Secure Shell | Juniper Networks EX2500 instruction

Chapter 1: Accessing the Switch

Secure Shell

Secure Shell (SSH) uses secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing an EX2500 switch does not provide a secure connection.

SSH is a protocol that enables remote administrators to log securely into the

EX2500 over a network to execute management commands.

SSH provides the following benefits:

Authentication of remote administrators

Identifying the administrator using Name and Password

Authorization of remote administrators

Determining the permitted actions and customizing service for individual administrators

Encryption of management messages

Encrypting messages between the remote administrator and switch

The EX2500 implementation of SSH supports versions 1.0 and 2.0 and SSH client versions 1.5 through 2.x.

Configuring SSH Features on the Switch

SSH is disabled by default. Before you can use SSH commands on the switch, turn on SSH as follows:

ex2500(config)# ssh enable

SSH Encryption of Management Messages

The following encryption and authentication methods are supported for SSH:

Server Host Authentication: Client RSA authenticates the switch at the beginning of every connection.

Key Exchange: RSA.

Encryption: 3DES-CBC and DES.

User Authentication: Local password authentication.

Generating RSA Host and Server Keys for SSH Access

To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the EX2500 switch. The server key is 768 bits and is used to make it impossible for someone to decipher a captured session by breaking into the EX2500 switch at a later time.

Securing Access to the Switch 17

Image 31

Juniper Networks EX2500 manual Secure Shell, Configuring SSH Features on the Switch, SSH Encryption of Management Messages

Contents

North Mathilda Avenue Sunnyvale, CA Configuration Guide Ii „ Table of Contents Chapter VLANs Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Chapter Ports and Trunking Appendixes Port Mirroring Overview Configuring Port MirroringIndexes Port-Based Vlan Assignment Default Vlan SettingsPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables Supported Platforms About This GuideObjectives Audience Icon Meaning Description Documentation Conventions Documentation Feedback List of Technical PublicationsRequesting Technical Support Opening a Case with Jtac Self-Help Online Tools and Resources EX2500 Ethernet Switch Applications Page Configuring the Management Interface Accessing the Switch Configure the default gateway. Enable the gateway Dynamic Host Configuration Protocol Using the EX2500 Web Device Manager Using Telnet Configuring EX2500 Web Device Manager Access via Https Configuring EX2500 Web Device Manager Access via Http SNMPv1, SNMPv2 Using Snmp User Configuration Default ConfigurationSNMPv3 Configure an entry in the notify table Configuring Snmp Trap HostsSNMPv1 Trap Host Configuration SNMPv2 Trap Host Configuration SNMPv3 Trap Host Configuration Securing Access to the Switch Configure the Radius secret Radius Authentication and AuthorizationHow Radius Authentication Works Configuring Radius on the Switch Radius Authentication Features in the EX2500 Switch Radius Attributes for EX2500 User Privileges Switch User Accounts How TACACS+ Authentication Works TACACS+ AuthenticationTACACS+ Authentication Features in the EX2500 Switch „ starttime „ stoptime „ elapsedtime „ disccause Configuring TACACS+ Authentication on the Switch Command Authorization and LoggingConfigure the TACACS+ secret and second secret SSH Encryption of Management Messages Configuring SSH Features on the SwitchGenerating RSA Host and Server Keys for SSH Access Secure Shell SSH Integration with Radius and TACACS+ Authentication End User Access Control User Access Control Considerations for Configuring End User Accounts Logging In to an End User Account Listing Current Users Vlan Overview VLANs Pvid Numbers „ Port configurationVLANs and Port Vlan ID Numbers Vlan Numbers Vlan Tagging Illustrates the default Vlan settings on the switch Default Vlan Settings Port-Based Vlan Assignment Vlan Topologies and Design Considerations Vlan Configuration Rules Multiple VLANs example in is described in Table Multiple VLANs Configuration Example Enable tagging on uplink ports that support multiple VLANs Private Vlan Ports Private VLANs Verify the configuration Private Vlan Configuration GuidelinesPrivate Vlan Configuration Example Configure a secondary Vlan and map it to the primary Vlan Spanning Tree Overview Spanning Tree Protocol Determining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUsBridge Priority Port Path Cost Spanning Tree Group Configuration GuidelinesChanging the Spanning Tree Mode Port Priority Rules for Vlan Tagged Ports Creating a VlanAdding and Removing Ports from STGs Port State Changes Rapid Spanning Tree Protocol Edge Port Rstp Configuration GuidelinesRstp Configuration Example Port Type and Link Type Why Do We Need Multiple Spanning Trees? Default Spanning Tree ConfigurationPer Vlan Rapid Spanning Tree Configuring Pvrst Pvrst Configuration Guidelines Common Internal Spanning Tree Mstp Configuration GuidelinesMultiple Spanning Tree Protocol Mstp Region Implementing Multiple Spanning Tree Groups Multiple Spanning Tree Groups Configuration Example Vlan Fast Uplink Convergence Configuring Fast Uplink Convergence Configuration Guidelines Trunking Overview Ports and TrunkingStatistical Load Distribution Before Configuring Static Trunks Built-In Fault ToleranceTrunk Group Configuration Rules Port Trunk Group Configuration Example Port Trunking Configuration Example Follow these steps on the EX2500 switch Define a trunk group „ Destination IP DIP Configurable Trunk Hash AlgorithmLink Aggregation Control Protocol „ Destination MAC Dmac 48 „ Link Aggregation Control Protocol Set the Lacp mode Lacp Configuration GuidelinesConfiguring Lacp Optionally Reducing Lacp Timeout Ex2500config-if# lacp timeout short ex2500config-if# exit QoS Overview Quality of Service COS Using ACL Filters To delete an IP Standard ACL MAC Extended ACLsIP Standard ACLs To delete a MAC Extended ACL To delete an IP Extended ACL IP Extended ACLs TCP/UDP Understanding ACL Priority ACL Example 1-Blocking Traffic to a Host ACL Configuration ExamplesAssigning ACLs to a Port Viewing ACL Statistics Add the ACL to a port ACL Example 3-Blocking Http Traffic Assign the ACLs to a port ACL Example 4-Blocking All Except Certain Packets Configuring Storm Control Using Storm Control FiltersBroadcast Storms Differentiated Services Concepts Using Dscp Values to Provide QoS Assured Forwarding Drop Precedence Class Per Hop Behavior QoS Levels Use the following command to perform Dscp mappingDscp Mapping Shows the priority bits in a VLAN-tagged packet Using 802.1p Priority to Provide QoS Queuing and Scheduling Rmon Overview Remote Monitoring Rmon Group 1-Statistics Configure the Rmon statistics on a port Rmon Group 2-History Configuring Rmon HistoryConfigure the Rmon History parameters for a port This configuration enables Rmon History collection on port Configure the Rmon Alarm parameters to track Icmp messages Rmon Group 3-AlarmsAlarm MIB Objects Configuring Rmon Alarms Rmon Group 9-Events Ex2500config# rmon event 110 type log-onlyPage Igmp Snooping Igmp FastLeave IGMPv3 Snooping Igmp Snooping Configuration Example Ex2500# show ip igmp groups Static Multicast Router High Availability Overview High Availability Through Uplink Failure Detection Failure Detection Pair Spanning Tree Protocol with UFD UFD Configuration Guidelines Monitoring UFD UFD Configuration ExamplePage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes Port Mirroring Overview „ Port Mirroring Overview on „ Configuring Port Mirroring on Configuring Port Mirroring „ Index on Indexes EX2500 Ethernet Switch Configuration Guide 84 „ Indexes Numerics Index Internet Group Management Protocol. See Igmp Management interface, configuringMulti-links between switches, port trunking Physical. See switch ports Segmentation. See IP subnets Segments. See IP subnets Quality of Service. See QoSQoS Security Example showing multiple VLANs Virtual Local Area Networks. See VLANs