Configuration guidelines | Blade ICE G8000 manual

RackSwitch G8000 Application Guide

Configuration guidelines

When configuring EAPoL, consider the following guidelines:

The 802.1X port-based authentication is currently supported only in point-to-point config- urations, that is, with a single supplicant connected to an 802.1X-enabled switch port.

When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.

The 802.1X supplicant capability is not supported. Therefore, none of its ports can suc- cessfully connect to an 802.1X-enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is con- figured in forced-authorized mode. For example, if a G8000 is connected to another G8000, and if 802.1X is enabled on both switches, the two connected ports must be con- figured in force-authorized mode.

The 802.1X standard has optional provisions for supporting dynamic virtual LAN assignment via RADIUS tunnelling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and Tunnel-Private-Group-ID (=VLAN id).

These attributes are not supported and might affect 802.1X operations. Other unsupported attributes include Service-Type, Session-Timeout, and Termination-Action.

RADIUS accounting service for 802.1X-authenticated devices or users is not supported.

Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately.

BMD00041, November 2008

Chapter 2: Port-based Network Access Control 45

Image 45

Blade ICE G8000 manual Configuration guidelines

Contents

Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Who Should Use This Guide Preface What You’ll Find in This Guide Typographic Conventions Typographic Conventions How to Get Help Accessing the Switch Configuring an IP Interface Log on to the switch Enter IP interface modeConfigure the default gateway. Enable the gateway Using Telnet Using the Browser-Based Interface Configuring BBI access via HttpConfiguring BBI access via Https RS G8000 config# access https import-certificate Default configuration Using SnmpSnmp v1 Snmp Privacy-password User configuration 22 „ Accessing the Switch SNMPv2 trap host configuration Configuring Snmp Trap HostsConfigure an entry in the notify table SNMPv1 trap host SNMPv3 trap host configuration Securing Access to the Switch How Radius authentication works Radius Authentication and Authorization Configure the Radius secret and enable the feature Configuring Radius Radius authentication features in Blade OS Radius Attributes for G8000 user privileges Switch User Accounts How TACACS+ authentication works TACACS+ Authentication Authorization TACACS+ authentication features in Blade OS Accounting Command authorization and logging Configure the TACACS+ secret and second secret Configuring TACACS+ Authentication Configuring SSH features on the switch Secure ShellSSH encryption of management messages SSH Integration with RADIUS/TACACS+ Authentication Generating RSA Host and Server Keys for SSH access End User Access Control Considerations for configuring End User AccountsUser Access Control Logging into an End User account Listing current Users RackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN Port Unauthorized 802.1X authentication process EAPoL message exchange „ Unauthorized 802.1X port states„ Authorized „ Force Unauthorized Support for Radius Attributes Supported Radius attributes Configuration guidelines BMD00041, November VLANs Overview VLANs and Port Vlan ID Numbers Vlan numbersViewing VLANs Pvid numbers Viewing and Configuring PVIDs Vlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan Topologies and Design Considerations Vlan configuration rules Component Description Multiple VLANs with Tagging Adapters Vlan Vlan configuration example Enable tagging on uplink ports that support multiple VLANsConfigure the VLANs and their member ports Private Vlan ports Private VLANs Select a Vlan and define the Private Vlan type as primary Configuration example Verify the configuration Configure a secondary Vlan and map it to the primary Vlan RackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Statistical load distribution Built-In fault tolerance Static trunk group configuration rules Before you configure static trunks 66 „ Ports and Trunking Follow these steps on the G8000 Port Trunking Example Examine the trunking information on each switch Repeat the process on the other switch „ Source IP SIP + Destination IP DIP Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Admin key RS G8000 # show lacp information Lacp configuration guidelines Configuring LacpSet the Lacp mode Spanning Tree 1Ports, Trunk Groups, and VLANs Determining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUs Changing the Spanning Tree mode Spanning Tree Group configuration guidelines Assigning a Vlan to a Spanning Tree Group Creating a Vlan Rules for Vlan Tagged portsAdding and removing ports from STGs RackSwitch G8000 Application Guide Port state changes Rapid Spanning Tree Protocol Port Type and Link Type Rstp configuration guidelinesEdge Port Link Type Configure Rapid Spanning Tree Rstp configuration example Per Vlan Rapid Spanning Tree Default Spanning Tree configuration 1Two VLANs on one Spanning Tree Group Why do we need multiple Spanning Trees? Pvrst configuration guidelines Configuring PvrstSet the Spanning-tree mode to PVRST+ Multiple Spanning Tree Protocol Mstp RegionCommon Internal Spanning Tree Mstp configuration guidelines Passing Vlan Blocking Vlan Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groups 90 „ Spanning Tree Fast Uplink Convergence Configuring Fast Uplink Convergence RackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS MAC Extended ACLs Using ACL Filters IP Extended ACLs IP Standard ACLs 1Well-known protocol types Assigning ACLs to a port Understanding ACL priority Viewing ACL statistics Use the following command to view ACL statistics Configure an Access Control List ACL configuration examplesExample Assign the ACL to port 100.10.1.0 Add the ACL to a port Add the ACL to port Configure a MAC ACL to deny all other traffic Configure IP ACLs to deny all other traffic Assign the ACLs to a port Using Storm Control Filters Configuring storm controlBroadcast storms Differentiated Services Concepts Using Dscp Values to Provide QoS RackSwitch G8000 Application Guide Drop Class Precedence Per Hop Behavior QoS Levels Default QoS Service Levels DSCP-to-802.1p mapping Use the following command to perform DSCP-to-802.1p mapping 3Layer 2 802.1q/802.1p Vlan tagged packet Using 802.1p Priority to Provide QoS 802.1p configuration example Configure a port’s default 802.1p priority value toQueuing and Scheduling Overview Remote Monitoring Enable Rmon on a port Configuring Rmon statisticsConfigure the Rmon statistics on a port Rmon group 1-Statistics History MIB Object ID Rmon group 2-History Configuring Rmon History Rmon group 3-AlarmsConfigure the Rmon History parameters for a port View Rmon History for the port Configuring Rmon Alarms Alarm MIB objects Configure the Rmon Alarm parameters to track Icmp messages Configure Rmon eventsConfigure the Rmon event parameters Rmon group 9-Events Basic IP Routing IP Routing Benefits 1The Router Legacy Network Routing Between IP Subnets 122 „ Basic IP Routing Example of Subnet Routing 2Switch-Based Routing Topology 1Subnet Routing Example IP Address Assignments Using VLANs to segregate Broadcast Domains 3Subnet Routing Example Optional Vlan Ports Add the switch ports to their respective VLANs Configure the default gateway to the routers’ addresses Enable IP routingAssign a Vlan to each IP interface Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping IGMPv3 Snooping FastLeave Configure Igmp Snooping Igmp Snooping configuration exampleEnable IGMPv3 Snooping optional Add VLANs to Igmp Snooping RS G8000# show ip igmp groups View dynamic Igmp information Static Multicast Router Configure a Static Multicast Router High Availability 1Uplink Failure Detection example Uplink Failure Detection Failure Detection Pair Spanning Tree Protocol with UFD Configuration guidelines Configuring UFD Monitoring UFDTurn on Uplink Failure Detection UFD Troubleshooting Figure A-1Monitoring Ports Monitoring Ports Enable port mirroring Configuring Port MirroringView the current configuration Port Mirroring behavior BMD00041, November Numerics Index Igmp TACACS+