Extreme Networks 300-48 7

Summit 300-48 Switch Software User Guide 83

7Unified Access Security

This chapter describes the security features of the Summit 300-48 switch and includes information on

the following topics:

•Overview of Security on page 83

•User Access Security on page84

•Network Security Policies on page 8 7

•Network Security Policies on page 8 7

•CLI Commands for Security on the Switch on page 89

Overview of Security

The Extreme Unified Access™ Security architecture provides secure access for all wired and wireless

stations within the unified network. You can maintain the network with a single, unified security

policy, provide service to all stations without requiring upgrades, and take advantage of integrated

policy and management capabilities not available in overlay networks or those with “thick” access

points. Unified Access Security provides the following key capabilities:

•Consolidated management — Up to 48 wireless ports from a single Summit 300-48 switch, larger

network support with less management overhead

•Scalable encryption — ASIC based AES encryption, WPA with TKIP support, and RC4 based WEP

support on the Altitude 300 wireless port

•802.1x Authentication — 802.1x authentication (PEAP, EAP-TTLS, EAP-TLS)

The unified structure simplifies security policies without compromising protection and provides the

following benefits:

•Single user experience — Same authentication procedures for wired and wireless users

•Unified management — Single management platform for wired and wireless networks

•Unified configuration — Consistent CLI for wired and wireless functions

•Single authentication infrastructure — Single set of policies, RADIUS, and certificate servers

These security features provide protection for users and for the network infrastructure.

Contents

Main Page Contents Preface Chapter 1 ExtremeWare Overview Chapter 2 Accessing the Switch Chapter 3 Managing the Switch Chapter 4 Configuring Ports on a Switch Chapter 5 Virtual LANs (VLANs) Chapter 6 Wireless Networking Chapter 7 Unified Access Security Chapter 8 Power Over Ethernet Chapter 9 Forwarding Database (FDB) Chapter 10 Access Policies Chapter 11 Quality of Service (QoS) Chapter 12 Status Monitoring and Statistics Chapter 13 Spanning Tree Protocol (STP) Chapter 14 IP Unicast Routing Appendix A Safety Information Appendix B Supported Standards Appendix C Software Upgrade and Boot Options Appendix D Troubleshooting Page Figures Page Tabl e s Page Preface Introduction Conventions Related Publications 1 Summary of Features Unified Access Virtual LANs (VLANs) Spanning Tree Protocol Quality of Service Load Sharing Software Licensing Security Licensing Obtaining a Security License Security Features Under License Control Software Factory Defaults Page Page 2 Understanding the Command Syntax Syntax Helper Command Completion with Syntax Helper Abbreviated Syntax Command Shortcuts Summit 300-48 Switch Numerical Ranges Line-Editing Keys Command History Common Commands Table 6 : Co mmon Commands Table 5 : L ine-Editing Keys (continued) Table 6 : Common Commands (continued) Configuring Management Access Table 6 : Co mmon Commands (continue d) User Account Administrator Account Prompt Text Default Accounts Changing the Default Password Creating a Management Account Viewing Accounts Deleting an Account Domain Name Service Client Services Checking Basic Connectivity Ping Traceroute Page Page 3 Overview Using the Console Interface Using Telnet Connecting to Another Host Using Telnet Configuring Switch IP Parameters Using a BOOTP Server Manually Configuring the IP Settings Disconnecting a Telnet Session Controlling Telnet Access Using Secure Shell 2 (SSH2) Enabling SSH2 for Inbound Switch Access Using SNMP Accessing Switch Agents Supported MIBs Configuring SNMP Settings Displaying SNMP Settings Authenticating Users RADIUS Client Configuring RADIUS Client RADIUS RFC 2138 Attributes RADIUS Server Configuration Example (Merit) RADIUS Per-Command Configuration Example Contents of the file "profiles": Using ExtremeWare Vista Controlling Web Access Setting Up Your Browser Accessing ExtremeWare Vista Navigating ExtremeWare Vista Task Frame Content Frame Status Messages Standalone Buttons Saving Changes Filtering Information Do a GET When Configuring a VLAN Sending Screen Output to Extreme Networks Using the Simple Network Time Protocol Configuring and Using SNTP Page Table 1 3: Greenwich Mean Time Offsets (continued) SNTP Configuration Commands Table14 describes SNTP configuration commands. SNTP Example Table 1 4: SNTP Configuration Commands 4 Por t N u m b er i n g Enabling and Disabling Switch Ports Configuring Switch Port Speed and Duplex Setting Switch Port Commands Load Sharing on the Switch Load-Sharing Algorithms Configured IP Address-Based Load Sharing Configuring Switch Load Sharing Load-Sharing Example Load-Sharing on a Summit 300-48 Switch Verifying the Load-Sharing Configuration Switch Port-Mirroring Port-Mirroring Commands Port-Mirroring Example Extreme Discovery Protocol EDP Commands Page 5 Overview of Virtual LANs Benefits Types of VLANs Port-Based VLANs Spanning Switches with Port-Based VLANs Sales Tagg e d VLANs Accounting Engineering Uses of Tagged VLANs Assigning a VLAN Tag Figure 4: Physical diagram of tagged and untagged traffic *Tagged Ports M S Sales Marketing Mixing Port-Based and Tagged VLANs VLAN Names Default VLAN Renaming a VLAN Configuring VLANs on the Switch VLAN Configuration Commands VLAN Configuration Examples Displaying VLAN Settings Page 6 Overview of Wireless Networking Summary of Wireless Features Wired network Wireless Devices Summit 300-48 Bridging Managing Wireless Ports Configuring RF Properties Table 2 0: RF Profile Property Values (continued) Configuring Wireless Switch Properties Configuring Country Codes Configuring Wireless Ports Configuring Wireless Port Interfaces Table25 lists the configuration commands for w ireless ports. Managing Wireless Clients Table26 lists the commands for configuring i nteractions with client stations . Show Commands Table 2 5: Wireless Port Interface Configuration Commands Table 2 6: Client Configuration Commands Event Logging and Reporting Page 7 Overview of Security User Access Security Authentication Authentication Method: Open Authentication Method: WEP Authentication Method: 802.1x/EAP Privacy Cipher Suites WPA-Only Support Legacy and WPA 802.1x Support Network Security Policies Policy Design Policy Examples Policies and RADIUS Support RADIUS Attributes Vendor-Specific Attributes CLI Commands for Security on the Switch Security Profile Commands Page Example Wireless Configuration Process Table 3 4: Security Profile Command Property Values (continued) Page Page Page 8 Overview Summary of PoE Features Port Power Management Port Power Operator Limit Power Budget Management Reserved Power Common Power Pool Port Pow er Ev en ts Per- Po r t L ED s Configuring Power Over Ethernet Page Page Table 3 7: PoE Show Commands Page 9 Overview of the FDB FDB Contents FDB Entry Types How FDB Entries Get Added Associating a QoS Profile with an FDB Entry Configuring FDB Entries FDB Configuration Examples Displaying FDB Entries 10 Overview of Access Policies Access Control Lists Rate Limits Using Access Control Lists Access Masks Access Lists Rate Limits How Access Control Lists Work Access Mask Precedence Numbers Specifying a Default Rule The permit-established Keyword Adding Access Mask, Access List, and Rate Limit Entries Maximum Entries Deleting Access Mask, Access List, and Rate Limit Entries Verifying Access Control List Configurations Access Control List Commands Table 3 9: Access Control List Configuration Commands Page Table 3 9: Access Control List Configuration Commands (continued) Access Control List Examples Using the Permit-Established Keyword TCP UDP ICMP Page Example 2: Filter ICMP Packets 10.10.10.100 10.10.20.100 ICMP Example 3: Rate-limiting Packets SYN SYN Page 11 Overview of Policy-Based Quality of Service Applications and Types of QoS Voice Applications Video Applications Critical Database Applications Web Browsing Applications Configuring QoS for a Port or VLAN Traffic Groupings Access List Based Traffic Groupings MAC-Based Traffic Groupings Permanent MAC addresses Dynamic MAC Addresses Blackhole MAC Address Verifying MAC-Based QoS Settings Explicit Class of Service (802.1p and DiffServ) Traffic Groupings Configuring 802.1p Priority Observing 802.1p Information 802.1p Commands Configuring 802.1p Priority Replacing 802.1p Priority Information Configuring DiffServ Observing DiffServ Information Changing DiffServ Code point assignments in the QoS Profile Replacing DiffServ Code Points DiffServ Examples Physical and Logical Groupings Source port VLAN Verifying Physical and Logical Groupings Verifying Configuration and Performance QoS Monitor Real-Time Performance Monitoring Displaying QoS Profile Information Modifying a QoS Configuration Traffic Rate-Limiting 12 Status Monitoring Page Por t S t a t is t i cs Port Errors Port Monitoring Display Keys Setting the System Recovery Level Logging Local Logging Real-Time Display Remote Logging Logging Configuration Changes Logging Commands Table 5 1: Logging Commands (continued) RMON About RMON RMON Features of the Switch Statistics History Configuring RMON Event Actions 13 Overview of the Spanning Tree Protocol Spanning Tree Domains Defaults STPD BPDU Tunneling STP Configurations Page Configuring STP on the Switch Page Table 5 3: STP Configuration Commands (continued) STP Configuration Example Displaying STP Settings Disabling and Resetting STP 14 Overview of IP Unicast Routing Router Interfaces Populating the Routing Table Static Routes Multiple Routes IP Route Sharing Proxy ARP ARP-Incapable Devices Proxy ARP Between Subnets Relative Route Priorities Configuring IP Unicast Routing Verifying the IP Unicast Routing Configuration IP Commands Table57 describes the commands used to configure the IP route table. Table 5 7: Route Table Configuration Commands Table 5 6: Basic IP Commands (continued) Table58 describes the commands used to configure IP options and the ICMP protocol. Table 5 8: ICMP Configuration Commands Table 5 7: Route Table Configuration Commands (continued) Table 5 8: ICMP Configuration Commands (continued) Routing Configuration Example The example in Figure 18 is configured as follows: Displaying Router Settings To display settings for various IP routing components, use the commands listed in Table59. Resetting and Disabling Router Settings Table 5 9: Router Show Commands Table 6 0: Router Reset and Disable Commands Configuring DHCP/BOOTP Relay Table 6 0: Router Reset and Disable Commands (continued) Verifying the DHCP/BOOTP Relay Configuration UDP-Forwarding Configuring UDP-Forwarding UDP-Forwarding Example ICMP Packet Processing UDP-Forwarding Commands Table 6 1: UDP-Forwarding Commands (continued) Page A Important Safety Information Power Power C ord Connections Lithium Battery Page B The following is a list of software standards supported by ExtremeWare for the Summit 300-48 switch. Page C Downloading a New Image Rebooting the Switch Saving Configuration Changes Returning to Factory Defaults Using TFTP to Upload the Configuration Using TFTP to Download the Configuration Downloading a Complete Configuration Downloading an Incremental Configuration Scheduled Incremental Configuration Download Remember to Save Upgrading and Accessing BootROM Upgrading Bootloader Accessing the Bootstrap CLI Accessing the Bootloader CLI Boot Option Commands Table64 lists the CLI commands asso ciated with switch boot opti ons. Table 6 4: Boot Option Commands NOTE If this command does not complete successfully, it could prevent the switch from booting. Table 6 4: Boot Option Commands (continued) D LEDs Using the Command-Line Interface Port Configuration VLANs STP Debug Tracing TOP Command Contacting Extreme Technical Support Page Index Numerics A permit-established permit-established B D E F G H K L M N O Q R S T traceroute U V W Index of Commands C D E H L N P Q T U