Nortel Networks 2000 EAPOL-based security

71

Using the Business Policy Switch 2000 Version 1.2

•Specify optional actions to be exercised by your switch if the software dete ct s

a security violation.

The response can be to send a trap, turn on destination addres s ( DA) fi lt er ing,

disable the specific port, or any combination of these three options.

The MAC address-based security feature is based on Nortel Networks

BaySecure™ LAN Access for Ethernet, a real-time security system that saf eguard s

Ethernet networks from unauthorized surveillance and intrusion.

For instructions on configuring the MAC address-based security feature, refer to

Chapter 3, Using Web-based Management for the Business Policy Switch 2000

Software Version 1.2, Reference for the Business Policy Switch 2000 Management

Software Version 1.2, and Reference for the Business Policy Switch 2000

Command Line Interface Software Version 1.2.

EAPOL-based security

BPS 2000 software version 1.1 provides support for security based on the

Extensible Authentication Protocol ove r L AN (EAPOL), which uses the EAP as

described in the IEEE Draft P802.1X to allow you to set up network access

control on internal LANs.

For information on configuring EAPOL-based security using the Console

Interface (CI) menus, refer to Chapter 3. To configure this feature using the

Web-based management system, refer to Using Web-based Management for the

Business Policy Switch 2000 Software Version 1.2. To use Device Manager (DM)

to configure EAPOL-based security, refer to Reference for the Business Policy

Switch 2000 Management Software Version 1.2. And, to configure this feature

using CLI commands, refer to Reference for the Business Policy Switch 2000

Command Line Interface Software Version 1.2. book.

EAP allows the exchange of authentication information between any end station

or server connected to the switch and an authentication server (such as a RADIUS

server). The EAPOL-based security feature operates in conjunction with a

RADIUS-based server to extend the benefits of remote authentication to internal

LAN clients.

Contents

Main 208700-B Copyright 2001 Nortel Networks Trademarks Statement of Conditions USA Requirements Only Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice Japan/Nippon Requirements Only Taiwan Requirements Canada Requirements Only Page Nortel Networks NA Inc. Software License Agreement Page Contents Page Page Page Page Page Page Page Page Page Figures Page Page Page Page Page Tables Page Page Page Preface Before you begin Related publications Page How to get help Page Page Chapter 1 The Business Policy Switch 2000 General description Stacking compatibility Page Software version 1.2 compatibility with BayStack 450 switches Physical description Front panel Console port Uplink/Expansion slot Port connectors See Appendixes for more information about the RJ-45 port connectors. LED display panel Business Policy Switch 2000 Tabl e 2 Business Policy Switch 2000 LED descriptions (continued) Tabl e 2 Business Policy Switch 2000 LED descriptions (continued) Page Back panel Cascade Module slot Cooling fans AC power receptacle Table 4 International power cord specifications Redundant power supply unit (RPSU) and uninterruptible power supply (UPS) 100 Watt DC-DC Converter Features CLI management system Increased VLANs Multiple Spanning Tree Protocol groups Page STG configuration guidelines Page Spanning Tree Fast Learning ASCII configuration file Sample ASCII configuration file Page IP manager list Policy-enabled networks with QoS metering Support for the GBIC MDA EAPOL-based security Automatic PVID Page Tabular port statistics Ability to ping Improved STP Fast Learning Mode BootP menu item for a stack of only BPS 2000 switches Policy-enabled networking Virtual Local Area Networks (VLANs) Shared VLAN Learning (SVL) modeMultiple VLANs use a single forwarding database. Using 256 VLANs Security Page Page Page RADIUS-based network security MAC address-based security EAPOL-based security Page EAPOL dynamic VLAN assignment Page System requirements EAPOL-based security configuration rules Flash memory storage Switch software image storage Configuration parameters storage MultiLink Trunking Port mirroring (conversation steering) Autosensing and autonegotiation BootP automatic IP configuration/MAC address Configuration and switch management Multifield packet classification SNMP MIB support 82 Chapter 1 The Business Policy Switch 2000 Tabl e 5 SNMP MIB support SNMP trap support Supported standards and RFCs Standards RFCs Page Page Chapter 2 Network configuration Network configuration examples Desktop switch application Segment switch application 90 Chapter 2 Network configuration Figure 9 Business Policy Switch used as a segment switch High-density switched workgroup application Fail-safe stack application Business Policy Switch stack operation BayStack 400-ST1 Cascade Module Cascade A Out connector Unit Select switch Cascade A In connector Base unit Initial installation Stack MAC address Temporary base unit Removing a unit from the stack IP address Stack configurations Stack up configurations Table 7 describes the stack up configuration illustration references. Stack down configurations Page Redundant cascade stacking feature Table 9 describes the redundant cascade stacking illustration references. IEEE 802.1Q VLAN workgroups IEEE 802.1Q tagging Page Chapter 2 Ne twork configuration 107 Figure 18 Default VLAN settings 108 Chapter 2 Network configuration Figure 19 Port-based VLAN assignment Figure 20 802.1Q tagging (after port-based VLAN assignment) Chapter 2 Ne twork configuration 109 Figure 21 Policy-based VLAN assignment Figure 22 802.1Q tagging (after policy-based VLAN assignment) Page VLANs spanning multiple switches VLANs spanning multiple 802.1Q tagged switches VLANS spanning multiple untagged switches Page Shared servers Page Page Page Page Page VLAN workgroup summary Chapter 2 Ne twork configuration 121 Figure 34 VLAN configuration spanning multiple switches VLAN configuration rules IGMP snooping Page 124 Chapter 2 Network configuration Figure 35 IP Multicast propagation with IGMP routing Page Page IGMP snooping configuration rules 128 Chapter 2 Network configuration IEEE 802.1p prioritizing Figure 38 Prioritizing packets MultiLink Trunks Page Client/server configuration using MultiLink Trunks Before you configure trunks MultiLink Trunking configuration rules How the MultiLink Trunk reacts to losing distributed trunk members Spanning tree considerations for MultiLink Trunks Page Page Additional tips about the MultiLink Trunking feature Port mirroring Port-based mirroring configuration Page Page Address-based mirroring configuration Page Port mirroring configuration rules Page Chapter 3 Using the console interface Accessing the CI menus and screens Using the CI menus and screens Navigating the CI menus and screens 150 Chapter 3 Using the console interface Screen fields and descriptions Figure 50 Map of console interface screens Main Menu 152 Chapter 3 Using the console interface Figure 51 Console interface main menu Table 1 0 describes the CI main menu options Tabl e 10 Consol e interface Main Menu options Chapter 3 Using the console interface 153 Tabl e 10 Consol e interface Main Menu options (continued) 154 Chapter 3 Using the console interface Tabl e 10 Consol e interface Main Menu options (continued) IP Configuration/Setup screen 156 Chapter 3 Using the console interface Tabl e 11 IP Configuration/Setup scree n fields Note: Chapter 3 Using the console interface 157 Choosing a BootP request mode Tabl e 11 IP Configuration/Setup scr een fields (continued) BootP When Needed BootP Always BootP Disabled BootP or Last Address 160 Chapter 3 Using the console interface SNMP Configuration screen Figure 53 SNMP Configuration screen Chapter 3 Using the console interface 161 Table 1 2 describes the SNMP Configuration screen fields. Tabl e 12 SNMP Co nfiguration screen fields 162 Chapter 3 Using the console interface System Characteristics screen Figure 54 System Characteristics screen Chapter 3 Using the console interface 163 Table 1 3 describes the System Characteristics screen fields. Tabl e 13 Syste m Characteristics screen fields Switch Configuration Menu screen Chapter 3 Using the console interface 165 Figure 55 Switch Configuration Menu screen Table 1 4 describes the Switch Configuration Menu screen options. Tabl e 14 Switch Configuration Menu screen options 166 Chapter 3 Using the console interface Tabl e 14 Switch Configuration Menu screen options (continued) Chapter 3 Using the console interface 167 MAC Address Table screen Menu screen to open the MAC Address Table screen (Figure56). Tabl e 14 Switch Configuration Menu screen options (continued) 168 Chapter 3 Using the console interface Figure 56 MAC Address Table Screen Table 1 5 describes the MAC Address Table screen fields. Tabl e 15 MAC Addr ess Table screen fields MAC Address Security Configuration Menu screen 170 Chapter 3 Using the console interface Figure 57 MAC Address Security Configuration Menu screen Table 1 6 describes the MAC Address Security Configuration Menu options. Tabl e 16 MAC Ad dress Security Configuration Menu Options MAC Address Security Configuration screen 172 Chapter 3 Using the console interface Table 1 7 describes the MAC Address Security Configuration screen fields. Tabl e 17 MAC Add ress Security Configuration fields Chapter 3 Using the console interface 173 MAC Address Security Port Configuration screen Tabl e 17 MAC Add ress Security Configuration fields (continued) Page Chapter 3 Using the console interface 175 Figure 59 MAC Security Port Configuration screen (1 of 2) Figure 60 MAC Security Port Configuration screen (2 of 2) MAC Address Security Port Lists screens Chapter 3 Using the console interface 177 Figure 61 MAC Address Security Port Lists screens To open the MAC Address Security Lists screen: Screen 1 Screen 2 Screen 3 Screen 4 Screen 5 Port list syntax Accelerator keys for repetitive tasks Adding a new port to an existing port number list Removing a port from an existing port number list Copying an existing field into and adjacent field Chapter 3 Using the console interface 181 Screen 16 MAC Address Security Table screens Figure 63 MAC Address Security Table screens Configuration Menu to open the MAC Address Security Table screen (Figure64). Screen 1 182 Chapter 3 Using the console interface Table 2 0 describes the MAC Address Security Table screen fields. Tabl e 20 MAC Ad dress Security Table Screen Fields EAPOL Security Configuration screen 184 Chapter 3 Using the console interface To open the EAPOL Security Configuration screen: Configuration Menu. Chapter 3 Using the console interface 185 Tabl e 21 EAPOL s ecurity configuration screen options (continued) 186 Chapter 3 Using the console interface Tabl e 21 EAPOL s ecurity configuration screen options (continued) VLAN Configuration Menu screen Page VLAN Configuration screen Page Chapter 3 Using the console interface 191 Figure 67 VLAN Configuration screen Table 2 3 describes the VLAN Configuration screen fields. Tabl e 23 VLAN Co nfiguration screen fields 192 Chapter 3 Using the console interface Tabl e 23 VLAN Co nfiguration screen fields (continued) Chapter 3 Using the console interface 193 Tabl e 23 VLAN Co nfiguration screen fields (continued) 194 Chapter 3 Using the console interface Predefined Protocol Identifier (PID) description Tabl e 24 Predefin ed Protocol Identifier (PID) User-Defined Protocol Identifier Description MAC Address Configuration for MAC-SA-Based VLAN screen Gigabit ports restriction VLAN Port Configuration screen 198 Chapter 3 Using the console interface Figure 69 VLAN Port Configuration screen Table 2 7 describes the VLAN Port Configuration screen fields. Tabl e 27 VLAN P ort Configuration screen fields Chapter 3 Using the console interface 199 Tabl e 27 VLAN P ort Configuration screen fields (continued) VLAN Display by Port screen Port Configuration screen 202 Chapter 3 Using the console interface Figure 71 Port Configuration screen (1 of 2) Figure 72 Port Configuration screen (2 of 2) Chapter 3 Using the console interface 203 Table 2 9 describes the Port Configuration screen fields. Tabl e 29 Port Co nfiguration screen fields High Speed Flow Control Configuration screen Table 3 0 describes the High Speed Flow Control Configuration screen fields. Choosing a high speed flow control mode Symmetric mode Asymmetric mode MultiLink Trunk Configuration Menu screen MultiLink Trunk Configuration screen Page 210 Chapter 3 Using the console interface Table 3 2 describes the MultiLink Trunk Configuration screen fields. Tabl e 32 MultiL ink Trunk Configuration screen fields MultiLink Trunk Utilization screen 212 Chapter 3 Using the console interface Figure 77 MultiLink Trunk Utilization screen (2 of 2) Table 3 3 describes the MultiLink Trunk Utilization screen fields. Tabl e 33 MultiL ink Trunk Utilization screen fields Port Mirroring Configuration screen 214 Chapter 3 Using the console interface Figure 78 Port Mirror Configuration screen Table 3 4 describes the Port Mirroring Configuration screen fields. Tabl e 34 Port M irroring Configuration screen fields Chapter 3 Using the console interface 215 Tabl e 34 Port M irroring Configuration screen fields (continued) Rate Limiting Configuration screen Chapter 3 Using the console interface 217 To open the Rate Limiting Configuration screen: Configuration Menu screen. Page Chapter 3 Using the console interface 219 IGMP Configuration Menu screen Tabl e 36 Rate Lim iting Configuration screen fields Page IGMP Configuration screen 222 Chapter 3 Using the console interface Figure 82 IGMP Configuration screen Table 3 8 describes the IGMP Configuration screen fields. Tabl e 38 IGMP C onfiguration screen fields Chapter 3 Using the console interface 223 Tabl e 38 IGMP C onfiguration screen fields (continued) Multicast Group Membership screen Table 3 9 describes the Multicast Group Membe rs hip screen options. Port Statistics screen Chapter 3 Using the console interface 227 Figure 84 Port Statistics screen 228 Chapter 3 Using the console interface Tabl e 40 Port Stati stics screen fields Chapter 3 Using the console interface 229 Tabl e 40 Port S tatistics screen fields (continued) Stack Operational Mode screen Console/Comm Port Configuration screen 232 Chapter 3 Using the console interface Figure 86 Console/Comm Port Configuration screen Table 4 2 describes the Console/Comm Port Configuration screen fields. Tabl e 42 Consol e/Comm Port Configuration screen fields Page Page Caution: Page Identify Unit Numbers When you choose Identify Unit Numbers from the main menu, the console returns the message: Renumber Stack Units screen Chapter 3 Using the console interface 239 Table 4 3 describes the Renumber Stack Units screen options. Hardware Unit Information screen Tabl e 43 Renumber Stack Units screen options Spanning Tree Configuration Menu screen Table 4 4 describes the Spanning Tree Configuration Menu screen options . Spanning Tree Group Configuration screen Table 4 5 describes the Spanning Tree Group Configuration parameters. 244 Chapter 3 Using the console interface Tabl e 45 Spanning Tree Group C onfiguration parameters (continued) Spanning Tree Port Configuration screen 246 Chapter 3 Using the console interface Figure 91 Spanning Tree Port Configuration Chapter 3 Using the console interface 247 Table 4 6 describes the Spanning Tree Port Configuration screen fields. Tabl e 46 Spanni ng Tree Port Configuration screen fields Spanning Tree Switch Settings screen Page 250 Chapter 3 Using the console interface Table 4 7 describes the Spanning Tree Switch Se tti ngs parameters. Tabl e 47 Spanning Tree Switch S ettings parameters Chapter 3 Using the console interface 251 Tabl e 47 Spanning Tree Switch Settings parameters (continued) Spanning Tree VLAN Membership screen Table 4 8 describes the Spanning Tree VLAN Membership parameters. TELNET/SNMP/Web Access Configuration screen Chapter 3 Using the console interface 255 Table 4 9 describes the TELNET/SNMP/Web Access Configuration screen fields. Tabl e 49 TELNET/SN MP/Web Access Configuration screen fields 256 Chapter 3 Using the console interface Tabl e 49 TELNET/SN MP/Web Access Configuration screen fields (continued) Software Download screen Page Page 260 Chapter 3 Using the console interface Table 5 0 describes the Software Download screen fields. Tabl e 50 Software Do wnload screen fields LED Indications during the download process Configuration File Menu screen Configuration File Download/Upload screen Page 264 Chapter 3 Using the console interface Tabl e 52 Configur ation File Download/Upload screen fields Requirements ASCII Configuration File Download screen Table 5 4 describes the ASCII Configuration File Download screen fields. 268 Chapter 3 Using the console interface Tabl e 54 ASCII Confi guration File Download screen fields System Log screen Table 5 5 describes the System Log screen fields. Chapter 3 Using the console interface 271 Tabl e 55 Syste m Log screen fields Page Chapter 4 Policy-enabled networks Summary Summary of packet classifiers IP packets Summary of actions Differentiated Services (DiffServ) overview DiffServ Concepts QoS classes 278 Chapter4 Policy-enabled networks Tabl e 56 Service classes Packet classifiers or filters Layer 2 filters IP filters Changing IEEE 802.1p priority and drop precedence Ports Page Page Queue sets Interface groups Metering or traffic policing overview Policy overview Packet flow using QoS Default QoS settings QoS configuration guidelines COPS overview Page Chapter 5 Sample QoS configuration Creating interface groups Page Page Page Accepting default mapping values Setting up filters and filter groups Defining an IP filter menu option. Page Creating an IP Filter Group Table entry Page Page Page Defining a layer 2 filter Page Page Creating a Layer2 Filter Group Table entry Page Page Configuring actions Page Configuring meters To configure a meter: Configuring policies Page Page Assigning mapping values Assigning 802.1p priority queue assignment Verifying DSCP mapping Page Page Assigning 802.1p user priority mapping Verifying DSCP queue assignments Page Page Chapter 6 Troubleshooting Interpreting the LEDs Diagnosing and correcting the problem Interpreting the LEDs 328 Chapter 6 Troubleshooting Figure 129 LED display panel Business Policy Switch 2000 Chapter 6 Troubleshooting 329 Tabl e 59 Business Policy Switch LED descriptions (continued) 330 Chapter 6 Troubleshooting Tabl e 59 Business Policy Switch LED descriptions (continued) Diagnosing and correcting problems Normal power-up sequence Port connection problems Autonegotiation modes Port interface Appendix A Technical specifications This appendix provides technical specifications for the Business Policy Switch 2000. Table 6 2 lists power electrical parameters for the Business Policy Switch. Environmental Table 6 1 lists environmental specifications. Physical dimensions Table 6 3 lists physical dimensions. Table 6 4 lists performance specifications. Performance specifications Appendix A Technical specifications 337 Data rate The data rate is 10Mb/s Manchester encoded or 100 Mb/s 4B/5B encoded. The safety certifications follow: Interface options Table 6 5 lists interface options. Electromagnetic emissions Electromagnetic immunity Declaration of Conformity Appendix B Interoperability in a mixed stack configuration Setting up your mixed stack configuration Configuration requirements Base unit Merging the Business Policy Switch into a mixed stack Automatic failover Temporary base unit In a mixed stack containing only one Business Policy Switch In a mixed stack containing more than one Business Policy Switch Compatible software versions Using cascade modules Using the console interface Console/Comm port For more information about the console/comm port, see Chapter 1. Troubleshooting problems Page Appendix C Media dependent adapters 1000BASE-SX: 450-1SR MDA and 450-1SX MDA The 450-1SX MDA is a single Phy MDA. 1000BASE-LX: 450-1LR MDA and 450-1LX MDA Page Page 10BASE-T/100BASE-TX: BPS2000-4TX MDA Page 100BASE-FX: BPS2000-2FX MDA and BPS2000-4FX MDA Page GBIC MDA Page Page 360 Appendix C Media dependent adapters Installing GBICs Table 70 450-1GBIc MDA description Table 71 Available GBIC models Installation Removing an Installed GBIC Cabling Specifications for GBICs Installing an MDA Page Page Replacing an MDA with a different model 1000BASE-LX multimode applications Page Appendix D Quick steps to features The flowcharts cover the following features: Configuring 802.1Q VLANs 370 Appendix D Quick steps to features Figure 141 Configuring 802.1Q VLANs (1 of 3) Appendix D Quick steps to features 371 Figure 142 Configuring 802.1Q VLANs (2 of 3) 372 Appendix D Quick steps to features Figure 143 Configuring 802.1Q VLANs (3 of 3) Appendix D Quick steps to features 373 Configuring MultiLink Trunks Configuration Menu screen Figure 144 Configuring MultiLink Trunks 374 Appendix D Quick steps to features Configuring Port Mirroring Configuration Menu screen Figure 145 Configuring Port Mirroring (1 of 2) Appendix D Quick steps to features 375 Figure 146 Configuring Port Mirroring (2 of 2) Configuring IGMP Snooping To create or modify IGMP Snooping ports, follow the flowcharts in Figures Figure147 to Figure 149. To open the IGMP Configuration screen: Menu screen. 376 Appendix D Quick steps to features Figure 147 Configuring IGMP Snooping (1 of 3) Appendix D Quick steps to features 377 Figure 148 Configuring IGMP Snooping (2 of 3) 378 Appendix D Quick steps to features Figure 149 Configuring IGMP Snooping (3 of 3) Configuring authentication process for EAPOL-based security To create or modify EAPOL-based security parameter s, follow the flowcharts in Figure 150 and Figure151. Appendix D Quick steps to features 379 380 Appendix D Quick steps to features Figure 151 Authenticaton process flowchart (2 of 2) Appendix E Connectors and pin assignments RJ-45 (10BASE-T/100BASE-TX) port connectors Table 7 2 lists the RJ-45 (8-pin modular) port connector pin assignments. MDI and MDI-X devices Appendix E Connectors and pin assignments 383 MDI-X to MDI cable connections Figure 153 MDI-X to MDI cable connections MDI-X to MDI-X cable connections 384 Appendix E Connectors and pin assignments Figure 154 MDI-X to MDI-X cable connections DB-9 (RS-232-D) Console/Comm Port connector Figure 155 DB-9 Console port connector Table 7 3 lists the DB-9 Console connector pin assignments. Page Appendix F Default Settings Tabl e 74 Factory default settings Page Appendix F Defa ult Settings 389 Page Appendix F Defa ult Settings 391 Page Page Page Appendix G Sample BootP Configuration File 396 Appendix G Sample BootP Configuration File Index Numbers A B C D E F G H I L M N O P Q R S T U V W