Extreme Networks 300-48 Network Security Policies

Network Security Policies

Summit 300-48 Switch Software User Guide 87

Network Security Policies

Network security policy refers to a set of network rules that apply to user access. You can base the rules

on a variety of factors, including user identification, time and location, and method of authentication. It

is possible to design network security policies to do all of the following:

•Permit or deny network access based on location and time of day.

•Place the user into a VLAN based on identity or authentication method.

•Limit where the user is permitted to go on the network based on identity or authentication method .

Policy Design

When designing a security policy for your network, keep the following objectives in mind:

•Make each wired and wireless client as secure as possible.

•Protect company resources.

•Make the network infrastructure as secure as possible.

•Be able to track and identify wired and wireless rogues.

To achieve these objectives, it is necessary to work within the constraints of your environment:

•Technology of all the clients

—802.11 radio technology (b, a, g, a/b, a/g)

—Operating system (W2K, XP, Pocket PC, ….)

—Client readiness for 802.1x; client upgrades

•Authentication servers available or planned

—Operating System Login only (i.e. Domain Access, LDAP)

—RADIUS for Users

—PKI Infrastructure

•Nature of the user population

•Ability to divide users into meaningful groups

•Network resources required by users

•Desired access restrictions based on resources, locations, times, and security level

•Acceptable level of network management and user training

•Anticipated changes in the network

Contents

Main Page Contents Preface Chapter 1 ExtremeWare Overview Chapter 2 Accessing the Switch Chapter 3 Managing the Switch Chapter 4 Configuring Ports on a Switch Chapter 5 Virtual LANs (VLANs) Chapter 6 Wireless Networking Chapter 7 Unified Access Security Chapter 8 Power Over Ethernet Chapter 9 Forwarding Database (FDB) Chapter 10 Access Policies Chapter 11 Quality of Service (QoS) Chapter 12 Status Monitoring and Statistics Chapter 13 Spanning Tree Protocol (STP) Chapter 14 IP Unicast Routing Appendix A Safety Information Appendix B Supported Standards Appendix C Software Upgrade and Boot Options Appendix D Troubleshooting Page Figures Page Tabl e s Page Preface Introduction Conventions Related Publications 1 Summary of Features Unified Access Virtual LANs (VLANs) Spanning Tree Protocol Quality of Service Load Sharing Software Licensing Security Licensing Obtaining a Security License Security Features Under License Control Software Factory Defaults Page Page 2 Understanding the Command Syntax Syntax Helper Command Completion with Syntax Helper Abbreviated Syntax Command Shortcuts Summit 300-48 Switch Numerical Ranges Line-Editing Keys Command History Common Commands Table 6 : Co mmon Commands Table 5 : L ine-Editing Keys (continued) Table 6 : Common Commands (continued) Configuring Management Access Table 6 : Co mmon Commands (continue d) User Account Administrator Account Prompt Text Default Accounts Changing the Default Password Creating a Management Account Viewing Accounts Deleting an Account Domain Name Service Client Services Checking Basic Connectivity Ping Traceroute Page Page 3 Overview Using the Console Interface Using Telnet Connecting to Another Host Using Telnet Configuring Switch IP Parameters Using a BOOTP Server Manually Configuring the IP Settings Disconnecting a Telnet Session Controlling Telnet Access Using Secure Shell 2 (SSH2) Enabling SSH2 for Inbound Switch Access Using SNMP Accessing Switch Agents Supported MIBs Configuring SNMP Settings Displaying SNMP Settings Authenticating Users RADIUS Client Configuring RADIUS Client RADIUS RFC 2138 Attributes RADIUS Server Configuration Example (Merit) RADIUS Per-Command Configuration Example Contents of the file "profiles": Using ExtremeWare Vista Controlling Web Access Setting Up Your Browser Accessing ExtremeWare Vista Navigating ExtremeWare Vista Task Frame Content Frame Status Messages Standalone Buttons Saving Changes Filtering Information Do a GET When Configuring a VLAN Sending Screen Output to Extreme Networks Using the Simple Network Time Protocol Configuring and Using SNTP Page Table 1 3: Greenwich Mean Time Offsets (continued) SNTP Configuration Commands Table14 describes SNTP configuration commands. SNTP Example Table 1 4: SNTP Configuration Commands 4 Por t N u m b er i n g Enabling and Disabling Switch Ports Configuring Switch Port Speed and Duplex Setting Switch Port Commands Load Sharing on the Switch Load-Sharing Algorithms Configured IP Address-Based Load Sharing Configuring Switch Load Sharing Load-Sharing Example Load-Sharing on a Summit 300-48 Switch Verifying the Load-Sharing Configuration Switch Port-Mirroring Port-Mirroring Commands Port-Mirroring Example Extreme Discovery Protocol EDP Commands Page 5 Overview of Virtual LANs Benefits Types of VLANs Port-Based VLANs Spanning Switches with Port-Based VLANs Sales Tagg e d VLANs Accounting Engineering Uses of Tagged VLANs Assigning a VLAN Tag Figure 4: Physical diagram of tagged and untagged traffic *Tagged Ports M S Sales Marketing Mixing Port-Based and Tagged VLANs VLAN Names Default VLAN Renaming a VLAN Configuring VLANs on the Switch VLAN Configuration Commands VLAN Configuration Examples Displaying VLAN Settings Page 6 Overview of Wireless Networking Summary of Wireless Features Wired network Wireless Devices Summit 300-48 Bridging Managing Wireless Ports Configuring RF Properties Table 2 0: RF Profile Property Values (continued) Configuring Wireless Switch Properties Configuring Country Codes Configuring Wireless Ports Configuring Wireless Port Interfaces Table25 lists the configuration commands for w ireless ports. Managing Wireless Clients Table26 lists the commands for configuring i nteractions with client stations . Show Commands Table 2 5: Wireless Port Interface Configuration Commands Table 2 6: Client Configuration Commands Event Logging and Reporting Page 7 Overview of Security User Access Security Authentication Authentication Method: Open Authentication Method: WEP Authentication Method: 802.1x/EAP Privacy Cipher Suites WPA-Only Support Legacy and WPA 802.1x Support Network Security Policies Policy Design Policy Examples Policies and RADIUS Support RADIUS Attributes Vendor-Specific Attributes CLI Commands for Security on the Switch Security Profile Commands Page Example Wireless Configuration Process Table 3 4: Security Profile Command Property Values (continued) Page Page Page 8 Overview Summary of PoE Features Port Power Management Port Power Operator Limit Power Budget Management Reserved Power Common Power Pool Port Pow er Ev en ts Per- Po r t L ED s Configuring Power Over Ethernet Page Page Table 3 7: PoE Show Commands Page 9 Overview of the FDB FDB Contents FDB Entry Types How FDB Entries Get Added Associating a QoS Profile with an FDB Entry Configuring FDB Entries FDB Configuration Examples Displaying FDB Entries 10 Overview of Access Policies Access Control Lists Rate Limits Using Access Control Lists Access Masks Access Lists Rate Limits How Access Control Lists Work Access Mask Precedence Numbers Specifying a Default Rule The permit-established Keyword Adding Access Mask, Access List, and Rate Limit Entries Maximum Entries Deleting Access Mask, Access List, and Rate Limit Entries Verifying Access Control List Configurations Access Control List Commands Table 3 9: Access Control List Configuration Commands Page Table 3 9: Access Control List Configuration Commands (continued) Access Control List Examples Using the Permit-Established Keyword TCP UDP ICMP Page Example 2: Filter ICMP Packets 10.10.10.100 10.10.20.100 ICMP Example 3: Rate-limiting Packets SYN SYN Page 11 Overview of Policy-Based Quality of Service Applications and Types of QoS Voice Applications Video Applications Critical Database Applications Web Browsing Applications Configuring QoS for a Port or VLAN Traffic Groupings Access List Based Traffic Groupings MAC-Based Traffic Groupings Permanent MAC addresses Dynamic MAC Addresses Blackhole MAC Address Verifying MAC-Based QoS Settings Explicit Class of Service (802.1p and DiffServ) Traffic Groupings Configuring 802.1p Priority Observing 802.1p Information 802.1p Commands Configuring 802.1p Priority Replacing 802.1p Priority Information Configuring DiffServ Observing DiffServ Information Changing DiffServ Code point assignments in the QoS Profile Replacing DiffServ Code Points DiffServ Examples Physical and Logical Groupings Source port VLAN Verifying Physical and Logical Groupings Verifying Configuration and Performance QoS Monitor Real-Time Performance Monitoring Displaying QoS Profile Information Modifying a QoS Configuration Traffic Rate-Limiting 12 Status Monitoring Page Por t S t a t is t i cs Port Errors Port Monitoring Display Keys Setting the System Recovery Level Logging Local Logging Real-Time Display Remote Logging Logging Configuration Changes Logging Commands Table 5 1: Logging Commands (continued) RMON About RMON RMON Features of the Switch Statistics History Configuring RMON Event Actions 13 Overview of the Spanning Tree Protocol Spanning Tree Domains Defaults STPD BPDU Tunneling STP Configurations Page Configuring STP on the Switch Page Table 5 3: STP Configuration Commands (continued) STP Configuration Example Displaying STP Settings Disabling and Resetting STP 14 Overview of IP Unicast Routing Router Interfaces Populating the Routing Table Static Routes Multiple Routes IP Route Sharing Proxy ARP ARP-Incapable Devices Proxy ARP Between Subnets Relative Route Priorities Configuring IP Unicast Routing Verifying the IP Unicast Routing Configuration IP Commands Table57 describes the commands used to configure the IP route table. Table 5 7: Route Table Configuration Commands Table 5 6: Basic IP Commands (continued) Table58 describes the commands used to configure IP options and the ICMP protocol. Table 5 8: ICMP Configuration Commands Table 5 7: Route Table Configuration Commands (continued) Table 5 8: ICMP Configuration Commands (continued) Routing Configuration Example The example in Figure 18 is configured as follows: Displaying Router Settings To display settings for various IP routing components, use the commands listed in Table59. Resetting and Disabling Router Settings Table 5 9: Router Show Commands Table 6 0: Router Reset and Disable Commands Configuring DHCP/BOOTP Relay Table 6 0: Router Reset and Disable Commands (continued) Verifying the DHCP/BOOTP Relay Configuration UDP-Forwarding Configuring UDP-Forwarding UDP-Forwarding Example ICMP Packet Processing UDP-Forwarding Commands Table 6 1: UDP-Forwarding Commands (continued) Page A Important Safety Information Power Power C ord Connections Lithium Battery Page B The following is a list of software standards supported by ExtremeWare for the Summit 300-48 switch. Page C Downloading a New Image Rebooting the Switch Saving Configuration Changes Returning to Factory Defaults Using TFTP to Upload the Configuration Using TFTP to Download the Configuration Downloading a Complete Configuration Downloading an Incremental Configuration Scheduled Incremental Configuration Download Remember to Save Upgrading and Accessing BootROM Upgrading Bootloader Accessing the Bootstrap CLI Accessing the Bootloader CLI Boot Option Commands Table64 lists the CLI commands asso ciated with switch boot opti ons. Table 6 4: Boot Option Commands NOTE If this command does not complete successfully, it could prevent the switch from booting. Table 6 4: Boot Option Commands (continued) D LEDs Using the Command-Line Interface Port Configuration VLANs STP Debug Tracing TOP Command Contacting Extreme Technical Support Page Index Numerics A permit-established permit-established B D E F G H K L M N O Q R S T traceroute U V W Index of Commands C D E H L N P Q T U