Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 42C4911 manual 4Default TACACS+ Authorization Levels

Models: 42C4911

1 260

Download 260 pages 54.2 Kb

Page 49

Alteon OS Application Guide

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.

The default mapping between TACACS+ authorization levels and Alteon OS management access levels is shown in Table 1-4. The authorization levels must be defined on the TACACS+ server.

Table 1-4Default TACACS+ Authorization Levels

Alteon OS User Access Level

TACACS+ level

user0

oper3

admin6

Alternate mapping between TACACS+ authorization levels and Alteon OS management access levels is shown in Table 1-5. Use the command /cfg/sys/tacacs/cmap ena to use the alternate TACACS+ authorization levels.

Table 1-5Alternate TACACS+ Authorization Levels

Alteon OS User Access Level

TACACS+ level

user0 - 1

oper6 - 8

admin14 - 15

If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has an option to allow backdoor access via Telnet (/cfg/sys/tacacs/telnet). The default value for Telnet access is disabled. The administrator also can enable secure backdoor (/cfg/sys/tacacs/secbd), to allow access if both the primary and the secondary TACACS+ servers fail to respond.

NOTE – To obtain the TACACS+ backdoor password for your GbESM, contact your IBM Service and Support line.

42C4911, January 2007

Chapter 1: Accessing the Switch 49

Image 49

Nortel Networks 42C4911 manual 4Default TACACS+ Authorization Levels

Contents

Application Guide Alteon OS Application Guide Contents Port-based Network Access Control Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol Part 2 IP Routing Border Gateway Protocol Part 3 High Availability Fundamentals Part 4 Appendices Alteon OS Application Guide Figures 3Two trunks, one Failover Trigger Tables Alteon OS Application Guide Who Should Use This Guide PrefaceWhat You’ll Find in This Guide Part 1 Basic SwitchingPart 3 High Availability Fundamentals AaBbCc123 Typographic ConventionsHow to Get Help Alteon OS Application Guide 20 „ Preface Part 1 Basic Switching Alteon OS Application Guide Accessing the Switch Factory-Default vs. MM assigned IP Addresses Management module setupConfiguring management module for switch access Default Gateway1Switch management on the BladeCenter management module Alteon OS Application Guide Configuring the external management interface External management port setupEnable port EXT7 Connect to the Switch via SSH Using TelnetBootp Relay Agent Telnet switch IP address -m-mgt-e-ext7-d-data# /cfg/l3/bootp Configuring the Bootp Relay Agent# /cfg/l3/if interface number/relay ena Dhcp Relay Agent Dhcp Relay Agent Configuration32 „ Accessing the Switch Configuring BBI Access via Http Using the Browser-Based InterfaceConfiguring BBI Access via Https † TACACS+ † Ldap † NTP Cfg/sys/access/https/generate† FDB Snmp Using SnmpCfg/sys/ssnmp/rcomm Cfg/sys/ssnmp/wcomm Cfg/sys/ssnmp/trsrcUser Configuration Default configurationCLI User equivalent View based ConfigurationsConfigure a user with no authentication and password Configuring Snmp Trap HostsSNMPv1 trap host Sys/ssnmp/snmpv3/tparam x/uname Configure an entry in the notify tableSNMPv3 trap host configuration SNMPv2 trap host configuration42 „ Accessing the Switch Securing Access to the Switch How Radius Authentication Works Radius Authentication and AuthorizationConfiguring Radius on the Switch Main# /cfg/sys/radius Configure the Radius secretPrisrv SecsrvRadius Authentication Features in Alteon OS Radius Attributes for Alteon OS User Privileges Switch User AccountsHow TACACS+ Authentication Works TACACS+ AuthenticationTACACS+ Authentication Features in Alteon OS 4Default TACACS+ Authorization Levels AuthorizationAccounting Command Authorization and LoggingCfg/sys/tacacs/chpasss Cfg/sys/tacacs/chpasspConfigure the TACACS+ secret and second secret Configuring TACACS+ Authentication on the SwitchApply and save the configuration Main# /cfg/sys/tacacs+Configuring the Ldap Server Ldap Authentication and AuthorizationConfigure the domain name Configuring Ldap Authentication on the SwitchMain# /cfg/sys/ldap Secure Shell and Secure Copy # /cfg/sys/sshd/on Configuring SSH/SCP features on the switch# /cfg/sys/sshd/off # /cfg/sys/sshd/disUsing SSH and SCP Client Commands Configuring the SCP Administrator PasswordSsh 205.178.15.157 Login-name # scp scpadmin@205.178.15.157getcfg ad4.cfg# scp ad4.cfg scpadmin@205.178.15.157putcfg To apply and save the configurationSSH and SCP Encryption of Management Messages Cfg/sys/sshd/hkeygen Generating RSA Host and Server Keys for SSH AccessCfg/sys/sshd/skeygen SSH/SCP Integration with TACACS+ Authentication SSH/SCP Integration with Radius AuthenticationConsiderations for Configuring End User Accounts End User Access ControlUser Access Control Menu Strong Passwords# /cfg/sys/access/user # /cfg/sys/access/user/uidPasswd Name user1# cur Listing Current Users # /cfg/sys/access/user/curLogging into an End User Account Alteon OS Application Guide 42C4911, January Alteon OS Application Guide 66 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN Port Unauthorized 802.1x Authentication ProcessEAPoL Message Exchange „ Unauthorized 802.1x Port States„ Authorized „ Force UnauthorizedSupport for Radius Attributes Supported Radius AttributesConfiguration Guidelines 42C4911, January VLANs Overview Vlan Numbers VLANs and Port Vlan ID NumbersPvid Numbers Viewing VLANsCfg/port INT7/pvid Viewing and Configuring PVIDsAlteon OS Application Guide Vlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan Topologies and Design Considerations Vlan configuration rulesComponent Description Example 1 Multiple VLANs with Tagging Adapters86 „ VLANs Protocol-based VLANs Pvlan Priority Levels Port-based vs. Protocol-based VLANsPvlan Tagging Configuring Pvlan Pvlan Configuration GuidelinesConfigure the priority value for the protocol Cfg/l2/vlanEnable the Pvlan Configure Vlan tagging for portsAdd member ports for this Pvlan Info/l2/vlan Verify Pvlan operationAlteon OS Application Guide 92 „ VLANs Ports and Trunking 1Port Trunk Group Before you configure static trunks Built-In Fault ToleranceStatistical Load Distribution Trunk group configuration rules Port Trunking Example Example below, three ports are trunked between two switchesRepeat the process on the other switch Info/l2/trunk Examine the trunking information on each switchConfigurable Trunk Hash Algorithm Link Aggregation Control Protocol Admin key102 „ Ports and Trunking Configuring Lacp Alteon OS Application Guide 104 „ Ports and Trunking Spanning Tree Group 1Ports, Trunk Groups, and VLANs Determining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUsBridge Priority Port PriorityPort Path Cost Spanning Tree Group configuration guidelinesAdding a Vlan to a Spanning Tree Group Creating a VlanAdding and removing ports from STGs Rules for Vlan Tagged portsMultiple Spanning Trees Default Spanning Tree configurationSwitch-Centric Spanning Tree Group Why Do We Need Multiple Spanning Trees?2Implementing Multiple Spanning Tree Groups Vlan Participation in Spanning Tree GroupsConfigure the following on application switch a Configuring Multiple Spanning Tree GroupsConfigure the following on GbE Switch Module B # /cfg/l2/vlan2# /cfg/l2/vlan3 Configure the following on application switch CPort Fast Forwarding Configuring Port Fast Forwarding# /cfg/port ext1 Fastfwd enaFast Uplink Convergence Configuring Fast Uplink Convergence# /cfg/l2/upfast ena # applyRapid Spanning Tree Protocol/Multiple Spanning Tree Protocol Port State Changes Rapid Spanning Tree ProtocolPort Type and Link Type Rstp Configuration GuidelinesEdge Port Link TypeConfigure Rapid Spanning Tree Rstp Configuration ExampleSet the Spanning Tree mode to Rapid Spanning Tree Configure STP Group 1 parametersMstp Region Multiple Spanning Tree ProtocolCommon Internal Spanning Tree Mstp Configuration Example Mstp Configuration GuidelinesConfigure Multiple Spanning Tree Protocol Assign VLANs to Spanning Tree GroupsQuality of Service ACL Quality of Service „ Summary of packet classifiers Using ACL Filters2Well-Known Application Ports Understanding ACL Precedence Summary of ACL Actions„ Access Control Lists Using ACL GroupsACL Metering and Re-marking „ Access Control GroupsMetering Viewing ACL StatisticsRe-Marking Configure an Access Control List ACL Configuration ExamplesExample Add ACL 1 to port EXT1ACL 3# ipv4/sip 100.10.1.0 Add ACL 3 to port EXT1ACL 3# action deny Differentiated Services Concepts Using Dscp Values to Provide QoSPer Hop Behavior Dscp QoS Levels Default QoS Service LevelsDscp Re-marking and Mapping Enable Dscp re-marking on a port Dscp Re-marking Configuration ExampleMain# cfg/qos/dscp/on Main# cfg/port EXT13Layer 2 802.1q/802.1p Vlan tagged packet Using 802.1p Priorities to Provide QoSConfigure a port’s default 802.1p priority 802.1p Configuration ExampleQueuing and Scheduling Port EXT1# 8021ppriPart 2 IP Routing 142 42C4911, January Basic IP Routing IP Routing Benefits 1The Router Legacy Network Routing Between IP Subnets2Switch-Based Routing Topology Alteon OS Application Guide 1Subnet Routing Example IP Address Assignments Example of Subnet Routing# addr # /cfg/l3/if# ../if Add the switch ports to their respective VLANs Using VLANs to Segregate Broadcast DomainsVlan 3# /cfg/l3/if Add each IP interface to the appropriate VlanVlan # /info/vlanDynamic Host Configuration Protocol Dhcp Relay Agent # /cfg/l3/bootp Dhcp Relay Agent ConfigurationDistance Vector Protocol Routing Information ProtocolStability RIPv1 Routing UpdatesRIPv2 RIP Features RIPv2 in RIPv1 compatibility modeTriggered updates PoisonDefault RIP Configuration ExampleAuthentication MetricAdd VLANs for routing interfaces Turn on RIP globally and enable RIP for each interfaceAdd IP interfaces to VLANs 42C4911, January Igmp Igmp Snooping Configure Igmp Snooping Igmp Snooping Configuration ExampleAdd VLANs to Igmp Snooping and enable the feature View dynamic Igmp informationApply, verify, and save the configuration Configure a Static Multicast RouterStatic Multicast Router Cfg/l3/igmp/mrouterIgmp Relay Configuration GuidelinesConfigure an IP interface and assign VLANs Configure Igmp RelayEnable Igmp Relay and add VLANs to the downstream network Configure the upstream MroutersMulticast Router Apply Configuring the Range Additional Igmp FeaturesFastLeave Igmp FilteringConfigure Igmp Filtering Configuring the ActionEnable Igmp Filtering on the switch Define an Igmp filterFilt ena Assign the Igmp filter to a portBorder Gateway Protocol 1iBGP and eBGP Internal Routing Versus External RoutingForming BGP Peer Routers # /cfg/l3/rmap What is a Route Map?Incoming and Outgoing Route Maps 2Distributing Network Filters in Access Lists and Route MapsPrecedence Configuration OverviewDefine network filter Set up the BGP attributes Optional Configure the attributes in the AS filter menuEnable the route map Assign the route map to a peer routerAggregating Routes Redistributing Routes Local Preference Attribute BGP AttributesMetric Multi-Exit Discriminator Attribute Selecting Route Paths in BGP 3BGP Failover Configuration Example BGP Failover ConfigurationDefine the VLANs Enable IP forwardingDefine the IP interfaces On the switch, apply and save your configuration changes Configure BGP peer router 1# /cfg/l3/bgp Default Redistribution and Route Aggregation ExampleConfigure redistribution for Peer Configure internal peer router 1 and external peer routerConfigure aggregation policy control Ospf Types of Ospf Areas Ospf OverviewNssa 2OSPF Domain and an Autonomous System Types of Ospf Routing DevicesLink-State Database Neighbors and AdjacenciesInternal Versus External Routing Shortest Path First TreeOspf Implementation in Alteon OS Configurable ParametersAssigning the Area Index Defining AreasAttaching an Area to a Network Using the Area ID to Assign the Ospf Area NumberInterface Cost Electing the Designated Router and BackupSummarizing Routes # /cfg/l3/ospf/default metric value metric type 1 or Default Routes# /cfg/l3/ospf/aindex area index/type transit Virtual LinksRouter ID Authentication# /cfg/l3/ospf/if Enable Ospf authentication for Area 0 on switches 1, 2,Enable Ospf MD5 authentication for Area 0 on switches 1, 2, Enable Ospf authentication for Area 2 on switchConfigure MD5 key ID for Area 0 on switches 1, 2, Assign MD5 key ID to Ospf interfaces on switches 1, 2,Host Routes for Load Balancing Assign MD5 key ID to Ospf virtual link on switches 2Ospf Features Not Supported in This Release Configure IP interfaces Ospf Configuration ExamplesOptional Configure the router ID # enable Enable OspfExample 1 Simple Ospf Domain # /cfg/l3/if # addrDefine the backbone Apply and save the configuration changesDefine the stub area Attach the network interface to the backboneConfigure the router ID Configuring Ospf for a Virtual Link on Switch #1Example 2 Virtual Links IP # /cfg/l3/ospf/onDefine the transit area Configure the virtual linkAttach the network interface to the transit area # ../aindex Configuring Ospf for a Virtual Link on Switch #2Define the stub area Other Virtual Link Options7Summarizing Routes Example 3 Summarizing Routes# ena # /cfg/l3/if # addr36.128.192.0 Verifying Ospf Configuration36.128.200.0 Alteon OS Application Guide 214 „ Ospf Part 3 High Availability Fundamentals 216 42C4911, January High Availability Vlan Monitor Layer 2 FailoverL2 Failover with Other Features Setting the Failover LimitSpanning Tree Protocol InternetI t t L2 Failover Configurations2Two trunks, each in a different Failover Trigger 3Two trunks, one Failover Trigger Configure Failover parameters Configuring Trunk Failover# /cfg/failovr/on Vrrp Components Vrrp OverviewVirtual Router Virtual Router MAC AddressVirtual Interface Router Master and Backup Virtual RouterSelecting the Master Vrrp Router Vrrp OperationFailover Methods 4A Non-VRRP, Hot-Standby Configuration5Active-Active Redundancy Active-Active RedundancyVirtual Router Group Hot-Standby RedundancyTracking Vrrp Router Priority Alteon OS extensions to VrrpVirtual Router Deployment Considerations Configuring the Switch for TrackingAssigning Vrrp Virtual Router ID 232 „ High Availability Active-Active Configuration High Availability ConfigurationsConfigure client and server interfaces Task 1 Configure GbESMConfigure ports Turn on Vrrp and configure two Virtual Interface RoutersTurn off Spanning Tree Protocol globally Task 2 Configure GbESM Cfg/l3/vrrp/vr Hot-Standby Configuration 8Hot-Standby Configuration Enable Vrrp Hot Standby Configure Virtual Interface RoutersRouter Group# track/ports enaEnable tracking on ports 242 „ High Availability Part 4 Appendices 244 42C4911, January Troubleshooting Figure A-1Monitoring Ports Monitoring PortsLayer 2 Port Mirroring Port Mirroring behavior248 „ Appendix a Troubleshooting Layer 3 Port Mirroring Both Ports in Different GEAs /info/geaport command Enable port mirroring Configuring Port MirroringSpecify the monitoring port Select the ports that you want to mirrorPortMirroring # cur View the current configurationRadius Server Configuration Notes „ @alteon.dct Translation GlossaryVrid Virtual Router Numerics IndexIcmp 188 Snmp