Blade ICE G8124-E, G8124 TACACS+ Authentication Features in BLADEOS

BLADEOS 6.5.2 Application Guide

70  Chapter 4: Authentication & Authorization Protocols BMD00220, October 2010

TACACS+ Authentication Features in BLADEOS

Authentication is the action of determining the identity of a user, and is generally done when the

user first attempts to log in to a device or gain access to its services. BLADEOS supports ASCII

inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password

requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place

after authentication.

The default mapping between TACACS+ authorization levels and BLADEOS management access

levels is shown in Tabl e 5. The authorization levels must be defined on the TACACS+ server.

Alternate mapping between TACACS+ authorization levels and BLADEOS management access levels

is shown in Tabl e 6. Use the following command to set the alternate TACACS+ authorization levels.

If the remote user is successfully authenticated by the authentication server, the switch verifies the

privileges of the remote user and authorizes the appropriate access. The administrator has an option

to allow secure backdoor access via Telnet/SSH. Secure backdoor provides switch access when the

TACACS+ servers cannot be reached. You always can access the switch via the console port, by

using notacacs and the administrator password, whether secure backdoor is enabled or not.

Note – To obtain the TACACS+ backdoor password for your G8124, contact Technical Support.

Tabl e 5 Default TACACS+ Authorization Levels

BLADEOS User Access Level TACACS+ level

user 0

oper 3

admin 6

RS G8124(config)#tacacs-server privilege-mapping

Tabl e 6 Alternate TACACS+ Authorization Levels

BLADEOS User Access Level TACACS+ level

user 0 - 1

oper 6 - 8

admin 14 - 15

Contents

Main Page Contents Part 1: Getting Started 23 Part 2: Securing the Switch 53 Page Part 3: Switch Basics 85 Page Part 4: Advanced Switching Features 145 Page Part 5: IP Routing 217 Page Page Part 6: High Availability Fundamentals 315 Part 7: Network Management 343 Part 8: Monitoring 367 Part 9: Appendices 379 Page Preface Who Should Use This Guide What Youll Find in This Guide Part 1: Getting Started Part 2: Securing the Switch Part 3: Switch Basics Part 4: Advanced Switching Features Part 5: IP Routing Part 6: High Availability Fundamentals Part 7: Network Management Part 8: Monitoring Part 9: Appendices Additional References Typographic Conventions How to Get Help Page Page CHAPTER 1 Switch Administration Administration Interfaces Command Line Interface Browser-Based Interface Establishing a Connection Using the Switch Management Ports Page Using the Switch Data Ports Using Telnet Using Secure Shell Using SSH to Access the Switch Using a Web Browser Configuring HTTP Access to the BBI Configuring HTTPS Access to the BBI Page BBI Summary Using Simple Network Management Protocol BOOTP/DHCP Client IP Address Services Global BOOTP Relay Agent Configuration Domain-Specific BOOTP Relay Agent Configuration Switch Login Levels Page Page CHAPTER 2 Initial Setup Information Needed for Setup Default Setup Options Stopping and Restarting Setup Manually Stopping Setup Restarting Setup Setup Part 1: Basic System Configuration Setup Part 2: Port Configuration Page Setup Part 3: VLANs Setup Part 4: IP Configuration IP Interfaces Page Default Gateways IP Routing Setup Part 5: Final Steps Optional Setup for Telnet Support Page Page Page CHAPTER 3 Securing Administration Secure Shell and Secure Copy Configuring SSH/SCP Features on the Switch To Enable or Disable the SSH Feature To Enable or Disable SCP Apply and Save Configuring the SCP Administrator Password Using SSH and SCP Client Commands To Log In to the Switch To Copy the Switch Configuration File to the SCP Host To Load a Switch Configuration File from the SCP Host To Apply and Save the Configuration To Copy the Switch Image and Boot Files to the SCP Host To Load Switch Configuration Files from the SCP Host SSH and SCP Encryption of Management Messages Generating RSA Host and Server Keys for SSH Access SSH/SCP Integration with Radius Authentication SSH/SCP Integration with TACACS+ Authentication SecurID Support Using SecurID with SSH Using SecurID with SCP End User Access Control Considerations for Configuring End User Accounts Strong Passwords User Access Control Setting up User IDs Defining a Users Access Level Validating a Users Configuration Enabling or Disabling a User Listing Current Users Logging into an End User Account CHAPTER 4 Authentication & Authorization Protocols RADIUS Authentication and Authorization How RADIUS Authentication Works Configuring RADIUS on the Switch RADIUS Authentication Features in BLADEOS Switch User Accounts RADIUS Attributes for BLADEOS User Privileges TACACS+ Authentication How TACACS+ Authentication Works TACACS+ Authentication Features in BLADEOS Authorization Accounting Command Authorization and Logging Configuring TACACS+ Authentication on the Switch LDAP Authentication and Authorization Configuring the LDAP Server Configuring LDAP Authentication on the Switch CHAPTER 5 Access Control Lists Summary of Packet Classifiers Page Summary of ACL Actions Assigning Individual ACLs to a Port ACL Order of Precedence ACL Metering and Re-Marking Metering Re-Marking ACL Port Mirroring Viewing ACL Statistics ACL Configuration Examples ACL Example 1 ACL Example 2 ACL Example 3 VLAN Maps Page Using Storm Control Filters Broadcast Storms Configuring Storm Control Page Page CHAPTER 6 VLANs VLANs Overview VLANs and Port VLAN ID Numbers VLAN Numbers PVID Numbers VLAN Tagging Page 92 Chapter 6: VLANs BMD00220, October 2010 Figure 2 Port-based VLAN assignment r o f B Figure 4 802.1Q tag assignment r o f B VLAN Topologies and Desi gn Considerations VLAN Configuration Rules Multiple VLANs with Tagging Adapters Page VLAN Configuration Example Private VLANs Private VLAN Ports Page Page CHAPTER 7 Ports and Trunking Trunking Overview Before You Configure Static T runks Trunk Group Configuration Rules Port Trunking Example Page Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Configuring LACP CHAPTER 8 Spanning T ree Protocols Spanning Tree Protocol Modes Global STP Control STP/PVST+ Mode Port States Bridge Protocol Data Units Bridge Protocol Data Units Overview Determining the Path for Forwarding BPDUs Bridge Priority Port Priority Fast Uplink Convergence Fast Uplink Configuration Guidelines Configuring Fast Uplink Convergence Port Fast Forwarding Simple STP Configuration x Page Per-VLAN Spanning Tree Groups Using Multiple STGs to Eliminate False Loops STP/PVST+ Defaults and Guidelines Adding a VLAN to a Spanning Tree Group Creating a VLAN Rules for VLAN Tagged Ports Adding and Removing Ports from STGs Switch-Centric Configuration Configuring Multiple STGs Page Rapid Spanning Tree Protocol Port State Changes RSTP Configuration Guidelines RSTP Configuration Example Per-VLAN Rapid Spanning Tree Groups Configuring PVRST Multiple Spanning T ree Pro tocol MSTP Region Common Internal Spanning Tree MSTP Configuration Guidelines MSTP Configuration Example 1 MSTP Configuration Example 2 Blocking VLAN 1 Passing VLAN 2 Passing VLAN 1 Blocking VLAN 2 Page Port Type and Link Type Edge Port Link Type Page CHAPTER 9 Quality of Service QoS Overview ACL Filter Permit/Deny COS Queue Using ACL Filters Summary of ACL Actions ACL Metering and Re-Marking Metering Re-Marking Using DSCP Values to Provide QoS Differentiated Services Concepts 7 6 5 4 3 2 1 0 Per Hop Behavior QoS Levels DSCP Re-Marking and Mapping DSCP Re-Marking Configuration Example Using 802.1p Priority to Provide QoS 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 Queuing and Scheduling Page Page Page CHAPTER 10 Deployment Profiles Available Profiles Page Selecting Profiles Automatic Configuration Changes Page CHAPTER 11 Virtualization Page CHAPTER 12 Virtual NICs Defining Server Ports Enabling the vNIC Feature vNIC IDs vNIC IDs on the Switch vNIC Interface Names on the Server vNIC Bandwidth Metering vNIC Groups Page vNIC Teaming Failover Servers Primary Switch To Backup Switch Virtual Pipes Page BMD00220, October 2010 Chapter 12: Virtual NICs 161 vNIC Configuration Example Consider the following example configuration: Figure 21 Multiple vNIC Groups Switch 1 Servers VNIC Group 1 VLAN 1000 VNIC Group 2 VLAN 1774 Page Page vNICs for iSCSI on Emulex Eraptor 2 CHAPTER 13 VMready VE Capacity Defining Server Ports VM Group Types Local VM Groups Configuring a Local VM Group Page Distributed VM Groups VM Profiles Initializing a Distributed VM Group Assigning Members Synchronizing the Configuration Removing Member VEs Virtualization Management Servers Assigning a vCenter vCenter Scans Deleting the vCenter Exporting Profiles VMware Operational Commands Pre-Provisioning VEs VLAN Maps Page VM Policy Bandwidth Control VM Policy Bandwidth Control Commands Bandwidth Policies vs. Bandwidth Shaping VMready Information Displays Local VE Information To view additional detail regarding any specific VE, see vCenter VE Details on page183). vCenter Hypervisor Hosts vCenter VEs vCenter VE Details VMready Configuration Example Page Page CHAPTER 14 FCoE and CEE Page Fibre Channel over Ethernet The FCoE Topology Fibre Channel LAN Page FCoE Requirements Converged Enhanced Ethernet ! Turning CEE On or Off Effects on Link Layer Discovery Protocol Effects on 802.1p Quality of Service Effects on Flow Control FCoE Initialization Protocol Snooping Global FIP Snooping Settings FIP Snooping for Specific Ports Port FCF and ENode Detection FCoE Connection Timeout FCoE ACL Rules FCoE VLANs Viewing FIP Snooping Information Operational Commands FIP Snooping Configuration Priority-Based Flow Control Global Configuration PFC Configuration Example Page Enhanced Transmission Selection 802.1p Priority Values Page Priority Groups PGID Assigning Priority Values to a Priority Group Deleting a Priority Group Allocating Bandwidth Allocated Bandwidth for PGID 0 Through 7 Unlimited Bandwidth for PGID 15 Configuring ETS Page Data Center Bridging Capability Exchange DCBX Settings Enabling and Disabling DCBX Peer Configuration Negotiation Page Configuring DCBX Page Page Part 5: IP Routing Page CHAPTER 15 Basic IP Routing IP Routing Benefits Routing Between IP Subnets Page Example of Subnet Routing Using VLANs to Segregate Broadcast Domains Page Page ECMP Static Routes OSPF Integration ECMP Route Hashing Configuring ECMP Static Routes Dynamic Host Configuration Protocol DHCP Relay Agent Page CHAPTER 16 Internet Protocol Version 6 IPv6 Limitations IPv6 Address Format IPv6 Address T ype s Unicast Address Multicast Anycast IPv6 Address Autoconfiguration IPv6 Interfaces Neighbor Discovery Neighbor Discovery Overview Host vs. Router Supported Applications Page Configuration Guidelines IPv6 Configuration Examples IPv6 Example 1 IPv6 Example 2 Page Page CHAPTER 17 Routing Information Protocol Distance Vector Protocol Stability Routing Updates RIPv1 RIPv2 RIPv2 in RIPv1 Compatibility Mode RIP Features Poison Triggered Updates Multicast Default Metric Authentication RIP Configuration Example 3. Turn on RIP globally and enable RIP for each interface. 2. Add IP interfaces with IPv4 addresses to VLANs. Page CHAPTER 18 Internet Group Management Protocol IGMP Snooping IGMP Groups FastLeave IGMPv3 Snooping Page IGMP Snooping Configuration Example Static Multicast Router Configure a Static Multicast Router IGMP Querier IGMP Filtering Configuring the Range Configuring the Action Configure IGMP Filtering Page CHAPTER 19 Border Gateway Protocol Internal Routing Versus Exte rnal Routing Forming BGP Peer Routers What is a Route Map? Incoming and Outgoing Route Maps Access Lists (alist) Network Filter (nwf) Route Maps (rmap) Precedence Configuration Overview Page Aggregating Routes Redistributing Routes BGP Attributes Local Preference Attribute Metric (Multi-Exit Discriminator) Attribute Selecting Route Paths in BGP BGP Failover Configuration Page Default Redistribution and Route Aggregation Example Page Page CHAPTER 20 OSPF OSPFv2 Overview Types of OSPF Areas Backbone Area 0 Stub Area Not-So-Stubby Area (NSSA) Transit Area Types of OSPF Routing Devices OSPF Autonomous System Area 3 Area 2 Neighbors and Adjacencies The Link-State Database The Shortest Path First Tree Internal Versus External Routing OSPFv2 Implementation in BLADEOS Configurable Parameters Defining Areas Assigning the Area Index Using the Area ID to Assign the OSPF Area Number Attaching an Area to a Network Interface Cost Electing the Designated Router and Backup Summarizing Routes Default Routes The OSPF default route configuration can be removed with the command: Virtual Links Router ID Authentication Configuring Plain Text OSPF Passwords Configuring MD5 Authentication Host Routes for Load Balancing OSPF Features Not Supported in This Release OSPFv2 Configuration Examples Example 1: Simple OSPF Domain Page Example 2: Virtual Links Configuring OSPF for a Virtual Link on Switch #1 Page Configuring OSPF for a Virtual Link on Switch #2 Other Virtual Link Options Example 3: Summarizing Routes Page Verifying OSPF Configuration OSPFv3 Implementation in BLADEOS OSPFv3 Differences from OSPFv2 OSPFv3 Requires IPv6 Interfaces OSPFv3 Uses Independent Command Paths OSPFv3 Identifies Neighbors by Router ID Other Internal Improvements OSPFv3 Limitations OSPFv3 Configuration Example BLADE Switch Page Page CHAPTER 21 Protocol Independent Multicast PIM Overview Supported PIM Modes and Features Basic PIM Settings Globally Enabling or Disabling the PIM Feature Defining a PIM Network Component Defining an IP Interface for PIM Use PIM Neighbor Filters Additional Sparse Mode Settings Specifying the Rendezvous Point Influencing the Designated Router Selection Specifying a Bootstrap Router Using PIM with Other Features PIM with ACLs or VMAPs PIM with IGMP PIM Configuration Examples Example 1: PIM-SM with Dynamic RP Example 2: PIM-SM with Static RP Example 3: PIM-DM Page Page Page Page CHAPTER 22 Basic Redundancy Trunking for Link Redundancy Hot Links Forward Delay Preemption FDB Update Configuring Hot Links Active MultiPath Protocol Health Checks FDB Flush Configuring an Aggregator Switch Configuring an Access Switch Verifying AMP Operation Page CHAPTER 23 Layer 2 Failover Monitoring Trunk Links Setting the Failover Limit Manually Monitoring Port Links Monitor Port State Control Port State L2 Failover with Other Features LACP Spanning Tree Protocol Configuration Guidelines Configuring Layer 2 Failover Page CHAPTER 24 Virtual Router Redundancy Protocol VRRP Overview VRRP Components Virtual Router Virtual Router MAC Address Owners and Renters VRRP Operation Selecting the Master VRRP Router Failover Methods Active-Active Redundancy Virtual Router Group Active (subnet A and C) Active (subnet B and D) BLADEOS Extensions to VRRP Virtual Router Deployment Considerations Assigning VRRP Virtual Router ID Configuring the Switch for Tracking High Availability Configurations Task 1: Configure G8124 1 1. Configure client and server interfaces. 3. Turn on VRRP and configure two Virtual Interface Routers. 2. Configure the default gateways. Each default gateway points to a Layer 3 router. Page Task 2: Configure G8124 2 1. Configure client and server interfaces. 3. Turn on VRRP and configure two Virtual Interface Routers. 2. Configure the default gateways. Each default gateway points to a Layer 3 router. Page Page Page CHAPTER 25 Link Layer Discovery Protocol LLDP Overview Enabling or Disabling LLDP Global LLDP Setting Transmit and Receive Control LLDP Transmit Fea tures Scheduled Interval Minimum Interval Time-to-Live for Transmitted Information Trap Notifications Changing the LLDP Transmit State Types of Information Tr ansmitted Page LLDP Receive Features Types of Information Received Viewing Remote Device Information Time-to-Live for Received Information LLDP Example Configuration Page CHAPTER 26 Simple Network Management Protocol SNMP Version 1 SNMP Version 3 Default Configuration User Configuration Example Configuring SNMP Trap Host s SNMPv1 Trap Host 5. Use the community table to specify which community string is used in the trap. SNMPv2 Trap Host Configuration Note BLADEOS 6.5 supports only IPv4 addresses for SNMP trap hosts. SNMPv3 Trap Host Configuration SNMP MIBs Page Page Switch Images and Configuration Files Loading a New Switch Image Loading a Saved Switch Configuration Saving the Switch Configuration Saving a Switch Dump Page Page CHAPTER 27 Remote Monitoring RMON Overview RMON Group 1Statistics Example Configuration RMON Group 2History History MIB Object ID Configuring RMON History RMON Group 3Alarms Alarm MIB objects Configuring RMON Alarms RMON Group 9Events CHAPTER 28 sFLOW sFlow Statistical Counters sFlow Network Sampling sFlow Example Configuration CHAPTER 29 Port Mirroring Configuring Port Mirroring Page Page APPENDIX A Glossary Page Index Symbols Numerics A B D E F G H I J L M N P Q R S T U V W