Asante Technologies IC36240 user manual Configuring Snmp, Authentication, Access Control

Page 43

In the following example, the software is configured from the file my-config at IP address 192.168.123.59:

Switch# copy tftp://192.168.123.59/my-config running-config

Download file ‘my-config’ from 192.168.123.59 to running-config? [y/n] y

Accessing tftp://192.168.123.59/my-config...

[OK] 487 bytes copied in time <1 sec

Updating running-config...

To clear the saved configuration, use the following command from privileged mode:

Switch# erase startup-config

5.3 Configuring SNMP

This section describes the tasks needed to configure Simple Network Management Protocol (SNMP) on the switch.

Simple Network Management Protocol (SNMP) is the standard network management protocol on TCP/IP-based networks.

SNMP allows network managers to obtain specific performance and configuration information from a software agent on a remote network device. SNMP allows different types of networks to communicate by exchanging network information through messages known as protocol data units (PDUs). The IntraCore IC36240 supports SNMPv1, SNMPv2 and SNMPv3. SNMPv3 improves the authentication, access control, and security methods of the earlier versions. The following sections outline these methods.

5.3.1 Authentication

SNMPv1 relies on IP address-based access lists and community strings; a community string functions like a password and is shared between an SNMP manager and agent. IP address-based access lists can be vulnerable to IP address spoofing.

When there is easy physical access to a network, or community strings are intercepted, simple network management operations can reveal network information about any device configured for remote SNMP management.

Because SNMPv3 requires that both the SNMP manager and the agent share a secret authentication key, use the SNMPv3 protocol to secure management traffic on your network. Each SNMPv3 packet carries the user's name and is authenticated with the key. The key is generated from a user password by using a secure hash function.

The User-based Security Model (USM) for SNMPv3 defines two authentication protocols. HMAC-MD5-96, which is based on MD5, is the faster of the two, and the MD5 protocol must be implemented in every SNMPv3 environment.

MD5 is a hashing algorithm. When a message is to be sent, the message concatenated with the user's key is hashed and the system generates a fingerprint for the string. After the hash is performed, the fingerprint is added to the message (the key itself is never transmitted). Sending this fingerprint with the message protects it from both the Modification of Information and Masquerade security threats. If any of the data in the packet is modified after the original is transmitted, the modification is detected when the receiver hashes the received message (minus the fingerprint, plus the user's key) and compares the result to the fingerprint that was received. This process also protects the network from Masquerade attacks, because the scope of the authentication includes the message's origin. In this way, both the identity of the sender and the integrity of the message can be verified.
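The key derivation and fingerprint check described above, as an added example in Python (not code from the manual or from the switch firmware). It follows RFC 3414: the password is stretched and hashed to a raw key, localized with the agent's engine ID, and then used as an HMAC-MD5 key whose 96-bit truncation is the fingerprint. One simplification is assumed: the fingerprint is appended to the message here, whereas on the wire it sits in the msgAuthenticationParameters field, which is zero-filled while the HMAC is computed. The password and engine ID are the RFC 3414 A.3.1 test vector; the message is a constructed stand-in for a PDU.

```python
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC-MD5-96 keeps 96 bits of the 128-bit MD5 HMAC


def password_to_ku(password: bytes) -> bytes:
    # RFC 3414 A.2.1: repeat the password cyclically until 1 MiB of input
    # has been fed to MD5; the digest (Ku) is the user's raw key.
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.md5(stretched).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    # RFC 3414 2.6: bind the key to one agent by mixing in its engine ID,
    # so a key recovered from one agent does not authenticate to another.
    return hashlib.md5(ku + engine_id + ku).digest()


def fingerprint(auth_key: bytes, message: bytes) -> bytes:
    # HMAC-MD5 over the message, truncated to its first 12 bytes.
    return hmac.new(auth_key, message, hashlib.md5).digest()[:AUTH_PARAMS_LEN]


def authenticate(auth_key: bytes, message: bytes) -> bytes:
    # Sender: append the fingerprint; the key itself never leaves the host.
    return message + fingerprint(auth_key, message)


def verify(auth_key: bytes, wire: bytes) -> bool:
    # Receiver: split off the fingerprint, recompute it with the shared key
    # and compare in constant time. Any modified byte changes the result.
    if len(wire) < AUTH_PARAMS_LEN:
        return False
    message, received = wire[:-AUTH_PARAMS_LEN], wire[-AUTH_PARAMS_LEN:]
    return hmac.compare_digest(fingerprint(auth_key, message), received)


# RFC 3414 A.3.1 test password and engine ID (not values from this switch).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    key = localize_key(password_to_ku(RFC_PASSWORD), RFC_ENGINE_ID)
    wire = authenticate(key, b"GET sysName.0 for user admin")  # constructed PDU stand-in
    print("genuine:", verify(key, wire))                      # True
    tampered = wire[:4] + bytes([wire[4] ^ 0x01]) + wire[5:]  # flip one bit in the body
    print("tampered:", verify(key, tampered))                 # False
```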

5.3.2 Access Control

SNMPv3 allows for the definition of multiple access controls. Access control is a security function performed at the PDU level. Strong access control demands strong authentication, which SNMPv3 provides.
