Enterasys Networks reserves the right to make changes in specifications and other information contained in this
document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine
whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL,
OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS)
ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN
THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN
OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2003 Enterasys Networks, Inc. All rights reserved.
Printed in the United States of America.
Part Number: 9033528-06 June 2003
ENTERASYS NETWORKS, ENTERASYS MATRIX, LANVIEW, MATRIX, NETSIGHT, SMARTSWITCH,
WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in
the United States and other countries.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective
companies.
Version: Information in this guide refers to Matrix E7 Series and SmartSwitch
6000 Series firmware version 5.05.xx.
ENTERASYS NETWORKS, INC.
PROGRAM LICENSE AGREEMENT
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,
CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc. on behalf of
itself and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to
the Enterasys software program (including any accompanying documentation, hardware or media) (“Program”) in the
package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase
order or other document submitted by You. “Affiliate” means any person, partnership, corporation, limited liability
company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is
controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding
between the parties, and supersedes all prior discussions, representations, understandings or agreements, whether oral or
in writing, between the parties with respect to the subject matter of this Agreement. The Program may be contained in
firmware, chips or other media.
BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED
TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE
BEHALF YOU ARE AUTHORIZED TO ACT, “YOU” AND “YOUR” SHALL BE DEEMED TO REFER TO SUCH
ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH
INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE
LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT
AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE
PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR
DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL
DEPARTMENT AT (603) 332-9400.
You and Enterasys agree as follows:
1. LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program
provided in this package subject to the terms and conditions of this Agreement.
2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any
third party to:
(i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of
error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent
the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information
necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon
payment of Enterasys’ applicable fee.
(ii) Incorporate the Program, in whole or in part, in any other product or create derivative works based on the
Program, in whole or in part.
(iii) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part.
(iv) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer
the Program, in whole or in part, except for a sale or other transfer of the hardware in which the Program is
embedded.
(v) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in
any part of the Program.
3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal
courts of New Hampshire without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue
of the New Hampshire courts. None of the 1980 United Nations Convention on Contracts for the International Sale of
Goods, the United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform
Computer Information Transactions Act shall apply to this Agreement.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies
of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain
technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or
an exception from obtaining such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export
Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the
Program for civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export
Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You
agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country
in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia,
Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People’s Republic of China,
Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be
designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct
product of the Program or the technology, if such foreign produced direct product is subject to national security controls
as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any
major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component
thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce
Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely
at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section
52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in
all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program
is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use,
duplication, or disclosure by the Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. ENTERASYS DISCLAIMS ALL WARRANTIES, OTHER THAN THOSE
SUPPLIED TO YOU BY ENTERASYS IN WRITING, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A
PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF
IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED
WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM
TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL,
INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE
OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF
ACTION UNDER WHICH DAMAGES ARE SOUGHT.
THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM,
IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO
ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of
critical value to Enterasys and, accordingly, You hereby agree to maintain complete books, records and accounts showing
(i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and
its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business
hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify
compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying
and deployment of the Program. Enterasys’ right of examination shall be exercised reasonably, in good faith and in a
manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance
with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall
promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion
and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon
any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and
all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the
Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement
reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to
the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved
to Enterasys.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You
may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys
may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and
all remedies available at law.
11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations
under this Agreement, except in connection with the sale or other transfer of the hardware in which the Program is
embedded. Enterasys may assign this Agreement in its sole discretion.
12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in
writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to
enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement
on any other occasion.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the
validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired
thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such
invalidity, illegality or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such
provision in any other jurisdiction.
14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and
conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall
return to Enterasys the Program and all copies of the Program.
About This Guide
Welcome to the Enterasys Networks Matrix E7 Series and SmartSwitch 6000 Series Modules
(6H2xx, 6E2xx, 6H3xx and 6G3xx) Local Management User’s Guide. This manual explains how
to access and use the Local Management screens to monitor and manage the switch modules, the
attached segments, and the SmartSwitch 6C105 or Matrix E7 6C107 chassis.
When a mix of 6H2xx, 6E2xx, 6H3xx, and 6G3xx modules is installed in the 6C107 chassis, you
must follow the module installation rules provided in the Matrix E7 Chassis Overview and Setup Guide for proper operation.
Important Notices
Depending on the firmware version used in the switch module, some features described in this
document may not be supported. Refer to the Release Notes shipped with the switch module to
determine which features are supported.
There are restrictions on the version of firmware required for 6H302-48 modules with a serial
number starting with 3655xxxxxx. The serial number is visible on the top ejector tab of the switch,
or by querying the PIC MIB. For firmware in the 5.x track, version 5.03.05 or higher must be used
on 6H302-48 modules with a serial number starting with 3655. For the 4.x firmware track, 4.08.41
or higher must be used on 6H302-48 modules with a serial number starting with 3655.
USING THIS GUIDE
A general working knowledge of basic network operations and an understanding of management
applications is helpful prior to using Enterasys Networks Local Management.
This manual describes how to do the following:
• Access the Local Management application
• Identify and operate the types of fields used by Local Management
• Navigate through Local Management fields and menus
• Use Local Management screens to perform management operations
• Establish and manage Virtual Local Area Networks (VLANs)
STRUCTURE OF THIS GUIDE
The guide is organized as follows:
Chapter 1, Introduction, provides an overview of the tasks that may be accomplished using Local
Management (LM), and an introduction to LM screen navigation, in-band and out-of-band
network management, screen elements, and LM keyboard conventions.
Chapter 2, Local Management Requirements, provides the setup requirements for accessing
Local Management, the instructions to configure and connect a management terminal to the
SmartSwitch, and the instructions for connecting the SmartSwitch to an Uninterruptible Power
Supply (UPS) to monitor the UPS power status.
Chapter 3, Accessing Local Management, describes how to use the Main Menu screen to select
either the Chassis Menu screen or the Module Selection screen. The Chassis Menu screen is the
access point to the set of Local Management screens for the chassis. The Module Selection screen
is used to select the module to be configured and its Module Menu screen. The Module Menu
screen is the access point to the set of Local Management screens for the selected module and the
Module Login Password screen. The Security screens are also described in this chapter.
Chapter 4, Chassis Menu Screens, describes the Chassis Menu screen and the screens that can be
selected to configure chassis operation. These screens are used to configure the operating
parameters for the chassis, assign community names, and set SNMP traps; and obtain the operating
status of the chassis power supplies, power supply redundancy, and chassis fan tray. This screen
also provides access to screens to configure the port redirect and VLAN redirect functions.
NOTE: If you are installing modules into a seven-slot 6C107 chassis, there are
installation rules that must be followed to install 6H202, 6H203, 6H253, 6H258, 6H259,
6H262, 6E233, and 6E253 modules along with 6H3xx and 6G3xx modules in the same
chassis. Otherwise, the system will not operate properly.
Chapter 5, Module Configuration Menu Screens, describes the Module Configuration Menu
screen and the screens that can be selected from it. These screens are used to control access to the
switch module by assigning community names, configure the switch module to send SNMP trap
messages to multiple network management stations, limit access according to an Access Control
List (ACL) for additional security, access system resource information, download a new firmware
image to the switch module, provide access to menu screens to configure ports, and configure the
switch module for 802.1, 802.1Q VLAN, and layer 3 operations.
Chapter 6, Port Configuration Menu Screens, describes how to use the screens to configure the
ports for various operations, such as for Ethernet Interface, HSIM/VHSIM, port and VLAN
redirect, SmartTrunk, and broadcast suppression configuration.
Chapter 7, 802.1 Configuration Menu Screens, describes how to access the Spanning Tree
Configuration Menu, 802.1Q VLAN Configuration Menu, and 802.1p Configuration Menu,
screens. This chapter also introduces and describes how to use the Spanning T ree screens to create
a separate Spanning Tree topology for each VLAN configured in the module.
Chapter 8, 802.1Q VLAN Configuration Menu Screens, describes how to use the screens to
create static VLANs, select the mode of operation for each port, filter frames according to VLAN,
establish VLAN forwarding (Egress) lists, route frames according to VLAN ID, display the
current ports and port types associated with a VLAN and protocol, and configure ports on the
switch as GVRP-aware ports. VLAN classification and classification rules are also discussed.
Chapter 9, 802.1p Configuration Menu Screens, describes how to use the screens to set the
transmit priority of each port, display the current traffic class mapping-to-priority of each port, set
ports to either transmit frames according to selected priority transmit queues or percentage of port
transmission capacity for each queue, assign transmit priorities according to protocol types, and
configure a rate limit for a given port and list of priorities.
Chapter 10, Layer 3 Extensions Menu Screens, introduces and describes how to enable or
disable IGMP (Internet Group Management Protocol, RFC 2236) on selected VLANs, or globally
on all VLANs that are available.
Chapter 11, Module Statistics Menu Screens, introduces and describes how to use the statistics
screens to gather statistics about the switch, interfaces, RMON, and HSIM/VHSIM and, if the
device is a repeater, repeater statistics.
Chapter 12, Network Tools Screens, describes how to access and use the Network Tool screens.
This chapter also includes examples for each command.
Chapter 13, VLAN Operation and Network Applications, introduces VLANs, describes how
they operate, and how to configure them using the Local Management screens described in
Chapter 8. Examples are also provided to show how VLANs are configured to solve a problem and
how the VLAN frames travel through the network.
Appendix A, Generic Attribute Registration Protocol (GARP), describes the switch operation
when its ports are configured to operate under the Generic Attribute Registration Protocol (GARP)
application – GARP VLAN Registration Protocol (GVRP).
NOTE: There is a global setting for GVRP that is enabled by default. However, this
setting is only accessible through a Management Information Base (MIB).
Appendix B, About IGMP, introduces the Internet Group Management Protocol (IGMP), its
features and functions, and describes how it detects multicast routers.
RELATED DOCUMENTS
The following Enterasys Networks documents may help to set up, control, and manage the switch
module:
• 6C105 SmartSwitch 6000 Overview and Setup Guide
• Matrix E7 Chassis Overview and Setup Guide
• SmartTrunk User’s Guide
• WAN Series Local Management User’s Guide
Documents associated with the optional HSIM and VHSIM interface modules, module installation
user’s guides, and the manuals listed above, can be obtained from the World Wide Web in Adobe
Acrobat Portable Document Format (PDF) at the following web site:
http://www.enterasys.com
DOCUMENT CONVENTIONS
The guide uses the following conventions:
NOTE: Calls the reader’s attention to any item of information that may be of special
importance.
TIP: Conveys helpful hints concerning procedures or actions.
CAUTION: Contains information essential to avoid damage to the equipment.
TYPOGRAPHICAL AND KEYSTROKE CONVENTIONS
bold type: Bold type can denote either a user input or a highlighted screen selection.
RETURN: Indicates either the ENTER or RETURN key, depending on your keyboard.
ESC: Indicates the keyboard Escape key.
SPACE bar: Indicates the keyboard space bar key.
BACKSPACE: Indicates the keyboard backspace key.
arrow keys: Refers to the four keyboard arrow keys.
[-]: Indicates the keyboard – key.
DEL: Indicates the keyboard delete key.
italic type: Italic type indicates complete document titles.
n.nn: A period in numerals signals the decimal point indicator (e.g., 1.75 equals
one and three fourths). Or, periods used in numerals signal the decimal point
in Dotted Decimal Notation (DDN) (e.g., 000.000.000.000 in an IP address).
x: A lowercase italic x indicates the generic use of a letter (e.g., xxx indicates
any combination of three alphabetic characters).
n: A lowercase italic n indicates the generic use of a number (e.g., 19nn
indicates a four-digit number in which the last two digits are unknown).
[ ]: In the Local Management screens, the square brackets indicate that a value
may be selected. In the format descriptions in the Network Tools section,
required arguments are enclosed in square brackets, [ ].
< >: In the format descriptions in the Network Tools section, optional arguments
are enclosed in angle brackets, < >.
1 Introduction
This chapter provides an overview of the tasks that may be accomplished using Local Management
(LM), and an introduction to LM screen navigation, in-band and out-of-band network
management, screen elements, and LM keyboard conventions.
1.1 OVERVIEW
Enterasys Networks Local Management is a management tool that allows a network manager to
perform the following tasks:
• Assign IP address and subnet mask.
• Select a default gateway.
• Assign a login password to the module for additional security.
• Download a new firmware image.
• Upload or download a configuration file to or from a TFTP server.
• Designate which Network Management Workstations will receive SNMP traps from the switch.
• Designate which Network Management Workstations are allowed to access the switch module.
• View switch, interface, and RMON statistics.
• Assign ports to operate in the standard or full duplex mode.
• Configure ports to perform load sharing using SmartTrunking. Refer to the SmartTrunk User’s
Guide for details.
• Control the number of receive broadcasts that are switched to the other interfaces.
• Set flow control on a port-by-port basis.
• Configure ports to prioritize incoming frames at Layer 2, Layer 3, and Layer 4.
• Clear NVRAM.
• Set 802.1Q VLAN memberships and port configurations.
• Redirect frames according to port or VLAN and transmit them on a preselected destination port.
• Create a separate Spanning Tree topology for each VLAN configured in the switch module.
• Transmit frames on preselected destination ports according to protocol and priority or protocol
and VLAN.
• Configure the switch to operate as a Generic Attribute Registration Protocol (GARP) module to
dynamically create VLANs across a switched network.
• Configure the module to control the rate of network traffic entering and leaving the switch on a
per port/priority basis.
• Configure an optional HSIM or VHSIM installed in the device.
• Configure the module to dynamically switch frames according to a characteristic rule and
VLAN.
• Configure ports on the switch module as Virtual Router Redundancy Protocol (VRRP) ports.
• Provide additional security and policy administration capabilities via Port-based Web
Authentication (PWA) by configuring pertinent variables within the LM screen.
• Configure multiple ports to act in an 802.3ad trunk group.
• Configure and manage the use of 802.1w, a standards-based method to rapidly fail over links to
reduce downtime on a network.
• Provide additional security by configuring a physical port to lock on an attached device
according to a Classification rule so no other device can be connected to that port and used.
There are three ways to access Local Management:
• Locally using a VT type terminal connected to the COM port.
• Remotely using a VT type terminal connected through a modem.
• In-band through a Telnet connection.
1.1.1 The Management Agent
The management agent is an entity within the switch module that collects statistical information
(e.g., frames received, errors detected) about the operational performance of the managed network.
Local Management communicates with the management agent for the purpose of viewing statistics
or issuing management commands. Local Management provides a wide range of screens used to
monitor and configure the switch module.
1.1.2 In-Band vs. Out-of-Band
Network management systems are often classified as either in-band or out-of-band. In-band
network management passes data along the same medium (cables, frequencies) used by all other
stations on the network.
Out-of-band network management passes data along a medium that is entirely separate from the
common data carrier of the network, for example, a cable connection between a terminal and a
switch module COM port. Enterasys Networks Local Management is an out-of-band network
management system.
A module connected out-of-band to the management agent is not connected to the LAN. This type
of connection allows you to communicate with a network module even when that module is unable
to communicate through the network, for example, at the time of installation.
1.2 NAVIGATING LOCAL MANAGEMENT SCREENS
To navigate within a Local Management screen, use the arrow keys of the terminal or the
workstation providing terminal emulation services. The Local Management screen cursor responds
to the LEFT, RIGHT, UP, and DOWN arrow keys. Each time you press an arrow key, the Local
Management screen cursor moves to the next available field in the direction of the arrow key.
The Local Management screen cursor only moves to fields that can be selected or used for input.
This means that the cursor jumps over display fields and empty lines on the Local Management
screen.
The Local Management screen cursor provides wrap-around operation. This means that a cursor
located at the edge of a screen, when moved in the direction of that edge, “wraps around” to the
outermost selectable item on the opposite side of the screen which is on the same line or column.
1.3 LOCAL MANAGEMENT REQUIREMENTS
The switch module provides one communication port, labeled COM, which supports a
management terminal connection. To access Local Management, connect one of the following
systems to the COM port:
• Digital Equipment Corporation VT series terminal.
• VT type terminal running emulation programs for the Digital Equipment Corporation VT series.
• IBM or compatible PC running a VT series emulation software package.
You can also access Local Management using a Telnet connection through one of the network
ports of the switch module.
NOTE: For details on how to connect a console to the switch module, the setup
parameters for the console, or how to make a telnet connection, refer to Chapter 2.
1.4 LOCAL MANAGEMENT SCREEN ELEMENTS
There are six types of screens used in Local Management: password, menu, statistics,
configuration, status, and warning screens. Each type of screen can consist of one to five basic
elements, or fields. Figure 1-1 shows an example of the fields in a screen. A description of each
field follows the figure.
Figure 1-1 (screen graphic not reproduced). The figure’s callout reads: This shows the location of
the cut away that is used in most of the screen graphics in this document. The top portion of the
screen is cut away to eliminate repeating the same information in each graphic. The screen title is
contained in its figure title.
Event Message Field
This field briefly displays messages that indicate if a Local Management procedure was executed
correctly or incorrectly, that changes were saved or not saved to Non-Volatile Random Access
Memory (NVRAM), or that a user did not have access privileges to an application.
Table 1-1 describes the most common event messages. Event messages related to specific Local
Management applications are described with those applications throughout this manual.
Table 1-1 Event Messages
Message: What it Means
SAVED OK: One or more fields were modified, and saved to NVRAM.
NOT SAVED--PRESS SAVE TO KEEP CHANGES: Attempting to exit the LM screen after one or more
fields were modified, but not saved to NVRAM.
NOTHING TO SAVE: The SAVE command was executed, but nothing was saved to NVRAM because
there were no configuration changes since the data was last saved.
Heading Field
Indicates whether the module was accessed using the chassis or module IP address. If the chassis
IP address is used to access the module, the heading will be the chassis name, e.g., 6C105. If the
module IP address is used to access the module, the module name will be in the heading, the same
as listed next to Module Type, e.g., 6H258-17.
Module Type and Slot Number Fields
Display only when a module is being accessed through Local Management. The module type is
displayed and the chassis slot number of the module is displayed. A chassis screen will not display
these fields.
Display Fields
Display fields cannot be edited. These fields may display information that never changes, or
information that may change as a result of Local Management operations, user selections, or
network monitoring information. In the screens shown in this guide, the characters in the display
fields are in plain type (not bold). In the field description, the field is identified as being
“read-only”.
Input Fields
Input Fields require the entry of keyboard characters. IP addresses, subnet mask, default gateway
and module time are examples of input fields. In the screens shown in this guide, the characters in
the input fields are in bold type. In the field description, the field is identified as being
“modifiable”.
Selection Fields
Selection fields provide a series of possible values. Only applicable values appear in a selection
field. In the screens shown in this guide, the selections display within brackets and are in bold
type. In the field description, the field is identified as being either “selectable” when there are more
than two possible values, or “toggle” when there are only two possible values.
Command Fields
Command fields are located at the bottom of Local Management screens. Command fields are
used to exit Local Management screens, save Local Management entries, or navigate to another
display of the same screen. In the screens shown in this guide, the characters in this field are all
upper case and in bold type. In the field description, the field is identified as being a “command”
field.
1.5 LOCAL MANAGEMENT KEYBOARD CONVENTIONS
All key names appear as capital letters in this manual. Table 1-2 explains the keyboard conventions
and the key functions that are used.
Table 1-2 Keyboard Conventions

ENTER Key, RETURN Key
    Used to enter data or commands. These keys perform the same Local
    Management function. For example, “Press ENTER” means that you
    can press either ENTER or RETURN, unless this manual specifically
    instructs you otherwise.
ESCAPE (ESC) Key
    Used to “escape” from a Local Management screen without saving
    changes. For example, “Press ESC twice” means the ESC key must be
    pressed quickly two times.
SPACE Bar, BACKSPACE Key
    Used to cycle through selections in some Local Management fields.
    Use the SPACE bar to cycle forward through selections and use the
    BACKSPACE key to cycle backward through selections.
Arrow Keys
    Used to move the screen cursor. For example, “Use the arrow keys”
    means to press whichever arrow key moves the cursor to the desired
    field on the Local Management screen.
DEL Key
    Used to remove characters from a Local Management field. For
    example, “Press DEL” means to press the Delete key.
1.6 GETTING HELP
For additional support related to the module or this document, contact Enterasys Networks using
one of the following methods:
World Wide Web: http://www.enterasys.com/
Phone: (603) 332-9400
Internet mail: support@enterasys.com
FTP: ftp://ftp.enterasys.com (Login: anonymous; Password: your email address)
To send comments or suggestions concerning this document, contact the Technical Writing
Department via the following email address: TechWriting@enterasys.com
Make sure to include the document Part Number in the email message.
Before contacting Enterasys Networks, have the following information ready:
•Your Enterasys Networks service contract number
•A description of the failure
•A description of any action(s) already taken to resolve the problem (e.g., changing mode
switches, rebooting the unit, etc.)
•The serial and revision numbers of all involved Enterasys Networks products in the network
•A description of your network environment (layout, cable type, etc.)
•Network load and frame size at the time of trouble (if known)
•The device history (i.e., have you returned the device before, is this a recurring problem, etc.)
•Any previous Return Material Authorization (RMA) numbers
2 Local Management Requirements
This chapter provides the following information:
•Management Terminal Setup (Section 2.1), which describes how to attach a Local Management
terminal to the switch module.
NOTE: When the 6C105 chassis is set to operate in the distributed mode, you can
connect the terminal to the COM port of any module in the chassis to access Local
Management of any module, unless the module is set to operate in the standalone
mode. In this case you must connect the terminal to the COM port of that module to
access its Local Management screens.
•Telnet Connections (Section 2.2), which provides guidelines when using a Telnet connection to
access Local Management.
•Monitoring an Uninterruptible Power Supply (Section 2.3), which describes how to make a
connection from the COM port to an American Power Conversion (APC) Uninterruptible Power
Supply (UPS) device. This type of connection enables the switch module to monitor the power
status in case of a power loss.
2.1 MANAGEMENT TERMINAL SETUP
Use one of the following systems to access Local Management:
•An IBM PC or compatible device running a VT series emulation software package
•A Digital Equipment Corporation VT100 type terminal
•A VT type terminal running emulation programs for the Digital Equipment Corporation
VT100 series
•A remote VT100 type terminal via a modem connection
•In-band via a Telnet connection
2.1.1 Console Cable Connection
Use the Console Cable Kit provided with the chassis to attach the management terminal to the
switch module COM port as shown in Figure 2-1.
To connect the switch module to a PC or compatible device running the VT terminal emulation,
proceed as follows:
1. Connect the RJ45 connector at one end of the cable (supplied in the kit) to the COM port on the
switch module.
2. Plug the RJ45 connector at the other end of the cable into the RJ45-to-DB9 adapter (supplied in
the kit).
3. Connect the RJ45-to-DB9 adapter to the PC communications port.
NOTE: If using a modem between the VT compatible device and the COM port of the
switch module, use the appropriate connector included in the console cable kit. Refer to
the modem manufacturer’s information for proper operation and setup of the modem.
As an example, Figure 2-1 shows the COM port connection to a 6H252-17 in a 6C105
chassis.
Figure 2-1 Management Terminal Connection
[Figure: the RJ45 COM port of a 6H252-17 module in the chassis, a UTP cable with RJ45
connectors, the RJ45-to-DB9 PC adapter, and the PC.]
2.1.2 Management Terminal Setup Parameters
Table 2-1 lists the setup parameters for the local management terminal.
Table 2-1 VT Terminal Setup

Display Setup Menu
    Columns -> 80 Columns
    Controls -> Interpret Controls
    Auto Wrap -> No Auto Wrap
    Scroll -> Jump Scroll
    Text Cursor -> Cursor
    Cursor Style -> Underline Cursor Style
General Setup Menu
    Mode -> VT100, 7 Bit Controls
    ID number -> VT100ID
    Cursor Keys -> Normal Cursor Keys
    Power Supply -> UPSS DEC Supplemental
Communications Setup Menu
    Transmit -> 2400, 4800, 9600, 19200
    Receive -> Receive=Transmit
    XOFF -> XOFF at 64
    Bits -> 8 bits
    Parity -> No Parity
    Stop Bit -> 1 Stop Bit
    Local Echo -> No Local Echo
    Port -> DEC-423, Data Leads Only
    Transmit -> Limited Transmit
    Auto Answerback -> No Auto Answerback
Keyboard Setup Menu
    Keys -> Typewriter Keys
    Auto Repeat -> any option
    Keyclick -> any option
    Margin Bell -> Margin Bell
    Warning Bell -> Warning Bell
2.2 TELNET CONNECTIONS
Once the switch module has a valid IP address, the user can establish a Telnet session from any
TCP/IP based node on the network. Telnet connections to the switch module require the
community name passwords assigned in the SNMP Community Names Configuration screen.
Because Telnet carries the password across the network in cleartext, restrict Telnet access to
trusted management stations (see the Host Access Control List in Section 3.6).
For information about setting the IP address, refer to Section 5.2.
For information about assigning community names, refer to Section 5.4.
Refer to the instructions included with the Telnet application for information about establishing a
Telnet session.
If the switch module is operating in the 802.1Q mode with configured VLANs, the management
station must be connected to a physical port on the device that is on the same VLAN as the virtual
Host Data Port. For more information about the virtual Host Data Port and the setup information
for remote management in a device that is to be configured with VLANs, refer to Section 13.8.
2.3 MONITORING AN UNINTERRUPTIBLE POWER SUPPLY
If the switch module is connected to an American Power Conversion (APC) Uninterruptible Power
Supply (UPS) device for protection against the loss of power, a connection from the switch module
COM port to the UPS can be made to monitor the UPS power status. To use the COM port for this
purpose, it must be reconfigured to support the UPS connection using the procedure described in
Section 5.2.10. Refer to the UPS documentation for details on how to access the status
information.
The Console Cable Kit provided with the switch module is used to connect the UPS to the switch
module COM port as shown in Figure 2-2. To connect the UPS device to the COM port, proceed as
follows:
1. Connect the RJ45 connector at one end of the cable to the COM port on the switch module.
2. Plug the RJ45 connector at the other end of the cable into the RJ45-to-DB9 male (UPS) adapter
(Enterasys Networks part number, 9372066).
3. Connect the RJ45-to-DB9 male (UPS) adapter to the female DB9 port on the rear of the UPS
device (refer to the particular UPS device’s user instructions for more specific information about
the monitoring connection).
Figure 2-2 Uninterruptible Power Supply (UPS) Connection
[Figure: the COM port of a 6H252-17 module connected by a UTP cable with RJ45 connectors,
through the RJ45-to-DB9 UPS adapter, to the DB9 port of the UPS device.]
3 Accessing Local Management
This chapter provides information about the following:
•Navigating through the Local Management screen hierarchy for 802.1Q Switching
(Section 3.1).
•Accessing the Password screen to enter a Local Management session (Section 3.2).
•Accessing the Main Menu screen and its menu items to gain access to the Local Management
screens for the 6C105 or 6C107 chassis and the modules installed in the chassis (Section 3.3).
•Accessing the Module Menu screen and its menu items to gain access to the Module
Configuration screens (described in Chapter 5, Chapter 6, Chapter 7, and Chapter 10), Module
Statistics screens (described in Chapter 11), Network Tools commands (described in
Chapter 12), and the Security screens, which are described in this chapter starting with the
Module Menu screen described in Section 3.5.
•An overview of the Security Methods that can be configured on this module is described starting
with Section 3.6.
3.1 NAVIGATING LOCAL MANAGEMENT SCREENS
The switch module Local Management application consists of a series of menu screens. Navigate
through Local Management by selecting items from the menu screens.
The hierarchy of the Local Management screens is shown in Figure 3-1, Figure 3-2, and
Figure 3-4.
NOTE: At the beginning of each chapter, a section entitled “Screen Navigation Path”
shows the path to the first screen described in the chapter.
[Figure 3-1: Local Management screen hierarchy for the chassis screens. The Chassis Menu leads
to the Chassis Configuration Menu, the SNMP Configuration Menu (SNMP Community Names
Configuration, SNMP Traps Configuration), Chassis Environmental Information, and the Redirect
Configuration Menu (Port Redirect Configuration, VLAN Redirect Configuration). The 6C107
chassis does not support the screens in the shaded area of the figure.]
NOTES: The 6C107 chassis does not support the screens in the shaded area shown in
Figure 3-1, so the screen selection starts with the Password screen and skips to the
Module Selection screen.
If an additional Fast Ethernet or Gigabit Ethernet HSIM or VHSIM is installed in a switch,
an additional statistics screen selection (not shown in Figure 3-2) may display in the
Module Statistics Menu screen. This is dependent on the HSIM or VHSIM installed. For
more information, refer to Chapter 11.
Select items on a menu screen by performing the following steps:
1. Use the arrow keys to highlight a menu item.
2. Press ENTER. The selected menu item displays on the screen.
3.1.2 Exiting Local Management Screens
There are two ways to exit the Local Management (LM) screens.
Using the Exit Command
To exit LM using the EXIT screen command, proceed as follows:
1. Use the arrow keys to highlight the EXIT command at the bottom of the Local Management
screen.
2. Press ENTER. The Local Management Password screen displays and the session ends.
Using the RETURN Command
To exit LM using the RETURN command, proceed as follows:
1. Use the arrow keys to highlight the RETURN command at the bottom of the Local Management
screen.
2. Press ENTER. The previous screen in the Local Management hierarchy displays.
NOTE: The user can also exit Local Management screens by pressing ESC twice. This
exit method does not warn about unsaved changes and all unsaved changes are lost.
3. Exit from Local Management by repeating steps 1 and 2 until the Device Menu screen displays.
4. To end the LM session, use the arrow keys to highlight the RETURN command at the bottom
of the Device Menu screen.
5. Press ENTER. The Local Management Password screen displays and the session ends.
3.1.3 Using the NEXT and PREVIOUS Commands
If a particular Local Management screen has more than one screen to display its information, the
NEXT and PREVIOUS commands are used to navigate between its screens.
To go to the next or previous display of a screen, proceed as follows:
1. Highlight the applicable NEXT or PREVIOUS command at the bottom of the screen.
2. Press ENTER. The screen displays.
3.1.4 Using the CLEAR COUNTERS Command
The CLEAR COUNTERS command is used to temporarily reset all counters of a screen to zero to
allow you to observe counter activity over a period of time. To reset the counters, perform the
following steps:
1. Use the arrow keys to highlight the CLEAR COUNTERS command.
2. Press ENTER, the counters are reset to zero.
3.2 PASSWORD SCREEN
When to Use
To start a Local Management session, which is controlled through the Local Management
Password screen. Whenever a connection is made to the switch module, the Local Management
Password screen displays. Before continuing, you must enter a password, which is compared to the
previously stored passwords and their associated management level access policies configured using
the Security screen described in Section 3.7. The level of access allowed the user depends on the
password. To set or change passwords, refer to Section 5.4.
The level of management access is dependent on the Password and the associated Access Policy
configured in the Password Configuration screen described in Section 4.4.
NOTE: You can set the same string as a Security password and SNMP Community
Name. This will allow you to access and manage the switch whether you are starting a
Local Management session via a Telnet connection or local COM port connection, or
using a network SNMP management application.
If you utilize a string for the security password and a different one for the SNMP
Community Name, the two cannot be used interchangeably to access the switch
module. The access levels can also be configured to be different.
How to Access
Turn on the terminal. Press ENTER (this may take up to four times, because the COM port of the
switch module auto-senses the baud rate of the terminal) until the Local Management Password
screen displays. Figure 3-4 shows the Password screen.
Enter the Password and press ENTER. The default super-user access password is “public”, or
simply press ENTER. Because these defaults are published, change the passwords before the
module is placed on a production network (refer to Section 5.4).
NOTE: The password is one of the passwords configured in the Module Login
Password screen. Access to certain Local Management capabilities depends on the
degree of access accorded that password. Refer to Section 5.4.
If an invalid password is entered, the terminal beeps and the cursor returns to the
beginning of the password entry field.
Entering a valid password causes the associated access level to display at the bottom of
the screen and the Module Menu screen to display.
If no activity occurs for a preset period of time, the Local Management Password screen
redisplays and the password has to be reentered.
3.3 MAIN MENU SCREEN
NOTE: This screen does not display when using the 6C107 chassis. The Module
Selection screen is displayed instead of this screen.
When to Use
To access the two major sets of Local Management screens used to configure the chassis and the
switch modules installed in the chassis.
How to Access
Enter a valid password in the Local Management Password screen as described in Section 3.2, and
press ENTER. The Main Menu screen, Figure 3-5, displays.
Screen Example
Figure 3-5 Main Menu Screen
[Figure: menu items CHASSIS and MODULES; command field EXIT.]
NOTE: If the terminal is idle for several minutes the Local Management Password
screen redisplays and the session ends. This idle time can be changed in the General
Configuration screen in Section 5.2.9.
Menu Descriptions
Table 3-1 Main Menu Screen Menu Item Descriptions

CHASSIS
    Provides access to the Chassis Menu screen that is used to configure
    the chassis, access current chassis power supply and environmental
    status, and perform port and VLAN redirect functions.
    To access and use the Chassis Menu screen, refer to Section 4.1 for
    instructions.
MODULES
    Provides access to the Module Selection screen that is used to select
    individual modules in the chassis for management purposes. If module
    management is desired at this time, proceed to Section 3.4.
3.4 MODULE SELECTION SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection
For 6C107 chassis:
Password > Module Selection
When to Use
To select a module in the chassis and the Module Menu screen, which is the access point to the set
of Local Management screens for the selected module. The Module Selection screen is the access
point to the Local Management screens for all modules installed in the 6C105 or 6C107 chassis.
How to Access
For the 6C105 chassis, use the arrow keys to highlight the MODULES menu item in the Main Menu
screen, and press ENTER. For the 6C107 chassis, the Module Selection screen displays directly after
a valid password is entered. In either case the Module Selection screen, Figure 3-6, displays.
Screen Example
Figure 3-6 Module Selection Screen

Module #   Module Type   Serial #    Hardware Revision
<1>        6H258-17      123456789   XXX
2          6H252-25      123456789   XXX
3          6H203-26      123456789   XXX
4          6H202-24      123456789   XXX
5

EXIT                                   RETURN
Field Descriptions
Refer to Table 3-2 for a functional description of each screen field.
Table 3-2 Module Selection Screen Field Descriptions

Use this field… To…
Module # (Selectable)
    Display the slot in which the module is installed. The module number
    enclosed in angle brackets (< >) indicates the module to which the
    management terminal or Telnet session is currently connected.
Module Type (Read-Only)
    Display the type of interface module that is installed in each slot.
Serial # (Read-Only)
    Display the serial number of the module. The serial number of the
    device is necessary when calling Enterasys Networks concerning the
    module.
Hardware Revision (Read-Only)
    Display the hardware version of the module.
3.4.1 Selecting a Module
To select an individual module to perform Local Management functions, proceed as follows:
1. Use the arrow keys to highlight the desired module number in the Module # field.
2. Press ENTER, the applicable Module Menu screen displays. Proceed to Section 3.5.
3.5 MODULE MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu
For 6C107 chassis:
Password > Module Selection > Module Menu
When to Use
To access the Local Management screens for the switch module selected in the Module Selection
screen.
How to Access
Use the procedure described in Section 3.4.1.
Screen Example
Figure 3-7 Module Menu Screen
[Figure: menu items MODULE CONFIGURATION MENU, MODULE STATISTICS MENU,
NETWORK TOOLS, SECURITY; command fields EXIT and RETURN.]
NOTE: If the terminal is idle for several minutes, the Local Management Password
screen redisplays and the session ends. This idle time can be changed in the Chassis
Configuration screen described in Section 4.2.
Menu Descriptions
Refer to Table 3-3 for a functional description of each menu item.
Table 3-3 Module Menu Screen Menu Item Descriptions

MODULE CONFIGURATION
    Provides access to the Local Management screens that are used to
    configure the switch module and also provides access to the Port
    Configuration Menu screen, 802.1 Configuration Menu screens, and
    the Layer 3 Extensions Menu screens.
    The Port Configuration Menu screen provides access to the screens that
    are used to set operating parameters specific to each port.
    The 802.1 Configuration Menu screen provides access to the Spanning
    Tree Configuration Menu screen, 802.1Q VLAN Configuration Menu
    screen, and the 802.1p Configuration Menu screen. These screens are
    used to set the basic switch operations, and provide access to screens to
    configure VLANs, and assign port priorities.
    For details about the screens, refer to:
    •Chapter 5 for the Module Configuration Menu screen,
    •Chapter 6 for the Port Configuration Menu screen,
    •Chapter 7 for the 802.1 Configuration Menu screen, and
    •Chapter 10 for the Layer 3 Extensions Menu screen.
MODULE STATISTICS
    Provides access to screens used to obtain statistics and performance
    information for the switch module. For details, refer to Chapter 11.
NETWORK TOOLS
    The Network Tools function resides on the switch module and consists
    of commands that allow the user to access and manage network
    devices, including the ability to Telnet to other devices. Chapter 12
    explains how to use the Network Tools utility.
SECURITY
    Provides access to the following screens:
    •Module Login Passwords
    •Radius Configuration
    •Name Services Configuration
    •System Authentication Configuration
    •EAP Configuration
    •EAP Statistics Menu
    •MAC Port Configuration
    •MAC Supplicant Configuration
    The Module Login Passwords screen allows you to set a login
    password for the device according to access policy (read-only,
    read-write, and super-user). A different password can be set for each
    access policy.
    To prevent clearing the passwords, hardware switch 8 on the board of
    the device can be disabled using this screen. For an overview of the
    security available on this switch module, refer to Section 3.6.
    For more information about the Module Login Passwords screen, refer
    to Section 3.8.
    The Radius Configuration screen enables you to configure the Radius
    client function on the switch module to provide another restriction for
    access to the Local Management screens. For more information on
    Radius Client, refer to Section 3.6.
    For more information about the Radius Configuration screen, refer to
    Section 3.9.
    The System Authentication Configuration, EAP Configuration, and
    EAP Statistics Menu screens enable you to securely authenticate and
    grant appropriate access to end user devices directly attached to the
    switch module ports. For more information about 802.1x port based
    network access control, refer to Section 3.6.2.
    For more information about the System Authentication Configuration,
    EAP Configuration, and EAP Statistics Menu screens, refer to
    Section 3.11, Section 3.12, and Section 3.13, respectively.
    The MAC Port Configuration screen enables you to monitor the
    authentication state of the supplicants associated with each port and
    enable/disable, initialize, and force a revalidation of the port MAC
    credential.
    For more information about MAC port configuration, refer to
    Section 3.14.
    The MAC Supplicant Configuration screen enables you to see which
    MAC authentication supplicants are active, their MAC address and
    associated module ports, and enable you to initialize or reauthenticate
    each of the supplicants.
    For more information about the MAC Supplicant Configuration screen,
    refer to Section 3.15.
3.6 OVERVIEW OF SECURITY METHODS
Six security methods are available to control which users are allowed to access, monitor, and
control the switch module.
•Login Security Password – used to access the Module Menu screen to start a Local Management
session via a Telnet connection or local COM port connection. Whenever a connection is made
to the switch module, the Local Management Password screen displays. Before continuing, you
must enter a login password, which is compared to the stored passwords and associated
management level access policies configured using the Security screen described in Section 3.7.
•SNMP Community String – allows access to the switch module via a network SNMP
management application. To access the switch module, you must enter an SNMP Community
Name string. The level of management access is dependent on the SNMP Community Name and
the associated Access Policy configured in the SNMP Community Names Configuration screen
described in Section 4.4.
NOTE: You can set the same string as a Security login password and SNMP
Community Name. This allows you to access and manage the switch module whether
you are starting a Local Management session via a Telnet connection or local COM port
connection, or using a network SNMP management application.
If the login security password is different from the SNMP Community Name, the two
cannot be used interchangeably to access the switch module.
•Host Access Control Authentication (HACA) – authenticates user access of Telnet management,
console local management and WebView via a central Radius Client/Server application using the
Password screen described in Section 3.8. For an overview of HACA and a description of how
to set the access policy using the Radius Configuration screen, refer to Section 3.6.1 and
Section 3.9.
•Host Access Control List (ACL) – allows only the defined list of IP Addresses to communicate
with the host for Telnet, WebView (HTTP) and SNMP. To set up these parameters, refer to the
Host Access Control List (ACL) screen described in Section 3.6.1.
•802.1X Port Based Network Access Control – provides a mechanism for administrators to
securely authenticate and grant appropriate access to end user devices (supplicants) directly
attached to switch module ports. For more information, refer to Section 3.6.2.
•MAC Authentication – provides a mechanism for administrators to securely authenticate and
grant appropriate access to end user devices directly attached to switch module ports. For more
information, refer to Section 3.6.3.
3.6.1 Host Access Control Authentication (HACA)
To use HACA, the embedded Radius Client on the switch module must be configured to
communicate with the Radius Server, and the Radius Server must be configured with the password
information. The software used for this application provides the ability to centralize the
Authentication, Authorization, and Accounting (AAA) of the network resources. For more
information, refer to RFC 2865 (Radius Authentication) and RFC 2866 (Radius Accounting)
for a description of the protocol.
Each switch module has its own Radius Client. The client can be configured via:
•The Radius Configuration screen described in Section 3.9, or
•The Network Tools Command Line Interface (CLI) using the “radius” command described in
Chapter 12.
The IP address of the Radius Server and the shared secret text string must be configured on the
Radius Client. The client uses the Password Authentication Protocol (PAP) to communicate the
user name and password to the Radius Server. With PAP the password is not sent in the clear, but
it is only hidden with an MD5 keystream derived from the shared secret and the Request
Authenticator (RFC 2865, Section 5.2), so protect the network path between the switch module
and the Radius Server and choose a long, random shared secret.
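The PAP password hiding that the Radius exchange relies on, as an added Python example that is not Enterasys code: it implements the RFC 2865 Section 5.2 User-Password transform that a Radius Client such as the one on the switch module applies before sending an Access-Request, the server-side reversal, and the reason the Request Authenticator must never repeat. The shared secret, the sample password and the fixed authenticator used in the test are constructed values for this example.

```python
import hashlib
import os

# Constructed sample values for the example (not from the manual): the shared
# secret configured on both the Radius Client and the Radius Server, and a
# password typed at the Local Management Password prompt.
SHARED_SECRET = b"example-shared-secret-change-me"
SAMPLE_PASSWORD = b"public"


def new_request_authenticator() -> bytes:
    """RFC 2865 section 3: a fresh, unpredictable 16-byte Request
    Authenticator per Access-Request. Reusing one with the same shared
    secret reuses the keystream (see first_block_xor_leak)."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password transform (client side).
    Pad the password with NULs to a multiple of 16 bytes, then XOR each
    16-byte block with MD5(secret + previous block); for the first block the
    'previous block' is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining: the next key depends on this hidden block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and XOR it off again.
    Trailing NUL padding is stripped (a password cannot contain NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def first_block_xor_leak(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """Why the authenticator must not repeat: two requests that share the
    secret and the Request Authenticator share the first keystream block, so
    XORing their hidden passwords cancels it and leaves the XOR of the two
    (NUL-padded) plaintext passwords for anyone who captured both packets."""
    return bytes(a ^ b for a, b in zip(hidden_a[:16], hidden_b[:16]))


if __name__ == "__main__":
    auth = new_request_authenticator()
    hidden = hide_password(SAMPLE_PASSWORD, SHARED_SECRET, auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, SHARED_SECRET, auth))
    print("wrong secret recovers:", reveal_password(hidden, b"wrong", auth))
```

The transform is a keystream, not an encryption of the password on its own: anyone who knows the shared secret and captures the Access-Request recovers the password directly, and a repeated Request Authenticator leaks password differences even without the secret. That is why the shared secret and the path to the Radius Server both need protection.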
On the Radius Server, each user is configured with the following:
•name
•password
•access level
The access level can be set to one of the following levels for each user name:
•super-user
•read-write
•read-only
To support multiple access levels per user name, the server must return a different “FilterID”
attribute for each variant of the user name, using a server feature that distinguishes the same
user name with different prefixes/suffixes. For example, “username@engineering” and
“username@home” could each return different access levels.
NOTE: This is a server-dependent feature.
A Radius user/password combination is assigned one access level unless server-specific features
such as prefixes or suffixes are used to assign different access levels.
All radius values, except the server IPs and shared secrets, are assigned reasonable default values
when radius is installed on a new switch module. The defaults are as follows:
•Client, disabled
•Timeout, 20 seconds
•Retries, 3
•Primary and secondary Authentication ports: 1812 (per RFC 2865)
•Primary and secondary Accounting ports: 1813 (per RFC 2866)
•Last-resort for local and remote is CHALLENGE
If only one server is configured, it must be the primary server. It is not necessary to reboot after the
client is reconfigured.
The client cannot be enabled unless the primary server is configured with at least the minimum
configuration information.
NOTE: The minimum additional information that must be configured to use a server is
its IP and Shared Secret.
When the Radius Client is active on the switch module, the user is presented with an authorization
screen, prompting for a user login name and password when attempting to access the host IP
address via the local console LM, Telnet to LM, or WebView application. The embedded Radius
Client hides the password entered by the user (PAP) and sends it with the user name to the Radius
Server for validation. Then the server returns an access-accept or access-reject response back to
the client, allowing or denying the user to access the host application with the proper access level.
An access-accept response returns a message USER AUTHORIZATION = <ACCESS LEVEL>
for 3 seconds and then the main screen of the application is displayed. An access-reject response
causes an audible “beep” and the screen to return to the user name prompt.
If the Radius Client is unable to receive a response from the Radius Server, because the Radius
Server is down or inaccessible, the Radius Client will time out to a default value of 20 seconds.
If the server returns an “access-accept” response (the user successfully authenticated), it must also
return a Radius “FilterID” attribute containing an ASCII string with the following fields in the
specified format:
“Enterasys:version=V:mgmt=M:policy=N”
Where:
V is the version number (currently V=1)
M is the access level for management, one of the following strings:
“su” for super-user access
“rw” for read-write access
“ro” for read-only access
N is the policy profile number (see the policy profile MIB)
NOTES:
1. Quotation marks (“ ”) are used for clarification only and are not part of the command
strings.
2. If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an
unrecognizable value, access is denied.
3. Policy profiles are not yet deployed and the “policy=N” part may be omitted.
If the Radius client does not receive a response from the primary server, it will consult the
secondary server if one has been configured. If the secondary server also does not respond, then the
switch module reverts to the last-resort authentication action. Last-resort authentication is
individually selectable for both local (COM port) and remote (TELNET or WebView) access. The
last-resort action may be to accept the user, reject the user, or challenge the user for the Local
Management passwords (resort to legacy authentication).
3.6.2 802.1X Port Based Network Access Control
This section provides:
• a brief description of 802.1X Port Based Network Access Control,
• definitions of common terms and abbreviations, and
• an overview of the tasks that may be accomplished using the 802.1X (EAP) security and
authentication features.
When using the physical access characteristics of IEEE 802 LAN infrastructures, the 802.1X
standard provides a mechanism for administrators to securely authenticate and grant appropriate
access to end user devices directly attached to switch module ports. When configured in
conjunction with NetSight Policy Manager and Radius server(s), Enterasys Networks’ switch
modules can dynamically administer user based policy that is specifically tailored to the end user’s
needs.
3.6.2.1 Definitions of Terms and Abbreviations
Table 3-4 provides an explanation of authentication terms and abbreviations used when describing
the 802.1X and EAP security and authentication features.
Table 3-4 Authentication Terms and Abbreviations
Term: Definition
EAP: Extensible Authentication Protocol (e.g., Microsoft IAS Server and Funk Steel Belted
Radius).
PAE: Port Access Entity, device firmware that implements or participates in the protocol.
PWA: Port Web Authentication, an enterprise specific authentication process using a web browser
user-login process to gain access to ports.
RADIUS: Remote Authentication Dial In User Service.
Authenticator: The entity that sits between a supplicant and the authentication server. The
authenticator’s job is to pass authenticating information between the supplicant and
authentication server until an authentication decision is made.
Authentication Server: Provides authentication service to an authenticator. This service
determines, by the credentials the supplicant provides, whether a supplicant is authorized to
access services provided by the authenticator. The authentication server can be co-located with
an authenticator or can be accessed remotely.
Supplicant: The entity (user machine) that is trying to be authenticated by an authenticator
attached to the other end of that link.
3.6.2.2 802.1X Security Overview
The Enterasys Networks 6000 Series and Matrix E7 modules support the following 802.1X
security and authentication features:
• Authenticate hosts that are connected to dedicated switch ports.
• Authenticate based on single-user hosts. (If a host is a time-shared Unix or VMS system,
successful authentication by any user will allow all users access to the network.)
• Allow users to authenticate themselves by logging in with user names and passwords, token
cards, or other high-level identification. Thus, a system manager does not need to spend hours
setting low-level MAC address filters on every edge switch to simulate user-level access
controls.
• Divide system functionality between supplicants (user machines), authenticators, and
authentication servers. Authenticators reside in edge switches. They shuffle messages and tell
the switch when to grant or deny access, but do not validate logins. User validation is the job of
authentication servers. This separation of functions allows network managers to put
authentication servers on central servers.
• Use the 802.1X protocol to communicate between the authenticator and the supplicant. The
frame format using 802.1X includes extra data fields within a LAN frame. Note that 802.1X
does not allow routing.
• Use 802.1X to communicate between the authenticator and the authentication server. The
specific protocol that runs between these components (e.g., RADIUS-encapsulated EAP) is not
specified and is implementation-dependent.
3.6.3 MAC Authentication Overview
This section discusses a method for a user to gain access to the network by validating the MAC
address of their connected device. Network management statically provisions MAC addresses in a
central radius server. Those pre-configured MAC addresses are allowed access to the network
through the usual RADIUS validation process. This section further discusses how MAC
Authentication and 802.1X cooperate to provide an integrated approach to authentication.
3.6.3.1 Authentication Method Selection
The 802.1X and PWA authentication methods are globally mutually exclusive. Additionally, MAC
Authentication and PWA are globally mutually exclusive. However, MAC Authentication and
802.1X are not mutually exclusive, so both 802.1X and MAC authentication can be
configured concurrently on the same device using the Local Management (LM) System
Authentication Configuration screen described in Section 3.11. When both methods are enabled on
the same device, the switch enforces a precedence relationship between the MAC Authentication and
802.1X methods.
When configuring a device using the System Authentication Configuration screen, only the valid
set of global and per port authentication methods are available for selection. These are EAP, PWA,
MAC, MAC EAP, and NONE. If there is an attempt to enable both MAC Authentication and PWA,
either through the sole use of MIBs or by using both the LM screen and MIBs, an appropriate
error message is displayed.
3.6.3.2 Authentication Method Sequence
When MAC Authentication is enabled on a port, the authentication of a specific MAC address
commences immediately following the reception of any frame. The MAC address and a currently
stored password for the port are used to perform a PAP authentication with one of the configured
radius servers. If successful, the port forwarding behavior is changed according to the authorized
policy and a session is started. If unsuccessful, the forwarding behavior of the port remains
unchanged.
If successful, the filter-id in the radius response may contain a policy string of the form
policy=“policy name”. If the string exists and it refers to a currently configured policy in this
switch, then the port receives this new policy. If authenticated, but the authorized policy is invalid
or non-existent, then the port forwards the frame normally according to the port default policy, if
one exists. Otherwise, frames are forwarded without any policy.
3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication
This section defines the precedence rules to determine which authentication method, 802.1X
(EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port
authentication is described in Section 3.11.
When both methods are enabled, 802.1X takes precedence over MAC Authentication when a user
is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X,
then MAC authentication is active and may authenticate the next MAC address received on that
port.
You can configure MAC Authentication and 802.1X to run concurrently on the same module, but
exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the
force-unauthorized state is overloaded. When 802.1X and MAC Authentication are enabled, set
the 802.1X MIB to force-unauthorized for the interface in question and enable
MAC Authentication. This allows the MAC Authentication to run unhindered by 802.1X on that
interface. This, in effect, disables all 802.1X control over that interface. However, if a default
policy exists on that port, the switch forwards the frames according to that policy, otherwise the
switch drops them.
If a switch port is configured to enable both 802.1X and MAC Authentication, then it is possible
for the switch to receive a start or a response 802.1X frame while a MAC Authentication is in
progress. In this situation, the switch immediately aborts MAC Authentication. The 802.1X
authentication then proceeds to completion. After the 802.1X login completes, the user has either
succeeded and gained entry to the network, or failed and is denied access to the network. After the
802.1X login attempt, no new MAC Authentication logins occur on this port until:
• A link is toggled.
• The user executes an 802.1X logout.
• Management terminates the 802.1X session.
NOTE: The switch may terminate a session in many different ways. All of these
reactivate the MAC authentication method. Refer to Table 3-5 for the precedence
relationship between MAC and 802.1X authentication.
When a port is set for concurrent use of MAC and 802.1X authentication, the switch continues to
issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an
EAPOL response/id frame.
Table 3-5 MAC / 802.1X Precedence States
Columns: 802.1X Port Control | MAC Port Control | Authenticated? | Default Policy Exists? |
Authorized Policy Exists? | Action
Force Authorized | Don’t Care | Don’t Care | Yes | Don’t Care
   • Neither method performs authentication.
   • Frames are forwarded according to default policy.
Force Authorized | Don’t Care | Don’t Care | No | Don’t Care
   • Neither method performs authentication.
   • Frames are forwarded.
Auto | Enabled | Yes | Don’t Care | Yes
   • Hybrid authentication (both methods are active).
   • Frames are forwarded according to authorized policy.
Auto | Enabled | Yes | Yes | No
   • Hybrid authentication (both methods are active).
   • Frames are forwarded according to default policy.
Auto | Enabled | Yes | No | No
   • Hybrid authentication (both methods are active).
   • Frames are forwarded.
Auto | Enabled | No | Yes | Don’t Care
   • Hybrid authentication (both methods are active).
   • Frames are forwarded according to default policy.
Auto | Enabled | No | No | Don’t Care
   • Hybrid authentication (both methods are active).
   • Frames are discarded.
Auto | Disabled | Yes | Don’t Care | Yes
   • 802.1X performs authentication.
   • Frames are forwarded according to authorized policy.
Auto | Disabled | Yes | Yes | No
   • 802.1X performs authentication.
   • Frames are forwarded according to default policy.
Auto | Disabled | Yes | No | No
   • 802.1X performs authentication.
   • Frames are forwarded.
Auto | Disabled | No | Yes | Don’t Care
   • 802.1X performs authentication.
   • Frames are forwarded according to default policy.
Auto | Disabled | No | No | Don’t Care
   • 802.1X performs authentication.
   • Frames are discarded.
Force Unauthorization | Enabled | Yes | Don’t Care | Yes
   • MAC performs authentication.
   • Frames are forwarded according to authorized policy.
Force Unauthorization | Enabled | Yes | Yes | No
   • MAC performs authentication.
   • Frames are forwarded according to default policy.
Force Unauthorization | Enabled | Yes | No | No
   • MAC performs authentication.
   • Frames are forwarded.
Force Unauthorization | Enabled | No | Yes | Don’t Care
   • MAC performs authentication.
   • Frames are forwarded according to default policy.
Force Unauthorization | Enabled | No | No | Don’t Care
   • MAC performs authentication.
   • Frames are discarded.
Force Unauthorization | Disabled | Don’t Care | Don’t Care | Don’t Care
   • Neither method performs authentication.
   • Frames are discarded.
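The precedence and forwarding rules of Table 3-5 written as a decision function, with the table rows embedded so the function can be checked against every row (each Don’t Care cell expanded to both values). This is an added Python example, not Enterasys code; the function names, the row tuple layout and the “Force Unauthorized” label (the table says “Force Unauthorization”) are choices made here.

```python
"""Table 3-5 (MAC / 802.1X precedence) as a decision function, checked against
every row of the table. Added example, not Enterasys firmware code."""
from itertools import product
from typing import List, Optional, Tuple

FORCE_AUTH, AUTO, FORCE_UNAUTH = "Force Authorized", "Auto", "Force Unauthorized"


def active_method(dot1x_control: str, mac_enabled: bool) -> str:
    """Which method authenticates on the port, per Section 3.6.3.3."""
    if dot1x_control == FORCE_AUTH:
        return "neither"                          # 802.1X forces the port open
    if dot1x_control == AUTO:
        return "hybrid" if mac_enabled else "802.1X"
    if dot1x_control == FORCE_UNAUTH:
        return "MAC" if mac_enabled else "neither"   # overloaded force-unauthorized
    raise ValueError(f"unknown 802.1X port control: {dot1x_control}")


def forwarding(dot1x_control: str, mac_enabled: bool, authenticated: bool,
               default_policy: bool, authorized_policy: bool) -> Tuple[str, str]:
    """Return (active method, frame handling) for one set of table inputs."""
    method = active_method(dot1x_control, mac_enabled)
    if dot1x_control == FORCE_AUTH:
        return method, ("default policy" if default_policy else "forwarded")
    if method == "neither":                       # force-unauthorized with MAC disabled
        return method, "discarded"
    if authenticated and authorized_policy:
        return method, "authorized policy"
    if default_policy:
        return method, "default policy"
    if authenticated:
        return method, "forwarded"
    return method, "discarded"


# Rows of Table 3-5; None stands for a "Don't Care" cell.
Row = Tuple[str, Optional[bool], Optional[bool], Optional[bool], Optional[bool], str, str]
TABLE_3_5: List[Row] = [
    # (802.1X control, MAC enabled, authenticated, default policy, authorized policy, method, action)
    (FORCE_AUTH, None, None, True, None, "neither", "default policy"),
    (FORCE_AUTH, None, None, False, None, "neither", "forwarded"),
    (AUTO, True, True, None, True, "hybrid", "authorized policy"),
    (AUTO, True, True, True, False, "hybrid", "default policy"),
    (AUTO, True, True, False, False, "hybrid", "forwarded"),
    (AUTO, True, False, True, None, "hybrid", "default policy"),
    (AUTO, True, False, False, None, "hybrid", "discarded"),
    (AUTO, False, True, None, True, "802.1X", "authorized policy"),
    (AUTO, False, True, True, False, "802.1X", "default policy"),
    (AUTO, False, True, False, False, "802.1X", "forwarded"),
    (AUTO, False, False, True, None, "802.1X", "default policy"),
    (AUTO, False, False, False, None, "802.1X", "discarded"),
    (FORCE_UNAUTH, True, True, None, True, "MAC", "authorized policy"),
    (FORCE_UNAUTH, True, True, True, False, "MAC", "default policy"),
    (FORCE_UNAUTH, True, True, False, False, "MAC", "forwarded"),
    (FORCE_UNAUTH, True, False, True, None, "MAC", "default policy"),
    (FORCE_UNAUTH, True, False, False, None, "MAC", "discarded"),
    (FORCE_UNAUTH, False, None, None, None, "neither", "discarded"),
]


def expand(cell: Optional[bool]) -> Tuple[bool, ...]:
    """A Don't Care cell stands for both values."""
    return (True, False) if cell is None else (cell,)


def check_against_table() -> List[Tuple]:
    """Return every input combination where the function disagrees with the table."""
    mismatches: List[Tuple] = []
    for ctl, mac, auth, dflt, authz, method, action in TABLE_3_5:
        for m, a, d, z in product(expand(mac), expand(auth), expand(dflt), expand(authz)):
            got = forwarding(ctl, m, a, d, z)
            if got != (method, action):
                mismatches.append((ctl, m, a, d, z, got, (method, action)))
    return mismatches


if __name__ == "__main__":
    print("mismatches against Table 3-5:", check_against_table())
```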
3.6.4 MAC Authentication Control
This global variable can be set to enabled or disabled.
If set to enabled, then
a. MAC Authentication is active on those ports whose individual port-enabled variable is set to
enabled.
b. All session and statistic information is reset to defaults.
c. Any MAC addresses currently locked to ports are unlocked.
If set to disabled, then
a. MAC Authentication stops for all ports.
b. All active sessions are terminated with the cause portAdminDisabled.
c. All policies applied to ports as a result of MAC Authentication revert to the port’s default
policy, if any.
d. All ports currently authenticated using 802.1X are unaffected.
e. Any 802.1X ports which were set to forced-unauth revert back to discarding all frames
regardless of the MAC Authentication state.
3.7 SECURITY MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu > Security Menu
For 6C107 chassis:
Password > Module Selection > Module Menu > Security Menu
When to Use
To access the Passwords, Radius Configuration, Name Services Configuration, System
Authentication Configuration, EAP Configuration, EAP Statistics Menu, MAC Port
Configuration, and MAC Supplicant Configuration screens.
• The Passwords and Radius Configuration screens allow you to configure additional limited
access.
• The Name Services Configuration screen allows you to set parameters for personalized web
authentication.
• The System Authentication Configuration, EAP Configuration, EAP Statistics Menu screens
enable you to view port authentication type and status, to configure EAP settings, and to view
EAP statistics.
• The MAC Port Configuration and MAC Supplicant Configuration screens enable you to
configure MAC Authentication for user devices (supplicants) directly attached to one or more
physical ports.
How to Access
Use the arrow keys to highlight the SECURITY menu item on the Module Configuration Menu
screen and press ENTER. The Security Menu screen, Figure 3-8, displays.
Screen Example
Figure 3-8 Security Menu Screen
PASSWORDS
RADIUS CONFIGURATION
NAME SERVICES CONFIGURATION
SYSTEM AUTHENTICATION CONFIGURATION
EAP CONFIGURATION
EAP STATISTICS MENU
MAC PORT CONFIGURATION
MAC SUPPLICANT CONFIGURATION
EXIT RETURN
Menu Descriptions
Refer to Table 3-6 for a functional description of each menu item.
Table 3-6 Security Menu Screen Menu Item Descriptions
Menu Item: Screen Function
PASSWORDS: Used to set the Locally Administered Passwords (super-user, read-write, and
read-only) to access the device according to an access policy. For details, refer to Section 3.8.
RADIUS CONFIGURATION: Used to configure the Radius Client Parameters on the switch,
primary server, and secondary server. For details, refer to Section 3.9.
NAME SERVICES CONFIGURATION: Used to set parameters for personalized Web
authentication, including the URL and IP of the Secure Harbour web page. For details, refer to
Section 3.10.
SYSTEM AUTHENTICATION CONFIGURATION: Used to enable or disable an authentication
type for the device, and to display the authentication type and authentication status (enabled or
disabled) for all ports. For details, refer to Section 3.11.
EAP CONFIGURATION: Used to configure authentication settings for each port. For details,
refer to Section 3.12.
EAP STATISTICS: Used to navigate to the EAP Session Statistics, EAP Authentication
Statistics, and EAP Diagnostic Statistics screens. For details, refer to Section 3.13.
MAC PORT CONFIGURATION: Used to view the current port authentication states, enable or
disable the authentication function on each port, reset ports to the initial authentication
configuration, and force a revalidation of the MAC credential. For details, refer to Section 3.14.
MAC SUPPLICANT CONFIGURATION: Used to show how long MAC Authentication
supplicants are logged on to a port and their MAC address, and provides limited configuration of
these supplicants. For details, refer to Section 3.15.
3.8 PASSWORDS SCREEN
When to Use
To provide additional security by using login passwords associated to access policy. This screen
allows the use of passwords to provide three levels of Local Management access (super-user,
read-write and read-only) via serial console or telnet connection. This screen is also used to disable
the function of hardware switch 8 to prevent the clearing of the login passwords.
How to Access
Use the arrow keys to highlight the PASSWORDS menu item on the Security Menu screen and
press ENTER. The Module Login Passwords screen, Figure 3-9, displays.
Screen Example
Figure 3-9 Module Login Passwords Screen
Restrict NVRAM Passwords from upload/download [DISABLED]
EXIT RETURN SAVE
Field Descriptions
Refer to Table 3-7 for a functional description of each screen field.
Table 3-7 Module Login Passwords Screen Field Descriptions
Use this field… To…
Password (Modifiable): Enter the password used to access the device according to an access
policy. For information on how to set the login password, refer to Section 3.8.1.
Access Policy (Read-Only): See the access given each password. Possible selections are as
follows:
   read-only: This password allows read-only access to Local Management, and excludes access
   to security-protected fields of read-write or super-user authorization.
   read-write: This password allows read and write access to Local Management, excluding
   security protected fields for super-user access only.
   super-user: This password permits read-write access to Local Management and allows the
   user to change all modifiable parameters including community names, IP addresses, traps, and
   SNMP objects.
Switch 8 (Toggle): Enable or disable the function of hardware switch S8 on the main board of the
device. When set to ENABLED, S8 can be used to clear the password. When set to DISABLED,
S8 cannot be used to clear the password. The default is ENABLED.
Restrict NVRAM Passwords from upload/download (Toggle): Prevent passwords residing in
NVRAM from being replaced when downloading a configuration file. The default setting is
DISABLED. This prevents the passwords from being downloaded.
3.8.1 Setting the Module Login Password
Setting the Module Login Password provides additional security by assigning each switch module
its own password and allowing you to disable the function of switch S8 so that the password
cannot be cleared. To assign the password and disable switch S8, proceed as follows:
1. Use the arrow keys to highlight the appropriate Password field. A different password can be
assigned to each Access Policy.
2. Press ENTER.
3. To disable the function of switch S8 so the passwords cannot be cleared, use the arrow keys to highlight the Switch 8 field.
4. Press the SPACE bar to select DISABLED.
5. To save the settings, press ENTER. The message “SAVED OK” displays at the top of the screen.
3.9 RADIUS CONFIGURATION SCREEN
When to Use
To configure the Radius client in the switch to restrict access to the management functions of the
Local Management screens, by way of the COM port or network TELNET connection.
NOTE: The configuration and enable state of the Radius client will be stored in NVRAM
and loaded on power-up. If the client is properly configured and enabled, the platform
will create the Radius client and enable it at boot time, superseding legacy
authentication. Otherwise, the legacy authentication becomes operational.
Radius Client parameters can also be set using the Network Tools screen described in
Chapter 12.
This screen allows you to set the necessary parameters to centralize the Authentication,
Authorization, and Accounting of the network resources. For information about the Radius Client and
how it functions, refer to Section 3.6 and Section 3.6.1.
How to Access
Use the arrow keys to highlight the RADIUS CONFIGURATION menu item on the Security
Menu screen and press ENTER. The Radius Configuration screen, Figure 3-10, displays.
Screen Example
Figure 3-10 Radius Configuration Screen
Timeout: 20
Retries: 03
                       Local        Remote
Last Resort Action:    [CHALLENGE]  [CHALLENGE]
Radius Client: [DISABLED]
IP Address:    Secret:           Auth Port:
0.0.0.0        NOT CONFIGURED    1812
0.0.0.0        NOT CONFIGURED    1812
SAVE EXIT RETURN
Field Descriptions
Refer to Table 3-8 for a functional description of each screen field.
Table 3-8 Radius Configuration Screen Field Descriptions
Use this field… To…
Timeout (Modifiable): Enter the maximum time in seconds to establish contact with the Radius
Server before timing out. The default is 20 seconds.
Retries (Modifiable): Enter the maximum number of attempts (1…N) to contact the Radius Server
before timing out. The default is 20 seconds.
Last Resort Action/Local (Selectable): Accept, Challenge, and Reject, which do the following:
   ACCEPT: Allows local access (via COM port) at the super-user level with no further attempt at
   authentication.
   CHALLENGE: Reverts to local module (legacy) passwords.
   REJECT: Does not allow local access.
   For more details, refer to Section 3.9.1. To set local and remote servers, refer to Section 3.9.2.
Last Resort Action/Remote (Selectable): Accept, Challenge, and Reject, which do the following:
   ACCEPT: Allows local access (via COM port) at the super-user level with no further attempt at
   authentication.
   CHALLENGE: Reverts to local module (legacy) passwords.
   REJECT: Does not allow remote access.
   For more details, refer to Section 3.9.1. To set local and remote servers, refer to Section 3.9.2.
Radius Client (Toggle): Enable or disable client status.
IP Address (Modifiable): Enter the IP address (in decimal-dot format) of the primary and
secondary servers being configured for the Radius function.
Secret (Modifiable): Enter a secret string of characters for the primary and secondary server
(16 characters are recommended as per RFC 2865. The maximum is 32 characters).
Auth Port (Modifiable): Enter the number of the Authorization UDP Port for the Primary and
Secondary server.
3.9.1 Setting the Last Resort Authentication
The Radius client can be configured to use primary and secondary servers. If the primary server
does not respond within the specified number of retries during the specified time-out period, the
client will then attempt to authenticate using the secondary server. If the secondary server also
does not respond, then the client returns a time-out condition.
The “last resort” platform action in case of Radius server time-out for both local and remote access
is selectable for each type of access:
• Local login via the COM port.
• Remote login via a remote network TELNET connection.
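The primary/secondary/last-resort sequence described here and in Section 3.6.1 (the secondary server is consulted only after the primary has exhausted its retries, and the per-access-type last-resort action applies only when both have timed out), simulated in Python. This is an added example, not Enterasys firmware code: the `send` callback stands in for the network, wall-clock time is not simulated, and the function names, the sample addresses and the use of 0.0.0.0 for an unconfigured server slot are assumptions made here.

```python
"""Simulate the Radius client's primary/secondary/last-resort sequence.

Added example (not Enterasys firmware). The `send` callback stands in for the
network: it returns "access-accept", "access-reject", or None for a timed-out
attempt. Wall-clock time is not simulated; each None consumes one retry.
"""
from typing import Callable, Dict, List, Optional, Tuple

Sender = Callable[[str, int], Optional[str]]
UNCONFIGURED = "0.0.0.0"   # assumption: the unconfigured value shown on the screen


def query_server(send: Sender, server: str, retries: int) -> Optional[str]:
    """Try one server up to `retries` times; None means every attempt timed out."""
    for attempt in range(1, retries + 1):
        reply = send(server, attempt)
        if reply is not None:
            return reply
    return None


def authenticate(servers: List[str], send: Sender, retries: int,
                 last_resort: Dict[str, str], access_type: str) -> str:
    """Return the client's decision for a login of type 'local' or 'remote'.

    last_resort maps each access type to ACCEPT, CHALLENGE or REJECT, i.e. the
    two Last Resort Action fields on the Radius Configuration screen.
    """
    for server in servers:                       # primary first, then secondary
        if not server or server == UNCONFIGURED:
            continue                             # slot not configured, skip it
        reply = query_server(send, server, retries)
        if reply == "access-accept":
            return "accept"
        if reply == "access-reject":
            return "reject"
        # reply is None: this server timed out, consult the next one
    action = last_resort[access_type]            # time-out condition reached
    if action == "ACCEPT":
        return "accept-super-user"               # no further authentication
    if action == "CHALLENGE":
        return "legacy-passwords"                # challenge for module passwords
    return "reject"


def make_responder(replies: Dict[str, Optional[str]]) -> Tuple[Sender, List[Tuple[str, int]]]:
    """Constructed test double: a fixed reply per server plus a log of attempts."""
    calls: List[Tuple[str, int]] = []

    def send(server: str, attempt: int) -> Optional[str]:
        calls.append((server, attempt))
        return replies.get(server)               # unknown server -> timeout
    return send, calls


if __name__ == "__main__":
    actions = {"local": "CHALLENGE", "remote": "REJECT"}
    # Constructed scenario: primary never answers, secondary accepts.
    send, calls = make_responder({"192.0.2.10": None, "192.0.2.11": "access-accept"})
    print(authenticate(["192.0.2.10", "192.0.2.11"], send, 3, actions, "remote"), calls)
    # Constructed scenario: both servers unreachable -> last resort per access type.
    send, calls = make_responder({})
    for kind in ("local", "remote"):
        print(kind, authenticate(["192.0.2.10", "192.0.2.11"], send, 3, actions, kind))
```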
3.9.2 Setting the Local and Remote Servers
Before setting the parameters, refer to Section 3.6.1 and Section 3.9.1 for a better understanding of
Radius Servers and Last Resort Authentication. To set the local and remote server, proceed as
follows:
1. Highlight the Timeout field and enter the maximum time in seconds to establish contact with
the Radius Server before timing out.
2. Highlight the Retries field and enter the desired maximum number of attempts (1…N) to contact
the Radius Server before timing out.
3. Highlight the Last-Resort Action/Local field and select ACCEPT, CHALLENGE, or
REJECT to allow local access at the super-user level with no further attempt at authentication,
revert to local module (legacy) passwords, or not allow local access, respectively.
4. Highlight the Last-Resort Action/Remote field and select ACCEPT, CHALLENGE, or
REJECT to allow remote access at the super-user level with no further attempt at
authentication, revert to remote module (legacy) passwords, or not allow remote access,
respectively.
5. Use the arrow keys to highlight the IP Address field and enter the IP address (in decimal-dot
format) of the primary and secondary servers being configured for the RADIUS function.
6. Highlight the Secret field and enter a secret string of characters for the primary and secondary
server (16 characters are recommended as per RFC 2865. The maximum is 32 characters).
7. Highlight the Auth Port field and enter the number of the Accounting UDP Port for the Primary
and Secondary server.
8. Use the arrow keys to highlight the SAVE command and press ENTER to save your settings.
3.10 NAME SERVICES CONFIGURATION SCREEN
When to Use
Use this screen when enabling Port-based Web authentication. This screen can also be used to
configure the global Secure Harbour name and IP address. The user can Enable/Disable Name
Services and associate the switch name with the Secure Harbour IP address.
How to Access
Use the arrow keys to highlight the NAME SERVICES CONFIGURATION menu item on the
Security Menu screen and press ENTER. The Name Services Configuration screen, Figure 3-11,
displays.
Screen Example
Figure 3-11 Name Services Configuration Screen
Switch Name:         Secure Harbour
Secure Harbour IP:   0.0.0.0
Name Services:       [DISABLED]
Web Authentication:  [DISABLED]
SAVE EXIT RETURN
Field Descriptions
Refer to Table 3-9 for a functional description of each screen field.
Table 3-9 Name Services Configuration Screen Field Descriptions
Use this field… To…
Switch Name (Modifiable): Create a textual name to bind to the IP address.
   NOTE: The Switch Name and the Secure Harbour IP must be globally unique within your
   network and the end switch must contain the identical information.
Secure Harbour IP (Read-Only): See the IP address used to access services.
   NOTE: The Switch Name and the Secure Harbour IP must be globally unique within your
   network and the end switch must contain the identical information. The Secure Harbour IP
   cannot be the same as the management IP of the switch.
Name Services (Toggle): Enable or disable the name services function.
Web Authentication (Toggle): Enable or disable Web Authentication.
3.11 SYSTEM AUTHENTICATION CONFIGURATION SCREEN
When to Use
To enable or disable an authentication type for the device, and to display the authentication type
and authentication status (enabled or disabled) for all ports.
How to Access
Use the arrow keys to highlight the SYSTEM AUTHENTICATION CONFIGURATION menu
item on the Security Menu screen and press ENTER. The System Authentication Configuration
screen, Figure 3-12, displays.
Refer to Table 3-10 for a functional description of each screen field.
Table 3-10 System Authentication Configuration Screen Field Descriptions
Use this field… To…
System Authentication (Selectable): Enable or disable an authentication type for the device, or
turn off the port authentication function on all ports. Options are EAP (Extensible Authentication
Protocol), PWA (Port Web Authentication), MAC (Machine Address Code), EAP MAC, or NONE.
   • EAP is encapsulated in LAN frames according to the 802.1X standard.
   • PWA uses the web browser user login process to allow access to ports.
   • MAC authentication limits access to the network by validating the MAC address of the
   connected devices.
   • EAP MAC enables using both MAC and EAP authentication methods concurrently for
   security.
   • NONE turns off all port authentication in the switch. The default is NONE.
   To select the option, use the arrow keys to highlight the System Authentication field, step to
   EAP, PWA, MAC, EAP MAC, or NONE using the SPACE bar, then press ENTER.
Port # (Read-Only): See the port numbers of all ports known to the device. Up to 10 ports can be
displayed at a time. To see additional ports, select NEXT and press ENTER to display the
authentication type and status for the next 10 ports.
Authentication Type (Read-Only): See the authentication type configured for each port: EAP,
PWA, MAC, EAP MAC, or NONE.
Authentication Status (Read-Only): See whether the port is authenticated for the chosen
authentication type. Status is Authenticated, EAP Authenticated, MAC Authenticated, or
Unauthenticated.
3.12 EAP (PORT) CONFIGURATION SCREEN
When to Use
To configure authentication settings for each port.
How to Access
Use the arrow keys to highlight the EAP CONFIGURATION menu item on the Security Menu
screen and press ENTER. The EAP Port Configuration screen, Figure 3-13, displays.
Refer to Table 3-11 for a functional description of each screen field.
Table 3-11EAP Port Configuration Screen Field Descriptions
Use this field…To…
Port
(Read-Only)
Au thentication State
(Read-Only)
See the port number of all ports known to the device. Up to 10 ports
can be displayed as a time. Highlight NEXT and press ENTER to
display the next set of ports.
See the current authentication state of each port.
These following nine described states are the possible internal states
for the authenticator. Some states are simply pass-through states
causing a small action and immediately moving to a new state.
Therefore, not all states can be observed for this interface.
•initialize: A port is in the initialize state when:
a. EAP authentication is disabled,
b. EAP authentication is enabled and the port is not linked, or
c. EAP authentication is enabled and the port is linked. (In this case
very little time is spent in this state, it immediately transitions to
the connecting state, via disconnected.
•disconnected: The port passes through this state on its way to
connected whenever the port is reinitialized, via link state change,
reauthentication failure, or management intervention.
•connecting: While in this state, the authenticator sends request/ID
messages to the supplicant.
•authenticating: The port enters this state from connecting after
receiving a response/ID from the supplicant. It remains in this state
until the entire authentication exchange between the supplicant and
the authentication server completes.
•authenticated: The port enters this state from authenticating state
after the exchange completes with a favorable result. It remains in
this state until linkdown, logoff, or until a reauthentication begins.
Table 3-11 EAP Port Configuration Screen Field Descriptions (Continued)
Authentication State (Cont’d)
• aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange.
• held: After any login failure, this state is entered where the port remains for the number of seconds equal to quietPeriod (can be set using the MIB).
• forceAuth: Management has set this in “Port Control”. This allows normal, unsecured switching on this port.
• forceUnauth: Management has set this in “Port Control”. Absolutely no frames are forwarded to or from this port.
Backend State (Read-Only)
See the current backend state of each port.
The backend state machine controls the protocol interaction between the authenticator (the switch) and the authentication server (typically a RADIUS server).
The following seven states are the possible internal states for the authenticator. Some states are simply pass-through states causing a small action and immediately moving to a new state. Therefore, you may not observe all of the states in this interface.
For more detail, please see the IEEE Standard 802.1X-2001, Port Based Network Access Control.
• request: The port has received a request from the server and is waiting for a response from the supplicant.
• response: The port has received a response from the supplicant and is waiting for either another request or an accept or reject from the server.
• success: The port has received a success from the server. Send a success to the supplicant and move to idle.
• fail: The port has received a reject from the server. Send a fail to the supplicant and move to idle.
• timeout: The port has timed out during the authentication exchange.
Backend State (Cont’d)
• idle: The port is currently not involved in any authentication, but is ready to begin one. Move to idle after completion.
• initialize: The port is initializing the relevant backend variables and is not ready to begin an authentication. Move to idle after completion.
Port Control (Selectable)
Set the port control mode enabling network access for each port. Modes include:
• Auto: In this mode, frames are forwarded according to the authentication state of each port. When no default policy has been applied to the port, and its authentication state is unauthorized, the port discards all incoming and outgoing frames. If a default policy is applied to the port and its authentication state is unauthorized, frames are forwarded according to the configuration specified for that policy.
Once authorized, a port forwards frames according to its current configuration. A policy string may be returned by the RADIUS server in the Filter-Id attribute. This policy string can reference a set of VLAN and priority classification rules pre-configured in the switch. If a policy string is returned as part of the user authorization process, then frames are forwarded according to the configuration specified by that policy.
If no policy is returned, the switch forwards frames using the existing default policy configuration, if it exists, or the current configuration for the port if no default policy exists. If the default policy is used, then that default policy is interpreted as now being active on the controlled port. Although continuing to use the default policy after authorization may be a legal configuration, there are no practical uses.
If a policy string is returned that has no definition in the switch, then this is an illegal configuration and the port is not authenticated. Therefore frame forwarding in this case follows the rules outlined above for an unauthorized port.
Port Control (Cont’d)
• Forced Authenticated Mode: The Forced Authenticated Mode is meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the Policy Profile MIB, then frames are forwarded according to the configuration set by that policy; otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode.
• Forced Unauthenticated Mode: When a port is set to the Forced Unauthenticated Mode, all frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.
Initialized Port (Single Setting)
Set to TRUE to initialize all state machines for this port. After initialization, authentication can proceed normally on this port according to its control settings. This has the effect of kicking off any currently authorized user on the port and resetting the session information for a new login.
You can only set this field to TRUE to initialize the port. Afterwards the field immediately reverts to FALSE.
Force Reauth (Single Setting)
Set to TRUE to cause an immediate forced reauthentication for a user who is currently logged on to the port. If the reauthentication fails, then the user is forced off the port. If there is no user on the port, a setting of TRUE for this variable has no effect. Setting this variable to FALSE has no effect.
Maximum Requirements (Modifiable)
Set the maximum number of times EAP request frames will be transmitted to the supplicant before timeout. Default is 2; range is 1 to 10.
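The Auto-mode forwarding decision described under Port Control, including the case of a returned policy string that the switch has not defined, as an added Python model (example code written for this edit, not Enterasys firmware; the PortConfig fields, the Decision record and the policy names are constructed for illustration):

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortControl(Enum):
    """Port Control modes from Table 3-11."""
    AUTO = "auto"
    FORCE_AUTH = "forceAuth"
    FORCE_UNAUTH = "forceUnauth"


@dataclass
class PortConfig:
    """Per-port inputs to the forwarding decision (constructed model, not a switch MIB)."""
    control: PortControl
    default_policy: Optional[str] = None  # policy applied via the Policy Profile MIB, if any
    authorized: bool = False              # outcome of the 802.1X exchange on this port


@dataclass
class Decision:
    forward: bool      # False: all incoming and outgoing frames are discarded
    rules: str         # "discard", "port-config" or "policy:<name>"
    authorized: bool   # authentication state after the policy check


def resolve_forwarding(port: PortConfig, filter_id: Optional[str],
                       defined_policies: set) -> Decision:
    """Apply the Port Control rules of Table 3-11 to one port.

    filter_id is the policy string returned by the RADIUS server in the
    Filter-Id attribute (None when none was returned); defined_policies
    holds the policy names pre-configured in the switch.
    """
    if port.control is PortControl.FORCE_UNAUTH:
        # Forced Unauthenticated: every received frame is discarded by a filter.
        return Decision(False, "discard", False)

    if port.control is PortControl.FORCE_AUTH:
        # Forced Authenticated: no 802.1X; the default policy wins if one is applied.
        rules = f"policy:{port.default_policy}" if port.default_policy else "port-config"
        return Decision(True, rules, True)

    # Auto mode. A returned policy string with no definition in the switch is an
    # illegal configuration: the port is NOT authenticated and the unauthorized
    # rules apply (the switch does not fall back to the port configuration).
    undefined_policy = filter_id is not None and filter_id not in defined_policies
    authorized = port.authorized and not undefined_policy

    if not authorized:
        if port.default_policy:
            return Decision(True, f"policy:{port.default_policy}", False)
        return Decision(False, "discard", False)

    if filter_id is not None:
        return Decision(True, f"policy:{filter_id}", True)
    if port.default_policy:
        # No policy returned: the default policy stays active on the controlled port.
        return Decision(True, f"policy:{port.default_policy}", True)
    return Decision(True, "port-config", True)


if __name__ == "__main__":
    # Constructed scenario: an authorized user whose RADIUS Filter-Id names a policy
    # the switch has not defined ends up governed by the unauthorized-port rules.
    port = PortConfig(PortControl.AUTO, default_policy="guest", authorized=True)
    print(resolve_forwarding(port, "staff-vlan", {"guest", "staff"}))
```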
3.13 EAP STATISTICS MENU SCREEN
Screen Navigation Path
For 6C105 chassis:
Password > Main Menu > Module Selection > Module Menu > Security Menu > EAP Statistics Menu
For 6C107 chassis:
Password > Module Selection > Module Menu > Security Menu > EAP Statistics Menu
When to Use
To access the EAP Session Statistics, EAP Authenticator Statistics, and EAP Diagnostic Statistics screens.
How to Access
Use the arrow keys to highlight the EAP STATISTICS menu item on the Security Menu screen and press ENTER. The EAP Statistics Menu screen, Figure 3-14, displays.
Screen Example
Figure 3-14 EAP Statistics Menu Screen
EAP SESSION STATISTICS
EAP AUTHENTICATOR STATISTICS
EAP DIAGNOSTIC STATISTICS
RETURN EXIT
Menu Descriptions
Refer to Table 3-12 for a functional description of each menu item.
Table 3-12 EAP Statistics Menu Screen Descriptions
EAP SESSION STATISTICS
Used to review and clear EAP session statistics for each port. For details, refer to Section 3.13.1.
EAP AUTHENTICATOR STATISTICS
Used to review authenticator statistics for each port, including EAP frame types received and transmitted, and frame version number and source MAC address. For details, refer to Section 3.13.2.
EAP DIAGNOSTIC STATISTICS
Used to view port counters useful for EAP troubleshooting, including logoffs and timeouts while authenticating, and to view authorization failure messages from the authentication server. For details, refer to Section 3.13.3.
3.13.1 EAP Session Statistics Screen
When to Use
To review and clear EAP session statistics for each port.
How to Access
Use the arrow keys to highlight the EAP SESSION STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Session Statistics screen, Figure 3-15, displays.
Figure 3-15 EAP Session Statistics Screen (screen example; visible fields include Session Time, Session Terminate Cause, Session User Name and Port Number, with the RETURN, CLEAR COUNTERS and EXIT commands)
Field Descriptions
Refer to Table 3-13 for a functional description of each screen field.
Table 3-13 EAP Session Statistics Screen Field Descriptions
SessionID (Read-Only)
See the unique ASCII string identifier for a particular session.
SessionOctetsRx (Read-Only)
See counts of user data octets received on the port during a particular session.
SessionOctetsTx (Read-Only)
See counts of user data octets transmitted on the port during a particular session.
SessionFramesRx (Read-Only)
See counts of user data frames received on the port during a particular session.
SessionFramesTx (Read-Only)
See counts of user data frames transmitted on the port during a particular session.
Session Authenticate Method (Read-Only)
See whether the session was established by a remote Authentication Server or a local Authentication Server.
Session Time (Read-Only)
See the amount of time a session has been active in days, hours, minutes, and seconds.
Session Terminate Cause (Read-Only)
See which of the following reasons ended the session:
• Supplicant Logoff: End user logged off.
• port failure: Authentication port failed.
• Supplicant Restart: End user restarted session.
• Reauthentication Failed: A previously authenticated Supplicant has failed to re-authenticate successfully following timeout of the reauthentication timer or explicit reauthentication.
• authControlForceUnauth: Port forced to unauthorized mode by network manager.
• portReInit: Port reinitialized.
• portAdminDisabled: Port disabled.
• notTerminatedYet: Session still active.
Session User Name (Read-Only)
See the user name associated with the PAE (Port Access Entity).
Port Number (Selectable)
Select the port number to display the associated EAP Session Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Session Statistics.
CLEAR COUNTERS (Command)
Set the octets and frame counters to zero for a particular port. To clear the counters, highlight CLEAR COUNTERS and press ENTER.
NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
3.13.2 EAP Authenticator Statistics Screen
When to Use
To review authenticator statistics for each port, including EAP frame types received and transmitted, and frame version number and source MAC address. This screen refreshes counter data automatically.
How to Access
Use the arrow keys to highlight the EAP AUTHENTICATOR STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Authenticator Statistics screen,
Refer to Table 3-14 for a functional description of each screen field.
Table 3-14 EAP Authenticator Statistics Screen Field Descriptions
Total Frames Rx (Read-Only)
See counts of all EAP frames received by the authenticator.
Total Frames Tx (Read-Only)
See counts of all EAP frames transmitted by the authenticator.
Start Frames Rx (Read-Only)
See counts of EAP start type frames received by the authenticator.
Logoff Frames Rx (Read-Only)
See counts of EAP logoff type frames received by the authenticator.
Response Id Frames Rx (Read-Only)
See counts of EAP response identification type frames received by the authenticator.
Response Frames Rx (Read-Only)
See counts of EAP response type frames received by the authenticator.
Request Id Frames Tx (Read-Only)
See counts of EAP request identification type frames transmitted by the authenticator.
Request Frames Tx (Read-Only)
See counts of EAP request type frames transmitted by the authenticator.
Invalid Frames Rx (Read-Only)
See counts of frames received by the authenticator that have an unrecognizable frame type.
Length Error Frames Rx (Read-Only)
See counts of frames received by the authenticator with an invalid length field for the frame body.
Frame Version (Read-Only)
See the EAP protocol version present in the most recent EAP frame.
Frame Source (Read-Only)
See the source MAC address for the most recent EAP frame received.
Port Number (Selectable)
Select the port number to display the associated EAP Authenticator Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Authenticator Statistics.
CLEAR COUNTERS (Command)
Set the octets and frame counters to zero for a particular port. To clear the counters, highlight CLEAR COUNTERS and press ENTER.
NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
3.13.3 EAP Diagnostic Statistics Screen
When to Use
To view port counters useful for EAP troubleshooting, including logoffs and timeouts while authenticating, and to view authorization failure messages from the authentication server. The counters on this screen refresh automatically.
How to Access
Use the arrow keys to highlight the EAP DIAGNOSTIC STATISTICS menu item on the EAP Statistics Menu screen and press ENTER. The EAP Diagnostic Statistics screen, Figure 3-17, displays.
Figure 3-17 EAP Diagnostic Statistics Screen (screen example; the Backend Statistics panel shows Responses, Access Challenges, Other Requests To Supp, Non-NAK resp From Supp, Auth Successes and Auth Failures, with Port Number and the RETURN, CLEAR COUNTERS and EXIT commands)
Field Descriptions
Refer to Table 3-15 for a functional description of each screen field.
Table 3-15 EAP Diagnostic Statistics Screen Field Descriptions
Enters Connecting (Read-Only)
See counts of transitions to connecting state from any other state.
Logoffs Connecting (Read-Only)
See counts of transitions from connecting to disconnected state after an EAPOL logoff message. EAPOL is an encapsulation of the EAP protocol, plus some extra data fields, within a LAN frame.
Enters Authenticating (Read-Only)
See counts of transitions from connecting to authenticating state after an EAP RespId message is received from the supplicant (end-user requesting authentication).
Success Authenticating (Read-Only)
See counts of transitions from authenticating to authenticated state after backend authentication has a successful authentication with the supplicant (end-user requesting authentication).
Timeouts Authenticating (Read-Only)
See counts of transitions from authenticating to aborting state due to backend authentication timing out.
Fail Authenticating (Read-Only)
See counts of transitions from authenticating to held state due to backend authentication failure.
Reauths Authenticating (Read-Only)
See counts of transitions from authenticating to aborting state due to reauthentication requests.
Starts Authenticating (Read-Only)
See counts of transitions from authenticating to aborting state due to a start from the supplicant (end-user requesting authentication).
Logoffs Authenticating (Read-Only)
See counts of transitions from authenticating to aborting state due to a logoff message from the supplicant (end-user requesting authentication).
Reauths Authenticated (Read-Only)
See counts of transitions from authenticated to connecting state due to a reauthentication request.
Starts Authenticated (Read-Only)
See counts of transitions from authenticated to connecting state due to a start from the supplicant (end-user requesting authentication).
Logoffs Authenticated (Read-Only)
See counts of transitions from authenticated to disconnected state due to a logoff message from the supplicant (end-user requesting authentication).
Backend Statistics:
Responses (Read-Only)
See counts of initial access-request frames to the authentication server.
Access Challenges (Read-Only)
See counts of initial access-challenge frames from the authentication server.
Other Requests To Supp (Read-Only)
See counts of EAP request frames transmitted that are not EAP notification, failure or success-type messages. This frame count indicates that the authenticator picked an EAP method.
Non-NAK resp From Supp (Read-Only)
See counts of initial responses to an EAP request from the supplicant (end-user requesting authentication). The count does not include EAP-NAK frames. This count indicates that the supplicant can communicate with the chosen EAP method.
Auth Successes (Read-Only)
See counts of EAP success messages from the authentication server. Indicates that the supplicant is successfully authenticated.
Auth Failures (Read-Only)
See counts of EAP failure messages from the authentication server. Indicates that the supplicant is not authenticated.
Port Number (Selectable)
Select the port number to display the associated EAP Diagnostic Statistics. To select a port number, use the arrow keys to highlight the Port Number field. Then step to the correct port number using the SPACE bar and press ENTER to display the associated port EAP Diagnostic Statistics.
CLEAR COUNTERS (Command)
Set the octets and frame counters to zero for a particular port. To clear the counters, use the arrow keys to highlight CLEAR COUNTERS and press ENTER.
NOTE: This command clears the counters for this LM screen, but it does not clear the associated MIB objects.
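The transitions these diagnostic counters record, as an added Python model (example code written for this edit, not switch firmware; the event names and the sample event sequence are constructed): it replays port events against the authenticator states of Table 3-11 and accumulates the Table 3-15 counter credited by each transition, so a reader can see which counters a given login history produces.

```python
from collections import Counter

# Authenticator PAE states listed in Table 3-11 (aborting and held are pass-through).
DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED, ABORTING, HELD = (
    "disconnected", "connecting", "authenticating", "authenticated", "aborting", "held",
)

# (current state, event) -> (next state, Table 3-15 counter credited for that transition).
# Event names are constructed for this model; they are not switch or MIB identifiers.
TRANSITIONS = {
    (DISCONNECTED, "port_enabled"):      (CONNECTING, None),
    (CONNECTING, "eapol_logoff"):        (DISCONNECTED, "Logoffs Connecting"),
    (CONNECTING, "resp_id"):             (AUTHENTICATING, "Enters Authenticating"),
    (AUTHENTICATING, "backend_success"): (AUTHENTICATED, "Success Authenticating"),
    (AUTHENTICATING, "backend_timeout"): (ABORTING, "Timeouts Authenticating"),
    (AUTHENTICATING, "backend_fail"):    (HELD, "Fail Authenticating"),
    (AUTHENTICATING, "reauth"):          (ABORTING, "Reauths Authenticating"),
    (AUTHENTICATING, "eapol_start"):     (ABORTING, "Starts Authenticating"),
    (AUTHENTICATING, "eapol_logoff"):    (ABORTING, "Logoffs Authenticating"),
    (AUTHENTICATED, "reauth"):           (CONNECTING, "Reauths Authenticated"),
    (AUTHENTICATED, "eapol_start"):      (CONNECTING, "Starts Authenticated"),
    (AUTHENTICATED, "eapol_logoff"):     (DISCONNECTED, "Logoffs Authenticated"),
    # Pass-through states: aborting returns to connecting at once, held only after quietPeriod.
    (ABORTING, "abort_done"):            (CONNECTING, None),
    (HELD, "quiet_period_expired"):      (CONNECTING, None),
}


def replay(events, state=DISCONNECTED):
    """Replay port events and return (final state, Table 3-15 style counters)."""
    counters = Counter()
    for event in events:
        if (state, event) not in TRANSITIONS:
            continue  # no transition for this event in this state; nothing is counted
        next_state, counter = TRANSITIONS[(state, event)]
        if next_state == CONNECTING and state != CONNECTING:
            counters["Enters Connecting"] += 1  # counted from any other state
        if counter:
            counters[counter] += 1
        state = next_state
    return state, counters


# Constructed event sequence for one port: a failed login, a successful one,
# a reauthentication that succeeds, and finally a supplicant logoff.
SAMPLE_EVENTS = [
    "port_enabled", "resp_id", "backend_fail", "quiet_period_expired",
    "resp_id", "backend_success", "reauth", "resp_id", "backend_success",
    "eapol_logoff",
]

if __name__ == "__main__":
    final_state, counters = replay(SAMPLE_EVENTS)
    print(final_state)
    for name, value in sorted(counters.items()):
        print(f"{name}: {value}")
```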
3.14 MAC PORT CONFIGURATION SCREEN
When to Use
To display the authentication state of the supplicant associated with each port, enable or disable the authentication function, initialize authentication status, and force a revalidation of the MAC credential on a per port basis.
How to Access
Use the arrow keys to highlight the MAC PORT CONFIGURATION menu item on the Security Menu screen and press ENTER. The MAC Port Configuration screen, Figure 3-18, displays.
Figure 3-18 MAC Port Configuration Screen (screen example; the Force Reauth column and the RETURN command are visible)
Refer to Table 3-16 for a functional description of each screen field.
Table 3-16 MAC Port Configuration Screen Field Descriptions
Port # (Read-Only)
See the port numbers of all ports known to the device. Up to 9 ports can be displayed at a time. To see additional ports, select NEXT and press ENTER to display the authentication type and status for the next 10 ports.
Authentication State (Read-Only)
See the current state of the MAC Authentication of a port supplicant. If a supplicant is currently active on that port, then authenticated is displayed in this field; otherwise unauthenticated is displayed.
Port Enable (Toggle)
Enable or disable MAC authentication for a given port.
Initialize Port (Single Setting)
Initialize the authentication status of the port. When this field is set to TRUE, the current authentication session is terminated, the port returns to its initial authentication status, and the field returns to FALSE.
Force Reauth (Single Setting)
Force the revalidation of the MAC credential for the port. When this field is set to TRUE, revalidation is executed and the field returns to FALSE. It always reads a value of FALSE.
SET ALL PORTS (Command)
Set all ports in the module to the settings in the associated Port Enable, Initialize Port, and Force Reauth columns.
3.15 MAC SUPPLICANT CONFIGURATION SCREEN
When to Use
To determine the active MAC Authentication supplicants on the module and perform limited configuration on these supplicants, which includes initializing the supplicant and reauthenticating the supplicant.
How to Access
Use the arrow keys to highlight the MAC SUPPLICANT CONFIGURATION menu item on the Security Menu screen and press ENTER. The MAC Supplicant Configuration screen, Figure 3-19, displays.
Figure 3-19 MAC Supplicant Configuration Screen (screen example; the RETURN command is visible)
Refer to Table 3-17 for a functional description of each screen field.
Table 3-17 MAC Supplicant Configuration Screen Field Descriptions
Port (Read-Only)
See the port numbers of all ports known to the device. Up to 10 ports can be displayed at a time. To see additional ports, select NEXT and press ENTER to display the authentication type and status for the next 10 ports.
Duration (Read-Only)
See the time in days:hours:minutes:seconds that an active supplicant is logged on via the port.
MAC Address (Read-Only)
See the ASCII value of the MAC address for each active supplicant associated with a port.
Initialize Supplicant (Single Setting)
Terminate the current session with a supplicant. When set to TRUE, the current session is terminated. It always displays a value of FALSE.
Reauthenticate Supplicant (Single Setting)
Force a revalidation of the MAC credential for the supplicant. When set to TRUE, the switch forces the revalidation. It always displays a value of FALSE.