Nortel 2526T Configuration

Ethernet routing switch 2500 series

Nortel Ethernet Routing Switch 2500 Series
Security — Configuration and Management
NN47215-505 (323165-B)

Summary of Contents for Nortel 2526T

  • Page 1 Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management NN47215-505 (323165-B)
  • Page 2: Restricted Rights Legend

    In the interest of improving internal design, operational function, and/or reliability, Nortel Networks reserves the right to make changes to the products described in this document without notice. Nortel Networks does not assume any liability that can occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
  • Page 4 Neither party can bring an action, regardless of form, more than two years after the cause of the action arose. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. This License Agreement is governed by the laws of the country in which Customer acquires the Software.
  • Page 5: Table Of Contents

    Getting help from the Nortel Web site 14 Getting help through a Nortel distributor or reseller 14 Getting help over the phone from a Nortel Solutions Center 14 Getting help from a specialist by using an Express Routing Code 15...
  • Page 6 Default passwords 26 HTTP port number change 26 Simple Network Management Protocol 26 SNMP Version 1 (SNMPv1) 26 Nortel Ethernet Routing Switch 2500 Series support for SNMP 27 SNMP MIB support 27 SNMP trap support 28 Advanced EAPOL features 28 Non-EAP hosts on EAP-enabled ports 30 Configuring Security using the CLI...
  • Page 7: Contents

    Configuring an SNMPv3 management target parameter 211 Configuring an SNMP trap receiver 213 Index...
  • Page 9: New In This Release

    Management (NN47215-505) for Release 4.1. Features "Advanced Security features" (page changes. Advanced Security features The Nortel Ethernet Routing Switch 2500 Release 4.1 supports advanced EAPOL security features. For more information, see the following sections: • "Advanced EAPOL features" (page 28) •...
  • Page 11: Introduction

    Introduction This guide provides information about configuring and managing security features on the Nortel Ethernet Routing Switch 2500 Series. This guide describes the features of the following Nortel switches: • Nortel Ethernet Routing Switch 2526T • Nortel Ethernet Routing Switch 2526T-PWR •...
  • Page 12 <valid_route>, valid_route is one variable, and you substitute one value for it. Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters...
  • Page 13: Related Publications

    Nortel Ethernet Routing Switch 2500 Series Performance Management — System Monitoring (NN47215-502) Describes how to configure system logging and network monitoring, and how to display system statistics for the Nortel Ethernet Routing Switch 2500 Series. Shows menu paths.
  • Page 14: How To Get Help

    Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 15: Getting Help From A Specialist By Using An Express Routing Code

    Getting help from a specialist by using an Express Routing Code An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
  • Page 17: Using Security In Your Network

    For more information, refer to <x-refs> If you set a password, the next time you log on to the switch, you are prompted to enter a valid username. Therefore, ensure you are aware of the valid usernames (default RW and RO) before you change passwords.
  • Page 18: Logging On

    Logging on If you set a password, the next time you access the switch, you are prompted for a username and password as shown in the (default usernames are RW and RO). Enter a valid username and password and press Enter. You are then directed to the CLI.
  • Page 19 — MAC address-based security is used to allow up to 448 authorized stations (MAC addresses) access to one or more switch ports (see "MAC address-based security" (page — The switch is located in a locked closet, accessible only by authorized Technical Services personnel. •...
  • Page 20: RADIUS-Based Network Security

    The security feature logically locks each wall jack to the specified station and prevents unauthorized access to the switch if someone attempts to connect a personal laptop PC into the wall jack. The printer is assigned as a single station and is allowed full bandwidth on that switch port.
  • Page 21: MAC Address-Based Security

    The response can be to send a trap, turn on destination address (DA) filtering, disable a specific port, or any combination of these three options. The MAC address-based security feature is based on Nortel BaySecure LAN Access for Ethernet, a real-time security system that safeguards Ethernet networks from unauthorized surveillance and intrusion.
  • Page 22 EAPoL security feature and a new network connection: • When the switch finds a new connection in one of its ports, the following occurs: 1. The switch asks for a User ID of the new client.
  • Page 23: EAPOL With Guest VLAN

    Any active VLAN can be made a Guest VLAN. EAPOL Security Configuration EAPOL security lets you selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server.
  • Page 24: Password Security

    Do not enable EAPOL security on the switch port that is connected to the RADIUS server. Password security The Ethernet Routing Switch 2500 Series supports the password security feature that provides enhanced security for switch and stack passwords.
  • Page 25: Password Aging Time

    Current passwords remain valid. • Password history bank is removed. • Password verification is disabled...
  • Page 26: Default Passwords

    For more information, see Simple Network Management Protocol The Nortel Ethernet Routing Switch 2500 Series supports Simple Network Management Protocol (SNMP). SNMP is traditionally used to monitor Unix systems, Windows systems, printers, modem racks, switches, routers, power supplies, Web servers, and databases.
  • Page 27: Nortel Ethernet Routing Switch 2500 Series Support For SNMP

    Nortel Ethernet Routing Switch 2500 Series support for SNMP The SNMP agent in the Nortel Ethernet Routing Switch 2500 Series supports SNMPv1, SNMPv2c, and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities.
  • Page 28: SNMP Trap Support

    The Nortel Ethernet Routing Switch 2500 Series supports both industry-standard SNMP traps, as well as private Nortel enterprise traps. Advanced EAPOL features EAPOL supports the following advanced features: •...
  • Page 29 first authenticated EAP MAC...
  • Page 30: Non-EAP Hosts On EAP-Enabled Ports

    VLAN ID on the Radius server, the switch moves the port to the VLAN of the first authenticated client. In this way, a permanent bounce between different VLANs of the switch port is avoided.
  • Page 31 After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped...
  • Page 32 • The username is the non-EAPOL MAC address in string format. • The password is a string that combines the MAC address, switch IP address, unit, and port.
  • Page 33 • This feature uses enterprise-specific MIBs...
  • Page 34 The maximum value for the maximum number of non-EAPOL hosts allowed on an MHSA-enabled port is 32. However, Nortel expects that the usual maximum value configured for a port is 2. This translates to around 200 for a box and 800 for a stack.
  • Page 35: Configuring Security Using The CLI

    Telnet, and Web-based management. This command supports only one read-only and one read-write user on the switch. The parameters are set for the standalone or stack environment depending on the current operational mode.
  • Page 36 Specifies that you are modifying the read-only (ro) username or the read-write (rw) username. The ro/rw variable is optional. If it is omitted, the command applies to the read-only mode...
  • Page 37: Setting Password Security

    Telnet access radius use RADIUS authentication for serial console or Telnet access...
  • Page 38 If a new aging time is set from the CLI, the password aging counters are not reset...
  • Page 39: Configuring The IP Manager List

    Configuring the IP manager list When enabled, the IP manager list determines which source IP addresses are allowed access to the switch. No other source IP addresses have access to the switch. You configure the IP manager list by using the following commands: •...
  • Page 40 Description Enables IP manager list checking for access to various management systems: • telnet— provides list access using Telnet access...
  • Page 41 SNMP, including the Device Manager • web— disables list check for the Web-based management system...
  • Page 42 You can use the ipmgr command for source IP addresses to enter the source IP addresses or address ranges for which you want to provide access to the switch. The syntax for the ipmgr command for source IP addresses is: ipmgr {source-ip <1-10>...
  • Page 43: Changing The HTTP Port Number

    IP address and mask for the specified entry to 255.255.255.255 and 255.255.255.255. When you omit the optional parameter, the list is reset to the factory defaults...
  • Page 44: Setting Telnet Access

    You can also access CLI through a Telnet session. To access CLI remotely, the management port must have an assigned IP address and remote access must be enabled. You can log on to the switch using Telnet from a terminal that has access to the Ethernet Routing Switch 2500 Series.
  • Page 45 Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four plus one at the serial port for a total of five users on the switch. All users can configure simultaneously.
  • Page 46 With the telnet-access command, you can configure the Telnet connection that is used to manage the switch. The syntax for the telnet-access command is: telnet-access [enable|disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none|access|failures|all}] [source-ip <1-10>...
  • Page 47 These are the same source IP addresses as in the IP Manager list. For more information on the IP Manager list, see "Configuring the IP manager list" (page 39).
  • Page 48: Configuring Secure Shell (SSH)

    This section provides the Configuring SSH using the Command Line Interface commands for configuring and managing SSH on the Ethernet Routing Switch 2500 Series. The SSH protocol provides secure access to the CLI. By using the CLI, you can execute the following commands: •...
  • Page 49 Figure 6 show ssh global command output...
  • Page 50 Figure 8 show ssh download-auth-key command output...
  • Page 51 The switch starts generating the DSA host keys immediately after the ssh dsa-host-key command is given. A reboot is not necessary. You cannot enable SSH while the host key is being generated. This command can only be executed in SSH disable mode. The syntax of...
  • Page 52 The ssh secure command enables the SSH server on the Ethernet Routing Switch 2500 Series in secure mode. In secure mode, the Ethernet Routing Switch 2500 Series does not accept Web, SNMP, or Telnet connections. The syntax of the ssh secure command is: ssh secure The ssh secure command is executed in the Global Configuration command...
  • Page 53 Table 11 "ssh port command parameters and variables" (page 54) describes the parameters and variables for the ssh port command...
  • Page 54 <1-65535> ssh download-auth-key command The ssh download-auth-key command downloads the client public key from the TFTP server to the Ethernet Routing Switch 2500 Series. The syntax for the ssh download-auth-key is: ssh download-auth-key [address <XXX.XXX.XXX.XXX>] [key-name <file>] The ssh download-auth-key command is executed in the Global Configuration command mode.
  • Page 55: Setting Server For Web-Based Management

    Resets the port number for SSH connections to the default. Default is 22. Resets the timeout value for session authentication to the default. Default is 60...
  • Page 56: Configuring The RADIUS-Based Management Password Authentication

    Figure 9 "show radius-server command output" (page 57) shows sample output from the show radius-server command. Description Enables or disables the Web server.
  • Page 57 <num> key <string> timeout <num> When password security is enabled, you must omit the <string> variable from the command line and end the command immediately after key. The switch then prompts you to enter and confirm the string. The radius-server command is executed in the Global Configuration command mode.
  • Page 58: Setting SNMP Parameters

    SNMP and SNMPv3. For details about the SNMP CLI commands that are specific to SNMPv3, see "CLI commands specific to SNMPv3" (page 69).
  • Page 59 The switch provides the following CLI commands to configure SNMP and SNMPv3: • "snmp-server command" (page 59) • "no snmp-server command" (page 60) • "snmp-server authentication-trap command" (page 60) • "no snmp-server authentication-trap command" (page 61) • "default snmp-server authentication-trap command" (page 61) •...
  • Page 60 Description Enables or disables the SNMP server. Description Enables or disables the generation of authentication failure traps.
  • Page 62 MIB objects, and stations with rw access can retrieve and modify MIB objects. If neither ro nor rw is specified, ro is assumed (default).
  • Page 63 Description Restores the read-only community to public, or the read/write community to private.
  • Page 64 Description Specifies the SNMP sysContact value; enter an alphanumeric string.
  • Page 65 255 characters. Description Specifies the SNMP sysLocation value. Enter a string of up to 255 characters.
  • Page 66 Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
  • Page 67 255 characters. Description Specifies the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
  • Page 68 Enter the port numbers or all. If you omit this parameter, the system uses the port number specified with the interface command.
  • Page 69: CLI Commands Specific To SNMPv3

    If you omit this parameter, the system uses the port number specified with the interface command. "Common SNMP and SNMPv3 CLI commands" (page 58).
  • Page 70 [write-view <view-name>][notify-view <view-name>] The snmp-server user command is executed in the Global Configuration command mode. The sha and des parameters are available only if the switch image has full SHA/DES support. The command shows three sets of read/write/notify views. The first set specifies unauthenticated access.
  • Page 71 Specifies the write view to which the new user has access: • view-name — specifies the view name; enter an alphanumeric string of up to 255 characters.
  • Page 72 This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new password.
  • Page 73 For the dotted form, a subidentifier can be an asterisk (*), which indicates a wildcard. Some examples of valid OID parameters are as follows:
  • Page 74 Description Specifies the name of the view to be removed. If no view is specified, all views are removed.
  • Page 75 Specifies whether SNMPv3 traps can be authenticated. • auth-priv—This parameter is only available if the image has full SHA/DES support.
  • Page 76 Description Enter the IP address of a trap destination host. Specifies the trap receivers in the SNMPv3 MIBs.
  • Page 77 This parameter is not available when Password Security is enabled, in which case the switch prompts you to enter and confirm the new community string.
  • Page 78 SNMP operations. • view-name — specifies the name of the view that is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
  • Page 79 Description Specifies a minimum security configuration that allows read access to everything using noAuthNoPriv, and write access to everything using authNoPriv.
  • Page 80: Securing Your Network

    Specifies a maximum security configuration that allows no access...
  • Page 81 MAC address. Displays the BaySecure status of all ports. Displays the port membership of all security lists. Displays MAC DA filtering addresses.
  • Page 82 Adds addresses to the MAC security address table. Adds or deletes MAC DA filtering addresses. Modifies security list port membership.
  • Page 83 Description Enter the MAC address in the form of H.H.H. Enter the port number or the security list number.
  • Page 84 Enter a list or range of port numbers. Description Enter the MAC address in the form of H.H.H.
  • Page 85 Description Enter the number of the security list that you want to clear.
  • Page 86 MAC address learning is performed Description Add or delete the specified MAC address; enter the MAC address in the form of H.H.H.
  • Page 87: Configuring EAPOL-Based Security

    Figure 11 "show eapol command output" (page 88) displays sample output from the show eapol command.
  • Page 88 Auto - Port authorization status depends on the result of the EAP authentication Force Authorized - Port is always authorized Yes - Authorized No - Unauthorized
  • Page 89 Figure 12 "show eapol auth-diags interface command output" (page ...) displays sample output from the show eapol auth-diags interface command.
  • Page 90 Figure 13 show eapol auth-stats interface command output
  • Page 91 Disables or enables EAPOL-based security. Description Specifies the ports to configure for EAPOL; enter the port numbers you want to use.
  • Page 92 Specifies a waiting period for response from supplicant for EAP Request/Identity packets. Enter the number of seconds that you want to wait; the range is 1-65535.
  • Page 93 1-65535. Enter the number of times to retry sending packets to supplicant. Description Guest VLAN ID. Enable Guest VLAN.
  • Page 94: Configuring Advanced EAPOL Features

    Multiple Host with Single Authentication (MHSA) (see "Configuring MultiHost Single-Authentication (MHSA)" (page 95))...
  • Page 95: Nortel Ethernet Routing Switch 2500 Series

    Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Sets bits in RADIUS non-EAPOL password format Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007 Securing your network 95 describes the...
  • Page 96: Nortel Ethernet Routing Switch 2500 Series

    Resets control of non-EAP clients (MAC addresses) Disables auto-authentication of non-EAP clients in MHSA mode Disables Radius authentication of non-EAP clients Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007 describes the parameters and describes the parameters...
  • Page 97: Nortel Ethernet Routing Switch 2500 Series

    EAPOL multihost settings Enables Radius authentication of non-EAP clients Allows use of Radius-assigned VLAN value Allows non-EAPoL MAC address Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007 Securing your network 97 describes the...
  • Page 98: Nortel Ethernet Routing Switch 2500 Series

    Disables Radius authentication of non-EAP clients Disallows use of Radius-assigned VLAN value Allows non-EAPoL MAC address Specifies the maximum number of non-EAP authenticated MAC addresses allowed Nortel Ethernet Routing Switch 2500 Series Security — Configuration and Management 4.1 19 November 2007 describes the...
  • Page 99: Nortel Ethernet Routing Switch 2500 Series

    • Enables RADIUS authentication of non-EAP clients.
    • Allows use of RADIUS-assigned VLAN values.
    • Resets the non-EAP MAC addresses to the default.
  • Page 100: Nortel Ethernet Routing Switch 2500 Series

    MAC address of the allowed non-EAPOL host.
    Description:
    • Displays the EAPOL multihost port configuration.
    • Displays the allowed non-EAPOL MAC addresses.
    • Displays the EAPOL multihost port status.
    The following displays sample output...
  • Page 101: Nortel Ethernet Routing Switch 2500 Series

    This command is executed in Privileged EXEC, Global Configuration, and Interface Configuration mode.
    Description: List of ports.
  • Page 102: Nortel Ethernet Routing Switch 2500 Series

    This section describes how to configure non-EAPOL authentication. To configure support for non-EAPOL hosts on EAPOL-enabled ports, do the following:
    1. Enable non-EAPOL support globally on the switch and locally (for the desired interface ports), using one or both of the following authentication methods:
    a. ...
  • Page 103: Nortel Ethernet Routing Switch 2500 Series

    Enabling local authentication of non-EAPOL hosts on EAPOL-enabled ports
    For local authentication of non-EAPOL hosts on EAPOL-enabled ports, you must enable the feature globally on the switch and locally for ports on the interface. To enable local authentication of non-EAPOL hosts globally on the switch, use the following command in Global Configuration mode:...
  • Page 104: Nortel Ethernet Routing Switch 2500 Series

    Enables RADIUS authentication on the desired interface or on a specific port for non-EAPOL hosts. The following table describes the parameters and variables for the eapol Interface Configuration mode command.
  • Page 105: Nortel Ethernet Routing Switch 2500 Series

    1. The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
  • Page 106: Nortel Ethernet Routing Switch 2500 Series

    "Viewing global settings for non-EAPOL hosts" (page 106)
    "Viewing port settings for non-EAPOL hosts" (page 107)
    "Viewing allowed ..."
    "Viewing current ..."
  • Page 107: Nortel Ethernet Routing Switch 2500 Series

    The display lists the ports and the associated allowed MAC addresses.
    Viewing current non-EAPOL host activity
    To view information about non-EAPOL hosts currently active on the switch, use the following command in Privileged EXEC, Global Configuration, or Interface Configuration mode:
    show eapol multihost non-eap-mac status [<portlist>]...
  • Page 108: Nortel Ethernet Routing Switch 2500 Series

    Global Configuration mode:
    eapol multihost auto-non-eap-mhsa-enable
    To discontinue support for MHSA globally on the switch, use one of the following commands in Global Configuration mode:
    no eapol multihost auto-non-eap-mhsa-enable
    default eapol multihost auto-non-eap-mhsa-enable
    Configuring interface and port settings for MHSA
    To configure MHSA...
  • Page 109: Nortel Ethernet Routing Switch 2500 Series

    The configurable maximum number of non-EAPOL clients for each port is 32, but Nortel expects that the usual maximum allowed for each port will be lower. Nortel expects that the combined maximum will be approximately 200 for each box and 800 for a stack.
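    The non-EAPOL admission rules from the preceding pages (the allowed non-EAP MAC list, RADIUS MAC authentication, MHSA auto-authentication behind one authenticated EAP supplicant, and the 32-per-port ceiling) as a small Python model. This is an added example, not Nortel code and not the switch's own logic: the port attribute names only loosely mirror the CLI keywords, the RADIUS lookup is a stand-in callback, and every status string other than radiusPending and radiusAuthenticated (the two the Device Manager tab lists) is an assumed name, as is the rule that MHSA takes precedence over the other two methods.

```python
"""Admission of non-EAPOL hosts on an EAPOL-enabled port: allowed-MAC list,
RADIUS MAC authentication, MHSA, and the per-port ceiling.  Added example,
not Nortel code; status names other than radiusPending and
radiusAuthenticated are assumed, as is the precedence of MHSA."""
from dataclasses import dataclass, field

NON_EAP_MAC_MAX = 32        # configurable per-port maximum quoted in the manual


@dataclass
class EapPort:
    allow_non_eap: bool = False         # local allowed-MAC list enabled
    radius_non_eap: bool = False        # RADIUS authentication of non-EAP MACs
    mhsa: bool = False                  # MHSA auto-authentication enabled
    non_eap_mac_max: int = NON_EAP_MAC_MAX
    allowed_macs: set = field(default_factory=set)      # configured non-EAP MACs
    eap_authorized: bool = False        # an EAP supplicant has passed 802.1X
    non_eap_hosts: dict = field(default_factory=dict)   # mac -> status

    def __post_init__(self):
        if not 1 <= self.non_eap_mac_max <= NON_EAP_MAC_MAX:
            raise ValueError("non-eap-mac-max must be 1..%d" % NON_EAP_MAC_MAX)
        self.allowed_macs = {m.lower() for m in self.allowed_macs}


def admit_non_eap(port: EapPort, mac: str, radius_lookup=None) -> str:
    """Decide how a new non-EAPOL source MAC is handled and record it.
    radius_lookup(mac) -> bool stands in for the RADIUS round trip; when it
    is None the host is left in radiusPending."""
    mac = mac.lower()
    if mac in port.non_eap_hosts:                  # already known on this port
        return port.non_eap_hosts[mac]
    if len(port.non_eap_hosts) >= port.non_eap_mac_max:
        return "rejected:limit"                    # per-port ceiling reached
    if port.mhsa:
        # MHSA: hosts ride on the single authenticated EAP supplicant; with no
        # authorised supplicant yet, nothing else is admitted (assumed rule).
        status = "mhsaAuthenticated" if port.eap_authorized else "rejected"
    elif port.allow_non_eap and mac in port.allowed_macs:
        status = "locallyAllowed"                  # assumed name
    elif port.radius_non_eap:
        if radius_lookup is None:
            status = "radiusPending"
        else:
            status = "radiusAuthenticated" if radius_lookup(mac) else "rejected:radius"
    else:
        status = "rejected"
    if not status.startswith("rejected"):
        port.non_eap_hosts[mac] = status
    return status
```

    The ceiling is checked before any method is consulted, so a port that has reached its maximum refuses even a MAC on the local allowed list; raise non_eap_mac_max (up to 32) or clear stale entries rather than disabling the check.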
  • Page 110: Nortel Ethernet Routing Switch 2500 Series

    Configuring Security using Device Manager
    You can set the security features for a switch so that when a violation occurs the right actions are performed by the software. The security actions that you specify are applied to all ports of the switch.
  • Page 111: Nortel Ethernet Routing Switch 2500 Series

    The General tab appears. The following figure displays the General tab.
  • Page 112: Nortel Ethernet Routing Switch 2500 Series

    Table 51 "General tab fields" (page 112) describes the General tab fields.
    Table 51 General tab fields
    Field: AuthSecurityLock. Description: If this parameter is listed as locked, the agent refuses all requests to modify the security configuration.
    Field: AuthCtlPartTime.
    Field: SSecurityStatus.
    —End—
  • Page 113: Nortel Ethernet Routing Switch 2500 Series

    MAC address of the unauthorized station. Traps are sent to trap receivers.
  • Page 114: Nortel Ethernet Routing Switch 2500 Series

    Current number of entries listed in the SecurityList tab. Maximum number of entries listed in the SecurityList tab. —End— The following table describes the SecurityList tab...
  • Page 115: Nortel Ethernet Routing Switch 2500 Series

    An index of the security list. This corresponds to the SecurityList field in the AuthConfig tab. The set of ports that are currently members of the port list. —End—
  • Page 116: Nortel Ethernet Routing Switch 2500 Series

    Security port list that can be used as an index into the AuthConfig tab. The set of ports that are currently members of the port list. —End— The following table describes the AuthConfig tab fields.
  • Page 117: Nortel Ethernet Routing Switch 2500 Series

    The corresponding MAC address of this entry is allowed or blocked on all ports of this port list.
  • Page 118: Nortel Ethernet Routing Switch 2500 Series

    The corresponding MAC address of this entry is allowed or blocked on all ports of this port list.
  • Page 119: Nortel Ethernet Routing Switch 2500 Series

    The AuthStatus tab appears. The following figure displays the AuthStatus tab.
  • Page 120: Nortel Ethernet Routing Switch 2500 Series

    The index of the MAC address on the port. This corresponds to the index of the MAC address on the port if the index is greater than zero.
  • Page 121: Nortel Ethernet Routing Switch 2500 Series

    • If the port is disabled, notApplicable is returned.
    • If the port is in a normal state, portSecure is returned.
    • If the port is partitioned, portPartition is returned.
  • Page 122: Nortel Ethernet Routing Switch 2500 Series

    To view the SSH tab, use the following procedure:
    Step Action
    From the Device Manager menu bar, select Edit > Security.
    —End—
  • Page 123: Nn47215-505 (323165-B) 02.01 Standard

    • Indicates the SSH connection timeout in seconds.
    • Indicates the SSH key action.
    • Enables or disables SSH DSA authentication.
    • Enables or disables SSH RSA authentication.
  • Page 124: Nortel Ethernet Routing Switch 2500 Series

    Indicates the SSH public keys that are set to initiate a TFTP download. Indicates the retrieved value of the TFTP transfer. —End— The following table describes the SSH Sessions tab fields.
  • Page 125: Nortel Ethernet Routing Switch 2500 Series

    Description: Lists the currently active SSH sessions.
    —End—
    "Radius Server tab" (page 125) illustrates the Radius Server tab. The following table describes the Radius Server...
  • Page 126: Nortel Ethernet Routing Switch 2500 Series

    Used when the user changes the SharedSecret(Key) field. The user must enter the string twice to confirm the value entered in SharedSecret(Key).
    ATTENTION...
  • Page 127: Nortel Ethernet Routing Switch 2500 Series

    • From the shortcut menu, choose Edit.
    • From the Device Manager main menu, choose Edit > Port.
    • From the toolbar, click Edit.
  • Page 128: Nortel Ethernet Routing Switch 2500 Series

    (see the preceding field description). Displays the current EAPOL authorization status for the port:
    • authorized
    • unauthorized
    The following table describes the EAPOL tab fields...
  • Page 129: Nortel Ethernet Routing Switch 2500 Series

    The protocol version number carried in the most recently received EAPOL frame. The source MAC address carried in the most recently received EAPOL frame.
  • Page 130: Nortel Ethernet Routing Switch 2500 Series

    ATTENTION ...
    • From the shortcut menu, choose Edit.
    • From the Device Manager main menu, choose Edit > Port.
    • On the toolbar, click Edit.
  • Page 131: Nortel Ethernet Routing Switch 2500 Series

    Single Authentication (MHSA) on the port. Enables or disables non-EAPOL RADIUS authentication on the port. Enables or disables multihost RADIUS-assigned VLANs on the port.
  • Page 132: Nortel Ethernet Routing Switch 2500 Series

    The current state of the authenticator PAE state machine. The current state of the Backend Authentication state machine. The value used to reauthenticate the EAPOL client. —End—
  • Page 133: Nortel Ethernet Routing Switch 2500 Series

    The elapsed time of the session. The cause of the session termination. The username representing the identity of the supplicant PAE. —End—
  • Page 134: Nortel Ethernet Routing Switch 2500 Series

    The MAC address of the client to add to the list. The Insert Allowed non-EAP MAC screen appears. The following figure illustrates this screen.
    Figure 32 Insert Allowed non-EAP MAC screen
    Allowed non-EAP MAC tab.
  • Page 135: Nortel Ethernet Routing Switch 2500 Series

    • radiusPending: the MAC address is awaiting authentication by a RADIUS server
    • radiusAuthenticated: the MAC address was authenticated by a RADIUS server
  • Page 136: Nortel Ethernet Routing Switch 2500 Series

    —End—
    • From the Device Manager main menu, choose Graph > Port.
    • From the shortcut menu, choose Graph.
    • On the toolbar, click Graph.
  • Page 137: Nortel Ethernet Routing Switch 2500 Series

    The number of EAPOL Req/Id frames that are transmitted by this authenticator. The number of EAP Request frames (other than Req/Id frames) that are transmitted by this authenticator.
  • Page 138: Nortel Ethernet Routing Switch 2500 Series

    • From the Device Manager main menu, choose Graph > Port.
    • From the shortcut menu, choose Graph.
    • On the toolbar, click Graph.
  • Page 139: Nortel Ethernet Routing Switch 2500 Series

    Counts the number of times that the state machine transitions from authenticating to authenticated, as a result of the Backend Authentication state machine indicating a successful authentication of the Supplicant.
  • Page 140: Nortel Ethernet Routing Switch 2500 Series

    Counts the number of times that the state machine receives an initial Access-Challenge packet from the Authentication server. Indicates that the Authentication Server has communication with the Authenticator.
  • Page 141: Nortel Ethernet Routing Switch 2500 Series

    Counts the number of times that the state machine receives an EAP-Failure message from the Authentication Server. Indicates that the Supplicant has not authenticated to the Authentication Server.
  • Page 142: Nortel Ethernet Routing Switch 2500 Series

    The maximum number of trap receiver entries. The current number of trap receiver entries. The next trap receiver entry to be created.
  • Page 143: Nortel Ethernet Routing Switch 2500 Series

    (see the following Community field description in this table). The address (or DNS hostname) for the trap receiver. Community string used for trap messages to this trap receiver.
  • Page 144: Nortel Ethernet Routing Switch 2500 Series

    The Graph Chassis dialog box appears with the SNMP tab displayed. Click the SNMP tab.
    —End—
    —End—
  • Page 145: Nortel Ethernet Routing Switch 2500 Series

    The total number of SNMP Set-Request PDUs that are accepted and processed by the SNMP protocol. The total number of SNMP Get-Response PDUs that are accepted and processed by the SNMP protocol.
  • Page 146: Nortel Ethernet Routing Switch 2500 Series

    The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is badValue.
  • Page 147: Nortel Ethernet Routing Switch 2500 Series

    SNMP. The total number of SNMP PDUs delivered to the SNMP protocol for which the value of the error-status field is genErr.
  • Page 148: Nortel Ethernet Routing Switch 2500 Series

    CAUTION By default, the CLI and Web interface are not password protected. Nortel strongly recommends that after you set up an SNMPv3 user, you change or delete all factory default settings that can allow an unauthorized person to log on to your device.
  • Page 149: Nortel Ethernet Routing Switch 2500 Series

    When authentication is configured, each message is authenticated with a keyed one-way hash function (HMAC) whose key is associated with an individual user ID. In the Ethernet Routing Switch 2500 Series, a user can be configured to use the HMAC-MD5-96 or the HMAC-SHA-96 algorithm for the authentication of SNMPv3 messages.
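    The key handling behind that sentence, as an added Python example rather than anything from the manual or the switch firmware: the RFC 3414 password-to-key step, localization of the key to the agent's SNMP engine ID (so a key captured for one switch does not authenticate on another), and the HMAC-MD5-96 / HMAC-SHA-96 tag, which is the first 96 bits of the HMAC. The password and engine ID are the RFC 3414 Appendix A test values; the message bytes are constructed for illustration and are not a real SNMPv3 encoding.

```python
"""SNMPv3 USM authentication (RFC 3414): password-to-key, key localization
to an engine ID, and HMAC-MD5-96 / HMAC-SHA-96 tags.  Added example, not
Nortel code; the message bytes below are constructed for illustration."""
import hashlib
import hmac

# Algorithm names as the switch presents them (HMAC-MD5-96, HMAC-SHA-96).
DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1}
TAG_LEN = 12  # "-96": the tag is the first 96 bits of the HMAC output


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the password repeated -> Ku."""
    total = 1_048_576
    block = (password * (total // len(password) + 1))[:total]
    return DIGESTS[algo](block).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).  Each agent gets its
    own localized key, so a key taken from one engine is useless elsewhere."""
    return DIGESTS[algo](ku + engine_id + ku).digest()


def auth_tag(kul: bytes, wire_msg: bytes, algo: str) -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters set to
    12 zero bytes; the caller passes the message in that zeroed form."""
    return hmac.new(kul, wire_msg, DIGESTS[algo]).digest()[:TAG_LEN]


def verify_tag(kul: bytes, wire_msg: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison of the received tag against a fresh one."""
    return hmac.compare_digest(auth_tag(kul, wire_msg, algo), tag)


# RFC 3414 Appendix A test values (password and 12-byte engine ID).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo(algo: str = "md5") -> dict:
    """Derive keys, tag a constructed message, then show that a tampered
    message and a key localized to another engine both fail."""
    ku = password_to_key(RFC_PASSWORD, algo)
    kul = localize_key(ku, RFC_ENGINE_ID, algo)
    # Constructed stand-in for an SNMPv3 message; not a real BER encoding.
    msg = b"\x30\x2c\x02\x01\x03" + b"<constructed SNMPv3 header and PDU>"
    zeroed = msg + b"\x00" * TAG_LEN          # authParams field zeroed
    tag = auth_tag(kul, zeroed, algo)
    other_engine_key = localize_key(ku, bytes.fromhex("0000000000000000000000ff"), algo)
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "tag_len": len(tag),
        "verifies": verify_tag(kul, zeroed, tag, algo),
        "tampered": verify_tag(kul, zeroed.replace(b"PDU", b"PDX"), tag, algo),
        "other_engine": verify_tag(other_engine_key, zeroed, tag, algo),
    }


if __name__ == "__main__":
    for name in DIGESTS:
        print(name, demo(name))
```

    Both algorithms are kept for parity with the switch's options; MD5 is retained here only because the platform offers it, and HMAC-SHA-96 is the one to select where the manager supports it.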
  • Page 150: Nortel Ethernet Routing Switch 2500 Series

    Specifies whether the table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
  • Page 151: Nortel Ethernet Routing Switch 2500 Series

    fields. This is optional but recommended.
    ATTENTION
  • Page 152: Nortel Ethernet Routing Switch 2500 Series

    Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
  • Page 153: Nortel Ethernet Routing Switch 2500 Series

    • Defines a set of users that can be referenced by a single group name.
    • Associates a group with Read, Write, and Notify views.
    • Defines a set of MIB subtrees or objects.
  • Page 154: Nortel Ethernet Routing Switch 2500 Series

    If the entry is stored in volatile memory, it does not persist if the switch loses power. —End— (Figure 42 "VACM dialog, Group ..." (page 153)).
  • Page 155: Nortel Ethernet Routing Switch 2500 Series

    The name of the MIB View to which the user is assigned read access. The name of the MIB View to which the user is assigned write access.
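    How the Group Membership, Group Access Right and MIB View tables combine into one access decision, as an added Python example (not Nortel code and not the agent's implementation): a VACM check in the spirit of RFC 3415, with views built from include/exclude subtree families, a mask that wildcards one sub-identifier, and a group-access table keyed by security model and minimum security level. All user, group and view names are constructed; the OIDs are the standard system group, ifTable and snmpUsmMIB.

```python
"""VACM access check (RFC 3415 style): user -> group, group -> views,
view -> include/exclude MIB subtree families.  Added example, not Nortel code."""
from dataclasses import dataclass

NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3   # security levels, ordered


@dataclass(frozen=True)
class Family:
    subtree: tuple            # OID prefix, e.g. (1, 3, 6, 1, 2, 1, 1) = system
    include: bool = True      # included in or excluded from the view
    mask: tuple = ()          # per sub-identifier: 1 = must match, 0 = wildcard;
                              # positions beyond the mask length are treated as 1


def family_matches(fam: Family, oid: tuple) -> bool:
    """True if oid lies under fam.subtree, honouring wildcard mask bits."""
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        must_match = fam.mask[i] if i < len(fam.mask) else 1
        if must_match and oid[i] != sub:
            return False
    return True


def oid_in_view(view: list, oid: tuple) -> bool:
    """The most specific matching family (longest subtree, then lexically
    greatest) decides, so an excluded subtree overrides a broader include."""
    best = None
    for fam in view:
        if family_matches(fam, oid):
            rank = (len(fam.subtree), fam.subtree)
            if best is None or rank > best[0]:
                best = (rank, fam)
    return best is not None and best[1].include


# Constructed views (MIB View tab): name -> families
VIEWS = {
    "all": [Family((1, 3, 6, 1))],
    # everything except the USM user table (snmpUsmMIB = 1.3.6.1.6.3.15)
    "no-usm": [Family((1, 3, 6, 1)),
               Family((1, 3, 6, 1, 6, 3, 15), include=False)],
    # the system group plus every column of ifTable row 3 (ifEntry.*.3)
    "sys-if3": [Family((1, 3, 6, 1, 2, 1, 1)),
                Family((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3),
                       mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1))],
}
# Group Access tab: (group, security model, minimum level) -> view per operation
ACCESS = {
    ("admins", "usm", AUTH_PRIV):       {"read": "all", "write": "all", "notify": "all"},
    ("ops", "usm", AUTH_NOPRIV):        {"read": "no-usm", "write": None, "notify": "no-usm"},
    ("monitors", "v2c", NOAUTH_NOPRIV): {"read": "sys-if3", "write": None, "notify": None},
}
# Group Membership tab: (security name, security model) -> group
GROUPS = {("alice", "usm"): "admins", ("bob", "usm"): "ops", ("public", "v2c"): "monitors"}
OP_VIEW = {"get": "read", "getnext": "read", "getbulk": "read",
           "set": "write", "trap": "notify", "inform": "notify"}


def check_access(sec_name, sec_model, sec_level, op, oid) -> bool:
    """isAccessAllowed: map the principal to a group, take the group's access
    entry whose minimum level the request meets, then test the OID in the view."""
    group = GROUPS.get((sec_name, sec_model))
    if group is None:
        return False
    usable = [(lvl, views) for (g, m, lvl), views in ACCESS.items()
              if g == group and m == sec_model and lvl <= sec_level]
    if not usable:
        return False                      # request below the group's minimum level
    views = max(usable, key=lambda e: e[0])[1]
    view_name = views.get(OP_VIEW[op])
    return view_name is not None and oid_in_view(VIEWS[view_name], oid)
```

    The exclude family is the practical point: a read-only operations group can be given the whole tree while the USM user table stays invisible, and a write view of None denies every Set regardless of what the read view allows.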
  • Page 156: Nortel Ethernet Routing Switch 2500 Series

    Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
  • Page 157: Nortel Ethernet Routing Switch 2500 Series

    MIB View tab fields —End— (Figure 42 "VACM dialog, Group ..." (page 153)).
  • Page 158: Nortel Ethernet Routing Switch 2500 Series

    The following figure displays the VACM, Insert MIB View dialog box.
    Figure 46 VACM, Insert MIB View dialog box
    Description: Creates a new entry with this group name.
  • Page 159: Nortel Ethernet Routing Switch 2500 Series

    The following figure displays the Community Table, Insert Community Table dialog box. —End—
  • Page 160: Nortel Ethernet Routing Switch 2500 Series

    The community string for which a row in this table represents a configuration. The security name assigned to this entry in the Community table. The range is 1 to 32 characters. The following table describes the Community...
  • Page 161: Nortel Ethernet Routing Switch 2500 Series

    Specifies the type of message to send to a management target: trap or inform.
  • Page 162: Nortel Ethernet Routing Switch 2500 Series

    The default is 1500 milliseconds. Specifies the number of times this device can resend messages to this management target if initial messages are not acknowledged. The default is 3.
  • Page 163: Nortel Ethernet Routing Switch 2500 Series

    If the entry is stored in volatile memory, it does not persist if the switch loses power. Table 78 "Notify Table dialog box fields" (page 166).
  • Page 164: Nortel Ethernet Routing Switch 2500 Series

    The Target Table, Insert Target Params Table dialog box appears. The following figure displays the Target Table, Insert Target Params Table dialog box. —End—
  • Page 165: Nortel Ethernet Routing Switch 2500 Series

    Specifies the Message Processing model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security model: SNMPv1, SNMPv2c, or SNMPv3/USM. Specifies the security name for generating SNMP messages. The following table describes the Target Params...
  • Page 166: Nortel Ethernet Routing Switch 2500 Series

    A name or index value for this row in the table. A single tag value that is used to associate this entry with an entry in the Target Address Table.
  • Page 167: Nortel Ethernet Routing Switch 2500 Series

    Specifies whether this table entry (row) will be stored in volatile or nonvolatile memory. If the entry is stored in volatile memory, it does not persist if the switch loses power.
    ATTENTION...
  • Page 168: Nortel Ethernet Routing Switch 2500 Series

    —End—
  • Page 169: Configuring Security Using Web-Based Management

    This section describes the steps you use to build and manage security by using the Web-based management interface. When you install the switch, Nortel recommends that you set the initial system usernames and passwords by using the Command Line Interface. For more...
  • Page 170: Nortel Ethernet Routing Switch 2500 Series

    Figure 55 Console password setting page
    The following table describes the items on the Console page.
    ATTENTION
  • Page 171: Nortel Ethernet Routing Switch 2500 Series

    Item: Password Type. Range: Console, Stack, None. Description: Displays the switch password types. ATTENTION: The default is None.
    Item: Read-Only Stack Password. Range: 1..15.
    Item: Read-Write Stack Password. Range: 1..15.
  • Page 172: Configuring Radius Dial-In Access Security

    Sets a password for remote dial-up. If you select this password type, you must also set up RADIUS authentication from the Radius management page. —End—
  • Page 173: Accessing The Management Interface

    Setting / Range / Description:
    XXX.XXX.XXX.XXX: Type a Primary Radius server IP address in the appropriate format.
    XXX.XXX.XXX.XXX: Type a Secondary Radius server IP address in the appropriate format.
    Remaining ranges on this page: Integer, 1..60, 1..16.
    —End—
  • Page 174: Nortel Ethernet Routing Switch 2500 Series

    For information about modifying existing system usernames, see "Setting the username and password" (page 35).
    Figure 58 System Information Page
    ATTENTION
  • Page 175: Configuring Mac Address-Based Security

    You can specify a list of up to 448 MAC SAs that are authorized to access the switch. You can also specify the ports that each MAC SA is allowed to access. The options for allowed MAC SA port access include: NONE, ALL, and single or multiple ports that are specified...
  • Page 176: Configuring Mac Address-Based Security

    Ensure that you do not enter the MAC address of the switch on which you are working. After configuring the switch for MAC address-based security, you must enable the ports you want by using the Port Configuration page.
  • Page 177: Nortel Ethernet Routing Switch 2500 Series

    Forever— The port is disabled and remains disabled (partitioned) until reset. The port does not reset after the Partition Time elapses. You must manually reenable the port.
  • Page 178: Nortel Ethernet Routing Switch 2500 Series

    (a maximum of 448 MAC addresses are allowed). Displays all the ports that learn incoming MAC addresses to detect intrusions (unallowed MAC addresses). (1) Enabled: enables learning. (2) Disabled. —End—
    ATTENTION...
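    The Security Table behaviour described on these pages as an added Python model (not Nortel code): an allowed-MAC table capped at 448 entries, per-port security enablement and learning, and partitioning of a port on an unallowed source MAC for a Partition Time or Forever, with a trap that records the intruder's MAC address. The port numbers and MAC addresses are constructed; ALL as an Allowed Source value is modelled as a string sentinel and the return strings of ingress() are this model's own.

```python
"""MAC address-based port security as the Security Table / Port Configuration
pages describe it.  Added example, not Nortel code."""
from dataclasses import dataclass, field

MAX_ENTRIES = 448          # size of the allowed MAC SA table on this platform
ALL = "ALL"                # Allowed Source value meaning "any port"
FOREVER = None             # Partition Time meaning "until manually reset"


@dataclass
class MacSecurity:
    partition_time: float = 60.0                       # seconds, or FOREVER
    allowed: dict = field(default_factory=dict)        # mac -> frozenset(ports) | ALL
    secure_ports: set = field(default_factory=set)     # ports with security enabled
    learning_ports: set = field(default_factory=set)   # ports in Learn By Ports
    partitioned: dict = field(default_factory=dict)    # port -> seconds left | FOREVER
    traps: list = field(default_factory=list)          # (port, intruder MAC)

    def allow(self, mac: str, ports) -> None:
        """Add or update a Security Table row; ports is a set or ALL."""
        mac = mac.lower()
        if mac not in self.allowed and len(self.allowed) >= MAX_ENTRIES:
            raise ValueError("MAC security table full (%d entries)" % MAX_ENTRIES)
        self.allowed[mac] = ALL if ports == ALL else frozenset(ports)

    def _permitted(self, mac: str, port: int) -> bool:
        src = self.allowed.get(mac)
        return src == ALL or (src is not None and port in src)

    def port_status(self, port: int) -> str:
        """Values as the AuthStatus tab reports them."""
        if port not in self.secure_ports:
            return "notApplicable"
        return "portPartition" if port in self.partitioned else "portSecure"

    def ingress(self, port: int, src_mac: str) -> str:
        """Handle one frame arriving on port from src_mac."""
        mac = src_mac.lower()
        if port not in self.secure_ports:
            return "forward"                 # security not enabled on this port
        if port in self.partitioned:
            return "drop"                    # port is disabled (partitioned)
        if self._permitted(mac, port):
            return "forward"
        if port in self.learning_ports:      # learning adds the MAC for this port
            prev = self.allowed.get(mac)
            self.allow(mac, ALL if prev == ALL else (prev or frozenset()) | {port})
            return "learned"
        # Intrusion: partition the port and send a trap naming the station.
        self.partitioned[port] = self.partition_time
        self.traps.append((port, mac))
        return "partition"

    def tick(self, seconds: float) -> None:
        """Advance time; timed partitions expire, Forever ones never do."""
        for port, left in list(self.partitioned.items()):
            if left is FOREVER:
                continue
            if left - seconds <= 0:
                del self.partitioned[port]
            else:
                self.partitioned[port] = left - seconds

    def reset_port(self, port: int) -> None:
        """Manual re-enable, the only way out of a Forever partition."""
        self.partitioned.pop(port, None)
```

    Note what learning does to the threat model: a port left in learning mode admits the first MAC it sees and writes it into the 448-entry table, so learning belongs to the provisioning window only and should be disabled before the port is exposed.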
  • Page 179: Configuring Ports

    The following table describes the items on the Port Lists page.
  • Page 180: Nortel Ethernet Routing Switch 2500 Series

    Lets you create a port list that you can use as an Allowed Source in the Security Table screen. Displays which ports are associated with each list.
  • Page 181: Adding Mac Addresses

    Port List View, Learn by Ports page
    a. Click the ports through which you want the switch to learn MAC addresses.
    b. If you want that port to no longer learn MAC addresses, click the ...
    c. Click Submit.
    In the MAC Security Table section, choose Enabled in the Current Learning Mode column of the Learn By Ports row.
  • Page 182: Nortel Ethernet Routing Switch 2500 Series

    Figure 62 Security Table page
    By using this page, you instruct the switch to allow the specified MAC address access only through the specified port or port list. The following table describes the items on the Security Table page.
  • Page 183: Clearing Ports

    Allowed Source. Description: Lets you specify the ports that each MAC address is allowed to access. The options for the Allowed Source...
    ATTENTION
    —End—
  • Page 184: Enabling Security On Ports

    > Port Configuration. The Port Configuration page appears. The following figure displays the Port Configuration page.
    ATTENTION
    —End—
  • Page 185: Nortel Ethernet Routing Switch 2500 Series

    Range 1 to 52: Lists each port on the unit.
    Range Blank, 1 to 6: Displays the MultiLink Trunk to which the port belongs.
    (1) Enabled, (2) Disabled.
    —End—
  • Page 186: Deleting Ports

    On the Port List View, Port List page (Figure 61 "Port List View, Port List ..." (page 181)), click the checkmark of a port that you want to ... On the Port Configuration page (Figure 64 "Port Configuration" (page 185)), click Disabled to remove that port from the ...
  • Page 187: Deleting Mac Das

    MAC Address (X:XX...). Description: To drop all packets to and from a specified MAC Destination Address (DA).
    ATTENTION ... (page 186), with the new DA listed in the ... (page 186). —End—
  • Page 188: About Snmp

    Click Yes to delete the target parameter configuration. Click Cancel to return to the table without making changes. —End—
  • Page 189: Nortel Ethernet Routing Switch 2500 Series

    Read-Only Community String (1..32): Type a character string to identify the community string for the SNMPv1 read-only community, for example, public or private.
    Read-Write Community String (1..32).
  • Page 190: Configuring Snmpv3

    Read-Write Community String: The default value is private.
    Authentication Trap: (1) Enabled, (2) Disabled. Choose to enable or disable the authentication trap, which sends a trap when an SNMP authentication failure occurs.
    Autotopology: (1) Enabled, (2) Disabled.
    —End—
  • Page 191: Nortel Ethernet Routing Switch 2500 Series

    The SNMP dialect that the engine recognizes. The dialects are: SNMPv1, SNMPv2c, and SNMPv3.
  • Page 192: Nortel Ethernet Routing Switch 2500 Series

    SNMP engine or otherwise unavailable. The total number of packets dropped by the SNMP engine because they appeared outside of the authoritative SNMP window of the engine.
    ATTENTION...
  • Page 193: Configuring User Access To Snmpv3

    The total number of packets dropped by the SNMP engine because they could not be decrypted.
  • Page 194: Nortel Ethernet Routing Switch 2500 Series

    Indicates whether the message sent on behalf of this user to/from the SNMP engine identified by the UserEngineID can be authenticated by the MD5 authentication protocol.
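    The MD5 authentication referred to here is the USM HMAC-MD5-96 protocol of RFC 3414: the user's password is never sent; it is stretched and hashed into a key (Ku) and then localized with the authoritative engine's snmpEngineID (the UserEngineID above), so the key that is valid on one switch is useless on another. The Python below is an added example, not code from the manual or from Nortel; it implements that derivation and the 96-bit authentication tag and checks itself against the "maplesyrup" test vector of RFC 3414 Appendix A. The engine ID used is the RFC's test value, not a real switch's, and the function names are the example's own.

```python
# Added example (not from the Nortel manual): SNMPv3 USM key derivation
# (RFC 3414 A.2 / A.3) and the HMAC-96 authentication tag (RFC 3414 6.3 / 7.3).
import hashlib
import hmac

# Test vector from RFC 3414 Appendix A, not a real device's engine ID.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = b"maplesyrup"


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to exactly 1,048,576 bytes and hash it (Ku)."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.3: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_key_for(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localized authentication key (authKey) for a user on the given authoritative engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: first 12 octets of HMAC(Kul, msg with that 12-octet field zeroed)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth_tag(kul: bytes, whole_msg: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver side (RFC 3414 7.3.2): recompute and compare in constant time."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, hash_name), tag)


if __name__ == "__main__":
    kul = auth_key_for(RFC3414_PASSWORD, RFC3414_ENGINE_ID)
    print("localized MD5 key:", kul.hex())   # 526f5eed9fcce26f8964c2930787d82b per RFC 3414 A.3.1
    # Same password, different engine: a different key, so a key recovered from
    # one switch does not authenticate to the next one.
    other = auth_key_for(RFC3414_PASSWORD, bytes.fromhex("000000000000000000000003"))
    print("other engine     :", other.hex())
```

    The same two functions with hash_name="sha1" give the SHA authentication key; privacy keys are derived the same way and then truncated to the cipher's key length.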
  • Page 195: Nortel Ethernet Routing Switch 2500 Series

    Storage Type: Volatile entries are kept in memory only and are lost when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power.
  • Page 196: Configuring An Snmpv3 System User Group Membership

    Click Yes to delete the SNMPv3 user configuration. Click Cancel to return to the User Specification page (page 194) without making changes.
  • Page 197: Nortel Ethernet Routing Switch 2500 Series

    Group Membership page items
    Item and MIB association | Range | Description
    Delete | | Deletes the row.
  • Page 198: Nortel Ethernet Routing Switch 2500 Series

    Security Model | ... (3) USM |
    Security Name | 1..32 | Type a string of characters to create a security name for the principal that is mapped by this entry to a group name.
    Storage Type | (1) Volatile (2) Non-Volatile |
    (Group Membership page items, page 197)
  • Page 199: Configuring Snmpv3 Group Access Rights

    Click Cancel to return to the Group Membership page without making changes. ATTENTION: see "Configuring user access to SNMPv3" (page 193).
  • Page 200: Nortel Ethernet Routing Switch 2500 Series

    Group Access Rights page items
    Item | Range | Description
    Delete | | Deletes the row.
    Group Name | 1..32 | Type a character string to specify the group name to which access is granted.
    Security Model | (1) SNMPv1 (2) SNMPv2c (3) USM |
  • Page 201: Nortel Ethernet Routing Switch 2500 Series

    Security Level | | Choose the minimum level of security required to gain the access rights allowed to the group.
    Read View | 1..32 |
    Write View | 1..32 |
    Notify View | 1..32 |
    Storage Type | (1) Volatile (2) Non-Volatile |
  • Page 202: Configuring An Snmpv3 Management Information View

    Click Yes to delete the group access configuration. Click Cancel to return to the Group Access Rights page without making changes (Figure 70 "Group Access ...").
  • Page 203: Nortel Ethernet Routing Switch 2500 Series

    Management Information View page: The following table describes the fields on the Management Information View page.
  • Page 204: Nortel Ethernet Routing Switch 2500 Series

    Item | Range | Description
    Delete | | Deletes the row.
    View Name | | Type a character string to create a name for a family of view subtrees.
    View Subtree | |
    View Mask | (0..16) |
    View Type | (1) Include (2) Exclude |
    Storage Type | (1) Volatile (2) Non-Volatile |
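    A view family is the VACM mechanism (RFC 3415) behind the View Subtree, View Mask and View Type items: each row names a subtree, a mask saying which sub-identifiers must match (a zero bit is a wildcard, and bits beyond the mask count as one), and whether matching OIDs are included or excluded; when several rows match, the row with the most sub-identifiers wins, ties going to the lexicographically greater subtree. The Python below is an added example, not code from the manual or from Nortel, of that evaluation rule. It is applied to a constructed read-only view that grants the whole internet subtree but excludes the USM and VACM MIBs, so a monitoring user cannot read its own user table or the access-control configuration, and to a masked row that exposes a single interface row. Names such as ViewEntry and oid_in_view are the example's own.

```python
# Added example (not from the Nortel manual): evaluating SNMPv3 VACM view
# families (RFC 3415 vacmViewTreeFamilyTable) the way the agent does when it
# decides whether an OID is visible through a group's read/write/notify view.
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


def oid(dotted: str) -> Tuple[int, ...]:
    return tuple(int(a) for a in dotted.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]   # vacmViewTreeFamilySubtree
    mask: bytes                # vacmViewTreeFamilyMask, 0..16 octets, MSB of octet 0 = first arc
    included: bool             # vacmViewTreeFamilyType: included(1) / excluded(2)


def _mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the mask; arcs past the end of the mask must match (treated as 1)."""
    if i >= 8 * len(mask):
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))


def _matches(entry: ViewEntry, target: Sequence[int]) -> bool:
    """An OID matches a row if it is at least as long and agrees on every masked-in arc."""
    if len(target) < len(entry.subtree):
        return False
    return all(not _mask_bit(entry.mask, i) or a == b
               for i, (a, b) in enumerate(zip(entry.subtree, target)))


def oid_in_view(view: Iterable[ViewEntry], target: Sequence[int]) -> bool:
    """RFC 3415 section 3.5: the most specific matching row decides (longest subtree,
    ties broken by the lexicographically greatest subtree); no match means not in view."""
    matching = [e for e in view if _matches(e, target)]
    if not matching:
        return False
    best = max(matching, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed view: everything under internet (1.3.6.1) except the USM and VACM
# MIBs (1.3.6.1.6.3.15 and .16), so a read-only user cannot enumerate its own
# user table or the access-control configuration.
MONITOR_VIEW = (
    ViewEntry(oid("1.3.6.1"), b"", included=True),
    ViewEntry(oid("1.3.6.1.6.3.15"), b"", included=False),   # usmMIB
    ViewEntry(oid("1.3.6.1.6.3.16"), b"", included=False),   # vacmMIB
)

# Masked row: all columns of ifEntry for ifIndex 3 only. The subtree
# 1.3.6.1.2.1.2.2.1.<column>.3 has 11 arcs; the mask clears bit 9 (the column
# arc, written as 0 in the subtree) and keeps the rest, giving octets ff a0.
ONE_INTERFACE_VIEW = (
    ViewEntry(oid("1.3.6.1.2.1.2.2.1.0.3"), bytes.fromhex("ffa0"), included=True),
)


if __name__ == "__main__":
    for name in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3"):
        print(name, "in monitor view:", oid_in_view(MONITOR_VIEW, oid(name)))
    for name in ("1.3.6.1.2.1.2.2.1.2.3", "1.3.6.1.2.1.2.2.1.2.4"):
        print(name, "in one-interface view:", oid_in_view(ONE_INTERFACE_VIEW, oid(name)))
```

    The Exclude rows are what make the view least-privilege: without them a user bound to this view through a group's Read View could walk usmUserTable and vacmAccessTable and learn which principals and security levels exist on the switch.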
  • Page 205: Configuring An Snmpv3 System Notification Entry

    Click Yes to delete the management information view configuration. Click Cancel to return to the table without making changes (page 203).
  • Page 206: Table 96

    Table 96 Notification page items
    Item (MIB association) | Range | Description
    Delete (...RowStatus) | | Deletes the row.
    Name | 1..32 | Type a character string to identify the entry.
  • Page 207: Nortel Ethernet Routing Switch 2500 Series

    Tag | | Type a value to use to select entries in the snmpTargetAddrTable.
    Type | (1) Trap (2) Inform |
    Storage Type | (1) Volatile (2) Non-Volatile |
    ATTENTION: see "Notification page" (page ...).
  • Page 208: Configuring An Snmpv3 Management Target Address

    Click Yes to delete the notification configuration. Click Cancel to return to the table without making changes.
  • Page 209: Target Address Page Items

    Target Address page items
    Item | Range | Description
    Delete | | Deletes the row.
    Target Name | | Type a character string to create a target name.
    Further items (ranges): Integer; 0..255; 1..20; 1..32
    Storage Type | (1) Volatile (2) Non-Volatile |
  • Page 210: Address

    Click Yes to delete the target address configuration. Click Cancel to return to the table without making changes. Storage Type: Non-Volatile requests information to be saved in NVRAM when you turn off the power.
  • Page 211: Configuring An Snmpv3 Management Target Parameter

    Table 98 Target Parameter page items
    Item | Range | Description
    Delete | | Deletes the row.
  • Page 212: Nortel Ethernet Routing Switch 2500 Series

    Storage Type: Volatile entries are kept in memory only and are lost when you turn off the power. Selecting Non-Volatile requests information to be saved in NVRAM when you turn off the power ("Target Parameter page", page 211).
  • Page 213: Configuring An Snmp Trap Receiver

    Click Yes to delete the target parameter configuration. Click Cancel to return to the table without making changes.
  • Page 214: Nortel Ethernet Routing Switch 2500 Series

    SNMP trap receiver page items: Delete | | Deletes the row. (Range 0..32.)
    Click Yes to delete the SNMP trap receiver configuration. Click Cancel to return to the table without making changes.
  • Page 217: Nortel Ethernet Routing Switch 2500 Series

    Appendix A SNMP MIB support The Ethernet Routing Switch 2500 Series supports an SNMP agent with industry standard MIBs, as well as private MIB extensions, which ensures compatibility with existing network management tools. The switch supports the MIB-II (RFC 1213), Bridge MIB (RFC 1493), and the RMON MIB (RFC 1757), which provide access to detailed management statistics.
  • Page 218: Nortel Ethernet Routing Switch 2500 Series

    Proprietary MIBs: ... (Conversation steering) MIB, rcVLAN MIB, rcMLT MIB. Standard MIBs: RFC1493 Bridge MIB, IEEE 802.1ab.
  • Page 219: Nortel Ethernet Routing Switch 2500 Series

    Supported SNMP traps (page 219): Trap | Configurable | Sent when. Configurable: Always on (seven entries). Link up: sent when the link state changes to up on a port.
  • Page 220: Index

    default radius-server command 58; default snmp trap link-status command 69; default snmp-server authentication-trap command 61; default snmp-server community command 63
  • Page 221: Nortel Ethernet Routing Switch 2500 Series

    General tab 111; AuthCtlPartTime field 112; AuthSecurityLock field 112; CurrNodesAllowed field 114; CurrSecurityLists field 114; MaxNodesAllowed field 114; MaxSecurityLists field 114
  • Page 222: Nortel Ethernet Routing Switch 2500 Series

    Name field 166; New User Name field 152; no eapol guest-vlan command 93; no ipmgr command 41, 42; no mac-security command 84
  • Page 223: Nortel Ethernet Routing Switch 2500 Series

    Security, Insert AuthConfig dialog box 117; AccessCtrlType field 118; BrdIndx field 118; MACIndx field 118; PortIndx field 118
  • Page 224: Nortel Ethernet Routing Switch 2500 Series

    deleting 205; management target 161; system information, viewing 190; system notification entries: configuring 205, deleting 207; target addresses ...
  • Page 225: Nortel Ethernet Routing Switch 2500 Series

    UDP RADIUS Port field 173; username command 35; USM dialog box 149; AuthProtocol field 150; EngineID field 150
  • Page 226: Nortel Ethernet Routing Switch 2500 Series

    View Subtree field 204; View Type field 204; Web Password Setting page 170; Web-based management system 40; web-server command 55; Write View field 201
  • Page 228: Nortel Ethernet Routing Switch 2500 Series

    Sourced in Canada, India, and the United States of America The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrants.

This manual is also suitable for:

2550T, 2526T-PWR, 2550T-PWR
