2526t PDF

Nortel Ethernet Routing Switch 2500 Series
Security Conguration and

Management
NN47215-505 (323165-B)
.
Downloaded from www.Manualslib.com manuals search engine
Document status: Standard
Document version: 02.01
Document date: 19 November 2007
Copyright 2007, Nortel Networks
All Rights Reserved.
Sourced in Canada, India, and the United States of America
The information in this document is subject to change without notice. The statements, congurations, technical
data, and recommendations in this document are believed to be accurate and reliable, but are presented without
express or implied warranty. Users must take full responsibility for their applications of any products specied in this
document. The information in this document is proprietary to Nortel Networks.
The software described in this document is furnished under a license agreement and can be used only in accordance
with the terms of that license. The software license agreement is included in this document.
Trademarks
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document.
All other trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that can pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth
in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right
to make changes to the products described in this document without notice.
Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product can be Copyright 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software
were developed by the University of California, Berkeley. The name of the University can not be used to endorse or
promote products derived from such portions of the software without specic prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that
contains restrictions on use and disclosure (that can incorporate by reference certain limitations and notices
imposed by third parties).
Nortel Networks software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel
Networks Corporation and its subsidiaries and afliates ("Nortel Networks"). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
If you do not accept these terms and conditions, return the Software, unused and in the original shipping container,
within 30 days of purchase to obtain a credit for the full purchase price.
"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or afliates, and is
copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data,
audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole
or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the
Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for
the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the
Software on only one machine at any one time or to the extent of the activation or authorized usage level,
whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer
furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such
hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as
condential information using the same care and discretion Customer uses with its own similar information that it
does not wish to disclose, publish or disseminate. Customer ensures that anyone who uses the Software does
so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or
distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer
or otherwise translate the Software; c) create derivative works or modications unless expressly authorized; or d)
sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneciaries of
this provision. Upon termination or breach of the license by Customer or in the event designated hardware or
CFE is no longer in use, Customer promptly returns the Software to Nortel Networks or certify its destruction.
Nortel Networks can audit by remote polling or other reasonable means to determine Customers Software
activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to
include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks
with respect to such third party software.
2. Warranty. Except as can be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated
to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties,
and, in such event, the above exclusions can not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS
OF, OR DAMAGE TO, CUSTOMERS RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or
supplier of the Software. Such developer and/or supplier is an intended beneciary of this Section. Some
jurisdictions do not allow these limitations or exclusions and, in such event, they can not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks
Software available under this License Agreement is commercial computer software and commercial
computer software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer can terminate the license at any time. Nortel Networks can terminate the license if Customer fails
to comply with the terms and conditions of this license. In either event, upon termination, Customer must
either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from
Customers use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.
d. Neither party can bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software.
If the Software is acquired in the United States, then this License Agreement is governed by the laws of
the state of New York.
5
Contents
New in this release 9
Features 9
Advanced Security features 9
Introduction 11
Before you begin 11
Text conventions 11
Related publications 13
How to get help 14
Getting help from the Nortel Web site 14
Getting help through a Nortel distributor or reseller 14
Getting help over the phone from a Nortel Solutions Center 14
Getting help from a specialist by using an Express Routing Code 15
Using security in your network 17
Setting management passwords 17
Console/TELNET/Web password Conguration 17
Username and password 17
Logging on 18
Conguring Security options 18
RADIUS-based network security 20
MAC address-based security 21
EAPOL-based security 21
EAPoL with Guest VLAN 23
EAPOL Security Conguration 23
Password security 24
Password length and valid characters 24
Password retry 24
Password history 24
Password display 24
Password verication 24
Password aging time 25
Read-Only and Read-Write passwords must be different 25
Applicable passwords 25
Enabling and disabling password security 25
Security Conguration and Management
NN47215-505 (323165-B) 02.01 Standard
4.1 19 November 2007
.
6 Contents
Default passwords 26
HTTP port number change 26
Simple Network Management Protocol 26
SNMP Version 1 (SNMPv1) 26
Nortel Ethernet Routing Switch 2500 Series support for SNMP 27
SNMP MIB support 27
SNMP trap support 28
Advanced EAPOL features 28
Non-EAP hosts on EAP-enabled ports 30
Conguring Security using the CLI 35
Securing your system 35
Setting the username and password 35
Setting password security 37
Conguring the IP manager list 39
Changing the http port number 43
Setting Telnet access 44
Conguring Secure Shell (SSH) 48
Setting server for Web-based management 55
Conguring the RADIUS-based management password authentication 56
Setting SNMP parameters 58
Common SNMP and SNMPv3 CLI commands 58
CLI commands specic to SNMPv3 69
Securing your network 80
Conguring MAC address lter-based security 80
Conguring EAPOL-based security 87
Conguring advanced EAPOL features 94
Conguring Security using web-based management 169
Conguring system security 169
Setting console, Telnet, and Web passwords 169
Conguring RADIUS dial-in access security 172
Accessing the management interface 173
Conguring MAC address-based security 175
Conguring ports 179
Adding MAC addresses 181
Clearing ports 183
Enabling security on ports 184
Deleting ports 186
Filtering MAC destination addresses 186
Deleting MAC DAs 187
About SNMP 188
Conguring SNMPv1 188
NN47215-505 (323165-B) 02.01 Standard
.
Contents 7
Viewing SNMPv3 system information 190
Conguring user access to SNMPv3 193
Conguring an SNMPv3 system user group membership 196
Conguring SNMPv3 group access rights 199
Conguring an SNMPv3 management information view 202
Conguring an SNMPv3 system notication entry 205
Conguring an SNMPv3 management target address 208
Conguring an SNMPv3 management target parameter 211
Conguring an SNMP trap receiver 213
Index 220
NN47215-505 (323165-B) 02.01 Standard
.
8 Contents
NN47215-505 (323165-B) 02.01 Standard
.
9
New in this release
The following sections detail whats new in Security Conguration and
Management (NN47215-505) for Release 4.1.
Features
See "Advanced Security features" (page 9)for information about feature
changes.
Advanced Security features
The Nortel Ethernet Routing Switch 2500 Release 4.1 supports advanced
EAPOL security features. For more information, see the following sections:
"Advanced EAPOL features" (page 28)
"Conguring multihost support" (page 95)
"Conguring support for non-EAPOL hosts on EAPOL-enabled ports"
(page 102)
"Conguring MultiHost Single-Autentication (MHSA)" (page 107)
NN47215-505 (323165-B) 02.01 Standard
.
10 New in this release
NN47215-505 (323165-B) 02.01 Standard
.
11
Introduction
This guide provides information about conguring and managing security
features on the Nortel Ethernet Routing Switch 2500 Series.
This guide describes the features of the following Nortel switches:
Nortel Ethernet Routing Switch 2526T
Nortel Ethernet Routing Switch 2526T-PWR
Nortel Ethernet Routing Switch 2550T
Nortel Ethernet Routing Switch 2550T-PWR
The term "Ethernet Routing Switch 2500 Series" is used in this document to
describe the features common to the switches mentioned above.
A switch is referred to by its specic name when a feature is described
that is exclusive to the switch.
Before you begin
This guide is intended for network administrators who have the following
background:
basic knowledge of networks, Ethernet bridging, and IP routing
familiarity with networking concepts and terminology
basic knowledge of network topologies
Text conventions
This guide uses the following text conventions:
NN47215-505 (323165-B) 02.01 Standard
.
12 Introduction
angle brackets (< >) Indicate that you choose the text to enter based on
the description inside the brackets. Do not type the
brackets when entering the command.
Example: If the command syntax is ping
<ip_address>, you enter ping 192.32.10.12
bold body text Indicates objects such as window names, dialog
box names, and icons, as well as user interface
objects such as buttons, tabs, and menu items.
braces ({}) Indicate required elements in syntax descriptions
where there is more than one option. You must
choose only one of the options. Do not type the
braces when entering the command.
Example: If the command syntax is show ip
{alerts|routes}, you must either enter show
ip or show ip routes, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions.
Do not type the brackets when entering the
command.
interfaces [-alerts], you can either
enter show ip interfaces or show ip
interfaces -alerts.
italic text Indicates variables in command syntax descriptions.
Also indicates new terms and book titles. Where
a variable is two or more words, the words are
connected by an underscore.
Example: If the command syntax is show at
<valid_route>,valid_route is one variable,
and you substitute one value for it.
plain Courier text Indicates command syntax and system output, for
example, prompts and system messages.
Example: Set Trap Monitor Filters
NN47215-505 (323165-B) 02.01 Standard
.
Related publications 13
separator ( > ) Shows menu paths.
Example: Protocols > IP identifies the IP command
on the Protocols menu.
vertical line ( | ) Separates choices for command keywords and
arguments. Enter only one of the choices. Do not
type the vertical line when entering the command.
{alerts|routes}, you can either enter show ip
alerts or show ip routes, but not both.
Related publications
For more information about using the Ethernet Routing Switch 2500 Series,
see the following publications:
Nortel Ethernet Routing Switch 2500 Series Release Notes Software
Release 4.1 (NN47215-400)
Documents important changes about the software and hardware that
are not covered in other related publications.
Nortel Ethernet Routing Switch 2500 Series Overview System
Conguration (NN47215-500)
Describes the various management interfaces and how to use them
to congure basic switching features for the Nortel Ethernet Routing
Switch 2500 Series.
Nortel Ethernet Routing Switch 2500 Series Conguration VLANs,
Spanning Tree, and MultiLink Trunking (NN47215-501)
Describes how to congure Virtual Local Area Networks (VLAN),
Spanning Tree Protocol (STP), and MultiLink Trunk (MLT) features for
the Nortel Ethernet Routing Switch 2500 Series.
Nortel Ethernet Routing Switch 2500 Series Conguration Quality of
Service (NN47215-504)
Describes how to congure and manage Quality of Service features for
Nortel Ethernet Routing Switch 2500 Series Performance Management
System Monitoring (NN47215-502)
Describes how to congure system logging and network monitoring,
and how to display system statistics for the Nortel Ethernet Routing
Switch 2500 Series.
NN47215-505 (323165-B) 02.01 Standard
.
14 Introduction
Nortel Ethernet Routing Switch 2500 Series Conguration IP
Multicast (NN47215-503)
Describes how to congure IP Multicast Routing Protocol features for
How to get help
This section explains how to get help for Nortel products and services.
Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel
Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and
tools to address issues with Nortel products. More specically, the site
enables you to:
download software, documentation, and product bulletins
search the Technical Support web site and the Nortel Knowledge Base
for answers to technical issues
sign up for automatic notication of new software and documentation
for Nortel equipment
open and manage technical support cases
Getting help through a Nortel distributor or reseller
If you purchase a service contract for your Nortel product from a distributor
or authorized reseller, contact the technical support staff for that distributor
or reseller.
Getting help over the phone from a Nortel Solutions Center
If you do not nd the information you require on the Nortel Technical Support
Web site, and have a Nortel support contract, you can also get help over the
phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following web site to obtain the phone
number for your region:
www.nortel.com/callus
NN47215-505 (323165-B) 02.01 Standard
.
How to get help 15
Getting help from a specialist by using an Express Routing Code
An Express Routing Code (ERC) is available for many Nortel products and
services. When you use an ERC, your call is routed to a technical support
person who specializes in supporting that product or service. To locate the
ERC for your product or service, go to:
www.nortel.com/erc
NN47215-505 (323165-B) 02.01 Standard
.
16 Introduction
NN47215-505 (323165-B) 02.01 Standard
.
17
Using security in your network
This chapter describes the security features available with the Ethernet
Routing Switch 2500 Series. This chapter discusses the following topics:
"Setting management passwords" (page 17)
"Conguring security options" (page 18)
"EAPOL Security Conguration" (page 23)
"HTTP port number change" (page 26)
"Simple Network Management Protocol" (page 26)
"Advanced EAPOL features" (page 28)
Setting management passwords
To provide security on your switch, you can congure a local or RADIUS
password for management access, or set SNMP community strings.
Console/TELNET/Web password Conguration
Telnet, and Web access allow a user at a remote console terminal to
communicate with the Ethernet Routing Switch 2500 Series as if the console
terminal were directly connected to the Switch. You can establish up to four
active Telnet or Web sessions at one time, in addition to one active Console
connection, for a total of ve possible concurrent users.
Username and password
You can set a local username and password to restrict access to the switch.
The username and password can provide read/write access or read-only
access to the switch. For more information, refer to <x-refs>
ATTENTION
If you set a password, the next time you log on to the switch, you are prompted to
enter a valid username. Therefore, ensure you are aware of the valid usernames
(default RW and RO) before you change passwords. For information about
modifying existing usernames, see "Setting the username and password" (page
35).
NN47215-505 (323165-B) 02.01 Standard
.
18 Using security in your network
Logging on
If you set a password, the next time you access the switch, you are
prompted for a username and password as shown in the (default usernames
are RW and RO).
Enter a valid username and password and press Enter. You are then
directed to the CLI.
For information about modifying the existing usernames, see Login
screen"Setting the username and password" (page 35)
Login screen
Conguring Security options
Ethernet Routing Switch 2500 Series security features provide three levels
of security for your LAN:
RADIUS-based securitylimits administrative access to the switch
through user authentication.
MAC address-based securitylimits access to the switch based on
allowed source MAC addresses.
EAPOL-based security
Figure 1 "Ethernet Routing Switch 2500 Series security feature" (page
19) shows a typical campus conguration that uses the Ethernet Routing
Switch 2500 security features. This example assumes that the switch, the
teachers ofces and classrooms, and the library are physically secured.
The student dormitory can (or can not be) physically secure.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 1
Ethernet Routing Switch 2500 Series security feature
In this conguration example, the following security measures are
implemented:
The switch
RADIUS-based security is used to limit administrative access to the
switch through user authentication (see "RADIUS-based network
security" (page 20)).
MAC address-based security is used to allow up to 448 authorized
stations (MAC addresses) access to one or more switch ports (see
"MAC address-based security" (page 21)).
The switch is located in a locked closet, accessible only by
authorized Technical Services personnel.
Student dormitory
Dormitory rooms are typically occupied by two students and are
prewired with two RJ-45 jacks. Only students who are authorized (as
specied by the MAC address-based security feature) can access the
switch on the secured ports.
NN47215-505 (323165-B) 02.01 Standard
.
Teachers ofces and classrooms
The PCs that are located in the teachers ofces and in the classrooms
are assigned MAC address-based security that is specic for each
classroom and ofce location. The security feature logically locks each
wall jack to the specied station and prevents unauthorized access to
the switch if someone attempts to connect a personal laptop PC into the
wall jack. The printer is assigned as a single station and is allowed
full bandwidth on that switch port.
It is assumed that all PCs are password protected and that the
classrooms and ofces are physically secured.
Library
The wall jacks in the library are set up so that the PCs can be connected
to any wall jack in the room. With this arrangement, you can move
the PCs anywhere in the room. The exception is the printer, which is
assigned as a single station with full bandwidth to that port.
It is assumed that all PCs are password protected and that access to
the library is physically secured.
RADIUS-based network security
The RADIUS-based security feature lets you set up network access control
by using the Remote Authentication Dial-In User Services (RADIUS) security
protocol. The RADIUS-based security feature uses the RADIUS protocol to
authenticate local console, Telnet, SSH, and Web access login sessions.
You need to set up specic user accounts (user names and passwords, and
Service-Type attributes) on your RADIUS server before you can initiate
the authentication process. These accounts provide you with appropriate
levels of access to the switch.
Set the following username attributes on your RADIUS server:
Read-write accessset the Service-Type eld value to Administrative.
Read-only accessset the Service-Type eld value to NAS-Prompt.
For detailed instructions to set up your RADIUS server, see your RADIUS
server documentation.
RADIUS password fallback enhancement
With Release 4.1 software, you can congure RADIUS password fallback as
an option when using RADIUS authentication for login and password.
When RADIUS password fallback is enabled and the RADIUS server is
unavailable or unreachable, you can use the local switch password to log
on to the switch.
NN47215-505 (323165-B) 02.01 Standard
.
When RADIUS password fallback is disabled, you must specify the RADIUS
username and password from the NetLogin screen. Unless the RADIUS
server is congured and reachable, you cannot log on to the switch to
authenticate the login and password.
The Radius password fallback feature is disabled by default.
You can use the following CLI commands to enable and disable this feature:
radius-server password fallback
no radius-server
ATTENTION
The no radius-server CLI command disables the RADIUS fallback feature,
along with the remaining RADIUS conguration.
MAC address-based security
The MAC address-based security feature lets you set up network access
control, based on source MAC addresses of authorized stations.
You can:
Create a list of up to 448 MAC addresses and specify which addresses
are authorized to connect to your switch. The 448 MAC addresses
can be congured within a single standalone switch, or they can be
distributed in any order among the units in a single stack conguration.
Specify which of your switch ports each MAC address is allowed to
access.
The options for allowed port access include: NONE, ALL, and single or
multiple ports that are specied in a list.
Specify optional actions to be exercised by your switch if the software
detects a security violation.
The response can be to send a trap, turn on destination address (DA)
ltering, disable a specic port, or any combination of these three
options.
The MAC address-based security feature is based on Nortel BaySecure
LAN Access for Ethernet, a real-time security system that safeguards
Ethernet networks from unauthorized surveillance and intrusion.
EAPOL-based security
The Ethernet Routing Switch 2500 Series provides security on the basis
of Extensible Authentication Protocol over LAN (EAPOL), and it uses the
EAP as is given in the IEEE 802.IX so that you can set up a network access
control over LANs. With EAP, you can authenticate user information through
a connection between a client and the switch by using an authentication
NN47215-505 (323165-B) 02.01 Standard
.
service such as RADIUS. This security feature works hand-in-hand with
the Radius-based server and thus provides the advantages of remote
authentication to internal LAN clients.
An example follows to show how an Ethernet Routing Switch 2500 Series
reacts when it is congured to the EAPoL security feature and a new
network connection:
When the switch nds a new connection in one of its ports, the following
occurs:
1. The switch asks for a User ID of the new client.
2. The User ID is covered by EAPoL, and it passes on to the Radius
server.
3. The response from the Radius server is to ask for a password of
the user.
Within the EAPoL packet, the new client forwards a password to the
switch:
The EAPoL packet is relayed to the Radius server.
If the Radius server validates the password, the new client is allowed
to access the switch and the network.
The EAPoL-based security is composed of the following terms:
Supplicant- the device applying for network access.
Authenticator- a software with the main purpose of authorizing the
supplicant who is attached at the other end of the LAN segment.
Authentication server- a Radius server that provides authorization
services to an authenticator.
Port Access Entity (PAE)- an entity that supports each port to the
Authenticator or Supplicants. In the example above, the authenticator
PAE is present in the switch.
Controlled Port is a switch port with EAPOL based security. The
authenticator communicates with the Supplicant through EAP over LAN
(EAPoL), which is an encapsulation mechanism.
The authenticator PAE encapsulates the EAP through the RADIUS
server packet and sends it to the authentication server. The
authenticator server sends the packet in an exchange that occurs
between the supplicant and authentication server. This exchange
occurs when the EAP message is encapsulated to make it suitable for
the destination of the packet.
The authenticator determines the operational state of the controlled
port. The RADIUS server noties the authenticator PAE of the success
NN47215-505 (323165-B) 02.01 Standard
.
or failure of the authentication to change the operational state of the
controlled port. PAE functions are then available for each port to forward,
or else the controlled port state depends upon the operational trafc
control eld in the EAPoL conguration screen. Operational trafc can
be of two types:
Incoming and Outgoing- In regards to an unauthorized controlled port,
the frames received and transmitted are discarded, and state of the
port is blocked.
Incoming- Although the frames received for an unauthorized port are
discarded, the transmit frames are forwarded through the port.
EAPoL with Guest VLAN
Basic EAP (802.1x) Authentication supports Port Based User Access. At
any time, only one user (MAC) can be authenticated on a port, and the port
can be assigned to only one Port-based VLAN. Only the MAC address of
the device/user that completed the EAP negotiations on the port has access
to that port for trafc. Any tagging of ingress packets are to the PVID of that
port. This remains the default conguration.
With Software Release 4.1, EAP also allows Guest VLANs to be congured
for access to that port. Any active VLAN can be made a Guest VLAN.
EAPOL Security Conguration
EAPOL security lets you selectively limit access to the switch based on an
authentication mechanism that uses Extensible Authentication Protocol
(EAP) to exchange authentication information between the switch and an
authentication server.
ATTENTION
Before you enable EAPOL, you must congure your Primary RADIUS Server
and RADIUS Shared Secret.
You also need to set up specic user accounts on your RADIUS server:
User names
Passwords
VLAN IDs
Port priority
You can set up these parameters directly on your RADIUS server. For
detailed instructions about conguring your RADIUS server, see your
RADIUS server documentation.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
Do not enable EAPOL security on the switch port that is connected to the
RADIUS server.
Password security
The Ethernet Routing Switch 2500 Series supports the password security
feature that provides enhanced security for switch and stack passwords.
With password security enabled, the following enhanced security features
are applied:
Password length and valid characters
Valid passwords must be between 10 and 15 characters long. The password
must contain a minimum of the following:
two lower-case letters
two capital letters
two numbers
two special symbols, such as:!@#$%^&*()
The password is case sensitive.
Password retry
If the user fails to provide the correct password after a number of consecutive
attempts, the switch resets the logon process. The number of failed logon
attempts is congurable and the default is three.
Password history
The switch keeps a history of the last three passwords. You cannot reuse a
password stored in history. When you set the password for the fourth time,
you can reuse the password that you used the rst time.
Password display
The password is not displayed as clear text. Each character of the password
is substituted with an asterisk (*).
Password verication
When you provide a new password, you must retype the password to
conrm it. If the two passwords do not match, the password update process
fails. In this case, you must try to update the password once again. There is
no limit on the number of times you are allowed to update the password.
NN47215-505 (323165-B) 02.01 Standard
.
Password security 25
Password aging time
Passwords expire after a specied aging period. The aging period is
congurable, with a range of 1 day to approximately 7.5 years (2730 days).
The default is 180 days. When a password has aged out, the user is
prompted to create a new password. Only users with a valid RW password
can create a new RW or RO password.
Read-Only and Read-Write passwords must be different
The RO and RW passwords cannot be the same.
Applicable passwords
The password security feature applies these enhanced features to the
following passwords:
Switch RO password
Switch RW password
Stack RO password
Stack RW password
The password security feature applies only the display and verication
restrictions to the following passwords:
RADIUS Shared Secret
Read-Only community string
Read-Write community string
Enabling and disabling password security
Password security can only be enabled or disabled from the CLI. When
password security is enabled, the following occurs:
Current passwords remain unchanged if they meet the required
specications. If they do not meet the required specications, the user is
prompted to change them to valid passwords.
An empty password history bank is established.
Password verication is enabled.
When password security is disabled, the following occurs:
Current passwords remain valid.
Password history bank is removed.
Password verication is disabled.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
By default, password security is disabled for the non-SSH software image and
enabled for the SSH software image.
Default passwords
For the standard software image, the default password for RO is "user"
and "secure" for RW.
For the secure software image, the default password for RO is "userpasswd"
and "securepasswd" for RW.
HTTP port number change
With this feature, you can dene the UDP or TCP port number used for
HTTP connections to the switch.
This feature provides enhanced security and network access. Port number
80 is the default port for communication between the Web client and the
server. With this feature, you can modify the HTTP port while the switch is
running. The HTTP port value is saved in NVRAM, and also is saved across
reboots of the switch.
For more information, see "Changing the http port number" (page 43).
Simple Network Management Protocol
The Nortel Ethernet Routing Switch 2500 Series supports Simple Network
Management Protocol (SNMP).
SNMP is traditionally used to monitor Unix systems, Windows systems,
printers, modem racks, switches, routers, power supplies, Web servers,
and databases. Any device that runs software that can retrieve SNMP
information can be monitored.
You can also use SNMP to change the state of SNMP-based devices. For
example, you can use SNMP to shut down an interface on your device.
SNMP Version 1 (SNMPv1)
SNMP Version 1 (SNMPv1) is a historic version of the SNMP protocol. It
is dened in RFC 1157 and is an Internet Engineering Task Force (IETF)
standard.
NN47215-505 (323165-B) 02.01 Standard
.
Simple Network Management Protocol 27
SNMPv1 security is based on communities, which are nothing more than
passwords: plain-text strings that allow any SNMP-based application that
knows the strings to gain access to the management information of a
device. There are typically three communities in SNMPv1: read-only,
read-write, and trap.
SNMP Version 2 (SNMPv2) is another historic version of SNMP and is often
referred to as community string-based SNMPv2. This version of SNMP is
technically called SNMPv2c. It is dened in RFC 1905, RFC 1906, and
RFC 1907.
SNMP Version 3 (SNMPv3) is the current formal SNMP standard dened in
RFCs 3410 through 3419, and in RFC 3584. It provides support for strong
authentication and private communication between managed entities.
Nortel Ethernet Routing Switch 2500 Series support for SNMP
The SNMP agent in the Nortel Ethernet Routing Switch 2500 Series
supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c
introduces a standards-based GetBulk retrieval capability using SNMPv1
communities.
SNMPv3 support in the Nortel Ethernet Routing Switch 2500 Series
introduces industrial-grade user authentication and message security. This
includes MD5- and SHA-based user authentication and message integrity
verication, as well as AES, DES, and 3DES-based privacy encryption.
With the Nortel Ethernet Routing Switch 2500 Series you can congure
SNMPv3 by using the Device Manager, Web-based management, or the
CLI.
SNMP MIB support
The Nortel Ethernet Routing Switch 2500 Series supports an SNMP agent
with industry-standard Management Information Bases (MIB), as well as
private MIB extensions, which ensures compatibility with existing network
management tools.
The IETF standard MIBs supported on the switch include MIB-II (originally
published as RFC 1213, then split into separate MIBs as described in RFCs
4293, 4022, and 4113), Bridge MIB (RFC 4188), and the RMON MIB (RFC
2819), which provides access to detailed management statistics.
NN47215-505 (323165-B) 02.01 Standard
.
SNMP trap support
With SNMP management, you can congure SNMP traps (on individual
ports) to generate automatically for conditions such as an unauthorized
access attempt or changes in port operating status.
The Nortel Ethernet Routing Switch 2500 Series supports both
industry-standard SNMP traps, as well as private Nortel enterprise traps.
Advanced EAPOL features
EAPOL supports the following advanced features:
Multihost (MH) support:
Multiple Host with Multiple Authentication (MHMA) (see Multiple
Host with Multiple Authentication)
Non-EAP hosts on EAP-enabled ports (see Non-EAP hosts on
EAP-enabled ports)
Multiple Host with Single Authentication (MHSA) (see Multiple Host
with Single Authentication)
Multiple Host with Multiple Authentication
For an EAP-enabled port congured for Multiple Host with Multiple
Authentication (MHMA), a nite number of EAP users or devices with unique
MAC addresses are allowed on the port.
Each user must complete EAP authentication before the port allows trafc
from the corresponding MAC address. Only trafc from the authorized hosts
is allowed on that port.
Radius-assigned VLAN values are allowed in the MHMA mode. For
information about Radius-assigned VLANs in the MHMA mode, see
Radius-assigned VLAN use in MHMA mode.
MHMA support is on a per-port basis for an EAP-enabled port.
The following are some of the concepts associated with MHMA:
Logical and physical ports
Each unique port and MAC address combination is treated as a logical
port. MAX_MAC_PER_PORT denes the maximum number of MAC
addresses that can perform EAP authentication on a port at any given
time. Each logical port is treated as if it is in the SHSA mode.
Indexing for MIBs
Logical ports are indexed by a port and source MAC address
(src-mac) combination. Enterprise-specic MIBs are dened for state
machine-related MIB information for individual MACs.
Transmitting EAPOL packets
NN47215-505 (323165-B) 02.01 Standard
.
Only unicast packets are sent to a specic port so that the packets
reach the correct destination.
Receiving EAPOL packets
The EAPOL packets are directed to the correct logical port for state
machine action.
Trafc on an authorized port
Only a set of authorized MAC addresses is allowed access to a port.
MHMA support for EAP clients includes the following features:
A port remains on the Guest VLAN when no authenticated hosts exist
on it. Until the rst authenticated host, both EAP and non EAP clients
are allowed on the port.
After the rst successful authentication, only EAPOL packets and data
from the authenticated MAC addresses are allowed on a particular port.
Only a predened number of authenticated MAC users are allowed on
a port.
When RADIUS VLAN assignment is disabled for ports in MHMA mode,
only precongured VLAN assignment for the port is used. Upon
successful authentication, untagged trafc is put it in a VLAN congured
for the port.
When RADIUS VLAN assignment is enabled for ports in MHMA mode,
upon successful RADIUS authentication, the port gets a VLAN value in
a RADIUS Attribute with EAP success. The port is added and the PVID
is set to the rst such VLAN value from the RADIUS server.
Conguration of timer parameters is per physical port, not per user
session. However, the timers are used by the individual sessions on
the port.
Reauthenticate Now, when enabled, causes all sessions on the port to
reauthenticate.
Reauthentication timers are used to determine when a MAC is
disconnected so as to enable another MAC to log in to the port.
Conguration settings are saved across resets.
Radius-assigned VLAN use in MHMA mode
Radius-assigned VLAN use in the MHMA mode is allowed to give you
greater exibility and a more centralized assignment than existed. This
feature is also useful in an IP Phone set up, when the phone trafc can
be directed to the Voice over IP (VoIP) VLAN and the PC Data trafc can
be directed to the assigned VLAN. When Radius-assigned VLAN values
are allowed, the port behaves as follows: the rst authenticated EAP MAC
NN47215-505 (323165-B) 02.01 Standard
.
address may not have a Radius-assigned VLAN value. At this point, the port
is moved to a congured VLAN. A later authenticated EAP MAC address
(for instance, the third one on the port) can get a Radius-assigned VLAN
value. This port is then added, and the port VLAN ID (PVID) is set to the
rst such VLAN value from the Radius server. The VLAN remains the same
irrespective of which MAC leaves, and a change in the VLAN takes place
only when there are no authenticated hosts on the port.
This enhancement works in a very similar manner with the already existing
Radius assigned VLANs feature in SHSA mode. It is basically an extension
of that feature which gives the user the ability to move a port to a specic
VLAN, even if that switch port operates in EAP MHMA mode.
The only restriction of this enhancement is that if you have multiple EAP
clients authenticating on a given switch port (as you normally can in MHMA
mode), each one congured with a different VLAN ID on the Radius server,
the switch moves the port to the VLAN of the rst authenticated client. In
this way, a permanent bounce between different VLANs of the switch port is
avoided.
Following are the steps to enable the enhancement :
Enable Radius assigned VLANs in Global Conguration command
mode:
2526T(config)#eapol multihost use-radius-assigned-vlan
Enable Radius assigned VLANs in interface mode for switch port 1:
2526T(config-if)#eapol multihost port 1 use-radius-assigne
d-vlan
By default, the Radius assigned VLANs in MHMA enhancement is disabled
in global cong and interface modes, for all switch ports.
Non-EAP hosts on EAP-enabled ports
For an EAPOL-enabled port congured for non-EAPOL host support, a nite
number of non-EAPOL users or devices with unique MAC addresses are
allowed access to the port.
The following types of non-EAPOL users are allowed:
Hosts that match entries in a local list of allowed MAC addresses. You
can specify the allowed MAC addresses when you congure the port to
allow non-EAPOL access. These hosts are allowed on the port without
authentication.
Non-EAPOL hosts whose MAC addresses are authenticated by
RADIUS.
Nortel IP Phones.
NN47215-505 (323165-B) 02.01 Standard
.
Support for non-EAPOL hosts on EAPOL-enabled ports is primarily
intended to accommodate printers and other dumb devices sharing a hub
with EAPOL clients.
Support for non-EAPOL hosts on EAPOL-enabled ports includes the
following features:
EAPOL and authenticated non-EAPOL clients are allowed on the port at
the same time. Authenticated non-EAPOL clients are hosts that satisfy
one of the following criteria:
Host MAC address matches an entry in an allowed list precongured
for the port.
Host MAC address is authenticated by RADIUS.
Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts
exist on the port.
When a new host is seen on the port, non-EAPOL authentication is
performed as follows:
If the MAC address matches an entry in the precongured allowed
MAC list, the host is allowed.
If the MAC address does not match an entry in the precongured
allowed MAC list, the switch generates a <username, password> pair,
which it forwards to the network RADIUS server for authentication.
For more information about the generated credentials, see
"Non-EAPOL MAC RADIUS authentication" (page 32).
If the MAC address is authenticated by RADIUS, the host is allowed.
If the MAC address does not match an entry in the precongured
allowed MAC list and also fails RADIUS authentication, the host is
counted as an intruder. Data packets from that MAC address are
dropped.
EAPOL authentication is not affected.
For RADIUS-authenticated non-EAPOL hosts, VLAN information from
RADIUS is ignored. Upon successful authentication, untagged trafc is
put in a VLAN precongured for the port.
For RADIUS-authenticated non-EAPOL hosts, VLAN information from
RADIUS is ignored. Upon successful authentication, untagged trafc
follows the PVID of the port.
Non-EAPOL hosts continue to be allowed on the port until the maximum
number of non-EAPOL hosts is reached. The maximum number of
non-EAPOL hosts allowed is congurable.
After the maximum number of allowed non-EAPOL hosts is reached, any
data packets received from additional non-EAPOL hosts are dropped.
NN47215-505 (323165-B) 02.01 Standard
.
The additional non-EAPOL hosts are counted as intruders. New EAPOL
hosts can continue to negotiate EAPOL authentication.
When the intruder count reaches 32, a SNMP trap and system log
message are generated. The port administrative status is set to
force-unauthorized, and you must reset the port administrative status
(from force-unauthorized to auto) to allow new EAPOL and non-EAPOL
negotiations on the port.
The feature uses enterprise-specic MIBs.
Conguration settings are saved across resets.
ATTENTION
Guest VLAN and non-EAPOL host support on a port are mutually exclusive.
If you have congured a port to support Guest VLAN, you cannot enable
support for non-EAPOL hosts on that port. Similarly, if you have congured an
EAPOL-enabled port to support non-EAPOL hosts, you cannot enable Guest
VLAN on that port. Also, you cannot enable non-EAPOL support on uplink or
call server ports.
For information about conguring non-EAPOL host support, see Conguring
support for non-EAPOL hosts on EAPOL-enabled ports.
Non-EAPOL MAC RADIUS authentication
For RADIUS authentication of a non-EAPOL host MAC address, the switch
generates a <username, password> pair as follows:
The username is the non-EAPOL MAC address in string format.
The password is a string that combines the MAC address, switch IP
address, unit, and port.
The password is a string that combines the MAC address, switch IP
address, unit, and port.
ATTENTION
Use only lowercase letters for usernames and passwords congured on the
Radius server.
Follow these global conguration examples, to select a password format that
combines one or more of these 3 elements:
password = 010010011253..0305 (when the switch IP address, unit and port
are used).
password = 010010011253.. (when only the switch IP address is used).
The following example illustrates the <username, password> pair format:
switch IP address = 10.10.11.253
NN47215-505 (323165-B) 02.01 Standard
.
non-EAP host MAC address = 00 C0 C1 C2 C3 C4
unit = 3
port = 25
username = 00c0c1c2c3c4
password = 010010011253.00c0c1c2c3c4.0325
Multiple Host with Single Authentication
Multiple Host with Single Authentication (MHSA) is a more restrictive
implementation of support for non-EAPOL hosts on EAPOL-enabled ports.
For an EAPOL-enabled port congured for MHSA, one EAPOL user must
successfully authenticate before a nite number of non-EAPOL users or
devices with unique MAC addresses are allowed to access the port without
authentication.
The MHSA feature is intended primarily to accommodate printers and other
dumb devices sharing a hub with EAPOL clients.
MHSA support is on a per-port basis for an EAPOL-enabled port.
MHSA support for non-EAPOL hosts includes the following features:
The port remains unauthorized when no authenticated hosts exist on
it. Before the rst successful authentication occurs, both EAPOL and
non-EAPOL clients are allowed on the port to negotiate access, but at
any time, only one host can negotiate EAPOL authentication.
After the rst EAPOL client successfully authenticates, EAPOL packets
and data from that client are allowed on the port. No other clients
are allowed to negotiate EAPOL authentication. The port is set to
precongured VLAN assignments and priority values or to values
obtained from RADIUS for the authenticated user.
After the rst successful authentication, any new hosts, up to a
congured maximum number, are automatically allowed on the port,
without authentication.
After the maximum number of allowed non-EAPOL hosts is reached, any
data packets received from additional non-EAPOL hosts are dropped.
The additional non-EAPOL hosts are counted as intruders.
When the intruder count reaches 32, a SNMP trap and system log
message are generated. The port administrative status is set to
force-unauthorized, and you must reset the port administrative status
(from force-unauthorized to auto) to allow new EAPOL negotiations
on the port.
If the EAPOL-authenticated user logs off, the port returns to an
unauthorized state and non-EAPOL hosts are not allowed.
This feature uses enterprise-specic MIBs.
NN47215-505 (323165-B) 02.01 Standard
.
The maximum value for the maximum number of non-EAPOL hosts allowed
on an MHSA-enabled port is 32. However, Nortel expects that the usual
maximum value congured for a port is 2. This translates to around 200 for
a box and 800 for a stack.
NN47215-505 (323165-B) 02.01 Standard
.
35
Conguring Security using the CLI
This chapter describes the security commands available with the CLI. This
chapter covers the following topics:
"Securing your system" (page 35)
"Securing your network" (page 80)
Securing your system
You can secure your system using the following CLI commands:
"Setting the username and password" (page 35)
"Conguring the IP manager list" (page 39)
"Changing the http port number" (page 43)
"Setting Telnet access" (page 44)
"Conguring Secure Shell (SSH)" (page 48)
"Setting server for Web-based management" (page 55)
"Conguring the RADIUS-based management password authentication"
(page 56)
"Setting SNMP parameters" (page 58)
Setting the username and password
This section contains information about the following topics:
"username command" (page 35)
"cli password command" (page 36)
username command
The username command sets the system username and password
for access through the serial console port, Telnet, and Web-based
management. This command supports only one read-only and one
read-write user on the switch. The parameters are set for the standalone or
stack environment depending on the current operational mode.
NN47215-505 (323165-B) 02.01 Standard
.
36 Conguring Security using the CLI
The syntax for the username command is:
username <username> <password> [ro|rw]
The username command is executed in the Global Conguration command
mode.
Table 1 "username command parameters and variables" (page 36) describes
the parameters and variables for the username command.
Table 1
username command parameters and variables
Parameters and
variables
Description
<username>
<password>
Enter your username for the first variable, and your
password for the second variable.
The default username values are RO for read-only
access and RW for read/write access.
ro|rw Specifies that you are modifying the read-only (ro)
username or the read-write (rw) username.
The ro/rw variable is optional. If it is omitted, the
command applies to the read-only mode.
ATTENTION
After you congure the username and password with the username command,
if you then update the password using the cli password command (or
through Web-based management), the new password is set, but the username is
unchanged.
cli password command
You can set passwords using the cli password command for selected
types of access using the CLI, Telnet, or RADIUS security.
The CLI password is in two forms and performs the following functions for
the switch:
changes the password for access through the serial console port or
Telnet and Web-based management
species changing the password for the serial console port, or Telnet
and Web-based management access, and whether to authenticate the
password locally or with the RADIUS server
NN47215-505 (323165-B) 02.01 Standard
.
The syntax for the cli password commands is:
cli password {read-only|read-write} <NAME> <PASSWORD>
cli password {serial|telnet}
{none|local|radius}
The cli password command is executed in the Global Conguration
command mode.
Table 2
cli password command parameters and variables
Parameters and
variables
Description
read-only|read-w
rite
Specifies that you are modifying the read-only (ro)
password or the read-write (rw) password.
<NAME>
<PASSWORD>
Enter your username for the first variable, and your
password for the second variable.
serial|telnet Specifies that you are modifying the password for
serial console access or for Telnet and Web-based
management access.
none|local|radiu
s
Specifies the password that you are modifying:
none
disables the password
local
use the locally defined password for serial console or
Telnet access
radius
use RADIUS authentication for serial console or Telnet
access
Setting password security
The following commands can be used in the Global Conguration command
mode to enable, disable and congure Password Security:
"password security command" (page 38)
"no password security command" (page 38)
"show password security command" (page 38)
"password aging-time day command" (page 38)
"show password aging-time day command" (page 39)
"Conguring the number of password logon attempts" (page 39)
NN47215-505 (323165-B) 02.01 Standard
.
password security command
The password security command enables password security on the
switch.
The syntax for the command is:
password security
The password security command has no parameters or variables.
no password security command
The no password security command disables password security on
the switch.
no password security
The no password security command has no parameters or variables.
show password security command
The show password security command displays the current status
of password security on the switch.
show password security
The following shows a sample output for this command:
2550T (config)#show password security
Password security is enabled
The show password security command has no parameters or
variables.
password aging-time day command
The password aging-time day command sets the password aging
time. Password security must be enabled for the command to be available.
The syntax of the command is:
password aging-time <aging-value>
where <aging-value> is between 0 - 2730. A value of 0 causes the password
to age out immediately.
If a new aging time is set from the CLI, the password aging counters are
not reset.
NN47215-505 (323165-B) 02.01 Standard
.
show password aging-time day command
The password aging-time day command shows the congured
password aging-time.
show password aging-time
The following shows a sample output for this command:
2550T (config)#show password aging-time
Aging time: 100 days
Conguring the number of password logon attempts
The telnet-access retry command congures the number of times a
user can attempt a password:.
telnet-access retry <number>
where <number> is an integer in the range 1-100 that species the allowed
number of failed logon attempts. The default is 3.
If a new aging time is set from the CLI, the password aging counters are
not reset.
Conguring the IP manager list
When enabled, the IP manager list determines which source IP addresses
are allowed access to the switch. No other source IP addresses have
access to the switch. You congure the IP manager list by using the
following commands:
"show ipmgr command" (page 39)
"ipmgr command for management system" (page 40)
"no ipmgr command for management system" (page 41)
"ipmgr command for source IP address" (page 42)
"no ipmgr command for source IP address" (page 42)
show ipmgr command
The show ipmgr command displays whether Telnet, SNMP, and Web
access are enabled; whether the IP manager list is used to control access
to Telnet, SNMP, and the Web-based management system; and the current
IP manager list conguration. The syntax for the show ipmgr command is:
show ipmgr
NN47215-505 (323165-B) 02.01 Standard
.
The show ipmgr command is executed in the Privileged EXEC command
mode.
The show ipmgr command has no parameters or variables.
Figure 2 "show ipmgr command output" (page 40) displays sample output
from the show ipmgr command.
Figure 2
show ipmgr command output
ipmgr command for management system
The ipmgr command for the management systems enables the IP manager
list for Telnet, SNMP, or HTTP access. The syntax for the ipmgr command
for the management systems is:
ipmgr {telnet|snmp|web} [source-ip <1-10> <XXX.XXX.XXX.XXX>
[mask <XXX.XXX.XXX.XXX>]]
The ipmgr command for the management systems is executed in the
Global Conguration command mode.
Table 3 "ipmgr command for system management parameters and variables"
(page 40) describes the parameters and variables for the ipmgr command.
Table 3
ipmgr command for system management parameters and variables
Parameters and
variables
Description
telnet|snmp|web Enables IP manager list checking for access to
various management systems:
telnet provides list access using Telnet
access
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
snmp provides list access using SNMP,
including the Device Manager
web provides list access using the Web-based
management system
source-ip <1-10>
<XXX.XXX.XXX.XXX>
Specifies the source IP address from which access
is allowed. Enter the IP address either as an integer
or in dotted-decimal notation.
[mask <XXX.XXX.XXX.X
XX>]
Specifies the subnet mask from which access
is allowed; enter the IP mask in dotted-decimal
notation.
no ipmgr command for management system
The no ipmgr command disables the IP manager list for Telnet, SNMP, or
HTTP access. The syntax for the no ipmgr command for the management
systems is:
no ipmgr {telnet|snmp|web}
The no ipmgr command is executed in the Global Conguration command
mode.
Table 4 "no ipmgr command for management system" (page 41) describes
the parameters and variables for the no ipmgr command.
Table 4
no ipmgr command for management system
Parameters and
variables
Description
telnet|snmp|web Disables IP manager list checking for access to
various management systems:
telnet disables list check for Telnet access
snmp disables list check for SNMP, including
the Device Manager
web disables list check for the Web-based
management system
NN47215-505 (323165-B) 02.01 Standard
.
ipmgr command for source IP address
You can use the ipmgr command for source IP addresses to enter the
source IP addresses or address ranges for which you want to provide
access to the switch. The syntax for the ipmgr command for source IP
addresses is:
ipmgr {source-ip <1-10> <XXX.XXX.XXX.XXX>[mask <XXX.XXX.XXX
.XXX>]}
The ipmgr command for the source IP addresses is executed in the Global
Conguration command mode.
Table 5 "ipmgr command for source IP addresses parameters and variables"
(page 42) describes the parameters and variables for the ipmgr command
for the source IP addresses.
Table 5
ipmgr command for source IP addresses parameters and variables
Parameters and
variables
Description
source-ip <1-10>
<XXX.XXX.XXX.XXX>
Specifies the source IP address from which access
is allowed. Enter the IP address either as an integer
or in dotted-decimal notation.
[mask <XXX.XXX.XXX.X
XX>]
Specifies the subnet mask from which access
is allowed; enter the IP mask in dotted-decimal
notation.
no ipmgr command for source IP address
The no ipmgr command for source IP addresses disables access for
specied source IP addresses or address ranges, and denies them access
to the switch. The syntax for the no ipmgr command for source IP
addresses is:
no ipmgr {source-ip [<1-10>]}
The no ipmgr command for the source IP addresses is executed in the
Table 6 "no ipmgr command for source IP addresses parameters and
variables" (page 43) describes the parameters and variables for the no
ipmgr command for the source IP addresses.
NN47215-505 (323165-B) 02.01 Standard
.
Table 6
no ipmgr command for source IP addresses parameters and variables
Parameters and
variables
Description
source-ip [<1-10>] When you specify an option, this command sets
the IP address and mask for the specified entry to
255.255.255.255 and 255.255.255.255.
When you omit the optional parameter, the list is
reset to the factory defaults.
Changing the http port number
This feature provides enhanced security and network access. The default
HTTP port typically used to communicate between the Web client and the
server is the well-known port 80. With this feature, you can change the
HTTP port.
You can congure this feature by using the following commands:
"show http-port command" (page 43)
"http-port command" (page 44)
"default http-port" (page 44)
show http-port command
The show http-port command displays the port number of the HTTP
port. The syntax for the show http-port command is:
show http-port
The show http-port command is executed in the Privileged EXEC
command mode.
The show http-port command has no parameters or variables.
Figure 3 "show http-port command output" (page 43) displays sample output
from the show http-port command command.
Figure 3
show http-port command output
NN47215-505 (323165-B) 02.01 Standard
.
http-port command
The http-port command sets the port number for the HTTP port. The
syntax for the http-port command is:
http-port <1024-65535>
The http-port command is executed in the Global Conguration
command mode.
Table 7 "http-port command parameters and variables" (page 44) describes
the parameters and variables for the http-port command.
Table 7
http-port command parameters and variables
Parameters and
variables
Description
<1024-65535> Enter the port number you want to be the HTTP port.
ATTENTION
To set the HTTP port to 80, use the default http-port command.
The default value for this parameter is port 80.
default http-port
The default http-port command sets the port number for the HTTP
port to the default value of 80. The syntax for the default http-port
command is:
default http-port
The default http-port command is executed in the Global
The default http-port command has no parameters or variables.
Setting Telnet access
You can also access CLI through a Telnet session. To access CLI remotely,
the management port must have an assigned IP address and remote
access must be enabled. You can log on to the switch using Telnet from a
terminal that has access to the Ethernet Routing Switch 2500 Series.
To open a Telnet session from Device Manager, click on the Telnet icon on
the tool bar (Figure 4 "Telnet icon on Device Manager toolbar" (page 45)) or
click Action > Telnet on the Device Manager tool bar.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 4
Telnet icon on Device Manager toolbar
ATTENTION
Multiple users can access the CLI system simultaneously, through the serial
port, Telnet, and modems. The maximum number of simultaneous users is four
plus one at the serial port for a total of ve users on the switch. All users can
congure simultaneously.
You can view the Telnet allowed IP addresses and settings, change the
settings, or disable the Telnet connection. This section covers the following
topics:
"show telnet-access command" (page 45)
"telnet-access command" (page 46)
"no telnet-access command" (page 47)
"default telnet-access command" (page 48)
show telnet-access command
The show telnet-access command displays the current settings for
Telnet access. The syntax for the show telnet-access command is:
show telnet-access
The show telnet-access command is executed in the Privileged EXEC
command mode.
The show telnet-access command has no parameters or variables.
Figure 5 "show telnet-access command output" (page 46) displays sample
output from the show telnet-access command.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 5
show telnet-access command output
telnet-access command
With the telnet-access command, you can congure the Telnet
connection that is used to manage the switch. The syntax for the
telnet-access command is:
telnet-access [enable|disable] [login-timeout <1-10>] [retry
<1-100>] [inactive-timeout <0-60>] [logging {none|access
|failures|all}] [source-ip <1-10> <XXX.XXX.XXX.XXX>[mask
<XXX.XXX.XXX.XXX>]]
The telnet-access command is executed in the Global Conguration
command mode.
Table 8 "telnet-access command parameters and variables" (page
46) describes the parameters and variables for the telnet-access
command.
Table 8
telnet-access command parameters and variables
Parameters and variables Description
enable|disable Enables or disables Telnet connections.
login-timeout <1-10> Specifies the time in minutes that you want to wait between an
initial Telnet connection and acceptance of a password before
closing the Telnet connection; enter an integer between 1 and
10.
retry <1-100> Specifies the number of times that the user can enter an
incorrect password before closing the connection; enter an
integer between 1 and 100.
inactive timeout <0-60> Specifies in minutes how long to wait before closing an
inactive session; enter an integer between 0 and 60.
NN47215-505 (323165-B) 02.01 Standard
.
logging {none|access|fail
ures|all]
Specifies what types of events you want to save in the event
log:
all Save all access events in the log:
Telnet connect indicates the IP address and access
mode of a Telnet session.
Telnet disconnect indicates the IP address of the
remote host and the access mode, due to either a
log off or inactivity.
Failed Telnet connection attempts indicates the IP
address of the remote host that is not on the list of
allowed addresses, or indicates the IP address of the
remote host that did not supply the correct password.
none No Telnet events are saved in the event log.
access Connect and disconnect events are saved
in the event log.
failure Only failed Telnet connection attempts are
saved in the event log.
[source-ip <1-10> <XX
X.XXX.XXX.XXX>[mask
<XXX.XXX.XXX.XXX>]
Specifies up to 10 source IP addresses from which
connections are allowed. Enter the IP address either as an
integer or in dotted-decimal notation. Specifies the subnet
mask from which connections are allowed; enter the IP
mask in dotted-decimal notation.
ATTENTION
These are the same source IP addresses as in the IP
Manager list. For more information on the IP Manager list,
see "Configuring the IP manager list" (page 39).
no telnet-access command
With the no telnet-access command, you can disable the Telnet
connection. The syntax for the no telnet-access command is:
no telnet-access [source-ip [<1-10>]]
The no telnet-access command is executed in the Global Conguration
command mode.
NN47215-505 (323165-B) 02.01 Standard
.
Table 9 "no telnet-access command parameters and variables" (page
48) describes the parameters and variables for the no telnet-access
command.
Table 9
no telnet-access command parameters and variables
Parameters and
variables
Description
source-ip
[<1-10>]
Disables the Telnet access.
When you do not use the optional parameter, the
source-ip list is cleared, meaning that the 1st index is
set to 0.0.0.0./0.0.0.0. and the 2nd to 10th indexes
are set to 255.255.255.255/255.255.255.255. When
you do specify a source-ip value, the specified pair is
set to 255.255.255.255/255.255.255.255.
ATTENTION
These are the same source IP addresses as in the
IP Manager list. For more information on the IP
Manager list, see "Configuring the IP manager list"
(page 39).
default telnet-access command
The default telnet-access command sets the Telnet settings to the
default values. The syntax for the default telnet-access command is:
default telnet-access
The default telnet-access command is executed in the Global
The default telnet-access command has no parameters or values.
Conguring Secure Shell (SSH)
This section provides the Conguring SSH using the Command Line
Interface commands for conguring and managing SSH on the Ethernet
Routing Switch 2500 Series. The SSH protocol provides secure access to
the CLI. By using the CLI, you can execute the following commands:
"show ssh global command" (page 49)
"show ssh session command" (page 50)
"show ssh download-auth-key command" (page 50)
NN47215-505 (323165-B) 02.01 Standard
.
"ssh dsa-host-key command" (page 51)
"no ssh dsa-host-key command" (page 51)
"ssh command" (page 51)
"no ssh command" (page 51)
"ssh secure command" (page 52)
"ssh timeout command" (page 52)
"ssh dsa-auth command" (page 52)
"no ssh dsa-auth command" (page 53)
"ssh pass-auth command" (page 53)
"no ssh pass-auth command" (page 53)
"ssh port command" (page 53)
"ssh download-auth-key command" (page 54)
"no ssh dsa-auth-key command" (page 54)
"default ssh command" (page 54)
show ssh global command
The show ssh global command displays the secure shell conguration
information. The syntax for the show ssh global command is:
show ssh global
The show ssh global command is executed in the Privileged EXEC
command mode.
The show ssh global command has no parameters or variables.
Figure 6 "show ssh global command output" (page 49) displays sample
output from the show ssh global command
Figure 6
show ssh global command output
NN47215-505 (323165-B) 02.01 Standard
.
show ssh session command
The show ssh session command displays the SSH session information.
The session information includes the session ID and the host IP address.
A host address of 0.0.0.0 indicates no connection for that session ID. The
syntax for the show ssh session command is:
show ssh session
The show ssh session command is executed in the Privileged EXEC
command mode.
The show ssh session command has no parameters or variables.
Figure 7 "show ssh session command output" (page 50) displays sample
output from the show ssh session command.
Figure 7
show ssh session command output
show ssh download-auth-key command
The show ssh download-auth-key command displays the results of
the most recent attempt to download the DSA public key from the TFTP
server. The syntax for the show ssh download-auth-key command is:
show ssh download-auth-key
The show ssh download-auth-key command is executed in the
Privileged EXEC command mode.
The show ssh download-auth-key command has no parameters or
variables.
Figure 8 "show ssh download-auth-key command output" (page 50) displays
sample output from the ssh download-auth-key command.
Figure 8
show ssh download-auth-key command output
NN47215-505 (323165-B) 02.01 Standard
.
ssh dsa-host-key command
The switch starts generating the DSA host keys immediately after the ssh
dsa-host-key command is given. A reboot is not necessary.
ATTENTION
You cannot enable SSH while the host key is being generated.
This command can only be executed in SSH disable mode. The syntax of
the ssh dsa-host-key command is:
ssh dsa-host-key
The ssh dsa-host-key command is executed in the Global Conguration
command mode.
There are no parameters or variables for the ssh dsa-host-key
command.
no ssh dsa-host-key command
The no ssh dsa-host-key-gen command deletes the DSA host key in
the switch. The syntax of the no ssh dsa-host-key-gen command is:
no ssh dsa-host-key
The no ssh dsa-host-key command is executed in the Global
There are no parameters or variables for the no ssh dsa-host-key
command.
ssh command
The ssh command enables the SSH server on the Ethernet Routing Switch
2500 Series in nonsecure mode. In addition to accepting SSH connections,
the Ethernet Routing Switch 2500 Series continues to accept Web, SNMP,
and Telnet connections while in this mode.The syntax of the ssh command
is:
ssh
The ssh command is executed in the Global Conguration command mode.
There are no parameters or variables for the ssh command.
no ssh command
The no ssh command disables the SSH server on the Ethernet Routing
Switch 2500 Series. The syntax of the no ssh command is:
no ssh
NN47215-505 (323165-B) 02.01 Standard
.
The no ssh command executed in the Global Conguration command
mode.
There are no parameters or variables for the no ssh command.
ssh secure command
The ssh secure command enables the SSH server on the Ethernet
Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet
Routing Switch 2500 Series does not accept Web, SNMP, or Telnet
connections. The syntax of the ssh secure command is:
ssh secure
The ssh secure command executed in the Global Conguration command
mode.
There are no parameters or variables for the ssh secure command.
ssh timeout command
The ssh timeout command sets the timeout value for session
authentication. The syntax of the ssh timeout command is:
ssh timeout <1-120>
The ssh timeout command executed in the Global Conguration
command mode.
Table 10 "ssh timeout command parameters and variables" (page
52) describes the parameters and variables for the ssh timeout
command.
Table 10
ssh timeout command parameters and variables
<1-120> Specifies the timeout value for authentication. The
default is 60.
ssh dsa-auth command
The ssh dsa-auth command enables DSA authentication. The syntax of
the ssh dsa-auth command is:
ssh dsa-auth
The ssh dsa-auth commandexecuted in the Global Conguration
command mode.
There are no parameters or variables for the ssh dsa-auth command.
NN47215-505 (323165-B) 02.01 Standard
.
no ssh dsa-auth command
The no ssh dsa-auth command disables DSA authentication. The
syntax for the no ssh dsa-auth command is:
no ssh dsa-auth
The no ssh dsa-auth command executed in the Global Conguration
command mode.
There are no parameters or variables for the no ssh dsa-auth command.
ssh pass-auth command
The ssh pass-auth command enables password authentication. The
syntax of the ssh pass-auth command is:
ssh pass-auth
The ssh pass-auth command executed in the Global Conguration
command mode.
There are no parameters or variables for the ssh pass-auth command.
no ssh pass-auth command
The no ssh pass-auth command disables password authentication. The
syntax of the no ssh pass-auth command is:
no ssh pass-auth
The no ssh pass-auth command executed in the Global Conguration
command mode.
There are no parameters or variables for the no ssh pass-auth
command.
ssh port command
The ssh port command sets the SSH connection port. The syntax of
the ssh port command is:
ssh port <1-65535>
The ssh portcommand is executed in the Global Conguration command
mode.
Table 11 "ssh port command parameters and variables" (page 54) describes
the parameters and variables for the ssh port command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 11
ssh port command parameters and variables
Parameters and
variables
Description
<1-65535> Specifies the SSH connection port. The default is 22.
ssh download-auth-key command
The ssh download-auth-key command downloads the client public key
from the TFTP server to the Ethernet Routing Switch 2500 Series. The
syntax for the ssh download-auth-key is:
ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name
<file>]
The ssh download-auth-key command is executed in the Global
Table 12 "ssh download-auth-key command parameters and variables"
(page 54) describes the parameters and variables for the ssh
download-auth-key command.
Table 12
ssh download-auth-key command parameters and variables
Parameters and
variables
Description
address
<XXX.XXX.XXX.XXX>
The IP address of the TFTP server.
key-name <file> The name of the public key file on the TFTP server.
no ssh dsa-auth-key command
The no ssh dsa-auth-key command deletes the SSH DSA
authentication key. The syntax for the command is:
no ssh dsa-auth-key
The no ssh dsa-auth-key command is executed in the Global
There are no parameters or variables for the no ssh dsa-auth-key
command.
default ssh command
The default ssh command resets the specic secure shell conguration
parameter to the default value. The syntax of the default ssh command
is:
NN47215-505 (323165-B) 02.01 Standard
.
default ssh [dsa-auth|pass-auth|port|timeout]
The default ssh command is executed in the Global Conguration
command mode.
Table 13 "default ssh command parameters and variables" (page
55) describes the parameters and variables for the default ssh
command.
Table 13
default ssh command parameters and variables
Parameters and
variables
Description
dsa-auth Resets dsa-auth to the default value. Default is
True.
pass-auth Resets pass-auth to the default value. Default is
True.
port Resets the port number for SSH connections to the
default. Default is 22.
timeout Resets the timeout value for session authentication
to the default. Default is 60.
Setting server for Web-based management
You can enable or disable the Web server to use for the Web-based
management system. This section discusses the following commands:
"web-server" (page 55)
"no web-server" (page 56)
web-server
The web-server command enables or disables the Web server that
you use for Web-based management. The syntax for the web-server
command is:
web-server {enable|disable}
The web-server command is executed in the Global Conguration
command mode.
Table 14 "web-server command parameters and variables" (page
56) describes the parameters and variables for the web-server command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 14
web-server command parameters and variables
Parameters and
variables
Description
enable|disabl
e
Enables or disables the Web server.
no web-server
The no web-server command disables the Web server that you use for
Web-based management. The syntax for the no web-server command
is:
no web-server
The no web-server command is executed in the Global Conguration
command mode.
The no web-server command has no parameters or values.
Conguring the RADIUS-based management password authentication
By using the RADIUS protocol and server, you can congure the
Ethernet Routing Switch 2500 Series for authentication. To congure
this authentication by using the CLI system, you can use the following
commands:
"show radius-server command" (page 56)
"radius-server command" (page 57)
"no radius-server command" (page 58)
"default radius-server command" (page 58)
"radius-server password fallback command" (page 58)
show radius-server command
The show radius-server command displays the RADIUS server
conguration. The syntax for the show radius-server command is:
show radius-server
The show radius-server command is executed in the Privileged EXEC
command mode.
The show radius-server command has no parameters or variables.
Figure 9 "show radius-server command output" (page 57) shows sample
output from the show radius-server command.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 9
show radius-server command output
radius-server command
The radius-server command changes the RADIUS server settings. The
syntax for the radius-server command is:
radius-server host <address> [secondary-host <address>] port
<num> key <string> timeout <num>
ATTENTION
When password security is enabled, you must omit the <string> variable from the
command line and end the command immediately after key. The switch then
prompts you to enter and conrm the string.
The radius-server command is executed in the Global Conguration
command mode.
Table 15 "radius-server command parameters and variables" (page
57) describes the parameters and variables for the radius-server
command.
Table 15
radius-server command parameters and variables
Parameters and
variables
Description
primary-host
<address>
Specifies the primary RADIUS server. Enter the IP
address of the RADIUS server.
secondary-host
<address>
Specifies the secondary RADIUS server. Enter the IP
address of the secondary RADIUS server.
port <num> Enter the port number of the RADIUS server.
key <string> Specifies a secret text string that is shared between
the switch and the RADIUS server for authentication.
Enter the secret string, which is an alphanumeric string
of up to 16 characters.
timeout <num> Specifies the RADIUS time-out period.
NN47215-505 (323165-B) 02.01 Standard
.
no radius-server command
The no radius-server command clears the RADIUS server settings.
The syntax for the no radius-server command is:
no radius-server
The no radius-server command is executed in the Global Conguration
command mode.
The no radius-server command has no parameters or values.
default radius-server command
The default radius-server command sets the RADIUS server settings
to the default values. The syntax for the default radius-server
command is:
default radius-server
The default radius-server command is executed in the Global
The default radius-server command has no parameters or values.
radius-server password fallback command
With the radius-server password fallback command, you
can congure password fallback as an option when you use RADIUS
authentication for login and password. When both RADIUS servers are
unreachable the user can log in using the local passwords.
The syntax for the radius-server password fallback command is:
radius-server password fallback
The radius-server password fallback command is executed in the
Setting SNMP parameters
For information about setting SNMP parameters and traps, see the following
sections:
"Common SNMP and SNMPv3 CLI commands" (page 58)
"CLI commands specic to SNMPv3" (page 69)
Common SNMP and SNMPv3 CLI commands
This section describes the common CLI commands that you can use to
congure SNMP and SNMPv3. For details about the SNMP CLI commands
that are specic to SNMPv3, see "CLI commands specic to SNMPv3"
(page 69).
NN47215-505 (323165-B) 02.01 Standard
.
The switch provides the following CLI commands to congure SNMP and
SNMPv3:
"snmp-server command" (page 59)
"no snmp-server command" (page 60)
"snmp-server authentication-trap command" (page 60)
"no snmp-server authentication-trap command" (page 61)
"default snmp-server authentication-trap command" (page 61)
"snmp-server community for read/write command" (page 61)
"no snmp-server community command" (page 62)
"default snmp-server community command" (page 63)
"show snmp-server community command" (page 64)
"snmp-server contact command" (page 64)
"no snmp-server contact command" (page 64)
"default snmp-server contact command" (page 64)
"snmp-server location command" (page 65)
"no snmp-server location command" (page 65)
"default snmp-server location command" (page 66)
"snmp-server name command" (page 66)
"no snmp-server name command" (page 66)
"default snmp-server name command" (page 67)
"snmp trap link-status command" (page 67)
"no snmp trap link-status command" (page 68)
"default snmp trap link-status command" (page 69)
snmp-server command
The snmp-server command enables or disables the SNMP server. The
syntax for the snmp-server command is:
snmp-server {enable|disable}
The snmp-server command is executed in the Global Conguration
command mode.
Table 16 "snmp-server command parameters and variables" (page
60) describes the parameters and variables for the snmp-servercommand.
NN47215-505 (323165-B) 02.01 Standard
.
Table 16
snmp-server command parameters and variables
enable|disable Enables or disables the SNMP server.
no snmp-server command
The no snmp-server command disables SNMP access. The syntax for
the no snmp-server command is:
no snmp-server
The no snmp-server command is executed in the Global Conguration
command mode.
The no snmp-server command has no parameters or variables.
ATTENTION
Disabling SNMP access also locks you out of the Device Manager management
system.
snmp-server authentication-trap command
The snmp-server authentication-trap command enables or
disables the generation of SNMP authentication failure traps. The syntax for
the snmp-server authentication-trap command is:
snmp-server authentication-trap {enable|disable}
The snmp-server authentication-trap command is executed in the
Table 17 "snmp-server authentication-trap command parameters and
variables" (page 60) describes the parameters and variables for the
snmp-server authentication-trap command.
Table 17
snmp-server authentication-trap command parameters and variables
Parameters and
variables
Description
enable|disable Enables or disables the generation of authentication
failure traps.
NN47215-505 (323165-B) 02.01 Standard
.
no snmp-server authentication-trap command
The no snmp-server authentication-trap command disables the
generation of SNMP authentication failure traps. The syntax for the no
snmp-server authentication-trap command is:
no snmp-server authentication-trap
The no snmp-server authentication-trap command is executed in
the Global Conguration command mode.
The no snmp-server authentication-trap command has no
parameters or variables.
default snmp-server authentication-trap command
The default snmp-server authentication-trap command
restores SNMP authentication trap conguration to the default settings.
The syntax for the default snmp-server authentication-trap
command is:
default snmp-server authentication-trap
The default snmp-server authentication-trap command is
executed in the Global Conguration command mode.
The default snmp-server authentication-trap command has
no parameters or variables.
snmp-server community for read/write command
The snmp-server community command for read/write modies the
community strings for SNMP v1 and SNMPv2c access. The syntax for the
snmp-server community for read/write command is:
snmp-server community <community-string> [ro|rw]
The snmp-server community read/write command is executed in the
This command congures a single read-only or a single read/write
community. A community congured using this command has no access to
any of the SNMPv3 MIBs.
This command affects community strings created prior to Release 3.0
software. These community strings have a xed MIB view.
Table 18 "snmp-server community for read/write command parameters
and variables" (page 62) describes the parameters and variables for the
snmp-server community for read/write command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 18
snmp-server community for read/write command parameters and variables
<community-string>
Changes community strings for SNMP v1 and
SNMPv2c access. Enter a community string
that functions as a password and permits
access to the SNMP protocol. If you set the
value to NONE, it is disabled.
ATTENTION
This parameter is not available when
Password Security is enabled, in which
case, the switch prompts you to enter and
confirm the new community string.
ro|rw
Specifies read-only or read/write access.
Stations with ro access can retrieve only
MIB objects, and stations with rw access can
retrieve and modify MIB objects.
ATTENTION
If neither ro nor rw is specified, ro is
assumed (default).
no snmp-server community command
The no snmp-server community command clears the snmp-server
community conguration. The syntax for the no snmp-server
community command is:
no snmp-server community {ro|rw|<community-string>}
The no snmp-server community command is executed in the Global
If you do not specify a read-only or read/write community parameter, all
community strings are removed, including all communities controlled
by the snmp-server community command and the snmp-server
community command for read-write.
NN47215-505 (323165-B) 02.01 Standard
.
If you specify read-only or read/write, then only the read-only or read/write
community is removed. If you specify the name of a community string, then
the community string with that name is removed.
Table 19 "no snmp-server community command parameters and variables"
(page 63) describes the parameters and variables for the no snmp-server
community command.
Table 19
no snmp-server community command parameters and variables
ro|rw| Sets the specified community string value to
NONE, thereby disabling it.
<community-string> Deletes the specified community string from
the SNMPv3 MIBs (that is, from the new-style
configuration).
default snmp-server community command
The default snmp-server community command restores the
community string conguration to the default settings. The syntax for the
default snmp-server community command is:
default snmp-server community [ro|rw]
The default snmp-server community command is executed in the
If the read-only or read/write parameter is omitted from the command, all
communities are restored to their default settings. The read-only community
is set to public, the read/write community is set to private, and all other
communities are deleted.
Table 20 "default snmp-server community command parameters and
variables" (page 63) describes the parameters and variables for the
default snmp-server community command.
Table 20
default snmp-server community command parameters and variables
ro|rw Restores the read-only community to public,
or the read/write community to private.
NN47215-505 (323165-B) 02.01 Standard
.
show snmp-server community command
The show snmp-server community command displays the SNMP
community string conguration. (The community strings are not
displayed when Password Security is enabled.) The syntax for the show
snmp-server community command is:
show snmp-server community
The show snmp-server command is executed in the Privileged EXEC
command mode.
snmp-server contact command
The snmp-server contact command congures the SNMP sysContact
value. The syntax for the snmp-server contact command is:
snmp-server contact <text>
The snmp-server contact command is executed in the Global
Table 16 "snmp-server command parameters and variables" (page
60) describes the parameters and variables for the snmp-server
contact command.
Table 21
snmp-server contact command parameters and variables
<text> Specifies the SNMP sysContact value; enter
an alphanumeric string.
no snmp-server contact command
The no snmp-server contact command clears the sysContact value.
The syntax for the no snmp-server contact command is:
no snmp-server contact
The no snmp-server contact command is executed in the Global
The no snmp-server contact command has no parameters or variables.
default snmp-server contact command
The default snmp-server contact command restores the sysContact
value to the default value. The syntax for the default snmp-server
contact command is:
default snmp-server contact
NN47215-505 (323165-B) 02.01 Standard
.
The default snmp-server contact command is executed in the
The default snmp-server contact command has no parameters
or variables.
snmp-server location command
The snmp-server location command congures the SNMP
sysLocation value. The syntax for the snmp-server location command
is:
snmp-server location <text>
The snmp-server location command is executed in the Global
Table 22 "snmp-server location command parameters and variables"
(page 65) describes the parameters and variables for the snmp-server
location command command.
Table 22
snmp-server location command parameters and variables
Parameters and
variables
Description
<text> Specifies the SNMP sysLocation value; enter an
alphanumeric string of up to 255 characters.
no snmp-server location command
The no snmp-server location command clears the SNMP sysLocation
value. The syntax for the no snmp-server location command is:
no snmp-server location <text>
The no snmp-server location command is executed in the Global
Table 23 "no snmp-server location command parameters and variables"
(page 65) describes the parameters and variables for the no snmp-server
location command.
Table 23
no snmp-server location command parameters and variables
Parameters and
variables
Description
<text> Specifies the SNMP sysLocation value. Enter a string of
up to 255 characters.
NN47215-505 (323165-B) 02.01 Standard
.
default snmp-server location command
The default snmp-server location command restores sysLocation
to the default value. The syntax for the default snmp-server
location command is:
default snmp-server location
The default snmp-server location command is executed in the
The default snmp-server location command has no parameters
or variables.
snmp-server name command
The snmp-server name command congures the SNMP sysName value.
The syntax for the snmp-server name command is:
snmp-server name <text>
The snmp-server name command is executed in the Global Conguration
command mode.
Table 24 "snmp-server name command parameters and variables" (page
66) describes the parameters and variables for the snmp-server name
command.
Table 24
snmp-server name command parameters and variables
Parameters and
variables
Description
<text> Specifies the SNMP sysName value; enter an
no snmp-server name command
The no snmp-server name command clears the SNMP sysName value.
The syntax for the no snmp-server name command is:
no snmp-server name <text>
The no snmp-server name command is executed in the Global
Table 25 "no snmp-server name command parameters and variables" (page
67) describes the parameters and variables for the no snmp-server
name command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 25
no snmp-server name command parameters and variables
Parameters and
variables
Description
default snmp-server name command
The default snmp-server name command restores sysName to the
default value. The syntax for the default snmp-server name command
is:
default snmp-server name
The default snmp-server name command is executed in the Global
Table 26 "default snmp-server name command parameters and variables"
(page 67) describes the parameters and variables for the default
snmp-server name command.
Table 26
default snmp-server name command parameters and variables
Parameters and
variables
Description
snmp trap link-status command
The snmp trap link-status command enables the linkUp/linkDown
traps for the port. The syntax of the command is:
snmp trap link-status [port <portlist>]
The snmp trap link-status command is executed in the Interface
Table 27 "snmp trap link-status command parameters and variables"
(page 68) describes the parameters and variables for the snmp trap
link-status command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 27
snmp trap link-status command parameters and variables
Parameters and
variables
Description
port <portlist>
Specifies the port numbers on which to enable the
linkUp/linkDown traps. Enter the port numbers or all.
ATTENTION
If you omit this parameter, the system uses the port
number specified with the interface command.
disable|enable Disables or Enables generation of linkUp/Down traps.
no snmp trap link-status command
The no snmp trap link-status command disables the
linkUp/linkDown traps for the port. The syntax of the no snmp trap
link-status command is:
no snmp trap link-status [port <portlist>]
The no snmp trap link-status command is executed in the Interface
Table 28 "no snmp trap link-status command parameters and variables"
(page 68) describes the parameters and variables for the no snmp trap
Table 28
no snmp trap link-status command parameters and variables
Parameters and
variables
Description
port <portlis
t>
Specifies the port numbers on which to disable the
ATTENTION
NN47215-505 (323165-B) 02.01 Standard
.
default snmp trap link-status command
The default snmp trap link-status command disables the
linkUp/linkDown traps for the port. The syntax of the command is:
default snmp trap link-status [port <portlist>]
The default snmp trap link-status command is executed in the
Interface Conguration command mode.
Table 29 "default snmp trap link-status command parameters and variables"
(page 69) describes the parameters and variables for the no snmp trap
Table 29
default snmp trap link-status command parameters and variables
Parameters and
variables
Description
port <portlist>
Specifies the port numbers on which to disable the
ATTENTION
CLI commands specic to SNMPv3
This section describes the unique CLI commands for conguring SNMPv3.
For details about the CLI commands that are common to both SNMP and
SNMPv3, see "Common SNMP and SNMPv3 CLI commands" (page 58).
The following SNMP commands are specic to SNMPv3:
"snmp-server user command" (page 70)
"no snmp-server user command" (page 72)
"snmp-server view command" (page 73)
"no snmp-server view command" (page 74)
"snmp-server host for new-style table command" (page 75)
"no snmp-server host for new-style table command" (page 76)
"default snmp-server host command" (page 76)
"snmp-server community command" (page 77)
"snmp-server bootstrap command" (page 79)
NN47215-505 (323165-B) 02.01 Standard
.
snmp-server user command
The snmp-server user command creates an SNMPv3 user. The syntax
for the snmp-server user command is:
snmp-server user [engine-id <engineid>] <username>
[read-view <view-name>]
[write-view <view-name>][notify-view <view-name>]
[{md5|sha} <password>[read-view <view-name>]
[{3des|aes|des} <password> [read-view <view-name>]
The snmp-server user command is executed in the Global Conguration
command mode.
The sha and des parameters are available only if the switch image has
full SHA/DES support.
The command shows three sets of read/write/notify views. The rst set
species unauthenticated access. The second set species authenticated
access. The third set species authenticated and encrypted access.
You can specify authenticated access only if the md5 or sha parameter is
included. Likewise, you can specify authenticated and encrypted access
only if the des, aes, or 3des parameter is included.
If you omit the authenticated view parameters, authenticated access
uses the views specied for unauthenticated access. If you omit all the
authenticated and encrypted view parameters, the authenticated and
encrypted access uses the same views that are used for authenticated
access. These views are the unauthenticated views, if all the authenticated
views are also omitted.
Table 30 "snmp-server user command parameters and variables" (page
70) describes the parameters and variables for the snmp-server user
command.
Table 30
snmp-server user command parameters and variables
Parameters and
variables
Description
engine-id
<engineid>
Specifies the SNMP engine ID of the remote SNMP
entity.
<username> Specifies the user names; enter an alphanumeric
string of up to 255 characters.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
md5/sha <password>
Specifies the use of an md5/sha authentication
passphrase.
password specifies the new users md5

/sha authentication passphrase; enter an
alphanumeric string.
If this parameter is omitted, the user is created with
only unauthenticated access rights.
ATTENTION
This parameter is not available when Password
Security is enabled, in which case the switch
prompts you to enter and confirm the new
password.
read-view
<view-name>
Specifies the read view to which the new user has
access:
view-name specifies the view name; enter an
write-view
<view-name>
Specifies the write view to which the new user has
access:
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
notify-view
<view-name>
Specifies the notify view to which the new user has
access:
des/aes/3des
<password>
Specifies the use of a des/aes/3des privacy
passphrase.
password specifies the new users

des/aes/3des privacy passphrase; enter an
alphanumeric string of minimum 8 characters.
If this parameter is omitted, the user is created
with only authenticated access rights.
ATTENTION
Security is enabled, in which case the switch
password.
no snmp-server user command
The no snmp-server user command deletes the specied user. The
syntax for the no snmp-server user command is:
no snmp-server user [engine-id <engineid>] <username>
The no snmp-server user command is executed in the Global
Table 31 "no snmp-server user command parameters and variables" (page
user command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 31
no snmp-server user command parameters and variables
Parameters and
variables
Description
engine-id
<engineid>
Specifies the SNMP engine ID of the remote SNMP
entity.
<username> Specifies the user to be removed.
snmp-server view command
The snmp-server view command creates an SNMPv3 view. The view
is a set of MIB object instances that can be accessed. The syntax for the
snmp-server view command is:
snmp-server view <view-name> <OID> [<OID> [<OID>
[<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]]
The snmp-server view command is executed in the Global Conguration
command mode.
T Table 32 "snmp-server view command parameters and variables" (page
73)describes the parameters and variables for the snmp-server view
command.
Table 32
snmp-server view command parameters and variables
Parameters and
variables
Description
<viewname> Specifies the name of the new view; enter an
alphanumeric string.
<OID> Specifies the Object identifier. OID can be entered as
a MIB object English descriptor, a dotted form OID, or
a mix of the two. Each OID can also be preceded by a
plus (+) or minus () sign (if the minus sign is omitted, a
plus sign is implied). For the dotted form, a subidentifier
can be an asterisk (*), which indicates a wildcard. Some
examples of valid OID parameters are as follows:
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
sysName
+sysName
-sysName
+sysName.0
+ifIndex.1
-ifEntry.*.1 (matches all objects in the if Table
with an instance of 1, that is, the entry for interface
#1)
1.3.6.1.2.1.1.1.0 (dotted form of sysDescr)
The plus (+) or minus () sign indicates whether
the specified OID is included in or excluded from,
respectively, the set of MIB objects that are accessible
by using this view. For example, if you create a view
as follows:
snmp-server view myview +system -sysDescr
and you use that view for the read-view of a user, then
the user can read only the system group, except for
sysDescr.
no snmp-server view command
The no snmp-server view command deletes the specied view. The
syntax for the no snmp-server view command is:
no snmp-server view <viewname>
The no snmp-server view is executed in the Global Conguration
command mode.
Table 33 "no snmp-server view command parameters and variables" (page
view command.
Table 33
no snmp-server view command parameters and variables
Parameters and
variables
Description
<viewname> Specifies the name of the view to be removed. If no
view is specified, all views are removed.
NN47215-505 (323165-B) 02.01 Standard
.
snmp-server host for the new-style table command
The snmp-server host for the new-style table command adds a trap
receiver to the new-style conguration (that is, to the SNMPv3 tables). You
can create several entries in this table, and each can generate v1, v2c, or
v3 traps. You must previously congure the community string or user that
is specied with a notify-view. The syntax for the snmp-server host
for the new-style table command is:
snmp-server host <host-ip> [port <1-65535>]
{<community-string>|v2c <community-string>|
v3 {auth|no-auth|auth-priv} <username>}
The snmp-server host for the new-style table command is executed in
Table 34 "snmp-server host for the new-style table command parameters
and variables" (page 75) describes the parameters and variables for the
snmp-server host for the new-style table command.
Table 34
snmp-server host for the new-style table command parameters and variables
<host-ip> Enter a dotted-decimal IP address of a host to
be the trap destination.
port <1-65535> Sets SNMP trap port.
<community-string> If you do not specify a trap type, this variable
creates v1 trap receivers in the SNMPv3 MIBs.
You can create multiple trap receivers with
varying access levels.
v2c <community-string> Using v2c creates v2c trap receivers in the
SNMPv3 MIBs. You can create multiple trap
receivers with varying access levels.
v3 {auth|no-auth|
auth-priv}
Using v3 creates v3 trap receivers in the
SNMPv3 MIBs. You can create multiple trap
receivers with varying access levels by entering
the following variables:
auth|no-auth Specifies whether
SNMPv3 traps can be authenticated.
auth-privThis parameter is only
available if the image has full SHA/DES
support.
NN47215-505 (323165-B) 02.01 Standard
.
<username> Specifies the SNMPv3 username for trap
destination; enter an alphanumeric string.
no snmp-server host for the new-style table command
The no snmp-server for new-style table command deletes trap receivers
from the new-style table (SNMPv3 MIB). Any trap receiver that matches
the IP address and SNMP version is deleted. The syntax for the no
snmp-server host for new-style table command is:
no snmp-server host <host-ip> {v1|v2c|v3}
The no snmp-server host for the new-style table command is executed
in the Global Conguration command mode.
Table 35 "no snmp-server host for the new-style command parameters and
snmp-server for the new-style table command.
Table 35
no snmp-server host for the new-style command parameters and variables
Parameters and
variables
Description
<host-ip> Enter the IP address of a trap destination host.
v1|v2c|v3 Specifies the trap receivers in the SNMPv3 MIBs.
default snmp-server host command
The default snmp-server host command restores the table
to defaults (that is, it clears the table). The syntax for the default
snmp-server host command is:
default snmp-server host
The default snmp-server host command is executed in the Global
The default snmp-server host command has no parameters or
variables.
NN47215-505 (323165-B) 02.01 Standard
.
snmp-server community command
With the snmp-server community command, you can create community
strings with varying levels of read, write, and notication access based on
SNMPv3 views. These community strings are separate from those created
by using the snmp-server community command for read/write.
This command affects community strings stored in the SNMPv3
snmpCommunityTable, which allows several community strings to be
created. These community strings can have any MIB view.
The syntax for the snmp-server community command is:
snmp-server community <community-string>
{read-view <view-name>|write-view <view-name>|
notify-view <view-name>}
The snmp-server community command is executed in the Global
Table 36 "snmp-server community command parameters and variables"
community command.
Table 36
snmp-server community command parameters and variables
Parameters and
variables
Description
<community-
string>
Enter a community string to be created with access to
the specified views.
ATTENTION
Security is enabled, in which case, the switch
community string.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
read-view
<view-name>
Changes the read view used by the new community
string for different types of SNMP operations.
view-name specifies the name of the view
that is a set of MIB objects/instances that can be
accessed; enter an alphanumeric string.
ro Read-only access with this community string.
rw Read-write access with this community string.
write-view
<view-name>
Changes the write view used by the new community
string for different types of SNMP operations.
notify-view
<view-name>
Changes the notify view settings used by the new
community string for different types of SNMP operations.
show snmp-server command
The show snmp-server command displays the SNMP v3 conguration.
The syntax for the show snmp-server command is:
show snmp-server {community|host|user|view}
The show snmp-server command is executed in the Privileged EXEC
command mode.
Table 37 "show snmp-server command parameters and variables" (page
79) describes the parameters and variables for the show snmp-server
command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 37
show snmp-server command parameters and variables
Parameters and
variables
Description
community|host|
user|view
Displays SNMPv3 configuration information:
community strings as configured in SNMPv3 MIBs
(this parameter is not displayed when Password
Security is enabled)
trap receivers as configured in SNMPv3 MIBs
SNMPv3 users, including views accessible to each
user
SNMPv3 views
snmp-server bootstrap command
With the snmp-server bootstrap command, you can specify how
you wish to secure SNMP communications, as described in the SNMPv3
standards. This command creates an initial set of conguration data for
SNMPv3. This conguration data follows the conventions described in the
SNMPv3 standard (in RFC 3414 and 3415). The data consists of a set of
initial users, groups, and views. This snmp-server bootstrap command
deletes all existing SNMP congurations, so use the command with caution.
The syntax for the snmp-server bootstrap command is:
snmp-server bootstrap <minimum-secure> | <semi-secure>
|<very-secure>
The snmp-server bootstrap command is executed in the Global
Table 38 "snmp-server bootstrap command parameters and variables"
bootstrap command.
Table 38
snmp-server bootstrap command parameters and variables
Parameters and
variables
Description
<minimum-secure> Specifies a minimum security configuration that allows
read access to everything using noAuthNoPriv, and
write access to everything using authNoPriv.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
<semi-secure> Specifies a partial security configuration that allows
read access to a small subset of system information
using noAuthNoPriv, and read and write access to
everything using authNoPriv.
<very-secure> Specifies a maximum security configuration that allows
no access.
Securing your network
You can secure your network using the following CLI commands.
"Conguring MAC address lter-based security" (page 80)
"Conguring EAPOL-based security" (page 87)
Conguring MAC address lter-based security
You congure the BaySecure* application using MAC addresses with the
following commands:
"show mac-security command" (page 80)
"mac-security command" (page 81)
"mac-security mac-address-table address command" (page 83)
"mac-security security-list command" (page 83)
"no mac-security command" (page 84)
"no mac-security mac-address-table command" (page 84)
"no mac-security security-list command" (page 85)
"mac-security command for specic ports" (page 85)
"mac-security mac-da-lter command" (page 86)
show mac-security command
The show mac-security command displays conguration information
for the BaySecure application. The syntax for the show mac-security
command is:
show mac-security {config|mac-address-table [address
<macaddr>]|port|security-lists|mac-da-filter}
The show mac-security command is executed in the Privileged EXEC
command mode.
Table 39 "show mac-security command parameters and variables" (page
81) describes the parameters and variables for the show mac-security
command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 39
show mac-security command parameters and variables
Parameters and
variables
Description
config Displays the general BaySecure configuration.
mac-address-t
able [address
<macaddr>]
Displays contents of the BaySecure table of allowed
MAC addresses:
address specifies a single MAC address to display;
enter the MAC address.
port Displays the BaySecure status of all ports.
security-lists Displays the port membership of all security lists.
mac-da-filter Displays MAC DA filtering addresses.
Figure 10 "show mac-security command output" (page 81) shows sample
output from the show mac-security command.
Figure 10
show mac-security command output
mac-security command
The mac-security command modies the BaySecure conguration. The
syntax for the mac-security command is:
mac-security [disable|enable] [filtering {enable|disable}]
[intrusion-detect {enable|disable|forever}] [intrusion-timer
<1-65535>] [learning-ports <portlist>] [learning {enable
|disable}]|mac-address-table|mac-da-filter|security list
[snmp-lock {enable|disable}] [snmp-trap {enable|disable}]
The mac-security command is executed in the Global Conguration
command mode.
Table 40 "mac-security command parameters and values" (page
82) describes the parameters and variables for the mac-security
command.
NN47215-505 (323165-B) 02.01 Standard
.
Table 40
mac-security command parameters and variables
Parameters and
variables
Description
disable|enable Disables or enables MAC address-based security.
filtering
{enable|disable}
Enables or disables destination address (DA) filtering
when an intrusion is detected.
intrusion-detect
{enable|disable|
forever}
Specifies the partitioning of a port when an intrusion
is detected:
enable port is partitioned for a period of time.
disabled port is not partitioned on detection.
forever port is partitioned until manually
changed.
intrusion-timer
<1-65535>
Specifies, in seconds, length of time a port is partitioned
when an intrusion is detected; enter the number of
seconds to specify.
learning
{enable|disable}
Specifies MAC address learning:
enable enables learning by ports
disable disables learning by ports

ATTENTION
The MAC address learning enable command must
be executed to specify learning ports.
learning-ports
<portlist>
Specifies MAC address learning. Learned addresses
are added to the table of allowed MAC addresses. Enter
the ports you want to learn; this can be a single port, a
range of ports, several ranges, all, or none.
mac-address-tabl
e
Adds addresses to the MAC security address table.
mac-da-filter Adds or deletes MAC DA filtering addresses.
security-list Modifies security list port membership.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
snmp-lock
{enable|disable}
Enables or disables a lock on SNMP write-access to
the BaySecure MIBs.
snmp-trap
{enable|disable}
Enables or disables trap generation when an intrusion
is detected.
mac-security mac-address-table address command
The mac-security mac-address-table address command assigns
either a specic port or a security list to the MAC address. This removes
any previous assignment to the specied MAC address and creates an
entry in the BaySecure table of allowed MAC addresses. The syntax for the
mac-security mac-address-table address command is:
mac-security mac-address-table address <H.H.H.> {port
<portlist>|security-list <1-32>}
ATTENTION
In this command, portlist must specify only a single port.
The mac-security mac-address-table address command is
executed in the Global Conguration command mode.
Table 41 "mac-security mac-address-table address parameters and values"
(page 83) describes the parameters and variables for the mac-security
mac-address-table address command.
Table 41
mac-security mac-address-table address parameters and variables
Parameters and
variables
Description
<H.H.H> Enter the MAC address in the form of H.H.H.
port <portlist
>|security-list
<1-32>
Enter the port number or the security list number.
mac-security security-list command
The mac-security security-list command assigns a list of ports
to a security list. The syntax for the mac-security security-list
command is:
mac-security security-list <1-32> <portlist>
NN47215-505 (323165-B) 02.01 Standard
.
The mac-security security-list command is executed in the Global
Table 42 "mac-security security-list command parameters and values"
security-list command.
Table 42
mac-security security-list command parameters and variables
Parameters and
variables
Description
<1-32> Enter the number of the security list that you want to use.
<portlist> Enter a list or range of port numbers.
no mac-security command
The no mac-security command disables MAC source address-based
security. The syntax for the no mac-security command is:
no mac-security
The no mac-security command is executed in the Global Conguration
command mode.
The no mac-security command has no parameters or values.
no mac-security mac-address-table command
The no mac-security mac-address-table command clears
entries from the MAC address security table. The syntax for the no
mac-security mac-address-table command is:
no mac-security mac-address-table {address <H.H.H.> |port
<portlist>|security-list <1-32>}
The no mac-security mac-address-table command is executed in
Table 43 "no mac-security mac-address-table command parameters and
mac-security mac-address-table command.
Table 43
no mac-security mac-address-table command parameters and variables
Parameters and
variables
Description
address <H.H.H> Enter the MAC address in the form of H.H.H.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
port <portlist> Enter a list or range of port numbers.
security-list
<1-32>
Enter the security list number.
no mac-security security-list command
The no mac-security security-list command clears the port
membership of a security list. The syntax for the no mac-security
security-list command is:
no mac-security security-list <1-32>
The no mac-security security-list command is executed in the
Table 44 "no mac-security security-list command parameters and
mac-security security-list command.
Table 44
no mac-security security-list command parameters and variables
Parameters
and variables
Description
<1-32> Enter the number of the security list that you want to
clear.
mac-security command for specic ports
The mac-security command for specic ports congures the BaySecure
status of specic ports. The syntax for the mac-security command for
specic ports is:
mac-security [port <portlist>] {disable|enable|learning}
The mac-security command for specic ports is executed in the Interface
Conguration command mode
Table 45 "mac-security command for a single port parameters and variables"
command for specic ports.
NN47215-505 (323165-B) 02.01 Standard
.
Table 45
mac-security command for a single port parameters and variables
port <portlist> Enter the port numbers.
disable|enable|learnin
g
Directs the specific port:
disable disables BaySecure on the
specified port and removes the port from
the list of ports for which MAC address
learning is performed
enable enables BaySecure on the
specified port and removes the port from
the list of ports for which MAC address
learning is performed
learning disables BaySecure on the
specified port and adds these port to the list
of ports for which MAC address learning is
performed
mac-security mac-da-lter command
With the mac-security mac-da-filter command, you can lter
packets from up to 10 specied MAC DAs. You also can use this command
to delete such a lter and then receive packets from the specied MAC DA.
The syntax for the mac-security mac-da-filter command is:
mac-security mac-da-filter {add|delete}<H.H.H.>
The mac-security mac-da-filter command is executed in the Global
Table 46 "mac-security mac-da-lter command parameters and values"
mac-da-filter command.
Table 46
mac-security mac-da-lter command parameters and values
{add|delete} <H.H.H> Add or delete the specified MAC address; enter
the MAC address in the form of H.H.H.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
Ensure that you do not enter the MAC address of the management unit.
Conguring EAPOL-based security
You can congure security based on the Extensible Authentication Protocol
over LAN (EAPOL) by using the following CLI commands:
"show eapol command" (page 87)
"show eapol auth-diags interface command" (page 89)
"show eapol auth-stats interface command" (page 90)
"eapol command" (page 91)
"eapol command for modifying parameters" (page 91)
"eapol guest-vlan command" (page 93)
"no eapol guest-vlan command" (page 93)
"default eapol guest-vlan command" (page 93)
show eapol command
The show eapol command displays the status of the EAPOL-based
security. The syntax for the show eapol command is:
show eapol [port <portlist>]
The show eapol command is executed in the Privileged EXEC command
mode.
Figure 11 "show eapol command output" (page 88) displays sample output
from the show eapol command.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 11
show eapol command output
Table 47 "show eapol command output parameters and variables" (page
88) describes the parameters and variables for the show eapol command
output.
Table 47
show eapol command output parameters and variables
Parameters and
variables
Description
Port Specifies the port on which to change EAPOL settings
Administrative Status
Specifies the EAP status of the port:
Force Unauthorized - Port is always unauthorized
Auto - Port authorization status depends on the result of the EAP
authentication
Force Authorized - Port is always authorized
Auth Displays the current EAPOL authorization status for the port
Yes - Authorized
No - Unauthorized
This field only specifies the authorization status of the port for EAPoL
users and not for NonEAPoL users. Use the show eapol multihost
non-eap status command for Non-EAPoL users.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
Admin Dir Specifies whether EAPOL authentication is set for incoming and outgoing
traffic (Both) or for incoming traffic only (In).
For example, if you set the specified port field value to both, and EAPOL
authentication fails, then both incoming and outgoing traffic on the
specified port is blocked.
Oper Dir Specifies the current operational value for the traffic control direction
for the port.
Re-authentication Enables or disables re-authentication
Re-authentication Period Specifies the time interval between successive re-authentications;
the range is <1-604800>
Quite Period Specifies the time interval between authentication failure and start of new
authentication; the range is <0-65535>
Transmit Period Specifies a waiting period for response from supplicant for EAP Request
or Identity packets; the range is <1-65535>
Supplicant Timeout Specifies a waiting period for response from supplicant for all EAP
packets;
Server Timeout Specifies the time to wait for response from RADIUS server;
Max Request Specifies the number of times to retry sending packets to supplicant;
the range is <1-10>
show eapol auth-diags interface command
The show eapol auth-diags interface command displays EAPOL
diags.The syntax for the show eapol auth-diags interface
command is:
show eapol auth-diags interface
The show eapol auth-diags interface command is executed in the
Figure 12 "show eapol auth-diags interface command output" (page
90) displays sample output from the show eapol auth-diags
interface command.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 12
show eapol auth-diags interface command output
show eapol auth-stats interface command
The show eapol auth-stats interface command displays EAPOL
diags.The syntax for the show eapol auth-stats interface
command is:
show eapol auth-stats interface
The show eapol auth-stats interface command is executed in the
Figure 13 "show eapol auth-stats interface command output" (page
90) displays sample output from the show eapol auth-stats
interface command.
Figure 13
show eapol auth-stats interface command output
NN47215-505 (323165-B) 02.01 Standard
.
eapol command
The eapol command enables or disables EAPOL-based security. The
syntax of the eapol command is:
eapol {disable|enable}
The eapol command is executed in the Global Conguration command
mode.
Table 48 "eapol command parameters and variables" (page 91) describes
the parameters and variables for the eapol command.
Table 48
eapol command parameters and variables
Parameters and
variables
Description
disable|enable Disables or enables EAPOL-based security.
eapol command for modifying parameters
The eapol command for modifying parameters modies EAPOL-based
security parameters for a specic port. The syntax of the eapol command
for modifying parameters is:
eapol [port <portlist>] [init] [status authorized|unauthor
ized|auto] [traffic-control in-out|in] [re-authentication
enable|disable] [re-authentication-period <1-604800>]
[re-authenticate] [quiet-interval <num>] [transmit-interval
<num>] [supplicant-timeout <num>] [server-timeout
<num>][max-request <num>]
The eapol command for modifying parameters is executed in the Interface
Table 49 "eapol command for modifying parameters and variables" (page
91) describes the parameters and variables for the eapol command for
modifying parameters.
Table 49
eapol command for modifying parameters and variables
Parameters and
variables
Description
port <portllist>
Specifies the ports to configure for EAPOL; enter the
port numbers you want to use.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
ATTENTION
If you omit this parameter, the system uses the
port number that you specified when you issued
the interface command.
init Reinitiates EAP authentication.
status
authorized|unauth
orized|auto
Specifies the EAP status of the port:
authorized Port is always authorized.
unauthorized Port is always unauthorized.
auto Port authorization status depends on the
result of the EAP authentication.
traffic-control
in-outIin
Sets the level of traffic control:
in-out If EAP authentication fails, both
ingressing and egressing traffic are blocked.
in If EAP authentication fails, only ingressing
traffic is blocked.
re-authentication
enable|disable
Enables or disables reauthentication.
re-authentication
-period
<1-604800>
Enter the number of seconds that you want between
re-authentication attempts.
Use either this variable or the reauthentication-interval
variable; do not use both variables because they
control the same setting.
re-authenticate Specifies an immediate reauthentication.
quiet-interval
<num>
Enter the number of seconds that you want between
an authentication failure and the start of a new
authentication attempt; the range is 1 to 65535.
transmit-interval
<num>
Specifies a waiting period for response from supplicant
for EAP Request/Identity packets. Enter the number of
seconds that you want to wait; the range is 1-65535.
NN47215-505 (323165-B) 02.01 Standard
.
Parameters and
variables
Description
supplicant-timeou
t <num>
Specifies a waiting period for response from supplicant
for all EAP packets, except EAP Request/Identity
packets. Enter the number of seconds that you want to
wait; the range is 1-65535.
server-timeout
<num>
Specifies a waiting period for response from the server.
Enter the number of seconds that you want to wait;
the range is 1-65535.
max-request <num> Enter the number of times to retry sending packets to
supplicant.
eapol guest-vlan command
The eapol guest-vlan command sets the guest VLAN globally.
The syntax for the eapol guest-vlan command is:
eapol guest-vlan [vid <1-4094> | enable]
The eapol guest-vlan command is executed in the Global Conguration
command mode and Interface Conguration command mode.
Table 50 "eapol guest-vlan command parameters and variables" (page
93) describes the parameters and variables for the eapol guest-vlan
command.
Table 50
eapol guest-vlan command parameters and variables
Parameters and
variables
Description
<vid> Guest VLAN ID.
enable Enable Guest VLAN.
no eapol guest-vlan command
The no eapol guest-vlan command disables the guest VLAN.
The syntax for the no eapol guest-vlan command is:
no eapol guest-vlan [enable]
The no eapol guest-vlan command is executed in the Global
Conguration command mode and Interface Conguration command mode.
default eapol guest-vlan command
The default eapol guest-vlan command disables the guest VLAN.
NN47215-505 (323165-B) 02.01 Standard
.
The syntax for the default eapol guest-vlan command is:
default eapol guest-vlan
The default eapol guest-vlan command is executed in the Global
The default eapol guest-vlan command has no parameters or
variables.
show eapol guest-vlan command
The show eapol guest-vlan command displays the current guest VLAN
conguration.
The syntax for the show eapol guest-vlan command is:
show eapol guest-vlan
The show eapol guest-vlan command is executed in the Global
The show eapol guest-vlan command has no parameters or variables.
Figure 14 "show eapol guest-vlan command output" (page 94) displays
sample output from the eapol guest-vlan command.
Figure 14
show eapol guest-vlan command output
Conguring advanced EAPOL features
Ethernet Routing Switch 2500 Series, Software Release 4.1 supports
advanced EAPOL features that allow multiple hosts and non-EAPOL clients
on a port.
This section provides information about conguring the following features:
Multiple Host with Multiple Authentication (MHMA) (see "Conguring
multihost support" (page 95))
Non-EAPOL hosts on EAPOL-enabled ports (see "Conguring support
for non-EAPOL hosts on EAPOL-enabled ports" (page 102))
Multiple Host with Single Authentication (MHSA) (see "Conguring
MultiHost Single-Autentication (MHSA)" (page 107))
NN47215-505 (323165-B) 02.01 Standard
.
Conguring multihost support
To congure multihost support, do the following:
1. Enable multihost support for the interface. The relevant command is
executed in Interface Conguration mode. You can issue the command
for the interface selected when you enter the Interface Conguration
mode (so that all ports have the same setting), or you can issue the
command for specic ports on the interface.
2. Specify the maximum number of EAP clients allowed on each multihost
port. You can issue the command for the interface selected when you
enter the Interface Conguration mode (so that all ports have the same
setting), or you can issue the command for specic ports on the interface.
eapol multihost command The eapol multihost command controls
the global multihost settings.
The syntax for the eapol multihost command is:
eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhsa
-enable] [radius-non-eap-enable] [use-radius-assigned-vlan]
[non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}
This command is executed in the Global Conguration command mode.
"eapol multihost parameters and variables" (page 95) describes the
parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables
allow-non-eap-enable Enables MAC addresses of non-EAP
clients.
auto-non-eap-mhsa-enable Enables auto-authentication of
non-EAP clients in MHSA mode
radius-non-eap-enable Enables Radius authentication of
non-EAP clients
use-radius-assigned-vlan Allows use of Radius-assigned VLAN
value
non-eap-pwd-fmt { [ip-addr]
[mac-addr] [port-number] }
Sets bits in RADIUS non-EAPOL
password format
no eapol multihost command The no eapol multihost command
disables EAPOL multihost.
This command is executed in the Global Conguration command mode.
NN47215-505 (323165-B) 02.01 Standard
.
The syntax for the no eapol multihost command is:
no eapol multihost { [allow-non-eap-enable] [auto-non-eap-mhs
a-enable] [radius-non-eap-enable] [use-radius-assigned-vlan]
[non-eap-pwd-fmt {[ip-addr] [mac-addr] [port-number]}]}
"no eapol multihost parameters" (page 96) describes the parameters and
variables for theno eapol multihost command.
no eapol multihost command parameters and variables
allow-non-eap-enable Disables control of non-EAP clients
(MAC addresses)
auto-non-eap-mhsa-enable Disables auto-authentication of
radius-non-eap-enable Disables Radius authentication of
non-EAP clients
value
[mac-addr] [portnumber] }
Clears bits from RADIUS non-EAPOL
password format
default eapol multihost command The default eapol multihost
command sets the EAPoL multihost feature to default.
This command is executed in the global conguration mode.
The syntax for the default eapol multihost command is:
default eapol multihost { [allow-non-eap-enable]
[auto-non-eap-mhsa-enable] [radius-non-eap-enable]
[use-radius-assigned-vlan] [non-eap-pwd-fmt {[ip-addr]
[mac-addr] [port-number]}] }
"default eapol multihost parameters" (page 96) describes the parameters
and variables for thedefault eapol multihost command.
default eapol multihost command parameters and variables
allow-non-eap-enable Resets control of non-EAP clients
(MAC addresses)
non-EAP clients
NN47215-505 (323165-B) 02.01 Standard
.
value
[mac-addr] [portnumber] }
Restores default format for RADIUS
non-EAPOL password attribute
eapol multihost command for a port The eapol multihost command
controls the multihost settings for a specic port or for all ports on an
interface.
This command is executed in the Interface Conguration mode.
The syntax for the eapol multihost command is:
eapol multihost [allow-non-eap-enable][auto-non-eap-mhsa-e
nable][eap-mac-max {<1-32>}][enable][non-eap-map-max{<1-32
>}][radius-non-eap-enable][use-radius-assigned-vlan][port
{<portlist>}][non-eap-mac {H.H.H | port}]
"eapol multihost parameters and variables" (page 97) describes the
parameters and variables for the eapol multihost command.
eapol multihost command parameters and variables
allow-non-eap-enable Enables MAC addresses of non-EAP
clients.
auto-non-eap-mhsa-enable Enables auto-authentication of
eap-mac-max {<1-32>} Specifies the maximum number of
EAP-authenticated MAC addresses
allowed
enable Allows EAP clients (MAC addresses)
non-eap-mac-max Specifies the maximum number
of non-EAP authenticated MAC
addresses allowed
port Displays port number on which to apply
EAPOL multihost settings
non-EAP clients
value
non-eap-mac {H.H.H | port} Allows non-EAPoL MAC address
NN47215-505 (323165-B) 02.01 Standard
.
no eapol multihost command for a port The no eapol multihost
command disables the EAPOL multihost settings for a specic port or for all
ports on an interface.
This command is executed in the Interface conguration mode.
The syntax for the no eapol multihost command is:
no eapol multihost [allow-non-eap-enable] [auto-non-eap-mhsa-
enable][enable][port][radius-non-eap-enable][use-radius-assi
gned-vlan][non-eap-mac {H.H.H | port}]
"no eapol multihost parameters and variables" (page 98) describes the
parameters and variables for the no eapol multihost command.
no eapol multihost command parameters and variables
Parameter and Variables Description
allow-non-eap-enable Disables MAC addresses of non-EAP
clients.
enable Disallows EAP clients (MACaddresses)
port Displays port number on which to apply
EAPOL multihost settings
non-EAP clients
use-radius-assigned-vlan Disallows use of Radius-assigned
VLAN value
non-eap-mac {H.H.H | port} Allows non-EAPoL MAC address
non-eap-mac-max {<1-32>} Specifies the maximum number
of non-EAP authenticated MAC
addresses allowed
default eapol multihost command for a port The default eapol
multihost command sets the multihost settings for a specic port or for
all the ports on an interface to default.
The syntax for the default eapol multihost command is:
default eapol multihost [allow-non-eap-enable] [auto-non-e
ap-mhsa-enable] [eap-mac-max {<1-32>}][enable] [non-eap-ma
p-max{<1-32>}] [port {<portlist>}][radius-non-eap-enable]
[use-radius-assigned-vlan][non-eap-mac {H.H.H | port}]
NN47215-505 (323165-B) 02.01 Standard
.
"default eapol multihost parameters" (page 99) describes the parameters
and variables for the default eapol multihost command.
default eapol multihost command parameters and variables
allow-non-eap-enable Resets control of non-EAP clients
(MAC addresses) to default
non-EAP clients
eap-mac-max <1-32> Resets maximum number of
EAP-authenticated MAC addresses
allowed to default
enable Resets control of whether EAP Clients
(MAC addresses) are allowed to default
non-eap-mac-max <1-32> Resets maximum number of non-EAP
authenticated MAC addresses allowed
to default
port<portlist> Displays port number on which to
disable EAPOL
non-EAP clients
use-radius-assigned-vlan Allows use of RADIUS-assigned VLAN
values
non-eap-mac {H.H.H | port} Resets the non-EAP MAC addresses
to default
eapol multihost non-eap-mac command The eapol multihost
non-eap-mac command congures the MAC addresses of non-EAPOL
hosts on a specic port or on all ports on an interface.
The syntax for the eapol multihost non-eap-maccommand is:
eapol multihost non-eap-mac [port<portlist>] <H.H.H>
"eapol multihost non-eap-mac command parameters and variables" (page
100) describes the parameters and variables for theeapol multihost
non-eap-mac command.
NN47215-505 (323165-B) 02.01 Standard
.
eapol multihost non-eap-mac command parameters and variables
port Port on which to apply EAPOL settings
H.H.H MAC address of the allowed
non-EAPOL host
show eapol multihost command The show eapol
multihostcommand displays global settings for non-EAPOL
hosts on EAPOL-enabled ports.
This command is executed in the privExec, Global, and Interface
conguration mode.
The syntax for the show eapol multihost command is:
show eapol multihost
"show eapol multihost command parameters and variables" (page
100) describes the parameters and variables for the show eapol
multihost command.
show eapol multihost command parameters and variables
interface Displays EAPOL multihost port
configuration
non-eap-mac Displays allowed non-EAPoL
MACaddress
status Displays EAPOL multihost port status
"show eapol multihost command output" (page 100) displays sample output
from the show eapol multihost command:
show eapol multihost command output
show eapol multihost interface command The show eapol
multihost interface command displays non-EAPOL support settings
for each port.
NN47215-505 (323165-B) 02.01 Standard
.
This command is executed in the privExec, Global, and Interface
conguration mode.
The syntax for the show eapol multihost interfacecommand is:
show eapol multihost interface [<portList>]
"show eapol multihost interface parameters and variables" (page
101) describes the parameters and variables for the show eapol
multihost interface command.
show eapol multihost interface command parameters and variables
portList List of ports
"show eapol multihost interface command output" (page 101) displays
sample output from the show eapol multihost interface command:
show eapol multihost interface command output
show eapol multihost non-eap-mac status command The show
eapol multihost non-eap-mac status command displays
information about non-EAPOL hosts currently active on the switch.
This command is executed in the Privileged EXEC, Global, and Interface
Conguration mode.
NN47215-505 (323165-B) 02.01 Standard
.
The syntax for the show eapol multihost non-eap-mac status
command is:
show eapol multihost non-eap-mac status [<portList>]
"show eapol multihost non-eap-mac status command parameters and
variables" (page 102) describes the parameters and variables for the show
eapol multihost non-eap-mac status command.
show eapol multihost non-eap-mac status command parameters and variables
portList List of ports
The following gure displays sample output from the show eapol multihost
non-eap-mac status command:
Figure 15
show eapol multihost non-eap-mac status command output
Conguring support for non-EAPOL hosts on EAPOL-enabled
ports
This section describes how to congure nonE-APOL authentication.
To congure support for non-EAPOL hosts on EAPOL-enabled ports, do
the following:
1. Enable non-EAPOL support globally on the switch and locally (for the
desired interface ports), using one or both of the following authentication
methods:
a. local authentication (see "Enabling local authentication of
non-EAPOL hosts on EAPOL-enabled ports" (page 103))
b. RADIUS authentication (see "Enabling RADIUS authentication of
non-EAPOL hosts on EAPOL-enabled ports" (page 103))
2. Enable EAPOL multihost on ports
3. Specify the maximum number of non-EAPOL MAC addresses allowed
on a port (see "Specifying the maximum number of non-EAPOL hosts
allowed" (page 105)).
4. For local authentication only, identify the MAC addresses of non-EAPOL
hosts allowed on the ports (see "Creating the allowed non-EAPOL MAC
address list" (page 105)).
NN47215-505 (323165-B) 02.01 Standard
.
By default, support for non-EAPOL hosts on EAPOL-enabled ports is
disabled.
Enabling local authentication of non-EAPOL hosts on EAPOL-enabled
ports For local authentication of non-EAPOL hosts on EAPOL-enabled
ports, you must enable the feature globally on the switch and locally for
ports on the interface.
To enable local authentication of non-EAPOL hosts globally on the switch,
use the following command in Global conguration mode:
eapol multihost allow-non-eap-enable
To enable local authentication of non-EAPOL hosts for a specic port
or for all ports on an interface, use the following command in Interface
conguration mode:
eapol multihost [port <portlist>] allow-non-eap-enable
where
<portlist> is the list of ports on which you want to enable non-EAPOL
hosts using local authentication. You can enter a single port, a range of
ports, several ranges, or all. If you do not specify a port parameter, the
command applies to all ports on the interface.
To discontinue local authentication of non-EAPOL hosts on EAPOL-enabled
ports, use the no or default keywords at the start of the commands in
both the Global and Interface conguration modes.
Enabling RADIUS authentication of non-EAPOL hosts on
EAPOL-enabled ports For RADIUS authentication of non-EAPOL hosts
on EAPOL-enabled ports, you must enable the feature globally on the switch
and locally for ports on the interface.
To enable RADIUS authentication of non-EAPOL hosts globally on the
switch, use the following command in Global conguration mode:
eapol multihost radius-non-eap-enable
"eapol multihost radius-non-eap-enable command parameters and
variables" (page 103) describes the parameters and variables for the eapol
multihost radius-non-eap-enable command.
eapol multihost radius-non-eap-enable command parameters and variables
Parameter and Variable Description
radius-non-eap-enable Globally enables RADIUS authentication for
non-EAPOL hosts
NN47215-505 (323165-B) 02.01 Standard
.
To enable RADIUS authentication of non-EAPOL hosts for a specic port
or for all ports on an interface, use the following command in Interface
conguration mode:
eapol multihost [port <portlist>] radius-non-eap-enable
"eapol multihost radius-non-eap-enable command: Interface mode" (page
104) describes the parameters and variables for the eapol multihost
radius-non-eap-enable command: Interface mode command.
eapol multihost radius-non-eap-enable command: Interface mode parameters and variables
Parameters and Variables Description
portlist Specifies the port or ports on which you want
RADIUS authentication enabled. You can enter
a single port, several ports or a range of ports.
If you do not specify a port parameter, the
command enables RADIUS authentication of
non-EAP hosts on all ports on the interface.
radius-non-eap-enable Enables RADIUS authentication on the desired
interface or on a specific port, for non-EAPOL
hosts.
The default for this feature is disabled.
To discontinue RADIUS authentication of non-EAPOL hosts on
EAPOL-enabled ports, use the no or default keywords at the start of the
commands in both the Global and Interface conguration modes.
Conguring the format of the RADIUS password attribute when
authenticating non-EAP MAC addresses using RADIUS To congure
the format of the RADIUS password when authenticating non-EAP MAC
addresses using RADIUS, use the following command in the Global
conguration mode:
eapol multihost non-eap-pwd-fmt
The syntax for the eapol multihost non-eap-pwd-fmt command is:
eapol multihost non-eap-pwd-fmt { [ip-addr] [mac-addr]
[port-number] }
"eapol multihost non-eap-pwd-fmt command parameters and variables"
(page 105) describes the parameters and variables for the eapol
multihost non-eap-pwd-fmt command.
NN47215-505 (323165-B) 02.01 Standard
.
eapol multihost non-eap-pwd-fmt command parameters and variables
Parameter Description
ip-addr Specifies the IP address of the non-EAP client.
mac-addr Specifies the MAC address of the non-EAP
client.
port-number Specifies the port number for which you want the
RADIUS password attribute configured.
To discontinue conguration of the RADIUS password attribute format, use
the no or default keywords at the start of the commands, in the Global
conguration mode.
Specifying the maximum number of non-EAPOL hosts allowed To
congure the maximum number of non-EAPOL hosts allowed for a specic
port or for all ports on an interface, use the following command in Interface
conguration mode:
eapol multihost [port <portlist>] non-eap-mac-max <value>
where
<portlist> is the list of ports to which you want the setting to apply.
You can enter a single port, a range of ports, several ranges, or all. If
you do not specify a port parameter, the command sets the value for
all ports on the interface.
<value> is an integer in the range 132 that species the maximum
number of non-EAPOL clients allowed on the port at any one time. The
default is 1.
ATTENTION
The congurable maximum number of non-EAPOL clients for each port is 32, but
Nortel expects that the usual maximum allowed for each port be lower. Nortel
expects that the combined maximum will be approximately 200 for each box
and 800 for a stack.
Creating the allowed non-EAPOL MAC address list To specify the MAC
addresses of non-EAPOL hosts allowed on a specic port or on all ports on
an interface, for local authentication, use the following command in Interface
conguration mode:
eapol multihost non-eap-mac [port <portlist>] <H.H.H>
where
<portlist> is the list of ports on which you want to allow the specied
non-EAPOL hosts. You can enter a single port, a range of ports, several
NN47215-505 (323165-B) 02.01 Standard
.
ranges, or all. If you do not specify a port parameter, the command
applies to all ports on the interface.
<H.H.H> is the MAC address of the allowed non-EAPOL host.
Viewing non-EAPOL host settings and activity Various show
commands allow you to view:
global settings (see "Viewing global settings for non-EAPOL hosts"
(page 106))
port settings (see "Viewing port settings for non-EAPOL hosts" (page
106)"Viewing port settings for non-EAPOL hosts" (page 106))
allowed MAC addresses, for local authentication (see "Viewing allowed
MAC addresses" (page 106))
current non-EAPOL hosts active on the switch (see "Viewing current
non-EAPOL host activity" (page 107))
status in the Privilege Exec mode (see "show eapol multihost status
command" (page 107))
Viewing global settings for non-EAPOL hosts To view global settings
for non-EAPOL hosts on EAPOL-enabled ports, use the following command
in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost
The display shows whether local and RADIUS authentication of non-EAPOL
clients is enabled or disabled.
Viewing port settings for non-EAPOL hosts To view non-EAPOL
support settings for each port, use the following command in Privileged
EXEC, Global conguration, or Interface conguration mode:
show eapol multihost interface [<portlist>]
where
<portlist> is the list of ports you want to view. You can enter a single
port, a range of ports, several ranges, or all. If you do not specify a port
parameter, the command displays all ports.
For each port, the display shows whether local and RADIUS authentication
of non-EAPOL clients is enabled or disabled, and the maximum number of
non-EAPOL clients allowed at a time.
Viewing allowed MAC addresses To view the MAC addresses of
non-EAPOL hosts allowed to access ports on an interface, use the
following command in Privileged EXEC, Global conguration, or Interface
conguration mode:
NN47215-505 (323165-B) 02.01 Standard
.
show eapol multihost non-eap-mac interface [<portlist>]
where
The display lists the ports and the associated allowed MAC addresses.
Viewing current non-EAPOL host activity To view information about
non-EAPOL hosts currently active on the switch, use the following command
in Privileged EXEC, Global conguration, or Interface conguration mode:
show eapol multihost non-eap-mac status [<portlist>]
where
show eapol multihost status command The show eapol multihost
status command displays the multihost status of eapol clients on
EAPOL-enabled ports.
The syntax for the show eapol multihost status command is:
show eapol multihost status [<interface-type>] [<interface-i
d>]
"show eapol multihost status command parameters and variables" (page
107)"show eapol multihost status command parameters and variables"
(page 107) describes the parameters and variables for theshow eapol
multihost status command.
show eapol multihost status command parameters and variables
Parameter Description
interface-id Displays the interface ID
interface-type Displays the type of interface used
The show eapol multihost status command is executed in the
Conguring MultiHost Single-Autentication (MHSA) To congure
MHSA support, do the following:
1. Enable MHSA globally on the switch (see "Globally enabling support for
MHSA" (page 108)).
NN47215-505 (323165-B) 02.01 Standard
.
2. Congure MHSA settings for the interface or for specic ports on the
interface (see "Conguring interface and port settings for MHSA" (page
108)):
a. Enable MHSA support.
b. Specify the maximum number of non-EAPOL MAC addresses
allowed.
By default, MHSA support on EAP-enabled ports is disabled.
Globally enabling support for MHSA To enable support for MHSA
globally on the switch, use the following command in Global conguration
mode:
eapol multihost auto-non-eap-mhsa-enable
To discontinue support for MHSA globally on the switch, use one of the
following commands in Global conguration mode:
no eapol multihost auto-non-eap-mhsa-enable
default eapol multihost auto-non-eap-mhsa-enable
Conguring interface and port settings for MHSA To congure MHSA
settings for a specic port or for all ports on an interface, use the following
command in Interface conguration mode:
eapol multihost [port <portlist>]
where
<portlist> is the list of ports to which you want the settings to apply.
You can enter a single port, a range of ports, several ranges, or all. If you
do not specify a port parameter, the command applies the settings to
all ports on the interface.
This command includes the following parameters for conguring MHSA:
eapol multihost [port <portlist>
followed by:
auto-non-eap-mhsa-enable Enables MHSA on the port. The default is disabled.
To disable MHSA, use the no or default keywords at the
start of the command.
non-eap-mac-max <value>
Sets the maximum number of non-EAPOL clients allowed
on the port at any one time.
<value> is an integer in the range 1 to 32. The default

is 1.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
The configurable maximum number of non-EAPOL
clients for each port is 32, but Nortel expects that the
usual maximum allowed for each port will be lower.
Nortel expects that the combined maximum will be
approximately 200 for each box and 800 for a stack.
Viewing MHSA settings and activity For information about the
commands to view MHSA settings and non-EAPOL host activity, see
"Viewing non-EAPOL host settings and activity" (page 106).
NN47215-505 (323165-B) 02.01 Standard
.
Conguring Security using Device Manager
You can set the security features for a switch so that when a violation occurs
the right actions are performed by the software. The security actions that
you specify are applied to all ports of the switch.
This chapter describes the Security information available in Device Manager,
and includes the following topics:
"EAPOL tab" (page 110)
"General tab" (page 111)
"SecurityList tab" (page 114)
"AuthCong tab" (page 116)
"AuthStatus tab" (page 119)
"AuthViolation tab" (page 122)
"SSH tab" (page 122)
"SSH Sessions tab" (page 124)
"Radius Server tab" (page 125)
"Conguring EAPOL on ports" (page 126)
"Conguring SNMP" (page 141)
"Working with SNMPv3" (page 147)
EAPOL tab
The EAPOL tab lets you set and view EAPOL security information for the
switch.
To view the EAPOL tab, use the following procedure:
Step Action
1 From the Device Manager menu bar, select Edit > Security. The
Security dialog box appears with the EAPOL tab displayed.
The following gure displays the EAPOL tab.
End
NN47215-505 (323165-B) 02.01 Standard
.
Conguring Security using Device Manager 111
Figure 16
EAPOL tab
General tab
The General tab lets you set and view general security information for the
switch.
To view the General tab, use the following procedure:
Step Action
1 From the Device Manager menu bar, select Edit > Security.
The Security dialog box appears with the EAPOL tab displayed .
2 Click the General tab.
The General tab appears.
The following gure displays the General tab.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 17
General tab
End
General tab elds
Table 51 "General tab elds" (page 112) describes the General tab elds.
Table 51
General tab elds
Field Description
AuthSecurityLock If this parameter is listed as locked, the agent refuses
all requests to modify the security configuration. Entries
also include:
other
notlocked
AuthCtlPartTime This value indicates the duration of the time for port
partitioning in seconds. The default is zero. When the
value is zero, the port remains partitioned until it is
manually enabled.
SSecurityStatus Indicates whether or not the switch security feature is
enabled.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
SecurityMode Mode of switch security. Entries include:
macList: Indicates that the switch is in the MAC-list
mode. You can configure more than one MAC
address per port.
autoLearn: Indicates that the switch learns the first
MAC address on each port as an allowed address
of that port.
SecurityAction Actions performed by the software when a violation
occurs (when SecurityStatus is enabled). The security
action specified here applies to all ports of the switch.
A blocked address causes the port to be partitioned
when unauthorized access is attempted. Selections
include:
noAction: Port does not have any security assigned
to it, or the security feature is turned off.
trap: Listed trap.
partitionPort: Port is partitioned.
partitionPortAndsendTrap: Port is partitioned, and
traps are sent to the trap receiver.
daFiltering: Port filters out the frames where the
destination address field is the MAC address of the
unauthorized station.
daFilteringAndsendTrap: Port filters out the frames
where the desitnation address field is the MAC
address of unauthorized station. Traps are sent to
trap receivers.
partitionPortAnddaFiltering: Port is partitioned and
filters out the frames with the destination address
field is the MAC address of unauthorized station.
partitionPortdaFilteringAndsendTrap: Port is
partitioned and filters out the frames where the
destination address field is the MAC address of
the unauthorized station. Traps are sent to trap
receivers.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
CurrNodesAllowed Current number of entries of the nodes allowed in the
AuthConfig tab.
MaxNodesAllowed Maximum number of entries of the nodes allowed in the
AuthConfig tab.
PortSecurityStatus Set of ports for which security is enabled.
PortLearnStatus Set of ports where autolearning is enabled.
CurrSecurityLists Current number of entries of the Security listed in the
SecurityList tab.
MaxSecurityLists Maximum entries of the Security listed in the SecurityList
tab.
SecurityList tab
The SecurityList tab contains a list of Security port elds.
To view the SecurityList tab, use the following procedure:
Step Action
The Security window appears with the EAPOL tab displayed.
2 Click the SecurityList tab.
The SecurityList tab appears.
The following gure displays the SecurityList tab.
Figure 18
SecurityList tab
End
SecurityList tab elds
Table 52 "SecurityList tab elds" (page 115) describes the SecurityList tab
elds.
NN47215-505 (323165-B) 02.01 Standard
.
Table 52
SecurityList tab elds
Field Description
SecurityListIndx An index of the security list. This corresponds to
the SecurityList field into AuthConfig tab.
SecurityListMembers The set of ports that are currently members in the
Port list.
Security, Insert SecurityList dialog box
To view the Security, Insert AuthCong dialog box, use the following
procedure:
Step Action
The Security window appears with the EAPOL tab displayed
(EAPOL tab).
2 Click the SecurityList tab.
The SecurityList tab appears (SecurityList tab).
3 Click Insert.
The Security, Insert SecurityList dialog box appears.
Figure 19
Security, Insert SecurityList dialog box
4 To add ports to the security list, in the SecurityListMembers eld,
click the ellipsis (...). The SecurityListMembers dialog box appears.
5 Select the ports to include in the SecurityList, and click OK.
6 Click Insert.
End
NN47215-505 (323165-B) 02.01 Standard
.
"Security, Insert AuthCong dialog box elds" (page 118) describes the
Security, Insert SecurityList dialog box elds.
Table 53
Security, Insert SecurityList dialog box elds
Field Description
SecurityListIndx An index of the security list. This corresponds to the
Security port list that can be used as an index into
AuthConfig tab.
SecurityListMembers The set of ports that are currently members in the Port
list.
AuthCong tab
The AuthCong tab contains a list of boards, ports, and MAC addresses that
have the security conguration. An SNMP SET PDU for a row in the tab
requires the entire sequence of the MIB objects in each entry to be stored in
one PDU. Otherwise, the GENERR return-value is returned.
To view the AuthCong tab, use the following procedure:
Step Action
The Security window appears with the EAPOL tab displayed
(EAPOL tab).
2 Click the AuthCong tab.
The AuthCong tab appears AuthCong tab .
Figure 20
AuthCong tab
End
"AuthCong tab elds" (page 116) describes the AuthCong tab elds.
NN47215-505 (323165-B) 02.01 Standard
.
Table 54
AuthCong tab elds
Field Description
BrdIndx Index of the slot that contains the board on which the
port is located. If you specify SecureList, this field must
be zero.
PortIndx Index of the port on the board. If you specify SecureList,
this field must be zero.
MACIndx An index of MAC addresses that are designated as
allowed (station).
AccessCtrlType Displays the node entry as node allowed. A MAC
address can be allowed on multiple ports.
SecureList The index of the security list. This value is meaningful
only if BrdIndx and PortIndx values are set to zero. For
other board and port index values, this index must also
have the value of zero.
The corresponding MAC Address of this entry is allowed
or blocked on all ports of this port list.
Security, Insert AuthCong dialog box
To view the Security, Insert AuthCong dialog box, use the following
procedure:
Step Action
2 Click the AuthCong tab.
The AuthCong tab appears.
3 Click Insert.
The Security, Insert AuthCong dialog box appears .
NN47215-505 (323165-B) 02.01 Standard
.
Figure 21
Security, Insert AuthCong dialog box
4 Complete the elds as required and click Insert.
The new entry appears in theAuthCong tab
End
Security, Insert AuthCong dialog box elds
Table 55 "Security, Insert AuthCong dialog box elds" (page 118) describes
the Security, Insert AuthCong dialog box elds.
Table 55
Security, Insert AuthCong dialog box elds
Field Description
BrdIndx Index of the board. This corresponds to the index of
the unit that contains the board, but only if the index is
greater than zero. A zero index is a wild card.
PortIndx Index of the port on the board. This corresponds to the
index of the last manageable port on the board, but
only if the index is greater than zero. A zero index is
a wild card.
MACIndx An index of MAC addresses that are either designated
as allowed (station) or not-allowed (station).
AccessCtrlType Displays whether the node entry isnode allowed or node
blocked. A MAC address can be allowed on multiple
ports.
SecureList The index of the security list. This value is meaningful
only if BrdIndx and PortIndx values are set to zero. For
other board and port index values, this index must also
have the value of zero.
The corresponding MAC Address of this entry is allowed
or blocked on all ports of this port list.
NN47215-505 (323165-B) 02.01 Standard
.
AuthStatus tab
The AuthStatus tab displays information about the authorized boards
and port status data collection. This information includes actions to be
performed when an unauthorized station is detected, and the current
security status of a port. Entries in this tab can include:
a single MAC address
all MAC addresses on a single port
a single port
all the ports on a single board
a particular port on all the boards
all the ports on all the boards
To view the AuthStatus tab, use the following procedure:
Step Action
2 Click the AuthStatus tab.
The AuthStatus tab appears.
The following gure displays the AuthStatus tab.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 22
AuthStatus tab
End
"AuthStatus tab elds" (page 120)
AuthStatus tab elds
"AuthStatus tab elds" (page 120) describes the AuthStatus tab elds.
Table 56
AuthStatus tab elds
Field Description
AuthStatusBrdIndx The index of the board. This corresponds to the index
of the slot that contains the board if the index is greater
than zero.
AuthStatusPortIndx The index of the port on the board. This corresponds to
the index of the last manageable port on the board if the
index is greater than zero.
AuthStatusMACIndx The index of MAC address on the port. This corresponds
to the index of the MAC address on the port if the index
is greater than zero.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
CurrentAccessCtrlTy
pe
Displays whether the node entry is the node allowed
or node blocked type.
CurrentActionMode A value representing the type of information contained,
including:
noAction: Port does not have any security assigned to it,
or the security feature is turned off.
partitionPort: Port is partitioned.
partitionPortAndsendTrap: Port is partitioned and traps
are sent to the trap receiver.
Filtering: Port filters out the frames where the destination
address field is the MAC address of the unauthorized
station.
FilteringAndsendTrap: Port filters out the frames where
the destination address field is the MAC address of the
unauthorized station. Traps are sent to the trap receiver.
sendTrap: A trap is sent to the trap receiver(s).
partitionPortAnddaFiltering: Port is partitioned and filters
out the frames where the destination address field is the
MAC address of the unauthorized station.
partitionPortdaFilteringAndsendTrap: Port is partitioned
and filters out the frames where the destination address
field is the MAC address of the unauthorized station.
Traps are sent to trap receiver(s).
CurrentPortSecur
Status
Displays the security status of the current port, including:
If the port is disabled, notApplicable is returned.
If the port is in a normal state, portSecure is returned.
If the port is partitioned, portPartition is returned.
NN47215-505 (323165-B) 02.01 Standard
.
AuthViolation tab
The AuthViolation tab contains a list of boards and ports on which network
access violations have occurred, and also the identity of the offending MAC
addresses.
To view the AuthViolation tab, use the following procedure:
Step Action
2 Click the AuthViolation tab.
The AuthViolation tab appears.
The following gure displays the AuthViolation tab.
Figure 23
AuthViolation tab
End
SSH tab
The SSH tab displays the parameters available for SSH.
To view the SSH tab, use the following procedure:
Step Action
NN47215-505 (323165-B) 02.01 Standard
.
2 Click the SSH tab.
The SSH tab appears.
The following gure displays the SSH tab.
Figure 24
SSH tab
End
"SSH tab elds" (page 123) describes the SSH tab elds.
Table 57
SSH tab elds
Field Description
Enable Enables, disables, or securely enables SSH. Securely
enable turns off other daemon flag, and it takes effect
after a reboot.
Version Indicates the SSH version.
Port Indicates the SSH connection port.
Timeout Indicates the SSH connection timeout in seconds.
KeyAction Indicates the SSH key action.
DsaAuth Enables or disables the SSH DSA authentication.
PassAuth Enables or disables the SSH RSA authentication.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
DsaHostKeyStatus Indicates the current status of the SSH DSA host key:
notGenerated: DSA host key has not yet been
generated.
generated: DSA host key is generated.
generating: DSA host key is currently being
generated.
LoadServerAddr Indicates the current server IP address.
TftpFile Indicates the name of the file for the TFTP transfer.
TftpAction Indicates the SSH public keys that are set to initiate a
TFTP download.
TftpResult Indicates the retrieved value of the TFTP transfer.
SSH Sessions tab
The SSH Sessions tab displays the currently active SSH sessions.
To view the SSH Sessions tab, use the following procedure:
Step Action
2 Click the SSH Sessions tab.
The SSH Sessions tab appears.
The following gure displays the SSH Sessions tab.
Figure 25
SSH Sessions tab
End
"SSH Sessions tab elds" (page 124) describes the SSH Sessions tab elds.
NN47215-505 (323165-B) 02.01 Standard
.
Table 58
SSH Sessions tab elds
Field Description
SSHSessionsIP Lists the currently active SSH sessions.
Radius Server tab
The Radius Server tab is used to congure the primary and secondary
RADIUS server settings. "Radius Server tab" (page 125)illustrates the
Radius Server tab.
To view the Radius Server tab, use the following procedure:
Step Action
Select the Radius Server tab.
2 Click the Radius Server tab.
The Radius Server tab appears.
The following gure displays the Radius Server tab.
Figure 26
Radius Server tab
End
Table 59 "Radius Server tab elds" (page 126) describes the Radius Server
tab elds.
NN47215-505 (323165-B) 02.01 Standard
.
Table 59
Radius Server tab elds
Field Description
Addresstype Specifies the type of IP address used by the Radius
server. IPv4 is currently the only available option.
PrimaryRadiusServer
Specifies the IP address of the primary server
(default: 0.0.0.0).
ATTENTION
If there is no primary Radius server, set the
value of this field to 0.0.0.0 .
SecondaryRadiusServer Specifies the IP address of the secondary Radius
server (default: 0.0.0.0). The secondary Radius
server is used only if the primary server is
unavailable or unreachable.
RadiusServerUdpPor Specifies the UDP port the client is using to send
requests to this server.
RadiusServerTimeout Specifies the time interval in seconds before the
client retransmit the packet to RADIUS server
SharedSecret(Key)
Specifies the value of the shared secret key.
ATTENTION
The shared secret key has a maximum of 16
characters.
ConfirmedSharedSecret(K
ey)
Confirms the value of the shared secret key
specified in the SharedSecret(Key) field.
This field usually does not display anything (just a
blank field). It is used when user is changing the
SharedSecret(key) field.
User usually need to enter twice to confirm the string
already being entered in the SharedSecret(Key).
Conguring EAPOL on ports
This section contains the following topics:
"EAPOL tab for a port" (page 127)
"EAPOL Advance tab for ports" (page 129)
"EAPOL Stats tab for graphing ports" (page 136)
"EAPOL Diag tab for graphing ports" (page 138)
NN47215-505 (323165-B) 02.01 Standard
.
EAPOL tab for a port
The EAPOL tab shows EAPOL for the selected port.
To view or edit the EAPOL tab for a port, use the following procedure:
Step Action
1 Select the port that you want to edit.
2 Do one of the following:
From the shortcut menu, choose Edit.
From the Device Manager main menu, choose Edit > Port.
From the toolbar, click Edit.
The Port dialog box appears with the Interface tab displayed.
3 Click the EAPOL tab.
The EAPOL tab appears.
Figure 27
EAPOL tab for a port
NN47215-505 (323165-B) 02.01 Standard
.
End
"EAPOL tab elds for a port" (page 128) describes the EAPOL tab elds
for ports.
Table 60
EAPOL tab elds for a port
Field Description
PortProtocolVersion The EAP Protocol version that is running on this
port.
PortCapabilities The PAE functionality that is implemented on this
port. Always returns dot1xPaePortAuthCapable.
PortInitialize Enables and disables EAPOL authentication for
the specified port.
PortReauthenticateNow Activates EAPOL authentication for the specified
port immediately, without waiting for the
Re-Authentication Period to expire.
PaeState Displays the EAPOL authorization status for the
switch:
Force Authorized: The authorization status is
always authorized.
Force Unauthorized: The authorization status
is always unauthorized.
Auto: The authorization status depends on the
EAP authentication results.
BackendAuthState The current state of the Backend Authentication
state for the switch.
AdminControlled
Directions
Specifies whether EAPOL authentication is set
for incoming and outgoing traffic (both) or for
incoming traffic only (in). For example, if you set
the specified port field value to both, and EAPOL
authentication fails, then both incoming and
outgoing traffic on the specified port is blocked.
OperControlled
Directions
A read-only field that indicates the current
operational value for the traffic control direction for
the port (see the preceding field description).
AuthControlledPort
Status
Displays the current EAPOL authorization status
for the port:
authorized
unauthorized
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
AuthControlledPort
Control
Specifies the EAPOL authorization status for the
port:
Force Authorized: The authorization status is
always authorized.
Force Unauthorized: The authorization status
is always unauthorized.
Auto: The authorization status depends on the
EAP authentication results.
QuietPeriod The current value of the time interval between any
single EAPOL authentication failure and the start
of a new EAPOL authentication attempt.
TransmitPeriod Time to wait for response from supplicant for EAP
requests/Identity packets.
SupplicantTimeout Time to wait for response from supplicant for all
EAP packets, except EAP Request/Identity.
ServerTimeout Time to wait for a response from the RADIUS
server for all EAP packets.
MaximumRequests The number of times the switch attempts to resend
EAP packets to a supplicant.
ReAuthentication
Period
Time interval between successive
reauthentications.
When the ReAuthenticationEnabled field (see
the following field) is enabled, you can specify
the time period between successive EAPOL
authentications for the specified port.
ReAuthentication
Enabled
When enabled, the switch performs a
reauthentication of the existing supplicants
at the time interval specified in the
ReAuthenticationPeriod field (see preceding field
description).
KeyTxEnabled The value of the KeyTranmissionEnabled constant
currently in use by the Authenticator PAE state
of the switch. This always returns false as key
transmission is irrelevant.
LastEapolFrame
Version
The protocol version number carried in the most
recently received EAPOL frame.
LastEapolFrame
Source
The source MAC address carried in the most
recently received EAPOL frame.
EAPOL Advance tab for ports
The EAPOL Advance tab lets you congure additional EAPOL-based
security parameters for ports.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
The Multi Hosts and Non-EAP MAC buttons are not available when conguring
multiple ports on the EAPOL Advance tab. To make use of these two options,
only one port can be selected.
To view or edit the EAPOL Advance tab for ports, use the following
procedure:
Step Action
1 Select the ports that you want to edit.
For multiple ports, press Ctrl+left-click the ports that you want to
edit.
A yellow outline appears around the selected ports.
From the shortcut menu, choose Edit.
From the Device Manager main menu, choose Edit > Port.
On the toolbar, click Edit.
The Port dialog box appears with the Interface tab displayed.
3 Click the EAPOL Advance tab.
The EAPOL Advance tab for a port appears.
Figure 28
EAPOL Advance tab for a port
NN47215-505 (323165-B) 02.01 Standard
.
4 Click Apply after making any changes.
End
Table 61 "EAPOL Advance tab elds for a port" (page 131) describes the
EAPOL Advance tab elds for a port.
Table 61
EAPOL Advance tab elds for a port
Field Description
GuestVlan
Enabled
Enables and disables Guest VLAN on the port.
GuestVlanId Specifies the ID of a Guest VLAN that the port is
able to access while unauthorized.
This value overrides the Guest VLAN ID value set
for the switch in the EAPOL tab. Specifies zero
when switch global guest VLAN ID is used for this
port.
MultiHostEnabled Enables or disables EAPOL multihost on the port.
MultiHostEapMaxNumMacs Specifies the maximum number of allowed EAP
clients on the port.
MultiHostAllowNonEapClie
nt
Enables or disables non-EAPOL on the port.
MultiHostNonEapMaxNum
Macs
Specifies the maximum number of allowed
non-EAPOL clients on the port.
MultiHostSingleAuthEnable
d
Enables or disables EAPOL Multiple Host with
Single Authentication (MHSA) on the port.
MultiHostRadiusAuthNonE
apClient
Enables or disables non-EAPOL RADIUS
authentication on the port
MultiHostAllowRadiusAssig
nedVlan
Enables or disables multihost RADIUS assigned
Vlans on the port
Viewing Multihost information
From the EAPOL Advance tab on the Port screen, it is possible to view
Multihost information by clicking the Multi Hosts button on this tab.
For details, refer to:
"Multihost Status" (page 131)
"Multihost sessions" (page 132)
Multihost Status To view multihost status information, do the following:
NN47215-505 (323165-B) 02.01 Standard
.
Step Action
1 From the EAPOL Advance tab of the Port screen, click the Multi
Hosts button. The EAPOL MultiHosts screen appears with the
Multi Host Status tab selected.
The following gure displays the Multihost status tab.
Figure 29
EAPOL MultiHosts screen -- Multi Host Status tab
"EAPOL MultiHosts screen -- Multi Host Status tab" (page
132) describes the elds on this screen.
EAPOL MultiHosts screen -- Multi Host Status tab
Field Description
PortNumber The port number in use
ClientMACAddr The MAC address of the client
PaeState
The current state of the authenticator PAE
state machin
BackendAuthState The current state of the Backend
Authentication state machine
Reauthenticate The value used to reauthenticate the
EAPOL client
End
Multihost sessions To view multihost session information, do the
following:
Step Action
1 From the EAPOL Advance tab of the Port screen, click the Multi
Hosts button. The EAPOL MultiHosts screen appears. Select the
Multi Host Session tab. The following gure displays the Multihost
sessions tab.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 30
EAPOL MultiHosts screen -- Multi Host Session tab
"EAPOL MultiHosts screen -- Multi Host Session tab" (page
133) describes the elds on this tab.
EAPOL MultiHosts screen -- Multi Host Session tab
Field Description
PortNumber The port number in use.
ClientMACAddr The MAC address of the client.
Id
A unique identifier for the session, in the
form of a printable ASCII string of at least
three characters.
AuthenticMethod
The authentication method used to
establish the session.
Time The elapsed time of the session.
TerminateCause The cause of the session termination.
UserName
The username representing the identity of
the supplicant PAE.
End
Non-EAPOL host support settings
From the EAPOL Advance tab on the Port screen, it is possible to view
non-EAP host information and to congure the allowed non-EAP MAC
address list by clicking the Non-EAP MAC button on this tab.
Managing the allowed non-EAP MAC address list To view and congure
the list of MAC addresses for non-EAPOL clients that are authorized to
access the port, do the following:
Step Action
1 From the EAPOL Advance tab of the Port screen, click the
Non-EAP MAC button. The Non-EAPOL MAC screen appears
NN47215-505 (323165-B) 02.01 Standard
.
with the Allowed non-EAP MAC tab selected. The following gure
illustrates this tab.
Figure 31
Non-EAPOL MAC screen -- Allowed non-EAP MAC tab
"Non-EAPOL MAC screen -- Allowed non-EAP MAC tab" (page
Non-EAPOL MAC screen -- Allowed non-EAP MAC tab
Field Description
2 To add a MAC address to the list of allowed non-EAPOL clients:
a. Click the Insert button. The Insert Allowed non-EAP MAC
screen appears. The following gure illustrates this tab.
Figure 32
Insert Allowed non-EAP MAC screen
b. Enter the MAC address of the non-EAPOL client you want to
add to the list.
c. Click Insert.
3 To remove a MAC address from the list of allowed non-EAPOL
clients:
a. Select the MAC address in the ClientMACAddr column on the
Allowed non-EAP MAC tab.
b. Click Delete.
NN47215-505 (323165-B) 02.01 Standard
.
End
Viewing non-EAPOL host support status To view the status of
non-EAPOL host support on the port, do the following:
Step Action
1 From the EAPOL Advance tab of the Port screen, click the
Non-EAP MAC button. The Non-EAPOL MAC screen appears with
the Allowed non-EAP MAC tab selected. Select the Non-EAP
Status tab. The following gure illustrates this tab.
Figure 33
Non-EAPOL MAC screen -- Non-EAP Status tab
"Non-EAPOL MAC screen -- Non-EAP Status tab" (page
Non-EAPOL MAC screen -- Non-EAP Status tab
Field Description
State
The authentication status. Possible values
are:
rejected: the MAC address cannot be
authenticated on this port.
locallyAuthenticated: the MAC address
was authenticated using the local table
of allowed clients
radiusPending: the MAC address is
awaiting authentication by a RADIUS
server
radiusAuthenticated: the MAC address
was authenticated by a RADIUS server
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
adacAuthenticated: the MAC address
was authenticated using ADAC
configuration tables
mhsaAuthenticated: the MAC address
was auto-authenticated on a port
following a successful authentication
of an EAP client
Reauthenticate
The value used to reauthenticate the MAC
address of the client on the port
End
EAPOL Stats tab for graphing ports
The EAPOL Stats tab displays EAPOL statistics.
To open the EAPOL Stats tab for graphing, use the following procedure:
Step Action
1 Select the port or ports you want to graph.
To select multiple ports, press Ctrl+left-click the ports that you
want to congure.
From the Device Manager main menu, choose Graph > Port.
From the shortcut menu, choose Graph.
On thetoolbar, click Graph.
The Graph Port dialog box for a single port or for multiple ports
appears with the Interface tab displayed.
3 Click the EAPOL Stats tab.
The EAPOL Stats tab for graphing multiple ports appears.
The following gure displays the Graph port dialog box EAPOL Stats
tab.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 34
Graph port dialog box EAPOL Stats tab
End
EAPOL Stats tab elds
"EAPOL Stats tab elds" (page 137) describes the EAPOL Stats tab elds.
Table 62
EAPOL Stats tab elds
Field Description
EapolFramesRx The number of valid EAPOL frames of any type that
are received by this authenticator.
EapolFramesTx The number of EAPOL frame types of any type that
are transmitted by this authenticator.
EapolStartFramesRx The number of EAPOL start frames that are received
by this authenticator.
EapolLogoffFramesRx The number of EAPOL Logoff frames that are
received by this authenticator.
EapolRespIdFramesRx The number of EAPOL Resp/Id frames that are
received by this authenticator.
EapolRespFramesRx The number of valid EAP Response frames (Other
than Resp/Id frames) that are received by this
authenticator.
EapolReqIdFramesTx The number of EAPOL Req/Id frames that are
transmitted by this authenticator.
EapolReqFramesTx The number of EAP Req/Id frames (Other than Req/Id
frames) that are transmitted by this authenticator.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
InvalidEapolFramesRx The number of EAPOL frames that are received
by this authenticator in which the frame type is not
recognized.
EapLengthError
FramesRx
The number of EAPOL frames that are received by
this authenticator in which the packet body length
field is not valid.
EAPOL Diag tab for graphing ports
The EAPOL Diag tab displays EAPOL diagnostics statistics.
To open the EAPOL Diag tab for graphing, use the following procedure:
Step Action
1 Select the port or ports you want to graph.
To select multiple ports, press Ctrl+left-click the ports that you
want to congure.
From the Device Manager main menu, choose Graph > Port.
From the shortcut menu, choose Graph.
On the toolbar, click Graph.
The Graph Port dialog box for a single port or for multiple ports
appears with the Interface tab displayed.
3 Click the EAPOL Diag tab.
The EAPOL Diag tab for graphing multiple ports appears.
The following gure displays the Graph Port dialog box EAPOL Diag
tab.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 35
Graph Port dialog box EAPOL Diag tab
End
EAPOL Diag elds
"EAPOL Diag elds" (page 139) describes the EAPOL Diag tab elds.
Table 63
EAPOL Diag tab elds
Field Description
EntersConnecting Counts the number of times that the state
machine transitions to the connecting state
from any other state.
EapLogoffsWhileConnecting Counts the number of times that the state
machine transitions from connecting to
disconnecting as a result of receiving an
EAPOL-Logoff message.
EntersAuthenticating Counts the number of times that the
state machine transitions from connecting to
authenticating, as a result of an EAP-Response
or Identity message being received from the
Supplicant.
AuthSuccessWhile
Authenticating
Counts the number of times that the state
machine transitions from authenticating to
authenticated, as a result of the Backend
Authentication state machine indicating a
successful authentication of the Supplicant.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
AuthTimeoutsWhile
Authenticating
machine transitions from authenticating
to aborting, as a result of the Backend
Authentication state machine indicating an
authentication timeout.
AuthFailWhileAuthenticating Counts the number of times that the state
machine transitions from authenticating to held,
as a result of the Backend Authentication state
machine indicating an authentication failure.
AuthReauthsWhile
Authenticating
aborting, as a result of a reauthentication
request.
AuthEapStartsWhile
Authenticating
aborting, as a result of an EAPOL-Start
message being received from the Supplicant.
AuthEapLogoffWhile
Authenticating
aborting, as a result of an EAPOL-Logoff
AuthReauthsWhile
Authenticated
machine transitions from authenticated to
connecting, as a result of a reauthentication
request.
AuthEapStartsWhile
Authenticated
connecting, as a result of an EAPOL-Start
AuthEapLogoffWhile
Authenticated
disconnected, as a result of an EAPOL-Logoff
BackendResponses Counts the number of times that the state
machine sends an initial Access-Request
packet to the Authentication server.
Indicates that the Authenticator attempted
communication with the Authentication Server.
BackendAccessChallenges Counts the number of times that the state
machine receives an initial Access-Challenge
packet from the Authentication server.
Indicates that the Authentication Server has
communication with the Authenticator.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
BackendOtherRequestsTo
Supplicant
machine sends an EAP-Request packet,
other than an Identity, Notification, Failure
or Success message, to the Supplicant.
Indicates that the Authenticator chooses an
EAP-method.
BackendNonNakResponses
FromSupplicant
machine receives a response from the
Supplicant to an initial EAP-Request, and the
response is something other than EAP-NAK.
Indicates that the Supplicant can respond to the
EAP-method that the Authenticator chooses.
BackendAuthSuccesses Counts the number of times that the state
machine receives an EAP-Success message
from the Authentication Server. Indicates that
the Supplicant has successfully authenticated
to the Authentication Server.
BackendAuthFails Counts the number of times that the state
machine receives an EAP-Failure message
from the Authentication Server. Indicates that
the Supplicant has not authenticated to the
Authentication Server.
Conguring SNMP
This section contains the following topics:
"SNMP tab" (page 141)
"Trap Receivers tab" (page 142)
"Graphing SNMP statistics" (page 144)
SNMP tab
The SNMP tab provides read-only information about the addresses that the
agent software uses to identify the switch.
To open the SNMP tab, use the following procedure:
Step Action
1 Select the chassis.
2 Choose Edit > Chassis.
The Chassis dialog box appears with the System tab displayed.
3 Click the SNMP tab.
The SNMP tab appears.
NN47215-505 (323165-B) 02.01 Standard
.
End
Figure 36
Chassis dialog box SNMP tab
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 64
SNMP tab elds
Field Description
LastUnauthenticatedIpAddress The last IP address that is not
authenticated by the device.
LastUnauthenticatedCommunityString The last community string that is not
authenticated by the device.
TrpRcvrMaxEnt The maximum number of trap receiver
entries.
TrpRcvrCurEnt The current number of trap receiver
entries.
TrpRcvrNext The next trap receiver entry to be
created.
Trap Receivers tab
The Trap Receivers tab lists the devices that receive SNMP traps from the
Ethernet Routing Switch 2500 Series.
To open the Trap Receivers tab, use the following procedure:
Step Action
2 Choose Edit > Chassis.
The Chassis dialog box appears with the System tab displayed.
3 Click the Trap Receivers tab.
NN47215-505 (323165-B) 02.01 Standard
.
The Trap Receivers tab appears.
End
Figure 37
Chassis dialog box Trap Receivers tab
"Trap Receivers tab elds" (page 143) describes the Trap Receivers tab
elds.
Table 65
Trap Receivers tab elds
Field Description
Indx An index of the trap receiver entry. Trap receivers are
numbered from one to four. Each trap receiver has an
associated community string (see the following Community
field description in this table).
NetAddr The address (or DNS hostname) for the trap receiver.
Community Community string used for trap messages to this trap
receiver.
Adding a Trap Receiver
To edit the network traps table, use the following procedure:
Step Action
1 In the Trap Receivers tab, click Insert.
The Chassis, Insert Trap Receivers dialog box appears.
The following gure displays the Chassis, Insert Trap Receivers
dialog box.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 38
Chassis, Insert Trap Receivers dialog box
2 Type the Index, NetAddr, and Community information.
3 Click Insert.
End
Graphing SNMP statistics
In the Graph Chassis dialog box, the SNMP tab provides read-only
information about the addresses that the agent software uses to identify
the switch.
To open the SNMP tab, use the following procedure:
Step Action
2 Choose Graph > Chassis.
The Graph Chassis dialog box appears with the SNMP tab displayed.
3 Click the SNMP tab.
End
NN47215-505 (323165-B) 02.01 Standard
.
Figure 39
Graph Chassis dialog box SNMP tab
"SNMP tab elds" (page 142) describes the SNMP tab elds.
Table 66
SNMP tab elds
Field Description
InPkts The total number of messages delivered to the SNMP
from the transport service.
OutPkts The total number of SNMP messages passed from the
SNMP protocol to the transport service.
InTotalReqVars The total number of MIB objects retrieved successfully
by the SNMP protocol as the result of receiving valid
SNMP Get-Request and Get-Next PDUs.
InTotalSetVars The total number of MIB objects altered successfully
by the SNMP protocol as the result of receiving valid
SNMP Set-Request PDUs.
InGetRequests The total number of SNMP Get-Request PDUs that are
accepted and processed by the SNMP protocol.
InGetNexts The total number of SNMP Get-Next PDUs that are
InSetRequests The total number of SNMP Set-Request PDUs that are
InGetResponses The total number of SNMP Get-Response PDUs that
are accepted and processed by the SNMP protocol.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
OutTraps The total number of SNMP Trap PDUs generated by
the SNMP protocol.
OutTooBigs The total number of SNMP PDUs generated by the
SNMP protocol for which the value of the error-status
field is tooBig.
OutNoSuchNames The total number of SNMP PDUs generated by the
field is noSuchName.
OutBadValues The total number of SNMP PDUs generated by the
field is badValue.
OutGenErrs The total number of SNMP PDUs generated by the
field is genErr.
InBadVersions The total number of SNMP messages delivered to the
SNMP protocol for an unsupported SNMP version.
InBadCommunity
Names
The total number of SNMP messages delivered to the
SNMP protocol that used an unknown SNMP community
name.
InBadCommunity
Uses
The total number of SNMP messages delivered to the
SNMP protocol that represented an SNMP operation
not allowed by the SNMP community named in the
message.
InASNParseErrs The total number of ASN.1 or BER errors encountered
by the SNMP protocol when decoding received SNMP
messages.
InTooBigs The total number of SNMP PDUs delivered to the SNMP
protocol for which the value of the error-status field is
tooBig.
InNoSuchNames The total number of SNMP PDUs delivered to the SNMP
noSuchName.
InBadValues The total number of SNMP PDUs delivered to the SNMP
badValue.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
InReadOnlys The total number of SNMP PDUs delivered to the
field is readOnly. It is a protocol error to generate
an SNMP PDU containing the value readOnly in the
error-status field. This object is provided to detect
incorrect implementations of the SNMP.
InGenErrs The total number of SNMP PDUs delivered to the SNMP
genErr.
Working with SNMPv3
Simple Network Management Protocol (SNMP) provides a mechanism to
remotely congure and manage a network device. An SNMP agent is a
software process that listens on UDP port 161 for SNMP messages, and
sends trap messages using the destination UDP port 162.
SNMPv3 is based on the architecture of SNMPv1 and SNMPv2c. It supports
better authentication and data encryption than SNMPv1 and SNMPv2c.
SNMPv3 provides protection against the following security threats:
modication of SNMP messages by a third party
impersonation of an authorized SNMP user by an unauthorized person
disclosure of network management information to unauthorized parties
delayed SNMP message replays or message redirection attacks
The conguration parameters introduced in SNMPv3 makes it more secure
and exible than the other versions of SNMP.
For more information on the SNMPv3 architecture, see RFC 3411.
This chapter describes the following concepts associated with SNMPv3:
"Initial Login with an SNMPv3 User" (page 148)
"User-based Security Model" (page 149)
"View-based Access Control Model" (page 152)
"Creating a community" (page 159)
"Management Targets" (page 161)
"The Notify Table" (page 166)
NN47215-505 (323165-B) 02.01 Standard
.
Initial Login with an SNMPv3 User
To congure SNMPv3 with Device Manager, you must rst log on and
create an SNMPv3 user through the CLI or Web interface. If you specify
only read and write community strings at the time you log on, you do not
have sufcient rights to view or change the SNMPv3 settings of the switch.
CAUTION
By default, the CLI and Web interface are not password protected.
Nortel strongly recommends that after you set up an SNMPv3
user, you change or delete all factory default settings that can
allow an unauthorized person to log on to your device.
For more information on how to congure an initial SNMPv3 user by using
Web-based management, see "Setting SNMP parameters" (page 58), and
by using the CLI, see "Conguring SNMPv3" (page 190).
To log on to the Ethernet Routing Switch 2500 Series Device Manager as
an SNMPv3 user, use the following procedure:
Step Action
1 On the Device Manager menu bar, select Device > Open.
2 In the Device Name eld, enter the DNS name or the IP address of
the switch.
3 Select the v3 Enabled checkbox (the default Read and Write
community strings are grayed out when SNMPv3 is enabled).
4 Enter the log on name of the SNMPv3 user.
5 From the Authentication Protocol pull-down list, select MD5, SHA, or
None.
6 If the user is congured to use an authentication protocol, enter the
authentication password in the Authentication Password eld.
7 If the user is congured to use a privacy protocol, choose the
appropriate protocol from the Privacy Protocol eld (DES, AES or
3DES).
8 In the Privacy Password eld, enter the privacy password.
End
NN47215-505 (323165-B) 02.01 Standard
.
User-based Security Model
The User-based Security Model (USM) provides a mechanism to
authenticate and encrypt SNMPv3 messages.
A message, if congured, is authenticated with the help of a one-way hash
function that is associated with an individual user ID. In the Ethernet Routing
Switch 2500 Series, a user can be congured to use the HMAC-MD5-96 or
the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages.
An SNMPv3 message, if congured, is encrypted with the help of the Cipher
Block Chaining - Data Encryption Standard (CBC-DEC).
An SNMPv3 user can be congured in three ways.
Table 67 "SNMPv3 user conguration method" (page 149) describes the
ways in which an SNMPv3 user can be congured.
Table 67
SNMPv3 user conguration method
SNMPv3 Configuration
Method
Description
NoAuthNoPriv The user cannot use an authentication or an
encryption mechanism.
AuthNoPriv The user can use an authentication but not an
AuthPriv The user can use an authentication as well as an
For more information on USM, see RFC 3414.
Conguring the User-based Security Model
To create a user in the USM table, use the following procedure:
Step Action
1 From the Device Manager menu bar, choose Edit > SnmpV3 >
USM Table.
The USM dialog box appears.
The following gure displays the USM dialog box.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 40
USM dialog box
USM tab elds
The following table describes the USM tab elds.
Table 68
USM dialog box elds
Field Description
EngineID Indicates the administratively-unique identifier of the
SNMP engine.
Name Indicates the name of the user in usmUser.
SecurityName Creates the name that is used as an index to the
table. The range is 1 to 32 characters.
AuthProtocol Identifies the authentication protocol used.
PrivProtocol Identifies the privacy protocol used.
StorageType Specifies whether the table entry (row) will be stored
in volatile or nonvolatile memory. If the entry is stored
in volatile memory, it does not persist if the switch
loses power.
2 Click Insert.
The USM, Insert USM Table dialog box appears.
The following gure displays the USM, Insert USM Table dialog box.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 41
USM, Insert USM Table dialog box
3 Enter a name.
4 In the Clone From User list, select a security name from which the
new entry copies authentication data and privacy data. For example,
Authentication Protocol, Authentication password, Privacy Protocol,
and Privacy password.
ATTENTION
The Clone From User you select denes the maximum authentication and
privacy settings for a new user. For example, if the Clone From User does
not use an authentication or encryption protocol, users created from this
clone cannot use the authentication or the encryption protocol. For this
reason, it is recommended that you assign both an authentication and
encryption protocol to the rst user you create through the CLI or Web
interface.
5 From the Auth Protocol pull-down list, select an authentication
protocol for this user. If you select an authentication protocol, enter
an old and new authentication password in the next two elds.
6 In the Cloned Users Auth Password eld, enter the authentication
password of the Cloned From User.
7 In the New Users Auth Password eld, enter a new authentication
password for this user.
8 Select a privacy protocol. If you choose to specify a privacy protocol,
enter an old and new privacy password in the next two elds. This is
optional but recommended.
NN47215-505 (323165-B) 02.01 Standard
.
9 Enter the Cloned Users Priv Password.
10 Enter a new privacy password for this user.
11 Click Insert.
The USM table appears and the new entry is shown.
End
"USM Insert USM Table dialog box elds" (page 152) describes the USM,
Insert USM Table dialog box elds.
Table 69
USM, Insert USM Table dialog box elds
Field Description
New User Name Creates the new entry with this security name. The name
is used as an index to the table. The range is 1 to 32
characters.
Clone From User Specifies the security name from which the new entry must
copy privacy and authentication parameters. The range is 1
to 32 characters.
Auth Protocol Assigns an authentication protocol (or no authentication)
from a shortcut menu. If you select this protocol, enter an
old AuthPass and a new AuthPass.
Cloned Users
Auth Password
Specifies the current authentication password.
New Users Auth
Password
Specifies the new authentication password to use for this
user.
Priv Protocol
(Optional)
Assigns a privacy protocol (or no privacy) from a menu.
Cloned Users Priv
Password
Specifies the current privacy password.
New Users Priv
Password
Specifies the new privacy password to use for this user
entry.
Storage Type Specifies whether this table entry (row) will be stored in
volatile or nonvolatile memory. If the entry is stored in
volatile memory, it does not persist if the switch loses power.
View-based Access Control Model
The View-based Access Control Model (VACM) is used to map a user to
a set of access rights and MIB views. This mapping is done with the help
of three tables.
NN47215-505 (323165-B) 02.01 Standard
.
Table 70 "View-based access control mapping" (page 153) describes the
which help of to map a user to access rights and MIB views.
Table 70
View-based access control mapping
Table Name Description
Group Membership table Defines a set of users that can be referenced by a
single group name.
Group Access Right table Associates a group with Read, Write, and Notify
views.
MIB View table Defines a set of MIB subtrees or objects.
For more detailed information on VACM, see RFC 3415.
Dening Group Membership with VACM
To add members to a group in the View-based Access Control Model
(VACM) table, use the following procedure:
Step Action
VACM table.
The VACM dialog box with the Group Membership tab options visible
appears.
The following gure displays the VACM dialog, Group Membership
tab.
Figure 42
VACM dialog, Group Membership tab
NN47215-505 (323165-B) 02.01 Standard
.
VACM dialog tab elds
The following table describes the Group Membership tab elds.
Table 71
Group Membership tab elds
Field Description
SecurityModel The security model for the entry.
SecurityName The name of an entry in the USM table or the
Community Table.
GroupName The name of the group to which this entry belongs.
When multiple entries in this table have the same
GroupName, they all belong to the same group.
StorageType Specifies whether this table entry (row) will be stored
loses power.
2 Click Insert.
The VACM, Insert Group Membership dialog box appears.
The following gure displays the VACM, Insert Group Membership
dialog box.
3 Select a SecurityModel.
4 Enter a SecurityName.
5 Enter a GroupName.
6 Click Insert.
The VACM dialog box appears. The new group membership is
shown in the list.
End
Assigning Group Access Rights with VACM
To assign new access rights to a group, use the following procedure:
Step Action
VACM table.
The VACM dialog box appears (Figure 42 "VACM dialog, Group
Membership tab" (page 153)).
NN47215-505 (323165-B) 02.01 Standard
.
2 Click the Group Access Right tab.
The Group Access Right tab appears.
The following gure displays the Group Access Right tab.
Figure 43
Group Access Right tab
The following table describes the Group Access Right tab elds.
Table 72
VACM dialog box Group Access Right tab elds
Field Description
vacmGroupName A GroupName from the Group Membership table.
ContextPrefix The Context Prefix for this entry. By default, the
field is empty. This is an optional field.
SecurityModel The security model assigned to users in the
Group Membership table. Options are SNMPv1,
SNMPv2c, or USM.
SecurityLevel The security level assigned to users in the Group
Membership table. Options are noAuthNoPriv,
authNoPriv, or authPriv.
ContextMatch Specifies whether to use an exact match or the
context prefix for assigning the rights defined in
this row to a user. The default is exact. This is an
optional field.
ReadViewName The name of the MIB View to which the user is
assigned read access.
WriteViewName The name of the MIB View to which the user is
assigned write access.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
NotifyViewName The name of the MIB View from which the user
receives notifications.
StorageType Specifies whether this table entry (row) will be
stored in volatile or nonvolatile memory. If the
entry is stored in volatile memory, it does not
persist if the switch loses power.
3 Click Insert.
The VACM, Insert Group Access Right dialog box appears.
The following gure displays the VACM, Insert Group Access Right
dialog box.
Figure 44
VACM, Insert Group Access Right dialog box
4 Enter the name of a group.
5 Enter the context prex.
6 Select the security model.
7 Select the security level.
8 Enter the name of a MIB View that enables a user to read the MIB
subtrees and objects.
9 Enter the name of a MIB View that enables a user to write to the
MIB subtrees and objects.
10 Enter the name of a MIB View from which a user can receive traps
or inform messages.
NN47215-505 (323165-B) 02.01 Standard
.
11 Click Insert.
The VACM window reappears, and the new Group Access Right
entry is shown in the table.
End
Dening a MIB view
To assign MIB view access for an object, use the following procedure:
Step Action
VACM table.
The VACM dialog box appears (Figure 42 "VACM dialog, Group
Membership tab" (page 153)).
2 Select the MIB View tab.
The MIB View tab appears.
The following gure displays the MIB View tab.
Figure 45
MIB View tab
MIB View tab elds
NN47215-505 (323165-B) 02.01 Standard
.
The following table describes the MIB View tab elds.
Table 73
VACM dialog box MIB View tab elds
Field Description
ViewName Creates a new entry with this
group name. The range is 1 to 32
characters.
Subtree Refers to any valid object identifier
that defines the set of MIB objects
accessible by this SNMP entity,
for example, org, iso8802, or
1.3.6.1.1.5 OID string.
Mask (Optional) Specifies that a bit mask be used
with vacmViewTreeFamilySubtree
to determine whether an OID falls
under a view subtree.
Type Determines whether access to a
MIB object is granted (Included) or
denied (Excluded). The default is
Included.
StorageType Specifies whether this table entry
(row) will be stored in volatile or
nonvolatile memory. If the entry
is stored in volatile memory, it
does not persist if the switch loses
power.
3 Click Insert.
The VACM, Insert MIB View dialog box appears.
The following gure displays VACM, Insert MIB View dialog box.
Figure 46
VACM, Insert MIB View dialog box
NN47215-505 (323165-B) 02.01 Standard
.
4 Enter a ViewName.
5 Enter a MIB Subtree name, for example, org, iso8802, or a
dotted-decimal OID string.
6 Enter a Mask to specify wild cards in the OID string. The default is
to leave this eld blank, which is the same as specifying a mask
of all ones (exact match).
7 Select whether to include or exclude this MIB subtree from the
collection of all MIB objects with this same ViewName.
8 Click Insert.
The assigned MIB view appears in the list.
End
Creating a community
A community table contains objects for mapping between community strings
and the security name created in VACM Group Member. To create a
community, use the following procedure:
Step Action
1 From the Device Manager menu bar, chooseEdit > SnmpV3 >
Community Table.
The Community Table dialog box appears.
The following gure displays the Community Table dialog box.
Figure 47
Community Table dialog box
2 Click Insert.
The Community Table, Insert Community Table dialog box appears.
The following gure displays the Community Table, Insert Community
Table dialog box.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 48
Community Table, Insert Community Table dialog box
3 Enter an Index.
4 Enter Name that is a community string.
6 Click Insert.
The new community is shown in the list.
End
Community Table dialog box elds
"Community Table dialog box elds" (page 160) describes the Community
Table dialog box elds.
Table 74
Community Table dialog box elds
Field Description
Index The unique index value of a row in this table. The
SnmpAdminString range is 1-32 characters.
Name The community string for which a row in this table
represents a configuration.
SecurityName The security name assigned to this entry in the
Community table. The range is 1 to 32 characters.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
ContextEngineID The contextEngineID that indicates the location
of the context in which management information
is accessed when using the community string
specified by the corresponding instance of
snmpCommunityName. The default value is the
snmpEngineID of the entity in which this object is
instantiated.
ContextName The context in which management information
is accessed when using the community string
specified by the corresponding instance of
snmpCommunityName.
TransportTag This object specifies a set of transport endpoints
that are associated a community string. The
community string is only valid when found in an
SNMPv1 or SNMPv2c message received from one
of these transport endpoints, or when used in an
SNMPv1 or SNMPv2c message that is sent to one
of these transport endpoints.
StorageType The storage type for this conceptual row in the
snmpCommunityTable. Conceptual rows that have
the value permanent do not allow write-access to
any columnar object in the row.
Management Targets
The concept of the SNMPv3 management target is similar to trap receivers
in SNMPv1 and SNMPv2c. Management targets are dened with the help
of three tables.
Management Target Tables
"Management Target Tables" (page 161) describes the that help to dene
the management targets.
Table 75
Management target tables
Table Name Description
Target Address table Lists the IP address and destination UDP port
number of stations that receive trap or inform
messages.
Target Parameters table Specifies how to format and process an outgoing
message that is sent to an associated target
address.
Notify table Specifies the type of message to send to a
management target: trap or inform.
NN47215-505 (323165-B) 02.01 Standard
.
Creating a Management Target Address
To create an entry in the Management Target Address table, use the
following procedure:
Step Action
Target Table.
The Target Table dialog box appears, with the Target Address Table
tab appears.
The following gure displays the Target Table dialog box, target
Address Table tab.
Figure 49
Target Table dialog box, Target Address Table tab
Target Address Table elds
The following table describes the Target Address Table elds.
Table 76
Target Address Table elds
Field Description
Name Specifies the name for this target table entry.
TDomain Specifies the domain of the management target. The
default is snmpUDPDomain.
TAddress Specifies the IP address and destination UDP port for
this management target, for example, 10.0.4.27:162.
Timeout Specifies the length of the time to wait in 1/100
th
of a second, for an acknowledgement from this
management target before declaring the message as
timed-out. The default is 1500 milliseconds.
RetryCount Specifies the number of times this device can
resend messages to this management target if initial
messages are not acknowledged. The default is 3.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
Taglist Refers to zero or more Notify tags that are used to link
this entry with entries in the Notify table. By default,
you can enter either traporinform without having to
create new entries in the Notification table.
Params Specifies the entry in the Target Parameter table
which is associated with this Management Target
Address.
loses power.
2 Click Insert.
The Target Table, Insert Target Address Table dialog box appears.
The following gure displays the Target Table, Insert Target Address
Table dialog box.
Figure 50
Target Table, Insert Target Address Table dialog box
3 Enter a Name.
4 Enter a TDomain name.
5 Enter the IP address and UDP port number for this management
target, for example, 10.0.4.27:162.
6 Accept or modify the default values in the TimeOut and RetryCount
elds.
7 In the Taglist eld, enter the name of the tags (trap or inform),
separated by a comma if more than one tag is entered. For more
details, see Table 78 "Notify Table dialog box elds" (page 166).
NN47215-505 (323165-B) 02.01 Standard
.
8 In the Params eld, enter the name of an entry in the Target Param
table.
9 Click Insert.
The new Target address is shown in the list.
End
Creating Target Parameters
To create a target parameter, use the following procedure:
Step Action
Target Table.
The Target Table dialog box appears, with the Target Address Table
displayed.Figure 49 "Target Table dialog box, Target Address Table
tab" (page 162) .
2 Select the Target Params Table tab.
The Target Params Table tab appears.
The following gure displays the Target Params table tab.
Figure 51
Target Params Table tab
3 Click Insert.
The Target Table, Insert Target Params Table dialog box appears.
The following gure displays the Target Table, Insert Target Params
Table dialog box.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 52
Target Table, Insert Target Params Table dialog box
4 Enter a Name for this set of parameters.
5 Select the MPModel.
6 Select the SecurityModel.
8 Specify a SecurityLevel value.
9 Enter the StorageType.
10 Click Insert.
The new target parameter is shown in the list.
End
Target Params Table tab elds
"Target Params Table tab elds" (page 165) describes the Target Params
Table dialog box elds.
Table 77
Target Params Table tab elds
Field Description
Name Specifies the name of the target parameters table.
MPModel Specifies the Message Processing model: SNMPv1,
SNMPv2c, or SNMPv3/USM.
SecurityModel Specifies the security model: SNMPv1, SNMPv2c, or
SNMPv3/USM.
SecurityName Specifies the security name for generating SNMP messages.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
SecurityLevel Specifies the security level for SNMP messages:
noAuthnoPriv, authnoPriv, or authPriv.
Storage Type Specifies whether this table entry (row) will be stored in
volatile or nonvolatile memory. If the entry is stored in volatile
memory, it doesl not persist if the switch loses power.
The Notify Table
The Notify Table contains default entries for a trap notication type and
inform notication type.
To create a Notify Table entry, use the following procedure:
Step Action
Notify.
The Notify Table dialog box appears Figure 53 "NotifyTable dialog
box" (page 166) .
Notify Table dialog box elds
Figure 53
NotifyTable dialog box
The following table describes the Notify Table dialog box elds.
Table 78
Notify Table dialog box elds
Field Description
Name A name or index value for this row in the table.
Tag A single tag value that is used to associate this entry
with an entry in the Target Address Table.
NN47215-505 (323165-B) 02.01 Standard
.
Field Description
Type
This selection specifies the type of notification sent
to a management target address. If the value is trap,
sent messages contain SNMPv2-Trap PDUs. If the
value is inform, messages contains Inform PDUs.
ATTENTION
If an SNMP entity only supports trap (and not
inform) messages, this object can be read-only.
loses power.
2 Click Insert.
The Notify Table, Insert dialog box appears .
The following gure displays the Notify Table, Insert dialog box.
Figure 54
Notify Table, Insert dialog box
3 Enter a Name for this table row.
4 Enter a Tag name which connects this entry to one or more Target
Address table entries.
5 Specify the Type of message Protocol Data Units (PDUs) to send to
an associated Management Target Address: trap or inform.
6 Specify the StorageType.
7 Click Insert.
The new notify entry is shown in the list.
NN47215-505 (323165-B) 02.01 Standard
.
End
NN47215-505 (323165-B) 02.01 Standard
.
169
Conguring Security using web-based
management
The options available to congure application settings are:
"Conguring system security" (page 169)
"Accessing the management interface" (page 173)
"Conguring MAC address-based security" (page 175)
"Conguring MAC address-based security" (page 175)
"About SNMP" (page 188)
"Conguring SNMPv1" (page 188)
"Conguring SNMPv3" (page 190)
Conguring system security
This section describes the steps you use to build and manage security by
using the Web-based management interface.
ATTENTION
When you install the switch, Nortel recommends that you set the initial system
usernames and passwords by using the Command Line Interface. For more
information, see "Setting the username and password" (page 35).
Setting console, Telnet, and Web passwords
ATTENTION
For information about modifying existing system usernames, see "Setting the
username and password" (page 35).
To set Console, Telnet, and Web passwords, use the following procedure:
NN47215-505 (323165-B) 02.01 Standard
.
170 Conguring Security using web-based management
Step Action
1 From the main menu, choose Administration > Security.
2 Choose Console, Telnet, Web, or RADIUS as required.
The selected password page appears .
3 Click Submit.
ATTENTION
The title of the page corresponds to the menu selection you choose.
In , the network administrator selected Administration > Security >
Console.
Figure 55
Console password setting page
The following table describes the items on the Console page.
NN47215-505 (323165-B) 02.01 Standard
.
Conguring system security 171
Table 79
Console page elds
Section Fields Setting Description
ATTENTION
Console, Telnet, and Web connections share the same switch
password type and password. These connections also share the
same stack password type and password.
Console Switch
Password Type
(1) None
(2) Local
Password
(3) RADIUS
Authentication
Displays the
switch password
types.
ATTENTION
The default is
None.
Read-Only Swit
ch Password
1..15 Type the read-only
password setting
for the read-only
access user.
Console
Switch
Password
Setting
Read-Write Swit
ch Password
1..15 Type the read-write
password setting
for the read-write
access user.
Console Stack
Password Type
None
Displays the
switch password
types.
ATTENTION
The default is
None.
Read-only Stack
Password
1..15 Type the read-only
password setting
for the read-only
access user.
Console Sta
ck Password
Read-Write
Stack Password
1..15 Type the read-write
password setting
for the read-write
access user.
NN47215-505 (323165-B) 02.01 Standard
.
4 Choose the type of password. The following table describes the
options available in the Console Switch Password Type list box.
Table 80
Password Types
Password Type Description
None Indicates that no password is required for this type
of access.
Local Password Sets a password for access through a direct
network connection or a direct Console port
connection.
RADIUS Authentica
tion
Sets a password for remote dial-up. If you select
this password type, you must also set up RADIUS
authentication from the Radius management page.
5 Type the password for read-only and read/write user access.
6 Click Submit to save the changes.
End
Conguring RADIUS dial-in access security
To congure remote dial-in access security parameters, use the following
procedure:
Step Action
1 From the main menu, choose Administration > Security > Radius.
The Radius page appears.
Figure 56
Radius page
NN47215-505 (323165-B) 02.01 Standard
.
Accessing the management interface 173
The following table describes the items on the RADIUS page.
Table 81
RADIUS page elds
Field Setting Description
Primary RADIUS Server XXX.XXX.XXX.XXX Type a Primary Radius server IP
address in the appropriate format.
Secondary RADIUS Server XXX.XXX.XXX.XXX Type a Secondary Radius server
IP address in the appropriate
format.
UDP RADIUS Port Integer Type the UDP Radius port
number.
RADIUS Timeout Period 1..60 Type the RADIUS timeout period.
RADIUS Shared Secret 1..16 Type a unique character string
to create a secret password.
Reenter the password to verify.
2 Type the IP addresses of the primary and secondary RADIUS
(Remote Authentication Dial In User Services) servers.
3 Type the number of the User Datagram Protocol (UDP) port for the
RADIUS server. The default value is 1645.
4 Type the number of seconds for the RADIUS timeout period. The
range is 1 to 60 seconds.
5 Type a character string for the RADIUS Shared Secret. This
parameter is a special switch security code that provides
authentication to the RADIUS server. The value can be any
contiguous ASCII string that contains at least one printable
character, up to a maximum of 16.
6 Reenter the character string to conrm the RADIUS Shared Secret.
7 Click Submit.
End
Accessing the management interface
After switch passwords and RADIUS authentication settings are integrated
into the Web-based management user interface, anyone who attempts
to use the application is presented with a log on page. See Figure 57
"Web-based management interface log on page" (page 174).
NN47215-505 (323165-B) 02.01 Standard
.
Figure 57
Web-based management interface log on page
To log on to the Web-based management interface, use the following
procedure:
Step Action
1 In the Username text box, type a valid username (default values are
RO [uppercase] for read-only access or RW [uppercase] for read/write
access).
2 In the Password text box, type your password.
3 Click Log On.
The System Information page appears .
ATTENTION
For information about modifying existing system usernames, see "Setting
the username and password" (page 35).
Figure 58
System Information Page
NN47215-505 (323165-B) 02.01 Standard
.
End
With Web access enabled, the switch can support a maximum of four
concurrent Web page users. Two predened user levels are available, and
each user level has a corresponding username and password.
Table 82 "User levels and access levels" (page 175) shows an example of
the two predened user levels available and their access level within the
Web-based management user interface.
Table 82
User levels and access levels
User level
User name for
each level
Password for each
user level
Access Level
Read-only RO XXXXXXXX Read only
Read/write RW XXXXXXXX Full read/write
access
Conguring MAC address-based security
The MAC address-based security system lets you specify a range of system
responses to unauthorized network access to your switch by using the
Web-based management system.
The system response can range from sending a trap to disabling the port.
The network access control is based on the MAC Source Addresses (SAs)
of the authorized stations. You can specify a list of up to 448 MAC SAs that
are authorized to access the switch. You can also specify the ports that
each MAC SA is allowed to access. The options for allowed MAC SA port
access include: NONE, ALL, and single or multiple ports that are specied
in a list, for example, one to four, six, nine, and so on. You must also include
the MAC SA of any router connected to any secure ports.
After the switch software detects an SA security violation, the response can
be to send a trap, turn on Destination Address (DA) ltering for all SAs,
disable the specic port, or any combination of these three options.
You can also congure the Ethernet Routing Switch 2500 Series to drop
all packets that have a specied MAC Destination Address (DA). You can
create a list of up to 10 MAC DAs that you want to lter. The packet with
the specied MAC DA is dropped regardless of the ingress port, Source
Address (SA) intrusion, or VLAN membership.
NN47215-505 (323165-B) 02.01 Standard
.
ATTENTION
Ensure that you do not enter the MAC address of the switch on which you are
working.
ATTENTION
After conguring the switch for MAC address-based security, you must enable the
ports you want by using the Port Conguration page.
Conguring MAC address-based security
You can use the Security Conguration page to enable or disable the MAC
address security feature and specify the appropriate system responses
to any unauthorized network access to your switch. To congure MAC
address-based security by using the Web-based management system,
use the following procedure:
Step Action
1 From the main menu, choose Application > MAC Address Security
> Security Conguration.
The Security Conguration page appears.
The following gure displays the Security Conguration page.
Figure 59
Security Conguration page
NN47215-505 (323165-B) 02.01 Standard
.
The following table describes the items on the Security Conguration
page.
Table 83
Security Conguration page items
Section Item Range Description
MAC Addres
s Security
(1) Enabled
(2) Disabled
Enables the MAC address security features.
After this field is set to enabled, the software
checks the source MAC addresses of
the packets that arrive on the secure
ports against MAC addresses listed in the
MAC Address Security Table for allowed
membership. If the software detects a
source MAC address that is not an allowed
member, the software registers a MAC
intrusion event.
MAC Addre
ss Security
SNMP-
Locked
(1) Enabled
(2) Disabled
After this field is set to enabled, the
MAC address security screens cannot be
modified by using SNMP.
MAC Address
Security Setting
Partition Port
on Intrusion
Detected
(1) Forever
(2) Enabled
(3) Disabled
Configures how the switch reacts to an
intrusion event (see MAC Address Security
field):
Disabled The port remains enabled, even
if an intrusion event is detected.
Enabled The port is disabled, then
automatically reset to enabled after the time
specified in the Partition Time field elapses.
Forever The port is disabled and remains
disabled (partitioned) until reset. The port
does not reset after the Partition Time
elapses.
You must manually reenable the port.
NN47215-505 (323165-B) 02.01 Standard
.
Partition
Time
1 to 65535
Sets the time to partition a port on
intrusion.
ATTENTION
Use this field only if the Partition Port
on Intrusion Detected field is set to
Enabled.
DA Filtering
on Intrusion
Detected
(1) Enabled
(2) Disabled
When enabled, the switch isolates the
intruding node by filtering (discarding) the
packets sent to that MAC address.
Generate
SNMP Trap
on Intrusion
(1) Enabled
(2) Disabled
Enables generation of an SNMP trap to all
registered SNMP trap addresses when an
intrusion is detected.
Action Lets you clear specific ports from
participation in the MAC address security
features.
Port List Blank.
MAC Security
Table/Clear by
Ports
Current
Learning
Mode
Blank.
Action Lets you identify ports that learn incoming
MAC addresses. All source MAC addresses
of any packets received on specified ports
are added to the MAC Security Table
(a maximum of 448 MAC addresses are
allowed).
Port List Displays all the ports that learn incoming
MAC addresses to detect intrusions
(unallowed MAC addresses).
MAC Security
Table/Learn by
Ports
Current
Learning
Mode
(1) Enabled
(2) Disabled
Enables learning.
2 On the Security Conguration page, type the necessary
information in the text boxes, or select from a list.
3 Click Submit.
End
NN47215-505 (323165-B) 02.01 Standard
.
Conguring ports
You can use the Port Lists page, to create port lists that can be used as
allowed source port lists to be referenced in the Security Table page. You
can create up to 32 port lists.
To activate an entry or add or delete ports from a list, use the following
procedure:
Step Action
> Port Lists.
The Port Lists page appears.
The following gure displays the Port Lists page.
Figure 60
Port Lists page
The following table describes the items on the Port Lists page.
NN47215-505 (323165-B) 02.01 Standard
.
Table 84
Port Lists page items
Item Description
Entry These are the lists of ports.
Action Lets you create a port list that you can use as an Allowed
Source in the Security Table screen.
Port List Displays which ports are associated with each list.
2 To add or delete ports to a list, click in the Action column in the list
row that you want.
The Port List View, Port List page appears.
The following gure displays the Port List View, Port List page.
Figure 61
Port List View, Port List page
a. Click the ports you want to add to the selected list, or click All.
b. To delete a port from a list, clear the box by clicking it.
c. Click Submit.
The Security Conguration page appears.
4 In the MAC Security Table section, click in the Action column of
the Learn By Ports row.
The Port List View, Learn by Ports page appears.
The following gure displays the Port List View, Learn by Ports page.
NN47215-505 (323165-B) 02.01 Standard
.
Port List View, Learn by Ports page
a. Click the ports through which you want the switch to learn MAC
addresses, or click All.
b. If you want that port to no longer learn MAC addresses, click the
checked box to clear it.
c. Click Submit.
5 In the MAC Security Table section, choose Enabled in the Current
Learning Mode column of the Learn By Ports row.
6 Click Submit.
ATTENTION
You cannot include any of the port values that you choose for the secure
ports eld.
End
Adding MAC addresses
You can use the Security Table page to specify the ports that each MAC
address is allowed to access. (You must also include the MAC addresses of
any routers that are connected to any secure ports.)
To add MAC addresses to the MAC address security table, use the following
procedure:
Step Action
1 In the main menu, choose Applications > MAC Address Security
> Security Table.
It can take a few moments for the required addresses to be learned.
Then, the Security Table page appears.
The following gure displays the Security Table page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 62
Security Table page
ATTENTION
By using this page, you instruct the switch to allow the specied MAC
address access only through the specied port or port list.
The following table describes the items on the Security Table page.
Table 85
Security Table page items
Action Lets you delete a MAC address.
MAC
Address
Displays the MAC address.
MAC Addre
ss Security
Table
Allowed
Source
Port
Entry
Displays the entry through which
the MAC address is allowed.
MAC
Address
Lets you specify up to 448 MAC
addresses that are authorized to
access the switch. You can specify
the ports that each MAC address
is allowed to access by using the
Allowed Source field (see the next
item description). The specified
MAC address does not take effect
until the Allowed Source field is
set to some value (a single port
number or a port list value that you
previously configured in the Port
Lists screen).
MAC Addre
ss Security
Table Entry
Creation
NN47215-505 (323165-B) 02.01 Standard
.
Allowed
Source
Lets you specify the ports that each
MAC address is allowed to access.
The options for the Allowed Source
field include a single port number
or a port list value that you have
previously configured in the Port
Lists screen.
2 Complete elds as described in the table.
ATTENTION
If you choose an Entry as the Allowed Source, you must have congured
that specic entry on the Port View List, Port List page.
3 On the Security Table page, type the required information in the
text boxes or select from a list.
4 Click Submit.
ATTENTION
Include the MAC address for the default LAN router as an allowed source
MAC address.
End
Clearing ports
You can clear all information from the specied port(s) in the list of ports that
learn MAC addresses. If Learn by Ports is enabled, the specied ports
begin to learn the MAC addresses.
To clear information from selected ports, use the following procedure:
Step Action
The Security Conguration page appears (Figure 59 "Security
Conguration page" (page 176)).
2 In the MAC Security Table section, click in the Action column of
the Clear By Ports row.
The Port List View, Clear By Ports page appears.
NN47215-505 (323165-B) 02.01 Standard
.
The following gure displays the Port List View, Clear By Ports page.
Figure 63
Port List View, Clear By Ports page
3 Select the ports you want to clear or click All.
4 Click Submit.
ATTENTION
When you specify a port (or ports) to be cleared by using this eld, the
specic port are cleared for each of the entries listed in the MAC Address
Security Table. If you clear all the allowed Source Ports eld (leaving
a blank eld) for an entry, the associated MAC address for that entry
is also cleared.
End
Enabling security on ports
To enable or disable MAC address-based security on the port, use the
Step Action
> Port Conguration.
The Port Conguration page appears.
The following gure displays the Port Conguration page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 64
Port Conguration page
The following table describes the items on the Port Conguration
page.
Table 86
Port Conguration page items
Item Range Description
Port 1 to 52 Lists each port on the unit.
Trunk Blank, 1 to 6 Displays the MultiLink Trunk to
which the port belongs to.
Security (1) Enabled
(2) Disabled
Enables MAC address-based
security on that port.
End
NN47215-505 (323165-B) 02.01 Standard
.
Deleting ports
You can delete ports from the security system in a variety of ways:
In the Ports List View, Port List page (Figure 61 "Port List View, Port List
page" (page 180)), click the checkmark of a selected port that you want
to delete from the specied port list.
In the Ports List View, Learn by Ports page ("Port List View, Learn by
Ports page" (page 181)), click the checkmark of a port that you want to
remove from those ports that learn MAC addresses.
In the Port Conguration page (Figure 64 "Port Conguration
page" (page 185)), click Disabled to remove that port from the
MAC address-based security system; this action disables all MAC
address-based security on that port.
Filtering MAC destination addresses
To drop all packets from a specied MAC Destination Address (DA), use the
Step Action
> DA MAC Filtering.
The DA MAC Filtering page appears.
The following gure displays the DA MAC Filtering page.
Figure 65
DA MAC Filtering page
The following table describes the items on the DA MAC Filtering
page.
NN47215-505 (323165-B) 02.01 Standard
.
Table 87
DA MAC Filtering page items
Action To drop all packets to
and from a specified MAC
Destination Address (DA).
Index 1 -10 The number of the MAC
address.
Destination
MAC Addre
ss Filtering
Table
MAC
Address
Displays the MAC address.
DA MAC Fil
tering Entry
Creation
DA MAC
Address
XX:XX:XX:XX:X
X:XX
Enter the MAC DA that you
want to filter.
ATTENTION
Ensure that you do not enter the MAC address of the management station.
2 In the DA MAC Filtering Entry Creation area, enter the MAC DA
that you want to lter.
You can list up to 10 MAC DAs to lter.
3 Click Submit.
The system returns you to the DA MAC Filtering page (Figure 65
"DA MAC Filtering page" (page 186)) with the new DA listed in the
table.
End
Deleting MAC DAs
To delete a MAC DA, use the following procedure:
Step Action
> DA MAC Filtering.
The DA MAC Filtering page appears (Figure 65 "DA MAC Filtering
page" (page 186)).
2 In the Destination MAC Address Filtering Table, click the Delete icon
for the entry that you want to delete.
A message appears prompting you to conrm your request.
NN47215-505 (323165-B) 02.01 Standard
.
Click Yes to delete the target parameter conguration.
Click Cancel to return to the table without making changes.
End
About SNMP
Simple Network Management Protocol (SNMP) is the standard for network
management that uses a common software agent to manage local and wide
area network equipment from different vendors; part of the Transmission
Control Protocol/Internet Protocol (TCP/IP) suite as dened in RFC115.
SNMPv1 is version one, the original standard protocol. SNMPv3 is a
combination of proposal updates to SNMP, most of which deal with security.
Conguring SNMPv1
You can congure SNMPv1 read/write and read-only community strings,
enable or disable trap mode settings, and/or enable or disable the
autotopology feature. The autotopology feature, when enabled, performs a
process that recognizes any device on the managed network and denes
and maps its relation to other network devices in real time.
To congure the community string, trap mode, and autotopology settings
and features, use the following procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv1.
The SNMPv1 page appears.
The following gure displays the SNMPv1 page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 66
SNMPv1 page
The following table describes the items on the SNMPv1 page.
Table 88
SNMPv1 page items
Read-
Only
Commu-
nity Strin
g
1..32 Type a character string to identify the
community string for the SNMPv1
read-only community, for example,
public or private.
Reenter the same character string to
confirm the community string for the
SNMPv1 read-only community.
The default value is public.
Commu-
nity String
Setting
Read-
Write
Commu-
nity Strin
g
1..32 Type a character string to identify the
community string for the SNMPv1
read-write community, for example,
public or private.
Reenter the same character string to
confirm the community string for the
SNMPv1 read-write community.
NN47215-505 (323165-B) 02.01 Standard
.
The default value is private.
Trap Mod
e Setting
Authen-
tication
Trap
(1) Enab
le
(2) Disa
ble
Choose to enable or disable the
authentication trap, which sends a
trap when an SNMP authentication
failure occurs.
Auto
Topology
Setting
Auto
Topology
(1) Enab
le
(2) Disa
ble
Choose to enable or disable the
autotopology feature, which allows
network topology mapping of other
switches in your network.
2 Type the required information in the text boxes or select from a list.
3 Click Submit in any section to save your changes.
End
Conguring SNMPv3
This section describes the steps to build and manage SNMPv3 in the
Web-based management user interface.
Viewing SNMPv3 system information
You can view information about the SNMPv3 engine that exists and the
private protocols that are supported in your network conguration. You
can also view information about packets received by the system that
have particular errors, such as unavailable contexts, unknown contexts,
decrypting errors, or unknown user names.
To view SNMPv3 system information, use the following procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv3 > System
Information.
The System Information page appears.
The following gure displays the System Information page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 67
System Information page
Table 89 "System Information section elds" (page 191) describes
the elds on the System Information section of the SNMPv3 System
Information page.
Table 89
System Information section elds
Item Description
SNMP
Engine ID
The identification number for the SNMP engine.
SNMP
Engine
Boots
The number of times that the SNMP engine has
reinitialized itself since its initial configuration.
SNMP
Engine Time
The number of seconds because the SNMP engine last
incremented the snmpEngineBoots object.
SNMP
Engine
Maximum
Message
Size
The maximum length, in octets, of an SNMP message that
this SNMP engine can send or receive and process. This
is determined as the minimum of the maximum message
size values supported among all transports available to
and supported by the engine.
SNMP
Engine
Dialects
The SNMP dialect that the engine recognizes. The
dialects are: SNMP1v1, SNMPv2C, and SNMPv3.
NN47215-505 (323165-B) 02.01 Standard
.
Item Description
Authenticati
on Protocols
Supported
The registration point for standards-track authentication
protocols used in SNMP Management Frameworks.
The registration points are: None, HMAC MD5, and
HMAC SHA.
ATTENTION
The Ethernet Routing Switch 2500 Series supports
only the MD5 authentication protocol.
Private
Protocols
Supported
The registration point for standards-track privacy
protocols used in SNMP Management Frameworks.
The registration points are: None, CBC-DES, AES or
3DES.
ATTENTION
The Ethernet Routing Switch 2500 Series does not
support privacy protocols.
Table 90 "SNMPv3 Counters section elds" (page 192) describes
the elds on the SNMPv3 Counters section of the SNMPv3 System
Information page.
Table 90
SNMPv3 Counters section elds
Item Description
Unavailable
Contexts
The total number of packets dropped by the SNMP
engine because the context contained in the message
is unavailable.
Unknown
Contexts
engine because the context contained in the message
is unknown.
Unsupported
Security
Levels
engine because they requested a security level that is
unknown to the SNMP engine or otherwise unavailable.
Not in Time
Windows
engine because they appeared outside of the
authoritative SNMP window of the engine.
NN47215-505 (323165-B) 02.01 Standard
.
Item Description
Unknown User
Names
engine because they referenced an unknown user.
Unknown
Engine IDs
engine because they referenced an snmpEngineID that
is not known to the SNMP engine.
Wrong Digests The total number of packets dropped by the SNMP
engine because they did not contain the expected
digest value.
Decryption
Errors
engine because they could not be decrypted.
End
Conguring user access to SNMPv3
You can view a table of all current SNMPv3 user security information such
as authentication/privacy protocols in use, and create or delete SNMPv3
system user congurations.
Creating an SNMPv3 system user conguration
To create an SNMPv3 system user conguration, use the following
procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv3 > User
Specication.
The User Specication page appears.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 68
User Specication page
describes the items on the User Specication Table section of the
User Specication page.
Table 91
User Specication Table section items
Item and MIB
association
Description
Deletes the row.
User Name(usmUser
SecurityName)
The name of an existing SNMPv3 user.
Authentication
Protocol(usmUser
AuthProtocol)
Indicates whether the message sent on behalf of this user to/from the
SNMP engine identified by the UserEngineID can be authenticated
by the MD5 authentication protocol.
NN47215-505 (323165-B) 02.01 Standard
.
Item and MIB
association
Description
Private Protocol(usmUser
PrivProtocol)
Displays whether or not messages sent on behalf of this user to or
from the SNMP engine identified by the usmUserEngineID can be
protected from disclosure, and if so, the type of privacy protocol
which is used.
Entry Storage The current storage type for this row. If Volatile is displayed,
information is dropped (lost) when you turn off the power. If
nonvolatile is displayed, information is saved in NVRAM when you
turn off the power.
The following table describes the items on the User Specication
Creation section of the User Specication page.
Table 92
User Specication Creation section items
Item and MIB
association
Range Description
User Name 1..32 Type a string of characters to create an identity
for the user.
Authentication
Protocol(usmUser
AuthProtocol)
None
MD5
SHA
Choose whether or not the message sent
on behalf of this user to/from the SNMP
engine identified by the UserEngineID can be
authenticated with the MD5 or SHA protocol.
Authentication
Passphrase(usm
UserAuthPassword)
1..32 Type a string of characters to create a
passphrase to use in conjunction with the
authorization protocol.
Privacy Protocol (1) None
(2) DES
(3) 3DES
(4) AES
Choose the privacy protocol you want to use.
Privacy Passphrase X..XX Type a string of characters to create a
passphrase to use in conjunction with the privacy
protocol.
The alphanumeric string must be at least 8
characters long.
Type an alphanumeric
string of minimum
8 charactersEntry
Storage(usmUser
StorageType)
(1) Volatile
(2) Non-Volatile
Choose your storage preference. Selecting
Volatile requests information to be dropped
(lost) when you turn off the power. Selecting
Non-Volatile requests information to be saved in
NVRAM when you turn off the power.
2 In the User Specication Creation section, type the required
information in the text boxes or select from a list.
NN47215-505 (323165-B) 02.01 Standard
.
3 Click Submit.
The new conguration is displayed in the User Specication Table
(Table 91 "User Specication Table section items" (page 194)).
End
Deleting an SNMPv3 system user conguration
To delete an existing SNMPv3 user conguration, use the following
procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv3 > User
Specication.
The User Specication page appears ().
2 In the User Specication Table, click the Delete icon for the entry
you want to delete.
Click Yes to delete the SNMPv3 user conguration.
Click Cancel to return to the User Specication page without
making changes.
End
Conguring an SNMPv3 system user group membership
You can view a table of existing SNMPv3 group membership congurations
and map or delete an SNMPv3 user to a group conguration.
Mapping an SNMPv3 system user to a group
To map an SNMPv3 system user to a group, use the following procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv3 > Group
Membership.
The Group Membership page appears.
The following gure displays the Group Membership page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 69
Group Membership page
The following table describes the items on the Group Membership
page.
Table 93
Group Membership page items
Item and MIB association Range Description
Deletes the row.
NN47215-505 (323165-B) 02.01 Standard
.
Item and MIB association Range Description
Security Name(vacmSecu
rityTo
GroupStatus)
1..32 Type a string of characters
to create a security name
for the principal that is
mapped by this entry to a
group name.
Security Model(vacmSecu
rityTo
GroupStatus)
(1) SNMPv1
(2) SNMPv2c
(3) USM
Choose the security
model within which the
security name to group
name mapping is valid.
Group Name(vacmGroupN
ame)
1..32 Type a string of characters
to specify the group name.
Entry Storage(vacmSecuri
tyTo
GroupStorageType)
(1) Volatile
(2) Non-Volati
le
Choose your storage
preference. Selecting
Volatile requests
information to be dropped
(lost) when you turn off
the power. Selecting
Non-Volatile requests
information to be saved in
NVRAM when you turn off
the power.
2 In the Group Membership Creation section, type the required
3 Click Submit.
The new entry is displayed in the Group Membership Table (Figure
69 "Group Membership page" (page 197)).
End
Deleting an SNMPv3 group membership conguration
To delete an SNMPv3 group membership conguration, use the following
procedure:
Step Action
Membership.
The Group Membership page appears (Figure 69 "Group
Membership page" (page 197)).
2 In the Group Membership Table, click the Delete icon for the entry
you want to delete.
NN47215-505 (323165-B) 02.01 Standard
.
Click Yes to delete the group membership conguration.
Click Cancel to return to the Group Membership page without
making changes.
ATTENTION
This Group Membership Table section of the Group Membership
page contains hyperlinks to the SNMPv3 User Specication and
Group Access Rights pages. For more information on these pages,
see "Conguring user access to SNMPv3" (page 193) and "Conguring
SNMPv3 group access rights" (page 199) .
End
Conguring SNMPv3 group access rights
You can view a table of existing SNMPv3 group access rights congurations,
and you can create or delete a SNMPv3 system-level access rights for
a group.
Creating an SNMPv3 group access rights conguration
To create a SNMPv3 system-level access right conguration for a group,
Step Action
Access Rights.
The Group Access Rights page appears.
The following gure displays the Group Access Rights page.
NN47215-505 (323165-B) 02.01 Standard
.
Figure 70
Group Access Rights page
The following table describes the items on the Group Access Rights
page.
Table 94
Group Access Rights page items
Item and MIB
association
Range Description
Deletes the row.
Group Name(vacm
AccessToGroup
Status)
1..32 Type a character string to
specify the group name to
which access is granted.
Security Model(vacm
AccessSecurity
Model)l
(1) SNMPv1
(2) SNMPv2c
(3) USM
Choose the security model
to which access is granted.
NN47215-505 (323165-B) 02.01 Standard
.
Item and MIB
association
Range Description
Security Level(vacm
AccessSecurity
Level)
(1) noAuthNoPr
iv
(2) authNoPriv
(3) authPriv
Choose the minimum level
of security required to gain
the access rights allowed to
the group.
Read View(vacm
AccessReadView
Name)
identify the MIB view of
the SNMP context to which
this entry authorizes read
access.
Write View(vacm
AccessWriteView
Name)
identify the MIB view of
the SNMP context to which
this entry authorizes write
access.
Notify View(vacm
AccessNotifyView
Name)
identify the MIB view to
which this entry authorizes
access to notifications.
Entry Storage(vacm
SecurityToGroup
StorageType)
(1) Volatile
(2) Non-
Volatile
Choose your storage
preference. Selecting
Volatile requests information
to be dropped (lost) when
you turn off the power.
Selecting Non-Volatile
requests information to be
saved in NVRAM when you
turn off the power.
2 In the Group Access Creation section, type the required information
in the text boxes or select from a list.
3 Click Submit.
The new entry is displayed in the Group Access Table (Figure 70
"Group Access Rights page" (page 200)).
End
Deleting an SNMPv3 group access rights conguration
To delete an SNMPv3 group access conguration, use the following
procedure:
NN47215-505 (323165-B) 02.01 Standard
.
Step Action
Access Rights.
The Group Access Rights page appears (Figure 70 "Group Access
Rights page" (page 200)).
2 In the Group Access Table, click the Delete icon for the entry you
want to delete.
Click Yes to delete the group access conguration.
Click Cancel to return to the Group Access Rights page without
making changes.
ATTENTION
This Group Access Table section of the Group Access Rights page
contains hyperlinks to the Management Information View page.
End
Conguring an SNMPv3 management information view
You can view a table of existing SNMPv3 management information view
congurations, and you can create or delete SNMPv3 management
information view congurations.
ATTENTION
A view can consist of multiple entries in the table, each with the same view name,
but a different view subtree.
Creating an SNMPv3 management information viewconguration
To create an SNMPv3 management information view conguration, use the
Step Action
1 From the main menu, choose Conguration > SNMPv3 >
Management Info View.
The Management Information View page appears.
NN47215-505 (323165-B) 02.01 Standard
.
The following gure displays the Management Information View
page.
Figure 71
Management Information View page
The following table describes the elds on the Management
Information View page.
NN47215-505 (323165-B) 02.01 Standard
.
Table 95
Management Information View page elds
Fields and MIB
association
Range Description
Deletes the row.
View Name(vacmV
iew
TreeFamilyView
Name)
1..32 Type a character string to create a
name for a family of view subtrees.
View Subtree(vacm
View
TreeFamilySubtree)
X.X.X.X.X...
Type an object identifier (OID)
to specify the MIB subtree
that, when combined with the
corresponding instance of
vacmViewTreeFamilyMask,
defines a family of view subtrees.
ATTENTION
If no OID is entered and
the field is blank, a default
mask value consisting of 1s is
recognized.
View Mask(vacmVi
ew
TreeFamilyMask)
Octet String
(0..16)
Type the bit mask that,
in combination with the
corresponding instance of
vacmViewFamilySubtree, defines a
family of view subtrees.
View Type(vacmVie
w
TreeFamilyType)
(1) Include
(2) Exclude
Choose to include or exclude a
family of view subtrees.
Entry Storage(vacm
Secu-rityToGroupSt
orageType)
(1) Volatile
(2) Non-Vola
tile
Choose your storage preference.
Selecting Volatile requests
information to be dropped (lost)
when you turn off the power.
Selecting Non-Volatile requests
information to be saved in NVRAM
NN47215-505 (323165-B) 02.01 Standard
.
2 In the Management Information Creation section, type the required
3 Click Submit.
The new entry appears in the Management Information Table
(Figure 71 "Management Information View page" (page 203)).
End
Deleting an SNMPv3 management information view conguration
To delete an existing SNMPv3 management information view conguration,
Step Action
Management Info View.
The Management Information page appears (Figure 71
"Management Information View page" (page 203)).
2 In the Management Information Table, click the Delete icon for the
entry you want to delete.
Click Yes to delete the management information view
conguration.
End
Conguring an SNMPv3 system notication entry
You can view a table of existing SNMPv3 system notication congurations,
and you can congure specic SNMPv3 system notication types
with particular message recipients and delete SNMPv3 notication
congurations.
Creating an SNMPv3 system notication conguration
To create an SNMPv3 system notication conguration, use the following
procedure:
NN47215-505 (323165-B) 02.01 Standard
.
Step Action
Notication.
The Notication page appears.
The following gure displays the Notication page.
The following table describes the items on the Notication page.
Table 96
Notication page items
Item and MIB
association
Range Description
Deletes the row.
Notify Name(snmpNo
tify
RowStatus)
1..32 Type a character string to identify
the entry.
NN47215-505 (323165-B) 02.01 Standard
.
Item and MIB
association
Range Description
Notify Tag(snmp
NotifyTag)
1..32 Type a value to use
to select entries in the
snmpTargetAddrTable. Any entry
in the snmpTargetAddrTable
which contains a tag value which
is equal to the value of an instance
of this object is selected. If this
object carries a zero length, no
entries are selected
Notify Type(snmp
NotifyType)
(1) Trap
(2) Inform
Choose the type of notification to
generate.
Entry Storage(snmp
NotifyStorageType)
(1) Volatile
(2) Non-Vol
atile
Choose your storage preference.
Selecting Volatile requests
information to be dropped (lost)
Selecting Non-Volatile requests
information to be saved in NVRAM
2 In the Notication Creation section, type the required information
3 Click Submit.
The new entry is displayed in the Notication Table "Notication
page" (page 206) .
End
ATTENTION
This Notication Table section of the Notication page contains hyperlinks to
the Target Parameter page.
Deleting an SNMPv3 system notication conguration
To delete an SNMPv3 notication conguration, use the following procedure:
Step Action
Notication.
The Notication page appears ("Notication page" (page 206)).
NN47215-505 (323165-B) 02.01 Standard
.
2 In the Notication Table, click the Delete icon for the entry you want
to delete.
Click Yes to delete the notication conguration.
End
Conguring an SNMPv3 management target address
You can view a table of existing SNMPv3 management target congurations,
create SNMPv3 management target address congurations that associate
notications with particular recipients, and delete SNMPv3 target address
congurations.
Creating an SNMPv3 target address conguration
To create an SNMPv3 target address conguration, use the following
procedure:
Step Action
1 From the main menu, choose Conguration > SNMPv3 > Target
Address.
The Target Address page appears.
The following gure displays the Target Address page.
The following table describes the items on the Target Address page.
NN47215-505 (323165-B) 02.01 Standard
.
Table 97
Target Address page items
Item and MIB
association
Range Description
Deletes the row.
Target Name(snmpTarg
etAddrName)
1..32 Type a character string to create
a target name.
Target Address(snmp
TargetAddrT
Address)
XXX.XXX
.XXX.XXX:
XXX
Type a transport address in the
format of an IP address, colon,
and UDP port number.
For example: 10.30.31.99:162.
Target Timeout(snmp
TargetAddrTimeout)
Integer Type the number, in seconds,
to designate as the maximum
time to wait for a response to
an inform notification before
resending theInform notification.
Target Retry
Count(snmpTargetA
ddrRetryCount)
0..255 Type the default number of
retires to be attempted when
a response is not received
for a generated message. An
application can provide its own
retry count, in which case the
value of this object is ignored.
Target Tag
List(snmpTarget
AddrTagList)
1..20 Type the space-separated list of
tag values to be used to select
target addresses for a particular
operation.
Target Parameter
Entry(snmpTarget
Addr)
1..32 Type a numeric string to
identify an entry in the
snmpTargetParamsTable.
The identified entry contains
SNMP parameters to be used
when generated messages are
sent to this transport address.
Entry Storage (1) Volatile
(2) Non-Vol
atile
Choose your storage
preference. Selecting Volatile
requests information to be
dropped (lost) when you turn
off the power. Selecting
Non-Volatile requests
NN47215-505 (323165-B) 02.01 Standard
.
Item and MIB
association
Range Description
information to be saved in
NVRAM when you turn off the
power.
2 In the Target Address Creation section, type the required
3 Click Submit.
The new entry is displayed in the Target Address Table ("Target
Address page" (page 208)).
ATTENTION
This Target Address Table section of the Target Address page contains
hyperlinks to the Target Parameter page.
End
Deleting an SNMPv3 target address conguration
To delete an SNMPv3 target address conguration, use the following
procedure:
Step Action
Address.
The Target Address page appears ("Target Address page" (page
208)).
2 In the Target Address Table, click the Delete icon for the entry you
want to delete.
Click Yes to delete the target address conguration.
End
NN47215-505 (323165-B) 02.01 Standard
.
Conguring an SNMPv3 management target parameter
SNMPv3 management target parameters are used during notication
generation to specify the communication parameters that are used for
exchanges with notication recipients.
You can view a table of existing SNMPv3 target parameter congurations,
create SNMPv3 target parameters that associate notications with particular
recipients, and delete existing SNMPv3 target parameter congurations.
Creating an SNMPv3 target parameter conguration
To create an SNMPv3 target parameter conguration, use the following
procedure:
Step Action
Parameter.
The Target Parameter page appears.
The following gure displays the Target Parameter page.
The following table describes the items on the Target Parameter
page.
Table 98
Target Parameter page items
Deletes the row.
NN47215-505 (323165-B) 02.01 Standard
.
Parameter
Tag(snmpTarget
ParamsRowStatus)
1..32 Type a unique character string to identify the
parameter tag.
Msg Processing
Model(snmpTarget
ParamsMPModel)
(0) SNMPv1
(1) SNMPv2c
(2) SNMPv3 /USM
Choose the message processing model to be
used when generating SNMP messages using
this entry.
Security Name(snmpTarget
ParamsSecuirty
Name)
1..32 Type the principal on whose behalf SNMP
messages are generated using this entry.
Security Level(snmpTarget
ParamsSecuirtyLevel)
(1) noAuthNoPriv
(2) authNoPriv (3)
authPriv
Choose the level of security to be used when
generating SNMP messages using this entry.
Entry Storage(snmpTargetP
aramsStorage
Type)
(1) Volatile
(2) Non-Volatile
Choose your storage preference. Selecting
Volatile requests information to be dropped
(lost) when you turn off the power. Selecting
Non-Volatile requests information to be saved in
NVRAM when you turn off the power.
2 In the Target Parameter Creation section, type the required
3 Click Submit.
The new entry appears in the Target Parameter Table ("Target
Parameter page" (page 211)).
End
Deleting an SNMPv3 target parameter conguration
To delete an SNMPv3 target parameter conguration, use the following
procedure:
Step Action
Parameter.
The Target Parameter page appears ("Target Parameter page"
(page 211)).
2 In the Target Parameter Table, click the Delete icon for the entry
you want to delete.
NN47215-505 (323165-B) 02.01 Standard
.
Click Yes to delete the target parameter conguration.
End
Conguring an SNMP trap receiver
You can congure the IP address and community string for a new SNMP
trap receiver, view a table of existing SNMP trap receiver congurations, or
delete an existing SNMP trap receiver conguration(s).
ATTENTION
The SNMP Trap Receiver Table is an alternative to using the SNMPv3 Target
Table and SNMPv3 Parameter Table. However, only SNMPv1 traps are
congurable using this table.
Creating an SNMP trap receiver conguration
To create an SNMP trap receiver conguration, use the following procedure:
Step Action
1 From the main menu, choose Conguration > SNMP Trap.
The SNMP Trap Receiver page appears.
The following gure displays the SNMP Trap Receiver page.
Figure 72
SNMP Trap Receiver page
The following table describes the elds on the Trap Receiver Table
and Trap Receiver Creation sections of the SNMP Trap Receiver
page.
NN47215-505 (323165-B) 02.01 Standard
.
Table 99
SNMP Trap Receiver page elds
Fields Range Description
Deletes the row.
Trap Receiver
Index
1..4 Choose the number of the trap
receiver to create or modify.
IP Address XXX.XXX.XXX
.XXX
Type the network address for the
SNMP manager that is to receive
the specified trap.
Community 0..32 Type the community string for the
specified trap receiver. Reenter the
community string for the specified
trap receiver to confirm.
2 In the Trap Receiver Creation section, type the required information
3 Click Submit.
The new entry is displayed in the Trap Receiver Table ().
End
Deleting an SNMP trap receiver conguration
To delete SNMP trap receiver congurations, use the following procedure:
Step Action
1 From the main menu, choose Conguration > SNMP Trap
Receiver.
The SNMP Trap Receiver page appears ().
2 In the Trap Receiver Table, click the Delete icon for the entry you
want to delete.
Click Yes to delete the SNMP trap receiver conguration.
NN47215-505 (323165-B) 02.01 Standard
.
End
NN47215-505 (323165-B) 02.01 Standard
.
NN47215-505 (323165-B) 02.01 Standard
.
217
Appendix A
SNMP MIB support
The Ethernet Routing Switch 2500 Series supports an SNMP agent with
industry standard MIBs, as well as private MIB extensions, which ensures
compatibility with existing network management tools. The switch supports
the MIB-II (RFC 1213), Bridge MIB (RFC 1493), and the RMON MIB (RFC
1757), which provide access to detailed management statistics. With
SNMP management, you can congure SNMP traps (on individual ports)
to generate automatically for conditions such as an unauthorized access
attempt or changes in the operating status of a port. Table 100 "SNMP MIB
support" (page 217) lists the supported SNMP MIBs.
Table 100
SNMP MIB support
Application Standard MIBs Proprietary MIBs
S5 Chassis MIB s5cha127.mib
S5 Agent MIB s5age140.mib
RMON rfc1757.mib
MLT rcMLT
SNMPv3 MIBs RFCs 2571, 2572,
2573, 2574, 2575,
2576
MIB2 rfc1213.mib
IF-MIB rfc2233.mib
Etherlike MIB rfc1643.mib
Interface Extension MIB s5ifx100.mib
Switch Bay Secure s5sbs102.mib
System Log MIB bnlog.mib
S5 Autotopology MIB s5emt104.mib
VLAN rcVlan
Entity MIB RFC 2037
NN47215-505 (323165-B) 02.01 Standard
.
218 Appendix A SNMP MIB support
Application Standard MIBs Proprietary MIBs
Spanning Tree RFC1493 Bridge MIB
LLDP-MIB IEEE 802.1ab
Management Agent The SNMP agent is trilingual and supports
exchanges by using SNMPv1, SNMPv2c, and SNMPv3. SNMPv1
communities provide support for SNMPv2c by introducing standards-based
GetBulk retrieval capability. SNMPv3 support provides MD5 and SHA-based
user authentication and message security as well as DES-based message
encryption.
Modules that support MIB are:
Standard MIBs
MIB II (RFC 1213)
Bridge MIB (RFC 1493) and proposed VLAN extensions
802.1Q Bridge MIB
802.1p
Ethernet MIB (RFC 1643)
RMON MIB (RFC 1757)
SMON MIB
High Capacity RMON
Interface MIB (RFC2233)
Entity MIB (RFC2037)
SNMPv3 MIBs (RFC 2271 RFC 2275)
Proprietary MIBs
s5Chassis MIB
s5Agent MIB
Interface Extension MIB
s5 Multi-segment topology MIB
s5 Switch BaySecure MIB
System Log MIB
RapidCity Enterprise MIB
rcDiag (Conversation steering) MIB
rcVLAN MIB
rcMLT MIB
NN47215-505 (323165-B) 02.01 Standard
.
219
SNMP trap support
The Ethernet Routing Switch 2500 Series supports an SNMP agent
with industry standard SNMPv1 traps, as well as private SNMPv1 trap
extensions (Table 101 "Support SNMP traps" (page 219)).
Table 101
Support SNMP traps
Trap name Configurable Sent when
RFC 1215 (industry standard):
linkUp Per port The link state changes to up on a
port.
linkDown Per port The link state changes to down on
a port.
authenticationFailure System wide SNMP authentication failure
occurs.
coldStart Always on The system is powered on.
warmStart Always on The system restarts due to a
management reset.
s5CtrMIB (Nortel proprietary traps):
s5CtrUnitUp Always on A unit is added to an operational
stack.
s5CtrUnitDown Always on A unit is removed from an
operational stack.
s5CtrHotSwap Always on A unit is hot-swapped in an
operational stack.
s5CtrProblem Always on A component or subcomponent
has a problem condition either a
warning, nonfatal, or fatal condition.
s5EtrSbsMacAccess
Violation
Always on A MAC address violation is
detected.
risingAlarm Always on A rising Alarm is fired.
fallingAlarm Always on A falling Alarm is fired.
bsnConfigurationSave
dTo
Nvram
Always on All switch configuration is saved to
NVRAM.
bsnNotifications.6.0 Always on A failed log in on a telnet or console
session occurs.
NN47215-505 (323165-B) 02.01 Standard
.
220
Index
A
access 39, 46
SNMP 176
administrative options
logging on 173
security, conguring
passwords 169
remote dial-in access 172
allowed IP addresses 39
Allowed Source eld 182
AuthCong tab 116
AccessCtrlType eld 117
BrdIndx eld 117
MACIndx eld 117
PortIndx eld 117
SecureList eld 117
authentication 56
authentication traps, enabling 188
AuthStatus tab 119
AuthStatusBrdIndx eld 120
AuthStatusMACIndx eld 120
AuthStatusPortIndx eld 120
CurrentAccessCtrlType eld 121
CurrentActionMode eld 121
CurrentPortSecurStatus eld 121
AuthViolation tab 122
Autotopo-logy Setting eld 190
autotopology, enabling 188
B
BaySecure 80
C
Clear By Ports page 184
cli password command 36
Commu-nity String Setting eld 189
community strings, conguring 188
Community Table dialog box 159
ContextEngineID eld 161
ContextName eld 161
Index eld 160
Name eld 160
SecurityName eld 160
StorageType eld 161
TransportTag eld 161
Console Password Setting page 170
Console/TELNET/Web access conguration
17
conventions, text 11
Current Learning Mode eld 178
customer support 14
D
DA ltering 80
DA Filtering on Intrusion Detected eld 178
DA MAC Address eld 187
DA MAC Filtering page 186
default eapol guest-vlan command 93
default http-port 44
default radius-server command 58
default snmp trap link-status command 69
default snmp-server authentication-trap
command 61
default snmp-server community
command 63
NN47215-505 (323165-B) 02.01 Standard
.
Index 221
default snmp-server contact command 64
default snmp-server host command 76
default snmp-server name command 67
default ssh command 54
default telnet-access command 48
Device Manager 40
E
EAPOL Advance tab for a port
GuestVlanEnabled eld 131
GuestVlanId eld 131
EAPOL Advance tab for ports 129
eapol command 91, 91
EAPOL Diag tab 138
AuthEapLogoffWhileAuthenticated
eld 140
AuthEapLogoffWhileAuthenticating
eld 140
AuthEapStartsWhileAuthenticated
eld 140
AuthEapStartsWhileAuthenticating
eld 140
AuthFailWhileAuthenticating eld 140
AuthReauthsWhileAuthenticated
eld 140
AuthReauthsWhileAuthenticating
eld 140
AuthSuccessWhileAuthenticating
eld 139
AuthTimeoutsWhileAuthenticating
eld 140
BackendAccessChallenges eld 140
BackendAuthFails eld 141
BackendAuthSuccesses eld 141
BackendNonNakResponsesFromSuppli-
cant eld 141
BackendOtherRequestsToSupplicant
eld 141
BackendResponses eld 140
EapLogoffsWhileConnecting eld 139
EntersAuthenticating eld 139
EntersConnecting eld 139
eapol guest-vlan command 93
EAPOL Stats tab 136
EapLengthErrorFramesRx eld 138
EapolFramesRx eld 137
EapolFramesTx Field 137
EapolLogoffFramesRx eld 137
EapolReqFramesTx eld 137
EapolReqIdFramesTx eld 137
EapolRespFramesRx eld 137
EapolRespldFramesRx 137
EapolStartFramesRx eld 137
InvalidEapolFramesRx eld 138
EAPOL tab 110
EAPOL tab for a port 127
EAPOL tab for ports
AdminControlledDirections eld 128
AuthControlledPortControl eld 129
AuthControlledPortStatus eld 128
BackendAuthState eld 128
KeyTxEnabled eld 129
LastEapolFrameSource eld 129
LastEapolFrameVersion eld 129
MaximumRequests eld 129
OperControlledDirections eld 128
PaeState eld 128
PortCapabilities eld 128
PortInitialize eld 128
PortProtocolVersion eld 128
PortReauthenticateNow eld 128
QuietPeriod eld 129
ReAuthenticationEnabled eld 129
ReAuthenticationPeriod eld 129
ServerTimeout 129
SupplicantTimeout eld 129
TransmitPeriod eld 129
EAPoL-based security 21
with Guest VLAN 23
EAPOL-based security 87
Entry eld 180
Entry Storage eld 198, 201, 204
G
General tab 111
AuthCtlPartTime eld 112
AuthSecurityLock eld 112
CurrNodesAllowed eld 114
CurrSecurityLists eld 114
MaxNodesAllowed eld 114
MaxSecurityLists eld 114
NN47215-505 (323165-B) 02.01 Standard
.
222 Index
PortLearnStatus eld 114
PortSecurityStatus eld 114
SecurityAction eld 113
SecurityMode eld 113
SecurityStatus 112
Generate SNMP Trap on Intrusion eld 178
Group Access Right tab
ContextMatch eld 155
ContextPrex eld 155
NotifyViewName eld 156
ReadViewName eld 155
SecurityLevel eld 155
SecurityModel eld 155
StorageType eld 156
WriteViewName eld 155
Group Access Rights page 199
Group Membership page 196
Group Membership tab
GroupName eld 154
StorageType eld 154
Group Name eld 198, 200
Guest VLAN 23
H
HTTP port number change 26
http-port command 44
I
IP 39
IP manager list 39
ipmgr command 40, 42
L
Learn by Ports page 180
logging on 173
Login screen 18
M
MAC Address eld 182, 187
MAC address security 176
allowed source 181
clearing 184
deleting ports 186
learn by ports 180
learning 178
MAC DA 175, 186
ports 184
security list 179
security table 181
MAC Address Security eld 177
MAC Address Security SNMP-Locked
eld 177
MAC address-based network security 21,
21
MAC DA ltering 80, 186
MAC security
DA ltering 80
source-address based 80
mac-security command 81
mac-security command for specic ports 85
mac-security mac-da-lter command 86
mac-security mad-address-table address
command 83, 83, 84, 85
mac-security security-list command 83
Management Information View page 202
management systems 40
Management Target Address table 162
Management target tables 161
MHMA 28
MHSA 33
conguring with CLI 107
MIB View tab
Mask eld 158
StorageType eld 158
Subtree eld 158
Type eld 158
ViewName eld 158
modifying parameters 91
Multiple Host with Multiple Authentication
(MHMA) 28
Multiple Host with Single Authentication 33
N
Name eld 166
New User Name eld 152
no eapol guest-vlan command 93
no ipmgr command 41, 42
no mac-security command 84
NN47215-505 (323165-B) 02.01 Standard
.
Index 223
no mac-security mac-address-table
command 84
no mac-security security-list command 85
no radius-server command 58
no smnp-server command 60
no snmp trap link-status command 68
no snmp-server authentication-trap
command 61
no snmp-server command 72
no snmp-server community command 62
no snmp-server contact command 64
no snmp-server host 76
no snmp-server location command 65
no snmp-server name command 66
no snmp-server view command 74
no ssh command 51
no ssh dsa-auth command 53
no ssh dsa-auth-key command 54
no ssh dsa-host-key command 51
no ssh pass-auth command 53
no telnet-access command 47
no web-server command 56
Non-EAP hosts on EAP-enabled ports 30
Non-EAP MAC RADIUS authentication 32
Notication page 206
Notify Table dialog box 166
StorageType eld 167
Tag eld 166
Type eld 167
Notify View eld 201
P
Partition Port on Intrusion Detected eld 177
Partition Time eld 178
passwords 36
passwords, setting
console 169
Telnet 169
Web 169
Port Conguration page 184
Port List eld 178, 180
Port List page 180
Port Lists page 179
Primary RADIUS Server eld 173
product support 14
R
RADIUS access 36
RADIUS authentication 56
Radius page 172
RADIUS password fallback 20
RADIUS Shared Secret eld 173
RADIUS Timeout Period eld 173
RADIUS-based security 20
radius-server command 57
radius-server password fallback 58
Read View eld 201
read-only access 172
read-write access 172
remote access requirements 44, 44
remote dial-in access, conguring 172
requirements
remote access 44
S
Secondary RADIUS Server eld 173
Security
MAC address-based network security 21
security 36, 39, 46, 56, 80, 87
MAC address-based 176
Security Conguration page 176
Security eld 185
Security Level eld 201
security lists 80
Security Model eld 198, 200
Security Name eld 198
security options 18
Security page 176
Security parameters
General tab
SecurityStatus eld 112
Security Table page 181
security, conguring
passwords 169
Security, Insert AuthCong dialog box 117
AccessCtrlType eld 118
BrdIndx eld 118
MACIndx eld 118
PortIndx eld 118
NN47215-505 (323165-B) 02.01 Standard
.
224 Index
SecureList eld 118
SecurityListIndx eld 116
SecurityListMembers eld 116
Security, Insert SecurityList dialog box 115
SecurityList tab 114
SecurityListIndx eld 115
SecurityListMembers eld 115
show dsa-host-key command 51
show eapol auth-diags interface
command 89, 90
show eapol command 87
show eapol guest-vlan command 94
show http-port command 43
show ipmgr command 39
show mac-security command 80
show radius-server command 56
show snmp-server command 64, 78
show ssh download-auth-key command 50
show ssh global command 49
show ssh session command 50
show telnet-access command 45
SNMP 26
about 188
MAC address security 177
trap receivers
conguring 213
deleting 214
SNMP Graph tab 145
InASNParseErrs eld 146
InBadCommunityNames eld 146
InBadCommunityUses eld 146
InBadValues eld 146
InBadVersions eld 146
InGenErrs eld 147
InGetNexts eld 145
InGetRequests eld 145
InGetResponses eld 145
InNoSuchNames eld 146
Inpkts eld 145
InReadOnlys eld 147
InSetRequests eld 145
InTooBigs eld 146
InTotalReqVars eld 145
InTotalSetVars eld 145
OutBadValues eld 146
OutGenErrs eld 146
OutNoSuchNames eld 146
Outpkts eld 145
OutTooBigs eld 146
OutTraps eld 146
SNMP tab 141, 141
LastUnauthenticatedCommunityString
eld 142
LastUnauthenticatedIpAddress eld 142
TrpRcvrCurEnt eld 142
TrpRcvrMaxEnt eld 142
TrpRcvrNext eld 142
snmp trap link-status command 67
SNMP Trap Receiver page 213
snmp-server authentication-trap
command 60
snmp-server command 59
snmp-server community command 61, 77,
77
snmp-server contact command 64
snmp-server host command 75
snmp-server location command 65
snmp-server name command 66, 79, 79,
79, 79, 79,
snmp-server user command 70
snmp-server view command 73
SNMPv1
about 188
conguring 188
SNMPv1 page 188
SNMPv3 147
about 188
conguring 190
group access rights
conguring 199
deleting 201
group membership
conguring 196
deleting 198
initial login 148
management information views
conguring 202
deleting 205
management target 161
system information, viewing 190
system notication entries
conguring 205
deleting 207
target addresses
NN47215-505 (323165-B) 02.01 Standard
.
Index 225
conguring 208
deleting 210
target parameters 164
conguring 211
deleting 212
user access
conguring 193
deleting 196
User-based Security Model (USM) 149
View-based Access Control Model
(VACM) 152
SNMPv3 user conguration methods 149
source IP addresses 42
ssh command 51
ssh download-auth-key command 54
ssh dsa-auth command 52
ssh pass-auth command 53, 53
ssh port command 53, 53
ssh secure command 52
SSH Sessions tab 124, 125
SSHSessionsIP eld 125
SSH tab 122
DsaAuth eld 123
Enable eld 123
KeyAction eld 123
LoadServerAddr eld 124
PassAuth eld 123
Port eld 123
TftpAction eld 124
TftpResult eld 124
Timeout eld 123
Version eld 123
ssh timeout command 52
support, Nortel 14
switch conguration options
autotopology feature 188
community string settings 188
SNMP trap receivers 213
SNMPv3
group access rights 199
management information views 202
management target addresses 208
management target parameters 211
system information, viewing 190
system notication entries 205
user access 193
user group membership 196
trap mode settings 188
switches supported 11
System Information page 190
T
Target Address page 208
Target Address Table
Name eld 162
Params eld 163
RetryCount eld 162
StorageType eld 163
TAddress eld 162
Taglist eld 163
TDomain eld 162
Timeout eld 162
Target Parameter page 211
Target Params Table
MPModel eld 165
Name eld 165
SecurityLevel eld 166
Storage Type eld 166
technical support 14
Telnet 36, 40, 44, 46
Telnet Password Setting page 170
telnet-access command 46
text conventions 11
TftpFile eld 124
Trap Mode Setting eld 190
Trap Receiver
adding 143
Trap Receivers tab 142
Community eld 143
Indx eld 143
NetAddr eld 143
traps 67
troubleshooting 83
access 39, 44, 56, 80
U
UDP RADIUS Port eld 173
username command 35
USM dialog box 149
AuthProtocol eld 150
EngineID eld 150
NN47215-505 (323165-B) 02.01 Standard
.
226 Index
Name eld 150
PrivProtocol eld 150
StorageType eld 150
USM Insert USM Table dialog box
Cloned User Auth Password eld 152
Cloned User Priv Password eld 152
New User Auth Password eld 152
New User Priv Password eld 152
Priv Protocol eld 152
StorageType eld 152
USM, Insert USM Table dialog box
Auth Protocol eld 152
Clone From User eld 152
V
VACM dialog box 153
VACM tables 153
vacmGroupName eld 155
View Mask eld 204
View Name eld 204
View Subtree eld 204
View Type eld 204
W
Web Password Setting page 170
Web-based management system 40
web-server command 55
Write View eld 201
NN47215-505 (323165-B) 02.01 Standard
.
All Rights Reserved.
Publication: NN47215-505 (323165-B)
Document status: Standard
Document version: 02.01
Document date: 19 November 2007
To provide feedback or report a problem in this document, go to www.nortel.com/feedback
Sourced in Canada, India, and the United States of America
The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design
or components as progress in engineering and manufacturing warrants.
*Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document.
All other trademarks are the property of their respective owners.

2526t PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2526t PDF

Uploaded by

Copyright:

Available Formats

Nortel Ethernet Routing Switch 2500 Series

Security Conguration and

radius-server password fallback

password specifies the new users md5

password specifies the new users

enable enables learning by ports

disable disables learning by ports

<value> is an integer in the range 1 to 32. The default

You might also like