
Nortel Ethernet Routing Switch 2500 Series

Security — Configuration and Management

NN47215-505 (323165-B)


Document status: Standard
Document version: 02.01
Document date: 19 November 2007

Copyright © 2007, Nortel Networks
All Rights Reserved.

Sourced in Canada, India, and the United States of America

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

The software described in this document is furnished under a license agreement and can be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.

Trademarks are acknowledged with an asterisk (*) at their first appearance in the document.

All other trademarks are the property of their respective owners.

Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that can pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice.

Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product can be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University can not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that can incorporate by reference certain limitations and notices imposed by third parties).


Nortel Networks software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer ensures that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer promptly returns the Software to Nortel Networks or certify its destruction. Nortel Networks can audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as can be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions can not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they can not apply.

4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer can terminate the license at any time. Nortel Networks can terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.


c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

d. Neither party can bring an action, regardless of form, more than two years after the cause of the action arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.


Contents

New in this release 9
  Features 9
    Advanced Security features 9

Introduction 11
  Before you begin 11
  Text conventions 11
  Related publications 13
  How to get help 14
    Getting help from the Nortel Web site 14
    Getting help through a Nortel distributor or reseller 14
    Getting help over the phone from a Nortel Solutions Center 14
    Getting help from a specialist by using an Express Routing Code 15

Using security in your network 17
  Setting management passwords 17
    Console/TELNET/Web password Configuration 17
    Username and password 17
    Logging on 18
  Configuring Security options 18
    RADIUS-based network security 20
    MAC address-based security 21
    EAPOL-based security 21
    EAPoL with Guest VLAN 23
  EAPOL Security Configuration 23
  Password security 24
    Password length and valid characters 24
    Password retry 24
    Password history 24
    Password display 24
    Password verification 24
    Password aging time 25
    Read-Only and Read-Write passwords must be different 25
    Applicable passwords 25
    Enabling and disabling password security 25

Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management
NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Copyright © 2007, Nortel Networks


    Default passwords 26
  HTTP port number change 26
  Simple Network Management Protocol 26
    SNMP Version 1 (SNMPv1) 26
    Nortel Ethernet Routing Switch 2500 Series support for SNMP 27
    SNMP MIB support 27
    SNMP trap support 28
  Advanced EAPOL features 28
    Non-EAP hosts on EAP-enabled ports 30

Configuring Security using the CLI 35
  Securing your system 35
    Setting the username and password 35
    Setting password security 37
    Configuring the IP manager list 39
    Changing the http port number 43
    Setting Telnet access 44
    Configuring Secure Shell (SSH) 48
    Setting server for Web-based management 55
    Configuring the RADIUS-based management password authentication 56
    Setting SNMP parameters 58
    Common SNMP and SNMPv3 CLI commands 58
    CLI commands specific to SNMPv3 69
  Securing your network 80
    Configuring MAC address filter-based security 80
    Configuring EAPOL-based security 87
    Configuring advanced EAPOL features 94

Configuring Security using web-based management 169
  Configuring system security 169
    Setting console, Telnet, and Web passwords 169
    Configuring RADIUS dial-in access security 172
    Accessing the management interface 173
    Configuring MAC address-based security 175
      Configuring MAC address-based security 176
      Configuring ports 179
      Adding MAC addresses 181
      Clearing ports 183
      Enabling security on ports 184
      Deleting ports 186
      Filtering MAC destination addresses 186
      Deleting MAC DAs 187
  About SNMP 188
    Configuring SNMPv1 188
    Configuring SNMPv3 190


      Viewing SNMPv3 system information 190
      Configuring user access to SNMPv3 193
      Configuring an SNMPv3 system user group membership 196
      Configuring SNMPv3 group access rights 199
      Configuring an SNMPv3 management information view 202
      Configuring an SNMPv3 system notification entry 205
      Configuring an SNMPv3 management target address 208
      Configuring an SNMPv3 management target parameter 211
      Configuring an SNMP trap receiver 213

Index 220


New in this release

The following sections detail what’s new in Security — Configuration and Management (NN47215-505) for Release 4.1.

Features
See "Advanced Security features" (page 9) for information about feature changes.

Advanced Security features
The Nortel Ethernet Routing Switch 2500 Release 4.1 supports advanced EAPOL security features. For more information, see the following sections:

• "Advanced EAPOL features" (page 28)

• "Configuring multihost support" (page 95)

• "Configuring support for non-EAPOL hosts on EAPOL-enabled ports" (page 102)

• "Configuring MultiHost Single-Authentication (MHSA)" (page 107)


Introduction

This guide provides information about configuring and managing security features on the Nortel Ethernet Routing Switch 2500 Series.

This guide describes the features of the following Nortel switches:

• Nortel Ethernet Routing Switch 2526T

• Nortel Ethernet Routing Switch 2526T-PWR

• Nortel Ethernet Routing Switch 2550T

• Nortel Ethernet Routing Switch 2550T-PWR

The term "Ethernet Routing Switch 2500 Series" is used in this document to describe the features common to the switches mentioned above.

A switch is referred to by its specific name when a feature is described that is exclusive to the switch.

Before you begin
This guide is intended for network administrators who have the following background:

• basic knowledge of networks, Ethernet bridging, and IP routing

• familiarity with networking concepts and terminology

• basic knowledge of network topologies

Text conventions
This guide uses the following text conventions:


angle brackets (< >)
    Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold body text
    Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.

braces ({ })
    Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ])
    Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
    Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

italic text
    Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore.
    Example: If the command syntax is show at <valid_route>, valid_route is one variable, and you substitute one value for it.

plain Courier text
    Indicates command syntax and system output, for example, prompts and system messages.
    Example: Set Trap Monitor Filters


separator ( > )
    Shows menu paths.
    Example: Protocols > IP identifies the IP command on the Protocols menu.

vertical line ( | )
    Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you can enter either show ip alerts or show ip routes, but not both.

Related publications
For more information about using the Ethernet Routing Switch 2500 Series, see the following publications:

• Nortel Ethernet Routing Switch 2500 Series Release Notes — Software Release 4.1 (NN47215-400)

  Documents important changes about the software and hardware that are not covered in other related publications.

• Nortel Ethernet Routing Switch 2500 Series Overview — System Configuration (NN47215-500)

  Describes the various management interfaces and how to use them to configure basic switching features for the Nortel Ethernet Routing Switch 2500 Series.

• Nortel Ethernet Routing Switch 2500 Series Configuration — VLANs, Spanning Tree, and MultiLink Trunking (NN47215-501)

  Describes how to configure Virtual Local Area Networks (VLAN), Spanning Tree Protocol (STP), and MultiLink Trunk (MLT) features for the Nortel Ethernet Routing Switch 2500 Series.

• Nortel Ethernet Routing Switch 2500 Series Configuration — Quality of Service (NN47215-504)

  Describes how to configure and manage Quality of Service features for the Nortel Ethernet Routing Switch 2500 Series.

• Nortel Ethernet Routing Switch 2500 Series Performance Management — System Monitoring (NN47215-502)

  Describes how to configure system logging and network monitoring, and how to display system statistics for the Nortel Ethernet Routing Switch 2500 Series.


• Nortel Ethernet Routing Switch 2500 Series Configuration — IP Multicast (NN47215-503)

  Describes how to configure IP Multicast Routing Protocol features for the Nortel Ethernet Routing Switch 2500 Series.

How to get help
This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:

www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:

• download software, documentation, and product bulletins

• search the Technical Support web site and the Nortel Knowledge Base for answers to technical issues

• sign up for automatic notification of new software and documentation for Nortel equipment

• open and manage technical support cases

Getting help through a Nortel distributor or reseller
If you purchase a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.

In North America, call 1-800-4NORTEL (1-800-466-7835).

Outside North America, go to the following web site to obtain the phone number for your region:

www.nortel.com/callus


Getting help from a specialist by using an Express Routing Code
An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to:

www.nortel.com/erc


Using security in your network

This chapter describes the security features available with the Ethernet Routing Switch 2500 Series. This chapter discusses the following topics:

• "Setting management passwords" (page 17)

• "Configuring security options" (page 18)

• "EAPOL Security Configuration" (page 23)

• "HTTP port number change" (page 26)

• "Simple Network Management Protocol" (page 26)

• "Advanced EAPOL features" (page 28)

Setting management passwords
To provide security on your switch, you can configure a local or RADIUS password for management access, or set SNMP community strings.

Console/TELNET/Web password configuration
Telnet and Web access allow a user at a remote terminal to communicate with the Ethernet Routing Switch 2500 Series as if the terminal were directly connected to the switch console. You can establish up to four active Telnet or Web sessions at one time, in addition to one active console connection, for a total of five possible concurrent users.

Username and password
You can set a local username and password to restrict access to the switch. The username and password can provide read/write access or read-only access to the switch. For more information, refer to <x-refs>.

ATTENTION
If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords. For information about modifying existing usernames, see "Setting the username and password" (page 35).


Logging on
If you set a password, the next time you access the switch, you are prompted for a username and password, as shown in the login screen (default usernames are RW and RO).

Enter a valid username and password and press Enter. You are then directed to the CLI.

For information about modifying the existing usernames, see "Setting the username and password" (page 35).

[Figure: Login screen]

Configuring Security options
Ethernet Routing Switch 2500 Series security features provide three levels of security for your LAN:

• RADIUS-based security—limits administrative access to the switch through user authentication.

• MAC address-based security—limits access to the switch based on allowed source MAC addresses.

• EAPOL-based security—limits access to the network by authenticating the client on each port, using IEEE 802.1X EAP over LAN and a RADIUS server.

Figure 1 "Ethernet Routing Switch 2500 Series security feature" (page 19) shows a typical campus configuration that uses the Ethernet Routing Switch 2500 security features. This example assumes that the switch, the teachers’ offices and classrooms, and the library are physically secured. The student dormitory may or may not be physically secure.


Figure 1  Ethernet Routing Switch 2500 Series security feature

In this configuration example, the following security measures are implemented:

• The switch

— RADIUS-based security is used to limit administrative access to the switch through user authentication (see "RADIUS-based network security" (page 20)).

— MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security" (page 21)).

— The switch is located in a locked closet, accessible only by authorized Technical Services personnel.

• Student dormitory

Dormitory rooms are typically occupied by two students and are prewired with two RJ-45 jacks. Only students who are authorized (as specified by the MAC address-based security feature) can access the switch on the secured ports.


• Teachers’ offices and classrooms

The PCs that are located in the teachers’ offices and in the classrooms are assigned MAC address-based security that is specific for each classroom and office location. The security feature logically locks each wall jack to the specified station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC into the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port.

It is assumed that all PCs are password protected and that the classrooms and offices are physically secured.

• Library

The wall jacks in the library are set up so that the PCs can be connected to any wall jack in the room. With this arrangement, you can move the PCs anywhere in the room. The exception is the printer, which is assigned as a single station with full bandwidth to that port.

It is assumed that all PCs are password protected and that access to the library is physically secured.

RADIUS-based network security
The RADIUS-based security feature lets you set up network access control by using the Remote Authentication Dial-In User Service (RADIUS) security protocol. The RADIUS-based security feature uses the RADIUS protocol to authenticate local console, Telnet, SSH, and Web access login sessions.

You need to set up specific user accounts (user names and passwords, and Service-Type attributes) on your RADIUS server before you can initiate the authentication process. These accounts provide you with appropriate levels of access to the switch.

Set the following username attributes on your RADIUS server:

• Read-write access—set the Service-Type field value to Administrative.

• Read-only access—set the Service-Type field value to NAS-Prompt.

For detailed instructions to set up your RADIUS server, see your RADIUS server documentation.

RADIUS password fallback enhancement
With Release 4.1 software, you can configure RADIUS password fallback as an option when using RADIUS authentication for login and password.

When RADIUS password fallback is enabled and the RADIUS server is unavailable or unreachable, you can use the local switch password to log on to the switch. The fallback applies only while the server cannot be reached; a reachable server that rejects the credentials does not cause the switch to consult the local password.


When RADIUS password fallback is disabled, you must specify the RADIUS username and password at the NetLogin screen. Unless the RADIUS server is configured and reachable, you cannot log on to the switch, because nothing else is available to authenticate the login and password. Since RADIUS authentication also covers the local console, losing reachability to the server with fallback disabled locks out every management login, including the console.

The RADIUS password fallback feature is disabled by default.

You can use the following CLI commands to enable and disable this feature:

• radius-server password fallback

• no radius-server

ATTENTION
The no radius-server CLI command disables the RADIUS fallback feature, along with the remaining RADIUS configuration.
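The login decision described in the last two subsections, carried through as runnable code. This is an added example written for this page, not Nortel code or the switch’s implementation: it models the RADIUS server as an in-memory stub (no UDP is sent), maps the Service-Type in the server’s reply to an access level using the RFC 2865 integer codes (Administrative = 6, NAS-Prompt = 7), and consults the local password only when the server is unreachable and fallback is on. The local usernames RW and RO are the switch defaults named above; the sample passwords, the user table, the `radius_enabled` flag standing in for `no radius-server`, and the decision to deny an unknown Service-Type are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Access(Enum):
    DENIED = "denied"
    READ_ONLY = "ro"
    READ_WRITE = "rw"


# RFC 2865 Service-Type attribute values the switch looks for in an Access-Accept.
SERVICE_TYPE_ADMINISTRATIVE = 6   # read-write management access
SERVICE_TYPE_NAS_PROMPT = 7       # read-only management access


@dataclass
class RadiusReply:
    accept: bool
    service_type: Optional[int] = None


@dataclass
class RadiusServerStub:
    """Stand-in for the RADIUS server: a reachable flag and a user table (constructed)."""
    reachable: bool = True
    users: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (password, service_type)

    def access_request(self, username, password):
        if not self.reachable:
            raise TimeoutError("RADIUS server unreachable")    # no Access-* reply at all
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return RadiusReply(accept=False)                    # Access-Reject
        return RadiusReply(accept=True, service_type=entry[1])  # Access-Accept


@dataclass
class SwitchAuthConfig:
    radius_enabled: bool = True           # assumption: cleared by 'no radius-server'
    password_fallback: bool = False       # 'radius-server password fallback'; off by default
    local_rw_password: str = "secret-rw"  # constructed sample values
    local_ro_password: str = "secret-ro"


def access_for_service_type(service_type):
    """Map the Service-Type in an Access-Accept to a management access level."""
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return Access.READ_WRITE
    if service_type == SERVICE_TYPE_NAS_PROMPT:
        return Access.READ_ONLY
    return Access.DENIED   # assumption: any other Service-Type grants nothing


def local_login(cfg, username, password):
    """Local check against the switch's own accounts (default usernames RW and RO)."""
    if username == "RW" and password == cfg.local_rw_password:
        return Access.READ_WRITE
    if username == "RO" and password == cfg.local_ro_password:
        return Access.READ_ONLY
    return Access.DENIED


def management_login(cfg, server, username, password):
    """Access level granted to one console/Telnet/SSH/Web login attempt."""
    if not cfg.radius_enabled:
        return local_login(cfg, username, password)
    try:
        reply = server.access_request(username, password)
    except TimeoutError:
        # Server unavailable: only the fallback option can let anyone in.
        if cfg.password_fallback:
            return local_login(cfg, username, password)
        return Access.DENIED
    # The server answered, so its verdict is final; fallback is not consulted.
    if not reply.accept:
        return Access.DENIED
    return access_for_service_type(reply.service_type)
```

The order of the checks is the point: a reachable server’s verdict is final, and the local password is tried only after a timeout, and only when fallback is on. Running the model with fallback off and the server down returns DENIED for every credential, which is the lockout the ATTENTION note above warns about.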

MAC address-based security
The MAC address-based security feature lets you set up network access control, based on source MAC addresses of authorized stations.

You can:

• Create a list of up to 448 MAC addresses and specify which addresses are authorized to connect to your switch. The 448 MAC addresses can be configured within a single standalone switch, or they can be distributed in any order among the units in a single stack configuration.

• Specify which of your switch ports each MAC address is allowed to access.

The options for allowed port access include: NONE, ALL, and single or multiple ports that are specified in a list.

• Specify optional actions to be exercised by your switch if the software detects a security violation.

The response can be to send a trap, turn on destination address (DA) filtering, disable a specific port, or any combination of these three options.

The MAC address-based security feature is based on Nortel BaySecure LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion. Because a source MAC address is chosen by the station and can be changed, this feature controls which stations are expected on a jack; it does not authenticate them in the way EAPOL-based security does.
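A model of the three parts of the feature just listed (the 448-entry list, the per-address port access of NONE, ALL or a port list, and the violation response), as an added example written for this page; it is not Nortel code and does not talk to a switch. Port numbers, the frame representation (a port and a source MAC address) and the MAC normalisation rules are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Union

MAX_SECURE_MACS = 448   # limit stated in the text


@dataclass(frozen=True)
class ViolationActions:
    """Any combination of the three responses the text lists."""
    send_trap: bool = True
    da_filtering: bool = False
    disable_port: bool = False


def normalize_mac(mac):
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 001122aabbcc (assumed input forms)."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacSecurityTable:
    actions: ViolationActions = field(default_factory=ViolationActions)
    # mac -> "ALL", "NONE", or a frozenset of port numbers the station may use
    allowed: Dict[str, Union[str, FrozenSet[int]]] = field(default_factory=dict)
    secured_ports: Set[int] = field(default_factory=set)    # ports with security enabled
    disabled_ports: Set[int] = field(default_factory=set)   # ports shut by a violation
    da_filtered: Set[str] = field(default_factory=set)      # MACs dropped as destination
    traps: List[str] = field(default_factory=list)          # trap messages "sent"

    def add_mac(self, mac, ports):
        mac = normalize_mac(mac)
        if mac not in self.allowed and len(self.allowed) >= MAX_SECURE_MACS:
            raise OverflowError(f"MAC security list full ({MAX_SECURE_MACS} entries)")
        if ports in ("ALL", "NONE"):
            self.allowed[mac] = ports
        else:
            self.allowed[mac] = frozenset(int(p) for p in ports)

    def is_allowed(self, mac, port):
        entry = self.allowed.get(normalize_mac(mac))
        if entry is None or entry == "NONE":
            return False
        return entry == "ALL" or port in entry

    def ingress(self, port, src_mac):
        """True if a frame with src_mac arriving on port may be forwarded."""
        if port in self.disabled_ports:
            return False
        if port not in self.secured_ports or self.is_allowed(src_mac, port):
            return True
        self._violation(port, normalize_mac(src_mac))
        return False

    def _violation(self, port, mac):
        if self.actions.send_trap:
            self.traps.append(f"MAC security violation: {mac} on port {port}")
        if self.actions.da_filtering:
            self.da_filtered.add(mac)
        if self.actions.disable_port:
            self.disabled_ports.add(port)

    def egress_allowed(self, dst_mac):
        """DA filtering: frames destined to a MAC that caused a violation are dropped."""
        return normalize_mac(dst_mac) not in self.da_filtered
```

The `ingress` call is what a secured port does for every arriving frame; ports that are not in `secured_ports` forward regardless of the table. With `disable_port` set, the first violation takes the whole port out of service, so on a shared dormitory jack one unknown device also cuts off the authorized station on that jack, which is why the text presents port disabling as an optional rather than a default response.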

EAPOL-based security
The Ethernet Routing Switch 2500 Series provides security on the basis of Extensible Authentication Protocol over LAN (EAPOL), and it uses EAP as specified in IEEE 802.1X so that you can set up network access control over LANs. With EAP, you can authenticate user information through a connection between a client and the switch by using an authentication service such as RADIUS. This security feature works hand-in-hand with the RADIUS-based server and thus provides the advantages of remote authentication to internal LAN clients.

The following example shows how an Ethernet Routing Switch 2500 Series configured with the EAPOL security feature reacts to a new network connection:

• When the switch finds a new connection on one of its ports, the following occurs:

1. The switch asks for the User ID of the new client.

2. The User ID is carried in an EAPOL frame, and the switch passes it on to the RADIUS server.

3. The response from the RADIUS server is to ask for the password of the user.

• Within an EAPOL packet, the new client forwards a password to the switch:

— The EAPOL packet is relayed to the RADIUS server.

— If the RADIUS server validates the password, the new client is allowed to access the switch and the network.

EAPOL-based security uses the following terms:

• Supplicant: the device applying for network access.

• Authenticator: the entity (here, software in the switch) whose main purpose is to authorize the supplicant attached at the other end of the LAN segment.

• Authentication server: a RADIUS server that provides authentication services to an authenticator.

• Port Access Entity (PAE): the entity that operates the EAPOL protocol on a port, on behalf of the Authenticator or of the Supplicant. In the example above, the authenticator PAE is present in the switch.

A Controlled Port is a switch port with EAPOL-based security. The authenticator communicates with the Supplicant through EAP over LAN (EAPOL), which is an encapsulation mechanism.

The authenticator PAE encapsulates the EAP through the RADIUSserver packet and sends it to the authentication server. Theauthenticator server sends the packet in an exchange that occursbetween the supplicant and authentication server. This exchangeoccurs when the EAP message is encapsulated to make it suitable forthe destination of the packet.

The authenticator determines the operational state of the controlled port. The RADIUS server notifies the authenticator PAE of the success or failure of the authentication, which changes the operational state of the controlled port. PAE functions are then available for the port to forward, or else the controlled port state depends on the operational traffic control field in the EAPoL configuration screen. Operational traffic control can be of two types:

• Incoming and Outgoing: on an unauthorized controlled port, the frames received and transmitted are discarded, and the state of the port is blocked.

• Incoming: although the frames received on an unauthorized port are discarded, the transmit frames are forwarded through the port.

EAPoL with Guest VLAN

Basic EAP (802.1x) Authentication supports Port Based User Access. At any time, only one user (MAC) can be authenticated on a port, and the port can be assigned to only one Port-based VLAN. Only the MAC address of the device/user that completed the EAP negotiations on the port has access to that port for traffic. Ingress packets are tagged with the PVID of that port. This remains the default configuration.

With Software Release 4.1, EAP also allows Guest VLANs to be configured for access to that port. Any active VLAN can be made a Guest VLAN.

EAPOL Security Configuration

EAPOL security lets you selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server.

ATTENTION
Before you enable EAPOL, you must configure your Primary RADIUS Server and RADIUS Shared Secret. You also need to set up specific user accounts on your RADIUS server:

• User names

• Passwords

• VLAN IDs

• Port priority

You can set up these parameters directly on your RADIUS server. For detailed instructions about configuring your RADIUS server, see your RADIUS server documentation.

ATTENTION
Do not enable EAPOL security on the switch port that is connected to the RADIUS server.

Password security

The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch and stack passwords. With password security enabled, the following enhanced security features are applied:

Password length and valid characters

Valid passwords must be between 10 and 15 characters long. The password must contain a minimum of the following:

• two lower-case letters

• two capital letters

• two numbers

• two special symbols, such as !@#$%^&*()

The password is case sensitive.

Password retry

If the user fails to provide the correct password after a number of consecutive attempts, the switch resets the logon process. The number of failed logon attempts is configurable and the default is three.

Password history

The switch keeps a history of the last three passwords. You cannot reuse a password stored in history. When you set the password for the fourth time, you can reuse the password that you used the first time.

Password display

The password is not displayed as clear text. Each character of the password is substituted with an asterisk (*).

Password verification

When you provide a new password, you must retype the password to confirm it. If the two passwords do not match, the password update process fails. In this case, you must try to update the password once again. There is no limit on the number of times you are allowed to update the password.

Password aging time

Passwords expire after a specified aging period. The aging period is configurable, with a range of 1 day to approximately 7.5 years (2730 days). The default is 180 days. When a password has aged out, the user is prompted to create a new password. Only users with a valid RW password can create a new RW or RO password.

Read-Only and Read-Write passwords must be different

The RO and RW passwords cannot be the same.
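The following Python checker, added here as an illustration and not taken from the Nortel manual, models the rules described in this section (length, character classes, retyped confirmation, distinct RO and RW passwords, and the logon retry counter) so that an administrator can test a candidate password offline. The exact special-symbol set and the behaviour of the counter after a reset are assumptions; password history and aging are not modelled.

```python
"""Offline checker for the ERS 2500 password security rules.

Added illustration, not Nortel code; it does not talk to a switch. It models
the documented rules: 10 to 15 characters, at least two each of lower-case
letters, capital letters, numbers and special symbols, an exact retyped
confirmation, distinct RO and RW passwords, and a retry counter that resets
the logon process after a configurable number of consecutive failures
(default three).
"""
from typing import List, Optional

MIN_LEN, MAX_LEN = 10, 15
# The manual lists these symbols as examples; the full set the switch accepts
# is not stated, so treating exactly these as "special" is an assumption.
SPECIAL_SYMBOLS = set("!@#$%^&*()")


def password_violations(password: str) -> List[str]:
    """Return every length or character-class rule the candidate breaks.

    An empty list means the password satisfies the complexity rules.
    Comparisons are on the raw string, so the check is case sensitive."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(
            f"length must be {MIN_LEN}-{MAX_LEN} characters (got {len(password)})")
    required = {
        "lower-case letters": sum(ch.islower() for ch in password),
        "capital letters": sum(ch.isupper() for ch in password),
        "numbers": sum(ch.isdigit() for ch in password),
        "special symbols": sum(ch in SPECIAL_SYMBOLS for ch in password),
    }
    for name, count in required.items():
        if count < 2:
            violations.append(f"at least two {name} required (got {count})")
    return violations


def change_password(role: str, new: str, confirm: str,
                    current_ro: Optional[str], current_rw: Optional[str]) -> List[str]:
    """Apply the checks made when a new RO or RW password is set.

    Returns the reasons the update fails; an empty list means it is accepted."""
    if role not in ("ro", "rw"):
        raise ValueError("role must be 'ro' or 'rw'")
    reasons = password_violations(new)
    if new != confirm:
        # Password verification: the retyped password must match exactly.
        reasons.append("verification failed: the two passwords do not match")
    other = current_rw if role == "ro" else current_ro
    if other is not None and new == other:
        reasons.append("RO and RW passwords must be different")
    return reasons


class LogonSession:
    """Password retry rule: after `retry` consecutive failures the switch
    resets the logon process, which this model takes to clear the counter."""

    def __init__(self, expected: str, retry: int = 3):
        self.expected = expected
        self.retry = retry
        self.failures = 0

    def attempt(self, password: str) -> str:
        """Return 'accepted', 'rejected', or 'reset' for one logon attempt."""
        if password == self.expected:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.retry:
            self.failures = 0          # logon process reset
            return "reset"
        return "rejected"
```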

Applicable passwords

The password security feature applies these enhanced features to the following passwords:

• Switch RO password

• Switch RW password

• Stack RO password

• Stack RW password

The password security feature applies only the display and verification restrictions to the following passwords:

• RADIUS Shared Secret

• Read-Only community string

• Read-Write community string

Enabling and disabling password security

Password security can only be enabled or disabled from the CLI. When password security is enabled, the following occurs:

• Current passwords remain unchanged if they meet the required specifications. If they do not meet the required specifications, the user is prompted to change them to valid passwords.

• An empty password history bank is established.

• Password verification is enabled.

When password security is disabled, the following occurs:

• Current passwords remain valid.

• Password history bank is removed.

• Password verification is disabled.

ATTENTION
By default, password security is disabled for the non-SSH software image and enabled for the SSH software image.

Default passwords

For the standard software image, the default password for RO is "user" and "secure" for RW.

For the secure software image, the default password for RO is "userpasswd" and "securepasswd" for RW.

HTTP port number change

With this feature, you can define the UDP or TCP port number used for HTTP connections to the switch.

This feature provides enhanced security and network access. Port number 80 is the default port for communication between the Web client and the server. With this feature, you can modify the HTTP port while the switch is running. The HTTP port value is saved in NVRAM, and also is saved across reboots of the switch.

For more information, see "Changing the http port number" (page 43).

Simple Network Management Protocol

The Nortel Ethernet Routing Switch 2500 Series supports Simple Network Management Protocol (SNMP).

SNMP is traditionally used to monitor Unix systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases. Any device that runs software that can retrieve SNMP information can be monitored.

You can also use SNMP to change the state of SNMP-based devices. For example, you can use SNMP to shut down an interface on your device.

SNMP Version 1 (SNMPv1)

SNMP Version 1 (SNMPv1) is a historic version of the SNMP protocol. It is defined in RFC 1157 and is an Internet Engineering Task Force (IETF) standard.

SNMPv1 security is based on communities, which are nothing more than passwords: plain-text strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.

SNMP Version 2 (SNMPv2)

SNMP Version 2 (SNMPv2) is another historic version of SNMP and is often referred to as community string-based SNMPv2. This version of SNMP is technically called SNMPv2c. It is defined in RFC 1905, RFC 1906, and RFC 1907.

SNMP Version 3 (SNMPv3)

SNMP Version 3 (SNMPv3) is the current formal SNMP standard defined in RFCs 3410 through 3419, and in RFC 3584. It provides support for strong authentication and private communication between managed entities.

Nortel Ethernet Routing Switch 2500 Series support for SNMP

The SNMP agent in the Nortel Ethernet Routing Switch 2500 Series supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.

SNMPv3 support in the Nortel Ethernet Routing Switch 2500 Series introduces industrial-grade user authentication and message security. This includes MD5- and SHA-based user authentication and message integrity verification, as well as AES, DES, and 3DES-based privacy encryption.

With the Nortel Ethernet Routing Switch 2500 Series you can configure SNMPv3 by using the Device Manager, Web-based management, or the CLI.

SNMP MIB support

The Nortel Ethernet Routing Switch 2500 Series supports an SNMP agent with industry-standard Management Information Bases (MIB), as well as private MIB extensions, which ensures compatibility with existing network management tools.

The IETF standard MIBs supported on the switch include MIB-II (originally published as RFC 1213, then split into separate MIBs as described in RFCs 4293, 4022, and 4113), Bridge MIB (RFC 4188), and the RMON MIB (RFC 2819), which provides access to detailed management statistics.

SNMP trap support

With SNMP management, you can configure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in port operating status.

The Nortel Ethernet Routing Switch 2500 Series supports both industry-standard SNMP traps and private Nortel enterprise traps.

Advanced EAPOL features

EAPOL supports the following advanced features:

• Multihost (MH) support:

— Multiple Host with Multiple Authentication (MHMA) (see Multiple Host with Multiple Authentication)

— Non-EAP hosts on EAP-enabled ports (see Non-EAP hosts on EAP-enabled ports)

— Multiple Host with Single Authentication (MHSA) (see Multiple Host with Single Authentication)

Multiple Host with Multiple Authentication

For an EAP-enabled port configured for Multiple Host with Multiple Authentication (MHMA), a finite number of EAP users or devices with unique MAC addresses are allowed on the port.

Each user must complete EAP authentication before the port allows traffic from the corresponding MAC address. Only traffic from the authorized hosts is allowed on that port.

Radius-assigned VLAN values are allowed in the MHMA mode. For information about Radius-assigned VLANs in the MHMA mode, see Radius-assigned VLAN use in MHMA mode.

MHMA support is on a per-port basis for an EAP-enabled port.

The following are some of the concepts associated with MHMA:

• Logical and physical ports

Each unique port and MAC address combination is treated as a logical port. MAX_MAC_PER_PORT defines the maximum number of MAC addresses that can perform EAP authentication on a port at any given time. Each logical port is treated as if it is in the SHSA mode.

• Indexing for MIBs

Logical ports are indexed by a port and source MAC address (src-mac) combination. Enterprise-specific MIBs are defined for state machine-related MIB information for individual MACs.

• Transmitting EAPOL packets

Only unicast packets are sent to a specific port so that the packets reach the correct destination.

• Receiving EAPOL packets

The EAPOL packets are directed to the correct logical port for state machine action.

• Traffic on an authorized port

Only a set of authorized MAC addresses is allowed access to a port.

MHMA support for EAP clients includes the following features:

• A port remains on the Guest VLAN when no authenticated hosts exist on it. Until the first authenticated host, both EAP and non-EAP clients are allowed on the port.

• After the first successful authentication, only EAPOL packets and data from the authenticated MAC addresses are allowed on a particular port.

• Only a predefined number of authenticated MAC users are allowed on a port.

• When RADIUS VLAN assignment is disabled for ports in MHMA mode, only the preconfigured VLAN assignment for the port is used. Upon successful authentication, untagged traffic is put in a VLAN configured for the port.

• When RADIUS VLAN assignment is enabled for ports in MHMA mode, upon successful RADIUS authentication, the port gets a VLAN value in a RADIUS Attribute with EAP success. The port is added and the PVID is set to the first such VLAN value from the RADIUS server.

• Configuration of timer parameters is per physical port, not per user session. However, the timers are used by the individual sessions on the port.

• Reauthenticate Now, when enabled, causes all sessions on the port to reauthenticate.

• Reauthentication timers are used to determine when a MAC is disconnected so as to enable another MAC to log in to the port.

• Configuration settings are saved across resets.

Radius-assigned VLAN use in MHMA mode

Radius-assigned VLAN use in the MHMA mode is allowed to give you greater flexibility and more centralized assignment than previously existed. This feature is also useful in an IP Phone setup, where the phone traffic can be directed to the Voice over IP (VoIP) VLAN and the PC data traffic can be directed to the assigned VLAN. When Radius-assigned VLAN values are allowed, the port behaves as follows: the first authenticated EAP MAC address may not have a Radius-assigned VLAN value. At this point, the port is moved to a configured VLAN. A later authenticated EAP MAC address (for instance, the third one on the port) can get a Radius-assigned VLAN value. This port is then added, and the port VLAN ID (PVID) is set to the first such VLAN value from the Radius server. The VLAN remains the same irrespective of which MAC leaves, and a change in the VLAN takes place only when there are no authenticated hosts on the port.

This enhancement works in a very similar manner to the already existing Radius-assigned VLANs feature in SHSA mode. It is basically an extension of that feature which gives the user the ability to move a port to a specific VLAN, even if that switch port operates in EAP MHMA mode.

The only restriction of this enhancement is that if you have multiple EAP clients authenticating on a given switch port (as you normally can in MHMA mode), each one configured with a different VLAN ID on the Radius server, the switch moves the port to the VLAN of the first authenticated client. In this way, a permanent bounce of the switch port between different VLANs is avoided.

Following are the steps to enable the enhancement:

• Enable Radius assigned VLANs in Global Configuration commandmode:

2526T(config)#eapol multihost use-radius-assigned-vlan

• Enable Radius assigned VLANs in interface mode for switch port 1:

2526T(config-if)#eapol multihost port 1 use-radius-assigned-vlan

By default, the Radius-assigned VLANs in MHMA enhancement is disabled in global config and interface modes, for all switch ports.
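To make the PVID behaviour described in this section concrete, here is an added Python model (not Nortel code) of an MHMA port with Radius-assigned VLANs. It takes the outcome of each EAP/RADIUS exchange as input rather than performing it; its fallback to the configured VLAN once the last authenticated host leaves, and the MAC normalization, are assumptions of the model.

```python
"""Model of Radius-assigned VLAN handling on an EAP port in MHMA mode.

Added illustration, not Nortel code. The caller reports each successful EAP
authentication with the VLAN value the RADIUS server returned (None when the
Accept carried no VLAN attribute). The PVID follows the first authenticated
client that brings a RADIUS VLAN, does not move when any client leaves, and is
re-evaluated only once no authenticated hosts remain.
"""
from typing import Dict, Optional


class MhmaPort:
    def __init__(self, configured_vlan: int, max_mac_per_port: int,
                 use_radius_assigned_vlan: bool = True):
        self.configured_vlan = configured_vlan
        self.max_mac_per_port = max_mac_per_port      # MAX_MAC_PER_PORT in the text
        self.use_radius_assigned_vlan = use_radius_assigned_vlan
        self.pvid = configured_vlan
        self.radius_vlan: Optional[int] = None        # first RADIUS VLAN applied to the port
        self.sessions: Dict[str, Optional[int]] = {}  # authenticated MAC -> VLAN it was given

    @staticmethod
    def _key(mac: str) -> str:
        """Normalize '00:00:..' / '00-00-..' / '00 00 ..' to 12 lowercase hex digits."""
        return mac.replace(":", "").replace("-", "").replace(" ", "").lower()

    def authenticate(self, mac: str, radius_vlan: Optional[int] = None) -> bool:
        """Record an EAP success for `mac`.

        Returns False when the port already holds MAX_MAC_PER_PORT
        authenticated MACs, so the new logical port is refused."""
        key = self._key(mac)
        if key not in self.sessions and len(self.sessions) >= self.max_mac_per_port:
            return False
        self.sessions[key] = radius_vlan
        # Only the first RADIUS-assigned VLAN seen while hosts are authenticated
        # moves the port; later, different values are ignored, so the port does
        # not bounce between VLANs.
        if (self.use_radius_assigned_vlan and radius_vlan is not None
                and self.radius_vlan is None):
            self.radius_vlan = radius_vlan
            self.pvid = radius_vlan
        return True

    def logoff(self, mac: str) -> None:
        """A MAC leaving does not change the VLAN; the port is re-evaluated
        only when no authenticated hosts remain (assumed: back to configured)."""
        self.sessions.pop(self._key(mac), None)
        if not self.sessions:
            self.radius_vlan = None
            self.pvid = self.configured_vlan

    def forwards(self, mac: str) -> bool:
        """Only traffic from authenticated MACs is allowed on the port."""
        return self._key(mac) in self.sessions
```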

Non-EAP hosts on EAP-enabled ports

For an EAPOL-enabled port configured for non-EAPOL host support, a finite number of non-EAPOL users or devices with unique MAC addresses are allowed access to the port.

The following types of non-EAPOL users are allowed:

• Hosts that match entries in a local list of allowed MAC addresses. You can specify the allowed MAC addresses when you configure the port to allow non-EAPOL access. These hosts are allowed on the port without authentication.

• Non-EAPOL hosts whose MAC addresses are authenticated by RADIUS.

• Nortel IP Phones.

Support for non-EAPOL hosts on EAPOL-enabled ports is primarily intended to accommodate printers and other dumb devices sharing a hub with EAPOL clients.

Support for non-EAPOL hosts on EAPOL-enabled ports includes the following features:

• EAPOL and authenticated non-EAPOL clients are allowed on the port at the same time. Authenticated non-EAPOL clients are hosts that satisfy one of the following criteria:

— Host MAC address matches an entry in an allowed list preconfigured for the port.

— Host MAC address is authenticated by RADIUS.

• Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts exist on the port.

• When a new host is seen on the port, non-EAPOL authentication is performed as follows:

— If the MAC address matches an entry in the preconfigured allowed MAC list, the host is allowed.

— If the MAC address does not match an entry in the preconfigured allowed MAC list, the switch generates a <username, password> pair, which it forwards to the network RADIUS server for authentication. For more information about the generated credentials, see "Non-EAPOL MAC RADIUS authentication" (page 32).

If the MAC address is authenticated by RADIUS, the host is allowed.

— If the MAC address does not match an entry in the preconfigured allowed MAC list and also fails RADIUS authentication, the host is counted as an intruder. Data packets from that MAC address are dropped.

EAPOL authentication is not affected.

• For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged traffic is put in the VLAN preconfigured for the port; that is, it follows the PVID of the port.

• Non-EAPOL hosts continue to be allowed on the port until the maximum number of non-EAPOL hosts is reached. The maximum number of non-EAPOL hosts allowed is configurable.

• After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped. The additional non-EAPOL hosts are counted as intruders. New EAPOL hosts can continue to negotiate EAPOL authentication.

• When the intruder count reaches 32, an SNMP trap and system log message are generated. The port administrative status is set to force-unauthorized, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL and non-EAPOL negotiations on the port.

• The feature uses enterprise-specific MIBs.

• Configuration settings are saved across resets.
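The admission and intruder-lockout rules listed above, as an added Python model that is not Nortel code. The `radius_accepts` callback stands in for the RADIUS server (it receives the normalized MAC and answers whether the generated credentials were accepted); counting each intruder MAC once and clearing the count when the administrator resets the port to auto are assumptions of the model.

```python
"""Model of non-EAPOL host admission on an EAPOL-enabled ERS 2500 port.

Added illustration, not Nortel code. Order of checks per newly seen host:
port locked -> already admitted -> maximum non-EAPOL hosts reached (intruder)
-> local allowed list -> RADIUS MAC authentication -> otherwise intruder.
When the intruder count reaches 32 the port is set to force-unauthorized and
an SNMP trap plus system log message are recorded (here as strings).
"""
from typing import Callable, List, Set

INTRUDER_LOCK_THRESHOLD = 32   # stated on the page


def normalize_mac(mac: str) -> str:
    """12 lowercase hex digits, the same form the switch uses as the username."""
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class NonEapPort:
    def __init__(self, allowed_macs: Set[str], max_non_eap_hosts: int,
                 radius_accepts: Callable[[str], bool]):
        self.allowed_macs = {normalize_mac(m) for m in allowed_macs}
        self.max_non_eap_hosts = max_non_eap_hosts
        self.radius_accepts = radius_accepts
        self.admin_status = "auto"
        self.authorized: Set[str] = set()   # admitted non-EAPOL hosts
        self.intruders: Set[str] = set()    # assumption: each intruder MAC counted once
        self.events: List[str] = []         # stand-ins for SNMP trap / syslog output

    def new_host(self, mac: str) -> str:
        """Decide what happens to a newly seen non-EAPOL host; returns the outcome."""
        key = normalize_mac(mac)
        if self.admin_status == "force-unauthorized":
            return "dropped-port-locked"
        if key in self.authorized:
            return "already-allowed"
        if len(self.authorized) >= self.max_non_eap_hosts:
            return self._intruder(key, "max-hosts-reached")
        if key in self.allowed_macs:
            self.authorized.add(key)            # local list: no authentication
            return "allowed-local-list"
        if self.radius_accepts(key):
            self.authorized.add(key)            # RADIUS accepted the MAC credentials
            return "allowed-radius"
        return self._intruder(key, "radius-rejected")

    def _intruder(self, key: str, why: str) -> str:
        self.intruders.add(key)
        if len(self.intruders) >= INTRUDER_LOCK_THRESHOLD:
            self.events.append(f"TRAP+LOG: intruder count {len(self.intruders)}, "
                               "port administrative status set to force-unauthorized")
            self.admin_status = "force-unauthorized"
        return f"dropped-intruder-{why}"

    def reset_admin_status(self) -> None:
        """Operator action: force-unauthorized -> auto re-enables negotiations.
        Clearing the intruder count here is an assumption of this model."""
        self.admin_status = "auto"
        self.intruders.clear()
```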

ATTENTION
Guest VLAN and non-EAPOL host support on a port are mutually exclusive. If you have configured a port to support Guest VLAN, you cannot enable support for non-EAPOL hosts on that port. Similarly, if you have configured an EAPOL-enabled port to support non-EAPOL hosts, you cannot enable Guest VLAN on that port. Also, you cannot enable non-EAPOL support on uplink or call server ports.

For information about configuring non-EAPOL host support, see Configuring support for non-EAPOL hosts on EAPOL-enabled ports.

Non-EAPOL MAC RADIUS authentication

For RADIUS authentication of a non-EAPOL host MAC address, the switch generates a <username, password> pair as follows:

• The username is the non-EAPOL MAC address in string format.

• The password is a string that combines the MAC address, switch IP address, unit, and port.

ATTENTION
Use only lowercase letters for usernames and passwords configured on the Radius server.

The following global configuration examples show how to select a password format that combines one or more of these three elements:

password = 010010011253..0305 (when the switch IP address, unit and port are used).

password = 010010011253.. (when only the switch IP address is used).

The following example illustrates the <username, password> pair format:

switch IP address = 10.10.11.253
non-EAP host MAC address = 00 C0 C1 C2 C3 C4
unit = 3
port = 25

• username = 00c0c1c2c3c4

• password = 010010011253.00c0c1c2c3c4.0325
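As an added example (not code from the manual), the following Python reproduces the credential format above so that the RADIUS entries for non-EAPOL hosts can be computed before they are provisioned. The page shows the IP-only and IP+unit/port forms with the unused field left empty between the dots; applying that same three-field layout to every other combination of the elements is an assumption of this code.

```python
"""Generate the <username, password> pair the ERS 2500 sends to RADIUS for a
non-EAPOL host, following the documented format.

Added illustration, not Nortel code. The password is three dot-separated
fields: switch IP (each octet zero-padded to 3 digits), MAC (12 lowercase hex
digits) and unit/port (2 digits each); a field that is not selected is empty.
"""
import ipaddress
import re
from typing import Tuple


def mac_element(mac: str) -> str:
    """MAC as 12 lowercase hex digits: '00 C0 C1 C2 C3 C4' -> '00c0c1c2c3c4'.

    Accepts space-, colon-, hyphen- and dot-separated input; output is
    lowercase, as the RADIUS entries must be."""
    digits = re.sub(r"[\s:.-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def ip_element(ip: str) -> str:
    """Each octet zero-padded to three digits: 10.10.11.253 -> 010010011253."""
    return "".join(f"{octet:03d}" for octet in ipaddress.IPv4Address(ip).packed)


def unit_port_element(unit: int, port: int) -> str:
    """Unit and port, two digits each: unit 3, port 25 -> 0325."""
    if not (0 <= unit <= 99 and 0 <= port <= 99):
        raise ValueError("unit and port must each fit in two digits")
    return f"{unit:02d}{port:02d}"


def radius_credentials(mac: str, switch_ip: str, unit: int, port: int, *,
                       use_ip: bool = True, use_mac: bool = True,
                       use_unit_port: bool = True) -> Tuple[str, str]:
    """Return (username, password) as the switch generates them.

    The use_* flags select which elements the configured password format
    includes; an unselected element leaves its field empty."""
    username = mac_element(mac)
    fields = [
        ip_element(switch_ip) if use_ip else "",
        username if use_mac else "",
        unit_port_element(unit, port) if use_unit_port else "",
    ]
    return username, ".".join(fields)
```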

Multiple Host with Single Authentication

Multiple Host with Single Authentication (MHSA) is a more restrictive implementation of support for non-EAPOL hosts on EAPOL-enabled ports.

For an EAPOL-enabled port configured for MHSA, one EAPOL user must successfully authenticate before a finite number of non-EAPOL users or devices with unique MAC addresses are allowed to access the port without authentication.

The MHSA feature is intended primarily to accommodate printers and other dumb devices sharing a hub with EAPOL clients.

MHSA support is on a per-port basis for an EAPOL-enabled port.

MHSA support for non-EAPOL hosts includes the following features:

• The port remains unauthorized when no authenticated hosts exist on it. Before the first successful authentication occurs, both EAPOL and non-EAPOL clients are allowed on the port to negotiate access, but at any time, only one host can negotiate EAPOL authentication.

• After the first EAPOL client successfully authenticates, EAPOL packets and data from that client are allowed on the port. No other clients are allowed to negotiate EAPOL authentication. The port is set to preconfigured VLAN assignments and priority values or to values obtained from RADIUS for the authenticated user.

• After the first successful authentication, any new hosts, up to a configured maximum number, are automatically allowed on the port, without authentication.

• After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped. The additional non-EAPOL hosts are counted as intruders.

• When the intruder count reaches 32, an SNMP trap and system log message are generated. The port administrative status is set to force-unauthorized, and you must reset the port administrative status (from force-unauthorized to auto) to allow new EAPOL negotiations on the port.

• If the EAPOL-authenticated user logs off, the port returns to an unauthorized state and non-EAPOL hosts are not allowed.

• This feature uses enterprise-specific MIBs.

The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value configured for a port is 2. This translates to around 200 for a box and 800 for a stack.

Configuring Security using the CLI

This chapter describes the security commands available with the CLI. This chapter covers the following topics:

• "Securing your system" (page 35)

• "Securing your network" (page 80)

Securing your system

You can secure your system using the following CLI commands:

• "Setting the username and password" (page 35)

• "Configuring the IP manager list" (page 39)

• "Changing the http port number" (page 43)

• "Setting Telnet access" (page 44)

• "Configuring Secure Shell (SSH)" (page 48)

• "Setting server for Web-based management" (page 55)

• "Configuring the RADIUS-based management password authentication" (page 56)

• "Setting SNMP parameters" (page 58)

Setting the username and password

This section contains information about the following topics:

• "username command" (page 35)

• "cli password command" (page 36)

username command

The username command sets the system username and password for access through the serial console port, Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch. The parameters are set for the standalone or stack environment depending on the current operational mode.

The syntax for the username command is:

username <username> <password> [ro|rw]

The username command is executed in the Global Configuration command mode.

Table 1 "username command parameters and variables" (page 36) describes the parameters and variables for the username command.

Table 1
username command parameters and variables

Parameters and variables    Description

<username> <password>       Enter your username for the first variable, and your
                            password for the second variable.
                            The default username values are RO for read-only
                            access and RW for read/write access.

ro|rw                       Specifies that you are modifying the read-only (ro)
                            username or the read-write (rw) username.
                            The ro/rw variable is optional. If it is omitted, the
                            command applies to the read-only mode.

ATTENTION
After you configure the username and password with the username command, if you then update the password using the cli password command (or through Web-based management), the new password is set, but the username is unchanged.

cli password command

You can set passwords using the cli password command for selected types of access using the CLI, Telnet, or RADIUS security.

The CLI password is in two forms and performs the following functions for the switch:

• changes the password for access through the serial console port or Telnet and Web-based management

• specifies changing the password for the serial console port, or Telnet and Web-based management access, and whether to authenticate the password locally or with the RADIUS server

The syntax for the cli password commands is:

cli password {read-only|read-write} <NAME> <PASSWORD>

cli password {serial|telnet} {none|local|radius}

The cli password command is executed in the Global Configuration command mode.

Table 2
cli password command parameters and variables

Parameters and variables    Description

read-only|read-write        Specifies that you are modifying the read-only (ro)
                            password or the read-write (rw) password.

<NAME> <PASSWORD>           Enter your username for the first variable, and your
                            password for the second variable.

serial|telnet               Specifies that you are modifying the password for
                            serial console access or for Telnet and Web-based
                            management access.

none|local|radius           Specifies the password that you are modifying:
                            none    disables the password
                            local   use the locally defined password for serial
                                    console or Telnet access
                            radius  use RADIUS authentication for serial console
                                    or Telnet access

Setting password security

The following commands can be used in the Global Configuration command mode to enable, disable and configure Password Security:

• "password security command" (page 38)

• "no password security command" (page 38)

• "show password security command" (page 38)

• "password aging-time day command" (page 38)

• "show password aging-time day command" (page 39)

• "Configuring the number of password logon attempts" (page 39)

password security command

The password security command enables password security on the switch.

The syntax for the command is:

password security

The password security command has no parameters or variables.

no password security command

The no password security command disables password security on the switch.

The syntax for the command is:

no password security

The no password security command has no parameters or variables.

show password security command

The show password security command displays the current status of password security on the switch.

The syntax for the command is:

show password security

The following shows a sample output for this command:

2550T (config)#show password security
Password security is enabled

The show password security command has no parameters or variables.

password aging-time day command

The password aging-time day command sets the password aging time. Password security must be enabled for the command to be available.

The syntax of the command is:

password aging-time <aging-value>

where <aging-value> is between 0 and 2730. A value of 0 causes the password to age out immediately.

If a new aging time is set from the CLI, the password aging counters are not reset.

show password aging-time day command
The show password aging-time command shows the configured password aging time.

The syntax of the command is:

show password aging-time

The following shows a sample output for this command:

2550T (config)#show password aging-time
Aging time: 100 days

Configuring the number of password logon attempts
The telnet-access retry command configures the number of times a user can attempt a password.

The syntax of the command is:

telnet-access retry <number>

where <number> is an integer in the range 1-100 that specifies the allowed number of failed logon attempts. The default is 3.

If a new aging time is set from the CLI, the password aging counters are not reset.

Configuring the IP manager list
When enabled, the IP manager list determines which source IP addresses are allowed access to the switch. No other source IP addresses have access to the switch. You configure the IP manager list by using the following commands:

• "show ipmgr command" (page 39)

• "ipmgr command for management system" (page 40)

• "no ipmgr command for management system" (page 41)

• "ipmgr command for source IP address" (page 42)

• "no ipmgr command for source IP address" (page 42)

show ipmgr command
The show ipmgr command displays whether Telnet, SNMP, and Web access are enabled; whether the IP manager list is used to control access to Telnet, SNMP, and the Web-based management system; and the current IP manager list configuration. The syntax for the show ipmgr command is:

show ipmgr


The show ipmgr command is executed in the Privileged EXEC command mode.

The show ipmgr command has no parameters or variables.

Figure 2 "show ipmgr command output" (page 40) displays sample output from the show ipmgr command.

Figure 2: show ipmgr command output

ipmgr command for management system
The ipmgr command for the management systems enables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the ipmgr command for the management systems is:

ipmgr {telnet|snmp|web} [source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]

The ipmgr command for the management systems is executed in the Global Configuration command mode.

Table 3 "ipmgr command for system management parameters and variables" (page 40) describes the parameters and variables for the ipmgr command.

Table 3: ipmgr command for system management parameters and variables

telnet|snmp|web
    Enables IP manager list checking for access to various management systems:
    • telnet — provides list access using Telnet access
    • snmp — provides list access using SNMP, including the Device Manager
    • web — provides list access using the Web-based management system

source-ip <1-10> <XXX.XXX.XXX.XXX>
    Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.

[mask <XXX.XXX.XXX.XXX>]
    Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.

no ipmgr command for management system
The no ipmgr command disables the IP manager list for Telnet, SNMP, or HTTP access. The syntax for the no ipmgr command for the management systems is:

no ipmgr {telnet|snmp|web}

The no ipmgr command is executed in the Global Configuration command mode.

Table 4 "no ipmgr command for management system" (page 41) describes the parameters and variables for the no ipmgr command.

Table 4: no ipmgr command for management system

telnet|snmp|web
    Disables IP manager list checking for access to various management systems:
    • telnet — disables list check for Telnet access
    • snmp — disables list check for SNMP, including the Device Manager
    • web — disables list check for the Web-based management system


ipmgr command for source IP address
You can use the ipmgr command for source IP addresses to enter the source IP addresses or address ranges for which you want to provide access to the switch. The syntax for the ipmgr command for source IP addresses is:

ipmgr {source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]}

The ipmgr command for the source IP addresses is executed in the Global Configuration command mode.

Table 5 "ipmgr command for source IP addresses parameters and variables" (page 42) describes the parameters and variables for the ipmgr command for the source IP addresses.

Table 5: ipmgr command for source IP addresses parameters and variables

source-ip <1-10> <XXX.XXX.XXX.XXX>
    Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.

[mask <XXX.XXX.XXX.XXX>]
    Specifies the subnet mask from which access is allowed; enter the IP mask in dotted-decimal notation.

no ipmgr command for source IP address
The no ipmgr command for source IP addresses disables access for specified source IP addresses or address ranges, and denies them access to the switch. The syntax for the no ipmgr command for source IP addresses is:

no ipmgr {source-ip [<1-10>]}

The no ipmgr command for the source IP addresses is executed in the Global Configuration command mode.

Table 6 "no ipmgr command for source IP addresses parameters and variables" (page 43) describes the parameters and variables for the no ipmgr command for the source IP addresses.


Table 6: no ipmgr command for source IP addresses parameters and variables

source-ip [<1-10>]
    When you specify an option, this command sets the IP address and mask for the specified entry to 255.255.255.255 and 255.255.255.255.

    When you omit the optional parameter, the list is reset to the factory defaults.

Changing the http port number
This feature provides enhanced security and network access. The default HTTP port typically used to communicate between the Web client and the server is the well-known port 80. With this feature, you can change the HTTP port.

You can configure this feature by using the following commands:

• "show http-port command" (page 43)

• "http-port command" (page 44)

• "default http-port" (page 44)

show http-port command
The show http-port command displays the port number of the HTTP port. The syntax for the show http-port command is:

show http-port

The show http-port command is executed in the Privileged EXEC command mode.

The show http-port command has no parameters or variables.

Figure 3 "show http-port command output" (page 43) displays sample output from the show http-port command.

Figure 3: show http-port command output


http-port command
The http-port command sets the port number for the HTTP port. The syntax for the http-port command is:

http-port <1024-65535>

The http-port command is executed in the Global Configuration command mode.

Table 7 "http-port command parameters and variables" (page 44) describes the parameters and variables for the http-port command.

Table 7: http-port command parameters and variables

<1024-65535>
    Enter the port number you want to be the HTTP port.

    ATTENTION
    To set the HTTP port to 80, use the default http-port command.

    The default value for this parameter is port 80.

default http-port
The default http-port command sets the port number for the HTTP port to the default value of 80. The syntax for the default http-port command is:

default http-port

The default http-port command is executed in the Global Configuration command mode.

The default http-port command has no parameters or variables.

Setting Telnet access
You can also access CLI through a Telnet session. To access CLI remotely, the management port must have an assigned IP address and remote access must be enabled. You can log on to the switch using Telnet from a terminal that has access to the Ethernet Routing Switch 2500 Series.

To open a Telnet session from Device Manager, click on the Telnet icon on the tool bar (Figure 4 "Telnet icon on Device Manager toolbar" (page 45)) or click Action > Telnet on the Device Manager tool bar.


Figure 4: Telnet icon on Device Manager toolbar

ATTENTION
Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of five users on the switch. All users can configure simultaneously.

You can view the Telnet allowed IP addresses and settings, change the settings, or disable the Telnet connection. This section covers the following topics:

• "show telnet-access command" (page 45)

• "telnet-access command" (page 46)

• "no telnet-access command" (page 47)

• "default telnet-access command" (page 48)

show telnet-access command
The show telnet-access command displays the current settings for Telnet access. The syntax for the show telnet-access command is:

show telnet-access

The show telnet-access command is executed in the Privileged EXEC command mode.

The show telnet-access command has no parameters or variables.

Figure 5 "show telnet-access command output" (page 46) displays sample output from the show telnet-access command.


Figure 5: show telnet-access command output

telnet-access command
With the telnet-access command, you can configure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is:

telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access|failures|all}] [source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]

The telnet-access command is executed in the Global Configuration command mode.

Table 8 "telnet-access command parameters and variables" (page 46) describes the parameters and variables for the telnet-access command.

Table 8: telnet-access command parameters and variables

enable|disable
    Enables or disables Telnet connections.

login-timeout <1-10>
    Specifies the time in minutes that you want to wait between an initial Telnet connection and acceptance of a password before closing the Telnet connection; enter an integer between 1 and 10.

retry <1-100>
    Specifies the number of times that the user can enter an incorrect password before closing the connection; enter an integer between 1 and 100.

inactive-timeout <0-60>
    Specifies in minutes how long to wait before closing an inactive session; enter an integer between 0 and 60.

logging {none|access|failures|all}
    Specifies what types of events you want to save in the event log:
    • all — Save all access events in the log:
      — Telnet connect — indicates the IP address and access mode of a Telnet session.
      — Telnet disconnect — indicates the IP address of the remote host and the access mode, due to either a log off or inactivity.
      — Failed Telnet connection attempts — indicates the IP address of the remote host that is not on the list of allowed addresses, or indicates the IP address of the remote host that did not supply the correct password.
    • none — No Telnet events are saved in the event log.
    • access — Connect and disconnect events are saved in the event log.
    • failures — Only failed Telnet connection attempts are saved in the event log.

[source-ip <1-10> <XXX.XXX.XXX.XXX> [mask <XXX.XXX.XXX.XXX>]]
    Specifies up to 10 source IP addresses from which connections are allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which connections are allowed; enter the IP mask in dotted-decimal notation.

    ATTENTION
    These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).

no telnet-access command
With the no telnet-access command, you can disable the Telnet connection. The syntax for the no telnet-access command is:

no telnet-access [source-ip [<1-10>]]

The no telnet-access command is executed in the Global Configuration command mode.


Table 9 "no telnet-access command parameters and variables" (page 48) describes the parameters and variables for the no telnet-access command.

Table 9: no telnet-access command parameters and variables

source-ip [<1-10>]
    Disables the Telnet access. When you do not use the optional parameter, the source-ip list is cleared, meaning that the 1st index is set to 0.0.0.0/0.0.0.0 and the 2nd to 10th indexes are set to 255.255.255.255/255.255.255.255. When you do specify a source-ip value, the specified pair is set to 255.255.255.255/255.255.255.255.

    ATTENTION
    These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
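The source-ip list behaviour given above for no ipmgr source-ip (Table 6) and no telnet-access (Table 9), modelled in Python as an added example; this is not Nortel code. It assumes the conventional address/mask match (a source is admitted when it agrees with an entry on every bit set in the mask), assumes the factory-default list equals the state described for no telnet-access, and treats an omitted mask as a single-host mask.

```python
"""Model of the ERS 2500 IP manager source-ip list (ipmgr / telnet-access).

Added example, not Nortel code.  Matching rule assumed: a source address is
allowed when (src & mask) == (entry & mask) for at least one of the 10 entries.
Reset states are taken from the manual's Table 6 and Table 9:
  no telnet-access (no index)  -> entry 1 = 0.0.0.0/0.0.0.0,
                                  entries 2-10 = 255.255.255.255/255.255.255.255
  no ipmgr source-ip <n>       -> entry n = 255.255.255.255/255.255.255.255
The factory default is assumed to be the same allow-all state.
"""
import ipaddress

ENTRIES = 10
ALL_ONES = 0xFFFFFFFF          # 255.255.255.255 as an integer


def parse_addr(text: str) -> int:
    """Accept dotted-decimal or a plain integer, as the manual allows."""
    value = int(text) if text.isdigit() else text
    return int(ipaddress.IPv4Address(value))   # raises on out-of-range input


class IpManagerList:
    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        """'no telnet-access' / factory default: entry 1 matches every source;
        entries 2-10 hold the all-ones pair, which matches no usable source."""
        self.entries = [(0, 0)] + [(ALL_ONES, ALL_ONES)] * (ENTRIES - 1)

    def set_entry(self, index: int, addr: str, mask: str = "255.255.255.255") -> None:
        """'ipmgr source-ip <1-10> <addr> [mask <mask>]'.  Assumption: an
        omitted mask means a single host (the manual leaves this case open)."""
        if not 1 <= index <= ENTRIES:
            raise ValueError("source-ip index must be 1-10")
        self.entries[index - 1] = (parse_addr(addr), parse_addr(mask))

    def clear_entry(self, index: int) -> None:
        """'no ipmgr source-ip <n>': the entry becomes 255.255.255.255/255.255.255.255."""
        if not 1 <= index <= ENTRIES:
            raise ValueError("source-ip index must be 1-10")
        self.entries[index - 1] = (ALL_ONES, ALL_ONES)

    def allows(self, src: str) -> bool:
        """Would a Telnet/SNMP/Web request from 'src' pass the list check?"""
        s = parse_addr(src)
        return any((s & mask) == (addr & mask) for addr, mask in self.entries)

    def is_wide_open(self) -> bool:
        """True when some entry carries a 0.0.0.0 mask, i.e. 'ipmgr telnet'
        (or snmp, web) may be enabled but the list still admits every source."""
        return any(mask == 0 for _, mask in self.entries)

    def show(self) -> list:
        """Rendering in the spirit of 'show ipmgr' (layout is an assumption)."""
        return [f"{i:>2}  {ipaddress.IPv4Address(a)}/{ipaddress.IPv4Address(m)}"
                for i, (a, m) in enumerate(self.entries, 1)]


if __name__ == "__main__":
    acl = IpManagerList()                               # freshly reset: allow all
    acl.set_entry(1, "192.168.10.0", "255.255.255.0")   # management subnet
    acl.set_entry(2, "10.1.1.7")                        # one jump host
    print("\n".join(acl.show()))
    for probe in ("192.168.10.44", "10.1.1.7", "10.1.1.8", "172.16.0.1"):
        print(probe, "allowed" if acl.allows(probe) else "denied")
```

A list whose first entry is still 0.0.0.0/0.0.0.0 passes every source, so enabling ipmgr telnet, snmp or web before overwriting that entry restricts nothing.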

default telnet-access command
The default telnet-access command sets the Telnet settings to the default values. The syntax for the default telnet-access command is:

default telnet-access

The default telnet-access command is executed in the Global Configuration command mode.

The default telnet-access command has no parameters or values.

Configuring Secure Shell (SSH)
This section describes the CLI commands for configuring and managing SSH on the Ethernet Routing Switch 2500 Series. The SSH protocol provides secure access to the CLI. By using the CLI, you can execute the following commands:

• "show ssh global command" (page 49)

• "show ssh session command" (page 50)

• "show ssh download-auth-key command" (page 50)


• "ssh dsa-host-key command" (page 51)

• "no ssh dsa-host-key command" (page 51)

• "ssh command" (page 51)

• "no ssh command" (page 51)

• "ssh secure command" (page 52)

• "ssh timeout command" (page 52)

• "ssh dsa-auth command" (page 52)

• "no ssh dsa-auth command" (page 53)

• "ssh pass-auth command" (page 53)

• "no ssh pass-auth command" (page 53)

• "ssh port command" (page 53)

• "ssh download-auth-key command" (page 54)

• "no ssh dsa-auth-key command" (page 54)

• "default ssh command" (page 54)

show ssh global command
The show ssh global command displays the secure shell configuration information. The syntax for the show ssh global command is:

show ssh global

The show ssh global command is executed in the Privileged EXEC command mode.

The show ssh global command has no parameters or variables.

Figure 6 "show ssh global command output" (page 49) displays sample output from the show ssh global command.

Figure 6: show ssh global command output


show ssh session command
The show ssh session command displays the SSH session information. The session information includes the session ID and the host IP address. A host address of 0.0.0.0 indicates no connection for that session ID. The syntax for the show ssh session command is:

show ssh session

The show ssh session command is executed in the Privileged EXEC command mode.

The show ssh session command has no parameters or variables.

Figure 7 "show ssh session command output" (page 50) displays sample output from the show ssh session command.

Figure 7: show ssh session command output

show ssh download-auth-key command
The show ssh download-auth-key command displays the results of the most recent attempt to download the DSA public key from the TFTP server. The syntax for the show ssh download-auth-key command is:

show ssh download-auth-key

The show ssh download-auth-key command is executed in the Privileged EXEC command mode.

The show ssh download-auth-key command has no parameters or variables.

Figure 8 "show ssh download-auth-key command output" (page 50) displays sample output from the show ssh download-auth-key command.

Figure 8: show ssh download-auth-key command output


ssh dsa-host-key command
The switch starts generating the DSA host keys immediately after the ssh dsa-host-key command is given. A reboot is not necessary.

ATTENTION
You cannot enable SSH while the host key is being generated.

This command can only be executed in SSH disable mode. The syntax of the ssh dsa-host-key command is:

ssh dsa-host-key

The ssh dsa-host-key command is executed in the Global Configuration command mode.

There are no parameters or variables for the ssh dsa-host-key command.

no ssh dsa-host-key command
The no ssh dsa-host-key command deletes the DSA host key in the switch. The syntax of the no ssh dsa-host-key command is:

no ssh dsa-host-key

The no ssh dsa-host-key command is executed in the Global Configuration command mode.

There are no parameters or variables for the no ssh dsa-host-key command.

ssh command
The ssh command enables the SSH server on the Ethernet Routing Switch 2500 Series in nonsecure mode. In addition to accepting SSH connections, the Ethernet Routing Switch 2500 Series continues to accept Web, SNMP, and Telnet connections while in this mode. The syntax of the ssh command is:

ssh

The ssh command is executed in the Global Configuration command mode.

There are no parameters or variables for the ssh command.

no ssh command
The no ssh command disables the SSH server on the Ethernet Routing Switch 2500 Series. The syntax of the no ssh command is:

no ssh


The no ssh command is executed in the Global Configuration command mode.

There are no parameters or variables for the no ssh command.

ssh secure command
The ssh secure command enables the SSH server on the Ethernet Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet Routing Switch 2500 Series does not accept Web, SNMP, or Telnet connections. The syntax of the ssh secure command is:

ssh secure

The ssh secure command is executed in the Global Configuration command mode.

There are no parameters or variables for the ssh secure command.

ssh timeout command
The ssh timeout command sets the timeout value for session authentication. The syntax of the ssh timeout command is:

ssh timeout <1-120>

The ssh timeout command is executed in the Global Configuration command mode.

Table 10 "ssh timeout command parameters and variables" (page 52) describes the parameters and variables for the ssh timeout command.

Table 10: ssh timeout command parameters and variables

<1-120>
    Specifies the timeout value for authentication. The default is 60.

ssh dsa-auth command
The ssh dsa-auth command enables DSA authentication. The syntax of the ssh dsa-auth command is:

ssh dsa-auth

The ssh dsa-auth command is executed in the Global Configuration command mode.

There are no parameters or variables for the ssh dsa-auth command.


no ssh dsa-auth command
The no ssh dsa-auth command disables DSA authentication. The syntax for the no ssh dsa-auth command is:

no ssh dsa-auth

The no ssh dsa-auth command is executed in the Global Configuration command mode.

There are no parameters or variables for the no ssh dsa-auth command.

ssh pass-auth command
The ssh pass-auth command enables password authentication. The syntax of the ssh pass-auth command is:

ssh pass-auth

The ssh pass-auth command is executed in the Global Configuration command mode.

There are no parameters or variables for the ssh pass-auth command.

no ssh pass-auth command
The no ssh pass-auth command disables password authentication. The syntax of the no ssh pass-auth command is:

no ssh pass-auth

The no ssh pass-auth command is executed in the Global Configuration command mode.

There are no parameters or variables for the no ssh pass-auth command.

ssh port command
The ssh port command sets the SSH connection port. The syntax of the ssh port command is:

ssh port <1-65535>

The ssh port command is executed in the Global Configuration command mode.

Table 11 "ssh port command parameters and variables" (page 54) describes the parameters and variables for the ssh port command.


Table 11: ssh port command parameters and variables

<1-65535>
    Specifies the SSH connection port. The default is 22.

ssh download-auth-key command
The ssh download-auth-key command downloads the client public key from the TFTP server to the Ethernet Routing Switch 2500 Series. The syntax for the ssh download-auth-key command is:

ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name <file>]

The ssh download-auth-key command is executed in the Global Configuration command mode.

Table 12 "ssh download-auth-key command parameters and variables" (page 54) describes the parameters and variables for the ssh download-auth-key command.

Table 12: ssh download-auth-key command parameters and variables

address <XXX.XXX.XXX.XXX>
    The IP address of the TFTP server.

key-name <file>
    The name of the public key file on the TFTP server.

no ssh dsa-auth-key command
The no ssh dsa-auth-key command deletes the SSH DSA authentication key. The syntax for the command is:

no ssh dsa-auth-key

The no ssh dsa-auth-key command is executed in the Global Configuration command mode.

There are no parameters or variables for the no ssh dsa-auth-key command.

default ssh command
The default ssh command resets the specific secure shell configuration parameter to the default value. The syntax of the default ssh command is:


default ssh [dsa-auth|pass-auth|port|timeout]

The default ssh command is executed in the Global Configuration command mode.

Table 13 "default ssh command parameters and variables" (page 55) describes the parameters and variables for the default ssh command.

Table 13: default ssh command parameters and variables

dsa-auth
    Resets dsa-auth to the default value. Default is True.

pass-auth
    Resets pass-auth to the default value. Default is True.

port
    Resets the port number for SSH connections to the default. Default is 22.

timeout
    Resets the timeout value for session authentication to the default. Default is 60.

Setting server for Web-based management
You can enable or disable the Web server to use for the Web-based management system. This section discusses the following commands:

• "web-server" (page 55)

• "no web-server" (page 56)

web-server
The web-server command enables or disables the Web server that you use for Web-based management. The syntax for the web-server command is:

web-server {enable|disable}

The web-server command is executed in the Global Configuration command mode.

Table 14 "web-server command parameters and variables" (page 56) describes the parameters and variables for the web-server command.


Table 14: web-server command parameters and variables

enable|disable
    Enables or disables the Web server.

no web-server
The no web-server command disables the Web server that you use for Web-based management. The syntax for the no web-server command is:

no web-server

The no web-server command is executed in the Global Configuration command mode.

The no web-server command has no parameters or values.

Configuring the RADIUS-based management password authentication
By using the RADIUS protocol and server, you can configure the Ethernet Routing Switch 2500 Series for authentication. To configure this authentication by using the CLI system, you can use the following commands:

• "show radius-server command" (page 56)

• "radius-server command" (page 57)

• "no radius-server command" (page 58)

• "default radius-server command" (page 58)

• "radius-server password fallback command" (page 58)

show radius-server command
The show radius-server command displays the RADIUS server configuration. The syntax for the show radius-server command is:

show radius-server

The show radius-server command is executed in the Privileged EXEC command mode.

The show radius-server command has no parameters or variables.

Figure 9 "show radius-server command output" (page 57) shows sample output from the show radius-server command.


Figure 9: show radius-server command output

radius-server command
The radius-server command changes the RADIUS server settings. The syntax for the radius-server command is:

radius-server host <address> [secondary-host <address>] port <num> key <string> timeout <num>

ATTENTION
When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and confirm the string.

The radius-server command is executed in the Global Configuration command mode.

Table 15 "radius-server command parameters and variables" (page 57) describes the parameters and variables for the radius-server command.

Table 15: radius-server command parameters and variables

primary-host <address>
    Specifies the primary RADIUS server. Enter the IP address of the RADIUS server.

secondary-host <address>
    Specifies the secondary RADIUS server. Enter the IP address of the secondary RADIUS server.

port <num>
    Enter the port number of the RADIUS server.

key <string>
    Specifies a secret text string that is shared between the switch and the RADIUS server for authentication. Enter the secret string, which is an alphanumeric string of up to 16 characters.

timeout <num>
    Specifies the RADIUS time-out period.


no radius-server command
The no radius-server command clears the RADIUS server settings. The syntax for the no radius-server command is:

no radius-server

The no radius-server command is executed in the Global Configuration command mode.

The no radius-server command has no parameters or values.

default radius-server command
The default radius-server command sets the RADIUS server settings to the default values. The syntax for the default radius-server command is:

default radius-server

The default radius-server command is executed in the Global Configuration command mode.

The default radius-server command has no parameters or values.

radius-server password fallback command
With the radius-server password fallback command, you can configure password fallback as an option when you use RADIUS authentication for login and password. When both RADIUS servers are unreachable, the user can log in using the local passwords.

The syntax for the radius-server password fallback command is:

radius-server password fallback

The radius-server password fallback command is executed in the Global Configuration command mode.

Setting SNMP parameters
For information about setting SNMP parameters and traps, see the following sections:

• "Common SNMP and SNMPv3 CLI commands" (page 58)

• "CLI commands specific to SNMPv3" (page 69)

Common SNMP and SNMPv3 CLI commands
This section describes the common CLI commands that you can use to configure SNMP and SNMPv3. For details about the SNMP CLI commands that are specific to SNMPv3, see "CLI commands specific to SNMPv3" (page 69).


The switch provides the following CLI commands to configure SNMP and SNMPv3:

• "snmp-server command" (page 59)

• "no snmp-server command" (page 60)

• "snmp-server authentication-trap command" (page 60)

• "no snmp-server authentication-trap command" (page 61)

• "default snmp-server authentication-trap command" (page 61)

• "snmp-server community for read/write command" (page 61)

• "no snmp-server community command" (page 62)

• "default snmp-server community command" (page 63)

• "show snmp-server community command" (page 64)

• "snmp-server contact command" (page 64)

• "no snmp-server contact command" (page 64)

• "default snmp-server contact command" (page 64)

• "snmp-server location command" (page 65)

• "no snmp-server location command" (page 65)

• "default snmp-server location command" (page 66)

• "snmp-server name command" (page 66)

• "no snmp-server name command" (page 66)

• "default snmp-server name command" (page 67)

• "snmp trap link-status command" (page 67)

• "no snmp trap link-status command" (page 68)

• "default snmp trap link-status command" (page 69)

snmp-server command
The snmp-server command enables or disables the SNMP server. The syntax for the snmp-server command is:

snmp-server {enable|disable}

The snmp-server command is executed in the Global Configuration command mode.

Table 16 "snmp-server command parameters and variables" (page 60) describes the parameters and variables for the snmp-server command.


Table 16
snmp-server command parameters and variables

Parameters and variables    Description
enable|disable              Enables or disables the SNMP server.

no snmp-server command
The no snmp-server command disables SNMP access. The syntax for the no snmp-server command is:

no snmp-server

The no snmp-server command is executed in the Global Configuration command mode.

The no snmp-server command has no parameters or variables.

ATTENTION
Disabling SNMP access also locks you out of the Device Manager management system.

snmp-server authentication-trap command
The snmp-server authentication-trap command enables or disables the generation of SNMP authentication failure traps. An authentication failure trap is the only indication the switch gives that it received a request with an invalid community string or SNMPv3 credential, so enable these traps wherever a trap receiver is configured (see the snmp-server host command). The syntax for the snmp-server authentication-trap command is:

snmp-server authentication-trap {enable|disable}

The snmp-server authentication-trap command is executed in the Global Configuration command mode.

Table 17 "snmp-server authentication-trap command parameters and variables" (page 60) describes the parameters and variables for the snmp-server authentication-trap command.

Table 17
snmp-server authentication-trap command parameters and variables

Parameters and variables    Description
enable|disable              Enables or disables the generation of authentication failure traps.


no snmp-server authentication-trap command
The no snmp-server authentication-trap command disables the generation of SNMP authentication failure traps. The syntax for the no snmp-server authentication-trap command is:

no snmp-server authentication-trap

The no snmp-server authentication-trap command is executed in the Global Configuration command mode.

The no snmp-server authentication-trap command has no parameters or variables.

default snmp-server authentication-trap command
The default snmp-server authentication-trap command restores the SNMP authentication trap configuration to the default settings. The syntax for the default snmp-server authentication-trap command is:

default snmp-server authentication-trap

The default snmp-server authentication-trap command is executed in the Global Configuration command mode.

The default snmp-server authentication-trap command has no parameters or variables.

snmp-server community for read/write command
The snmp-server community command for read/write modifies the community strings for SNMPv1 and SNMPv2c access. The syntax for the snmp-server community for read/write command is:

snmp-server community <community-string> [ro|rw]

The snmp-server community for read/write command is executed in the Global Configuration command mode.

This command configures a single read-only or a single read/write community. A community configured using this command has no access to any of the SNMPv3 MIBs.

This command affects community strings created prior to Release 3.0 software. These community strings have a fixed MIB view.

A community string is carried in clear text in every SNMPv1 and SNMPv2c packet and is the only credential checked, so a read/write community is equivalent to administrative access to the switch. Where the management station supports it, prefer SNMPv3 users (see "CLI commands specific to SNMPv3" (page 69)).

Table 18 "snmp-server community for read/write command parameters and variables" (page 62) describes the parameters and variables for the snmp-server community for read/write command.


Table 18
snmp-server community for read/write command parameters and variables

Parameters and variables    Description
<community-string>          Changes community strings for SNMPv1 and SNMPv2c access. Enter a community string that functions as a password and permits access to the SNMP protocol. If you set the value to NONE, it is disabled.

                            ATTENTION
                            This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.

ro|rw                       Specifies read-only or read/write access. Stations with ro access can only retrieve MIB objects; stations with rw access can retrieve and modify MIB objects.

                            ATTENTION
                            If neither ro nor rw is specified, ro is assumed (default).

no snmp-server community command
The no snmp-server community command clears the snmp-server community configuration. The syntax for the no snmp-server community command is:

no snmp-server community {ro|rw|<community-string>}

The no snmp-server community command is executed in the Global Configuration command mode.

If you do not specify a read-only or read/write community parameter, all community strings are removed, including all communities controlled by the snmp-server community command and the snmp-server community command for read/write.


If you specify read-only or read/write, only the read-only or read/write community is removed. If you specify the name of a community string, the community string with that name is removed.

Table 19 "no snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the no snmp-server community command.

Table 19
no snmp-server community command parameters and variables

Parameters and variables    Description
ro|rw                       Sets the specified community string value to NONE, thereby disabling it.
<community-string>          Deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).

default snmp-server community command
The default snmp-server community command restores the community string configuration to the default settings. The syntax for the default snmp-server community command is:

default snmp-server community [ro|rw]

The default snmp-server community command is executed in the Global Configuration command mode.

If the read-only or read/write parameter is omitted from the command, all communities are restored to their default settings: the read-only community is set to public, the read/write community is set to private, and all other communities are deleted. The strings public and private are universally known, so this command re-opens the switch to anyone who can reach it over SNMP; follow it with snmp-server community to set non-default strings, or with no snmp-server community to disable them.

Table 20 "default snmp-server community command parameters and variables" (page 63) describes the parameters and variables for the default snmp-server community command.

Table 20
default snmp-server community command parameters and variables

Parameters and variables    Description
ro|rw                       Restores the read-only community to public, or the read/write community to private.
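The commands in this section cannot be run outside the switch, but their effect can be checked on a saved configuration. The following Python script is an added example, not part of this manual or of Nortel's software: it scans running-config text for the settings the section warns about (the public/private defaults, trap receivers that send a community string in clear text, SNMPv3 users created without authentication, and authentication-failure traps left off). The line formats follow the command syntax documented on this page; the sample configuration embedded in the script is constructed for the example, and the severity scale and the eight-character minimum for community strings are the author's assumptions, not values from the manual.

```python
"""Audit SNMP settings in an ERS 2500-style configuration dump.

Added example; the config line formats follow the command syntax on this
page, and SAMPLE_CONFIG below is constructed, not captured from a switch.
"""
from dataclasses import dataclass

# Strings restored by "default snmp-server community" (public = ro, private = rw).
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 8          # assumption for this example, not a switch limit


@dataclass(frozen=True)
class Finding:
    severity: str              # "high", "medium" or "low" (assumed scale)
    line: str
    message: str


def audit_snmp_config(config_text):
    """Return a list of Findings for weak SNMP settings in config_text."""
    findings = []
    auth_trap_enabled = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()

        # default snmp-server community [ro|rw]: re-creates public/private
        if tok[:3] == ["default", "snmp-server", "community"]:
            findings.append(Finding("high", line,
                "restores the well-known default community strings"))
            continue

        # snmp-server community <string> [ro|rw] and the new-style
        # snmp-server community <string> read-view/write-view/notify-view ...
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            name = tok[2]
            if name in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", line,
                    f"well-known default community string '{name}' is configured"))
            elif name != "NONE" and len(name) < MIN_COMMUNITY_LEN:
                findings.append(Finding("medium", line,
                    f"community string shorter than {MIN_COMMUNITY_LEN} characters"))
            continue

        if tok[:2] == ["snmp-server", "authentication-trap"]:
            auth_trap_enabled = tok[2:3] == ["enable"]
            continue

        # snmp-server host <ip> [port <n>] {<community>|v2c <community>|v3 <level> <user>}
        if tok[:2] == ["snmp-server", "host"] and len(tok) >= 4:
            rest = tok[3:]
            if rest[:1] == ["port"]:
                rest = rest[2:]
            if rest and rest[0] == "v3":
                if rest[1:2] == ["no-auth"]:
                    findings.append(Finding("medium", line,
                        "SNMPv3 trap receiver configured without authentication"))
            elif rest:
                version = "v2c" if rest[0] == "v2c" else "v1"
                findings.append(Finding("medium", line,
                    f"{version} trap receiver: community string is sent in clear text"))
            continue

        # snmp-server user [engine-id <id>] <name> [views] [md5|sha <pw> [views] [des|aes|3des <pw> [views]]]
        if tok[:2] == ["snmp-server", "user"]:
            rest = tok[2:]
            if rest[:1] == ["engine-id"]:
                rest = rest[2:]
            name = rest[0] if rest else "?"
            has_auth = any(t in ("md5", "sha") for t in rest[1:])
            has_priv = any(t in ("des", "aes", "3des") for t in rest[1:])
            if not has_auth:
                findings.append(Finding("high", line,
                    f"SNMPv3 user '{name}' has no authentication passphrase (noAuthNoPriv)"))
            elif not has_priv:
                findings.append(Finding("low", line,
                    f"SNMPv3 user '{name}' is authenticated but not encrypted (authNoPriv)"))
            continue

    if not auth_trap_enabled:
        findings.append(Finding("low", "",
            "authentication-failure traps are not enabled (snmp-server authentication-trap enable)"))
    return findings


# Constructed sample configuration for this example (not a real capture).
SAMPLE_CONFIG = """\
! constructed sample
snmp-server enable
snmp-server community public ro
snmp-server community private rw
snmp-server community n0c-r3ad0nly-7f read-view v-system
snmp-server host 192.0.2.10 trapcomm
snmp-server host 192.0.2.11 v3 auth-priv netops
snmp-server user netops sha Auth-Pass-2007 aes Priv-Pass-2007
snmp-server user legacy-ro read-view v-system
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity:<6}] {f.message}" + (f"  <- {f.line}" if f.line else ""))
```

Run against the constructed sample, the script reports the two default community strings and the unauthenticated legacy-ro user as high, the v1 trap receiver as medium, and the missing authentication-failure traps as low; the netops user and its auth-priv trap receiver produce no finding. The same function can be pointed at the output of show running-config once that text is saved to a file.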


show snmp-server community command
The show snmp-server community command displays the SNMP community string configuration. (The community strings are not displayed when Password Security is enabled.) The syntax for the show snmp-server community command is:

show snmp-server community

The show snmp-server community command is executed in the Privileged EXEC command mode.

snmp-server contact command
The snmp-server contact command configures the SNMP sysContact value. The syntax for the snmp-server contact command is:

snmp-server contact <text>

The snmp-server contact command is executed in the Global Configuration command mode.

Table 21 "snmp-server contact command parameters and variables" (page 64) describes the parameters and variables for the snmp-server contact command.

Table 21
snmp-server contact command parameters and variables

Parameters and variables    Description
<text>                      Specifies the SNMP sysContact value; enter an alphanumeric string.

no snmp-server contact command
The no snmp-server contact command clears the sysContact value. The syntax for the no snmp-server contact command is:

no snmp-server contact

The no snmp-server contact command is executed in the Global Configuration command mode.

The no snmp-server contact command has no parameters or variables.

default snmp-server contact command
The default snmp-server contact command restores the sysContact value to the default value. The syntax for the default snmp-server contact command is:

default snmp-server contact


The default snmp-server contact command is executed in the Global Configuration command mode.

The default snmp-server contact command has no parameters or variables.

snmp-server location command
The snmp-server location command configures the SNMP sysLocation value. The syntax for the snmp-server location command is:

snmp-server location <text>

The snmp-server location command is executed in the Global Configuration command mode.

Table 22 "snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the snmp-server location command.

Table 22
snmp-server location command parameters and variables

Parameters and variables    Description
<text>                      Specifies the SNMP sysLocation value; enter an alphanumeric string of up to 255 characters.

no snmp-server location command
The no snmp-server location command clears the SNMP sysLocation value. The syntax for the no snmp-server location command is:

no snmp-server location <text>

The no snmp-server location command is executed in the Global Configuration command mode.

Table 23 "no snmp-server location command parameters and variables" (page 65) describes the parameters and variables for the no snmp-server location command.

Table 23
no snmp-server location command parameters and variables

Parameters and variables    Description
<text>                      Specifies the SNMP sysLocation value. Enter a string of up to 255 characters.


default snmp-server location command
The default snmp-server location command restores sysLocation to the default value. The syntax for the default snmp-server location command is:

default snmp-server location

The default snmp-server location command is executed in the Global Configuration command mode.

The default snmp-server location command has no parameters or variables.

snmp-server name command
The snmp-server name command configures the SNMP sysName value. The syntax for the snmp-server name command is:

snmp-server name <text>

The snmp-server name command is executed in the Global Configuration command mode.

Table 24 "snmp-server name command parameters and variables" (page 66) describes the parameters and variables for the snmp-server name command.

Table 24
snmp-server name command parameters and variables

Parameters and variables    Description
<text>                      Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.

no snmp-server name command
The no snmp-server name command clears the SNMP sysName value. The syntax for the no snmp-server name command is:

no snmp-server name <text>

The no snmp-server name command is executed in the Global Configuration command mode.

Table 25 "no snmp-server name command parameters and variables" (page 67) describes the parameters and variables for the no snmp-server name command.


Table 25
no snmp-server name command parameters and variables

Parameters and variables    Description
<text>                      Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.

default snmp-server name command
The default snmp-server name command restores sysName to the default value. The syntax for the default snmp-server name command is:

default snmp-server name

The default snmp-server name command is executed in the Global Configuration command mode.

The default snmp-server name command has no parameters or variables.

snmp trap link-status command
The snmp trap link-status command enables the linkUp/linkDown traps for the port. The syntax of the command is:

snmp trap link-status [port <portlist>]

The snmp trap link-status command is executed in the Interface Configuration command mode.

Table 27 "snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the snmp trap link-status command.


Table 27
snmp trap link-status command parameters and variables

Parameters and variables    Description
port <portlist>             Specifies the port numbers on which to enable the linkUp/linkDown traps. Enter the port numbers or all.

                            ATTENTION
                            If you omit this parameter, the system uses the port number specified with the interface command.

disable|enable              Disables or enables generation of linkUp/linkDown traps.

no snmp trap link-status command
The no snmp trap link-status command disables the linkUp/linkDown traps for the port. The syntax of the no snmp trap link-status command is:

no snmp trap link-status [port <portlist>]

The no snmp trap link-status command is executed in the Interface Configuration command mode.

Table 28 "no snmp trap link-status command parameters and variables" (page 68) describes the parameters and variables for the no snmp trap link-status command.

Table 28
no snmp trap link-status command parameters and variables

Parameters and variables    Description
port <portlist>             Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.

                            ATTENTION
                            If you omit this parameter, the system uses the port number specified with the interface command.


default snmp trap link-status command
The default snmp trap link-status command restores the linkUp/linkDown trap setting for the port to its default, which disables the traps. The syntax of the command is:

default snmp trap link-status [port <portlist>]

The default snmp trap link-status command is executed in the Interface Configuration command mode.

Table 29 "default snmp trap link-status command parameters and variables" (page 69) describes the parameters and variables for the default snmp trap link-status command.

Table 29
default snmp trap link-status command parameters and variables

Parameters and variables    Description
port <portlist>             Specifies the port numbers on which to disable the linkUp/linkDown traps. Enter the port numbers or all.

                            ATTENTION
                            If you omit this parameter, the system uses the port number specified with the interface command.

CLI commands specific to SNMPv3
This section describes the CLI commands that are unique to configuring SNMPv3. For details about the CLI commands that are common to both SNMP and SNMPv3, see "Common SNMP and SNMPv3 CLI commands" (page 58).

The following SNMP commands are specific to SNMPv3:

• "snmp-server user command" (page 70)

• "no snmp-server user command" (page 72)

• "snmp-server view command" (page 73)

• "no snmp-server view command" (page 74)

• "snmp-server host for new-style table command" (page 75)

• "no snmp-server host for new-style table command" (page 76)

• "default snmp-server host command" (page 76)

• "snmp-server community command" (page 77)

• "show snmp-server command" (page 78)

• "snmp-server bootstrap command" (page 79)


snmp-server user command
The snmp-server user command creates an SNMPv3 user. The syntax for the snmp-server user command is:

snmp-server user [engine-id <engineid>] <username>
    [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]
    [{md5|sha} <password>
        [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]
        [{3des|aes|des} <password>
            [read-view <view-name>] [write-view <view-name>] [notify-view <view-name>]]]

The snmp-server user command is executed in the Global Configuration command mode.

The sha and des parameters are available only if the switch image has full SHA/DES support.

The command shows three sets of read/write/notify views. The first set specifies unauthenticated access. The second set specifies authenticated access. The third set specifies authenticated and encrypted access.

You can specify authenticated access only if the md5 or sha parameter is included. Likewise, you can specify authenticated and encrypted access only if the des, aes, or 3des parameter is included.

If you omit the authenticated view parameters, authenticated access uses the views specified for unauthenticated access. If you omit all the authenticated and encrypted view parameters, authenticated and encrypted access uses the same views that are used for authenticated access, which are the unauthenticated views if all the authenticated views are also omitted.

The first set of views is reachable by any request that names the user without authenticating, so a user who is meant to be authenticated should be given no write view in that set; otherwise the passphrase protects nothing.

Table 30 "snmp-server user command parameters and variables" (page 70) describes the parameters and variables for the snmp-server user command.

Table 30
snmp-server user command parameters and variables

Parameters and variables    Description
engine-id <engineid>        Specifies the SNMP engine ID of the remote SNMP entity.

<username>                  Specifies the user name; enter an alphanumeric string of up to 255 characters.

md5/sha <password>          Specifies the use of an md5/sha authentication passphrase.
                            • password — specifies the new user's md5/sha authentication passphrase; enter an alphanumeric string.
                            If this parameter is omitted, the user is created with only unauthenticated access rights.

                            ATTENTION
                            This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.

read-view <view-name>       Specifies the read view to which the new user has access:
                            • view-name — specifies the view name; enter an alphanumeric string of up to 255 characters.

write-view <view-name>      Specifies the write view to which the new user has access:
                            • view-name — specifies the view name; enter an alphanumeric string of up to 255 characters.

notify-view <view-name>     Specifies the notify view to which the new user has access:
                            • view-name — specifies the view name; enter an alphanumeric string of up to 255 characters.

des/aes/3des <password>     Specifies the use of a des/aes/3des privacy passphrase.
                            • password — specifies the new user's des/aes/3des privacy passphrase; enter an alphanumeric string of at least 8 characters.
                            If this parameter is omitted, the user is created with only authenticated access rights.

                            ATTENTION
                            This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
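The fallback rules for the three view sets are easy to misread on a long snmp-server user line. The following Python function is an added example, not code from this manual or from the switch: it parses an snmp-server user command in the syntax documented above and reports which security levels the user can use and which views apply at each, applying the rule that a level with no views of its own inherits the previous level's set. The manual does not say what happens when a level names only some of its three views; the example takes such a set as given (a view not named at that level means no access at that level), and that reading is an assumption. The command lines in the usage are constructed.

```python
"""Resolve effective SNMPv3 views per security level from an
"snmp-server user" command line (added example; the view-inheritance
rule follows this page, the partial-set handling is an assumption)."""

AUTH_PROTOCOLS = {"md5", "sha"}
PRIV_PROTOCOLS = {"des", "aes", "3des"}
VIEW_KEYWORDS = {"read-view": "read", "write-view": "write", "notify-view": "notify"}
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")
MIN_PRIV_PASSPHRASE = 8     # "minimum 8 characters" for the privacy passphrase


def parse_snmp_user(cmdline):
    """Return {'username', 'engine_id', 'auth', 'priv', 'views'} for the command.

    'views' maps each security level the user can use to its effective
    {'read', 'write', 'notify'} view names (None = no access)."""
    tok = cmdline.split()
    if tok[:2] != ["snmp-server", "user"] or len(tok) < 3:
        raise ValueError("expected: snmp-server user [engine-id <id>] <username> ...")
    i = 2
    engine_id = None
    if tok[i] == "engine-id":
        if len(tok) < 5:
            raise ValueError("engine-id requires a value and a user name")
        engine_id, i = tok[i + 1], i + 2
    username, i = tok[i], i + 1

    explicit = {"noAuthNoPriv": {}}      # views given per level, in command order
    level = "noAuthNoPriv"
    auth = priv = None
    while i < len(tok):
        t = tok[i]
        if i + 1 >= len(tok):
            raise ValueError(f"'{t}' requires an argument")
        arg = tok[i + 1]
        if t in VIEW_KEYWORDS:
            explicit[level][VIEW_KEYWORDS[t]] = arg
        elif t in AUTH_PROTOCOLS:
            if level != "noAuthNoPriv":
                raise ValueError("only one authentication protocol, before any privacy protocol")
            auth, level = (t, arg), "authNoPriv"
            explicit[level] = {}
        elif t in PRIV_PROTOCOLS:
            if level != "authNoPriv":
                raise ValueError("privacy requires an md5/sha passphrase first, and only one")
            if len(arg) < MIN_PRIV_PASSPHRASE:
                raise ValueError("privacy passphrase must be at least 8 characters")
            priv, level = (t, arg), "authPriv"
            explicit[level] = {}
        else:
            raise ValueError(f"unexpected token {t!r}")
        i += 2

    # A level with no views of its own uses the previous level's set.
    views, inherited = {}, {"read": None, "write": None, "notify": None}
    for lvl in LEVELS:
        if lvl not in explicit:
            break
        if explicit[lvl]:
            inherited = {k: explicit[lvl].get(k) for k in inherited}
        views[lvl] = dict(inherited)
    return {"username": username, "engine_id": engine_id,
            "auth": auth, "priv": priv, "views": views}


def can_access(user, level, operation):
    """Name of the view that governs `operation` ('read', 'write' or 'notify')
    at `level` for this user, or None if the level or view is not available."""
    return user["views"].get(level, {}).get(operation)


if __name__ == "__main__":
    # Constructed command line for the example.
    u = parse_snmp_user("snmp-server user ops read-view v-ro "
                        "sha Auth-Pass-2007 read-view v-ro write-view v-rw aes Priv-Pass-2007")
    for lvl, v in u["views"].items():
        print(lvl, v)
```

For the constructed ops user, the unauthenticated level gets read access to v-ro only, the authenticated level adds write access to v-rw, and the encrypted level, which names no views of its own, inherits the authenticated set. Passing a command with des before an md5/sha passphrase, or a privacy passphrase shorter than eight characters, raises ValueError, matching the constraints in Table 30.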

no snmp-server user command
The no snmp-server user command deletes the specified user. The syntax for the no snmp-server user command is:

no snmp-server user [engine-id <engineid>] <username>

The no snmp-server user command is executed in the Global Configuration command mode.

Table 31 "no snmp-server user command parameters and variables" (page 73) describes the parameters and variables for the no snmp-server user command.


Table 31
no snmp-server user command parameters and variables

Parameters and variables    Description
engine-id <engineid>        Specifies the SNMP engine ID of the remote SNMP entity.
<username>                  Specifies the user to be removed.

snmp-server view command
The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object instances that can be accessed. The syntax for the snmp-server view command is:

snmp-server view <view-name> <OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]]

The snmp-server view command is executed in the Global Configuration command mode.

Table 32 "snmp-server view command parameters and variables" (page 73) describes the parameters and variables for the snmp-server view command.

Table 32
snmp-server view command parameters and variables

Parameters and variables    Description
<view-name>                 Specifies the name of the new view; enter an alphanumeric string.

<OID>                       Specifies the object identifier. An OID can be entered as a MIB object English descriptor, a dotted-form OID, or a mix of the two. Each OID can also be preceded by a plus (+) or minus (-) sign (if the sign is omitted, a plus sign is implied). In the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:


• sysName

• +sysName

• -sysName

• +sysName.0

• +ifIndex.1

• -ifEntry.*.1 (matches all objects in the ifTable with an instance of 1, that is, the entry for interface #1)

• 1.3.6.1.2.1.1.1.0 (dotted form of sysDescr.0)

The plus (+) or minus (-) sign indicates whether the specified OID is included in or excluded from, respectively, the set of MIB objects that are accessible by using this view. For example, if you create a view as follows:

snmp-server view myview +system -sysDescr

and you use that view for the read-view of a user, then the user can read only the system group, except for sysDescr.
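To make the include/exclude and wildcard rules concrete, the following Python code is an added example (not from this manual or the switch software) that parses snmp-server view commands in the syntax above and decides whether a given object instance is visible through the view. It resolves the English descriptors with a small, assumed subset of MIB-II names; the switch itself uses its full MIB. Where several entries match an OID, the most specific (longest) entry decides, which is the VACM rule from RFC 3415; the tie-break between equal-length entries in the example is the author's approximation. The commands and instances in the usage are constructed.

```python
"""Evaluate SNMPv3 views built with "snmp-server view" (added example).

OID_NAMES is a small, assumed subset of MIB-II; a switch resolves names
from its full MIB. Longest-match selection follows RFC 3415 VACM."""

OID_NAMES = {
    "system":     (1, 3, 6, 1, 2, 1, 1),
    "sysDescr":   (1, 3, 6, 1, 2, 1, 1, 1),
    "sysName":    (1, 3, 6, 1, 2, 1, 1, 5),
    "interfaces": (1, 3, 6, 1, 2, 1, 2),
    "ifTable":    (1, 3, 6, 1, 2, 1, 2, 2),
    "ifEntry":    (1, 3, 6, 1, 2, 1, 2, 2, 1),
    "ifIndex":    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1),
    "ifDescr":    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2),
}


def parse_oid_spec(spec):
    """Parse one <OID> argument: optional +/- sign, then a descriptor, a
    dotted numeric OID, or a descriptor with a dotted suffix.
    Returns (subtree, included); a '*' sub-identifier becomes None (wildcard)."""
    included = True
    if spec[:1] in ("+", "-"):
        included = spec[0] == "+"
        spec = spec[1:]
    parts = spec.split(".")
    subtree = []
    if parts[0] in OID_NAMES:
        subtree.extend(OID_NAMES[parts[0]])
        parts = parts[1:]
    for p in parts:
        if p == "*":
            subtree.append(None)
        elif p.isdigit():
            subtree.append(int(p))
        else:
            raise ValueError(f"unknown OID component {p!r} in {spec!r}")
    if not subtree:
        raise ValueError("empty OID")
    return tuple(subtree), included


def parse_view_command(cmdline):
    """'snmp-server view <view-name> <OID> [<OID> ...]' -> (name, families)."""
    tok = cmdline.split()
    if tok[:2] != ["snmp-server", "view"] or len(tok) < 4:
        raise ValueError("expected: snmp-server view <view-name> <OID> [<OID> ...]")
    if len(tok) - 3 > 10:
        raise ValueError("at most ten OIDs per snmp-server view command")
    return tok[2], [parse_oid_spec(s) for s in tok[3:]]


def family_matches(subtree, oid):
    """True if oid lies under subtree, treating None sub-ids as wildcards."""
    return len(oid) >= len(subtree) and all(
        s is None or s == o for s, o in zip(subtree, oid))


def is_accessible(families, oid):
    """Decide visibility of `oid` (tuple of ints) through the view families.
    The longest matching family wins; an OID no family matches is not in the
    view. Ties between equal-length families are broken by subtree value
    (wildcards sorted lowest), an approximation of the RFC 3415 rule."""
    best = None
    for subtree, included in families:
        if family_matches(subtree, oid):
            key = (len(subtree), tuple(-1 if s is None else s for s in subtree))
            if best is None or key > best[0]:
                best = (key, included)
    return best is not None and best[1]


def resolve(instance):
    """Turn 'sysName.0' or '1.3.6.1.2.1.1.5.0' into a numeric OID tuple."""
    subtree, _ = parse_oid_spec(instance)
    if None in subtree:
        raise ValueError("an object instance cannot contain wildcards")
    return subtree


if __name__ == "__main__":
    # Constructed commands: the page's example view plus a wildcard view.
    name, fam = parse_view_command("snmp-server view myview +system -sysDescr")
    for inst in ("sysName.0", "sysDescr.0", "1.3.6.1.2.1.1.1.0", "ifIndex.1"):
        print(name, inst, "visible" if is_accessible(fam, resolve(inst)) else "hidden")
    _, fam2 = parse_view_command("snmp-server view ifone +ifTable -ifEntry.*.1")
    for inst in ("ifIndex.1", "ifIndex.2", "ifDescr.1"):
        print("ifone", inst, "visible" if is_accessible(fam2, resolve(inst)) else "hidden")
```

With the page's own view, sysName.0 is visible and sysDescr.0 is hidden whether it is written as a descriptor or in dotted form, and ifIndex.1 is hidden because no entry of the view covers it. The second, constructed view shows the wildcard: +ifTable -ifEntry.*.1 exposes every column of the interface table except the row for interface 1, so ifIndex.2 is visible while ifIndex.1 and ifDescr.1 are not.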

no snmp-server view command
The no snmp-server view command deletes the specified view. The syntax for the no snmp-server view command is:

no snmp-server view <view-name>

The no snmp-server view command is executed in the Global Configuration command mode.

Table 33 "no snmp-server view command parameters and variables" (page 74) describes the parameters and variables for the no snmp-server view command.

Table 33
no snmp-server view command parameters and variables

Parameters and variables    Description
<view-name>                 Specifies the name of the view to be removed. If no view is specified, all views are removed.


snmp-server host for the new-style table command
The snmp-server host for the new-style table command adds a trap receiver to the new-style configuration (that is, to the SNMPv3 tables). You can create several entries in this table, and each can generate v1, v2c, or v3 traps. You must previously configure the community string or user that is specified, with a notify-view. A v3 receiver can use only a security level that the named user supports: auth requires an md5 or sha passphrase on the user, and auth-priv additionally requires a des, aes, or 3des passphrase. The syntax for the snmp-server host for the new-style table command is:

snmp-server host <host-ip> [port <1-65535>] {<community-string>|v2c <community-string>|v3 {auth|no-auth|auth-priv} <username>}

The snmp-server host for the new-style table command is executed in the Global Configuration command mode.

Table 34 "snmp-server host for the new-style table command parameters and variables" (page 75) describes the parameters and variables for the snmp-server host for the new-style table command.

Table 34
snmp-server host for the new-style table command parameters and variables

Parameters and variables    Description
<host-ip>                   Enter a dotted-decimal IP address of a host to be the trap destination.

port <1-65535>              Sets the SNMP trap port.

<community-string>          If you do not specify a trap type, this variable creates v1 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

v2c <community-string>      Using v2c creates v2c trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels.

v3 {auth|no-auth|auth-priv} Using v3 creates v3 trap receivers in the SNMPv3 MIBs. You can create multiple trap receivers with varying access levels by entering the following variables:
                            • auth|no-auth — specifies whether SNMPv3 traps are authenticated.
                            • auth-priv — traps are authenticated and encrypted. This parameter is only available if the image has full SHA/DES support.


<username>                  Specifies the SNMPv3 user name for the trap destination; enter an alphanumeric string.

no snmp-server host for the new-style table command
The no snmp-server host for the new-style table command deletes trap receivers from the new-style table (SNMPv3 MIB). Any trap receiver that matches the IP address and SNMP version is deleted. The syntax for the no snmp-server host for the new-style table command is:

no snmp-server host <host-ip> {v1|v2c|v3}

The no snmp-server host for the new-style table command is executed in the Global Configuration command mode.

Table 35 "no snmp-server host for the new-style table command parameters and variables" (page 76) describes the parameters and variables for the no snmp-server host for the new-style table command.

Table 35
no snmp-server host for the new-style table command parameters and variables

Parameters and variables    Description
<host-ip>                   Enter the IP address of a trap destination host.
v1|v2c|v3                   Specifies the trap receivers in the SNMPv3 MIBs.

default snmp-server host command
The default snmp-server host command restores the table to defaults (that is, it clears the table). The syntax for the default snmp-server host command is:

default snmp-server host

The default snmp-server host command is executed in the Global Configuration command mode.

The default snmp-server host command has no parameters or variables.


snmp-server community command
With the snmp-server community command, you can create community strings with varying levels of read, write, and notification access based on SNMPv3 views. These community strings are separate from those created by using the snmp-server community command for read/write.

This command affects community strings stored in the SNMPv3 snmpCommunityTable, which allows several community strings to be created. These community strings can have any MIB view.

The syntax for the snmp-server community command is:

snmp-server community <community-string> {read-view <view-name>|write-view <view-name>|notify-view <view-name>}

The snmp-server community command is executed in the Global Configuration command mode.

Table 36 "snmp-server community command parameters and variables" (page 77) describes the parameters and variables for the snmp-server community command.

Table 36
snmp-server community command parameters and variables

Parameters and variables    Description
<community-string>          Enter a community string to be created with access to the specified views.

                            ATTENTION
                            This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.


read-view <view-name>       Changes the read view used by the new community string for different types of SNMP operations.
                            • view-name — specifies the name of the view, that is, a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

ro                          Read-only access with this community string.

rw                          Read/write access with this community string.

write-view <view-name>      Changes the write view used by the new community string for different types of SNMP operations.
                            • view-name — specifies the name of the view, that is, a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

notify-view <view-name>     Changes the notify view settings used by the new community string for different types of SNMP operations.
                            • view-name — specifies the name of the view, that is, a set of MIB objects/instances that can be accessed; enter an alphanumeric string.

show snmp-server command
The show snmp-server command displays the SNMPv3 configuration. The syntax for the show snmp-server command is:

show snmp-server {community|host|user|view}

The show snmp-server command is executed in the Privileged EXEC command mode.

Table 37 "show snmp-server command parameters and variables" (page 79) describes the parameters and variables for the show snmp-server command.


Table 37
show snmp-server command parameters and variables

Parameters and variables
    Description

community|host|user|view
    Displays SNMPv3 configuration information:

    • community strings as configured in SNMPv3 MIBs (this parameter is not displayed when Password Security is enabled)

    • trap receivers as configured in SNMPv3 MIBs

    • SNMPv3 users, including views accessible to each user

    • SNMPv3 views

snmp-server bootstrap command

With the snmp-server bootstrap command, you can specify how you wish to secure SNMP communications, as described in the SNMPv3 standards. This command creates an initial set of configuration data for SNMPv3. This configuration data follows the conventions described in the SNMPv3 standard (in RFC 3414 and 3415). The data consists of a set of initial users, groups, and views. The snmp-server bootstrap command deletes all existing SNMP configurations, so use the command with caution.

The syntax for the snmp-server bootstrap command is:

snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>

The snmp-server bootstrap command is executed in the Global Configuration command mode.

Table 38 "snmp-server bootstrap command parameters and variables" (page 79) describes the parameters and variables for the snmp-server bootstrap command.

Table 38
snmp-server bootstrap command parameters and variables

Parameters and variables
    Description

<minimum-secure>
    Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.


<semi-secure>
    Specifies a partial security configuration that allows read access to a small subset of system information using noAuthNoPriv, and read and write access to everything using authNoPriv.

<very-secure>
    Specifies a maximum security configuration that allows no access.
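The following CLI sequence is an added example, not taken from the Nortel document, that ties the snmp-server bootstrap and snmp-server community commands of this section together. It assumes that enable, configure terminal and end are the switch's usual mode-change commands, that a MIB view named restricted-view already exists (a placeholder name), and it uses a constructed community string. The order matters: because snmp-server bootstrap deletes all existing SNMP configuration, it is issued before any community string is created.

```text
! Added example, not from the Nortel document. Assumes enable / configure
! terminal / end are the standard mode-change commands and that a MIB view
! named "restricted-view" already exists (placeholder name).
enable
configure terminal

! Bootstrap first: this wipes all existing SNMP configuration, so anything
! configured after it survives and anything configured before it does not.
! semi-secure: noAuthNoPriv reads a small subset; authNoPriv reads and
! writes everything.
snmp-server bootstrap semi-secure

! A read-only community bound to a restricted view. Only one of read-view,
! write-view and notify-view is given per command; leaving write-view out
! means this community string can never be used to write.
! (When Password Security is enabled the switch prompts for the string
! instead of accepting it on the command line.)
snmp-server community ro-monitor read-view restricted-view
end

! Verify: the community should show only the read view, and the view should
! cover only the subtrees intended for monitoring.
show snmp-server community
show snmp-server view
```

The check at the end is the part a practitioner should not skip: show snmp-server community confirms that no write-view was attached to the new string, and show snmp-server view confirms what that read view actually exposes.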

Securing your network

You can secure your network using the following CLI commands.

• "Configuring MAC address filter-based security" (page 80)

• "Configuring EAPOL-based security" (page 87)

Configuring MAC address filter-based security

You configure the BaySecure* application using MAC addresses with the following commands:

• "show mac-security command" (page 80)

• "mac-security command" (page 81)

• "mac-security mac-address-table address command" (page 83)

• "mac-security security-list command" (page 83)

• "no mac-security command" (page 84)

• "no mac-security mac-address-table command" (page 84)

• "no mac-security security-list command" (page 85)

• "mac-security command for specific ports" (page 85)

• "mac-security mac-da-filter command" (page 86)

show mac-security command

The show mac-security command displays configuration information for the BaySecure application. The syntax for the show mac-security command is:

show mac-security {config|mac-address-table [address <macaddr>]|port|security-lists|mac-da-filter}

The show mac-security command is executed in the Privileged EXEC command mode.

Table 39 "show mac-security command parameters and variables" (page 81) describes the parameters and variables for the show mac-security command.


Table 39
show mac-security command parameters and variables

Parameters and variables
    Description

config
    Displays the general BaySecure configuration.

mac-address-table [address <macaddr>]
    Displays contents of the BaySecure table of allowed MAC addresses:

    • address specifies a single MAC address to display; enter the MAC address.

port
    Displays the BaySecure status of all ports.

security-lists
    Displays the port membership of all security lists.

mac-da-filter
    Displays MAC DA filtering addresses.

Figure 10 "show mac-security command output" (page 81) shows sample output from the show mac-security command.

Figure 10
show mac-security command output

mac-security command

The mac-security command modifies the BaySecure configuration. The syntax for the mac-security command is:

mac-security [disable|enable] [filtering {enable|disable}] [intrusion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [learning-ports <portlist>] [learning {enable|disable}]|mac-address-table|mac-da-filter|security-list [snmp-lock {enable|disable}] [snmp-trap {enable|disable}]

The mac-security command is executed in the Global Configuration command mode.

Table 40 "mac-security command parameters and values" (page 82) describes the parameters and variables for the mac-security command.


Table 40
mac-security command parameters and variables

Parameters and variables
    Description

disable|enable
    Disables or enables MAC address-based security.

filtering {enable|disable}
    Enables or disables destination address (DA) filtering when an intrusion is detected.

intrusion-detect {enable|disable|forever}
    Specifies the partitioning of a port when an intrusion is detected:

    • enable — port is partitioned for a period of time.

    • disable — port is not partitioned on detection.

    • forever — port is partitioned until manually changed.

intrusion-timer <1-65535>
    Specifies, in seconds, the length of time a port is partitioned when an intrusion is detected; enter the number of seconds to specify.

learning {enable|disable}
    Specifies MAC address learning:

    • enable — enables learning by ports

    • disable — disables learning by ports

    ATTENTION
    The MAC address learning enable command must be executed to specify learning ports.

learning-ports <portlist>
    Specifies the MAC address learning ports. Learned addresses are added to the table of allowed MAC addresses. Enter the ports you want to learn; this can be a single port, a range of ports, several ranges, all, or none.

mac-address-table
    Adds addresses to the MAC security address table.

mac-da-filter
    Adds or deletes MAC DA filtering addresses.

security-list
    Modifies security list port membership.


snmp-lock {enable|disable}
    Enables or disables a lock on SNMP write-access to the BaySecure MIBs.

snmp-trap {enable|disable}
    Enables or disables trap generation when an intrusion is detected.

mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specific port or a security list to the MAC address. This removes any previous assignment to the specified MAC address and creates an entry in the BaySecure table of allowed MAC addresses. The syntax for the mac-security mac-address-table address command is:

mac-security mac-address-table address <H.H.H.> {port <portlist>|security-list <1-32>}

ATTENTION
In this command, portlist must specify only a single port.

The mac-security mac-address-table address command is executed in the Global Configuration command mode.

Table 41 "mac-security mac-address-table address parameters and values" (page 83) describes the parameters and variables for the mac-security mac-address-table address command.

Table 41
mac-security mac-address-table address parameters and variables

Parameters and variables
    Description

<H.H.H>
    Enter the MAC address in the form of H.H.H.

port <portlist>|security-list <1-32>
    Enter the port number or the security list number.

mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list. The syntax for the mac-security security-list command is:

mac-security security-list <1-32> <portlist>


The mac-security security-list command is executed in the Global Configuration command mode.

Table 42 "mac-security security-list command parameters and values" (page 84) describes the parameters and variables for the mac-security security-list command.

Table 42
mac-security security-list command parameters and variables

Parameters and variables
    Description

<1-32>
    Enter the number of the security list that you want to use.

<portlist>
    Enter a list or range of port numbers.

no mac-security command

The no mac-security command disables MAC source address-based security. The syntax for the no mac-security command is:

no mac-security

The no mac-security command is executed in the Global Configuration command mode.

The no mac-security command has no parameters or values.

no mac-security mac-address-table command

The no mac-security mac-address-table command clears entries from the MAC address security table. The syntax for the no mac-security mac-address-table command is:

no mac-security mac-address-table {address <H.H.H.>|port <portlist>|security-list <1-32>}

The no mac-security mac-address-table command is executed in the Global Configuration command mode.

Table 43 "no mac-security mac-address-table command parameters and variables" (page 84) describes the parameters and variables for the no mac-security mac-address-table command.

Table 43
no mac-security mac-address-table command parameters and variables

Parameters and variables
    Description

address <H.H.H>
    Enter the MAC address in the form of H.H.H.


port <portlist>
    Enter a list or range of port numbers.

security-list <1-32>
    Enter the security list number.

no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list. The syntax for the no mac-security security-list command is:

no mac-security security-list <1-32>

The no mac-security security-list command is executed in the Global Configuration command mode.

Table 44 "no mac-security security-list command parameters and variables" (page 85) describes the parameters and variables for the no mac-security security-list command.

Table 44
no mac-security security-list command parameters and variables

Parameters and variables
    Description

<1-32>
    Enter the number of the security list that you want to clear.

mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specific ports. The syntax for the mac-security command for specific ports is:

mac-security [port <portlist>] {disable|enable|learning}

The mac-security command for specific ports is executed in the Interface Configuration command mode.

Table 45 "mac-security command for a single port parameters and variables" (page 86) describes the parameters and variables for the mac-security command for specific ports.


Table 45
mac-security command for a single port parameters and variables

Parameters and variables
    Description

port <portlist>
    Enter the port numbers.

disable|enable|learning
    Directs the specific port:

    • disable — disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed

    • enable — enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is performed

    • learning — disables BaySecure on the specified port and adds the port to the list of ports for which MAC address learning is performed

mac-security mac-da-filter command

With the mac-security mac-da-filter command, you can filter packets from up to 10 specified MAC DAs. You also can use this command to delete such a filter and then receive packets from the specified MAC DA. The syntax for the mac-security mac-da-filter command is:

mac-security mac-da-filter {add|delete} <H.H.H.>

The mac-security mac-da-filter command is executed in the Global Configuration command mode.

Table 46 "mac-security mac-da-filter command parameters and values" (page 86) describes the parameters and variables for the mac-security mac-da-filter command.

Table 46
mac-security mac-da-filter command parameters and values

Parameters and variables
    Description

{add|delete} <H.H.H>
    Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.


ATTENTION
Ensure that you do not enter the MAC address of the management unit.
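The following is an added example, not from the Nortel document, that walks the MAC address filter-based security commands of this section through one complete configuration. It assumes enable, configure terminal, exit and end as mode-change commands and "interface FastEthernet ALL" as the way into Interface Configuration mode (an assumed ERS syntax not shown on this page). The port numbers, MAC addresses and timer values are constructed sample values. The sequence respects two rules the tables above state: learning enable must precede learning-ports, and the per-port enable keyword removes a port from the learning list, so learning ports are switched to enable only once their addresses have been learned.

```text
! Added example, not from the Nortel document. Assumes enable / configure
! terminal / exit / end as mode-change commands and "interface FastEthernet
! ALL" as the entry into Interface Configuration mode (assumed ERS syntax).
! Port numbers, MAC addresses and timers are constructed sample values.
enable
configure terminal

! Group the access ports that share one allowed-address list.
mac-security security-list 1 1-12

! Pin a known device to security list 1 (allowed on any port in the list)
! and another to a single port; this command accepts only one port.
! Addresses use the H.H.H form the manual specifies.
mac-security mac-address-table address 0011.2233.4455 security-list 1
mac-security mac-address-table address 0011.2233.6677 port 13

! Populate the table for the remaining access ports by learning:
! "learning enable" must be executed before "learning-ports" is accepted.
mac-security learning enable
mac-security learning-ports 14-20

! Response to a violation: partition the port for 120 seconds (rather than
! "forever", so a mistaken move does not need a manual recovery), enable DA
! filtering on intrusion, and send a trap so the event reaches the NMS.
! snmp-lock stops the BaySecure MIBs being rewritten over SNMP.
mac-security intrusion-detect enable
mac-security intrusion-timer 120
mac-security filtering enable
mac-security snmp-trap enable
mac-security snmp-lock enable

! Enable the feature globally, then enforce on the pinned access ports.
! Uplink ports 21-24 are deliberately left out so that a partition can
! never isolate the switch itself.
mac-security enable
interface FastEthernet ALL
mac-security port 1-13 enable
! Ports 14-20 stay in learning mode for now; "learning" disables BaySecure
! on them and keeps them on the learning list.
mac-security port 14-20 learning
exit
end

! Verify the state before closing the learning window.
show mac-security config
show mac-security mac-address-table
show mac-security security-lists
show mac-security port

! After the learned addresses are confirmed in the table, enforce on the
! learning ports too: "enable" also removes them from the learning list.
configure terminal
interface FastEthernet ALL
mac-security port 14-20 enable
exit
end
```

The two-phase handling of ports 14-20 is the point of the example: reading Table 45, enable on a port both turns enforcement on and takes the port off the learning list, so enabling it before its addresses are learned would leave the table empty for that port.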

Configuring EAPOL-based security

You can configure security based on the Extensible Authentication Protocol over LAN (EAPOL) by using the following CLI commands:

• "show eapol command" (page 87)

• "show eapol auth-diags interface command" (page 89)

• "show eapol auth-stats interface command" (page 90)

• "eapol command" (page 91)

• "eapol command for modifying parameters" (page 91)

• "eapol guest-vlan command" (page 93)

• "no eapol guest-vlan command" (page 93)

• "default eapol guest-vlan command" (page 93)

show eapol command

The show eapol command displays the status of the EAPOL-based security. The syntax for the show eapol command is:

show eapol [port <portlist>]

The show eapol command is executed in the Privileged EXEC command mode.

Figure 11 "show eapol command output" (page 88) displays sample output from the show eapol command.


Figure 11
show eapol command output

Table 47 "show eapol command output parameters and variables" (page 88) describes the parameters and variables for the show eapol command output.

Table 47
show eapol command output parameters and variables

Parameters and variables
    Description

Port
    Specifies the port on which to change EAPOL settings

Administrative Status
    Specifies the EAP status of the port:

    • Force Unauthorized - Port is always unauthorized

    • Auto - Port authorization status depends on the result of the EAP authentication

    • Force Authorized - Port is always authorized

Auth
    Displays the current EAPOL authorization status for the port

    • Yes - Authorized

    • No - Unauthorized

    This field only specifies the authorization status of the port for EAPoL users and not for Non-EAPoL users. Use the show eapol multihost non-eap status command for Non-EAPoL users.


Admin Dir
    Specifies whether EAPOL authentication is set for incoming and outgoing traffic (Both) or for incoming traffic only (In). For example, if you set the specified port field value to Both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked.

Oper Dir
    Specifies the current operational value for the traffic control direction for the port.

Re-authentication
    Enables or disables re-authentication

Re-authentication Period
    Specifies the time interval between successive re-authentications; the range is <1-604800>

Quiet Period
    Specifies the time interval between authentication failure and start of new authentication; the range is <0-65535>

Transmit Period
    Specifies a waiting period for response from supplicant for EAP Request/Identity packets; the range is <1-65535>

Supplicant Timeout
    Specifies a waiting period for response from supplicant for all EAP packets; the range is <1-65535>

Server Timeout
    Specifies the time to wait for response from RADIUS server; the range is <1-65535>

Max Request
    Specifies the number of times to retry sending packets to supplicant; the range is <1-10>

show eapol auth-diags interface command

The show eapol auth-diags interface command displays EAPOL diagnostics. The syntax for the show eapol auth-diags interface command is:

show eapol auth-diags interface

The show eapol auth-diags interface command is executed in the Privileged EXEC command mode.

Figure 12 "show eapol auth-diags interface command output" (page 90) displays sample output from the show eapol auth-diags interface command.


Figure 12
show eapol auth-diags interface command output

show eapol auth-stats interface command

The show eapol auth-stats interface command displays EAPOL authentication statistics. The syntax for the show eapol auth-stats interface command is:

show eapol auth-stats interface

The show eapol auth-stats interface command is executed in the Privileged EXEC command mode.

Figure 13 "show eapol auth-stats interface command output" (page 90) displays sample output from the show eapol auth-stats interface command.

Figure 13
show eapol auth-stats interface command output


eapol command

The eapol command enables or disables EAPOL-based security. The syntax of the eapol command is:

eapol {disable|enable}

The eapol command is executed in the Global Configuration command mode.

Table 48 "eapol command parameters and variables" (page 91) describes the parameters and variables for the eapol command.

Table 48
eapol command parameters and variables

Parameters and variables
    Description

disable|enable
    Disables or enables EAPOL-based security.

eapol command for modifying parameters

The eapol command for modifying parameters modifies EAPOL-based security parameters for a specific port. The syntax of the eapol command for modifying parameters is:

eapol [port <portlist>] [init] [status authorized|unauthorized|auto] [traffic-control in-out|in] [re-authentication enable|disable] [re-authentication-period <1-604800>] [re-authenticate] [quiet-interval <num>] [transmit-interval <num>] [supplicant-timeout <num>] [server-timeout <num>] [max-request <num>]

The eapol command for modifying parameters is executed in the Interface Configuration command mode.

Table 49 "eapol command for modifying parameters and variables" (page 91) describes the parameters and variables for the eapol command for modifying parameters.

Table 49
eapol command for modifying parameters and variables

Parameters and variables
    Description

port <portlist>
    Specifies the ports to configure for EAPOL; enter the port numbers you want to use.


    ATTENTION
    If you omit this parameter, the system uses the port number that you specified when you issued the interface command.

init
    Reinitiates EAP authentication.

status authorized|unauthorized|auto
    Specifies the EAP status of the port:

    • authorized — Port is always authorized.

    • unauthorized — Port is always unauthorized.

    • auto — Port authorization status depends on the result of the EAP authentication.

traffic-control in-out|in
    Sets the level of traffic control:

    • in-out — If EAP authentication fails, both ingressing and egressing traffic are blocked.

    • in — If EAP authentication fails, only ingressing traffic is blocked.

re-authentication enable|disable
    Enables or disables reauthentication.

re-authentication-period <1-604800>
    Enter the number of seconds that you want between re-authentication attempts. Use either this variable or the reauthentication-interval variable; do not use both variables because they control the same setting.

re-authenticate
    Specifies an immediate reauthentication.

quiet-interval <num>
    Enter the number of seconds that you want between an authentication failure and the start of a new authentication attempt; the range is 1 to 65535.

transmit-interval <num>
    Specifies a waiting period for response from supplicant for EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.


supplicant-timeout <num>
    Specifies a waiting period for response from supplicant for all EAP packets, except EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.

server-timeout <num>
    Specifies a waiting period for response from the server. Enter the number of seconds that you want to wait; the range is 1-65535.

max-request <num>
    Enter the number of times to retry sending packets to supplicant.

eapol guest-vlan command

The eapol guest-vlan command sets the guest VLAN globally.

The syntax for the eapol guest-vlan command is:

eapol guest-vlan [vid <1-4094> | enable]

The eapol guest-vlan command is executed in the Global Configuration command mode and Interface Configuration command mode.

Table 50 "eapol guest-vlan command parameters and variables" (page 93) describes the parameters and variables for the eapol guest-vlan command.

Table 50
eapol guest-vlan command parameters and variables

Parameters and variables
    Description

<vid>
    Guest VLAN ID.

enable
    Enable Guest VLAN.

no eapol guest-vlan command

The no eapol guest-vlan command disables the guest VLAN.

The syntax for the no eapol guest-vlan command is:

no eapol guest-vlan [enable]

The no eapol guest-vlan command is executed in the Global Configuration command mode and Interface Configuration command mode.

default eapol guest-vlan command

The default eapol guest-vlan command disables the guest VLAN.


The syntax for the default eapol guest-vlan command is:

default eapol guest-vlan

The default eapol guest-vlan command is executed in the Global Configuration command mode and Interface Configuration command mode.

The default eapol guest-vlan command has no parameters or variables.

show eapol guest-vlan command

The show eapol guest-vlan command displays the current guest VLAN configuration.

The syntax for the show eapol guest-vlan command is:

show eapol guest-vlan

The show eapol guest-vlan command is executed in the Global Configuration command mode and Interface Configuration command mode.

The show eapol guest-vlan command has no parameters or variables.

Figure 14 "show eapol guest-vlan command output" (page 94) displays sample output from the show eapol guest-vlan command.

Figure 14
show eapol guest-vlan command output
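The following is an added example, not from the Nortel document, that combines the eapol command for modifying parameters (Table 49) with the guest VLAN commands above into one port-authentication configuration. It assumes enable, configure terminal, exit and end as mode-change commands, "interface FastEthernet ALL" as the entry into Interface Configuration mode (assumed ERS syntax not shown on this page), and that the guest VLAN already exists on the switch. Port numbers, the VLAN ID and all timer values are constructed sample values chosen within the ranges the tables give.

```text
! Added example, not from the Nortel document. Assumes enable / configure
! terminal / exit / end as mode-change commands, "interface FastEthernet
! ALL" as the entry into Interface Configuration mode (assumed ERS syntax),
! and that VLAN 99 already exists. Ports, VLAN ID and timers are constructed
! sample values.
enable
configure terminal

! Global switch: none of the per-port settings take effect until EAPOL is
! enabled here.
eapol enable

! Guest VLAN: hosts that never complete EAP land in VLAN 99 instead of
! getting no connectivity at all. vid and enable are separate invocations,
! matching the [vid <1-4094> | enable] syntax.
eapol guest-vlan vid 99
eapol guest-vlan enable

interface FastEthernet ALL
! Access ports: let the RADIUS result decide (auto), block both directions
! on failure (in-out), and re-authenticate every 3600 s so a credential that
! is revoked on the server loses the port within the hour.
eapol port 1-22 status auto traffic-control in-out re-authentication enable re-authentication-period 3600

! Timers, all in seconds and within the ranges of Table 49: wait 60 s after
! a failure before the next attempt, 30 s for a reply to Request/Identity,
! 30 s for any other supplicant reply, 30 s for the RADIUS server, and give
! up after 2 retransmissions.
eapol port 1-22 quiet-interval 60 transmit-interval 30 supplicant-timeout 30 server-timeout 30 max-request 2

! Uplinks carry no supplicant; force them authorized so a failed or absent
! exchange can never cut the switch off from the rest of the network.
eapol port 23-24 status authorized
exit
end

! Verify: Administrative Status should read Auto on 1-22 and Force
! Authorized on 23-24; Admin Dir should read Both on the access ports.
show eapol port 1-24
show eapol guest-vlan
```

The contrast worth noting is traffic-control: with in, a port whose supplicant failed still receives egress traffic (broadcasts and anything flooded to it), so in-out is the setting that actually isolates an unauthenticated station.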

Configuring advanced EAPOL features

Ethernet Routing Switch 2500 Series, Software Release 4.1 supports advanced EAPOL features that allow multiple hosts and non-EAPOL clients on a port.

This section provides information about configuring the following features:

• Multiple Host with Multiple Authentication (MHMA) (see "Configuring multihost support" (page 95))

• Non-EAPOL hosts on EAPOL-enabled ports (see "Configuring support for non-EAPOL hosts on EAPOL-enabled ports" (page 102))

• Multiple Host with Single Authentication (MHSA) (see "Configuring MultiHost Single-Authentication (MHSA)" (page 107))


Configuring multihost support

To configure multihost support, do the following:

1. Enable multihost support for the interface. The relevant command is executed in Interface Configuration mode. You can issue the command for the interface selected when you enter the Interface Configuration mode (so that all ports have the same setting), or you can issue the command for specific ports on the interface.

2. Specify the maximum number of EAP clients allowed on each multihost port. You can issue the command for the interface selected when you enter the Interface Configuration mode (so that all ports have the same setting), or you can issue the command for specific ports on the interface.

eapol multihost command

The eapol multihost command controls the global multihost settings.

The syntax for the eapol multihost command is:

eapol multihost {[allow-non-eap-enable] [auto-non-eap-mhsa-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}

This command is executed in the Global Configuration command mode.

"eapol multihost parameters and variables" (page 95) describes the parameters and variables for the eapol multihost command.

eapol multihost command parameters and variables

Parameters and variables
    Description

allow-non-eap-enable
    Enables MAC addresses of non-EAP clients.

auto-non-eap-mhsa-enable
    Enables auto-authentication of non-EAP clients in MHSA mode

radius-non-eap-enable
    Enables RADIUS authentication of non-EAP clients

use-radius-assigned-vlan
    Allows use of RADIUS-assigned VLAN value

non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}
    Sets bits in RADIUS non-EAPOL password format

no eapol multihost command

The no eapol multihost command disables EAPOL multihost.

This command is executed in the Global Configuration command mode.


The syntax for the no eapol multihost command is:

no eapol multihost {[allow-non-eap-enable] [auto-non-eap-mhsa-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}

"no eapol multihost parameters" (page 96) describes the parameters and variables for the no eapol multihost command.

no eapol multihost command parameters and variables

Parameters and variables
    Description

allow-non-eap-enable
    Disables control of non-EAP clients (MAC addresses)

auto-non-eap-mhsa-enable
    Disables auto-authentication of non-EAP clients in MHSA mode

radius-non-eap-enable
    Disables RADIUS authentication of non-EAP clients

use-radius-assigned-vlan
    Allows use of RADIUS-assigned VLAN value

non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}
    Clears bits from RADIUS non-EAPOL password format

default eapol multihost command

The default eapol multihost command sets the EAPoL multihost feature to default.

This command is executed in the Global Configuration command mode.

The syntax for the default eapol multihost command is:

default eapol multihost {[allow-non-eap-enable] [auto-non-eap-mhsa-enable] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}

"default eapol multihost parameters" (page 96) describes the parameters and variables for the default eapol multihost command.

default eapol multihost command parameters and variables

Parameters and variables
    Description

allow-non-eap-enable
    Resets control of non-EAP clients (MAC addresses)

auto-non-eap-mhsa-enable
    Disables auto-authentication of non-EAP clients in MHSA mode

radius-non-eap-enable
    Disables RADIUS authentication of non-EAP clients


use-radius-assigned-vlan
    Allows use of RADIUS-assigned VLAN value

non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}
    Restores default format for RADIUS non-EAPOL password attribute

eapol multihost command for a port

The eapol multihost command controls the multihost settings for a specific port or for all ports on an interface.

This command is executed in the Interface Configuration mode.

The syntax for the eapol multihost command is:

eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsa-enable] [eap-mac-max {<1-32>}] [enable] [non-eap-mac-max {<1-32>}] [radius-non-eap-enable] [use-radius-assigned-vlan] [port {<portlist>}] [non-eap-mac {H.H.H | port}]

"eapol multihost parameters and variables" (page 97) describes the parameters and variables for the eapol multihost command.

eapol multihost command parameters and variables

Parameters and variables
    Description

allow-non-eap-enable
    Enables MAC addresses of non-EAP clients.

auto-non-eap-mhsa-enable
    Enables auto-authentication of non-EAP clients in MHSA mode

eap-mac-max {<1-32>}
    Specifies the maximum number of EAP-authenticated MAC addresses allowed

enable
    Allows EAP clients (MAC addresses)

non-eap-mac-max {<1-32>}
    Specifies the maximum number of non-EAP authenticated MAC addresses allowed

port {<portlist>}
    Displays port number on which to apply EAPOL multihost settings

radius-non-eap-enable
    Enables RADIUS authentication of non-EAP clients

use-radius-assigned-vlan
    Allows use of RADIUS-assigned VLAN value

non-eap-mac {H.H.H | port}
    Allows non-EAPoL MAC address
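The following is an added example, not from the Nortel document, that carries out the two-step multihost procedure given at the start of this section (enable multihost on the interface, then cap the number of EAP clients per port) with the global and per-port eapol multihost commands listed above. It assumes enable, configure terminal, exit and end as mode-change commands and "interface FastEthernet ALL" as the entry into Interface Configuration mode (assumed ERS syntax not shown on this page); it also assumes that the port keyword may be given first, as in the per-port eapol command, since the manual's syntax line does not fix an argument order. Port numbers and limits are constructed sample values.

```text
! Added example, not from the Nortel document. Assumes enable / configure
! terminal / exit / end as mode-change commands and "interface FastEthernet
! ALL" as the entry into Interface Configuration mode (assumed ERS syntax).
! Giving "port" first is an assumption about argument order. Ports and
! limits are constructed sample values.
enable
configure terminal

! Global multihost policy: admit non-EAP stations, but only after RADIUS has
! authenticated them by MAC address, and build the RADIUS password for those
! MAC-based requests from the client's MAC address (non-eap-pwd-fmt). The
! RADIUS server must be configured to expect the same format.
eapol multihost allow-non-eap-enable radius-non-eap-enable non-eap-pwd-fmt mac-addr

interface FastEthernet ALL
! Step 1 of the procedure: enable multihost on the ports that carry more
! than one station (for example an IP phone with a PC behind it), and allow
! non-EAP stations on those ports.
eapol multihost port 1-22 enable allow-non-eap-enable radius-non-eap-enable

! Step 2: cap the number of EAP-authenticated and non-EAP MAC addresses per
! port, so that a hub or unmanaged switch behind the port cannot admit an
! unbounded number of stations. Both limits take values in 1-32.
eapol multihost port 1-22 eap-mac-max 2 non-eap-mac-max 1
exit
end

! Verify: show eapol reports only EAPoL authorization; non-EAP stations are
! listed by the multihost non-eap status command named in Table 47.
show eapol port 1-22
show eapol multihost non-eap status
```

Keeping radius-non-eap-enable on alongside allow-non-eap-enable is the security-relevant choice here: allow-non-eap-enable on its own admits non-EAP MAC addresses, while radius-non-eap-enable makes each such address subject to a RADIUS decision, so the two are set together.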


no eapol multihost command for a port

The no eapol multihost command disables the EAPOL multihost settings for a specific port or for all ports on an interface.

This command is executed in the Interface configuration mode.

The syntax for the no eapol multihost command is:

no eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsa-enable] [enable] [port] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-mac {H.H.H | port}]

"no eapol multihost parameters and variables" (page 98) describes the parameters and variables for the no eapol multihost command.

no eapol multihost command parameters and variables

Parameter and Variables           Description

allow-non-eap-enable              Disables MAC addresses of non-EAP clients.

auto-non-eap-mhsa-enable          Disables auto-authentication of non-EAP clients in MHSA mode

enable                            Disallows EAP clients (MAC addresses)

port                              Specifies the port or ports on which to apply the EAPOL multihost settings

radius-non-eap-enable             Disables RADIUS authentication of non-EAP clients

use-radius-assigned-vlan          Disallows use of the RADIUS-assigned VLAN value

non-eap-mac {H.H.H | port}        Allows a non-EAPOL MAC address

non-eap-mac-max {<1-32>}          Specifies the maximum number of non-EAP authenticated MAC addresses allowed

default eapol multihost command for a port

The default eapol multihost command sets the multihost settings for a specific port or for all the ports on an interface to default.

This command is executed in the Interface configuration mode.

The syntax for the default eapol multihost command is:

default eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsa-enable] [eap-mac-max {<1-32>}] [enable] [non-eap-mac-max {<1-32>}] [port {<portlist>}] [radius-non-eap-enable] [use-radius-assigned-vlan] [non-eap-mac {H.H.H | port}]


Securing your network 99

"default eapol multihost parameters" (page 99) describes the parameters and variables for the default eapol multihost command.

default eapol multihost command parameters and variables

Parameter and Variables           Description

allow-non-eap-enable              Resets control of non-EAP clients (MAC addresses) to default

auto-non-eap-mhsa-enable          Disables auto-authentication of non-EAP clients

eap-mac-max <1-32>                Resets the maximum number of EAP-authenticated MAC addresses allowed to default

enable                            Resets control of whether EAP clients (MAC addresses) are allowed to default

non-eap-mac-max <1-32>            Resets the maximum number of non-EAP authenticated MAC addresses allowed to default

port <portlist>                   Specifies the port or ports on which to disable EAPOL

radius-non-eap-enable             Enables RADIUS authentication of non-EAP clients

use-radius-assigned-vlan          Allows use of RADIUS-assigned VLAN values

non-eap-mac {H.H.H | port}        Resets the non-EAP MAC addresses to default

eapol multihost non-eap-mac command

The eapol multihost non-eap-mac command configures the MAC addresses of non-EAPOL hosts on a specific port or on all ports on an interface.

This command is executed in the Interface configuration mode.

The syntax for the eapol multihost non-eap-mac command is:

eapol multihost non-eap-mac [port <portlist>] <H.H.H>

"eapol multihost non-eap-mac command parameters and variables" (page 100) describes the parameters and variables for the eapol multihost non-eap-mac command.


100 Configuring Security using the CLI

eapol multihost non-eap-mac command parameters and variables

Parameter and Variables           Description

port                              Port on which to apply EAPOL settings

H.H.H                             MAC address of the allowed non-EAPOL host

show eapol multihost command

The show eapol multihost command displays global settings for non-EAPOL hosts on EAPOL-enabled ports.

This command is executed in the privExec, Global, and Interface configuration mode.

The syntax for the show eapol multihost command is:

show eapol multihost

"show eapol multihost command parameters and variables" (page 100) describes the parameters and variables for the show eapol multihost command.

show eapol multihost command parameters and variables

Parameters and variables          Description

interface                         Displays the EAPOL multihost port configuration

non-eap-mac                       Displays the allowed non-EAPOL MAC addresses

status                            Displays the EAPOL multihost port status

"show eapol multihost command output" (page 100) displays sample output from the show eapol multihost command:

show eapol multihost command output

show eapol multihost interface command

The show eapol multihost interface command displays non-EAPOL support settings for each port.


Securing your network 101

This command is executed in the privExec, Global, and Interface configuration mode.

The syntax for the show eapol multihost interface command is:

show eapol multihost interface [<portList>]

"show eapol multihost interface parameters and variables" (page 101) describes the parameters and variables for the show eapol multihost interface command.

show eapol multihost interface command parameters and variables

Parameter and Variables           Description

portList                          List of ports

"show eapol multihost interface command output" (page 101) displays sample output from the show eapol multihost interface command:

show eapol multihost interface command output

show eapol multihost non-eap-mac status command

The show eapol multihost non-eap-mac status command displays information about non-EAPOL hosts currently active on the switch.

This command is executed in the Privileged EXEC, Global, and Interface Configuration mode.


102 Configuring Security using the CLI

The syntax for the show eapol multihost non-eap-mac status command is:

show eapol multihost non-eap-mac status [<portList>]

"show eapol multihost non-eap-mac status command parameters and variables" (page 102) describes the parameters and variables for the show eapol multihost non-eap-mac status command.

show eapol multihost non-eap-mac status command parameters and variables

Parameter and Variables           Description

portList                          List of ports

The following figure displays sample output from the show eapol multihost non-eap-mac status command:

Figure 15  show eapol multihost non-eap-mac status command output

Configuring support for non-EAPOL hosts on EAPOL-enabled ports

This section describes how to configure non-EAPOL authentication.

To configure support for non-EAPOL hosts on EAPOL-enabled ports, do the following:

1. Enable non-EAPOL support globally on the switch and locally (for the desired interface ports), using one or both of the following authentication methods:

a. local authentication (see "Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports" (page 103))

b. RADIUS authentication (see "Enabling RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports" (page 103))

2. Enable EAPOL multihost on the ports.

3. Specify the maximum number of non-EAPOL MAC addresses allowed on a port (see "Specifying the maximum number of non-EAPOL hosts allowed" (page 105)).

4. For local authentication only, identify the MAC addresses of non-EAPOL hosts allowed on the ports (see "Creating the allowed non-EAPOL MAC address list" (page 105)).


Securing your network 103

By default, support for non-EAPOL hosts on EAPOL-enabled ports is disabled.

Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports

For local authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface.

To enable local authentication of non-EAPOL hosts globally on the switch, use the following command in Global configuration mode:

eapol multihost allow-non-eap-enable

To enable local authentication of non-EAPOL hosts for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] allow-non-eap-enable

where

<portlist> is the list of ports on which you want to enable non-EAPOL hosts using local authentication. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

To discontinue local authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface configuration modes.

Enabling RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports

For RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface.

To enable RADIUS authentication of non-EAPOL hosts globally on the switch, use the following command in Global configuration mode:

eapol multihost radius-non-eap-enable

"eapol multihost radius-non-eap-enable command parameters and variables" (page 103) describes the parameters and variables for the eapol multihost radius-non-eap-enable command.

eapol multihost radius-non-eap-enable command parameters and variables

Parameter and Variable            Description

radius-non-eap-enable             Globally enables RADIUS authentication for non-EAPOL hosts


104 Configuring Security using the CLI

To enable RADIUS authentication of non-EAPOL hosts for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] radius-non-eap-enable

"eapol multihost radius-non-eap-enable command: Interface mode" (page 104) describes the parameters and variables for the eapol multihost radius-non-eap-enable command in Interface mode.

eapol multihost radius-non-eap-enable command: Interface mode parameters and variables

Parameters and Variables          Description

portlist                          Specifies the port or ports on which you want RADIUS authentication enabled. You can enter a single port, several ports or a range of ports. If you do not specify a port parameter, the command enables RADIUS authentication of non-EAP hosts on all ports on the interface.

radius-non-eap-enable             Enables RADIUS authentication on the desired interface or on a specific port, for non-EAPOL hosts.

The default for this feature is 'disabled'.

To discontinue RADIUS authentication of non-EAPOL hosts on EAPOL-enabled ports, use the no or default keywords at the start of the commands in both the Global and Interface configuration modes.

Configuring the format of the RADIUS password attribute when authenticating non-EAP MAC addresses using RADIUS

To configure the format of the RADIUS password when authenticating non-EAP MAC addresses using RADIUS, use the following command in the Global configuration mode:

eapol multihost non-eap-pwd-fmt

The syntax for the eapol multihost non-eap-pwd-fmt command is:

eapol multihost non-eap-pwd-fmt { [ip-addr] [mac-addr] [port-number] }

"eapol multihost non-eap-pwd-fmt command parameters and variables" (page 105) describes the parameters and variables for the eapol multihost non-eap-pwd-fmt command.


Securing your network 105

eapol multihost non-eap-pwd-fmt command parameters and variables

Parameter                         Description

ip-addr                           Specifies the IP address of the non-EAP client.

mac-addr                          Specifies the MAC address of the non-EAP client.

port-number                       Specifies the port number for which you want the RADIUS password attribute configured.

To discontinue configuration of the RADIUS password attribute format, use the no or default keywords at the start of the commands, in the Global configuration mode.

Specifying the maximum number of non-EAPOL hosts allowed

To configure the maximum number of non-EAPOL hosts allowed for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>] non-eap-mac-max <value>

where

<portlist> is the list of ports to which you want the setting to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command sets the value for all ports on the interface.

<value> is an integer in the range 1–32 that specifies the maximum number of non-EAPOL clients allowed on the port at any one time. The default is 1.

ATTENTION
The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.

Creating the allowed non-EAPOL MAC address list

To specify the MAC addresses of non-EAPOL hosts allowed on a specific port or on all ports on an interface, for local authentication, use the following command in Interface configuration mode:

eapol multihost non-eap-mac [port <portlist>] <H.H.H>

where

<portlist> is the list of ports on which you want to allow the specified non-EAPOL hosts. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies to all ports on the interface.

<H.H.H> is the MAC address of the allowed non-EAPOL host.
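The four-step procedure for non-EAPOL hosts and the per-step commands above can be scripted. The following Python is an added example (not Nortel code): it emits the CLI lines for a chosen policy and checks the limits the manual states (non-eap-mac-max 1 to 32, allowed MAC lists only with local authentication, the combined maxima of roughly 200 per box and 800 per stack). NonEapPortPolicy, build_non_eap_config, and the reading of H.H.H as three groups of four hex digits are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: H.H.H means three groups of four hex digits, e.g. 0011.2233.4455.
MAC_HHH = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")

# Limits stated by the manual: non-eap-mac-max is 1-32 per port (default 1), and
# Nortel expects combined maxima of roughly 200 per box and 800 per stack.
MAX_NON_EAP_PER_PORT = 32
EXPECTED_MAX_PER_BOX = 200
EXPECTED_MAX_PER_STACK = 800


@dataclass
class NonEapPortPolicy:
    """What one <portlist> should admit (hypothetical type for this example)."""
    ports: str                        # <portlist> exactly as typed, e.g. "1-4" or "7"
    local_auth: bool = False          # step 1a: allow-non-eap-enable
    radius_auth: bool = False         # step 1b: radius-non-eap-enable
    non_eap_mac_max: int = 1          # step 3: <value> in 1-32, default 1
    allowed_macs: list = field(default_factory=list)  # step 4: H.H.H, local auth only


def port_count(portlist: str) -> int:
    """Number of ports named by a CLI portlist such as "1-4,7,9-10"."""
    total = 0
    for piece in portlist.split(","):
        lo, _, hi = piece.partition("-")
        total += (int(hi) - int(lo) + 1) if hi else 1
    return total


def build_non_eap_config(policies, units_in_stack=1):
    """Return (global_cmds, interface_cmds, warnings) implementing steps 1-4.

    Raises ValueError when a policy breaks a constraint the manual states."""
    any_local = any(p.local_auth for p in policies)
    any_radius = any(p.radius_auth for p in policies)
    if not (any_local or any_radius):
        raise ValueError("step 1: choose local and/or RADIUS authentication")

    # Step 1, global half (Global configuration mode).
    global_cmds = []
    if any_local:
        global_cmds.append("eapol multihost allow-non-eap-enable")
    if any_radius:
        global_cmds.append("eapol multihost radius-non-eap-enable")

    # Steps 1-4, per port (Interface configuration mode).
    iface_cmds = []
    combined_max = 0
    for p in policies:
        if not 1 <= p.non_eap_mac_max <= MAX_NON_EAP_PER_PORT:
            raise ValueError(f"non-eap-mac-max {p.non_eap_mac_max} is outside 1-{MAX_NON_EAP_PER_PORT}")
        if p.allowed_macs and not p.local_auth:
            raise ValueError("step 4: an allowed MAC list applies to local authentication only")
        for mac in p.allowed_macs:
            if not MAC_HHH.match(mac):
                raise ValueError(f"{mac!r} is not an H.H.H MAC address")
        prefix = f"eapol multihost port {p.ports}"
        if p.local_auth:
            iface_cmds.append(f"{prefix} allow-non-eap-enable")
        if p.radius_auth:
            iface_cmds.append(f"{prefix} radius-non-eap-enable")
        iface_cmds.append(f"{prefix} enable")                               # step 2
        iface_cmds.append(f"{prefix} non-eap-mac-max {p.non_eap_mac_max}")  # step 3
        for mac in p.allowed_macs:                                          # step 4
            iface_cmds.append(f"eapol multihost non-eap-mac port {p.ports} {mac}")
        combined_max += p.non_eap_mac_max * port_count(p.ports)

    # The ATTENTION note: flag a combined ceiling above what Nortel says to
    # expect, so the operator can lower the per-port caps before deploying.
    expected = EXPECTED_MAX_PER_STACK if units_in_stack > 1 else EXPECTED_MAX_PER_BOX
    warnings = []
    if combined_max > expected:
        warnings.append(f"combined non-EAPOL maximum {combined_max} exceeds the ~{expected} Nortel expects")
    return global_cmds, iface_cmds, warnings
```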

Viewing non-EAPOL host settings and activity

Various show commands allow you to view:

• global settings (see "Viewing global settings for non-EAPOL hosts" (page 106))

• port settings (see "Viewing port settings for non-EAPOL hosts" (page 106))

• allowed MAC addresses, for local authentication (see "Viewing allowed MAC addresses" (page 106))

• current non-EAPOL hosts active on the switch (see "Viewing current non-EAPOL host activity" (page 107))

• status in the Privilege Exec mode (see "show eapol multihost status command" (page 107))

Viewing global settings for non-EAPOL hosts

To view global settings for non-EAPOL hosts on EAPOL-enabled ports, use the following command in Privileged EXEC, Global configuration, or Interface configuration mode:

show eapol multihost

The display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled.

Viewing port settings for non-EAPOL hosts

To view non-EAPOL support settings for each port, use the following command in Privileged EXEC, Global configuration, or Interface configuration mode:

show eapol multihost interface [<portlist>]

where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

For each port, the display shows whether local and RADIUS authentication of non-EAPOL clients is enabled or disabled, and the maximum number of non-EAPOL clients allowed at a time.

Viewing allowed MAC addresses

To view the MAC addresses of non-EAPOL hosts allowed to access ports on an interface, use the following command in Privileged EXEC, Global configuration, or Interface configuration mode:


Securing your network 107

show eapol multihost non-eap-mac interface [<portlist>]

where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

The display lists the ports and the associated allowed MAC addresses.

Viewing current non-EAPOL host activity

To view information about non-EAPOL hosts currently active on the switch, use the following command in Privileged EXEC, Global configuration, or Interface configuration mode:

show eapol multihost non-eap-mac status [<portlist>]

where

<portlist> is the list of ports you want to view. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command displays all ports.

show eapol multihost status command

The show eapol multihost status command displays the multihost status of EAPOL clients on EAPOL-enabled ports.

The syntax for the show eapol multihost status command is:

show eapol multihost status [<interface-type>] [<interface-id>]

"show eapol multihost status command parameters and variables" (page 107) describes the parameters and variables for the show eapol multihost status command.

show eapol multihost status command parameters and variables

Parameter                         Description

interface-id                      Displays the interface ID

interface-type                    Displays the type of interface used

The show eapol multihost status command is executed in the Privileged EXEC command mode.

Configuring MultiHost Single-Authentication (MHSA)

To configure MHSA support, do the following:

1. Enable MHSA globally on the switch (see "Globally enabling support for MHSA" (page 108)).


108 Configuring Security using the CLI

2. Configure MHSA settings for the interface or for specific ports on the interface (see "Configuring interface and port settings for MHSA" (page 108)):

a. Enable MHSA support.

b. Specify the maximum number of non-EAPOL MAC addresses allowed.

By default, MHSA support on EAP-enabled ports is disabled.

Globally enabling support for MHSA

To enable support for MHSA globally on the switch, use the following command in Global configuration mode:

eapol multihost auto-non-eap-mhsa-enable

To discontinue support for MHSA globally on the switch, use one of the following commands in Global configuration mode:

no eapol multihost auto-non-eap-mhsa-enable

default eapol multihost auto-non-eap-mhsa-enable

Configuring interface and port settings for MHSA

To configure MHSA settings for a specific port or for all ports on an interface, use the following command in Interface configuration mode:

eapol multihost [port <portlist>]

where

<portlist> is the list of ports to which you want the settings to apply. You can enter a single port, a range of ports, several ranges, or all. If you do not specify a port parameter, the command applies the settings to all ports on the interface.

This command includes the following parameters for configuring MHSA:

eapol multihost [port <portlist>]

followed by:

auto-non-eap-mhsa-enable          Enables MHSA on the port. The default is disabled. To disable MHSA, use the no or default keywords at the start of the command.

non-eap-mac-max <value>           Sets the maximum number of non-EAPOL clients allowed on the port at any one time.

• <value> is an integer in the range 1 to 32. The default is 1.


Securing your network 109

ATTENTION
The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.

Viewing MHSA settings and activity

For information about the commands to view MHSA settings and non-EAPOL host activity, see "Viewing non-EAPOL host settings and activity" (page 106).


110 Configuring Security using the CLI

Configuring Security using Device Manager

You can set the security features for a switch so that when a violation occurs the right actions are performed by the software. The security actions that you specify are applied to all ports of the switch.

This chapter describes the Security information available in Device Manager, and includes the following topics:

• "EAPOL tab" (page 110)

• "General tab" (page 111)

• "SecurityList tab" (page 114)

• "AuthConfig tab" (page 116)

• "AuthStatus tab" (page 119)

• "AuthViolation tab" (page 122)

• "SSH tab" (page 122)

• "SSH Sessions tab" (page 124)

• "Radius Server tab" (page 125)

• "Configuring EAPOL on ports" (page 126)

• "Configuring SNMP" (page 141)

• "Working with SNMPv3" (page 147)

EAPOL tab

The EAPOL tab lets you set and view EAPOL security information for the switch.

To view the EAPOL tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security. The Security dialog box appears with the EAPOL tab displayed.

The following figure displays the EAPOL tab.

—End—


Configuring Security using Device Manager 111

Figure 16  EAPOL tab

General tab

The General tab lets you set and view general security information for the switch.

To view the General tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security dialog box appears with the EAPOL tab displayed.

2 Click the General tab.

The General tab appears.

The following figure displays the General tab.


112 Configuring Security using the CLI

Figure 17  General tab

—End—

General tab fields

Table 51 "General tab fields" (page 112) describes the General tab fields.

Table 51  General tab fields

Field                   Description

AuthSecurityLock        If this parameter is listed as locked, the agent refuses all requests to modify the security configuration. Entries also include:

• other

• notlocked

AuthCtlPartTime         This value indicates the duration of the time for port partitioning in seconds. The default is zero. When the value is zero, the port remains partitioned until it is manually enabled.

SecurityStatus          Indicates whether or not the switch security feature is enabled.


SecurityMode            Mode of switch security. Entries include:

• macList: Indicates that the switch is in the MAC-list mode. You can configure more than one MAC address per port.

• autoLearn: Indicates that the switch learns the first MAC address on each port as an allowed address of that port.

SecurityAction          Actions performed by the software when a violation occurs (when SecurityStatus is enabled). The security action specified here applies to all ports of the switch.

A blocked address causes the port to be partitioned when unauthorized access is attempted. Selections include:

• noAction: Port does not have any security assigned to it, or the security feature is turned off.

• trap: Listed trap.

• partitionPort: Port is partitioned.

• partitionPortAndsendTrap: Port is partitioned, and traps are sent to the trap receiver.

• daFiltering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station.

• daFilteringAndsendTrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.

• partitionPortAnddaFiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station.

• partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to trap receivers.


CurrNodesAllowed        Current number of entries of the nodes allowed in the AuthConfig tab.

MaxNodesAllowed         Maximum number of entries of the nodes allowed in the AuthConfig tab.

PortSecurityStatus      Set of ports for which security is enabled.

PortLearnStatus         Set of ports where autolearning is enabled.

CurrSecurityLists       Current number of entries of the Security listed in the SecurityList tab.

MaxSecurityLists        Maximum entries of the Security listed in the SecurityList tab.

SecurityList tab

The SecurityList tab contains a list of Security port fields.

To view the SecurityList tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the SecurityList tab.

The SecurityList tab appears.

The following figure displays the SecurityList tab.

Figure 18  SecurityList tab

—End—

SecurityList tab fields

Table 52 "SecurityList tab fields" (page 115) describes the SecurityList tab fields.


Configuring Security using Device Manager 115

Table 52  SecurityList tab fields

Field                   Description

SecurityListIndx        An index of the security list. This corresponds to the SecurityList field in the AuthConfig tab.

SecurityListMembers     The set of ports that are currently members in the Port list.

Security, Insert SecurityList dialog box

To view the Security, Insert SecurityList dialog box, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed (EAPOL tab).

2 Click the SecurityList tab.

The SecurityList tab appears (SecurityList tab).

3 Click Insert.

The Security, Insert SecurityList dialog box appears.

Figure 19  Security, Insert SecurityList dialog box

4 To add ports to the security list, in the SecurityListMembers field, click the ellipsis (...). The SecurityListMembers dialog box appears.

5 Select the ports to include in the SecurityList, and click OK.

6 Click Insert.

—End—


116 Configuring Security using the CLI

Table 53 "Security, Insert SecurityList dialog box fields" (page 116) describes the Security, Insert SecurityList dialog box fields.

Table 53  Security, Insert SecurityList dialog box fields

Field                   Description

SecurityListIndx        An index of the security list. This corresponds to the Security port list that can be used as an index into the AuthConfig tab.

SecurityListMembers     The set of ports that are currently members in the Port list.

AuthConfig tab

The AuthConfig tab contains a list of boards, ports, and MAC addresses that have the security configuration. An SNMP SET PDU for a row in the tab requires the entire sequence of the MIB objects in each entry to be stored in one PDU. Otherwise, the GENERR return-value is returned.

To view the AuthConfig tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed (EAPOL tab).

2 Click the AuthConfig tab.

The AuthConfig tab appears.

Figure 20  AuthConfig tab

—End—

"AuthConfig tab fields" (page 116) describes the AuthConfig tab fields.


Configuring Security using Device Manager 117

Table 54  AuthConfig tab fields

Field                   Description

BrdIndx                 Index of the slot that contains the board on which the port is located. If you specify SecureList, this field must be zero.

PortIndx                Index of the port on the board. If you specify SecureList, this field must be zero.

MACIndx                 An index of MAC addresses that are designated as allowed (station).

AccessCtrlType          Displays the node entry as node allowed. A MAC address can be allowed on multiple ports.

SecureList              The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero.

The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.

Security, Insert AuthConfig dialog box

To view the Security, Insert AuthConfig dialog box, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the AuthConfig tab.

The AuthConfig tab appears.

3 Click Insert.

The Security, Insert AuthConfig dialog box appears.


118 Configuring Security using the CLI

Figure 21  Security, Insert AuthConfig dialog box

4 Complete the fields as required and click Insert.

The new entry appears in the AuthConfig tab.

—End—

Security, Insert AuthConfig dialog box fields

Table 55 "Security, Insert AuthConfig dialog box fields" (page 118) describes the Security, Insert AuthConfig dialog box fields.

Table 55  Security, Insert AuthConfig dialog box fields

Field                   Description

BrdIndx                 Index of the board. This corresponds to the index of the unit that contains the board, but only if the index is greater than zero. A zero index is a wild card.

PortIndx                Index of the port on the board. This corresponds to the index of the last manageable port on the board, but only if the index is greater than zero. A zero index is a wild card.

MACIndx                 An index of MAC addresses that are either designated as allowed (station) or not-allowed (station).

AccessCtrlType          Displays whether the node entry is node allowed or node blocked. A MAC address can be allowed on multiple ports.

SecureList              The index of the security list. This value is meaningful only if BrdIndx and PortIndx values are set to zero. For other board and port index values, this index must also have the value of zero.

The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.


AuthStatus tab
The AuthStatus tab displays information about the authorized boards and port status data collection. This information includes actions to be performed when an unauthorized station is detected, and the current security status of a port. Entries in this tab can include:

• a single MAC address

• all MAC addresses on a single port

• a single port

• all the ports on a single board

• a particular port on all the boards

• all the ports on all the boards

To view the AuthStatus tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the AuthStatus tab.

The AuthStatus tab appears.

The following figure displays the AuthStatus tab.


Figure 22 AuthStatus tab

—End—

• "AuthStatus tab fields" (page 120)

AuthStatus tab fields
Table 56 "AuthStatus tab fields" (page 120) describes the AuthStatus tab fields.

Table 56 AuthStatus tab fields

Field Description

AuthStatusBrdIndx The index of the board. This corresponds to the index of the slot that contains the board if the index is greater than zero.

AuthStatusPortIndx The index of the port on the board. This corresponds to the index of the last manageable port on the board if the index is greater than zero.

AuthStatusMACIndx The index of the MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.


CurrentAccessCtrlType Displays whether the node entry is the node allowed or node blocked type.

CurrentActionMode The action the port takes when an unauthorized station is detected. Values include:

noAction: Port does not have any security assigned to it, or the security feature is turned off.

partitionPort: Port is partitioned.

partitionPortAndsendTrap: Port is partitioned and traps are sent to the trap receiver.

daFiltering: Port filters out the frames where the destination address field is the MAC address of the unauthorized station.

daFilteringAndsendTrap: Port filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receiver.

sendTrap: A trap is sent to the trap receiver(s).

partitionPortAnddaFiltering: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station.

partitionPortdaFilteringAndsendTrap: Port is partitioned and filters out the frames where the destination address field is the MAC address of the unauthorized station. Traps are sent to the trap receiver(s).

Note that sendTrap on its own only notifies, and the daFiltering modes only drop frames addressed to the unauthorized station while the port stays up; only the partitionPort modes actually take the port out of service. Choose the mode according to whether notification or enforcement is required.

CurrentPortSecurStatus Displays the security status of the current port, including:

• If the port is disabled, notApplicable is returned.

• If the port is in a normal state, portSecure is returned.

• If the port is partitioned, portPartition is returned.
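As an added worked example (not code from the Nortel documentation or from the switch software), the following Python models how the AuthConfig rows combine with the CurrentActionMode of a port: the zero wild cards in BrdIndx and PortIndx, SecureList membership, the allowed/blocked AccessCtrlType, and the partition/filter/trap effects of each action mode. The security lists, the sample MAC addresses, the rule that an unknown station is a violation, and the precedence of a blocked row over an allowed row on a tie are assumptions of the example and are labelled as such in the code.

```python
"""MAC address security: AuthConfig rows -> AuthStatus / AuthViolation results."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthConfigEntry:
    """One row of the AuthConfig tab (names follow Table 55)."""
    brd: int                 # BrdIndx: unit/slot, 0 = wild card
    port: int                # PortIndx: port on the unit, 0 = wild card
    mac: str                 # the station's MAC address
    allowed: bool            # AccessCtrlType: True = node allowed, False = node blocked
    secure_list: int = 0     # SecureList: only meaningful when brd == port == 0


# Hypothetical security lists for this example: list index -> set of (unit, port).
SECURITY_LISTS = {1: {(1, 4), (1, 5)}}


def entry_covers(entry, security_lists, brd, port):
    """Does this row apply to the unit/port on which the station was seen?"""
    if entry.brd == 0 and entry.port == 0 and entry.secure_list:
        return (brd, port) in security_lists.get(entry.secure_list, set())
    return entry.brd in (0, brd) and entry.port in (0, port)


def specificity(entry):
    # An explicit unit and port (2) beats a security list or a half wild card (1),
    # which beats a full wild card (0). This ranking is an assumption of the example.
    return int(entry.brd != 0) + int(entry.port != 0) + int(entry.secure_list != 0)


def station_allowed(entries, security_lists, brd, port, mac):
    """Decide whether `mac` may transmit on unit `brd`, port `port`.

    Assumptions: a station with no matching row is unauthorized (MAC security is an
    allow list); the most specific matching row wins; on a tie a 'node blocked'
    row wins over a 'node allowed' row.
    """
    mac = mac.lower()
    matches = [e for e in entries if e.mac.lower() == mac
               and entry_covers(e, security_lists, brd, port)]
    if not matches:
        return False
    best = max(specificity(e) for e in matches)
    return all(e.allowed for e in matches if specificity(e) == best)


# CurrentActionMode -> (partition the port, filter frames to the station, send a trap)
ACTION_EFFECTS = {
    "noAction": (False, False, False),
    "partitionPort": (True, False, False),
    "partitionPortAndsendTrap": (True, False, True),
    "daFiltering": (False, True, False),
    "daFilteringAndsendTrap": (False, True, True),
    "sendTrap": (False, False, True),
    "partitionPortAnddaFiltering": (True, True, False),
    "partitionPortdaFilteringAndsendTrap": (True, True, True),
}


@dataclass
class PortSecurityStatus:
    """What the AuthStatus and AuthViolation tabs would show for one port."""
    partitioned: bool = False
    filtered_macs: set = field(default_factory=set)   # DA-filtered stations
    traps: list = field(default_factory=list)         # messages sent to trap receivers
    violations: list = field(default_factory=list)    # AuthViolation rows (unit, port, mac)

    @property
    def CurrentPortSecurStatus(self):
        return "portPartition" if self.partitioned else "portSecure"


def observe(status, entries, security_lists, brd, port, mac, action_mode):
    """Apply the port's CurrentActionMode to one frame from `mac`; returns the outcome."""
    if action_mode == "noAction" or station_allowed(entries, security_lists, brd, port, mac):
        return "forwarded"
    partition, da_filter, trap = ACTION_EFFECTS[action_mode]
    status.violations.append((brd, port, mac.lower()))
    if partition:
        status.partitioned = True                 # all traffic on the port stops
    if da_filter:
        status.filtered_macs.add(mac.lower())     # only frames *to* the station are dropped
    if trap:
        status.traps.append(f"MAC security violation: {mac} on unit {brd} port {port}")
    return "violation"


# Constructed sample table (documentation MAC range 00:00:5e:00:53:xx, not real hosts).
SAMPLE_ENTRIES = [
    AuthConfigEntry(1, 3, "00:00:5e:00:53:01", True),                 # unit 1 port 3 only
    AuthConfigEntry(0, 0, "00:00:5e:00:53:02", True, secure_list=1),  # ports in list 1
    AuthConfigEntry(0, 0, "00:00:5e:00:53:03", False),                # blocked everywhere
    AuthConfigEntry(0, 0, "00:00:5e:00:53:04", True),                 # allowed everywhere...
    AuthConfigEntry(1, 3, "00:00:5e:00:53:04", False),                # ...except unit 1 port 3
]
```

Running observe() with the different modes makes the operational trade-off concrete: a partitioning mode takes the whole port out of service on the first stray station, which is the strongest control but also lets anyone with one forged source address knock a port offline, while the daFiltering modes keep the port up and only starve the offending station of return traffic.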


AuthViolation tab
The AuthViolation tab contains a list of boards and ports on which network access violations have occurred, and also the identity of the offending MAC addresses.

To view the AuthViolation tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the AuthViolation tab.

The AuthViolation tab appears.

The following figure displays the AuthViolation tab.

Figure 23 AuthViolation tab

—End—

SSH tab
The SSH tab displays the parameters available for SSH.

To view the SSH tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.


The Security window appears with the EAPOL tab displayed.

2 Click the SSH tab.

The SSH tab appears.

The following figure displays the SSH tab.

Figure 24 SSH tab

—End—

Table 57 "SSH tab fields" (page 123) describes the SSH tab fields.

Table 57 SSH tab fields

Field Description

Enable Enables, disables, or securely enables SSH. Securely enable also turns off the other (non-SSH) management daemons, and takes effect only after a reboot.

Version Indicates the SSH version.

Port Indicates the TCP port on which the switch accepts SSH connections.

Timeout Indicates the SSH connection timeout in seconds.

KeyAction Indicates the SSH key action.

DsaAuth Enables or disables SSH DSA public-key authentication.

PassAuth Enables or disables SSH password authentication.


DsaHostKeyStatus Indicates the current status of the SSH DSA host key:

• notGenerated: DSA host key has not yet been generated.

• generated: DSA host key is generated.

• generating: DSA host key is currently being generated.

LoadServerAddr Indicates the IP address of the TFTP server from which SSH public keys are loaded.

TftpFile Indicates the name of the file for the TFTP transfer.

TftpAction Initiates the TFTP download of the SSH public key file named in TftpFile from the server named in LoadServerAddr.

TftpResult Indicates the result of the most recent TFTP transfer.

SSH Sessions tab
The SSH Sessions tab displays the currently active SSH sessions.

To view the SSH Sessions tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the SSH Sessions tab.

The SSH Sessions tab appears. The following figure displays the SSH Sessions tab.

Figure 25 SSH Sessions tab

—End—

"SSH Sessions tab fields" (page 124) describes the SSH Sessions tab fields.


Table 58 SSH Sessions tab fields

Field Description

SSHSessionsIP Lists the IP addresses of the clients that currently hold active SSH sessions.

Radius Server tab
The Radius Server tab is used to configure the primary and secondary RADIUS server settings. "Radius Server tab" (page 125) illustrates the Radius Server tab.

To view the Radius Server tab, use the following procedure:

Step Action

1 From the Device Manager menu bar, select Edit > Security.

The Security window appears with the EAPOL tab displayed.

2 Click the Radius Server tab.

The Radius Server tab appears. The following figure displays the Radius Server tab.

Figure 26 Radius Server tab

—End—

Table 59 "Radius Server tab fields" (page 126) describes the Radius Server tab fields.


Table 59 Radius Server tab fields

Field Description

Addresstype Specifies the type of IP address used by the RADIUS server. IPv4 is currently the only available option.

PrimaryRadiusServer Specifies the IP address of the primary server (default: 0.0.0.0).

ATTENTION If there is no primary RADIUS server, set the value of this field to 0.0.0.0.

SecondaryRadiusServer Specifies the IP address of the secondary RADIUS server (default: 0.0.0.0). The secondary RADIUS server is used only if the primary server is unavailable or unreachable.

RadiusServerUdpPort Specifies the UDP port the client uses to send requests to this server.

RadiusServerTimeout Specifies the time interval in seconds before the client retransmits the packet to the RADIUS server.

SharedSecret(Key) Specifies the value of the shared secret key.

ATTENTION The shared secret key has a maximum of 16 characters. Because the shared secret is all that authenticates the switch to the server and protects the User-Password attribute on the wire, use the full 16 characters and do not reuse the same secret across devices.

ConfirmedSharedSecret(Key) Confirms the value of the shared secret key specified in the SharedSecret(Key) field. This field is normally blank; it is used only when you change the SharedSecret(Key) field, and you must enter the new secret a second time here to confirm it.
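The two ATTENTION notes above matter because of what the shared secret does on the wire. The following Python (an added example, not code from the documentation or the switch software) builds a RADIUS Access-Request as the switch would send it, hides the User-Password with the RFC 2865 MD5-XOR scheme keyed by the shared secret, and verifies the Response Authenticator on the reply, which is the only check that stops a forged Access-Accept. It also enforces the 16-character limit from Table 59 and the primary, secondary, 0.0.0.0 server ordering described there. The user name, password, secret and NAS address are constructed sample values; the function names are this example's own.

```python
"""RADIUS Access-Request encoding and reply verification (RFC 2865) for a
switch configured as in Table 59: shared secret, UDP port, timeout, failover."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
MAX_SECRET_LEN = 16        # the switch accepts at most 16 characters (Table 59)
NO_SERVER = "0.0.0.0"      # Table 59: 0.0.0.0 means "no server configured"


def check_secret(secret: bytes) -> bytes:
    """Reject secrets the switch could not hold. An empty secret would make every
    User-Password recoverable and every server reply forgeable."""
    if not secret or len(secret) > MAX_SECRET_LEN:
        raise ValueError("shared secret must be 1 to 16 characters")
    return secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. MD5 is what the RFC prescribes, not a choice here."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server (or anyone holding the secret) does it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(h ^ d for h, d in zip(block, digest)), block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). A fresh random authenticator per
    request is what keeps the hidden User-Password from repeating."""
    secret = check_secret(secret)
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code, ident, attrs, request_authenticator, secret):
    """What a genuine server sends. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, ident, request_authenticator, secret):
    """Client-side check that rejects a spoofed reply from anyone who does not
    know the shared secret, and a reply that does not match our request ID."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def server_candidates(primary, secondary):
    """Order in which the switch tries servers per Table 59: primary first, the
    secondary only if the primary does not answer; 0.0.0.0 entries are skipped."""
    return [s for s in (primary, secondary) if s != NO_SERVER]
```

verify_reply is why a weak or widely shared secret is a problem: whoever knows it can both recover passwords from captured requests with reveal_password and mint replies that pass the check, and RADIUS over UDP provides no other protection on the path to the server. The retransmission governed by RadiusServerTimeout should reuse the same identifier and Request Authenticator so that a late reply to the first attempt still verifies.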

Configuring EAPOL on ports
This section contains the following topics:

• "EAPOL tab for a port" (page 127)

• "EAPOL Advance tab for ports" (page 129)

• "EAPOL Stats tab for graphing ports" (page 136)

• "EAPOL Diag tab for graphing ports" (page 138)


EAPOL tab for a port
The EAPOL tab shows the EAPOL settings for the selected port.

To view or edit the EAPOL tab for a port, use the following procedure:

Step Action

1 Select the port that you want to edit.

2 Do one of the following:

• From the shortcut menu, choose Edit.

• From the Device Manager main menu, choose Edit > Port.

• From the toolbar, click Edit.

The Port dialog box appears with the Interface tab displayed.

3 Click the EAPOL tab.

The EAPOL tab appears.

Figure 27 EAPOL tab for a port


—End—

Table 60 "EAPOL tab fields for a port" (page 128) describes the EAPOL tab fields for a port.

Table 60 EAPOL tab fields for a port

Field Description

PortProtocolVersion The EAP protocol version that is running on this port.

PortCapabilities The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable.

PortInitialize Setting this field to true initializes (resets) the EAPOL state machines for the specified port; it reads back as false once initialization is complete.

PortReauthenticateNow Activates EAPOL reauthentication for the specified port immediately, without waiting for the Re-Authentication Period to expire.

PaeState Displays the current state of the Authenticator PAE state machine for the port (for example connecting, authenticating, authenticated or held).

BackendAuthState The current state of the Backend Authentication state machine for the port.

AdminControlledDirections Specifies whether EAPOL authentication is set for incoming and outgoing traffic (both) or for incoming traffic only (in). For example, if you set the specified port field value to both, and EAPOL authentication fails, then both incoming and outgoing traffic on the specified port is blocked.

OperControlledDirections A read-only field that indicates the current operational value for the traffic control direction for the port (see the preceding field description).

AuthControlledPortStatus Displays the current EAPOL authorization status for the port:

• authorized

• unauthorized


AuthControlledPortControl Specifies the EAPOL authorization status for the port:

• Force Authorized: The authorization status is always authorized.

• Force Unauthorized: The authorization status is always unauthorized.

• Auto: The authorization status depends on the EAP authentication results.

QuietPeriod The current value of the time interval between any single EAPOL authentication failure and the start of a new EAPOL authentication attempt.

TransmitPeriod Time to wait for a response from the supplicant for EAP Request/Identity packets.

SupplicantTimeout Time to wait for a response from the supplicant for all EAP packets, except EAP Request/Identity.

ServerTimeout Time to wait for a response from the RADIUS server for all EAP packets.

MaximumRequests The number of times the switch attempts to resend EAP packets to a supplicant.

ReAuthenticationPeriod Time interval between successive reauthentications. When the ReAuthenticationEnabled field (see the following field) is enabled, you can specify the time period between successive EAPOL authentications for the specified port.

ReAuthenticationEnabled When enabled, the switch performs a reauthentication of the existing supplicants at the time interval specified in the ReAuthenticationPeriod field (see the preceding field description).

KeyTxEnabled The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state machine of the port. This always returns false, as key transmission is not used.

LastEapolFrameVersion The protocol version number carried in the most recently received EAPOL frame.

LastEapolFrameSource The source MAC address carried in the most recently received EAPOL frame.

EAPOL Advance tab for ports
The EAPOL Advance tab lets you configure additional EAPOL-based security parameters for ports.


ATTENTION The Multi Hosts and Non-EAP MAC buttons are not available when configuring multiple ports on the EAPOL Advance tab. To make use of these two options, only one port can be selected.

To view or edit the EAPOL Advance tab for ports, use the followingprocedure:

Step Action

1 Select the ports that you want to edit.

For multiple ports, press Ctrl+left-click the ports that you want to edit. A yellow outline appears around the selected ports.

2 Do one of the following:

• From the shortcut menu, choose Edit.

• From the Device Manager main menu, choose Edit > Port.

• On the toolbar, click Edit.

The Port dialog box appears with the Interface tab displayed.

3 Click the EAPOL Advance tab.

The EAPOL Advance tab for a port appears.

Figure 28 EAPOL Advance tab for a port


4 Click Apply after making any changes.

—End—

Table 61 "EAPOL Advance tab fields for a port" (page 131) describes the EAPOL Advance tab fields for a port.

Table 61 EAPOL Advance tab fields for a port

Field Description

GuestVlanEnabled Enables and disables Guest VLAN on the port.

GuestVlanId Specifies the ID of the Guest VLAN that the port is able to access while unauthorized. This value overrides the Guest VLAN ID set for the switch in the EAPOL tab. Specify zero to use the switch-wide Guest VLAN ID for this port. Traffic from a port in the Guest VLAN is unauthenticated, so that VLAN should carry only the access an unknown station is meant to have.

MultiHostEnabled Enables or disables EAPOL multihost on the port.

MultiHostEapMaxNumMacs Specifies the maximum number of allowed EAP clients on the port.

MultiHostAllowNonEapClient Enables or disables non-EAPOL (MAC address based) clients on the port.

MultiHostNonEapMaxNumMacs Specifies the maximum number of allowed non-EAPOL clients on the port.

MultiHostSingleAuthEnabled Enables or disables EAPOL Multiple Host with Single Authentication (MHSA) on the port. With MHSA, the other stations on the port are admitted without authenticating once one EAP client succeeds, so enable it only where every downstream host is trusted to the same degree.

MultiHostRadiusAuthNonEapClient Enables or disables RADIUS authentication of non-EAPOL clients on the port.

MultiHostAllowRadiusAssignedVlan Enables or disables RADIUS-assigned VLANs for multihost clients on the port.

Viewing Multihost information
From the EAPOL Advance tab on the Port screen, it is possible to view Multihost information by clicking the Multi Hosts button on this tab.

For details, refer to:

• "Multihost Status" (page 131)

• "Multihost sessions" (page 132)

Multihost Status
To view multihost status information, do the following:


Step Action

1 From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears with the Multi Host Status tab selected. The following figure displays the Multi Host Status tab.

Figure 29 EAPOL MultiHosts screen -- Multi Host Status tab

"EAPOL MultiHosts screen -- Multi Host Status tab" (page 132) describes the fields on this screen.

EAPOL MultiHosts screen -- Multi Host Status tab

Field Description

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.

PaeState The current state of the authenticator PAE state machine.

BackendAuthState The current state of the Backend Authentication state machine.

Reauthenticate The value used to reauthenticate the EAPOL client.

—End—

Multihost sessions
To view multihost session information, do the following:

Step Action

1 From the EAPOL Advance tab of the Port screen, click the Multi Hosts button. The EAPOL MultiHosts screen appears. Select the Multi Host Session tab. The following figure displays the Multi Host Session tab.


Figure 30 EAPOL MultiHosts screen -- Multi Host Session tab

"EAPOL MultiHosts screen -- Multi Host Session tab" (page 133) describes the fields on this tab.

EAPOL MultiHosts screen -- Multi Host Session tab

Field Description

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.

Id A unique identifier for the session, in the form of a printable ASCII string of at least three characters.

AuthenticMethod The authentication method used to establish the session.

Time The elapsed time of the session.

TerminateCause The cause of the session termination.

UserName The username representing the identity of the supplicant PAE.

—End—

Non-EAPOL host support settings
From the EAPOL Advance tab on the Port screen, it is possible to view non-EAP host information and to configure the allowed non-EAP MAC address list by clicking the Non-EAP MAC button on this tab. A client admitted from this list is identified only by its MAC address, which a station can set freely, so the list gives weaker assurance than EAP authentication and is best limited to devices that cannot run a supplicant.

Managing the allowed non-EAP MAC address list
To view and configure the list of MAC addresses for non-EAPOL clients that are authorized to access the port, do the following:

Step Action

1 From the EAPOL Advance tab of the Port screen, click the Non-EAP MAC button. The Non-EAPOL MAC screen appears with the Allowed non-EAP MAC tab selected. The following figure illustrates this tab.

Figure 31 Non-EAPOL MAC screen -- Allowed non-EAP MAC tab

"Non-EAPOL MAC screen -- Allowed non-EAP MAC tab" (page 134) describes the fields on this screen.

Non-EAPOL MAC screen -- Allowed non-EAP MAC tab

Field Description

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.

2 To add a MAC address to the list of allowed non-EAPOL clients:

a. Click the Insert button. The Insert Allowed non-EAP MAC screen appears. The following figure illustrates this screen.

Figure 32 Insert Allowed non-EAP MAC screen

b. Enter the MAC address of the non-EAPOL client you want to add to the list.

c. Click Insert.

3 To remove a MAC address from the list of allowed non-EAPOL clients:

a. Select the MAC address in the ClientMACAddr column on the Allowed non-EAP MAC tab.

b. Click Delete.

b. Click Delete.


—End—

Viewing non-EAPOL host support status
To view the status of non-EAPOL host support on the port, do the following:

Step Action

1 From the EAPOL Advance tab of the Port screen, click the Non-EAP MAC button. The Non-EAPOL MAC screen appears with the Allowed non-EAP MAC tab selected. Select the Non-EAP Status tab. The following figure illustrates this tab.

Figure 33 Non-EAPOL MAC screen -- Non-EAP Status tab

"Non-EAPOL MAC screen -- Non-EAP Status tab" (page 135) describes the fields on this screen.

Non-EAPOL MAC screen -- Non-EAP Status tab

Field Description

PortNumber The port number in use.

ClientMACAddr The MAC address of the client.

State The authentication status. Possible values are:

• rejected: the MAC address cannot be authenticated on this port.

• locallyAuthenticated: the MAC address was authenticated using the local table of allowed clients

• radiusPending: the MAC address is awaiting authentication by a RADIUS server

• radiusAuthenticated: the MAC address was authenticated by a RADIUS server


• adacAuthenticated: the MAC address was authenticated using ADAC configuration tables

• mhsaAuthenticated: the MAC address was auto-authenticated on the port following a successful authentication of an EAP client

Reauthenticate The value used to reauthenticate the MAC address of the client on the port

—End—

EAPOL Stats tab for graphing ports
The EAPOL Stats tab displays EAPOL statistics.

To open the EAPOL Stats tab for graphing, use the following procedure:

Step Action

1 Select the port or ports you want to graph.

To select multiple ports, press Ctrl+left-click the ports that you want to configure. A yellow outline appears around the selected ports.

2 Do one of the following:

• From the Device Manager main menu, choose Graph > Port.

• From the shortcut menu, choose Graph.

• On the toolbar, click Graph.

The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed.

3 Click the EAPOL Stats tab.

The EAPOL Stats tab for graphing multiple ports appears.

The following figure displays the Graph Port dialog box EAPOL Stats tab.


Figure 34 Graph Port dialog box EAPOL Stats tab

—End—

EAPOL Stats tab fields
Table 62 "EAPOL Stats tab fields" (page 137) describes the EAPOL Stats tab fields.

Table 62 EAPOL Stats tab fields

Field Description

EapolFramesRx The number of valid EAPOL frames of any type that are received by this authenticator.

EapolFramesTx The number of EAPOL frames of any type that are transmitted by this authenticator.

EapolStartFramesRx The number of EAPOL Start frames that are received by this authenticator.

EapolLogoffFramesRx The number of EAPOL Logoff frames that are received by this authenticator.

EapolRespIdFramesRx The number of EAP Resp/Id frames that are received by this authenticator.

EapolRespFramesRx The number of valid EAP Response frames (other than Resp/Id frames) that are received by this authenticator.

EapolReqIdFramesTx The number of EAP Req/Id frames that are transmitted by this authenticator.

EapolReqFramesTx The number of EAP Request frames (other than Req/Id frames) that are transmitted by this authenticator.


InvalidEapolFramesRx The number of EAPOL frames that are received by this authenticator in which the frame type is not recognized.

EapLengthErrorFramesRx The number of EAPOL frames that are received by this authenticator in which the packet body length field is not valid. A rising count in either of these two fields on a port that should carry a single well-behaved supplicant indicates a malformed or non-standard EAPOL sender on that port and is worth investigating.
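The counters above are easiest to understand by computing them. The following Python (an added example, not code from the documentation or the switch software) parses raw Ethernet frames for the 802.1X EtherType, classifies them the way the receive-side counters of Table 62 do, and also tracks the LastEapolFrameVersion and LastEapolFrameSource fields of Table 60. The sample frames are constructed inline with documentation MAC addresses; that a frame with an unrecognised type or an oversized length field does not count toward EapolFramesRx is an assumption of this example.

```python
"""Counting received EAPOL frames the way the EAPOL Stats tab does."""
import struct
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF_ALERT = 0, 1, 2, 3, 4
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapolStats:
    """Receive-side counters of Table 62 plus the two 'last frame' fields of Table 60."""
    EapolFramesRx: int = 0
    EapolStartFramesRx: int = 0
    EapolLogoffFramesRx: int = 0
    EapolRespIdFramesRx: int = 0
    EapolRespFramesRx: int = 0
    InvalidEapolFramesRx: int = 0
    EapLengthErrorFramesRx: int = 0
    LastEapolFrameVersion: int = 0
    LastEapolFrameSource: str = ""


def count_frame(stats: EapolStats, frame: bytes) -> str:
    """Classify one Ethernet frame as the authenticator PAE would; returns a label."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return "not-eapol"                        # never reaches the PAE
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:]
    stats.LastEapolFrameVersion = version
    stats.LastEapolFrameSource = ":".join(f"{b:02x}" for b in frame[6:12])
    if ptype > EAPOL_ASF_ALERT:
        stats.InvalidEapolFramesRx += 1           # frame type not recognized
        return "invalid"
    if body_len > len(body):
        stats.EapLengthErrorFramesRx += 1         # body length field not valid
        return "length-error"
    # Only a valid frame is counted in EapolFramesRx and dispatched by type
    # (assumption of this example). Trailing padding beyond body_len is fine.
    stats.EapolFramesRx += 1
    if ptype == EAPOL_START:
        stats.EapolStartFramesRx += 1
        return "start"
    if ptype == EAPOL_LOGOFF:
        stats.EapolLogoffFramesRx += 1
        return "logoff"
    if ptype == EAPOL_EAP_PACKET and body_len >= 5:
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if code == EAP_RESPONSE and eap_len >= 5:
            if body[4] == EAP_TYPE_IDENTITY:
                stats.EapolRespIdFramesRx += 1
                return "response-identity"
            stats.EapolRespFramesRx += 1
            return "response"
    return "other"


def eapol_frame(src: bytes, ptype: int, body: bytes = b"", version: int = 1, length=None) -> bytes:
    """Build a constructed EAPOL frame; `length` overrides the body length field."""
    header = struct.pack("!BBH", version, ptype, len(body) if length is None else length)
    return PAE_GROUP_ADDRESS + src + struct.pack("!H", EAPOL_ETHERTYPE) + header + body


def eap_response(ident: int, eap_type: int, data: bytes) -> bytes:
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data


SUPPLICANT = bytes.fromhex("00005e005301")    # documentation MAC addresses, constructed
STRANGER = bytes.fromhex("00005e005302")
SAMPLE_FRAMES = [                              # constructed capture, not from a real port
    eapol_frame(SUPPLICANT, EAPOL_START),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET, eap_response(1, EAP_TYPE_IDENTITY, b"alice")),
    eapol_frame(SUPPLICANT, EAPOL_EAP_PACKET,
                eap_response(2, EAP_TYPE_MD5_CHALLENGE, b"\x10" + bytes(16))),
    eapol_frame(SUPPLICANT, EAPOL_LOGOFF),
    eapol_frame(STRANGER, 9, version=2),                                   # unknown type
    eapol_frame(STRANGER, EAPOL_EAP_PACKET,
                eap_response(3, EAP_TYPE_IDENTITY, b"x"), length=200),     # bad length
]


def tally(frames=SAMPLE_FRAMES) -> EapolStats:
    stats = EapolStats()
    for frame in frames:
        count_frame(stats, frame)
    return stats
```

The two malformed frames in the sample come from a second source address, which is exactly the situation the LastEapolFrameSource field lets you spot from the tab: when the counters move but the last source is not the MAC you expect on that port, something other than the intended supplicant is talking 802.1X.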

EAPOL Diag tab for graphing ports
The EAPOL Diag tab displays EAPOL diagnostic statistics.

To open the EAPOL Diag tab for graphing, use the following procedure:

Step Action

1 Select the port or ports you want to graph.

To select multiple ports, press Ctrl+left-click the ports that you want to configure. A yellow outline appears around the selected ports.

2 Do one of the following:

• From the Device Manager main menu, choose Graph > Port.

• From the shortcut menu, choose Graph.

• On the toolbar, click Graph.

The Graph Port dialog box for a single port or for multiple ports appears with the Interface tab displayed.

3 Click the EAPOL Diag tab.

The EAPOL Diag tab for graphing multiple ports appears.

The following figure displays the Graph Port dialog box EAPOL Diag tab.


Figure 35 Graph Port dialog box EAPOL Diag tab

—End—

EAPOL Diag fields
Table 63 "EAPOL Diag fields" (page 139) describes the EAPOL Diag tab fields.

Table 63 EAPOL Diag tab fields

Field Description

EntersConnecting Counts the number of times that the state machine transitions to the connecting state from any other state.

EapLogoffsWhileConnecting Counts the number of times that the state machine transitions from connecting to disconnected as a result of receiving an EAPOL-Logoff message.

EntersAuthenticating Counts the number of times that the state machine transitions from connecting to authenticating, as a result of an EAP-Response/Identity message being received from the Supplicant.

AuthSuccessWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to authenticated, as a result of the Backend Authentication state machine indicating a successful authentication of the Supplicant.


AuthTimeoutsWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to aborting, as a result of the Backend Authentication state machine indicating an authentication timeout.

AuthFailWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to held, as a result of the Backend Authentication state machine indicating an authentication failure.

AuthReauthsWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to aborting, as a result of a reauthentication request.

AuthEapStartsWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Start message being received from the Supplicant.

AuthEapLogoffWhileAuthenticating Counts the number of times that the state machine transitions from authenticating to aborting, as a result of an EAPOL-Logoff message being received from the Supplicant.

AuthReauthsWhileAuthenticated Counts the number of times that the state machine transitions from authenticated to connecting, as a result of a reauthentication request.

AuthEapStartsWhileAuthenticated Counts the number of times that the state machine transitions from authenticated to connecting, as a result of an EAPOL-Start message being received from the Supplicant.

AuthEapLogoffWhileAuthenticated Counts the number of times that the state machine transitions from authenticated to disconnected, as a result of an EAPOL-Logoff message being received from the Supplicant.

BackendResponses Counts the number of times that the state machine sends an initial Access-Request packet to the Authentication server. Indicates that the Authenticator attempted communication with the Authentication Server.

BackendAccessChallenges Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication server. Indicates that the Authentication Server has communication with the Authenticator.


BackendOtherRequestsToSupplicant Counts the number of times that the state machine sends an EAP-Request packet, other than an Identity, Notification, Failure or Success message, to the Supplicant. Indicates that the Authenticator chooses an EAP method.

BackendNonNakResponsesFromSupplicant Counts the number of times that the state machine receives a response from the Supplicant to an initial EAP-Request, and the response is something other than EAP-NAK. Indicates that the Supplicant can respond to the EAP method that the Authenticator chooses.

BackendAuthSuccesses Counts the number of times that the state machine receives an EAP-Success message from the Authentication Server. Indicates that the Supplicant has successfully authenticated to the Authentication Server.

BackendAuthFails Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.
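Table 63 is a list of transitions of the IEEE 802.1X authenticator PAE and backend state machines. The following Python (an added example, not code from the documentation or the switch software) is a reduced authenticator PAE for one port that increments exactly those counters as events arrive, so you can see which counters move for a clean login, a failed reauthentication, a server timeout and a logoff. Collapsing the transient aborting and disconnected states into connecting, delivering the timers (QuietPeriod, ServerTimeout, ReAuthenticationPeriod) as events, and the event names themselves are simplifications of this example; the sample event trace is constructed.

```python
"""Authenticator PAE state machine for one port with the EAPOL Diag counters."""
from collections import Counter

CONNECTING, AUTHENTICATING, AUTHENTICATED, HELD = (
    "connecting", "authenticating", "authenticated", "held")

# Event -> Table 63 counter for events that abort an authentication in progress.
ABORT_WHILE_AUTHENTICATING = {
    "backend_timeout": "AuthTimeoutsWhileAuthenticating",
    "reauth": "AuthReauthsWhileAuthenticating",
    "eapol_start": "AuthEapStartsWhileAuthenticating",
    "eapol_logoff": "AuthEapLogoffWhileAuthenticating",
}
# ...and for events that end an established session.
LEAVE_AUTHENTICATED = {
    "reauth": "AuthReauthsWhileAuthenticated",
    "eapol_start": "AuthEapStartsWhileAuthenticated",
    "eapol_logoff": "AuthEapLogoffWhileAuthenticated",
}


class AuthenticatorPae:
    """Reduced IEEE 802.1X authenticator PAE for a port in 'auto' control mode.

    The transient disconnected and aborting states fall straight through to
    connecting, as they do on an enabled port, so only four states persist
    between events. Timers are delivered as events by the caller.
    """

    def __init__(self):
        self.state = "disconnected"
        self.diag = Counter()          # keys are the Table 63 field names
        self._goto(CONNECTING)         # initialize -> connecting

    def authorized(self) -> bool:
        """AuthControlledPortStatus for this port."""
        return self.state == AUTHENTICATED

    def _goto(self, new):
        if new == CONNECTING and self.state != CONNECTING:
            self.diag["EntersConnecting"] += 1
        if new == AUTHENTICATING:
            self.diag["EntersAuthenticating"] += 1
            self.diag["BackendResponses"] += 1   # initial Access-Request to the server
        self.state = new

    def _restart(self):
        """aborting/disconnected -> connecting: port unauthorized, new Request/Identity."""
        self.state = "disconnected"
        self._goto(CONNECTING)

    def event(self, ev: str) -> str:
        if self.state == CONNECTING:
            if ev == "resp_id":                  # EAP-Response/Identity from the supplicant
                self._goto(AUTHENTICATING)
            elif ev == "eapol_logoff":
                self.diag["EapLogoffsWhileConnecting"] += 1
                self._restart()
            # an EAPOL-Start here only restarts the Request/Identity exchange
        elif self.state == AUTHENTICATING:
            if ev == "access_challenge":         # server chose an EAP method
                self.diag["BackendAccessChallenges"] += 1
                self.diag["BackendOtherRequestsToSupplicant"] += 1
            elif ev == "supp_response":          # non-NAK answer relayed to the server
                self.diag["BackendNonNakResponsesFromSupplicant"] += 1
            elif ev == "backend_success":
                self.diag["AuthSuccessWhileAuthenticating"] += 1
                self.diag["BackendAuthSuccesses"] += 1
                self._goto(AUTHENTICATED)
            elif ev == "backend_fail":
                self.diag["AuthFailWhileAuthenticating"] += 1
                self.diag["BackendAuthFails"] += 1
                self._goto(HELD)                 # stays here for QuietPeriod
            elif ev in ABORT_WHILE_AUTHENTICATING:
                self.diag[ABORT_WHILE_AUTHENTICATING[ev]] += 1
                self._restart()
        elif self.state == AUTHENTICATED:
            if ev in LEAVE_AUTHENTICATED:
                self.diag[LEAVE_AUTHENTICATED[ev]] += 1
                self._restart()
        elif self.state == HELD:
            if ev == "quiet_expired":
                self._goto(CONNECTING)
        return self.state


def run_scenario(events):
    pae = AuthenticatorPae()
    for ev in events:
        pae.event(ev)
    return pae


# Constructed event trace: one clean login, a forced reauthentication that the
# server rejects, a server timeout after the quiet period, a second success,
# then the supplicant logs off.
SAMPLE_TRACE = [
    "resp_id", "access_challenge", "supp_response", "backend_success",
    "reauth", "resp_id", "backend_fail", "quiet_expired",
    "eapol_start", "resp_id", "backend_timeout",
    "resp_id", "backend_success", "eapol_logoff",
]
```

Reading the counters together is the useful part. AuthFailWhileAuthenticating rising with BackendAuthFails is the server rejecting credentials; AuthTimeoutsWhileAuthenticating rising while BackendAccessChallenges stays flat means the server is not answering at all (check the RADIUS server address, UDP port, shared secret and ServerTimeout); AuthEapLogoffWhileAuthenticated or AuthEapStartsWhileAuthenticated climbing on a port with one expected client suggests another station is sending EAPOL-Logoff or EAPOL-Start frames, which are unauthenticated, to knock the legitimate host off the port.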

Configuring SNMP
This section contains the following topics:

• "SNMP tab" (page 141)

• "Trap Receivers tab" (page 142)

• "Graphing SNMP statistics" (page 144)

SNMP tab
The SNMP tab provides read-only information about the last SNMP request that the switch did not authenticate and about the trap receiver table.

To open the SNMP tab, use the following procedure:

Step Action

1 Select the chassis.

2 Choose Edit > Chassis.

The Chassis dialog box appears with the System tab displayed.

3 Click the SNMP tab.

The SNMP tab appears.


—End—

Figure 36 Chassis dialog box SNMP tab

"SNMP tab fields" (page 142) describes the SNMP tab fields.

Table 64 SNMP tab fields

Field Description

LastUnauthenticatedIpAddress: The last IP address that is not authenticated by the device.

LastUnauthenticatedCommunityString: The last community string that is not authenticated by the device.

TrpRcvrMaxEnt: The maximum number of trap receiver entries.

TrpRcvrCurEnt: The current number of trap receiver entries.

TrpRcvrNext: The next trap receiver entry to be created.

Trap Receivers tab

The Trap Receivers tab lists the devices that receive SNMP traps from the Ethernet Routing Switch 2500 Series.

To open the Trap Receivers tab, use the following procedure:

Step Action

1 Select the chassis.

2 Choose Edit > Chassis.

The Chassis dialog box appears with the System tab displayed.

3 Click the Trap Receivers tab.


The Trap Receivers tab appears.

—End—

Figure 37 Chassis dialog box Trap Receivers tab

"Trap Receivers tab fields" (page 143) describes the Trap Receivers tab fields.

Table 65 Trap Receivers tab fields

Field Description

Indx: An index of the trap receiver entry. Trap receivers are numbered from one to four. Each trap receiver has an associated community string (see the following Community field description in this table).

NetAddr: The address (or DNS hostname) for the trap receiver.

Community: Community string used for trap messages to this trap receiver.

Adding a Trap Receiver

To edit the network traps table, use the following procedure:

Step Action

1 In the Trap Receivers tab, click Insert.

The Chassis, Insert Trap Receivers dialog box appears.

The following figure displays the Chassis, Insert Trap Receivers dialog box.


Figure 38 Chassis, Insert Trap Receivers dialog box

2 Type the Index, NetAddr, and Community information.

3 Click Insert.

—End—

Graphing SNMP statistics

In the Graph Chassis dialog box, the SNMP tab provides read-only information about the addresses that the agent software uses to identify the switch.

To open the SNMP tab, use the following procedure:

Step Action

1 Select the chassis.

2 Choose Graph > Chassis.

The Graph Chassis dialog box appears with the SNMP tab displayed.

3 Click the SNMP tab.

—End—


Figure 39 Graph Chassis dialog box SNMP tab

"SNMP tab fields" (page 142) describes the SNMP tab fields.

Table 66 SNMP tab fields

Field Description

InPkts: The total number of messages delivered to the SNMP from the transport service.

OutPkts: The total number of SNMP messages passed from the SNMP protocol to the transport service.

InTotalReqVars: The total number of MIB objects retrieved successfully by the SNMP protocol as the result of receiving valid SNMP Get-Request and Get-Next PDUs.

InTotalSetVars: The total number of MIB objects altered successfully by the SNMP protocol as the result of receiving valid SNMP Set-Request PDUs.

InGetRequests: The total number of SNMP Get-Request PDUs that are accepted and processed by the SNMP protocol.

InGetNexts: The total number of SNMP Get-Next PDUs that are accepted and processed by the SNMP protocol.

InSetRequests: The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol.

InGetResponses: The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.


OutTraps: The total number of SNMP Trap PDUs generated by the SNMP protocol.

OutTooBigs: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is tooBig.

OutNoSuchNames: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is noSuchName.

OutBadValues: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is badValue.

OutGenErrs: The total number of SNMP PDUs generated by the SNMP protocol for which the value of the error-status field is genErr.

InBadVersions: The total number of SNMP messages delivered to the SNMP protocol for an unsupported SNMP version.

InBadCommunityNames: The total number of SNMP messages delivered to the SNMP protocol that used an unknown SNMP community name.

InBadCommunityUses: The total number of SNMP messages delivered to the SNMP protocol that represented an SNMP operation not allowed by the SNMP community named in the message.

InASNParseErrs: The total number of ASN.1 or BER errors encountered by the SNMP protocol when decoding received SNMP messages.

InTooBigs: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is tooBig.

InNoSuchNames: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is noSuchName.

InBadValues: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badValue.


InReadOnlys: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is readOnly. It is a protocol error to generate an SNMP PDU containing the value readOnly in the error-status field. This object is provided to detect incorrect implementations of the SNMP.

InGenErrs: The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is genErr.

Working with SNMPv3

Simple Network Management Protocol (SNMP) provides a mechanism to remotely configure and manage a network device. An SNMP agent is a software process that listens on UDP port 161 for SNMP messages, and sends trap messages using the destination UDP port 162.

SNMPv3 is based on the architecture of SNMPv1 and SNMPv2c. It supports better authentication and data encryption than SNMPv1 and SNMPv2c.

SNMPv3 provides protection against the following security threats:

• modification of SNMP messages by a third party

• impersonation of an authorized SNMP user by an unauthorized person

• disclosure of network management information to unauthorized parties

• delayed SNMP message replays or message redirection attacks

The configuration parameters introduced in SNMPv3 make it more secure and flexible than the other versions of SNMP.

For more information on the SNMPv3 architecture, see RFC 3411.

This chapter describes the following concepts associated with SNMPv3:

• "Initial Login with an SNMPv3 User" (page 148)

• "User-based Security Model" (page 149)

• "View-based Access Control Model" (page 152)

• "Creating a community" (page 159)

• "Management Targets" (page 161)

• "The Notify Table" (page 166)


Initial Login with an SNMPv3 User

To configure SNMPv3 with Device Manager, you must first log on and create an SNMPv3 user through the CLI or Web interface. If you specify only read and write community strings at the time you log on, you do not have sufficient rights to view or change the SNMPv3 settings of the switch.

CAUTION
By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.

For more information on how to configure an initial SNMPv3 user by using Web-based management, see "Setting SNMP parameters" (page 58), and by using the CLI, see "Configuring SNMPv3" (page 190).

To log on to the Ethernet Routing Switch 2500 Series Device Manager as an SNMPv3 user, use the following procedure:

Step Action

1 On the Device Manager menu bar, select Device > Open.

2 In the Device Name field, enter the DNS name or the IP address of the switch.

3 Select the v3 Enabled checkbox (the default Read and Write community strings are grayed out when SNMPv3 is enabled).

4 Enter the log on name of the SNMPv3 user.

5 From the Authentication Protocol pull-down list, select MD5, SHA, or None.

6 If the user is configured to use an authentication protocol, enter the authentication password in the Authentication Password field.

7 If the user is configured to use a privacy protocol, choose the appropriate protocol from the Privacy Protocol field (DES, AES or 3DES).

8 In the Privacy Password field, enter the privacy password.

—End—


User-based Security Model

The User-based Security Model (USM) provides a mechanism to authenticate and encrypt SNMPv3 messages.

A message, if configured, is authenticated with the help of a one-way hash function that is associated with an individual user ID. In the Ethernet Routing Switch 2500 Series, a user can be configured to use the HMAC-MD5-96 or the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages.

An SNMPv3 message, if configured, is encrypted with the help of the Cipher Block Chaining - Data Encryption Standard (CBC-DES).

An SNMPv3 user can be configured in three ways.

Table 67 "SNMPv3 user configuration method" (page 149) describes the ways in which an SNMPv3 user can be configured.

Table 67 SNMPv3 user configuration method

SNMPv3 Configuration Method Description

NoAuthNoPriv: The user cannot use an authentication or an encryption mechanism.

AuthNoPriv: The user can use an authentication but not an encryption mechanism.

AuthPriv: The user can use an authentication as well as an encryption mechanism.

For more information on USM, see RFC 3414.
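The USM key handling behind the HMAC-MD5-96 and HMAC-SHA-96 protocols named above, as an added example (not Nortel code): RFC 3414 derives a key from the user's password and then localizes it with the agent's EngineID, so the same password yields a different key on every switch, and the 96-bit HMAC tag is computed over the message with its authentication field zeroed. The EngineID and message bytes used in the demonstration are constructed (one is the RFC 3414 test vector).

```python
"""RFC 3414 USM password-to-key derivation and HMAC-96 authentication.

Added example for the User-based Security Model section; this is not Nortel
code. It shows why the same password yields a different authentication key on
every SNMP engine (the key is localized with the engine's EngineID) and how the
HMAC-MD5-96 / HMAC-SHA-96 tag named in the section is computed and checked.
"""
import hashlib
import hmac

# Authentication protocols named in the section, keyed by hashlib name.
AUTH_PROTOCOLS = {"md5": "HMAC-MD5-96", "sha1": "HMAC-SHA-96"}
TAG_LEN = 12  # both protocols truncate the HMAC to 96 bits (RFC 3414 6.3 / 7.3)


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password repeated to exactly 1 MiB (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    total = 1024 * 1024
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul: bind Ku to one engine so a key captured from it is useless elsewhere."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def authenticate(kul: bytes, msg: bytes, offset: int, hash_name: str) -> bytes:
    """Return msg with its 12-byte msgAuthenticationParameters field filled in.

    The sender zeroes the field, computes the HMAC over the whole message and
    writes the truncated tag back (RFC 3414 6.3.1 / 7.3.1). `offset` is where
    the field sits in the serialized message; locating it is the caller's job.
    """
    blank = msg[:offset] + bytes(TAG_LEN) + msg[offset + TAG_LEN:]
    tag = hmac.new(kul, blank, hash_name).digest()[:TAG_LEN]
    return blank[:offset] + tag + blank[offset + TAG_LEN:]


def verify(kul: bytes, msg: bytes, offset: int, hash_name: str) -> bool:
    """Receiver side: recompute over the zeroed field, compare in constant time."""
    received = msg[offset:offset + TAG_LEN]
    expected = authenticate(kul, msg, offset, hash_name)[offset:offset + TAG_LEN]
    return hmac.compare_digest(received, expected)


# Constructed demonstration data: the RFC 3414 A.3 test vector (password
# "maplesyrup", EngineID 00 00 00 00 00 00 00 00 00 00 00 02) plus a second,
# made-up EngineID that stands in for another switch.
RFC_ENGINE_ID = bytes([0] * 11 + [2])
OTHER_ENGINE_ID = bytes.fromhex("80000a0b0c")  # constructed, not a real device

if __name__ == "__main__":
    for hash_name, proto in AUTH_PROTOCOLS.items():
        k1 = localized_key(b"maplesyrup", RFC_ENGINE_ID, hash_name)
        k2 = localized_key(b"maplesyrup", OTHER_ENGINE_ID, hash_name)
        print(f"{proto}: Kul(engine 1) = {k1.hex()}")
        print(f"{proto}: Kul(engine 2) = {k2.hex()}  (same password, different key)")
        # A constructed stand-in for a serialized SNMPv3 message: 8 header
        # bytes, the 12-byte authentication placeholder, then the payload.
        msg = b"\x30\x06hdr\x00\x00\x00" + bytes(TAG_LEN) + b"scopedPDU"
        signed = authenticate(k1, msg, 8, hash_name)
        print(f"{proto}: tag = {signed[8:20].hex()}, verifies = {verify(k1, signed, 8, hash_name)}")
        tampered = signed[:-1] + bytes([signed[-1] ^ 1])
        print(f"{proto}: tampered verifies = {verify(k1, tampered, 8, hash_name)}")
```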

Configuring the User-based Security Model

To create a user in the USM table, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > USM Table.

The USM dialog box appears.

The following figure displays the USM dialog box.


Figure 40 USM dialog box

USM tab fields

The following table describes the USM tab fields.

Table 68 USM dialog box fields

Field Description

EngineID: Indicates the administratively-unique identifier of the SNMP engine.

Name: Indicates the name of the user in usmUser.

SecurityName: Creates the name that is used as an index to the table. The range is 1 to 32 characters.

AuthProtocol: Identifies the authentication protocol used.

PrivProtocol: Identifies the privacy protocol used.

StorageType: Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert.

The USM, Insert USM Table dialog box appears.

The following figure displays the USM, Insert USM Table dialog box.


Figure 41 USM, Insert USM Table dialog box

3 Enter a name.

4 In the Clone From User list, select a security name from which the new entry copies authentication data and privacy data. For example, Authentication Protocol, Authentication password, Privacy Protocol, and Privacy password.

ATTENTION
The Clone From User you select defines the maximum authentication and privacy settings for a new user. For example, if the Clone From User does not use an authentication or encryption protocol, users created from this clone cannot use the authentication or the encryption protocol. For this reason, it is recommended that you assign both an authentication and encryption protocol to the first user you create through the CLI or Web interface.

5 From the Auth Protocol pull-down list, select an authentication protocol for this user. If you select an authentication protocol, enter an old and new authentication password in the next two fields.

6 In the Cloned User's Auth Password field, enter the authentication password of the Cloned From User.

7 In the New User's Auth Password field, enter a new authentication password for this user.

8 Select a privacy protocol. If you choose to specify a privacy protocol, enter an old and new privacy password in the next two fields. This is optional but recommended.


9 Enter the Cloned User’s Priv Password.

10 Enter a new privacy password for this user.

11 Click Insert.

The USM table appears and the new entry is shown.

—End—

"USM Insert USM Table dialog box fields" (page 152) describes the USM, Insert USM Table dialog box fields.

Table 69 USM, Insert USM Table dialog box fields

Field Description

New User Name: Creates the new entry with this security name. The name is used as an index to the table. The range is 1 to 32 characters.

Clone From User: Specifies the security name from which the new entry must copy privacy and authentication parameters. The range is 1 to 32 characters.

Auth Protocol: Assigns an authentication protocol (or no authentication) from a shortcut menu. If you select this protocol, enter an old AuthPass and a new AuthPass.

Cloned User's Auth Password: Specifies the current authentication password.

New User's Auth Password: Specifies the new authentication password to use for this user.

Priv Protocol (Optional): Assigns a privacy protocol (or no privacy) from a menu.

Cloned User's Priv Password: Specifies the current privacy password.

New User's Priv Password: Specifies the new privacy password to use for this user entry.

Storage Type: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

View-based Access Control Model

The View-based Access Control Model (VACM) is used to map a user to a set of access rights and MIB views. This mapping is done with the help of three tables.


Table 70 "View-based access control mapping" (page 153) describes the tables that map a user to access rights and MIB views.

Table 70 View-based access control mapping

Table Name Description

Group Membership table: Defines a set of users that can be referenced by a single group name.

Group Access Right table: Associates a group with Read, Write, and Notify views.

MIB View table: Defines a set of MIB subtrees or objects.

For more detailed information on VACM, see RFC 3415.

Defining Group Membership with VACM

To add members to a group in the View-based Access Control Model (VACM) table, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table.

The VACM dialog box appears with the Group Membership tab options visible.

The following figure displays the VACM dialog, Group Membership tab.

Figure 42 VACM dialog, Group Membership tab


VACM dialog tab fields

The following table describes the Group Membership tab fields.

Table 71 Group Membership tab fields

Field Description

SecurityModel: The security model for the entry.

SecurityName: The name of an entry in the USM table or the Community Table.

GroupName: The name of the group to which this entry belongs. When multiple entries in this table have the same GroupName, they all belong to the same group.

StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert.

The VACM, Insert Group Membership dialog box appears.

The following figure displays the VACM, Insert Group Membership dialog box.

3 Select a SecurityModel.

4 Enter a SecurityName.

5 Enter a GroupName.

6 Click Insert.

The VACM dialog box appears. The new group membership is shown in the list.

—End—

Assigning Group Access Rights with VACM

To assign new access rights to a group, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table.

The VACM dialog box appears (Figure 42 "VACM dialog, Group Membership tab" (page 153)).


2 Click the Group Access Right tab.

The Group Access Right tab appears.

The following figure displays the Group Access Right tab.

Figure 43 Group Access Right tab

The following table describes the Group Access Right tab fields.

Table 72 VACM dialog box Group Access Right tab fields

Field Description

vacmGroupName: A GroupName from the Group Membership table.

ContextPrefix: The Context Prefix for this entry. By default, the field is empty. This is an optional field.

SecurityModel: The security model assigned to users in the Group Membership table. Options are SNMPv1, SNMPv2c, or USM.

SecurityLevel: The security level assigned to users in the Group Membership table. Options are noAuthNoPriv, authNoPriv, or authPriv.

ContextMatch: Specifies whether to use an exact match or the context prefix for assigning the rights defined in this row to a user. The default is exact. This is an optional field.

ReadViewName: The name of the MIB View to which the user is assigned read access.

WriteViewName: The name of the MIB View to which the user is assigned write access.


NotifyViewName: The name of the MIB View from which the user receives notifications.

StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

3 Click Insert.

The VACM, Insert Group Access Right dialog box appears.

The following figure displays the VACM, Insert Group Access Right dialog box.

Figure 44 VACM, Insert Group Access Right dialog box

4 Enter the name of a group.

5 Enter the context prefix.

6 Select the security model.

7 Select the security level.

8 Enter the name of a MIB View that enables a user to read the MIB subtrees and objects.

9 Enter the name of a MIB View that enables a user to write to the MIB subtrees and objects.

10 Enter the name of a MIB View from which a user can receive traps or inform messages.


11 Click Insert.

The VACM window reappears, and the new Group Access Right entry is shown in the table.

—End—

Defining a MIB view

To assign MIB view access for an object, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > VACM table.

The VACM dialog box appears (Figure 42 "VACM dialog, Group Membership tab" (page 153)).

2 Select the MIB View tab.

The MIB View tab appears.

The following figure displays the MIB View tab.

Figure 45 MIB View tab

MIB View tab fields


The following table describes the MIB View tab fields.

Table 73 VACM dialog box MIB View tab fields

Field Description

ViewName: Creates a new entry with this group name. The range is 1 to 32 characters.

Subtree: Refers to any valid object identifier that defines the set of MIB objects accessible by this SNMP entity, for example, org, iso8802, or 1.3.6.1.1.5 OID string.

Mask (Optional): Specifies that a bit mask be used with vacmViewTreeFamilySubtree to determine whether an OID falls under a view subtree.

Type: Determines whether access to a MIB object is granted (Included) or denied (Excluded). The default is Included.

StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

3 Click Insert.

The VACM, Insert MIB View dialog box appears.

The following figure displays the VACM, Insert MIB View dialog box.

Figure 46 VACM, Insert MIB View dialog box


4 Enter a ViewName.

5 Enter a MIB Subtree name, for example, org, iso8802, or a dotted-decimal OID string.

6 Enter a Mask to specify wild cards in the OID string. The default is to leave this field blank, which is the same as specifying a mask of all ones (exact match).

7 Select whether to include or exclude this MIB subtree from the collection of all MIB objects with this same ViewName.

8 Click Insert.

The assigned MIB view appears in the list.

—End—
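How the switch's SNMP engine evaluates the ViewName, Subtree, Mask and Type rows entered above, as an added example (not Nortel code) of the RFC 3415 vacmViewTreeFamilyTable rules: a blank mask is an exact match on every sub-identifier, a zero mask bit is a wild card, and when several rows of a view match an OID the longest subtree decides. The view table and the OIDs checked are constructed sample data, and the example handles the general case of any number of rows per view rather than the single row the procedure enters.

```python
"""RFC 3415 MIB view evaluation: does a view grant access to an OID?

Added example for the "Defining a MIB view" procedure; this is not Nortel
code. It models the MIB View tab fields (ViewName, Subtree, Mask, Type) as
vacmViewTreeFamilyTable rows and applies the RFC 3415 matching rules.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Oid = Tuple[int, ...]


@dataclass(frozen=True)
class ViewTreeFamily:
    view_name: str
    subtree: Oid
    mask: bytes = b""      # blank = all ones = exact match on each sub-identifier
    included: bool = True  # Type: Included (True) or Excluded (False)


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); symbolic names like org are out of scope."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bit(mask: bytes, index: int) -> bool:
    """Bit `index` of the mask, MSB of the first octet first.

    Bits beyond the end of the mask are treated as ones (RFC 3415), which is
    why an empty mask behaves as the "all ones (exact match)" default.
    """
    if index // 8 >= len(mask):
        return True
    return bool(mask[index // 8] & (0x80 >> (index % 8)))


def family_matches(family: ViewTreeFamily, oid: Oid) -> bool:
    """The OID belongs to the family if it is at least as long as the subtree
    and every sub-identifier under a one bit in the mask is equal."""
    if len(oid) < len(family.subtree):
        return False
    return all(
        not mask_bit(family.mask, i) or oid[i] == sub
        for i, sub in enumerate(family.subtree)
    )


def oid_in_view(families: Iterable[ViewTreeFamily], view_name: str, oid: Oid) -> bool:
    """Access decision for one OID under one view.

    Among the matching rows of this view, the one with the longest subtree is
    the most specific and wins; ties go to the lexicographically greatest mask
    (vacmViewTreeFamilyTable description, RFC 3415). Its Type decides, and no
    matching row at all means the OID is outside the view.
    """
    best: Optional[ViewTreeFamily] = None
    for fam in families:
        if fam.view_name != view_name or not family_matches(fam, oid):
            continue
        if best is None or (len(fam.subtree), fam.mask) > (len(best.subtree), best.mask):
            best = fam
    return best is not None and best.included


# Constructed sample view table (not read from a switch):
#  - "mgmtOnly" grants mib-2 but carves out the snmp group (1.3.6.1.2.1.11);
#    the longer Excluded subtree takes precedence over the Included parent.
#  - "if7" uses a wild-card mask: ifEntry.<any column>.7, i.e. every object of
#    interface 7 and no other interface. Subtree 1.3.6.1.2.1.2.2.1.0.7 has
#    11 sub-identifiers; mask bits 1111 1111 101 = 0xFF 0xA0 zero bit 9 (column).
SAMPLE_VIEWS = (
    ViewTreeFamily("mgmtOnly", parse_oid("1.3.6.1.2.1")),
    ViewTreeFamily("mgmtOnly", parse_oid("1.3.6.1.2.1.11"), included=False),
    ViewTreeFamily("if7", parse_oid("1.3.6.1.2.1.2.2.1.0.7"), mask=b"\xff\xa0"),
)

if __name__ == "__main__":
    checks = [
        ("mgmtOnly", "1.3.6.1.2.1.1.1.0"),   # sysDescr.0: included
        ("mgmtOnly", "1.3.6.1.2.1.11.1.0"),  # snmpInPkts.0: excluded by the longer row
        ("mgmtOnly", "1.3.6.1.4.1.45.1"),    # enterprise tree: no row matches, denied
        ("if7", "1.3.6.1.2.1.2.2.1.2.7"),    # ifDescr.7: wild-card column, included
        ("if7", "1.3.6.1.2.1.2.2.1.2.8"),    # ifDescr.8: other interface, denied
    ]
    for view, oid in checks:
        print(f"{view:9} {oid:24} -> {oid_in_view(SAMPLE_VIEWS, view, parse_oid(oid))}")
```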

Creating a community

A community table contains objects for mapping between community strings and the security name created in VACM Group Member. To create a community, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > Community Table.

The Community Table dialog box appears.

The following figure displays the Community Table dialog box.

Figure 47 Community Table dialog box

2 Click Insert.

The Community Table, Insert Community Table dialog box appears.

The following figure displays the Community Table, Insert Community Table dialog box.


Figure 48 Community Table, Insert Community Table dialog box

3 Enter an Index.

4 Enter a Name, which is a community string.

5 Enter a SecurityName.

6 Click Insert.

The new community is shown in the list.

—End—

Community Table dialog box fields

"Community Table dialog box fields" (page 160) describes the Community Table dialog box fields.

Table 74 Community Table dialog box fields

Field Description

Index: The unique index value of a row in this table. The SnmpAdminString range is 1-32 characters.

Name: The community string for which a row in this table represents a configuration.

SecurityName: The security name assigned to this entry in the Community table. The range is 1 to 32 characters.


ContextEngineID: The contextEngineID that indicates the location of the context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName. The default value is the snmpEngineID of the entity in which this object is instantiated.

ContextName: The context in which management information is accessed when using the community string specified by the corresponding instance of snmpCommunityName.

TransportTag: This object specifies a set of transport endpoints that are associated with a community string. The community string is only valid when found in an SNMPv1 or SNMPv2c message received from one of these transport endpoints, or when used in an SNMPv1 or SNMPv2c message that is sent to one of these transport endpoints.

StorageType: The storage type for this conceptual row in the snmpCommunityTable. Conceptual rows that have the value permanent do not allow write-access to any columnar object in the row.

Management Targets

The concept of the SNMPv3 management target is similar to trap receivers in SNMPv1 and SNMPv2c. Management targets are defined with the help of three tables.

Management Target Tables

"Management Target Tables" (page 161) describes the tables that help to define the management targets.

Table 75 Management target tables

Table Name Description

Target Address table: Lists the IP address and destination UDP port number of stations that receive trap or inform messages.

Target Parameters table: Specifies how to format and process an outgoing message that is sent to an associated target address.

Notify table: Specifies the type of message to send to a management target: trap or inform.


Creating a Management Target Address

To create an entry in the Management Target Address table, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table.

The Target Table dialog box appears, with the Target Address Table tab displayed.

The following figure displays the Target Table dialog box, Target Address Table tab.

Figure 49 Target Table dialog box, Target Address Table tab

Target Address Table fields

The following table describes the Target Address Table fields.

Table 76 Target Address Table fields

Field Description

Name: Specifies the name for this target table entry.

TDomain: Specifies the domain of the management target. The default is snmpUDPDomain.

TAddress: Specifies the IP address and destination UDP port for this management target, for example, 10.0.4.27:162.

Timeout: Specifies the length of time to wait, in 1/100th of a second, for an acknowledgement from this management target before declaring the message as timed-out. The default is 1500 milliseconds.

RetryCount: Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.


Taglist: Refers to zero or more Notify tags that are used to link this entry with entries in the Notify table. By default, you can enter either trap or inform without having to create new entries in the Notification table.

Params: Specifies the entry in the Target Parameter table which is associated with this Management Target Address.

StorageType: Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert.

The Target Table, Insert Target Address Table dialog box appears.

The following figure displays the Target Table, Insert Target Address Table dialog box.

Figure 50 Target Table, Insert Target Address Table dialog box

3 Enter a Name.

4 Enter a TDomain name.

5 Enter the IP address and UDP port number for this management target, for example, 10.0.4.27:162.

6 Accept or modify the default values in the TimeOut and RetryCount fields.

7 In the Taglist field, enter the name of the tags (trap or inform), separated by a comma if more than one tag is entered. For more details, see Table 78 "Notify Table dialog box fields" (page 166).


8 In the Params field, enter the name of an entry in the Target Param table.

9 Click Insert.

The new Target address is shown in the list.

—End—

Creating Target Parameters

To create a target parameter, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > Target Table.

The Target Table dialog box appears, with the Target Address Table displayed (Figure 49 "Target Table dialog box, Target Address Table tab" (page 162)).

2 Select the Target Params Table tab.

The Target Params Table tab appears.

The following figure displays the Target Params table tab.

Figure 51 Target Params Table tab

3 Click Insert.

The Target Table, Insert Target Params Table dialog box appears.

The following figure displays the Target Table, Insert Target Params Table dialog box.


Figure 52  Target Table, Insert Target Params Table dialog box

4 Enter a Name for this set of parameters.

5 Select the MPModel.

6 Select the SecurityModel.

7 Enter a SecurityName.

8 Specify a SecurityLevel value.

9 Enter the StorageType.

10 Click Insert.

The new target parameter is shown in the list.

—End—

Target Params Table tab fields

Table 77 "Target Params Table tab fields" (page 165) describes the Target Params Table dialog box fields.

Table 77  Target Params Table tab fields

Field | Description
Name | Specifies the name of the target parameters table.
MPModel | Specifies the Message Processing model: SNMPv1, SNMPv2c, or SNMPv3/USM.
SecurityModel | Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM.
SecurityName | Specifies the security name for generating SNMP messages.
SecurityLevel | Specifies the security level for SNMP messages: noAuthnoPriv, authnoPriv, or authPriv.
Storage Type | Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

The Notify Table

The Notify Table contains default entries for a trap notification type and an inform notification type.

To create a Notify Table entry, use the following procedure:

Step Action

1 From the Device Manager menu bar, choose Edit > SnmpV3 > Notify.

The Notify Table dialog box appears (Figure 53 "Notify Table dialog box" (page 166)).

Notify Table dialog box fields

Figure 53  Notify Table dialog box

The following table describes the Notify Table dialog box fields.

Table 78  Notify Table dialog box fields

Field | Description
Name | A name or index value for this row in the table.
Tag | A single tag value that is used to associate this entry with an entry in the Target Address Table.
Type | This selection specifies the type of notification sent to a management target address. If the value is trap, sent messages contain SNMPv2-Trap PDUs. If the value is inform, messages contain Inform PDUs. ATTENTION: If an SNMP entity supports only trap (and not inform) messages, this object can be read-only.
StorageType | Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.

2 Click Insert.

The Notify Table, Insert dialog box appears.

The following figure displays the Notify Table, Insert dialog box.

Figure 54  Notify Table, Insert dialog box

3 Enter a Name for this table row.

4 Enter a Tag name which connects this entry to one or more Target Address table entries.

5 Specify the Type of message Protocol Data Units (PDUs) to send to an associated Management Target Address: trap or inform.

6 Specify the StorageType.

7 Click Insert.

The new notify entry is shown in the list.


—End—
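The three tables above fit together through two references: a Notify entry's Tag selects every Target Address whose Taglist contains that tag, and each Target Address's Params field names the Target Params entry that decides which SNMP version and security level the notification is sent with. The Python model below is an added example, not Nortel code or a feature of the switch: the class and function names, the entry names and the 192.0.2.10 collector address are constructed, the 10.0.4.27:162 address is the one used in step 5 of the Target Address procedure, and the tag-matching rule follows SNMP-NOTIFICATION-MIB (RFC 3413) applied to the comma-separated Taglist this page describes. The audit method flags targets whose parameters carry notifications with no authentication or privacy, which is the check worth running once these tables are populated.

```python
"""Model of the SNMPv3 Target Params, Target Address and Notify tables.

Added example, not Nortel code. Table and field names follow the Device Manager
dialog boxes on this page; tag matching follows SNMP-NOTIFICATION-MIB (RFC 3413),
applied to the comma-separated Taglist this page describes. Entry names,
addresses and the audit rules are constructed for illustration.
"""
from dataclasses import dataclass

MODELS = {"SNMPv1", "SNMPv2c", "SNMPv3/USM"}         # MPModel / SecurityModel values
LEVELS = {"noAuthNoPriv", "authNoPriv", "authPriv"}   # SecurityLevel values


@dataclass
class TargetParams:
    name: str
    mp_model: str
    security_model: str
    security_name: str      # USM user for SNMPv3, community string for SNMPv1/v2c
    security_level: str

@dataclass
class TargetAddress:
    name: str
    tdomain: str
    address: str            # "ip:udp-port", e.g. the page's 10.0.4.27:162
    tag_list: str           # Taglist field: tags separated by commas
    params: str             # name of a Target Params entry

@dataclass
class NotifyEntry:
    name: str
    tag: str                # a single tag value
    type: str               # "trap" (SNMPv2-Trap PDU) or "inform" (Inform PDU)


class SnmpTargetConfig:
    def __init__(self):
        self.params, self.addresses, self.notify = {}, {}, {}

    def add_params(self, p):
        if p.mp_model not in MODELS or p.security_model not in MODELS or p.security_level not in LEVELS:
            raise ValueError(f"{p.name}: unknown model or security level")
        self.params[p.name] = p

    def add_address(self, a):
        if a.params not in self.params:   # step 8 above: Params must name an existing entry
            raise ValueError(f"{a.name}: no Target Params entry named {a.params!r}")
        host, sep, port = a.address.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"{a.name}: address must be ip:udp-port")
        self.addresses[a.name] = a

    def add_notify(self, n):
        if n.type not in ("trap", "inform"):
            raise ValueError(f"{n.name}: Type must be trap or inform")
        if not n.tag or "," in n.tag or " " in n.tag:
            raise ValueError(f"{n.name}: Tag must be a single tag value")
        self.notify[n.name] = n

    @staticmethod
    def tags(a):
        return {t.strip() for t in a.tag_list.split(",") if t.strip()}

    def recipients(self, notify_name):
        """Targets a Notify entry reaches: (address, Target Params name, PDU type)."""
        n = self.notify[notify_name]
        return [(a.address, a.params, n.type)
                for a in self.addresses.values() if n.tag in self.tags(a)]

    def audit(self):
        """Flag targets whose parameters give notifications no authentication or privacy."""
        findings = []
        for a in self.addresses.values():
            p = self.params[a.params]
            if p.mp_model != "SNMPv3/USM":
                findings.append(f"{a.name}: {p.mp_model} sends the community string in clear text")
            elif p.security_level != "authPriv":
                findings.append(f"{a.name}: SNMPv3 target at {p.security_level}, payload not encrypted")
        return findings


def rejected(adder, entry):
    """True if an add_* method refuses the entry (exercises the cross-table checks)."""
    try:
        adder(entry)
    except ValueError:
        return True
    return False


def build_example():
    """Constructed configuration: the default trap and inform Notify entries this page
    mentions, one SNMPv3 authPriv target and one legacy SNMPv2c target."""
    cfg = SnmpTargetConfig()
    cfg.add_params(TargetParams("v3-nms", "SNMPv3/USM", "SNMPv3/USM", "nms-user", "authPriv"))
    cfg.add_params(TargetParams("v2c-legacy", "SNMPv2c", "SNMPv2c", "public", "noAuthNoPriv"))
    cfg.add_address(TargetAddress("nms-primary", "snmpUDPDomain", "10.0.4.27:162", "trap,inform", "v3-nms"))
    cfg.add_address(TargetAddress("legacy-collector", "snmpUDPDomain", "192.0.2.10:162", "trap", "v2c-legacy"))
    cfg.add_notify(NotifyEntry("trap", "trap", "trap"))
    cfg.add_notify(NotifyEntry("inform", "inform", "inform"))
    return cfg
```

In the constructed configuration, recipients("trap") returns both targets because both Taglists contain trap, while recipients("inform") reaches only the SNMPv3 target. A Target Address whose Params field names a nonexistent entry is refused, which is the dependency step 8 of the Target Address procedure imposes, and audit() reports the SNMPv2c collector because its SecurityName is a clear-text community string.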


Configuring Security using web-based management

The options available to configure application settings are:

• "Configuring system security" (page 169)

• "Accessing the management interface" (page 173)

• "Configuring MAC address-based security" (page 175)


• "About SNMP" (page 188)

• "Configuring SNMPv1" (page 188)

• "Configuring SNMPv3" (page 190)

Configuring system security

This section describes the steps you use to build and manage security by using the Web-based management interface.

ATTENTION
When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more information, see "Setting the username and password" (page 35).

Setting console, Telnet, and Web passwords

ATTENTION
For information about modifying existing system usernames, see "Setting the username and password" (page 35).

To set Console, Telnet, and Web passwords, use the following procedure:


Step Action

1 From the main menu, choose Administration > Security.

2 Choose Console, Telnet, Web, or RADIUS as required.

The selected password page appears.

3 Click Submit.

ATTENTION
The title of the page corresponds to the menu selection you choose. In the following figure, the network administrator selected Administration > Security > Console.

Figure 55  Console password setting page

The following table describes the items on the Console page.


Table 79  Console page fields

ATTENTION
Console, Telnet, and Web connections share the same switch password type and password. These connections also share the same stack password type and password.

Section | Fields | Setting | Description
Console Switch Password Setting | Switch Password Type | (1) None (2) Local Password (3) RADIUS Authentication | Displays the switch password types. ATTENTION: The default is None.
Console Switch Password Setting | Read-Only Switch Password | 1..15 | Type the read-only password setting for the read-only access user.
Console Switch Password Setting | Read-Write Switch Password | 1..15 | Type the read-write password setting for the read-write access user.
Console Stack Password | Stack Password Type | None | Displays the switch password types. ATTENTION: The default is None.
Console Stack Password | Read-Only Stack Password | 1..15 | Type the read-only password setting for the read-only access user.
Console Stack Password | Read-Write Stack Password | 1..15 | Type the read-write password setting for the read-write access user.


4 Choose the type of password. The following table describes the options available in the Console Switch Password Type list box.

Table 80  Password Types

Password Type | Description
None | Indicates that no password is required for this type of access.
Local Password | Sets a password for access through a direct network connection or a direct Console port connection.
RADIUS Authentication | Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page.

5 Type the password for read-only and read/write user access.

6 Click Submit to save the changes.

—End—

Configuring RADIUS dial-in access security

To configure remote dial-in access security parameters, use the following procedure:

Step Action

1 From the main menu, choose Administration > Security > Radius.

The Radius page appears.

Figure 56  Radius page


The following table describes the items on the RADIUS page.

Table 81  RADIUS page fields

Field | Setting | Description
Primary RADIUS Server | XXX.XXX.XXX.XXX | Type a Primary Radius server IP address in the appropriate format.
Secondary RADIUS Server | XXX.XXX.XXX.XXX | Type a Secondary Radius server IP address in the appropriate format.
UDP RADIUS Port | Integer | Type the UDP Radius port number.
RADIUS Timeout Period | 1..60 | Type the RADIUS timeout period.
RADIUS Shared Secret | 1..16 | Type a unique character string to create a secret password. Reenter the password to verify.

2 Type the IP addresses of the primary and secondary RADIUS (Remote Authentication Dial In User Services) servers.

3 Type the number of the User Datagram Protocol (UDP) port for the RADIUS server. The default value is 1645.

4 Type the number of seconds for the RADIUS timeout period. The range is 1 to 60 seconds.

5 Type a character string for the RADIUS Shared Secret. This parameter is a special switch security code that provides authentication to the RADIUS server. The value can be any contiguous ASCII string that contains at least one printable character, up to a maximum of 16.

6 Reenter the character string to confirm the RADIUS Shared Secret.

7 Click Submit.

—End—

Accessing the management interface

After switch passwords and RADIUS authentication settings are integrated into the Web-based management user interface, anyone who attempts to use the application is presented with a log on page. See Figure 57 "Web-based management interface log on page" (page 174).


Figure 57  Web-based management interface log on page

To log on to the Web-based management interface, use the following procedure:

Step Action

1 In the Username text box, type a valid username (default values are RO [uppercase] for read-only access or RW [uppercase] for read/write access).

2 In the Password text box, type your password.

3 Click Log On.

The System Information page appears.

ATTENTION
For information about modifying existing system usernames, see "Setting the username and password" (page 35).

Figure 58  System Information Page


—End—

With Web access enabled, the switch can support a maximum of four concurrent Web page users. Two predefined user levels are available, and each user level has a corresponding username and password.

Table 82 "User levels and access levels" (page 175) shows an example of the two predefined user levels available and their access level within the Web-based management user interface.

Table 82  User levels and access levels

User level | User name for each level | Password for each user level | Access Level
Read-only | RO | XXXXXXXX | Read only
Read/write | RW | XXXXXXXX | Full read/write access

Configuring MAC address-based security

The MAC address-based security system lets you specify a range of system responses to unauthorized network access to your switch by using the Web-based management system.

The system response can range from sending a trap to disabling the port. The network access control is based on the MAC Source Addresses (SAs) of the authorized stations. You can specify a list of up to 448 MAC SAs that are authorized to access the switch. You can also specify the ports that each MAC SA is allowed to access. The options for allowed MAC SA port access include: NONE, ALL, and single or multiple ports that are specified in a list, for example, one to four, six, nine, and so on. You must also include the MAC SA of any router connected to any secure ports.

After the switch software detects an SA security violation, the response can be to send a trap, turn on Destination Address (DA) filtering for all SAs, disable the specific port, or any combination of these three options.

You can also configure the Ethernet Routing Switch 2500 Series to drop all packets that have a specified MAC Destination Address (DA). You can create a list of up to 10 MAC DAs that you want to filter. The packet with the specified MAC DA is dropped regardless of the ingress port, Source Address (SA) intrusion, or VLAN membership.


ATTENTION
Ensure that you do not enter the MAC address of the switch on which you are working.

ATTENTION
After configuring the switch for MAC address-based security, you must enable the ports you want by using the Port Configuration page.

Configuring MAC address-based security

You can use the Security Configuration page to enable or disable the MAC address security feature and specify the appropriate system responses to any unauthorized network access to your switch. To configure MAC address-based security by using the Web-based management system, use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > Security Configuration.

The Security Configuration page appears.

The following figure displays the Security Configuration page.

Figure 59  Security Configuration page


The following table describes the items on the Security Configuration page.

Table 83  Security Configuration page items

Section | Item | Range | Description
MAC Address Security Setting | MAC Address Security | (1) Enabled (2) Disabled | Enables the MAC address security features. After this field is set to Enabled, the software checks the source MAC addresses of the packets that arrive on the secure ports against MAC addresses listed in the MAC Address Security Table for allowed membership. If the software detects a source MAC address that is not an allowed member, the software registers a MAC intrusion event.
MAC Address Security Setting | MAC Address Security SNMP-Locked | (1) Enabled (2) Disabled | After this field is set to Enabled, the MAC address security screens cannot be modified by using SNMP.
MAC Address Security Setting | Partition Port on Intrusion Detected | (1) Forever (2) Enabled (3) Disabled | Configures how the switch reacts to an intrusion event (see the MAC Address Security field). Disabled: the port remains enabled, even if an intrusion event is detected. Enabled: the port is disabled, then automatically reset to enabled after the time specified in the Partition Time field elapses. Forever: the port is disabled and remains disabled (partitioned) until reset; the port does not reset after the Partition Time elapses, and you must manually reenable it.
MAC Address Security Setting | Partition Time | 1 to 65535 | Sets the time to partition a port on intrusion. ATTENTION: Use this field only if the Partition Port on Intrusion Detected field is set to Enabled.
MAC Address Security Setting | DA Filtering on Intrusion Detected | (1) Enabled (2) Disabled | When enabled, the switch isolates the intruding node by filtering (discarding) the packets sent to that MAC address.
MAC Address Security Setting | Generate SNMP Trap on Intrusion | (1) Enabled (2) Disabled | Enables generation of an SNMP trap to all registered SNMP trap addresses when an intrusion is detected.
MAC Security Table/Clear by Ports | Action | | Lets you clear specific ports from participation in the MAC address security features.
MAC Security Table/Clear by Ports | Port List | | Blank.
MAC Security Table/Clear by Ports | Current Learning Mode | | Blank.
MAC Security Table/Learn by Ports | Action | | Lets you identify ports that learn incoming MAC addresses. All source MAC addresses of any packets received on specified ports are added to the MAC Security Table (a maximum of 448 MAC addresses are allowed).
MAC Security Table/Learn by Ports | Port List | | Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses).
MAC Security Table/Learn by Ports | Current Learning Mode | (1) Enabled (2) Disabled | Enables learning.

2 On the Security Configuration page, type the necessary information in the text boxes, or select from a list.

3 Click Submit.

—End—


Configuring ports

You can use the Port Lists page to create port lists that can be used as allowed source port lists to be referenced in the Security Table page. You can create up to 32 port lists.

To activate an entry or add or delete ports from a list, use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > Port Lists.

The Port Lists page appears.

The following figure displays the Port Lists page.

Figure 60  Port Lists page

The following table describes the items on the Port Lists page.


Table 84  Port Lists page items

Item | Description
Entry | These are the lists of ports.
Action | Lets you create a port list that you can use as an Allowed Source in the Security Table screen.
Port List | Displays which ports are associated with each list.

2 To add or delete ports to a list, click in the Action column in the list row that you want.

The Port List View, Port List page appears.

The following figure displays the Port List View, Port List page.

Figure 61  Port List View, Port List page

a. Click the ports you want to add to the selected list, or click All.

b. To delete a port from a list, clear the box by clicking it.

c. Click Submit.

3 From the main menu, choose Application > MAC Address Security > Security Configuration.

The Security Configuration page appears.

4 In the MAC Security Table section, click in the Action column of the Learn By Ports row.

The Port List View, Learn by Ports page appears.

The following figure displays the Port List View, Learn by Ports page.


Port List View, Learn by Ports page

a. Click the ports through which you want the switch to learn MAC addresses, or click All.

b. If you want that port to no longer learn MAC addresses, click the checked box to clear it.

c. Click Submit.

5 In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row.

6 Click Submit.

ATTENTION
You cannot include any of the port values that you choose for the secure ports field.

—End—

Adding MAC addresses

You can use the Security Table page to specify the ports that each MAC address is allowed to access. (You must also include the MAC addresses of any routers that are connected to any secure ports.)

To add MAC addresses to the MAC address security table, use the following procedure:

Step Action

1 In the main menu, choose Applications > MAC Address Security > Security Table.

It can take a few moments for the required addresses to be learned. Then, the Security Table page appears.

The following figure displays the Security Table page.


Figure 62  Security Table page

ATTENTION
By using this page, you instruct the switch to allow the specified MAC address access only through the specified port or port list.

The following table describes the items on the Security Table page.

Table 85  Security Table page items

Section | Item | Range | Description
MAC Address Security Table | Action | | Lets you delete a MAC address.
MAC Address Security Table | MAC Address | | Displays the MAC address.
MAC Address Security Table | Allowed Source | Port Entry | Displays the entry through which the MAC address is allowed.
MAC Address Security Table Entry Creation | MAC Address | | Lets you specify up to 448 MAC addresses that are authorized to access the switch. You can specify the ports that each MAC address is allowed to access by using the Allowed Source field (see the next item description). The specified MAC address does not take effect until the Allowed Source field is set to some value (a single port number or a port list value that you previously configured in the Port Lists screen).
MAC Address Security Table Entry Creation | Allowed Source | | Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source field include a single port number or a port list value that you have previously configured in the Port Lists screen.

2 Complete fields as described in the table.

ATTENTION
If you choose an Entry as the Allowed Source, you must have configured that specific entry on the Port View List, Port List page.

3 On the Security Table page, type the required information in the text boxes or select from a list.

4 Click Submit.

ATTENTION
Include the MAC address for the default LAN router as an allowed source MAC address.

—End—

Clearing ports

You can clear all information from the specified port(s) in the list of ports that learn MAC addresses. If Learn by Ports is enabled, the specified ports begin to learn the MAC addresses.

To clear information from selected ports, use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > Security Configuration.

The Security Configuration page appears (Figure 59 "Security Configuration page" (page 176)).

2 In the MAC Security Table section, click in the Action column of the Clear By Ports row.

The Port List View, Clear By Ports page appears.


The following figure displays the Port List View, Clear By Ports page.

Figure 63  Port List View, Clear By Ports page

3 Select the ports you want to clear or click All.

4 Click Submit.

ATTENTION
When you specify a port (or ports) to be cleared by using this field, the specified ports are cleared for each of the entries listed in the MAC Address Security Table. If you clear all of the Allowed Source Ports field (leaving a blank field) for an entry, the associated MAC address for that entry is also cleared.

—End—

Enabling security on ports

To enable or disable MAC address-based security on the port, use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > Port Configuration.

The Port Configuration page appears.

The following figure displays the Port Configuration page.


Figure 64  Port Configuration page

The following table describes the items on the Port Configuration page.

Table 86  Port Configuration page items

Item | Range | Description
Port | 1 to 52 | Lists each port on the unit.
Trunk | Blank, 1 to 6 | Displays the MultiLink Trunk to which the port belongs.
Security | (1) Enabled (2) Disabled | Enables MAC address-based security on that port.

—End—


Deleting ports

You can delete ports from the security system in a variety of ways:

• In the Ports List View, Port List page (Figure 61 "Port List View, Port List page" (page 180)), click the checkmark of a selected port that you want to delete from the specified port list.

• In the Ports List View, Learn by Ports page ("Port List View, Learn by Ports page" (page 181)), click the checkmark of a port that you want to remove from those ports that learn MAC addresses.

• In the Port Configuration page (Figure 64 "Port Configuration page" (page 185)), click Disabled to remove that port from the MAC address-based security system; this action disables all MAC address-based security on that port.

Filtering MAC destination addresses

To drop all packets from a specified MAC Destination Address (DA), use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > DA MAC Filtering.

The DA MAC Filtering page appears.

The following figure displays the DA MAC Filtering page.

Figure 65  DA MAC Filtering page

The following table describes the items on the DA MAC Filtering page.


Table 87  DA MAC Filtering page items

Section | Item | Range | Description
Destination MAC Address Filtering Table | Action | | To drop all packets to and from a specified MAC Destination Address (DA).
Destination MAC Address Filtering Table | Index | 1 - 10 | The number of the MAC address.
Destination MAC Address Filtering Table | MAC Address | | Displays the MAC address.
DA MAC Filtering Entry Creation | DA MAC Address | XX:XX:XX:XX:XX:XX | Enter the MAC DA that you want to filter.

ATTENTION
Ensure that you do not enter the MAC address of the management station.

2 In the DA MAC Filtering Entry Creation area, enter the MAC DA that you want to filter.

You can list up to 10 MAC DAs to filter.

3 Click Submit.

The system returns you to the DA MAC Filtering page (Figure 65 "DA MAC Filtering page" (page 186)) with the new DA listed in the table.

—End—

Deleting MAC DAs

To delete a MAC DA, use the following procedure:

Step Action

1 From the main menu, choose Application > MAC Address Security > DA MAC Filtering.

The DA MAC Filtering page appears (Figure 65 "DA MAC Filtering page" (page 186)).

2 In the Destination MAC Address Filtering Table, click the Delete icon for the entry that you want to delete.

A message appears prompting you to confirm your request.


3 Do one of the following:

• Click Yes to delete the target parameter configuration.

• Click Cancel to return to the table without making changes.

—End—
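The Security Configuration, Port Lists, Security Table, Port Configuration and DA MAC Filtering pages above each set one part of a single decision the switch makes for every incoming frame. The Python model below is an added example, not Nortel code and not a description of the switch firmware: it encodes the behaviour the tables above describe (only secure ports are checked; Allowed Source is a port, a port list, ALL or NONE; an entry takes no effect until Allowed Source is set; the three intrusion responses combine; static DA filtering applies regardless of ingress port) so that the combinations can be traced before they are configured on a live switch. The 448-entry limit and the port range 1 to 52 come from the page. The MAC addresses, port numbers, class and function names, the 30-second Partition Time and the assumption that Partition Time counts seconds are constructed for the example.

```python
"""Model of the MAC address-based security behaviour configured on this page.

Added example, not Nortel code: shows how the Security Configuration, Port Lists,
Security Table, Port Configuration and DA MAC Filtering settings combine per frame.
The 448-entry limit and ports 1 to 52 come from the page; sample MACs, ports and
function names are constructed, and Partition Time is assumed to be in seconds.
"""
from dataclasses import dataclass, field

MAX_SECURE_MACS = 448                  # page: up to 448 MAC SAs in the Security Table
ALL_PORTS = frozenset(range(1, 53))    # page: Port 1 to 52


@dataclass
class MacSecurityConfig:
    enabled: bool = True                     # MAC Address Security
    partition_on_intrusion: str = "Enabled"  # Disabled / Enabled / Forever
    partition_time: int = 60                 # 1 to 65535, used only with "Enabled" (seconds assumed)
    da_filtering_on_intrusion: bool = True   # DA Filtering on Intrusion Detected
    snmp_trap_on_intrusion: bool = True      # Generate SNMP Trap on Intrusion
    secure_ports: set = field(default_factory=set)      # Port Configuration: Security = Enabled
    port_lists: dict = field(default_factory=dict)      # Port Lists page: entry -> set of ports
    security_table: dict = field(default_factory=dict)  # Security Table: MAC -> Allowed Source
    da_filters: set = field(default_factory=set)        # DA MAC Filtering page (up to 10)


class MacSecuritySwitch:
    def __init__(self, cfg):
        self.cfg = cfg
        self.partitioned = {}      # port -> seconds left, or None when partitioned Forever
        self.intruder_das = set()  # MACs isolated by DA Filtering on Intrusion
        self.traps = []            # (port, mac) intrusion traps that would be sent

    def add_mac(self, mac, allowed_source=None):
        """Allowed Source: None (not set yet), "NONE", "ALL", a port number or ("list", entry)."""
        if len(self.cfg.security_table) >= MAX_SECURE_MACS:
            raise ValueError("MAC Address Security Table is full")
        self.cfg.security_table[mac.lower()] = allowed_source

    def allowed_ports(self, mac):
        src = self.cfg.security_table.get(mac)
        if src is None or src == "NONE":   # page: the entry takes no effect until Allowed Source is set
            return frozenset()
        if src == "ALL":
            return ALL_PORTS
        if isinstance(src, int):
            return frozenset({src})
        return frozenset(self.cfg.port_lists[src[1]])   # ("list", entry) from the Port Lists page

    def handle_frame(self, port, src_mac, dst_mac):
        """Return the action the switch takes on one frame."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        if dst_mac in self.cfg.da_filters:   # static DA filter: any ingress port, any VLAN
            return "drop:da-filter"
        if port in self.partitioned:
            return "drop:port-partitioned"
        if dst_mac in self.intruder_das:     # traffic towards an isolated intruder
            return "drop:intruder-da"
        if not self.cfg.enabled or port not in self.cfg.secure_ports:
            return "forward"                 # only secure ports are checked
        if port in self.allowed_ports(src_mac):
            return "forward"
        return self._intrusion(port, src_mac)

    def _intrusion(self, port, mac):
        actions = []
        if self.cfg.snmp_trap_on_intrusion:
            self.traps.append((port, mac))
            actions.append("trap")
        if self.cfg.da_filtering_on_intrusion:
            self.intruder_das.add(mac)
            actions.append("da-filter")
        if self.cfg.partition_on_intrusion == "Enabled":
            self.partitioned[port] = self.cfg.partition_time
            actions.append(f"partition:{self.cfg.partition_time}s")
        elif self.cfg.partition_on_intrusion == "Forever":
            self.partitioned[port] = None    # stays until manually reenabled
            actions.append("partition:forever")
        return "drop:intrusion(" + ",".join(actions) + ")"

    def tick(self, seconds):
        """Enabled partitions expire after Partition Time; Forever ones never do."""
        self.partitioned = {p: (None if t is None else t - seconds)
                            for p, t in self.partitioned.items() if t is None or t > seconds}


def run_scenario():
    """Constructed traffic against a constructed configuration; returns the actions and the switch."""
    cfg = MacSecurityConfig(partition_time=30, secure_ports={1, 2, 3},
                            port_lists={1: {1, 2}}, da_filters={"dd:dd:dd:dd:dd:dd"})
    sw = MacSecuritySwitch(cfg)
    sw.add_mac("AA:AA:AA:AA:AA:AA", ("list", 1))   # workstation allowed on port list 1
    sw.add_mac("bb:bb:bb:bb:bb:bb", 3)             # printer allowed on port 3 only
    sw.add_mac("cc:cc:cc:cc:cc:cc", "ALL")         # default LAN router, as the page requires
    sw.add_mac("ee:ee:ee:ee:ee:ee")                # entered without an Allowed Source
    router = "cc:cc:cc:cc:cc:cc"
    results = [
        sw.handle_frame(1, "aa:aa:aa:aa:aa:aa", router),                # allowed
        sw.handle_frame(3, "aa:aa:aa:aa:aa:aa", router),                # wrong port: intrusion
        sw.handle_frame(3, "bb:bb:bb:bb:bb:bb", router),                # port 3 is now partitioned
        sw.handle_frame(1, router, "aa:aa:aa:aa:aa:aa"),                # reply towards the intruder
        sw.handle_frame(10, "ff:ff:ff:ff:ff:01", "dd:dd:dd:dd:dd:dd"),  # static DA filter
        sw.handle_frame(2, "ee:ee:ee:ee:ee:ee", router),                # no Allowed Source yet
        sw.handle_frame(10, "ee:ee:ee:ee:ee:ee", router),               # port 10 is not secure
    ]
    sw.tick(30)                                                         # Partition Time elapses
    results.append(sw.handle_frame(3, "bb:bb:bb:bb:bb:bb", router))    # port 3 forwards again
    return results, sw
```

The scenario shows the three responses combining: the intrusion on port 3 produces a trap, isolates the intruder's MAC as a destination (so the router's reply on port 1 is discarded) and partitions the port for Partition Time, after which the printer on port 3 forwards again. The entry created without an Allowed Source triggers an intrusion on a secure port but is not checked at all on a non-secure port, and the static DA filter drops on any port. With Partition Port on Intrusion Detected set to Forever, tick() never clears the port, which is the manual re-enable the Security Configuration table above requires.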

About SNMP

Simple Network Management Protocol (SNMP) is the standard for network management that uses a common software agent to manage local and wide area network equipment from different vendors; it is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite as defined in RFC115. SNMPv1 is version one, the original standard protocol. SNMPv3 is a combination of proposal updates to SNMP, most of which deal with security.

Configuring SNMPv1

You can configure SNMPv1 read/write and read-only community strings, enable or disable trap mode settings, and/or enable or disable the autotopology feature. The autotopology feature, when enabled, performs a process that recognizes any device on the managed network and defines and maps its relation to other network devices in real time.

To configure the community string, trap mode, and autotopology settings and features, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv1.

The SNMPv1 page appears.

The following figure displays the SNMPv1 page.


Figure 66  SNMPv1 page

The following table describes the items on the SNMPv1 page.

Table 88  SNMPv1 page items

Section | Item | Range | Description
Community String Setting | Read-Only Community String | 1..32 | Type a character string to identify the community string for the SNMPv1 read-only community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-only community. The default value is public.
Community String Setting | Read-Write Community String | 1..32 | Type a character string to identify the community string for the SNMPv1 read-write community, for example, public or private. Reenter the same character string to confirm the community string for the SNMPv1 read-write community. The default value is private.
Trap Mode Setting | Authentication Trap | (1) Enable (2) Disable | Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs.
AutoTopology Setting | AutoTopology | (1) Enable (2) Disable | Choose to enable or disable the autotopology feature, which allows network topology mapping of other switches in your network.

2 Type the required information in the text boxes or select from a list.

3 Click Submit in any section to save your changes.

—End—

Configuring SNMPv3

This section describes the steps to build and manage SNMPv3 in the Web-based management user interface.

Viewing SNMPv3 system information

You can view information about the SNMPv3 engine that exists and the private protocols that are supported in your network configuration. You can also view information about packets received by the system that have particular errors, such as unavailable contexts, unknown contexts, decrypting errors, or unknown user names.

To view SNMPv3 system information, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > System Information.

The System Information page appears.

The following figure displays the System Information page.

Figure 67 System Information page

Table 89 "System Information section fields" (page 191) describes the fields on the System Information section of the SNMPv3 System Information page.

Table 89 System Information section fields

SNMP Engine ID
  The identification number for the SNMP engine.

SNMP Engine Boots
  The number of times that the SNMP engine has reinitialized itself since its initial configuration.

SNMP Engine Time
  The number of seconds since the SNMP engine last incremented the snmpEngineBoots object.

SNMP Engine Maximum Message Size
  The maximum length, in octets, of an SNMP message that this SNMP engine can send or receive and process. This is determined as the minimum of the maximum message size values supported among all transports available to and supported by the engine.

SNMP Engine Dialects
  The SNMP dialects that the engine recognizes. The dialects are: SNMPv1, SNMPv2C, and SNMPv3.

Authentication Protocols Supported
  The registration point for standards-track authentication protocols used in SNMP Management Frameworks. The registration points are: None, HMAC MD5, and HMAC SHA.
  ATTENTION
  The Ethernet Routing Switch 2500 Series supports only the MD5 authentication protocol.

Private Protocols Supported
  The registration point for standards-track privacy protocols used in SNMP Management Frameworks. The registration points are: None, CBC-DES, AES or 3DES.
  ATTENTION
  The Ethernet Routing Switch 2500 Series does not support privacy protocols.

Table 90 "SNMPv3 Counters section fields" (page 192) describes the fields on the SNMPv3 Counters section of the SNMPv3 System Information page.

Table 90 SNMPv3 Counters section fields

Unavailable Contexts
  The total number of packets dropped by the SNMP engine because the context contained in the message is unavailable.

Unknown Contexts
  The total number of packets dropped by the SNMP engine because the context contained in the message is unknown.

Unsupported Security Levels
  The total number of packets dropped by the SNMP engine because they requested a security level that is unknown to the SNMP engine or otherwise unavailable.

Not in Time Windows
  The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.

Unknown User Names
  The total number of packets dropped by the SNMP engine because they referenced an unknown user.

Unknown Engine IDs
  The total number of packets dropped by the SNMP engine because they referenced an snmpEngineID that is not known to the SNMP engine.

Wrong Digests
  The total number of packets dropped by the SNMP engine because they did not contain the expected digest value.

Decryption Errors
  The total number of packets dropped by the SNMP engine because they could not be decrypted.

—End—
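The counters in Table 90 are the engine's own record of failed SNMPv3 exchanges, so a jump in Wrong Digests or Unknown User Names between two polls is worth alerting on. The following added example (written for this page; it is not code from the Nortel manual or the switch) evaluates a series of constructed counter snapshots read from the SNMPv3 Counters section, handles Counter32 wrap, and reports which counters grew faster than a per-poll threshold. The threshold values and the snapshots are constructed.

```python
"""Alert on growth of the SNMPv3 Counters (Table 90) between polls.

Added example; the snapshots and thresholds below are constructed values,
not output from a real switch.
"""
from __future__ import annotations

COUNTER32_MOD = 2 ** 32

# Maximum tolerated increase per poll interval (constructed thresholds).
# Wrong Digests grows when a manager presents a bad authentication passphrase;
# Unknown User Names grows when a manager tries user names that have no USM
# entry; Not in Time Windows grows with replayed or badly timed packets.
DEFAULT_THRESHOLDS = {
    "Wrong Digests": 10,
    "Unknown User Names": 10,
    "Not in Time Windows": 10,
    "Unknown Engine IDs": 10,
    "Unsupported Security Levels": 10,
    "Decryption Errors": 10,
}


def counter_delta(previous: int, current: int) -> int:
    """Increase of a Counter32 between two polls, allowing one wrap."""
    if current >= previous:
        return current - previous
    return current + COUNTER32_MOD - previous


def evaluate(snapshots: list[dict[str, int]],
             thresholds: dict[str, int] = DEFAULT_THRESHOLDS) -> list[tuple[int, str, int]]:
    """Return (poll index, counter name, delta) for every threshold breach.

    `snapshots` holds the counter values read from the page, oldest first;
    a counter missing from a snapshot is treated as 0.
    """
    alerts = []
    for index in range(1, len(snapshots)):
        prev, curr = snapshots[index - 1], snapshots[index]
        for name, limit in thresholds.items():
            delta = counter_delta(prev.get(name, 0), curr.get(name, 0))
            if delta > limit:
                alerts.append((index, name, delta))
    return alerts


# Constructed polls of the SNMPv3 Counters section, one every five minutes.
SAMPLE_SNAPSHOTS = [
    {"Wrong Digests": 12, "Unknown User Names": 3, "Not in Time Windows": 0,
     "Decryption Errors": 4294967290},
    # Quiet interval: one wrong passphrase, one late packet.
    {"Wrong Digests": 13, "Unknown User Names": 3, "Not in Time Windows": 1,
     "Decryption Errors": 4294967290},
    # 48 bad digests and 37 unknown user names in one interval; the
    # Decryption Errors counter wraps past 2**32 (delta 9, below threshold).
    {"Wrong Digests": 61, "Unknown User Names": 40, "Not in Time Windows": 1,
     "Decryption Errors": 3},
]

if __name__ == "__main__":
    for poll, name, delta in evaluate(SAMPLE_SNAPSHOTS):
        print(f"poll {poll}: {name} increased by {delta}")
```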

Configuring user access to SNMPv3

You can view a table of all current SNMPv3 user security information such as authentication/privacy protocols in use, and create or delete SNMPv3 system user configurations.

Creating an SNMPv3 system user configuration

To create an SNMPv3 system user configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > User Specification.

The User Specification page appears.

Figure 68 User Specification page

The following table describes the items on the User Specification Table section of the User Specification page.

Table 91 User Specification Table section items

Delete icon
  Deletes the row.

User Name (usmUserSecurityName)
  The name of an existing SNMPv3 user.

Authentication Protocol (usmUserAuthProtocol)
  Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.

Private Protocol (usmUserPrivProtocol)
  Displays whether or not messages sent on behalf of this user to or from the SNMP engine identified by the usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used.

Entry Storage
  The current storage type for this row. If Volatile is displayed, information is dropped (lost) when you turn off the power. If Non-Volatile is displayed, information is saved in NVRAM when you turn off the power.

The following table describes the items on the User Specification Creation section of the User Specification page.

Table 92 User Specification Creation section items

User Name
  Range: 1..32
  Description: Type a string of characters to create an identity for the user.

Authentication Protocol (usmUserAuthProtocol)
  Range: None, MD5, SHA
  Description: Choose whether or not the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated with the MD5 or SHA protocol.

Authentication Passphrase (usmUserAuthPassword)
  Range: 1..32
  Description: Type a string of characters to create a passphrase to use in conjunction with the authentication protocol.

Privacy Protocol
  Range: (1) None (2) DES (3) 3DES (4) AES
  Description: Choose the privacy protocol you want to use.

Privacy Passphrase
  Range: X..XX (an alphanumeric string of minimum 8 characters)
  Description: Type a string of characters to create a passphrase to use in conjunction with the privacy protocol. The alphanumeric string must be at least 8 characters long.

Entry Storage (usmUserStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the User Specification Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new configuration is displayed in the User Specification Table (Table 91 "User Specification Table section items" (page 194)).

—End—

Deleting an SNMPv3 system user configuration

To delete an existing SNMPv3 user configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > User Specification.

The User Specification page appears.

2 In the User Specification Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the SNMPv3 user configuration.

• Click Cancel to return to the User Specification page without making changes.

—End—

Configuring an SNMPv3 system user group membership

You can view a table of existing SNMPv3 group membership configurations and map or delete an SNMPv3 user to a group configuration.

Mapping an SNMPv3 system user to a group

To map an SNMPv3 system user to a group, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Membership.

The Group Membership page appears.

The following figure displays the Group Membership page.

Figure 69 Group Membership page

The following table describes the items on the Group Membership page.

Table 93 Group Membership page items

Delete icon
  Deletes the row.

Security Name (vacmSecurityToGroupStatus)
  Range: 1..32
  Description: Type a string of characters to create a security name for the principal that is mapped by this entry to a group name.

Security Model (vacmSecurityToGroupStatus)
  Range: (1) SNMPv1 (2) SNMPv2c (3) USM
  Description: Choose the security model within which the security name to group name mapping is valid.

Group Name (vacmGroupName)
  Range: 1..32
  Description: Type a string of characters to specify the group name.

Entry Storage (vacmSecurityToGroupStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Group Membership Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry is displayed in the Group Membership Table (Figure 69 "Group Membership page" (page 197)).

—End—

Deleting an SNMPv3 group membership configuration

To delete an SNMPv3 group membership configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Membership.

The Group Membership page appears (Figure 69 "Group Membership page" (page 197)).

2 In the Group Membership Table, click the Delete icon for the entry you want to delete.


A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the group membership configuration.

• Click Cancel to return to the Group Membership page without making changes.

ATTENTION
This Group Membership Table section of the Group Membership page contains hyperlinks to the SNMPv3 User Specification and Group Access Rights pages. For more information on these pages, see "Configuring user access to SNMPv3" (page 193) and "Configuring SNMPv3 group access rights" (page 199).

—End—

Configuring SNMPv3 group access rights

You can view a table of existing SNMPv3 group access rights configurations, and you can create or delete SNMPv3 system-level access rights for a group.

Creating an SNMPv3 group access rights configuration

To create an SNMPv3 system-level access rights configuration for a group, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Access Rights.

The Group Access Rights page appears.

The following figure displays the Group Access Rights page.

Figure 70 Group Access Rights page

The following table describes the items on the Group Access Rights page.

Table 94 Group Access Rights page items

Delete icon
  Deletes the row.

Group Name (vacmAccessToGroupStatus)
  Range: 1..32
  Description: Type a character string to specify the group name to which access is granted.

Security Model (vacmAccessSecurityModel)
  Range: (1) SNMPv1 (2) SNMPv2c (3) USM
  Description: Choose the security model to which access is granted.

Security Level (vacmAccessSecurityLevel)
  Range: (1) noAuthNoPriv (2) authNoPriv (3) authPriv
  Description: Choose the minimum level of security required to gain the access rights allowed to the group.

Read View (vacmAccessReadViewName)
  Range: 1..32
  Description: Type a character string to identify the MIB view of the SNMP context to which this entry authorizes read access.

Write View (vacmAccessWriteViewName)
  Range: 1..32
  Description: Type a character string to identify the MIB view of the SNMP context to which this entry authorizes write access.

Notify View (vacmAccessNotifyViewName)
  Range: 1..32
  Description: Type a character string to identify the MIB view to which this entry authorizes access to notifications.

Entry Storage (vacmSecurityToGroupStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Group Access Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry is displayed in the Group Access Table (Figure 70 "Group Access Rights page" (page 200)).

—End—

Deleting an SNMPv3 group access rights configuration

To delete an SNMPv3 group access configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Group Access Rights.

The Group Access Rights page appears (Figure 70 "Group Access Rights page" (page 200)).

2 In the Group Access Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the group access configuration.

• Click Cancel to return to the Group Access Rights page without making changes.

ATTENTION
This Group Access Table section of the Group Access Rights page contains hyperlinks to the Management Information View page.

—End—

Configuring an SNMPv3 management information view

You can view a table of existing SNMPv3 management information view configurations, and you can create or delete SNMPv3 management information view configurations.

ATTENTION
A view can consist of multiple entries in the table, each with the same view name, but a different view subtree.

Creating an SNMPv3 management information view configuration

To create an SNMPv3 management information view configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Management Info View.

The Management Information View page appears.

The following figure displays the Management Information View page.

Figure 71 Management Information View page

The following table describes the fields on the Management Information View page.

Table 95 Management Information View page fields

Delete icon
  Deletes the row.

View Name (vacmViewTreeFamilyViewName)
  Range: 1..32
  Description: Type a character string to create a name for a family of view subtrees.

View Subtree (vacmViewTreeFamilySubtree)
  Range: X.X.X.X.X...
  Description: Type an object identifier (OID) to specify the MIB subtree that, when combined with the corresponding instance of vacmViewTreeFamilyMask, defines a family of view subtrees.
  ATTENTION
  If no OID is entered and the field is blank, a default mask value consisting of 1s is recognized.

View Mask (vacmViewTreeFamilyMask)
  Range: Octet String (0..16)
  Description: Type the bit mask that, in combination with the corresponding instance of vacmViewFamilySubtree, defines a family of view subtrees.

View Type (vacmViewTreeFamilyType)
  Range: (1) Include (2) Exclude
  Description: Choose to include or exclude a family of view subtrees.

Entry Storage (vacmSecurityToGroupStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Management Information Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry appears in the Management Information Table (Figure 71 "Management Information View page" (page 203)).

—End—
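The Group Membership (Table 93), Group Access Rights (Table 94) and Management Information View (Table 95) pages together populate the SNMPv3 View-based Access Control Model, and the effect of a view mask, or of an Exclude row layered on an Include row of the same view name, is hard to see from the tables alone. The following added example (written for this page; it is not code from the Nortel manual or the switch firmware) models the resulting access decision over constructed table rows, including the subtree-plus-mask matching of RFC 3415 and the "blank mask means all 1s" rule from Table 95. The user, group and view names are constructed.

```python
"""Model of the SNMPv3 access decision (VACM) built from the Group Membership,
Group Access Rights and Management Information View tables.
Added example; every row below is constructed sample configuration."""
from __future__ import annotations
from dataclasses import dataclass

# Table 94's Security Level is the MINIMUM a request must carry to use a row.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

def parse_oid(text: str) -> tuple[int, ...]:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(arc) for arc in text.strip(".").split("."))

@dataclass(frozen=True)
class ViewEntry:
    """One row of Table 95 (vacmViewTreeFamilyTable)."""
    view_name: str
    subtree: tuple[int, ...]
    mask: bytes      # Octet String (0..16); b"" is treated as all 1s
    include: bool    # View Type: True = Include, False = Exclude

@dataclass(frozen=True)
class GroupMembership:
    """One row of Table 93 (vacmSecurityToGroupTable)."""
    security_name: str
    security_model: str   # "SNMPv1", "SNMPv2c" or "USM"
    group_name: str

@dataclass(frozen=True)
class AccessEntry:
    """One row of Table 94 (vacmAccessTable); an empty view name grants nothing."""
    group_name: str
    security_model: str
    security_level: str   # minimum level
    read_view: str
    write_view: str
    notify_view: str

def mask_bit(mask: bytes, index: int) -> bool:
    """Bit `index` of the mask, MSB first; bits past the end of the octet
    string are 1s, so a blank mask requires every subtree arc to match."""
    if index >= len(mask) * 8:
        return True
    return bool(mask[index // 8] & (0x80 >> (index % 8)))

def subtree_matches(entry: ViewEntry, oid: tuple[int, ...]) -> bool:
    """OID is in the family if it is at least as long as the subtree and every
    arc whose mask bit is 1 equals the subtree arc (a 0 bit is a wildcard)."""
    if len(oid) < len(entry.subtree):
        return False
    return all(not mask_bit(entry.mask, i) or oid[i] == entry.subtree[i]
               for i in range(len(entry.subtree)))

def oid_in_view(view: list[ViewEntry], oid: tuple[int, ...]) -> bool:
    """Several rows may share a view name; of those that match, the row with
    the longest subtree (then greatest mask) decides Include or Exclude
    (RFC 3415 section 3.2)."""
    matches = [e for e in view if subtree_matches(e, oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.subtree), e.mask)).include

def is_access_allowed(memberships, access, views, security_name,
                      security_model, security_level, view_type, oid):
    """Decide a "read", "write" or "notify" request for a dotted OID."""
    groups = [m.group_name for m in memberships
              if (m.security_name, m.security_model) == (security_name, security_model)]
    if not groups:
        return False
    rows = [a for a in access
            if a.group_name == groups[0] and a.security_model == security_model
            and LEVELS[security_level] >= LEVELS[a.security_level]]
    if not rows:
        return False
    best = max(rows, key=lambda a: LEVELS[a.security_level])
    view_name = {"read": best.read_view, "write": best.write_view,
                 "notify": best.notify_view}[view_type]
    if not view_name:
        return False
    return oid_in_view([v for v in views if v.view_name == view_name], parse_oid(oid))

# Constructed rows as an administrator would enter them on the three pages.
MEMBERSHIPS = [GroupMembership("ops-ro", "USM", "readonly"),
               GroupMembership("netadmin", "USM", "admins")]
ACCESS = [AccessEntry("readonly", "USM", "authNoPriv", "mib2-view", "", "mib2-view"),
          AccessEntry("admins", "USM", "authPriv", "all", "all", "all")]
VIEWS = [
    ViewEntry("all", parse_oid("1"), b"", True),
    ViewEntry("mib2-view", parse_oid("1.3.6.1.2.1"), b"", True),
    # Same view name, deeper subtree: hides the IP routing table from mib2-view.
    ViewEntry("mib2-view", parse_oid("1.3.6.1.2.1.4.21"), b"", False),
    # Mask 0xFF 0xA0 clears the bit for the tenth arc (the ifEntry column), so
    # the row admits every column of interface 3 and no other interface.
    ViewEntry("if3-only", parse_oid("1.3.6.1.2.1.2.2.1.0.3"), b"\xff\xa0", True),
]
```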

Deleting an SNMPv3 management information view configuration

To delete an existing SNMPv3 management information view configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Management Info View.

The Management Information page appears (Figure 71 "Management Information View page" (page 203)).

2 In the Management Information Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the management information view configuration.

• Click Cancel to return to the table without making changes.

—End—

Configuring an SNMPv3 system notification entry

You can view a table of existing SNMPv3 system notification configurations, and you can configure specific SNMPv3 system notification types with particular message recipients and delete SNMPv3 notification configurations.

Creating an SNMPv3 system notification configuration

To create an SNMPv3 system notification configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Notification.

The Notification page appears.

The following figure displays the Notification page.

The following table describes the items on the Notification page.

Table 96 Notification page items

Delete icon
  Deletes the row.

Notify Name (snmpNotifyRowStatus)
  Range: 1..32
  Description: Type a character string to identify the entry.

Notify Tag (snmpNotifyTag)
  Range: 1..32
  Description: Type a value to use to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable which contains a tag value which is equal to the value of an instance of this object is selected. If this object carries a zero length, no entries are selected.

Notify Type (snmpNotifyType)
  Range: (1) Trap (2) Inform
  Description: Choose the type of notification to generate.

Entry Storage (snmpNotifyStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Notification Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry is displayed in the Notification Table ("Notification page" (page 206)).

—End—

ATTENTION
This Notification Table section of the Notification page contains hyperlinks to the Target Parameter page.

Deleting an SNMPv3 system notification configuration

To delete an SNMPv3 notification configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Notification.

The Notification page appears ("Notification page" (page 206)).

2 In the Notification Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the notification configuration.

• Click Cancel to return to the table without making changes.

—End—

Configuring an SNMPv3 management target address

You can view a table of existing SNMPv3 management target configurations, create SNMPv3 management target address configurations that associate notifications with particular recipients, and delete SNMPv3 target address configurations.

Creating an SNMPv3 target address configuration

To create an SNMPv3 target address configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Address.

The Target Address page appears.

The following figure displays the Target Address page.

The following table describes the items on the Target Address page.

Table 97 Target Address page items

Delete icon
  Deletes the row.

Target Name (snmpTargetAddrName)
  Range: 1..32
  Description: Type a character string to create a target name.

Target Address (snmpTargetAddrTAddress)
  Range: XXX.XXX.XXX.XXX:XXX
  Description: Type a transport address in the format of an IP address, colon, and UDP port number. For example: 10.30.31.99:162.

Target Timeout (snmpTargetAddrTimeout)
  Range: Integer
  Description: Type the number, in seconds, to designate as the maximum time to wait for a response to an inform notification before resending the inform notification.

Target Retry Count (snmpTargetAddrRetryCount)
  Range: 0..255
  Description: Type the default number of retries to be attempted when a response is not received for a generated message. An application can provide its own retry count, in which case the value of this object is ignored.

Target Tag List (snmpTargetAddrTagList)
  Range: 1..20
  Description: Type the space-separated list of tag values to be used to select target addresses for a particular operation.

Target Parameter Entry (snmpTargetAddr)
  Range: 1..32
  Description: Type a numeric string to identify an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generated messages are sent to this transport address.

Entry Storage
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Target Address Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry is displayed in the Target Address Table ("Target Address page" (page 208)).

ATTENTION
This Target Address Table section of the Target Address page contains hyperlinks to the Target Parameter page.

—End—

Deleting an SNMPv3 target address configuration

To delete an SNMPv3 target address configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Address.

The Target Address page appears ("Target Address page" (page 208)).

2 In the Target Address Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the target address configuration.

• Click Cancel to return to the table without making changes.

—End—

Configuring an SNMPv3 management target parameter

SNMPv3 management target parameters are used during notification generation to specify the communication parameters that are used for exchanges with notification recipients.

You can view a table of existing SNMPv3 target parameter configurations,create SNMPv3 target parameters that associate notifications with particularrecipients, and delete existing SNMPv3 target parameter configurations.

Creating an SNMPv3 target parameter configuration

To create an SNMPv3 target parameter configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Parameter.

The Target Parameter page appears.

The following figure displays the Target Parameter page.

The following table describes the items on the Target Parameter page.

Table 98 Target Parameter page items

Delete icon
  Deletes the row.

Parameter Tag (snmpTargetParamsRowStatus)
  Range: 1..32
  Description: Type a unique character string to identify the parameter tag.

Msg Processing Model (snmpTargetParamsMPModel)
  Range: (0) SNMPv1 (1) SNMPv2c (2) SNMPv3/USM
  Description: Choose the message processing model to be used when generating SNMP messages using this entry.

Security Name (snmpTargetParamsSecurityName)
  Range: 1..32
  Description: Type the principal on whose behalf SNMP messages are generated using this entry.

Security Level (snmpTargetParamsSecurityLevel)
  Range: (1) noAuthNoPriv (2) authNoPriv (3) authPriv
  Description: Choose the level of security to be used when generating SNMP messages using this entry.

Entry Storage (snmpTargetParamsStorageType)
  Range: (1) Volatile (2) Non-Volatile
  Description: Choose your storage preference. Selecting Volatile requests information to be dropped (lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.

2 In the Target Parameter Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry appears in the Target Parameter Table ("Target Parameter page" (page 211)).

—End—

Deleting an SNMPv3 target parameter configuration

To delete an SNMPv3 target parameter configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMPv3 > Target Parameter.

The Target Parameter page appears ("Target Parameter page" (page 211)).

2 In the Target Parameter Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:


• Click Yes to delete the target parameter configuration.

• Click Cancel to return to the table without making changes.

—End—

Configuring an SNMP trap receiver

You can configure the IP address and community string for a new SNMP trap receiver, view a table of existing SNMP trap receiver configurations, or delete existing SNMP trap receiver configurations.

ATTENTION
The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are configurable using this table.

Creating an SNMP trap receiver configuration

To create an SNMP trap receiver configuration, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMP Trap.

The SNMP Trap Receiver page appears.

The following figure displays the SNMP Trap Receiver page.

Figure 72 SNMP Trap Receiver page

The following table describes the fields on the Trap Receiver Table and Trap Receiver Creation sections of the SNMP Trap Receiver page.

Table 99 SNMP Trap Receiver page fields

Delete icon
  Deletes the row.

Trap Receiver Index
  Range: 1..4
  Description: Choose the number of the trap receiver to create or modify.

IP Address
  Range: XXX.XXX.XXX.XXX
  Description: Type the network address for the SNMP manager that is to receive the specified trap.

Community
  Range: 0..32
  Description: Type the community string for the specified trap receiver. Reenter the community string for the specified trap receiver to confirm.

2 In the Trap Receiver Creation section, type the required information in the text boxes or select from a list.

3 Click Submit.

The new entry is displayed in the Trap Receiver Table.

—End—

Deleting an SNMP trap receiver configuration

To delete SNMP trap receiver configurations, use the following procedure:

Step Action

1 From the main menu, choose Configuration > SNMP Trap Receiver.

The SNMP Trap Receiver page appears.

2 In the Trap Receiver Table, click the Delete icon for the entry you want to delete.

A message appears prompting you to confirm your request.

3 Do one of the following:

• Click Yes to delete the SNMP trap receiver configuration.

• Click Cancel to return to the table without making changes.


—End—


Appendix A SNMP MIB support

The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard MIBs, as well as private MIB extensions, which ensures compatibility with existing network management tools. The switch supports the MIB-II (RFC 1213), Bridge MIB (RFC 1493), and the RMON MIB (RFC 1757), which provide access to detailed management statistics. With SNMP management, you can configure SNMP traps (on individual ports) to generate automatically for conditions such as an unauthorized access attempt or changes in the operating status of a port. Table 100 "SNMP MIB support" (page 217) lists the supported SNMP MIBs.

Table 100 SNMP MIB support

Application                Standard MIBs                              Proprietary MIBs
S5 Chassis MIB             --                                         s5cha127.mib
S5 Agent MIB               --                                         s5age140.mib
RMON                       rfc1757.mib                                --
MLT                        --                                         rcMLT
SNMPv3 MIBs                RFCs 2571, 2572, 2573, 2574, 2575, 2576    --
MIB2                       rfc1213.mib                                --
IF-MIB                     rfc2233.mib                                --
Etherlike MIB              rfc1643.mib                                --
Interface Extension MIB    --                                         s5ifx100.mib
Switch Bay Secure          --                                         s5sbs102.mib
System Log MIB             --                                         bnlog.mib
S5 Autotopology MIB        --                                         s5emt104.mib
VLAN                       --                                         rcVlan
Entity MIB                 RFC 2037                                   --
Spanning Tree              RFC1493 Bridge MIB                         --
LLDP-MIB                   IEEE 802.1ab                               --

Management Agent

The SNMP agent is trilingual and supports exchanges by using SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 communities provide support for SNMPv2c by introducing standards-based GetBulk retrieval capability. SNMPv3 support provides MD5 and SHA-based user authentication and message security as well as DES-based message encryption.
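The MD5 and SHA-based user authentication mentioned above rests on the RFC 3414 User-based Security Model key derivation: a user password is stretched into a key Ku, and Ku is then localized against the agent's snmpEngineID, so each switch ends up holding a different key for the same password. The Python below is an added example and is not code from the Nortel documentation or the switch firmware; it reproduces the RFC 3414 Appendix A procedure and checks it against the RFC's published "maplesyrup" test vector (the engine ID is the RFC's sample value, not a 2500 Series value).

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, Appendix A).

Added example, not code from the Nortel documentation or the switch.
"""
import hashlib

# The two authentication protocols the switch supports, HMAC-MD5-96 and
# HMAC-SHA-96, derive their keys with the same procedure; only the hash differs.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}

# RFC 3414 A.2: the password is fed to the hash until exactly 1 MiB has been consumed.
EXPANSION_LENGTH = 1_048_576


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Derive the user key Ku from a password (RFC 3414 A.2.1 for MD5, A.2.2 for SHA)."""
    if not password:
        raise ValueError("password must not be empty")
    h = HASHES[hash_name]()
    reps, rem = divmod(EXPANSION_LENGTH, len(password))
    h.update(password * reps + password[:rem])   # password repeated cyclically to 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): tie Ku to one agent's engine ID."""
    return HASHES[hash_name](ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """The key an agent with engine_id stores for this password."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


# RFC 3414 A.3 test vector engine ID (the RFC's sample value, not a 2500 Series one).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for name in HASHES:
        print(name, usm_localized_key(b"maplesyrup", RFC_ENGINE_ID, name).hex())
    # A different engine ID yields a different localized key for the same password,
    # so a key read out of one switch does not authenticate to another.
    other = bytes.fromhex("000000000000000000000003")
    assert (usm_localized_key(b"maplesyrup", other, "md5")
            != usm_localized_key(b"maplesyrup", RFC_ENGINE_ID, "md5"))
```

The 1 MiB expansion is a deliberate work factor that slows offline guessing of a password from a captured authenticated message, and localization means a key recovered from one switch's configuration is useless against another engine. RFC 3414 applies the same derivation to the privacy password that feeds the DES encryption key.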

The following MIB modules are supported:

Standard MIBs

• MIB II (RFC 1213)

• Bridge MIB (RFC 1493) and proposed VLAN extensions

• 802.1Q Bridge MIB

• 802.1p

• Ethernet MIB (RFC 1643)

• RMON MIB (RFC 1757)

• SMON MIB

• High Capacity RMON

• Interface MIB (RFC2233)

• Entity MIB (RFC2037)

• SNMPv3 MIBs (RFC 2271 – RFC 2275)

Proprietary MIBs

• s5Chassis MIB

• s5Agent MIB

• Interface Extension MIB

• s5 Multi-segment topology MIB

• s5 Switch BaySecure MIB

• System Log MIB

• RapidCity Enterprise MIB

• rcDiag (Conversation steering) MIB

• rcVLAN MIB

• rcMLT MIB


SNMP trap support

The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard SNMPv1 traps, as well as private SNMPv1 trap extensions (Table 101 "Support SNMP traps" (page 219)).

Table 101 Support SNMP traps

Trap name                      Configurable   Sent when
RFC 1215 (industry standard):
linkUp                         Per port       The link state changes to up on a port.
linkDown                       Per port       The link state changes to down on a port.
authenticationFailure          System wide    SNMP authentication failure occurs.
coldStart                      Always on      The system is powered on.
warmStart                      Always on      The system restarts due to a management reset.
s5CtrMIB (Nortel proprietary traps):
s5CtrUnitUp                    Always on      A unit is added to an operational stack.
s5CtrUnitDown                  Always on      A unit is removed from an operational stack.
s5CtrHotSwap                   Always on      A unit is hot-swapped in an operational stack.
s5CtrProblem                   Always on      A component or subcomponent has a problem condition – either a warning, nonfatal, or fatal condition.
s5EtrSbsMacAccessViolation     Always on      A MAC address violation is detected.
risingAlarm                    Always on      A rising Alarm is fired.
fallingAlarm                   Always on      A falling Alarm is fired.
bsnConfigurationSavedToNvram   Always on      All switch configuration is saved to NVRAM.
bsnNotifications.6.0           Always on      A failed log in on a telnet or console session occurs.
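For the operator receiving these traps on the management station configured in the trap receiver procedures, the useful distinction is between operational traps that are simply logged and the few that signal a security event: authenticationFailure, s5EtrSbsMacAccessViolation and the bsnNotifications.6.0 failed-login trap. The Python below is an added example and is not part of the Nortel documentation; the trap names are those of Table 101, while the Trap record layout, the sample trap stream, the 60-second window and the threshold of three failures are constructed assumptions.

```python
"""Triage SNMPv1 traps from an ERS 2500 switch on the management station.

Added example, not Nortel code. Trap names are those of Table 101; the
record layout, sample stream and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Table 101 traps that are security-relevant on every occurrence.
SECURITY_TRAPS = {
    "authenticationFailure": "SNMP authentication failure",
    "s5EtrSbsMacAccessViolation": "MAC address violation detected",
    "bsnNotifications.6.0": "failed login on a Telnet or console session",
}

# The remaining Table 101 traps: operational, logged but not alerted on.
OPERATIONAL_TRAPS = frozenset({
    "linkUp", "linkDown", "coldStart", "warmStart",
    "s5CtrUnitUp", "s5CtrUnitDown", "s5CtrHotSwap", "s5CtrProblem",
    "risingAlarm", "fallingAlarm", "bsnConfigurationSavedToNvram",
})


@dataclass(frozen=True)
class Trap:
    ts: int      # receive time in seconds (constructed)
    agent: str   # IP address of the switch that sent the trap
    name: str    # trap name as listed in Table 101


def triage(traps, window=60, threshold=3):
    """Return (alerts, unknown_names).

    alerts holds (ts, agent, message) tuples: one per security trap, plus a
    single escalation per agent once `threshold` authenticationFailure traps
    arrive within `window` seconds. A lone failure is usually a manager with
    a stale community string; a burst deserves an analyst's attention.
    unknown_names lists trap names outside Table 101 for follow-up.
    """
    alerts, unknown = [], []
    failures = defaultdict(list)   # agent -> recent authenticationFailure times
    escalated = set()
    for t in sorted(traps, key=lambda x: x.ts):
        if t.name in SECURITY_TRAPS:
            alerts.append((t.ts, t.agent, SECURITY_TRAPS[t.name]))
            if t.name == "authenticationFailure":
                # sliding window: keep only failures inside the last `window` seconds
                recent = [s for s in failures[t.agent] if t.ts - s <= window]
                recent.append(t.ts)
                failures[t.agent] = recent
                if len(recent) >= threshold and t.agent not in escalated:
                    escalated.add(t.agent)
                    alerts.append((t.ts, t.agent,
                                   f"{len(recent)} SNMP authentication failures in {window}s"))
        elif t.name not in OPERATIONAL_TRAPS:
            unknown.append(t.name)
    return alerts, unknown


# Constructed sample stream: a link flap, a burst of bad-community requests
# against one switch, and single security events from another.
SAMPLE_TRAPS = [
    Trap(1000, "10.0.0.5", "linkDown"),
    Trap(1001, "10.0.0.5", "linkUp"),
    Trap(1010, "10.0.0.5", "authenticationFailure"),
    Trap(1020, "10.0.0.5", "authenticationFailure"),
    Trap(1025, "10.0.0.5", "authenticationFailure"),
    Trap(1100, "10.0.0.6", "authenticationFailure"),
    Trap(1200, "10.0.0.6", "s5EtrSbsMacAccessViolation"),
    Trap(1300, "10.0.0.6", "bsnNotifications.6.0"),
    Trap(1400, "10.0.0.5", "someVendorTrap"),
]

if __name__ == "__main__":
    found, unknown = triage(SAMPLE_TRAPS)
    for ts, agent, msg in found:
        print(f"{ts} {agent} {msg}")
    print("unknown trap names:", unknown)
```

Table 101 lists authenticationFailure as configurable system wide, so the burst rule only has input if authentication traps are enabled on the switch and a trap receiver is configured; SNMPv1 traps are neither authenticated nor encrypted, so the receiver should accept them only from the management VLAN and treat the source address as a hint rather than proof.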


Index

A

access 39, 46
    SNMP 176
administrative options
    logging on 173
    security, configuring
        passwords 169
        remote dial-in access 172
allowed IP addresses 39
Allowed Source field 182
AuthConfig tab 116
    AccessCtrlType field 117
    BrdIndx field 117
    MACIndx field 117
    PortIndx field 117
    SecureList field 117
authentication 56
authentication traps, enabling 188
AuthStatus tab 119
    AuthStatusBrdIndx field 120
    AuthStatusMACIndx field 120
    AuthStatusPortIndx field 120
    CurrentAccessCtrlType field 121
    CurrentActionMode field 121
    CurrentPortSecurStatus field 121
AuthViolation tab 122
Autotopology Setting field 190
autotopology, enabling 188

B

BaySecure 80

C

Clear By Ports page 184
cli password command 36
Community String Setting field 189
community strings, configuring 188
Community Table dialog box 159
    ContextEngineID field 161
    ContextName field 161
    Index field 160
    Name field 160
    SecurityName field 160
    StorageType field 161
    TransportTag field 161
Console Password Setting page 170
Console/TELNET/Web access configuration 17
conventions, text 11
Current Learning Mode field 178
customer support 14

D

DA filtering 80
DA Filtering on Intrusion Detected field 178
DA MAC Address field 187
DA MAC Filtering page 186
default eapol guest-vlan command 93
default http-port 44
default radius-server command 58
default snmp trap link-status command 69
default snmp-server authentication-trap command 61
default snmp-server community command 63

default snmp-server contact command 64
default snmp-server host command 76
default snmp-server name command 67
default ssh command 54
default telnet-access command 48
Device Manager 40

E

EAPOL Advance tab for a port
    GuestVlanEnabled field 131
    GuestVlanId field 131
EAPOL Advance tab for ports 129
eapol command 91
EAPOL Diag tab 138
    AuthEapLogoffWhileAuthenticated field 140
    AuthEapLogoffWhileAuthenticating field 140
    AuthEapStartsWhileAuthenticated field 140
    AuthEapStartsWhileAuthenticating field 140
    AuthFailWhileAuthenticating field 140
    AuthReauthsWhileAuthenticated field 140
    AuthReauthsWhileAuthenticating field 140
    AuthSuccessWhileAuthenticating field 139
    AuthTimeoutsWhileAuthenticating field 140
    BackendAccessChallenges field 140
    BackendAuthFails field 141
    BackendAuthSuccesses field 141
    BackendNonNakResponsesFromSupplicant field 141
    BackendOtherRequestsToSupplicant field 141
    BackendResponses field 140
    EapLogoffsWhileConnecting field 139
    EntersAuthenticating field 139
    EntersConnecting field 139
eapol guest-vlan command 93
EAPOL Security Configuration 23
EAPOL Stats tab 136
    EapLengthErrorFramesRx field 138
    EapolFramesRx field 137
    EapolFramesTx field 137
    EapolLogoffFramesRx field 137
    EapolReqFramesTx field 137
    EapolReqIdFramesTx field 137
    EapolRespFramesRx field 137
    EapolRespIdFramesRx 137
    EapolStartFramesRx field 137
    InvalidEapolFramesRx field 138
EAPOL tab 110
EAPOL tab for a port 127
EAPOL tab for ports
    AdminControlledDirections field 128
    AuthControlledPortControl field 129
    AuthControlledPortStatus field 128
    BackendAuthState field 128
    KeyTxEnabled field 129
    LastEapolFrameSource field 129
    LastEapolFrameVersion field 129
    MaximumRequests field 129
    OperControlledDirections field 128
    PaeState field 128
    PortCapabilities field 128
    PortInitialize field 128
    PortProtocolVersion field 128
    PortReauthenticateNow field 128
    QuietPeriod field 129
    ReAuthenticationEnabled field 129
    ReAuthenticationPeriod field 129
    ServerTimeout 129
    SupplicantTimeout field 129
    TransmitPeriod field 129
EAPoL-based security 21
    with Guest VLAN 23
EAPOL-based security 87
Entry field 180
Entry Storage field 198, 201, 204

G

General tab 111
    AuthCtlPartTime field 112
    AuthSecurityLock field 112
    CurrNodesAllowed field 114
    CurrSecurityLists field 114
    MaxNodesAllowed field 114
    MaxSecurityLists field 114

    PortLearnStatus field 114
    PortSecurityStatus field 114
    SecurityAction field 113
    SecurityMode field 113
    SecurityStatus 112
Generate SNMP Trap on Intrusion field 178
Group Access Right tab
    ContextMatch field 155
    ContextPrefix field 155
    NotifyViewName field 156
    ReadViewName field 155
    SecurityLevel field 155
    SecurityModel field 155
    StorageType field 156
    WriteViewName field 155
Group Access Rights page 199
Group Membership page 196
Group Membership tab
    GroupName field 154
    SecurityModel field 154
    SecurityName field 154
    StorageType field 154
Group Name field 198, 200
Guest VLAN 23

H

HTTP port number change 26
http-port command 44

I

IP 39
IP manager list 39
ipmgr command 40, 42

L

Learn by Ports page 180
logging on 173
Login screen 18

M

MAC Address field 182, 187
MAC address security 176
    allowed source 181
    clearing 184
    deleting ports 186
    learn by ports 180
    learning 178
    MAC DA 175, 186
    ports 184
    security list 179
    security table 181
MAC Address Security field 177
MAC Address Security SNMP-Locked field 177
MAC address-based network security 21
MAC DA filtering 80, 186
MAC security
    DA filtering 80
    source-address based 80
mac-security command 81
mac-security command for specific ports 85
mac-security mac-da-filter command 86
mac-security mac-address-table address command 83, 84, 85
mac-security security-list command 83
Management Information View page 202
management systems 40
Management Target Address table 162
Management target tables 161
MHMA 28
MHSA 33
    configuring with CLI 107
MIB View tab
    Mask field 158
    StorageType field 158
    Subtree field 158
    Type field 158
    ViewName field 158
modifying parameters 91
Multiple Host with Multiple Authentication (MHMA) 28
Multiple Host with Single Authentication 33

N

Name field 166
New User Name field 152
no eapol guest-vlan command 93
no ipmgr command 41, 42
no mac-security command 84

no mac-security mac-address-table command 84
no mac-security security-list command 85
no radius-server command 58
no snmp-server command 60, 72
no snmp trap link-status command 68
no snmp-server authentication-trap command 61
no snmp-server community command 62
no snmp-server contact command 64
no snmp-server host 76
no snmp-server location command 65
no snmp-server name command 66
no snmp-server view command 74
no ssh command 51
no ssh dsa-auth command 53
no ssh dsa-auth-key command 54
no ssh dsa-host-key command 51
no ssh pass-auth command 53
no telnet-access command 47
no web-server command 56
Non-EAP hosts on EAP-enabled ports 30
Non-EAP MAC RADIUS authentication 32
Notification page 206
Notify Table dialog box 166
    StorageType field 167
    Tag field 166
    Type field 167
Notify View field 201

P

Partition Port on Intrusion Detected field 177
Partition Time field 178
passwords 36
passwords, setting
    console 169
    remote dial-in access 172
    Telnet 169
    Web 169
Port Configuration page 184
Port List field 178, 180
Port List page 180
Port Lists page 179
Primary RADIUS Server field 173
product support 14

R

RADIUS access 36
RADIUS authentication 56
Radius page 172
RADIUS password fallback 20
RADIUS Shared Secret field 173
RADIUS Timeout Period field 173
RADIUS-based network security 20
RADIUS-based security 20
radius-server command 57
radius-server password fallback 58
Read View field 201
read-only access 172
read-write access 172
remote access requirements 44
remote dial-in access, configuring 172
requirements
    remote access 44

S

Secondary RADIUS Server field 173
Security
    MAC address-based network security 21
    RADIUS-based network security 20
security 36, 39, 46, 56, 80, 87
    MAC address-based 176
Security Configuration page 176
Security field 185
Security Level field 201
security lists 80
Security Model field 198, 200
Security Name field 198
security options 18
Security page 176
Security parameters
    General tab
        SecurityStatus field 112
Security Table page 181
security, configuring
    passwords 169
    remote dial-in access 172
Security, Insert AuthConfig dialog box 117
    AccessCtrlType field 118
    BrdIndx field 118
    MACIndx field 118
    PortIndx field 118

    SecureList field 118
    SecurityListIndx field 116
    SecurityListMembers field 116
Security, Insert SecurityList dialog box 115
SecurityList tab 114
    SecurityListIndx field 115
    SecurityListMembers field 115
show dsa-host-key command 51
show eapol auth-diags interface command 89, 90
show eapol command 87
show eapol guest-vlan command 94
show http-port command 43
show ipmgr command 39
show mac-security command 80
show radius-server command 56
show snmp-server command 64, 78
show ssh download-auth-key command 50
show ssh global command 49
show ssh session command 50
show telnet-access command 45
SNMP 26
    about 188
    MAC address security 177
    trap receivers
        configuring 213
        deleting 214
SNMP Graph tab 145
    InASNParseErrs field 146
    InBadCommunityNames field 146
    InBadCommunityUses field 146
    InBadValues field 146
    InBadVersions field 146
    InGenErrs field 147
    InGetNexts field 145
    InGetRequests field 145
    InGetResponses field 145
    InNoSuchNames field 146
    Inpkts field 145
    InReadOnlys field 147
    InSetRequests field 145
    InTooBigs field 146
    InTotalReqVars field 145
    InTotalSetVars field 145
    OutBadValues field 146
    OutGenErrs field 146
    OutNoSuchNames field 146
    Outpkts field 145
    OutTooBigs field 146
    OutTraps field 146
SNMP tab 141
    LastUnauthenticatedCommunityString field 142
    LastUnauthenticatedIpAddress field 142
    TrpRcvrCurEnt field 142
    TrpRcvrMaxEnt field 142
    TrpRcvrNext field 142
snmp trap link-status command 67
SNMP Trap Receiver page 213
snmp-server authentication-trap command 60
snmp-server command 59
snmp-server community command 61, 77
snmp-server contact command 64
snmp-server host command 75
snmp-server location command 65
snmp-server name command 66, 79
snmp-server user command 70
snmp-server view command 73
SNMPv1
    about 188
    configuring 188
SNMPv1 page 188
SNMPv3 147
    about 188
    configuring 190
    group access rights
        configuring 199
        deleting 201
    group membership
        configuring 196
        deleting 198
    initial login 148
    management information views
        configuring 202
        deleting 205
    management target 161
    system information, viewing 190
    system notification entries
        configuring 205
        deleting 207
    target addresses

        configuring 208
        deleting 210
    target parameters 164
        configuring 211
        deleting 212
    user access
        configuring 193
        deleting 196
    User-based Security Model (USM) 149
    View-based Access Control Model (VACM) 152
SNMPv3 user configuration methods 149
source IP addresses 42
ssh command 51
ssh download-auth-key command 54
ssh dsa-auth command 52
ssh pass-auth command 53
ssh port command 53
ssh secure command 52
SSH Sessions tab 124, 125
    SSHSessionsIP field 125
SSH tab 122
    DsaAuth field 123
    Enable field 123
    KeyAction field 123
    LoadServerAddr field 124
    PassAuth field 123
    Port field 123
    TftpAction field 124
    TftpResult field 124
    Timeout field 123
    Version field 123
ssh timeout command 52
support, Nortel 14
switch configuration options
    autotopology feature 188
    community string settings 188
    SNMP trap receivers 213
    SNMPv3
        group access rights 199
        management information views 202
        management target addresses 208
        management target parameters 211
        system information, viewing 190
        system notification entries 205
        user access 193
        user group membership 196
    trap mode settings 188
switches supported 11
System Information page 190

T

Target Address page 208
Target Address Table
    Name field 162
    Params field 163
    RetryCount field 162
    StorageType field 163
    TAddress field 162
    Taglist field 163
    TDomain field 162
    Timeout field 162
Target Parameter page 211
Target Params Table
    MPModel field 165
    Name field 165
    SecurityLevel field 166
    SecurityModel field 165
    SecurityName field 165
    Storage Type field 166
technical support 14
Telnet 36, 40, 44, 46
Telnet Password Setting page 170
telnet-access command 46
text conventions 11
TftpFile field 124
Trap Mode Setting field 190
Trap Receiver
    adding 143
Trap Receivers tab 142
    Community field 143
    Indx field 143
    NetAddr field 143
traps 67
troubleshooting 83
    access 39, 44, 56, 80

U

UDP RADIUS Port field 173
username command 35
USM dialog box 149
    AuthProtocol field 150
    EngineID field 150

    Name field 150
    PrivProtocol field 150
    SecurityName field 150
    StorageType field 150
USM Insert USM Table dialog box
    Cloned User Auth Password field 152
    Cloned User Priv Password field 152
    New User Auth Password field 152
    New User Priv Password field 152
    Priv Protocol field 152
    StorageType field 152
USM, Insert USM Table dialog box
    Auth Protocol field 152
    Clone From User field 152

V

VACM dialog box 153
VACM tables 153
vacmGroupName field 155
View Mask field 204
View Name field 204
View Subtree field 204
View Type field 204

W

Web Password Setting page 170
Web-based management system 40
web-server command 55
Write View field 201


Nortel Ethernet Routing Switch 2500 Series
Security — Configuration and Management

Copyright © 2007, Nortel Networks
All Rights Reserved.

Publication: NN47215-505 (323165-B)
Document status: Standard
Document version: 02.01
Document date: 19 November 2007

To provide feedback or report a problem in this document, go to www.nortel.com/feedback

The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrants.
