Nortel Secure Network Access Switch Using the Command Line Interface Release: 2.0 Document Revision: 03.01 www.nortel.com NN47230-100 320818-D...
NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice. Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.
30 days of purchase to obtain a credit for the full purchase price. "Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or...
48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
4050 or 4070) controls operation of the Nortel SNAS. This user guide covers the process of implementing the Nortel SNAS using the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch Software Release 2.0. The document includes the following information: •...
(SSCP) are referred to as NSNA network access devices in this document. Generally, NSNA network access devices are the Ethernet Routing Switch 5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1 features are supported by the Ethernet Routing Switch 5500 Series, Release 5.0.2 and later.
Ethernet Routing Switch 8300
— Ethernet Routing Switch 4500, 5510, 5520, or 5530
ATTENTION: NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch 8300 as a Policy Enforcement Point.
• RADIUS, DHCP, and DNS servers
The following devices are additional, optional elements of the Nortel SNAS:
•...
After you obtain the software license file from Nortel, you must copy the entire license key to the switch using the CLI or the BBI. When you copy the license key, ensure you include the BEGIN LICENSE and END LICENSE lines.
MAC address, IP type, device type, and group name(s). You can optionally specify a user name, IP address of the device, comments, and the IP address, unit, and port of the switch to which the device is attached.
SRS rules, see information about the Nortel Health Agent SRS Builder in Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). For information about mapping an SRS rule to a group, see...
• fault tolerance—If a Nortel SNAS device fails, the failure is detected by the other node in the cluster, which takes over the switch control and session handling functions of the failed device. As long as there is one running Nortel SNAS, no sessions will be lost.
Nortel SNAS. For information about configuring the Nortel SNAS using the SREM, see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101). For general information about installing and using the SREM, see Installing and Using the Security...
Configure the Nortel SNAS portal Virtual IP address
e. Configure port tagging, if applicable.
g. Configure DHCP relay and IP routing if the switch is used in
h. (Optional) Configure the Red, Yellow, Green, and VoIP filters.
k. Configure the Nortel SNAS ports.
In Trusted Computing Group (TCG) terminology, the edge switches in a Nortel SNAS function as the Policy Enforcement Point. In this document, the term network access devices is used to refer to the edge switch once it is configured for the Nortel SNAS network.
Managing network access devices
The Nortel SNAS starts communicating with a network access device as soon as you enable the switch on the Nortel SNAS by using the /cfg/domain #/switch #/ena command. You cannot configure the VLAN mappings for a network access device in the Nortel SNAS domain while the switch is enabled.
Managing the network access devices
Adding a network access device
You can add a network access device to the configuration in two ways. You must repeat the steps for each switch that you want to add to the domain configuration.
•...
ATTENTION: Based on the discovery result, the wizard asks for the switch ports, the switch uplink port (for an sscplite switch), or the NSNA communication port (for an sscp switch). Specify the VLAN ID of the Red VLAN, as configured on the network access device.
ID to the network access device. The switch is disabled when it is first added to the configuration. Do not enable the switch until you have completed configuring the system. For more information, see "Configuring the network access devices"...
If the fingerprint is not successfully retrieved, you receive an error message (Error: Failed to retrieve host key). After you have added the switch, you must add or import the SSH public key for the switch (see page 71).
Configuring the network access devices
When you first add a network access device to the Nortel SNAS domain, the switch is disabled by default. Do not enable the switch until you have completed configuring it. In particular, do not enable the switch until you...
To configure a network access device in the Nortel SNAS domain, use the following command:
/cfg/domain #/switch <switch ID>
where switch ID is the ID or name of the switch you want to configure. The Switch menu appears. The Switch menu includes the following options:
/cfg/domain #/switch <switch ID>...
Mapping the VLANs
The VLANs are configured on the network access devices. You specify the Red VLAN for each network access device when you add the switch (see "Adding a network access device"). You must identify the Yellow and Green VLANs to the Nortel SNAS.
/cfg/domain #/switch #/vlan
The Nortel SNAS maintains separate maps for the domain and the switch. If you add a VLAN mapping with the domain-level vlan command, you must use the domain-level command for all future management of that mapping.
The Nortel SNAS continually monitors the health of the network access devices. At specified intervals, a health check daemon exchanges queries and responses with the switch as a heartbeat mechanism. If no activity (heartbeat) is detected, the daemon retries the health check a specified number of times (the dead count).
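The heartbeat logic above, as an added example that is not Nortel's code: a switch is marked down only after `dead_count` consecutive missed heartbeats, and any reply resets the retry counter so a single lost probe does not flap the switch state. The interval, the dead-count value and the probe function are assumptions made for illustration.

```python
"""Heartbeat monitor with a dead count, modelled on the SNAS health check
daemon described above. Added example, not Nortel code: the interval, the
dead-count value and the probe function are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class SwitchHealth:
    switch_id: int
    dead_count: int = 3        # consecutive misses before the switch is declared down
    misses: int = 0            # consecutive heartbeats with no reply
    alive: bool = True
    events: List[str] = field(default_factory=list)

    def observe(self, replied: bool) -> bool:
        """Record one heartbeat result. Returns True when the up/down state changed."""
        was_alive = self.alive
        if replied:
            self.misses = 0        # any reply resets the retry counter
            self.alive = True
        else:
            self.misses += 1
            if self.misses >= self.dead_count:
                self.alive = False
        if self.alive != was_alive:
            self.events.append(f"switch {self.switch_id} {'up' if self.alive else 'down'}")
            return True
        return False


def run_health_check(probe: Callable[[int], bool], health: SwitchHealth, rounds: int) -> SwitchHealth:
    """Call `probe` once per interval for `rounds` intervals and update `health`.
    A real daemon would sleep for the configured interval between calls; the
    sleep is left out so the logic can be exercised offline."""
    for _ in range(rounds):
        health.observe(probe(health.switch_id))
    return health


def simulate(trace: str, dead_count: int = 3) -> SwitchHealth:
    """Constructed heartbeat trace: '1' = reply received, '0' = no reply."""
    replies = iter(trace)
    health = SwitchHealth(switch_id=1, dead_count=dead_count)
    return run_health_check(lambda _sid: next(replies) == "1", health, len(trace))


if __name__ == "__main__":
    for trace in ("1101", "1000", "10001", "1001001"):
        h = simulate(trace)
        print(f"{trace}: alive={h.alive} events={h.events}")
```

The trace `1001001` never declares the switch down with a dead count of 3, because the misses are not consecutive; `1000` does. When tuning the real dead count, remember that a higher value delays detection of a failed switch, during which its ports stay in whatever VLAN the SNAS last assigned.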
/cfg/domain #/switch #/dis
Enter apply to apply the change immediately.
ATTENTION: If the switch is not going to be used in the Nortel SNAS network, Nortel recommends deleting the switch from the Nortel SNAS domain rather than just disabling it.
• VoIP phones
• Nortel SNAS should use MAC authentication
• Multiple PCs connected to the switch port through a hub are not supported.
To configure sscplite, access the menu by using the following command:
/cfg/domain #/switch #/mgmtproto
The Switch menu is modified to include the different communication protocols (sscp and sscplite).
• support for non-NSNA network access devices, including Nortel Ethernet Switch models 325, 425, 450, 470 and the 2500 series, Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600, and third-party switches, and support for multiple devices on a port (for example, when a hub is connected to the port).
• move #A #B changes the index number of range #A to #B and changes the index number of #B to #A. That is, the two ranges switch places in the range list.
Prompts you to identify and configure values for the standard DHCP options.
You can define up to 63 extended profiles for each group. In Nortel Secure Network Access Switch Software Release 1.6.1, the data for an extended profile include the following configurable parameters: •...
To configure the symbolic name for the RSA server and import the sdconf.rec configuration file, use the following command:
/cfg/sys/rsa
The RSA Servers menu appears.
ATTENTION: This feature is not supported in Nortel Secure Network Access Switch Software Release 1.6.1.
The RSA Servers menu includes the following options:
/cfg/sys/rsa followed by:
rsaname <name>...
Enabling TunnelGuard SRS administration To create and modify the TunnelGuard Software Requirement Set (SRS) rules, you must use the SREM (see Nortel Secure Network Access Switch 4050 User Guide for the SREM (NN47230-101), ). Before you can access the Rule Builder utility in the SREM, you must enable support for SRS administration.
If a software version marked old is available, it is possible to switch back to this version by activating it again. current means that a software version marked as old or unpacked has been activated.
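The image states described above (unpacked, current, old), as an added example that is not Nortel's code. `activate` follows the text: the activated image becomes current and the previous current image becomes old, so activating the old image again is the rollback path. Keeping at most one image in each state, and dropping the old image when a new unpacked image is activated, are assumptions.

```python
"""State model of the SNAS software image slots described above (unpacked,
current, old). Added example, not Nortel code: 'activate' follows the text (the
activated image becomes current and the previous current becomes old); keeping
at most one image in each state is an assumption."""
from typing import Dict, Optional


class ImageStore:
    def __init__(self) -> None:
        self.versions: Dict[str, str] = {}   # version string -> state

    def _find(self, state: str) -> Optional[str]:
        for version, s in self.versions.items():
            if s == state:
                return version
        return None

    def current(self) -> Optional[str]:
        return self._find("current")

    def old(self) -> Optional[str]:
        return self._find("old")

    def unpack(self, version: str) -> None:
        """Download/unpack a new image; it is not running until activated."""
        if version in self.versions:
            raise ValueError(f"{version} is already present as {self.versions[version]}")
        previous = self._find("unpacked")
        if previous is not None:
            del self.versions[previous]           # only one unpacked image at a time (assumption)
        self.versions[version] = "unpacked"

    def activate(self, version: str) -> str:
        """Make `version` current. Works for an unpacked image and for the old image (rollback)."""
        state = self.versions.get(version)
        if state is None:
            raise KeyError(f"{version} is not installed")
        if state == "current":
            return version                        # already running; nothing to do
        previous = self.current()
        if state == "unpacked":
            stale = self.old()
            if stale is not None:
                del self.versions[stale]          # the old slot is reused for the outgoing current image
        if previous is not None:
            self.versions[previous] = "old"
        self.versions[version] = "current"
        return version

    def rollback(self) -> str:
        """Switch back to the image marked old by activating it again."""
        target = self.old()
        if target is None:
            raise RuntimeError("no old image available to roll back to")
        return self.activate(target)


if __name__ == "__main__":
    store = ImageStore()
    store.unpack("1.6.1")
    store.activate("1.6.1")
    store.unpack("2.0")
    store.activate("2.0")
    print(store.versions)        # 1.6.1 old, 2.0 current
    store.rollback()
    print(store.versions)        # 1.6.1 current, 2.0 old
```

The point to check before an upgrade is that the image you would roll back to is the one marked old: once another unpacked image is activated, the earlier old image is gone in this model.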
SNAS device; two edge switches (one Ethernet Routing Switch 8300 and one Ethernet Routing Switch 5510) functioning as network access devices; and an Ethernet Routing Switch 8600 functioning only as the core router, to which a BCM call server, a DNS server, a DHCP server, and a remediation server are connected.
Configure the Ethernet Routing Switch 8300 The configuration procedure is based on the following assumptions: • You are starting with an installed switch that is not currently configured as part of the network. • You have installed Software Release 2.2.8.
Configure the Ethernet Routing Switch 5510 The following configuration example is based on the following assumptions: • You are starting with an installed switch that is not currently configured as part of the network. • You have installed Software Release 4.3.
Adding the network access devices
This example adds the Ethernet Routing Switch 8300 manually, and uses the quick switch wizard to add the Ethernet Routing Switch 5510. In both cases, the example assumes that the switch is not reachable when it is added, and the switch public SSH key is therefore not automatically retrieved by the Nortel SNAS.
Error: Failed to retrieve host key
>> Switch 1# apply
Changes applied successfully.
Export the Nortel SNAS public SSH key to the Ethernet Routing Switch 8300:
>> Switch 1# sshkey/export
Import the public SSH key from the switch:
>> SSH Key# import
Adding the Ethernet Routing Switch 5510
Use the quick switch wizard:
>>...
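When the host key cannot be retrieved at add time (the "Failed to retrieve host key" case above and on the earlier page that introduces it), the key you later import is only as trustworthy as the channel you got it from, so compare its fingerprint against one read from the switch console before importing. The following is an added example, not Nortel code or an SNAS command: it computes OpenSSH-style SHA256 and MD5 fingerprints of a public-key line on an operator workstation and compares them with an out-of-band value. The RSA key it builds is constructed for the example and is not a real key.

```python
"""Out-of-band check of a switch's SSH host key before importing it into the
SNAS. Added example, not Nortel code: the SNAS itself only offers import/export;
the fingerprint comparison here is what an operator would do on a workstation.
The RSA key below is constructed for the example and is not a real key."""
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (a leading 0x00 keeps the sign bit clear)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Serialise an RSA public key as an OpenSSH public-key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def parse_public_key(line: str) -> Tuple[str, bytes]:
    """Decode a public-key line and check the text type matches the type inside the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + type_len].decode()
    if wire_type != key_type:
        raise ValueError(f"key type mismatch: line says {key_type}, blob says {wire_type}")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest without '=' padding."""
    _, blob = parse_public_key(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Legacy colon-separated hex MD5 fingerprint, as older switch CLIs display it."""
    _, blob = parse_public_key(line)
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_fingerprint(line: str, expected: str) -> bool:
    """Compare the key's fingerprint with one read from the switch console."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        actual = fingerprint_sha256(line)
    elif expected.startswith("MD5:"):
        actual = fingerprint_md5(line).lower()
        expected = expected.lower()
    else:
        raise ValueError("expected fingerprint must start with 'SHA256:' or 'MD5:'")
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed sample key material: an arbitrary 512-bit value, far too small for real use.
SAMPLE_N = int("c0ffee" * 21 + "01", 16)
SAMPLE_KEY = build_rsa_public_key(65537, SAMPLE_N, "ers5510-switch2")

if __name__ == "__main__":
    print(SAMPLE_KEY)
    print(fingerprint_sha256(SAMPLE_KEY))
    print(fingerprint_md5(SAMPLE_KEY))
    print(verify_fingerprint(SAMPLE_KEY, fingerprint_sha256(SAMPLE_KEY)))
```

The type check in `parse_public_key` matters because the text type and the type encoded in the blob are separately attacker-controllable in a pasted key line; the fingerprint is computed over the decoded blob, which is what OpenSSH does. Prefer the SHA256 form where the switch can display it; the MD5 form is kept only because older switch firmware shows nothing else.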
Switch 8300 (Switch 1) will always be used exclusively by Switch 1, whereas the VLAN IDs for the VLANs defined on the Ethernet Routing Switch 5510 (Switch 2) may be used by other edge switches added to the domain in future. Therefore, the VLAN mappings for Switch 1 are made with the switch-level command, while the VLAN mappings for Switch 2 are made at the domain level.
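The two-level mapping described here and in the "Mapping the VLANs" section, as an added example that is not Nortel's code. It models the separate domain-level and switch-level maps and enforces the rules the text states: the Red VLAN is recorded per switch when the switch is added, a mapping is managed at the level where it was created, a switch is disabled when first added, and its mappings cannot be changed while it is enabled. Switch-level precedence over domain-level on lookup, and refusing to enable a switch until Red, Yellow and Green are all resolvable, are assumptions; the VLAN IDs are constructed.

```python
"""Model of the separate domain-level and switch-level VLAN maps the SNAS keeps.
Added example, not Nortel code. Enforced rules come from the text: a mapping is
managed at the level where it was created, a switch's mappings cannot be changed
while it is enabled, and a switch is disabled when first added. Switch-level
precedence over domain-level on lookup, and requiring Red/Yellow/Green before
enabling, are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

COLORS = ("red", "yellow", "green", "voip")


class VlanMapError(Exception):
    pass


@dataclass
class Switch:
    switch_id: int
    enabled: bool = False                                 # disabled when first added
    vlans: Dict[str, int] = field(default_factory=dict)   # switch-level map


@dataclass
class Domain:
    vlans: Dict[str, int] = field(default_factory=dict)        # domain-level map
    switches: Dict[int, Switch] = field(default_factory=dict)

    def add_switch(self, switch_id: int, red_vlan: int) -> Switch:
        """Adding a switch always records its Red VLAN at switch level."""
        sw = Switch(switch_id, vlans={"red": red_vlan})
        self.switches[switch_id] = sw
        return sw

    def map_domain_vlan(self, color: str, vlan_id: int) -> None:
        """Equivalent of the domain-level vlan command; shared by every switch."""
        _check_color(color)
        self.vlans[color] = vlan_id

    def map_switch_vlan(self, switch_id: int, color: str, vlan_id: int) -> None:
        """Equivalent of /cfg/domain #/switch #/vlan; refused while the switch is enabled."""
        _check_color(color)
        sw = self._switch(switch_id)
        if sw.enabled:
            raise VlanMapError(f"switch {switch_id} is enabled; disable it before changing VLAN mappings")
        sw.vlans[color] = vlan_id

    def unmap_switch_vlan(self, switch_id: int, color: str) -> None:
        """Remove a switch-level mapping; a domain-level one must be removed at domain level."""
        sw = self._switch(switch_id)
        if sw.enabled:
            raise VlanMapError(f"switch {switch_id} is enabled; disable it before changing VLAN mappings")
        if color not in sw.vlans:
            if color in self.vlans:
                raise VlanMapError(f"{color} is mapped at domain level; use the domain-level vlan command")
            raise KeyError(color)
        del sw.vlans[color]

    def resolve(self, switch_id: int, color: str) -> Optional[int]:
        """Effective VLAN ID for a switch: its own map first, then the domain map (assumption)."""
        return self._switch(switch_id).vlans.get(color, self.vlans.get(color))

    def enable_switch(self, switch_id: int) -> None:
        """Equivalent of /cfg/domain #/switch #/ena, with a completeness check (assumption)."""
        for color in ("red", "yellow", "green"):
            if self.resolve(switch_id, color) is None:
                raise VlanMapError(f"switch {switch_id}: {color} VLAN not mapped; finish configuration before enabling")
        self._switch(switch_id).enabled = True

    def _switch(self, switch_id: int) -> Switch:
        try:
            return self.switches[switch_id]
        except KeyError:
            raise VlanMapError(f"switch {switch_id} is not in the domain") from None


def _check_color(color: str) -> None:
    if color not in COLORS:
        raise VlanMapError(f"unknown VLAN role {color!r}; expected one of {COLORS}")


def example_domain() -> Domain:
    """Constructed scenario mirroring the text: Switch 1 (ERS 8300) owns its VLAN IDs,
    Switch 2 (ERS 5510) relies on domain-level IDs that later switches can reuse."""
    d = Domain()
    d.add_switch(1, red_vlan=110)
    d.map_switch_vlan(1, "yellow", 120)
    d.map_switch_vlan(1, "green", 130)
    d.map_switch_vlan(1, "voip", 140)
    d.add_switch(2, red_vlan=210)
    d.map_domain_vlan("yellow", 220)
    d.map_domain_vlan("green", 230)
    d.enable_switch(1)
    d.enable_switch(2)
    d.add_switch(3, red_vlan=310)   # a later switch inherits the domain-level Yellow and Green
    return d
```

Running `example_domain()` and calling `resolve(3, "yellow")` shows the reuse the text describes: the third switch gets Yellow 220 without any switch-level mapping, while Switch 1 keeps its exclusive IDs. Trying `map_switch_vlan(1, ...)` after `enable_switch(1)` raises, which is the ordering constraint from the "Managing network access devices" section.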
The following CLI menus are accessible from the Main menu:
• Information—provides submenus for displaying information about the current status of the Nortel Secure Network Access Switch. For the Information menu commands, see...
• Statistics—provides submenus for displaying Nortel SNAS performance statistics.