Security Configuration and Management



Document status: Standard
Document version: 01.02
Document date: 7 March 2007

All Rights Reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

The software described in this document is furnished under a license agreement and can be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS. Notwithstanding any other license agreement that can pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product can be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University can not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that can incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks software license agreement

This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks can audit by remote polling or other reasonable means to determine Customer's Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as can be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions can not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER'S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they can not apply.

4. General.
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with US Federal Regulations at 48 CFR Sections (for non-DoD entities) and 48 CFR (for DoD entities).
b. Customer can terminate the license at any time. Nortel Networks can terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer's use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party can bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Preface
  Before you begin
  Text conventions
  Related publications
  How to get help
    Getting help from the Nortel Web site
    Getting help through a Nortel distributor or reseller
    Getting help over the phone from a Nortel Solutions Center
    Getting help from a specialist by using an Express Routing Code

Chapter 1 Using security in your network
  Setting management passwords
    Console/TELNET/Web password Configuration
    Username and password
    Logging on
  Configuring security options
    RADIUS-based network security
    MAC address-based security
    EAPoL-based security
    EAPoL with Guest VLAN
  EAPOL Security Configuration
  Password security
    Password length and valid characters
    Password retry
    Password history
    Password display
    Password verification
    Password aging time
    Read-Only and Read-Write passwords must be different
    Applicable passwords
    Enabling and disabling password security
    Default passwords
  HTTP port number change
  Simple Network Management Protocol
    SNMP Version 1 (SNMPv1)
    support for SNMP
    SNMP MIB support
    SNMP trap support

Chapter 2 Configuring Security Using the CLI
  Securing your system
    Setting the username and password
    Setting password security
    Configuring the IP manager list
    Changing the http port number
    Setting Telnet access
    Configuring Secure Shell (SSH)
    Setting server for Web-based management
    Configuring the RADIUS-based management password authentication
  Setting SNMP parameters
    Common SNMP and SNMPv3 CLI commands
    CLI commands specific to SNMPv3
  Securing your network
    Configuring MAC address filter-based security
    Configuring EAPOL-based security

Chapter 3 Configuring security using Device Manager
  EAPOL tab
  General tab
  SecurityList tab
    Security, Insert SecurityList dialog box
  AuthConfig tab
    Security, Insert AuthConfig dialog box
  AuthStatus tab
  AuthViolation tab
  SSH tab
  SSH Sessions tab
  Configuring EAPOL on ports
    EAPOL tab for a port
    EAPOL Advance tab for ports
    EAPOL Stats tab for graphing ports
    EAPOL Diag tab for graphing ports
  Configuring SNMP
    SNMP tab
    Trap Receivers tab
    Graphing SNMP statistics
  Working with SNMPv3
    Initial Login with an SNMPv3 User
    User-based Security Model
    View-based Access Control Model
    Creating a community
    Management Targets
    The Notify Table

Chapter 4 Configuring security using Web-based management
  Configuring system security
    Setting console, Telnet, and Web passwords
    Configuring RADIUS dial-in access security
    Accessing the management interface
  Configuring MAC address-based security
    Configuring MAC address-based security
    Configuring ports
    Adding MAC addresses
    Clearing ports
    Enabling security on ports
    Deleting ports
    Filtering MAC destination addresses
    Deleting MAC DAs
  About SNMP
    Configuring SNMPv1
    Configuring SNMPv3
      Viewing SNMPv3 system information
      Configuring user access to SNMPv3
      Configuring an SNMPv3 system user group membership
      Configuring SNMPv3 group access rights
      Configuring an SNMPv3 management information view
      Configuring an SNMPv3 system notification entry
      Configuring an SNMPv3 management target address
      Configuring an SNMPv3 management target parameter
    Configuring an SNMP trap receiver

Appendix A SNMP MIB support

Index

Figures

Figure 1 Login screen; Figure 2 Ethernet Routing Switch 2500 Series security feature; Figure 3 show ipmgr command output; Figure 4 show http-port command output; Figure 5 Telnet icon on Device Manager toolbar; Figure 6 show telnet-access command output; Figure 7 show ssh global command output; Figure 8 show ssh session command output; Figure 9 show ssh download-auth-key command output; Figure 10 show radius-server command output; Figure 11 show mac-security command output; Figure 12 Sample output from the show eapol command; Figure 13 show eapol guest-vlan command output; Figure 14 EAPOL tab; Figure 15 General tab; Figure 16 SecurityList tab; Figure 17 Security, Insert SecurityList dialog box; Figure 18 AuthConfig tab; Figure 19 Security, Insert AuthConfig dialog box; Figure 20 AuthStatus tab; Figure 21 AuthViolation tab; Figure 22 SSH tab; Figure 23 SSH Sessions tab; Figure 24 EAPOL tab for a port; Figure 25 EAPOL Advance tab for a port; Figure 26 Graph Port dialog box, EAPOL Stats tab; Figure 27 Graph Port dialog box, EAPOL Diag tab; Figure 28 Chassis dialog box, SNMP tab; Figure 29 Chassis dialog box; Figure 30 Chassis, Insert Trap Receivers dialog box; Figure 31 Graph Chassis dialog box, SNMP tab; Figure 32 USM dialog box; Figure 33 USM, Insert USM Table dialog box; Figure 34 VACM dialog, Group Membership tab; Figure 35 Group Access Right tab; Figure 36 VACM, Insert Group Access Right dialog box; Figure 37 MIB View tab; Figure 38 VACM, Insert MIB View dialog box; Figure 39 Community Table dialog box; Figure 40 Community Table, Insert Community Table dialog box; Figure 41 Target Table dialog box, Target Address Table tab; Figure 42 Target Table, Insert Target Address Table dialog box; Figure 43 Target Params Table tab; Figure 44 Target Table, Insert Target Params Table dialog box; Figure 45 NotifyTable dialog box; Figure 46 Notify Table, Insert dialog box; Figure 47 Console password setting page; Figure 48 Radius page; Figure 49 Web-based management interface log on page; Figure 50 System Information Page; Figure 51 Security Configuration page; Figure 52 Port Lists page; Figure 53 Port List View, Port List page; Figure 54 Port List View, Learn by Ports page; Figure 55 Security Table page; Figure 56 Port List View, Clear By Ports page; Figure 57 Port Configuration page; Figure 58 DA MAC Filtering page; Figure 59 SNMPv1 page; Figure 60 System Information page; Figure 61 User Specification page; Figure 62 Group Membership page; Figure 63 Group Access Rights page; Figure 64 Management Information View page; Figure 65 Notification page; Figure 66 Target Address page; Figure 67 Target Parameter page; Figure 68 SNMP Trap Receiver page.

Tables

Table 1 username command parameters and variables; Table 2 cli password command parameters and variables; Table 3 ipmgr command for system management parameters and variables; Table 4 no ipmgr command for management system; Table 5 ipmgr command for source IP addresses parameters and variables; Table 6 no ipmgr command for source IP addresses parameters and variables; Table 7 http-port command parameters and variables; Table 8 telnet-access command parameters and variables; Table 9 no telnet-access command parameters and variables; Table 10 ssh timeout command parameters and variables; Table 11 ssh port command parameters and variables; Table 12 ssh download-auth-key command parameters and variables; Table 13 default ssh command parameters and variables; Table 14 web-server command parameters and variables; Table 15 radius-server command parameters and variables; Table 16 snmp-server command parameters and variables; Table 17 snmp-server authentication-trap command; Table 18 snmp-server community for read/write command; Table 19 no snmp-server community command parameters and variables; Table 20 default snmp-server community command parameters and variables; Table 21 snmp-server contact command parameters and variables; Table 22 snmp-server location command parameters and variables; Table 23 no snmp-server location command parameters and variables; Table 24 snmp-server name command parameters and variables; Table 25 no snmp-server name command parameters and variables; Table 26 default snmp-server name command parameters and variables; Table 27 snmp trap link-status command parameters and variables; Table 28 no snmp trap link-status command parameters and variables; Table 29 default snmp trap link-status command parameters and variables; Table 30 snmp-server user command parameters and variables; Table 31 no snmp-server user command parameters and variables; Table 32 snmp-server view command parameters and variables; Table 33 no snmp-server view command parameters and variables; Table 34 snmp-server host for the new-style table command parameters and variables; Table 35 no snmp-server host for the new-style command parameters and variables; Table 36 snmp-server community command parameters and variables; Table 37 show snmp-server command parameters and variables; Table 38 snmp-server bootstrap command parameters and variables; Table 39 show mac-security command parameters and variables; Table 40 mac-security command parameters and values; Table 41 mac-security mac-address-table address parameters and values; Table 42 mac-security security-list command parameters and values; Table 43 no mac-security mac-address-table command parameters and values; Table 44 no mac-security security-list command parameters and values; Table 45 mac-security command for a single port parameters and variables; Table 46 mac-security mac-da-filter command parameters and values; Table 47 show interface eapol command parameters and variables; Table 48 eapol command parameters and variables; Table 49 eapol command for modifying parameters and variables; Table 50 eapol guest-vlan command parameters and variables; Table 51 General tab fields; Table 52 SecurityList tab fields; Table 53 Security, Insert SecurityList dialog box fields; Table 54 AuthConfig tab fields; Table 55 Security, Insert AuthConfig dialog box fields; Table 56 AuthStatus tab fields; Table 57 SSH tab fields; Table 58 SSH Sessions tab fields; Table 59 EAPOL tab fields for a port; Table 60 EAPOL Advance tab fields for a port; Table 61 EAPOL Stats tab fields; Table 62 EAPOL Diag tab fields; Table 63 SNMP tab fields; Table 64 Chassis dialog box Trap Receivers tab fields; Table 65 SNMP tab fields; Table 66 SNMPv3 user configuration method; Table 67 USM dialog box fields; Table 68 USM, Insert USM Table dialog box fields; Table 69 View-based access control mapping; Table 70 Group Membership tab fields; Table 71 VACM dialog box Group Access Right tab fields; Table 72 VACM dialog box MIB View tab fields; Table 73 Community Table dialog box fields; Table 74 Management target tables; Table 75 Target Address Table fields; Table 76 Target Params Table tab fields; Table 77 Notify Table dialog box fields; Table 78 Console page fields; Table 79 Password Types; Table 80 RADIUS page fields; Table 81 User levels and access levels; Table 82 Security Configuration page items; Table 83 Port Lists page items; Table 84 Security Table page items; Table 85 Port Configuration page items; Table 86 DA MAC Filtering page items; Table 87 SNMPv1 page items; Table 88 System Information section fields; Table 89 SNMPv3 Counters section fields; Table 90 User Specification Table section items; Table 91 User Specification Creation section items; Table 92 Group Membership page items; Table 93 Group Access Rights page items; Table 94 Management Information View page fields; Table 95 Notification page items; Table 96 Target Address page items; Table 97 Target Parameter page items; Table 98 SNMP Trap Receiver page fields; Table 99 SNMP MIB support; Table 100 Supported SNMP traps.

Preface

This guide provides information about configuring and managing security features on the Nortel Ethernet Routing Switch 2500 Series. This guide describes the features of the following Nortel switches:
- Nortel Ethernet Routing Switch 2526T
- Nortel Ethernet Routing Switch 2526T-PWR
- Nortel Ethernet Routing Switch 2550T
- Nortel Ethernet Routing Switch 2550T-PWR

The term "Ethernet Routing Switch 2500 Series" is used in this document to describe the features common to the switches mentioned above. A switch is referred to by its specific name when a feature is described that is exclusive to that switch.

Before you begin

This guide is intended for network administrators who have the following background:
- basic knowledge of networks, Ethernet bridging, and IP routing
- familiarity with networking concepts and terminology
- basic knowledge of network topologies

Text conventions

This guide uses the following text conventions:

angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping followed by an actual IP address.

bold body text: Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.

braces ({ }): Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts | routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ]): Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

italic text: Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>, valid_route is one variable, and you substitute one value for it.

plain Courier text: Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters

separator ( > ): Shows menu paths. Example: Protocols > IP identifies the IP command on the Protocols menu.

vertical line ( | ): Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts | routes}, you enter either show ip alerts or show ip routes, but not both.

Related publications

For more information about using the Ethernet Routing Switch 2500 Series, see the following publications:
- Release Notes, Software Release 4.0 (NN ): Documents important changes about the software and hardware that are not covered in other related publications.
- Overview: System Configuration (NN ): Describes the various management interfaces and how to use them to configure basic switching features for the Nortel Ethernet Routing Switch 2500 Series.
- Configuration: VLANs, Spanning Tree, and MultiLink Trunking (NN ): Describes how to configure Virtual Local Area Networks (VLAN), Spanning Tree Protocol (STP), and MultiLink Trunk (MLT) features for the Nortel Ethernet Routing Switch 2500 Series.
- Configuration: Quality of Service (NN ): Describes how to configure and manage Quality of Service features for the Nortel Ethernet Routing Switch 2500 Series.
- Performance Management: System Monitoring (NN ): Describes how to configure system logging and network monitoring, and how to display system statistics for the Nortel Ethernet Routing Switch 2500 Series.
- Configuration: IP Multicast (NN ): Describes how to configure IP Multicast Routing Protocol features for the Nortel Ethernet Routing Switch 2500 Series.

How to get help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
- download software, documentation, and product bulletins
- search the Technical Support web site and the Nortel Knowledge Base for answers to technical issues
- sign up for automatic notification of new software and documentation for Nortel equipment
- open and manage technical support cases

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call NORTEL. Outside North America, go to the Nortel web site to obtain the phone number for your region.

Getting help from a specialist by using an Express Routing Code

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, see the Nortel web site.

Chapter 1 Using security in your network

This chapter describes the security features available with the Ethernet Routing Switch 2500 Series. This chapter discusses the following topics:
- "Setting management passwords"
- "Configuring security options"
- "EAPOL Security Configuration"
- "HTTP port number change"
- "Simple Network Management Protocol"

Setting management passwords

To provide security on your switch, you can configure a local or RADIUS password for management access, or set SNMP community strings.

Console, Telnet, and Web password configuration

Console, Telnet, and Web access allow a user at a remote console terminal to communicate with the Ethernet Routing Switch 2500 Series as if the console terminal were directly connected to the switch. You can establish up to four active Telnet or Web sessions at one time, in addition to one active console connection, for a total of five possible concurrent users. Note that Telnet and Web (HTTP) sessions carry the login credentials in cleartext on the network; where the management network is not trusted, prefer SSH for CLI access (see "Configuring Secure Shell (SSH)").

Username and password

You can set a local username and password to restrict access to the switch. The username and password can provide read/write access or read-only access to the switch.

Note: If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords. For information about modifying existing usernames, see "Setting the username and password".

Figure 1 Login screen

Logging on

If you set a password, the next time you access the switch, you are prompted for a username and password as shown in the login screen (default usernames are RW and RO). Enter a valid username and password and press Enter. You are then directed to the CLI. For information about modifying the existing usernames, see "Setting the username and password".

Configuring security options

Ethernet Routing Switch 2500 Series security features provide three levels of security for your LAN:
- RADIUS-based security limits administrative access to the switch through user authentication.
- MAC address-based security limits access to the switch based on allowed source MAC addresses.
- EAPoL-based security authenticates the station attached to a switch port, using EAP as specified in IEEE 802.1X together with an authentication server such as RADIUS, before it is allowed onto the network.

Figure 2 "Ethernet Routing Switch 2500 Series security feature" shows a typical campus configuration that uses the Ethernet Routing Switch 2500 security features. This example assumes that the switch, the teachers' offices and classrooms, and the library are physically secured. The student dormitory may or may not be physically secure.

Figure 2 Ethernet Routing Switch 2500 Series security feature

In this configuration example, the following security measures are implemented:

The switch
- RADIUS-based security is used to limit administrative access to the switch through user authentication (see "RADIUS-based network security").
- MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security").
- The switch is located in a locked closet, accessible only by authorized Technical Services personnel.

Student dormitory
Dormitory rooms are typically occupied by two students and are prewired with two RJ-45 jacks. Only students who are authorized (as specified by the MAC address-based security feature) can access the switch on the secured ports.

Teachers' offices and classrooms
The PCs that are located in the teachers' offices and in the classrooms are assigned MAC address-based security that is specific to each classroom and office location. The security feature logically locks each wall jack to the specified station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC to the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port. It is assumed that all PCs are password protected and that the classrooms and offices are physically secured.

Library
The wall jacks in the library are set up so that the PCs can be connected to any wall jack in the room. With this arrangement, you can move the PCs anywhere in the room. The exception is the printer, which is assigned as a single station with full bandwidth to that port. It is assumed that all PCs are password protected and that access to the library is physically secured.

RADIUS-based network security

The RADIUS-based security feature lets you set up network access control by using the Remote Authentication Dial-In User Service (RADIUS) security protocol. The RADIUS-based security feature uses the RADIUS protocol to authenticate local console, Telnet, SSH, and Web access login sessions.

You need to set up specific user accounts (user names and passwords, and Service-Type attributes) on your RADIUS server before you can initiate the authentication process. These accounts provide you with appropriate levels of access to the switch. Set the following username attributes on your RADIUS server:
- Read-write access: set the Service-Type field value to Administrative.
- Read-only access: set the Service-Type field value to NAS-Prompt.

For detailed instructions to set up your RADIUS server, see your RADIUS server documentation.

RADIUS password fallback enhancement

With Release 4.0 software, you can configure RADIUS password fallback as an option when using RADIUS authentication for login and password. When RADIUS password fallback is enabled and the RADIUS server is unavailable or unreachable, you can use the local switch password to log on to the switch.

When RADIUS password fallback is disabled, you must specify the RADIUS username and password from the NetLogin screen. Unless the RADIUS server is configured and reachable, you cannot log on to the switch to authenticate the login and password.

The RADIUS password fallback feature is disabled by default. You can use the following CLI commands to enable and disable this feature:

radius-server password fallback
no radius-server

Note: The no radius-server CLI command disables the RADIUS fallback feature, along with the remaining RADIUS configuration.

MAC address-based security

The MAC address-based security feature lets you set up network access control, based on source MAC addresses of authorized stations. You can:
- Create a list of up to 448 MAC addresses and specify which addresses are authorized to connect to your switch.
- Specify which of your switch ports each MAC address is allowed to access. The options for allowed port access include: NONE, ALL, and single or multiple ports that are specified in a list.
- Specify optional actions to be exercised by your switch if the software detects a security violation. The response can be to send a trap, turn on destination address (DA) filtering, disable a specific port, or any combination of these three options.

The MAC address-based security feature is based on Nortel BaySecure LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.

EAPoL-based security

The Ethernet Routing Switch 2500 Series provides security on the basis of Extensible Authentication Protocol over LAN (EAPoL), and it uses EAP as given in IEEE 802.1X so that you can set up network access control over LANs. With EAP, you can authenticate user information through a connection between a client and the switch by using an authentication service such as RADIUS. This security feature works hand-in-hand with the RADIUS-based server and thus provides the advantages of remote authentication to internal LAN clients.
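As an added illustration (not code from the Nortel document), the following Python model applies the MAC address-based policy just described: a list capped at 448 stations, NONE/ALL/port-list access per station, and the trap, DA-filtering and port-disable responses to a violation. The class, the sample MAC addresses and the way each response changes switch state are assumptions of this example.

```python
# Added example, not part of the Nortel document: a model of the MAC
# address-based security policy. Class names and sample MACs are constructed.
from dataclasses import dataclass, field

MAX_ENTRIES = 448           # the list holds up to 448 authorized MAC addresses
ALL, NONE = "ALL", "NONE"   # allowed-port options besides an explicit port list


@dataclass
class MacSecurityTable:
    """Authorized stations plus the violation actions and the state they change."""
    # MAC (lower-case, colon separated) -> ALL, NONE or a frozenset of port numbers
    allowed: dict = field(default_factory=dict)
    # violation responses; any combination of the three may be enabled
    send_trap: bool = True
    da_filtering: bool = False
    disable_port: bool = False
    # state modified by the violation actions (assumed representation)
    filtered_macs: set = field(default_factory=set)     # DA filtering targets
    disabled_ports: set = field(default_factory=set)
    traps: list = field(default_factory=list)

    def add_station(self, mac, ports):
        """Authorize mac on ALL ports, on NONE, or on the ports in the given list."""
        mac = mac.lower()
        if mac not in self.allowed and len(self.allowed) >= MAX_ENTRIES:
            raise ValueError("MAC security list is full (448 entries)")
        if ports not in (ALL, NONE):
            ports = frozenset(int(p) for p in ports)
        self.allowed[mac] = ports

    def is_authorized(self, mac, port):
        ports = self.allowed.get(mac.lower())
        if ports is None or ports == NONE:
            return False
        return ports == ALL or port in ports

    def ingress(self, src_mac, port):
        """Frame from src_mac arriving on port: "forward" or "drop".
        An unauthorized frame triggers the configured violation actions."""
        src_mac = src_mac.lower()
        if port in self.disabled_ports:
            return "drop"
        if self.is_authorized(src_mac, port):
            return "forward"
        if self.send_trap:
            self.traps.append(f"MAC security violation: {src_mac} on port {port}")
        if self.da_filtering:        # frames addressed to the intruder get filtered
            self.filtered_macs.add(src_mac)
        if self.disable_port:
            self.disabled_ports.add(port)
        return "drop"

    def egress(self, dst_mac):
        """Frame to be sent to dst_mac: dropped once DA filtering is on for it."""
        return "drop" if dst_mac.lower() in self.filtered_macs else "forward"
```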

An example follows to show how an Ethernet Routing Switch 2500 Series reacts when it is configured with the EAPoL security feature and a new network connection is made. When the switch finds a new connection on one of its ports, the following occurs:

1. The switch asks for a User ID of the new client.
2. The User ID is covered by EAPoL, and it passes on to the RADIUS server.
3. The response from the RADIUS server is to ask for a password of the user. Within the EAPoL packet, the new client forwards a password to the switch. The EAPoL packet is relayed to the RADIUS server. If the RADIUS server validates the password, the new client is allowed to access the switch and the network.

The EAPoL-based security is composed of the following terms:
- Supplicant: the device applying for network access.
- Authenticator: software with the main purpose of authorizing the supplicant who is attached at the other end of the LAN segment.
- Authentication server: a RADIUS server that provides authorization services to an authenticator.
- Port Access Entity (PAE): an entity that supports each port to the Authenticator or Supplicants. In the example above, the authenticator PAE is present in the switch.
- Controlled Port: a switch port with EAPoL-based security.

The authenticator communicates with the Supplicant through EAP over LAN (EAPoL), which is an encapsulation mechanism. The authenticator PAE encapsulates the EAP through the RADIUS server packet and sends it to the authentication server. The authenticator server sends the packet in an exchange that occurs between the supplicant and authentication server. This exchange occurs when the EAP message is encapsulated to make it suitable for the destination of the packet.

The authenticator determines the operational state of the controlled port. The RADIUS server notifies the authenticator PAE of the success or failure of the authentication to change the operational state of the controlled port. PAE functions are then available for each port to forward, or else the controlled port state depends upon the operational traffic control field in the EAPoL configuration screen.

Operational traffic can be of two types:
- Incoming and Outgoing: in regards to an unauthorized controlled port, the frames received and transmitted are discarded, and the state of the port is blocked.
- Incoming: although the frames received for an unauthorized port are discarded, the transmit frames are forwarded through the port.

EAPoL with Guest VLAN

Basic EAP (802.1x) Authentication supports Port Based User Access. At any time, only one user (MAC) can be authenticated on a port, and the port can be assigned to only one Port-based VLAN. Only the MAC address of the device/user that completed the EAP negotiations on the port has access to that port for traffic. Any tagging of ingress packets is to the PVID of that port. This remains the default configuration.

With Software Release 4.0, EAP also allows Guest VLANs to be configured for access to that port. Any active VLAN can be made a Guest VLAN.

EAPOL Security Configuration

EAPOL security lets you selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server.

Note 1: Before you enable EAPOL, you must configure your Primary RADIUS Server and RADIUS Shared Secret. You also need to set up specific user accounts on your RADIUS server:
- User names
- Passwords
- VLAN IDs
- Port priority

You can set up these parameters directly on your RADIUS server. For detailed instructions about configuring your RADIUS server, see your RADIUS server documentation.

Note 2: Do not enable EAPOL security on the switch port that is connected to the RADIUS server.
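An added example, not part of the Nortel document, that simulates in Python the EAPoL exchange and the controlled-port behaviour described above (one authenticated MAC per port, the two operational traffic control types, and the Guest VLAN fallback). The in-memory user table standing in for the RADIUS server, the class names and the sample MAC addresses are constructed for illustration.

```python
# Added example, not part of the Nortel document: EAPoL controlled-port model.
# The "server" is a constructed dictionary, not a real RADIUS exchange.
UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
BOTH, INCOMING = "incoming-and-outgoing", "incoming"   # operational traffic control


class Supplicant:
    """The device applying for network access."""
    def __init__(self, mac, user_id, password):
        self.mac, self.user_id, self.password = mac, user_id, password


class AuthenticationServer:
    """Stand-in for the RADIUS server: user -> (password, VLAN ID or None)."""
    def __init__(self, users):
        self.users = users

    def check(self, user_id, password):
        """Return (accepted, vlan_id); a failure keeps the port unauthorized."""
        entry = self.users.get(user_id)
        if entry is None or entry[0] != password:
            return False, None
        return True, entry[1]


class ControlledPort:
    """A switch port with EAPoL-based security (one authenticated MAC at a time)."""
    def __init__(self, pvid, traffic_control=BOTH, guest_vlan=None):
        self.state = UNAUTHORIZED
        self.pvid = pvid
        self.traffic_control = traffic_control
        self.guest_vlan = guest_vlan
        self.auth_mac = None
        self.assigned_vlan = None

    def ingress(self, src_mac):
        """Frame received on the port: only the authenticated MAC may pass."""
        if self.state == AUTHORIZED and src_mac == self.auth_mac:
            return "forward"
        return "discard"

    def egress(self):
        """Frame transmitted out of the port: blocked while unauthorized, unless
        traffic control is 'incoming', which only discards received frames."""
        if self.state == AUTHORIZED or self.traffic_control == INCOMING:
            return "forward"
        return "discard"

    def vlan(self):
        """VLAN the port's traffic is placed in: the VLAN assigned at
        authentication, otherwise the Guest VLAN (None if none is configured)."""
        return self.assigned_vlan if self.state == AUTHORIZED else self.guest_vlan


class Authenticator:
    """The authenticator PAE in the switch, relaying EAP to the server."""
    def __init__(self, server):
        self.server = server

    def new_connection(self, port, supplicant):
        """Run the exchange for a new connection on port; True if authorized."""
        user_id = supplicant.user_id          # 1: the switch asks for the User ID
        # 2/3: identity and password are relayed inside EAPoL to the server
        accepted, vlan = self.server.check(user_id, supplicant.password)
        if not accepted:
            port.state, port.auth_mac, port.assigned_vlan = UNAUTHORIZED, None, None
            return False
        port.state, port.auth_mac = AUTHORIZED, supplicant.mac
        # a VLAN ID from the server's account wins; otherwise the port PVID
        port.assigned_vlan = vlan if vlan is not None else port.pvid
        return True
```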

Password security

The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch passwords. With password security enabled, the following enhanced security features are applied:

Password length and valid characters
Valid passwords must be between 10 and 15 characters long. The password must contain a minimum of the following:
- two lower-case letters
- two capital letters
- two numbers
- two special symbols, such as: !@#$%^&*()
The password is case sensitive.

Password retry
If the user fails to provide the correct password after a number of consecutive attempts, the switch resets the logon process. The number of failed logon attempts is configurable and the default is three.

Password history
The switch keeps a history of the last three passwords. You cannot reuse a password stored in history. When you set the password for the fourth time, you can reuse the password that you used the first time.

Password display
The password is not displayed as clear text. Each character of the password is substituted with an asterisk (*).

Password verification
When you provide a new password, you must retype the password to confirm it. If the two passwords do not match, the password update process fails. In this case, you must try to update the password once again. There is no limit on the number of times you are allowed to update the password.

Password aging time
Passwords expire after a specified aging period. The aging period is configurable, with a range of 1 day to approximately 7.5 years (2730 days). The default is 180 days. When a password has aged out, the user is prompted to create a new password. Only users with a valid RW password can create a new RW or RO password.

Read-Only and Read-Write passwords must be different
The RO and RW passwords cannot be the same.

Applicable passwords

The password security feature applies these enhanced features to the following passwords:
- Switch RO password
- Switch RW password

The password security feature applies only the display and verification restrictions to the following passwords:
- RADIUS Shared Secret
- Read-Only community string
- Read-Write community string

Enabling and disabling password security

Password security can only be enabled or disabled from the CLI.

When password security is enabled, the following occurs:
- Current passwords remain unchanged if they meet the required specifications. If they do not meet the required specifications, the user is prompted to change them to valid passwords.
- An empty password history bank is established.
- Password verification is enabled.

When password security is disabled, the following occurs:
- Current passwords remain valid.
- The password history bank is removed.
- Password verification is disabled.

Note: By default, password security is disabled for the non-SSH software image and enabled for the SSH software image.

Default passwords

For the standard software image, the default password for RO is "user" and "secure" for RW. For the secure software image, the default password for RO is "userpasswd" and "securepasswd" for RW.
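An added Python checker, not part of the Nortel document, that applies the password security rules listed above (length, character classes, retyped verification, three-entry history, and RO and RW must differ) and reports which existing passwords must be changed when the feature is enabled. The function names, the treatment of the history bank as the three most recently set passwords, and the sample passwords are assumptions of this example.

```python
# Added example, not part of the Nortel document: password security rules.
from collections import deque

SPECIAL = set("!@#$%^&*()")   # the special symbols the document lists as examples
HISTORY_DEPTH = 3             # the switch keeps the last three passwords


def check_complexity(password):
    """Return the list of rules the password breaks (empty means it is valid)."""
    problems = []
    if not 10 <= len(password) <= 15:
        problems.append("length must be 10 to 15 characters")
    counts = {
        "lower-case letters": sum(c.islower() for c in password),
        "capital letters": sum(c.isupper() for c in password),
        "numbers": sum(c.isdigit() for c in password),
        "special symbols": sum(c in SPECIAL for c in password),
    }
    for name, n in counts.items():
        if n < 2:
            problems.append(f"needs at least two {name}")
    return problems


class SwitchPasswords:
    """The RO and RW passwords as kept once password security is enabled."""

    def __init__(self, ro, rw):
        self.current = {"ro": ro, "rw": rw}
        # enabling password security establishes an empty history bank
        self.history = {"ro": deque(maxlen=HISTORY_DEPTH),
                        "rw": deque(maxlen=HISTORY_DEPTH)}

    def needs_change(self):
        """Levels whose existing password does not meet the specification;
        the switch prompts the user to change these when security is enabled."""
        return [lvl for lvl, pw in self.current.items() if check_complexity(pw)]

    def change(self, level, new, confirm):
        """Apply verification, complexity, history and RO/RW-differ rules.
        Returns (accepted, reason); a rejected update may simply be retried."""
        if new != confirm:                      # password verification
            return False, "passwords do not match"
        problems = check_complexity(new)
        if problems:
            return False, "; ".join(problems)
        # comparisons are exact string matches, so the check is case sensitive
        if new in self.history[level]:
            return False, "password was used recently"
        other = "rw" if level == "ro" else "ro"
        if new == self.current[other]:
            return False, "RO and RW passwords must be different"
        self.current[level] = new
        self.history[level].append(new)         # oldest entry falls out after three
        return True, "ok"
```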

HTTP port number change

With this feature, you can define the UDP or TCP port number used for HTTP connections to the switch. This feature provides enhanced security and network access. Port number 80 is the default port for communication between the Web client and the server. With this feature, you can modify the HTTP port while the switch is running. The HTTP port value is saved in NVRAM, and also is saved across reboots of the switch. For more information, see "Changing the http port number" (page 37).

Simple Network Management Protocol

The Ethernet Routing Switch 2500 Series supports Simple Network Management Protocol (SNMP). SNMP is traditionally used to monitor Unix systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases. Any device that runs software that can retrieve SNMP information can be monitored. You can also use SNMP to change the state of SNMP-based devices. For example, you can use SNMP to shut down an interface on your device.

SNMP Version 1 (SNMPv1)
SNMP Version 1 (SNMPv1) is a historic version of the SNMP protocol. It is defined in RFC 1157 and is an Internet Engineering Task Force (IETF) standard. SNMPv1 security is based on communities, which are nothing more than passwords: plain-text strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.

SNMP Version 2 (SNMPv2)
SNMP Version 2 (SNMPv2) is another historic version of SNMP and is often referred to as community string-based SNMPv2. This version of SNMP is technically called SNMPv2c. It is defined in RFC 1905, RFC 1906, and RFC 1907.

SNMP Version 3 (SNMPv3)
SNMP Version 3 (SNMPv3) is the current formal SNMP standard defined in RFCs 3410 through 3419, and in RFC 3584. It provides support for strong authentication and private communication between managed entities.

Ethernet Routing Switch 2500 Series support for SNMP

The SNMP agent in the Ethernet Routing Switch 2500 Series supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.

SNMPv3 support in the Ethernet Routing Switch 2500 Series introduces industrial-grade user authentication and message security. This includes MD5- and SHA-based user authentication and message integrity verification, as well as AES- and DES-based privacy encryption.

With the Ethernet Routing Switch 2500 Series you can configure SNMPv3 by using the Device Manager, Web-based management, or the CLI.

SNMP MIB support

The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry-standard Management Information Bases (MIB), as well as private MIB extensions, which ensures compatibility with existing network management tools. The IETF standard MIBs supported on the switch include MIB-II (originally published as RFC 1213, then split into separate MIBs as described in RFCs 4293, 4022, and 4113), Bridge MIB (RFC 4188), and the RMON MIB (RFC 2819), which provides access to detailed management statistics.

SNMP trap support

With SNMP management, you can configure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in port operating status. The Ethernet Routing Switch 2500 Series supports both industry-standard SNMP traps, as well as private Nortel enterprise traps.


Chapter 2 Configuring Security Using the CLI

This chapter describes the security commands available with the CLI. This chapter covers the following topics:
- "Securing your system" (page 29)
- "Securing your network" (page 71)

Securing your system

You can secure your system using the following CLI commands:
- "Setting the username and password" (page 29)
- "Configuring the IP manager list" (page 33)
- "Changing the http port number" (page 37)
- "Setting Telnet access" (page 38)
- "Configuring Secure Shell (SSH)" (page 42)
- "Setting server for Web-based management" (page 48)
- "Configuring the RADIUS-based management password authentication" (page 49)
- "Setting SNMP parameters" (page 51)

Setting the username and password

This section contains information about the following topics:
- "username command" (page 29)
- "cli password command" (page 30)

username command

The username command sets the system username and password for access through the serial console port, Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch.

The syntax for the username command is:

username <username> <password> [ro|rw]

The username command is in the config command mode. The following table describes the parameters and variables for the username command.

Table 1 username command parameters and variables

Parameters and variables   Description
<username> <password>      Enter your username for the first variable, and your password for the second variable. The default username values are RO for read-only access and RW for read/write access.
ro|rw                      Specifies that you are modifying the read-only (ro) username or the read-write (rw) username. The ro/rw variable is optional. If it is omitted, the command applies to the read-only mode.

Note: After you configure the username and password with the username command, if you then update the password using the cli password command (or through Web-based management), the new password is set, but the username is unchanged.

cli password command

You can set passwords using the cli password command for selected types of access using the CLI, Telnet, or RADIUS security. The cli password command has two forms and performs the following functions for the switch:
- changes the password for access through the serial console port or Telnet and Web-based management
- specifies changing the password for the serial console port, or Telnet and Web-based management access, and whether to authenticate the password locally or with the RADIUS server

The syntax for the cli password commands is:

cli password {read-only|read-write} <NAME> <PASSWORD>
cli password {serial|telnet} {none|local|radius}

The cli password command is in the config command mode. The following table describes the parameters and variables for the cli password command.

Table 2 cli password command parameters and variables

Parameters and variables   Description
read-only|read-write       Specifies that you are modifying the read-only (ro) password or the read-write (rw) password.
<NAME> <PASSWORD>          Enter your username for the first variable, and your password for the second variable.
serial|telnet              Specifies that you are modifying the password for serial console access or for Telnet and Web-based management access.
none|local|radius          Specifies the password that you are modifying:
                           none: disables the password
                           local: use the locally defined password for serial console or Telnet access
                           radius: use RADIUS authentication for serial console or Telnet access

Setting password security

The following commands can be used in the global command mode to enable, disable and configure Password Security:
- "password security command" (page 32)
- "no password security command" (page 32)
- "show password security command" (page 32)
- "password aging-time day command" (page 32)
- "show password aging-time day command" (page 33)
- "Configuring the number of password logon attempts" (page 33)

password security command

The password security command enables password security on the switch. The syntax for the command is:

password security

The password security command has no parameters or variables.

no password security command

The no password security command disables password security on the switch. The syntax for the command is:

no password security

The no password security command has no parameters or variables.

show password security command

The show password security command displays the current status of password security on the switch. The syntax for the command is:

show password security

The following shows a sample output for this command:

2550T (config)#show password security
Password security is enabled

The show password security command has no parameters or variables.

password aging-time day command

The password aging-time day command sets the password aging time. Password security must be enabled for the command to be available. The syntax of the command is:

password aging-time <aging-value>

where <aging-value> is the aging time in days. A value of 0 causes the password to age out immediately. If a new aging time is set from the CLI, the password aging counters are not reset.

show password aging-time day command

The show password aging-time day command shows the configured password aging time. The syntax of the command is:

show password aging-time

The following shows a sample output for this command:

2550T (config)#show password aging-time
Aging time: 100 days

Configuring the number of password logon attempts

The telnet-access retry command configures the number of times a user can attempt a password. The syntax of the command is:

telnet-access retry <number>

where <number> is an integer, in the 1-100 range shown for the retry parameter of the telnet-access command, that specifies the allowed number of failed logon attempts. The default is 3.

Configuring the IP manager list

When enabled, the IP manager list determines which source IP addresses are allowed access to the switch. No other source IP addresses have access to the switch. You configure the IP manager list by using the following commands:
- "show ipmgr command" (page 33)
- "ipmgr command for management system" (page 34)
- "no ipmgr command for management system" (page 35)
- "ipmgr command for source IP address" (page 35)
- "no ipmgr command for source IP address" (page 36)

show ipmgr command

The show ipmgr command displays whether Telnet, SNMP, and Web access are enabled; whether the IP manager list is used to control access to Telnet, SNMP, and the Web-based management system; and the current IP manager list configuration. The syntax for the show ipmgr command is:

show ipmgr

The show ipmgr command is in the privexec command mode. The show ipmgr command has no parameters or variables. The following figure displays sample output from the show ipmgr command.

Figure 3 show ipmgr command output

ipmgr command for management system

The ipmgr command for the management systems enables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the ipmgr command for the management systems is:

ipmgr {telnet|snmp|web} [source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]

The ipmgr command for the management systems is in the config mode. The following table describes the parameters and variables for the ipmgr command.

Table 3 ipmgr command for system management parameters and variables

Parameters and variables   Description
telnet|snmp|web            Enables IP manager list checking for access to various management systems:
                           telnet: provides list access using Telnet access
                           snmp: provides list access using SNMP, including the Device Manager
                           web: provides list access using the Web-based management system

source-ip <1-10> <XXX.XXX.XXX.XXX>   Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.
[mask <XXX.XXX.XXX.XXX>]             Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.

no ipmgr command for management system

The no ipmgr command disables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the no ipmgr command for the management systems is:

no ipmgr {telnet|snmp|web}

The no ipmgr command is in the config mode. The following table describes the parameters and variables for the no ipmgr command.

Table 4 no ipmgr command for management system

Parameters and variables   Description
telnet|snmp|web            Disables IP manager list checking for access to various management systems:
                           telnet: disables list check for Telnet access
                           snmp: disables list check for SNMP, including the Device Manager
                           web: disables list check for the Web-based management system

ipmgr command for source IP address

You can use the ipmgr command for source IP addresses to enter the source IP addresses or address ranges for which you want to provide access to the switch. The syntax for the ipmgr command for source IP addresses is:

ipmgr {source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]}

The ipmgr command for the source IP addresses is in the config mode. The following table describes the parameters and variables for the ipmgr command for the source IP addresses.

Table 5 ipmgr command for source IP addresses parameters and variables

Parameters and variables             Description
source-ip <1-10> <XXX.XXX.XXX.XXX>   Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.
[mask <XXX.XXX.XXX.XXX>]             Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.

no ipmgr command for source IP address

The no ipmgr command for source IP addresses disables access for specified source IP addresses or address ranges, and denies them access to the switch. The syntax for the no ipmgr command for source IP addresses is:

no ipmgr {source-ip [<1-10>]}

The no ipmgr command for the source IP addresses is in the config mode. The following table describes the parameters and variables for the no ipmgr command for the source IP addresses.

Table 6 no ipmgr command for source IP addresses parameters and variables

Parameters and variables   Description
source-ip [<1-10>]         When you specify an option, this command clears the IP address and mask for the specified entry. When you omit the optional parameter, the list is reset to the factory defaults.

Changing the http port number

This feature provides enhanced security and network access. The default HTTP port typically used to communicate between the Web client and the server is the well-known port 80. With this feature, you can change the HTTP port. You can configure this feature by using the following commands:
- "show http-port command" (page 37)
- "http-port command" (page 37)
- "default http-port" (page 38)

show http-port command

The show http-port command displays the port number of the HTTP port. The syntax for the show http-port command is:

show http-port

The show http-port command is in the privexec command mode. The show http-port command has no parameters or variables. The following figure displays sample output from the show http-port command.

Figure 4 show http-port command output

http-port command

The http-port command sets the port number for the HTTP port. The syntax for the http-port command is:

http-port < >

The http-port command is in the config command mode.

The following table describes the parameters and variables for the http-port command.

Table 7 http-port command parameters and variables

Parameters and variables   Description
< >                        Enter the port number you want to be the HTTP port.
                           Note: To set the HTTP port to 80, use the default http-port command. The default value for this parameter is port 80.

default http-port

The default http-port command sets the port number for the HTTP port to the default value of 80. The syntax for the default http-port command is:

default http-port

The default http-port command is in the config command mode. The default http-port command has no parameters or variables.

Setting Telnet access

You can also access the CLI through a Telnet session. To access the CLI remotely, the management port must have an assigned IP address and remote access must be enabled. You can log on to the switch using Telnet from a terminal that has access to the Ethernet Routing Switch 2500 Series.

To open a Telnet session from Device Manager, click on the Telnet icon on the tool bar (Figure 5 "Telnet icon on Device Manager toolbar" (page 38)) or click Action > Telnet on the Device Manager tool bar.

Figure 5 Telnet icon on Device Manager toolbar

Note: Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of five users on the switch. All users can configure simultaneously.

You can view the Telnet allowed IP addresses and settings, change the settings, or disable the Telnet connection. This section covers the following topics:
- "show telnet-access command" (page 39)
- "telnet-access command" (page 39)
- "no telnet-access command" (page 41)
- "default telnet-access command" (page 42)

show telnet-access command

The show telnet-access command displays the current settings for Telnet access. The syntax for the show telnet-access command is:

show telnet-access

The show telnet-access command is in the privexec command mode. The show telnet-access command has no parameters or variables. The following figure displays sample output from the show telnet-access command.

Figure 6 show telnet-access command output

telnet-access command

With the telnet-access command, you can configure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is:

telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access|failures|all}] [source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]

The telnet-access command is in the config command mode. The following table describes the parameters and variables for the telnet-access command.

Table 8 telnet-access command parameters and variables

Parameters and variables             Description
enable|disable                       Enables or disables Telnet connections.
login-timeout <1-10>                 Specifies the time in minutes that you want to wait between an initial Telnet connection and acceptance of a password before closing the Telnet connection; enter an integer between 1 and 10.
retry <1-100>                        Specifies the number of times that the user can enter an incorrect password before closing the connection; enter an integer between 1 and 100.
inactive-timeout <0-60>              Specifies in minutes how long to wait before closing an inactive session; enter an integer between 0 and 60.
logging {none|access|failures|all}   Specifies what types of events you want to save in the event log:
                                     all: save all access events in the log:
                                       Telnet connect: indicates the IP address and access mode of a Telnet session
                                       Telnet disconnect: indicates the IP address of the remote host and the access mode, due to either a log off or inactivity
                                       Failed Telnet connection attempts: indicates the IP address of the remote host that is not on the list of allowed addresses, or indicates the IP address of the remote host that did not supply the correct password
                                     none: no Telnet events are saved in the event log
                                     access: connect and disconnect events are saved in the event log
                                     failures: only failed Telnet connection attempts are saved in the event log

[source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]   Specifies up to 10 source IP addresses from which connections are allowed. Enter the IP address either as an integer or in dotted-decimal notation. The mask specifies the subnet from which connections are allowed; enter the IP mask in dotted-decimal notation.
Note: These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 33).

no telnet-access command

With the no telnet-access command, you can disable the Telnet connection. The syntax for the no telnet-access command is:

no telnet-access [source-ip [<1-10>]]

The no telnet-access command is in the config mode. The following table describes the parameters and variables for the no telnet-access command.

Table 9 no telnet-access command parameters and variables

Parameters and variables   Description
source-ip [<1-10>]         Disables the Telnet access. When you do not use the optional parameter, the source-ip list is cleared, meaning that the 1st index is set to 0.0.0.0/0.0.0.0 and the 2nd to 10th indexes are cleared. When you do specify a source-ip value, the specified pair is cleared.
                           Note: These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 33).
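An added Python model, not part of the Nortel document, of the ten-entry IP manager list that ipmgr and telnet-access share, together with the retry and logging behaviour from Table 8; it also shows why a cleared list (index 1 at 0.0.0.0/0.0.0.0) matches every source. The entry layout, the treatment of a cleared entry as matching nothing, the default mask when none is given, the log line format and the sample addresses are assumptions of this example.

```python
# Added example, not part of the Nortel document: IP manager list and Telnet
# access checks. Entry layout, log format and addresses are constructed.
import ipaddress

LIST_SIZE = 10   # source-ip <1-10>: ten address/mask entries


def _to_int(address):
    """Addresses may be given as an integer or in dotted-decimal notation."""
    return int(ipaddress.IPv4Address(address))


class IpManagerList:
    """Ten (address, mask) entries shared by the Telnet, SNMP and Web checks."""

    def __init__(self):
        self.enabled = {"telnet": False, "snmp": False, "web": False}
        self.clear_list()

    def clear_list(self):
        """Cleared list: index 1 holds 0.0.0.0/0.0.0.0, which matches every
        source; indexes 2 to 10 are modelled as holding nothing (assumption)."""
        self.entries = [("0.0.0.0", "0.0.0.0")] + [None] * (LIST_SIZE - 1)

    def set_entry(self, index, address, mask="255.255.255.255"):
        """ipmgr source-ip <index> <address> [mask <mask>]; the host mask used
        when mask is omitted is an assumption of this example."""
        if not 1 <= index <= LIST_SIZE:
            raise ValueError("index must be between 1 and 10")
        self.entries[index - 1] = (address, mask)

    def clear_entry(self, index):
        """no ipmgr source-ip <index>: that entry no longer matches anything."""
        self.entries[index - 1] = None

    def allows(self, service, source_ip):
        """True if source_ip may reach the service (checking off, or a match)."""
        if not self.enabled[service]:
            return True
        src = _to_int(source_ip)
        for entry in self.entries:
            if entry is None:
                continue
            addr, mask = _to_int(entry[0]), _to_int(entry[1])
            if src & mask == addr & mask:
                return True
        return False


class TelnetAccess:
    """telnet-access retry and logging settings applied to one session."""

    # which event kinds each logging setting keeps in the event log
    KEEP = {"none": (), "access": ("connect", "disconnect"),
            "failures": ("failure",),
            "all": ("connect", "disconnect", "failure")}

    def __init__(self, ipmgr, retry=3, logging="all"):
        self.ipmgr = ipmgr
        self.retry = retry          # incorrect passwords before the connection closes
        self.logging = logging
        self.log = []

    def _record(self, kind, message):
        if kind in self.KEEP[self.logging]:
            self.log.append(f"{kind}: {message}")

    def session(self, source_ip, password, attempts):
        """Simulate one Telnet session; attempts is the list of passwords the
        remote user types. Returns True if a CLI session was opened."""
        if not self.ipmgr.allows("telnet", source_ip):
            self._record("failure", f"{source_ip} is not on the allowed list")
            return False
        for typed in attempts[: self.retry]:   # only retry tries are offered
            if typed == password:
                self._record("connect", f"{source_ip} logged on")
                self._record("disconnect", f"{source_ip} logged off")
                return True
        self._record("failure", f"{source_ip} did not supply the correct password")
        return False
```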

default telnet-access command

The default telnet-access command sets the Telnet settings to the default values. The syntax for the default telnet-access command is:

default telnet-access

The default telnet-access command is in the config command mode. The default telnet-access command has no parameters or values.

Configuring Secure Shell (SSH)

This section provides the CLI commands for configuring and managing SSH on the Ethernet Routing Switch 2500 Series. The SSH protocol provides secure access to the CLI. By using the CLI, you can execute the following commands:
- "show ssh global command" (page 42)
- "show ssh session command" (page 43)
- "show ssh download-auth-key command" (page 43)
- "ssh dsa-host-key command" (page 44)
- "no ssh dsa-host-key command" (page 44)
- "ssh command" (page 44)
- "no ssh command" (page 45)
- "ssh secure command" (page 45)
- "ssh timeout command" (page 45)
- "ssh dsa-auth command" (page 46)
- "no ssh dsa-auth command" (page 46)
- "ssh pass-auth command" (page 46)
- "no ssh pass-auth command" (page 46)
- "ssh port command" (page 46)
- "ssh download-auth-key command" (page 47)
- "no ssh dsa-auth-key command" (page 47)
- "default ssh command" (page 47)

show ssh global command

The show ssh global command displays the secure shell configuration information. The syntax for the show ssh global command is:

show ssh global

The show ssh global command is in the privexec command mode.

The show ssh global command has no parameters or variables. The following figure displays sample output from the show ssh global command.

Figure 7 show ssh global command output

show ssh session command

The show ssh session command displays the SSH session information. The session information includes the session ID and the host IP address. A host address of 0.0.0.0 indicates no connection for that session ID. The syntax for the show ssh session command is:

show ssh session

The show ssh session command is in the privexec command mode. The show ssh session command has no parameters or variables. The following figure displays sample output from the show ssh session command.

Figure 8 show ssh session command output

show ssh download-auth-key command

The show ssh download-auth-key command displays the results of the most recent attempt to download the DSA public key from the TFTP server. The syntax for the show ssh download-auth-key command is:

show ssh download-auth-key

The show ssh download-auth-key command is in the privexec command mode.

The show ssh download-auth-key command has no parameters or variables.

The following figure displays sample output from the show ssh download-auth-key command.

Figure 9  show ssh download-auth-key command output

ssh dsa-host-key command

The switch starts generating the DSA host keys immediately after the ssh dsa-host-key command is given. A reboot is not necessary.

Note: You cannot enable SSH while the host key is being generated. This command can only be executed in SSH disable mode.

The syntax of the ssh dsa-host-key command is:

    ssh dsa-host-key

The ssh dsa-host-key command is in the config command mode.

There are no parameters or variables for the ssh dsa-host-key command.

no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA host key in the switch.

The syntax of the no ssh dsa-host-key command is:

    no ssh dsa-host-key

The no ssh dsa-host-key command is in the config command mode.

There are no parameters or variables for the no ssh dsa-host-key command.

ssh command

The ssh command enables the SSH server on the Ethernet Routing Switch 2500 Series in nonsecure mode. In addition to accepting SSH connections, the Ethernet Routing Switch 2500 Series continues to accept Web, SNMP, and Telnet connections while in this mode.

The syntax of the ssh command is:

    ssh

The ssh command is in the config command mode.

There are no parameters or variables for the ssh command.

no ssh command

The no ssh command disables the SSH server on the Ethernet Routing Switch 2500 Series.

The syntax of the no ssh command is:

    no ssh

The no ssh command is in the config command mode.

There are no parameters or variables for the no ssh command.

ssh secure command

The ssh secure command enables the SSH server on the Ethernet Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet Routing Switch 2500 Series does not accept Web, SNMP, or Telnet connections.

The syntax of the ssh secure command is:

    ssh secure

The ssh secure command is in the config command mode.

There are no parameters or variables for the ssh secure command.

ssh timeout command

The ssh timeout command sets the timeout value for session authentication.

The syntax of the ssh timeout command is:

    ssh timeout <1-120>

The ssh timeout command is in the config command mode.

The following table describes the parameters and variables for the ssh timeout command.

Table 10  ssh timeout command parameters and variables

    Parameters and variables
        Description

    <1-120>
        Specifies the timeout value for authentication. The default is 60.

ssh dsa-auth command

The ssh dsa-auth command enables DSA authentication.

The syntax of the ssh dsa-auth command is:

    ssh dsa-auth

The ssh dsa-auth command is in the config command mode.

There are no parameters or variables for the ssh dsa-auth command.

no ssh dsa-auth command

The no ssh dsa-auth command disables DSA authentication.

The syntax for the no ssh dsa-auth command is:

    no ssh dsa-auth

The no ssh dsa-auth command is in the config command mode.

There are no parameters or variables for the no ssh dsa-auth command.

ssh pass-auth command

The ssh pass-auth command enables password authentication.

The syntax of the ssh pass-auth command is:

    ssh pass-auth

The ssh pass-auth command is in the config command mode.

There are no parameters or variables for the ssh pass-auth command.

no ssh pass-auth command

The no ssh pass-auth command disables password authentication.

The syntax of the no ssh pass-auth command is:

    no ssh pass-auth

The no ssh pass-auth command is in the config command mode.

There are no parameters or variables for the no ssh pass-auth command.

ssh port command

The ssh port command sets the SSH connection port.

The syntax of the ssh port command is:

    ssh port < >

The ssh port command is in the config command mode.

The following table describes the parameters and variables for the ssh port command.

Table 11  ssh port command parameters and variables

    Parameters and variables
        Description

    < >
        Specifies the SSH connection port. The default is 22.

ssh download-auth-key command

The ssh download-auth-key command downloads the client public key from the TFTP server to the Ethernet Routing Switch 2500 Series.

The syntax for the ssh download-auth-key command is:

    ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name <file>]

The ssh download-auth-key command is in the config command mode.

The following table describes the parameters and variables for the ssh download-auth-key command.

Table 12  ssh download-auth-key command parameters and variables

    Parameters and variables
        Description

    address <XXX.XXX.XXX.XXX>
        The IP address of the TFTP server.

    key-name <file>
        The name of the public key file on the TFTP server.

no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the SSH DSA authentication key.

The syntax for the command is:

    no ssh dsa-auth-key

The no ssh dsa-auth-key command is in the config command mode.

There are no parameters or variables for the no ssh dsa-auth-key command.

default ssh command

The default ssh command resets the specified secure shell configuration parameter to the default value.

The syntax of the default ssh command is:

    default ssh [dsa-auth|pass-auth|port|timeout]

The default ssh command is in the config command mode.

The following table describes the parameters and variables for the default ssh command.

Table 13  default ssh command parameters and variables

    Parameters and variables
        Description

    dsa-auth
        Resets dsa-auth to the default value. Default is True.

    pass-auth
        Resets pass-auth to the default value. Default is True.

    port
        Resets the port number for SSH connections to the default. Default is 22.

    timeout
        Resets the timeout value for session authentication to the default. Default is 60.

Setting server for Web-based management

You can enable or disable the Web server to use for the Web-based management system. This section discusses the following commands:

    "web-server" (page 48)
    "no web-server" (page 49)

web-server

The web-server command enables or disables the Web server that you use for Web-based management.

The syntax for the web-server command is:

    web-server {enable|disable}

The web-server command is in the config mode.

The following table describes the parameters and variables for the web-server command.

Table 14  web-server command parameters and variables

    Parameters and variables
        Description

    enable|disable
        Enables or disables the Web server.

no web-server

The no web-server command disables the Web server that you use for Web-based management.

The syntax for the no web-server command is:

    no web-server

The no web-server command is in the config mode.

The no web-server command has no parameters or values.

Configuring the RADIUS-based management password authentication

By using the RADIUS protocol and server, you can configure the Ethernet Routing Switch 2500 Series for authentication. To configure this authentication by using the CLI system, you can use the following commands:

    "show radius-server command" (page 49)
    "radius-server command" (page 50)
    "no radius-server command" (page 50)
    "default radius-server command" (page 51)
    "radius-server password fallback command" (page 51)

show radius-server command

The show radius-server command displays the RADIUS server configuration.

The syntax for the show radius-server command is:

    show radius-server

The show radius-server command is in the privexec command mode.

The show radius-server command has no parameters or variables.

The following figure shows sample output from the show radius-server command.

Figure 10  show radius-server command output

radius-server command

The radius-server command changes the RADIUS server settings.

The syntax for the radius-server command is:

    radius-server host <address> [secondary-host <address>] port <num> key <string>

Note: When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and confirm the string.

The radius-server command is in the config command mode.

The following table describes the parameters and variables for the radius-server command.

Table 15  radius-server command parameters and variables

    Parameters and variables
        Description

    primary-host <address>
        Specifies the primary RADIUS server. Enter the IP address of the RADIUS server.

    secondary-host <address>
        Specifies the secondary RADIUS server. Enter the IP address of the secondary RADIUS server.

    port <num>
        Enter the port number of the RADIUS server.

    key <string>
        Specifies a secret text string that is shared between the switch and the RADIUS server for authentication. Enter the secret string, which is an alphanumeric string of up to 16 characters.

no radius-server command

The no radius-server command clears the RADIUS server settings.

The syntax for the no radius-server command is:

    no radius-server

The no radius-server command is in the config command mode.

The no radius-server command has no parameters or values.

default radius-server command

The default radius-server command sets the RADIUS server settings to the default values.

The syntax for the default radius-server command is:

    default radius-server

The default radius-server command is in the config command mode.

The default radius-server command has no parameters or values.

radius-server password fallback command

With the radius-server password fallback command, you can configure password fallback as an option when you use RADIUS authentication for login and password.

The syntax for the radius-server password fallback command is:

    radius-server password fallback

The radius-server password fallback command is in the config command mode.

Setting SNMP parameters

For information about setting SNMP parameters and traps, see the following sections:

    "Common SNMP and SNMPv3 CLI commands" (page 51)
    "CLI commands specific to SNMPv3" (page 61)

Common SNMP and SNMPv3 CLI commands

This section describes the common CLI commands that you can use to configure SNMP and SNMPv3. For details about the SNMP CLI commands that are specific to SNMPv3, see "CLI commands specific to SNMPv3" (page 61).

The switch provides the following CLI commands to configure SNMP and SNMPv3:

    "snmp-server command" (page 52)
    "no snmp-server command" (page 52)
    "snmp-server authentication-trap command" (page 53)
    "no snmp-server authentication-trap command" (page 53)
    "default snmp-server authentication-trap command" (page 53)
    "snmp-server community for read/write command" (page 54)

    "no snmp-server community command" (page 55)
    "default snmp-server community command" (page 55)
    "show snmp-server community command" (page 56)
    "snmp-server contact command" (page 56)
    "no snmp-server contact command" (page 57)
    "default snmp-server contact command" (page 57)
    "snmp-server location command" (page 57)
    "no snmp-server location command" (page 57)
    "default snmp-server location command" (page 58)
    "snmp-server name command" (page 58)
    "no snmp-server name command" (page 59)
    "default snmp-server name command" (page 59)
    "snmp trap link-status command" (page 59)
    "no snmp trap link-status command" (page 60)
    "default snmp trap link-status command" (page 60)

snmp-server command

The snmp-server command enables or disables the SNMP server.

The syntax for the snmp-server command is:

    snmp-server {enable|disable}

The snmp-server command is in the config command mode.

The following table describes the parameters and variables for the snmp-server command.

Table 16  snmp-server command parameters and variables

    Parameters and variables
        Description

    enable|disable
        Enables or disables the SNMP server.

no snmp-server command

The no snmp-server command disables SNMP access.

The syntax for the no snmp-server command is:

    no snmp-server

The no snmp-server command is in the config command mode.

The no snmp-server command has no parameters or variables.

Note: Disabling SNMP access also locks you out of the Device Manager management system.

snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generation of SNMP authentication failure traps.

The syntax for the snmp-server authentication-trap command is:

    snmp-server authentication-trap {enable|disable}

The snmp-server authentication-trap command is in the config command mode.

The following table describes the parameters and variables for the snmp-server authentication-trap command.

Table 17  snmp-server authentication-trap command parameters and variables

    Parameters and variables
        Description

    enable|disable
        Enables or disables the generation of authentication failure traps.

no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables the generation of SNMP authentication failure traps.

The syntax for the no snmp-server authentication-trap command is:

    no snmp-server authentication-trap

The no snmp-server authentication-trap command is in the config command mode.

The no snmp-server authentication-trap command has no parameters or variables.

default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores the SNMP authentication trap configuration to the default settings.

The syntax for the default snmp-server authentication-trap command is:

    default snmp-server authentication-trap

The default snmp-server authentication-trap command is in the config command mode.

The default snmp-server authentication-trap command has no parameters or variables.

snmp-server community for read/write command

The snmp-server community command for read/write modifies the community strings for SNMP v1 and SNMPv2c access.

The syntax for the snmp-server community for read/write command is:

    snmp-server community <community-string> [ro|rw]

The snmp-server community for read/write command is in the config command mode.

This command configures a single read-only or a single read/write community. A community configured using this command has no access to any of the SNMPv3 MIBs. This command affects community strings created prior to Release 3.0 software. These community strings have a fixed MIB view.

The following table describes the parameters and variables for the snmp-server community for read/write command.

Table 18  snmp-server community for read/write command parameters and variables

    Parameters and variables
        Description

    <community-string>
        Changes community strings for SNMP v1 and SNMPv2c access. Enter a community string that functions as a password and permits access to the SNMP protocol. If you set the value to NONE, it is disabled.
        Note: This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.

    ro|rw
        Specifies read-only or read/write access. Stations with ro access can retrieve only MIB objects, and stations with rw access can retrieve and modify MIB objects.

        Note: If neither ro nor rw is specified, ro is assumed (default).

no snmp-server community command

The no snmp-server community command clears the snmp-server community configuration.

The syntax for the no snmp-server community command is:

    no snmp-server community {ro|rw|<community-string>}

The no snmp-server community command is in the config command mode.

If you do not specify a read-only or read/write community parameter, all community strings are removed, including all communities controlled by the snmp-server community command and the snmp-server community command for read/write. If you specify read-only or read/write, then only the read-only or read/write community is removed. If you specify the name of a community string, then the community string with that name is removed.

The following table describes the parameters and variables for the no snmp-server community command.

Table 19  no snmp-server community command parameters and variables

    Parameters and variables
        Description

    ro|rw
        Sets the specified community string value to NONE, thereby disabling it.

    <community-string>
        Deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).

default snmp-server community command

The default snmp-server community command restores the community string configuration to the default settings.

The syntax for the default snmp-server community command is:

    default snmp-server community [ro|rw]

The default snmp-server community command is in the config command mode.

If the read-only or read/write parameter is omitted from the command, all communities are restored to their default settings. The read-only community is set to public, the read/write community is set to private, and all other communities are deleted.

The following table describes the parameters and variables for the default snmp-server community command.

Table 20  default snmp-server community command parameters and variables

    Parameters and variables
        Description

    ro|rw
        Restores the read-only community to public, or the read/write community to private.

show snmp-server community command

The show snmp-server community command displays the SNMP community string configuration. (The community strings are not displayed when Password Security is enabled.)

The syntax for the show snmp-server community command is:

    show snmp-server community

The show snmp-server community command is in the privexec command mode.

snmp-server contact command

The snmp-server contact command configures the SNMP syscontact value.

The syntax for the snmp-server contact command is:

    snmp-server contact <text>

The snmp-server contact command is in the config command mode.

The following table describes the parameters and variables for the snmp-server contact command.

Table 21  snmp-server contact command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP syscontact value; enter an alphanumeric string.
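The SSH, Web server and SNMP community sections above each describe a setting whose default (nonsecure SSH mode, password authentication on, Web server on, the public and private community strings) a practitioner would normally tighten. The following Python script is an added example, not part of the Nortel manual: it replays a list of config-mode commands in the syntax given in this chapter, tracks the resulting state using the defaults stated in Table 13 and Table 20, and reports each weak setting together with the command from this chapter that corrects it. The two sample configurations are constructed, the assumption that the Web server is on until disabled is the example's own, and the hardening baseline (secure mode, key-only SSH login, Web server off, non-default community strings) is the example's choice, not a statement from the manual.

```python
"""Audit ERS 2500-style config commands against this chapter's settings.

Added example (not the Nortel manual's code). Commands follow the syntax in
this chapter; sample configurations are constructed; the baseline is this
example's own hardening choice.
"""
from dataclasses import dataclass, field

# Defaults stated by the chapter: Table 13 (default ssh) and Table 20
# (default snmp-server community). SSH itself is off until "ssh"/"ssh secure".
SSH_DEFAULTS = {"mode": "off", "dsa_auth": True, "pass_auth": True,
                "port": 22, "timeout": 60}
DEFAULT_COMMUNITIES = {"ro": "public", "rw": "private"}


@dataclass
class State:
    ssh: dict = field(default_factory=lambda: dict(SSH_DEFAULTS))
    web_server: bool = True  # assumption: Web server on until "web-server disable"
    communities: dict = field(default_factory=lambda: dict(DEFAULT_COMMUNITIES))


def apply(state, line):
    """Apply one config-mode command; later commands override earlier ones."""
    t = line.split()
    if t == ["ssh"]:
        state.ssh["mode"] = "nonsecure"          # Web, SNMP, Telnet still accepted
    elif t == ["ssh", "secure"]:
        state.ssh["mode"] = "secure"             # only SSH accepted
    elif t == ["no", "ssh"]:
        state.ssh["mode"] = "off"
    elif t == ["ssh", "pass-auth"]:
        state.ssh["pass_auth"] = True
    elif t == ["no", "ssh", "pass-auth"]:
        state.ssh["pass_auth"] = False
    elif t == ["ssh", "dsa-auth"]:
        state.ssh["dsa_auth"] = True
    elif t == ["no", "ssh", "dsa-auth"]:
        state.ssh["dsa_auth"] = False
    elif t[:2] == ["ssh", "timeout"] and len(t) == 3:
        state.ssh["timeout"] = int(t[2])
    elif t[:2] == ["ssh", "port"] and len(t) == 3:
        state.ssh["port"] = int(t[2])
    elif t[:1] == ["web-server"] and len(t) == 2:
        state.web_server = (t[1] == "enable")
    elif t == ["no", "web-server"]:
        state.web_server = False
    elif t[:2] == ["snmp-server", "community"] and len(t) in (3, 4):
        access = t[3] if len(t) == 4 else "ro"   # Table 18: ro assumed if omitted
        state.communities[access] = t[2]         # NONE disables that community
    elif t[:3] == ["no", "snmp-server", "community"] and t[3:] in (["ro"], ["rw"]):
        state.communities[t[3]] = "NONE"         # Table 19
    # Any other command (e.g. ssh dsa-host-key, ssh download-auth-key) is
    # accepted silently; it does not change the audited state.


def audit(config_lines):
    """Return a list of (finding, remediation command) pairs, empty if clean."""
    st = State()
    for line in config_lines:
        apply(st, line.strip())
    findings = []
    if st.ssh["mode"] != "secure":
        findings.append(("SSH not in secure mode: Web, SNMP and Telnet access "
                         "remain available", "ssh secure"))
    if st.ssh["pass_auth"]:
        findings.append(("SSH password authentication enabled", "no ssh pass-auth"))
    if not st.ssh["dsa_auth"]:
        findings.append(("SSH DSA public-key authentication disabled", "ssh dsa-auth"))
    if st.ssh["timeout"] > 60:
        findings.append(("SSH authentication timeout above the default of 60",
                         "default ssh timeout"))
    if st.web_server and st.ssh["mode"] != "secure":
        findings.append(("Web-based management server enabled", "web-server disable"))
    for access, name in st.communities.items():
        if name == DEFAULT_COMMUNITIES[access]:
            findings.append((f"SNMP {access} community is the default '{name}'",
                             f"snmp-server community <new-string> {access}"))
    return findings


# Constructed sample: a switch left close to its defaults.
WEAK_CONFIG = [
    "ssh",
    "ssh pass-auth",
    "web-server enable",
    "snmp-server community public ro",
    "snmp-server community private rw",
]

# Constructed sample: host key generated, client key loaded from a TFTP server
# (192.0.2.10 is a documentation address), then key-only, secure-mode SSH.
HARDENED_CONFIG = [
    "ssh dsa-host-key",
    "ssh download-auth-key address 192.0.2.10 key-name switchkey.pub",
    "ssh dsa-auth",
    "no ssh pass-auth",
    "ssh timeout 30",
    "web-server disable",
    "snmp-server community NetOpsR0 ro",
    "snmp-server community NONE rw",
    "ssh secure",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding, fix in audit(cfg):
            print(f"  {finding}  ->  {fix}")
```

Note that in the hardened sequence the host key is generated and the client public key downloaded before password authentication is turned off, since the chapter states that SSH cannot be enabled while the host key is being generated and a switch with both dsa-auth and pass-auth disabled has no remaining SSH login method. The TFTP transfer used by ssh download-auth-key carries no integrity protection, so the result of show ssh download-auth-key should be checked after the transfer.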

no snmp-server contact command

The no snmp-server contact command clears the syscontact value.

The syntax for the no snmp-server contact command is:

    no snmp-server contact

The no snmp-server contact command is in the config command mode.

The no snmp-server contact command has no parameters or variables.

default snmp-server contact command

The default snmp-server contact command restores the syscontact value to the default value.

The syntax for the default snmp-server contact command is:

    default snmp-server contact

The default snmp-server contact command is in the config command mode.

The default snmp-server contact command has no parameters or variables.

snmp-server location command

The snmp-server location command configures the SNMP syslocation value.

The syntax for the snmp-server location command is:

    snmp-server location <text>

The snmp-server location command is in the config command mode.

The following table describes the parameters and variables for the snmp-server location command.

Table 22  snmp-server location command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP syslocation value; enter an alphanumeric string of up to 255 characters.

no snmp-server location command

The no snmp-server location command clears the SNMP syslocation value.

The syntax for the no snmp-server location command is:

    no snmp-server location <text>

The no snmp-server location command is in the config command mode.

The following table describes the parameters and variables for the no snmp-server location command.

Table 23  no snmp-server location command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP syslocation value. Enter a string of up to 255 characters.

default snmp-server location command

The default snmp-server location command restores syslocation to the default value.

The syntax for the default snmp-server location command is:

    default snmp-server location

The default snmp-server location command is in the config command mode.

The default snmp-server location command has no parameters or variables.

snmp-server name command

The snmp-server name command configures the SNMP sysname value.

The syntax for the snmp-server name command is:

    snmp-server name <text>

The snmp-server name command is in the config command mode.

The following table describes the parameters and variables for the snmp-server name command.

Table 24  snmp-server name command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP sysname value; enter an alphanumeric string of up to 255 characters.

no snmp-server name command

The no snmp-server name command clears the SNMP sysname value.

The syntax for the no snmp-server name command is:

    no snmp-server name <text>

The no snmp-server name command is in the config command mode.

The following table describes the parameters and variables for the no snmp-server name command.

Table 25  no snmp-server name command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP sysname value; enter an alphanumeric string of up to 255 characters.

default snmp-server name command

The default snmp-server name command restores sysname to the default value.

The syntax for the default snmp-server name command is:

    default snmp-server name

The default snmp-server name command is in the config command mode.

The following table describes the parameters and variables for the default snmp-server name command.

Table 26  default snmp-server name command parameters and variables

    Parameters and variables
        Description

    <text>
        Specifies the SNMP sysname value; enter an alphanumeric string of up to 255 characters.

snmp trap link-status command

The snmp trap link-status command enables the linkup/linkdown traps for the port.

The syntax of the command is:

    snmp trap link-status [port <portlist>]

The snmp trap link-status command is in the config-if command mode.

The following table describes the parameters and variables for the snmp trap link-status command.

Table 27  snmp trap link-status command parameters and variables

    Parameters and variables
        Description

    port <portlist>
        Specifies the port numbers on which to enable the linkup/linkdown traps. Enter the port numbers or all.
        Note: If you omit this parameter, the system uses the port number specified with the interface command.

    disable|enable
        Disables or enables generation of linkup/linkdown traps.

no snmp trap link-status command

The no snmp trap link-status command disables the linkup/linkdown traps for the port.

The syntax of the no snmp trap link-status command is:

    no snmp trap link-status [port <portlist>]

The no snmp trap link-status command is in the config-if command mode.

The following table describes the parameters and variables for the no snmp trap link-status command.

Table 28  no snmp trap link-status command parameters and variables

    Parameters and variables
        Description

    port <portlist>
        Specifies the port numbers on which to disable the linkup/linkdown traps. Enter the port numbers or all.
        Note: If you omit this parameter, the system uses the port number specified with the interface command.

default snmp trap link-status command

The default snmp trap link-status command disables the linkup/linkdown traps for the port.

The syntax of the command is:

    default snmp trap link-status [port <portlist>]

The default snmp trap link-status command is in the config-if command mode.

The following table describes the parameters and variables for the default snmp trap link-status command.

Table 29  default snmp trap link-status command parameters and variables

    Parameters and variables
        Description

    port <portlist>
        Specifies the port numbers on which to disable the linkup/linkdown traps. Enter the port numbers or all.
        Note: If you omit this parameter, the system uses the port number specified with the interface command.

CLI commands specific to SNMPv3

This section describes the unique CLI commands for configuring SNMPv3. For details about the CLI commands that are common to both SNMP and SNMPv3, see "Common SNMP and SNMPv3 CLI commands" (page 51).

The following SNMP commands are specific to SNMPv3:

    "snmp-server user command" (page 61)
    "no snmp-server user command" (page 64)
    "snmp-server view command" (page 64)
    "no snmp-server view command" (page 65)
    "snmp-server host for new-style table command" (page 66)
    "no snmp-server host for new-style table command" (page 67)
    "default snmp-server host command" (page 67)
    "snmp-server community command" (page 68)
    "snmp-server bootstrap command" (page 70)

snmp-server user command

The snmp-server user command creates an SNMPv3 user.

The syntax for the snmp-server user command is:

    snmp-server user [engine-id <engineid>] <username> [read-view <view-name>]

        [write-view <view-name>] [notify-view <view-name>]
        [{md5|sha} <password> [read-view <view-name>]
        [write-view <view-name>] [notify-view <view-name>]
        [{3des|aes|des} <password> [read-view <view-name>]
        [write-view <view-name>] [notify-view <view-name>]]]

The snmp-server user command is in the config command mode.

The sha and des parameters are available only if the switch image has full SHA/DES support.

The command shows three sets of read/write/notify views. The first set specifies unauthenticated access. The second set specifies authenticated access. The third set specifies authenticated and encrypted access.

You can specify authenticated access only if the md5 or sha parameter is included. Likewise, you can specify authenticated and encrypted access only if the des, aes, or 3des parameter is included.

If you omit the authenticated view parameters, authenticated access uses the views specified for unauthenticated access. If you omit all the authenticated and encrypted view parameters, the authenticated and encrypted access uses the same views that are used for authenticated access. These views are the unauthenticated views, if all the authenticated views are also omitted.

The following table describes the parameters and variables for the snmp-server user command.

Table 30  snmp-server user command parameters and variables

    Parameters and variables
        Description

    engine-id <engineid>
        Specifies the SNMP engine ID of the remote SNMP entity.

    <username>
        Specifies the user name; enter an alphanumeric string of up to 255 characters.

    md5 <password>
        Specifies the use of an md5 password. password specifies the new user md5 password; enter an alphanumeric string. If this parameter is omitted, the user is created with only unauthenticated access rights.
        Note: This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.

    read-view <view-name>
        Specifies the read view to which the new user has access: view-name specifies the view name; enter an alphanumeric string of up to 255 characters.

    write-view <view-name>
        Specifies the write view to which the new user has access: view-name specifies the view name; enter an alphanumeric string of up to 255 characters.

    notify-view <view-name>
        Specifies the notify view to which the new user has access: view-name specifies the view name; enter an alphanumeric string of up to 255 characters.

    sha/des/3des/aes
        Specifies SHA authentication or one of the following: DES, 3DES, or AES privacy encryption.

        Note: This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.

no snmp-server user command

The no snmp-server user command deletes the specified user.

The syntax for the no snmp-server user command is:

    no snmp-server user [engine-id <engineid>] <username>

The no snmp-server user command is in the config command mode.

The following table describes the parameters and variables for the no snmp-server user command.

Table 31  no snmp-server user command parameters and variables

    Parameters and variables
        Description

    engine-id <engineid>
        Specifies the SNMP engine ID of the remote SNMP entity.

    <username>
        Specifies the user to be removed.

snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object instances that can be accessed.

The syntax for the snmp-server view command is:

    snmp-server view <view-name> <OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]]

The snmp-server view command is in the config command mode.

The following table describes the parameters and variables for the snmp-server view command.

Table 32  snmp-server view command parameters and variables

    Parameters and variables
        Description

    <viewname>
        Specifies the name of the new view; enter an alphanumeric string.

    <OID>
        Specifies the object identifier. OID can be entered as a MIB object English descriptor, a dotted form OID, or a mix of the two. Each OID can also be preceded by a plus (+) or minus (-) sign (if the minus sign is omitted, a plus sign is implied). For the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:

            sysname
            +sysname
            -sysname
            +sysname.0
            +ifindex.1
            -ifentry.*.1   (matches all objects in the ifTable with an instance of 1, that is, the entry for interface #1)
            1.3.6.1.2.1.1.1   (dotted form of sysdescr)

        The plus (+) or minus (-) sign indicates whether the specified OID is included in or excluded from, respectively, the set of MIB objects that are accessible by using this view. For example, if you create a view as follows:

            snmp-server view myview +system -sysdescr

        and you use that view for the read-view of a user, then the user can read only the system group, except for sysdescr.

no snmp-server view command

The no snmp-server view command deletes the specified view.

The syntax for the no snmp-server view command is:

    no snmp-server view <viewname>

The no snmp-server view command is in the config command mode.

The following table describes the parameters and variables for the no snmp-server view command.

Table 33  no snmp-server view command parameters and variables

    Parameters and variables
        Description

    <viewname>
        Specifies the name of the view to be removed. If no view is specified, all views are removed.

snmp-server host for the new-style table command

The snmp-server host for the new-style table command adds a trap receiver to the new-style configuration (that is, to the SNMPv3 tables). You can create several entries in this table, and each can generate v1, v2c, or v3 traps. You must previously configure the community string or user that is specified with a notify-view.

The syntax for the snmp-server host for the new-style table command is:

    snmp-server host <host-ip> [port < >] {<community-string>|v2c <community-string>|v3 {auth|no-auth|auth-priv} <username>}

The snmp-server host for the new-style table command is in the config command mode.

The following table describes the parameters and variables for the snmp-server host for the new-style table command.

Table 34  snmp-server host for the new-style table command parameters and variables

    Parameters and variables
        Description

    <host-ip>
        Enter a dotted-decimal IP address of a host to be the trap destination.

    port < >
        Sets the SNMP trap port.

    <community-string>
        If you do not specify a trap type, this variable creates v1 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

    v2c <community-string>
        Using v2c creates v2c trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

    v3 {auth|no-auth|auth-priv}
        Using v3 creates v3 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels by entering the following variables:
            auth|no-auth    Specifies whether SNMPv3 traps can be authenticated.
            auth-priv       This parameter is only available if the image has full SHA/DES support.

    <username>
        Specifies the SNMPv3 username for the trap destination; enter an alphanumeric string.

no snmp-server host for the new-style table command

The no snmp-server host for the new-style table command deletes trap receivers from the new-style table (SNMPv3 MIB). Any trap receiver that matches the IP address and SNMP version is deleted.

The syntax for the no snmp-server host for the new-style table command is:

    no snmp-server host <host-ip> {v1|v2c|v3}

The no snmp-server host for the new-style table command is in the config command mode.

The following table describes the parameters and variables for the no snmp-server host for the new-style table command.

Table 35  no snmp-server host for the new-style table command parameters and variables

    Parameters and variables
        Description

    <host-ip>
        Enter the IP address of a trap destination host.

    v1|v2c|v3
        Specifies the trap receivers in the SNMPv3 MIBs.

default snmp-server host command

The default snmp-server host command restores the table to defaults (that is, it clears the table).

The syntax for the default snmp-server host command is:

    default snmp-server host

The default snmp-server host command is in the config command mode.

The default snmp-server host command has no parameters or variables.

snmp-server community command

With the snmp-server community command, you can create community strings with varying levels of read, write, and notification access based on SNMPv3 views. These community strings are separate from those created by using the snmp-server community command for read/write. This command affects community strings stored in the SNMPv3 snmpCommunityTable, which allows several community strings to be created. These community strings can have any MIB view.

The syntax for the snmp-server community command is:

  snmp-server community <community-string> {read-view <view-name> | write-view <view-name> | notify-view <view-name>}

The snmp-server community command is in the config command mode.

The following table describes the parameters and variables for the snmp-server community command.

Table 36 snmp-server community command parameters and variables

  <community-string>
      Enter a community string to be created with access to the specified views.
      Note: This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.

  read-view <view-name>
      Changes the read view used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
  ro
      Read-only access with this community string.
  rw
      Read-write access with this community string.
  write-view <view-name>
      Changes the write view used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
  notify-view <view-name>
      Changes the notify view settings used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

show snmp-server command

The show snmp-server command displays the SNMPv3 configuration.

The syntax for the show snmp-server command is:

  show snmp-server {community | host | user | view}

The show snmp-server command is in the privexec command mode.

The following table describes the parameters and variables for the show snmp-server command.

Table 37 show snmp-server command parameters and variables

  community | host | user | view
      Displays SNMPv3 configuration information:
        community   community strings as configured in SNMPv3 MIBs (this parameter is not displayed when Password Security is enabled)
        host        trap receivers as configured in SNMPv3 MIBs
        user        SNMPv3 users, including views accessible to each user
        view        SNMPv3 views

snmp-server bootstrap command

With the snmp-server bootstrap command, you can specify how you wish to secure SNMP communications, as described in the SNMPv3 standards. This command creates an initial set of configuration data for SNMPv3. This configuration data follows the conventions described in the SNMPv3 standard (RFC 3414 and RFC 3415). The data consists of a set of initial users, groups, and views. The snmp-server bootstrap command deletes all existing SNMP configuration, so use the command with caution.

The syntax for the snmp-server bootstrap command is:

  snmp-server bootstrap <minimum-secure> <semi-secure> <very-secure>

The snmp-server bootstrap command is in the config command mode.

The following table describes the parameters and variables for the snmp-server bootstrap command.

Table 38 snmp-server bootstrap command parameters and variables

  <minimum-secure>
      Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.
  <semi-secure>
      Specifies a partial security configuration that allows read access to a small subset of system information using noAuthNoPriv, and read and write access to everything using authNoPriv.
  <very-secure>
      Specifies a maximum security configuration that allows no access.

Securing your network

You can secure your network using the following CLI commands:

  "Configuring MAC address filter-based security" (page 71)
  "Configuring EAPOL-based security" (page 77)

Configuring MAC address filter-based security

You configure the BaySecure* application using MAC addresses with the following commands:

  "show mac-security command" (page 71)
  "mac-security command" (page 72)
  "mac-security mac-address-table address command" (page 74)
  "mac-security security-list command" (page 74)
  "no mac-security command" (page 75)
  "no mac-security mac-address-table command" (page 75)
  "no mac-security security-list command" (page 76)
  "mac-security command for specific ports" (page 76)
  "mac-security mac-da-filter command" (page 77)

show mac-security command

The show mac-security command displays configuration information for the BaySecure application.

The syntax for the show mac-security command is:

  show mac-security {config | mac-address-table [address <macaddr>] | port | security-lists | mac-da-filter}

The show mac-security command is in the privexec command mode.

The following table describes the parameters and variables for the show mac-security command.

Table 39 show mac-security command parameters and variables

  config
      Displays the general BaySecure configuration.
  mac-address-table [address <macaddr>]
      Displays the contents of the BaySecure table of allowed MAC addresses; address specifies a single MAC address to display; enter the MAC address.
  port
      Displays the BaySecure status of all ports.
  security-lists
      Displays the port membership of all security lists.
  mac-da-filter
      Displays MAC DA filtering addresses.

The following figure shows sample output from the show mac-security command.

Figure 11 show mac-security command output

mac-security command

The mac-security command modifies the BaySecure configuration.

The syntax for the mac-security command is:

  mac-security [disable | enable] [filtering {enable | disable}] [intrusion-detect {enable | disable | forever}] [intrusion-timer < >] [learning-ports <portlist>] [learning {enable | disable}] mac-address-table mac-da-filter security-list [snmp-lock {enable | disable}] [snmp-trap {enable | disable}]

The mac-security command is in the config command mode.

The following table describes the parameters and variables for the mac-security command.

Table 40 mac-security command parameters and values

  disable | enable
      Disables or enables MAC address-based security.
  filtering {enable | disable}
      Enables or disables destination address (DA) filtering when an intrusion is detected.
  intrusion-detect {enable | disable | forever}
      Specifies the partitioning of a port when an intrusion is detected:
        enable    port is partitioned for a period of time
        disable   port is not partitioned on detection
        forever   port is partitioned until manually changed
  intrusion-timer < >
      Specifies, in seconds, the length of time a port is partitioned when an intrusion is detected; enter the number of seconds.
  learning {enable | disable}
      Specifies MAC address learning:
        enable    enables learning by ports
        disable   disables learning by ports
      Note: The MAC address learning enable command must be executed to specify learning ports.
  learning-ports <portlist>
      Specifies the MAC address learning ports. Learned addresses are added to the table of allowed MAC addresses. Enter the ports you want to learn; this can be a single port, a range of ports, several ranges, all, or none.
  mac-address-table
      Adds addresses to the MAC security address table.
  mac-da-filter
      Adds or deletes MAC DA filtering addresses.

  security-list
      Modifies security list port membership.
  snmp-lock {enable | disable}
      Enables or disables a lock on SNMP write-access to the BaySecure MIBs.
  snmp-trap {enable | disable}
      Enables or disables trap generation when an intrusion is detected.

mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specific port or a security list to the MAC address. This removes any previous assignment to the specified MAC address and creates an entry in the BaySecure table of allowed MAC addresses.

The syntax for the mac-security mac-address-table address command is:

  mac-security mac-address-table address <H.H.H> {port <portlist> | security-list <1-32>}

Note: In this command, portlist must specify only a single port.

The mac-security mac-address-table address command is in the config command mode.

The following table describes the parameters and variables for the mac-security mac-address-table address command.

Table 41 mac-security mac-address-table address parameters and values

  <H.H.H>
      Enter the MAC address in the form of H.H.H.
  port <portlist> | security-list <1-32>
      Enter the port number or the security list number.

mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list.

The syntax for the mac-security security-list command is:

  mac-security security-list <1-32> <portlist>

The mac-security security-list command is in the config command mode.

The following table describes the parameters and variables for the mac-security security-list command.

Table 42 mac-security security-list command parameters and values

  <1-32>
      Enter the number of the security list that you want to use.
  <portlist>
      Enter a list or range of port numbers.

no mac-security command

The no mac-security command disables MAC source address-based security.

The syntax for the no mac-security command is:

  no mac-security

The no mac-security command is in the config command mode.

The no mac-security command has no parameters or values.

no mac-security mac-address-table command

The no mac-security mac-address-table command clears entries from the MAC address security table.

The syntax for the no mac-security mac-address-table command is:

  no mac-security mac-address-table {address <H.H.H> | port <portlist> | security-list <1-32>}

The no mac-security mac-address-table command is in the config command mode.

The following table describes the parameters and variables for the no mac-security mac-address-table command.

Table 43 no mac-security mac-address-table command parameters and values

  address <H.H.H>
      Enter the MAC address in the form of H.H.H.
  port <portlist>
      Enter a list or range of port numbers.
  security-list <1-32>
      Enter the security list number.
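The following model, added here as an illustration and not Nortel code, shows how the allowed-MAC table built by the mac-security mac-address-table address and mac-security security-list commands decides whether a frame is an intrusion, and how intrusion-detect and intrusion-timer then partition the ingress port. The 24-port switch size, the class and method names, and the sample MAC addresses are assumptions for the example.

```python
"""Model of the BaySecure allowed-MAC table (added example, not Nortel code).
Semantics taken from the command descriptions: a MAC address is assigned to
exactly one port or one security list (1-32), a later assignment replaces the
earlier one, and on intrusion the ingress port is partitioned for
intrusion-timer seconds (enable), forever, or not at all (disable)."""
import re

# H.H.H form, for example 0000.1111.2222 (assumed 4-hex-digit groups)
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_portlist(spec, max_port=24):
    """Expand a <portlist> such as '1,3-5,10', 'all' or 'none' into a set of ports."""
    if spec == "all":
        return set(range(1, max_port + 1))
    if spec == "none":
        return set()
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= max_port:
            raise ValueError("port out of range: " + part)
        ports.update(range(lo, hi + 1))
    return ports


class MacSecurity:
    def __init__(self, intrusion_detect="enable", intrusion_timer=60):
        self.allowed = {}        # mac -> ("port", n) or ("list", n)
        self.lists = {}          # security list 1-32 -> set of member ports
        self.partitioned = {}    # port -> seconds left, or None for "forever"
        self.intrusion_detect = intrusion_detect
        self.intrusion_timer = intrusion_timer

    def security_list(self, index, portlist):
        """mac-security security-list <1-32> <portlist>"""
        if not 1 <= index <= 32:
            raise ValueError("security list index must be 1-32")
        self.lists[index] = parse_portlist(portlist)

    def address(self, mac, *, port=None, security_list=None):
        """mac-security mac-address-table address <H.H.H> {port <p> | security-list <n>}"""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("MAC must be in H.H.H form")
        if (port is None) == (security_list is None):
            raise ValueError("give exactly one of port or security-list")
        if port is not None:
            ports = parse_portlist(port)
            if len(ports) != 1:   # "portlist must specify only a single port"
                raise ValueError("address assignment takes a single port")
            self.allowed[mac] = ("port", ports.pop())
        else:
            if security_list not in self.lists:
                raise ValueError("security list %d is not defined" % security_list)
            self.allowed[mac] = ("list", security_list)
        # either branch replaces any previous assignment of this MAC

    def is_allowed(self, mac, ingress_port):
        kind, value = self.allowed.get(mac.lower(), (None, None))
        if kind == "port":
            return value == ingress_port
        if kind == "list":
            return ingress_port in self.lists[value]
        return False

    def frame(self, mac, ingress_port):
        """Return 'forward', 'drop' (port partitioned) or 'intrusion' for a frame."""
        if ingress_port in self.partitioned:
            return "drop"
        if self.is_allowed(mac, ingress_port):
            return "forward"
        if self.intrusion_detect == "forever":
            self.partitioned[ingress_port] = None
        elif self.intrusion_detect == "enable":
            self.partitioned[ingress_port] = self.intrusion_timer
        return "intrusion"

    def tick(self, seconds):
        """Advance time: timed partitions expire, 'forever' partitions stay."""
        for port, left in list(self.partitioned.items()):
            if left is None:
                continue
            if left - seconds <= 0:
                del self.partitioned[port]
            else:
                self.partitioned[port] = left - seconds
```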

no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list.

The syntax for the no mac-security security-list command is:

  no mac-security security-list <1-32>

The no mac-security security-list command is in the config command mode.

The following table describes the parameters and variables for the no mac-security security-list command.

Table 44 no mac-security security-list command parameters and values

  <1-32>
      Enter the number of the security list that you want to clear.

mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specific ports.

The syntax for the mac-security command for specific ports is:

  mac-security [port <portlist>] {disable | enable | learning}

The mac-security command for specific ports is in the config-if command mode.

The following table describes the parameters and variables for the mac-security command for specific ports.

Table 45 mac-security command for a single port parameters and variables

  port <portlist>
      Enter the port numbers.
  disable | enable | learning
      Directs the specific port:
        disable    disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed

        enable     enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed
        learning   disables BaySecure on the specified port and adds the port to the list of ports for which MAC address learning is performed

mac-security mac-da-filter command

With the mac-security mac-da-filter command, you can filter packets from up to 10 specified MAC DAs. You can also use this command to delete such a filter and then receive packets from the specified MAC DA.

The syntax for the mac-security mac-da-filter command is:

  mac-security mac-da-filter {add | delete} <H.H.H>

The mac-security mac-da-filter command is in the config command mode.

The following table describes the parameters and variables for the mac-security mac-da-filter command.

Table 46 mac-security mac-da-filter command parameters and values

  {add | delete} <H.H.H>
      Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.
      Note: Ensure that you do not enter the MAC address of the management unit.

Configuring EAPOL-based security

You can configure security based on the Extensible Authentication Protocol over LAN (EAPOL) by using the following CLI commands:

  "show eapol command" (page 78)
  "eapol command" (page 79)
  "show interface eapol command" (page 78)
  "eapol command for modifying parameters" (page 79)
  "eapol guest-vlan command" (page 81)

  "no eapol guest-vlan command" (page 81)
  "default eapol guest-vlan command" (page 82)

show eapol command

The show eapol command displays the status of EAPOL-based security.

The syntax for the show eapol command is:

  show eapol [port <portlist>]

The show eapol command is in the privexec command mode.

The following figure displays sample output from the show eapol command.

Figure 12 Sample output from the show eapol command

show interface eapol command

The show interface eapol command displays port-based statistics on EAPOL-based security.

The syntax for the show interface eapol command is:

  show interface FastEthernet eapol [auth-diags <portlist>] [auth-stats <portlist>]

The show interface eapol command is in the privexec command mode.

The following table describes the parameters and variables for the show interface eapol command.

Table 47 show interface eapol command parameters and variables

  auth-diags <portlist>
      Displays EAPOL diagnostics.
  auth-stats <portlist>
      Displays EAPOL statistics.

eapol command

The eapol command enables or disables EAPOL-based security.

The syntax of the eapol command is:

  eapol {disable | enable}

The eapol command is in the config command mode.

The following table describes the parameters and variables for the eapol command.

Table 48 eapol command parameters and variables

  disable | enable
      Disables or enables EAPOL-based security.

eapol command for modifying parameters

The eapol command for modifying parameters modifies EAPOL-based security parameters for a specific port.

The syntax of the eapol command for modifying parameters is:

  eapol [port <portlist>] [init] [status authorized | unauthorized | auto] [traffic-control in-out | in] [re-authentication enable | disable] [re-authentication-period < >] [re-authenticate] [quiet-interval <num>] [transmit-interval <num>] [supplicant-timeout <num>] [server-timeout <num>] [max-request <num>]

The eapol command for modifying parameters is in the config-if command mode.

The following table describes the parameters and variables for the eapol command for modifying parameters.

Table 49 eapol command for modifying parameters and variables

  port <portlist>
      Specifies the ports to configure for EAPOL; enter the port numbers you want to use.
      Note: If you omit this parameter, the system uses the port number that you specified when you issued the interface command.
  init
      Reinitiates EAP authentication.
  status authorized | unauthorized | auto
      Specifies the EAP status of the port:
        authorized     Port is always authorized
        unauthorized   Port is always unauthorized
        auto           Port authorization status depends on the result of the EAP authentication
  traffic-control in-out | in
      Sets the level of traffic control:
        in-out   If EAP authentication fails, both ingressing and egressing traffic are blocked
        in       If EAP authentication fails, only ingressing traffic is blocked
  re-authentication enable | disable
      Enables or disables reauthentication.
  re-authentication-period < >
      Enter the number of seconds that you want between re-authentication attempts. Use either this variable or the reauthentication-interval variable; do not use both variables because they control the same setting.
  re-authenticate
      Specifies an immediate reauthentication.

  quiet-interval <num>
      Enter the number of seconds that you want between an authentication failure and the start of a new authentication attempt; the range is 1 to
  transmit-interval <num>
      Specifies a waiting period for a response from the supplicant to EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is
  supplicant-timeout <num>
      Specifies a waiting period for a response from the supplicant to all EAP packets except EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is
  server-timeout <num>
      Specifies a waiting period for a response from the server. Enter the number of seconds that you want to wait; the range is
  max-request <num>
      Enter the number of times to retry sending packets to the supplicant.

eapol guest-vlan command

The eapol guest-vlan command sets the guest VLAN for the EAP-controlled port.

The syntax for the eapol guest-vlan command is:

  eapol guest-vlan [vid <1-4094> | enable]

The eapol guest-vlan command is executed in the config command mode.

The following table describes the parameters and variables for the eapol guest-vlan command.

Table 50 eapol guest-vlan command parameters and variables

  <vid>
      Guest VLAN ID.
  enable
      Enable the guest VLAN.

no eapol guest-vlan command

The no eapol guest-vlan command disables the guest VLAN.

The syntax for the no eapol guest-vlan command is:

  no eapol guest-vlan [enable]

The no eapol guest-vlan command is executed in the config command mode.

default eapol guest-vlan command

The default eapol guest-vlan command disables the guest VLAN.

The syntax for the default eapol guest-vlan command is:

  default eapol guest-vlan

The default eapol guest-vlan command is executed in the config command mode.

The default eapol guest-vlan command has no parameters or variables.

show eapol guest-vlan command

The show eapol guest-vlan command displays the current guest VLAN configuration.

The syntax for the show eapol guest-vlan command is:

  show eapol guest-vlan

The show eapol guest-vlan command is executed in the config command mode.

The show eapol guest-vlan command has no parameters or variables.

The following figure displays sample output from the show eapol guest-vlan command.

Figure 13 show eapol guest-vlan command output
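The new-style trap receiver table described earlier in this chapter (snmp-server host, no snmp-server host and default snmp-server host) is modelled below as an added example, not Nortel code, so that the effect of each command on the table and the security level of each receiver can be checked offline. The configuration lines are constructed from the documented syntax; the default trap port 162, the 1-65535 port range, and the sample addresses and names are assumptions the page does not state.

```python
"""Model of the SNMPv3 (new-style) trap receiver table driven by the
snmp-server host command syntax from this chapter (added example, not Nortel
code).  Assumed: default trap port 162, port range 1-65535."""
import shlex
from dataclasses import dataclass

# Ordering used to report receivers weaker than a chosen minimum.
SECURITY_RANK = {"v1": 0, "v2c": 0, "v3 no-auth": 1, "v3 auth": 2, "v3 auth-priv": 3}


@dataclass(frozen=True)
class TrapReceiver:
    host_ip: str
    port: int
    version: str     # "v1", "v2c" or "v3"
    level: str       # "community" for v1/v2c; auth, no-auth or auth-priv for v3
    principal: str   # community string (v1/v2c) or SNMPv3 username (v3)

    def security(self):
        return self.version if self.version != "v3" else "v3 " + self.level


def _check_ip(text):
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("host-ip must be dotted decimal: " + text)
    return text


def parse_host_command(line):
    """snmp-server host <host-ip> [port <n>] {<community> | v2c <community> | v3 {auth|no-auth|auth-priv} <user>}"""
    tok = shlex.split(line)
    if tok[:2] != ["snmp-server", "host"] or len(tok) < 4:
        raise ValueError("not an snmp-server host command: " + line)
    host_ip = _check_ip(tok[2])
    rest, port = tok[3:], 162
    if rest[0] == "port":
        port = int(rest[1])
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        rest = rest[2:]
    if not rest:
        raise ValueError("missing trap type / community string")
    if rest[0] == "v3":
        if len(rest) != 3 or rest[1] not in ("auth", "no-auth", "auth-priv"):
            raise ValueError("v3 needs {auth|no-auth|auth-priv} <username>")
        return TrapReceiver(host_ip, port, "v3", rest[1], rest[2])
    if rest[0] == "v2c":
        if len(rest) != 2:
            raise ValueError("v2c needs a community string")
        return TrapReceiver(host_ip, port, "v2c", "community", rest[1])
    if len(rest) != 1:
        raise ValueError("trailing tokens: " + " ".join(rest[1:]))
    # no trap type given: the command creates a v1 receiver
    return TrapReceiver(host_ip, port, "v1", "community", rest[0])


class TrapReceiverTable:
    def __init__(self):
        self.entries = []

    def apply(self, line):
        """Apply one line: snmp-server host ..., no snmp-server host ..., default snmp-server host."""
        tok = shlex.split(line)
        if tok[:3] == ["default", "snmp-server", "host"]:
            self.entries.clear()                 # restores defaults, that is, clears the table
        elif tok[:3] == ["no", "snmp-server", "host"]:
            if len(tok) != 5 or tok[4] not in ("v1", "v2c", "v3"):
                raise ValueError("usage: no snmp-server host <host-ip> {v1|v2c|v3}")
            ip = _check_ip(tok[3])
            # every receiver matching both the IP address and the SNMP version is deleted
            self.entries = [e for e in self.entries
                            if not (e.host_ip == ip and e.version == tok[4])]
        else:
            self.entries.append(parse_host_command(line))

    def below(self, minimum="v3 auth-priv"):
        """Receivers weaker than `minimum`; v1/v2c receivers send traps and the
        community string unauthenticated and in clear text, v3 no-auth is unauthenticated."""
        return [e for e in self.entries if SECURITY_RANK[e.security()] < SECURITY_RANK[minimum]]


# Constructed sample configuration, not captured from a real switch.
SAMPLE_CONFIG = """
snmp-server host 192.0.2.10 public
snmp-server host 192.0.2.10 port 1162 v2c ops-community
snmp-server host 192.0.2.20 v3 no-auth nocuser
snmp-server host 192.0.2.20 v3 auth-priv secmon
"""


def load(config_text):
    table = TrapReceiverTable()
    for line in config_text.strip().splitlines():
        table.apply(line)
    return table
```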

Chapter 3 Configuring security using Device Manager

You can set the security features for a switch so that when a violation occurs the right actions are performed by the software. The security actions that you specify are applied to all ports of the switch.

This chapter describes the Security information available in Device Manager, and includes the following topics:

  "EAPOL tab" (page 83)
  "General tab" (page 84)
  "SecurityList tab" (page 87)
  "AuthConfig tab" (page 89)
  "AuthStatus tab" (page 92)
  "AuthViolation tab" (page 95)
  "SSH tab" (page 95)
  "SSH Sessions tab" (page 97)
  "Configuring EAPOL on ports" (page 98)
  "Configuring SNMP" (page 107)
  "Working with SNMPv3" (page 113)

EAPOL tab

The EAPOL tab lets you set and view EAPOL security information for the switch.

To view the EAPOL tab, use the following procedure:

  From the Device Manager menu bar, select Edit > Security.
  The Security dialog box appears with the EAPOL tab displayed.

The following figure displays the EAPOL tab.

Figure 14 EAPOL tab

General tab

The General tab lets you set and view general security information for the switch.

To view the General tab, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security dialog box appears with the EAPOL tab displayed (EAPOL tab).
  2   Click the General tab.
      The General tab appears.

The following figure displays the General tab.

Figure 15 General tab

--End--

General tab fields

The following table describes the General tab fields.

Table 51 General tab fields

  AuthSecurityLock
      If this parameter is listed as locked, the agent refuses all requests to modify the security configuration. Entries also include: other, notlocked.
  AuthCtlPartTime
      This value indicates the duration of the time for port partitioning in seconds. The default is zero. When the value is zero, the port remains partitioned until it is manually reenabled.
  SecurityStatus
      Indicates whether or not the switch security feature is enabled.

  SecurityMode
      Mode of switch security. Entries include:
        maclist: Indicates that the switch is in the MAC-list mode. You can configure more than one MAC address per port.
        autolearn: Indicates that the switch learns the first MAC address on each port as an allowed address of that port.
  SecurityAction
      Actions performed by the software when a violation occurs (when SecurityStatus is enabled). The security action specified here applies to all ports of the switch. A blocked address causes the port to be partitioned when unauthorized access is attempted. Selections include:
        noaction: Port does not have any security assigned to it, or the security feature is turned off.
        trap: Listed trap.
        partitionport: Port is partitioned.
        partitionportandsendtrap: Port is partitioned, and traps are sent to the trap receiver.
        dafiltering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station.
        dafilteringandsendtrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.
        partitionportanddafiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station.
        partitionportdafilteringandsendtrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.

  CurrNodesAllowed
      Current number of entries of the nodes allowed in the AuthConfig tab.
  MaxNodesAllowed
      Maximum number of entries of the nodes allowed in the AuthConfig tab.
  PortSecurityStatus
      Set of ports for which security is enabled.
  PortLearnStatus
      Set of ports where autolearning is enabled.
  CurrSecurityLists
      Current number of entries of the security lists listed in the SecurityList tab.
  MaxSecurityLists
      Maximum number of entries of the security lists listed in the SecurityList tab.

SecurityList tab

The SecurityList tab contains a list of Security port fields.

To view the SecurityList tab, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed (EAPOL tab).
  2   Click the SecurityList tab.
      The SecurityList tab appears.

The following figure displays the SecurityList tab.

Figure 16 SecurityList tab

--End--

SecurityList tab fields

The following table describes the SecurityList tab fields.

Table 52 SecurityList tab fields

  SecurityListIndx
      An index of the security list. This corresponds to the SecurityList field in the AuthConfig tab.
  SecurityListMembers
      The set of ports that are currently members in the port list.

Security, Insert SecurityList dialog box

To view the Security, Insert SecurityList dialog box, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed (EAPOL tab).
  2   Click the SecurityList tab.
      The SecurityList tab appears (Figure 16 "SecurityList tab" (page 87)).
  3   Click Insert.
      The Security, Insert SecurityList dialog box appears.

      Figure 17 Security, Insert SecurityList dialog box

  4   To add ports to the security list, in the SecurityListMembers field, click the ellipsis (...).
      The SecurityListMembers dialog box appears.
  5   Select the ports to include in the SecurityList, and click OK.
  6   Click Insert.

--End--

The following table describes the Security, Insert SecurityList dialog box fields.

Table 53 Security, Insert SecurityList dialog box fields

  SecurityListIndx
      An index of the security list. This corresponds to the Security port list that can be used as an index into the AuthConfig tab.
  SecurityListMembers
      The set of ports that are currently members in the port list.

AuthConfig tab

The AuthConfig tab contains a list of boards, ports, and MAC addresses that have the security configuration. An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU. Otherwise, the GENERR return value is returned.

To view the AuthConfig tab, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed (EAPOL tab).
  2   Click the AuthConfig tab.
      The AuthConfig tab appears (Figure 18 "AuthConfig tab" (page 89)).

      Figure 18 AuthConfig tab

--End--

The following table describes the AuthConfig tab fields.

Table 54 AuthConfig tab fields

  BrdIndx
      Index of the slot that contains the board on which the port is located. If you specify SecureList, this field must be zero.
  PortIndx
      Index of the port on the board. If you specify SecureList, this field must be zero.
  MACIndx
      An index of MAC addresses that are designated as allowed (station).
  AccessCtrlType
      Displays the node entry as node allowed. A MAC address can be allowed on multiple ports.
  SecureList
      The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero. The corresponding MAC address of this entry is allowed or blocked on all ports of this port list.

Security, Insert AuthConfig dialog box

To view the Security, Insert AuthConfig dialog box, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed.
  2   Click the AuthConfig tab.
      The AuthConfig tab appears.
  3   Click Insert.
      The Security, Insert AuthConfig dialog box appears.

      Figure 19 Security, Insert AuthConfig dialog box

  4   Complete the fields as required (see the following table for details) and click Insert.
      The new entry appears in the AuthConfig tab.

--End--

Security, Insert AuthConfig dialog box fields

The following table describes the Security, Insert AuthConfig dialog box fields.

Table 55 Security, Insert AuthConfig dialog box fields

  BrdIndx
      Index of the board. This corresponds to the index of the unit that contains the board, but only if the index is greater than zero. A zero index is a wild card.
  PortIndx
      Index of the port on the board. This corresponds to the index of the last manageable port on the board, but only if the index is greater than zero. A zero index is a wild card.
  MACIndx
      An index of MAC addresses that are either designated as allowed (station) or not-allowed (station).

  AccessCtrlType
      Displays whether the node entry is node allowed or node blocked. A MAC address can be allowed on multiple ports.
  SecureList
      The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero. The corresponding MAC address of this entry is allowed or blocked on all ports of this port list.

AuthStatus tab

The AuthStatus tab displays information about the authorized boards and port status data collection. This information includes actions to be performed when an unauthorized station is detected, and the current security status of a port. Entries in this tab can include:

  a single MAC address
  all MAC addresses on a single port
  a single port
  all the ports on a single board
  a particular port on all the boards
  all the ports on all the boards

To view the AuthStatus tab, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed (Figure 15 "General tab" (page 85)).
  2   Click the AuthStatus tab.
      The AuthStatus tab appears.

The following figure displays the AuthStatus tab.

Figure 20 AuthStatus tab

--End--

AuthStatus tab fields

The following table describes the AuthStatus tab fields.

Table 56 AuthStatus tab fields

  AuthStatusBrdIndx
      The index of the board. This corresponds to the index of the slot that contains the board if the index is greater than zero.
  AuthStatusPortIndx
      The index of the port on the board. This corresponds to the index of the last manageable port on the board if the index is greater than zero.
  AuthStatusMACIndx
      The index of the MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.
  CurrentAccessCtrlType
      Displays whether the node entry is the node allowed or node blocked type.

  CurrentActionMode
      A value representing the type of information contained, including:
        noaction: Port does not have any security assigned to it, or the security feature is turned off.
        partitionport: Port is partitioned.
        partitionportandsendtrap: Port is partitioned and traps are sent to the trap receiver.
        Filtering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station.
        FilteringAndsendTrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receiver.
        sendtrap: A trap is sent to the trap receiver(s).
        partitionportanddafiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station.
        partitionportdafilteringandsendtrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receiver(s).
  CurrentPortSecurStatus
      Displays the security status of the current port, including:
        If the port is disabled, notapplicable is returned.
        If the port is in a normal state, portsecure is returned.
        If the port is partitioned, portpartition is returned.

AuthViolation tab

The AuthViolation tab contains a list of boards and ports on which network access violations have occurred, and also the identity of the offending MAC addresses.

To view the AuthViolation tab, use the following procedure:

Step  Action
  1   From the Device Manager menu bar, select Edit > Security.
      The Security window appears with the EAPOL tab displayed (EAPOL tab).
  2   Click the AuthViolation tab.
      The AuthViolation tab appears.

The following figure displays the AuthViolation tab.

Figure 21 AuthViolation tab

--End--

SSH tab

The SSH tab displays the parameters available for SSH.

To view the SSH tab, use the following procedure:

Step Action
1 From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed (EAPOL tab).
2 Click the SSH tab. The SSH tab appears. The following figure displays the SSH tab.
Figure 22 SSH tab
End

The following table describes the SSH tab fields.

Table 57 SSH tab fields
Enable: Enables, disables, or securely enables SSH. Securely enabling SSH turns off the other daemon flag, and the change takes effect after a reboot.
Version: Indicates the SSH version.
Port: Indicates the SSH connection port.
Timeout: Indicates the SSH connection timeout in seconds.
KeyAction: Indicates the SSH key action.

DsaAuth: Enables or disables SSH DSA authentication.
PassAuth: Enables or disables SSH RSA authentication.
DsaHostKeyStatus: Indicates the current status of the SSH DSA host key:
  notgenerated: DSA host key has not yet been generated.
  generated: DSA host key has been generated.
  generating: DSA host key is currently being generated.
LoadServerAddr: Indicates the current server IP address.
TftpFile: Indicates the name of the file for the TFTP transfer.
TftpAction: Indicates the SSH public keys that are set to initiate a TFTP download.
TftpResult: Indicates the retrieved value of the TFTP transfer.

SSH Sessions tab
The SSH Sessions tab displays the currently active SSH sessions.
To view the SSH Sessions tab, use the following procedure:

Step Action
1 From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed (EAPOL tab).
2 Click the SSH Sessions tab. The SSH Sessions tab appears. The following figure displays the SSH Sessions tab.
Figure 23 SSH Sessions tab
End

The following table describes the SSH Sessions tab fields.

Table 58 SSH Sessions tab fields
SSHSessionsIP: Lists the currently active SSH sessions.

Configuring EAPOL on ports
This section contains the following topics:
"EAPOL tab for multiple ports" (page 98)
"EAPOL Advance tab for multiple ports" (page 101)
"EAPOL Stats tab for graphing ports" (page 102)
"EAPOL Diag tab for graphing ports" (page 104)

EAPOL tab for a port
The EAPOL tab shows the EAPOL settings for the selected port.
To view or edit the EAPOL tab for a port, use the following procedure:

Step Action
1 Select the port that you want to edit.
2 Do one of the following:
  From the shortcut menu, choose Edit.
  From the Device Manager main menu, choose Edit > Port.
  From the toolbar, click Edit.
  The Port dialog box appears with the Interface tab displayed.
3 Click the EAPOL tab. The EAPOL tab appears.

Figure 24 EAPOL tab for a port
End

The following table describes the EAPOL tab fields for ports.

Table 59 EAPOL tab fields for a port
PortProtocolVersion: The EAP protocol version that is running on this port.
PortCapabilities: The PAE functionality that is implemented on this port. Always returns dot1xpaeportauthcapable.
PortInitialize: Enables and disables EAPOL authentication for the specified port.
PortReauthenticateNow: Activates EAPOL authentication for the specified port immediately, without waiting for the Re-Authentication Period to expire.

PaeState: Displays the EAPOL authorization status for the switch:
  Force Authorized: The authorization status is always authorized.
  Force Unauthorized: The authorization status is always unauthorized.
  Auto: The authorization status depends on the EAP authentication results.
BackendAuthState: The current state of the Backend Authentication state machine for the switch.
AdminControlledDirections: Specifies whether EAPOL authentication is set for incoming and outgoing traffic (both) or for incoming traffic only (in). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked.
OperControlledDirections: A read-only field that indicates the current operational value for the traffic control direction for the port (see the preceding field description).
AuthControlledPortStatus: Displays the current EAPOL authorization status for the port: authorized or unauthorized.
AuthControlledPortControl: Specifies the EAPOL authorization status for the port:
  Force Authorized: The authorization status is always authorized.
  Force Unauthorized: The authorization status is always unauthorized.
  Auto: The authorization status depends on the EAP authentication results.
QuietPeriod: The current value of the time interval between any single EAPOL authentication failure and the start of a new EAPOL authentication attempt.
TransmitPeriod: Time to wait for a response from the supplicant for EAP Request/Identity packets.
SupplicantTimeout: Time to wait for a response from the supplicant for all EAP packets, except EAP Request/Identity.
ServerTimeout: Time to wait for a response from the RADIUS server for all EAP packets.
MaximumRequests: The number of times the switch attempts to resend EAP packets to a supplicant.

ReAuthenticationPeriod: Time interval between successive reauthentications. When the ReAuthenticationEnabled field (see the following field) is enabled, you can specify the time period between successive EAPOL authentications for the specified port.
ReAuthenticationEnabled: When enabled, the switch performs a reauthentication of the existing supplicants at the time interval specified in the ReAuthenticationPeriod field (see the preceding field description).
KeyTxEnabled: The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state of the switch. This always returns false, as key transmission is irrelevant.
LastEapolFrameVersion: The protocol version number carried in the most recently received EAPOL frame.
LastEapolFrameSource: The source MAC address carried in the most recently received EAPOL frame.

EAPOL Advance tab for ports
The EAPOL Advance tab lets you configure additional EAPOL-based security parameters for ports.
To view or edit the EAPOL Advance tab for ports, use the following procedure:

Step Action
1 Select the ports that you want to edit. For multiple ports, press Ctrl+left-click the ports that you want to edit. A yellow outline appears around the selected ports.
2 Do one of the following:
  From the shortcut menu, choose Edit.
  From the Device Manager main menu, choose Edit > Port.
  On the toolbar, click Edit.
  The Port dialog box appears with the Interface tab displayed.
3 Click the EAPOL Advance tab. The EAPOL Advance tab for a port appears.

Figure 25 EAPOL Advance tab for a port
End

The following table describes the EAPOL Advance tab fields for a port.

Table 60 EAPOL Advance tab fields for a port
GuestVlanEnabled: Enables and disables Guest VLAN on the port.
GuestVlanId: Specifies the ID of a Guest VLAN that the port is able to access while unauthorized. This value overrides the Guest VLAN ID value set for the switch in the EAPOL tab. Specify zero when the switch global Guest VLAN ID is to be used for this port.

EAPOL Stats tab for graphing ports
The EAPOL Stats tab displays EAPOL statistics.
To open the EAPOL Stats tab for graphing, use the following procedure:

Step Action
1 Select the port or ports you want to graph. To select multiple ports, press Ctrl+left-click the ports that you want to configure. A yellow outline appears around the selected ports.
2 Do one of the following:
  From the Device Manager main menu, choose Graph > Port.
  From the shortcut menu, choose Graph.
  On the toolbar, click Graph.

  The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed.
3 Click the EAPOL Stats tab. The EAPOL Stats tab for graphing multiple ports appears. The following figure displays the Graph Port dialog box EAPOL Stats tab.
Figure 26 Graph Port dialog box EAPOL Stats tab
End

EAPOL Stats tab fields
The following table describes the EAPOL Stats tab fields.

Table 61 EAPOL Stats tab fields
EapolFramesRx: The number of valid EAPOL frames of any type that are received by this authenticator.
EapolFramesTx: The number of EAPOL frames of any type that are transmitted by this authenticator.
EapolStartFramesRx: The number of EAPOL Start frames that are received by this authenticator.
EapolLogoffFramesRx: The number of EAPOL Logoff frames that are received by this authenticator.
EapolRespIdFramesRx: The number of EAPOL Resp/Id frames that are received by this authenticator.

EapolRespFramesRx: The number of valid EAP Response frames (other than Resp/Id frames) that are received by this authenticator.
EapolReqIdFramesTx: The number of EAPOL Req/Id frames that are transmitted by this authenticator.
EapolReqFramesTx: The number of EAP Request frames (other than Req/Id frames) that are transmitted by this authenticator.
InvalidEapolFramesRx: The number of EAPOL frames that are received by this authenticator in which the frame type is not recognized.
EapLengthErrorFramesRx: The number of EAPOL frames that are received by this authenticator in which the packet body length field is not valid.

EAPOL Diag tab for graphing ports
The EAPOL Diag tab displays EAPOL diagnostic statistics.
To open the EAPOL Diag tab for graphing, use the following procedure:

Step Action
1 Select the port or ports you want to graph. To select multiple ports, press Ctrl+left-click the ports that you want to configure. A yellow outline appears around the selected ports.
2 Do one of the following:
  From the Device Manager main menu, choose Graph > Port.
  From the shortcut menu, choose Graph.
  On the toolbar, click Graph.
  The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed.
3 Click the EAPOL Diag tab. The EAPOL Diag tab for graphing multiple ports appears. The following figure displays the Graph Port dialog box EAPOL Diag tab.
End

Figure 27 Graph Port dialog box EAPOL Diag tab

EAPOL Diag fields
The following table describes the EAPOL Diag tab fields.

Table 62 EAPOL Diag tab fields
EntersConnecting: Counts the number of times that the state machine transitions to the connecting state from any other state.
EapLogoffsWhileConnecting: Counts the number of times that the state machine transitions from connecting to disconnecting as a result of receiving an EAPOL-Logoff message.
EntersAuthenticating: Counts the number of times that the state machine transitions from connecting to authenticating, as a result of an EAP-Response/Identity message being received from the Supplicant.
AuthSuccessWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to authenticated, as a result of the Backend Authentication state machine indicating a successful authentication of the Supplicant.
AuthTimeoutsWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to aborting, as a result of the Backend Authentication state machine indicating an authentication timeout.

AuthFailWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to held, as a result of the Backend Authentication state machine indicating an authentication failure.
AuthReauthsWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to aborting, as a result of a reauthentication request.
AuthEapStartsWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Start message being received from the Supplicant.
AuthEapLogoffWhileAuthenticating: Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Logoff message being received from the Supplicant.
AuthReauthsWhileAuthenticated: Counts the number of times that the state machine transitions from authenticated to connecting, as a result of a reauthentication request.
AuthEapStartsWhileAuthenticated: Counts the number of times that the state machine transitions from authenticated to connecting, as a result of an EAPOL-Start message being received from the Supplicant.
AuthEapLogoffWhileAuthenticated: Counts the number of times that the state machine transitions from authenticated to disconnected, as a result of an EAPOL-Logoff message being received from the Supplicant.
BackendResponses: Counts the number of times that the state machine sends an initial Access-Request packet to the Authentication Server. Indicates that the Authenticator attempted communication with the Authentication Server.
BackendAccessChallenges: Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication Server. Indicates that the Authentication Server has communication with the Authenticator.

BackendOtherRequestsToSupplicant: Counts the number of times that the state machine sends an EAP-Request packet, other than an Identity, Notification, Failure or Success message, to the Supplicant. Indicates that the Authenticator chose an EAP method.
BackendNonNakResponsesFromSupplicant: Counts the number of times that the state machine receives a response from the Supplicant to an initial EAP-Request, and the response is something other than EAP-NAK. Indicates that the Supplicant can respond to the EAP method that the Authenticator chose.
BackendAuthSuccesses: Counts the number of times that the state machine receives an EAP-Success message from the Authentication Server. Indicates that the Supplicant has successfully authenticated to the Authentication Server.
BackendAuthFails: Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.

Configuring SNMP
This section contains the following topics:
"SNMP tab" (page 107)
"Trap Receivers tab" (page 108)
"Graphing SNMP statistics" (page 110)

SNMP tab
The SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch.
To open the SNMP tab, use the following procedure:

Step Action
1 Select the chassis.
2 Choose Edit > Chassis. The Chassis dialog box appears with the System tab displayed.
3 Click the SNMP tab.

  The SNMP tab appears.
End
Figure 28 Chassis dialog box SNMP tab

The following table describes the SNMP tab fields.

Table 63 SNMP tab fields
LastUnauthenticatedIpAddress: The last IP address that is not authenticated by the device.
LastUnauthenticatedCommunityString: The last community string that is not authenticated by the device.
TrpRcvrMaxEnt: The maximum number of trap receiver entries.
TrpRcvrCurEnt: The current number of trap receiver entries.
TrpRcvrNext: The next trap receiver entry to be created.

Trap Receivers tab
The Trap Receivers tab lists the devices that receive SNMP traps from the Ethernet Routing Switch 2500 Series.
To open the Trap Receivers tab, use the following procedure:

Step Action
1 Select the chassis.
2 Choose Edit > Chassis. The Chassis dialog box appears with the System tab displayed.

3 Click the Trap Receivers tab. The Trap Receivers tab appears.
End
Figure 29 Chassis dialog box

The following table describes the Trap Receivers tab fields.

Table 64 Chassis dialog box Trap Receivers tab fields
Indx: An index of the trap receiver entry. Trap receivers are numbered from one to four. Each trap receiver has an associated community string (see the following Community field description in this table).
NetAddr: The address (or DNS hostname) for the trap receiver.
Community: Community string used for trap messages to this trap receiver.

Adding a Trap Receiver
To edit the network traps table, use the following procedure:

Step Action
1 In the Trap Receivers tab, click Insert. The Chassis, Insert Trap Receivers dialog box appears. The following figure displays the Chassis, Insert Trap Receivers dialog box.

Figure 30 Chassis, Insert Trap Receivers dialog box
2 Type the Index, NetAddr, and Community information.
3 Click Insert.
End

Graphing SNMP statistics
In the Graph Chassis dialog box, the SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch.
To open the SNMP tab, use the following procedure:

Step Action
1 Select the chassis.
2 Choose Graph > Chassis. The Graph Chassis dialog box appears with the SNMP tab displayed.
3 Click the SNMP tab.
End

Figure 31 Graph Chassis dialog box SNMP tab

The following table describes the SNMP tab fields.

Table 65 SNMP tab fields
InPkts: The total number of messages delivered to the SNMP protocol from the transport service.
OutPkts: The total number of SNMP messages passed from the SNMP protocol to the transport service.
InTotalReqVars: The total number of MIB objects retrieved successfully by the SNMP protocol as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
InTotalSetVars: The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set-Request PDUs.
InGetRequests: The total number of SNMP Get-Request PDUs that are accepted and processed by the SNMP protocol.
InGetNexts: The total number of SNMP Get-Next PDUs that are accepted and processed by the SNMP protocol.
InSetRequests: The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol.
InGetResponses: The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.

OutTraps: The total number of SNMP Trap PDUs generated by the SNMP protocol.
OutTooBigs: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is toobig.
OutNoSuchNames: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is nosuchname.
OutBadValues: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is badvalue.
OutGenErrs: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is generr.
InBadVersions: The total number of SNMP messages delivered to the SNMP protocol for an unsupported SNMP version.
InBadCommunityNames: The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name.
InBadCommunityUses: The total number of SNMP messages delivered to the SNMP protocol that represented an SNMP operation not allowed by the SNMP community named in the message.
InASNParseErrs: The total number of ASN.1 or BER errors encountered by the SNMP protocol when decoding received SNMP messages.
InTooBigs: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is toobig.
InNoSuchNames: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is nosuchname.
InBadValues: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badvalue.

InReadOnlys: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is readonly. It is a protocol error to generate an SNMP PDU containing the value readonly in the error-status field. This object is provided to detect incorrect implementations of SNMP.
InGenErrs: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is generr.

Working with SNMPv3
Simple Network Management Protocol (SNMP) provides a mechanism to remotely configure and manage a network device. An SNMP agent is a software process that listens on UDP port 161 for SNMP messages, and sends trap messages using the destination UDP port 162.
SNMPv3 is based on the architecture of SNMPv1 and SNMPv2c. It supports better authentication and data encryption than SNMPv1 and SNMPv2c. SNMPv3 provides protection against the following security threats:
  modification of SNMP messages by a third party
  impersonation of an authorized SNMP user by an unauthorized person
  disclosure of network management information to unauthorized parties
  delayed SNMP message replays or message redirection attacks
The configuration parameters introduced in SNMPv3 make it more secure and flexible than the other versions of SNMP. For more information on the SNMPv3 architecture, see RFC 3411.
This chapter describes the following concepts associated with SNMPv3:
"Initial Login with an SNMPv3 User" (page 114)
"User-based Security Model" (page 114)
"View-based Access Control Model" (page 118)
"Creating a community" (page 125)
"Management Targets" (page 127)
"The Notify Table" (page 131)

Initial Login with an SNMPv3 User
In order to configure SNMPv3 with Device Manager, you must first log on and create an SNMPv3 user through the CLI or Web interface. If you specify only read and write community strings at the time you log on, you do not have sufficient rights to view or change the SNMPv3 settings of the switch.
CAUTION
By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.
For more information on how to configure an initial SNMPv3 user by using Web-based management, see "Setting SNMP parameters" (page 51), and by using the CLI, see "Configuring SNMPv3" (page 156).
To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user, use the following procedure:

Step Action
1 On the Device Manager menu bar, select Device > Open.
2 In the Device Name field, enter the DNS name or the IP address of the switch.
3 Select the v3 Enabled checkbox (the default Read and Write community strings are grayed out when SNMPv3 is enabled).
4 Enter the log on name of the SNMPv3 user.
5 From the Authentication Protocol pull-down list, select MD5, SHA, or None.
6 If the user is configured to use an authentication protocol, enter the authentication password in the Authentication Password field.
7 If the user is configured to use a privacy protocol, choose the appropriate protocol from the Privacy Protocol field (DES or AES).
8 In the Privacy Password field, enter the privacy password.
End

User-based Security Model
The User-based Security Model (USM) provides a mechanism to authenticate and encrypt SNMPv3 messages.

A message, if configured, is authenticated with the help of a one-way hash function that is associated with an individual user ID. In the Ethernet Routing Switch 2500 Series, a user can be configured to use the HMAC-MD5-96 or the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages. An SNMPv3 message, if configured, is encrypted with the help of the Cipher Block Chaining - Data Encryption Standard (CBC-DES).
An SNMPv3 user can be configured in three ways. The following table describes the ways in which an SNMPv3 user can be configured.

Table 66 SNMPv3 user configuration method
NoAuthNoPriv: The user cannot use an authentication or an encryption mechanism.
AuthNoPriv: The user can use an authentication but not an encryption mechanism.
AuthPriv: The user can use an authentication as well as an encryption mechanism.
For more information on USM, see RFC 3414.

Configuring the User-based Security Model
To create a user in the USM table, use the following procedure:

Step Action
1 From the Device Manager menu bar, choose Edit > SnmpV3 > USM Table. The USM dialog box appears. The following figure displays the USM dialog box.
Figure 32 USM dialog box
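To make the authentication half of USM concrete, the following added Python example (not Nortel's code and not from the switch) derives a user's localized key from a password and an engine ID as RFC 3414 describes, then computes and verifies the 12-octet HMAC-MD5-96 / HMAC-SHA-96 authentication parameter. The message bytes are constructed for illustration; the password "maplesyrup" and the 12-octet engine ID are the RFC 3414 Appendix A test-vector inputs, and the CBC-DES privacy step is not covered.

```python
"""SNMPv3 USM authentication: password-to-key, key localization and HMAC-96.

Added example; not Nortel's code. The message bytes are constructed for
illustration. Password and engine ID follow RFC 3414 Appendix A.3.
"""
import hashlib
import hmac

PASSWORD_STRETCH = 1048576  # RFC 3414 A.2: the password is repeated to 1 MiB
AUTH_PARAM_LEN = 12         # HMAC-MD5-96 / HMAC-SHA-96 keep 96 bits (12 octets)


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated up to 1,048,576 octets) (RFC 3414 A.2).

    The repetition is deliberate: each offline guess of a short password
    costs a 1 MiB hash rather than a single digest.
    """
    repeats = PASSWORD_STRETCH // len(password) + 1
    stretched = (password * repeats)[:PASSWORD_STRETCH]
    return hashlib.new(algorithm, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6).

    The same password yields a different key on every engine, so a key
    recovered from one switch does not authenticate the user elsewhere.
    """
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def sign_message(kul: bytes, msg: bytes, auth_offset: int, algorithm: str) -> bytes:
    """Fill msgAuthenticationParameters with HMAC-96 over the message.

    The sender computes the HMAC with the 12-octet field set to zeros, then
    writes the truncated MAC into that field (RFC 3414 6.3.1 / 7.3.1).
    """
    field = msg[auth_offset:auth_offset + AUTH_PARAM_LEN]
    if field != bytes(AUTH_PARAM_LEN):
        raise ValueError("authentication field must be zeroed before signing")
    mac = hmac.new(kul, msg, algorithm).digest()[:AUTH_PARAM_LEN]
    return msg[:auth_offset] + mac + msg[auth_offset + AUTH_PARAM_LEN:]


def verify_message(kul: bytes, msg: bytes, auth_offset: int, algorithm: str) -> bool:
    """Receiver side: zero the field, recompute HMAC-96, compare in constant time."""
    received = msg[auth_offset:auth_offset + AUTH_PARAM_LEN]
    if len(received) != AUTH_PARAM_LEN:
        return False
    zeroed = msg[:auth_offset] + bytes(AUTH_PARAM_LEN) + msg[auth_offset + AUTH_PARAM_LEN:]
    expected = hmac.new(kul, zeroed, algorithm).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(expected, received)


# Constructed stand-in for an SNMPv3 message: header, zeroed auth field, scoped PDU.
SAMPLE_HEADER = b"<constructed msgGlobalData + usm security parameters>"
SAMPLE_PDU = b"<constructed scopedPDU: GetRequest sysDescr.0>"
AUTH_OFFSET = len(SAMPLE_HEADER)
SAMPLE_TEMPLATE = SAMPLE_HEADER + bytes(AUTH_PARAM_LEN) + SAMPLE_PDU

# RFC 3414 Appendix A.3 test-vector inputs.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"


def demo() -> dict:
    """Walk through the AuthNoPriv flow for one user on two engines."""
    ku = password_to_key(RFC_PASSWORD, "md5")
    kul_a = localize_key(ku, RFC_ENGINE_ID, "md5")
    # Second engine ID is constructed; it differs from the RFC vector in the last octet.
    kul_b = localize_key(ku, bytes.fromhex("000000000000000000000003"), "md5")
    signed = sign_message(kul_a, SAMPLE_TEMPLATE, AUTH_OFFSET, "md5")
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one bit of the PDU
    return {
        "ku_md5": ku.hex(),
        "kul_engine_a": kul_a.hex(),
        "keys_differ_per_engine": kul_a != kul_b,
        "genuine_verifies": verify_message(kul_a, signed, AUTH_OFFSET, "md5"),
        "tampered_verifies": verify_message(kul_a, tampered, AUTH_OFFSET, "md5"),
        "other_engine_verifies": verify_message(kul_b, signed, AUTH_OFFSET, "md5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```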

USM tab fields
The following table describes the USM tab fields.

Table 67 USM dialog box fields
EngineID: Indicates the administratively unique identifier of the SNMP engine.
Name: Indicates the name of the user in usmUser.
SecurityName: Creates the name that is used as an index to the table. The range is 1 to 32 characters.
AuthProtocol: Identifies the authentication protocol used.
PrivProtocol: Identifies the privacy protocol used.
StorageType: Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert. The USM, Insert USM Table dialog box appears. The following figure displays the USM, Insert USM Table dialog box.
Figure 33 USM, Insert USM Table dialog box
3 Enter a name.
4 In the Clone From User list, select a security name from which the new entry will copy authentication data and privacy data. For

example, Authentication Protocol, Authentication password, Privacy Protocol, and Privacy password.
Note: The Clone From User you select defines the maximum authentication and privacy settings for a new user. For example, if the Clone From User does not use an authentication or encryption protocol, users created from this clone cannot use the authentication or the encryption protocol. For this reason, it is recommended that you assign both an authentication and encryption protocol to the first user you create through the CLI or Web interface.
5 From the Auth Protocol pull-down list, select an authentication protocol for this user. If you select an authentication protocol, enter an old and new authentication password in the next two fields.
6 In the Cloned User's Auth Password field, enter the authentication password of the Cloned From User.
7 In the New User's Auth Password field, enter a new authentication password for this user.
8 Select a privacy protocol. If you choose to specify a privacy protocol, enter an old and new privacy password in the next two fields. This is optional but recommended.
9 Enter the Cloned User's Priv Password.
10 Enter a new privacy password for this user.
11 Click Insert. The USM table appears and the new entry is shown.
End

The following table describes the USM, Insert USM Table dialog box fields.

Table 68 USM, Insert USM Table dialog box fields
New User Name: Creates the new entry with this security name. The name is used as an index to the table. The range is 1 to 32 characters.
Clone From User: Specifies the security name from which the new entry must copy privacy and authentication parameters. The range is 1 to 32 characters.

Auth Protocol: Assigns an authentication protocol (or no authentication) from a shortcut menu. If you select this protocol, enter an old AuthPass and a new AuthPass.
Cloned User's Auth Password: Specifies the current authentication password.
New User's Auth Password: Specifies the new authentication password to use for this user.
Priv Protocol (Optional): Assigns a privacy protocol (or no privacy) from a menu.
Cloned User's Priv Password: Specifies the current privacy password.
New User's Priv Password: Specifies the new privacy password to use for this user entry.
Storage Type: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

View-based Access Control Model
The View-based Access Control Model (VACM) is used to map a user to a set of access rights and MIB views. This mapping is done with the help of three tables. The following table describes the tables that help map a user to access rights and MIB views.

Table 69 View-based access control mapping
Group Membership table: Defines a set of users that can be referenced by a single group name.
Group Access Right table: Associates a group with Read, Write, and Notify views.
MIB View table: Defines a set of MIB subtrees or objects.
For more detailed information on VACM, see RFC 3415.

Defining Group Membership with VACM
To add members to a group in the View-based Access Control Model (VACM) table, use the following procedure:

Step Action
1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table. The VACM dialog box appears with the Group Membership tab options visible. The following figure displays the VACM dialog, Group Membership tab.
Figure 34 VACM dialog, Group Membership tab

VACM dialog tab fields
The following table describes the Group Membership tab fields.

Table 70 Group Membership tab fields
SecurityModel: The security model for the entry.
SecurityName: The name of an entry in the USM table or the Community Table.
GroupName: The name of the group to which this entry belongs. When multiple entries in this table have the same GroupName, they all belong to the same group.
StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert. The VACM, Insert Group Membership dialog box appears. The following figure displays the VACM, Insert Group Membership dialog box.
3 Select a SecurityModel.
4 Enter a SecurityName.
5 Enter a GroupName.
6 Click Insert. The VACM dialog box appears. The new group membership is shown in the list.
End

Assigning Group Access Rights with VACM
To assign new access rights to a group, use the following procedure:

Step Action
1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table. The VACM dialog box appears (Figure 34 "VACM dialog, Group Membership tab" (page 119)).
2 Click the Group Access Right tab. The Group Access Right tab appears. The following figure displays the Group Access Right tab.
Figure 35 Group Access Right tab

The following table describes the Group Access Right tab fields.

Table 71 VACM dialog box Group Access Right tab fields
vacmGroupName: A GroupName from the Group Membership table.
ContextPrefix: The context prefix for this entry. By default, the field is empty. This is an optional field.
SecurityModel: The security model assigned to users in the Group Membership table. Options are SNMPv1, SNMPv2c, or USM.
SecurityLevel: The security level assigned to users in the Group Membership table. Options are noauthnopriv, authnopriv, or authpriv.
ContextMatch: Specifies whether to use an exact match or the context prefix for assigning the rights defined in this row to a user. The default is exact. This is an optional field.
ReadViewName: The name of the MIB view to which the user is assigned read access.
WriteViewName: The name of the MIB view to which the user is assigned write access.
NotifyViewName: The name of the MIB view from which the user receives notifications.
StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

3 Click Insert. The VACM, Insert Group Access Right dialog box appears. The following figure displays the VACM, Insert Group Access Right dialog box.

Figure 36 VACM, Insert Group Access Right dialog box
4 Enter the name of a group.
5 Enter the context prefix.
6 Select the security model.
7 Select the security level.
8 Enter the name of a MIB view that enables a user to read the MIB subtrees and objects.
9 Enter the name of a MIB view that enables a user to write to the MIB subtrees and objects.
10 Enter the name of a MIB view from which a user can receive traps or inform messages.
11 Click Insert. The VACM window reappears, and the new Group Access Right entry is shown in the table.
End

Defining a MIB view
To assign MIB view access for an object, use the following procedure:

Step Action
1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table.

The VACM dialog box appears (Figure 34 "VACM dialog, Group Membership tab" (page 119)).
2. Select the MIB View tab. The MIB View tab appears.

Figure 37: MIB View tab

MIB View tab fields

The following table describes the MIB View tab fields.

Table 72: VACM dialog box, MIB View tab fields

ViewName: Creates a new entry with this group name. The range is 1 to 32 characters.
Subtree: Refers to any valid object identifier that defines the set of MIB objects accessible by this SNMP entity, for example, org, iso8802, or an OID string.

Mask (Optional): Specifies that a bit mask be used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.
Type: Determines whether access to a MIB object is granted (Included) or denied (Excluded). The default is Included.
StorageType: Specifies whether this table entry (row) is stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

3. Click Insert. The VACM, Insert MIB View dialog box appears.

Figure 38: VACM, Insert MIB View dialog box

4. Enter a ViewName.
5. Enter a MIB Subtree name, for example, org, iso8802, or a dotted-decimal OID string.
6. Enter a Mask to specify wild cards in the OID string. The default is to leave this field blank, which is the same as specifying a mask of all ones (exact match).
7. Select whether to include or exclude this MIB subtree from the collection of all MIB objects with this same ViewName.
8. Click Insert. The assigned MIB view appears in the list.

End

Creating a community

A community table contains objects for mapping between community strings and the security name created in VACM Group Member. To create a community, use the following procedure:

1. From the Device Manager menu bar, choose Edit > SnmpV3 > Community Table. The Community Table dialog box appears.

Figure 39: Community Table dialog box

2. Click Insert. The Community Table, Insert Community Table dialog box appears.

Figure 40: Community Table, Insert Community Table dialog box

3. Enter an Index.

4. Enter a Name that is a community string.
5. Enter a SecurityName.
6. Click Insert. The new community is shown in the list.

End

Community Table dialog box fields

The following table describes the Community Table dialog box fields.

Table 73: Community Table dialog box fields

Index: The unique index value of a row in this table. The SnmpAdminString range is 1 to 32 characters.
Name: The community string for which a row in this table represents a configuration.
SecurityName: The security name assigned to this entry in the Community table. The range is 1 to 32 characters.
ContextEngineID: The contextEngineID that indicates the location of the context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. The default value is the snmpEngineID of the entity in which this object is instantiated.
ContextName: The context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName.
TransportTag: This object specifies a set of transport endpoints that are associated with a community string. The community string is only valid when found in an SNMPv1 or SNMPv2c message received from one of these transport endpoints, or when used in an SNMPv1 or SNMPv2c message that is sent to one of these transport endpoints.
StorageType: The storage type for this conceptual row in the snmpCommunityTable. Conceptual rows that have the value permanent do not allow write access to any columnar object in the row.
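The access decision that the Group Access Right, MIB View and Community Table entries above combine into, as an added Python example (not code from this document or from Device Manager); the blank-mask and longest-match rules are taken from RFC 3415, and every community string, user, group and view name below is constructed for the example:

```python
"""Added example, not code from the Nortel document or Device Manager.
Models the SNMPv3 VACM lookup that this chapter's tables populate:
Community Table (community string -> SecurityName), Group Membership
((SecurityModel, SecurityName) -> GroupName), Group Access Right (group,
model, level -> read/write/notify view) and MIB View (rows of Subtree,
Mask, Included/Excluded). Mask semantics follow RFC 3415: a blank Mask
is all ones (exact match), a zero bit makes that position a wildcard."""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
OP_COLUMN = {"read": 3, "write": 4, "notify": 5}


def parse_oid(oid):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(x) for x in oid.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One flag per subtree sub-identifier from a hex Mask such as 'FF:A0'.
    Blank mask = all ones; bits past the end of the mask also count as ones."""
    bits = []
    for byte in bytes.fromhex(mask_hex.replace(":", "")):
        bits.extend(((byte >> (7 - i)) & 1) == 1 for i in range(8))
    bits.extend([True] * (length - len(bits)))
    return bits[:length]


@dataclass
class ViewRow:
    subtree: str
    mask: str = ""
    included: bool = True


def row_matches(row, oid):
    """The OID is under the subtree when every masked-in position agrees."""
    sub = parse_oid(row.subtree)
    if len(oid) < len(sub):
        return False
    return all(not b or s == o
               for b, s, o in zip(mask_bits(row.mask, len(sub)), sub, oid))


def oid_in_view(rows, oid):
    """RFC 3415 rule: of the matching rows take the longest subtree (ties:
    lexicographically greatest mask); grant only if that row is Included."""
    best = None
    for row in rows:
        if row_matches(row, oid):
            n = len(parse_oid(row.subtree))
            key = (n, mask_bits(row.mask, n))
            if best is None or key > best[0]:
                best = (key, row)
    return best is not None and best[1].included


@dataclass
class Vacm:
    communities: dict   # community string -> SecurityName
    groups: dict        # (SecurityModel, SecurityName) -> GroupName
    access: list        # (Group, Model, Level, ReadView, WriteView, NotifyView)
    views: dict         # ViewName -> [ViewRow]

    def check(self, model, security_name, level, op, oid):
        """True if op ('read', 'write', 'notify') on oid is allowed."""
        group = self.groups.get((model, security_name))
        if group is None:
            return False
        # Rows whose required level is at or below the message level apply;
        # the one with the highest required level wins (RFC 3415 3.2, step 4).
        rows = [r for r in self.access if r[0] == group and r[1] == model
                and LEVELS[r[2]] <= LEVELS[level]]
        if not rows:
            return False
        view = max(rows, key=lambda r: LEVELS[r[2]])[OP_COLUMN[op]]
        return bool(view) and oid_in_view(self.views.get(view, []), parse_oid(oid))

    def check_community(self, community, op, oid):
        """SNMPv2c path: community string -> SecurityName, then the same
        group and view lookup at noAuthNoPriv."""
        name = self.communities.get(community)
        return name is not None and self.check("SNMPv2c", name, "noAuthNoPriv", op, oid)


# Constructed sample configuration; every name here is made up for the example.
SAMPLE = Vacm(
    communities={"public": "ro-user"},
    groups={("SNMPv2c", "ro-user"): "ReadGroup", ("USM", "netops"): "OpsGroup"},
    access=[
        ("ReadGroup", "SNMPv2c", "noAuthNoPriv", "sysView", "", ""),
        ("OpsGroup", "USM", "authNoPriv", "allView", "", ""),
        ("OpsGroup", "USM", "authPriv", "allView", "allView", "allView"),
    ],
    views={
        # system group only, exact-match subtree with a blank Mask
        "sysView": [ViewRow("1.3.6.1.2.1.1")],
        # all of internet except SNMP-COMMUNITY-MIB (1.3.6.1.6.3.18), and of
        # the interfaces table only row 7: Mask FF:A0 wildcards the column id
        "allView": [ViewRow("1.3.6.1"),
                    ViewRow("1.3.6.1.6.3.18", included=False),
                    ViewRow("1.3.6.1.2.1.2.2.1", included=False),
                    ViewRow("1.3.6.1.2.1.2.2.1.0.7", mask="FF:A0")],
    },
)
```

Note that "public" reaches only the system group and can never write, while the USM user gets write access only once the message arrives at authPriv, which is exactly the effect of the three Group Access Right rows.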

Management Targets

The concept of the SNMPv3 management target is similar to trap receivers in SNMPv1 and SNMPv2c. Management targets are defined with the help of three tables.

Management Target Tables

The following table describes the tables that help to define the management targets.

Table 74: Management target tables

Target Address table: Lists the IP address and destination UDP port number of stations that receive trap or inform messages.
Target Parameters table: Specifies how to format and process an outgoing message that is sent to an associated target address.
Notify table: Specifies the type of message to send to a management target: trap or inform.

Creating a Management Target Address

To create an entry in the Management Target Address table, use the following procedure:

1. From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table. The Target Table dialog box appears, with the Target Address Table tab displayed.

Figure 41: Target Table dialog box, Target Address Table tab

Target Address Table fields

The following table describes the Target Address Table fields.

Table 75: Target Address Table fields

Name: Specifies the name for this target table entry.
TDomain: Specifies the domain of the management target. The default is snmpUDPDomain.
TAddress: Specifies the IP address and destination UDP port for this management target, for example, :162.
Timeout: Specifies the length of time to wait, in 1/100ths of a second, for an acknowledgement from this management target before declaring the message timed out. The default is 1500 milliseconds.
RetryCount: Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.
Taglist: Refers to zero or more Notify tags that are used to link this entry with entries in the Notify table. By default, you can enter either trap or inform without having to create new entries in the Notification table.
Params: Specifies the entry in the Target Parameter table that is associated with this Management Target Address.
StorageType: Specifies whether this table entry (row) is stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2. Click Insert. The Target Table, Insert Target Address Table dialog box appears.

Figure 42: Target Table, Insert Target Address Table dialog box

3. Enter a Name.
4. Enter a TDomain name.
5. Enter the IP address and UDP port number for this management target, for example, :162.
6. Accept or modify the default values in the TimeOut and RetryCount fields.
7. In the Taglist field, enter the name of the tags (trap or inform), separated by a comma if more than one tag is entered. For more details, see Table 77 "Notify Table dialog box fields" (page 132).
8. In the Params field, enter the name of an entry in the Target Param table.
9. Click Insert. The new Target address is shown in the list.

End

Creating Target Parameters

To create a target parameter, use the following procedure:

1. From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table. The Target Table dialog box appears, with the Target Address Table displayed (Figure 41 "Target Table dialog box, Target Address Table tab" (page 127)).

2. Select the Target Params Table tab. The Target Params Table tab appears.

Figure 43: Target Params Table tab

3. Click Insert. The Target Table, Insert Target Params Table dialog box appears.

Figure 44: Target Table, Insert Target Params Table dialog box

4. Enter a Name for this set of parameters.
5. Select the MPModel.
6. Select the SecurityModel.
7. Enter a SecurityName.
8. Specify a SecurityLevel value.
9. Enter the StorageType.
10. Click Insert. The new target parameter is shown in the list.

End

Target Params Table tab fields

The following table describes the Target Params Table dialog box fields.

Table 76: Target Params Table tab fields

Name: Specifies the name of the target parameters table.
MPModel: Specifies the Message Processing model: SNMPv1, SNMPv2c, or SNMPv3/USM.
SecurityModel: Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM.
SecurityName: Specifies the security name for generating SNMP messages.
SecurityLevel: Specifies the security level for SNMP messages: noAuthNoPriv, authNoPriv, or authPriv.
StorageType: Specifies whether this table entry (row) is stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

The Notify Table

The Notify Table contains default entries for a trap notification type and an inform notification type. To create a Notify Table entry, use the following procedure:

1. From the Device Manager menu bar, choose Edit > SnmpV3 > Notify. The Notify Table dialog box appears (Figure 45 "Notify Table dialog box" (page 132)).

Notify Table dialog box fields

Figure 45: Notify Table dialog box

The following table describes the Notify Table dialog box fields.

Table 77: Notify Table dialog box fields

Name: A name or index value for this row in the table.
Tag: A single tag value that is used to associate this entry with an entry in the Target Address Table.
Type: This selection specifies the type of notification sent to a management target address. If the value is trap, sent messages contain SNMPv2-Trap PDUs. If the value is inform, messages contain Inform PDUs. Note: If an SNMP entity only supports trap (and not inform) messages, this object can be read-only.
StorageType: Specifies whether this table entry (row) is stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2. Click Insert. The Notify Table, Insert dialog box appears.

Figure 46: Notify Table, Insert dialog box

3. Enter a Name for this table row.
4. Enter a Tag name that connects this entry to one or more Target Address table entries.
5. Specify the Type of message Protocol Data Units (PDUs) to send to an associated Management Target Address: trap or inform.
6. Specify the StorageType.
7. Click Insert. The new notify entry is shown in the list.

End


Chapter 4 Configuring security using Web-based management

The options available to configure application settings are:

"Configuring system security" (page 135)
"Accessing the management interface" (page 139)
"Configuring MAC address-based security" (page 141)
"About SNMP" (page 154)
"Configuring SNMPv1" (page 154)
"Configuring SNMPv3" (page 156)

Configuring system security

This section describes the steps you use to build and manage security by using the Web-based management interface.

Note: When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more information, see "Setting the username and password" (page 29).

Setting console, Telnet, and Web passwords

Note: For information about modifying existing system usernames, see "Setting the username and password" (page 29).

To set Console, Telnet, and Web passwords, use the following procedure:

1. From the main menu, choose Administration > Security.

2. Choose Console, Telnet, Web, or RADIUS as required. The selected password page appears.
3. Click Submit.

Figure 47: Console password setting page

Note: The title of the page corresponds to the menu selection you choose. In the Console password setting page, the network administrator selected Administration > Security > Console.

The following table describes the items on the Console page.

Table 78: Console page fields

Note: Console, Telnet, and Web connections share the same switch password type and password.

Section: Console Switch Password Setting

Console Switch Password Type ((1) None, (2) Local Password, (3) RADIUS Authentication): Displays the switch password types. Note: The default is None.
Read-Only Switch Password (1 to 15 characters): Type the read-only password setting for the read-only access user.
Read-Write Switch Password (1 to 15 characters): Type the read-write password setting for the read-write access user.

Section: Console Stack Password Setting

Console Stack Password Type, Read-Only Stack Password, Read-Write Stack Password: These fields are not applicable in this release.

4. Choose the type of password. The following table describes the options available in the Console Switch Password Type list box.

Table 79: Password Types

None: Indicates that no password is required for this type of access.
Local Password: Sets a password for access through a direct network connection or a direct Console port connection.
RADIUS Authentication: Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page.

5. Type the password for read-only and read/write user access.
6. Click Submit to save the changes.

End

Configuring RADIUS dial-in access security

To configure remote dial-in access security parameters, use the following procedure:

1. From the main menu, choose Administration > Security > Radius. The Radius page appears.

Figure 48: Radius page

The following table describes the items on the RADIUS page.

Table 80: RADIUS page fields

Primary RADIUS Server (XXX.XXX.XXX.XXX): Type a Primary RADIUS server IP address in the appropriate format.
Secondary RADIUS Server (XXX.XXX.XXX.XXX): Type a Secondary RADIUS server IP address in the appropriate format.
UDP RADIUS Port (Integer): Type the UDP RADIUS port number.

RADIUS Timeout Period (1 to 60): Type the RADIUS timeout period.
RADIUS Shared Secret (1 to 16): Type a unique character string to create a secret password. Reenter the password to verify.

2. Type the IP addresses of the primary and secondary RADIUS (Remote Authentication Dial In User Service) servers.
3. Type the number of the User Datagram Protocol (UDP) port for the RADIUS server. The default value is
4. Type the number of seconds for the RADIUS timeout period. The range is 1 to 60 seconds.
5. Type a character string for the RADIUS Shared Secret. This parameter is a special switch security code that provides authentication to the RADIUS server. The value can be any contiguous ASCII string that contains at least one printable character, up to a maximum of 16.
6. Reenter the character string to confirm the RADIUS Shared Secret.
7. Click Submit.

End

Accessing the management interface

After switch passwords and RADIUS authentication settings are integrated into the Web-based management user interface, anyone who attempts to use the application is presented with a log on page. See Figure 49 "Web-based management interface log on page" (page 139).

Figure 49: Web-based management interface log on page

To log on to the Web-based management interface, use the following procedure:

1. In the Username text box, type a valid username (default values are RO [uppercase] for read-only access or RW [uppercase] for read/write access).
2. In the Password text box, type your password.
3. Click Log On. The System Information page appears.

Note: For information about modifying existing system usernames, see "Setting the username and password" (page 29).

Figure 50: System Information Page

End

With Web access enabled, the switch can support a maximum of four concurrent Web page users. Two predefined user levels are available, and each user level has a corresponding username and password.

Table 81 "User levels and access levels" (page 141) shows an example of the two predefined user levels available and their access level within the Web-based management user interface.

Table 81: User levels and access levels

User level   User name for each level   Password for each user level   Access level
Read-only    RO                         XXXXXXXX                       Read only
Read/write   RW                         XXXXXXXX                       Full read/write access

Configuring MAC address-based security

The MAC address-based security system lets you specify a range of system responses to unauthorized network access to your switch by using the Web-based management system. The system response can range from sending a trap to disabling the port. The network access control is based on the MAC Source Addresses (SAs) of the authorized stations.

You can specify a list of up to 448 MAC SAs that are authorized to access the switch. You can also specify the ports that each MAC SA is allowed to access. The options for allowed MAC SA port access include: NONE, ALL, and single or multiple ports that are specified in a list, for example, one to four, six, nine, and so on. You must also include the MAC SA of any router connected to any secure ports.

When the switch software detects an SA security violation, the response can be to send a trap, turn on Destination Address (DA) filtering for all SAs, disable the specific port, or any combination of these three options.

You can also configure the Ethernet Routing Switch 2500 Series to drop all packets that have a specified MAC Destination Address (DA). You can create a list of up to 10 MAC DAs that you want to filter. The packet with the specified MAC DA is dropped regardless of the ingress port, Source Address (SA) intrusion, or VLAN membership.

Note 1: Ensure that you do not enter the MAC address of the switch on which you are working.

Note 2: After configuring the switch for MAC address-based security, you must enable the ports you want by using the Port Configuration page.

Configuring MAC address-based security

You can use the Security Configuration page to enable or disable the MAC address security feature and specify the appropriate system responses to any unauthorized network access to your switch. To configure MAC address-based security by using the Web-based management system, use the following procedure:

1. From the main menu, choose Application > MAC Address Security > Security Configuration. The Security Configuration page appears.

Figure 51: Security Configuration page

The following table describes the items on the Security Configuration page.

Table 82: Security Configuration page items

Section: MAC Address Security Setting

MAC Address Security ((1) Enabled, (2) Disabled): Enables the MAC address security features. When this field is set to Enabled, the software checks the source MAC addresses of the packets that arrive on the secure ports against the MAC addresses listed in the MAC Address Security Table for allowed membership. If the software detects a source MAC address that is not an allowed member, the software registers a MAC intrusion event.
MAC Address Security SNMP-Locked ((1) Enabled, (2) Disabled): When this field is set to Enabled, the MAC address security screens cannot be modified by using SNMP.
Partition Port on Intrusion Detected ((1) Forever, (2) Enabled, (3) Disabled): Configures how the switch reacts to an intrusion event (see the MAC Address Security field):
  Disabled: The port remains enabled, even if an intrusion event is detected.
  Enabled: The port is disabled, then automatically reset to enabled after the time specified in the Partition Time field elapses.
  Forever: The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses. You must manually reenable the port.

Partition Time (1 to ...): Sets the time to partition a port on intrusion. Note: Use this field only if the Partition Port on Intrusion Detected field is set to Enabled.
DA Filtering on Intrusion Detected ((1) Enabled, (2) Disabled): When enabled, the switch isolates the intruding node by filtering (discarding) the packets sent to that MAC address.
Generate SNMP Trap on Intrusion ((1) Enabled, (2) Disabled): Enables generation of an SNMP trap to all registered SNMP trap addresses when an intrusion is detected.

Section: MAC Security Table

Clear by Ports, Action: Lets you clear specific ports from participation in the MAC address security features.
Clear by Ports, Port List (Blank): Displays the ports selected for clearing.
Learn by Ports, Action: Lets you identify ports that learn incoming MAC addresses. All source MAC addresses of any packets received on the specified ports are added to the MAC Security Table (a maximum of 448 MAC addresses are allowed).
Learn by Ports, Port List (Blank): Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses).
Learn by Ports, Current Learning Mode ((1) Enabled, (2) Disabled): Enables learning.

2. On the Security Configuration page, type the necessary information in the text boxes, or select from a list.
3. Click Submit.

End
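The intrusion handling described in the overview and in the Security Configuration page items, as an added Python model (not code from this document or from the switch firmware); the MAC addresses, port list names and verdict strings are constructed for the example:

```python
"""Added example, not code from the Nortel document or the switch firmware.
Models the MAC address-based security decisions this chapter describes: a
frame on a secure port is accepted only if its source MAC is in the
Security Table with an Allowed Source (port number or Port List name) that
covers the ingress port; otherwise the configured intrusion responses fire
(SNMP trap, DA filtering of the intruder, port partition for Partition Time
or forever). Frames to a MAC in the DA MAC Filtering table are dropped on
any port. The limits (448 secure MACs, 10 DA filters) are the chapter's."""
from dataclasses import dataclass, field

MAX_SECURE_MACS = 448
MAX_DA_FILTERS = 10


@dataclass
class SecurityConfig:
    """Security Configuration page settings (defaults chosen for the example)."""
    mac_security: bool = True
    partition_mode: str = "Enabled"    # Partition Port on Intrusion Detected
    partition_time: int = 60           # seconds; used only when mode is Enabled
    da_filter_on_intrusion: bool = True
    trap_on_intrusion: bool = True


@dataclass
class MacSecurity:
    cfg: SecurityConfig
    port_lists: dict                   # Port Lists page: name -> set of ports
    secure_ports: set                  # Port Configuration page: Security = Enabled
    table: dict = field(default_factory=dict)        # MAC -> Allowed Source
    da_filters: set = field(default_factory=set)     # DA MAC Filtering entries
    partitioned: dict = field(default_factory=dict)  # port -> release time, None = forever
    intruders: set = field(default_factory=set)      # MACs DA-filtered after an intrusion
    traps: list = field(default_factory=list)

    def add_secure_mac(self, mac, allowed_source):
        """Security Table entry; allowed_source is a port int or a Port List name."""
        if len(self.table) >= MAX_SECURE_MACS:
            raise ValueError("MAC Address Security Table is full (448 entries)")
        if isinstance(allowed_source, str) and allowed_source not in self.port_lists:
            raise ValueError("Allowed Source must name an existing Port List entry")
        self.table[mac.lower()] = allowed_source

    def add_da_filter(self, mac):
        if len(self.da_filters) >= MAX_DA_FILTERS:
            raise ValueError("DA MAC Filtering table is full (10 entries)")
        self.da_filters.add(mac.lower())

    def allowed_ports(self, mac):
        src = self.table.get(mac)
        if src is None:
            return set()
        return {src} if isinstance(src, int) else set(self.port_lists[src])

    def handle_frame(self, port, src_mac, dst_mac, now):
        """Decide what the switch does with one frame; returns a verdict string."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        # Static DA filters and DA filtering of intruders apply on every port.
        if dst_mac in self.da_filters:
            return "drop-da-filter"
        if dst_mac in self.intruders:
            return "drop-intruder-da"
        if not self.cfg.mac_security or port not in self.secure_ports:
            return "forward"
        # A partitioned port drops everything until its timer expires (or forever).
        if port in self.partitioned:
            release = self.partitioned[port]
            if release is None or now < release:
                return "drop-partitioned"
            del self.partitioned[port]
        if port in self.allowed_ports(src_mac):
            return "forward"
        return self._intrusion(port, src_mac, now)

    def _intrusion(self, port, src_mac, now):
        """Apply the configured responses to a MAC intrusion event."""
        if self.cfg.trap_on_intrusion:
            self.traps.append((port, src_mac))
        if self.cfg.da_filter_on_intrusion:
            self.intruders.add(src_mac)
        if self.cfg.partition_mode == "Forever":
            self.partitioned[port] = None
        elif self.cfg.partition_mode == "Enabled":
            self.partitioned[port] = now + self.cfg.partition_time
        return "intrusion"


def demo():
    """Constructed scenario: a router allowed on the uplink list, a host on port 3."""
    sw = MacSecurity(SecurityConfig(), port_lists={"uplink": {1, 2}},
                     secure_ports={1, 2, 3})
    sw.add_secure_mac("AA:BB:CC:DD:EE:01", "uplink")   # constructed router MAC
    sw.add_secure_mac("00:11:22:33:44:55", 3)          # constructed host MAC
    return [
        sw.handle_frame(3, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", now=0),   # forward
        sw.handle_frame(1, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", now=1),   # intrusion
        sw.handle_frame(1, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", now=10),  # drop-partitioned
        sw.handle_frame(1, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", now=70),  # forward again
        sw.handle_frame(2, "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", now=71),  # drop-intruder-da
    ]
```

The third and fourth verdicts show why Partition Time matters operationally: while port 1 is partitioned, the legitimate router behind it is also cut off until the timer expires.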

Configuring ports

You can use the Port Lists page to create port lists that can be used as allowed source port lists to be referenced in the Security Table page. You can create up to 32 port lists. To activate an entry or add or delete ports from a list, use the following procedure:

1. From the main menu, choose Application > MAC Address Security > Port Lists. The Port Lists page appears.

Figure 52: Port Lists page

The following table describes the items on the Port Lists page.

Table 83: Port Lists page items

Entry: These are the lists of ports.
Action: Lets you create a port list that you can use as an Allowed Source in the Security Table screen.
Port List: Displays which ports are associated with each list.

2. To add or delete ports in a list, click in the Action column in the row of the list that you want. The Port List View, Port List page appears.

Figure 53: Port List View, Port List page

  a. Click the ports you want to add to the selected list, or click All.
  b. To delete a port from a list, clear the box by clicking it.
  c. Click Submit.

3. From the main menu, choose Application > MAC Address Security > Security Configuration. The Security Configuration page appears.
4. In the MAC Security Table section, click in the Action column of the Learn By Ports row. The Port List View, Learn by Ports page appears.

Figure 54: Port List View, Learn by Ports page

  a. Click the ports through which you want the switch to learn MAC addresses, or click All.
  b. If you want a port to no longer learn MAC addresses, click the checked box to clear it.
  c. Click Submit.

5. In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row.
6. Click Submit.

Note: You cannot include any of the port values that you choose for the secure ports field.

End

Adding MAC addresses

You can use the Security Table page to specify the ports that each MAC address is allowed to access. (You must also include the MAC addresses of any routers that are connected to any secure ports.) To add MAC addresses to the MAC address security table, use the following procedure:

1. In the main menu, choose Applications > MAC Address Security > Security Table. It can take a few moments for the required addresses to be learned. Then the Security Table page appears.

Figure 55: Security Table page

Note: By using this page, you instruct the switch to allow the specified MAC address access only through the specified port or port list.

The following table describes the items on the Security Table page.

Table 84: Security Table page items

Section: MAC Address Security Table

Action: Lets you delete a MAC address.
MAC Address: Displays the MAC address.
Allowed Source: Displays the entry through which the MAC address is allowed.

Section: MAC Address Security Table Entry Creation

MAC Address: Lets you specify up to 448 MAC addresses that are authorized to access the switch. You can specify the ports that each MAC address is allowed to access by using the Allowed Source field (see the next item description). The specified MAC address does not take effect until the Allowed Source field is set to some value (a single port number or a port list value that you previously configured in the Port Lists screen).

Allowed Source (Port or Entry): Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source field include a single port number or a port list value that you have previously configured in the Port Lists screen.

2. Complete the fields as described in the table.

Note: If you choose an Entry as the Allowed Source, you must have configured that specific entry on the Port List View, Port List page.

3. On the Security Table page, type the required information in the text boxes or select from a list.
4. Click Submit.

Note: Include the MAC address for the default LAN router as an allowed source MAC address.

End

Clearing ports

You can clear all information from the specified port(s) in the list of ports that learn MAC addresses. If Learn by Ports is enabled, the specified ports begin to learn the MAC addresses. To clear information from selected ports, use the following procedure:

1. From the main menu, choose Application > MAC Address Security > Security Configuration. The Security Configuration page appears (Figure 51 "Security Configuration page" (page 142)).
2. In the MAC Security Table section, click in the Action column of the Clear By Ports row. The Port List View, Clear By Ports page appears.

Figure 56: Port List View, Clear By Ports page

3. Select the ports you want to clear, or click All.
4. Click Submit.

Note: When you specify a port (or ports) to be cleared by using this field, the specified ports are cleared for each of the entries listed in the MAC Address Security Table. If you clear the entire Allowed Source Ports field (leaving a blank field) for an entry, the associated MAC address for that entry is also cleared.

End

Enabling security on ports

To enable or disable MAC address-based security on a port, use the following procedure:

1. From the main menu, choose Application > MAC Address Security > Port Configuration. The Port Configuration page appears.

Figure 57: Port Configuration page

The following table describes the items on the Port Configuration page.

Table 85: Port Configuration page items

Port (1 to 52): Lists each port on the unit.
Trunk (Blank, 1 to 6): Displays the MultiLink Trunk to which the port belongs.
Security ((1) Enabled, (2) Disabled): Enables MAC address-based security on that port.

End

Deleting ports

You can delete ports from the security system in a variety of ways:

In the Port List View, Port List page (Figure 53 "Port List View, Port List page" (page 146)), click the checkmark of a selected port that you want to delete from the specified port list.
In the Port List View, Learn by Ports page (Figure 54 "Port List View, Learn by Ports page" (page 147)), click the checkmark of a port that you want to remove from those ports that learn MAC addresses.
In the Port Configuration page (Figure 57 "Port Configuration page" (page 151)), click Disabled to remove that port from the MAC address-based security system; this action disables all MAC address-based security on that port.

Filtering MAC destination addresses

To drop all packets that have a specified MAC Destination Address (DA), use the following procedure:

1. From the main menu, choose Application > MAC Address Security > DA MAC Filtering. The DA MAC Filtering page appears.

Figure 58: DA MAC Filtering page

The following table describes the items on the DA MAC Filtering page.

Table 86: DA MAC Filtering page items

Section: Destination MAC Address Filtering Table

Action: To drop all packets to and from a specified MAC Destination Address (DA).
Index (1 to 10): The number of the MAC address.
MAC Address: Displays the MAC address.

Section: DA MAC Filtering Entry Creation

DA MAC Address (XX:XX:XX:XX:XX:XX): Enter the MAC DA that you want to filter. Note: Ensure that you do not enter the MAC address of the management station.

2. In the DA MAC Filtering Entry Creation area, enter the MAC DA that you want to filter. You can list up to 10 MAC DAs to filter.
3. Click Submit. The system returns you to the DA MAC Filtering page (Figure 58 "DA MAC Filtering page" (page 152)) with the new DA listed in the table.

End

Deleting MAC DAs

To delete a MAC DA, use the following procedure:

1. From the main menu, choose Application > MAC Address Security > DA MAC Filtering. The DA MAC Filtering page appears (Figure 58 "DA MAC Filtering page" (page 152)).

2. In the Destination MAC Address Filtering Table, click the Delete icon for the entry that you want to delete. A message appears prompting you to confirm your request.
3. Do one of the following:
  Click Yes to delete the MAC DA entry.
  Click Cancel to return to the table without making changes.

End

About SNMP

Simple Network Management Protocol (SNMP) is the standard for network management that uses a common software agent to manage local and wide area network equipment from different vendors; it is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, as defined in RFC115. SNMPv1 is version one, the original standard protocol. SNMPv3 is a combination of proposed updates to SNMP, most of which deal with security.

Configuring SNMPv1

You can configure SNMPv1 read/write and read-only community strings, enable or disable trap mode settings, and enable or disable the autotopology feature. The autotopology feature, when enabled, performs a process that recognizes any device on the managed network and defines and maps its relation to other network devices in real time. To configure the community string, trap mode, and autotopology settings and features, use the following procedure:

1. From the main menu, choose Configuration > SNMPv1. The SNMPv1 page appears.

Figure 59 SNMPv1 page

The following table describes the items on the SNMPv1 page.

Table 87 SNMPv1 page items

Section: Community String Setting
  Read-Only Community String (range 1-32): Type a character string to identify the community string for the SNMPv1 read-only community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-only community. The default value is public.
  Read-Write Community String (range 1-32): Type a character string to identify the community string for the SNMPv1 read-write community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-write community.

  The default value is private.

Section: Trap Mode Setting
  Authentication Trap (range (1) Enable, (2) Disable): Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs.

Section: Auto Topology Setting
  Auto Topology (range (1) Enable, (2) Disable): Choose to enable or disable the autotopology feature, which allows network topology mapping of other switches in your network.

2 Type the required information in the text boxes or select from a list.

3 Click Submit in any section to save your changes.

End

Configuring SNMPv3

This section describes the steps to build and manage SNMPv3 in the Web-based management user interface.

Viewing SNMPv3 system information

You can view information about the SNMPv3 engine that exists and the private protocols that are supported in your network configuration. You can also view information about packets received by the system that have particular errors, such as unavailable contexts, unknown contexts, decrypting errors, or unknown user names.

To view SNMPv3 system information, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > System Information. The System Information page appears. The following figure displays the System Information page.

Figure 60 System Information page

The following table describes the fields on the System Information section of the SNMPv3 System Information page.

Table 88 System Information section fields

SNMP Engine ID: The identification number for the SNMP engine.
SNMP Engine Boots: The number of times that the SNMP engine has reinitialized itself since its initial configuration.
SNMP Engine Time: The number of seconds since the SNMP engine last incremented the snmpEngineBoots object.
SNMP Engine Maximum Message Size: The maximum length, in octets, of an SNMP message that this SNMP engine can send or receive and process. This is determined as the minimum of the maximum message size values supported among all transports available to and supported by the engine.
SNMP Engine Dialects: The SNMP dialect that the engine recognizes. The dialects are: SNMPv1, SNMPv2C, and SNMPv3.

Authentication Protocols Supported: The registration point for standards-track authentication protocols used in SNMP Management Frameworks. The registration points are: None, HMAC MD5, and HMAC SHA.
  Note: The Ethernet Routing Switch 2500 Series supports only the MD5 authentication protocol.
Private Protocols Supported: The registration point for standards-track privacy protocols used in SNMP Management Frameworks. The registration points are: None or CBC-DES.
  Note: The Ethernet Routing Switch 2500 Series does not support privacy protocols.

The following table describes the fields on the SNMPv3 Counters section of the SNMPv3 System Information page.

Table 89 SNMPv3 Counters section fields

Unavailable Contexts: The total number of packets dropped by the SNMP engine because the context contained in the message is unavailable.
Unknown Contexts: The total number of packets dropped by the SNMP engine because the context contained in the message is unknown.
Unsupported Security Levels: The total number of packets dropped by the SNMP engine because they requested a security level that is unknown to the SNMP engine or otherwise unavailable.
Not in Time Windows: The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.
Unknown User Names: The total number of packets dropped by the SNMP engine because they referenced an unknown user.
Unknown Engine IDs: The total number of packets dropped by the SNMP engine because they referenced an snmpEngineID that is not known to the SNMP engine.

Wrong Digests: The total number of packets dropped by the SNMP engine because they did not contain the expected digest value.
Decryption Errors: The total number of packets dropped by the SNMP engine because they could not be decrypted.

End

Configuring user access to SNMPv3

You can view a table of all current SNMPv3 user security information, such as authentication/privacy protocols in use, and create or delete SNMPv3 system user configurations.

Creating an SNMPv3 system user configuration

To create an SNMPv3 system user configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > User Specification. The User Specification page appears.

Figure 61 User Specification page

The following table describes the items on the User Specification Table section of the User Specification page.

Table 90 User Specification Table section items (Item and MIB association)

Delete icon: Deletes the row.
User Name (usmUserSecurityName): The name of an existing SNMPv3 user.
Authentication Protocol (usmUserAuthProtocol): Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.

Private Protocol (usmUserPrivProtocol): Displays whether or not messages sent on behalf of this user to or from the SNMP engine identified by the usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used.
Entry Storage: The current storage type for this row. If Volatile is displayed, information is dropped (lost) when you turn off the power. If Non-Volatile is displayed, information is saved in NVRAM when you turn off the power.

The following table describes the items on the User Specification Creation section of the User Specification page.

Table 91 User Specification Creation section items (Item and MIB association, Range)

User Name (range 1-32): Type a string of characters to create an identity for the user.
Authentication Protocol (usmUserAuthProtocol) (range None, MD5, SHA): Choose whether or not the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 protocol.
Authentication Passphrase (usmUserAuthPassword) (range 1-32): Type a string of characters to create a passphrase to use in conjunction with the authorization protocol.
Privacy Protocol (range None, DES, 3DES, AES).
Privacy Passphrase (range XXX): Type a string of characters to create a passphrase to use in conjunction with the privacy protocol.
Entry Storage (usmUserStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the User Specification Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new configuration is displayed in the User Specification Table (User Specification page).

End

Deleting an SNMPv3 system user configuration

To delete an existing SNMPv3 user configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > User Specification. The User Specification page appears (User Specification page).

2 In the User Specification Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the SNMPv3 user configuration.
  Click Cancel to return to the User Specification page without making changes.

End

Configuring an SNMPv3 system user group membership

You can view a table of existing SNMPv3 group membership configurations and map or delete an SNMPv3 user to a group configuration.

Mapping an SNMPv3 system user to a group

To map an SNMPv3 system user to a group, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Membership. The Group Membership page appears. The following figure displays the Group Membership page.

Figure 62 Group Membership page

The following table describes the items on the Group Membership page.

Table 92 Group Membership page items (Item and MIB association, Range)

Delete icon: Deletes the row.

Security Name (vacmSecurityToGroupStatus) (range 1-32): Type a string of characters to create a security name for the principal that is mapped by this entry to a group name.
Security Model (vacmSecurityToGroupStatus) (range (1) SNMPv1, (2) SNMPv2c, (3) USM): Choose the security model within which the security name to group name mapping is valid.
Group Name (vacmGroupName) (range 1-32): Type a string of characters to specify the group name.
Entry Storage (vacmSecurityToGroupStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Group Membership Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry is displayed in the Group Membership Table (Figure 62 "Group Membership page" (page 163)).

End

Deleting an SNMPv3 group membership configuration

To delete an SNMPv3 group membership configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Membership.

The Group Membership page appears (Figure 62 "Group Membership page" (page 163)).

2 In the Group Membership Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the group membership configuration.
  Click Cancel to return to the Group Membership page without making changes.

Note: This Group Membership Table section of the Group Membership page contains hyperlinks to the SNMPv3 User Specification and Group Access Rights pages. For more information on these pages, see "Configuring user access to SNMPv3" (page 159) and "Configuring SNMPv3 group access rights" (page 165).

End

Configuring SNMPv3 group access rights

You can view a table of existing SNMPv3 group access rights configurations, and you can create or delete SNMPv3 system-level access rights for a group.

Creating an SNMPv3 group access rights configuration

To create an SNMPv3 system-level access rights configuration for a group, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Access Rights. The Group Access Rights page appears. The following figure displays the Group Access Rights page.

Figure 63 Group Access Rights page

The following table describes the items on the Group Access Rights page.

Table 93 Group Access Rights page items (Item and MIB association, Range)

Delete icon: Deletes the row.
Group Name (vacmAccessToGroupStatus) (range 1-32): Type a character string to specify the group name to which access is granted.
Security Model (vacmAccessSecurityModel) (range (1) SNMPv1, (2) SNMPv2c, (3) USM): Choose the security model to which access is granted.

Security Level (vacmAccessSecurityLevel) (range (1) noAuthNoPriv, (2) authNoPriv, (3) authPriv): Choose the minimum level of security required in order to gain the access rights allowed to the group.
Read View (vacmAccessReadViewName) (range 1-32): Type a character string to identify the MIB view of the SNMP context to which this entry authorizes read access.
Write View (vacmAccessWriteViewName) (range 1-32): Type a character string to identify the MIB view of the SNMP context to which this entry authorizes write access.
Notify View (vacmAccessNotifyViewName) (range 1-32): Type a character string to identify the MIB view to which this entry authorizes access to notifications.
Entry Storage (vacmSecurityToGroupStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Group Access Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry is displayed in the Group Access Table (Figure 63 "Group Access Rights page" (page 166)).

End

Deleting an SNMPv3 group access rights configuration

To delete an SNMPv3 group access configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Access Rights. The Group Access Rights page appears (Figure 63 "Group Access Rights page" (page 166)).

2 In the Group Access Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the group access configuration.
  Click Cancel to return to the Group Access Rights page without making changes.

Note: This Group Access Table section of the Group Access Rights page contains hyperlinks to the Management Information View page.

End

Configuring an SNMPv3 management information view

You can view a table of existing SNMPv3 management information view configurations, and you can create or delete SNMPv3 management information view configurations.

Note: A view can consist of multiple entries in the table, each with the same view name, but a different view subtree.

Creating an SNMPv3 management information view configuration

To create an SNMPv3 management information view configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Management Info View. The Management Information View page appears. The following figure displays the Management Information View page.

Figure 64 Management Information View page

The following table describes the fields on the Management Information View page.

Table 94 Management Information View page fields (Fields and MIB association, Range)

Delete icon: Deletes the row.
View Name (vacmViewTreeFamilyViewName) (range 1-32): Type a character string to create a name for a family of view subtrees.
View Subtree (vacmViewTreeFamilySubtree) (range XXXXX): Type an object identifier (OID) to specify the MIB subtree that, when combined with the corresponding instance of vacmViewTreeFamilyMask, defines a family of view subtrees.
  Note: If no OID is entered and the field is blank, a default mask value consisting of 1s is recognized.
View Mask (vacmViewTreeFamilyMask) (range Octet String (0-16)): Type the bit mask that, in combination with the corresponding instance of vacmViewTreeFamilySubtree, defines a family of view subtrees.
View Type (vacmViewTreeFamilyType) (range (1) Include, (2) Exclude): Choose to include or exclude a family of view subtrees.
Entry Storage (vacmSecurityToGroupStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Management Information Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry appears in the Management Information Table (Figure 64 "Management Information View page" (page 169)).

End

Deleting an SNMPv3 management information view configuration

To delete an existing SNMPv3 management information view configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Management Info View. The Management Information page appears (Figure 64 "Management Information View page" (page 169)).

2 In the Management Information Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the management information view configuration.
  Click Cancel to return to the table without making changes.

End

Configuring an SNMPv3 system notification entry

You can view a table of existing SNMPv3 system notification configurations, and you can configure specific SNMPv3 system notification types with particular message recipients and delete SNMPv3 notification configurations.

Creating an SNMPv3 system notification configuration

To create an SNMPv3 system notification configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Notification.

The Notification page appears. The following figure displays the Notification page.

Figure 65 Notification page

The following table describes the items on the Notification page.

Table 95 Notification page items (Item and MIB association, Range)

Delete icon: Deletes the row.
Notify Name (snmpNotifyRowStatus) (range 1-32): Type a character string to identify the entry.

Notify Tag (snmpNotifyTag) (range 1-32): Type a value to use to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable which contains a tag value which is equal to the value of an instance of this object is selected. If this object carries a zero length, no entries are selected.
Notify Type (snmpNotifyType) (range (1) Trap, (2) Inform): Choose the type of notification to generate.
Entry Storage (snmpNotifyStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Notification Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry is displayed in the Notification Table (Figure 65 "Notification page" (page 172)).

End

Note: This Notification Table section of the Notification page contains hyperlinks to the Target Parameter page.

Deleting an SNMPv3 system notification configuration

To delete an SNMPv3 notification configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Notification. The Notification page appears (Figure 65 "Notification page" (page 172)).

2 In the Notification Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the notification configuration.
  Click Cancel to return to the table without making changes.

End

Configuring an SNMPv3 management target address

You can view a table of existing SNMPv3 management target configurations, create SNMPv3 management target address configurations that associate notifications with particular recipients, and delete SNMPv3 target address configurations.

Creating an SNMPv3 target address configuration

To create an SNMPv3 target address configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Address. The Target Address page appears. The following figure displays the Target Address page.

Figure 66 Target Address page

The following table describes the items on the Target Address page.

Table 96 Target Address page items (Item and MIB association, Range)

Delete icon: Deletes the row.
Target Name (snmpTargetAddrName) (range 1-32): Type a character string to create a target name.
Target Address (snmpTargetAddrTAddress) (range XXX.XXX.XXX.XXX:XXX): Type a transport address in the format of an IP address, colon, and UDP port number. For example: :162
Target Timeout (snmpTargetAddrTimeout) (range Integer): Type the number, in seconds, to designate as the maximum time to wait for a response to an inform notification before resending the inform notification.
Target Retry Count (snmpTargetAddrRetryCount) (range 0-255): Type the default number of retries to be attempted when a response is not received for a generated message. An application can provide its own retry count, in which case the value of this object is ignored.
Target Tag List (snmpTargetAddrTagList) (range 1-20): Type the space-separated list of tag values to be used to select target addresses for a particular operation.

Target Parameter Entry (snmpTargetAddr) (range 1-32): Type a numeric string to identify an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generated messages are sent to this transport address.
Entry Storage (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Target Address Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry is displayed in the Target Address Table (Figure 66 "Target Address page" (page 174)).

Note: This Target Address Table section of the Target Address page contains hyperlinks to the Target Parameter page.

End

Deleting an SNMPv3 target address configuration

To delete an SNMPv3 target address configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Address. The Target Address page appears (Figure 66 "Target Address page" (page 174)).

2 In the Target Address Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the target address configuration.
  Click Cancel to return to the table without making changes.

End

Configuring an SNMPv3 management target parameter

SNMPv3 management target parameters are used during notification generation to specify the communication parameters that are used for exchanges with notification recipients. You can view a table of existing SNMPv3 target parameter configurations, create SNMPv3 target parameters that associate notifications with particular recipients, and delete existing SNMPv3 target parameter configurations.

Creating an SNMPv3 target parameter configuration

To create an SNMPv3 target parameter configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Parameter. The Target Parameter page appears. The following figure displays the Target Parameter page.

Figure 67 Target Parameter page

The following table describes the items on the Target Parameter page.

Table 97 Target Parameter page items (Item, Range)

Delete icon: Deletes the row.
Parameter Tag (snmpTargetParamsRowStatus) (range 1-32): Type a unique character string to identify the parameter tag.
Msg Processing Model (snmpTargetParamsMPModel) (range (0) SNMPv1, (1) SNMPv2c, (2) SNMPv3/USM): Choose the message processing model to be used when generating SNMP messages using this entry.
Security Name (snmpTargetParamsSecurityName) (range 1-32): Type the principal on whose behalf SNMP messages are generated using this entry.
Security Level (snmpTargetParamsSecurityLevel) (range (1) noAuthNoPriv, (2) authNoPriv, (3) authPriv): Choose the level of security to be used when generating SNMP messages using this entry.
Entry Storage (snmpTargetParamsStorageType) (range (1) Volatile, (2) Non-Volatile): Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Target Parameter Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry appears in the Target Parameter Table (Figure 67 "Target Parameter page" (page 177)).

End

Deleting an SNMPv3 target parameter configuration

To delete an SNMPv3 target parameter configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Parameter. The Target Parameter page appears (Figure 67 "Target Parameter page" (page 177)).

2 In the Target Parameter Table, click the Delete icon for the entry you want to delete. A message appears prompting you to confirm your request.

3 Do one of the following:
  Click Yes to delete the target parameter configuration.
  Click Cancel to return to the table without making changes.

End

Configuring an SNMP trap receiver

You can configure the IP address and community string for a new SNMP trap receiver, view a table of existing SNMP trap receiver configurations, or delete an existing SNMP trap receiver configuration(s).

Note: The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are configurable using this table.

Creating an SNMP trap receiver configuration

To create an SNMP trap receiver configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMP Trap. The SNMP Trap Receiver page appears. The following figure displays the SNMP Trap Receiver page.

Figure 68 SNMP Trap Receiver page

The following table describes the fields on the Trap Receiver Table and Trap Receiver Creation sections of the SNMP Trap Receiver page.

Table 98 SNMP Trap Receiver page fields (Fields, Range)

Delete icon: Deletes the row.
Trap Receiver Index (range 1-4): Choose the number of the trap receiver to create or modify.
IP Address (range XXX.XXX.XXX.XXX): Type the network address for the SNMP manager that is to receive the specified trap.
Community (range 0-32): Type the community string for the specified trap receiver. Reenter the community string for the specified trap receiver to confirm.

2 In the Trap Receiver Creation section, type the required information in the text boxes or select from a list.

3 Click Submit. The new entry is displayed in the Trap Receiver Table (SNMP Trap Receiver page).
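The Group Membership, Group Access Rights and Management Information View pages above are the three tables of the SNMPv3 View-based Access Control Model (RFC 3415). The following Python is an added example, not code from this manual or from the switch; it models how those three tables combine to decide whether a request may read or write a given OID, including the subtree/mask wildcard and the longest-match rule for view rows. The user, group and view names and the two view rows are constructed sample values, the access table is simplified to one minimum security level per (group, security model) pair, and context-name matching is omitted.

```python
"""SNMPv3 View-based Access Control Model (VACM, RFC 3415) in miniature.

Added example, not code from the Nortel manual or the switch. It models the
three tables configured on the Group Membership, Group Access Rights and
Management Information View pages and answers: may this principal perform
this operation on this OID? Simplifications: one minimum security level per
(group, security model) pair and no context-name matching.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OID = Tuple[int, ...]

# Security levels in the order the Group Access Rights page lists them.
# The group's configured level is the MINIMUM a request must present.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass
class ViewFamily:
    """One row of the Management Information View table."""
    subtree: OID
    mask: bytes      # vacmViewTreeFamilyMask; empty means "all ones"
    include: bool    # View Type: Include (True) or Exclude (False)

    def matches(self, oid: OID) -> bool:
        """RFC 3415 family test: the OID must be at least as long as the
        subtree, and every sub-identifier whose mask bit is 1 must match.
        Bits beyond the end of the mask are treated as 1 (exact match)."""
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            byte, bit = divmod(i, 8)
            in_mask = byte < len(self.mask)
            wildcard = in_mask and ((self.mask[byte] >> (7 - bit)) & 1) == 0
            if not wildcard and oid[i] != sub:
                return False
        return True


@dataclass
class Vacm:
    # Group Membership page: (security model, security name) -> group name
    groups: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # Group Access Rights page: (group, model) -> (min level, read, write, notify)
    access: Dict[Tuple[str, str], Tuple[str, str, str, str]] = field(default_factory=dict)
    # Management Information View page: view name -> its rows
    views: Dict[str, List[ViewFamily]] = field(default_factory=dict)

    def oid_in_view(self, view: str, oid: OID) -> bool:
        """Among matching rows the longest subtree wins; ties go to the
        lexicographically greatest subtree. Its Include/Exclude decides."""
        rows = [r for r in self.views.get(view, []) if r.matches(oid)]
        if not rows:
            return False
        best = max(rows, key=lambda r: (len(r.subtree), r.subtree))
        return best.include

    def is_access_allowed(self, model: str, name: str, level: str,
                          op: str, oid: OID) -> Tuple[bool, str]:
        """Return (allowed, reason) using the RFC 3415 status names."""
        group = self.groups.get((model, name))
        if group is None:
            return False, "noGroupName"
        entry = self.access.get((group, model))
        if entry is None:
            return False, "noAccessEntry"
        min_level, read_view, write_view, notify_view = entry
        if LEVELS[level] < LEVELS[min_level]:
            return False, "noAccessEntry"   # level below the group minimum
        view = {"read": read_view, "write": write_view, "notify": notify_view}[op]
        if not view:
            return False, "noSuchView"
        if not self.oid_in_view(view, oid):
            return False, "notInView"
        return True, "accessAllowed"


def sample_config() -> Vacm:
    """Constructed sample: read-only monitoring user 'netops' (USM) may read
    the interfaces subtree 1.3.6.1.2.1.2 except every column of ifEntry
    row 3, which the second view row excludes through a wildcard mask."""
    v = Vacm()
    v.groups[("USM", "netops")] = "monitor"
    v.access[("monitor", "USM")] = ("authNoPriv", "ifView", "", "")
    # Row 1: 1.3.6.1.2.1.2 included with an empty mask (all ones).
    # Row 2: 1.3.6.1.2.1.2.2.1.X.3 excluded. Mask bits 11111111 101 ->
    # 0xFF 0xA0: sub-identifier 10 (the column) is a wildcard, the row
    # index 3 must match exactly.
    v.views["ifView"] = [
        ViewFamily((1, 3, 6, 1, 2, 1, 2), b"", True),
        ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3), bytes([0xFF, 0xA0]), False),
    ]
    return v


if __name__ == "__main__":
    vacm = sample_config()
    for oid in ((1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 1),   # ifInOctets.1: allowed
                (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 3)):  # ifInOctets.3: notInView
        print(oid, vacm.is_access_allowed("USM", "netops", "authNoPriv", "read", oid))
```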


More information

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement Welcome to Certified Mail Envelopes and Certified Mail Labels web sites (the Site ) a website, trademark and business name owned and operated

More information

Management Software Web Browser User s Guide

Management Software Web Browser User s Guide FS900M Series Fast Ethernet Switches Management Software Web Browser User s Guide 613-002073 Rev. A Copyright 2014, Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced

More information

Cisco TEO Adapter Guide for Microsoft Windows

Cisco TEO Adapter Guide for Microsoft Windows Cisco TEO Adapter Guide for Microsoft Windows Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M Topics: TACACS+ Authentication for Centralized Control of Switch Access Security (page 7) CDP (page

More information

Class Composer General Terms of Use

Class Composer General Terms of Use Class Composer General Terms of Use Effective Date: July 24, 2017 Welcome to Class Composer! Please continue reading to learn about the terms by which you may use our Service. If you have any questions

More information

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT TERMS & CONDITIONS www.karnevalkings.com (the "Site") is a website and online service owned and operated by the ViisTek Media group of companies (collectively known as "Karnevalkings.com", "we," "group",

More information

TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties.

TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties. TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties. The parties to these Terms of Use are you, and the owner

More information

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) This is a License Agreement (the "Agreement") for certain code (the Software ) owned by Akamai Technologies, Inc. ( Akamai ) that is useful in connection

More information

Terms of Use. Changes. General Use.

Terms of Use. Changes. General Use. Terms of Use THESE TERMS AND CONDITIONS (THE TERMS ) ARE A LEGAL CONTRACT BETWEEN YOU AND SPIN TRANSFER TECHNOLOGIES ( SPIN TRANSFER TECHNOLOGIES, STT, WE OR US ). THE TERMS EXPLAIN HOW YOU ARE PERMITTED

More information

FONT SOFTWARE END USER LICENSE AGREEMENT. We recommend that you print this Font Software End User License Agreement for further reference.

FONT SOFTWARE END USER LICENSE AGREEMENT. We recommend that you print this Font Software End User License Agreement for further reference. FONT SOFTWARE END USER LICENSE AGREEMENT We recommend that you print this Font Software End User License Agreement for further reference. This Font Software End User License Agreement (the Agreement )

More information

Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software Release 2.

Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software Release 2. Part No. 316862-D June 2006 4655 Great America Parkway Santa Clara, CA 95054 Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software

More information

CA File Master Plus. Release Notes. Version

CA File Master Plus. Release Notes. Version CA File Master Plus Release Notes Version 9.0.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for

More information

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS INTRODUCTION: Before the California State Teachers Retirement System (hereinafter "CalSTRS," "We," or "Us") will provide services found at mycalstrs.com (the

More information

LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³

LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³ LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³ EXHIBIT B-2 LICENSEE: Address: Attention: Phone: Fax: Email: Account #: CERTIPORT LOGO LICENSE AGREEMENT Authorized Testing Centers This Logo License Agreement

More information

Enterasys Matrix E1 Series

Enterasys Matrix E1 Series Notice Copyright Notice Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

Daniel MeterLink Software v1.40

Daniel MeterLink Software v1.40 Quick Start Manual P/N 3-9000-763, Rev K June 2017 Daniel MeterLink Software v1.40 for Daniel Gas and Liquid Ultrasonic Flow Meters Software License Agreement PLEASE READ THIS SOFTWARE LICENSE AGREEMENT

More information

Configuring Port-Based and Client-Based Access Control (802.1X)

Configuring Port-Based and Client-Based Access Control (802.1X) 9 Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview..................................................... 9-3 Why Use Port-Based or Client-Based Access Control?............

More information

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide Release 1.5 October, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone

More information

PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL

PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL Last Modified: 3/12/2018 These terms and conditions ( Terms and Conditions ) are a legal agreement between you and PlainsCapital Bank that

More information

Cisco TEO Adapter Guide for SAP Java

Cisco TEO Adapter Guide for SAP Java Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

End User License Agreement

End User License Agreement End User License Agreement Kyocera International, Inc. ( Kyocera ) End User License Agreement. CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS ( AGREEMENT ) BEFORE USING OR OTHERWISE ACCESSING THE SOFTWARE

More information

Scan to Hard Disk. Administrator's Guide

Scan to Hard Disk. Administrator's Guide Scan to Hard Disk Administrator's Guide April 2015 www.lexmark.com Edition notice April 2015 The following paragraph does not apply to any country where such provisions are inconsistent with local law:

More information

WLAN Location Engine 2340 Using the Command Line Interface

WLAN Location Engine 2340 Using the Command Line Interface WLAN Location Engine 2340 Using the Command Line Interface Avaya WLAN 2300 Release 6.0 Document Status: Standard Document Number: NN47250-505 Document Version: 01.02 2010 Avaya Inc. All Rights Reserved.

More information

Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 09, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Mobile Banking and Mobile Deposit Terms & Conditions

Mobile Banking and Mobile Deposit Terms & Conditions Mobile Banking and Mobile Deposit Terms & Conditions PLEASE CAREFULLY REVIEW THESE TERMS AND CONDITIONS BEFORE PROCEEDING: This Mobile Banking and Mobile Deposit Addendum ( Addendum ) to the Old National

More information

Bar Code Discovery. Administrator's Guide

Bar Code Discovery. Administrator's Guide Bar Code Discovery Administrator's Guide November 2012 www.lexmark.com Contents 2 Contents Overview...3 Configuring the application...4 Configuring the application...4 Configuring Bar Code Discovery...4

More information

Ludlum Lumic Data Logger Software Manual Version 1.1.xx

Ludlum Lumic Data Logger Software Manual Version 1.1.xx Ludlum Lumic Data Logger Software Manual Version 1.1.xx Ludlum Lumic Data Logger Software Manual Version 1.1.xx Contents Introduction... 1 Software License Agreement... 2 Getting Started... 5 Minimum

More information

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved.

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved. TERMS OF SERVICE Electronic Communication: When you visit our website or send e-mails to us, you are communicating with us electronically. You consent to receive communications from us electronically.

More information

Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0

Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0 Part No. 212160-B November 2001 4401 Great America Parkway Santa Clara, CA 95054 Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0 2 Copyright 2001 Nortel Networks All rights

More information

Switch User Authentication using. Identity Engines Ignition Server. Technical Configuration Guide. Identity Engines Ignition Server

Switch User Authentication using. Identity Engines Ignition Server. Technical Configuration Guide. Identity Engines Ignition Server Identity Engines Ignition Server Ethernet Routing Switch 8600, 8300, 1600, 5500, 5600, 4500, 2500 Engineering Switch User Authentication using Identity Engines Ignition Server Technical Configuration Guide

More information

Contivity Secure IP Services Gateway Release Notes

Contivity Secure IP Services Gateway Release Notes Version 4.85 Part No. 315000-E Rev 02 December 2003 600 Technology Park Drive Billerica, MA 01821-4130 Contivity Secure IP Services Gateway Release Notes 2 Copyright 2003 Nortel Networks All rights reserved.

More information

The Travel Tree Terms and Conditions

The Travel Tree Terms and Conditions The Travel Tree Terms and Conditions Please read the following Terms & Conditions carefully before using this site. Use of this site indicates acceptance of these Terms and Conditions. The following terms

More information

Nortel VPN Router Configuration Tunneling Protocols

Nortel VPN Router Configuration Tunneling Protocols Version 8.00 Part No. NN46110-503 02.01 318438-D Rev 01 13 October 2008 Document status: Standard 600 Technology Park Drive Billerica, MA 01821-4130 Nortel VPN Router Configuration Tunneling Protocols

More information

Epson Professional Imaging

Epson Professional Imaging Epson Professional Imaging Epson Gemini 2 to Epson Gemini K3 Upgrade Program Epson Gemini 2 Customer Information All Fields Required Company Name Gemini K3 Ship To Information Ship To Location Use Same

More information

WLAN 233X Access Points and Microsoft DHCP Technical Brief. Wireless LAN 2300 Engineering

WLAN 233X Access Points and Microsoft DHCP Technical Brief. Wireless LAN 2300 Engineering Wireless LAN 2300 Engineering WLAN 233X Access Points and Microsoft DHCP Technical Brief Avaya Data Solutions Document Date: Document Number: NN48500-551 Document Version: 2.1 2010 Avaya Inc. All Rights

More information

Terms and Conditions 01 January 2016

Terms and Conditions 01 January 2016 Terms and Conditions 01 January 2016 thehealthsource: Terms and Conditions Page 1 of 7 This Agreement (the Agreement ) is entered into by and between thehealthsource (Pty) Ltd and the entity agreeing to

More information

Terms Of Use AGREEMENT BETWEEN USER AND DRAKE MODIFICATION OF THESE TERMS OF USE LINKS TO THIRD PARTY WEB SITES USE OF COOKIES

Terms Of Use AGREEMENT BETWEEN USER AND DRAKE MODIFICATION OF THESE TERMS OF USE LINKS TO THIRD PARTY WEB SITES USE OF COOKIES Terms Of Use AGREEMENT BETWEEN USER AND DRAKE This website and other related websites and mobile applications (collectively referred to as "Sites") comprise various web pages and services operated by Drake

More information

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev.

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev. Management Software AT-S79 User s Guide For use with the AT-GS950/16 and AT-GS950/24 Smart Switches Version 1.0.0 613-000207 Rev. A Copyright 2005 Allied Telesyn, Inc. All rights reserved. No part of this

More information

Oracle Binary Code License Agreement for Java Secure Sockets Extension for Connected Device Configuration 1.0.2

Oracle Binary Code License Agreement for Java Secure Sockets Extension for Connected Device Configuration 1.0.2 Oracle Binary Code License Agreement for Java Secure Sockets Extension 1.0.3 for Connected Device Configuration 1.0.2 ORACLE AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND

More information

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid

Deploying Devices. Cisco Prime Infrastructure 3.1. Job Aid Deploying Devices Cisco Prime Infrastructure 3.1 Job Aid Copyright Page THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION,

More information

Terms and Conditions - Dedicated Internet Access Service

Terms and Conditions - Dedicated Internet Access Service Terms and Conditions - Dedicated Internet Access Service 1. Description of Service: Dedicated Internet Access ( DIA ) Service ( Service ), which includes T1, DS-3, Ethernet, Fast Ethernet, Gigabit Ethernet

More information

Online Localization Service

Online Localization Service DEVELOPER EXPRESS INC DEVEXPRESS Copyright (C) 2011-2017 Developer Express Inc. IMPORTANT- READ CAREFULLY: This DEVELOPER EXPRESS INC ("DEVEXPRESS") End-User License Agreement ("EULA") is a legal agreement

More information

MegaStat Installation Instructions

MegaStat Installation Instructions MegaStat Installation Instructions 1. Download MegaStatInstallationFilesWindows.zip from the website. When you click the download link you will see options at the bottom of the screen that will depend

More information

Cisco TEO Adapter Guide for SAP ABAP

Cisco TEO Adapter Guide for SAP ABAP Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS

MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS Introduction This document sets forth the terms and conditions ("Terms and Conditions") governing your use of the MeridianHealth.com Web site ("Web Site")

More information

> Port Mirror via SMLT Cluster Technical Configuration Guide. Ethernet Routing Switch 8600/8800. Engineering. Avaya Data Solutions

> Port Mirror via SMLT Cluster Technical Configuration Guide. Ethernet Routing Switch 8600/8800. Engineering. Avaya Data Solutions Ethernet Routing Switch 8600/8800 Engineering > Port Mirror via SMLT Cluster Technical Configuration Guide Avaya Data Solutions Document Date: Document Number: NN48500-630 Document Version: 1.0 2011 Avaya

More information

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits Export Controls Export laws and regulations of the United States

More information

SPECTRUM. Multicast Manager User Guide (5132) r9.0

SPECTRUM. Multicast Manager User Guide (5132) r9.0 SPECTRUM Multicast Manager User Guide (5132) r9.0 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

XCubeNAS Series White Paper WORM

XCubeNAS Series White Paper WORM XCubeNAS Series White Paper WORM QSAN Technology, Inc. www.qsan.com Copyright 2017 QSAN Technology, Inc. All rights reserved. No part of this document may be reproduced or transmitted without written permission

More information

VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT

VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT Notes These notes are intended to help prospective licensees complete the attached Test Suite Time-Limited License Agreement. If you wish to execute

More information

Quick Start Guide. BlackBerry Workspaces app for Android. Version 5.0

Quick Start Guide. BlackBerry Workspaces app for Android. Version 5.0 Quick Start Guide BlackBerry Workspaces app for Android Version 5.0 Published: 2017-01-22 SWD-20170122060917401 Contents Overview... 4 Browse workspaces, folders, and files... 5 Create new workspaces,

More information

Entrust SSL Web Server Certificate Subscription Agreement

Entrust SSL Web Server Certificate Subscription Agreement Entrust SSL Web Server Certificate Subscription Agreement ATTENTION - READ CAREFULLY: THIS SUBSCRIPTION AGREEMENT (THIS "AGREEMENT") IS A LEGAL CONTRACT BETWEEN THE PERSON, ENTITY, OR ORGANIZATION NAMED

More information

Avaya Enterprise Policy Manager Configuration - Devices

Avaya Enterprise Policy Manager Configuration - Devices Avaya Enterprise Policy Manager Configuration - Devices Avaya Enterprise Policy Manager 5.1.3 Document Status: Standard Document Number: NN48011-500 Document Version: 02.03 Date: June 2011 2011 Avaya Inc.

More information

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ]

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ] AT-GS950/10PS Gigabit Ethernet PoE+ Switch AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [1.00.013] 613-001770 Rev A Copyright 2013 Allied Telesis, Inc. All rights reserved. No part of this publication

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY CYBEROAM INSTALLATION GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty

More information

EMPLOYER CONTRIBUTION AGREEMENT

EMPLOYER CONTRIBUTION AGREEMENT EMPLOYER CONTRIBUTION AGREEMENT This Employer Contribution Agreement ( Agreement ) is entered into by and between, your successors and assigns ( You ) and Oracle America, Inc. ( Oracle ) as of the date

More information

Nortel VPN Router Configuration Basic Features

Nortel VPN Router Configuration Basic Features Version 8.00 Part No. NN46110-500 02.01 311642-M Rev 01 13 October 2008 Document status: Standard 600 Technology Park Drive Billerica, MA 01821-4130 Nortel VPN Router Configuration Basic Features 2 Copyright

More information

AT-GS950/8. AT-GS950/8 Web Interface User Guide AT-S113 Version [ ] Gigabit Ethernet Switch Rev A

AT-GS950/8. AT-GS950/8 Web Interface User Guide AT-S113 Version [ ] Gigabit Ethernet Switch Rev A AT-GS950/8 Gigabit Ethernet Switch AT-GS950/8 Web Interface User Guide AT-S113 Version 1.1.0 [1.00.021] 613-001856 Rev A Copyright 2013 Allied Telesis, Inc. All rights reserved. No part of this publication

More information

Installing the Shrew Soft VPN Client

Installing the Shrew Soft VPN Client Windows Install Installing the Shrew Soft VPN Client ShrewVPNWindows201211-01 Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email:

More information

TERMS OF USE FOR NAT TRAVERSAL FUNCTION TRIAL VERSION

TERMS OF USE FOR NAT TRAVERSAL FUNCTION TRIAL VERSION TERMS OF USE FOR NAT TRAVERSAL FUNCTION TRIAL VERSION THESE TERMS OF USE INCLUDE IMPORTANT LEGAL INFORMATION REGARD- ING YOUR ACCESS AND USE OF THIS FUNCTION. PLEASE READ THEM CARE- FULLY BEFORE PROCEEDING.

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Blend Version 1.2 Published: 2015-07-06 SWD-20150706173035792 Contents About BlackBerry Blend... 4 BlackBerry Blend architecture... 4 Security... 5 IT policy

More information

Network-MIDI Driver Installation Guide

Network-MIDI Driver Installation Guide Network-MIDI Driver Installation Guide ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED TO USE

More information

fontseek.info outofthedark.xyz

fontseek.info outofthedark.xyz Gza Seminegra 116 pt Gza Seminegra 102 pt Blitz Script 52 pt fontseek.info outofthedark.xyz 1 OWNERSHIP OF PRODUCT AND COPYRIGHT OUT OF THE DARK Print page 1 / 2 a The digital files downloaded to your

More information

1. License Grant; Related Provisions.

1. License Grant; Related Provisions. IMPORTANT: READ THIS AGREEMENT CAREFULLY. THIS IS A LEGAL AGREEMENT BETWEEN AVG TECHNOLOGIES CY, Ltd. ( AVG TECHNOLOGIES ) AND YOU (ACTING AS AN INDIVIDUAL OR, IF APPLICABLE, ON BEHALF OF THE INDIVIDUAL

More information

FIA Electronic Give-Up Agreement System (EGUS) Version 2.6

FIA Electronic Give-Up Agreement System (EGUS) Version 2.6 FIA Electronic Give-Up Agreement System (EGUS) Version 2.6 User Guide 18 January 2010 Copyright Unpublished work 2007-2010 Markit Group Limited This work is an unpublished, copyrighted work and contains

More information

IETF TRUST. Legal Provisions Relating to IETF Documents. February 12, Effective Date: February 15, 2009

IETF TRUST. Legal Provisions Relating to IETF Documents. February 12, Effective Date: February 15, 2009 IETF TRUST Legal Provisions Relating to IETF Documents February 12, 2009 Effective Date: February 15, 2009 1. Background The IETF Trust was formed on December 15, 2005, for, among other things, the purpose

More information

INCLUDING MEDICAL ADVICE DISCLAIMER

INCLUDING MEDICAL ADVICE DISCLAIMER Jordan s Guardian Angels Terms and Conditions of Use INCLUDING MEDICAL ADVICE DISCLAIMER Your use of this website and its content constitutes your agreement to be bound by these terms and conditions of

More information

Enterasys X-Pedition Security Routers

Enterasys X-Pedition Security Routers Enterasys X-Pedition Security Routers Notice Copyright Notice Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States

More information

NOOTRY TERMS OF SERVICE

NOOTRY TERMS OF SERVICE NOOTRY TERMS OF SERVICE Nootry LLC ( Nootry ), a Delaware limited liabilities company, provides access to and use of the services, including our website, APIs, email notifications, and application (the

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide MULTIFUNCTIONAL DIGITAL SYSTEMS Software Installation Guide 2013 TOSHIBA TEC CORPORATION All rights reserved Under the copyright laws, this manual cannot be reproduced in any form without prior written

More information

VLAN Management. User Guide. Document 3543

VLAN Management. User Guide. Document 3543 VLAN Management User Guide Document 3543 Notice Copyright Notice Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United

More information

Brocade FastIron Flexible Authentication

Brocade FastIron Flexible Authentication 18 December 2015 Brocade FastIron Flexible Authentication Deployment Guide Supporting FastIron 08.0.40 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the

More information

Emerald. Caller-ID Search Version 1.2. Emerald Management Suite IEA Software, Inc.

Emerald. Caller-ID Search Version 1.2. Emerald Management Suite IEA Software, Inc. Emerald Caller-ID Search Version 1.2 Emerald Management Suite 1 SOFTWARE LICENSE AGREEMENT By purchasing or installing all or part of the Emerald Management Suite, you indicate your acceptance of the following

More information

Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX

Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX ORACLE AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL,

More information

Clauses contain important provisions about our liability to you in relation to Royal Mail's Online Postage. Please read them carefully.

Clauses contain important provisions about our liability to you in relation to Royal Mail's Online Postage. Please read them carefully. Etsy Marketplace/Royal Mail Online Postage API Terms and Conditions Terms and conditions governing the purchase of postage online through Etsy Marketplace This Agreement is between you and Royal Mail Group

More information

DME-N Network Driver Installation Guide for M7CL

DME-N Network Driver Installation Guide for M7CL DME-N Network Driver Installation Guide for M7CL ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED

More information

Release Notes: Version Operating System

Release Notes: Version Operating System Release Notes: Version 2.0.29 Operating System for the HP ProCurve Wireless Access Point 420 These release notes include information on the following: Downloading access point software and documentation

More information

Cisco C880 M4 Server User Interface Operating Instructions for Servers with E v2 and E v3 CPUs

Cisco C880 M4 Server User Interface Operating Instructions for Servers with E v2 and E v3 CPUs Cisco C880 M4 Server User Interface Operating Instructions for Servers with E7-8800 v2 and E7-8800 v3 CPUs November, 2015 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT

More information

RSA Two Factor Authentication

RSA Two Factor Authentication RSA Two Factor Authentication Feature Description VERSION: 6.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies

More information

vippaq Main App. User Guide

vippaq Main App. User Guide vippaq Main App. User Guide Edition 1d July 2008 Contents 1 INTRODUCTION 3 1.1 3 2 SYSTEM PREPARATION 4 2.1.1 Measuring Head Connection 5 2.1.2 Position the Measuring Heads 5 2.1.3 Start Job 5 3 MEASURE

More information