Command Authorization and Logging | Juniper Networks EX2500 manual

EX2500 Ethernet Switch Configuration Guide

NOTE: When you are using the EX2500 Web Device Manager, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked.

Command Authorization and Logging

When TACACS+ Command Authorization is enabled, EX2500 configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authorization:

ex2500(config)# tacacs-server command-authorization

When TACACS+ Command Logging is enabled, EX2500 configuration commands are logged on the TACACS+ server. Use the following command to enable TACACS+ Command Logging:

ex2500(config)# tacacs-server command-logging

The following examples illustrate the format of EX2500 commands sent to the

TACACS+ server:

authorization request, cmd=shell, cmd-arg=interface ip accounting request, cmd=shell, cmd-arg=interface ip authorization request, cmd=shell, cmd-arg=enable accounting request, cmd=shell, cmd-arg=enable

Configuring TACACS+ Authentication on the Switch

1.Configure the Primary and Secondary TACACS+ servers, and enable TACACS authentication.

ex2500(config)# tacacs-server primary-host 10.10.1.1 ex2500(config)# tacacs-server secondary-host 10.10.1.2 ex2500(config)# tacacs-server enable

2.Configure the TACACS+ secret and second secret.

ex2500(config)# tacacs-serverprimary-host 10.10.1.1 key <1-32 character secret>

ex2500(config)# tacacs-serversecondary-host 10.10.1.2 key <1-32 character secret>

3.If desired, you may change the default TCP port number used to listen to TACACS+. The well-known port for TACACS+ is 49.

ex2500(config)# tacacs-server port <TCP port number>

4.Configure the number of retry attempts and the timeout period.

ex2500(config)# tacacs-server retransmit 3 ex2500(config)# tacacs-server timeout 5

16 Securing Access to the Switch

Image 30

Juniper Networks EX2500 manual Command Authorization and Logging, Configuring TACACS+ Authentication on the Switch

Contents

Configuration Guide North Mathilda Avenue Sunnyvale, CA Ii „ Table of Contents Chapter VLANs Chapter Ports and Trunking Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Port Mirroring Overview Configuring Port Mirroring AppendixesIndexes Default Vlan Settings Port-Based Vlan AssignmentPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables Audience About This GuideObjectives Supported Platforms Documentation Conventions Icon Meaning Description List of Technical Publications Documentation FeedbackRequesting Technical Support Self-Help Online Tools and Resources Opening a Case with Jtac EX2500 Ethernet Switch Applications Page Accessing the Switch Configuring the Management Interface Dynamic Host Configuration Protocol Configure the default gateway. Enable the gateway Using Telnet Using the EX2500 Web Device Manager Configuring EX2500 Web Device Manager Access via Http Configuring EX2500 Web Device Manager Access via Https Using Snmp SNMPv1, SNMPv2 Default Configuration User ConfigurationSNMPv3 SNMPv2 Trap Host Configuration Configuring Snmp Trap HostsSNMPv1 Trap Host Configuration Configure an entry in the notify table Securing Access to the Switch SNMPv3 Trap Host Configuration Configuring Radius on the Switch Radius Authentication and AuthorizationHow Radius Authentication Works Configure the Radius secret Radius Authentication Features in the EX2500 Switch Switch User Accounts Radius Attributes for EX2500 User Privileges TACACS+ Authentication How TACACS+ Authentication WorksTACACS+ Authentication Features in the EX2500 Switch „ starttime „ stoptime „ elapsedtime „ disccause Command Authorization and Logging Configuring TACACS+ Authentication on the SwitchConfigure the TACACS+ secret and second secret Secure Shell Configuring SSH Features on the SwitchGenerating RSA Host and Server Keys for SSH Access SSH Encryption of Management Messages End User Access Control SSH Integration with Radius and TACACS+ Authentication Considerations for Configuring End User Accounts User Access Control Listing Current Users Logging In to an End User Account VLANs Vlan Overview Vlan Numbers „ Port configurationVLANs and Port Vlan ID Numbers Pvid Numbers Illustrates the default Vlan settings on the switch Vlan Tagging Default Vlan Settings Port-Based Vlan Assignment Vlan Configuration Rules Vlan Topologies and Design Considerations Multiple VLANs Configuration Example Multiple VLANs example in is described in Table Enable tagging on uplink ports that support multiple VLANs Private VLANs Private Vlan Ports Configure a secondary Vlan and map it to the primary Vlan Private Vlan Configuration GuidelinesPrivate Vlan Configuration Example Verify the configuration Spanning Tree Protocol Spanning Tree Overview Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Port Priority Spanning Tree Group Configuration GuidelinesChanging the Spanning Tree Mode Port Path Cost Creating a Vlan Rules for Vlan Tagged PortsAdding and Removing Ports from STGs Rapid Spanning Tree Protocol Port State Changes Port Type and Link Type Rstp Configuration GuidelinesRstp Configuration Example Edge Port Default Spanning Tree Configuration Why Do We Need Multiple Spanning Trees?Per Vlan Rapid Spanning Tree Pvrst Configuration Guidelines Configuring Pvrst Mstp Region Mstp Configuration GuidelinesMultiple Spanning Tree Protocol Common Internal Spanning Tree Multiple Spanning Tree Groups Configuration Example Implementing Multiple Spanning Tree Groups Fast Uplink Convergence Vlan Configuration Guidelines Configuring Fast Uplink Convergence Ports and Trunking Trunking OverviewStatistical Load Distribution Built-In Fault Tolerance Before Configuring Static TrunksTrunk Group Configuration Rules Port Trunking Configuration Example Port Trunk Group Configuration Example Follow these steps on the EX2500 switch Define a trunk group „ Destination MAC Dmac Configurable Trunk Hash AlgorithmLink Aggregation Control Protocol „ Destination IP DIP 48 „ Link Aggregation Control Protocol Optionally Reducing Lacp Timeout Lacp Configuration GuidelinesConfiguring Lacp Set the Lacp mode Ex2500config-if# lacp timeout short ex2500config-if# exit Quality of Service QoS Overview Using ACL Filters COS To delete a MAC Extended ACL MAC Extended ACLsIP Standard ACLs To delete an IP Standard ACL IP Extended ACLs To delete an IP Extended ACL Understanding ACL Priority TCP/UDP Viewing ACL Statistics ACL Configuration ExamplesAssigning ACLs to a Port ACL Example 1-Blocking Traffic to a Host ACL Example 3-Blocking Http Traffic Add the ACL to a port ACL Example 4-Blocking All Except Certain Packets Assign the ACLs to a port Using Storm Control Filters Configuring Storm ControlBroadcast Storms Using Dscp Values to Provide QoS Differentiated Services Concepts Per Hop Behavior Assured Forwarding Drop Precedence Class Use the following command to perform Dscp mapping QoS LevelsDscp Mapping Using 802.1p Priority to Provide QoS Shows the priority bits in a VLAN-tagged packet Queuing and Scheduling Remote Monitoring Rmon Overview Configure the Rmon statistics on a port Rmon Group 1-Statistics This configuration enables Rmon History collection on port Configuring Rmon HistoryConfigure the Rmon History parameters for a port Rmon Group 2-History Configuring Rmon Alarms Rmon Group 3-AlarmsAlarm MIB Objects Configure the Rmon Alarm parameters to track Icmp messages Ex2500config# rmon event 110 type log-only Rmon Group 9-EventsPage Igmp Igmp Snooping FastLeave Igmp Snooping Configuration Example IGMPv3 Snooping Static Multicast Router Ex2500# show ip igmp groups High Availability Through Uplink Failure Detection High Availability Overview Spanning Tree Protocol with UFD UFD Configuration Guidelines Failure Detection Pair UFD Configuration Example Monitoring UFDPage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes „ Port Mirroring Overview on „ Configuring Port Mirroring on Port Mirroring Overview Configuring Port Mirroring Indexes „ Index on EX2500 Ethernet Switch Configuration Guide 84 „ Indexes Index Numerics Physical. See switch ports Management interface, configuringMulti-links between switches, port trunking Internet Group Management Protocol. See Igmp Security Quality of Service. See QoSQoS Segmentation. See IP subnets Segments. See IP subnets Virtual Local Area Networks. See VLANs Example showing multiple VLANs