3Com 5112M-TPLS User Manual

ONline 10BASE-T Security Module Installation and Operation Guide
Document Number 17-00392-3
Printed February 1996
Model Number: 5112M-TPLS
3Com Corporation
118 Turnpike Road
U.S.A.
(508) 460-8900
FAX (508) 460-8950

Federal Communications Commission Notice

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case you must correct the interference at your own expense.

Canadian Emissions Requirements

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled "Digital Apparatus", ICES-003 of the Department of Communications.

VDE Class B Compliance

This is to certify that the 5112M-TPLS is shielded against radio interference in accordance with the provisions of Vfg 243/1991.
The German Postal Services have been advised that this equipment is being placed on the market and that they have been given the right to inspect the series for compliance with regulations.
Compliance with applicable regulations depends on the use of shielded cables. The user is responsible for procuring the appropriate cables.

EN55022/CISPR22 Compliance

This equipment conforms to the Class A emissions limits for a digital device as defined by EN55022 (CISPR22).

VCCI Class 1 Compliance

This equipment is in the 1st Class category (information equipment to be used in commercial or industrial areas) and conforms to the standards set by the Voluntary Control Council for Interference by Information Technology Equipment aimed at preventing radio interference in commercial or industrial areas.
Consequently, when the equipment is used in a residential area or in an adjacent area, radio interference may be caused to radio and TV receivers, and so on.
Read the instructions for correct handling.

UK General Approval Statement

The ONcore Switching Hub, ONline System Concentrator, and ONsemble StackSystem Hub are manufactured to the International Safety Standard EN 60950 and are approved in the UK under the General Approval Number NS/G/12345/J/100003 for indirect connection to the public telecommunication network.

Disclaimer

The information in this document is subject to change without notice and should not be construed as a commitment by 3Com Corporation. 3Com Corporation assumes no responsibility for any errors that may appear in this document.

Copyright Statement

© 1996, by 3Com Corporation. Printed in U.S.A. All rights reserved. 3Com is a registered trademark of 3Com Corporation. ONcore is a registered trademark of 3Com Corporation. The information contained herein is the exclusive and confidential property of 3Com Corporation. No part of this manual may be disclosed or reproduced in whole or in part without permission from 3Com Corporation.

Trademarks

Because of the nature of this material, numerous hardware and software products are mentioned by name. In most, if not all cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not our intent to claim these names or trademarks as our own.
Artel, Chipcom, Ethermodem, Galactica, ONcore, ORnet, StarBridge, and TriChannel are registered trademarks of 3Com Corporation.
Chipcom OpenHub, G-Man, LANsentry, MultiProbe, ONdemand, ONline, ONsemble, PowerRing, SL2000, SL3000, SL4000, StackJack, StackSystem, and SwitchCentral are trademarks of 3Com Corporation.
The Chipcom Multichannel Architecture Communications System is registered under U.S. Patent Number 5,301,303.
XNS is a trademark and Ethernet is a registered trademark of Xerox Corporation.
DEC, DECnet, the Digital logo, DELNI, POLYCENTER, VAX, VT100, and VT220 are trademarks of Digital Equipment Corporation.
UNIX is a registered trademark in the U.S.A. and other countries licensed exclusively through X/Open Company, Ltd.
IBM is a registered trademark of International Business Machines.
3ComFacts, Ask 3Com, CardFacts, NetFacts, and CardBoard are service marks of 3Com Corporation.
3Com, LANplex, BoundaryRouting, LanScanner, LinkBuilder, NETBuilder, NETBuilderII, ParallelTasking, ViewBuilder, EtherDisk, EtherLink, EtherLink Plus, EtherLink II, TokenLink, TokenLink Plus, and TokenDisk are registered trademarks of 3Com Corporation.
3ComLaser Library, 3TECH, CacheCard, FDDILink, FMS, NetProbe, SmartAgent, Star-Tek, and Transcend are trademarks of 3Com Corporation.
CompuServe is a registered trademark of CompuServe, Inc.
3Com registered trademarks are registered in the United States, and may or may not be registered in other countries. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Restricted Rights

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Printed on recycled paper.
Contents
How to Use This Guide
  Audience
  Structure of This Guide
  Document Conventions
  Related Documents
  3Com Documents
  Reference Documents
Chapter 1 — Introduction
  The ONline 10BASE-T Security Module
  Theory of Operation
  Application
  ONline Management
Chapter 2 — Designing and Expanding the Network
  Understanding the General Rules
  Basic Network Rules
  LAN Equivalence
  Fiber Backbone, Twisted Pair To-The-Desk
  Fiber Backbone, Twisted Pair To-The-Desk Example
  Twisted Pair Backbone, Twisted Pair To-The-Desk
  Patch Panels
  Redundant Links
Chapter 3 — Installing and Operating the Module
  Precautionary Procedures
  Quick Installation Chart
  Unpacking Procedures
  Setting the Dip Switch
  Installing the Module
  Installing the Cable Tie-Wrap Kit
  Installing the Module
  Configuring the Module
  Port Enable
  Network Assignment
  Port Redundancy
  Link Integrity
  Module Security
  Autopartition Threshold
  Saving Module Configurations
  Reverting Module Configurations
  Showing Module Configurations
  Monitoring the Front Panel
  LED and Network Verification
Chapter 4 — Configuring Security Features
  Quick Reference for Configuring Security
  Configuring Security Features
  Eavesdropping Security
  Intrusion Detection
  Defining Port Security Type
  Defining Port Action on Intrusion
  Configuring Autolearning Mask
  Enabling Ports
  Configuring Autolearning
  Defining a MAC Address Manually
  Downloading the Autolearning Database
  Configuring Security Mode
  Saving Security Configurations
  Reverting Security Configurations
  Showing Security Configurations
  Showing Port Configurations
  Showing Security Autolearn
  Showing Security Intruder List
  Clearing Security Configurations
  Clearing the MAC Address Table
  Clearing the Autolearning Database
  Clearing the Security Intruder List
  Using 3Com MIB Security Variables
  EMM Security SNMP Variables
  Using the Security Module SNMP Variables
Chapter 5 — Troubleshooting
  Troubleshooting
  Troubleshooting Using the Status LEDs
  Troubleshooting Using the Activity LEDs
  Technical Assistance
Appendix A — Specifications
  Electrical Specifications
  Environmental Specifications
  Mechanical Specifications
  General Specifications
  50-Pin Connector and Cable
  Twisted Pair Connectors and Cables
  Twisted Pair Connectors
  Twisted Pair Cables
Appendix B — Technical Support
  On-line Technical Support
  Email Technical Support
  World Wide Web Site
  Support from Your Network Supplier
  Support from 3Com
  Returning Products for Repair
  Accessing the 3Com MIB
  3Com Technical Publications
Index
Figures
  Figure 1-1. ONline 10BASE-T Security Module Application
  Figure 2-1. Sample Configuration Distance Calculation
  Figure 2-2. Unshielded Twisted Pair Network
  Figure 2-3. Redundant Twisted Pair Configuration
  Figure 3-1. Security Module Dip Switch SW1 Location
  Figure 3-2. Attaching the Tie-Wrap Bracket to the Module
  Figure 3-3. Attaching Cables With 90° Connectors
  Figure 3-4. Installing an ONline 10BASE-T Security Module
  Figure 3-5. ONline 10BASE-T Security Module Cable Connection
  Figure 3-6. Security Module Faceplate
  Figure 4-1. Example of Eavesdropping Security
  Figure 4-2. Example of Intrusion Detection
  Figure A-1. 50-Pin Cable Male and Female Connectors
  Figure A-2. RJ-45 Connector Pinouts
Tables
  Table 2-1. Seven Basic Network Rules
  Table 2-2. LAN Product Equivalent Distances
  Table 2-3. Maximum Link Distance on Twisted Pair
  Table 3-1. Procedures for Completing Installation
  Table 3-2. DIP Switch SW1 Network Selection Settings
  Table 3-3. DIP Switch SW1 Security and Link Integrity Settings
  Table 3-4. Interpretation of the Security Module LEDs
  Table 3-5. Network Check Codes
  Table 4-1. Quick Reference for Configuring the Security Module
  Table 5-1. Troubleshooting Using the Port Status LEDs
  Table 5-2. Troubleshooting Using the Activity LEDs
  Table A-1. 50-Pin Cable Pinouts and Port Assignments
How to Use This Guide

This guide tells you how to install and operate the 3Com ONline™ 10BASE-T Security Module (referred to throughout this guide as the Security Module) for the ONline System Concentrator. A configuration section is provided to help you plan your network configuration. This guide also includes information on monitoring the module using an ONline network management module. An appendix explains cabling guidelines and options for this module.

Audience

This guide is intended for the following people at your site:

- Network manager or administrator
- Hardware installer

Structure of This Guide

This guide contains the following chapters:

- Chapter 1, Introduction – Introduces the principal features of the Security Module.
- Chapter 2, Designing and Expanding the Network – Explains examples of possible network configurations using the ONline System Concentrator and the Security Module.
- Chapter 3, Installing and Operating the Module – Provides illustrated procedures for installing the Security Module into the ONline System Concentrator. Also shows front panel LEDs and the DIP switch on the module.
- Chapter 4, Configuring Security Features – Describes the security features and provides the management commands to configure these features. Also provided are the commands to show and clear security configurations.
- Chapter 5, Troubleshooting – Provides help in isolating and correcting problems that may arise during the installation process and during normal operation.
- Appendix A, Specifications – Provides electrical, environmental, and mechanical specifications for the Security Module, plus information on the module's 50-pin Telco connector, RJ-45 connectors, and Twisted Pair cables.
- Appendix B, Technical Support – Lists the various methods for contacting the 3Com technical support organization and for accessing other product support services.
- Index

Document Conventions

The following document conventions are used in this manual:

| Convention | Indicates | Example |
|---|---|---|
| Courier text | User input | In the Agent Information Form, enter MIS in the New Contact field. |
| Courier text | System output | After pressing the Apply button, the system displays the message Transmitting data. |
| Bold command string | Path names | Before you begin, read the readme.txt file located in /usr/snm/agents. |
| Italic text in braces | User-substituted identifiers | Use the following command to show port details: SHOW PORT {slot.all} VERBOSE |
| Capitalized text in plain brackets | Keyboard entry by the user | Type your password and press [ENTER]. |
| Italics | Text emphasis, document titles | Ensure that you press the Apply button after you add the new search parameters. |
| Convention | Indicates | Example |
|---|---|---|
| Note: | A Note. The information is important | Note: Use STP lobe cables for your system. |
| Caution: | A Caution. A condition may damage software or hardware | Caution: Do not put your installation diskettes on a magnetic surface. This may damage the diskettes. |
| Warning: | A Warning. A condition may threaten personal safety | Warning: Wear eye protection when performing these maintenance procedures. |

Related Documents

This section provides information on supporting documentation, including:

- 3Com Documents
- Reference Documents
3Com Documents
The following documents provide additional information on 3Com products:

- 17-Slot ONline System Concentrator Installation and Operation Guide – Explains how to install, operate, and manage the 3Com ONline 17-Slot System Concentrator (Models 5017C-LS and 5017C with load sharing).
- 6-Slot ONline System Concentrator Installation and Operation Guide – Explains how to install, operate, and manage the 3Com ONline 6-Slot System Concentrator.
- ONline Ethernet Management Module Installation and Operation Guide – Describes how to install the ONline Ethernet Network Management Module in the ONline System Concentrator and explains the LEDs on the module faceplate. This guide also provides instructions for connecting a terminal to the module and describes the management commands necessary to perform management tasks on the concentrator and on remote devices.
- ONline Management Commands Guide – Provides an alphabetized reference resource describing all ONline management commands.

For a complete list of 3Com documents, contact your 3Com representative.
Reference Documents
The following documents supply related background information:

- Case, J., Fedor, M., Schoffstall, M., and J. Davin, The Simple Network Management Protocol, RFC 1157, University of Tennessee at Knoxville, Performance Systems International and the MIT Laboratory for Computer Science, May 1990.
- Rose, M., and K. McCloghrie, Structure and Identification of Management Information for TCP/IP-based Internets, RFC 1155, Performance Systems International and Hughes LAN Systems, May 1990.

Introduction

This chapter describes the principal features of the ONline 10BASE-T Security Module.

The ONline 10BASE-T Security Module

The ONline 10BASE-T Security Module is a 12-port IEEE 802.3 repeater module that complies with the 10BASE-T standard. The module is designed for use with the 3Com ONline System Concentrators using unshielded twisted pair wiring. The Security Module provides the following features and benefits:
- Provides jamming security for 12 10BASE-T ports
- Provides security from unauthorized transmissions
- Uses the 3Com ONguard™ technology to secure the network from eavesdropping and intrusions
- Supports up to 150 meter link distances on 22 gauge wire and up to 125 meters on 24 gauge wire (the meter distance on 26 gauge wire varies by cable type)
- Complies fully with the 10BASE-T signaling standard
- Features 'hot swap' capability so that you can install or remove the module without having to power down the concentrator
In addition, the Security Module allows you to disable Link Integrity, which allows the module to be connected to equipment that does not conform to the 10BASE-T standard.
Before installing the Security Module into the ONline System Concentrator, read the ONline System Concentrator Installation and Operation Guide.
Theory of Operation
The Security Module incorporates repeaters and twisted pair transceivers in its hardware:
- Repeaters restore phase and frequency. Repeated signals synchronize to the system clock and enter on the ONline concentrator's TriChannel™ backplane. Outgoing signals from the TriChannel backplane are sent directly to transceivers to be transmitted to twisted pair link segments.
- Transceivers receive and restore amplitude to incoming signals.
Application
Attach the Security Module to a patch or punchdown block using bundled 25-pair or 12-leg hydra cables. This provides connections for the 12 twisted pair ports, as shown in Figure 1-1.
Figure 1-1. ONline 10BASE-T Security Module Application
ONline Management
A master ONline Ethernet Management Module (EMM) at Version 4.0 is capable of managing the Security Module, including the Autolearning feature.
A master ONline Token Ring Management Module (TRMM) at Version 3.0 is capable of managing the Security Module with the exception of the Autolearning feature. You must manually add MAC addresses to a port MAC address table in order for a TRMM to manage the security features of the Security Module. Refer to Chapter 4 for a description of the commands to add MAC addresses to a port MAC address table.

Designing and Expanding the Network

This chapter contains configuration information that will help you to design your network. Install all equipment using only approved cables for proper operation. Refer to Appendix A, Twisted Pair Connectors and Cables, for information on twisted pair connector and cable requirements.
This chapter includes five sections which describe how to configure your network using the ONline System Concentrator and the ONline 10BASE-T Security Module. These sections include:

- Understanding Network Configurations
- Fiber Backbone, Twisted Pair To-The-Desk
- Twisted Pair Backbone, Twisted Pair To-The-Desk
- Patch Panels
- Redundant Links

Understanding the General Rules

As part of your network design, it is important to consider your network size. For instance, is the network (end-to-end) 100 meters, 1000 meters, 4000 meters, or more? What are your plans for expansion? Your answers play a role in how you configure your network. For example, once the network expands beyond a certain size, you need to add a bridge or other internetworking device.
This section describes general rules for configuring an Ethernet network using fiber as the backbone medium. It also provides rules to ensure that your network configuration conforms to distance limitations imposed by Ethernet and networking equipment.
This section includes:

- Basic Network Rules
- LAN Equivalence
Basic Network Rules
This section outlines the basic network rules and 3Com’s recommendations for these rules. For more hardware-specific information on the 10-Port module, refer to Appendix A.
Table 2-1 outlines the seven basic rules to keep in mind when you construct your network.
Table 2-1. Seven Basic Network Rules

| Rule | Definition | Recommendations/Notes |
|---|---|---|
| 1 | If possible, use 10BASE-FB as the backbone medium. | Use 62.5 micron cable to conform with the IEEE 10BASE-F and upcoming ANSI FDDI standards. Use ST-type connectors. |
| 2 | Wire the backbone in a star topology to isolate faults. | Make sure to lay extra fiber cables. The extra cost is small and you will find you need them as your network grows. The star topology conforms to FDDI wiring as well -- just make sure to run at least two fiber strands to every backbone connection. |
| 3 | The maximum Fiber Ethernet network diameter is 4200 meters of fiber cable. | The 4200 meters is the maximum distance between any two transceivers on the network. The 4200 meters does not include the transceiver cable (that is, drop or patch cable) that connects a device with an external transceiver. Transceiver cables can extend up to 50 meters. Thus, total network diameter can be as much as 4300 meters (4200 m + 2 * 50 m) between any two nodes. |
| 4 | Certain LAN devices on the network shrink the maximum Fiber Ethernet network diameter to less than 4200 meters. | Many LAN products delay the signal that goes through them. This is known as equivalent distance. Every microsecond delay reduces the maximum link distance. In fact, every microsecond delay shrinks the network diameter by approximately 200 meters of fiber cable. Table 2-2 lists the Equivalent Distances for other 3Com products. |
| 5 | Assume that one meter of coaxial or twisted pair is equal to one meter of fiber cable. | This is a conservative rule. For example, the actual equivalence is about 1.1 meters of coaxial for every meter of fiber. For simplicity, assume one meter. |
| 6 | The fiber link distances must not exceed the limits imposed by the optical power budget. | In general, on 62.5 micron cable, you can go up to 4000 meters point-to-point using the ONcore or ONline Fiber Modules. If you have poor quality cable or cross many patch panels, you may have to sacrifice some distance. Some older Ethernet fiber optic products are less powerful than ONcore Fiber Module optics. So when connecting to these products, remember that the least powerful device determines the maximum point-to-point distance. |
| 7 | When in doubt, use a bridge. | If you are not certain if you have exceeded allowable network distances, use a bridge to extend the network. |
LAN Equivalence
LAN equivalence is the sum of both the incoming and outgoing module port signals. Different modules, however, have different equivalent distances. Table 2-2 lists the LAN product equivalent distances.
Table 2-2. LAN Product Equivalent Distances

| LAN Product | Equivalent Fiber Distance (meters) |
|---|---|
| ONline 10BASE-T Security Module (5112M-TPLS) | 585 |
| Incoming signal to TP port | 420 |
| Outgoing signal from TP port | 165 |
| ONline Ethernet 10BASE-FB Modules (5104M-FB, 5102M-FBP, 5104M-FBP) | 190 |
| Incoming signal to fiber port | 140 |
| Outgoing signal from fiber port | 50 |
| ONline Ethernet FOIRL Module (5104M-FL) | 560 |
| Incoming signal to fiber port | 330 |
| Outgoing signal from fiber port | 230 |
| ONline Ethernet 10BASE-T Module (5108M-TP) | 585 |
| Incoming signal to TP port | 420 |
| Outgoing signal from TP port | 165 |
| ONline Ethernet 50-Pin Module (5112M-TPL, 5112M-TPPL) | 585 |
| Incoming signal to TP port | 420 |
| Outgoing signal from TP port | 165 |
| ONline Ethernet 24-Port Module (5124M-TPCL) | 585 |
| Incoming signal to TP port | 420 |
| Outgoing signal from TP port | 165 |
| ONline Ethernet Repeater Module (5102M-AUIF) | 800 |
| Incoming signal to AUI port | 600 |
| Outgoing signal from AUI port | 200 |
| ONline Ethernet BNC Module (5106M-BNC) | 900 |
| Incoming signal to BNC port | 450 |
| Outgoing signal from BNC port | 450 |
| ONline Ethernet Transceiver Module (5103M-AUIM) | 0 |
| 3Com 10BASE-FB Star Coupler (9308S-FB) | 180 |
| ORnet Star Coupler (9314S) | 180 |
| IEEE Repeater | 800 |

Fiber Backbone, Twisted Pair To-The-Desk

When you configure a network with unshielded twisted pair cabling to-the-desk and fiber for the backbone, be aware of the following:

- You must add a bridge if you exceed four full repeaters. The four-repeater rule for Ethernet limits the number of 10BASE-T modules between any two transceivers. When traffic goes into a port on any repeater-based module and out the backplane, it counts as a 1/2 repeater. When the traffic goes into the module through one port and out another port on the same or a different module, it counts as one full repeater. Therefore, you must add a bridge if the path from one transceiver to another exceeds the four-repeater rule.
- The equivalent fiber distance for the ONline Ethernet Fiber Modules (see Rule 4) is:
  – 140 meters for signals that externally enter a Fiber Module port
  – 50 meters for signals that internally enter a Fiber Module through the ONline Concentrator backplane
- The equivalent fiber distance for the Security Module (see Rule 4) is:
  – 420 meters for signals that externally enter a Security Module
  – 165 meters for signals that internally enter a Security Module through the ONline System Concentrator backplane

For every pair of Security Modules that a signal goes through, deduct a fiber equivalent distance of 585 meters (420 m + 165 m = 585 m) from the overall allowable network diameter. This is also true if a signal makes a roundtrip through a single Security Module (enters the Security Module through one port and exits another port of the same Security Module). This counts as 585 meters of fiber equivalent distance, and as a full repeater.

Fiber Backbone, Twisted Pair To-The-Desk Example

In the sample configuration shown in Figure 2-1, we determine if the transceivers are within legal Ethernet limits. 22-gauge unshielded twisted pair cable is used to connect 10BASE-T Transceivers to the Security Modules in the concentrators.
Using the sample configuration below, identify the two transceivers that are likely to be the greatest fiber equivalent distance apart. In this case, they are 10BASE-T Transceivers A and B.
Figure 2-1. Sample Configuration Distance Calculation
To determine if your network configuration is legal:
1. Use 4.2 km (4200 m) since this is the maximum network diameter for a pure fiber network (see Rule 3).
2. Calculate the equivalent distances for each concentrator, and subtract the totals from 4200 (refer to Figure 2-1 for details).
3. Subtract all cable lengths between the two transceivers. If the result is greater than zero, the configuration is within legal Ethernet limits (see Rule 5).
For the configuration shown in Figure 2-1 to work, ensure the fiber equivalent distance between transceiver A and transceiver B is less than 4200 meters. As the calculation illustrates, 1560 meters remain for expansion in this configuration.
Do not exceed the distances as defined in Table 2-2 for the link from a Security Module to a 10BASE-T Transceiver.
Table 2-3. Maximum Link Distance on Twisted Pair
Cable Gauge | Supports Link Distances Up To: Normal Squelch
Unshielded Twisted Pair: 10BASE-T |
22 (.6 mm) | 100 m
24 (.5 mm) | 100 m

Twisted Pair Backbone, Twisted Pair To-The-Desk

In constructing a twisted pair backbone, one additional configuration rule must be considered. Ensure there are no more than eight Security Modules in the path between any two transceivers due to Ethernet's four-repeater rule. This is because each Security Module counts as a 1/2 repeater unless the signal goes in one port and out another port of the same module, in which case the module counts as a full repeater.
If you have more than eight Security Modules serially connected, add a bridge. Each bridge creates a subnetwork. Each subnetwork can have its own 420 meter network diameter.
The configuration in Figure 2-2 illustrates a possible unshielded twisted pair network using 22 gauge cable.
Figure 2-2. Unshielded Twisted Pair Network
While there is no fiber in the configuration in Figure 2-2, you can calculate the fiber equivalent distance as follows:
Total link distance: 100 m + 100 m + 100 m + 50 m + 20 m = 370 m
Total equivalent distance of the Security Modules: (4 * 420 m) + (4 * 165 m) = 2340 m
(signal externally enters four Twisted Pair Modules: 4 * 420 m)
(signal enters four Twisted Pair Modules from the backplane: 4 * 165 m)
Total equivalent distance: 370 m + 2340 m = 2710 m
Since the total equivalent distance (2710 m) is less than 4200 meters, this example is a legitimate configuration.

Patch Panels

Patch panels weaken signals that pass through them, thereby reducing achievable link distances. 3Com assumes the use of one patch panel in the 100 meter link distance calculations specified in this manual. However, each additional patch panel in the link reduces the 100 meter link distance by approximately 10 meters.
In the example shown in Figure 2-2, if two patch panels were used between the top right PC and the top right concentrator, you would have to shorten the link distance of 100 meters to 90 meters. This is because the maximum allowable link distance on 22 gauge wire using 10BASE-T signaling with two intervening patch panels is 100 meters minus approximately 10 meters.
Note that a patch panel installed between the bottom right PC and the bottom left concentrator would not affect the link because it is only 20 meters away.
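The distance budget and patch panel rules above, as an added example that is not part of the original manual: a small Python calculator that reproduces the Figure 2-2 result (2710 m used) and checks each link against the patch panel allowance. The class and function names are illustrative, and the assignment of patch panels to particular links is an assumption.

```python
"""Fiber-equivalent distance budget for a path between two transceivers.

Added example. Module figures are the Table 2-2 values quoted in this chapter;
the class and function names are illustrative.
"""
from dataclasses import dataclass
from fractions import Fraction

MAX_DIAMETER_M = 4200        # maximum diameter of a pure fiber network (Rule 3)
MAX_REPEATERS = 4            # Ethernet four-repeater rule
BASE_LINK_M = 100            # 10BASE-T link limit, one patch panel assumed
PATCH_PANEL_PENALTY_M = 10   # approximate loss per additional patch panel

# Equivalent fiber distance in meters, keyed by (module kind, how the signal enters).
EQUIVALENT_M = {
    ("security", "port"): 420,
    ("security", "backplane"): 165,
    ("fiber", "port"): 140,
    ("fiber", "backplane"): 50,
}


@dataclass(frozen=True)
class TwistedPairLink:
    length_m: int
    patch_panels: int = 1    # the 100 m figure already assumes one panel


@dataclass(frozen=True)
class ModulePass:
    kind: str                # "security" or "fiber"
    entry: str               # "port" (external) or "backplane" (internal)


def max_link_length(patch_panels: int) -> int:
    """Longest allowed twisted pair link for a given number of patch panels."""
    return BASE_LINK_M - PATCH_PANEL_PENALTY_M * max(0, patch_panels - 1)


def evaluate_path(links, passes):
    """Return the distance budget, repeater count and rule violations for one path."""
    link_total = sum(link.length_m for link in links)
    module_total = sum(EQUIVALENT_M[(p.kind, p.entry)] for p in passes)
    total = link_total + module_total
    # Each pass between a port and the backplane is half a repeater. A signal
    # that enters and leaves through ports of one module is entered as two
    # passes (420 m + 165 m), which makes it one full repeater.
    repeaters = Fraction(len(passes), 2)

    problems = []
    for number, link in enumerate(links, start=1):
        limit = max_link_length(link.patch_panels)
        if link.length_m > limit:
            problems.append(f"link {number}: {link.length_m} m exceeds {limit} m "
                            f"with {link.patch_panels} patch panels")
    if repeaters > MAX_REPEATERS:
        problems.append(f"{repeaters} repeaters in path: add a bridge")
    if MAX_DIAMETER_M - total <= 0:
        problems.append(f"equivalent distance {total} m uses the whole "
                        f"{MAX_DIAMETER_M} m budget")
    return {
        "link_m": link_total, "module_m": module_total, "total_m": total,
        "remaining_m": MAX_DIAMETER_M - total, "repeaters": repeaters,
        "problems": problems, "legal": not problems,
    }


def figure_2_2_path(top_right_panels=1):
    """The Figure 2-2 path: five links, eight Security Module passes.

    Which link is which is an assumption: the first 100 m link stands for the
    top right PC link and the 20 m link for the bottom right PC link.
    """
    links = [
        TwistedPairLink(100, top_right_panels),
        TwistedPairLink(100), TwistedPairLink(100), TwistedPairLink(50),
        TwistedPairLink(20, 2),   # short link: an extra panel does not matter
    ]
    passes = ([ModulePass("security", "port")] * 4
              + [ModulePass("security", "backplane")] * 4)
    return links, passes


if __name__ == "__main__":
    for panels in (1, 2):
        report = evaluate_path(*figure_2_2_path(panels))
        print(panels, "panel(s):", report["total_m"], "m used,",
              report["remaining_m"], "m left,", report["problems"] or "legal")
```

With two patch panels on the 100 m link the path fails on link length alone, even though the overall budget still has 1490 m to spare.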

Redundant Links

You can implement twisted pair link redundancy between ONline System Concentrators using network management. Figure 2-3 shows an example of a redundant configuration between concentrators using Security Modules.
Figure 2-3. Redundant Twisted Pair Configuration
To set link redundancy between two Security Modules:
1. Connect two links to two ports on the 50-Pin Telco cables between the modules. Use a crossover adapter between each link because the links are designed to be connected to a station's port, not to other concentrator ports.
2. Use the SET PORT {slot.port} MODE REDUNDANT {slot.port} network management command to specify which port is the primary link and which is the backup link.
Note: If the Security Modules are powered down, and powered up without a 3Com network management module present, a network loop could occur. To prevent a potential network failure, set the DIP switch for the backup port to disable.
3. Once link redundancy is configured, a switchover occurs under two conditions: a link failure or a port partition. The switchover occurs when the primary link fails.
4. Once the switchover occurs and the backup link becomes operational, a switchover back to the primary link happens automatically once the problem is resolved.
Note: If you use a Security Module port as a backbone connection, ensure that Security Mode is disabled for the port or it will experience security intrusion attempts.
Refer to the appropriate network management module installation and operation guide for information on setting redundancy between Security Module ports.

Chapter 3. Installing and Operating the Module

This chapter describes the installation procedures and initial setup commands for the ONline 10BASE-T Security Module. For your convenience, a quick installation chart is included.
Note: Read the precautionary procedures before unpacking the module.
The remainder of this chapter describes:
- Setting the DIP Switch
- Installing the Module
- Configuring the Module
- Showing Module Configurations
- Monitoring the Front Panel

Precautionary Procedures

Electrostatic discharge (ESD) can damage static-sensitive devices on circuit boards. Follow these precautions when you handle the Security Module:
- Do not remove the board from its anti-static shielding bag until you are ready to inspect it.
- Handle the board by the faceplate.
- Use proper grounding techniques when you install the Security Module. These techniques include using a foot strap and grounded mat or wearing a grounded static discharge wrist strap. An alternate method is to touch the grounded rack or other source of ground just before you handle the module.

Quick Installation Chart

Table 3-1 outlines the steps necessary to complete the installation of your module. If you are familiar with these instructions, you may want to use this table as a checklist; otherwise, consult the remainder of this chapter.
Table 3-1. Procedures for Completing Installation
Step | Procedure | Reference
1. | Verify that your network complies with the basic rules for network design. | Chapter 2/Designing & Expanding the Network
2. | Unpack the module. | Unpacking Procedures
3. | If you do not have a management module installed in the concentrator, set the DIP switch settings to your specifications. | Setting the DIP Switch
4. | Install the module into a blank slot in the concentrator and tighten the faceplate screws. | Installing the Module
5. | Establish connections from the Security Module to devices or a 10BASE-T transceiver using the appropriate connectors and cabling. | Installing the Module
6. | If you have a management module installed in the concentrator, configure the module using the management commands. | Configuring the Module
7. | Verify LED status for normal operation. | LED and Network Verification
Note: To resolve potential problems, consult the troubleshooting techniques in Chapter 5.

Unpacking Procedures

To unpack your Security Module:
1. Verify that the Security Module is the correct module by matching the model number listed on the side of the shipping carton to the model number you ordered.
Note that the product model number printed on the shipping box differs from the model number on the product. The model number on the shipping box contains the prefix '3C9'.
If the module appears to be damaged, return it to the anti-static shielding bag, repack it in the shipping carton, and contact your local 3Com supplier.
2. Remove the Security Module, in its anti-static bag, from the shipping carton.
3. Remove the module from the anti-static shielding bag and inspect it for damage. Save the package of screws in the carton; you will need them when you attach a cable to the module. Always handle the Security Module by the faceplate, being careful not to touch the components.
Keep the shipping carton and anti-static shielding bag in which your module was shipped in case you want to repackage the module for storage or shipment. Record the serial number of your Security Module. A log for information specific to your modules is provided under the Slot Usage Chart in Appendix B of the ONline System Concentrator Installation and Operation Guide.

Setting the DIP Switch

The Security Module has one 4-switch DIP switch (SW1) located on the module. The functions of the DIP switch settings on the Security Module are ignored if a management module is already installed in the concentrator. For this reason, use management commands, rather than the DIP switch, to configure the module.
If a management module is installed in the concentrator, you may skip this section and proceed to the Installing the Module section later in this chapter.
Figure 3-1 shows the location and default settings of the DIP switch.
Figure 3-1. Security Module DIP Switch SW1 Location
Network selection switches 1 and 2 enable you to select a channel for the module. Switches 1 and 2 are factory set to On. Therefore, the Security Module is initially configured to network 1. To reconfigure the module to a different network, refer to the information in .
Table 3-2. DIP Switch SW1 Network Selection Settings
Switch 1 Setting | Switch 2 Setting | Network Selection
On | On | 1 (default)
Off | On | 2
On | Off | 3
Off | Off | Isolated (module operates independently of the three backplane networks)
Switch 3 (Security) allows you to enable or disable Security mode and enable or disable port mode for all 12 ports on the Security Module. Switch 3 is configured to affect both Security mode and the port mode setting in order to protect your ports in the event the management module fails.
When the Security switch is set to enabled, port mode is set to disabled. Conversely, when the Security switch is set to disabled, port mode is set to enabled.
This dual purpose setting provides maximum security for all ports on the Security Module and also provides you with the flexibility of using the ports as non-secure ports in the event the management module fails. Without management, you may elect to have traffic continue to pass through the non-secure ports. However, your environment may require secure ports at all times. In this situation, you would choose to disable the ports rather than keep them enabled in a non-secure environment.
Switch 4 (Link Integrity) allows you to enable or disable Link Integrity. Table 3-3 lists the functions and default settings for switches 3 and 4.
Table 3-3. DIP Switch SW1 Security and Link Integrity Settings
Switch | Function | Factory Default | Switch Setting: Off | Switch Setting: On
3 (Security) | Enable or disable security and enable or disable port mode for all 12 ports | enable | Security disable/Port enable | Security enable/Port disable
4 (Link Integrity) | Enable or disable link integrity for all 12 ports. | enable | disable | enable
The complete definition of each dip switch function is contained in the Configuring the Module section later in this chapter.

Installing the Module

You do not need to power down the ONline System Concentrator to install the Security Module. You can insert the module while the concentrator is operating (this is called a hot swap).
This section describes:
- Installing the Cable Tie-Wrap Kit
- Installing the Module
Installing the Cable Tie-Wrap Kit
A cable tie-wrap kit is included with the Security Module. If you use a cable connector other than a 180° cable connector (for example, a 90° cable connector), you must secure the cable to the module connector using the tie-wrap kit. 3Com recommends using a 180° cable connector with the Security Module.
If you are using a 180° cable connector with the Security Module, skip this procedure and proceed to the next section, Installing the Module.
Note: Perform the tie-wrap kit installation procedure prior to installing the module into a 3Com ONline System Concentrator.
The tie-wrap kit contains:
- Kit card containing kit part number
- 1 Phillips-head screw
- 1 Tie-wrap bracket
- 3 Tie-wraps
To install the tie-wrap kit:
1. Remove the hex nut from the bottom of the connector located on the module faceplate.
2. Using the Phillips-head screw provided in the tie-wrap kit, attach the tie-wrap bracket to the module (Figure 3-2).
Figure 3-2. Attaching the Tie-Wrap Bracket to the Module
3. Insert the tie-wrap through the opening on the tie-wrap bracket.
4. Connect the 90° cable connector to the module connector using a tie-wrap to secure the cable connector to the module (Figure 3-3).
Figure 3-3. Attaching Cables With 90° Connectors
5. Wrap the tie-wrap around the cable connector to secure the cable connector to the module connector.
Caution: Do not fasten the tie-wrap around the module ejectors.
Installing the Module
To install the Security Module:
1. If you do not have a management module installed in the concentrator, make sure you set the DIP switches properly on the board, if different than the default settings.
A management module is required to configure the security features of the Security Module. Without management, the Security Module functions as a non-secure 10BASE-T module.
2. Locate an open slot in the concentrator. Remove the blank panel on the concentrator to expose a slot for the module.
Insert the module into the board guides at the top and bottom of the slot and slide it into the concentrator by firmly pressing the top and bottom of the faceplate. Make sure the connector is well-seated into the backplane of the concentrator. Figure 3-4 shows the installation of the module.
Figure 3-4. Installing an ONline 10BASE-T Security Module
3. Fasten the spring-loaded screws on the front of the Security Module faceplate to the concentrator with your fingers (do not overtighten).
4. Remove the long screw (if present) from the 50-pin cable. Discard this screw.
5. Remove the two cable-fastening screws from the Security Module shipping carton.
6. Attach the 50-pin cable connector to the 50-pin connector on the front of the module.
7. Install the two screws in the top and bottom screw holes of the 50-pin cable connector to secure the cable to the module connector as shown in Figure 3-5. (Only one of the cable-fastening screws may be installed depending on the angle of the 50-pin cable connector.)
Figure 3-5. ONline 10BASE-T Security Module Cable Connection
8. Attach the other end of the cable to a 10BASE-T Transceiver or a 10BASE-T Adapter Card.
The 50-pin Telco-type connector connects to 12 10BASE-T-compliant ports using a 12-leg hydra cable. This module can be attached using the 12-leg hydra cable to a patch panel or punch-down block, which provides connections for the 12 twisted pair ports.
The next section describes the features you can set for the Security Module.

Configuring the Module

The ONline management modules (EMM, TRMM, and FMM) provide management capabilities for the ONline System Concentrator and its modules. If a management module is already installed, the DIP switch settings on the Security Module are ignored. For this reason, 3Com recommends that you use management commands, rather than the DIP switches, to configure the module and the ports.
When you first install the module and network management is present:
1. The network defaults to isolated mode and the ports are automatically disabled so that unapproved users cannot be added.
2. You must enable the ports you wish to use and set the module to the appropriate network through the management commands.
The following sections describe the management commands to set the above features. Refer to the appropriate ONline management module installation and operation guide and the ONline Management Commands Guide for additional information on available network management features.
Port Enable
You can enable or disable use of the 12 ports on the Security Module. When a port is enabled, it can transmit and receive data onto the network to which the module is assigned. 3Com recommends that you disable all unused ports on the Security Module to prevent network tampering.
Enter the following management command to enable all the ports on the module in slot 3.
ONline> set port 3.all mode enable [ENTER]
Network Assignment
The Security Module is equipped with the technology to work with the ONline System Concentrator's unique TriChannel™ architecture. This feature allows you to assign the module to any of three networks or isolated on the ONline System Concentrator backplane. Refer to the ONline System Concentrator Installation and Operation Guide, Chapter 1, for a discussion of the ONline TriChannel architecture.
Enter the following management command to assign the Security Module in slot 3 to Ethernet network 1.
ONline> set module 3 network ethernet_1 [ENTER]
Port Redundancy
ONline network management allows you to set redundancy between ports. Enter the following management command to set redundancy between ports on the Ethernet module in slot 5.
ONline> set port 5.1 mode redundant 5.2 [ENTER]
Use the MODE NON_REDUNDANT option to turn off redundancy between ports. Recommended redundancy configurations are shown in Chapter 2, Designing and Expanding the Network.
If you set up redundancy between a secure port and a non-secure port (whether on a Security Module port or other module port), a warning message is displayed to terminal management. The warning informs you that this configuration has the potential to automatically cause a change in security when the primary port fails and the secondary port becomes activated.
Link Integrity
In general, enable Link Integrity for the Security Module to conform to the 10BASE-T standard. Disable Link Integrity to connect to older equipment that does not conform to the 10BASE-T standard.
Enable Link Integrity at both ends or disable Link Integrity at both ends of the connection. If one end of the connection is different, the module with Link Integrity enabled reports a Link Integrity error.
If you enable a port and disable Link Integrity, the Status LED for that port is on for 10 seconds and blinks off for 400 msecs to indicate that Link Integrity is disabled.
Enter the following management command to enable Link Integrity for all ports on the Ethernet module in slot 5.
ONline> set port 5.all link_integrity enable [ENTER]
Module Security
The Module Security DIP switch allows you to enable or disable security for the module. 3Com recommends that you leave this switch in its factory default setting (Off). This setting ensures that in the unlikely event of a concurrent failure of both the master management module and concentrator power, the Security Module ports will power up with ports disabled in a concentrator without network management.
Note: When the Security switch is set to enabled, port mode is set to disabled. Conversely, when the Security switch is set to disabled, port mode is set to enabled.
Use the following command to enable security for all of the ports on the Security Module in slot 3.
ONline> set security port 3.all mode enable [ENTER]
Autopartition Threshold
Autopartition threshold tells network management the number of collisions to allow before automatically partitioning a port. The options are 31, 63, 127, and 255. The factory default is 63. The 10BASE-T specification lists a minimum of 31 collisions prior to partition, but 31 collisions can cause ports to partition more frequently than necessary.
The additional options (127 and 255) are for debugging purposes, and therefore not recommended for use in live networks.
Enter the following command to define 127 collisions for the module in slot 3.
ONline> set module 3 autopartition_threshold 127_coll [ENTER]
Saving Module Configurations
After configuring the module and port settings, issue the SAVE MODULE_PORT command from the management module to save the new configuration settings.
ONline> save module_port [ENTER]
Reverting Module Configurations
Issue the REVERT command as shown to return a module to the configuration settings that were in effect as of the last save.
ONline> revert module_port [ENTER]

Showing Module Configurations

You can display status information about the Security Module using the following management commands:
- SHOW MODULE
- SHOW MODULE VERBOSE
- SHOW PORT
- SHOW PORT VERBOSE
The following command displays detailed information about the Security Module in slot 3:
ONline> show module 3 verbose [ENTER]
Slot  Module      Version  Network     General Information
3     5112M-TPLS  001      ETHERNET_1
5112M-TPLS: ONline 10BASE-T Security Module
Network Dip Setting: ETHERNET_1
Auto-partition Threshold: 63 COLLISIONS
The following command displays detailed information for port 1 on a Security Module in slot 12.
ONline> show port 12.1 verbose [ENTER]
Port Display for Module 5112M-TPLS:
Port   Mode      Status        Network     General Information
12.01  DISABLED  LINK FAILURE  ETHERNET_1
Port Alert: ENABLED
Port Connector: TELCO
Mode Dip Setting: ENABLED
Security Dip Setting DISABLED
Link Integrity Dip Setting: ENABLED
The following output is an example of the SHOW PORT ALL VERBOSE command issued for the ports of a Security Module installed in slot 12 (only the output for ports 1, 2, and 3 are shown):
ONline> show port 12.all verbose [ENTER]
Port   Mode      Status        Network   General Information
12.01  DISABLED  LINK FAILURE  ISOLATED
Port Alert Filter: DISABLED
Port Connector: TELCO
Link Integrity: ENABLED
12.02  DISABLED  LINK FAILURE  ISOLATED
Port Alert Filter: DISABLED
Port Connector: TELCO
Link Integrity: ENABLED
12.03  DISABLED  LINK FAILURE  ISOLATED
Port Alert Filter: DISABLED
Port Connector: TELCO
Link Integrity: ENABLED

Monitoring the Front Panel

The Security Module has 12 Activity and 12 Status LEDs on the front panel that indicate the state of the ports. The LEDs allow you to monitor the status of each port. The front panel also contains a Module Status indicator that indicates the state of the module. Figure 3-5 shows the location of the LEDs. Each LED indicates the state of its port as described in Table 3-4.
Figure 3-6. Security Module Faceplate
Table 3-4. Interpretation of the Security Module LEDs
LED Name | Color | State | Indicates
Activity (Ports 1-12) | yellow | Off | No packets are received on the segment.
 | | On | Constant activity on the segment.
 | | Blinking | Normal activity on the segment.
Status (Ports 1-12) | green | Off | Port disabled.
 | | On | Port enabled and link OK or Link Integrity disabled.
 | | 1 blink | Link failure.
 | | 2 blinks | Port partitioned.

LED and Network Verification

Once the module is installed, verify its operation through the front panel of the ONline Controller Module. The Controller Module is equipped with an LED test button on the front panel. Use the LED test button to verify LED operation and verify network assignment.
When you press this button, the Controller Module initiates a test to all modules in the concentrator. All LEDs should respond by lighting continuously for approximately five seconds. Any LED that does not light is defective.
After the five seconds elapse, the diagnostic continues with a network check of all modules. Each Status LED should respond by blinking the number of times to correspond with the network to which the module is assigned. The network check sequence repeats five times. If a module is in isolated mode, the Status LEDs on the module remain off. The Activity LED remains on during the network check sequence. This test does not disrupt network operation. Table 3-5 explains the network check codes.
Table 3-5. Network Check Codes
LED State | Network Configuration
1 Blink | Module is configured for network 1
2 Blinks | Module is configured for network 2
3 Blinks | Module is configured for network 3
Off | Isolated (module operates independent of any network)

Chapter 4. Configuring Security Features

This chapter describes the security features of the ONline 10BASE-T Security Module and includes the management commands necessary to configure and monitor security functionality.
A master EMM at Version 4.0 is required to manage the features of the Security Module, including Autolearning. A master TRMM at Version 3.0 is required to manage the features of the Security Module with the exception of the Autolearning Feature. You must manually add MAC addresses to a port MAC address table in order for a TRMM to manage the security features of the Security Module. Refer to the section, Defining a MAC Address Manually, for a description of the command to add MAC addresses to a port MAC address table.
The remainder of this chapter describes:
- Configuring Security Features
- Showing Security Configurations
- Clearing Security Configurations
- Using the 3Com MIB Security Variables

Quick Reference for Configuring Security

Table 4-1 outlines the steps necessary to configure the security features of your module. These procedures and command examples are explained further throughout this chapter. If you are familiar with these instructions, you may want to use this table as a checklist.
Table 4-1. Quick Reference for Configuring the Security Module
Procedure | Command
1. Disable Autolearning Mask to allow the EMM to Autolearn MAC addresses for ports. (Enabling Autolearning Mask prevents the EMM from learning a port's associated MAC addresses.) | SET SECURITY AUTOLEARN MASK
2. Disable Security Mode to allow the EMM to Autolearn MAC addresses for ports. | SET SECURITY PORT MODE
3. Enable the ports to allow traffic to pass through the network so the EMM can learn which MAC addresses are associated with which ports. (You must enable ports in order for Autolearning to run.) | SET PORT MODE
4. Initiate Autolearning to enable the EMM to automatically learn the valid MAC addresses associated with a port. | SET SECURITY AUTOLEARN CAPTURE
5. Download the learned MAC addresses from the Autolearning database to the port MAC address table. | SET SECURITY AUTOLEARN DOWNLOAD
TRMM Note: The TRMM does not support Autolearning. Therefore, if you are using a TRMM to manage the Security Module, you must manually add MAC addresses to a port MAC address table. | SET SECURITY PORT MAC_ADDRESS
6. Define the Security type: Eavesdropping_only, Intrusion_only, or Full. Note: Security Mode is automatically enabled when you issue the SET SECURITY PORT SECURITY_TYPE command. | SET SECURITY PORT SECURITY_TYPE
7. Define the corrective action the EMM is to take upon a Security Intrusion attempt. | SET SECURITY PORT ACTION_ON_INTRUSION (only necessary if Security Type is set to Intrusion_Only or Full)
8. Save Security configuration values. | SAVE SECURITY

Configuring Security Features

This section describes the security features of the Security Module, including Eavesdropping Security and Intrusion Detection. Included in this section are the features you must configure to enable security on the module:
- Define port security type
- Define port action on intrusion
- Configure Autolearning Mask
- Enable ports
- Configure autolearning
- Download the Autolearning database
Security configurations from the Security Module are automatically uploaded to a newly elected master management module or installation of a new master management module. This automatic uploading feature ensures that the Security Module configurations are always retained and eliminates the need for you to reconfigure the new master.
Note: If you issue security commands (with the exception of MAC address settings) specifying the 'all' option, all Security Module ports in the concentrator are affected by the command. If you are running an Advanced EMM, all other Ethernet modules in the concentrator that support security are also affected.
Eavesdropping Security
Eavesdropping security is a port jamming feature that prevents users from accessing data transmitted to other users on the network. This type of security:
- Allows the Security Module to deliver packets only to the end station to which a packet is addressed.
- Prohibits unauthorized end stations from listening (eavesdropping) on packets that are not specifically addressed to them.
If a port receives a packet (from the ONline backplane) that is not targeted to any of the valid addresses associated with that port, the Security Module does not allow that packet to be delivered intact to the end station. Instead of delivering valid data to an unauthorized port, the module 'jams' the data by transmitting to the unauthorized port a data pattern of alternating zeros and ones.
Figure 4-1. Example of Eavesdropping Security
Intrusion Detection
Intrusion Detection allows the Security Module to prevent delivery of packets transmitted from unauthorized stations on the network. If a port receives a packet from its end station which contains an invalid source address, the module forces a collision. The collision prevents intruding end stations from gaining access to a port and transmitting unauthorized data over the network.
Figure 4-2 illustrates an example of an Intrusion Detection configuration.
Figure 4-2. Example of Intrusion Detection
Defining Port Security Type
You must define a security type for each port on the Security Module. Issue the following command to configure the security type 'full' for all ports on the Security Module in slot 3.
ONline> set security port 3.all security_type full [ENTER]
You may elect to configure ports for Eavesdropping Security only, Intrusion only, or Full (which includes both Eavesdropping and Intrusion). The default setting for Security Type is Full.
Security Mode is automatically enabled when you issue the SET SECURITY PORT SECURITY_TYPE command.
Security Type is automatically configured to Full (which includes both Eavesdropping and Intrusion security) when you issue the SET SECURITY PORT MODE ENABLE command.
Note: Security mode must be disabled in order for the EMM to Autolearn MAC addresses for ports that have Security Type configured for Intrusion_only or Full. If Security Mode is not disabled for each port that is configured for Intrusion Security:
– MAC addresses are not Autolearned
– The ports report an intrusion
Defining Port Action on Intrusion
An additional feature of Intrusion Detection provides you with the ability to define on a per-port basis the corrective action a management module is to take when a Security Module port experiences a security intrusion attempt. Each option provides Intrusion Detection and data collision on the intruding packet. You may elect to have the management module perform one of the following actions:
• Disable the port and send a trap (disable_and_trap)
• Only disable the port (disable_only)
• No management action (no_action)
• Only send a trap to stations defined in the management module's community table (trap_only)
Issue the following command to define disable_and_trap as the corrective action a management module will take upon a security Intrusion attempt for all ports on the module in slot 3.
ONline> set security port 3.all action_on_intrusion disable_and_trap [ENTER]
The default setting for action_on_intrusion is disable_and_trap.
Note: For a security intrusion attempt to be logged into the Intruder list, you must configure the action_on_intrusion setting for either disable_and_trap or trap_only. Both settings allow a trap to be sent upon an intrusion, which also logs an entry into the Intruder list.
Configuring Autolearning Mask
Autolearning Mask:
• Allows or prevents a port's MAC addresses from being learned by the EMM during Autolearning.
• Determines if the EMM is allowed or prevented from downloading learned MAC addresses to the ports.
The Autolearn Mask command either allows (disable the mask) or prevents (enable the mask) the EMM from learning or downloading MAC addresses for ports.
Issue the following command to allow the EMM to learn MAC addresses during Autolearning for all ports on the Security Module in slot 3.
ONline> set security autolearn 3.all mask disable [ENTER]
Enabling Ports
For an EMM to learn MAC addresses for ports through Autolearning, the ports must be enabled (at some point) to allow network traffic to pass through. Therefore, ensure that ports are enabled prior to initiating Autolearning. Note that Autolearning will run on a disabled port; however, no MAC addresses will be learned.
Issue the following command to enable all the ports on the Security Module in slot 3.
ONline> set port 3.all mode enable [ENTER]
Configuring Autolearning
Autolearning uses the network monitoring features of the EMM to provide a mechanism which:
• Learns the MAC addresses of the stations that have been sending packets to the EMM network
• Continuously monitors network activity
An EMM at Version 4.0 is required to configure Autolearning. Once the Autolearning capture process begins, the EMM takes an instantaneous 'snapshot' of the MAC addresses that have passed through the specified ports. These addresses are stored in the Autolearning database.
Issue the following command to initiate Autolearning capture for all ports on the Security Module in slot 3.
ONline> set security autolearn 3.all capture [ENTER]
The following steps are initiated once the Autolearn Capture command is issued:
1. The Autolearning database (the storage area for learned MAC addresses) is cleared.
2. All of the MAC addresses observed on the specified ports are entered into the Autolearning database.
3. The entries from the specified ports' MAC address table are copied into the Autolearning database.
4. The result of this copy is a combination of the existing MAC addresses associated with a port, and the MAC addresses recently learned. (Remember that a port must have its Autolearning Mask disabled in order for MAC addresses to be learned.)
5. If MAC addresses for the specified ports currently exist in the Autolearning database, the following message is displayed when the Autolearn Capture command is issued:
Note: overwriting previously autolearned addresses.
If no MAC addresses were learned for the specified ports, then the following message is displayed:
Autolearn capture done; learned 0 addresses total.
6. Upon completion of Autolearning, the following message is displayed:
Autolearn capture done; learned x addresses total.
(where x indicates the total number of addresses now stored in the Autolearning Database)
The stored MAC addresses are now ready to be downloaded to the Security Module ports. Refer to the section, Downloading the Autolearning Database, further in this chapter.
Note: Security Mode must be disabled in order for the EMM to Autolearn MAC addresses for ports that are configured for Security Types Intrusion_only or Full. If Security mode is not disabled for each port that is configured for Intrusion Security:
– MAC addresses will not be Autolearned
– The ports will report an intrusion
Defining a MAC Address Manually
The Security Module provides you with the flexibility of manually adding MAC addresses into a port's MAC address table, and into the Autolearning Database. You may use this feature to add one or more MAC addresses to a port MAC address table instead of Autolearning a port's associated MAC addresses.
Note: If you are using a TRMM to manage the Security Module, you must use this command in order to add MAC addresses to a port MAC address table. (The TRMM does not support Autolearning.)
For example, once Autolearning Capture has completed and the MAC addresses are downloaded, a new station may be added to the network. You can add the new station's MAC address to a port's MAC address table using the SET SECURITY PORT MAC_ADDRESS command.
Issue the following command to add the MAC address 08-54-6f-01-32-08 to the MAC address table for port 1 on the module in slot 3.
ONline> set security port 3.1 mac_address 08-54-6f-01-32-08 [ENTER]
Note: MAC addresses 00-00-00-00-00-00 and FF-FF-FF-FF-FF-FF are invalid.
Use the following command to add the MAC address 08-54-6f-01-32-08 into the Autolearning database. This command specifies that port 1 on the Security Module in slot 3 is associated with the MAC address 08-54-6f-01-32-08.
ONline> set security autolearn 3.1 mac_address 08-54-6f-01-32-08 [ENTER]
Downloading the Autolearning Database
You must download the contents of the Autolearning database to the Security Module ports in order for the MAC Addresses to be associated with the ports. When Autolearning Capture is complete, download the Autolearning database to initiate port security. Depending on the amount of network traffic transmitted to the Security Module ports, you may elect to defer the Autolearn download for a day, several days, or a week. Waiting to download the captured MAC addresses allows all of a port's associated MAC addresses to be entered into the Autolearning database.
The Autolearning database for an EMM can contain a maximum of 360 MAC addresses. The Autolearning database for a TRMM can contain a maximum of 400 MAC addresses.
Since a maximum of four MAC addresses can be associated with one port, only four MAC addresses are downloaded. The four MAC addresses with the lowest alpha-numerical values are downloaded from the Autolearning database to a Security Module port.
Issue the following command to download the Autolearning database to port 1 on the Security Module in slot 3.
ONline> set security autolearn 3.1 download [ENTER]
If MAC addresses for the specified port currently exist in the port MAC address table, the following message is displayed when the Autolearn Download command is issued:
Note: overwriting existing addresses in the Security database.
The following message is displayed upon completion of the Autolearn Download command (where y indicates the total number of addresses copied to the port's MAC address table):
Autolearn download done; downloaded y addresses total.
If a port has more than four MAC addresses in the Autolearning database at the time of the download, the following message displays upon completion of the Autolearn Download command:
Note: at least one autolearned address was skipped because the port with which it is associated has more than 4 autolearned addresses.
If any MAC address was skipped because the concentrator limit was reached, the following message displays upon completion of the Autolearn Download command:
Note: the number of autolearned addresses exceeds the concentrator limit. Only the first X addresses (as ordered by slot, port, and addr) were downloaded.
Where x indicates 360 MAC addresses for an EMM or 400 MAC addresses for TRMM.
Configuring Security Mode
The Security Module provides you with the flexibility of manually enabling or disabling Security Mode for ports. Security Mode is enabled automatically for the ports specified in the SET SECURITY PORT SECURITY_TYPE command.
Issue the following command to enable security for all ports on the Security Module in slot 3.
ONline> set security port 3.all mode enable [ENTER]
Security Type is automatically configured to Full (which includes both Eavesdropping and Intrusion security) when you issue the SET SECURITY PORT MODE ENABLE command.
You may enable Security mode for a port that does not have secure MAC addresses associated with it. However, each packet received by a port will have an invalid MAC address assigned and will therefore be treated as an intrusion.
Note that Security Mode must be disabled in order for the EMM to Autolearn MAC addresses for ports that are configured for Security Types Intrusion or Full. If Security mode is not disabled for each port that is configured for Intrusion Security:
• MAC addresses will not be Autolearned
• The port(s) will report an intrusion. (An intrusion is only reported if a port Action_on_intrusion setting is configured to either Disable_and_trap or Trap_only.)
Saving Security Configurations
The SAVE SECURITY command saves all security information for each port on every Security Module, and on every Ethernet module in the concentrator. Issue the following command to save security configurations and make the information permanent.
ONline> save security [ENTER]
Reverting Security Configurations
The REVERT SECURITY command reverts all security information for all ports on all Security Modules, and on all Ethernet modules in the concentrator to their previously saved settings. Issue the following command to revert security configurations.
ONline> revert security [ENTER]

Showing Security Configurations

The Security Module provides several SHOW commands that display:
• Port security configurations for a single port, all ports on a Security Module, or all ports on all Security Modules in a concentrator
• Entries in the Autolearning database
• All entries in the Security Intruder list
The SHOW commands to display this information are described in the following sections.
Showing Port Configurations
You can display information about the Security Module ports using the SHOW PORT SECURITY command. The following command displays:
All of the addresses (up to four per-port) for a single port
or – All 12 ports on a Security Module
or – All ports on all Security Modules in a concentrator
The command example shown displays security information for all ports on the Security Module in slot 17.
ONline> show security port 17.all [ENTER]
Security Display for Module 5112M-TPLS in Slot 17:
Port   Mode       MAC Addresses      General Information
17.01  DISABLED   17-01-01-01-01-01  ETHERNET_1
17.02  EAVESDROP  NONE               ETHERNET_1
17.03  INTRUSION  01-02-03-04-05-06  ETHERNET_1
                  01-02-03-04-05-07
17.04  FULL       NONE               ETHERNET_1
17.05  FULL       NONE               ETHERNET_1
17.06  FULL       NONE               ETHERNET_1
17.07  FULL       NONE               ETHERNET_1
17.08  FULL       03-02-01-00-09-08  ETHERNET_1
                  03-02-01-00-09-09
                  03-02-01-00-09-0a
17.09  FULL       NONE               ETHERNET_1
17.10  FULL       NONE               ETHERNET_1
17.11  FULL       NONE               ETHERNET_1
17.12  DISABLED   NONE               ETHERNET_1
The command example shown displays all security information, including configuration settings, for all ports on the Security Module in slot 17 (only 6 of the 12 ports are shown).
ONline> show security port 17.all verbose [ENTER]
Security Display for Module 5112M-TPLS in Slot 17:
Port   Mode       MAC Addresses      General Information
17.01  DISABLED   17-01-01-01-01-01  ETHERNET_1
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: ENABLED
17.02  EAVESDROP  NONE               ETHERNET_1
       Port Action On Intrusion: DISABLE_ONLY
       Autolearn Mask: DISABLED
17.03  INTRUSION  01-02-03-04-05-06  ETHERNET_1
                  01-02-03-04-05-07
       Port Action On Intrusion: TRAP_ONLY
       Autolearn Mask: DISABLED
17.04  FULL       NONE               ETHERNET_1
       Port Action On Intrusion: NO_ACTION
       Autolearn Mask: DISABLED
17.05  FULL       NONE               ETHERNET_1
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: DISABLED
17.06  FULL       03-02-01-00-09-08  ETHERNET_1
                  03-02-01-00-09-09
                  03-02-01-00-09-0a
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: DISABLED
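An added example (not part of the original guide or of 3Com software): a Python check over the verbose display above that flags the port states this chapter warns about, namely security enabled with no MAC address and an intrusion action that sends no trap. The text layout of the sample and the function and finding names are assumptions made for this illustration.

```python
import re

# Constructed sample: the six ports of the verbose display on this page,
# retyped one field group per line. The column layout is an assumption.
SAMPLE = """\
Port   Mode       MAC Addresses      General Information
17.01  DISABLED   17-01-01-01-01-01  ETHERNET_1
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: ENABLED
17.02  EAVESDROP  NONE               ETHERNET_1
       Port Action On Intrusion: DISABLE_ONLY
       Autolearn Mask: DISABLED
17.03  INTRUSION  01-02-03-04-05-06  ETHERNET_1
                  01-02-03-04-05-07
       Port Action On Intrusion: TRAP_ONLY
       Autolearn Mask: DISABLED
17.04  FULL       NONE               ETHERNET_1
       Port Action On Intrusion: NO_ACTION
       Autolearn Mask: DISABLED
17.05  FULL       NONE               ETHERNET_1
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: DISABLED
17.06  FULL       03-02-01-00-09-08  ETHERNET_1
                  03-02-01-00-09-09
                  03-02-01-00-09-0a
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask: DISABLED
"""

PORT_RE = re.compile(
    r"^(\d+\.\d+)\s+(DISABLED|EAVESDROP|INTRUSION|FULL)\s+(\S+)\s+(\S+)$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$", re.IGNORECASE)
ATTR_RE = re.compile(r"^(Port Action On Intrusion|Autolearn Mask):\s*(\S+)$")

# Hypothetical finding codes, each tied to a statement in this chapter.
EXPLAIN = {
    "SECURITY_DISABLED": "Security Mode is disabled on this port",
    "NO_MAC": "security enabled with no MAC address; any attached "
              "end station is deemed unauthorized",
    "UNLOGGED_INTRUSION": "action sends no trap, so intrusions are not "
                          "logged in the Intruder list",
}


def parse_display(text):
    """Turn the display text into one dict per port."""
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        match = PORT_RE.match(line)
        if match:
            port_id, mode, first_mac, network = match.groups()
            macs = [] if first_mac == "NONE" else [first_mac.lower()]
            ports.append({"port": port_id, "mode": mode, "macs": macs,
                          "network": network, "action": None, "mask": None})
        elif ports and MAC_RE.match(line):
            # Continuation line: a further MAC address for the same port.
            ports[-1]["macs"].append(line.lower())
        elif ports and (attr := ATTR_RE.match(line)):
            key = "action" if attr.group(1).startswith("Port") else "mask"
            ports[-1][key] = attr.group(2)
    return ports


def audit(ports):
    """Return (port, finding code) pairs in display order."""
    findings = []
    for p in ports:
        if p["mode"] == "DISABLED":
            findings.append((p["port"], "SECURITY_DISABLED"))
            continue
        if not p["macs"]:
            findings.append((p["port"], "NO_MAC"))
        if (p["mode"] in ("INTRUSION", "FULL")
                and p["action"] in ("DISABLE_ONLY", "NO_ACTION")):
            findings.append((p["port"], "UNLOGGED_INTRUSION"))
    return findings


if __name__ == "__main__":
    for port, code in audit(parse_display(SAMPLE)):
        print(f"{port}  {code}: {EXPLAIN[code]}")
```
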
Showing Security Autolearn
The SHOW SECURITY AUTOLEARN command displays all of the MAC addresses that have been learned and stored in the Autolearning database. Only entries for ports specified in the command are displayed. An additional message is provided if any port has more than four entries, or if the concentrator limit has been exceeded.
To display all associated MAC addresses for the ports on the Security Module in slot 17, issue the following command.
ONline> show security autolearn 17.all [ENTER]
Autolearned Addresses for Module 5112M-TPLS in Slot 17:
Port   MAC Address(s)
17.01  01-01-01-01-01-01
17.06  08-00-8f-01-02-03
       08-00-8f-02-03-04
       08-00-8f-04-05-06
       08-00-8f-05-06-07
       08-00-8f-06-07-08 *
       08-01-01-01-01-01 *
17.09  09-00-8c-09-09-09
       09-00-8c-09-09-0a
17.12  12-00-01-12-12-12
Note: at least one port on this module has more than 4 security addresses autolearned for it. Only the first 4 addresses per port (as ordered by MAC address) will be downloaded; extraneous address are marked in the display above with an asterisk.
A single asterisk (*) marks entries for a port that exceeds the maximum of four MAC addresses per port.
If the number of MAC addresses learned exceeds the concentrator limit, the following message is displayed:
Note: The number of autolearned addresses exceeds the concentrator limit. Only the first x addresses (as ordered by slot, port, and addr) will be downloaded. Extraneous addresses are marked with a double asterisk.
A double asterisk (**) marks entries that have exceeded the EMM capacity of 360 MAC addresses, or the TRMM capacity of 400 MAC addresses. Entries that exceed the 360 or 400 MAC address maximum (that is, entry 361 and greater or entry 401 or greater) are not downloaded.
If your concentrator is near full capacity, or if you have ports connected to bridges, you may wish to perform two or more Autolearn Captures, which may prevent these ports from exceeding the 360 MAC address limit.
For example, to perform two Autolearn Captures:
1. Initiate an Autolearn Capture specifying only some of the modules and ports.
2. Download this information to the Security Module.
3. Initiate the second Autolearn Capture specifying the remaining modules and ports.
4. Download this information to the Security Module.
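An added example (not from the guide or the EMM software): a Python model of the selection rules given in Downloading the Autolearning Database and in this section, which predicts the addresses a download would skip so that they can be handled before security is enabled. Function names are hypothetical, and checking the concentrator limit before the per-port limit is an assumption; the sample entries are those of the SHOW SECURITY AUTOLEARN display above.

```python
import re
from collections import defaultdict

PER_PORT_LIMIT = 4                              # addresses per port (guide)
CONCENTRATOR_LIMIT = {"EMM": 360, "TRMM": 400}  # database capacity (guide)
INVALID = {"00-00-00-00-00-00", "ff-ff-ff-ff-ff-ff"}  # invalid per the guide
MAC_RE = re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}")

# Entries from the autolearn display on this page: (slot, port, MAC address).
SAMPLE = [
    (17, 1, "01-01-01-01-01-01"),
    (17, 6, "08-00-8f-01-02-03"),
    (17, 6, "08-00-8f-02-03-04"),
    (17, 6, "08-00-8f-04-05-06"),
    (17, 6, "08-00-8f-05-06-07"),
    (17, 6, "08-00-8f-06-07-08"),
    (17, 6, "08-01-01-01-01-01"),
    (17, 9, "09-00-8c-09-09-09"),
    (17, 9, "09-00-8c-09-09-0a"),
    (17, 12, "12-00-01-12-12-12"),
]


def normalize(mac):
    """Return the address as lowercase dash-separated hex, or raise."""
    canonical = mac.strip().lower().replace(":", "-")
    if not MAC_RE.fullmatch(canonical) or canonical in INVALID:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return canonical


def plan_download(entries, manager="EMM"):
    """Classify each (slot, port, mac) entry of an Autolearning database.

    Returns (slot, port, mac, marker) tuples ordered by slot, port and
    address. marker is "" when the address would be downloaded, "*" when
    the port already has four lower addresses, and "**" when the entry
    lies past the concentrator limit.
    Assumption: the concentrator limit is applied to the entry's position
    in the full ordered database, before the per-port limit.
    """
    limit = CONCENTRATOR_LIMIT[manager]
    # Fixed-width lowercase hex sorts the same as numeric order.
    ordered = sorted({(s, p, normalize(m)) for s, p, m in entries})
    count_on_port = defaultdict(int)
    plan = []
    for position, (slot, port, mac) in enumerate(ordered, start=1):
        count_on_port[(slot, port)] += 1
        if position > limit:
            marker = "**"
        elif count_on_port[(slot, port)] > PER_PORT_LIMIT:
            marker = "*"
        else:
            marker = ""
        plan.append((slot, port, mac, marker))
    return plan


def skipped_by_port(plan):
    """Map 'slot.port' to the (mac, marker) pairs a download leaves out."""
    skipped = defaultdict(list)
    for slot, port, mac, marker in plan:
        if marker:
            skipped[f"{slot}.{port:02d}"].append((mac, marker))
    return dict(skipped)


if __name__ == "__main__":
    for slot, port, mac, marker in plan_download(SAMPLE):
        print(f"{slot}.{port:02d}  {mac} {marker}")
```

Stations whose addresses are reported as skipped will be treated as unauthorized once security is enabled on the port, so review that list before issuing the download.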
Showing Security Intruder List
The SHOW SECURITY INTRUDER_LIST command is only available with Advanced EMM Version 4.0. The Security Intruder list contains information regarding the 10 most recent intrusion attempts for a network. This information includes:
• The MAC address of the intruding station (MAC addresses are available for all Ethernet modules with the exception of the Security Module)
• The time that has elapsed since the intrusion attempt occurred (in days, hours, minutes, and seconds)
• A notification if the port was automatically disabled
The oldest entry in the Intruder list is removed when the list is full (10 entries) and a new intrusion attempt occurs.
The following command example displays a Security Intrusion list for a two-port 10BASE-FB Module.
ONline> show security intruder_list [ENTER]
Port   MAC Address        Time Since Intrusion  Auto-Disable?
03.01  08-00-8f-02-c6-be  0d 0h 15m 27s         YES
03.02  09-d3-74-00-2e-01  1d 5h 32m 53s         YES
MAC addresses for unauthorized stations that attempt to transmit data to Security Module ports are not displayed. The MAC addresses are not displayed because the MAC address is intercepted by Intrusion Detection, and cannot reach the network where the EMM can detect the MAC address.

Clearing Security Configurations

The Security Module provides commands to clear a MAC address from a port's MAC address table, and from the Autolearning Database. A cleared MAC address is no longer considered to be a valid address. A command is also available to clear the Security Intruder list.
Clearing the MAC Address Table
You may want to manually clear a MAC address from a port instead of initiating Autolearning to recapture a port's associated MAC addresses. For example, once Autolearning Capture has completed and the information downloaded, a station may be removed from the network.
Issue the following command to clear the MAC address 08-54-6f-01-32-08 from the MAC address table for port 1 on the Security Module in slot 3.
ONline> clear security port 3.1 mac_address 08-54-6f-01-32-08 [ENTER]
Use the All option to remove all associated MAC addresses from a specific port, all ports on a Security Module, or all ports on all Security Modules in a concentrator. If you do not enter a MAC address, the command defaults to All, which clears all MAC addresses from the specified ports.
Note: Security Mode is not disabled automatically when you delete a port's MAC address. Thus, a port may not have a MAC address associated with it yet still have security enabled. In this case, any end station attached to that port is deemed “unauthorized.” Always disable Security Mode on a port that does not have an assigned MAC address.
Clearing the Autolearning Database
Issue the following command to clear from the Autolearning database all MAC addresses associated with port 1 on the Security Module in slot 3.
ONline> clear security autolearn 3.1 mac_address all [ENTER]
If you do not enter a MAC address, the command defaults to All, which clears all MAC addresses from the Autolearning database for the specified ports.
Clearing the Security Intruder List
The Security Intruder list contains information regarding the 10 most recent intrusion attempts. Use the following command to completely clear the Intruder list.
ONline> clear security intruder_list [ENTER]
Intruder List cleared.

Using 3Com MIB Security Variables

This section lists the network management Security MIB (Management Information Base) variables and the ONline 10BASE-T Security Module MIB variables.
EMM Security SNMP Variables
The MIB variables for the EMM Security settings include:
• olNetSecurityMACTable - Table of security information for the entire concentrator.
• olNetSecurityMACEntry - The element type for entries in the olNetSecurityMACTable. An entry consists of a:
  – slot number
  – port number
  – single MAC address
  – mode value
  – status value
• olNetSecurityMACSlotIndex - The slot number, defined to be an integer.
• olNetSecurityMACPortIndex - The port number, defined to be an integer.
• olNetSecurityMACAddress - Defines the MAC address to be a 6-byte field.
• olNetSecurityMACMode - Defines the possible mode values that may be associated with a port. Currently, only Enable and Disable are defined as legitimate values. These values indicate if security is enabled for a port.
• olNetSecurityMACStatus - Status associated with each port, which indicates if a valid (non-zero) MAC address is assigned to it. The possible values for this field are Valid and Invalid.
Using the Security Module SNMP Variables
Listed below are the MIB (Management Information Base) variables for the ONline 10BASE-T Security Module.
• ol51nnMTPLSModTable - List of module-specific information about a specific 51nnM-TPLS module in the concentrator.
• ol51nnMTPLSModEntry - List of module-specific information about a specific 51nnM-TPLS module in the concentrator.
• ol51nnMTPLSModSlotIndex - Slot number of this module.
• ol51nnMTPLSModDipNetwork - Network indicated by the module's dip switches.
• ol51nnMTPLSModDipSecurity - Module security configuration as indicated by this module's DIP switches.
• ol51nnMTPLSModAutoPartition - Holds the consecutive collision count limit value.
• ol51nnMTPLSPortTable - Table of port-specific information for each port of this module type.
• ol51nnMTPLSPortEntry - List of module-specific information about a specific 51nnM-TPLS port in the concentrator.
• ol51nnMTPLSPortSlotIndex - Slot number of this port's module.
• ol51nnMTPLSPortAdminState - The desired state of this port.
• ol51nnMTPLSPortBuddySlot - The slot index of the redundant port's buddy.
• ol51nnMTPLSPortBuddyPort - The port index of the redundant port's buddy.
• ol51nnMTPLSPortLinkInteg - The link integrity configuration for this port.
• ol51nnMTPLSPortDipLinkInteg - The link integrity configuration for this port as indicated by the module DIP switch setting.

Troubleshooting

5
This chapter describes troubleshooting procedures for the ONline Security Module. Information on troubleshooting will assist you in verifying operation. Typical fault conditions are addressed in this chapter.

Troubleshooting

Diagnostic features have been covered to a large extent in Tables 3-4 and 3-5. Table 5-1 and Table 5-2 in this chapter cover fault conditions and troubleshooting suggestions for the ONline 10BASE-T Security Module. This chapter is divided into the following sections:
• Troubleshooting Using the Port Status LEDs
• Troubleshooting Using the Activity LEDs
• Technical Assistance
Troubleshooting Using the Status LEDs
A blinking Port Status indicator (LED) signals a problem with a port or a link connected to a port. Once a port detects a problem, you can further analyze the problem by counting the number of blinks. Table 5-1 provides troubleshooting suggestions for each of the blinking sequences.
Note: The LEDs provide accurate information only when unused ports are disabled.
Table 5-1. Troubleshooting Using the Port Status LEDs
LED State | Indication | Possible Problem | Troubleshooting Suggestions
1 Blink | Link Failure | Cables not connected. | Connect cables.
1 Blink | Link Failure | Cables broken. | Check cables with cable tester. Repair or replace cables.
1 Blink | Link Failure | Link Integrity mismatch. | Make sure that both ends of the connection have the same Link Integrity setting.
2 Blinks | Port Partitioned | Faulty cable. | Check cable with cable tester. Repair or replace cable.
2 Blinks | Port Partitioned | Network overloaded. | Reassign users to another network to balance the load.
Off | Ports Disabled | Ports disabled. | Enable ports.
Off | Ports Disabled | Security Module not powered. | Check the Controller Module Power LEDs.
Off | Ports Disabled | Broken LED. | Press the LED test on the Controller Module.
Off | Ports Disabled | Faulty Security Module. | Replace module.
Off | Ports Disabled | Attempted breach of security intrusion. | Display the Intruder list for intruder information. Then re-enable the port.
The Security Module also provides a Module Status LED. This LED indicates the operational status of the module. The Module Status LED is On to indicate the module is operational. The LED is Off to indicate the module is non-operational. If this LED is off, refer to the troubleshooting suggestions in Table 5-1.
This LED is helpful if the Security Module is first installed, but the Autolearning database has not been downloaded to the module. The Module Status LED will be On and the 12 Port Status LEDs will be Off, indicating that the Security Module is operational, but all 12 ports are disabled. Thus, the Module Status LED enables you to discern that the lack of bus traffic is due to the ports being disabled rather than due to a fault with the Security Module.
Troubleshooting Using the Activity LEDs
Under some conditions a port Activity LED may not light. Use the troubleshooting suggestions in Table 5-2 to help determine why the light is off, and to isolate the source of the problem.
Table 5-2. Troubleshooting Using the Activity LEDs
LED State | Possible Problem | Troubleshooting Solutions
Off | There is no traffic received from the segments (normal). | None.
Off | Concentrator power is Off. | Check the Controller Module Power LEDs.
Off | The Activity LED has burned out. | Press the LED test button on the Controller Module.
Off | A Security Module port is faulty. | Connect the cable to a different port.
Off | The module connection to the backplane is bad. | Reinsert the Security Module. If this fails to correct the problem, try another concentrator slot.
Off | The Security Module is faulty. | Try a different Security Module.

Technical Assistance

You can receive assistance for installing and troubleshooting the Security Module by calling either your 3Com reseller or 3Com Technical Support. Be prepared to supply a representative with the following information:
• Description of the problem
• Steps you have taken to try and correct the problem
• Type and software version of the ONline network management module being used
• Version of software installed on your Security Module
• Status of the front panel LEDs
• Configuration of your network
• Configuration of your concentrator (you may find it helpful to refer to the Slot Usage Chart in Appendix B of the ONline System Concentrator Installation and Operation Guide for a record of this information)
Refer to Appendix B for instructions on contacting Technical Support for your product.

Specifications

A
This appendix lists:
• Electrical Specifications
• Environmental Specifications
• Mechanical Specifications
• General Specifications
• 50-Pin Connector and Cable
• Twisted Pair Connectors and Cables

Electrical Specifications

Backplane Interface: 96-pin edge connector, compatible with the 3Com ONline System Concentrators.
Power Requirements: 2.0 A for 5V
Fuse: 4.0 Amps Fast blow
Watts: 10

Environmental Specifications

Operating Temperature: 0° to 50° C (32° to 122° F)
Storage Temperature: -30° to 65° C (-22° to 149° F)
Humidity: less than 95%, non-condensing
BTU/hr: 34

Mechanical Specifications

Dimensions: 1.0" W x 10.25" L x 8.5" H (2.54 cm x 26.04 cm x 21.6 cm)
Weight: 1.25 lb. (0.57 kg.)

General Specifications

Data rate: 10 Mbps (million bits per second)
Data modulation: Manchester
Diagnostic modulation: Link Integrity pulse
Collision detection: 100% deterministic
Port partitioning: user-settable
Maximum number of nodes: 1024
Configuration rules: supports IEEE 802.3 controllers and IEEE 802.3 repeaters
Jabber protection: 6.5 milliseconds
Ethernet interface: 50-pin TELCO connector; supports 12 connections
Number of ports: 12
Cabling: conforms to the 10BASE-T standard
Cable differential impedance: 85 ohms to 115 ohms over 1 to 16 MHz band
Cable propagation velocity: >.585c
Host interface: 3Com ONline System Concentrator bus interface standard
Installation attachment: Two thumbscrews on the mounting bracket

50-Pin Connector and Cable

Figure A-1 illustrates the cable pinouts for the Security Module female connector and the 50-Pin cable male connector. This figure also shows how to connect Port 1 of the Security Module to a desktop transceiver using the TIA-568A wiring standard for an RJ-45 connection. Connections between the module and the desktop device can be made through a patch panel, Hydra cable, or punchdown block. It is critical that the data path be preserved along the route from the module's Telco connector to the remote end, especially when going through patch panels or punchdown blocks.
Figure A-1. 50-Pin Cable Male and Female Connectors
Table A-1 lists the pinouts, receive/transmit pairs and polarity, and port assignments for the 50-Pin Telco cable that connects to the Security Module.
Table A-1. 50-Pin Cable Pinouts and Port Assignments
Hub Port # | Hub Pin # | Hub Function/Polarity | Transceiver Function/Polarity | Hub Port # | Hub Pin # | Hub Function/Polarity | Transceiver Function/Polarity
Port 1 | 26 | RX, + | TX, + (1) | Port 7 | 38 | RX, + | TX, + (1)
Port 1 | 1 | RX, - | TX, - (2) | Port 7 | 13 | RX, - | TX, - (2)
Port 1 | 27 | TX, + | RX, + (3) | Port 7 | 39 | TX, + | RX, + (3)
Port 1 | 2 | TX, - | RX, - (6) | Port 7 | 14 | TX, - | RX, - (6)
Port 2 | 28 | RX, + | TX, + (1) | Port 8 | 40 | RX, + | TX, + (1)
Port 2 | 3 | RX, - | TX, - (2) | Port 8 | 15 | RX, - | TX, - (2)
Port 2 | 29 | TX, + | RX, + (3) | Port 8 | 41 | TX, + | RX, + (3)
Port 2 | 4 | TX, - | RX, - (6) | Port 8 | 16 | TX, - | RX, - (6)
Port 3 | 30 | RX, + | TX, + (1) | Port 9 | 42 | RX, + | TX, + (1)
Port 3 | 5 | RX, - | TX, - (2) | Port 9 | 17 | RX, - | TX, - (2)
Port 3 | 31 | TX, + | RX, + (3) | Port 9 | 43 | TX, + | RX, + (3)
Port 3 | 6 | TX, - | RX, - (6) | Port 9 | 18 | TX, - | RX, - (6)
Port 4 | 32 | RX, + | TX, + (1) | Port 10 | 44 | RX, + | TX, + (1)
Port 4 | 7 | RX, - | TX, - (2) | Port 10 | 19 | RX, - | TX, - (2)
Port 4 | 33 | TX, + | RX, + (3) | Port 10 | 45 | TX, + | RX, + (3)
Port 4 | 8 | TX, - | RX, - (6) | Port 10 | 20 | TX, - | RX, - (6)
Port 5 | 34 | RX, + | TX, + (1) | Port 11 | 46 | RX, + | TX, + (1)
Port 5 | 9 | RX, - | TX, - (2) | Port 11 | 21 | RX, - | TX, - (2)
Port 5 | 35 | TX, + | RX, + (3) | Port 11 | 47 | TX, + | RX, + (3)
Port 5 | 10 | TX, - | RX, - (6) | Port 11 | 22 | TX, - | RX, - (6)
Port 6 | 36 | RX, + | TX, + (1) | Port 12 | 48 | RX, + | TX, + (1)
Port 6 | 11 | RX, - | TX, - (2) | Port 12 | 23 | RX, - | TX, - (2)
Port 6 | 37 | TX, + | RX, + (3) | Port 12 | 49 | TX, + | RX, + (3)
Port 6 | 12 | TX, - | RX, - (6) | Port 12 | 24 | TX, - | RX, - (6)
 | 50 | Not Used | Not Used | | 25 | Not Used | Not Used

Twisted Pair Connectors and Cables

You can use many types of cables and connectors to link your Security Module to your network. Use the information in this section to ensure that the cables and connecting hardware meet requirements.
Note: For proper operation, use only approved cables when you install all equipment.
3Com recommends that you connect cables first at the active concentrator location, and connect transceivers second. Refer to the ONline System Concentrator Installation and Operation Guide for more information about the ONline System Concentrator connections.
This section is divided into the following parts:
- Twisted Pair Connectors
- Twisted Pair Cables
Twisted Pair Connectors
Use the IEEE 802.3 10BASE-T standard for RJ-45 pinouts as described below. 10BASE-T uses 2 of the 4 pairs of wire: pins 1 and 2 and pins 3 and 6. If the pairs are not configured this way, the connection will not work properly. Level 3 or higher cable should have the following pin pairings:
- pins 4 and 5 are pair 1
- pins 3 and 6 are pair 2
- pins 1 and 2 are pair 3
- pins 7 and 8 are pair 4
Refer to Figure A-1 for an example of the recommended TIA-568A wiring standard for an RJ-45 connector.
Figure A-2. RJ-45 Connector Pinouts
Some installations may have 50-pin Telco connectors at the wiring closet. We recommend using a patch panel that converts from 50-pin to RJ45-type connectors. This allows direct connection to the Security Module in your ONline System Concentrator.
Twisted Pair Cables
The cables that are supported must meet the following qualifications:
- Level 3 or higher
- 22 or 24 gauge twisted pair cable
- 85 to 115 ohm impedance
- minimum of 2 pairs
A pair is usually a solid color wire twisted with a striped wire with the same color.
B

Technical Support

3Com provides easy access to technical support information through a variety of services. This appendix describes the following services:
- On-line Technical Support
- Support from Your Network Supplier
- Support from 3Com
- Returning Products for Repair
- Accessing the 3Com MIB
- 3Com Technical Publications

On-line Technical Support

3Com offers worldwide product support through the following on-line systems:
- Email Technical Service
- World Wide Web Site
Email Technical Support
You can contact the Integrated Systems Division (formerly Chipcom) on the Internet for technical support using the e-mail address techsupp@chipcom.com.
World Wide Web Site
You can access the latest networking information on the 3Com World Wide Web site by entering our URL into your Internet browser:
http://www.3Com.com/
This service features news and information about 3Com products, customer service and support, the latest 3Com news releases, selected articles from 3TECH™, the 3Com award-winning technical journal, and more.
You can contact the Integrated Systems Division on the World Wide Web by entering our URL into your Internet browser:
http://www.chipcom.com/
There are links between both WWW pages to view information from all 3Com divisions.

Support from Your Network Supplier

If additional assistance is required, contact your network supplier. Many suppliers are authorized 3Com service partners who are qualified to provide a variety of services, including network planning, installation, hardware maintenance, application training, and support services.
When you contact your network supplier for assistance, have the following information ready:
- Diagnostic error messages
- A list of system hardware and software, including revision levels
- Details about recent configuration changes, if applicable
If you are unable to contact your network supplier, see the following section on how to contact 3Com.

Support from 3Com

If you are unable to receive support from your network supplier, technical support contracts are available from 3Com.
For direct access to customer service for Integrated Systems Division products in:
- U.S.A. and Canada - call (800) 724-2447
- Asia Pacific - call (508) 787-5151
- Europe - refer to the table below. For European countries not listed, call 31 30 60 299 00

Country      Telephone Number   Country       Telephone Number
Belgium      0800 71429         Netherlands   06 0227788
Denmark      800 17309          Norway        800 11376
Finland      0800 113153        Spain         900 983125
France       05 917959          Sweden        020 795482
Germany      0130 821502        U.K.          0800 966197
Ireland      1 800 553117       U.S.          800 876-3266
Italy        1678 79489
For access to customer service for all 3Com products, call (800) 876-3266. You can also contact the Integrated Systems Division (ISD) on the Internet by using the e-mail address techsupp@chipcom.com.

Returning Products for Repair

A product sent directly to 3Com for repair must first be assigned a Return Materials Authorization (RMA) number. A product sent to 3Com without an RMA number will be returned to the sender unopened, at the sender’s expense.
To obtain an RMA number for Integrated Systems Division products (formerly Chipcom), use the following numbers.

Country           Telephone Number       Fax Number
U.S. and Canada   (800) 724-2447         (508) 787-3400
Europe            (44) (1442) 275860     No Fax
Asia Pacific      (508) 787-5296         (508) 787-3400

Accessing the 3Com MIB

The 3Com Management Information Base (MIB) for the Integrated Systems Division describes commands that enable you to manage 3Com SNMP-based products. The MIB is available over the Internet on an anonymous FTP server. Updates to these MIBs are released as new 3Com products are introduced.
To access Internet versions:
1. FTP to ftp.chipcom.com (151.104.9.65).
2. Enter the login name anonymous.