Nortel Ethernet Routing Switch 2500 Series
Security — Configuration and Management
NN47215-505 (323165-B)
Page 1: ...Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B...
Page 2: ...ny the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial Computer Software Restricted Right...
Page 3: ...E is no longer in use Customer promptly returns the Software to Nortel Networks or certify its destruction Nortel Networks can audit by remote polling or other reasonable means to determine Customer's...
Page 4: ...ty can bring an action regardless of form more than two years after the cause of the action arose e The terms and conditions of this License Agreement form the complete and exclusive agreement between...
Page 5: ...Configuration 17 Username and password 17 Logging on 18 Configuring Security options 18 RADIUS based network security 20 MAC address based security 21 EAPOL based security 21 EAPoL with Guest VLAN 23...
Page 6: ...I commands 58 CLI commands specific to SNMPv3 69 Securing your network 80 Configuring MAC address filter based security 80 Configuring EAPOL based security 87 Configuring advanced EAPOL features 94 Co...
Page 7: ...management information view 202 Configuring an SNMPv3 system notification entry 205 Configuring an SNMPv3 management target address 208 Configuring an SNMPv3 management target parameter 211 Configurin...
Page 8: ...8 Contents Nortel Ethernet Routing Switch 2500 Series Security Configuration and Management NN47215 505 323165 B 02 01 Standard 4 1 19 November 2007 Copyright 2007 Nortel Networks...
Page 9: ...h 2500 Release 4 1 supports advanced EAPOL security features For more information see the following sections Advanced EAPOL features page 28 Configuring multihost support page 95 Configuring support f...
Page 11: ...ribe the features common to the switches mentioned above A switch is referred to by its specific name when a feature is described that is exclusive to the switch Before you begin This guide is intende...
Page 12: ...how ip routes but not both brackets Indicate optional elements in syntax descriptions Do not type the brackets when entering the command Example If the command syntax is show ip interfaces alerts you...
Page 13: ...gement interfaces and how to use them to configure basic switching features for the Nortel Ethernet Routing Switch 2500 Series Nortel Ethernet Routing Switch 2500 Series Configuration VLANs Spanning T...
Page 14: ...to technical issues sign up for automatic notification of new software and documentation for Nortel equipment open and manage technical support cases Getting help through a Nortel distributor or resel...
Page 15: ...hen you use an ERC your call is routed to a technical support person who specializes in supporting that product or service To locate the ERC for your product or service go to www nortel com erc Nortel...
Page 17: ...f the console terminal were directly connected to the Switch You can establish up to four active Telnet or Web sessions at one time in addition to one active Console connection for a total of five pos...
Page 18: ...or your LAN RADIUS based security limits administrative access to the switch through user authentication MAC address based security limits access to the switch based on allowed source MAC addresses EA...
Page 19: ...s MAC addresses access to one or more switch ports see MAC address based security page 21 The switch is located in a locked closet accessible only by authorized Technical Services personnel Student do...
Page 20: ...ts you set up network access control by using the Remote Authentication Dial In User Services RADIUS security protocol The RADIUS based security feature uses the RADIUS protocol to authenticate local...
Page 21: ...e stack configuration Specify which of your switch ports each MAC address is allowed to access The options for allowed port access include NONE ALL and single or multiple ports that are specified in a...
Page 22: ...software with the main purpose of authorizing the supplicant who is attached at the other end of the LAN segment Authentication server a Radius server that provides authorization services to an authe...
Page 23: ...n the port has access to that port for traffic Any tagging of ingress packets are to the PVID of that port This remains the default configuration With Software Release 4 1 EAP also allows Guest VLANs...
Page 24: ...mpts the switch resets the logon process The number of failed logon attempts is configurable and the default is three Password history The switch keeps a history of the last three passwords You cannot...
Page 25: ...isplay and verification restrictions to the following passwords RADIUS Shared Secret Read Only community string Read Write community string Enabling and disabling password security Password security c...
Page 26: ...and also is saved across reboots of the switch For more information see Changing the http port number page 43 Simple Network Management Protocol The Nortel Ethernet Routing Switch 2500 Series support...
Page 27: ...introduces a standards based GetBulk retrieval capability using SNMPv1 communities SNMPv3 support in the Nortel Ethernet Routing Switch 2500 Series introduces industrial grade user authentication and...
Page 28: ...he port Each user must complete EAP authentication before the port allows traffic from the corresponding MAC address Only traffic from the authorized hosts is allowed on that port Radius assigned VLAN...
Page 29: ...in MHMA mode upon successful RADIUS authentication the port gets a VLAN value in a RADIUS Attribute with EAP success The port is added and the PVID is set to the first such VLAN value from the RADIUS...
Page 30: ...t authenticated client In this way a permanent bounce between different VLANs of the switch port is avoided Following are the steps to enable the enhancement Enable Radius assigned VLANs in Global Con...
Page 31: ...on For more information about the generated credentials see Non EAPOL MAC RADIUS authentication page 32 If the MAC address is authenticated by RADIUS the host is allowed If the MAC address does not ma...
Page 32: ...ormation about configuring non EAPOL host support see Configuring support for non EAPOL hosts on EAPOL enabled ports Non EAPOL MAC RADIUS authentication For RADIUS authentication of a non EAPOL host M...
Page 33: ...n After the first EAPOL client successfully authenticates EAPOL packets and data from that client are allowed on the port No other clients are allowed to negotiate EAPOL authentication The port is set...
Page 34: ...port is 32 However Nortel expects that the usual maximum value configured for a port is 2 This translates to around 200 for a box and 800 for a stack Nortel Ethernet Routing Switch 2500 Series Securi...
Page 35: ...ADIUS based management password authentication page 56 Setting SNMP parameters page 58 Setting the username and password This section contains information about the following topics username command p...
Page 36: ...applies to the read only mode ATTENTION After you configure the username and password with the username command if you then update the password using the cli password command or through Web based man...
Page 37: ...nd Web based management access none local radius Specifies the password that you are modifying none disables the password local use the locally defined password for serial console or Telnet access ra...
Page 38: ...tax for the command is show password security The following shows a sample output for this command 2550T config show password security Password security is enabled The show password security command h...
Page 39: ...e IP manager list When enabled the IP manager list determines which source IP addresses are allowed access to the switch No other source IP addresses have access to the switch You configure the IP man...
Page 40: ...nmp web source ip 1 10 XXX XXX XXX XXX mask XXX XXX XXX XXX The ipmgr command for the management systems is executed in the Global Configuration command mode Table 3 ipmgr command for system managemen...
Page 41: ...The syntax for the no ipmgr command for the management systems is no ipmgr telnet snmp web The no ipmgr command is executed in the Global Configuration command mode Table 4 no ipmgr command for manage...
Page 42: ...he source IP address from which access is allowed Enter the IP address either as an integer or in dotted decimal notation mask XXX XXX XXX XXX Specifies the subnet mask from which access is allowed e...
Page 43: ...re you can change the HTTP port You can configure this feature by using the following commands show http port command page 43 http port command page 44 default http port page 44 show http port command...
Page 44: ...or the HTTP port to the default value of 80 The syntax for the default http port command is default http port The default http port command is executed in the Global Configuration command mode The def...
Page 45: ...mmand page 45 telnet access command page 46 no telnet access command page 47 default telnet access command page 48 show telnet access command The show telnet access command displays the current settin...
Page 46: ...cess command Table 8 telnet access command parameters and variables Parameters and variables Description enable disable Enables or disables Telnet connections login timeout 1 10 Specifies the time in...
Page 47: ...t connection attempts are saved in the event log source ip 1 10 XXX XXX XXX XXX mask XXX XXX XXX XXX Specifies up to 10 source IP addresses from which connections are allowed Enter the IP address eit...
Page 48: ...ring the IP manager list page 39 default telnet access command The default telnet access command sets the Telnet settings to the default values The syntax for the default telnet access command is defa...
Page 49: ...mmand page 54 show ssh global command The show ssh global command displays the secure shell configuration information The syntax for the show ssh global command is show ssh global The show ssh global...
Page 50: ...show ssh session command output show ssh download auth key command The show ssh download auth key command displays the results of the most recent attempt to download the DSA public key from the TFTP s...
Page 51: ...e no ssh dsa host key command is executed in the Global Configuration command mode There are no parameters or variables for the no ssh dsa host key command ssh command The ssh command enables the SSH...
Page 52: ...cation The syntax of the ssh timeout command is ssh timeout 1 120 The ssh timeout command executed in the Global Configuration command mode Table 10 ssh timeout command parameters and variables page 5...
Page 53: ...and no ssh pass auth command The no ssh pass auth command disables password authentication The syntax of the no ssh pass auth command is no ssh pass auth The no ssh pass auth command executed in the G...
Page 54: ...key command Table 12 ssh download auth key command parameters and variables Parameters and variables Description address XXX XXX XXX XXX The IP address of the TFTP server key name file The name of the...
Page 55: ...ssion authentication to the default Default is 60 Setting server for Web based management You can enable or disable the Web server to use for the Web based management system This section discusses the...
Page 56: ...configure this authentication by using the CLI system you can use the following commands show radius server command page 56 radius server command page 57 no radius server command page 58 default radiu...
Page 57: ...the parameters and variables for the radius server command Table 15 radius server command parameters and variables Parameters and variables Description primary host address Specifies the primary RADI...
Page 58: ...gure password fallback as an option when you use RADIUS authentication for login and password When both RADIUS servers are unreachable the user can log in using the local passwords The syntax for the...
Page 59: ...e 65 no snmp server location command page 65 default snmp server location command page 66 snmp server name command page 66 no snmp server name command page 66 default snmp server name command page 67...
Page 60: ...command enables or disables the generation of SNMP authentication failure traps The syntax for the snmp server authentication trap command is snmp server authentication trap enable disable The snmp se...
Page 61: ...rver authentication trap command has no parameters or variables snmp server community for read write command The snmp server community command for read write modifies the community strings for SNMP v1...
Page 62: ...ations with rw access can retrieve and modify MIB objects ATTENTION If neither ro nor rw is specified ro is assumed default no snmp server community command The no snmp server community command clears...
Page 63: ...on to the default settings The syntax for the default snmp server community command is default snmp server community ro rw The default snmp server community command is executed in the Global Configura...
Page 64: ...ameters and variables for the snmp server contact command Table 21 snmp server contact command parameters and variables Parameters and variables Description text Specifies the SNMP sysContact value en...
Page 65: ...les Description text Specifies the SNMP sysLocation value enter an alphanumeric string of up to 255 characters no snmp server location command The no snmp server location command clears the SNMP sysLo...
Page 66: ...r name command parameters and variables page 66 describes the parameters and variables for the snmp server name command Table 24 snmp server name command parameters and variables Parameters and variab...
Page 67: ...default snmp server name command Table 26 default snmp server name command parameters and variables Parameters and variables Description text Specifies the SNMP sysName value enter an alphanumeric st...
Page 68: ...mand is no snmp trap link status port portlist The no snmp trap link status command is executed in the Interface Configuration command mode Table 28 no snmp trap link status command parameters and var...
Page 69: ...ENTION If you omit this parameter the system uses the port number specified with the interface command CLI commands specific to SNMPv3 This section describes the unique CLI commands for configuring SN...
Page 70: ...sha parameter is included Likewise you can specify authenticated and encrypted access only if the des aes or 3des parameter is included If you omit the authenticated view parameters authenticated acce...
Page 71: ...is enabled in which case the switch prompts you to enter and confirm the new password read view view name Specifies the read view to which the new user has access view name specifies the view name en...
Page 72: ...NTION This parameter is not available when Password Security is enabled in which case the switch prompts you to enter and confirm the new password no snmp server user command The no snmp server user c...
Page 73: ...parameters and variables page 73 describes the parameters and variables for the snmp server view command Table 32 snmp server view command parameters and variables Parameters and variables Description...
Page 74: ...he system group except for sysDescr no snmp server view command The no snmp server view command deletes the specified view The syntax for the no snmp server view command is no snmp server view viewnam...
Page 75: ...command Table 34 snmp server host for the new style table command parameters and variables Parameters and variables Description host ip Enter a dotted decimal IP address of a host to be the trap desti...
Page 76: ...d variables page 76 describes the parameters and variables for the no snmp server for the new style table command Table 35 no snmp server host for the new style command parameters and variables Parame...
Page 77: ...name write view view name notify view view name The snmp server community command is executed in the Global Configuration command mode Table 36 snmp server community command parameters and variables p...
Page 78: ...alphanumeric string notify view view name Changes the notify view settings used by the new community string for different types of SNMP operations view name specifies the name of the view that is a se...
Page 79: ...e data consists of a set of initial users groups and views This snmp server bootstrap command deletes all existing SNMP configurations so use the command with caution The syntax for the snmp server bo...
Page 80: ...ss table address command page 83 mac security security list command page 83 no mac security command page 84 no mac security mac address table command page 84 no mac security security list command page...
Page 81: ...mmand Figure 10 show mac security command output mac security command The mac security command modifies the BaySecure configuration The syntax for the mac security command is mac security disable enab...
Page 82: ...rusion is detected enter the number of seconds to specify learning enable disable Specifies MAC address learning enable enables learning by ports disable disables learning by ports ATTENTION The MAC a...
Page 83: ...ust specify only a single port The mac security mac address table address command is executed in the Global Configuration command mode Table 41 mac security mac address table address parameters and va...
Page 84: ...o mac security command has no parameters or values no mac security mac address table command The no mac security mac address table command clears entries from the MAC address security table The syntax...
Page 85: ...4 no mac security security list command parameters and variables Parameters and variables Description 1 32 Enter the number of the security list that you want to clear mac security command for specifi...
Page 86: ...ac da filter command you can filter packets from up to 10 specified MAC DAs You also can use this command to delete such a filter and then receive packets from the specified MAC DA The syntax for the...
Page 87: ...difying parameters page 91 eapol guest vlan command page 93 no eapol guest vlan command page 93 default eapol guest vlan command page 93 show eapol command The show eapol command displays the status o...
Page 88: ...he port Force Unauthorized Port is always unauthorized Auto Port authorization status depends on the result of the EAP authentication Force Authorized Port is always authorized Auth Displays the curre...
Page 89: ...r response from supplicant for EAP Request or Identity packets the range is 1 65535 Supplicant Timeout Specifies a waiting period for response from supplicant for all EAP packets the range is 1 65535...
Page 90: ...uth stats interface The show eapol auth stats interface command is executed in the Privileged EXEC command mode Figure 13 show eapol auth stats interface command output page 90 displays sample output...
Page 91: ...pol port portlist init status authorized unauthorized auto traffic control in out in re authentication enable disable re authentication period 1 604800 re authenticate quiet interval num transmit int...
Page 92: ...authentication enable disable Enables or disables reauthentication re authentication period 1 604800 Enter the number of seconds that you want between re authentication attempts Use either this varia...
Page 93: ...he Global Configuration command mode and Interface Configuration command mode Table 50 eapol guest vlan command parameters and variables page 93 describes the parameters and variables for the eapol gu...
Page 94: ...gure 14 show eapol guest vlan command output page 94 displays sample output from the eapol guest vlan command Figure 14 show eapol guest vlan command output Configuring advanced EAPOL features Etherne...
Page 95: ...non eap mhsa enable radius non eap enable use radius assigned vlan non eap pwd fmt ip addr mac addr port number This command is executed in the Global Configuration command mode eapol multihost param...
Page 96: ...OL password format default eapol multihost command The default eapol multihost command sets the EAPoL multihost feature to default This command is executed in the global configuration mode The syntax...
Page 97: ...the parameters and variables for the eapol multihost command eapol multihost command parameters and variables Parameters and variables Description allow non eap enable Enables MAC addresses of non EAP...
Page 98: ...clients MAC addresses port Displays port number on which to apply EAPOL multihost settings radius non eap enable Disables Radius authentication of non EAP clients use radius assigned vlan Disallows us...
Page 99: ...umber on which to disable EAPOL radius non eap enable Enables Radius authentication of non EAP clients use radius assigned vlan Allows use of RADIUS assigned VLAN values non eap mac H H H port Resets...
Page 100: ...ge 100 describes the parameters and variables for the show eapol multihost command show eapol multihost command parameters and variables Parameters and variables Description interface Displays EAPOL m...
Page 101: ...les Description portList List of ports show eapol multihost interface command output page 101 displays sample output from the show eapol multihost interface command show eapol multihost interface comm...
Page 102: ...n To configure support for non EAPOL hosts on EAPOL enabled ports do the following 1 Enable non EAPOL support globally on the switch and locally for the desired interface ports using one or both of th...
Page 103: ...ll ports on the interface To discontinue local authentication of non EAPOL hosts on EAPOL enabled ports use the no or default keywords at the start of the commands in both the Global and Interface con...
Page 104: ...authentication on the desired interface or on a specific port for non EAPOL hosts The default for this feature is disabled To discontinue RADIUS authentication of non EAPOL hosts on EAPOL enabled por...
Page 105: ...ll If you do not specify a port parameter the command sets the value for all ports on the interface value is an integer in the range 1 32 that specifies the maximum number of non EAPOL clients allowed...
Page 106: ...terface configuration mode show eapol multihost The display shows whether local and RADIUS authentication of non EAPOL clients is enabled or disabled Viewing port settings for non EAPOL hosts To view...
Page 107: ...multihost status command displays the multihost status of eapol clients on EAPOL enabled ports The syntax for the show eapol multihost status command is show eapol multihost status interface type inte...
Page 108: ...settings for a specific port or for all ports on an interface use the following command in Interface configuration mode eapol multihost port portlist where portlist is the list of ports to which you...
Page 109: ...ed maximum will be approximately 200 for each box and 800 for a stack Viewing MHSA settings and activity For information about the commands to view MHSA settings and non EAPOL host activity see Viewin...
Page 110: ...tatus tab page 119 AuthViolation tab page 122 SSH tab page 122 SSH Sessions tab page 124 Radius Server tab page 125 Configuring EAPOL on ports page 126 Configuring SNMP page 141 Working with SNMPv3 pa...
Page 111: ...procedure Step Action 1 From the Device Manager menu bar select Edit Security The Security dialog box appears with the EAPOL tab displayed 2 Click the General tab The General tab appears The following...
Page 112: ...curity configuration Entries also include other notlocked AuthCtlPartTime This value indicates the duration of the time for port partitioning in seconds The default is zero When the value is zero the...
Page 113: ...trap partitionPort Port is partitioned partitionPortAndsendTrap Port is partitioned and traps are sent to the trap receiver daFiltering Port filters out the frames where the destination address field...
Page 114: ...in the SecurityList tab SecurityList tab The SecurityList tab contains a list of Security port fields To view the SecurityList tab use the following procedure Step Action 1 From the Device Manager men...
Page 115: ...ct Edit Security The Security window appears with the EAPOL tab displayed EAPOL tab 2 Click the SecurityList tab The SecurityList tab appears SecurityList tab 3 Click Insert The Security Insert Securi...
Page 116: ...that have the security configuration An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU Otherwise the GENERR return value is re...
Page 117: ...ly if BrdIndx and PortIndx values are set to zero For other board and port index values this index must also have the value of zero The corresponding MAC Address of this entry is allowed or blocked on...
Page 118: ...corresponds to the index of the last manageable port on the board but only if the index is greater than zero A zero index is a wild card MACIndx An index of MAC addresses that are either designated a...
Page 119: ...le port a single port all the ports on a single board a particular port on all the boards all the ports on all the boards To view the AuthStatus tab use the following procedure Step Action 1 From the...
Page 120: ...tains the board if the index is greater than zero AuthStatusPortIndx The index of the port on the board This corresponds to the index of the last manageable port on the board if the index is greater t...
Page 121: ...of the unauthorized station Traps are sent to the trap receiver sendTrap A trap is sent to the trap receiver(s) partitionPortAnddaFiltering Port is partitioned and filters out the frames where the des...
Page 122: ...e Security window appears with the EAPOL tab displayed 2 Click the AuthViolation tab The AuthViolation tab appears The following figure displays the AuthViolation tab Figure 23 AuthViolation tab End S...
Page 123: ...enables SSH Securely enable turns off other daemon flag and it takes effect after a reboot Version Indicates the SSH version Port Indicates the SSH connection port Timeout Indicates the SSH connection...
Page 124: ...es the retrieved value of the TFTP transfer SSH Sessions tab The SSH Sessions tab displays the currently active SSH sessions To view the SSH Sessions tab use the following procedure Step Action 1 From...
Page 125: ...dius Server tab use the following procedure Step Action 1 From the Device Manager menu bar select Edit Security Select the Radius Server tab 2 Click the Radius Server tab The Radius Server tab appears...
Page 126: ...s before the client retransmit the packet to RADIUS server SharedSecret Key Specifies the value of the shared secret key ATTENTION The shared secret key has a maximum of 16 characters ConfirmedSharedS...
Page 127: ...one of the following From the shortcut menu choose Edit From the Device Manager main menu choose Edit Port From the toolbar click Edit The Port dialog box appears with the Interface tab displayed 3 C...
Page 128: ...status is always unauthorized Auto The authorization status depends on the EAP authentication results BackendAuthState The current state of the Backend Authentication state for the switch AdminContro...
Page 129: ...od Time interval between successive reauthentications When the ReAuthenticationEnabled field see the following field is enabled you can specify the time period between successive EAPOL authentications...
Page 130: ...s Ctrl left click the ports that you want to edit A yellow outline appears around the selected ports 2 Do one of the following From the shortcut menu choose Edit From the Device Manager main menu choo...
Page 131: ...Client Enables or disables non EAPOL on the port MultiHostNonEapMaxNumMacs Specifies the maximum number of allowed non EAPOL clients on the port MultiHostSingleAuthEnabled Enables or disables EAPOL...
Page 132: ...MACAddr The MAC address of the client PaeState The current state of the authenticator PAE state machine BackendAuthState The current state of the Backend Authentication state machine Reauthenticate The...
Page 133: ...session termination UserName The username representing the identity of the supplicant PAE End Non EAPOL host support settings From the EAPOL Advance tab on the Port screen it is possible to view non E...
Page 134: ...ss to the list of allowed non EAPOL clients a Click the Insert button The Insert Allowed non EAP MAC screen appears The following figure illustrates this tab Figure 32 Insert Allowed non EAP MAC scree...
Page 135: ...escribes the fields on this screen Non EAPOL MAC screen Non EAP Status tab Field Description PortNumber The port number in use ClientMACAddr The MAC address of the client State The authentication stat...
Page 136: ...t or ports you want to graph To select multiple ports press Ctrl left click the ports that you want to configure A yellow outline appears around the selected ports 2 Do one of the following From the D...
Page 137: ...this authenticator EapolLogoffFramesRx The number of EAPOL Logoff frames that are received by this authenticator EapolRespIdFramesRx The number of EAPOL Resp Id frames that are received by this authen...
Page 138: ...s you want to graph To select multiple ports press Ctrl left click the ports that you want to configure A yellow outline appears around the selected ports 2 Do one of the following From the Device Man...
Page 139: ...ing as a result of receiving an EAPOL Logoff message EntersAuthenticating Counts the number of times that the state machine transitions from connecting to authenticating as a result of an EAP Response...
Page 140: ...ng received from the Supplicant AuthReauthsWhileAuthenticated Counts the number of times that the state machine transitions from authenticated to connecting as a result of a reauthentication request...
Page 141: ...ndicates that the Supplicant has successfully authenticated to the Authentication Server BackendAuthFails Counts the number of times that the state machine receives an EAP Failure message from the Aut...
Page 142: ...ries TrpRcvrCurEnt The current number of trap receiver entries TrpRcvrNext The next trap receiver entry to be created Trap Receivers tab The Trap Receivers tab lists the devices that receive SNMP trap...
Page 143: ...wing Community field description in this table NetAddr The address or DNS hostname for the trap receiver Community Community string used for trap messages to this trap receiver Adding a Trap Receiver...
Page 144: ...information about the addresses that the agent software uses to identify the switch To open the SNMP tab use the following procedure Step Action 1 Select the chassis 2 Choose Graph Chassis The Graph...
Page 145: ...etVars The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set Request PDUs InGetRequests The total number of SNMP Get Request PDUs that are...
Page 146: ...ity Names The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name InBadCommunityUses The total number of SNMP messages delivered to the SNMP protocol...
Page 147: ...and SNMPv2c It supports better authentication and data encryption than SNMPv1 and SNMPv2c SNMPv3 provides protection against the following security threats modification of SNMP messages by a third par...
Page 148: ...To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user use the following procedure Step Action 1 On the Device Manager menu bar select Device Open 2 In the Device Name...
Page 149: ...n method page 149 describes the ways in which an SNMPv3 user can be configured Table 67 SNMPv3 user configuration method SNMPv3 Configuration Method Description NoAuthNoPriv The user cannot use an aut...
Page 150: ...acters AuthProtocol Identifies the authentication protocol used PrivProtocol Identifies the privacy protocol used StorageType Specifies whether the table entry row will be stored in volatile or nonvol...
Page 151: ...hat you assign both an authentication and encryption protocol to the first user you create through the CLI or Web interface 5 From the Auth Protocol pull down list select an authentication protocol fo...
Page 152: ...n old AuthPass and a new AuthPass Cloned User's Auth Password Specifies the current authentication password New User's Auth Password Specifies the new authentication password to use for this user Priv...
Page 153: ...subtrees or objects For more detailed information on VACM see RFC 3415 Defining Group Membership with VACM To add members to a group in the View based Access Control Model VACM table use the followin...
Page 154: ...memory it does not persist if the switch loses power 2 Click Insert The VACM Insert Group Membership dialog box appears The following figure displays the VACM Insert Group Membership dialog box 3 Sel...
Page 155: ...ity model assigned to users in the Group Membership table Options are SNMPv1 SNMPv2c or USM SecurityLevel The security level assigned to users in the Group Membership table Options are noAuthNoPriv au...
Page 156: ...Insert Group Access Right dialog box Figure 44 VACM Insert Group Access Right dialog box 4 Enter the name of a group 5 Enter the context prefix 6 Select the security model 7 Select the security level...
Страница 157: ...From the Device Manager menu bar choose Edit SnmpV3 VACM table The VACM dialog box appears Figure 42 VACM dialog Group Membership tab page 153 2 Select the MIB View tab The MIB View tab appears The fo...
Страница 158: ...determine whether an OID falls under a view subtree Type Determines whether access to a MIB object is granted Included or denied Excluded The default is Included StorageType Specifies whether this ta...
Страница 159: ...nity table contains objects for mapping between community strings and the security name created in VACM Group Member To create a community use the following procedure Step Action 1 From the Device Man...
Страница 160: ...ble dialog box fields Table 74 Community Table dialog box fields Field Description Index The unique index value of a row in this table The SnmpAdminString range is 1 32 characters Name The community s...
Страница 161: ...points StorageType The storage type for this conceptual row in the snmpCommunityTable Conceptual rows that have the value permanent do not allow write access to any columnar object in the row Manageme...
Страница 162: ...Field Description Name Specifies the name for this target table entry TDomain Specifies the domain of the management target The default is snmpUDPDomain TAddress Specifies the IP address and destinati...
Страница 163: ...ck Insert The Target Table Insert Target Address Table dialog box appears The following figure displays the Target Table Insert Target Address Table dialog box Figure 50 Target Table Insert Target Add...
Страница 164: ...t Address Table displayed Figure 49 Target Table dialog box Target Address Table tab page 162 2 Select the Target Params Table tab The Target Params Table tab appears The following figure displays the...
Страница 165: ...rams Table tab fields page 165 describes the Target Params Table dialog box fields Table 77 Target Params Table tab fields Field Description Name Specifies the name of the target parameters table MPMo...
Страница 166: ...use the following procedure Step Action 1 From the Device Manager menu bar choose Edit SnmpV3 Notify The Notify Table dialog box appears Figure 53 NotifyTable dialog box page 166 Notify Table dialog...
Страница 167: ...y it does not persist if the switch loses power 2 Click Insert The Notify Table Insert dialog box appears The following figure displays the Notify Table Insert dialog box Figure 54 Notify Table Insert...
Page 169: ...urity by using the Web based management interface ATTENTION When you install the switch Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface Fo...
Page 170: ...ATTENTION The title of the page corresponds to the menu selection you choose In the network administrator selected Administration Security Console Figure 55 Console password setting page The following...
Page 171: ...rd setting for the read only access user Console Switch Password Setting Read Write Switch Password 1 15 Type the read write password setting for the read write access user Console Stack Password Typ...
Page 172: ...sword for remote dial up If you select this password type you must also set up RADIUS authentication from the Radius management page 5 Type the password for read only and read write user access 6 Clic...
Page 173: ...port for the RADIUS server The default value is 1645 4 Type the number of seconds for the RADIUS timeout period The range is 1 to 60 seconds 5 Type a character string for the RADIUS Shared Secret This...
Page 174: ...for read only access or RW uppercase for read write access 2 In the Password text box type your password 3 Click Log On The System Information page appears ATTENTION For information about modifying e...
Page 175: ...urce Addresses SAs of the authorized stations You can specify a list of up to 448 MAC SAs that are authorized to access the switch You can also specify the ports that each MAC SA is allowed to access...
Page 176: ...feature and specify the appropriate system responses to any unauthorized network access to your switch To configure MAC address based security by using the Web based management system use the followin...
Page 177: ...d 1 Enabled 2 Disabled After this field is set to enabled the MAC address security screens cannot be modified by using SNMP MAC Address Security Setting Partition Port on Intrusion Detected 1 Forever...
Page 178: ...on in the MAC address security features Port List Blank MAC Security Table Clear by Ports Current Learning Mode Blank Action Lets you identify ports that learn incoming MAC addresses All source MAC ad...
Page 179: ...elete ports from a list use the following procedure Step Action 1 From the main menu choose Application MAC Address Security Port Lists The Port Lists page appears The following figure displays the Po...
Page 180: ...st page Figure 61 Port List View Port List page a Click the ports you want to add to the selected list or click All b To delete a port from a list clear the box by clicking it c Click Submit 3 From th...
Page 181: ...MAC addresses You can use the Security Table page to specify the ports that each MAC address is allowed to access You must also include the MAC addresses of any routers that are connected to any secu...
Page 182: ...ys the entry through which the MAC address is allowed MAC Address Lets you specify up to 448 MAC addresses that are authorized to access the switch You can specify the ports that each MAC address is a...
Page 183: ...C address for the default LAN router as an allowed source MAC address End Clearing ports You can clear all information from the specified port s in the list of ports that learn MAC addresses If Learn...
Page 184: ...clear all the allowed Source Ports field leaving a blank field for an entry the associated MAC address for that entry is also cleared End Enabling security on ports To enable or disable MAC address b...
Page 185: ...em Range Description Port 1 to 52 Lists each port on the unit Trunk Blank 1 to 6 Displays the MultiLink Trunk to which the port belongs Security 1 Enabled 2 Disabled Enables MAC address based secur...
Page 186: ...figuration page page 185 click Disabled to remove that port from the MAC address based security system this action disables all MAC address based security on that port Filtering MAC destination addres...
Page 187: ...u want to filter You can list up to 10 MAC DAs to filter 3 Click Submit The system returns you to the DA MAC Filtering page Figure 65 DA MAC Filtering page page 186 with the new DA listed in the table...
Page 188: ...t of which deal with security Configuring SNMPv1 You can configure SNMPv1 read write and read only community strings enable or disable trap mode settings and or enable or disable the autotopology feat...
Page 189: ...to confirm the community string for the SNMPv1 read only community The default value is public Community String Setting Read Write Community String 1 32 Type a character string to identify the com...
Page 190: ...the steps to build and manage SNMPv3 in the Web based management user interface Viewing SNMPv3 system information You can view information about the SNMPv3 engine that exists and the private protocol...
Page 191: ...Time The number of seconds since the SNMP engine last incremented the snmpEngineBoots object SNMP Engine Maximum Message Size The maximum length in octets of an SNMP message that this SNMP engine c...
Page 192: ...n the SNMPv3 Counters section of the SNMPv3 System Information page Table 90 SNMPv3 Counters section fields Item Description Unavailable Contexts The total number of packets dropped by the SNMP engine...
Page 193: ...ropped by the SNMP engine because they could not be decrypted End Configuring user access to SNMPv3 You can view a table of all current SNMPv3 user security information such as authentication privacy...
Page 194: ...letes the row User Name usmUser SecurityName The name of an existing SNMPv3 user Authentication Protocol usmUser AuthProtocol Indicates whether the message sent on behalf of this user to from the SNMP...
Page 195: ...from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 or SHA protocol Authentication Passphrase usmUserAuthPassword 1 32 Type a string of characters to create a passph...
Page 196: ...o one of the following Click Yes to delete the SNMPv3 user configuration Click Cancel to return to the User Specification page without making changes End Configuring an SNMPv3 system user group member...
Page 197: ...on the Group Membership page Table 93 Group Membership page items Item and MIB association Range Description Deletes the row Nortel Ethernet Routing Switch 2500 Series Security Configuration and Mana...
Page 198: ...n off the power Selecting Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Group Membership Creation section type the required information in the text boxes...
Page 199: ...s rights page 199 End Configuring SNMPv3 group access rights You can view a table of existing SNMPv3 group access rights configurations and you can create or delete a SNMPv3 system level access rights...
Page 200: ...cription Deletes the row Group Name vacm AccessToGroup Status 1 32 Type a character string to specify the group name to which access is granted Security Model vacm AccessSecurityModel 1 SNMPv1 2 SN...
Page 201: ...his entry authorizes access to notifications Entry Storage vacm SecurityToGroup StorageType 1 Volatile 2 Non Volatile Choose your storage preference Selecting Volatile requests information to be dropp...
Page 202: ...agement Information View page End Configuring an SNMPv3 management information view You can view a table of existing SNMPv3 management information view configurations and you can create or delete SNMP...
Page 203: ...igure 71 Management Information View page The following table describes the fields on the Management Information View page Nortel Ethernet Routing Switch 2500 Series Security Configuration and Managem...
Page 204: ...sisting of 1s is recognized View Mask vacmViewTreeFamilyMask Octet String 0 16 Type the bit mask that in combination with the corresponding instance of vacmViewFamilySubtree defines a family of view...
Page 205: ...le click the Delete icon for the entry you want to delete A message appears prompting you to confirm your request 3 Do one of the following Click Yes to delete the management information view configur...
Page 206: ...he following table describes the items on the Notification page Table 96 Notification page items Item and MIB association Range Description Deletes the row Notify Name snmpNotify RowStatus 1 32 Type...
Page 207: ...Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Notification Creation section type the required information in the text boxes or select from a list 3 Click...
Page 208: ...anagement target address configurations that associate notifications with particular recipients and delete SNMPv3 target address configurations Creating an SNMPv3 target address configuration To creat...
Page 209: ...e is not received for a generated message An application can provide its own retry count in which case the value of this object is ignored Target Tag List snmpTarget AddrTagList 1 20 Type the space se...
Page 210: ...SNMPv3 target address configuration To delete an SNMPv3 target address configuration use the following procedure Step Action 1 From the main menu choose Configuration SNMPv3 Target Address The Target...
Page 211: ...t parameter configurations Creating an SNMPv3 target parameter configuration To create an SNMPv3 target parameter configuration use the following procedure Step Action 1 From the main menu choose Conf...
Page 212: ...sts information to be dropped lost when you turn off the power Selecting Non Volatile requests information to be saved in NVRAM when you turn off the power 2 In the Target Parameter Creation section t...
Page 213: ...r Table However only SNMPv1 traps are configurable using this table Creating an SNMP trap receiver configuration To create an SNMP trap receiver configuration use the following procedure Step Action 1...
Page 214: ...ect from a list 3 Click Submit The new entry is displayed in the Trap Receiver Table End Deleting an SNMP trap receiver configuration To delete SNMP trap receiver configurations use the following proc...
Page 217: ...attempt or changes in the operating status of a port Table 100 SNMP MIB support page 217 lists the supported SNMP MIBs Table 100 SNMP MIB support Application Standard MIBs Proprietary MIBs S5 Chassis...
Page 218: ...ion Modules that support MIB are Standard MIBs MIB II RFC 1213 Bridge MIB RFC 1493 and proposed VLAN extensions 802 1Q Bridge MIB 802 1p Ethernet MIB RFC 1643 RMON MIB RFC 1757 SMON MIB High Capacity...
Page 219: ...trUnitUp Always on A unit is added to an operational stack s5CtrUnitDown Always on A unit is removed from an operational stack s5CtrHotSwap Always on A unit is hot swapped in an operational stack s5Ct...
Page 220: ...munity String Setting field 189 community strings configuring 188 Community Table dialog box 159 ContextEngineID field 161 ContextName field 161 Index field 160 Name field 160 SecurityName field 160...
Page 221: ...olFramesRx field 137 EapolFramesTx Field 137 EapolLogoffFramesRx field 137 EapolReqFramesTx field 137 EapolReqIdFramesTx field 137 EapolRespFramesRx field 137 EapolRespIdFramesRx 137 EapolStartFramesR...
Page 222: ...ecurity list 179 security table 181 MAC Address Security field 177 MAC Address Security SNMP Locked field 177 MAC address based network security 21 21 MAC DA filtering 80 186 MAC security DA filtering...
Page 223: ...page 179 Primary RADIUS Server field 173 product support 14 R RADIUS access 36 RADIUS authentication 56 Radius page 172 RADIUS password fallback 20 RADIUS Shared Secret field 173 RADIUS Timeout Perio...
Page 224: ...ars field 145 InTotalSetVars field 145 OutBadValues field 146 OutGenErrs field 146 OutNoSuchNames field 146 Outpkts field 145 OutTooBigs field 146 OutTraps field 146 SNMP tab 141 141 LastUnauthenticat...
Page 225: ...11 system information viewing 190 system notification entries 205 user access 193 user group membership 196 trap mode settings 188 switches supported 11 System Information page 190 T Target Address pa...
Page 226: ...152 USM Insert USM Table dialog box Auth Protocol field 152 Clone From User field 152 V VACM dialog box 153 VACM tables 153 vacmGroupName field 155 View Mask field 204 View Name field 204 View Subtree...
Page 228: ...dia and the United States of America The information in this document is subject to change without notice Nortel Networks reserves the right to make changes in design or components as progress in engi...