manualshive.com logo in svg

Cabletron Systems SEHI-22/24, User Manual

Share
Download
Cabletron Systems SEHI-22/24 User Manual Download Page 68

Security

6-4

What is LANVIEWsecure?

Configurable violation response

Before LANVIEW S

ECURE

, any locked port which experienced a violation was 

shut down automatically; now, you can choose to allow ports to remain enabled 
even after an unsecured address has attempted to access a locked port. If you 
choose not to disable a port which has experienced a violation, however, the 
port’s only response to an intruder will be to issue a trap after the first violation; 
all packets, regardless of source address, will be allowed to pass. Ports in this state 
still have active eavesdropper protection (see definition below), and all packets 
addressed to any destination other than the secured address(es) will be scrambled. 

Full or partial security against eavesdropping

In addition to the enhanced intruder protection features described above, 
LANVIEW

SECURE

 provides protection against eavesdroppers by scrambling the 

data portion of each packet to all ports except the port on which the destination 
address has been secured — in other words, the only port that will receive the 
packet in an unscrambled (readable) format is the port to which the packet was 
addressed. Two levels of eavesdropper protection are provided: full security 
scrambles all packets not specifically destined to the secured port, including 
broadcasts and multicasts; partial security scrambles only unicast packets.

The Newest 

LANVIEW

SECURE

 Features

Additional LANVIEW

SECURE

 features available on the newest firmware versions 

(SEHI 2.10.xx and higher) include:

Continuous learning mode

When configuring security on the newest LANVIEW

SECURE

 devices, you can now 

choose between two levels of lock status: Full lock status, which behaves as 
locking has always done, and Continuous lock status, which essentially disables 
intruder protection by allowing the port to continue to learn new source 
addresses even when in a locked state. In this state, eavesdropper protection is 
still active, and will adjust so that packets addressed to the current learned 
address for a secured port are not scrambled.

TIP

If your SEHI is running firmware more recent than 1.05.01 and previous to 2.10.xx, you 
will not have the ability to force a port to unsecurable status; however, for firmware 
versions in that range, ports which have been forced to trunk status will not be locked, so 
you can use the force trunk feature to render a port unsecurable if you wish.

NOTE

Locking ports from a Source Address window automatically provides Full lock status; 
however, locking ports from the repeater- or hub-level Source Address window does not 
override any existing Continuous lock status settings.

Summary of Contents for SEHI-22/24

Page 1: ...Portable Management Application for the SEHI 22 24 and SEHI 32 34 User s Guide The Complete Networking Solution...

Page 2: ......

Page 3: ...ties to the effect that the Licensed Software is virus free Copyright 1996 by Cabletron Systems Inc All rights reserved Printed in the United States of America Order Number 9030954 E9 October 1996 Cab...

Page 4: ...noperative 3 Reproduced for safekeeping archives or backup purposes 4 Modified adapted or combined with other computer software provided that the modified combined or adapted portions of the derivativ...

Page 5: ...ormance 2 7 Port Display Form 2 8 Checking Device Status and Updating Front Panel Info 2 10 Checking Module Status 2 11 Checking Repeater Status 2 12 Checking Port Status 2 13 Checking Statistics 2 15...

Page 6: ...Traps 5 7 Device level Traps 5 8 Module and Port level Traps 5 8 Finding a Source Address 5 11 Chapter 6 Security What is LANVIEWsecure 6 2 The Newest LANVIEWsecure Features 6 4 Security on Non LANVIE...

Page 7: ...s the SEHI 32 has one 50 pin Champ connector providing 12 twisted pair segments and one EPIM slot and the SEHI 34 has two 50 pin Champ connectors providing 24 twisted pair segments and two EPIM slots...

Page 8: ...the mouse within the Hub View the operation of some basic functions available only from within the Hub View changing the Hub View display opening menus and windows enabling and disabling ports checki...

Page 9: ...starting each application from the command line are included in each chapter both in this guide and in the SPMA Tools Guide Conventions The family of SPECTRUM Portable Management Applications can wor...

Page 10: ...a window scroll bars will appear as necessary so that you can scroll to view all the information that is available Figure 1 1 Window Conventions Some windows will also contain a button selecting this...

Page 11: ...s three buttons Procedures within the SPMA document set refer to these buttons as follows Figure 1 3 Mouse Buttons If you re using a two button mouse don t worry SPMA doesn t make use of mouse button...

Page 12: ...provide access to menus will operate according to SPMA convention as documented Getting Help If you need additional support related to SPMA or if you have any questions comments or suggestions related...

Page 13: ...n Systems products visit our World Wide Web site http www cabletron com SEHI Firmware SPMA for the SEHI has been tested against firmware versions 1 10 04 and 1 05 03 if you have an earlier version of...

Page 14: ...Introduction to SPMA for the SEHI 22 24 and SEHI 32 34 1 8 SEHI Firmware...

Page 15: ...ty name you use to start the module must have at least Read access for full management functionality you should use a community name that provides Read Write or Superuser access For more information o...

Page 16: ...1 SEHI Hub View Hub View Front Panel In addition to the graphical display of the modules the Hub View gives you device level summary information The following Front Panel information appears below the...

Page 17: ...e Name A text field that you can use to help identify the device Location A text field that you can use to help identify the device IP Address The device s Internet Protocol address You cannot change...

Page 18: ...lication Launch the Redundancy application Launch the Source Addressing application Launch the Security application Note that the Device menu does not provide access to every application which is avai...

Page 19: ...from the command line or from the icon menu will remain open Using the Mouse in the Hub View Ports Display Each device in your SEHI managed HUBStack will have its own ports display in the Hub View yo...

Page 20: ...ou can change the port display form shown in the Port Status boxes to any one of the following Load of theoretical maximum Traffic Pkts sec Collisions Colls sec Errors Errors sec total or by type Fram...

Page 21: ...management will display as blue Monitoring Hub Performance The information displayed in the Hub View can give you a quick summary of device activity status and configuration SPMA can also provide fur...

Page 22: ...utton to display the Device menu or on the Module Index box to display the Module menu 2 Drag down to Port Display Form then right as necessary to select one of the port display options The current se...

Page 23: ...r that there is no cable attached SEG Segmented indicates that the port has been segmented by the repeater due to an excessive collision level Admin Status displays either ON or OFF an indication of w...

Page 24: ...nfo The Device Status window Figure 2 6 is where you change the information displayed on the Hub View Front Panel and where you can see summary information about the current state of the device To ope...

Page 25: ...Type Displays the type of chassis used for the device stand alone Checking Module Status You can open a Module Status window Figure 2 7 for any device in the SEHI controlled stack To open the Module...

Page 26: ...ntrolled HUBStack as a whole To open the Repeater Status window 1 Click on the Device button to display the Device menu 2 Drag down to Repeater Status and release Figure 2 8 SEHI Repeater Status Windo...

Page 27: ...cludes the module and port number in parentheses the rest of the window contains the following fields Name This text field can help identify the port the information entered here is not displayed anyw...

Page 28: ...dress communicating through the port is counted as an active user If Active Users is greater than one it indicates that the port is supporting a trunk connection Media Type Indicates the type of cable...

Page 29: ...atus simply indicates that no more than two devices are currently active Trunk The port is receiving packets from three or more devices it may be connected to a coax cable with multiple taps or to a r...

Page 30: ...otal Packets The number of packets of all types received by this device module or port since the window was last opened or reset Avg Packet Size The number of bytes per packet received by this device...

Page 31: ...ened or reset Misaligned packets are those which contain any unit of bits which is less than a byte in other words any group of bits fewer than 8 Misaligned packets can result from a packet formation...

Page 32: ...transmitting before the transmission is complete providing for more accurate collision detection Runts can sometimes result from collisions and as such may be the natural by product of a busy network...

Page 33: ...Frame Sizes Runt Frames packets smaller than 64 bytes 64 127 byte Frames 128 255 Frames 256 511 Frames 512 1023 Frames 1024 1518 Frames Giant Frames packets larger than 1518 bytes Viewing the Port So...

Page 34: ...ter in this manual The List window can display about ten addresses at once use the scroll bar to the right of the List window to view additional addresses if necessary Since the SAT is constantly chan...

Page 35: ...ust not be selected or values will revert back to default levels when you click on Apply and your changes will be ignored 5 If you wish to use your new polling interval settings as the default values...

Page 36: ...t statistics counts are updated Enabling Disabling Ports You can enable and disable ports both from the Module menu which affects all ports on a single module or device or from the Port menu which aff...

Page 37: ...3 Using the SEHI Hub View CAUTION When disabling all ports on a module make sure you don t disable the port through which your management station is communicating with the HUBStack or you will lose co...

Page 38: ...Using the SEHI Hub View 2 24 Managing the Hub...

Page 39: ...nsecutive collisions the repeater segments the port to isolate the source of the collisions from the rest of the network When the repeater segments a port it generates a portSegmenting trap As soon as...

Page 40: ...Table utility accessible from the icon menu or from the command line Once traps as a whole have been enabled you can use the Link Seg Traps feature to selectively enable and disable link and segmentat...

Page 41: ...o use this command any time you launch an application from the command line This script is automatically invoked when you launch an application from the icon menu or from within the Hub View If you wi...

Page 42: ...button 1 on the appropriate selection to Enable or Disable link traps for the repeater 4 In the Segmenting Traps field click mouse button 1 on the appropriate selection to Enable or Disable segmenting...

Page 43: ...odule the SetTrap Status For field will automatically revert to the Selected Modules setting To change the setting in the Set Trap Status For field click mouse button 1 on the currently displayed sett...

Page 44: ...ap status will be set for all ports on the same module as the selected port If the selection All Ports on Repeater is displayed in the Set Trap Status For field all available ports will be automatical...

Page 45: ...r more network IP addresses if the link fails the SEHI automatically switches traffic to a backup port To open the main Repeater Redundancy window from the icon 1 Click on the appropriate device icon...

Page 46: ...the environment variables SPMA needs to operate be sure to use this command any time you launch an application from the command line The script is automatically invoked when you launch the application...

Page 47: ...it and click The Change Circuit window Figure 4 3 will appear Figure 4 3 The Change Circuit Window In the appropriate boxes enter a new circuit name up to 16 alphanumeric characters and or number of r...

Page 48: ...Repeat as necessary to add additional addresses Click to exit the window b To delete a circuit address highlight the address in the Circuit Addresses list in the Channel X Redundancy window and click...

Page 49: ...ircuits The SEHI automatically polls all enabled circuits through the Primary port and all Backup ports at the time specified in the Test Time box If the first poll fails results in a no link conditio...

Page 50: ...s between retries if the first attempt is unsuccessful To set the Test Time 1 In the All Circuits box type a new test time in the Test Time field in a 24 hour HH MM SS format and click The Test Time i...

Page 51: ...municating through a port in the SEHI or SEHI controlled hub Each detected source address is also identified by the module and port through which it is communicating with the SEHI To view a SEHI s Sou...

Page 52: ...n you launch an application from the icon menu or from within the Hub View If you wish to change any Source Address settings be sure to use a community name with at least Read Write access If you only...

Page 53: ...ge 5 4 The list window can display about ten addresses at once use the scroll bar to the right of the list window to view additional addresses if necessary Since the SAT is constantly changing as old...

Page 54: ...Address Table by selecting the appropriate hashing algorithm If you are operating in a DECnet environment or one which incorporates some DECnet elements select the DEC hashing algorithm if your networ...

Page 55: ...multi level locking modes and new definitions for station and trunk ports station ports are those detecting zero one or two source addresses trunk ports are those detecting three or more Enabling port...

Page 56: ...and the appropriate trap will be generated Once Source Address Locking has been enabled each port s topology status station or trunk remains fixed and will not change while locking remains enabled re...

Page 57: ...will not issue newSourceAddress traps A sourceAddressTimeout trap is issued anytime a source address is aged out of the Source Address Table due to inactivity The trap s interesting information includ...

Page 58: ...x Again see Locking Source Addresses page 5 5 for more information Device level Traps The current status of the device level source addressing traps is displayed in the Source Address Traps field in t...

Page 59: ...tus For field all available modules will be automatically selected if you de select any module the Set Trap Status For field will automatically revert to the Selected Modules setting To change the set...

Page 60: ...ighlighted port click on it again If the selection All Ports On Module is displayed in the Set Traps Status For field you can select only one port at a time trap status will be set for all ports on th...

Page 61: ...o save your changes Finding a Source Address You can use the button to locate a source address in the list by the module and port through which it is communicating with the SEHI This feature is especi...

Page 62: ...search is initiated the remaining fields in the window will display the module and port through which the address is communicating with the SEHI If the address is not in the table the message MAC Addr...

Page 63: ...Finding a Source Address 5 13 Source Addressing Figure 5 6 Results of MAC Address Search 4 Click on to exit the window...

Page 64: ...Source Addressing 5 14 Finding a Source Address...

Page 65: ...che of up to 32 addresses among ports on a single hub in addition LANVIEWSECURE provides eavesdrop protection by scrambling the data portion of each packet to all ports except the destination port To...

Page 66: ...above When the LANVIEWSECURE feature is enabled it provides two kinds of protection intruder protection will prevent any unauthorized source addresses from communicating with the network via a NOTES...

Page 67: ...ses among the ports of your choosing Trunk port security When locking is enabled all ports will be secured including natural trunk ports Only ports which have been forced to trunk status will remain u...

Page 68: ...curity scrambles all packets not specifically destined to the secured port including broadcasts and multicasts partial security scrambles only unicast packets The Newest LANVIEWSECURE Features Additio...

Page 69: ...esignated as LANVIEWSECURE as indicated by a label on the front panel and an S appended to the hub name Some of the enhanced security features however will apply to all hubs installed in your SEHI con...

Page 70: ...table and allow that port to begin learning and securing new addresses Note that you cannot reset learned addresses on a locked port or on a port which is designated unsecurable Eavesdrop protection s...

Page 71: ...r one or more of the listed ports Note that if you select a group of ports with different security capabilities only those capabilities which apply to every port in the selected group will be active t...

Page 72: ...ble and which should be unsecurable By definition any LANVIEWSECURE port with more than 35 addresses in its source address table or exactly 35 for two consecutive ageing times is unsecurable as are an...

Page 73: ...ew ones as follows a To add a learned address click to highlight the desired address in the Learned Addresses list box then click on A confirmation window will appear click on Yes to secure the select...

Page 74: ...set learned addresses 2 Click mouse button 1 on or to open the appropriate window 3 In the Module or Port window click to select the hub s or port s for which you wish to reset learned addresses NOTE...

Page 75: ...6 12 for details Security must be disabled on any port which is connected to an external bridge or the bridge will discard all packets it receives as error packets since the CRC is not recalculated a...

Page 76: ...s traps A sourceAddressTimeout trap is issued anytime a source address is aged out of the Source Address Table due to inactivity The trap s interesting information includes the board and port index an...

Page 77: ...that locking ports from the Source Address window implements Full lock status by default however this will not override the status of any ports which have already been set to Continuous lock mode Ena...

Page 78: ...o exit the window Hub level Security and Traps Locking ports at the hub level applies all applicable protections as configured via the Port Security window to each port on the selected hub or hubs To...

Page 79: ...ect hubs 4 In the Security Mode field click mouse button 1 on the appropriate selection to apply Full or Continuous lock status to all ports on the selected hubs or to Unlock all ports on the hubs Not...

Page 80: ...automatically as you click to select or de select ports 4 In the Security Mode field click mouse button 1 on the appropriate selection to apply Full or Continuous lock status to the selected port s or...

Page 81: ...curity 5 Click on the appropriate selection in the Send Trap field to Enable or Disable traps for the selected port s 6 Click on to save your changes each port s new status will be displayed in the li...

Page 82: ...Security 6 18 Enabling Security and Traps...

Page 83: ...five components each of which is described below To see the names of the MIB components in your SEHI bring up the Community Names application or use any SNMP Get operation that will allow you to view...

Page 84: ...g functions such as ping Telnet and TFTP SEHI IP Services The IP Services MIB component is not currently used by the SEHI but is reserved for future use A Brief Word About MIB Components and Community...

Page 85: ...nformation you want For devices which support the original component based MIB architecture this means you must use the exact community name you have assigned to a specific component to access that co...

Page 86: ...SEHI MIB Structure A 4 SEHI MIB Structure...

Page 87: ...rrors 2 17 D Date 2 11 default community names A 2 Device button 2 4 Device Configuration 2 22 Device General Status 2 22 Device menu 2 4 2 7 Device Name 2 3 Device Status 2 10 disable ports 2 22 disc...

Page 88: ...6 Port Display Form 2 4 2 8 2 22 port display form options 2 8 port locking 5 5 6 3 Port menu 2 7 Port Operational State 2 22 port security status 5 4 Port Source Address List 2 19 Port Status 2 13 P...

Page 89: ...tics 2 15 2 22 general errors 2 16 protocols frames 2 16 2 19 Status 2 14 T Technical Support 1 6 Test Time 4 5 testing redundant circuits 4 5 TFTP Download 1 3 Time 2 11 topology status 5 6 Topology...

Page 90: ...Index Index 4...

Reviews:

No comments

Brands by name

Popular brands

Load more brands