Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published March 2006
Part number: ESF-300/3

© 2005 Extreme Networks, Inc. All Rights Reserved. Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners. Specifications are subject to change without notice.

The ExtremeWare XOS operating system is based, in part, on the Linux operating system. The machine-readable copy of the corresponding source code is available for the cost of distribution. Please direct requests to Extreme Networks for more information at the following address:
Software Licensing Department
3585 Monroe Street
Santa Clara CA 95051

NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc.
All other registered trademarks, trademarks and service marks are property of their respective owners.
SNMPv3 MIB Access Control ... 46
Displaying MIB Views ... 46
SNMPv3 Notification: Target Addresses ... 48
Configuring Target Address ... 48
Displaying Target Addresses ... 48
Deleting Target Addresses ... 48
SNMPv3 Notification: Target Parameters ... 50
Displaying Target Parameters ... 50
Deleting Target Parameters ... 50
SNMPv3 Notification: Filter Profiles and Filters ... 52
Displaying SNMPv3 Notification ... 52
Deleting and Removing SNMPv3 Filters ... 52
SNMPv3 Notification: Tags ... 54
Displaying SNMPv3 Notification Tags ... 54
Deleting SNMPv3 Notification Tags ... 54
Configuring Notifications ... 54
Secure Shell 2 (SSH2) ... 56
SSH2 Module Request ... 56
Installing the SSH2 Module ... 58
Downloading the Module to the Switch ... 58
Activating the Installed Modular Software Package ... 60
Uninstalling the Module ... 60
Private Key, Public Key, and Host Key ... 62
Configuring SSH2 ... 64
Enabling SSH2 ... 64
Using ACLs to Control SSH2 Access ... 66
Sample SSH2 Policies ... 66
Configuring SSH2 to Use ACL Policies ... 66
Logging in with SSH2 Client ... 68
SSH2 Connection Settings ... 68
Host Key Acceptance ... 68
Valid User and Password Entry ... 68
Secure Copy Protocol 2 (SCP2) ... 70
Switch as SSH2 Client ... 72
Verifying SSH2 ... 74
Troubleshooting SSH2 ... 76
Secure Socket Layer (SSL) ... 78
Enabling and Disabling SSL ... 80
Creating Certificates and Private Keys ... 80
Downloading a Certificate Key from a TFTP Server ... 82
Displaying SSL Information ... 82
Downloading a Private Key from a TFTP Server ... 84
Configuring Pre-generated Certificates and Keys ... 84
Authenticating Users Logging into Switch ... 86
RADIUS ... 88
RADIUS Packet Format ... 88
RADIUS Authentication Process ... 90
Configuring the RADIUS Client ... 92
Configuring the Shared Secret Password for RADIUS Servers ... 92
Enabling and Disabling RADIUS ... 94
Verifying the RADIUS Client ... 94
Troubleshooting RADIUS ... 94
Configuring RADIUS Accounting ... 96
Configuring the RADIUS Accounting Timeout Value ... 96
Configuring the Shared Secret Password for RADIUS Accounting Servers ... 96
Verifying the RADIUS Accounting ... 96
RADIUS Server Support ... 98
Using RADIUS Servers with Extreme Networks Switches ... 100
Extreme RADIUS ... 100
Merit RADIUS Server Configuration Example ... 102
Summary ... 104
Detailed MAC Security Information for a Specified Port ... 22
Verifying MAC Security Information ... 24
FDB Table Entries ... 24
Logs ... 24
Disabling MAC Address Learning ... 26
Disabling Egress Flooding ... 28
Guidelines for Enabling or Disabling Egress Flooding ... 28
Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only ... 30
Enabling Egress Flooding ... 30
Disabling Egress Flooding ... 30
Disabling Egress Flooding on the BlackDiamond 10K Switch Only ... 32
Displaying Learning and Flooding Settings ... 34
Layer 3 Blackholes ... 36
Configuring a Layer 3 Blackhole ... 36
Configuring a Layer 3 Default Blackhole ... 36
Deleting Layer 3 Blackholes ... 36
Verifying Layer 3 Blackholes ... 36
Summary ... 38
Extreme Radius Implementation Configuration Example ... 26
Local Database Authentication ... 28
Configuring Local Database Authentication ... 30
Creating a Local Netlogin User Name and Password Only ... 30
Specifying a Destination VLAN in a Local NetLogin Account ... 32
Adding VLANs when Creating a Local Netlogin Account ... 32
Adding VLANs at a Later Time ... 32
Modifying an Existing Local Netlogin Account ... 34
Updating the Local Netlogin Password ... 34
Updating VLAN Attributes ... 34
Displaying Local Netlogin Accounts ... 34
Deleting a Local Netlogin Account ... 34
802.1x Authentication ... 36
Interoperability Requirements ... 36
802.1x Network Login Configuration Example ... 38
Configuring Guest VLANs ... 40
Guest VLAN Scenario ... 40
Configuring a Guest VLAN ... 42
Enabling a Guest VLAN ... 42
Modifying the Supplicant Response Timer ... 42
Disabling a Guest VLAN ... 42
Post-authentication VLAN Movement ... 42
Web-Based Authentication ... 44
HTTPS Support ... 44
Configuring Web-Based Authentication ... 46
Configuring the Base URL ... 46
Configuring the Redirect Page ... 46
Configuring Session Refresh ... 46
Configuring Logout Privilege ... 46
Web-Based Network Login Configuration Example ... 48
Web-Based Authentication User Login ... 50
MAC-Based Authentication ... 52
Configuring MAC-Based Authentication ... 54
Associating a MAC Address to a Specific Port ... 54
Adding and Deleting MAC Addresses ... 54
Displaying the MAC Address List ... 54
Secure MAC Configuration Example ... 56
MAC-Based Network Login Configuration Example ... 58
Netlogin MAC-Based VLANs ... 60
Netlogin MAC-Based VLANs Rules and Restrictions ... 60
Configuring Netlogin MAC-Based VLANs ... 62
Configuring the Port Mode ... 62
Displaying Netlogin MAC-Based VLAN Information ... 64
FDB Information ... 64
VLAN and Port Information ... 64
Netlogin MAC-Based VLAN Example ... 66
Disconnecting Network Login Sessions ... 68
Automatic Netlogin Logouts Occur When: ... 68
BlackDiamond 8800 Family of Switches and Summit X450 Switch QoS Profile Display ... 50
BlackDiamond 10K Switch Display ... 52
Verifying QoS Configuration and Performance ... 54
Monitoring Performance (BlackDiamond 10K Switch Only) ... 54
Displaying QoS Profile Information on the BlackDiamond 10K Switch Only ... 54
Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only ... 54
Other Useful QoS Display Commands ... 56
Egress Traffic Rate Limiting (BlackDiamond 8800 Family and Summit X450 Switch Only) ... 58
Bi-Directional Rate Shaping (BlackDiamond 10K Switch Only) ... 60
Viewing Discarded Traffic Statistics ... 60
BlackDiamond 10K Bandwidth Settings ... 62
Configuring Bi-Directional Rate Shaping ... 64
Modifying a QoS Policy ... 66
Assigning Policy-Based QoS: Review ... 68
Summary ... 70
Module 9 sFlow
Student Objectives ... 2
sFlow ... 4
Applications ... 4
Additional Information ... 4
sFlow Components ... 6
Network Equipment ... 6
Software Applications ... 6
Configuring sFlow ... 10
Configuring the Local Agent ... 10
Configuring the Remote Collector Address ... 10
Configuring sFlow ... 12
Enabling sFlow Globally on the Switch ... 12
Enabling sFlow on the Desired Ports ... 12
Additional sFlow Configuration Options ... 14
Polling Interval ... 14
Global Sampling Rate ... 14
Per Port Sampling Rate ... 14
Maximum CPU Sample Limit ... 14
Resetting sFlow Values and Verifying sFlow Information ... 16
Unconfiguring sFlow ... 16
Displaying sFlow Information ... 16
Summary ... 18
Target Audience
The primary audiences for this class are end-users, partners, and Extreme Networks technical personnel that are seeking ENA certification.
Module Content
Module one presents an introduction to the course content, training facilities, student objectives, course prerequisites, agenda, and certification curriculum.
Introductions
Provide your name, company, job title, and experience. Please share your previous networking experience as well as any Extreme Networks product exposure. This helps the instructor to adjust the class according to student skill sets.
Figure 2: Introduction
Facilities
Familiarize yourself with the facilities, particularly where the Emergency Exits and First Aid Stations are. Pick up a name badge from the receptionist if available. Telephones are found near the student lounge (if there are any). The instructor provides the training site telephone number where messages can be sent. However, only urgent messages are immediately posted for the attention of the student concerned. The instructor specifies any special parking considerations when necessary.
Figure 3: Facilities
Student Kit
The illustration lists the contents of the student kit.
Administrative
The instructor circulates a class roster during the student introductions. Each student should check his or her own information on the class roster. When all information is verified, initial your name. Ensure that your name is spelled correctly, the way you want it to appear on the certificate at the completion of this course.

Breaks are typically 15 minutes each and lunch is about an hour. However, the times may vary at the discretion of the instructor.

Please silence all pagers and cell phones by turning off the audio beeps and/or muting the volume. At the instructor's discretion, pagers/phones in vibrate mode are permitted. If you need to take a phone call, go outside the classroom in consideration of the other students.

Questions are encouraged at any time. Lab exercises are performed after each major topic is discussed.

A student completing all the requirements of the Extreme Networks Associate (ENA) is certified and provided an Extreme Networks Certified Training Certificate.
Figure 5: Administrative
Course Prerequisite
To be successful in this class, students must have ENA certification or the equivalent experience.
Overall Objectives
Students will be able to:
Identify the steps necessary for securing a network.
Identify potential threats to the network.
Describe and configure port-based security.
Describe and configure MAC-based security.
Set up encrypted and authenticated sessions between a client machine and a switch.
Agenda
Day 1 Agenda
Module 1: Introduction and Orientation
Module 2: Security and Traffic Engineering
Lab 1: Lab Environment Familiarization
LUNCH
Module 3: Switch Access
Lab 2: Switch Access
Day 2 Agenda
Module 6: Denial of Service
Lab 5: CPU-DoS Feature (Optional)
Module 7: MAC Address Security
Lab 6: Port and MAC Address Security (Optional)
LUNCH
Module 8: Netlogin
Lab 7: Netlogin ISP and Campus Mode
Day 3 Agenda
Module 9: Policy-based QoS
Lab 8: PB QoS
Module 10: sFlow
Course Wrap-Up
Certificate
Evaluation
Others
Certification Levels:
Level 1: Extreme Networks Associate (ENA)
Level 2: Extreme Networks Specialist (ENS)
Configure Extreme Networks advanced redundancy features.
Configure Extreme Networks advanced multicast routing features.
Configure Extreme Networks switches in complex routing environments.
Configure Extreme Networks switches' advanced security features.
Troubleshoot Extreme Networks switches for layer-2 and layer-3 networking problems.
ENS certification is valid for 2 years. The exam is administered by selected Extreme Networks Authorized Training Partners.
ENS Exam
Scheduling this exam is similar to scheduling the ENA exam. Direct your web browser to www.extremenetworks.com. From the web page you can select an Extreme Networks ATP test center in your region. The ENS exam is a 4-hour hands-on exam performed at, and guided by, one of the Extreme Networks ATP test centers. The exam is comprised of four parts. One part consists of 30 multiple-choice questions. The other three parts consist of hands-on practical exams based on three of the four training classes in the ENS curriculum. Candidates must achieve a score of 75% to be certified. The price for this exam is a single one-day training voucher. Successful candidates receive an ENS certificate with a unique certification number immediately upon passing the exam. Be sure to bring a valid, government-issued photo identification to the testing location.
Log in to the switch and create new user accounts.
Download software updates and back up configuration files.
Configure layer-2 switching functions.
Create port-based, protocol-based, and tagged VLANs.
Create vMAN VLAN tunnels.
Configure the Spanning Tree Protocol.
Configure basic RIP and OSPF functions.
Students are also introduced to advanced features. This course is based primarily on ExtremeWare XOS.
Supportive Curriculum
The following courses are currently elective.
Summary
Student Objectives
Module two introduces you to the importance of network security and how ExtremeWare XOS handles various types of network threats. This module also explains traffic engineering and its dual function in network security and network optimization. Upon completion of this module, the successful student will be able to:
Identify four major threats to network security.
Sequence the security implementation steps for a green field network deployment.
Describe ExtremeWare XOS security features.
Identify three requirements for secure remote access.
Describe three traffic engineering goals.
Identify ExtremeWare XOS traffic engineering features.
When a network is down or compromised due to a virus or other attack, the consequences include:

Productivity loss: When a network is down, workers cannot access internal resources to perform their work. Productivity loss for an enterprise-size company can be immense.

Revenue loss: If the business conducts web-based business transactions or relies heavily on the data network for revenue generation, even one hour of network downtime is damaging.

Confidential data loss: Any confidential and proprietary data stored on the internal network is potentially accessible by malicious individuals.

Customer confidence loss: Your current customers will lose faith in your company's ability to manage and protect their interests, resulting in a major credibility loss.
NOTE: This course addresses the protection and optimization of the network. It does not go into corporate security policies. Every corporation has a different security policy to meet its needs.
NOTE: Physical site security is not a major topic in this course. It is assumed you have physically protected all network nodes and critical servers.
Layers of Security
It is useful to approach network security in terms of layers. At each layer, you can impose restrictions on the hosts associated with that layer (PC client machines, web servers, network devices) to limit any potential attack initiated at or against it. For example, if an insecure PC client machine in the internal user layer is used to launch a network attack, you can configure the switch to route the suspect data packets out of the network, resulting in minimal impact on the other layers.

1 Outside Layer
Outside refers to the public and private networks you do not control. You must assume all outside hosts are potentially infected and hostile. A customer accessing your website is an example of a host from the outside.

2 Demilitarized Zone (DMZ)
The DMZ is the network area between an outside network and the internal network. In the DMZ, you can configure specific ports to allow certain types of network traffic through. For example, web servers in the DMZ are typically accessible through Transmission Control Protocol (TCP) ports 80 and 443. As the switch administrator, you should open only specific ports in the firewall, allowing only the services that need to be available from the outside.

3 Remote Access Layer
The remote access layer allows a host from the outside layer to access services available on the internal network. Users remotely accessing the internal network require the same level of unrestricted access to internal network resources. The three major components for securing remote access are authentication, encryption, and intrusion detection. Authentication's primary function is to ensure a user is authorized to access the internal network; user verification is typically based on a username and password. Encryption makes the data sent between a remote user and the internal network illegible to anyone not authorized to read it. Allowing remote access creates a point of entry, and therefore a point of weakness, for an internal network. Intrusion detection systems enable the network administrator to monitor the remote access points for potential attacks. Secondarily, the intrusion detection system collects data associated with an attack, which may be used in a possible future criminal prosecution.

4 Internal User Layer
At the internal user layer, end users require access to internally networked resources and to outside resources. Unfortunately, internal end users are often targets of attack. An internal user may unwittingly launch a virus that propagates throughout the network and possibly shuts down critical business services. As a network administrator, you must seamlessly authenticate end users, providing them access to the resources required for their work while limiting their access to resources they do not need.

5 Internal Administration Layer
Network switch administrators require extensive access to networked resources to keep the network running smoothly and efficiently. Just as network access is limited for internal end users, internal administrators should have access only to the network services and servers they are responsible for. Network administrators with extensive privileges and rights have the potential to cause major damage to a network.
Networked Resources
Protected Resources
Protected resources are the resources that end users need to perform their work. Protected resources are not servers located in the DMZ but servers located in the internal network, vulnerable to attacks from compromised internal hosts. There should never be a direct connection from any remote access host to a protected resource without encryption; otherwise, the data transmitted and received is sent in the clear. A protected resource should only be reachable from the internet through a server in the DMZ. All remote data requests for a protected resource must go through the server in the DMZ, which then accesses the data on the protected resource on behalf of the remote client. Protected resources also act as a front end for the critical servers.
Critical Resources
Primary domain controllers, database servers, email servers, and other servers essential to the business are considered critical resources. To minimize any potential threat to the critical resource, it is a good security practice to have a front end protected resource to serve as a buffer between the end user and critical resource. For example, an end user accesses a website and enters queries. These queries are then sent to the actual backend database.
Route Table Poisoning
Every host on an IP-based network has a routing table that tells the IP software how to forward packets. Core network routers generally maintain their routing tables dynamically using a routing protocol, which enables routers to exchange routing information with each other. Route table poisoning occurs when an attacker intentionally sends bogus routing information to a router. With the route table corrupted, the network may experience congestion, routing loops, or even misdirection of traffic to an exploited system (allowing the attacker to sniff the packets).

Denial of Service (DoS)
DoS attacks are designed to knock hosts or networks offline, making their services unavailable. DoS attacks primarily target a specific operating system with the intention of crashing the host. Typically, a DoS attack attempts to overwhelm a target with a flood of traffic that occupies the processing power of the router or consumes a major share of network bandwidth. DoS attacks can be launched from a single host or from multiple maliciously controlled hosts.

Packet Mistreatment
Packet mistreatment refers to attacks on live packet traffic. An attacker alters packet parameters so that the distorted packet is mishandled by the network and/or the receiving client. For example, changing the destination IP address in a large set of packets can cause localized network congestion. A martian attack is another example of packet mistreatment: a martian packet has a source address to which return traffic cannot be routed back to the sender.

Unauthorized Access
Unauthorized access to the network is a major security issue. Once inside an internal network, where security may be lighter, a malicious hacker may steal confidential data or launch attacks from systems regarded as safe. Wireless data traffic busily streaming through access points can provide a malicious hacker with enough information to crack 128-bit WEP keys. All points of network entry are also points of weakness.

NOTE
Domain Name Server (DNS) attacks are also common. DNS is the distributed database on the Internet that translates between IP addresses and host names, as well as mapping e-mail and name servers to Internet domains. DNS attacks slow or cripple the Internet. While DNS hacking is a potential issue for any network, Extreme Networks devices do not implement DNS services and are therefore not subject to these particular attacks.
Switch Access Options
Extreme Networks employs a number of mechanisms that protect the Alpine, BlackDiamond, and Summit switches from unauthorized access, including a combination of:

In-band / out-of-band node management
Switch administrator access profiles and user authentication

Secure Communication Protocols
ExtremeWare supports many standard secure communication protocols, such as Simple Network Management Protocol version 3 (SNMPv3), Secure Shell version 2 (SSH2), Secure File Transfer Program version 2 (SFTP2), Secure Copy Program version 2 (SCP2), Message Digest 5 (MD5), and others. For example, when OSPF and BGP have both been configured for MD5 authentication and access profiles, route table poisoning is minimized: the MD5 and access profile configuration ensures that routing table updates come only from legitimate sources.

DoS-Protect
DoS-Protect is an administrator-configurable feature that detects and filters out traffic that may be part of a DoS attack.

Blackhole Options
It is possible to forward suspect data packets to a blackhole configured on a switch, where they are promptly discarded. For example, a malicious IP packet flood can be sent immediately to a blackhole, minimizing the attack's influence on network performance.

Port and MAC-Based Security
ExtremeWare also allows security options based on ports and MAC addresses. For example, with MAC limit-learning enabled, you can limit the number of dynamically learned MAC addresses allowed per virtual port.

Network Login
Network Login requires a user to authenticate with a username and password. When the user is authenticated, the user is placed on a preapproved, specific port on the Virtual Local Area Network (VLAN).

Access Control Lists and Access Profiles
An access control list (ACL) enables a switch to identify specific network traffic and decide whether to block or forward the packets. The ACL criteria are configured by the network administrator. An access profile is similar to an ACL but deals only with management and control packets destined to or sent by the switch.
The security implementation steps for a green field network deployment, in sequence:
1 Power the switch.
2 Change the administrator password.
3 Enable DoS protection.
4 Enable RADIUS.
5 Create access profiles.
6 Configure SNMP settings.
7 Turn off web configuration.
8 Enable SSHv2.
9 Turn off Telnet.
Traffic Engineering
In addition to identifying any potential security threat and implementing an appropriate security policy, networks should also address traffic engineering needs. With the increasing use of time-sensitive data applications such as Voice over IP (VoIP) and streaming media, tuning the network for minimal congestion and maximum efficiency is important.
Purpose
Traffic engineering has three primary goals:
1 Optimize network usage
2 Optimize network performance
3 Increase the robustness of the network infrastructure
Access Profiles

Quality of Service (QoS)
By configuring QoS parameters, a network administrator can prioritize traffic flows, ensuring time-sensitive packets are transmitted and received at high priority.

Policy Based Routing
Routing based on source and/or destination IP information, or on port number, is known as policy based routing.
Summary
Module two presented the importance of network security and how ExtremeWare handles various types of network threats. Traffic engineering concepts were also introduced.
Identify four major threats to network security.
For a green field network deployment, sequence the security implementation steps.
Describe ExtremeWare XOS security features.
Identify three requirements for secure remote access.
Describe three traffic engineering goals.
Identify ExtremeWare XOS traffic engineering features.
Student Objectives
Upon completion of this module, the successful student will be able to:
Identify the five switch access options
Configure Safe-Default-Script
Disable nonessential switch access options
Create management accounts on the switch
Configure a Failsafe Account
Manage Passwords
Configure an Access Control List (ACL) to control telnet access
Display management accounts
Configure the banner that displays during login attempts
Configure switch idle timeouts
View active switch sessions
Configure SNMPv3
Configure SSH2
Configure an ACL to control SSH2 access
Configure SCP2
Describe RADIUS
Configure the RADIUS client
Configure RADIUS accounting
Describe TACACS+
The five switch access options are:
Console
SSH2
Telnet
HTTP (via the ExtremeWare Vista web-based management application)
SNMPv3

NOTE
Not all configuration is possible using the ExtremeWare Vista interface.
The console can be used for direct local management, and the port settings are as follows:
Baud rate - 9600
Data bits - 8
Stop bit - 1
Parity - None
Flow Control - XON/XOFF
The PC/Terminal connected to the switch's console port must be configured with the same settings. The CLI console port connection requires a serial crossover cable (a.k.a. Null modem) with DB9 female connectors.
The 9-pin serial port labeled as modem on some switches does not allow any connectivity to the device.
Management Accounts
By default, the switch is configured with two default user accounts, admin and user. The switch can have a total of 16 management accounts. You can use the default names (admin and user), or you can create new names and passwords for the accounts. Passwords can have a minimum of 0 characters and a maximum of 32 characters.
An administrator-level account can:
View and edit all switch parameters.
Add and delete accounts, and change the password associated with any account name.
Disconnect a management session that has been established by a Telnet connection. When a switch administrator cancels a user's Telnet session, the user is notified that the session has been terminated. The command syntax to cancel a Telnet connection is:
clear session <id>
An administrator-level account login is indicated by a command-line prompt that ends with a pound sign (#). Prompt type: Summit450 #

Showing the switch configuration
Showing switch management details
Showing and configuring the user account database
Showing and configuring SNMP community strings

A user-level account can use the ping command to test whether a device is reachable. Also, a user-level account can change the password assigned to its own account. A user-level account login is indicated by a command-line prompt that ends with a greater-than (>) sign. Prompt type: Summit450>
User name
Access (read-write or read-only)
Number of successful and failed login attempts per account
NOTE
The information that you use to configure the failsafe account cannot be recovered by Extreme Networks. Technical support cannot retrieve passwords or account names for this account. Protect this information carefully.
To access your switch using the failsafe account, you must connect to the serial port of the switch. You cannot access the failsafe account through any other port. At the switch login prompt, carefully enter the failsafe account name. If you enter an erroneous account name, you cannot re-enter the correct name. Once you have entered the failsafe account name, you are prompted to enter the password. You will have three tries to enter the password correctly. Once you have successfully logged in to the failsafe account, you see the following prompt: failsafe> From here, you have the following four command choices:
Login: Use this command to access the switch CLI. You will have full administrator capabilities.
Reboot: Use this command to reboot the current MSM (MSM on modular switches only).
Help: Use this command to display a short help text.
Exit: Use this command to exit the failsafe account and return to the login prompt.
Typically, you use the Login command to correct the problem that initially required you to use the failsafe account.
Managing Passwords
When you first access the switch, you have a default account. You configure a password for your default account. As you create other accounts, you configure passwords for those accounts. Beginning with ExtremeWare XOS version 11.2, the software allows you to apply additional security to the passwords. You can enforce a specific format and minimum length for the password. Additionally, you can age out the password, prevent a user from employing a previously used password, and lock users out of the account after three consecutive failed login attempts.
NOTE
The entered passwords are not displayed on the screen.
To set the character validation format for the password, enter the following command:
configure account [all | <name>] password-policy char-validation [none | all-chargroups]
You can enforce a minimum length for the password and set a maximum time limit, after which the password will not be accepted. To set a minimum length for the password, issue the following command:
configure account [all | <name>] password-policy min-length [<num_characters> | none]
To age out the password after a specified time, issue the following command:
configure account [all | <name>] password-policy max-age [<num_days> | none]
You can block users from employing previously used passwords by issuing the command:
configure account [all | <name>] password-policy history [<num_passwords> | none]
By default, the system terminates a session once the user has 3 consecutive failed login attempts. The user may then launch another session (which again would terminate after 3 consecutive failed login attempts). To increase security, you can lock users out of the system entirely after 3 failed consecutive login attempts. To use this feature, issue the following command:
configure account [all | <name>] password-policy lockout-on-login-failures [on | off]
NOTE
If you are not working on SSH, you can configure the number of failed logins that trigger lockout, using the configure cli max-failed-logins <num-of-logins> command. (This command also sets the number of failed logins that terminate the particular session.)
Once locked out (using the configure account password-policy lockout-on-login-failures command), the user's account must be specifically re-enabled by an administrator. To re-enable a locked-out account, issue the following command:
clear account [all | <name>] lockout
Selecting the all option affects the setting of all existing and future new accounts. The default admin account and failsafe accounts are never locked out, no matter how many consecutive failed login attempts occur.
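The password-policy rules above (min-length, char-validation, max-age, history and lockout-on-login-failures, plus the administrator's clear account lockout), exercised as an added Python model. This is illustration code written for this page, not ExtremeWare XOS code. It assumes that all-chargroups means at least one character from each of upper case, lower case, digits and punctuation, that history N rejects the current password and the N-1 before it, and that lockout triggers at the page's default of 3 consecutive failures; the account names and passwords used with it are constructed.

```python
"""Model of the account password-policy rules above (added illustration, not
ExtremeWare XOS code).  Assumptions: 'all-chargroups' means at least one
character from each of upper, lower, digit and punctuation; 'history N'
rejects the current password and the N-1 before it; lockout triggers at
the page's default of 3 consecutive failures."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_LOGINS = 3  # default number of consecutive failures (from the page)


class PolicyError(ValueError):
    """A candidate password violates the configured policy."""


@dataclass
class Policy:
    min_length: Optional[int] = None      # password-policy min-length
    all_chargroups: bool = False          # password-policy char-validation
    max_age_days: Optional[int] = None    # password-policy max-age
    history: Optional[int] = None         # password-policy history
    lockout_on_login_failures: bool = False


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""                  # salted hash of the live password
    previous: List[bytes] = field(default_factory=list)  # newest first
    set_day: int = 0                      # day the live password was set
    failures: int = 0                     # consecutive failed logins
    locked: bool = False


def _digest(salt: bytes, password: str) -> bytes:
    """Salted hash so old passwords can be compared without being stored."""
    return hashlib.sha256(salt + password.encode()).digest()


def _has_all_chargroups(password: str) -> bool:
    groups = (string.ascii_uppercase, string.ascii_lowercase,
              string.digits, string.punctuation)
    return all(any(c in group for c in password) for group in groups)


class Switch:
    """Accounts plus one policy applied to all of them (the 'all' option)."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def create_account(self, name: str, password: str, day: int = 0) -> None:
        self.accounts[name] = Account(name)
        self.set_password(name, password, day)

    def set_password(self, name: str, password: str, day: int) -> None:
        acct, pol = self.accounts[name], self.policy
        if pol.min_length is not None and len(password) < pol.min_length:
            raise PolicyError(f"shorter than min-length {pol.min_length}")
        if pol.all_chargroups and not _has_all_chargroups(password):
            raise PolicyError("char-validation all-chargroups not satisfied")
        new = _digest(acct.salt, password)
        if pol.history is not None:
            recent = ([acct.current] if acct.current else []) + acct.previous
            if new in recent[:pol.history]:
                raise PolicyError(f"reuses one of the last {pol.history} passwords")
        if acct.current:
            acct.previous.insert(0, acct.current)
        acct.current, acct.set_day = new, day

    def login(self, name: str, password: str, day: int) -> str:
        """Return 'ok', 'expired', 'bad-password' or 'locked'."""
        acct, pol = self.accounts[name], self.policy
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(_digest(acct.salt, password), acct.current):
            acct.failures += 1
            if pol.lockout_on_login_failures and acct.failures >= MAX_FAILED_LOGINS:
                acct.locked = True          # stays locked until clear_lockout()
                return "locked"
            return "bad-password"
        acct.failures = 0
        if pol.max_age_days is not None and day - acct.set_day > pol.max_age_days:
            return "expired"                # max-age reached: password no longer accepted
        return "ok"

    def clear_lockout(self, name: str) -> None:
        """The administrator's 'clear account <name> lockout'."""
        acct = self.accounts[name]
        acct.locked, acct.failures = False, 0
```

Note that a locked account stays locked even when the correct password is later presented; only clear_lockout (the administrator's clear account lockout) releases it, which is the behaviour the text describes for accounts other than admin and failsafe.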
Up to 24 rows of 79-character-wide text can be entered
Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner
Pressing [Enter] at the beginning of the first line clears the login display banner
The minutes of inactivity can range from 1 minute to 240 minutes, the default setting is 20 minutes.
You can create the policy directly on the switch. Enter the following command to launch a vi-like editor to create the policy file:
edit policy
To transfer a policy that you created using a text editor on another system to the switch, enter the following command:
tftp
MyAccessProfile_2.pol
With this policy applied, the switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.
NOTE
Extreme Advanced Security: Access Control Lists goes into more detail about ACLs, Access Profiles, Policy Manager, and CLEARFlow.
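The effect described for MyAccessProfile_2.pol (deny the 10.203.133.0/24 subnet, permit every other source), modelled as an added Python example of first-match policy evaluation. This is illustration code written for this page, not the ExtremeWare XOS policy language or its matching engine; the entry tuple format, the implicit default when no entry matches, and the entry names are assumptions of the model, and the addresses fed to it are constructed. It also adds a shadowed-entry check, because in a first-match list a misplaced permit-all silently disables every deny after it.

```python
"""First-match model of a source-address access policy (added illustration;
not the ExtremeWare XOS policy language or its engine).  Models the effect
the page describes for MyAccessProfile_2.pol: deny 10.203.133.0/24, permit
every other address.  The entry format and the implicit default when no
entry matches are assumptions of this model."""
import ipaddress
from typing import List, Optional, Tuple

# (entry name, source prefix or None meaning "any source", action)
Entry = Tuple[str, Optional[str], str]

# Constructed model of the page's MyAccessProfile_2.pol.
MY_ACCESS_PROFILE_2: List[Entry] = [
    ("deny-10-203-133", "10.203.133.0/24", "deny"),
    ("permit-all-others", None, "permit"),
]


def _network(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def evaluate(policy: List[Entry], source_ip: str,
             default: str = "deny") -> Tuple[str, Optional[str]]:
    """Return (action, name of the deciding entry).  Entries are tried in
    order and the first match wins; 'default' applies when none matches."""
    addr = ipaddress.ip_address(source_ip)
    for name, prefix, action in policy:
        if prefix is None or addr in _network(prefix):
            return action, name
    return default, None


def connection_allowed(policy: List[Entry], source_ip: str) -> bool:
    """True when a management connection from source_ip would be accepted."""
    return evaluate(policy, source_ip)[0] == "permit"


def shadowed_entries(policy: List[Entry]) -> List[str]:
    """Names of entries that can never match because an earlier entry already
    covers every address they describe: an ordering mistake that silently
    turns a deny into a permit (or vice versa)."""
    shadowed = []
    for i, (name, prefix, _) in enumerate(policy):
        for _, earlier_prefix, _ in policy[:i]:
            if earlier_prefix is None:
                shadowed.append(name)
                break
            if prefix is not None and _network(prefix).subnet_of(_network(earlier_prefix)):
                shadowed.append(name)
                break
    return shadowed


def audit(policy: List[Entry], sources: List[str]) -> List[str]:
    """One line per candidate source so the policy's effect can be reviewed."""
    lines = []
    for ip in sources:
        action, name = evaluate(policy, ip)
        lines.append(f"{ip:<16} {action:<6} via {name or 'default'}")
    return lines
```

Running audit over a handful of addresses from inside and outside the denied subnet is the quickest way to confirm a policy does what its author intended before it is applied to the switch's management access.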
SNMP Access
Any network manager program running the Simple Network Management Protocol (SNMP) can manage the switch, provided the Management Information Base (MIB) is installed correctly on the management station. Each network manager program provides its own user interface to the management facilities. Please note, when using a network manager program to create a VLAN, Extreme Networks does not support the SNMP create and wait operation. To create a VLAN with SNMP, use the create and go operation. The following sections describe how to get started if you want to use an SNMP manager. It assumes you are already familiar with SNMP management. If not, refer to the following publication: The Simple Book by Marshall T. Rose ISBN 0-13-8121611-9 Published by Prentice Hall.
Supported MIBs
In addition to private MIBs, the switch supports standard MIBs. Please refer to ExtremeWare XOS Concepts Guide Software Version 11.3 Appendix D for a listing of supported MIBs.
Any SNMP-based network manager can manage a switch. The switch MIB should be installed correctly on the management workstation. At least one VLAN per switch must have an IP address; IT can then access the SNMP agent from the management workstation.
[Figure: a network management station (NMS) reaching switches at 10.1.4.1, 10.1.5.1 and 10.1.6.1 across an IP network/intranet]
To prevent access using SNMPv1/v2c methods and allow access using SNMPv3 methods only, type the following commands:
enable snmp access
disable snmp access snmp-v1v2c
There is no way to configure the switch to simultaneously allow SNMPv1/v2c access and prevent SNMPv3 access. Most of the commands that support SNMPv1/v2c use the keyword snmp; most of the commands that support SNMPv3 use the keyword snmpv3. After a switch reboot, all slots must be in the "Operational" state before SNMP can manage and access the slots. To verify the current state of the slots, type the following command:
show slot
Community Strings
The community strings allow a simple method of authentication between the switch and the remote network manager. There are two types of community strings on the switch:
Read community strings provide read-only access to the switch. The default read-only community string is public.
Read-write community strings provide read-and-write access to the switch. The default read-write community string is private.
As these two community strings are well known, it is highly recommended to change the default community strings when implementing SNMP. To change the read-only and read-write SNMP community strings, enter the following commands:
configure snmp community readonly (new-community-name)
configure snmp community readwrite (new-community-name2)
System contact (optional): The system contact is a text field that enables you to enter the name of the person(s) responsible for managing the switch.
System name (optional): The system name enables you to enter a name that you have assigned to this switch. The default name is the model name of the switch (for example, BD-1.2).
System location (optional): Using the system location field, you can enter the location of the switch.
SNMP community strings
SNMP trap receiver list
SNMP trap receiver source IP address
SNMP statistics counter
Enable/disable state for Remote Monitoring (RMON)
SNMPv3
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to managed devices and provides sophisticated control of access to the device MIB. The prior standard versions of SNMP, SNMPv1 and SNMPv2c, provided no privacy and little security. The SNMPv3 standards for network management were primarily driven by the need for greater security and access control. The new standards use a modular design and model management information by cleanly defining a message processing (MP) subsystem, a security subsystem, and an access control subsystem. The MP subsystem helps identify the MP model to be used when processing a received Protocol Data Unit (PDU), which are the packets used by SNMP for communication. The MP layer helps in implementing a multilingual agent, so that various versions of SNMP can coexist simultaneously in the same network. The security subsystem features the use of various authentication and privacy protocols with various timeliness checking and engine clock synchronization schemes. SNMPv3 is designed to be secure against:
Modification of information, where an in-transit message is altered.
Masquerades, where an unauthorized entity assumes the identity of an authorized entity.
Message stream modification, where packets are delayed and/or replayed.
Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents.
The access control subsystem provides the ability to configure whether access to a managed object in a local MIB is allowed for a remote principal. The access control scheme allows you to define access policies based on MIB views, groups, and multiple security levels. In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for generating and filtering of notifications. SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile storage. Objects defined as permanent cannot be deleted.
NOTE
In SNMPv3, many objects can be identified by a human-readable string or by a string of hexadecimal octets. In many commands, you can use either a character string, or a colon-separated string of hexadecimal octets to specify objects. To indicate hexadecimal octets, use the keyword hex in the command.
Message Processing
A particular network manager may require messages that conform to a particular version of SNMP. The choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for each network manager as its target address is configured. To configure the mp-model selection, enter the following command:
configure snmpv3 add target-params [[hex <hex_param_name>] | <param_name>] user [[hex <hex_user_name>] | <user_name>] mp-model [snmpv1 | snmpv2c | snmpv3] sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]} {volatile}
SNMPv3 Security
In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals with security related aspects like authentication, encryption of SNMP messages, and defining users and their various access security levels. This standard also encompasses protection against message delay and message replay.
SNMPEngineBoots can also be configured from the command line. SNMPEngineBoots can be set to any desired value but will latch on its maximum, 2147483647. To set the SNMPEngineBoots, type the following command:
configure snmpv3 engine-boots <(1-2147483647)>
SNMPv3 Users
Creating SNMPv3 Users
Users are created by specifying a user name. Depending on whether the user will be using authentication and/or privacy, you would also specify an authentication protocol (MD5 or SHA) with password or key, and/or privacy (DES) password or key. To create a user, type the following command:
configure snmpv3 add user [[hex <hex_user_name>] | <user_name>] {authentication [md5 | sha] [hex <hex_auth_password> | <auth_password>]} {privacy [hex <hex_priv_password> | <priv_password>]} {volatile}
A number of default, permanent users are initially available. The default user names are: admin, initial, initialmd5, initialsha, initialmd5Priv, initialshaPriv. The default password for admin is password. For the other default users, the default password is the user name.
NOTE
The SNMPv3 specifications describe the concept of a security name. In the ExtremeWare XOS implementation, the user name and security name are identical. In this manual, both terms are used to refer to the same thing.
SNMPv3 Groups
Groups are used to manage access for the MIB. You use groups to define the security model, the security level, and the portion of the MIB that members of the group can read or write. To underscore the access function of groups, groups are defined by typing the following command:
configure snmpv3 add access [[hex <hex_group_name>] | <group_name>] {sec-model [snmpv1 | snmpv2c | usm]} {sec-level [noauth | authnopriv | priv]} {read-view [[hex <hex_read_view_name>] | <read_view_name>]} {write-view [[hex <hex_write_view_name>] | <write_view_name>]} {notify-view [[hex <hex_notify_view_name>] | <notify_view_name>]} {volatile}
The view names associated with a group define a subset of the MIB (subtree) that can be accessed by members of the group. The read view defines the subtree that can be read, write view defines the subtree that can be written to, and notify view defines the subtree that notifications can originate from.
When you delete a group, you do not remove the association between the group and users of the group. To delete the association between a user and a group, type the following command:
configure snmpv3 delete group {[[hex <hex_group_name>] | <group_name>]} user [all-non-defaults | {[[hex <hex_user_name>] | <user_name>] {sec-model [snmpv1 | snmpv2c | usm]}}]
The default is USM. You can select the security model based on the network manager in your network. The three security levels supported by USM are:
noAuthnoPriv: No authentication, no privacy. This is the case with existing SNMPv1/v2c agents.
AuthnoPriv: Authentication, no privacy. Messages are tested only for authentication.
AuthPriv: Authentication and privacy. This represents the highest level of security and requires every message exchange to pass the authentication and encryption tests.
When a user is created, an authentication method is selected, and the authentication and privacy passwords or keys are entered. When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with a 16-octet key, which generates a 128-bit authentication code. This code is inserted in the msgAuthenticationParameters field of SNMPv3 PDUs when the security level is specified as either AuthnoPriv or AuthPriv. Specifying SHA authentication uses the HMAC-SHA protocol with a 20-octet key for authentication. For privacy, a 16-octet key is provided as input to the DES-CBC encryption protocol, which generates an encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56-bit key. This key (encrypted itself) is placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.
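How the USM authentication key and the msgAuthenticationParameters value described above come about, as an added Python example implementing the RFC 3414 algorithms: a password is stretched into a 16-octet (MD5) or 20-octet (SHA) key, that key is localized to the agent's snmpEngineID so a captured key cannot be replayed against another agent, and the HMAC over the message (with the authentication field zeroed) is truncated to 96 bits. This is illustration code written for this page, not ExtremeWare code. The engine ID and the byte string standing in for a BER-encoded message are constructed sample values; the password "maplesyrup" with engine ID 00...02 is the RFC 3414 appendix test vector, which lets the key derivation be checked against a known answer.

```python
"""SNMPv3 USM authentication per RFC 3414 (added example, not ExtremeWare
code): password-to-key, key localization, and the 96-bit HMAC carried in
msgAuthenticationParameters.  Sample engine ID and message are constructed."""
import hashlib
import hmac
from typing import Tuple

ONE_MEGABYTE = 1024 * 1024
AUTH_CODE_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-96: output truncated to 96 bits


def password_to_key(password: str, algo: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated to fill 1,048,576 bytes.
    The repetition makes brute-forcing the password deliberately slow."""
    pw = password.encode()
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_key_for(password: str, engine_id: bytes, algo: str) -> bytes:
    """16-octet key for 'md5', 20-octet key for 'sha1', as the page states."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_code(kul: bytes, algo: str, msg: bytes, offset: int) -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters zeroed,
    truncated to 96 bits.  'offset' locates that 12-octet field in msg."""
    zeroed = msg[:offset] + b"\x00" * AUTH_CODE_LEN + msg[offset + AUTH_CODE_LEN:]
    return hmac.new(kul, zeroed, algo).digest()[:AUTH_CODE_LEN]


def sign(kul: bytes, algo: str, msg: bytes, offset: int) -> bytes:
    """Sender side: fill msgAuthenticationParameters with the code."""
    code = auth_code(kul, algo, msg, offset)
    return msg[:offset] + code + msg[offset + AUTH_CODE_LEN:]


def verify(kul: bytes, algo: str, msg: bytes, offset: int) -> bool:
    """Receiver side: recompute and compare in constant time."""
    expected = auth_code(kul, algo, msg, offset)
    return hmac.compare_digest(expected, msg[offset:offset + AUTH_CODE_LEN])


def des_key_and_pre_iv(priv_kul: bytes) -> Tuple[bytes, bytes]:
    """Split a 16-octet localized privacy key as CBC-DES uses it: the first
    8 octets are the DES key (56 effective bits), the last 8 the pre-IV."""
    return priv_kul[:8], priv_kul[8:16]


# Constructed sample: RFC 3414 A.3 engine ID and a stand-in for a BER-encoded
# SNMPv3 message (a real one would be a full SEQUENCE; only the layout matters here).
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")
HEADER = b"\x30\x3f\x02\x01\x03"        # stand-in for the msgVersion=3 header
AUTH_OFFSET = len(HEADER)               # where msgAuthenticationParameters sits
SAMPLE_MSG = HEADER + b"\x00" * AUTH_CODE_LEN + b"get-request sysDescr.0"


def demo(algo: str = "md5") -> Tuple[bool, bool]:
    """Sign the sample message, then verify it intact and after a 1-byte change.
    Returns (intact_verifies, tampered_verifies)."""
    kul = auth_key_for("maplesyrup", SAMPLE_ENGINE_ID, algo)
    signed = sign(kul, algo, SAMPLE_MSG, AUTH_OFFSET)
    tampered = signed[:-1] + b"1"       # e.g. a different instance index
    return verify(kul, algo, signed, AUTH_OFFSET), verify(kul, algo, tampered, AUTH_OFFSET)
```

Because Kul depends on the engine ID, the same user password yields a different key on every switch; that is why a manager must learn the agent's snmpEngineID (discovery) before it can authenticate, and why the engine-boots and engine-time values, not shown here, are what defeat replay of an otherwise valid message.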
After the view has been created, you can repeatedly use the configure snmpv3 add mib-view command to include and/or exclude MIB subtree/mask combinations to precisely define the items you want to control access to.
In configuring the target address you supply an address name that identifies the target address, a parameters name that indicates the MP model and security for the messages sent to that target address, and the IP address and port for the receiver. The parameters name also is used to indicate the filter profile used for notifications. The from option sets the source IP address in the notification packets. The tag-list option allows you to associate a list of tags with the target address. The tag defaultNotify is set by default.
After the profile name has been created, you associate filters with it using the following command:
configure snmpv3 add filter [[hex <hex_profile_name>] | <profile_name>] subtree <object_identifier> {/<subtree_mask>} type [included | excluded] {volatile}
You can add filters together, including and excluding different subtrees of the MIB until your filter meets your needs.
To display the filters that belong to a filter profile, enter the following command:
show snmpv3 filter {[[hex <hex_profile_name>] | <profile_name>] {{subtree} <object_identifier>}}
To remove the association of a filter profile or all filter profiles with a parameter name, enter the following command:
configure snmpv3 delete filter-profile [all | [[hex <hex_profile_name>] | <profile_name>] {param [[hex <hex_param_name>] | <param_name>]}]
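The subtree/mask matching that both MIB views (the configure snmpv3 add mib-view command above) and notification filters (configure snmpv3 add filter) rely on, as an added Python example. This is illustration code written for this page, not ExtremeWare code; it implements the family-matching rule of the VACM view table (RFC 3415) and the notification filter table (RFC 3413): an OID belongs to a family when it is at least as long as the family's subtree and agrees with it at every position where the mask bit is 1, and when several families match, the one with the longest subtree decides whether the OID is included or excluded. The view entries and OIDs below are constructed sample data, and writing the mask as a colon-separated hex string, with the first sub-identifier governed by the most significant bit of the first octet, is this example's convention.

```python
"""Subtree/mask matching shared by SNMPv3 MIB views and notification filters
(added example, not ExtremeWare code).  Families and OIDs are constructed."""
from typing import List, Optional, Tuple

# (subtree OID, hex mask or "" meaning all ones, "included" or "excluded")
Family = Tuple[str, str, str]


def parse_oid(oid: str) -> List[int]:
    return [int(part) for part in oid.strip(".").split(".")]


def mask_bits(hex_mask: str, length: int) -> List[bool]:
    """One flag per sub-identifier; bits beyond the end of the mask count as 1."""
    bits: List[bool] = []
    for byte in bytes.fromhex(hex_mask.replace(":", "")):
        bits.extend(bool(byte & (0x80 >> i)) for i in range(8))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def family_matches(oid: List[int], subtree: List[int], hex_mask: str) -> bool:
    """True when oid lies under subtree, ignoring positions the mask wildcards."""
    if len(oid) < len(subtree):
        return False
    flags = mask_bits(hex_mask, len(subtree))
    return all(not must_match or o == s for o, s, must_match in zip(oid, subtree, flags))


def lookup(families: List[Family], oid_text: str) -> Optional[Family]:
    """The deciding family: longest subtree wins, then the lexicographically
    greatest subtree (the tie-break RFC 3415 specifies)."""
    oid = parse_oid(oid_text)
    matches = [f for f in families if family_matches(oid, parse_oid(f[0]), f[1])]
    if not matches:
        return None
    return max(matches, key=lambda f: (len(parse_oid(f[0])), parse_oid(f[0])))


def is_in_view(families: List[Family], oid_text: str) -> bool:
    """An OID is visible (or a notification passes the filter) only when the
    deciding family is 'included'; no match at all means not visible."""
    family = lookup(families, oid_text)
    return family is not None and family[2] == "included"


# Constructed sample view built up the way the text describes: repeated
# include/exclude of subtree/mask combinations.
#   - the whole system group (1.3.6.1.2.1.1) is readable ...
#   - ... except sysContact (1.3.6.1.2.1.1.4), excluded by a longer match
#   - every column of ifEntry for interface index 3 only: subtree
#     1.3.6.1.2.1.2.2.1.0.3 with mask ff:a0 wildcards the column position
#     (bit pattern 1111 1111 1010 0000: 9 ones, a zero, then a one)
OPS_VIEW: List[Family] = [
    ("1.3.6.1.2.1.1", "", "included"),
    ("1.3.6.1.2.1.1.4", "", "excluded"),
    ("1.3.6.1.2.1.2.2.1.0.3", "ff:a0", "included"),
]
```

The masked family is the construction the text alludes to when it says subtree/mask combinations are added repeatedly: without the mask, exposing one interface's row would take one family per column, and an excluded family whose subtree is longer than an included one is how a single sensitive object is carved out of an otherwise visible group.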
Any targets associated with tags in the snmpNotifyTable are notified, based on the filter profile associated with the target.
You cannot delete the default entry from the table, so any targets configured with the defaultNotify tag will always receive notifications consistent with any filter profile specified.
Configuring Notifications
Because the target parameters name points to a number of objects used for notifications, configure the target parameter name entry first. You can then configure the target address, filter profiles and filters, and any necessary notification tags.
You can install a modular software package on the active partition or on the inactive partition. You would install on the active partition if you want to add the package functionality to the currently running core image without having to reboot the switch. You would install on the inactive partition if you want the functionality available after a switch reboot. Downloading a new image involves the following steps:
Loading the new module onto a TFTP server on your network (if you are using TFTP).
Loading the new module onto an external compact flash memory card (if you are using the external compact flash slot). This method is available only on modular switches. For more information about installing the external compact flash memory card into the external compact flash slot of the MSM, please refer to the Extreme Networks Consolidated XOS Hardware Installation Guide.
To download the module to the switch, enter the following command:
download image [[<hostname> | <ipaddress>] <filename> {{vr} <vrname>} | memorycard <filename>] {<partition>} {msm <slotid>}
Before the download begins, the switch asks if you want to install the module immediately after the download is finished. If you install the module to the active partition, you must reboot the switch. If you install the module to the inactive partition, you do not need to reboot the switch. Enter y to install the image after download. Enter n to install the image at a later time.
Enter y to continue the installation and reboot the switch. Enter n to cancel. If you install the module at a later time, the module is still downloaded and saved to the switch, but you must enter the following command to install the software: install image <fname> {<partition>} {msm <slotid>} {reboot}
NOTE
Unlike ExtremeWare, the download image command in ExtremeWare XOS causes the switch to use the newly downloaded software image during the next switch reboot. To modify or reset the software image used during a switch reboot, issue the use image command.
You activate the installed modular software package either by rebooting the switch or by entering the following command: run update
private key: one of two keys used in public-key encryption. The user keeps the private key secret and uses it to encrypt outgoing messages and decrypt incoming messages. The private key is stored on the user's local machine and is used to verify the identity of the user when the user attempts to connect to the SSH2 server.
public key: one of two keys used in public-key encryption. The user releases a copy of this key to the public to allow anyone to use it for encrypting messages to be sent to the user and for decrypting messages received from the user.
host key: the public key in a public-private key pair that is used to identify a server to a client in SSH2 connections. The SSH2 client saves the host key in a database.
When a client connects to a server, the server sends a host key to the client (the server keeps the private key secret). The first time the client connects to a server, the client's user is asked whether they want to save the host key. If the user chooses to save the host key, the client adds the key to its host key database. Each time the client connects to that server, the client expects to receive the same key. If the server sends a different host key, the client is alerted to the fact that there may be a problem, which could be anything from a corrupt key file to a fraudulent server. The client then takes the action it is required to take and accepts or rejects the connection.
Configuring SSH2
There are two steps in successfully configuring SSH2:
1 Generating the host key on the SSH2 server
2 Enabling SSH2 on the switch
An authentication key must be generated before the switch can accept incoming SSH2 sessions. To have the key generated by the switch, enter the following command: configure ssh2 key
You are prompted to enter information to be used in generating the key; you should enter random letters and numbers. The key generation process takes approximately ten minutes. Once the key has been generated, you should save your configuration to preserve the host key. The key generation process generates the SSH2 private host key. The SSH2 public host key is derived from the private host key and is automatically transmitted to the SSH2 client at the beginning of an SSH2 session. To use a key that has been previously created, enter the following command: configure ssh2 key pregenerated
You are then prompted to enter the previous key. It is recommended that you cut and paste in the previously generated host key.
NOTE
The pregenerated key must be one that was generated by the switch. To get such a key, you can use the command show configuration exsshd to display the key on the console. Copy the key to a text editor and remove the carriage return/line feeds from the key. Finally, copy and paste the key into the command line. The key must be entered as one line.
Enabling SSH2
To enable SSH2, enter the following command: enable ssh2 {access-profile [<access_profile> | none]} {port <tcp_port_number>} {vr [<vr_name> | all | default]}
To disable SSH2, enter the following command: disable ssh2
You can also specify a TCP port number to be used for SSH2 communication. By default the TCP port number is 22. Beginning with ExtremeWare XOS 11.2, the switch accepts IPv6 connections. Before you initiate a session from an SSH2 client, ensure that the client is configured for any nondefault access list or TCP port information that you have configured on the switch. Once these tasks are accomplished, you may establish an SSH2-encrypted session with the switch. Clients must have a valid user name and password on the switch in order to log in to the switch after the SSH2 session has been established.
Use the edit policy command to launch a VI-like editor on the switch. You can create the policy directly on the switch. Use the tftp command to transfer a policy that you created using a text editor on another system to the switch.
MyAccessProfile.pol
For this example, the switch permits connections from the subnet 10.203.133.0/24 and denies connections from all other addresses.
MyAccessProfile_2.pol
In this example, the switch does not permit connections from the subnet 10.203.133.0/24 but accepts connections from all other addresses.
Host: IP address of the switch
Service: SSH selected
TCP port: SSH default port number is 22
In the following examples, you are using a Linux system to move files to and from the switch at 192.168.0.120, using the switch administrator account admin. You are logged into your Linux system as user. To transfer the primary configuration file from the switch to your current Linux directory using SCP2, enter the following command:
[user@linux-server]# scp2 admin@192.168.0.120:/config/primary.cfg primary.cfg
To copy the policy file test.pol from your Linux system to the switch, enter the following command:
[user@linux-server]# scp2 test.pol admin@192.168.0.120:/config/test.pol
NOTE
The BlackDiamond 8800 family of switches and the Summit X450 switch do not support user-created VRs.
To send commands to a remote system using SSH2, enter the following command:
ssh2 {cipher [3des | blowfish]} {port <portnum>} {compression [on | off]} {user <username>} {debug <debug_level>} {<username>@} [<host> | <ipaddress>] {<remote command>} {vr <vr_name>}
The remote command can be any command accepted by the remote system. You can specify the login user name as a separate argument or as part of the user@host specification. If the login user name for the remote system is the same as your user name on the switch, you can omit the username parameter entirely. For example, to obtain a directory listing from a remote Linux system with IP address 10.10.0.2 using SSH2, enter the following command:
ssh2 admin@10.10.0.2 ls
To initiate a file copy from a remote system to the switch using SCP2, enter the following command:
scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <user>@ [<hostname> | <ipaddress>]:<remote_file> <local_file> {vr <vr_name>}
For example, to copy the configuration file test.cfg on host system1 to the switch, enter the following command:
scp2 admin@system1:/config/test.cfg localtest.cfg
To initiate a file copy to a remote system from the switch using SCP2, enter the following command:
scp2 {cipher [3des | blowfish]} {port <portnum>} {debug <debug_level>} <local_file> <user>@ [<hostname> | <ipaddress>]:<remote_file> {vr <vr_name>}
For example, to copy the configuration file engineering.cfg from the switch to host system1, enter the following command:
scp2 engineering.cfg admin@system1:/config/engineering.cfg
Verifying SSH2
Troubleshooting SSH2 requires you to look at the SSH2 server (switch) and SSH2 client (remotely connected PC). You can start the SSH2 troubleshooting process by verifying that SSH2 is set up and configured correctly on the switch. To verify that the host key generation is valid, enter the following command: show management
The SSH Access field should indicate key valid and specify the enabled TCP port number.
Troubleshooting SSH2
To view the fully generated SSH2 host key, enter the following command: show configuration
When SSH2 sessions are not set up properly, the syslog file can provide you with SSH-related information. To view the syslog file, enter the following command: show log
If SSH2 is correctly configured and enabled on the switch, you should look at the SSH2 client setup. Consult the documentation that accompanies the SSH2 client software. You should verify that the following are correct and valid:
SSH2 client is using a valid user name and password on the switch
SSH2 host IP address and other SSH2 connection settings
RSA for public key cryptography (generation of certificate and public-private key pair, certificate signing). RSA key size between 1024 and 4096 bits.
Symmetric ciphers (for data encryption): RC4, DES, and 3DES.
Message Authentication Code (MAC) algorithms: MD5 and SHA.
To use SSL with web-based login (secure HTTP access, HTTPS) you must specify the HTTPS protocol when configuring the redirect URL. If you are downloading the SSH module for the first time and want to immediately use SSL for secure HTTPS web-based login, restart the http process after installing the SSH module.
To enable SSL and allow secure HTTP (HTTPS) access on the default port (443), enter the following command: enable web https
To disable SSL and HTTPS, enter the following command: disable web https
NOTE
Prior to ExtremeWare XOS 11.2, the Extreme Networks SSH module did not include SSL. To use SSL for secure HTTPS web-based login, you must upgrade your core software image to ExtremeWare XOS 11.2 or later, install the SSH module that works in concert with that core software image, and reboot the switch.
Country code (maximum size of 2 characters)
Organization name (maximum size of 64 characters)
Common name (maximum size of 64 characters)
Any existing certificate and private key is overwritten. The size of the certificate depends on the RSA key length (privkeylen) and the length of the other parameters (country, organization name, and so forth) supplied by the user. If the RSA key length is 1024, then the certificate is approximately 1 kb. For an RSA key length of 4096, the certificate length is approximately 2 kb, and the private key length is approximately 3 kb.
To see whether the private key matches with the public key stored in the certificate, enter the following command:
HTTPS port configured. This is the port on which the clients will connect.
Length of the RSA key (the number of bits used to generate the private key).
Basic information about the stored certificate.
NOTE
For security reasons, when downloading private keys, Extreme Networks recommends obtaining a pre-generated key rather than downloading a private key from a TFTP server.
Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. Once you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM.
Figure 55: Configuring Switch to Receive Pregenerated SSL Certificate from User
RADIUS, TACACS+, local database of accounts and passwords, and SSH are management access security features that control access to the management functions available on the switch. These features help ensure that any configuration changes to the switch can be done only by authorized users.
RADIUS versus TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary AAA implementation similar in function to RADIUS.
Transport: RADIUS uses UDP, best effort delivery, default port number 1646. TACACS+ uses TCP, connection oriented, default port number 49.
Encryption: RADIUS encrypts the password in the access-request packet; the rest of the RADIUS packet, containing username, authorized services, and accounting fields, is sent in clear. TACACS+ encrypts the entire packet.
Standard: RADIUS is an industry standard. TACACS+ is Cisco proprietary.
AAA architecture: The RADIUS AAA server combines authentication and authorization. Access-Accept packets sent by the RADIUS server to the client contain authorization information, making it difficult to decouple authentication and authorization. TACACS+ separates authentication, authorization, and accounting services, which enables AAA services to be spread over multiple servers. For example, it is possible to use Kerberos for an authentication server and a TACACS+ server for authorization and accounting.
Routing Protocol: TACACS+ lists AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connection.
NOTE
RADIUS and TACACS+ cannot be active at the same time on an Extreme Networks switch.
RADIUS
The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access authentication, authorization, and accounting (AAA) protocol. The RADIUS specification is described in RFCs 2138 and 2865.
Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.
Authorization: The act of granting access rights to a user, groups of users, system, or a process.
Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.
RADIUS is a client/server protocol, with the Extreme Networks switch as the client. The RADIUS client is known as a Network Access Server (NAS). The RADIUS server is usually a daemon process running on a UNIX or Windows machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver services to the user. The password is hidden using the RSA Message Digest Algorithm MD5. Communication between a client (NAS) and a RADIUS server is based on the connectionless User Datagram Protocol (UDP) service. Potential issues related to server availability are handled by the RADIUS-enabled devices rather than by the transport protocol. The RADIUS implementation can be used to perform per-command authentication, allowing you to define several levels of user capabilities by controlling the permitted command sets based on the RADIUS username and password. You do not need to configure any additional switch parameters to take advantage of this capability. The RADIUS server implementation automatically negotiates the per-command authentication capability with the switch.
Authorization, Authentication & Accounting (AAA) protocol
Distributed access control with centrally stored authentication information
Requires RADIUS client (NAS) / RADIUS server
IP/UDP based
Per-command authentication (server)
2 The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a certain length of time, the request is resent. The client can also forward requests to a secondary RADIUS server in the event that the primary RADIUS server is down or unreachable.
3 When the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have the shared secret password is discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request.
If any condition is not met, the RADIUS server sends an Access-Reject response indicating that this user request is invalid. If all conditions are met, the RADIUS server sends an Access-Accept response indicating that this user request is valid. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an Access-Challenge response.
4 If the RADIUS client receives an Access-Challenge and supports challenge/response, it prompts the user for a response. The client then resubmits the original Access-Request with a new request ID, with the User-Password Attribute replaced by the response.
5 The server can respond to this new Access-Request with an Access-Accept, an Access-Reject, or another Access-Challenge.
Note: Username and RADIUS exchanges are sent in the clear. Only the password is encrypted.
Figure 60: Configuring the Shared Secret Password for RADIUS Servers
Troubleshooting RADIUS
RADIUS troubleshooting is not limited to the switch (RADIUS client). The configuration files required on the RADIUS server need to be properly configured. RADIUS server log files will provide additional information on the RADIUS client and RADIUS server communication.
Read-only Read-write
Because no command line interface (CLI) commands are available to modify the privilege level, access rights are determined when you log in. For a RADIUS server to identify the administrative privileges of a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept packet, after successfully authenticating the user. Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Any other Service-Type value, or no value, results in the switch granting read-only access to the user. Different implementations of RADIUS handle attribute transmission differently. You should consult the documentation for your specific implementation of RADIUS when you configure users for read-write access.
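As an added illustration of the exchange described in this module (the MD5 hiding of User-Password in the Access-Request, the User-Name travelling in the clear, the Response Authenticator the client checks, and the Service-Type 6 test on the Access-Accept), not code from the course or from Extreme Networks. The shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example (not from the course material).
SHARED_SECRET = b"example-shared-secret"

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6  # the Service-Type value the switch maps to read-write


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad with NULs to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator. This is keyed obfuscation, not authenticated encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret, username, password, identifier=1, authenticator=None):
    """NAS (switch) side: User-Name travels in the clear, only User-Password is hidden."""
    auth = authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(secret, auth, password))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def build_access_accept(secret, identifier, request_auth, service_type=None):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b""
    if service_type is not None:
        attrs = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def parse_packet(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    return code, identifier, pkt[4:20], decode_attrs(pkt[20:length])


def verify_response(secret, request_auth, pkt) -> bool:
    """Client-side check that the reply came from a server holding the shared secret."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def privilege_from_access_accept(secret, request_auth, pkt):
    """Read-write only for Service-Type 6 (Administrative); any other value, or no
    Service-Type at all, is read-only. Returns None for a non-Accept reply."""
    if not verify_response(secret, request_auth, pkt):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, _, _, attrs = parse_packet(pkt)
    if code != CODE_ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return "read-write"
    return "read-only"
```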
Extreme RADIUS
Extreme Networks provides its users, free of charge, a RADIUS server based on Merit RADIUS. Extreme RADIUS provides per-command authentication capabilities in addition to the standard set of RADIUS features. Source code for Extreme RADIUS can be obtained from the Extreme Networks Technical Assistance Center and has been tested on Red Hat Linux.
When Extreme RADIUS is up and running, the two most commonly changed files will be users and profiles. The users file contains entries specifying login names and the profiles used for per-command authentication after they have logged in. Sending a HUP signal to the RADIUS process is sufficient for changes in the users file to take effect. Extreme RADIUS uses the file named profiles to specify command lists that are either permitted or denied to a user based on their login identity. Changes to the profiles file require the RADIUS server to be shut down and restarted. Sending a HUP signal to the RADIUS process is not enough to force changes to the profiles file to take effect.
When you create command profiles, you can use an asterisk to indicate any possible ending to any particular command. The asterisk cannot be used at the beginning of a command. Reserved words for commands are matched exactly to those in the profiles file. Due to the exact match, it is not enough to simply enter sh for show in the profiles file; the complete word must be used. Commands can still be entered in the switch in partial format.
When you use per-command authentication, you must ensure that communication between the switch(es) and RADIUS server(s) is not lost. If the RADIUS server crashes while users are logged in, they will have full administrative access to the switch until they log out. Using two RADIUS servers and enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access due to RADIUS
Free RADIUS Servers
Extreme Networks EPICenter
RSA ACE
Funk Software Steel Belted Radius
Summary
You should now be able to:
Identify the five switch access options
Configure Safe-Default-Script
Disable nonessential switch access options
Create management accounts on the switch
Configure a Failsafe Account
Manage Passwords
Configure an Access Control List (ACL) to control telnet access
Display management accounts
Configure the banner that displays during login attempts
Configure switch idle timeouts
View active switch sessions
Configure SNMPv3
Configure SSH2
Configure an ACL to control SSH2 access
Configure SCP2
Describe RADIUS
Configure the RADIUS client
Configure RADIUS accounting
Describe TACACS+
TACACS+
Cisco proprietary AAA protocol
TCP based
Supports legacy protocols
On an Extreme Networks switch, RADIUS and TACACS+ cannot be active at the same time
Student Objectives
Upon completion of this module, the successful student will be able to:
Describe EXOS Packet Filtering Structure and Components
Know how to use policies and edit policy files
Describe the differences between ACL policies and Routing policies
Understand Dynamic ACL and Static ACL (ACL Policy File), matching conditions, syntax, and troubleshooting
Understand ACL rule evaluation process
Understand routing policies
Routing policy syntax and rule evaluation process
Routing policy match conditions and actions
Know how to apply routing policies
Practice hands-on labs to reinforce the concept
Types of Policies
There are two types of policies: ACL Policy and Routing Policy.
Policies are used by the access control list (ACL) application to perform packet filtering and forwarding decisions on packets. The ACL application programs these policies into the packet filtering hardware on the switch. Packets can be dropped, forwarded, moved to a different QoS profile, or counted, based on the policy statements provided by the policy manager.
Policies are also used by the routing protocols to control the advertisement, reception, and use of routing information by the switch. Using policies, a set of routes can be selectively permitted (or denied) based on their attributes, for advertisement in the routing domain. The routing protocol application can also modify the attributes of the routing information, based on the policy statements.
ExtremeWare XOS does not prohibit mixing ACL policy and routing policy entries in a single policy file. However, it is strongly recommended that you write separate policy files for ACL entries and for routing entries.
ACLs can be created in two ways. One method is to use the ACL policy file mentioned above, which is created and applied to a list of ports or VLANs/interfaces. ACLs created this way can be persistent across switch reboots, can contain a large number of rule entries, and are all applied at the same time. The other method is to create dynamic ACLs. Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are being configured. Details are covered later in this module.
The dynamic ACL does not persist across a reboot and consists of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are being configured.
ACL Overview
ACLs are used to perform packet filtering and forwarding decisions on incoming traffic.
Each packet arriving on an ingress port is compared to the access list applied to that port and is either permitted or denied. Permitted packets can also be forwarded to a specified QoS profile. On the BD10K and BD12K platforms, egress packets can also be filtered. This is a new feature in ExtremeWare EXOS 11.3.
Additionally, you can configure the switch to count permitted and denied (dropped) packets, log packet headers, mirror traffic to a monitor port, send the packet to a QoS profile, and, for the BlackDiamond 8800 family and Summit X450 switches only, meter the packets to control bandwidth.
ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets such as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly allow those types of packets (if desired). In ExtremeWare, an ACL that denied all traffic would allow control packets (those bound for the CPU) to reach the switch.
ACLs are created in two different ways. One method is to use the CLI to specify a single rule, called a dynamic ACL. Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs can be applied to an interface, and the precedence of the ACLs is determined as they are being configured. The second method is to create an ACL policy file and apply that ACL policy file to a list of ports, a VLAN, or to all interfaces. This method creates ACLs that can be persistent across switch reboots, can contain a large number of rule entries, and are all applied at the same time.
IP source address and mask
IP destination address and mask
TCP or UDP source port range
TCP or UDP destination port range
Actions:
The action is either permit or deny or no action is specified. No action specified permits the packet. The deny action drops the packet.
Action Modifiers:
The action modifiers are count <countername>, qosprofile <qosprofilename>, and meter <metername>. The count action increments the counter named in the condition. The QoS profile action forwards the packet to the specified QoS profile. The meter action modifier associates a rule entry with an ACL meter, and is only available on BD 8810 and Summit X450 platforms. (Metering is a QoS feature and is not discussed in detail in this course.)
See these fields on the lower slide of the next page.
Prefix: IP source and destination address prefixes. To specify the address prefix, use the notation prefix/prefix-length. For a host address, prefix-length should be set to 32.
Number: Numeric value, such as TCP or UDP source and destination port number, IP protocol number.
Range: A range of numeric values, such as TCP or UDP port number ranges. To specify the numeric range, use the notation: number-number.
Bit-field: Used to match specific bits in an IP packet, such as TCP flags and the fragment flag.
MAC: 6-byte hardware address
Often an ACL will have a rule entry at the end of the ACL with no match conditions. This entry will match any packets not otherwise processed, so that the user can specify an action to override the default permit action.
L2 rule: a rule containing only Layer 2 (L2) matching conditions, such as Ethernet MAC address and Ethernet type.
L3 rule: a rule containing only Layer 3 (L3) matching conditions, such as source or destination IP address and protocol.
L4 rule: a rule containing both Layer 3 (L3) and Layer 4 (L4) matching conditions, such as TCP/UDP port number.
When an ACL file contains both L2 and L3/L4 rules, for BlackDiamond 10K:
L3/L4 rules have higher precedence than L2 rules. L3/L4 rules are evaluated before any L2 rules.
The precedence among L3/L4 rules is determined by their relative position in the ACL file. Rules are evaluated sequentially from top to bottom.
The precedence among L2 rules is determined by their position in the ACL file. Rules are evaluated sequentially from top to bottom.
It is recommended that L2 and L3/L4 rules be grouped together for easy debugging.
For BD 8810 and Summit X450, rule precedence is solely determined by the rules' relative order in the policy file. L2, L3, and L4 rules are evaluated in the order found in the file.
For example, a physical port 1:2 is a member port of the VLAN yellow. The ACL evaluation is performed in the following sequence:
1 If the ACL is configured on port 1:2, the port-based ACL is evaluated and the evaluation ends.
2 If the ACL is configured on the VLAN yellow, the VLAN-based ACL is evaluated and the evaluation process terminates.
3 If the wildcard ACL is configured, the wildcard ACL is evaluated and the evaluation process terminates.
Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450 only
An ACL mask defines unique match criteria and relative rule precedence, and masks are automatically generated based on the contents of an ACL policy. Only adjacent rules within the policy that have identical match criteria will utilize the same ACL mask; therefore, list all rules with the same match criteria together unless relative precedence with other policy rules is required. There are 16 ACL masks supported per port, 128 rules supported per Gigabit Ethernet port, and 1024 rules supported per 10 Gigabit Ethernet port. As you can see, it is important to conserve and carefully plan the use of ACL masks to avoid exhausting the masks available on the BD8800 and Summit X450 switches. To display the number of masks and rules used by a particular port: #show access-list usage [acl-mask | acl-rule] port <port>
Additionally, certain non-ACL features allocate ACL masks and use ACL rules in order to function. Here is a list by feature:
dot1p examination: 1 mask, 8 rules (default enabled)
DiffServ examination: 1 mask, 64 rules for 10G ports; 0 masks, 0 rules for 1G ports (default disabled)
IGMP snooping: 2 masks, 2 rules (default enabled)
IP interface: 2 masks, 2 rules (default disabled)
VLAN QoS: 1 mask, 1 rule per VLAN (default disabled)
port QoS: 1 mask, 1 rule (default disabled)
VRRP: 1 mask, 1 rule
EAPS: 1 master config + 1 transit config masks, 1 + number of transit-mode EAPS domains on the port rules
ESRP: 1 mask, 1 rule
LLDP: 1 mask, 1 rule
Netlogin: 1 mask, 1 rule
IPv6: 1 mask, 1 rule
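An added example, not from the course material or from ExtremeWare XOS, that parses a small constructed ACL policy file, lists its entries in the evaluation order the two platform rules above describe (BlackDiamond 10K: L3/L4 entries before L2; BD 8800 / Summit X450: file order), and counts ACL masks under the assumption that a mask corresponds to the set of match-condition field names an entry uses, so that adjacent entries with the same field set share one. The field names, the platform labels and the placement of a catch-all entry are assumptions made for the example.

```python
import re

# Match-condition field names grouped by layer (assumed names for this example).
L2_FIELDS = {"ethernet-source-address", "ethernet-destination-address", "ethernet-type"}
L3_FIELDS = {"source-address", "destination-address", "protocol", "ip-tos", "fragments"}
L4_FIELDS = {"source-port", "destination-port", "tcp-flags", "icmp-type", "icmp-code"}

# Per-port hardware limits quoted in the text: 16 masks; 128 rules (1G) or 1024 rules (10G).
PORT_LIMITS = {"1G": (16, 128), "10G": (16, 1024)}

_ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w-]+)\s*\{\s*if\s*(?:match\s+all\s*)?\{(?P<cond>[^}]*)\}"
    r"\s*then\s*\{(?P<act>[^}]*)\}\s*\}",
    re.S,
)

# Constructed sample policy (not from the course material).
SAMPLE_POLICY = """
entry block_bad_mac {
    if { ethernet-source-address 00:11:22:33:44:55; } then { deny; }
}
entry allow_mgmt_net {
    if { source-address 10.203.133.0/24; } then { permit; count mgmt; }
}
entry allow_ssh {
    if match all { source-address 10.203.133.0/24; protocol tcp; destination-port 22; } then { permit; }
}
entry allow_backup_net {
    if { source-address 10.10.0.0/16; } then { permit; }
}
entry deny_rest {
    if { } then { deny; count dropped; }
}
"""


def _statements(block):
    return [s.strip() for s in block.split(";") if s.strip()]


def parse_policy(text):
    """Return the entries as dicts: name, conditions {field: value}, actions [str]."""
    rules = []
    for m in _ENTRY_RE.finditer(text):
        conditions = {}
        for stmt in _statements(m.group("cond")):
            field, _, value = stmt.partition(" ")
            conditions[field] = value.strip()
        actions = _statements(m.group("act")) or ["permit"]  # no action means permit
        rules.append({"name": m.group("name"), "conditions": conditions, "actions": actions})
    return rules


def rule_layer(rule):
    """Classify an entry as L2, L3, L4 or 'any' (catch-all entry with no conditions)."""
    fields = set(rule["conditions"])
    if fields & L4_FIELDS:
        return "L4"
    if fields & L3_FIELDS:
        return "L3"
    if fields & L2_FIELDS:
        return "L2"
    return "any"


def evaluation_order(rules, platform):
    """Entry names in the order the platform evaluates them. A catch-all entry is
    placed last on bd10k (assumption; the text does not say where it goes)."""
    if platform == "bd10k":
        ordered = [r for r in rules if rule_layer(r) in ("L3", "L4")]
        ordered += [r for r in rules if rule_layer(r) == "L2"]
        ordered += [r for r in rules if rule_layer(r) == "any"]
    elif platform in ("bd8800", "x450"):
        ordered = list(rules)
    else:
        raise ValueError("unknown platform: " + platform)
    return [r["name"] for r in ordered]


def mask_usage(rules):
    """Count ACL masks: adjacent entries with the same set of match fields share one."""
    masks, previous = 0, None
    for rule in rules:
        criteria = frozenset(rule["conditions"])
        if criteria != previous:
            masks += 1
            previous = criteria
    return masks


def regroup_by_criteria(rules):
    """Place entries with identical criteria next to each other (first-seen order).
    This changes relative precedence, so only do it where that does not matter."""
    groups = {}
    for rule in rules:
        groups.setdefault(frozenset(rule["conditions"]), []).append(rule)
    return [rule for group in groups.values() for rule in group]


def port_budget_ok(rules, port_speed="1G"):
    max_masks, max_rules = PORT_LIMITS[port_speed]
    return mask_usage(rules) <= max_masks and len(rules) <= max_rules
```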
Figure 81: Conserving ACL Masks and Rules on BlackDiamond 8800 and Summit X450
Dynamic ACL
Dynamic ACLs are created using the CLI. They use a syntax similar to the ACL policy and can accomplish the same actions as single rule entries used in ACL policy files. Once a dynamic ACL rule has been created, it can be applied to a port, a VLAN, or to the wildcard any interface. More than one ACL can be applied to an interface. When the ACL is applied, you specify the precedence of the rule among the dynamic ACL rules. Dynamic ACLs have a higher precedence than ACLs applied using a policy file.
Actions:
permit: the packet is forwarded.
deny: the packet is dropped.
The default action is permit, so if no action is specified in a rule entry, the packet is forwarded.
Slides on the right page demonstrate how to configure dynamic ACL rules.
3 Apply the test.pol policy file to all ports and interfaces. #configure access-list test any
4 Verify by using the command: #show access-list counter
To use the built-in vi-like editor on the switch to create or edit a policy file, use the command #edit policy test.pol
Routing Policies
Routing policies:
are used to control the advertisement or reception of routes using routing protocols
may hide entire networks or trust specific sources for routes or ranges of routes
may modify and filter routing information received and advertised by a switch
match all: All the match conditions must be true for a match to occur. This is the default.
match any: If any match condition is true, then a match occurs.
The slide on the right shows the possible policy entry match conditions. Please note that these match conditions only apply to routing policies, not ACL policies. For ACL policies, there is only match all.
Examples
The following AS-Path statement matches AS paths that contain only (begin and end with) AS number 65535: as-path "^65535$"
The following AS-Path statement matches AS paths beginning with AS number 65535, ending with AS number 14490, and containing no other AS numbers: as-path "^65535 14490$"
The following AS-Path statement matches AS paths beginning with AS number 1, followed by any AS number from 2 - 8, and ending with either AS number 11, 13, or 15: as-path "^1 2-8 [11 13 15]$"
The following AS-Path statement matches AS paths beginning with AS number 111 and ending with any AS number from 2 - 8: as-path "111 [2-8]$"
The following AS-Path statement matches AS paths beginning with AS number 111 and ending with any additional AS number, or beginning and ending with AS number 111: as-path "111.?"
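An added example (not from the course) that implements a small matcher for the as-path pattern forms shown above: the ^ and $ anchors, a single AS number, a lo-hi range, a bracketed set, "." for any one AS and "?" making the preceding element optional. It treats a pattern as a sequence of AS-number tokens rather than a character regex, which is an assumption about how the switch interprets these patterns.

```python
import re

# Token forms accepted (assumed from the course examples): [set ...], lo-hi, number, ".", "?"
_TOKEN_RE = re.compile(r"\[[^\]]*\]|\d+-\d+|\d+|\.|\?")


def _predicate(tok):
    """Return a function asn -> bool for one element token."""
    if tok == ".":
        return lambda asn: True
    if "-" in tok:
        lo, hi = (int(x) for x in tok.split("-"))
        return lambda asn, lo=lo, hi=hi: lo <= asn <= hi
    return lambda asn, n=int(tok): asn == n


def compile_as_path(pattern):
    """Compile a pattern into (anchored_start, anchored_end, [(predicate, optional)])."""
    pat = pattern.strip().strip('"')  # the course examples are written in quotes
    anchored_start = pat.startswith("^")
    anchored_end = pat.endswith("$")
    pat = pat.lstrip("^").rstrip("$")
    items = []
    for tok in _TOKEN_RE.findall(pat):
        if tok == "?":
            if not items:
                raise ValueError("'?' must follow an element")
            pred, _ = items[-1]
            items[-1] = (pred, True)
        elif tok.startswith("["):
            members = [_predicate(m) for m in tok[1:-1].split()]
            items.append((lambda asn, ms=members: any(p(asn) for p in ms), False))
        else:
            items.append((_predicate(tok), False))
    return anchored_start, anchored_end, items


def _match(items, path, i, anchored_end):
    """Backtracking match of the remaining items against path[i:]."""
    if not items:
        return i == len(path) if anchored_end else True
    pred, optional = items[0]
    if optional and _match(items[1:], path, i, anchored_end):
        return True
    return bool(i < len(path) and pred(path[i]) and _match(items[1:], path, i + 1, anchored_end))


def as_path_matches(pattern, path):
    """path is the AS_PATH as a list of AS numbers, leftmost (most recent) first."""
    anchored_start, anchored_end, items = compile_as_path(pattern)
    starts = [0] if anchored_start else range(len(path) + 1)
    return any(_match(items, path, s, anchored_end) for s in starts)


def parse_as_path(text):
    """'65535 14490' -> [65535, 14490]"""
    return [int(x) for x in text.split()]
```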
Policies applied with commands that use the keyword import-policy control the routes imported to the protocol from the switch routing table. The following are examples for the BGP and RIP protocols:
#configure bgp import-policy [<policy-name> | none]
#configure rip import-policy [<policy-name> | none]
Commands that use the keyword route-policy control the routes advertised or received by the protocol. For BGP and RIP, here are some examples:
#configure bgp neighbor [<remoteaddr> | all] {address-family [ipv4-unicast | ipv4-multicast]} route-policy [in | out] [none | <policy>]
#configure bgp peer-group <peer-group-name> route-policy [in | out] [none | <policy>]
#configure rip vlan [<vlan-name> | all] route-policy [in | out] [<policy-name> | none]
Other examples of commands that use route policies include:
#configure ospf area <area-identifier> external-filter [<policy-map> | none]
#configure ospf area <area-identifier> interarea-filter [<policy-map> | none]
#configure rip vlan [<vlan-name> | all] trusted-gateway [<policy-name> | none]
1. Create a rule entry by using any text editor:
   entry RouteRule {
       if match all {
           route-origin rip
       } then {
           cost 10
       }
   }
2. TFTP the file to the switch, and rename it as RouteRule.pol. Verify the policy file syntax and integrity:
   #tftp 192.168.1.2 -g -r RouteRule.pol
   #check policy RouteRule
3. Apply the RouteRule.pol policy file to all VLANs:
   #configure rip vlan all route-policy RouteRule.pol in
Student Objectives
Upon completion of this module, the successful student is able to:
- Describe DoS attacks
- Describe two common DoS attack modes
- Describe at least five different types of DoS attacks
- Describe DoS countermeasures
- Describe IP broadcast forwarding
- Configure IP broadcast forwarding
- Describe DoS-Protect
- Sequence the steps required to implement DoS-Protect
- Configure DoS-Protect
- Verify DoS-Protect
- Troubleshoot DoS-Protect
- Identify appropriate actions to take during a DoS attack
The switch CPU handles functions such as:
- Learning new traffic (BlackDiamond 10K switch only; the BlackDiamond 8800 family of switches and the Summit X450 switch learn in hardware)
- Routing and control protocols including ICMP, BGP, OSPF, STP, EAPS, ESRP, and so forth
- Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, and so forth)
- Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets requiring costly processing.
Distributed
Distributed DoS attack tools were written to evade asymmetrical countermeasures. Using a wide array of individual computers that have been maliciously hijacked, DoS traffic from different IP addresses simultaneously targets the intended system. Freely available distributed DoS attack tools include Trinoo, Tribal Flood Network, mstream, and Stacheldraht.
Martian Attacks
Martian attacks use invalid IP source and/or IP destination addresses to overwhelm a router; data packets accumulate in the router, causing the system to crash or reboot.
[Figure: TCP SYN packets sent with changing (spoofed) source addresses]
1. TCP SYN from 10.10.10.1 to 10.10.10.2
2. Change source address from 10.10.10.1 to 20.20.20.1
3. TCP SYN, ACK from 10.10.10.2 to 10.10.10.1 - no longer there
4. TCP SYN from 20.20.20.1 to 10.10.10.2
5. Change source address from 20.20.20.1 to 30.30.30.1
6. TCP SYN, ACK from 10.10.10.2 to 20.20.20.1 - no longer there
- Ingress address filtering: At the router level, ensure that incoming packets from the local network segment have an IP address that matches the local network's IP NETID. Although this scheme will not eliminate all address spoofing attacks, it will cut down on the vast majority of them.
- Prevent broadcast amplification: Block any inbound traffic addressed to the broadcast address, stopping broadcast amplification.
- Turn off unused TCP and UDP services: Most systems come with more services enabled by default than are actually used. By shutting off unnecessary services, their ports are no longer accessible from the outside. This protection must be applied on a server-by-server basis.
- ACL entries: Prevent IP address spoofing
- IP broadcast forwarding: Disable this feature
- ExtremeWare XOS DoS-Protect feature: Enable this feature
Protecting against DoS attacks involves:
- Actively policing data flows to identify DoS attacks and protect users and subnets against their impacts
- Protecting the infrastructure's equipment to ensure resiliency against DoS attacks
IP Forwarding Broadcast
IP forwarding must first be enabled before IP broadcast forwarding can be enabled. When IP broadcast forwarding is enabled, your network can be used as a broadcast amplification site that floods other networks with DoS attacks such as the smurf attack. Controlling ICMP distribution on a per-type, per-VLAN basis restricts the success of tools that can be used to find application, host, or topology information. To disable IP broadcast forwarding, enter the following command:
disable ipforwarding broadcast
ICMP Useredirects
To disable the modification of route table information when an ICMP redirect message is received, enter the following command (the default setting is disabled):
disable icmp useredirects
DoS-Protect
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of CPU-bound packets reaches the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the CPU. Periodically, the ACL expires, and if the attack is still occurring, it is re-enabled. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue other services. DoS Protection sends a notification when the notify threshold is reached. You can also specify some ports as trusted ports, so that DoS protection is not applied to those ports.
DoS-Protect
- Tracks CPU-demanding traffic
- Activated when the specified threshold is reached
- Dynamically creates an ACL on the fly
Figure 9: DoS-Protect
Implementing DoS-Protect
To properly implement DoS-Protect, you need to enable the simulated mode, configure the DoS-Protect parameters, and then enable DoS-Protect.
Simulated Mode
A conservative and safe way to deploy DoS Protection is to use the simulated mode first to determine the traffic thresholds. In simulated mode, DoS Protection is enabled, but no ACL is generated. Traffic is not discarded. In simulated mode, legitimate traffic is not blocked. Examples of legitimate heavy traffic include:
- Route loss: during this period, the switch may receive lots of routing updates that cause heavy traffic.
- Configuration or image upload/download
To enable the simulated mode, enter the following command: enable dos-protect simulated
Implementing DoS-Protect
1. Learn your network data-streams:
   enable dos-protect simulated
2. Configure the DoS-Protect parameters:
   configure dos-protect type l3-protect alert-threshold <packets>
   configure dos-protect type l3-protect notify-threshold <packets>
3. Configure trusted ports (optional):
   configure dos-protect trusted ports <ports>
4. Enable DoS-Protect:
   enable dos-protect
interval - How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
alert threshold - The number of packets received in an interval that will generate an ACL (default: 4000 packets)
notify threshold - The number of packets received in an interval that will generate a notice (default: 3500 packets)
ACL expiration time - The amount of time, in seconds, that the ACL will remain in place (default: 5 seconds)
To configure the interval at which the switch checks for DoS attacks, enter the following command:
configure dos-protect interval <seconds>
To configure the alert threshold, enter the following command:
configure dos-protect type l3-protect alert-threshold <packets>
To configure the notification threshold, enter the following command:
configure dos-protect type l3-protect notify-threshold <packets>
To configure the ACL expiration time, enter the following command:
configure dos-protect acl-expire <seconds>
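As an added example (not Extreme Networks code), the following Python model walks through the DoS-Protect behaviour described above: a per-interval count of CPU-bound packets, a notify threshold, an alert threshold that installs an ACL, an ACL that expires and is re-created if the flood continues, and simulated mode, which only reports. The per-interval packet counts are constructed, the parameter names mirror the CLI parameters, and treating a count equal to a threshold as "reached" is an assumption.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DosProtect:
    """Model of the DoS-Protect parameters, using the defaults quoted above."""
    interval: int = 1             # seconds between evaluations of the counter
    alert_threshold: int = 4000   # packets per interval that create an ACL
    notify_threshold: int = 3500  # packets per interval that raise a notice
    acl_expire: int = 5           # seconds the generated ACL stays in place
    simulated: bool = False       # simulated mode: count and notify, never install an ACL
    acl_remaining: int = 0        # seconds left on the current ACL (0 = none installed)
    history: List[list] = field(default_factory=list)

    def evaluate(self, cpu_packets: int) -> list:
        """Evaluate one interval's count of CPU-bound packets; return the events raised."""
        raised = []
        if self.acl_remaining > 0:
            # An installed ACL counts down. Until it expires, offending traffic
            # is filtered in hardware, so there is nothing for the counter to act on.
            self.acl_remaining -= self.interval
            if self.acl_remaining > 0:
                self.history.append(raised)
                return raised
            self.acl_remaining = 0
            raised.append("acl-expired")
        if cpu_packets >= self.notify_threshold:
            raised.append("notify")           # notification to the operator
        if cpu_packets >= self.alert_threshold:
            if self.simulated:
                raised.append("would-create-acl")  # simulated mode: report only
            else:
                self.acl_remaining = self.acl_expire
                raised.append("acl-created")  # hardware ACL limits the flow to the CPU
        self.history.append(raised)
        return raised


def run(counts, **params) -> List[list]:
    """Feed a sequence of per-interval counts through one DosProtect instance."""
    dp = DosProtect(**params)
    return [dp.evaluate(c) for c in counts]


if __name__ == "__main__":
    # Constructed trace: a burst that crosses notify, then alert, and keeps going.
    for second, events in enumerate(run([100, 3600, 4002, 4002, 4002, 4002, 4002, 4002, 100])):
        print(f"t={second}s events={events}")
```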
Troubleshooting CPU-DoS-Protect
Useful Information from the Show cpu-dos-protect Command
During an attack, one can view the status of cpu-dos-protect with the show cpu-dos-protect command. This command shows the user how long the ACL will remain active. Once the timer expires, the ACL is deleted, and monitoring of slow path packets continues. In the event the attack is ongoing, and the flow of slow path packets remains constantly above the threshold, the ACL is recreated over and over again.
Troubleshooting dos-protect
show log
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
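An added example (not part of the course material or ExtremeWare XOS) that parses the DOSprotect lines shown in the show log output above into structured records, so the packet-to-CPU count, the ACL create/remove events and the best-guess origin can be checked or forwarded to a monitoring system. The log text is the page's own sample embedded as a constant; the line layout the regular expressions assume is taken from those four lines only.

```python
import re
from typing import List, Optional

# The four lines from the 'show log' output above, embedded for offline use.
SAMPLE_LOG = """\
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
"""

# "<date> <time> <SEVERITY:COMPONENT> DOSprotect ..." as seen in the sample lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) <(?P<severity>[A-Z]+):(?P<component>[A-Z]+)> (?P<msg>DOSprotect.*)$"
)
COUNTER_RE = re.compile(r"raw packets to cpu: (?P<to_cpu>\d+) dropped in software: (?P<dropped>\d+)")
ORIGIN_RE = re.compile(
    r"possible Denial-of-Service: best guess origin: physport (?P<port>\S+) "
    r"mac (?P<mac>[0-9a-f:]{17}) to (?P<dst>\S+)"
)
ACL_RE = re.compile(r"(?P<action>create|remove) ACL block from PhysPorts (?P<port>\S+) to (?P<dst>\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a DOSprotect log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "severity": m["severity"], "component": m["component"], "kind": "other"}
    msg = m["msg"]
    if (c := COUNTER_RE.search(msg)):
        # Per-second counter: compare to_cpu against the alert threshold (default 4000).
        rec.update(kind="counter", to_cpu=int(c["to_cpu"]), dropped=int(c["dropped"]))
    elif (o := ORIGIN_RE.search(msg)):
        # The switch's best guess of where the flood enters and what it targets.
        rec.update(kind="origin", port=o["port"], mac=o["mac"], dst=o["dst"])
    elif (a := ACL_RE.search(msg)):
        # Dynamic ACL lifecycle: "create" on alert, "remove" when the ACL expires.
        rec.update(kind="acl", action=a["action"], port=a["port"], dst=a["dst"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def suspected_origins(records: List[dict]) -> List[tuple]:
    """(ingress port, MAC, destination) triples the switch flagged as possible DoS sources."""
    return [(r["port"], r["mac"], r["dst"]) for r in records if r["kind"] == "origin"]


def intervals_over_alert(records: List[dict], alert_threshold: int = 4000) -> List[int]:
    """Counter readings that reached the alert threshold, i.e. intervals that justify an ACL."""
    return [r["to_cpu"] for r in records if r["kind"] == "counter" and r["to_cpu"] >= alert_threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("origins:", suspected_origins(recs))
    print("over alert threshold:", intervals_over_alert(recs))
```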
Computer Emergency Response Team website, maintained by Carnegie Mellon University.
http://www.rfc-editor.org/
Summary
You should now be able to:
- Describe DoS attacks
- Describe two common DoS attack modes
- Describe at least five different types of DoS attacks
- Describe DoS countermeasures
- Describe IP broadcast forwarding
- Configure IP broadcast forwarding
- Describe DoS-Protect
- Sequence the steps required to implement DoS-Protect
- Configure DoS-Protect
- Verify DoS-Protect
- Troubleshoot DoS-Protect
- Identify appropriate actions to take during a DoS attack
Student Objectives
Upon completion of this module, the successful student is able to:
- Describe the Forwarding Database (FDB)
- Identify four FDB types
- List two types of port address security
- Describe limit-learning
- Configure limit-learning
- Identify configuration guideline when implementing limit-learning on ESRP ports
- Troubleshoot limit-learning
- Describe lock-learning
- Configure lock-learning
- Troubleshoot lock-learning
- Disable MAC Address Learning
- List guidelines when enabling or disabling egress flooding
- Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only
- Enable and disable egress flooding on the BlackDiamond 10K switch only
- Configure a Layer 3 blackhole
MAC-Based Security
MAC-based security allows you to control the way the FDB is learned and populated. By managing entries in the FDB, you can block and control packet flows on a per-address basis. MAC-based security allows you to limit the number of dynamically-learned MAC addresses allowed per virtual port. You can also lock the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. With ACLs, you can also prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN.
Each FDB entry records the:
- MAC address of the device
- identifier for the port on which it was received
- identifier for the VLAN to which the device belongs
- Manages the way the Forwarding Database (FDB) is learned and populated
- Allows a limit to the number of dynamically-learned MAC addresses allowed per virtual port
- Using ACLs, can prioritize or stop packet flows based on the source MAC address of the ingress VLAN or the destination MAC address of the egress VLAN
FDB
Dynamic entries - A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted. This prevents the database from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. Dynamic entries are flushed and relearned (updated) when any of the following take place:
- A VLAN is deleted.
- A VLAN identifier (VLANid) is changed.
- A port mode is changed (tagged/untagged).
- A port is deleted from a VLAN.
- A port is disabled.
- A port enters blocking state.
- A port goes down (link down).
A non-permanent dynamic entry is initially created when the switch identifies a new source MAC address that does not yet have an entry in the FDB. The entry may then be updated as the switch continues to encounter the address in the packets it examines. These entries are identified by the d flag in show fdb output. Dynamic entries age; that is, a dynamic entry is removed from the FDB (aged-out) if the device does not transmit for a specified period of time (the aging time). This aging process prevents the FDB from becoming full with obsolete entries by ensuring that when a device is removed from the network, its entry is deleted from the database. The aging time is configurable.
Static entries - A static entry does not age and does not get updated through the learning process. A static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries. A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature. It is identified by the s, p, and l flags in show fdb output and can be deleted using the delete fdbentry command. If the FDB entry aging time is set to zero, all entries in the database are considered static, non-aging entries. This means that the entries do not age, but they are still deleted if the switch is reset.
NOTE
On the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch, if the same MAC address is detected on another virtual port that is not defined in the static FDB entry for the MAC address, that address is handled as a blackhole entry.
Permanent entries - Permanent entries are retained in the database if the switch is reset or a power off/on cycle occurs. Permanent entries must be created by the system administrator through the CLI. Permanent entries are static, meaning they do not age or get updated.
- Limit-Learning: Limit the number of dynamically learned MAC addresses allowed per virtual port
- Lock-Learning: Lock the FDB entries to a virtual port, so FDB entries will not change and no additional addresses can be learned
A virtual port is a switch index ID for a combination of a physical port in a VLAN. Port address security is not foolproof because it is possible for end-users to alter their PC's MAC address and assume the MAC-level identity of another computer (known as spoofing).
NOTE
You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.
MAC-based port security helps to:
- block rogue networks from being added to the corporate backbone
- prevent a user from adding their own devices (e.g., printer, IP phone) to the network
- keep foreign switches and illegal wireless snooping devices off the infrastructure
NOTE
Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches (formerly known as Aspen) and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
[Figure: limit-learning on a Summit switch; once the limit of n MAC addresses is reached, more MAC addresses are not allowed and are blackholed]
When the learning limit is reached:
- The switch still learns new MAC addresses
- The switch creates a blackhole FDB entry
- The flag is Bb: B - Egress Blackhole, b - Ingress Blackhole
- Blackholed packets are dropped in the hardware ASIC
- The FDB aging timer applies
For ports that have learning limit in place, the following traffic will still flow to the port:
- Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
- Broadcast traffic from non-blackholed MAC addresses
- EDP traffic
Dynamically learned entries still get aged, and can be cleared. When entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.
Configuring Limit-Learning
Adding MAC Address Limit-Learning
To limit the number of dynamic MAC addresses that can participate in the network, enter the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
This command specifies the number of dynamically-learned MAC entries allowed for these ports in this VLAN. The range is 0 to 500,000 addresses. When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to ICMP and ARP packets. Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again. Permanent static and permanent dynamic entries can still be added and deleted using the create fdbentry and disable flooding port commands. These override any dynamically learned entries. For ports that have a learning limit in place, the following traffic still flows to the port:
- Packets destined for permanent MAC addresses and other non-blackholed MAC addresses
- Broadcast traffic
- EDP traffic
Traffic from the permanent MAC and any other non-blackholed MAC addresses still flows from the virtual port.
Limit-Learning Commands
Adding MAC Address Limit-Learning:
configure ports <portlist> vlan <vlan name> limit-learning <number>
Removing MAC Address Limit-Learning:
configure ports <portlist> vlan <vlan name> unlimited-learning
Creating and Deleting FDB Entries:
create fdbentry
delete fdbentry
[Figure: limit-learning on ESRP ports; labels: VLAN 1, Master, Switch 2, Switch 3, H/A, Work Station]
Lock-Learning
In addition to limit-learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent (per port per VLAN basis) any additional learning.
Lock-Learning Enabled
FDB entries (within the specified VLAN and ports) are converted to locked static entries and the learning limit is set to zero, so that no new entries can be learned.
- All new dynamic source MAC addresses are blackholed.
- Locked entries do not get aged, but can be cleared.
- Dynamic entries active at the time of lock-learning remain in the FDB after the switch is reset or a power off/on cycle occurs.
- Permanent static entries can still be added and deleted.
- Permanent dynamic entries do not override locked static entries.
For ports that have lock-learning in effect, the following traffic will still flow to the port:
- Packets destined for the permanent MAC and other non-blackholed MAC addresses
- Broadcast traffic from non-blackholed MAC addresses
- EDP traffic
NOTE
You can either limit dynamic MAC FDB entries per VLAN/port, or lock down the current MAC FDB entries per VLAN/port, but not both.
Lock-Learning
- Once enabled, existing FDB entries are converted to locked static entries
- Learning limit is set to zero
- New entries are blackholed
[Figure: lock-learning on a Summit switch, showing a Known MAC and an Unknown MAC]
Configuring Lock-Learning
Adding Lock-Learning
In contrast to limiting learning on virtual ports, you can lock down the existing dynamic FDB entries and prevent any additional learning using the lock-learning option from the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
This command causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to zero, so that no new entries can be learned. All new source MAC addresses are blackholed.
NOTE
Blackhole FDB entries added due to MAC security violations on the BlackDiamond 8800 family of switches and the Summit X450 switch are removed after each FDB aging period regardless of whether the MAC addresses in question are still sending traffic. If the MAC addresses are still sending traffic, the blackhole entries will be re-added after they have been deleted.
Locked entries do not get aged, but can be deleted like a regular permanent entry. For ports that have lock-down in effect, the following traffic still flows to the port:
- Packets destined for the permanent MAC and other non-blackholed MAC addresses
- Broadcast traffic
- EDP traffic
Traffic from the permanent MAC still flows from the virtual port.
Removing Lock-Learning
To remove MAC address lock down, type the following command:
configure ports <portlist> vlan <vlan name> unlock-learning
When you remove the lock down using the unlock-learning option, the learning limit is reset to unlimited, and all associated entries in the FDB are flushed.
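The following Python model is an added example (not ExtremeWare XOS code) of one virtual port's FDB under the limit-learning and lock-learning behaviour described in this module and the previous one: dynamic entries (flag d) up to the configured limit, blackhole entries (flags Bb) beyond it, aging of dynamic and blackhole entries, conversion to locked static entries (flags spl) on lock-learning, the rule that a port cannot be both limited and locked, and the flush on unlock-learning. The aging time and MAC addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

UNLIMITED: Optional[int] = None   # no limit-learning configured
MAX_LIMIT = 500_000               # limit-learning <number> range is 0 to 500,000


@dataclass
class FdbEntry:
    mac: str
    flags: str   # "d" dynamic, "spl" locked static, "Bb" blackholed (B egress, b ingress)
    age: int = 0


@dataclass
class VirtualPort:
    """One physical port in one VLAN, the unit limit-learning and lock-learning apply to."""
    vlan: str
    port: str
    aging_time: int = 300               # FDB aging time in seconds (constructed value)
    limit: Optional[int] = UNLIMITED
    locked: bool = False
    entries: Dict[str, FdbEntry] = field(default_factory=dict)

    def dynamic_count(self) -> int:
        return sum(1 for e in self.entries.values() if e.flags == "d")

    def learn(self, mac: str) -> str:
        """A packet with this source MAC arrived; return the flags of the resulting entry."""
        entry = self.entries.get(mac)
        if entry is not None:
            if entry.flags == "d":
                entry.age = 0          # seeing the address again refreshes a dynamic entry
            return entry.flags
        at_limit = self.limit is not UNLIMITED and self.dynamic_count() >= self.limit
        if self.locked or at_limit:
            # New source MACs are blackholed at ingress and egress; dropped in hardware.
            self.entries[mac] = FdbEntry(mac, "Bb")
            return "Bb"
        self.entries[mac] = FdbEntry(mac, "d")
        return "d"

    def limit_learning(self, number: int) -> bool:
        """configure ports ... limit-learning <number>; refused on a locked port."""
        if self.locked or not 0 <= number <= MAX_LIMIT:
            return False
        self.limit = number
        return True

    def unlimited_learning(self) -> bool:
        if self.locked:
            return False
        self.limit = UNLIMITED
        return True

    def lock_learning(self) -> bool:
        """configure ports ... lock-learning; refused if limit-learning is in place."""
        if self.limit is not UNLIMITED:
            return False
        for entry in self.entries.values():
            if entry.flags == "d":
                entry.flags = "spl"    # dynamic entries become locked static entries
        self.locked = True
        self.limit = 0                 # learning limit becomes zero
        return True

    def unlock_learning(self) -> None:
        """configure ports ... unlock-learning: limit back to unlimited, entries flushed."""
        self.locked = False
        self.limit = UNLIMITED
        self.entries.clear()

    def tick(self, seconds: int) -> None:
        """Advance time. Dynamic entries age out; blackhole entries are removed after each
        aging period (BlackDiamond 8800 / Summit X450 behaviour per the NOTE above);
        locked static entries never age."""
        for mac, entry in list(self.entries.items()):
            if entry.flags in ("d", "Bb"):
                entry.age += seconds
                if entry.age >= self.aging_time:
                    del self.entries[mac]
```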
Lock-Learning Commands
Adding Lock-Learning:
configure ports <portlist> vlan <vlan name> lock-learning
Removing Lock-Learning:
configure ports <portlist> vlan <vlan name> unlock-learning
Logs
To display the local switch log, enter the following command: show log {chronological} {<priority>}
- chronological: displays messages in ascending chronological order.
- priority: filters the log to display messages with the selected priority or higher (more critical). Priorities include alert, critical, debug, emergency, error, info, notice, and warning.
By default, log entries that are assigned a critical or warning level remain in the log after a switch reboot. Issuing a clear log command does not remove these static entries. To remove log entries of all levels (including warning or critical), enter the following command: clear log static
NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch only, when MAC address learning is disabled, packets with unknown source MAC addresses are dropped.
NOTE
Disabling egress flooding can affect many protocols, such as IP and ARP among others.
Figure 18 illustrates a case where you want to disable Layer 2 egress flooding on specified ports to enhance security and network performance. In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and 2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client's traffic by sniffing client 2's broadcast traffic; client 1 could then possibly launch an attack on client 2. However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the following reasons:
- Broadcast and multicast traffic from the clients is forwarded only to the uplink port.
- Any packet with an unlearned destination MAC address is forwarded only to the uplink port.
- One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage.
In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.
Egress flooding can be disabled on ports that are in a load-sharing group. In that situation, the ports in the group take on the egress flooding state of the master port; each member port of the load-sharing group has the same state as the master port. FDB learning is independent of egress flooding; either can be enabled or disabled independently. Disabling unicast (or all) egress flooding to a port also stops packets with unknown MAC addresses from being flooded to that port. Disabling broadcast (or all) egress flooding to a port also stops broadcast packets from being flooded to that port.
Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
You can enable or disable egress flooding for unicast, multicast, or broadcast MAC addresses, as well as for all packets on the ports of the BlackDiamond 8800 family of switches (formerly known as Aspen) or the Summit X450 switch. Disabling multicasting egress flooding does not affect those packets within an IGMP membership group at all; those packets are still forwarded out. If IGMP snooping is disabled, multicast packets with static FDB entries are forwarded according to the FDB entry.
Figure 21: Enabling and Disabling Egress Flooding on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
Enabling and Disabling Egress Flooding on the BlackDiamond 10K Switch Only
To disable egress flooding on the BlackDiamond 10K switch, issue this command:
disable flooding all_cast port [<port_list> | all]
NOTE
When you disable egress flooding on the BlackDiamond 10K switch, you also turn off broadcasting.
Figure 22: Enabling and Disabling Egress Flooding on the BlackDiamond 10K Switch Only
QB_Mariner.4 > show port 3:1 info
Port   Diag  Flags        Link   Link  Num  Num   Num    Jumbo  QOS      Load
                          State  UPS   STP  VLAN  Proto  Size   profile  Master
================================================================================
3:1    P     Em------e--  ready  0     0    1     1      9216
================================================================================
Flags : a - Load Sharing Algorithm address-based, D - Port Disabled,
        e - Extreme Discovery Protocol Enabled, E - Port Enabled,
        f - Flooding Enabled, g - Egress TOS Enabled, j - Jumbo Frame Enabled,
        l - Load Sharing Enabled, m - MACLearning Enabled, n - Ingress TOS Enabled,
        o - Dot1p Replacement Enabled, P - Software redundant port(Primary),
        q - Background QOS Monitoring Enabled, R - Software redundant port(Redundant),
        s - diffserv Replacement Enabled, v - Vman Enabled,
        f - Unicast Flooding Enabled, M - Multicast Flooding Enabled,
        B - Broadcast Flooding Enabled
Layer 3 Blackholes
Blackholes may be configured at Layer 3. At Layer 3, the blackhole address is stored in the routing table. All traffic destined for a configured blackhole IP address is silently dropped and no Internet Control Message Protocol (ICMP) message is generated.
Blackhole entries are:
- treated like permanent entries in the event of a switch reset or power off/on cycle
- never aged out of the forwarding database
Summary
You should now be able to:
- Describe the Forwarding Database (FDB)
- Identify four FDB types
- List two types of port address security
- Describe limit-learning
- Configure limit-learning
- Identify configuration guideline when implementing limit-learning on ESRP ports
- Troubleshoot limit-learning
- Describe lock-learning
- Configure lock-learning
- Troubleshoot lock-learning
- Disable MAC Address Learning
- List guidelines when enabling or disabling egress flooding
- Enable and disable egress flooding on the BlackDiamond 8800 family of switches and the Summit X450 only
- Enable and disable egress flooding on the BlackDiamond 10K switch only
- Configure a Layer 3 blackhole
Student Objectives
Upon completion of this module, the successful student will be able to:
- Describe Network Login
- List three Network Login authentication types
- Identify the advantages and disadvantages of Web-Based Authentication
- Identify the advantages and disadvantages of MAC-Based Authentication
- Identify the advantages and disadvantages of 802.1x
- Describe the DHCP server authentication role
- Configure DHCP server
- Describe the Network Login sequence
- Describe Campus Mode
- Describe ISP Mode
- Describe multiple supplicant support
- Identify Network Login design considerations
- List methods of authenticating network login users
- Identify RADIUS attributes used by Network Login
- Configure Network Login with local database authentication
- Configure Network Login with 802.1x authentication
- Configure Network Login with Web-Based authentication
- Terminate a Network Login session
- Display Network Login information
- Web-based login using HTTP available on each port
- Web-based login using HTTPS (if you install the SSH software module that includes SSL) available on each port
- Multiple supplicants for web-based, MAC-based, and 802.1x authentication on each port
Authentication Types
Authentication is handled as a web-based process, a MAC-based process, or as described in the IEEE 802.1x specification. Web-based network login does not require any specific client software and can work with any HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software installed on the client workstation, making it less suitable for a user walk-up situation, such as a cyber-café or coffee shop. Extreme Networks supports a smooth transition from web-based to 802.1x authentication. MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone. If a MAC address is detected on a MAC-based enabled network login port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured Remote Authentication Dial In User Service (RADIUS) server and its configured parameters (timeout, retries, and so on) or the configured local database. The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is also used as the password. You can also group MAC addresses together using a mask.
show netlogin {port <portlist> vlan <vlan_name>} {dot1x {detail}} {mac} {web-based}
Web-Based Authentication
Advantages
Works with any operating system that is capable of obtaining an IP address using DHCP. There is no need for special client-side software; only a web browser is needed.
Disadvantages
The login process involves manipulation of IP addresses and must be done outside the scope of a normal computer login process. It is not tied to a Windows login. The client must bring up a login page and initiate a login. Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the authenticator side. This method is not as effective in maintaining privacy protection.
MAC-Based Authentication
Advantages
Works with any operating system or network enabled device. Works silently. The user, client, or device does not know that it gets authenticated. Ease of management. A set of devices can easily be grouped by the vendor part of the MAC address.
Disadvantages
There is no re-authentication mechanism. The FDB aging timer determines the logout. Security is based on the MAC address of the client, so the network is more vulnerable to spoofing attacks.
802.1x Authentication
Advantages
Where 802.1x is natively supported, login and authentication happen transparently. Authentication happens at Layer 2; it does not involve getting a temporary IP address and subsequently releasing that address to obtain a permanent IP address. Allows for periodic, transparent re-authentication of supplicants.
Disadvantages
802.1x native support is available only on newer operating systems, such as Windows XP. 802.1x requires an Extensible Authentication Protocol (EAP)-capable RADIUS server. Most current RADIUS servers support EAP, so this is not a major disadvantage. Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve a Public Key Infrastructure (PKI), which adds to the administrative requirements.
authenticate: Network login authenticates the first client that requests a move and moves that client to the requested VLAN. Network login authenticates the second client but does not move that client to the requested VLAN. The second client moves to the first client's authenticated VLAN.
deny: Network login authenticates the first client that requests a move and moves that client.
NOTE
The built-in DHCP server is only meant to provide temporary DHCP leases used in network login; it is not meant to replace a fully dedicated DHCP server.
Web-Based Authentication
Advantages
- Works with any operating system that has a DHCP client
Disadvantages
- Client must bring up a login page and initiate a login
- Supplicants cannot be re-authenticated transparently
- Not effective in maintaining privacy protection
To set the default gateway, Domain Name Servers (DNS) addresses, or Windows Internet Naming Service (WINS) server, enter the following command:
configure vlan <vlan_name> dhcp-options [default-gateway | dns-server | wins-server] <ipaddress>
The next two commands were retained for compatibility with earlier versions of ExtremeWare. To view only the address allocation of the DHCP server on a VLAN, enter the following command:
show vlan <vlan_name> dhcp-address-allocation
To view only the configuration of the DHCP server on a VLAN, enter the following command:
show vlan <vlan_name> dhcp-config
[Figure: Network Login sequence (web-based). Steps shown: DHCP request; temporary IP address assigned; request username/password; provide username/password; check username/password; DHCP release; DHCP request; allow forwarding on port and assign VLAN.]
[Figure: 1) Login attempt; 2) Successful login.]
[Figure: DHCP Server Required.]
All unauthenticated MACs will see broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port. Network login must be disabled on a port before that port can be deleted from a VLAN. In Campus mode on the BlackDiamond 8800 family of switches and the Summit X450 switch, with untagged VLANs and the netlogin port mode configured as port-mode, after the port moves to the destination VLAN, the original VLAN for that port is not displayed. A network login VLAN port should not be a part of the following protocols:
- Ethernet Automatic Protection Switching (EAPS)
- Extreme Standby Router Protocol (ESRP)
- Spanning Tree Protocol (STP)
- Link Aggregation
Web-Based Authentication
Requires the configuration of:
- Switch DNS name
- Default redirect page
- Session refresh
- Logout-privilege
If the redirect URL is https, Extreme Networks XOS requires the SSH software module
Authenticating Users
Network login uses two methods to authenticate users trying to access the network: a RADIUS server, or the switch's local database.
All three network login protocols, web-based, MAC-based, and 802.1x netlogin, support RADIUS authentication. Only web-based and MAC-based netlogin support local database authentication.
Extreme:Extreme-Netlogin-Only = Disabled
Add the following line to the RADIUS server users file for netlogin-only enabled users:
Extreme:Extreme-Netlogin-Only = Enabled
Table 1 contains the Vendor Specific Attribute (VSA) definitions for web-based, MAC-based, and 802.1x network login. The Extreme Networks Vendor ID is 1916.
Table 1: VSA Definitions for Web-based, MAC-based, and 802.1x network login
Columns: VSA | Vendor Type | Type | Sent in | Description
Extreme:Netlogin-Extended-VLAN | 211 | String | Access-Accept | Name or ID of the destination VLAN after successful authentication (must already exist on switch). NOTE: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN.
Extreme:Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch).
Extreme:Netlogin-VLAN-ID | 209 | Integer | Access-Accept | ID of destination VLAN after successful authentication (must already exist on switch).
Extreme:Netlogin-URL | 204 | String | Access-Accept | Destination web page after successful authentication.
Extreme:Netlogin-URL-Desc | 205 | String | Access-Accept | Text description of network login URL attribute.
Extreme:Netlogin-Only | 206 | Integer | Access-Accept | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of 1 (enabled) indicates that the user can only authenticate via network login. A value of zero (disabled) indicates that the user can also authenticate via other methods.
IETF:Tunnel-Private-Group-ID | 81 | String | Access-Accept | VLAN tag as a string (see the precedence rules below).
The NetLogin-Url and NetLogin-Url-Desc attributes are used in the case of web-based login as the page to use for redirection after a successful login. Other authentication methods ignore these attributes. The other attributes are used in the following order to determine the destination VLAN:
1. Extreme:Netlogin-Extended-VLAN (VSA 211)
2. Extreme:Netlogin-VLAN-Name (VSA 203)
3. Extreme:Netlogin-VLAN-ID (VSA 209)
4. IETF:Tunnel-Private-Group-ID, representing the VLAN tag as a string, but only if IETF:Tunnel-Type == VLAN (13) and IETF:Tunnel-Medium-Type == 802 (6).
If none of the previously described attributes are present, ISP mode is assumed and the client remains in the configured VLAN.
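The precedence rules above, as an added worked example in Python (not code from the course or from Extreme Networks): a function that takes the attributes returned in an Access-Accept, keyed by the names used in Table 1, and returns the VLAN decision together with the attribute that produced it, which is what you want in the switch's audit trail. It also decodes VSA 206 (Netlogin-Only). The dict layout, the function and class names, and the one-character tagged/untagged/wildcard prefix assumed for the VSA 211 string are assumptions of this example, not a documented encoding.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Values taken from the course text (Table 1 and the precedence rules).
EXTREME_VENDOR_ID = 1916
TUNNEL_TYPE_VLAN = 13          # IETF Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6          # IETF Tunnel-Medium-Type value for 802


@dataclass
class VlanDecision:
    mode: str                  # "campus" (port moves) or "isp" (port stays in its VLAN)
    vlan: str                  # destination VLAN name or tag, as a string
    tagging: Optional[str]     # "tagged", "untagged", "wildcard", or None if not stated
    source: str                # which attribute decided; useful for the switch's audit log


def parse_extended_vlan(value: str):
    """VSA 211 must say whether the port moves tagged or untagged (or the * wildcard).
    The one-character prefix encoding T/U/* used here is an assumption of this example."""
    tagging = {"T": "tagged", "U": "untagged", "*": "wildcard"}.get(value[:1])
    vlan = value[1:]
    if tagging is None or not vlan:
        raise ValueError(f"malformed Netlogin-Extended-VLAN value: {value!r}")
    return vlan, tagging


def _decide(vlan: str, tagging: Optional[str], source: str, current_vlan: str) -> VlanDecision:
    # Same VLAN the port already sits in while unauthenticated: ISP mode, no port movement.
    # A different VLAN: Campus mode, the port moves after login and moves back after logout.
    # (The comparison is textual; a real switch would resolve name vs. tag first.)
    mode = "isp" if vlan == current_vlan else "campus"
    return VlanDecision(mode, vlan, tagging, source)


def choose_destination_vlan(attrs: Dict[str, Any], current_vlan: str) -> VlanDecision:
    """Precedence from the text: VSA 211, then 203, then 209, then IETF 81 (only with the
    Tunnel-Type / Tunnel-Medium-Type guard). Nothing present means ISP mode."""
    if "Extreme:Netlogin-Extended-VLAN" in attrs:
        vlan, tagging = parse_extended_vlan(str(attrs["Extreme:Netlogin-Extended-VLAN"]))
        return _decide(vlan, tagging, "VSA 211", current_vlan)
    if "Extreme:Netlogin-VLAN-Name" in attrs:
        return _decide(str(attrs["Extreme:Netlogin-VLAN-Name"]), None, "VSA 203", current_vlan)
    if "Extreme:Netlogin-VLAN-ID" in attrs:
        return _decide(str(attrs["Extreme:Netlogin-VLAN-ID"]), None, "VSA 209", current_vlan)
    if ("IETF:Tunnel-Private-Group-ID" in attrs
            and attrs.get("IETF:Tunnel-Type") == TUNNEL_TYPE_VLAN
            and attrs.get("IETF:Tunnel-Medium-Type") == TUNNEL_MEDIUM_802):
        return _decide(str(attrs["IETF:Tunnel-Private-Group-ID"]), None, "IETF 81", current_vlan)
    # No usable VLAN attribute at all: ISP mode, the client stays where it is.
    return VlanDecision("isp", current_vlan, None, "none")


def netlogin_only(attrs: Dict[str, Any]) -> bool:
    """VSA 206: 1 means the user may authenticate only through network login (no telnet,
    console, SSH or Vista login with these credentials); 0 or absent allows other means."""
    return int(attrs.get("Extreme:Netlogin-Only", 0)) == 1


if __name__ == "__main__":
    # Constructed Access-Accept contents for a campus user whose port sits in VLAN "temp".
    sample = {"Extreme:Netlogin-Extended-VLAN": "Ucorp", "Extreme:Netlogin-Only": 1}
    print(choose_destination_vlan(sample, "temp"), "netlogin-only:", netlogin_only(sample))
```

Note that a Tunnel-Private-Group-ID without both guard attributes is ignored rather than treated as an error, matching the text's "only if" wording, and that an unparsable VSA 211 raises so the switch does not silently move the port anywhere.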
MAC-Based Authentication
Advantages
- Works with any operating system or network-enabled device
- Works transparently; the client does not know that it gets authenticated
- Ease of management
Disadvantages
- No re-authentication mechanism
- Security is based on the MAC address; MAC address spoofing is possible
- Extreme Radius, based on the Merit AAA server implementation
- Alternate third-party RADIUS server, such as Steel Belted Radius
- If both the primary and secondary (if configured) RADIUS servers time out or are unable to respond to authentication requests.
- If no RADIUS servers are configured.
- If the RADIUS server used for network login authentication is disabled.
If any of the above conditions are met, the switch checks for a local user account and attempts to authenticate against that local account. For local authentication to occur, you must configure the switch's local database with a user name and password for network login. Beginning with ExtremeWare XOS 11.3, you can also specify the destination VLAN to enter upon a successful authentication.
NOTE
If you have a BlackDiamond 8800 family switch or a Summit X450 switch, you can also use local database authentication in conjunction with netlogin MAC-based VLANs.
- tagged: Specifies that the client be added as tagged
- untagged: Specifies that the client be added as untagged
- vlan_name: Specifies the name of the destination VLAN
- vlan_tag: Specifies the VLAN ID, tag, of the destination VLAN
- Creates a new local netlogin user name
- Creates a password associated with the local netlogin user name
- Adds the VLAN test1 as the destination VLAN
- tagged: Specifies that the client be added as tagged
- untagged: Specifies that the client be added as untagged
- vlan_name: Specifies the name of the destination VLAN
- vlan_tag: Specifies the VLAN ID, tag, of the destination VLAN
- none: Specifies that the VSA 211 wildcard (*) is applied, only if you do not specify tagged or untagged
- Password of the local netlogin account
- Destination VLAN attributes, including: adding clients tagged or untagged, the name of the VLAN, and the VLAN ID
Where user_name specifies the name of the existing local netlogin account. After you enter the local netlogin user name, press [Enter]. The switch prompts you to enter a password. At the prompt, enter the new password and press [Enter]. The switch then prompts you to re-enter the password. After you complete these steps, the password has been updated.
802.1x Authentication
802.1x authentication methods govern interactions between the supplicant (client) and the authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP. TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by contrast with TLS, which requires client and server certificates. With TTLS, the client can use the MD5 mode of user name/password authentication. If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server and 802.1x client for how to set up a PKI configuration.
Interoperability Requirements
For network login to operate, the user (supplicant) software and the authentication server must support common authentication methods. Not all combinations provide the appropriate functionality.
Supplicant Side
The supported 802.1x clients (supplicants) are the Windows 2000 SP4 native client, Windows XP native clients, and Meetinghouse AEGIS. A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer authentication requires a certificate installed in the computer certificate store, and user authentication requires a certificate installed in the individual user's certificate store. By default, the Windows XP machine performs computer authentication as soon as the computer is powered on, or at link-up when no user is logged into the machine. User authentication is performed at link-up when the user is logged in. Windows XP also supports guest authentication, but this is disabled by default. Refer to the relevant Microsoft documentation for further information. The Windows XP machine can be configured to perform computer authentication at link-up even if a user is logged in.
Authentication Server Side
- Types of authentication methods supported on RADIUS, as mentioned previously.
- Need to support VSAs. Parameters such as Extreme-Netlogin-Vlan-Name (destination VLAN for port movement after authentication) and Extreme-NetLogin-Only (authorization for network login only) are brought back as VSAs.
- Need to support both EAP and traditional user name/password authentication. These are used by network login and switch console login respectively.
The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:
#RADIUS Server Setting, in this example the user name is eaptest
eaptest Auth-Type := EAP, User-Password == "eaptest"
        Session-Timeout = 120, Termination-Action = 1
NOTE
The supplicant does not move to a guest VLAN if it fails authentication after an 802.1x exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1x authentication request.
Web-Based Authentication
For web-based authentication, you need to configure the switch DNS name, default redirect page, session refresh, and logout-privilege. URL redirection requires the switch to be assigned a DNS name. The default name is network-access.net. Any DNS query that reaches the switch in unauthenticated mode to resolve the switch DNS name is answered by the DNS server on the switch with the IP address of the interface to which the network login port is connected.
HTTPS Support
To support https in a URL redirect, you must first download and install the separate Extreme Networks SSH software module (ssh.xmod). This additional module allows you to configure both SSH2 and SSL on the switch.
802.1x Authentication
Authentication method between supplicant and authentication server. Common methods include:
- Transport Layer Security (TLS)
- Tunneled Transport Layer Security (TTLS)
- Protected Extensible Authentication Protocol (PEAP)
ISP Mode: Network login clients connected to ports 1:10 - 1:14, VLAN corp, will be logged into the network in ISP mode. This is controlled by the fact that the VLAN in which they reside in unauthenticated mode and the RADIUS server Vendor Specific Attribute (VSA), Extreme-Netlogin-Vlan, are the same, corp, so there will be no port movement. Also, if this VSA is missing from the RADIUS server, ISP mode is assumed.
Campus Mode: On the other hand, clients connected to ports 4:1 - 4:4, VLAN temp, will be logged into the network in Campus mode, since the port will move to the VLAN corp after getting authenticated. A port moves back and forth from one VLAN to the other as its authentication state changes.
Both ISP and Campus mode are not tied to ports but to a user profile. In other words, if the VSA Extreme:Extreme-Netlogin-Vlan represents a VLAN different from the one in which the user currently resides, then VLAN movement will occur after login and after logout. In the following example, it is assumed that campus users are connected to ports 4:1-4:4, while ISP users are logged in through ports 1:10-1:14. The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:
#RADIUS Server Setting (VSAs)(optional)
Extreme:Extreme-Netlogin-Only = Enabled (if no CLI authorization)
Extreme:Extreme-Netlogin-Vlan = "corp" (destination vlan for CAMPUS mode network login)
The idea of explicit release/renew is required to bring the network login client machine into the same subnet as the connected VLAN. When using web-based authentication, this requirement is mandatory after every logout and before logging in again, as the port moves back and forth between the temporary and permanent VLANs. At this point, the client will have its temporary IP address. In this example, the client should have obtained an IP address in the range 198.162.32.20 - 198.162.32.80.
5 Bring up the browser and enter any URL, such as http://www.123.net or http://1.2.3.4, or the switch IP address as http://<IP address>/login (where the IP address can be either the temporary or the permanent VLAN interface for Campus mode). URL redirection redirects any URL and IP address to the network login page. This is significant where security matters most, as no knowledge of VLAN interfaces needs to be provided to network login users; they can log in using any URL or IP address. URL redirection requires that the switch is configured with a DNS client. A page opens with a link for Network Login.
6 Click the Network Login link. A dialog box opens requesting a user name and password.
7 Enter the user name and password configured on the RADIUS server. After the user has successfully logged in, the user is redirected to the URL configured on the RADIUS server. During the user login process, the following takes place:
- Authentication is done through the RADIUS server.
- After successful authentication, the connection information configured on the RADIUS server is returned to the switch: the permanent VLAN, the URL to be redirected to (optional), and the URL description (optional).
After a successful login has been achieved, there are several ways that a port can return to a non-authenticated, non-forwarding state:
- The user successfully logs out using the logout web browser window.
- The link from the user to the switch's port is lost.
- There is no activity on the port for 20 minutes.
- An administrator changes the port state.
NOTE
Because network login is sensitive to state changes during the authentication process, Extreme Networks recommends that you do not log out until the login process is complete. The login process is complete when you receive a permanent address.
MAC-Based Authentication
MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone. If a MAC address is detected on a MAC-based enabled netlogin port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured RADIUS server and its configured parameters (timeout, retries, and so on) or the local database. The credentials used for this are the supplicant's MAC address in ASCII representation, and a locally configured password on the switch. If no password is configured, the MAC address is used as the password. You can also group MAC addresses together using a mask. You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their MAC addresses. If a match is found in the table of MAC entries, authentication occurs. If no match is found in the table of MAC entries and a default entry exists, the default is used to authenticate the client. All entries in the list are automatically sorted in longest-prefix order. All passwords are stored and displayed encrypted. Beginning with ExtremeWare XOS 11.3, you can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the RADIUS server. This additional step protects your network against unauthorized supplicants because the port accepts only authorization requests from the MAC address learned on that port. The port blocks all other requests that do not have a matching entry.
Authenticating Users
- RADIUS servers: web-based, MAC-based, 802.1x
- Local database: web-based, MAC-based
- Create a VLAN used for netlogin
- Configure the VLAN for netlogin
- Enable MAC-based netlogin on the switch
- Enable MAC-based netlogin on the ports used for authentication
- Specify one or more ports to accept authentication requests from a specific MAC address
Authentication requests from:
- 00:00:00:00:00:10 are only accepted on ports 1:1 through 1:5
- 00:00:00:00:00:11 are only accepted on ports 1:6 through 1:10
- 00:00:00:00:00:12 are accepted on all other ports
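As an added Python example (not Extreme Networks code and not part of the course): the lookup a MAC-based authenticator performs before it sends a request to AAA, following the rules in the MAC-Based Authentication section above and the port assignments just listed. Entries may carry a mask to group addresses, the list is searched in longest-prefix order, a default entry catches everything else, the credentials are the MAC address in ASCII (the form the FreeRADIUS entry below uses) with the MAC itself as the password when none is configured, and a port bound to specific MAC addresses accepts requests only from them. The class and function names, the mask notation, the passwords and every MAC address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HEX = set("0123456789abcdefABCDEF")


def mac_to_int(mac: str) -> int:
    """Parse 00:E0:18:A8:C5:40, 00-E0-18-A8-C5-40 or 00E018A8C540 into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def mac_ascii(mac: str) -> str:
    """ASCII form the switch uses as the RADIUS user name: 12 hex digits, no separators."""
    return f"{mac_to_int(mac):012X}"


@dataclass
class MacEntry:
    mac: str
    mask: str = "ff:ff:ff:ff:ff:ff"   # all-ones mask = exact address; a shorter mask groups addresses
    password: Optional[str] = None     # None: the MAC address itself is used as the password

    @property
    def prefix_len(self) -> int:
        return bin(mac_to_int(self.mask)).count("1")

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.mac) & m)


class MacAuthTable:
    """Constructed model of the switch's MAC list plus per-port MAC bindings."""

    def __init__(self, entries: List[MacEntry], default: Optional[MacEntry] = None):
        # The switch sorts entries in longest-prefix order, so exact entries win over groups.
        self.entries = sorted(entries, key=lambda e: e.prefix_len, reverse=True)
        self.default = default
        self.port_macs: Dict[str, Set[str]] = {}   # port -> MACs it accepts requests from

    def bind(self, mac: str, ports: List[str]) -> None:
        """Associate a MAC address with one or more ports (the XOS 11.3 feature in the text)."""
        for port in ports:
            self.port_macs.setdefault(port, set()).add(mac_ascii(mac))

    def request_allowed(self, mac: str, port: str) -> bool:
        """A port with bound MACs accepts only those; a port with no binding accepts any MAC."""
        bound = self.port_macs.get(port)
        return bound is None or mac_ascii(mac) in bound

    def credentials(self, mac: str, port: str) -> Optional[Tuple[str, str]]:
        """(user name, password) the switch would send to AAA, or None if blocked or unmatched."""
        if not self.request_allowed(mac, port):
            return None
        entry = next((e for e in self.entries if e.matches(mac)), self.default)
        if entry is None:
            return None
        user = mac_ascii(mac)
        return user, (entry.password if entry.password is not None else user)


# Constructed table mirroring the port assignments listed above (sample values only).
TABLE = MacAuthTable(
    entries=[
        MacEntry("00:E0:18:00:00:00", mask="ff:ff:ff:00:00:00", password="phone-group"),
        MacEntry("00:E0:18:A8:C5:40"),          # exact entry inside the group: wins by prefix
        MacEntry("00:00:00:00:00:10"),
        MacEntry("00:00:00:00:00:11"),
        MacEntry("00:00:00:00:00:12"),
    ],
    default=MacEntry("00:00:00:00:00:00", mask="00:00:00:00:00:00", password="default-pw"),
)
TABLE.bind("00:00:00:00:00:10", [f"1:{n}" for n in range(1, 6)])    # ports 1:1 - 1:5
TABLE.bind("00:00:00:00:00:11", [f"1:{n}" for n in range(6, 11)])   # ports 1:6 - 1:10

if __name__ == "__main__":
    for mac, port in [("00:00:00:00:00:10", "1:3"), ("00:00:00:00:00:10", "1:7"),
                      ("00:E0:18:A8:C5:40", "2:1"), ("00:E0:18:11:22:33", "2:1"),
                      ("AA:BB:CC:DD:EE:FF", "2:9")]:
        print(mac, port, TABLE.credentials(mac, port))
```

The second lookup (00:00:00:00:00:10 seen on port 1:7) returns None without ever contacting AAA, which is the point of binding a MAC to ports: a spoofed address on the wrong port is dropped at the switch rather than being handed to the RADIUS server for a decision.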
The following example is for the FreeRADIUS server; the configuration might be different for your RADIUS server:
#RADIUS Server Setting
00E018A8C540 Auth-Type := Local, User-Password == "00E018A8C540"
You must configure and enable netlogin on the switch before you configure netlogin MAC-based VLANs. If you attempt to configure the port's mode of operation before enabling netlogin, the switch displays an error message similar to the following:
ERROR: The following ports do not have NetLogin enabled; 1
10 Gigabit Ethernet ports such as those on the 10G4X I/O module and the uplink ports on the Summit X450 switch do not support netlogin MAC-based VLANs. If you attempt to configure netlogin MAC-based VLANs on 10 Gigabit Ethernet ports, the switch displays an error message similar to the following:
ERROR: The following ports do not support the MAC-Based VLAN mode; 1, 2, 10
You can have a maximum of 1,024 MAC addresses per I/O module or per Summit X450 switch.
- No RADIUS servers are configured
- RADIUS server used for network login authentication is disabled
FDB Information
To view FDB entries, type the following command:
show fdb netlogin [all | mac-based-vlans]
By specifying netlogin, you see only FDB entries related to netlogin or netlogin MAC-based VLANs. The flags associated with netlogin include:
- v: Indicates the FDB entry was added because the port is part of a MAC-based virtual port/VLAN combination.
- n: Indicates the FDB entry was added by network login.
Other output fields related to netlogin:
- VLAN cfg: The term MAC-based appears next to the tag number.
- Netlogin port mode: This output was added to display the port mode of operation. MAC-based appears as the network login port mode of operation.
To view information about the ports that are temporarily added in MAC-based mode for netlogin, due to discovered MAC addresses, type the following command:
show vlan detail
By specifying detail, the output displays detailed information including the ports associated with the VLAN. The flags associated with netlogin include:
- a: Indicates an authenticated network login port.
- u: Indicates an unauthenticated network login port.
- m: Indicates that the netlogin port operates in MAC-based mode.
Expanding upon the previous example, you can also utilize the local database for authentication rather than the RADIUS server:
create netlogin local-user 000000000012 vlan-vsa untagged default
create netlogin local-user 000000000010 vlan-vsa untagged users12
- User initiates log-out by using the Logout Pop-Up window
- User inactivity for the configured session refresh-interval, if session-refresh is enabled
- Physical link state change on the user's port
An administrator-level account can disconnect a management session that has been established. To view active sessions on the switch, enter the following command:
show session
The show session command lists the following parameters:
- The login date and time
- The user name
- The type of session
New users are prevented from authenticating if netlogin is disabled. Users with authenticated sessions are not disconnected when netlogin is disabled, but they are prevented from logging in again if they log out. The default value is enabled.
Switch-wide information displayed by show netlogin:
- Whether netlogin is enabled or disabled
- Base-URL
- Default redirect page
- Logout privileges setting
- Netlogin session-refresh setting and time
Per-port information displayed:
- Port and VLAN for which the information is displayed
- Port state: Authenticated or Not Authenticated
- Temporary IP assigned, if known
- DHCP state: Enabled or Disabled
- User name, if known
- MAC address of the attached client, if known
Summary
You should now be able to:
- Describe Network Login
- List three Network Login authentication types
- Identify the advantages and disadvantages of Web-Based Authentication
- Identify the advantages and disadvantages of MAC-Based Authentication
- Identify the advantages and disadvantages of 802.1x
- Describe the DHCP server authentication role
- Configure DHCP server
- Describe the Network Login sequence
- Describe Campus Mode
- Describe ISP Mode
- Describe multiple supplicant support
- Identify Network Login design considerations
- List methods of authenticating network login users
- Identify RADIUS attributes used by Network Login
- Configure Network Login with local database authentication
- Configure Network Login with 802.1x authentication
- Configure Network Login with Web-Based authentication
- Terminate a Network Login session
- Display Network Login information
Student Objectives
Upon completion of this module, the successful student is able to:
- Define QoS
- Identify two major benefits of QoS
- Identify five major traffic types
- Describe policy-based QoS
- Sequence the three steps required to assign QoS attributes
- Define QoS profile
- Describe QoS profile parameters
- Configure QoS profile
- Identify differences between configuring QoS on the BlackDiamond 8800 family of switches and Summit X450 and configuring QoS on a BlackDiamond 10K
- Define traffic grouping
- Sequence traffic groupings in order of precedence (highest to lowest)
- Describe IP-based traffic grouping
- Describe destination MAC address traffic grouping
- Configure destination MAC address traffic grouping
- Describe Explicit Class of Service traffic grouping
- Configure Explicit Class of Service traffic grouping
- Describe physical and logical groupings
- Describe QoS policy
- Verify QoS traffic grouping priority settings
- Reset priority setting to default values
- Monitor QoS
- Modify a QoS policy
- Configure Egress Traffic Rate Limiting on the BlackDiamond 8800 family of switches and Summit X450
- Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch
NOTE
Policy-based QoS has no impact on switch performance. Using even the most complex traffic groupings has no cost in terms of switch performance.
QoS consists of mechanisms and protocols designed to facilitate the delivery of delay and bandwidth sensitive material across data networks.
In an Ethernet Network, QoS is used to create unequal access in an essentially equal-access network.
NOTE
QoS does not increase the available bandwidth; it ensures that it is used in a controlled manner. The network designer still has to make sure that the network has sufficient capacity and throughput to deliver the service required.
No QoS Required
If there is insufficient bandwidth and the network has an oversubscribed configuration, then QoS can provide prioritized traffic for applications sensitive to the resultant latencies or delays.
[Figure: Oversubscribed Configuration. Sixteen 100 Mbps desktop links (1 to 16) share a single Gigabit server link.]
Traffic types shown in the figure:
- Desktop Video Conferencing
- Multicast Streaming Video
- Real-Time Data Feeds
- SNA, TN3270
Congestion Management
Another benefit of QoS is its ability to manage the sharing of available bandwidth between different types of traffic. This is typically done by allocating a maximum or minimum percentage of the available bandwidth to a specified class of traffic. The example highlights the ability of QoS to allocate specific bandwidth to different traffic groups. QoS can only share what is available; the network designer has to ensure that the overall bandwidth is adequate.
Latency Control
- Provides consistent end-to-end delay of traffic flows
- Important QoS parameter for delay-sensitive applications is minimum bandwidth
[Figure: Switch Latency.]
Congestion Management
[Figure: Traffic groups A, B and C, each on a 100 Mbps link, sharing a 200 Mbps trunk.]
- Option 1: Traffic Group A gets QP2; other traffic groups get QP1
- Option 2: Traffic Group A gets MinBW=50%; other traffic groups get MinBW=25%
Voice Applications
Voice applications, or voice over IP (VoIP), typically demand small amounts of bandwidth. However, the bandwidth must be constant and predictable because voice applications are typically sensitive to latency (inter-packet delay) and jitter (variation in inter-packet delay). The most important QoS parameter to establish for voice applications is minimum bandwidth, followed by priority.
Video Applications
Video applications are similar in needs to voice applications, with the exception that bandwidth requirements are somewhat larger, depending on the encoding. It is important to understand the behavior of the video application being used. For example, in the playback of stored video streams, some applications can transmit large amounts of data for multiple streams in one spike, with the expectation that the endstations will buffer significant amounts of video-stream data. This can present a problem to the network infrastructure, because the network must be capable of buffering the transmitted spikes where there are speed differences (for example, going from gigabit Ethernet to Fast Ethernet). Key QoS parameters for video applications include minimum bandwidth and priority, and possibly buffering (depending upon the behavior of the application).
Policy-Based QoS
The main benefit of QoS is that it allows you to control the types of traffic that receive enhanced service from the system. For example, if video traffic requires a higher priority than data traffic, you can use QoS to assign a different QoS profile to those VLANs that are transmitting video traffic. This QoS profile assigns the video traffic more than a simple high priority: it provides it with a service level from the underlying network. The specified QoS profile provides the video traffic with additional characteristics such as maximum or minimum bandwidth guarantees. As with all Extreme Networks switch products, Policy-Based QoS has zero impact on switch performance. Using even the most complex traffic groupings is costless in terms of switch performance.
Policy-Based QoS lets you:
Assign different service levels to traffic by specifying bandwidth management and prioritization parameters for hardware queues.
Track and enforce the minimum and maximum percentage of bandwidth utilization transmitted on every hardware queue, for every port.
Prioritize bandwidth use when two or more hardware queues on the same physical port are contending for transmission (as long as their respective bandwidth management parameters are satisfied).
[Slide: Policy-Based QoS. Specify different service levels for traffic traversing the switch; prioritize bandwidth use between queues on the same port; up to 8 physical queues (QP1 to QP8) per port, each with its own bandwidth management and prioritization parameters, with minimum and maximum percentage bandwidth use tracked and enforced per hardware queue. Example service levels: Voice = 1, Video = 2, Web = 3, File transfer = 4.]
Traffic groupings transmitting out of the same port that are assigned to a particular QoS profile share the assigned bandwidth and prioritization characteristics, and therefore share the class of service.
3 Apply QoS policy. A QoS policy is the combination that results from assigning a traffic grouping to a QoS profile. After applying the QoS policy, you should monitor the performance of the application to determine whether the policies are achieving the desired results. Later in the module, we will go into more detail about QoS monitoring options.
Configuring QoS on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
The BlackDiamond 8800 family of switches and the Summit X450 switch allow dynamic creation and deletion of QoS queues, with QP1 and QP8 always available, rather than the 8 fixed queues on the BlackDiamond 10K switch.
NOTE
The sFlow application uses QP2 to sample traffic on the BlackDiamond 8800 family of switches and the Summit X450 switch. Any traffic grouping using QP2 may encounter unexpected results when sFlow is enabled.
The following considerations apply only to QoS on the BlackDiamond 8800 family of switches and the Summit X450 switch:
The BlackDiamond 8800 family of switches and the Summit X450 switch do not support the QoS monitor command (the command that monitors QoS running in the background).
The following QoS features share resources on the BlackDiamond 8800 family of switches and the Summit X450 switch: ACLs, DiffServ, Dot1p, VLAN-based QoS, and port-based QoS.
You may receive an error message when configuring one of the QoS features in the above list on the BlackDiamond 8800 family of switches and the Summit X450 switch; it is possible that the shared resource is depleted. In this case, unconfigure one of the other QoS features and reconfigure the one you are working on.
QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
The BlackDiamond 8800 family of switches and the Summit X450 switch have two default queues, QP1 and QP8, which are based on traffic flows. QP1 has the lowest priority, and QP8 has the highest priority. You can configure up to six additional QoS profiles, or queues, on the switch, QP2 through QP7. Creating a queue dynamically will not cause loss of traffic. You can also modify the default parameters of each QoS profile. The names of the QoS profiles, QP1 through QP8, are not configurable. The parameters that make up a QoS profile on the BlackDiamond 8800 family of switches and the Summit X450 switch include:
Buffer: This parameter is the maximum amount of packet buffer memory available to all packets associated with the configured QoS profile within all affected ports. All QoS profiles use 100% of available packet buffer memory by default. You can configure the buffer amount from 1 to 100%, in whole integers. Regardless of the maximum buffer setting, the system does not drop any packets if any packet buffer memory remains to hold the packet and the current QoS profile buffer use is below the maximum setting.
NOTE
Use of all 8 queues on all ports may result in insufficient buffering to sustain 0 packet loss throughput during full-mesh connectivity with large packets.
Weight: This parameter is the relative weighting for each QoS profile; the available weight values are 1 through 16. The default value for each QoS profile is 1, giving each queue equal weighting. When you configure a QoS profile with a weight of 4, that queue is serviced 4 times as frequently as a queue with a weight of 1. However, if you configure all QoS profiles with a weight of 16, each queue is serviced equally but for a longer period of time.
Finally, you configure the scheduling method that the entire switch uses to empty the queues. The scheduling applies globally to the entire switch, not to each port. You can configure the scheduling to be strict priority, which is the default, or weighted round robin. In the strict priority method, the switch services the higher-priority queues first; as long as a queued packet remains in a higher-priority queue, the lower-priority queues are not serviced. If you configure the switch for weighted-round-robin scheduling, the system services all queues based on the weight assigned to each QoS profile: the hardware services higher-weighted queues more frequently, but lower-weighted queues continue to be serviced at all times. When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet. The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted. A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. The default QoS profiles cannot be deleted. The settings for the default QoS parameters on the BlackDiamond 8800 family of switches and the Summit X450 switch are summarized in the following table.
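The practical difference between the two scheduling methods (a lower queue starving under strict priority, versus weight-proportional service under weighted round robin) is easiest to see in a small simulation. The following Python model is an added example, not Extreme Networks code; it assumes one packet per service slot and uses the queue names qp1 to qp8 and the weight range 1 to 16 from the text.

```python
"""Egress scheduling model: strict priority versus weighted round robin.

Added example (not Extreme Networks code). Queues are named qp1..qp8 as in
the module; qp8 is the highest priority. Each service slot transmits one
packet, a simplification of the hardware scheduler.
"""
from collections import deque
from typing import Deque, Dict, List


def fill(per_queue: Dict[str, int]) -> Dict[str, Deque[str]]:
    """Build queues holding n constructed packets each, labelled '<queue>-<n>'."""
    return {name: deque(f"{name}-{i}" for i in range(n)) for name, n in per_queue.items()}


def by_priority(queues: Dict[str, Deque[str]]) -> List[str]:
    """Queue names from highest (qp8) to lowest (qp1) priority."""
    return sorted(queues, key=lambda q: int(q[2:]), reverse=True)


def strict_priority(queues: Dict[str, Deque[str]], slots: int) -> List[str]:
    """Strict priority: a lower queue is served only while every higher queue is empty."""
    served: List[str] = []
    order = by_priority(queues)
    for _ in range(slots):
        for name in order:
            if queues[name]:
                served.append(queues[name].popleft())
                break
        else:  # every queue is empty: nothing left to schedule
            break
    return served


def weighted_round_robin(queues: Dict[str, Deque[str]],
                         weights: Dict[str, int], slots: int) -> List[str]:
    """WRR: per round, each queue gets up to `weight` (1..16) consecutive slots.

    A queue with weight 4 is therefore served four times as often as one with
    weight 1, but no non-empty queue is ever skipped for a whole round.
    """
    for name, w in weights.items():
        if not 1 <= w <= 16:
            raise ValueError(f"weight for {name} must be 1..16, got {w}")
    served: List[str] = []
    order = by_priority(queues)
    while len(served) < slots and any(queues.values()):
        for name in order:
            for _ in range(weights.get(name, 1)):  # default weight is 1
                if not queues[name] or len(served) >= slots:
                    break
                served.append(queues[name].popleft())
    return served


def service_share(served: List[str]) -> Dict[str, int]:
    """Count how many slots each queue received."""
    share: Dict[str, int] = {}
    for packet in served:
        queue = packet.split("-")[0]
        share[queue] = share.get(queue, 0) + 1
    return share


if __name__ == "__main__":
    # qp8 has a continuous backlog, qp1 a small batch of 10 packets.
    print("strict:", service_share(strict_priority(fill({"qp8": 100, "qp1": 10}), 50)))
    print("wrr   :", service_share(weighted_round_robin(
        fill({"qp8": 100, "qp1": 10}), {"qp8": 4, "qp1": 1}, 50)))
```

With a continuous backlog in qp8, strict priority gives qp1 nothing at all, while weights of 4 and 1 give qp1 one slot in five.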
Figure 14: QoS Profiles on the BlackDiamond 8800 Family of Switches and the Summit X450 Switch Only
Table 1: Default BlackDiamond 8800 and Summit X450 Switch Only QoS Parameters
Profile name   Priority   Buffer   Weight
QP1            Low        100%     1
QP8            High       100%     1
QoS Profiles on the BlackDiamond 10K Switch
Minimum bandwidth: The minimum total link bandwidth that is reserved for use by a hardware queue on a physical port (each physical port has eight hardware queues, each corresponding to a QoS profile). The minimum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute committed rates in Kbps or Mbps. Bandwidth unused by the queue can be used by other queues. The minimum bandwidth for all queues should add up to less than 100%. The default value for all minimum bandwidth parameters is 0%.
Maximum bandwidth: The maximum total link bandwidth that can be transmitted by a hardware queue on a physical port. The maximum bandwidth value is configured either as a percentage of the total link bandwidth or using absolute peak rates in Kbps or Mbps. The default value for all maximum bandwidth parameters is 100%.
Priority: The level of priority assigned to a hardware egress queue on a physical port. There are eight available priority settings and eight hardware queues. By default, each of the default QoS profiles is assigned a unique priority. Prioritization is used only when two or more hardware queues on the same physical port are contending for transmission, and only after their respective bandwidth management parameters have been satisfied. If two hardware queues on the same physical port have the same priority, a round-robin algorithm is used for transmission, depending on the available link bandwidth.
When configured to do so, the priority of a QoS profile can determine the 802.1p bits used in the priority field of a transmitted packet. The priority of a QoS profile determines the DiffServ code point value used in an IP packet when the packet is transmitted.
A QoS profile does not alter the behavior of the switch until it is assigned to a traffic grouping. Recall that QoS profiles on the BlackDiamond 10K switch are linked to hardware queues, and there are multiple hardware queues per physical port. By default, a QoS profile maps directly to the identical hardware queue across all the physical ports of the switch. The default QoS profiles cannot be deleted.
QoS Building Block: Profile
To create a QoS profile (QP2 through QP7 can be created dynamically on the BlackDiamond 8800 family of switches and the Summit X450 switch):
create qosprofile [qp2 | qp3 | qp4 | qp5 | qp6 | qp7]
To configure the QoS profile buffer and weight:
configure qosprofile <qosprofile> {maxbuffer <percent>} {weight <value>}
The three categories of traffic grouping are:
ACL-based information
Explicit packet class of service information, such as 802.1p or DiffServ (IP TOS)
Physical/logical configuration (physical source port or VLAN association)
Example:
London:3 # config vlan urgent qosprofile QP4
Here the logical traffic grouping VLAN urgent was assigned the QoS profile QP4.
In general, the more specific traffic grouping takes precedence. By default, all traffic groupings are placed in the QoS profile QP1. The groupings are listed below in order of precedence (highest to lowest); those at the top are evaluated first. The three types of traffic groupings are described in detail on the following pages.
IP ACL
MAC ACL
DiffServ (IP TOS)
802.1p
Source port (physical/logical grouping)
VLAN (physical/logical grouping)
NOTE
The source port and VLAN QoS apply only to untagged packets, and 802.1p QoS applies only to tagged packets. If you use 802.1p or DiffServ QoS in conjunction with ACLs, you must configure the 802.1p or DiffServ action within the ACL itself.
NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch, the precedence of IP ACL or MAC ACL depends on specifications in the ACL file itself.
ACL-based traffic groupings can be based on:
IP source or destination address
IP protocol
TCP flag
TCP/UDP or other Layer 4 protocol
TCP/UDP port information
IP fragmentation
MAC source or destination address
Ethertype
Explicit packet class of service information includes:
Prioritization bits used in IEEE 802.1p packets
IP Differentiated Services (DiffServ) code points, formerly known as IP Type of Service (TOS) bits
Advantages of explicit packet class of service information:
Class of service information can be carried through the network infrastructure without repeating what may be complex traffic grouping policies at each switch location.
End stations can perform their own packet marking on an application-specific basis.
Extreme Networks switch products can observe and manipulate packet marking information with no performance penalty.
The documented capabilities for 802.1p priority markings or DiffServ capabilities (if supported) are not impacted by the switching or routing configuration of the switch. For example, 802.1p information may be preserved across a routed switch boundary and DiffServ code points may be observed or overwritten across a layer 2 switch boundary.
Packet Diagram
Extreme Networks switches support the standard IEEE 802.1p priority bits that are part of a tagged Ethernet packet. The 802.1p bits can be used to prioritize the packet and to assign that packet to a particular QoS profile. When a tagged packet arrives at the switch, the switch examines the 802.1p priority field and maps the packet to a specific queue when subsequently transmitting the packet. The 802.1p priority field is located directly following the 802.1Q type field and preceding the 802.1Q VLAN ID, as shown in Figure 20.
[Figure 20 (field layout only; the diagram is not reproduced): tagged Ethernet frame fields TPI/TAG, Type, Data, FCS, with field widths of 6 bytes, 2 bytes and 4 bytes shown; DiffServ IP packet header fields IHL, DiffServ, Total Length, Identifier, Flags, Frag. Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address.]
802.1p Information
802.1p information on the BlackDiamond 10K only
If a port is in more than one virtual router, you cannot use the QoS 802.1p features. The default VLAN DiffServ examination mappings apply on ports in more than one VR. If you attempt to configure examining or replacing 802.1p information on a port that is in more than one virtual router, the system returns the following message:
Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.
The switch is capable of inserting and/or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. If 802.1p replacement is enabled, the 802.1p priority information that is transmitted is determined by the queue that is used when transmitting the packet. The 802.1p replacement configuration is based on the ingress port. To replace 802.1p priority information, enter the following command:
enable dot1p replacement ports [<port_list> | all]
The port in this command is the ingress port. This command affects only traffic grouped by explicit packet class of service information and physical/logical configuration. To disable this feature, enter the following command:
disable dot1p replacement ports [<port_list> | all]
NOTE
On the BlackDiamond 8800 family of switches and the Summit X450 switch, only QP1 and QP8 exist by default; you must create QP2 to QP7. If you have not created these QPs, the replacement feature will not take effect.
The 802.1p priority information is replaced according to the queue that is used when transmitting from the switch. The mapping is described in Table 4. This mapping cannot be changed.
DiffServ
Contained in the header of every IP packet is a field for IP Type of Service (TOS), now also called the Differentiated Services (DiffServ) field. The DiffServ field is used by the switch to determine the type of service provided to the packet. Both observing DiffServ code points as a traffic grouping mechanism for defining QoS policies and overwriting the DiffServ code point field are supported.
To disable DiffServ examination, enter the following command:
disable diffserv examination port [<port_list> | all]
Diffserv Replacement
In order to make DiffServ replacement take effect, dot1p replacement has to be enabled on the same port.
Code point   QoS profile   Hardware (i-chipset) queue
0 - 7        qp1           Q0
8 - 15       qp2           Q1
16 - 23      qp3           Q2
24 - 31      qp4           Q3
32 - 39      qp5           Q4
40 - 47      qp6           Q5
48 - 55      qp7           Q6
56 - 63      qp8           Q7
(The slide's annotation "10 ==== qp7" marks code point 10 remapped to qp7 by the configure diffserv examination command in the example that follows.)
* London: 2 # enable diffserv exam port 9
* London: 3 # config diffserv exam code_point 10 qosp qp7 port 9
* London: 4 # enable dot1p replacement port 3
* London: 5 # enable diffserv replace port 3
* London: 6 # config diffserv replace priority vpri 6 code-point 31 port 3
Configuring DiffServ
DiffServ Code Point Mapping
Because the DiffServ code point uses six bits, it has 64 possible values (2^6 = 64). By default, the values are grouped and assigned to the default QoS profiles listed in Table 5.
To change the QoS profile assignment for each of the 64 code points:
configure diffserv examination code-point <codepoint> {qosprofile} <qosprofile>
To replace the DiffServ code point, DiffServ replacement must be enabled:
enable diffserv replacement ports [<port_list> | all]
With replacement enabled, the queue used to transmit a packet determines the DiffServ value written into the IP packet. To view the currently configured DiffServ information, enter the following command:
show diffserv [examination | replacement]
BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example
In this example on the BlackDiamond 8800 family of switches and the Summit X450 switch, we use DiffServ to signal a class of service throughput and assign any traffic coming from network 10.1.2.x a specific DiffServ code point. This allows all other network switches to send and observe the DiffServ code point instead of repeating the same QoS configuration on every network switch. To configure the switch, follow these steps:
1 Using ACLs, assign a traffic grouping for traffic from network 10.1.2.x to QP3. The policy file qp3sub.pol contains the following entry:
#filename: qp3sub.pol
entry QP3-subnet {
    if { source-address 10.1.2.0/24 }
    then { Qosprofile qp3; }
}
Apply the policy:
configure access-list qp3sub any
2 Configure the switch so that other switches can signal classes of service that this switch should observe by entering the following:
enable diffserv examination ports all
Figure 29: BlackDiamond 8800 Family of Switches and the Summit X450 Switch DiffServ Example
A variant of the same entry adds the replace-dscp action, so that the DiffServ code point is replaced as well:
entry QP3-subnet {
    if { source-address 10.1.2.0/24 }
    then { Qosprofile qp3; replace-dscp; }
}
NOTE
The switch only observes the DiffServ code points if the traffic does not match the configured access list. Otherwise, the ACL QoS setting overrides the QoS DiffServ configuration.
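The precedence described above (ACL first, then DiffServ code point, then 802.1p, then source port and VLAN, with QP1 as the fallback), together with the default code point grouping from the DiffServ mapping table, can be modelled end to end. The following Python is an added example, not Extreme Networks code: it parses a constructed 802.1Q/IPv4 frame and classifies it the way the module describes. Assumed, because the page does not give them: an 802.1p-to-profile mapping of priority p to QP(p+1) (Table 4 is not reproduced here), the BlackDiamond 10K rule that port and VLAN groupings apply to untagged packets only, and a hypothetical PortPolicy object standing in for one ingress port's configuration.

```python
"""Traffic-grouping precedence model for ExtremeWare XOS QoS.

Added example (not Extreme Networks code). classify() applies the order the
module gives: IP ACL, then DiffServ code point (when examination is enabled
on the ingress port), then 802.1p bits (tagged frames), then source port and
VLAN (untagged frames), and finally the default profile QP1.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def default_dscp_map() -> Dict[int, str]:
    """Default code point grouping from the table: 0-7 -> qp1, 8-15 -> qp2, ... 56-63 -> qp8."""
    return {cp: f"qp{cp // 8 + 1}" for cp in range(64)}


# Assumed default 802.1p mapping: priority p -> qp(p+1). Table 4 is not on this page.
DOT1P_MAP = {p: f"qp{p + 1}" for p in range(8)}


@dataclass
class ParsedFrame:
    tagged: bool
    pcp: Optional[int]       # 802.1p priority bits; None when untagged
    vlan_id: Optional[int]
    ethertype: int
    dscp: Optional[int]      # 6-bit DiffServ code point; None for non-IPv4
    src_ip: Optional[str]


def parse_frame(frame: bytes) -> ParsedFrame:
    """Read the Ethernet type, an optional 802.1Q tag, and the IPv4 DiffServ field."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, tagged, pcp, vlan_id = 14, False, None, None
    if ethertype == TPID_8021Q:
        # The TCI follows the 802.1Q TPID: 3 bits PCP (802.1p), 1 bit DEI, 12 bits VLAN ID.
        tci = struct.unpack("!H", frame[14:16])[0]
        tagged, pcp, vlan_id = True, tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp, src_ip = None, None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ip_header = frame[offset:offset + 20]
        dscp = ip_header[1] >> 2  # DiffServ field: upper 6 bits of the old TOS byte
        src_ip = str(ipaddress.IPv4Address(ip_header[12:16]))
    return ParsedFrame(tagged, pcp, vlan_id, ethertype, dscp, src_ip)


@dataclass
class PortPolicy:
    """Hypothetical, constructed view of one ingress port's QoS-related configuration."""
    acl_entries: List[Tuple[str, str]] = field(default_factory=list)  # (source network, profile)
    diffserv_examination: bool = False
    dscp_map: Dict[int, str] = field(default_factory=default_dscp_map)
    port_qosprofile: Optional[str] = None   # configure ports <port> qosprofile <qp>
    vlan_qosprofile: Optional[str] = None   # configure vlan <vlan> qosprofile <qp>


def classify(frame: bytes, policy: PortPolicy) -> Tuple[str, str]:
    """Return (qosprofile, grouping that matched), most specific grouping first."""
    f = parse_frame(frame)
    # 1. ACL-based grouping overrides the DiffServ and 802.1p settings.
    if f.src_ip is not None:
        src = ipaddress.IPv4Address(f.src_ip)
        for network, qp in policy.acl_entries:
            if src in ipaddress.IPv4Network(network):
                return qp, "ip-acl"
    # 2. Explicit class of service: DiffServ code point, if examination is enabled.
    if policy.diffserv_examination and f.dscp is not None:
        return policy.dscp_map[f.dscp], "diffserv"
    # 3. Explicit class of service: 802.1p bits, tagged frames only.
    if f.tagged:
        return DOT1P_MAP[f.pcp], "dot1p"
    # 4. Physical/logical grouping: source port, then VLAN (untagged frames).
    if policy.port_qosprofile:
        return policy.port_qosprofile, "source-port"
    if policy.vlan_qosprofile:
        return policy.vlan_qosprofile, "vlan"
    return "qp1", "default"


def build_frame(src_ip: str, dscp: int, pcp: Optional[int] = None, vlan_id: int = 1) -> bytes:
    """Construct a minimal IPv4-over-Ethernet frame (no payload) for testing."""
    header = bytes.fromhex("0050c2000001") + bytes.fromhex("0050c2000002")  # constructed MACs
    if pcp is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address("10.0.0.1").packed)
    return header + ip_header
```

Note that with DiffServ examination enabled, the queue assignment is taken from a field the sending host controls unless an ACL matches first, which is exactly the ordering the NOTE above describes.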
Source Port
A source port traffic grouping implies that any traffic sourced from this physical port uses the indicated QoS profile when the traffic is transmitted out to any other port. To configure a source port traffic grouping, enter the following command:
configure ports <port_list> {qosprofile} <qosprofile>
In the following modular switch example, all traffic sourced from slot 5 port 7 uses the QoS profile named QP8 when being transmitted:
configure ports 5:7 qosprofile qp8
NOTE
On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.
VLAN
A VLAN traffic grouping indicates that all intra-VLAN switched traffic and all routed traffic sourced from the named VLAN uses the indicated QoS profile. To configure a VLAN traffic grouping, enter the following command:
configure vlan <vlan_name> {qosprofile} <qosprofile>
For example, all devices on VLAN servnet require use of the QoS profile QP1. The command to configure this example is as follows:
configure vlan servnet qosprofile qp1
NOTE
On the BlackDiamond 10K switch, this command applies only to untagged packets. On the BlackDiamond 8800 family of switches and the Summit X450 switch, this command applies to all packets.
On the BlackDiamond 10K switch, the screen displays both ingress and egress QoS settings. The 10Gbps ports have 8 ingress queues, and the 1 Gbps ports have 2 ingress queues.
BlackDiamond 8800 Family of Switches and Summit X450 Switch QoS Profile Display
You display which QoS profile, if any, is configured on the BlackDiamond 8800 family of switches and the Summit X450 switch using the following command:
show ports <port_list> information detail
Following is a sample output of this command for a BlackDiamond 8810 switch.
NOTE
To ensure that you display the QoS information, you must use the detail variable.
Port: 8:1 Virtual-router: VR-Default Type: EW
Random Early drop: Disabled
Admin state: Enabled with auto-speed sensing auto-duplex
Link State: Active
Link Counter: Up 1 time(s)
VLAN cfg:
Name: Default, Internal Tag = 1, MAC-limit = No-limit
STP cfg: s0(disable), Tag=(none), Mode=802.1D, State=FORWARDING
Protocol:
Name: Default Protocol: ANY Match all protocols.
Trunking: Load sharing is not enabled.
EDP: Enabled
DLCS: Unsupported
lbDetect: Unsupported
Learning: Enabled
Flooding: Enabled
Jumbo: Disabled
BG QoS monitor: Unsupported
Egress Port Rate: No-limit
Broadcast Rate: No-limit
Multicast Rate: No-limit
Unknown Dest Mac Rate: No-limit
QoS Profile: Qp3 Configured by user
Ingress Rate Shaping : Unsupported
Ingress IPTOS Examination: Disabled
Egress IPTOS Replacement: Disabled
Egress 802.1p Replacement: Disabled
NetLogIn: Disabled
Smart redundancy: Enabled
Software redundant port: Disabled
Sample output of the same command for a BlackDiamond 10K switch 10 Gbps port, which displays both ingress and egress QoS settings:
Port: 8:1 Virtual-router: VR-Default Type: XENPAK
Random Early drop: Disabled
Admin state: Enabled with 10G full-duplex
Link State: Ready
Link Counter: Up 0 time(s)
VLAN cfg:
STP cfg:
Protocol:
Trunking: Load sharing is not enabled.
EDP: Enabled
DLCS: Unsupported
lbDetect: Unsupported
Learning: Enabled
Flooding: Enabled
Jumbo: Disabled
BG QoS monitor: Unsupported
QoS Profile: None configured
Queue: Qp1 MinBw=0% MaxBw=100% Pri=1
       Qp2 MinBw=0% MaxBw=100% Pri=2
       Qp3 MinBw=0% MaxBw=100% Pri=3
       Qp4 MinBw=0% MaxBw=100% Pri=4
       Qp5 MinBw=0% MaxBw=100% Pri=5
       Qp6 MinBw=0% MaxBw=100% Pri=6
       Qp7 MinBw=0% MaxBw=100% Pri=7
       Qp8 MinBw=0% MaxBw=100% Pri=8
Ingress Rate Shaping : support IQP1-8
       IQP1 MinBw= 0% MaxBw=100% Pri=1
       IQP2 MinBw= 0% MaxBw=100% Pri=2
       IQP3 MinBw= 0% MaxBw=100% Pri=3
       IQP4 MinBw= 0% MaxBw=100% Pri=4
       IQP5 MinBw= 0% MaxBw=100% Pri=5
       IQP6 MinBw= 0% MaxBw=100% Pri=6
       IQP7 MinBw= 0% MaxBw=100% Pri=7
       IQP8 MinBw= 0% MaxBw=100% Pri=8
Ingress IPTOS: Disabled
Egress IPTOS: Replacement disabled
Egress 802.1p: Replacement disabled
Smart Redundancy: Unsupported
VLANs monitored for stats: Unsupported
Software redundant port: Unsupported
jitter-tolerance: Unsupported
Displaying QoS Profile Information on the BlackDiamond 8800 Family of Switches and Summit X450 Switch Only
To display QoS information on the BlackDiamond 8800 family of switches and the Summit X450 switch, enter the following command:
show qos profile
Other Useful QoS Display Commands
To display destination QoS profile assignments to the VLAN:
show vlan
To display information including QoS for the port:
show ports <list> info {detail}
To display policy file information:
show policy {detail}
page 36
57
Egress Traffic Rate Limiting: BlackDiamond 8800 Family of Switches and Summit X450 Switch Only
You can configure the maximum egress traffic allowed per port by specifying the committed rate, or you can allow the egress traffic to pass unlimited. You can limit egress traffic on a 1 Gbps port in increments of 64 Kbps; on a 10 Gbps port, you can limit egress traffic in increments of 1 Mbps. Optionally, you can also configure a maximum burst size: an amount of traffic above the limit that is allowed to egress the specified port(s) for a burst, or short duration. The default behavior is to have no limit on the egress traffic per port. To configure an egress traffic rate limit for a port or group of ports, enter the following command:
configure ports <port_list> rate-limit egress [no-limit | <cir-rate> [Kbps | Mbps | Gbps] {max-burst-size <burst-size> [Kb | Mb]}]
Syntax Description
port_list: Specifies one or more ports or slots and ports.
no-limit: Specifies that traffic be transmitted without limit; use to reconfigure or unconfigure previous rate-limiting parameters.
cir-rate: Specifies the desired rate limit in Kbps, Mbps, or Gbps.
max-burst-size: Specifies the amount of traffic above the cir-rate that is allowed to burst (for a short duration) from the port, in kilobits (Kb) or megabits (Mb).
To view the configured egress port rate-limiting behavior, issue the following command:
show ports {mgmt | <port_list>} information {detail}
You must use the detail parameter to display the Egress Port Rate configuration and, if configured, the Max Burst size. You can also display this information using the following command:
show configuration vlan
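How the committed rate and the optional max-burst-size interact is easiest to check with a model. The following Python is an added example, not Extreme Networks code: it parses the rate-limit egress command syntax given above and models the limiter as a token bucket, an assumption of this example rather than a statement about the switch hardware; the bucket depth of at least one maximum-size frame is likewise this model's assumption.

```python
"""Model of the per-port egress rate limit on the BlackDiamond 8800 / Summit X450.

Added example (not Extreme Networks code). parse_rate_limit() reads the
syntax of `configure ports <port_list> rate-limit egress ...` from the text;
EgressLimiter is a token bucket that reproduces the described behaviour:
sustained output at cir-rate, with up to max-burst-size bits allowed above
it for a short duration.
"""
import re
from typing import Optional, Tuple

RATE_UNITS = {"Kbps": 1_000, "Mbps": 1_000_000, "Gbps": 1_000_000_000}
BURST_UNITS = {"Kb": 1_000, "Mb": 1_000_000}
COMMAND = re.compile(r"configure ports (\S+) rate-limit egress (.+)")
ARGS = re.compile(r"(\d+)\s+(Kbps|Mbps|Gbps)(?:\s+max-burst-size\s+(\d+)\s+(Kb|Mb))?")


def parse_rate_limit(command: str) -> Tuple[str, Optional[Tuple[int, int]]]:
    """Return (port_list, None) for no-limit, or (port_list, (cir_bps, burst_bits))."""
    m = COMMAND.fullmatch(command.strip())
    if not m:
        raise ValueError(f"not a rate-limit egress command: {command!r}")
    port_list, args = m.group(1), m.group(2).strip()
    if args == "no-limit":
        return port_list, None
    a = ARGS.fullmatch(args)
    if not a:
        raise ValueError(f"unrecognised rate-limit arguments: {args!r}")
    cir_bps = int(a.group(1)) * RATE_UNITS[a.group(2)]
    burst_bits = int(a.group(3)) * BURST_UNITS[a.group(4)] if a.group(3) else 0
    return port_list, (cir_bps, burst_bits)


class EgressLimiter:
    """Token bucket: tokens (bits) refill at cir_bps; the bucket holds burst_bits."""

    def __init__(self, cir_bps: int, burst_bits: int, mtu_bits: int = 12_000) -> None:
        self.cir = cir_bps
        # Model assumption: the bucket is at least one maximum-size frame deep,
        # otherwise no frame could ever be sent when no burst size is configured.
        self.capacity = max(burst_bits, mtu_bits)
        self.tokens = float(self.capacity)  # starts full: an idle port may burst at once
        self.last = 0.0

    def offer(self, now: float, frame_bits: int) -> bool:
        """True if a frame of frame_bits may egress at time `now` (seconds)."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.cir)
        self.last = now
        if self.tokens >= frame_bits:
            self.tokens -= frame_bits
            return True
        return False


def frames_in_burst(limiter: EgressLimiter, frame_bits: int, now: float) -> int:
    """How many back-to-back frames pass at one instant before the limiter holds one."""
    count = 0
    while limiter.offer(now, frame_bits):
        count += 1
    return count


def frames_sustained(limiter: EgressLimiter, frame_bits: int, seconds: float,
                     interval: float) -> int:
    """Offer one frame every `interval` seconds for `seconds`; count those admitted."""
    steps = int(round(seconds / interval))
    return sum(limiter.offer(i * interval, frame_bits) for i in range(1, steps + 1))
```

At 100 Mbps with a 1 Mb burst, an idle port lets 83 full-size (1500-byte) frames out back to back, then only what the committed rate refills.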
Figure 35: Egress Traffic Rate Limiting - BlackDiamond 8800 Family of Switches and Summit X450 Switch Only
Figure 37: Bi-Directional Rate Shaping
Table 7: Ingress queue mapping for I/O modules on the BlackDiamond 10K Switch
I/O module       Ingress queues   Priority value
1 Gbps module    IQP1             1 to 4
                 IQP2             5 to 8
10 Gbps module   IQP1             1
                 IQP2             2
                 IQP3             3
                 IQP4             4
                 IQP5             5
                 IQP6             6
                 IQP7             7
                 IQP8             8
NOTE
Cumulative percentages of minimum bandwidth of the queues on a given port should not exceed 100%.
If you choose a setting not listed in the tables, the setting is rounded up to the next value. If the actual bandwidth used is below the minimum bandwidth, the additional bandwidth is not available for other queues on that physical port.
BlackDiamond 10K Bandwidth Settings
Ingress QoS profile values must be entered either as a percentage of bandwidth or as an absolute value in Kbps or Mbps. Bandwidth settings are applied to queues on physical ports; the port speed (1 or 10 Gbps) affects the available bandwidth.
Table 8: Maximum committed rates per port for I/O modules on the BlackDiamond 10K Switch
I/O module       MSM configuration   Maximum committed rate
1 Gbps module    Single MSM          200 Mbps
1 Gbps module    Dual MSM            400 Mbps
10 Gbps module   Single MSM          2 Gbps
10 Gbps module   Dual MSM            4 Gbps
Bi-directional rate shaping provides committed information rates for each queue, with different ingress and egress rates.
Configuring Bi-Directional Rate Shaping
You can then provide traffic groupings (such as physical port, VLAN, 802.1p, DiffServ, IP address, or Layer 4 flow) for the predefined QoS profiles, directing specific types of traffic to the desired queue. The maximum bandwidth or rate defined in the BlackDiamond 10K switch ingress QoS profile defines the rate limit for ingress traffic on rate-shaped ports. You set minimum and maximum rates for each queue on the ingress port, using either a percentage of total bandwidth or absolute values for committed and peak rates in Kbps or Mbps. You also set the priority level for each queue. To define rate shaping on a port, assign a minimum and maximum bandwidth or rate plus a priority value to each queue on the ingress port with the following command:
configure qosprofile ingress <iqp> [{committed_rate <committed_bps> [k | m]} {maxbw <maxbw_number>} {minbw <minbw_number>} {peak_rate <peak_bps> [k | m]} {priority [<priority> | <priority_number>]}] ports [<port_list> | all]
If you choose to use committed rate and peak rate values, be aware of the interactions between the values and the command line interface (CLI) management system. You can enter any integer from 0 upward in the CLI; however, functionally the switch operates only in multiples of 62.5 Kbps. Also note that the CLI does not accept decimals. Rate shaping is disabled by default on all ports; the system does use existing 802.1p, port, and VLAN values to assign packets to the ingress queue. The rate shaping function is used to assign specific priorities by absolute rates or percentages of the bandwidth. To enable rate shaping, use the configure qosprofile ingress command above. To disable rate shaping, enter the following command:
unconfigure qosprofile ingress ports all
To display the parameters for rate shaping (the values for the IQPs), enter the following commands:
show qosprofile {ingress | egress} {ports [all | <port_list>]}
show ports {mgmt | <port_list>} information {detail}
Additionally, you can monitor the performance on the BlackDiamond 10K switch by using the following command:
show ports <port_list> qosmonitor {ingress | egress} {no-refresh}
NOTE
You must specify ingress to view ingress rate shaping performance.
For destination MAC-based grouping (other than permanent), you must clear the MAC FDB. To clear the MAC FDB, enter the following command:
clear fdb
This command should also be issued after a policy is first formed, as the policy must be in place before an entry is made in the MAC FDB.
For permanent destination MAC-based grouping, re-apply the QoS profile to the static FDB entry.
For physical and logical groupings of a source port or VLAN, re-apply the QoS profile to the source port or VLAN.
[Figure: QoS overview. Packets in are classified by an ordered hierarchy of Layer 1, 2, 3, 4, 802.1p and IP DiffServ packet information and assigned to a QoS profile (for example, QpX for essential traffic with 5% minimum / 100% maximum bandwidth); the resulting policy transmits packets out at high or low priority. Configure a default QoS profile, then assign one or more traffic groupings to a QoS profile to create a QoS policy.]
Summary
You should now be able to:
Define QoS
Identify two major benefits of QoS
Identify five major traffic types
Describe policy-based QoS
Sequence the three steps required to assign QoS attributes
Define QoS profile
Describe QoS profile parameters
Configure QoS profile
Identify differences between configuring QoS on the BlackDiamond 8800 family of switches and Summit X450 and configuring QoS on a BlackDiamond 10K
Define traffic grouping
Sequence traffic groupings in order of precedence (highest to lowest)
Describe IP-based traffic grouping
Describe destination MAC address traffic grouping
Configure destination MAC address traffic grouping
Describe Explicit Class of Service traffic grouping
Configure Explicit Class of Service traffic grouping
Describe physical and logical groupings
Describe QoS policy
Verify QoS traffic grouping priority settings
Reset priority setting to default values
Monitor QoS
Modify a QoS policy
Configure Egress Traffic Rate Limiting on the BlackDiamond 8800 family of switches and Summit X450 switch
Configure Bi-Directional Rate Shaping on the BlackDiamond 10K switch
Module 9 sFlow
Student Objectives
Upon completion of this module, the successful student is able to:
- Define sFlow
- Identify sFlow applications
- List components required for sFlow
- Describe ExtremeWare XOS sFlow implementation
- Sequence the sFlow configuration steps on an Extreme Networks switch
- Configure sFlow on an Extreme Networks switch
- Reset sFlow values to their default values on an Extreme Networks switch
- Display sFlow configuration and statistics related information
Student Objectives
Upon completion of this module, the successful student will be able to:
- Identify four major threats to network security
- Sequence the security implementation steps for a green field network deployment
- Describe ExtremeWare XOS security features
- Identify three requirements for secure remote access
- Describe three traffic engineering goals
- Describe ExtremeWare XOS traffic engineering features
sFlow
sFlow is a technology for monitoring traffic in data networks containing switches and routers. It relies on statistical sampling of packets from high-speed networks, plus periodic gathering of interface statistics. A User Datagram Protocol (UDP) datagram format is defined to send the information to an external entity for analysis. sFlow consists of a Management Information Base (MIB) and a specification of the packet format for forwarding the sampled packet headers and counters to a remote collector.
Applications
Network Troubleshooting
sFlow enables the viewing of network traffic. Normal traffic serves as a baseline metric; irregular traffic patterns then stand out against it, facilitating analysis and resolution.
Controlling Congestion
Using sFlow, it is possible to monitor traffic flows through ports. Highly subscribed links can be identified together with their associated traffic sources. sFlow data can help determine the appropriate response, such as selective bandwidth provisioning or traffic prioritization.
Route Profiling
Active traffic routes and flows can be analyzed from sFlow data, enabling a network administrator to optimize and tune the network routing.
Additional Information
Details of the sFlow specification can be found in RFC 3176; the current specifications and more information can be found at the following website: http://www.sflow.org
sFlow
- Traffic monitoring technology
- Supported by various switch and router manufacturers
Applications
- Network Troubleshooting
- Controlling Congestion
- Security and Audit Trail Analysis
- Route Profiling
- Accounting and Billing for Usage
Figure 2: sFlow
Figure 3: http://www.sflow.org
sFlow Components
An sFlow solution consists of network equipment and software applications.
Network Equipment
An sFlow Agent software process resides at the network management software level of a switch. The switching and routing ASICs feed sampled traffic data to the sFlow Agent. The sFlow Agent performs minimal processing: it packages the data into sFlow datagrams that are immediately forwarded to the collector.
Software Applications
The sFlow datagrams are captured by sFlow Collector applications. sFlow applications provide a variety of functionality, including network traffic analysis, troubleshooting, security and audit trail analysis, and accounting for billing.
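The agent-to-collector datagram described above, as an added example that is not part of the course material or of ExtremeWare XOS: a Python encoder and decoder for the sFlow version 5 datagram layout published at sflow.org (the format in current use; RFC 3176 describes the older version 4 layout). The agent address 10.0.0.1, the sampled Ethernet header and the counter values are constructed sample input. The decoder bounds-checks every length field, because a collector listens on unauthenticated UDP (the standard port is 6343) and must fail cleanly on a short or hostile datagram.

```python
"""Added example: build and decode sFlow version 5 datagrams (not course code)."""
import struct
from dataclasses import dataclass, field

SFLOW_VERSION = 5
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2      # sample formats, enterprise 0 (standard sFlow)
RAW_PACKET_HEADER = 1                   # flow record: the sampled packet's header
GENERIC_IF_COUNTERS = 1                 # counter record: generic interface counters
GENERIC_FIELDS = ("ifIndex", "ifType", "ifSpeed", "ifDirection", "ifStatus", "ifInOctets",
                  "ifInUcastPkts", "ifInMulticastPkts", "ifInBroadcastPkts", "ifInDiscards",
                  "ifInErrors", "ifInUnknownProtos", "ifOutOctets", "ifOutUcastPkts",
                  "ifOutMulticastPkts", "ifOutBroadcastPkts", "ifOutDiscards", "ifOutErrors",
                  "ifPromiscuousMode")
GENERIC_FMT = "!IIQIIQIIIIIIQIIIIII"    # 88 bytes, same order as GENERIC_FIELDS

def _u32(*vals):
    return struct.pack("!%dI" % len(vals), *vals)

def _tlv(fmt, body):
    """sFlow v5 wraps every sample and record in a (format, length) envelope."""
    return _u32(fmt, len(body)) + body

def build_datagram(agent_ip, seq, uptime_ms, port, rate, frame_len, header, counters):
    """What an agent emits: one flow sample (port sampled 1-in-rate, raw Ethernet
    header) and one generic counter sample for the same port (ifIndex = port)."""
    pad = (-len(header)) % 4
    # raw packet header record: protocol 1 = Ethernet, frame length, stripped bytes, header length
    hdr_rec = _tlv(RAW_PACKET_HEADER, _u32(1, frame_len, 4, len(header)) + header + b"\0" * pad)
    # flow sample: seq, source_id (type 0 = ifIndex), rate, pool, drops, input, output, nrecords
    flow = _tlv(FLOW_SAMPLE, _u32(seq, port, rate, rate, 0, port, 0, 1) + hdr_rec)
    ctr_rec = _tlv(GENERIC_IF_COUNTERS,
                   struct.pack(GENERIC_FMT, *(counters.get(f, 0) for f in GENERIC_FIELDS)))
    ctr = _tlv(COUNTER_SAMPLE, _u32(seq, port, 1) + ctr_rec)
    agent = bytes(int(o) for o in agent_ip.split("."))
    # datagram header: version, address type (1 = IPv4), agent, sub-agent id, seq, uptime, nsamples
    return _u32(SFLOW_VERSION, 1) + agent + _u32(0, seq, uptime_ms, 2) + flow + ctr

class _Reader:
    """Cursor over a buffer; every read is bounds-checked so a truncated or
    hostile datagram raises ValueError instead of failing deep inside."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated datagram")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u32(self):
        return struct.unpack("!I", self.take(4))[0]
    def tlv(self):
        fmt, length = self.u32(), self.u32()
        return fmt, _Reader(self.take(length))

@dataclass
class Datagram:
    agent: str
    seq: int
    uptime_ms: int
    flows: list = field(default_factory=list)
    counters: list = field(default_factory=list)

def _parse_flow(r):
    seq, src, rate, pool, drops, inp, out, nrec = (r.u32() for _ in range(8))
    sample = {"seq": seq, "port": src & 0xFFFFFF, "rate": rate, "drops": drops,
              "in": inp, "out": out, "headers": []}
    for _ in range(nrec):
        fmt, rec = r.tlv()
        if fmt == RAW_PACKET_HEADER:
            proto, frame_len, stripped, hdr_len = (rec.u32() for _ in range(4))
            sample["headers"].append((frame_len, rec.take(hdr_len)))
    return sample

def _parse_counters(r):
    seq, src, nrec = r.u32(), r.u32(), r.u32()
    sample = {"seq": seq, "port": src & 0xFFFFFF}
    for _ in range(nrec):
        fmt, rec = r.tlv()
        if fmt == GENERIC_IF_COUNTERS:
            sample.update(zip(GENERIC_FIELDS, struct.unpack(GENERIC_FMT, rec.take(88))))
    return sample

def parse_datagram(buf):
    """Decode one datagram; unknown sample or record formats are skipped by length."""
    r = _Reader(buf)
    if r.u32() != SFLOW_VERSION:
        raise ValueError("not an sFlow v5 datagram")
    if r.u32() != 1:
        raise ValueError("only IPv4 agent addresses handled here")
    agent = ".".join(str(b) for b in r.take(4))
    r.u32()                                   # sub-agent id, unused here
    dg = Datagram(agent, r.u32(), r.u32())
    for _ in range(r.u32()):
        fmt, body = r.tlv()
        if fmt == FLOW_SAMPLE:
            dg.flows.append(_parse_flow(body))
        elif fmt == COUNTER_SAMPLE:
            dg.counters.append(_parse_counters(body))
    return dg

def estimated_bytes(dg):
    """The usual sFlow traffic estimate: each sampled frame stands for `rate` frames."""
    return sum(frame_len * s["rate"] for s in dg.flows for frame_len, _ in s["headers"])

# Constructed input: a 14-byte Ethernet header (broadcast destination, ARP ethertype)
# sampled 1-in-256 on port 2 of an agent at 10.0.0.1, plus a few interface counters.
SAMPLE_HDR = bytes.fromhex("ffffffffffff" "00049612abcd" "0806")
DEMO = build_datagram("10.0.0.1", seq=7, uptime_ms=120_000, port=2, rate=256, frame_len=64,
                      header=SAMPLE_HDR,
                      counters={"ifIndex": 2, "ifSpeed": 100_000_000, "ifInOctets": 123456})
```

parse_datagram(DEMO) yields the agent address, one flow sample whose 64-byte frame scales to 16384 estimated bytes at a 1-in-256 rate, and one counter sample with the ifTable-style counters; feeding it a datagram cut short raises ValueError rather than misreading the tail.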
NOTE
On the BlackDiamond 8800 family of switches, sFlow and mirroring are mutually exclusive. You can enable either sFlow or mirroring, but not both.
You should also be aware of a few limitations in the current release. The current release supports:
- Generic port statistics reported to the sFlow collector
- Non-extended flow data only
- Sampling only of packets that do not match an ACL rule (traffic handled by an ACL, including traffic an ACL denies, is therefore not represented in the sFlow data)
- Port-based sampling only
- No sFlow MIB support
Configuring sFlow
ExtremeWare XOS allows you to collect sFlow statistics on a per-port basis. An agent, residing locally on the switch, sends data to a collector that resides on another machine. You configure the local agent, the address of the remote collector, and the ports of interest for sFlow statistics gathering. You can also modify the default values for how frequently, on average, a sample is taken and for the maximum number of samples allowed before sample gathering is throttled. To configure sFlow on a switch, you must do the following tasks:
1. Configure the local agent
2. Configure the addresses of the remote collectors
3. Enable sFlow globally on the switch
4. Enable sFlow on the desired ports
Optionally, you may also change the default values of the following items:
- How often the statistics are collected (the polling interval)
- How frequently a sample is taken, globally or per port
- How many samples per second can be sent to the CPU
Enabling sFlow Globally on the Switch
Before the switch will start sampling packets for sFlow, you must enable sFlow globally on the switch. To enable sFlow globally, type the following command:
enable sflow
You disable sFlow globally with the following command:
disable sflow
When you disable sFlow globally, the individual ports are also put into the disabled state. If you later enable the global sFlow state, the individual ports return to their previous state.
Polling Interval
Each port counter is periodically polled to gather the statistics to send to the collector. If there is more than one counter to be polled, the polling is distributed in such a way that each counter is visited once during each polling interval and the data flows are spaced in time. For example, assume that the polling interval is 20 seconds and there are 40 counters to poll. Two ports are polled each second until all 40 are polled. To configure the polling interval, type the following command:
configure sflow poll-interval <seconds>
To display the sFlow configuration, enter the following command:
show sflow {configuration}
To display sFlow statistics, enter the following command:
show sflow statistics
Summary
You should now be able to:
- Define sFlow
- Identify sFlow applications
- List components required for sFlow
- Describe ExtremeWare XOS sFlow implementation
- Sequence the sFlow configuration steps on an Extreme Networks switch
- Configure sFlow on an Extreme Networks switch
- Reset sFlow values to their default values on an Extreme Networks switch
- Display sFlow configuration and statistics related information
Lab 1 Basic Switch and Routing Configuration
Objectives
- Clear a switch of all previous configurations
- Assign an SNMP name to the switch
- Configure network VLANs with IP addresses
- Enable VLANs for IP forwarding
- Configure OSPF
- Add switches to the Bbone VLAN
- Display the following: the IP route table on the switch, the forwarding database, the ARP table, and the IP forwarding database
Materials Required
- One i-series Extreme Networks switch with Ethernet interfaces and no existing configuration
- One PC-to-switch console cable
- One PC-to-switch Ethernet cable connected to port 2 of the switch
Network Diagram
Remark
There are two cables connected between the switches instead of a single 802.1Q trunk. This is done only to demonstrate dynamic routing protocol behaviour on topology changes in the following labs. Normally you would use only one cable and configure an 802.1Q trunk.
3 Add the following ports (untagged) to the VLANs, by entering the following command:
configure <vlan name> add port <number>
VLAN Bbone Alpha Beta Charlie One Two Three Four Five Six 2 2 2 2 2 2 EAS_LAB_1 4 3 EAS_LAB_2 4,5 3 3 3 3 3 EAS_LAB_3 4,5 EAS_LAB_4 4,5 EAS_LAB_5 4,5 EAS_LAB_6 5
PC 1 2 3 4 5 6
2 Display general OSPF information, by entering the following command:
show ospf
3 Display area-specific information, by entering the following command:
show ospf area
4 Display OSPF interface information, by entering the following command:
show ospf interfaces
5 Configure the ports in VLAN Bbone at the lowest possible fixed speed, full duplex, and check the impact of this change on the routing table.
6 Save your current configuration in preparation for the next lab exercise.
Lab 2 Switch Access
Objectives
- Create a new user account
- Disable SNMP access
- Set the switch idle-timer
- Configure the switch banner message
- Load the SSH module
- Set up a connection between an SSH2 client and an SSH2 server
- Configure the switch as a RADIUS client
Materials Required
- (optional) Packet sniffer or Ethernet analyzer
- An additional PC/laptop plus cabling, introduced to act as the RADIUS server (10.0.0.100/24)
Trainer info: The RADIUS server (EPICenter recommended) needs all switches pre-configured as clients with the correct shared secret (12secure) and a user account for each switch (user ID team_x with password access).
Network Diagram
Switches SA_LAB_1 through SA_LAB_6, each with its PC on port 2 in its own workstation VLAN (VLAN One is 10.1.1.0/24, with the PC at .101 and the switch at .1). The switches are interconnected on ports 3, 4 and 5 through VLAN A (10.1.0.0/24), VLAN B (10.2.0.0/24) and VLAN C (10.3.0.0/24), switch SA_LAB_x using host address .x in its VLANs. The RADIUS server (10.0.0.100) is connected to port 1 of switch 3.
NOTE
Only on switch 3, add port 1 (the port where the RADIUS server is connected) untagged to VLAN Bbone, by entering the following command:
configure Bbone add port 1
Part 1 Creating a New User Account, Disabling SNMP Access, and Configuring Idle Timeouts
1 Create a new administrator account with the name team_x (x = switch ID number) and password access, by entering the following command:
create account admin team_x
2 Prevent SNMP access to the switch, by entering the following command:
disable snmp access
3 Activate the switch idle-timeout feature, by entering the following command:
enable idletimeouts
4 Configure the threshold to 10 minutes, by entering the following command:
configure idletimeouts 10
5 Verify your configuration modifications, by entering the following command:
show management
- Up to 24 rows of 79-character-wide text can be entered
- Pressing [Enter] at the beginning of a new line saves the previously entered text and enables the login display banner
- Pressing [Enter] at the beginning of the first line clears the login display banner
2 Verify that the switch banner message is configured correctly by logging out and then logging in.
You can see the difference in packets between Telnet (plain text) and SSH2 (encrypted) access if you capture login attempts using both protocols. Make sure you disconnect any Telnet or SSH session you have to the other switches when sniffing traffic.
3 After configuring your switch as a RADIUS client with the specified RADIUS server and shared secret, enable RADIUS, by entering the following command:
enable radius mgmt-access
4 Confirm the RADIUS settings (default port 1812, RADIUS enabled, etc.), by entering the following command:
show radius
5 Verify that RADIUS authentication is working. Create a new SSH2 session to the switch using the team_x account and check whether you are being authenticated by RADIUS, by entering the following command:
show session
6 Remove the cable from switch 3 port 1 and make a new connection (Telnet, SSH2 or console) using the team_x account. Note what happens. Existing connections remain when the RADIUS server becomes unreachable, while new connections are authenticated (after the RADIUS timeout interval) against the local user database.
7 Connect the cable back to port 1 of switch 3.
8 Save your current configuration in preparation for the next lab exercise.
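The RADIUS exchange the switch performs in steps 3 to 5, as an added example that is not part of the lab or of ExtremeWare XOS: both sides of an RFC 2865 PAP authentication in Python. The switch side builds an Access-Request with the User-Password hidden under the shared secret, the server side finds the client (and so the secret) and answers with a Response Authenticator, and the switch side discards any reply that does not verify against its own secret. The lab values are used (shared secret 12secure, account team_x with password access, server 10.0.0.100); the switch address 10.1.1.1, the identifier 42 and the lookup of the client by its NAS-IP-Address attribute (a real server uses the UDP source address) are assumptions, and the UDP transport and the Message-Authenticator attribute of RFC 2869 are left out.

```python
"""Added example: the RADIUS (RFC 2865) PAP exchange between a switch and its server."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def _attr(atype, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return bytes([atype, 2 + len(value)]) + value

def _packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length (whole packet), 16-byte Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and xor each block with an MD5 chain
    seeded by the shared secret and the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def parse(pkt):
    """Split a packet into (code, identifier, authenticator, {type: value});
    lengths are checked so a malformed packet raises instead of misparsing."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def build_access_request(ident, username, password, secret, nas_ip, nas_port):
    """Switch side: a fresh random Request Authenticator, then the attributes."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def server_handle(pkt, clients, users):
    """Server side: find the client (and so the shared secret), recover the
    password, and sign the verdict with the Response Authenticator."""
    code, ident, request_auth, attrs = parse(pkt)
    nas_ip = ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if code != ACCESS_REQUEST or secret is None:
        return None          # unknown client: silently discarded (RFC 2865 4.1)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    auth = response_authenticator(verdict, ident, b"", request_auth, secret)
    return _packet(verdict, ident, auth, b"")

def client_verify(request, reply, secret):
    """Switch side: trust the reply only if it carries our Identifier and a
    Response Authenticator computed with our shared secret; otherwise None."""
    _, req_id, request_auth, _ = parse(request)
    code, ident, auth, _ = parse(reply)
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return code if ident == req_id and auth == expected else None

# Lab values: the server knows switch 1 (assumed address 10.1.1.1) with shared
# secret 12secure, and holds the account team_1 / access.
CLIENTS = {"10.1.1.1": b"12secure"}
USERS = {b"team_1": b"access"}

def login(username, password, nas_ip="10.1.1.1", secret=b"12secure"):
    """One round trip; returns ACCESS_ACCEPT, ACCESS_REJECT, or None (no usable reply)."""
    request = build_access_request(42, username, password, secret, nas_ip, 0)
    reply = server_handle(request, CLIENTS, USERS)
    return None if reply is None else client_verify(request, reply, secret)
```

A sniffer on the path, as in the Telnet versus SSH capture above, sees the User-Name in clear and the User-Password hidden only by MD5 of the shared secret, and the reply's integrity rests on that same secret: with a wrong secret on either side login() returns None, which is the situation the switch treats as no server answering and, after the timeout in step 6, falls back to the local user database.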
Objectives
- Configure and enable the DoS-Protect feature
- Verify the DoS-Protect configuration and status
- Troubleshoot CPU-DoS-Protect
Materials Required
Each workstation should have WSTTCP.exe pre-installed for traffic generation and 3CDaemon to act as the syslog server.
Troubleshooting DoS-Protect
1 Troubleshoot the network state during an active cpu-dos-protect situation on your switch. What is still reachable, and from where? Depending on the destination, your findings could be influenced by the DoS-Protect activity on the other switches.
- Ping from your PC to the switch IP address under attack. Result: ___________________________
- Ping or telnet from your PC to another IP address of your switch. Result: ___________________
- Ping from your PC to the RADIUS server (10.0.0.100). Result: ________________________________
- Ping from your PC to the neighbouring switch's IP address that is under attack by their traffic generation. Result: _________________________________________________________________
2 The combination of physical port and destination address determines the ACL rule. In addition to protecting the switch, what can this feature bring to protect clients and servers? _________________
As long as an attack is based on a traffic type that requires the switch CPU (like ICMP), the target (server) is protected as soon as the threshold is reached.
3 Save your current configuration in preparation for the next lab exercise.
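A model of the DoS-protect behaviour the questions above probe, as an added example that is not part of the lab or of ExtremeWare XOS: CPU-bound packets are counted per (ingress port, destination address), a deny rule for that pair is installed when the count crosses a threshold, and the rule expires after a timeout. The threshold, window, timeout and the set of traffic types treated as CPU-bound are assumed values, not the switch's configured ones; the addresses are the lab's (switch 10.1.1.1, PC 10.1.1.101, RADIUS server 10.0.0.100) except 10.1.1.50 and 10.1.2.1, which are made up for the example.

```python
"""Added example: a model of CPU DoS-protect keyed on (ingress port, destination)."""
from collections import defaultdict

# Assumed model parameters; the switch's real thresholds are configured separately.
THRESHOLD = 5          # CPU-bound packets per window from one port to one destination
WINDOW = 1.0           # seconds over which packets are counted
RULE_TIMEOUT = 10.0    # seconds a protective deny rule stays installed
CPU_BOUND = {"icmp", "arp", "ospf"}   # traffic the switch CPU must process itself

class CpuDosProtect:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, timeout=RULE_TIMEOUT):
        self.threshold, self.window, self.timeout = threshold, window, timeout
        self.arrivals = defaultdict(list)   # (port, dst) -> recent arrival times
        self.rules = {}                     # (port, dst) -> expiry time of the deny rule
        self.log = []                       # (time, event, port, dst), as syslog would show

    def handle(self, t, port, src, dst, proto):
        """Classify one packet: 'forwarded' (hardware path, the CPU never sees it),
        'punted' (sent to the CPU) or 'dropped' (matched the protective ACL)."""
        key = (port, dst)
        if key in self.rules:
            if t < self.rules[key]:
                return "dropped"
            del self.rules[key]
            self.log.append((t, "rule expired", port, dst))
        if proto not in CPU_BOUND:
            return "forwarded"
        recent = [a for a in self.arrivals[key] if t - a < self.window] + [t]
        if len(recent) >= self.threshold:
            self.rules[key] = t + self.timeout
            self.arrivals[key] = []
            self.log.append((t, "rule installed", port, dst))
            return "dropped"
        self.arrivals[key] = recent
        return "punted"

# Constructed traffic: an ICMP flood from the PC on port 2 towards the switch
# address 10.1.1.1, plus packets that show what stays reachable during the attack.
FLOOD = [(round(i * 0.1, 1), 2, "10.1.1.101", "10.1.1.1", "icmp") for i in range(20)]
OTHER = [
    (0.55, 2, "10.1.1.101", "10.0.0.100", "icmp"),  # same port, other destination (RADIUS server)
    (0.65, 3, "10.1.2.1", "10.1.1.1", "icmp"),      # same destination, other port (neighbour)
    (0.75, 2, "10.1.1.101", "10.1.1.50", "tcp"),    # hardware-forwarded flow: never counted
    (11.0, 2, "10.1.1.101", "10.1.1.1", "icmp"),    # flood packet after the rule expired
]

def run():
    """Feed the packets in time order; return the protector and the verdicts per flow."""
    dp = CpuDosProtect()
    verdicts = defaultdict(list)
    for pkt in sorted(FLOOD + OTHER):
        t, port, src, dst, proto = pkt
        verdicts["%s:%d->%s" % (proto, port, dst)].append(dp.handle(*pkt))
    return dp, dict(verdicts)
```

run() shows the pattern the lab asks you to observe: the flood is punted four times, then dropped once the rule for (port 2, 10.1.1.1) is installed at t=0.4; the ping to the RADIUS server from the same port and the ping to the same address from another port are unaffected; the TCP flow never reaches the CPU and so is neither counted nor protected; and after the timeout the rule expires and the next flood packet is punted again until the threshold is crossed once more.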
Objectives
- Configure limit-learning
- Configure lock-learning
- Configure secure-mac features
- Unconfigure port and MAC address based security
Materials Required
The syslog server from Lab 5 is used again. If Lab 5 was skipped, you still need to configure a syslog server on the switch, by entering the following commands:
configure syslog add <ip address pc> local7
enable syslog
Network Diagram
Switches SA_LAB_1 through SA_LAB_6, cabled as in the previous lab: each PC on port 2 of its switch in its own workstation VLAN (VLAN One is 10.1.1.0/24, with the PC at .101 and the switch at .1), the switches interconnected on ports 3, 4 and 5 through VLAN A (10.1.0.0/24), VLAN B (10.2.0.0/24) and VLAN C (10.3.0.0/24) with switch SA_LAB_x at host address .x, and the RADIUS server (10.0.0.100) connected to port 1 of switch 3.
NOTE
The CLI examples provided in this lab show the command information for switch 1; translate the ports and VLANs for your own switch. Example: instead of 10.1.1.101/32, Team 5 would use 10.3.5.105/32. Refer to the Lab IP Address table found in the Lab Introduction at the front.
Module 10 Lab Exercises
2 Save and reboot your switch. Check the post-reboot switch FDB table and switch operation by entering the following commands:
show vlan <vlan name> security
show log
show fdb <vlan name>
show fdb permanent
3 Clear the FDB entries for the VLAN Bbone, by entering the following command:
clear fdb bbone
4 Unconfigure limit-learning, by entering the following command:
configure port 4,5 vlan Bbone unlimited-learning
5 Unconfigure lock-learning, by entering the following command:
configure port 2 vlan one unlock-learning
6 Remove the secure-mac related entries, by entering the following command:
delete fdbentry all
7 Save your current switch configuration in preparation for the next lab.
Objectives
- Configure NetLogin on a permanent VLAN
- Configure the NetLogin base URL
- Configure the redirect page URL
- Configure the NetLogin banner
- Configure the switch as a DHCP server
- Verify the NetLogin configuration
Optional Materials
Additional software is required on the PC that acts as the RADIUS server. This PC will now also act as DNS name server 1 (NS1).
Trainer:
- Configure the PC as a DNS server (BIND 8, Windows 2000 DNS or any other DNS server).
- Configure a domain called eas-300.com and add all switch IP addresses belonging to the workstation VLANs (VLAN One, Two, etc.) as host records in this DNS server. Use the following naming convention for the switches: switchx.eas-300.com.
- Include your PC (RADIUS and DNS server, 10.0.0.100) as a host record in NS1 with the hostname server.eas-300.com.
Network Diagram
Switches NLG_LAB_1 through NLG_LAB_6, cabled as in the previous labs: each PC on port 2 of its switch in its own workstation VLAN (VLAN One is 10.1.1.0/24, with the PC at .101 and the switch at .1), the switches interconnected on ports 3, 4 and 5 through VLAN A (10.1.0.0/24), VLAN B (10.2.0.0/24) and VLAN C (10.3.0.0/24) with switch NLG_LAB_x at host address .x, and the RADIUS/DNS server (10.0.0.100) connected to switch 3. Each switch additionally carries two loopback VLANs, Loopx (x.1.1.x/24) and Loopxx (xx.1.1.x/24).
NOTE
The CLI example provided shows the command information for switch 1; translate the variables in the information to your own requirements.
3 Remove the ports from the VLAN default by entering the following command:
configure vlan default delete ports all
Lab 8 QoS
Objectives
Upon successful completion of this lab exercise, the student is able to:
- During a looped broadcast storm, configure policy-based QoS that allows smooth video playback
Materials Required
- Two Summit X450 switches
- Two PCs
- VLC application for video streaming
- Movie file
Network Diagram
Switch 1: port 2 to PC 1, port 12 (to be added later) towards Switch 2, VLAN three 10.0.0.x/24 between the switches. Switch 2: port 11 towards Switch 1, port 7 to PC 2, VLAN v2 10.0.2.1/24. PC 2: 10.0.2.200/24.
NOTE
The CLI example provided shows the command information for switch 1 and switch 2; translate the variables in the information to your own requirements.
4 To simulate a network running near capacity, limit the port speed on switch 1 by entering the following command:
configure ports 2 auto off speed 10 duplex half
5 Configure the PCs with the following parameters:
PC 1: IP address 10.0.1.100, subnet mask 255.255.255.0, default gateway 10.0.1.1
PC 2: IP address 10.0.2.200, subnet mask 255.255.255.0, default gateway 10.0.2.1
6 Configure a routing protocol by entering the following commands:
configure rip add vlan all
enable rip
7 Start the VLC application on PC 1 to send and on PC 2 to receive.
8 Generate a broadcast storm on the VLAN between the switches by creating a loop: enable ports 12 and 11 on switches 1 and 2, respectively. Ping 10.0.0.254 to generate an ARP request that causes the broadcast storm.
9 On PC 2, play the movie file streaming from PC 1.