Enterasys 6H202-24, 6H252-17, 6H203-24, 6H253-13, 6H258-17 Local Management User’s Manual

...
Matrix E7 Series and
SmartSwitch 6000 Series Modules
(6H2xx, 6E2xx, 6H3xx, and 6G3xx)
Local Management User’s Guide
9033528-05
NOTICE
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc. 35 Industrial Way Rochester, NH 03867
© 2002 by Enterasys Networks, Inc. All Rights Reserved. Printed in the United States of America.
Order Number: 9033528-05 November 2002
LANVIEW is a registered trademark and ENTERASYS NETWORKS, NETSIGHT, SMARTSWITCH, MATRIX, WEBVIEW, and any logos associated therewith, are trademarks of Enterasys Networks, Inc. in the United States and other countries.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
ENTERASYS NETWORKS, INC.
PROGRAM LICENSE AGREEMENT
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,
CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. (“Enterasys”) that sets forth your rights and obligations with respect to the Enterasys software program (“Program”) in the package. The Program may be contained in firmware, chips or other media. BY UTILIZING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS (603) 332-9400. Attn: Legal Department.
1. LICENSE. You have the right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this License Agreement.
You may not copy, reproduce or transmit any part of the Program except as permitted by the Copyright Act of the United States or as authorized in writing by Enterasys.
2. OTHER RESTRICTIONS. You may not reverse engineer, decompile, or disassemble the Program.
3. APPLICABLE LAW. This License Agreement shall be interpreted and governed under the laws and in the state and federal courts of New Hampshire. You accept the personal jurisdiction and venue of the New Hampshire courts.
4. EXPORT REQUIREMENTS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Product (i) was developed solely at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Product is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the Government is subject to restrictions set forth herein.
6. EXCLUSION OF WARRANTY. Except as may be specifically provided by Enterasys in writing, Enterasys makes no warranty, expressed or implied, concerning the Program (including its documentation and media).
ENTERASYS DISCLAIMS ALL WARRANTIES, OTHER THAN THOSE SUPPLIED TO YOU BY ENTERASYS IN WRITING, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PROGRAM, THE ACCOMPANYING WRITTEN MATERIALS, AND ANY ACCOMPANYING HARDWARE.
7. NO LIABILITY FOR CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THIS ENTERASYS PRODUCT, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, OR IN THE DURATION OR LIMITATION OF IMPLIED WARRANTIES IN SOME INSTANCES, THE ABOVE LIMITATION AND EXCLUSIONS MAY NOT APPLY TO YOU.
Contents
Figures ........................................................................................................................................... xii
Tables.............................................................................................................................................xv
ABOUT THIS GUIDE
Using This Guide...........................................................................................................xix
Structure of This Guide ..................................................................................................xx
Related Documents...................................................................................................... xxii
Document Conventions................................................................................................ xxii
Typographical and Keystroke Conventions................................................................. xxiii
1 INTRODUCTION
1.1 Overview ......................................................................................................... 1-1
1.1.1 The Management Agent ................................................................. 1-3
1.1.2 In-Band vs. Out-of-Band ................................................................. 1-3
1.2 Navigating Local Management Screens ......................................................... 1-3
1.3 Local Management Requirements .................................................................. 1-4
1.4 Local Management Screen Elements ............................................................. 1-4
1.5 Local Management Keyboard Conventions .................................................... 1-8
1.6 Getting Help .................................................................................................... 1-9
2 LOCAL MANAGEMENT REQUIREMENTS
2.1 Management Terminal Setup.......................................................................... 2-1
2.1.1 Console Cable Connection ............................................................. 2-2
2.1.2 Management Terminal Setup Parameters ...................................... 2-3
2.2 Telnet Connections ......................................................................................... 2-4
2.3 Monitoring an Uninterruptible Power Supply................................................... 2-4
3 ACCESSING LOCAL MANAGEMENT
3.1 Navigating Local Management Screens ......................................................... 3-1
3.1.1 Selecting Local Management Menu Screen Items ......................... 3-4
3.1.2 Exiting Local Management Screens ............................................... 3-4
3.1.3 Using the NEXT and PREVIOUS Commands ................................ 3-5
3.1.4 Using the CLEAR COUNTERS Command ..................................... 3-5
3.2 Password Screen ............................................................................................ 3-6
3.3 Main Menu Screen .......................................................................................... 3-8
Contents v
3.4 Module Selection Screen ................................................................................ 3-9
3.4.1 Selecting a Module ....................................................................... 3-11
3.5 Module Menu Screen .................................................................................... 3-12
3.6 Overview of Security Methods ...................................................................... 3-15
3.6.1 Host Access Control Authentication (HACA) ................................ 3-16
3.6.2 802.1X Port Based Network Access Control ................................ 3-19
3.6.2.1 Definitions of Terms and Abbreviations......................... 3-19
3.6.2.2 802.1X Security Overview ............................................. 3-20
3.6.3 MAC Authentication Overview ...................................................... 3-21
3.6.3.1 Authentication Method Selection................................... 3-21
3.6.3.2 Authentication Method Sequence ................................. 3-21
3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication... 3-22
3.6.4 MAC Authentication Control.......................................................... 3-25
3.7 Security Menu Screen................................................................................... 3-26
3.8 Passwords Screen ........................................................................................ 3-29
3.8.1 Setting the Module Login Password ............................................. 3-31
3.9 Radius Configuration Screen ........................................................................ 3-31
3.9.1 Setting the Last Resort Authentication.......................................... 3-34
3.9.2 Setting the Local and Remote Servers ......................................... 3-34
3.10 Name Services Configuration Screen ........................................................... 3-35
3.11 System Authentication Configuration Screen................................................ 3-37
3.12 EAP (Port) Configuration Screen .................................................................. 3-39
3.13 EAP Statistics Menu Screen ......................................................................... 3-44
3.13.1 EAP Session Statistics Screen ..................................................... 3-46
3.13.2 EAP Authenticator Statistics Screen............................................. 3-48
3.13.3 EAP Diagnostic Statistics Screen ................................................. 3-51
3.14 MAC Port Configuration Screen.................................................................... 3-54
3.15 MAC Supplicant Configuration Screen.......................................................... 3-56
4 CHASSIS MENU SCREENS
4.1 Chassis Menu Screen ..................................................................................... 4-2
4.2 Chassis Configuration Screen......................................................................... 4-4
4.2.1 Setting the IP Address .................................................................... 4-6
4.2.2 Setting the Subnet Mask ................................................................. 4-7
4.2.3 Setting the Chassis Date ................................................................ 4-7
4.2.4 Setting the Chassis Time ................................................................ 4-8
4.2.5 Setting a New Screen Refresh Time............................................... 4-8
4.2.6 Setting the Screen Lockout Time.................................................... 4-9
4.3 SNMP Configuration Menu Screen ............................................................... 4-10
4.4 SNMP Community Names Configuration Screen ......................................... 4-12
4.4.1 Establishing Community Names ................................................... 4-13
4.5 SNMP Traps Configuration Screen............................................................... 4-14
4.5.1 Configuring the Trap Table ........................................................... 4-16
4.6 Chassis Environmental Information Screen .................................................. 4-16
4.7 Redirect Configuration Menu Screen (Chassis) ............................................ 4-18
4.8 Port Redirect Configuration Screen .............................................................. 4-19
4.8.1 Changing Source and Destination Ports....................................... 4-22
4.9 VLAN Redirect Configuration Screen............................................................ 4-23
4.9.1 Changing Source VLAN and Destination Ports ............................ 4-26
5 MODULE CONFIGURATION MENU SCREENS
5.1 Module Configuration Menu Screen................................................................ 5-2
5.2 General Configuration Screen......................................................................... 5-4
5.2.1 Setting the IP Address .................................................................... 5-8
5.2.2 Setting the Subnet Mask................................................................. 5-9
5.2.3 Setting the Default Gateway ......................................................... 5-10
5.2.4 Setting the TFTP Gateway IP Address ......................................... 5-11
5.2.5 Setting the Module Name ............................................................. 5-12
5.2.6 Setting the Module Date ............................................................... 5-12
5.2.7 Setting the Module Time ............................................................... 5-13
5.2.8 Entering a New Screen Refresh Time .......................................... 5-13
5.2.9 Setting the Screen Lockout Time.................................................. 5-14
5.2.10 Configuring the COM Port............................................................. 5-14
5.2.10.1 Changing the COM Port Application ............................. 5-16
5.2.11 Clearing NVRAM........................................................................... 5-16
5.2.12 Enabling/Disabling IP Fragmentation............................................ 5-17
5.3 SNMP Configuration Menu Screen ............................................................... 5-18
5.4 SNMP Community Names Configuration Screen ......................................... 5-20
5.4.1 Establishing Community Names ................................................... 5-22
5.5 SNMP Traps Configuration Screen............................................................... 5-23
5.5.1 Configuring the Trap Table ........................................................... 5-24
5.6 Access Control List Screen ........................................................................... 5-25
5.6.1 Entering IP Addresses .................................................................. 5-28
5.6.2 Enable/Disable ACL ...................................................................... 5-29
5.7 System Resources Information Screen......................................................... 5-30
5.7.1 Setting the Reset Peak Switch Utilization ..................................... 5-31
5.8 FLASH Download Configuration Screen....................................................... 5-32
5.8.1 Image File Download Using Runtime............................................ 5-36
5.8.2 Configuration File Download Using TFTP..................................... 5-37
5.8.3 Configuration File Upload Using TFTP ......................................... 5-38
6 PORT CONFIGURATION MENU SCREENS
6.1 Port Configuration Menu Screen..................................................................... 6-2
6.2 Ethernet Interface Configuration Screen......................................................... 6-4
6.3 Ethernet Port Configuration Screen ................................................................ 6-8
6.3.1 Selecting Field Settings ................................................................ 6-12
6.3.2 Setting the Advertised Ability ........................................................ 6-12
6.4 HSIM/VHSIM Configuration Screen .............................................................. 6-13
6.5 Redirect Configuration Menu Screen ............................................................ 6-14
6.6 Port Redirect Configuration Screen .............................................................. 6-16
6.6.1 Changing Source and Destination Ports....................................... 6-19
6.7 VLAN Redirect Configuration Screen............................................................ 6-20
6.7.1 Changing Source VLAN and Destination Ports ............................ 6-23
6.8 Link Aggregation Screen (802.3ad Main Menu Screen) ............................... 6-24
6.8.1 802.3ad Port Screen .................................................................... 6-29
6.8.1.1 802.3ad Port Details Screen ......................................... 6-31
6.8.1.2 802.3ad Port Statistics Screen ...................................... 6-37
6.8.2 802.3ad Aggregator Screen .......................................................... 6-40
6.8.2.1 802.3ad Aggregator Details Screen .............................. 6-42
6.8.3 802.3ad System Screen................................................................ 6-44
6.9 Broadcast Suppression Configuration Screen .............................................. 6-46
6.9.1 Setting the Threshold.................................................................... 6-47
6.9.2 Setting the Reset Peak ................................................................. 6-48
7 802.1 CONFIGURATION MENU SCREENS
7.1 802.1 Configuration Menu Screen .................................................................. 7-2
7.2 Spanning Tree Configuration Menu Screen.................................................... 7-4
7.3 Spanning Tree Configuration Screen.............................................................. 7-6
7.3.1 Configuring a VLAN Spanning Tree................................................ 7-9
7.4 Spanning Tree Port Configuration Screen .................................................... 7-10
7.4.1 Enabling/Disabling the Default Spanning Tree Ports .................... 7-12
7.4.2 Viewing Status of Spanning Tree Ports ........................................ 7-12
7.5 PVST Port Configuration Screen .................................................................. 7-12
8 802.1Q VLAN CONFIGURATION MENU SCREENS
8.1 Summary of VLAN Local Management........................................................... 8-2
8.1.1 Preparing for VLAN Configuration .................................................. 8-2
8.2 802.1Q VLAN Configuration Menu Screen ..................................................... 8-3
8.3 Static VLAN Configuration Screen .................................................................. 8-6
8.3.1 Creating a Static VLAN ................................................................... 8-8
8.3.2 Displaying the Current Static VLAN Port Egress List...................... 8-8
8.3.3 Renaming a Static VLAN ................................................................ 8-9
8.3.4 Deleting a Static VLAN ................................................................... 8-9
8.3.5 Paging Through the VLAN List ..................................................... 8-10
8.4 Static VLAN Egress Configuration Screen.................................................... 8-10
8.4.1 Setting Egress Types on Ports ..................................................... 8-12
8.4.2 Displaying the Next Group of Ports............................................... 8-13
8.5 Current VLAN Configuration Screen ............................................................. 8-14
8.6 Current VLAN Egress Configuration Screen................................................. 8-16
8.7 VLAN Port Configuration Screen .................................................................. 8-17
8.7.1 Changing the Port Mode ............................................................... 8-20
8.7.2 Configuring the VLAN Ports.......................................................... 8-21
8.8 VLAN Classification Configuration Screen.................................................... 8-21
8.8.1 Classification Precedence Rules .................................................. 8-29
8.8.2 Displaying the Current Classification Rule Assignments .............. 8-32
8.8.3 Assigning a Classification to a VID ............................................... 8-33
8.8.4 Deleting Line Items ....................................................................... 8-34
8.9 Protocol Port Configuration Screen............................................................... 8-35
8.9.1 Assigning Ports to a VID/Classification......................................... 8-37
9 802.1p CONFIGURATION MENU SCREENS
9.1 802.1p Configuration Menu Screen ................................................................ 9-2
9.2 Port Priority Configuration Screen................................................................... 9-4
9.2.1 Setting Switch Port Priority Port-by-Port ......................................... 9-6
9.2.2 Setting Switch Port Priority on All Ports .......................................... 9-7
9.3 Traffic Class Information Screen..................................................................... 9-7
9.4 Traffic Class Configuration Screen ............................................................... 9-10
9.4.1 Assigning the Traffic Class to Port Priority.................................... 9-11
9.5 Transmit Queues Configuration Screen........................................................ 9-12
9.5.1 Setting the Current Queueing Mode ............................................. 9-15
9.6 Priority Classification Configuration Screen .................................................. 9-16
9.6.1 Classification Precedence Rules .................................................. 9-26
9.6.2 About the IP TOS Rewrite Feature ............................................... 9-29
9.6.3 Displaying the Current PID/Classification Assignments................ 9-30
9.6.4 Assigning a Classification to a PID ............................................... 9-30
9.6.5 Deleting PID/Classification/Description Line Items ....................... 9-31
9.7 Protocol Port Configuration Screen............................................................... 9-32
9.7.1 Assigning Ports to a PID/Classification......................................... 9-34
9.7.2 Example, Prioritizing Traffic According to Classification Rule....... 9-35
9.7.2.1 Solving the Problem ...................................................... 9-35
9.8 Rate Limiting Configuration Screen .............................................................. 9-37
9.8.1 Configuring a Port ......................................................................... 9-41
9.8.2 Changing/Deleting Port Line Items ............................................... 9-43
9.8.3 More About Rate Limiting ............................................................. 9-44
10 LAYER 3 EXTENSIONS MENU SCREENS
10.1 Layer 3 Extensions Menu Screen ................................................................. 10-2
10.2 IGMP/VLAN Configuration Screen................................................................ 10-3
10.2.1 IGMP/VLAN Configuration Procedure .......................................... 10-7
11 MODULE STATISTICS MENU SCREENS
11.1 Module Statistics Menu Screen..................................................................... 11-2
11.2 Switch Statistics Screen ................................................................................ 11-4
11.3 Interface Statistics Screen ............................................................................ 11-6
11.3.1 Displaying Interface Statistics ....................................................... 11-9
11.4 RMON Statistics Screen ............................................................................. 11-10
11.4.1 Displaying RMON Statistics ........................................................ 11-13
11.5 Chassis Environmental Statistics Configuration Screen .................................................................................. 11-14
12 NETWORK TOOLS SCREENS
12.1 Network Tools ............................................................................................... 12-1
12.2 Built-in Commands........................................................................................ 12-4
12.3 Example, Effects of Aging Time on Dynamic Egress .................................. 12-37
12.4 Example, Using Dynamic Egress to Control Traffic .................................... 12-37
12.5 Special Commands ..................................................................................... 12-38
13 VLAN OPERATION AND NETWORK APPLICATIONS
13.1 Defining VLANs............................................................................................. 13-2
13.2 Types of VLANs ............................................................................................ 13-4
13.2.1 802.1Q VLANs .............................................................................. 13-4
13.2.2 Other VLAN Strategies ................................................................. 13-4
13.3 Benefits and Restrictions .............................................................................. 13-4
13.4 VLAN Terms.................................................................................................. 13-5
13.5 VLAN Operation ............................................................................................ 13-7
13.5.1 Description .................................................................................... 13-7
13.5.2 VLAN Components ....................................................................... 13-7
13.6 Configuration Process................................................................................... 13-8
13.6.1 Defining a VLAN ........................................................................... 13-8
13.6.2 Classifying Frames to a VLAN ...................................................... 13-8
13.6.3 Customizing the VLAN Forwarding List ........................................ 13-8
13.7 VLAN Switch Operation ................................................................................ 13-9
13.7.1 Receiving Frames from VLAN Ports ........................................... 13-10
13.7.2 Forwarding Decisions ................................................................. 13-10
13.7.2.1 Broadcasts, Multicasts, and Unknown Unicasts.......... 13-10
13.7.2.2 Known Unicasts........................................................... 13-11
13.8 VLAN Configuration .................................................................................... 13-11
13.8.1 Managing the Switch................................................................... 13-11
13.8.2 Switch Without VLANs ................................................................ 13-11
13.8.3 Switch with VLANs...................................................................... 13-12
13.9 Summary of VLAN Local Management....................................................... 13-14
13.9.1 Preparing for VLAN Configuration .............................................. 13-15
13.10 Quick VLAN Walkthrough ........................................................................... 13-16
13.11 Examples .................................................................................................... 13-21
13.12 Example 1, Single Switch Operation ........................................................... 13-22
13.12.1 Solving the Problem.................................................................... 13-22
13.12.2 Frame Handling .......................................................................... 13-24
13.13 Example 2, VLANs Across Multiple Switches ............................................. 13-24
13.13.1 Solving the Problem.................................................................... 13-26
13.13.2 Frame Handling .......................................................................... 13-29
13.14 Example 3, Filtering Traffic According to a Layer 4 Classification Rule...... 13-32
13.14.1 Solving the Problem.................................................................... 13-32
13.15 Example 4, Securing Sensitive Information According to Subnet ............... 13-33
13.15.1 Solving the Problem.................................................................... 13-34
13.16 Example 5, Using Dynamic Egress to Control Traffic ................................. 13-34
13.17 Example 6, Locking a MAC Address to a Port Using Classification Rules . 13-36
13.17.1 Solving the Problem.................................................................... 13-36
A GENERIC ATTRIBUTE REGISTRATION PROTOCOL (GARP)
A.1 Operation ........................................................................................................A-1
A.2 How It Works...................................................................................................A-2
B ABOUT IGMP
B.1 IGMP Overview ...............................................................................................B-1
B.2 Supported Features and Functions .................................................................B-2
B.3 Detecting Multicast Routers ............................................................................B-3
INDEX
Figures
Figure Page
1-1 Example of a Local Management Screen ....................................................................... 1-5
2-1 Management Terminal Connection................................................................................. 2-2
2-2 Uninterruptible Power Supply (UPS) Connection ........................................................... 2-5
3-1 802.1Q Switching Mode, Chassis, LM Screen Hierarchy (Page 1 of 3) ......................... 3-2
3-2 802.1Q Switching Mode, Module, LM Screen Hierarchy (Page 2 of 3) .......................... 3-3
3-3 802.1Q Switching Mode, Chassis, LM Screen Hierarchy (Page 3 of 3) ......................... 3-4
3-4 Local Management Chassis/Module Password Screen.................................................. 3-7
3-5 Main Menu Screen.......................................................................................................... 3-8
3-6 Module Selection Screen.............................................................................................. 3-10
3-7 Module Menu Screen.................................................................................................... 3-12
3-8 Security Menu Screen................................................................................................... 3-27
3-9 Module Login Passwords Screen ................................................................................. 3-29
3-10 Radius Configuration Screen ........................................................................................ 3-32
3-11 Name Services Configuration Screen........................................................................... 3-35
3-12 System Authentication Configuration Screen ............................................................... 3-37
3-13 EAP Port Configuration Screen .................................................................................... 3-39
3-14 EAP Statistics Menu Screen......................................................................................... 3-44
3-15 EAP Session Statistics Screen ..................................................................................... 3-46
3-16 EAP Authenticator Statistics Screen............................................................................. 3-49
3-17 EAP Diagnostic Statistics Screen ................................................................................. 3-51
3-18 MAC Port Configuration Screen.................................................................................... 3-55
3-19 MAC Supplicant Configuration Screen ......................................................................... 3-57
4-1 Chassis Menu Screen..................................................................................................... 4-2
4-2 Chassis Configuration Screen ........................................................................................ 4-4
4-3 SNMP Configuration Menu Screen............................................................................... 4-10
4-4 SNMP Community Names Configuration Screen ......................................................... 4-12
4-5 SNMP Traps Configuration Screen............................................................................... 4-15
4-6 Chassis Environmental Information Screen.................................................................. 4-17
4-7 Redirect Configuration Menu Screen............................................................................ 4-18
4-8 Port Redirect Configuration Screen .............................................................................. 4-20
4-9 VLAN Redirect Configuration Screen ........................................................................... 4-24
5-1 Module Configuration Menu Screen ............................................................................... 5-2
5-2 General Configuration Screen ........................................................................................ 5-4
5-3 Configuration Warning Screen, IP Address .................................................................... 5-9
5-4 Configuration Warning Screen, Subnet Mask............................................................... 5-10
5-5 COM Port Warning........................................................................................................ 5-15
5-6 Clear NVRAM Warning ................................................................................................. 5-17
5-7 SNMP Configuration Menu Screen ............................................................................... 5-19
5-8 SNMP Community Names Configuration Screen.......................................................... 5-21
5-9 SNMP Traps Configuration Screen ............................................................................... 5-23
5-10 Access Control List Screen ........................................................................................... 5-26
5-11 System Resources Information Screen......................................................................... 5-30
5-12 Flash Download Configuration Screen.......................................................................... 5-33
6-1 Port Configuration Menu Screen (in Agg Mode, HUNTGROUP) .................................... 6-2
6-2 Port Configuration Menu Screen (in Agg Mode, IEEE8023ad) ....................................... 6-3
6-3 Ethernet Interface Configuration Screen ......................................................................... 6-5
6-4 Ethernet Port Configuration Screen ................................................................................ 6-8
6-5 Redirect Configuration Menu Screen ............................................................................ 6-15
6-6 Port Redirect Configuration Screen............................................................................... 6-17
6-7 VLAN Redirect Configuration Screen ............................................................................ 6-21
6-8 802.3ad Main Menu Screen .......................................................................................... 6-28
6-9 802.3ad Port Screen ..................................................................................................... 6-30
6-10 802.3ad Port Details Screen ......................................................................................... 6-32
6-11 802.3ad Port Statistics Screen ...................................................................................... 6-37
6-12 802.3ad Aggregator Screen .......................................................................................... 6-40
6-13 802.3ad Aggregator Details Screen .............................................................................. 6-42
6-14 802.3ad System Screen ................................................................................................ 6-44
6-15 Broadcast Suppression Configuration Screen .............................................................. 6-46
7-1 802.1 Configuration Menu Screen................................................................................... 7-2
7-2 Spanning Tree Configuration Menu Screen .................................................................... 7-5
7-3 Spanning Tree Configuration Screen .............................................................................. 7-7
7-4 Spanning Tree Port Configuration Screen .................................................................... 7-10
7-5 PVST Port Configuration Screen................................................................................... 7-13
8-1 802.1Q VLAN Screen Hierarchy ..................................................................................... 8-2
8-2 802.1Q VLAN Configuration Menu Screen ..................................................................... 8-4
8-3 Static VLAN Configuration Screen .................................................................................. 8-6
8-4 Static VLAN Egress Configuration Screen .................................................................... 8-11
8-5 Current VLAN Configuration Screen ............................................................................. 8-14
8-6 Current VLAN Egress Configuration Screen ................................................................. 8-16
8-7 VLAN Port Configuration Screen................................................................................... 8-18
8-8 VLAN Classification Configuration Screen .................................................................... 8-22
8-9 Protocol Port Configuration Screen............................................................................... 8-36
9-1 802.1p Configuration Menu Screen................................................................................. 9-2
9-2 Port Priority Configuration Screen................................................................................... 9-5
9-3 Traffic Class Information Screen ..................................................................................... 9-8
9-4 Traffic Class Configuration Screen................................................................................ 9-10
9-5 Transmit Queues Configuration Screen ........................................................................ 9-13
9-6 Priority Classification Configuration Screen .................................................................. 9-17
9-7 Datagram, Layer 2 and Layer 3 .....................................................................................9-29
9-8 Protocol Port Configuration Screen ...............................................................................9-33
9-9 Prioritizing Network Traffic According to Classification Rule .........................................9-35
9-10 Rate Limiting Configuration Screen ...............................................................................9-38
10-1 Layer 3 Extensions Menu Screen..................................................................................10-2
10-2 IGMP/VLAN Configuration Screen ................................................................................10-4
11-1 Module Statistics Menu Screen .....................................................................................11-3
11-2 Switch Statistics Screen ................................................................................................11-5
11-3 Interface Statistics Screen .............................................................................................11-7
11-4 RMON Statistics Screen..............................................................................................11-10
11-5 Chassis Environmental Statistics Configuration Screen..............................................11-14
12-1 Network Tools Help Screen ...........................................................................................12-2
12-2 Example, Dynamic Egress Application ........................................................................12-37
13-1 Example of a VLAN .......................................................................................................13-3
13-2 View from Inside the Switch...........................................................................................13-9
13-3 Switch Management with Only Default VLAN..............................................................13-12
13-4 Switch Management with VLANs.................................................................................13-13
13-5 802.1Q VLAN Screen Hierarchy..................................................................................13-15
13-6 Walkthrough Stage One, Static VLAN Configuration Screen ......................................13-17
13-7 Walkthrough Stage Two, Port 3 Egress Setting ..........................................................13-18
13-8 Walkthrough Stage Three, Port 10 Egress Setting......................................................13-19
13-9 Walkthrough Stage Four, VLAN Port Configuration ....................................................13-21
13-10 Example 1, Single Switch Operation ...........................................................................13-22
13-11 Switch Configured for VLANs ......................................................................................13-23
13-12 Example 2, VLANs Across Multiple Switches..............................................................13-25
13-13 Bridge 1 Broadcasts Frames .......................................................................................13-29
13-14 Transmitting to Switch 4 ..............................................................................................13-30
13-15 Transmitting to Bridge 4...............................................................................................13-31
13-16 Example 5, Filtering Traffic According to a Classification ............................................13-32
13-17 Example 6, Securing Traffic to One Subnet ................................................................13-33
13-18 Example 7, Dynamic Egress Application .....................................................................13-35
13-19 Locking Ports According to Classification Rule ...........................................................13-36
A-1 Example of VLAN Propagation via GVRP ...................................................................... A-2
Tables
Table Page
1-1 Event Messages ...........................................................................................................1-6
1-2 Keyboard Conventions ................................................................................................. 1-8
2-1 VT Terminal Setup........................................................................................................ 2-3
3-1 Main Menu Screen Menu Item Descriptions................................................................. 3-9
3-2 Module Selection Screen Field Descriptions .............................................................. 3-11
3-3 Module Menu Screen Menu Item Descriptions........................................................... 3-13
3-4 Authentication Terms and Abbreviations ....................................................................3-19
3-5 MAC / 802.1X Precedence States..............................................................................3-23
3-6 Security Menu Screen Menu Item Descriptions ......................................................... 3-27
3-7 Module Login Passwords Screen Field Descriptions ................................................. 3-30
3-8 Radius Configuration Screen Field Descriptions ........................................................ 3-32
3-9 Name Services Configuration Screen Field Descriptions ........................................... 3-36
3-10 System Authentication Configuration Screen Field Descriptions ...............................3-38
3-11 EAP Port Configuration Screen Field Descriptions .................................................... 3-40
3-12 EAP Statistics Menu Screen Descriptions .................................................................. 3-45
3-13 EAP Session Statistics Screen Field Descriptions .....................................................3-47
3-14 EAP Authenticator Statistics Screen Field Descriptions ............................................. 3-49
3-15 EAP Diagnostic Statistics Screen Field Descriptions .................................................3-52
3-16 MAC Port Configuration Screen Field Descriptions.................................................... 3-55
3-17 MAC Supplicant Configuration Screen Field Descriptions .........................................3-57
4-1 Chassis Menu Screen Menu Item Descriptions............................................................ 4-3
4-2 Chassis Configuration Screen Field Descriptions ........................................................ 4-5
4-3 SNMP Configuration Menu Screen Menu Item Descriptions...................................... 4-11
4-4 SNMP Community Names Configuration Screen Field Descriptions ......................... 4-13
4-5 SNMP Traps Configuration Screen Field Descriptions...............................................4-15
4-6 Chassis Environmental Information Screen Field Descriptions .................................. 4-17
4-7 Redirect Configuration Menu Screen Menu Item Descriptions................................... 4-19
4-8 Port Redirect Configuration Screen Field Descriptions .............................................. 4-20
4-9 VLAN Redirect Configuration Screen Field Descriptions ........................................... 4-24
5-1 Module Configuration Menu Screen Menu Item Descriptions ...................................... 5-3
5-2 General Configuration Screen Field Descriptions ........................................................ 5-5
5-3 COM Port Application Settings ................................................................................... 5-16
5-4 SNMP Configuration Menu Screen Menu Item Descriptions...................................... 5-19
5-5 SNMP Community Names Configuration Screen Field Descriptions ......................... 5-21
5-6 SNMP Traps Configuration Screen Field Descriptions...............................................5-24
5-7 Access Control List Screen Field Descriptions ........................................................... 5-27
5-8 System Resources Information Screen Field Descriptions ........................................ 5-31
5-9 Flash Download Configuration Screen Field Descriptions..........................................5-34
6-1 Port Configuration Menu Screen Menu Item Descriptions ...........................................6-3
6-2 Ethernet Interface Configuration Screen Field Descriptions ........................................6-5
6-3 Ethernet Port Configuration Screen Field Descriptions ................................................6-9
6-4 Redirect Configuration Menu Screen Field Menu Item Descriptions ..........................6-15
6-5 Port Redirect Configuration Screen Field Descriptions...............................................6-18
6-6 VLAN Redirect Configuration Screen Field Descriptions............................................6-22
6-7 802.3ad Main Menu Screen Menu Item Descriptions .................................................6-29
6-8 802.3ad Port Screen Field Descriptions .....................................................................6-30
6-9 802.3ad Port Details Screen Field Descriptions .........................................................6-32
6-10 802.3ad Port Statistics Screen Field Descriptions ......................................................6-38
6-11 802.3ad Aggregator Screen Field Descriptions ..........................................................6-41
6-12 802.3ad Aggregator Details Screen Field Descriptions ..............................................6-43
6-13 802.3ad System Screen Field Descriptions ................................................................6-45
6-14 Broadcast Suppression Configuration Screen Field Descriptions ..............................6-47
7-1 802.1 Configuration Menu Screen Menu Item Descriptions .........................................7-3
7-2 Spanning Tree Configuration Menu Screen Menu Item Descriptions ...........................7-5
7-3 Spanning Tree Configuration Screen Field Descriptions ..............................................7-7
7-4 Spanning Tree Port Configuration Screen Field Descriptions ....................................7-11
7-5 PVST Port Configuration Screen Field Descriptions...................................................7-13
8-1 802.1Q VLAN Configuration Menu Screen Menu Item Descriptions ............................8-4
8-2 Static VLAN Configuration Screen Field Descriptions ..................................................8-7
8-3 Static VLAN Egress Configuration Screen Field Descriptions ....................................8-11
8-4 Current VLAN Configuration Screen Field Descriptions .............................................8-15
8-5 Current VLAN Egress Configuration Screen Field Descriptions .................................8-17
8-6 VLAN Port Configuration Screen Field Descriptions...................................................8-19
8-7 VLAN Classification Configuration Screen Field Descriptions ....................................8-23
8-8 Classification List ........................................................................................................8-24
8-9 Classification Precedence...........................................................................................8-30
8-10 Protocol Port Configuration Screen Field Descriptions ...............................................8-36
9-1 802.1p Configuration Menu Screen Menu Item Descriptions .......................................9-3
9-2 Port Priority Configuration Screen Field Descriptions ...................................................9-6
9-3 Traffic Class Information Screen Field Descriptions .....................................................9-9
9-4 Traffic Class Configuration Screen Field Descriptions................................................9-11
9-5 Transmit Queues Configuration Screen Field Descriptions ........................................9-14
9-6 Priority Classification Configuration Screen Field Descriptions ..................................9-17
9-7 Classification List ........................................................................................................9-19
9-8 Classification Precedence...........................................................................................9-27
9-9 Protocol Port Configuration Screen Field Descriptions ...............................................9-33
9-10 Rate Limiting Configuration Screen Field Descriptions...............................................9-38
10-1 Layer 3 Extensions Menu Screen Menu Item Descriptions ........................................10-3
10-2 IGMP/VLAN Configuration Screen Field Descriptions ................................................10-5
11-1 Module Statistics Menu Screen Menu Item Descriptions ........................................... 11-3
11-2 Switch Statistics Screen Field Descriptions................................................................ 11-5
11-3 Interface Statistics Screen Field Descriptions ............................................................ 11-7
11-4 RMON Statistics Screen Field Descriptions ............................................................ 11-11
11-5 Chassis Environmental Statistics Configuration Screen Field Descriptions .............11-15
12-1 Built-in Commands ..................................................................................................... 12-3
12-2 Path Cost Parameter Values .................................................................................... 12-31
13-1 VLAN Terms and Definitions ...................................................................................... 13-5
About This Guide
Welcome to the Enterasys Networks Matrix E7 Series and SmartSwitch 6000 Series Modules (6H2xx, 6E2xx, 6H3xx and 6G3xx) Local Management User’s Guide. This manual explains how to access and use the Local Management screens to monitor and manage the switch modules, the attached segments, and the SmartSwitch 6C105 or Matrix E7 6C107 chassis.
When a mix of 6H2xx, 6E2xx, 6H3xx, and 6G3xx modules is installed in the 6C107 chassis, you must follow the module installation rules provided in the Matrix E7 Chassis Overview and Setup Guide for proper operation.
Important Notices
Depending on the firmware version used in the switch module, some features described in this document may not be supported. Refer to the Release Notes shipped with the switch module to determine which features are supported.
There are restrictions on the version of firmware required for 6H302-48 modules with a serial number starting with 3655xxxxxx. The serial number is visible on the top ejector tab of the switch, or by querying the PIC MIB. For firmware in the 5.x track, version 5.03.05 or higher must be used on 6H302-48 modules with a serial number starting with 3655. For the 4.x firmware track, 4.08.41 or higher must be used on 6H302-48 modules with a serial number starting with 3655.
USING THIS GUIDE
A general working knowledge of basic network operations and an understanding of management applications is helpful prior to using Enterasys Networks Local Management.
This manual describes how to do the following:
Access the Local Management application
Identify and operate the types of fields used by Local Management
Navigate through Local Management fields and menus
Use Local Management screens to perform management operations
Establish and manage Virtual Local Area Networks (VLANs)
STRUCTURE OF THIS GUIDE
The guide is organized as follows:
Chapter 1, Introduction, provides an overview of the tasks that may be accomplished using Local Management (LM), and an introduction to LM screen navigation, in-band and out-of-band network management, screen elements, and LM keyboard conventions.
Chapter 2, Local Management Requirements, provides the setup requirements for accessing Local Management, the instructions to configure and connect a management terminal to the SmartSwitch, and the instructions for connecting the SmartSwitch to an Uninterruptible Power Supply (UPS) to monitor the UPS power status.
Chapter 3, Accessing Local Management, describes how to use the Main Menu screen to select either the Chassis Menu screen or the Module Selection screen. The Chassis Menu screen is the access point to the set of Local Management screens for the chassis. The Module Selection screen is used to select the module to be configured and its Module Menu screen. The Module Menu screen is the access point to the set of Local Management screens for the selected module and the Module Login Password screen. The Security screens are also described in this chapter.
Chapter 4, Chassis Menu Screens, describes the Chassis Menu screen and the screens that can be selected to configure chassis operation. These screens are used to configure the operating parameters for the chassis, assign community names, set SNMP traps, and obtain the operating status of the chassis power supplies, power supply redundancy, and chassis fan tray. The Chassis Menu screen also provides access to screens to configure the port redirect and VLAN redirect functions.
NOTE: If you are installing modules into a seven-slot 6C107 chassis, there are installation rules that must be followed to install 6H202, 6H203, 6H253, 6H258, 6H259, 6H262, 6E233, and 6E253 modules along with 6H3xx and 6G3xx modules in the same chassis. Otherwise, the system will not operate properly.
Chapter 5, Module Configuration Menu Screens, describes the Module Configuration Menu screen and the screens that can be selected from it. These screens are used to control access to the switch module by assigning community names, configure the switch module to send SNMP trap messages to multiple network management stations, limit access according to an Access Control List (ACL) for additional security, access system resource information, download a new firmware image to the switch module, provide access to menu screens to configure ports, and configure the switch module for 802.1, 802.1Q VLAN, and layer 3 operations.
Chapter 6, Port Configuration Menu Screens, describes how to use the screens to configure the ports for various operations, such as Ethernet Interface, HSIM/VHSIM, port and VLAN redirect, SmartTrunk, and broadcast suppression configuration.
Chapter 7, 802.1 Configuration Menu Screens, describes how to access the Spanning Tree Configuration Menu, 802.1Q VLAN Configuration Menu, and 802.1p Configuration Menu screens. This chapter also introduces and describes how to use the Spanning Tree screens to create a separate Spanning Tree topology for each VLAN configured in the module.
Chapter 8, 802.1Q VLAN Configuration Menu Screens, describes how to use the screens to create static VLANs, select the mode of operation for each port, filter frames according to VLAN, establish VLAN forwarding (Egress) lists, route frames according to VLAN ID, display the current ports and port types associated with a VLAN and protocol, and configure ports on the switch as GVRP-aware ports. VLAN classification and classification rules are also discussed.
Chapter 9, 802.1p Configuration Menu Screens, describes how to use the screens to set the transmit priority of each port, display the current traffic class-to-priority mapping of each port, set ports to either transmit frames according to selected priority transmit queues or a percentage of port transmission capacity for each queue, assign transmit priorities according to protocol types, and configure a rate limit for a given port and list of priorities.
Chapter 10, Layer 3 Extensions Menu Screens, introduces and describes how to enable or disable IGMP (Internet Group Management Protocol, RFC 2236) on selected VLANs, or globally on all VLANs that are available.
Chapter 11, Module Statistics Menu Screens, introduces and describes how to use the statistics screens to gather statistics about the switch, interfaces, RMON, and HSIM/VHSIM and, if the device is a repeater, repeater statistics.
Chapter 12, Network Tools Screens, describes how to access and use the Network Tools screens. This chapter also includes examples for each command.
Chapter 13, VLAN Operation and Network Applications, introduces VLANs, describes how they operate, and how to configure them using the Local Management screens described in Chapter 8. Examples are also provided to show how VLANs are configured to solve a problem and how the VLAN frames travel through the network.
Appendix A, Generic Attribute Registration Protocol (GARP), describes the switch operation when its ports are configured to operate under the Generic Attribute Registration Protocol (GARP) application, the GARP VLAN Registration Protocol (GVRP).
NOTE: There is a global setting for GVRP that is enabled by default. However, this setting is only accessible through a Management Information Base (MIB).
Appendix B, About IGMP, introduces the Internet Group Management Protocol (IGMP), its features and functions, and describes how it detects multicast routers.
RELATED DOCUMENTS
The following Enterasys Networks documents may help to set up, control, and manage the switch module:
6C105 SmartSwitch 6000 Overview and Setup Guide
Matrix E7 Chassis Overview and Setup Guide
SmartTrunk User’s Guide
WAN Series Local Management User’s Guide
Documents associated with the optional HSIM and VHSIM interface modules, the module installation user’s guides, and the manuals listed above can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site:
http://www.enterasys.com
DOCUMENT CONVENTIONS
The guide uses the following conventions:
NOTE: Calls the reader’s attention to any item of information that may be of special importance.
TIP: Conveys helpful hints concerning procedures or actions.
CAUTION: Contains information essential to avoid damage to the equipment.
TYPOGRAPHICAL AND KEYSTROKE CONVENTIONS
bold type Bold type can denote either a user input or a highlighted screen selection.
RETURN Indicates either the ENTER or RETURN key, depending on your keyboard.
ESC Indicates the keyboard Escape key.
SPACE bar Indicates the keyboard space bar key.
BACKSPACE Indicates the keyboard backspace key.
arrow keys Refers to the four keyboard arrow keys.
[-] Indicates the keyboard – key.
DEL Indicates the keyboard delete key.
italic type Italic type indicates complete document titles.
n.nn A period in numerals signals the decimal point indicator (e.g., 1.75 equals one and three fourths). Or, periods used in numerals signal the decimal point in Dotted Decimal Notation (DDN) (e.g., 000.000.000.000 in an IP address).
x A lowercase italic x indicates the generic use of a letter (e.g., xxx indicates any combination of three alphabetic characters).
n A lowercase italic n indicates the generic use of a number (e.g., 19nn indicates a four-digit number in which the last two digits are unknown).
[ ] In the Local Management screens, the square brackets indicate that a value may be selected. In the format descriptions in the Network Tools section, required arguments are enclosed in square brackets, [ ].
< > In the format descriptions in the Network Tools section, optional arguments are enclosed in angle brackets, < >.
1
Introduction
This chapter provides an overview of the tasks that may be accomplished using Local Management (LM), and an introduction to LM screen navigation, in-band and out-of-band network management, screen elements, and LM keyboard conventions.
Important Notices
Depending on the firmware version used in the switch module, some features described in this document may not be supported. Refer to the Release Notes shipped with the switch module to determine which features are supported.
There are restrictions on the version of firmware required for 6H302-48 modules with a serial number starting with 3655xxxxxx. The serial number is visible on the top ejector tab of the switch, or by querying the PIC MIB. For firmware in the 5.x track, version 5.03.05 or higher must be used on 6H302-48 modules with a serial number starting with 3655. For the 4.x firmware track, 4.08.41 or higher must be used on 6H302-48 modules with a serial number starting with 3655.
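The rule in the notice above is easy to get wrong across a chassis inventory (two firmware tracks, each with its own floor, and only one serial prefix affected). The following is an added example, not code from the Enterasys guide, that encodes the rule as a check a practitioner can run over an inventory export. The module, serial and firmware records in it are constructed sample data, and the treatment of firmware tracks other than 4.x and 5.x (which the notice does not cover) is an assumption made here: they are reported for manual review rather than passed.

```python
"""Firmware floor check for 6H302-48 modules with serial numbers 3655xxxxxx.

Added example (not from the Enterasys guide). Rule from the Important Notices:
a 6H302-48 whose serial number starts with 3655 needs 5.03.05 or higher on the
5.x track, or 4.08.41 or higher on the 4.x track.
"""

MODULE = "6H302-48"
SERIAL_PREFIX = "3655"
# Minimum version per firmware track (major -> (major, minor, patch)).
MIN_BY_TRACK = {5: (5, 3, 5), 4: (4, 8, 41)}


def parse_version(text):
    """'5.03.05' -> (5, 3, 5). Raises ValueError on malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad firmware version {text!r}")
    return tuple(int(p) for p in parts)


def firmware_ok(module, serial, firmware):
    """Return (ok, reason) for one module record.

    Modules that are not a 6H302-48 with a 3655 serial prefix are not covered
    by the rule and pass with reason 'not affected'. Tracks other than 4.x and
    5.x are not covered by the guide (assumption: report them as not ok so
    they get a manual look).
    """
    if module != MODULE or not serial.startswith(SERIAL_PREFIX):
        return True, "not affected"
    version = parse_version(firmware)
    floor = MIN_BY_TRACK.get(version[0])
    if floor is None:
        return False, f"unknown track {version[0]}.x"
    if version >= floor:           # tuple comparison: major, then minor, then patch
        return True, "meets minimum"
    return False, "below minimum %d.%02d.%02d" % floor


# Constructed sample inventory: (module type, serial number, firmware revision)
INVENTORY = [
    ("6H302-48", "3655000123", "5.03.05"),   # exactly at the 5.x floor
    ("6H302-48", "3655000124", "5.02.11"),   # below the 5.x floor
    ("6H302-48", "3655000125", "4.08.41"),   # exactly at the 4.x floor
    ("6H302-48", "3655000126", "4.08.40"),   # below the 4.x floor
    ("6H302-48", "3601000001", "4.00.01"),   # other serial prefix: not affected
    ("6H258-17", "3655000200", "4.00.01"),   # other module type: not affected
]


def audit(inventory):
    """Return the records that fail the check, each with its reason."""
    failures = []
    for module, serial, fw in inventory:
        ok, reason = firmware_ok(module, serial, fw)
        if not ok:
            failures.append((module, serial, fw, reason))
    return failures


if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("FAIL", *row)
```

Version strings are compared as integer tuples rather than as text, so "4.08.41" correctly sorts above "4.08.9" and a malformed entry raises instead of silently passing.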
1.1 OVERVIEW
Enterasys Networks Local Management is a management tool that allows a network manager to perform the following tasks:
Assign IP address and subnet mask.
Select a default gateway.
Assign a login password to the module for additional security.
Download a new firmware image.
Upload or download a configuration file to or from a TFTP server.
Designate which Network Management Workstations will receive SNMP traps from the switch.
Designate which Network Management Workstations are allowed to access the switch module.
View switch, interface, and RMON statistics.
Assign ports to operate in the standard or full duplex mode.
Configure ports to perform load sharing using SmartTrunking. Refer to the SmartTrunk User’s Guide for details.
Control the number of receive broadcasts that are switched to the other interfaces.
Set flow control on a port-by-port basis.
Configure ports to prioritize incoming frames at Layer 2, Layer 3, and Layer 4.
Clear NVRAM.
Set 802.1Q VLAN memberships and port configurations.
Redirect frames according to port or VLAN and transmit them on a preselected destination port.
Create a separate Spanning Tree topology for each VLAN configured in the switch module.
Transmit frames on preselected destination ports according to protocol and priority or protocol and VLAN.
Configure the switch to operate as a Generic Attribute Registration Protocol (GARP) module to dynamically create VLANs across a switched network.
Configure the module to control the rate of network traffic entering and leaving the switch on a per port/priority basis.
Configure an optional HSIM or VHSIM installed in the device.
Configure the module to dynamically switch frames according to a characteristic rule and VLAN.
Configure ports on the switch module as Virtual Router Redundancy Protocol (VRRP) ports.
Provide additional security and policy administration capabilities via Port-based Web Authentication (PWA) by configuring pertinent variables within the LM screen.
Configure multiple ports to act in an 802.3ad trunk group.
Configure and manage the use of 802.1w, a standards-based method to rapidly fail over links to reduce downtime on a network.
Provide additional security by configuring a physical port to lock on an attached device according to a Classification rule so no other device can be connected to that port and used.
There are three ways to access Local Management:
Locally using a VT type terminal connected to the COM port.
Remotely using a VT type terminal connected through a modem.
In-band through a Telnet connection.
1.1.1 The Management Agent
The management agent is an entity within the switch module that collects statistical information (e.g., frames received, errors detected) about the operational performance of the managed network. Local Management communicates with the management agent for the purpose of viewing statistics or issuing management commands. Local Management provides a wide range of screens used to monitor and configure the switch module.
1.1.2 In-Band vs. Out-of-Band
Network management systems are often classified as either in-band or out-of-band. In-band network management passes data along the same medium (cables, frequencies) used by all other stations on the network.
Out-of-band network management passes data along a medium that is entirely separate from the common data carrier of the network, for example, a cable connection between a terminal and a switch module COM port. Enterasys Networks Local Management accessed through the COM port is an out-of-band network management system; the same Local Management screens reached over a Telnet connection (Section 2.2) travel in-band with the rest of the network traffic.
An out-of-band connection to the management agent does not depend on the LAN. This type of connection allows you to communicate with a network module even when that module is unable to communicate through the network, for example, at the time of installation.
1.2 NAVIGATING LOCAL MANAGEMENT SCREENS
To navigate within a Local Management screen, use the arrow keys of the terminal or the workstation providing terminal emulation services. The Local Management screen cursor responds to the LEFT, RIGHT, UP, and DOWN arrow keys. Each time you press an arrow key, the Local Management screen cursor moves to the next available field in the direction of the arrow key.
The Local Management screen cursor only moves to fields that can be selected or used for input. This means that the cursor jumps over display fields and empty lines on the Local Management screen.
The Local Management screen cursor provides wrap-around operation. This means that a cursor located at the edge of a screen, when moved in the direction of that edge, “wraps around” to the outermost selectable item on the opposite side of the screen which is on the same line or column.
1.3 LOCAL MANAGEMENT REQUIREMENTS
The switch module provides one communication port, labeled COM, which supports a management terminal connection. To access Local Management, connect one of the following systems to the COM port:
Digital Equipment Corporation VT series terminal.
VT type terminal running emulation programs for the Digital Equipment Corporation VT series.
IBM or compatible PC running a VT series emulation software package.
You can also access Local Management using a Telnet connection through one of the network ports of the switch module.
NOTE: For details on how to connect a console to the switch module, the setup parameters for the console, or how to make a telnet connection, refer to Chapter 2.
1.4 LOCAL MANAGEMENT SCREEN ELEMENTS
There are six types of screens used in Local Management: password, menu, statistics, configuration, status, and warning screens. Each type of screen can consist of one to five basic elements, or fields. Figure 1-1 shows an example of the fields in a screen. A description of each field follows the figure.
Figure 1-1 Example of a Local Management Screen
(Screen reproduced as text. The callouts in the original figure label the Heading, the Event Message Line, the Module Type and Slot Number fields, the Display Fields, the Input Fields, the Selection Field, and the Command Fields.)

XXXX-XX LOCAL MANAGEMENT                                   <- Heading
<event message line>                                       <- Event Message Line
Module Type: XXXX-XX    Slot Number: X                     <- Module Type & Slot Number
General Configuration
MAC Address:              00-00-ID-00-00-00                <- display field
IP Address:               0.0.0.0                          <- input field
Subnet Mask:              255.255.0.0                      <- input field
Default Gateway:          NONE DEFINED                     <- input field
TFTP Gateway IP Addr:     0.0.0.0                          <- input field
Firmware Revision: XX.XX.XX   BOOTPROM Revision: XX.XX.XX  <- display fields
Device Date:              10/11/97
Device Time:              14:23:00
Screen Refresh Time:      30 sec.
Screen Lockout Time:      15 min.
Device Uptime             XX D XX H XX M                   <- display field
Operational Mode:         [802.1Q SWITCHING]               <- selection field
Clear NVRAM               [NO]
IP Fragmentation          [ENABLED]
SAVE          EXIT          RETURN                         <- command fields

Note: Most screen graphics in this document cut away the top portion of the screen (the area above the cut line shown in this figure) to avoid repeating the same information in each graphic. The screen title is contained in its figure title.
Event Message Field
This field briefly displays messages that indicate if a Local Management procedure was executed correctly or incorrectly, that changes were saved or not saved to Non-Volatile Random Access Memory (NVRAM), or that a user did not have access privileges to an application.
Table 1-1 describes the most common event messages. Event messages related to specific Local Management applications are described with those applications throughout this manual.
Table 1-1 Event Messages
Message: SAVED OK
What it Means: One or more fields were modified, and saved to NVRAM.
Message: NOT SAVED--PRESS SAVE TO KEEP CHANGES
What it Means: Attempting to exit the LM screen after one or more fields were modified, but not saved to NVRAM.
Message: NOTHING TO SAVE
What it Means: The SAVE command was executed, but nothing was saved to NVRAM because there were no configuration changes since the data was last saved.
Heading Field
Indicates whether the module was accessed using the chassis or module IP address. If the chassis IP address is used to access the module, the heading will be the chassis name, e.g., 6C105. If the module IP address is used to access the module, the module name will be in the heading, the same as listed next to Module Type, e.g., 6H258-17.
Module Type and Slot Number Fields
Display only when a module is being accessed through Local Management. The module type is displayed and the chassis slot number of the module is displayed. A chassis screen will not display these fields.
Display Fields
Display fields cannot be edited. These fields may display information that never changes, or information that may change as a result of Local Management operations, user selections, or network monitoring information. In the screens shown in this guide, the characters in the display fields are in plain type (not bold). In the field description, the field is identified as being “read-only”.
Input Fields
Input Fields require the entry of keyboard characters. IP addresses, subnet mask, default gateway and module time are examples of input fields. In the screens shown in this guide, the characters in the input fields are in bold type. In the field description, the field is identified as being “modifiable”.
Selection Fields
Selection fields provide a series of possible values. Only applicable values appear in a selection field. In the screens shown in this guide, the selections display within brackets and are in bold type. In the field description, the field is identified as being either “selectable” when there are more than two possible values, or “toggle” when there are only two possible values.
Command Fields
Command fields are located at the bottom of Local Management screens. Command fields are used to exit Local Management screens, save Local Management entries, or navigate to another display of the same screen. In the screens shown in this guide, the characters in this field are all upper case and in bold type. In the field description, the field is identified as being a “command” field.
1.5 LOCAL MANAGEMENT KEYBOARD CONVENTIONS
All key names appear as capital letters in this manual. Table 1-2 explains the keyboard conventions and the key functions that are used.
Table 1-2 Keyboard Conventions
Key: ENTER Key, RETURN Key
Function: Used to enter data or commands. These keys perform the same Local Management function. For example, “Press ENTER” means that you can press either ENTER or RETURN, unless this manual specifically instructs you otherwise.
Key: ESCAPE (ESC) Key
Function: Used to “escape” from a Local Management screen without saving changes. For example, “Press ESC twice” means the ESC key must be pressed quickly two times.
Key: SPACE Bar, BACKSPACE Key
Function: Used to cycle through selections in some Local Management fields. Use the SPACE bar to cycle forward through selections and use the BACKSPACE key to cycle backward through selections.
Key: Arrow Keys (UP-ARROW, DOWN-ARROW, LEFT-ARROW, RIGHT-ARROW)
Function: Used to move the screen cursor. For example, “Use the arrow keys” means to press whichever arrow key moves the cursor to the desired field on the Local Management screen.
Key: DEL Key
Function: Used to remove characters from a Local Management field. For example, “Press DEL” means to press the Delete key.
1.6 GETTING HELP
For additional support related to the module or this document, contact Enterasys Networks using one of the following methods:
World Wide Web: http://www.enterasys.com/
Phone: (603) 332-9400
Internet mail: support@enterasys.com
FTP: ftp://ftp.enterasys.com (Login: anonymous; Password: your email address)
To send comments or suggestions concerning this document, contact the Technical Writing Department via the following email address: TechWriting@enterasys.com
Make sure to include the document Part Number in the email message.
Before contacting Enterasys Networks, have the following information ready:
Your Enterasys Networks service contract number
A description of the failure
A description of any action(s) already taken to resolve the problem (e.g., changing mode switches, rebooting the unit, etc.)
The serial and revision numbers of all involved Enterasys Networks products in the network
A description of your network environment (layout, cable type, etc.)
Network load and frame size at the time of trouble (if known)
The device history (i.e., have you returned the device before, is this a recurring problem, etc.)
Any previous Return Material Authorization (RMA) numbers
2
Local Management Requirements
This chapter provides the following information:
Management Terminal Setup (Section 2.1), which describes how to attach a Local Management terminal to the switch module.
NOTE: When the 6C105 chassis is set to operate in the distributed mode, you can connect the terminal to the COM port of any module in the chassis to access Local Management of any module, unless the module is set to operate in the standalone mode. In this case you must connect the terminal to the COM port of that module to access its Local Management screens.
Telnet Connections (Section 2.2), which provides guidelines when using a Telnet connection to access Local Management.
Monitoring an Uninterruptible Power Supply (Section 2.3), which describes how to make a connection from the COM port to an American Power Conversion (APC) Uninterruptible Power Supply (UPS) device. This type of connection enables the switch module to monitor the power status in case of a power loss.
2.1 MANAGEMENT TERMINAL SETUP
Use one of the following systems to access Local Management:
An IBM PC or compatible device running a VT series emulation software package
A Digital Equipment Corporation VT100 type terminal
A VT type terminal running emulation programs for the Digital Equipment Corporation VT100 series
A remote VT100 type terminal via a modem connection
In-band via a Telnet connection
2.1.1 Console Cable Connection
Use the Console Cable Kit provided with the chassis to attach the management terminal to the switch module COM port as shown in Figure 2-1.
To connect the switch module to a PC or compatible device running the VT terminal emulation, proceed as follows:
1. Connect the RJ45 connector at one end of the cable (supplied in the kit) to the COM port on the switch module.
2. Plug the RJ45 connector at the other end of the cable into the RJ45-to-DB9 adapter (supplied in the kit).
3. Connect the RJ45-to-DB9 adapter to the PC communications port.
NOTE: If using a modem between the VT compatible device and the COM port of the switch module, use the appropriate connector included in the console cable kit. Refer to the modem manufacturer’s information for proper operation and setup of the modem.
As an example, Figure 2-1 shows the COM port connection to a 6H252-17 in a 6C105 chassis.
Figure 2-1 Management Terminal Connection
(Figure not reproduced. It shows a 6H252-17 in a 6C105 chassis: the RJ45 COM port on the module front panel, a UTP cable with RJ45 connectors running from the COM port to the RJ45-to-DB9 PC adapter, and the adapter plugged into the PC.)
2.1.2 Management Terminal Setup Parameters
Table 2-1 lists the setup parameters for the local management terminal.
Table 2-1 VT Terminal Setup
Display Setup Menu
  Columns -> 80 Columns
  Controls -> Interpret Controls
  Auto Wrap -> No Auto Wrap
  Scroll -> Jump Scroll
  Text Cursor -> Cursor
  Cursor Style -> Underline Cursor Style
General Setup Menu
  Mode -> VT100, 7 Bit Controls
  ID number -> VT100ID
  Cursor Keys -> Normal Cursor Keys
  Power Supply -> UPSS DEC Supplemental
Communications Setup Menu
  Transmit -> 2400, 4800, 9600, 19200
  Receive -> Receive=Transmit
  XOFF -> XOFF at 64
  Bits -> 8 bits
  Parity -> No Parity
  Stop Bit -> 1 Stop Bit
  Local Echo -> No Local Echo
  Port -> DEC-423, Data Leads Only
  Transmit -> Limited Transmit
  Auto Answerback -> No Auto Answerback
Keyboard Setup Menu
  Keys -> Typewriter Keys
  Auto Repeat -> any option
  Keyclick -> any option
  Margin Bell -> Margin Bell
  Warning Bell -> Warning Bell
2.2 TELNET CONNECTIONS
Once the switch module has a valid IP address, the user can establish a Telnet session from any TCP/IP based node on the network. Telnet connections to the switch module require the community name passwords assigned in the SNMP Community Names Configuration screen. Telnet carries the password and the entire session in cleartext, so anyone able to capture traffic on the path can read them: restrict which management workstations may reach the module (Section 1.1 lists this among the Local Management tasks) and change the default passwords before the module is reachable in-band.
For information about setting the IP address, refer to Section 5.2.
For information about assigning community names, refer to Section 5.4.
Refer to the instructions included with the Telnet application for information about establishing a Telnet session.
If the switch module is operating in the 802.1Q mode with configured VLANs, the management station must be connected to a physical port on the device that is on the same VLAN as the virtual Host Data Port. For more information about the virtual Host Data Port and the setup information for remote management in a device that is to be configured with VLANs, refer to Section 13.8.
2.3 MONITORING AN UNINTERRUPTIBLE POWER SUPPLY
If the switch module is connected to an American Power Conversion (APC) Uninterruptible Power Supply (UPS) device for protection against the loss of power, a connection from the switch module COM port to the UPS can be made to monitor the UPS power status. To use the COM port for this purpose, it must be reconfigured to support the UPS connection using the procedure described in Section 5.2.10. Refer to the UPS documentation for details on how to access the status information.
The Console Cable Kit provided with the switch module is used to connect the UPS to the switch module COM port as shown in Figure 2-2. To connect the UPS device to the COM port, proceed as follows:
1. Connect the RJ45 connector at one end of the cable to the COM port on the switch module.
2. Plug the RJ45 connector at the other end of the cable into the RJ45-to-DB9 male (UPS) adapter (Enterasys Networks part number, 9372066).
3. Connect the RJ45-to-DB9 male (UPS) adapter to the female DB9 port on the rear of the UPS device (refer to the particular UPS device’s user instructions for more specific information about the monitoring connection).
Figure 2-2 Uninterruptible Power Supply (UPS) Connection
(Figure not reproduced. It shows the COM port of a 6H252-17 connected by a UTP cable with RJ45 connectors to the RJ45-to-DB9 UPS adapter, which plugs into the DB9 port on the UPS device.)
3
Accessing Local Management
This chapter provides information about the following:
Navigating through the Local Management screen hierarchy for 802.1Q Switching (Section 3.1).
Accessing the Password screen to enter a Local Management session (Section 3.2).
Accessing the Main Menu screen and its menu items to gain access to the Local Management screens for the 6C105 or 6C107 chassis and the modules installed in the chassis (Section 3.3).
Accessing the Module Menu screen and its menu items to gain access to the Module Configuration screens (described in Chapter 5, Chapter 6, Chapter 7, and Chapter 10), Module Statistics screens (described in Chapter 11), Network Tools commands (described in Chapter 12), and the Security screens, which are described in this chapter starting with the Module Menu screen described in Section 3.5.
An overview of the Security Methods that can be configured on this module is described starting with Section 3.6.
3.1 NAVIGATING LOCAL MANAGEMENT SCREENS
The switch module Local Management application consists of a series of menu screens. Navigate through Local Management by selecting items from the menu screens.
The hierarchy of the Local Management screens is shown in Figure 3-1, Figure 3-2, and Figure 3-3.
NOTE: At the beginning of each chapter, a section entitled “Screen Navigation Path” shows the path to the first screen described in the chapter.
Figure 3-1 802.1Q Switching Mode, Chassis, LM Screen Hierarchy (Page 1 of 3)
(Figure not reproduced; the screens it shows are listed below under their parent menus. The shaded area, which the 6C107 chassis does not support, is the Chassis Menu and the screens beneath it. Point A continues in Figure 3-2.)

Password
  Main Menu
    Module Selection (A)
    Chassis Menu
      Chassis Configuration Menu
      SNMP Configuration Menu
        SNMP Community Names Configuration
        SNMP Traps Configuration
      Chassis Environmental Information
      Redirect Configuration Menu
        Port Redirect Configuration
        VLAN Redirect Configuration
NOTES: The 6C107 chassis does not support the screens in the shaded area shown in Figure 3-1, so the screen selection starts with the Password screen and skips to the Module Selection screen.
If an additional Fast Ethernet or Gigabit Ethernet HSIM or VHSIM is installed in a switch, an additional statistics screen selection (not shown in Figure 3-2) may display in the Module Statistics Menu screen. This is dependent on the HSIM or VHSIM installed. For more information, refer to Chapter 11.
Figure 3-2 802.1Q Switching Mode, Module, LM Screen Hierarchy (Page 2 of 3)
(Figure not reproduced; the screens it shows are listed below under their parent menus, continuing from point A in Figure 3-1. Point B continues in Figure 3-3.)

Module Menu
  Module Configuration Menu
    General Configuration
    SNMP Configuration Menu
      SNMP Community Names Configuration
      SNMP Traps Configuration
      Access Control List
    System Resources Information
    Flash Download Configuration
    Port Configuration Menu
      Ethernet Interface Configuration
      Ethernet Port Configuration
      HSIM/VHSIM Configuration
      Redirect Configuration Menu
        Port Redirect Configuration
        VLAN Redirect Configuration
      SmartTrunk Configuration* or Link Aggregation Menu
        802.3ad Port
          802.3ad Port Details
          802.3ad Port Statistics
        802.3ad Aggregator
          802.3ad Aggregator Details
        802.3ad System
      Protocol Port Configuration
      Broadcast Suppression Configuration
    802.1 Configuration Menu
      Spanning Tree Configuration Menu
        Spanning Tree Configuration
        Spanning Tree Port Configuration
        PVST Port Configuration
      802.1Q VLAN Configuration Menu
        Static VLAN Configuration
        Static VLAN Egress Configuration
        Current VLAN Configuration
        Current VLAN Egress Configuration
        VLAN Port Configuration
        VLAN Classification Configuration
        Protocol Port Configuration
      802.1p Configuration Menu
        Port Priority Configuration
        Traffic Class Information
        Traffic Class Configuration
        Transmit Queues Configuration
        Priority Classification Configuration
        Rate Limiting
    Layer 3 Extensions Menu
      IGMP/VLAN Configuration
    Chassis Environment Statistics Configuration
  Module Statistics Menu
    Switch Statistics
    Interface Statistics
    RMON Statistics
  Network Tools
  Security (B)
    Passwords
    Radius Configuration
    Name Services Configuration
    System Authentication Configuration
    EAP Configuration
    EAP Statistics Menu
      EAP Session Statistics
      EAP Authentication Statistics

* Refer to the SmartTrunk User’s Guide for the screen hierarchy.

Figure 3-3 802.1Q Switching Mode, Chassis, LM Screen Hierarchy (Page 3 of 3)
(Figure not reproduced; the screens it shows are listed below, continuing from point B in Figure 3-2.)

Security
  Passwords
  Radius Configuration
  Name Services Configuration
  System Authentication Configuration
  EAP Configuration
  EAP Statistics Menu
    EAP Session Statistics
    EAP Authenticator Statistics
    EAP Diagnostic Statistics
  MAC Port Configuration
  MAC Supplicant Configuration
3.1.1 Selecting Local Management Menu Screen Items
Select items on a menu screen by performing the following steps:
1. Use the arrow keys to highlight a menu item.
2. Press ENTER. The selected menu item displays on the screen.
3.1.2 Exiting Local Management Screens
There are two ways to exit the Local Management (LM) screens.
Using the Exit Command
To exit LM using the EXIT screen command, proceed as follows:
1. Use the arrow keys to highlight the EXIT command at the bottom of the Local Management screen.
2. Press ENTER. The Local Management Password screen displays and the session ends.
Using the RETURN Command
To exit LM using the RETURN command, proceed as follows:
1. Use the arrow keys to highlight the RETURN command at the bottom of the Local Management screen.
2. Press ENTER. The previous screen in the Local Management hierarchy displays.
NOTE: The user can also exit Local Management screens by pressing ESC twice. This exit method does not warn about unsaved changes and all unsaved changes are lost.
3. Exit from Local Management by repeating steps 1 and 2 until the Device Menu screen displays.
4. To end the LM session, use the arrow keys to highlight the RETURN command at the bottom of the Device Menu screen.
5. Press ENTER. The Local Management Password screen displays and the session ends.
3.1.3 Using the NEXT and PREVIOUS Commands
If a particular Local Management screen has more than one screen to display its information, the NEXT and PREVIOUS commands are used to navigate between its screens.
To go to the next or previous display of a screen, proceed as follows:
1. Highlight the applicable NEXT or PREVIOUS command at the bottom of the screen.
2. Press ENTER. The screen displays.
3.1.4 Using the CLEAR COUNTERS Command
The CLEAR COUNTERS command is used to temporarily reset all counters of a screen to zero to allow you to observe counter activity over a period of time. To reset the counters, perform the following steps:
1. Use the arrow keys to highlight the CLEAR COUNTERS command.
2. Press ENTER, the counters are reset to zero.
3.2 PASSWORD SCREEN
When to Use
To start a Local Management session, which is controlled through the Local Management Password screen. Whenever a connection is made to the switch module the Local Management Password screen displays. Before continuing, you must enter a password, which is compared to the previously stored passwords and associated management level access policy configured using the Security screen described in Section 3.7. The level of access allowed the user depends on the password. To set or change passwords, refer to Section 5.4.
The level of management access is dependent on the Password and the associated Access Policy configured in the Password Configuration screen described in Section 4.4.
NOTE: You can set the same string as a Security password and SNMP Community Name. This will allow you to access and manage the switch whether you are starting a Local Management session via a Telnet connection or local COM port connection, or using a network SNMP management application.
If you utilize a string for the security password and a different one for the SNMP Community Name, the two cannot be used interchangeably to access the switch module. The access levels can also be configured to be different.
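The note above, and the Telnet requirement in Section 2.2, both turn on one string serving as a Local Management password and as an SNMP community name. The following added example (not code from the guide or from Enterasys) shows what that sharing costs: the community name travels unencrypted in every SNMPv1 and SNMPv2c message, so a passive capture on the management path yields the password. It decodes the version, community and PDU type from a raw SNMP message with a minimal BER reader and flags the packet when the community matches a known Local Management password. The sample packet is constructed by hand (a GetRequest for sysName.0 with community "public"); the list of Local Management passwords to compare against is an assumed input.

```python
"""Recover the cleartext community string from a raw SNMPv1/v2c message.

Added example, not from the Enterasys guide. The sample packet below is
constructed by hand. SNMPv3 messages carry no community field; they are
reported as such rather than parsed further.
"""

PDU_NAMES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

# Constructed sample: SNMPv1 GetRequest, community "public", OID 1.3.6.1.2.1.1.5.0
SAMPLE_V1_GET = bytes.fromhex(
    "3029"                  # SEQUENCE, 41 bytes of content follow
    "020100"                # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"      # OCTET STRING "public"  <- sent in the clear
    "a01c"                  # GetRequest-PDU, 28 bytes
    "020401020304"          # request-id
    "020100"                # error-status
    "020100"                # error-index
    "300e300c"              # VarBindList / VarBind
    "06082b06010201010500"  # OID sysName.0
    "0500"                  # NULL value
)


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return (version, community, pdu_name) for an SNMP message.

    community and pdu_name are None for SNMPv3. Raises ValueError when the
    outer structure is not the SNMP Message SEQUENCE.
    """
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = VERSION_NAMES.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None, None
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    return version, community.decode("latin-1"), PDU_NAMES.get(pdu_tag, hex(pdu_tag))


def audit_community(packet, lm_passwords=("public",)):
    """Flag a packet whose community string is also a Local Management password.

    lm_passwords is an assumed input: the strings configured on the module.
    The default "public" is the guide's documented super-user default.
    """
    version, community, pdu = parse_snmp_header(packet)
    exposed = community is not None and community in lm_passwords
    return {"version": version, "community": community, "pdu": pdu,
            "exposes_lm_password": exposed}


if __name__ == "__main__":
    print(audit_community(SAMPLE_V1_GET))
```

Run against a capture, the check reports every v1/v2c packet whose community would also open a Local Management session; the practical remedy the note allows for is to keep the two strings different and to restrict which stations may send SNMP to the module at all.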
How to Access
Turn on the terminal. Press ENTER (this may take up to four times, because the COM port of the switch module auto-senses the baud rate of the terminal) until the Local Management Password screen displays. Figure 3-4 shows the Password screen.
Screen Example
Figure 3-4 Local Management Chassis/Module Password Screen

xxxxxxxx LOCAL MANAGEMENT
Enterasys Networks, Inc.
P.O. Box 5005
Rochester, NH 03866-5005 USA
(603) 332-9400
(c) Copyright Enterasys Networks, Inc. 2001

Device Serial Number:       xxxxxxxxxxxx
Device Hardware Revision:   xxx
Device Firmware Revision:   xx.xx.xx
Device BOOTPROM Revision:   xx.xx.xx

Enter Password:
Enter the password and press ENTER. The default super-user access password is “public”, or press ENTER with the field left empty. Change this default (Section 5.4) before the module is reachable in-band, since the default is published and grants super-user access to anyone who can open a Telnet session.
NOTE: The password is one of the passwords configured in the Module Login Password screen. Access to certain Local Management capabilities depends on the degree of access accorded that password. Refer to Section 5.4.
If an invalid password is entered, the terminal beeps and the cursor returns to the beginning of the password entry field.
Entering a valid password causes the associated access level to display at the bottom of the screen and the Module Menu screen to display.
If no activity occurs for a preset period of time, the Local Management Password screen redisplays and the password has to be reentered.
3.3 MAIN MENU SCREEN
NOTE: This screen does not display when using the 6C107 chassis. The Module Selection screen is displayed instead of this screen.
When to Use
To access the two major sets of Local Management screens used to configure the chassis and the switch modules installed in the chassis.
How to Access
Enter a valid password in the Local Management Password screen as described in Section 3.2, and press ENTER. The Main Menu screen, Figure 3-5, displays.
Screen Example
Figure 3-5 Main Menu Screen

CHASSIS
MODULES

EXIT
NOTE: If the terminal is idle for several minutes the Local Management Password screen redisplays and the session ends. This idle time can be changed in the General Configuration screen in Section 5.2.9.
Menu Descriptions
Table 3-1 Main Menu Screen Menu Item Descriptions
Menu Item   Screen Function
CHASSIS   Provides access to the Chassis Menu screen that is used to configure the chassis, access current chassis power supply and environmental status, and perform port and VLAN redirect functions. To access and use the Chassis Menu screen, refer to Section 4.1 for instructions.
MODULES   Provides access to the Module Selection screen that is used to select individual modules in the chassis for management purposes. If module management is desired at this time, proceed to Section 3.4.
3.4 MODULE SELECTION SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection
For 6C107 chassis:
Password > Module Selection
When to Use
To select a module in the chassis and display the Module Menu screen, which is the access point to the set of Local Management screens for the selected module. The Module Selection screen is the access point to the Local Management screens for all modules installed in the 6C105 or 6C107 chassis.
How to Access
Use the arrow keys to highlight the MODULES menu item in the Module Selection screen, and press ENTER. The Module Selection screen, Figure 3-6, displays.
Screen Example
Figure 3-6 Module Selection Screen
Module #   Module Type   Serial #    Hardware Revision
<1>        6H258-17      123456789   XXX
2          6H252-25      123456789   XXX
3          6H203-26      123456789   XXX
4          6H202-24      123456789   XXX
5
EXIT   RETURN
Field Descriptions
Refer to Table 3-2 for a functional description of each screen field.
Table 3-2 Module Selection Screen Field Descriptions
Use this field…   To…
Module # (Selectable)   Display the slot in which the module is installed. The module number enclosed in angle brackets (< >) indicates the module to which the management terminal or Telnet session is currently connected.
Module Type (Read-Only)   Display the type of interface module that is installed in each slot.
Serial # (Read-Only)   Display the serial number of the module. The serial number of the device is necessary when calling Enterasys Networks concerning the module.
Hardware Revision (Read-Only)   Display the hardware version of the module.
3.4.1 Selecting a Module
To select an individual module to perform Local Management functions, proceed as follows:
1. Use the arrow keys to highlight the desired module number in the Module # field.
2. Press ENTER. The applicable Module Menu screen displays. Proceed to Section 3.5.
3.5 MODULE MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu
For 6C107 chassis:
Password > Module Selection > Module Menu
When to Use
To access the Local Management screens for the switch module selected in the Module Selection screen.
How to Access
Use the procedure described in Section 3.4.1.
Screen Example
Figure 3-7 Module Menu Screen
MODULE CONFIGURATION MENU
MODULE STATISTICS MENU
NETWORK TOOLS
SECURITY
EXIT
RETURN
NOTE: If the terminal is idle for several minutes, the Local Management Password screen redisplays and the session ends. This idle time can be changed in the Chassis Configuration screen described in Section 4.2.
Menu Descriptions
Refer to Table 3-3 for a functional description of each menu item.
Table 3-3 Module Menu Screen Menu Item Descriptions
Menu Item   Screen Function
MODULE CONFIGURATION   Provides access to the Local Management screens that are used to configure the switch module and also provides access to the Port Configuration Menu screen, 802.1 Configuration Menu screens, and the Layer 3 Extensions Menu screens.
The Port Configuration Menu screen provides access to the screens that are used to set operating parameters specific to each port.
The 802.1 Configuration Menu screen provides access to the Spanning Tree Configuration Menu screen, 802.1Q VLAN Configuration Menu screen, and the 802.1p Configuration Menu screen. These screens are used to set the basic switch operations, and provide access to screens to configure VLANs, and assign port priorities.
For details about the screens, refer to:
• Chapter 5 for the Module Configuration Menu screen,
• Chapter 6 for the Port Configuration Menu screen,
• Chapter 7 for the 802.1 Configuration Menu screen, and
• Chapter 10 for the Layer 3 Extensions Menu screen.
MODULE STATISTICS   Provides access to screens used to obtain statistics and performance information for the switch module. For details, refer to Chapter 11.
NETWORK TOOLS   The Network Tools function resides on the switch module and consists of commands that allow the user to access and manage network devices, including the ability to Telnet to other devices. Chapter 12 explains how to use the Network Tools utility.
SECURITY   Provides access to the following screens:
• Module Login Passwords
• Radius Configuration
• Name Services Configuration
• System Authentication Configuration
• EAP Configuration
• EAP Statistics Menu
• MAC Port Configuration
• MAC Supplicant Configuration
The Module Login Passwords screen allows you to set a login password for the device according to access policy (read-only, read-write, and super-user). A different password can be set for each access policy.
To prevent clearing the passwords, hardware switch 8 on the board of the device can be disabled using this screen. For an overview of the security available on this switch module, refer to Section 3.6.
For more information about the Module Login Passwords screen, refer to Section 3.8.
The Radius Configuration screen enables you to configure the Radius client function on the switch module to provide another restriction for access to the Local Management screens. For more information on Radius Client, refer to Section 3.6.
For more information about the Radius Configuration screen, refer to Section 3.9.
The System Authentication Configuration, EAP Configuration, and EAP Statistics Menu screens enable you to securely authenticate and grant appropriate access to end user devices directly attached to the switch module ports. For more information about 802.1x port based network access control, refer to Section 3.6.2.
For more information about the System Authentication Configuration, EAP Configuration, and EAP Statistics Menu screens, refer to Section 3.11, Section 3.12, and Section 3.13, respectively.
The MAC Port Configuration screen enables you to monitor the authentication state of the supplicants associated with each port and enable/disable, initialize, and force a revalidation of the port MAC credential.
For more information about MAC port configuration, refer to Section 3.14.
The MAC Supplicant Configuration screen enables you to see which MAC authentication supplicants are active, their MAC address and associated module ports, and enables you to initialize or reauthenticate each of the supplicants.
For more information about the MAC Supplicant Configuration screen, refer to Section 3.15.
3.6 OVERVIEW OF SECURITY METHODS
Six security methods are available to control which users are allowed to access, monitor, and control the switch module.
• Login Security Password – used to access the Module Menu screen to start a Local Management session via a Telnet connection or local COM port connection. Whenever a connection is made to the switch module, the Local Management Password screen displays. Before continuing, you must enter a login password, which is compared to the stored passwords and associated management level access policies configured using the Security screen described in Section 3.7.
• SNMP Community String – allows access to the switch module via a network SNMP management application. To access the switch module, you must enter an SNMP Community Name string. The level of management access is dependent on the SNMP Community Name and the associated Access Policy configured in the SNMP Community Names Configuration screen described in Section 4.4.
NOTE: You can set the same string as a Security login password and SNMP Community Name. This allows you to access and manage the switch module whether you are starting a Local Management session via a Telnet connection or local COM port connection, or using a network SNMP management application.
If the login security password is different from the SNMP Community Name, the two cannot be used interchangeably to access the switch module.
• Host Access Control Authentication (HACA) – authenticates user access of Telnet management, console local management and WebView via a central Radius Client/Server application using the Password screen described in Section 3.8. For an overview of HACA and a description of how to set the access policy using the Radius Configuration screen, refer to Section 3.6.1 and Section 3.9.
• Host Access Control List (ACL) – allows only the defined list of IP Addresses to communicate with the host for Telnet, WebView (HTTP) and SNMP. To set up these parameters, refer to the Host Access Control List (ACL) screen described in Section 3.6.1.
• 802.1X Port Based Network Access Control – provides a mechanism for administrators to securely authenticate and grant appropriate access to end user devices (supplicants) directly attached to switch module ports. For more information, refer to Section 3.6.2.
• MAC Authentication – provides a mechanism for administrators to securely authenticate and grant appropriate access to end user devices directly attached to switch module ports. For more information, refer to Section 3.6.3.
3.6.1 Host Access Control Authentication (HACA)
To use HACA, the embedded Radius Client on the switch module must be configured to communicate with the Radius Server, and the Radius Server must be configured with the password information. The software used for this application provides the ability to centralize the Authentication, Authorization, and Accounting (AAA) of the network resources. For a description of the protocol, refer to RFC 2865 (Radius Authentication) and RFC 2866 (Radius Accounting).
Each switch module has its own Radius Client. The client can be configured via:
• The Radius Configuration screen described in Section 3.9, or
• The Network Tools Command Line Interface (CLI) using the “radius” command described in Chapter 12.
The IP address of the Radius Server and the shared secret text string must be configured on the Radius Client. The client uses the Password Authentication Protocol (PAP) to communicate the user name and encrypted password to the Radius Server.
On the Radius Server, each user is configured with the following:
• name
• password
• access level
The access level can be set to one of the following levels for each user name:
• super-user
• read-write
• read-only
Supporting multiple access levels per user name involves sending back a different “FilterID” attribute, using a server feature to differentiate between the same user name with different prefixes/suffixes. For example, “username@engineering” and “username@home” could each return different access levels.
NOTE: This is a server-dependent feature.
A Radius user/password combination is assigned one access level unless server-specific features such as prefixes or suffixes are used to assign different access levels.
All Radius values, except the server IPs and shared secrets, are assigned reasonable default values when Radius is installed on a new switch module. The defaults are as follows:
• Client, disabled
• Timeout, 20 seconds
• Retries, 3
• Primary and secondary Authentication ports: 1812 (per RFC 2865)
• Primary and secondary Accounting ports: 1813 (per RFC 2866)
• Last-resort for local and remote is CHALLENGE
If only one server is configured, it must be the primary server. It is not necessary to reboot after the client is reconfigured.
The client cannot be enabled unless the primary server is configured with at least the minimum configuration information.
NOTE: The minimum additional information that must be configured to use a server is its IP and Shared Secret.
When the Radius Client is active on the switch module, a user attempting to access the host IP address via the local console LM, Telnet to LM, or WebView application is presented with an authorization screen prompting for a user login name and password. The embedded Radius Client encrypts the information entered by the user and sends it to the Radius Server for validation. The server then returns an access-accept or access-reject response to the client, allowing or denying the user access to the host application at the proper access level.
An access-accept response returns a message USER AUTHORIZATION = <ACCESS LEVEL> for 3 seconds and then the main screen of the application is displayed. An access-denied response causes an audible “beep” and the screen to return to the user name prompt.
If the Radius Client is unable to receive a response from the Radius Server, because the Radius Server is down or inaccessible, the Radius Client will time out to a default value of 20 seconds.
If the server returns an “access-accept” response (the user successfully authenticated), it must also return a Radius “FilterID” attribute containing an ASCII string with the following fields in the specified format:
“Enterasys:version=V:mgmt=M:policy=N”
Where:
• V is the version number (currently V=1)
• M is the access level for management, one of the following strings:
“su” for super-user access
“rw” for read-write access
“ro” for read-only access
• N is the policy profile number (see the policy profile MIB)
NOTES:
1. Quotation marks (“ ”) are used for clarification only and are not part of the command strings.
2. If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an unrecognizable value, access is denied.
3. Policy profiles are not yet deployed and the “policy=N” part may be omitted.
If the Radius client does not receive a response from the primary server, it will consult the secondary server if one has been configured. If the secondary server also does not respond then the switch module reverts to the last-resort authentication action. Last-resort authentication is individually selectable for both local (COM port) and remote (TELNET or WebView). The last-resort action may be to accept the user, reject the user, or challenge the user for the Local Management passwords (resort to legacy authentication).
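The FilterID handling and the primary/secondary/last-resort sequence described above, modelled in Python as an added example (not Enterasys firmware; the response dictionaries, function names and last-resort strings are assumptions):

```python
"""Model of the HACA access decision described in Section 3.6.1.

Added example, not Enterasys code: it models how the embedded Radius Client
is documented to interpret the Filter-Id attribute and the
primary -> secondary -> last-resort sequence.  The dict representation of a
server response, the function names and the last-resort strings are assumptions.
"""
from typing import Optional, Tuple

# "mgmt" values named in the manual, mapped to Local Management access levels.
MGMT_LEVELS = {"su": "super-user", "rw": "read-write", "ro": "read-only"}


def parse_filter_id(filter_id: Optional[str]) -> Optional[dict]:
    """Parse an "Enterasys:version=V:mgmt=M:policy=N" Filter-Id string.

    Returns {"version", "mgmt", "policy"} on success, or None when access must
    be denied: attribute not returned, "mgmt" absent, or "mgmt" not one of
    su/rw/ro.  "policy=N" is optional (policy profiles not yet deployed), so
    "policy" may be None.  The version is passed through (currently "1").
    """
    if not filter_id:
        return None
    fields = filter_id.split(":")
    if fields[0] != "Enterasys":
        return None  # assumption: a foreign prefix counts as unrecognizable
    parsed = {"version": None, "mgmt": None, "policy": None}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep and key in parsed:
            parsed[key] = value
    if parsed["mgmt"] not in MGMT_LEVELS:
        return None
    parsed["mgmt"] = MGMT_LEVELS[parsed["mgmt"]]
    return parsed


def resolve_access(primary: Optional[dict], secondary: Optional[dict],
                   last_resort: str) -> Tuple[str, Optional[str]]:
    """Apply the documented server sequence and return (decision, level).

    primary/secondary: a constructed response dict {"code": "accept"|"reject",
    "filter_id": str} or None for no response (server down, timed out, or not
    configured).  The secondary server is consulted only when the primary does
    not respond; a reject from any responding server is final.  last_resort is
    "ACCEPT", "REJECT" or "CHALLENGE" (challenge = fall back to the Local
    Management passwords).  decision is "allow", "deny" or "challenge".
    """
    for response in (primary, secondary):
        if response is None:
            continue  # no response: try the next server
        if response.get("code") != "accept":
            return "deny", None
        parsed = parse_filter_id(response.get("filter_id"))
        if parsed is None:
            return "deny", None  # access-accept without a usable mgmt field
        return "allow", parsed["mgmt"]
    # Neither server responded: apply the configured last-resort action.
    if last_resort == "ACCEPT":
        return "allow", None  # level for a last-resort accept is not stated on the page
    if last_resort == "REJECT":
        return "deny", None
    return "challenge", None


if __name__ == "__main__":
    # Constructed sample: primary down, secondary accepts with read-only access.
    accept = {"code": "accept", "filter_id": "Enterasys:version=1:mgmt=ro"}
    print(resolve_access(None, accept, "CHALLENGE"))   # ('allow', 'read-only')
    print(resolve_access(None, None, "CHALLENGE"))     # ('challenge', None)
```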
3.6.2 802.1X Port Based Network Access Control
This section provides:
• a brief description of 802.1X Port Based Network Access Control,
• definitions of common terms and abbreviations, and
• an overview of the tasks that may be accomplished using the 802.1X (EAP) security and authentication features.
When using the physical access characteristics of IEEE 802 LAN infrastructures, the 802.1X standard provides a mechanism for administrators to securely authenticate and grant appropriate access to end user devices directly attached to switch module ports. When configured in conjunction with NetSight Policy Manager and Radius server(s), Enterasys Networks’ switch modules can dynamically administer user based policy that is specifically tailored to the end user’s needs.
3.6.2.1 Definitions of Terms and Abbreviations
Table 3-4 provides an explanation of authentication terms and abbreviations used when describing the 802.1X and EAP security and authentication features.
Table 3-4 Authentication Terms and Abbreviations
Term   Definition
EAP   Extensible Authentication Protocol (e.g., Microsoft IAS Server and Funk Steel Belted Radius).
PAE   Port Access Entity, device firmware that implements or participates in the protocol.
PWA   Port Web Authentication, an enterprise specific authentication process using a web browser user-login process to gain access to ports.
RADIUS   Remote Authentication Dial In User Service.
Authenticator   The entity that sits between a supplicant and the authentication server. The authenticator’s job is to pass authenticating information between the supplicant and authentication server until an authentication decision is made.
Authentication Server   Provides authentication service to an authenticator. This service determines, by the credentials the supplicant provides, whether a supplicant is authorized to access services provided by the authenticator. The authentication server can be co-located with an authenticator or can be accessed remotely.
Supplicant   The entity (user machine) that is trying to be authenticated by an authenticator attached to the other end of that link.
3.6.2.2 802.1X Security Overview
The Enterasys Networks’ 6000 Series and Matrix E7 modules support the following 802.1X security and authentication features to:
• Authenticate hosts that are connected to dedicated switch ports.
• Authenticate based on single-user hosts. (If a host is a time-shared Unix or VMS system, successful authentication by any user will allow all users access to the network.)
• Allow users to authenticate themselves by logging in with user names and passwords, token cards, or other high-level identification. Thus, a system manager does not need to spend hours setting low-level MAC address filters on every edge switch to simulate user-level access controls.
• Divide system functionality between supplicants (user machines), authenticators, and authentication servers. Authenticators reside in edge switches. They shuffle messages and tell the switch when to grant or deny access, but do not validate logins. User validation is the job of authentication servers. This separation of functions allows network managers to put authentication servers on central servers.
• Use the 802.1X protocol to communicate between the authenticator and the supplicant. The frame format using 802.1X includes extra data fields within a LAN frame. Note that 802.1X does not allow routing.
• Use 802.1X to communicate between the authenticator and the authentication server. The specific protocol that runs between these components (e.g., RADIUS-encapsulated EAP) is not specified and is implementation-dependent.
3.6.3 MAC Authentication Overview
This section discusses a method for a user to gain access to the network by validating the MAC address of their connected device. Network management statically provisions MAC addresses in a central radius server. Those pre-configured MAC addresses are allowed access to the network through the usual RADIUS validation process. This section further discusses how MAC Authentication and 802.1X cooperate to provide an integrated approach to authentication.
3.6.3.1 Authentication Method Selection
The 802.1X and PWA authentication methods are globally exclusive. Additionally, MAC Authentication and PWA are globally mutually exclusive. However, MAC Authentication and 802.1X are not mutually exclusive, so that both 802.1X and MAC authentications can be configured concurrently on the same device using the Local Management (LM) System Authentication Configuration screen described in Section 3.11. When both methods are enabled on the same device, the switch enforces a precedence relationship between MAC Authentication and 802.1X methods.
When configuring a device using the System Authentication Configuration screen, only the valid set of global and per port authentication methods are available for selection. These are EAP, PWA, MAC, MAC EAP, and NONE. If there is an attempt to enable both MAC Authentication and PWA either through the sole use of MIBs or by using both the LM screen and MIBs, then an appropriate error message is displayed.
3.6.3.2 Authentication Method Sequence
When MAC Authentication is enabled on a port, the Authentication of a specific MAC address commences immediately following the reception of any frame. The MAC address and a currently stored password for the port are used to perform a PAP authentication with one of the configured radius servers. If successful, the port forwarding behavior is changed according to the authorized policy and a session is started. If unsuccessful, the forwarding behavior of the port remains unchanged.
If successful, the filter-id in the radius response may contain a policy string of the form policy=”policy name”. If the string exists and it refers to a currently configured policy in this switch, then the port receives this new policy. If authenticated, but the authorized policy is invalid or non-existent, then the port forwards the frame normally according to the port default policy, if one exists. Otherwise, frames are forwarded without any policy.
3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication
This section defines the precedence rules to determine which authentication method, 802.1X (EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port authentication is described in Section 3.11.
When both methods are enabled, 802.1X takes precedence over MAC Authentication when a user is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X, then MAC authentication is active and may authenticate the next MAC address received on that port.
You can configure MAC Authentication and 802.1X to run concurrently on the same module, but exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the force-unauthorized state is overloaded. When 802.1X and MAC Authentication are enabled, set the 802.1X MIB to force-unauthorized for the interface in question and enable MAC Authentication. This allows the MAC Authentication to run unhindered by 802.1X on that interface. This, in effect, disables all 802.1X control over that interface. However, if a default policy exists on that port, the switch forwards the frames according to that policy, otherwise the switch drops them.
If a switch port is configured to enable both 802.1X and MAC Authentication, then it is possible for the switch to receive a start or a response 802.1X frame while a MAC Authentication is in progress. In this situation, the switch immediately aborts MAC Authentication. The 802.1X authentication then proceeds to completion. After the 802.1X login completes, the user has either succeeded and gained entry to the network, or failed and is denied access to the network. After the 802.1X login attempt, no new MAC Authentication logins occur on this port until:
• A link is toggled.
• The user executes an 802.1X logout.
• Management terminates the 802.1X session.
NOTE: The switch may terminate a session in many different ways. All of these reactivate the MAC authentication method. Refer to Table 3-5 for the precedence relationship between MAC and 802.1X authentication.
When a port is set for concurrent use of MAC and 802.1X authentication, the switch continues to issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an EAPOL response/id frame.
Table 3-5 MAC / 802.1X Precedence States
802.1X Port Control | MAC Port Control | Authenticated? | Default Policy Exists? | Authorized Policy Exists? | Action
Force Authorized | Don’t Care | Don’t Care | Yes | Don’t Care | Neither method performs authentication. Frames are forwarded according to default policy.
Force Authorized | Don’t Care | Don’t Care | No | Don’t Care | Neither method performs authentication. Frames are forwarded.
Auto | Enabled | Yes | Don’t Care | Yes | Hybrid authentication (both methods are active). Frames are forwarded according to authorized policy.
Auto | Enabled | Yes | Yes | No | Hybrid authentication (both methods are active). Frames are forwarded according to default policy.
Auto | Enabled | Yes | No | No | Hybrid authentication (both methods are active). Frames are forwarded.
Auto | Enabled | No | Yes | Don’t Care | Hybrid authentication (both methods are active). Frames are forwarded according to default policy.
Auto | Enabled | No | No | Don’t Care | Hybrid authentication (both methods are active). Frames are discarded.
Auto | Disabled | Yes | Don’t Care | Yes | 802.1X performs authentication. Frames are forwarded according to authorized policy.
Auto | Disabled | Yes | Yes | No | 802.1X performs authentication. Frames are forwarded according to default policy.
Auto | Disabled | Yes | No | No | 802.1X performs authentication. Frames are forwarded.
Auto | Disabled | No | Yes | Don’t Care | 802.1X performs authentication. Frames are forwarded according to default policy.
Auto | Disabled | No | No | Don’t Care | 802.1X performs authentication. Frames are discarded.
Force Unauthorization | Enabled | Yes | Don’t Care | Yes | MAC performs authentication. Frames are forwarded according to authorized policy.
Force Unauthorization | Enabled | Yes | Yes | No | MAC performs authentication. Frames are forwarded according to default policy.
Force Unauthorization | Enabled | Yes | No | No | MAC performs authentication. Frames are forwarded.
Force Unauthorization | Enabled | No | Yes | Don’t Care | MAC performs authentication. Frames are forwarded according to default policy.
Force Unauthorization | Enabled | No | No | Don’t Care | MAC performs authentication. Frames are discarded.
Force Unauthorization | Disabled | Don’t Care | Don’t Care | Don’t Care | Neither method performs authentication. Frames are discarded.
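Table 3-5 and the method-selection rule of Section 3.6.3.1, modelled in Python as an added example (not Enterasys firmware; the enum, function names and the returned labels are assumptions):

```python
"""Added model of Table 3-5 (MAC / 802.1X precedence) and of the
method-selection rule of Section 3.6.3.1.  This is not Enterasys firmware;
the enum, function names and returned labels are assumptions."""
from enum import Enum


class Dot1xControl(Enum):
    """Values of the 802.1X Port Control column."""
    FORCE_AUTHORIZED = "Force Authorized"
    AUTO = "Auto"
    FORCE_UNAUTHORIZED = "Force Unauthorization"


# Selectable combinations named in Section 3.6.3.1.  PWA is mutually
# exclusive with both 802.1X (EAP) and MAC; MAC and EAP may run concurrently.
VALID_SELECTIONS = {
    frozenset(): "NONE",
    frozenset({"EAP"}): "EAP",
    frozenset({"PWA"}): "PWA",
    frozenset({"MAC"}): "MAC",
    frozenset({"MAC", "EAP"}): "MAC EAP",
}


def select_methods(methods):
    """Return the screen's name for a set of methods, or raise ValueError
    (the manual says an error message is shown for e.g. MAC plus PWA)."""
    key = frozenset(methods)
    if key not in VALID_SELECTIONS:
        raise ValueError("invalid authentication method combination: %s"
                         % sorted(key))
    return VALID_SELECTIONS[key]


def precedence_action(dot1x, mac_enabled, authenticated,
                      default_policy, authorized_policy):
    """Return (authenticating method, frame handling) for a row of Table 3-5.

    dot1x: Dot1xControl.  mac_enabled: MAC Port Control is Enabled.  The
    three booleans are the Authenticated?, Default Policy Exists? and
    Authorized Policy Exists? columns.  Method labels: "neither", "hybrid",
    "802.1X", "MAC".  Handling labels: "forwarded", "default policy",
    "authorized policy", "discarded".
    """
    if dot1x is Dot1xControl.FORCE_AUTHORIZED:
        # Neither method authenticates; only the default policy matters.
        return "neither", ("default policy" if default_policy else "forwarded")
    if dot1x is Dot1xControl.AUTO:
        method = "hybrid" if mac_enabled else "802.1X"
    elif mac_enabled:
        # Force-unauthorized is overloaded to hand the port to MAC Authentication.
        method = "MAC"
    else:
        return "neither", "discarded"
    # The same forwarding rule applies to every authenticating row of the table.
    if authenticated and authorized_policy:
        handling = "authorized policy"
    elif default_policy:
        handling = "default policy"
    elif authenticated:
        handling = "forwarded"
    else:
        handling = "discarded"
    return method, handling


if __name__ == "__main__":
    print(select_methods({"MAC", "EAP"}))                       # MAC EAP
    print(precedence_action(Dot1xControl.AUTO, True, False, False, False))
    # ('hybrid', 'discarded'): unauthenticated, no default policy
```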
3.6.4 MAC Authentication Control
This global variable can be set to enabled or disabled.
If set to enabled, then
a. MAC Authentication is active on those ports whose individual port-enabled variable is set to enabled.
b. All session and statistic information is reset to defaults.
c. Any MAC addresses currently locked to ports are unlocked.
If set to disabled, then
a. MAC Authentication stops for all ports.
b. All active sessions are terminated with the cause portAdminDisabled.
c. All policies applied to ports as a result of a MAC Authentication revert to the port’s default policy, if any.
d. All ports currently authenticated using 802.1X are unaffected.
e. Any 802.1X ports which were set to forced-unauth revert back to discarding all frames regardless of the MAC Authentication state.
3.7 SECURITY MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu > Security Menu
For 6C107 chassis:
Password > Module Selection > Module Menu > Security Menu
When to Use
To access the Passwords, Radius Configuration, Name Services Configuration, System Authentication Configuration, EAP Configuration, EAP Statistics Menu, MAC Port Configuration, and MAC Supplicant Configuration screens.
• The Passwords and Radius Configuration screens allow you to configure additional limited access.
• The Name Services Configuration screen allows you to set parameters for personalized web authentication.
• The System Authentication Configuration, EAP Configuration, and EAP Statistics Menu screens enable you to view port authentication type and status, to configure EAP settings, and to view EAP statistics.
• The MAC Port Configuration and MAC Supplicant Configuration screens enable you to configure MAC Authentication for user devices (supplicants) directly attached to one or more physical ports.
How to Access
Use the arrow keys to highlight the SECURITY menu item on the Module Configuration Menu screen and press ENTER. The Security Menu screen, Figure 3-8, displays.
Screen Example
Figure 3-8 Security Menu Screen
PASSWORDS
RADIUS CONFIGURATION
NAME SERVICES CONFIGURATION
SYSTEM AUTHENTICATION CONFIGURATION
EAP CONFIGURATION
EAP STATISTICS MENU
MAC PORT CONFIGURATION
MAC SUPPLICANT CONFIGURATION
EXIT
RETURN
Menu Descriptions
Refer to Table 3-6 for a functional description of each menu item.
Table 3-6 Security Menu Screen Menu Item Descriptions
Menu Item   Screen Function
PASSWORDS   Used to set the Locally Administered Passwords (super-user, read-write, and read-only) to access the device according to an access policy. For details, refer to Section 3.8.
RADIUS CONFIGURATION   Used to configure the Radius Client Parameters on the switch, primary server, and secondary server. For details, refer to Section 3.9.
NAME SERVICES CONFIGURATION   Used to set parameters for personalized Web authentication, including the URL and IP of the Secure Harbour web page. For details, refer to Section 3.10.
SYSTEM AUTHENTICATION CONFIGURATION   Used to enable or disable an authentication type for the device, and to display the authentication type and authentication status (enabled or disabled) for all ports. For details, refer to Section 3.11.
EAP CONFIGURATION   Used to configure authentication settings for each port. For details, refer to Section 3.12.
EAP STATISTICS MENU   Used to navigate to the EAP Session Statistics, EAP Authentication Statistics, and EAP Diagnostic Statistics screens. For details, refer to Section 3.13.
MAC PORT CONFIGURATION   Used to view the current port authentication states, enable or disable the authentication function on each port, reset ports to the initial authentication configuration, and force a revalidation of the MAC credential. For details, refer to Section 3.14.
MAC SUPPLICANT CONFIGURATION   Used to show how long MAC Authentication supplicants are logged on to a port and their MAC address, and provides limited configuration of these supplicants. For details, refer to Section 3.15.
3.8 PASSWORDS SCREEN
When to Use
To provide additional security by using login passwords associated with an access policy. This screen allows the use of passwords to provide three levels of Local Management access (super-user, read-write, and read-only) via serial console or Telnet connection. This screen is also used to disable the function of hardware switch 8 to prevent the clearing of the login passwords.
How to Access
Use the arrow keys to highlight the PASSWORDS menu item on the Security Menu screen and press ENTER. The Module Login Passwords screen, Figure 3-9, displays.
Screen Example
Figure 3-9 Module Login Passwords Screen
Password   Access Policy
********   read-only
********   read-write
********   super-user
SWITCH 8 [ENABLED]
Restrict NVRAM Passwords from upload/download [DISABLED]
EXIT   RETURN   SAVE
Field Descriptions
Refer to Table 3-7 for a functional description of each screen field.
Table 3-7 Module Login Passwords Screen Field Descriptions
Use this field…   To…
Password (Modifiable)   Enter the password used to access the device according to an access policy. For information on how to set the login password, refer to Section 3.8.1.
Access Policy (Read-Only)   See the access given each password. Possible selections are as follows:
read-only   This password allows read-only access to Local Management, and excludes access to security-protected fields of read-write or super-user authorization.
read-write   This password allows read and write access to Local Management, excluding security protected fields for super-user access only.
super-user   This password permits read-write access to Local Management and allows the user to change all modifiable parameters including community names, IP addresses, traps, and SNMP objects.
Switch 8 (Toggle)   Enable or disable the function of hardware switch S8 on the main board of the device. When set to ENABLED, S8 can be used to clear the password. When set to DISABLED, S8 cannot be used to clear the password. The default is ENABLED.
Restrict NVRAM Passwords from upload/download (Toggle)   Prevent passwords residing in NVRAM from being replaced when downloading a configuration file; when set to ENABLED, the passwords are not downloaded. The default setting is DISABLED.
3.8.1 Setting the Module Login Password
Setting the Module Login Password provides additional security by assigning each switch module its own password and allowing you to disable the function of switch S8 so that the password cannot be cleared. To assign the password and disable switch S8, proceed as follows:
1. Use the arrow keys to highlight the appropriate Password field. A different password can be assigned to each Access Policy.
2. Press ENTER.
3. To disable the function of switch S8 so the passwords cannot be cleared, use the arrow keys to highlight the Switch 8 field.
4. Press the SPACE bar to select DISABLED.
5. To save the settings, press ENTER. The message “SAVED OK” displays at the top of the screen.
3.9 RADIUS CONFIGURATION SCREEN
When to Use
To configure the Radius client in the switch to restrict access to the management functions of the Local Management screens, by way of the COM port or network TELNET connection.
NOTE: The configuration and enable state of the Radius client will be stored in NVRAM and loaded on power-up. If the client is properly configured and enabled, the platform will create the Radius client and enable it at boot time, superseding legacy authentication. Otherwise, the legacy authentication becomes operational.
Radius Client parameters can also be set using the Network Tools screen described in Chapter 12.
This screen allows you to set the necessary parameters to centralize the Authentication, Authorization, and Accounting of the network resources. For information about Radius Client and how it functions, refer to Section 3.6 and Section 3.6.1.
How to Access
Use the arrow keys to highlight the RADIUS CONFIGURATION menu item on the Security Menu screen and press ENTER. The Radius Configuration screen, Figure 3-10, displays.
Screen Example
Figure 3-10 Radius Configuration Screen
Timeout: 20    Retries: 03
Last Resort Action:    Local [CHALLENGE]    Remote [CHALLENGE]
Radius Client: [DISABLED]
IP Address    Secret            Auth Port
0.0.0.0       NOT CONFIGURED    1812
0.0.0.0       NOT CONFIGURED    1812
SAVE   EXIT   RETURN
Field Descriptions
Refer to Table 3-8 for a functional description of each screen field.
Table 3-8 Radius Configuration Screen Field Descriptions
Use this field… To…
Timeout (Modifiable): Enter the maximum time in seconds to establish contact with the Radius Server before timing out. The default is 20 seconds.
Retries (Modifiable): Enter the maximum number of attempts (1…N) to contact the Radius Server before timing out. The default is 20 seconds.
Last Resort Action/Local (Selectable): Accept, Challenge, and Reject, which do the following:
  ACCEPT: Allows local access (via COM port) at the super-user level with no further attempt at authentication.
  CHALLENGE: Reverts to local module (legacy) passwords.
  REJECT: Does not allow local access.
  For more details, refer to Section 3.9.1. To set local and remote servers, refer to Section 3.9.2.
Last Resort Action/Remote (Selectable): Accept, Challenge, and Reject, which do the following:
  ACCEPT: Allows local access (via COM port) at the super-user level with no further attempt at authentication.
  CHALLENGE: Reverts to local module (legacy) passwords.
  REJECT: Does not allow remote access.
  For more details, refer to Section 3.9.1. To set local and remote servers, refer to Section 3.9.2.
Radius Client (Toggle): Enable or disable client status.
IP Address (Modifiable): Enter the IP address (in decimal-dot format) of the primary and secondary servers being configured for the Radius function.
Secret (Modifiable): Enter a secret string of characters for the primary and secondary server (16 characters are recommended as per RFC 2865. The maximum is 32 characters).
Auth Port (Modifiable): Enter the number of the Authorization UDP Port for the Primary and Secondary server.
3.9.1 Setting the Last Resort Authentication
The Radius client can be configured to use primary and secondary servers. If the primary server does not respond within the specified number of retries during the specified time-out period, the client will then attempt to authenticate using the secondary server. If the secondary server also does not respond, then the client returns a time-out condition.
The “last resort” platform action in case of Radius server time-out for both local and remote access is selectable for each type of access:
Local login via the COM port.
Remote login via a remote network TELNET connection.
3.9.2 Setting the Local and Remote Servers
Before setting the parameters, refer to Section 3.6.1 and Section 3.9.1 for a better understanding of Radius Servers and Last Resort Authentication. To set the local and remote server, proceed as follows:
1. Highlight the Timeout field and enter the maximum time in seconds to establish contact with the Radius Server before timing out.
2. Highlight the Retries field and enter the desired maximum number of attempts (1…N) to contact the Radius Server before timing out.
3. Highlight the Last-Resort Action/Local field and select ACCEPT, CHALLENGE, or REJECT to allow local access at the super-user level with no further attempt at authentication, revert the local module to (legacy) passwords, or not allow local access, respectively.
4. Highlight the Last-Resort Action/Remote field and select ACCEPT, CHALLENGE, or REJECT to allow remote access at the super-user level with no further attempt at authentication, revert the remote module to (legacy) passwords, or not allow remote access, respectively.
5. Use the arrow keys to highlight the IP Address field and enter the IP address (in decimal-dot format) of the primary and secondary servers being configured for the RADIUS function.
6. Highlight the Secret field and enter a secret string of characters for the primary and secondary server (16 characters are recommended as per RFC 2865. The maximum is 32 characters).
7. Highlight the Auth Port field and enter the number of the Accounting UDP Port for the Primary and Secondary server.
8. Use the arrow keys to highlight the SAVE command and press ENTER to save your settings.
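The following Python model is an added illustration of the fail-over and last-resort behaviour described in Sections 3.9.1 and 3.9.2; it is not Enterasys firmware code and not part of this guide. It tries the primary server up to Retries times, then the secondary, and only when both time out does it apply the Last Resort Action configured for the access type (COM port or TELNET). The transport callable, the TEST-NET-1 server addresses, the user names and the rule that the retry budget applies per server are the example's own assumptions.

```python
"""Model of the Radius client fail-over and "last resort" behaviour described in
Sections 3.9.1 and 3.9.2. Added illustration, not Enterasys firmware code: the
server transport is abstracted as a callable so the logic runs offline, and
applying the retry budget per server is the example's own assumption."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class LastResort(Enum):
    ACCEPT = "ACCEPT"        # super-user access with no further authentication
    CHALLENGE = "CHALLENGE"  # revert to the local module (legacy) passwords
    REJECT = "REJECT"        # do not allow access


class Access(Enum):
    LOCAL = "local"    # login via the COM port
    REMOTE = "remote"  # login via a network TELNET connection


class Outcome(Enum):
    SERVER_ACCEPT = "accepted by Radius server"
    SERVER_REJECT = "rejected by Radius server"
    LAST_RESORT_SUPER_USER = "servers timed out: super-user access granted"
    LAST_RESORT_LEGACY = "servers timed out: legacy module password required"
    LAST_RESORT_DENY = "servers timed out: access denied"


def secret_ok(secret: str) -> bool:
    """RFC 2865 recommends 16 characters; the screen accepts at most 32."""
    return 1 <= len(secret) <= 32


@dataclass
class RadiusServer:
    ip: str
    secret: str
    auth_port: int = 1812  # Auth Port default shown in Figure 3-10

    def __post_init__(self) -> None:
        if not secret_ok(self.secret):
            raise ValueError("Radius secret must be 1 to 32 characters")


# A transport returns True (Access-Accept), False (Access-Reject) or None (no reply).
Transport = Callable[[RadiusServer, str, str, int], Optional[bool]]


@dataclass
class RadiusClient:
    primary: RadiusServer
    secondary: RadiusServer
    timeout: int = 20  # seconds; default from Table 3-8
    retries: int = 3   # Figure 3-10 shows Retries: 03
    last_resort: Dict[Access, LastResort] = field(default_factory=dict)
    attempts: int = 0  # requests sent so far, kept for inspection

    def authenticate(self, access: Access, user: str, password: str,
                     transport: Transport) -> Outcome:
        """Try the primary, then the secondary server; if both time out, apply
        the last-resort action configured for this access type."""
        for server in (self.primary, self.secondary):
            for _ in range(self.retries):
                self.attempts += 1
                reply = transport(server, user, password, self.timeout)
                if reply is None:
                    continue  # no response within the timeout: retry
                return Outcome.SERVER_ACCEPT if reply else Outcome.SERVER_REJECT
        # Screen default for both access types is CHALLENGE.
        action = self.last_resort.get(access, LastResort.CHALLENGE)
        if action is LastResort.ACCEPT:
            return Outcome.LAST_RESORT_SUPER_USER
        if action is LastResort.CHALLENGE:
            return Outcome.LAST_RESORT_LEGACY
        return Outcome.LAST_RESORT_DENY


def make_client(local: LastResort, remote: LastResort) -> RadiusClient:
    """Build a client with constructed (TEST-NET-1, non-routable) server addresses."""
    return RadiusClient(
        primary=RadiusServer("192.0.2.10", "sixteen-char-key"),
        secondary=RadiusServer("192.0.2.11", "sixteen-char-key"),
        last_resort={Access.LOCAL: local, Access.REMOTE: remote},
    )


def dead_primary(server: RadiusServer, user: str, password: str,
                 timeout: int) -> Optional[bool]:
    """Constructed transport: the primary never answers; the secondary knows one user."""
    if server.ip == "192.0.2.10":
        return None
    return user == "admin" and password == "correct horse"


def no_servers(server: RadiusServer, user: str, password: str,
               timeout: int) -> Optional[bool]:
    """Constructed transport: neither server answers."""
    return None


if __name__ == "__main__":
    client = make_client(LastResort.ACCEPT, LastResort.REJECT)
    print(client.authenticate(Access.REMOTE, "admin", "correct horse", dead_primary).value)
    print(client.authenticate(Access.LOCAL, "admin", "correct horse", no_servers).value)
    print(client.authenticate(Access.REMOTE, "admin", "correct horse", no_servers).value)
```

Running the model makes the risk trade-off of the last-resort setting concrete: with ACCEPT selected, an unreachable Radius server (outage, filtered UDP port, wrong secret) yields super-user access without any credential check, whereas CHALLENGE still requires the module password and REJECT locks the access path until a server answers.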
3.10 NAME SERVICES CONFIGURATION SCREEN
When to Use
Use this screen when enabling Port-based Web authentication. This screen can also be used to configure the global Secure Harbour name and IP address. The user can Enable/Disable Name Services and associate the switch name with the Secure Harbour IP address.
How to Access
Use the arrow keys to highlight the NAME SERVICES CONFIGURATION menu item on the Security Menu screen and press ENTER. The Name Services Configuration screen, Figure 3-11, displays.
Screen Example
Figure 3-11 Name Services Configuration Screen
Switch Name:         Secure Harbour
Secure Harbour IP:   0.0.0.0
Name Services:       [DISABLED]
Web Authentication:  [DISABLED]
SAVE   EXIT   RETURN
Field Descriptions
Refer to Table 3-9 for a functional description of each screen field.
Table 3-9 Name Services Configuration Screen Field Descriptions
Use this field… To…
Switch Name (Modifiable): Create a textual name to bind to the IP address.
  NOTE: The Switch Name and the Secure Harbour IP must be globally unique within your network and the end switch must contain the identical information.
Secure Harbour IP (Read-Only): See the IP address used to access services.
  NOTE: The Switch Name and the Secure Harbour IP must be globally unique within your network and the end switch must contain the identical information. The Secure Harbour IP cannot be the same as the management IP of the switch.
Name Services (Toggle): Enable or disable the name services function.
Web Authentication (Toggle): Enable or disable Web Authentication.
3.11 SYSTEM AUTHENTICATION CONFIGURATION SCREEN
When to Use
To enable or disable an authentication type for the device, and to display the authentication type and authentication status (enabled or disabled) for all ports.
How to Access
Use the arrow keys to highlight the SYSTEM AUTHENTICATION CONFIGURATION menu item on the Security Menu screen and press ENTER. The System Authentication Configuration screen, Figure 3-12, displays.
Screen Example
Figure 3-12 System Authentication Configuration Screen
System Authentication [EAP]
Port #   Authentication Type   Authentication Status
1        EAP                   Unauthenticated
2        EAP                   Unauthenticated
3        EAP-MAC               Unauthenticated
4        EAP                   Unauthenticated
5        EAP                   Unauthenticated
6        EAP                   Unauthenticated
7        EAP-MAC               Unauthenticated
8        EAP-MAC               Unauthenticated
9        EAP                   Unauthenticated
10       EAP                   Unauthenticated
EXIT   NEXT   SAVE   RETURN
Field Descriptions
Refer to Table 3-10 for a functional description of each screen field.
Table 3-10 System Authentication Configuration Screen Field Descriptions
Use this field… To…
System Authentication (Selectable): Enable or disable an authentication type for the device, or turn off the port authentication function on all ports. Options are EAP (Extensible Authentication Protocol), PWA (Port Web Authentication), MAC (Machine Address Code), EAP MAC, or NONE.
  EAP is encapsulated in LAN frames according to the 802.1X standard.
  PWA uses the web browser user login process to allow access to ports.
  MAC authentication limits access to the network by validating the MAC address of the connected devices.
  EAP MAC enables using both MAC and EAP authentication methods concurrently for security.
  NONE turns off all port authentication in the switch. The default is NONE.
  To select the option, use the arrow keys to highlight the System Authentication field, step to EAP, PWA, MAC, EAP MAC, or NONE using the SPACE bar, then press ENTER.
Port # (Read-Only): See the port numbers of all ports known to the device. Up to 10 ports can be displayed at a time. To see additional ports, select NEXT and press ENTER to display the authentication type and status for the next 10 ports.
Authentication Type (Read-Only): See the authentication type configured for each port: EAP, PWA, MAC, EAP MAC, or NONE.
Authentication Status (Read-Only): See whether the port is authenticated for the chosen authentication type. Status is Authenticated, EAP Authenticated, MAC Authenticated, or Unauthenticated.
3.12 EAP (PORT) CONFIGURATION SCREEN
When to Use
To configure authentication settings for each port.
How to Access
Use the arrow keys to highlight the EAP CONFIGURATION menu item on the Security Menu screen and press ENTER. The EAP Port Configuration screen, Figure 3-13, displays.
Screen Example
Figure 3-13 EAP Port Configuration Screen
Port   Authentication State   Backend State   Port Control   Initialize Port   Force Reauth   Maximum Requests
---------------------------------------------------------------------------------------------------
1      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
2      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
3      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
4      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
5      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
6      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
7      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
8      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
9      initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
10     initialize             idle            [Auto]         [FALSE]           [FALSE]        [2]
RETURN   EXIT   NEXT   SAVE
Field Descriptions
Refer to Table 3-11 for a functional description of each screen field.
Table 3-11 EAP Port Configuration Screen Field Descriptions
Use this field… To…
Port (Read-Only): See the port number of all ports known to the device. Up to 10 ports can be displayed at a time. Highlight NEXT and press ENTER to display the next set of ports.
Authentication State (Read-Only): See the current authentication state of each port.
  The following nine states are the possible internal states for the authenticator. Some states are simply pass-through states causing a small action and immediately moving to a new state. Therefore, not all states can be observed for this interface.
  initialize: A port is in the initialize state when:
    a. EAP authentication is disabled,
    b. EAP authentication is enabled and the port is not linked, or
    c. EAP authentication is enabled and the port is linked. (In this case very little time is spent in this state; it immediately transitions to the connecting state, via disconnected.)
  disconnected: The port passes through this state on its way to connected whenever the port is reinitialized, via link state change, reauthentication failure, or management intervention.
  connecting: While in this state, the authenticator sends request/ID messages to the supplicant.
  authenticating: The port enters this state from connecting after receiving a response/ID from the supplicant. It remains in this state until the entire authentication exchange between the supplicant and the authentication server completes.
  authenticated: The port enters this state from the authenticating state after the exchange completes with a favorable result. It remains in this state until linkdown, logoff, or until a reauthentication begins.
  aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange.
  held: After any login failure, this state is entered, where the port remains for the number of seconds equal to quietPeriod (can be set using the MIB).
  forceAuth: Management has set this in “Port Control”. This allows normal, unsecured switching on this port.
  forceUnauth: Management has set this in “Port Control”. Absolutely no frames are forwarded to or from this port.
Backend State (Read-Only): See the current backend state of each port.
  The backend state machine controls the protocol interaction between the authenticator (the switch) and the authentication server (typically a Radius server).
  The following seven states are the possible internal states for the authenticator. Some states are simply pass-through states causing a small action and immediately moving to a new state. Therefore, you may not observe all of the states in this interface.
  For more detail, please see the IEEE Standard 802.1X-2001, Port Based Network Access Control.
  request: The port has received a request from the server and is waiting for a response from the supplicant.
  response: The port has received a response from the server and is waiting for either another request or an accept or reject from the server.
  success: The port has received a success from the server. Send a success to the supplicant and move to idle.
  fail: The port has received a reject from the server. Send a fail to the supplicant and move to idle.
  timeout: The port has timed out during the authentication exchange.
  idle: The port is currently not involved in any authentication, but is ready to begin one. Move to idle after completion.
  initialize: The port is initializing the relevant backend variables and is not ready to begin an authentication. Move to idle after completion.
Port Control (Selectable): Set the port control mode enabling network access for each port. Modes include:
  Auto: In this mode, frames are forwarded according to the authentication state of each port. When no default policy has been applied to the port, and its authentication state is unauthorized, the port discards all incoming and outgoing frames. If a default policy is applied to the port and its authentication state is unauthorized, frames are forwarded according to the configuration specified for that policy.
  Once authorized, a port forwards frames according to its current configuration. A policy string may be returned by the Radius Server in the filter id attribute. This policy string can reference a set of VLAN and priority classification rules pre-configured in the switch.
  If a policy string is returned as part of the user authorization process, then frames are forwarded according to the configuration specified by that policy.
  If no policy is returned, the switch forwards frames using the existing default policy configuration, if it exists, or the current configuration for the port if no default policy exists. If the default policy is used, then that default policy is interpreted as now being active on the controlled port. Although continuing to use the default policy after authorization may be a legal configuration, there are no practical uses.
  If a policy string is returned that has no definition in the switch, then this is an illegal configuration and the port is not authenticated. Therefore frame forwarding in this case follows the rules outlined above for an unauthorized port.
  Forced Authenticated Mode: The Forced Authenticated Mode is meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the Policy Profile MIB, then frames are forwarded according to the configuration set by that policy; otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode.
  Forced Unauthenticated Mode: When a port is set to the Forced Unauthenticated Mode, all frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.
Initialize Port (Single Setting): Set to TRUE to initialize all state machines for this port. After initialization, authentication can proceed normally on this port according to its control settings. This has the effect of kicking off any currently authorized user on the port and resetting the session information for a new login. You can only set this field to TRUE to initialize the port. Afterwards the field immediately reverts to FALSE.
Force Reauth (Single Setting): Set to TRUE to cause an immediate forced reauthentication for a user who is currently logged on to the port. If the reauthentication fails, then the user is forced off the port. If there is no user on the port, a setting of TRUE of this variable has no effect. Setting this variable to FALSE has no effect.
Maximum Requests (Modifiable): Set the maximum number of times EAP request frames will be transmitted to the supplicant before timeout. Default is 2; range is 1 to 10.
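The Port Control rules above (Auto, Forced Authenticated and Forced Unauthenticated, including the handling of a policy string returned in the Radius filter id attribute) are worked through in the following Python example. It is an added illustration, not Enterasys firmware code and not part of this guide. The policy names, the Access-Accept attribute bytes and the attribute walker are constructed for the example; the only value taken from elsewhere is the Filter-Id attribute number (11) defined in RFC 2865.

```python
"""Forwarding decision for a port under 802.1X Port Control, following the rules
Table 3-11 gives for Auto, Forced Authenticated and Forced Unauthenticated modes.
Added example, not Enterasys firmware code. Policy names, Access-Accept bytes
and the attribute walker are constructed; Filter-Id = 11 is from RFC 2865."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

FILTER_ID = 11  # RADIUS attribute type of Filter-Id (RFC 2865, section 5.11)


class PortControl(Enum):
    AUTO = "Auto"
    FORCE_AUTH = "Forced Authenticated"
    FORCE_UNAUTH = "Forced Unauthenticated"


@dataclass(frozen=True)
class Decision:
    forwards: bool          # does the port forward any frames?
    policy: Optional[str]   # policy in force, or None for the port's own configuration
    authenticated: bool     # authorization state after the rules are applied
    reason: str


def filter_id_from_attributes(attrs: bytes) -> Optional[str]:
    """Walk RADIUS attribute TLVs (type, length, value) and return the Filter-Id
    text if present. A malformed length ends the walk instead of being guessed."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None  # malformed attribute: trust nothing after it
        if atype == FILTER_ID:
            return attrs[i + 2:i + alen].decode("ascii", errors="replace")
        i += alen
    return None


def decide(control: PortControl, authorized: bool, default_policy: Optional[str],
           returned_policy: Optional[str], known_policies: Dict[str, str]) -> Decision:
    """Apply the Port Control rules to one port."""
    if control is PortControl.FORCE_UNAUTH:
        return Decision(False, None, False, "forced unauthenticated: all frames discarded")
    if control is PortControl.FORCE_AUTH:
        if default_policy:
            return Decision(True, default_policy, True, "forced authenticated: default policy")
        return Decision(True, None, True, "forced authenticated: port configuration")
    # Auto mode from here on.
    note = ""
    if returned_policy is not None and returned_policy not in known_policies:
        # A policy string with no definition in the switch is an illegal
        # configuration: the port is not authenticated.
        authorized = False
        note = f"policy '{returned_policy}' undefined on switch; "
    if not authorized:
        if default_policy:
            return Decision(True, default_policy, False, note + "unauthorized: default policy")
        return Decision(False, None, False, note + "unauthorized: all frames discarded")
    if returned_policy:
        return Decision(True, returned_policy, True, "authorized: policy from Filter-Id")
    if default_policy:
        return Decision(True, default_policy, True, "authorized: default policy stays active")
    return Decision(True, None, True, "authorized: port configuration")


# Constructed policy definitions, standing in for rules pre-configured in the switch.
KNOWN_POLICIES = {"Engineering": "VLAN 20, priority 3", "Guest": "VLAN 99, priority 0"}

# Constructed Access-Accept attribute bytes: Session-Timeout (type 27, 3600 s)
# followed by Filter-Id (type 11) carrying the policy string.
SAMPLE_ACCEPT_ATTRS = (bytes([27, 6, 0, 0, 0x0E, 0x10])
                       + bytes([FILTER_ID, 13]) + b"Engineering")


def decide_from_accept(attrs: bytes, default_policy: Optional[str] = None) -> Decision:
    """Authorized port in Auto mode: derive the decision from the server's attributes."""
    return decide(PortControl.AUTO, True, default_policy,
                  filter_id_from_attributes(attrs), KNOWN_POLICIES)


if __name__ == "__main__":
    print(decide_from_accept(SAMPLE_ACCEPT_ATTRS))
    print(decide(PortControl.AUTO, True, "Guest", "Finance", KNOWN_POLICIES))
```

The second call in the usage block shows the case the table singles out: a server that returns a policy string unknown to the switch leaves the port unauthenticated, so with a default policy present the supplicant gets the default (typically restricted) policy rather than the intended one, and with no default policy the port discards everything. Checking that every Filter-Id a Radius server can return is defined on the switch is therefore part of verifying this configuration.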
3.13 EAP STATISTICS MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu > Security Menu > EAP Statistics Menu
For 6C107 chassis:
Password > Module Selection > Module Menu > Security Menu > EAP Statistics Menu
When to Use
To access the EAP Session Statistics, EAP Authenticator Statistics, and EAP Diagnostic Statistics screens.
How to Access
Use the arrow keys to highlight the EAP STATISTICS menu item on the Security Menu screen and press ENTER. The EAP Statistics Menu screen, Figure 3-14, displays.
Screen Example
Figure 3-14 EAP Statistics Menu Screen
EAP SESSION STATISTICS
EAP AUTHENTICATOR STATISTICS
EAP DIAGNOSTIC STATISTICS
RETURN   EXIT
Menu Descriptions
Refer to Table 3-12 for a functional description of each menu item.
Table 3-12 EAP Statistics Menu Screen Descriptions
Menu Item… Screen Function…
EAP SESSION STATISTICS: Used to review and clear EAP session statistics for each port. For details, refer to Section 3.13.1.
EAP AUTHENTICATOR STATISTICS: Used to review authenticator statistics for each port, including EAP frame types received and transmitted, and frame version number and source MAC address. For details, refer to Section 3.13.2.
EAP DIAGNOSTIC STATISTICS: Used to view port counters useful for EAP troubleshooting, including logoffs and timeouts while authenticating, and to view authorization failure messages from the authentication server. For details, refer to Section 3.13.3.
3.13.1 EAP Session Statistics Screen
When to Use
To review and clear EAP session statistics for each port.
How to Access
Use the arrow keys to highlight the EAP SESSION STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Session Statistics screen, Figure 3-15, displays.
Screen Example
Figure 3-15 EAP Session Statistics Screen
SessionID: (1, 00-00-00-00-00-00)
SessionOctetsRx: 0
SessionOctetsTx: 0
SessionFramesRx: 0
SessionFramesTx: 0
Session Authenticate Method: remote Authentication Server
Session Time: 00 days 00:00:00
Session Terminate Cause: port failure
Session User Name:
Port Number: [ 1]   CLEAR COUNTERS   RETURN   EXIT
Field Descriptions
Refer to Table 3-13 for a functional description of each screen field.
Table 3-13 EAP Session Statistics Screen Field Descriptions
Use this field… To…
SessionID (Read-Only): See the unique ASCII string identifier for a particular session.
SessionOctetsRx (Read-Only): See counts of user data octets received on the port during a particular session.
SessionOctetsTx (Read-Only): See counts of user data octets transmitted on the port during a particular session.
SessionFramesRx (Read-Only): See counts of user data frames received on the port during a particular session.
SessionFramesTx (Read-Only): See counts of user data frames transmitted on the port during a particular session.
Session Authenticate Method (Read-Only): See whether the session was established by a remote Authentication Server or a local Authentication Server.
Session Time (Read-Only): See the amount of time a session has been active in days, hours, minutes, and seconds.
Session Terminate Cause (Read-Only): See which of the following reasons ended the session:
  Supplicant Logoff: End user logged off.
  port failure: Authentication port failed.
  Supplicant Restart: End user restarted session.
  Reauthentication Failed: A previously authenticated Supplicant has failed to re-authenticate successfully following timeout of the reauthentication timer or explicit reauthentication.
  authControlForceUnauth: Port forced to unauthorized mode by network manager.
  portReInit: Port reinitialized.
  portAdminDisabled: Port disabled.
  notTerminatedYet: Session still active.
Session User Name (Read-Only): See the user name associated with the PAE (Point of Access Entity).
Port Number (Selectable): Select the port number to display the associated EAP Session Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Session Statistics.
CLEAR COUNTERS (Command): Set the octets and frame counters to zero for a particular port. To clear the counters, highlight CLEAR COUNTERS and press ENTER.
  NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
3.13.2 EAP Authenticator Statistics Screen
When to Use
To review authenticator statistics for each port, including EAP frame types received and transmitted, and frame version number and source MAC address. The counters on this screen refresh automatically.
How to Access
Use the arrow keys to highlight the EAP AUTHENTICATOR STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Authenticator Statistics screen, Figure 3-16, displays.
Screen Example
Figure 3-16 EAP Authenticator Statistics Screen
Total Frames Rx: 0            Frame Version: 0
Total Frames Tx: 0            Frame Source: 00-00-00-00-00-00
Start Frames Rx: 0
Logoff Frames Rx: 0
Response Id Frames Rx: 0
Response Frames Rx: 0
Request Id Frames Tx: 0
Request Frames Tx: 0
Invalid Frames Rx: 0
Length Error Frames Rx: 0
Port Number: [ 1]   CLEAR COUNTERS   RETURN   EXIT
Field Descriptions
Refer to Table 3-14 for a functional description of each screen field.
Table 3-14 EAP Authenticator Statistics Screen Field Descriptions
Use this field… To…
Total Frames Rx (Read-Only): See counts of all EAP frames received by the authenticator.
Total Frames Tx (Read-Only): See counts of all EAP frames transmitted by the authenticator.
Start Frames Rx (Read-Only): See counts of EAP start type frames received by the authenticator.
Logoff Frames Rx (Read-Only): See counts of EAP logoff type frames received by the authenticator.
Response Id Frames Rx (Read-Only): See counts of EAP response identification type frames received by the authenticator.
Response Frames Rx (Read-Only): See counts of EAP response type frames received by the authenticator.
Request Id Frames Tx (Read-Only): See counts of EAP request identification type frames transmitted by the authenticator.
Request Frames Tx (Read-Only): See counts of EAP request type frames transmitted by the authenticator.
Invalid Frames Rx (Read-Only): See counts of frames received by the authenticator that have an unrecognizable frame type.
Length Error Frames Rx (Read-Only): See counts of frames received by the authenticator with an invalid length field for the frame body.
Frame Version (Read-Only): See the EAP protocol version present in the most recent EAP frame.
Frame Source (Read-Only): See the source MAC address for the most recent EAP frame received.
Port Number (Selectable): Select the port number to display the associated EAP Authenticator Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Authenticator Statistics.
CLEAR COUNTERS (Command): Set the octets and frame counters to zero for a particular port. To clear the counters, highlight CLEAR COUNTERS and press ENTER.
  NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
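To make the received-frame counters of Table 3-14 concrete, the following Python classifier is added here; it is an example written for this guide, not Enterasys firmware code. It parses the EAPOL header (version, type, body length) and, for EAP packets, the EAP header, and increments the same counters the screen shows: Total, Start, Logoff, Response Id, Response, Invalid and Length Error Frames Rx, plus Frame Version and Frame Source. The frame layouts follow IEEE 802.1X and RFC 3748; the sample frames, the supplicant MAC address and the user name are constructed for the example.

```python
"""Classifier mapping received EAPOL frames onto the per-port authenticator
counters of Table 3-14. Added example, not Enterasys firmware code. Frame
layouts follow IEEE 802.1X and RFC 3748; sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF_ALERT = 0, 1, 2, 3, 4
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # EAP code sent by a supplicant; Identity type


@dataclass
class AuthenticatorStats:
    total_frames_rx: int = 0
    start_frames_rx: int = 0
    logoff_frames_rx: int = 0
    response_id_frames_rx: int = 0
    response_frames_rx: int = 0
    invalid_frames_rx: int = 0
    length_error_frames_rx: int = 0
    frame_version: int = 0
    frame_source: str = "00-00-00-00-00-00"

    def receive(self, frame: bytes) -> str:
        """Account for one received Ethernet frame; returns its classification."""
        if len(frame) < 14 or int.from_bytes(frame[12:14], "big") != EAPOL_ETHERTYPE:
            return "not EAPOL"  # other traffic is outside these statistics
        self.total_frames_rx += 1
        self.frame_source = "-".join(f"{b:02X}" for b in frame[6:12])
        if len(frame) < 18:
            self.length_error_frames_rx += 1
            return "length error (truncated EAPOL header)"
        version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
        self.frame_version = version
        body = frame[18:]
        if body_len > len(body):
            self.length_error_frames_rx += 1
            return "length error (body shorter than declared)"
        body = body[:body_len]  # octets past the declared length are padding
        if ptype == EAPOL_START:
            self.start_frames_rx += 1
            return "EAPOL-Start"
        if ptype == EAPOL_LOGOFF:
            self.logoff_frames_rx += 1
            return "EAPOL-Logoff"
        if ptype in (EAPOL_KEY, EAPOL_ASF_ALERT):
            return "EAPOL-Key/ASF-Alert (no separate counter)"
        if ptype != EAP_PACKET:
            self.invalid_frames_rx += 1
            return f"invalid (unknown EAPOL type {ptype})"
        if body_len < 4:
            self.length_error_frames_rx += 1
            return "length error (EAP header incomplete)"
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            self.length_error_frames_rx += 1
            return "length error (EAP length inconsistent with body)"
        if code == EAP_RESPONSE:
            if eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
                self.response_id_frames_rx += 1
                return "EAP Response/Identity"
            self.response_frames_rx += 1
            return "EAP Response"
        return f"EAP code {code} (not a supplicant counter)"


def eapol_frame(src: bytes, ptype: int, body: bytes = b"", version: int = 1,
                declared_len: Optional[int] = None) -> bytes:
    """Build an Ethernet/EAPOL frame to the PAE group MAC (constructed input)."""
    pae_group = bytes.fromhex("0180c2000003")
    length = len(body) if declared_len is None else declared_len
    return (pae_group + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", version, ptype, length) + body)


def eap_response(ident: int, eap_type: int, data: bytes) -> bytes:
    """Build an EAP Response packet (RFC 3748 code 2) carrying one type."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data


SUPPLICANT = bytes.fromhex("02004c4f4f50")  # locally administered MAC, constructed
SAMPLE_FRAMES = [
    eapol_frame(SUPPLICANT, EAPOL_START),
    eapol_frame(SUPPLICANT, EAP_PACKET, eap_response(1, EAP_TYPE_IDENTITY, b"alice")),
    eapol_frame(SUPPLICANT, EAP_PACKET, eap_response(2, 4, bytes(16))),  # type 4: MD5-Challenge
    eapol_frame(SUPPLICANT, 9),                                          # unknown EAPOL type
    eapol_frame(SUPPLICANT, EAP_PACKET, eap_response(3, 4, bytes(16)), declared_len=60),
    eapol_frame(SUPPLICANT, EAPOL_LOGOFF, version=2),
]


def run_sample() -> AuthenticatorStats:
    """Feed the constructed frames through the classifier for one port."""
    stats = AuthenticatorStats()
    for frame in SAMPLE_FRAMES:
        stats.receive(frame)
    return stats
```

The fourth and fifth sample frames show the difference between the two error counters: an unknown EAPOL packet type lands in Invalid Frames Rx, while a body length field that overstates the frame lands in Length Error Frames Rx. A steadily rising count in either on a user port is worth correlating with the Frame Source address, which the screen keeps from the most recent frame only.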
3.13.3 EAP Diagnostic Statistics Screen
When to Use
To view port counters useful for EAP troubleshooting, including logoffs and timeouts while authenticating, and to view authorization failure messages from the authentication server. The counters on this screen refresh automatically.
How to Access
Use the arrow keys to highlight the EAP DIAGNOSTIC STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Diagnostic Statistics screen, Figure 3-17, displays.
Screen Example
Figure 3-17 EAP Diagnostic Statistics Screen
Enters Connecting: 0            Logoffs Connecting: 0
Enters Authenticating: 0        Success Authenticating: 0
Timeouts Authenticating: 0      Fail Authenticating: 0
Reauths Authenticating: 0       Starts Authenticating: 0
Logoffs Authenticating: 0       Reauths Authenticated: 0
Starts Authenticated: 0         Logoffs Authenticated: 0
------ Backend Statistics ------
Responses: 0                    Access Challenges: 0
Other Requests To Supp: 0       Non-NAK resp From Supp: 0
Auth Successes: 0               Auth Failures: 0
Port Number: [ 1]   CLEAR COUNTERS   RETURN   EXIT
Field Descriptions
Refer to Table 3- 15 for a functional description of each screen field.
Table 3-15 EAP Diagnostic Statistics Screen Field Descriptions
Use this field… To …
Enters Connecting
(Read-Only)
Logoffs Connecting
(Read-Only)
Enters Authenticating
(Read-Only)
Success Authenticating
(Read-Only)
Timeouts Authenticating
(Read-Only)
Fail Authenticating
(Read-Only)
See counts of transitions to connecting state from any other state.
See counts of transitions from connecting to disconnected state after an EAPOL logoff message. EAPOL is an encapsulation of the EAP protocol, plus some extra data fields, within a LAN frame.
See counts of transitions from connecting to authenticating state after an EAP Respld message is received from the supplicant (end-user requesting authentication).
See counts of transitions from authenticating to authenticated state after backend authentication has a successful authentication with the supplicant (end-user requesting authentication).
See counts of transitions from authenticating to aborting state due to backend authentication timing out.
See counts of transitions from authenticating to held state due to backend authentication failure.
Reauths Authenticating
See counts of transitions from authenticating to aborting state due to reauthentication requests.
(Read-Only)
Starts Authenticating
See counts of transitions from authenticating to aborting state due to a start from the supplicant (end-user requesting authentication).
(Read-Only)
Logoffs Authenticating
(Read-Only)
3-52 Accessing Local Management
See counts of transitions from authenticating to aborting state due to a logoff message from the supplicant (end-user requesting authentication).
EAP Statistics Menu Screen
Table 3-15 EAP Diagnostic Statistics Screen Field Descriptions (Continued)
Use this field… To…
Reauths Authenticated (Read-Only): See counts of transitions from authenticated to connecting state due to a reauthentication request.
Starts Authenticated (Read-Only): See counts of transitions from authenticated to connecting state due to a start from the supplicant (end-user requesting authentication).
Logoffs Authenticated (Read-Only): See counts of transitions from authenticating to disconnected state due to a logoff message from the supplicant (end-user requesting authentication).
Backend Statistics:
Responses (Read-Only): See counts of initial access-request frames to the authentication server.
Access Challenges (Read-Only): See counts of initial access-challenge frames to the authentication server.
Other Requests To Supp (Read-Only): See counts of EAP request frames transmitted that are not EAP notification, failure or success-type messages. This frame count indicates that the authenticator picked an EAP method.
Non-NAK resp From Supp (Read-Only): See counts of initial responses to an EAP request from the supplicant (end-user requesting authentication). The count does not include EAP-NAK frames. This count indicates that the supplicant can communicate with the chosen EAP method.
Auth Successes (Read-Only): See counts of EAP success messages from the authentication server. Indicates that the supplicant is successfully authenticated.
Auth Failures (Read-Only): See counts of EAP failure messages from the authentication server. Indicates that the supplicant is not authenticated.
Port Number (Selectable): Select the port number to display the associated EAP Diagnostic Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Diagnostic Statistics.
CLEAR COUNTERS (Command): Set the octets and frame counters to zero for a particular port. To clear the counters, use the arrow keys to highlight CLEAR COUNTERS and press ENTER.
NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
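The counters in Table 3-15 are easiest to read as a record of which authenticator state-machine transitions and backend frames a port has seen. The following is an added illustrative model, not Enterasys code: it replays a constructed event sequence through a simplified 802.1X authenticator PAE and increments the screen counters as the field descriptions define them; the state and event names are assumptions of the model.

```python
from collections import Counter

# Authenticator PAE states that the Table 3-15 field descriptions refer to.
CONNECTING, AUTHENTICATING, AUTHENTICATED = "connecting", "authenticating", "authenticated"
ABORTING, HELD, DISCONNECTED = "aborting", "held", "disconnected"

# (current state, event) -> (next state, LM counter incremented), taken from
# the field descriptions. Event names are constructed for this model.
TRANSITIONS = {
    (CONNECTING, "supp_response"):   (AUTHENTICATING, "Non-NAK resp From Supp"),
    (AUTHENTICATING, "reauth"):      (ABORTING, "Reauths Authenticating"),
    (AUTHENTICATING, "start"):       (ABORTING, "Starts Authenticating"),
    (AUTHENTICATING, "logoff"):      (ABORTING, "Logoffs Authenticating"),
    (AUTHENTICATING, "eap_success"): (AUTHENTICATED, "Auth Successes"),
    (AUTHENTICATING, "eap_failure"): (HELD, "Auth Failures"),  # backend failure -> held
    (AUTHENTICATED, "reauth"):       (CONNECTING, "Reauths Authenticated"),
    (AUTHENTICATED, "start"):        (CONNECTING, "Starts Authenticated"),
    (AUTHENTICATED, "logoff"):       (DISCONNECTED, "Logoffs Authenticated"),
}
# Backend frames counted in the Backend Statistics block; no state change.
FRAME_COUNTERS = {
    "access_request":   "Responses",
    "access_challenge": "Access Challenges",
    "eap_request":      "Other Requests To Supp",
}

def replay(events, state=CONNECTING):
    """Drive one port through `events`; return (final PAE state, counters)."""
    counters = Counter()
    for ev in events:
        if ev in FRAME_COUNTERS:
            counters[FRAME_COUNTERS[ev]] += 1
        elif (state, ev) in TRANSITIONS:
            state, name = TRANSITIONS[(state, ev)]
            counters[name] += 1
        # An EAP-NAK, or an event not valid in the current state, changes
        # nothing: the table defines no counter for it.
    return state, counters

def clear_counters(counters):
    """CLEAR COUNTERS on the LM screen zeroes the screen counters only; the
    MIB objects behind them keep their values (not modelled here)."""
    counters.clear()
    return counters

# Constructed session: identity response, RADIUS exchange, success, then a
# reauthentication whose backend check fails and parks the port in held.
SESSION = ["supp_response", "access_request", "access_challenge", "eap_request",
           "eap_success", "reauth", "supp_response", "access_request", "eap_failure"]
```

replay(SESSION) ends in the held state with Auth Successes, Auth Failures and Reauths Authenticated each at 1, and Responses and Non-NAK resp From Supp at 2, which is the pattern an operator would see on the screen after a failed reauthentication.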
3.14 MAC PORT CONFIGURATION SCREEN
When to Use
To display the authentication state of the supplicant associated with each port, enable or disable the authentication function, initialize authentication status, and force a revalidation of the MAC credential on a per port basis.
How to Access
Use the arrow keys to highlight the MAC PORT CONFIGURATION menu item on the Security Menu screen and press ENTER. The MAC Port Configuration screen, Figure 3-18, displays.
Screen Example
Figure 3-18 MAC Port Configuration Screen

                         MAC Port Configuration Screen

  Port  Authentication State  Port Enable  Initialize Port  Force Reauth
  ----------------------------------------------------------------------
   1    authenticated         [Enabled]    [FALSE]          [FALSE]
   2    authenticated         [Disabled]   [FALSE]          [FALSE]
   3    unauthenticated       [Enabled]    [FALSE]          [FALSE]
   4    unauthenticated       [Enabled]    [FALSE]          [FALSE]
   5    authenticated         [Enabled]    [FALSE]          [FALSE]
   6    authenticated         [Enabled]    [FALSE]          [FALSE]
   7    authenticated         [Enabled]    [FALSE]          [FALSE]
   8    authenticated         [Enabled]    [FALSE]          [FALSE]
   9    authenticated         [Enabled]    [FALSE]          [FALSE]

  SET ALL PORTS:              [Enabled]    [FALSE]          [FALSE]

  EXIT    SAVE    NEXT    PREVIOUS    RETURN

Field Descriptions
Refer to Table 3-16 for a functional description of each screen field.
Table 3-16 MAC Port Configuration Screen Field Descriptions
Use this field… To…
Port # (Read-Only): See the port numbers of all ports known to the device. Up to 9 ports can be displayed at a time. To see additional ports, select NEXT and press ENTER to display the authentication type and status for the next 10 ports.
Authentication State (Read-Only): See the current state of the MAC Authentication of a port supplicant. If a supplicant is currently active on that port, authenticated is displayed in this field; otherwise unauthenticated is displayed.
Port Enable (Toggle): Enable or disable MAC authentication for a given port.
Initialize Port (Single Setting): Initialize the authentication status of the port. When this field is set to TRUE, the current authentication session is terminated, the port returns to its initial authentication status, and the field returns to FALSE.
Force Reauth (Single Setting): Force the revalidation of the MAC credential for the port. When this field is set to TRUE, revalidation is executed and the field returns to FALSE; it always reads a value of FALSE.
SET ALL PORTS (Command): Set all ports in the module to the settings in the associated Port Enable, Initialize Port, and Force Port columns.
3.15 MAC SUPPLICANT CONFIGURATION SCREEN
When to Use
To determine the active MAC Authentication supplicants on the module and perform limited configuration on these supplicants, which includes initializing the supplicant and reauthenticating the supplicant.
How to Access
Use the arrow keys to highlight the MAC SUPPLICANT CONFIGURATION menu item on the Security Menu screen and press ENTER. The MAC Supplicant Configuration screen, Figure 3-19, displays.
Screen Example
Figure 3-19 MAC Supplicant Configuration Screen

                      MAC Supplicant Configuration Screen

  Port  Duration (dd:hh:mm:ss)  MAC Address         Initialize Supplicant  Reauthenticate Supplicant
  -------------------------------------------------------------------------------------------------
   1    00:12:23:58             nn-nn-nn-nn-nn-nn   [FALSE]                [FALSE]
   2    54:02:56:00             nn-nn-nn-nn-nn-nn   [FALSE]                [FALSE]

  EXIT    SAVE    NEXT    PREVIOUS    RETURN

Field Descriptions
Refer to Table 3-17 for a functional description of each screen field.
Table 3-17 MAC Supplicant Configuration Screen Field Descriptions
Use this field… To…
Port (Read-Only): See the port numbers of all ports known to the device. Up to 10 ports can be displayed at a time. To see additional ports, select NEXT and press ENTER to display the authentication type and status for the next 10 ports.
Duration (Read Only): See the time in days:hours:minutes:seconds that an active supplicant is logged on via the port.
MAC Address (Read Only): See the ASCII value of the MAC address for each active supplicant associated with a port.
Initialize Supplicant (Single Setting): Terminate the current session with a supplicant. When set to TRUE, the current session is terminated. It always displays a value of FALSE.
Reauthenticate Supplicant (Single Setting): Force a revalidation of the MAC credential for the supplicant. When set to TRUE, the switch forces the revalidation. It always displays a value of FALSE.