Alcatel-Lucent OMNIACCESS SAFEGUARD CONTROLLER Admin Guide
OmniAccess SafeGuard
OS Administration
Guide
Release 3.0.2
PART NUMBER: 005-0033 REV A1
UBLISHED: MARCH 2007
P
A
LCATEL-LUCENT
26801 WEST AGOURA ROAD
CALABASAS, CA 91301 USA
(818) 880-3500
WWW.ALCATEL-LUCENT.COM
Alcatel-Lucent Proprietary
Copyright © 2007 Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole
or in part without the expressed written permission Alcatel-Lucent. Alcatel-Lucent ® and the AlcatelLucent logo are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their
respective owners.
2
OmniAccess SafeGuard OS Administration Guide
Contents
Preface
About This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Conventions Used in This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Related Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Guide Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 1: SafeGuard OS Overview
Alcatel-Lucent Solution and Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Deployment Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Understanding Protection Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
SafeGuard OS Overall Feature Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2: Accessing and Managing the System
Connecting to a SafeGuard Device Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Accessing the SafeGuard Device Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Enabling and Disabling Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Displaying the Current Telnet and Serial Port Connections . . . . . . . . . . . . . . . . . . . . . . . .29
Closing a Telnet or SSH Session. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Specifying the Maximum Number of Telnet Connections Allowed. . . . . . . . . . . . . . . . . .30
Setting the Telnet Connection Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Using Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Enabling an SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Downloading SSH Key Files from TFTP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Generating DSA, RSA, RSA Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Deleting DSA, RSA, RSA Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Changing SSH Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Limiting SSH Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Setting the SSH Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Displaying SSH Configuration Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Customizing and Working with the Command Line Interface Default Settings . . . . . . . . . . .36
Changing the System Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Setting a Maximum Serial Console Connect Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
OmniAccess SafeGuard OS Administration Guide
3
Contents
Enabling and Disabling CLI Display Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Uploading a New CLI Banner File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Uploading the CLI Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Copying the System Diagnostics File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Copying the System Debug File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Displaying the Current HTTP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Exiting or Logging Out of a Command Line Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring Management Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring Management Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Adding Management Users to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Displaying the Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Setting a Password for the Default Admin Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Configuring Local Authentication for Management Users. . . . . . . . . . . . . . . . . . . . . . . . .43
Assigning a Login List to the Default Login User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Configuring RADIUS Users for Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Clearing All Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Managing Out-of-Band Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Setting the IP Configuration Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Setting the IP Address, Netmask, and Gateway of the System . . . . . . . . . . . . . . . . . . . . . . . .47
Enabling or Disabling the Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Setting Speed and Duplex for the Management Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Displaying Configuration Information for the Management Port. . . . . . . . . . . . . . . . . . . . . . .48
Displaying Address Resolution Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Setting Up the System Time and Date (SNTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Manually Setting the Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Configuring SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Optional SNTP Client Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Setting the Poll Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Setting the Poll Retry and Poll-Timeout Timers for Unicast Clients. . . . . . . . . . . . . . . . . . . . 58
Setting the Port ID for the Port Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Managing Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Clearing the Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Checking for Another Computer on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Displaying Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Displaying Hardware Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Displaying the Serial Communication Settings for the Device . . . . . . . . . . . . . . . . . . . . . . . . .65
Setting Up a Trace Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Managing Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Configuring the Network MAC Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Configuring the Network MAC Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Configuring the Network VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Configuring the Network Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
4
OmniAccess SafeGuard OS Administration Guide
Contents
Configuring SNMP on the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Setting the SNMP Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Setting the SNMP Physical Location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Designating the SNMP Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Configuring SNMP Communities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Adding and Naming a New SNMP Community. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Establishing Access for the SNMP Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Setting a Client IP Address for an SNMP Community. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Setting a Client Netmask SNMP Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuring a SNMP Target. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Creating the Trap Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Changing the IP Address of a Trap Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Changing the Trap Receiver Version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Enabling and Disabling SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Displaying SNMP Community Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Displaying SNMP Target Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Displaying SNMP System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Configuring Domain Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Specifying a Default Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Creating a DNS Name Server List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Displaying DNS Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Resetting the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Configuring Data Traffic Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Entering Interface Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Enabling and Disabling an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Displaying Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Displaying Ethernet Interface Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Switchport Statistics Display Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Additional Statistics Display Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Understanding Mirroring and Monitoring Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
About Remote Span Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Configuring Port-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Setting the Source or Destination Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Restoring the Default Mirror Session Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Showing the Monitor Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Changing the Protection Mode of Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
For the SafeGuard Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
For the SafeGuard Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Displaying Protection Mode Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configuring High Availability Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Configuring Fail-over Device Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Configuring System Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Configuring Exception Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Enabling and Disabling Exception Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
OmniAccess SafeGuard OS Administration Guide
5
Contents
Changing the Exception Recovery Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Enabling System Reboots on LSP Watchdog Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Viewing the Exception Recovery Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Chapter 3: Working with Configuration Files and Upgrading Images
Understanding Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Saving Changes to the Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
From Running to the Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
From Running to External Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Saving Changes to the Startup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
From Startup to Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
From Startup to External Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Moving Backup Files to External Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Restoring Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
From Flash Memory to Flash Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
From TFTP to Flash Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
From Compact Flash to Flash Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Erasing the Startup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Displaying Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Running Config. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Startup Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Upgrading System Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Copying Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Specifying the System Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Upgrading the Boot Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Dual-Stage Boot Loader Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Copying a Boot Loader from a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Specifying the Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Simple Boot Loader Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Updating the Simple Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Migrating a Simple Boot Loader to a Dual-Stage Boot Loader . . . . . . . . . . . . . . . . . . . .119
Displaying Image and Boot Loader Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Removing All Data from Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Chapter 4: Configuring SafeGuard Controllers
Configuring VLANs on the SafeGuard Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Link Pair Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Chapter 5: Setting Up SafeGuard Switches
Overview of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Tagged and Untagged Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Ingress VLAN Classification and Egress Forwarding for the SafeGuard Switch. . . . . . . . . . . 130
Ingress VLAN Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6
OmniAccess SafeGuard OS Administration Guide
Contents
Assigning Ports to VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Forwarding Tagged and Untagged Frames. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Why Use VLANs?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Configuring VLANs on the SafeGuard Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Configuring Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring Protocol-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Configuring MAC-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring IP Subnet-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Deleting a VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Verifying the VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Displaying Forwarding Database Entries Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Configuring Spanning Trees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Enabling or Disabling STP Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Forcing Transmission of Rapid Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Setting the Configuration Identifier Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Setting the Configuration Identifier Revision Level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Specifying an Edge Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Setting the Force Protocol Version Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Setting the Bridge Forward Delay Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Setting the Bridge Max Age Parameter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Setting the Path Cost or Port Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Setting the Bridge Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Setting the Administrative Switch Port State for a Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Setting the Administrative Switch Port State for all Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Displaying STP Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Displaying Spanning Tree Settings for the Bridge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Displaying Settings for a Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Displaying Spanning Tree Settings and Parameters for a Switch. . . . . . . . . . . . . . . . . . .163
Configuring IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Configuring Global IGMP Snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring IGMP Snooping on a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Optional IGMP Snooping Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Setting the Group Membership Interval Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Setting the Maximum Response Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Setting the Multicast Router Expiration Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Enabling Fast-Leave Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Enabling Fast-Leave Mode On An Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Creating a Static Connection to a Multicast Router. . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Clearing IGMP Snooping Entries Globally. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Displaying IGMP Snooping Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Showing the IGMP Snooping Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Displaying Static Configurations to a Multicast Router. . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Showing IGMP Snooping Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
OmniAccess SafeGuard OS Administration Guide
7
Contents
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Enabling Port Locking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Setting the Maximum Number of Dynamically Locked MAC Addresses . . . . . . . . . . . . . . .177
Setting the Maximum Number of Statically Locked MAC Addresses . . . . . . . . . . . . . . . . . .178
Adding a MAC Address to the Statically Locked List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Converting Dynamically Locked Address To Statically Locked Addresses. . . . . . . . . . . . . .180
Displaying the Port Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Displaying the Dynamically Locked MAC Addresses for a Port . . . . . . . . . . . . . . . . . . . . . . .182
Displaying the Statically Locked MAC Addresses for a Port . . . . . . . . . . . . . . . . . . . . . . . . . .182
Displaying the Source MAC Address of the Last Packet Discarded on a Locked Port . . . . 183
Configuring Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Configuring IP Unicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Configuring Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Displaying ARP Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Configuring Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Optional Routing Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Setting an Administrative Distance or Preference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Creating a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Displaying Routing Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring Bootstrap or DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Enabling BOOTP or DHCP Relay. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Optional BOOTP or DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
IP Multicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Chapter 6: Configuring Authentication and Role Derivation
Configuring User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Authentication Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Authentication Component Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Planning for Your Authentication and Policy Deployment. . . . . . . . . . . . . . . . . . . . . . . .204
Limiting Access with Trusted Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Displaying Trusted Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Maintaining the Host Mapping Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Configuring Layer 3 Devices for Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Displaying the Current Contents of the Mapping Table. . . . . . . . . . . . . . . . . . . . . . . . . .208
Displaying Layer 3 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Displaying Authenticated Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Working with Protocol Data Unit Parsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Port Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Enabling Safe Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Disabling Safe Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Displaying PDU Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Tracking an Authenticated User Session. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
8
OmniAccess SafeGuard OS Administration Guide
Contents
Configuring Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Planning for Captive Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring the Hijack Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Configuring the Redirect Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Configuring the Redirect Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Setting the Refresh Interval Timer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Enabling and Disabling Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Optional Captive Portal Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Downloading New Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Configuring MAC-Based RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Configuring Device Authentication Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Configuring Simple White Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Creating a Simple White List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Removing a Simple White List Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Displaying a Simple White List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Configuring Extended White Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Removing an Extended White List Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Displaying Extended White List Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Configuring Grey Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Creating a Grey List Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Removing a Grey List Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Displaying a Grey List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Setting Up Authentication Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Configuring RADIUS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Displaying RADIUS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Configuring Active Directory Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Displaying Active Directory Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Maintaining Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Adding or Deleting a User from the Local Authentication Database. . . . . . . . . . . . . . .258
Displaying the Local Authentication Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Clearing an Authenticated User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Displaying User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Configuring Remote Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
IEEE 802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Component Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Impact of Protection Modes on 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Configuring IEEE 802.1x Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Displaying 802.1x Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Showing a Detailed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Showing 802.1x Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Showing Summary Information for 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Optional 802.1x Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Clearing 802.1x Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Initializing the 802.1x Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
OmniAccess SafeGuard OS Administration Guide
9
Contents
Reauthenticating the 802.1x Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring the Maximum Authentications for the 802.1x Port . . . . . . . . . . . . . . . . . . . .274
Re-authenticating the Supplicant for the 802.1x Port . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Configuring the 802.1x Port Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Role Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuring Rule Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Assigning a Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Adding a Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Specifying Logical Operators (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Configuring the Rule Map Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Setting the Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Applying the Rule Map and Assign a Precedence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Removing the Rule Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Displaying Rule Map Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Showing Rule Map Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Showing a Rule Map Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Adding VSAs to the Dictionary File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Chapter 7: Establishing a Security Policy
Policy Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Traffic Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Designing a Policy Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
System White-Black List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Adding a System White-Black List Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Prioritizing List Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Removing an Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Role Hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Layer 7 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Configuring User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Policy Made Simple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Network Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Application Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Application Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Defining and Applying User Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Assigning the Policy a Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Adding a Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Adding a Severity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Adding a Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configuring the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Configuring the Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
10
OmniAccess SafeGuard OS Administration Guide
Contents
Refreshing Policies and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Network Zones Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Application Groups Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Overriding System Policies with a User Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
EPV Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Configuring Policy-Based Mirroring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Policy Debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
System Generated Policies and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Default System Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
EPV System Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Default System Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Dynamic System Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Displaying Policy Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Showing Application Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Showing Application-Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Showing Policy-Based Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Showing Network Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Showing Policy Debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Showing Policy Enforcement-Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Showing Policy EPV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Showing Policy EPV Host-Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Showing Policy EPV All. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Showing Policy EPV System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Showing Policy Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Showing Policy User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Showing System White-Black List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Showing User-Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Chapter 8: Visualization
About Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Total User Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Application Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
OmniVista SafeGuard Manager Table Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Configuring Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Setting Up the Controller or Switch for OmniVista SafeGuard Manager. . . . . . . . . . . . . . . .338
Setting the Update Interval for OmniVista SafeGuard Manager. . . . . . . . . . . . . . . . . . . . . .338
Displaying Visualization Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Showing Server Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Showing the Update Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Showing Connection Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
OmniAccess SafeGuard OS Administration Guide
11
Contents
Chapter 9: End Point Validation
Determining the Posture of a Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Configuring EPV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Configuring EPV Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Creating Global Bypass Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Bypass Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Configuring a Trigger Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Trigger Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Enabling EPV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Optional EPV Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Adding or Deleting Additional ICS Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Adding ICS Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Modifying ICS Administrator Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Deleting ICS Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Backing Up and Restoring ICS Policies and Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Saving (Copying) ICS Policy and Rules Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Restoring the Policy Backup File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Restoring the Policy Default Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Backing Up and Restoring the ICS Gateway Configuration. . . . . . . . . . . . . . . . . . . . . . . . . .355
Copying and Saving Portal Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Restoring the Portal Backup File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Restoring the Portal Default Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Tailoring Contact Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Displaying and Clearing the EPV Posture State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Showing EPV Host Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Showing EPV User Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Configuring EPV Rescan Timers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Configuring Refresh Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Showing the EPV Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Clearing EPV Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Chapter 10: Detecting and Isolating Malware Security Threats
Detecting and Quarantining Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Configuring Malware Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Enabling and Disabling Global Malware Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Configuring Malware Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Configuring a Malware Remediation Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Configuring Malware Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Configuring for Domain Name Service (DNS) Server Support (optional) . . . . . . . . . . . .367
Configuring a Malware White-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Clearing the Malware White-List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Removing IP Addresses from the White-List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
12
OmniAccess SafeGuard OS Administration Guide
Configuring Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Displaying Malware Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Displaying DNS Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Displaying a Malware Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Displaying DNS Server Names and Refresh Rates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Displaying User-roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Displaying Malware Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Displaying the Malware Detection State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Displaying Malware Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Displaying which Algorithm Detected the Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Displaying Malware for an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Displaying Malware Trace Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Displaying the Contents of the Malware White-List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Downloading Malware Definition Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Clearing Malware Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Chapter 11: Troubleshooting
Contents
Logging Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Setting Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Setting Logging Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Terminal Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Enabling and Disabling the Logging of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Clearing the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Clearing the Alarm LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Displaying the Logging Level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Displaying Log Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Logging Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Appendix A: Sample Output
Show AAA Users Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Show AAA Session-Tracking Mapping-Table Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Show Running-Config Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Index
Command Index
OmniAccess SafeGuard OS Administration Guide
13
Contents
14
OmniAccess SafeGuard OS Administration Guide
Preface
In this preface:
■ About This Guide
■ Related Publications
■ Guide Organization
Preface
About This Guide
This guide provides concept and configuration instructions for the major features
SafeGuard OS and its supported products.
Audience
This guide is intended for experienced network administrators who are responsible for
managing SafeGuard OS.
Conventions Used in This Guide
Ta b le 1 lists the text conventions used in this guide.
Table 1 Text Conventions
Convention Description
courier Command name or screen text.
courier bold Command text to be entered by the user.
italic Indicates a book title, menu item, or new term.
This guide uses the following formats to highlight special messages in the text:
NOTE: Highlights information that is important or that has special interest.
CAUTION: Highlights information to help prevent damage to equipment
or loss of data.
16
WARNING: Highlights safety information that is related to electric shock
or bodily injury.
OmniAccess SafeGuard OS Administration Guide
Related Publications
For more information about configuring and managing a SafeGuard device, refer to the
following guides:
■
OmniAccess SafeGuard Controller Installation Guide
Describes the OmniAccess SafeGuard Controller. The guide provides detailed
installation instructions and technical specifications for the OmniAccess
SafeGuard Controller.
■
OmniVista SafeGuard Manager Administration Guide
Describes how to manage the OmniAccess SafeGuard Controller using the
OmniVista SafeGuard Manager software.
■
ICS Dissolvable Agent for SafeGuard Administration Guide
Describes how to configure the Integrity Clientless Security (ICS) module of the
Alcatel-Lucent Network Admission Control (NAC).
Preface
Additional Resources
Alcatel-Lucent publishes documents for Alcatel-Lucent customers at:
www.Alcatel-Lucent.com
Guide Organization
Ta b le 2 briefly describes each chapter in this guide.
Table 2 Guide Organization
Chapter or Appendix Contents
Chapter 1, SafeGuard OS
Overview
Chapter 2, Accessing and
Managing the System
Provides an overview to the Alcatel-Lucent SafeGuard
OS, the basic feature overview, and how it supports the
Alcatel-Lucent SafeGuard product line. Also, describes
typical deployment models for SafeGuard devices; they
can be deployed in either a standard topology or in a
High Availability (HA) topology.
Describes connecting display devices, such as a
terminal, PC, or laptop computer, to the SafeGuard
device and logging in to the system.
Chapter 3, Working with
Configuration Files and
Upgrading Images
OmniAccess SafeGuard OS Administration Guide
Describes functions and commands related to
configuration files and upgrade processes.
17
Preface
Table 2 Guide Organization (continued)
Chapter or Appendix Contents
Chapter 4, Configuring
SafeGuard Controllers
Chapter 5, Setting Up
SafeGuard Switches
Chapter 6, Configuring
Authentication and Role
Derivation
Describes features specific to SafeGuard Controllers.
Describes numerous configurations specific to
SafeGuard switches, including:
■ setting up Virtual Local Area Networks (VLANs)
■ setting up IP unicast or multicast routing.
This chapter describes the commands used for
configuring authentication, including their names,
descriptions, prototypes, arguments, and argument
descriptions. SafeGuard OS supports two types of user
authentication: active and passive.
Describes the different types of user authentication
available in SafeGuard OS as well as applicable CLI
commands for implementing authentication.
Describes how to configure special authentication lists
used for circumventing the normal authentication
processes, as needed.
Explains the different types of user authentication
available in SafeGuard OS. It also explains how to
configure the SafeGuard device using the CLI to
achieve the maximum benefit in a deployment.
Describes how to configure IEEE 802.1x, port-based
authentication, on the SafeGuard Switch.
Chapter 7, Establishing a
Security Policy
Discusses the key concepts of policy, how to develop a
Policy workflow, and procedures for coding Policy
commands.
Chapter 8, Visualization Describes the concepts and procedures for configuring
the Visualization component.
Chapter 9, End Point
Validation
Chapter 10, Detecting
and Isolating Malware
Security Threats
Chapter 11,
Troubleshooting
Describes the concepts and procedures for configuring
End Point Validation (EPV) commands.
Provides an overview of the malware detection process
and provides procedures for coding the commands
used for detecting and remedying malware.
Describes the commands used for configuring logging,
including their names, descriptions, prototypes,
arguments, and argument descriptions.
18
OmniAccess SafeGuard OS Administration Guide
chapter
SafeGuard OS Overview
1
In this chapter:
■ Alcatel-Lucent Solution and Product Overview
■ Deployment Models
■ Understanding Protection Modes
■ SafeGuard OS Overall Feature Summary
Chapter 1: SafeGuard OS Overview
Alcatel-Lucent enables enterprises to secure their LANs with purpose-built devices based
on custom silicon. IT can control who is allowed onto the LAN, restrict what users can do
on the LAN, and prevent threats from disrupting network services or compromising
data.
Customers can embed security directly in their LAN infrastructure using Alcatel-
Lucent’s network device products: the SafeGuard Controller and SafeGuard Switch.
This chapter reviews Alcatel-Lucent’s devices and products which make up the complete
Alcatel-Lucent solution.
Alcatel-Lucent Solution and Product Overview
Alcatel-Lucent’ solution and products are comprised of:
■ SafeGuard device(s)
A SafeGuard device, such as a SafeGuard Controller and/or SafeGuard Switch, is a
network infrastructure device for inline policy enforcement. The hardware is
designed with custom security silicon consisting of multi-core processors and
custom traffic-processing programmable ASICs. The flexible architecture of these
devices is the backbone for the SafeGuard operating system (OS).
The SafeGuard Controller is available in two models:
— The OmniAccess 1000 SafeGuard supports up to 800 authenticated users
across four gigabit uplinks, with deep packet inspection at 4 Gbps, with
appropriate licensing.
— The OmniAccess 2400 SafeGuard supports up to 2000 authenticated users
across ten 1-Gb uplinks, with 10 Gbps of deep packet inspection, with
appropriate licensing.
The OAG4048X Switch includes 10/100/1000 Mbps ports and 10 Gbps ports. A
similar model, the OAG4048X-PoE, includes additional Power over Ethernet. As
an enterprise-class switch, it has the performance, resiliency, and software
features expected of a network switch connecting user machines into the core or
distribution layer of the LAN. It has dual-homed uplinks, Rapid-Spanning Tree
for fast failover, and hot-swappable power supplies and fans.
While user and application-based controls are available for both the SafeGuard
Controller and SafeGuard Switch devices, the SafeGuard Switch provides perport control. The SafeGuard Controller provides per-uplink control.
■ SafeGuard OS
The operating system that runs on Alcatel-Lucent SafeGuard devices is the
SafeGuard OS. The SafeGuard OS drives the device, providing traffic usage
monitoring, access, and malware controls. The SafeGuard OS provides all of the
20
OmniAccess SafeGuard OS Administration Guide
Chapter 1: SafeGuard OS Overview
following capabilities in the same device, ensuring that there is no centralized
point of failure:
— Device Management – Administrators can set up, manage, and diagnose
problems for the device as a network device.
— Authentication – With Network Access Control (NAC) capabilities,
authentication and posture check is provided to control who can enter the
LAN. NAC leverages an organization’s existing authentication servers and
identity stores with flexibility to provide either passive or active
authentication using Active Directory, RADIUS, or Captive Portal web logon.
— End Point Validation (EPV) – As an optional component of NAC to validate
health or posture of end-user host machines, EPV policies use a temporary or
dissolvable client to check for out-of-date OS, anti-virus software, etc. Hosts
that are not in compliance with corporate security standards are redirected to
an appropriate site to download patches and fixes before accessing the
internet.
— Security Policy – Role-based provisioning learned from the authentication
component, the defined policy component allows the administrator to assign
ACLs (Access Control Lists) at Layer 4 and Layer 7 to individual users. This
capability is especially useful in the post admission separation of users
regardless of point of entry (for example, separation of employees, contractors
and business partners). While initiating policy enforcement on TCP
connections or groupings of UDP packets, a stateful deep packet inspection of
all flows is allowed.
— Threat Control – An essential part of LAN control, Alcatel-Lucent threat
control algorithms monitor application connection patters for signs of
malicious behavior. Because these algorithms do not rely on signatures, they
can detect zero-day malware. The threat detection algorithms are built with a
goal of preventing network meltdown by detecting the malicious activity in
the quickest amount of time with very low false-positive rates.
— Visualization – Collects information about users and applications and how
those users and applications impact the network. Visualization serves as the
conduit between other SafeGuard OS components and the Alcatel-Lucent
OmniVista SafeGuard Manager Command Center.
■ OmniVista SafeGuard Manager Command Center
OmniVista SafeGuard Manager is a central command center that displays data
flow information collected from the SafeGuard OS visualization component. The
OmniVista SafeGuard Manager interface, a graphical user interface, provides at-aglance views of network usage and security violations, which enables the IT
administrator to properly define security policies—global access and malware
policies—relevant to the unique characteristics, trends, and usage patterns and
characteristics of users on the network.
OmniAccess SafeGuard OS Administration Guide
21
Chapter 1: SafeGuard OS Overview
OmniVista SafeGuard Manager compiles information based on user transactions,
presenting all of the activities and access violations tied to usernames. It provides
traffic views on a per-user and per-flow basis, allowing for detailed auditing,
reporting, and forensics. For example, OmniVista SafeGuard Manager could
display all users running Instant Messenger or detail every application, computer,
and file a particular user has touched.
OmniVista SafeGuard Manager also supports role-based provisioning, allowing
IT to define access controls for broad groups of users, such as employees,
contractors, and guests, or for smaller groups, such as the finance department.
OmniVista SafeGuard Manager gives IT flexible malware control, allowing traffic
to be stopped on a per-user or per-application basis if malware is detected.
Using the Alcatel-Lucent OmniVista SafeGuard Manager command center, IT is
provided with full LAN visibility, policy creation capabilities and distribution.
The SafeGuard product family provides the full set of capabilities needed to protect
enterprise assets.
Deployment Models
In terms of deployment, the SafeGuard Controller sits between access switches and the
distribution or core layer, aggregating uplinks from the wiring closets and enforcing
access policies on all traffic. As a transparent device, the Controller requires no changes to
network design or user behavior, simplifying deployment and IT’s cost of operations.
The Controller supports high availability and resiliency modes. Enterprises that have
dual-homed wiring closet switches can deploy two SafeGuard Controllers as peers—the
two platforms would share state and preserve user authentications in case of failover. The
Controller runs in fail pass-through mode following a failure, where all LAN traffic will
traverse the Controller untouched, or protect mode, where all traffic is stopped (based on
security policy settings).
While the Controller sits behind existing switches, which suits environments not
upgrading their switches, the SafeGuard Switch provides an integrated secure switch
ideal for customers in the midst of a switch upgrade or building a new LAN for
enterprises to secure the fabric of their LAN.
The integrated platform with both the SafeGuard Controller and SafeGuard Switch
reduces the number of platforms customers need to buy and manage, lowering capital
and operational costs. The SafeGuard Switch also provides per-port control, vs. the per-
uplink control in the SafeGuard Controller. While user- and application-based controls
are available in both SafeGuard platforms, the switch’s per-port control means worms are
contained to a single user rather than all users connected to one uplink port.
22
OmniAccess SafeGuard OS Administration Guide
CST_055
Internet
LAN Core
Data Center
Distribution Layer
OmniAccess
switch
OmniAccess
SafeGuard
10 Gigabit
uplinks
Remediation
servers
Active Directory
RADIUS servers
Alcatel-Lucent
OmniVista
SafeGuard
Manager
Access Layer
Transparent
Deployment
Chapter 1: SafeGuard OS Overview
Figure 1 SafeGuard Controller and Switch in a Typical Deployment
With the preferred standard and typical deployment model, the SafeGuard Controller
device is a multi-port “bump-in-the-wire” device between the edge switch and the next
layer switch, whether that be the distribution layer or the core switch. The uplinks can
either be fiber or copper. A SafeGuard Switch is deployed like any other switch device,
but it can link directly to the distribution layer.
When deploying SafeGuard devices using this model, all SafeGuard OS features are
supported, including policy enforcement, captive portal, IP header validity, and malware
enforcement. Further, devices can be deployed without disrupting existing wiring closet
configurations. Figure 1 shows SafeGuard devices in the typical deployment model.
System recovery and high availability (HA) can be configured when deploying
SafeGuard Controllers. To, it requires an additional (redundant) SafeGuard Controller of
the same model, running the same software release, and configured with the same port
configuration.
In HA mode, the authentication state is propagated to the peer device before there is a
failure so that users do not have to re-authenticate. For example, end users do not need to
log in to the captive portal feature again if there is a system failure. Figure 2 shows this
type of deployment (for details on configuring high availability, see Configuring High
Availability Support on page 100).
OmniAccess SafeGuard OS Administration Guide
23
Chapter 1: SafeGuard OS Overview
CST_011
Internet
WAN/VPN
Secure LAN
controller
Firewall
Core
switch
Active
directory
Data center
RADIUS
Executive
suite
1st floor
edge switch
[Marketing]
2nd floor
edge switch
[Operations]
3rd floor
edge switch
[Finance]
H
ost / edge
Network / core
Figure 2 High Availability (Redundant) SafeGuard Controller Deployment
Understanding Protection Modes
Ingress and egress data traffic is managed by SafeGuard devices based on the level of
protection mode set within the device. Based on the established protection mode—Pass-
thru mode, Monitor mode, or Protect mode. For details on setting protection modes, see
Changing the Protection Mode of Ports on page 95.
When Used SafeGuard Controller SafeGuard Switch
First time set up
and cabling
Testing and
trials
Table 3 Supported Protection Modes
Protection
Mode
Pass-thru
Mode
Monitor Mode
Acts as a transparent
bridge. All security
functionality is
bypassed.
Authentication, captive portal, visualization,
malware detection and protection and userbased policy checking is applied to all data
Acts as a standard L2/
L3 switch. All security
functionality is
bypassed.
traffic, but enforcement is ignored.
24
OmniAccess SafeGuard OS Administration Guide
Table 3 Supported Protection Modes (continued)
Chapter 1: SafeGuard OS Overview
Protection
Mode
Protect Mode
When Used SafeGuard Controller SafeGuard Switch
Typical
Deployment
Authentication, captive portal, visualization,
malware detection and protection and userbased policy checking is applied to all data
traffic, and actively enforced.
OmniAccess SafeGuard OS Administration Guide
25
User/Machine Authentication
■ Authentication via 802.1X or
MAC address
■ Passive Active Directory
authentication snooping
■ Passive RADIUS
authentication snooping
■ Captive portal
authentication
■ Trusted DHCP serve
Role Derivation
■ RADIUS attributes
■ Active Directory attributes
■ Physical location
■ Combination of above
Role-Based Policy (Access
Control By)
■ User group
■ Application
■ Select application attributes
■ Destination port
■ Resource (e.g. servers)
Host Posture Check
■ Dissolvable agent
■ Scan for known threats, anti-
virus definition, service
packs, and custom registry
keys and files
Enforcement Actions
■ Allow
■ Deny
■ TCP reset
■ Mirroring, logging
Threat Detection/Mitigation
■ Zero-hour threat detection
■ No signature updates
necessary
■ Drops malformed packets
■ Block by: physical port, SRC
MAC, offending application
Visualization
■ Ties usernames to
applications and security
violations
■ Identifies applications and
application content
■ Reports application details
to centralized policy center
Centralized Visualization
■ Ties into Alcatel-Lucent
OmniVista SafeGuard
Manager Command Center
■ User and application usage
repository
■ Real-time alert dashboard
■ Fully drillable forensics
capability
■ Reporting and scheduler
■ Full policy and role-
derivation configuration GUI
Logging and Reporting
■ Direct syslog reporting
■ Detailed security log
messages
■ Formatted for SIEM
integration
■ Formatted syslog to multiple
destinations
Management and Control
■ Industry-standard
Command Line Interface
(CLI)
■ Managed by Alcatel-Lucent
OmniVista SafeGuard
Manager Command Center
■ SNMP v1/v2
■ Telnet
■ SSH
■ TFTP
■ Standard and privileged
access modes
Administrator Authentication
■ RADIUS authentication
Performance (Switch Only)
■ Switching capacity: 101
million pps
■ Secure Switching Rate: 10
Gbps
Protocols (Switch Only)
■ 802.1D Bridging
■ 802.1D Spanning Tree
■ 802.1Q/p VLAN Tagging and
Priority
■ 802.1w Rapid Spanning Tree
■ 802.1S MSTP
■ 802.1X Port-based
authentication
■ 802.3 10Base-T
■ 802.3u 100Base-T
■ 802.3z 1000Base-SX/T
■ 802.3ae 10 Gbps Ethernet
■ 802.3af Power-over-Ethernet
Layer 2 Features (Switch Only)
■ 4,096 VLANs
■ 16,000 MAC Addresses
■ Protocol VLAN (802.1v)
■ Port Security (MAC address
locking)
■ Mirror/monitor ports
■ IGMP v1/v2 snooping
Layer 3 Features (Switch Only)
■ Static routing
■ Additional L3 capabilities
due in future software
releases
Chapter 1: SafeGuard OS Overview
SafeGuard OS Overall Feature Summary
The following table summarizes SafeGuard OS features supported by SafeGuard devices.
26
OmniAccess SafeGuard OS Administration Guide
chapter
Accessing and
2
Managing the System
In this chapter:
■ Connecting to a SafeGuard Device Console
■ Accessing the SafeGuard Device Command Line Interface
■ Configuring Management Users
■ Managing Out-of-Band Management Port
■ Setting Up the System Time and Date (SNTP)
■ Managing Device Information
■ Managing Network Information
■ Configuring the Network Protocol
■ Configuring SNMP on the Device
■ Configuring Domain Name Servers
■ Resetting the Device
■ Configuring Data Traffic Ports
■ Configuring High Availability Support
Chapter 2: Accessing and Managing the System
This chapter describes the tasks associated with managing the SafeGuard Controller or
the SafeGuard Switch as a device in the network.
Connecting to a SafeGuard Device Console
SafeGuard devices can be managed using a PC or laptop computer connected to the
SafeGuard Controller or SafeGuard Switch.
To connect a SafeGuard device console:
1 Using a null cable, connect a PC or laptop computer to the DCE port on the back
of the device.
2 Launch a terminal emulation program and configure the settings as shown in
Ta b le 4 .
3 The login prompt is displayed.
Table 4 PC Terminal Emulator Settings
PC or Laptop Setting
Emulation type vt100
Bits per second 9600
Data bits 8
Parity bits None
Stop bits 1
Flow control None
See the following sections for details on accessing the SafeGuard device command line
interface.
Accessing the SafeGuard Device Command Line Interface
The first time that you log into a SafeGuard device, use the default ‘Admin’ as a
username (and no [null] password). Upon first logging into the command interface, you
are in Non-Privileged mode. To perform management and configuration functions, you
need to be in Privileged mode.
28
To access Privileged mode, use the
enable command in Non-Privileged mode.
OmniAccess SafeGuard OS Administration Guide
Chapter 2: Accessing and Managing the System
enable
This command has no parameters or variables.
For example:
(SafeGuardOS) #?
(SafeGuardOS) #enable
(SafeGuardOS) #
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #
See the following sections for more details on accessing SafeGuard devices:
■ Using Telnet
■ Using Secure Shell (SSH)
■ Customizing and Working with the Command Line Interface Default Settings
Using Telnet
A SafeGuard device can be accessed via a Telnet session.
This section describes basic Telnet commands that may be useful when first accessing a
SafeGuard device via a Telnet session. See the following sections for more details:
■ Enabling and Disabling Telnet
■ Displaying the Current Telnet and Serial Port Connections
■ Closing a Telnet or SSH Session
■ Specifying the Maximum Number of Telnet Connections Allowed
■ Setting the Telnet Connection Session Timeout
Enabling and Disabling Telnet
Telnet access is enabled by default. If Telnet has been disabled, use the ip telnet
command in Privileged Exec mode. To disable Telnet, use the
ip telnet
no ip telnet
no form of the command.
The commands have no parameters or variables.
Displaying the Current Telnet and Serial Port Connections
To display the current Telnet and serial port connections, use the show sessions
command in Privileged Exec mode.
OmniAccess SafeGuard OS Administration Guide
29
Chapter 2: Accessing and Managing the System
show sessions
An example of this output and explanation of the fields is described in Tracking an
Authenticated User Session on page 219.
Closing a Telnet or SSH Session
To close a Telnet or SSH session, use the disconnect command in Privileged Exec mode.
disconnect [sessionID | all]
Syntax Description sessionID Disconnects the session specified by the
all Disconnects all remote sessions.
The following example disconnects session ID 10:
session identifier. Use the show sessions
command to find the session ID.
(SafeGuardOS) # disconnect 10
(SafeGuardOS) #
Specifying the Maximum Number of Telnet Connections Allowed
To specify the maximum number of Telnet connection sessions that can be established,
use the ip telnet maxsessions command in Global Configuration mode. Use the
no
version of the command to restore the default value.
ip telnet maxsessions number
no ip telnet maxsessions
Syntax Description number Sets the number of Telnet sessions. Valid range
is from 1 to 5. The default value is 5.
The following example sets the number of Telnet sessions to 3:
(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) # ip telnet maxsessions 3
(SafeGuardOS) (config) #
Setting the Telnet Connection Session Timeout
30
To set the Telnet connection session timeout value (in minutes), use the ip telnet timeout
command in Global Configuration mode. Use the
no version of the command to restore
the default value.
ip telnet timeout timeout
OmniAccess SafeGuard OS Administration Guide
Loading...