Documente Academic
Documente Profesional
Documente Cultură
NN47215-505 (323165-B)
.
Document status: Standard Document version: 02.01 Document date: 19 November 2007 Copyright 2007, Nortel Networks All Rights Reserved. Sourced in Canada, India, and the United States of America The information in this document is subject to change without notice. The statements, congurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specied in this document. The information in this document is proprietary to Nortel Networks. The software described in this document is furnished under a license agreement and can be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document. All other trademarks are the property of their respective owners.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product can be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University can not be used to endorse or promote products derived from such portions of the software without specic prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that can incorporate by reference certain limitations and notices imposed by third parties).
2.
3.
4.
b.
c.
Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customers use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. Neither party can bring an action, regardless of form, more than two years after the cause of the action arose. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
d. e. f.
Contents
New in this release
Features 9 Advanced Security features 9
Introduction
Before you begin 11 Text conventions 11 Related publications 13 How to get help 14 Getting help from the Nortel Web site 14 Getting help through a Nortel distributor or reseller 14 Getting help over the phone from a Nortel Solutions Center 14 Getting help from a specialist by using an Express Routing Code 15
11
17
25
6 Contents Default passwords 26 HTTP port number change 26 Simple Network Management Protocol 26 SNMP Version 1 (SNMPv1) 26 Nortel Ethernet Routing Switch 2500 Series support for SNMP 27 SNMP MIB support 27 SNMP trap support 28 Advanced EAPOL features 28 Non-EAP hosts on EAP-enabled ports 30
35
56
169
Contents 7 Viewing SNMPv3 system information 190 Conguring user access to SNMPv3 193 Conguring an SNMPv3 system user group membership 196 Conguring SNMPv3 group access rights 199 Conguring an SNMPv3 management information view 202 Conguring an SNMPv3 system notication entry 205 Conguring an SNMPv3 management target address 208 Conguring an SNMPv3 management target parameter 211 Conguring an SNMP trap receiver 213
Index
220
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
8 Contents
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Features
See "Advanced Security features" (page 9)for information about feature changes.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
11
Introduction
This guide provides information about conguring and managing security features on the Nortel Ethernet Routing Switch 2500 Series. This guide describes the features of the following Nortel switches: Nortel Ethernet Routing Switch 2526T Nortel Ethernet Routing Switch 2526T-PWR Nortel Ethernet Routing Switch 2550T Nortel Ethernet Routing Switch 2550T-PWR
The term "Ethernet Routing Switch 2500 Series" is used in this document to describe the features common to the switches mentioned above. A switch is referred to by its specic name when a feature is described that is exclusive to the switch.
Text conventions
This guide uses the following text conventions:
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
12 Introduction
Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12
Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items. Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts|routes}, you must either enter show ip or show ip routes, but not both.
braces ({})
brackets ([ ])
Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [-alerts], you can either enter show ip interfaces or show ip interfaces -alerts.
italic text
Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>,valid_route is one variable, and you substitute one value for it.
Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Related publications
13
separator ( > )
Shows menu paths. Example: Protocols > IP identifies the IP command on the Protocols menu.
vertical line ( | )
Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts|routes}, you can either enter show ip alerts or show ip routes, but not both.
Related publications
For more information about using the Ethernet Routing Switch 2500 Series, see the following publications: Nortel Ethernet Routing Switch 2500 Series Release Notes Software Release 4.1 (NN47215-400) Documents important changes about the software and hardware that are not covered in other related publications. Nortel Ethernet Routing Switch 2500 Series Overview System Conguration (NN47215-500) Describes the various management interfaces and how to use them to congure basic switching features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Conguration VLANs, Spanning Tree, and MultiLink Trunking (NN47215-501) Describes how to congure Virtual Local Area Networks (VLAN), Spanning Tree Protocol (STP), and MultiLink Trunk (MLT) features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Conguration Quality of Service (NN47215-504) Describes how to congure and manage Quality of Service features for the Nortel Ethernet Routing Switch 2500 Series. Nortel Ethernet Routing Switch 2500 Series Performance Management System Monitoring (NN47215-502) Describes how to congure system logging and network monitoring, and how to display system statistics for the Nortel Ethernet Routing Switch 2500 Series.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
14 Introduction
Nortel Ethernet Routing Switch 2500 Series Conguration IP Multicast (NN47215-503) Describes how to congure IP Multicast Routing Protocol features for the Nortel Ethernet Routing Switch 2500 Series.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
15
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
16 Introduction
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
17
ATTENTION
If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords. For information about modifying existing usernames, see "Setting the username and password" (page 35).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Logging on
If you set a password, the next time you access the switch, you are prompted for a username and password as shown in the (default usernames are RW and RO). Enter a valid username and password and press Enter. You are then directed to the CLI. For information about modifying the existing usernames, see Login screen"Setting the username and password" (page 35)
Login screen
Figure 1 "Ethernet Routing Switch 2500 Series security feature" (page 19) shows a typical campus conguration that uses the Ethernet Routing Switch 2500 security features. This example assumes that the switch, the teachers ofces and classrooms, and the library are physically secured. The student dormitory can (or can not be) physically secure.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security options Figure 1 Ethernet Routing Switch 2500 Series security feature
19
In this conguration example, the following security measures are implemented: The switch RADIUS-based security is used to limit administrative access to the switch through user authentication (see "RADIUS-based network security" (page 20)). MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security" (page 21)). The switch is located in a locked closet, accessible only by authorized Technical Services personnel. Student dormitory Dormitory rooms are typically occupied by two students and are prewired with two RJ-45 jacks. Only students who are authorized (as specied by the MAC address-based security feature) can access the switch on the secured ports.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Teachers ofces and classrooms The PCs that are located in the teachers ofces and in the classrooms are assigned MAC address-based security that is specic for each classroom and ofce location. The security feature logically locks each wall jack to the specied station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC into the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port. It is assumed that all PCs are password protected and that the classrooms and ofces are physically secured.
Library The wall jacks in the library are set up so that the PCs can be connected to any wall jack in the room. With this arrangement, you can move the PCs anywhere in the room. The exception is the printer, which is assigned as a single station with full bandwidth to that port. It is assumed that all PCs are password protected and that access to the library is physically secured.
For detailed instructions to set up your RADIUS server, see your RADIUS server documentation.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
21
When RADIUS password fallback is disabled, you must specify the RADIUS username and password from the NetLogin screen. Unless the RADIUS server is congured and reachable, you cannot log on to the switch to authenticate the login and password. The Radius password fallback feature is disabled by default. You can use the following CLI commands to enable and disable this feature: radius-server password fallback no radius-server
ATTENTION
The no radius-server CLI command disables the RADIUS fallback feature, along with the remaining RADIUS conguration.
EAPOL-based security
The Ethernet Routing Switch 2500 Series provides security on the basis of Extensible Authentication Protocol over LAN (EAPOL), and it uses the EAP as is given in the IEEE 802.IX so that you can set up a network access control over LANs. With EAP, you can authenticate user information through a connection between a client and the switch by using an authentication
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
service such as RADIUS. This security feature works hand-in-hand with the Radius-based server and thus provides the advantages of remote authentication to internal LAN clients. An example follows to show how an Ethernet Routing Switch 2500 Series reacts when it is congured to the EAPoL security feature and a new network connection: When the switch nds a new connection in one of its ports, the following occurs: 1. The switch asks for a User ID of the new client. 2. The User ID is covered by EAPoL, and it passes on to the Radius server. 3. The response from the Radius server is to ask for a password of the user. Within the EAPoL packet, the new client forwards a password to the switch: The EAPoL packet is relayed to the Radius server. If the Radius server validates the password, the new client is allowed to access the switch and the network. The EAPoL-based security is composed of the following terms: Supplicant- the device applying for network access. Authenticator- a software with the main purpose of authorizing the supplicant who is attached at the other end of the LAN segment. Authentication server- a Radius server that provides authorization services to an authenticator. Port Access Entity (PAE)- an entity that supports each port to the Authenticator or Supplicants. In the example above, the authenticator PAE is present in the switch. Controlled Port is a switch port with EAPOL based security. The authenticator communicates with the Supplicant through EAP over LAN (EAPoL), which is an encapsulation mechanism. The authenticator PAE encapsulates the EAP through the RADIUS server packet and sends it to the authentication server. The authenticator server sends the packet in an exchange that occurs between the supplicant and authentication server. This exchange occurs when the EAP message is encapsulated to make it suitable for the destination of the packet. The authenticator determines the operational state of the controlled port. The RADIUS server noties the authenticator PAE of the success
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
23
or failure of the authentication to change the operational state of the controlled port. PAE functions are then available for each port to forward, or else the controlled port state depends upon the operational trafc control eld in the EAPoL conguration screen. Operational trafc can be of two types: Incoming and Outgoing- In regards to an unauthorized controlled port, the frames received and transmitted are discarded, and state of the port is blocked. Incoming- Although the frames received for an unauthorized port are discarded, the transmit frames are forwarded through the port.
ATTENTION
Before you enable EAPOL, you must congure your Primary RADIUS Server and RADIUS Shared Secret. You also need to set up specic user accounts on your RADIUS server:
User names Passwords VLAN IDs Port priority You can set up these parameters directly on your RADIUS server. For detailed instructions about conguring your RADIUS server, see your RADIUS server documentation.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
ATTENTION
Do not enable EAPOL security on the switch port that is connected to the RADIUS server.
Password security
The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch and stack passwords. With password security enabled, the following enhanced security features are applied:
Password retry
If the user fails to provide the correct password after a number of consecutive attempts, the switch resets the logon process. The number of failed logon attempts is congurable and the default is three.
Password history
The switch keeps a history of the last three passwords. You cannot reuse a password stored in history. When you set the password for the fourth time, you can reuse the password that you used the rst time.
Password display
The password is not displayed as clear text. Each character of the password is substituted with an asterisk (*).
Password verication
When you provide a new password, you must retype the password to conrm it. If the two passwords do not match, the password update process fails. In this case, you must try to update the password once again. There is no limit on the number of times you are allowed to update the password.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Password security 25
Applicable passwords
The password security feature applies these enhanced features to the following passwords: Switch RO password Switch RW password Stack RO password Stack RW password
The password security feature applies only the display and verication restrictions to the following passwords: RADIUS Shared Secret Read-Only community string Read-Write community string
When password security is disabled, the following occurs: Current passwords remain valid. Password history bank is removed. Password verication is disabled.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
ATTENTION
By default, password security is disabled for the non-SSH software image and enabled for the SSH software image.
Default passwords
For the standard software image, the default password for RO is "user" and "secure" for RW. For the secure software image, the default password for RO is "userpasswd" and "securepasswd" for RW.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
27
SNMPv1 security is based on communities, which are nothing more than passwords: plain-text strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
29
Only unicast packets are sent to a specic port so that the packets reach the correct destination. Receiving EAPOL packets The EAPOL packets are directed to the correct logical port for state machine action. Trafc on an authorized port Only a set of authorized MAC addresses is allowed access to a port. MHMA support for EAP clients includes the following features: A port remains on the Guest VLAN when no authenticated hosts exist on it. Until the rst authenticated host, both EAP and non EAP clients are allowed on the port. After the rst successful authentication, only EAPOL packets and data from the authenticated MAC addresses are allowed on a particular port. Only a predened number of authenticated MAC users are allowed on a port. When RADIUS VLAN assignment is disabled for ports in MHMA mode, only precongured VLAN assignment for the port is used. Upon successful authentication, untagged trafc is put it in a VLAN congured for the port. When RADIUS VLAN assignment is enabled for ports in MHMA mode, upon successful RADIUS authentication, the port gets a VLAN value in a RADIUS Attribute with EAP success. The port is added and the PVID is set to the rst such VLAN value from the RADIUS server. Conguration of timer parameters is per physical port, not per user session. However, the timers are used by the individual sessions on the port. Reauthenticate Now, when enabled, causes all sessions on the port to reauthenticate. Reauthentication timers are used to determine when a MAC is disconnected so as to enable another MAC to log in to the port. Conguration settings are saved across resets.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
address may not have a Radius-assigned VLAN value. At this point, the port is moved to a congured VLAN. A later authenticated EAP MAC address (for instance, the third one on the port) can get a Radius-assigned VLAN value. This port is then added, and the port VLAN ID (PVID) is set to the rst such VLAN value from the Radius server. The VLAN remains the same irrespective of which MAC leaves, and a change in the VLAN takes place only when there are no authenticated hosts on the port. This enhancement works in a very similar manner with the already existing Radius assigned VLANs feature in SHSA mode. It is basically an extension of that feature which gives the user the ability to move a port to a specic VLAN, even if that switch port operates in EAP MHMA mode. The only restriction of this enhancement is that if you have multiple EAP clients authenticating on a given switch port (as you normally can in MHMA mode), each one congured with a different VLAN ID on the Radius server, the switch moves the port to the VLAN of the rst authenticated client. In this way, a permanent bounce between different VLANs of the switch port is avoided. Following are the steps to enable the enhancement : Enable Radius assigned VLANs in Global Conguration command mode:
By default, the Radius assigned VLANs in MHMA enhancement is disabled in global cong and interface modes, for all switch ports.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
31
Support for non-EAPOL hosts on EAPOL-enabled ports is primarily intended to accommodate printers and other dumb devices sharing a hub with EAPOL clients. Support for non-EAPOL hosts on EAPOL-enabled ports includes the following features: EAPOL and authenticated non-EAPOL clients are allowed on the port at the same time. Authenticated non-EAPOL clients are hosts that satisfy one of the following criteria: Host MAC address matches an entry in an allowed list precongured for the port. Host MAC address is authenticated by RADIUS. Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts exist on the port. When a new host is seen on the port, non-EAPOL authentication is performed as follows: If the MAC address matches an entry in the precongured allowed MAC list, the host is allowed. If the MAC address does not match an entry in the precongured allowed MAC list, the switch generates a <username, password> pair, which it forwards to the network RADIUS server for authentication. For more information about the generated credentials, see "Non-EAPOL MAC RADIUS authentication" (page 32). If the MAC address is authenticated by RADIUS, the host is allowed. If the MAC address does not match an entry in the precongured allowed MAC list and also fails RADIUS authentication, the host is counted as an intruder. Data packets from that MAC address are dropped. EAPOL authentication is not affected. For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged trafc is put in a VLAN precongured for the port. For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged trafc follows the PVID of the port. Non-EAPOL hosts continue to be allowed on the port until the maximum number of non-EAPOL hosts is reached. The maximum number of non-EAPOL hosts allowed is congurable. After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The additional non-EAPOL hosts are counted as intruders. New EAPOL hosts can continue to negotiate EAPOL authentication. When the intruder count reaches 32, a SNMP trap and system log message are generated. The port administrative status is set to force-unauthorized, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL and non-EAPOL negotiations on the port. The feature uses enterprise-specic MIBs. Conguration settings are saved across resets.
ATTENTION
Guest VLAN and non-EAPOL host support on a port are mutually exclusive. If you have congured a port to support Guest VLAN, you cannot enable support for non-EAPOL hosts on that port. Similarly, if you have congured an EAPOL-enabled port to support non-EAPOL hosts, you cannot enable Guest VLAN on that port. Also, you cannot enable non-EAPOL support on uplink or call server ports.
For information about conguring non-EAPOL host support, see Conguring support for non-EAPOL hosts on EAPOL-enabled ports.
ATTENTION
Use only lowercase letters for usernames and passwords congured on the Radius server. Follow these global conguration examples, to select a password format that combines one or more of these 3 elements: password = 010010011253..0305 (when the switch IP address, unit and port are used). password = 010010011253.. (when only the switch IP address is used).
The following example illustrates the <username, password> pair format: switch IP address = 10.10.11.253
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
33
non-EAP host MAC address = 00 C0 C1 C2 C3 C4 unit = 3 port = 25 username = 00c0c1c2c3c4 password = 010010011253.00c0c1c2c3c4.0325
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value congured for a port is 2. This translates to around 200 for a box and 800 for a stack.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
35
username command
The username command sets the system username and password for access through the serial console port, Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch. The parameters are set for the standalone or stack environment depending on the current operational mode.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The username command is executed in the Global Conguration command mode. Table 1 "username command parameters and variables" (page 36) describes the parameters and variables for the username command.
Table 1 username command parameters and variables Parameters and variables <username> <password> Description Enter your username for the first variable, and your password for the second variable. The default username values are RO for read-only access and RW for read/write access.
ro|rw
Specifies that you are modifying the read-only (ro) username or the read-write (rw) username. The ro/rw variable is optional. If it is omitted, the command applies to the read-only mode.
ATTENTION
After you congure the username and password with the username command, if you then update the password using the cli password command (or through Web-based management), the new password is set, but the username is unchanged.
37
The cli password command is executed in the Global Conguration command mode.
Table 2 cli password command parameters and variables Parameters and variables read-only|read-w rite <NAME> <PASSWORD> serial|telnet Description Specifies that you are modifying the read-only (ro) password or the read-write (rw) password. Enter your username for the first variable, and your password for the second variable. Specifies that you are modifying the password for serial console access or for Telnet and Web-based management access. Specifies the password that you are modifying: none disables the password local use the locally defined password for serial console or Telnet access radius use RADIUS authentication for serial console or Telnet access
none|local|radiu s
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The following shows a sample output for this command: 2550T (config)#show password security Password security is enabled The show password security command has no parameters or variables.
where <aging-value> is between 0 - 2730. A value of 0 causes the password to age out immediately. If a new aging time is set from the CLI, the password aging counters are not reset.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
39
The following shows a sample output for this command: 2550T (config)#show password aging-time Aging time: 100 days
where <number> is an integer in the range 1-100 that species the allowed number of failed logon attempts. The default is 3. If a new aging time is set from the CLI, the password aging counters are not reset.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The show ipmgr command is executed in the Privileged EXEC command mode. The show ipmgr command has no parameters or variables. Figure 2 "show ipmgr command output" (page 40) displays sample output from the show ipmgr command.
Figure 2 show ipmgr command output
The ipmgr command for the management systems is executed in the Global Conguration command mode. Table 3 "ipmgr command for system management parameters and variables" (page 40) describes the parameters and variables for the ipmgr command.
Table 3 ipmgr command for system management parameters and variables Parameters and variables telnet|snmp|web Description Enables IP manager list checking for access to various management systems:
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
41
Description snmp provides list access using SNMP, including the Device Manager web provides list access using the Web-based management system
Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.
The no ipmgr command is executed in the Global Conguration command mode. Table 4 "no ipmgr command for management system" (page 41) describes the parameters and variables for the no ipmgr command.
Table 4 no ipmgr command for management system Parameters and variables telnet|snmp|web Description Disables IP manager list checking for access to various management systems:
telnet disables list check for Telnet access snmp disables list check for SNMP, including the Device Manager web disables list check for the Web-based management system
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The ipmgr command for the source IP addresses is executed in the Global Conguration command mode. Table 5 "ipmgr command for source IP addresses parameters and variables" (page 42) describes the parameters and variables for the ipmgr command for the source IP addresses.
Table 5 ipmgr command for source IP addresses parameters and variables Parameters and variables source-ip <1-10> <XXX.XXX.XXX.XXX> Description Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.
The no ipmgr command for the source IP addresses is executed in the Global Conguration command mode. Table 6 "no ipmgr command for source IP addresses parameters and variables" (page 43) describes the parameters and variables for the no ipmgr command for the source IP addresses.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your system Table 6 no ipmgr command for source IP addresses parameters and variables Parameters and variables source-ip [<1-10>] Description When you specify an option, this command sets the IP address and mask for the specified entry to 255.255.255.255 and 255.255.255.255. When you omit the optional parameter, the list is reset to the factory defaults.
43
The show http-port command is executed in the Privileged EXEC command mode. The show http-port command has no parameters or variables. Figure 3 "show http-port command output" (page 43) displays sample output from the show http-port command command.
Figure 3 show http-port command output
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
http-port command
The http-port command sets the port number for the HTTP port. The syntax for the http-port command is:
http-port <1024-65535>
The http-port command is executed in the Global Conguration command mode. Table 7 "http-port command parameters and variables" (page 44) describes the parameters and variables for the http-port command.
Table 7 http-port command parameters and variables Parameters and variables <1024-65535> Description Enter the port number you want to be the HTTP port.
ATTENTION
To set the HTTP port to 80, use the default http-port command.
default http-port
The default http-port command sets the port number for the HTTP port to the default value of 80. The syntax for the default http-port command is:
default http-port
The default http-port command is executed in the Global Conguration command mode. The default http-port command has no parameters or variables.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
45
ATTENTION
Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of ve users on the switch. All users can congure simultaneously.
You can view the Telnet allowed IP addresses and settings, change the settings, or disable the Telnet connection. This section covers the following topics: "show telnet-access command" (page 45) "telnet-access command" (page 46) "no telnet-access command" (page 47) "default telnet-access command" (page 48)
The show telnet-access command is executed in the Privileged EXEC command mode. The show telnet-access command has no parameters or variables. Figure 5 "show telnet-access command output" (page 46) displays sample output from the show telnet-access command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
46 Conguring Security using the CLI Figure 5 show telnet-access command output
telnet-access command
With the telnet-access command, you can congure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is:
telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access |failures|all}] [source-ip <1-10> <XXX.XXX.XXX.XXX>[mask <XXX.XXX.XXX.XXX>]]
The telnet-access command is executed in the Global Conguration command mode. Table 8 "telnet-access command parameters and variables" (page 46) describes the parameters and variables for the telnet-access command.
Table 8 telnet-access command parameters and variables Parameters and variables enable|disable login-timeout <1-10> Description Enables or disables Telnet connections. Specifies the time in minutes that you want to wait between an initial Telnet connection and acceptance of a password before closing the Telnet connection; enter an integer between 1 and 10. Specifies the number of times that the user can enter an incorrect password before closing the connection; enter an integer between 1 and 100. Specifies in minutes how long to wait before closing an inactive session; enter an integer between 0 and 60.
retry <1-100>
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
47
Description Specifies what types of events you want to save in the event log:
all Save all access events in the log: Telnet connect indicates the IP address and access mode of a Telnet session. Telnet disconnect indicates the IP address of the remote host and the access mode, due to either a log off or inactivity. Failed Telnet connection attempts indicates the IP address of the remote host that is not on the list of allowed addresses, or indicates the IP address of the remote host that did not supply the correct password.
none No Telnet events are saved in the event log. access Connect and disconnect events are saved in the event log. failure Only failed Telnet connection attempts are saved in the event log.
Specifies up to 10 source IP addresses from which connections are allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which connections are allowed; enter the IP mask in dotted-decimal notation.
ATTENTION
These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
no telnet-access command
With the no telnet-access command, you can disable the Telnet connection. The syntax for the no telnet-access command is:
no telnet-access [source-ip [<1-10>]]
Table 9 "no telnet-access command parameters and variables" (page 48) describes the parameters and variables for the no telnet-access command.
Table 9 no telnet-access command parameters and variables Parameters and variables source-ip [<1-10>] Description Disables the Telnet access. When you do not use the optional parameter, the source-ip list is cleared, meaning that the 1st index is set to 0.0.0.0./0.0.0.0. and the 2nd to 10th indexes are set to 255.255.255.255/255.255.255.255. When you do specify a source-ip value, the specified pair is set to 255.255.255.255/255.255.255.255.
ATTENTION
These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
The default telnet-access command is executed in the Global Conguration command mode. The default telnet-access command has no parameters or values.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
49
"ssh dsa-host-key command" (page 51) "no ssh dsa-host-key command" (page 51) "ssh command" (page 51) "no ssh command" (page 51) "ssh secure command" (page 52) "ssh timeout command" (page 52) "ssh dsa-auth command" (page 52) "no ssh dsa-auth command" (page 53) "ssh pass-auth command" (page 53) "no ssh pass-auth command" (page 53) "ssh port command" (page 53) "ssh download-auth-key command" (page 54) "no ssh dsa-auth-key command" (page 54) "default ssh command" (page 54)
The show ssh global command is executed in the Privileged EXEC command mode. The show ssh global command has no parameters or variables. Figure 6 "show ssh global command output" (page 49) displays sample output from the show ssh global command
Figure 6 show ssh global command output
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The show ssh session command is executed in the Privileged EXEC command mode. The show ssh session command has no parameters or variables. Figure 7 "show ssh session command output" (page 50) displays sample output from the show ssh session command.
Figure 7 show ssh session command output
The show ssh download-auth-key command is executed in the Privileged EXEC command mode. The show ssh download-auth-key command has no parameters or variables. Figure 8 "show ssh download-auth-key command output" (page 50) displays sample output from the ssh download-auth-key command.
Figure 8 show ssh download-auth-key command output
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
51
ATTENTION
You cannot enable SSH while the host key is being generated.
This command can only be executed in SSH disable mode. The syntax of the ssh dsa-host-key command is:
ssh dsa-host-key
The ssh dsa-host-key command is executed in the Global Conguration command mode. There are no parameters or variables for the ssh dsa-host-key command.
The no ssh dsa-host-key command is executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-host-key command.
ssh command
The ssh command enables the SSH server on the Ethernet Routing Switch 2500 Series in nonsecure mode. In addition to accepting SSH connections, the Ethernet Routing Switch 2500 Series continues to accept Web, SNMP, and Telnet connections while in this mode.The syntax of the ssh command is:
ssh
The ssh command is executed in the Global Conguration command mode. There are no parameters or variables for the ssh command.
no ssh command
The no ssh command disables the SSH server on the Ethernet Routing Switch 2500 Series. The syntax of the no ssh command is:
no ssh
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The no ssh command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh command.
The ssh secure command executed in the Global Conguration command mode. There are no parameters or variables for the ssh secure command.
The ssh timeout command executed in the Global Conguration command mode. Table 10 "ssh timeout command parameters and variables" (page 52) describes the parameters and variables for the ssh timeout command.
Table 10 ssh timeout command parameters and variables Parameters and variables <1-120> Description Specifies the timeout value for authentication. The default is 60.
The ssh dsa-auth commandexecuted in the Global Conguration command mode. There are no parameters or variables for the ssh dsa-auth command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
53
The no ssh dsa-auth command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-auth command.
The ssh pass-auth command executed in the Global Conguration command mode. There are no parameters or variables for the ssh pass-auth command.
The no ssh pass-auth command executed in the Global Conguration command mode. There are no parameters or variables for the no ssh pass-auth command.
The ssh portcommand is executed in the Global Conguration command mode. Table 11 "ssh port command parameters and variables" (page 54) describes the parameters and variables for the ssh port command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
54 Conguring Security using the CLI Table 11 ssh port command parameters and variables Parameters and variables <1-65535> Description Specifies the SSH connection port. The default is 22.
The ssh download-auth-key command is executed in the Global Conguration command mode. Table 12 "ssh download-auth-key command parameters and variables" (page 54) describes the parameters and variables for the ssh download-auth-key command.
Table 12 ssh download-auth-key command parameters and variables Parameters and variables address <XXX.XXX.XXX.XXX> key-name <file> Description The IP address of the TFTP server. The name of the public key file on the TFTP server.
The no ssh dsa-auth-key command is executed in the Global Conguration command mode. There are no parameters or variables for the no ssh dsa-auth-key command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
55
The default ssh command is executed in the Global Conguration command mode. Table 13 "default ssh command parameters and variables" (page 55) describes the parameters and variables for the default ssh command.
Table 13 default ssh command parameters and variables Parameters and variables dsa-auth pass-auth port timeout Description Resets dsa-auth to the default value. Default is True. Resets pass-auth to the default value. Default is True. Resets the port number for SSH connections to the default. Default is 22. Resets the timeout value for session authentication to the default. Default is 60.
web-server
The web-server command enables or disables the Web server that you use for Web-based management. The syntax for the web-server command is:
web-server {enable|disable}
The web-server command is executed in the Global Conguration command mode. Table 14 "web-server command parameters and variables" (page 56) describes the parameters and variables for the web-server command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
56 Conguring Security using the CLI Table 14 web-server command parameters and variables Parameters and variables enable|disabl e Description Enables or disables the Web server.
no web-server
The no web-server command disables the Web server that you use for Web-based management. The syntax for the no web-server command is:
no web-server
The no web-server command is executed in the Global Conguration command mode. The no web-server command has no parameters or values.
The show radius-server command is executed in the Privileged EXEC command mode. The show radius-server command has no parameters or variables. Figure 9 "show radius-server command output" (page 57) shows sample output from the show radius-server command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
57
radius-server command
The radius-server command changes the RADIUS server settings. The syntax for the radius-server command is:
radius-server host <address> [secondary-host <address>] port <num> key <string> timeout <num>
ATTENTION
When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and conrm the string.
The radius-server command is executed in the Global Conguration command mode. Table 15 "radius-server command parameters and variables" (page 57) describes the parameters and variables for the radius-server command.
Table 15 radius-server command parameters and variables Parameters and variables primary-host <address> secondary-host <address> port <num> key <string> Description Specifies the primary RADIUS server. Enter the IP address of the RADIUS server. Specifies the secondary RADIUS server. Enter the IP address of the secondary RADIUS server. Enter the port number of the RADIUS server. Specifies a secret text string that is shared between the switch and the RADIUS server for authentication. Enter the secret string, which is an alphanumeric string of up to 16 characters. Specifies the RADIUS time-out period.
timeout <num>
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
no radius-server command
The no radius-server command clears the RADIUS server settings. The syntax for the no radius-server command is:
no radius-server
The no radius-server command is executed in the Global Conguration command mode. The no radius-server command has no parameters or values.
The default radius-server command is executed in the Global Conguration command mode. The default radius-server command has no parameters or values.
The radius-server password fallback command is executed in the Global Conguration command mode.
59
The switch provides the following CLI commands to congure SNMP and SNMPv3: "snmp-server command" (page 59) "no snmp-server command" (page 60) "snmp-server authentication-trap command" (page 60) "no snmp-server authentication-trap command" (page 61) "default snmp-server authentication-trap command" (page 61) "snmp-server community for read/write command" (page 61) "no snmp-server community command" (page 62) "default snmp-server community command" (page 63) "show snmp-server community command" (page 64) "snmp-server contact command" (page 64) "no snmp-server contact command" (page 64) "default snmp-server contact command" (page 64) "snmp-server location command" (page 65) "no snmp-server location command" (page 65) "default snmp-server location command" (page 66) "snmp-server name command" (page 66) "no snmp-server name command" (page 66) "default snmp-server name command" (page 67) "snmp trap link-status command" (page 67) "no snmp trap link-status command" (page 68) "default snmp trap link-status command" (page 69)
snmp-server command
The snmp-server command enables or disables the SNMP server. The syntax for the snmp-server command is:
snmp-server {enable|disable}
The snmp-server command is executed in the Global Conguration command mode. Table 16 "snmp-server command parameters and variables" (page 60) describes the parameters and variables for the snmp-servercommand.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
60 Conguring Security using the CLI Table 16 snmp-server command parameters and variables Parameters and variables enable|disable Description Enables or disables the SNMP server.
no snmp-server command
The no snmp-server command disables SNMP access. The syntax for the no snmp-server command is:
no snmp-server
The no snmp-server command is executed in the Global Conguration command mode. The no snmp-server command has no parameters or variables.
ATTENTION
Disabling SNMP access also locks you out of the Device Manager management system.
The snmp-server authentication-trap command is executed in the Global Conguration command mode. Table 17 "snmp-server authentication-trap command parameters and variables" (page 60) describes the parameters and variables for the snmp-server authentication-trap command.
Table 17 snmp-server authentication-trap command parameters and variables Parameters and variables enable|disable Description Enables or disables the generation of authentication failure traps.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
61
The no snmp-server authentication-trap command is executed in the Global Conguration command mode. The no snmp-server authentication-trap command has no parameters or variables.
The default snmp-server authentication-trap command is executed in the Global Conguration command mode. The default snmp-server authentication-trap command has no parameters or variables.
The snmp-server community read/write command is executed in the Global Conguration command mode. This command congures a single read-only or a single read/write community. A community congured using this command has no access to any of the SNMPv3 MIBs. This command affects community strings created prior to Release 3.0 software. These community strings have a xed MIB view. Table 18 "snmp-server community for read/write command parameters and variables" (page 62) describes the parameters and variables for the snmp-server community for read/write command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
62 Conguring Security using the CLI Table 18 snmp-server community for read/write command parameters and variables Parameters and variables <community-string> Description Changes community strings for SNMP v1 and SNMPv2c access. Enter a community string that functions as a password and permits access to the SNMP protocol. If you set the value to NONE, it is disabled.
ATTENTION
This parameter is not available when Password Security is enabled, in which case, the switch prompts you to enter and confirm the new community string.
ro|rw
Specifies read-only or read/write access. Stations with ro access can retrieve only MIB objects, and stations with rw access can retrieve and modify MIB objects.
ATTENTION
If neither ro nor rw is specified, ro is assumed (default).
The no snmp-server community command is executed in the Global Conguration command mode. If you do not specify a read-only or read/write community parameter, all community strings are removed, including all communities controlled by the snmp-server community command and the snmp-server community command for read-write.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
63
If you specify read-only or read/write, then only the read-only or read/write community is removed. If you specify the name of a community string, then the community string with that name is removed. Table 19 "no snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the no snmp-server community command.
Table 19 no snmp-server community command parameters and variables Parameters and variables ro|rw| Description Sets the specified community string value to NONE, thereby disabling it. Deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).
<community-string>
The default snmp-server community command is executed in the Global Conguration command mode. If the read-only or read/write parameter is omitted from the command, all communities are restored to their default settings. The read-only community is set to public, the read/write community is set to private, and all other communities are deleted. Table 20 "default snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the default snmp-server community command.
Table 20 default snmp-server community command parameters and variables Parameters and variables ro|rw Description Restores the read-only community to public, or the read/write community to private.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The show snmp-server command is executed in the Privileged EXEC command mode.
The snmp-server contact command is executed in the Global Conguration command mode. Table 16 "snmp-server command parameters and variables" (page 60) describes the parameters and variables for the snmp-server contact command.
Table 21 snmp-server contact command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysContact value; enter an alphanumeric string.
The no snmp-server contact command is executed in the Global Conguration command mode. The no snmp-server contact command has no parameters or variables.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
65
The default snmp-server contact command is executed in the Global Conguration command mode. The default snmp-server contact command has no parameters or variables.
The snmp-server location command is executed in the Global Conguration command mode. Table 22 "snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the snmp-server location command command.
Table 22 snmp-server location command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysLocation value; enter an alphanumeric string of up to 255 characters.
The no snmp-server location command is executed in the Global Conguration command mode. Table 23 "no snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the no snmp-server location command.
Table 23 no snmp-server location command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysLocation value. Enter a string of up to 255 characters.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The default snmp-server location command is executed in the Global Conguration command mode. The default snmp-server location command has no parameters or variables.
The snmp-server name command is executed in the Global Conguration command mode. Table 24 "snmp-server name command parameters and variables" (page 66) describes the parameters and variables for the snmp-server name command.
Table 24 snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
The no snmp-server name command is executed in the Global Conguration command mode. Table 25 "no snmp-server name command parameters and variables" (page 67) describes the parameters and variables for the no snmp-server name command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your system Table 25 no snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
67
The default snmp-server name command is executed in the Global Conguration command mode. Table 26 "default snmp-server name command parameters and variables" (page 67) describes the parameters and variables for the default snmp-server name command.
Table 26 default snmp-server name command parameters and variables Parameters and variables <text> Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
The snmp trap link-status command is executed in the Interface Conguration command mode. Table 27 "snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the snmp trap link-status command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
68 Conguring Security using the CLI Table 27 snmp trap link-status command parameters and variables Parameters and variables port <portlist> Description Specifies the port numbers on which to enable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
If you omit this parameter, the system uses the port number specified with the interface command.
disable|enable
The no snmp trap link-status command is executed in the Interface Conguration command mode. Table 28 "no snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the no snmp trap link-status command.
Table 28 no snmp trap link-status command parameters and variables Parameters and variables port <portlis t> Description Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
If you omit this parameter, the system uses the port number specified with the interface command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
69
The default snmp trap link-status command is executed in the Interface Conguration command mode. Table 29 "default snmp trap link-status command parameters and variables" (page 69) describes the parameters and variables for the no snmp trap link-status command.
Table 29 default snmp trap link-status command parameters and variables Parameters and variables port <portlist> Description Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
If you omit this parameter, the system uses the port number specified with the interface command.
The snmp-server user command is executed in the Global Conguration command mode. The sha and des parameters are available only if the switch image has full SHA/DES support. The command shows three sets of read/write/notify views. The rst set species unauthenticated access. The second set species authenticated access. The third set species authenticated and encrypted access. You can specify authenticated access only if the md5 or sha parameter is included. Likewise, you can specify authenticated and encrypted access only if the des, aes, or 3des parameter is included. If you omit the authenticated view parameters, authenticated access uses the views specied for unauthenticated access. If you omit all the authenticated and encrypted view parameters, the authenticated and encrypted access uses the same views that are used for authenticated access. These views are the unauthenticated views, if all the authenticated views are also omitted. Table 30 "snmp-server user command parameters and variables" (page 70) describes the parameters and variables for the snmp-server user command.
Table 30 snmp-server user command parameters and variables Parameters and variables engine-id <engineid> <username> Description Specifies the SNMP engine ID of the remote SNMP entity. Specifies the user names; enter an alphanumeric string of up to 255 characters.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
71
password specifies the new users md5 /sha authentication passphrase; enter an alphanumeric string.
If this parameter is omitted, the user is created with only unauthenticated access rights.
ATTENTION
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
read-view <view-name>
Specifies the read view to which the new user has access:
view-name specifies the view name; enter an alphanumeric string of up to 255 characters.
write-view <view-name>
Specifies the write view to which the new user has access:
view-name specifies the view name; enter an alphanumeric string of up to 255 characters.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Specifies the notify view to which the new user has access:
view-name specifies the view name; enter an alphanumeric string of up to 255 characters.
des/aes/3des <password>
Specifies the use of a des/aes/3des privacy passphrase. password specifies the new users des/aes/3des privacy passphrase; enter an alphanumeric string of minimum 8 characters. If this parameter is omitted, the user is created with only authenticated access rights.
ATTENTION
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
The no snmp-server user command is executed in the Global Conguration command mode. Table 31 "no snmp-server user command parameters and variables" (page 73) describes the parameters and variables for the no snmp-server user command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your system Table 31 no snmp-server user command parameters and variables Parameters and variables engine-id <engineid> <username> Description Specifies the SNMP engine ID of the remote SNMP entity. Specifies the user to be removed.
73
The snmp-server view command is executed in the Global Conguration command mode. T Table 32 "snmp-server view command parameters and variables" (page 73)describes the parameters and variables for the snmp-server view command.
Table 32 snmp-server view command parameters and variables Parameters and variables <viewname> <OID> Description Specifies the name of the new view; enter an alphanumeric string. Specifies the Object identifier. OID can be entered as a MIB object English descriptor, a dotted form OID, or a mix of the two. Each OID can also be preceded by a plus (+) or minus () sign (if the minus sign is omitted, a plus sign is implied). For the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description
sysName +sysName -sysName +sysName.0 +ifIndex.1 -ifEntry.*.1 (matches all objects in the if Table with an instance of 1, that is, the entry for interface #1) 1.3.6.1.2.1.1.1.0 (dotted form of sysDescr)
The plus (+) or minus () sign indicates whether the specified OID is included in or excluded from, respectively, the set of MIB objects that are accessible by using this view. For example, if you create a view as follows: snmp-server view myview +system -sysDescr and you use that view for the read-view of a user, then the user can read only the system group, except for sysDescr.
The no snmp-server view is executed in the Global Conguration command mode. Table 33 "no snmp-server view command parameters and variables" (page 74) describes the parameters and variables for the no snmp-server view command.
Table 33 no snmp-server view command parameters and variables Parameters and variables <viewname> Description Specifies the name of the view to be removed. If no view is specified, all views are removed.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
75
The snmp-server host for the new-style table command is executed in the Global Conguration command mode. Table 34 "snmp-server host for the new-style table command parameters and variables" (page 75) describes the parameters and variables for the snmp-server host for the new-style table command.
Table 34 snmp-server host for the new-style table command parameters and variables Parameters and variables <host-ip> port <1-65535> <community-string> Description Enter a dotted-decimal IP address of a host to be the trap destination. Sets SNMP trap port. If you do not specify a trap type, this variable creates v1 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels. Using v2c creates v2c trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels. Using v3 creates v3 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels by entering the following variables:
v2c <community-string>
v3 {auth|no-auth| auth-priv}
auth|no-auth Specifies whether SNMPv3 traps can be authenticated. auth-privThis parameter is only available if the image has full SHA/DES support.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description
<username>
Specifies the SNMPv3 username for trap destination; enter an alphanumeric string.
The no snmp-server host for the new-style table command is executed in the Global Conguration command mode. Table 35 "no snmp-server host for the new-style command parameters and variables" (page 76) describes the parameters and variables for the no snmp-server for the new-style table command.
Table 35 no snmp-server host for the new-style command parameters and variables Parameters and variables <host-ip> v1|v2c|v3 Description Enter the IP address of a trap destination host. Specifies the trap receivers in the SNMPv3 MIBs.
The default snmp-server host command is executed in the Global Conguration command mode. The default snmp-server host command has no parameters or variables.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
77
The snmp-server community command is executed in the Global Conguration command mode. Table 36 "snmp-server community command parameters and variables" (page 77) describes the parameters and variables for the snmp-server community command.
Table 36 snmp-server community command parameters and variables Parameters and variables <communitystring> Description Enter a community string to be created with access to the specified views.
ATTENTION
This parameter is not available when Password Security is enabled, in which case, the switch prompts you to enter and confirm the new community string.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Changes the read view used by the new community string for different types of SNMP operations.
view-name specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
ro rw write-view <view-name>
Read-only access with this community string. Read-write access with this community string. Changes the write view used by the new community string for different types of SNMP operations.
view-name specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
notify-view <view-name>
Changes the notify view settings used by the new community string for different types of SNMP operations.
view-name specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
The show snmp-server command is executed in the Privileged EXEC command mode. Table 37 "show snmp-server command parameters and variables" (page 79) describes the parameters and variables for the show snmp-server command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your system Table 37 show snmp-server command parameters and variables Parameters and variables community|host| user|view Description Displays SNMPv3 configuration information:
79
community strings as configured in SNMPv3 MIBs (this parameter is not displayed when Password Security is enabled) trap receivers as configured in SNMPv3 MIBs SNMPv3 users, including views accessible to each user SNMPv3 views
The snmp-server bootstrap command is executed in the Global Conguration command mode. Table 38 "snmp-server bootstrap command parameters and variables" (page 79) describes the parameters and variables for the snmp-server bootstrap command.
Table 38 snmp-server bootstrap command parameters and variables Parameters and variables <minimum-secure> Description Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Specifies a partial security configuration that allows read access to a small subset of system information using noAuthNoPriv, and read and write access to everything using authNoPriv. Specifies a maximum security configuration that allows no access.
<very-secure>
The show mac-security command is executed in the Privileged EXEC command mode. Table 39 "show mac-security command parameters and variables" (page 81) describes the parameters and variables for the show mac-security command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your network Table 39 show mac-security command parameters and variables Parameters and variables config mac-address-t able [address <macaddr>] Description Displays the general BaySecure configuration. Displays contents of the BaySecure table of allowed MAC addresses:
81
address specifies a single MAC address to display; enter the MAC address.
Displays the BaySecure status of all ports. Displays the port membership of all security lists. Displays MAC DA filtering addresses.
Figure 10 "show mac-security command output" (page 81) shows sample output from the show mac-security command.
Figure 10 show mac-security command output
mac-security command
The mac-security command modies the BaySecure conguration. The syntax for the mac-security command is:
mac-security [disable|enable] [filtering {enable|disable}] [intrusion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [learning-ports <portlist>] [learning {enable |disable}]|mac-address-table|mac-da-filter|security list [snmp-lock {enable|disable}] [snmp-trap {enable|disable}]
The mac-security command is executed in the Global Conguration command mode. Table 40 "mac-security command parameters and values" (page 82) describes the parameters and variables for the mac-security command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
82 Conguring Security using the CLI Table 40 mac-security command parameters and variables Parameters and variables disable|enable filtering {enable|disable} intrusion-detect {enable|disable| forever} Description Disables or enables MAC address-based security. Enables or disables destination address (DA) filtering when an intrusion is detected. Specifies the partitioning of a port when an intrusion is detected:
enable port is partitioned for a period of time. disabled port is not partitioned on detection. forever port is partitioned until manually changed.
Specifies, in seconds, length of time a port is partitioned when an intrusion is detected; enter the number of seconds to specify. Specifies MAC address learning:
ATTENTION
The MAC address learning enable command must be executed to specify learning ports.
learning-ports <portlist>
Specifies MAC address learning. Learned addresses are added to the table of allowed MAC addresses. Enter the ports you want to learn; this can be a single port, a range of ports, several ranges, all, or none. Adds addresses to the MAC security address table. Adds or deletes MAC DA filtering addresses. Modifies security list port membership.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
83
Description Enables or disables a lock on SNMP write-access to the BaySecure MIBs. Enables or disables trap generation when an intrusion is detected.
ATTENTION
In this command, portlist must specify only a single port.
The mac-security mac-address-table address command is executed in the Global Conguration command mode. Table 41 "mac-security mac-address-table address parameters and values" (page 83) describes the parameters and variables for the mac-security mac-address-table address command.
Table 41 mac-security mac-address-table address parameters and variables Parameters and variables <H.H.H> port <portlist >|security-list <1-32> Description Enter the MAC address in the form of H.H.H. Enter the port number or the security list number.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The mac-security security-list command is executed in the Global Conguration command mode. Table 42 "mac-security security-list command parameters and values" (page 84) describes the parameters and variables for the mac-security security-list command.
Table 42 mac-security security-list command parameters and variables Parameters and variables <1-32> <portlist> Description Enter the number of the security list that you want to use. Enter a list or range of port numbers.
no mac-security command
The no mac-security command disables MAC source address-based security. The syntax for the no mac-security command is:
no mac-security
The no mac-security command is executed in the Global Conguration command mode. The no mac-security command has no parameters or values.
The no mac-security mac-address-table command is executed in the Global Conguration command mode. Table 43 "no mac-security mac-address-table command parameters and variables" (page 84) describes the parameters and variables for the no mac-security mac-address-table command.
Table 43 no mac-security mac-address-table command parameters and variables Parameters and variables address <H.H.H> Description Enter the MAC address in the form of H.H.H.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
85
Description Enter a list or range of port numbers. Enter the security list number.
The no mac-security security-list command is executed in the Global Conguration command mode. Table 44 "no mac-security security-list command parameters and variables" (page 85) describes the parameters and variables for the no mac-security security-list command.
Table 44 no mac-security security-list command parameters and variables Parameters and variables <1-32> Description Enter the number of the security list that you want to clear.
The mac-security command for specic ports is executed in the Interface Conguration command mode Table 45 "mac-security command for a single port parameters and variables" (page 86) describes the parameters and variables for the mac-security command for specic ports.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
86 Conguring Security using the CLI Table 45 mac-security command for a single port parameters and variables Parameters and variables port <portlist> disable|enable|learnin g Description Enter the port numbers. Directs the specific port:
disable disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed enable enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed learning disables BaySecure on the specified port and adds these port to the list of ports for which MAC address learning is performed
The mac-security mac-da-filter command is executed in the Global Conguration command mode. Table 46 "mac-security mac-da-lter command parameters and values" (page 86) describes the parameters and variables for the mac-security mac-da-filter command.
Table 46 mac-security mac-da-lter command parameters and values Parameters and variables {add|delete} <H.H.H> Description Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
87
ATTENTION
Ensure that you do not enter the MAC address of the management unit.
The show eapol command is executed in the Privileged EXEC command mode. Figure 11 "show eapol command output" (page 88) displays sample output from the show eapol command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
88 Conguring Security using the CLI Figure 11 show eapol command output
Table 47 "show eapol command output parameters and variables" (page 88) describes the parameters and variables for the show eapol command output.
Table 47 show eapol command output parameters and variables Parameters and variables Port Description Specifies the port on which to change EAPOL settings Specifies the EAP status of the port: Administrative Status Auth Force Unauthorized - Port is always unauthorized Auto - Port authorization status depends on the result of the EAP authentication Force Authorized - Port is always authorized
Displays the current EAPOL authorization status for the port Yes - Authorized No - Unauthorized
This field only specifies the authorization status of the port for EAPoL users and not for NonEAPoL users. Use the show eapol multihost non-eap status command for Non-EAPoL users.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
89
Description Specifies whether EAPOL authentication is set for incoming and outgoing traffic (Both) or for incoming traffic only (In). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked. Specifies the current operational value for the traffic control direction for the port. Enables or disables re-authentication Specifies the time interval between successive re-authentications; the range is <1-604800> Specifies the time interval between authentication failure and start of new authentication; the range is <0-65535> Specifies a waiting period for response from supplicant for EAP Request or Identity packets; the range is <1-65535> Specifies a waiting period for response from supplicant for all EAP packets; the range is <1-65535> Specifies the time to wait for response from RADIUS server; the range is <1-65535> Specifies the number of times to retry sending packets to supplicant; the range is <1-10>
Oper Dir Re-authentication Re-authentication Period Quite Period Transmit Period Supplicant Timeout
The show eapol auth-diags interface command is executed in the Privileged EXEC command mode. Figure 12 "show eapol auth-diags interface command output" (page 90) displays sample output from the show eapol auth-diags interface command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
90 Conguring Security using the CLI Figure 12 show eapol auth-diags interface command output
The show eapol auth-stats interface command is executed in the Privileged EXEC command mode. Figure 13 "show eapol auth-stats interface command output" (page 90) displays sample output from the show eapol auth-stats interface command.
Figure 13 show eapol auth-stats interface command output
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
91
eapol command
The eapol command enables or disables EAPOL-based security. The syntax of the eapol command is:
eapol {disable|enable}
The eapol command is executed in the Global Conguration command mode. Table 48 "eapol command parameters and variables" (page 91) describes the parameters and variables for the eapol command.
Table 48 eapol command parameters and variables Parameters and variables disable|enable Description Disables or enables EAPOL-based security.
The eapol command for modifying parameters is executed in the Interface Conguration command mode. Table 49 "eapol command for modifying parameters and variables" (page 91) describes the parameters and variables for the eapol command for modifying parameters.
Table 49 eapol command for modifying parameters and variables Parameters and variables port <portllist> Description Specifies the ports to configure for EAPOL; enter the port numbers you want to use.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description
ATTENTION
If you omit this parameter, the system uses the port number that you specified when you issued the interface command.
authorized Port is always authorized. unauthorized Port is always unauthorized. auto Port authorization status depends on the result of the EAP authentication.
traffic-control in-outIin
in-out If EAP authentication fails, both ingressing and egressing traffic are blocked. in If EAP authentication fails, only ingressing traffic is blocked.
Enables or disables reauthentication. Enter the number of seconds that you want between re-authentication attempts. Use either this variable or the reauthentication-interval variable; do not use both variables because they control the same setting. Specifies an immediate reauthentication. Enter the number of seconds that you want between an authentication failure and the start of a new authentication attempt; the range is 1 to 65535. Specifies a waiting period for response from supplicant for EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
93
Description Specifies a waiting period for response from supplicant for all EAP packets, except EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535. Specifies a waiting period for response from the server. Enter the number of seconds that you want to wait; the range is 1-65535. Enter the number of times to retry sending packets to supplicant.
The eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. Table 50 "eapol guest-vlan command parameters and variables" (page 93) describes the parameters and variables for the eapol guest-vlan command.
Table 50 eapol guest-vlan command parameters and variables Parameters and variables <vid> enable Description Guest VLAN ID. Enable Guest VLAN.
The no eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The default eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. The default eapol guest-vlan command has no parameters or variables.
The show eapol guest-vlan command is executed in the Global Conguration command mode and Interface Conguration command mode. The show eapol guest-vlan command has no parameters or variables. Figure 14 "show eapol guest-vlan command output" (page 94) displays sample output from the eapol guest-vlan command.
Figure 14 show eapol guest-vlan command output
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
95
This command is executed in the Global Conguration command mode. "eapol multihost parameters and variables" (page 95) describes the parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable use-radius-assigned-vlan non-eap-pwd-fmt { [ip-addr] [mac-addr] [port-number] } Description Enables MAC addresses of non-EAP clients. Enables auto-authentication of non-EAP clients in MHSA mode Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Sets bits in RADIUS non-EAPOL password format
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
"no eapol multihost parameters" (page 96) describes the parameters and variables for theno eapol multihost command.
no eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable use-radius-assigned-vlan non-eap-pwd-fmt { [ip-addr] [mac-addr] [portnumber] } Description Disables control of non-EAP clients (MAC addresses) Disables auto-authentication of non-EAP clients in MHSA mode Disables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Clears bits from RADIUS non-EAPOL password format
default eapol multihost command The default eapol multihost command sets the EAPoL multihost feature to default. This command is executed in the global conguration mode. The syntax for the default eapol multihost command is:
default eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhsa-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}] }
"default eapol multihost parameters" (page 96) describes the parameters and variables for thedefault eapol multihost command.
default eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable radius-non-eap-enable Description Resets control of non-EAP clients (MAC addresses) Disables auto-authentication of non-EAP clients in MHSA mode Disables Radius authentication of non-EAP clients
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
97
Description Allows use of Radius-assigned VLAN value Restores default format for RADIUS non-EAPOL password attribute
eapol multihost command for a port The eapol multihost command controls the multihost settings for a specic port or for all ports on an interface. This command is executed in the Interface Conguration mode. The syntax for the eapol multihost command is:
eapol multihost [allow-non-eap-enable][auto-non-eap-mhsa-e nable][eap-mac-max {<1-32>}][enable][non-eap-map-max{<1-32 >}][radius-non-eap-enable][use-radius-assigned-vlan][port {<portlist>}][non-eap-mac {H.H.H | port}]
"eapol multihost parameters and variables" (page 97) describes the parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables Parameters and variables allow-non-eap-enable auto-non-eap-mhsa-enable eap-mac-max {<1-32>} Description Enables MAC addresses of non-EAP clients. Enables auto-authentication of non-EAP clients in MHSA mode Specifies the maximum number of EAP-authenticated MAC addresses allowed Allows EAP clients (MAC addresses) Specifies the maximum number of non-EAP authenticated MAC addresses allowed Displays port number on which to apply EAPOL multihost settings Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Allows non-EAPoL MAC address
enable non-eap-mac-max
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
no eapol multihost command for a port The no eapol multihost command disables the EAPOL multihost settings for a specic port or for all ports on an interface. This command is executed in the Interface conguration mode. The syntax for the no eapol multihost command is:
no eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsaenable][enable][port][radius-non-eap-enable][use-radius-assi gned-vlan][non-eap-mac {H.H.H | port}]
"no eapol multihost parameters and variables" (page 98) describes the parameters and variables for the no eapol multihost command.
no eapol multihost command parameters and variables Parameter and Variables allow-non-eap-enable auto-non-eap-mhsa-enable enable port radius-non-eap-enable use-radius-assigned-vlan non-eap-mac {H.H.H | port} non-eap-mac-max {<1-32>} Description Disables MAC addresses of non-EAP clients. Disables auto-authentication of non-EAP clients in MHSA mode Disallows EAP clients (MAC addresses) Displays port number on which to apply EAPOL multihost settings Disables Radius authentication of non-EAP clients Disallows use of Radius-assigned VLAN value Allows non-EAPoL MAC address Specifies the maximum number of non-EAP authenticated MAC addresses allowed
default eapol multihost command for a port The default eapol multihost command sets the multihost settings for a specic port or for all the ports on an interface to default. This command is executed in the Interface conguration mode. The syntax for the default eapol multihost command is:
default eapol multihost [allow-non-eap-enable] [auto-non-e ap-mhsa-enable] [eap-mac-max {<1-32>}][enable] [non-eap-ma p-max{<1-32>}] [port {<portlist>}][radius-non-eap-enable] [use-radius-assigned-vlan][non-eap-mac {H.H.H | port}]
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
99
"default eapol multihost parameters" (page 99) describes the parameters and variables for the default eapol multihost command.
default eapol multihost command parameters and variables Parameter and Variables allow-non-eap-enable auto-non-eap-mhsa-enable eap-mac-max <1-32> Description Resets control of non-EAP clients (MAC addresses) to default Disables auto-authentication of non-EAP clients Resets maximum number of EAP-authenticated MAC addresses allowed to default Resets control of whether EAP Clients (MAC addresses) are allowed to default Resets maximum number of non-EAP authenticated MAC addresses allowed to default Displays port number on which to disable EAPOL Enables Radius authentication of non-EAP clients Allows use of RADIUS-assigned VLAN values Resets the non-EAP MAC addresses to default
eapol multihost non-eap-mac command The eapol multihost non-eap-mac command congures the MAC addresses of non-EAPOL hosts on a specic port or on all ports on an interface. This command is executed in the Interface conguration mode. The syntax for the eapol multihost non-eap-maccommand is:
eapol multihost non-eap-mac [port<portlist>] <H.H.H>
"eapol multihost non-eap-mac command parameters and variables" (page 100) describes the parameters and variables for theeapol multihost non-eap-mac command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
100 Conguring Security using the CLI eapol multihost non-eap-mac command parameters and variables Parameter and Variables port H.H.H Description Port on which to apply EAPOL settings MAC address of the allowed non-EAPOL host
show eapol multihost command The show eapol multihostcommand displays global settings for non-EAPOL hosts on EAPOL-enabled ports. This command is executed in the privExec, Global, and Interface conguration mode. The syntax for the show eapol multihost command is:
show eapol multihost
"show eapol multihost command parameters and variables" (page 100) describes the parameters and variables for the show eapol multihost command.
show eapol multihost command parameters and variables Parameters and variables interface non-eap-mac status Description Displays EAPOL multihost port configuration Displays allowed non-EAPoL MACaddress Displays EAPOL multihost port status
"show eapol multihost command output" (page 100) displays sample output from the show eapol multihost command:
show eapol multihost command output
show eapol multihost interface command The show eapol multihost interface command displays non-EAPOL support settings for each port.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
101
This command is executed in the privExec, Global, and Interface conguration mode. The syntax for the show eapol multihost interfacecommand is:
show eapol multihost interface [<portList>]
"show eapol multihost interface parameters and variables" (page 101) describes the parameters and variables for the show eapol multihost interface command.
show eapol multihost interface command parameters and variables Parameter and Variables portList Description List of ports
"show eapol multihost interface command output" (page 101) displays sample output from the show eapol multihost interface command:
show eapol multihost interface command output
show eapol multihost non-eap-mac status command The show eapol multihost non-eap-mac status command displays information about non-EAPOL hosts currently active on the switch. This command is executed in the Privileged EXEC, Global, and Interface Conguration mode.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The syntax for the show eapol multihost non-eap-mac status command is:
show eapol multihost non-eap-mac status [<portList>]
"show eapol multihost non-eap-mac status command parameters and variables" (page 102) describes the parameters and variables for the show eapol multihost non-eap-mac status command.
show eapol multihost non-eap-mac status command parameters and variables Parameter and Variables portList Description List of ports
The following gure displays sample output from the show eapol multihost non-eap-mac status command:
Figure 15 show eapol multihost non-eap-mac status command output
103
By default, support for non-EAPOL hosts on EAPOL-enabled ports is disabled. Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports For local authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable local authentication of non-EAPOL hosts globally on the switch, use the following command in Global conguration mode:
eapol multihost allow-non-eap-enable
To enable local authentication of non-EAPOL hosts for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] allow-non-eap-enable
where <portlist> is the list of ports on which you want to enable non-EAPOL hosts using local authentication. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface. To discontinue local authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface conguration modes. Enabling RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports For RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable RADIUS authentication of non-EAPOL hosts globally on the switch, use the following command in Global conguration mode:
eapol multihost radius-non-eap-enable
"eapol multihost radius-non-eap-enable command parameters and variables" (page 103) describes the parameters and variables for the eapol multihost radius-non-eap-enable command.
eapol multihost radius-non-eap-enable command parameters and variables Parameter and Variable radius-non-eap-enable Description Globally enables RADIUS authentication for non-EAPOL hosts
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
To enable RADIUS authentication of non-EAPOL hosts for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] radius-non-eap-enable
"eapol multihost radius-non-eap-enable command: Interface mode" (page 104) describes the parameters and variables for the eapol multihost radius-non-eap-enable command: Interface mode command.
eapol multihost radius-non-eap-enable command: Interface mode parameters and variables Parameters and Variables portlist Description Specifies the port or ports on which you want RADIUS authentication enabled. You can enter a single port, several ports or a range of ports. If you do not specify a port parameter, the command enables RADIUS authentication of non-EAP hosts on all ports on the interface. Enables RADIUS authentication on the desired interface or on a specific port, for non-EAPOL hosts.
radius-non-eap-enable
The default for this feature is disabled. To discontinue RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface conguration modes. Conguring the format of the RADIUS password attribute when authenticating non-EAP MAC addresses using RADIUS To congure the format of the RADIUS password when authenticating non-EAP MAC addresses using RADIUS, use the following command in the Global conguration mode:
eapol multihost non-eap-pwd-fmt
"eapol multihost non-eap-pwd-fmt command parameters and variables" (page 105) describes the parameters and variables for the eapol multihost non-eap-pwd-fmt command.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Securing your network eapol multihost non-eap-pwd-fmt command parameters and variables Parameter ip-addr mac-addr port-number Description
105
Specifies the IP address of the non-EAP client. Specifies the MAC address of the non-EAP client. Specifies the port number for which you want the RADIUS password attribute configured.
To discontinue conguration of the RADIUS password attribute format, use the no or default keywords at the start of the commands, in the Global conguration mode. Specifying the maximum number of non-EAPOL hosts allowed To congure the maximum number of non-EAPOL hosts allowed for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>] non-eap-mac-max <value>
where <portlist> is the list of ports to which you want the setting to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command sets the value for all ports on the interface. <value> is an integer in the range 132 that species the maximum number of non-EAPOL clients allowed on the port at any one time. The default is 1.
ATTENTION
The congurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
Creating the allowed non-EAPOL MAC address list To specify the MAC addresses of non-EAPOL hosts allowed on a specic port or on all ports on an interface, for local authentication, use the following command in Interface conguration mode:
eapol multihost non-eap-mac [port <portlist>] <H.H.H>
where <portlist> is the list of ports on which you want to allow the specied non-EAPOL hosts. You can enter a single port, a range of ports, several
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface. <H.H.H> is the MAC address of the allowed non-EAPOL host. Viewing non-EAPOL host settings and activity Various show commands allow you to view: global settings (see "Viewing global settings for non-EAPOL hosts" (page 106)) port settings (see "Viewing port settings for non-EAPOL hosts" (page 106)"Viewing port settings for non-EAPOL hosts" (page 106)) allowed MAC addresses, for local authentication (see "Viewing allowed MAC addresses" (page 106)) current non-EAPOL hosts active on the switch (see "Viewing current non-EAPOL host activity" (page 107)) status in the Privilege Exec mode (see "show eapol multihost status command" (page 107))
Viewing global settings for non-EAPOL hosts To view global settings for non-EAPOL hosts on EAPOL-enabled ports, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost
The display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled. Viewing port settings for non-EAPOL hosts To view non-EAPOL support settings for each port, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost interface [<portlist>]
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. For each port, the display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled, and the maximum number of non-EAPOL clients allowed at a time. Viewing allowed MAC addresses To view the MAC addresses of non-EAPOL hosts allowed to access ports on an interface, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
107
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. The display lists the ports and the associated allowed MAC addresses. Viewing current non-EAPOL host activity To view information about non-EAPOL hosts currently active on the switch, use the following command in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost non-eap-mac status [<portlist>]
where <portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports. show eapol multihost status command The show eapol multihost status command displays the multihost status of eapol clients on EAPOL-enabled ports. The syntax for the show eapol multihost status command is:
show eapol multihost status [<interface-type>] [<interface-i d>]
"show eapol multihost status command parameters and variables" (page 107)"show eapol multihost status command parameters and variables" (page 107) describes the parameters and variables for theshow eapol multihost status command.
show eapol multihost status command parameters and variables Parameter interface-id interface-type Description Displays the interface ID Displays the type of interface used
The show eapol multihost status command is executed in the Privileged EXEC command mode. Conguring MultiHost Single-Autentication (MHSA) To congure MHSA support, do the following: 1. Enable MHSA globally on the switch (see "Globally enabling support for MHSA" (page 108)).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
2. Congure MHSA settings for the interface or for specic ports on the interface (see "Conguring interface and port settings for MHSA" (page 108)): a. Enable MHSA support. b. Specify the maximum number of non-EAPOL MAC addresses allowed. By default, MHSA support on EAP-enabled ports is disabled. Globally enabling support for MHSA To enable support for MHSA globally on the switch, use the following command in Global conguration mode:
eapol multihost auto-non-eap-mhsa-enable
To discontinue support for MHSA globally on the switch, use one of the following commands in Global conguration mode:
no eapol multihost auto-non-eap-mhsa-enable default eapol multihost auto-non-eap-mhsa-enable
Conguring interface and port settings for MHSA To congure MHSA settings for a specic port or for all ports on an interface, use the following command in Interface conguration mode:
eapol multihost [port <portlist>]
where <portlist> is the list of ports to which you want the settings to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies the settings to all ports on the interface. This command includes the following parameters for conguring MHSA:
eapol multihost [port <portlist> followed by: auto-non-eap-mhsa-enable Enables MHSA on the port. The default is disabled. To disable MHSA, use the no or default keywords at the start of the command. Sets the maximum number of non-EAPOL clients allowed on the port at any one time. <value> is an integer in the range 1 to 32. The default is 1.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
non-eap-mac-max <value>
109
ATTENTION
The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
Viewing MHSA settings and activity For information about the commands to view MHSA settings and non-EAPOL host activity, see "Viewing non-EAPOL host settings and activity" (page 106).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
EAPOL tab
The EAPOL tab lets you set and view EAPOL security information for the switch. To view the EAPOL tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security dialog box appears with the EAPOL tab displayed. The following gure displays the EAPOL tab. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
111
General tab
The General tab lets you set and view general security information for the switch. To view the General tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security dialog box appears with the EAPOL tab displayed . 2 Click the General tab. The General tab appears. The following gure displays the General tab.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
End
other notlocked
AuthCtlPartTime
This value indicates the duration of the time for port partitioning in seconds. The default is zero. When the value is zero, the port remains partitioned until it is manually enabled. Indicates whether or not the switch security feature is enabled.
SSecurityStatus
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
113
Field SecurityMode
macList: Indicates that the switch is in the MAC-list mode. You can configure more than one MAC address per port. autoLearn: Indicates that the switch learns the first MAC address on each port as an allowed address of that port.
SecurityAction
Actions performed by the software when a violation occurs (when SecurityStatus is enabled). The security action specified here applies to all ports of the switch. A blocked address causes the port to be partitioned when unauthorized access is attempted. Selections include: noAction: Port does not have any security assigned to it, or the security feature is turned off. trap: Listed trap. partitionPort: Port is partitioned. partitionPortAndsendTrap: Port is partitioned, and traps are sent to the trap receiver. daFiltering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. daFilteringAndsendTrap: Port filters out the frames where the desitnation address field is the MAC address of unauthorized station. Traps are sent to trap receivers. partitionPortAnddaFiltering: Port is partitioned and filters out the frames with the destination address field is the MAC address of unauthorized station. partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Current number of entries of the nodes allowed in the AuthConfig tab. Maximum number of entries of the nodes allowed in the AuthConfig tab. Set of ports for which security is enabled. Set of ports where autolearning is enabled. Current number of entries of the Security listed in the SecurityList tab. Maximum entries of the Security listed in the SecurityList tab.
SecurityList tab
The SecurityList tab contains a list of Security port elds. To view the SecurityList tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the SecurityList tab. The SecurityList tab appears. The following gure displays the SecurityList tab.
Figure 18 SecurityList tab
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Table 52 SecurityList tab elds Field SecurityListIndx SecurityListMembers Description
115
An index of the security list. This corresponds to the SecurityList field into AuthConfig tab. The set of ports that are currently members in the Port list.
4 5 6
To add ports to the security list, in the SecurityListMembers eld, click the ellipsis (...). The SecurityListMembers dialog box appears. Select the ports to include in the SecurityList, and click OK. Click Insert. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
"Security, Insert AuthCong dialog box elds" (page 118) describes the Security, Insert SecurityList dialog box elds.
Table 53 Security, Insert SecurityList dialog box elds Field SecurityListIndx Description An index of the security list. This corresponds to the Security port list that can be used as an index into AuthConfig tab. The set of ports that are currently members in the Port list.
SecurityListMembers
AuthCong tab
The AuthCong tab contains a list of boards, ports, and MAC addresses that have the security conguration. An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU. Otherwise, the GENERR return-value is returned. To view the AuthCong tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed (EAPOL tab). 2 Click the AuthCong tab. The AuthCong tab appears AuthCong tab .
Figure 20 AuthCong tab
End
"AuthCong tab elds" (page 116) describes the AuthCong tab elds.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Table 54 AuthCong tab elds Field BrdIndx Description
117
Index of the slot that contains the board on which the port is located. If you specify SecureList, this field must be zero. Index of the port on the board. If you specify SecureList, this field must be zero. An index of MAC addresses that are designated as allowed (station). Displays the node entry as node allowed. A MAC address can be allowed on multiple ports. The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero. The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
118 Conguring Security using the CLI Figure 21 Security, Insert AuthCong dialog box
Complete the elds as required and click Insert. The new entry appears in theAuthCong tab End
PortIndx
MACIndx AccessCtrlType
SecureList
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
119
AuthStatus tab
The AuthStatus tab displays information about the authorized boards and port status data collection. This information includes actions to be performed when an unauthorized station is detected, and the current security status of a port. Entries in this tab can include: a single MAC address all MAC addresses on a single port a single port all the ports on a single board a particular port on all the boards all the ports on all the boards
To view the AuthStatus tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the AuthStatus tab. The AuthStatus tab appears. The following gure displays the AuthStatus tab.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
End
AuthStatusPortIndx
AuthStatusMACIndx
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
121
Description Displays whether the node entry is the node allowed or node blocked type. A value representing the type of information contained, including: noAction: Port does not have any security assigned to it, or the security feature is turned off. partitionPort: Port is partitioned. partitionPortAndsendTrap: Port is partitioned and traps are sent to the trap receiver. Filtering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. FilteringAndsendTrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receiver. sendTrap: A trap is sent to the trap receiver(s). partitionPortAnddaFiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receiver(s).
CurrentPortSecur Status
If the port is disabled, notApplicable is returned. If the port is in a normal state, portSecure is returned. If the port is partitioned, portPartition is returned.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
AuthViolation tab
The AuthViolation tab contains a list of boards and ports on which network access violations have occurred, and also the identity of the offending MAC addresses. To view the AuthViolation tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security. The Security window appears with the EAPOL tab displayed. 2 Click the AuthViolation tab. The AuthViolation tab appears. The following gure displays the AuthViolation tab.
Figure 23 AuthViolation tab
End
SSH tab
The SSH tab displays the parameters available for SSH. To view the SSH tab, use the following procedure: Step 1 Action From the Device Manager menu bar, select Edit > Security.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
123
The Security window appears with the EAPOL tab displayed. 2 Click the SSH tab. The SSH tab appears. The following gure displays the SSH tab.
Figure 24 SSH tab
End
"SSH tab elds" (page 123) describes the SSH tab elds.
Table 57 SSH tab elds Field Enable Description Enables, disables, or securely enables SSH. Securely enable turns off other daemon flag, and it takes effect after a reboot. Indicates the SSH version. Indicates the SSH connection port. Indicates the SSH connection timeout in seconds. Indicates the SSH key action. Enables or disables the SSH DSA authentication. Enables or disables the SSH RSA authentication.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Field DsaHostKeyStatus
Description Indicates the current status of the SSH DSA host key: notGenerated: DSA host key has not yet been generated. generated: DSA host key is generated. generating: DSA host key is currently being generated.
Indicates the current server IP address. Indicates the name of the file for the TFTP transfer. Indicates the SSH public keys that are set to initiate a TFTP download. Indicates the retrieved value of the TFTP transfer.
End
"SSH Sessions tab elds" (page 124) describes the SSH Sessions tab elds.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Table 58 SSH Sessions tab elds Field SSHSessionsIP Description Lists the currently active SSH sessions.
125
End
Table 59 "Radius Server tab elds" (page 126) describes the Radius Server tab elds.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
126 Conguring Security using the CLI Table 59 Radius Server tab elds Field Addresstype PrimaryRadiusServer Description Specifies the type of IP address used by the Radius server. IPv4 is currently the only available option. Specifies the IP address of the primary server (default: 0.0.0.0).
ATTENTION
If there is no primary Radius server, set the value of this field to 0.0.0.0 . SecondaryRadiusServer Specifies the IP address of the secondary Radius server (default: 0.0.0.0). The secondary Radius server is used only if the primary server is unavailable or unreachable. Specifies the UDP port the client is using to send requests to this server. Specifies the time interval in seconds before the client retransmit the packet to RADIUS server Specifies the value of the shared secret key.
ATTENTION
The shared secret key has a maximum of 16 characters. ConfirmedSharedSecret(K ey) Confirms the value of the shared secret key specified in the SharedSecret(Key) field. This field usually does not display anything (just a blank field). It is used when user is changing the SharedSecret(key) field. User usually need to enter twice to confirm the string already being entered in the SharedSecret(Key).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
127
The Port dialog box appears with the Interface tab displayed. 3 Click the EAPOL tab. The EAPOL tab appears.
Figure 27 EAPOL tab for a port
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
End
"EAPOL tab elds for a port" (page 128) describes the EAPOL tab elds for ports.
Table 60 EAPOL tab elds for a port Field PortProtocolVersion PortCapabilities PortInitialize PortReauthenticateNow Description The EAP Protocol version that is running on this port. The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable. Enables and disables EAPOL authentication for the specified port. Activates EAPOL authentication for the specified port immediately, without waiting for the Re-Authentication Period to expire. Displays the EAPOL authorization status for the switch: BackendAuthState AdminControlled Directions Force Authorized: The authorization status is always authorized. Force Unauthorized: The authorization status is always unauthorized. Auto: The authorization status depends on the EAP authentication results.
PaeState
The current state of the Backend Authentication state for the switch. Specifies whether EAPOL authentication is set for incoming and outgoing traffic (both) or for incoming traffic only (in). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked. A read-only field that indicates the current operational value for the traffic control direction for the port (see the preceding field description). Displays the current EAPOL authorization status for the port: authorized unauthorized
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
129
Description Specifies the EAPOL authorization status for the port: Force Authorized: The authorization status is always authorized. Force Unauthorized: The authorization status is always unauthorized. Auto: The authorization status depends on the EAP authentication results.
QuietPeriod
The current value of the time interval between any single EAPOL authentication failure and the start of a new EAPOL authentication attempt. Time to wait for response from supplicant for EAP requests/Identity packets. Time to wait for response from supplicant for all EAP packets, except EAP Request/Identity. Time to wait for a response from the RADIUS server for all EAP packets. The number of times the switch attempts to resend EAP packets to a supplicant. Time interval between successive reauthentications. When the ReAuthenticationEnabled field (see the following field) is enabled, you can specify the time period between successive EAPOL authentications for the specified port. When enabled, the switch performs a reauthentication of the existing supplicants at the time interval specified in the ReAuthenticationPeriod field (see preceding field description). The value of the KeyTranmissionEnabled constant currently in use by the Authenticator PAE state of the switch. This always returns false as key transmission is irrelevant. The protocol version number carried in the most recently received EAPOL frame. The source MAC address carried in the most recently received EAPOL frame.
ReAuthentication Enabled
KeyTxEnabled
ATTENTION
The Multi Hosts and Non-EAP MAC buttons are not available when conguring multiple ports on the EAPOL Advance tab. To make use of these two options, only one port can be selected.
To view or edit the EAPOL Advance tab for ports, use the following procedure: Step 1 Action Select the ports that you want to edit. For multiple ports, press Ctrl+left-click the ports that you want to edit. A yellow outline appears around the selected ports. 2 Do one of the following: From the shortcut menu, choose Edit. From the Device Manager main menu, choose Edit > Port. On the toolbar, click Edit.
The Port dialog box appears with the Interface tab displayed. 3 Click the EAPOL Advance tab. The EAPOL Advance tab for a port appears.
Figure 28 EAPOL Advance tab for a port
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
131
Table 61 "EAPOL Advance tab elds for a port" (page 131) describes the EAPOL Advance tab elds for a port.
Table 61 EAPOL Advance tab elds for a port Field GuestVlan Enabled GuestVlanId Description Enables and disables Guest VLAN on the port. Specifies the ID of a Guest VLAN that the port is able to access while unauthorized. This value overrides the Guest VLAN ID value set for the switch in the EAPOL tab. Specifies zero when switch global guest VLAN ID is used for this port. Enables or disables EAPOL multihost on the port. Specifies the maximum number of allowed EAP clients on the port. Enables or disables non-EAPOL on the port. Specifies the maximum number of allowed non-EAPOL clients on the port. Enables or disables EAPOL Multiple Host with Single Authentication (MHSA) on the port. Enables or disables non-EAPOL RADIUS authentication on the port Enables or disables multihost RADIUS assigned Vlans on the port
MultiHostEnabled MultiHostEapMaxNumMacs MultiHostAllowNonEapClie nt MultiHostNonEapMaxNum Macs MultiHostSingleAuthEnable d MultiHostRadiusAuthNonE apClient MultiHostAllowRadiusAssig nedVlan
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Step 1
Action From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears with the Multi Host Status tab selected. The following gure displays the Multihost status tab.
Figure 29 EAPOL MultiHosts screen -- Multi Host Status tab
"EAPOL MultiHosts screen -- Multi Host Status tab" (page 132) describes the elds on this screen.
EAPOL MultiHosts screen -- Multi Host Status tab Field PortNumber ClientMACAddr PaeState BackendAuthState Reauthenticate Description The port number in use The MAC address of the client The current state of the authenticator PAE state machin The current state of the Backend Authentication state machine The value used to reauthenticate the EAPOL client
End
From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears. Select the Multi Host Session tab. The following gure displays the Multihost sessions tab.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 30 EAPOL MultiHosts screen -- Multi Host Session tab
133
"EAPOL MultiHosts screen -- Multi Host Session tab" (page 133) describes the elds on this tab.
EAPOL MultiHosts screen -- Multi Host Session tab Field PortNumber ClientMACAddr Id Description The port number in use. The MAC address of the client. A unique identifier for the session, in the form of a printable ASCII string of at least three characters. The authentication method used to establish the session. The elapsed time of the session. The cause of the session termination. The username representing the identity of the supplicant PAE.
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
with the Allowed non-EAP MAC tab selected. The following gure illustrates this tab.
Figure 31 Non-EAPOL MAC screen -- Allowed non-EAP MAC tab
"Non-EAPOL MAC screen -- Allowed non-EAP MAC tab" (page 134) describes the elds on this screen.
Non-EAPOL MAC screen -- Allowed non-EAP MAC tab Field PortNumber ClientMACAddr Description The port number in use. The MAC address of the client.
To add a MAC address to the list of allowed non-EAPOL clients: a. Click the Insert button. The Insert Allowed non-EAP MAC screen appears. The following gure illustrates this tab.
Figure 32 Insert Allowed non-EAP MAC screen
b. Enter the MAC address of the non-EAPOL client you want to add to the list. c. Click Insert. 3 To remove a MAC address from the list of allowed non-EAPOL clients: a. Select the MAC address in the ClientMACAddr column on the Allowed non-EAP MAC tab. b. Click Delete.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
135
End
Viewing non-EAPOL host support status To view the status of non-EAPOL host support on the port, do the following: Step 1 Action From the EAPOL Advance tab of the Port screen, click the Non-EAP MAC button. The Non-EAPOL MAC screen appears with the Allowed non-EAP MAC tab selected. Select the Non-EAP Status tab. The following gure illustrates this tab.
Figure 33 Non-EAPOL MAC screen -- Non-EAP Status tab
"Non-EAPOL MAC screen -- Non-EAP Status tab" (page 135) describes the elds on this screen.
Non-EAPOL MAC screen -- Non-EAP Status tab Field PortNumber ClientMACAddr Description The port number in use. The MAC address of the client. The authentication status. Possible values are: State rejected: the MAC address cannot be authenticated on this port. locallyAuthenticated: the MAC address was authenticated using the local table of allowed clients radiusPending: the MAC address is awaiting authentication by a RADIUS server radiusAuthenticated: the MAC address was authenticated by a RADIUS server
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Field
Description adacAuthenticated: the MAC address was authenticated using ADAC configuration tables mhsaAuthenticated: the MAC address was auto-authenticated on a port following a successful authentication of an EAP client
Reauthenticate
The value used to reauthenticate the MAC address of the client on the port
End
The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed. 3 Click the EAPOL Stats tab. The EAPOL Stats tab for graphing multiple ports appears. The following gure displays the Graph port dialog box EAPOL Stats tab.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 34 Graph port dialog box EAPOL Stats tab
137
End
EapolReqIdFramesTx EapolReqFramesTx
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Field InvalidEapolFramesRx
Description The number of EAPOL frames that are received by this authenticator in which the frame type is not recognized. The number of EAPOL frames that are received by this authenticator in which the packet body length field is not valid.
EapLengthError FramesRx
The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed. 3 Click the EAPOL Diag tab. The EAPOL Diag tab for graphing multiple ports appears. The following gure displays the Graph Port dialog box EAPOL Diag tab.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 35 Graph Port dialog box EAPOL Diag tab
139
End
EapLogoffsWhileConnecting
EntersAuthenticating
AuthSuccessWhile Authenticating
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Counts the number of times that the state machine transitions from authenticating to aborting, as a result of the Backend Authentication state machine indicating an authentication timeout. Counts the number of times that the state machine transitions from authenticating to held, as a result of the Backend Authentication state machine indicating an authentication failure. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of a reauthentication request. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Start message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Logoff message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticated to connecting, as a result of a reauthentication request. Counts the number of times that the state machine transitions from authenticated to connecting, as a result of an EAPOL-Start message being received from the Supplicant. Counts the number of times that the state machine transitions from authenticated to disconnected, as a result of an EAPOL-Logoff message being received from the Supplicant. Counts the number of times that the state machine sends an initial Access-Request packet to the Authentication server. Indicates that the Authenticator attempted communication with the Authentication Server. Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication server. Indicates that the Authentication Server has communication with the Authenticator.
AuthFailWhileAuthenticating
AuthReauthsWhile Authenticating
AuthEapStartsWhile Authenticating
AuthEapLogoffWhile Authenticating
AuthReauthsWhile Authenticated
AuthEapStartsWhile Authenticated
AuthEapLogoffWhile Authenticated
BackendResponses
BackendAccessChallenges
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
141
Description Counts the number of times that the state machine sends an EAP-Request packet, other than an Identity, Notification, Failure or Success message, to the Supplicant. Indicates that the Authenticator chooses an EAP-method. Counts the number of times that the state machine receives a response from the Supplicant to an initial EAP-Request, and the response is something other than EAP-NAK. Indicates that the Supplicant can respond to the EAP-method that the Authenticator chooses. Counts the number of times that the state machine receives an EAP-Success message from the Authentication Server. Indicates that the Supplicant has successfully authenticated to the Authentication Server. Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.
BackendNonNakResponses FromSupplicant
BackendAuthSuccesses
BackendAuthFails
Conguring SNMP
This section contains the following topics: "SNMP tab" (page 141) "Trap Receivers tab" (page 142) "Graphing SNMP statistics" (page 144)
SNMP tab
The SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch. To open the SNMP tab, use the following procedure: Step 1 2 Action Select the chassis. Choose Edit > Chassis. The Chassis dialog box appears with the System tab displayed. 3 Click the SNMP tab. The SNMP tab appears.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
End
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 64 SNMP tab elds Field LastUnauthenticatedIpAddress LastUnauthenticatedCommunityString TrpRcvrMaxEnt TrpRcvrCurEnt TrpRcvrNext Description The last IP address that is not authenticated by the device. The last community string that is not authenticated by the device. The maximum number of trap receiver entries. The current number of trap receiver entries. The next trap receiver entry to be created.
143
"Trap Receivers tab elds" (page 143) describes the Trap Receivers tab elds.
Table 65 Trap Receivers tab elds Field Indx Description An index of the trap receiver entry. Trap receivers are numbered from one to four. Each trap receiver has an associated community string (see the following Community field description in this table). The address (or DNS hostname) for the trap receiver. Community string used for trap messages to this trap receiver.
NetAddr Community
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
144 Conguring Security using the CLI Figure 38 Chassis, Insert Trap Receivers dialog box
2 3
Type the Index, NetAddr, and Community information. Click Insert. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 39 Graph Chassis dialog box SNMP tab
145
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 66 SNMP tab elds Field InPkts OutPkts InTotalReqVars Description The total number of messages delivered to the SNMP from the transport service. The total number of SNMP messages passed from the SNMP protocol to the transport service. The total number of MIB objects retrieved successfully by the SNMP protocol as the result of receiving valid SNMP Get-Request and Get-Next PDUs. The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set-Request PDUs. The total number of SNMP Get-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Next PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.
InTotalSetVars
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description The total number of SNMP Trap PDUs generated by the SNMP protocol. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is tooBig. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is noSuchName. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is badValue. The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is genErr. The total number of SNMP messages delivered to the SNMP protocol for an unsupported SNMP version. The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name. The total number of SNMP messages delivered to the SNMP protocol that represented an SNMP operation not allowed by the SNMP community named in the message. The total number of ASN.1 or BER errors encountered by the SNMP protocol when decoding received SNMP messages. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is tooBig. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is noSuchName. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badValue.
OutNoSuchNames
OutBadValues
OutGenErrs
InASNParseErrs
InTooBigs
InNoSuchNames
InBadValues
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
147
Field InReadOnlys
Description The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is readOnly. It is a protocol error to generate an SNMP PDU containing the value readOnly in the error-status field. This object is provided to detect incorrect implementations of the SNMP. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is genErr.
InGenErrs
The conguration parameters introduced in SNMPv3 makes it more secure and exible than the other versions of SNMP. For more information on the SNMPv3 architecture, see RFC 3411. This chapter describes the following concepts associated with SNMPv3: "Initial Login with an SNMPv3 User" (page 148) "User-based Security Model" (page 149) "View-based Access Control Model" (page 152) "Creating a community" (page 159) "Management Targets" (page 161) "The Notify Table" (page 166)
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
CAUTION
By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.
For more information on how to congure an initial SNMPv3 user by using Web-based management, see "Setting SNMP parameters" (page 58), and by using the CLI, see "Conguring SNMPv3" (page 190). To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user, use the following procedure: Step 1 2 3 4 5 6 7 Action On the Device Manager menu bar, select Device > Open. In the Device Name eld, enter the DNS name or the IP address of the switch. Select the v3 Enabled checkbox (the default Read and Write community strings are grayed out when SNMPv3 is enabled). Enter the log on name of the SNMPv3 user. From the Authentication Protocol pull-down list, select MD5, SHA, or None. If the user is congured to use an authentication protocol, enter the authentication password in the Authentication Password eld. If the user is congured to use a privacy protocol, choose the appropriate protocol from the Privacy Protocol eld (DES, AES or 3DES). In the Privacy Password eld, enter the privacy password. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
149
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
150 Conguring Security using the CLI Figure 40 USM dialog box
USM tab elds The following table describes the USM tab elds.
Table 68 USM dialog box elds Field EngineID Name SecurityName AuthProtocol PrivProtocol StorageType Description Indicates the administratively-unique identifier of the SNMP engine. Indicates the name of the user in usmUser. Creates the name that is used as an index to the table. The range is 1 to 32 characters. Identifies the authentication protocol used. Identifies the privacy protocol used. Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The USM, Insert USM Table dialog box appears. The following gure displays the USM, Insert USM Table dialog box.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 41 USM, Insert USM Table dialog box
151
3 4
Enter a name. In the Clone From User list, select a security name from which the new entry copies authentication data and privacy data. For example, Authentication Protocol, Authentication password, Privacy Protocol, and Privacy password.
ATTENTION
The Clone From User you select denes the maximum authentication and privacy settings for a new user. For example, if the Clone From User does not use an authentication or encryption protocol, users created from this clone cannot use the authentication or the encryption protocol. For this reason, it is recommended that you assign both an authentication and encryption protocol to the rst user you create through the CLI or Web interface.
From the Auth Protocol pull-down list, select an authentication protocol for this user. If you select an authentication protocol, enter an old and new authentication password in the next two elds. In the Cloned Users Auth Password eld, enter the authentication password of the Cloned From User. In the New Users Auth Password eld, enter a new authentication password for this user. Select a privacy protocol. If you choose to specify a privacy protocol, enter an old and new privacy password in the next two elds. This is optional but recommended.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
6 7 8
9 10 11
Enter the Cloned Users Priv Password. Enter a new privacy password for this user. Click Insert. The USM table appears and the new entry is shown. End
"USM Insert USM Table dialog box elds" (page 152) describes the USM, Insert USM Table dialog box elds.
Table 69 USM, Insert USM Table dialog box elds Field New User Name Description Creates the new entry with this security name. The name is used as an index to the table. The range is 1 to 32 characters. Specifies the security name from which the new entry must copy privacy and authentication parameters. The range is 1 to 32 characters. Assigns an authentication protocol (or no authentication) from a shortcut menu. If you select this protocol, enter an old AuthPass and a new AuthPass. Specifies the current authentication password. Specifies the new authentication password to use for this user. Assigns a privacy protocol (or no privacy) from a menu. Specifies the current privacy password. Specifies the new privacy password to use for this user entry. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Auth Protocol
Cloned Users Auth Password New Users Auth Password Priv Protocol (Optional) Cloned Users Priv Password New Users Priv Password Storage Type
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
153
Table 70 "View-based access control mapping" (page 153) describes the which help of to map a user to access rights and MIB views.
Table 70 View-based access control mapping Table Name Group Membership table Group Access Right table MIB View table Description Defines a set of users that can be referenced by a single group name. Associates a group with Read, Write, and Notify views. Defines a set of MIB subtrees or objects.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
VACM dialog tab elds The following table describes the Group Membership tab elds.
Table 71 Group Membership tab elds Field SecurityModel SecurityName GroupName Description The security model for the entry. The name of an entry in the USM table or the Community Table. The name of the group to which this entry belongs. When multiple entries in this table have the same GroupName, they all belong to the same group. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
StorageType
Click Insert. The VACM, Insert Group Membership dialog box appears. The following gure displays the VACM, Insert Group Membership dialog box.
3 4 5 6
Select a SecurityModel. Enter a SecurityName. Enter a GroupName. Click Insert. The VACM dialog box appears. The new group membership is shown in the list. End
155
Click the Group Access Right tab. The Group Access Right tab appears. The following gure displays the Group Access Right tab.
Figure 43 Group Access Right tab
The following table describes the Group Access Right tab elds.
Table 72 VACM dialog box Group Access Right tab elds Field vacmGroupName ContextPrefix SecurityModel Description A GroupName from the Group Membership table. The Context Prefix for this entry. By default, the field is empty. This is an optional field. The security model assigned to users in the Group Membership table. Options are SNMPv1, SNMPv2c, or USM. The security level assigned to users in the Group Membership table. Options are noAuthNoPriv, authNoPriv, or authPriv. Specifies whether to use an exact match or the context prefix for assigning the rights defined in this row to a user. The default is exact. This is an optional field. The name of the MIB View to which the user is assigned read access. The name of the MIB View to which the user is assigned write access.
SecurityLevel
ContextMatch
ReadViewName WriteViewName
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description The name of the MIB View from which the user receives notifications. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The VACM, Insert Group Access Right dialog box appears. The following gure displays the VACM, Insert Group Access Right dialog box.
Figure 44 VACM, Insert Group Access Right dialog box
4 5 6 7 8 9 10
Enter the name of a group. Enter the context prex. Select the security model. Select the security level. Enter the name of a MIB View that enables a user to read the MIB subtrees and objects. Enter the name of a MIB View that enables a user to write to the MIB subtrees and objects. Enter the name of a MIB View from which a user can receive traps or inform messages.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
157
11
Click Insert. The VACM window reappears, and the new Group Access Right entry is shown in the table. End
Subtree
Mask (Optional)
Type
StorageType
Click Insert. The VACM, Insert MIB View dialog box appears. The following gure displays VACM, Insert MIB View dialog box.
Figure 46 VACM, Insert MIB View dialog box
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
159
4 5 6
Enter a ViewName. Enter a MIB Subtree name, for example, org, iso8802, or a dotted-decimal OID string. Enter a Mask to specify wild cards in the OID string. The default is to leave this eld blank, which is the same as specifying a mask of all ones (exact match). Select whether to include or exclude this MIB subtree from the collection of all MIB objects with this same ViewName. Click Insert. The assigned MIB view appears in the list. End
7 8
Creating a community
A community table contains objects for mapping between community strings and the security name created in VACM Group Member. To create a community, use the following procedure: Step 1 Action From the Device Manager menu bar, chooseEdit > SnmpV3 > Community Table. The Community Table dialog box appears. The following gure displays the Community Table dialog box.
Figure 47 Community Table dialog box
Click Insert. The Community Table, Insert Community Table dialog box appears. The following gure displays the Community Table, Insert Community Table dialog box.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
160 Conguring Security using the CLI Figure 48 Community Table, Insert Community Table dialog box
3 4 5 6
Enter an Index. Enter Name that is a community string. Enter a SecurityName. Click Insert. The new community is shown in the list. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
161
Field ContextEngineID
Description The contextEngineID that indicates the location of the context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. The default value is the snmpEngineID of the entity in which this object is instantiated. The context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. This object specifies a set of transport endpoints that are associated a community string. The community string is only valid when found in an SNMPv1 or SNMPv2c message received from one of these transport endpoints, or when used in an SNMPv1 or SNMPv2c message that is sent to one of these transport endpoints. The storage type for this conceptual row in the snmpCommunityTable. Conceptual rows that have the value permanent do not allow write-access to any columnar object in the row.
ContextName
TransportTag
StorageType
Management Targets
The concept of the SNMPv3 management target is similar to trap receivers in SNMPv1 and SNMPv2c. Management targets are dened with the help of three tables.
Notify table
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Target Address Table elds The following table describes the Target Address Table elds.
Table 76 Target Address Table elds Field Name TDomain TAddress Timeout Description Specifies the name for this target table entry. Specifies the domain of the management target. The default is snmpUDPDomain. Specifies the IP address and destination UDP port for this management target, for example, 10.0.4.27:162. Specifies the length of the time to wait in 1/100th of a second, for an acknowledgement from this management target before declaring the message as timed-out. The default is 1500 milliseconds. Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.
RetryCount
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
163
Field Taglist
Description Refers to zero or more Notify tags that are used to link this entry with entries in the Notify table. By default, you can enter either traporinform without having to create new entries in the Notification table. Specifies the entry in the Target Parameter table which is associated with this Management Target Address. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Params
StorageType
Click Insert. The Target Table, Insert Target Address Table dialog box appears. The following gure displays the Target Table, Insert Target Address Table dialog box.
Figure 50 Target Table, Insert Target Address Table dialog box
3 4 5 6 7
Enter a Name. Enter a TDomain name. Enter the IP address and UDP port number for this management target, for example, 10.0.4.27:162. Accept or modify the default values in the TimeOut and RetryCount elds. In the Taglist eld, enter the name of the tags (trap or inform), separated by a comma if more than one tag is entered. For more details, see Table 78 "Notify Table dialog box elds" (page 166).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
8 9
In the Params eld, enter the name of an entry in the Target Param table. Click Insert. The new Target address is shown in the list. End
Click Insert. The Target Table, Insert Target Params Table dialog box appears. The following gure displays the Target Table, Insert Target Params Table dialog box.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring Security using Device Manager Figure 52 Target Table, Insert Target Params Table dialog box
165
4 5 6 7 8 9 10
Enter a Name for this set of parameters. Select the MPModel. Select the SecurityModel. Enter a SecurityName. Specify a SecurityLevel value. Enter the StorageType. Click Insert. The new target parameter is shown in the list. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description Specifies the security level for SNMP messages: noAuthnoPriv, authnoPriv, or authPriv. Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it doesl not persist if the switch loses power.
The following table describes the Notify Table dialog box elds.
Table 78 Notify Table dialog box elds Field Name Tag Description A name or index value for this row in the table. A single tag value that is used to associate this entry with an entry in the Target Address Table.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
167
Field Type
Description This selection specifies the type of notification sent to a management target address. If the value is trap, sent messages contain SNMPv2-Trap PDUs. If the value is inform, messages contains Inform PDUs.
ATTENTION
If an SNMP entity only supports trap (and not inform) messages, this object can be read-only.
StorageType
Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
Click Insert. The Notify Table, Insert dialog box appears . The following gure displays the Notify Table, Insert dialog box.
Figure 54 Notify Table, Insert dialog box
3 4 5 6 7
Enter a Name for this table row. Enter a Tag name which connects this entry to one or more Target Address table entries. Specify the Type of message Protocol Data Units (PDUs) to send to an associated Management Target Address: trap or inform. Specify the StorageType. Click Insert. The new notify entry is shown in the list.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
169
ATTENTION
When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more information, see "Setting the username and password" (page 35).
To set Console, Telnet, and Web passwords, use the following procedure:
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Step 1 2
Action From the main menu, choose Administration > Security. Choose Console, Telnet, Web, or RADIUS as required. The selected password page appears .
Click Submit.
ATTENTION
The title of the page corresponds to the menu selection you choose. In , the network administrator selected Administration > Security > Console. Figure 55 Console password setting page
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring system security 171 Table 79 Console page elds Section Fields Setting Description
ATTENTION
Console, Telnet, and Web connections share the same switch password type and password. These connections also share the same stack password type and password.
ATTENTION
The default is None.
1..15
Type the read-only password setting for the read-only access user. Type the read-write password setting for the read-write access user. Displays the switch password types.
1..15
None
ATTENTION
The default is None. Read-only Stack Password 1..15 Type the read-only password setting for the read-only access user. Type the read-write password setting for the read-write access user.
1..15
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Choose the type of password. The following table describes the options available in the Console Switch Password Type list box.
Table 80 Password Types Password Type None Local Password Description Indicates that no password is required for this type of access. Sets a password for access through a direct network connection or a direct Console port connection. Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page.
5 6
Type the password for read-only and read/write user access. Click Submit to save the changes. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
2 3 4 5
Type the IP addresses of the primary and secondary RADIUS (Remote Authentication Dial In User Services) servers. Type the number of the User Datagram Protocol (UDP) port for the RADIUS server. The default value is 1645. Type the number of seconds for the RADIUS timeout period. The range is 1 to 60 seconds. Type a character string for the RADIUS Shared Secret. This parameter is a special switch security code that provides authentication to the RADIUS server. The value can be any contiguous ASCII string that contains at least one printable character, up to a maximum of 16. Reenter the character string to conrm the RADIUS Shared Secret. Click Submit. End
6 7
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
174 Conguring Security using web-based management Figure 57 Web-based management interface log on page
To log on to the Web-based management interface, use the following procedure: Step 1 Action In the Username text box, type a valid username (default values are RO [uppercase] for read-only access or RW [uppercase] for read/write access). In the Password text box, type your password. Click Log On. The System Information page appears .
2 3
ATTENTION
For information about modifying existing system usernames, see "Setting the username and password" (page 35). Figure 58 System Information Page
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
End
With Web access enabled, the switch can support a maximum of four concurrent Web page users. Two predened user levels are available, and each user level has a corresponding username and password. Table 82 "User levels and access levels" (page 175) shows an example of the two predened user levels available and their access level within the Web-based management user interface.
Table 82 User levels and access levels User level Read-only Read/write User name for each level RO RW Password for each user level XXXXXXXX XXXXXXXX Access Level Read only Full read/write access
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
ATTENTION
Ensure that you do not enter the MAC address of the switch on which you are working.
ATTENTION
After conguring the switch for MAC address-based security, you must enable the ports you want by using the Port Conguration page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The following table describes the items on the Security Conguration page.
Table 83 Security Conguration page items Section MAC Address Security Setting Item MAC Addres s Security Range (1) Enabled (2) Disabled Description Enables the MAC address security features. After this field is set to enabled, the software checks the source MAC addresses of the packets that arrive on the secure ports against MAC addresses listed in the MAC Address Security Table for allowed membership. If the software detects a source MAC address that is not an allowed member, the software registers a MAC intrusion event. After this field is set to enabled, the MAC address security screens cannot be modified by using SNMP. Configures how the switch reacts to an intrusion event (see MAC Address Security field): Disabled The port remains enabled, even if an intrusion event is detected. Enabled The port is disabled, then automatically reset to enabled after the time specified in the Partition Time field elapses. Forever The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses. You must manually reenable the port.
Partition Port (1) Forever on Intrusion (2) Enabled Detected (3) Disabled
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Section
Range 1 to 65535
ATTENTION
Use this field only if the Partition Port on Intrusion Detected field is set to Enabled.
DA Filtering on Intrusion Detected Generate SNMP Trap on Intrusion MAC Security Table/Clear by Ports Action
When enabled, the switch isolates the intruding node by filtering (discarding) the packets sent to that MAC address. Enables generation of an SNMP trap to all registered SNMP trap addresses when an intrusion is detected. Lets you clear specific ports from participation in the MAC address security features. Blank. Blank.
Port List Current Learning Mode MAC Security Table/Learn by Ports Action
Lets you identify ports that learn incoming MAC addresses. All source MAC addresses of any packets received on specified ports are added to the MAC Security Table (a maximum of 448 MAC addresses are allowed). Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses). (1) Enabled (2) Disabled Enables learning.
Port List
2 3
On the Security Conguration page, type the necessary information in the text boxes, or select from a list. Click Submit. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring ports
You can use the Port Lists page, to create port lists that can be used as allowed source port lists to be referenced in the Security Table page. You can create up to 32 port lists. To activate an entry or add or delete ports from a list, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Port Lists. The Port Lists page appears. The following gure displays the Port Lists page.
Figure 60 Port Lists page
The following table describes the items on the Port Lists page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
180 Conguring Security using web-based management Table 84 Port Lists page items Item Entry Action Port List Description These are the lists of ports. Lets you create a port list that you can use as an Allowed Source in the Security Table screen. Displays which ports are associated with each list.
To add or delete ports to a list, click in the Action column in the list row that you want. The Port List View, Port List page appears. The following gure displays the Port List View, Port List page.
Figure 61 Port List View, Port List page
a. Click the ports you want to add to the selected list, or click All. b. To delete a port from a list, clear the box by clicking it. c. Click Submit. 3 From the main menu, choose Application > MAC Address Security > Security Conguration. The Security Conguration page appears. 4 In the MAC Security Table section, click in the Action column of the Learn By Ports row. The Port List View, Learn by Ports page appears. The following gure displays the Port List View, Learn by Ports page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring MAC address-based security 181 Port List View, Learn by Ports page
a. Click the ports through which you want the switch to learn MAC addresses, or click All. b. If you want that port to no longer learn MAC addresses, click the checked box to clear it. c. Click Submit. 5 6 In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row. Click Submit.
ATTENTION
You cannot include any of the port values that you choose for the secure ports eld.
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
182 Conguring Security using web-based management Figure 62 Security Table page
ATTENTION
By using this page, you instruct the switch to allow the specied MAC address access only through the specied port or port list.
The following table describes the items on the Security Table page.
Table 85 Security Table page items Section MAC Addre ss Security Table Item Action MAC Address Allowed Source MAC Addre ss Security Table Entry Creation MAC Address Port Entry Range Description Lets you delete a MAC address. Displays the MAC address. Displays the entry through which the MAC address is allowed. Lets you specify up to 448 MAC addresses that are authorized to access the switch. You can specify the ports that each MAC address is allowed to access by using the Allowed Source field (see the next item description). The specified MAC address does not take effect until the Allowed Source field is set to some value (a single port number or a port list value that you previously configured in the Port Lists screen).
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Section
Range
Description Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source field include a single port number or a port list value that you have previously configured in the Port Lists screen.
ATTENTION
If you choose an Entry as the Allowed Source, you must have congured that specic entry on the Port View List, Port List page.
3 4
On the Security Table page, type the required information in the text boxes or select from a list. Click Submit.
ATTENTION
Include the MAC address for the default LAN router as an allowed source MAC address.
End
Clearing ports
You can clear all information from the specied port(s) in the list of ports that learn MAC addresses. If Learn by Ports is enabled, the specied ports begin to learn the MAC addresses. To clear information from selected ports, use the following procedure: Step 1 Action From the main menu, choose Application > MAC Address Security > Security Conguration. The Security Conguration page appears (Figure 59 "Security Conguration page" (page 176)). 2 In the MAC Security Table section, click in the Action column of the Clear By Ports row. The Port List View, Clear By Ports page appears.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The following gure displays the Port List View, Clear By Ports page.
Figure 63 Port List View, Clear By Ports page
3 4
Select the ports you want to clear or click All. Click Submit.
ATTENTION
When you specify a port (or ports) to be cleared by using this eld, the specic port are cleared for each of the entries listed in the MAC Address Security Table. If you clear all the allowed Source Ports eld (leaving a blank eld) for an entry, the associated MAC address for that entry is also cleared.
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
The following table describes the items on the Port Conguration page.
Table 86 Port Conguration page items Item Port Trunk Security Range 1 to 52 Blank, 1 to 6 (1) Enabled (2) Disabled Description Lists each port on the unit. Displays the MultiLink Trunk to which the port belongs to. Enables MAC address-based security on that port.
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Deleting ports
You can delete ports from the security system in a variety of ways: In the Ports List View, Port List page (Figure 61 "Port List View, Port List page" (page 180)), click the checkmark of a selected port that you want to delete from the specied port list. In the Ports List View, Learn by Ports page ("Port List View, Learn by Ports page" (page 181)), click the checkmark of a port that you want to remove from those ports that learn MAC addresses. In the Port Conguration page (Figure 64 "Port Conguration page" (page 185)), click Disabled to remove that port from the MAC address-based security system; this action disables all MAC address-based security on that port.
The following table describes the items on the DA MAC Filtering page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring MAC address-based security 187 Table 87 DA MAC Filtering page items Section Destination MAC Addre ss Filtering Table Item Action Range Description To drop all packets to and from a specified MAC Destination Address (DA). 1 -10 The number of the MAC address. Displays the MAC address. XX:XX:XX:XX:X X:XX Enter the MAC DA that you want to filter.
DA MAC Address
ATTENTION
Ensure that you do not enter the MAC address of the management station.
In the DA MAC Filtering Entry Creation area, enter the MAC DA that you want to lter. You can list up to 10 MAC DAs to lter.
Click Submit. The system returns you to the DA MAC Filtering page (Figure 65 "DA MAC Filtering page" (page 186)) with the new DA listed in the table. End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Do one of the following: Click Yes to delete the target parameter conguration. Click Cancel to return to the table without making changes. End
About SNMP
Simple Network Management Protocol (SNMP) is the standard for network management that uses a common software agent to manage local and wide area network equipment from different vendors; part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite as dened in RFC115. SNMPv1 is version one, the original standard protocol. SNMPv3 is a combination of proposal updates to SNMP, most of which deal with security.
Conguring SNMPv1
You can congure SNMPv1 read/write and read-only community strings, enable or disable trap mode settings, and/or enable or disable the autotopology feature. The autotopology feature, when enabled, performs a process that recognizes any device on the managed network and denes and maps its relation to other network devices in real time. To congure the community string, trap mode, and autotopology settings and features, use the following procedure: Step 1 Action From the main menu, choose Conguration > SNMPv1. The SNMPv1 page appears. The following gure displays the SNMPv1 page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
189
1..32
Type a character string to identify the community string for the SNMPv1 read-write community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-write community.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Section
Item
Range
(1) Enab le (2) Disa ble (1) Enab le (2) Disa ble
Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs. Choose to enable or disable the autotopology feature, which allows network topology mapping of other switches in your network.
2 3
Type the required information in the text boxes or select from a list. Click Submit in any section to save your changes. End
Conguring SNMPv3
This section describes the steps to build and manage SNMPv3 in the Web-based management user interface.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
191
Table 89 "System Information section elds" (page 191) describes the elds on the System Information section of the SNMPv3 System Information page.
Table 89 System Information section elds Item SNMP Engine ID SNMP Engine Boots SNMP Engine Time SNMP Engine Maximum Message Size SNMP Engine Dialects Description The identification number for the SNMP engine. The number of times that the SNMP engine has reinitialized itself since its initial configuration. The number of seconds because the SNMP engine last incremented the snmpEngineBoots object. The maximum length, in octets, of an SNMP message that this SNMP engine can send or receive and process. This is determined as the minimum of the maximum message size values supported among all transports available to and supported by the engine. The SNMP dialect that the engine recognizes. The dialects are: SNMP1v1, SNMPv2C, and SNMPv3.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Description The registration point for standards-track authentication protocols used in SNMP Management Frameworks. The registration points are: None, HMAC MD5, and HMAC SHA.
ATTENTION
The Ethernet Routing Switch 2500 Series supports only the MD5 authentication protocol.
The registration point for standards-track privacy protocols used in SNMP Management Frameworks. The registration points are: None, CBC-DES, AES or 3DES.
ATTENTION
The Ethernet Routing Switch 2500 Series does not support privacy protocols.
Table 90 "SNMPv3 Counters section elds" (page 192) describes the elds on the SNMPv3 Counters section of the SNMPv3 System Information page.
Table 90 SNMPv3 Counters section elds Item Unavailable Contexts Unknown Contexts Unsupported Security Levels Not in Time Windows Description The total number of packets dropped by the SNMP engine because the context contained in the message is unavailable. The total number of packets dropped by the SNMP engine because the context contained in the message is unknown. The total number of packets dropped by the SNMP engine because they requested a security level that is unknown to the SNMP engine or otherwise unavailable. The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
193
Description The total number of packets dropped by the SNMP engine because they referenced an unknown user. The total number of packets dropped by the SNMP engine because they referenced an snmpEngineID that is not known to the SNMP engine. The total number of packets dropped by the SNMP engine because they did not contain the expected digest value. The total number of packets dropped by the SNMP engine because they could not be decrypted.
Decryption Errors
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
194 Conguring Security using web-based management Figure 68 User Specication page
describes the items on the User Specication Table section of the User Specication page.
Table 91 User Specication Table section items Item and MIB association Description Deletes the row.
The name of an existing SNMPv3 user. Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
195
Description Displays whether or not messages sent on behalf of this user to or from the SNMP engine identified by the usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used. The current storage type for this row. If Volatile is displayed, information is dropped (lost) when you turn off the power. If nonvolatile is displayed, information is saved in NVRAM when you turn off the power.
Entry Storage
The following table describes the items on the User Specication Creation section of the User Specication page.
Table 92 User Specication Creation section items Item and MIB association User Name Authentication Protocol(usmUser AuthProtocol) Authentication Passphrase(usm UserAuthPassword) Privacy Protocol Range 1..32 None MD5 SHA 1..32 Description Type a string of characters to create an identity for the user. Choose whether or not the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 or SHA protocol. Type a string of characters to create a passphrase to use in conjunction with the authorization protocol. Choose the privacy protocol you want to use.
Privacy Passphrase
X..XX
Type a string of characters to create a passphrase to use in conjunction with the privacy protocol. The alphanumeric string must be at least 8 characters long. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
In the User Specication Creation section, type the required information in the text boxes or select from a list.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Click Submit. The new conguration is displayed in the User Specication Table (Table 91 "User Specication Table section items" (page 194)). End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
197
The following table describes the items on the Group Membership page.
Table 93 Group Membership page items Item and MIB association Range Description Deletes the row.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Range 1..32
Description Type a string of characters to create a security name for the principal that is mapped by this entry to a group name. Choose the security model within which the security name to group name mapping is valid. Type a string of characters to specify the group name. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Security Model(vacmSecu rityTo GroupStatus) Group Name(vacmGroupN ame) Entry Storage(vacmSecuri tyTo GroupStorageType)
(1) SNMPv1 (2) SNMPv2c (3) USM 1..32 (1) Volatile (2) Non-Volati le
2 3
In the Group Membership Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Group Membership Table (Figure 69 "Group Membership page" (page 197)). End
Conguring SNMPv3
199
A message appears prompting you to conrm your request. 3 Do one of the following: Click Yes to delete the group membership conguration. Click Cancel to return to the Group Membership page without making changes.
ATTENTION
This Group Membership Table section of the Group Membership page contains hyperlinks to the SNMPv3 User Specication and Group Access Rights pages. For more information on these pages, see "Conguring user access to SNMPv3" (page 193) and "Conguring SNMPv3 group access rights" (page 199) .
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
200 Conguring Security using web-based management Figure 70 Group Access Rights page
The following table describes the items on the Group Access Rights page.
Table 94 Group Access Rights page items Item and MIB association Range Description Deletes the row.
1..32
Type a character string to specify the group name to which access is granted. Choose the security model to which access is granted.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
201
Item and MIB association Security Level(vacm AccessSecurity Level) Read View(vacm AccessReadView Name)
Description Choose the minimum level of security required to gain the access rights allowed to the group. Type a character string to identify the MIB view of the SNMP context to which this entry authorizes read access. Type a character string to identify the MIB view of the SNMP context to which this entry authorizes write access. Type a character string to identify the MIB view to which this entry authorizes access to notifications. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
1..32
1..32
2 3
In the Group Access Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Group Access Table (Figure 70 "Group Access Rights page" (page 200)). End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Step 1
Action From the main menu, choose Conguration > SNMPv3 > Group Access Rights. The Group Access Rights page appears (Figure 70 "Group Access Rights page" (page 200)).
In the Group Access Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request.
Do one of the following: Click Yes to delete the group access conguration. Click Cancel to return to the Group Access Rights page without making changes.
ATTENTION
This Group Access Table section of the Group Access Rights page contains hyperlinks to the Management Information View page.
End
ATTENTION
A view can consist of multiple entries in the table, each with the same view name, but a different view subtree.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
203
The following table describes the elds on the Management Information View page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
204 Conguring Security using web-based management Table 95 Management Information View page elds Fields and MIB association Range Description Deletes the row.
1..32
X.X.X.X.X...
Type an object identifier (OID) to specify the MIB subtree that, when combined with the corresponding instance of vacmViewTreeFamilyMask, defines a family of view subtrees.
ATTENTION
If no OID is entered and the field is blank, a default mask value consisting of 1s is recognized.
Type the bit mask that, in combination with the corresponding instance of vacmViewFamilySubtree, defines a family of view subtrees. Choose to include or exclude a family of view subtrees.
(1) Volatile Choose your storage preference. (2) Non-Vola Selecting Volatile requests tile information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
205
2 3
In the Management Information Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry appears in the Management Information Table (Figure 71 "Management Information View page" (page 203)). End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Step 1
Action From the main menu, choose Conguration > SNMPv3 > Notication. The Notication page appears. The following gure displays the Notication page.
1..32
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
207
Range 1..32
Description Type a value to use to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable which contains a tag value which is equal to the value of an instance of this object is selected. If this object carries a zero length, no entries are selected Choose the type of notification to generate. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
2 3
In the Notication Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Notication Table "Notication page" (page 206) . End
ATTENTION
This Notication Table section of the Notication page contains hyperlinks to the Target Parameter page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
In the Notication Table, click the Delete icon for the entry you want to delete. A message appears prompting you to conrm your request.
Do one of the following: Click Yes to delete the notication conguration. Click Cancel to return to the table without making changes. End
The following table describes the items on the Target Address page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3 Table 97 Target Address page items Item and MIB association Range Description Deletes the row.
209
Type a character string to create a target name. Type a transport address in the format of an IP address, colon, and UDP port number. For example: 10.30.31.99:162.
Integer
Type the number, in seconds, to designate as the maximum time to wait for a response to an inform notification before resending theInform notification. Type the default number of retires to be attempted when a response is not received for a generated message. An application can provide its own retry count, in which case the value of this object is ignored. Type the space-separated list of tag values to be used to select target addresses for a particular operation. Type a numeric string to identify an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generated messages are sent to this transport address. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests
0..255
1..20
1..32
Entry Storage
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Range
Description information to be saved in NVRAM when you turn off the power.
2 3
In the Target Address Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Target Address Table ("Target Address page" (page 208)).
ATTENTION
This Target Address Table section of the Target Address page contains hyperlinks to the Target Parameter page.
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
211
The following table describes the items on the Target Parameter page.
Table 98 Target Parameter page items Item Range Description Deletes the row.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Item Parameter Tag(snmpTarget ParamsRowStatus) Msg Processing Model(snmpTarget ParamsMPModel) Security Name(snmpTarget ParamsSecuirty Name) Security Level(snmpTarget ParamsSecuirtyLevel) Entry Storage(snmpTargetP aramsStorage Type)
Range 1..32
Description Type a unique character string to identify the parameter tag. Choose the message processing model to be used when generating SNMP messages using this entry. Type the principal on whose behalf SNMP messages are generated using this entry. Choose the level of security to be used when generating SNMP messages using this entry. Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
(1) noAuthNoPriv (2) authNoPriv (3) authPriv (1) Volatile (2) Non-Volatile
2 3
In the Target Parameter Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry appears in the Target Parameter Table ("Target Parameter page" (page 211)). End
Conguring SNMPv3
213
Click Yes to delete the target parameter conguration. Click Cancel to return to the table without making changes. End
ATTENTION
The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are congurable using this table.
The following table describes the elds on the Trap Receiver Table and Trap Receiver Creation sections of the SNMP Trap Receiver page.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
214 Conguring Security using web-based management Table 99 SNMP Trap Receiver page elds Fields Range Description Deletes the row.
Choose the number of the trap receiver to create or modify. Type the network address for the SNMP manager that is to receive the specified trap. Type the community string for the specified trap receiver. Reenter the community string for the specified trap receiver to confirm.
Community
2 3
In the Trap Receiver Creation section, type the required information in the text boxes or select from a list. Click Submit. The new entry is displayed in the Trap Receiver Table (). End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Conguring SNMPv3
215
End
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
217
Standard MIBs
rfc1757.mib rcMLT
MIB2 IF-MIB Etherlike MIB Interface Extension MIB Switch Bay Secure System Log MIB S5 Autotopology MIB VLAN Entity MIB
Proprietary MIBs
Management Agent The SNMP agent is trilingual and supports exchanges by using SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 communities provide support for SNMPv2c by introducing standards-based GetBulk retrieval capability. SNMPv3 support provides MD5 and SHA-based user authentication and message security as well as DES-based message encryption. Modules that support MIB are: Standard MIBs MIB II (RFC 1213) Bridge MIB (RFC 1493) and proposed VLAN extensions 802.1Q Bridge MIB 802.1p Ethernet MIB (RFC 1643) RMON MIB (RFC 1757) SMON MIB High Capacity RMON Interface MIB (RFC2233) Entity MIB (RFC2037) SNMPv3 MIBs (RFC 2271 RFC 2275)
Proprietary MIBs s5Chassis MIB s5Agent MIB Interface Extension MIB s5 Multi-segment topology MIB s5 Switch BaySecure MIB System Log MIB RapidCity Enterprise MIB rcDiag (Conversation steering) MIB rcVLAN MIB rcMLT MIB
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
219
RFC 1215 (industry standard): linkUp linkDown authenticationFailure coldStart warmStart Per port Per port System wide Always on Always on The link state changes to up on a port. The link state changes to down on a port. SNMP authentication failure occurs. The system is powered on. The system restarts due to a management reset.
s5CtrMIB (Nortel proprietary traps): s5CtrUnitUp s5CtrUnitDown s5CtrHotSwap s5CtrProblem Always on Always on Always on Always on A unit is added to an operational stack. A unit is removed from an operational stack. A unit is hot-swapped in an operational stack. A component or subcomponent has a problem condition either a warning, nonfatal, or fatal condition. A MAC address violation is detected. A rising Alarm is fired. A falling Alarm is fired. All switch configuration is saved to NVRAM. A failed log in on a telnet or console session occurs.
Always on
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
220
Index
A
access 39, 46 SNMP 176 administrative options logging on 173 security, conguring passwords 169 remote dial-in access 172 allowed IP addresses 39 Allowed Source eld 182 AuthCong tab 116 AccessCtrlType eld 117 BrdIndx eld 117 MACIndx eld 117 PortIndx eld 117 SecureList eld 117 authentication 56 authentication traps, enabling 188 AuthStatus tab 119 AuthStatusBrdIndx eld 120 AuthStatusMACIndx eld 120 AuthStatusPortIndx eld 120 CurrentAccessCtrlType eld 121 CurrentActionMode eld 121 CurrentPortSecurStatus eld 121 AuthViolation tab 122 Autotopo-logy Setting eld 190 autotopology, enabling 188
C
Clear By Ports page 184 cli password command 36 Commu-nity String Setting eld 189 community strings, conguring 188 Community Table dialog box 159 ContextEngineID eld 161 ContextName eld 161 Index eld 160 Name eld 160 SecurityName eld 160 StorageType eld 161 TransportTag eld 161 Console Password Setting page 170 Console/TELNET/Web access conguration 17 conventions, text 11 Current Learning Mode eld 178 customer support 14
D
DA ltering 80 DA Filtering on Intrusion Detected eld 178 DA MAC Address eld 187 DA MAC Filtering page 186 default eapol guest-vlan command 93 default http-port 44 default radius-server command 58 default snmp trap link-status command 69 default snmp-server authentication-trap command 61 default snmp-server community command 63
B
BaySecure 80
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Index 221
default snmp-server contact command 64 default snmp-server host command 76 default snmp-server name command 67 default ssh command 54 default telnet-access command 48 Device Manager 40
EapolFramesRx eld 137 EapolFramesTx Field 137 EapolLogoffFramesRx eld 137 EapolReqFramesTx eld 137 EapolReqIdFramesTx eld 137 EapolRespFramesRx eld 137 EapolRespldFramesRx 137 EapolStartFramesRx eld 137 InvalidEapolFramesRx eld 138 EAPOL Advance tab for a port EAPOL tab 110 GuestVlanEnabled eld 131 EAPOL tab for a port 127 GuestVlanId eld 131 EAPOL tab for ports EAPOL Advance tab for ports 129 AdminControlledDirections eld 128 eapol command 91, 91 AuthControlledPortControl eld 129 EAPOL Diag tab 138 AuthControlledPortStatus eld 128 AuthEapLogoffWhileAuthenticated BackendAuthState eld 128 eld 140 KeyTxEnabled eld 129 AuthEapLogoffWhileAuthenticating LastEapolFrameSource eld 129 eld 140 LastEapolFrameVersion eld 129 AuthEapStartsWhileAuthenticated MaximumRequests eld 129 eld 140 OperControlledDirections eld 128 AuthEapStartsWhileAuthenticating PaeState eld 128 eld 140 PortCapabilities eld 128 AuthFailWhileAuthenticating eld 140 PortInitialize eld 128 AuthReauthsWhileAuthenticated PortProtocolVersion eld 128 eld 140 PortReauthenticateNow eld 128 AuthReauthsWhileAuthenticating QuietPeriod eld 129 eld 140 ReAuthenticationEnabled eld 129 AuthSuccessWhileAuthenticating ReAuthenticationPeriod eld 129 eld 139 ServerTimeout 129 AuthTimeoutsWhileAuthenticating SupplicantTimeout eld 129 eld 140 TransmitPeriod eld 129 BackendAccessChallenges eld 140 EAPoL-based security 21 BackendAuthFails eld 141 with Guest VLAN 23 BackendAuthSuccesses eld 141 EAPOL-based security 87 BackendNonNakResponsesFromSuppliEntry eld 180 cant eld 141 Entry Storage eld 198, 201, 204 BackendOtherRequestsToSupplicant eld 141 BackendResponses eld 140 EapLogoffsWhileConnecting eld 139 General tab 111 EntersAuthenticating eld 139 AuthCtlPartTime eld 112 EntersConnecting eld 139 AuthSecurityLock eld 112 eapol guest-vlan command 93 CurrNodesAllowed eld 114 EAPOL Security Conguration 23 CurrSecurityLists eld 114 EAPOL Stats tab 136 MaxNodesAllowed eld 114 EapLengthErrorFramesRx eld 138 MaxSecurityLists eld 114
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
222 Index
learn by ports 180 PortLearnStatus eld 114 learning 178 PortSecurityStatus eld 114 MAC DA 175, 186 SecurityAction eld 113 ports 184 SecurityMode eld 113 security list 179 SecurityStatus 112 Generate SNMP Trap on Intrusion eld 178 security table 181 MAC Address Security eld 177 Group Access Right tab MAC Address Security SNMP-Locked ContextMatch eld 155 eld 177 ContextPrex eld 155 MAC address-based network security 21, NotifyViewName eld 156 21 ReadViewName eld 155 MAC DA ltering 80, 186 SecurityLevel eld 155 MAC security SecurityModel eld 155 DA ltering 80 StorageType eld 156 source-address based 80 WriteViewName eld 155 mac-security command 81 Group Access Rights page 199 mac-security command for specic ports 85 Group Membership page 196 mac-security mac-da-lter command 86 Group Membership tab mac-security mad-address-table address GroupName eld 154 command 83, 83, 84, 85 SecurityModel eld 154 mac-security security-list command 83 SecurityName eld 154 Management Information View page 202 StorageType eld 154 management systems 40 Group Name eld 198, 200 Management Target Address table 162 Guest VLAN 23 Management target tables 161 MHMA 28 MHSA 33 HTTP port number change 26 conguring with CLI 107 http-port command 44 MIB View tab Mask eld 158 StorageType eld 158 IP 39 Subtree eld 158 IP manager list 39 Type eld 158 ipmgr command 40, 42 ViewName eld 158 modifying parameters 91 Multiple Host with Multiple Authentication (MHMA) 28 Learn by Ports page 180 Multiple Host with Single Authentication 33 logging on 173 Login screen 18
H I
M
MAC Address eld 182, 187 MAC address security 176 allowed source 181 clearing 184 deleting ports 186
Name eld 166 New User Name eld 152 no eapol guest-vlan command 93 no ipmgr command 41, 42 no mac-security command 84
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Index 223
no mac-security mac-address-table command 84 no mac-security security-list command 85 no radius-server command 58 no smnp-server command 60 no snmp trap link-status command 68 no snmp-server authentication-trap command 61 no snmp-server command 72 no snmp-server community command 62 no snmp-server contact command 64 no snmp-server host 76 no snmp-server location command 65 no snmp-server name command 66 no snmp-server view command 74 no ssh command 51 no ssh dsa-auth command 53 no ssh dsa-auth-key command 54 no ssh dsa-host-key command 51 no ssh pass-auth command 53 no telnet-access command 47 no web-server command 56 Non-EAP hosts on EAP-enabled ports 30 Non-EAP MAC RADIUS authentication 32 Notication page 206 Notify Table dialog box 166 StorageType eld 167 Tag eld 166 Type eld 167 Notify View eld 201
R
RADIUS access 36 RADIUS authentication 56 Radius page 172 RADIUS password fallback 20 RADIUS Shared Secret eld 173 RADIUS Timeout Period eld 173 RADIUS-based network security 20 RADIUS-based security 20 radius-server command 57 radius-server password fallback 58 Read View eld 201 read-only access 172 read-write access 172 remote access requirements 44, 44 remote dial-in access, conguring 172 requirements remote access 44
Secondary RADIUS Server eld 173 Security MAC address-based network security 21 RADIUS-based network security 20 security 36, 39, 46, 56, 80, 87 MAC address-based 176 Security Conguration page 176 Security eld 185 Security Level eld 201 security lists 80 Security Model eld 198, 200 Security Name eld 198 Partition Port on Intrusion Detected eld 177security options 18 Partition Time eld 178 Security page 176 passwords 36 Security parameters passwords, setting General tab console 169 SecurityStatus eld 112 remote dial-in access 172 Security Table page 181 Telnet 169 security, conguring Web 169 passwords 169 Port Conguration page 184 remote dial-in access 172 Port List eld 178, 180 Security, Insert AuthCong dialog box 117 Port List page 180 AccessCtrlType eld 118 Port Lists page 179 BrdIndx eld 118 Primary RADIUS Server eld 173 MACIndx eld 118 product support 14 PortIndx eld 118
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
224 Index
SecureList eld 118 SecurityListIndx eld 116 SecurityListMembers eld 116 Security, Insert SecurityList dialog box 115 SecurityList tab 114 SecurityListIndx eld 115 SecurityListMembers eld 115 show dsa-host-key command 51 show eapol auth-diags interface command 89, 90 show eapol command 87 show eapol guest-vlan command 94 show http-port command 43 show ipmgr command 39 show mac-security command 80 show radius-server command 56 show snmp-server command 64, 78 show ssh download-auth-key command 50 show ssh global command 49 show ssh session command 50 show telnet-access command 45 SNMP 26 about 188 MAC address security 177 trap receivers conguring 213 deleting 214 SNMP Graph tab 145 InASNParseErrs eld 146 InBadCommunityNames eld 146 InBadCommunityUses eld 146 InBadValues eld 146 InBadVersions eld 146 InGenErrs eld 147 InGetNexts eld 145 InGetRequests eld 145 InGetResponses eld 145 InNoSuchNames eld 146 Inpkts eld 145 InReadOnlys eld 147 InSetRequests eld 145 InTooBigs eld 146 InTotalReqVars eld 145 InTotalSetVars eld 145 OutBadValues eld 146 OutGenErrs eld 146 OutNoSuchNames eld 146
Outpkts eld 145 OutTooBigs eld 146 OutTraps eld 146 SNMP tab 141, 141 LastUnauthenticatedCommunityString eld 142 LastUnauthenticatedIpAddress eld 142 TrpRcvrCurEnt eld 142 TrpRcvrMaxEnt eld 142 TrpRcvrNext eld 142 snmp trap link-status command 67 SNMP Trap Receiver page 213 snmp-server authentication-trap command 60 snmp-server command 59 snmp-server community command 61, 77, 77 snmp-server contact command 64 snmp-server host command 75 snmp-server location command 65 snmp-server name command 66, 79, 79, 79, 79, 79, snmp-server user command 70 snmp-server view command 73 SNMPv1 about 188 conguring 188 SNMPv1 page 188 SNMPv3 147 about 188 conguring 190 group access rights conguring 199 deleting 201 group membership conguring 196 deleting 198 initial login 148 management information views conguring 202 deleting 205 management target 161 system information, viewing 190 system notication entries conguring 205 deleting 207 target addresses
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
Index 225
conguring 208 deleting 210 target parameters 164 conguring 211 deleting 212 user access conguring 193 deleting 196 User-based Security Model (USM) 149 View-based Access Control Model (VACM) 152 SNMPv3 user conguration methods 149 source IP addresses 42 ssh command 51 ssh download-auth-key command 54 ssh dsa-auth command 52 ssh pass-auth command 53, 53 ssh port command 53, 53 ssh secure command 52 SSH Sessions tab 124, 125 SSHSessionsIP eld 125 SSH tab 122 DsaAuth eld 123 Enable eld 123 KeyAction eld 123 LoadServerAddr eld 124 PassAuth eld 123 Port eld 123 TftpAction eld 124 TftpResult eld 124 Timeout eld 123 Version eld 123 ssh timeout command 52 support, Nortel 14 switch conguration options autotopology feature 188 community string settings 188 SNMP trap receivers 213 SNMPv3 group access rights 199 management information views 202 management target addresses 208 management target parameters 211 system information, viewing 190 system notication entries 205 user access 193 user group membership 196
trap mode settings 188 switches supported 11 System Information page 190
T
Target Address page 208 Target Address Table Name eld 162 Params eld 163 RetryCount eld 162 StorageType eld 163 TAddress eld 162 Taglist eld 163 TDomain eld 162 Timeout eld 162 Target Parameter page 211 Target Params Table MPModel eld 165 Name eld 165 SecurityLevel eld 166 SecurityModel eld 165 SecurityName eld 165 Storage Type eld 166 technical support 14 Telnet 36, 40, 44, 46 Telnet Password Setting page 170 telnet-access command 46 text conventions 11 TftpFile eld 124 Trap Mode Setting eld 190 Trap Receiver adding 143 Trap Receivers tab 142 Community eld 143 Indx eld 143 NetAddr eld 143 traps 67 troubleshooting 83 access 39, 44, 56, 80
U
UDP RADIUS Port eld 173 username command 35 USM dialog box 149 AuthProtocol eld 150 EngineID eld 150
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.
226 Index
Name eld 150 PrivProtocol eld 150 SecurityName eld 150 StorageType eld 150 USM Insert USM Table dialog box Cloned User Auth Password eld 152 Cloned User Priv Password eld 152 New User Auth Password eld 152 New User Priv Password eld 152 Priv Protocol eld 152 StorageType eld 152 USM, Insert USM Table dialog box Auth Protocol eld 152 Clone From User eld 152
V
VACM dialog box 153 VACM tables 153 vacmGroupName eld 155 View Mask eld 204 View Name eld 204 View Subtree eld 204 View Type eld 204
W
Web Password Setting page 170 Web-based management system 40 web-server command 55 Write View eld 201
Nortel Ethernet Routing Switch 2500 Series Security Conguration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright 2007, Nortel Networks
.