Nortel Networks 212777 Secure Switch Management

212777-A, February 2002 99

CHAPTER 5

Secure Switch Management

This chapter discusses the use of secure tunnels so that the data on the network is encrypted

and secured for messages between a remote administrator and the switch.

To limit access to the switch’s Management Processor without having to configure filters for

each switch port, you can set a source IP address (or range) that will be allowed to connect to

the switch IP interface through Telnet, SSH, SNMP, or the Web OS Browser-Based Interface

(BBI). This will also help prevent spoofing or attacks on the switch’s TCP/IP stack. The fol-

lowing sections are addressed in this chapter:

n“Setting Allowable Source IP Address Ranges” on page 100

n“Secure Switch Management” on page 101

n“RADIUS Authentication and Authorization” on page 103

n“Secure Shell and Secure Copy” on page 107

n“Port Mirroring” on page 113

Contents

Main Web OS Contents Part 1: Basic Switching & Routing Page Part 2: Web Switching Fundamentals Page Page Page Part 3: Advanced Web Switching Page Page Page Figures Page Page Page Tables Page New Features The following table lists the new features in Web OS 10.0 and the supported platforms: Page Preface Who Should Use This Guide What Youll Find in This Guide Part 1: Basic Switching & Routing Part 2: Web Switching Fundamentals Part 3: Advanced Web Switching Typographic Conventions Contacting Us Page Page CHAPTER 1 Basic IP Routing IP Routing Benefits Routing Between IP Subnets Page Page Example of Subnet Routing Page Using VLANs to Segregate Broadcast Domains Page Defining IP Address Ranges for the Local Route Cache Border Gateway Protocol (BGP) Internal Routing Versus External Routing Forming BGP Peer Routers BGP Failover Configuration Page Page Page DHCP Relay DHCP Overview DHCP Relay Agent Configuration CHAPTER 2 VLANs VLAN ID Numbers VLAN Tagging VLANs and the IP Interfaces VLAN Topologies and Design Issues Example 1: Multiple VLANS with Tagging Adapters Page WebOS 10.0 Application Guide 48 Chapter 2: VLANs 212777-A, February 2002 Example 2: Parallel Links with VLANs Web Switch Gigabit Ethernet Port 8 VLAN #32, VLAN #109 Gigabit Ethernet Port 7 VLAN #10, VLAN #22 VLANs and Spanning Tree Protocol Bridge Protocol Data Units (BPDUs) Determining the Path for Forwarding BPDUs Multiple Spanning Trees Why Do We Need Multiple Spanning Trees? Example of a Four-Switch Topology with a Single Spanning Tree Example of a Four-Switch Topology with Multiple Spanning Trees Switch-Centric Spanning Tree Protocol VLAN Participation in Spanning Tree Groups Configuring Multiple Spanning Tree Groups Page VLANs and Default Gateways Segregating VLAN Traffic Internet Page Configuring the Local Network Configuring Default Gateways per VLAN Page Page VLANs and Jumbo Frames Isolating Jumbo Frame Traffic using VLANs Routing Jumbo Frames to Non-Jumbo Frame VLANs CHAPTER 3 Port Trunking Aggregate Port Trunk Statistical Load Distribution Built-In Fault Tolerance Chapter 3: Port Trunking 67 Port Trunking Example Trunk 1: Ports 2, 4, and 5 on Switch 1 Trunk 3: Ports 4, 6, and 9 on Switch 2 In the example below, three ports will be trunked between two Alteon Web switches. Switch #2Switch #1 2 4 5 4 6 9 Page CHAPTER 4 OSPF OSPF Overview Types of OSPF Areas Backbone Area 0 Stub Area Not-So-Stubby Area (NSSA) Transit Area Types of OSPF Routing Devices OSPF Autonomous System Area 3 Area 2 Neighbors and Adjacencies The Link-State Database The Shortest Path First Tree Internal Versus External Routing OSPF Implementation in Web OS Configurable Parameters Defining Areas Assigning the Area Index Using the Area ID to Assign the OSPF Area Number Attaching an Area to a Network Interface Cost Electing the Designated Router and Backup Summarizing Routes Default Routes Virtual Links Router ID Authentication Page Host Routes for Load Balancing OSPF Features Not Supported in This Release OSPF Configuration Examples Example 1: Simple OSPF Domain Area 0 Area 1 Backbone Stub Area Page Example 2: Virtual Links Configuring OSPF for a Virtual Link on Switch #1 Page Configuring OSPF for a Virtual Link on Switch #2 Other Virtual Link Options Example 3: Summarizing Routes 3. Define the backbone. 4. Define the stub area. 9. Apply and save the configuration changes. 8. Use the hide command to prevent a range of addresses from advertising to the backbone. Example 4: Host Routes Configuring OSPF for Host Routes on Web Switch #1 Page Page Configuring OSPF for Host Routes on Web Switch 2 3. Configure IP interfaces for each network that will be attached to OSPF areas. >> Page Verifying OSPF Configuration CHAPTER 5 Secure Switch Management Setting Allowable Source IP Address Ranges Secure Switch Management Authentication and Authorization Page RADIUS Authentication and Authorization RADIUS Authentication Features in Web OS Web Switch User Accounts Page Secure Shell and Secure Copy Encryption of Management Messages SCP Services RSA Host and Server Keys Radius Authentication SecurID Support Configuring SSH/SCP Some Supported Client Commands Port Mirroring Page Page Page CHAPTER 6 Server Load Balancing Understanding Server Load Balancing Identifying Your Network Needs How Server Load Balancing Works Page Implementing Basic Server Load Balancing AB C Network Topology Requirements Page Configuring Server Load Balancing Page Page Page Additional Server Load Balancing Options Supported Services and Applications Disabling and Enabling Real Servers IP Address Ranges Using imask Health Checks for Real Servers Configuring Multiple Services Metrics for Real Server Groups Minimum Misses Hash Least Connections Round Robin Response Time Bandwidth Weights for Real Servers Connection Time-outs for Real Servers Maximum Connections for Real Servers Backup/Overflow Servers Extending SLB Topologies Proxy IP Addresses Page Page Mapping Ports Mapping a Virtual Server Port to a Real Server Port Mapping a Single Virtual Server Port to Multiple Real Server Ports Page Load Balancing Metric Configuring Multiple Service Ports Direct Server Interaction Using Direct Server Return Using Direct Access Mode Internet Assigning Multiple IP Addresses Using Proxy IP Addresses Mapping Ports Monitoring Real Servers Delayed Binding Page Configuring Delayed Binding Detecting SYN Attacks Load Balancing Special Services IP Server Load Balancing FTP Server Load Balancing FTP Network Topology Restrictions Configuring FTP Server Load Balancing Domain Name Server (DNS) Load Balancing Preconfiguration Tasks Configuring UDP-based DNS Load Balancing Configuring TCP-based DNS Load Balancing Real Time Streaming Protocol SLB How RTSP Server Load Balancing Works RTSP Implementation Configuring RTSP Load Balancing Wireless Application Protocol SLB Using RADIUS Static Session Entries How WAP SLB Works Using Static Session Entries Using RADIUS Snooping How WAP SLB Works Using RADIUS Snooping Preconfiguring WAP Server Load Balancing Enabling Wireless Application Protocol SLB Configuring RADIUS Snooping Page Intrusion Detection System Server Load Balancing How Intrusion Detection Server Load Balancing Works Load Balancing Metrics for IDS Configuring IDS Server Load Balancing Page WAN Link Load Balancing How WAN Link Load Balancing Works Configuring WAN Link Load Balancing Page Page CHAPTER 7 Filtering Filtering Benefits Filtering Criteria nproto: protocol number or name as shown in Table 7- 1 Table 7-1 Well-Known Protocol Types Table 7-2 Well-Known Application Ports Stacking Filters Overlapping Filters The Default Filter VLAN-based Filtering Configuring VLAN-based Filtering Optimizing Filter Performance Filter Logs Page IP Address Ranges Cache-Enabled versus Cache-Disabled Filters TCP Rate Limiting Configuring TCP Rate Limiting Filters Basic TCP Rate Limiting Filter Page TCP Rate Limiting Filter Based on Source IP Address TCP Rate Limiting Filter Based on Virtual Server IP Address S1 S2 Tunable Hash for Filter Redirection Filter-based Security Configuring a Filter-Based Security Solution Page Page For UDP: Similarly, for TCP: Page Network Address Translation Static NAT In this example, clients on the Internet require access to servers on the private network: 1 2 Figure 7-8 Static Network Address Translation Configuring Static NAT Dynamic NAT Configuring Dynamic NAT FTP Client NAT Configuring Active FTP Client NAT Matching TCP Flags Configuring the TCP Flag Filter Page Page 5. A default filter is required to deny all other traffic. 6. Apply the filters to the appropriate switch ports. Matching ICMP Message Types Page CHAPTER 8 Application Redirection Web Cache Redirection Environment Additional Application Redirection Options AB C Web Cache Configuration Example Page Page Page Delayed Binding for Web Cache Redirection RTSP Web Cache Redirection RTSP Web Cache Redirection Example Page IP Proxy Addresses for NAT Page Excluding Noncacheable Sites Page CHAPTER 9 Virtual Matrix Architecture Proxy IP Addresses and VMA Page CHAPTER 10 Health Checking Page Real Server Health Checks DSR Health Checks Configuring the Switch for DSR Health Checks Link Health Checks Configuring the Switch for Link Health Checks TCP Health Checks ICMP Health Checks Script-Based Health Checks Configuring the Switch for Script-Based Health Checks Script Format Scripting Guidelines Script Configuration Examples Script Example 1: A Basic Health Check Script Example 2: GSLB URL Health Check Verifying Script-Based Health Checks Application-Specific Health Checks HTTP Health Checks Configuring the Switch for HTTP Health Checks UDP-Based DNS Health Checks Configuring the Switch for UDP-based Health Checks FTP Server Health Checks Configuring the Switch for FTP Health Checks POP3 Server Health Checks Configuring the Switch for POP3 Health Checks SMTP Server Health Checks Configuring the Switch for SMTP Health Checks IMAP Server Health Checks Configuring the Switch for IMAP Health Check NNTP Server Health Checks Configuring the Switch for NNTP Health Checks RADIUS Server Health Checks Configuring the Switch for RADIUS Server Content Health Checks Configuring the Switch for RADIUS Secret and Password HTTPS/SSL Server Health Checks WAP Gateway Health Checks WSP Content Health Checks Configuring the Switch for WSP Content Health Checks WTLS Health Checks Configuring the Switch for WTLS Health Checks LDAP Health Checks Configuring the Switch for LDAP Health Checks Determining the Version of LDAP ARP Health Checks Configuring the Switch for ARP Health Checks Failure Types Service Failure Server Failure CHAPTER 11 High Availability VRRP Overview VRRP Components Virtual Interface Router Virtual Router MAC Address Owners and Renters Master and Backup Virtual Router Page VRRP Operation Selecting the Master VRRP Router Active-Standby Failover Failover Methods AB Active-Standby Redundancy Active-Active Redundancy Hot-Standby Redundancy Virtual Router Group Hot-Standby and Inter-Switch Port States Synchronizing Configurations Web OS Extensions to VRRP Virtual Server Routers Sharing/Active-Active Failover Tracking VRRP Router Priority Page High Availability Configurations Active-Standby Virtual Server Router Configuration Page Active-Active VIR and VSR Configuration Page Active/Active Server Load Balancing Configuration Task 1: Background Configuration Page Task 2: SLB Configuration Page Task 3: Virtual Router Redundancy Configuration Page Task 4: Configuring Switch 2 Page VRRP-Based Hot-Standby Configuration Configuration Procedure Virtual Router Deployment Considerations Mixing Active-Standby and Active-Active Virtual Routers Synchronizing Active/Active Failover Eliminating Loops with STP and VLANs Using Spanning Tree Protocol to Eliminate Loops Using VLANs to Eliminate Loops Assigning VRRP Virtual Router ID Configuring the Switch for Tracking Page Synchronizing Configurations Stateful Failover of Layer 4 and Layer 7 Persistent Sessions What Happens When a Switch Fails Stateful Failover Configuration Example On the Master Switch On the Backup Switch Viewing Statistics on Persistent Port Sessions Page Page CHAPTER 12 Global Server Load Balancing GSLB Overview Benefits Compatibility with Other Web OS Features How GSLB Works Foo Corp. California Foo Corp. Denver Client Site Page Configuring GSLB Example GSLB Topology GSLB Requirements California Site Denver Site 200.200.200.X Network 174.14.70.X Network A BC Task 1: Configure the Basics at the California Site Task 2: Configure the California Switch for Standard SLB Page Task 3: Configure the California Site for GSLB Task 4: Configure the Basics at the Denver Site Task 5: Configure the Denver Switch for Standard SLB Page Task 6: Configure the Denver Site for GSLB Page IP Proxy for Non-HTTP Redirects Client Site Internet Site 2 Site 1 How IP Proxy Works Internet Figure 12-4 POP3 Request Fulfilled via IP Proxy Table 12-5 HTTP Versus Non-HTTP Redirects California Site #1 174.14.70.X Network Page Configuring Proxy IP Addresses Verifying GSLB Operation Configuring Client Site Preferences Page 310 Chapter 12: Global Server Load Balancing 212777-A, February 2002 Internet Client Site B Site 3Site 2 Client Site A Site 4Site 1 Page Using Border Gateway Protocol for GSLB CHAPTER 13 Firewall Load Balancing Firewall Overview Page Basic FWLB Basic FWLB Implementation Page Configuring Basic FWLB Figure 13-4 Basic FWLB Example Network Configure the Dirty-Side Web Switch Page Page Configure the Clean-Side Web Switch Page Page Page Four-Subnet FWLB Four-Subnet FWLB Implementation Page Configuring Four-Subnet FWLB Configure the Routers Configure the Firewalls Configure Connectivity for the Primary Dirty-Side Web Switch Page Configure Connectivity for the Secondary Dirty-Side Web Switch 5. Apply and save your configuration. 2. Configure IP interfaces on the secondary dirty-side Web switch. Configure Connectivity for the Primary Clean-Side Web Switch 3. Turn STP off for the primary clean-side Web switch. 2. Configure IP interfaces on the primary clean-side Web switch. Configure Connectivity for the Secondary Clean-Side Web Switch 2. Configure IP interfaces on the secondary clean-side Web switch. 5. Apply and save your changes. Verify Proper Connectivity Configure VRRP Support on the Secondary Dirty-Side Web Switch Configure VRRP Support on the Secondary Clean-Side Web Switch Complete the Configuration of the Primary Dirty-Side Web Switch Page 4. Configure the VRRP peer on the primary dirty-side Web switch. Complete the Configuration of the Primary Clean-Side Web Switch Page Page A third virtual router is required for the virtual server used for optional SLB. Page Advanced FWLB Concepts Free-Metric FWLB Free-Metric with Basic FWLB Chapter 13: Firewall Load Balancing 347 Free-Metric with Four-Subnet FWLB Figure 13-9 Four-Subnet FWLB Example Network For this example, review the four-subnet example network. >> # ../group 1 >> # metric <metric type> Page Adding a Demilitarized Zone (DMZ) Page Firewall Health Checks Firewall Service Monitoring Physical Link Monitoring Using HTTP Health Checks Page Virtual Private Networks How VPN Load Balancing Works Page VPN Load-Balancing Configuration VPN Load-Balancing Configuration Example Configure the First Clean-Side Switch (CA) One static route is required for each VPN device being load balanced. Page Configure the Second Clean-Side Switch (CB) 6. Configure Virtual Router Redundancy Protocol (VRRP) for virtual routers 1 and 2. 8. Configure real servers for health checking VPN devices. 9. Enable the real server group. 10. Enable RTS on the necessary ports. Configure the First Dirty-Side WebSwitch (DA) 8. Configure real servers for health-checking VPN devices. 9. Enable the real server group. Page Configure the Second Dirty-Side WebSwitch (DB) 8. Configure real servers for health checking VPN devices. 9. Enable the real server group, and place real servers 1-4 into the real server group. Page Test Configurations and General Topology Test the VPN Page CHAPTER 15 Content Intelligent Switching 372 Chapter 15: Content Intelligent Switching 212777-A, February 2002 Internet Figure 15-1 Content Intelligent Load Balancing Example 1. 3. 5. 2. 4. Parsing Content HTTP Header Inspection Buffering Content with Multiple Frames Content Intelligent Server Load Balancing URL-Based Server Load Balancing Configuring URL-Based Server Load Balancing Example 1: String with the Forward Slash (/) Example 2: String without the Forward Slash (/) Example 3: String with the Forward Slash (/) Only Page Statistics for URL-Based Server Load Balancing Virtual Hosting Virtual Hosting Configuration Overview Configuring the Host Header for Virtual Hosting Cookie-Based Preferential Load Balancing Configuring Cookie-Based Preferential Load Balancing Page Browser-Smart Load Balancing URL Hashing for Server Load Balancing Virtual Server Load Balancing of Nontransparent Caches Configuring URL Hashing $ $$ Page Header Hash Load Balancing DNS Load Balancing Page Layer 7 RTSP Load Balancing Page Content Intelligent Web Cache Redirection URL-Based Web Cache Redirection Page Network Address Translation Options Configuring URL-Based Web Cache Redirection Page Example 1: String Starting with the Forwardslash (/) Example 2: String without the Forwardslash (/) Example 3: String with the Forwardslash (/) Only Page Page Viewing Statistics for URL-Based Web Cache Redirection HTTP Header-Based Web Cache Redirection Page Browser-Based Web Cache Redirection URL Hashing for Web Cache Redirection Example 1: Hashing on the URL Example 2: Hashing on the Host Header Field Only Example 3: Hashing on the Source IP address Layer 7 RTSP Streaming Cache Redirection Exclusionary String Matching for Real Servers Configuring for Exclusionary URL String Matching Page Regular Expression Matching Standard Regular Expression Characters Configuring Regular Expressions Content Precedence Lookup Using the or and and Operators Assigning Multiple Strings 1 2 3 4 5 Layer 7 Deny Filter Configuring a Layer 7 Deny Filter Page Page CHAPTER 16 Persistence Overview of Persistence Using Source IP Address Using Cookies Using SSL Session ID Cookie-Based Persistence 1 2 3 4 Permanent and Temporary Cookies Cookie Formats Cookie Properties Client Browsers that Do Not Accept Cookies Cookie Modes of Operation Insert Cookie Mode Passive Cookie Mode Rewrite Cookie Mode Configuring Cookie-Based Persistence Page Setting Expiration Timer for Insert Cookie Example 1: Setting the Cookie Location Example 2: Parsing the Cookie Example 3: Using Passive Cookie Mode Example 4: Using Rewrite Cookie Mode Server-Side Multi-Response Cookie Search Configuring Server-Side Multi-Response Cookie Search SSL Session ID-Based Persistence How SSL Session ID-Based Persistence Works Internet Configuring SSL Session ID-Based Persistence Page CHAPTER 17 Bandwidth Management Page Page Bandwidth Policies Rate Limits Bandwidth Policy Configuration Data Pacing Queue 1 Queue 2 Queue 3 Queue 4 Time Classification Criteria Server Output Bandwidth Control Application Bandwidth Control Combinations Precedence Bandwidth Classification Configuration Frame Discard URL-Based Bandwidth Management Page HTTP Header-Based Bandwidth Management Cookie-Based Bandwidth Management Bandwidth Statistics and History Statistics Maintained Statistics and Management Information Bases Packet Coloring (TOS bits) for Burst Limit Operational Keys Configuring Bandwidth Management Page Page Additional Configuration Examples User/Application Fairness Example Page Page Preferential Services Examples Web Site Preference Example Page Page URL-Based Bandwidth Management Example Page Cookie-Based Bandwidth Management Example Page Page Security Management Example Page Page Glossary Page Page Page Index Symbols Numerics A B D E F G H I J L M N O P Q R S T U V W