Enterasys Networks 2E253, 2H252, 2H253, 2H258 - page 52

Overview of Security Methods

3-14 Accessing Local Management

If the server returns an “access-accept” response (the user successfully authenticated), it must also

return a Radius “FilterID” attribute containing an ASCII string with the following fields in the

specified format:

“Enterasys:version=V:mgmt=M:policy=N”

Where:

V is the version number (currently V=1)

M is the access level for management, one of the following strings:

“su” for super-user access

“rw” for read-write access

“ro” for read-only access

N is the policy profile string (refer to the policy profile MIB)

The secondary server is always consulted if it is configured. Note that the minimum additional

information that must be configured to use a server is its IP and Shared Secret.

A backup secondary server is always consulted if it has been configured with its IP and Shared

Secret. If communication is lost to all servers, and the user is connected to the local console serial

port, the authorization screen will change to allow access to the switch by using the Local

Management Module password.

If the user is connected remotely via TELNET or WebView, the switch will continue to deny

access until communication with the Radius Server is operational again. Optionally, if the switch

has been configured to allow remote access, the switch can be configured to use the Local

Management Module password in the event of a Radius failure.

NOTES:

1. Quotation marks (“ ”) are used for clarification only, and are not part of the command

strings.

2. If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an

unrecognizable value, access to Local Management is denied.

3. Policy profiles are not yet deployed and the “policy=N” part may be omitted.

Contents

Main Page NOTICE Version: Information in this guide refers to SmartSwitch 2200 Series firmware version 5.05.xx. ENTERASYS NETWORKS, INC. PROGRAM LICENSE AGREEMENT Page Page Contents ABOUT THIS GUIDE 1 2 3 4 5 6 7 8 9 10 11 12 A B Figures Page Page Tables Page About This Guide USING THIS GUIDE STRUCTURE OF THIS GUIDE Page RELATED DOCUMENTS DOCUMENT CONVENTIONS TYPOGRAPHICAL AND KEYSTROKE CONVENTIONS Page Introduction 1.1 OVERVIEW 1.1.1 The Management Agent 1.1.2 In-Band vs. Out-of-Band 1.2 NAVIGATING LOCAL MANAGEMENT SCREENS 1.3 LOCAL MANAGEMENT REQUIREMENTS Local Management Screen Elements 1-4 Introduction 1.4 LOCAL MANAGEMENT SCREEN ELEMENTS Event Message Field Display Field Input Fields Display Fields See Note Event Message Field Display Fields Input Fields Selection Fields Command Fields 1.5 LOCAL MANAGEMENT KEYBOARD CONVENTIONS 1.6 GETTING HELP Page Local Management Requirements 2.1 MANAGEMENT TERMINAL SETUP Management Terminal Setup 2-2 Local Management Requirements 2.1.1 Console Cable Connection FAST ETHERNET WORKGROUP SWITCH 30691_02 Figure 2-1 Management Terminal Connection RJ45 COM Port 2.1.2 Management Terminal Setup Parameters 2.2 TELNET CONNECTIONS 2.3 MONITORING AN UNINTERRUPTIBLE POWER SUPPLY Monitoring an Uninterruptible Power Supply Local Management Requirements 2-5 Figure 2-2 Uninterruptible Power Supply (UPS) Connection RJ45 COM Port UPS Device RJ45-to-DB9 UPS Adapter DB9 Port UTP Cable with RJ45 Connectors Page Accessing Local Management 3.1 NAVIGATING LOCAL MANAGEMENT SCREENS Navigating Local Management Screens B * Refer to the SmartTrunk Users Guide for the screen hierarchy. Does not apply to MATRIX E7. 3-2 Accessing Local Management Figure 3-1 802.1Q Switching Mode, LM Screen Hierarchy B 3.1.3 Using the NEXT and PREVIOUS Commands 3.1.4 Using the CLEAR COUNTERS Command 3.2 PASSWORD SCREEN Page Page Page Page Page Page 3.4 OVERVIEW OF SECURITY METHODS 3.4.1 Host Access Control Authentication (HACA) Page 3.4.2 802.1X Port Based Network Access Control 3.4.2.1 Definitions of Terms and Abbreviations 3.4.2.2 802.1X Security Overview 3.4.3 MAC Authentication Overview 3.4.3.1 Authentication Method Selection 3.4.3.3 Concurrent Operation of 802.1X and MAC 3.4.3.2 Authentication Method Sequence Authentication Page Page 3.4.4 MAC Authentication Control 3.5 SECURITY MENU SCREEN Refer to Tabl e 3-4 for a functional description of each menu item. Page Page Page 3.6.1 Setting the Module Login Password 3.7 RADIUS CONFIGURATION SCREEN Page Page 3.7.1 Setting the Last Resort Authentication 3.7.2 Setting the Local and Remote Servers Page Page 3.9 SYSTEM AUTHENTICATION CONFIGURATION SCREEN Page EAP (Port) Configuration Screen Accessing Local Management 3-35 3.10 EAP (PORT) CONFIGURATION SCREEN To configure authentication settings for each port. Figure 3-9 EAP Port Configuration Screen Page Page Page Page Page Page Page Page 3.11.2 EAP Authenticator Statistics Screen Page Page 3.11.3 EAP Diagnostic Statistics Screen Page Page 3.12 MAC PORT CONFIGURATION SCREEN Page 3.13 MAC SUPPLICANT CONFIGURATION SCREEN Page Page Device Configuration Menu Screens Page Page General Configuration Screen 4-4 Device Configuration Menu Screens 4.2 GENERAL CONFIGURATION SCREEN Figure 4-2 General Configuration Screen Page Page Page 4.2.1 Setting the IP Address 4.2.2 Setting the Subnet Mask 4.2.3 Setting the Default Gateway 4.2.4 Setting the TFTP Gateway IP Address 4.2.5 Setting the Module Name 4.2.6 Setting the Device Date 4.2.7 Setting the Device Time 4.2.8 Entering a New Screen Refresh Time 4.2.9 Setting the Screen Lockout Time 4.2.10 Configuring the COM Port 4.2.10.1 Changing the COM Port Application WARNING 4.2.11 Clearing NVRAM 4.2.12 Enabling/Disabling IP Fragmentation WARNING Page 4.4 SNMP COMMUNITY NAMES CONFIGURATION SCREEN Page 4.4.1 Establishing Community Names SNMP Traps Configuration Screen Device Configuration Menu Screens 4-21 4.5 SNMP TRAPS CONFIGURATION SCREEN Refer to Tabl e 4-6 for a functional description of each screen field. Figure 4-9 SNMP Traps Configuration Screen 4.5.1 Configuring the Trap Table Access Control List Screen Device Configuration Menu Screens 4-23 4.6 ACCESS CONTROL LIST SCREEN Figure 4-10 Access Control List Screen Page 4.6.1 Entering IP Addresses Entering Single Addresses Entering Ranges of Addresses 4.6.2 Enable/Disable ACL 4.7 SYSTEM RESOURCES INFORMATION SCREEN 4.7.1 Setting the Reset Peak Switch Utilization 4.8 FLASH DOWNLOAD CONFIGURATION SCREEN FLASH Download Configuration Screen Device Configuration Menu Screens 4-31 Figure 4-12 Flash Download Configuration Screen Page Page 4.8.1 Image File Download Using Runtime 4.8.2 Configuration File Download Using TFTP 4.8.3 Configuration File Upload Using TFTP Page Port Configuration Menu Screens Page Page 5.2 ETHERNET INTERFACE CONFIGURATION SCREEN Ethernet Interface Configuration Screen Port Configuration Menu Screens 5-5 Figure 5-3 Ethernet Interface Configuration Screen Refer to Tabl e 5-2 for a functional description of each screen field. Table 5-2 Ethernet Interface Configuration Screen Field Descriptions Page 5.3 ETHERNET PORT CONFIGURATION SCREEN Page Page Page Page 5.3.1 Selecting Field Settings 5.3.2 Setting the Advertised Ability Page Page 5.6 PORT REDIRECT CONFIGURATION SCREEN Port Redirect Configuration Screen 5-16 Port Configuration Menu Screens Figure 5-6 Port Redirect Configuration Screen only one destination port associated with one or more VLANs. Refer to Tabl e 5-5 for a functional description of each screen field. Table 5-5 Port Redirect Configuration Screen Field Descriptions Source Port (Read-Only) See the VLAN ID of the VLANs that are currently set as source Page 5.6.1 Changing Source and Destination Ports 5.7 VLAN REDIRECT CONFIGURATION SCREEN VLAN Redirect Configuration Screen 5-20 Port Configuration Menu Screens Figure 5-7 VLAN Redirect Configuration Screen Page 5.7.1 Changing Source VLAN and Destination Ports 5.8 LINK AGGREGATION MENU SCREEN (802.3ad MAIN MENU SCREEN) Usage Notes Definitions to Know Page Page 5.8.1 802.3ad Port Screen 5-28 Port Configuration Menu Screens Figure 5-9 802.3ad Port Screen Refer to Tabl e 5-8 for a functional description of each screen field. Viewing and Editing 802.3ad Port Parameters 5-30 Port Configuration Menu Screens 5.8.1.1 802.3ad Port Details Screen Figure 5-10 802.3ad Port Details Screen Page Page ActorOperState Page Viewing and Editing 802.3ad Port Parameters Displaying Port Statistics 5-36 Port Configuration Menu Screens 5.8.1.2 802.3ad Port Statistics Screen Refer to Tabl e 5-10 for a functional description of each screen field. Figure 5-11 802.3ad Port Statistics Screen Page Page Port Configuration Menu Screens 5-39 5.8.2 802.3ad Aggregator Screen Refer to Tabl e 5-11 for a functional description of each screen field. Figure 5-12 802.3ad Aggregator Screen Viewing and Editing 802.3ad Aggregator Parameters Displaying Aggregator Details 5.8.2.1 802.3ad Aggregator Details Screen Page Page 5.9 BROADCAST SUPPRESSION CONFIGURATION SCREEN Broadcast Suppression Configuration Screen Port Configuration Menu Screens 5-45 Figure 5-15 Broadcast Suppression Configuration Screen Refer to Tabl e 5-14 for a functional description of each screen field. Table 5-14 Broadcast Suppression Configuration Screen Field Descriptions 5.9.1 Setting the Threshold 5.9.2 Setting the Reset Peak 802.1 Configuration Menu Screens Page Page Page 6.3 SPANNING TREE CONFIGURATION SCREEN Page Page 6.3.1 Configuring a VLAN Spanning Tree Spanning Tree Port Configuration Screen 802.1 Configuration Menu Screens 6-9 6.4 SPANNING TREE PORT CONFIGURATION SCREEN Figure 6-4 Spanning Tree Port Configuration Screen Page Page Page Page Page 802.1Q VLAN Configuration Menu Screens 7.1 SUMMARY OF VLAN LOCAL MANAGEMENT 7.1.1 Preparing for VLAN Configuration 7.2 802.1Q VLAN CONFIGURATION MENU SCREEN Page Page 7.3 STATIC VLAN CONFIGURATION SCREEN Page 7.3.1 Creating a Static VLAN 7.3.2 Displaying the Current Static VLAN Port Egress List 7.3.3 Renaming a Static VLAN 7.3.4 Deleting a Static VLAN information. 7.3.5 Paging Through the VLAN List Static VLAN Egress Configuration Screen 802.1Q VLAN Configuration Menu Screens 7-11 7.4 STATIC VLAN EGRESS CONFIGURATION SCREEN to configure a port connected to an end user device. with the VLAN. This setting is usually to configure a port as a trunk port to another switch. Figure 7-4 Static VLAN Egress Configuration Screen Page 7.4.1 Setting Egress Types on Ports Setting the Egress Type on One or More Ports Individually Setting the Same Egress Type on All Ports Simultaneously Page Page 7.6 CURRENT VLAN EGRESS CONFIGURATION SCREEN 7.7 VLAN PORT CONFIGURATION SCREEN VLAN Port Configuration Screen 7-18 802.1Q VLAN Configuration Menu Screens Figure 7-7 VLAN Port Configuration Screen Refer to Tabl e 7-6 for a functional description of each screen field. Table 7-6 VLAN Port Configuration Screen Field Descriptions Policy PVID Override is (Read-Only) Page 7.7.1 Changing the Port Mode 7.7.2 Configuring the VLAN Ports 7.8 VLAN CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page Page 7.8.1 Classification Precedence Rules - - - - Page Page 7.8.2 Displaying the Current Classification Rule Assignments 7.8.3 Assigning a Classification to a VID 7.8.4 Deleting Line Items Deleting All Classification Rules Deleting One or More Classification Rules 7.9 PROTOCOL PORT CONFIGURATION SCREEN Page Page 7.9.1 Assigning Ports to a VID/Classification Assigning One or More Ports Individually Assigning All Ports Simultaneously Assigning VID/Classification to Port VLAN Lists 802.1p Configuration Menu Screens Screen Navigation Paths Page Page Page Port Priority Configuration Screen Refer to Tabl e 8-2 for a functional description of each screen field. 802.1p Configuration Menu Screens 8-5 Figure 8-2 Port Priority Configuration Screen 8.2.1 Setting Switch Port Priority Port-by-Port 8.2.2 Setting Switch Port Priority on All Ports 8.3 TRAFFIC CLASS INFORMATION SCREEN Traffic Class Information Screen 8-8 802.1p Configuration Menu Screens Figure 8-3 Traffic Class Information Screen Page Traffic Class Configuration Screen 8-10 802.1p Configuration Menu Screens 8.4 TRAFFIC CLASS CONFIGURATION SCREEN Figure 8-4 Traffic Class Configuration Screen Number of port selected in the Traffic Class Information screen. 8.4.1 Assigning the Traffic Class to Port Priority 8.5 TRANSMIT QUEUES CONFIGURATION SCREEN Transmit Queues Configuration Screen 802.1p Configuration Menu Screens 8-13 Figure 8-5 Transmit Queues Configuration Screen Page 8.5.1 Setting the Current Queueing Mode 8.6 PRIORITY CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page Page Page Page 8.6.1 Classification Precedence Rules - - - - Page 8.6.2 About the IP TOS Rewrite Function Layer 2 Layer 3 8.6.3 Displaying the Current PID/Classification Assignments 8.6.4 Assigning a Classification to a PID 8.6.5 Deleting PID/Classification/Description Line Items Deleting All Line Items Deleting One or More Line Items 8.7 Page Page 8.7.2 Solving the Problem Switch 2 8.8 RATE LIMITING CONFIGURATION SCREEN Rate Limiting Configuration Screen 8-38 802.1p Configuration Menu Screens Figure 8-10 Rate Limiting Configuration Screen Maximum Refer to Tabl e 8-10 for a functional description of each screen field. Table 8-10 Rate Limiting Configuration Screen Field Descriptions See the priorities associated with each port entry. Port # (Read-Only) See the number of each configured port. The same port number may appear four times, but with different priorities assigned. Page Page 8.8.1 Configuring a Port Page 8.8.2 Changing/Deleting Port Line Items Changing One or More Line Items Deleting All Line Items Deleting One or More Line Items 8.8.3 More About Rate Limiting Page Page Layer 3 Extensions Menu Screens Page 9.2 IGMP/VLAN CONFIGURATION SCREEN Page Page Page 9.2.1 IGMP/VLAN Configuration Procedure Page Device Statistics Menu Screens 10.1 DEVICE STATISTICS MENU SCREEN Page 10.2 SWITCH STATISTICS SCREEN Switch Statistics Screen 10-4 Device Statistics Menu Screens Figure 10-2 Switch Statistics Screen Refer to Table10-2 for a functional description of each screen field. Table 10-2 Switch Statistics Screen Field Descriptions Port # (Read-Only) Identify the port number. The total number of ports is dependent on the Frames Txmtd (Read-Only) See the number of frames transmitted by the interface since the last Frames Fltrd (Read-Only) See the number of frames filtered by the interface since the last 10.3 INTERFACE STATISTICS SCREEN Page Page 10.3.1 Displaying Interface Statistics RMON Statistics Screen Device Statistics Menu Screens 10-9 10.4 RMON STATISTICS SCREEN To obtain RMON statistics for each interface, on an interface-by-interface basis. Refer to Table10-4 for a functional description of each screen field. Figure 10-4 RMON Statistics Screen Page Page 10.4.1 Displaying RMON Statistics Network Tools Screens Network Tools 11-2 Network Tools Screens Screen ExampleNetwork Tools Help Screen Page 11.2 BUILT-IN COMMANDS command alias Built-in Commands alias (Continued) Network Tools Screens 11-5 Examples: arp arp_learn bridge cdp defroute dynamic_egress ev dynamic_egress (Continued) ev (Continued) gigabit_port_mode igmpv3_drop lg_frame_admin link_trap loopback_detect maclock loopback_detect (Continued) Page Page netstat non_bridge_if_num netstat (Continued) Page policy Built-in Commands policy (Continued) 11-2 2 Network Tools Screens Examples: (Contiued) radius Page Page rate_limit_mode reset rate_limit_mode (Continued) sat_size show show (Continued) soft_reset stpEdgePort stpForceVersion stpLegacyPathCost stpPointToPointMAC stpLegacyPathCost (Continued) stpPort stpRealTimeMsgAge suppress_topology_traps stpRealTimeMsgAge (Continued) telnet timed_soft_reset timed_reset traceroute timed_reset (Continued) vrrpPort 11.3 EXAMPLE, EFFECTS OF AGING TIME ON DYNAMIC EGRESS 11.4 EXAMPLE, USING DYNAMIC EGRESS TO CONTROL TRAFFIC PCs S1 Web Server Solving the Problem 11.5 SPECIAL COMMANDS done, quit, exit VLAN Operation and Network Applications 12.1 DEFINING VLANs A B 12.2 TYPES OF VLANs 12.2.1 802.1Q VLANs 12.2.2 Other VLAN Strategies 12.3 BENEFITS AND RESTRICTIONS 12.4 VLAN TERMS Page Page Page 12.6.1 Defining a VLAN 12.6.2 Classifying Frames to a VLAN 12.6.3 Customizing the VLAN Forwarding List 12.7 VLAN SWITCH OPERATION Page Page 12.7.2.2 Known Unicasts 12.8 VLAN CONFIGURATION 12.8.1 Managing the Switch 12.8.2 Switch Without VLANs 3 6 12.8.3 Switch with VLANs 802.1Q Switch 1 3 6 2 7 4 5 802.1Q Switch Page 12.9 SUMMARY OF VLAN LOCAL MANAGEMENT For details about each screen and how to use them, refer to Chapter 7. 12.9.1 Preparing for VLAN Configuration 12.10 QUICK VLAN WALKTHROUGH Assigning a VLAN ID and VLAN Name Assigning Ports to the VLAN Egress list Quick VLAN Walkthrough 12-18 VLAN Operation and Network Applications Figure 12-7 Walkthrough Stage Two, Port 3 Egress Setting NOTE: For the purposes of this walkthrough, port 10 will be configured as the trunk port. Configuring the Port Parameters Quick VLAN Walkthrough 12-20 VLAN Operation and Network Applications Figure 12-9 Walkthrough Stage Four, VLAN Port Configuration 12.11 EXAMPLES 12.12 EXAMPLE 1, SINGLE SWITCH OPERATION 12.12.1 Solving the Problem For the Red VLAN 3 6 B3 12.12.2 Frame Handling B2 B1 R1 R2 R2 12.13 EXAMPLE 2, VLANs ACROSS MULTIPLE SWITCHES Page 12.13.1 Solving the Problem Switch 4 Switch 2 Page 12.13.2 Frame Handling Page Page 12.14 EXAMPLE 3, FILTERING TRAFFIC ACCORDING TO A LAYER 4 CLASSIFICATION RULE 12.14.1 Solving the Problem Switches 1 and 2 S1 12.15 EXAMPLE 4, SECURING SENSITIVE INFORMATION ACCORDING TO SUBNET 12.15.1 Solving the Problem Switch 1 12.16 EXAMPLE 5, USING DYNAMIC EGRESS TO CONTROL TRAFFIC Solving the Problem 12.17 EXAMPLE 6, LOCKING A MAC ADDRESS TO A PORT USING CLASSIFICATION RULES 00.00.00.00.00.0A 00.00.00.00.00.0B 12.17.1 Solving the Problem Page Page Page Page A Generic Attribute Registration Protocol (GARP) A.1 OVERVIEW Page B About IGMP Page Page Page Index Numerics A B C D E F G H I K L M N P Q R S Page T U V W