Manuals / Blade ICE / Computer Equipment / Computer Accessories

Blade ICE G8000 manual Port-based Network Access Control, Chapter, „ “802.1X port states” on page

Models: G8000

1 145

Download 145 pages 21.85 Kb

Page 39

Image 39

CHAPTER 2

Port-based Network Access Control

Port-Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the G8000 that connect to servers.

The following topics are discussed in this section:

“Extensible Authentication Protocol over LAN” on page 40

“802.1X authentication process” on page 41

“802.1X port states” on page 43

“Supported RADIUS attributes” on page 44

“Configuration guidelines” on page 45

BMD00041, November 2008

Page 39

Image 39

Blade ICE G8000 manual Port-based Network Access Control, Chapter, „ “Extensible Authentication Protocol over LAN” on page

Contents

Part Number BMD00041, November RackSwitch G8000Application Guide VersionRackSwitch G8000 Application Guide Preface ContentsChapter 1 Accessing the Switch Chapter 2 Port-based Network Access ControlChapter 5 Spanning Tree Chapter 4 Ports and TrunkingChapter 7 Remote Monitoring Chapter 6 Quality of ServiceChapter 10 High Availability Appendix A TroubleshootingChapter 8 Basic IP Routing Chapter 9 IGMPFigures BMD00041, November RackSwitch G8000 Application GuideTables BMD00041, November RackSwitch G8000 Application GuideWho Should Use This Guide PrefaceWhat You’ll Find in This Guide Table 1 Typographic Conventions Typographic ConventionsRackSwitch G8000 Application Guide SymbolHow to Get Help „ “Using the Browser-Based Interface” on page „ “Using SNMP” on page Accessing the SwitchCHAPTER „ “Configuring an IP Interface” on page „ “Using Telnet” on pageCommand Reference Configuring an IP Interface1. Log on to the switch 2. Enter IP interface mode 4. Configure the default gateway. Enable the gatewayUsing Telnet Using the Browser-Based Interface Configuring BBI access via HTTPConfiguring BBI access via HTTPS The BBI is organized at a high level as follows SNMP Using SNMPDefault configuration SNMP v1User configuration 22 „ Chapter 1 Accessing the Switch RackSwitch G8000 Application GuideRS G8000 config# snmp-server group 5 user-name admin RS G8000 config# snmp-server group 5 group-name admingrp1. Configure an entry in the notify table Configuring SNMP Trap HostsSNMPv2 trap host configuration SNMPv1 trap hostSNMPv3 trap host configuration „ “End User Access Control” on page Securing Access to the Switch„ “RADIUS Authentication and Authorization” on page „ “TACACS+ Authentication” on pageHow RADIUS authentication works RADIUS Authentication and Authorization2. Configure the RADIUS secret and enable the feature Configuring RADIUSRADIUS authentication features in Blade OS Vendor-supplied Switch User AccountsRADIUS Attributes for G8000 user privileges Vendor-suppliedHow TACACS+ authentication works TACACS+ AuthenticationTACACS+ authentication features in Blade OS AuthorizationRS G8000 config# tacacs-server privilege-mapping Command authorization and logging AccountingRS G8000 config# tacacs-server command-authorization 4. Configure the number of retry attempts, and the timeout period Configuring TACACS+ AuthenticationRS G8000 config# tacacs-server command-logging 2. Configure the TACACS+ secret and second secretConfiguring SSH features on the switch Secure ShellSSH encryption of management messages RS G8000 config# ssh generate-server-key Generating RSA Host and Server Keys for SSH accessSSH Integration with RADIUS/TACACS+ Authentication RS G8000 config# ssh generate-host-keySetting up User IDs End User Access ControlConsiderations for configuring End User Accounts User Access ControlEnabling or Disabling a User Defining a User’s access levelListing current Users Logging into an End User accountRackSwitch G8000 Application Guide 38 „ Chapter 1 Accessing the SwitchBMD00041, November „ “Configuration guidelines” on page Port-based Network Access Control„ “Extensible Authentication Protocol over LAN” on page „ “802.1X authentication process” on pageExtensible Authentication Protocol over LAN 802.1X authentication process Port UnauthorizedPort Authorized EAPoL message exchange „ Force Unauthorized 802.1X port states„ Unauthorized „ AuthorizedTable 2 Support for RADIUS Attributes Supported RADIUS attributesRackSwitch G8000 Application Guide 44 „ Chapter 2 Port-based Network Access ControlConfiguration guidelines RackSwitch G8000 Application Guide 46 „ Chapter 2 Port-based Network Access ControlBMD00041, November „ “VLAN Topologies and Design Considerations” on page VLANsCHAPTER „ “VLANs and Port VLAN ID Numbers” on page „ “VLAN Tagging” on pageOverview VLANs and Port VLAN ID Numbers VLAN numbersViewing VLANs PVID numbers Viewing and Configuring PVIDsVLAN Tagging BS45010A Figure 3-1 Default VLAN settingsFigure 3-2 Port-based VLAN assignment Figure 3-3 802.1Q tagging after port-based VLAN assignmentBefore 16 bits Figure 3-4 802.1Q tag assignmentFigure 3-5 802.1Q tagging after 802.1Q tag assignment untagged packetVLAN Topologies and Design Considerations VLAN configuration rulesMultiple VLANs with Tagging Adapters ComponentDescription Description Component3. Configure the VLANs and their member ports VLAN configuration example1. Enable VLAN tagging on server ports that support multiple VLANs 2. Enable tagging on uplink ports that support multiple VLANsPrivate VLAN ports Private VLANsConfiguration example Configuration guidelines1. Select a VLAN and define the Private VLAN type as primary enable 2. Configure a secondary VLAN and map it to the primary VLAN3. Verify the configuration RackSwitch G8000 Application GuideRackSwitch G8000 Application Guide 62 „ Chapter 3 VLANsBMD00041, November „ ““Overview” on page 64” „ “Port Trunking Example” on page Ports and Trunking„ “Configurable Trunk Hash Algorithm” on page CHAPTERBuilt-In fault tolerance Statistical load distributionOverview Static trunk group configuration rules Before you configure static trunks„ All trunk members must be in the same Spanning Tree Group STG and can belong to only one Spanning Tree Group STG. However if all ports are tagged, then all trunk ports can belong to multiple STGs 1. Follow these steps on the G8000 Port Trunking ExampleTrunk 3 Ports 2, 23, and Trunk 1 Ports 1, 7, andRS G8000 config# portchannel 1 member 1,7,32 2. Repeat the process on the other switch3. Connect the switch ports that will be members in the trunk group 4. Examine the trunking information on each switchConfigurable Trunk Hash Algorithm Admin key Link Aggregation Control ProtocolEach port on the switch can have one of the following LACP modes LACP configuration guidelines Configuring LACP3. Set the LACP mode „ “Per VLAN Rapid Spanning Tree” on page Spanning TreeCHAPTER „ “Overview” on page „ “Rapid Spanning Tree Protocol” on pageTable 5-1 Ports, Trunk Groups, and VLANs OverviewBridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Port Path Cost Spanning Tree Group configuration guidelinesChanging the Spanning Tree mode Port PriorityAssigning a VLAN to a Spanning Tree Group Creating a VLAN Rules for VLAN Tagged portsAdding and removing ports from STGs RackSwitch G8000 Application Guide BMD00041, NovemberChapter 5 Spanning Tree „ Port state changes Rapid Spanning Tree ProtocolLink Type RSTP configuration guidelinesPort Type and Link Type Edge Port2. Set the Spanning Tree mode to Rapid Spanning Tree RSTP configuration exampleConfigure Rapid Spanning Tree 1. Configure port and VLAN membership on the switchPer VLAN Rapid Spanning Tree Default Spanning Tree configurationWhy do we need multiple Spanning Trees? Figure 5-1 Two VLANs on one Spanning Tree GroupFigure 5-2 Two VLANs, each on a different Spanning Tree Group PVRST configuration guidelines Configuring PVRST1. Set the Spanning-tree mode to PVRST+ Multiple Spanning Tree Protocol MSTP RegionCommon Internal Spanning Tree MSTP configuration guidelines Blocking VLAN Passing VLANBlocking VLAN RackSwitch G8000 Application Guide2. Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groupsmember RackSwitch G8000 Application Guideenable memberConfiguration Guidelines Configuring Fast Uplink ConvergenceFast Uplink Convergence RackSwitch G8000 Application Guide 92 „ Chapter 5 Spanning TreeBMD00041, November „ “Using DSCP Values to Provide QoS” on page Quality of Service„ “Overview” on page „ “Using ACL Filters” on page „ “Using Storm Control Filters” on pageOverview Permit/DenyFilter COS QueueMAC Extended ACLs Using ACL FiltersIP Extended ACLs IP Standard ACLsTable 6-1 Well-known protocol types RackSwitch G8000 Application GuideRS G8000 config# access-list ip extended RS G8000 config# no access-list ip extendedACL IP Extended Understanding ACL priorityAssigning ACLs to a port Port 1 access group ACL IP ExtendedViewing ACL statistics 3. Verify the configuration ACL configuration examplesExample 1. Configure an Access Control List2. Assign the ACL to port Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is denied1. Configure an Access Control List Exampleconfig# ip access-list ip extended 1. Configure an Access Control List1. Configure an Access Control List RackSwitch G8000 Application Guide2. Configure IP ACLs to deny all other traffic 4. Configure a MAC ACL to deny all other trafficExample ip access-group 1103 in RackSwitch G8000 Application GuideRS G8000 config# interface port RS G8000 config-if#Using Storm Control Filters Configuring storm controlBroadcast storms Using DSCP Values to Provide QoS Differentiated Services Concepts7 6 5 4 The switch can perform the following actions to the DSCP Per Hop Behavior Service Level QoS LevelsDefault QoS Service Levels RackSwitch G8000 Application GuideDSCP-to-802.1p mapping Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet Using 802.1p Priority to Provide QoS802.1p configuration example Queuing and Scheduling1. Configure a port’s default 802.1p priority value to Remote Monitoring OverviewCHAPTER 2. Configure the RMON statistics on a port Configuring RMON statisticsRMON group 1-Statistics 1. Enable RMON on a portRMON group 2-History History MIB Object IDRS G8000# show rmon history 2. Configure the RMON History parameters for a port RMON group 3-AlarmsConfiguring RMON History 1. Enable RMON on a portAlarm MIB objects Configuring RMON AlarmsExample 1. Configure the RMON event parameters Configure RMON eventsRMON group 9-Events 1. Configure the RMON Alarm parameters to track ICMP messages„ “IP Routing Benefits” on page Basic IP Routing„ “Dynamic Host Configuration Protocol” on page CHAPTERIP Routing Benefits Figure 8-1 The Router Legacy Network Routing Between IP Subnets„ Traffic to the router increases, increasing congestion Figure 8-2 Switch-Based Routing Topology Example of Subnet RoutingTable 8-1 Subnet Routing Example IP Address Assignments Using VLANs to segregate Broadcast DomainsConfiguration example 2. Assign an IP interface for each subnet attached to the switchenable 4. Add the switch ports to their respective VLANsRackSwitch G8000 Application Guide enable5. Assign a VLAN to each IP interface 6. Configure the default gateway to the routers’ addresses7. Enable IP routing 8. Verify the configurationDynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Chapter 8 Basic IP RoutingBMD00041, November „ “Static Multicast Router” on page IGMPCHAPTER „ “IGMP Snooping” on page „ “IGMPv3 Snooping” on pageRS G8000 config# no ip igmp flood IGMP SnoopingFastLeave IGMPv3 SnoopingRS G8000 config# ip igmp fastleave VLAN number RS G8000 config# ip igmp snoop igmpv3 sources IGMP Snooping configuration exampleConfigure IGMP Snooping RS G8000 config# no ip igmp snoop igmpv3 excludeRS G8000# show ip igmp mrouter RackSwitch G8000 Application Guide5. View dynamic IGMP information RS G8000# show ip igmp groupsConfigure a Static Multicast Router Static Multicast Router2. Verify the configuration BMD00041, November High AvailabilityCHAPTER „ “Uplink Failure Detection” on pageFigure 10-1 Uplink Failure Detection example Uplink Failure Detection„ Link to Monitor LtM Failure Detection PairSpanning Tree Protocol with UFD Configuration guidelines2. Assign the Link to Monitor LtM ports Configuring UFDMonitoring UFD 1. Configure Network Adapter Teaming on the serversBMD00041, November TroubleshootingAPPENDIX A „ “Monitoring Ports” on pageFigure A-1 Monitoring Ports Monitoring Ports3. View the current configuration Configuring Port MirroringPort Mirroring behavior 2. Enable port mirroringRackSwitch G8000 Application Guide 142 „ Appendix A TroubleshootingBMD00041, November Symbols IndexNumerics

Port-based Network Access Control

“Extensible Authentication Protocol over LAN” on page 40

“802.1X authentication process” on page 41

“802.1X port states” on page 43

“Supported RADIUS attributes” on page 44

“Configuration guidelines” on page 45

“Extensible Authentication Protocol over LAN” on page 40

“802.1X authentication process” on page 41

“802.1X port states” on page 43

“Supported RADIUS attributes” on page 44

“Configuration guidelines” on page 45