Alcatel-Lucent 6600 Security Concerns

Configuring RDP RDP Overview

OmniSwitch 6600 Family Network Configuration Guide April 2006 page 17-7

Security Concerns

ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks:

•Passive monitoring—Attackers can use RDP to re-route traffic from vulnerable systems through the

attacker’s system. This allows the attacker to monitor or record one side of the conversation. However,

the attacker must reside on the same network as the victim for this scenario to work.

•Man in the middle—Attacker modifies any of the outgoing traffic or plays man in the middle, acting

as a proxy between the router and the end host. In this case, the victim thinks that it is communicating

with an end host, not an attacker system. The end host thinks that is it communicating with a router

because the attacker system is passing information through to the host from the router. If the victim is a

secure web server that uses SSL, the attacker sitting in between the server and an end host could inter-

cept unencrypted traffic. As is the case with passive monitoring, the attacker must reside on the same

network as the victim for this scenario to work.

•Denial of service (DoS)—Remote attackers can spoof these ICMP packets and remotely add bad

default-route entries into a victim’s routing table. This would cause the victim to forward frames to the

wrong address, thus making it impossible for the victim’s traffic to reach other networks. Because of

the large number of vulnerable systems and the fact that this attack will penetrate firewalls that do not

stop incoming ICMP packets, this DoS attack can become quite severe. (See Chapter14, “Configuring

IP,” and Chapter 24, “Configuring QoS,” for more information about DoS attacks.)

Note. Security concerns associated with using RDP are generic to the feature as defined in RFC 1256 and

not specific to this implementation.

Contents

Main Page Contents Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This Guide Supported Platforms Unsupported Platforms Who Should Read this Manual? When Should I Read this Manual? What is in this Manual? What is Not in this Manual? How is the Information Organized? Documentation Roadmap Stage 1: Using the Switch for the First Time Stage 2: Gaining Familiarity with Basic Switch Functions Stage 3: Integrating the Switch Into a Network Anytime Related Documentation Page User Manuals Web Site Technical Support Page 1 Configuring Ethernet Ports Ethernet Specifications Ethernet Port Defaults Configuring Ethernet Ports Tutorial For more information about available show commands, refer to the OmniSwitch CLI Reference Guide. Ethernet Ports Overview Configuring Ethernet Ports page 1-6 OmniSwitch 6600 Family Network Configuration Guide April 2006 Ethernet Ports Overview 10/100 Ethernet Ports 1 Optional Stacking or Gigabit Ethernet Note. OmniSwitch 6602-24 and 6602-48 have two built-in MiniGBIC ports. OmniSwitch 6648 CONSOLE OmniSwitch 6624 25 26 27 28 100 Mbps Fiber SFP Ports 1 Optional Stacking or Gigabit Ethernet CONSOLE OmniSwitch 6600-U24 OmniSwitch 6600-P24 10/100 Ethernet Ports 1 Gigabit Ethernet Ports 25 and 26 OmniSwitch 6602-24 EXPANSION/STACKINGEXPANSION OmniSwitch 6600-P24 OmniSwitch 6602-48 10/100 Ethernet Ports 1 Gigabit Ethernet Ports 49 and 50 10/100 Crossover Supported Gigabit Copper SFPs Supported Valid Port Settings Page Page Setting Ethernet Port Parameters Setting Trap Port Link Messages Enabling Trap Port Link Messages Disabling Trap Port Link Messages Setting Flow Control Enabling Flow Control Disabling Flow Control Setting Flow Control Wait Time Configuring the Flow Control Wait Time Restoring the Flow Control Wait Time Setting Interface Line Speed Configuring Duplex Mode Enabling and Disabling Interfaces Configuring Inter-frame Gap Values Resetting Statistics Counters Configuring Flood Rates Enabling the Maximum Flood Rate Enabling Maximum Flood Rate for Multicast Traffic Configuring Flood Rate Values Configuring a Port Alias Configuring Auto Negotiation, Crossover, and Flow Control Settings Enabling and Disabling Auto Negotiation Configuring Crossover Settings Enabling and Disabling Flow Page Verifying Ethernet Port Configuration Page 2 Managing Source Learning Source Learning Specifications Source Learning Defaults Sample MAC Address Table Configuration Page MAC Address Table Overview Using Static MAC Addresses Configuring Static MAC Addresses Static MAC Addresses on Link Aggregate Ports Using Static Multicast MAC Addresses Configuring Static Multicast MAC Addresses Static Multicast MAC Addresses on Link Aggregate Ports Configuring MAC Address Table Aging Time Page Displaying MAC Address Table Information Page 3 Configuring Learned Port Security Learned Port Security Specifications Learned Port Security Defaults Sample Learned Port Security Configuration Learned Port Security Overview How LPS Authorizes Source MAC Addresses Dynamic Configuration of Authorized MAC Addresses Static Configuration of Authorized MAC Addresses Understanding the LPS Table Enabling/Disabling Learned Port Security Configuring a Source Learning Time Limit Configuring the Number of MAC Addresses Allowed Configuring Authorized MAC Addresses Configuring an Authorized MAC Address Range Selecting the Security Violation Mode Restoring the Operational State of an LPS Port Displaying Learned Port Security Information Page 4 Configuring VLANs VLAN Specifications VLAN Defaults Sample VLAN Configuration To verify that ports 3/2-4 were assigned to VLAN 255, use the showvlan port command. For example: VLAN Management Overview Creating/Modifying VLANs Adding/Removing a VLAN Enabling/Disabling the VLAN Administrative Status Modifying the VLAN Description Defining VLAN Port Assignments Changing the Default VLAN Assignment for a Port Configuring Dynamic VLAN Port Assignment Configuring VLAN Rule Classification Enabling/Disabling VLAN Mobile Tag Classification Enabling/Disabling Spanning Tree for a VLAN Enabling/Disabling VLAN Authentication Configuring VLAN Router Interfaces What is Single MAC Router Mode? Bridging VLANs Across Multiple Switches Switch A Switch B Switch C Verifying the VLAN Configuration VLAN 10 5 Configuring Spanning Tree Parameters Spanning Tree Specifications Spanning Tree Bridge Parameter Defaults Spanning Tree Port Parameter Defaults Multiple Spanning Tree (MST) Region Defaults Spanning Tree Overview How the Spanning Tree Topology is Calculated Bridge Protocol Data Units (BPDU) Page Topology Examples Switch C Switch B Switch A (Root Bridge) (Designated Bridge) Switch C Switch B Switch A Spanning Tree Operating Modes Using the Flat Spanning Tree Mode Using 1x1 Spanning Tree Mode Flat STP Switch Configuring Spanning Tree Bridge Parameters Bridge Configuration Commands Overview Page Selecting Bridge Protocol Configuring the Bridge Priority Configuring the Bridge Hello Time Configuring the Bridge Max Age Time Configuring the Bridge Forward Delay Time Enabling/Disabling the VLAN BPDU Switching Status Configuring the Path Cost Mode Configuring Spanning Tree Port Parameters Bridge Configuration Commands Overview Page Enabling/Disabling Spanning Tree on a Port Spanning Tree on Link Aggregate Ports Configuring Port Priority Port Priority on Link Aggregate Ports Configuring Port Path Cost Page Path Cost for Link Aggregate Ports Configuring Port Mode Mode for Link Aggregate Ports Configuring Port Connection Type Connection Type on Link Aggregate Ports Sample Spanning Tree Configuration Example Network Overview Switch B Switch A (Designated Bridge) Example Network Configuration Steps Page Verifying the Spanning Tree Configuration 6 Using 802.1s Multiple Spanning Tree MST Specifications Spanning Tree Bridge Parameter Defaults Spanning Tree Port Parameter Defaults MST Region Defaults MST General Overview How MSTP Works Page Page Comparing MSTP with STP and RSTP What is a Multiple Spanning Tree Instance (MSTI) What is a Multiple Spanning Tree Region What is the Common Spanning Tree What is the Internal Spanning Tree (IST) Instance What is the Common and Internal Spanning Tree Instance MST Configuration Overview Using Spanning Tree Configuration Commands Understanding Spanning Tree Modes MST Interoperability and Migration Migrating from Flat Mode STP/RSTP to Flat Mode MSTP Migrating from 1x1 Mode to Flat Mode MSTP Quick Steps for Configuring an MST Region Page Quick Steps for Configuring MSTIs Switch A Switch B Page Verifying the MST Configuration Page 7 Assigning Ports to VLANs Port Assignment Specifications Port Assignment Defaults Sample VLAN Port Assignment Statically Assigning Ports to VLANs Dynamically Assigning Ports to VLANs How Dynamic Port Assignment Works VLAN Mobile Tag Classification Page Tagged Mobile Port Traffic Triggers Dynamic VLAN Assignment VLAN 2 VLAN 1 VLAN 4 VLAN 3 Dynamic VPA Default VLAN VLAN Rule Classification Page Configuring Dynamic VLAN Port Assignment Enabling/Disabling Port Mobility Ignoring Bridge Protocol Data Units (BPDU) Page Understanding Mobile Port Properties What is a Configured Default VLAN? What is a Secondary VLAN? How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified If default VLAN is enabled.... Why disable default VLAN? Why enable default VLAN? If default VLAN is disabled.... How Mobile Port VLAN Assignments Age vlan port default Why enable restore default VLAN? Why disable restore default VLAN? Configuring Mobile Port Properties Enable/Disable Default VLAN Enable/Disable Default VLAN Restore Enable/Disable Port Authentication Enable/Disable 802.1X Port-Based Access Control Verifying VLAN Port Associations and Mobile Port Properties Understanding show vlan port Output Understanding show vlan port mobile Output 8 Defining VLAN Rules VLAN Rules Specifications VLAN Rules Defaults Sample VLAN Rule Configuration VLAN Rules Overview VLAN Rule Types DHCP Rules Binding Rules MAC Address Rules Network Address Rules Protocol Rules Custom (User Defined) Rules Port Rules Understanding VLAN Rule Precedence Page Page Configuring VLAN Rule Definitions Defining DHCP MAC Address Rules Defining DHCP MAC Range Rules Defining DHCP Port Rules Defining DHCP Generic Rules Defining Binding Rules How to Define a MAC-Port-IP Address Binding Rule How to Define a MAC-Port-Protocol Binding Rule How to Define a MAC-Port Binding Rule How to Define a MAC-IP Address Binding Rule How to Define an IP-Port Binding Rule How to Define a Port-Protocol Binding Rule Defining MAC Address Rules Defining MAC Range Rules Defining IP Network Address Rules Defining IPX Network Address Rules Defining Protocol Rules Defining Custom (User) Rules Defining Port Rules Application Example: DHCP Rules The VLANs DHCP Servers and Clients Page DHCP Port and MAC Rule Application Example Branch VLAN Production VLAN Test VLA N DHCP Servers Page Page 9 Configuring Port Mapping Port Mapping Specifications Port Mapping Defaults Quick Steps for Configuring Port Mapping Creating/Deleting a Port Mapping Session Creating a Port Mapping Session Deleting a User/Network Port of a Session Deleting a Port Mapping Session Enabling/Disabling a Port Mapping Session Enabling a Port Mapping Session Disabling a Port Mapping Session Configuring a Port Mapping Direction Configuring Unidirectional Port Mapping Sample Port Mapping Configuration Example Port Mapping Overview Example Port Mapping Configuration Steps Verifying the Port Mapping Configuration 10 Using Interswitch Protocols Page AMAP Overview AMAP Transmission States Discovery Transmission State Common Transmission State Passive Reception State Common Transmission and Remote Switches Configuring AMAP Enabling or Disabling AMAP Configuring the AMAP Discovery Timeout Interval Configuring the AMAP Common Timeout Interval Displaying AMAP Information A simplified visual illustration of these connections is shown here for example purposes only: See the OmniSwitch CLI Reference Guide for information about the show amap command. 11 Configuring 802.1Q 802.1Q Specifications 802.1Q Defaults Table 802.1Q Overview Page Configuring an 802.1Q VLAN Enabling Tagging on a Port Enabling Tagging with Link Aggregation Configuring the Frame Type Show 802.1Q Information Application Example The following sections show how to create the network illustrated above. Connecting Stack 1 and Stack 2 Using 802.1Q 1Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch): 2Set port 1/1 as a tagged port and assign it to VLAN 2 by entering the following: Connecting Stack 2 and Stack 3 Using 802.1Q Verifying 802.1Q Configuration Page 12 Configuring Static Link Aggregation Static Link Aggregation Specifications Static Link Aggregation Default Values Quick Steps for Configuring Static Link Aggregation Page Static Link Aggregation Overview Static Link Aggregation Operation Relationship to Other Features Configuring Static Link Aggregation Groups Configuring Mandatory Static Link Aggregate Parameters Creating and Deleting a Static Link Aggregate Group Creating a Static Aggregate Group Deleting a Static Aggregate Group Adding and Deleting Ports in a Static Aggregate Group Adding Ports to a Static Aggregate Group Configuring Static Link Aggregation Groups Configuring Static Link Aggregation OmniSwitch 6624/6600-U24/6600-P24 Valid Port Assignment Locations page 12-10 OmniSwitch 6600 Family Network Configuration Guide April 2006 Number of Links OmniSwitch 6624/6600-U24/6600-P24 Maximum Valid Port Assignment 2528 (Gigabit) OmniSwitch 6648 Valid Port Assignment Locations OmniSwitch 6600 Family Network Configuration Guide April 2006 page 12-11 Number of Links OmniSwitch 6648 Maximum Valid Port Assignment 5152 (Gigabit) Number of Links (Aggregate Size) OmniSwitch 6602-24 Maximum Valid Configuring Static Link Aggregation Configuring Static Link Aggregation Groups OmniSwitch 6602-48 Valid Port Configuration Locations OmniSwitch 6600 Family Network Configuration Guide April 2006 page 12-13 Number of Links OmniSwitch 6602-48 Maximum Valid Port Configuration Removing Ports from a Static Aggregate Group Modifying Static Aggregation Group Parameters Modifying the Static Aggregate Group Name Creating a Static Aggregate Group Name Deleting a Static Aggregate Group Name Modifying the Static Aggregate Group Administrative State Application Example Page Displaying Static Link Aggregation Configuration and Statistics 13 Configuring Dynamic Link Aggregation Dynamic Link Aggregation Specifications Dynamic Link Aggregation Default Values Quick Steps for Configuring Dynamic Link Aggregation Page Page Dynamic Link Aggregation Overview Dynamic Link Aggregation Operation Page Relationship to Other Features Configuring Dynamic Link Aggregate Groups Configuring Mandatory Dynamic Link Aggregate Parameters Creating and Deleting a Dynamic Aggregate Group Creating a Dynamic Aggregate Group Deleting a Dynamic Aggregate Group Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group Configuring Ports To Join a Dynamic Aggregate Group Configuring Dynamic Link Aggregation Configuring Dynamic Link Aggregate Groups OmniSwitch 6600 Family Network Configuration Guide April 2006 page 13-13 2528 (Gigabit) Configuring Dynamic Link Aggregate Groups Configuring Dynamic Link Aggregation OmniSwitch 6648 Valid Port Configuration Locations page 13-14 OmniSwitch 6600 Family Network Configuration Guide April 2006 Number of Links OmniSwitch 6648 Maximum Valid 5152 (Gigabit) Number of Links (Aggregate Size) OmniSwitch 6602-24 Maximum Valid Configuring Dynamic Link Aggregate Groups Configuring Dynamic Link Aggregation OmniSwitch 6602-48 Valid Port Configuration Locations page 13-16 OmniSwitch 6600 Family Network Configuration Guide April 2006 Number of Links OmniSwitch 6602-48 Maximum Valid Port Configuration Page Removing Ports from a Dynamic Aggregate Group Modifying Dynamic Link Aggregate Group Parameters Modifying Dynamic Aggregate Group Parameters Modifying the Dynamic Aggregate Group Name Configuring a Dynamic Aggregate Group name Deleting a Dynamic Aggregate Group Name Modifying the Dynamic Aggregate Group Administrative State Enabling a Dynamic Aggregate Group Disabling a Dynamic Aggregate Group Configuring and Deleting the Dynamic Aggregate Group Actor Administrative Key Configuring a Dynamic Aggregate Actor Administrative Key Modifying the Dynamic Aggregate Group Actor System Priority Configuring a Dynamic Aggregate Group Actor System Priority Restoring the Dynamic Aggregate Group Actor System Priority Modifying the Dynamic Aggregate Group Actor System ID Configuring a Dynamic Aggregate Group Actor System ID Modifying the Dynamic Aggregate Group Partner Administrative Key Configuring a Dynamic Aggregate Group Partner Administrative Key Restoring the Dynamic Aggregate Group partner Administrative Key Modifying the Dynamic Aggregate Group Partner System Priority Configuring a Dynamic Aggregate Group Partner System Priority Modifying Dynamic Link Aggregate Actor Port Parameters Modifying the Actor Port System Administrative State Configuring Actor Port Administrative State Values Restoring Actor Port Administrative State Values Modifying the Actor Port System ID Configuring an Actor Port System ID Restoring the Actor Port System ID Modifying the Actor Port System Priority Configuring an Actor Port System Priority Restoring the Actor Port System Priority Modifying the Actor Port Priority Configuring the Actor Port Priority Restoring the Actor Port Priority Modifying Dynamic Aggregate Partner Port Parameters Modifying the Partner Port System Administrative State Configuring Partner Port System Administrative State Values Restoring Partner Port System Administrative State Values Modifying the Partner Port Administrative Key Configuring the Partner Port Administrative Key Restoring the Partner Port Administrative Key Modifying the Partner Port System ID Configuring the Partner Port System ID Modifying the Partner Port System Priority Configuring the Partner Port System Priority Restoring the Partner Port System Priority Modifying the Partner Port Administrative Status Configuring the Partner Port Administrative Status Restoring the Partner Port Administrative Status Modifying the Partner Port Priority Configuring the Partner Port Priority Restoring the Partner Port Priority Application Examples Sample Network Overview Link Aggregation and Spanning Tree Example Link Aggregation and QoS Example Page Displaying Dynamic Link Aggregation Configuration and Statistics A screen similar to the following would be displayed: Page 14 Configuring IP IP Specifications IP Defaults Quick Steps for Configuring IP Forwarding IP Overview IP Protocols Transport Protocols Application-Layer Protocols Additional IP Protocols IP Forwarding Configuring an IP Router Interface Modifying an IP Router Interface Removing an IP Router Interface Creating a Static Route Creating a Default Route Configuring Address Resolution Protocol (ARP) Adding a Permanent ARP Entry Deleting a Permanent Entry from the ARP Table Clearing Dynamic ARP Entries Local Proxy ARP ARP Filtering Page IP Configuration Configuring the Router Primary Address Configuring the Router ID Configuring the Route Preference of a Router Configuring the Time-to-Live (TTL) Value IP-Directed Broadcasts Denial of Service (DoS) Filtering Page Setting Penalty Values Setting the Port Scan Penalty Value Threshold Setting the Decay Value Enabling DoS Traps Enabling/Disabling IP Services Page Managing IP Internet Control Message Protocol (ICMP) Activating ICMP Control Messages Enabling All ICMP Types Setting the Minimum Packet Gap ICMP Control Table ICMP Statistics Table Using the Ping Command Tracing an IP Route Displaying TCP Information Displaying UDP Information Verifying the IP Configuration 15 Configuring IPv6 IPv6 Specifications IPv6 Defaults Quick Steps for Configuring IPv6 Routing IPv6 Overview IPv6 Addressing IPv6 Address Notation IPv6 Address Prefix Notation Autoconfiguration of IPv6 Addresses Tunneling IPv6 over IPv4 6to4 Tunnels 6to4 Site to 6to4 Site over IPv4 Domain 6to4 Site to IPv6 Site over IPv4/IPv6 Domains Configured Tunnels Configuring an IPv6 Interface Modifying an IPv6 Interface Removing an IPv6 Interface Assigning IPv6 Addresses Page Configuring IPv6 Tunnel Interfaces Verifying the IPv6 Configuration Page 16 Configuring RIP RIP Specifications RIP Defaults Quick Steps for Configuring RIP Routing RIP Overview RIP Version 2 RIP Routing Loading RIP Enabling RIP Creating a RIP Interface Enabling a RIP Interface Configuring the RIP Interface Send Option Configuring the RIP Interface Receive Option Configuring the RIP Interface Metric Configuring the RIP Interface Route Tag RIP Options Configuring the RIP Forced Hold-down Interval Enabling a RIP Host Route RIP Redistribution Enabling RIP Redistribution Configuring a RIP Redistribution Policy Configuring a Redistribution Metric Configuring a RIP Redistribution Filter Creating a Redistribution Filter Configuring a Redistribution Filter Action Configuring a Redistribution Filter Metric Configuring the Redistribution Filter Route Control Action Configuring a Redistribution Filter Route Tag RIP Security Configuring Authentication Type Configuring Passwords Verifying the RIP Configuration Page 17 Configuring RDP RDP Specifications RDP Defaults Quick Steps for Configuring RDP Page RDP Overview RS-2 RS-1 RDP Interfaces Security Concerns Enabling/Disabling RDP Creating an RDP Interface Specifying an Advertisement Destination Address Defining the Advertisement Interval Setting the Maximum Advertisement Interval Setting the Minimum Advertisement Interval Setting the Advertisement Lifetime Setting the Preference Levels for Router IP Addresses Verifying the RDP Configuration Page 18 Configuring DHCP Relay DHCP Relay Specifications DHCP Relay Defaults Quick Steps for Setting Up DHCP Relay DHCP Relay Overview DHCP DHCP and the OmniSwitch DHCP Relay and Authentication External DHCP Relay Application Internal DHCP Relay DHCP Relay Implementation Global DHCP Setting the IP Address Per-VLAN DHCP Identifying the VLAN Configuring BOOTP/DHCP Relay Parameters Setting the Forward Delay Setting Maximum Hops Setting the Relay Forwarding Option Using Automatic IP Configuration Enabling Automatic IP Configuration Configuring UDP Port Relay Enabling/Disabling UDP Port Relay Specifying a Forwarding VLAN Configuring DHCP Security Features Using the Relay Agent Information Option (Option-82) How the Relay Agent Processes DHCP Packets from the Client How the Relay Agent Processes DHCP Packets from the Server Enabling the Relay Agent Information Option-82 Configuring a Relay Agent Information Option-82 Policy Using DHCP Snooping DHCP Snooping Configuration Guidelines Enabling DHCP Snooping Switch-level DHCP Snooping VLAN-Level DHCP Snooping Configuring the Port Trust Mode Configuring the DHCP Snooping Binding Table Configuring the Binding Table Timeout Synchronizing the Binding Table Verifying the DHCP Relay Configuration Page 19 Configuring VRRP VRRP Specifications VRRP Defaults Quick Steps for Creating a Virtual Router VRRP Overview Why Use VRRP? Definition of a Virtual Router VRRP MAC Addresses ARP Requests ICMP Redirects VRRP Startup Delay VRRP Tracking Interaction With Other Features Configuration Overview Basic Virtual Router Configuration Creating a Virtual Router Specifying an IP Address for a Virtual Router Configuring the Advertisement Interval Configuring Virtual Router Priority Setting Preemption for Virtual Routers Enabling/Disabling a Virtual Router Setting VRRP Traps Setting VRRP Startup Delay Creating Tracking Policies Associating a Tracking Policy With a Virtual Router Verifying the VRRP Configuration VRRP Application Example Page VRRP Tracking Example Page 20 Managing Authentication Servers Authentication Server Specifications Server Defaults RADIUS Authentication Servers LDAP Authentication Servers Quick Steps For Configuring Authentication Servers Server Overview Backup Authentication Servers Authenticated Switch Access Authenticated VLANs Port-Based Network Access Control (802.1X) ACE/Server Clearing an ACE/Server Secret RADIUS Servers RADIUS Server Attributes Standard Attributes Page Vendor-Specific Attributes for RADIUS Configuring Functional Privileges on the Server RADIUS Accounting Server Attributes Configuring the RADIUS Client LDAP Servers Setting Up the LDAP Authentication Server LDAP Server Details LDIF File Structure Common Entries Directory Entries Directory Searches Retrieving Directory Search Results Directory Modifications Directory Compare and Sort The LDAP URL Password Policies and Directory Servers Directory Server Schema for LDAP Authentication Vendor-Specific Attributes for LDAP Servers Configuring Functional Privileges on the Server Configuring Authentication Key Attributes LDAP Accounting Attributes AccountStartTime AccountStopTime AccountFailTime Dynamic Logging Configuring the LDAP Authentication Client Creating an LDAP Authentication Server Modifying an LDAP Authentication Server Setting Up SSL for an LDAP Authentication Server Removing an LDAP Authentication Server Page Page 21 Configuring Authenticated VLANs Authenticated Network Overview Page AVLAN Configuration Overview Sample AVLAN Configuration Page Setting Up Authentication Clients Telnet Authentication Client Web Browser Authentication Client Configuring the Web Browser Client Language File Required Files for Web Browser Clients Installing Files for Mac OS 9.x Clients Installing Files for Mac OSX.1 Clients Page SSL for Web Browser Clients Windows, Linux, and Mac OS 9 Clients Mac OSX.1 Clients DNS Name and Web Browser Clients Installing the AV-Client Loading the Microsoft DLC Protocol Stack Windows 2000 and Windows NT Windows 98 Windows 95 Loading the AV-Client Software Windows 2000 and Windows NT Page Page Page Page Setting the AV-Client as Primary Network Login Windows 95 and Windows 98 Configuring the AV-Client Utility Selecting a Dialog Mode Enabling/disabling the AV-Client at Startup Automatic Client or NOS Logoff Page Logging Into the Network Through an AV-Client Logging Off the AV-Client Configuring the AV-Client for DHCP Delay for IP Address Request Releasing the IP Address Page Page Configuring Authenticated VLANs Removing a User From an Authenticated Network Configuring Authentication IP Addresses Setting Up the Default VLAN for Authentication Clients Port Binding and Authenticated VLANs Configuring Authenticated Ports Setting Up a DNS Path Setting Up the DHCP Server Before Authentication After Authentication Enabling DHCP Relay for Authentication Clients Configuring a DHCP Gateway for the Relay Configuring the Server Authority Mode Configuring Single Mode Page Configuring Multiple Mode Specifying Accounting Servers Verifying the AVLAN Configuration 22 Configuring 802.1X 802.1X Specifications 802.1X Defaults Quick Steps for Configuring 802.1X Optional. To display the number of 802.1x users on the switch, use the show 802.1x users command: See the OmniSwitch CLI Reference Guide for information about the fields in this display. 802.1X Overview Supplicant Classification 802.1X Ports and DHCP Re-authentication 802.1X Accounting Compared to Authenticated VLANs Using Access Guardian Policies Policy Types Page Setting Up Port-Based Network Access Control Setting 802.1X Switch Parameters Enabling MAC Authentication for Non-Supplicants Enabling 802.1X on Ports Configuring 802.1X Port Parameters Configuring the Port Control Direction Configuring the Port Authorization Configuring 802.1X Port Timeouts Configuring the Maximum Number of Requests Re-authenticating an 802.1X Port Initializing an 802.1X Port Configuring the Supplicant Polling Retry Count Configuring Accounting for 802.1X Configuring Access Guardian Policies Configuring Supplicant Policies Supplicant Policy Examples Configuring Non-supplicant Policies Non-supplicant Policy Examples Page Verifying the 802.1X Port Configuration Page 23 Managing Policy Servers Policy Server Specifications Policy Server Defaults Policy Server Overview Installing the LDAP Policy Server Modifying Policy Servers Modifying LDAP Policy Server Parameters Disabling the Policy Server From Downloading Policies Modifying the Port Number Modifying the Policy Server Username and Password Modifying the Searchbase Configuring a Secure Socket Layer for a Policy Server Loading Policies From an LDAP Server Removing LDAP Policies From the Switch Interaction With CLI Policies Verifying the Policy Server Configuration Page 24 Configuring QoS QoS Specifications QoS General Overview QoS Policy Overview How Policies Are Used Valid Policies Interaction With Other Features Condition Combinations Policy Condition Combinations Condition/Action Combinations Policy Condition/Action Combinations Policy Condition/Action Combinations (continued) Conditions Actions Supported When? QoS Defaults Global QoS Defaults QoS Port Defaults Policy Rule Defaults Policy Action Defaults Default (Built-in) Policies QoS Configuration Overview Configuring Global QoS Parameters Enabling/Disabling QoS Setting the Global Default Dispositions Using the QoS Log What Kind of Information Is Logged Number of Lines in the QoS Log Log Detail Level Forwarding Log Events to PolicyView Forwarding Log Events to the Console Displaying the QoS Log Clearing the QoS Log Flow Timeout Fragment Classification Enabling/Disabling Fragment Classification Setting the Fragment Timeout Classifying Bridged Traffic as Layer 3 Setting the Statistics Interval Returning the Global Configuration to Defaults Page QoS Ports and Queues Shared Queues Trusted and Untrusted Ports Configuring Trusted Ports Using Trusted Ports With Policies Verifying the QoS Port and Queue Configuration Creating Policies Quick Steps for Creating Policies ASCII-File-Only Syntax Creating Policy Conditions Removing Condition Parameters Deleting Policy Conditions Creating Policy Actions Removing Action Parameters Deleting a Policy Action Creating Policy Rules Disabling Rules Rule Precedence How Precedence is Determined Specifying Precedence for a Particular Rule Layer 3 Rules With Compatible Actions Layer 3 Rules With Conflicting Actions Saving Rules Logging Rules Deleting Rules Verifying Policy Configuration Page Testing Conditions Page Using Condition Groups in Policies ACLs Sample Group Configuration Creating Network Groups Creating Services Creating Service Groups Creating MAC Groups Creating Port Groups Port Groups and Maximum Bandwidth Source Port Group Example Destination Port Group Examples Important Notes on Maximum Bandwidth Verifying Condition Group Configuration Using Map Groups Sample Map Group Configuration How Map Groups Work Creating Map Groups Verifying Map Group Configuration Applying the Configuration Deleting the Pending Configuration Flushing the Configuration Interaction With LDAP Policies Verifying the Applied Policy Configuration Policy Applications Basic QoS Policies Basic Commands Traffic Prioritization Example priority Bandwidth Shaping Example ICMP Policy Example 802.1p and ToS/DSCP Marking and Mapping Page 25 Configuring ACLs ACL Specifications ACL Defaults Quick Steps for Creating ACLs ACL Overview Rule Precedence Example: Rule Type Example: Rule Order Example: Layer 3 Rules With Compatible Actions Example: Layer 3 Rules With Conflicting Actions Interaction With Other Features Valid Combinations ACL Configuration Overview Setting the Global Disposition Page Creating Condition Groups For ACLs Configuring ACLs Creating Policy Conditions For ACLs Creating Policy Actions For ACLs Creating Policy Rules for ACLs Layer 2 ACLs Layer 2 ACL: Example 1 Layer 2 ACL: Example 2 Layer 3 ACLs Layer 3 ACL: Example 1 Layer 3 ACL: Example 2 Multicast Filtering ACLs Page Using ACL Security Features Configuring a UserPorts Group Configuring a DisablePorts ACL Configuring a DropServices Group ACL Page Configuring ICMP Drop Rules Configuring a BPDUShutdownPorts Group Verifying the ACL Configuration Page ACL Application Example 26 Configuring IP Multicast Switching IPMS Specifications IPMS Default Values IPMS Overview IPMS Example Reserved Multicast Addresses IPMS and Link Aggregation Configuring IPMS on a Switch Enabling and Disabling IPMS on a Switch Enabling IPMS Disabling IPMS Configuring and Removing a Static Neighbor Configuring and Removing a Static Querier Configuring a Static Querier Removing a Static Querier Configuring and Removing a Static Member Configuring a Static Member Removing a Static Member Modifying IPMS Parameters Modifying the Leave Timeout Configuring the Leave Timeout Restoring the Leave Timeout Modifying the Query Interval Modifying the Neighbor Timeout Configuring the Neighbor Timeout Restoring the Neighbor Timeout Modifying the Querier Timeout Configuring the Querier Timeout Modifying the Flow Timeout Configuring the Flow Timeout Restoring the Flow Timeout Modifying the Querier Aging and Election Timeout Configuring the Querier Aging and Election Timeout IPMS Application Example 5Modify the leave timeout from its default value of 10 seconds to 120 seconds by entering: An example of what these commands look like entered sequentially on the command line: Displaying IPMS Configurations and Statistics Page 27 Diagnosing Switch Problems Page Port Mirroring Overview Port Mirroring Specifications Port Mirroring Defaults Quick Steps for Configuring Port Mirroring Port Monitoring Overview Port Monitoring Specifications Port Monitoring Defaults Quick Steps for Configuring Port Monitoring Remote Monitoring (RMON) Overview RMON Specifications RMON Probe Defaults Quick Steps for Enabling/Disabling RMON Probes Switch Health Overview Switch Health Specifications Switch Health Defaults Quick Steps for Configuring Switch Health Port Mirroring What Ports Can Be Mirrored? How Port Mirroring Works What Happens to the Mirroring Port Using Port Mirroring with External RMON Probes Creating a Mirroring Session Unblocking Ports (Protection from Spanning Tree) Enabling or Disabling Mirroring Status Creating a Mirroring Session and Enabling Mirroring Status Disabling a Mirroring Session (Disabling Mirroring Status) Configuring Port Mirroring Direction Enabling or Disabling a Port Mirroring Session (Shorthand) Displaying Port Mirroring Status Deleting A Mirroring Session Port Monitoring Configuring a Port Monitoring Session Enabling a Port Monitoring Session Disabling a Port Monitoring Session Deleting a Port Monitoring Session Pausing a Port Monitoring Session Configuring Port Monitoring Session Persistence Configuring a Port Monitoring Data File Suppressing Port Monitoring File Creation Configuring Port Monitoring Direction Displaying Port Monitoring Status and Data Remote Monitoring (RMON) Ethernet Statistics History (Control & Statistics) Alarm Event Enabling or Disabling RMON Probes Displaying RMON Tables Displaying a List of RMON Probes Displaying Statistics for a Particular RMON Probe Sample Display for Ethernet Statistics Probe Sample Display for History Probe Sample Display for Alarm Probe Displaying a List of RMON Events Displaying a Specific RMON Event Monitoring Switch Health Page Configuring Resource and Temperature Thresholds Displaying Health Threshold Limits Configuring Sampling Intervals Viewing Sampling Intervals Viewing Health Statistics for the Switch Viewing Health Statistics for a Specific Interface Resetting Health Statistics for the Switch 28 Using Switch Logging Switch Logging Specifications Switch Logging Defaults Quick Steps for Configuring Switch Logging Switch Logging Overview Switch Logging Commands Overview Enabling Switch Logging Setting the Switch Logging Severity Level Page Specifying the Severity Level Removing the Severity Level Specifying the Switch Logging Output Device Enabling/Disabling Switch Logging Output to the Console Enabling/Disabling Switch Logging Output to Flash Memory Specifying an IP Address for Switch Logging Output Disabling an IP Address from Receiving Switch Logging Output Displaying Switch Logging Status Configuring the Switch Logging File Size Clearing the Switch Logging Files Displaying Switch Logging Records 29 Monitoring Memory Memory Monitoring Specifications Memory Monitoring Defaults Quick Steps for Configuring Memory Monitoring Debug Memory Commands Overview Configuring Debug Memory Commands Enabling/Disabling Memory Monitoring Functions Displaying the Memory Monitor Log Displaying the Memory Monitor Global Statistics Displaying the Memory Monitor Task Statistics --Output continues on the following page-- Page Displaying the Memory Monitor Size Statistics Page A Software License and Copyright Statements Alcatel License Agreement ALCATEL INTERNETWORKING, INC. (AII) SOFTWARE LICENSE AGREEMENT Page Page Third Party Licenses and Notices A.Booting and Debugging Non-Proprietary Software B. The OpenLDAP Public License: Version 2.4, 8 December 2000 C. Linux D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991 Preamble GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION Page Page Page Appendix: How to Apply These Terms to Your New Programs E. University of California F. Carnegie-Mellon University G.Random.c H.Apptitude, Inc. I. Agranat J. RSA Security Inc. K. Sun Microsystems, Inc. L. Wind River Systems, Inc. M.Network Time Protocol Version 4 Index Numerics A B C D E F H I L M N O P Q R S Page T U V W