
Configuring Security

4. Click to select the Reset Learned Addresses option. A confirmation window will appear; confirm to reset the addresses, or cancel.

The port's address table will be cleared of all Learned and Secure addresses, and the learning process will restart.

Tips for Successfully Implementing Eavesdropper Protection

There are a couple of things to note about eavesdropper protection, or scrambling, 
that must be taken into consideration as you are planning security for your 
network.

Security can only be implemented by locking a port, and can only be completely disabled by unlocking the port. You cannot enable intruder protection on a LANVIEWSECURE hub without also enabling eavesdropper protection. You can, however, effectively enable eavesdropper protection alone by selecting the noDisable option for the violation response; selecting noDisable basically eliminates intruder protection, as all packets will be allowed to pass regardless of their source address. (Note, however, that the port will issue a trap after the first violation.) You can also enable eavesdropper protection without intruder protection by selecting the Continuous lock mode; see Enabling Security and Traps, page 6-12, for details.

Security must be disabled on any port which is connected to an external bridge, 
or the bridge will discard all packets it receives as error packets (since the CRC 
is not recalculated after a packet is scrambled). 
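The bridge caveat above rests on one mechanical fact: the hub scrambles the data portion of a repeated frame but leaves the original FCS trailer in place, so any receiver that checks the CRC before forwarding (a bridge, a switch, or a NIC in promiscuous mode) sees a damaged frame and drops it. The following Python model is added here as an example; it is not part of the original guide and not Cabletron's code. It builds an Ethernet II frame with a genuine IEEE 802.3 CRC-32 trailer, garbles the data portion the way a non-destination port would, and shows the receiver's FCS check failing. The XOR keystream, the station addresses and the payload are constructed stand-ins (assumptions); the scrambling algorithm the hub actually uses is not described on this page.

```python
import binascii


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with its FCS: CRC-32 (IEEE 802.3, as binascii.crc32 computes it)
    over header+payload, appended least-significant byte first as on the wire."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + (binascii.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")


def fcs_valid(frame: bytes) -> bool:
    """What a bridge does before forwarding: recompute the CRC and compare it with the trailer."""
    body, fcs = frame[:-4], frame[-4:]
    return (binascii.crc32(body) & 0xFFFFFFFF) == int.from_bytes(fcs, "little")


def scramble_data_portion(frame: bytes, key: bytes) -> bytes:
    """Model of eavesdrop protection on a non-destination port: the data portion (everything
    after the 14-byte header) is garbled, while the header and the ORIGINAL FCS are repeated
    unchanged. XOR with a repeating key stands in for the hub's scrambler (assumption)."""
    header, data, fcs = frame[:14], frame[14:-4], frame[-4:]
    stream = (key * (len(data) // len(key) + 1))[:len(data)]
    return header + bytes(a ^ b for a, b in zip(data, stream)) + fcs


# Constructed sample traffic (not captured data): locally administered addresses,
# an IPv4 ethertype and a payload padded to the 46-byte minimum.
STATION_A = bytes.fromhex("020000000001")
STATION_B = bytes.fromhex("020000000002")
PAYLOAD = b"hello from station A" + bytes(26)


def demo() -> dict:
    """Clear copy (what station B's port repeats) vs. scrambled copy (what every other port,
    including one feeding an external bridge, repeats)."""
    frame = ethernet_frame(STATION_B, STATION_A, 0x0800, PAYLOAD)
    garbled = scramble_data_portion(frame, b"LANVIEWSECURE")
    return {
        "clear_copy_valid": fcs_valid(frame),
        "scrambled_copy_valid": fcs_valid(garbled),   # the bridge counts this as a CRC error
        "header_intact": garbled[:14] == frame[:14],  # addresses and type are still readable
    }
```

The header staying intact is worth noting from a monitoring standpoint: an eavesdropper on a non-destination port still learns who is talking to whom, only the payload is denied.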

Security should also be disabled on any port which is supporting a trunk connection, unless you are sure that no more than 34 source addresses will attempt to use the port, and you have secured all necessary addresses. Note that, with the newest versions of security, a LANVIEWSECURE port that sees more than 35 addresses in its Source Address table (or exactly 35 addresses for two consecutive ageing intervals) is considered unsecurable and cannot be locked.

Full security should not be implemented on any port which supports a Name 
Server or a BootP server, as those devices would not receive the broadcast and 
multicast messages they are designed to respond to (partial security — which 
does not scramble broadcasts or multicasts — will not affect their operation). 
Note that users who require responses to broadcast or multicast requests can 
still operate successfully if their ports are fully secured, as the reply to a 
broadcast has a single, specific destination address.
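To make the rules in the preceding tips concrete (the noDisable response and Continuous lock mode, the 35-address trunk limit, and full versus partial security around servers that depend on broadcasts), here is a small Python model of a LANVIEWSECURE port and hub, added as an example; it is not code from this guide or from Cabletron. The 35-address figure and the two-ageing-interval rule are taken from the text. Everything else is an assumption made to keep the model runnable: Continuous mode is modelled as continuing to secure new source addresses, the violation trap is recorded once per port, the scrambler is a byte-wise XOR stand-in, and the addresses and payloads are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# 35 is from the manual; the port rules below are a model of its text (assumption).
ADDRESS_LIMIT = 35      # >35 SAT entries, or exactly 35 for two ageing intervals: unsecurable
BROADCAST = b"\xff" * 6

@dataclass
class Port:
    name: str
    lock: str = "unlocked"          # "unlocked" | "full" | "continuous"
    partial: bool = False           # partial security leaves broadcasts/multicasts in the clear
    violation: str = "disable"      # violation response: "disable" | "noDisable"
    enabled: bool = True
    learned: Set[bytes] = field(default_factory=set)   # source address table (SAT)
    secure: Set[bytes] = field(default_factory=set)    # addresses secured at lock time
    traps: List[str] = field(default_factory=list)
    at_limit: int = 0               # consecutive ageing intervals with exactly 35 SAT entries

    def ageing_interval(self) -> None:  # nothing ages out in this toy model
        self.at_limit = self.at_limit + 1 if len(self.learned) == ADDRESS_LIMIT else 0

    def unsecurable(self) -> bool:
        return len(self.learned) > ADDRESS_LIMIT or self.at_limit >= 2

    def lock_port(self, mode: str) -> bool:
        """Apply Full or Continuous lock; refused on an unsecurable port."""
        if mode not in ("full", "continuous") or self.unsecurable():
            return False
        self.lock, self.secure = mode, set(self.learned)
        return True

    def ingress(self, src: bytes) -> bool:
        """Intruder protection on a frame arriving at this port; True if it is repeated."""
        if not self.enabled:
            return False
        if self.lock == "unlocked" or src in self.secure:
            self.learned.add(src)
            return True
        if self.lock == "continuous":
            # Modelled as 'keep securing new addresses' (assumption), so no violation is possible.
            self.learned.add(src)
            self.secure.add(src)
            return True
        if "violation" not in self.traps:       # the port traps after the first violation
            self.traps.append("violation")
        if self.violation == "noDisable":
            return True                         # all packets pass regardless of source
        self.enabled = False
        return False

    def egress(self, dst: bytes, data: bytes) -> Optional[bytes]:
        """Eavesdrop protection on a frame repeated out of this port."""
        if not self.enabled:
            return None
        if self.lock == "unlocked" or dst in self.learned:
            return data                         # this port owns the destination: clear
        if dst[0] & 0x01 and self.partial:      # I/G bit set: broadcast or multicast
            return data                         # partial security: group traffic in the clear
        return bytes(b ^ 0xA5 for b in data)    # stand-in scrambler (assumption): data garbled

def repeat(ports: Dict[str, Port], in_port: str, src: bytes, dst: bytes, data: bytes) -> Dict[str, Optional[bytes]]:
    """Repeat one frame from in_port to every other port of the hub, applying both protections."""
    if not ports[in_port].ingress(src):
        return {}
    return {n: p.egress(dst, data) for n, p in ports.items() if n != in_port}

def mac(i: int) -> bytes:   # locally administered test address (constructed)
    return b"\x02\x00\x00" + i.to_bytes(3, "big")

def scenarios() -> Dict[str, bool]:
    """Checks of the tips in the text, run on constructed traffic."""
    client, server, intruder, out = mac(1), mac(2), mac(99), {}
    # A BootP server on a fully secured port never sees the broadcast; partial security passes it.
    # The unicast reply reaches the client on its fully secured port either way.
    for partial in (False, True):
        hub = {"c": Port("c", partial=partial, learned={client}), "s": Port("s", partial=partial, learned={server})}
        hub["c"].lock_port("full")
        hub["s"].lock_port("full")
        out[f"server_sees_broadcast_partial={partial}"] = repeat(hub, "c", client, BROADCAST, b"req")["s"] == b"req"
        out[f"client_gets_reply_partial={partial}"] = repeat(hub, "s", server, client, b"reply")["c"] == b"reply"
    # Trunk ports: 36 addresses, or 35 for two consecutive ageing intervals, cannot be locked.
    for n, intervals in ((36, 0), (35, 1), (35, 2)):
        t = Port("t", learned={mac(i) for i in range(100, 100 + n)})
        for _ in range(intervals):
            t.ageing_interval()
        out[f"lockable_{n}_addrs_{intervals}_intervals"] = t.lock_port("full")
    # 'disable' shuts the port; 'noDisable' forwards the intruder's frame but still traps.
    for resp in ("disable", "noDisable"):
        p = Port("p", violation=resp, learned={client})
        p.lock_port("full")
        out[f"{resp}_forwards"] = bool(repeat({"p": p, "q": Port("q")}, "p", intruder, server, b"x"))
        out[f"{resp}_trap"], out[f"{resp}_enabled"] = "violation" in p.traps, p.enabled
    # Continuous lock: new sources are admitted, yet traffic for other stations stays scrambled.
    hub = {"p": Port("p", learned={client}), "q": Port("q")}
    hub["p"].lock_port("continuous")
    out["continuous_admits_new_source"] = bool(repeat(hub, "p", intruder, server, b"x")) and not hub["p"].traps
    out["continuous_still_scrambles"] = repeat(hub, "q", server, mac(7), b"y")["p"] != b"y"
    return out
```

scenarios() returns a dictionary of named outcomes. The pairing to watch is the BootP case: under full security the server's port repeats only a scrambled copy of the broadcast request, under partial security it repeats the request in the clear, and in both cases the client's fully secured port still receives the unicast reply because that port owns the reply's destination address.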

In general, scrambling is most effective when employed in a single hubstack which contains only LANVIEWSECURE hubs; remember, non-LANVIEWSECURE hubs do not support scrambling as part of their security functionality.
