Allied Telesis AT-S63

Chapter 34: PKI Certificates and SSL

404 Section IX: Management Security

Guidelines

The guidelines for creating certificates are:

A certificate can have only one key.

A switch can use only those certificates that contain a key that was

generated on the switch.

You can create multiple certificates on a switch, but the device uses

the certificate whose key pair has been designated as the active key

pair for the switch’s web server.

Most web browsers support both unsecured (plaintext) and secured

(encrypted) operation. These modes are referred to as HTTP and

HTTPS, respectively. If you choose to use encryption when you

manage a switch, the web browser you use must support HTTPS.

Contents

Main Page Contents Page Page Page Page Page Page Page Page Page Figures Page Tables Page Preface How This Guide is Organized Page Product Documentation Where to Go First Page Document Conventions Page Contacting Allied Telesis Page Section I Basic Operations Page Chapter 1 Overview Layer 2+ and Basic Layer 3 Switches Page Page Page Page AT-S63 Management Software Management Interfaces and Features Page Page Page Page Management Access Methods Remote SNMP Management Manager Access Levels Installation and Management Configurations Stand-alone Switch Enhanced Stacking Stacking Page IP Configuration Redundant Twisted Pair Ports Page History of New Features Version 3.0.0 Version 2.1.0 Version 2.0.0 Version 1.3.0 Version 1.2.0 Page Page Chapter 2 Enhanced Stacking Page Page Master and Slave Switches Common VLAN Master Switch and the Local Interface Slave Switches Enhanced Stacking Compatibility Enhanced Stacking Guidelines General Steps Chapter 3 SNMPv1 and SNMPv2c Page Page Community String Attributes Community String Name Access Mode Operating Status Open or Closed Access Status Page Default SNMP Community Strings Page Page Page Page Chapter 5 Static Port Trunks Page Page Load Distribution Methods Page Page Chapter 6 LACP Port Trunks Page Page Page Page Page LACP System Priority Adminkey Parameter LACP Port Priority Value Load Distribution Methods Page Page Page Chapter 7 Port Mirror Page Page Page Section II Advanced Operations Page Chapter 8 File System Page Boot Configuration Files File Naming Conventions Using Wildcards to Specify Groups of Files Page Chapter 9 Event Logs and the Syslog Client Page Event Messages Syslog Client Chapter 10 Classifiers Page Page Page Classifier Criteria Destination MAC Address (Layer 2) Source MAC Address (Layer 2) Ethernet 802.2 and Ethernet II Frame Types (Layer 2) 802.1p Priority Level (Layer 2) VLAN ID (Layer 2) Protocol (Layer 2) IP ToS (Type of Service) (Layer 3) IP DSCP (DiffServ Code Point) (ToS) (Layer 3) IP Protocol (Layer 3) Source IP Addresses (Layer 3) Source IP Mask (Layer 3) Destination IP Addresses (Layer 3) Destination IP Mask (Layer 3) TCP Source Ports (Layer 4) TCP Destination Ports (Layer 4) UDP Source Ports (Layer 4) UDP Destination Ports (Layer 4) TCP Flags Page Chapter 11 Access Control Lists Page Page Page Parts of an ACL Page Page Chapter 11: Access Control Lists 126 Section II: Advanced Operations Figure 7. ACL Example 2 Figure 8. ACL Example 3 Page Figure 11. ACL Example 6 Page Chapter 12 Class of Service Page Page Page Page Scheduling Strict Priority Scheduling Weighted Round Robin Priority Scheduling Page Page Chapter 13 Quality of Service Page Page Page Classifiers Flow Groups Traffic Classes Policies QoS Policy Guidelines Packet Processing Bandwidth Allocation Packet Prioritization Page Replacing Priorities VLAN Tag User Priorities DSCP Values DiffServ Domains Page Voice Applications Page Video Applications Chapter 13: Quality of Service 156 Section II: Advanced Operations Figure 14. QoS Video Application Example The parts of the policies are: Classifier - Specifies the IP address of the node with a video Flow Group - Specifies the new priority level of 4 for the packets. As Section II: Advanced Operations 157 Traffic Class - The packet stream is assigned a maximum bandwidth of Critical Database Policy Component Hierarchy Figure 16. Policy Component Hierarchy Example Page Chapter 14 Denial of Service Defenses Page Page SYN Flood Attack Smurf Attack Land Attack Page Teardrop Attack Ping of Death Attack IP Options Attack Mirroring Traffic Page Section III Snooping Protocols Page Page Page Page Page Page Page Page Page Chapter 17 RRP Snooping Page Page Page Page Page Page Page Restrictions Page Page Page Page Page Chapter 19 SNMPv3 Page Page SNMPv3 Authentication Protocols SNMPv3 Privacy Protocol SNMPv3 MIB Views Page SNMPv3 Storage Types SNMPv3 Message Notification SNMPv3 Tables SNMPv3 User Table SNMPv3 View Table SNMPv3 Access Table SNMPv3 Security To Group Table Page SNMPv3 User SNMPv3 View SNMPv3 Access SecurityToGroup Page Page Page Page Chapter 20 Spanning Tree and Rapid Spanning Tree Protocols Page Page Bridge Priority and the Root Bridge Path Costs and Port Costs Port Priority Page Forwarding Delay and Topology Changes Hello Time and Bridge Protocol Data Units (BPDU) Point-to-Point and Edge Ports Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols 222 Section V: Spanning Tree Protocols Edge Port Point-to-Point and Edge Port 87654321 8765 4321 Workstation (Full-duplex Mode) Mixed STP and RSTP Networks Chapter 20: Spanning Tree and Rapid Spanning Tree Protocols 224 Section V: Spanning Tree Protocols Spanning Tree and VLANs Sales Blocked Port Blocked Data Link Chapter 21 Multiple Spanning Tree Protocol Page Page Multiple Spanning Tree Instance (MSTI) Figure 25. VLAN Fragmentation with STP or RSTP Blocked Port VLAN Production Untagged Ports Untagged Figure 26. MSTP Example of Two Spanning Tree Instances VLAN in MSTI 1 VLAN in MSTI 2 Untagged Ports Untagged MSTI 1 MSTI 2 Tagged Ports Tagged Presales Design Engineering MSTI Guidelines Page Ports in Multiple MSTIs Multiple Spanning Tree Regions GBIC AT-9424T/GB V Region Guidelines Common and Internal (CIST) MSTP with STP and RSTP Summary of Guidelines Page Associating VLANs to MSTIs Switch A Switch B Port 1 Port 8 BPDU Packet BPDU Packet Instances: CIST 0 and MSTI 10 Instances: CIST 0 Port 15 Port 4 Connecting VLANs Across Different Regions Page Section VI Virtual LANs Page Chapter 22 Port-based and Tagged VLANs Page Page Page Port-based VLAN Overview VLAN Name VLAN Identifier Untagged Ports Port VLAN Identifier Guidelines to Creating a Port- based VLAN Drawbacks of VLANs Example 1 Example 2 Page Tagged VLAN Overview Tagged and Untagged Ports Port VLAN Identifier Guidelines to Creating a Tagged VLAN Tagged VLAN Example Figure 34 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products. WAN Figure 34. Example of a Tagged VLAN Page Chapter 23 GARP VLAN Registration Protocol Page Page Page Page Page GVRP and Network Security GVRP-inactive Intermediate Switches Generic Attribute Registration Protocol (GARP) Overview Page Page Page Chapter 24 Multiple VLAN Modes Page Page 802.1Q- Compliant Multiple VLAN Mode Page Non-802.1Q Compliant Multiple VLAN Mode Chapter 25 Protected Ports VLANs Page Page Page Page Page Chapter 26 MAC Address-based VLANs Page Page Egress Ports Page Page VLANs That Span Switches Page VLAN Hierarchy Page Page Page Section VII Routing Page Chapter 27 Internet Protocol Version 4 Packet Routing Page Page Page Routing Interfaces VLAN ID (VID) Interface Numbers IP Address and Subnet Mask Page Interface Names Static Routes Page Routing Information Protocol (RIP) Page Default Routes Equal-cost Multi-path (ECMP) Routing Page Routing Table Address Resolution Protocol (ARP) Table Internet Control Message Protocol (ICMP) Page Routing Interfaces and Management Features Network Servers Enhanced Stacking Remote Telnet, SSH, and Web Browser Management Sessions Page Local Interface AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches Local Interface ARP Table Default Gateway Routing Command Example Creating the VLANs Creating the Routing Interfaces Adding a Static Route and Default Route Adding RIP Selecting the Local Interface Non-routing Command Example Page Upgrading from AT-S63 Version 1.3.0 or Earlier Chapter 28 BOOTP Relay Agent Page Page Page Page Page Chapter 29 Virtual Router Redundancy Protocol Page Page Master Switch Backup Switches Interface Monitoring Port Monitoring VRRP on the Switch Page Page Page Page Chapter 30 MAC Address-based Port Security Page Automatic Limited Secured Locked Invalid Frames and Intrusion Actions Page Chapter 31 802.1x Port-based Network Access Control Page Page Page Authentication Process Port Roles None Role Authenticator Role Authentication Modes Operational Settings Supplicant Role Authenticator Ports with Single and Multiple Supplicants Single Operating Mode Chapter 31: 802.1x Port-based Network Access Control 364 Section VIII: Port Security AT-9400 Switch Piggy-back Mode: Disabled Authenticated Client Port 6 Page Page Figure 43. Single Operating Mode with Multiple Clients Using the Piggy- back Feature - Example 3 AT-9400 Switch (A) Piggy-back Mode: Disabled Operating Mode Port 6: or Piggy-back Mode: Enabled Port 11: or Role: Supplicant Page AT-9400 Switch (A) AT-9400 Switch (B) Figure 45. Authenticator Port in Multiple Operating Mode - Example 2 Port 6 Client Ports: Supplicant and VLAN Associations Single Operating Mode Operating Mode Supplicant VLAN Attributes on the RADIUS Server Guest VLAN RADIUS Accounting General Steps Page Page Page Page Section IX Management Security Page Chapter 32 Web Server Page Supported Protocols Configuring the Web Server for HTTP Configuring the Web Server for HTTPS General Steps for a Self-signed General Steps for a Public or Private CA Page Chapter 33 Encryption Keys Page Page Encryption Key Length Encryption Key Guidelines Technical Overview Data Encryption Symmetrical Encryption DES Encryption Algorithms Triple DES Encryption Algorithms Asymmetrical (Public Key) Encryption Data Authentication Key Exchange Algorithms Page Chapter 34 PKI Certificates and SSL Page Types of Certificates Page Distinguished Names Page SSL and Enhanced Stacking Page Technical Overview SSL Encryption User Verification Authentication Public Key Infrastructure Public Keys Message Encryption Digital Signatures Certificates X.509 Certificates Elements of a Public Key Infrastructure End Entities (EE) Certification Authorities Validation CA Hierarchies and Certificate Chains Root CA Certificates Revocation Lists (CRLs) PKI Implementation PKI Standards Certificate Retrieval and Storage Root CA Certificate Validation Page Chapter 35 Secure Shell (SSH) Page Page Support for SSH SSH Server SSH Clients SSH and Enhanced Stacking Page SSH Configuration Guidelines General Steps to Configuring SSH Chapter 36 TACACS+ and RADIUS Protocols Page Page Page Page Page Page Page Chapter 37 Management Access Control List Page Page Parts of a Management ACE IP Address Mask Application Page Page Page Page Appendix A AT-S63 Management Software Default Settings Page Page Page BOOTP Relay Agent Class of Service Page 802.1x Port-Based Network Access Control Page Page Page Page GVRP IGMP Snooping Internet Protocol Version 4 Packet Routing MAC Address-based Port Security Page Page Manager and Operator Account Multicast Listener Discovery Snooping Public Key Infrastructure Port Settings RJ-45 Serial Terminal Port Page Server-based Authentication (RADIUS and TACACS+) Server-based Authentication TACACS+ Client RADIUS Client Simple Network Management Protocol Simple Network Time Protocol Spanning Tree Protocols (STP, RSTP, and MSTP) Switch Settings Protocol Rapid Spanning Tree Protocol Protocol Secure Shell Server Page Page Page Page VLANs Page Appendix B SNMPv3 Configuration Examples SNMPv3 Configuration Examples Manager Configuration Configure SNMPv3 User Table Menu Configure SNMPv3 View Table Menu Configure SNMPv3 Access Table Operator Configuration Configure SNMPv3 User Table Menu Configure SNMPv3 View Table Menu Worksheet Configure SNMPv3 Access Table Page Page Appendix C Features and Standards 10/100/1000Base-T Twisted Pair Ports Ethernet Protection Switching Ring Snooping Page MAC Address Table Management Access and Security Management Access Methods Management Interfaces Management MIBs Port Security Port Trunking and Mirroring Spanning Tree Protocols System Monitoring Traffic Control Virtual LANs Page Appendix D MIB Objects Access Control Lists Class of Service Date, Time, and SNTP Client Page Enhanced Stacking GVRP Page MAC Address Table Management Access Control List Miscellaneous Port Mirroring Quality of Service Page Port Configuration and Status Page Static Port Trunk VLANs Page Page Index Numerics A B C D E F G H K L M N O P Q R S T U V W X