Manuals / Cabletron Systems / Computer Equipment / Network Router

Cabletron Systems SmartSwitch manual Configuring Tacacs Plus, Monitoring Tacacs Plus

Models: SmartSwitch

1 338

Download 338 pages 45.77 Kb

Page 274

Chapter 18: Security Configuration Guide

Configuring TACACS Plus

You can secure login or Enable mode access to the SSR by enabling a TACACS Plus client. A TACACS Plus server responds to the SSR TACACS Plus client to provide authentication.

You can configure up to five TACACS Plus server targets on the SSR. A timeout is set to tell the SSR how long to wait for a response from TACACS Plus servers.

To configure TACACS Plus security, enter the following commands in Configure mode:

Specify a TACACS Plus server.	tacacs-plus set server <hostname or IP-addr>

Set the TACACS Plus time to wait	tacacs-plus set timeout <number>
for a TACACS Plus server reply.

Determine the SSR action if no	tacacs-plus set last-resort
server responds.	passwordsucceed

Enable TACACS Plus.	tacacs-plus enable

Cause TACACS Plus	tacacs-plus authentication loginenable
authentication at user login or
when user tries to access Enable
mode.

Cause TACACS Plus	tacacs-plus authentication loginenable
authentication at user login or
when user tries to access Enable
mode.

Logs specified types of command	tacacs-plus accounting command level
to TACACS Plus server.	<level>

Logs to TACACS Plus server	tacacs-plus accounting shell
when shell is stopped or started	startstopall
on SSR.

Logs to TACACS Plus server	tacacs-plus accounting snmp
SNMP changes to startup or	activestartup
active configuration.

Logs specified type(s) of	tacacs-plus accounting system
messages to TACACS Plus server.	fatalerrorwarninginfo

Monitoring TACACS Plus

You can monitor TACACS Plus configuration and statistics within the SSR.

274	SmartSwitch Router User Reference Manual

Image 274

Cabletron Systems SmartSwitch manual Configuring Tacacs Plus, Monitoring Tacacs Plus

Contents

SmartSwitch Router User Reference Manual 9032578-04SmartSwitch Router User Reference Manual Industry Canada Notice Vcci NoticeCabletron SYSTEMS, INC Program License Agreement SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual SmartSwitch Router User Reference Manual Cabletron Systems Limited Program License Agreement SmartSwitch Router User Reference Manual Safety Information Laser Radiation and ConnectorsEC Directive 89/336/EEC EC Directive 73/23/EECSmartSwitch Router User Reference Manual Contents Hot Swapping Line Cards and Control Modules SmartTRUNK Configuration Guide Creating a non-IP/non-IPX VlanVrrp Configuration Guide 127 Multicast Routing Configuration Guide 199 IP Multicast Overview 199209 Web Hosting Configuration Guide 233 255 QoS Configuration Guide 283 WAN Configuration Guide 315 Contents About This Manual How to Use This ManualPreface Who Should Read This Manual?Preface Related Documentation Installing and setting up the SSRManaging the SSR using Cabletron’s For Information About SeePreface SmartSwitch Router User Reference Manual Feature Specification SSR Hardware and software specificationsChapter SSR Product Overview IPX RIP, SAP Multicast IGMP, DvmrpSupported Media Encapsulation Type Supported Routing ProtocolsUnderstanding the Command Line Interface Configuring the SmartSwitch RouterRouting Information Protocol RIP Version 1 Common CLI key commands Basic Line Editing CommandsAccess Modes Key Sequence CommandUser Mode Enable Mode Exit Configure Mode Boot Prom Mode PvstBoot and System Image Loading System Images and Configuration FilesDisabling a Function or Feature Configuration FilesLoading System Image Software Ssr# system show versionActivating the Configuration Commands in the Scratchpad Loading Boot Prom SoftwareEnter the system image list command to verify the change CLI displays the following message Copying the Configuration to the Startup Configuration FileEnter yes or y to activate the changes Displaying Configuration Changes Managing the SSRSetting SSR Date and Time Setting the SSR NameConfiguring NTP Configuring Snmp Services Configuring the SSR CLIConfiguring DNS Connecting Between the SSR and Other Systems Configuring LoggingMonitoring Configuration Task CommandShow the configuration changes Show the SSR login bannerShow the type of Power-On Self Test Post Reboot Show the status of the switching fabricHot Swapping Overview Chapter Hot Swapping Line Cards Control ModulesHot Swapping Line Cards Deactivating the Line Card Removing the Line CardHot Swapping a Secondary Control Module Installing a New Line CardHot Swapping One Type of Line Card With Another Deactivating the Control Module Removing the Control ModuleHot Swapping a Switching Fabric Module SSR 8600 only Installing the Control ModuleSSR-SF-16 Offline Switching Fabric Bridging Overview Chapter Bridging Configuration GuideSpanning Tree Ieee 802.1d Vlan Overview Bridging Modes Flow-Based and Address-BasedProtocol-based VLANs Port-based VLANsMAC-address-based VLANs Subnet-based VLANsPolicy-based VLANs SSR Vlan SupportMulticast-based VLANs VLANs and the SSRAccess Ports and Trunk Ports 802.1Q support Ports, VLANs, and L3 InterfacesConfiguring Address-based or Flow-based Bridging Configuring SSR Bridging FunctionsExplicit and Implicit VLANs Configuring Spanning Tree Address-Based Bridge Table Flow-Based Bridge TableSetting the Bridge Priority Adjusting Spanning-Tree ParametersMore ports for a particular Vlan Adjusting Bridge Protocol Data Unit Bpdu Intervals Setting a Port PriorityAssigning Port Costs Defining the Forward Delay Interval Adjusting the Interval between Hello TimesDefining the Maximum Age Configuring VLANs for Bridging Configuring a Port or Protocol based VlanConfiguring Vlan Trunk Ports Creating a Port or Protocol Based VlanConfiguring Layer-2 Filters Monitoring BridgingCreating a non-IP/non-IPX Vlan Configuration ExamplesCreating an IP or IPX Vlan Show information on MACsPage Chapter SmartTRUNK Configuration Guide OverviewCreating a SmartTRUNK Configuring SmartTRUNKsAdd Physical Ports to the SmartTRUNK Monitoring SmartTRUNKs Specify Traffic Distribution Policy OptionalExample Configurations St.2 St.4 Router Switch ServerSmartTRUNK Configuration Guide Page Chapter Configuration GuideDhcp Overview Configuring Client Parameters Configuring DhcpConfiguring an IP Address Pool Client ParametersConfiguring a Static IP Address Grouping Scopes with a Common InterfaceUpdating the Lease Database Configuring Dhcp Server ParametersMonitoring the Dhcp Server Define an IP address pool for addresses 10.1.1.10 through Dhcp Configuration ExamplesDefine Dhcp network parameters for the scope ‘scope1’ Define a static IP address forConfiguring Secondary Subnets Secondary Subnets and Directly-Connected Clients Include ‘scope2’ in the superscope ‘super1’Interacting with Relay Agents Define the address pool for ‘scope1’ Page Chapter IP Routing Configuration Guide IP Routing OverviewUnicast Routing Protocols IP Routing ProtocolsSSR supports standards-based TCP, UDP, and IP Multicast Routing ProtocolsConfiguring IP Interfaces for a Vlan Configuring IP Interfaces and ParametersConfiguring IP Addresses to Ports Specifying Ethernet Encapsulation MethodConfiguring ARP Cache Entries Configuring Address Resolution Protocol ARPConfiguring Proxy ARP Specifying IP Interfaces for Rarp Configuring Reverse Address Resolution Protocol RarpDefining MAC-to-IP Address Mappings Monitoring Rarp Configuring DNS ParametersConfiguring IP Services Icmp Specify pingConfiguring Direct Broadcast Configuring IP HelperConfiguring Denial of Service DOS Configuring Router Discovery Monitoring IP ParametersAssigning IP/IPX Interfaces IP Routing Configuration Guide Configuring Vrrp Vrrp OverviewConfiguration of Router R1 Basic Vrrp ConfigurationBackup Following is the configuration file for Router R1 in FigureConfiguration for Router R2 Symmetrical ConfigurationFollowing is the configuration file for Router R2 in Figure Master for VRID=1 Master for VRID=2 Backup for VRID=2 Symmetrical Vrrp ConfigurationMulti-Backup Configuration Configuration of Router R2Multi-Backup Vrrp Configuration SmartSwitch Router User Reference Manual 101 Virtual Router Default Priority Configured Priority Configuration of Router R3 Additional ConfigurationFollowing is the configuration file for Router R3 in Figure Setting the Advertisement Interval Setting the Backup PrioritySetting Pre-empt Mode Monitoring Vrrp Setting an Authentication KeyIp-redundancy trace Virtual routers Display information about all Vrrp Configuration NotesIp-redundancy show Specific virtual routerSmartSwitch Router User Reference Manual 107 108 Configuring RIP Chapter RIP Configuration GuideRIP Overview Configuring RIP Parameters Configuring RIP InterfacesEnabling and Disabling RIP To RIP Set the authentication methodCharacters Set the authentication method Specify that RIP V2 packetsConfiguring RIP Route Default-Metric Configuring RIP Route PreferenceMonitoring RIP Configuration Example 114 Ospf Ospf OverviewDisable Ospf Configuring OspfEnable Ospf Ospf MultipathOspf Parameter Default Value Configuring Ospf Interface ParametersOspf Interface Parameters Create an Ospf area Configuring an Ospf AreaAdd an interface to an Ospf area Add a stub host to an Ospf area Configuring Ospf Area ParametersCreating Virtual Links Add a network to an Ospf area forLink Configuring Ospf over Non-Broadcast Multiple AccessCreate a virtual Set virtual linkMonitoring Ospf Ospf Configuration Examples Exporting All Interface & Static Routes to Ospf Exporting All RIP, Interface & Static Routes to OspfCreate a RIP export source Create a Ospf export destination for type-1 routesCreate a Ospf export destination for type-2 routes Create a Static export sourceCreate Ospf export source Create a RIP export destinationCreate OSPF-ASE export source R10 Chapter BGP Configuration Guide BGP OverviewBasic BGP Tasks SSR BGP ImplementationConfiguring a BGP Peer Group Setting the Autonomous System NumberSetting the Router ID Ip-router global set autonomous-system num1 loops num2Where Autonomous-system numberAdding and Removing a BGP Peer Using AS-Path Regular ExpressionsStarting BGP 132 AS-Path Regular Expression Examples Using the AS Path Prepend FeatureTo import MCI routes with a preference BGP Configuration Examples Following is an exampleBGP Peering Session Example AS-1 AS-2 CLI configuration for router SSR1 is as followsPhysical Link Peering Relationship Gated.conf file for router SSR1 is as follows Ibgp Configuration ExampleCLI configuration for router SSR2 is as follows Gated.conf file for router SSR2 is as followsIbgp Routing Group Example Sample Ibgp Configuration Routing Group Type AS-64801Following lines in the Cisco router configure Ospf Ibgp Internal Group Example Illustrates a sample Ibgp Internal group configuration Sample Ibgp Configuration Internal Group TypeSmartSwitch Router User Reference Manual 143 Configuration for router C1 a Cisco router is as follows Ebgp Multihop Configuration ExampleConfiguration for router C2 a Cisco router is as follows AS-64800 Physical LinkCLI configuration for router SSR3 is as follows Gated.conf file for router SSR3 is as follows CLI configuration for router SSR4 is as followsCommunity Attribute Example Gated.conf file for router SSR4 is as followsSample BGP Configuration Specific Community Sample BGP Configuration Well-Known Community , router SSR11 has the following configuration , router SSR13 has the following configuration , router SSR10 has the following configuration , router SSR14 has the following configurationSmartSwitch Router User Reference Manual 153 LocalPref Attribute Example Sample BGP Configuration LocalPref Attribute Multi-Exit Discriminator Attribute Example Sample BGP Configuration MED Attribute Router SSR6 has the following CLI configurationAS-64900 Router SSR8 has the following CLI configurationEbgp Aggregation Example AS-64901Router SSR9 has the following CLI configuration Route Reflection ExampleShows a sample configuration that uses route reflection AS-64902SmartSwitch Router User Reference Manual 161 162 Chapter Routing Policy Configuration Guide Route Import and Export Policy OverviewPreference Defined by CLI Command Default Default Preference ValuesPreference Import Policies Import-SourceExport-Destination Export PoliciesRoute-Filter Export-SourceSpecifying a Route Filter Aggregates and Generates Aggregate-Destination Aggregate-SourceAuthentication Authentication MethodsConfiguring Simple Routing Policies Authentication Keys and Key ManagementRedistributing Static Routes Redistributing Directly Attached NetworksRedistributing RIP into Ospf Redistributing Ospf to RIP Redistributing RIP into RIPRedistributing Aggregate Routes Routes into Ospf Simple Route Redistribution ExamplesTo redistribute aggregate Example 1 Redistribution into RIPExporting All Static Routes to All RIP Interfaces Exporting a Given Static Route to All RIP InterfacesExample 2 Redistribution into Ospf 176 Configuring Advanced Routing Policies 178 Creating an Export Destination Creating an Export SourceCreating an Aggregate Route Creating an Import SourceCreating a Route Filter Create a RIP importSmartSwitch Router User Reference Manual 181 Examples of Import Policies Creating an Aggregate DestinationCreating an Aggregate Source Example 1 Importing from RIPR41 184 Example 2 Importing from Ospf 186 R41 Importing a Selected Subset of OSPF-ASE Routes Examples of Export Policies Example 1 Exporting to RIPIp-router policy create rip-export-source ripExpSrc Exporting a Given Static Route to a Specific RIP Interface Exporting Aggregate-Routes into RIP Ip-router policy create aggr-export-source aggrExpSrc Example 2 Exporting to Ospf SmartSwitch Router User Reference Manual 195 196 SmartSwitch Router User Reference Manual 197 198 IP Multicast Overview Chapter Multicast Routing Configuration GuideIgmp Overview Dvmrp Overview Configuring Igmp Query Interval Configuring IgmpConfiguring Igmp on an IP Interface Configuring Igmp Response Wait TimeConfiguring Per-Interface Control of Igmp Membership Configuring DvmrpStarting and Stopping Dvmrp Configuring Dvmrp Parameters Configuring Dvmrp on an InterfaceConfiguring the Dvmrp Routing Metric Configuring Dvmrp TTL & Scope Configuring a Dvmrp TunnelMonitoring Igmp & Dvmrp Multicast protocols Igmp Show all interfaces runningShow all multicast routes Page 208 Chapter IP Policy-Based Forwarding Configuration Guide Defining an ACL Profile Configuring IP PoliciesAssociating the Profile with an IP Policy Creating Multi-statement IP Policies Setting Load Distribution for Next-hop Gateways Setting the IP Policy ActionApplying an IP Policy to an Interface Checking the Availability of Next-hop GatewaysAn IP interface Apply a defined IP policy to IP Policy Configuration ExamplesRouting Traffic to Different ISPs All IP interfaces on the SSRUsing an IP policy to route traffic to two different ISPs Prioritizing Service to Customers Using an IP policy to prioritize service to customersAuthenticating Users through a Firewall Using an IP policy to authenticate users through a firewallFirewall Load Balancing Selecting Next Hop Gateway from IP Packet InformationIP policies Monitoring IP PoliciesDisplay information about all Display statistics about aIp-policy show interface interface SmartSwitch Router User Reference Manual 221 222 Chapter Network Address Translation Configuration Guide Configuring NAT Setting Inside and Outside InterfacesStatic Setting NAT RulesManaging Dynamic Bindings DynamicNAT and FTP Static ConfigurationSpecify the FTP session timeout Monitoring NATNext, define the interfaces to be NAT inside or outside Using Static NATFirst step is to create the interfaces Then, define the NAT static rulesDynamic Configuration Using Dynamic NATDynamic NAT with IP Overload PAT Configuration Using Dynamic NAT with IP Overload Dynamic NAT with Outside Interface RedundancyUsing Dynamic NAT with Matching Interface Redundancy 232 Chapter Web Hosting Configuration Guide Creating the Server Group Configuring Load BalancingLoad Balancing Specifying Load Balancing Policy OptionalSetting Server Status Adding Servers to the Load Balancing GroupSetting Timeouts for Load Balancing Mappings Allowing Access to Load Balancing ServersLoad Balancing and FTP Configuration Examples Displaying Load Balancing InformationFtp.quick.com Internet Router User Queries 207.135.89.16 10.1.1.1 Ftp.quick..com 10.1.1.2Virtual IP Address Ranges 207.135.89.16 207.135.89.17 207.135.89.18Configuring Web Caching Web CachingRedirected to cache servers Creating the Cache GroupSpecifying the Clients for the Cache Group Optional Not redirected to cache serversOther Configurations Configuration ExampleBypassing Cache Servers Monitoring Web-Caching Distributing Frequently-Accessed Sites Across Cache ServersProxy Server Redundancy Show caching policy information Show cache server informationIPX Routing Overview Chapter IPX Routing Configuration GuideRIP Routing Information Protocol SAP Service Advertising Protocol Creating IPX Interfaces Configuring IPX RIP & SAPIPX Addresses Configuring IPX Interfaces for a Vlan Configuring IPX Interfaces and ParametersConfiguring IPX Addresses to Ports Specifying IPX Encapsulation MethodEnabling IPX RIP Configuring IPX RoutingConfiguring Static Routes Enabling SAPControlling Access to IPX Networks Configuring Static SAP Table EntriesCreating an IPX Access Control List Creating an IPX SAP Access Control List Creating an IPX Type 20 Access Control ListCreating an IPX GNS Access Control List Creating an IPX RIP Access Control List Monitoring an IPX NetworkAdds a SAP access list Adds a GNS access list 254 Chapter Access Control List Configuration Guide ACL Basics Defining Selection Criteria in ACL RulesHow ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Creating and Modifying ACLs Following ACL illustrates this featureEditing ACLs Offline Maintaining ACLs Using the ACL Editor Applying ACLs to Interfaces Using ACLsThese uses of ACLs are described in the following sections Applying ACLs to Services Using ACLs as ProfilesSSR Feature ACL Profile Usage Following SSR features use ACL profilesUsing Profile ACLs with the IP Policy Facility Using Profile ACLs with the Traffic Rate Limiting Facility Using Profile ACLs with Dynamic NAT Using Profile ACLs with the Port Mirroring FacilityUsing Profile ACLs with the Web Caching Facility Redirecting Http Traffic to Cache ServersEnabling ACL Logging Preventing Web Objects From Being CachedMonitoring ACLs 270 Chapter Security Configuration Guide Security OverviewConfiguring SSR Access Security Configuring RadiusMonitoring Radius Configuring TacacsMonitoring Tacacs Configuring Tacacs Plus Monitoring Tacacs PlusConfiguring Passwords Layer-2 Security FiltersConfiguring Layer-2 Address Filters Configuring Layer-2 Port-to-Address Lock FiltersConfigure a source static Configuring Layer-2 Static Entry FiltersConfiguring Layer-2 Secure Port Filters Configure a destination staticMonitoring Layer-2 Security Filters Et.1.1 Et.1.2 Et.1.3 Hub Layer-2 Filter ExamplesStatic Entries Example Port-to-Address Lock Examples Example 2 Secure PortsLayer-3 Access Control Lists ACLs 282 Chapter QoS Configuration Guide QoS & Layer-2/Layer-3/Layer-4 Flow OverviewLayer-2 and Layer-3 & Layer-4 Flow Specification Precedence for Layer-3 FlowsTraffic Prioritization for Layer-2 Flows Configuring Layer-2 QoSSSR Queuing Policies Configuring IP QoS Policies Traffic Prioritization for Layer-3 & Layer-4 FlowsSetting an IPX QoS Policy Configuring IPX QoS PoliciesSetting an IP QoS Policy Specifying Precedence for an IP QoS PolicyToS Rewrite Configuring SSR Queueing PolicyAllocating Bandwidth for a Weighted-Fair Queuing Policy Specifying Precedence for an IPX QoS PolicyConfiguring ToS Rewrite for IP Packets MBZTos-rewrite Show all IP QoS flows Monitoring QoSLimiting Traffic Rate Show all IPX QoS flowsApply a rate limit profile to an Example ConfigurationDefine a rate limit profile InterfaceDisplaying Rate Limit Information Interface interface294 Chapter Performance Monitoring Guide Performance Monitoring OverviewMAC table Show information about a Show port error statisticsShow information about the master Particular MAC address Show info about multicastsMonitoring Broadcast Traffic Configuring the SSR for Port MirroringOnly IP ACLs can be specified for port mirroring 298 Configuring and Enabling Rmon Rmon OverviewExample of Rmon Configuration Commands Rmon Groups Lite Rmon GroupsStandard Rmon Groups Professional Rmon GroupsControl Tables Using Rmon Configuring Rmon Groups String status enabledisable EnabledisableNum status enabledisable Size owner string status enabledisableRmon protocol-distribution index index-number Port port owner string status enabledisableOid type absolutedelta status enabledisable Rmon user-history-control index index-numberDisplaying Rmon Information Rmon CLI Filters Following shows Host table output without a CLI filter 01000CCCCCCCUsing Rmon CLI Filters Troubleshooting RmonCreating Rmon CLI Filters 312 Allocating Memory to Rmon Ssr# rmon show status Rmon StatusRmon set memory number WAN WAN OverviewStatic, Mapped, and Dynamic Peer IP/IPX Addresses Configuring WAN InterfacesPrimary and Secondary Addresses Static AddressesMapped Addresses Following command line displays an example for a VlanFollowing command line displays two examples for PPP Dynamic AddressesForcing Bridged Encapsulation Following command line displays an example for PPPPacket Compression Nature of the Data Example ConfigurationsAverage Packet Size Link IntegrityWAN Quality of Service Packet EncryptionCongestion Management Weighted-Fair QueueingSource Filtering and ACLs Random Early Discard REDVirtual Circuits Frame Relay OverviewAdaptive Shaping Configuring Frame Relay Interfaces for the SSR Permanent Virtual Circuits PVCsSetting up a Frame Relay Service Profile Applying a Service Profile to an Active Frame Relay WAN PortFrame Relay Port Configuration Monitoring Frame Relay WAN Ports326 Point-to-Point Protocol PPP Overview Configuring PPP InterfacesUse of LCP Magic Numbers Setting up a PPP Service Profile Defining the Type and Location of a PPP InterfaceConfiguring Multilink PPP Bundles Applying a Service Profile to an Active PPP PortCompression on MLP Bundles or Links PPP Port Configuration Monitoring PPP WAN PortsSsrconfig# ppp apply service profile2 ports hs.5.1 WAN Configuration Examples Simple Configuration FileMulti-Router WAN Configuration Multi-router WAN configurationRouter R2 Configuration File Router R1 Configuration FileFollowing configuration file applies to Router R1 Following configuration file applies to Router R2Router R4 Configuration File Router R3 Configuration FileFollowing configuration file applies to Router R3 Following configuration file applies to Router R4Router R6 Configuration File Router R5 Configuration FileFollowing configuration file applies to Router R5 Following configuration file applies to Router R6SmartSwitch Router User Reference Manual 337 338