Manuals / Brands / Computer Equipment / Switch / HP / Computer Equipment / Switch

HP 445946-001 NOTE:, Table, TACACS+ level, User access level

1 198

Download 198 pages, 8.34 Mb

Accessing the switch

TACACS+ offers the following advantages over RADIUS:

•TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.

•TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in authentication requests.

•TACACS+ separates authentication, authorization, and accounting.

How TACACS+ authentication works

TACACS+ works much in the same way as RADIUS authentication.

1.Remote administrator connects to the switch and provides user name and password.

NOTE: The user name and password can have a maximum length of 128 characters. The password cannot be left blank.

2.Using Authentication/Authorization protocol, the switch sends request to authentication server.

3.Authentication server checks the request against the user ID database.

4.Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.

TACACS+ authentication features

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.

The default mapping between TACACS+ authorization privilege levels and switch management access levels is shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.

Table 4 Default TACACS+ privilege levels

User access level	TACACS+ level

user	0

oper	3

admin	6

26

Contents

HP 10Gb Ethernet BL-cSwitch Page Contents Ports and trunking Configuring LACP Port-basedNetwork Access and traffic control VLANs Viewing VLANs Bridge priority Port priority Port path cost Adding a VLAN to a Spanning Tree Group Creating a VLAN Basic IP routing Routing Information Protocol IGMP Snooping Configuring IGMP Snooping (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Configuring IGMP Filtering (BBI example) Types of OSPF areas High availability Spanning Tree Protocol with UFD Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Accessing the switch Additional references http://www.hp.com/go/bladesystem/documentation •HP 10Gb Ethernet BL-cSwitch User Guide •HP 10Gb Ethernet BL-cSwitch Command Reference Guide •HP 10Gb Ethernet BL-cSwitch ISCLI Reference Guide ○Untagged ○Port VLAN ID (PVID): VLAN Interface •Gateway 254—Thisgateway is the default gateway for the management interface Using the command line interfaces Using the Browser-basedInterface Using Simple Network Management Protocol /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha To configure a user with name rview wview nview CLI user equivalent CLI oper equivalent SNMPv1 trap host 3.Configure an entry in the notify table c/sys/ssnmp/snmpv3/tparam <x>/uname 5.Use the community table to define the community string used in the traps snmpv2 snmpv1 /c/sys/ssnmp/snmpv3/access <x>/level /c/sys/ssnmp/snmpv3/tparam <x Secure access to the switch Configuring an IP address range for the management network How RADIUS authentication works Configuring RADIUS on the switch (CLI example) Configuring RADIUS on the switch (BBI example) RADIUS authentication features User accounts for RADIUS users RADIUS attributes for user privileges NOTE: User access level TACACS+ level Quit 2.Configure the TACACS+ secret and second secret 5.Configure custom privilege-levelmapping (optional) 6.Apply and save the configuration Tacacs+ Submit Secure Shell and Secure Copy Configuring SSH and SCP features (CLI example) Enabling or disabling SSH Enabling or disabling SCP apply and save Configuring the SCP administrator password Using SSH and SCP client commands Logging in to the switch Downloading configuration from the switch using SCP Uploading configuration to the switch using SCP Applying and saving configuration SSH and SCP encryption of management messages Generating RSA host and server keys for SSH access SSH/SCP integration with RADIUS and TACACS+ authentication Page Ports and trunking Port trunk groups Before you configure trunks Trunk group configuration rules Port trunking example Figure 1.On Switch 1, configure trunk groups 5 and 3: 2.On Switch 2, configure trunk groups 4 and 2: 3.Examine the trunking information on each switch, using the following command: Trunk Groups Add e. Click Submit Dashboard Page Configurable Trunk Hash algorithm Link Aggregation Control Protocol Actor Switch Partner Switch Page 1.Set the LACP mode on port 3. Set the LACP mode on port 4. Define the admin key on port 5.Apply and verify the configuration 6.Save your new configuration changes Port-basedNetwork Access and traffic control Page Page Table 9 EAP support for RADIUS attributes Attribute Attribute Value A-R A-A Port-basedtraffic control To configure a port for traffic control, perform the following steps: 1.Configure the traffic-controlthreshold and enable traffic control 2.To disable a traffic-controlthreshold, use the following command: 3.Apply and save the configuration VLANs Viewing VLANs Port information Port configuration VLAN tagging Page Page Figure 7 802.1Q tagging (after 802.1Q tag assignment) VLANs and IP interfaces VLAN topologies and design considerations /cfg/l2/stp /cfg/l2/mrst Page Multiple VLANS with tagging Figure 8 Multiple VLANs with VLAN tagging The features of this VLAN are described in the following table: Table 10 Multiple VLANs with tagging Component Configuring ports and VLANs on Switch 1 (CLI example) Page Configuring ports and VLANs on Switch 2 (CLI example) Configuring ports and VLANs on Switch 1 (BBI example) e.Click Submit Add VLAN c.Click Submit FDB static entries Page Spanning Tree Protocol Bridge priority Port priority Port path cost Page Switch element Belongs to Multiple Spanning Trees Page Configuring Switch 1 (CLI example) Configuring Switch 2 (CLI example) Configuring Switch 1 (BBI example) Submit Port Fast Forwarding Fast Uplink Convergence RSTP and MSTP Edge port Link type Configuring Rapid Spanning Tree (CLI example) Configuring Rapid Spanning Tree Protocol (BBI example) Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Protocol (CLI example) Configuring Multiple Spanning Tree Protocol (BBI example) CIST-Bridge CIST-Ports d. Click Submit Quality of Service Using ACL filters Number Protocol Name TCP/UDP Application Flag Precedence Group ACLs Precedence Level Using ACL Groups ACL Metering and Re-marking Viewing ACL statistics ACL configuration examples 1.Configure Access Control Lists (ACLs) b.Open the Access Control Lists folder, and select Add ACL Deny IPv4 Page Page Using DSCP values to provide QoS Drop Precedence Class Table 18 Class selector priority classes Priority Using 802.1p priorities to provide QoS Page 1.Configure a port’s default 802.1 priority 1.Configure a port’s default 802.1p priority Page Page Priority - CoS CoS - Weight Queuing and scheduling Basic IP routing Page Page Example of subnet routing Subnet Devices IP Addresses Interface IP Interface Switch Port VLAN # 4.The VLANs shown in the table above are configured as follows: 5.Each time you add a port to a VLAN, you may get the following prompt: 6.Enter y to set the default Port VLAN ID (PVID) for the port 7.Add each IP interface to the appropriate VLAN 9.Apply and verify the configuration Dynamic Host Configuration Protocol Page Routing Information Protocol RIPv1 RIPv2 RIPv2 in RIPv1 compatibility mode RIP Features Page RIP configuration example 1. Add VLANs for routing interfaces 2. Add IP interfaces to VLANs (/cfg/l3/frwd/on) before you turn RIP on /maint/route/dump IGMP Snooping Page Configuring the range Configuring the action Configuring IGMP Snooping (CLI example) Configuring IGMP Filtering (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Page Configuring IGMP Filtering (BBI example) a. Select Layer 3 > IGMP > IGMP Filters > Add Filter Layer 3 > IGMP > IGMP Filters > Switch Ports Page Configuring a Static Multicast Router (BBI example) Page OSPF Page dead OSPF implementation in HP 10GbE switch software Assigning the area index Using the area ID to assign the OSPF area number Attaching an area to a network Default routes Page Page Page OSPF configuration examples Example 1: Simple OSPF domain (BBI example) Add IP Interface Page Add OSPF Area d.Select Add OSPF Area f.Click Submit Add OSPF Interface d.Select Add OSPF Interface f. Click Submit Configuring OSPF for a virtual link on Switch A 8.Attach the network interface to the backbone 9.Attach the network interface to the transit area Configure the virtual link Switch B in step Apply and save the configuration changes Other Virtual Link Options Figure 23 Summarizing routes hide Configure IP interfaces for each network which will be attached to OSPF areas 2.Enable OSPF 3.Define the backbone Use the following commands to verify the OSPF configuration on your switch: •/info/l3/ospf/general •/info/l3/ospf/nbr •/info/l3/ospf/dbase/dbsum •/info/l3/ospf/routes Remote monitoring Configuring RMON Statistics (CLI example) Configuring RMON Statistics (BBI example) Page 4.Click Submit History MIB objects Configure RMON History (CLI example) Configure RMON History (BBI example) Alarm MIB objects Configure RMON Alarms (CLI example 1) Configure RMON Alarms (CLI example 2) Configure RMON Alarms (BBI example 1) 2.Click Submit Configure RMON Alarms (BBI example 2) Configuring RMON Events (CLI example) Configuring RMON Events (BBI example) High availability Page Page Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Add Virtual router Virtual router MAC address Owners and renters Master and backup virtual router Virtual Interface Router Failover methods Figure 26 Active-Activeredundancy HP 10GbE switch extensions to VRRP Parameter Virtual router deployment considerations Task 1: Configure Switch A 2.Configure client and server interfaces 4.Turn on VRRP and configure two Virtual Interface Routers 6.Turn off Spanning Tree Protocol globally Task 2: Configure Switch B Task 1: Configure Switch A (BBI example) Page Page Add Default Gateway Page Add Virtual Router g.Select Add Virtual Router i.Click Submit Add Spanning Tree Group Page off Troubleshooting tools To configure Port Mirroring for the example shown in the preceding figure: 1.Specify the monitoring port 2.Select the ports that you want to mirror 3.Enable Port Mirroring 4. Apply and save the configuration Port-Based Port Mirroring d.Click Add Mirrored Port Other network troubleshooting techniques Other network troubleshooting techniques include the following /info/sys/log -mgt –data Page Index