Juniper Networks EX2500 guide

Chapter 1: Accessing the Switch

The default mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 6. The authorization levels must be defined on the TACACS+ server.

Table 6: Default TACACS+ Authorization Levels

EX2500 User Access Level	TACACS+ level

user	0

oper	3

admin	6

Alternate mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 7. Use the following command to set the alternate TACACS+ authorization levels:

ex2500(config)# tacacs-server privilege-mapping

Table 7: Alternate TACACS+ Authorization Levels

EX2500 User Access Level	TACACS+ level

user	0 - 1

oper	6 -	8

admin	14	- 15

If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has an option to allow secure backdoor access via Telnet or SSH. Secure backdoor provides switch access when the TACACS+ servers cannot be reached. You always can access the switch via the console port by using notacacs and the administrator password, whether secure backdoor is enabled or not.

NOTE: To obtain the TACACS+ backdoor password for your EX2500 switch, contact technical support.

Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization are not performed via TACACS+, no TACACS+ accounting messages are sent out. The EX2500 switch supports the following TACACS+ accounting attributes:

protocol (console, telnet, ssh, or http)

start_time

stop_time

elapsed_time

disc_cause

Securing Access to the Switch 15

Image 29

Juniper Networks EX2500 manual „ starttime „ stoptime „ elapsedtime „ disccause

Contents

North Mathilda Avenue Sunnyvale, CA Configuration Guide Ii „ Table of Contents Chapter VLANs Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Chapter Ports and Trunking Indexes Port Mirroring Overview Configuring Port MirroringAppendixes Port-Based Vlan Assignment Default Vlan SettingsPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables Objectives About This GuideAudience Supported Platforms Icon Meaning Description Documentation Conventions Requesting Technical Support List of Technical PublicationsDocumentation Feedback Opening a Case with Jtac Self-Help Online Tools and Resources EX2500 Ethernet Switch Applications Page Configuring the Management Interface Accessing the Switch Configure the default gateway. Enable the gateway Dynamic Host Configuration Protocol Using the EX2500 Web Device Manager Using Telnet Configuring EX2500 Web Device Manager Access via Https Configuring EX2500 Web Device Manager Access via Http SNMPv1, SNMPv2 Using Snmp SNMPv3 Default ConfigurationUser Configuration SNMPv1 Trap Host Configuration Configuring Snmp Trap HostsSNMPv2 Trap Host Configuration Configure an entry in the notify table SNMPv3 Trap Host Configuration Securing Access to the Switch How Radius Authentication Works Radius Authentication and AuthorizationConfiguring Radius on the Switch Configure the Radius secret Radius Authentication Features in the EX2500 Switch Radius Attributes for EX2500 User Privileges Switch User Accounts TACACS+ Authentication Features in the EX2500 Switch TACACS+ AuthenticationHow TACACS+ Authentication Works „ starttime „ stoptime „ elapsedtime „ disccause Configure the TACACS+ secret and second secret Command Authorization and LoggingConfiguring TACACS+ Authentication on the Switch Generating RSA Host and Server Keys for SSH Access Configuring SSH Features on the SwitchSecure Shell SSH Encryption of Management Messages SSH Integration with Radius and TACACS+ Authentication End User Access Control User Access Control Considerations for Configuring End User Accounts Logging In to an End User Account Listing Current Users Vlan Overview VLANs VLANs and Port Vlan ID Numbers „ Port configurationVlan Numbers Pvid Numbers Vlan Tagging Illustrates the default Vlan settings on the switch Default Vlan Settings Port-Based Vlan Assignment Vlan Topologies and Design Considerations Vlan Configuration Rules Multiple VLANs example in is described in Table Multiple VLANs Configuration Example Enable tagging on uplink ports that support multiple VLANs Private Vlan Ports Private VLANs Private Vlan Configuration Example Private Vlan Configuration GuidelinesConfigure a secondary Vlan and map it to the primary Vlan Verify the configuration Spanning Tree Overview Spanning Tree Protocol Bridge Priority Bridge Protocol Data Units BPDUsDetermining the Path for Forwarding BPDUs Changing the Spanning Tree Mode Spanning Tree Group Configuration GuidelinesPort Priority Port Path Cost Adding and Removing Ports from STGs Creating a VlanRules for Vlan Tagged Ports Port State Changes Rapid Spanning Tree Protocol Rstp Configuration Example Rstp Configuration GuidelinesPort Type and Link Type Edge Port Per Vlan Rapid Spanning Tree Default Spanning Tree ConfigurationWhy Do We Need Multiple Spanning Trees? Configuring Pvrst Pvrst Configuration Guidelines Multiple Spanning Tree Protocol Mstp Configuration GuidelinesMstp Region Common Internal Spanning Tree Implementing Multiple Spanning Tree Groups Multiple Spanning Tree Groups Configuration Example Vlan Fast Uplink Convergence Configuring Fast Uplink Convergence Configuration Guidelines Statistical Load Distribution Ports and TrunkingTrunking Overview Trunk Group Configuration Rules Built-In Fault ToleranceBefore Configuring Static Trunks Port Trunk Group Configuration Example Port Trunking Configuration Example Follow these steps on the EX2500 switch Define a trunk group Link Aggregation Control Protocol Configurable Trunk Hash Algorithm„ Destination MAC Dmac „ Destination IP DIP 48 „ Link Aggregation Control Protocol Configuring Lacp Lacp Configuration GuidelinesOptionally Reducing Lacp Timeout Set the Lacp mode Ex2500config-if# lacp timeout short ex2500config-if# exit QoS Overview Quality of Service COS Using ACL Filters IP Standard ACLs MAC Extended ACLsTo delete a MAC Extended ACL To delete an IP Standard ACL To delete an IP Extended ACL IP Extended ACLs TCP/UDP Understanding ACL Priority Assigning ACLs to a Port ACL Configuration ExamplesViewing ACL Statistics ACL Example 1-Blocking Traffic to a Host Add the ACL to a port ACL Example 3-Blocking Http Traffic Assign the ACLs to a port ACL Example 4-Blocking All Except Certain Packets Broadcast Storms Using Storm Control FiltersConfiguring Storm Control Differentiated Services Concepts Using Dscp Values to Provide QoS Assured Forwarding Drop Precedence Class Per Hop Behavior Dscp Mapping Use the following command to perform Dscp mappingQoS Levels Shows the priority bits in a VLAN-tagged packet Using 802.1p Priority to Provide QoS Queuing and Scheduling Rmon Overview Remote Monitoring Rmon Group 1-Statistics Configure the Rmon statistics on a port Configure the Rmon History parameters for a port Configuring Rmon HistoryThis configuration enables Rmon History collection on port Rmon Group 2-History Alarm MIB Objects Rmon Group 3-AlarmsConfiguring Rmon Alarms Configure the Rmon Alarm parameters to track Icmp messages Rmon Group 9-Events Ex2500config# rmon event 110 type log-onlyPage Igmp Snooping Igmp FastLeave IGMPv3 Snooping Igmp Snooping Configuration Example Ex2500# show ip igmp groups Static Multicast Router High Availability Overview High Availability Through Uplink Failure Detection Failure Detection Pair Spanning Tree Protocol with UFD UFD Configuration Guidelines Monitoring UFD UFD Configuration ExamplePage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes Port Mirroring Overview „ Port Mirroring Overview on „ Configuring Port Mirroring on Configuring Port Mirroring „ Index on Indexes EX2500 Ethernet Switch Configuration Guide 84 „ Indexes Numerics Index Multi-links between switches, port trunking Management interface, configuringPhysical. See switch ports Internet Group Management Protocol. See Igmp QoS Quality of Service. See QoSSecurity Segmentation. See IP subnets Segments. See IP subnets Example showing multiple VLANs Virtual Local Area Networks. See VLANs