HP 445946-001 User Manual

HP 10Gb Ethernet BL-c Switch
Application Guide
Part number: 445946-001 First edition: June 2007
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation. SunOS™ and Solaris™ are trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
2
Contents

Contents

Accessing the switch
Introduction........................................................................................................................................... 9
Additional references ........................................................................................................................... 10
Typographical conventions.................................................................................................................... 10
Management Network.......................................................................................................................... 10
Connecting through the console port.................................................................................................. 11
Connecting through Telnet................................................................................................................ 11
Connecting through Secure Shell....................................................................................................... 11
Using the command line interfaces ......................................................................................................... 12
Configuring an IP interface............................................................................................................... 12
Using the Browser-based Interface.......................................................................................................... 13
Using Simple Network Management Protocol .......................................................................................... 14
SNMP v1.0.................................................................................................................................... 14
SNMP v3.0.................................................................................................................................... 14
Default configuration ....................................................................................................................... 14
User configuration........................................................................................................................... 15
View based configurations ............................................................................................................... 16
CLI user equivalent..................................................................................................................... 16
CLI oper equivalent .................................................................................................................... 17
Configuring SNMP trap hosts ........................................................................................................... 17
SNMPv1 trap host...................................................................................................................... 17
SNMPv2 trap host configuration ....................................................................................................... 19
SNMPv3 trap host configuration ....................................................................................................... 19
Secure access to the switch ................................................................................................................... 20
Setting allowable source IP address ranges ........................................................................................ 20
Configuring an IP address range for the management network ........................................................ 21
RADIUS authentication and authorization........................................................................................... 21
How RADIUS authentication works............................................................................................... 21
Configuring RADIUS on the switch (CLI example) ........................................................................... 22
Configuring RADIUS on the switch (BBI example) ........................................................................... 23
RADIUS authentication features.................................................................................................... 24
User accounts for RADIUS users ................................................................................................... 24
RADIUS attributes for user privileges............................................................................................. 25
TACACS+ authentication ...................................................................................................................... 25
How TACACS+ authentication works................................................................................................. 26
TACACS+ authentication features ..................................................................................................... 26
Authorization.................................................................................................................................. 26
Accounting..................................................................................................................................... 27
Configuring TACACS+ authentication on the switch (CLI example) ....................................................... 28
Configuring TACACS+ authentication on the switch (BBI example) ....................................................... 29
Secure Shell and Secure Copy............................................................................................................... 30
Configuring SSH and SCP features (CLI example)........................................................................... 31
Using SSH and SCP client commands........................................................................................... 32
SSH and SCP encryption of management messages ....................................................................... 33
Generating RSA host and server keys for SSH access ..................................................................... 33
SSH/SCP integration with RADIUS and TACACS+ authentication..................................................... 34
3
Contents
User access control .............................................................................................................................. 34
Setting up user IDs .......................................................................................................................... 35
Ports and trunking
Introduction......................................................................................................................................... 36
Ports on the switch ............................................................................................................................... 36
Port trunk groups.................................................................................................................................. 37
Statistical load distribution................................................................................................................ 37
Built-in fault tolerance....................................................................................................................... 37
Before you configure trunks ................................................................................................................... 37
Trunk group configuration rules.............................................................................................................. 38
Port trunking example........................................................................................................................... 39
Configuring trunk groups (CLI example) ............................................................................................. 40
Configuring trunk groups (BBI example) ............................................................................................. 41
Configurable Trunk Hash algorithm ........................................................................................................ 44
Link Aggregation Control Protocol.......................................................................................................... 44
Configuring LACP ........................................................................................................................... 46
Port-based Network Access and traffic control
Port-based Network Access control......................................................................................................... 47
Extensible authentication protocol over LAN ....................................................................................... 47
802.1x authentication process.......................................................................................................... 48
EAPoL Message Exchange ............................................................................................................... 48
802.1x port states........................................................................................................................... 49
Supported RADIUS attributes ............................................................................................................ 50
EAPoL configuration guidelines ......................................................................................................... 51
Port-based traffic control ....................................................................................................................... 51
Configuring port-based traffic control................................................................................................. 52
VLANs
Introduction......................................................................................................................................... 53
Overview............................................................................................................................................ 53
VLANs and port VLAN ID numbers......................................................................................................... 53
VLAN numbers ............................................................................................................................... 53
Viewing VLANs ......................................................................................................................... 54
PVID numbers ................................................................................................................................. 54
Viewing and configuring PVIDs......................................................................................................... 54
Port information ......................................................................................................................... 54
Port configuration....................................................................................................................... 54
VLAN tagging ..................................................................................................................................... 55
VLANs and IP interfaces........................................................................................................................ 58
VLAN topologies and design considerations............................................................................................ 58
VLAN configuration rules ................................................................................................................. 59
Multiple VLANS with tagging................................................................................................................. 60
Configuring the example network...................................................................................................... 61
Configuring ports and VLANs on Switch 1 (CLI example) ................................................................ 61
Configuring ports and VLANs on Switch 2 (CLI example) ................................................................ 63
Configuring ports and VLANs on Switch 1 (BBI example) ................................................................ 64
FDB static entries.................................................................................................................................. 66
Trunking support for FDB static entries................................................................................................ 67
Configuring a static FDB entry .......................................................................................................... 67
Spanning Tree Protocol
4
Contents
Introduction......................................................................................................................................... 68
Overview............................................................................................................................................ 68
Bridge Protocol Data Units .................................................................................................................... 68
Determining the path for forwarding BPDUs........................................................................................ 69
Bridge priority ........................................................................................................................... 69
Port priority ............................................................................................................................... 69
Port path cost ............................................................................................................................ 69
Spanning Tree Group configuration guidelines ........................................................................................ 69
Default Spanning Tree configuration.................................................................................................. 69
Adding a VLAN to a Spanning Tree Group ........................................................................................ 70
Creating a VLAN ............................................................................................................................ 70
Rules for VLAN tagged ports............................................................................................................. 70
Adding and removing ports from STGs .............................................................................................. 70
Assigning cost to ports and trunk groups ............................................................................................ 71
Multiple Spanning Trees ....................................................................................................................... 71
Why do we need Multiple Spanning Trees? ....................................................................................... 71
VLAN participation in Spanning Tree Groups ..................................................................................... 72
Configuring Multiple Spanning Tree Groups.......................................................................................73
Configuring Switch 1 (CLI example) ............................................................................................. 73
Configuring Switch 2 (CLI example) ............................................................................................. 73
Configuring Switch 1 (BBI example) ............................................................................................. 74
Port Fast Forwarding ............................................................................................................................ 76
Configuring Port Fast Forwarding...................................................................................................... 76
Fast Uplink Convergence ...................................................................................................................... 76
Configuration guidelines .................................................................................................................. 76
Configuring Fast Uplink Convergence................................................................................................ 76
RSTP and MSTP
Introduction......................................................................................................................................... 77
Rapid Spanning Tree Protocol................................................................................................................ 77
Port state changes ........................................................................................................................... 77
Port type and link type..................................................................................................................... 78
Edge port.................................................................................................................................. 78
Link type ................................................................................................................................... 78
RSTP configuration guidelines ........................................................................................................... 78
RSTP configuration example ............................................................................................................. 78
Configuring Rapid Spanning Tree (CLI example) ............................................................................ 78
Configuring Rapid Spanning Tree Protocol (BBI example)................................................................ 79
Multiple Spanning Tree Protocol............................................................................................................. 80
MSTP region................................................................................................................................... 80
Common Internal Spanning Tree ....................................................................................................... 80
MSTP configuration guidelines.......................................................................................................... 81
MSTP configuration example ............................................................................................................ 81
Configuring Multiple Spanning Tree Protocol (CLI example)............................................................. 81
Configuring Multiple Spanning Tree Protocol (BBI example)............................................................. 82
Quality of Service
Introduction......................................................................................................................................... 86
Overview............................................................................................................................................ 86
Using ACL filters .................................................................................................................................. 87
Summary of packet classifiers ........................................................................................................... 87
Summary of ACL actions .................................................................................................................. 89
Understanding ACL precedence........................................................................................................ 89
5
Contents
Using ACL Groups ............................................................................................................................... 90
ACL Metering and Re-marking ............................................................................................................... 91
Metering........................................................................................................................................ 91
Re-marking..................................................................................................................................... 91
Viewing ACL statistics........................................................................................................................... 91
ACL configuration examples.................................................................................................................. 92
Configure Access Control Lists (CLI example) ...................................................................................... 92
Configure Access Control Lists and Groups (BBI example 1) ................................................................. 93
Using DSCP values to provide QoS ........................................................................................................ 97
Differentiated Services concepts........................................................................................................ 97
Per Hop Behavior............................................................................................................................ 97
QoS levels ..................................................................................................................................... 98
Using 802.1p priorities to provide QoS.................................................................................................. 98
802.1p configuration (CLI example) ................................................................................................ 100
802.1p configuration (BBI example)................................................................................................ 100
Queuing and scheduling..................................................................................................................... 105
Basic IP routing
IP routing benefits .............................................................................................................................. 106
Routing between IP subnets ................................................................................................................. 106
Example of subnet routing................................................................................................................... 109
Using VLANs to segregate broadcast domains.................................................................................. 110
Dynamic Host Configuration Protocol ................................................................................................... 112
DHCP relay agent ......................................................................................................................... 112
DHCP relay agent configuration...................................................................................................... 113
Routing Information Protocol
Distance vector protocol...................................................................................................................... 114
Stability ............................................................................................................................................ 114
Routing updates................................................................................................................................. 114
RIPv1................................................................................................................................................ 115
RIPv2................................................................................................................................................ 115
RIPv2 in RIPv1 compatibility mode........................................................................................................ 115
RIP Features....................................................................................................................................... 115
Poison ......................................................................................................................................... 115
Triggered updates......................................................................................................................... 115
Multicast...................................................................................................................................... 116
Default......................................................................................................................................... 116
Metric.......................................................................................................................................... 116
Authentication .............................................................................................................................. 116
RIP configuration example................................................................................................................... 117
IGMP Snooping
Introduction....................................................................................................................................... 118
Overview.......................................................................................................................................... 118
IGMPv3....................................................................................................................................... 119
FastLeave..................................................................................................................................... 119
IGMP Filtering .............................................................................................................................. 120
Configuring the range .............................................................................................................. 120
Configuring the action.............................................................................................................. 120
Static multicast router..................................................................................................................... 121
IGMP Snooping configuration example............................................................................................ 121
6
Contents
Configuring IGMP Snooping (CLI example) ................................................................................. 121
Configuring IGMP Filtering (CLI example).................................................................................... 122
Configuring a Static Mrouter (CLI example) ................................................................................. 122
Configuring IGMP Snooping (BBI example) ................................................................................. 123
Configuring IGMP Filtering (BBI example) ................................................................................... 125
Configuring a Static Multicast Router (BBI example)...................................................................... 129
OSPF
OSPF overview.................................................................................................................................. 131
Types of OSPF areas ..................................................................................................................... 131
Types of OSPF routing devices........................................................................................................ 132
Neighbors and adjacencies ........................................................................................................... 133
Link-State Database ....................................................................................................................... 133
Shortest Path First Tree................................................................................................................... 133
Internal versus external routing........................................................................................................ 134
OSPF implementation in HP 10GbE switch software ............................................................................... 134
Configurable parameters ............................................................................................................... 134
Defining areas.............................................................................................................................. 135
Assigning the area index .......................................................................................................... 135
Using the area ID to assign the OSPF area number ...................................................................... 136
Attaching an area to a network ................................................................................................. 136
Interface cost................................................................................................................................ 136
Electing the designated router and backup .......................................................................................137
Summarizing routes....................................................................................................................... 137
Default routes .................................................................................................................................... 137
Virtual links .................................................................................................................................. 138
Router ID...................................................................................................................................... 138
Authentication .............................................................................................................................. 139
Host routes for load balancing........................................................................................................ 140
OSPF features not supported in this release ...................................................................................... 141
OSPF configuration examples.............................................................................................................. 141
Example 1: Simple OSPF domain (CLI example)................................................................................ 141
Example 1: Simple OSPF domain (BBI example) .......................................................................... 142
Example 2: Virtual links ................................................................................................................. 150
Configuring OSPF for a virtual link on Switch A ........................................................................... 150
Configuring OSPF for a virtual link on Switch B.................................................................................151
Other Virtual Link Options......................................................................................................... 152
Example 3: Summarizing routes...................................................................................................... 152
Verifying OSPF configuration.......................................................................................................... 154
Remote monitoring
Introduction....................................................................................................................................... 155
Overview.......................................................................................................................................... 155
RMON group 1—statistics ............................................................................................................. 155
Configuring RMON Statistics (CLI example)................................................................................. 156
Configuring RMON Statistics (BBI example)................................................................................. 156
RMON group 2—history................................................................................................................ 158
History MIB objects .................................................................................................................. 159
RMON group 3—alarms ............................................................................................................... 161
Alarm MIB objects.................................................................................................................... 161
RMON group 9—events ................................................................................................................ 165
Configuring RMON Events (CLI example).................................................................................... 165
Configuring RMON Events (BBI example).................................................................................... 166
7
Contents
High availability
Introduction....................................................................................................................................... 167
Uplink Failure Detection...................................................................................................................... 167
Failure Detection Pair..................................................................................................................... 168
Spanning Tree Protocol with UFD .................................................................................................... 168
Configuration guidelines ................................................................................................................ 169
Monitoring Uplink Failure Detection................................................................................................. 169
Configuring Uplink Failure Detection................................................................................................ 169
Configuring UFD on Switch 1 (CLI example) ................................................................................ 170
Configuring UFD on Switch 2 (CLI example) ................................................................................ 170
Configuring Uplink Failure Detection (BBI example) ...................................................................... 171
VRRP overview................................................................................................................................... 173
VRRP components.......................................................................................................................... 173
Virtual router ........................................................................................................................... 173
Virtual router MAC address....................................................................................................... 173
Owners and renters.................................................................................................................. 173
Master and backup virtual router ............................................................................................... 174
Virtual Interface Router.............................................................................................................. 174
VRRP operation.................................................................................................................................. 174
Selecting the master VRRP router ..................................................................................................... 174
Failover methods................................................................................................................................ 175
Active-Active redundancy............................................................................................................... 175
HP 10GbE switch extensions to VRRP ................................................................................................... 176
Tracking VRRP router priority .......................................................................................................... 176
Virtual router deployment considerations............................................................................................... 177
Assigning VRRP virtual router ID ...................................................................................................... 177
Configuring the switch for tracking .................................................................................................. 177
High availability configurations............................................................................................................ 178
Active-Active configuration ............................................................................................................. 178
Task 1: Configure Switch A....................................................................................................... 178
Task 2: Configure Switch B ....................................................................................................... 180
Task 1: Configure Switch A (BBI example)................................................................................... 181
Troubleshooting tools
Introduction....................................................................................................................................... 191
Port Mirroring.................................................................................................................................... 191
Configuring Port Mirroring (CLI example) ......................................................................................... 192
Configuring Port Mirroring (BBI example) ......................................................................................... 193
Other network troubleshooting techniques ............................................................................................. 195
Console and Syslog messages ........................................................................................................ 195
Ping ............................................................................................................................................ 195
Trace route................................................................................................................................... 195
Statistics and state information........................................................................................................ 195
Customer support tools................................................................................................................... 195
Index
8
Accessing the switch

Accessing the switch

Introduction
This guide will help you plan, implement, and administer the switch software for the HP 10Gb Ethernet BL-c Switch. Where possible, each section provides feature overviews, usage examples, and configuration instructions.
“Accessing the switch” describes how to configure and view information and statistics on the switch
over an IP network. This chapter also discusses different methods to manage the switch for remote administrators, such as setting specific IP addresses and using Remote Authentication Dial-in User Service (RADIUS) authentication, Secure Shell (SSH), and Secure Copy (SCP) for secure access to the switch.
“Ports and port trunking” describes how to group multiple physical ports together to aggregate the
bandwidth between large-scale network devices.
“Port-based Network Access and Traffic Control” describes how to authenticate devices attached to
a LAN port that has point-to-point connection characteristics. Port-based Network Access Control provides security to ports of the HP 10GbE switch that connect to servers. Port-based Traffic Control allows the switch to guard against broadcast storms.
“VLANs” describes how to configure Virtual Local Area Networks (VLANs) for creating separate
network segments, including how to use VLAN tagging for devices that use multiple VLANs.
“Spanning Tree Protocol” discusses how spanning trees configure the network so that the switch uses
the most efficient path when multiple paths exist.
“Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol” describes extensions to the
Spanning Tree Protocol that provide rapid convergence of spanning trees for fast reconfiguration of the network.
“Quality of Service” discusses Quality of Service features, including IP filtering using Access Control
Lists, Differentiated Services, and IEEE 802.1p priority values.
“Basic IP Routing” describes how to configure the HP 10GbE switch for IP routing using IP subnets,
and DHCP Relay.
“Routing Information Protocol” describes how the HP 10GbE switch software implements standard
Routing Information Protocol (RIP) for exchanging TCP/IP route information with other routers.
“IGMP Snooping” describes how to use IGMP to conserve bandwidth in a multicast-switching
environment.
“OSPF” describes OSPF concepts, how OSPF is implemented, and examples of how to configure
your switch for OSPF support.
“Remote Monitoring” describes how to configure the RMON agent on the switch, so the switch can
exchange network monitoring data.
“High Availability” describes how the HP 10GbE switch supports high-availability network
topologies. This release provides Uplink Failure Detection and Virtual Router Redundancy Protocol (VRRP).
“Troubleshooting tools” describes Port Mirroring and other troubleshooting techniques.
9
Accessing the switch
Additional references
Additional information about installing and configuring the switch is available in the following guides, which are available at http://www.hp.com/go/bladesystem/documentation
.
HP 10Gb Ethernet BL-c Switch User Guide
HP 10Gb Ethernet BL-c Switch Command Reference Guide
HP 10Gb Ethernet BL-c Switch ISCLI Reference Guide
HP 10Gb Ethernet BL-c Switch Browser-based Interface Reference Guide
HP 10Gb Ethernet BL-c Switch Quick Setup Instructions
Typographical conventions
The following table describes the typographic styles used in this guide:
Table 1 Typographic conventions
Typeface or symbol
AaBbCc123
AaBbCc123
<AaBbCc123>
[ ]
Meaning Example
This type depicts onscreen computer output and prompts.
This type displays in command examples and shows text that must be typed in exactly as shown.
This bracketed type displays in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Management Network
The 10Gb Ethernet BL-c Switch is an integral subsystem within the overall BladeSystem. The BladeSystem chassis includes an Onboard Administrator as the central element for overall chassis and control.
The 10GbE switch communicates with the Onboard Administrator through its internal management port (port 17). The factory default settings permit management and control access to the switch through the 10/100 Mbps Ethernet port on the Onboard Administrator, or the built-in console port. You also can use the external Ethernet ports to manage and control the 10GbE switch.
Main#
Main# sys
To establish a Telnet session, enter:
host# telnet <IP address>
Read your user guide thoroughly.
host# ls [-a]
The 10GbE switch management network has the following characteristics:
Port 17—Management port 17 has a fixed configuration, as follows:
100 Mbps Full duplex Flow control: both No auto-negotiation
10
Accessing the switch
Untagged Port VLAN ID (PVID): 4095
VLAN 4095—Management VLAN 4095 isolates management traffic within the HP 10GbE switch.
VLAN 4095 contains only one member port (port 17). No other ports can be members of VLAN 4095.
Interface 250—Management interface 250 is associated with VLAN 4095. No other interfaces can
be associated with VLAN 4095. You can configure the IP address of the management interface manually or through Dynamic Host Control Protocol (DHCP).
Gateway 254—This gateway is the default gateway for the management interface.
STG 128—If the HP 10GbE switch is configured to use multiple spanning trees, spanning tree group
128 (STG 128) contains management VLAN 4095, and no other VLANS are allowed in STG 128. The default status of STG 128 is off.
If the 10GbE switch is configured to use Rapid Spanning Tree Protocol, STG 1 contains management VLAN 4095.
To access the 10GbE switch management interface through the Onboard Administrator:
Use the Onboard Administrator internal DHCP server, through Enclosure-Based IP Addressing
Use an external DHCP server. Connect the Onboard administrator and the 10GbE switch to the
network, and disable Enclosure-Based IP Addressing.
Assign a static IP interface to the Onboard Administrator and to the 10GbE switch management
interface (interface 250).

Connecting through the console port

Using a null modem cable, you can directly connect to the switch through the console port. A console connection is required in order to configure Telnet or other remote access applications. For more information on establishing console connectivity to the switch, see the HP 10Gb Ethernet BL-c Switch User Guide.

Connecting through Telnet

By default, Telnet is enabled on the switch. Once the IP parameters are configured, you can access the CLI from any workstation connected to the network using a Telnet connection. Telnet access provides the same options for a user and an administrator as those available through the console port, minus certain commands. The switch supports four concurrent Telnet connections.
To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the
telnet command, followed by the switch IP address:
telnet <switch IP address>

Connecting through Secure Shell

By default, the Secure Shell (SSH) protocol is disabled on the switch. SSH enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. For more information, see the “Secure Shell and Secure Copy” section later in this chapter. For additional information on the CLI, see the HP 10Gb Ethernet BL-c Switch Command Reference Guide.
11
Accessing the switch
Using the command line interfaces
The command line interface (CLI) can be accessed via local terminal connection or a remote session using Telnet or SSH. The CLI is the most direct method for collecting switch information and performing switch configuration.
The HP 10GbE switch provides two CLI modes: The menu-based AOS CLI, and the tree-based ISCLI. You can set the HP 10GbE switch to use either CLI mode.
The Main Menu of the AOS CLI, with administrator privileges, is displayed below:
[Main Menu] info - Information Menu stats - Statistics Menu cfg - Configuration Menu oper - Operations Command Menu boot - Boot Options Menu maint - Maintenance Menu diff - Show pending config changes [global command] apply - Apply pending config changes [global command] save - Save updated config to FLASH [global command] revert - Revert pending or applied changes [global command] exit - Exit [global command, always available]
For complete information about the AOS CLI, see the HP 10Gb Ethernet BL-c Switch Command Reference Guide.
The ISCLI provides a tree-based command structure, for users familiar with similar products. An example of a typical ISCLI command is displayed below:
Switch(config)# spanning-tree stp 1 enable
For complete information about the ISCLI, refer to the ISCLI Reference Guide.

Configuring an IP interface

An IP interface address must be set on the switch to provide management access to the switch over an IP network. By default, the management interface is set up to request its IP address from a Bootstrap Protocol (BOOTP) server.
If you have a BOOTP server on your network, add the Media Access Control (MAC) address of the switch to the BOOTP configuration file located on the BOOTP server. The MAC address can be found on a small white label on the back panel of the switch. The MAC address can also be found in the System Information menu (see the HP 10Gb Ethernet BL-c Switch Command Reference Guide or ISCLI Guide.) If you are using a DHCP server that also does BOOTP, you do not have to configure the MAC address.
If you do not have a BOOTP server, you must manually configure an IP address.
12
Accessing the switch
The following example shows how to manually configure an IP address on the switch:
1. Configure an IP interface for the Telnet connection, using the sample IP address of 205.21.17.3.
2. The pending subnet mask address and broadcast address are automatically calculated.
>> # /cfg/l3/if 1 (Select IP interface 1) >> IP Interface 1# addr 205.21.17.3 (Assign IP address for the interface) Current IP address: 0.0.0.0 New pending IP address: 205.21.17.3 Pending new subnet mask: 255.255.255.0
. . . . . . . . . . . .
>> IP Interface 1# ena (Enable IP interface 1)
3. If necessary, configure up to two default gateways.
4. Configuring the default gateways allows the switch to send outbound traffic to the routers.
>> IP Interface 5# ../gw 1 (Select primary default gateway) >> Default gateway 1# addr 205.21.17.1 (Assign IP address for primary router) >> Default gateway 1# ena (Enable primary default gateway) >> Default gateway 1# ../gw 2 (Select secondary default gateway) >> Default gateway 2# addr 205.21.17.2 (Assign address for secondary router) >> Default gateway 2# ena (Enable secondary default gateway)
5. Apply, verify, and save the configuration.
>> Default gateway 2# apply (Apply the configuration) >> Default gateway 2# save (Save the configuration) >> # /cfg/dump (Verify the configuration)
Using the Browser-based Interface
By default, the Browser-based Interface (BBI) protocol is enabled on the switch. The Browser-based Interface (BBI) provides access to the common configuration, management and operation features of the switch through your Web browser. For more information, see the HP 10Gb Ethernet BL-c Switch Browser- based Interface Reference Guide.
The BBI is organized at a high level as follows:
Configuration—These menus provide access to the configuration elements for the entire switch.
System—Configure general switch configuration elements. Switch ports—Configure switch ports and related features. Port-based port mirroring—Configure mirrored ports and monitoring ports. Layer 2—Configure Layer 2 features, including trunk groups, VLANs, and Spanning Tree
Protocol.
RMON menu—Configure Remote Monitoring (RMON) functions. Layer 3—Configure all of the IP related information, including IGMP Snooping. QoS—Configure Quality of Service features. Access Control—Configure Access Control Lists and Groups. Uplink Failure Detection—Configure a Failover Pair of Links to Monitor and Links to Disable.
Statistics—These menus provide access to the switch statistics and state information.
Dashboard—These menus display settings and operating status of a variety of switch features.
13
Accessing the switch
Using Simple Network Management Protocol
The switch software provides SNMP v1.0 and SNMP v3.0 support for access through any network management software, such as HP-OpenView.

SNMP v1.0

To access the SNMP agent on the switch, the read and write community strings on the SNMP manager should be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.
The read and write community strings on the switch can be changed using the following commands on the CLI.
>> /cfg/sys/ssnmp/rcomm
-and-
>> /cfg/sys/ssnmp/wcomm
The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch.
For the SNMP manager to receive the traps sent out by the SNMP agent on the switch, the trap host on the switch should be configured with the following command:
/cfg/sys/ssnmp/snmpv3/taddr
For more details, see “Configuring SNMP trap hosts”.

SNMP v3.0

SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMP v3.0 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators, and encryption to protect against threats such as masquerade, modification of information, message stream modification, and disclosure.
SNMP v3 ensures that the client can use SNMP v3 to query the MIBs, mainly for security. To access the SNMP v3.0 menu, enter the following command in the CLI:
>> # /cfg/sys/ssnmp/snmpv3
For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the HP 10Gb Ethernet BL-c Switch Command Reference Guide.

Default configuration

The switch software has two users by default. Both the users adminmd5 and adminsha have access to all the MIBs supported by the switch.
username 1—adminmd5/password adminmd5. Authentication used is MD5.
username 2—adminsha/password adminsha. Authentication used is SHA.
username 3—v1v2only/password none.
To configure an SNMP user name, enter the following command from the CLI:
>> # /cfg/sys/ssnmp/snmpv3/usm 6
14
Accessing the switch

User configuration

Users can be configured to use the authentication/privacy options. The HP 10GbE switch supports two authentication algorithms: MD5 and SHA, as specified in the following command:
/cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha
1. To configure a user with name admin, authentication type MD5, authentication password of admin,
and privacy option DES with privacy password of admin, use the following CLI commands:
>> # /cfg/sys/ssnmp/snmpv3/usm 5 >> SNMPv3 usmUser 5 # name "admin" (Configure ‘admin’ user type) >> SNMPv3 usmUser 5 # auth md5 >> SNMPv3 usmUser 5 # authpw admin >> SNMPv3 usmUser 5 # priv des >> SNMPv3 usmUser 5 # privpw admin
2. Configure a user access group, along with the views the group may access. Use the access table to
configure the group’s access level.
>> # /cfg/sys/ssnmp/snmpv3/access 5 >> SNMPv3 vacmAccess 5 # name "admingrp" (Configure an access group) >> SNMPv3 vacmAccess 5 # level authPriv >> SNMPv3 vacmAccess 5 # rview "iso" >> SNMPv3 vacmAccess 5 # wview "iso" >> SNMPv3 vacmAccess 5 # nview "iso"
Because the read view (rview), write view (wview), and notify view (nview) are all set to “iso,” the user type has access to all private and public MIBs.
3. Assign the user to the user group. Use the group table to link the user to a particular access group.
>> # /cfg/sys/ssnmp/snmpv3/group 5 >> SNMPv3 vacmSecurityToGroup 5 # uname admin >> SNMPv3 vacmSecurityToGroup 5 # gname admingrp
If you want to allow user access only to certain MIBs, see the “View based configurations” section.
15
Accessing the switch

View based configurations

CLI user equivalent
To configure an SNMP user equivalent to the CLI user, use the following configuration:
/c/sys/ssnmp/snmpv3/usm 4 name "usr" (Configure the user) /c/sys/ssnmp/snmpv3/access 3 name "usrgrp" (Configure access group 3) rview "usr" wview "usr" nview "usr" /c/sys/ssnmp/snmpv3/group 4 (Assign user to access group 3) uname usr gname usrgrp /c/sys/ssnmp/snmpv3/view 6 (Create views for user) name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.2" (Agent statistics) /c/sys/ssnmp/snmpv3/view 7 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.3" (Agent information) /c/sys/ssnmp/snmpv3/view 8 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.2" (L2 statistics) /c/sys/ssnmp/snmpv3/view 9 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.3" (L2 information) /c/sys/ssnmp/snmpv3/view 10 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.2" (L3 statistics) /c/sys/ssnmp/snmpv3/view 11 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.3" (L3 information)
16
Accessing the switch
CLI oper equivalent
To configure an SNMP user equivalent to the CLI oper, use the following configuration:
/c/sys/ssnmp/snmpv3/usm 5 name "oper" (Configure the oper) /c/sys/ssnmp/snmpv3/access 4 name "opergrp" (Configure access group 4) rview "oper" wview "oper" nview "oper" /c/sys/ssnmp/snmpv3/group 4 (Assign oper to access group 4) uname oper gname opergrp /c/sys/ssnmp/snmpv3/view 20 (Create views for oper) name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.2" (Agent statistics) /c/sys/ssnmp/snmpv3/view 21 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.3" (Agent information) /c/sys/ssnmp/snmpv3/view 22 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.2" (L2 statistics) /c/sys/ssnmp/snmpv3/view 23 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.3" (L2 information) /c/sys/ssnmp/snmpv3/view 24 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.2" (L3 statistics) /c/sys/ssnmp/snmpv3/view 25 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.3" (L3 information)

Configuring SNMP trap hosts

SNMPv1 trap host
1. Configure a user with no authentication or password.
/c/sys/ssnmp/snmpv3/usm 10 (Configure user named “v1trap”) name "v1trap"
2. Configure an access group and group table entries for the user. Use the following command to
specify which traps can be received by the user:
/c/sys/ssnmp/snmpv3/access <x>/nview
/c/sys/ssnmp/snmpv3/access 10 (Define access group to view SNMPv1 traps) name "v1trap" model snmpv1 nview "iso" /c/sys/ssnmp/snmpv3/group 10 (Assign user to the access group) model snmpv1 uname v1trap gname v1trap
In this example the user will receive the traps sent by the switch.
17
Accessing the switch
3. Configure an entry in the notify table.
/c/sys/ssnmp/snmpv3/notify 10 (Assign user to the notify table) name v1trap tag v1trap
4. Specify the IP address and other trap parameters in the Target Address( targetAddr) and Target
Parameters (targetParam) tables. Use the following command to specify the user name used with this targetParam table:
c/sys/ssnmp/snmpv3/tparam <x>/uname
/c/sys/ssnmp/snmpv3/taddr 10 (Define an IP address to send traps) name v1trap addr 47.80.23.245 taglist v1trap pname v1param /c/sys/ssnmp/snmpv3/tparam 10 (Specify SNMPv1 traps to send) name v1param mpmodel snmpv1 uname v1trap model snmpv1
5. Use the community table to define the community string used in the traps.
/c/sys/ssnmp/snmpv3/comm 10 (Define the community string) index v1trap name public uname v1trap
18
Accessing the switch

SNMPv2 trap host configuration

The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, specify snmpv2 instead of snmpv1.
c/sys/ssnmp/snmpv3/usm 10 (Configure user named “v2trap”) name "v2trap" /c/sys/ssnmp/snmpv3/access 10 (Define access group to view SNMPv2 traps) name "v2trap" model snmpv2 nview "iso" /c/sys/ssnmp/snmpv3/group 10 (Assign user to the access group) model snmpv2 uname v2trap gname v2trap /c/sys/ssnmp/snmpv3/notify 10 (Assign user to the notify table) name v2trap tag v2trap /c/sys/ssnmp/snmpv3/taddr 10 (Define an IP address to send traps) name v2trap addr 47.81.25.66 taglist v2trap pname v2param /c/sys/ssnmp/snmpv3/tparam 10 (Specify SNMPv2 traps to send) name v2param mpmodel snmpv2c uname v2trap model snmpv2 /c/sys/ssnmp/snmpv3/comm 10 (Define the community string) index v2trap name public uname v2trap

SNMPv3 trap host configuration

To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. Use the following commands to configure the access table:
/c/sys/ssnmp/snmpv3/access <x>/level
/c/sys/ssnmp/snmpv3/tparam <x>
Configure the user in the user table to match the configuration of the access table. It is not necessary to configure the community table for SNMPv3 traps because the community string is not
used by SNMPv3.
19
Accessing the switch
The following example shows how to configure a SNMPv3 user v3trap with authentication only:
/c/sys/ssnmp/snmpv3/usm 11 (Configure user named “v3trap”) name "v3trap" auth md5 authpw v3trap /c/sys/ssnmp/snmpv3/access 11 (Define access group to view SNMPv3 traps) name "v3trap" level authNoPriv nview "iso" /c/sys/ssnmp/snmpv3/group 11 (Assign user to the access group) uname v3trap gname v3trap /c/sys/ssnmp/snmpv3/notify 11 (Assign user to the notify table) name v3trap tag v3trap /c/sys/ssnmp/snmpv3/taddr 11 (Define an IP address to send traps) name v3trap addr 47.81.25.66 taglist v3trap pname v3param /c/sys/ssnmp/snmpv3/tparam 11 (Specify SNMPv3 traps to send) name v3param uname v3trap level authNoPriv (Set the authentication level)
For more information on using SNMP, see the HP 10Gb Ethernet BL-c Switch Command Reference Guide. See the HP 10Gb Ethernet BL-c Switch User Guide for a complete list of supported MIBs.
Secure access to the switch
Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:
Limiting management users to a specific IP address range. See the “Setting allowable source IP
address ranges” section in this chapter.
Authentication and authorization of remote administrators. See the “RADIUS authentication and
authorization” section or the “TACACS+ authentication” section, both later in this chapter.
Encryption of management information exchanged between the remote administrator and the switch.
See the “Secure Shell and Secure Copy” section later in this chapter.

Setting allowable source IP address ranges

To limit access to the switch without having to configure filters for each switch port, you can set a source IP address (or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the switch browser-based interface (BBI).
When an IP packet reaches the application switch, the source IP address is checked against the range of addresses defined by the management network and management mask. If the source IP address of the host or hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a switch IP interface with a source IP address outside this range is discarded.
20
Accessing the switch
Configuring an IP address range for the management network
Configure the management network IP address and mask from the System Menu in the CLI. For example:
>> Main# /cfg/sys/access/mgmt/add Enter Management Network Address: 192.192.192.0 Enter Management Network Mask: 255.255.255.128
In this example, the management network is set to 192.192.192.0 and management mask is set to
255.255.255.128. This defines the following range of allowed IP addresses:
192.192.192.1 to 192.192.192.127 The following source IP addresses are granted or not granted access to the switch:
A host with a source IP address of 192.192.192.21 falls within the defined range and would be
allowed to access the switch.
A host with a source IP address of 192.192.192.192 falls outside the defined range and is not
granted access. To make this source IP address valid, you would need to shift the host to an IP address within the valid range specified by the mnet and mmask or modify the mnet to be
192.192.192.128 and the mmask to be 255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the mnet and mmask (192.192.192.128-255).

RADIUS authentication and authorization

The switch supports the Remote Authentication Dial-in User Service (RADIUS) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request
For Comments (RFC) 2138 and 2866
A centralized server that stores all the user authorization information
A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.
How RADIUS authentication works
RADIUS authentication works as follows:
1. A remote administrator connects to the switch and provides the user name and password.
2. Using Authentication/Authorization protocol, the switch sends the request to the authentication
server.
3. The authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative
access.
21
Accessing the switch
Configuring RADIUS on the switch (CLI example)
To configure RADIUS on the switch, do the following:
1. Turn RADIUS authentication on, and then configure the Primary and Secondary RADIUS servers. For
example:
>> Main# /cfg/sys/radius (Select the RADIUS Server menu) >> RADIUS Server# on (Turn RADIUS on) Current status: OFF New status: ON >> RADIUS Server# prisrv 10.10.1.1 (Enter primary server IP) Current primary RADIUS server: 0.0.0.0 New pending primary RADIUS server: 10.10.1.1 >> RADIUS Server# secsrv 10.10.1.2 (Enter secondary server IP) Current secondary RADIUS server: 0.0.0.0 New pending secondary RADIUS server: 10.10.1.2
2. Configure the primary RADIUS secret and secondary RADIUS secret.
>> RADIUS Server# secret Enter new RADIUS secret: <1-32 character secret> >> RADIUS Server# secret2 Enter new RADIUS second secret: <1-32 character secret>
CAUTION: If you configure the RADIUS secret using any method other than a direct console
connection, the secret may be transmitted over the network as clear text.
3. If desired, you may change the default User Datagram Protocol (UDP) port number used to listen to
RADIUS. The well-known port for RADIUS is 1645.
>> RADIUS Server# port Current RADIUS port: 1645 Enter new RADIUS port [1500-3000]: <UDP port number>
4. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.
>> RADIUS Server# retries Current RADIUS server retries: 3 Enter new RADIUS server retries [1-3]: <server retries> >> RADIUS Server# time Current RADIUS server timeout: 3 Enter new RADIUS server timeout [1-10]: 10 (Enter the timeout period in seconds)
5. Apply and save the configuration.
>> RADIUS Server# apply >> RADIUS Server# save
22
Accessing the switch
Configuring RADIUS on the switch (BBI example)
1. Configure RADIUS parameters.
a. Click the Configure context button. b. Open the System folder, and select Radius.
c. Enter the IP address of the primary and secondary RADIUS servers, and enter the RADIUS secret
for each server. Enable the RADIUS server.
CAUTION: If you configure the RADIUS secret using any method other than a direct console
connection, the secret may be transmitted over the network as clear text.
d. Click Submit.
23
Accessing the switch
2. Apply, verify, and save the configuration.
RADIUS authentication features
The switch supports the following RADIUS authentication features:
Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and
RFC 2866.
Allows RADIUS secret password up to 32 bytes.
Supports secondary authentication server so that when the primary authentication server is
unreachable, the switch can send client authentication requests to the secondary authentication server. Use the /cfg/sys/radius/cur command to show the currently active RADIUS authentication server.
Supports user-configurable RADIUS server retry and time-out values:
Time-out value = 1-10 seconds Retries = 1-3
The switch will time out if it does not receive a response from the RADIUS server in one to three
retries. The switch will also automatically retry connecting to the RADIUS server before it declares the server down.
Supports user-configurable RADIUS application port. The default is 1645/User Datagram Protocol
(UDP)-based on RFC 2138. Port 1812 is also supported.
Allows network administrator to define privileges for one or more specific users to access the switch
at the RADIUS user database.
Allows the administrator to configure RADIUS backdoor and secure backdoor for Telnet, SSH, HTTP,
and HTTPS access.
User accounts for RADIUS users
The user accounts listed in the following table can be defined in the RADIUS server dictionary file.
Table 2 User access levels
User account Description and tasks performed
User User interaction with the switch is completely passive; nothing can be changed on the
switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.
Operator Operators can only effect temporary changes on the switch. These changes are lost when
the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation, but do have access to the Maintenance menu. By default, the operator account is disabled and has no password.
24
Accessing the switch
Table 2 User access levels
User account Description and tasks performed
Administrator Administrators are the only ones that can make permanent changes to the switch
configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the switch level. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.
RADIUS attributes for user privileges
When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. Only when both the primary and secondary authentication servers are not reachable, the administrator has the option to allow secure backdoor (secbd) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. The default value for backdoor access through the console port only is enabled. You always can access the switch via the console port, by using noradius and the administrator password, whether backdoor/secure backdoor are enabled or not. The default value for backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is disabled.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels.
Table 3 Proprietary attributes for RADIUS
User name/access User service type Value
User Vendor-supplied 255
Operator Vendor-supplied 252
TACACS+ authentication
The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the switch either through a data or management port.
25
Accessing the switch
TACACS+ offers the following advantages over RADIUS:
TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers
a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in
authentication requests.
TACACS+ separates authentication, authorization, and accounting.

How TACACS+ authentication works

TACACS+ works much in the same way as RADIUS authentication.
1. Remote administrator connects to the switch and provides user name and password.
NOTE: The user name and password can have a maximum length of 128 characters. The
password cannot be left blank.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny
administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.

TACACS+ authentication features

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access levels is shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.
Table 4 Default TACACS+ privilege levels
User access level TACACS+ level
user 0
oper 3
admin 6
26
Accessing the switch
Alternate mapping between TACACS+ privilege levels and HP 10GbE switch management access levels is shown in the table below. Use the command /cfg/sys/tacacs/cmap ena to use the alternate TACACS+ privilege levels.
Table 5 Alternate TACACS+ privilege levels
User access level TACACS+ level
user 0—1
oper 6—8
admin 14—15
You can customize the mapping between TACACS+ privilege levels and HP 10GbE switch management access levels. Use the command /cfg/sys/tacacs/usermap to manually map each TACACS+ privilege level (0-15) to a corresponding HP 10GbE switch management access level (user, oper, admin, none).
If the remote user is authenticated by the authentication server, the HP 10GbE switch verifies the privileges of the remote user and authorizes the appropriate access. When both the primary and secondary authentication servers are not reachable, the administrator has an option to allow backdoor access via the console only or console and Telnet access. The default value is disable for Telnet access and enable for console access. The administrator also can enable secure backdoor (/cfg/sys/tacacs/secbd) to allow access if both the primary and secondary TACACS+ servers fail to respond.

Accounting

Accounting is the action of recording a user’s activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, no TACACS+ accounting messages are sent out.
You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.
The switch supports the following TACACS+ accounting attributes:
protocol (console/telnet/ssh/http)
start_time
stop_time
elapsed_time
NOTE: When using the browser-based Interface, the TACACS+ Accounting Stop records are sent
only if the Quit button on the browser is clicked.
27
Accessing the switch

Configuring TACACS+ authentication on the switch (CLI example)

1. Turn TACACS+ authentication on, and then configure the Primary and Secondary TACACS+ servers.
>> Main# /cfg/sys/tacacs (Select the TACACS+ Server menu) >> TACACS+ Server# on (Turn TACACS+ on) Current status: OFF New status: ON >> TACACS+ Server# prisrv 10.10.1.1 (Enter primary server IP) Current primary TACACS+ server: 0.0.0.0 New pending primary TACACS+ server: 10.10.1.1 >> TACACS+ Server# secsrv 10.10.1.2 (Enter secondary server IP) Current secondary TACACS+ server: 0.0.0.0 New pending secondary TACACS+ server: 10.10.1.2
2. Configure the TACACS+ secret and second secret.
>> TACACS+ Server# secret Enter new TACACS+ secret: <1-32 character secret> >> TACACS+ Server# secret2 Enter new TACACS+ second secret: <1-32 character secret>
CAUTION: If you configure the TACACS+ secret using any method other than a direct console
connection, the secret may be transmitted over the network as clear text.
3. If desired, you may change the default TCP port number used to listen to TACACS+. The well-known
port for TACACS+ is 49.
>> TACACS+ Server# port Current TACACS+ port: 49 Enter new TACACS+ port [1-65000]: <TCP port number>
4. Configure the number retry attempts for contacting the TACACS+ server and the timeout period.
>> TACACS+ Server# retries Current TACACS+ server retries: 3 Enter new TACACS+ server retries [1-3]: 2 >> TACACS+ Server# time Current TACACS+ server timeout: 5 Enter new TACACS+ server timeout [4-15]: 10 (Enter the timeout period in minutes)
5. Configure custom privilege-level mapping (optional).
>> TACACS+ Server# usermap 2 Current privilege mapping for remote privilege 2: not set Enter new local privilege mapping: user >> TACACS+ Server# usermap 3 user >> TACACS+ Server# usermap 4 user >> TACACS+ Server# usermap 5 oper
6. Apply and save the configuration.
28
Accessing the switch

Configuring TACACS+ authentication on the switch (BBI example)

1. Configure TACACS+ authentication for the switch.
a. Click the Configure context button. b. Open the System folder, and select Tacacs+.
c. Enter the IP address of the primary and secondary TACACS+ servers, and enter the TACACS+
secret. Enable TACACS+.
d. Click Submit.
29
Accessing the switch
Configure custom privilege-level mapping (optional). Click Submit to accept each mapping
e.
change.
2. Apply, verify, and save the configuration.
Secure Shell and Secure Copy
Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing a switch does not provide a secure connection.
SSH is a protocol that enables remote administrators to log securely into the switch over a network to execute management commands. By default, SSH is disabled (off) on the switch.
SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on the network. On a switch, SCP is used to download and upload the switch configuration via secure channels. By default, SCP is disabled on the switch.
30
Loading...
+ 168 hidden pages