NN47205 505 05.03 Configuration Security


Nortel Ethernet Routing Switch 4500 Series
Configuration — Security
Release: 5.3
Document Revision: 05.03

www.nortel.com

NN47205-505

Nortel Ethernet Routing Switch 4500 Series
Release: 5.3
Publication: NN47205-505
Document status: Standard
Document release date: 14 May 2009

Copyright © 2008-2009 Nortel Networks
All Rights Reserved.

LEGAL NOTICE

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

THE SOFTWARE DESCRIBED IN THIS DOCUMENT IS FURNISHED UNDER A LICENSE AGREEMENT AND MAY BE USED ONLY IN ACCORDANCE WITH THE TERMS OF THAT LICENSE.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.


Contents

Software license 13
  Nortel Networks Inc. software license agreement 13

New in this release 17
  Features 17
    802.1X or non-EAP and Guest VLAN on the same port 17
    802.1X or non-EAP with Fail Open VLAN 17
    802.1X or non-EAP with VLAN names 18
    802.1X authentication and Wake on LAN 18
    NNCLI audit log configuration 18
    RADIUS Request use Management IP 18
    RADIUS Management Accounting 19

Introduction 21
  NNCLI command modes 21

Security fundamentals 23
  Hardware-based security 23
    Serial console port and USB port control 23
  Software-based security 23
    MAC address-based security 24
    RADIUS-based network security 26
    Campus security example 29
    EAPOL-based security 31
    Advanced EAPOL features 35
    802.1X dynamic authorization extension (RFC 3576) 52
    TACACS+ 54
    IP Manager 59
    Password security 60
    NNCLI audit 62
    Simple Network Management Protocol 63
    Secure Socket Layer protocol 65
    Secure Shell protocol 66
    DHCP snooping 68
    Dynamic ARP inspection 70
    IP Source Guard 71
    Nortel Secure Network Access 72
  Summary of security features 91

Configuring and managing security using NNCLI 99
  Setting user access limitations 100
  USB port and serial console port control using NNCLI 100
    Disabling serial console ports using NNCLI 100
    Enabling serial console ports using NNCLI 101
    Viewing serial console port status using NNCLI 102
    Disabling USB ports using NNCLI 102
    Enabling USB ports using NNCLI 103
    Viewing USB port status using NNCLI 104
  Configuring MAC address-based security 105
    NNCLI commands for MAC address security 105
    NNCLI commands for MAC address autolearning 110
  Configuring RADIUS authentication 111
    Configuring RADIUS server settings 112
    Enabling RADIUS password fallback 112
    Viewing RADIUS information 113
  Configuring EAPOL security 113
    eapol command 114
    eapol command for modifying parameters 114
    show eapol command 116
    show eapol multihost status command 116
  Configuring features 117
    no eapol multihost use radius-assigned-vlan command 117
  802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI 119
    802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI navigation 119
    Enabling use-most-recent-RADIUS assigned VLAN 119
    Disabling use-most-recent-RADIUS assigned VLAN 119
    Restoring use-most-recent-RADIUS assigned VLAN 120
    Selecting the packet mode for EAP requests 121
  Configuring guest VLANs 122
    eapol guest-vlan command 123
    no eapol guest-vlan command 123
    default eapol guest-vlan command 123
  802.1X or non-EAP and Guest VLAN on the same port configuration using NNCLI 124
    Non-EAP and Guest VLAN on the same port configuration using NNCLI navigation 124
    Enabling EAPOL VoIP VLAN 124
    Disabling EAPOL VoIP VLAN 125
    Configuring EAPOL VoIP VLAN as the default VLAN 125
    Displaying EAPOL VoIP VLAN 126
  802.1X or non-EAP with Fail Open VLAN configuration using NNCLI 126
    802.1X non-EAP with Fail Open VLAN configuration using NNCLI navigation 126
    Enabling EAPOL Fail Open VLAN 127
    Disabling EAPOL Fail Open VLAN 127
    Setting EAPOL Fail Open VLAN as the default 128
    Displaying EAPOL Fail Open VLAN 129
  Configuring multihost support 129
    eapol multihost command 129
    no eapol multihost command 130
    default eapol multihost command 131
    eapol multihost enable command 132
    no eapol multihost enable command 132
    eapol multihost eap-mac-max command 133
    eapol multihost use radius-assigned-vlan command 134
  Configuring support for non-EAPOL hosts on EAPOL-enabled ports 134
    Enabling local authentication of non EAPOL hosts on EAPOL-enabled ports 135
    Enabling RADIUS authentication of non EAPOL hosts on EAPOL-enabled ports 136
    Configuring the format of the RADIUS password attribute when authenticating non-EAP MAC addresses using RADIUS 137
    Enabling RADIUS-assigned VLAN for non-EAP MACs 137
    Disabling RADIUS-assigned VLAN for non-EAP MACs 138
    Specifying the maximum number of non EAPOL hosts allowed 139
    Creating the allowed non EAPOL MAC address list 140
    Viewing non EAPOL host settings and activity 140
  802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI 142
    Configuring 802.1X dynamic authorization extension (RFC 3576) using NNCLI 143
    Disabling 802.1X dynamic authorization extension (RFC 3576) using NNCLI 144
    Viewing 802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI 145
    Viewing 802.1X dynamic authorization extension (RFC 3576) statistics using NNCLI 145
    Enabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI 146
    Disabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI 147
    Enabling 802.1X dynamic authorization extension (RFC 3576) default on EAP ports using NNCLI 148
  Configuring Wake on LAN with simultaneous 802.1X Authentication using NNCLI 148
  Enabling Nortel IP Phone clients on an EAP-enabled port 150
    Globally enabling Nortel IP Phone clients as a non-EAP type 150
    Enabling Nortel IP Phone clients in the interface mode 151
  Configuring MHSA 152
    Globally enabling support for MHSA 153
    Configuring interface and port settings for MHSA 153
    Viewing MHSA settings and activity 154
  Setting SNMP v1, v2c, v3 Parameters 154
    SNMPv3 table entries stored in NVRAM 155
  Configuring SNMP using NNCLI 155
    show snmp-server command 156
    snmp-server authentication-trap command 157
    no snmp-server authentication-trap command 157
    default snmp-server authentication-trap command 158
    snmp-server community for read or write command 158
    snmp-server community command 159
    no snmp-server community command 160
    default snmp-server community command 161
    snmp-server contact command 162
    no snmp-server contact command 162
    default snmp-server contact command 162
    snmp-server command 162
    no snmp-server command 163
    snmp-server host command 163
    no snmp-server host command 165
    default snmp-server host command 166
    default snmp-server port 166
    snmp-server location command 167
    no snmp-server location command 167
    default snmp-server location command 167
    snmp-server name command 168
    no snmp-server name command 168
    default snmp-server name command 168
    Enabling SNMP server notification control 168
    Disabling snmp-server notification control 169
    Setting SNMP server control to default 169
    Viewing SNMP server notification 170
    snmp-server user command 170
    no snmp-server user command 172
    snmp-server view command 173
    no snmp-server view command 174
    snmp-server host for old-style table command 175
    snmp-server host for new-style table command 175
    snmp-server bootstrap command 176
  RADIUS accounting configuration using NNCLI 177
    RADIUS accounting configuration using NNCLI navigation 178
    Enabling RADIUS accounting 178
    Disabling RADIUS accounting 178
  TACACS+ configuration using NNCLI 178
    Configuring switch TACACS+ server settings using NNCLI 179
    Disabling switch TACACS+ server settings using NNCLI 180
    Enabling remote TACACS+ services using NNCLI 181
    Enabling or disabling TACACS+ authorization using NNCLI 181
    Configuring TACACS+ authorization privilege levels using NNCLI 182
    Enabling or disabling TACACS+ accounting using NNCLI 183
    Configuring the switch TACACS+ level using NNCLI 183
    Viewing TACACS+ information using NNCLI 184
  Configuring IP Manager 184
    Enabling IP Manager 185
    Configuring the IP Manager list 185
    Removing IP Manager list entries 185
    Viewing IP Manager settings 186
  Setting the user name and password 186
    username command 186
  Setting NNCLI password 187
    cli password command 187
  Configuring password security 188
    password security command 188
    no password security command 188
    Configuring the number of retries 189
  Password history configuration using NNCLI 189
    Configuring password history using NNCLI 189
    Configuring password history to default using NNCLI 190
    Viewing password history using NNCLI 190
  NNCLI Audit log configuration 191
    Displaying NNCLI Audit log 191
    Enabling and disabling NNCLI Audit log 191
    Configuring NNCLI Audit log to default 192
  Secure Socket Layer services 192
  Secure Shell protocol 194
    show ssh command 194
    ssh dsa-host-key command 194
    no ssh dsa-host-key command 195
    ssh download-auth-key command 195
    no ssh dsa-auth-key command 195
    ssh command 196
    no ssh command 196
    ssh secure command 196
    ssh dsa-auth command 197
    no ssh dsa-auth 197
    default ssh dsa-auth command 197
    ssh pass-auth command 197
    no ssh pass-auth command 198
    default ssh pass-auth command 198
    ssh port command 198
    default ssh port command 198
    ssh timeout command 198
    default ssh timeout command 199
  Configuring DHCP snooping using NNCLI 199
    Enabling DHCP snooping globally 199
    Enabling DHCP snooping on the VLANs 200
    Configuring trusted and untrusted ports 200
    Viewing DHCP snooping settings 201
    Viewing the DHCP binding table 202
    DHCP Snooping layer 2 configuration example 202
  Configuring dynamic ARP inspection 206
    Enabling dynamic ARP inspection on the VLANs 206
    Configuring trusted and untrusted ports 207
    Viewing dynamic ARP inspection settings 208
    Dynamic ARP inspection layer 2 configuration example 208
  IP Source Guard configuration using NNCLI 210
    Enabling IP Source Guard using NNCLI 211
    Viewing IP Source Guard port configuration information using NNCLI 212
    Viewing IP Source Guard-allowed addresses using NNCLI 213
    Disabling IP Source Guard using NNCLI 214
  RADIUS Request use Management IP configuration using NNCLI 215
    Enabling the RADIUS Request use Management IP 215
    Disabling the RADIUS Request use Management IP 215
    Setting the RADIUS Request use Management IP to default mode 216

Configuring and managing security using the Web-based management interface 217
  Setting user access limitations 217
  Configuring EAPOL-based security 217
  Configuring MAC address-based security 219
    Security Configuration 219
    Enabling Port Security 222
    Port Lists 222
    Adding MAC Addresses 223
    DA MAC Filtering 224
    Deleting MAC DAs 224
  Configuring RADIUS security 224
  Configuring IP Manager 227
  Configuring SNMP using the Web-based management interface 228
    Configuring SNMPv1 229
    Configuring SNMPv3 230
    Viewing SNMPv3 system information 230
    Configuring user access to SNMPv3 232
    Configuring an SNMPv3 system user group membership 235
    Configuring SNMPv3 group access rights 236
    Configuring an SNMPv3 management information view 238
    Configuring an SNMPv3 system notification entry 240
    Configuring an SNMPv3 management target address 242
    Configuring an SNMPv3 management target parameter 244
    Configuring SNMP traps 245
  IP Source Guard configuration using the Web-based management interface 247
    Enabling or disabling IP Source Guard using the Web-based management interface 248
    Viewing IP Source Guard Binding information using the Web-based management interface 249
    Viewing IP Source Guard port statistics using the Web-based management interface 249
  Configuring TACACS+ using the Web-based management interface 250
  Configuring Wake on LAN with simultaneous 802.1X Authentication using Web-based management 251
  RADIUS Request use Management IP configuration using Web-based Management 253
    Enabling the RADIUS Request use Management IP 253
    Disabling the RADIUS Request use Management IP 254

Configuring and managing security using Device Manager 255
  EAPOL configuration using Device Manager 256
    Configuring EAPOL globally using Device Manager 256
    Configuring port-based EAPOL using Device Manager 257
    Configuring advanced port-based EAPOL using Device Manager 259
    Viewing Multihost status information using Device Manager 260
    Viewing Multihost session information using Device Manager 261
    Allowed non-EAP MAC address list configuration using Device Manager 262
    Viewing port non-EAP host support status using Device Manager 264
    Graphing EAPOL statistics using Device Manager 265
  802.1X or non-EAP and Guest VLAN on the same port configuration using Device Manager 265
    802.1X or non-EAP and Guest VLAN on the same port configuration using Device Manager navigation 265
    Enabling VoIP VLAN 265
  802.1X or non-EAP with Fail Open VLAN configuration using Device Manager 266
    802.1X or non-EAP with Fail Open VLAN configuration using Device Manager navigation 266
    Enabling EAPOL multihost Fail Open VLAN 266
  802.1X or non-EAP Last Assigned RADIUS VLAN configuration using Device Manager 267
    802.1X non-EAP Last Assigned RADIUS VLAN configuration using Device Manager navigation 267
    Configuring Last Assigned VLAN on a port 268
  Configuring Wake on LAN with simultaneous 802.1X Authentication using Device Manager 268
  Configuring general switch security using Device Manager 270
  Security list configuration using Device Manager 272
    Adding ports to a security list using Device Manager 273
    Deleting specific ports from a security list using Device Manager 273
    Deleting all ports from a security list using Device Manager 274
  AuthConfig list configuration using Device Manager 275
    Adding entries to the AuthConfig list using Device Manager 275
    Deleting entries from the AuthConfig list using Device Manager 276
  Configuring MAC Address AutoLearn using Device Manager 277
  Viewing AuthStatus information using Device Manager 277
  Viewing AuthViolation information using Device Manager 279
  Viewing MacViolation information using Device Manager 280
  Configuring the Secure Shell protocol using Device Manager 280
  Viewing SSH Sessions information using Device Manager 282
  Configuring SSL using Device Manager 283
  RADIUS Server security configuration using Device Manager 284
    Configuring the RADIUS server using Device Manager 284
    Viewing RADIUS Dynamic Authorization server information using Device Manager 286
    802.1X dynamic authorization extension (RFC 3576) configuration using Device Manager 287
    Viewing RADIUS Dynamic Server statistics using Device Manager 290
    Graphing RADIUS Dynamic Server statistics using Device Manager 290
  DHCP snooping configuration using Device Manager 291
    Configuring DHCP snooping globally using Device Manager 291
    Configuring DHCP snooping on a VLAN using Device Manager 292
    Configuring DHCP snooping port trust using Device Manager 292
    Viewing the DHCP binding information using Device Manager 293
  Dynamic ARP inspection configuration using Device Manager 294
    Configuring dynamic ARP inspection on VLANs using Device Manager 294
    Configuring dynamic ARP inspection on ports using Device Manager 295
  IP Source Guard configuration using Device Manager 295
    Configuring IP Source Guard on a port using Device Manager 296
    Filtering IP Source Guard addresses using Device Manager 297
    Viewing IP Source Guard port statistics using Device Manager 298
  SNMP configuration using Device Manager 299
    Configuring the switch to use SNMP using Device Manager 299
    Using SNMPv3 in Device Manager 301
  RADIUS Request use Management IP configuration using Device Manager 316
    Enabling the RADIUS Request use Management IP 317
    Disabling the RADIUS Request use Management IP 317

Configuring Nortel Secure Network Access using NNCLI 319
  Configuring the Nortel SNAS 4050 subnet 319
    Viewing Nortel SNAS 4050 subnet information 320
    Removing the Nortel SNAS 4050 subnet 320
  Configuring QoS for the Nortel SNA solution 321
  Configuring Nortel SNA per VLAN 321
    Viewing Nortel SNA VLAN information 322
    Removing a Nortel SNA VLAN 322
    Configuration example: Configuring the Nortel SNA per VLANs 322
  Enabling Nortel SNA on ports using NNCLI 324
    Viewing Nortel SNA port information 325
    Removing a Nortel SNA port 325
    Configuration example: Adding the uplink port 325
    Configuration example: Adding client ports 326
  Viewing information about Nortel SNA clients 327
  Entering phone signatures for Nortel SNA 327
    Removing Nortel SNA phone signatures 327
    Viewing Nortel SNA phone signatures 327
  Configuring Nortel Secure Network Access Fail Open 328
    Configuration example 328
  Enabling Nortel SNA 328
    Disabling Nortel SNA 328
    Viewing the Nortel SNA state 329
  Configuration example 330
    Scenario 330
    Steps 331

Configuring Nortel Secure Network Access using Device Manager 335
  Configuring the Nortel SNAS 4050 subnet using Device Manager 336
    Removing the Nortel SNAS 4050 subnet 337
  Configuring QoS for the Nortel SNA solution using Device Manager 337
  Configuring Nortel SNA per VLAN using Device Manager 337
    Removing a Nortel SNA VLAN 339
  Enabling Nortel SNA on ports using Device Manager 340
  Viewing information about Nortel SNA clients using Device Manager 341
  Entering phone signatures for Nortel SNA using Device Manager 342
    Removing Nortel SNA phone signatures 342
  Configuring Fail Open using Device Manager 343
  Enabling Nortel SNA using Device Manager 344

TACACS+ server configuration examples and supported SNMP MIBs 345
  TACACS+ server configuration examples 345
    Configuration example: Cisco ACS (version 3.2) server 345
    Configuration example: ClearBox server 350
    Configuration example: Linux freeware server 357
  Supported SNMP MIBs and traps 359
    Supported MIBs 359
    Supported traps 361


Software license

This section contains the Nortel Networks software license.

Nortel Networks Inc. software license agreement

This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer's Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER'S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4. General

  1. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

  2. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.

  3. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer's use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

  4. Neither party may bring an action, regardless of form, more than two years after the cause of the action.

  5. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.

  6. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.


New in this release

The following section details what's new in Nortel Ethernet Routing Switch 4500 Security — Configuration (NN47205-505) for Release 5.3.

Features

See the following sections for information about feature changes:

802.1X or non-EAP and Guest VLAN on the same port

802.1X or non-EAP and Guest VLAN on the same port removes the previous restrictions on configuring the 802.1X and non-EAP functions on the same port simultaneously. In the 5.3 release, the 802.1X functionality supports multiple modes simultaneously on the port. See:

• "802.1X or non-EAP and Guest VLAN on the same port" (page 38)

• "802.1X or non-EAP and Guest VLAN on the same port configuration using NNCLI" (page 124)

• "802.1X or non-EAP and Guest VLAN on the same port configuration using Device Manager" (page 265)

802.1X or non-EAP with Fail Open VLAN

802.1X or non-EAP with Fail Open VLAN provides network connectivity for clients on a port when the switch cannot connect to the RADIUS server. When connectivity to the RADIUS servers is lost, all authenticated devices move into the configured Fail Open VLAN. See:

• "802.1X or non-EAP with Fail Open VLAN" (page 38)

• "802.1X or non-EAP with Fail Open VLAN configuration using NNCLI" (page 126)

• "802.1X or non-EAP with Fail Open VLAN configuration using Device Manager" (page 266)


802.1X or non-EAP Last Assigned RADIUS VLAN

802.1X or non-EAP Last Assigned RADIUS VLAN functionality lets you configure the switch so that the last received RADIUS VLAN assignment is always honoured on a port. See:

• "802.1X or non-EAP Last Assigned RADIUS VLAN" (page 44)

• "802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI" (page 119)

• "802.1X or non-EAP Last Assigned RADIUS VLAN configuration using Device Manager" (page 267)

802.1X or non-EAP with VLAN names

802.1X or non-EAP with VLAN names functionality enhances the Ethernet Routing Switch 4500 to match RADIUS-assigned VLANs by either VLAN number or VLAN name. In the previous release, a match was based only on the VLAN number carried in the Tunnel-Private-Group-Id attribute returned by the RADIUS server. See:

• "802.1X or non-EAP with VLAN names" (page 45)
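The three VLAN-assignment behaviours summarised above (Fail Open VLAN, Last Assigned RADIUS VLAN, and matching the Tunnel-Private-Group-Id by name as well as number) interact on a single port, and it helps to see them as one decision. The following is an added illustration, not Nortel code and not a description of the switch's internal implementation: a small Python model of how a port's VLAN is chosen from RADIUS Access-Accept attributes under those three rules. The VLAN table, the attribute values and the rule that the first assignment sticks when "use most recent" is disabled are all assumptions made for the example.

```python
"""Model of the 802.1X VLAN-assignment behaviours described above.

Added illustration only, not Nortel code. It models how a port's VLAN is
chosen from RADIUS Tunnel-Private-Group-Id values under the Release 5.3
behaviours from this section: match by VLAN name as well as number, honour
the most recently received assignment, and fall back to a Fail Open VLAN
while no RADIUS server is reachable. VLAN ids, names and attribute values
are constructed sample data; the switch's real internal logic is not
documented here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed VLAN table (id -> name); on the switch this comes from the
# VLAN configuration.
VLAN_TABLE: Dict[int, str] = {1: "default", 10: "staff", 20: "guests", 99: "failopen"}


def resolve_tunnel_private_group_id(value: str,
                                    vlan_table: Dict[int, str] = VLAN_TABLE,
                                    match_names: bool = True) -> Optional[int]:
    """Return the VLAN id a Tunnel-Private-Group-Id value refers to, or None.

    RFC 2868 lets the attribute carry a leading tag byte (0x00-0x1F); it is
    stripped before matching. A numeric value matches by VLAN number; with
    match_names=True (the Release 5.3 behaviour) a non-numeric value is
    matched against VLAN names. match_names=False reproduces the earlier
    number-only behaviour. Unknown VLANs return None rather than a guess.
    """
    if value and ord(value[0]) <= 0x1F:
        value = value[1:]
    value = value.strip()
    if value.isdigit():
        vid = int(value)
        return vid if vid in vlan_table else None
    if match_names:
        for vid, name in vlan_table.items():
            if name == value:
                return vid
    return None


@dataclass
class PortState:
    """VLAN placement of one EAP-enabled port (assumed model, not switch code)."""
    static_vlan: int = 1                 # port's configured VLAN
    fail_open_vlan: Optional[int] = 99   # None if no Fail Open VLAN is configured
    use_most_recent: bool = True         # "Last Assigned RADIUS VLAN" enabled
    assigned: Optional[int] = None       # VLAN from RADIUS, None before any
    history: List[int] = field(default_factory=list)

    def radius_accept(self, tunnel_private_group_id: str) -> int:
        """Apply an Access-Accept's VLAN attribute and return the port VLAN."""
        vid = resolve_tunnel_private_group_id(tunnel_private_group_id)
        if vid is not None:
            self.history.append(vid)
            # Assumption: with use_most_recent off, the first assignment sticks.
            if self.use_most_recent or self.assigned is None:
                self.assigned = vid
        return self.current_vlan(radius_reachable=True)

    def current_vlan(self, radius_reachable: bool) -> int:
        """VLAN the port is in, given whether any RADIUS server is reachable."""
        if not radius_reachable and self.fail_open_vlan is not None:
            return self.fail_open_vlan
        return self.assigned if self.assigned is not None else self.static_vlan


if __name__ == "__main__":
    port = PortState()
    print(port.radius_accept("staff"))                # 10: matched by VLAN name
    print(port.radius_accept("20"))                   # 20: most recent assignment wins
    print(port.current_vlan(radius_reachable=False))  # 99: Fail Open VLAN
```

The point of the `None` return on an unknown VLAN is the defender's concern with both new features: a name that does not exist on the switch, or a tag byte left in front of the value, should leave the port where it is rather than silently landing it in the static VLAN, and the Fail Open VLAN should be a deliberately scoped VLAN, since every authenticated device on the port moves there while RADIUS is unreachable.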

802.1X authentication and Wake on LAN

The Wake on LAN (WoL) networking standard allows you to remotely turn on a computer from a sleeping state. Wake on LAN comprises components on the end device, network, and control system. You can use this tool while performing maintenance activities on systems during off hours. See:

• "802.1X authentication and Wake on LAN" (page 49)

• "Configuring Wake on LAN with simultaneous 802.1X Authentication using Device Manager" (page 268)

NNCLI audit log configuration

In previous releases the NNCLI audit log was permanently enabled; in this release the software is enhanced so that the audit log functionality can be disabled. See:

• “NNCLI audit” (page 62)

• “NNCLI Audit log configuration” (page 191)

RADIUS Request use Management IP

The RADIUS Request use Management IP feature allows you to configure the switch to use the specific Management IP address when routing is enabled. By default, the switch uses any of the configured IP addresses as the source IP address for RADIUS requests generated by the switch, but for some networks you must use the specific Management IP address of the switch or stack. Enabling the RADIUS Request use Management IP feature ensures that the switch uses the IP address of the management VLAN as the source IP address for RADIUS requests when routing is enabled. See:

• "RADIUS Request use Management IP" (page 27)

• "RADIUS Request use Management IP configuration using NNCLI" (page 215)

• "RADIUS Request use Management IP configuration using Web-based Management" (page 253)

• "RADIUS Request use Management IP configuration using Device Manager" (page 316)

RADIUS Management Accounting

The RADIUS Management Accounting feature enhances the Ethernet Routing Switch 4500 to record management logon activities to the switch. The authentication messages are returned to the RADIUS server. See:

• “RADIUS Management Accounting” (page 28)

• “RADIUS accounting configuration using NNCLI” (page 177)

• “Configuring RADIUS security” (page 224)


IntroductionThis guide describes security features and how to configure securityservices for the Ethernet Routing Switch 4500.

NNCLI command modes
NNCLI provides the following command modes:

• User EXEC

• Privileged EXEC

• Global Configuration

• Interface Configuration

Mode access is determined by access permission levels and password protection.

If no password is set, you can enter NNCLI in User EXEC mode and use the enable command to move to the next level (Privileged EXEC mode). However, if you have read-only access, you cannot progress beyond User EXEC mode, the default mode. If you have read-write access, you can progress from the default mode through all of the available modes.

With sufficient permission, you can use the rules in the following table to move between the command modes.

Table 1: NNCLI command modes

User EXEC (sample prompt: 4526>)
Entrance commands: no entrance command; this is the default mode
Exit commands: exit or logout

Privileged EXEC (sample prompt: 4526#)
Entrance commands: enable
Exit commands: exit or logout

Global Configuration (sample prompt: 4526(config)#)
Entrance commands: from Privileged EXEC mode, type: configure terminal
Exit commands: to return to Privileged EXEC mode, type: end or exit; to exit NNCLI completely, type: logout

Interface Configuration (sample prompt: 4526(config-if)#)
Entrance commands: from Global Configuration mode, to configure a port, type: interface fastethernet <port number>; to configure a VLAN, type: interface fastethernet <vlan number>
Exit commands: to return to Global Configuration mode, enter: exit; to return to Privileged EXEC mode, type: end; to exit NNCLI completely, type: logout

For more information about NNCLI command modes, see Nortel Ethernet Routing Switch 4500 Series Fundamentals (NN47205-102).

Navigation

• “Security fundamentals” (page 23)

• “Configuring and managing security using NNCLI” (page 99)

• “Configuring and managing security using the Web-based management interface” (page 217)

• “Configuring and managing security using Device Manager” (page 255)

• “Configuring Nortel Secure Network Access using NNCLI” (page 319)

• “Configuring Nortel Secure Network Access using Device Manager” (page 335)

• “TACACS+ server configuration examples and supported SNMP MIBs” (page 345)


Security fundamentals
This chapter describes the hardware-based and software-based security features supported by the Ethernet Routing Switch 4500.

Navigation

• “Hardware-based security” (page 23)

• “Software-based security” (page 23)

Hardware-based security
This section describes hardware-based methods supported by the Ethernet Routing Switch 4500. Network administrators apply these methods to provide security to your network.

Serial console port and USB port control
Network administrators enable or disable the USB or serial console ports on the Ethernet Routing Switch 4500 to control access to an operational switch. To prevent unauthorized access and configuration, the network administrators disable the USB or serial console ports.

Software-based security
This section describes software-based methods, supported by the Ethernet Routing Switch 4500, that network administrators apply to provide security to your network.

Software-based security navigation

• “MAC address-based security” (page 24)

• “RADIUS-based network security” (page 26)

• “Campus security example” (page 29)

• “EAPOL-based security” (page 31)

• “Advanced EAPOL features” (page 35)

• “802.1X dynamic authorization extension (RFC 3576)” (page 52)


• “TACACS+” (page 54)

• “IP Manager” (page 59)

• “Password security” (page 60)

• “NNCLI audit” (page 62)

• “Simple Network Management Protocol” (page 63)

• “Secure Socket Layer protocol” (page 65)

• “Secure Shell protocol” (page 66)

• “DHCP snooping” (page 68)

• “Dynamic ARP inspection” (page 70)

• “IP Source Guard” (page 71)

• “Nortel Secure Network Access” (page 72)

• “Summary of security features” (page 91)

MAC address-based security
The Media Access Control (MAC) address-based security feature is based on Nortel Networks BaySecure local area network (LAN) Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.

You can use the MAC-address-based security feature to set up network access control based on source MAC addresses of authorized stations.

You can use MAC-address-based security to perform the following activities:

• Create a list of up to 10 MAC addresses to filter

— as destination addresses (DA): all packets with one of the specified MAC addresses as the DA are dropped regardless of the ingress port, source address intrusion, or virtual local area network (VLAN) membership

— as source addresses (SA): all packets with one of the specified MAC addresses as the SA are dropped

ATTENTION
Ensure that you do not enter the MAC address of units in the stack using MAC security. This can impact operation of switch management or the stack.

• Create a list of up to 448 MAC SAs and specify SAs that are authorized to connect to the switch or stack configuration.


You can configure the 448 MAC SAs within a single stand-alone switch or distribute them in any order among the units in a single stack configuration.

When you configure MAC-based security, you must specify the following:

• Switch ports that can be controlled for each MAC address security association. The options for allowed port access include NONE, ALL, and single or multiple ports that are specified in a list (for example, 1/1-4, 1/6, 2/9).

• Optional actions that the switch can perform if the software detects a source MAC address security violation. The options are to send an SNMP trap, turn on DA filtering for the specified source MAC address, disable the specific port, or a combination of these three options.

Use either the Nortel Networks Command Line Interface (NNCLI) or the Web-based management system to configure MAC-address-based security features.

MAC address-based security autolearning
The MAC address-based security autolearning feature provides the ability to add allowed MAC addresses to the MAC Security Address Table automatically, without user intervention.

MAC address-based security autolearning has the following features:

• You can specify the number of addresses that can be learned on the ports, to a maximum of 25 addresses for each port. The switch forwards traffic only for those MAC addresses statically associated with a port or learned with the autolearning process.

• You can configure an aging timer, in minutes, after which autolearned entries are refreshed in the MAC Security Address Table. If you set the aging time value to 0, the entries never age out. To force relearning of entries in the MAC Security Address Table you must reset learning for the port.

• If a port link goes down, the autolearned entries associated with that port in the MAC Security Address Table are removed.

• You cannot modify autolearned MAC addresses in the MAC Security Address Table.

• MAC Security port configuration, including the aging timer and static MAC address entries, is saved to the switch configuration file. MAC addresses learned with autolearning are not saved to the configuration file; they are dynamically learned by the switch.

• You can reset the MAC address table for a port by disabling the security on the port and then enabling it.

• If a MAC address is already learned on a port (port x) and the address migrates to another port (port y), the entry in the MAC Security Address Table changes to associate that MAC address with the new port (port y). The aging timer for the entry is reset.

• If you disable autolearning on a port, all autolearned MAC entries associated with that port in the MAC Security Address Table are removed.

• If a static MAC address is associated with a port (whether or not that port is configured with the autolearning feature) and the same MAC address is learned on a different port, an autolearn entry associating that MAC address with the second port is not created in the MAC Security Address Table. In other words, user settings have priority over autolearning.
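The following Python model is an added example and is not Nortel code. It reproduces the autolearning rules listed above (a maximum of 25 learned addresses for each port, static entries taking priority over autolearning, migration re-associating an entry and resetting its timer, link-down and disabling autolearning flushing a port's learned entries) so that a port policy can be checked before it is deployed. The aging timer is modelled as an expiry after which an entry must be relearned; that reading of "refreshed" is an assumption. Port names and MAC addresses are constructed.

```python
"""Model of the MAC address-based security autolearning rules (added example, not Nortel code)."""

MAX_LEARNED_PER_PORT = 25   # stated limit: up to 25 autolearned addresses for each port
MAX_STATIC_ENTRIES = 448    # stated limit: up to 448 authorized MAC SAs for a switch or stack


class MacSecurityTable:
    """MAC Security Address Table with static entries and autolearning."""

    def __init__(self, aging_minutes=0):
        self.aging_minutes = aging_minutes  # 0 means autolearned entries never age out (assumption: expiry)
        self.static = {}        # mac -> port; saved to the configuration file
        self.learned = {}       # mac -> (port, minute learned or last migrated); not saved
        self.autolearn_ports = set()
        self.violations = []    # (port, mac) pairs that would trigger the configured violation action

    def add_static(self, mac, port):
        if len(self.static) >= MAX_STATIC_ENTRIES:
            raise ValueError("MAC SA list is full (448 entries)")
        self.static[mac] = port

    def enable_autolearn(self, port):
        self.autolearn_ports.add(port)

    def disable_autolearn(self, port):
        """Disabling autolearning removes every autolearned entry on that port."""
        self.autolearn_ports.discard(port)
        self._flush_port(port)

    def link_down(self, port):
        """A link-down event removes the port's autolearned entries."""
        self._flush_port(port)

    def _flush_port(self, port):
        for mac in [m for m, (p, _) in self.learned.items() if p == port]:
            del self.learned[mac]

    def learned_on(self, port):
        return sorted(m for m, (p, _) in self.learned.items() if p == port)

    def expire(self, now):
        """Age out autolearned entries older than the aging timer (0 = never)."""
        if self.aging_minutes == 0:
            return
        for mac in [m for m, (_, t) in self.learned.items() if now - t >= self.aging_minutes]:
            del self.learned[mac]

    def observe(self, mac, port, now=0):
        """Decide whether a frame with source MAC `mac` arriving on `port` is forwarded.

        Returns True if forwarded, False if it is dropped as a security violation.
        """
        if mac in self.static:
            # User settings win: a static MAC seen on another port is never autolearned there.
            if self.static[mac] == port:
                return True
            self.violations.append((port, mac))
            return False
        if port not in self.autolearn_ports:
            self.violations.append((port, mac))
            return False
        if mac in self.learned:
            # Migration from port x to port y re-associates the entry and resets its timer.
            self.learned[mac] = (port, now)
            return True
        if len(self.learned_on(port)) >= MAX_LEARNED_PER_PORT:
            self.violations.append((port, mac))
            return False
        self.learned[mac] = (port, now)
        return True
```

The `violations` list records what the switch would report through the configured action (SNMP trap, DA filtering, or port disable); comparing it against the expected station list is a quick way to find stations that were plugged into the wrong jack.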

RADIUS-based network security
Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that helps secure networks against unauthorized access, allowing a number of communication servers and clients to authenticate user identities through a central database. The database within the RADIUS server stores information about clients, users, passwords, and access privileges; these are protected with a shared secret.

RADIUS authentication is a fully open and standard protocol defined by RFC 2865.

How RADIUS works
A RADIUS application has two components:

• RADIUS server: a computer equipped with RADIUS server software (for example, a UNIX workstation). The RADIUS server stores client or user credentials, passwords, and access privileges, protected with a shared secret.

• RADIUS client: a router, PC, or a remote access server equipped with the appropriate client software.

A switch can be configured to use RADIUS authentication to authenticate users attempting to log on to the switch using Telnet, SSH, the Web-based management interface, or the console port.

Nortel recommends that you configure two RADIUS servers so that if one server is unreachable, the switch will attempt authentication using the secondary server. If the primary server is unavailable, the switch retries three times before moving to the secondary server. The retry interval can be configured according to network requirements so that false retries do not occur.

RADIUS server configuration
You must set up specific user accounts on the RADIUS server before you can use RADIUS authentication in the Ethernet Routing Switch 4500 Series network. User account information on the RADIUS server contains user names, passwords, and service-type attributes.

Provide each user with the appropriate level of access.

• for read-write access, set the Service-Type field value to Administrative

• for read-only access, set the Service-Type field value to NAS-Prompt

For more information about configuring the RADIUS server, see the documentation that came with the server software.

RADIUS password fallback
With the RADIUS password fallback feature, the user can log on to the switch or stack by using the local password if the RADIUS server is unavailable or unreachable for authentication.

RADIUS password fallback is disabled by default.

Configuring RADIUS authentication
Configure and manage RADIUS authentication using NNCLI, Device Manager (DM), or the Web-based Management interface.

RADIUS Request use Management IP
When the switch is operating in Layer 2 mode, by default, all RADIUS requests generated by the switch use the stack or switch management IP address as the source address in RADIUS requests or status reports. The RADIUS Request use Management IP configuration has no impact when the switch operates in Layer 2 mode.

When the switch is operating in Layer 3 mode, by default, a RADIUS request uses one of the routing IP addresses on the switch. When the switch is operating in Layer 3 mode, the RADIUS Request use Management IP configuration ensures that the switch or stack generates RADIUS requests using the source IP address of the management VLAN. In some customer networks, the source IP in the RADIUS request is used to track management access to the switch, or it may be used when non-EAP is enabled. Because non-EAP can use an IP in the password mask, it is important to have a consistent IP address.

Note: If the management VLAN is not operational, then the switch cannot send any RADIUS requests when

• the switch is operating in Layer 2 mode

• the switch is operating in Layer 3 (routing) and RADIUS Request Use Management IP is enabled

This is normal behavior in Layer 2 mode; if the Management VLAN is unavailable, then there is no active Management IP instance. In Layer 3 mode, if RADIUS Request Use Management IP is enabled, then the switch does not use any of the other routing instances to send RADIUS requests when the Management VLAN is inactive or disabled.

RADIUS Management Accounting
You can use the RADIUS Management Accounting feature to send RADIUS accounting packets when management events such as user logon or logoff, or session timeout for a logged on user, occur. The feature can record management logon activity to the switch. The switch generates an authentication message, to the RADIUS server, which includes basic information such as: NAS-IP-Address, Service-Type, User-Name, Client-IP-Address, and Timestamp.

The RADIUS Management accounting records are generated when the switch is accessed using the console, Telnet, or SSH, or when a session is disconnected either by logging out or through time-out.

The following table describes the additional information fields in the RADIUS accounting message. This information enhances the interoperability of the switch in environments where other vendors use their switches.

Table 2: RADIUS Management Accounting Records

NAS-IP-Address: The IP address of the device generating the RADIUS accounting message (the switch or stack IP address).

NAS-IPv6-Address: The IPv6 address of the device generating the RADIUS Accounting message (the switch or stack address).

NAS-Port-Type: The type of port through which the connection is made to the switch, as defined in RFC 2865. In case of logon through the console port, the port takes a value of 1, which corresponds to Async, or 5, representing Virtual, for the network connections.

NAS-Port: This is equal to the unit number in a stack if the customer uses the console port. If the connection is virtual, Nortel recommends that this value be set to the protocol used to access the switch, for example, IPv4.

Service-Type: Set to Administrative-User for access to the switch through management.

User-Name: The user name used to connect the current administrative session to the switch.

Acct-Status-Type: Indicates if this is an accounting Start or Stop record, used respectively to identify connection to or disconnection from the switch.

Acct-Terminate-Cause: This is used in the accounting stop records that the switch generates after a session is disconnected from the switch. Possible values include the following options.
• User-Request: used when the user signs off
• Idle-Timeout: used when a timeout occurs
• Lost-Carrier: used when a serial login was performed and the serial cable is unplugged (works with serial security enabled)

Client-IP-Address: Indicates the end client IP address, if the customer connects through IP. If the customer connects through the console, this is the same as the switch or stack address.

Timestamp: The timestamp of the RADIUS accounting record.

RADIUS Management accounting mode can be configured using the CLI and the Web interface.
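The following Python code is an added example, not Nortel code, showing what a management accounting record from Table 2 looks like on the wire and how the receiving server checks it. It packs the NAS-IP-Address, NAS-Port-Type, NAS-Port, Service-Type, User-Name, Acct-Status-Type and Acct-Terminate-Cause attributes into RFC 2866 format and computes the Request Authenticator (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), which the RADIUS server recomputes before it accepts the record. The attribute type numbers and the Service-Type, Acct-Status-Type and Acct-Terminate-Cause values are the standard RFC 2865/2866 values; the NAS-Port-Type values 1 (console) and 5 (virtual) are the ones Table 2 lists. Client-IP-Address and Timestamp are left out because the table does not state which attribute numbers carry them. The shared secret, addresses and user name are constructed.

```python
"""RADIUS Accounting-Request for a management logon (added example, not Nortel code)."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
# Standard attribute types (RFC 2865 / RFC 2866)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
ACCT_STATUS_TYPE, ACCT_TERMINATE_CAUSE, NAS_PORT_TYPE = 40, 49, 61
ADMINISTRATIVE_USER = 6                      # Service-Type for management access
ACCT_START, ACCT_STOP = 1, 2
TERMINATE_CAUSE = {"User-Request": 1, "Lost-Carrier": 2, "Idle-Timeout": 4}
PORT_TYPE = {"console": 1, "virtual": 5}     # NAS-Port-Type values as listed in Table 2


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier, secret, nas_ip, user, port_type, nas_port,
                             stop=False, cause=None):
    """Return a complete Accounting-Request datagram (Start, or Stop with a terminate cause)."""
    attrs = (attr(NAS_IP_ADDRESS, int(ipaddress.IPv4Address(nas_ip)))
             + attr(NAS_PORT_TYPE, PORT_TYPE[port_type])
             + attr(NAS_PORT, nas_port)
             + attr(SERVICE_TYPE, ADMINISTRATIVE_USER)
             + attr(USER_NAME, user)
             + attr(ACCT_STATUS_TYPE, ACCT_STOP if stop else ACCT_START))
    if stop:
        attrs += attr(ACCT_TERMINATE_CAUSE, TERMINATE_CAUSE[cause])
    length = 20 + len(attrs)                 # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def authenticator_valid(packet, secret):
    """Recompute the Request Authenticator; a server discards the record if it differs."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == received
```

A record whose authenticator does not verify is silently dropped by a conforming server, so a mismatched shared secret shows up as missing logon records rather than as an error on the switch; checking the secret on both sides is the first step when management accounting appears to produce nothing.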

Campus security example
The following figure shows a typical campus configuration using the RADIUS-based and MAC-address-based security features for the Nortel Ethernet Routing Switch 4500.


Figure 1: Ethernet Routing Switch 4500 Series security features

This example is based on the assumption that the teachers’ offices, classrooms, and the library are physically secure. The student dormitory can also be physically secure.

In the configuration example, the security measures are implemented in the following locations:

• The switch
RADIUS-based security limits administrative access to the switch through user authentication. For more information, see “RADIUS-based network security” (page 26).
MAC address-based security permits up to 448 authorized stations access to one or more switch ports. For more information, see “MAC address-based security” (page 24).
The switch is in a locked closet, accessible only by authorized Technical Services personnel.

• Student dormitory
Dormitory rooms are typically occupied by two students and are prewired with two RJ-45 jacks.
As specified by the MAC address-based security feature, only authorized students can access the switch on the secured ports.

• Teachers’ offices and classrooms
The PCs that are in the teachers’ offices and in the classrooms are assigned MAC address-based security, which is specific for each classroom and office location.
The security feature logically locks each wall jack to the specified station, thereby preventing unauthorized access to the switch.
The printer is assigned to a single station and has full bandwidth on that switch port.
This scenario is based on the assumption that all PCs are password protected and that the classrooms and offices are physically secured.

• Library
The PCs can connect to any wall jack in the room. However, the printer is assigned to a single station with full bandwidth to that port.
This scenario is based on the assumption that all PCs are password protected and that access to the library is physically secured.

EAPOL-based security
The switch uses an encapsulation mechanism, Extensible Authentication Protocol over LAN (EAPOL), to provide security. This concept uses the Extensible Authentication Protocol (EAP) as described in IEEE 802.1X so you can set up network access control on internal LANs. EAPOL filters traffic based on source MAC address. An unauthorized client, whether EAPOL or non-EAPOL, can receive traffic from authorized clients.

With EAP, the exchange of authentication information can occur between end stations or servers connected to the switch and an authentication server, such as a RADIUS server. The EAPOL-based security feature operates in conjunction with a RADIUS-based server to extend the benefits of remote authentication to internal LAN clients.

The following example illustrates how the Ethernet Routing Switch 4500 Series, configured with the EAPOL-based security feature, reacts to a new network connection:

• The switch detects a new connection on a port.

— The switch requests a user ID from the new client.

— EAPOL encapsulates the user ID and forwards it to the RADIUS server.

— The RADIUS server responds with a request for the user’s password.

• The new client forwards a password to the switch within the EAPOL packet.

— The switch relays the EAPOL packet to the RADIUS server.

— If the RADIUS server validates the password, the new client can access the switch and the network.

Some components and terms used with EAPOL-based security include the following:

• Supplicant: The device that applies for access to the network.

• Authenticator: The software that authorizes a supplicant attached to the other end of a LAN segment. For SHSA mode, the authenticator sends the EAP Request Identity to the supplicant using the EAP MAC address (01:80:C2:00:00:03) as the MAC destination address. For MHMA mode, the authenticator sends the EAP Request Identity to the supplicant using the supplicant MAC address as the MAC destination address.

• Authentication Server: The RADIUS server that provides authorization services to the Authenticator.

• Port Access Entity (PAE): The software entity that is associated with each port that supports the Authenticator or Supplicant functionality.

• Controlled Port: A switch port with EAPOL-based security enabled.

The Authenticator communicates with the Supplicant using an encapsulation mechanism known as EAP over LANs (EAPOL).

The Authenticator PAE encapsulates the EAP message into a RADIUS packet before sending the packet to the Authentication Server. The Authenticator facilitates the authentication exchanges that occur between the Supplicant and the Authentication Server by encapsulating the EAP message to make it suitable for the packet destination.

The Authenticator PAE functionality is implemented for each controlled port on the switch. At system initialization, or when a supplicant is initially connected to the switch controlled port, the controlled port state is set to Unauthorized. During this time, the authenticator processes EAP packets.

When the Authentication server returns a success or failure message, the controlled port state changes accordingly. If the authorization succeeds, the controlled port operational state is Authorized. The blocked traffic direction on the controlled port depends on the Operational Traffic Control field value in the EAPOL Security Configuration screen.

The Operational Traffic Control field can have one of the following two values:

• Incoming and Outgoing: If the controlled port is unauthorized, frames are not transmitted through the port. All frames received on the controlled port are discarded.

• Incoming: If the controlled port is unauthorized, frames received on the port are discarded, but the transmit frames are forwarded through the port.

EAPOL dynamic VLAN assignment
If you allow EAPOL-based security on an authorized port, the EAPOL feature dynamically changes the port VLAN configuration and assigns a new VLAN. The new VLAN configuration values apply according to previously stored parameters in the Authentication server.

The following VLAN configuration values are affected:

• port membership

• PVID

• port priority

When you disable EAPOL-based security on a port that was previously authorized, the port VLAN configuration values are restored directly from the switch nonvolatile random access memory (NVRAM).

The following exceptions apply to dynamic VLAN assignments:

• The dynamic VLAN configuration values assigned by EAPOL are not stored in the switch NVRAM.

• If an EAPOL connection is active on a port, then changes to the port membership, PVID, or port priority are not saved to NVRAM.

• When you enable EAPOL on a port, and you configure values other than VLAN configuration values, these values are applied and stored in NVRAM.

You can set up your Authentication server (RADIUS server) for EAPOL dynamic VLAN assignments. With the Authentication server, you can configure user-specific settings for VLAN memberships and port priority.

When you log on to a system that is configured for EAPOL authentication, the Authentication server recognizes your user ID and notifies the switch to assign preconfigured (user-specific) VLAN membership and port priorities to the switch. The configuration settings are based on configuration parameters customized for your user ID and previously stored on the Authentication server.


To set up the Authentication server, set the following return list attributes for all user configurations. For more information, see your Authentication server documentation.

• VLAN membership attributes (automatically configures PVID)

— Tunnel-Type: value 13, Tunnel-Type-VLAN

— Tunnel-Medium-Type: value 6, Tunnel-Medium-Type-802

— Tunnel-Private-Group-ID: ASCII value 1 to 4094 or an ASCII string starting with a non-numeric character (this value identifies the specified VLAN)

• Port priority (vendor-specific) attributes

— Vendor Id: value 562, Nortel Networks vendor ID

— Attribute Number: value 1, Port Priority

— Attribute Value: value 0 (zero) to 7 (this value indicates the port priority value assigned to the specified user)
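The following Python code is an added example, not Nortel code, covering both the Service-Type values from the RADIUS server configuration section (Administrative for read-write, NAS-Prompt for read-only) and the return list attributes just listed. It builds the attribute list a RADIUS server would return for a user and decodes such a list into the access level, VLAN and port priority the switch would apply, including the Vendor-Specific attribute with vendor ID 562 and attribute number 1. The Service-Type values (Administrative 6, NAS-Prompt 7), the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attribute numbers (64, 65, 81) and the Vendor-Specific attribute type (26) are the standard RFC 2865/2868 values. Whether a server prefixes tunnel attributes with the optional RFC 2868 tag octet varies, so the decoder strips a leading octet in the range 0x00 to 0x1F; that handling is an assumption, as are the sample VLAN ids and names.

```python
"""RADIUS return-list attributes for access level, VLAN and port priority (added example, not Nortel code)."""
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ADMINISTRATIVE, NAS_PROMPT = 6, 7            # Service-Type: read-write / read-only management access
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6  # values named in the return-list description above
NORTEL_VENDOR_ID, NORTEL_PORT_PRIORITY = 562, 1


def tlv(atype, value):
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=0):
    """Tunnel integer attributes carry a one-octet tag followed by a 3-octet value (RFC 2868)."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def build_return_list(access, vlan, port_priority=None):
    """access: 'read-write' or 'read-only'; vlan: int 1-4094 or a VLAN name."""
    attrs = tlv(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE if access == "read-write" else NAS_PROMPT))
    attrs += tlv(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
    attrs += tlv(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
    attrs += tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan).encode())   # tag 0 then the VLAN string
    if port_priority is not None:
        if not 0 <= port_priority <= 7:
            raise ValueError("port priority must be 0-7")
        # Vendor-Specific: 4-byte vendor ID, then vendor TLV(s) in the same Type-Length-Value shape
        vsa = struct.pack("!I", NORTEL_VENDOR_ID) + tlv(NORTEL_PORT_PRIORITY, struct.pack("!I", port_priority))
        attrs += tlv(VENDOR_SPECIFIC, vsa)
    return attrs


def parse_attrs(data):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def strip_tag(value):
    # Assumption: a leading octet 0x00-0x1F is an RFC 2868 tag, not part of the value.
    return value[1:] if value and value[0] <= 0x1F else value


def apply_return_list(data):
    """Translate a return list into the access level, VLAN and priority the switch applies."""
    policy = {"access": None, "vlan": None, "port_priority": None}
    tunnel = {}
    for atype, value in parse_attrs(data):
        if atype == SERVICE_TYPE:
            st = struct.unpack("!I", value)[0]
            policy["access"] = {ADMINISTRATIVE: "read-write", NAS_PROMPT: "read-only"}.get(st)
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[atype] = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tunnel[atype] = strip_tag(value).decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == NORTEL_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == NORTEL_PORT_PRIORITY:
                    policy["port_priority"] = struct.unpack("!I", vvalue)[0]
    # The VLAN is applied only when all three tunnel attributes agree on a VLAN over 802 media.
    if (tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        group = tunnel[TUNNEL_PRIVATE_GROUP_ID]
        if group.isdigit() and 1 <= int(group) <= 4094:
            policy["vlan"] = int(group)          # numeric VLAN id
        elif group and not group[0].isdigit():
            policy["vlan"] = group               # VLAN name starting with a non-numeric character
    return policy
```

Because the VLAN is taken only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID are all present and consistent, a server that returns a group id without the other two attributes leaves the port in its configured VLAN rather than in an unexpected one; that is the failure mode to check first when a dynamic VLAN assignment is not applied.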

System requirements
The following are the minimum system requirements for the EAPOL-based security feature:

• at least one switch

• RADIUS server (Microsoft Windows 2003 Server or other RADIUS server with EAPOL support)

• client software that supports EAPOL (Microsoft Windows XP Client)

You must configure the Nortel devices with the RADIUS server IP address for the Primary RADIUS server.

EAPOL-based security configuration rules
The following configuration rules apply to the Ethernet Routing Switch 4500 Series when you use EAPOL-based security:

• Before you configure EAPOL-based security, you must configure the Primary RADIUS Server and Shared Secret fields.

• You cannot configure EAPOL-based security on ports that are currently configured for

— shared segments

— MultiLink Trunking

— MAC-address-based security

— IGMP (Static Router Ports)

— port mirroring

• With EAPOL SHSA (the simplest EAPOL port operating mode), you can connect only one client on each port that is configured for EAPOL-based security. If you attempt to add additional clients to a port, that port state changes to Unauthorized.

RADIUS-based security uses the RADIUS protocol to authenticate local console, Telnet, and EAPOL-authorized logons.

Advanced EAPOL features
EAPOL supports the following advanced features:

• Single Host with Single Authentication (SHSA) and Guest VLAN. For more information, see “Single Host with Single Authentication and Guest VLAN” (page 36).

• Multihost (MH) support:

— Multiple Host with Multiple Authentication (MHMA). For more information, see “Multiple Host with Multiple Authentication” (page 39).

— Non-EAP hosts on EAP-enabled ports. For more information, see “Non EAP hosts on EAP-enabled ports” (page 45).

— Multiple Host with Single Authentication (MHSA). For more information, see “Multiple Host with Single Authentication” (page 47).

• 802.1X or non-EAP and Guest VLAN on the same port. For more information, see “802.1X or non-EAP and Guest VLAN on the same port” (page 38).

• 802.1X or non-EAP with Fail Open VLAN. For more information, see “802.1X or non-EAP with Fail Open VLAN” (page 38).

• 802.1X or non-EAP Last Assigned RADIUS VLAN. For more information, see “802.1X or non-EAP Last Assigned RADIUS VLAN” (page 44).

• 802.1X or non-EAP with VLAN names. For more information, see “802.1X or non-EAP with VLAN names” (page 45).

ATTENTION
Support exists only for untagged traffic when you use the multihost features.

Client reauthentication
If your system is configured for SHSA and MHSA, when clients are reauthenticated the system moves them into the new RADIUS-assigned VLAN, if the new RADIUS-assigned VLAN differs from the current VLAN.


If you use RADIUS-assigned VLAN in multi-host mode and the RADIUS-assigned VLAN of the first authenticated clients is invalid, the switch ignores those RADIUS VLAN assignments and assigns the port to the first valid RADIUS VLAN assignment if Last RADIUS Assigned VLAN is disabled. If Last RADIUS Assigned VLAN is enabled, the port remains assigned to the last valid RADIUS Assigned VLAN.

If your system is configured for MHMA, when clients are reauthenticated the system does not move them into the new RADIUS-assigned VLAN.

Single Host with Single Authentication and Guest VLAN
Single Host with Single Authentication (SHSA) support is the default configuration for an EAP-enabled port. At any time, only one MAC user can be authenticated on a port, and the port is assigned to only one port-based VLAN.

If you configure no guest VLAN, only the particular device or user that completes EAP negotiations on the port can access that port for traffic. Tagged ingress packets are sent to the PVID of that port. The only exceptions are reserved addresses.

You can configure a guest VLAN for non-authenticated users to access the port. Any active VLAN can be a guest VLAN.

The following rules apply for SHSA:

• When the port is EAP enabled

— If Guest VLAN is enabled, the port is placed on a Guest VLAN. PVID of the port = Guest VLAN ID

— If Guest VLAN is not enabled, the port handles EAPOL packets only until successful authentication.

• During EAP authentication

— If Guest VLAN is enabled, the port is placed on a Guest VLAN.

— If Guest VLAN is not enabled, the port handles EAPOL packets only.

• If authentication succeeds

— The port is placed on a preconfigured VLAN or a RADIUS-assigned VLAN. Only packets with the authenticated MAC (authMAC) can be on that port. Other packets are dropped.

• If authentication fails

— If Guest VLAN is enabled, the port is placed on a Guest VLAN.

— If Guest VLAN is not enabled, the port handles EAPOL packets only.

• Reauthentication can be enabled for the authenticated MAC address. If reauthentication fails, the port is placed back in the Guest VLAN.

The EAP-enabled port belongs to the Guest VLAN, RADIUS-assigned VLAN, or configured VLANs.
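The following Python state machine is an added example, not Nortel code. It covers the SHSA rules just listed together with the two Operational Traffic Control values described earlier in this chapter (Incoming and Outgoing versus Incoming): which VLAN an EAP-enabled port sits in before, during and after authentication, which frames pass the controlled port in each state, what happens when reauthentication fails, and the configuration rule that a second client on an SHSA port sets the port to Unauthorized. VLAN ids, MAC addresses and the method names are constructed for the example.

```python
"""SHSA controlled-port model with optional Guest VLAN (added example, not Nortel code)."""

EAP_MAC_ADDRESS = "01:80:c2:00:00:03"   # destination the authenticator uses for EAP Request Identity in SHSA


class ShsaPort:
    def __init__(self, configured_vlan, guest_vlan=None, traffic_control="both"):
        self.configured_vlan = configured_vlan      # VLAN stored in NVRAM
        self.guest_vlan = guest_vlan                # None means Guest VLAN is not enabled
        self.traffic_control = traffic_control      # "both" = Incoming and Outgoing; "in" = Incoming
        self.state = "Unauthorized"                 # initial controlled-port state
        self.auth_mac = None
        self.radius_vlan = None

    def current_vlan(self):
        """VLAN (PVID) the port is placed in under the SHSA rules; None = EAPOL packets only."""
        if self.state == "Authorized":
            return self.radius_vlan if self.radius_vlan is not None else self.configured_vlan
        return self.guest_vlan

    def auth_result(self, mac, success, radius_vlan=None):
        """Apply the outcome of an EAP exchange (initial or re-authentication) for supplicant `mac`."""
        if self.state == "Authorized" and mac != self.auth_mac:
            # SHSA allows one client: an additional client moves the port to Unauthorized.
            self.state, self.auth_mac, self.radius_vlan = "Unauthorized", None, None
            return self.state
        if success:
            self.state, self.auth_mac, self.radius_vlan = "Authorized", mac, radius_vlan
        else:
            # Failure, including a failed re-authentication: back to the Guest VLAN or EAPOL-only.
            self.state, self.auth_mac, self.radius_vlan = "Unauthorized", None, None
        return self.state

    def disable_eapol(self):
        """Disabling EAPOL restores the NVRAM VLAN; the RADIUS-assigned values are not stored."""
        self.state, self.auth_mac, self.radius_vlan = "Unauthorized", None, None
        return self.configured_vlan

    def forwards(self, direction, src_mac, eapol=False):
        """True if a frame ('in' from the client, 'out' toward it) passes the controlled port."""
        if eapol:
            return True                              # EAPOL is processed in every state
        if self.state == "Authorized":
            # Only the authenticated MAC may send on an SHSA port; other packets are dropped.
            return direction == "out" or src_mac == self.auth_mac
        if self.guest_vlan is not None:
            return True                              # unauthenticated traffic rides the Guest VLAN
        if direction == "in":
            return False                             # received frames are discarded while Unauthorized
        return self.traffic_control == "in"          # "Incoming" still forwards transmit frames
```

Running the two traffic-control settings side by side makes the difference concrete: with "Incoming" an unauthorized port still emits frames toward the station, which is what lets a supplicant see broadcasts before it has authenticated, while "Incoming and Outgoing" blocks both directions until the RADIUS server returns success.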

Guest VLAN
You can configure a global default Guest VLAN ID for the stack or the switch. Set the VLAN ID as Valid when you configure the switch or the stack.

Guest VLAN support contains the following features:

• Guest VLAN support is available for each port. Guest VLANs can have a valid Guest VLAN ID on each port. If a Guest VLAN ID is not specified for a port, the global default value is used. You cannot enable this feature on a particular port if the global default value or the local Guest VLAN ID is invalid.

• The Guest VLAN chosen must be an active VLAN configured on the switch. EAP registers with the VLAN module, so that it can be recovered if you delete a VLAN. When a VLAN that is in use by EAP is deleted, the following actions are performed:

— A message is sent to the syslog.

— The port is blocked.

• When an authentication failure occurs, a port is placed back in the Guest VLAN.

• This feature affects ports that have EAP-Auto enabled. Therefore, the port must always be in a forwarding mode. It does not affect ports with administrative state, force-authorized, or force-unauthorized.

• This feature uses Enterprise Specific Management Information Bases (MIB).

• The Guest VLAN configuration settings are saved across resets.

ATTENTION
The EAP enabled port is not moved to the Guest VLAN if the Guest VLAN and original VLAN are associated with different Spanning Tree Groups. The EAP port does not forward traffic in the guest VLAN or the original VLAN. If EAP authentication succeeds, packets are transmitted properly in the original VLAN.


802.1X or non-EAP and Guest VLAN on the same port

802.1X or non-EAP and Guest VLAN on the same port removes the previous restrictions on configuring the 802.1X and non-EAP function on the same port simultaneously. In the current release, 802.1X functionality supports multiple modes simultaneously on the port, allowing Guest VLAN to function along with non-EAP and various 802.1X operational modes.

For example, the switch supports authenticating an IP Phone using non-EAP according to the DHCP signature of the phone. The data VLAN remains in the Guest VLAN until a device on that port is appropriately authenticated using 802.1X and optionally placed in the appropriate RADIUS assigned VLAN.

802.1X or non-EAP with Fail Open VLAN

802.1X or non-EAP with Fail Open VLAN provides network connectivity when the switch cannot connect to the RADIUS server. Every three minutes, the switch verifies whether the RADIUS servers are reachable. If the switch cannot connect to the primary and secondary RADIUS servers, then after a specified number of attempts to restore connectivity, the switch declares the RADIUS servers unreachable.

All authenticated devices move into the configured Fail Open VLAN when the switch declares the RADIUS servers unreachable. This prevents the clients from being disconnected when the reauthentication timer expires and provides the devices some form of network connectivity. To provide the level of connectivity required by corporate security policies, configure the Fail Open VLAN within the customer's network. For example, the Fail Open VLAN configured to provide access to corporate IT services may be restricted from access to financial and other critical systems. In these situations clients receive a limited level of network connectivity when the RADIUS servers are unreachable rather than receiving no access.

When a switch is operating in the Fail Open mode, which means that the RADIUS servers are unreachable, the switch regularly verifies the connectivity. When the RADIUS servers become reachable, the clients are reauthenticated and, as appropriate, moved to the assigned VLANs, allowing normal network connectivity to resume.

When a client operates in the Fail Open VLAN, because RADIUS servers are unreachable, any 802.1X logoff messages received from the EAP supplicant are not processed by the switch.


For an EAP or non-EAP enabled port, by default, the Fail Open VLAN feature is disabled. When the RADIUS servers are unreachable, if the Fail Open VLAN is defined, then

• the port becomes a member of both the EAP Fail Open VLAN and EAP Fail Open VoIP VLAN

• the switch sets the PVID of the switch port to EAP Fail Open VLAN

• all the EAP-enabled ports move to the Fail Open VLANs across the units in a stack

ATTENTION
When the switch is operating in Fail Open mode, it does not send EAP authentication requests to the RADIUS Server and instead performs a dummy reauthentication of the client within the Fail Open VLAN.

ATTENTION
When the port transitions from normal EAP operation to Fail Open, the end client is not aware that the port has transitioned to a different VLAN. Depending upon the association of the IP addressing scheme to VLANs, it is necessary for the client to obtain a new IP address when transitioning to or from the Fail Open VLAN. An enhancement calls for the port to be administratively turned off, and then back on again, when the port transitions to or from the Fail Open VLAN. If the PC is directly connected to the switch, this results in the client automatically refreshing the IP address. If the PC is located behind an IP handset, another switch, or a hub, the client must perform a manual renewal of the IP address.

After the switch accesses the RADIUS server and authentication succeeds, the ports move to the Guest VLAN, or to configured VLANs, and age to allow the authentication of all incoming MAC addresses on the port. If there is at least one authenticated MAC address on the port, it blocks all other unauthenticated MAC addresses on the port. You must turn on the debug counters to track server reachability changes.

Multiple Host with Multiple Authentication

For an EAP-enabled port configured for Multiple Host with Multiple Authentication (MHMA), a finite number of EAP users or devices with unique MAC addresses are allowed on the port.

Each user must complete EAP authentication before the port allows traffic from the corresponding MAC address. Only traffic from the authorized hosts is allowed on that port.

RADIUS-assigned VLAN values are allowed in the MHMA mode. For more information about RADIUS-assigned VLANs in the MHMA mode, see "RADIUS-assigned VLAN use in MHMA mode" (page 41).

MHMA support is available for an EAP-enabled port.


The following are some of the concepts associated with MHMA:

• Logical and physical ports: Each unique port and MAC address combination is treated as a logical port. MAX_MAC_PER_PORT defines the maximum number of MAC addresses that can perform EAP authentication on a port. Each logical port is treated as if it is in the SHSA mode.

• Indexing for MIBs: Logical ports are indexed by a port and source MAC address (src-mac) combination. Enterprise-specific MIBs are defined for state machine-related MIB information for individual MACs.

• Transmitting EAPOL packets: Only unicast packets are sent to a specific port so that the packets reach the correct destination.

• Receiving EAPOL packets: The EAPOL packets are directed to the correct logical port for state machine action.

• Traffic on an authorized port: Only a set of authorized MAC addresses is allowed access to a port.

MHMA support for EAP clients contains the following features:

• A port remains on the Guest VLAN when no authenticated hosts exist on it. Until the first authenticated host, both EAP and non-EAP clients are allowed on the port.

• After the first successful authentication, only EAPOL packets and data from the authenticated MAC addresses are allowed on a particular port.

• Only a predefined number of authenticated MAC users are allowed on a port.

• RADIUS VLAN assignment is enabled for ports in MHMA mode. Upon successful RADIUS authentication, the port gets a VLAN value in a RADIUS attribute with EAP success. The port is added and the PVID is set to the first such VLAN value from the RADIUS server.

• Configuration of timer parameters is for each physical port, not for each user session. However, the timers are used by the individual sessions on the port.

• Reauthenticate Now, when enabled, causes all sessions on the port to reauthenticate.

• Reauthentication timers are used to determine when a MAC is disconnected so as to enable another MAC to log on to the port.

• Configuration settings are saved across resets.


RADIUS-assigned VLAN use in MHMA mode

RADIUS-assigned VLAN use in the MHMA mode gives you greater flexibility and a more centralized assignment. This feature is useful in an IP Phone set up also, where the phone traffic is directed to the Voice over IP (VoIP) VLAN and the PC Data traffic is directed to the assigned VLAN. When RADIUS-assigned VLAN values are allowed for the port, the first authenticated EAP MAC address cannot have a RADIUS-assigned VLAN value; at this point, the port is moved to a configured VLAN. A later authenticated EAP MAC address (for instance, the third one on the port) receives a RADIUS-assigned VLAN value. This port is then added, and the port VLAN ID (PVID) is set to the first such VLAN value from the RADIUS server. The VLAN remains the same irrespective of which MAC leaves, and a change in the VLAN takes place only when there are no authenticated hosts on the port.

In the 5.3 Release, the 802.1X or non-EAP Last Assigned RADIUS VLAN functionality allows you to configure the switch such that the last received radius-vlan assignment is always honoured on a port. For more information, see "802.1X or non-EAP Last Assigned RADIUS VLAN" (page 44).

ATTENTION
All VLAN movement in an EAP-enabled state is dynamic and is not saved across resets.

Consider the following setup in Figure 2 "RADIUS-assigned VLAN in MHMA mode" (page 42):

• Ethernet Routing Switch 4550T stand-alone switch with default settings

• IP Phone connected to the switch in port 1

• PC connected to the PC port of the IP Phone

• RADIUS server connected to switch port 24 (directly or through a network)


Figure 2
RADIUS-assigned VLAN in MHMA mode

EAP multihost mode needs to be configured on the switch (global settings and local settings for switch port 1/1):

1. Put a valid IP address on the switch.

2. Configure at least the Primary RADIUS server IP address (you can also fill the IP address of the Secondary one).

3. Enable EAP globally.

4. Enable EAP (status Auto) for switch port 1.

5. Enable EAP multihost mode for switch port 1.

The EAP clients will authenticate using MD5 credentials, but you can use other available types of authentication (such as TLS, PEAP-MSCHAPv2, PEAP-TLS, TTLS). The RADIUS server can be properly configured to authenticate the EAP users with at least MD5 authentication.

Non-EAP IP Phone authentication:

This enhancement is useful mainly for the IP Phones that cannot authenticate themselves with EAP. On an EAP capable IP Phone, EAP must be disabled if the user specifically wants to use the non-EAP IP Phone authentication. DHCP must be enabled on the phone, because the switch examines the phone signature in the DHCP Discover packet sent by the phone.

Following are the steps to enable the enhancement:


1. Enable non-EAP IP Phone authentication in the Global Configuration mode:

4550T(config)#eapol multihost non-eap-phone-enable

2. Enable non-EAP IP Phone authentication in the interface mode for switch port 1:

4550T(config-if)#eapol multihost port 1 non-eap-phone-enable

The switch waits for DHCP Discover packets on port 1. After a DHCP Discover packet is received on port 1, the switch looks for the phone signature (for example, Nortel-i2004-A), which can be enclosed in the DHCP Discover packet. If the proper signature is found, the switch registers the MAC address of the IP Phone as an authenticated MAC address and lets the phone traffic pass through the port.

By default, the non-EAP IP Phone authentication enhancement is disabled in both Global Configuration and Interface Configuration modes, for all switch ports.

Unicast EAP Requests in MHMA

When you enable this enhancement, the switch no longer periodically queries the connected MAC addresses to a port with EAP Request Identity packets. The clients can initiate for themselves the EAP authentication sessions (send EAP Start packets to the switch). Not all EAP supplicants can support this operating mode.

Following are the steps to enable the enhancement:

1. Enable unicast EAP requests in the Global Configuration mode:

4550T(config)#eapol multihost eap-packet-mode unicast

2. Enable Unicast EAP Requests in the interface mode for switch port 1:

4550T(config-if)#eapol multihost port 1 eap-packet-mode unicast

By default, multicast mode is selected in both Global Configuration and Interface Configuration modes, for all switch ports. You must set the EAP packet mode to Unicast in both global and Interface Configuration modes for a switch port, to enable this feature. Other combinations (for example, multicast in global, unicast in the interface mode) will select the multicast operating mode.

RADIUS Assigned VLANs in MHMA

This enhancement is basically an extension of the RADIUS assigned VLANs feature in SHSA mode; you can move a port to a specific VLAN even if that switch port operates in EAP MHMA mode.

This enhancement has one restriction. If you have multiple EAP clients authenticating on a switch port (as you normally can in MHMA mode), each one configured with a different VLAN ID on the RADIUS server, the switch moves the port to the VLAN of the first authenticated client. In this way, you can avoid a permanent bounce between different VLANs of the switch port.

Enable the enhancement by following these steps:

1. Enable RADIUS assigned VLANs in the Global Configuration mode:

4550T(config)#eapol multihost use-radius-assigned-vlan

2. Enable RADIUS assigned VLANs in the interface mode for switch port 1:

4550T(config-if)#eapol multihost port 1 use-radius-assigned-vlan

By default, the RADIUS assigned VLANs in the MHMA enhancement is disabled in the Global Configuration and Interface Configuration modes, for all switch ports.

802.1X or non-EAP Last Assigned RADIUS VLAN

The 802.1X or non-EAP Last Assigned RADIUS VLAN functionality allows you to configure the switch such that the last received RADIUS VLAN assignment is always honoured on a port. In the previous release, if you enable the use-radius-assigned-vlan option, then only the first valid RADIUS-assigned VLAN (by EAP or non-EAP authentication) on that port is honoured. The subsequent RADIUS VLAN assignments are ignored for any user on that port. The last RADIUS-assigned VLAN (either EAP or non-EAP) determines the VLAN membership and PVID, replacing any previous RADIUS-assigned VLAN values for that port.

The functional examples are as follows:

• Multiple EAP and non-EAP clients authenticate on a port.

• The EAP clients can reauthenticate; the non-EAP clients age out and reauthenticate. The Last Assigned VLAN setting for either EAP or non-EAP clients is always applied to the port when you enable the Last Assigned VLAN. This can result in the port moving unexpectedly between VLANs.
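The difference between the first-assigned behaviour described under "RADIUS-assigned VLAN use in MHMA mode" and the 5.3 Last Assigned RADIUS VLAN option is easiest to see on a sequence of authentications. The following is an added example written for this page, not Nortel switch code: it models a single multihost port, feeds it a constructed list of authentication and log-off events, and reports the PVID after each event under both policies. The configured VLAN (1), the MAC addresses and the VLAN numbers are all assumed sample values.

```python
"""Model of how an EAP multihost port picks its PVID from RADIUS VLAN assignments.

Constructed illustration of the behaviour described in this section; it is not
Nortel switch code. Events are (action, mac, radius_vlan) tuples: action "auth"
is a successful EAP or non-EAP authentication whose Tunnel-Private-Group-Id
value is radius_vlan (None when the server sent no VLAN); action "leave" is a
log-off or age-out of that MAC.
"""

CONFIGURED_VLAN = 1  # assumed static (configured) VLAN of the port


def pvid_trace(events, configured_vlan=CONFIGURED_VLAN, last_assigned=False):
    """Return the port PVID after each event.

    last_assigned=False models the first-assigned behaviour: the first RADIUS
    VLAN received is kept, whichever MAC leaves, until no authenticated hosts
    remain on the port.  last_assigned=True models the 5.3 Last Assigned RADIUS
    VLAN option: every received assignment replaces the current PVID.
    """
    authenticated = set()
    radius_pvid = None  # VLAN currently imposed by RADIUS, if any
    trace = []
    for action, mac, radius_vlan in events:
        if action == "auth":
            authenticated.add(mac)
            if radius_vlan is not None and (last_assigned or radius_pvid is None):
                radius_pvid = radius_vlan
        elif action == "leave":
            authenticated.discard(mac)
            if not authenticated:
                # VLAN movement is dynamic: once no hosts are left the port
                # falls back to its configured VLAN and forgets the RADIUS value.
                radius_pvid = None
        else:
            raise ValueError(f"unknown action {action!r}")
        trace.append(radius_pvid if radius_pvid is not None else configured_vlan)
    return trace


# Constructed sequence: host A gets no VLAN attribute, B and C are assigned 20 and 30,
# then everyone leaves and host D arrives with VLAN 40.
SAMPLE_EVENTS = [
    ("auth", "00:00:11:22:00:0a", None),
    ("auth", "00:00:11:22:00:0b", 20),
    ("auth", "00:00:11:22:00:0c", 30),
    ("leave", "00:00:11:22:00:0b", None),
    ("leave", "00:00:11:22:00:0a", None),
    ("leave", "00:00:11:22:00:0c", None),
    ("auth", "00:00:11:22:00:0d", 40),
]

if __name__ == "__main__":
    print("first assigned:", pvid_trace(SAMPLE_EVENTS))
    print("last assigned: ", pvid_trace(SAMPLE_EVENTS, last_assigned=True))
```

With the first-assigned policy the port stays in VLAN 20 from the second authentication until the last host leaves, even though host C was assigned VLAN 30; with Last Assigned enabled the port moves to 30 as soon as C authenticates, which is the "moving unexpectedly between VLANs" effect the list above warns about when hosts reauthenticate with different assignments.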

The feature supports NNCLI, SNMP, and ACG interfaces. Web is not available for this function.

NNCLI commands

For more information on the commands and procedures for configuring the most recent RADIUS-VLAN assignments on a port, see "802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI" (page 119).


802.1X or non-EAP with VLAN names

The 802.1X or non-EAP with VLAN names functionality enhances the Ethernet Routing Switch 4500 to match RADIUS assigned VLANs based on either the VLAN number or a VLAN name. Prior to this release, a match occurred based on the VLAN number of the Tunnel-Private-Group-Id attribute returned by the RADIUS server. Now you can use the VLAN number or names for configuring VLAN membership of EAP or non-EAP clients.

The Tunnel-Private-Group-Id attribute is converted to either a VLAN ID or VLAN name, based on the first character of the returned attribute. If the first character in the attribute is a number, the switch processes it as a VLAN number. In other cases, the attribute is taken as a VLAN name and matched on the full string. The maximum length of a VLAN name can be 16 characters. You do not have to configure this feature as this mode is always enabled.

Non EAP hosts on EAP-enabled ports

For an EAPOL-enabled port configured for non-EAPOL host support, a finite number of non-EAPOL users or devices with unique MAC addresses are allowed access to the port.

Allow the following types of non-EAPOL users:

• Hosts that match entries in a local list of allowed MAC addresses. You can specify the allowed MAC addresses when you configure the port to allow non-EAPOL access. These hosts are allowed on the port without authentication.

• Non-EAPOL hosts whose MAC addresses are authenticated by RADIUS.

• IP Phones configured for Auto-Detection and Auto-Configuration (ADAC).

• Nortel IP Phones.

Support for non-EAPOL hosts on EAPOL-enabled ports is primarily intended to accommodate printers and other passive devices sharing a hub with EAPOL clients.

Support for non-EAPOL hosts on EAPOL-enabled ports includes the following features:

• EAPOL and authenticated non-EAPOL clients are allowed on the port at the same time. Authenticated non-EAPOL clients are hosts that satisfy one of the following criteria:

— Host MAC address matches an entry in an allowed list preconfigured for the port.

— Host MAC address is authenticated by RADIUS.

• Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts exist on the port.

• When a new host is seen on the port, non-EAPOL authentication is performed as follows:

— If the MAC address matches an entry in the preconfigured allowed MAC list, the host is allowed.

— If the MAC address does not match an entry in the preconfigured allowed MAC list, the switch generates a <username, password> pair, which it forwards to the network RADIUS server for authentication. For more information about the generated credentials, see "Non-EAPOL MAC RADIUS authentication" (page 47).

— If RADIUS authenticates the MAC address, the host is allowed.

— If the MAC address does not match an entry in the preconfigured allowed MAC list and fails RADIUS authentication, the host is counted as an intruder. Data packets from that MAC address are dropped.

EAPOL authentication is not affected.

• For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged traffic follows the PVID of the port.

• Non-EAPOL hosts continue to be allowed on the port until the maximum number of non-EAPOL hosts is reached. You can configure the maximum number of non-EAPOL hosts allowed.

• After the maximum number of allowed non-EAPOL hosts has been reached, data packets received from additional non-EAPOL hosts are dropped. The additional non-EAPOL hosts are counted as intruders. New EAPOL hosts can continue to negotiate EAPOL authentication.

• When the intruder count reaches 32, the system generates an SNMP trap and system message. The port shuts down, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL and non-EAPOL negotiations on the port. The intruder counter is reset to zero.

• The feature uses enterprise-specific MIBs.

• Configuration settings are saved across resets.


For more information about configuring non-EAPOL host support, see "Configuring support for non-EAPOL hosts on EAPOL-enabled ports" (page 134).

Non-EAPOL MAC RADIUS authentication

For RADIUS authentication of a non-EAPOL host MAC address, the switch generates a <username, password> pair as follows:

• The username is the non-EAPOL MAC address in string format.

• The password is a string that combines the MAC address, switch IP address, unit, and port.

ATTENTION
Follow these Global Configuration examples to select a password format that combines one or more of these three elements:

password = 010010011253..0305 (when the switch IP address, unit and port are used).

password = 010010011253.. (when only the switch IP address is used).

password = 000011220001 (when only the user's MAC address is used).

The following example illustrates the <username, password> pair format:

switch IP address = 10.10.11.253
non-EAP host MAC address = 00 C0 C1 C2 C3 C4
unit = 3
port = 25

• username = 00C0C1C2C3C4

• password = 010010011253.00C0C1C2C3C4.0325
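To make the credential format concrete, here is an added example (written for this page, not Nortel code) that builds the <username, password> pair for a non-EAPOL host from the MAC address, switch IP address, unit and port. It reproduces the four password formats shown above; the field order (IP, MAC, unit+port separated by dots, with omitted fields left empty, and a MAC-only password without dots) is inferred from those examples and is an assumption, as are the function and parameter names.

```python
"""Generate the <username, password> pair the switch submits to RADIUS for a
non-EAPOL host, following the formats shown in this section.

Constructed example, not Nortel code. The password format is a global setting
that selects which of the three elements (switch IP address, host MAC address,
unit/port) are included; the field order and separators below are inferred
from the four printed examples and are an assumption.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 upper-case hex digits without separators."""
    digits = "".join(ch for ch in mac if ch not in " :-.")
    if len(digits) != 12 or any(ch not in HEX_DIGITS for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def ip_field(ip: str) -> str:
    """10.10.11.253 -> '010010011253' (each octet zero-padded to three digits)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    values = [int(o) for o in octets]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range in {ip!r}")
    return "".join(f"{v:03d}" for v in values)


def non_eap_credentials(mac, switch_ip, unit, port,
                        use_ip=True, use_mac=True, use_unit_port=True):
    """Return (username, password) for a non-EAPOL host.

    The username is always the MAC address as a string. The password joins
    the selected fields with '.', leaving an omitted field empty, except that
    a MAC-only password is the bare MAC (matching the 000011220001 example).
    Unit and port are each zero-padded to two digits (unit 3, port 25 -> 0325).
    """
    mac_str = normalize_mac(mac)
    if use_mac and not use_ip and not use_unit_port:
        return mac_str, mac_str
    fields = [
        ip_field(switch_ip) if use_ip else "",
        mac_str if use_mac else "",
        f"{int(unit):02d}{int(port):02d}" if use_unit_port else "",
    ]
    return mac_str, ".".join(fields)


if __name__ == "__main__":
    # The worked example from the text: 10.10.11.253, 00 C0 C1 C2 C3 C4, unit 3, port 25
    print(non_eap_credentials("00 C0 C1 C2 C3 C4", "10.10.11.253", 3, 25))
```

Every element of the generated password is derived from the switch and port identity and the host's own MAC address, so the strength of non-EAPOL MAC authentication rests on the RADIUS shared secret and on which MAC entries the RADIUS server is configured to accept, not on the password string itself.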

Multiple Host with Single Authentication

Multiple Host with Single Authentication (MHSA) is a more restrictive implementation of support for non-EAPOL hosts on EAPOL-enabled ports.

For an EAPOL-enabled port configured for MHSA, one EAPOL user must successfully authenticate before a finite number of non-EAPOL users or devices with unique MAC addresses can access the port without authentication.

The MHSA feature is intended primarily to accommodate printers and other passive devices sharing a hub with EAPOL clients.

MHSA support is on a port by port basis for an EAPOL-enabled port.


MHSA support for non-EAPOL hosts includes the following features:

• The port remains unauthorized when no authenticated hosts exist on it. Before the first successful authentication occurs, both EAPOL and non-EAPOL clients are allowed on the port to negotiate access, but only one host can negotiate EAPOL authentication.

• After the first EAPOL client successfully authenticates, EAPOL packets and data from that client are allowed on the port. No other clients are allowed to negotiate EAPOL authentication. The port is set to preconfigured VLAN assignments and priority values or to values obtained from RADIUS for the authenticated user.

• After the first successful authentication, new hosts, up to a configured maximum number, are automatically allowed on the port, without authentication.

• After the maximum number of allowed non-EAPOL hosts has been reached, data packets received from additional non-EAPOL hosts are dropped. The additional non-EAPOL hosts are counted as intruders.

• When the intruder count reaches 25, an SNMP trap and system message are generated. The port shuts down, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL negotiations on the port. The intruder counter is reset to zero.

• If the EAPOL-authenticated user logs off, the port returns to an unauthorized state and non-EAPOL hosts are not allowed.

• This feature uses enterprise-specific MIBs.

The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value configured for a port is 2. This translates to around 200 for a box and 800 for a stack.

Summary of multiple host access on EAPOL-enabled ports

The following table summarizes the order of the checks performed by the switch when a new host is seen on an EAPOL multihost port. If all the checks fail, the new host is counted as an intruder.

Table 3
EAPOL Multihost access

Scenario                                                          Action
• No authenticated hosts on the port.                             Allow
• Guest VLAN is enabled.

• New host MAC address is authenticated.                          Allow

• Port is configured for MHSA.                                    Allow
• One EAPOL-authenticated host exists on the port.
• The number of existing non-EAPOL hosts on the port is less
  than the configured maximum number allowed.

• Host is an IP Phone.                                            Allow
• Port is configured for ADAC (allowed PhoneMac, not callSvr,
  not Uplink).

• Port is configured for non-EAPOL host support.                  Allow
• Host MAC address is in a preconfigured list of allowed
  MAC addresses.
• The number of existing non-EAPOL hosts on the port is less
  than the configured maximum number allowed.

• Port is configured for non-EAPOL host support.                  Disallow pending RADIUS
• Host MAC address is authenticated by RADIUS.                    authentication; allow when
• The number of existing non-EAPOL hosts on the port is less      authentication succeeds.
  than the configured maximum number allowed.
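Because Table 3 is an ordered list of checks with side effects (admitted hosts count against the non-EAPOL maximum, failures count against the intruder limit that shuts the port), it helps to see it as executable logic. The following is an added example written for this page, not Nortel switch code: a small Port model and a classify_new_host() function that walks the rows above in order for one newly seen MAC and applies the intruder handling the text describes. The Port fields, the function names and the MAC addresses in the usage are assumed sample values; the intruder limit defaults to the 32 stated for non-EAPOL host support (the text gives 25 for MHSA), and the model resets the counter at shutdown where the switch resets it when the administrator re-enables the port.

```python
"""Constructed model of the order of checks in Table 3 (not Nortel switch code).

A Port object holds the per-port configuration and the hosts already admitted;
classify_new_host() walks the Table 3 rows in order for one newly seen MAC and
records intruders the way the text above describes (drop, count, shut the port
when the counter reaches the limit).
"""
from dataclasses import dataclass, field

ALLOW = "Allow"
PENDING = "Disallow pending RADIUS authentication"
INTRUDER = "Intruder"
PORT_SHUT_DOWN = "Intruder; port shut down"


@dataclass
class Port:
    guest_vlan_enabled: bool = False
    mhsa: bool = False
    non_eap_support: bool = False
    adac_phone_allowed: bool = False   # ADAC role that admits phone MACs (not callSvr/Uplink)
    allowed_macs: set = field(default_factory=set)   # preconfigured non-EAPOL MAC list
    max_non_eap_hosts: int = 2
    intruder_limit: int = 32           # 32 for non-EAPOL host support, 25 for MHSA (see text)
    eap_hosts: set = field(default_factory=set)      # EAPOL-authenticated MACs
    non_eap_hosts: set = field(default_factory=set)  # admitted non-EAPOL MACs
    intruder_count: int = 0
    shut_down: bool = False

    def has_room(self) -> bool:
        return len(self.non_eap_hosts) < self.max_non_eap_hosts


def classify_new_host(port, mac, eap_authenticated=False, is_ip_phone=False, radius_result=None):
    """Return the Table 3 action for a new MAC seen on the port, updating port state.

    radius_result=None means the RADIUS answer for a non-EAPOL MAC is still
    outstanding; True/False is the final RADIUS result for that MAC.
    """
    if port.shut_down:
        return PORT_SHUT_DOWN
    # Row 1: port still on the Guest VLAN, nobody authenticated yet.
    if port.guest_vlan_enabled and not port.eap_hosts and not port.non_eap_hosts:
        return ALLOW
    # Row 2: the host completed EAPOL authentication itself.
    if eap_authenticated:
        port.eap_hosts.add(mac)
        return ALLOW
    # Row 3: MHSA, exactly one EAPOL host, room for another non-EAPOL host.
    if port.mhsa and len(port.eap_hosts) == 1 and port.has_room():
        port.non_eap_hosts.add(mac)
        return ALLOW
    # Row 4: IP Phone on an ADAC port that admits phone MACs.
    if is_ip_phone and port.adac_phone_allowed:
        return ALLOW
    # Rows 5 and 6: non-EAPOL host support, allowed list first, then RADIUS.
    if port.non_eap_support and port.has_room():
        if mac in port.allowed_macs:
            port.non_eap_hosts.add(mac)
            return ALLOW
        if radius_result is None:
            return PENDING
        if radius_result:
            port.non_eap_hosts.add(mac)
            return ALLOW
    return record_intruder(port)


def record_intruder(port):
    """All checks failed: the host's data is dropped, it is counted, and the
    port is shut down (force-unauthorized) when the counter reaches the limit."""
    port.intruder_count += 1
    if port.intruder_count >= port.intruder_limit:
        port.shut_down = True
        port.intruder_count = 0   # model: reset here; the switch resets it when the port is re-enabled
        return PORT_SHUT_DOWN
    return INTRUDER


if __name__ == "__main__":
    p = Port(non_eap_support=True, allowed_macs={"00:00:11:22:00:01"}, max_non_eap_hosts=2)
    for mac, radius in [("00:00:11:22:00:01", None), ("00:00:11:22:00:02", None),
                        ("00:00:11:22:00:02", True), ("00:00:11:22:00:03", True)]:
        print(mac, "->", classify_new_host(p, mac, radius_result=radius))
```

The usage run shows a listed MAC admitted immediately, a second MAC held pending until RADIUS answers, and a third MAC counted as an intruder because the configured maximum of two non-EAPOL hosts is already reached even though RADIUS would have accepted it; a MAC limit set too low therefore shows up as intruder traps rather than as RADIUS rejects.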

802.1X authentication and Wake on LAN

The WoL networking standard enables remotely powering-up a shutdown computer from a sleeping state. In this process, the computer is shut down with power reserved for the network card. A packet known as Magic Packet is broadcast on the local LAN or subnet. The network card, on receiving the Magic Packet, verifies the information. If the information is valid, the network card powers-up the shutdown computer.

The WoL Magic Packet is a broadcast frame sent over a variety of connectionless protocols like UDP and IPX. The most commonly used connectionless protocol is UDP. The Magic Packet contains data that is a defined constant represented in hexadecimal as FF:FF:FF:FF:FF:FF, followed by 16 repetitions of the target computer's MAC address and possibly by a four or six byte password.
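When checking whether Magic Packets actually reach the default or Guest VLAN that a sleeping client falls back to (see the ATTENTION below), it is useful to be able to recognise one in a capture. The following is an added example written for this page, not Nortel code: it parses a UDP payload using exactly the layout described above (six 0xFF bytes, the target MAC repeated 16 times, an optional 4- or 6-byte password) and recovers the target MAC. The builder function, the function names and the sample MAC are assumptions used only to produce constructed input.

```python
"""Recognise a Wake-on-LAN Magic Packet in a captured UDP payload.

Constructed example for this section, not Nortel code. The frame layout is the
one the text gives: six 0xFF bytes, then the target MAC repeated 16 times, then
an optional 4- or 6-byte password. build_magic_packet() exists only to produce
sample input offline.
"""

SYNC = b"\xff" * 6
MAC_REPEATS = 16


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Assemble a Magic Packet payload for the given MAC (sample-input helper)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    if len(password) not in (0, 4, 6):
        raise ValueError("WoL password must be 0, 4 or 6 bytes")
    return SYNC + raw * MAC_REPEATS + password


def parse_magic_packet(payload: bytes):
    """Return (target_mac, password) if payload carries a Magic Packet, else None.

    The sync stream may sit anywhere in the payload (some senders prepend
    other data), so every occurrence is tried; the first one followed by 16
    identical 6-byte groups and a 0/4/6-byte tail is accepted.
    """
    body_len = 6 * MAC_REPEATS
    start = 0
    while (idx := payload.find(SYNC, start)) != -1:
        body = payload[idx + len(SYNC):]
        target = body[:6]
        if len(body) >= body_len and body[:body_len] == target * MAC_REPEATS:
            password = body[body_len:]
            if len(password) in (0, 4, 6):
                return ":".join(f"{b:02x}" for b in target), password
        start = idx + 1
    return None


if __name__ == "__main__":
    # Constructed sample: a Magic Packet for the MAC used elsewhere in this chapter.
    sample = build_magic_packet("00:c0:c1:c2:c3:c4")
    print(parse_magic_packet(sample))          # ('00:c0:c1:c2:c3:c4', b'')
    print(parse_magic_packet(b"not a wol frame"))  # None
```

Because the recovered MAC is the one the sleeping client answers to, comparing it with the switch's MAC table for the port tells you whether the frame was delivered on the VLAN the client actually reverted to.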

If you implement enhanced network security using 802.1X, the transmission of Magic Packets to sleeping or unauthorized network devices is blocked. An interface specific 802.1X feature known as traffic-control can be used to address this requirement of supporting both WoL and 802.1X Authentication simultaneously. The default mode of traffic-control operation blocks both ingress and egress unauthenticated traffic on an 802.1X port. Setting the traffic control mode to in enables the transmission of Magic Packets to sleeping or unauthenticated devices. This mode allows any network control traffic, such as a WoL Magic Packet, to be sent to a workstation irrespective of the authentication or sleep status.

ATTENTION
If a PC client is assigned to a VLAN based on a previous RADIUS Assigned VLAN, when the client goes into sleep or hibernation mode it reverts to either the default port-based VLAN or Guest VLAN configured for that port. So, the WoL Magic Packet must be sent to the default VLAN or Guest VLAN.

EAP (802.1X) accounting

EAP accounting provides RADIUS accounting for EAP-authenticated clients in the network.

The RADIUS accounting protocol is defined in RFC 2866.

RADIUS accounting in the current Ethernet Routing Switch 4500 Series implementation utilizes the same RADIUS server used for RADIUS authentication. The RADIUS Accounting UDP port is the RADIUS authentication port + 1.

Feature operation

RADIUS accounting logs all of the activity of each remote user in a session on the centralized RADIUS accounting server.

Session IDs for each RADIUS account are generated as 12-character strings. The first four characters in the string form a random number in hexadecimal format. The last eight characters in the string indicate, in hexadecimal format, the number of user sessions started since reboot.

The Network Access Server (NAS) IP address for a session is the IPaddress of the switch management VLAN.

The following table summarizes the events and associated accounting information logged at the RADIUS accounting server.

Table 4
Accounting events and logged information

Event                                      Accounting information logged at server
Accounting is turned on at the router      Accounting on request: NAS IP address
Accounting is turned off at the router     Accounting off request: NAS IP address
User logs on                               Account start request:
                                           • NAS IP address
                                           • NAS port
                                           • Account session ID
                                           • Account status type
                                           • User name
User logs off or port is forced to         Account stop request:
unauthorized state                         • NAS IP address
                                           • NAS port
                                           • Account session ID
                                           • Account status type
                                           • User name
                                           • Account session time
                                           • Account terminate cause
                                           • Input octet count for the session*
                                           • Output octet count for the session*
                                           • Input packet count for the session*
                                           • Output packet count for the session*

*Note: Octet and packet counts are by port and therefore provide useful information only when ports operate in the SHSA mode.

The following table summarizes the accounting termination causes supported.

Table 5
Supported Account Terminate causes

Cause                           Cause ID   When logged at server
ACCT_TERM_USER_REQUEST          1          on User LogOff
ACCT_TERM_LOST_CARRIER          2          on Port Link Down/Failure
ACCT_TERM_ADMIN_RESET           6          on Authorised to ForceUnAuthorised
ACCT_TERM_SUPP_RESTART          19         on EapStart on Authenticated Port
ACCT_TERM_REAUTH_FAIL           20         on ReAuth Failure
ACCT_TERM_PORT_INIT             21         on Port ReInitialization
ACCT_TERM_PORT_ADMIN_DISABLE    22         on Port Administratively Shutdown

802.1X dynamic authorization extension (RFC 3576)

With 802.1X dynamic authorization extension (RFC 3576), you can enable a third party device to dynamically change VLANs on switches or close user sessions.

The 802.1X dynamic authorization extension devices include the following:

• Network Access Server (NAS) — the Ethernet Routing Switch 4500 that authenticates each 802.1X client at a RADIUS server.

• RADIUS server — sends disconnect and Change of Authorization (CoA) requests to the NAS. A CoA command modifies user session authorization attributes, and a disconnect command ends a user session.

ATTENTION
The term RADIUS server, which designates the device that sends the requests, is replaced in RFC 5176 with the term Dynamic Authorization Client (DAC). The NAS is the Dynamic Authorization Server (DAS).

• 802.1X client — the device that requires authentication and uses the Ethernet Routing Switch 4500 services.

ATTENTION
Requests from the RADIUS server to the NAS must include at least one NAS identification attribute and one session identification attribute.

An Ethernet Routing Switch 4500 can receive disconnect or CoA commands in the following conditions:


• a user authenticated session exists on a port (one user session for single-host configuration or multiple user sessions for Multihost configuration)

• the port maintains the original VLAN membership (Guest VLAN and RADIUS VLAN configurations)

• the port is added to a RADIUS-assigned VLAN (the port VLAN ID (PVID) is the RADIUS-assigned VLAN ID)

802.1X dynamic authorization extension (RFC 3576) applies only to Extensible Authentication Protocol (EAP) clients and does not impact non-EAP clients.

802.1X dynamic authorization extension supports the following configured features:

• Guest VLAN

• RADIUS VLAN for EAP clients

• RADIUS VLAN for non-EAP clients

802.1X dynamic authorization extension functions when either of the RADIUS VLAN assignment features is active on a port.

802.1X dynamic authorization extension functions with SHSA, MHMA, and MHSA port operating modes.

The following authorization considerations apply:

• Enable only the servers you use, so that the switch does not receive and process requests from untrusted servers.

• The requirements for the shared secret between the NAS and the RADIUS server are the same as those for a well-chosen password.

• If user identity is essential, do not use specific user identification attributes as the user identity. Use attributes that can identify the session without disclosing user identification attributes, such as the port or calling-station-id session identification attributes.

To enable the 802.1X dynamic authorization extension feature on the Ethernet Routing Switch 4500, you must do the following:

• Enable EAP globally.

• Enable EAP on each applicable port.

• Enable the dynamic authorization extension commands globally.

• Enable the dynamic authorization extension commands on each applicable port.


ATTENTION
The switch ignores disconnect or CoA commands if the commands address a port on which 802.1X dynamic authorization extension is not enabled.

While listening for request traffic from the DAC, the NAS can copy and send a UDP packet, which can disconnect a user. Nortel recommends that you implement replay protection by including the Event-Timestamp attribute in both the request and the response. To correctly process the Event-Timestamp attribute, you must synchronize the DAC and the NAS (both the DAC and the NAS must use an SNTP server).

The DAC must use the source IP address of the RADIUS UDP packet to determine which shared secret to accept for RADIUS requests forwarded by a proxy. When a proxy forwards RADIUS requests, the NAS-IP-Address or NAS-IPv6-Address attributes do not match the source IP address observed by the DAC. The DAC cannot resolve the NAS-Identifier attribute, whether a proxy is present or not. The authenticity check performed by the DAC does not verify the NAS identification attributes, so an unauthorized NAS can forge identification attributes and impersonate an authorized NAS in your network.

To prevent these vulnerabilities, Nortel recommends that you configure proxies to confirm that the NAS identification attributes match the source IP address of the RADIUS UDP packet.
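The checks the preceding paragraphs ask of the NAS (shared secret selected by source IP, at least one NAS identification and one session identification attribute present and matching, Event-Timestamp replay protection), as an added Python model. This is example code, not Nortel's implementation; the addresses, shared secret, session ids and the 300-second timestamp window are assumed sample values.

```python
"""NAS-side checks on an RFC 3576 Disconnect-Request.

Added example, not Nortel code: packet layout and attribute types follow
RFC 2865/2869, the Request Authenticator rule and Error-Cause values follow
RFC 3576. DAC address, shared secret, NAS identity, session ids and the
Event-Timestamp window are constructed sample values for this example.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
NAS_IDENTIFIER, ACCT_SESSION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 32, 44, 55, 101
NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IDENTIFIER}
SESSION_ID_ATTRS = {USER_NAME, NAS_PORT, CALLING_STATION_ID, ACCT_SESSION_ID}
MISSING_ATTRIBUTE, NAS_ID_MISMATCH, SESSION_NOT_FOUND = 402, 403, 503  # Error-Cause
REPLAY_WINDOW = 300  # seconds of skew accepted on Event-Timestamp (example policy)


def encode_attrs(attrs):
    """RADIUS Type/Length/Value triplets; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def make_disconnect(ident, secret, nas_ip=None, nas_id=None, session=None, ts=None):
    """DAC-side helper: build a Disconnect-Request from plain values (None omits the attribute)."""
    attrs = []
    if nas_ip is not None:
        attrs.append((NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if nas_id is not None:
        attrs.append((NAS_IDENTIFIER, nas_id))
    if session is not None:
        attrs.append((ACCT_SESSION_ID, session))
    if ts is not None:
        attrs.append((EVENT_TIMESTAMP, struct.pack("!I", ts)))
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)


def handle_disconnect(packet, src_ip, nas, now):
    """Process one Disconnect-Request at the NAS; returns (response or None, reason).

    nas = {"ip": str, "identifier": bytes, "secrets": {dac_ip: secret},
           "sessions": {acct_session_id: port}}
    """
    secret = nas["secrets"].get(src_ip)          # the secret is chosen by source IP alone
    if secret is None:
        return None, "unknown DAC, silently discarded"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None, "bad length, silently discarded"
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + bytes(16) + body + secret).digest()
    if head[0] != DISCONNECT_REQUEST or not hmac.compare_digest(auth, expected):
        return None, "bad authenticator, silently discarded"
    attrs = dict(decode_attrs(body))

    def nak(cause):
        err = [(ERROR_CAUSE, struct.pack("!I", cause))]
        return build_response(DISCONNECT_NAK, packet, err, secret), cause

    # at least one NAS identification and one session identification attribute
    if not (attrs.keys() & NAS_ID_ATTRS) or not (attrs.keys() & SESSION_ID_ATTRS):
        return nak(MISSING_ATTRIBUTE)
    # the identification attributes must really name this NAS
    if NAS_IP_ADDRESS in attrs and socket.inet_ntoa(attrs[NAS_IP_ADDRESS]) != nas["ip"]:
        return nak(NAS_ID_MISMATCH)
    if NAS_IDENTIFIER in attrs and attrs[NAS_IDENTIFIER] != nas["identifier"]:
        return nak(NAS_ID_MISMATCH)
    # replay protection: Event-Timestamp must be close to the (SNTP-synchronised) NAS clock
    if EVENT_TIMESTAMP in attrs:
        if abs(struct.unpack("!I", attrs[EVENT_TIMESTAMP])[0] - now) > REPLAY_WINDOW:
            return None, "stale Event-Timestamp, treated as a replay and discarded"
    session = attrs.get(ACCT_SESSION_ID)
    if session not in nas["sessions"]:
        return nak(SESSION_NOT_FOUND)
    del nas["sessions"][session]                 # end the user session
    return build_response(DISCONNECT_ACK, packet, [], secret), None
```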

802.1X dynamic authorization extension complies with the following standards and RFCs:

• IEEE 802.1X standard (EAP)

• RFC 2865 – RADIUS

• RFC 3576 – Dynamic Authorization Extensions to RADIUS

TACACS+

The Ethernet Routing Switch 4500 supports the Terminal Access Controller Access Control System plus (TACACS+) client. TACACS+ is a security application implemented as a client/server based protocol that provides centralized validation of users attempting to gain access to a router or network access server.

TACACS+ differs from RADIUS in two important ways:

• TACACS+ is a TCP-based protocol.

• TACACS+ uses full packet encryption, rather than encrypting only the password (as in a RADIUS authentication request).


ATTENTION
TACACS+ encrypts the entire body of the packet but uses a standard TACACS+ header.

TACACS+ separates authentication, authorization, and accounting services. This means that you can selectively implement one or more TACACS+ services.
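To make the distinction above concrete (whole body obfuscated under a cleartext header, versus RADIUS hiding only the password), here is an added Python example that is not Nortel code: the TACACS+ body obfuscation of RFC 8907 section 4.5 beside the RADIUS User-Password hiding of RFC 2865 section 5.2. The keys, session id and body bytes are constructed sample values.

```python
"""TACACS+ body obfuscation versus RADIUS User-Password hiding.

Added example, not Nortel code. TACACS+ XORs the whole packet body with an
MD5 pseudo-pad derived from the cleartext header fields and the shared key
(RFC 8907, section 4.5); RADIUS hides only the User-Password attribute
(RFC 2865, section 5.2) and sends every other attribute in the clear.
Keys, session id and body contents below are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# 12-byte header, always cleartext: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")


def tacacs_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1); concatenated, truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(pkt_type, seq_no, session_id, body, key, minor_ver=0):
    """Build a TACACS+ packet: cleartext header, body XORed with the pad (or sent clear if no key)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_ver
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body))
    if not key:
        return header + body
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def tacacs_decrypt(packet, key):
    """Recover the body: re-derive the pad from the header fields and XOR again."""
    version, _type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret || c_i-1), c_0 = Request Authenticator.
    Only this attribute is protected; the password is null-padded to 16-octet blocks."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password; trailing null padding is stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```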

TACACS+ provides management of users who access the switch through Telnet, serial, and SSH v2 connections. TACACS+ supports users only on NNCLI.

Access to SNMP and the Web-based management interface is disabled when TACACS+ is enabled.

For more information about TACACS+, go to the Microsoft Web site: http://www.microsoft.com

ATTENTION
TACACS+ is not compatible with previous versions of TACACS.

TACACS+ architecture

You can configure TACACS+ on the Ethernet Routing Switch 4500 using the following methods:

• Connect the TACACS+ server through a local interface. Management PCs can reside on an out-of-band management port or serial port, or on the corporate network. The TACACS+ server is placed on the corporate network so that it can be routed to the Ethernet Routing Switch 4500.

• Connect the TACACS+ server through the management interface using an out-of-band management network.

You can configure a secondary TACACS+ server for backup authentication. You specify the primary authentication server when you configure the switch for TACACS+.

Feature operation

During the log on process, the TACACS+ client initiates the TACACS+ authentication session with the server. After successful authentication, if TACACS+ authorization is enabled, the TACACS+ client initiates the TACACS+ authorization session with the server. After successful authentication, if TACACS+ accounting is enabled, the TACACS+ client sends accounting information to the TACACS+ server.


TACACS+ authentication

TACACS+ authentication offers complete control of authentication through log on and password dialog, and response. The authentication session provides user name and password functionality.

You cannot enable both RADIUS and TACACS+ authentication on the same interface. However, you can enable RADIUS and TACACS+ on different interfaces; for example, RADIUS on the serial connection and TACACS+ on the Telnet connection.

ATTENTION
Prompts for log on and password occur prior to the authentication process. If TACACS+ fails because there are no valid servers, the user name and password are checked against the local database. If TACACS+ or the local database returns an access denied packet, the authentication process stops. No other authentication methods are attempted.

TACACS+ authorization

The transition from TACACS+ authentication to the authorization phase is transparent to the user. Upon successful completion of the authentication session, an authorization session starts with the authenticated user name. The authorization session provides access level functionality.

With TACACS+ authorization, you can limit the switch commands available to a user. When TACACS+ authorization is enabled, the NAS uses information retrieved from the user profile, which is located either in the local user database or on the security server, to configure the user session. The user is granted access to a requested command only if the information in the user profile allows it.

TACACS+ authorization is not mandatory for all privilege levels.

After the NAS requests authorization, the entire command is sent to the TACACS+ daemon for authorization. You preconfigure command authorization on the TACACS+ server by specifying a list of regular expressions that match command arguments, and associating each command with an action to deny or permit. For more information about the configuration required on the TACACS+ server, see “TACACS+ server configuration example” (page 57).

Authorization is recursive over groups. If you place a user in a group, the daemon looks in the group for authorization parameters if it cannot find them in the user declaration.


If authorization is enabled for a privilege level to which a user is assigned, the TACACS+ server denies commands for which access is not explicitly granted for the specific user or for the user group. On the daemon, ensure you authorize each group to access basic commands such as enable or logout.

If the TACACS+ server is not available or an error occurs during the authorization process, the only command available is logout.

In the TACACS+ server configuration, if a privilege level is not defined for a user but the user can execute at least one command, the user defaults to privilege level 0. If all commands are explicitly denied for a user, the user cannot access the switch at all.

Changing privilege levels at runtime

Users can change their privilege levels at runtime by using the following command on the switch:

tacacs switch level [<level>]

[<level>] is the privilege level you want to access.

You are prompted to provide the required password. If you do not specify a level in the command, the administration level (15) is selected by default.

To return to the original privilege level, enter the following command on the switch:

tacacs switch back

To support runtime switching of users to a particular privilege level, you must preconfigure a dummy user for that level on the daemon. The format of the user name for the dummy user is $enab<n>$, where <n> is the privilege level to which you want to allow access.

For more information about the configuration required on the TACACS+ server, see “TACACS+ server configuration example” (page 57).

TACACS+ server configuration example

The following figure shows a sample configuration for a Linux TACACS+ server. In this example, the privilege level is defined for the group, not the individual user. The dummy user is created to support runtime switching of privilege levels.


Figure 3  Example: TACACS+ server configuration
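The figure itself is not reproduced here. As an added example (not Nortel code, and not the syntax of any real daemon's configuration file), the following Python model shows the authorization behaviour described in the preceding sections: ordered regular-expression command rules with permit and deny actions, recursive lookup from the user to the group, privilege-level defaulting, and the $enab<n>$ dummy user used for runtime level switching. All user, group and password names are assumed sample values.

```python
"""Model of the TACACS+ command-authorization behaviour described above.

Added example, not Nortel code and not a real daemon: POLICY is a constructed
Python stand-in for the daemon's user and group declarations (the Linux server
configuration of Figure 3 is not reproduced here). It shows ordered regular
expression rules with permit/deny actions, a default for unmatched commands,
lookup that recurses from user to group, privilege-level defaulting, and the
$enab<n>$ dummy user behind runtime level switching. Names and passwords are
sample values.
"""
import hmac
import re

POLICY = {
    "groups": {
        "netops": {"priv_lvl": 15, "default": "deny",
                   "cmds": [(r"^(enable|logout)$", "permit"), (r"^show .*", "permit"),
                            (r"^configure .*", "permit")]},
        "helpdesk": {"priv_lvl": 1, "default": "deny",
                     "cmds": [(r"^logout$", "permit"),
                              (r"^show (interfaces|vlan)( .*)?$", "permit")]},
    },
    "users": {
        "alice": {"group": "netops"},
        # a user-level rule is consulted before the group's rules
        "bob": {"group": "helpdesk", "cmds": [(r"^show running-config$", "permit")]},
        # no privilege level declared but one command permitted: defaults to level 0
        "carol": {"default": "deny", "cmds": [(r"^show .*", "permit")]},
        # every command explicitly denied: no access to the switch at all
        "mallory": {"cmds": [(r".*", "deny")]},
        # dummy user backing "tacacs switch level 15"; only its password is used
        "$enab15$": {"password": "Level15-example!"},
    },
}


def _chain(policy, user):
    """Yield the user's declaration, then its group, then that group's parent group, ..."""
    node, seen = policy["users"].get(user), set()
    while node is not None:
        yield node
        parent = node.get("group")
        if parent is None or parent in seen:   # stop at the top or on a mis-configured cycle
            break
        seen.add(parent)
        node = policy["groups"].get(parent)


def lookup(policy, user, key):
    """Recursive attribute lookup: the first declaration in the chain that defines key wins."""
    return next((node[key] for node in _chain(policy, user) if key in node), None)


def authorize(policy, user, command):
    """Decide "permit" or "deny" for the full command line the NAS sends.

    Rules are tried in order, the user's own before the group's; the first match
    decides. With no match the nearest declared default applies, otherwise deny.
    """
    for node in _chain(policy, user):
        for pattern, action in node.get("cmds", []):
            if re.match(pattern, command):
                return action
    return lookup(policy, user, "default") or "deny"


def effective_priv_lvl(policy, user):
    """Declared level; else 0 if at least one command is permitted; else None (no access)."""
    level = lookup(policy, user, "priv_lvl")
    if level is not None:
        return level
    permitted = any(action == "permit" for node in _chain(policy, user)
                    for _pattern, action in node.get("cmds", []))
    return 0 if permitted or lookup(policy, user, "default") == "permit" else None


def switch_level(policy, password, level=None):
    """'tacacs switch level [<level>]': level 15 when omitted; needs the $enab<level>$ user.

    Returns the new level, or None when the dummy user is missing or the password is wrong.
    """
    level = 15 if level is None else level
    dummy = policy["users"].get(f"$enab{level}$", {})
    if not hmac.compare_digest(dummy.get("password", ""), password):
        return None
    return level
```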

TACACS+ accounting

TACACS+ accounting enables you to track

• the services accessed by users

• the amount of network resources consumed by users

When you enable TACACS+ accounting, the NAS reports user activity to the TACACS+ server in the form of accounting records. Each accounting record contains accounting attribute=value (AV) pairs. The accounting records are stored on the security server. The accounting data can be analyzed for network management and auditing.

TACACS+ accounting provides information about user NNCLI terminal sessions within serial, Telnet, or SSH shells (from the NNCLI management interface).

The accounting record includes the following information:

• user name

• date

• start, stop, and elapsed time


• access server IP address

• reason

You cannot customize the set of events that are monitored and logged by TACACS+ accounting. TACACS+ accounting logs the following events:

• user logon and logoff

• logoff generated because of activity timeout

• unauthorized command

• Telnet session closed (not logged off)

TACACS+ configuration

You can use NNCLI to configure TACACS+ on the Ethernet Routing Switch 4500. You cannot configure TACACS+ using Device Manager.

For more information about configuring TACACS+ server information and TACACS+ authentication, authorization, and accounting using NNCLI, see “TACACS+ configuration using NNCLI” (page 178).

You can also use the console interface to enable or disable TACACS+ authentication on serial and Telnet connections. On the Console/Comm Port Configuration menu, select Telnet/WEB Switch Password Type or Telnet/WEB Stack Password Type, and select TACACS+ Authentication.

IP Manager

You can limit access to the management features of the Nortel Ethernet Routing Switch 4500 by defining the IP addresses that are allowed access to the switch.

The IP Manager allows you to do the following:

• Define up to 50 IPv4 and 50 IPv6 addresses and masks that can access the switch. No other source IP addresses have management access to the switches.

• Enable or disable access to Telnet, SNMP, SSH, and the Web-based management system.

You cannot change the Telnet access field if you are connected to the switch through Telnet. Use a non-Telnet connection to modify the Telnet access field.

ATTENTION
To avoid locking a user out of the switch, Nortel recommends that you configure ranges of IP addresses that are allowed to access the switch.


Changes you make to the IP Manager list are applied immediately.

Password security

The Ethernet Routing Switch 4500 provides enhanced password security for the following passwords:

• Switch read-only password

• Switch read-write password

• Stack read-only password

• Stack read-write password

• RADIUS Shared Secret (display limitation feature only)

• Read-only community string (display limitation feature only)

• Read-write community string (display limitation feature only)

Password length and valid characters

Valid passwords are from 10 to 15 characters long. The password must contain a minimum of the following:

• two lowercase letters

• two capital letters

• two numbers

• two special symbols, such as !@#$%^&*()

The password is case-sensitive.

Password retry

If the user fails to provide the correct password after a number of consecutive retries, the switch resets the log-on process. You can configure the number of retries using NNCLI. The default is three. For more information, see “Configuring the number of retries” (page 189).

Password history

You can configure the Ethernet Routing Switch 4500 to keep a maximum history of the last ten passwords. If you set the password for the fourth time and the history size is set to 3, you can reuse the password that you used the first time. You cannot reuse a password stored in history.

Password display

The password is not displayed as clear text. Each character of the password is substituted with an asterisk (*).


Password verification

When you provide a new password, you must confirm it by retyping the password. If the two passwords do not match, the password update process fails. In this case, you must try to update the password once again. No limit exists on the number of times you are allowed to update the password.

Password aging time

Passwords expire after a specified aging period. The aging period is configurable, with a range of 1 day to approximately 7.5 years (2730 days). The default is 180 days. When a password has aged out, the user is prompted to create a new password. Only users with a valid Read-Write (RW) password can create a new RW password or Read-Only (RO) password.

Read-Only and Read-Write passwords

The RO and RW passwords cannot be the same.

Default password and default password security

For the non-SSH image, the default password for RO is user and secure for RW. For the SSH software image, the default password for RO is userpasswd and securepasswd for RW.

Password security enabled or disabled

By default, password security is disabled for the non-SSH software image and enabled for the SSH software image.

You can enable password security from NNCLI only. When it is enabled, the following happens:

• Current passwords remain unchanged if they meet the required specifications. If they do not meet the required specifications, the user is prompted to change them to passwords that do meet the requirements.

• An empty password history bank is established. The password bank stores three used passwords.

• Password verification is required.

You can disable password security from NNCLI only. When it is disabled, the following happens:

• Current passwords remain valid.

• The password history bank is removed.

• Password verification is not required.


Password security commands

For more information about NNCLI commands to enable or disable password security, see “Configuring password security” (page 188).

Password security features and requirements

The following table describes the password security features and requirements in place when you enable password security.

Table 6  Password security features and requirements summary

Feature requirement: Description

Password composition: The password must contain a minimum of two of each of the following types of characters: lowercase letters, capital letters, numbers, and special symbols such as !@#$%^&*().

Password length: The password must consist of between 10 and 15 characters.

Login attempts: The switch allows only a specified maximum number of consecutive failed log on attempts. The number of allowed retries is configurable. The default is three.

Password history: The previous three passwords used are saved on the switch and cannot be reused until they pass out of the history table.

Password update verification: Password change must be verified by typing the new password twice.

Password aging time: Passwords expire after a specified period. The aging time is configurable. The default is 180 days.

Password display masking: When a password appears or is entered in NNCLI, each character of the password is displayed as an asterisk (*).

Password security factory default: By default, password security is enabled on the SSH software image and disabled on the non-SSH software image.
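An added Python model (not Nortel firmware) of the rules in Table 6 and in the password sections above: composition and length checks, the retry limit, the three-deep history, retype verification, aging within the 1 to 2730 day range, and RO/RW distinctness. The salted-hash storage, the error texts and the use of plain integer seconds for time are this example's own choices.

```python
"""Model of the password-security rules summarized in Table 6.

Added example, not Nortel firmware: it implements the composition and length
rules, the retry limit, the three-deep history, update verification, aging
and the RO/RW distinctness rule described above. Storing salted SHA-256
digests rather than the passwords, and the exact error strings, are this
example's own choices; times are plain integer seconds.
"""
import hashlib
import hmac
import os

SPECIALS = set("!@#$%^&*()")
HISTORY_DEPTH, DEFAULT_RETRIES, DEFAULT_AGING_DAYS = 3, 3, 180
MIN_AGING_DAYS, MAX_AGING_DAYS, DAY = 1, 2730, 86400


def composition_errors(password):
    """Return the composition/length rules a candidate violates (empty list == acceptable)."""
    errors = []
    if not 10 <= len(password) <= 15:
        errors.append("length must be 10 to 15 characters")
    classes = (("lowercase letters", str.islower), ("capital letters", str.isupper),
               ("numbers", str.isdigit), ("special symbols", SPECIALS.__contains__))
    for name, is_member in classes:
        if sum(1 for ch in password if is_member(ch)) < 2:
            errors.append(f"at least two {name} required")
    return errors


class PasswordRecord:
    """One managed password (for example the switch RW password) with retry, history and aging state."""

    def __init__(self, aging_days=DEFAULT_AGING_DAYS, retries=DEFAULT_RETRIES):
        if not MIN_AGING_DAYS <= aging_days <= MAX_AGING_DAYS:
            raise ValueError("aging period must be between 1 and 2730 days")
        self.aging = aging_days * DAY
        self.retries = retries
        self.history = []        # (salt, digest) of the last HISTORY_DEPTH passwords set
        self.current = None
        self.set_at = None
        self.failures = 0

    @staticmethod
    def _digest(password, salt):
        return hashlib.sha256(salt + password.encode()).digest()

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(self._digest(password, salt), digest)

    def update(self, new, confirmation, now, other=None):
        """Change the password: retype verification, composition, history, and RO != RW."""
        if new != confirmation:
            raise ValueError("passwords do not match; update failed")
        errors = composition_errors(new)
        if errors:
            raise ValueError("; ".join(errors))
        if any(self._matches(new, entry) for entry in self.history):
            raise ValueError("password is in history and cannot be reused")
        if other is not None and other.current and other._matches(new, other.current):
            raise ValueError("RO and RW passwords cannot be the same")
        salt = os.urandom(16)
        self.current = (salt, self._digest(new, salt))
        self.history = (self.history + [self.current])[-HISTORY_DEPTH:]
        self.set_at, self.failures = now, 0

    def verify(self, attempt, now):
        """"ok", "expired" (a new password must be set), "denied", or "reset" at the retry limit."""
        if self.current is None or not self._matches(attempt, self.current):
            self.failures += 1
            if self.failures >= self.retries:
                self.failures = 0
                return "reset"       # the switch restarts the log-on process
            return "denied"
        self.failures = 0
        return "expired" if now - self.set_at >= self.aging else "ok"


def try_update(record, new, confirmation, now, other=None):
    """Attempt an update and return the rejection reason, or None when it succeeded."""
    try:
        record.update(new, confirmation, now, other)
    except ValueError as exc:
        return str(exc)
    return None
```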

NNCLI audit

NNCLI audit provides a means for tracking NNCLI commands.

A special area of flash memory reserved for NNCLI audit stores the command history. Access to this area is read-only. When you enable remote logging, the audit message is also forwarded to a remote syslog server, regardless of the logging level.


Every time you issue a NNCLI command, the switch generates an audit message. Each log entry consists of the following information:

• timestamp

• fixed priority setting of 30 (= informational message)

• command source

— serial console and the unit connected

— Telnet or SSH connection and the IP address

• command status (success or failure)

• NNCLI command itself

By default, NNCLI audit is enabled. You can disable the audit log, which stops log messages from being written to the flash memory and to the syslog server, if configured.

Simple Network Management Protocol

The Nortel Ethernet Routing Switch 4500 supports Simple Network Management Protocol (SNMP).

SNMP is traditionally used to monitor devices running software that allows the retrieval of SNMP information (for example, UNIX systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases).

You can also use SNMP to change the state of SNMP-based devices. For example, you can use SNMP to turn off an interface on your device.

SNMP Version 1 (SNMPv1)

SNMP Version 1 (SNMPv1) is a historic version of the SNMP protocol, defined in RFC 1157, and is an Internet Engineering Task Force (IETF) standard.

SNMPv1 security is based on communities, which are passwords (plain text strings allowing SNMP-based applications that know the strings to gain access to device management information). SNMPv1 typically has three communities: read-only, read-write, and trap.

SNMP Version 2 (SNMPv2)

SNMP Version 2 (SNMPv2) is another historic version of SNMP, and is often referred to as community string-based SNMPv2. This version of SNMP is technically called SNMPv2c, defined in RFC 1905, RFC 1906, and RFC 1907.


SNMP Version 3 (SNMPv3)

SNMP Version 3 (SNMPv3) is the current formal SNMP standard, defined in RFCs 3410 through 3419, and in RFC 3584. It provides support for strong authentication and private communication between managed entities.

Nortel Ethernet Routing Switch 4500 Series support for SNMP

The SNMP agent in the Ethernet Routing Switch 4500 supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.

SNMPv3 support in the Ethernet Routing Switch 4500 introduces industrial-grade user authentication and message security. This includes MD5- and SHA-based user authentication and message integrity verification, as well as AES- and DES-based privacy encryption.

The Ethernet Routing Switch 4500 allows you to configure SNMPv3 using Device Manager, Web-based management, or NNCLI.

SNMP MIB support

The Ethernet Routing Switch 4500 supports an SNMP agent with industry-standard Management Information Bases (MIB) as well as private MIB extensions, which ensures compatibility with existing network management tools.

The IETF standard MIBs supported on the switch include MIB-II (originally published as RFC 1213, then split into separate MIBs as described in RFCs 4293, 4022, and 4113), Bridge MIB (RFC 4188), and the RMON MIB (RFC 2819), which provides access to detailed management statistics.

For more information about the MIBs supported by the Ethernet Routing Switch 4500, see “Supported SNMP MIBs and traps” (page 359).

SNMP trap support

With SNMP management, you can configure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in port operating status.

The Ethernet Routing Switch 4500 supports both industry-standard SNMP traps and private Nortel enterprise traps.

For more information about the MIBs and traps supported by the Ethernet Routing Switch 4500, see “Supported SNMP MIBs and traps” (page 359).


You can use NNCLI to enable or disable SNMP traps for the following features so that the system can generate SNMP traps for operational conditions and errors:

• DHCP Snooping

• Dynamic ARP Inspection (DAI)

• IP Source Guard (IPSG)

See “Configuring SNMP using NNCLI” (page 155).

Secure Socket Layer protocol

Secure Socket Layer (SSL) deployment provides a secure Web management interface.

The SSL server has the following features:

• SSLv3-compliant

• PKI key exchange

• key size of 1024-bit encryption

• RC4 and 3DES cryptography

• MAC algorithms MD5 and SHA-1

Generally, an SSL certificate is generated when

• The system is powered up for the first time and the NVRAM does not contain a certificate that can be used to initialize the SSL server.

• The management interface (NNCLI and SNMP) requests that a new certificate be generated. A certificate cannot be used until the next system reset or SSL server reset.

Secure versus Non-secure mode

The management interfaces (NNCLI and SNMP) can configure the Web server to operate in a secure or nonsecure mode. The SSL Management Library interacts with the Web server to this effect.

In the secure mode, the Web server listens on TCP port 443 and responds only to HTTPS client browser requests. All existing nonsecure connections with the browser are closed down.

In the nonsecure mode, the Web server listens on TCP port 80, by default, and responds only to HTTP client browser requests. All existing secure connections with the browser are closed down. You can designate the TCP port as a number between 1024 and 65535.


ATTENTION
If the TCP port is set to a number other than 80, you must configure the HttpPort attribute for the device properties to match the switch configuration to access the device home page with the Web-based Management Interface.

SSL Certificate Authority

SSL certificates are issued and signed by a Certificate Authority (CA) such as VeriSign. Because the management and cost of purchasing a certificate from a CA is a client concern, Nortel issues and signs the SSL certificate with the understanding that it is not a recognized CA.

The SSL certificate contains the following information. The first three items (Issuer, Start Date, End Date) are constant. The remaining items are derived from the RSA host key associated with the certificate.

Issuer : Nortel Networks
Start Date : May 26 2003, 00:01:26
End Date : May 24 2033, 23:01:26
SHA1 Finger Print:
d6:b3:31:0b:ed:e2:6e:75:80:02:f2:fd:77:cf:a5:fe:9d:6d:6b:e0
MD5 Finger Print:
fe:a8:41:11:f7:26:69:e2:5b:16:8b:d9:fc:56:ff:cc
RSA Host Key (length= 1024 bits):
40e04e564bcfe8b7febf1f7139b0fde9f5289f01020d5a59b66ce7207895545fb3abd694f836a9243651fd8cee502f665f47de8da44786e0ef292a3309862273d36644561472bb8eac4d1db9047c35ad40c930961b343dd03f77cd88e8ddd3dda02ae29189b4690a1f47a5fa71b75ffcac305fae37c56ca87696dd9986aa7d19

SSL configuration and management

For more information about configuring and managing SSL services, see “Secure Socket Layer services” (page 192).

Secure Shell protocol

Secure Shell (SSH) protocol replaces Telnet to provide secure access to the NNCLI interface.

The SSH protocol includes two versions: SSH1 and SSH2. The SSH implementation in the Nortel Ethernet Routing Switch 4500 supports SSH2.


Components of SSH2

You can use SSH2 for secure remote log on and other secure network services over an insecure network. SSH2 consists of three major components:

• The Transport Layer Protocol (SSH-TRANS): SSH-TRANS is one of the fundamental building blocks, providing initial connection, packet protocol, server authentication, and basic encryption and integrity services. The protocol can also provide compression. The transport layer is used over a TCP/IP connection and can be used on top of other reliable data streams.

• The User Authentication Protocol (SSH-USERAUTH) authenticates the client-side user to the server. It runs over the transport layer protocol. SSH-USERAUTH supports two methods: public key and password authentication. To authenticate, an SSH2 client tries a sequence of authentication methods chosen from the set allowed by the server (for example, public key, password) until one succeeds or all fail.

• The Connection Protocol (SSH-CONNECT) multiplexes the encrypted tunnel into several logical channels. This protocol runs over the user authentication protocol.

SSH service configuration

The SSH service engine allows you to configure the SSH service. You can configure SSH through the NNCLI interface and the SNMP interface.

ATTENTION
If you enable SSH on the switch and you load an ASCII configuration file containing SSH related commands, those commands will fail. You must disable SSH on the switch before you load an ASCII configuration file containing SSH related commands.

The management objects are:

• SSH enable or disable
When SSH is enabled, you can configure the SSH server to disable other non-secured interfaces. This is referred to as the SSH secured mode. Otherwise, when you enable SSH, it operates in unsecured mode.

• DSA authentication enable or disable


You can configure the SSH server to allow or disallow DSA authentication. The other authentication method supported by the Nortel Ethernet Routing Switch 4500 is password authentication.

Note: If SSH is enabled on the switch and you load an ASCII configuration file containing SSH related commands, those commands will fail. You must disable SSH on the switch before you load an ASCII configuration file containing SSH related commands.

• Password authentication enable or disable
If password authentication is not enabled, you are not allowed to initiate connections. After you have access, you cannot disable both DSA and password authentication.

• DSA public key upload and download

• SSH information dump: shows all the SSH-related information

SSH clients

The following SSH clients are supported by the switch:

• Putty SSH (Windows 2000)

• F-secure SSH, v5.3 (Windows 2000)

• SSH Secure Shell 3.2.9 (Windows 2000)

• SecureCRT 4.1

• Cygwin OpenSSH (Windows 2000)

• AxeSSH (Windows 2000)

• SSHPro (Windows 2000)

• Solaris SSH (Solaris)

• Mac OS X OpenSSH (Mac OS X)

DHCP snooping

Dynamic Host Configuration Protocol (DHCP) snooping provides security to the network by preventing DHCP spoofing. DHCP spoofing refers to an attacker’s ability to respond to DHCP requests with false IP information. DHCP snooping acts like a firewall between untrusted hosts and the DHCP servers, so that DHCP spoofing cannot occur.


DHCP snooping classifies ports into two types:

• Untrusted—ports that are configured to receive messages from outsidethe network or firewall. Only DHCP requests are allowed.

• Trusted—ports that are configured to receive messages only fromwithin the network, such as switch-to-switch and DHCP server ports.All types of DHCP messages are allowed.

DHCP snooping operates as follows to eliminate the capability to set uprogue DHCP servers on untrusted ports:

• DHCP snooping allows only DHCP requests from untrusted ports.DHCP replies and all other types of DHCP messages from untrustedports are dropped.

• DHCP snooping verifies the source of DHCP packets.

— When the switch receives a DHCP request on an untrusted port,DHCP snooping compares the source MAC address and theDHCP client hardware address. If the addresses match, the switchforwards the packet. If the addresses do not match, the switchdrops the packet.

— When the switch receives a DHCP release or DHCP declinebroadcast message from a client, DHCP snooping verifies thatthe port on which the message was received matches the portinformation for the client MAC address in the DHCP binding table.If the port information matches, the switch forwards the DHCPpacket.

DHCP binding tableDHCP snooping dynamically creates and maintains a binding table. TheDHCP binding table includes the following information about DHCP leaseson untrusted interfaces:

• source MAC address

• IP address

• lease duration

• time to expiry

• VLAN ID

• port

The maximum size of the DHCP binding table is 512 entries.

You can view the DHCP binding table during runtime, but you cannot modify it manually. In particular, you cannot configure static entries.


The DHCP binding table is stored in RAM, and therefore is not saved across restarts.
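The snooping rules and binding table described above, modelled in Python as an added example (this is not Nortel code and not the switch's implementation). The port names, MAC addresses, VLAN number and lease times are constructed; the binding-table limit of 512 is the figure the text gives, and what happens when the table is full is an assumption, marked in the code.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Only client-originated DHCP messages may arrive on an untrusted port;
# replies and every other message type seen there are dropped.
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}
MAX_BINDINGS = 512  # binding table limit stated in the text


@dataclass
class DhcpPacket:
    msg_type: str
    src_mac: str        # Ethernet source address
    chaddr: str         # DHCP client-hardware-address field
    vlan: int
    port: str
    yiaddr: str = ""    # address assigned by the server (ACK)
    lease: int = 0      # lease duration in seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    expires_at: int
    vlan: int
    port: str


class DhcpSnooper:
    """Port trust, message filtering and the RAM-only binding table."""

    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings: Dict[str, Binding] = {}      # keyed by client MAC
        self._pending: Dict[str, DhcpPacket] = {}   # REQUESTs awaiting a reply

    def handle(self, pkt: DhcpPacket, now: int = 0) -> Tuple[bool, str]:
        """Decide whether to forward one DHCP packet; returns (forward, reason)."""
        self.expire(now)
        mac = pkt.chaddr.lower()
        if pkt.vlan not in self.vlans:
            return True, "vlan not snooped"
        if pkt.port in self.trusted:
            # Trusted ports pass every message type; a server ACK completes a
            # pending request: MAC/VLAN/port from the request, IP from the reply.
            if pkt.msg_type == "ACK" and mac in self._pending:
                self._bind(self._pending.pop(mac), pkt, now)
            return True, "trusted port"
        if pkt.msg_type not in CLIENT_MSGS:
            return False, "non-request DHCP message on untrusted port"
        if pkt.src_mac.lower() != mac:
            return False, "source MAC does not match chaddr"
        if pkt.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(mac)
            if bound is None or bound.port != pkt.port:
                return False, "release/decline from a port other than the bound one"
            del self.bindings[mac]
            return True, "client message (binding removed)"
        if pkt.msg_type == "REQUEST":
            self._pending[mac] = pkt
        return True, "client message"

    def _bind(self, req: DhcpPacket, ack: DhcpPacket, now: int) -> None:
        mac = req.chaddr.lower()
        if mac not in self.bindings and len(self.bindings) >= MAX_BINDINGS:
            return  # table full: the text gives the limit only; ignoring the lease is an assumption
        self.bindings[mac] = Binding(mac, ack.yiaddr, ack.lease, now + ack.lease, req.vlan, req.port)

    def expire(self, now: int) -> None:
        """Drop entries whose lease has run out (the table is never edited by hand)."""
        for mac in [m for m, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[mac]


def run_demo():
    """Constructed traffic: a valid lease, a reply from an untrusted port, a release from the wrong port."""
    sw = DhcpSnooper(trusted_ports={"1/24"}, snooping_vlans={10})
    pc, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    packets = [
        DhcpPacket("REQUEST", pc, pc, 10, "1/3"),
        DhcpPacket("ACK", server, pc, 10, "1/24", yiaddr="10.0.10.50", lease=3600),
        DhcpPacket("OFFER", "00:de:ad:be:ef:01", pc, 10, "1/7", yiaddr="10.0.10.1"),
        DhcpPacket("RELEASE", pc, pc, 10, "1/7"),
    ]
    decisions = [sw.handle(p, now=i)[0] for i, p in enumerate(packets)]
    return decisions, sw.bindings


if __name__ == "__main__":
    print(run_demo())
```

The OFFER arriving on untrusted port 1/7 and the RELEASE arriving on a port other than the one the lease was learned on are both dropped, while the binding created from the REQUEST/ACK pair carries the client's MAC, VLAN and port from the request and its IP and lease from the reply.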

DHCP snooping configuration and management

DHCP snooping is configured on a VLAN-by-VLAN basis.

Configure and manage DHCP snooping using the Nortel Networks Command Line Interface (NNCLI), Device Manager (JDM), and SNMP. For more information about configuring DHCP snooping through NNCLI, see “Configuring DHCP snooping using NNCLI” (page 199). For more information about configuring DHCP snooping through JDM, see “DHCP snooping configuration using Device Manager” (page 291).

DHCP snooping global configuration

This configuration enables or disables DHCP snooping for the entire unit or stack. If you enable DHCP snooping globally, the agent determines whether the DHCP reply packets will be forwarded, based on the DHCP snooping mode (enable or disable) of the VLAN and the untrusted or trusted state of the port. You must enable DHCP snooping globally before using DHCP snooping on a VLAN. If you disable DHCP snooping globally, the switch or stack will forward DHCP reply packets to all required ports, regardless of whether the port is configured as trusted or untrusted.

Dynamic ARP inspection

Dynamic Address Resolution Protocol (Dynamic ARP) inspection is a security feature that validates ARP packets in the network.

Without dynamic ARP inspection, a malicious user can attack hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Dynamic ARP inspection prevents this type of attack. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.

The address binding table is dynamically built from information gathered in the DHCP request and reply when DHCP snooping is enabled. The MAC address from the DHCP request is paired with the IP address from the DHCP reply to create an entry in the DHCP binding table. For more information about the DHCP binding table, see “DHCP binding table” (page 69).

When you enable Dynamic ARP inspection, ARP packets on untrusted ports are filtered based on the source MAC and IP addresses seen on the switch port. The switch forwards an ARP packet when the source MAC and IP address match an entry in the address binding table. Otherwise, the ARP packet is dropped.


For dynamic ARP inspection to function, DHCP snooping must be globally enabled.

Dynamic ARP inspection is configured on a VLAN-by-VLAN basis.

Configure and manage dynamic ARP inspection using NNCLI. For more information about configuring this feature with NNCLI, see “Configuring dynamic ARP inspection” (page 206). For more information about configuring this feature with JDM, see “Dynamic ARP inspection configuration using Device Manager” (page 294).
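The validation rule just described (on an untrusted port in an inspected VLAN, the ARP sender MAC and IP must match a binding-table entry; otherwise the packet is logged and discarded), as an added Python example that is not Nortel's code. The binding table is hard-coded in the shape the text describes rather than learned from DHCP, and all addresses, VLAN and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed binding table: one entry per lease that DHCP snooping would have
# learned (MAC, IP, VLAN, port). Hard-coded here instead of learned.
BINDINGS = [
    ("00:11:22:33:44:55", "10.0.10.50", 10, "1/3"),
    ("00:11:22:33:44:66", "10.0.10.51", 10, "1/4"),
]


@dataclass
class ArpPacket:
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    vlan: int
    port: str


class ArpInspector:
    """Validates ARP on untrusted ports against the DHCP snooping binding table."""

    def __init__(self, bindings, trusted_ports, dai_vlans, snooping_global=True):
        if not snooping_global:
            raise ValueError("dynamic ARP inspection needs DHCP snooping enabled globally")
        # (VLAN, MAC) -> IP: the text requires the source MAC and IP to match an entry
        self.ip_for = {(vlan, mac.lower()): ip for mac, ip, vlan, _port in bindings}
        self.trusted = set(trusted_ports)
        self.vlans = set(dai_vlans)
        self.log: List[str] = []

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True to forward, False to discard (each discard is logged)."""
        if pkt.vlan not in self.vlans or pkt.port in self.trusted:
            return True
        if self.ip_for.get((pkt.vlan, pkt.sender_mac.lower())) == pkt.sender_ip:
            return True
        self.log.append(f"DAI drop vlan={pkt.vlan} port={pkt.port} "
                        f"mac={pkt.sender_mac} ip={pkt.sender_ip}")
        return False


def run_demo() -> Tuple[List[bool], List[str]]:
    dai = ArpInspector(BINDINGS, trusted_ports={"1/24"}, dai_vlans={10})
    packets = [
        ArpPacket("00:11:22:33:44:55", "10.0.10.50", 10, "1/3"),  # matches its own lease
        ArpPacket("00:11:22:33:44:55", "10.0.10.1", 10, "1/3"),   # claims an IP it was not leased
        ArpPacket("00:de:ad:be:ef:01", "10.0.10.77", 10, "1/9"),  # no lease learned for this MAC
        ArpPacket("00:aa:bb:cc:dd:ee", "10.0.10.1", 10, "1/24"),  # trusted uplink: not checked
    ]
    return [dai.inspect(p) for p in packets], dai.log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    print("\n".join(log))
```

Only the packets whose sender MAC/IP pair has a matching lease pass on untrusted ports; the uplink is trusted and therefore unchecked, which is why the trust boundary (which ports are trusted) matters as much as the table itself.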

IP Source Guard

IP Source Guard provides security to the network by filtering clients with invalid IP addresses. IP Source Guard is a Layer 2 (L2), port-to-port basis feature that works closely with information in the Dynamic Host Configuration Protocol (DHCP) snooping binding table. For more information about DHCP snooping, see “DHCP snooping” (page 68). When you enable IP Source Guard on an untrusted port with DHCP snooping enabled, an IP filter entry is created or deleted for that port automatically, based on IP information stored in the corresponding DHCP snooping binding table entry. When a connecting client receives a valid IP address from the DHCP server, a filter is installed on the port to allow traffic only from the assigned IP address. A maximum of 10 IP addresses are allowed on each IP Source Guard-enabled port. When this number is reached, no more filters are set up and traffic is dropped.

IP Source Guard is available to the Ethernet Routing Switch 4500 utilizing Broadcom 569x ASICs, and is implemented with the facility provided by the port ContentAware Processor (CAE) in the ASIC.

ATTENTION
Enable IP Source Guard only on an untrusted DHCP snooping port.

Nortel recommends that you do not enable IPSG on MLT, DMLT and LAG ports.

The following table shows you how IP Source Guard works with DHCP snooping.

Table 7: IP Source Guard and DHCP snooping

| IP Source Guard configuration state | DHCP snooping configuration state | DHCP snooping binding entry action (untrusted ports) | IP Source Guard action |
| --- | --- | --- | --- |
| disabled or enabled | enabled | creates a binding entry | creates a filter for the IP address using the IP address from the binding table entry |
| enabled | enabled | creates a binding entry | creates a filter for the IP address using the IP address from the binding table entry |
| enabled | enabled | deletes a binding entry | deletes the IP filter and installs a default filter to block all IP traffic on the port |
| enabled | enabled | deletes binding entries when one of the following conditions occurs: DHCP is released; the port link is down or the port is administratively disabled; the lease time has expired | deletes the corresponding IP filter and installs a default filter to block all IP traffic |
| enabled or disabled | enabled | not applicable | deletes the installed IP filter for the port |
| disabled | enabled | creates a binding entry | not applicable |
| disabled | enabled | deletes a binding entry | not applicable |
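The IP Source Guard behaviour described above and summarised in Table 7 (a per-port filter installed from the binding entry, a default block-all filter once a binding is deleted, and the limit of 10 addresses per port), as an added Python model that is not Nortel's code. The binding events are fed in by hand; port names and addresses are constructed.

```python
from typing import Dict, Set

MAX_IPSG_ADDRESSES = 10  # per IP Source Guard-enabled port, as stated in the text


class IpSourceGuard:
    """Per-port source-IP filters driven by DHCP snooping binding events (Table 7)."""

    def __init__(self):
        self.enabled: Set[str] = set()
        self.allowed: Dict[str, Set[str]] = {}  # port -> source IPs permitted

    def enable(self, port: str, untrusted: bool = True) -> None:
        if not untrusted:
            raise ValueError("enable IP Source Guard only on an untrusted DHCP snooping port")
        self.enabled.add(port)
        self.allowed.setdefault(port, set())  # empty set = default filter blocking all IP

    def disable(self, port: str) -> None:
        self.enabled.discard(port)
        self.allowed.pop(port, None)          # installed filter removed for the port

    def binding_created(self, port: str, ip: str) -> bool:
        """Snooping created a binding: install a filter for its IP. False if none installed."""
        if port not in self.enabled:
            return False
        ips = self.allowed[port]
        if ip in ips:
            return True
        if len(ips) >= MAX_IPSG_ADDRESSES:
            return False  # limit reached: no new filter, so this client's traffic is dropped
        ips.add(ip)
        return True

    def binding_deleted(self, port: str, ip: str) -> None:
        """Lease released or expired, link down or port disabled: remove that IP's filter."""
        if port in self.enabled:
            self.allowed[port].discard(ip)

    def permits(self, port: str, src_ip: str) -> bool:
        """Would IP traffic with this source address be forwarded on this port?"""
        if port not in self.enabled:
            return True
        return src_ip in self.allowed[port]


def run_demo() -> Dict[str, bool]:
    ipsg = IpSourceGuard()
    ipsg.enable("1/3")
    out = {"before_lease": ipsg.permits("1/3", "10.0.10.50")}  # default filter blocks everything
    ipsg.binding_created("1/3", "10.0.10.50")
    out["leased_ip"] = ipsg.permits("1/3", "10.0.10.50")
    out["other_ip"] = ipsg.permits("1/3", "10.0.10.99")        # not leased on this port
    ipsg.binding_deleted("1/3", "10.0.10.50")                   # lease expired
    out["after_expiry"] = ipsg.permits("1/3", "10.0.10.50")
    ipsg.enable("1/5")
    for i in range(MAX_IPSG_ADDRESSES):
        ipsg.binding_created("1/5", f"10.0.10.{100 + i}")
    out["eleventh_filter_installed"] = ipsg.binding_created("1/5", "10.0.10.200")
    out["eleventh_permitted"] = ipsg.permits("1/5", "10.0.10.200")
    out["port_without_ipsg"] = ipsg.permits("1/8", "10.0.10.200")
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point worth noticing for capacity planning is the eleventh address: the binding is still created by DHCP snooping, but no filter follows, so that client is cut off rather than admitted.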

You can configure IP Source Guard using the Nortel Networks command line interface (NNCLI), Device Manager, Web-based management interface, and SNMP.

Nortel Secure Network Access

The Nortel Secure Network Access (Nortel SNA) solution is a protective framework to completely secure the network from endpoint vulnerability. The Nortel SNA solution addresses endpoint security and enforces policy compliance. Nortel SNA delivers endpoint security by enabling only trusted, role-based access privileges premised on the security level of the device, user identity, and session context. Nortel SNA enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required antivirus applications or software patches are installed before users are granted network access.

You must make any modifications to NSNA QoS filters before you enable NSNA globally or on any switch port.


The Nortel SNA solution provides both authentication and enforcement (operating system, antivirus, firewall code revision enforcement, Windows registry content verification and enforcement, and file system verification and enforcement).

The Ethernet Routing Switch 4500 supports NSNA release 2.0.

Note: After you configure NSNA, Nortel recommends that you disable the autosave to NVRAM function. Configuration changes must be explicitly saved to NVRAM.

When a large number of NSNA logon or logout events occur in parallel, a few may fail. The NSNAS resets the switch port after a few minutes and you can log back in. You can also disconnect and reconnect the link to the switch to log in.

You can configure the switch as a network access device for the Nortel Secure Network Access (Nortel SNA) solution. Host computers can connect using dynamic or static IP addressing. Windows, Mac OS X, and Linux operating systems are supported.

Access to the corporate network requires successful:

• authentication (user name and password or MAC address)

• host integrity check and remediation (as needed and when configured)

To access the network proceed as follows:

1. Three enforcement zones—Red, Yellow, and Green—provide layered access to the corporate network. Connection requests are directed to a specific zone based on filter sets that are predefined on NSNA network access devices. You can configure the Red, Yellow, and Green enforcement zones using the filter sets in conjunction with unique VLANs for each zone, or by using the filter sets within a single (Red) VLAN. You can customize the filter sets, if necessary.

2. Initial connection requests are directed to the Red zone. The default Nortel SNA Red filter set allows access only to the Nortel SNAS 4050 and the Windows domain controller (or other network log on controller, for example, Novell Netware log on). The connection remains in the Red zone pending successful authentication. You can use either the MAC address of the host or a user name and password of the end user for authentication.

3. After successful authentication, a security agent, the TunnelGuard applet, provides host integrity checking. You can configure TunnelGuard to run once, continuously, or never. Integrity checking is performed on hosts that support Windows operating systems when TunnelGuard is set to run once or continuously.

4. If the TunnelGuard applet determines that the host does not meet the required integrity criteria, the host is placed in the Yellow zone. The Yellow zone provides access to the remediation network only.

5. If the host passes authentication, and integrity checking when configured, the connection is transferred to the Green zone. This gives the user full access to the network, depending on the user profile.

Nortel SNA requires the secure runtime image of the software.

Nortel IP Phones are supported under the Nortel SNA solution, though they are not required to pass authentication and integrity checking. Nortel IP Phones have access to a preconfigured VoIP subnet, and are allowed a pre-specified type of communication. The VoIP filters are such that they do not allow the VoIP traffic to go anywhere except to a specific subnet. This subnet is specified by the VoIP VLAN.

For more information about the Nortel SNA solution and deployment scenarios, see Nortel Secure Network Access Solution Guide (320817-A). For more information about configuring the Nortel SNAS 4050, see Nortel Secure Network Access Switch 4050 User Guide (320818-A).

For more information about configuring the Nortel Ethernet Routing Switch 4500 for the Nortel SNA solution, see “Configuring Nortel Secure Network Access using NNCLI” (page 319) or “Configuring Nortel Secure Network Access using Device Manager” (page 335).

NSNA configuration example for MAC authorization enhancement

This enhancement is to distinguish the trusted users from untrusted users and grant quick access.

The MAC addresses of devices are known and you can use this knowledge to authenticate such devices in a simple, centralized way.

MAC authentication support on NSNA ports

• MAC authentication by the SNAS is automatically enabled on an NSNA dynamic port.

• MAC authentication is used for PCs and passive devices.

• Phones will still be authenticated by their DHCP signature. Provision to configure a list of signatures is provided.

• The initial state of an NSNA port will be in the Red VLAN and Red filter.


New MAC event at the port

• If the MAC comes in on a VoIP VLAN, it is treated as a phone and informs SNAS; otherwise the switch sends an Authenticate Request to the SNAS using SSCP.

• If SNAS has the MAC in its Data Base (DB), it will send back an AuthenticateResponse=Success to the switch using SSCP.

• SSCP message changes are handled between the switch and SNAS internals.

MAC Age Event at the Port

The MAC will remain in the list (as aged out) until replaced by another MAC.

Reset Event at the port

The port can be reset by physical link down and up or through an SSCP message from the SNAS. In either case, all devices will be deleted and the port moved to the Red VLAN filter.

VLAN-Filter Change at the port

4500 5.2 with NSNAS 2.0 supports vlan_filter change on MAC authentication.

MAC Authentication Success

The Success Response contains the following:

• Auth. Result = Success

• Device Type = PC or Passive

• Filter Id (as VID) to indicate Red, Yellow, or Green filter

• Client IP Address if available or 0

The switch saves the device information in its local list and moves the port to the appropriate filter. If the device has a static IP, it will be populated in the SNAS and the switch will learn it in the Auth-Response. If the device supports DHCP, the IP address is learned by DHCP filtering at the switch. When a device IP is learned, the SNAS is informed by SSCP.

MAC Authentication Failure

No response is sent on Auth-Failure, but TG (TunnelGuard) authentication can still happen.


Port modes

Nortel supports the following three modes of operation on a port:

• Default mode: In this mode, the switch port does not have user-based security (for example, 802.1X or EAP or Nortel SNA). You can, however, configure MAC-based security on these ports.

• 802.1X (client mode—that is, the 802.1 supplicant is present): In this mode, the user is authenticated by EAP using an external authentication server, such as a RADIUS server. In this scenario, there is a client (for example, the EAP supplicant) present in the PC.

• NSNA dynamic ports: On NSNA dynamic ports you can connect dynamic IP PCs and passive devices, static IP PCs and passive devices, or phones. Authentication can be done through TunnelGuard (for devices that support this) or by MAC authentication on the NSNAS controller.

ATTENTION
You can configure ports in different modes within the same switch. However, you cannot configure a single port into multiple modes.

ATTENTION
The Spanning Tree Protocol (STP) state of the dynamic Nortel SNA ports is set automatically to Fast Learning.

Filters in the Nortel SNA solution

A corresponding Nortel SNA filter set is provisioned for Nortel SNA Red, Yellow, and Green VLANs. Nortel recommends that you use the default filter sets. You can, however, create customized filter sets and attach these to the Nortel SNA VLANs. You can also modify the default filters after you have enabled them and assigned them to the Nortel SNA VLANs.

For more information about modifying the filter sets, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

ATTENTION
When you apply the Nortel SNA filters to a port, existing Quality of Service (QoS) filters on that port are disabled, and the Nortel SNA filters are applied (preexisting policies are reenabled when Nortel SNA is disabled). For more information, see “Rolling back Nortel SNA mode to default mode” (page 91) and “Nortel SNA solution deployment in an active network” (page 88).

ATTENTION
You must make any modifications to NSNA QoS filters before you enable NSNA globally or on any switch port.


You can configure the Nortel SNA filters manually if, for example, you have specific parameters or proprietary applications.

In certain configurations, workstation boot processes depend on specific network communications. System startup can be negatively impacted if certain network communications are blocked by the initial Red filters. Ensure you are aware of which communications are required for system startup and user authentication prior to the Nortel SNA log on.

If you must configure filters manually to best address your circumstances, Nortel recommends that you use the default filters as your template. You must include manually configured custom filters in the Nortel SNA filter set.

ATTENTION
Nortel does not support Nortel SNA filter sets and non Nortel SNA filter sets coexisting on Nortel SNA ports.

You must configure Red, Yellow, and Green VLANs on the Nortel SNA uplink ports of the NSNA network access device when the NSNA filter sets for each enforcement zone are assigned to specific VLANs. When only the filter sets are used, a Red VLAN must be configured on the Nortel SNA uplink ports. To configure the uplink ports, use nsna port <portlist> uplink vlans <vidlist>. For more information, see “Enabling Nortel SNA on ports using NNCLI” (page 324) or “Enabling Nortel SNA on ports using Device Manager” (page 340).

Only Nortel SNA ports (uplink or dynamic) can be in the Red, Yellow, Green, and VoIP VLANs.

Nortel SNA ports become members of Nortel SNA VLANs when Nortel SNA is enabled. Manually attaching dynamic Nortel SNA ports to a non Nortel SNA VLAN is not allowed.

Uplink ports can be members of non Nortel SNA VLANs.

The Nortel SNA software puts all user ports (dynamic NSNA ports) in the Red, Yellow, or Green state dynamically. When the switch initially comes up, all Nortel SNA ports are moved to the Red state with Red filters attached.

You can configure the uplinks as tagged or untagged. A typical uplink on the edge switch is one or more MLTs connected to two core Ethernet Routing Switches 8600 (to provide redundancy). The core routing switches implement SMLT, but that is transparent to the edge switch. In Layer 2, the Nortel SNA uplink is always tagged.


ATTENTION
Nortel recommends that you set the Nortel SNA uplink port STP to either Fast Learning or disabled.

The Red, Yellow, and Green VLANs can be Layer 2. For more information, see “Topologies” (page 82).

You must have one Red VLAN on each switch. You can, however, have multiple Yellow, Green, and VoIP VLANs on each switch.

ATTENTION
With the Ethernet Routing Switch 4500, each switch can support five Yellow VLANs, five Green VLANs, and five VoIP VLANs.

Only 128 filters per precedence level are available per chip (ports 1/1-24 and 1/25-48). Because of this, there is one more limitation regarding the number of VoIP VLANs supported, as each VoIP VLAN consumes 2 filters on the same precedence level. Example: if there are 5 VoIP VLANs defined, then the NSNA Red filter can be enabled on 12 ports per chip.

Completing the combinations, the Red default filter set can be applied to the following number of ports assigned the specified VoIP VLANs:

• 1 VoIP VLAN -> 24 ports (128 / [1 VoIP VLAN * 2 filters])

• 2 VoIP VLANs -> 24 ports (128 / [2 VoIP VLANs * 2 filters])

• 3 VoIP VLANs -> 21 ports (128 / [3 VoIP VLANs * 2 filters])

• 4 VoIP VLANs -> 16 ports (128 / [4 VoIP VLANs * 2 filters])

• 5 VoIP VLANs -> 12 ports (128 / [5 VoIP VLANs * 2 filters])

The VoIP filters are part of the Red and Yellow filters by default, but you can define a separate set of VoIP filters (with different VoIP policing values), if necessary. In the Green VLAN, all traffic is allowed by the default filter, therefore VoIP filters are not specifically added.

You can create multiple Yellow and Green VLANs, as well as multiple VoIP filter sets. When you create the Red, Yellow, and Green VLANs, you attach the Red, Yellow, and Green filters (and a set of VoIP filters to the new Red and Yellow VLANs). For example, when the Nortel SNA software adds a port to the Yellow VLAN, it installs the Yellow filters and the VoIP filters that you attached to the Yellow VLAN.

ATTENTION
Manual configuration of filters is optional. If filters are not manually configured prior to configuring the Nortel SNA VLANs, the switch automatically generates default filters when you configure the Red, Yellow, Green, and VoIP VLANs.


The devices that connect to a Nortel SNA port can be DHCP PCs and passive devices, as well as static PCs and passive devices. To have Green access you can add the MAC of the passive devices to the SNAS MAC address database.

The following table shows filter consumption when using the default Nortel SNA filters.

Table 8: Default Nortel SNA filter consumption

| Filter set | Filters consumed | Precedence levels consumed |
| --- | --- | --- |
| Red | 6, plus 2 filters for each VoIP VLAN configured | 4, plus 1 precedence level for VoIP VLANs (see note) |
| Yellow | 7, plus 2 filters for each VoIP VLAN configured | 5, plus 1 precedence level for VoIP VLANs (see note) |

Note: Although each additional VoIP VLAN consumes two more filters, no additional precedence levels are consumed (that is, the first VoIP VLAN consumes one precedence level, but additional VoIP VLANs do not consume more precedence levels).

ATTENTION
With the default NSNA QoS filters there are two free precedences for the Red VLAN and one for the Yellow VLAN. You can use these for manually added NSNA QoS entries.

Filter parameters

ATTENTION
If you plan to use the default filters, it is not necessary to configure filters before enabling Nortel SNA.

The default Nortel SNA filters protect the workstations.

Only 128 filters per precedence level are available per chip (1/1-24, 2/25-48, and so on), which limits the number of VoIP VLANs supported, because each VoIP VLAN consumes two filters on the same precedence level.

Example: if there are five VoIP VLANs defined, then the NSNA Red filter is enabled on 12 ports per chip.

Completing the combinations, the Red default filter set can be applied to the following number of ports assigned the specified VoIP VLANs:

• 1 VoIP VLAN -> 24 ports (128 / (1 VoIP VLAN * 2 filters))

• 2 VoIP VLANs -> 24 ports (128 / (2 VoIP VLANs * 2 filters))

• 3 VoIP VLANs -> 21 ports (128 / (3 VoIP VLANs * 2 filters))

• 4 VoIP VLANs -> 16 ports (128 / (4 VoIP VLANs * 2 filters))

• 5 VoIP VLANs -> 12 ports (128 / (5 VoIP VLANs * 2 filters))


The following table describes the traffic allowed by each default Nortel SNA filter set.

Table 9: Traffic allowed in the default Nortel SNA filter sets

Traffic type columns, in order: DNS, HTTP, HTTPS, ARP, DHCP, UDP, ICMP, Yellow subnet, All. The Yes entries of each row are listed in the order they appear in the original table.

Red: DNS, HTTP and HTTPS traffic to Nortel SNAS 4050 allowed; Yes; Yes; Yes

Yellow: DNS, HTTP and HTTPS traffic to Nortel SNAS 4050 allowed; Yes; Yes; Yes; Yes

Green: Yes; Yes

VoIP: Yes; Yes; Yes; Yes

Note: Nortel recommends that you use filters to allow all traffic to your WINS domain controller in the Red VLAN. You must specify a destination IP address for all WINS domain controllers. For example, if you have two WINS domain controllers, use the following two commands:

qos nsna classifier name <Red VLAN name> dst-ip <win1-ipaddr/mask> ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 70

qos nsna classifier name <Red VLAN name> dst-ip <win2-ipaddr/mask> ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 71

For more information about configuring the filters for Novell Netware log on, see “Configuring filters for Novell Netware log on” (page 81). If you use another log on controller, you must modify the filter set to allow the log on to work.

ATTENTION
In the Yellow VLAN, the default filters allow all IP traffic for the Yellow subnet. You specify the Yellow subnet in the command nsna vlan <vid> color yellow filter <filtername> yellow-subnet <ipaddr/mask>. For more information, see “Configuration example: Configuring the Nortel SNA per VLANs” (page 322). You can enter the remediation server IP/subnet as the Yellow subnet IP. You can also add multiple IP addresses manually in the Yellow filter set. For example:

qos nsna classifier name ALPHAYELLOW dst-ip 10.80.22.25/32 ethertype 0x0800 drop-action disable block remedial eval-order 70

qos nsna classifier name ALPHAYELLOW dst-ip 10.16.50.30/32 ethertype 0x0800 drop-action disable block remedial eval-order 71

qos nsna classifier name ALPHAYELLOW dst-ip 10.81.2.21/32 ethertype 0x0800 drop-action disable block remedial eval-order 72


Adding these two filters consumes another precedence level. For more information about the qos nsna commands, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

ATTENTION
If you want to add new entries on NSNA QoS filters, you must add the entries before enabling NSNA globally or on ports; if NSNA is enabled and you need to add new NSNA QoS entries to existing NSNA QoS filters, first disable NSNA.

Selective broadcast is allowed by the Red default filter set (DHCP broadcast [response] coming in on the uplink port goes out on the relevant Nortel SNA port only).

A rate-limiting rule applies to the Red filter set (committed rate = 1000 Kbps).

Configuring filters for Novell Netware log on

If you use Novell Netware as your domain log on, the following is one example of IPX filters for the Red VLAN. These filters require additional modification based on your specific configuration (the filter set name in this example is “red”; modify the command to use your actual Red filter set name):

qos nsna classifier name red protocol 17 dst-port-min 427 dst-port-max 427 ethertype 0x0800 drop-action disable block novell eval-order 101

qos nsna classifier name red protocol 6 dst-port-min 524 dst-port-max 524 ethertype 0x0800 drop-action disable block novell eval-order 102

qos nsna classifier name red protocol 6 dst-port-min 396 dst-port-max 396 ethertype 0x0800 drop-action disable block novell eval-order 103

qos nsna classifier name red protocol 17 dst-port-min 396 dst-port-max 396 ethertype 0x0800 drop-action disable block novell eval-order 104

qos nsna classifier name red protocol 6 dst-port-min 1366 dst-port-max 1366 ethertype 0x0800 drop-action disable block novell eval-order 105

qos nsna classifier name red protocol 17 dst-port-min 1366 dst-port-max 1366 ethertype 0x0800 drop-action disable block novell eval-order 106

qos nsna classifier name red protocol 6 dst-port-min 1416 dst-port-max 1416 ethertype 0x0800 drop-action disable block novell eval-order 107


qos nsna classifier name red protocol 17 dst-port-min 1416 dst-port-max 1416 ethertype 0x0800 drop-action disable block novell eval-order 108

qos nsna classifier name red protocol 6 dst-port-min 686 dst-port-max 686 ethertype 0x0800 drop-action disable block novell eval-order 109

qos nsna classifier name red protocol 6 dst-port-min 389 dst-port-max 389 ethertype 0x0800 drop-action disable block novell eval-order 110

Adding these filters consumes another precedence level.

If you want to open traffic to specific IP addresses (for example, IP address 1 to IP address 6), use the following commands:

qos nsna classifier name red dst-ip <ipaddr1> ethertype 0x0800 drop-action disable block novell-ips eval-order 111

qos nsna classifier name red dst-ip <ipaddr2> ethertype 0x0800 drop-action disable block novell-ips eval-order 112

qos nsna classifier name red dst-ip <ipaddr3> ethertype 0x0800 drop-action disable block novell-ips eval-order 113

qos nsna classifier name red dst-ip <ipaddr4> ethertype 0x0800 drop-action disable block novell-ips eval-order 114

qos nsna classifier name red dst-ip <ipaddr5> ethertype 0x0800 drop-action disable block novell-ips eval-order 115

qos nsna classifier name red dst-ip <ipaddr6> ethertype 0x0800 drop-action disable block novell-ips eval-order 116

Adding these filters consumes another precedence level.

Topologies

You can configure the Ethernet Routing Switch 4500 Series to function in Layer 2 or for the Nortel SNA solution. In Layer 2, routing is disabled in the switch.

Layer 2

In Layer 2 mode, DHCP-relay is done on a central router or routing switch. Figure 4 "Network access device-Layer 2 mode" (page 83) shows a network where the Ethernet Routing Switch 8600 is the core routing device. The Ethernet Routing Switch 4500, the network access device in this case, functions in Layer 2 mode. All Nortel SNA VLANs (Red, Yellow, Green, and VoIP) are Layer 2.

A tagged uplink exists between the network access device and the routing device. You must configure this link as a Nortel SNA uplink port and specify all VLANs (Nortel SNA or non Nortel SNA) in which it must be placed. When you do this, it is automatically tagged. This link can be MLT or LACP. You can configure multiple Nortel SNA uplink ports on the switch.

You must configure MLTs and LAGs before NSNA is globally enabled. After you globally enable NSNA, you cannot disable the MLT or LAG.

Figure 4: Network access device - Layer 2 mode

Fail open

With the NSNA Fail Open enhancement users can deploy NSNA on switches at remote sites and still access the network. If connections to the SNAS fail, then clients are placed in a Fail Open VLAN. VLAN transition with MAC DB enables the Ethernet Routing Switch 4500 to support Fail Open for NSNA v2.0. This supports MAC processing where NSNA has a list of MAC addresses that can be trusted or not trusted by the system. With Fail Open, you can transition a PVID on a port based on a device MAC address.


A Status Quo time interval applies to all Nortel Secure Network AccessServer (NSNAS) connections to the Ethernet Routing Switch 5000 Series.The expiration of this interval indicates that the NSNAS connection withthe switch has failed. When Fail Open is enabled on the switch and theconnection to the NSNAS fails or is never established, the following apply:

• New clients connecting on ports without any pre-authenticated clientswill be moved to the Fail Open VLAN and filter. If the Fail Open filteris the red or yellow VLAN, the clients cannot gain full access to thenetwork.

• New clients cannot connect on ports that already have authenticatedclients connected (non-phone).

• Network access is not interrupted for devices pre-authenticated with MAC-authentication, TG-authentication, or 802.1X authentication.

If the NSNAS reconnects, ports are moved to the red VLAN and red filter, and all MACs on the ports are aged out. Any previously blocked MACs are unblocked.

If a connection to a NSNAS is never established on switch startup and Fail Open is enabled, Fail Open actions apply to all new clients.
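The following Python model is an added illustration of the Fail Open rules above, not Nortel code: the switch, port and client objects, the port names and the VLAN labels are constructed here to show where a new client lands while the NSNAS is up, after the Status Quo interval expires, when the connection was never established, and what is reset when the NSNAS reconnects.

```python
from dataclasses import dataclass, field

RED = "red"   # restricted zone every new client starts in


@dataclass
class Client:
    mac: str
    authenticated: bool = False   # MAC, TG or 802.1X authentication succeeded
    phone: bool = False           # phones do not count as blocking clients


@dataclass
class Port:
    vlan: str = RED
    clients: dict = field(default_factory=dict)   # mac -> Client
    blocked: set = field(default_factory=set)     # MACs refused during Fail Open


class NsnaSwitch:
    """Port placement on a network access device, with the Fail Open option."""

    def __init__(self, fail_open_enabled, fail_open_vlan, status_quo_interval, ports):
        self.fail_open_enabled = fail_open_enabled
        self.fail_open_vlan = fail_open_vlan
        self.status_quo_interval = status_quo_interval   # seconds (constructed value)
        self.ports = {name: Port() for name in ports}
        self.last_contact = None   # None: NSNAS connection never established

    def nsnas_up(self, now):
        """The connection counts as failed once the Status Quo interval expires."""
        return (self.last_contact is not None
                and now - self.last_contact <= self.status_quo_interval)

    def nsnas_contact(self, now):
        """A message from the NSNAS restarts the Status Quo interval."""
        reconnecting = not self.nsnas_up(now)
        self.last_contact = now
        if reconnecting:
            # Ports return to the Red VLAN/filter, MACs are aged out and
            # previously blocked MACs are unblocked.
            for port in self.ports.values():
                port.vlan = RED
                port.clients.clear()
                port.blocked.clear()

    def authenticate(self, port_name, mac, now):
        """Authentication is driven by the NSNAS, so it needs a live connection."""
        if not self.nsnas_up(now):
            raise RuntimeError("NSNAS unreachable: cannot authenticate " + mac)
        self.ports[port_name].clients[mac].authenticated = True

    def connect(self, port_name, client, now):
        """Admit a new client; return the VLAN it lands in, or 'blocked'."""
        port = self.ports[port_name]
        if self.nsnas_up(now) or not self.fail_open_enabled:
            # Normal path (or Fail Open disabled): the client waits in Red.
            port.clients[client.mac] = client
            return RED
        # Fail Open applies: connection failed, or never established at startup.
        if any(c.authenticated and not c.phone for c in port.clients.values()):
            port.blocked.add(client.mac)
            return "blocked"    # no new clients on a port with authenticated ones
        port.vlan = self.fail_open_vlan
        port.clients[client.mac] = client
        return self.fail_open_vlan

    def has_access(self, port_name, mac):
        """Pre-authenticated devices keep their access while the NSNAS is down."""
        c = self.ports[port_name].clients.get(mac)
        return c is not None and c.authenticated


if __name__ == "__main__":
    sw = NsnaSwitch(True, "fail_open", 30, ["1/1", "1/2"])
    sw.nsnas_contact(0)
    print(sw.connect("1/1", Client("00:00:00:00:00:0a"), 1))   # red
    sw.authenticate("1/1", "00:00:00:00:00:0a", 2)
    print(sw.connect("1/1", Client("00:00:00:00:00:0c"), 40))  # blocked
    print(sw.connect("1/2", Client("00:00:00:00:00:0d"), 40))  # fail_open
```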

Basic switch configuration for Nortel SNA

ATTENTION: Nortel recommends that you configure the core routing device, if it exists in your network, before you configure the network access device.

ATTENTION: If clients come up when NSNAS connects to the switch and receives port information, those clients may need to redo DHCP (if they are dynamic clients). This can be done from the Windows command line: ipconfig /release followed by ipconfig /renew.

ATTENTION: When a large number of NSNA logon or logout events occur in parallel, a few may fail. The NSNAS resets the switch port after a few minutes and you can log back in. You can also disconnect and reconnect the link to the switch to log in.

Prerequisites

• Generate the SSH keys on the Nortel SNAS 4050, and upload the public key to a TFTP server.

• Identify the Nortel SNAS 4050 portal Virtual IP address (pVIP) and mask.


• Identify VLAN IDs for Nortel SNA use (that is, for Red and VoIP VLANs; plus Yellow and Green when enforcement zones are configured with VLANs and filters).

• Identify ports to use for uplink ports (in Layer 2 mode only).

• Identify ports to use for Nortel SNA client ports.

ATTENTION: Nortel SNA requires the secure runtime image of the software.

Configuring the network access device

To configure the Nortel Ethernet Routing Switch 4500 to function as a network access device in the Nortel SNA solution, Nortel recommends you complete the following steps in the order in which they are listed.

For more information about NNCLI commands to configure the Nortel SNA solution, see “Configuring Nortel Secure Network Access using NNCLI” (page 319). For more information about configuring the Nortel SNA solution using Device Manager, see “Configuring Nortel Secure Network Access using Device Manager” (page 335).

1. Configure static routes to all the networks behind the core routing device. This can be automated, as RIP and OSPF routing protocols are supported.

2. Configure the switch management VLAN, if necessary.

3. Configure SSH. For more information, see “Configuring SSH on the 4500 Series switch for Nortel SNA” (page 87).

a. Download the Nortel SNAS 4050 SSH public key to the switch.

b. Enable SSH on the switch.

ATTENTION: You must enable SSH before you enable Nortel SNA globally. The command to enable Nortel SNA fails if SSH is not enabled.

c. Import the switch SSH public key on the Nortel SNAS 4050 (perform this step on the Nortel SNAS 4050, not on the edge switch).

4. Configure the Nortel SNAS 4050 portal IP address (pVIP)/subnet. For more information, see “Configuring the Nortel SNAS 4050 subnet” (page 319) for NNCLI, or “Configuring the Nortel SNAS 4050 subnet using Device Manager” (page 336).

5. Configure port tagging, if applicable.


ATTENTION: In Layer 2 mode, the uplink ports are tagged automatically to allow them to participate in multiple VLANs.

6. Create the port-based VLANs. The VLANs are configured as VoIP, Red, Yellow, and Green VLANs later.

7. (Optional) Configure the filters (Red, Yellow, Green, and VoIP).

ATTENTION: Manual configuration of the filters is optional. The filters are configured automatically as predefined defaults when you configure the Red, Yellow, Green, and VoIP VLANs. You can modify default filter sets and manually created filter sets after Nortel SNA is enabled.

8. Configure the VoIP VLANs. For more information, see “Configuring Nortel SNA per VLAN” (page 321) for NNCLI, or “Configuring Nortel SNA per VLAN using Device Manager” (page 337).

9. Configure the Red, Yellow, and Green VLANs, associating each with the applicable filters. For more information, see “Configuring Nortel SNA per VLAN” (page 321) for NNCLI, or “Configuring Nortel SNA per VLAN using Device Manager” (page 337). When you configure the Yellow VLAN, you must configure the Yellow subnet. When a port is in the Yellow state, only traffic on the Yellow subnet is allowed (if you are using the default filters). Therefore, only devices in the Yellow subnet are accessible. Nortel recommends that you put the remediation server in the Yellow subnet.

10. Configure the Nortel SNA ports. For more information, see “Enabling Nortel SNA on ports using NNCLI” (page 324) for NNCLI, or “Enabling Nortel SNA on ports using Device Manager” (page 340). Identify switch ports as uplink or dynamic. When you configure the uplink ports, you associate the Nortel SNA VLANs with those ports. Clients are connected on the dynamic ports.

ATTENTION: If the network access device itself is the DHCP relay agent for the Red, Yellow, Green, or VoIP VLANs, it is not necessary to configure an uplink port in that VLAN. You can configure Nortel SNA ports (both dynamic and uplink) after Nortel SNA is enabled globally.

If an end device is allocated a DHCP lease in the NSNA Fail_Open VLAN, the client keeps that address until the lease expires, even if the device is moved to another NSNA VLAN. If a client is transitioned to a different NSNA VLAN, issuing ipconfig /release and ipconfig /renew obtains a new DHCP lease.

11. Enable Nortel SNA globally. For more information, see “Enabling Nortel SNA on ports using NNCLI” (page 324) for NNCLI, or “Enabling Nortel SNA on ports using Device Manager” (page 340).


Configuring SSH on the 4500 Series switch for Nortel SNA

The Secure Shell (SSH) protocol provides secure and encrypted communication between the Nortel SNAS 4050 and the network access devices. For secure communication between the Nortel SNAS 4050 and the network access device, each must have knowledge of the other device's public SSH key.

To configure SSH communication between the Ethernet Routing Switch 4500 Series and the Nortel SNAS 4050, follow this procedure:

Step Action

1 Download the SSH public key from the Nortel SNAS 4050 to the switch:

ATTENTION: Ensure you have generated the Nortel SNAS 4050 key. Use the following command on the Nortel SNAS 4050 to generate the SSH public and private keys for the Nortel SNAS 4050: cfg/domain#/sshkey/generate

a On the Nortel SNAS 4050, use the /cfg/domain#/sshkey/export command to upload the key to a TFTP server, for manual retrieval from the switch.

b On the 4500 Series, load the Nortel SNAS 4050 public key to the switch using the following command from the Global Configuration mode:

ssh download-auth-key address <ipaddr> key-name <filename>

where

<ipaddr> is the IP address of the server (entered as A.B.C.D) where you placed the key.

2 On the 4500 Series, enable SSH using the following command from the Global Configuration mode:

ssh

3 On the Nortel SNAS 4050, import the 4500 Series switch public key, then apply the change:

/cfg/domain #/switch #/sshkey/import
apply

For more information, see Nortel Secure Network Access Switch 4050 User Guide (320818-A).


ATTENTION: If you subsequently reset the switch to factory defaults, a new public key is generated on the switch. Consequently, you must repeat this procedure each time the switch is set to factory default settings. You must re-import the switch key on the Nortel SNAS 4050 and apply this change.

--End--

Nortel SNA solution deployment in an active network

You can deploy the Nortel SNA solution on an existing, active switch.

The term ‘network access device’ is used to refer to the edge switch when it is configured for the Nortel SNA environment.

About the ports

A port on the network access device can operate in one of two modes:

• Nortel SNA

• non Nortel SNA

There are two kinds of Nortel SNA ports: dynamic and uplink.

Note: If clients come up when NSNAS connects to the switch and receives port information, those clients may need to renew DHCP (if they are dynamic clients). This is achieved from the Windows command line: ipconfig /release followed by ipconfig /renew.

When you configure a port as a dynamic Nortel SNA port and you enable Nortel SNA, the following properties are changed on the port:

• The port is removed from the existing VLAN and placed in the Red VLAN, and in the VoIP VLAN that was configured for that port.

• The client port tagging behavior changes to untagpvidonly.

• The Port VLAN ID (PVID) of the port is changed to the Red PVID.

• If the port has existing QoS filters, they are replaced by the Nortel SNA filter set, and the port Spanning Tree state is changed to Fast Learning (if STP was set as Normal Learning before enabling Nortel SNA).

During runtime, Nortel SNA changes the port VLAN membership, the filters, and the PVID properties dynamically, based on the client authentication state.


If you subsequently disable Nortel SNA, the port returns to the pre-Nortel SNA state. For more information, see “Rolling back Nortel SNA mode to default mode” (page 91).

When the port is a Nortel SNA uplink port and Nortel SNA is enabled, the port can be a member of Nortel SNA and non Nortel SNA VLANs. For more information, see “Configuration example: Adding the uplink port” (page 325).

ATTENTION: Nortel recommends that the Spanning Tree Protocol (STP) on the Nortel SNA uplink port and on the router port be either Fast Learning or disabled. Ensure STP is the same on both ports (that is, if STP is Fast Learning enabled on the Nortel SNA uplink port, it must be Fast Learning enabled on the router port, also).

You can configure multiple Nortel SNA uplink ports.

You can add the uplink port to a non Nortel SNA VLAN or delete it from a non Nortel SNA VLAN. The membership of the Nortel SNA uplink port in non Nortel SNA VLANs is not affected by globally enabling or disabling Nortel SNA. No other Nortel SNA port can be a member of a non Nortel SNA VLAN.

The PVID of the uplink port can be modified.

If a port is a Nortel SNA uplink port, enabling Nortel SNA changes the port to a tagall port.

About the VLANs and filters

VLANs that you plan to configure as Nortel SNA VLANs must be empty (that is, they have no port members assigned).

Nortel SNA enforcement zones have corresponding default Nortel SNA filter sets. Nortel recommends that you use the default filter sets. You can, however, create customized filter sets and attach these to the Nortel SNA VLANs. You can also modify the default filters, if necessary, after you have enabled them. For more information, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

When you apply the Nortel SNA filters to a port, existing QoS filters on that port are disabled, and the Nortel SNA filters are applied (preexisting policies are re-enabled when Nortel SNA is disabled).


Nortel does not support Nortel SNA filter sets and non Nortel SNA filter sets coexisting on Nortel SNA ports. Nortel SNA VLANs are divided into four categories:

• Red

• Yellow

• Green

• VoIP

Each network access device must have one Red VLAN. Each switch can, however, have multiple Yellow and multiple Green VLANs. With the Ethernet Routing Switch 4500, you can configure only five Yellow, five Green, and five VoIP VLANs on each switch.

Only 128 filters per precedence level are available per chip (1/1-24, 1/25-48 and so on). Because of this there is one more limitation regarding the number of VoIP VLANs supported, as each VoIP VLAN consumes two filters on the same precedence level. Example: if there are 5 VoIP VLANs defined, then the nsna red filter can be enabled on 12 ports per chip.

Completing the combinations, the Red default filter set can be applied to the following number of ports assigned the specified VoIP VLANs:

• 1 VoIP VLAN -> 24 ports (128 / [1 VoIP VLAN * 2 filters])

• 2 VoIP VLANs -> 24 ports (128 / [2 VoIP VLANs * 2 filters])

• 3 VoIP VLANs -> 21 ports (128 / [3 VoIP VLANs * 2 filters])

• 4 VoIP VLANs -> 16 ports (128 / [4 VoIP VLANs * 2 filters])

• 5 VoIP VLANs -> 12 ports (128 / [5 VoIP VLANs * 2 filters])
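As an added example (not Nortel's code), the following Python encodes the limits stated in this section and in the configuration steps above, so a planned set of Nortel SNA VLANs can be checked before it is applied: one Red VLAN per network access device, at most five Yellow, five Green and five VoIP VLANs, Nortel SNA VLANs with no port members, and the 128-filters-per-precedence-level-per-chip budget in which each VoIP VLAN costs two filters. The plan format (a list of dicts plus a per-chip count of planned dynamic ports) and the sample values are constructed for this example.

```python
FILTERS_PER_CHIP = 128        # per precedence level, per chip (1/1-24, 1/25-48, ...)
FILTERS_PER_VOIP_VLAN = 2     # each VoIP VLAN consumes two filters on a precedence level
PORTS_PER_CHIP = 24
MAX_PER_ZONE = {"yellow": 5, "green": 5, "voip": 5}


def red_filter_port_capacity(voip_vlans):
    """Ports per chip on which the Red default filter set can still be enabled."""
    if voip_vlans <= 0:
        return PORTS_PER_CHIP
    budget = FILTERS_PER_CHIP // (voip_vlans * FILTERS_PER_VOIP_VLAN)
    return min(PORTS_PER_CHIP, budget)


def validate_nsna_vlan_plan(vlans, dynamic_ports_per_chip):
    """Return the list of problems found; an empty list means the plan fits.

    vlans: list of {"id": int, "zone": "red"|"yellow"|"green"|"voip", "members": [...]}
    dynamic_ports_per_chip: {"1/1-24": count, ...} planned Nortel SNA dynamic ports
    (both formats are constructed for this example).
    """
    problems = []
    by_zone = {}
    for v in vlans:
        by_zone.setdefault(v["zone"], []).append(v)
        if v.get("members"):
            problems.append(f"VLAN {v['id']} ({v['zone']}) must have no port members "
                            "before it becomes a Nortel SNA VLAN")
    reds = len(by_zone.get("red", []))
    if reds != 1:
        problems.append(f"each network access device needs one Red VLAN, found {reds}")
    for zone, limit in MAX_PER_ZONE.items():
        n = len(by_zone.get(zone, []))
        if n > limit:
            problems.append(f"only {limit} {zone} VLANs allowed per switch, found {n}")
    capacity = red_filter_port_capacity(len(by_zone.get("voip", [])))
    for chip, count in dynamic_ports_per_chip.items():
        if count > capacity:
            problems.append(f"chip {chip}: {count} dynamic ports but the Red filter "
                            f"fits only {capacity}")
    return problems


# Constructed sample plan: one Red, one Yellow, one Green and five VoIP VLANs.
SAMPLE_PLAN = (
    [{"id": 110, "zone": "red", "members": []},
     {"id": 120, "zone": "yellow", "members": []},
     {"id": 130, "zone": "green", "members": []}]
    + [{"id": 200 + i, "zone": "voip", "members": []} for i in range(5)]
)
SAMPLE_PORTS = {"1/1-24": 20, "1/25-48": 10}   # planned dynamic ports per chip

if __name__ == "__main__":
    for n in range(1, 6):
        print(n, "VoIP VLAN(s) ->", red_filter_port_capacity(n), "ports per chip")
    for problem in validate_nsna_vlan_plan(SAMPLE_PLAN, SAMPLE_PORTS):
        print("PROBLEM:", problem)
```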

Updating the filter sets

Ensure you thoroughly plan your Nortel SNA deployment. For example, as part of the Nortel SNA configuration on the Nortel Ethernet Routing Switch 4500, you must configure the Nortel SNAS 4050 portal Virtual IP (pVIP) address and mask. This address is added to the Nortel SNA filter sets only (this applies to VoIP VLAN IDs and the Yellow subnet, also).

If you change the Nortel SNAS 4050 pVIP subnet (or VoIP VLAN IDs, or the Yellow subnet), you must update the filter sets. You update the filter sets in one of two ways:

1. Manually update them using the qos nsna command. For more information, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

2. Remove the filters and reconfigure:


a. Disable Nortel SNA globally.

b. Disable Nortel SNA on the ports.

c. Mark the VLANs as non Nortel SNA (mark VoIP VLANs last).

d. Delete the filters using one of the following methods:

i. Delete all the filters at once:

enable
con ter
qos agent reset-default

ii. Delete the filters one by one:

no qos nsna name <filter-name-red>
no qos nsna name <filter-name-yellow>
no qos nsna name <filter-name-green>

e. Remove the Nortel SNAS 4050 (no nsna nsnas).

f. Reconfigure Nortel SNA.

Rolling back Nortel SNA mode to default mode

When you enable Nortel SNA on the Ethernet Routing Switch 4500 Series, Nortel SNA dynamically changes the following port settings:

• VLAN settings

• QoS parameters

• Spanning Tree configuration

When you disable Nortel SNA, the changes to those port settings are rolled back automatically, and pre-Nortel SNA settings are applied on the port.

There is one exception: when Nortel SNA is enabled on a port, STP runs in FAST START mode to enable faster convergence. The Spanning Tree state of the LAN port can stay in FAST START mode when Nortel SNA is disabled if the client ports were set to Normal Learning in the pre-Nortel SNA state. If the pre-Nortel SNA Spanning Tree state was Fast Learning or disabled, the port rolls back correctly.

If you physically moved existing users from a legacy switch to a Nortel SNA-enabled switch, the only task you must complete to roll back port settings is to physically reconnect the users to the legacy switch.

Summary of security features

For more information about some of the security features available on the Ethernet Routing Switch 4500, see Table 10 "MAC security" (page 92) through Table 14 "SNMPv3 security" (page 94).


Table 10 MAC security

Description: Use the MAC address-based security feature to set up network access control based on source MAC addresses of authorized stations.
What is being secured: Access to the network or specific subnets or hosts.
For each port or each switch: Each port.
Layer: Layer 2.
Level of security: Forwarding.
Violations: SA filtering, DA filtering, Port Partitioning, SNMP Trap.
Requirements for setup: Not applicable.
Configuring using interfaces: Web, NNCLI, ASCII configuration file, SNMP, and JDM.
Restrictions and limitations:
Reference: s5sbs MIB (S5-SWITCH-BAYSECURE-MIB)
Comments: —

Table 11 Password Authentication security

Description: Security feature.
What is being secured: User access to a switch or stack.
Port to port or switch to switch: For RADIUS authentication.
  • The RADIUS server needs to be accessible from the switch.
  • The RADIUS client from the switch must be provided with the RADIUS server IP and UDP Port and a shared secret.
Layer: Not applicable.
Level of security: Provides Read Only and Read Write access. The access rights are checked against Local Password and RADIUS Server.
Violations: Not applicable.
Requirements for setup: For RADIUS authentication.
  • The RADIUS server needs to be accessible from the switch.
  • The RADIUS client from the switch must be provisioned with the RADIUS server IP, the UDP Port, and a shared secret.
Configuring using interfaces: Web, NNCLI, ASCII configuration file.
Restrictions and limitations: Not applicable.

Table 12 EAPOL security

Description: Extensible Authentication Protocol Over LAN (Ethernet). You can use this to set up network access control on internal LANs.
What is being secured: User access to the network.
Port to port or switch to switch: User authentication by port.
Layer: Layer 2.
Level of security: Network access encryption.
Violations: The switch blocks a port if an intruder is seen on that port. Administration has to re-enable the port.
Requirements for setup: RADIUS Server configuration on the switch. The EAP-RADIUS server needs to be accessible from the switch.
Configuring using interfaces: Device Manager (DM), Nortel Networks Command Line (NNCLI), Web-based management system.
Restrictions and limitations: Not allowed: shared segments and ports configured for MultiLink Trunking, MAC address-based security, IGMP (static router ports), or port mirroring.
Reference: IEEE 802.1X, RFC 2284.


Table 13 IP Manager security

Description: IP Manager is an extension of Telnet. It provides an option to enable or disable access for TELNET (Telnet On or Off), SNMP (SNMP On or Off) and Web Page Access (Web On or Off) with or without a list of 50 IP Addresses and masks.
What is being secured: User access to the switch through Telnet, SNMP, or Web.
Port to port or switch to switch: By switch.
Layer: IP.
Level of security: Access.
Violations: User is not allowed to access the switch.
Requirements for setup: Optional IP Addresses or Masks, Individual Access (enable or disable) for Telnet, SNMP or Web page.
Configuring using interfaces: Web and NNCLI.
Restrictions and limitations: Not applicable.

Table 14 SNMPv3 security

Description: The latest version of SNMP provides strong authentication and privacy for Simple Network Management Protocol (SNMP), using hash message authentication codes message digest 5 (HMAC-MD5), HMAC-secure hash algorithm (SHA), cipher block chaining Data Encryption Standard (CBC-DES), Advanced Encryption Standard (AES), and Triple DES (3DES), plus access control of Management Information Base (MIB) objects based on user names.
What is being secured: Access to MIBs using SNMPv3 is secured. Access to MIBs using SNMPv1 or v2c can be restricted.
Port to port or switch to switch: By switch.
Layer: SNMP Port 161, 162.
Level of security: Access and Encryption.
Violations: Received SNMPv3 packets that cannot be authenticated are discarded. For authenticated packets that try to access MIB objects in an unauthorized manner, an error is returned to the sender. Various MIB counters are incremented when a violation occurs. (These can be monitored to detect intrusions, for example, by using RMON alarms.)
Requirements for setup: For maximum security, initial configuration of views, users, and keys must be done through the console port or over a physical network connection. Subsequent secure configuration changes can be accomplished using SNMPv3 using a secure SHA or DES connection.
Configuring using interfaces: Device Manager (DM), Nortel Networks Command Line Interface (NNCLI), Web-based management system, ASCII configuration file, and SNMP Set requests.

Table 15 NSNA

Description: Nortel Secure Network Access (NSNA) is used to protect the network from DoS attacks and endpoint vulnerability.
What is being secured: The network is secured from the devices that are not compliant with network policies.
Port to port or switch to switch: User authentication is done by port.
Layer: Layer 2-7.
Level of security: Network access.
Violations: The switch keeps the ports in the RED VLAN (restricted access zone) for nonauthenticated clients. If, after successful authentication, the PC client is not compliant with network policies, the port is placed in the YELLOW VLAN (remediation zone).
Requirements for setup: SNAS server IP address or port and NSNA VLANs configuration on the switch. The SNAS server must be accessible from the switch and the Switch to SNAS Communication Protocol (SSCP) must be up.
Configuring using interfaces: Nortel Networks Command Line (NNCLI) and Device Manager (DM).
Restrictions and limitations: Not allowed on ports configured for EAP, MAC address-based security, port mirroring (monitor port), BRouter port, ADAC and VLACP.

Table 16 DHCP Snooping security

Description: Use the Dynamic Host Control Protocol (DHCP) snooping security feature to provide security to the network by filtering untrusted DHCP messages to prevent DHCP spoofing.
What is being secured: Access to the network.
Port to port or switch to switch: Per port.
Layer: Layer 2 and 3.
Level of security: Forwarding.
Violations: Allows only DHCP requests from untrusted ports. DHCP replies and all other types of DHCP messages are dropped. If the source MAC address and the DHCP client hardware address do not match, the switch drops the packet.
Requirements for setup: Not applicable.
Configuring using interfaces: Nortel Networks Command Line Interface (NNCLI) and Device Manager (JDM).

Table 17 Dynamic ARP Inspection security

Description: Use dynamic Address Resolution Protocol (ARP) Inspection to validate ARP packets in a network.
What is being secured: Access to the network.
Per port or per switch: Per port.
Layer: Layer 2 and 3.
Level of security: Forwarding.
Violations: Dynamic ARP Inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
Requirements for setup: DHCP snooping must be globally enabled.
Configuring using interfaces: Nortel Networks Command Line Interface (NNCLI) and Device Manager (JDM).


Configuring and managing security using NNCLI

This chapter describes the methods and procedures necessary to configure security on the Nortel Ethernet Routing Switch 4500 using the Nortel Networks Command Line Interface (NNCLI).

Depending on the scope and usage of the commands listed in this chapter, different command modes are needed to execute them.

Navigation

• “Setting user access limitations” (page 100)

• “USB port and serial console port control using NNCLI” (page 100)

• “Configuring MAC address-based security” (page 105)

• “Configuring RADIUS authentication” (page 111)

• “Configuring EAPOL security” (page 113)

• “Configuring features” (page 117)

• “Configuring support for non-EAPOL hosts on EAPOL-enabled ports” (page 134)

• “802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI” (page 142)

• “RADIUS accounting configuration using NNCLI” (page 177)

• “TACACS+ configuration using NNCLI” (page 178)

• “Configuring IP Manager” (page 184)

• “Configuring password security” (page 188)

• “Password history configuration using NNCLI” (page 189)

• “NNCLI Audit log configuration” (page 191)

• “Secure Socket Layer services” (page 192)


• “Secure Shell protocol” (page 194)

• “RADIUS Request use Management IP configuration using NNCLI” (page 215)

Setting user access limitations

For more information about the configuration and management of user access limitations using NNCLI, see the Nortel Ethernet Routing Switch 4500 Series Overview – System Configuration (NN47205-500).

USB port and serial console port control using NNCLI

This section describes how you can control access to the Ethernet Routing Switch 4500 by enabling or disabling the USB port or serial console port. All serial console ports on the Ethernet Routing Switch 4500 are enabled by default.

USB port and serial console port control using NNCLI navigation

• “Disabling serial console ports using NNCLI” (page 100)

• “Enabling serial console ports using NNCLI” (page 101)

• “Viewing serial console port status using NNCLI” (page 102)

• “Disabling USB ports using NNCLI” (page 102)

• “Enabling USB ports using NNCLI” (page 103)

• “Viewing USB port status using NNCLI” (page 104)

Disabling serial console ports using NNCLI

Disable serial console ports to deny users console access to the Ethernet Routing Switch 4500 by following this procedure.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable serial console ports on all Ethernet Routing Switch 4500s in a stack by using the following command:

no serial-console <enable>

2 Disable the serial console port on a specific Ethernet Routing Switch 4500 unit in a stack by using the following command:

no serial-console [unit <1-8>] <enable>

--End--

Variable definitions

The following table defines optional parameters that you enter with the no serial-console [unit <1-8>] <enable> command.

Variable Value

[unit <1-8>] Identifies the unit number of an Ethernet Routing Switch 4500 in a stack. Values range from 1 to 8.

Enabling serial console ports using NNCLI

Enable serial console ports to grant users console access to the Ethernet Routing Switch 4500 by following this procedure.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable serial console ports on all Ethernet Routing Switch 4500s in a stack by using either of the following commands:

serial-console <enable>

OR

default serial-console <enable>

2 Enable the serial console port on a specific Ethernet Routing Switch 4500 unit in a stack by using either of the following commands:

serial-console [unit <1-8>] <enable>

OR

default serial-console [unit <1-8>] <enable>

--End--

Variable definitions

The following table defines variables that you enter with the serial-console [unit <1-8>] <enable> command.


Variable Value

[unit <1-8>] Identifies the unit number of an Ethernet Routing Switch 4500 in a stack. Values range from 1 to 8.

Viewing serial console port status using NNCLI

View serial console port status to display the operational status of serial console ports on all Ethernet Routing Switch 4500s in a stack or on a stand-alone Ethernet Routing Switch 4500 by following this procedure.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 View the status of all serial console ports on the switch by using the following command:

show serial-console

2 View the status of a specific serial console port on the switch by using the following command:

show serial-console [unit <1-8>]

--End--

Variable definitions

The following table defines variables that you enter with the show serial-console [unit <1-8>] command.

Variable Value

[unit <1-8>] Identifies the serial console port unit number. Values range from 1 to 8.

Disabling USB ports using NNCLI

Disable USB ports to deny users console access to USB ports on the Ethernet Routing Switch 4500.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.


Procedure steps

Step Action

1 Disable USB ports on all Ethernet Routing Switch 4500s in a stack by using the following command:

no usb-host-port <enable>

2 Disable the USB port on a stand-alone Ethernet Routing Switch 4500 by using the following command:

no usb-host-port [unit <1-8>] <enable>

--End--

Variable definitions

The following table defines variables that you enter with the usb-host-port [unit <1-8>] <enable> command.

Variable Value

[unit <1-8>] Identifies the unit number of an Ethernet Routing Switch 4500 in a stack. Values range from 1 to 8.

Enabling USB ports using NNCLI

Enable USB ports to grant users console access to the Ethernet Routing Switch 4500 by following this procedure.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable USB ports on all Ethernet Routing Switch 4500s in a stack by using either of the following commands:

usb-host-port <enable>

OR

default usb-host-port <enable>

2 Enable the USB port on a stand-alone Ethernet Routing Switch4500 by using either of the following commands:

usb-host-port [unit <1-8>] <enable>

OR


default usb-host-port [unit <1-8>] <enable>

--End--

Variable definitions

The following table defines variables that you enter with the usb-host-port [unit <1-8>] <enable> command.

Variable Value

[unit <1-8>] Identifies the unit number of an Ethernet Routing Switch 4500 in a stack. Values range from 1 to 8.

Viewing USB port status using NNCLI

View USB port status to display the operational status of USB ports on all Ethernet Routing Switch 4500s in a stack or on a stand-alone Ethernet Routing Switch 4500 by following this procedure.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 View the status of USB ports on all Ethernet Routing Switch 4500s in a stack by using the following command:

show usb-host-port

2 View the status of the USB port on a stand-alone Ethernet Routing Switch 4500 by using the following command:

show usb-host-port [unit <1-8>]

--End--

Variable definitions

The following table defines variables that you enter with the show usb-host-port [unit <1-8>] command.

Variable Value

[unit <1-8>] Identifies the unit number of an Ethernet Routing Switch 4500 in a stack. Values range from 1 to 8.


Configuring MAC address-based security

The following NNCLI commands allow for the configuration of the BaySecure application using Media Access Control (MAC) addresses.

ATTENTION
The MAC Security feature shares resources with QoS. Precedence values for non QoS features are allocated dynamically in descending order of availability. Therefore, the precedence value used depends on the order in which features are configured. With DHCP Relay enabled by default and assigned the highest precedence value (15), a QoS policy with a precedence value of 15 cannot be installed. If the MAC Security feature is also enabled, it is assigned a precedence value of 14. Therefore, a QoS policy with a precedence value of 14 cannot be installed.

For more information about QoS policies, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

NNCLI commands for MAC address security

You can use NNCLI commands in this section to configure and manage MAC address security.

show mac-security command

The show mac-security command displays configuration information for the BaySecure application.

The syntax for the show mac-security command is

show mac-security {config|mac-address-table [address <macaddr>]|mac-da-filter|port <portlist>|security-lists}

The following table outlines the parameters for this command.

Table 18 show mac-security parameters

Parameter Description

config Displays general BaySecure configuration.

mac-address-table [address <macaddr>] Displays contents of BaySecure table of allowed MAC addresses:

• address — specifies a single MAC address to display; enter the MAC address

mac-da-filter Displays MAC DA filtering addresses.

port <portlist> Displays the BaySecure status of all ports.

security-lists Displays port membership of all security lists.

The show mac-security command is executed in the Privileged EXEC command mode.


show mac-security mac-da-filter command

The show mac-security mac-da-filter command displays configuration information for filtering MAC destination addresses (DA). Packets can be filtered from up to 10 MAC DAs or MAC SAs.

The syntax for the show mac-security mac-da-filter command is

show mac-security mac-da-filter

The show mac-security mac-da-filter command is executed in the Privileged EXEC command mode.

The show mac-security mac-da-filter command has no parameters or variables.

mac-security command

The mac-security command modifies the BaySecure configuration.

The syntax for the mac-security command is

mac-security [disable|enable] [filtering {enable|disable}] [intrusion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [auto-learning] [learning-ports <portlist>] [learning {enable|disable}] [mac-address-table] [mac-da-filter {add|delete}] [security-list] [snmp-lock {enable|disable}] [snmp-trap {enable|disable}]

The following table outlines the parameters for this command.

Table 19 mac-security parameters

Parameter Description

disable|enable Disables or enables MAC address-based security.

filtering {enable|disable} Enables or disables destination address (DA) filtering on intrusion detected.

intrusion-detect {enable|disable|forever} Specifies partitioning of a port when an intrusion is detected:

• enable — port is partitioned for a period of time

• disable — port is not partitioned on detection

• forever — port is partitioned until manually changed


Table 19 mac-security parameters (cont’d.)

Parameter Description

intrusion-timer <1-65535> Specifies, in seconds, length of time a port is partitioned when an intrusion is detected; enter the number of seconds desired.

auto-learning Configures MAC Autolearning.

learning-ports <portlist> Specifies MAC address learning. Learned addresses are added to the table of allowed MAC addresses. Enter the ports to learn; a single port, a range of ports, several ranges, all ports, or no ports can be entered.

learning {enable|disable} Specifies MAC address learning:

• enable — enables learning by ports

• disable — disables learning by ports

mac-address-table Specifies MAC address to be added.

mac-da-filter {add|delete} Add or delete MAC DA filtering addresses.

security-list Specifies the security list number from 1 to 32.

snmp-lock {enable|disable} Enables or disables a lock on SNMP write-access to the BaySecure MIBs.

snmp-trap {enable|disable} Enables or disables trap generation upon intrusion detection.

The mac-security command is executed in the Global Configuration command mode.

mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specific port or a security list to the MAC address. This removes previous assignments to the specified MAC address and creates an entry in the BaySecure table of allowed MAC addresses.

The syntax for the mac-security mac-address-table address command is

mac-security mac-address-table address <H.H.H.> {port <portlist>|security-list <1-32>}

The following table outlines the parameters for this command.


Table 20 mac-security mac-address-table address parameters

Parameter Description

<H.H.H> Enter the MAC address in the form of H.H.H.

port <portlist>|security-list <1-32> Enter the port number or the security list number. In this command the port list must be a single port.

The mac-security mac-address-table address command is executed in the Global Configuration command mode.

no mac-security mac-address-table command

The no mac-security mac-address-table command clears static entries from the MAC address security table. MAC addresses autolearned on ports are not deleted.

The syntax for the no mac-security mac-address-table command is

no mac-security mac-address-table {address <H.H.H.>|port <portlist>|security-list <1-32>}

The following table outlines the parameters for this command.

Table 21 no mac-security mac-address-table parameters

Parameter Description

address <H.H.H> Enter the MAC address in the form of H.H.H.

port <portlist> Enter the port number.

security-list <1-32> Enter the security list number.

The no mac-security mac-address-table command is executed in the Global Configuration command mode.

show mac-security mac-address-table command

The show mac-security mac-address-table command displays the current global MAC Address security table. The syntax for this command is

show mac-security mac-address-table

This command is executed in the Privileged EXEC command mode.

mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list.

The syntax for the mac-security security-list command is

mac-security security-list <1-32> <portlist>


The following table outlines the parameters for this command.

Table 22 mac-security security-list parameters

Parameter Description

<1-32> Enter the number of the security list you want to use.

<portlist> Enter the port number.

The mac-security security-list command is executed in the Global Configuration command mode.

no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list.

The syntax for the no mac-security security-list command is

no mac-security security-list <1-32>

Substitute the <1-32> with the number of the security list to be cleared.

The no mac-security security-list command is executed in the Global Configuration command mode.

mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specific ports.

The syntax for the mac-security command for specific ports is:

mac-security [port <portlist>] {disable|enable|learning}

The following table outlines the parameters for this command.

Table 23 mac-security parameters

Parameter Description

port <portlist> Enter the port numbers.

disable | enable | learning Directs the specific port:

• disable — disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed

• enable — enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed

• learning — disables BaySecure on the specified port and adds this port to the list of ports for which MAC address learning is being performed

The mac-security command for specific ports is executed in the Interface Configuration command mode.

show mac-security command

The show mac-security command displays the current MAC Address security table for the ports entered. The syntax for this command is

show mac-security port <portlist>

Substitute <portlist> with the ports to be displayed.

This command is executed in the Privileged EXEC command mode.

mac-security mac-da-filter command

The mac-security mac-da-filter command allows packets to be filtered from up to ten specified MAC DAs or MAC SAs. You can also use this command to delete such a filter, and then receive packets from the specified MAC DA.

The syntax for the mac-security mac-da-filter command is

mac-security mac-da-filter {add|delete} <H.H.H.>

Substitute the {add|delete} <H.H.H.> with either the command to add or delete a MAC address and the MAC address in the form of H.H.H.

The mac-security mac-da-filter command is executed in the Global Configuration command mode.

NNCLI commands for MAC address autolearning

You can use NNCLI commands in this section to configure and manage MAC autolearning.

mac-security auto-learning aging-time command

The mac-security auto-learning aging-time command sets the aging time for the autolearned addresses in the MAC Security Table.

The syntax for the command is

mac-security auto-learning aging-time <0-65535>


Substitute <0-65535> with the aging time in minutes. An aging time of 0 means that the learned addresses never age out. The default is 60 minutes.

The mac-security auto-learning aging-time command is executed in the Global Configuration command mode.

no mac-security auto-learning aging-time command

The no mac-security auto-learning aging-time command sets the aging time for the autolearned addresses in the MAC Security Table to 0. In this way, it disables the removal of autolearned MAC addresses.

The syntax for the command is

no mac-security auto-learning aging-time

The no mac-security auto-learning aging-time command is executed in the Global Configuration command mode.

default mac-security auto-learning aging-time command

The default mac-security auto-learning aging-time command sets the aging time for the autolearned addresses in the MAC Security Table to the default of 60 minutes.

The syntax for the command is

default mac-security auto-learning aging-time

The default mac-security auto-learning aging-time command is executed in the Global Configuration command mode.
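As an added illustration of how the mac-security settings in this section and the autolearning aging-time above interact (example code written for this page, not Nortel code and not from the manual), the following Python model combines the allowed-MAC table, security lists, intrusion-detect with intrusion-timer, the ten-entry MAC DA filter and autolearned-entry aging, and decides what happens to a frame arriving on a secured port. The order of the checks, the decision names and the sample MAC addresses are assumptions made for the example; the ranges and limits are the ones the tables above state.

```python
"""BaySecure (MAC address-based security) model following the mac-security
reference above.  Added illustration for this page, not Nortel code.  A MAC is
bound to one port or a security list (1-32); intrusion-detect enable/disable/
forever partitions a port for intrusion-timer seconds; at most ten DA filters;
autolearned entries age out after aging-time minutes (0 = never).  The order
of checks in ingress() is an assumption."""

from dataclasses import dataclass, field

MAX_DA_FILTERS = 10   # "up to ten specified MAC DAs" in the reference
FOREVER = -1          # port stays partitioned until cleared manually

@dataclass
class MacSecurity:
    enabled: bool = False
    intrusion_detect: str = "disable"   # enable | disable | forever
    intrusion_timer: int = 60           # seconds a port stays partitioned (1-65535)
    aging_time: int = 60                # minutes before autolearned entries age out, 0 = never
    security_lists: dict = field(default_factory=dict)  # list number -> set of ports
    allowed: dict = field(default_factory=dict)         # mac -> ("port", p) | ("list", n)
    autolearned: dict = field(default_factory=dict)     # mac -> (port, learned_at_seconds)
    da_filter: set = field(default_factory=set)         # filtered destination MACs
    partitioned: dict = field(default_factory=dict)     # port -> expiry seconds or FOREVER

    def security_list(self, number, ports):
        # mac-security security-list <1-32> <portlist>
        if not 1 <= number <= 32:
            raise ValueError("security list number must be 1-32")
        self.security_lists[number] = set(ports)

    def add_address(self, mac, port=None, security_list=None):
        # mac-security mac-address-table address <H.H.H> {port <portlist> | security-list <1-32>};
        # a new assignment replaces any previous assignment of the same MAC.
        if (port is None) == (security_list is None):
            raise ValueError("give exactly one of port or security_list")
        self.allowed[mac] = ("port", port) if port is not None else ("list", security_list)

    def add_da_filter(self, mac):
        # mac-security mac-da-filter add <H.H.H>
        if mac not in self.da_filter and len(self.da_filter) >= MAX_DA_FILTERS:
            raise ValueError("at most %d MAC DA filters" % MAX_DA_FILTERS)
        self.da_filter.add(mac)

    def autolearn(self, mac, port, now):
        # Entry created by MAC autolearning on a learning port; now is in seconds.
        self.autolearned[mac] = (port, now)

    def _is_allowed(self, mac, port, now):
        entry = self.allowed.get(mac)
        if entry is not None:
            kind, value = entry
            return port == value if kind == "port" else port in self.security_lists.get(value, set())
        learned = self.autolearned.get(mac)
        if learned is None:
            return False
        learned_port, learned_at = learned
        if self.aging_time and now - learned_at >= self.aging_time * 60:
            del self.autolearned[mac]        # aged out: no longer an allowed address
            return False
        return port == learned_port

    def _is_partitioned(self, port, now):
        expiry = self.partitioned.get(port)
        if expiry is None:
            return False
        if expiry != FOREVER and now >= expiry:
            del self.partitioned[port]       # intrusion-timer expired: port back in service
            return False
        return True

    def ingress(self, port, src_mac, dst_mac, now):
        """Fate of a frame on a port: forward, drop-partitioned, drop-da-filter or intrusion."""
        if not self.enabled:
            return "forward"
        if self._is_partitioned(port, now):
            return "drop-partitioned"
        if dst_mac in self.da_filter:
            return "drop-da-filter"
        if self._is_allowed(src_mac, port, now):
            return "forward"
        # Unknown source MAC on a secured port is an intrusion; partition the
        # port as intrusion-detect dictates (enable = timed, forever = manual).
        if self.intrusion_detect == "enable":
            self.partitioned[port] = now + self.intrusion_timer
        elif self.intrusion_detect == "forever":
            self.partitioned[port] = FOREVER
        return "intrusion"

def demo():
    """Constructed scenario: ports 1-3 form security list 1, one MAC is bound to it."""
    sec = MacSecurity(enabled=True, intrusion_detect="enable", intrusion_timer=300)
    sec.security_list(1, {1, 2, 3})
    sec.add_address("0001.0203.0405", security_list=1)   # constructed MAC, H.H.H form
    bcast = "ffff.ffff.ffff"
    return [sec.ingress(2, "0001.0203.0405", bcast, now=0),     # forward
            sec.ingress(4, "0001.0203.0405", bcast, now=0),     # intrusion
            sec.ingress(4, "0001.0203.0405", bcast, now=100),   # drop-partitioned
            sec.ingress(4, "0001.0203.0405", bcast, now=300)]   # timer expired: intrusion
```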

Configuring RADIUS authentication

For more information about the function and operation of RADIUS in a network, see “RADIUS-based network security” (page 26).

To configure RADIUS to perform authentication services for system users, do the following:

• Configure the RADIUS server itself. For more information, see the vendor documentation for your server. In particular, ensure that you set the appropriate Service-Type attribute in the user accounts:

— for read-write access, Service-Type = Administrative

— for read-only access, Service-Type = NAS-Prompt

• Configure RADIUS server settings on the switch. For more information, see “Configuring RADIUS server settings” (page 112).

• (Optional) Enable the RADIUS password fallback feature. For more information, see “Enabling RADIUS password fallback” (page 112).


Configuring RADIUS server settings

To add a RADIUS server, use the following command in the Global or Interface Command mode:

radius-server [host {ipaddr}] [key {key}] [port <port>] [secondary-host {ipaddr}] [timeout <1-60>] [password {word}]

This command contains the following parameters:

radius-server

followed by:

host <ipaddr> Specifies the IP address of the primary server you want to add or configure.

key <key> Specifies the secret authentication and encryption key used for all communications between the NAS and the RADIUS server. The key, also referred to as the shared secret, must be the same as the one defined on the server. You are prompted to enter and confirm the key.

port <port> Specifies the UDP port for RADIUS. <port> is an integer in the range 0 to 65535. The default port number is 1812.

secondary-host <IPaddr> Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond.

timeout <timeout> Specifies the number of seconds before the service request times out. RADIUS allows three retries for each server (primary and secondary). <timeout> is an integer in the range 1 to 60. The default timeout interval is 2 seconds.

To delete a RADIUS server and restore default RADIUS settings, use one of the following commands in the Global or Interface Command mode:

no radius-server

default radius-server

Enabling RADIUS password fallback

To enable the RADIUS password fallback feature, use the following command in the Global or Interface Command mode:

radius-server password fallback

When RADIUS password fallback is enabled, users can log on to the switch or the stack using the local password if the RADIUS server is unavailable or unreachable. The default is disabled.


To disable the RADIUS password fallback feature, use one of the following commands in the Global or Interface Command mode:

no radius-server password fallback

default radius-server password fallback

The command erases settings for the RADIUS primary and secondary servers and secret key, and restores default RADIUS settings.

Viewing RADIUS information

You can view RADIUS information using NNCLI.

Prerequisites

• Log on to the Global or Interface command mode in NNCLI.

Procedure steps

Perform this procedure to view RADIUS information.

Step Action

1 To display RADIUS configuration status, enter the following command:

show radius-server

--End--

Job aid

The following example shows sample output for the command.

show radius-server
Password Fallback: Disabled
Primary Host: 10.10.10.5
Secondary Host: 0.0.0.0
Port: 1812
Time-out: 2
Key: ***************
RADIUS Accounting is Disabled
AcctPort: 1813
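The job aid above lends itself to an automated review. The following Python script, added here as an example and not part of the Nortel documentation, parses that output and flags the settings a security reviewer would question (no secondary server, password fallback state, accounting off), using only the defaults and the retry count stated in this section. The severity labels and the worst-case-wait arithmetic are this example's own assumptions.

```python
"""Audit of NNCLI ``show radius-server`` output.  Added example for this page,
not Nortel code.  SAMPLE_OUTPUT is the job aid above re-broken one field per
line; the checks use only settings and defaults stated in this section (port
1812, timeout 2 s, three retries per server, fallback disabled by default).
Severity labels and the retry arithmetic are this example's assumptions."""

import re

SAMPLE_OUTPUT = """\
Password Fallback: Disabled
Primary Host: 10.10.10.5
Secondary Host: 0.0.0.0
Port: 1812
Time-out: 2
Key: ***************
RADIUS Accounting is Disabled
AcctPort: 1813
"""

DEFAULT_PORT = 1812     # default UDP port for RADIUS (this section)
DEFAULT_TIMEOUT = 2     # default request timeout in seconds (this section)
RETRIES_PER_SERVER = 3  # "RADIUS allows three retries for each server"
NO_HOST = "0.0.0.0"     # how the switch shows an unconfigured server


def parse_radius_status(text):
    """Return the fields of show radius-server output as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"RADIUS Accounting is (\w+)$", line)
        if m:
            fields["Accounting"] = m.group(1)
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def worst_case_wait(fields):
    """Seconds a login may hang before RADIUS is given up on, counting
    RETRIES_PER_SERVER attempts of Time-out seconds against each configured
    server (assumed arithmetic; the reference only states the retry count)."""
    servers = 1 + (fields.get("Secondary Host", NO_HOST) != NO_HOST)
    return int(fields.get("Time-out", DEFAULT_TIMEOUT)) * RETRIES_PER_SERVER * servers


def audit_radius(fields):
    """Return (severity, finding) pairs for the management-authentication setup."""
    findings = []
    primary = fields.get("Primary Host", NO_HOST)
    secondary = fields.get("Secondary Host", NO_HOST)
    fallback = fields.get("Password Fallback", "Disabled")
    if primary == NO_HOST:
        findings.append(("high", "no primary RADIUS server: RADIUS authentication cannot take place"))
    elif secondary == NO_HOST:
        findings.append(("medium", "no secondary RADIUS server: a single server failure "
                                   "leaves only password fallback, if enabled"))
    if fallback == "Enabled":
        findings.append(("info", "password fallback enabled: the local password is accepted "
                                 "while RADIUS is unreachable, so keep it strong and rotated"))
    elif secondary == NO_HOST and primary != NO_HOST:
        findings.append(("medium", "password fallback disabled with a single server: administrators "
                                   "cannot log on with the local password during a RADIUS outage"))
    if fields.get("Accounting") == "Disabled":
        findings.append(("low", "RADIUS accounting disabled: no central record of management sessions"))
    port = int(fields.get("Port", DEFAULT_PORT))
    if port != DEFAULT_PORT:
        findings.append(("info", "non-default RADIUS port %d: confirm the server listens there" % port))
    findings.append(("info", "worst-case wait for a RADIUS answer: %d s" % worst_case_wait(fields)))
    return findings


if __name__ == "__main__":
    for severity, text in audit_radius(parse_radius_status(SAMPLE_OUTPUT)):
        print("[%s] %s" % (severity, text))
```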

Configuring EAPOL security

Use the following NNCLI commands to configure and manage Extensible Authentication Protocol over LAN (EAPOL) security. EAPOL filters traffic based on the source MAC address.


ATTENTION
You must enable EAPOL before you enable UDP Forwarding, IP Source Guard, and other features that use QoS policies.

eapol command

The eapol command enables or disables EAPOL-based security.

The syntax for the eapol command is

eapol {disable|enable}

Use either disable or enable to enable or disable EAPOL-based security.

The eapol command is executed in the Global Configuration command mode.

eapol command for modifying parameters

The eapol command for modifying parameters modifies EAPOL-based security parameters for a specific port.

The syntax for the eapol command for modifying parameters is:

eapol [port <portlist>] [init] [status {authorized|unauthorized|auto}] [traffic-control {in-out|in}] [reauthentication {enable|disable}] [reauthentication-period <1-604800>] [re-authenticate] [quiet-interval <num>] [transmit-interval <num>] [supplicant-timeout <num>] [server-timeout <num>] [max-request <num>]

The following table outlines the parameters for this command.

Table 24 eapol parameters

Parameter Description

port <portlist> Specifies the ports to configure for EAPOL; enter the desired port numbers.

ATTENTION
If this parameter is omitted, the system uses the port number specified when the interface command was issued.

init Reinitiates EAP authentication.


Table 24 eapol parameters (cont’d.)

Parameter Description

status {authorized | unauthorized | auto} Specifies the EAP status of the port:

• authorized — port is always authorized

• unauthorized — port is always unauthorized

• auto — port authorization status depends on the result of the EAP authentication

traffic-control {in-out | in} Sets the level of traffic control:

• in-out — if EAP authentication fails, both ingressing and egressing traffic are blocked

• in — if EAP authentication fails, only ingressing traffic is blocked

EAPOL filters traffic based on the source MAC address.

An unauthorized client, whether EAPOL or NonEAPOL, can receive traffic from authorized clients.

reauthentication {enable|disable} Enables or disables reauthentication for EAPOL clients.

reauthentication-period <1-604800> Enter the desired number of seconds between reauthentication attempts.

re-authenticate Specifies an immediate reauthentication. NonEAP clients are not reauthenticated even if reauthentication is enabled on the port.

quiet-interval <num> Enter the desired number of seconds between an authentication failure and the start of a new authentication attempt; range is 1 to 65535.

transmit-interval <num> Specifies a waiting period for response from supplicant for EAP Request/Identity packets. Enter the number of seconds to wait; range is 1 to 65535.

supplicant-timeout <num> Specifies a waiting period for response from supplicant for all EAP packets except EAP Request/Identity packets. Enter the number of seconds to wait; range is 1 to 65535.


Table 24 eapol parameters (cont’d.)

Parameter Description

server-timeout <num> Specifies a waiting period for response from the server. Enter the number of seconds to wait; range is 1 to 65535.

max-request <num> Enter the number of times to retry sending packets to supplicant; range is 1 to 10.

The eapol command for modifying parameters is executed in the Interface Configuration command mode.

show eapol command

The show eapol command displays the EAPOL-based security.

The syntax for the show eapol command is

show eapol [<portlist>] [multihost {interface|status}] [guest-vlan {interface}] [auth-diags {interface}] [auth-stats {interface}]

The following table outlines the parameters for this command.

Table 25 show eapol parameters

Parameter Description

port The list of ports for which EAPOL security is to appear.

multihost {interface | status} Displays EAPOL multihost configuration. Select interface to display multihost port configuration and status to display multihost port status.

guest-vlan {interface} Displays EAPOL port Guest VLAN settings.

auth-diags {interface} Displays the EAPOL authentication diagnostics interface.

auth-stats {interface} Displays the authentication statistics interface.

The show eapol command is executed in the Privileged EXEC command mode.

show eapol multihost status command

The show eapol multihost status command displays the multihost status of eapol clients on EAPOL-enabled ports.

The syntax for the show eapol multihost status command is

show eapol multihost status [<interface-type>] [<interface-id>]


The following table outlines the parameters for this command.

Table 26 show eapol multihost status parameters

Parameter Description

<interface-id> Displays the interface ID.

<interface-type> Displays the type of interface used.

The show eapol multihost status command is executed in the Privileged EXEC command mode.

Configuring features

The Ethernet Routing Switch 4500 supports advanced EAPOL features that allow multiple hosts on a port. For more information about the advanced EAPOL features, see “Advanced EAPOL features” (page 35).

This section provides information about configuring the following features:

• Single Host with Single Authentication (SHSA) and Guest VLAN. For more information, see “Configuring guest VLANs” (page 122).

• Multiple Host with Multiple Authentication (MHMA). For more information, see “Multiple Host with Multiple Authentication” (page 39).

• Multiple Host with Single Authentication (MHSA). For more information, see “Multiple Host with Single Authentication” (page 47).

• Non EAP hosts on EAP-enabled ports. For more information, see “Non EAP hosts on EAP-enabled ports” (page 45).

SHSA is the default configuration.

no eapol multihost use radius-assigned-vlan command

To globally disable RADIUS-assigned VLAN use in MHMA mode, use one of the following commands in the Global Configuration mode:

no eapol multihost [use-radius-assigned-vlan]

or

default eapol multihost [use-radius-assigned-vlan]

The following tables outline the parameters for the no and default versions of this command respectively:


Table 27 no eapol multihost [use-radius-assigned-vlan] parameters

Parameter Description

use-radius-assigned-vlan Globally disables RADIUS-assigned VLAN use in the MHMA mode.

Table 28 default eapol multihost [use-radius-assigned-vlan] parameters

Parameter Description

use-radius-assigned-vlan Globally sets the default (disable) for RADIUS-assigned VLAN use in the MHMA mode.

To disable RADIUS-assigned VLAN use in the MHMA mode for the desired interface, use one of the following commands:

no eapol multihost [port <portlist>] [use-radius-assigned-vlan]

or

default eapol multihost [port <portlist>] [use-radius-assigned-vlan]

The following tables outline the parameters for the no and default versions of this command respectively:

Table 29 no eapol multihost [use-radius-assigned-vlan] parameters: Interface mode

Parameter Description

<portlist> Specifies the port on which you want RADIUS-assigned VLAN use disabled in the MHMA mode. You can enter a port, several ports or a range of ports.

use-radius-assigned-vlan Disables RADIUS-assigned VLAN use in the MHMA mode, on the desired interface.

Table 30 default eapol multihost [use-radius-assigned-vlan] parameters: Interface mode

Parameter Description

<portlist> Specifies the port on which you want RADIUS-assigned VLAN use disabled in the MHMA mode. You can enter a port, several ports or a range of ports.

use-radius-assigned-vlan Sets the default (disable) for RADIUS-assigned VLAN use in the MHMA mode, on the desired port.


802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI

This section describes the procedures for the configuration of 802.1X or non-EAP Last Assigned RADIUS VLAN using NNCLI.

802.1X or non-EAP Last Assigned RADIUS VLAN configuration using NNCLI navigation

• “Enabling use-most-recent-RADIUS assigned VLAN” (page 119)

• “Disabling use-most-recent-RADIUS assigned VLAN” (page 119)

• “Restoring use-most-recent-RADIUS assigned VLAN” (page 120)

Enabling use-most-recent-RADIUS assigned VLAN

Perform this procedure to allow the system to use the most recently assigned RADIUS VLAN.

Prerequisites

• Log on to the Global configuration mode using NNCLI.

Procedure steps

Step Action

1 Enable the most recent RADIUS VLAN by using the following command:

eap multihost use-most-recent-radius-vlan

--End--

Variable Definitions

The following table defines variable parameters that you enter with the eap multihost use-most-recent-radius-vlan command.

Variable Value

use-most-recent-radius-vlan Allows the use of most recent RADIUS VLAN.

Disabling use-most-recent-RADIUS assigned VLAN

Perform this procedure to prevent the system from using the most recently assigned RADIUS VLAN.

Prerequisites

• Log on to the Global configuration mode using NNCLI.


Procedure steps

Step Action

1 Disable the use of most recent RADIUS VLAN by using the following command:

no eap multihost use-most-recent-radius-vlan

--End--

Variable Definitions

The following table defines variable parameters that you enter with the no eap multihost use-most-recent-radius-vlan command.

Variable Value

use-most-recent-radius-vlan Disables the use of most recent RADIUS VLAN.

Restoring use-most-recent-RADIUS assigned VLAN

Perform this procedure to restore the default EAPol multihost settings.

Prerequisites

• Log on to the Global configuration mode using NNCLI.

Procedure steps

Step Action

1 Restore the default EAPol multihost settings by using the following command:

default eap multihost use-most-recent-radius-vlan

--End--

Variable Definitions

The following table defines variable parameters that you enter with the default eap multihost use-most-recent-radius-vlan command.

Variable Value

use-most-recent-radius-vlan Disables the use of most recent RADIUS VLAN.


Selecting the packet mode for EAP requests

This feature prevents repeated EAP responses from an EAP-capable device that has already been authenticated.

Use the following command to globally select the packet mode for EAP requests:

eapol multihost [eap-packet-mode {multicast | unicast}]

The following table outlines the parameters for this command.

Table 31 eapol multihost [eap-packet-mode {multicast | unicast}] parameters

Parameter Description

[eap-packet-mode {multicast | unicast}] Globally enables the desired packet mode (multicast or unicast) for EAP requests.

Use the following command to select the packet mode on the desired interface or on specific ports:

eapol multihost [port <portlist>] [eap-packet-mode {multicast | unicast}]

The following table outlines the parameters for this command.

Table 32 eapol multihost [eap-packet-mode {multicast | unicast}] parameters: Interface mode

Parameter Description

<portlist> The port or ports for which you want to select the packet mode. You can enter a single port, several ports or a range of ports.

[eap-packet-mode {multicast | unicast}] Enables the desired packet mode (multicast or unicast) on the desired port or ports.

Use one of the following commands to globally disable the selection of packet mode:

no eapol multihost [eap-packet-mode {multicast | unicast}]

or

default eapol multihost [eap-packet-mode {multicast | unicast}]

The following tables outline the parameters for the no and default versions of this command, respectively:


Table 33no eapol multihost [eap-packet-mode {multicast | unicast}] parameters

Parameter Description

[eap-packet-mode {multicast |unicast}]

globally disables selection of the packetmode.

Table 34default eapol multihost [eap-packet-mode {multicast | unicast}] parameters

Parameter Description

[eap-packet-mode {multicast |unicast}]

globally sets the default (disable) for theselection of packet mode.

Use one of the following commands to disable the selection of packet mode on the desired interface:

no eapol multihost [port <portlist>] [eap-packet-mode {multicast | unicast}]

or

default eapol multihost [<portlist>] [eap-packet-mode {multicast | unicast}]

The following tables outline the parameters for the no and default versions of this command, respectively:

Table 35: no eapol multihost [eap-packet-mode {multicast | unicast}] command parameters

Parameter                                  Description
[eap-packet-mode {multicast | unicast}]    Disables selection of packet mode on the desired interface.

Table 36: default eapol multihost [eap-packet-mode {multicast | unicast}] command parameters

Parameter                                  Description
[eap-packet-mode {multicast | unicast}]    Sets the default (disable) for the selection of packet mode on the desired interface.

Configuring guest VLANs

To configure guest VLAN support, do the following:

1. Enable guest VLAN globally, and set the guest VLAN ID.

2. Enable guest VLAN on specific ports on an interface.


eapol guest-vlan command

The eapol guest-vlan command sets the guest VLAN for EAP-controlled ports.

The syntax for the eapol guest-vlan command is

eapol guest-vlan enable vid <1-4094>

The following table outlines the parameters for this command.

Table 37: eapol guest-vlan parameters

Parameter   Description
enable      Enable Guest VLAN.
<vid>       Guest VLAN ID.

The eapol guest-vlan command is executed in the Global Configuration command mode.

no eapol guest-vlan command

The no eapol guest-vlan command disables the guest VLAN.

The syntax for the no eapol guest-vlan command is

no eapol guest-vlan [enable]

The no eapol guest-vlan command is executed in the Global Configuration command mode.

default eapol guest-vlan command

The default eapol guest-vlan command disables the guest VLAN.

The syntax for the default eapol guest-vlan command is

default eapol guest-vlan [enable] [vid]

The default eapol guest-vlan command is executed in the Global Configuration command mode.

The default eapol guest-vlan command has no parameters or variables.

ATTENTION
An EAP-enabled port is not moved to the guest VLAN if the guest VLAN and the original VLAN are associated with different STGs. In that case the EAP port does not forward traffic in either the guest VLAN or the original VLAN; if EAP authentication succeeds, packets are transmitted properly in the original VLAN.


802.1X or non-EAP and Guest VLAN on the same port configuration using NNCLI

Use the commands in this section to allow a non-EAP phone to function with the Guest VLAN enabled.

Non-EAP and Guest VLAN on the same port configuration using NNCLI navigation

• “Enabling EAPOL VoIP VLAN” (page 124)

• “Disabling EAPOL VoIP VLAN” (page 125)

• “Configuring EAPOL VoIP VLAN as the default VLAN” (page 125)

• “Displaying EAPOL VoIP VLAN” (page 126)

Enabling EAPOL VoIP VLAN

Perform this procedure to enable the EAPOL multihost VoIP VLAN.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable the EAPOL multihost VoIP VLAN by using the following command:

eapol multihost voip-vlan <1-5> {[enable] [vid <1-4094>]}

--End--

Variable definitions

The following table defines variables you can use with the eapol multihost voip-vlan <1-5> {[enable] [vid <1-4094>]} command.

Variable          Value
enable            Enables VoIP VLAN.
voip-vlan <1-5>   Sets number of VoIP VLAN from 1 to 5.
vid <1-4094>      Sets VLAN ID, which ranges from 1 to 4094.


Disabling EAPOL VoIP VLAN

Perform this procedure to disable the EAPOL multihost VoIP VLAN.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable the EAPOL multihost VoIP VLAN by using the following command:

no eapol multihost voip-vlan <1-5> [enable]

--End--

Variable Definitions

The following table defines variables you can use with the no eapol multihost voip-vlan <1-5> [enable] command.

Variable          Value
enable            Disables VoIP VLAN.
voip-vlan <1-5>   Sets number of VoIP VLAN from 1 to 5.

Configuring EAPOL VoIP VLAN as the default VLAN

Perform this procedure to configure the EAPOL multihost VoIP VLAN as the default setting.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure the EAPOL multihost VoIP VLAN by using the following command:

default eapol multihost voip-vlan <1-5> [enable] [vid]

--End--


Variable Definitions

The following table defines variables you can use with the default eapol multihost voip-vlan <1-5> [enable] [vid] command.

Variable          Value
enable            Disables VoIP VLAN.
vid               Default VoIP VLAN ID.
voip-vlan <1-5>   Sets number of VoIP VLAN from 1 to 5.

Displaying EAPOL VoIP VLAN

Perform this procedure to display information related to the EAPOL multihost VoIP VLAN.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Display information related to the EAPOL multihost VoIP VLAN by using the following command:

show eapol multihost voip-vlan

--End--

802.1X or non-EAP with Fail Open VLAN configuration using NNCLI

Use the procedures in this section to configure 802.1X non-EAP with Fail Open VLAN using NNCLI.

Note: The switch does not validate that the RADIUS-assigned VLAN attribute differs from the Fail_Open VLAN. This means that if you configure the Fail_Open VLAN name or ID to be the same as one of the VLAN names or IDs that the RADIUS server can return, then EAP or NEAP clients could be assigned to the Fail_Open VLAN even though no failure to connect to the RADIUS server has occurred.
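The note above and the ATTENTION note under "default eapol guest-vlan command" describe two conditions the switch does not check for you: a Fail_Open VLAN that collides with a VLAN the RADIUS server can return, and a guest VLAN placed in a different STG from the port's original VLAN (in which case the guest VLAN fallback never takes effect). Both are cheaper to catch in the planned configuration than after clients land in the wrong VLAN. The following Python is an added example and is not part of the Nortel document or the switch software: the EapolVlanPlan data model, the VLAN-to-STG map and the list of RADIUS-assignable VLAN references are all assumptions of the example, filled in by hand from the running configuration (the switch exposes no such API), and the sample values are constructed.

```python
"""Pre-push checks for two EAPOL VLAN caveats documented for the ERS 4500.
Added example with a constructed data model; not Nortel code."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class EapolVlanPlan:
    """Planned switch settings (assumed model, filled in by hand)."""
    vlan_to_stg: dict[int, int]                                # VLAN ID -> spanning tree group
    vlan_names: dict[str, int] = field(default_factory=dict)   # VLAN name -> VLAN ID
    guest_vlan: int | None = None                              # 'eapol guest-vlan enable vid N'
    fail_open_vlan: int | None = None                          # 'eapol multihost fail-open-vlan ... vid N'
    # VLAN IDs or names the RADIUS server is known to return in an Access-Accept
    radius_assignable: set[str | int] = field(default_factory=set)


def resolve_vlan(plan: EapolVlanPlan, ref: str | int) -> int | None:
    """Map a VLAN reference (numeric ID or configured name) to a VLAN ID."""
    if isinstance(ref, int):
        return ref
    return plan.vlan_names.get(ref)


def guest_vlan_issues(plan: EapolVlanPlan, port_vlans: dict[str, int]) -> list[tuple[str, int, int]]:
    """Ports whose guest VLAN fallback will not take effect.

    port_vlans maps unit/port -> the port's original VLAN. Per the ATTENTION
    note, an EAP-enabled port is not moved to the guest VLAN when the guest
    VLAN and the original VLAN belong to different STGs. A VLAN with no known
    STG is reported too, because it cannot be shown to match.
    """
    if plan.guest_vlan is None:
        return []
    guest_stg = plan.vlan_to_stg.get(plan.guest_vlan)
    issues = []
    for port, vid in sorted(port_vlans.items()):
        orig_stg = plan.vlan_to_stg.get(vid)
        if guest_stg is None or orig_stg is None or guest_stg != orig_stg:
            issues.append((port, vid, plan.guest_vlan))
    return issues


def fail_open_collisions(plan: EapolVlanPlan) -> list[str]:
    """RADIUS-assignable VLAN references that resolve to the Fail_Open VLAN.

    The switch performs no such check, so any hit means a client could be
    placed in the Fail_Open VLAN while the RADIUS server is reachable.
    """
    if plan.fail_open_vlan is None:
        return []
    return sorted(str(ref) for ref in plan.radius_assignable
                  if resolve_vlan(plan, ref) == plan.fail_open_vlan)


# Constructed sample: guest VLAN 30 sits in STG 2 while staff VLAN 10 is in
# STG 1, and the RADIUS server can return VLAN 666, which is also Fail_Open.
SAMPLE_PLAN = EapolVlanPlan(
    vlan_to_stg={10: 1, 20: 1, 30: 2, 99: 1, 666: 2},
    vlan_names={"staff": 10, "voice": 20, "guest": 30, "quarantine": 666},
    guest_vlan=30,
    fail_open_vlan=666,
    radius_assignable={"staff", "voice", 666},
)
SAMPLE_PORT_VLANS = {"1/5": 10, "1/7": 30, "2/21": 99}

if __name__ == "__main__":
    for port, vid, guest in guest_vlan_issues(SAMPLE_PLAN, SAMPLE_PORT_VLANS):
        print(f"port {port}: original VLAN {vid} and guest VLAN {guest} are in different STGs")
    for ref in fail_open_collisions(SAMPLE_PLAN):
        print(f"RADIUS can return VLAN {ref}, which is the Fail_Open VLAN")
```

On the sample plan the guest VLAN check flags ports 1/5 and 2/21 (original VLANs in STG 1, guest VLAN in STG 2) and the Fail_Open check flags VLAN 666. Run the checks again after any change to the RADIUS server's VLAN policy, not only after changing the switch, since the collision can be introduced from either side.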

802.1X non-EAP with Fail Open VLAN configuration using NNCLI navigation

• “Enabling EAPOL Fail Open VLAN” (page 127)

• “Disabling EAPOL Fail Open VLAN” (page 127)


• “Setting EAPOL Fail Open VLAN as the default” (page 128)

• “Displaying EAPOL Fail Open VLAN” (page 129)

Enabling EAPOL Fail Open VLAN

Perform this procedure to enable the EAPOL Fail Open VLAN.

Prerequisites

• Log on to the Global configuration mode using NNCLI.

Procedure steps

Step Action

1 Enable the EAPOL Fail Open VLAN by using the following command:

eapol multihost fail-open-vlan {[enable] [vid <1-4094>]}

--End--

Variable Definitions

The following table defines variables you can use with the eapol multihost fail-open-vlan {[enable] [vid <1-4094>]} command.

Variable       Value
enable         Enables fail-open-vlan.
vid <1-4094>   Specifies the VLAN ID, in the range 1 to 4094.

Disabling EAPOL Fail Open VLAN

Perform this procedure to disable the EAPOL Fail Open VLAN.

Prerequisites

• Log on to the Global configuration mode using NNCLI.


Procedure steps

Step Action

1 Disable the EAPOL Fail Open VLAN by using the following command:

no eapol multihost fail-open-vlan [enable]

--End--

Variable Definitions

The following table defines variables you can use with the no eapol multihost fail-open-vlan [enable] command.

Variable   Value
enable     Disables the Fail Open VLAN.

Setting EAPOL Fail Open VLAN as the default

Perform this procedure to set the EAPOL Fail Open VLAN as the default.

Prerequisites

• Log on to the Global configuration mode using NNCLI.

Procedure steps

Step Action

1 Set the EAPOL Fail Open VLAN as the default by using the following command:

default eapol multihost fail-open-vlan [enable] [vid]

--End--

Variable Definitions

The following table defines variables you can use with the default eapol multihost fail-open-vlan [enable] [vid] command.

Variable   Value
enable     Disables the Fail Open VLAN.
vid        Sets the default Fail Open VLAN ID.


Displaying EAPOL Fail Open VLAN

Perform this procedure to display information related to the EAPOL Fail Open VLAN.

Prerequisites

• Log on to the privileged exec mode and configuration mode using NNCLI.

Procedure steps

Step Action

1 Display the status of the fail-open VLAN by using the following command:

show eapol multihost fail-open-vlan

--End--

Configuring multihost support

Configure multihost support by completing the following steps:

1. Enable multihost support for the interface. The relevant command is executed in the Interface Configuration mode. You can issue the command for the interface selected when you enter the Interface Configuration mode (so that all ports have the same setting), or you can issue the command for specific ports on the interface.

2. Specify the maximum number of EAP clients allowed on each multihost port. You can issue the command for the interface selected when you enter the Interface Configuration mode (so that all ports have the same setting), or you can issue the command for specific ports on the interface.

eapol multihost command

This command is executed in the Interface Configuration mode.

The syntax for the eapol multihost command is

eapol multihost { [enable] [eap-mac-max <1-32>] [non-eap-mac-max <1-32>] [allow-non-eap-enable] [radius-non-eap-enable] [auto-non-eap-mhsa-enable] [non-eap-phone-enable] [use-radius-assigned-vlan] [eap-packet-mode {multicast | unicast}] }

The following table outlines the parameters for this command.


Table 38: eapol multihost parameters

Parameter                               Description
enable                                  Globally enables EAPOL.
eap-mac-max                             Specifies the maximum number of EAP MAC addresses allowed.
non-eap-mac-max                         Specifies the maximum number of non-EAP MAC addresses allowed.
allow-non-eap-enable                    Enables MAC addresses of non-EAP clients.
radius-non-eap-enable                   Enables RADIUS authentication of non-EAP clients.
auto-non-eap-mhsa-enable                Enables autoauthentication of non-EAP clients in the Multiple Host with Single Authentication (MHSA) mode.
non-eap-phone-enable                    Enables Nortel IP Phone clients as another non-EAP type.
use-radius-assigned-vlan                Enables use of RADIUS-assigned VLAN values in the multihost mode.
eap-packet-mode {multicast | unicast}   Enables the packet mode (multicast or unicast) for EAP requests.

no eapol multihost command

The no eapol multihost command disables EAPOL multihost. This command is executed in the Interface Configuration mode.

The syntax for the no eapol multihost command is

no eapol multihost [enable] [eap-mac-max] [non-eap-mac-max] [allow-non-eap-enable] [radius-non-eap-enable] [auto-non-eap-mhsa-enable] [non-eap-phone-enable] [use-radius-assigned-vlan] [eap-packet-mode]

The following table outlines the parameters for this command. If you do not specify parameters, the command resets all EAPOL multihost settings to the defaults.

Table 39: no eapol multihost parameters

Parameter                  Description
eap-mac-max                Specifies the maximum number of EAP clients allowed on the port.
non-eap-mac-max            Specifies the maximum number of non-EAP authenticated MAC addresses allowed.


Table 39: no eapol multihost parameters (cont’d.)

Parameter                  Description
non-eap-mac                Disables allowing a non-EAPOL MAC address.
allow-non-eap-enable       Disables MAC addresses of non-EAP clients.
radius-non-eap-enable      Disables RADIUS authentication of non-EAP clients.
auto-non-eap-mhsa-enable   Disables auto-authentication of non-EAP clients.
non-eap-phone-enable       Disables authentication of Nortel IP Phone clients as another non-EAP type.
use-radius-assigned-vlan   Disables use of RADIUS-assigned VLAN values in the MHMA mode.
eap-packet-mode            Disables the EAP packet mode request feature.

default eapol multihost command

The default eapol multihost command sets the EAPOL multihost feature to the defaults.

The syntax for the default eapol multihost command is

default eapol multihost [enable] [eap-mac-max] [non-eap-mac-max] [allow-non-eap-enable] [radius-non-eap-enable] [auto-non-eap-mhsa-enable] [non-eap-phone-enable] [use-radius-assigned-vlan] [eap-packet-mode]

The following table outlines the parameters for this command. If you do not specify parameters, the command resets all EAPOL multihost settings to the defaults.

Table 40: default eapol multihost parameters

Parameter                  Description
enable                     Restores EAPOL multihost support status to the default value (disabled).
eap-mac-max                Resets the maximum number of EAP clients allowed on the port to the default value (1).
non-eap-mac-max            Resets the maximum number of non-EAP authenticated MAC addresses allowed to the default value (1).
non-eap-mac                Resets the non-EAP MAC addresses to the default.
allow-non-eap-enable       Resets control of non-EAP clients (MAC addresses) to the default (disabled).


Table 40: default eapol multihost parameters (cont’d.)

Parameter                  Description
radius-non-eap-enable      Disables RADIUS authentication of non-EAP clients.
auto-non-eap-mhsa-enable   Disables auto-authentication of non-EAP clients.
non-eap-phone-enable       Disables authentication of Nortel IP Phone clients as non-EAP type.
use-radius-assigned-vlan   Disables use of RADIUS-assigned VLAN values in the MHMA mode.
eap-packet-mode            Resets the EAP packet mode to the default (multicast).

eapol multihost enable command

The eapol multihost enable command enables multihost support for EAPOL.

The syntax for the eapol multihost enable command is

eapol multihost [port <portlist>] enable

where

<portlist> is the list of ports on which you want to enable EAPOL support. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

The default is disabled.

The eapol multihost [port <portlist>] enable command is executed in the Interface Configuration mode.

no eapol multihost enable command

The no eapol multihost enable command disables the EAPOL multihost.

The syntax for the no eapol multihost enable command is

no eapol multihost [<portlist>] [enable] [allow-non-eap-enable] [radius-non-eap-enable] [auto-non-eap-mhsa-enable] [non-eap-phone-enable] [use-radius-assigned-vlan]


Table 41: no eapol multihost command parameters

Variable                   Description
<portlist>                 The list of ports on which you want to disable EAPOL support. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.
enable                     Disables EAPOL on the desired port(s).
radius-non-eap-enable      Disables RADIUS authentication of non-EAP clients.
allow-non-eap-enable       Disables control of non-EAP clients (MAC addresses).
auto-non-eap-mhsa-enable   Disables auto-authentication of non-EAP clients.
non-eap-phone-enable       Disables Nortel IP Phone clients.
use-radius-assigned-vlan   Disables use of RADIUS-assigned VLAN.

The no eapol multihost enable command is executed in the Interface Configuration mode.

eapol multihost eap-mac-max command

The eapol multihost eap-mac-max command sets the maximum number of EAP clients.

The syntax for the eapol multihost eap-mac-max command is

eapol multihost [port <portlist>] eap-mac-max <num>

where

<portlist> is the list of ports for which you are setting the maximum number of EAP clients. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

<num> is an integer in the range 1–32 that specifies the maximum number of EAP clients allowed. The default is 1.


The eapol multihost [port <portlist>] eap-mac-max command is executed in the Interface Configuration mode.

eapol multihost use-radius-assigned-vlan command

To enable RADIUS-assigned VLAN use in the MHMA mode, use the following command in the Global Configuration mode:

eapol multihost [use-radius-assigned-vlan]

The following table outlines the parameters for this command.

Table 42: eapol multihost [use-radius-assigned-vlan] parameters

Parameter                  Description
use-radius-assigned-vlan   Globally enables RADIUS-assigned VLAN use in the MHMA mode.

To enable RADIUS-assigned VLAN use in the MHMA mode for the desired interface, use the following command:

eapol multihost [port <portlist>] [use-radius-assigned-vlan]

The following table outlines the parameters for this command.

Table 43: eapol multihost [use-radius-assigned-vlan] parameters: Interface mode

Parameter                  Description
<portlist>                 The port on which you want RADIUS-assigned VLAN use configured in the MHMA mode. You can enter a single port, several ports or a range of ports.
use-radius-assigned-vlan   Enables RADIUS-assigned VLAN use on the desired interface.

Configuring support for non-EAPOL hosts on EAPOL-enabled ports

To configure support for non-EAPOL hosts on EAPOL-enabled ports, do the following:

1. Ensure that:

a. EAPOL is enabled globally and locally (for the desired interface ports). For more information, see “Configuring EAPOL security” (page 113).

b. the desired ports have been enabled for multihost mode. For more information, see “Configuring multihost support” (page 129).

c. guest VLAN is disabled locally (for the desired interface ports). For more information, see “Configuring guest VLANs” (page 122).

2. Enable non EAPOL support globally on the switch and locally (for the desired interface ports), using one or both of the following authentication methods:

a. local authentication. For more information, see “Enabling local authentication of non EAPOL hosts on EAPOL-enabled ports” (page 135).

b. RADIUS authentication. For more information, see “Enabling RADIUS authentication of non EAPOL hosts on EAPOL-enabled ports” (page 136).

3. Specify the maximum number of non EAPOL MAC addresses allowed on a port. For more information, see “Specifying the maximum number of non EAPOL hosts allowed” (page 139).

4. For local authentication only, identify the MAC addresses of non EAPOL hosts allowed on the ports. For more information, see “Creating the allowed non EAPOL MAC address list” (page 140).

By default, support for non EAPOL hosts on EAPOL-enabled ports is disabled.

Enabling local authentication of non EAPOL hosts on EAPOL-enabled ports

For local authentication of non EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface.

To enable local authentication of non EAPOL hosts globally on the switch, use the following command in Global Configuration mode:

eapol multihost allow-non-eap-enable

To enable local authentication of non EAPOL hosts for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] allow-non-eap-enable

where

<portlist> is the list of ports on which you want to enable non EAPOL hosts using local authentication. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

To discontinue local authentication of non EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface configuration modes.

Enabling RADIUS authentication of non EAPOL hosts on EAPOL-enabled ports

For RADIUS authentication of non EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface.

To enable RADIUS authentication of non EAPOL hosts globally, use the following command in Global Configuration mode:

eapol multihost radius-non-eap-enable

The following table outlines the parameters for this command.

Table 44: eapol multihost radius-non-eap-enable command

Parameter               Description
radius-non-eap-enable   Globally enables RADIUS authentication for non EAPOL hosts.

To enable RADIUS authentication of non EAPOL hosts for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] radius-non-eap-enable

The following table outlines the parameters for this command.

Table 45: eapol multihost radius-non-eap-enable command: Interface mode

Parameter               Description
<portlist>              The port or ports on which you want RADIUS authentication enabled. You can enter a single port, several ports or a range of ports. If you do not specify a port parameter, the command enables RADIUS authentication of non-EAP hosts on all ports on the interface.
radius-non-eap-enable   Enables RADIUS authentication on the desired interface or on a specific port, for non EAPOL hosts.

The default setting for this feature is disabled.

To discontinue RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands, in both the Global and Interface configuration modes.

Configuring the format of the RADIUS password attribute when authenticating non-EAP MAC addresses using RADIUS

To configure the format of the RADIUS password when authenticating non-EAP MAC addresses using RADIUS, use the following command in the Global Configuration mode:

eapol multihost non-eap-pwd-fmt

The syntax for the eapol multihost non-eap-pwd-fmt command is

eapol multihost non-eap-pwd-fmt { [ip-addr] [mac-addr] [port-number] }

The following table outlines the parameters for this command.

Table 46: eapol multihost non-eap-pwd-fmt parameters

Parameter       Description
<ip-addr>       The IP address of the non-EAP client.
<mac-addr>      The MAC address of the non-EAP client.
<port-number>   The port number for which you want the RADIUS password attribute configured.

If you configure the password string to include only the MAC address, enter the password string with no delimiting characters. For example, for a client whose MAC address is 00:C0:C1:C2:C3:C4, enter the password string as 00c0c1c2c3c4.

To discontinue configuration of the RADIUS password attribute format, use the no or default keywords at the start of the command in the Global Configuration mode.

Enabling RADIUS-assigned VLAN for non-EAP MACs

To enable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode, use the following command in the Global Configuration mode:

eapol multihost [non-eap-use-radius-assigned-vlan]

RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode is disabled by default.

To enable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode for a specific interface, use the following command in the Interface Configuration mode:

eapol multihost [port <portlist>] [non-eap-use-radius-assigned-vlan]

RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode is disabled by default.

Variable definitions

The following table outlines the parameters for the eapol multihost [non-eap-use-radius-assigned-vlan] command in the Global Configuration mode:

Parameter                            Description
[non-eap-use-radius-assigned-vlan]   Globally enables RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode.

The following table outlines the parameters for the eapol multihost [port <portlist>] [non-eap-use-radius-assigned-vlan] command in the Interface Configuration mode:

Parameter                            Description
<portlist>                           Defines the port on which to enable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode. You can enter a single port, several ports or a range of ports.
[non-eap-use-radius-assigned-vlan]   Enables RADIUS-assigned VLAN use on the interface.

Disabling RADIUS-assigned VLAN for non-EAP MACs

To disable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode, use one of the following commands in the Global Configuration mode:

no eapol multihost [non-eap-use-radius-assigned-vlan]

OR

default eapol multihost [non-eap-use-radius-assigned-vlan]

RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode is disabled by default.


To disable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode for a specific interface, use the following command in the Interface Configuration mode:

no eapol multihost [port <portlist>] [non-eap-use-radius-assigned-vlan]

OR

default eapol multihost [non-eap-use-radius-assigned-vlan]

RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode is disabled by default.

Variable definitions

The following table outlines the parameters for the no eapol multihost [non-eap-use-radius-assigned-vlan] and default eapol multihost [non-eap-use-radius-assigned-vlan] commands in the Global Configuration mode:

Parameter                            Description
[non-eap-use-radius-assigned-vlan]   Globally disables RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode.

The following table outlines the parameters for the no eapol multihost [port <portlist>] [non-eap-use-radius-assigned-vlan] and default eapol multihost [non-eap-use-radius-assigned-vlan] commands in the Interface Configuration mode:

Parameter                            Description
<portlist>                           Defines the port on which to disable RADIUS-assigned VLAN use for non-EAP MACs in the MHMA mode. You can enter a single port, several ports or a range of ports.
[non-eap-use-radius-assigned-vlan]   Disables RADIUS-assigned VLAN use on the interface.

Specifying the maximum number of non EAPOL hosts allowed

To configure the maximum number of non EAPOL hosts allowed for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] non-eap-mac-max <value>

where

<portlist> is the list of ports to which you want the setting to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command sets the value for all ports on the interface.

<value> is an integer in the range 1–32 that specifies the maximum number of non EAPOL clients allowed on the port at one time. The default is 1.

ATTENTION
The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel recommends that the maximum allowed for each port be lower. Nortel recommends that the combined maximum be approximately 200 for each box and 800 for a stack.

Creating the allowed non EAPOL MAC address list

To specify the MAC addresses of non EAPOL hosts allowed on a specific port or on all ports on an interface, for local authentication, use the following command in Interface configuration mode:

eapol multihost non-eap-mac [port <portlist>] <H.H.H>

where

<portlist> is the list of ports on which you want to allow the specified non EAPOL hosts. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

<H.H.H> is the MAC address of the allowed non EAPOL host.
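Two places in this section take a MAC address as input in different shapes: the RADIUS password attribute for non-EAP MAC authentication (the MAC with no delimiters, 00:C0:C1:C2:C3:C4 entered as 00c0c1c2c3c4, as described under "Configuring the format of the RADIUS password attribute") and the <H.H.H> argument of the eapol multihost non-eap-mac command above. Inventory exports, show output and RADIUS user files rarely agree on delimiters or case, and a mismatch in the allowed list or the RADIUS password silently fails the host. The following Python is an added example, not Nortel code: it normalises MAC addresses from the common notations and produces both the password string the page describes and the dotted H.H.H form. The assumption that H.H.H means three dotted groups of four hex digits is the example's own (the page does not spell out the grouping), the sample inventory is constructed, and the password builder covers only the mac-addr-only format, since the page does not state how ip-addr or port-number are combined with it.

```python
"""MAC address normalisation for the non-EAP MAC inputs discussed above.
Added example, not Nortel code."""

import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return the 12 lowercase hex digits of a MAC address.

    Accepts the colon form shown in 'show' output, the hyphen form, the
    dotted H.H.H form, or a bare 12-digit string; anything else raises
    ValueError rather than producing a string that would never match.
    """
    digits = re.sub(r"[:\-.\s]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def to_hhh(mac):
    """Dotted H.H.H form for 'eapol multihost non-eap-mac [port <portlist>] <H.H.H>'.

    Assumption of this example: H.H.H means three dotted groups of four hex
    digits; the page does not spell out the grouping.
    """
    d = normalize_mac(mac)
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def radius_mac_password(mac):
    """Password string to store on the RADIUS server for a client when
    'eapol multihost non-eap-pwd-fmt mac-addr' is configured alone: the MAC
    with no delimiting characters, as the page's example shows
    (00:C0:C1:C2:C3:C4 -> 00c0c1c2c3c4)."""
    return normalize_mac(mac)


def validate_allowed_list(entries):
    """Normalise a candidate allowed-MAC list (for example an export from an
    asset inventory) before it is entered on the switch.

    Returns the sorted, de-duplicated H.H.H forms and the raw entries that
    are not valid MACs. Entries differing only in case or delimiter collapse
    to one, so the list entered on the switch has no accidental duplicates.
    """
    good, bad = set(), []
    for entry in entries:
        try:
            good.add(to_hhh(entry))
        except ValueError:
            bad.append(entry)
    return sorted(good), bad


# Constructed sample inventory export: one host listed twice in different
# notations, one dotted entry, and two entries that are not valid MACs.
SAMPLE_INVENTORY = [
    "00:C0:C1:C2:C3:C4",
    "00-c0-c1-c2-c3-c4",   # same host as the line above
    "00c0.c1c2.c3c7",
    "00:0A:E4:01:10:21",
    "not-a-mac",
    "00:C0:C1:C2:C3",      # one octet short
]

if __name__ == "__main__":
    ok, rejected = validate_allowed_list(SAMPLE_INVENTORY)
    print("allowed (H.H.H):", ok)
    print("rejected:", rejected)
    print("RADIUS password for 00:C0:C1:C2:C3:C4:", radius_mac_password("00:C0:C1:C2:C3:C4"))
```

Rejected entries are returned rather than dropped so that the inventory can be corrected; a silently skipped host is exactly the kind of gap that later shows up as an unexplained authentication failure on the port.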

Viewing non EAPOL host settings and activity

Various show commands allow you to view:

• global settings. For more information, see “Viewing global settings for non EAPOL hosts” (page 141).

• port settings. For more information, see “Viewing port settings for non EAPOL hosts” (page 141).

• allowed MAC addresses, for local authentication. For more information, see “Viewing allowed MAC addresses” (page 141).

• current non EAPOL hosts active on the switch. For more information, see “Viewing current non EAPOL host activity” (page 141).

• status in the Privilege Exec mode. For more information, see “show eapol multihost status command” (page 116).


Viewing global settings for non EAPOL hosts

To view global settings for non EAPOL hosts on EAPOL-enabled ports, use the following command in Privileged Exec, Global Configuration, or Interface configuration mode:

show eapol multihost

The display shows whether local and RADIUS authentication of non EAPOL clients is enabled or disabled.

Viewing port settings for non EAPOL hosts

To view non EAPOL support settings for each port, use the following command in Privileged Exec, Global Configuration, or Interface configuration mode:

show eapol multihost interface [<portlist>]

where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

For each port, the display shows whether local and RADIUS authentication of non EAPOL clients is enabled or disabled, and the maximum number of non EAPOL clients allowed at a time.

Viewing allowed MAC addresses

To view the MAC addresses of non EAPOL hosts allowed to access ports on an interface, use the following command in Privileged Exec, Global Configuration, or Interface configuration mode:

show eapol multihost non-eap-mac interface [<portlist>]

where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

The display lists the ports and the associated allowed MAC addresses.

Viewing current non EAPOL host activity

To view information about the non EAPOL hosts currently active, use the following command in Privileged Exec, Global Configuration, or Interface configuration mode:

show eapol multihost non-eap-mac status [<portlist>]


where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

The following example shows sample output for the command.

show eapol multihost non-eap-mac status
Unit/Port Client MAC Address           State
--------- ---------------------------- -----------------------
1/5       00:01:00:07:00:01            Authenticated By RADIUS
1/7       00:02:B3:BC:AF:6E            Authenticated By RADIUS
1/7       00:C0:C1:C2:C3:C4            Authenticated Locally
1/7       00:C0:C1:C2:C3:C7            Authenticated Locally
2/21      00:02:00:21:00:80            Authenticated By RADIUS
3/12      00:03:12:21:00:82            Auto-Learned For MHSA
3/15      00:0A:E4:01:10:21            Authenticated For IP Telephony
3/15      00:0A:E4:01:10:22            Authenticated For IP Telephony
---------------------------------------------------------------
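The status table above is the output an operator reviews to confirm which non EAPOL hosts a port has admitted and how each one was authenticated. The following script is an added example, not part of the Nortel documentation or the switch software: it parses that sample output, counts clients per port (to compare against the non-eap-mac-max setting), and reports any MAC shown as Authenticated Locally that is absent from the allowed list you expect to have built with eapol multihost non-eap-mac. The allowed list ALLOWED_LOCAL is a constructed assumption.

```python
"""Parse 'show eapol multihost non-eap-mac status' output and cross-check
it against the locally allowed MAC list.

Added example; not Nortel documentation or switch code.  The sample
output is the table printed in the manual; ALLOWED_LOCAL is a constructed
stand-in for what 'show eapol multihost non-eap-mac interface' would list.
"""
import re
from collections import Counter

# Sample output as printed in the manual (header and rule lines included).
SAMPLE_OUTPUT = """\
Unit/Port Client MAC Address           State
--------- ---------------------------- -----------------------
1/5       00:01:00:07:00:01            Authenticated By RADIUS
1/7       00:02:B3:BC:AF:6E            Authenticated By RADIUS
1/7       00:C0:C1:C2:C3:C4            Authenticated Locally
1/7       00:C0:C1:C2:C3:C7            Authenticated Locally
2/21      00:02:00:21:00:80            Authenticated By RADIUS
3/12      00:03:12:21:00:82            Auto-Learned For MHSA
3/15      00:0A:E4:01:10:21            Authenticated For IP Telephony
3/15      00:0A:E4:01:10:22            Authenticated For IP Telephony
"""

# Constructed allowed list (assumption): the entries an operator added with
# 'eapol multihost non-eap-mac port 1/7 <H.H.H>'.  ...C3:C7 is left out on
# purpose so the cross-check has something to report.
ALLOWED_LOCAL = {
    "1/7": {"00:C0:C1:C2:C3:C4"},
}

# One data row: unit/port, a colon-separated MAC, then the state text.
ROW_RE = re.compile(
    r"^(?P<port>\d+/\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<state>.+?)\s*$"
)


def parse_status(text):
    """Return (port, mac, state) tuples; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["port"], m["mac"].upper(), m["state"]))
    return rows


def clients_per_port(rows):
    """Active non EAPOL clients per port, to compare with non-eap-mac-max."""
    return Counter(port for port, _, _ in rows)


def state_summary(rows):
    """How many clients were admitted by each authentication path."""
    return Counter(state for _, _, state in rows)


def unexpected_local(rows, allowed):
    """MACs the switch reports as 'Authenticated Locally' that are not in
    the allowed list we expect to be configured on that port."""
    return [
        (port, mac)
        for port, mac, state in rows
        if state == "Authenticated Locally" and mac not in allowed.get(port, set())
    ]


if __name__ == "__main__":
    rows = parse_status(SAMPLE_OUTPUT)
    print("clients per port:", dict(clients_per_port(rows)))
    print("by state:", dict(state_summary(rows)))
    print("locally authenticated but not on the allowed list:",
          unexpected_local(rows, ALLOWED_LOCAL))
```

Run it against a saved copy of the real command output to confirm that every locally authenticated MAC is one you added deliberately and that no port is at its configured maximum.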

802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI

You can configure 802.1X dynamic authorization extension (RFC 3576) for a third party device to dynamically change VLANs on switches or close user sessions.

802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI navigation

• “Configuring 802.1X dynamic authorization extension (RFC 3576) using NNCLI” (page 143)

• “Disabling 802.1X dynamic authorization extension (RFC 3576) using NNCLI” (page 144)

• “Viewing 802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI” (page 145)

• “Viewing 802.1X dynamic authorization extension (RFC 3576) statistics using NNCLI” (page 145)

• “Enabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI” (page 146)


• “Disabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI” (page 147)

• “Enabling 802.1X dynamic authorization extension (RFC 3576) default on EAP ports using NNCLI” (page 148)

Configuring 802.1X dynamic authorization extension (RFC 3576) using NNCLI

Configure RADIUS dynamic authorization extension (802.1X RFC 3576) to enable the RADIUS server to send a change of authorization (CoA) or disconnect command to the Network Access Server (NAS).

Prerequisites

• Enable EAP globally and on each applicable port.

• Enable the dynamic authorization extensions commands globally and on each applicable port.

ATTENTION: Disconnect or CoA commands are ignored if the commands address a port on which the feature is not enabled.

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure RADIUS dynamic authorization extension by using the following command:

radius dynamic-server client <A.B.C.D> [secret] [port <1024-65535>] [enable] [process-disconnect-requests] [process-change-of-auth-requests]

--End--

Variable definitions

The following table defines parameters that you enter with the radius dynamic-server client <A.B.C.D> [secret] [port <1024-65535>] [enable] [process-disconnect-requests] [process-change-of-auth-requests] command.


Variable Value

<A.B.C.D> Adds a new RADIUS dynamic authorization client or changes the configuration of an existing RADIUS dynamic authorization client. <A.B.C.D> is an IP address.

enable Enables packet receiving from the RADIUS Dynamic Authorization Client.

port Configures the server and NAS UDP port to listen for requests from the RADIUS Dynamic Authorization Client. Values range from 1024 to 65535.

process-change-of-auth-requests Enables change of authorization (CoA) request processing.

process-disconnect-requests Enables disconnect request processing.

secret Configures the RADIUS Dynamic Authorization Client secret word.

Disabling 802.1X dynamic authorization extension (RFC 3576) using NNCLI

Disable RADIUS dynamic authorization extension (802.1X RFC 3576) to prevent the RADIUS server from sending a change of authorization (CoA) or disconnect command to the Network Access Server (NAS).

Procedure steps

Step Action

1 Disable RADIUS dynamic authorization extension by using the following command:

no radius dynamic-server client <A.B.C.D> enable

--End--

Variable definitions

The following table defines variable parameters that you enter with the no radius dynamic-server client <A.B.C.D> enable command.


Variable Value

<A.B.C.D> Adds a new RADIUS dynamic authorization client or changes the configuration of an existing RADIUS dynamic authorization client. <A.B.C.D> is an IP address.

Viewing 802.1X dynamic authorization extension (RFC 3576) configuration using NNCLI

View RADIUS dynamic authorization client configuration to display and confirm the configuration of RADIUS dynamic authorization client parameters.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 View the RADIUS dynamic authorization client configuration by using the following command:

show radius dynamic-server client <A.B.C.D>

--End--

Variable definitions

The following table defines parameters that you enter with the show radius dynamic-server client <A.B.C.D> command.

Variable Value

<A.B.C.D> Identifies the IP address of the RADIUS dynamic authorization client.

Viewing 802.1X dynamic authorization extension (RFC 3576) statistics using NNCLI

View RADIUS dynamic authorization client statistics to display RADIUS dynamic authorization client statistical information.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.


Procedure steps

Step Action

1 View the RADIUS dynamic authorization client statistics by using the following command:

show radius dynamic-server statistics client <A.B.C.D>

--End--

Variable definitions

The following table defines parameters that you enter with the show radius dynamic-server statistics client <A.B.C.D> command.

Variable Value

<A.B.C.D> Identifies the IP address of the RADIUS dynamic authorization client.

Enabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI

Enable 802.1X dynamic authorization extension (RFC 3576) on EAP ports for the ports to process CoA and disconnect requests from the RADIUS server.

Prerequisites

• Log on to the Interface Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable 802.1X dynamic authorization extension (RFC 3576) on an EAP port by using the following command:

eapol radius-dynamic-server enable

2 Enable 802.1X dynamic authorization extension (RFC 3576) on a specific EAP port or a list of EAP ports by using the following command:

eapol port <LINE> radius-dynamic-server enable

--End--


Variable definitions

The following table defines variable parameters that you enter with the eapol port <LINE> radius-dynamic-server enable command.

Variable Value

<LINE> Indicates an individual port or list of ports.
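The configuration procedure on page 143 and the per-port enable above together decide whether a CoA or disconnect request from the RADIUS server is honoured. The script below is an added example, not Nortel code: it audits a constructed configuration extract for those settings, validating each radius dynamic-server client line (IPv4 address, port within 1024 to 65535, enable, at least one process-* flag, secret) and, following the ATTENTION note, listing EAP ports that lack eapol port <LINE> radius-dynamic-server enable. Assumptions: port lists are written as u/p, u/p-u/q within one unit, or ALL; the secret value does not appear in the extract; and UDP 3799 is used for the client port because RFC 3576 specifies it, which the manual does not state (it gives only the range).

```python
"""Audit an NNCLI configuration extract for the RFC 3576 dynamic
authorization settings described in this section.

Added example, not Nortel code or output.  Assumptions: port lists use
'u/p', 'u/p-u/q' (same unit) or ALL; the extract shows the 'secret'
keyword without its value; 3799 is the CoA port RFC 3576 specifies (the
manual only gives the range 1024 to 65535).
"""
import ipaddress
import re

# Constructed running-config extract: one well-formed client, one that is
# misconfigured, and a per-port enable that misses one EAP port.
CONFIG = """\
radius dynamic-server client 192.0.2.10 secret port 3799 enable process-disconnect-requests process-change-of-auth-requests
radius dynamic-server client 192.0.2.11 secret port 80 process-disconnect-requests
eapol port 1/1-1/4 radius-dynamic-server enable
"""

# EAP-enabled ports on which the operator expects CoA/disconnect to work (constructed).
EAP_PORTS = {"1/1", "1/2", "1/3", "1/4", "1/7"}

CLIENT_RE = re.compile(r"^radius dynamic-server client (\S+)(.*)$")
PORT_RE = re.compile(r"^eapol port (\S+) radius-dynamic-server enable$")
PROCESS_FLAGS = {"process-disconnect-requests", "process-change-of-auth-requests"}


def expand_portlist(spec, all_ports):
    """Expand '1/1-1/4,1/7' or ALL into a set of 'unit/port' strings."""
    if spec.upper() == "ALL":
        return set(all_ports)
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            unit, start = lo.split("/")
            unit2, end = hi.split("/")
            if unit != unit2:
                raise ValueError("range must stay within one unit: " + item)
            ports.update(f"{unit}/{p}" for p in range(int(start), int(end) + 1))
        else:
            ports.add(item)
    return ports


def audit_client(line):
    """Findings for one 'radius dynamic-server client A.B.C.D ...' line."""
    m = CLIENT_RE.match(line)
    if not m:
        return []
    addr, tokens = m.group(1), m.group(2).split()
    findings = []
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        findings.append(f"{addr}: not an IPv4 address (A.B.C.D expected)")
    if "port" in tokens:
        i = tokens.index("port")
        port = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i + 1].isdigit() else -1
        if not 1024 <= port <= 65535:
            findings.append(f"{addr}: port {port} outside 1024-65535")
    if "enable" not in tokens:
        findings.append(f"{addr}: client not enabled, its requests are not received")
    if not PROCESS_FLAGS & set(tokens):
        findings.append(f"{addr}: neither CoA nor disconnect processing enabled")
    if "secret" not in tokens:
        findings.append(f"{addr}: no shared secret configured")
    return findings


def audit(config, eap_ports):
    """Run the client checks and the per-port check over the whole extract."""
    findings = []
    enabled_ports = set()
    for line in config.splitlines():
        line = line.strip()
        findings.extend(audit_client(line))
        m = PORT_RE.match(line)
        if m:
            enabled_ports |= expand_portlist(m.group(1), eap_ports)
    # The manual's ATTENTION: CoA/disconnect addressed to a port without the
    # feature enabled is ignored, so every EAP port needs the per-port enable.
    for port in sorted(eap_ports - enabled_ports):
        findings.append(f"port {port}: radius-dynamic-server not enabled, CoA/disconnect ignored")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG, EAP_PORTS):
        print(finding)
```

Feed it the relevant lines of the running configuration and the set of ports on which EAP is enabled; an empty result means every client is complete and every EAP port will act on CoA and disconnect requests.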

Disabling 802.1X dynamic authorization extension (RFC 3576) on EAP ports using NNCLI

Disable 802.1X dynamic authorization extension (RFC 3576) on EAP ports to stop the ports from processing CoA and disconnect requests from the RADIUS server.

Prerequisites

• Log on to the Interface Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable 802.1X dynamic authorization extension (RFC 3576) on an EAP port by using the following command:

no eapol radius-dynamic-server enable

2 Disable 802.1X dynamic authorization extension (RFC 3576) on a specific EAP port or a list of EAP ports by using the following command:

no eapol port <LINE> radius-dynamic-server enable

--End--

Variable definitions

The following table defines variable parameters that you enter with the no eapol port <LINE> radius-dynamic-server enable command.

Variable Value

<LINE> Indicates an individual port or list of ports.


Enabling 802.1X dynamic authorization extension (RFC 3576) default on EAP ports using NNCLI

Enable 802.1X dynamic authorization extension (RFC 3576) default on EAP ports to return the ports to the default configuration for processing CoA and disconnect requests from the RADIUS server.

Prerequisites

• Log on to the Interface Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable 802.1X dynamic authorization extension (RFC 3576) default on an EAP port by using the following command:

default eapol radius-dynamic-server enable

2 Enable 802.1X dynamic authorization extension (RFC 3576) default on a specific EAP port or a list of EAP ports by using the following command:

default eapol port <LINE> radius-dynamic-server enable

--End--

Variable definitions

The following table defines variable parameters that you enter with the default eapol port <LINE> radius-dynamic-server enable command.

Variable Value

<LINE> Indicates an individual port or list of ports.

Configuring Wake on LAN with simultaneous 802.1X Authentication using NNCLI

Authenticate 802.1X and Wake on LAN simultaneously by changing the 802.1X port configuration control.

Prerequisites

• Configure the primary RADIUS server

• Configure the shared secret

• Enable EAPOL


Procedure steps

Step Action

1 Enter the Interface Configuration mode.

2 Enable the EAPOL administrative state by using the following command:

eapol port #/# traffic-control in

--End--

Variable Definitions

The following table defines variable parameters that you enter with the eapol port #/# traffic-control in command.

Variable Definition

# (first) represents the unit number

# (second) represents the port number

Job aid

To verify the EAPOL administrative state, use the following command:

show eapol port #/#

Following are two samples of show eapol port #/# command output. In the first, the EAPOL administrative state is enabled and Wake on LAN is available; in the second, the state is disabled and there is no Wake on LAN.

EAPOL administrative state enabled (Wake on LAN available):

4526FX(config-if)#show eapol port 1/1
EAPOL Administrative State: Enabled
Unit/Port: 1/1
Admin Status: Auto
Auth: No
Admin Dir: In
Oper Dir: In
ReAuth Enable: No
ReAuth Period: 3600
Quiet Period: 60
Xmit Period: 30
Supplic Timeout: 30
Server Timeout: 30
Max Req: 2
RDS DSE: No

EAPOL administrative state disabled (no Wake on LAN):

4526FX(config-if)#show eapol port 1/1
EAPOL Administrative State: Disabled
Unit/Port: 1/1
Admin Status: Auto
Auth: Yes
Admin Dir: In
Oper Dir: In
ReAuth Enable: No
ReAuth Period: 3600
Quiet Period: 60
Xmit Period: 30
Supplic Timeout: 30
Server Timeout: 30
Max Req: 2
RDS DSE: No


Enabling Nortel IP Phone clients on an EAP-enabled port

Enable this feature to allow a Nortel IP Phone client and an EAP PC to exist together on a port. To enable Nortel IP Phone clients on an EAP-enabled port, do the following:

1. Ensure that:

— EAP is enabled globally and locally (on the desired interface ports). (See “Configuring EAPOL security” (page 113)).

— Multihost is enabled on the desired ports. (See “Configuring multihost support” (page 129)).

— NonEAP is enabled globally and locally (on the desired interface ports). (See “Configuring support for non-EAPOL hosts on EAPOL-enabled ports” (page 134)).

— Filtering is enabled (to capture DHCP packets and to look for the Nortel Phone Signature).

ATTENTION: Nortel recommends that the following two features not be enabled at the same time:

– Guest VLAN. This is to ensure that the Call server and VoIP information packets the phone receives from the DHCP server are sent on the configured VLAN, so correct information (such as the IP address) is obtained.

– EAP at the phone.

2. Enable Nortel IP Phone clients globally on the switch. (See “Globally enabling Nortel IP Phone clients as a non-EAP type” (page 150)).

3. Enable Nortel IP Phone clients locally or for specific ports on the interface. (See “Enabling Nortel IP Phone clients in the interface mode” (page 151)).

4. Specify the maximum number of non EAPOL MAC addresses allowed: the maximum number allowed is 32.

Globally enabling Nortel IP Phone clients as a non-EAP type

To globally enable Nortel IP Phone clients as a non-EAP type, use the following command in the Global Configuration mode:

eapol multihost {[non-eap-phone-enable]}

The following table outlines the parameters for this command.


Table 47 eapol multihost non-eap-phone-enable parameters

Parameter Description

non-eap-phone-enable globally enables Nortel IP Phone clients as a non-EAP type.

To globally disable Nortel IP Phone clients as a non-EAP type, use one of the following commands in the Global Configuration mode:

no eapol multihost {[non-eap-phone-enable]}

or

default eapol multihost {[non-eap-phone-enable]}

The following tables outline the parameters for the no and default versions of this command respectively:

Table 48 no eapol multihost non-eap-phone-enable parameters

Parameter Description

non-eap-phone-enable globally disables Nortel IP Phone clients as a non-EAP type.

Table 49 default eapol multihost non-eap-phone-enable parameters

Parameter Description

non-eap-phone-enable globally sets the default (disable) for Nortel IP Phone clients as a non-EAP type.

Enabling Nortel IP Phone clients in the interface mode

To enable Nortel IP Phone clients in the interface mode, use the following command:

eapol multihost [port <portlist>] [non-eap-phone-enable]

Table 50 eapol multihost non-eap-phone-enable parameters: Interface mode

Parameter Description

<portlist> the port or ports on which you want Nortel IP Phone clients enabled as a non-EAP type. You can enter a single port, several ports or a range of ports.

non-eap-phone-enable enables Nortel IP Phone clients as a non-EAP type, on the desired port or ports.

To disable Nortel IP Phone clients in the interface mode, use one of the following commands:


no eapol multihost [port <portlist>] [non-eap-phone-enable]

or

default eapol multihost [port <portlist>] [non-eap-phone-enable]

The following tables outline the parameters for the no and default versions of this command respectively:

Table 51 no eapol multihost non-eap-phone-enable parameters: Interface mode

Parameter Description

<portlist> the port or ports on which you want Nortel IP Phone clients disabled as a non-EAP type. You can enter a single port, several ports or a range of ports.

non-eap-phone-enable disables Nortel IP Phone clients as a non-EAP type, on the desired port or ports.

Table 52 default eapol multihost non-eap-phone-enable parameters: Interface mode

Parameter Description

<portlist> the port or ports on which you want the defaults for Nortel IP Phone clients set. You can enter a single port, several ports or a range of ports.

non-eap-phone-enable sets the default (disable) for Nortel IP Phone clients, on the desired port or ports.

Configuring MHSA

To configure MHSA support, do the following:

1. Ensure that:


a. EAPOL is enabled globally and locally (for the desired interface ports). For more information, see “Configuring EAPOL security” (page 113).

b. the desired ports have been enabled for multihost mode. For more information, see “Configuring multihost support” (page 129).

c. guest VLAN is disabled locally (for the desired interface ports). For more information, see “Configuring guest VLANs” (page 122).

2. Enable MHSA globally on the switch. For more information, see “Globally enabling support for MHSA” (page 153).

3. Configure MHSA settings for the interface or for specific ports on the interface. For more information, see “Configuring interface and port settings for MHSA” (page 153).

a. Enable MHSA support.

b. Specify the maximum number of non EAPOL MAC addresses allowed.

By default, MHSA support on EAP-enabled ports is disabled.

Globally enabling support for MHSA

To enable support for MHSA globally, use the following command in Global Configuration mode:

eapol multihost auto-non-eap-mhsa-enable

To discontinue support for MHSA globally, use one of the following commands in Global Configuration mode:

no eapol multihost auto-non-eap-mhsa-enable

default eapol multihost auto-non-eap-mhsa-enable

Configuring interface and port settings for MHSA

To configure MHSA settings for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>]

where

<portlist> is the list of ports to which you want the settings to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies the settings to all ports on the interface.

This command includes the following parameters for configuring MHSA:


eapol multihost [port <portlist>]

followed by:

auto-non-eap-mhsa-enable

Enables MHSA on the port. The default is disabled. To disable MHSA, use the no or default keywords at the start of the command.

non-eap-mac-max <value>

Sets the maximum number of non EAPOL clients allowed on the port at one time. <value> is an integer in the range 1 to 32. The default is 1.

ATTENTION: The configurable maximum number of non EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.

Viewing MHSA settings and activity

For more information about the commands to view MHSA settings and non EAPOL host activity, see “Viewing non EAPOL host settings and activity” (page 140).

Setting SNMP v1, v2c, v3 Parameters

Earlier software releases used a proprietary method for configuring SNMP communities and trap destinations. This SNMPv1 configuration included up to four trap destinations and associated community strings, which can be configured using SNMP Set requests on the s5AgTrpRcvrTable.

With the support for SNMPv3, you can configure SNMP using the new standards-based method of configuring SNMP communities, users, groups, views, and trap destinations.

The switch also supports the previous proprietary SNMP configuration methods for backward compatibility.

All the configuration data configured in the proprietary method is mapped into the SNMPv3 tables as read-only table entries. In the new standards-based SNMPv3 method of configuring SNMP, all processes are configured and controlled through the SNMPv3 MIBs. The Command Line Interface commands change or display the single read-only community, read-write community, or four trap destinations of the proprietary method of configuring SNMP. Otherwise, the commands change or display SNMPv3 MIB data.

The software supports MD5 and SHA authentication, as well as AES, DES, and 3DES encryption.

The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities. SNMPv3 support introduces high security user authentication and message security. This includes MD5 and SHA-based user authentication and message integrity verification, as well as AES-, DES-, and 3DES-based privacy encryption. Export restrictions on SHA and DES necessitate support for domestic and non domestic executable images or defaulting to no encryption for all customers.

The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1, v2, or v3), the system formats the traps in the v1 format. A community string can be entered if the system requires one.

SNMPv3 table entries stored in NVRAM

The number of nonvolatile entries (entries stored in NVRAM) allowed in each SNMPv3 table is shown in the following list. The system does not allow you to create more entries marked nonvolatile when you reach these limits:

• snmpCommunityTable: 20

• vacmViewTreeFamilyTable: 60

• vacmSecurityToGroupTable: 40

• vacmAccessTable: 40

• usmUserTable: 20

• snmpNotifyTable: 20

• snmpTargetAddrTable: 20

• snmpTargetParamsTable: 20

Configuring SNMP using NNCLI

Use the following commands to configure and manage SNMP:

• “show snmp-server command” (page 156)

• “snmp-server authentication-trap command” (page 157)

• “no snmp-server authentication-trap command” (page 157)

• “default snmp-server authentication-trap command” (page 158)


• “snmp-server community for read or write command” (page 158)

• “snmp-server community command” (page 159)

• “no snmp-server community command” (page 160)

• “default snmp-server community command” (page 161)

• “snmp-server contact command” (page 162)

• “no snmp-server contact command” (page 162)

• “default snmp-server contact command” (page 162)

• “snmp-server command” (page 162)

• “no snmp-server command” (page 163)

• “snmp-server host command” (page 163)

• “no snmp-server host command” (page 165)

• “default snmp-server host command” (page 166)

• “snmp-server location command” (page 167)

• “no snmp-server location command” (page 167)

• “default snmp-server location command” (page 167)

• “snmp-server name command” (page 168)

• “no snmp-server name command” (page 168)

• “default snmp-server name command” (page 168)

• “Enabling SNMP server notification control” (page 168)

• “Disabling snmp-server notification control” (page 169)

• “Setting SNMP server control to default” (page 169)

• “Viewing SNMP server notification” (page 170)

• “snmp-server user command” (page 170)

• “no snmp-server user command” (page 172)

• “snmp-server view command” (page 173)

• “no snmp-server view command” (page 174)

• “snmp-server bootstrap command” (page 176)

show snmp-server command

The show snmp-server command displays the SNMP configuration.

The syntax for the show snmp-server command is

show snmp-server {community|host|user|view}


The show snmp-server command is executed in the Privileged EXEC command mode.

Table 53 "show snmp-server command parameters and variables" (page 157) describes the parameters and variables for the show snmp-server command.

Table 53 show snmp-server command parameters and variables

Parameters and variables Description

community Displays SNMP community strings.

host Displays the trap receivers configured in the SNMPv3 MIBs.

user Displays the SNMPv3 users, including views accessible to each user.

view Displays SNMPv3 views.

snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generation of SNMP authentication failure traps.

The syntax for the snmp-server authentication-trap command is

snmp-server authentication-trap {enable|disable}

The snmp-server authentication-trap command is executed in the Global Configuration command mode.

Table 54 "snmp-server authentication-trap command parameters and variables" (page 157) describes the parameters and variables for the snmp-server authentication-trap command.

Table 54 snmp-server authentication-trap command parameters and variables

Parameters and variables Description

enable|disable Enables or disables the generation of authentication failure traps.

no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables generation of SNMP authentication failure traps.


The syntax for the no snmp-server authentication-trap command is

no snmp-server authentication-trap

The no snmp-server authentication-trap command is executed in the Global Configuration command mode.

default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores the SNMP authentication trap configuration to the default settings.

The syntax for the default snmp-server authentication-trap command is

default snmp-server authentication-trap

The default snmp-server authentication-trap command is executed in the Global Configuration command mode.

snmp-server community for read or write command

This command configures a single read-only or a single read-write community. A community configured using this command does not have access to the SNMPv3 MIBs. These community strings have a fixed MIB view.

The snmp-server community command for read/write modifies the community strings for SNMPv1 and SNMPv2c access.

The syntax for the snmp-server community for read/write command is

snmp-server community [word {notify-view|read-view|ro|rw|write-view}]

The snmp-server community for read/write command is executed in the Global Configuration command mode.

Table 55 "snmp-server community for read/write command" (page 159) describes the parameters and variables for the snmp-server community for read/write command.


Table 55 snmp-server community for read/write command

Parameters and variables Description

word [notify-view|read-view|ro|rw|write-view] The following list describes the snmp-server community parameters:

• notify-view specifies the notify (trap) access view name.

• read-view specifies the read access view name.

• ro specifies read-only access with this community string.

• rw specifies read-write access with this community string.

• write-view specifies the write-access view name.

ATTENTION: Stations with ro access can retrieve MIB objects, and stations with rw access can retrieve and modify MIB objects. If neither ro nor rw is specified, ro is assumed (default).

snmp-server community command

The snmp-server community command allows you to create community strings with varying levels of read, write, and notification access based on SNMPv3 views. These community strings are separate from those created using the snmp-server community for read/write command.

This command affects community strings stored in the SNMPv3 snmpCommunityTable, which allows several community strings to be created. These community strings can have any MIB view.

The syntax for the snmp-server community command is

snmp-server community {read-view <view-name>|write-view <view-name>|notify-view <view-name>}

The snmp-server community command is executed in the Global Configuration command mode.

Table 56 "snmp-server community command parameters and variables" (page 160) describes the parameters and variables for the snmp-server community command.


Table 56 snmp-server community command parameters and variables

Parameters and variables / Description

read-view <view-name>
  Changes the read view used by the new community string for different types of SNMP operations.
  view-name: specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

write-view <view-name>
  Changes the write view used by the new community string for different types of SNMP operations.
  view-name: specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

notify-view <view-name>
  Changes the notify view settings used by the new community string for different types of SNMP operations.
  view-name: specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

no snmp-server community command

The no snmp-server community command clears the snmp-server community configuration.

The syntax for the no snmp-server community command is

no snmp-server community {ro|rw|<community-string>}

The no snmp-server community command is executed in the Global Configuration command mode.

If you do not specify a read-only or read-write community parameter, all community strings are removed, including all the communities controlled by the snmp-server community command and the snmp-server community for read-write command.


If you specify read-only or read-write, then just the read-only or read-write community is removed. If you specify the name of a community string, then the community string with that name is removed.

Table 57 "no snmp-server community command parameters and variables" (page 161) describes the parameters and variables for the no snmp-server community command.

Table 57 no snmp-server community command parameters and variables

Parameters and variables / Description

ro|rw|<community-string>
  Changes the settings for SNMP:
  • ro|rw: sets the specified old-style community string value to NONE, thereby disabling it.
  • community-string: deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).

default snmp-server community command

The default snmp-server community command restores the community string configuration to the default settings.

The syntax for the default snmp-server community command is

default snmp-server community [ro|rw]

The default snmp-server community command is executed in the Global Configuration command mode.

If the read-only or read-write parameter is omitted from the command, then all communities are restored to their default settings. The read-only community is set to Public, the read-write community is set to Private, and all other communities are deleted.

Table 58 "default snmp-server community command parameters and variables" (page 161) describes the parameters and variables for the default snmp-server community command.

Table 58 default snmp-server community command parameters and variables

Parameters and variables / Description

ro|rw
  Restores the read-only community to Public, or the read-write community to Private.


snmp-server contact command

The snmp-server contact command configures the SNMP sysContact value.

The syntax for the snmp-server contact command is

snmp-server contact <text>

The snmp-server contact command is executed in the Global Configuration command mode.

Table 59 "snmp-server contact command parameters and variables" (page 162) describes the parameters and variables for the snmp-server contact command.

Table 59 snmp-server contact command parameters and variables

Parameters and variables / Description

text
  Specifies the SNMP sysContact value.

no snmp-server contact command

The no snmp-server contact command clears the sysContact value.

The syntax for the no snmp-server contact command is

no snmp-server contact

The no snmp-server contact command is executed in the Global Configuration command mode.

default snmp-server contact command

The default snmp-server contact command restores sysContact to the default value.

The syntax for the default snmp-server contact command is

default snmp-server contact

The default snmp-server contact command is executed in the Global Configuration command mode.

snmp-server command

The snmp-server command enables or disables the SNMP server.

The syntax for the snmp-server command is

snmp-server {enable|disable}


The snmp-server command is executed in the Global Configuration command mode.

Table 60 "snmp-server command parameters and variables" (page 163) describes the parameters and variables for the snmp-server command.

Table 60 snmp-server command parameters and variables

Parameters and variables / Description

enable | disable
  Enables or disables the SNMP server.

no snmp-server command

The no snmp-server command disables SNMP access.

The syntax for the no snmp-server command is

no snmp-server

The no snmp-server command is executed in the Global Configuration command mode.

The no snmp-server command has no parameters or variables.

ATTENTION: If you disable SNMP access you cannot use Device Manager for the switch.

snmp-server host command

The snmp-server host command adds a trap receiver to the trap-receiver table.

In the proprietary method, the table has a maximum of four entries, and these entries can generate only SNMPv1 traps. This command controls the contents of the s5AgTrpRcvrTable.

The proprietary method syntax for the snmp-server host command is

snmp-server host <host-ip> <community-string>

Using the new standards-based SNMP method, you can create several entries in this table, and each can generate v1, v2c, or v3 traps.

ATTENTION: Before using the desired community string or user in this command, ensure that it has been configured with a notify-view.


The new standards-based method syntax for the snmp-server host command is

snmp-server host <host-ip> [port <trap-port>] {v1 <community-string> | v2c <community-string> {inform [timeout <1-2147483647>] [retries <0-255>]} | v3 {auth|no-auth|auth-priv} <username>} {inform [timeout <1-2147483647>] [retries <0-255>]}

The snmp-server host command is executed in the Global Configuration command mode.

Table 61 "snmp-server host command parameters and variables" (page 164) describes the parameters and variables for the snmp-server host command.

Table 61 snmp-server host command parameters and variables

Parameters and variables / Description

host-ip
  Enter a dotted-decimal IP address of a host to be the trap destination.

community-string
  If you are using the proprietary method for SNMP, enter a community string that works as a password and permits access to the SNMP protocol.

port <trap-port>
  If you are using the new standards-based tables, enter a value from 1 to 65535 for the SNMP trap port.

v1 <community-string>
  To configure the new standards-based tables, using v1 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created.

v2c <community-string>
  To configure the new standards-based tables, using v2c creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created.

v3 {auth|no-auth|auth-priv}
  To configure the new standards-based tables, using v3 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created. The variables are:
  • auth: specifies that SNMPv3 traps are sent using authentication and no privacy.
  • no-auth: specifies that SNMPv3 traps are sent using no authentication and no privacy.
  • auth-priv: specifies that traps are sent using authentication and privacy; this parameter is available only if the image has full SHA/DES support.

username
  To configure the new standards-based tables; specifies the SNMPv3 user name for the trap destination; enter an alphanumeric string.

{inform [timeout <1-2147483647>] [retries <0-255>]}
  Generates acknowledged Inform requests.

no snmp-server host command

The no snmp-server host command deletes trap receivers from the table.

The proprietary method syntax for the no snmp-server host command is

no snmp-server host [<host-ip> [<community-string>]]

Using the standards-based method of configuring SNMP, trap receivers matching the IP address and SNMP version are deleted.

The standards-based method syntax for the no snmp-server host command is

no snmp-server host <host-ip> [port <trap-port>] {v1|v2c|v3 <community-string>}

The no snmp-server host command is executed in the Global Configuration command mode.

If you do not specify parameters, this command deletes all trap destinations from the s5AgTrpRcvrTable and from SNMPv3 tables.

Table 62 "no snmp-server host command parameters and variables" (page 166) describes the parameters and variables for the no snmp-server host command.


Table 62 no snmp-server host command parameters and variables

Parameters and variables / Description

<host-ip> [<community-string>]
  In the proprietary method, enter the following variables:
  • host-ip: the IP address of a trap destination host.
  • community-string: the community string that works as a password and permits access to the SNMP protocol.
  If both parameters are omitted, nothing is cleared. If a host IP is included, the community-string is required or an error is reported.

<host-ip>
  Using the standards-based method, enter the IP address of a trap destination host.

port <trap-port>
  Using the standards-based method, enter the SNMP trap port.

v1 | v2c | v3 <community-string>
  Using the standards-based method, specifies trap receivers in the SNMPv3 MIBs.
  <community-string>: the community string that works as a password and permits access to the SNMP protocol.

default snmp-server host command

The default snmp-server host command restores the old-style SNMP server, and the standards-based tables are reset (cleared).

The syntax for the default snmp-server host command is

default snmp-server host

The default snmp-server host command is executed in the Global Configuration command mode.

The default snmp-server host command has no parameters or variables.

default snmp-server port command

The default snmp-server port command restores the configured port of all trap receivers to the default port used for listening for traps. The default port is 162.

The syntax for the default snmp-server port command is

default snmp-server port


The default snmp-server port command is executed in the Global Configuration command mode.

The default snmp-server port command has no parameters or variables.

snmp-server location command

The snmp-server location command configures the SNMP sysLocation value.

The syntax for the snmp-server location command is

snmp-server location <text>

The snmp-server location command is executed in the Global Configuration command mode.

Table 63 "snmp-server location command parameters and variables" (page 167) describes the parameters and variables for the snmp-server location command.

Table 63 snmp-server location command parameters and variables

Parameters / Description

text
  Specify the SNMP sysLocation value; enter an alphanumeric string of up to 255 characters.

no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value.

The syntax for the no snmp-server location command is

no snmp-server location

The no snmp-server location command is executed in the Global Configuration command mode.

default snmp-server location command

The default snmp-server location command restores sysLocation to the default value.

The syntax for the default snmp-server location command is

default snmp-server location

The default snmp-server location command is executed in the Global Configuration command mode.


snmp-server name command

The snmp-server name command configures the SNMP sysName value.

The syntax for the snmp-server name command is

snmp-server name <text>

The snmp-server name command is executed in the Global Configuration command mode.

Table 64 "snmp-server name command parameters and variables" (page 168) describes the parameters and variables for the snmp-server name command.

Table 64 snmp-server name command parameters and variables

Parameters and variables / Description

text
  Specify the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
  Note: On the console, the SNMP server name is truncated. On the Web interface, the full SNMP server name appears.

no snmp-server name command

The no snmp-server name command clears the SNMP sysName value.

The syntax for the no snmp-server name command is

no snmp-server name

The no snmp-server name command is executed in the Global Configuration command mode.

default snmp-server name command

The default snmp-server name command restores sysName to the default value.

The syntax for the default snmp-server name command is

default snmp-server name

The default snmp-server name command is executed in the Global Configuration command mode.

Enabling SNMP server notification control

Perform this procedure to enable SNMP server notification control.


Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable the SNMP server notification control by using the following command: snmp-server notification-control <WORD>

--End--

Disabling snmp-server notification control

Perform this procedure to disable SNMP server notification control.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable the SNMP server notification control by using the following command: no snmp-server notification-control <WORD>

--End--

Setting SNMP server control to default

Perform this procedure to set SNMP server control to default.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.


Procedure steps

Step Action

1 Set the SNMP server notification control to default by using the following command: default snmp-server notification-control <WORD>

--End--

Viewing SNMP server notification

Perform this procedure to display SNMP server notification.

Prerequisites

• Log on to the PrivExecutive mode in NNCLI.

Procedure steps

Step Action

1 Display the SNMP server notification control by using the following command: show snmp-server notification-control

--End--

Variable definitions

The following table defines variables you can use with the snmp-server notification-control <WORD>, no snmp-server notification-control <WORD>, default snmp-server notification-control <WORD>, and show snmp-server notification-control commands.

Variable / Value

<WORD>
  Is the SNMP description or the OID of a supported notification type.

snmp-server user command

The snmp-server user command creates an SNMPv3 user.


For each user, you can create three sets of read/write/notify views:

• for unauthenticated access

• for authenticated access

• for authenticated and encrypted access

The syntax for the snmp-server user command for unauthenticated access is:

snmp-server user [engine-id <engine-id>] <username> [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]

The syntax for the snmp-server user command for authenticated access is:

snmp-server user <username> [[read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]] md5|sha <password> [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]

The syntax for the snmp-server user command for authenticated and encrypted access is:

snmp-server user <username> [[read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]] md5|sha <password> [[read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]] {3des|aes|des} <password> [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]

The snmp-server user command is executed in the Global Configuration command mode.

The sha and 3des/aes/des parameters are only available if the switch/stack image has SSH support.

For authenticated access, you must specify the md5 or sha parameter. For authenticated and encrypted access, you must also specify the 3des, aes, or des parameter.

For each level of access, you can specify read, write, and notify views. If you do not specify view parameters for authenticated access, the user will have access to the views specified for unauthenticated access. If you do not specify view parameters for encrypted access, the user will have access to the views specified for authenticated access or, if no authenticated views were specified, the user will have access to the views specified for unauthenticated access.

Table 65 "snmp-server user parameters" (page 172) describes the parameters and variables for the snmp-server user command.


Table 65 snmp-server user parameters

Parameters / Description

username
  Specifies the user name. Enter an alphanumeric string of up to 255 characters.

md5 <password>
  Specifies the use of an md5 password. <password> specifies the new user md5 password; enter an alphanumeric string. If this parameter is omitted, the user is created with only unauthenticated access rights.

read-view <view-name>
  Specifies the read view to which the new user has access.
  • view-name: specifies the view name; enter an alphanumeric string of up to 255 characters.

write-view <view-name>
  Specifies the write view to which the new user has access.
  • view-name: specifies the view name; enter an alphanumeric string that can contain at least some of the non-alphanumeric characters.

notify-view <view-name>
  Specifies the notify view to which the new user has access.
  • view-name: specifies the view name; enter an alphanumeric string that can contain at least some of the non-alphanumeric characters.

SHA
  Specifies SHA authentication.

3DES
  Specifies 3DES privacy encryption.

AES
  Specifies AES privacy encryption.

DES
  Specifies DES privacy encryption.

engine-id
  Specifies the SNMP engine ID of the remote SNMP entity.

ATTENTION: If a view parameter is omitted from the command, that view type cannot be accessed.

no snmp-server user command

The no snmp-server user command deletes the specified user.

The syntax for the no snmp-server user command is

no snmp-server user [engine-id <engine ID>] <username>


The no snmp-server user command is executed in the Global Configuration command mode.

Table 66 "no snmp-server user command parameters and variables" (page 173) describes the parameters and variables for the no snmp-server user command.

Table 66 no snmp-server user command parameters and variables

Parameters and variables / Description

[engine-id <engine ID>]
  Specifies the SNMP engine ID of the remote SNMP entity.

username
  Specifies the user to be removed.

snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object instances that can be accessed.

The syntax for the snmp-server view command is

snmp-server view <view-name> <OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]]

The snmp-server view command is executed in the Global Configuration command mode.

Table 67 "snmp-server view command parameters and variables" (page 173) describes the parameters and variables for the snmp-server view command.

Table 67 snmp-server view command parameters and variables

Parameters and variables / Description

viewname
  Specifies the name of the new view; enter an alphanumeric string.

OID
  Specifies an object identifier. The OID can be entered in dotted form. Each OID must be preceded by a + or - sign (if this is omitted, a + sign is implied). The + is not optional.
  For the dotted form, a sub-identifier can be an asterisk, indicating a wildcard. Here are some examples of valid OID parameters:
  • sysName
  • +sysName
  • -sysName
  • +sysName.0
  • +ifIndex.1
  • -ifEntry.*.1 (this matches all objects in the ifTable with an instance of 1; that is, the entry for interface #1)
  • 1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)
  The + or - indicates whether the specified OID is included in or excluded from, respectively, the set of MIB objects that are accessible using this view. For example, if you create a view like this:
  • snmp-server view myview +system -sysDescr
  and you use that view for the read-view of a user, then the user can read only the system group except for sysDescr.

ATTENTION: There are ten possible OID values.
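The view include/exclude rules above, together with the per-level view fallback described for the snmp-server user command, worked through as an added Python model (not Nortel code, and nothing the switch itself runs). The MIB name table and the tie-break between overlapping view entries are assumptions, marked as such in the code.

```python
"""SNMPv3 view matching and per-user view fallback.

Added example, not Nortel code. It models the snmp-server view rules
(+/- include or exclude a subtree, * is a wildcard sub-identifier) and the
snmp-server user rule that views omitted at the auth level fall back to the
noauth views, and at the priv level to the auth, then the noauth, views.
Assumptions: MIB_NAMES is a constructed subset of MIB-II; when several view
entries match, the longest wins and later entries win ties (a simplification
of the RFC 3415 VACM rule).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MIB_NAMES = {   # constructed name table for the symbolic forms the manual shows
    "system": "1.3.6.1.2.1.1", "sysDescr": "1.3.6.1.2.1.1.1",
    "sysName": "1.3.6.1.2.1.1.5", "ifTable": "1.3.6.1.2.1.2.2",
    "ifEntry": "1.3.6.1.2.1.2.2.1", "ifIndex": "1.3.6.1.2.1.2.2.1.1",
}
MAX_OIDS_PER_VIEW = 10   # "There are ten possible OID values."


def parse_oid(text: str) -> Tuple[bool, Tuple[Optional[int], ...]]:
    """'sysName.0', '-ifEntry.*.1' or '1.3.6.1.2.1.1.1.0' -> (included,
    sub-ids), with None for a wildcard. A missing sign means '+'."""
    if not text:
        raise ValueError("empty OID")
    included = text[0] != "-"
    parts = text.lstrip("+-").split(".")
    if parts[0] in MIB_NAMES:              # symbolic prefix -> dotted form
        parts = MIB_NAMES[parts[0]].split(".") + parts[1:]
    return included, tuple(None if p == "*" else int(p) for p in parts)


class View:
    """One snmp-server view: a name plus one to ten signed OID entries."""

    def __init__(self, name: str, *oids: str):
        if not 1 <= len(oids) <= MAX_OIDS_PER_VIEW:
            raise ValueError("a view takes 1 to 10 OID arguments")
        self.name = name
        self.entries = [parse_oid(o) for o in oids]

    def allows(self, oid: str) -> bool:
        """Is the concrete OID accessible through this view?"""
        _, target = parse_oid(oid)
        best = None                        # (matched length, included)
        for included, subtree in self.entries:
            if len(subtree) > len(target):
                continue                   # entry lies below the target
            if all(s is None or s == t for s, t in zip(subtree, target)):
                if best is None or len(subtree) >= best[0]:
                    best = (len(subtree), included)
        return best is not None and best[1]


@dataclass
class LevelViews:
    """read/write/notify view names given for one security level."""
    read: Optional[str] = None
    write: Optional[str] = None
    notify: Optional[str] = None


@dataclass
class User:
    """auth is None unless md5|sha was given, priv is None unless
    3des|aes|des was given; an enabled level with no views inherits."""
    name: str
    noauth: LevelViews = field(default_factory=LevelViews)
    auth: Optional[LevelViews] = None
    priv: Optional[LevelViews] = None

    def effective_views(self, level: str) -> Optional[LevelViews]:
        chain = {"noauth": (self.noauth,), "auth": (self.auth, self.noauth),
                 "priv": (self.priv, self.auth, self.noauth)}[level]
        if chain[0] is None:
            return None                    # no credentials for this level
        for lv in chain:
            if lv is not None and (lv.read or lv.write or lv.notify):
                return lv
        return LevelViews()                # no views anywhere: no access


def can_access(user: User, level: str, kind: str,
               views: Dict[str, View], oid: str) -> bool:
    """kind is 'read', 'write' or 'notify'; level is 'noauth', 'auth' or 'priv'."""
    lv = user.effective_views(level)
    name = getattr(lv, kind) if lv is not None else None
    if name is None or name not in views:
        return False                       # omitted view type: no access
    return views[name].allows(oid)


# Constructed configuration mirroring the manual's own view example:
#   snmp-server view myview +system -sysDescr
#   snmp-server view ifview +ifTable -ifEntry.*.1
#   snmp-server user alice read-view myview md5 <pw> des <pw> read-view ifview write-view ifview
VIEWS = {v.name: v for v in (View("myview", "+system", "-sysDescr"),
                             View("ifview", "+ifTable", "-ifEntry.*.1"))}
ALICE = User("alice", noauth=LevelViews(read="myview"), auth=LevelViews(),
             priv=LevelViews(read="ifview", write="ifview"))
```

With this configuration alice can read sysName.0 at the noauth and auth levels (auth inherits the noauth views) but not at the priv level, where her read view is ifview; ifIndex.1 stays unreadable there because -ifEntry.*.1 excludes interface 1.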

no snmp-server view command

The no snmp-server view command deletes the specified view.

The syntax for the no snmp-server view command is:

no snmp-server view <viewname>

The no snmp-server view command is executed in the Global Configuration command mode.

Table 68 "no snmp-server view command parameters and variables" (page 175) describes the parameters and variables for the no snmp-server view command.


Table 68 no snmp-server view command parameters and variables

Parameters and variables / Description

viewname
  Specifies the name of the view to be removed. If no view is specified, all views are removed.

snmp-server host for old-style table command

The snmp-server host for old-style table command adds a trap receiver to the old-style trap-receiver table. The table has a maximum of four entries, and the entries can generate only SNMPv1 traps. This command controls the contents of the s5AGTrpRcvrTable, which is the set of trap destinations controlled by the SNMP Configuration screen in the console interface.

The syntax for the snmp-server host for old-style table command is

snmp-server host <host-ip> [port <1-65535>] <community-string>

Run the snmp-server host for old-style table command in Global Configuration command mode.

Table 69 "snmp-server host for old-style table command parameters and variables" (page 175) describes the parameters and variables for the snmp-server host for old-style table command.

Table 69 snmp-server host for old-style table command parameters and variables

Parameters and variables / Description

port <1-65535>
  Assign the SNMP trap port.

<host-ip>
  Enter a dotted-decimal IP address of a host that is the trap destination.

<community-string>
  Enter a community string that works as a password and permits access to the SNMP protocol.

snmp-server host for new-style table command

The snmp-server host for new-style table command adds a trap receiver to the new-style configuration (that is, to the SNMPv3 tables). You can create several entries in this table, and each can generate v1, v2c, or v3 traps. You must have previously configured the community string or user that is specified with a notify-view. The syntax for the snmp-server host for new-style table command is

snmp-server host <host-ip> [port <1-65535>] {v1 <community-string> | v2c <community-string> | v3 {auth|no-auth|auth-priv} <username>}

Run the snmp-server host for new-style table command in Global Configuration command mode.

Table 70 "snmp-server host for new-style table command parameters and variables" (page 176) describes the parameters and variables for the snmp-server host for new-style table command.

Table 70 snmp-server host for new-style table command parameters and variables

Parameters and variables / Description

<host-ip>
  Enter a dotted-decimal IP address of a host (trap destination).

port <1-65535>
  Assign the SNMP trap port.

v1 <community-string>
  Using v1 creates trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

v2c <community-string>
  Using v2c creates trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

v3 {auth|no-auth|auth-priv}
  Using v3 creates trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.
  Enter the following variables:
  • auth|no-auth: specifies whether SNMPv3 traps are authenticated
  • auth-priv: this parameter is available if the image has full SHA/DES support.

<username>
  The SNMPv3 user name for the trap destination; enter an alphanumeric string.

snmp-server bootstrap command

The snmp-server bootstrap command allows you to specify how you wish to secure SNMP communications, as described in the SNMPv3 standards. It creates an initial set of configuration data for SNMPv3. This configuration data follows the conventions described in the SNMPv3 standard (in RFC 3414 and 3415). This command creates a set of initial users, groups, and views.


ATTENTION: This command deletes all existing SNMP configurations.

The syntax for the snmp-server bootstrap command is

snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>

The snmp-server bootstrap command is executed in the Global Configuration command mode.

Table 71 "snmp-server bootstrap command parameters and variables" (page 177) describes the parameters and variables for the snmp-server bootstrap command.

Table 71 snmp-server bootstrap command parameters and variables

Parameters and variables / Description

<minimum-secure>
  Specifies a minimum security configuration that allows read access and notify access to all processes (or Internet views) using no authentication and no privacy; and write access to all processes using authentication and no privacy.

<semi-secure>
  Specifies a partial security configuration that allows read access and notify access but no write access to a small subset of system information (or restricted views) using no authentication and no privacy; and read, write, and notify access to all processes using authentication and no privacy. (Refer to RFCs 3414 and 3415 for a list of the MIB views in the semi-secure restricted set.)

<very-secure>
  Specifies a maximum security configuration that allows no access to the users.

RADIUS accounting configuration using NNCLI

RADIUS accounting utilizes the same network server settings used for RADIUS authentication. For more information about the commands to configure the RADIUS server settings, see "Configuring RADIUS server settings" (page 112).

The RADIUS accounting UDP port is the RADIUS authentication port + 1. By default, the RADIUS accounting UDP port is port 1813.

By default, RADIUS accounting is disabled.


RADIUS accounting configuration using NNCLI navigation

• “Enabling RADIUS accounting” (page 178)

• “Disabling RADIUS accounting” (page 178)

• “Viewing RADIUS information” (page 113)

Enabling RADIUS accounting

Perform this procedure to enable RADIUS accounting.

Prerequisites

• Log on to Global Configuration or Interface Command mode in NNCLI.

Procedure steps

Step Action

1 To enable RADIUS accounting, use the following command:

radius accounting enable

--End--

Disabling RADIUS accounting

Perform this procedure to disable RADIUS accounting.

Prerequisites

• Log on to Global Configuration or Interface Command mode in NNCLI.

Procedure steps

Step Action

1 To disable RADIUS accounting, use the following command:

no radius accounting enable

--End--

TACACS+ configuration using NNCLI

This section describes how you configure TACACS+ to perform AAA services for system users.


TACACS+ configuration using NNCLI navigation

• “Configuring switch TACACS+ server settings using NNCLI” (page 179)

• “Disabling switch TACACS+ server settings using NNCLI” (page 180)

• “Enabling remote TACACS+ services using NNCLI” (page 181)

• “Enabling or disabling TACACS+ authorization using NNCLI” (page 181)

• “Configuring TACACS+ authorization privilege levels using NNCLI” (page 182)

• “Enabling or disabling TACACS+ accounting using NNCLI” (page 183)

• “Configuring the switch TACACS+ level using NNCLI” (page 183)

• “Viewing TACACS+ information using NNCLI” (page 184)

Configuring switch TACACS+ server settings using NNCLI

Configure switch TACACS+ server settings to add a TACACS+ server to your system.

Prerequisites

• Configure the TACACS+ server to be added to your system.

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure switch TACACS+ server settings by using the following command:

tacacs server

--End--

Variable definitions

The following table describes variables that you use with the tacacs server command.

Variable Value

host <IPaddr> Specifies the IP address of the primaryserver you want to add or configure.


key <key>  Specifies the secret authentication and encryption key used for all communications between the NAS and the TACACS+ server. The key, also referred to as the shared secret, must be the same as the one defined on the server. You are prompted to confirm the key when you enter it.

ATTENTION
The key parameter is a required parameter when you create a new server entry. The parameter is optional when you are modifying an existing entry.

port <port>  Specifies the TCP port for TACACS+. <port> is an integer in the range of 1 to 65535. The default port number is 49.

secondary host <IPaddr>  Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond.

Disabling switch TACACS+ server settings using NNCLI

Disable switch TACACS+ server settings to discontinue using TACACS+ services in your system.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable switch TACACS+ server settings by using one of the following commands:

no tacacs

OR

default tacacs


These commands erase the settings for the TACACS+ primary and secondary servers and the secret key, and restore the default port setting.

--End--

Enabling remote TACACS+ services using NNCLI

Enable remote TACACS+ services to provide services to remote users over serial or Telnet connections.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

• Configure a TACACS+ server on the switch before you can enable remote TACACS+ services. For information see “Configuring switch TACACS+ server settings using NNCLI” (page 179).

Procedure steps

Step Action

1 Enable remote TACACS+ services for serial connections by using the following command:

cli password serial tacacs

2 Enable remote TACACS+ services for Telnet connections by using the following command:

cli password telnet tacacs

--End--

Enabling or disabling TACACS+ authorization using NNCLI

You can enable or disable TACACS+ authorization globally on the switch by following this procedure.

ATTENTION
TACACS+ authorization is disabled by default.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.


Procedure steps

Step Action

1 Enable TACACS+ authorization by using the following command:

tacacs authorization enable

2 Disable TACACS+ authorization by using the following command:

tacacs authorization disable

--End--

Configuring TACACS+ authorization privilege levels using NNCLI

Configure TACACS+ authorization privilege levels to specify the privilege levels to which TACACS+ authorization applies.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure TACACS+ authorization privilege levels by using the following command:

tacacs authorization level

--End--

Variable definitions

The following table defines the parameters that you can enter after the tacacs authorization level command.

Variable Value

ALL  Enables authorization for all privilege levels.


LINE  Enables authorization for a specific privilege level. LINE is a numerical value in the range of 0 to 15.

NONE  Authorization is not enabled for privilege levels. All users can execute commands available on the switch.

The default authorization level is NONE.

Enabling or disabling TACACS+ accounting using NNCLI

Enable or disable TACACS+ accounting globally on the switch by following this procedure.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable TACACS+ accounting by using the following command:

tacacs accounting enable

2 Disable TACACS+ accounting by using the following command:

tacacs accounting disable

--End--

Configuring the switch TACACS+ level using NNCLI

Configure the switch TACACS+ level to select a new level for a switch or use the last configured level.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure a new TACACS+ level for a switch by using the following command:


tacacs switch level

2 Use the last configured TACACS+ level for a switch by using the following command:

tacacs switch back

--End--

Variable definitions

The following table defines optional parameters that you enter after the tacacs switch level command.

Variable Value

<cr>  Selects the default switch TACACS+ level (15).

<1-15>  Defines the new TACACS+ level for the switch. Values range from 1 to 15.

Viewing TACACS+ information using NNCLI

View TACACS+ information to display TACACS+ configuration status by following this procedure.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 View TACACS+ information by using the following command:

show tacacs

--End--
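The TACACS+ procedures in this section combined into one configuration sequence, as an added example that is not part of the manual. The server addresses and key are constructed placeholders; lines beginning with "!" are annotations, not commands, and the way the tacacs server variables are combined on one line follows the variable table above and is an assumption.

```text
! Added example (not from the manual). 192.0.2.10, 192.0.2.11 and the key are placeholders.
! All commands below are entered in Global Configuration mode unless noted.

! 1. Define the servers before anything depends on them (prerequisite of the
!    "Enabling remote TACACS+ services" procedure). The key is required for a new
!    entry and must match the server; the switch prompts you to confirm it.
tacacs server host 192.0.2.10 key <shared-secret> port 49
tacacs server secondary host 192.0.2.11

! 2. Authentication: send Telnet logins to TACACS+ first; the serial console is
!    left on the local password until TACACS+ login is confirmed from a second
!    Telnet session, so a wrong key or unreachable server cannot lock you out.
!    (Keeping the console local is a choice made in this example.)
cli password telnet tacacs
cli password serial local

! 3. Authorization is off by default; turn it on and apply it to every
!    privilege level so per-command policy on the server is enforced.
tacacs authorization enable
tacacs authorization level ALL

! 4. Accounting, so command activity is logged on the TACACS+ server.
tacacs accounting enable

! 5. Verify from Privileged EXEC mode.
exit
show tacacs

! Once TACACS+ login over Telnet works, move the console as well:
! configure terminal
! cli password serial tacacs
```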

Configuring IP Manager

To configure the IP Manager to control management access to the switch or stack, do the following:

• Enable IP Manager.

• Configure the IP Manager list.


Enabling IP Manager

To enable IP Manager to control Telnet, SNMP, or HTTP access, use the following command in Global Configuration mode:

ipmgr {telnet|snmp|web}

where

telnet  enables the IP Manager list check for Telnet access

snmp  enables the IP Manager list check for SNMP, including Device Manager

web  enables the IP Manager list check for the Web-based management system

To disable IP Manager for a management system, use the no keyword at the start of the command.

Configuring the IP Manager list

To specify the source IP addresses or address ranges that have access to the switch or the stack when IP Manager is enabled, use the following command in Global Configuration mode:

ipmgr source-ip <list ID> <IPaddr> [mask <mask>]

where

<list ID>  is an integer in the range of 1 to 50 that uniquely identifies an IPv4 entry in the IP Manager list or in the range of 51 to 100 that uniquely identifies an IPv6 entry in the IP Manager list.

The ipmgr source-ip <list ID> command contains the following parameters for configuring the IP Manager list:

Parameter Description

<IPaddr>  Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.

[mask <mask>]  Specifies the subnet mask from which access is allowed. Enter the IP mask in dotted-decimal notation.

Removing IP Manager list entries

To deny access to the switch or stack for specified source IP addresses or address ranges, use the following command in Global Configuration mode:

no ipmgr source-ip [<list ID>]


where

<list ID>  is an integer in the range of 1 to 50 that uniquely identifies an IPv4 entry in the IP Manager list or in the range of 51 to 100 that uniquely identifies an IPv6 entry in the IP Manager list.

The command sets both the IP address and mask for the specified entry to 255.255.255.255. If you do not specify a <list ID> value, the command resets the whole list to factory defaults.

Viewing IP Manager settings

To view IP Manager settings, use the following command:

show ipmgr

The command displays:

• whether Telnet, SNMP, SSH, and Web access are enabled

• whether the IP Manager list is being used to control access to Telnet, SNMP, SSH, and the Web-based management system

• the current IP Manager list configuration
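The IP Manager commands above applied together to restrict management access to a management subnet and one administration host, as an added example that is not part of the manual. The addresses and list IDs are constructed placeholders; lines beginning with "!" are annotations.

```text
! Added example (not from the manual). 192.0.2.0/24 and 198.51.100.7 are placeholders.
! Global Configuration mode.

! Allowed sources are entered before the checks are switched on, so the session
! you are configuring from is already on the list when enforcement starts
! (a conservative ordering chosen for this example, not a stated requirement).
! IPv4 entries use list IDs 1 to 50.
ipmgr source-ip 1 192.0.2.0 mask 255.255.255.0
ipmgr source-ip 2 198.51.100.7 mask 255.255.255.255

! Enforce the list for every management protocol the switch offers.
ipmgr telnet
ipmgr snmp
ipmgr web

! Verify: the output shows which accesses are enabled, whether the list check
! applies to each, and the list itself.
show ipmgr

! Revoking the single host later resets entry 2 to 255.255.255.255/255.255.255.255;
! omitting the list ID would reset the entire list to factory defaults.
no ipmgr source-ip 2
```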

Setting the user name and password

The username authentication feature enhances the security level of the ERS4500 series by adding a user name field to the existing security infrastructure. This feature integrates the local authentication methods in a general and commonly accepted user name and password framework.

username command

Use the username command in global command mode to configure the system user name and password for access through the serial console port, Telnet, and Web-based management. The username command supports just one read-only and one read/write user on the switch or stack. The parameters are assigned for the stand-alone or stack environment depending on the current operational mode.

The syntax for the username command is

username <username> <password> [ro|rw]

Table 72 "username command parameters and variables" (page 187) describes the parameters and variables for the username command.


Table 72 username command parameters and variables

Parameters and variables  Description

<username> <password>  Enter your user name for the first variable, and your password for the second variable. The default user name values are RO for read-only access and RW for read/write access.

ro | rw  Modify the read-only (ro) user name or the read/write (rw) user name. The ro/rw variable is optional. If you omit this variable, the command applies to the read-only mode.

ATTENTION
After you configure the user name and password with the username command, if you then update the password using the CLI password command, the Console Interface, or Web-based management, the new password is assigned, but the user name remains unchanged.

Setting NNCLI password

You can assign passwords using the cli password command for selected types of access using NNCLI, Telnet, or RADIUS security.

cli password command

The cli password command has two forms and performs the following functions for either the switch or the entire stack:

• Change the password for access through the serial console port and Telnet.

• Change the password for serial console port or Telnet access and choose whether to authenticate the password locally or with the RADIUS server.

Configure the password in the current operation mode (either switch or stack). The syntax for the cli password command is

cli password {ro | rw} <WORD>

cli password {serial | telnet} {none | local | radius}

Run the cli password command in Global Configuration command mode.

Table 73 "cli password command parameters and variables" (page 188) describes the parameters and variables for the cli password command.


Table 73 cli password command parameters and variables

Parameters and variables  Description

ro | rw  Modify the read-only (ro) password or the read/write (rw) password.

<WORD>  Enter your password.

ATTENTION
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.

serial | telnet  Modify the password for serial console access or for Telnet access.

none | local | radius  Indicates the password type you are modifying:

• none: disable the password

• local: use the locally defined password for serial console or Telnet access

• radius: use RADIUS authentication for serial console or Telnet access

Configuring password security

NNCLI commands detailed in this section are used to manage password security features. These commands can be used in the Global Configuration and Interface Configuration command modes.

password security command

The password security command enables the Password Security feature on the Ethernet Routing Switch 4500 Series.

The syntax of the password security command is

password security

no password security command

The no password security command disables the Password Security feature on the Ethernet Routing Switch 4500 Series.

The syntax for the no password security command is

no password security


Configuring the number of retries

To configure the number of times a user can retry a password, use the following command in Global or Interface Configuration mode:

telnet-access retry <number>

where

number  is an integer in the range 1 to 100 that specifies the allowed number of failed log on attempts. The default is 3.

Password history configuration using NNCLI

You can configure the Ethernet Routing Switch 4500 to keep a maximum history of ten passwords. The default password history configuration is three.

Password history configuration using NNCLI navigation

• “Configuring password history using NNCLI” (page 189)

• “Configuring password history to default using NNCLI” (page 190)

• “Viewing password history using NNCLI” (page 190)

Configuring password history using NNCLI

Configure password history to select the number of last-used passwords the switch keeps a record of.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure password history by using the following command:

password password-history <3-10>

--End--

Variable definitions

The following table defines variable parameters that you enter with the password password-history <3-10> command.


Variable Value

<3-10>  Defines the number of passwords the switch records a history of. Values range from 3 to 10. The default value is 3.

Configuring password history to default using NNCLI

Configure the password history to default to select the default value of 3 for the number of last-used passwords the switch keeps a record of by following this procedure.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 Configure the password history to default by using the following command:

default password password-history

--End--

Viewing password history using NNCLI

View password history to display the password history configuration by following this procedure.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 View password history by using the following command:

show password password-history

--End--


NNCLI Audit log configuration

NNCLI Audit provides a means for tracking NNCLI commands.

NNCLI Audit log configuration navigation

• “Displaying NNCLI Audit log” (page 191)

• “Enabling and disabling NNCLI Audit log” (page 191)

• “Configuring NNCLI Audit log to default” (page 192)

Displaying NNCLI Audit log

Perform this procedure to display the NNCLI Audit log.

Prerequisites

• Log on to the Privileged EXEC mode in NNCLI.

Procedure steps

Step Action

1 To display the NNCLI Audit log, enter the following command:

show audit log [asccfg | serial | telnet | config]

--End--

Variable definitions

The following table defines variable parameters that you enter with the show audit log command.

Variable Value

asccfg Displays the audit log for ASCII configuration.

serial Displays the audit log for serial connections.

telnet  Displays the audit log for Telnet and SSH connections.

config Displays the status of activation of the Audit log.

Enabling and disabling NNCLI Audit log

Perform this procedure to enable or disable the NNCLI Audit log.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.


Procedure steps

Step Action

1 To enable NNCLI Audit, enter the following command:

audit log save

2 To disable NNCLI Audit, enter the following command:

no audit log

3 To verify the NNCLI Audit setting, enter the following command:

show audit log config

The following response appears:

Audit Log Save To NVRAM:: Disabled

--End--

Configuring NNCLI Audit log to default

Perform this procedure to set the NNCLI Audit log to default.

Prerequisites

• Log on to the Global Configuration mode in NNCLI.

Procedure steps

Step Action

1 To set the NNCLI Audit log to default mode, enter the following command:

default audit log

2 To verify the NNCLI Audit settings, enter the following command:

show audit log config

The following response appears:

Audit Log Save To NVRAM:: Enabled

--End--

Secure Socket Layer services

The following table lists NNCLI commands available for working with Secure Socket Layer (SSL).


Table 74 SSL commands

Command Description

[no] ssl  Enables or disables SSL. The Web server operates in a secure mode when SSL is enabled and in non secure mode when the SSL server is disabled.

[no] ssl certificate  Creates or deletes a certificate. The new certificate is used only on the next system reset or SSL server reset. The new certificate is stored in the NVRAM with the file name SSLCERT.DAT. The new certificate file replaces the existing file. On deletion, the certificate in NVRAM is also deleted. The current SSL server operation is not affected by the create or delete operation.

ssl reset  Resets the SSL server. When SSL is enabled: existing SSL connections are closed, the SSL server is restarted and initialized with the certificate that is stored in the NVRAM.

When SSL is not enabled: existing non secure connections are closed, the server is restarted, and non secure operation resumes.

show ssl  Shows the SSL server configuration and SSL server state. Refer to Table 75 "Server state information" (page 193) for more information.

show ssl certificate  Displays the certificate which is stored in the NVRAM and is used by the SSL server.

The following table describes the output for the show ssl command.

Table 75 Server state information

Field Description

WEB Server SSL secured  Shows whether the Web server is using an SSL connection.

SSL server state  Displays one of the following states:

• Un-initialized: The server is not running.

• Certificate Initialization: The server is generating a certificate during its initialization phase.

• Active: The server is initialized and running.


SSL Certificate: Generation in progress  Shows whether SSL is in the process of generating a certificate. The SSL server generates a certificate during server startup initialization, or an NNCLI user can regenerate a new certificate.

SSL Certificate: Saved in NVRAM  Shows whether an SSL certificate exists in the NVRAM. The SSL certificate is not present if the system is being initialized for the first time or an NNCLI user has deleted the certificate.

Secure Shell protocol

Secure Shell protocol is used to improve Telnet and provide secure access to the NNCLI interface. There are two versions of the SSH Protocol. The Ethernet Routing Switch 4500 Series SSH supports SSH2.

The following NNCLI commands are used in the configuration and management of SSH.

show ssh command

This command displays information about all active SSH sessions and on other general SSH settings.

The syntax for the show ssh command is

show ssh {global|session|download-auth-key}

Table 76 "show ssh parameters" (page 194) outlines the parameters for this command.

Table 76 show ssh parameters

Parameter Description

download-auth-key  Display authorization key and TFTP server IP address

global  Display general SSH settings

session  Display SSH session info

The show ssh global command is executed in the Privileged EXEC command mode.

ssh dsa-host-key command

The ssh dsa-host-key command triggers the DSA key regeneration.


The syntax for the ssh dsa-host-key command is

ssh dsa-host-key

The command is executed in the Global Configuration command mode.

The ssh dsa-host-key command has no parameters or variables.

no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA keys in the switch. A new DSA key can be generated by executing the ssh dsa-host-key command.

The syntax for the no ssh dsa-host-key command is

no ssh dsa-host-key

The no ssh dsa-host-key command is executed in the Global Configuration command mode.

The no ssh dsa-host-key command has no parameters or variables.

ssh download-auth-key command

The ssh download-auth-key command downloads the DSA authentication key into the switch from the specified TFTP server.

The syntax for the ssh download-auth-key command is

ssh download-auth-key {address <XXX.XXX.XXX> | USB} key-name <key-name>

Table 77 "ssh download-auth-key parameters" (page 195) outlines the parameters for this command.

Table 77 ssh download-auth-key parameters

Parameter Description

address <XXX.XXX.XXX>  Specifies download from the TFTP server at the given IPv4 or IPv6 address.

usb  Specifies download using USB

key-name <filename>  Specify the TFTP or USB filename

The ssh download-auth-key command is executed in the Global Configuration command mode.

no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the DSA authentication key stored in the switch.


The syntax for the no ssh dsa-auth-key command is

no ssh dsa-auth-key

The no ssh dsa-auth-key command is executed in the Global Configuration command mode.

ssh command

The ssh command enables SSH in a non secure mode. If the host keys do not exist, they are generated.

The syntax for the ssh command is

ssh

The ssh command is executed in the Global Configuration command mode.

This command has no parameters.

no ssh command

The no ssh command disables SSH.

The syntax for the no ssh command is

no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth}

Table 78 "no ssh parameters" (page 196) outlines the parameters for thiscommand.

Table 78no ssh parameters

Parameter Description

dsa-auth Disable SSH DSA authentication

dsa-auth-key Delete SSH DSA auth key

dsa-host-key Delete SSH DSA host key

pass-auth Disable SSH password authentication

The no ssh command is executed in the Global Configuration command mode.

ssh secure command

The ssh secure command disables the Web, SNMP, and Telnet management interfaces permanently.

The no ssh command does NOT turn them back on; they must be re-enabled manually. (A system message warns the user to re-enable one of the other interfaces before turning off SSH secure mode.)


The syntax for the ssh secure command is

ssh secure [force]

where [force] indicates to skip the confirmation.

The ssh secure command is executed in the Global Configuration command mode.

ssh dsa-auth command

The ssh dsa-auth command enables user log on using DSA key authentication.

The syntax for the command is

ssh dsa-auth

The ssh dsa-auth command is executed in the Global Configuration command mode.

no ssh dsa-auth command

The no ssh dsa-auth command disables user log on using DSA key authentication.

The syntax for the no ssh dsa-auth command is

no ssh dsa-auth

The no ssh dsa-auth command is executed in the Global Configuration command mode.

default ssh dsa-auth command

The default ssh dsa-auth command enables the user log on using DSA key authentication.

The syntax for the default ssh dsa-auth command is

default ssh dsa-auth

The default ssh dsa-auth command is executed in the Global Configuration command mode.

ssh pass-auth command

The ssh pass-auth command enables user log on using the password authentication method.

The syntax for the ssh pass-auth command is

ssh pass-auth


The ssh pass-auth command is executed in the Global Configuration command mode.

no ssh pass-auth command

The no ssh pass-auth command disables user log on using password authentication.

The syntax for the no ssh pass-auth command is

no ssh pass-auth

The no ssh pass-auth command is executed in the Global Configuration command mode.

default ssh pass-auth command

The default ssh pass-auth command enables user log on using password authentication.

The syntax for the default ssh pass-auth command is

default ssh pass-auth

The default ssh pass-auth command is executed in the Global Configuration command mode.

ssh port command

The ssh port command sets the TCP port for the SSH daemon.

The syntax for the ssh port command is

ssh port <1-65535>

Substitute the <1-65535> with the number of the TCP port to use.

The ssh port command is executed in the Global Configuration command mode.

default ssh port command

The default ssh port command sets the default TCP port for the SSH daemon.

The syntax for the default ssh port command is

default ssh port

The default ssh port command is executed in the Global Configuration command mode.

ssh timeout command

The ssh timeout command sets the authentication timeout, in seconds.


The syntax of the ssh timeout command is

ssh timeout <1-120>

Substitute <1-120> with the desired number of seconds.

The ssh timeout command is executed in the Global Configuration command mode.

default ssh timeout command

The default ssh timeout command sets the default authentication timeout to 60 seconds.

The syntax for the default ssh timeout command is

default ssh timeout

The default ssh timeout command is executed in the Global Configuration command mode.
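The SSH commands in this section applied in one sequence to move management access to key-authenticated SSH only, as an added example that is not part of the manual. The TFTP server address and key file name are constructed placeholders; lines beginning with "!" are annotations.

```text
! Added example (not from the manual). 192.0.2.20 and admin_dsa.pub are placeholders.
! Global Configuration mode.

! 1. Load the administrator's DSA public key from TFTP (or USB) so key login
!    can be tested before password login is removed.
ssh download-auth-key address 192.0.2.20 key-name admin_dsa.pub

! 2. Enable DSA key authentication and bring up the SSH daemon; host keys are
!    generated on first enable if none exist. A short authentication timeout
!    limits how long an unauthenticated connection may hold a session slot.
ssh dsa-auth
ssh timeout 30
ssh

! 3. Check the daemon state and the loaded key from Privileged EXEC mode, then
!    log in over SSH with the key from a second session before going further.
exit
show ssh global
show ssh download-auth-key
show ssh session

! 4. Only after key login is confirmed: drop password authentication so a
!    guessed or reused password no longer gives NNCLI access over SSH.
configure terminal
no ssh pass-auth

! 5. Optional hardening: ssh secure permanently disables the Web, SNMP and
!    Telnet interfaces. "no ssh" does not restore them, so treat this as a
!    one-way step and make sure SSH key login works first.
! ssh secure

! Recovery: the following re-enable password login and reset the timeout.
! default ssh pass-auth
! default ssh timeout
```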

Configuring DHCP snooping using NNCLI

For more information about the function and operation of DHCP snooping in an Ethernet Routing Switch 4500 Series network, see “DHCP snooping” (page 68).

To configure DHCP snooping, do the following:

1. Enable DHCP snooping globally. For more information, see “Enabling DHCP snooping globally” (page 199).

2. Enable DHCP snooping on the VLANs. For more information, see “Enabling DHCP snooping on the VLANs” (page 200).

3. Identify the ports as trusted (DHCP packets are forwarded automatically) or untrusted (DHCP packets are filtered through DHCP snooping). For more information, see “Configuring trusted and untrusted ports” (page 200).

WARNING
In layer 3 mode, DHCP snooping must be enabled on the layer 3 VLANs spanning toward the DHCP server. DHCP relay is also required for correct functionality.

Enabling DHCP snooping globally

Before DHCP snooping can function on a VLAN or port, you must enable DHCP snooping globally. If DHCP snooping is disabled globally, the switch forwards DHCP reply packets to all applicable ports, regardless of whether the port is trusted or untrusted.


To enable DHCP snooping globally, use the following command in Global Configuration mode:

ip dhcp-snooping [enable]

The default is disabled.

To disable DHCP snooping globally, use one of the following commands in Global Configuration mode:

no ip dhcp-snooping

default ip dhcp-snooping [enable]

Enabling DHCP snooping on the VLANs

You must enable DHCP snooping separately for each VLAN. If DHCP snooping is disabled on a VLAN, the switch forwards DHCP reply packets to all applicable ports, regardless of whether the port is trusted or untrusted.

To enable DHCP snooping on a VLAN, use the following command in Global Configuration mode:

ip dhcp-snooping vlan <vlanID>

where

<vlanID>  is an integer in the range 1–4094 specifying the preconfigured VLAN on which you want to enable DHCP snooping

The default is disabled.

To disable DHCP snooping on a VLAN, use the following command in Global Configuration mode:

no ip dhcp-snooping vlan <vlanID>

where

<vlanID>  is an integer in the range 1–4094 specifying the preconfigured VLAN on which you want to disable DHCP snooping. If you do not specify a VLAN ID, DHCP snooping is disabled on all VLANs.

Configuring trusted and untrusted ports

To specify whether a particular port or range of ports is trusted (DHCP replies are forwarded automatically) or untrusted (DHCP replies are filtered through DHCP snooping), use the following command in Interface configuration mode:


ip dhcp-snooping [port <portlist>] <trusted|untrusted>

where

<portlist>  is the physical port number of the port you want to configure. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port number, the command applies to the ports specified upon entering the Interface configuration mode.

The default is untrusted.

To return a port or range of ports to default values, use the following command in Interface configuration mode:

default ip dhcp-snooping <portlist>

where

<portlist>  is the physical port number of the port you want to configure. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port number, the command applies to the ports specified upon entering the Interface configuration mode.

To return all ports in the interface to default values, use the following command in Interface configuration mode:

default ip dhcp-snooping port ALL

Viewing DHCP snooping settingsTo view the global DHCP snooping state and the VLANs on which DHCPsnooping has been enabled, use the following command in the Global orInterface Command mode:

show ip dhcp-snooping

To view only the VLANs on which DHCP snooping has been enabled, usethe following command in the Global or Interface Command mode:

show ip dhcp-snooping vlan

The output lists only the VLANs enabled for DHCP snooping.

To view port settings, use the following command in the Global or InterfaceCommand mode:

show ip dchp-snooping interface [<interface type>] [<port>]


The output lists the ports and their associated DHCP snooping status (trusted or untrusted). If you specify the interface type or port as part of the command, the output includes only the ports specified. If you do not specify the interface type or port as part of the command, the output displays all ports.

Viewing the DHCP binding table

To view the DHCP binding table, use the following command in the Global or Interface Command mode:

show ip dhcp-snooping binding

The output reports the total number of entries and lists current DHCP lease information for clients on untrusted ports: source MAC address, IP address, lease duration in seconds, VLAN ID, and port.

DHCP Snooping layer 2 configuration example

Figure 5 "Layer 2 configuration example" (page 203) depicts the network setup for this example. PC1 and PC2 act as DHCP clients. The device under test (DUT) is in layer 2 mode and must be configured with DHCP Snooping to increase network security. The DHCP server and clients must belong to the same L2 VLAN (VLAN #1 by default). You can configure the DHCP client lease time on the DHCP server.


Figure 5 Layer 2 configuration example

The DHCP server port must always be Trusted, because Untrusted DHCP ports drop DHCP replies coming from the DHCP server. All ports are DHCP Untrusted by default. You must connect DHCP clients to Untrusted DHCP ports; however, PC1 is connected to a Trusted port for this configuration example case.

This configuration example illustrates a security hole that permits PC1 to install a fake DHCP Server. Port 10 (DHCP Trusted) allows DHCP replies to be forwarded to PC2 in this case.


DHCP Snooping configuration commands

The following section describes the detailed NNCLI commands required to configure DHCP Snooping for this example.

>en
#configure terminal
(config)#ip dhcp-snooping
(config)#ip dhcp-snooping vlan 1
(config)#interface fastEthernet 1,10
(config-if)#ip dhcp-snooping trusted
(config-if)#exit

Verifying the DHCP Snooping settings

This section describes the commands used to verify the settings and the expected response to each command.

(config)#show ip dhcp-snooping

Global DHCP snooping state: Enabled

       DHCP
VLAN   Snooping
----   --------
1      Enabled

(config)#show ip dhcp-snooping interface 1,10,11

       DHCP
Port   Snooping
----   --------
1      Trusted
10     Trusted
11     Untrusted

(config)#show ip dhcp-snooping binding

MAC                IP               Lease (sec)   VID   Port
---------------------------------------------------------------
Total Entries: 0

4526GTX-PWR#sho running-config


! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4526GTX-PWR
! Software version = v5.1.0.1
enable
configure terminal
!
! *** CORE ***
!
autosave enable
mac-address-table aging-time 300
autotopology
no radius-server
radius-server host 0.0.0.0
radius-server secondary-host 0.0.0.0
radius-server port 1812
! radius-server key ********
radius-server timeout 2
telnet-access login-timeout 1
telnet-access retry 3
telnet-access inactive-timeout 15
telnet-access logging all
cli password stack serial none
cli password stack telnet local
!
....
! *** IP *** Note information in this section.
!
ip default-gateway 0.0.0.0
ip address netmask 0.0.0.0
ip address stack 0.0.0.0
ip address switch 0.0.0.0
ip bootp server disable
!
....
! *** DHCP SNOOPING *** Note information in this section.
!
ip dhcp-snooping
no ip dhcp-snooping vlan
ip dhcp-snooping vlan 1
interface FastEthernet ALL
default ip dhcp-snooping
ip dhcp-snooping port 1,10 trusted
exit
!
! *** ARP INPSECTION *** Note information in this section.
!
no ip arp-inspection vlan
interface FastEthernet ALL
default ip arp-inspection
exit
! ...


Renew the IP addresses for PC1 and PC2. Both PCs obtain IP addresses from the DHCP server. A DHCP binding entry for PC2 appears in the DHCP binding table. No binding entry for PC1 exists because port 10 is DHCP Trusted.

(config)#show ip dhcp-snooping binding

MAC                IP               Lease (sec)   VID   Port
---------------------------------------------------------------
00-02-44-ab-2d-f4  192.168.1.10     86460         1     11
Total Entries: 1

Configuring dynamic ARP inspection

For more information about the function and operation of dynamic Address Resolution Protocol (ARP) inspection in a network, see “Dynamic ARP inspection” (page 70).

To configure dynamic ARP inspection, do the following:

1. Enable dynamic ARP inspection on the VLANs. For more information, see “Enabling dynamic ARP inspection on the VLANs” (page 206).

2. Identify the ports as trusted (ARP traffic is not subjected to dynamic ARP inspection) or untrusted (ARP traffic is filtered through dynamic ARP inspection). For more information, see “Configuring trusted and untrusted ports” (page 207).

ATTENTION
For dynamic ARP inspection to function, DHCP snooping must be globally enabled. For more information about configuring DHCP snooping, see “Configuring DHCP snooping using NNCLI” (page 199) or “Configuring DHCP snooping globally using Device Manager” (page 291).

Enabling dynamic ARP inspection on the VLANs

You must enable dynamic ARP inspection separately for each VLAN.

To enable dynamic ARP inspection on a VLAN, use the following command in Global Configuration mode:

ip arp-inspection vlan <vlanID>

where

<vlanID> is an integer in the range 1–4094 that specifies the preconfigured VLAN on which you want to enable dynamic ARP inspection.

The default is disabled.


To disable dynamic ARP inspection on a VLAN, use the following command in Global Configuration mode:

no ip arp-inspection vlan <vlanID>

where

<vlanID> is an integer in the range 1–4094 that specifies the preconfigured VLAN on which you want to disable dynamic ARP inspection.

Configuring trusted and untrusted ports

To specify whether a particular port or range of ports is trusted (ARP traffic is not subject to dynamic ARP inspection) or untrusted (ARP traffic is subject to dynamic ARP inspection), use the following command in Interface configuration mode:

ip arp-inspection [port <portlist>] <trusted|untrusted>

where

<portlist> is the physical port number of the port you want to configure. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port number, the command applies to the ports specified upon entering the Interface configuration mode.

The default is untrusted.

To return a port or range of ports to default values, use the following command in Interface configuration mode:

default ip arp-inspection port <portlist>

where

<portlist> is the physical port number of the port you want to configure. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port number, the command applies to the ports specified upon entering the Interface configuration mode.

To return all ports in the interface to default values, use the following command in Interface configuration mode:

default ip arp-inspection port ALL


Viewing dynamic ARP inspection settings

To view the VLANs on which dynamic ARP inspection has been enabled, use the following command in the Global or Interface Command mode:

show ip arp-inspection vlan

The output lists only the VLANs enabled for dynamic ARP inspection.

To view port settings, use the following command in the Global or Interface Command mode:

show ip arp-inspection interface [<interface type>] [<port>]

The output lists the ports and their associated dynamic ARP inspection status (trusted or untrusted). If you specify the interface type or port as part of the command, the output includes only the ports specified. If you do not specify the interface type or port as part of the command, the output displays all ports.

Dynamic ARP inspection layer 2 configuration example

This configuration example uses the same network setup and configuration created in the “Configuring DHCP snooping using NNCLI” (page 199) section and illustrated by Figure 5 "Layer 2 configuration example" (page 203). To increase security in this network, you must enable Dynamic ARP inspection. If the device under test (DUT) has no IP address assigned, BOOTP must be DISABLED in order for ARP Inspection to work. The DHCP Server port must be ARP Trusted also.

Dynamic ARP inspection configuration commands

The following section details the commands required to configure Dynamic ARP Inspection for this example. The following commands are in addition to those specified in the “Configuring DHCP snooping using NNCLI” (page 199) section.

>en
#configure terminal
(config)#ip bootp server disable
(config)#ip arp-inspection vlan 1
(config)#interface fastEthernet 1,10
(config-if)#ip arp-inspection trusted
(config-if)#exit

Verifying Dynamic ARP Inspection settings

This section describes the commands used to verify settings, and the expected response to each command.

(config)#show ip arp-inspection


       ARP
VLAN   Inspection
----   ----------
1      Enabled

(config)#show ip arp-inspection interface 1,10,11

       ARP
Port   Inspection
----   ----------
1      Trusted
10     Trusted
11     Untrusted

4526GTX-PWR#sho running-config

! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4526GTX-PWR
! Software version = v5.1.0.0
enable
configure terminal
!
! *** CORE ***
!
autosave enable
mac-address-table aging-time 300
autotopology
no radius-server
radius-server host 0.0.0.0
radius-server secondary-host 0.0.0.0
radius-server port 1812
! radius-server key ********
radius-server timeout 2
telnet-access login-timeout 1
telnet-access retry 3
telnet-access inactive-timeout 15
telnet-access logging all
cli password stack serial none
cli password stack telnet local
!
! *** IP *** Note information in this section.
!
ip default-gateway 0.0.0.0
ip address netmask 0.0.0.0
ip address stack 0.0.0.0
ip address switch 0.0.0.0
ip bootp server disable
!


! *** DHCP SNOOPING *** Note information in this section.
!
ip dhcp-snooping
no ip dhcp-snooping vlan
ip dhcp-snooping vlan 1
interface FastEthernet ALL
default ip dhcp-snooping
ip dhcp-snooping port 1,10 trusted
exit
!
! *** ARP INPSECTION *** Note information in this section.
!
no ip arp-inspection vlan
ip arp-inspection vlan 1
interface FastEthernet ALL
default ip arp-inspection
ip arp-inspection port 1,10 trusted
exit
!
...

Renew the IP addresses for PC1 and PC2. Both PCs obtain IP addresses from the DHCP server. A DHCP binding entry for PC2 appears in the DHCP binding table although it is ARP Untrusted. No binding entry for PC1 exists because port 10 is DHCP Trusted, even though it is ARP Trusted.

Now clear the ARP cache on both PCs.

>arp -a
>arp -d <IP-address>

Attempt to start communication (use ping) between PCs or between the PCs and the DHCP server. You can establish communication in any direction because ARPs are allowed on port 10 (PC1), which is ARP Trusted, and on port 11 (PC2), because ARP packets coming from PC2 have an entry for ARP Untrusted port 11 that matches the IP-MAC from the DHCP binding table.

Next, make a link-down/link-up for port 11 (PC2) or change PC2’s IP address to a static one, and set port 10 (PC1) as ARP Untrusted. Clear the ARP cache on both PCs and the DHCP server. Attempt to start communication (use ping) between PCs or between the PCs and the DHCP server. The PCs and DHCP server are unable to communicate with one another.
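The DHCP snooping and dynamic ARP inspection decisions that the two layer 2 examples walk through, replayed as an added Python model; this is not Nortel code and not the switch implementation, only the trusted/untrusted rules the text states, applied to the same topology (DHCP server on port 1, PC1 on port 10, PC2 on port 11, VLAN 1). PC2's binding is the one shown in the binding table above; PC1's MAC and address, a third client on port 12 and the rogue-reply values are constructed.

```python
# Added example, not part of the Nortel manual: model of the DHCP snooping
# and dynamic ARP inspection forwarding rules described in this chapter,
# replayed over the Layer 2 configuration example. Constructed values are
# marked; PC2's MAC, IP and lease come from the binding table shown above.
from dataclasses import dataclass, field

PC1_MAC = "00-02-44-ab-2d-f5"   # constructed
PC2_MAC = "00-02-44-ab-2d-f4"   # from the binding table output above
PC3_MAC = "00-02-44-ab-2d-f6"   # constructed third client on port 12


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vid: int
    port: int


@dataclass
class Switch:
    """Per-VLAN and per-port state that the NNCLI commands in this chapter set."""
    dhcp_snooping_vlans: set = field(default_factory=set)   # ip dhcp-snooping vlan <id>
    dhcp_trusted: set = field(default_factory=set)          # ip dhcp-snooping port <p> trusted
    arp_inspection_vlans: set = field(default_factory=set)  # ip arp-inspection vlan <id>
    arp_trusted: set = field(default_factory=set)           # ip arp-inspection port <p> trusted
    bindings: dict = field(default_factory=dict)            # (vid, mac) -> Binding

    def dhcp_reply(self, in_port, vid, client_port, client_mac, client_ip, lease):
        """A DHCP ACK enters on in_port for the client behind client_port.

        With snooping off on the VLAN the reply is forwarded regardless of
        trust; with it on, only replies from DHCP-trusted ports are forwarded,
        and a forwarded lease creates a binding only for an untrusted client port.
        """
        if vid in self.dhcp_snooping_vlans:
            if in_port not in self.dhcp_trusted:
                return "drop"
            if client_port not in self.dhcp_trusted:
                self.bindings[(vid, client_mac)] = Binding(
                    client_mac, client_ip, lease, vid, client_port)
        return "forward"

    def arp_packet(self, in_port, vid, sender_mac, sender_ip):
        """ARP on an ARP-untrusted port must match a binding's MAC, IP and port."""
        if vid not in self.arp_inspection_vlans or in_port in self.arp_trusted:
            return "forward"
        b = self.bindings.get((vid, sender_mac))
        if b is not None and b.ip == sender_ip and b.port == in_port:
            return "forward"
        return "drop"


def layer2_example():
    """Replay the chapter's example and return each forwarding decision."""
    sw = Switch()
    sw.dhcp_snooping_vlans.add(1)          # ip dhcp-snooping vlan 1
    sw.dhcp_trusted.update({1, 10})        # ip dhcp-snooping port 1,10 trusted
    sw.arp_inspection_vlans.add(1)         # ip arp-inspection vlan 1
    sw.arp_trusted.update({1, 10})         # ip arp-inspection port 1,10 trusted
    r = {}
    # The real server on port 1 leases addresses to PC2 (port 11) and PC1 (port 10).
    r["ack_pc2"] = sw.dhcp_reply(1, 1, 11, PC2_MAC, "192.168.1.10", 86460)
    r["ack_pc1"] = sw.dhcp_reply(1, 1, 10, PC1_MAC, "192.168.1.11", 86460)
    r["bound_ports"] = sorted(b.port for b in sw.bindings.values())  # PC2 only
    # A DHCP reply sourced from untrusted port 11 is filtered ...
    r["rogue_from_11"] = sw.dhcp_reply(11, 1, 12, PC3_MAC, "192.168.1.99", 3600)
    # ... but the same reply from PC1's DHCP-trusted port 10 is forwarded:
    # the hole the text points out when a client sits on a trusted port.
    r["rogue_from_10"] = sw.dhcp_reply(10, 1, 12, PC3_MAC, "192.168.1.99", 3600)
    # ARP: PC1 passes because port 10 is ARP trusted; PC2 passes on its binding.
    r["arp_pc1_trusted"] = sw.arp_packet(10, 1, PC1_MAC, "192.168.1.11")
    r["arp_pc2_bound"] = sw.arp_packet(11, 1, PC2_MAC, "192.168.1.10")
    # Make port 10 ARP untrusted: PC1 has no binding, so its ARP is dropped,
    # and PC2 on a static address no longer matches its binding.
    sw.arp_trusted.discard(10)
    r["arp_pc1_untrusted"] = sw.arp_packet(10, 1, PC1_MAC, "192.168.1.11")
    r["arp_pc2_static"] = sw.arp_packet(11, 1, PC2_MAC, "192.168.1.50")
    return r


if __name__ == "__main__":
    for name, decision in layer2_example().items():
        print(f"{name:20} {decision}")
```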

IP Source Guard configuration using NNCLI

This section describes how you configure IP Source Guard using the Nortel Networks Command Line Interface (NNCLI).


ATTENTION
Nortel recommends that you do not enable IP Source Guard on trunk ports.

ATTENTION
Nortel recommends that you carefully manage the number of applications running on the Ethernet Routing Switch 4500 that use filters. For example, if you configure NSNA on ports and attempt to configure IP Source Guard on those same ports, the IP Source Guard configuration can fail due to the limited number of filters available.

Prerequisites

Before you can configure IP Source Guard, you must ensure the following:

• Dynamic Host Configuration Protocol (DHCP) snooping is globally enabled. For information, see “Enabling DHCP snooping globally” (page 199).

• The port is a member of a Virtual LAN (VLAN) configured with DHCP snooping and dynamic Address Resolution Protocol (ARP) Inspection.

• The port is an untrusted DHCP snooping and dynamic ARP Inspection port.

• The bsSourceGuardConfigMode MIB object exists. This MIB object is used to control the IP Source Guard mode on an interface.

• The following applications are not enabled:

— Baysecure

— Extensible Authentication Protocol over LAN (EAPOL)

ATTENTION
Hardware resources can run out if IP Source Guard is enabled on trunk ports with a large number of VLANs that have DHCP snooping enabled. If this happens, traffic sending can be interrupted for some clients. Nortel recommends that IP Source Guard not be enabled on trunk ports.

IP Source Guard configuration using NNCLI navigation

• “Enabling IP Source Guard using NNCLI” (page 211)

• “Viewing IP Source Guard port configuration information using NNCLI” (page 212)

• “Viewing IP Source Guard-allowed addresses using NNCLI” (page 213)

• “Disabling IP Source Guard using NNCLI” (page 214)

Enabling IP Source Guard using NNCLI

Enable IP Source Guard to add a higher level of security to the desired port by preventing IP spoofing.


ATTENTION
The IP addresses are obtained from DHCP snooping binding table entries defined automatically for the port. A maximum of 10 IP addresses from the binding table are allowed. The rest are dropped.
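IP Source Guard as this section describes it, written out as an added Python model that is not Nortel's code: the port's allowed source addresses are taken from the DHCP snooping binding table, capped at 10, and the prerequisites listed above (snooping and ARP inspection on the VLAN, port untrusted for both) are checked before the filter is built. Binding rows, port numbers and addresses are constructed.

```python
# Added example, not part of the Nortel manual: a model of the IP Source
# Guard filter this section describes. Binding table rows, ports and
# addresses below are constructed to exercise the 10-address cap.
from dataclasses import dataclass

MAX_GUARDED_ADDRESSES = 10   # "A maximum of 10 IP addresses ... are allowed"

# Constructed binding table: (mac, ip, lease_sec, vid, port). Port 11 holds
# twelve leases so the cap is exercised; port 12 holds one.
BINDINGS = [
    (f"00-02-44-ab-2d-{i:02x}", f"192.168.1.{10 + i}", 86400, 1, 11)
    for i in range(12)
] + [("00-02-44-ab-2e-01", "192.168.1.40", 86400, 1, 12)]


@dataclass
class Port:
    number: int
    vid: int
    dhcp_trusted: bool = False   # all ports are DHCP untrusted by default
    arp_trusted: bool = False    # all ports are ARP untrusted by default


def enable_ip_source_guard(port, snooping_vlans, arp_vlans, bindings):
    """Return the set of source IPs the port may send from (ip verify source).

    Raises ValueError when a prerequisite from this section is not met: the
    port's VLAN must have DHCP snooping and dynamic ARP inspection enabled,
    and the port must be untrusted for both.
    """
    if port.vid not in snooping_vlans or port.vid not in arp_vlans:
        raise ValueError(f"VLAN {port.vid} lacks DHCP snooping or ARP inspection")
    if port.dhcp_trusted or port.arp_trusted:
        raise ValueError(f"port {port.number} must be DHCP and ARP untrusted")
    leases = [ip for (_mac, ip, _lease, vid, p) in bindings
              if vid == port.vid and p == port.number]
    # Only the first 10 binding entries become allowed addresses; the rest drop.
    return set(leases[:MAX_GUARDED_ADDRESSES])


def filter_ip_packet(allowed, src_ip):
    """Forward only packets whose source IP is in the port's allowed set."""
    return "forward" if src_ip in allowed else "drop"


if __name__ == "__main__":
    allowed = enable_ip_source_guard(Port(11, 1), {1}, {1}, BINDINGS)
    print(sorted(allowed))
    # A host on port 11 using port 12's leased address is dropped as spoofed.
    print(filter_ip_packet(allowed, "192.168.1.40"))
```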

Prerequisites

• Log on to the Ethernet, FastEthernet, or GigabitEthernet Interface Configuration mode in NNCLI.

Procedure steps

Step Action

1 Enable IP Source Guard by using the following command:

ip verify source [interface {[<interface type>] [<interface id>]}]

--End--

Variable definitions

The following table defines variables that you enter with the ip verify source [interface {[<interface type>] [<interface id>]}] command.

Variable  Value

<interface id>  Identifies the ID of the interface on which you want IP Source Guard enabled.

<interface type>  Identifies the interface on which you want IP Source Guard enabled.

Viewing IP Source Guard port configuration information using NNCLI

To view IP Source Guard port configuration information, use the following procedure.

Prerequisites

• Log on to the Privileged Exec mode in NNCLI.


Procedure steps

Step Action

1 View IP Source Guard port configuration information by using the following command:

show ip verify source [interface {[<interface type>] [<interface id>]}]

--End--

Variable definitions

The following table defines variables that you enter with the show ip verify source [interface {[<interface type>] [<interface id>]}] command.

Variable  Value

<interface id>  Identifies the ID of the interface for which you want to view IP Source Guard information.

<interface type>  Identifies the interface for which you want to view IP Source Guard information.

Viewing IP Source Guard-allowed addresses using NNCLI

View IP Source Guard-allowed addresses to display a single IP address or a group of IP addresses that IP Source Guard allowed.

Prerequisites

• Log on to the Privileged Exec mode in NNCLI.

Procedure steps

Step Action

1 View IP Source Guard-allowed addresses by using the following command:

show ip source binding [<A.B.C.D>] [interface {[<interface type>] [<interface id>]}]

--End--


Variable definitions

The following table defines variables that you enter with the show ip source binding [<A.B.C.D>] [interface {[<interface type>] [<interface id>]}] command.

Variable  Value

<A.B.C.D>  Identifies the IP address or group of addresses that IP Source Guard allowed.

<interface id>  Identifies the ID of the interface for which you want IP Source Guard-allowed addresses displayed.

<interface type>  Identifies the type of interface for which you want IP Source Guard-allowed addresses displayed.

Disabling IP Source Guard using NNCLI

Disable IP Source Guard to allow all IP traffic to go through without being filtered by following this procedure.

Prerequisites

• Log on to the Ethernet, FastEthernet, or GigabitEthernet Interface Configuration mode in NNCLI.

Procedure steps

Step Action

1 Disable IP Source Guard by using the following command:

no ip verify source [interface {[<interface type>] [<interface id>]}]

--End--

Variable definitions

The following table defines variables that you enter with the no ip verify source [interface {[<interface type>] [<interface id>]}] command.


Variable  Value

<interface id>  Identifies the ID of the interface on which you want IP Source Guard disabled.

<interface type>  Identifies the interface on which you want IP Source Guard disabled.

RADIUS Request use Management IP configuration using NNCLI

You can enable or disable the use of the Management VLAN IP address by RADIUS requests, using NNCLI.

RADIUS Request use Management IP configuration using NNCLI navigation

• “Enabling the RADIUS Request use Management IP” (page 215)

• “Disabling the RADIUS Request use Management IP” (page 215)

• “Setting the RADIUS Request use Management IP to default mode” (page 216)

Enabling the RADIUS Request use Management IP

Perform this procedure to enable RADIUS requests to use the Management VLAN IP address.

Prerequisites

• Log on to the Global configuration mode.

Procedure steps

Step Action

1 To enable RADIUS Request use Management IP, enter the following command:

radius use-management-ip

2 To verify the settings, enter the following command:

show radius use-management-ip

--End--

Disabling the RADIUS Request use Management IP

Perform this procedure to disable RADIUS requests from using the Management VLAN IP address.


Prerequisites

• Log on to the Global configuration mode.

Procedure steps

Step Action

1 To disable the RADIUS Request use Management IP, enter the following command:

no radius use-management-ip

2 To verify the settings, enter the following command:

show radius use-management-ip

--End--

Setting the RADIUS Request use Management IP to default mode

Perform this procedure to set the RADIUS Request use Management IP to default mode.

Prerequisites

• Log on to the Global configuration mode.

Procedure steps

Step Action

1 To set the RADIUS Request use Management IP to default mode, enter the following command:

default radius use-management-ip

2 To verify the settings, enter the following command:

show radius use-management-ip

--End--


Configuring and managing security using the Web-based management interface

This chapter describes the methods and procedures necessary to configure security on the Ethernet Routing Switch 4500 Series using the Web-based management interface. This chapter contains the following topics:

• “Setting user access limitations” (page 217)

• “Configuring EAPOL-based security” (page 217)

• “Configuring MAC address-based security” (page 219)

• “Configuring IP Manager” (page 227)

• “Configuring SNMP using the Web-based management interface” (page 228)

• “IP Source Guard configuration using the Web-based management interface” (page 247)

• “Configuring TACACS+ using the Web-based management interface” (page 250)

• “RADIUS Request use Management IP configuration using Web-based Management” (page 253)

Setting user access limitations

For a complete explanation of the configuration and management of user access limitations using the Web-based Management interface, see the Nortel Ethernet Routing Switch 4500 Series Overview – System Configuration (NN47205-500).

Configuring EAPOL-based security

Use the following procedure to configure and manage the Extensible Authentication Protocol over LAN (EAPOL) security with the Web-based Management interface.


ATTENTION
You must enable EAPOL before you enable UDP Forwarding, IP Source Guard, and other features that use QoS policies.

To configure EAPOL-based security, perform the following steps:

Step Action

1 Open the EAPOL Security Configuration screen by selecting Applications, EAPOL Security.

2 In the EAPOL Administrative State Setting section, select either Enabled or Disabled from the EAPOL Administrative State list. This enables or disables EAPOL security configuration.

3 Click Submit immediately under the EAPOL Administrative State Setting section.

4 In the EAPOL Security Setting section, use the fields provided to configure the EAPOL security for the desired ports. Not all ports are displayed in the EAPOL Security Setting section. Links to those ports not listed are provided at the bottom of the screen. Table 79 "EAPOL Security Setting fields" (page 218) outlines the fields on this screen.

Table 79 EAPOL Security Setting fields

Field  Description

Port  Displays the port number.

Initialize  Setting this attribute to Yes causes this port’s EAPOL state to be initialized.

Administrative Status  Allows you to set the EAPOL authorization status:

• Force Unauthorized - Always unauthorized

• Auto - Status depends on EAP authentication results

• Force Authorized - Always authorized

Operational Status  Displays the current authorization status.

Administrative Traffic Control  Allows EAPOL authentication to be set for either incoming and outgoing traffic or for incoming traffic only.

Operational Traffic Control  Displays the current administrative traffic control setting.


Table 79 EAPOL Security Setting fields (cont’d.)

Field  Description

Re-authenticate Now  Allows EAPOL authentication to be activated immediately without waiting for the reauthentication period to expire.

Re-authentication  Allows EAPOL authentication to be repeated according to the time value specified in the Re-authentication Period field.

Re-authentication Period  With Re-authentication enabled, allows the time period to be specified between successive EAPOL authentications.

Quiet Period  Allows the time interval to be specified between an authentication failure and the start of a new authentication attempt.

Transmit Period  Specifies how long the switch waits for the supplicant to respond to EAP Request/Identity packets.

Supplicant Timeout  Specifies how long the switch waits for the supplicant to respond to all EAP packets, except EAP Request/Identity packets.

Server Timeout  Specifies how long the switch waits for the RADIUS server to respond to all EAP packets.

Maximum Requests  Specifies the number of times the switch attempts to resend EAP packets to a supplicant.

5 Click Submit immediately under the EAPOL Security Setting section.

--End--

Configuring MAC address-based security

The following sections outline how to configure and manage MAC Address-based security in the Web-based Management interface.

Security Configuration

To configure the MAC Address-based security, perform the following procedure:


Step Action

1 Open the Security Configuration screen by selecting Applications, MAC Address Security, Security Configuration.

2 The MAC Address Security Setting section is used to configure the security settings. Use the fields in this section to perform initial configuration. The fields in this section are outlined in Table 80 "MAC Address Security Setting fields" (page 220).

Table 80 MAC Address Security Setting fields

Field  Description

MAC Address Security  Enables the MAC address security features. The default value is Disabled.

MAC Address Security SNMP-Locked  Enables locking SNMP, so that you cannot use SNMP to modify the MAC address security features. The default value is Disabled.

Partition Port on Intrusion Detected  Configures how the switch reacts to an intrusion event:

• Forever - The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses.

• Enabled - The port is disabled, and then automatically reset to enabled after the time specified in the Partition Time field elapses.

• Disabled - The port remains enabled, even if an intrusion event is detected.

The default value is Disabled.


Table 80 MAC Address Security Setting fields (cont’d.)

Field  Description

Partition Time  Sets the time to partition a port on intrusion.

ATTENTION
Use this field only if the Partition Port on Intrusion Detected field is set to Enabled.

There is no default for this field.

DA Filtering on Intrusion Detected  Enables isolation of the intruding node. The default value is Disabled.

MAC Auto-Learning Aging Time  Specify the MAC address age-out time, in seconds, for the autolearned MAC addresses. The default value is 60 minutes.

Generate SNMP Trap on Intrusion  Enables generation of an SNMP trap when an intrusion is detected. The default value is Disabled.

3 Click Submit immediately under the MAC Address Security Setting section.

4 The MAC Security Table section is used to clear ports from participation or allow ports to learn MAC Addresses.

a To clear ports from MAC Address security participation, follow this procedure:

• In the Clear by Ports row, click the button in the Action column. This opens the Ports List View screen. Uncheck the ports to be cleared from participation.

• Click Submit.

b To allow ports to learn MAC Addresses, follow this procedure:

• In the Learn by Ports row, click the button in the Action column. This opens the Ports List View screen. Select the ports that will participate in MAC Address learning.

• Click Submit.


5 Set the state of port learning by selecting a value from the Current Learning Mode list.

6 Click Submit under the MAC Security Table section.

--End--

Enabling Port Security

To enable MAC security on a port, follow this procedure:

Step Action

1 Open the Port Configuration screen by selecting Applications, MAC Address Security, Port Configuration.

2 Select the options from the lists that enable the MAC security to be set for that port. Table 81 "Port Configuration fields" (page 222) outlines the fields on this screen.

Table 81 Port Configuration fields

Field  Description

Security  Enables or disables MAC security on this port. The default value is Disabled.

Auto-Learning  Enables or disables autolearning of MAC addresses on this port. The default value is Disabled.

MAC Address Number  Sets the maximum number of MAC addresses this port can learn. The default value is 2.

3 Click Submit.

--End--

Port Lists

To add or delete ports in a list, follow this procedure:


Step Action

1 Open the Port Lists screen by selecting Applications, MAC Address Security, Port Lists in the menu.

2 Click the button in the Action column of the row containing the list to be edited.

3 A Port Lists screen similar to the one illustrated in appears. Select the ports to add to the list or uncheck those ports that are to be removed from the list.

4 Click Submit.

--End--

The Port Lists screen re-appears with the new port list displayed.

Adding MAC Addresses

To add a MAC Address to the MAC Address-based security, follow this procedure:

Step Action

1 Open the Security Table screen by selecting Applications, MAC Address Security, Security Table.

2 In the MAC Address Security Table Entry Creation section, enter the MAC address information to enter in the table. Table 82 "MAC Address Security Table Entry Creation fields" (page 223) outlines the fields in this section.

Table 82 MAC Address Security Table Entry Creation fields

Field  Description

MAC Address  Enter the MAC address that is allowed access to the switch.

Allowed Source - Port  Select the port through which the MAC address is allowed.

Allowed Source - Entry  Select the port list through which the MAC address is allowed.

3 Click Submit.

--End--


DA MAC Filtering

To drop all packets from a specified MAC destination address (DA), perform these tasks:

Step Action

1 Open the DA MAC Filtering screen by selecting Applications, MAC Address Security, DA MAC Filtering.

2 Enter the MAC Address in the DA MAC Address field.

3 Click Submit.

--End--

Deleting MAC DAs

To delete a MAC DA:

Step Action

1 Open the DA MAC Filtering screen by selecting Applications, MAC Address Security, DA MAC Filtering.

2 In the Destination MAC Address Filtering Table, click Delete to delete the entry.

A message is displayed prompting for confirmation of the request.

3 Click Yes to delete the MAC DA.

--End--

Configuring RADIUS security

Use the following procedure to configure and manage RADIUS-based security with the Web-based Management interface.

Step Action

1 Browse to Administration, Security, RADIUS.

The RADIUS Authentication Setting dialog box appears.

2 Enter the configuration settings for the RADIUS server and RADIUS authentication in the corresponding fields.


3 Click Submit.

--End--

Variable definitions

Use the information in this table to complete the procedure.

Field  Description

RADIUS Password Fallback  Allows you to log on to the switch or stack by using the local password, if the RADIUS server is unavailable for authentication.

Primary RADIUS server  Specifies the IP address of the primary RADIUS server.

Secondary RADIUS server  Specifies the IP address of the secondary RADIUS server. The secondary server is used only if the primary server does not respond.

UDP RADIUS port  Specifies the UDP port for RADIUS. The range is 0-65535. The default is 1812.

RADIUS Timeout Period  Specifies the number of seconds before the service request times out. RADIUS allows three retries for each server (primary and secondary). The range of the timeout interval is 1 to 60. The default is 2.

RADIUS Shared Secret  Specifies the secret authentication and encryption key used for all communications between the NAS and the RADIUS server. The shared secret must be the same as the one defined on the server.

RADIUS Accounting  Enables or disables RADIUS Accounting on this server.

RADIUS Accounting Port  Specifies the UDP port the client uses to send accounting requests to this server. The default value is 1813.

RADIUS Use Mgmt IP  Controls whether RADIUS uses the management IP address of the system as the source address for RADIUS requests.

Job aid

The following table is an example of the RADIUS accounting record after you log on through the console.


QUESTION FOR REVIEWER: [The following outputs were not tested on the switch. Sneha Ramdas 20090227]

RADIUS attribute  Details

Thu Feb 21 17:17:23 2008
NAS-IP-Address  10.10.44.5
NAS-Port-Type  Async
NAS-Port  1
Service-Type  Administrative-User
User-name  "bsrw"
Acct-Status-Type  Start
Client-IP-Address  10.10.44.5
Timestamp  1203610643

Job aid

The following table is an example of the RADIUS accounting record after you log off through the console.

RADIUS attribute  Details

Thu Feb 21 17:17:23 2008
NAS-IP-Address  10.10.44.5
NAS-Port-Type  Async
NAS-Port  1
Service-Type  Administrative-User
User-name  "bsrw"
Acct-Status-Type  Stop
Acct-Terminate-Cause  Normal-Logout
Client-IP-Address  10.10.44.5
Timestamp  1203610743

Job aid

The following table is an example of the RADIUS accounting record after you log on through telnet IPv4.

RADIUS attribute  Details

Thu Feb 21 17:17:23 2008
NAS-IP-Address  10.10.44.5
NAS-Port-Type  Virtual
NAS-Port  IPv4
Service-Type  Administrative-User
User-name  "bsrw"
Acct-Status-Type  Start
Client-IP-Address  10.10.44.5
Timestamp  1203610643

Job aid

The following table is an example of the RADIUS accounting record during telnet IPv4 timeout.

RADIUS attribute  Details

Thu Feb 21 17:17:23 2008
NAS-IP-Address  10.10.44.5
NAS-Port-Type  Virtual
NAS-Port  IPv4
Service-Type  Administrative-User
User-name  "bsrw"
Acct-Status-Type  Stop
Acct-Terminate-Cause  Idle-timeout-expired
Client-IP-Address  10.10.44.5
Timestamp  1203610743
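To show how the Start and Stop records in these job aids pair into management sessions on a collector, here is an added Python example (not from the Nortel manual): it parses records in the same attribute/value layout, matches each Stop to the earliest unmatched Start for the same user, NAS address and port, and reports duration, terminate cause, sessions still open, and Stops with no Start. The sample text re-types the console and telnet records above plus one constructed Start with no Stop; the pairing key is an assumption.

```python
"""Pair RADIUS accounting Start/Stop records into management sessions.

Added example, not from the Nortel manual. The sample re-types the console
and telnet job-aid records above (Service-Type and Client-IP-Address lines
omitted) and adds one constructed Start for user "ops1" with no Stop.
Keying a session on (user, NAS IP, NAS-Port-Type, NAS-Port) is an assumption.
"""
from collections import defaultdict

SAMPLE_RECORDS = """\
NAS-IP-Address 10.10.44.5
NAS-Port-Type Async
NAS-Port 1
User-name "bsrw"
Acct-Status-Type Start
Timestamp 1203610643

NAS-IP-Address 10.10.44.5
NAS-Port-Type Async
NAS-Port 1
User-name "bsrw"
Acct-Status-Type Stop
Acct-Terminate-Cause Normal-Logout
Timestamp 1203610743

NAS-IP-Address 10.10.44.5
NAS-Port-Type Virtual
NAS-Port IPv4
User-name "bsrw"
Acct-Status-Type Start
Timestamp 1203610643

NAS-IP-Address 10.10.44.5
NAS-Port-Type Virtual
NAS-Port IPv4
User-name "bsrw"
Acct-Status-Type Stop
Acct-Terminate-Cause Idle-timeout-expired
Timestamp 1203610743

NAS-IP-Address 10.10.44.5
NAS-Port-Type Virtual
NAS-Port IPv4
User-name "ops1"
Acct-Status-Type Start
Timestamp 1203620000
"""


def parse_records(text):
    """Split blank-line separated records into dicts; quotes are stripped."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.strip().partition(" ")
            if attr:
                rec[attr] = value.strip().strip('"')
        records.append(rec)
    return records


def session_key(rec):
    """Identity of a management session: who, on which NAS, on which port."""
    return (rec.get("User-name"), rec.get("NAS-IP-Address"),
            rec.get("NAS-Port-Type"), rec.get("NAS-Port"))


def pair_sessions(records):
    """Match each Stop to the earliest unmatched Start with the same key.
    Returns (sessions, open_starts, orphan_stops); an orphan Stop has no
    Start on record, which points at missing accounting data."""
    pending = defaultdict(list)
    sessions, orphan_stops = [], []
    for rec in sorted(records, key=lambda r: int(r["Timestamp"])):
        key, status = session_key(rec), rec.get("Acct-Status-Type")
        if status == "Start":
            pending[key].append(rec)
        elif status == "Stop":
            if not pending[key]:
                orphan_stops.append(rec)
                continue
            start = pending[key].pop(0)
            sessions.append({
                "user": key[0], "nas_ip": key[1], "port_type": key[2],
                "port": key[3], "start": int(start["Timestamp"]),
                "stop": int(rec["Timestamp"]),
                "duration": int(rec["Timestamp"]) - int(start["Timestamp"]),
                "cause": rec.get("Acct-Terminate-Cause"),
            })
    open_starts = [r for starts in pending.values() for r in starts]
    return sessions, open_starts, orphan_stops


def idle_timeouts(sessions):
    """Sessions the switch closed itself rather than by an explicit logout."""
    return [s for s in sessions if s["cause"] == "Idle-timeout-expired"]
```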

Configuring IP Manager

IP Manager is enabled to specify up to 50 IP addresses or address ranges that have access to the switch or the stack.

To configure SNMP for remote access, use the following procedure:

Step Action

1 From the Web page main menu, select Configuration. The Configuration menu appears.

2 From the Configuration menu, select Remote Access. The Configuration, Remote Access page opens.

3 In the Remote Access Settings window, for the SNMP field, select the value Allowed from the list.

4 Click Submit.


5 In the Allowed Source IP and Subnet Mask window, enter the IP address in Allowed Source IP and the mask in Allowed Source Mask. Use the fields in this section to enter the IP addresses. The fields in this section are described in Table 83 "Allowed Source IP and Subnet Mask Settings" (page 228).

Table 83 Allowed Source IP and Subnet Mask Settings

Parameter  Description

Allowed Source IP  Specifies the source IP address from which access is allowed. Enter the IP address in dotted-decimal notation.

Allowed Source mask  Specifies the subnet mask from which access is allowed. Enter the IP mask in dotted-decimal notation.

6 Click Submit.

--End--

Configuring SNMP using the Web-based management interface

This section describes the SNMP configuration procedures available in the Web-based management interface.

ATTENTION
If you access the system remotely (other than console connection), ensure that you configure the remote access settings for SNMP.

The SNMP server name is intentionally truncated on the console to provide enhanced user experience. The full SNMP server name appears on the Web interface.

To configure SNMP for remote access, use the following procedure:

Step Action

1 From the Web page main menu, select Configuration. The Configuration menu appears.

2 From the Configuration menu, select Remote Access. The Configuration, Remote Access page opens.

3 In the Remote Access Settings window, in the SNMP box, select Allowed.

4 Click Submit.

--End--


Configuring SNMPv1

You can configure SNMPv1 read-write and read-only community strings, enable or disable trap mode settings, and enable or disable the Autotopology feature. The Autotopology feature, when enabled, performs a process that recognizes devices on the managed network and defines and maps their relation to other network devices in real time.

To configure the community string, trap mode, and Autotopology settings and features:

Step Action

1 Open the SNMPv1 screen by selecting Configuration, SNMPv1.

Table 84 "SNMPv1 screen items" (page 229) describes the items on the SNMPv1 screen.

Table 84 SNMPv1 screen items

Section  Item  Range  Description

Community String Setting  Read-Only Community String  1 to 32  Type a character string to identify the community string for the SNMPv1 read-only community; for example, public or private. The default value is public.

Community String Setting  Read-Write Community String  1 to 32  Type a character string to identify the community string for the SNMPv1 read-write community; for example, public or private. The default value is private.

Trap Mode Setting  Authentication Trap  (1) Enabled (2) Disabled  Choose to enable or disable the authentication trap.

AutoTopology Setting  AutoTopology  (1) Enabled (2) Disabled  Choose to enable or disable the Autotopology feature.

2 Type information in the text boxes, or select from a list.

3 Click Submit to save the changes.

--End--


Configuring SNMPv3

This section describes the steps to build and manage SNMPv3 in the Web-based management user interface.

To use SNMPv3 on the switch you must do the following:

• create an SNMPv3 user, see "Creating an SNMPv3 system user configuration" (page 232)

• create a group membership, see "Mapping an SNMPv3 system user to a group" (page 235)

• configure group access, see "Creating an SNMPv3 group access rights configuration" (page 236)

When you have completed these tasks, log into Device Manager using the Open Device page.

On the Open Device page, do the following:

• Enter the Device Name in the Device Name box.

• Select the v3 Enabled box.

• Enter the SNMPv3 user name in the User Name box.

• Click Open.

The switch opens with SNMPv3 enabled.

Viewing SNMPv3 system information

You can view information about the SNMPv3 engine and the privacy protocols it supports in the network configuration. You can also view counters of packets received by the system with particular errors, such as unavailable contexts, unknown contexts, decryption errors, or unknown user names.

To view SNMPv3 system information:

Step Action

1 Open the System Information screen by selecting Configuration, SNMPv3, System Information.

--End--

Table 85 "System Information section fields" (page 231) describes the fields on the System Information section of the SNMPv3 System Information screen.


Table 85 System Information section fields

Item  Description

SNMP Engine ID  The SNMP engine identification number.

SNMP Engine Boots  The number of times that the SNMP engine has re-initialized itself since its initial configuration.

SNMP Engine Time  The number of seconds since the SNMP engine last incremented the snmpEngineBoots object.

SNMP Engine Maximum Message Size  The maximum length, in octets, of an SNMP message which this SNMP engine can send or receive, and process. This is determined as the minimum of the maximum message size values supported among all transports available to, and supported by, the engine.

SNMP Engine Dialects  The SNMP dialects the engine recognizes. The dialects are: SNMPv1, SNMPv2C, and SNMPv3.

Authentication Protocols Supported  The registration point for standards-track authentication protocols used in SNMP Management Frameworks. The registration points are: None, HMAC MD5, HMAC SHA.

Private Protocols Supported  The registration point for standards-track privacy protocols used in SNMP Management Frameworks. The registration points are: DES, AES, 3DES, or None.

Table 86 "SNMPv3 Counters section fields" (page 231) describes the fields on the SNMPv3 Counters section of the SNMPv3 System Information screen.

Table 86 SNMPv3 Counters section fields

Item  Description

Unavailable Contexts  The total number of packets dropped by the SNMP engine because the context contained in the message was unavailable.

Unknown Contexts  The total number of packets dropped by the SNMP engine because the context contained in the message was unknown.

Unsupported Security Levels  The total number of packets dropped by the SNMP engine because they requested a security level that was unknown to the SNMP engine or otherwise unavailable.

Not in Time Windows  The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP engine window.

Unknown User Names  The total number of packets dropped by the SNMP engine because they referenced an unknown user.

Unknown Engine IDs  The total number of packets dropped by the SNMP engine because they referenced an snmpEngineID that was not known to the SNMP engine.

Wrong Digests  The total number of packets dropped by the SNMP engine because they did not contain the expected digest value.

Decryption Errors  The total number of packets dropped by the SNMP engine because they cannot be decrypted.

Configuring user access to SNMPv3

You can view the security parameters of all current SNMPv3 users, such as their authentication and privacy protocols, and you can create and delete SNMPv3 system user configurations.

Creating an SNMPv3 system user configuration

To create an SNMPv3 system user configuration:

Step Action

1 Open the User Specification screen by selecting Configuration, SNMPv3, User Specification.

Table 87 "User Specification Table section items" (page 232) describes the items on the User Specification Table section of the User Specification screen.

Table 87 User Specification Table section items

Item and MIB association  Description

Delete  Deletes the row.

User Name (usmUserSecurityName)  The name of an existing SNMPv3 user.

Authentication Protocol (usmUserAuthProtocol)  Indicates whether the message sent on behalf of this user to or from the SNMP engine identified by usmUserEngineID can be authenticated by the MD5 and SHA authentication protocols.

Private Protocol (usmUserPrivProtocol)  Displays whether or not messages sent on behalf of this user to or from the SNMP engine identified by usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol that is used.

Entry Storage  The current storage type for this row. If Volatile is displayed, information is dropped (lost) when you turn the power off. If Non Volatile is displayed, information is saved in NVRAM when you turn the power off.

Table 88 "User Specification Creation section items" (page 233) describes the items on the User Specification Creation section of the User Specification screen.

Table 88 User Specification Creation section items

Item and MIB association  Range  Description

User Name  1..32  Type a string of characters to create an identity for the user.

Authentication Protocol (usmUserAuthProtocol)  None, MD5, SHA  Choose whether or not the message sent on behalf of this user to or from the SNMP engine identified by usmUserEngineID can be authenticated with the selected protocol (MD5 or SHA).

Authentication Passphrase (usmUserAuthPassword)  1..32  Type a string of characters to create a password to use in conjunction with the authentication protocol.

Privacy Protocol  (1) None (2) 3DES (3) AES (4) DES  Choose the privacy protocol you want to use.

Privacy Passphrase  Must be at least 8 characters long  Enter a string of at least 8 characters to create the passphrase. This passphrase is used to generate an encryption key for the user.

Entry Storage (usmUserStorageType)  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the User Specification Creation Table section, Action column, type information in the text boxes, or select from a list.

3 Click Submit.

The new configuration is displayed in the User Specification Table.

--End--

Deleting an SNMPv3 system user configuration

To delete an existing SNMPv3 user configuration:

Step Action

1 Open the User Specification screen by selecting Configuration, SNMPv3, User Specification.

2 In the User Specification Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

--End--


Configuring an SNMPv3 system user group membership

You can view existing SNMPv3 group membership configurations, map an SNMPv3 user to a group, or delete such a mapping.

Mapping an SNMPv3 system user to a group

To map an SNMPv3 system user to a group:

Step Action

1 Open the Group Membership screen by selecting Configuration, SNMPv3, Group Membership.

Table 89 "Group Membership screen items" (page 235) describes the items on the Group Membership screen.

Table 89 Group Membership screen items

Item and MIB association  Range  Description

Delete  Deletes the row.

Security Name (vacmSecurityToGroupStatus)  1..32  Type a string of characters to create a security name for the principal that is mapped by this entry to a group name.

Security Model (vacmSecurityToGroupStatus)  (1) SNMPv1 (2) SNMPv2c (3) USM  Choose the security model within which the security-name-to-group-name mapping is valid.

Group Name (vacmGroupName)  1 to 32  Type a string of characters to specify the group name.

Entry Storage (vacmSecurityToGroupStorageType)  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Group Membership Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Group Membership Table.

--End--

Deleting an SNMPv3 group membership configuration

To delete an SNMPv3 group membership configuration:

Step Action

1 Open the Group Membership screen by selecting Configuration, SNMPv3, Group Membership.

2 In the Group Membership Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

ATTENTION
The Group Membership Table section of the Group Membership page contains hyperlinks to the SNMPv3 User Specification and Group Access Rights screens.

--End--

Configuring SNMPv3 group access rights

SNMPv3 group access rights configurations can be viewed, created, or deleted using the Web-based Management interface.

Creating an SNMPv3 group access rights configuration

To create a group SNMPv3 system-level access right configuration:

Step Action

1 Open the Group Access Rights screen by selecting Configuration, SNMPv3, Group Access Rights.


Table 90 "Group Access Rights screen items" (page 237) describes the items on the Group Access Rights screen.

Table 90 Group Access Rights screen items

Item and MIB association  Range  Description

Delete  Deletes the row.

Group Name (vacmAccessToGroupStatus)  1 to 32  Type a character string to specify the group name to which access is granted.

Security Model (vacmAccessSecurityModel)  (1) SNMPv1 (2) SNMPv2c (3) USM  Choose the security model to which access is granted.

Security Level (vacmAccessSecurityLevel)  (1) noAuthNoPriv (2) authNoPriv  Choose the minimum level of security required to gain the access rights allowed to the group.

Read View (vacmAccessReadViewName)  1 to 32  Type a character string to identify the MIB view of the SNMP context to which this entry authorizes read access.

Write View (vacmAccessWriteViewName)  1 to 32  Type a character string to identify the MIB view of the SNMP context to which this entry authorizes write access.

Notify View (vacmAccessNotifyViewName)  1 to 32  Type a character string to identify the MIB view to which this entry authorizes access to notifications.

Entry Storage (vacmSecurityToGroupStorageType)  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Group Access Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Group Access Table.

--End--


Deleting an SNMPv3 group access rights configuration

To delete an SNMPv3 group access rights configuration:

Step Action

1 Open the Group Access Rights screen by selecting Configuration, SNMPv3, Group Access Rights.

2 In the Group Access Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

ATTENTION
The Group Access Table section of the Group Access Rights screen contains hyperlinks to the Management Information View screen.

--End--

Configuring an SNMPv3 management information view

A table of existing SNMPv3 management information view configurations can be viewed, and SNMPv3 management information view configurations can be created or deleted.

ATTENTION
A view can consist of multiple entries in the table, each with the same view name, but a different view subtree.

Creating an SNMPv3 management information view configuration

To create an SNMPv3 management information view configuration:

Procedure

Step Action

1 Open the Management Info View screen by selecting Configuration, SNMPv3, Management Info View.

Table 91 "Management Information View screen items" (page 239) describes the items on the Management Information View screen.


Table 91 Management Information View screen items

Item and MIB association  Range  Description

Delete  Deletes the row.

View Name (vacmViewTreeFamilyViewName)  1 to 32  Type a character string to create a name for a family of view subtrees.

View Subtree (vacmViewTreeFamilySubtree)  X.X.X.X.X...  Type an object identifier (OID) to specify the MIB subtree that, when combined with the corresponding instance of vacmViewTreeFamilyMask, defines a family of view subtrees.

ATTENTION
If no OID is entered and the field is blank, a default mask value consisting of 1s is recognized.

View Mask (vacmViewTreeFamilyMask)  Octet String (0 to 16)  Type the bit mask which, in combination with the corresponding instance of vacmViewTreeFamilySubtree, defines a family of view subtrees.

View Type (vacmViewTreeFamilyType)  (1) Include (2) Exclude  Choose to include or exclude a family of view subtrees.

Entry Storage (vacmSecurityToGroupStorageType)  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Management Information Creation section, type information in the text boxes, or select from a list.

3 Click Submit.


The new entry appears in the Management Information Table.

--End--
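As an added example (not from the manual or the switch software), the following Python applies the View Subtree, View Mask and View Type semantics of Table 91 to decide whether an OID falls inside a named view, using the RFC 3415 rule that the matching entry with the longest subtree wins; it also covers the blank-mask case, which the table says defaults to all 1s. The view entries are constructed sample data, and giving the mask octet string as hex is an assumption about its encoding.

```python
"""SNMPv3 MIB view membership (RFC 3415 vacmViewTreeFamilyTable).

Added example, not from the Nortel manual or the switch software. It applies
the View Subtree / View Mask / View Type items of Table 91: an OID is in a
view when the longest matching family (ties: lexicographically greatest
subtree) has type Include. VIEW_ENTRIES is constructed sample data and the
mask is given as a hex string, which is an assumption about its encoding.
"""


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier of a subtree of the given length, MSB first.

    An empty mask, or one shorter than the subtree, is padded with 1s: every
    uncovered sub-identifier must match exactly. That is the 'default mask of
    1s' that Table 91 says applies when the field is left blank."""
    bits = []
    for octet in bytes.fromhex(mask_hex):
        bits.extend((octet >> (7 - i)) & 1 for i in range(8))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def family_matches(subtree, mask_hex, oid):
    """True when oid lies in the family defined by (subtree, mask): the oid is
    at least as long as the subtree and agrees with it on every sub-identifier
    whose mask bit is 1; a 0 bit is a wildcard (for example a table index)."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(b == 0 or s == o for b, s, o in zip(bits, subtree, oid))


def oid_in_view(entries, view_name, oid_text):
    """Decide view membership for one OID.

    entries: iterable of (view_name, subtree, mask_hex, 'Include'|'Exclude').
    The matching entry with the most sub-identifiers wins; on a tie the
    lexicographically greatest subtree wins; no match means not in view."""
    oid = parse_oid(oid_text)
    best = None
    for name, subtree_text, mask_hex, view_type in entries:
        if name != view_name:
            continue
        subtree = parse_oid(subtree_text)
        if family_matches(subtree, mask_hex, oid):
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, view_type)
    return best is not None and best[1] == "Include"


# Constructed sample views (not from the manual):
#  ops-ro   : all of mib-2 except the ARP cache (ipNetToMediaTable)
#  if3-only : every ifTable column, but only for ifIndex 3; the mask FFA0 is
#             bits 11111111 101 over the 11 sub-identifiers of the subtree,
#             so the 10th (the column) is wildcarded and the 11th (index) fixed
VIEW_ENTRIES = [
    ("ops-ro", "1.3.6.1.2.1", "", "Include"),
    ("ops-ro", "1.3.6.1.2.1.4.22", "", "Exclude"),
    ("if3-only", "1.3.6.1.2.1.2.2.1.1.3", "FFA0", "Include"),
]
```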

Deleting an SNMPv3 management information view configuration

To delete an existing SNMPv3 management information view configuration:

Step Action

1 Open the Management Info View screen by selecting Configuration, SNMPv3, Management Info View.

2 In the Management Information Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

--End--

Configuring an SNMPv3 system notification entry

SNMPv3 system notification configurations and system notification types can be viewed, configured, and deleted.

Creating an SNMPv3 system notification configuration

To create an SNMPv3 system notification configuration:

Step Action

1 Open the Notification screen by selecting Configuration, SNMPv3, Notification.

Table 92 "Notification page items" (page 240) describes the items on the Notification screen.

Table 92 Notification page items

Item and MIB association  Range  Description

Delete  Deletes the row.

Notify Name (snmpNotifyRowStatus)  1 to 32  Type a character string to identify the entry.

Notify Tag (snmpNotifyTag)  1 to 32  Type a value to select entries in the snmpTargetAddrTable. An entry in the snmpTargetAddrTable that contains a tag value equal to the value of an instance of this object is selected. If this object carries a zero length, no entries are selected.

Notify Type (snmpNotifyType)  (1) Trap (2) Inform  Choose the type of notification to generate.

Entry Storage (snmpNotifyStorageType)  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Notification Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Notification Table section.

--End--

ATTENTION
The Notification Table section of the Notification screen contains hyperlinks to the Target Parameter screen.

Deleting an SNMPv3 system notification configuration

To delete an SNMPv3 notification configuration:

Step Action

1 Open the Notification screen by selecting Configuration, SNMPv3, Notification.

2 In the Notification Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

--End--


Configuring an SNMPv3 management target address

SNMPv3 management target configurations and management target address configurations can be viewed, configured, and deleted.

Creating an SNMPv3 target address configuration

To create an SNMPv3 target address configuration:

Step Action

1 Open the Target Address screen by selecting Configuration, SNMPv3, Target Address.

Table 93 "Target Address screen items" (page 242) describes the items on the Target Address screen.

Table 93 Target Address screen items

Item and MIB association  Range  Description

Delete  Deletes the row.

Target Name (snmpTargetAddrName)  1 to 32  Type a character string to create a target name.

Target Domain (snmpTargetAddrTDomain)  1 to 32  Transport type of the address contained in the snmpTargetAddrTAddress object.

Target Address (snmpTargetAddrTAddress)  XXX.XXX.XXX.XXX:XXX  Type a transport address in the format of an IP address, colon, and UDP port number. For example: 10.30.31.99:162

Target Timeout (snmpTargetAddrTimeout)  Integer  Type the number, in seconds, to designate the maximum time to wait for a response to an inform notification before resending the Inform notification.

Target Retry Count (snmpTargetAddrRetryCount)  0 to 255  Type the default number of retries to be attempted when a response is not received for a generated message. An application can provide its own retry count, in which case the value of this object is ignored.

Target Tag List (snmpTargetAddrTagList)  1 to 20  Type the space-separated list of tag values to be used to select target addresses for a particular operation.

Target Parameter Entry (snmpTargetAddr)  1 to 32  Type a numeric string to identify an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generated messages are to be sent to this transport address.

Entry Storage  (1) Volatile (2) Non-Volatile  Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Target Address Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Target Address Table.

--End--

ATTENTION
The Target Address Table section of the Target Address screen contains hyperlinks to the Target Parameter screen.

Deleting an SNMPv3 target address configuration

To delete an SNMPv3 target address configuration:

Step Action

1 Open the Target Address screen by selecting Configuration, SNMPv3, Target Address.

2 In the Target Address Table, click Delete to delete the entry.


3 A message prompts for confirmation of the request. Click OK.

--End--

Configuring an SNMPv3 management target parameter

SNMPv3 management target parameters are used during notification generation to specify the communication parameters used for exchanges with notification recipients.

You can view a table of existing SNMPv3 target parameter configurations, create SNMPv3 target parameters that associate notifications with particular recipients, and delete existing SNMPv3 target parameter configurations.

Creating an SNMPv3 target parameter configuration

To create an SNMPv3 target parameter configuration:

Step Action

1 Open the Target Parameter screen by selecting Configuration, SNMPv3, Target Parameter.

Table 94 "Target Parameter screen items" (page 244) describes the items on the Target Parameter screen.

Table 94 Target Parameter screen items

Item | Range | Description
(delete icon) | | Deletes the row.
Parameter Tag (snmpTargetParamsRowStatus) | 1 to 32 | Type a unique character string to identify the parameter tag.
Msg Processing Model (snmpTargetParamsMPModel) | SNMPv1, SNMPv2c, SNMPv3/USM | Choose the message processing model to be used when generating SNMP messages using this entry.
Security Name (snmpTargetParamsSecurityName) | 1 to 32 | Type the principal on whose behalf SNMP messages are generated using this entry.
Security Level (snmpTargetParamsSecurityLevel) | (1) noAuthNoPriv, (2) authNoPriv | Choose the level of security to be used when generating SNMP messages using this entry.
Entry Storage (snmpTargetParamsStorageType) | (1) Volatile, (2) Non-Volatile | Choose the storage preference. Selecting Volatile requests information to be dropped (lost) when you turn the power off. Selecting Non-Volatile requests information to be saved in NVRAM when you turn the power off.

2 In the Target Parameter Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Target Parameter Table.

--End--

Deleting an SNMPv3 target parameter configuration

To delete an SNMPv3 target parameter configuration:

Step Action

1 Open the Target Parameter screen by selecting Configuration, SNMPv3, Target Parameter.

2 In the Target Parameter Table, click Delete to delete the entry.

3 A message prompts for confirmation of the request. Click OK.

--End--

Configuring SNMP traps

SNMP trap receivers can be viewed, configured, or deleted in the Web-based Management interface.

ATTENTION
The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are configurable using this table.


Creating an SNMP trap receiver configuration

To create an SNMP trap receiver configuration:

Procedure

Step Action

1 Open the SNMP Trap Receiver screen by selecting Configuration, SNMP Trap.

Table 95 "SNMP Trap Receiver screen items" (page 246) describes the items on the Trap Receiver Table and Trap Receiver Creation sections of the SNMP Trap Receiver screen.

Table 95 SNMP Trap Receiver screen items

Item | Range | Description
(delete icon) | | Deletes the row.
Trap Receiver Index | 1 to 4 | Choose the number of the trap receiver to create or modify.
IP Address | XXX.XXX.XXX.XXX | Type the network address for the SNMP manager that is to receive the specified trap.
Community | 0 to 32 | Type the community string for the specified trap receiver.

2 In the Trap Receiver Creation section, type information in the text boxes, or select from a list.

3 Click Submit.

The new entry appears in the Trap Receiver Table.

--End--
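The Target Address, Target Parameter and Trap Receiver tables above reference one another (an address names the parameter entry it sends with; a tag selects addresses), and the weak options they offer are easy to miss when reviewing a screen at a time. The following is an added example, not part of this guide or the switch firmware, that audits a constructed set of entries: it validates the IP:port transport address format from Table 93, resolves each address's Target Parameter Entry, and flags destinations whose notifications are community-based, sent noAuthNoPriv, or stored as Volatile. The dataclass fields and finding codes are assumptions made for the example.

```python
"""Offline audit of SNMP notification destinations, modelled on the Target
Address, Target Parameter and SNMP Trap Receiver screens. Added example with
constructed data; the dataclasses are assumptions, not the switch's MIB."""
import ipaddress
import re
from dataclasses import dataclass

# Transport address format from Table 93: XXX.XXX.XXX.XXX:XXX (IP, colon, UDP port)
_TADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass(frozen=True)
class TargetParams:
    """One snmpTargetParamsTable entry (a row of the Target Parameter screen)."""
    name: str
    mp_model: str          # SNMPv1, SNMPv2c or SNMPv3/USM
    security_name: str
    security_level: str    # noAuthNoPriv or authNoPriv
    storage: str = "Non-Volatile"


@dataclass(frozen=True)
class TargetAddress:
    """One snmpTargetAddrTable entry (a row of the Target Address screen)."""
    name: str
    taddress: str          # for example 10.30.31.99:162
    tag_list: str          # space-separated tag values
    params: str            # Target Parameter Entry this address uses
    retry_count: int = 3   # 0 to 255
    storage: str = "Non-Volatile"


def parse_taddress(taddr: str) -> tuple[str, int]:
    """Split an 'IP:port' transport address; raise ValueError if malformed."""
    m = _TADDR_RE.match(taddr)
    if not m:
        raise ValueError(f"not in IP:port form: {taddr!r}")
    ip = ipaddress.IPv4Address(m.group(1))   # rejects octets above 255
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"UDP port out of range: {port}")
    return str(ip), port


def audit_targets(addresses, params) -> list[tuple[str, str]]:
    """Return (target name, finding code) pairs for each weak or broken entry."""
    by_name = {p.name: p for p in params}
    findings = []
    for a in addresses:
        if not 1 <= len(a.name) <= 32:
            findings.append((a.name, "bad-name-length"))
        try:
            parse_taddress(a.taddress)
        except ValueError:
            findings.append((a.name, "bad-taddress"))
        if not 0 <= a.retry_count <= 255:
            findings.append((a.name, "bad-retry-count"))
        p = by_name.get(a.params)
        if p is None:
            # No parameter entry: nothing defines how to send to this address.
            findings.append((a.name, "missing-params"))
            continue
        if p.mp_model != "SNMPv3/USM":
            # v1/v2c notifications carry only a community string, in clear text.
            findings.append((a.name, "community-based"))
        elif p.security_level == "noAuthNoPriv":
            # USM without authentication: the receiver cannot verify the sender.
            findings.append((a.name, "no-auth"))
        if "Volatile" in (a.storage, p.storage):
            # A Volatile row is dropped at power off, so the destination vanishes.
            findings.append((a.name, "volatile"))
    return findings


def targets_for_tag(addresses, tag: str) -> list[str]:
    """Names of the target addresses selected by a tag in their Target Tag List."""
    return [a.name for a in addresses if tag in a.tag_list.split()]


# Constructed sample configuration (not taken from any real switch).
SAMPLE_PARAMS = [
    TargetParams("v3-auth", "SNMPv3/USM", "nmsuser", "authNoPriv"),
    TargetParams("v2c-legacy", "SNMPv2c", "public", "noAuthNoPriv"),
    TargetParams("v3-open", "SNMPv3/USM", "guest", "noAuthNoPriv", storage="Volatile"),
]
SAMPLE_ADDRESSES = [
    TargetAddress("nms1", "10.30.31.99:162", "alerts", "v3-auth"),
    TargetAddress("nms2", "10.30.31.100:162", "alerts audit", "v2c-legacy"),
    TargetAddress("bad1", "10.30.31.300:162", "alerts", "v3-auth"),
    TargetAddress("orphan", "10.30.31.101:162", "alerts", "missing"),
    TargetAddress("nms3", "10.30.31.102:162", "audit", "v3-open"),
]

if __name__ == "__main__":
    for name, code in audit_targets(SAMPLE_ADDRESSES, SAMPLE_PARAMS):
        print(f"{name}: {code}")
    print("audit ->", targets_for_tag(SAMPLE_ADDRESSES, "audit"))
```

Rows in the SNMPv1-only Trap Receiver Table are equivalent to a target address paired with an SNMPv1 parameter entry, so they would all receive the community-based finding.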

Deleting an SNMP trap receiver configuration

To delete SNMP trap receiver configurations:

Step Action

1 Open the SNMP Trap Receiver screen by selecting Configuration, SNMP Trap.

2 In the Trap Receiver Table, click Delete to delete the entry.


3 A message prompts for confirmation of the request. Click OK.

--End--

IP Source Guard configuration using the Web-based management interface

This section describes how to configure IP Source Guard to add or remove a higher level of security on a port or ports, using the Web-based management interface.

ATTENTION
Nortel recommends that you do not enable IP Source Guard on trunk ports.

ATTENTION
Nortel recommends that you carefully manage the number of applications running on the Ethernet Routing Switch 4500 that use filters. For example, if you configure NSNA on ports and attempt to configure IP Source Guard on those same ports, the IP Source Guard configuration can fail due to the limited number of filters available.

Prerequisites

Before you can configure IP Source Guard, you must ensure the following:

• Dynamic Host Configuration Protocol (DHCP) snooping is globally enabled.

• The port is a member of a Virtual LAN (VLAN) configured with DHCP snooping and dynamic Address Resolution Protocol (ARP) Inspection.

• The port is an untrusted DHCP snooping and dynamic ARP Inspection port.

• The bsSourceGuardConfigMode MIB object exists. This MIB object is used to control the IP Source Guard mode on an interface.

• The following applications are not enabled:

— Baysecure

— Extensible Authentication Protocol over LAN (EAPOL)

ATTENTION
Hardware resources can run out if IP Source Guard is enabled on trunk ports with a large number of VLANs that have DHCP snooping enabled. If this happens, traffic sending can be interrupted for some clients. Nortel recommends that IP Source Guard not be enabled on trunk ports.


IP Source Guard configuration using the Web-based management interface navigation

• “Enabling or disabling IP Source Guard using the Web-based management interface” (page 248)

• “Viewing IP Source Guard Binding information using the Web-based management interface” (page 249)

• “Viewing IP Source Guard port statistics using the Web-based management interface” (page 249)

Enabling or disabling IP Source Guard using the Web-based management interface

To enable or disable IP Source Guard on a port or group of ports, adding or removing a higher level of security on those ports, use the following procedure.

Procedure steps

Step Action

1 Open the IP Source Guard configuration screen by choosing Applications, IP Source Guard, IP Source Config from the menu.

2 Select enabled or disabled from the port Source Guard Mode dialog box.

3 Click Submit.

--End--

Variable definitions

Use the data in the following table to enable IP Source Guard on a port.

Variable | Value
Port | Identifies the port number.
Source Guard Mode | Identifies the Source Guard mode for the port. The mode can be disabled or enabled. The default mode is disabled.
Unit | Selects a specific switch in a group of stacked switches.


Viewing IP Source Guard Binding information using the Web-based management interface

To view IP Source Guard Binding information, which displays the list of IP addresses that IP Source Guard allows, use the following procedure.

Procedure steps

Step Action

1 Open the IP Source Guard configuration screen by selecting Applications, IP Source Guard, IP Source Binding from the menu.

--End--

Variable definitions

Use the data in the following table to view IP Source Guard Binding information.

Variable | Value
Unit | Selects a specific switch in a group of stacked switches.
Port | Identifies the port number.
Address | Identifies the IP address that IP Source Guard has allowed.

Viewing IP Source Guard port statistics using the Web-based management interface

To view IP Source Guard port statistics, which display IP Source Guard information, follow this procedure.

Procedure steps

Step Action

1 Open the IP Source Guard statistics screen by selecting Applications, IP Source Guard, IP Source Statistics from the menu.

2 Clear counters as required.

3 Click Submit.

--End--

Variable definitions

Use the data in the following table to display IP Source Guard information.

Variable | Value
Port | Identifies the port number, a switch or stack of switches.
Dropped IP Packets | Displays the number of dropped IP packets for a port, or stack of switches.
Clear Counters | Clears counters for a port, switch or stack of switches. Values are yes or no. The default is no.
Unit | Selects a specific switch in a group of stacked switches.
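How the enable, binding and statistics screens above fit together, as an added example that is not part of this guide: a small model that applies the prerequisites listed under IP Source Guard configuration before the mode can be enabled, then forwards or drops constructed packets against a binding list and counts the drops the statistics screen would show. The Port fields, binding tuples and message strings are assumptions for the example, not the switch's MIB objects.

```python
"""Model of IP Source Guard as the Web-based management screens describe it:
prerequisite checks, the binding list of allowed addresses, and the Dropped
IP Packets counter. Added example with constructed data; the field names and
messages are assumptions, not the switch's MIB implementation."""
from dataclasses import dataclass


@dataclass
class Port:
    unit: int
    port: int
    trunk: bool = False
    dhcp_snooping_trusted: bool = False   # IP Source Guard needs an untrusted port
    dai_trusted: bool = False
    vlan_snooping: bool = False           # member VLAN has DHCP snooping enabled
    vlan_dai: bool = False                # member VLAN has dynamic ARP inspection enabled
    baysecure: bool = False
    eapol: bool = False
    source_guard_mode: str = "disabled"   # bsSourceGuardConfigMode: disabled (default) or enabled
    dropped_ip_packets: int = 0


def prerequisite_failures(p: Port, dhcp_snooping_global: bool) -> list[str]:
    """Return the listed prerequisites that this port does not meet."""
    failures = []
    if not dhcp_snooping_global:
        failures.append("DHCP snooping is not globally enabled")
    if not (p.vlan_snooping and p.vlan_dai):
        failures.append("port VLAN lacks DHCP snooping and dynamic ARP inspection")
    if p.dhcp_snooping_trusted or p.dai_trusted:
        failures.append("port is trusted for DHCP snooping or ARP inspection")
    if p.baysecure:
        failures.append("Baysecure is enabled")
    if p.eapol:
        failures.append("EAPOL is enabled")
    return failures


def enable_source_guard(p: Port, dhcp_snooping_global: bool) -> list[str]:
    """Enable the mode, raising if a prerequisite fails; returns advisories."""
    failures = prerequisite_failures(p, dhcp_snooping_global)
    if failures:
        raise ValueError("; ".join(failures))
    p.source_guard_mode = "enabled"
    # Trunk ports are a recommendation, not a hard block: filter resources can run out.
    return ["trunk port: hardware filter resources may run out"] if p.trunk else []


def forward_ip_packet(p: Port, bindings: set, src_ip: str) -> bool:
    """True if the packet is forwarded. With the mode enabled only sources in the
    port's own binding list (the IP Source Binding screen) pass; every other
    packet is dropped and counted (the IP Source Statistics screen)."""
    if p.source_guard_mode != "enabled":
        return True
    if (p.unit, p.port, src_ip) in bindings:
        return True
    p.dropped_ip_packets += 1
    return False


def clear_counters(p: Port) -> None:
    """Clear Counters = yes on the statistics screen."""
    p.dropped_ip_packets = 0


# Constructed sample: one stack unit, two access ports and one trunk port.
BINDINGS = {(1, 3, "10.30.31.50"), (1, 3, "10.30.31.51"), (1, 4, "10.30.31.60")}


def demo() -> dict:
    """Run the constructed scenario and return the observable results."""
    p3 = Port(1, 3, vlan_snooping=True, vlan_dai=True)
    p4 = Port(1, 4, vlan_snooping=True, vlan_dai=True, eapol=True)
    p5 = Port(1, 5, trunk=True, vlan_snooping=True, vlan_dai=True)
    out = {"p3_warnings": enable_source_guard(p3, True)}
    try:
        enable_source_guard(p4, True)
        out["p4_enabled"] = True
    except ValueError as e:
        out["p4_enabled"] = False
        out["p4_error"] = str(e)
    out["p5_warnings"] = enable_source_guard(p5, True)
    # 10.30.31.60 is bound on port 4, so it is dropped when seen on port 3.
    out["p3_forwarded"] = [forward_ip_packet(p3, BINDINGS, ip)
                           for ip in ("10.30.31.50", "10.30.31.99", "10.30.31.60")]
    out["p3_dropped"] = p3.dropped_ip_packets
    clear_counters(p3)
    out["p3_dropped_after_clear"] = p3.dropped_ip_packets
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```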

Configuring TACACS+ using the Web-based management interface

Configure switch TACACS+ server settings to add a TACACS+ server to your system by following this procedure.

Procedure steps

Step Action

1 Open the Tacacs configuration screen by selecting Applications, TACACS from the menu.

2 Configure TACACS Server Settings as required.

3 Click Submit.

4 Configure Authorization Settings as required.

5 Click Submit.

6 Configure the Accounting Setting as required.

7 Click Submit.

--End--

Variable definitions

Use the data in the following table to configure switch TACACS+ server settings.

Variable | Value
Primary TACACS Server | Specifies the IP address of the primary server you want to add or configure.
Secondary TACACS Server | Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond.
TACACS Port | Specifies the TCP port for TACACS+. The value is an integer in the range of 1 to 65535. The default port number is 49.
TACACS Shared Secret | Specifies the secret authentication and encryption key used for all communications between the NAS and the TACACS+ server. The shared secret must be the same as the one defined on the server. You are prompted to confirm the key when you enter it. ATTENTION: The shared secret is a required parameter when you create a new server entry. The parameter is optional when you are modifying an existing entry.
Authorization | Enables or disables TACACS+ authorization globally on the switch.
Accounting | Enables or disables TACACS+ accounting globally on the switch.

Configuring Wake on LAN with simultaneous 802.1X Authentication using Web-based management

Use Web-based Management to configure Wake on LAN with simultaneous 802.1X authentication.

Prerequisites

• Configure the primary RADIUS server

• Configure the shared secret

• Enable EAPOL

Step Action

1 From the Web-based management menu, select Applications.


2 Select EAPOL Security.

3 In EAPOL Administrative State Setting, select Enabled.

4 Click Submit.

5 In EAPOL Security Setting, select a unit if a stack is present, andselect a port.

6 In Administrative Status, select Auto.

7 In Administrative Traffic Control, select In Only.

8 Click Submit.

--End--

Variable definitions

Table 96 EAPOL Security Setting fields

Variable | Definition
Port | Identifies the port.
Initialize | Setting this attribute to Yes causes this port's EAPOL state to be initialized.
Administrative Status | Allows you to set the EAPOL authorization status: Force Unauthorized (always unauthorized); Auto (status depends on EAP authentication results); Force Authorized (always authorized).
Operational Status | Displays the current authorization status.
Administrative Traffic Control | Allows EAPOL authentication to be set for either incoming and outgoing traffic or for incoming traffic only.
Operational Traffic Control | Displays the current administrative traffic control setting.
Re-authenticate Now | Allows EAPOL authentication to be activated immediately without waiting for the reauthentication period to expire.
Re-authentication | Allows EAPOL authentication to be repeated according to the time value specified in the Re-authentication Period field.
Re-authentication Period | With Re-authentication enabled, allows the time period to be specified between successive EAPOL authentications.
Quiet Period | Allows the time interval to be specified between an authentication failure and the start of a new authentication attempt.
Transmit Period | Specifies how long the switch waits for the supplicant to respond to EAP Request/Identity packets.
Supplicant Timeout | Specifies how long the switch waits for the supplicant to respond to all EAP packets, except EAP Request/Identity packets.
Server Timeout | Specifies how long the switch waits for the RADIUS server to respond to all EAP packets.
Maximum Requests | Specifies the number of times the switch attempts to resend EAP packets to a supplicant.

RADIUS Request use Management IP configuration using Web-based Management

You can enable or disable the use of the Management VLAN IP using Web-based Management.

RADIUS Request use Management IP configuration using Web-based Management navigation

• “Enabling the RADIUS Request use Management IP” (page 253)

• “Disabling the RADIUS Request use Management IP” (page 254)

Enabling the RADIUS Request use Management IP

Perform this procedure to enable the RADIUS requests to use the Management VLAN IP address.


Procedure steps

Step Action

1 Browse to Administration, Security, RADIUS.

2 Select Radius Use Mgmt Ip.

3 Click Submit.

--End--

Disabling the RADIUS Request use Management IP

Perform this procedure to disable the use of the Management VLAN IP by RADIUS requests.

Procedure steps

Step Action

1 Browse to Administration, Security, RADIUS.

2 Clear Radius Use Mgmt Ip.

3 Click Submit.

--End--


Configuring and managing security using Device Manager

This chapter describes the methods and procedures necessary to configure security on the Ethernet Routing Switch 4500 using Device Manager.

Navigation

• “EAPOL configuration using Device Manager” (page 256)

• “Configuring general switch security using Device Manager” (page 270)

• “Security list configuration using Device Manager” (page 272)

• “AuthConfig list configuration using Device Manager” (page 275)

• “Configuring MAC Address AutoLearn using Device Manager” (page 277)

• “Viewing AuthStatus information using Device Manager” (page 277)

• “Viewing AuthViolation information using Device Manager” (page 279)

• “Viewing MacViolation information using Device Manager” (page 280)

• “Configuring the Secure Shell protocol using Device Manager” (page 280)

• “Viewing SSH Sessions information using Device Manager” (page 282)

• “Configuring SSL using Device Manager” (page 283)

• “RADIUS Server security configuration using Device Manager” (page 284)

• “DHCP snooping configuration using Device Manager” (page 291)

• “Dynamic ARP inspection configuration using Device Manager” (page 294)

• “IP Source Guard configuration using Device Manager” (page 295)


• “SNMP configuration using Device Manager” (page 299)

• “RADIUS Request use Management IP configuration using Device Manager” (page 316)

EAPOL configuration using Device Manager

This section describes how you can configure network access control on an internal Local Area Network (LAN) with Extensible Authentication Protocol over LAN (EAPOL), using Device Manager.

ATTENTION
You must enable EAPOL before you enable UDP Forwarding, IP Source Guard, and other features that use QoS policies.

EAPOL configuration using Device Manager navigation

• “Configuring EAPOL globally using Device Manager” (page 256)

• “Configuring port-based EAPOL using Device Manager” (page 257)

• “Configuring advanced port-based EAPOL using Device Manager” (page 259)

• “Viewing Multihost status information using Device Manager” (page 260)

• “Viewing Multihost session information using Device Manager” (page 261)

• “Allowed non-EAP MAC address list configuration using Device Manager” (page 262)

• “Viewing port non-EAP host support status using Device Manager” (page 264)

• “Graphing EAPOL statistics using Device Manager” (page 265)

Configuring EAPOL globally using Device Manager

Configure EAPOL globally to configure EAPOL parameters for the switch.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the EAPOL tab.

3 Configure EAPOL parameters as required.


4 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure EAPOL globally.

Variable | Value
SystemAuthControl | Enables or disables port access control on the switch.
GuestVlanEnabled | Enables or disables the Guest VLAN.
GuestVlanId | Sets the VLAN ID of the Guest VLAN.
MultiHostAllowNonEapClient | Enables or disables support for non-EAPOL hosts on EAPOL-enabled ports.
MultiHostSingleAuthEnabled | Enables or disables Multiple Host Single Authentication (MHSA). When selected, non-EAPOL hosts are allowed on a port if there is one authenticated EAPOL client on the port.
MultiHostRadiusAuthNonEapClient | Enables or disables RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports.
MultiHostAllowNonEapPhones | Enables or disables Nortel IP Phone clients as another non-EAP type.
MultiHostAllowRadiusAssignedVlan | Enables or disables the use of RADIUS-assigned VLAN values in the Multihost mode.
MultiHostAllowNonEapRadiusAssignedVlan | Enables or disables support for RADIUS-assigned VLANs in multihost-eap mode for non-EAP clients.
MultiHostUseMostRecentRadiusAssignedVlan | Enables or disables the Last Assigned VLAN on a port.
MultiHostEapPacketMode | Enables or disables the choice of packet mode (unicast or multicast) in the Multihost mode.
MultiHostFailOpenVlanEnabled | Enables or disables the EAPOL multihost Fail Open VLAN.
MultiHostFailOpenVlanId | Sets the VLAN ID of the Fail Open VLAN.
NonEapRadiusPasswordAttributeFormat | Enables or disables setting the format of the RADIUS Server password attribute for non-EAP clients.

Configuring port-based EAPOL using Device Manager

Configure port-based EAPOL to configure EAPOL security parameters for an individual port or multiple ports.


Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .

3 Click the EAPOL tab.

4 Configure EAPOL parameters as required.

5 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure port-based EAPOL.

Variable | Value
PortProtocolVersion | The EAP protocol version that is running on this port.
PortCapabilities | The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable (0).
PortInitialize | Setting this attribute to True causes this port's EAPOL state to be initialized.
PortReauthenticateNow | Setting this attribute to True causes the reauthentication of the client.
PaeState | The current authenticator PAE state machine state value.
BackendAuthState | The current state of the Backend Authentication state machine.
AdminControlledDirections | The current value of the administrative controlled directions parameter for the port.
OperControlledDirections | The current value of the operational controlled directions parameter for the port.
AuthControlledPortStatus | The current value of the controlled port status parameter for the port.
AuthControlledPortControl | The current value of the controlled port control parameter for the port.
QuietPeriod | The current value of the time interval between an authentication failure and the start of a new authentication.
TransmitPeriod | Time to wait for a response from the supplicant for EAP Request/Identity packets.
SupplicantTimeout | Time to wait for a response from the supplicant for all EAP packets except EAP Request/Identity.
ServerTimeout | Time to wait for a response from the RADIUS server.
MaximumRequests | Number of times to retry sending packets to the supplicant.
ReAuthenticationPeriod | Time interval between successive reauthentications.
ReAuthenticationEnabled | Whether to reauthenticate or not. Setting this object to Enabled causes reauthentication of the existing supplicant at the time interval specified in the Re-authentication Period field.
KeyTxEnabled | The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state machine. This always returns False as key transmission is irrelevant.
LastEapolFrameVersion | The protocol version number carried in the most recently received EAPOL frame.
LastEapolFrameSource | The source MAC address carried in the most recently received EAPOL frame.

Configuring advanced port-based EAPOL using Device Manager

Configure advanced port-based EAPOL to configure advanced EAPOL security parameters for an individual port or multiple ports.

Procedure steps

Step Action

1 From the Device View, select a port or multiple ports.

2 Select Edit, Port .

3 Click the EAPOL Advance tab.

4 Configure advanced EAPOL parameters as required.

5 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure advanced port-based EAPOL.

Variable | Value
GuestVlanEnabled | Enables or disables Guest VLAN functionality.
GuestVlanId | Specifies the VLAN ID of the VLAN that acts as the Guest VLAN. The default is 0. The Guest VLAN ID can be between 0 and 4094. ATTENTION: Use 0 to indicate a global Guest VLAN ID.
MultiHostEnabled | Enables or disables Multiple Host/MAC support with Multiple Authentication (MHMA).
MultiHostEapMaxNumMacs | Specifies the maximum number of EAPOL-authenticated clients allowed on this port. The default is 1. The maximum number can be between 1 and 32.
MultiHostAllowNonEapClient | Enables or disables support for non-EAPOL clients using local authentication.
MultiHostNonEapMaxNumMacs | Specifies the maximum number of non-EAPOL clients allowed on this port. The default is 1. The maximum number can be between 1 and 32.
MultiHostSingleAuthEnabled | Enables or disables Multiple Host with Single Authentication (MHSA) support for non-EAPOL clients.
MultiHostRadiusAuthNonEapClient | Enables or disables support for non-EAPOL clients using RADIUS authentication.
MultiHostAllowNonEapPhones | Enables or disables support for Nortel IP Phone clients as another non-EAP type.
MultiHostAllowRadiusAssignedVlan | Enables or disables support for VLAN values assigned by the RADIUS server.
MultiHostAllowNonEapRadiusAssignedVlan | Enables or disables support for RADIUS-assigned VLANs in multihost-EAP mode for non-EAP clients.
MultiHostUseMostRecentRadiusAssignedVlan | Enables or disables the Last Assigned VLAN on a port.
MultiHostEapPacketMode | Specifies the mode of EAPOL packet transmission (multicast or unicast).
ProcessRadiusRequestsServerPackets | Enables or disables the processing of RADIUS requests-server packets that are received on this port.
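The port control, traffic control and multihost settings from Table 96 and the EAPOL tables above combine into a single admission decision per host. The following added example, which is not the switch's state machine and not code from this guide, models that decision for constructed MAC addresses: the In Only traffic control that Wake on LAN relies on, the MHMA client limits, the allowed non-EAP MAC list, and the MHSA case where one authenticated EAPOL client opens the port to non-EAP hosts. The decision order, field names and reason strings are assumptions made for illustration.

```python
"""Admission model for an EAPOL (802.1X) port built from the settings in the
EAPOL Security Setting, EAPOL and EAPOL Advance tables. Added example; the
decision order is an assumption for illustration, not the switch's logic."""
from dataclasses import dataclass, field

FORCE_UNAUTHORIZED, AUTO, FORCE_AUTHORIZED = "forceUnauthorized", "auto", "forceAuthorized"


@dataclass
class EapolPortConfig:
    port_control: str = AUTO             # Administrative Status / AuthControlledPortControl
    controlled_directions: str = "both"  # AdminControlledDirections: "both" or "in" (In Only)
    multihost_enabled: bool = False      # MultiHostEnabled (MHMA)
    eap_max_macs: int = 1                # MultiHostEapMaxNumMacs, 1 to 32
    allow_non_eap: bool = False          # MultiHostAllowNonEapClient
    non_eap_max_macs: int = 1            # MultiHostNonEapMaxNumMacs, 1 to 32
    single_auth_enabled: bool = False    # MultiHostSingleAuthEnabled (MHSA)
    allowed_non_eap_macs: frozenset = frozenset()  # allowed non-EAP MAC address list


@dataclass
class EapolPortState:
    eap_clients: set = field(default_factory=set)      # EAPOL-authenticated MACs
    non_eap_clients: set = field(default_factory=set)  # admitted non-EAP MACs


def admit_eap_client(cfg, state, mac, radius_accepted) -> tuple:
    """Decide on a supplicant whose EAP exchange ended with a RADIUS accept/reject."""
    mac = mac.lower()
    if cfg.port_control == FORCE_UNAUTHORIZED:
        return False, "port is Force Unauthorized"
    if cfg.port_control == FORCE_AUTHORIZED:
        return True, "port is Force Authorized; no authentication performed"
    if not radius_accepted:
        return False, "EAP authentication failed"
    if mac in state.eap_clients:
        return True, "already authenticated"
    limit = cfg.eap_max_macs if cfg.multihost_enabled else 1
    if len(state.eap_clients) >= limit:
        return False, f"EAP client limit of {limit} reached"
    state.eap_clients.add(mac)
    return True, "authenticated"


def admit_non_eap_client(cfg, state, mac) -> tuple:
    """Decide on a host that never speaks EAPOL (printer, phone, embedded device)."""
    mac = mac.lower()
    if cfg.port_control == FORCE_UNAUTHORIZED:
        return False, "port is Force Unauthorized"
    if cfg.port_control == FORCE_AUTHORIZED:
        return True, "port is Force Authorized; no authentication performed"
    if not cfg.multihost_enabled:
        return False, "non-EAP hosts require multihost mode"
    if mac in state.non_eap_clients:
        return True, "already admitted"
    if cfg.single_auth_enabled and state.eap_clients:
        # MHSA: one authenticated EAPOL client opens the port to non-EAP hosts,
        # so the count limit below is the only bound on what else gets in.
        how = "admitted by MHSA"
    elif cfg.allow_non_eap and mac in cfg.allowed_non_eap_macs:
        how = "on the allowed non-EAP MAC list"
    else:
        return False, "non-EAP host not permitted"
    if len(state.non_eap_clients) >= cfg.non_eap_max_macs:
        return False, f"non-EAP client limit of {cfg.non_eap_max_macs} reached"
    state.non_eap_clients.add(mac)
    return True, how


def frame_forwarded(cfg, state, host_mac, direction) -> bool:
    """direction is 'in' (from the host) or 'out' (to the host). With Administrative
    Traffic Control set to In Only, egress is never blocked, which is what lets a
    Wake on LAN magic packet reach a sleeping, not yet authenticated host."""
    host_mac = host_mac.lower()
    if cfg.port_control == FORCE_AUTHORIZED:
        return True
    if direction == "out" and cfg.controlled_directions == "in":
        return True
    if cfg.port_control == FORCE_UNAUTHORIZED:
        return False
    return host_mac in state.eap_clients or host_mac in state.non_eap_clients


if __name__ == "__main__":
    # Constructed walkthrough: Wake on LAN port (In Only) with MHMA and one allowed printer.
    cfg = EapolPortConfig(controlled_directions="in", multihost_enabled=True, eap_max_macs=2,
                          allow_non_eap=True, allowed_non_eap_macs=frozenset({"00:11:22:33:44:55"}))
    st = EapolPortState()
    print("magic packet out before auth:", frame_forwarded(cfg, st, "aa:bb:cc:00:00:01", "out"))
    print("host traffic in before auth:", frame_forwarded(cfg, st, "aa:bb:cc:00:00:01", "in"))
    print(admit_eap_client(cfg, st, "aa:bb:cc:00:00:01", True))
    print(admit_non_eap_client(cfg, st, "00:11:22:33:44:55"))
    print(admit_non_eap_client(cfg, st, "00:11:22:33:44:66"))
```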

Viewing Multihost status information using Device Manager

View Multihost status information to display multiple host status for a port.


ATTENTION
The Multi Hosts button is not available when you select multiple ports before clicking the EAPOL Advance tab. You can select only one port to use the Multi Hosts option.

Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .

3 Click the EAPOL Advance tab.

4 Click Multi Hosts.

--End--

Variable definitions

Use the data in the following table to view Multihost status information.

Variable | Value
PortNumber | The port number in use.
ClientMACAddr | The MAC address of the client.
PaeState | The current state of the authenticator PAE state machine.
BackendAuthState | The current state of the Backend Authentication state machine.
Reauthenticate | The current reauthentication state of the machine. When the reauthenticate attribute is set to True, the client reauthenticates.

Viewing Multihost session information using Device Manager

View Multihost session information to display multiple host session information for a port.

ATTENTION
The Multi Hosts button is not available when you select multiple ports before clicking the EAPOL Advance tab. You can select only one port to use the Multi Hosts option.

Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .


3 Click the EAPOL Advance tab.

4 Click the Multi Hosts button.

5 Click the Multi Host Session tab.

--End--

Variable definitions

Use the data in the following table to view Multihost session information.

Variable | Value
PortNumber | The port number in use.
ClientMACAddr | The MAC address of the client.
Id | A unique identifier for the session, in the form of a printable ASCII string of at least three characters.
AuthenticMethod | The authentication method used to establish the session.
Time | The elapsed time of the session.
TerminateCause | The cause of the session termination.
UserName | The user name representing the identity of the supplicant PAE.

Allowed non-EAP MAC address list configuration using Device Manager

Configure the allowed non-EAP MAC address list to view and configure the list of MAC addresses for non-EAPOL clients that are authorized to access the port.

Allowed non-EAP MAC address list configuration using Device Manager navigation

• “Adding a MAC address to the allowed non-EAP MAC address list using Device Manager” (page 262)

• “Deleting a MAC address from the allowed non-EAP MAC address list using Device Manager” (page 263)

Adding a MAC address to the allowed non-EAP MAC address list using Device Manager

Add a MAC address to the allowed non-EAP MAC address list to insert a new MAC address into the list of MAC addresses for non-EAPOL clients that are authorized to access the port.


ATTENTION
The Non-EAP MAC button is not available when you select multiple ports before clicking the EAPOL Advance tab. You can select only one port to use the Non-EAP MAC option.

Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .

3 Click the EAPOL Advance tab.

4 Click the Non-EAP MAC button.

The Non-EAPOL MAC, Port dialog box appears with the Allowed non-EAP MAC tab selected, displaying the allowed non-EAP MAC address information for the port.

5 Click Insert.

6 In the ClientMACAddr box, type a MAC address to add to the list of allowed non-EAPOL clients.

7 Click Insert.

--End--

Deleting a MAC address from the allowed non-EAP MACaddress list using Device ManagerDelete a MAC address from the allowed non-EAP MAC address list toremove an existing MAC address from the list of MAC addresses fornon-EAPOL clients that are authorized to access the port.

ATTENTION
The Non-EAP MAC button is not available when you select multiple ports before clicking the EAPOL Advance tab. You can select only one port to use the Non-EAP MAC option.

Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .

3 Click the EAPOL Advance tab.

4 Click the Non-EAP MAC button.

The Non-EAPOL MAC, Port dialog box appears, displaying the allowed non-EAP MAC address information for the port.


Page 264: NN47205 505 05.03 Configuration Security


5 In the ClientMACAddr box click the MAC address to delete.

6 Click Delete.

7 Click Yes.

--End--

Variable definitions

Use the data in the following table to delete a MAC address from the allowed non-EAP MAC address list.

Variable Value

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.

Viewing port non-EAP host support status using Device Manager

View port non-EAP host support status to display the status of non-EAP host support on the port.

Procedure steps

Step Action

1 From the Device View, select a port.

2 Select Edit, Port .

3 Click the EAPOL Advance tab.

4 Click the Non-EAP MAC button.

5 Click the Non-EAP Status tab.

--End--

Variable definitions

Use the data in the following table to view port non-EAP host support status.

Variable Value

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.


Page 265: NN47205 505 05.03 Configuration Security


State The authentication status. Possible values are:
• rejected: the MAC address cannot be authenticated on this port
• locallyAuthenticated: the MAC address was authenticated using the local table of allowed clients
• radiusPending: the MAC address is awaiting authentication by a RADIUS server
• radiusAuthenticated: the MAC address was authenticated by a RADIUS server
• adacAuthenticated: the MAC address was authenticated using ADAC configuration tables
• mhsaAuthenticated: the MAC address was auto-authenticated on a port following a successful authentication of an EAP client

Reauthenticate The value used to reauthenticate the MAC address of the client on the port.

Graphing EAPOL statistics using Device Manager

EAPOL port-based statistics can be graphed and analyzed on the Graph Port screen. For more information, see Nortel Ethernet Routing Switch 4500 Series Configuration — System Monitoring (NN47205-502).

802.1X or non-EAP and Guest VLAN on the same port configuration using Device Manager

Use the procedures in this section to configure 802.1X or non-EAP and Guest VLAN on the same port.

802.1X or non-EAP and Guest VLAN on the same port configuration using Device Manager navigation

• “Enabling VoIP VLAN” (page 265)

Enabling VoIP VLAN

Perform this procedure to activate the VoIP VLAN.


Page 266: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the EAP VoIP Vlan tab.

3 Configure VoIP VLANs as required.

4 Click Apply.

--End--

Variable definitions

The following table defines the variables you can use to enable VoIP VLAN.

Variable Value

MultiHostVoipVlanIndex The index of the VoIP VLAN entry, from 1 to 5.

MultiHostVoipVlanEnabled True enables the VoIP VLAN; False disables the VoIP VLAN.

MultiHostVoipVlanId Sets the VLAN ID, which ranges from 1 to 4094.

802.1X or non-EAP with Fail Open VLAN configuration using Device Manager

Use the procedures in this section to configure 802.1X or non-EAP with Fail Open VLAN.

Note: The switch does not validate that the VLAN returned in the RADIUS-assigned VLAN attribute differs from the Fail Open VLAN. If you configure the Fail Open VLAN name or ID to be the same as one of the VLAN names or IDs that the RADIUS server can return, EAP or non-EAP clients can be assigned to the Fail Open VLAN even though no failure to connect to the RADIUS server has occurred.

802.1X or non-EAP with Fail Open VLAN configuration using Device Manager navigation

• “Enabling EAPOL multihost Fail Open VLAN” (page 266)

Enabling EAPOL multihost Fail Open VLAN

Perform this procedure to enable the EAPOL multihost Fail Open VLAN.

Prerequisites

• The Guest VLAN and the Fail Open VLAN do not have the same VLAN ID.


Page 267: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the EAPOL tab.

3 Select the MultihostFailOpenVlanEnabled option.

4 Click Apply.

--End--

Job aid

The following example procedure specifies the use of VoIP VLAN and Fail Open VLAN.

Step Action

1 Specify VoIP VLANs. These must not be Fail Open VLANs or Guest VLANs on any port.

2 Specify the Fail Open VLAN. This must not be a VoIP VLAN or a Guest VLAN on any port.

3 Specify Guest VLANs. These must not be VoIP VLANs or Fail Open VLANs.

4 Enable non-phone-enable on a specific port and globally.

5 Enable GuestVlan on the same port and globally.

6 Enable FailOpen globally.

--End--
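The constraints in the note and the job aid above are easy to violate once Guest VLANs are assigned per port and the RADIUS server returns VLAN attributes. The following script is an added example written for this page, not Nortel code: it checks a planned assignment for every overlap the job aid forbids and for the RADIUS-assigned VLAN collision that the switch itself does not detect. The VlanPlan fields, the port names and the VLAN numbers are assumptions made for illustration.

```python
"""Consistency check for VoIP, Fail Open and Guest VLAN assignments.

Hypothetical helper written for this page (not Nortel code).  Port names,
VLAN numbers and the VlanPlan fields are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4094   # MultiHostVoipVlanId range from the table above
MAX_VOIP_VLANS = 5             # MultiHostVoipVlanIndex runs from 1 to 5


@dataclass
class VlanPlan:
    voip_vlans: Set[int]                          # switch-wide VoIP VLAN entries
    fail_open_vlan: Optional[int]                 # Fail Open VLAN, None if unused
    guest_vlans: Dict[str, int]                   # port name -> Guest VLAN ID
    radius_assignable: Set[int] = field(default_factory=set)  # VLANs the RADIUS server may return


def validate_vlan_plan(plan: VlanPlan) -> List[str]:
    """Return findings as strings; an empty list means the plan is consistent."""
    findings: List[str] = []
    fo = plan.fail_open_vlan
    all_ids = set(plan.voip_vlans) | set(plan.guest_vlans.values())
    if fo is not None:
        all_ids.add(fo)
    for vid in sorted(all_ids):
        if not VLAN_MIN <= vid <= VLAN_MAX:
            findings.append(f"VLAN {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    if len(plan.voip_vlans) > MAX_VOIP_VLANS:
        findings.append(f"more than {MAX_VOIP_VLANS} VoIP VLANs configured")
    # Job aid step 2: the Fail Open VLAN must not be a VoIP VLAN
    if fo is not None and fo in plan.voip_vlans:
        findings.append(f"Fail Open VLAN {fo} is also a VoIP VLAN")
    # Job aid steps 1 and 3: a Guest VLAN must be neither VoIP nor Fail Open
    for port, gv in sorted(plan.guest_vlans.items()):
        if gv in plan.voip_vlans:
            findings.append(f"Guest VLAN {gv} on port {port} is also a VoIP VLAN")
        if fo is not None and gv == fo:
            findings.append(f"Guest VLAN {gv} on port {port} is the Fail Open VLAN")
    # The switch does not check this: a RADIUS-assigned VLAN equal to the Fail Open
    # VLAN puts authenticated clients into the Fail Open VLAN with no server failure.
    if fo is not None and fo in plan.radius_assignable:
        findings.append(f"Fail Open VLAN {fo} can also be returned by the RADIUS server")
    return findings


if __name__ == "__main__":
    plan = VlanPlan(voip_vlans={100, 101}, fail_open_vlan=900,
                    guest_vlans={"1/5": 50, "1/6": 900}, radius_assignable={10, 900})
    for line in validate_vlan_plan(plan) or ["plan is consistent"]:
        print(line)
```

Run it against the VLAN plan before touching the switch; the last check is the one to keep, because the switch will happily accept a Fail Open VLAN that the RADIUS server can also assign.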

802.1X or non-EAP Last Assigned RADIUS VLAN configuration using Device Manager

Use the Device Manager procedures in this section to enable or disable 802.1X or non-EAP Last Assigned RADIUS VLAN.

802.1X or non-EAP Last Assigned RADIUS VLAN configuration using Device Manager navigation

• “Configuring Last Assigned VLAN on a port” (page 268)


Page 268: NN47205 505 05.03 Configuration Security


Configuring Last Assigned VLAN on a port

Perform this procedure to enable or disable Last Assigned VLAN on a port.

Procedure steps

Step Action

1 From Device Manager menu bar, choose Edit, Port.

2 Click the EAPOL Advance tab.

3 Select the MultihostUseMostRecentRadiusAssignedVlan option.

4 Click Apply.

--End--

Configuring Wake on LAN with simultaneous 802.1X Authentication using Device Manager

Use the Device Manager procedure in this section to configure Wake on LAN with simultaneous 802.1X authentication. Setting AdminControlledDirections to in makes the switch control only inbound traffic from the supplicant: the port still forwards outbound frames while it is unauthenticated, so Wake on LAN magic packets can reach a sleeping station while 802.1X is enforced on ingress.

Prerequisites

• Configure the primary RADIUS server

• Configure the shared secret

• Enable EAPOL

Step Action

1 From the device view, select a port.

2 Select Edit.

3 Select the EAPOL tab.

4 Set AdminControlledDirections to in.

5 Set AuthControlledPortControl to auto.

6 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure port-based EAPOL.


Page 269: NN47205 505 05.03 Configuration Security


Variable Definition

PortProtocolVersion The EAP protocol version that is running on this port.

PortCapabilities The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable (0).

PortInitialize Setting this attribute to True causes the EAPOL state of this port to be initialized.

PortReauthenticateNow Setting this attribute to True causes the reauthentication of the client.

PaeState The current authenticator PAE state machine state value.

BackendAuthState The current state of the Backend Authentication state machine.

AdminControlledDirections The current value of the administrative controlled directions parameter for the port.

OperControlledDirections The current value of the operational controlled directions parameter for the port.

AuthControlledPortStatus The current value of the controlled port status parameter for the port.

AuthControlledPortControl The current value of the controlled port control parameter for the port.

QuietPeriod The current value of the time interval between an authentication failure and the start of a new authentication.

TransmitPeriod Time to wait for a response from the supplicant for EAP Request/Identity packets.

SupplicantTimeout Time to wait for a response from the supplicant for all EAP packets except EAP Request/Identity.

ServerTimeout Time to wait for a response from the RADIUS server.

MaximumRequests Number of times to retry sending packets to the supplicant.

ReAuthenticationPeriod Time interval between successive reauthentications.


Page 270: NN47205 505 05.03 Configuration Security


ReAuthenticationEnabled Whether to reauthenticate or not. Setting this object to Enabled causes reauthentication of the existing supplicant at the time interval specified in the ReAuthenticationPeriod field.

KeyTxEnabled The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state machine. This always returns False because key transmission is irrelevant.

LastEapolFrameVersion The protocol version number carried in the most recently received EAPOL frame.

LastEapolFrameSource The source MAC address carried in the most recently received EAPOL frame.

Configuring general switch security using Device Manager

Configure general switch security to configure and manage general security parameters for the switch.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the General tab.

3 Configure general switch security parameters as required.

4 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure general switch security.


Page 271: NN47205 505 05.03 Configuration Security


Table 97 General tab fields

Variable Value

AuthSecurityLock If this parameter is listed as locked, the agent refuses all requests to modify the security configuration. Entries also include:
• other
• notlocked

AuthCtlPartTime The duration of port partitioning, in seconds. Default: 0 (zero). When the value is zero, the port remains partitioned until it is manually reenabled.

SecurityStatus Indicates whether or not the switch security feature is enabled.

SecurityMode Mode of switch security. Entries include:
• macList: the switch is in MAC-list mode. You can configure more than one MAC address for a port.
• autoLearn: the switch learns the MAC addresses on each port as allowed addresses of that port.

SecurityAction Actions performed by the software when a violation occurs (when SecurityStatus is enabled). The security action specified here applies to all ports of the switch. A blocked address causes the port to be partitioned when unauthorized access is attempted. Selections include:
• noAction: the port does not have security assigned to it, or the security feature is turned off.
• trap: a trap is sent to the trap receive station.
• partitionPort: the port is partitioned.
• partitionPortAndsendTrap: the port is partitioned and traps are sent to the trap receive station.
• daFiltering: the port filters out frames whose destination address field is the MAC address of the unauthorized station.
• daFilteringAndsendTrap: the port filters out frames whose destination address field is the MAC address of the unauthorized station. Traps are sent to trap receive stations.
• partitionPortAnddaFiltering: the port is partitioned and filters out frames whose destination address field is the MAC address of the unauthorized station.
• partitionPortdaFilteringAndsendTrap: the port is partitioned and filters out frames whose destination address field is the MAC address of the unauthorized station. Traps are sent to trap receive stations.

ATTENTION
da means destination address.

CurrNodesAllowed Current number of entries of the nodes allowed in the AuthConfig tab.

MaxNodesAllowed Maximum number of entries of the nodes allowed in the AuthConfig tab.

PortSecurityStatus Set of ports for which security is enabled.

PortLearnStatus Set of ports where autolearning is enabled.

CurrSecurityLists Current number of entries of the security lists in the SecurityList tab.

MaxSecurityLists Maximum number of entries of the security lists in the SecurityList tab.

AutoLearningAgingTime Specifies the MAC address age-out time, in minutes, for the autolearned MAC addresses. A value of zero (0) indicates that the addresses never age out.

Security list configuration using Device Manager

Configure the security list to manage the port members in a security list.

Security list configuration using Device Manager navigation

• “Adding ports to a security list using Device Manager” (page 273)

• “Deleting specific ports from a security list using Device Manager” (page 273)

• “Deleting all ports from a security list using Device Manager” (page 274)


Page 273: NN47205 505 05.03 Configuration Security


Adding ports to a security list using Device Manager

Add ports to the security list to insert new port members into a security list.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SecurityList tab.

3 Click Insert.

4 In the SecurityListIndx box, accept the default sequential security list number provided by the switch.

OR

Type a number for the security list.

5 Click the ellipsis (...) for SecurityListMembers .

6 In the SecurityListMembers dialog box, select the ports to add to the security list.

OR

Click All to select all ports.

7 Click Ok .

8 Click Insert.

--End--

Variable definitions

Use the data in the following table to add ports to the security list.

Variable Value

SecurityListIndx A numerical identifier for a security list. Values range from 1 to 32.

SecurityListMembers Defines the security list port members.

Deleting specific ports from a security list using Device Manager

Delete specific ports from a security list to remove specific existing port members from a security list.


Page 274: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SecurityList tab.

3 Double-click the SecurityListMembers box for a security list.

4 Deselect security list port members as required.

5 Click Ok.

6 Click Apply.

--End--

Variable definitions

Use the data in the following table to delete specific ports from a security list.

Variable Value

SecurityListIndx A numerical identifier for a security list. Values range from 1 to 32.

SecurityListMembers Defines the security list port members.

Deleting all ports from a security list using Device Manager

Delete all ports from a security list to remove all existing port members from a security list.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SecurityList tab.

3 Click the SecurityListMembers box for a security list.

4 Click Delete.

5 Click Yes.

--End--


Page 275: NN47205 505 05.03 Configuration Security


Variable definitions

Use the data in the following table to delete all ports from a security list.

Variable Value

SecurityListIndx A numerical identifier for a security list. Values range from 1 to 32.

SecurityListMembers Defines the security list port members.

AuthConfig list configuration using Device Manager

The AuthConfig list consists of a list of boards, ports and MAC addresses that have the security configuration. An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU. Otherwise, a GENERR return value is returned.

AuthConfig list configuration using Device Manager navigation

• “Adding entries to the AuthConfig list using Device Manager” (page 275)

• “Deleting entries from the AuthConfig list using Device Manager” (page 276)

Adding entries to the AuthConfig list using Device Manager

Add entries to the AuthConfig list to add information to the list of boards, ports and MAC addresses that have the security configuration.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the AuthConfig tab.

3 Click Insert.

4 In the Insert AuthConfig dialog box, type the new entry information.

5 Click Insert.

--End--

Variable definitions

Use the data in the following table to add entries to the AuthConfig list.


Page 276: NN47205 505 05.03 Configuration Security


Variable Value

BrdIndx Index of the board. This corresponds to the unit.

ATTENTION
If this field is specified, the SecureList field is 0.

PortIndx Index of the port.

ATTENTION
If this field is specified, the SecureList field is 0.

MACIndx An index of MAC addresses that are designated as allowed (station).

AccessCtrlType Displays whether the node entry is node allowed or node blocked. A MAC address can be allowed on multiple ports.

SecureList The index of the security list. This value is meaningful only if the BrdIndx and PortIndx values are set to zero. For other board and port index values, this field can also have the value of zero. The corresponding MAC address of this entry is allowed or blocked on all ports of this port list.

Deleting entries from the AuthConfig list using Device Manager

Delete entries from the AuthConfig list to remove information from the list of boards, ports, and MAC addresses that have the security configuration.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the AuthConfig tab.

3 Select a list entry.

4 Click Delete.

5 Click Yes.

--End--


Page 277: NN47205 505 05.03 Configuration Security


Configuring MAC Address AutoLearn using Device Manager

Configure MAC Address AutoLearn to configure the MAC address auto-learning properties of switch ports.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the AutoLearn tab.

3 Double-click the Enabled box for a port.

4 Select true to enable AutoLearn on the port.

OR

Select false to disable AutoLearn on the port.

5 Double-click the MaxMacs box for a port.

6 Type a value between 1 and 25.

7 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure MAC Address AutoLearn.

Variable Value

Brd Identifies the board.

Port Identifies the port.

Enabled Enables or disables AutoLearning on a port. Values are true or false.

MaxMacs Defines the maximum number of MAC addresses that the port can learn.
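To make the General tab fields (SecurityMode, SecurityAction, AuthCtlPartTime) and the AutoLearn limit above concrete, here is a small model of one secured port. It is an added example written for this page, not Nortel code, and it abstracts the switch: it assumes that a port with security enabled never forwards a frame whose source MAC is outside its allowed list, that the SecurityAction only adds the reaction (partitioning the port, filtering frames addressed to the unauthorized station, sending a trap), that autoLearn adds sources to the allowed list until MaxMacs is reached, and that a non-zero AuthCtlPartTime lifts the partition after that many seconds. Address ageing is not modelled; the MAC addresses and frames are constructed.

```python
"""Model of MAC address-based port security as described by the General and
AutoLearn tabs.  Illustrative code for this page, not Nortel's implementation;
the forwarding assumptions are stated in the lead-in above."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# SecurityAction name -> (partition the port, filter frames to the station, send a trap)
ACTIONS = {
    "noAction":                            (False, False, False),
    "trap":                                (False, False, True),
    "partitionPort":                       (True,  False, False),
    "partitionPortAndsendTrap":            (True,  False, True),
    "daFiltering":                         (False, True,  False),
    "daFilteringAndsendTrap":              (False, True,  True),
    "partitionPortAnddaFiltering":         (True,  True,  False),
    "partitionPortdaFilteringAndsendTrap": (True,  True,  True),
}


@dataclass
class SecurePort:
    mode: str                        # "macList" or "autoLearn" (SecurityMode)
    action: str                      # one of ACTIONS (SecurityAction)
    allowed: Set[str] = field(default_factory=set)   # AuthConfig entries for this port
    max_macs: int = 1                # MaxMacs for autoLearn, 1 to 25
    part_time: int = 0               # AuthCtlPartTime in seconds; 0 = until manually re-enabled
    partitioned_at: Optional[int] = None
    blocked: Set[str] = field(default_factory=set)   # stations hit by daFiltering
    traps: List[str] = field(default_factory=list)   # traps that would go to the trap receiver

    def __post_init__(self) -> None:
        if self.mode not in ("macList", "autoLearn") or self.action not in ACTIONS:
            raise ValueError("unknown SecurityMode or SecurityAction")
        if not 1 <= self.max_macs <= 25:
            raise ValueError("MaxMacs must be between 1 and 25")

    def is_partitioned(self, now: int) -> bool:
        """A timed partition (AuthCtlPartTime > 0) expires on its own; 0 never does."""
        if self.partitioned_at is None:
            return False
        if self.part_time and now - self.partitioned_at >= self.part_time:
            self.partitioned_at = None
            return False
        return True

    def reenable(self) -> None:
        """Manual re-enable, the only way out of a partition when AuthCtlPartTime is 0."""
        self.partitioned_at = None

    def handle(self, src: str, dst: str, now: int = 0) -> str:
        """Return the port's disposition of one frame: forward, drop or violation."""
        if self.is_partitioned(now):
            return "drop:partitioned"
        if dst in self.blocked:                       # daFiltering: frames *to* the intruder
            return "drop:da-filtered"
        if src in self.allowed:
            return "forward"
        if self.mode == "autoLearn" and len(self.allowed) < self.max_macs:
            self.allowed.add(src)                     # learned as an allowed address
            return "forward:learned"
        partition, da_filter, trap = ACTIONS[self.action]
        if partition:
            self.partitioned_at = now
        if da_filter:
            self.blocked.add(src)
        if trap:
            self.traps.append(f"unauthorized source {src}")
        return "violation:" + self.action


if __name__ == "__main__":
    port = SecurePort(mode="macList", action="partitionPortAndsendTrap",
                      allowed={"00:11:22:33:44:55"}, part_time=0)
    frames = [("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),   # constructed sample frames
              ("de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"),
              ("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")]
    for t, (src, dst) in enumerate(frames):
        print(t, src, "->", port.handle(src, dst, now=t))
    print("traps:", port.traps)
```

The walk-through shows the operational cost of the partition actions: after one unauthorized frame the legitimate station is cut off as well until AuthCtlPartTime expires or someone re-enables the port, whereas daFiltering only drops frames addressed to the intruder and leaves the authorized stations running.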

Viewing AuthStatus information using Device Manager

View AuthStatus information to display authorized boards and port status data collection information. Displayed information includes the actions to be performed when an unauthorized station is detected and the current security status of a port.


Page 278: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the AuthStatus tab.

--End--

Variable definitions

Use the data in the following table to view AuthStatus information.

Variable Value

AuthStatusBrdIndx The index of the board. This corresponds to the index of the slot containing the board if the index is greater than zero.

AuthStatusPortIndx The index of the port on the board. This corresponds to the index of the last manageable port on the board if the index is greater than zero.

AuthStatusMACIndx The index of the MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.

CurrentAccessCtrlType Displays whether the node entry is node allowed or node blocked type.

CurrentActionMode A value representing the type of information contained, including:
• noAction: the port does not have security assigned to it, or the security feature is turned off.
• partitionPort: the port is partitioned.
• partitionPortAndsendTrap: the port is partitioned and traps are sent to the trap receive station.
• Filtering: the port filters out frames whose destination address field is the MAC address of the unauthorized station.
• FilteringAndsendTrap: the port filters out frames whose destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receive station.
• sendTrap: a trap is sent to trap receive stations.
• partitionPortAnddaFiltering: the port is partitioned and filters out frames whose destination address field is the MAC address of the unauthorized station.
• partitionPortdaFilteringAndsendTrap: the port is partitioned and filters out frames whose destination address field is the MAC address of the unauthorized station. Traps are sent to trap receive stations.

CurrentPortSecurStatus Displays the security status of the current port:
• If the port is disabled, notApplicable is returned.
• If the port is in a normal state, portSecure is returned.
• If the port is partitioned, portPartition is returned.

Viewing AuthViolation information using Device Manager

View AuthViolation information to display a list of boards and ports where network access violations have occurred, and to display the identity of the offending MAC addresses.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the AuthViolation tab.

--End--

Variable definitions

Use the data in the following table to view AuthViolation information.

Variable Value

BrdIndx The index of the board. This corresponds to the slot containing the board. The index is 1 where it is not applicable.


Page 280: NN47205 505 05.03 Configuration Security


PortIndx The index of the port on the board. This corresponds to the port on which a security violation was seen.

MACAddress The MAC address of the device attempting unauthorized network access (MAC address-based security).

Viewing MacViolation information using Device Manager

View MacViolation information to display a list of boards and ports where network access violations have occurred, and to display the identity of the offending MAC addresses.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the MacViolation tab.

--End--

Variable definitions

Use the data in the following table to view MacViolation information.

Variable Value

Address The MAC address of the device attempting unauthorized network access (MAC address-based security).

Brd The index of the board. This corresponds to the slot containing the board. The index is 1 when it is not applicable.

Port The index of the port on the board. This corresponds to the port on which a security violation was seen.

Configuring the Secure Shell protocol using Device Manager

Configure the Secure Shell (SSH) protocol to replace Telnet and provide secure access to the NNCLI.


Page 281: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SSH tab.

3 Configure SSH parameters as required.

4 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure SSH.

Variable Value

Enable Enables or disables SSH RSA authentication.

Version Displays the SSH version.

Port Defines the SSH connection port. Values range from 1 to 65535.

Timeout Defines the SSH connection timeout in seconds. Values range from 1 to 120 seconds.

KeyAction Specifies the SSH key action.

DsaAuth Enables or disables SSH DSA authentication.

PassAuth Enables or disables SSH password authentication.

DsaHostKeyStatus Indicates the current status of the SSH DSA host key. If the DSA host key has not yet been generated, the value is notGenerated(1). If it has already been generated, the value is generated(2). If it is currently being generated, the value is generating(3).

LoadServerAddr Indicates the IP address of the TFTP server used for all TFTP operations.

TftpServerInetAddressType Indicates the address type of the TFTP server address.

TftpServerInetAddress Specifies the IP address of the TFTP server for all TFTP operations.

TftpFile Indicates the name of file for the TFTP transfer.

TftpAction Specifies the action for the TFTP transfer.

TftpResult Displays the result of the last TFTP action request.


Page 282: NN47205 505 05.03 Configuration Security


SshAuthKeyFilename Specifies the SSH authentication key file to download.

UsbTargetUnit Specifies the unit number of the USB port to use for file uploads and downloads. Values range from 1 to 9. Values 1 to 8 apply to a USB port in a switch stack. Value 9 applies to a standalone switch.

DnldSshAuthKeyFromUsb Specifies to download the SSH authentication key using the USB port.

DnldSshAuthKeyFromUsbStatus Indicates the status of the latest SSH authentication key download using the USB port. Values include the following:
• other: no action taken since the switch booted up
• inProgress: authentication key download is in progress
• success: authentication key download completed successfully
• fail: authentication key download failed

Viewing SSH Sessions information using Device Manager

View SSH Sessions information to display the currently active SSH sessions.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SSH Sessions tab.

--End--

Variable definitions

Use the data in the following table to view SSH Sessions information.

Variable Value

SshSessionInetAddressType Indicates the type of IP address of the SSH client that opened the SSH session.

SshSessionInetAddress Indicates the IP address of the SSH client that opened the SSH session.


Page 283: NN47205 505 05.03 Configuration Security


Configuring SSL using Device Manager

Configure Secure Socket Layer (SSL) to provide your network with a secure Web management interface.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, Security.

2 Click the SSL tab.

3 Configure SSL as required.

4 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure SSL.

Variable Value

Enabled Indicates whether SSL is enabled or disabled.

CertificateControl Enables the creation and deletion of SSL certificates. Create allows you to create an SSL certificate; delete allows you to delete an SSL certificate. Setting the value to other (3) results in a wrongValue error. When retrieved, the object returns the last value set, or other (3) if the object was never set.

CertificateExists Indicates whether a valid SSL certificate has been created. A value of true (1) indicates that a valid certificate has been created. A value of false (2) indicates that no valid certificate has been created, or that the certificate has been deleted.


Page 284: NN47205 505 05.03 Configuration Security


CertificateControlStatus Indicates the status of the most recent attempt to create or delete a certificate. The possible status messages are as follows:
• inProgress: the operation is not yet completed
• success: the operation is complete
• failure: the operation failed
• other: the s5AgSslCertificateControl object was never set

ServerControl Resets the SSL server. Values are reset and other. The default is other.

ATTENTION
You cannot reset the SSL server while creating the SSL certificate.

RADIUS Server security configuration using Device Manager

Configure RADIUS Server security to configure and manage RADIUS-based network security and the 802.1X dynamic authorization extension (RFC 3576).

RADIUS Server configuration using Device Manager navigation

• “Configuring the RADIUS server using Device Manager” (page 284)

• “Viewing RADIUS Dynamic Authorization server information using Device Manager” (page 286)

• “802.1X dynamic authorization extension (RFC 3576) configuration using Device Manager” (page 287)

• “Viewing RADIUS Dynamic Server statistics using Device Manager” (page 290)

• “Graphing RADIUS Dynamic Server statistics using Device Manager” (page 290)

Configuring the RADIUS server using Device Manager

Configure the RADIUS server to store client or user credentials, passwords, and access privileges.


Page 285: NN47205 505 05.03 Configuration Security


Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Server tab.

3 Configure RADIUS server parameters as required.

4 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the RADIUS server.

Variable Value

PrimaryRadiusServerAddressType

Specifies the type of primary IP addressused by the Nortel SNAS 4050. Values areunknown, ipv4, and ipv6.

PrimaryRadiusServer Specifies the IP address of the primaryRADIUS server (default: 0.0.0.0).

ATTENTIONIf there is no primary RADIUS server, setthe value of this field to 0.0.0.0 .

SecondaryRadiusServerAddressType

Specifies the type of secondary IP addressused by the Nortel SNAS 4050. Values areunknown, ipv4, and ipv6.

SecondaryRadiusServer Specifies the IP address of the secondaryRADIUS server (default: 0.0.0.0). Thesecondary RADIUS server is used only if theprimary server is unavailable or unreachable.

RadiusServerUdpPort Specifies the UDP port number (default:1812). The port number can range between1 and 65535.

RadiusServerTimeout Specifies the timeout interval between eachretry, for service requests to the RADIUSserver. The default is 2 Seconds. Thetimeout period can range between 1 and 60seconds.


SharedSecret(key)  Specifies the value of the shared secret key.

ATTENTION
The shared secret key has a maximum of 16 characters. The shared secret is the only key material that protects the RADIUS exchange between the switch and the server, so use the full length and avoid dictionary words: a short or guessable secret can be recovered offline from a single captured request and response pair.

ConfirmedSharedSecret(key)  Confirms the value of the shared secret key specified in the SharedSecret(key) field. This field usually appears blank and is used when you change the SharedSecret(key) field. You must enter the value twice to confirm the string entered in SharedSecret(key).

Viewing RADIUS Dynamic Authorization server information using Device Manager

View the RADIUS Dynamic Authorization server information for the switch.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Auth. Server tab.

--End--

Variable definitions
Use the data in the following table to view the number of Disconnect and CoA requests received from unknown addresses.

Variable Value

Identifier  Indicates the Network Access Server (NAS) identifier of the RADIUS Dynamic Authorization Server.

DisconInvalidClientAddresses  Indicates the number of Disconnect-Request packets received from unknown addresses. A rising count means a host that is not a configured Dynamic Authorization client is sending Disconnect-Requests to the switch; the requests are discarded, but the source should be investigated.

CoAInvalidClientAddresses  Indicates the number of CoA-Request packets received from unknown addresses.


802.1X dynamic authorization extension (RFC 3576) configuration using Device Manager

Configure the 802.1X dynamic authorization extension (RFC 3576) to enable the RADIUS server to send a change of authorization (CoA) or disconnect command to the Network Access Server (NAS).

802.1X dynamic authorization extension (RFC 3576) configuration using Device Manager navigation

• “Configuring 802.1X dynamic authorization extension (RFC 3576) client using Device Manager” (page 287)

• “Editing the 802.1X dynamic authorization extension (RFC 3576) client information using Device Manager” (page 288)

• “Editing the 802.1X dynamic authorization extension (RFC 3576) client secret word using Device Manager” (page 289)

Configuring 802.1X dynamic authorization extension (RFC 3576) client using Device Manager
Configure the RADIUS Dynamic Authorization client parameters for the switch. Each entry identifies one RADIUS server that is permitted to send CoA and Disconnect requests to the switch, and the secret used to authenticate those requests.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Auth. Client tab.

3 Click Insert.

4 Configure the RADIUS Dynamic Authorization client parameters as required.

5 Click Insert.

--End--

Variable definitions
Use the data in the following table to configure the RADIUS Dynamic Authorization client parameters.

Variable Value

AddressType  Defines the IP address type for the RADIUS Dynamic Authorization Client.


Address  Defines the IP address of the RADIUS Dynamic Authorization Client. Requests that arrive from any other address are discarded and counted in DisconInvalidClientAddresses or CoAInvalidClientAddresses.

Enabled  Enables packet receiving from the RADIUS Dynamic Authorization Client.

UdpPort  Configures the UDP port on which the switch (the NAS) listens for requests from the RADIUS Dynamic Authorization Client. Values range from 1025 to 65535. RFC 3576 assigns UDP port 3799 to dynamic authorization; whatever port you choose must match the port the RADIUS server sends to.

ProcessCoARequests  Enables change of authorization (CoA) request processing.

ProcessDisconnectRequests  Enables disconnect request processing.

Secret  Configures the RADIUS Dynamic Authorization Client secret word. Under RFC 3576, a request whose Request Authenticator does not verify under this secret is silently discarded.

ConfirmedSecret  Confirms the RADIUS Dynamic Authorization Client secret word.
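The exchange that the RADIUS Server tab and the Dynamic Authorization client table configure, as an added worked example in Python (not Nortel code and not the switch's implementation): the RADIUS server acts as the RFC 3576 Dynamic Authorization Client and sends a Disconnect-Request or CoA-Request; the switch, acting as the NAS, accepts it only from a configured and enabled client address, verifies the Request Authenticator under that client's secret, honours the ProcessCoARequests and ProcessDisconnectRequests flags, and counts requests from unknown addresses in the DisconInvalidClientAddresses and CoAInvalidClientAddresses counters shown on the server tab. The client address 10.0.0.5, the secret, the user alice on port 1/5, and the class and function names are assumptions made for the example; the MD5 authenticator construction is the same one that the SharedSecret(key) on the RADIUS Server tab protects.

```python
"""Added example (not Nortel code): an RFC 3576 Disconnect/CoA exchange between a
RADIUS Dynamic Authorization Client (the RADIUS server) and a NAS modelled on the
switch's client table and unknown-address counters. Addresses, secrets and the
user session are constructed for the example."""
import hashlib
import hmac
import struct

# Packet codes (RFC 2865 / RFC 3576), attribute types and Error-Cause values used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, ERROR_CAUSE = 1, 101
ADMINISTRATIVELY_PROHIBITED, SESSION_CONTEXT_NOT_FOUND = 501, 503


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Decode a RADIUS attribute list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_request(code, ident, attrs, secret):
    """RFC 3576 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def response_is_valid(response, request, secret):
    """What the RADIUS server checks before trusting an ACK or NAK from the NAS."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


class SwitchDynAuthServer:
    """NAS side: one entry per RADIUS Dynamic Auth. Client (Address, Enabled, Secret,
    ProcessCoARequests, ProcessDisconnectRequests) plus the Dynamic Auth. Server tab counters."""

    def __init__(self, clients, sessions):
        self.clients = clients            # ip -> {"secret", "enabled", "coa", "disconnect"}
        self.sessions = dict(sessions)    # constructed: User-Name -> authenticated port
        self.discon_invalid_client_addresses = 0
        self.coa_invalid_client_addresses = 0

    def handle(self, src_ip, packet):
        """Return the reply to send, or None when the request is silently discarded."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
            return None
        is_coa = code == COA_REQUEST
        client = self.clients.get(src_ip)
        if client is None or not client["enabled"]:
            # Unknown or disabled source: drop with no reply and count it.
            if is_coa:
                self.coa_invalid_client_addresses += 1
            else:
                self.discon_invalid_client_addresses += 1
            return None
        secret = client["secret"]
        expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
        if not hmac.compare_digest(packet[4:20], expected):
            return None  # wrong shared secret or tampered packet: discard, never NAK
        ack, nak = (COA_ACK, COA_NAK) if is_coa else (DISCONNECT_ACK, DISCONNECT_NAK)
        if not client["coa" if is_coa else "disconnect"]:
            cause = struct.pack("!I", ADMINISTRATIVELY_PROHIBITED)
            return build_response(nak, packet, [(ERROR_CAUSE, cause)], secret)
        try:
            attrs = dict(decode_attrs(packet[20:]))
        except ValueError:
            return None
        user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
        if user not in self.sessions:
            cause = struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)
            return build_response(nak, packet, [(ERROR_CAUSE, cause)], secret)
        if not is_coa:
            del self.sessions[user]   # port is de-authorized; the client must re-authenticate
        return build_response(ack, packet, [], secret)


def run_scenarios():
    """Constructed exchange: one enabled client at 10.0.0.5 with CoA off, one session for alice."""
    secret = b"Sup3rS3cret!"   # at most 16 characters on the switch
    nas = SwitchDynAuthServer(
        {"10.0.0.5": {"secret": secret, "enabled": True, "coa": False, "disconnect": True}},
        {"alice": "1/5"})
    out = {}
    req = build_request(DISCONNECT_REQUEST, 1, [(USER_NAME, b"alice")], secret)
    out["unknown_discarded"] = nas.handle("10.0.0.9", req) is None      # not in client table
    out["discon_invalid"] = nas.discon_invalid_client_addresses
    bad = build_request(DISCONNECT_REQUEST, 2, [(USER_NAME, b"alice")], b"wrong")
    out["bad_secret_discarded"] = nas.handle("10.0.0.5", bad) is None and "alice" in nas.sessions
    coa = build_request(COA_REQUEST, 3, [(USER_NAME, b"alice")], secret)
    nak = nas.handle("10.0.0.5", coa)                                     # ProcessCoARequests false
    out["coa_nak"] = nak[0] == COA_NAK and response_is_valid(nak, coa, secret)
    out["coa_error_cause"] = struct.unpack("!I", dict(decode_attrs(nak[20:]))[ERROR_CAUSE])[0]
    ack = nas.handle("10.0.0.5", req)                                     # valid Disconnect-Request
    out["disconnect_ack"] = ack[0] == DISCONNECT_ACK and response_is_valid(ack, req, secret)
    out["session_cleared"] = "alice" not in nas.sessions
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Two design points carry over to the real switch: a request from an address that is not in the client table, or one whose authenticator fails, gets no reply at all, so an attacker probing the UdpPort learns nothing about which secret is configured; and a NAK with Error-Cause 501 is only ever sent to a client that already proved knowledge of the secret.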

Editing the 802.1X dynamic authorization extension (RFC 3576) client information using Device Manager
Edit the RADIUS Dynamic Authorization client parameters for the switch.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Auth. Client tab.

3 Double-click a configurable field in the RADIUS Dynamic Auth. Client table.

4 Edit the RADIUS Dynamic Authorization client parameters as required.

5 Click Apply.

--End--

Variable definitions
Use the data in the following table to edit the RADIUS Dynamic Authorization client parameters.


Variable Value

AddressType  Defines the IP address type for the RADIUS Dynamic Authorization Client. This is a read-only value.

Address  Defines the IP address of the RADIUS Dynamic Authorization Client. This is a read-only value.

Enabled  Enables or disables packet receiving from the RADIUS Dynamic Authorization Client.

• enable: true

• disable: false

UdpPort  Configures the UDP port on which the switch (the NAS) listens for requests from the RADIUS Dynamic Authorization Client. Values range from 1025 to 65535.

ProcessCoARequests  Enables change of authorization (CoA) request processing.

ProcessDisconnectRequests  Enables disconnect request processing.

Secret  The RADIUS Dynamic Authorization Client secret word. This box remains empty; use Change Secret to set a new value.

Editing the 802.1X dynamic authorization extension (RFC 3576) client secret word using Device Manager
Edit the RADIUS Dynamic Authorization client secret word to change the existing secret word.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Auth. Client tab.

3 Click Change Secret.

4 In the Secret dialog box, type a new secret word.

5 In the Confirmed Secret dialog box, retype the new secret word.


6 Click Apply.

--End--

Viewing RADIUS Dynamic Server statistics using Device Manager
View RADIUS Dynamic Server statistics to review the statistical information kept for each RADIUS Dynamic Server client.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Server Stats tab.

--End--

Variable definitions
Use the data in the following table to view RADIUS Dynamic Server statistics.

Variable Value

ClientIndex  Indicates the RADIUS Dynamic Server client index.

ClientAddressType  Indicates the address type of the RADIUS Dynamic Server client. Values are ipv4 or ipv6.

ClientAddress  Indicates the IP address of the RADIUS Dynamic Server client.

ServerCounterDiscontinuity  Indicates a count of RADIUS Dynamic Server counter discontinuities.

Graphing RADIUS Dynamic Server statistics using Device Manager
Graph RADIUS Dynamic Server statistics to display a graphical representation of the statistics for a RADIUS Dynamic Server client.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Security, RADIUS.

2 Click the RADIUS Dynamic Server Stats tab.


3 Click any box for a displayed RADIUS Dynamic Server client.

4 Click Graph.

5 Click and drag your cursor to highlight all the RADIUS Dynamic Server statistical information to graph.

6 Click Line Chart, Area Chart, Bar Chart, or Pie Chart.

--End--

DHCP snooping configuration using Device Manager
Configure DHCP snooping to protect your network from DHCP spoofing: the switch forwards DHCP server messages only from trusted ports, and it builds a binding table of client MAC address, IP address, VLAN, and port from the leases it observes. Dynamic ARP inspection and IP Source Guard both depend on that binding table.

DHCP snooping configuration using Device Manager navigation

• “Configuring DHCP snooping globally using Device Manager” (page 291)

• “Configuring DHCP snooping on a VLAN using Device Manager” (page 292)

• “Configuring DHCP snooping port trust using Device Manager” (page 292)

• “Viewing the DHCP binding information using Device Manager” (page 293)

Configuring DHCP snooping globally using Device Manager
Configure DHCP snooping globally to enable or disable DHCP snooping on the switch.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose IP Routing, DHCP.

2 Click the DHCP snooping tab.

3 Select the DhcpSnoopingEnabled box to enable DHCP snooping globally.

OR

Deselect the DhcpSnoopingEnabled box to disable DHCP snooping globally.

4 Click Apply.

--End--


WARNING
In Layer 3 mode, DHCP snooping must be enabled on the Layer 3 VLANs that span toward the DHCP server. DHCP relay is also required for correct operation.

Configuring DHCP snooping on a VLAN using Device Manager
Configure DHCP snooping on a VLAN to enable or disable DHCP snooping on that VLAN.

ATTENTION
You must enable DHCP snooping separately for each VLAN ID.

ATTENTION
If DHCP snooping is disabled on a VLAN, the switch forwards DHCP reply packets to all applicable ports, whether the port is trusted or untrusted.

Procedure steps

Step Action

1 From the Device view, select a port.

2 From the Device Manager menu bar, choose IP Routing, DHCP.

3 Click the DHCP snooping-VLAN tab.

4 Double-click the DhcpSnoopingEnabled box for the VLAN.

5 Select true to enable DHCP snooping on the VLAN.

OR

Select false to disable DHCP snooping on the VLAN.

6 Click Apply.

--End--

Variable definitions
Use the data in the following table to configure DHCP snooping on a VLAN.

Variable Value

VlanId  Indicates the VLAN ID.

DhcpSnoopingEnabled  Enables or disables DHCP snooping on the VLAN.

Configuring DHCP snooping port trust using Device Manager
Configure DHCP snooping port trust to specify whether a particular port or multiple ports are trusted or untrusted. Ports are untrusted by default. Trust only the ports that connect to the DHCP server or to the uplink toward it: DHCP server messages that arrive on an untrusted port are dropped, whereas a trusted access port lets a rogue DHCP server answer clients.


Procedure steps

Step Action

1 From the Device Manager menu bar, choose IP Routing, DHCP.

2 Click the DHCP snooping-port tab.

3 Double-click the DhcpSnoopingIfTrusted box for a port.

4 Select true to configure the port as trusted.

OR

Select false to configure the port as untrusted.

5 Repeat steps 3 and 4 to configure additional ports as required.

6 Click Apply.

--End--

Variable definitions
Use the data in the following table to configure DHCP snooping on ports.

Table 98 DHCP Snooping-port tab fields

Variable Value

Port  Indicates the port on the switch.

DhcpSnoopingIfTrusted  Indicates whether the port is trusted (true) or untrusted (false). The default is false.

Viewing the DHCP binding information using Device Manager
View the DHCP binding information to review the current DHCP lease information.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose IP Routing, DHCP.

2 Click the DHCP Bindings tab.

The DHCP Bindings dialog box appears, displaying the DHCP binding information.

--End--


Variable definitions
Use the data in the following table to view the DHCP binding information.

Variable Value

VlanId  Identifies the VLAN on the switch.

MacAddress  Indicates the MAC address of the DHCP client.

AddressType  Indicates the IP address type of the DHCP client binding.

Address  Indicates the IP address of the DHCP client.

Interface  Indicates the interface to which the DHCP client is connected.

LeaseTime(sec)  Indicates the lease time (in seconds) of the DHCP client binding.

TimeToExpiry(sec)  Indicates the time (in seconds) before the DHCP client binding expires.

Dynamic ARP inspection configuration using Device Manager
Use dynamic ARP inspection to validate ARP packets in a network. On untrusted ports in a VLAN with ARP inspection enabled, the switch checks the sender MAC and IP address of each ARP packet against the DHCP snooping binding table and drops packets that do not match, which blocks ARP cache poisoning by hosts claiming another host's address.

Dynamic ARP inspection configuration using Device Manager navigation

• “Configuring dynamic ARP inspection on VLANs using Device Manager” (page 294)

• “Configuring dynamic ARP inspection on ports using Device Manager” (page 295)

Configuring dynamic ARP inspection on VLANs using Device Manager
Configure ARP inspection on a VLAN to enable or disable ARP inspection on one or more VLANs.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose IP Routing, IP.

2 Click the ARP Inspection-VLAN tab.

3 Double-click the ARPInspectionEnabled box for a VLAN.

4 Select true to enable ARP inspection on the VLAN.

OR


Select false to disable ARP inspection on the VLAN.

5 Repeat steps 3 and 4 for additional VLANs as required.

6 Click Apply.

--End--

Configuring dynamic ARP inspection on ports using Device Manager
Configure ARP inspection on a port to mark one or more ports as trusted or untrusted for ARP inspection. ARP packets received on a trusted port are not inspected, so trust only ports that face other switches, never access ports.

Procedure steps

Step Action

1 From Device Manager, select IP Routing, IP. The IP window appears.

2 Select the ARP Inspection-Port tab.

3 Double-click the ARPInspectionIfTrusted box for a port.

4 Select true to configure the port as trusted (ARP packets on the port are not validated).

OR

Select false to configure the port as untrusted (ARP packets on the port are validated against the DHCP snooping bindings).

5 Repeat steps 3 and 4 for additional ports as required.

6 Click Apply.

--End--

IP Source Guard configuration using Device Manager
This section describes how to configure IP Source Guard to add a higher level of security to a port or ports by preventing IP spoofing: a port with IP Source Guard enabled forwards only IP packets whose source address is in the list of addresses allowed for that port.

ATTENTION
Nortel recommends that you do not enable IP Source Guard on trunk ports.

ATTENTION
Nortel recommends that you carefully manage the number of applications running on the Ethernet Routing Switch 4500 that use filters. For example, if you configure NSNA on ports and attempt to configure IP Source Guard on those same ports, the IP Source Guard configuration can fail due to the limited number of filters available.


Prerequisites
Before you can configure IP Source Guard, you must ensure the following:

• Dynamic Host Configuration Protocol (DHCP) snooping is globally enabled. For more information, see “DHCP snooping configuration using Device Manager navigation” (page 291).

• The port is a member of a Virtual LAN (VLAN) configured with DHCP snooping and dynamic Address Resolution Protocol (ARP) inspection.

• The port is an untrusted DHCP snooping and dynamic ARP inspection port.

• The bsSourceGuardConfigMode MIB object exists. This MIB object is used to control the IP Source Guard mode on an interface.

• The following applications are not enabled:

— BaySecure (MAC address-based security)

— Extensible Authentication Protocol over LAN (EAPOL)

ATTENTION
Hardware resources can run out if IP Source Guard is enabled on trunk ports with a large number of VLANs that have DHCP snooping enabled. If this happens, traffic can be interrupted for some clients. Nortel recommends that you do not enable IP Source Guard on trunk ports.

IP Source Guard configuration using Device Manager navigation

• “Configuring IP Source Guard on a port using Device Manager” (page 296)

• “Filtering IP Source Guard addresses using Device Manager” (page 297)

• “Viewing IP Source Guard port statistics using Device Manager” (page 298)

Configuring IP Source Guard on a port using Device Manager
Configure IP Source Guard to enable or disable source IP address filtering on a port or ports.

Procedure steps

Step Action

1 From the Device Manager menu bar, select IP Routing, DHCP.

2 Click the IP Source Guard-port tab.


3 In the IP Source Guard-port dialog box, double-click the Mode box for a port.

4 Select ip from the list to enable IP Source Guard.

OR

Select disabled from the list to disable IP Source Guard.

5 Click Apply.

6 Click Refresh to update the IP Source Guard-port dialog box display.

--End--

Variable definitions
Use the data in the following table to enable IP Source Guard on a port.

Variable Value

Port  Identifies the port number.

Mode  Identifies the IP Source Guard mode for the port. The mode can be disabled or ip. The default mode is disabled. In ip mode, only IP packets whose source address is in the port's IP Source Guard address list, which is learned from the DHCP snooping bindings for that port, are forwarded.
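DHCP snooping, dynamic ARP inspection and IP Source Guard, as configured in the preceding procedures, all key off the same binding table, which is why the IP Source Guard prerequisites require snooping and ARP inspection on the VLAN and an untrusted port. The following Python model is an added example, not Nortel code and not the switch's implementation: it enforces those prerequisites, drops DHCP server messages on untrusted ports, learns a binding from a server ACK, validates ARP sender addresses on untrusted ports, and filters IP source addresses on a guarded port. The port names (1/24 uplink, 1/5 client, 1/7 attacker), VLAN 10, the addresses, the DHCP and ARP messages, and the class and method names are all constructed for it.

```python
"""Added example (not Nortel code): a model of how DHCP snooping, dynamic ARP inspection
and IP Source Guard share one binding table. Port names, VLAN, addresses and the
DHCP/ARP messages are constructed for the example."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass
class Binding:                  # one row of the DHCP Bindings tab
    vlan: int
    mac: str
    ip: str
    port: str
    lease: int


class L2SecuritySwitch:
    def __init__(self):
        self.snooping_enabled = False      # DhcpSnoopingEnabled (global)
        self.snooping_vlans = set()        # DhcpSnoopingEnabled per VLAN
        self.dhcp_trusted = set()          # DhcpSnoopingIfTrusted = true
        self.arp_vlans = set()             # ARPInspectionEnabled per VLAN
        self.arp_trusted = set()           # ARPInspectionIfTrusted = true
        self.source_guard = set()          # IP Source Guard Mode = ip
        self.bindings = {}                 # (vlan, mac) -> Binding
        self.pending = {}                  # (vlan, mac) -> client port awaiting a lease
        self.dropped = []                  # (feature, port, detail), like the stats tabs

    def enable_source_guard(self, port, vlan):
        """The prerequisites listed on this page, enforced: snooping on globally and on the
        VLAN, ARP inspection on the VLAN, and the port untrusted for both features."""
        ok = (self.snooping_enabled and vlan in self.snooping_vlans and vlan in self.arp_vlans
              and port not in self.dhcp_trusted and port not in self.arp_trusted)
        if ok:
            self.source_guard.add(port)
        return ok

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, lease=0):
        """Snooping decision for one DHCP message; learns a binding from an ACK."""
        if not (self.snooping_enabled and vlan in self.snooping_vlans):
            return "forward"      # snooping off: replies reach every port, trusted or not
        if msg in SERVER_MESSAGES and port not in self.dhcp_trusted:
            self.dropped.append(("dhcp-snooping", port, msg))   # rogue server on an access port
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port
        elif msg == "ACK" and (vlan, client_mac) in self.pending:
            client_port = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = Binding(vlan, client_mac, yiaddr, client_port, lease)
        elif msg == "RELEASE":
            self.bindings.pop((vlan, client_mac), None)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP inspection: untrusted ports must match a binding for the same port."""
        if vlan not in self.arp_vlans or port in self.arp_trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        if b and b.ip == sender_ip and b.port == port:
            return "forward"
        self.dropped.append(("arp-inspection", port, f"{sender_ip}/{sender_mac}"))
        return "drop"

    def ip_packet(self, port, src_ip):
        """IP Source Guard: only addresses bound to this port may be used as source."""
        if port not in self.source_guard:
            return "forward"
        if any(b.port == port and b.ip == src_ip for b in self.bindings.values()):
            return "forward"
        self.dropped.append(("ip-source-guard", port, src_ip))
        return "drop"


def run_scenario():
    """VLAN 10: uplink 1/24 to the DHCP server, client on 1/5, attacker on 1/7."""
    sw = L2SecuritySwitch()
    sw.snooping_enabled = True
    sw.snooping_vlans.add(10)
    sw.arp_vlans.add(10)
    sw.dhcp_trusted.add("1/24")
    sw.arp_trusted.add("1/24")
    client, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:07"
    out = {}
    out["rogue_offer"] = sw.dhcp("1/7", 10, "OFFER", client, "192.0.2.200")
    sw.dhcp("1/5", 10, "DISCOVER", client)
    out["server_ack"] = sw.dhcp("1/24", 10, "ACK", client, "192.0.2.10", 3600)
    out["binding_port"] = sw.bindings[(10, client)].port
    out["isg_on_client"] = sw.enable_source_guard("1/5", 10)
    out["isg_on_trusted_uplink"] = sw.enable_source_guard("1/24", 10)
    out["arp_client"] = sw.arp("1/5", 10, client, "192.0.2.10")
    out["arp_gateway_spoof"] = sw.arp("1/7", 10, attacker, "192.0.2.1")
    out["ip_client"] = sw.ip_packet("1/5", "192.0.2.10")
    out["ip_spoofed"] = sw.ip_packet("1/5", "192.0.2.99")
    out["drops"] = [d[0] for d in sw.dropped]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The order of operations in the scenario matters in practice as well: a client that obtained its lease before snooping was enabled on the VLAN has no binding, so enabling ARP inspection or IP Source Guard afterwards cuts it off until it renews.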

Filtering IP Source Guard addresses using Device Manager
Filter IP Source Guard addresses to display IP Source Guard information for specific IP addresses.

Procedure steps

Step Action

1 From the Device Manager menu bar, select IP Routing, DHCP.

2 Click the IP Source Guard-addresses tab.

3 Click Filter.

4 In the IP Source Guard-addresses - Filter dialog box, select the required parameters for displaying port IP Source Guard information.

5 Click Filter.

IP Source Guard information for the specified IP addresses appears in the IP Source Guard-addresses dialog box.

--End--


Variable definitions
Use the data in the following table to filter IP Source Guard addresses.

Variable Value

Condition  Defines the search condition. Values are:

• AND: includes only entries that match the keywords specified in both the Port and Address fields.

• OR: includes entries that match either of the keywords specified in the Port and Address fields.

Ignore Case  Ignores letter case while searching.

Column  Specifies how the column content is matched. Values are:

• Contains

• Does not contain

• Equals to

All records  Displays all entries in the table.

Port  Searches for the specified port.

Address  Searches for the specified IP address.

Use the data in the following table to display IP Source Guard information for the filtered addresses.

Variable Value

Port  The port number.

Type  The Internet address type.

Address  The IP address allowed by IP Source Guard.

Source  The source of the address entry.

Viewing IP Source Guard port statistics using Device Manager
View IP Source Guard port statistics to display dropped packet statistics for IP Source Guard enabled ports.

Procedure steps

Step Action

1 From the Device Manager menu bar, select IP Routing, DHCP.


2 Click the IP Source Guard-stats tab.

--End--

Variable definitions
Use the data in the following table to understand the IP Source Guard statistics display.

Variable Value

IfIndex  Identifies the slot and port number of the IP Source Guard enabled port.

DroppedPackets  Displays the number of packets dropped on the IP Source Guard enabled port. A steadily rising count on an access port means a host is sending from a source address that is not bound to that port, either through misconfiguration or deliberate spoofing.

SNMP configuration using Device Manager
This section details the configuration options available in the JDM for SNMP. It contains information about the following topics:

• “Configuring the switch to use SNMP using Device Manager” (page 299)

• “Using SNMPv3 in Device Manager” (page 301)

Configuring the switch to use SNMP using Device Manager
For more information about configuring SNMP on the switch, see the following:

• “SNMP tab” (page 299)

• “Trap Receivers tab” (page 300)

SNMP tab
The SNMP tab provides read-only information about the most recent unauthenticated SNMP access attempt, the most recent remote login, and the trap receiver table.

Open the SNMP tab by following this procedure.

Step Action

1 Select the chassis in the Device View.

2 Open the Edit Chassis screen by selecting Edit, Chassis.

3 Click the SNMP tab.

The following table describes the SNMP tab fields.


Table 99 SNMP tab fields

Field Description

LastUnauthenticatedInetAddressType  The type of the IP address from which the last unauthenticated SNMP request was received.

LastUnauthenticatedInetAddress  The IP address from which the last unauthenticated SNMP request was received.

LastUnauthenticatedCommunityString  The community string presented in the last unauthenticated SNMP request. Check these three fields when you review the switch: an address you do not recognize, or a community string you never configured, means someone is probing or guessing SNMP communities.

RemoteLoginInetAddressType  The type of the IP address of the last remote login to the system.

RemoteLoginInetAddress  The IP address of the last remote login to the system.

TrpRcvrMaxEnt  The maximum number of trap receiver entries.

TrpRcvrCurEnt  The current number of trap receiver entries.

TrpRcvrNext  The index of the next trap receiver entry to be created.

--End--

Trap Receivers tab
The Trap Receivers tab lists the devices that receive SNMP traps from the switch.

Open the Trap Receivers tab by following this procedure.

Step Action

1 Select the chassis in the Device View.

2 Open the Edit Chassis screen by selecting Edit, Chassis.

3 Select the Trap Receivers tab.

The following table describes the Trap Receivers tab fields.


Table 100 Trap Receivers tab fields

Field Description

Indx  The index of the entry in the table.

NetAddr  The IP address of the trap receiver.

Community  The community string used for trap messages to this trap receiver.

--End--

Editing network traps
Edit the network traps table by following this procedure.

Step Action

1 In the Trap Receivers tab, click Insert.

2 Type the Index, NetAddr, and Community information.

3 Click Insert.

--End--

Deleting a Trap Receiver entry
Delete a Trap Receiver entry by following this procedure.

Step Action

1 Select the chassis in the Device View.

2 Open the Edit Chassis screen by selecting Edit, Chassis.

3 Select the Trap Receivers tab.

4 Select the trap receiver entry to delete.

5 Click Delete. A confirmation message appears.

6 Click OK. The entry is deleted.

--End--

Using SNMPv3 in Device Manager
The switch allows for configuration of SNMPv3 using Device Manager, Web-based management, or NNCLI.


The SNMP agent supports exchanges using SNMPv1, SNMPv2c, and SNMPv3.

Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.

SNMPv3 support introduces industrial-grade user authentication and message security. This includes MD5 and SHA-based user authentication and message integrity verification, as well as AES- and DES-based privacy encryption. Where your management station supports them, choose SHA for authentication and AES for privacy; MD5 and DES remain available for compatibility with older managers, and DES in particular offers only a 56-bit key. SNMPv1 and SNMPv2c community strings travel in clear text, so limit those versions to read-only views once SNMPv3 users are in place.

ATTENTION
You must configure views and users in NNCLI before you can use SNMPv3. For more information about creating SNMPv3 views and users, see “Configuring SNMP using NNCLI” (page 155).

For instructions about configuring SNMPv3 using Device Manager, see the following:

• “Viewing the details of an SNMPv3 user” (page 302)

• “Creating an SNMPv3 user” (page 303)

• “Viewing group membership” (page 305)

• “Viewing group access rights” (page 306)

• “Viewing MIBs assigned to an object” (page 309)

• “Creating a community” (page 311)

• “Creating a Target Table” (page 312)

• “Creating Target parameters” (page 313)

• “Creating a Notify Table” (page 315)

Viewing the details of an SNMPv3 user
To view the details of an SNMPv3 user, use the following procedure:

Step Action

1 Open the USM Table screen by selecting Edit, SnmpV3, USM Table.

Table 101 USM Table screen items

Field Description

EngineID  Indicates the unique identifier of the SNMP engine. The authentication and privacy keys of every user are localized with this value, so a user's keys on one switch are not valid on another.


Name  Indicates the name of the user in usmUser.

SecurityName  The security name, used as an index into the table. The range is 1 to 32 characters.

AuthProtocol  Identifies the authentication protocol used.

PrivProtocol  Identifies the privacy protocol used.

StorageType  Identifies the storage type used.

--End--

Creating an SNMPv3 user
To create an SNMPv3 user, you must clone and then modify the properties of an existing SNMPv3 user. The new user starts with the cloned user's authentication and privacy settings; you then supply the cloned user's passwords and new passwords so that Device Manager can replace the inherited keys. Do not leave a newly cloned user with the cloned user's passwords.

Create an SNMPv3 user by following this procedure:

Step Action

1 Open the USM Table screen by selecting Edit, SnmpV3, USM Table.

2 Click Insert.

Table 102 “Insert USM Table screen fields” (page 303) describes the Insert USM Table screen fields.

Table 102 Insert USM Table screen fields

Field Description

EngineID  Indicates the unique identifier of the SNMP engine.

New User Name  Creates the new entry with this user name. The name is used as an index into the table. The range is 1 to 32 characters.

Clone From User  Specifies the user name from which the new entry copies its privacy and authentication parameters. The range is 1 to 32 characters.

Auth Protocol (Optional)  Assigns an authentication protocol (or no authentication) from a menu. If this field is selected, the cloned user's AuthPassword and a new AuthPassword must be entered.


Cloned User AuthPassword  Specifies the authentication password of the user being cloned.

New User AuthPassword  Specifies the authentication password for the new user.

Priv Protocol (Optional)  Assigns a privacy protocol (or no privacy) from a menu. If this field is selected, the cloned user's PrivPassword and a new PrivPassword must be entered.

Cloned User PrivPassword  Specifies the privacy password of the user being cloned.

New User PrivPassword  Specifies the privacy password for the new user.

StorageType  Specifies the type of storage:

• volatile

• nonVolatile

• readOnly (not available)

3 Type and select the required information in the Insert USM Table screen.

4 Click Insert.

--End--
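Why the Insert USM Table screen asks for both the cloned user's password and a new one, and why EngineID appears in the table: SNMPv3 user keys are derived from the password and localized with the engine ID (RFC 3414 Appendix A), and a key is replaced on the wire with the KeyChange construction, which never exposes either key. The following Python is an added example, not Nortel code or Device Manager's implementation. The second engine ID, the new password and the function names are constructed for it; the maplesyrup password with engine ID 000000000000000000000002 is the test vector from RFC 3414 Appendix A.

```python
"""Added example (not Nortel code): the RFC 3414 key derivation behind the USM Table
fields. The second engine ID, the new password and the random value are constructed;
RFC 3414 Appendix A supplies the maplesyrup test vector."""
import hashlib
import os

ENGINE_A = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine ID
ENGINE_B = bytes.fromhex("80000247030012345678ab")      # constructed: a second switch


def password_to_key(password, engine_id, hash_name="sha1"):
    """RFC 3414 A.2: stretch the password to 1 MiB, hash it to Ku, then localize it:
    Kul = H(Ku || engineID || Ku). A Kul captured from one agent is useless on another."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(hash_name, stretched).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def key_change(old_key, new_key, random_bytes, hash_name="sha1"):
    """RFC 3414 KeyChange textual convention for keys of one digest length:
    wire value = random || (H(old_key || random) XOR new_key)."""
    digest = hashlib.new(hash_name, old_key + random_bytes).digest()
    if len(new_key) != len(digest) or len(random_bytes) != len(digest):
        raise ValueError("this helper handles keys of exactly one digest length")
    return random_bytes + bytes(a ^ b for a, b in zip(digest, new_key))


def apply_key_change(old_key, wire_value, hash_name="sha1"):
    """Agent side: recover the new key from its current key and the KeyChange value."""
    n = hashlib.new(hash_name).digest_size
    random_bytes, delta = wire_value[:n], wire_value[n:]
    digest = hashlib.new(hash_name, old_key + random_bytes).digest()
    return bytes(a ^ b for a, b in zip(digest, delta))


def clone_user(engine_id, cloned_password, new_password, hash_name="sha1", random_bytes=None):
    """Models Insert USM Table: the manager derives the cloned user's key from
    'Cloned User AuthPassword' and the new key from 'New User AuthPassword', then sends
    only the KeyChange value. Returns (bytes on the wire, key the agent now holds)."""
    old_key = password_to_key(cloned_password, engine_id, hash_name)
    new_key = password_to_key(new_password, engine_id, hash_name)
    if random_bytes is None:
        random_bytes = os.urandom(len(old_key))
    wire = key_change(old_key, new_key, random_bytes, hash_name)
    agent_key = apply_key_change(old_key, wire, hash_name)
    return wire, agent_key


def keys_differ_per_engine(password=b"maplesyrup", hash_name="sha1"):
    """Same password on two switches gives two different localized keys, so one
    compromised agent key table does not unlock the other (the password itself would)."""
    return password_to_key(password, ENGINE_A, hash_name) != password_to_key(password, ENGINE_B, hash_name)


if __name__ == "__main__":
    print(password_to_key(b"maplesyrup", ENGINE_A, "md5").hex())
    print(keys_differ_per_engine())
```

The practical consequence for the procedure above: a manager that already holds the cloned user's password can set the new user's key over an authenticated session without that key ever appearing in the SNMP SET, but anyone who learns the shared password can derive the localized key for every switch, so the cloned-from user must not be a shared template account with a well-known password.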

Deleting an SNMPv3 user
Delete an SNMPv3 user by following this procedure.

Step Action

1 Open the USM Table screen by selecting Edit, SnmpV3, USM Table.

2 Select an entry from the list.

3 Click Delete. A prompt message requests confirmation.

4 Click OK. The user is deleted.

--End--


Viewing group membership
View group membership details in the view-based access control model (VACM) by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table.

Table 103 “VACM screen, Group Membership tab fields” (page 305) describes the VACM screen, Group Membership tab fields.

Table 103 VACM screen, Group Membership tab fields

Field Description

SecurityModel  The security model currently in use.

SecurityName  The name representing the user in usmUser. The range is 1 to 32 characters.

GroupName  The name of the group to which this entry (the combination of securityModel and securityName) belongs.

StorageType  The storage type of the group to which this entry belongs.

--End--

Creating membership for a group
Create memberships for a group by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table.

2 Click Insert.

Table 104 “VACM, Insert Group Membership tab fields” describes the Insert Group Membership tab fields.

Table 104 VACM, Insert Group Membership tab fields

Field Description

SecurityModel  The security model (SNMPv1, SNMPv2, or SNMPv3) under which this security name is mapped to the group.

SecurityName  The security name assigned to this entry in the VACM table. The range is 1 to 32 characters.


GroupName  The name assigned to this group in the VACM table. The range is 1 to 32 characters.

StorageType  Choose the type of storage:

• volatile

• nonVolatile

• readOnly (not available)

3 Select and type the required information.

4 Click Insert.

--End--

Deleting a membership for a group
Delete a group membership by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table.

2 Select an entry to delete.

ATTENTION
You cannot delete an entry with a Storage Type attribute specified as read-only.

3 Click Delete. A prompt message requests confirmation.

4 Click OK. The group membership is deleted.

--End--

Viewing group access rights
View access rights for a group by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table.

2 Select the Group Access Right tab.


Table 105 "VACM screen, Group Access Right tab fields" (page307) describes the VACM screen, Group Access Right tab fields.

Table 105 VACM screen, Group Access Right tab fields

Field Description

vacmGroupName The name of the group in the VACM table, an SnmpAdminString of 1 to 32 characters.

ContextPrefix (Optional) The context name of an incoming SNMP packet must match exactly or partially the value of the instance of this object. The range is an SnmpAdminString, 0 to 32 characters.

SecurityModel The security model of the entry: SNMPv1, SNMPv2c, or SNMPv3 (USM).

SecurityLevel The minimum level of security required to gain access rights. The security levels are:
• noAuthNoPriv
• authNoPriv
• authPriv

ContextMatch Specifies whether the context name of an incoming SNMP packet must match the ContextPrefix exactly or only as a prefix.

ReadViewName Specifies the MIB view to which read access is authorized.

WriteViewName Specifies the MIB view to which write access is authorized.

NotifyViewName Specifies the MIB view to which notify access is authorized.

StorageType Specifies the storage type.

--End--

Creating access for a group
Create new access for a group by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table....

2 Select the Group Access Right tab.

Page 308: NN47205 505 05.03 Configuration Security

3 Click Insert.

Table 106 "Insert Group Access Right screen fields" describes the Insert Group Access Right screen fields.

Table 106 Insert Group Access Right screen fields

Field Description

vacmGroupName The name of the group in the VACM table, an SnmpAdminString of 1 to 32 characters.

ContextPrefix The context name of an incoming SNMP packet must match exactly or partially the value of the instance of this object. The range is an SnmpAdminString, 0 to 32 characters.

For the Nortel Ethernet Routing Switch 4500 Series switches, the ContextPrefix value can be an empty string.

SecurityModel The security model of the entry: SNMPv1, SNMPv2c, or SNMPv3 (USM).

SecurityLevel The minimum level of security required to gain access rights. The security levels are:
• noAuthNoPriv
• authNoPriv
• authPriv

ContextMatch (Optional) Specifies whether the context name of an incoming SNMP packet must match the ContextPrefix exactly or only as a prefix.

For Nortel Ethernet Routing Switch products, the ContextMatch value can be set to exact, because these products support only a single context.

ReadViewName Specifies the MIB view to which read access is authorized.

WriteViewName Specifies the MIB view to which write access is authorized.

NotifyViewName Specifies the MIB view to which notify access is authorized.

StorageType Specifies the storage type.

4 Type and select the required information.

Page 309: NN47205 505 05.03 Configuration Security

5 Click Insert.

--End--

Deleting access for a group
Delete a Group Access Right by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table....

2 Select the Group Access Right tab.

3 Select an entry to delete.

ATTENTION
You cannot delete an entry specified with a Read Only Storage Type.

4 Click Delete. A prompt message requests confirmation.

5 Click OK. The access is deleted.

--End--

Viewing MIBs assigned to an object
View MIBs assigned to an object by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table....

2 Select the MIB View tab.

Table 107 "VACM screen, MIB View tab fields" describes the MIB View tab fields.

Table 107 VACM screen, MIB View tab fields

Field Description

ViewName The name of the MIB view; a new entry is created with this view name. The range is 1 to 32 characters.

Subtree A valid object identifier that defines the set of MIB objects accessible by this SNMP entity; for example, 1.3.6.1.1.5.

Page 310: NN47205 505 05.03 Configuration Security

Table 107 VACM screen, MIB View tab fields (cont'd.)

Field Description

Mask (Optional) Specifies a bit mask used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.

Type Determines whether access to a MIB object is granted (Included) or denied (Excluded). Included is the default.

StorageType Displays the type of storage for this view.

--End--

Creating a new MIB view
Create a new MIB view by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table....

2 Select the MIB View tab.

3 Click Insert.

Table 108 "Insert MIB View screen fields" describes the Insert MIB View screen fields.

Table 108 Insert MIB View screen fields

Field Description

ViewName The name of the MIB view; a new entry is created with this view name. The range is 1 to 32 characters.

Subtree A valid object identifier that defines the set of MIB objects accessible by this SNMP entity; for example, 1.3.6.1.1.5.

Mask (Optional) Specifies a bit mask used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.

Page 311: NN47205 505 05.03 Configuration Security

Table 108 Insert MIB View screen fields (cont'd.)

Field Description

Type Determines whether access to a MIB object is granted (Included) or denied (Excluded). Included is the default.

StorageType Displays the type of storage for this view.

4 Type and select the required information.

5 Click Insert.

--End--

Deleting a MIB view
Delete a MIB view by following this procedure.

Step Action

1 Open the VACM screen by selecting Edit, SnmpV3, VACM Table....

2 Select the MIB View tab.

3 Select a MIB View entry to delete.

ATTENTION
You cannot delete a MIB View entry if the Storage Type is ReadOnly.

4 Click Delete. A confirmation message appears.

5 Click OK.

--End--
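The following Python model is added here as a worked example and is not part of the Nortel documentation or switch software. It shows how the VACM tables described above combine when the agent decides a request: a community string (the Community Table of the next procedure) or a USM user supplies a security name, the group membership entry (Table 104) maps that name to a group, the group's access entry (Tables 105 and 106) selects a MIB view for the requested operation only if the request's security level is at least the entry's minimum, and the view's subtree and mask entries (Tables 107 and 108) decide whether the OID is visible. The lookup semantics follow RFC 3415; the group, view and community names, the OIDs and the mask are constructed for illustration, and the model omits ContextPrefix and ContextMatch because the switch supports a single context.

```python
from dataclasses import dataclass
# Security levels in the order VACM compares them (SecurityLevel in Tables 105/106).
SECURITY_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

@dataclass
class ViewEntry:
    """One row of the MIB View tab (Tables 107/108)."""
    subtree: tuple          # OID as a tuple of sub-identifiers
    included: bool = True   # Type: Included (True) or Excluded (False)
    mask: bytes = b""       # Mask: empty means every sub-identifier must match

@dataclass
class AccessEntry:
    """One row of the Group Access Right tab (Tables 105/106); single context assumed."""
    security_model: str
    security_level: str     # minimum level a request needs to use this row
    read_view: str = ""
    write_view: str = ""
    notify_view: str = ""

def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))

def mask_bit(mask, i):
    """Bit i of vacmViewTreeFamilyMask; bits past the end of the mask count as 1."""
    if i >= len(mask) * 8:
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))

def entry_matches(entry, oid):
    """True if oid lies under entry.subtree, ignoring positions the mask wildcards."""
    if len(oid) < len(entry.subtree):
        return False
    return all(not mask_bit(entry.mask, i) or sub == oid[i]
               for i, sub in enumerate(entry.subtree))

def oid_in_view(view_entries, oid):
    """RFC 3415 view lookup: of the entries that match, the longest subtree wins
    and its Included/Excluded type decides."""
    matches = [e for e in view_entries if entry_matches(e, oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.subtree), e.subtree)).included

class Vacm:
    def __init__(self):
        self.communities = {}   # community string -> securityName          (Table 109)
        self.groups = {}        # (securityModel, securityName) -> groupName (Table 104)
        self.access = {}        # groupName -> [AccessEntry]               (Tables 105/106)
        self.views = {}         # viewName -> [ViewEntry]                  (Tables 107/108)

    def is_access_allowed(self, model, name, level, view_type, oid):
        """(allowed, reason) for one request, checked in the order VACM applies its tables."""
        group = self.groups.get((model, name))
        if group is None:
            return False, "noGroupName"
        rows = [a for a in self.access.get(group, [])
                if a.security_model == model
                and SECURITY_LEVELS[level] >= SECURITY_LEVELS[a.security_level]]
        if not rows:
            return False, "noAccessEntry"
        # RFC 3415 tie-break with a single context: the row requiring the highest level wins.
        best = max(rows, key=lambda a: SECURITY_LEVELS[a.security_level])
        view = {"read": best.read_view, "write": best.write_view,
                "notify": best.notify_view}[view_type]
        if not view:
            return False, "noSuchView"
        if not oid_in_view(self.views.get(view, []), parse_oid(oid)):
            return False, "notInView"
        return True, "accessAllowed"

def community_request(vacm, community, view_type, oid):
    """Table 109: a v1/v2c community only selects a securityName; the request is then
    checked at the noAuthNoPriv level such a message inherently carries."""
    name = vacm.communities.get(community)
    if name is None:
        return False, "unknownCommunity"
    return vacm.is_access_allowed("SNMPv2c", name, "noAuthNoPriv", view_type, oid)

def build_example():
    """Constructed tables (not from the manual): a read-only community limited to the
    system and interfaces groups, and an authPriv USM operator group that may read and
    write everything except the USM user table under 1.3.6.1.6.3.15."""
    v = Vacm()
    v.communities["public-ro"] = "ro-user"
    v.groups[("SNMPv2c", "ro-user")] = "readonly"
    v.groups[("USM", "netops")] = "operators"
    v.views["sysAndIfaces"] = [ViewEntry(parse_oid("1.3.6.1.2.1.1")),
                               ViewEntry(parse_oid("1.3.6.1.2.1.2"))]
    v.views["allButUsm"] = [ViewEntry(parse_oid("1.3.6.1")),
                            ViewEntry(parse_oid("1.3.6.1.6.3.15"), included=False)]
    # Mask example: every ifEntry column, but only for ifIndex 3. Position 9 of the
    # subtree (the column) is wildcarded: mask 0xFF 0xA0 keeps positions 0-8 and 10.
    v.views["if3only"] = [ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.0.3"), mask=b"\xff\xa0")]
    v.access["readonly"] = [AccessEntry("SNMPv2c", "noAuthNoPriv", read_view="sysAndIfaces")]
    v.access["operators"] = [AccessEntry("USM", "authPriv",
                                         read_view="allButUsm", write_view="allButUsm")]
    return v
```

Two points the model makes concrete: an Excluded entry only overrides an Included one because its subtree is longer, so the more specific subtree is the one to exclude; and an operator whose message arrives at authNoPriv gets no access entry at all when the row demands authPriv, which is why the SecurityLevel field is the control that forces encryption for write access rather than a property of the user.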

Creating a community
A community table contains objects for mapping between community strings and the security name created in VACM Group Member. Create a community by following this procedure.

Step Action

1 Open the Community Table screen by selecting Edit, SnmpV3, Community Table.

Page 312: NN47205 505 05.03 Configuration Security

2 Click Insert.

The following table describes the Community Table screen fields.

Table 109 Community Table screen fields

Field Description

Index The unique index value of a row in this table. An SnmpAdminString of 1 to 32 characters.

Name The community string for which a row in this table represents a configuration.

SecurityName The security name assigned to this entry in the Community table. The range is 1 to 32 characters.

ContextEngineID The context engine ID: the engine in whose context management information is accessed when this community string is used.

ContextName The context name used for requests made with this community string.

TransportTag The transport tag: a tag value that selects the Target Address table entries from which requests carrying this community string are accepted. An empty value places no restriction on the source of requests.

StorageType The storage type.

3 Type and select the required information.

4 Click Insert.

--End--

Deleting a community
Delete a community by following this procedure.

Step Action

1 Open the Community Table screen by selecting Edit, SnmpV3, Community Table.

2 Select a community to delete.

ATTENTION
You cannot delete a community if the community Storage Type is Read Only.

3 Click Delete. A confirmation message appears.

4 Click OK.

--End--

Creating a Target Table
Create a Target Address table by following this procedure.

Page 313: NN47205 505 05.03 Configuration Security

Step Action

1 Open the Target Table screen by selecting Edit, SnmpV3, Target Table.

2 Click Insert.

The following table describes the Target Address Table screen.

Table 110 Target Address Table screen fields

Field Description

Name Specifies the unique name of this target address entry.

TDomain Specifies the transport domain of the target (for example, UDP over IPv4).

TAddress Specifies the transport address of the target in the form required by TDomain, that is, the IP address and UDP port of the notification receiver.

Timeout Specifies how long the switch waits for an acknowledgement of an inform before retransmitting it.

RetryCount Specifies how many times an unacknowledged inform is retransmitted.

Taglist Specifies the list of tag values for this target; a Notify Table entry whose Tag matches one of these values selects this target.

Params Specifies the entry in the Target Params Table that supplies the message processing model, security model, security name, and security level used for notifications sent to this target.

StorageType Specifies the storage type.

3 Type and select the required information.

4 Click Insert.

--End--

Deleting a Target Address entry
Delete a Target Address entry by following this procedure.

Step Action

1 Open the Target Table screen by selecting Edit, SnmpV3, Target Table.

2 Select an entry to delete.

NOTE: You cannot delete an entry if the Storage Type is Read Only.

3 Click Delete. A confirmation message appears.

4 Click OK. The Target Address entry is deleted.

--End--

Creating Target parameters
Create a target parameter by following this procedure.

Page 314: NN47205 505 05.03 Configuration Security

Step Action

1 Open the Target Table screen by selecting Edit, SnmpV3, Target Table.

2 Select the Target Params Table tab.

3 Click Insert.

The following table describes the Target Params Table screen fields.

Table 111 Target Params Table screen fields

Field Description

Name Specifies the name of the target parameters entry.

MPModel Specifies the message processing model: SNMPv1, SNMPv2c, or SNMPv3/USM.

SecurityModel Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM.

SecurityName Specifies the security name used when generating SNMP messages.

SecurityLevel Specifies the security level for SNMP messages: noAuthNoPriv, authNoPriv, or authPriv.

StorageType Specifies the storage type: volatile or nonvolatile.

4 Type and select the required information.

5 Click Insert.

--End--

Deleting Target parameters
Delete a Target parameter by following this procedure.

Step Action

1 Open the Target Table screen by selecting Edit, SnmpV3, Target Table.

2 Select the Target Params Table tab.

3 Select an entry to delete.

NOTE: You cannot delete an entry if the Storage Type is Read Only.

Page 315: NN47205 505 05.03 Configuration Security

4 Click Delete. A confirmation message appears.

5 Click OK. The selection is deleted.

--End--

Creating a Notify Table
Create a Notify Table by following this procedure.

Step Action

1 Open the Notify Table screen by selecting Edit, SnmpV3, Notify Table.

2 Click Insert.

The following table describes the Notify Table screen fields.

Table 112 Notify Table screen fields

Field Description

Name Specifies the unique identifier of this notify table entry.

Tag A single tag value used to select entries in the snmpTargetAddrTable. An entry in the snmpTargetAddrTable that contains a tag value equal to the value of an instance of this object is selected. If this object contains a value of zero length, no entries are selected.

Type This object determines the type of notification generated for entries in the snmpTargetAddrTable selected by the corresponding instance of snmpNotifyTag.

If the value of this object is trap, then messages generated for selected rows contain SNMPv2-Trap PDUs.

If the value of this object is inform, then messages generated for selected rows contain Inform PDUs.

ATTENTION
If an SNMP entity supports only generation of traps (and not informs), then this object can be read-only.

Page 316: NN47205 505 05.03 Configuration Security

StorageType Specifies the type of storage: volatile or nonvolatile.

3 Type and select the required information.

4 Click Insert.

--End--

Deleting a Notify entry
Delete a Notify entry by following this procedure.

Step Action

1 Open the Notify Table screen by selecting Edit, SnmpV3, Notify Table.

2 Select an entry to delete.

NOTE: You cannot delete an entry if the Storage Type is Read Only.

3 Click Delete. A confirmation message appears.

4 Click OK. The selection is deleted.

--End--

RADIUS Request use Management IP configuration using Device Manager

You can enable or disable the use of the Management VLAN IP for RADIUS requests using Device Manager.

RADIUS Request use Management IP configuration using Device Manager navigation

• “Enabling the RADIUS Request use Management IP” (page 317)

• “Disabling the RADIUS Request use Management IP” (page 317)

Page 317: NN47205 505 05.03 Configuration Security

Enabling the RADIUS Request use Management IP
Perform this procedure to enable the RADIUS requests to use the Management VLAN IP.

Procedure steps

Step Action

1 Browse to Edit, Security, RADIUS.

2 Select RadiusUseMgmtIp.

3 Click Apply.

--End--

Disabling the RADIUS Request use Management IP
Perform this procedure to disable the RADIUS requests to use the Management VLAN IP.

Procedure steps

Step Action

1 Browse to Edit, Security, RADIUS.

2 Clear RadiusUseMgmtIp.

3 Click Apply.

--End--

Page 319: NN47205 505 05.03 Configuration Security

Configuring Nortel Secure Network Access using NNCLI

This chapter describes how to configure the Nortel Ethernet Routing Switch 4500 as a network access device in the Nortel Secure Network Access (Nortel SNA) solution using the Command Line Interface (NNCLI).

ATTENTION
When using Nortel SNA along with other applications, such as IP Source Guard, you must ensure resources are available for each application. It is recommended that applications such as IP Source Guard be applied to a small number of ports when used along with the QoS-based Nortel SNA solution.

This chapter includes the following topics:

• “Configuring the Nortel SNAS 4050 subnet” (page 319)

• “Configuring QoS for the Nortel SNA solution” (page 321)

• “Configuring Nortel SNA per VLAN” (page 321)

• “Enabling Nortel SNA on ports using NNCLI” (page 324)

• “Entering phone signatures for Nortel SNA” (page 327)

• “Enabling Nortel SNA” (page 328)

• “Configuring Nortel Secure Network Access Fail Open” (page 328)

• “Configuration example” (page 330)

For an overview of the steps required to configure a network access device in the Nortel SNA solution, see “Basic switch configuration for Nortel SNA” (page 84).

Configuring the Nortel SNAS 4050 subnet
To configure the Nortel SNAS 4050 subnet, use the following command from the Global Configuration mode:

nsna nsnas <ipaddr/mask>

where

Page 320: NN47205 505 05.03 Configuration Security

<ipaddr/mask> is the Nortel SNAS 4050 portal Virtual IP (pVIP) address and network mask (a.b.c.d/<0–32>)

This command includes the following parameters:

nsna nsnas <ipaddr/mask> followed by:

port <value> Defines the TCP port number for the Switch to Nortel SNAS 4050 Communication Protocol (SSCP) server. Values are in the range 1024–65535. The default setting is 5000.

ATTENTION
The pVIP address is used in the default Red filter set to restrict the communication of clients in the Red state to the Nortel SNAS 4050. If you are using one Nortel SNAS 4050 in the network, you can use a 32-bit mask to further restrict traffic flow. The subnet you specify is added to the filters (Red, Yellow, and VoIP). If you change the Nortel SNAS 4050 subnet after you have associated the filters with the Nortel SNA VLANs, you must manually update the Nortel SNAS 4050 subnet in the filters.

Viewing Nortel SNAS 4050 subnet information
To view information related to the Nortel SNAS 4050 pVIP subnet you configured, enter the following command from the Privileged EXEC configuration mode:

show nsna nsnas 10.40.40.0/24

NSNAS IP Address    NSNAS NetMask     NSNAS Port
---------------------------------------------------------
10.40.40.0          255.255.255.0     5000

Removing the Nortel SNAS 4050 subnet
To remove the Nortel SNAS 4050 pVIP subnet, enter the following command from Global Configuration mode:

no nsna nsnas <ipaddr/mask>

where

<ipaddr/mask> is the pVIP address and network mask (a.b.c.d/<0–32>)

ATTENTION
This command succeeds only if the Nortel SNAS 4050 subnet has first been removed from the Nortel SNA filters.

Page 321: NN47205 505 05.03 Configuration Security

Configuring QoS for the Nortel SNA solution
For general information about configuring filters and Quality of Service (QoS) in the Nortel SNA solution, see “Filters in the Nortel SNA solution” (page 76). For more information about configuring the filters, see Nortel Ethernet Routing Switch 4500 Series Configuration — Quality of Service (NN47205-504).

Configuring Nortel SNA per VLAN
ATTENTION
VLANs that you plan to configure as Nortel SNA VLANs must be empty (that is, they have no assigned port members). No non Nortel SNA ports can be associated with Nortel SNA VLANs.

Ensure that:

• the VLANs that you plan to configure as Nortel SNA VLANs have no port members assigned.

• no non Nortel SNA ports are associated with Nortel SNA VLANs.

• the filter name does not begin with a number.

To configure the Nortel SNA VLANs, use the following command from the Global Configuration mode:

nsna vlan <vid> color <red|yellow|green|voip>

where

<vid> is the VLAN ID in the range 1–4094. The Nortel SNA VLAN is assigned the color you specify in the command.

This command includes the following parameters:

nsna vlan <vid> color <red|yellow|green|voip> followed by:

filter <filter name> Sets the Nortel SNA filter set name. The string length is 0–255 characters.

ATTENTION
This parameter is not allowed for configuration of a VoIP VLAN. VoIP filters are part of the Red/Yellow filter sets.
If the filter set with this name does not already exist, it is created when you specify it with this command. If a filter set with the name you specify does exist, that filter set is used.

yellow-subnet <ipaddr/mask> Sets the Yellow VLAN subnet IP and mask (a.b.c.d/<0–32>)

Page 322: NN47205 505 05.03 Configuration Security

ATTENTION
This parameter is only allowed for configuration of the Yellow VLAN.

Viewing Nortel SNA VLAN information
To view information related to the Nortel SNA VLANs, use the following command from the Privileged EXEC configuration mode:

show nsna vlan <vid>

where

<vid> is the VLAN ID in the range 1-4094

Removing a Nortel SNA VLAN
To remove a Nortel SNA VLAN, use the following command from the Global Configuration mode:

no nsna vlan <vid>

where

<vid> is the VLAN ID in the range 1-4094

VoIP VLANs can be removed only after the corresponding entries have been removed from the Nortel SNA Red and Yellow filters.

Configuration example: Configuring the Nortel SNA per VLANs
This example includes configuration of the VoIP, Red, Yellow, and Green VLANs. It is assumed that VLANs 110, 120, 130, and 140 (used in this example) were previously created as port-based VLANs. For more information about creating VLANs using the Nortel Ethernet Routing Switch 4500, refer to Nortel Ethernet Routing Switch 4500 Series Configuration — VLANs, Spanning Tree, and MultiLink Trunking (NN47205-502).

ATTENTION
You must configure the Nortel SNAS 4050 pVIP subnet before you configure the Nortel SNA VLANs.

VoIP VLANs are optional. If you are using VoIP VLANs, you must configure them before configuring the Red, Yellow, and Green VLANs.

In this example, the following parameters are used:

VLAN     Parameters
Red      VLAN ID: 110; Color: Red; Filter name: red
Yellow   VLAN ID: 120; Color: Yellow; Filter name: yellow; Subnet IP: 10.120.120.0/24
Green    VLAN ID: 130; Color: Green; Filter name: green
VoIP     VLAN ID: 140; Color: VoIP

Page 323: NN47205 505 05.03 Configuration Security

ATTENTION
If filters are not manually configured prior to configuring the Nortel SNA VLANs, the switch automatically generates default filters when the Red, Yellow, and Green VLANs are configured.

Configuring the VoIP VLAN
To configure the VoIP VLAN, use the following command:

nsna vlan 140 color voip

show nsna vlan 140

VLAN ID   Color    Filter Set Name   Yellow Subnet
---------------------------------------------------------
140       VOIP                       0.0.0.0/0

Configuring the Red VLAN
To configure the Red VLAN, use the following command:

nsna vlan 110 color red filter red

show nsna vlan 110

VLAN ID   Color    Filter Set Name   Yellow Subnet
---------------------------------------------------------
110       Red      red               0.0.0.0/0

Configuring the Yellow VLAN
To configure the Yellow VLAN, use the following command:

nsna vlan 120 color yellow filter yellow yellow-subnet 10.120.120.0/24

show nsna vlan 120

VLAN ID   Color    Filter Set Name   Yellow Subnet
---------------------------------------------------------
120       Yellow   yellow            10.120.120.0/24

Page 324: NN47205 505 05.03 Configuration Security

Configuring the Green VLAN
To configure the Green VLAN, use the following command:

nsna vlan 130 color green filter green

show nsna vlan 130

VLAN ID   Color    Filter Set Name   Yellow Subnet
---------------------------------------------------------
130       Green    green             0.0.0.0/0

Enabling Nortel SNA on ports using NNCLI
The following sections describe how to enable Nortel SNA on the ports. For more information about port modes, refer to “Port modes” (page 76).

The Nortel SNA solution introduces the uplink port. Uplink ports are members of the Nortel SNA VLANs. For more information about the uplink port, refer to Nortel Secure Network Access Solution Guide (320817-A).

ATTENTION
The Ethernet Routing Switch 4526GTX has two XFP GBICs. You can configure these as uplink ports only. You cannot configure these as dynamic ports. Therefore, you must specify ports 1–24 in a Nortel SNA command where you configure dynamic ports. For example, if you enter the nsna port all dynamic voip-vlans <vidlist> command, it fails because the two 10-Gbit ports cannot be configured as dynamic ports.

To configure Nortel SNA on ports, use the following command from the Ethernet Interface configuration mode:

nsna

This command includes the following parameters:

nsna followed by:

port <portlist> Identifies a port other than that specified when entering the Ethernet Interface configuration mode. The parameter <portlist> uses the convention {port[–port][,...]}.

Page 325: NN47205 505 05.03 Configuration Security

dynamic voip-vlans <vidlist> Sets the Nortel SNAS 4050 dynamic port configuration, where <vidlist> is the VoIP VLAN IDs (vlan-id[-vlan-id][,...]).

uplink vlans <vidlist> Defines the Nortel SNAS 4050 uplink VLAN list, where <vidlist> is the Nortel SNA VLAN IDs (vlan-id[-vlan-id][,...]).

Viewing Nortel SNA port information
To view information related to the Nortel SNA interfaces, use the following command from the Privileged EXEC configuration mode:

show nsna interface [<interface-id>]

where

<interface-id> is the port number. Appropriate entries are {port[-port][,...]}, all, and none.

Removing a Nortel SNA port
To remove a Nortel SNA port, enter the following command from the Ethernet Interface configuration mode:

no nsna

Example: Removing Nortel SNA ports
To disable Nortel SNA on ports 20–24, enter the following commands:

interface fastethernet 20-24
no nsna
exit

Configuration example: Adding the uplink port
To add the uplink port to the VLANs, use the following command from the Ethernet Interface configuration mode:

nsna uplink vlans <vidlist>

where

<vidlist> is the uplink VLAN IDs, entered using the convention {vlan-id[-vlan-id][,...]}

Page 326: NN47205 505 05.03 Configuration Security

ATTENTION
All VLANs specified in the <vidlist> must be Nortel SNA VLANs. You can add the uplink port to or delete it from non Nortel SNA VLANs (including the management VLAN) using the vlan members add command. For more information, see Nortel Ethernet Routing Switch 4500 Series Configuration — VLANs, Spanning Tree, and MultiLink Trunking (NN47205-502).

The membership of Nortel SNA uplink ports in non Nortel SNA VLANs is not affected by globally enabling or disabling Nortel SNA.

In this example, the following parameters are used:

• uplink port is 20

• Nortel SNA VLAN IDs are 110, 120, 130, 140

interface fastEthernet 20

nsna uplink vlans 110,120,130,140

show nsna interface 20

Unit/Port   NSNA Mode   VLAN IDs          VLAN State   DHCP State
------------------------------------------------------------------------
20          Uplink      110,120,130,140   None         Unblocked

Configuration example: Adding client ports
In this example, the following parameters are used:

• Client ports are 3, 4, and 5.

• VoIP VLAN ID is 140.

interface fastEthernet 3-5

nsna dynamic voip-vlans 140

show nsna interface 3-5

Unit/Port   NSNA Mode   VLAN IDs   VLAN State   DHCP State
----------------------------------------------------------------------
3           Dynamic     140        Red          Unblocked
4           Dynamic     140        Red          Unblocked
5           Dynamic     140        Red          Unblocked

exit

ATTENTION
If the pre-Nortel SNA STP state of a port is Normal Learning, when you specify that port as a Nortel SNA dynamic port and you enable Nortel SNA, the STP state of the port is changed to Fast Learning automatically. You can change this state to Disabled, but you cannot set it to Normal Learning for a Nortel SNA port.

Page 327: NN47205 505 05.03 Configuration Security

Viewing information about Nortel SNA clients
To view information about Nortel SNA clients, enter the following command from the Privileged EXEC configuration mode:

show nsna client [interface [<interface-id>] | mac-address <H.H.H.>]

where

<interface-id> is the port number

<H.H.H.> is the MAC address of the host

The following is an example of the command to view information about Nortel SNA clients:

show nsna client interface 5

Total Number of Clients: 2

Unit/Port   Client MAC          Device Type   VLAN Id   Filter VLAN Id   IP Address       Exp
------------------------------------------------------------------------
5           00:0a:e4:0b:47:44   IP Phone      140 (V)   110 (R)          10.100.140.11    No
5           00:0f:ea:88:be:7a   PC            110 (R)   110 (R)          10.100.110.116   No

Entering phone signatures for Nortel SNA
To specify Nortel IP phone signatures for the Nortel SNA solution, enter the following command from the Global Configuration mode:

nsna phone-signature <LINE>

where

<LINE> is the Nortel IP phone signature string (for example: Nortel-i2007-A)

Removing Nortel SNA phone signatures
To remove a Nortel SNA phone signature, enter the following command from the Global Configuration mode:

no nsna phone-signature <LINE>

where

<LINE> is the phone signature string

Viewing Nortel SNA phone signatures
To view configured Nortel SNA phone signatures, enter the following command from the Privileged EXEC mode:

show nsna phone-signature [<LINE>]

where

<LINE> is the phone signature string. Use an asterisk (*) at the end of the string to display all signatures that start with the specified string. For example, if you enter Nort* as the LINE parameter, output displays signatures that start with the string Nort.

Page 328: NN47205 505 05.03 Configuration Security

Configuring Nortel Secure Network Access Fail Open
Fail-open is a new feature for the 4500 and does not require NSNAS support. If the connection to the NSNAS is lost or is never established, new users can still have access to the network. If fail-open is enabled, existing authenticated clients do not have their access to the network interrupted. A fail-open VLAN and filter can be configured on the switch so that, if the connection to the NSNAS is lost, new clients move directly into the fail-open VLAN and filter. The fail-open VLAN and filter must be valid NSNA VLAN IDs of color Red, Yellow, or Green. A Red fail-open VLAN can be paired with a Red, Yellow, or Green filter. A Yellow fail-open VLAN can be paired only with a Yellow filter. A Green fail-open VLAN can be paired only with a Green filter.

Because clients admitted while the NSNAS connection is down have not been assessed by the NSNAS, choose a fail-open VLAN and filter that grant only the access those clients need until the connection is restored.

To configure the NSNA Fail Open, use the following commands from the Global Configuration mode:

nsna fail-open vlan-id <vlan-id> filter-vlan-id <filter-id>
nsna fail-open enable

Configuration example

nsna fail-open vlan-id 120 filter-vlan-id 120
nsna fail-open enable

Enabling Nortel SNA
To enable Nortel SNA, use the following command from the Global Configuration mode:

nsna enable

ATTENTION
You must enable SSH before you enable Nortel SNA globally. The command to enable Nortel SNA fails if SSH is not enabled. For more information, see “Configuring SSH on the 4500 Series switch for Nortel SNA” (page 87).

Disabling Nortel SNA
To disable Nortel SNA, use the following command from the Global Configuration mode:

Page 329: NN47205 505 05.03 Configuration Security

no nsna enable

Viewing the Nortel SNA state
Use the following command from the Privileged EXEC configuration mode for information about the state of Nortel SNA on the switch:

show nsna


Example: Viewing Nortel SNA and Nortel SNAS 4050 information
If the Nortel SNAS 4050 is connected, the output is the following:

show nsna
NSNA Enabled: Yes
NSNAS Connection State: Connected
NSNAS Address: 10.200.200.22
NSNAS Hello Interval: 60 seconds
NSNAS Inactivity Interval: 120 seconds
NSNAS Connection Version: SSCPv1
NSNAS Status-Quo Interval: 30 seconds
Fail-Open Enabled: Yes
Fail-Open Vlan ID: 210
Fail-Open Filter Vlan ID: 230

If the Nortel SNAS 4050 is not connected, the output is the following:

show nsna
NSNA Enabled: Yes
NSNAS Connection State: Not Connected
NSNAS Status-Quo Interval: 0
Fail-Open Enabled: Yes
Fail-Open Vlan ID: 210
Fail-Open Filter Vlan ID: 230
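The two outputs differ in which fields are present, which is what a monitoring job has to cope with. The following Python example is added here and is not part of the Nortel documentation; it parses show nsna output as printed above and reports whether the NSNAS link is up and whether fail-open is currently what admits new clients.

```python
"""Parse "show nsna" output and report whether the NSNAS connection is up
and whether fail-open is currently what admits new clients.

Added example for this page, not Nortel code. It accepts both output forms
shown: interval values with or without "seconds", and the shorter output
printed when the NSNAS is not connected.
"""
from __future__ import annotations
import re

_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?):\s*(?P<value>.*?)\s*$")
_NUMBER = re.compile(r"^(\d+)(?: seconds)?$")
_YES_NO = {"NSNA Enabled", "Fail-Open Enabled"}


def parse_show_nsna(text: str) -> dict[str, object]:
    """Map each output label to its value; counts and intervals become ints."""
    fields: dict[str, object] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:                      # skips the echoed "show nsna" command
            continue
        key, value = m.group("key"), m.group("value")
        if key in _YES_NO:
            fields[key] = value.lower() == "yes"
        elif (n := _NUMBER.match(value)):
            fields[key] = int(n.group(1))
        else:
            fields[key] = value        # addresses, version strings, states
    return fields


def fail_open_in_effect(fields: dict[str, object]) -> bool:
    """True in the state this chapter describes: NSNA on, NSNAS link down and
    fail-open enabled, so new clients land in the fail-open VLAN and filter."""
    return (fields.get("NSNA Enabled") is True
            and fields.get("NSNAS Connection State") != "Connected"
            and fields.get("Fail-Open Enabled") is True)


def assess(text: str) -> dict[str, object]:
    """Summary an operator or a monitoring job would act on."""
    f = parse_show_nsna(text)
    return {
        "nsnas_connected": f.get("NSNAS Connection State") == "Connected",
        "fail_open_in_effect": fail_open_in_effect(f),
        "fail_open_vlan": f.get("Fail-Open Vlan ID"),
        "fail_open_filter_vlan": f.get("Fail-Open Filter Vlan ID"),
    }


# Constructed from the two outputs shown on this page.
CONNECTED = """\
show nsna
NSNA Enabled: Yes
NSNAS Connection State: Connected
NSNAS Address: 10.200.200.22
NSNAS Hello Interval: 60 seconds
NSNAS Inactivity Interval: 120 seconds
NSNAS Connection Version: SSCPv1
NSNAS Status-Quo Interval: 30 seconds
Fail-Open Enabled: Yes
Fail-Open Vlan ID: 210
Fail-Open Filter Vlan ID: 230
"""

NOT_CONNECTED = """\
show nsna
NSNA Enabled: Yes
NSNAS Connection State: Not Connected
NSNAS Status-Quo Interval: 0
Fail-Open Enabled: Yes
Fail-Open Vlan ID: 210
Fail-Open Filter Vlan ID: 230
"""

if __name__ == "__main__":
    for label, out in (("connected", CONNECTED), ("not connected", NOT_CONNECTED)):
        print(label, assess(out))
```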


Configuration example

The configuration example is based on the following assumptions:

• You are starting with an installed switch that is not currently configured as part of the network.

• You have installed , Software Release 5.1 or higher.

• You have configured basic switch connectivity.

• You have initialized the switch and it is ready to accept configuration.

ATTENTION
Default Nortel SNA filters are used in this example.

Scenario

Figure 6 "Basic network scenario" (page 331) shows the basic network configuration used in this example. The Ethernet Routing Switch 8600 functions as the core router.

The following table describes the devices connected in this environment and their respective VLAN IDs and IP addresses.

Table 113 Network devices

Device/Service      VLAN ID   VLAN IP        Device IP      Ethernet Routing Switch 8600 port
DNS                 20        10.20.20.1     10.20.20.2     1/1
DHCP                30        10.30.30.1     10.30.30.2     1/11
Nortel SNAS 4050    40        10.40.40.1     10.40.40.2     1/7
Remediation server  120       10.120.120.1   10.120.120.2   1/31
Call server         50        10.11.11.1     10.11.11.254   1/23

The following table describes the VLANs for the Ethernet Routing Switch 4500.

Table 114 VLANs for the Ethernet Routing Switch 4500

VLAN         VLAN ID   Yellow subnet
Management   1         N/A
Red          210       N/A
Yellow       220       10.120.120.0/24
Green        230       N/A
VoIP         240       N/A


Figure 6 Basic network scenario

Steps

The example illustrates the following required configuration steps:

1. “Setting the switch IP address” (page 332)

2. “Configuring SSH” (page 332)

3. “Configuring the Nortel SNAS 4050 pVIP subnet” (page 332)

4. “Creating port-based VLANs” (page 332)

5. “Configuring the VoIP VLANs” (page 332)

6. “Configuring the Red, Yellow, and Green VLANs” (page 332)

7. “Configuring the log on domain controller filters” (page 332)

8. “Configuring the Nortel SNA ports” (page 333)

9. “Enabling Nortel SNA globally” (page 333)


Setting the switch IP address

ip address 10.200.200.20 netmask 255.255.255.0
ip default-gateway 10.200.200.10

Configuring SSH

This example assumes that the Nortel SNAS 4050 public key has already been uploaded to the TFTP server (10.20.20.20).

ssh download-auth-key address 10.20.20.20 key-name sac_key.1.pub

ssh

ATTENTION
You must import the switch SSH key on the Nortel SNAS 4050 after enabling SSH on the switch. For more information, see “Configuring SSH on the 4500 Series switch for Nortel SNA” (page 87). Also, refer to Nortel Secure Network Access Switch 4050 User Guide (320818-A) for more information about configuring SSH on the Nortel SNAS 4050.

Configuring the Nortel SNAS 4050 pVIP subnet

nsna nsnas 10.40.40.0/24

Creating port-based VLANs

vlan create 210 type port
vlan create 220 type port
vlan create 230 type port
vlan create 240 type port

Configuring the VoIP VLANs

nsna vlan 240 color voip

Configuring the Red, Yellow, and Green VLANs

nsna vlan 210 color red filter red
nsna vlan 220 color yellow filter yellow yellow-subnet 10.120.120.0/24
nsna vlan 230 color green filter green

Configuring the log on domain controller filters

ATTENTION
This step is optional.

The PC client must be able to access the log on domain controller you configure (that is, clients using the log on domain controller must be able to ping that controller).


qos nsna classifier name red dst-ip 10.200.2.12/32 ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 70

qos nsna classifier name red dst-ip 10.200.224.184/32 ethertype 0x0800 drop-action disable block wins-prim-sec eval-order 71

Configuring the Nortel SNA ports

Add the uplink port:

interface fastEthernet 20
nsna uplink vlans 210,220,230,240
exit

Add the client ports:

interface fastEthernet 3-5
nsna dynamic voip-vlans 240
exit

Enabling Nortel SNA globally

nsna enable

ATTENTION
After configuring NSNA, it is recommended that you disable autosave. To disable it, use the following command:

no autosave enable

After that, when configuration changes are made, save them with:

copy config nvram

Certain applications can delay saving data to nonvolatile storage, for a short period of time, to optimize access to nonvolatile storage. To account for these applications, following completion of configuration commands, wait 30 seconds before using the copy command to save configuration data. This ensures that no configuration data is lost.
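The fail-open pairing rules given in “Configuring Nortel Secure Network Access Fail Open” and the VLAN limits that apply to this configuration example can be checked before the configuration is saved. The following Python script is an added example, not Nortel code; it parses only the vlan create, nsna vlan and nsna fail-open command forms used in this chapter, and its sample configuration is constructed from the example above together with the fail-open settings shown in the show nsna output (red VLAN 210 paired with the green filter VLAN 230).

```python
"""Check an NSNA NNCLI configuration against the rules this chapter states:
one Red VLAN per switch, at most five Yellow, Green and VoIP VLANs, NSNA
VLANs created before they are coloured, and a fail-open VLAN/filter pairing
the switch accepts (red with red/yellow/green, yellow only with yellow,
green only with green).

Added example for this page, not Nortel code. Only the command forms used
in the configuration example are parsed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

FAIL_OPEN_PAIRING = {        # fail-open VLAN colour -> permitted filter colours
    "red": {"red", "yellow", "green"},
    "yellow": {"yellow"},
    "green": {"green"},
}
MAX_PER_COLOR = {"yellow": 5, "green": 5, "voip": 5}

_VLAN_CREATE = re.compile(r"^vlan create (\d+) type port$")
_NSNA_VLAN = re.compile(
    r"^nsna vlan (\d+) color (red|yellow|green|voip)"
    r"(?: filter (\S+))?(?: yellow-subnet (\S+))?$")
_FAIL_OPEN = re.compile(r"^nsna fail-open vlan-id (\d+) filter-vlan-id (\d+)$")


@dataclass
class NsnaConfig:
    created: set = field(default_factory=set)    # IDs from "vlan create"
    colors: dict = field(default_factory=dict)   # VLAN ID -> colour
    fail_open_vlan: Optional[int] = None
    fail_open_filter: Optional[int] = None
    fail_open_enabled: bool = False


def parse_config(text: str) -> NsnaConfig:
    cfg = NsnaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _VLAN_CREATE.match(line):
            cfg.created.add(int(m.group(1)))
        elif m := _NSNA_VLAN.match(line):
            cfg.colors[int(m.group(1))] = m.group(2)
        elif m := _FAIL_OPEN.match(line):
            cfg.fail_open_vlan = int(m.group(1))
            cfg.fail_open_filter = int(m.group(2))
        elif line == "nsna fail-open enable":
            cfg.fail_open_enabled = True
    return cfg


def validate(cfg: NsnaConfig) -> list[str]:
    problems: list[str] = []
    for vid in cfg.colors:
        if vid not in cfg.created:
            problems.append(f"VLAN {vid} is coloured but was never created")
    counts: dict[str, int] = {}
    for color in cfg.colors.values():
        counts[color] = counts.get(color, 0) + 1
    if counts.get("red", 0) != 1:
        problems.append(f"expected exactly one Red VLAN, found {counts.get('red', 0)}")
    for color, limit in MAX_PER_COLOR.items():
        if counts.get(color, 0) > limit:
            problems.append(f"more than {limit} {color} VLANs configured")
    if cfg.fail_open_enabled:
        if cfg.fail_open_vlan is None:
            problems.append("fail-open enabled but no vlan-id/filter-vlan-id configured")
        else:
            vcolor = cfg.colors.get(cfg.fail_open_vlan)
            fcolor = cfg.colors.get(cfg.fail_open_filter)
            if vcolor not in FAIL_OPEN_PAIRING:
                problems.append(f"fail-open VLAN {cfg.fail_open_vlan} is not a red, yellow or green NSNA VLAN")
            elif fcolor not in FAIL_OPEN_PAIRING:
                problems.append(f"fail-open filter VLAN {cfg.fail_open_filter} is not a red, yellow or green NSNA VLAN")
            elif fcolor not in FAIL_OPEN_PAIRING[vcolor]:
                problems.append(f"a {vcolor} fail-open VLAN cannot be paired with a {fcolor} filter")
    return problems


# Constructed sample: the chapter's configuration example plus the fail-open
# settings from the "show nsna" output (red VLAN 210, green filter VLAN 230).
SAMPLE_CONFIG = """\
vlan create 210 type port
vlan create 220 type port
vlan create 230 type port
vlan create 240 type port
nsna vlan 240 color voip
nsna vlan 210 color red filter red
nsna vlan 220 color yellow filter yellow yellow-subnet 10.120.120.0/24
nsna vlan 230 color green filter green
nsna fail-open vlan-id 210 filter-vlan-id 230
nsna fail-open enable
"""

if __name__ == "__main__":
    for issue in validate(parse_config(SAMPLE_CONFIG)) or ["configuration consistent"]:
        print(issue)
```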


Configuring Nortel Secure Network Access using Device Manager

This chapter describes how to configure the Ethernet Routing Switch 4500 Series as a network access device in the Nortel Secure Network Access (Nortel SNA) solution using Device Manager.

ATTENTION
When using Nortel SNA along with other applications, such as IP Source Guard, you must ensure resources are available for each application. It is recommended that applications such as IP Source Guard be applied to a small number of ports when used along with the QoS SNA solution.

For an overview of the steps required to configure a network access device in the Nortel SNA solution, see “Basic switch configuration for Nortel SNA” (page 84).

Navigation

• “Configuring the Nortel SNAS 4050 subnet using Device Manager” (page 336)

• “Configuring QoS for the Nortel SNA solution using Device Manager” (page 337)

• “Configuring Nortel SNA per VLAN using Device Manager” (page 337)

• “Enabling Nortel SNA on ports using Device Manager” (page 340)

• “Viewing information about Nortel SNA clients using Device Manager” (page 341)

• “Entering phone signatures for Nortel SNA using Device Manager” (page 342)

• “Configuring Fail Open using Device Manager” (page 343)

• “Enabling Nortel SNA using Device Manager” (page 344)


Configuring the Nortel SNAS 4050 subnet using Device Manager

ATTENTION
In Ethernet Routing Switch 4500 Series only one entry for the Nortel SNAS 4050 subnet can be configured.

To configure the Nortel SNAS 4050 portal Virtual IP (pVIP) subnet:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The following table describes the NSNAS tab fields.

Table 115 NSNA -- NSNAS tab fields

Field  Description

AddressType  Specifies the type of IP address used by the Nortel SNAS 4050. IPv4 is the only available option at this time.

Address  Specifies the pVIP address of the Nortel SNAS 4050.

AddressMask  Specifies the Nortel SNAS 4050 pVIP address subnet mask.

Port  Specifies the TCP port number for the Switch to Nortel SNAS 4050 Server Communication Protocol (SSCP). Values are in the range of 1024-65535. The default setting is 5000.

2 Click Insert.

3 Enter the pVIP address and subnet mask of the Nortel SNAS 4050.

ATTENTION
The pVIP address is used in the default Red filter set to restrict the communication of clients in the Red state to the Nortel SNAS 4050. If you are using one Nortel SNAS 4050 in the network, you can use a 32-bit mask to further restrict traffic flow. The subnet you specify is added to the filters (Red, Yellow, and VoIP). If you change the Nortel SNAS 4050 subnet after you have associated the filters with the Nortel SNA VLANs, you must manually update the Nortel SNAS 4050 subnet in the filters.

4 Enter the port number (if it is different than the default value).

5 Click Insert.


The information for the configured Nortel SNAS 4050 pVIP subnet appears in the NSNAS tab of the NSNA dialog box.

--End--

Removing the Nortel SNAS 4050 subnet

To remove the currently configured Nortel SNAS 4050:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Select the row that contains the Nortel SNAS 4050 subnet information.

3 Click Delete.

The Nortel SNAS 4050 pVIP subnet information is removed from the Nortel SNA configuration.

--End--

Configuring QoS for the Nortel SNA solution using Device Manager

For general information about configuring filters and Quality of Service (QoS) in the Nortel SNA solution, see “Filters in the Nortel SNA solution” (page 76). For more information about configuring the filters, see Nortel Ethernet Routing Switch 4500 Series Configuration - Quality of Service (NN47205-504).

Configuring Nortel SNA per VLAN using Device Manager

ATTENTION
VLANs that you plan to configure as Nortel SNA VLANs must be empty (that is, they have no port members assigned). Nortel SNA VLANs cannot be associated with non Nortel SNA ports.

After you configure NSNA, Nortel recommends that you disable the autosave to NVRAM function. Configuration changes must be saved to NVRAM.

To configure the Nortel SNA VLANs:

Step Action

1 Select VLAN , VLANs from Device Manager menu.


2 Create the VLANs that you want to configure as Nortel SNA VLANs.

For more information about creating the VLANs, see Nortel Ethernet Routing Switch 4500 Series Configuration — VLANs, Spanning Tree, and MultiLink Trunking (NN47205-502).

After you have created a VLAN, the VLAN information appears in the Basic tab of the VLAN dialog box.

3 Click the NSNA tab.

The following table describes the VLAN NSNA tab fields.

Table 116 VLAN NSNA tab fields

Field  Description

Id  Specifies the VLAN ID.

NsnaColor  Specifies the color of the Nortel SNA VLAN (red, yellow, green, voip, or none).

FilterSetName  Specifies the name of the filter set.

ATTENTION
This field is applicable only when the NsnaColor field is set to red, yellow, or green.

YellowSubnetType  Specifies the Ethernet type for the Yellow VLAN subnet (IPv4 is currently the only available option).

ATTENTION
This field is applicable only when the NsnaColor field is set to yellow.

YellowSubnet  Specifies the subnet of the Yellow VLAN.

ATTENTION
This field is applicable only when the NsnaColor field is set to yellow.

YellowSubnetMask  Specifies the mask for the Yellow VLAN subnet.

ATTENTION
This field is applicable only when the NsnaColor field is set to yellow.

4 Double-click the NsnaColor field for each VLAN to select the color from the drop-down menu.

5 Double-click the FilterSetName field for each VLAN to enter the filter set name of your choice.


6 Click Apply.

ATTENTION
Each switch must have one, and only one, Red VLAN. Each switch can, however, have multiple Yellow, multiple Green, and multiple VoIP VLANs. With the Ethernet Routing Switch 4500, each switch supports up to five Yellow, five Green, and five VoIP VLANs. If IP Phones are intended for use in the system, create the VoIP VLAN first and then create the Red, Green, and Yellow VLANs.

--End--

Removing a Nortel SNA VLAN

To remove a Nortel SNA VLAN:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the Globals tab.

3 Ensure the Enabled check box is cleared.

Nortel SNA must be globally disabled before deleting the Nortel SNA VLAN.

4 Click Close.

5 Open the VLAN , VLANs , NSNA tab:

a Select VLAN , VLANs from Device Manager menu.

The VLAN dialog box appears with the Basic tab selected.

b Click the NSNA tab.

The NSNA tab is selected.

6 Change the color of the Nortel SNA VLAN to none:

a Double-click the NsnaColor field of the VLAN to be deleted.

b Select the color none from the drop-down list.

7 Click Apply.

8 On the VLAN, VLANs, Basic tab, delete the VLAN from the list of configured VLANs:

a Click the Basics tab.

The Basics tab is selected.

b Select the row containing the VLAN for which you have changed the Nortel SNA color to none.


c Click Delete.

--End--

Enabling Nortel SNA on ports using Device Manager

To enable Nortel SNA on ports:

Step Action

1 Select a port that you want to add to the Nortel SNA solution.

2 Select Edit, Port.

3 Click the NSNA tab.

The following table describes the NSNA tab fields.

Table 117 Port -- NSNA tab fields

Field  Description

Mode  Specifies the Nortel SNA mode for the port. Options are the following:

• disabled

• dynamic

• uplink

ATTENTION
When you specify a port as dynamic, it is changed to Spanning Tree Protocol (STP) Fast Learning automatically. You can change this to be disabled. It cannot be set to Normal Learning for Nortel SNA.

VoipVlans  Specifies the VoIP VLANs to which this port belongs.

ATTENTION
This field is only available when the port mode is dynamic.

UplinkVlans  Specifies the Nortel SNA uplink VLANs to which this port belongs.

ATTENTION
This field is only available when the port mode is uplink.


Table 117 Port -- NSNA tab fields (cont’d.)

Field  Description

State  Specifies the current Nortel SNA color of the port. Possible states are the following:

• none

• red

• yellow

• green

DhcpState  Specifies the DHCP state of the port. Possible DHCP states are the following:

• blocked

• unblocked

4 Configure the port:

a Select the port mode.

b Enter the VoIP VLAN IDs if that field is available.

c Enter the uplink VLANs if that field is available.

5 Click Apply.

--End--

Viewing information about Nortel SNA clients using Device Manager

To view information about Nortel SNA clients currently connected to the network access device:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the Nsna Client tab.

The following table describes the Nsna Client fields.

Table 118 NSNA -- Nsna client tab fields

Field  Description

IfIndex  The ifIndex of the port on which the client is attached.


Table 118 NSNA -- Nsna client tab fields (cont’d.)

Field  Description

MacAddress  Specifies the MAC address of the client.

Device Type  Specifies the type of client device (pc, ipPhone, or a passive device).

VlanId  The VLAN ID of the client.

FilterVlanId  Specifies the VLAN ID whose associated filter set is installed in the selected port.

AddressType  Specifies the type of IP address used by this client (IPv4 is currently the only option available).

Address  Specifies the IP address of the client.

Expired  Indicates whether this client has been aged-out.

--End--

Entering phone signatures for Nortel SNA using Device Manager

To specify IP phone signatures for Nortel SNA:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the IP Phone Signature tab.

3 Click Insert.

4 Enter the IP phone signature string in the field (for example, Nortel-i2007-A).

5 Click Insert.

The IP phone signature you entered appears in the IP Phone Signature tab of the NSNA dialog box.

--End--

Removing Nortel SNA phone signatures

To remove a Nortel SNA phone signature:


Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the IP Phone Signature tab.

The IP Phone Signature tab is selected.

3 Select the row containing the IP phone signature you want to remove.

4 Click Delete.

--End--

Configuring Fail Open using Device Manager

Use the Fail Open tab of the NSNA dialog box to enable and configure Fail Open on the switch.

Procedure steps

Step Action

1 From Device Manager menu bar, choose Edit, Security, NSNA.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the Fail Open tab.

3 Select the FailOpenEnabled box to enable Fail Open.

4 In the FailOpenVlan dialog box, type a VLAN Id.

5 In the FailOpenFilterVlan dialog box, type a VLAN filter Id.

6 Click Apply.

--End--

Variable definitions

Use the data in the following table to configure Fail Open.

Variable Value

FailOpenEnabled  Enables or disables Fail Open on the switch.


FailOpenVlan  Identifies the Fail Open VLAN. Values range from 1 to 4094. If no value is selected, the switch applies a value of 0.

FailOpenFilterVlan  Identifies the VLAN associated with Fail Open filters. Values range from 1 to 4094. If no value is selected, the switch applies a value of 0.

Enabling Nortel SNA using Device Manager

ATTENTION
You must enable SSH before you enable Nortel SNA globally. The command to enable Nortel SNA fails if SSH is not enabled.

To globally enable Nortel SNA:

Step Action

1 Select Edit, Security, NSNA from Device Manager menu.

The NSNA dialog box appears with the NSNAS tab selected.

2 Click the Globals tab.

The Globals tab is selected.

3 Select the Enabled check box.

4 Click Apply.

ATTENTION
It can take 2–3 minutes to globally enable/disable Nortel SNA, especially on a fully populated stack.

--End--


Appendix
TACACS+ server configuration examples and supported SNMP MIBs

This section contains information about the following topics:

• “TACACS+ server configuration examples” (page 345)

• “Supported SNMP MIBs and traps” (page 359)

TACACS+ server configuration examples

This section describes basic configuration examples of the TACACS+ server:

TACACS+ server configuration examples navigation

• “Configuration example: Cisco ACS (version 3.2) server” (page 345)

• “Configuration example: ClearBox server” (page 350)

• “Configuration example: Linux freeware server” (page 357)

Configuration example: Cisco ACS (version 3.2) server

The following figure shows the main administration window.


Figure 7 Cisco ACS (version 3.2) main administration window

Step Action

1 Define the users and the corresponding authorization levels.

If you map users to default group settings, it is easier to remember which user belongs to each group. For example, the rwa user belongs to group 15 to match Privilege level 15. All rwa user settings are picked up from group 15 by default.

The following figure shows a sample Group Setup window.


Figure 8 Group Setup window - Cisco ACS server configuration

2 Configure the server settings.

The following figure shows a sample Network Configuration window to configure the authentication, authorization, and accounting (AAA) server for TACACS+.

Figure 9 Network Configuration window - server setup


3 Define the client.

The following figure shows a sample Network Configuration window to configure the client. Authenticate using TACACS+. You can use a single-connection, but this must match the configuration on the .

Figure 10 Network Configuration window - client setup

4 Verify the groups you have configured.

In this example, the user is associated with a user group. For more information, see Figure 11 "Group Setup window - viewing the group setup" (page 349). The rwa account belongs to group 15, and its privilege level corresponds to the settings for group 15. The ro accounts belong to group 0 and L1 accounts belong to group 2.


Figure 11 Group Setup window - viewing the group setup

5 Go to Shared Profile Components, Shell Command Authorization Set.

The Shell Command Authorization Set screen appears.

Figure 12 Shared Profile Components window - defining the command set

6 Select the commands to be added to the command set, and specify whether the action is permit or deny.


7 View users, their status, and the corresponding group to which each belongs.

The following figure shows a sample User Setup window. You can use this window to find, add, edit, and view user settings.

Figure 13 User Setup window - Cisco ACS server configuration

--End--

Configuration example: ClearBox server

Step Action

1 Run the General Extension Configurator and configure the user data source.

In this example, Microsoft Access was used to create a database of user names and authorization levels; the general.mdb file needs to include these users.


Figure 14 General Extension Configurator

2 Create a Client entry for the switch management IP address by right-clicking the TACACS+ Clients item.

In this case, the TACACS+ Client is the . Enter the appropriate information. The shared secret must match the value configured on the .

Figure 15 Creating a client entry

The default realm Authentication tab looks like the following figure.


Figure 16 Default realm - Authentication tab

3 Click the Realms, def, Authorization tab.

A new service is required that allows the server to assign certain levels of access.

4 Click the + button to add an attribute-value pair for privilege levels.


Figure 17 Default realm - Authorization tab

5 Enter information in the window as shown in the following figure to specify the query parameters.

Figure 18 Adding parameters for the query


6 Click + to add the parameters to the query.

7 Use the string shown in the following figure for the authorization query.

Figure 19 Authorization Query window

The following figure shows the final window.

Figure 20 Query parameters added to Authorization Attribute-Value Pairs window


8 Click OK.

The information appears on the Authorization tab.

Figure 21 Authorization attribute-value pairs added to Authorization tab

9 Browse the general.mdb file as specified earlier.

The user table can look like the one shown in the following figure. If the Privilege column does not exist, create one and populate it according to the desired access level.

Microsoft Access or third-party software is required to read this file.

If you use the 30-day trial for ClearBox, the user names cannot be more than four characters in length.

Figure 22 Users table - Microsoft Access

10 Run the Server Manager.


Figure 23 ClearBox Server Manager

11 Click Connect.

The Connect to... dialog box appears.

Figure 24 Connect to... dialog box

12 Click OK (do not fill in fields).

13 Click OK at the warning message.


14 Click Start.

The Server Manager can now look like the following figure. Changes to the General Server Extension Configurator require that the server be restarted.

Figure 25 TACACS+ server connected

--End--

Configuration example: Linux freeware server

Step Action

1 After TACACS+ is installed on the Linux server, change the directory to

$cd /etc/tacacs

2 Open the configuration file tac_plus.cfg:

$vi tac_plus.cfg

3 Comment out all the existing lines in the configuration file. Add new lines similar to the following:


# Enter your NAS key and user name
key = <secret key>
user = <user name> {
    default service = permit
    service = exec {
        priv-lvl = <Privilege level 1 to 15>
    }
    login = <Password type> <password>
}
# Set the location to store the accounting records

where

<secret key> is the key that is to be configured on the switch when creating the TACACS+ server entry

<user name> is the user name used to log on to the switch

<Privilege level> specifies the privilege level (for example rwa = 6; rw = 5; ro = 1)

<Password type> specifies the type of password -- for example, the password can be clear text or from the Linux password file, and so on

<Password> if the password type is clear text, the password itself

The following is a sample config file.

$vi tac_plus.cfg

# Created by Joe SMITH([email protected])
# Read user_guide and tacacs+ FAQ for more information
#
# Enter your NAS key
key = secretkey
user = smithJ {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    login = cleartext M5xyH8
}

4 Save the changes to the tac_plus.cfg file.

5 Run the TACACS+ daemon using the following command:

$/usr/local/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg &

where

• tac_plus is stored under /usr/local/sbin

• the configuration file you just edited is stored at /etc/tacacs/


The TACACS+ server on Linux is ready to authenticate users.

--End--
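Before the daemon is started it is worth checking tac_plus.cfg for the weak settings the template above makes easy to leave in place: a placeholder or short NAS key and passwords stored as cleartext. The following Python audit is an added example, not tac_plus code and not part of the Nortel documentation; it understands only the key, user, priv-lvl and login statements shown above, the second user in its sample is constructed, and the MIN_KEY_LEN threshold is an assumption rather than a tac_plus requirement.

```python
"""Parse a tac_plus.cfg written in the form shown above and flag settings that
weaken the deployment: a placeholder or short NAS key, users whose password is
stored as cleartext, and privilege levels outside the 1 to 15 range.

Added example for this page, not part of tac_plus or the Nortel documentation.
Only the key, user, service/priv-lvl and login statements shown above are
understood.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

MIN_KEY_LEN = 16   # assumption: local minimum length for the shared NAS key

_KEY = re.compile(r"^\s*key\s*=\s*(\S+)")
_USER = re.compile(r"^\s*user\s*=\s*(\S+)\s*\{")
_PRIV = re.compile(r"^\s*priv-lvl\s*=\s*(\d+)")
_LOGIN = re.compile(r"^\s*login\s*=\s*(\S+)")


@dataclass
class TacUser:
    name: str
    priv_lvl: Optional[int] = None
    login_type: Optional[str] = None   # e.g. cleartext, des, file


def parse_tac_plus(text: str) -> tuple[Optional[str], list[TacUser]]:
    """Return the NAS key and the user blocks, tracking braces so the nested
    service block does not end the user block early."""
    key: Optional[str] = None
    users: list[TacUser] = []
    current: Optional[TacUser] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]              # strip comments
        if not line.strip():
            continue
        if current is None:
            if m := _KEY.match(line):
                key = m.group(1)
            elif m := _USER.match(line):
                current = TacUser(m.group(1))
                depth = 1
            continue
        if m := _PRIV.match(line):
            current.priv_lvl = int(m.group(1))
        elif m := _LOGIN.match(line):
            current.login_type = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth <= 0:                           # user block closed
            users.append(current)
            current = None
    if current is not None:                      # unterminated block, keep it
        users.append(current)
    return key, users


def audit(text: str) -> list[str]:
    key, users = parse_tac_plus(text)
    findings: list[str] = []
    if key is None:
        findings.append("no NAS key configured")
    elif key.startswith("<") or len(key) < MIN_KEY_LEN:
        findings.append(f"NAS key '{key}' is a placeholder or shorter than {MIN_KEY_LEN} characters")
    for u in users:
        if u.priv_lvl is None or not 1 <= u.priv_lvl <= 15:
            findings.append(f"user {u.name}: priv-lvl {u.priv_lvl} is not in 1..15")
        if u.login_type == "cleartext":
            findings.append(f"user {u.name}: password stored as cleartext")
    return findings


# Constructed sample: the user from the page's sample file plus a second,
# read-only user whose password comes from the Linux password file.
SAMPLE_CFG = """\
# Enter your NAS key
key = secretkey
user = smithJ {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    login = cleartext M5xyH8
}
user = auditor {
    default service = permit
    service = exec {
        priv-lvl = 1
    }
    login = file /etc/passwd
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG) or ["no findings"]:
        print(finding)
```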

Supported SNMP MIBs and traps

This section contains information about:

• “Supported MIBs” (page 359)

• “Supported traps” (page 361)

Supported MIBs

The following tables list supported SNMP MIBs.

Table 119 SNMP Standard MIB support

MIB name RFC File name

RMON-MIB 2819 rfc2819.mib

RFC1213-MIB 1213 rfc1213.mib

IF-MIB 2863 rfc2863.mib

SNMPv2-MIB 3418 rfc3418.mib

EtherLike-MIB 2665 rfc2665.mib

ENTITY-MIB 2737 rfc2737.mib

BRIDGE-MIB 4188 rfc4188.mib

P-BRIDGE-MIB 4363 rfc4363-p.mib

Q-BRIDGE-MIB 4363 rfc4363-q.mib

IEEE8021-PAE-MIB n/a eapol-d10.mib

SMIv2-MIB 2578 rfc2578.mib

SMIv2-TC-MIB 2579 rfc2579.mib

SNMPv2-MIB 3418 rfc3418.mib

SNMP-FRAMEWORK-MIB 3411 rfc3411.mib

SNMP-MPD-MIB 3412 rfc3412.mib

SNMP-NOTIFICATION-MIB 3413 rfc3413-notif.mib

SNMP-TARGET-MIB 3413 rfc3413-tgt.mib

SNMP-USER-BASED-MIB 3414 rfc3414.mib

SNMP-VIEW-BASED-ACM-MIB 3415 rfc3415.mib

SNMP-COMMUNITY-MIB 3584 rfc3584.mib

Nortel Ethernet Routing Switch 4500 SeriesConfiguration — Security

NN47205-505 05.03 Standard14 May 2009

Copyright © 2008-2009 Nortel Networks

.

Page 360: NN47205 505 05.03 Configuration Security


Table 120 SNMP proprietary MIB support

MIB name                         File name
S5-AGENT-MIB                     s5age.mib
S5-CHASSIS-MIB                   s5cha.mib
S5-CHASSIS-TRAP-MIB              s5ctr.trp
S5-ETHERNET-TRAP-MIB             s5etr.trp
RAPID-CITY-MIB                   rapidCity.mib
S5-SWITCH-BAYSECURE-MIB          s5sbs.mib
BN-IF-EXTENSIONS-MIB             s5ifx.mib
BN-LOG-MESSAGE-MIB               bnlog.mib
S5-ETH-MULTISEG-TOPOLOGY-MIB     s5emt.mib
NTN-QOS-POLICY-EVOL-PIB          pibNtnEvol.mib
BAY-STACK-NOTIFICATIONS-MIB      bsn.mib

Table 121 Application and related MIBs

Application                                          Related MIBs                                        File name
Autotopology                                         S5-ETH-MULTISEG-TOPOLOGY-MIB                        s5emt.mib
BaySecure                                            S5-SWITCH-BAYSECURE-MIB                             s5sbs.mib
Extensible Authentication Protocol over LAN (EAPOL)  IEEE8021-PAE-MIB                                    eapol-d10.mib
IP multicast (IGMP snooping/proxy)                   RAPID-CITY-MIB (rcVlanIgmp group)                   rcVlan.mib
Link Aggregation Control Protocol (LACP)             IEEE8023-LAG-MIB; BAY-STACK-LACP-EXT-MIB            ieee8023-lag.mib; bayStackLacpExt.mib
Link Layer Discovery Protocol (LLDP)                 LLDP-MIB; LLDP-EXT-DOT1-MIB; LLDP-EXT-DOT3-MIB      lldp.mib; lldpExtDot1.mib; lldpExtDot3.mib
MIB-2                                                RFC1213-MIB                                         rfc1213.mib
MultiLink Trunking (MLT)                             RAPID-CITY-MIB (rcMlt group)                        rcMlt.mib
Policy management                                    NTN-QOS-POLICY-EVOL-PIB                             pibNtnEvol.mib
RMON-MIB                                             RMON-MIB                                            rfc2819.mib


Page 361: NN47205 505 05.03 Configuration Security

Table 121 Application and related MIBs (cont'd.)

Application                  Related MIBs                                    File name
SNMPv3                       SNMP-FRAMEWORK-MIB                              rfc3411.mib
                             SNMP-MPD-MIB                                    rfc3412.mib
                             SNMP-NOTIFICATION-MIB                           rfc3413-notif.mib
                             SNMP-TARGET-MIB                                 rfc3413-tgt.mib
                             SNMP-USER-BASED-SM-MIB                          rfc3414.mib
                             SNMP-VIEW-BASED-ACM-MIB                         rfc3415.mib
                             SNMP-COMMUNITY-MIB                              rfc3584.mib
Spanning Tree                BRIDGE-MIB                                      rfc4188.mib
    for MSTP                 NORTEL-NETWORKS-MULTIPLE-SPANNING-TREE-MIB      nnmst.mib
    for RSTP                 NORTEL-NETWORKS-RAPID-SPANNING-TREE-MIB         nnrst.mib
System log                   BN-LOG-MESSAGE-MIB                              bnlog.mib
VLAN                         RAPID-CITY-MIB (rcVlan group)                   rcVlan.mib

Supported traps

The following table lists supported SNMP traps.

Table 122 Supported SNMP traps

Trap name                        Configurable    Sent when
RFC 2863 (industry standard):
linkUp                           Per port        A port link state changes to up.
linkDown                         Per port        A port link state changes to down.
RFC 3418 (industry standard):
authenticationFailure            System wide     There is an SNMP authentication failure.
coldStart                        Always on       The system is powered on.
warmStart                        Always on       The system restarts due to a management reset.
s5CtrMIB (Nortel proprietary traps):
s5CtrUnitUp                      Always on       A unit is added to an operational stack.
s5CtrUnitDown                    Always on       A unit is removed from an operational stack.


Page 362: NN47205 505 05.03 Configuration Security

Table 122 Supported SNMP traps (cont'd.)

Trap name                        Configurable    Sent when
s5CtrHotSwap                     Always on       A unit is hot-swapped in an operational stack.
s5CtrProblem                     Always on       Base unit fails; AC power fails or is restored;
                                                 RPSU (DC) power fails or is restored; fan fails
                                                 or is restored.
s5EtrSbsMacAccessViolation       Always on       A MAC address security violation is detected.
entConfigChange                  Always on       A hardware change: unit added to or removed from
                                                 the stack, GBIC inserted or removed.
risingAlarm, fallingAlarm        Always on       An RMON alarm threshold is crossed.
bsnConfigurationSavedToNvram     Always on       Each time the system configuration is saved to NVRAM.
bsnEapAccessViolation            Always on       An EAP access violation occurs.
bsnStackManagerReconfiguration   System-wide     A stack reconfiguration has occurred.
LLDP-MIB:
lldpRemTablesChange              System-wide     The value of lldpStatsRemTableLastChangeTime changes.
NORTEL-NETWORKS-RAPID-SPANNING-TREE-MIB:
nnRstGeneralEvent                Always on       A general event, such as protocol up or protocol down, occurs.
nnRstErrorEvent                  System-wide     An error event occurs. Error events include memory failure,
                                                 buffer failure, protocol migration, new root, and topology change.
nnRstNewRoot                     System-wide     A new root bridge is selected in the topology.
nnRstTopologyChange              System-wide     A topology change is detected.
nnRstProtocolMigration           Per port        Port protocol migration occurs.
NORTEL-NETWORKS-MULTIPLE-SPANNING-TREE-MIB:
nnMstGeneralEvent                Always on       A general event, such as protocol up or protocol down, occurs.


Page 363: NN47205 505 05.03 Configuration Security

Table 122 Supported SNMP traps (cont'd.)

Trap name                        Configurable    Sent when
nnMstErrorEvent                  System-wide     An error event occurs. Error events include memory failure,
                                                 buffer failure, protocol migration, new root, and topology change.
nnMstNewRoot                     System-wide     A new root bridge is selected in the topology.
nnMstTopologyChange              System-wide     A topology change is detected.
nnMstProtocolMigration           Per port        Port protocol migration occurs.
nnMstRegionConfigChange          System-wide     The MST region configuration identifier changes.
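Most of the traps in Table 122 are operational, but a few are direct security signals: authenticationFailure (a wrong community string or USM user; it is configurable system wide and must be enabled), s5EtrSbsMacAccessViolation, bsnEapAccessViolation, and the configuration and hardware change traps. The following is an added example, not from this guide: a small Python triage routine that reads trap lines as an snmptrapd-style receiver might log them, keeps the security-relevant ones, and raises a separate alert when one agent sends a burst of authenticationFailure traps, the usual sign of community-string guessing. The log line format (timestamp, agent address, MIB-qualified trap name) and the sample lines are constructed for the example, not captured from a switch; the threshold and window are assumptions to tune.

```python
"""Triage of ERS 4500 SNMP traps (added example, not from the Nortel guide).

Input lines are assumed to look like "<ISO timestamp> <agent> <MIB::trap>";
the SAMPLE lines below are constructed, not captured from a real switch.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Traps from Table 122 a SOC should act on, with a severity label.
# linkUp/linkDown and the spanning-tree traps are left out as noise.
SECURITY_TRAPS = {
    "authenticationFailure": "medium",       # wrong community string or USM user
    "s5EtrSbsMacAccessViolation": "high",    # MAC address security violation
    "bsnEapAccessViolation": "high",         # 802.1X (EAP) access violation
    "bsnConfigurationSavedToNvram": "info",  # a configuration change was persisted
    "entConfigChange": "info",               # unit or GBIC added/removed
    "bsnStackManagerReconfiguration": "info",
    "coldStart": "info",                     # unexpected reboots are worth a look
    "warmStart": "info",
}

# Assumed tuning: five failures from one agent inside a minute is a burst.
AUTH_FAIL_THRESHOLD = 5
AUTH_FAIL_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<agent>\S+) (?:[\w-]+::)?(?P<trap>\w+)$")


def parse_line(line):
    """Return {ts, agent, trap} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "agent": m["agent"], "trap": m["trap"]}


def triage(lines):
    """Return a list of (severity, agent, description) alerts."""
    alerts = []
    recent_auth_fail = defaultdict(deque)   # agent -> timestamps inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        severity = SECURITY_TRAPS.get(ev["trap"])
        if severity is None:
            continue
        alerts.append((severity, ev["agent"], ev["trap"]))
        if ev["trap"] == "authenticationFailure":
            window = recent_auth_fail[ev["agent"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > AUTH_FAIL_WINDOW:
                window.popleft()
            if len(window) == AUTH_FAIL_THRESHOLD:
                alerts.append(("high", ev["agent"], "authenticationFailure burst"))
    return alerts


# Constructed sample: a community-string guessing run against 192.0.2.5,
# followed by port-security and 802.1X violations and a config save.
SAMPLE = """\
2009-05-14T10:00:01 192.0.2.5 SNMPv2-MIB::authenticationFailure
2009-05-14T10:00:02 192.0.2.5 SNMPv2-MIB::authenticationFailure
2009-05-14T10:00:03 192.0.2.5 SNMPv2-MIB::authenticationFailure
2009-05-14T10:00:04 192.0.2.5 SNMPv2-MIB::authenticationFailure
2009-05-14T10:00:05 192.0.2.5 SNMPv2-MIB::authenticationFailure
2009-05-14T10:00:06 192.0.2.5 IF-MIB::linkUp
2009-05-14T10:00:07 192.0.2.5 S5-ETHERNET-TRAP-MIB::s5EtrSbsMacAccessViolation
2009-05-14T10:00:08 192.0.2.5 BAY-STACK-NOTIFICATIONS-MIB::bsnEapAccessViolation
2009-05-14T10:00:09 192.0.2.5 BAY-STACK-NOTIFICATIONS-MIB::bsnConfigurationSavedToNvram
2009-05-14T10:05:00 192.0.2.6 SNMPv2-MIB::authenticationFailure
""".splitlines()

if __name__ == "__main__":
    for severity, agent, what in triage(SAMPLE):
        print(f"{severity:6} {agent:12} {what}")
```

The burst rule fires once, when the fifth failure lands inside the window, rather than on every subsequent failure; a single authenticationFailure from a second agent stays at medium. Extending the table with linkDown on uplink ports or nnRstNewRoot (an unexpected new root bridge can indicate a rogue switch) is a matter of adding rows to SECURITY_TRAPS.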


Page 365: NN47205 505 05.03 Configuration Security


Index

802.1X dynamic authorization extension
    configuration using Device Manager 287
802.1X dynamic authorization extension (RFC 3576) 52
    configuring with NNCLI 142

A
access
    IP Manager list 59
AdminControlledDirections field 258, 269
allowed non-EAP MAC address
    Adding with Device Manager 262
    Deleting with Device Manager 263
Allowed non-EAP MAC address list
    configuration with Device Manager 262
ARP Inspection
    configuring 294
Auth Protocol field 303
AuthConfig
    configuring with Device Manager 275
AuthControlledPortControl field 258, 269
AuthControlledPortStatus field 258, 269
authentication 31, 64, 171
Authentication Passphrase field 233
Authentication Protocol field 232–233
Authentication Protocols Supported field 231
Authentication Trap field 229
authentication traps, enabling 229
AuthProtocol field 303
AuthStatus tab 277
AutoLearn tab 277
Autotopology 229
AutoTopology field 229

B
BackendAuthState field 258, 269
BaySecure 24

C
cli password command 187
Clone From User field 303
Cloned User Auth Password field 304
Cloned Users Priv Password field 304
Community field 246, 301
community strings, configuring 229
community-string field 166
configuration rules
    EAPOL 34
console 59
ContextEngineID field 312
ContextMatch field 307–308
ContextName field 312
ContextPrefix field 307–308

D
Decryption Error field 232
default snmp-server authentication-trap command 158
default snmp-server community command 161
default snmp-server contact command 162
default snmp-server host command 166
default snmp-server name command 168
DES field 172
destination address filtering 24
DHCP snooping 68
    configuring 291
    configuring with NNCLI 199
Dynamic ARP inspection 70
    configuring with NNCLI 206


Page 366: NN47205 505 05.03 Configuration Security

E
EAP (802.1X) accounting 50
EAPOL
    advanced features 35
    configuring with Device Manager 256
    configuring with NNCLI 113
    configuring with Web-based management 217
EAPOL advanced features
    configuring with NNCLI 117
EAPOL statistics
    graphing with Device Manager 265
EAPOL-based network security 31
    configuration rules 34
encryption 64, 171
Engine ID field 302–303
Entry Storage field 233–234, 236–237, 239, 241, 243, 245
example
    campus security 29

G
general switch security
    configuring with Device Manager 270
Group Access Rights page 236
Group Membership page 235–236
Group Name field 235, 237
GroupName field 305–306
Guest VLAN 35–37
    configuring with NNCLI 122

H
host-ip field 166

I
IEEE 802.1X 31
IP Address field 246
IP Globals tab
    fields 303, 305
IP Manager
    configuring 227
    configuring with NNCLI 184
IP Manager list 59
IP Source Guard
    configuration 210, 295
    enabling 211, 214
IP Source Guard port configuration information
    viewing 212
IP Source Guard-allowed addresses
    viewing 213

K
KeyTxEnabled field 259, 270

L
LastEapolFrameSource field 259, 270
LastEapolFrameVersion field 259, 270
LastUnauthenticatedCommunityString field 300
LastUnauthenticatedIpAddress field 300

M
MAC address autolearning
    configuring with NNCLI 110
MAC address-based network security
    autolearning 25
MAC address-based security 24
    configuring with NNCLI 105
    configuring with Web-based management 219
MAC DA filtering 24
MAC DA-based security 24
MAC SA-based security 24
MAC-address-based security 24
Management Information View page 238, 240
Mask field 310
MaximumRequests field 259, 269
md5 field 172
MHMA 39
MHSA 47
    configuring with NNCLI 152
MIBs 64
minimum-secure field 177
MPModel field 314
Msg Processing Model field 244
Multihost
    Configuring with NNCLI 129
Multiple Host with Multiple Authentication (MHMA) 35, 39
Multiple Host with Single Authentication 47

N
NetAddr field 301
New User Name field 303


Page 367: NN47205 505 05.03 Configuration Security

New Users Auth Password field 304
New Users Priv Password field 304
no snmp-server authentication-trap command 157
no snmp-server command 163, 172
no snmp-server community command 160
no snmp-server contact command 162
no snmp-server host 165
no snmp-server location command 167
no snmp-server name command 168
no snmp-server view command 174
non-EAP hosts on EAP-enabled ports 45
    configuring with NNCLI 134
non-EAP MAC RADIUS authentication 47
Nortel IP Phone clients
    Enabling 150
Nortel Secure Network Access 72
    configuration example 74
    Port modes 76
    Topologies 82
Nortel SNA 72, 74
    basic switch configuration 84
    deploying 88
    filters 76
    rolling back to default 91
Not in Time Window field 231
Notification page 240
Notify Name field 240
Notify Tag field 241
Notify Type field 241
Notify View field 237
notify-view field 160, 172
NotifyViewName table 307–308

O
object identifier field 174
OID field 174
OperControlledDirections field 258, 269

P
PaeState field 258, 269
Parameter Tag field 244
Params field 313
Password security
    configuring with NNCLI 188
Password Security 60
passwords 187
Port Capabilities field 258, 269
port non-EAP host support status
    viewing with Device Manager 264
port-based EAPOL
    configuring with Device Manager 257
PortInitialize field 258, 269
PortProtocolVersion field 258, 269
PortReauthenticate field 258, 269
Priv Protocol field 304
Privacy Passphrase field 234
Privacy Protocol field 233
Private Protocols Supported field 231
PrivProtocol field 303

Q
QuietPeriod field 258, 269

R
RADIUS access 187
RADIUS accounting
    configuring with NNCLI 177
RADIUS authentication
    configuration 27
    configuring with NNCLI 111
RADIUS security
    configuring with Web-based management 224
    overview 26
    password fallback 27
RADIUS Server security configuration with Device Manager 284
Read View field 237
Read-Only Community String field 229
read-view field 160, 172
Read-Write Community String field 229
ReadViewName field 307–308
ReAuthenticationEnabled field 259, 270
ReAuthenticationPeriod field 259, 269
remote TACACS+ services
    enabling 181
RetryCount field 313

S
Secure Shell protocol 66
security 64, 171, 187
    advanced EAPOL features 35
    EAPOL-based network security 31
    IP Manager list 59
    MAC address-based security 24
    MAC address-based security
        autolearning 25


Page 368: NN47205 505 05.03 Configuration Security

    MAC DA filtering 24
    RADIUS password fallback 27
    RADIUS-based network security 26
    SNMPv3 230
Security
    CLI audit 62
    Feature summary 91
    IP Source Guard 71
security features
    hardware-based 23
    software-based 23
Security Level field 237, 245
security list
    adding ports with Device Manager 273
    configuration with Device Manager 272
    deleting all ports with Device Manager 274
    deleting specific ports with Device Manager 273
security lists 24
Security Model field 235, 237
Security Name field 235, 244, 303
SecurityLevel field 307–308, 314
SecurityModel field 305, 307–308, 314
SecurityName field 305, 312, 314
semi-secure field 177
ServerTimeout field 259, 269
Setting NNCLI password 187
Setting user access limitations with Device Manager 100
SHA field 172
show snmp-server command 156
Simple Network Management Protocol 63
Single Host with Single Authentication (SHSA) 35–36
SNMP 63
    configuration 154
    configuring with Device Manager 299
    configuring with NNCLI 155
    configuring with Web-based management interface 228
    new-style 154
    NVRAM entries 155
    old-style 154
    proprietary method 154
    standards-based method 154
    trap receivers
        configuring with Web-based management 245
        deleting 246
SNMP Engine Boot field 231
SNMP Engine Dialects field 231
SNMP Engine ID field 231
SNMP Engine Maximum Message Size field 231
SNMP Engine Time field 231
SNMP tab 299
SNMP Trap Receiver page 246
SNMP traps 245
SNMP v1, v2c, v3 64
SNMP v3 166
snmp-server authentication-trap command 157
snmp-server command 162
snmp-server community command 158–159
snmp-server contact command 162
snmp-server host command 163, 175
snmp-server location command 167
snmp-server name command 168, 176
snmp-server user command 170
snmp-server view command 173
snmpTargetAddrTable 242
SNMPv1 154
    configuring with Web-based management 229
SNMPv1 page 229
SNMPv3 154, 230
    community 311
    configuring with Device Manager 301
    configuring with Web-based management 230
    group access rights 236
        deleting 238
    group membership 235, 305
        deleting 236
    management information views 238
        deleting 240
    notify table 315
    system information, viewing 230
    system notification entries 240
        deleting 241
    target addresses 242
        deleting 243
    target parameters 244
        deleting 245
    target parameters and addresses 312
    user access 232
        deleting 234


Page 369: NN47205 505 05.03 Configuration Security

    user table 302–303
SSH 66
    configuring with Device Manager 280
    configuring with NNCLI 194
SSL 65
    configuring with Device Manager 283
    configuring with NNCLI 192
StorageType field 303–308, 310–314, 316
Subtree field 309–310
SupplicantTimeout field 259, 269
Supported SNMP MIBs and traps 359
System Information page 230

T
TACACS+ 54
    configuring with NNCLI 178
    configuring with Web-based management interface 250
TACACS+ accounting
    enabling or disabling 183
TACACS+ authorization
    enabling or disabling 181
TACACS+ authorization privilege levels
    configuring 182
TACACS+ information
    viewing 184
TACACS+ level
    Configuring with NNCLI 183
TACACS+ server configuration examples 345
TACACS+ server settings
    configuring 179
    disabling 180
TAddress field 313
Tag field 315
Taglist field 313
Target Address field 242
Target Address page 242
Target Domain field 242
Target Name field 242
Target Parameter Entry field 243
Target Parameter page 244–245
Target Retry Count field 242
Target Tag List field 243
Target Timeout field 242
TDomain field 313
Telnet 59, 187
Timeout field 313
TransmitPeriod field 258, 269
TransportTag field 312
Trap Receiver Index field 246
Trap Receivers tab 300
traps 245
troubleshooting
    MAC address filtering 24
    privacy passphrase 234
    security 59
    SNMPv3 155
TrpRcvrCurEnt field 300
TrpRcvrMaxEnt field 300
TrpRcvrNext field 300
Type field 310–311

U
Unavailable Context field 231
Unknown Context field 231
Unknown Engine IDs field 231
Unknown User Name field 231
Unsupported Security Level field 231
USB port and serial console port control using NNCLI 100
user access limitations
    setting 217
user name and password
    setting 186
User Name field 232–233
User Specification page 232
username field 172–173
USMTable 302–303

V
vacmGroupName field 307–308
very-secure field 177
View Mask field 239
View Name field 239
View Subtree field 239
View Type field 239
Viewing RADIUS Dynamic Authorization server information with Device Manager 286
Viewing RADIUS Dynamic Server statistics with Device Manager 290
viewname field 175
ViewName field 309–310
VLANs
    EAPOL 33


Page 370: NN47205 505 05.03 Configuration Security

W
Wake on LAN
    Configuring with Device Manager 268
    Configuring with NNCLI 148
    Configuring with Web-based management 251
Web-based management 59
Write View field 237
write-view field 160, 172
WriteViewName field 307–308
Wrong Digest field 232

Page 372: NN47205 505 05.03 Configuration Security

Nortel Ethernet Routing Switch 4500 Series

Configuration — Security

Copyright © 2008-2009 Nortel Networks
All Rights Reserved.

Release: 5.3
Publication: NN47205-505
Document status: Standard
Document revision: 05.03
Document release date: 14 May 2009

To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.

www.nortel.com