Manuals / GE / Computer Equipment / Switch

GE ML1200 instruction manual TACACS+ Flow, TACACS+ Packet

Models: ML1200

1 344

Download 344 pages 51.98 Kb

Page 140

ACCESS USING TACACS+

CHAPTER 8: ACCESS USING TACACS+

8.1.2TACACS+ Flow

TACACS works in conjunction with the local user list on the ML1200 software (operating system). The process of authentication as well as authorization is shown in the flow chart below.

Start

Login as Operator

No

Login

Yes

User in Local

Is User Manager?

User List?

Yes

No

Login as Manager

Logout

TACACS+ Enabled?

No

Yes

Yes

Authentication

Connection failure

failure

Connect to

Additional

Logout

TACACS server to

Servers?

authenticate

Authorized as

No

Authenticated

Operator or

Logout

Authorization failure

TACACS+

Login as Operator

authorization

Authorized as

Manager

Login as Manager

754716A1.CDR

FIGURE 8–1: TACACS Authorization Flowchart

The above flow diagram shows the tight integration of TACACS+ authentication with the local user-based authentication. There are two stages a user goes through in TACACS+. The first stage is authentication where the user is verified against the network user database. The second stage is authorization, where it is determined whether the user has operator access or manager privileges.

8.1.3TACACS+ Packet

Packet encryption is a supported and is a configurable option for the ML1200 software. When encrypted, all authentication and authorization TACACS+ packets are encrypted and are not readable by protocol capture and sniffing devices such as EtherReal or others. Packet data is hashed and shared using MD5 and secret string defined between the MultiLink ML1200 Managed Field Switch and the TACACS+ server.

8–2	MULTILINK ML1200 MANAGED FIELD SWITCH – INSTRUCTION MANUAL

Image 140

GE ML1200 instruction manual TACACS+ Flow, TACACS+ Packet

Contents

MultiLink ML1200 Managed Field Switch GE MultilinElectrical Safety requirements Canadian Emissions StatementTable of Contents Access 10-5 10-110-3 10-7 10-1210-13 10-1914-9 15-115-4 15-517-14 17-1618-1 18-3Inspecting the Package and Product Multilink ML1200 Managed Field Switch IntroductionGetting Started Order Codes ML1200Specifications PerformanceAlarm Relay Contacts Interrupts Sinusoidal Vibration DNV To 4 GApplicable Council Directive According to CE Compliance Low voltage directive EN60950-1 EMC DirectiveNorth America CULus UL60950-1 C22.2 No ISO9001Console Connection Command Line Interface FirmwareConsole Setup Logging In for the First Time Automatic IP Address ConfigurationConsole Screen Setting the IP Parameters Using Console Port StepIpconfig ip=ip-address mask=subnet-mask dgw=gateway ML1200# rebootAn example is shown below ML1200# saveEnable user-name Privilege LevelsUser Management Help command string Command EnterCommand string TAB First character of the command TAB HelpFollowing example, the TAB key completes the command ExitingLogout Following example illustrates logging out from a sessionSecure site will issue the certificate check shown below EnerVista Secure Web ManagementMake sure you use Https secure Http and not Http in the URL Example shown in the previous section, the URL isLogin screen Select the Administration User Mgmt User Accounts menu item To add a user, use the add buttonIntroduction Introduction Introduction Modifying the Privilege Level To exit or logout, click on the logout button Confirm the logout by selecting OK in the pop-up window ML1200 Firmware Updates Updating through the Command LineUpdating Multilink ML1200 Firmware Selecting the Proper VersionML1200# xmodem get type=app Https//IP address of the switch Introduction Introduction Multilink ML1200 Managed Field Switch Product Description OverviewProduct Description Product Description PoE power pass-through, C2 Module MDIX, 10/100Mb 4-port Four-Port Copper Module, C1 Module MdixTwo-Port Fiber Modules, 2@ 100Mb fiber Two -Port 10 Mb mm Fiber ST ModulesSFP Gigabit 1000Mbps port modules Packet Prioritization, 802.1p QOSFrame Buffering and Flow Control Managed Network Firmware for Multilink ML1200-SeriesFeatures and Benefits Managed switching for high performance Ethernet LANsFeatures Fiber-Built-In Management Software includedProduct Description Applications Example Example Preparation Multilink ML1200 Managed Field Switch InstallationLocating Multilink ML1200 Switches Copper Connecting Ethernet MediaFiber Twisted Pair CAT 3, 4 Twisted Pair CATGigabit SFP Small Form-factor Pluggable Optical Transceivers HK Module H7 Module H8 HD ModuleHE HJ Module Mechanical Installation DIN-Rail Mounting the Multilink ML1200Installation Electrical Installation Powering the Multilink ML1200 Managed Field Switch3 ML1200 Port Module PM Installation Pinout information for above connector Request to SendTransceiver Data GroundFunctionality Multilink ML1200 Managed Field Switch OperationSwitching Functionality For Multilink ML1200 models /ML1200 Status LEDsAuto-Cross Mdix and Auto-negotiation, for RJ-45 ports Flow-control, Ieee 802.3x standard Power Budget Calculations for ML1200 PM’s with Fiber Media TypicalH4, HH Mb FX Multilink ML1200 Managed Field Switch Port Modules 2 ML1200 Modules2.2 C7 Module, 2@10Mb multi-mode FX-ST twist lock Module CB Module, 2 Ports @100Mbps single-mode FX-SC-type, Sgl.M CC Module, 4 @100Mb multi-mode FX , Mtrj Small-Form-factor 2.10 C1 Module Twisted Pair, 10/100Mb, 4-Port PoE LEDs Summary SFPs, Gigabit 1000Mbps port modules Before Calling for Assistance Operation Overview Multilink ML1200 Managed Field Switch IP AddressingIP Address and System Information Edit the IP address information Dhcp and bootp Bootp DatabaseConfiguring DHCP/bootp/Manual/AUTO Importance of an IP AddressSelect the Administration System menu item Click EditUsing Telnet Telnet enabledisableML1200access## telnet enable ML1200access## exit ML1200#Select the Administration Telnet menu item Default port for telnet isTelnet ipaddress port=port number Show session Kill session id=sessionFor example ML1200# show sessionSystem Parameters Setting ParametersSetting Serial Port Parameters Date and Time SnmpSetvar sysnamesyscontactsyslocation =string Set timezone GMT=+ or hour=0-14 min=0-59Syntax for other date and time commands are Following command sequence sets the daylight locationNetwork Time Set timeformat format=1224ML1200sntp## exit ML1200sntp## sync hour=5 ML1200sntp## sntp enableML1200# sntp IP Addressing IP Addressing Config file System ConfigurationSaving and Loading Command Line # Restricted Rights System Displaying configuration Syntax show config module=module-nameWhere module-name can be Names, passwords’show config’ command output MoreML1200# show config module=snmp Hardware Select N Saving ConfigurationSelect Y. The ML1200 will prompt Show host command displays the host table entries Save format=v2v3Script File # Restricted RightsSaving and Loading EnerVista Software IP Addressing Host Names IP Addressing Erasing Configuration Kill Config option using SWMIP Addressing STP, Rstp settings Port/Tag Vlan settingsIP-Access and Host Table settings Lacp settingsML1200# kill config What’s changed in IPV6? IPv6Introduction to IPv6 3 IPv6 Addressing Configuring IPv6 Syntax ping6 IPv6 address pings an IPv6 stationSyntax show ipv6 displays the IPv6 information Syntax ftp IPv6 address ftp to an IPv6 stationList of commands in this chapter Syntax telnet IPv6 address telnet to an IPv6 stationMultilink ML1200 Managed Field Switch Access Considerations Securing AccessPasswords DescriptionPort Security Feature Commands For example, using the configure port-securitycommandLearn port=number-list enabledisable show port-security Ps enabledisableML1200port-security## ps enable ML1200port-security## ps disableAllowing MAC Addresses ML1200port-security## allowExample 6-1 Viewing the port security settings ML1200port-security## learn port=3 enableTo deny a mac address, use the following Example 6-2 Enabling learning on a portExample 6-4 Removing MAC addresses from specific ports Save the port-security configuration use the save commandML1200port-security## signal port=3 logandtrap Access Considerations Example 6-5 Configuring port security Security LogsML1200# show log Example 6-6 Security log commandsSet logsize size=1-1000 Access Show ip-accessAuthorized Managers RemoveallExample 6-7 Allowing/blocking specific IP addresses ML1200# accessML1200access## exit Configuring Port Security with EnerVista Software After enabling the EnerVista Secure Web Management softwareAccess Considerations Access Considerations Logs Authorized Managers Access Considerations Access Considerations 2 802.1x Protocol Multilink ML1200 Managed Field Switch Access Using RadiusIntroduction to 802.1x network components 802.1x authentication details Configuring 802.1x through the Command Line Interface Show auth configportsAuth enabledisable AuthTrigger-reauthport=numlistrange Show-statscommand displays 802.1x related statisticsShow-stats port=num On following Example 7-1 Setting port control parametersExample Setting port control parameters ML1200auth## show-port backendML1200auth## shoW-port reauth ML1200auth##Commands To edit the port settings, click on the edit icon Select the Configuration Radius Port Access menu item Access Using Radius Access Using Radius After all the port characteristics are enabled Multilink ML1200 Managed Field Switch Access using TACACS+ Introduction to TACACS+TACACS+ Flow TACACS+ PacketPacket type Possible values are Tacacs packet formatConfiguring TACACS+ through the Command Line Interface Tacplus enabledisableExample 8-1 below, illustrates how to configure TACACS+ Show tacplus statusserversML1200user## tacplus disable Example 8-1 Configuring TACACS+ML1200user## tacplus enable Access Using TACACS+ Access Using TACACS+ Access Using TACACS+ Multilink ML1200 Managed Field Switch Port Mirroring Setup Port MirroringPort Mirroring using the Command Line Interface Prtmr enabledisableShow port-mirror Port-mirrorPort Setup Device command enters the device configuration modeSetport command configures the port characteristics DeviceExample 9-1 Port setup ML1200# deviceML1200device## show port ML1200device## exit ML1200#Where the rxthreshold value can be from 4 to 30 default is Flow ControlBack Pressure Flowcontrol xonlimit=value xofflimit=valueBack pressure and flow control ML1200device## show port=11Broadcast Storms Show broadcast-protect Broadcast-protect enabledisableRate-thresholdport=portlistrange rate=frames/sec Link Loss Alert Example 9-3 Preventing broadcast stormsExample 9-4 Link loss alert ML1200device## show port=3Select the Configuration Port Mirroring menu item Port Setup Port Mirroring and Setup Port Mirroring and Setup Broadcast Storm menu Port Mirroring and Setup Multilink ML1200 Managed Field Switch Vlan Vlan DescriptionVlan Multilink ML1200 supports up to 32 VLANs per switch Tag Vlan vs. Port Vlan10-4 Add id=vlan Id name=vlan name port=numberlistrange Configuring Port VLANs through the Command Line InterfaceSet vlan type=porttagnone Start vlan=namenumberlistrange SaveEdit id=vlan Id name=vlan name port=numberlistrange Show vlan type=porttag id=vlanidVlan VID=1 Select the Configuration Vlan Port-Based menu item Currently assigned Port VLANs are displayed as follows10-9 10-10 10-11 Configuring Tag VLANs through the Command Line Interface Show-port port=portlistrange10-13 Example 10-1 Converting Port Vlan to Tag Vlan Converting Port Vlan to Tag Vlan ML1200tag-vlan##add id=20 name=marketing port=3-5ML1200tag-vlan##set-port port=3-5 filter status=enable Name engineering Status Active Port Mode Status Tagged 10-19 Click On Configuration vlan tag-based Menu Next step is to define the VLANs needed. To do that10-21 Select the Configuration Vlan Tag-Based Tagging menu 10-23 10-24 Vlan Registration over Garp Gvrp ConceptsGvrp Operations Vlan Registration Over GarpVlan assignment in Gvrp enabled switches Static vlan=VID Port settings for Gvrp operationsShow-vlan Gvrp options Example 11-1 Converting a dynamic Vlan to a static VlanML1200# gvrp ML1200gvrp## show-vlan ML1200gvrp## static vlan=10 ML1200gvrp## show-vlan11-6 Configuring Gvrp through the Command Line Interface Gvrp Operation NotesShow gvrp Show-forbidExample 11-2 Configuring Gvrp Gvrp options on To configure GvrpSelect the Configuration Vlan Gvrp menu item 11-10 Features and Operation STP default values Spanning Tree Protocol STPConfiguring STP Show stp configportsExample 12-1 Viewing STP configuration Example 12-2 Viewing STP portsStp enabledisable StpSet stp type=stprstp Show active-stpExample 12-3shows how to enable STP using the above commands Example 12-3 Enabling STPTimers forward-delay=4-30 hello=1-10 age=6-40 Example 12-4 Configuring STP parameters ML1200stp##show stp portsConfiguring STP parameters ML1200stp##cost port=2 value=20 ML1200stp##port port=1 status=enable Designated Root Priority 15535 Rstp concepts Transition from STP to Rstp Rapid Spanning Tree Protocol13-3 Configuring Rstp through the Command Line Interface Rstp enabledisableNormal Rstp Rstp13-5 Example 13-2 Reviewing the Rstp port parameters Show-forceversion Path cost as defined in Ieee 802.1d / 802.1wForceversion stprstp Show-timers Port port=numberlistrange status=enabledisableExample 13-4 Configuring Rstp ML1200rstp##show stp configConfiguring Rstp ML1200rstp##priority port=2 value=100 ML1200rstp##port port=1 status=disable Syntax for the romode command on Rstp is shown below Romode add port=portlistrange romode del port=portlistrangeExample 13-5 Configuring smart RSTP, ring-only mode ML1200rstp##romode add port=1,213-15 Status Indicates whether STP or Rstp is enabled 13-17 Path cost defined in Ieee 802.1d and 802.1w 13-19 Click the Edit button to configure Rstp Then Save Enable Status 13-22 QoS Concepts Multilink ML1200 Managed Field Switch Quality of ServiceQoS Overview DiffServ and QoS IP PrecedenceIP Precedence ToS Field in an IP Packet Header Configuring QoS through the Command Line Interface Set-weightweight=0-7Show-portweight QosPort weight settings Show qos command displays the QoS settingsShow qos type=porttagtos port=portlistrange Set-untagport=portlistrange priority=highlow tag=0-7Following example shows how to configure QoS Example 14-1 Configuring QoSConfiguring QoS ML1200qos##set-weight weight=4 ML1200qos##show-portweight 14-9 14-10 14-11 14-12 Multilink ML1200 Managed Field Switch Igmp Igmp ConceptsIgmp Figure below shows a network running Igmp IP Multicast Filters Isolating multicast traffic in a networkReserved Addresses Excluded from IP Multicast Igmp Filtering Igmp SupportConfiguring Igmp through the Command Line Interface Igmp enable/disableShow igmp command displays the Igmp status IgmpShow-router Show-groupShow-port Following example shows how to configure Igmp Example 15-1 Configuring IgmpML1200igmp## show-port ML1200igmp## show-routerConfiguring Igmp ML1200igmp## mcast disable ML1200igmp## mcast enable15-11 15-12 Multilink ML1200 Managed Field Switch Snmp Snmp ConceptsSnmp Traps StandardsEnterprise Traps Intruder SNMPv1 standardsRFC 2271-2275 SNMPv3 Configuring Snmp through the Command Line Interface Following example shows how to configure Snmp Show-trap id=id#Show-group id=id Show-view id=idExample 16-1 Configuring Snmp Configuring Snmp ML1200snmpv3## show-group ML1200snmpv3## show-group id=1ML1200snmpv3## show-view ML1200snmpv3## show-view id=1ML1200snmpv3## show-access ML1200snmpv3## show-access id=1ML1200snmpv3## show-user ML1200snmpv3## show-user id=216-11 Multiple managers can be added as shown below 16-13 16-14 Configuring Rmon RmonML1200rmon## show rmon event ML1200rmon## exit ML1200#Multilink ML1200 Managed Field Switch Miscellaneous MailSmtp Smtp enabledisableShow smtp configrecipients Server ip=ip-addr port=1-65535 retry=0-3 domain=domain Server command configures the global Smtp server settingsDelete id=1-5 ML1200smtp##show smtp config Statistics Following figure displays the port statistics for group Serial Connectivity Optimizing serial connection in HyperTerminalShow version HistoryShow history Ping through EnerVista Secure Web Management software Ping through the Command Line InterfacePing Set prompt prompt string Changing the Command Line PromptPrompt Command Line Interface Example System EventsFollowing example illustrates a typical event log Example 17-2 Typical system event logSelect the Configuration Statistics Log Statistics menu item EnerVista Example17-13 Command Reference Main CommandsSet timeout sets the system inactivity time out Set commands are listed belowSet password sets the current user password Configuration commands Snmp enables or disables SnmpAlarm commands are shown below Authorization commands are shown belowDevice commands are shown below Vlan Registration over Garp for detailsSetqos configures QOS configuration usage Rapid Spanning Tree Protocol for additional detailsPasswd change the user password Spanning Tree Protocol STP for additional details17-20 Multilink ML1200 Managed Field Switch Modbus Protocol Modbus ConfigurationCommand Line Interface Settings Following command-line interface settings are availableML1200access## modbus port=602 ML1200# access ML1200access## modbus enableML1200access## show modbus EnerVista Settings Select the Configuration Access Modbus menu itemModbus memory map Sheet 1 Memory MappingModbus Memory Map Modbus memory map Sheet 2 Modbus memory map Sheet 3 Modbus memory map Sheet 4 Modbus memory map Sheet 5 Modbus memory map Sheet 6 Modbus memory map Sheet 7 Modbus memory map Sheet 8 Modbus memory map Sheet 9 Modbus memory map Sheet 10 Modbus memory map Sheet 11 Modbus memory map Sheet 12 Modbus memory map Sheet 13 Modbus memory map Sheet 14 Modbus memory map Sheet 15 Modbus memory map Sheet 16 Modbus memory map Sheet 17 Modbus memory map Sheet 18 Modbus memory map Sheet 19 Modbus memory map Sheet 20 Modbus memory map Sheet 21 Modbus memory map Sheet 22 Modbus memory map Sheet 23 Modbus memory map Sheet 24 Modbus memory map Sheet 25 Modbus memory map Sheet 26 Modbus memory map Sheet 27 Modbus memory map Sheet 28 Modbus memory map Sheet 29 Modbus memory map Sheet 30 Modbus memory map Sheet 31 Modbus memory map Sheet 32 Modbus memory map Sheet 33 Format Codes 18-38 Multilink ML1200 Managed Field Switch Appendix a Revision HistoryChange Notes Changes to the ManualWarranty GE Multilin Warranty StatementMultilin Power Consumption 48 V DC, 24 V DC and 125 V DC Power, Theory of Operation Applications for DC Powered Ethernet Switches ML1200, -48 V, 24 V, 125 V DC Installation UL Requirements for DC-powered units Operation DC Power Input Appendix C Internal DC Dual- Source Power Input Specifications for Multilink ML1200 Field Switch Power Supply Internal, -48VDC Dual-SourceChapter C Internal DC DUAL-SOURCE Power Input Option Dual-Source Option Theory of Operation Features and Benefits of the Dual-Source Design Installation