2500 Series - Security Config and Manegement

Nortel Ethernet Routing Switch 2500 Series
Security Conguration and Management
NN47215-505 (323165-B)
.
Document status: Standard Document version: 02.01 Document date: 19 November 2007 Copyright 2007, Nortel Networks All Rights Reserved. Sourced in Canada, India, and the United States of America The information in this document is subject to change without notice. The statements, congurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specied in this document. The information in this document is proprietary to Nortel Networks. The software described in this document is furnished under a license agreement and can be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document. All other trademarks are the property of their respective owners.
Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that can pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product can be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University can not be used to endorse or promote products derived from such portions of the software without specic prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that can incorporate by reference certain limitations and notices imposed by third parties).
Nortel Networks software license agreement

This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and afliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. "Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or afliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as condential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer ensures that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneciaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer promptly returns the Software to Nortel Networks or certify its destruction. Nortel Networks can audit by remote polling or other reasonable means to determine Customers Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software. Warranty. Except as can be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions can not apply. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMERS RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneciary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they can not apply. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer can terminate the license at any time. Nortel Networks can terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
2.
3.
4.
b.
c.
Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customers use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. Neither party can bring an action, regardless of form, more than two years after the cause of the action arose. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
d. e. f.
Contents
New in this release
Features 9 Advanced Security features 9
Introduction
Before you begin 11 Text conventions 11 Related publications 13 How to get help 14 Getting help from the Nortel Web site 14 Getting help through a Nortel distributor or reseller 14 Getting help over the phone from a Nortel Solutions Center 14 Getting help from a specialist by using an Express Routing Code 15
11
Using security in your network

Setting management passwords 17 Console/TELNET/Web password Conguration 17 Username and password 17 Logging on 18 Conguring Security options 18 RADIUS-based network security 20 MAC address-based security 21 EAPOL-based security 21 EAPoL with Guest VLAN 23 EAPOL Security Conguration 23 Password security 24 Password length and valid characters 24 Password retry 24 Password history 24 Password display 24 Password verication 24 Password aging time 25 Read-Only and Read-Write passwords must be different Applicable passwords 25 Enabling and disabling password security 25
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
17
25
6 Contents Default passwords 26 HTTP port number change 26 Simple Network Management Protocol 26 SNMP Version 1 (SNMPv1) 26 Nortel Ethernet Routing Switch 2500 Series support for SNMP 27 SNMP MIB support 27 SNMP trap support 28 Advanced EAPOL features 28 Non-EAP hosts on EAP-enabled ports 30
Conguring Security using the CLI

Securing your system 35 Setting the username and password 35 Setting password security 37 Conguring the IP manager list 39 Changing the http port number 43 Setting Telnet access 44 Conguring Secure Shell (SSH) 48 Setting server for Web-based management 55 Conguring the RADIUS-based management password authentication Setting SNMP parameters 58 Common SNMP and SNMPv3 CLI commands 58 CLI commands specic to SNMPv3 69 Securing your network 80 Conguring MAC address lter-based security 80 Conguring EAPOL-based security 87 Conguring advanced EAPOL features 94
35
56
Conguring Security using web-based management

Conguring system security 169 Setting console, Telnet, and Web passwords 169 Conguring RADIUS dial-in access security 172 Accessing the management interface 173 Conguring MAC address-based security 175 Conguring MAC address-based security 176 Conguring ports 179 Adding MAC addresses 181 Clearing ports 183 Enabling security on ports 184 Deleting ports 186 Filtering MAC destination addresses 186 Deleting MAC DAs 187 About SNMP 188 Conguring SNMPv1 188 Conguring SNMPv3 190
.
169
Contents 7 Viewing SNMPv3 system information 190 Conguring user access to SNMPv3 193 Conguring an SNMPv3 system user group membership 196 Conguring SNMPv3 group access rights 199 Conguring an SNMPv3 management information view 202 Conguring an SNMPv3 system notication entry 205 Conguring an SNMPv3 management target address 208 Conguring an SNMPv3 management target parameter 211 Conguring an SNMP trap receiver 213
Index
220
.
8 Contents
.
New in this release

The following sections detail whats new in Security Conguration and Management (NN47215-505) for Release 4.1.
Features
See "Advanced Security features" (page 9)for information about feature changes.
Advanced Security features

The Nortel Ethernet Routing Switch 2500 Release 4.1 supports advanced EAPOL security features. For more information, see the following sections: "Advanced EAPOL features" (page 28) "Conguring multihost support" (page 95) "Conguring support for non-EAPOL hosts on EAPOL-enabled ports" (page 102) "Conguring MultiHost Single-Autentication (MHSA)" (page 107)
.
10 New in this release
.
11
Introduction
This guide provides information about conguring and managing security features on the Nortel Ethernet Routing Switch 2500 Series. This guide describes the features of the following Nortel switches: Nortel Ethernet Routing Switch 2526T Nortel Ethernet Routing Switch 2526T-PWR Nortel Ethernet Routing Switch 2550T Nortel Ethernet Routing Switch 2550T-PWR
The term "Ethernet Routing Switch 2500 Series" is used in this document to describe the features common to the switches mentioned above. A switch is referred to by its specic name when a feature is described that is exclusive to the switch.
Before you begin

This guide is intended for network administrators who have the following background: basic knowledge of networks, Ethernet bridging, and IP routing familiarity with networking concepts and terminology basic knowledge of network topologies
Text conventions
This guide uses the following text conventions:
.
12 Introduction
angle brackets (< >)
Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12
bold body text
Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items. Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts|routes}, you must either enter show ip or show ip routes, but not both.
braces ({})
brackets ([ ])
Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [-alerts], you can either enter show ip interfaces or show ip interfaces -alerts.
italic text
Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>,valid_route is one variable, and you substitute one value for it.
plain Courier text
Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
.
Related publications
13
separator ( > )
Shows menu paths. Example: Protocols > IP identifies the IP command on the Protocols menu.
vertical line ( | )
Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts|routes}, you can either enter show ip alerts or show ip routes, but not both.
Related publications
For more information about using the Ethernet Routing Switch 2500 Series, see the following publications: Nortel Ethernet Routing Switch 2500 Series Release Notes Software Release 4.1 (NN47215-400) Documents important changes about the software and hardware that are not covered in other related publications. Nortel Ethernet Routing Switch 2500 Series Overview System Conguration (NN47215-500) Describes the various management interfaces and how to use them to congure basic switching features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Conguration VLANs, Spanning Tree, and MultiLink Trunking (NN47215-501) Describes how to congure Virtual Local Area Networks (VLAN), Spanning Tree Protocol (STP), and MultiLink Trunk (MLT) features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Conguration Quality of Service (NN47215-504) Describes how to congure and manage Quality of Service features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Performance Management System Monitoring (NN47215-502) Describes how to congure system logging and network monitoring, and how to display system statistics for the Nortel Ethernet Routing Switch 2500 Series.
.
14 Introduction
Nortel Ethernet Routing Switch 2500 Series Conguration IP Multicast (NN47215-503) Describes how to congure IP Multicast Routing Protocol features for the Nortel Ethernet Routing Switch 2500 Series.
How to get help

This section explains how to get help for Nortel products and services.
Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specically, the site enables you to: download software, documentation, and product bulletins search the Technical Support web site and the Nortel Knowledge Base for answers to technical issues sign up for automatic notication of new software and documentation for Nortel equipment open and manage technical support cases
Getting help through a Nortel distributor or reseller

If you purchase a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Getting help over the phone from a Nortel Solutions Center

If you do not nd the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus
.
How to get help
15
Getting help from a specialist by using an Express Routing Code

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc
.
16 Introduction
.
17
Using security in your network

This chapter describes the security features available with the Ethernet Routing Switch 2500 Series. This chapter discusses the following topics: "Setting management passwords" (page 17) "Conguring security options" (page 18) "EAPOL Security Conguration" (page 23) "HTTP port number change" (page 26) "Simple Network Management Protocol" (page 26) "Advanced EAPOL features" (page 28)
Setting management passwords

To provide security on your switch, you can congure a local or RADIUS password for management access, or set SNMP community strings.
Console/TELNET/Web password Conguration

Telnet, and Web access allow a user at a remote console terminal to communicate with the Ethernet Routing Switch 2500 Series as if the console terminal were directly connected to the Switch. You can establish up to four active Telnet or Web sessions at one time, in addition to one active Console connection, for a total of ve possible concurrent users.
Username and password

You can set a local username and password to restrict access to the switch. The username and password can provide read/write access or read-only access to the switch. For more information, refer to <x-refs>
ATTENTION
If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords. For information about modifying existing usernames, see "Setting the username and password" (page 35).
.
18 Using security in your network
Logging on
If you set a password, the next time you access the switch, you are prompted for a username and password as shown in the (default usernames are RW and RO). Enter a valid username and password and press Enter. You are then directed to the CLI. For information about modifying the existing usernames, see Login screen"Setting the username and password" (page 35)
Login screen
Conguring Security options

Ethernet Routing Switch 2500 Series security features provide three levels of security for your LAN: RADIUS-based securitylimits administrative access to the switch through user authentication. MAC address-based securitylimits access to the switch based on allowed source MAC addresses. EAPOL-based security
Figure 1 "Ethernet Routing Switch 2500 Series security feature" (page 19) shows a typical campus conguration that uses the Ethernet Routing Switch 2500 security features. This example assumes that the switch, the teachers ofces and classrooms, and the library are physically secured. The student dormitory can (or can not be) physically secure.
.
Conguring Security options Figure 1 Ethernet Routing Switch 2500 Series security feature
19
In this conguration example, the following security measures are implemented: The switch RADIUS-based security is used to limit administrative access to the switch through user authentication (see "RADIUS-based network security" (page 20)). MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security" (page 21)). The switch is located in a locked closet, accessible only by authorized Technical Services personnel. Student dormitory Dormitory rooms are typically occupied by two students and are prewired with two RJ-45 jacks. Only students who are authorized (as specied by the MAC address-based security feature) can access the switch on the secured ports.
.
Teachers ofces and classrooms The PCs that are located in the teachers ofces and in the classrooms are assigned MAC address-based security that is specic for each classroom and ofce location. The security feature logically locks each wall jack to the specied station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC into the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port. It is assumed that all PCs are password protected and that the classrooms and ofces are physically secured.
Library The wall jacks in the library are set up so that the PCs can be connected to any wall jack in the room. With this arrangement, you can move the PCs anywhere in the room. The exception is the printer, which is assigned as a single station with full bandwidth to that port. It is assumed that all PCs are password protected and that access to the library is physically secured.
RADIUS-based network security

The RADIUS-based security feature lets you set up network access control by using the Remote Authentication Dial-In User Services (RADIUS) security protocol. The RADIUS-based security feature uses the RADIUS protocol to authenticate local console, Telnet, SSH, and Web access login sessions. You need to set up specic user accounts (user names and passwords, and Service-Type attributes) on your RADIUS server before you can initiate the authentication process. These accounts provide you with appropriate levels of access to the switch. Set the following username attributes on your RADIUS server: Read-write accessset the Service-Type eld value to Administrative. Read-only accessset the Service-Type eld value to NAS-Prompt.
For detailed instructions to set up your RADIUS server, see your RADIUS server documentation.
RADIUS password fallback enhancement

With Release 4.1 software, you can congure RADIUS password fallback as an option when using RADIUS authentication for login and password. When RADIUS password fallback is enabled and the RADIUS server is unavailable or unreachable, you can use the local switch password to log on to the switch.
.
Conguring Security options
21
When RADIUS password fallback is disabled, you must specify the RADIUS username and password from the NetLogin screen. Unless the RADIUS server is congured and reachable, you cannot log on to the switch to authenticate the login and password. The Radius password fallback feature is disabled by default. You can use the following CLI commands to enable and disable this feature: radius-server password fallback no radius-server
ATTENTION
The no radius-server CLI command disables the RADIUS fallback feature, along with the remaining RADIUS conguration.
MAC address-based security

The MAC address-based security feature lets you set up network access control, based on source MAC addresses of authorized stations. You can: Create a list of up to 448 MAC addresses and specify which addresses are authorized to connect to your switch. The 448 MAC addresses can be congured within a single standalone switch, or they can be distributed in any order among the units in a single stack conguration. Specify which of your switch ports each MAC address is allowed to access. The options for allowed port access include: NONE, ALL, and single or multiple ports that are specied in a list. Specify optional actions to be exercised by your switch if the software detects a security violation. The response can be to send a trap, turn on destination address (DA) ltering, disable a specic port, or any combination of these three options. The MAC address-based security feature is based on Nortel BaySecure LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.
EAPOL-based security
The Ethernet Routing Switch 2500 Series provides security on the basis of Extensible Authentication Protocol over LAN (EAPOL), and it uses the EAP as is given in the IEEE 802.IX so that you can set up a network access control over LANs. With EAP, you can authenticate user information through a connection between a client and the switch by using an authentication
.
service such as RADIUS. This security feature works hand-in-hand with the Radius-based server and thus provides the advantages of remote authentication to internal LAN clients. An example follows to show how an Ethernet Routing Switch 2500 Series reacts when it is congured to the EAPoL security feature and a new network connection: When the switch nds a new connection in one of its ports, the following occurs: 1. The switch asks for a User ID of the new client. 2. The User ID is covered by EAPoL, and it passes on to the Radius server. 3. The response from the Radius server is to ask for a password of the user. Within the EAPoL packet, the new client forwards a password to the switch: The EAPoL packet is relayed to the Radius server. If the Radius server validates the password, the new client is allowed to access the switch and the network. The EAPoL-based security is composed of the following terms: Supplicant- the device applying for network access. Authenticator- a software with the main purpose of authorizing the supplicant who is attached at the other end of the LAN segment. Authentication server- a Radius server that provides authorization services to an authenticator. Port Access Entity (PAE)- an entity that supports each port to the Authenticator or Supplicants. In the example above, the authenticator PAE is present in the switch. Controlled Port is a switch port with EAPOL based security. The authenticator communicates with the Supplicant through EAP over LAN (EAPoL), which is an encapsulation mechanism. The authenticator PAE encapsulates the EAP through the RADIUS server packet and sends it to the authentication server. The authenticator server sends the packet in an exchange that occurs between the supplicant and authentication server. This exchange occurs when the EAP message is encapsulated to make it suitable for the destination of the packet. The authenticator determines the operational state of the controlled port. The RADIUS server noties the authenticator PAE of the success
.
EAPOL Security Conguration
23
or failure of the authentication to change the operational state of the controlled port. PAE functions are then available for each port to forward, or else the controlled port state depends upon the operational trafc control eld in the EAPoL conguration screen. Operational trafc can be of two types: Incoming and Outgoing- In regards to an unauthorized controlled port, the frames received and transmitted are discarded, and state of the port is blocked. Incoming- Although the frames received for an unauthorized port are discarded, the transmit frames are forwarded through the port.
EAPoL with Guest VLAN

Basic EAP (802.1x) Authentication supports Port Based User Access. At any time, only one user (MAC) can be authenticated on a port, and the port can be assigned to only one Port-based VLAN. Only the MAC address of the device/user that completed the EAP negotiations on the port has access to that port for trafc. Any tagging of ingress packets are to the PVID of that port. This remains the default conguration. With Software Release 4.1, EAP also allows Guest VLANs to be congured for access to that port. Any active VLAN can be made a Guest VLAN.
EAPOL Security Conguration

EAPOL security lets you selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server.
ATTENTION
Before you enable EAPOL, you must congure your Primary RADIUS Server and RADIUS Shared Secret. You also need to set up specic user accounts on your RADIUS server:
User names Passwords VLAN IDs Port priority You can set up these parameters directly on your RADIUS server. For detailed instructions about conguring your RADIUS server, see your RADIUS server documentation.
.
ATTENTION
Do not enable EAPOL security on the switch port that is connected to the RADIUS server.
Password security
The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch and stack passwords. With password security enabled, the following enhanced security features are applied:
Password length and valid characters

Valid passwords must be between 10 and 15 characters long. The password must contain a minimum of the following: two lower-case letters two capital letters two numbers two special symbols, such as:!@#$%^&*()
The password is case sensitive.
Password retry
If the user fails to provide the correct password after a number of consecutive attempts, the switch resets the logon process. The number of failed logon attempts is congurable and the default is three.
Password history
The switch keeps a history of the last three passwords. You cannot reuse a password stored in history. When you set the password for the fourth time, you can reuse the password that you used the rst time.
Password display
The password is not displayed as clear text. Each character of the password is substituted with an asterisk (*).
Password verication
When you provide a new password, you must retype the password to conrm it. If the two passwords do not match, the password update process fails. In this case, you must try to update the password once again. There is no limit on the number of times you are allowed to update the password.
.
Password security 25
Password aging time

Passwords expire after a specied aging period. The aging period is congurable, with a range of 1 day to approximately 7.5 years (2730 days). The default is 180 days. When a password has aged out, the user is prompted to create a new password. Only users with a valid RW password can create a new RW or RO password.
Read-Only and Read-Write passwords must be different

The RO and RW passwords cannot be the same.
Applicable passwords
The password security feature applies these enhanced features to the following passwords: Switch RO password Switch RW password Stack RO password Stack RW password
The password security feature applies only the display and verication restrictions to the following passwords: RADIUS Shared Secret Read-Only community string Read-Write community string
Enabling and disabling password security

Password security can only be enabled or disabled from the CLI. When password security is enabled, the following occurs: Current passwords remain unchanged if they meet the required specications. If they do not meet the required specications, the user is prompted to change them to valid passwords. An empty password history bank is established. Password verication is enabled.
When password security is disabled, the following occurs: Current passwords remain valid. Password history bank is removed. Password verication is disabled.
.
ATTENTION
By default, password security is disabled for the non-SSH software image and enabled for the SSH software image.
Default passwords
For the standard software image, the default password for RO is "user" and "secure" for RW. For the secure software image, the default password for RO is "userpasswd" and "securepasswd" for RW.
HTTP port number change

With this feature, you can dene the UDP or TCP port number used for HTTP connections to the switch. This feature provides enhanced security and network access. Port number 80 is the default port for communication between the Web client and the server. With this feature, you can modify the HTTP port while the switch is running. The HTTP port value is saved in NVRAM, and also is saved across reboots of the switch. For more information, see "Changing the http port number" (page 43).
Simple Network Management Protocol

The Nortel Ethernet Routing Switch 2500 Series supports Simple Network Management Protocol (SNMP). SNMP is traditionally used to monitor Unix systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases. Any device that runs software that can retrieve SNMP information can be monitored. You can also use SNMP to change the state of SNMP-based devices. For example, you can use SNMP to shut down an interface on your device.
SNMP Version 1 (SNMPv1)

SNMP Version 1 (SNMPv1) is a historic version of the SNMP protocol. It is dened in RFC 1157 and is an Internet Engineering Task Force (IETF) standard.
.
Simple Network Management Protocol
27
SNMPv1 security is based on communities, which are nothing more than passwords: plain-text strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.

SNMP Version 2 (SNMPv2) is another historic version of SNMP and is often referred to as community string-based SNMPv2. This version of SNMP is technically called SNMPv2c. It is dened in RFC 1905, RFC 1906, and RFC 1907.

SNMP Version 3 (SNMPv3) is the current formal SNMP standard dened in RFCs 3410 through 3419, and in RFC 3584. It provides support for strong authentication and private communication between managed entities.
Nortel Ethernet Routing Switch 2500 Series support for SNMP

The SNMP agent in the Nortel Ethernet Routing Switch 2500 Series supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities. SNMPv3 support in the Nortel Ethernet Routing Switch 2500 Series introduces industrial-grade user authentication and message security. This includes MD5- and SHA-based user authentication and message integrity verication, as well as AES, DES, and 3DES-based privacy encryption. With the Nortel Ethernet Routing Switch 2500 Series you can congure SNMPv3 by using the Device Manager, Web-based management, or the CLI.
SNMP MIB support

The Nortel Ethernet Routing Switch 2500 Series supports an SNMP agent with industry-standard Management Information Bases (MIB), as well as private MIB extensions, which ensures compatibility with existing network management tools. The IETF standard MIBs supported on the switch include MIB-II (originally published as RFC 1213, then split into separate MIBs as described in RFCs 4293, 4022, and 4113), Bridge MIB (RFC 4188), and the RMON MIB (RFC 2819), which provides access to detailed management statistics.
.
SNMP trap support

With SNMP management, you can congure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in port operating status. The Nortel Ethernet Routing Switch 2500 Series supports both industry-standard SNMP traps, as well as private Nortel enterprise traps.
Advanced EAPOL features

EAPOL supports the following advanced features: Multihost (MH) support: Multiple Host with Multiple Authentication (MHMA) (see Multiple Host with Multiple Authentication) Non-EAP hosts on EAP-enabled ports (see Non-EAP hosts on EAP-enabled ports) Multiple Host with Single Authentication (MHSA) (see Multiple Host with Single Authentication)
Multiple Host with Multiple Authentication

For an EAP-enabled port congured for Multiple Host with Multiple Authentication (MHMA), a nite number of EAP users or devices with unique MAC addresses are allowed on the port. Each user must complete EAP authentication before the port allows trafc from the corresponding MAC address. Only trafc from the authorized hosts is allowed on that port. Radius-assigned VLAN values are allowed in the MHMA mode. For information about Radius-assigned VLANs in the MHMA mode, see Radius-assigned VLAN use in MHMA mode. MHMA support is on a per-port basis for an EAP-enabled port. The following are some of the concepts associated with MHMA: Logical and physical ports Each unique port and MAC address combination is treated as a logical port. MAX_MAC_PER_PORT denes the maximum number of MAC addresses that can perform EAP authentication on a port at any given time. Each logical port is treated as if it is in the SHSA mode. Indexing for MIBs Logical ports are indexed by a port and source MAC address (src-mac) combination. Enterprise-specic MIBs are dened for state machine-related MIB information for individual MACs. Transmitting EAPOL packets
.
29
Only unicast packets are sent to a specic port so that the packets reach the correct destination. Receiving EAPOL packets The EAPOL packets are directed to the correct logical port for state machine action. Trafc on an authorized port Only a set of authorized MAC addresses is allowed access to a port. MHMA support for EAP clients includes the following features: A port remains on the Guest VLAN when no authenticated hosts exist on it. Until the rst authenticated host, both EAP and non EAP clients are allowed on the port. After the rst successful authentication, only EAPOL packets and data from the authenticated MAC addresses are allowed on a particular port. Only a predened number of authenticated MAC users are allowed on a port. When RADIUS VLAN assignment is disabled for ports in MHMA mode, only precongured VLAN assignment for the port is used. Upon successful authentication, untagged trafc is put it in a VLAN congured for the port. When RADIUS VLAN assignment is enabled for ports in MHMA mode, upon successful RADIUS authentication, the port gets a VLAN value in a RADIUS Attribute with EAP success. The port is added and the PVID is set to the rst such VLAN value from the RADIUS server. Conguration of timer parameters is per physical port, not per user session. However, the timers are used by the individual sessions on the port. Reauthenticate Now, when enabled, causes all sessions on the port to reauthenticate. Reauthentication timers are used to determine when a MAC is disconnected so as to enable another MAC to log in to the port. Conguration settings are saved across resets.
Radius-assigned VLAN use in MHMA mode

Radius-assigned VLAN use in the MHMA mode is allowed to give you greater exibility and a more centralized assignment than existed. This feature is also useful in an IP Phone set up, when the phone trafc can be directed to the Voice over IP (VoIP) VLAN and the PC Data trafc can be directed to the assigned VLAN. When Radius-assigned VLAN values are allowed, the port behaves as follows: the rst authenticated EAP MAC
.
address may not have a Radius-assigned VLAN value. At this point, the port is moved to a congured VLAN. A later authenticated EAP MAC address (for instance, the third one on the port) can get a Radius-assigned VLAN value. This port is then added, and the port VLAN ID (PVID) is set to the rst such VLAN value from the Radius server. The VLAN remains the same irrespective of which MAC leaves, and a change in the VLAN takes place only when there are no authenticated hosts on the port. This enhancement works in a very similar manner with the already existing Radius assigned VLANs feature in SHSA mode. It is basically an extension of that feature which gives the user the ability to move a port to a specic VLAN, even if that switch port operates in EAP MHMA mode. The only restriction of this enhancement is that if you have multiple EAP clients authenticating on a given switch port (as you normally can in MHMA mode), each one congured with a different VLAN ID on the Radius server, the switch moves the port to the VLAN of the rst authenticated client. In this way, a permanent bounce between different VLANs of the switch port is avoided. Following are the steps to enable the enhancement : Enable Radius assigned VLANs in Global Conguration command mode:
2526T(config)#eapol multihost use-radius-assigned-vlan
Enable Radius assigned VLANs in interface mode for switch port 1:
2526T(config-if)#eapol multihost port 1 use-radius-assigne d-vlan
By default, the Radius assigned VLANs in MHMA enhancement is disabled in global cong and interface modes, for all switch ports.
Non-EAP hosts on EAP-enabled ports

For an EAPOL-enabled port congured for non-EAPOL host support, a nite number of non-EAPOL users or devices with unique MAC addresses are allowed access to the port. The following types of non-EAPOL users are allowed: Hosts that match entries in a local list of allowed MAC addresses. You can specify the allowed MAC addresses when you congure the port to allow non-EAPOL access. These hosts are allowed on the port without authentication. Non-EAPOL hosts whose MAC addresses are authenticated by RADIUS. Nortel IP Phones.
.
31
Support for non-EAPOL hosts on EAPOL-enabled ports is primarily intended to accommodate printers and other dumb devices sharing a hub with EAPOL clients. Support for non-EAPOL hosts on EAPOL-enabled ports includes the following features: EAPOL and authenticated non-EAPOL clients are allowed on the port at the same time. Authenticated non-EAPOL clients are hosts that satisfy one of the following criteria: Host MAC address matches an entry in an allowed list precongured for the port. Host MAC address is authenticated by RADIUS. Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts exist on the port. When a new host is seen on the port, non-EAPOL authentication is performed as follows: If the MAC address matches an entry in the precongured allowed MAC list, the host is allowed. If the MAC address does not match an entry in the precongured allowed MAC list, the switch generates a <username, password> pair, which it forwards to the network RADIUS server for authentication. For more information about the generated credentials, see "Non-EAPOL MAC RADIUS authentication" (page 32). If the MAC address is authenticated by RADIUS, the host is allowed. If the MAC address does not match an entry in the precongured allowed MAC list and also fails RADIUS authentication, the host is counted as an intruder. Data packets from that MAC address are dropped. EAPOL authentication is not affected. For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged trafc is put in a VLAN precongured for the port. For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged trafc follows the PVID of the port. Non-EAPOL hosts continue to be allowed on the port until the maximum number of non-EAPOL hosts is reached. The maximum number of non-EAPOL hosts allowed is congurable. After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped.
.
The additional non-EAPOL hosts are counted as intruders. New EAPOL hosts can continue to negotiate EAPOL authentication. When the intruder count reaches 32, a SNMP trap and system log message are generated. The port administrative status is set to force-unauthorized, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL and non-EAPOL negotiations on the port. The feature uses enterprise-specic MIBs. Conguration settings are saved across resets.
ATTENTION
Guest VLAN and non-EAPOL host support on a port are mutually exclusive. If you have congured a port to support Guest VLAN, you cannot enable support for non-EAPOL hosts on that port. Similarly, if you have congured an EAPOL-enabled port to support non-EAPOL hosts, you cannot enable Guest VLAN on that port. Also, you cannot enable non-EAPOL support on uplink or call server ports.
For information about conguring non-EAPOL host support, see Conguring support for non-EAPOL hosts on EAPOL-enabled ports.
Non-EAPOL MAC RADIUS authentication

For RADIUS authentication of a non-EAPOL host MAC address, the switch generates a <username, password> pair as follows: The username is the non-EAPOL MAC address in string format. The password is a string that combines the MAC address, switch IP address, unit, and port. The password is a string that combines the MAC address, switch IP address, unit, and port.
ATTENTION
Use only lowercase letters for usernames and passwords congured on the Radius server. Follow these global conguration examples, to select a password format that combines one or more of these 3 elements: password = 010010011253..0305 (when the switch IP address, unit and port are used). password = 010010011253.. (when only the switch IP address is used).
The following example illustrates the <username, password> pair format: switch IP address = 10.10.11.253
.
33
non-EAP host MAC address = 00 C0 C1 C2 C3 C4 unit = 3 port = 25 username = 00c0c1c2c3c4 password = 010010011253.00c0c1c2c3c4.0325
Multiple Host with Single Authentication

Multiple Host with Single Authentication (MHSA) is a more restrictive implementation of support for non-EAPOL hosts on EAPOL-enabled ports. For an EAPOL-enabled port congured for MHSA, one EAPOL user must successfully authenticate before a nite number of non-EAPOL users or devices with unique MAC addresses are allowed to access the port without authentication. The MHSA feature is intended primarily to accommodate printers and other dumb devices sharing a hub with EAPOL clients. MHSA support is on a per-port basis for an EAPOL-enabled port. MHSA support for non-EAPOL hosts includes the following features: The port remains unauthorized when no authenticated hosts exist on it. Before the rst successful authentication occurs, both EAPOL and non-EAPOL clients are allowed on the port to negotiate access, but at any time, only one host can negotiate EAPOL authentication. After the rst EAPOL client successfully authenticates, EAPOL packets and data from that client are allowed on the port. No other clients are allowed to negotiate EAPOL authentication. The port is set to precongured VLAN assignments and priority values or to values obtained from RADIUS for the authenticated user. After the rst successful authentication, any new hosts, up to a congured maximum number, are automatically allowed on the port, without authentication. After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped. The additional non-EAPOL hosts are counted as intruders. When the intruder count reaches 32, a SNMP trap and system log message are generated. The port administrative status is set to force-unauthorized, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL negotiations on the port. If the EAPOL-authenticated user logs off, the port returns to an unauthorized state and non-EAPOL hosts are not allowed. This feature uses enterprise-specic MIBs.
.
The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value congured for a port is 2. This translates to around 200 for a box and 800 for a stack.
.
35
Conguring Security using the CLI

This chapter describes the security commands available with the CLI. This chapter covers the following topics: "Securing your system" (page 35) "Securing your network" (page 80)
Securing your system

You can secure your system using the following CLI commands: "Setting the username and password" (page 35) "Conguring the IP manager list" (page 39) "Changing the http port number" (page 43) "Setting Telnet access" (page 44) "Conguring Secure Shell (SSH)" (page 48) "Setting server for Web-based management" (page 55) "Conguring the RADIUS-based management password authentication" (page 56) "Setting SNMP parameters" (page 58)
Setting the username and password

This section contains information about the following topics: "username command" (page 35) "cli password command" (page 36)
username command
The username command sets the system username and password for access through the serial console port, Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch. The parameters are set for the standalone or stack environment depending on the current operational mode.
.
36 Conguring Security using the CLI
The syntax for the username command is:

username <username> <password> [ro|rw]
The username command is executed in the Global Conguration command mode. Table 1 "username command parameters and variables" (page 36) describes the parameters and variables for the username command.
Table 1 username command parameters and variables Parameters and variables <username> <password> Description Enter your username for the first variable, and your password for the second variable. The default username values are RO for read-only access and RW for read/write access.
ro|rw
Specifies that you are modifying the read-only (ro) username or the read-write (rw) username. The ro/rw variable is optional. If it is omitted, the command applies to the read-only mode.
ATTENTION
After you congure the username and password with the username command, if you then update the password using the cli password command (or through Web-based management), the new password is set, but the username is unchanged.
cli password command

You can set passwords using the cli password command for selected types of access using the CLI, Telnet, or RADIUS security. The CLI password is in two forms and performs the following functions for the switch: changes the password for access through the serial console port or Telnet and Web-based management species changing the password for the serial console port, or Telnet and Web-based management access, and whether to authenticate the password locally or with the RADIUS server
.
37
The syntax for the cli password commands is:

cli password {read-only|read-write} <NAME> <PASSWORD> cli password {serial|telnet} {none|local|radius}
The cli password command is executed in the Global Conguration command mode.
Table 2 cli password command parameters and variables Parameters and variables read-only|read-w rite <NAME> <PASSWORD> serial|telnet Description Specifies that you are modifying the read-only (ro) password or the read-write (rw) password. Enter your username for the first variable, and your password for the second variable. Specifies that you are modifying the password for serial console access or for Telnet and Web-based management access. Specifies the password that you are modifying: none disables the password local use the locally defined password for serial console or Telnet access radius use RADIUS authentication for serial console or Telnet access
none|local|radiu s
Setting password security

The following commands can be used in the Global Conguration command mode to enable, disable and congure Password Security: "password security command" (page 38) "no password security command" (page 38) "show password security command" (page 38) "password aging-time day command" (page 38) "show password aging-time day command" (page 39) "Conguring the number of password logon attempts" (page 39)
.
password security command

The password security command enables password security on the switch. The syntax for the command is:
password security
The password security command has no parameters or variables.
no password security command

The no password security command disables password security on the switch. The syntax for the command is:
no password security
The no password security command has no parameters or variables.
show password security command

The show password security command displays the current status of password security on the switch. The syntax for the command is:
show password security
The following shows a sample output for this command: 2550T (config)#show password security Password security is enabled The show password security command has no parameters or variables.
password aging-time day command

The password aging-time day command sets the password aging time. Password security must be enabled for the command to be available. The syntax of the command is:
password aging-time <aging-value>
where <aging-value> is between 0 - 2730. A value of 0 causes the password to age out immediately. If a new aging time is set from the CLI, the password aging counters are not reset.
.
39
show password aging-time day command

The password aging-time day command shows the congured password aging-time. The syntax of the command is:
show password aging-time
The following shows a sample output for this command: 2550T (config)#show password aging-time Aging time: 100 days
Conguring the number of password logon attempts

The telnet-access retry command congures the number of times a user can attempt a password:. The syntax of the command is:
telnet-access retry <number>
where <number> is an integer in the range 1-100 that species the allowed number of failed logon attempts. The default is 3. If a new aging time is set from the CLI, the password aging counters are not reset.
Conguring the IP manager list

When enabled, the IP manager list determines which source IP addresses are allowed access to the switch. No other source IP addresses have access to the switch. You congure the IP manager list by using the following commands: "show ipmgr command" (page 39) "ipmgr command for management system" (page 40) "no ipmgr command for management system" (page 41) "ipmgr command for source IP address" (page 42) "no ipmgr command for source IP address" (page 42)
show ipmgr command

The show ipmgr command displays whether Telnet, SNMP, and Web access are enabled; whether the IP manager list is used to control access to Telnet, SNMP, and the Web-based management system; and the current IP manager list conguration. The syntax for the show ipmgr command is:
show ipmgr
.
The show ipmgr command is executed in the Privileged EXEC command mode. The show ipmgr command has no parameters or variables. Figure 2 "show ipmgr command output" (page 40) displays sample output from the show ipmgr command.
Figure 2 show ipmgr command output
ipmgr command for management system

The ipmgr command for the management systems enables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the ipmgr command for the management systems is:
ipmgr {telnet|snmp|web} [source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]
The ipmgr command for the management systems is executed in the Global Conguration command mode. Table 3 "ipmgr command for system management parameters and variables" (page 40) describes the parameters and variables for the ipmgr command.
Table 3 ipmgr command for system management parameters and variables Parameters and variables telnet|snmp|web Description Enables IP manager list checking for access to various management systems:
telnet provides list access using Telnet access
.
41
Parameters and variables
Description snmp provides list access using SNMP, including the Device Manager web provides list access using the Web-based management system
source-ip <1-10> <XXX.XXX.XXX.XXX>
Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.
[mask <XXX.XXX.XXX.X XX>]
no ipmgr command for management system

The no ipmgr command disables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the no ipmgr command for the management systems is:
no ipmgr {telnet|snmp|web}
The no ipmgr command is executed in the Global Conguration command mode. Table 4 "no ipmgr command for management system" (page 41) describes the parameters and variables for the no ipmgr command.
Table 4 no ipmgr command for management system Parameters and variables telnet|snmp|web Description Disables IP manager list checking for access to various management systems:
telnet disables list check for Telnet access snmp disables list check for SNMP, including the Device Manager web disables list check for the Web-based management system
.
ipmgr command for source IP address

You can use the ipmgr command for source IP addresses to enter the source IP addresses or address ranges for which you want to provide access to the switch. The syntax for the ipmgr command for source IP addresses is:
ipmgr {source-ip <1-10> <XXX.XXX.XXX.XXX>[mask <XXX.XXX.XXX .XXX>]}
The ipmgr command for the source IP addresses is executed in the Global Conguration command mode. Table 5 "ipmgr command for source IP addresses parameters and variables" (page 42) describes the parameters and variables for the ipmgr command for the source IP addresses.
Table 5 ipmgr command for source IP addresses parameters and variables Parameters and variables source-ip <1-10> <XXX.XXX.XXX.XXX> Description Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.
[mask <XXX.XXX.XXX.X XX>]
no ipmgr command for source IP address

The no ipmgr command for source IP addresses disables access for specied source IP addresses or address ranges, and denies them access to the switch. The syntax for the no ipmgr command for source IP addresses is:
no ipmgr {source-ip [<1-10>]}
The no ipmgr command for the source IP addresses is executed in the Global Conguration command mode. Table 6 "no ipmgr command for source IP addresses parameters and variables" (page 43) describes the parameters and variables for the no ipmgr command for the source IP addresses.
.
Securing your system Table 6 no ipmgr command for source IP addresses parameters and variables Parameters and variables source-ip [<1-10>] Description When you specify an option, this command sets the IP address and mask for the specified entry to 255.255.255.255 and 255.255.255.255. When you omit the optional parameter, the list is reset to the factory defaults.
43
Changing the http port number

This feature provides enhanced security and network access. The default HTTP port typically used to communicate between the Web client and the server is the well-known port 80. With this feature, you can change the HTTP port. You can congure this feature by using the following commands: "show http-port command" (page 43) "http-port command" (page 44) "default http-port" (page 44)
show http-port command

The show http-port command displays the port number of the HTTP port. The syntax for the show http-port command is:
show http-port
The show http-port command is executed in the Privileged EXEC command mode. The show http-port command has no parameters or variables. Figure 3 "show http-port command output" (page 43) displays sample output from the show http-port command command.
Figure 3 show http-port command output
.
http-port command
The http-port command sets the port number for the HTTP port. The syntax for the http-port command is:
http-port <1024-65535>
The http-port command is executed in the Global Conguration command mode. Table 7 "http-port command parameters and variables" (page 44) describes the parameters and variables for the http-port command.
Table 7 http-port command parameters and variables Parameters and variables <1024-65535> Description Enter the port number you want to be the HTTP port.
ATTENTION
To set the HTTP port to 80, use the default http-port command.
The default value for this parameter is port 80.
default http-port
The default http-port command sets the port number for the HTTP port to the default value of 80. The syntax for the default http-port command is:
default http-port
The default http-port command is executed in the Global Conguration command mode. The default http-port command has no parameters or variables.
Setting Telnet access

You can also access CLI through a Telnet session. To access CLI remotely, the management port must have an assigned IP address and remote access must be enabled. You can log on to the switch using Telnet from a terminal that has access to the Ethernet Routing Switch 2500 Series. To open a Telnet session from Device Manager, click on the Telnet icon on the tool bar (Figure 4 "Telnet icon on Device Manager toolbar" (page 45)) or click Action > Telnet on the Device Manager tool bar.
.
Securing your system Figure 4 Telnet icon on Device Manager toolbar
45
ATTENTION
Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of ve users on the switch. All users can congure simultaneously.
You can view the Telnet allowed IP addresses and settings, change the settings, or disable the Telnet connection. This section covers the following topics: "show telnet-access command" (page 45) "telnet-access command" (page 46) "no telnet-access command" (page 47) "default telnet-access command" (page 48)
show telnet-access command

The show telnet-access command displays the current settings for Telnet access. The syntax for the show telnet-access command is:
show telnet-access
The show telnet-access command is executed in the Privileged EXEC command mode. The show telnet-access command has no parameters or variables. Figure 5 "show telnet-access command output" (page 46) displays sample output from the show telnet-access command.
.
46 Conguring Security using the CLI Figure 5 show telnet-access command output
telnet-access command
With the telnet-access command, you can congure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is:
telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access |failures|all}] [source-ip <1-10> <XXX.XXX.XXX.XXX>[mask <XXX.XXX.XXX.XXX>]]
The telnet-access command is executed in the Global Conguration command mode. Table 8 "telnet-access command parameters and variables" (page 46) describes the parameters and variables for the telnet-access command.
Table 8 telnet-access command parameters and variables Parameters and variables enable|disable login-timeout <1-10> Description Enables or disables Telnet connections. Specifies the time in minutes that you want to wait between an initial Telnet connection and acceptance of a password before closing the Telnet connection; enter an integer between 1 and 10. Specifies the number of times that the user can enter an incorrect password before closing the connection; enter an integer between 1 and 100. Specifies in minutes how long to wait before closing an inactive session; enter an integer between 0 and 60.
retry <1-100>
inactive timeout <0-60>
.
47
Parameters and variables logging {none|access|fail ures|all]
Description Specifies what types of events you want to save in the event log:
all Save all access events in the log: Telnet connect indicates the IP address and access mode of a Telnet session. Telnet disconnect indicates the IP address of the remote host and the access mode, due to either a log off or inactivity. Failed Telnet connection attempts indicates the IP address of the remote host that is not on the list of allowed addresses, or indicates the IP address of the remote host that did not supply the correct password.
none No Telnet events are saved in the event log. access Connect and disconnect events are saved in the event log. failure Only failed Telnet connection attempts are saved in the event log.
[source-ip <1-10> <XX X.XXX.XXX.XXX>[mask <XXX.XXX.XXX.XXX>]
Specifies up to 10 source IP addresses from which connections are allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which connections are allowed; enter the IP mask in dotted-decimal notation.
ATTENTION
These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
no telnet-access command
With the no telnet-access command, you can disable the Telnet connection. The syntax for the no telnet-access command is:
no telnet-access [source-ip [<1-10>]]
The no telnet-access command is executed in the Global Conguration command mode.

.
Table 9 "no telnet-access command parameters and variables" (page 48) describes the parameters and variables for the no telnet-access command.
Table 9 no telnet-access command parameters and variables Parameters and variables source-ip [<1-10>] Description Disables the Telnet access. When you do not use the optional parameter, the source-ip list is cleared, meaning that the 1st index is set to 0.0.0.0./0.0.0.0. and the 2nd to 10th indexes are set to 255.255.255.255/255.255.255.255. When you do specify a source-ip value, the specified pair is set to 255.255.255.255/255.255.255.255.
ATTENTION
These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
default telnet-access command

The default telnet-access command sets the Telnet settings to the default values. The syntax for the default telnet-access command is:
default telnet-access
The default telnet-access command is executed in the Global Conguration command mode. The default telnet-access command has no parameters or values.
Conguring Secure Shell (SSH)

This section provides the Conguring SSH using the Command Line Interface commands for conguring and managing SSH on the Ethernet Routing Switch 2500 Series. The SSH protocol provides secure access to the CLI. By using the CLI, you can execute the following commands: "show ssh global command" (page 49) "show ssh session command" (page 50) "show ssh download-auth-key command" (page 50)
.
49
"ssh dsa-host-key command" (page 51) "no ssh dsa-host-key command" (page 51) "ssh command" (page 51) "no ssh command" (page 51) "ssh secure command" (page 52) "ssh timeout command" (page 52) "ssh dsa-auth command" (page 52) "no ssh dsa-auth command" (page 53) "ssh pass-auth command" (page 53) "no ssh pass-auth command" (page 53) "ssh port command" (page 53) "ssh download-auth-key command" (page 54) "no ssh dsa-auth-key command" (page 54) "default ssh command" (page 54)
show ssh global command

The show ssh global command displays the secure shell conguration information. The syntax for the show ssh global command is:
show ssh global
The show ssh global command is executed in the Privileged EXEC command mode. The show ssh global command has no parameters or variables. Figure 6 "show ssh global command output" (page 49) displays sample output from the show ssh global command
Figure 6 show ssh global command output
.
show ssh session command

The show ssh session command displays the SSH session information. The session information includes the session ID and the host IP address. A host address of 0.0.0.0 indicates no connection for that session ID. The syntax for the show ssh session command is:
show ssh session
The show ssh session command is executed in the Privileged EXEC command mode. The show ssh session command has no parameters or variables. Figure 7 "show ssh session command output" (page 50) displays sample output from the show ssh session command.
Figure 7 show ssh session command output
show ssh download-auth-key command

The show ssh download-auth-key command displays the results of the most recent attempt to download the DSA public key from the TFTP server. The syntax for the show ssh download-auth-key command is:
show ssh download-auth-key
The show ssh download-auth-key command is executed in the Privileged EXEC command mode. The show ssh download-auth-key command has no parameters or variables. Figure 8 "show ssh download-auth-key command output" (page 50) displays sample output from the ssh download-auth-key command.
Figure 8 show ssh download-auth-key command output
.
51
ssh dsa-host-key command

The switch starts generating the DSA host keys immediately after the ssh dsa-host-key command is given. A reboot is not necessary.
ATTENTION
You cannot enable SSH while the host key is being generated.
This command can only be executed in SSH disable mode. The syntax of the ssh dsa-host-key command is:
ssh dsa-host-key
The ssh dsa-host-key command is executed in the Global Conguration command mode. There are no parameters or variables for the ssh dsa-host-key command.
no ssh dsa-host-key command

The no ssh dsa-host-key-gen command deletes the DSA host key in the switch. The syntax of the no ssh dsa-host-key-gen command is:
no ssh dsa-host-key
The no ssh dsa-host-key command is executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-host-key command.
ssh command
The ssh command enables the SSH server on the Ethernet Routing Switch 2500 Series in nonsecure mode. In addition to accepting SSH connections, the Ethernet Routing Switch 2500 Series continues to accept Web, SNMP, and Telnet connections while in this mode.The syntax of the ssh command is:
ssh
The ssh command is executed in the Global Conguration command mode. There are no parameters or variables for the ssh command.
no ssh command
The no ssh command disables the SSH server on the Ethernet Routing Switch 2500 Series. The syntax of the no ssh command is:
no ssh
.
The no ssh command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh command.
ssh secure command

The ssh secure command enables the SSH server on the Ethernet Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet Routing Switch 2500 Series does not accept Web, SNMP, or Telnet connections. The syntax of the ssh secure command is:
ssh secure
The ssh secure command executed in the Global Conguration command mode. There are no parameters or variables for the ssh secure command.
ssh timeout command

The ssh timeout command sets the timeout value for session authentication. The syntax of the ssh timeout command is:
ssh timeout <1-120>
The ssh timeout command executed in the Global Conguration command mode. Table 10 "ssh timeout command parameters and variables" (page 52) describes the parameters and variables for the ssh timeout command.
Table 10 ssh timeout command parameters and variables Parameters and variables <1-120> Description Specifies the timeout value for authentication. The default is 60.
ssh dsa-auth command

The ssh dsa-auth command enables DSA authentication. The syntax of the ssh dsa-auth command is:
ssh dsa-auth
The ssh dsa-auth commandexecuted in the Global Conguration command mode. There are no parameters or variables for the ssh dsa-auth command.
.
53
no ssh dsa-auth command

The no ssh dsa-auth command disables DSA authentication. The syntax for the no ssh dsa-auth command is:
no ssh dsa-auth
The no ssh dsa-auth command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-auth command.
ssh pass-auth command

The ssh pass-auth command enables password authentication. The syntax of the ssh pass-auth command is:
ssh pass-auth
The ssh pass-auth command executed in the Global Conguration command mode. There are no parameters or variables for the ssh pass-auth command.
no ssh pass-auth command

The no ssh pass-auth command disables password authentication. The syntax of the no ssh pass-auth command is:
no ssh pass-auth
The no ssh pass-auth command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh pass-auth command.
ssh port command

The ssh port command sets the SSH connection port. The syntax of the ssh port command is:
ssh port <1-65535>
The ssh portcommand is executed in the Global Conguration command mode. Table 11 "ssh port command parameters and variables" (page 54) describes the parameters and variables for the ssh port command.
.
54 Conguring Security using the CLI Table 11 ssh port command parameters and variables Parameters and variables <1-65535> Description Specifies the SSH connection port. The default is 22.
ssh download-auth-key command

The ssh download-auth-key command downloads the client public key from the TFTP server to the Ethernet Routing Switch 2500 Series. The syntax for the ssh download-auth-key is:
ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name <file>]
The ssh download-auth-key command is executed in the Global Conguration command mode. Table 12 "ssh download-auth-key command parameters and variables" (page 54) describes the parameters and variables for the ssh download-auth-key command.
Table 12 ssh download-auth-key command parameters and variables Parameters and variables address <XXX.XXX.XXX.XXX> key-name <file> Description The IP address of the TFTP server. The name of the public key file on the TFTP server.
no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the SSH DSA authentication key. The syntax for the command is:
no ssh dsa-auth-key
The no ssh dsa-auth-key command is executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-auth-key command.
default ssh command

The default ssh command resets the specic secure shell conguration parameter to the default value. The syntax of the default ssh command is:
.
55
default ssh [dsa-auth|pass-auth|port|timeout]
The default ssh command is executed in the Global Conguration command mode. Table 13 "default ssh command parameters and variables" (page 55) describes the parameters and variables for the default ssh command.
Table 13 default ssh command parameters and variables Parameters and variables dsa-auth pass-auth port timeout Description Resets dsa-auth to the default value. Default is True. Resets pass-auth to the default value. Default is True. Resets the port number for SSH connections to the default. Default is 22. Resets the timeout value for session authentication to the default. Default is 60.
Setting server for Web-based management

You can enable or disable the Web server to use for the Web-based management system. This section discusses the following commands: "web-server" (page 55) "no web-server" (page 56)
web-server
The web-server command enables or disables the Web server that you use for Web-based management. The syntax for the web-server command is:
web-server {enable|disable}
The web-server command is executed in the Global Conguration command mode. Table 14 "web-server command parameters and variables" (page 56) describes the parameters and variables for the web-server command.
.
56 Conguring Security using the CLI Table 14 web-server command parameters and variables Parameters and variables enable|disabl e Description Enables or disables the Web server.
no web-server
The no web-server command disables the Web server that you use for Web-based management. The syntax for the no web-server command is:
no web-server
The no web-server command is executed in the Global Conguration command mode. The no web-server command has no parameters or values.
Conguring the RADIUS-based management password authentication

By using the RADIUS protocol and server, you can congure the Ethernet Routing Switch 2500 Series for authentication. To congure this authentication by using the CLI system, you can use the following commands: "show radius-server command" (page 56) "radius-server command" (page 57) "no radius-server command" (page 58) "default radius-server command" (page 58) "radius-server password fallback command" (page 58)
show radius-server command

The show radius-server command displays the RADIUS server conguration. The syntax for the show radius-server command is:
show radius-server
The show radius-server command is executed in the Privileged EXEC command mode. The show radius-server command has no parameters or variables. Figure 9 "show radius-server command output" (page 57) shows sample output from the show radius-server command.
.
Securing your system Figure 9 show radius-server command output
57
radius-server command
The radius-server command changes the RADIUS server settings. The syntax for the radius-server command is:
radius-server host <address> [secondary-host <address>] port <num> key <string> timeout <num>
ATTENTION
When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and conrm the string.
The radius-server command is executed in the Global Conguration command mode. Table 15 "radius-server command parameters and variables" (page 57) describes the parameters and variables for the radius-server command.
Table 15 radius-server command parameters and variables Parameters and variables primary-host <address> secondary-host <address> port <num> key <string> Description Specifies the primary RADIUS server. Enter the IP address of the RADIUS server. Specifies the secondary RADIUS server. Enter the IP address of the secondary RADIUS server. Enter the port number of the RADIUS server. Specifies a secret text string that is shared between the switch and the RADIUS server for authentication. Enter the secret string, which is an alphanumeric string of up to 16 characters. Specifies the RADIUS time-out period.
timeout <num>
.
no radius-server command
The no radius-server command clears the RADIUS server settings. The syntax for the no radius-server command is:
no radius-server
The no radius-server command is executed in the Global Conguration command mode. The no radius-server command has no parameters or values.
default radius-server command

The default radius-server command sets the RADIUS server settings to the default values. The syntax for the default radius-server command is:
default radius-server
The default radius-server command is executed in the Global Conguration command mode. The default radius-server command has no parameters or values.
radius-server password fallback command

With the radius-server password fallback command, you can congure password fallback as an option when you use RADIUS authentication for login and password. When both RADIUS servers are unreachable the user can log in using the local passwords. The syntax for the radius-server password fallback command is:
radius-server password fallback
The radius-server password fallback command is executed in the Global Conguration command mode.
Setting SNMP parameters

For information about setting SNMP parameters and traps, see the following sections: "Common SNMP and SNMPv3 CLI commands" (page 58) "CLI commands specic to SNMPv3" (page 69)
Common SNMP and SNMPv3 CLI commands

This section describes the common CLI commands that you can use to congure SNMP and SNMPv3. For details about the SNMP CLI commands that are specic to SNMPv3, see "CLI commands specic to SNMPv3" (page 69).
.
59
The switch provides the following CLI commands to congure SNMP and SNMPv3: "snmp-server command" (page 59) "no snmp-server command" (page 60) "snmp-server authentication-trap command" (page 60) "no snmp-server authentication-trap command" (page 61) "default snmp-server authentication-trap command" (page 61) "snmp-server community for read/write command" (page 61) "no snmp-server community command" (page 62) "default snmp-server community command" (page 63) "show snmp-server community command" (page 64) "snmp-server contact command" (page 64) "no snmp-server contact command" (page 64) "default snmp-server contact command" (page 64) "snmp-server location command" (page 65) "no snmp-server location command" (page 65) "default snmp-server location command" (page 66) "snmp-server name command" (page 66) "no snmp-server name command" (page 66) "default snmp-server name command" (page 67) "snmp trap link-status command" (page 67) "no snmp trap link-status command" (page 68) "default snmp trap link-status command" (page 69)
snmp-server command
The snmp-server command enables or disables the SNMP server. The syntax for the snmp-server command is:
snmp-server {enable|disable}
The snmp-server command is executed in the Global Conguration command mode. Table 16 "snmp-server command parameters and variables" (page 60) describes the parameters and variables for the snmp-servercommand.
.
60 Conguring Security using the CLI Table 16 snmp-server command parameters and variables Parameters and variables enable|disable Description Enables or disables the SNMP server.
no snmp-server command
The no snmp-server command disables SNMP access. The syntax for the no snmp-server command is:
no snmp-server
The no snmp-server command is executed in the Global Conguration command mode. The no snmp-server command has no parameters or variables.
ATTENTION
Disabling SNMP access also locks you out of the Device Manager management system.
snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generation of SNMP authentication failure traps. The syntax for the snmp-server authentication-trap command is:
snmp-server authentication-trap {enable|disable}
The snmp-server authentication-trap command is executed in the Global Conguration command mode. Table 17 "snmp-server authentication-trap command parameters and variables" (page 60) describes the parameters and variables for the snmp-server authentication-trap command.
Table 17 snmp-server authentication-trap command parameters and variables Parameters and variables enable|disable Description Enables or disables the generation of authentication failure traps.
.
61
no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables the generation of SNMP authentication failure traps. The syntax for the no snmp-server authentication-trap command is:
no snmp-server authentication-trap
The no snmp-server authentication-trap command is executed in the Global Conguration command mode. The no snmp-server authentication-trap command has no parameters or variables.
default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores SNMP authentication trap conguration to the default settings. The syntax for the default snmp-server authentication-trap command is:
default snmp-server authentication-trap
The default snmp-server authentication-trap command is executed in the Global Conguration command mode. The default snmp-server authentication-trap command has no parameters or variables.
snmp-server community for read/write command

The snmp-server community command for read/write modies the community strings for SNMP v1 and SNMPv2c access. The syntax for the snmp-server community for read/write command is:
snmp-server community <community-string> [ro|rw]
The snmp-server community read/write command is executed in the Global Conguration command mode. This command congures a single read-only or a single read/write community. A community congured using this command has no access to any of the SNMPv3 MIBs. This command affects community strings created prior to Release 3.0 software. These community strings have a xed MIB view. Table 18 "snmp-server community for read/write command parameters and variables" (page 62) describes the parameters and variables for the snmp-server community for read/write command.
.
62 Conguring Security using the CLI Table 18 snmp-server community for read/write command parameters and variables Parameters and variables <community-string> Description Changes community strings for SNMP v1 and SNMPv2c access. Enter a community string that functions as a password and permits access to the SNMP protocol. If you set the value to NONE, it is disabled.
ATTENTION
This parameter is not available when Password Security is enabled, in which case, the switch prompts you to enter and confirm the new community string.
ro|rw
Specifies read-only or read/write access. Stations with ro access can retrieve only MIB objects, and stations with rw access can retrieve and modify MIB objects.
ATTENTION
If neither ro nor rw is specified, ro is assumed (default).
no snmp-server community command

The no snmp-server community command clears the snmp-server community conguration. The syntax for the no snmp-server community command is:
no snmp-server community {ro|rw|<community-string>}
The no snmp-server community command is executed in the Global Conguration command mode. If you do not specify a read-only or read/write community parameter, all community strings are removed, including all communities controlled by the snmp-server community command and the snmp-server community command for read-write.
.
63
If you specify read-only or read/write, then only the read-only or read/write community is removed. If you specify the name of a community string, then the community string with that name is removed. Table 19 "no snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the no snmp-server community command.
Table 19 no snmp-server community command parameters and variables Parameters and variables ro|rw| Description Sets the specified community string value to NONE, thereby disabling it. Deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).
<community-string>
default snmp-server community command

The default snmp-server community command restores the community string conguration to the default settings. The syntax for the default snmp-server community command is:
default snmp-server community [ro|rw]
The default snmp-server community command is executed in the Global Conguration command mode. If the read-only or read/write parameter is omitted from the command, all communities are restored to their default settings. The read-only community is set to public, the read/write community is set to private, and all other communities are deleted. Table 20 "default snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the default snmp-server community command.
Table 20 default snmp-server community command parameters and variables Parameters and variables ro|rw Description Restores the read-only community to public, or the read/write community to private.
.
show snmp-server community command

The show snmp-server community command displays the SNMP community string conguration. (The community strings are not displayed when Password Security is enabled.) The syntax for the show snmp-server community command is:
show snmp-server community
The show snmp-server command is executed in the Privileged EXEC command mode.
snmp-server contact command

The snmp-server contact command congures the SNMP sysContact value. The syntax for the snmp-server contact command is:
snmp-server contact <text>
The snmp-server contact command is executed in the Global Conguration command mode. Table 16 "snmp-server command parameters and variables" (page 60) describes the parameters and variables for the snmp-server contact command.
Table 21 snmp-server contact command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysContact value; enter an alphanumeric string.
no snmp-server contact command

The no snmp-server contact command clears the sysContact value. The syntax for the no snmp-server contact command is:
no snmp-server contact
The no snmp-server contact command is executed in the Global Conguration command mode. The no snmp-server contact command has no parameters or variables.
default snmp-server contact command

The default snmp-server contact command restores the sysContact value to the default value. The syntax for the default snmp-server contact command is:
default snmp-server contact
.
65
The default snmp-server contact command is executed in the Global Conguration command mode. The default snmp-server contact command has no parameters or variables.
snmp-server location command

The snmp-server location command congures the SNMP sysLocation value. The syntax for the snmp-server location command is:
snmp-server location <text>
The snmp-server location command is executed in the Global Conguration command mode. Table 22 "snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the snmp-server location command command.
Table 22 snmp-server location command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysLocation value; enter an alphanumeric string of up to 255 characters.
no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value. The syntax for the no snmp-server location command is:
no snmp-server location <text>
The no snmp-server location command is executed in the Global Conguration command mode. Table 23 "no snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the no snmp-server location command.
Table 23 no snmp-server location command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysLocation value. Enter a string of up to 255 characters.
.
default snmp-server location command

The default snmp-server location command restores sysLocation to the default value. The syntax for the default snmp-server location command is:
default snmp-server location
The default snmp-server location command is executed in the Global Conguration command mode. The default snmp-server location command has no parameters or variables.
snmp-server name command

The snmp-server name command congures the SNMP sysName value. The syntax for the snmp-server name command is:
snmp-server name <text>
The snmp-server name command is executed in the Global Conguration command mode. Table 24 "snmp-server name command parameters and variables" (page 66) describes the parameters and variables for the snmp-server name command.
Table 24 snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
no snmp-server name command

The no snmp-server name command clears the SNMP sysName value. The syntax for the no snmp-server name command is:
no snmp-server name <text>
The no snmp-server name command is executed in the Global Conguration command mode. Table 25 "no snmp-server name command parameters and variables" (page 67) describes the parameters and variables for the no snmp-server name command.
.
Securing your system Table 25 no snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
67
default snmp-server name command

The default snmp-server name command restores sysName to the default value. The syntax for the default snmp-server name command is:
default snmp-server name
The default snmp-server name command is executed in the Global Conguration command mode. Table 26 "default snmp-server name command parameters and variables" (page 67) describes the parameters and variables for the default snmp-server name command.
Table 26 default snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
snmp trap link-status command

The snmp trap link-status command enables the linkUp/linkDown traps for the port. The syntax of the command is:
snmp trap link-status [port <portlist>]
The snmp trap link-status command is executed in the Interface Conguration command mode. Table 27 "snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the snmp trap link-status command.
.
68 Conguring Security using the CLI Table 27 snmp trap link-status command parameters and variables Parameters and variables port <portlist> Description Specifies the port numbers on which to enable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
If you omit this parameter, the system uses the port number specified with the interface command.
disable|enable
Disables or Enables generation of linkUp/Down traps.
no snmp trap link-status command

The no snmp trap link-status command disables the linkUp/linkDown traps for the port. The syntax of the no snmp trap link-status command is:
no snmp trap link-status [port <portlist>]
The no snmp trap link-status command is executed in the Interface Conguration command mode. Table 28 "no snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the no snmp trap link-status command.
Table 28 no snmp trap link-status command parameters and variables Parameters and variables port <portlis t> Description Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
.
69
default snmp trap link-status command

The default snmp trap link-status command disables the linkUp/linkDown traps for the port. The syntax of the command is:
default snmp trap link-status [port <portlist>]
The default snmp trap link-status command is executed in the Interface Conguration command mode. Table 29 "default snmp trap link-status command parameters and variables" (page 69) describes the parameters and variables for the no snmp trap link-status command.
Table 29 default snmp trap link-status command parameters and variables Parameters and variables port <portlist> Description Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
CLI commands specic to SNMPv3

This section describes the unique CLI commands for conguring SNMPv3. For details about the CLI commands that are common to both SNMP and SNMPv3, see "Common SNMP and SNMPv3 CLI commands" (page 58). The following SNMP commands are specic to SNMPv3: "snmp-server user command" (page 70) "no snmp-server user command" (page 72) "snmp-server view command" (page 73) "no snmp-server view command" (page 74) "snmp-server host for new-style table command" (page 75) "no snmp-server host for new-style table command" (page 76) "default snmp-server host command" (page 76) "snmp-server community command" (page 77) "snmp-server bootstrap command" (page 79)
.
snmp-server user command

The snmp-server user command creates an SNMPv3 user. The syntax for the snmp-server user command is:
snmp-server user [engine-id <engineid>] <username> [read-view <view-name>] [write-view <view-name>][notify-view <view-name>] [{md5|sha} <password>[read-view <view-name>] [write-view <view-name>][notify-view <view-name>] [{3des|aes|des} <password> [read-view <view-name>] [write-view <view-name>][notify-view <view-name>]
The snmp-server user command is executed in the Global Conguration command mode. The sha and des parameters are available only if the switch image has full SHA/DES support. The command shows three sets of read/write/notify views. The rst set species unauthenticated access. The second set species authenticated access. The third set species authenticated and encrypted access. You can specify authenticated access only if the md5 or sha parameter is included. Likewise, you can specify authenticated and encrypted access only if the des, aes, or 3des parameter is included. If you omit the authenticated view parameters, authenticated access uses the views specied for unauthenticated access. If you omit all the authenticated and encrypted view parameters, the authenticated and encrypted access uses the same views that are used for authenticated access. These views are the unauthenticated views, if all the authenticated views are also omitted. Table 30 "snmp-server user command parameters and variables" (page 70) describes the parameters and variables for the snmp-server user command.
Table 30 snmp-server user command parameters and variables Parameters and variables engine-id <engineid> <username> Description Specifies the SNMP engine ID of the remote SNMP entity. Specifies the user names; enter an alphanumeric string of up to 255 characters.
.
71
Parameters and variables md5/sha <password>
Description Specifies the use of an md5/sha authentication passphrase.
password specifies the new users md5 /sha authentication passphrase; enter an alphanumeric string.
If this parameter is omitted, the user is created with only unauthenticated access rights.
ATTENTION
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
read-view <view-name>
Specifies the read view to which the new user has access:
view-name specifies the view name; enter an alphanumeric string of up to 255 characters.
write-view <view-name>
Specifies the write view to which the new user has access:
.
Parameters and variables notify-view <view-name>
Description Specifies the notify view to which the new user has access:
des/aes/3des <password>
Specifies the use of a des/aes/3des privacy passphrase. password specifies the new users des/aes/3des privacy passphrase; enter an alphanumeric string of minimum 8 characters. If this parameter is omitted, the user is created with only authenticated access rights.
ATTENTION
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
no snmp-server user command

The no snmp-server user command deletes the specied user. The syntax for the no snmp-server user command is:
no snmp-server user [engine-id <engineid>] <username>
The no snmp-server user command is executed in the Global Conguration command mode. Table 31 "no snmp-server user command parameters and variables" (page 73) describes the parameters and variables for the no snmp-server user command.
.
Securing your system Table 31 no snmp-server user command parameters and variables Parameters and variables engine-id <engineid> <username> Description Specifies the SNMP engine ID of the remote SNMP entity. Specifies the user to be removed.
73
snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object instances that can be accessed. The syntax for the snmp-server view command is:
snmp-server view <view-name> <OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]]
The snmp-server view command is executed in the Global Conguration command mode. T Table 32 "snmp-server view command parameters and variables" (page 73)describes the parameters and variables for the snmp-server view command.
Table 32 snmp-server view command parameters and variables Parameters and variables <viewname> <OID> Description Specifies the name of the new view; enter an alphanumeric string. Specifies the Object identifier. OID can be entered as a MIB object English descriptor, a dotted form OID, or a mix of the two. Each OID can also be preceded by a plus (+) or minus () sign (if the minus sign is omitted, a plus sign is implied). For the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:
.
Description
sysName +sysName -sysName +sysName.0 +ifIndex.1 -ifEntry.*.1 (matches all objects in the if Table with an instance of 1, that is, the entry for interface #1) 1.3.6.1.2.1.1.1.0 (dotted form of sysDescr)
The plus (+) or minus () sign indicates whether the specified OID is included in or excluded from, respectively, the set of MIB objects that are accessible by using this view. For example, if you create a view as follows: snmp-server view myview +system -sysDescr and you use that view for the read-view of a user, then the user can read only the system group, except for sysDescr.
no snmp-server view command

The no snmp-server view command deletes the specied view. The syntax for the no snmp-server view command is:
no snmp-server view <viewname>
The no snmp-server view is executed in the Global Conguration command mode. Table 33 "no snmp-server view command parameters and variables" (page 74) describes the parameters and variables for the no snmp-server view command.
Table 33 no snmp-server view command parameters and variables Parameters and variables <viewname> Description Specifies the name of the view to be removed. If no view is specified, all views are removed.
.
75
snmp-server host for the new-style table command

The snmp-server host for the new-style table command adds a trap receiver to the new-style conguration (that is, to the SNMPv3 tables). You can create several entries in this table, and each can generate v1, v2c, or v3 traps. You must previously congure the community string or user that is specied with a notify-view. The syntax for the snmp-server host for the new-style table command is:
snmp-server host <host-ip> [port <1-65535>] {<community-string>|v2c <community-string>| v3 {auth|no-auth|auth-priv} <username>}
The snmp-server host for the new-style table command is executed in the Global Conguration command mode. Table 34 "snmp-server host for the new-style table command parameters and variables" (page 75) describes the parameters and variables for the snmp-server host for the new-style table command.
Table 34 snmp-server host for the new-style table command parameters and variables Parameters and variables <host-ip> port <1-65535> <community-string> Description Enter a dotted-decimal IP address of a host to be the trap destination. Sets SNMP trap port. If you do not specify a trap type, this variable creates v1 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels. Using v2c creates v2c trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels. Using v3 creates v3 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels by entering the following variables:
v2c <community-string>
v3 {auth|no-auth| auth-priv}
auth|no-auth Specifies whether SNMPv3 traps can be authenticated. auth-privThis parameter is only available if the image has full SHA/DES support.
.
Description
<username>
Specifies the SNMPv3 username for trap destination; enter an alphanumeric string.
no snmp-server host for the new-style table command

The no snmp-server for new-style table command deletes trap receivers from the new-style table (SNMPv3 MIB). Any trap receiver that matches the IP address and SNMP version is deleted. The syntax for the no snmp-server host for new-style table command is:
no snmp-server host <host-ip> {v1|v2c|v3}
The no snmp-server host for the new-style table command is executed in the Global Conguration command mode. Table 35 "no snmp-server host for the new-style command parameters and variables" (page 76) describes the parameters and variables for the no snmp-server for the new-style table command.
Table 35 no snmp-server host for the new-style command parameters and variables Parameters and variables <host-ip> v1|v2c|v3 Description Enter the IP address of a trap destination host. Specifies the trap receivers in the SNMPv3 MIBs.
default snmp-server host command

The default snmp-server host command restores the table to defaults (that is, it clears the table). The syntax for the default snmp-server host command is:
default snmp-server host
The default snmp-server host command is executed in the Global Conguration command mode. The default snmp-server host command has no parameters or variables.
.
77
snmp-server community command

With the snmp-server community command, you can create community strings with varying levels of read, write, and notication access based on SNMPv3 views. These community strings are separate from those created by using the snmp-server community command for read/write. This command affects community strings stored in the SNMPv3 snmpCommunityTable, which allows several community strings to be created. These community strings can have any MIB view. The syntax for the snmp-server community command is:
snmp-server community <community-string> {read-view <view-name>|write-view <view-name>| notify-view <view-name>}
The snmp-server community command is executed in the Global Conguration command mode. Table 36 "snmp-server community command parameters and variables" (page 77) describes the parameters and variables for the snmp-server community command.
Table 36 snmp-server community command parameters and variables Parameters and variables <communitystring> Description Enter a community string to be created with access to the specified views.
ATTENTION
This parameter is not available when Password Security is enabled, in which case, the switch prompts you to enter and confirm the new community string.
.
Parameters and variables read-view <view-name>
Description Changes the read view used by the new community string for different types of SNMP operations.
view-name specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
ro rw write-view <view-name>
Read-only access with this community string. Read-write access with this community string. Changes the write view used by the new community string for different types of SNMP operations.
notify-view <view-name>
Changes the notify view settings used by the new community string for different types of SNMP operations.
show snmp-server command

The show snmp-server command displays the SNMP v3 conguration. The syntax for the show snmp-server command is:
show snmp-server {community|host|user|view}
The show snmp-server command is executed in the Privileged EXEC command mode. Table 37 "show snmp-server command parameters and variables" (page 79) describes the parameters and variables for the show snmp-server command.
.
Securing your system Table 37 show snmp-server command parameters and variables Parameters and variables community|host| user|view Description Displays SNMPv3 configuration information:
79
community strings as configured in SNMPv3 MIBs (this parameter is not displayed when Password Security is enabled) trap receivers as configured in SNMPv3 MIBs SNMPv3 users, including views accessible to each user SNMPv3 views
snmp-server bootstrap command

With the snmp-server bootstrap command, you can specify how you wish to secure SNMP communications, as described in the SNMPv3 standards. This command creates an initial set of conguration data for SNMPv3. This conguration data follows the conventions described in the SNMPv3 standard (in RFC 3414 and 3415). The data consists of a set of initial users, groups, and views. This snmp-server bootstrap command deletes all existing SNMP congurations, so use the command with caution. The syntax for the snmp-server bootstrap command is:
snmp-server bootstrap <minimum-secure> | <semi-secure> |<very-secure>
The snmp-server bootstrap command is executed in the Global Conguration command mode. Table 38 "snmp-server bootstrap command parameters and variables" (page 79) describes the parameters and variables for the snmp-server bootstrap command.
Table 38 snmp-server bootstrap command parameters and variables Parameters and variables <minimum-secure> Description Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.
.
Parameters and variables <semi-secure>
Description Specifies a partial security configuration that allows read access to a small subset of system information using noAuthNoPriv, and read and write access to everything using authNoPriv. Specifies a maximum security configuration that allows no access.
<very-secure>
Securing your network

You can secure your network using the following CLI commands. "Conguring MAC address lter-based security" (page 80) "Conguring EAPOL-based security" (page 87)
Conguring MAC address lter-based security

You congure the BaySecure* application using MAC addresses with the following commands: "show mac-security command" (page 80) "mac-security command" (page 81) "mac-security mac-address-table address command" (page 83) "mac-security security-list command" (page 83) "no mac-security command" (page 84) "no mac-security mac-address-table command" (page 84) "no mac-security security-list command" (page 85) "mac-security command for specic ports" (page 85) "mac-security mac-da-lter command" (page 86)
show mac-security command

The show mac-security command displays conguration information for the BaySecure application. The syntax for the show mac-security command is:
show mac-security {config|mac-address-table [address <macaddr>]|port|security-lists|mac-da-filter}
The show mac-security command is executed in the Privileged EXEC command mode. Table 39 "show mac-security command parameters and variables" (page 81) describes the parameters and variables for the show mac-security command.
.
Securing your network Table 39 show mac-security command parameters and variables Parameters and variables config mac-address-t able [address <macaddr>] Description Displays the general BaySecure configuration. Displays contents of the BaySecure table of allowed MAC addresses:
81
address specifies a single MAC address to display; enter the MAC address.
port security-lists mac-da-filter
Displays the BaySecure status of all ports. Displays the port membership of all security lists. Displays MAC DA filtering addresses.
Figure 10 "show mac-security command output" (page 81) shows sample output from the show mac-security command.
Figure 10 show mac-security command output
mac-security command
The mac-security command modies the BaySecure conguration. The syntax for the mac-security command is:
mac-security [disable|enable] [filtering {enable|disable}] [intrusion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [learning-ports <portlist>] [learning {enable |disable}]|mac-address-table|mac-da-filter|security list [snmp-lock {enable|disable}] [snmp-trap {enable|disable}]
The mac-security command is executed in the Global Conguration command mode. Table 40 "mac-security command parameters and values" (page 82) describes the parameters and variables for the mac-security command.
.
82 Conguring Security using the CLI Table 40 mac-security command parameters and variables Parameters and variables disable|enable filtering {enable|disable} intrusion-detect {enable|disable| forever} Description Disables or enables MAC address-based security. Enables or disables destination address (DA) filtering when an intrusion is detected. Specifies the partitioning of a port when an intrusion is detected:
enable port is partitioned for a period of time. disabled port is not partitioned on detection. forever port is partitioned until manually changed.
intrusion-timer <1-65535> learning {enable|disable}
Specifies, in seconds, length of time a port is partitioned when an intrusion is detected; enter the number of seconds to specify. Specifies MAC address learning:
enable enables learning by ports disable disables learning by ports
ATTENTION
The MAC address learning enable command must be executed to specify learning ports.
learning-ports <portlist>
Specifies MAC address learning. Learned addresses are added to the table of allowed MAC addresses. Enter the ports you want to learn; this can be a single port, a range of ports, several ranges, all, or none. Adds addresses to the MAC security address table. Adds or deletes MAC DA filtering addresses. Modifies security list port membership.
mac-address-tabl e mac-da-filter security-list
.
83
Parameters and variables snmp-lock {enable|disable} snmp-trap {enable|disable}
Description Enables or disables a lock on SNMP write-access to the BaySecure MIBs. Enables or disables trap generation when an intrusion is detected.
mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specic port or a security list to the MAC address. This removes any previous assignment to the specied MAC address and creates an entry in the BaySecure table of allowed MAC addresses. The syntax for the mac-security mac-address-table address command is:
mac-security mac-address-table address <H.H.H.> {port <portlist>|security-list <1-32>}
ATTENTION
In this command, portlist must specify only a single port.
The mac-security mac-address-table address command is executed in the Global Conguration command mode. Table 41 "mac-security mac-address-table address parameters and values" (page 83) describes the parameters and variables for the mac-security mac-address-table address command.
Table 41 mac-security mac-address-table address parameters and variables Parameters and variables <H.H.H> port <portlist >|security-list <1-32> Description Enter the MAC address in the form of H.H.H. Enter the port number or the security list number.
mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list. The syntax for the mac-security security-list command is:
mac-security security-list <1-32> <portlist>
.
The mac-security security-list command is executed in the Global Conguration command mode. Table 42 "mac-security security-list command parameters and values" (page 84) describes the parameters and variables for the mac-security security-list command.
Table 42 mac-security security-list command parameters and variables Parameters and variables <1-32> <portlist> Description Enter the number of the security list that you want to use. Enter a list or range of port numbers.
no mac-security command
The no mac-security command disables MAC source address-based security. The syntax for the no mac-security command is:
no mac-security
The no mac-security command is executed in the Global Conguration command mode. The no mac-security command has no parameters or values.
no mac-security mac-address-table command

The no mac-security mac-address-table command clears entries from the MAC address security table. The syntax for the no mac-security mac-address-table command is:
no mac-security mac-address-table {address <H.H.H.> |port <portlist>|security-list <1-32>}
The no mac-security mac-address-table command is executed in the Global Conguration command mode. Table 43 "no mac-security mac-address-table command parameters and variables" (page 84) describes the parameters and variables for the no mac-security mac-address-table command.
Table 43 no mac-security mac-address-table command parameters and variables Parameters and variables address <H.H.H> Description Enter the MAC address in the form of H.H.H.
.
85
Parameters and variables port <portlist> security-list <1-32>
Description Enter a list or range of port numbers. Enter the security list number.
no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list. The syntax for the no mac-security security-list command is:
no mac-security security-list <1-32>
The no mac-security security-list command is executed in the Global Conguration command mode. Table 44 "no mac-security security-list command parameters and variables" (page 85) describes the parameters and variables for the no mac-security security-list command.
Table 44 no mac-security security-list command parameters and variables Parameters and variables <1-32> Description Enter the number of the security list that you want to clear.
mac-security command for specic ports

The mac-security command for specic ports congures the BaySecure status of specic ports. The syntax for the mac-security command for specic ports is:
mac-security [port <portlist>] {disable|enable|learning}
The mac-security command for specic ports is executed in the Interface Conguration command mode Table 45 "mac-security command for a single port parameters and variables" (page 86) describes the parameters and variables for the mac-security command for specic ports.
.
86 Conguring Security using the CLI Table 45 mac-security command for a single port parameters and variables Parameters and variables port <portlist> disable|enable|learnin g Description Enter the port numbers. Directs the specific port:
disable disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed enable enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed learning disables BaySecure on the specified port and adds these port to the list of ports for which MAC address learning is performed
mac-security mac-da-lter command

With the mac-security mac-da-filter command, you can lter packets from up to 10 specied MAC DAs. You also can use this command to delete such a lter and then receive packets from the specied MAC DA. The syntax for the mac-security mac-da-filter command is:
mac-security mac-da-filter {add|delete}<H.H.H.>
The mac-security mac-da-filter command is executed in the Global Conguration command mode. Table 46 "mac-security mac-da-lter command parameters and values" (page 86) describes the parameters and variables for the mac-security mac-da-filter command.
Table 46 mac-security mac-da-lter command parameters and values Parameters and variables {add|delete} <H.H.H> Description Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.
.
87
ATTENTION
Ensure that you do not enter the MAC address of the management unit.
Conguring EAPOL-based security

You can congure security based on the Extensible Authentication Protocol over LAN (EAPOL) by using the following CLI commands: "show eapol command" (page 87) "show eapol auth-diags interface command" (page 89) "show eapol auth-stats interface command" (page 90) "eapol command" (page 91) "eapol command for modifying parameters" (page 91) "eapol guest-vlan command" (page 93) "no eapol guest-vlan command" (page 93) "default eapol guest-vlan command" (page 93)
show eapol command

The show eapol command displays the status of the EAPOL-based security. The syntax for the show eapol command is:
show eapol [port <portlist>]
The show eapol command is executed in the Privileged EXEC command mode. Figure 11 "show eapol command output" (page 88) displays sample output from the show eapol command.
.
88 Conguring Security using the CLI Figure 11 show eapol command output
Table 47 "show eapol command output parameters and variables" (page 88) describes the parameters and variables for the show eapol command output.
Table 47 show eapol command output parameters and variables Parameters and variables Port Description Specifies the port on which to change EAPOL settings Specifies the EAP status of the port: Administrative Status Auth Force Unauthorized - Port is always unauthorized Auto - Port authorization status depends on the result of the EAP authentication Force Authorized - Port is always authorized
Displays the current EAPOL authorization status for the port Yes - Authorized No - Unauthorized
This field only specifies the authorization status of the port for EAPoL users and not for NonEAPoL users. Use the show eapol multihost non-eap status command for Non-EAPoL users.
.
89
Parameters and variables Admin Dir
Description Specifies whether EAPOL authentication is set for incoming and outgoing traffic (Both) or for incoming traffic only (In). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked. Specifies the current operational value for the traffic control direction for the port. Enables or disables re-authentication Specifies the time interval between successive re-authentications; the range is <1-604800> Specifies the time interval between authentication failure and start of new authentication; the range is <0-65535> Specifies a waiting period for response from supplicant for EAP Request or Identity packets; the range is <1-65535> Specifies a waiting period for response from supplicant for all EAP packets; the range is <1-65535> Specifies the time to wait for response from RADIUS server; the range is <1-65535> Specifies the number of times to retry sending packets to supplicant; the range is <1-10>
Oper Dir Re-authentication Re-authentication Period Quite Period Transmit Period Supplicant Timeout
Server Timeout Max Request
show eapol auth-diags interface command

The show eapol auth-diags interface command displays EAPOL diags.The syntax for the show eapol auth-diags interface command is:
show eapol auth-diags interface
The show eapol auth-diags interface command is executed in the Privileged EXEC command mode. Figure 12 "show eapol auth-diags interface command output" (page 90) displays sample output from the show eapol auth-diags interface command.
.
90 Conguring Security using the CLI Figure 12 show eapol auth-diags interface command output
show eapol auth-stats interface command

The show eapol auth-stats interface command displays EAPOL diags.The syntax for the show eapol auth-stats interface command is:
show eapol auth-stats interface
The show eapol auth-stats interface command is executed in the Privileged EXEC command mode. Figure 13 "show eapol auth-stats interface command output" (page 90) displays sample output from the show eapol auth-stats interface command.
Figure 13 show eapol auth-stats interface command output
.
91
eapol command
The eapol command enables or disables EAPOL-based security. The syntax of the eapol command is:
eapol {disable|enable}
The eapol command is executed in the Global Conguration command mode. Table 48 "eapol command parameters and variables" (page 91) describes the parameters and variables for the eapol command.
Table 48 eapol command parameters and variables Parameters and variables disable|enable Description Disables or enables EAPOL-based security.
eapol command for modifying parameters

The eapol command for modifying parameters modies EAPOL-based security parameters for a specic port. The syntax of the eapol command for modifying parameters is:
eapol [port <portlist>] [init] [status authorized|unauthor ized|auto] [traffic-control in-out|in] [re-authentication enable|disable] [re-authentication-period <1-604800>] [re-authenticate] [quiet-interval <num>] [transmit-interval <num>] [supplicant-timeout <num>] [server-timeout <num>][max-request <num>]
The eapol command for modifying parameters is executed in the Interface Conguration command mode. Table 49 "eapol command for modifying parameters and variables" (page 91) describes the parameters and variables for the eapol command for modifying parameters.
Table 49 eapol command for modifying parameters and variables Parameters and variables port <portllist> Description Specifies the ports to configure for EAPOL; enter the port numbers you want to use.
.
Description
ATTENTION
If you omit this parameter, the system uses the port number that you specified when you issued the interface command.
init status authorized|unauth orized|auto
Reinitiates EAP authentication. Specifies the EAP status of the port:
authorized Port is always authorized. unauthorized Port is always unauthorized. auto Port authorization status depends on the result of the EAP authentication.
traffic-control in-outIin
Sets the level of traffic control:
in-out If EAP authentication fails, both ingressing and egressing traffic are blocked. in If EAP authentication fails, only ingressing traffic is blocked.
re-authentication enable|disable re-authentication -period <1-604800>
Enables or disables reauthentication. Enter the number of seconds that you want between re-authentication attempts. Use either this variable or the reauthentication-interval variable; do not use both variables because they control the same setting. Specifies an immediate reauthentication. Enter the number of seconds that you want between an authentication failure and the start of a new authentication attempt; the range is 1 to 65535. Specifies a waiting period for response from supplicant for EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.
re-authenticate quiet-interval <num> transmit-interval <num>
.
93
Parameters and variables supplicant-timeou t <num>
Description Specifies a waiting period for response from supplicant for all EAP packets, except EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535. Specifies a waiting period for response from the server. Enter the number of seconds that you want to wait; the range is 1-65535. Enter the number of times to retry sending packets to supplicant.
server-timeout <num> max-request <num>
eapol guest-vlan command

The eapol guest-vlan command sets the guest VLAN globally. The syntax for the eapol guest-vlan command is:
eapol guest-vlan [vid <1-4094> | enable]
The eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. Table 50 "eapol guest-vlan command parameters and variables" (page 93) describes the parameters and variables for the eapol guest-vlan command.
Table 50 eapol guest-vlan command parameters and variables Parameters and variables <vid> enable Description Guest VLAN ID. Enable Guest VLAN.
no eapol guest-vlan command

The no eapol guest-vlan command disables the guest VLAN. The syntax for the no eapol guest-vlan command is:
no eapol guest-vlan [enable]
The no eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode.
default eapol guest-vlan command

The default eapol guest-vlan command disables the guest VLAN.
.
The syntax for the default eapol guest-vlan command is:

default eapol guest-vlan
The default eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. The default eapol guest-vlan command has no parameters or variables.
show eapol guest-vlan command

The show eapol guest-vlan command displays the current guest VLAN conguration. The syntax for the show eapol guest-vlan command is:
show eapol guest-vlan
The show eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. The show eapol guest-vlan command has no parameters or variables. Figure 14 "show eapol guest-vlan command output" (page 94) displays sample output from the eapol guest-vlan command.
Figure 14 show eapol guest-vlan command output
Conguring advanced EAPOL features

Ethernet Routing Switch 2500 Series, Software Release 4.1 supports advanced EAPOL features that allow multiple hosts and non-EAPOL clients on a port. This section provides information about conguring the following features: Multiple Host with Multiple Authentication (MHMA) (see "Conguring multihost support" (page 95)) Non-EAPOL hosts on EAPOL-enabled ports (see "Conguring support for non-EAPOL hosts on EAPOL-enabled ports" (page 102)) Multiple Host with Single Authentication (MHSA) (see "Conguring MultiHost Single-Autentication (MHSA)" (page 107))
.
95
Conguring multihost support

To congure multihost support, do the following: 1. Enable multihost support for the interface. The relevant command is executed in Interface Conguration mode. You can issue the command for the interface selected when you enter the Interface Conguration mode (so that all ports have the same setting), or you can issue the command for specic ports on the interface. 2. Specify the maximum number of EAP clients allowed on each multihost port. You can issue the command for the interface selected when you enter the Interface Conguration mode (so that all ports have the same setting), or you can issue the command for specic ports on the interface. eapol multihost command The eapol multihost command controls the global multihost settings. The syntax for the eapol multihost command is:
eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhsa -enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}
This command is executed in the Global Conguration command mode. "eapol multihost parameters and variables" (page 95) describes the parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable use-radius-assigned-vlan non-eap-pwd-fmt { [ip-addr] [mac-addr] [port-number] } Description Enables MAC addresses of non-EAP clients. Enables auto-authentication of non-EAP clients in MHSA mode Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Sets bits in RADIUS non-EAPOL password format
no eapol multihost command disables EAPOL multihost.
The no eapol multihost command
This command is executed in the Global Conguration command mode.
.
The syntax for the no eapol multihost command is:

no eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhs a-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}
"no eapol multihost parameters" (page 96) describes the parameters and variables for theno eapol multihost command.
no eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable use-radius-assigned-vlan non-eap-pwd-fmt { [ip-addr] [mac-addr] [portnumber] } Description Disables control of non-EAP clients (MAC addresses) Disables auto-authentication of non-EAP clients in MHSA mode Disables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Clears bits from RADIUS non-EAPOL password format
default eapol multihost command The default eapol multihost command sets the EAPoL multihost feature to default. This command is executed in the global conguration mode. The syntax for the default eapol multihost command is:
default eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhsa-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}] }
"default eapol multihost parameters" (page 96) describes the parameters and variables for thedefault eapol multihost command.
default eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable Description Resets control of non-EAP clients (MAC addresses) Disables auto-authentication of non-EAP clients in MHSA mode Disables Radius authentication of non-EAP clients
.
97
Parameters and variables use-radius-assigned-vlan non-eap-pwd-fmt { [ip-addr] [mac-addr] [portnumber] }
Description Allows use of Radius-assigned VLAN value Restores default format for RADIUS non-EAPOL password attribute
eapol multihost command for a port The eapol multihost command controls the multihost settings for a specic port or for all ports on an interface. This command is executed in the Interface Conguration mode. The syntax for the eapol multihost command is:
eapol multihost [allow-non-eap-enable][auto-non-eap-mhsa-e nable][eap-mac-max {<1-32>}][enable][non-eap-map-max{<1-32 >}][radius-non-eap-enable][use-radius-assigned-vlan][port {<portlist>}][non-eap-mac {H.H.H | port}]
"eapol multihost parameters and variables" (page 97) describes the parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable eap-mac-max {<1-32>} Description Enables MAC addresses of non-EAP clients. Enables auto-authentication of non-EAP clients in MHSA mode Specifies the maximum number of EAP-authenticated MAC addresses allowed Allows EAP clients (MAC addresses) Specifies the maximum number of non-EAP authenticated MAC addresses allowed Displays port number on which to apply EAPOL multihost settings Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Allows non-EAPoL MAC address
enable non-eap-mac-max
port radius-non-eap-enable use-radius-assigned-vlan non-eap-mac {H.H.H | port}
.
no eapol multihost command for a port The no eapol multihost command disables the EAPOL multihost settings for a specic port or for all ports on an interface. This command is executed in the Interface conguration mode. The syntax for the no eapol multihost command is:
no eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsaenable][enable][port][radius-non-eap-enable][use-radius-assi gned-vlan][non-eap-mac {H.H.H | port}]
"no eapol multihost parameters and variables" (page 98) describes the parameters and variables for the no eapol multihost command.
no eapol multihost command parameters and variables Parameter and Variables allow-non-eap-enable auto-non-eap-mhsa-enable enable port radius-non-eap-enable use-radius-assigned-vlan non-eap-mac {H.H.H | port} non-eap-mac-max {<1-32>} Description Disables MAC addresses of non-EAP clients. Disables auto-authentication of non-EAP clients in MHSA mode Disallows EAP clients (MAC addresses) Displays port number on which to apply EAPOL multihost settings Disables Radius authentication of non-EAP clients Disallows use of Radius-assigned VLAN value Allows non-EAPoL MAC address Specifies the maximum number of non-EAP authenticated MAC addresses allowed
default eapol multihost command for a port The default eapol multihost command sets the multihost settings for a specic port or for all the ports on an interface to default. This command is executed in the Interface conguration mode. The syntax for the default eapol multihost command is:
default eapol multihost [allow-non-eap-enable] [auto-non-e ap-mhsa-enable] [eap-mac-max {<1-32>}][enable] [non-eap-ma p-max{<1-32>}] [port {<portlist>}][radius-non-eap-enable] [use-radius-assigned-vlan][non-eap-mac {H.H.H | port}]
.
99
"default eapol multihost parameters" (page 99) describes the parameters and variables for the default eapol multihost command.
default eapol multihost command parameters and variables Parameter and Variables allow-non-eap-enable auto-non-eap-mhsa-enable eap-mac-max <1-32> Description Resets control of non-EAP clients (MAC addresses) to default Disables auto-authentication of non-EAP clients Resets maximum number of EAP-authenticated MAC addresses allowed to default Resets control of whether EAP Clients (MAC addresses) are allowed to default Resets maximum number of non-EAP authenticated MAC addresses allowed to default Displays port number on which to disable EAPOL Enables Radius authentication of non-EAP clients Allows use of RADIUS-assigned VLAN values Resets the non-EAP MAC addresses to default
enable non-eap-mac-max <1-32>
port<portlist> radius-non-eap-enable use-radius-assigned-vlan non-eap-mac {H.H.H | port}
eapol multihost non-eap-mac command The eapol multihost non-eap-mac command congures the MAC addresses of non-EAPOL hosts on a specic port or on all ports on an interface. This command is executed in the Interface conguration mode. The syntax for the eapol multihost non-eap-maccommand is:
eapol multihost non-eap-mac [port<portlist>] <H.H.H>
"eapol multihost non-eap-mac command parameters and variables" (page 100) describes the parameters and variables for theeapol multihost non-eap-mac command.
.
100 Conguring Security using the CLI eapol multihost non-eap-mac command parameters and variables Parameter and Variables port H.H.H Description Port on which to apply EAPOL settings MAC address of the allowed non-EAPOL host
show eapol multihost command The show eapol multihostcommand displays global settings for non-EAPOL hosts on EAPOL-enabled ports. This command is executed in the privExec, Global, and Interface conguration mode. The syntax for the show eapol multihost command is:
show eapol multihost
"show eapol multihost command parameters and variables" (page 100) describes the parameters and variables for the show eapol multihost command.
show eapol multihost command parameters and variables Parameters and variables interface non-eap-mac status Description Displays EAPOL multihost port configuration Displays allowed non-EAPoL MACaddress Displays EAPOL multihost port status
"show eapol multihost command output" (page 100) displays sample output from the show eapol multihost command:
show eapol multihost command output
show eapol multihost interface command The show eapol multihost interface command displays non-EAPOL support settings for each port.
.
101
This command is executed in the privExec, Global, and Interface conguration mode. The syntax for the show eapol multihost interfacecommand is:
show eapol multihost interface [<portList>]
"show eapol multihost interface parameters and variables" (page 101) describes the parameters and variables for the show eapol multihost interface command.
show eapol multihost interface command parameters and variables Parameter and Variables portList Description List of ports
"show eapol multihost interface command output" (page 101) displays sample output from the show eapol multihost interface command:
show eapol multihost interface command output
show eapol multihost non-eap-mac status command The show eapol multihost non-eap-mac status command displays information about non-EAPOL hosts currently active on the switch. This command is executed in the Privileged EXEC, Global, and Interface Conguration mode.
.
The syntax for the show eapol multihost non-eap-mac status command is:
show eapol multihost non-eap-mac status [<portList>]
"show eapol multihost non-eap-mac status command parameters and variables" (page 102) describes the parameters and variables for the show eapol multihost non-eap-mac status command.
show eapol multihost non-eap-mac status command parameters and variables Parameter and Variables portList Description List of ports
The following gure displays sample output from the show eapol multihost non-eap-mac status command:
Figure 15 show eapol multihost non-eap-mac status command output
Conguring support for non-EAPOL hosts on EAPOL-enabled ports

This section describes how to congure nonE-APOL authentication. To congure support for non-EAPOL hosts on EAPOL-enabled ports, do the following: 1. Enable non-EAPOL support globally on the switch and locally (for the desired interface ports), using one or both of the following authentication methods: a. local authentication (see "Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports" (page 103)) b. RADIUS authentication (see "Enabling RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports" (page 103)) 2. Enable EAPOL multihost on ports 3. Specify the maximum number of non-EAPOL MAC addresses allowed on a port (see "Specifying the maximum number of non-EAPOL hosts allowed" (page 105)). 4. For local authentication only, identify the MAC addresses of non-EAPOL hosts allowed on the ports (see "Creating the allowed non-EAPOL MAC address list" (page 105)).
.
103
By default, support for non-EAPOL hosts on EAPOL-enabled ports is disabled. Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports For local authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable local authentication of non-EAPOL hosts globally on the switch, use the following command in Global conguration mode:
eapol multihost allow-non-eap-enable
To enable local authentication of non-EAPOL hosts for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] allow-non-eap-enable
where <portlist> is the list of ports on which you want to enable non-EAPOL hosts using local authentication. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface. To discontinue local authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface conguration modes. Enabling RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports For RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable RADIUS authentication of non-EAPOL hosts globally on the switch, use the following command in Global conguration mode:
eapol multihost radius-non-eap-enable
"eapol multihost radius-non-eap-enable command parameters and variables" (page 103) describes the parameters and variables for the eapol multihost radius-non-eap-enable command.
eapol multihost radius-non-eap-enable command parameters and variables Parameter and Variable radius-non-eap-enable Description Globally enables RADIUS authentication for non-EAPOL hosts
.
To enable RADIUS authentication of non-EAPOL hosts for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] radius-non-eap-enable
"eapol multihost radius-non-eap-enable command: Interface mode" (page 104) describes the parameters and variables for the eapol multihost radius-non-eap-enable command: Interface mode command.
eapol multihost radius-non-eap-enable command: Interface mode parameters and variables Parameters and Variables portlist Description Specifies the port or ports on which you want RADIUS authentication enabled. You can enter a single port, several ports or a range of ports. If you do not specify a port parameter, the command enables RADIUS authentication of non-EAP hosts on all ports on the interface. Enables RADIUS authentication on the desired interface or on a specific port, for non-EAPOL hosts.
radius-non-eap-enable
The default for this feature is disabled. To discontinue RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface conguration modes. Conguring the format of the RADIUS password attribute when authenticating non-EAP MAC addresses using RADIUS To congure the format of the RADIUS password when authenticating non-EAP MAC addresses using RADIUS, use the following command in the Global conguration mode:
eapol multihost non-eap-pwd-fmt
The syntax for the eapol multihost non-eap-pwd-fmt command is:

eapol multihost non-eap-pwd-fmt { [ip-addr] [mac-addr] [port-number] }
"eapol multihost non-eap-pwd-fmt command parameters and variables" (page 105) describes the parameters and variables for the eapol multihost non-eap-pwd-fmt command.
.
Securing your network eapol multihost non-eap-pwd-fmt command parameters and variables Parameter ip-addr mac-addr port-number Description
105
Specifies the IP address of the non-EAP client. Specifies the MAC address of the non-EAP client. Specifies the port number for which you want the RADIUS password attribute configured.
To discontinue conguration of the RADIUS password attribute format, use the no or default keywords at the start of the commands, in the Global conguration mode. Specifying the maximum number of non-EAPOL hosts allowed To congure the maximum number of non-EAPOL hosts allowed for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] non-eap-mac-max <value>
where <portlist> is the list of ports to which you want the setting to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command sets the value for all ports on the interface. <value> is an integer in the range 132 that species the maximum number of non-EAPOL clients allowed on the port at any one time. The default is 1.
ATTENTION
The congurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
Creating the allowed non-EAPOL MAC address list To specify the MAC addresses of non-EAPOL hosts allowed on a specic port or on all ports on an interface, for local authentication, use the following command in Interface conguration mode:
eapol multihost non-eap-mac [port <portlist>] <H.H.H>
where <portlist> is the list of ports on which you want to allow the specied non-EAPOL hosts. You can enter a single port, a range of ports, several
.
ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface. <H.H.H> is the MAC address of the allowed non-EAPOL host. Viewing non-EAPOL host settings and activity Various show commands allow you to view: global settings (see "Viewing global settings for non-EAPOL hosts" (page 106)) port settings (see "Viewing port settings for non-EAPOL hosts" (page 106)"Viewing port settings for non-EAPOL hosts" (page 106)) allowed MAC addresses, for local authentication (see "Viewing allowed MAC addresses" (page 106)) current non-EAPOL hosts active on the switch (see "Viewing current non-EAPOL host activity" (page 107)) status in the Privilege Exec mode (see "show eapol multihost status command" (page 107))
Viewing global settings for non-EAPOL hosts To view global settings for non-EAPOL hosts on EAPOL-enabled ports, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost
The display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled. Viewing port settings for non-EAPOL hosts To view non-EAPOL support settings for each port, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost interface [<portlist>]
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. For each port, the display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled, and the maximum number of non-EAPOL clients allowed at a time. Viewing allowed MAC addresses To view the MAC addresses of non-EAPOL hosts allowed to access ports on an interface, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
.
107
show eapol multihost non-eap-mac interface [<portlist>]
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. The display lists the ports and the associated allowed MAC addresses. Viewing current non-EAPOL host activity To view information about non-EAPOL hosts currently active on the switch, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost non-eap-mac status [<portlist>]
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. show eapol multihost status command The show eapol multihost status command displays the multihost status of eapol clients on EAPOL-enabled ports. The syntax for the show eapol multihost status command is:
show eapol multihost status [<interface-type>] [<interface-i d>]
"show eapol multihost status command parameters and variables" (page 107)"show eapol multihost status command parameters and variables" (page 107) describes the parameters and variables for theshow eapol multihost status command.
show eapol multihost status command parameters and variables Parameter interface-id interface-type Description Displays the interface ID Displays the type of interface used
The show eapol multihost status command is executed in the Privileged EXEC command mode. Conguring MultiHost Single-Autentication (MHSA) To congure MHSA support, do the following: 1. Enable MHSA globally on the switch (see "Globally enabling support for MHSA" (page 108)).
.
2. Congure MHSA settings for the interface or for specic ports on the interface (see "Conguring interface and port settings for MHSA" (page 108)): a. Enable MHSA support. b. Specify the maximum number of non-EAPOL MAC addresses allowed. By default, MHSA support on EAP-enabled ports is disabled. Globally enabling support for MHSA To enable support for MHSA globally on the switch, use the following command in Global conguration mode:
eapol multihost auto-non-eap-mhsa-enable
To discontinue support for MHSA globally on the switch, use one of the following commands in Global conguration mode:
no eapol multihost auto-non-eap-mhsa-enable default eapol multihost auto-non-eap-mhsa-enable
Conguring interface and port settings for MHSA To congure MHSA settings for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>]
where <portlist> is the list of ports to which you want the settings to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies the settings to all ports on the interface. This command includes the following parameters for conguring MHSA:
eapol multihost [port <portlist> followed by: auto-non-eap-mhsa-enable Enables MHSA on the port. The default is disabled. To disable MHSA, use the no or default keywords at the start of the command. Sets the maximum number of non-EAPOL clients allowed on the port at any one time. <value> is an integer in the range 1 to 32. The default is 1.
.
non-eap-mac-max <value>
109
ATTENTION
The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
Viewing MHSA settings and activity For information about the commands to view MHSA settings and non-EAPOL host activity, see "Viewing non-EAPOL host settings and activity" (page 106).
.
Conguring Security using Device Manager

You can set the security features for a switch so that when a violation occurs the right actions are performed by the software. The security actions that you specify are applied to all ports of the switch. This chapter describes the Security information available in Device Manager, and includes the following topics: "EAPOL tab" (page 110) "General tab" (page 111) "SecurityList tab" (page 114) "AuthCong tab" (page 116) "AuthStatus tab" (page 119) "AuthViolation tab" (page 122) "SSH tab" (page 122) "SSH Sessions tab" (page 124) "Radius Server tab" (page 125) "Conguring EAPOL on ports" (page 126) "Conguring SNMP" (page 141) "Working with SNMPv3" (page 147)
EAPOL tab
The EAPOL tab lets you set and view EAPOL security information for the switch. To view the EAPOL tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security dialog box appears with the EAPOL tab displayed. The following gure displays the EAPOL tab. End
.
Conguring Security using Device Manager Figure 16 EAPOL tab
111
General tab
The General tab lets you set and view general security information for the switch. To view the General tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security dialog box appears with the EAPOL tab displayed . 2 Click the General tab. The General tab appears. The following gure displays the General tab.
.
112 Conguring Security using the CLI Figure 17 General tab
End
General tab elds

Table 51 "General tab elds" (page 112) describes the General tab elds.
Table 51 General tab elds Field AuthSecurityLock Description If this parameter is listed as locked, the agent refuses all requests to modify the security configuration. Entries also include:
other notlocked
AuthCtlPartTime
This value indicates the duration of the time for port partitioning in seconds. The default is zero. When the value is zero, the port remains partitioned until it is manually enabled. Indicates whether or not the switch security feature is enabled.
SSecurityStatus
.
113
Field SecurityMode
Description Mode of switch security. Entries include:
macList: Indicates that the switch is in the MAC-list mode. You can configure more than one MAC address per port. autoLearn: Indicates that the switch learns the first MAC address on each port as an allowed address of that port.
SecurityAction
Actions performed by the software when a violation occurs (when SecurityStatus is enabled). The security action specified here applies to all ports of the switch. A blocked address causes the port to be partitioned when unauthorized access is attempted. Selections include: noAction: Port does not have any security assigned to it, or the security feature is turned off. trap: Listed trap. partitionPort: Port is partitioned. partitionPortAndsendTrap: Port is partitioned, and traps are sent to the trap receiver. daFiltering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. daFilteringAndsendTrap: Port filters out the frames where the desitnation address field is the MAC address of unauthorized station. Traps are sent to trap receivers. partitionPortAnddaFiltering: Port is partitioned and filters out the frames with the destination address field is the MAC address of unauthorized station. partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.
.
Field CurrNodesAllowed MaxNodesAllowed PortSecurityStatus PortLearnStatus CurrSecurityLists MaxSecurityLists
Description Current number of entries of the nodes allowed in the AuthConfig tab. Maximum number of entries of the nodes allowed in the AuthConfig tab. Set of ports for which security is enabled. Set of ports where autolearning is enabled. Current number of entries of the Security listed in the SecurityList tab. Maximum entries of the Security listed in the SecurityList tab.
SecurityList tab
The SecurityList tab contains a list of Security port elds. To view the SecurityList tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the SecurityList tab. The SecurityList tab appears. The following gure displays the SecurityList tab.
Figure 18 SecurityList tab
End
SecurityList tab elds

Table 52 "SecurityList tab elds" (page 115) describes the SecurityList tab elds.
.
Conguring Security using Device Manager Table 52 SecurityList tab elds Field SecurityListIndx SecurityListMembers Description
115
An index of the security list. This corresponds to the SecurityList field into AuthConfig tab. The set of ports that are currently members in the Port list.
Security, Insert SecurityList dialog box

To view the Security, Insert AuthCong dialog box, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed (EAPOL tab). 2 Click the SecurityList tab. The SecurityList tab appears (SecurityList tab). 3 Click Insert. The Security, Insert SecurityList dialog box appears.
Figure 19 Security, Insert SecurityList dialog box
4 5 6
To add ports to the security list, in the SecurityListMembers eld, click the ellipsis (...). The SecurityListMembers dialog box appears. Select the ports to include in the SecurityList, and click OK. Click Insert. End
.
"Security, Insert AuthCong dialog box elds" (page 118) describes the Security, Insert SecurityList dialog box elds.
Table 53 Security, Insert SecurityList dialog box elds Field SecurityListIndx Description An index of the security list. This corresponds to the Security port list that can be used as an index into AuthConfig tab. The set of ports that are currently members in the Port list.
SecurityListMembers
AuthCong tab
The AuthCong tab contains a list of boards, ports, and MAC addresses that have the security conguration. An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU. Otherwise, the GENERR return-value is returned. To view the AuthCong tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed (EAPOL tab). 2 Click the AuthCong tab. The AuthCong tab appears AuthCong tab .
Figure 20 AuthCong tab
End
"AuthCong tab elds" (page 116) describes the AuthCong tab elds.
.
Conguring Security using Device Manager Table 54 AuthCong tab elds Field BrdIndx Description
117
Index of the slot that contains the board on which the port is located. If you specify SecureList, this field must be zero. Index of the port on the board. If you specify SecureList, this field must be zero. An index of MAC addresses that are designated as allowed (station). Displays the node entry as node allowed. A MAC address can be allowed on multiple ports. The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero. The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.
PortIndx MACIndx AccessCtrlType SecureList
Security, Insert AuthCong dialog box

To view the Security, Insert AuthCong dialog box, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the AuthCong tab. The AuthCong tab appears. 3 Click Insert. The Security, Insert AuthCong dialog box appears .
.
118 Conguring Security using the CLI Figure 21 Security, Insert AuthCong dialog box
Complete the elds as required and click Insert. The new entry appears in theAuthCong tab End
Security, Insert AuthCong dialog box elds

Table 55 "Security, Insert AuthCong dialog box elds" (page 118) describes the Security, Insert AuthCong dialog box elds.
Table 55 Security, Insert AuthCong dialog box elds Field BrdIndx Description Index of the board. This corresponds to the index of the unit that contains the board, but only if the index is greater than zero. A zero index is a wild card. Index of the port on the board. This corresponds to the index of the last manageable port on the board, but only if the index is greater than zero. A zero index is a wild card. An index of MAC addresses that are either designated as allowed (station) or not-allowed (station). Displays whether the node entry isnode allowed or node blocked. A MAC address can be allowed on multiple ports. The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero. The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.
PortIndx
MACIndx AccessCtrlType
SecureList
.
119
AuthStatus tab
The AuthStatus tab displays information about the authorized boards and port status data collection. This information includes actions to be performed when an unauthorized station is detected, and the current security status of a port. Entries in this tab can include: a single MAC address all MAC addresses on a single port a single port all the ports on a single board a particular port on all the boards all the ports on all the boards
To view the AuthStatus tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the AuthStatus tab. The AuthStatus tab appears. The following gure displays the AuthStatus tab.
.
120 Conguring Security using the CLI Figure 22 AuthStatus tab
End
"AuthStatus tab elds" (page 120)
AuthStatus tab elds

"AuthStatus tab elds" (page 120) describes the AuthStatus tab elds.
Table 56 AuthStatus tab elds Field AuthStatusBrdIndx Description The index of the board. This corresponds to the index of the slot that contains the board if the index is greater than zero. The index of the port on the board. This corresponds to the index of the last manageable port on the board if the index is greater than zero. The index of MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.
AuthStatusPortIndx
AuthStatusMACIndx
.
121
Field CurrentAccessCtrlTy pe CurrentActionMode
Description Displays whether the node entry is the node allowed or node blocked type. A value representing the type of information contained, including: noAction: Port does not have any security assigned to it, or the security feature is turned off. partitionPort: Port is partitioned. partitionPortAndsendTrap: Port is partitioned and traps are sent to the trap receiver. Filtering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. FilteringAndsendTrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receiver. sendTrap: A trap is sent to the trap receiver(s). partitionPortAnddaFiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receiver(s).
CurrentPortSecur Status
Displays the security status of the current port, including:
If the port is disabled, notApplicable is returned. If the port is in a normal state, portSecure is returned. If the port is partitioned, portPartition is returned.
.
AuthViolation tab
The AuthViolation tab contains a list of boards and ports on which network access violations have occurred, and also the identity of the offending MAC addresses. To view the AuthViolation tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the AuthViolation tab. The AuthViolation tab appears. The following gure displays the AuthViolation tab.
Figure 23 AuthViolation tab
End
SSH tab
The SSH tab displays the parameters available for SSH. To view the SSH tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security.
.
123
The Security window appears with the EAPOL tab displayed. 2 Click the SSH tab. The SSH tab appears. The following gure displays the SSH tab.
Figure 24 SSH tab
End
"SSH tab elds" (page 123) describes the SSH tab elds.
Table 57 SSH tab elds Field Enable Description Enables, disables, or securely enables SSH. Securely enable turns off other daemon flag, and it takes effect after a reboot. Indicates the SSH version. Indicates the SSH connection port. Indicates the SSH connection timeout in seconds. Indicates the SSH key action. Enables or disables the SSH DSA authentication. Enables or disables the SSH RSA authentication.
Version Port Timeout KeyAction DsaAuth PassAuth
.
Field DsaHostKeyStatus
Description Indicates the current status of the SSH DSA host key: notGenerated: DSA host key has not yet been generated. generated: DSA host key is generated. generating: DSA host key is currently being generated.
LoadServerAddr TftpFile TftpAction TftpResult
Indicates the current server IP address. Indicates the name of the file for the TFTP transfer. Indicates the SSH public keys that are set to initiate a TFTP download. Indicates the retrieved value of the TFTP transfer.
SSH Sessions tab

The SSH Sessions tab displays the currently active SSH sessions. To view the SSH Sessions tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the SSH Sessions tab. The SSH Sessions tab appears. The following gure displays the SSH Sessions tab.
Figure 25 SSH Sessions tab
End
"SSH Sessions tab elds" (page 124) describes the SSH Sessions tab elds.
.
Conguring Security using Device Manager Table 58 SSH Sessions tab elds Field SSHSessionsIP Description Lists the currently active SSH sessions.
125
Radius Server tab

The Radius Server tab is used to congure the primary and secondary RADIUS server settings. "Radius Server tab" (page 125)illustrates the Radius Server tab. To view the Radius Server tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. Select the Radius Server tab. 2 Click the Radius Server tab. The Radius Server tab appears. The following gure displays the Radius Server tab.
Figure 26 Radius Server tab
End
Table 59 "Radius Server tab elds" (page 126) describes the Radius Server tab elds.
.
126 Conguring Security using the CLI Table 59 Radius Server tab elds Field Addresstype PrimaryRadiusServer Description Specifies the type of IP address used by the Radius server. IPv4 is currently the only available option. Specifies the IP address of the primary server (default: 0.0.0.0).
ATTENTION
If there is no primary Radius server, set the value of this field to 0.0.0.0 . SecondaryRadiusServer Specifies the IP address of the secondary Radius server (default: 0.0.0.0). The secondary Radius server is used only if the primary server is unavailable or unreachable. Specifies the UDP port the client is using to send requests to this server. Specifies the time interval in seconds before the client retransmit the packet to RADIUS server Specifies the value of the shared secret key.
RadiusServerUdpPor RadiusServerTimeout SharedSecret(Key)
ATTENTION
The shared secret key has a maximum of 16 characters. ConfirmedSharedSecret(K ey) Confirms the value of the shared secret key specified in the SharedSecret(Key) field. This field usually does not display anything (just a blank field). It is used when user is changing the SharedSecret(key) field. User usually need to enter twice to confirm the string already being entered in the SharedSecret(Key).
Conguring EAPOL on ports

This section contains the following topics: "EAPOL tab for a port" (page 127) "EAPOL Advance tab for ports" (page 129) "EAPOL Stats tab for graphing ports" (page 136) "EAPOL Diag tab for graphing ports" (page 138)
.
127
EAPOL tab for a port

The EAPOL tab shows EAPOL for the selected port. To view or edit the EAPOL tab for a port, use the following procedure: Step 1 2 Action Select the port that you want to edit. Do one of the following: From the shortcut menu, choose Edit. From the Device Manager main menu, choose Edit > Port. From the toolbar, click Edit.
The Port dialog box appears with the Interface tab displayed. 3 Click the EAPOL tab. The EAPOL tab appears.
Figure 27 EAPOL tab for a port
.
End
"EAPOL tab elds for a port" (page 128) describes the EAPOL tab elds for ports.
Table 60 EAPOL tab elds for a port Field PortProtocolVersion PortCapabilities PortInitialize PortReauthenticateNow Description The EAP Protocol version that is running on this port. The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable. Enables and disables EAPOL authentication for the specified port. Activates EAPOL authentication for the specified port immediately, without waiting for the Re-Authentication Period to expire. Displays the EAPOL authorization status for the switch: BackendAuthState AdminControlled Directions Force Authorized: The authorization status is always authorized. Force Unauthorized: The authorization status is always unauthorized. Auto: The authorization status depends on the EAP authentication results.
PaeState
The current state of the Backend Authentication state for the switch. Specifies whether EAPOL authentication is set for incoming and outgoing traffic (both) or for incoming traffic only (in). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked. A read-only field that indicates the current operational value for the traffic control direction for the port (see the preceding field description). Displays the current EAPOL authorization status for the port: authorized unauthorized
OperControlled Directions AuthControlledPort Status
.
129
Field AuthControlledPort Control
Description Specifies the EAPOL authorization status for the port: Force Authorized: The authorization status is always authorized. Force Unauthorized: The authorization status is always unauthorized. Auto: The authorization status depends on the EAP authentication results.
QuietPeriod
The current value of the time interval between any single EAPOL authentication failure and the start of a new EAPOL authentication attempt. Time to wait for response from supplicant for EAP requests/Identity packets. Time to wait for response from supplicant for all EAP packets, except EAP Request/Identity. Time to wait for a response from the RADIUS server for all EAP packets. The number of times the switch attempts to resend EAP packets to a supplicant. Time interval between successive reauthentications. When the ReAuthenticationEnabled field (see the following field) is enabled, you can specify the time period between successive EAPOL authentications for the specified port. When enabled, the switch performs a reauthentication of the existing supplicants at the time interval specified in the ReAuthenticationPeriod field (see preceding field description). The value of the KeyTranmissionEnabled constant currently in use by the Authenticator PAE state of the switch. This always returns false as key transmission is irrelevant. The protocol version number carried in the most recently received EAPOL frame. The source MAC address carried in the most recently received EAPOL frame.
TransmitPeriod SupplicantTimeout ServerTimeout MaximumRequests ReAuthentication Period
ReAuthentication Enabled
KeyTxEnabled
LastEapolFrame Version LastEapolFrame Source
EAPOL Advance tab for ports

The EAPOL Advance tab lets you congure additional EAPOL-based security parameters for ports.
.
ATTENTION
The Multi Hosts and Non-EAP MAC buttons are not available when conguring multiple ports on the EAPOL Advance tab. To make use of these two options, only one port can be selected.
To view or edit the EAPOL Advance tab for ports, use the following procedure: Step 1 Action Select the ports that you want to edit. For multiple ports, press Ctrl+left-click the ports that you want to edit. A yellow outline appears around the selected ports. 2 Do one of the following: From the shortcut menu, choose Edit. From the Device Manager main menu, choose Edit > Port. On the toolbar, click Edit.
The Port dialog box appears with the Interface tab displayed. 3 Click the EAPOL Advance tab. The EAPOL Advance tab for a port appears.
Figure 28 EAPOL Advance tab for a port
.
131
Click Apply after making any changes. End
Table 61 "EAPOL Advance tab elds for a port" (page 131) describes the EAPOL Advance tab elds for a port.
Table 61 EAPOL Advance tab elds for a port Field GuestVlan Enabled GuestVlanId Description Enables and disables Guest VLAN on the port. Specifies the ID of a Guest VLAN that the port is able to access while unauthorized. This value overrides the Guest VLAN ID value set for the switch in the EAPOL tab. Specifies zero when switch global guest VLAN ID is used for this port. Enables or disables EAPOL multihost on the port. Specifies the maximum number of allowed EAP clients on the port. Enables or disables non-EAPOL on the port. Specifies the maximum number of allowed non-EAPOL clients on the port. Enables or disables EAPOL Multiple Host with Single Authentication (MHSA) on the port. Enables or disables non-EAPOL RADIUS authentication on the port Enables or disables multihost RADIUS assigned Vlans on the port
MultiHostEnabled MultiHostEapMaxNumMacs MultiHostAllowNonEapClie nt MultiHostNonEapMaxNum Macs MultiHostSingleAuthEnable d MultiHostRadiusAuthNonE apClient MultiHostAllowRadiusAssig nedVlan
Viewing Multihost information

From the EAPOL Advance tab on the Port screen, it is possible to view Multihost information by clicking the Multi Hosts button on this tab. For details, refer to: "Multihost Status" (page 131) "Multihost sessions" (page 132)
Multihost Status To view multihost status information, do the following:
.
Step 1
Action From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears with the Multi Host Status tab selected. The following gure displays the Multihost status tab.
Figure 29 EAPOL MultiHosts screen -- Multi Host Status tab
"EAPOL MultiHosts screen -- Multi Host Status tab" (page 132) describes the elds on this screen.
EAPOL MultiHosts screen -- Multi Host Status tab Field PortNumber ClientMACAddr PaeState BackendAuthState Reauthenticate Description The port number in use The MAC address of the client The current state of the authenticator PAE state machin The current state of the Backend Authentication state machine The value used to reauthenticate the EAPOL client
End
Multihost sessions following: Step 1 Action
To view multihost session information, do the
From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears. Select the Multi Host Session tab. The following gure displays the Multihost sessions tab.
.
Conguring Security using Device Manager Figure 30 EAPOL MultiHosts screen -- Multi Host Session tab
133
"EAPOL MultiHosts screen -- Multi Host Session tab" (page 133) describes the elds on this tab.
EAPOL MultiHosts screen -- Multi Host Session tab Field PortNumber ClientMACAddr Id Description The port number in use. The MAC address of the client. A unique identifier for the session, in the form of a printable ASCII string of at least three characters. The authentication method used to establish the session. The elapsed time of the session. The cause of the session termination. The username representing the identity of the supplicant PAE.
AuthenticMethod Time TerminateCause UserName
End
Non-EAPOL host support settings

From the EAPOL Advance tab on the Port screen, it is possible to view non-EAP host information and to congure the allowed non-EAP MAC address list by clicking the Non-EAP MAC button on this tab. Managing the allowed non-EAP MAC address list To view and congure the list of MAC addresses for non-EAPOL clients that are authorized to access the port, do the following: Step 1 Action From the EAPOL Advance tab of the Port screen, click the Non-EAP MAC button. The Non-EAPOL MAC screen appears
.
with the Allowed non-EAP MAC tab selected. The following gure illustrates this tab.
Figure 31 Non-EAPOL MAC screen -- Allowed non-EAP MAC tab
"Non-EAPOL MAC screen -- Allowed non-EAP MAC tab" (page 134) describes the elds on this screen.
Non-EAPOL MAC screen -- Allowed non-EAP MAC tab Field PortNumber ClientMACAddr Description The port number in use. The MAC address of the client.
To add a MAC address to the list of allowed non-EAPOL clients: a. Click the Insert button. The Insert Allowed non-EAP MAC screen appears. The following gure illustrates this tab.
Figure 32 Insert Allowed non-EAP MAC screen
b. Enter the MAC address of the non-EAPOL client you want to add to the list. c. Click Insert. 3 To remove a MAC address from the list of allowed non-EAPOL clients: a. Select the MAC address in the ClientMACAddr column on the Allowed non-EAP MAC tab. b. Click Delete.
.
135
End
Viewing non-EAPOL host support status To view the status of non-EAPOL host support on the port, do the following: Step 1 Action From the EAPOL Advance tab of the Port screen, click the Non-EAP MAC button. The Non-EAPOL MAC screen appears with the Allowed non-EAP MAC tab selected. Select the Non-EAP Status tab. The following gure illustrates this tab.
Figure 33 Non-EAPOL MAC screen -- Non-EAP Status tab
"Non-EAPOL MAC screen -- Non-EAP Status tab" (page 135) describes the elds on this screen.
Non-EAPOL MAC screen -- Non-EAP Status tab Field PortNumber ClientMACAddr Description The port number in use. The MAC address of the client. The authentication status. Possible values are: State rejected: the MAC address cannot be authenticated on this port. locallyAuthenticated: the MAC address was authenticated using the local table of allowed clients radiusPending: the MAC address is awaiting authentication by a RADIUS server radiusAuthenticated: the MAC address was authenticated by a RADIUS server
.
Field
Description adacAuthenticated: the MAC address was authenticated using ADAC configuration tables mhsaAuthenticated: the MAC address was auto-authenticated on a port following a successful authentication of an EAP client
Reauthenticate
The value used to reauthenticate the MAC address of the client on the port
End
EAPOL Stats tab for graphing ports

The EAPOL Stats tab displays EAPOL statistics. To open the EAPOL Stats tab for graphing, use the following procedure: Step 1 Action Select the port or ports you want to graph. To select multiple ports, press Ctrl+left-click the ports that you want to congure. A yellow outline appears around the selected ports. 2 Do one of the following: From the Device Manager main menu, choose Graph > Port. From the shortcut menu, choose Graph. On thetoolbar, click Graph.
The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed. 3 Click the EAPOL Stats tab. The EAPOL Stats tab for graphing multiple ports appears. The following gure displays the Graph port dialog box EAPOL Stats tab.
.
Conguring Security using Device Manager Figure 34 Graph port dialog box EAPOL Stats tab
137
End
EAPOL Stats tab elds

"EAPOL Stats tab elds" (page 137) describes the EAPOL Stats tab elds.
Table 62 EAPOL Stats tab elds Field EapolFramesRx EapolFramesTx EapolStartFramesRx EapolLogoffFramesRx EapolRespIdFramesRx EapolRespFramesRx Description The number of valid EAPOL frames of any type that are received by this authenticator. The number of EAPOL frame types of any type that are transmitted by this authenticator. The number of EAPOL start frames that are received by this authenticator. The number of EAPOL Logoff frames that are received by this authenticator. The number of EAPOL Resp/Id frames that are received by this authenticator. The number of valid EAP Response frames (Other than Resp/Id frames) that are received by this authenticator. The number of EAPOL Req/Id frames that are transmitted by this authenticator. The number of EAP Req/Id frames (Other than Req/Id frames) that are transmitted by this authenticator.
EapolReqIdFramesTx EapolReqFramesTx
.
Field InvalidEapolFramesRx
Description The number of EAPOL frames that are received by this authenticator in which the frame type is not recognized. The number of EAPOL frames that are received by this authenticator in which the packet body length field is not valid.
EapLengthError FramesRx
EAPOL Diag tab for graphing ports

The EAPOL Diag tab displays EAPOL diagnostics statistics. To open the EAPOL Diag tab for graphing, use the following procedure: Step 1 Action Select the port or ports you want to graph. To select multiple ports, press Ctrl+left-click the ports that you want to congure. A yellow outline appears around the selected ports. 2 Do one of the following: From the Device Manager main menu, choose Graph > Port. From the shortcut menu, choose Graph. On the toolbar, click Graph.
The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed. 3 Click the EAPOL Diag tab. The EAPOL Diag tab for graphing multiple ports appears. The following gure displays the Graph Port dialog box EAPOL Diag tab.
.
Conguring Security using Device Manager Figure 35 Graph Port dialog box EAPOL Diag tab
139
End
EAPOL Diag elds

"EAPOL Diag elds" (page 139) describes the EAPOL Diag tab elds.
Table 63 EAPOL Diag tab elds Field EntersConnecting Description Counts the number of times that the state machine transitions to the connecting state from any other state. Counts the number of times that the state machine transitions from connecting to disconnecting as a result of receiving an EAPOL-Logoff message. Counts the number of times that the state machine transitions from connecting to authenticating, as a result of an EAP-Response or Identity message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticating to authenticated, as a result of the Backend Authentication state machine indicating a successful authentication of the Supplicant.
EapLogoffsWhileConnecting
EntersAuthenticating
AuthSuccessWhile Authenticating
.
Field AuthTimeoutsWhile Authenticating
Description Counts the number of times that the state machine transitions from authenticating to aborting, as a result of the Backend Authentication state machine indicating an authentication timeout. Counts the number of times that the state machine transitions from authenticating to held, as a result of the Backend Authentication state machine indicating an authentication failure. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of a reauthentication request. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Start message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Logoff message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticated to connecting, as a result of a reauthentication request. Counts the number of times that the state machine transitions from authenticated to connecting, as a result of an EAPOL-Start message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticated to disconnected, as a result of an EAPOL-Logoff message being received from the Supplicant. Counts the number of times that the state machine sends an initial Access-Request packet to the Authentication server. Indicates that the Authenticator attempted communication with the Authentication Server. Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication server. Indicates that the Authentication Server has communication with the Authenticator.
AuthFailWhileAuthenticating
AuthReauthsWhile Authenticating
AuthEapStartsWhile Authenticating
AuthEapLogoffWhile Authenticating
AuthReauthsWhile Authenticated
AuthEapStartsWhile Authenticated
AuthEapLogoffWhile Authenticated
BackendResponses
BackendAccessChallenges
.
141
Field BackendOtherRequestsTo Supplicant
Description Counts the number of times that the state machine sends an EAP-Request packet, other than an Identity, Notification, Failure or Success message, to the Supplicant. Indicates that the Authenticator chooses an EAP-method. Counts the number of times that the state machine receives a response from the Supplicant to an initial EAP-Request, and the response is something other than EAP-NAK. Indicates that the Supplicant can respond to the EAP-method that the Authenticator chooses. Counts the number of times that the state machine receives an EAP-Success message from the Authentication Server. Indicates that the Supplicant has successfully authenticated to the Authentication Server. Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.
BackendNonNakResponses FromSupplicant
BackendAuthSuccesses
BackendAuthFails
Conguring SNMP
This section contains the following topics: "SNMP tab" (page 141) "Trap Receivers tab" (page 142) "Graphing SNMP statistics" (page 144)
SNMP tab
The SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch. To open the SNMP tab, use the following procedure: Step 1 2 Action Select the chassis. Choose Edit > Chassis. The Chassis dialog box appears with the System tab displayed. 3 Click the SNMP tab. The SNMP tab appears.
.
End
Figure 36 Chassis dialog box SNMP tab
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 64 SNMP tab elds Field LastUnauthenticatedIpAddress LastUnauthenticatedCommunityString TrpRcvrMaxEnt TrpRcvrCurEnt TrpRcvrNext Description The last IP address that is not authenticated by the device. The last community string that is not authenticated by the device. The maximum number of trap receiver entries. The current number of trap receiver entries. The next trap receiver entry to be created.
Trap Receivers tab

The Trap Receivers tab lists the devices that receive SNMP traps from the Ethernet Routing Switch 2500 Series. To open the Trap Receivers tab, use the following procedure: Step 1 2 Action Select the chassis. Choose Edit > Chassis. The Chassis dialog box appears with the System tab displayed. 3 Click the Trap Receivers tab.
.
143
The Trap Receivers tab appears. End
Figure 37 Chassis dialog box Trap Receivers tab
"Trap Receivers tab elds" (page 143) describes the Trap Receivers tab elds.
Table 65 Trap Receivers tab elds Field Indx Description An index of the trap receiver entry. Trap receivers are numbered from one to four. Each trap receiver has an associated community string (see the following Community field description in this table). The address (or DNS hostname) for the trap receiver. Community string used for trap messages to this trap receiver.
NetAddr Community
Adding a Trap Receiver

To edit the network traps table, use the following procedure: Step 1 Action In the Trap Receivers tab, click Insert. The Chassis, Insert Trap Receivers dialog box appears. The following gure displays the Chassis, Insert Trap Receivers dialog box.
.
144 Conguring Security using the CLI Figure 38 Chassis, Insert Trap Receivers dialog box
2 3
Type the Index, NetAddr, and Community information. Click Insert. End
Graphing SNMP statistics

In the Graph Chassis dialog box, the SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch. To open the SNMP tab, use the following procedure: Step 1 2 Action Select the chassis. Choose Graph > Chassis. The Graph Chassis dialog box appears with the SNMP tab displayed. 3 Click the SNMP tab. End
.
Conguring Security using Device Manager Figure 39 Graph Chassis dialog box SNMP tab
145
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 66 SNMP tab elds Field InPkts OutPkts InTotalReqVars Description The total number of messages delivered to the SNMP from the transport service. The total number of SNMP messages passed from the SNMP protocol to the transport service. The total number of MIB objects retrieved successfully by the SNMP protocol as the result of receiving valid SNMP Get-Request and Get-Next PDUs. The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set-Request PDUs. The total number of SNMP Get-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Next PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.
InTotalSetVars
InGetRequests InGetNexts InSetRequests InGetResponses
.
Field OutTraps OutTooBigs
Description The total number of SNMP Trap PDUs generated by the SNMP protocol. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is tooBig. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is noSuchName. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is badValue. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is genErr. The total number of SNMP messages delivered to the SNMP protocol for an unsupported SNMP version. The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name. The total number of SNMP messages delivered to the SNMP protocol that represented an SNMP operation not allowed by the SNMP community named in the message. The total number of ASN.1 or BER errors encountered by the SNMP protocol when decoding received SNMP messages. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is tooBig. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is noSuchName. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badValue.
OutNoSuchNames
OutBadValues
OutGenErrs
InBadVersions InBadCommunity Names InBadCommunity Uses
InASNParseErrs
InTooBigs
InNoSuchNames
InBadValues
.
147
Field InReadOnlys
Description The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is readOnly. It is a protocol error to generate an SNMP PDU containing the value readOnly in the error-status field. This object is provided to detect incorrect implementations of the SNMP. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is genErr.
InGenErrs
Working with SNMPv3

Simple Network Management Protocol (SNMP) provides a mechanism to remotely congure and manage a network device. An SNMP agent is a software process that listens on UDP port 161 for SNMP messages, and sends trap messages using the destination UDP port 162. SNMPv3 is based on the architecture of SNMPv1 and SNMPv2c. It supports better authentication and data encryption than SNMPv1 and SNMPv2c. SNMPv3 provides protection against the following security threats: modication of SNMP messages by a third party impersonation of an authorized SNMP user by an unauthorized person disclosure of network management information to unauthorized parties delayed SNMP message replays or message redirection attacks
The conguration parameters introduced in SNMPv3 makes it more secure and exible than the other versions of SNMP. For more information on the SNMPv3 architecture, see RFC 3411. This chapter describes the following concepts associated with SNMPv3: "Initial Login with an SNMPv3 User" (page 148) "User-based Security Model" (page 149) "View-based Access Control Model" (page 152) "Creating a community" (page 159) "Management Targets" (page 161) "The Notify Table" (page 166)
.
Initial Login with an SNMPv3 User

To congure SNMPv3 with Device Manager, you must rst log on and create an SNMPv3 user through the CLI or Web interface. If you specify only read and write community strings at the time you log on, you do not have sufcient rights to view or change the SNMPv3 settings of the switch.
CAUTION
By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.
For more information on how to congure an initial SNMPv3 user by using Web-based management, see "Setting SNMP parameters" (page 58), and by using the CLI, see "Conguring SNMPv3" (page 190). To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user, use the following procedure: Step 1 2 3 4 5 6 7 Action On the Device Manager menu bar, select Device > Open. In the Device Name eld, enter the DNS name or the IP address of the switch. Select the v3 Enabled checkbox (the default Read and Write community strings are grayed out when SNMPv3 is enabled). Enter the log on name of the SNMPv3 user. From the Authentication Protocol pull-down list, select MD5, SHA, or None. If the user is congured to use an authentication protocol, enter the authentication password in the Authentication Password eld. If the user is congured to use a privacy protocol, choose the appropriate protocol from the Privacy Protocol eld (DES, AES or 3DES). In the Privacy Password eld, enter the privacy password. End
.
149
User-based Security Model

The User-based Security Model (USM) provides a mechanism to authenticate and encrypt SNMPv3 messages. A message, if congured, is authenticated with the help of a one-way hash function that is associated with an individual user ID. In the Ethernet Routing Switch 2500 Series, a user can be congured to use the HMAC-MD5-96 or the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages. An SNMPv3 message, if congured, is encrypted with the help of the Cipher Block Chaining - Data Encryption Standard (CBC-DEC). An SNMPv3 user can be congured in three ways. Table 67 "SNMPv3 user conguration method" (page 149) describes the ways in which an SNMPv3 user can be congured.
Table 67 SNMPv3 user conguration method SNMPv3 Configuration Method NoAuthNoPriv AuthNoPriv AuthPriv Description The user cannot use an authentication or an encryption mechanism. The user can use an authentication but not an encryption mechanism. The user can use an authentication as well as an encryption mechanism.
For more information on USM, see RFC 3414.
Conguring the User-based Security Model

To create a user in the USM table, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > USM Table. The USM dialog box appears. The following gure displays the USM dialog box.
.
150 Conguring Security using the CLI Figure 40 USM dialog box
USM tab elds The following table describes the USM tab elds.
Table 68 USM dialog box elds Field EngineID Name SecurityName AuthProtocol PrivProtocol StorageType Description Indicates the administratively-unique identifier of the SNMP engine. Indicates the name of the user in usmUser. Creates the name that is used as an index to the table. The range is 1 to 32 characters. Identifies the authentication protocol used. Identifies the privacy protocol used. Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The USM, Insert USM Table dialog box appears. The following gure displays the USM, Insert USM Table dialog box.
.
Conguring Security using Device Manager Figure 41 USM, Insert USM Table dialog box
151
3 4
Enter a name. In the Clone From User list, select a security name from which the new entry copies authentication data and privacy data. For example, Authentication Protocol, Authentication password, Privacy Protocol, and Privacy password.
ATTENTION
The Clone From User you select denes the maximum authentication and privacy settings for a new user. For example, if the Clone From User does not use an authentication or encryption protocol, users created from this clone cannot use the authentication or the encryption protocol. For this reason, it is recommended that you assign both an authentication and encryption protocol to the rst user you create through the CLI or Web interface.
From the Auth Protocol pull-down list, select an authentication protocol for this user. If you select an authentication protocol, enter an old and new authentication password in the next two elds. In the Cloned Users Auth Password eld, enter the authentication password of the Cloned From User. In the New Users Auth Password eld, enter a new authentication password for this user. Select a privacy protocol. If you choose to specify a privacy protocol, enter an old and new privacy password in the next two elds. This is optional but recommended.
6 7 8

.
9 10 11
Enter the Cloned Users Priv Password. Enter a new privacy password for this user. Click Insert. The USM table appears and the new entry is shown. End
"USM Insert USM Table dialog box elds" (page 152) describes the USM, Insert USM Table dialog box elds.
Table 69 USM, Insert USM Table dialog box elds Field New User Name Description Creates the new entry with this security name. The name is used as an index to the table. The range is 1 to 32 characters. Specifies the security name from which the new entry must copy privacy and authentication parameters. The range is 1 to 32 characters. Assigns an authentication protocol (or no authentication) from a shortcut menu. If you select this protocol, enter an old AuthPass and a new AuthPass. Specifies the current authentication password. Specifies the new authentication password to use for this user. Assigns a privacy protocol (or no privacy) from a menu. Specifies the current privacy password. Specifies the new privacy password to use for this user entry. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Clone From User
Auth Protocol
Cloned Users Auth Password New Users Auth Password Priv Protocol (Optional) Cloned Users Priv Password New Users Priv Password Storage Type
View-based Access Control Model

The View-based Access Control Model (VACM) is used to map a user to a set of access rights and MIB views. This mapping is done with the help of three tables.
.
153
Table 70 "View-based access control mapping" (page 153) describes the which help of to map a user to access rights and MIB views.
Table 70 View-based access control mapping Table Name Group Membership table Group Access Right table MIB View table Description Defines a set of users that can be referenced by a single group name. Associates a group with Read, Write, and Notify views. Defines a set of MIB subtrees or objects.
For more detailed information on VACM, see RFC 3415.
Dening Group Membership with VACM

To add members to a group in the View-based Access Control Model (VACM) table, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table. The VACM dialog box with the Group Membership tab options visible appears. The following gure displays the VACM dialog, Group Membership tab.
Figure 42 VACM dialog, Group Membership tab
.
VACM dialog tab elds The following table describes the Group Membership tab elds.
Table 71 Group Membership tab elds Field SecurityModel SecurityName GroupName Description The security model for the entry. The name of an entry in the USM table or the Community Table. The name of the group to which this entry belongs. When multiple entries in this table have the same GroupName, they all belong to the same group. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
StorageType
Click Insert. The VACM, Insert Group Membership dialog box appears. The following gure displays the VACM, Insert Group Membership dialog box.
3 4 5 6
Select a SecurityModel. Enter a SecurityName. Enter a GroupName. Click Insert. The VACM dialog box appears. The new group membership is shown in the list. End
Assigning Group Access Rights with VACM

To assign new access rights to a group, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table. The VACM dialog box appears (Figure 42 "VACM dialog, Group Membership tab" (page 153)).
.
155
Click the Group Access Right tab. The Group Access Right tab appears. The following gure displays the Group Access Right tab.
Figure 43 Group Access Right tab
The following table describes the Group Access Right tab elds.
Table 72 VACM dialog box Group Access Right tab elds Field vacmGroupName ContextPrefix SecurityModel Description A GroupName from the Group Membership table. The Context Prefix for this entry. By default, the field is empty. This is an optional field. The security model assigned to users in the Group Membership table. Options are SNMPv1, SNMPv2c, or USM. The security level assigned to users in the Group Membership table. Options are noAuthNoPriv, authNoPriv, or authPriv. Specifies whether to use an exact match or the context prefix for assigning the rights defined in this row to a user. The default is exact. This is an optional field. The name of the MIB View to which the user is assigned read access. The name of the MIB View to which the user is assigned write access.
SecurityLevel
ContextMatch
ReadViewName WriteViewName
.
Field NotifyViewName StorageType
Description The name of the MIB View from which the user receives notifications. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The VACM, Insert Group Access Right dialog box appears. The following gure displays the VACM, Insert Group Access Right dialog box.
Figure 44 VACM, Insert Group Access Right dialog box
4 5 6 7 8 9 10
Enter the name of a group. Enter the context prex. Select the security model. Select the security level. Enter the name of a MIB View that enables a user to read the MIB subtrees and objects. Enter the name of a MIB View that enables a user to write to the MIB subtrees and objects. Enter the name of a MIB View from which a user can receive traps or inform messages.
.
157
11
Click Insert. The VACM window reappears, and the new Group Access Right entry is shown in the table. End
Dening a MIB view

To assign MIB view access for an object, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table. The VACM dialog box appears (Figure 42 "VACM dialog, Group Membership tab" (page 153)). 2 Select the MIB View tab. The MIB View tab appears. The following gure displays the MIB View tab.
Figure 45 MIB View tab
MIB View tab elds

.
The following table describes the MIB View tab elds.

Table 73 VACM dialog box MIB View tab elds Field ViewName Description Creates a new entry with this group name. The range is 1 to 32 characters. Refers to any valid object identifier that defines the set of MIB objects accessible by this SNMP entity, for example, org, iso8802, or 1.3.6.1.1.5 OID string. Specifies that a bit mask be used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree. Determines whether access to a MIB object is granted (Included) or denied (Excluded). The default is Included. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Subtree
Mask (Optional)
Type
StorageType
Click Insert. The VACM, Insert MIB View dialog box appears. The following gure displays VACM, Insert MIB View dialog box.
Figure 46 VACM, Insert MIB View dialog box
.
159
4 5 6
Enter a ViewName. Enter a MIB Subtree name, for example, org, iso8802, or a dotted-decimal OID string. Enter a Mask to specify wild cards in the OID string. The default is to leave this eld blank, which is the same as specifying a mask of all ones (exact match). Select whether to include or exclude this MIB subtree from the collection of all MIB objects with this same ViewName. Click Insert. The assigned MIB view appears in the list. End
7 8
Creating a community
A community table contains objects for mapping between community strings and the security name created in VACM Group Member. To create a community, use the following procedure: Step 1 Action From the Device Manager menu bar, chooseEdit > SnmpV3 > Community Table. The Community Table dialog box appears. The following gure displays the Community Table dialog box.
Figure 47 Community Table dialog box
Click Insert. The Community Table, Insert Community Table dialog box appears. The following gure displays the Community Table, Insert Community Table dialog box.
.
160 Conguring Security using the CLI Figure 48 Community Table, Insert Community Table dialog box
3 4 5 6
Enter an Index. Enter Name that is a community string. Enter a SecurityName. Click Insert. The new community is shown in the list. End
Community Table dialog box elds

"Community Table dialog box elds" (page 160) describes the Community Table dialog box elds.
Table 74 Community Table dialog box elds Field Index Name SecurityName Description The unique index value of a row in this table. The SnmpAdminString range is 1-32 characters. The community string for which a row in this table represents a configuration. The security name assigned to this entry in the Community table. The range is 1 to 32 characters.
.
161
Field ContextEngineID
Description The contextEngineID that indicates the location of the context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. The default value is the snmpEngineID of the entity in which this object is instantiated. The context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. This object specifies a set of transport endpoints that are associated a community string. The community string is only valid when found in an SNMPv1 or SNMPv2c message received from one of these transport endpoints, or when used in an SNMPv1 or SNMPv2c message that is sent to one of these transport endpoints. The storage type for this conceptual row in the snmpCommunityTable. Conceptual rows that have the value permanent do not allow write-access to any columnar object in the row.
ContextName
TransportTag
StorageType
Management Targets
The concept of the SNMPv3 management target is similar to trap receivers in SNMPv1 and SNMPv2c. Management targets are dened with the help of three tables.
Management Target Tables

"Management Target Tables" (page 161) describes the that help to dene the management targets.
Table 75 Management target tables Table Name Target Address table Description Lists the IP address and destination UDP port number of stations that receive trap or inform messages. Specifies how to format and process an outgoing message that is sent to an associated target address. Specifies the type of message to send to a management target: trap or inform.
Target Parameters table
Notify table
.
Creating a Management Target Address

To create an entry in the Management Target Address table, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table. The Target Table dialog box appears, with the Target Address Table tab appears. The following gure displays the Target Table dialog box, target Address Table tab.
Figure 49 Target Table dialog box, Target Address Table tab
Target Address Table elds The following table describes the Target Address Table elds.
Table 76 Target Address Table elds Field Name TDomain TAddress Timeout Description Specifies the name for this target table entry. Specifies the domain of the management target. The default is snmpUDPDomain. Specifies the IP address and destination UDP port for this management target, for example, 10.0.4.27:162. Specifies the length of the time to wait in 1/100th of a second, for an acknowledgement from this management target before declaring the message as timed-out. The default is 1500 milliseconds. Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.
RetryCount
.
163
Field Taglist
Description Refers to zero or more Notify tags that are used to link this entry with entries in the Notify table. By default, you can enter either traporinform without having to create new entries in the Notification table. Specifies the entry in the Target Parameter table which is associated with this Management Target Address. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Params
StorageType
Click Insert. The Target Table, Insert Target Address Table dialog box appears. The following gure displays the Target Table, Insert Target Address Table dialog box.
Figure 50 Target Table, Insert Target Address Table dialog box
3 4 5 6 7
Enter a Name. Enter a TDomain name. Enter the IP address and UDP port number for this management target, for example, 10.0.4.27:162. Accept or modify the default values in the TimeOut and RetryCount elds. In the Taglist eld, enter the name of the tags (trap or inform), separated by a comma if more than one tag is entered. For more details, see Table 78 "Notify Table dialog box elds" (page 166).

.
8 9
In the Params eld, enter the name of an entry in the Target Param table. Click Insert. The new Target address is shown in the list. End
Creating Target Parameters

To create a target parameter, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table. The Target Table dialog box appears, with the Target Address Table displayed.Figure 49 "Target Table dialog box, Target Address Table tab" (page 162) . 2 Select the Target Params Table tab. The Target Params Table tab appears. The following gure displays the Target Params table tab.
Figure 51 Target Params Table tab
Click Insert. The Target Table, Insert Target Params Table dialog box appears. The following gure displays the Target Table, Insert Target Params Table dialog box.
.
Conguring Security using Device Manager Figure 52 Target Table, Insert Target Params Table dialog box
165
4 5 6 7 8 9 10
Enter a Name for this set of parameters. Select the MPModel. Select the SecurityModel. Enter a SecurityName. Specify a SecurityLevel value. Enter the StorageType. Click Insert. The new target parameter is shown in the list. End
Target Params Table tab elds

"Target Params Table tab elds" (page 165) describes the Target Params Table dialog box elds.
Table 77 Target Params Table tab elds Field Name MPModel SecurityModel SecurityName Description Specifies the name of the target parameters table. Specifies the Message Processing model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security name for generating SNMP messages.
.
Field SecurityLevel Storage Type
Description Specifies the security level for SNMP messages: noAuthnoPriv, authnoPriv, or authPriv. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it doesl not persist if the switch loses power.
The Notify Table

The Notify Table contains default entries for a trap notication type and inform notication type. To create a Notify Table entry, use the following procedure: Step 1 Action From the Device Manager menu bar, choose Edit > SnmpV3 > Notify. The Notify Table dialog box appears Figure 53 "NotifyTable dialog box" (page 166) . Notify Table dialog box elds
Figure 53 NotifyTable dialog box
The following table describes the Notify Table dialog box elds.
Table 78 Notify Table dialog box elds Field Name Tag Description A name or index value for this row in the table. A single tag value that is used to associate this entry with an entry in the Target Address Table.
.
167
Field Type
Description This selection specifies the type of notification sent to a management target address. If the value is trap, sent messages contain SNMPv2-Trap PDUs. If the value is inform, messages contains Inform PDUs.
ATTENTION
If an SNMP entity only supports trap (and not inform) messages, this object can be read-only.
StorageType
Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The Notify Table, Insert dialog box appears . The following gure displays the Notify Table, Insert dialog box.
Figure 54 Notify Table, Insert dialog box
3 4 5 6 7
Enter a Name for this table row. Enter a Tag name which connects this entry to one or more Target Address table entries. Specify the Type of message Protocol Data Units (PDUs) to send to an associated Management Target Address: trap or inform. Specify the StorageType. Click Insert. The new notify entry is shown in the list.

.
End
.
169
Conguring Security using web-based management

The options available to congure application settings are: "Conguring system security" (page 169) "Accessing the management interface" (page 173) "Conguring MAC address-based security" (page 175) "Conguring MAC address-based security" (page 175) "About SNMP" (page 188) "Conguring SNMPv1" (page 188) "Conguring SNMPv3" (page 190)
Conguring system security

This section describes the steps you use to build and manage security by using the Web-based management interface.
ATTENTION
When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more information, see "Setting the username and password" (page 35).
Setting console, Telnet, and Web passwords ATTENTION

For information about modifying existing system usernames, see "Setting the username and password" (page 35).
To set Console, Telnet, and Web passwords, use the following procedure:
.
170 Conguring Security using web-based management
Step 1 2
Action From the main menu, choose Administration > Security. Choose Console, Telnet, Web, or RADIUS as required. The selected password page appears .
Click Submit.
ATTENTION
The title of the page corresponds to the menu selection you choose. In , the network administrator selected Administration > Security > Console. Figure 55 Console password setting page
The following table describes the items on the Console page.
.
Conguring system security 171 Table 79 Console page elds Section Fields Setting Description
ATTENTION
Console, Telnet, and Web connections share the same switch password type and password. These connections also share the same stack password type and password.
Console Switch Password Setting
Console Switch Password Type
(1) None (2) Local Password (3) RADIUS Authentication
Displays the switch password types.
ATTENTION
The default is None.
Read-Only Swit ch Password
1..15
Type the read-only password setting for the read-only access user. Type the read-write password setting for the read-write access user. Displays the switch password types.
Read-Write Swit ch Password
1..15
Console Sta Console Stack ck Password Password Type
None
ATTENTION
The default is None. Read-only Stack Password 1..15 Type the read-only password setting for the read-only access user. Type the read-write password setting for the read-write access user.
Read-Write Stack Password
1..15
.
Choose the type of password. The following table describes the options available in the Console Switch Password Type list box.
Table 80 Password Types Password Type None Local Password Description Indicates that no password is required for this type of access. Sets a password for access through a direct network connection or a direct Console port connection. Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page.
RADIUS Authentica tion
5 6
Type the password for read-only and read/write user access. Click Submit to save the changes. End
Conguring RADIUS dial-in access security

To congure remote dial-in access security parameters, use the following procedure: Step 1 Action From the main menu, choose Administration > Security > Radius. The Radius page appears.
Figure 56 Radius page
.
Accessing the management interface 173
The following table describes the items on the RADIUS page.

Table 81 RADIUS page elds Field Primary RADIUS Server Secondary RADIUS Server Setting XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX Description Type a Primary Radius server IP address in the appropriate format. Type a Secondary Radius server IP address in the appropriate format. Type the UDP Radius port number. Type the RADIUS timeout period. Type a unique character string to create a secret password. Reenter the password to verify.
UDP RADIUS Port RADIUS Timeout Period RADIUS Shared Secret
Integer 1..60 1..16
2 3 4 5
Type the IP addresses of the primary and secondary RADIUS (Remote Authentication Dial In User Services) servers. Type the number of the User Datagram Protocol (UDP) port for the RADIUS server. The default value is 1645. Type the number of seconds for the RADIUS timeout period. The range is 1 to 60 seconds. Type a character string for the RADIUS Shared Secret. This parameter is a special switch security code that provides authentication to the RADIUS server. The value can be any contiguous ASCII string that contains at least one printable character, up to a maximum of 16. Reenter the character string to conrm the RADIUS Shared Secret. Click Submit. End
6 7
Accessing the management interface

After switch passwords and RADIUS authentication settings are integrated into the Web-based management user interface, anyone who attempts to use the application is presented with a log on page. See Figure 57 "Web-based management interface log on page" (page 174).
.
174 Conguring Security using web-based management Figure 57 Web-based management interface log on page
To log on to the Web-based management interface, use the following procedure: Step 1 Action In the Username text box, type a valid username (default values are RO [uppercase] for read-only access or RW [uppercase] for read/write access). In the Password text box, type your password. Click Log On. The System Information page appears .
2 3
ATTENTION
For information about modifying existing system usernames, see "Setting the username and password" (page 35). Figure 58 System Information Page
.
Conguring MAC address-based security 175
End
With Web access enabled, the switch can support a maximum of four concurrent Web page users. Two predened user levels are available, and each user level has a corresponding username and password. Table 82 "User levels and access levels" (page 175) shows an example of the two predened user levels available and their access level within the Web-based management user interface.
Table 82 User levels and access levels User level Read-only Read/write User name for each level RO RW Password for each user level XXXXXXXX XXXXXXXX Access Level Read only Full read/write access
Conguring MAC address-based security

The MAC address-based security system lets you specify a range of system responses to unauthorized network access to your switch by using the Web-based management system. The system response can range from sending a trap to disabling the port. The network access control is based on the MAC Source Addresses (SAs) of the authorized stations. You can specify a list of up to 448 MAC SAs that are authorized to access the switch. You can also specify the ports that each MAC SA is allowed to access. The options for allowed MAC SA port access include: NONE, ALL, and single or multiple ports that are specied in a list, for example, one to four, six, nine, and so on. You must also include the MAC SA of any router connected to any secure ports. After the switch software detects an SA security violation, the response can be to send a trap, turn on Destination Address (DA) ltering for all SAs, disable the specic port, or any combination of these three options. You can also congure the Ethernet Routing Switch 2500 Series to drop all packets that have a specied MAC Destination Address (DA). You can create a list of up to 10 MAC DAs that you want to lter. The packet with the specied MAC DA is dropped regardless of the ingress port, Source Address (SA) intrusion, or VLAN membership.
.
ATTENTION
Ensure that you do not enter the MAC address of the switch on which you are working.
ATTENTION
After conguring the switch for MAC address-based security, you must enable the ports you want by using the Port Conguration page.
Conguring MAC address-based security

You can use the Security Conguration page to enable or disable the MAC address security feature and specify the appropriate system responses to any unauthorized network access to your switch. To congure MAC address-based security by using the Web-based management system, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Security Conguration. The Security Conguration page appears. The following gure displays the Security Conguration page.
Figure 59 Security Conguration page
.
The following table describes the items on the Security Conguration page.
Table 83 Security Conguration page items Section MAC Address Security Setting Item MAC Addres s Security Range (1) Enabled (2) Disabled Description Enables the MAC address security features. After this field is set to enabled, the software checks the source MAC addresses of the packets that arrive on the secure ports against MAC addresses listed in the MAC Address Security Table for allowed membership. If the software detects a source MAC address that is not an allowed member, the software registers a MAC intrusion event. After this field is set to enabled, the MAC address security screens cannot be modified by using SNMP. Configures how the switch reacts to an intrusion event (see MAC Address Security field): Disabled The port remains enabled, even if an intrusion event is detected. Enabled The port is disabled, then automatically reset to enabled after the time specified in the Partition Time field elapses. Forever The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses. You must manually reenable the port.
MAC Addre ss Security SNMPLocked
(1) Enabled (2) Disabled
Partition Port (1) Forever on Intrusion (2) Enabled Detected (3) Disabled
.
Section
Item Partition Time
Range 1 to 65535
Description Sets the time to partition a port on intrusion.
ATTENTION
Use this field only if the Partition Port on Intrusion Detected field is set to Enabled.
DA Filtering on Intrusion Detected Generate SNMP Trap on Intrusion MAC Security Table/Clear by Ports Action
(1) Enabled (2) Disabled (1) Enabled (2) Disabled
When enabled, the switch isolates the intruding node by filtering (discarding) the packets sent to that MAC address. Enables generation of an SNMP trap to all registered SNMP trap addresses when an intrusion is detected. Lets you clear specific ports from participation in the MAC address security features. Blank. Blank.
Port List Current Learning Mode MAC Security Table/Learn by Ports Action
Lets you identify ports that learn incoming MAC addresses. All source MAC addresses of any packets received on specified ports are added to the MAC Security Table (a maximum of 448 MAC addresses are allowed). Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses). (1) Enabled (2) Disabled Enables learning.
Port List
Current Learning Mode
2 3
On the Security Conguration page, type the necessary information in the text boxes, or select from a list. Click Submit. End
.
Conguring ports
You can use the Port Lists page, to create port lists that can be used as allowed source port lists to be referenced in the Security Table page. You can create up to 32 port lists. To activate an entry or add or delete ports from a list, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Port Lists. The Port Lists page appears. The following gure displays the Port Lists page.
Figure 60 Port Lists page
The following table describes the items on the Port Lists page.
.
180 Conguring Security using web-based management Table 84 Port Lists page items Item Entry Action Port List Description These are the lists of ports. Lets you create a port list that you can use as an Allowed Source in the Security Table screen. Displays which ports are associated with each list.
To add or delete ports to a list, click in the Action column in the list row that you want. The Port List View, Port List page appears. The following gure displays the Port List View, Port List page.
Figure 61 Port List View, Port List page
a. Click the ports you want to add to the selected list, or click All. b. To delete a port from a list, clear the box by clicking it. c. Click Submit. 3 From the main menu, choose Application > MAC Address Security > Security Conguration. The Security Conguration page appears. 4 In the MAC Security Table section, click in the Action column of the Learn By Ports row. The Port List View, Learn by Ports page appears. The following gure displays the Port List View, Learn by Ports page.
.
Conguring MAC address-based security 181 Port List View, Learn by Ports page
a. Click the ports through which you want the switch to learn MAC addresses, or click All. b. If you want that port to no longer learn MAC addresses, click the checked box to clear it. c. Click Submit. 5 6 In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row. Click Submit.
ATTENTION
You cannot include any of the port values that you choose for the secure ports eld.
End
Adding MAC addresses

You can use the Security Table page to specify the ports that each MAC address is allowed to access. (You must also include the MAC addresses of any routers that are connected to any secure ports.) To add MAC addresses to the MAC address security table, use the following procedure: Step 1 Action In the main menu, choose Applications > MAC Address Security > Security Table. It can take a few moments for the required addresses to be learned. Then, the Security Table page appears. The following gure displays the Security Table page.
.
182 Conguring Security using web-based management Figure 62 Security Table page
ATTENTION
By using this page, you instruct the switch to allow the specied MAC address access only through the specied port or port list.
The following table describes the items on the Security Table page.
Table 85 Security Table page items Section MAC Addre ss Security Table Item Action MAC Address Allowed Source MAC Addre ss Security Table Entry Creation MAC Address Port Entry Range Description Lets you delete a MAC address. Displays the MAC address. Displays the entry through which the MAC address is allowed. Lets you specify up to 448 MAC addresses that are authorized to access the switch. You can specify the ports that each MAC address is allowed to access by using the Allowed Source field (see the next item description). The specified MAC address does not take effect until the Allowed Source field is set to some value (a single port number or a port list value that you previously configured in the Port Lists screen).
.
Section
Item Allowed Source
Range
Description Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source field include a single port number or a port list value that you have previously configured in the Port Lists screen.
Complete elds as described in the table.
ATTENTION
If you choose an Entry as the Allowed Source, you must have congured that specic entry on the Port View List, Port List page.
3 4
On the Security Table page, type the required information in the text boxes or select from a list. Click Submit.
ATTENTION
Include the MAC address for the default LAN router as an allowed source MAC address.
End
Clearing ports
You can clear all information from the specied port(s) in the list of ports that learn MAC addresses. If Learn by Ports is enabled, the specied ports begin to learn the MAC addresses. To clear information from selected ports, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Security Conguration. The Security Conguration page appears (Figure 59 "Security Conguration page" (page 176)). 2 In the MAC Security Table section, click in the Action column of the Clear By Ports row. The Port List View, Clear By Ports page appears.
.
The following gure displays the Port List View, Clear By Ports page.
Figure 63 Port List View, Clear By Ports page
3 4
Select the ports you want to clear or click All. Click Submit.
ATTENTION
When you specify a port (or ports) to be cleared by using this eld, the specic port are cleared for each of the entries listed in the MAC Address Security Table. If you clear all the allowed Source Ports eld (leaving a blank eld) for an entry, the associated MAC address for that entry is also cleared.
End
Enabling security on ports

To enable or disable MAC address-based security on the port, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Port Conguration. The Port Conguration page appears. The following gure displays the Port Conguration page.
.
Conguring MAC address-based security 185 Figure 64 Port Conguration page
The following table describes the items on the Port Conguration page.
Table 86 Port Conguration page items Item Port Trunk Security Range 1 to 52 Blank, 1 to 6 (1) Enabled (2) Disabled Description Lists each port on the unit. Displays the MultiLink Trunk to which the port belongs to. Enables MAC address-based security on that port.
End
.
Deleting ports
You can delete ports from the security system in a variety of ways: In the Ports List View, Port List page (Figure 61 "Port List View, Port List page" (page 180)), click the checkmark of a selected port that you want to delete from the specied port list. In the Ports List View, Learn by Ports page ("Port List View, Learn by Ports page" (page 181)), click the checkmark of a port that you want to remove from those ports that learn MAC addresses. In the Port Conguration page (Figure 64 "Port Conguration page" (page 185)), click Disabled to remove that port from the MAC address-based security system; this action disables all MAC address-based security on that port.
Filtering MAC destination addresses

To drop all packets from a specied MAC Destination Address (DA), use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > DA MAC Filtering. The DA MAC Filtering page appears. The following gure displays the DA MAC Filtering page.
Figure 65 DA MAC Filtering page
The following table describes the items on the DA MAC Filtering page.
.
Conguring MAC address-based security 187 Table 87 DA MAC Filtering page items Section Destination MAC Addre ss Filtering Table Item Action Range Description To drop all packets to and from a specified MAC Destination Address (DA). 1 -10 The number of the MAC address. Displays the MAC address. XX:XX:XX:XX:X X:XX Enter the MAC DA that you want to filter.
Index MAC Address
DA MAC Fil tering Entry Creation
DA MAC Address
ATTENTION
Ensure that you do not enter the MAC address of the management station.
In the DA MAC Filtering Entry Creation area, enter the MAC DA that you want to lter. You can list up to 10 MAC DAs to lter.
Click Submit. The system returns you to the DA MAC Filtering page (Figure 65 "DA MAC Filtering page" (page 186)) with the new DA listed in the table. End
Deleting MAC DAs

To delete a MAC DA, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > DA MAC Filtering. The DA MAC Filtering page appears (Figure 65 "DA MAC Filtering page" (page 186)). 2 In the Destination MAC Address Filtering Table, click the Delete icon for the entry that you want to delete. A message appears prompting you to conrm your request.
.
Do one of the following: Click Yes to delete the target parameter conguration. Click Cancel to return to the table without making changes. End
About SNMP
Simple Network Management Protocol (SNMP) is the standard for network management that uses a common software agent to manage local and wide area network equipment from different vendors; part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite as dened in RFC115. SNMPv1 is version one, the original standard protocol. SNMPv3 is a combination of proposal updates to SNMP, most of which deal with security.
Conguring SNMPv1
You can congure SNMPv1 read/write and read-only community strings, enable or disable trap mode settings, and/or enable or disable the autotopology feature. The autotopology feature, when enabled, performs a process that recognizes any device on the managed network and denes and maps its relation to other network devices in real time. To congure the community string, trap mode, and autotopology settings and features, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv1. The SNMPv1 page appears. The following gure displays the SNMPv1 page.
.
Conguring SNMPv1 Figure 66 SNMPv1 page
189
The following table describes the items on the SNMPv1 page.

Table 88 SNMPv1 page items Section Community String Setting Item ReadOnly Community Strin g Range 1..32 Description Type a character string to identify the community string for the SNMPv1 read-only community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-only community. The default value is public.
ReadWrite Community Strin g
1..32
Type a character string to identify the community string for the SNMPv1 read-write community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-write community.
.
Section
Item
Range
Description The default value is private.
Trap Mod e Setting
Authentication Trap Auto Topology
(1) Enab le (2) Disa ble (1) Enab le (2) Disa ble
Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs. Choose to enable or disable the autotopology feature, which allows network topology mapping of other switches in your network.
Auto Topology Setting
2 3
Type the required information in the text boxes or select from a list. Click Submit in any section to save your changes. End
Conguring SNMPv3
This section describes the steps to build and manage SNMPv3 in the Web-based management user interface.
Viewing SNMPv3 system information

You can view information about the SNMPv3 engine that exists and the private protocols that are supported in your network conguration. You can also view information about packets received by the system that have particular errors, such as unavailable contexts, unknown contexts, decrypting errors, or unknown user names. To view SNMPv3 system information, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > System Information. The System Information page appears. The following gure displays the System Information page.
.
Conguring SNMPv3 Figure 67 System Information page
191
Table 89 "System Information section elds" (page 191) describes the elds on the System Information section of the SNMPv3 System Information page.
Table 89 System Information section elds Item SNMP Engine ID SNMP Engine Boots SNMP Engine Time SNMP Engine Maximum Message Size SNMP Engine Dialects Description The identification number for the SNMP engine. The number of times that the SNMP engine has reinitialized itself since its initial configuration. The number of seconds because the SNMP engine last incremented the snmpEngineBoots object. The maximum length, in octets, of an SNMP message that this SNMP engine can send or receive and process. This is determined as the minimum of the maximum message size values supported among all transports available to and supported by the engine. The SNMP dialect that the engine recognizes. The dialects are: SNMP1v1, SNMPv2C, and SNMPv3.
.
Item Authenticati on Protocols Supported
Description The registration point for standards-track authentication protocols used in SNMP Management Frameworks. The registration points are: None, HMAC MD5, and HMAC SHA.
ATTENTION
The Ethernet Routing Switch 2500 Series supports only the MD5 authentication protocol.
Private Protocols Supported
The registration point for standards-track privacy protocols used in SNMP Management Frameworks. The registration points are: None, CBC-DES, AES or 3DES.
ATTENTION
The Ethernet Routing Switch 2500 Series does not support privacy protocols.
Table 90 "SNMPv3 Counters section elds" (page 192) describes the elds on the SNMPv3 Counters section of the SNMPv3 System Information page.
Table 90 SNMPv3 Counters section elds Item Unavailable Contexts Unknown Contexts Unsupported Security Levels Not in Time Windows Description The total number of packets dropped by the SNMP engine because the context contained in the message is unavailable. The total number of packets dropped by the SNMP engine because the context contained in the message is unknown. The total number of packets dropped by the SNMP engine because they requested a security level that is unknown to the SNMP engine or otherwise unavailable. The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.
.
Conguring SNMPv3
193
Item Unknown User Names Unknown Engine IDs Wrong Digests
Description The total number of packets dropped by the SNMP engine because they referenced an unknown user. The total number of packets dropped by the SNMP engine because they referenced an snmpEngineID that is not known to the SNMP engine. The total number of packets dropped by the SNMP engine because they did not contain the expected digest value. The total number of packets dropped by the SNMP engine because they could not be decrypted.
Decryption Errors
End
Conguring user access to SNMPv3

You can view a table of all current SNMPv3 user security information such as authentication/privacy protocols in use, and create or delete SNMPv3 system user congurations.
Creating an SNMPv3 system user conguration

To create an SNMPv3 system user conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > User Specication. The User Specication page appears.
.
194 Conguring Security using web-based management Figure 68 User Specication page
describes the items on the User Specication Table section of the User Specication page.
Table 91 User Specication Table section items Item and MIB association Description Deletes the row.
User Name(usmUser SecurityName) Authentication Protocol(usmUser AuthProtocol)
The name of an existing SNMPv3 user. Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.
.
Conguring SNMPv3
195
Item and MIB association Private Protocol(usmUser PrivProtocol)
Description Displays whether or not messages sent on behalf of this user to or from the SNMP engine identified by the usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used. The current storage type for this row. If Volatile is displayed, information is dropped (lost) when you turn off the power. If nonvolatile is displayed, information is saved in NVRAM when you turn off the power.
Entry Storage
The following table describes the items on the User Specication Creation section of the User Specication page.
Table 92 User Specication Creation section items Item and MIB association User Name Authentication Protocol(usmUser AuthProtocol) Authentication Passphrase(usm UserAuthPassword) Privacy Protocol Range 1..32 None MD5 SHA 1..32 Description Type a string of characters to create an identity for the user. Choose whether or not the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 or SHA protocol. Type a string of characters to create a passphrase to use in conjunction with the authorization protocol. Choose the privacy protocol you want to use.
(1) (2) (3) (4)
None DES 3DES AES
Privacy Passphrase
X..XX
Type a string of characters to create a passphrase to use in conjunction with the privacy protocol. The alphanumeric string must be at least 8 characters long. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Type an alphanumeric string of minimum 8 charactersEntry Storage(usmUser StorageType)
(1) Volatile (2) Non-Volatile
In the User Specication Creation section, type the required information in the text boxes or select from a list.
.
Click Submit. The new conguration is displayed in the User Specication Table (Table 91 "User Specication Table section items" (page 194)). End
Deleting an SNMPv3 system user conguration

To delete an existing SNMPv3 user conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > User Specication. The User Specication page appears (). 2 In the User Specication Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the SNMPv3 user conguration. Click Cancel to return to the User Specication page without making changes. End
Conguring an SNMPv3 system user group membership

You can view a table of existing SNMPv3 group membership congurations and map or delete an SNMPv3 user to a group conguration.
Mapping an SNMPv3 system user to a group

To map an SNMPv3 system user to a group, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Group Membership. The Group Membership page appears. The following gure displays the Group Membership page.
.
Conguring SNMPv3 Figure 69 Group Membership page
197
The following table describes the items on the Group Membership page.
Table 93 Group Membership page items Item and MIB association Range Description Deletes the row.
.
Item and MIB association Security Name(vacmSecu rityTo GroupStatus)
Range 1..32
Description Type a string of characters to create a security name for the principal that is mapped by this entry to a group name. Choose the security model within which the security name to group name mapping is valid. Type a string of characters to specify the group name. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Security Model(vacmSecu rityTo GroupStatus) Group Name(vacmGroupN ame) Entry Storage(vacmSecuri tyTo GroupStorageType)
(1) SNMPv1 (2) SNMPv2c (3) USM 1..32 (1) Volatile (2) Non-Volati le
2 3
In the Group Membership Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Group Membership Table (Figure 69 "Group Membership page" (page 197)). End
Deleting an SNMPv3 group membership conguration

To delete an SNMPv3 group membership conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Group Membership. The Group Membership page appears (Figure 69 "Group Membership page" (page 197)). 2 In the Group Membership Table, click the Delete icon for the entry you want to delete.
.
Conguring SNMPv3
199
A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the group membership conguration. Click Cancel to return to the Group Membership page without making changes.
ATTENTION
This Group Membership Table section of the Group Membership page contains hyperlinks to the SNMPv3 User Specication and Group Access Rights pages. For more information on these pages, see "Conguring user access to SNMPv3" (page 193) and "Conguring SNMPv3 group access rights" (page 199) .
End
Conguring SNMPv3 group access rights

You can view a table of existing SNMPv3 group access rights congurations, and you can create or delete a SNMPv3 system-level access rights for a group.
Creating an SNMPv3 group access rights conguration

To create a SNMPv3 system-level access right conguration for a group, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Group Access Rights. The Group Access Rights page appears. The following gure displays the Group Access Rights page.
.
200 Conguring Security using web-based management Figure 70 Group Access Rights page
The following table describes the items on the Group Access Rights page.
Table 94 Group Access Rights page items Item and MIB association Range Description Deletes the row.
Group Name(vacm AccessToGroup Status) Security Model(vacm AccessSecurity Model)l
1..32
Type a character string to specify the group name to which access is granted. Choose the security model to which access is granted.
(1) SNMPv1 (2) SNMPv2c (3) USM
.
Conguring SNMPv3
201
Item and MIB association Security Level(vacm AccessSecurity Level) Read View(vacm AccessReadView Name)
Range (1) noAuthNoPr iv (2) authNoPriv (3) authPriv 1..32
Description Choose the minimum level of security required to gain the access rights allowed to the group. Type a character string to identify the MIB view of the SNMP context to which this entry authorizes read access. Type a character string to identify the MIB view of the SNMP context to which this entry authorizes write access. Type a character string to identify the MIB view to which this entry authorizes access to notifications. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Write View(vacm AccessWriteView Name)
1..32
Notify View(vacm AccessNotifyView Name) Entry Storage(vacm SecurityToGroup StorageType)
1..32
(1) Volatile (2) NonVolatile
2 3
In the Group Access Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Group Access Table (Figure 70 "Group Access Rights page" (page 200)). End
Deleting an SNMPv3 group access rights conguration

To delete an SNMPv3 group access conguration, use the following procedure:
.
Step 1
Action From the main menu, choose Conguration > SNMPv3 > Group Access Rights. The Group Access Rights page appears (Figure 70 "Group Access Rights page" (page 200)).
In the Group Access Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request.
Do one of the following: Click Yes to delete the group access conguration. Click Cancel to return to the Group Access Rights page without making changes.
ATTENTION
This Group Access Table section of the Group Access Rights page contains hyperlinks to the Management Information View page.
End
Conguring an SNMPv3 management information view

You can view a table of existing SNMPv3 management information view congurations, and you can create or delete SNMPv3 management information view congurations.
ATTENTION
A view can consist of multiple entries in the table, each with the same view name, but a different view subtree.
Creating an SNMPv3 management information view conguration

To create an SNMPv3 management information view conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Management Info View. The Management Information View page appears.
.
Conguring SNMPv3
203
The following gure displays the Management Information View page.

Figure 71 Management Information View page
The following table describes the elds on the Management Information View page.
.
204 Conguring Security using web-based management Table 95 Management Information View page elds Fields and MIB association Range Description Deletes the row.
View Name(vacmV iew TreeFamilyView Name) View Subtree(vacm View TreeFamilySubtree)
1..32
Type a character string to create a name for a family of view subtrees.
X.X.X.X.X...
Type an object identifier (OID) to specify the MIB subtree that, when combined with the corresponding instance of vacmViewTreeFamilyMask, defines a family of view subtrees.
ATTENTION
If no OID is entered and the field is blank, a default mask value consisting of 1s is recognized.
View Mask(vacmVi ew TreeFamilyMask)
Octet String (0..16)
Type the bit mask that, in combination with the corresponding instance of vacmViewFamilySubtree, defines a family of view subtrees. Choose to include or exclude a family of view subtrees.
View Type(vacmVie w TreeFamilyType) Entry Storage(vacm Secu-rityToGroupSt orageType)
(1) Include (2) Exclude
(1) Volatile Choose your storage preference. (2) Non-Vola Selecting Volatile requests tile information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
.
Conguring SNMPv3
205
2 3
In the Management Information Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry appears in the Management Information Table (Figure 71 "Management Information View page" (page 203)). End
Deleting an SNMPv3 management information view conguration

To delete an existing SNMPv3 management information view conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Management Info View. The Management Information page appears (Figure 71 "Management Information View page" (page 203)). 2 In the Management Information Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the management information view conguration. Click Cancel to return to the table without making changes. End
Conguring an SNMPv3 system notication entry

You can view a table of existing SNMPv3 system notication congurations, and you can congure specic SNMPv3 system notication types with particular message recipients and delete SNMPv3 notication congurations.
Creating an SNMPv3 system notication conguration

To create an SNMPv3 system notication conguration, use the following procedure:
.
Step 1
Action From the main menu, choose Conguration > SNMPv3 > Notication. The Notication page appears. The following gure displays the Notication page.
The following table describes the items on the Notication page.

Table 96 Notication page items Item and MIB association Range Description Deletes the row.
Notify Name(snmpNo tify RowStatus)
1..32
Type a character string to identify the entry.
.
Conguring SNMPv3
207
Item and MIB association Notify Tag(snmp NotifyTag)
Range 1..32
Description Type a value to use to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable which contains a tag value which is equal to the value of an instance of this object is selected. If this object carries a zero length, no entries are selected Choose the type of notification to generate. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Notify Type(snmp NotifyType) Entry Storage(snmp NotifyStorageType)
(1) Trap (2) Inform (1) Volatile (2) Non-Vol atile
2 3
In the Notication Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Notication Table "Notication page" (page 206) . End
ATTENTION
This Notication Table section of the Notication page contains hyperlinks to the Target Parameter page.
Deleting an SNMPv3 system notication conguration

To delete an SNMPv3 notication conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Notication. The Notication page appears ("Notication page" (page 206)).
.
In the Notication Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request.
Do one of the following: Click Yes to delete the notication conguration. Click Cancel to return to the table without making changes. End
Conguring an SNMPv3 management target address

You can view a table of existing SNMPv3 management target congurations, create SNMPv3 management target address congurations that associate notications with particular recipients, and delete SNMPv3 target address congurations.
Creating an SNMPv3 target address conguration

To create an SNMPv3 target address conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Target Address. The Target Address page appears. The following gure displays the Target Address page.
The following table describes the items on the Target Address page.
.
Conguring SNMPv3 Table 97 Target Address page items Item and MIB association Range Description Deletes the row.
209
Target Name(snmpTarg etAddrName) Target Address(snmp TargetAddrT Address)
1..32 XXX.XXX .XXX.XXX: XXX
Type a character string to create a target name. Type a transport address in the format of an IP address, colon, and UDP port number. For example: 10.30.31.99:162.
Target Timeout(snmp TargetAddrTimeout)
Integer
Type the number, in seconds, to designate as the maximum time to wait for a response to an inform notification before resending theInform notification. Type the default number of retires to be attempted when a response is not received for a generated message. An application can provide its own retry count, in which case the value of this object is ignored. Type the space-separated list of tag values to be used to select target addresses for a particular operation. Type a numeric string to identify an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generated messages are sent to this transport address. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests
Target Retry Count(snmpTargetA ddrRetryCount)
0..255
Target Tag List(snmpTarget AddrTagList) Target Parameter Entry(snmpTarget Addr)
1..20
1..32
Entry Storage
(1) Volatile (2) Non-Vol atile
.
Item and MIB association
Range
Description information to be saved in NVRAM when you turn off the power.
2 3
In the Target Address Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Target Address Table ("Target Address page" (page 208)).
ATTENTION
This Target Address Table section of the Target Address page contains hyperlinks to the Target Parameter page.
End
Deleting an SNMPv3 target address conguration

To delete an SNMPv3 target address conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Target Address. The Target Address page appears ("Target Address page" (page 208)). 2 In the Target Address Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the target address conguration. Click Cancel to return to the table without making changes. End
.
Conguring SNMPv3
211
Conguring an SNMPv3 management target parameter

SNMPv3 management target parameters are used during notication generation to specify the communication parameters that are used for exchanges with notication recipients. You can view a table of existing SNMPv3 target parameter congurations, create SNMPv3 target parameters that associate notications with particular recipients, and delete existing SNMPv3 target parameter congurations.
Creating an SNMPv3 target parameter conguration

To create an SNMPv3 target parameter conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Target Parameter. The Target Parameter page appears. The following gure displays the Target Parameter page.
The following table describes the items on the Target Parameter page.
Table 98 Target Parameter page items Item Range Description Deletes the row.
.
Item Parameter Tag(snmpTarget ParamsRowStatus) Msg Processing Model(snmpTarget ParamsMPModel) Security Name(snmpTarget ParamsSecuirty Name) Security Level(snmpTarget ParamsSecuirtyLevel) Entry Storage(snmpTargetP aramsStorage Type)
Range 1..32
Description Type a unique character string to identify the parameter tag. Choose the message processing model to be used when generating SNMP messages using this entry. Type the principal on whose behalf SNMP messages are generated using this entry. Choose the level of security to be used when generating SNMP messages using this entry. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
(0) SNMPv1 (1) SNMPv2c (2) SNMPv3 /USM 1..32
(1) noAuthNoPriv (2) authNoPriv (3) authPriv (1) Volatile (2) Non-Volatile
2 3
In the Target Parameter Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry appears in the Target Parameter Table ("Target Parameter page" (page 211)). End
Deleting an SNMPv3 target parameter conguration

To delete an SNMPv3 target parameter conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv3 > Target Parameter. The Target Parameter page appears ("Target Parameter page" (page 211)). 2 In the Target Parameter Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request. 3 Do one of the following:
.
Conguring SNMPv3
213
Click Yes to delete the target parameter conguration. Click Cancel to return to the table without making changes. End
Conguring an SNMP trap receiver

You can congure the IP address and community string for a new SNMP trap receiver, view a table of existing SNMP trap receiver congurations, or delete an existing SNMP trap receiver conguration(s).
ATTENTION
The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are congurable using this table.
Creating an SNMP trap receiver conguration

To create an SNMP trap receiver conguration, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMP Trap. The SNMP Trap Receiver page appears. The following gure displays the SNMP Trap Receiver page.
Figure 72 SNMP Trap Receiver page
The following table describes the elds on the Trap Receiver Table and Trap Receiver Creation sections of the SNMP Trap Receiver page.
.
214 Conguring Security using web-based management Table 99 SNMP Trap Receiver page elds Fields Range Description Deletes the row.
Trap Receiver Index IP Address
1..4 XXX.XXX.XXX .XXX 0..32
Choose the number of the trap receiver to create or modify. Type the network address for the SNMP manager that is to receive the specified trap. Type the community string for the specified trap receiver. Reenter the community string for the specified trap receiver to confirm.
Community
2 3
In the Trap Receiver Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Trap Receiver Table (). End
Deleting an SNMP trap receiver conguration

To delete SNMP trap receiver congurations, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMP Trap Receiver. The SNMP Trap Receiver page appears (). 2 In the Trap Receiver Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the SNMP trap receiver conguration. Click Cancel to return to the table without making changes.
.
Conguring SNMPv3
215
End
.
.
217
Appendix A SNMP MIB support

The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard MIBs, as well as private MIB extensions, which ensures compatibility with existing network management tools. The switch supports the MIB-II (RFC 1213), Bridge MIB (RFC 1493), and the RMON MIB (RFC 1757), which provide access to detailed management statistics. With SNMP management, you can congure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in the operating status of a port. Table 100 "SNMP MIB support" (page 217) lists the supported SNMP MIBs.
Table 100 SNMP MIB support Application S5 Chassis MIB S5 Agent MIB RMON MLT SNMPv3 MIBs RFCs 2571, 2572, 2573, 2574, 2575, 2576 rfc1213.mib rfc2233.mib rfc1643.mib s5ifx100.mib s5sbs102.mib bnlog.mib s5emt104.mib rcVlan RFC 2037
.
Standard MIBs
Proprietary MIBs s5cha127.mib s5age140.mib
rfc1757.mib rcMLT
MIB2 IF-MIB Etherlike MIB Interface Extension MIB Switch Bay Secure System Log MIB S5 Autotopology MIB VLAN Entity MIB
218 Appendix A SNMP MIB support
Application Spanning Tree LLDP-MIB
Standard MIBs RFC1493 Bridge MIB IEEE 802.1ab
Proprietary MIBs
Management Agent The SNMP agent is trilingual and supports exchanges by using SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 communities provide support for SNMPv2c by introducing standards-based GetBulk retrieval capability. SNMPv3 support provides MD5 and SHA-based user authentication and message security as well as DES-based message encryption. Modules that support MIB are: Standard MIBs MIB II (RFC 1213) Bridge MIB (RFC 1493) and proposed VLAN extensions 802.1Q Bridge MIB 802.1p Ethernet MIB (RFC 1643) RMON MIB (RFC 1757) SMON MIB High Capacity RMON Interface MIB (RFC2233) Entity MIB (RFC2037) SNMPv3 MIBs (RFC 2271 RFC 2275)
Proprietary MIBs s5Chassis MIB s5Agent MIB Interface Extension MIB s5 Multi-segment topology MIB s5 Switch BaySecure MIB System Log MIB RapidCity Enterprise MIB rcDiag (Conversation steering) MIB rcVLAN MIB rcMLT MIB
.
219
SNMP trap support

The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard SNMPv1 traps, as well as private SNMPv1 trap extensions (Table 101 "Support SNMP traps" (page 219)).
Table 101 Support SNMP traps Trap name Configurable Sent when
RFC 1215 (industry standard): linkUp linkDown authenticationFailure coldStart warmStart Per port Per port System wide Always on Always on The link state changes to up on a port. The link state changes to down on a port. SNMP authentication failure occurs. The system is powered on. The system restarts due to a management reset.
s5CtrMIB (Nortel proprietary traps): s5CtrUnitUp s5CtrUnitDown s5CtrHotSwap s5CtrProblem Always on Always on Always on Always on A unit is added to an operational stack. A unit is removed from an operational stack. A unit is hot-swapped in an operational stack. A component or subcomponent has a problem condition either a warning, nonfatal, or fatal condition. A MAC address violation is detected. A rising Alarm is fired. A falling Alarm is fired. All switch configuration is saved to NVRAM. A failed log in on a telnet or console session occurs.
s5EtrSbsMacAccess Violation risingAlarm fallingAlarm bsnConfigurationSave dTo Nvram bsnNotifications.6.0
Always on Always on Always on Always on
Always on
.
220
Index
A
access 39, 46 SNMP 176 administrative options logging on 173 security, conguring passwords 169 remote dial-in access 172 allowed IP addresses 39 Allowed Source eld 182 AuthCong tab 116 AccessCtrlType eld 117 BrdIndx eld 117 MACIndx eld 117 PortIndx eld 117 SecureList eld 117 authentication 56 authentication traps, enabling 188 AuthStatus tab 119 AuthStatusBrdIndx eld 120 AuthStatusMACIndx eld 120 AuthStatusPortIndx eld 120 CurrentAccessCtrlType eld 121 CurrentActionMode eld 121 CurrentPortSecurStatus eld 121 AuthViolation tab 122 Autotopo-logy Setting eld 190 autotopology, enabling 188
C
Clear By Ports page 184 cli password command 36 Commu-nity String Setting eld 189 community strings, conguring 188 Community Table dialog box 159 ContextEngineID eld 161 ContextName eld 161 Index eld 160 Name eld 160 SecurityName eld 160 StorageType eld 161 TransportTag eld 161 Console Password Setting page 170 Console/TELNET/Web access conguration 17 conventions, text 11 Current Learning Mode eld 178 customer support 14
D
DA ltering 80 DA Filtering on Intrusion Detected eld 178 DA MAC Address eld 187 DA MAC Filtering page 186 default eapol guest-vlan command 93 default http-port 44 default radius-server command 58 default snmp trap link-status command 69 default snmp-server authentication-trap command 61 default snmp-server community command 63
B
BaySecure 80
.
Index 221
default snmp-server contact command 64 default snmp-server host command 76 default snmp-server name command 67 default ssh command 54 default telnet-access command 48 Device Manager 40
EapolFramesRx eld 137 EapolFramesTx Field 137 EapolLogoffFramesRx eld 137 EapolReqFramesTx eld 137 EapolReqIdFramesTx eld 137 EapolRespFramesRx eld 137 EapolRespldFramesRx 137 EapolStartFramesRx eld 137 InvalidEapolFramesRx eld 138 EAPOL Advance tab for a port EAPOL tab 110 GuestVlanEnabled eld 131 EAPOL tab for a port 127 GuestVlanId eld 131 EAPOL tab for ports EAPOL Advance tab for ports 129 AdminControlledDirections eld 128 eapol command 91, 91 AuthControlledPortControl eld 129 EAPOL Diag tab 138 AuthControlledPortStatus eld 128 AuthEapLogoffWhileAuthenticated BackendAuthState eld 128 eld 140 KeyTxEnabled eld 129 AuthEapLogoffWhileAuthenticating LastEapolFrameSource eld 129 eld 140 LastEapolFrameVersion eld 129 AuthEapStartsWhileAuthenticated MaximumRequests eld 129 eld 140 OperControlledDirections eld 128 AuthEapStartsWhileAuthenticating PaeState eld 128 eld 140 PortCapabilities eld 128 AuthFailWhileAuthenticating eld 140 PortInitialize eld 128 AuthReauthsWhileAuthenticated PortProtocolVersion eld 128 eld 140 PortReauthenticateNow eld 128 AuthReauthsWhileAuthenticating QuietPeriod eld 129 eld 140 ReAuthenticationEnabled eld 129 AuthSuccessWhileAuthenticating ReAuthenticationPeriod eld 129 eld 139 ServerTimeout 129 AuthTimeoutsWhileAuthenticating SupplicantTimeout eld 129 eld 140 TransmitPeriod eld 129 BackendAccessChallenges eld 140 EAPoL-based security 21 BackendAuthFails eld 141 with Guest VLAN 23 BackendAuthSuccesses eld 141 EAPOL-based security 87 BackendNonNakResponsesFromSuppliEntry eld 180 cant eld 141 Entry Storage eld 198, 201, 204 BackendOtherRequestsToSupplicant eld 141 BackendResponses eld 140 EapLogoffsWhileConnecting eld 139 General tab 111 EntersAuthenticating eld 139 AuthCtlPartTime eld 112 EntersConnecting eld 139 AuthSecurityLock eld 112 eapol guest-vlan command 93 CurrNodesAllowed eld 114 EAPOL Security Conguration 23 CurrSecurityLists eld 114 EAPOL Stats tab 136 MaxNodesAllowed eld 114 EapLengthErrorFramesRx eld 138 MaxSecurityLists eld 114
.
222 Index
learn by ports 180 PortLearnStatus eld 114 learning 178 PortSecurityStatus eld 114 MAC DA 175, 186 SecurityAction eld 113 ports 184 SecurityMode eld 113 security list 179 SecurityStatus 112 Generate SNMP Trap on Intrusion eld 178 security table 181 MAC Address Security eld 177 Group Access Right tab MAC Address Security SNMP-Locked ContextMatch eld 155 eld 177 ContextPrex eld 155 MAC address-based network security 21, NotifyViewName eld 156 21 ReadViewName eld 155 MAC DA ltering 80, 186 SecurityLevel eld 155 MAC security SecurityModel eld 155 DA ltering 80 StorageType eld 156 source-address based 80 WriteViewName eld 155 mac-security command 81 Group Access Rights page 199 mac-security command for specic ports 85 Group Membership page 196 mac-security mac-da-lter command 86 Group Membership tab mac-security mad-address-table address GroupName eld 154 command 83, 83, 84, 85 SecurityModel eld 154 mac-security security-list command 83 SecurityName eld 154 Management Information View page 202 StorageType eld 154 management systems 40 Group Name eld 198, 200 Management Target Address table 162 Guest VLAN 23 Management target tables 161 MHMA 28 MHSA 33 HTTP port number change 26 conguring with CLI 107 http-port command 44 MIB View tab Mask eld 158 StorageType eld 158 IP 39 Subtree eld 158 IP manager list 39 Type eld 158 ipmgr command 40, 42 ViewName eld 158 modifying parameters 91 Multiple Host with Multiple Authentication (MHMA) 28 Learn by Ports page 180 Multiple Host with Single Authentication 33 logging on 173 Login screen 18
H I
M
MAC Address eld 182, 187 MAC address security 176 allowed source 181 clearing 184 deleting ports 186
Name eld 166 New User Name eld 152 no eapol guest-vlan command 93 no ipmgr command 41, 42 no mac-security command 84
.
Index 223
no mac-security mac-address-table command 84 no mac-security security-list command 85 no radius-server command 58 no smnp-server command 60 no snmp trap link-status command 68 no snmp-server authentication-trap command 61 no snmp-server command 72 no snmp-server community command 62 no snmp-server contact command 64 no snmp-server host 76 no snmp-server location command 65 no snmp-server name command 66 no snmp-server view command 74 no ssh command 51 no ssh dsa-auth command 53 no ssh dsa-auth-key command 54 no ssh dsa-host-key command 51 no ssh pass-auth command 53 no telnet-access command 47 no web-server command 56 Non-EAP hosts on EAP-enabled ports 30 Non-EAP MAC RADIUS authentication 32 Notication page 206 Notify Table dialog box 166 StorageType eld 167 Tag eld 166 Type eld 167 Notify View eld 201
R
RADIUS access 36 RADIUS authentication 56 Radius page 172 RADIUS password fallback 20 RADIUS Shared Secret eld 173 RADIUS Timeout Period eld 173 RADIUS-based network security 20 RADIUS-based security 20 radius-server command 57 radius-server password fallback 58 Read View eld 201 read-only access 172 read-write access 172 remote access requirements 44, 44 remote dial-in access, conguring 172 requirements remote access 44
Secondary RADIUS Server eld 173 Security MAC address-based network security 21 RADIUS-based network security 20 security 36, 39, 46, 56, 80, 87 MAC address-based 176 Security Conguration page 176 Security eld 185 Security Level eld 201 security lists 80 Security Model eld 198, 200 Security Name eld 198 Partition Port on Intrusion Detected eld 177security options 18 Partition Time eld 178 Security page 176 passwords 36 Security parameters passwords, setting General tab console 169 SecurityStatus eld 112 remote dial-in access 172 Security Table page 181 Telnet 169 security, conguring Web 169 passwords 169 Port Conguration page 184 remote dial-in access 172 Port List eld 178, 180 Security, Insert AuthCong dialog box 117 Port List page 180 AccessCtrlType eld 118 Port Lists page 179 BrdIndx eld 118 Primary RADIUS Server eld 173 MACIndx eld 118 product support 14 PortIndx eld 118
.
224 Index
SecureList eld 118 SecurityListIndx eld 116 SecurityListMembers eld 116 Security, Insert SecurityList dialog box 115 SecurityList tab 114 SecurityListIndx eld 115 SecurityListMembers eld 115 show dsa-host-key command 51 show eapol auth-diags interface command 89, 90 show eapol command 87 show eapol guest-vlan command 94 show http-port command 43 show ipmgr command 39 show mac-security command 80 show radius-server command 56 show snmp-server command 64, 78 show ssh download-auth-key command 50 show ssh global command 49 show ssh session command 50 show telnet-access command 45 SNMP 26 about 188 MAC address security 177 trap receivers conguring 213 deleting 214 SNMP Graph tab 145 InASNParseErrs eld 146 InBadCommunityNames eld 146 InBadCommunityUses eld 146 InBadValues eld 146 InBadVersions eld 146 InGenErrs eld 147 InGetNexts eld 145 InGetRequests eld 145 InGetResponses eld 145 InNoSuchNames eld 146 Inpkts eld 145 InReadOnlys eld 147 InSetRequests eld 145 InTooBigs eld 146 InTotalReqVars eld 145 InTotalSetVars eld 145 OutBadValues eld 146 OutGenErrs eld 146 OutNoSuchNames eld 146
Outpkts eld 145 OutTooBigs eld 146 OutTraps eld 146 SNMP tab 141, 141 LastUnauthenticatedCommunityString eld 142 LastUnauthenticatedIpAddress eld 142 TrpRcvrCurEnt eld 142 TrpRcvrMaxEnt eld 142 TrpRcvrNext eld 142 snmp trap link-status command 67 SNMP Trap Receiver page 213 snmp-server authentication-trap command 60 snmp-server command 59 snmp-server community command 61, 77, 77 snmp-server contact command 64 snmp-server host command 75 snmp-server location command 65 snmp-server name command 66, 79, 79, 79, 79, 79, snmp-server user command 70 snmp-server view command 73 SNMPv1 about 188 conguring 188 SNMPv1 page 188 SNMPv3 147 about 188 conguring 190 group access rights conguring 199 deleting 201 group membership conguring 196 deleting 198 initial login 148 management information views conguring 202 deleting 205 management target 161 system information, viewing 190 system notication entries conguring 205 deleting 207 target addresses
.
Index 225
conguring 208 deleting 210 target parameters 164 conguring 211 deleting 212 user access conguring 193 deleting 196 User-based Security Model (USM) 149 View-based Access Control Model (VACM) 152 SNMPv3 user conguration methods 149 source IP addresses 42 ssh command 51 ssh download-auth-key command 54 ssh dsa-auth command 52 ssh pass-auth command 53, 53 ssh port command 53, 53 ssh secure command 52 SSH Sessions tab 124, 125 SSHSessionsIP eld 125 SSH tab 122 DsaAuth eld 123 Enable eld 123 KeyAction eld 123 LoadServerAddr eld 124 PassAuth eld 123 Port eld 123 TftpAction eld 124 TftpResult eld 124 Timeout eld 123 Version eld 123 ssh timeout command 52 support, Nortel 14 switch conguration options autotopology feature 188 community string settings 188 SNMP trap receivers 213 SNMPv3 group access rights 199 management information views 202 management target addresses 208 management target parameters 211 system information, viewing 190 system notication entries 205 user access 193 user group membership 196
trap mode settings 188 switches supported 11 System Information page 190
T
Target Address page 208 Target Address Table Name eld 162 Params eld 163 RetryCount eld 162 StorageType eld 163 TAddress eld 162 Taglist eld 163 TDomain eld 162 Timeout eld 162 Target Parameter page 211 Target Params Table MPModel eld 165 Name eld 165 SecurityLevel eld 166 SecurityModel eld 165 SecurityName eld 165 Storage Type eld 166 technical support 14 Telnet 36, 40, 44, 46 Telnet Password Setting page 170 telnet-access command 46 text conventions 11 TftpFile eld 124 Trap Mode Setting eld 190 Trap Receiver adding 143 Trap Receivers tab 142 Community eld 143 Indx eld 143 NetAddr eld 143 traps 67 troubleshooting 83 access 39, 44, 56, 80
U
UDP RADIUS Port eld 173 username command 35 USM dialog box 149 AuthProtocol eld 150 EngineID eld 150
.
226 Index
Name eld 150 PrivProtocol eld 150 SecurityName eld 150 StorageType eld 150 USM Insert USM Table dialog box Cloned User Auth Password eld 152 Cloned User Priv Password eld 152 New User Auth Password eld 152 New User Priv Password eld 152 Priv Protocol eld 152 StorageType eld 152 USM, Insert USM Table dialog box Auth Protocol eld 152 Clone From User eld 152
V
VACM dialog box 153 VACM tables 153 vacmGroupName eld 155 View Mask eld 204 View Name eld 204 View Subtree eld 204 View Type eld 204
W
Web Password Setting page 170 Web-based management system 40 web-server command 55 Write View eld 201
.
Nortel Ethernet Routing Switch 2500 Series
Security Conguration and Management

Copyright 2007, Nortel Networks All Rights Reserved. Publication: NN47215-505 (323165-B) Document status: Standard Document version: 02.01 Document date: 19 November 2007 To provide feedback or report a problem in this document, go to www.nortel.com/feedback Sourced in Canada, India, and the United States of America The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrants. *Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document. All other trademarks are the property of their respective owners.

2500 Series - Security Config and Manegement

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

2500 Series - Security Config and Manegement

Încărcat de

Drepturi de autor:

Formate disponibile

Nortel Ethernet Routing Switch 2500 Series

Security Conguration and Management

Restricted rights legend

Nortel Networks software license agreement

Using security in your network

Conguring Security using the CLI

Conguring Security using web-based management

New in this release

Advanced Security features

10 New in this release

Before you begin

angle brackets (< >)

bold body text

plain Courier text

How to get help

Getting help from the Nortel Web site

Getting help through a Nortel distributor or reseller

Getting help over the phone from a Nortel Solutions Center

How to get help

Getting help from a specialist by using an Express Routing Code

Using security in your network

Setting management passwords

Console/TELNET/Web password Conguration

Username and password

18 Using security in your network

Conguring Security options

20 Using security in your network

RADIUS-based network security

RADIUS password fallback enhancement

Conguring Security options

MAC address-based security

22 Using security in your network

EAPOL Security Conguration

EAPoL with Guest VLAN

EAPOL Security Conguration

24 Using security in your network

Password length and valid characters

The password is case sensitive.

Password aging time

Read-Only and Read-Write passwords must be different

Enabling and disabling password security

26 Using security in your network

HTTP port number change

Simple Network Management Protocol

SNMP Version 1 (SNMPv1)

Simple Network Management Protocol

SNMP Version 2 (SNMPv2)

SNMP Version 3 (SNMPv3)

Nortel Ethernet Routing Switch 2500 Series support for SNMP

SNMP MIB support

28 Using security in your network

SNMP trap support

Advanced EAPOL features

Multiple Host with Multiple Authentication

Advanced EAPOL features

Radius-assigned VLAN use in MHMA mode

30 Using security in your network

2526T(config)#eapol multihost use-radius-assigned-vlan

Enable Radius assigned VLANs in interface mode for switch port 1:

2526T(config-if)#eapol multihost port 1 use-radius-assigne d-vlan

Non-EAP hosts on EAP-enabled ports

Advanced EAPOL features

32 Using security in your network