In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein.
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
Neither party can bring an action, regardless of form, more than two years after the cause of the action arose. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. This License Agreement is governed by the laws of the country in which Customer acquires the Software.
Getting help from the Nortel Web site 14
Getting help through a Nortel distributor or reseller 14
Getting help over the phone from a Nortel Solutions Center 14
Getting help from a specialist by using an Express Routing Code 15
...
Default passwords 26
HTTP port number change 26
Simple Network Management Protocol 26
SNMP Version 1 (SNMPv1) 26
Nortel Ethernet Routing Switch 2500 Series support for SNMP 27
SNMP MIB support 27
SNMP trap support 28
Advanced EAPOL features 28
Non-EAP hosts on EAP-enabled ports 30
Configuring Security using the CLI ...
Management (NN47215-505) for Release 4.1. Features "Advanced Security features" (page changes.

Advanced Security features
The Nortel Ethernet Routing Switch 2500 Release 4.1 supports advanced EAPOL security features. For more information, see the following sections:
• "Advanced EAPOL features" (page 28)
• ...
Introduction
This guide provides information about configuring and managing security features on the Nortel Ethernet Routing Switch 2500 Series. This guide describes the features of the following Nortel switches:
• Nortel Ethernet Routing Switch 2526T
• Nortel Ethernet Routing Switch 2526T-PWR
• ...
<valid_route>, valid_route is one variable, and you substitute one value for it. Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007...
Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
Getting help from a specialist by using an Express Routing Code An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords.
Logging on
If you set a password, the next time you access the switch, you are prompted for a username and password (default usernames are RW and RO). Enter a valid username and password and press Enter. You are then directed to the CLI.
— MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security" (page ...)).
— The switch is located in a locked closet, accessible only by authorized Technical Services personnel.
• ...
The security feature logically locks each wall jack to the specified station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC into the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port.
The response can be to send a trap, turn on destination address (DA) filtering, disable a specific port, or any combination of these three options. The MAC address-based security feature is based on Nortel BaySecure LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.
EAPoL security feature and a new network connection:
• When the switch finds a new connection in one of its ports, the following occurs:
1. The switch asks for a User ID of the new client.
Any active VLAN can be made a Guest VLAN.

EAPOL Security Configuration
EAPOL security lets you selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server.
Do not enable EAPOL security on the switch port that is connected to the RADIUS server.

Password security
The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch and stack passwords.
For more information, see ...

Simple Network Management Protocol
The Nortel Ethernet Routing Switch 2500 Series supports Simple Network Management Protocol (SNMP). SNMP is traditionally used to monitor Unix systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases.
Nortel Ethernet Routing Switch 2500 Series support for SNMP The SNMP agent in the Nortel Ethernet Routing Switch 2500 Series supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.
The Nortel Ethernet Routing Switch 2500 Series supports both industry-standard SNMP traps, as well as private Nortel enterprise traps.

Advanced EAPOL features
EAPOL supports the following advanced features:
• ...
VLAN ID on the Radius server, the switch moves the port to the VLAN of the first authenticated client. In this way, a permanent bounce between different VLANs of the switch port is avoided.
• The username is the non-EAPOL MAC address in string format.
• The password is a string that combines the MAC address, switch IP address, unit, and port.
The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value configured for a port is 2. This translates to around 200 for a box and 800 for a stack.
Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch. The parameters are set for the standalone or stack environment depending on the current operational mode.
Specifies that you are modifying the read-only (ro) username or the read-write (rw) username. The ro/rw variable is optional. If it is omitted, the command applies to the read-only mode.
Telnet access
radius: use RADIUS authentication for serial console or Telnet access
Configuring the IP manager list When enabled, the IP manager list determines which source IP addresses are allowed access to the switch. No other source IP addresses have access to the switch. You configure the IP manager list by using the following commands: •...
SNMP, including the Device Manager
• web—disables list check for the Web-based management system
You can use the ipmgr command for source IP addresses to enter the source IP addresses or address ranges for which you want to provide access to the switch. The syntax for the ipmgr command for source IP addresses is: ipmgr {source-ip <1-10>...
IP address and mask for the specified entry to 255.255.255.255 and 255.255.255.255. When you omit the optional parameter, the list is reset to the factory defaults.
You can also access CLI through a Telnet session. To access CLI remotely, the management port must have an assigned IP address and remote access must be enabled. You can log on to the switch using Telnet from a terminal that has access to the Ethernet Routing Switch 2500 Series.
Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of five users on the switch. All users can configure simultaneously.
With the telnet-access command, you can configure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is: telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access |failures|all}] [source-ip <1-10>...
These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
Configuring SSH using the Command Line Interface
This section provides the commands for configuring and managing SSH on the Ethernet Routing Switch 2500 Series. The SSH protocol provides secure access to the CLI. By using the CLI, you can execute the following commands:
• ...
The switch starts generating the DSA host keys immediately after the ssh dsa-host-key command is given. A reboot is not necessary. You cannot enable SSH while the host key is being generated. This command can only be executed in SSH disable mode. The syntax of...
The ssh secure command enables the SSH server on the Ethernet Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet Routing Switch 2500 Series does not accept Web, SNMP, or Telnet connections. The syntax of the ssh secure command is: ssh secure The ssh secure command executed in the Global Configuration command...
<1-65535> ssh download-auth-key command The ssh download-auth-key command downloads the client public key from the TFTP server to the Ethernet Routing Switch 2500 Series. The syntax for the ssh download-auth-key is: ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name <file>] The ssh download-auth-key command is executed in the Global Configuration command mode.
Resets the port number for SSH connections to the default. Default is 22. Resets the timeout value for session authentication to the default. Default is 60.
<num> key <string> timeout <num> When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and confirm the string. The radius-server command is executed in the Global Configuration command mode.
Description: Enables or disables the SNMP server.
Description: Enables or disables the generation of authentication failure traps.
MIB objects, and stations with rw access can retrieve and modify MIB objects. If neither ro nor rw is specified, ro is assumed (default).
Description: Restores the read-only community to public, or the read/write community to private.
255 characters. Description: Specifies the SNMP sysLocation value. Enter a string of up to 255 characters.
255 characters. Description: Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
Enter the port numbers or all. If you omit this parameter, the system uses the port number specified with the interface command.
If you omit this parameter, the system uses the port number specified with the interface command. "Common SNMP and SNMPv3 CLI commands" (page 58).
[write-view <view-name>][notify-view <view-name>] The snmp-server user command is executed in the Global Configuration command mode. The sha and des parameters are available only if the switch image has full SHA/DES support. The command shows three sets of read/write/notify views. The first set specifies unauthenticated access.
Specifies the write view to which the new user has access:
• view-name — specifies the view name; enter an alphanumeric string of up to 255 characters.
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
For the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:
Description: Specifies the name of the view to be removed. If no view is specified, all views are removed.
—Specifies whether SNMPv3 traps can be authenticated.
• auth-priv—This parameter is only available if the image has full SHA/DES support.
Description: Enter the IP address of a trap destination host. Specifies the trap receivers in the SNMPv3 MIBs.
This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.
SNMP operations.
• view-name — specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
Description: Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.
Specifies a maximum security configuration that allows no access.
MAC address. Displays the BaySecure status of all ports. Displays the port membership of all security lists. Displays MAC DA filtering addresses.
Adds addresses to the MAC security address table. Adds or deletes MAC DA filtering addresses. Modifies security list port membership.
Description: Enter the MAC address in the form of H.H.H. Enter the port number or the security list number.
Enter a list or range of port numbers. Description: Enter the MAC address in the form of H.H.H.
Description: Enter the number of the security list that you want to clear.
MAC address learning is performed. Description: Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.
Auto - Port authorization status depends on the result of the EAP authentication
Force Authorized - Port is always authorized
Yes - Authorized
No - Unauthorized
Disables or enables EAPOL-based security. Description: Specifies the ports to configure for EAPOL; enter the port numbers you want to use.
Specifies a waiting period for a response from the supplicant for EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.
1-65535. Enter the number of times to retry sending packets to the supplicant. Description: Guest VLAN ID. Enable Guest VLAN.
Enables RADIUS authentication of non-EAP clients. Allows use of RADIUS-assigned VLAN value. Sets bits in RADIUS non-EAPOL password format.
Resets control of non-EAP clients (MAC addresses). Disables auto-authentication of non-EAP clients in MHSA mode. Disables RADIUS authentication of non-EAP clients.
EAPOL multihost settings. Enables RADIUS authentication of non-EAP clients. Allows use of RADIUS-assigned VLAN value. Allows non-EAPOL MAC address.
Disables RADIUS authentication of non-EAP clients. Disallows use of RADIUS-assigned VLAN value. Allows non-EAPOL MAC address. Specifies the maximum number of non-EAP authenticated MAC addresses allowed.
Enables RADIUS authentication of non-EAP clients. Allows use of RADIUS-assigned VLAN values. Resets the non-EAP MAC addresses to default.
MAC address of the allowed non-EAPOL host. Description: Displays EAPOL multihost port configuration. Displays allowed non-EAPOL MAC address. Displays EAPOL multihost port status.
This section describes how to configure non-EAPOL authentication. To configure support for non-EAPOL hosts on EAPOL-enabled ports, do the following: 1. Enable non-EAPOL support globally on the switch and locally (for the desired interface ports), using one or both of the following authentication methods: a.
Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports For local authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable local authentication of non-EAPOL hosts globally on the switch, use the following command in Global configuration mode:...
Enables RADIUS authentication on the desired interface or on a specific port, for non-EAPOL hosts.
1. The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port is lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
The display lists the ports and the associated allowed MAC addresses. Viewing current non-EAPOL host activity To view information about non-EAPOL hosts currently active on the switch, use the following command in Privileged EXEC, Global configuration, or Interface configuration mode: show eapol multihost non-eap-mac status [<portlist>]...
Global configuration mode: eapol multihost auto-non-eap-mhsa-enable To discontinue support for MHSA globally on the switch, use one of the following commands in Global configuration mode: no eapol multihost auto-non-eap-mhsa-enable default eapol multihost auto-non-eap-mhsa-enable Configuring interface and port settings for MHSA To configure MHSA...
Configuring Security using Device Manager
You can set the security features for a switch so that when a violation occurs the right actions are performed by the software. The security actions that you specify are applied to all ports of the switch.
MAC address of the unauthorized station. Traps are sent to trap receivers.
Current number of entries of the Security listed in the SecurityList tab. Maximum entries of the Security listed in the SecurityList tab. —End—
An index of the security list. This corresponds to the SecurityList field in the AuthConfig tab. The set of ports that are currently members in the Port list. —End—
Security port list that can be used as an index into the AuthConfig tab. The set of ports that are currently members in the Port list. —End—
The corresponding MAC Address of this entry is allowed or blocked on all ports of this port list.
The index of MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.
If the port is disabled, notApplicable is returned.
• If the port is in a normal state, portSecure is returned.
• If the port is partitioned, portPartition is returned.
Indicates the SSH connection timeout in seconds. Indicates the SSH key action. Enables or disables the SSH DSA authentication. Enables or disables the SSH RSA authentication.
Indicates the SSH public keys that are set to initiate a TFTP download. Indicates the retrieved value of the TFTP transfer. —End—
It is used when the user is changing the SharedSecret(Key) field. The user usually needs to enter the string twice to confirm the value already entered in SharedSecret(Key).
From the shortcut menu, choose Edit. From the Device Manager main menu, choose Edit > Port. From the toolbar, click Edit.
(see the preceding field description). Displays the current EAPOL authorization status for the port:
• authorized
• unauthorized
The protocol version number carried in the most recently received EAPOL frame. The source MAC address carried in the most recently received EAPOL frame.
Single Authentication (MHSA) on the port. Enables or disables non-EAPOL RADIUS authentication on the port. Enables or disables multihost RADIUS-assigned VLANs on the port.
The current state of the authenticator PAE state machine. The current state of the Backend Authentication state machine. The value used to reauthenticate the EAPOL client. —End—
The elapsed time of the session. The cause of the session termination. The username representing the identity of the supplicant PAE. —End—
The MAC address of the client.
The Insert Allowed non-EAP MAC screen appears. The following figure illustrates this tab.
Figure 32 Insert Allowed non-EAP MAC screen
Allowed non-EAP MAC tab.
• radiusPending: the MAC address is awaiting authentication by a RADIUS server
• radiusAuthenticated: the MAC address was authenticated by a RADIUS server
—End— From the Device Manager main menu, choose Graph > Port. From the shortcut menu, choose Graph. On the toolbar, click Graph.
The number of EAPOL Req/Id frames that are transmitted by this authenticator. The number of EAP frames (other than Req/Id frames) that are transmitted by this authenticator.
From the Device Manager main menu, choose Graph > Port. From the shortcut menu, choose Graph. On the toolbar, click Graph.
Counts the number of times that the state machine transitions from authenticating to authenticated, as a result of the Backend Authentication state machine indicating a successful authentication of the Supplicant.
Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication server. Indicates that the Authentication Server has communication with the Authenticator.
Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.
The maximum number of trap receiver entries. The current number of trap receiver entries. The next trap receiver entry to be created.
(see the following Community field description in this table). The address (or DNS hostname) for the trap receiver. Community string used for trap messages to this trap receiver.
The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.
The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badValue.
SNMP. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is genErr.
CAUTION By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.
A message, if configured, is authenticated with the help of a one-way hash function that is associated with an individual user ID. In the Ethernet Routing Switch 2500 Series, a user can be configured to use the HMAC-MD5-96 or the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages.
Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power. Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007...
Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power. Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007...
Defines a set of users that can be referenced by a single group name. Associates a group with Read, Write, and Notify views. Defines a set of MIB subtrees or objects. Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007 describes the...
If the entry is stored in volatile memory, it does not persist if the switch loses power. (Figure 42 "VACM dialog, Group" (page 153)).
The name of the MIB View to which the user is assigned read access. The name of the MIB View to which the user is assigned write access.
The community string for which a row in this table represents a configuration. The security name assigned to this entry in the Community table. The range is 1 to 32 characters.
Specifies the type of message to send to a management target: trap or inform.
The default is 1500 milliseconds. Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.
If the entry is stored in volatile memory, it does not persist if the switch loses power. Table 78 "Notify Table dialog box fields" (page 166).
Specifies the Message Processing model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security name for generating SNMP messages.
A name or index value for this row in the table. A single tag value that is used to associate this entry with an entry in the Target Address Table.
This section describes the steps you use to build and manage security by using the Web-based management interface. When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more...
Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page.
Primary RADIUS server: Type a Primary Radius server IP address in the appropriate format (XXX.XXX.XXX.XXX).
Secondary RADIUS server: Type a Secondary Radius server IP address in the appropriate format (XXX.XXX.XXX.XXX).
Further settings on this page have the ranges Integer 1..60 and 1..16.
You can specify a list of up to 448 MAC SAs that are authorized to access the switch. You can also specify the ports that each MAC SA is allowed to access. The options for allowed MAC SA port access include: NONE, ALL, and single or multiple ports that are specified...
Ensure that you do not enter the MAC address of the switch on which you are working. After configuring the switch for MAC address-based security, you must enable the ports you want by using the Port Configuration page.
Forever: The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses. You must manually reenable the port.
(a maximum of 448 MAC addresses are allowed). Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses). (1) Enabled: enables learning. (2) Disabled.
Lets you create a port list that you can use as an Allowed Source in the Security Table screen. Displays which ports are associated with each list.
Port List View, Learn by Ports page
a. Click the ports through which you want the switch to learn MAC addresses.
b. If you want that port to no longer learn MAC addresses, click the
c. Click Submit.
In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row.
Figure 62 Security Table page
By using this page, you instruct the switch to allow the specified MAC address access only through the specified port or port list. The following table describes the items on the Security Table page.
Allowed Source: Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source...
Lists each port on the unit (range 1 to 52). Displays the MultiLink Trunk to which the port belongs (Blank, 1 to 6). (1) Enabled (2) Disabled.
(Figure 61 "Port List View, Port List..." (page 181)), click the checkmark of a port that you want to (Figure 64 "Port Configuration" (page 185)), click Disabled to remove that port from the
Address (X:XX): To drop all packets to and from a specified MAC Destination Address (DA). (page 186) with the new DA listed in the (page 186).
Configuring SNMPv1
Read-Only Community String (1..32): Type a character string to identify the community string for the SNMPv1 read-only community, for example, public or private.
Read-Write Community String (1..32): The default value is private.
Authentication Trap ((1) Enabled, (2) Disabled): Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs.
AutoTopology ((1) Enabled, (2) Disabled).
The SNMP dialect that the engine recognizes. The dialects are: SNMPv1, SNMPv2c, and SNMPv3.
SNMP engine or otherwise unavailable. The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.
The total number of packets dropped by the SNMP engine because they could not be decrypted.
Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.
(lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
Security model: (3) USM. Security name (1..32): Type a string of characters to create a security name for the principal that is mapped by this entry to a group name. Storage: (1) Volatile (2) Non-Volatile. (page 197).
Click Cancel to return to the Group Membership page without making changes. "Configuring user access to SNMPv3" (page 193).
(1..32, 1..32, 1..32) (1) Volatile (2) Non-Volatile. Choose the minimum level of security required to gain the access rights allowed to the group.
Click Yes to delete the group access configuration. Click Cancel to return to the Group Access Rights page without making changes. (Figure 70 "Group Access...
Deletes the row. Type a character string to create a name for a family of view subtrees. (0..16); (1) Include (2) Exclude; (1) Volatile (2) Non-Volatile.
Click Yes to delete the management information view configuration. Click Cancel to return to the table without making changes. (page 203).
(2) Inform; (1) Volatile (2) Non-Volatile. ("Notification page"). Type a value to use to select entries in the snmpTargetAddrTable.
Deletes the row. Type a character string to create a target name (1..32). Further fields: Integer 0..255; 1..20; (1) Volatile (2) Non-Volatile.
Click Yes to delete the target address configuration. Click Cancel to return to the table without making changes.
(lost) when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power. ("Target Parameter page" (page 211)).
(0..32). Deletes the row. Click Yes to delete the SNMP trap receiver configuration. Click Cancel to return to the table without making changes.
Appendix A SNMP MIB support The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard MIBs, as well as private MIB extensions, which ensures compatibility with existing network management tools. The switch supports the MIB-II (RFC 1213), Bridge MIB (RFC 1493), and the RMON MIB (RFC 1757), which provide access to detailed management statistics.
Always on. Sent when the link state changes to up on a port. (page 219).
Name field 166
New User Name field 152
no eapol guest-vlan command 93
no ipmgr command 41, 42
no mac-security command 84
Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management NN47215-505 (323165-B) 02.01 Standard 4.1 19 November 2007
Sourced in Canada, India, and the United States of America The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrants.