Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 1000ASE-XD, 1000BASE-SX RADIUS-based network security, MAC address-based security

Models: 1000ASE-XD 1000BASE-ZX 1000BASE-SX 1000BASE-LX

1 214

Download 214 pages 17.84 Kb

Page 37

RADIUS-based network security

Chapter 1 BayStack 420 Switch 37

RADIUS-based network security

The RADIUS-based security feature allows you to set up network access control, using the RADIUS (Remote Authentication Dial-In User Services) security protocol. The RADIUS-based security feature uses the RADIUS protocol to authenticate local console and Telnet logins.

You will need to set up specific user accounts (user names and passwords, and Service-Type attributes) on your RADIUS server before the authentication process can be initiated. To provide each user with appropriate levels of access to the switch, set the following username attributes on your RADIUS server:

•Read-write access—Set the Service-Type field value to Administrative.

•Read-only access—Set the Service-Type field value to NAS-Prompt.

For detailed instructions to set up your RADIUS server, refer to your RADIUS server documentation.

For instructions to use the console interface (CI) to set up the RADIUS-based security feature, see Chapter 3, “Using the console interface,” on page 87.

MAC address-based security

The MAC address-based security feature allows you to set up network access control, based on source MAC addresses of authorized stations.

You can:

•Create a list of up to 448 MAC addresses and specify which addresses are authorized to connect to your switch or stack configuration. The 448 MAC addresses can be configured within a single standalone switch, or they can be distributed in any order among the units in a single stack configuration.

•Specify which of your switch ports each MAC address is allowed to access.

The options for allowed port access include: NONE, ALL, and single or multiple ports that are specified in a list, for example, 1/1-4,1/6,2/9 (see “Port list syntax” on page 115).

•Specify optional actions to be exercised by your switch if the software detects a security violation.

Using the BayStack 420 10/100/1000 Switch

Image 37

Nortel Networks 1000ASE-XD, 1000BASE-SX, 1000BASE-LX, 1000BASE-ZX RADIUS-based network security, MAC address-based security

Contents

Part No. 209418-A May 4401 Great America Parkway Santa Clara, CA Using the BayStack 420 10/100/1000 SwitchTrademarks Copyright 2001 Nortel NetworksRestricted rights legend Statement of conditionsTaiwan Requirements Japan/Nippon Requirements OnlyCanada Requirements Only Using the BayStack 420 10/100/1000 Switch209418-A Nortel Networks Inc. software license agreementown data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs Using the BayStack 420 10/100/1000 Switch209418-A Chapter BayStack 420 Switch ContentsPreface Using the BayStack 420 10/100/1000 Switch8 Contents Chapter Network configuration209418-A Chapter Using the console interfaceAppendix A Technical specifications Chapter Troubleshooting10 Contents 209418-AAppendix C Quick configuration for MultiLink Trunking Appendix D Appendix B Installing a Gigabit Interface Converter GBICConnectors and pin assignments Appendix E Default settings Appendix F209418-A 12 ContentsUsing the BayStack 420 10/100 Ethernet Switch Figures209418-A 14 FiguresFigures 209418-A 16 FiguresTables Physical dimensions Environmental specificationsPerformance specifications GBIC specificationsBefore you begin Prefacewhere there is more than one option. You must choose Text conventionsethernet/2/1 and as many parameter-value pairs as show at validroute italic textshow ip alerts routes, you enter either show ip alerts or show ip routes, but not bothRelated publications Technical Solutions Center How to get helpTelephone 209418-A 24 Preface“Physical description,” next “Features” on page Chapter BayStack 420 SwitchPhysical description Chapter 1 BayStack 420 SwitchConsole port Front panelGigabit Interface Converter GBIC Port connectorsLED display panel BayStack 420-24T SwitchTable 2 BayStack 420 Switch LED descriptions Chapter 1 BayStack 420 SwitchUsing the BayStack 420 10/100/1000 Switch LabelBack panel Cascade Up and Down connectorsCooling fans Specifications AC power receptacleCountry/Plug description Typical plugVorsicht Bitte sofort lesen Caution Please read immediatelyAttention Lisez ceci immédiatement Attenzione Leggere attentamenteAdvertencia Sírvase leer inmediatamente Virtual Local Area Networks VLANs FeaturesStudent Dormitory SecurityTeachers’ offices and classroomsThe switch MAC address-based security RADIUS-based network securityConfiguration parameters storage Switch software image storageFlash memory storage Port mirroring conversation steering MultiLink TrunkingAutosensing, autonegotiation, and autopolarity Standards RFCsApplication SNMP MIB supportStandard MIBs Proprietary MIBsAppendix F, “Sample BootP configuration file,” on page BootP automatic IP configuration/MAC addressSNMP trap support Configuration and switch management Optivity network management software consists of views, most of which are maps that illustrate the interconnections between the segments, rings, and nodes of your network. The views allow you to analyze network performance and fault conditions on the individual segments and specific areas in your network. They can also alert you when a problem has occurred in a specific location. For further information about Optivity, contact your Nortel Networks sales representative Network configuration examples Chapter Network configurationDesktop switch application “Network configuration examples,” nextBefore Segment switch applicationAfter Figure 7 BayStack 420 Switch used as a segment switch Chapter 2 Network configurationUsing the BayStack 420 10/100/1000 Switch 9997EAHigh-density switched workgroup application Unit Select switch BayStack 420 Switch stack operation9998EB Base unit Initial installationStack MAC address Stack up configurations Stack configurationsRemoving a unit from the stack Stack down configurations 10002EA In Unit Unit Unit Unit Unit Unit Unit UnitIEEE 802.1Q VLAN workgroups VLAN BayStack IEEE 802.1Q taggingVLAN Untagged member-a port that has been configured as an untagged member of a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame BS45010A 3 bits 16 bits1 bits 12 bitsBS45014A BS45013APort VLANs spanning multiple 802.1Q tagged switches VLANs spanning multiple switchestagging switch VLANS spanning multiple untagged switchesVLAN 10006EA 10007EA Shared serversPorts 8, 6, and 11 are untagged members of VLAN To configure the VLAN port membership for VLAN To configure the PVID port VLAN identifier for port Figure 24 Default VLAN Port Configuration screen example Chapter 2 Network configurationUsing the BayStack 420 10/100/1000 Switch The PVID/VLAN association for VLAN 3 is now PVID =VLAN workgroup summary Figure 26 VLAN configuration spanning multiple switches Chapter 2 Network configurationUsing the BayStack 420 10/100/1000 Switch Untagged portsMultiLink Trunks VLAN configuration rules10009EA 10010EA Client/server configuration using MultiLink TrunksBayStack Trunk configuration screen examplesTrunk configuration screen for Switch S1 Switch S1 is configured as follows Trunk configuration screen for Switch S2 Figure 32 shows the MultiLink Trunk Configuration screen for Switch S2 78 Chapter 2 Network configuration Trunk Configuration screen for Switch S3Figure 33 MultiLink Trunk Configuration screen for Switch S3 209418-ATrunk Configuration screen for Switch S4 Figure 34 shows the MultiLink Trunk Configuration screen for Switch S4 Before you configure trunks 10013EA Spanning tree considerations for MultiLink Trunks10014EA Figure 37 Example 2 detecting a misconfigured port 84 Chapter 2 Network configuration209418-A 10017EAPort mirroring Additional tips about the MultiLink Trunking featureIs your port mirroring configuration complete? Accessing the CI menus and screens Chapter Using the console interface“Accessing the CI menus and screens,” next “Using the CI menus and screens” on page “Main menu” on pageNavigating the CI menus and screens Using the CI menus and screensChapter 3 Using the console interface Screen fields and descriptionsUsing the BayStack 420 10/100/1000 Switch To return to the previous menu, press Ctrl-RMain menu Using the BayStack 420 10/100/1000 Switch Chapter 3 Using the console interfaceTable 9 describes the CI main menu options Figure 40 Console interface main menuPort Configuration screen” on page 147. This screen allows you to configure 92 Chapter 3 Using the console interfaceTable 9 Console interface main menu options continued 209418-AUsing the BayStack 420 10/100/1000 Switch Chapter 3 Using the console interfaceTable 9 Console interface main menu options continued IP Configuration/Setup screen Table 10 IP Configuration/Setup screen fields Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch Choosing a BootP request mode BootP Always BootP When NeededChapter 3 Using the console interface Using the BayStack 420 10/100/1000 SwitchBootP or Last Address BootP Disabled98 Chapter 3 Using the console interface 209418-ASNMP Configuration screen To open the System Characteristics screen System Characteristics screenChoose System Characteristics or press s from the main menu 100 Chapter 3 Using the console interfaceChapter 3 Using the console interface Table 12 describes the System Characteristics screen fieldsFigure 43 System Characteristics screen Table 12 System Characteristics screen fieldsTable 12 System Characteristics screen fields continued 102 Chapter 3 Using the console interfaceA read-only field that shows the length of time since the last reset. Note that this field 209418-ASwitch Configuration Menu screen 104 Chapter 3 Using the console interface Table 13 describes the Switch Configuration Menu optionsTable 13 Switch Configuration Menu options 209418-ASee “System Log screen” on page MAC Address Table screenTable 14 describes the MAC Address Table screen fields 106 Chapter 3 Using the console interfaceFigure 45 MAC Address Table screen Table 14 MAC Address Table screen fieldsMAC Address Security Configuration Menu screen Address Security Port Configuration screen” on page 111”. This screen describes the MAC Address Security Configuration Menu options.” onFigure 47 MAC Address Security Configuration screen Chapter 3 Using the console interfaceTable 16 MAC Address Security Configuration screen fields Using the BayStack 420 10/100/1000 SwitchTable 16 MAC Address Security Configuration screen fields continued 110 Chapter 3 Using the console interfaceConfiguration screen see “Port Configuration screen” on page “SNMP Configuration screen” on pageMAC Address Security Port Configuration screen Figure 48 MAC Security Port Configuration screen 1 of 112 Chapter 3 Using the console interfaceFigure 49 MAC Security Port Configuration screen 2 of 209418-AMAC Address Security Port Lists screens To open the MAC Address Security Lists screen Port list syntax Adding a new port to an existing port number list Accelerator keys for repetitive tasksCopying an existing field into and adjacent field Removing a port from an existing port number listMAC Address Security Table screens Using the BayStack 420 10/100/1000 Switch Chapter 3 Using the console interfaceTable 19 describes the MAC Address Security Table screen fields Figure 53 MAC Address Security Table screenA single unit/port or a port list value for example, 1/3, 1/6 VLAN Configuration Menu screenFigure 54 VLAN Configuration Menu screen Chapter 3 Using the console interfaceTable 20 VLAN Configuration Menu options Using the BayStack 420 10/100/1000 SwitchVLAN Configuration screen Chapter 3 Using the console interface Table 21 describes the VLAN Configuration screen fieldsFigure 55 VLAN Configuration screen Table 21 VLAN Configuration screen fieldsTable 21 VLAN Configuration screen fields continued 124 Chapter 3 Using the console interface209418-A VLAN # VLAN numberVLAN Port Configuration screen 126 Chapter 3 Using the console interface Table 22 describes the VLAN Port Configuration screen fieldsFigure 56 VLAN Port Configuration screen Table 22 VLAN Port Configuration screen fieldsVLAN Display by Port screen Table 23 describes the VLAN Display by Port screen fields 128 Chapter 3 Using the console interfaceFigure 57 VLAN Display by Port screen Table 23 VLAN Display by Port screen fieldsPort Configuration screen 130 Chapter 3 Using the console interface Table 24 describes the Port Configuration screen fieldsFigure 59 Port Configuration screen 2 of Table 24 Port Configuration screen fieldsHigh Speed Flow Control Configuration screen Figure 60 High Speed Flow Control Configuration 132 Chapter 3 Using the console interfaceTable 25 High Speed Flow Control Configuration screen fields 209418-AChoosing a high speed flow control mode MultiLink Trunk Configuration Menu screenSymmetric mode Asymmetric modeTo open the MultiLink Trunk Configuration Menu screen MultiLink Trunk Configuration screen 136 Chapter 3 Using the console interface Table 27 describes the MultiLink Trunk Configuration screen fieldsFigure 62 MultiLink Trunk Configuration screen Table 27 MultiLink Trunk Configuration screen fieldsMultiLink Trunk Utilization screen Figure 63 MultiLink Trunk Utilization screen 1 of 138 Chapter 3 Using the console interfaceFigure 64 MultiLink Trunk Utilization screen 2 of 209418-AFigure 65 shows an example of a Port Mirroring Configuration screen Port Mirroring Configuration screenChapter 3 Using the console interface Using the BayStack 420 10/100/1000 SwitchFigure 65 Port Mirroring Configuration screen 140 Chapter 3 Using the console interfaceTable 29 Port Mirroring Configuration screen fields 209418-APort Statistics screen To open the Port Statistics screen Using the BayStack 420 10/100/1000 Switch Chapter 3 Using the console interfaceOnly appears if the switch is participating in a stack configuration. The field allows Table 31 Port Statistics screen fieldsTable 31 Port Statistics screen fields continued 144 Chapter 3 Using the console interface209418-A Transmitted column Indicates the total number of 1024-byte to 1518-byte packetsSystem Log screen Table 32 describes the System Log screen fields 146 Chapter 3 Using the console interface Figure 67 System Log screenTable 32 System Log screen fields 209418-AConsole/Comm Port Configuration screen 148 Chapter 3 Using the console interface Table 33 describes the Console/Comm Port Configuration screen fieldsFigure 68 Console/Comm Port Configuration screen Table 33 Console/Comm Port Configuration screen fieldsTable 33 Console/Comm Port Configuration screen fields continued Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch None, Local Password, RADIUS AuthenticationTable 33 Console/Comm Port Configuration screen fields continued 150 Chapter 3 Using the console interfaceparticipating switch in a stack configuration through a console terminal 209418-ATable 33 Console/Comm Port Configuration screen fields continued Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch Any ASCII string of up to 15 printable charactersTable 33 Console/Comm Port Configuration screen fields continued 152 Chapter 3 Using the console interfaceCaution you change the system-supplied default passwords, be sure to 209418-ATable 33 Console/Comm Port Configuration screen fields continued Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch FieldRenumber Stack Units screen Chapter 3 Using the console interface Hardware Unit Information screenUsing the BayStack 420 10/100/1000 Switch Table 34 describes the Renumber Stack Units screen fieldsSpanning Tree Configuration Menu screen Chapter 3 Using the console interface Table 35 describes the Spanning Tree Configuration Menu optionsFigure 71 Spanning Tree Configuration Menu screen Table 35 Spanning Tree Configuration Menu optionsSpanning Tree Port Configuration screen Chapter 3 Using the console interface Table 36 describes the Spanning Tree Port Configuration screen fieldsFigure 73 Spanning Tree Port Configuration screen 2 of Table 36 Spanning Tree Port Configuration screen fieldsTable 36 Spanning Tree Port Configuration screen fields continued 160 Chapter 3 Using the console interfaceWhen an individual port is a trunk member see Trunk field, changing this setting for one 209418-ASpanning Tree Switch Settings screen 162 Chapter 3 Using the console interface Table 37 describes the Spanning Tree Switch Settings parametersTable 37 Spanning Tree Switch Settings parameters 209418-ATable 37 Spanning Tree Switch Settings parameters continued Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch Indicates the Forward Delay parameter value that the root bridge is currently using. ThisTELNET Configuration screen Chapter 3 Using the console interface Table 38 describes the TELNET Configuration screen fieldsTable 38 TELNET Configuration screen fields Using the BayStack 420 10/100/1000 SwitchSoftware Download screen To open the Software Download screen Figure 76 Software Download screen for a BayStack 420 Switch stack 168 Chapter 3 Using the console interfaceTable 39 describes the Software Download screen fields Table 39 Software Download screen fieldsLED Indications during the download process Configuration File Download/Upload screenTo open the Configuration File Download/Upload screen Table 40 Configuration File Download/Upload screen fields Chapter 3 Using the console interfaceUsing the BayStack 420 10/100/1000 Switch Requirements “Diagnosing and correcting problems” on page Chapter TroubleshootingInterpreting the LEDs “Interpreting the LEDs,” next174 Chapter 4 Troubleshooting Figure 78 LED display panel BayStack 420-24T SwitchTable 42 BayStack 420 Switch LED descriptions 209418-ADiagnosing and correcting problems Normal power-up sequence Autonegotiation modes Port connection problemsPort interface Environmental Appendix A Technical specificationsElectrical Performance specifications Physical dimensions180 Appendix A Technical specifications Physical dimensionsNetwork protocol and standards compatibility Safety agency certificationElectromagnetic emissions The BayStack 420 Switch meets the EN50082-11997 standard Electromagnetic immunity182 Appendix A Technical specifications 209418-AProduct description Appendix B Installing a Gigabit Interface Converter GBIC9702FA GBIC labeling9706EA GBIC specifications Standards, connectors, cabling, and distanceGBIC Models 1000BASE-SX1000BASE-LX SC-SC Mode Conditioning Patch Cord 62.5/125-part number AA0018035 1000BASE-XD 1000BASE-ZX Handling, safety, and environmental guidelines 8769EA Installing a GBICTo install a GBIC 1 Remove the GBIC from its protective packaging Appendix C Quick configuration for MultiLink Trunking Figure 83 Configuring MultiLink Trunks 194 Appendix C Quick configuration for MultiLink TrunkingConfigure trunk members see MultiLink Trunking Configuration Rules Configuration RulesRJ-45 10BASE-T/100BASE-TX port connectors Appendix D Connectors and pin assignmentsMDI and MDI-X devices MDI-X to MDI-X cable connections MDI-X to MDI cable connectionsBayStack 420 Switch DB-9 RS-232-D Console/Comm Port connectorSwitch or hub Appendix D Connectors and pin assignments Table 55 lists the DB-9 Console port connector pin assignmentsTable 55 DB-9 Console port connector pin assignments Using the BayStack 420 10/100/1000 Switch209418-A 200 Appendix D Connectors and pin assignmentsTable 56 Factory default settings Appendix E Default settingsUsing the BayStack 420 10/100/1000 Switch Table 56 Factory default settings continued 202 Appendix E Default settingsDefault setting 209418-ATable 56 Factory default settings continued Appendix E Default settingsUsing the BayStack 420 10/100/1000 Switch Default settingTable 56 Factory default settings continued 204 Appendix E Default settingsDefault setting 209418-ATable 56 Factory default settings continued Appendix E Default settingsUsing the BayStack 420 10/100/1000 Switch Retrieve Configuration Image from209418-A 206 Appendix E Default settingsAppendix F Sample BootP configuration file 209418-A 208 Appendix F Sample BootP configuration fileIndex Page Index Using the BayStack 420 10/100/1000 Switch209418-A 212 Index