NEC N8406-023 Handbook
Part number: 856-126757-104-00
Second edition: Oct 2007
456-01769-000
PN# 456-01769-000
N8406-023 1Gb Intelligent L3 Switch
Application Guide
Legal notices
© 2007 NEC Corporation.
The information contained herein is subject to change without notice. The only warranties for NEC products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. NEC shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.
SunOS™ and Solaris™ are trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
Part number: 856-126757-104-00
Second edition: Oct 2007
2
Contents
Accessing the switch
Introduction ............................................................................................................................................................. 7
Additional references .............................................................................................................................................. 7
Typographical conventions ..................................................................................................................................... 7
Management Network ............................................................................................................................................ 8
Connecting through the console port ................................................................................................................ 8
Connecting through Telnet ................................................................................................................................ 8
Connecting through Secure Shell ..................................................................................................................... 9
Using the command line interfaces ........................................................................................................................ 9
Configuring an IP interface ................................................................................................................................ 9
Using the Browser-based Interface ...................................................................................................................... 11
Using Simple Network Management Protocol ...................................................................................................... 11
SNMP v1.0 ...................................................................................................................................................... 11
SNMP v3.0 ...................................................................................................................................................... 12
Default configuration ....................................................................................................................................... 12
User configuration ........................................................................................................................................... 12
View based configurations .............................................................................................................................. 13
Configuring SNMP trap hosts.......................................................................................................................... 14
Secure access to the switch ................................................................................................................................. 16
Setting allowable source IP address ranges ................................................................................................... 16
RADIUS authentication and authorization ....................................................................................................... 16
TACACS+ authentication ................................................................................................................................ 20
Secure Shell and Secure Copy ....................................................................................................................... 25
User access control ................................................................................................ .............................................. 29
Setting up user IDs .......................................................................................................................................... 29
Ports and trunking
Introduction ........................................................................................................................................................... 30
Ports on the switch ............................................................................................................................................... 30
Port trunk groups .................................................................................................................................................. 30
Statistical load distribution ............................................................................................................................... 31
Built-in fault tolerance ...................................................................................................................................... 31
Before you configure trunks .................................................................................................................................. 31
Trunk group configuration rules ............................................................................................................................ 31
Port trunking example ........................................................................................................................................... 32
Configuring trunk groups (AOS CLI example) ................................................................................................. 33
Configuring trunk groups (BBI example) ......................................................................................................... 34
Configurable Trunk Hash algorithm ...................................................................................................................... 36
Link Aggregation Control Protocol ........................................................................................................................ 37
Configuring LACP ........................................................................................................................................... 38
Port-based Network Access and traffic control
Port-based Network Access control ..................................................................................................................... 39
Extensible authentication protocol over LAN .................................................................................................. 39
802.1x authentication process ........................................................................................................................ 39
EAPoL Message Exchange ............................................................................................................................ 40
802.1x port states ............................................................................................................................................ 41
Supported RADIUS attributes ......................................................................................................................... 41
EAPoL configuration guidelines ...................................................................................................................... 42
Port-based traffic control ...................................................................................................................................... 42
VLANs
Introduction ........................................................................................................................................................... 44
Overview ............................................................................................................................................................... 44
VLANs and port VLAN ID numbers ...................................................................................................................... 44
VLAN numbers ................................................................................................................................................ 44
PVID numbers ................................................................................................................................................. 44
Viewing and configuring PVIDs ....................................................................................................................... 45
VLAN tagging ....................................................................................................................................................... 45
VLANs and IP interfaces ...................................................................................................................................... 48
VLAN topologies and design considerations ........................................................................................................ 48
VLAN configuration rules ................................................................................................................................ 48
N8406-023 1Gb Intelligent L3 Switch Application Guide 3
Multiple VLANS with tagging ................................................................................................................................ 49
Configuring the example network .................................................................................................................... 50
FDB static entries ................................................................................................................................................. 57
Trunking support for FDB static entries ........................................................................................................... 57
Configuring a static FDB entry ........................................................................................................................ 57
Spanning Tree Protocol
Introduction ........................................................................................................................................................... 58
Overview ............................................................................................................................................................... 58
Bridge Protocol Data Units ................................................................................................................................... 58
Determining the path for forwarding BPDUs ................................................................................................... 58
Spanning Tree Group configuration guidelines .................................................................................................... 59
Default Spanning Tree configuration ............................................................................................................... 59
Adding a VLAN to a Spanning Tree Group ..................................................................................................... 59
Creating a VLAN ............................................................................................................................................. 59
Rules for VLAN tagged ports .......................................................................................................................... 59
Adding and removing ports from STGs ........................................................................................................... 60
Assigning cost to ports and trunk groups ........................................................................................................ 60
Multiple Spanning Trees ....................................................................................................................................... 60
Why do we need Multiple Spanning Trees? .................................................................................................... 60
VLAN participation in Spanning Tree Groups ................................................................................................. 61
Configuring Multiple Spanning Tree Groups ................................................................................................... 61
Port Fast Forwarding ............................................................................................................................................ 63
Configuring Port Fast Forwarding ................................................................................................................... 64
Fast Uplink Convergence ..................................................................................................................................... 64
Configuration guidelines .................................................................................................................................. 64
Configuring Fast Uplink Convergence ............................................................................................................ 64
RSTP and MSTP
Introduction ........................................................................................................................................................... 65
Rapid Spanning Tree Protocol ............................................................................................................................. 65
Port state changes .......................................................................................................................................... 65
Port type and link type ..................................................................................................................................... 65
RSTP configuration guidelines ........................................................................................................................ 66
RSTP configuration example .......................................................................................................................... 66
Multiple Spanning Tree Protocol .......................................................................................................................... 68
MSTP region ................................................................................................................................................... 68
Common Internal Spanning Tree .................................................................................................................... 68
MSTP configuration guidelines ....................................................................................................................... 68
MSTP configuration example .......................................................................................................................... 68
Quality of Service
Introduction ........................................................................................................................................................... 73
Overview ............................................................................................................................................................... 73
Using ACL filters ................................................................................................................................................... 74
Summary of packet classifiers ........................................................................................................................ 74
Summary of ACL actions ................................................................................................................................ 75
Understanding ACL precedence ..................................................................................................................... 75
Using ACL Groups ................................................................................................................................................ 77
ACL Metering and Re-marking ............................................................................................................................. 77
Metering .......................................................................................................................................................... 77
Re-marking ...................................................................................................................................................... 78
Viewing ACL statistics .......................................................................................................................................... 78
ACL configuration examples ................................................................................................................................. 78
Configure Access Control Lists (AOS CLI example) ....................................................................................... 78
Configure Access Control Lists and Groups (BBI example 1) ........................................................................ 79
Using DSCP values to provide QoS ..................................................................................................................... 83
Differentiated Services concepts..................................................................................................................... 83
Per Hop Behavior ............................................................................................................................................ 83
QoS levels ....................................................................................................................................................... 84
Using 802.1p priorities to provide QoS ................................................................................................................. 84
802.1p configuration (AOS CLI example) ....................................................................................................... 85
802.1p configuration (BBI example) ................................................................................................................ 86
Queuing and scheduling ....................................................................................................................................... 89
Basic IP routing
IP routing benefits ................................................................................................................................................. 90
N8406-023 1Gb Intelligent L3 Switch Application Guide 4
Routing between IP subnets ................................................................................................................................. 90
Example of subnet routing .................................................................................................................................... 92
Using VLANs to segregate broadcast domains .............................................................................................. 94
Routing Information Protocol
Distance vector protocol ....................................................................................................................................... 96
Stability ................................................................................................................................................................. 96
Routing updates ................................................................................................................................................... 96
RIPv1 .................................................................................................................................................................... 96
RIPv2 .................................................................................................................................................................... 96
RIPv2 in RIPv1 compatibility mode ...................................................................................................................... 97
RIP Features ........................................................................................................................................................ 97
Poison ............................................................................................................................................................. 97
Triggered updates ........................................................................................................................................... 97
Multicast .......................................................................................................................................................... 97
Default ............................................................................................................................................................. 97
Metric .............................................................................................................................................................. 97
Authentication ................................................................................................................................................. 97
RIP configuration example ................................................................................................................................... 98
IGMP Snooping
Introduction ........................................................................................................................................................... 99
Overview ............................................................................................................................................................... 99
FastLeave ....................................................................................................................................................... 99
IGMP Filtering ............................................................................................................................................... 100
Static multicast router .................................................................................................................................... 100
IGMP Snooping configuration example ......................................................................................................... 100
OSPF
OSPF overview ................................................................................................................................................... 109
Types of OSPF areas .................................................................................................................................... 109
Types of OSPF routing devices .................................................................................................................... 110
Neighbors and adjacencies ........................................................................................................................... 111
Link-State Database ...................................................................................................................................... 111
Shortest Path First Tree ................................................................................................................................ 111
Internal versus external routing ..................................................................................................................... 111
OSPF implementation ........................................................................................................................................ 112
Configurable parameters ............................................................................................................................... 112
Defining areas ............................................................................................................................................... 112
Interface cost ................................................................................................................................................. 114
Electing the designated router and backup ................................................................................................... 114
Summarizing routes ...................................................................................................................................... 114
Default routes ..................................................................................................................................................... 114
Virtual links .................................................................................................................................................... 115
Router ID ....................................................................................................................................................... 116
Authentication ............................................................................................................................................... 116
Host routes for load balancing ...................................................................................................................... 117
OSPF features not supported ....................................................................................................................... 118
OSPF configuration examples ............................................................................................................................ 118
Example 1: Simple OSPF domain (AOS CLI example) ................................................................................ 118
Example 2: Virtual links ................................................................................................................................. 126
Example 3: Summarizing routes ................................................................................................................... 129
Verifying OSPF configuration ........................................................................................................................ 130
Remote monitoring
Introduction ......................................................................................................................................................... 131
Overview ............................................................................................................................................................. 131
RMON group 1 — statistics ........................................................................................................................... 131
RMON group 2 — history .............................................................................................................................. 134
RMON group 3 — alarms .............................................................................................................................. 136
RMON group 9 — events .............................................................................................................................. 140
High availability
Introduction ......................................................................................................................................................... 142
Uplink Failure Detection ..................................................................................................................................... 142
Failure Detection Pair .................................................................................................................................... 143
Spanning Tree Protocol with UFD ................................................................................................................. 143
N8406-023 1Gb Intelligent L3 Switch Application Guide 5
Configuration guidelines ................................................................................................................................ 143
Monitoring Uplink Failure Detection .............................................................................................................. 143
Configuring Uplink Failure Detection ............................................................................................................. 145
VRRP overview .................................................................................................................................................. 148
VRRP components ........................................................................................................................................ 148
VRRP operation .................................................................................................................................................. 149
Selecting the master VRRP router ................................................................................................................ 149
Failover methods ................................................................................................................................ ................ 149
Active-Active redundancy .............................................................................................................................. 150
Extensions to VRRP ........................................................................................................................................... 150
Tracking VRRP router priority ....................................................................................................................... 150
Virtual router deployment considerations ........................................................................................................... 150
Assigning VRRP virtual router ID .................................................................................................................. 151
Configuring the switch for tracking ................................................................................................................ 151
High availability configurations ........................................................................................................................... 151
Active-Active configuration ............................................................................................................................ 151
Troubleshooting tools
Introduction ......................................................................................................................................................... 162
Port Mirroring ...................................................................................................................................................... 162
Configuring Port Mirroring (AOS CLI example) ............................................................................................. 163
Configuring Port Mirroring (BBI example) ..................................................................................................... 164
Other network troubleshooting techniques ......................................................................................................... 166
Console and Syslog messages ..................................................................................................................... 166
Ping ............................................................................................................................................................... 166
Trace route .................................................................................................................................................... 166
Statistics and state information ..................................................................................................................... 166
Customer support tools ................................................................................................................................. 166
N8406-023 1Gb Intelligent L3 Switch Application Guide 6
Accessing the switch
Table 1 Typographic conventions
Typeface or symbol
Meaning
Example
AaBbCc123
This type depicts onscreen computer output and
prompts.
Main#
AaBbCc123
This type displays in command examples and
shows text that must be typed in exactly as
shown.
Main# sys
Introduction
This guide will help you plan, implement, and administer the switch software. Where possible, each section
provides feature overviews, usage examples, and configuration instructions.
―Accessing the switch‖ describes how to configure and view information and statistics on the switch over an IP
network. This chapter also discusses different methods to manage the switch for remote administrators, such
as setting specific IP addresses and using Remote Authentication Dial-in User Service (RADIUS)
authentication, Secure Shell (SSH), and Secure Copy (SCP) for secure access to the switch.
―Ports and port trunking‖ describes how to group multiple physical ports together to aggregate the bandwidth
between large-scale network devices.
―Port-based Network Access and Traffic Control‖ describes how to authenticate devices attached to a LAN
port that has point-to-point connection characteristics. Port-based Network Access Control provides security
to ports of the switch that connect to servers. Port-based Traffic Control allows the switch to guard against
broadcast storms.
―VLANs‖ describes how to configure Virtual Local Area Networks (VLANs) for creating separate network
segments, including how to use VLAN tagging for devices that use multiple VLANs.
―Spanning Tree Protocol‖ discusses how spanning trees configure the network so that the switch uses the
most efficient path when multiple paths exist.
―Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol‖ describes extensions to the Spanning Tree
Protocol that provide rapid convergence of spanning trees for fast reconfiguration of the network.
―Quality of Service‖ discusses Quality of Service features, including IP filtering using Access Control Lists,
Differentiated Services, and IEEE 802.1p priority values.
―Basic IP Routing‖ describes how to configure the switch for IP routing using IP subnets.
―Routing Information Protocol‖ describes how the switch software implements standard Routing Information
Protocol (RIP) for exchanging TCP/IP route information with other routers.
―IGMP Snooping‖ describes how to use IGMP to conserve bandwidth in a multicast-switching environment.
―OSPF‖ describes Open Shortest Path First (OSPF) concepts, how OSPF is implemented, and examples of
how to configure your switch for OSPF support.
―Remote Monitoring‖ describes how to configure the RMON agent on the switch, so the switch can exchange
network monitoring data.
―High Availability‖ describes how the switch supports high-availability network topologies. This release
provides Uplink Failure Detection and Virtual Router Redundancy Protocol (VRRP).
―Troubleshooting tools‖ describes Port Mirroring and other troubleshooting techniques.
Additional references
Additional information about installing and configuring the switch is available in the following guides, which are
attached in this product.
N8406-023 1Gb Intelligent L3 Switch User’s Guide
N8406-023 1Gb Intelligent L3 Switch Command Reference Guide (AOS)
N8406-023 1Gb Intelligent L3 Switch Command Reference Guide (ISCLI)
N8406-023 1Gb Intelligent L3 Switch Browser-based Interface Reference Guide
Typographical conventions
The following table describes the typographic styles used in this guide:
N8406-023 1Gb Intelligent L3 Switch Application Guide 7
Table 1 Typographic conventions
Typeface or symbol
Meaning
Example
<AaBbCc123>
This bracketed type displays in command
examples as a parameter placeholder. Replace
the indicated text with the appropriate real name
or value when using the command. Do not type
the brackets.
This also shows guide titles, special terms, or
words to be emphasized.
To establish a Telnet session, enter:
host# telnet <IP address>
Read your user guide thoroughly.
[ ]
Command items shown inside brackets are
optional and can be used or excluded as the
situation demands. Do not type the brackets.
host# ls [-a]
telnet <switch IP address>
Management Network
The 1Gb Intelligent L3 Switch is a Switch Module within the Blade Enclosure. The Blade Enclosure includes an
Enclosure Manager Card which manages the modules and CPU Blades in the enclosure.
The 1Gb Intelligent L3 Switch communicates with the Enclosure Manager Card through its internal management
port (port 19). The factory default settings permit management and control access to the switch through the 10/100
Mbps Ethernet port on the Blade Enclosure, or the built-in console port. You also can use the external Ethernet
ports to manage and control this switch.
The switch management network has the following characteristics:
Port 19 — Management port 19 has the following configuration:
Flow control: both
Auto-negotiation
Untagged
Port VLAN ID (PVID): 4095
VLAN 4095 — Management VLAN 4095 isolates management traffic within the switch. VLAN 4095 contains
only one member port (port 19). No other ports can be members of VLAN 4095.
Interface 256 — Management interface 256 is associated with VLAN 4095. No other interfaces can be
associated with VLAN 4095. You can configure the IP address of the management interface manually or
through Dynamic Host Control Protocol (DHCP).
Gateway 4 — This gateway is the default gateway for the management interface.
STG 128 — If the switch is configured to use multiple spanning trees, spanning tree group 128 (STG 128)
contains management VLAN 4095, and no other VLANS are allowed in STG 128. The default status of STG
128 is off.
If the switch is configured to use Rapid Spanning Tree Protocol, STG 1 contains management VLAN 4095.
To access the switch management interface:
Use the Enclosure Manager Card internal DHCP server, through Enclosure-Based IP Addressing
Assign a static IP interface to the switch management interface
(interface 256).
Connecting through the console port
Using a null modem cable, you can directly connect to the switch through the console port. A console connection is
required in order to configure Telnet or other remote access applications. For more information on establishing
console connectivity to the switch, see the N8406-023 1Gb Intelligent L3 Switch User’s Guide.
Connecting through Telnet
By default, Telnet is enabled on the switch. Once the IP parameters are configured, you can access the CLI from
any workstation connected to the network using a Telnet connection. Telnet access provides the same options for a
user and an administrator as those available through the console port, minus certain commands. The switch
supports four concurrent Telnet connections.
To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the telnet
command, followed by the switch IP address:
N8406-023 1Gb Intelligent L3 Switch Application Guide 8
Connecting through Secure Shell
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
Switch(config)# spanning-tree stp 1 enable
>> # /cfg/sys/dhcp disable (Disable dhcp)
>> # /cfg/l3/if 256 (Select IP interface 256)
>> IP Interface 256# addr 205.21.17.3(Assign IP address for the interface)
Current IP address: 0.0.0.0
New pending IP address: 205.21.17.3
Pending new subnet mask: 255.255.255.0
. . . . . . . . . . . .
>> IP Interface 256# ena (Enable IP interface 256)
By default, the Secure Shell (SSH) protocol is disabled on the switch. SSH enables you to securely log into another
computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch
configuration, SSH ensures that all data sent over the network is encrypted and secure. For more information, see
the ―Secure Shell and Secure Copy‖ section later in this chapter. For additional information on the CLI, see the
N8406-023 1Gb Intelligent L3 Switch Command Reference Guide.
Using the command line interfaces
The command line interface (CLI) can be accessed via local terminal connection or a remote session using Telnet
or SSH. The CLI is the most direct method for collecting switch information and performing switch configuration.
The switch provides two CLI modes: The menu-based AOS CLI, and the tree-based ISCLI. You can set the switch
to use either CLI mode.
The Main Menu of the AOS CLI, with administrator privileges, is displayed below:
For complete information about the AOS CLI, refer to the Command Reference Guide (AOS).
The ISCLI provides a tree-based command structure, for users familiar with similar products.
An example of a typical ISCLI command is displayed below:
For complete information about the ISCLI, refer to the Command Reference Guide (ISCLI).
Configuring an IP interface
An IP interface address must be set on the switch to provide management access to the switch over an IP network.
By default, the management interface is set up to request its IP address from a DHCP server on the Enclosure
Manager Card.
If you configure an IP address manually, the following example shows how to manually configure an IP address on
the switch:
1. Configure an IP interface for the Telnet connection, using the sample IP address of 205.21.17.3.
2. Disable dhcp.
3. The pending subnet mask address and broadcast address are automatically calculated.
N8406-023 1Gb Intelligent L3 Switch Application Guide 9
4. If necessary, configure default gateway.
N8406-023 1Gb Intelligent L3 Switch Application Guide 10
5. Configuring the default gateways allows the switch to send outbound traffic to the routers.
>> IP Interface 256# ../gw 4 (Select default gateway 4)
>> Default gateway 4# addr 205.21.17.1 (Assign IP address for a router)
>> Default gateway 4# ena (Enable default gateway 4)
>> Default gateway 4# apply (Apply the configuration)
>> Default gateway 4# save (Save the configuration)
>> # /cfg/dump (Verify the configuration)
NOTE: Disable dhcp on this switch when the IP address on interface 256 is set manually. When the
dhcp is enabled, the IP address obtained from the DHCP server overrides the static IP address
configured manually.
>> /cfg/sys/ssnmp/rcomm
>> /cfg/sys/ssnmp/wcomm
6. Apply, verify, and save the configuration.
Using the Browser-based Interface
By default, the Browser-based Interface (BBI) protocol is enabled on the switch. The Browser-based Interface (BBI)
provides access to the common configuration, management and operation features of the switch through your Web
browser. For more information, see the N8406-023 1Gb Intelligent L3 Switch Browser-based Interface Reference
Guide.
The BBI is organized at a high level as follows:
Configuration — These menus provide access to the configuration elements for the entire switch.
System — Configure general switch configuration elements.
Switch ports — Configure switch ports and related features.
Port-based port mirroring — Configure mirrored ports and monitoring ports.
Layer 2 — Configure Layer 2 features, including trunk groups, VLANs, and Spanning Tree Protocol.
RMON menu — Configure Remote Monitoring (RMON) functions.
Layer 3 — Configure all of the IP related information, including IGMP Snooping.
QoS — Configure Quality of Service features.
Access Control — Configure Access Control Lists and Groups.
Uplink Failure Detection — Configure a Failover Pair of Links to Monitor and Links to Disable.
Statistics — These menus provide access to the switch statistics and state information.
Dashboard — These menus display settings and operating status of a variety of switch features.
Using Simple Network Management Protocol
The switch software provides SNMP v1.0 and SNMP v3.0 support for access through any network management
software.
SNMP v1.0
To access the SNMP agent on the switch, the read and write community strings on the SNMP manager should be
configured to match those on the switch. The default read community string on the switch is public and the
default write community string is private.
The read and write community strings on the switch can be changed using the following commands on the CLI.
and
The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the
switch.
For the SNMP manager to receive the traps sent out by the SNMP agent on the switch, the trap host on the switch
should be configured with the following command:
N8406-023 1Gb Intelligent L3 Switch Application Guide 11
/cfg/sys/ssnmp/snmpv3/taddr
>> # /cfg/sys/ssnmp/snmpv3
>> # /cfg/sys/ssnmp/snmpv3/usm 6
>> # /cfg/sys/ssnmp/snmpv3/usm 5
>> SNMPv3 usmUser 5 # name "test"
>> SNMPv3 usmUser 5 # auth md5
>> SNMPv3 usmUser 5 # authpw test
>> SNMPv3 usmUser 5 # priv des
>> SNMPv3 usmUser 5 # privpw test
>> # /cfg/sys/ssnmp/snmpv3/access 5
>> SNMPv3 vacmAccess 5 # name "testgrp"
>> SNMPv3 vacmAccess 5 # level authPriv
>> SNMPv3 vacmAccess 5 # rview "iso"
>> SNMPv3 vacmAccess 5 # wview "iso"
>> SNMPv3 vacmAccess 5 # nview "iso"
>> # /cfg/sys/ssnmp/snmpv3/group 5
>> SNMPv3 vacmSecurityToGroup 5 # uname test
>> SNMPv3 vacmSecurityToGroup 5 # gname testgrp
For more details, see ―Configuring SNMP trap hosts‖.
SNMP v3.0
SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet
Engineering Steering Group in March, 2002. SNMP v3.0 contains additional security and authentication features
that provide data origin authentication, data integrity checks, timeliness indicators, and encryption to protect against
threats such as masquerade, modification of information, message stream modification, and disclosure.
SNMP v3 ensures that the client can use SNMP v3 to query the MIBs, mainly for security.
To access the SNMP v3.0 menu, enter the following command in the CLI:
For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the
Command Reference Guide.
Default configuration
The switch software has two users by default. Both the users 'adminmd5' and 'adminsha' have access to all the
MIBs supported by the switch.
1. username 1: adminmd5/password adminmd5. Authentication used is MD5.
2. username 2: adminsha/password adminsha. Authentication used is SHA.
3. username 3: v1v2only/password none.
To configure an SNMP user name, enter the following command from the CLI:
User configuration
Users can be configured to use the authentication/privacy options. Currently we support two authentication
algorithms: MD5 and SHA. These can be specified using the command: /cfg/sys/ssnmp/snmpv3/usm
<x>/auth md5|sha
1. To configure a user with name 'test,' authentication type MD5, and authentication password of 'test,' privacy
option DES with privacy password of 'test,' use the following CLI commands:
2. Configure a user access group, along with the views the group may access. Use the access table to configure
the group's access level.
Because the read view (rview), write view(wview), and notify view (nview) are all set to "iso", the user type has
access to all private and public MIBs.
3. The group table links the user to a particular access group.
If you want to allow user access only to certain MIBs, see the ―View based configurations‖ section.
N8406-023 1Gb Intelligent L3 Switch Application Guide 12
View based configurations
/c/sys/ssnmp/snmpv3/usm 4
name "usr"
/c/sys/ssnmp/snmpv3/access 3
name "usrgrp"
rview "usr"
wview "usr"
nview "usr"
/c/sys/ssnmp/snmpv3/group 3
uname usr
gname usrgrp
/c/sys/ssnmp/snmpv3/view 6
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.1.2"
/c/sys/ssnmp/snmpv3/view 7
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.1.3"
/c/sys/ssnmp/snmpv3/view 8
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.2.2"
/c/sys/ssnmp/snmpv3/view 9
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.2.3"
/c/sys/ssnmp/snmpv3/view 10
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.3.2"
/c/sys/ssnmp/snmpv3/view 11
name "usr"
tree " 1.3.6.1.4.1.26543.2.6.3.3"
(Configure the user)
(Configure access group 3)
(Assign user to access group 3)
(Create views for user)
(Agent statistics)
(Agent information)
(L2 statistics)
(L2 information)
(L3 statistics)
(L3 information)
/c/sys/ssnmp/snmpv3/usm 5
name "oper"
/c/sys/ssnmp/snmpv3/access 4
name "opergrp"
rview "oper"
wview "oper"
nview "oper"
/c/sys/ssnmp/snmpv3/group 4
uname oper
gname opergrp
/c/sys/ssnmp/snmpv3/view 20
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.1.2"
/c/sys/ssnmp/snmpv3/view 21
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.1.3"
/c/sys/ssnmp/snmpv3/view 22
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.2.2"
/c/sys/ssnmp/snmpv3/view 23
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.2.3"
/c/sys/ssnmp/snmpv3/view 24
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.3.2"
/c/sys/ssnmp/snmpv3/view 25
name "oper"
tree " 1.3.6.1.4.1.26543.2.6.3.3"
(Configure the oper)
(Configure access group 4)
(Assign user to access group 4)
(Create views for oper)
(Agent statistics)
(Agent information)
(L2 statistics)
(L2 information)
(L3 statistics)
(L3 information)
CLI user equivalent
To configure an SNMP user equivalent to the CLI 'user,' use the following configuration:
CLI oper equivalent
To configure an SNMP user equivalent to the CLI ‗oper‘, use the following configuration:
N8406-023 1Gb Intelligent L3 Switch Application Guide 13
/c/sys/ssnmp/snmpv3/usm 10
name "v1trap"
(Configure user named "v1trap")
/c/sys/ssnmp/snmpv3/access 10
name "v1trap"
model snmpv1
nview "iso"
/c/sys/ssnmp/snmpv3/group 10
model snmpv1
uname v1trap
gname v1trap
(Define access group to view SNMPv1 traps)
(Assign user to the access group)
/c/sys/ssnmp/snmpv3/notify 10
name v1trap
tag v1trap
(Assign user to the notify table)
/c/sys/ssnmp/snmpv3/taddr 10
name v1trap
addr 47.80.23.245
taglist v1trap
pname v1param
/c/sys/ssnmp/snmpv3/tparam 10
name v1param
mpmodel snmpv1
uname v1trap
model snmpv1
(Define an IP address to send traps)
(Specify SNMPv1 traps to send)
/c/sys/ssnmp/snmpv3/comm 10
index v1trap
name public
uname v1trap
(Define the community string)
Configuring SNMP trap hosts
SNMPv1 trap host
1. Configure a user with no authentication and password.
2. Configure an access group and group table entries for the user. Use the following command to specify which
traps can be received by the user:
/c/sys/ssnmp/snmpv3/access <x>/nview
In this example the user will receive the traps sent by the switch.
3. Configure an entry in the notify table.
4. Specify the IP address and other trap parameters in the Target Address (targetAddr) and Target Parameters
(targetParam) tables. Use the following command to specify the user name with this targetParam table:
c/sys/ssnmp/snmpv3/tparam <x>/uname
5. Use the community table to define the community string used in the traps.
N8406-023 1Gb Intelligent L3 Switch Application Guide 14
SNMPv2 trap host configuration
c/sys/ssnmp/snmpv3/usm 10
name "v2trap"
/c/sys/ssnmp/snmpv3/access 10
name "v2trap"
model snmpv2
nview "iso"
/c/sys/ssnmp/snmpv3/group 10
model snmpv2
uname v2trap
gname v2trap
/c/sys/ssnmp/snmpv3/taddr 10
name v2trap
addr 47.81.25.66
taglist v2trap
pname v2param
/c/sys/ssnmp/snmpv3/tparam 10
name v2param
mpmodel snmpv2c
uname v2trap
model snmpv2
/c/sys/ssnmp/snmpv3/notify 10
name v2trap
tag v2trap
/c/sys/ssnmp/snmpv3/comm 10
index v2trap
name public
uname v2trap
(Configure user named "v2trap")
(Define access group to view SNMPv2 traps)
(Assign user to the access group)
(Define an IP address to send traps)
(Secify SNMPv2 traps to send)
(Assign user to the notify table)
(Define the community string)
/c/sys/ssnmp/snmpv3/usm 11
name "v3trap"
auth md5
authpw v3trap
/c/sys/ssnmp/snmpv3/access 11
name "v3trap"
level authNoPriv
nview "iso"
/c/sys/ssnmp/snmpv3/group 11
uname v3trap
gname v3trap
/c/sys/ssnmp/snmpv3/taddr 11
name v3trap
addr 47.81.25.66
taglist v3trap
pname v3param
/c/sys/ssnmp/snmpv3/tparam 11
name v3param
uname v3trap
level authNoPriv
/c/sys/ssnmp/snmpv3/notify 11
name v3trap
tag v3trap
(Configure user named "v3trap")
(Define access group to view SNMPv3 traps)
(Assign user to the access group)
(Define an IP address to send traps)
(Secify SNMPv3 traps to send)
(Set the authentication level)
(Assign user to the notify table)
The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the
model, specify snmpv2 instead of snmpv1.
SNMPv3 trap host configuration
To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with
authentication only, or without privacy or authentication. Use the following commands to configure the access table:
/c/sys/ssnmp/snmpv3/access <x>/level
/c/sys/ssnmp/snmpv3/tparam <x>.
It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by
SNMPv3.
The following example shows how to configure a SNMPv3 user v3trap with authentication only:
For more information on using SNMP, see the Command Reference Guide.
N8406-023 1Gb Intelligent L3 Switch Application Guide 15
>> Main# /cfg/sys/access/mgmt/add
Enter Management Network Address: 192.192.192.0
Enter Management Network Mask: 255.255.255.128
Secure access to the switch
Secure switch management is needed for environments that perform significant management functions across the
Internet. The following are some of the functions for secured management:
Limiting management users to a specific IP address range. See the ―Setting allowable source IP address
ranges‖ section in this chapter.
Authentication and authorization of remote administrators. See the ―RADIUS authentication and authorization‖
section or the ―TACACS+ authentication‖ section, both later in this chapter.
Encryption of management information exchanged between the remote administrator and the switch. See the
―Secure Shell and Secure Copy‖ section later in this chapter.
Setting allowable source IP address ranges
To limit access to the switch without having to configure filters for each switch port, you can set a source IP address
(or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the switch
browser-based interface (BBI).
When an IP packet reaches the application switch, the source IP address is checked against the range of
addresses defined by the management network and management mask. If the source IP address of the host or
hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a switch IP interface with a
source IP address outside this range is discarded.
Configuring an IP address range for the management network
Configure the management network IP address and mask from the System Menu in the CLI. For example:
In this example, the management network is set to 192.192.192.0 and management mask is set to
255.255.255.128. This defines the following range of allowed IP addresses: 192.192.192.1 to 192.192.192.127.
The following source IP addresses are granted or not granted access to the switch:
A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed to
access the switch.
A host with a source IP address of 192.192.192.192 falls outside the defined range and is not granted access.
To make this source IP address valid, you would need to shift the host to an IP address within the valid range
specified by the mnet and mmask or modify the mnet to be 192.192.192.128 and the mmask to be
255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the mnet and
mmask (192.192.192.128-255).
RADIUS authentication and authorization
The switch supports the Remote Authentication Dial-in User Service (RADIUS) method to authenticate and
authorize remote administrators for managing the switch. This method is based on a client/server model. The
Remote Access Server (RAS) — the switch — is a client to the back-end database server. A remote user (the
remote administrator) interacts only with the RAS, not the back-end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request For
Comments (RFC) 2138 and 2866
A centralized server that stores all the user authorization information
A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a
remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the
client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition,
the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end
RADIUS server.
N8406-023 1Gb Intelligent L3 Switch Application Guide 16
How RADIUS authentication works
>> Main# /cfg/sys/radius (Select the RADIUS Server menu)
>> RADIUS Server# on (Turn RADIUS on)
Current status: OFF
New status: ON
>> RADIUS Server# prisrv 10.10.1.1 (Enter primary server IP)
Current primary RADIUS server: 0.0.0.0
New pending primary RADIUS server: 10.10.1.1
>> RADIUS Server# secsrv 10.10.1.2 (Enter secondary server IP)
Current secondary RADIUS server: 0.0.0.0
New pending secondary RADIUS server: 10.10.1.2
>> RADIUS Server# secret
Enter new RADIUS secret: <1-32 character secret>
>> RADIUS Server# secret2
Enter new RADIUS second secret: <1-32 character secret>
CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the
secret may be transmitted over the network as clear text.
>> RADIUS Server# port
Current RADIUS port: 1645
Enter new RADIUS port [1500-3000]: <UDP port number>
>> RADIUS Server# retries
Current RADIUS server retries: 3
Enter new RADIUS server retries [1-3]:<server retries>
>> RADIUS Server# time
Current RADIUS server timeout: 3
Enter new RADIUS server timeout [1-10]: 10 (Enter the timeout period
in seconds)
RADIUS authentication works as follows:
1. A remote administrator connects to the switch and provides the user name and password.
2. Using Authentication/Authorization protocol, the switch sends the request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.
Configuring RADIUS on the switch (AOS CLI example)
To configure RADIUS on the switch, do the following:
1. Turn RADIUS authentication on, and then configure the Primary and Secondary RADIUS servers. For
example:
2. Configure the primary RADIUS secret and secondary RADIUS secret.
3. If desired, you may change the default User Datagram Protocol (UDP) port number used to listen to RADIUS.
4. The well-known port for RADIUS is 1645.
5. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.
6. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.
N8406-023 1Gb Intelligent L3 Switch Application Guide 17
>> RADIUS Server# apply
>> RADIUS Server# save
CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the
secret may be transmitted over the network as clear text.
Open
Select
Configuring RADIUS on the switch (BBI example)
1. Configure RADIUS parameters.
a. Click the Configure context button.
b. Open the System folder, and select Radius.
c. Enter the IP address of the primary and secondary RADIUS servers, and enter the RADIUS secret for
each server. Enable the RADIUS server.
d. Click Submit.
N8406-023 1Gb Intelligent L3 Switch Application Guide 18
2. Apply, verify, and save the configuration.
Table 2 User access levels
User account
Description and tasks performed
User
User interaction with the switch is completely passive; nothing can be changed on the switch.
Users may display information that has no security or privacy implications, such as switch
statistics and current operational state information.
Operator
Operators can only effect temporary changes on the switch. These changes are lost when
the switch is rebooted/reset. Operators have access to the switch management features
used for daily switch operations. Because any changes an operator makes are undone by a
reset of the switch, operators cannot severely impact switch operation, but do have access to
the Maintenance menu. By default, the operator account is disabled and has no password.
Administrator
Administrators are the only ones that can make permanent changes to the switch
configuration — changes that are persistent across a reboot/reset of the switch.
Administrators can access switch functions to configure and troubleshoot problems on the
switch level. Because administrators can also make temporary (operator-level) changes as
well, they must be aware of the interactions between temporary and permanent changes.
1. Apply
3. Save
2. Verify
RADIUS authentication features
The switch supports the following RADIUS authentication features:
Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
Allows RADIUS secret password up to 32 bytes.
Supports secondary authentication server so that when the primary authentication server is unreachable, the
switch can send client authentication requests to the secondary authentication server. Use the
/cfg/sys/radius/cur command to show the currently active RADIUS authentication server.
Supports user-configurable RADIUS server retry and time-out values:
Time-out value = 1-10 seconds
Retries = 1-3
The switch will time out if it does not receive a response from the RADIUS server in one to three retries. The
switch will also automatically retry connecting to the RADIUS server before it declares the server down.
Supports user-configurable RADIUS application port. The default is 1645/User Datagram Protocol (UDP)-
based on RFC 2138. Port 1812 is also supported.
Allows network administrator to define privileges for one or more specific users to access the switch at the
RADIUS user database.
Allows the administrator to configure RADIUS backdoor and secure backdoor for Telnet, SSH, HTTP, and
HTTPS access.
User accounts for RADIUS users
The user accounts listed in the following table can be defined in the RADIUS server dictionary file.
N8406-023 1Gb Intelligent L3 Switch Application Guide 19
Table 3 Proprietary attributes for RADIUS
User name/access
User service type
Value
User
Vendor-supplied
255
Operator
Vendor-supplied
252
NOTE: The user name and password can have a maximum length of 128 characters. The password
cannot be left blank.
RADIUS attributes for user privileges
When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is,
the client authentication request, to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the
remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access
through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor
access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. Only
when both the primary and secondary authentication servers are not reachable, the administrator has the option to
allow secure backdoor (secbd) access through the console port only, or through the console and
Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor
enabled, but not both at the same time. The default value for backdoor access through the console port only is
enabled. You always can access the switch via the console port, by using noradius and the administrator
password, whether backdoor/secure backdoor are enabled or not. The default value for backdoor and secure
backdoor access through Telnet/SSH/HTTP/HTTPS is disabled.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary.
RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary
is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege
levels.
TACACS+ authentication
The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems
TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client
and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the switch either through a data or management port.
TACACS+ offers the following advantages over RADIUS:
TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a
connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional
programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport,
but it lacks the level of built-in support that a TCP transport offers.
TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in authentication
requests.
TACACS+ separates authentication, authorization, and accounting.
How TACACS+ authentication works
TACACS+ works much in the same way as RADIUS authentication.
1. Remote administrator connects to the switch and provides user name and password.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative
access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to
determine if the user is granted permission to use a particular command.
TACACS+ authentication features
Authentication is the action of determining the identity of a user, and is generally done when the user first attempts
to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device.
PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password
authentication are not supported.
N8406-023 1Gb Intelligent L3 Switch Application Guide 20
Authorization
Table 4 Default TACACS+ privilege levels
User access level
TACACS+ level
user
0
oper 3 admin
6
Table 5 Alternate TACACS+ privilege levels
User access level
TACACS+ level
user
0—1
oper
6— 8
admin
14—15
NOTE: When using the browser-based Interface, the TACACS+ Accounting Stop records are sent only
if the Quit button on the browser is clicked.
Authorization is the action of determining a user‘s privileges on the device, and usually takes place after
authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access levels is
shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.
Alternate mapping between TACACS+ privilege levels and this switch management access levels is shown in the
table below. Use the command /cfg/sys/tacacs/cmap ena to use the alternate TACACS+ privilege levels.
You can customize the mapping between TACACS+ privilege levels and this switch management access levels.
Use the /cfg/sys/tacacs/usermap command to manually map each TACACS+ privilege level (0-15) to a
corresponding switch management access level (user, oper, admin, none).
If the remote user is authenticated by the authentication server, the switch verifies the privileges of the remote user
and authorizes the appropriate access. When both the primary and secondary authentication servers are not
reachable, the administrator has an option to allow backdoor access via the console only or console and Telnet
access. The default is disable for Telnet access and enable for console access. The administrator also can enable
secure backdoor (/cfg/sys/tacacs/secbd) to allow access if both the primary and secondary TACACS+ servers fail
to respond.
Accounting
Accounting is the action of recording a user‘s activities on the device for the purposes of billing and/or security. It
follows the authentication and authorization actions. If the authentication and authorization is not performed via
TACACS+, no TACACS+ accounting messages are sent out.
You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.
The switch supports the following TACACS+ accounting attributes:
protocol (console/telnet/ssh/http)
start_time
stop_time
elapsed_time
N8406-023 1Gb Intelligent L3 Switch Application Guide 21
>> Main# /cfg/sys/tacacs (Select the TACACS+ Server menu)
>> TACACS+ Server# on (Turn TACACS+ on)
Current status: OFF
New status: ON
>> TACACS+ Server# prisrv 10.10.1.1 (Enter primary server IP)
Current primary TACACS+ server: 0.0.0.0
New pending primary TACACS+ server: 10.10.1.1
>> TACACS+ Server# secsrv 10.10.1.2 (Enter secondary server IP)
Current secondary TACACS+ server: 0.0.0.0
New pending secondary TACACS+ server: 10.10.1.2
>> TACACS+ Server# secret
Enter new TACACS+ secret: <1-32 character secret>
>> TACACS+ Server# secret2
Enter new TACACS+ second secret: <1-32 character secret>
CAUTION: If you configure the TACACS+ secret using any method other than a direct console connection,
the secret may be transmitted over the network as clear text.
>> TACACS+ Server# port
Current TACACS+ port: 49
Enter new TACACS+ port [1-65000]: <TCP port number>
>> TACACS+ Server# retries
Current TACACS+ server retries: 3
Enter new TACACS+ server retries [1-3]: 2
>> TACACS+ Server# time
Current TACACS+ server timeout: 5
Enter new TACACS+ server timeout [4-15]: 10 (Enter the timeout period
in minutes)
>> TACACS+ Server# usermap 2
Current privilege mapping for remote privilege 2: not set
Enter new local privilege mapping: user
>> TACACS+ Server# usermap 3 user
>> TACACS+ Server# usermap 4 user
>> TACACS+ Server# usermap 5 oper
Configuring TACACS+ authentication on the switch (AOS CLI example)
1. Turn TACACS+ authentication on, then configure the Primary and Secondary TACACS+ servers.
2. Configure the TACACS+ secret and second secret.
3. If desired, you may change the default TCP port number used to listen to TACACS+. The well-known port for
TACACS+ is 49.
4. Configure the number retry attempts for contacting the TACACS+ server and the timeout period.
5. Configure custom privilege-level mapping (optional).
6. Apply and save the configuration.
N8406-023 1Gb Intelligent L3 Switch Application Guide 22
Configuring TACACS+ authentication on the switch (BBI example)
Open
Select
1. Configure TACACS+ authentication for the switch.
a. Click the Configure context button.
b. Open the System folder, and select Tacacs+.
c. Enter the IP address of the primary and secondary TACACS+ servers, and enter the TACACS+ secret.
Enable TACACS+.
d. Click Submit.
N8406-023 1Gb Intelligent L3 Switch Application Guide 23
1. Apply
3. Save
2. Verify
e. Configure custom privilege-level mapping (optional). Click Submit to accept each mapping change.
2. Apply, verify, and save the configuration.
N8406-023 1Gb Intelligent L3 Switch Application Guide 24
Secure Shell and Secure Copy
>> # /cfg/sys/sshd/on (Turn SSH on)
Current status: OFF
New status: ON
SSHD# apply (Apply the changes to start generating
RSA host and server keys)
RSA host key generation starts
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RSA host key generation completes (lasts 212549 ms)
RSA host key is being saved to Flash ROM, please don’t reboot the box
immediately.
RSA server key generation starts
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RSA server key generation completes (lasts 75503 ms)
RSA server key is being saved to Flash ROM, please don’t reboot the box
immediately.
------------------------------------------------------------------------Apply complete; don’t forget to “save” updated configuration.
NOTE: Secure Shell can be configured using the console port only. SSH menus do not display if you access
the switch using Telnet or the Browser-based Interface.
Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a
remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing
a switch does not provide a secure connection.
SSH is a protocol that enables remote administrators to log securely into the switch over a network to execute
management commands. By default, SSH is disabled (off) on the switch.
SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on
the network. On a switch, SCP is used to download and upload the switch configuration via secure channels. By
default, SCP is disabled on the switch.
The switch implementation of SSH is based on version 1.5 and version 2.0, and supports SSH clients from version
1.0 through version 2.0. Client software can use SSH version 1 or version 2. The following SSH clients are
supported:
SSH 3.0.1 for Linux (freeware)
SecureCRT® 4.1.8 (VanDyke Technologies, Inc.)
OpenSSH_3.9 for Linux (FC 3)
FedoraCore 3 for SCP commands
PuTTY Release 0.58 (Simon Tatham) for Windows
Configuring SSH and SCP features (AOS CLI example)
Before you can use SSH commands, use the following commands to turn on SSH and SCP.
Enabling or disabling SSH
To enable the SSH feature, connect to the switch CLI and enter the following commands:
N8406-023 1Gb Intelligent L3 Switch Application Guide 25
>> # /cfg/sys/sshd/ena (Enable SCP apply and save)
>> # /cfg/sys/sshd/dis (Disable SCP apply and save)
SSHD# apply (Apply the changes)
>> # /cfg/sys/sshd/scpadm
Changing SCP-only Administrator password; validation required. . .
Enter current administrator password: <password>
Enter new SCP-only administrator password: <new password>
Re-enter new SCP-only administrator password: <new password>
New SCP-only administrator password accepted.
IMPORTANT: The SCP-only administrator password must be different from the regular administrator
password.
ssh <user>@<switch IP address>
>> # ssh admin@205.178.15.157
scp <user>@<switch IP address>:getcfg <local filename>
>> # scp scpadmin@205.178.15.157:getcfg ad4.cfg
scp <local filename> <user>@<switch IP address>:putcfg
Enabling or disabling SCP apply and save
Enter the following commands from the switch CLI to enable the SCP putcfg_apply and putcfg_apply_save
commands:
Configuring the SCP administrator password
To configure the scpadmin (SCP administrator) password, first connect to the switch via the RS-232 management
console. For security reasons, the scpadmin password can be configured only when connected directly to the
switch console.
To configure the password, enter the following CLI command. At factory default settings, the current SCP
administrator password is admin.
Using SSH and SCP client commands
The following shows the format for using some client commands. The examples below use 205.178.15.157 as the
IP address of a sample switch.
Logging in to the switch
Enter the following command to log in to the switch:
For example:
Downloading configuration from the switch using SCP
Enter the following command to download the switch configuration using SCP. You will be prompted for a
password:
For example:
The switch prompts you for the scpadmin password.
Uploading configuration to the switch using SCP
Enter the following command to upload configuration to the switch. You will be prompted for a password.
N8406-023 1Gb Intelligent L3 Switch Application Guide 26
For example:
>> # scp ad4.cfg admin@205.178.15.157:putcfg
>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply
>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply_save
>> # scp ad4.cfg admin@205.178.15.157:putcfg_apply
>> # scp ad4.cfg admin@205.178.15.157:putcfg_apply_save
Applying and saving configuration
Enter the apply and save commands after the command above (scp ad4.cfg 205.178.15.157:putcfg), or use the
following commands. You will be prompted for a password.
For example:
Note the following:
The diff command is automatically executed at the end of putcfg to notify the remote client of the difference
between the new and the current configurations.
putcfg_apply runs the apply command after the putcfg is done.
putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done.
The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands
are usually required after a putcfg.
SSH and SCP encryption of management messages
The following encryption and authentication methods are supported for SSH and SCP:
Server Host Authentication — Client RSA authenticates the switch at the beginning of every connection
Key Exchange — RSA
Encryption — AES256-CBC, AES192-CBC, 3DES-CBC, 3DES, ARCFOUR
User Authentication — Local password authentication, RADIUS, TACACS+
N8406-023 1Gb Intelligent L3 Switch Application Guide 27
>> # /cfg/sys/sshd/hkeygen (Generates the host key)
>> # /cfg/sys/sshd/skeygen (Generates the server key)
>> # /cfg/sys/sshd/intrval <number of hours (0-24)>
Generating RSA host and server keys for SSH access
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024
bits and is used to identify the switch. The server key is 768 bits and is used to make it impossible to decipher a
captured session by breaking into the switch at a later time.
When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server
keys and is stored in the flash memory.
To configure RSA host and server keys, first connect to the switch console connection, and enter the following
commands to generate them manually:
These two commands take effect immediately without the need of an apply command.
When the switch reboots, it will retrieve the host and server keys from the flash memory. If these two keys are not
available in the flash memory and if the SSH server feature is enabled, the switch automatically generates them
during the system reboot. This process may take several minutes to complete.
The switch can also automatically regenerate the RSA server key. To set the interval of RSA server key
autogeneration, use the following command:
A value of 0 denotes that RSA server key autogeneration is disabled. When greater than 0, the switch will auto
generate the RSA server key every specified interval; however, RSA server key generation is skipped if the switch
is busy doing other key or cipher generation when the timer expires.
The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be
able to log in if the switch is performing key generation at that time, or if another client has logged in immediately
prior. Also, key generation will fail if an SSH/SCP client is logging in at that time.
SSH/SCP integration with RADIUS and TACACS+ authentication
SSH/SCP is integrated with RADIUS and TACACS+ authentication. After the RADIUS or TACACS+ server is
enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS or
TACACS+ servers for authentication. The redirection is transparent to the SSH clients.
N8406-023 1Gb Intelligent L3 Switch Application Guide 28
User access control
Table 6 User access levels
User account
Description
Password
admin
The Administrator has complete access to all menus, information, and
configuration commands on the switch, including the ability to change both the
user and administrator passwords.
admin
oper
The Operator manages all functions of the switch. The Operator can reset
ports or the entire switch.
oper
user
The User has no direct responsibility for switch management.
He/she can view all switch status information and statistics but
cannot make any configuration changes to the switch.
user
>> # /cfg/sys/access/user/uid 1
>> User ID 1 # name jane (Assign name “jane” to user ID 1)
Current user name:
New user name: jane
>> User ID 1 # cos <user|oper|admin>
>> # /cfg/sys/access/user/uid <#>/ena
The switch allows an administrator to define end user accounts that permit end users to perform limited actions on
the switch. Once end user accounts are configured and enabled, the switch requires username/password
authentication.
For example, an administrator can assign a user who can log into the switch and perform operational commands
(effective only until the next switch reboot).
The administrator defines access levels for each switch user, as shown in the following table.
Passwords can be up to 128 characters in length for TACACS+, Telnet, SSH, console, and BBI access. When
RADIUS authentication is used, the maximum password length is 16 characters.
If RADIUS authentication is used, the user password on the Radius server will override the user password on the
switch. Also note that the password-change command on the switch modifies only the ―use switch‖ password and
has no effect on the user password on the Radius server. RADIUS authentication and user password cannot be
used concurrently to access the switch.
Setting up user IDs
The administrator can configure up to 10 user accounts.
To configure an end-user account, perform the following steps:
1. Select a user ID to define.
2. Define the user name and password.
3. Define the user access level. By default, the end user is assigned to the user access level. To change the
user‘s access level, enter the user Class of Service (cos) command, and select one of the available options.
4. Enable the user ID.
Once an end user account is configured and enabled, the user can login to the switch using the
username/password combination. The level of switch access is determined by the user CoS for the account. The
CoS corresponds to the user access levels described in the User access levels table.
N8406-023 1Gb Intelligent L3 Switch Application Guide 29
NOTE: The actual mapping of switch ports to NIC interfaces is dependant on the operating system software,
the type of server blade, and the enclosure type. For more information, see the N8406-023 1Gb Intelligent L3
Switch User’s Guide.
Table 7 Ethernet switch port names
Port number
Port alias
1
Downlink1
2
Downlink2
3
Downlink3
4
Downlink4
5
Downlink5
6
Downlink6
7
Downlink7
8
Downlink8
9
Downlink9
10
Downlink10
11
Downlink11
12
Downlink12
13
Downlink13
14
Downlink14
15
Downlink15
16
Downlink16
17
XConnect1
18
XConnect2
19
Mgmt
20
Uplink1
21
Uplink2
22
Uplink3
23
Uplink4
24
Uplink5
Ports and trunking
Introduction
The first part of this chapter describes the different types of ports used on the switch. This information is useful in
understanding other applications described in this guide, from the context of the embedded switch/server
environment.
For specific information on how to configure ports for speed, auto-negotiation, and duplex modes, see the port
commands in the Command Reference Guide.
The second part of this chapter provides configuration background and examples for trunking multiple ports
together. Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunkcapable devices. A trunk group is a group of links that act together, combining their bandwidth to create a single,
larger virtual link. The switch provides trunking support for the five external ports, two crosslink ports, and 16 server
ports.
Ports on the switch
The following table describes the Ethernet ports of the switch, including the port name and function.
Port trunk groups
When using port trunk groups between two switches, you can create an aggregate link operating at up to five
Gigabits per second, depending on how many physical ports are combined. The switch supports up to 12 trunk
groups per switch, each with up to six ports per trunk group.
The trunking software detects broken trunk links (link down or disabled) and redirects traffic to other trunk members
within that trunk group. You can only use trunking if each link has the same configuration for speed, flow control,
and auto-negotiation.
N8406-023 1Gb Intelligent L3 Switch Application Guide 30
Loading...