MAC Address-Based Security | Nortel Networks 10BASE-T manual

Introduction to the BayStack 410-24T Switch

MAC Address-Based Security

The MAC address-based security feature allows you to set up network access control, based on source MAC addresses of authorized stations.

You can:

•Create a list of up to 448 MAC addresses and specify which addresses are authorized to connect to your switch or stack configuration. The 448 MAC addresses can be configured within a single standalone switch or they can be distributed in any order among the units in a single stack configuration.

•Specify which of your switch ports each MAC address is allowed to access.

The options for allowed port access include: NONE, ALL, and single or multiple ports that are specified in a list, for example, 1/1-4,1/6,2/9 (see “Port List Syntax” on page 3-34).

•Specify optional actions to be exercised by your switch if the software detects a security violation.

The response can be to send a trap, turn on destination address (DA) filtering, disable the specific port, or any combination of these three options.

For instructions on using the console interface (CI) to set up network access control, see “MAC Address-Based Security” on page 3-23.

The MAC address-based security feature is based on Nortel Networks BaySecure™ LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.

To learn more about Nortel Networks BaySecure LAN Access for Ethernet, refer to the Bay Networks Guide to Implementing BaySecure LAN Access for Ethernet (Part number 345-1106A).

309985-C Rev 00

1-15

Image 45

Nortel Networks 10BASE-T manual MAC Address-Based Security

Contents

Using the BayStack 410-24T 10BASE-T Switch Trademarks Copyright 2000 Nortel NetworksStatement of Conditions USA Requirements Only Taiwan Requirements Japan/Nippon Requirements OnlyCanada Requirements Only EC Declaration of Conformity Nortel Networks NA Inc. Software License Agreement Rev Page Contents Viii Chapter Installing the BayStack 410-24T Switch Chapter Using the Console Interface Chapter Troubleshooting Appendix B Media Dependent Adapters Appendix D Connectors and Pin Assignments Page Figures Vlan Configuration Spanning Multiple Switches IP Configuration/Setup Screen Standalone Switch Figure B-1 Figure C-3 Page Tables 102 Preface Audience Switch View a sample BootP configuration fileOrganization This guide has four chapters, six appendixes, and an index Text Conventions Acronyms Reverse Address Resolution Protocol Remote Authentication Dial-In User ServicesRedundant power supply unit Media dependent adapter Related Publications Technical Solutions Center Telephone How to Get HelpPage Description BayStack 410-24T Switch Comm Port Front Panel Uplink/Expansion ModuleSlot 10BASE-T Port Connectors LED Display Panel BayStack 410-24T Switch LED DescriptionsProvides descriptions of the LEDs Label Type Color State Meaning CAS Up Stack mode Off Switch is in standalone mode Green Back Panel BayStack 410-24T Switch Back Panel AC Power Receptacle International Power Cord SpecificationsCountry/Plug description Specifications Typical plug Rpsu Connector Cascade Module SlotCooling Fans Features Telnet Introduction to the BayStack 410-24T Switch Virtual Local Area Networks VLANs Security BayStack 410-24T Switch Security Feature See MAC Address-Based Security on MAC Address-Based Security Ieee 802.1p RADIUS-Based Network SecuritySnmp Security Configuration and Switch Management Igmp Snooping FeatureSwitch Software Image Flash Memory Storage Autosensing and Autonegotiation Configuration Parameters MultiLink Trunking Ieee 802.1Q VLANsPort Mirroring BootP Automatic IP Configuration/MAC Address Snmp MIB Support Trap Name Configurable Sent whenSnmp Trap Support Supported Snmp Traps Desktop Switch Application Network Configuration BayStack 410-24T Switch Used as a Desktop Switch BayStack 410-24T Switch Used as a Workgroup Switch Segment Switch Application Configuring Power Workgroups and a Shared Media Hub High-Density Switched Workgroup Application Fail-Safe Stack Example Fail-Safe Stack Application 10. Compatible Software Versions Stack Operation Using the BayStack 410-24T 10BASE-T Switch Cascade a Out Connector Unit Select SwitchBayStack 400-ST1 Cascade Module 12. Connecting Cascade Cables Cascade a In Connector Base Unit Using the BayStack 410-24T 10BASE-T Switch Stack Configurations Stack Down Configurations Stack Up Configurations 14. Stack Down Configuration Example Redundant Cascade Stacking Feature 15. Redundant Cascade Stacking Feature 16. Port-Based Vlan Example Ieee 802.1Q Vlan Workgroups Ieee 802.1Q Tagging 17. Default Vlan Settings 18. Port-Based Vlan Assignment 20 .1Q Tag Assignment VLANs Spanning Multiple 802.1Q Tagged Switches VLANs Spanning Multiple Switches 23. VLANs Spanning Multiple Untagged Switches VLANs Spanning Multiple Untagged Switches 24. Possible Problems with VLANs and Spanning Tree Protocol 25. Multiple VLANs Sharing Resources Shared Servers 26. Vlan Broadcast Domains Within the Switch Default Vlan Configuration screen opens Figure To configure the Vlan port membership for Vlan 28. Vlan Configuration Screen Example To configure the Pvid port Vlan identifier for Port 29. Default Vlan Port Configuration Screen Example Vlan Workgroup Summary 30. Vlan Port Configuration Screen Example 31. Vlan Configuration Spanning Multiple Switches Vlan Configuration Rules Igmp Snooping 32. IP Multicast Propagation With Igmp Routing 33. BayStack 410-24T Switch Filtering IP Multicast Streams 1 34. BayStack 410-24T Switch Filtering IP Multicast Streams 2 Igmp Snooping Configuration Rules 35. Prioritizing Packets Ieee 802.1p Prioritizing 36. Port Transmit Queue Traffic Class Configuration screen opens Figure To configure the port priority level, follow these steps 38. Setting Port Priority Example Vlan Port Configuration screen opens Figure MultiLink Trunks 39. Switch-to-Switch Trunk Configuration Example 40. Switch-to-Server Trunk Configuration Example Client/Server Configuration Using MultiLink Trunks 41. Client/Server Configuration Example Trunk Configuration Screen Examples Trunk Configuration Screen for Switch S1Setting Up the Trunk Configuration for S1 43. MultiLink Trunk Configuration Screen for Switch S1 MultiLink Trunk Configuration screen opens Figure Using the BayStack 410-24T 10BASE-T Switch 44. MultiLink Trunk Configuration Screen for Switch S2 Trunk Configuration Screen for Switch S2 Using the BayStack 410-24T 10BASE-T Switch 45. MultiLink Trunk Configuration Screen for Switch S3 Trunk Configuration Screen for Switch S3 Using the BayStack 410-24T 10BASE-T Switch 46. MultiLink Trunk Configuration Screen for Switch S4 Trunk Configuration Screen for Switch S4 Using the BayStack 410-24T 10BASE-T Switch MultiLink Trunking Configuration Rules Before Configuring Trunks Using the BayStack 410-24T 10BASE-T Switch 47. Loss of Distributed Trunk Members 48. Path Cost Arbitration Example Spanning Tree Considerations for MultiLink Trunks 49. Example 1 Correctly Configured Trunk 50. Example 2 Detecting a Misconfigured Port Additional Tips About the MultiLink Trunking Feature Port Mirroring Conversation Steering 51. Port-Based Mirroring Configuration Example Port-Based Mirroring Configuration Using the BayStack 410-24T 10BASE-T Switch 52. Port Mirroring Port-Based Screen Example Address-Based Mirroring Configuration 53. Address-Based Mirroring Configuration Example 54. Port Mirroring Address-Based Screen Example Port Mirroring Configuration Rules Installation Requirements Installing the BayStack 410-24T Switch Contents will be the same Installing the BayStack 410-24T Switch on a Flat Surface Installation Procedure Installing the BayStack 410-24T Switch in a Rack Positioning the Chassis in the Rack Attaching Mounting Brackets Attaching Devices to the BayStack 410-24T Switch BASE-T Port Connections Connecting 10BASE-T Ports and 10/100 MDA Ports Fiber Optic Port Connections Connecting Fiber Optic MDA Ports Console/Comm Port To connect a terminal to the Console/Comm port Connecting a Terminal to the Console/Comm Port Connecting Power Grounded AC Power Outlet BayStack 410-24T Switch AC Power Receptacle Verifying the Installation Using the LEDs Verifying the InstallationPower-Up Sequence Stage Description LED indication Configuration includes an additional test Cascade Sram test Verifying the Installation Using the Self-Test Screen 12. Nortel Networks Logo Screen Standalone Switch Setup Initial Setup 13. Main Menu for Standalone Switch 14. IP Configuration/Setup Screen Standalone Switch Stack Setup 15. Main Menu Standalone Switch Example 17. IP Configuration/Setup Screen Stack Configuration Installing the BayStack 410-24T Switch Page Chapter Using the Console Interface Navigating the CI Menus and Screens Using the CI Menus and Screens Map of Console Interface Screens Screen Fields and Descriptions Console Interface Main Menu Main Menu Console Interface Main Menu options Describes the CI main menu options Save Current Settings Configuration FileReset Reset to Default Logout OptionDescription IP Configuration/Setup Screen IP Configuration/Setup IP Configuration/Setup Screen Fields Describes the IP Configuration/Setup screen fields FieldDescription Choosing a BootP Request ModeIP Address to Ping BootP or Last Address BootP Disabled BootP Always BootP When Needed Describes the Snmp Configuration screen fields Snmp ConfigurationSnmp Configuration Screen Fields Field Description Read-Only Snmp Configuration Screen Fields Describes the System Characteristics screen fields System Characteristics System Characteristics Screen Fields System Characteristics Screen Fields Describes the Switch Configuration Menu screen options Switch Configuration Switch Configuration Menu Screen Options Switch Configuration Menu Screen Options MAC Address Table Screen MAC Address Table MAC Address Table Screen Fields Describes the MAC Address Table screen fieldsField Description Aging Time Find an Address MAC Address-Based Security MAC Address Security Configuration Menu MAC Address Security Configuration Menu Options MAC Address Security Configuration MAC Address Security Configuration Screen Field Description MAC Address Security MAC Address Security Configuration Screen FieldsSNMP-Locked Partition Time MAC Address Security Port Configuration 10. MAC Address Security Port Configuration Screen 1 11. MAC Address Security Port Configuration Screen 2 Field Description Unit MAC Address Security Port Configuration Screen FieldsPort Trunk 12. MAC Address Security Port Lists Screens 5 Screens MAC Address Security Port Lists MAC Address Security Port Lists Screen Fields Field Description EntryPort List Port List Syntax Adding a New Port to an Existing Port Number List Removing a Port from an Existing Port Number ListCopying an Existing Field into an Adjacent Field 14. MAC Address Security Table Screens 16 Screens MAC Address Security Table 15. MAC Address Security Table Screen MAC Address Security Table Screen Fields Field Description Find an AddressAllowed Source Vlan Configuration Menu 12. Vlan Configuration Menu Screen Options 12 describes the Vlan Configuration Menu screen options Vlan Configuration 13 describes the Vlan Configuration screen fields Vlan Configuration Screen FieldsField Description Create Vlan Protocol Id PID Vlan Type Field Description User-defined PID 13. Vlan Configuration Screen FieldsVlan State Port Membership PID Name Encapsulation PID Value hex Vlan Type Predefined Protocol Identifier PID PID Value hex Comments Reserved PIDs Vlan Port Configuration Gigabit Ports and BayStack 410-24T Switch Ports Restriction 16 describes the Vlan Port Configuration screen fields Vlan Port Configuration Screen FieldsFilter Tagged Frames 16. Vlan Port Configuration Screen Fields 19. Vlan Display by Port Screen Vlan Display by Port Traffic Class Configuration 18 describes the Traffic Class Configuration screen fields Traffic Class Configuration Screen FieldsField Description User Priority Port Configuration Port Configuration Screen 1Rev Port Configuration Screen Fields 19 describes the Port Configuration screen fields LnkTrap High Speed Flow Control ConfigurationAutonegotiation Speed/Duplex1 20. High Speed Flow Control Configuration Screen Fields 23. High Speed Flow Control Configuration Screen High Speed Flow Control Configuration Screen Fields Choosing a High Speed Flow Control Mode MultiLink Trunk Configuration Symmetric ModeAsymmetric Mode 21. MultiLink Trunk Configuration Menu Screen Options Option Description MultiLink TrunkUtilization MultiLink Trunk Configuration Screen Field Description Trunk MultiLink Trunk Configuration Screen Fields MultiLink Trunk Utilization Screen MultiLink Trunk Configuration Screen Fields 26. MultiLink Trunk Utilization Screen 1 MultiLink Trunk Utilization Screen Fields 23 describes the MultiLink Trunk Utilization screen fieldsTraffic Type Unit/Port 23. MultiLink Trunk Utilization Screen Fields Port Mirroring ConfigurationField Description Last 5 Minutes Last 30 Minutes 24. Port Mirroring Configuration Screen Fields 24 describes the Port Mirroring Configuration screen fields Unit/Port Y Field Description Monitor Unit/PortAddress a Address B Monitoring Modes Fields Description Port-basedAddress-based 29. Rate Limiting Configuration Screen 1 Rate Limiting Configuration 30. Rate Limiting Configuration Screen 2 Rate Limiting Configuration Screen Fields 26 describes the Rate Limiting Configuration screen fieldsPacket Type Limit Igmp Configuration Menu 27 describes the Igmp Configuration Menu screen options27. Igmp Configuration Menu Screen Options Igmp Configuration Option Description Display Multicast GroupMembership 28 describes the Igmp Configuration screen fields Igmp Configuration Screen FieldsField Description Igmp Configuration Screen Fields 28. Igmp Configuration Screen Fields Configuring Ports as Static Router Ports Multicast Group Membership 29 describes the Multicast Group Membership screen options Multicast Group Membership Screen OptionsOption Description 34. Port Statistics Screen Port Statistics 30 describes the Port Statistics screen fields Gigabit MDAPort Statistics Screen Fields Port Statistics Screen Fields Pause Frames Single Collisions 35. ATM Configuration Menu Screen ATM Configuration Menu Before Configuring Your ATM MDA LEC Configuration 31 describes the ATM Configuration Menu screen options31. ATM Configuration Menu Screen Options MDA Software LEC Configuration Screen Fields 32 describes the LEC Configuration screen fields LEC Configuration Screen Fields 32. LEC Configuration Screen Fields ATM MDA Configuration ATM MDA Configuration Screen Fields 33 describes the ATM MDA Configuration screen fields UNI Version User Defined Field Description PHY Type ATM MDA Software Download 34 describes the ATM MDA Software Download screen fields 34. ATM MDA Software Download Screen FieldsTftp Server IP Address Using the Console Interface 35. Console/Comm Port Configuration Screen Fields Console/Comm Port Configuration Baud, 4800 Baud, 9600 Baud, 19200 Baud, 38400 Baud Password Type FieldDescription Console SwitchTelnet Switch Console Stack Field Description Telnet Stack Switch PasswordConsole Read-Only Console Read-Write An Ascii string of up to 15 printable characters Any Ascii string of up to 15 printable characters Server 40. Renumber Stack Units Screen Renumber Stack Units 36. Renumber Stack Units Screen Options 36 describes the Renumber Stack Units screen options Hardware Unit Information Spanning Tree Configuration Return to Main Menu 37. Spanning Tree Configuration Menu Screen Options 43. Spanning Tree Port Configuration Screen 1 Spanning Tree Port Configuration Spanning Tree Port Configuration Screen Fields 44. Spanning Tree Port Configuration Screen 2 Spanning Tree Port Configuration Screen Fields 45. Spanning Tree Switch Settings Screen Display Spanning Tree Switch Settings 39 describes the Spanning Tree Switch Settings parameters 39. Spanning Tree Switch Settings ParametersParameter Description Delay Parameter Description Forward DelayBridge Hello Time 46. TELNET/SNMP Manager List Configuration Screen TELNET/SNMP Manager List Configuration Login Timeout Login Retries Inactivity Event Logging 40. TELNET/SNMP Manager List Configuration Screen Fields Field Description Allowed Source IP AddressMask Software Download 41. Software Download Screen Fields 41 describes the Software Download screen fields New Image LED Indications During the Download Process Phase Description LED Indications 42. LED Indications During the Software Download ProcessLink status LEDs ports 18 to 24 only The LEDs begin to 48. Configuration File Download/Upload Screen Configuration File Copy Configuration 43. Configuration File Download/Upload Screen FieldsRetrieve Configuration Image to Server These parameters are not saved Used in this screen See Parameters Not Saved to the Configuration File 49. Event Log Screen Display Event Log 50. Sample Event Log Entry Showing Excessive Bad Entries Excessive Bad Entries Write Threshold Flash Update Reset Save Current Settings 53. Self-Test Screen After Resetting the Switch 54. Nortel Networks Logo Screen Reset to Default Settings 55. Self-Test Screen After Resetting to Default Settings 129 Logout 57. Password Prompt Screen Chapter Troubleshooting Interpreting the LEDs Troubleshooting Diagnosing and Correcting the Problem Normal Power-Up Sequence Symptom Probable cause Corrective actionCorrective Actions See Port Connection Problems on Port Connection Problems Port Interface Autonegotiation Modes Software Download Error Codes Software Download Error CodesError code Description Corrective action Center Page Parameter Specifications Parameter Operating Specification Storage SpecificationEnvironmental Electrical Physical Dimensions Performance SpecificationsNetwork Protocol and Standards Compatibility Data Rate Safety Agency CertificationInterface Options Electromagnetic Emissions Declaration of Conformity Electromagnetic Immunity Type Model/Description See Appendix B Media Dependent Adapters Label Description 10BASE-T/100BASE-TX MDA 100BASE-FX MDAs Figure B-2 BASE-FX MDA Front Panels Table B-2 BASE-FX MDA Components Figure B-3. Installing an MDA Installing an MDA Remove the AC power cord from the power source When replacing an installed MDAReplacing an MDA Loosen the thumbscrews and remove the MDAPage To learn more about See Appendix C Quick Steps to Features To create or modify an 802.1Q VLAN, follow the flowcharts Configuring 802.1Q VLANs Figure C-2. Configuring 802.1Q VLANs 2 Figure C-3. Configuring 802.1Q VLANs 3 Figure C-4. Configuring the BayStack 450-2M3/2S3 MDA 1 Configuring the BayStack 450-2M3/2S3 MDAs Figure C-5. Configuring the BayStack 450-2M3/2S3 MDA 2 Figure C-6. Configuring the BayStack 450-2M3/2S3 MDA 3 Figure C-7. Configuring MultiLink Trunks Configuring MultiLink Trunks Figure C-8. Configuring Port Mirroring 1 Configuring Port Mirroring Figure C-9. Configuring Port Mirroring 2 Figure C-10. Configuring Igmp Snooping 1 Configuring Igmp Snooping Figure C-11. Configuring Igmp Snooping 2 Figure C-12. Configuring Igmp Snooping 3 Page Figure D-1. RJ-45 8-Pin Modular Port Connector RJ-45 10BASE-T/100BASE-TX Port Connectors Table D-1 RJ-45 Port Connector Pin Assignments Pin Signal DescriptionMDI and MDI-X Devices Figure D-2. MDI-X to MDI Cable Connections MDI-X to MDI Cable Connections Figure D-3 MDI-X to MDI-X Cable Connections MDI-X to MDI-X Cable Connections Table D-2 DB-9 Console/Comm Port Connector Pin Assignments DB-9 RS-232-D Console/Comm Port ConnectorPage Appears in this CI screen Field Default setting Appendix E Default Settings Using the BayStack 410-24T 10BASE-TSwitch Default Settings Using the BayStack 410-24T 10BASE-T Switch LEC Console Switch Password Type 40 on Using the BayStack 410-24T 10BASE-T Switch Appendix F Sample BootP Configuration File Using the BayStack 410-24T 10BASE-T Switch Index Index-2 Index-3 Index-4 Index-5 Index-6