Cabletron Systems LANVIEWsecure User Manual

Enterasys lanviewsecure repeaters: user guide


Summary of Contents for Cabletron Systems LANVIEWsecure

  • Page 1 LANVIEWSECURE USER'S GUIDE...
  • Page 3 NOTICE Cabletron Systems reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader should in all cases consult Cabletron Systems to determine whether any such changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice. IN NO EVENT SHALL CABLETRON SYSTEMS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF CABLETRON SYSTEMS HAS BEEN...
  • Page 4 FCC NOTICE This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
  • Page 5 IMPORTANT: Before utilizing this product, carefully read this License Agreement. This document is an agreement between you, the end user, and Cabletron Systems, Inc. (“Cabletron”) that sets forth your rights and obligations with respect to the Cabletron software program (the “Program”) contained in this package. The Program may be contained in firmware, chips or other media.
  • Page 7: Table Of Contents

    CHAPTER 1 LANVIEWSECURE: 1.1 Introduction ... 1-1; 1.2 Technology ... 1-1; 1.2.1 Types of Protection ... 1-2; 1.2.2 Features of First Generation Security ... 1-2; 1.2.3 New Features of Second Generation Security ... 1-3; 1.3 Configuring LANVIEWSECURE; 1.4 Tips for Implementing LANVIEWSECURE; 1.5 Summary ... 1-5; 1.6 Getting Help ...
  • Page 9: Chapter 1 Lanview Secure

    1.1 Introduction. LANVIEWSECURE is Cabletron Systems' strategy for hub-based security of Ethernet networks. Cabletron Systems' LANVIEWSECURE technology provides security solutions across the entire Multi Media Access Center product line, including the HubSTACK, MicroMMAC, and MMAC-Plus. Cost-effective implementations in 10BASE-T twisted pair, 10BASE2 coaxial, and 10BASE-FL fiber optic media give the network architect freedom of choice when incorporating physical layer security into the network.
  • Page 10: Types Of Protection

    1.2.1 Types of Protection. Intruder Prevention: Intruder Prevention prevents any unauthorized source address from communicating with the network via a secure port. It is based on the expected MAC address of a port. For LANVIEWSECURE to be effective, specific parameters must be set and features enabled. During setup, the manager configures the Trap Screen and enables security.
  • Page 11: New Features Of Second Generation Security

    Force Trunk Port: The user may force the port to be a trunk port before locking it. When this object is set to “Force”, the port is placed into a Trunk topological state whether or not the network traffic warrants such a state.
  • Page 12: Configuring Lanview

    Learn State: This provides the ability to start and stop learning at the network, port group, and port level. The Object Identifier (OID) defaults to the “Learn” state. This OID automatically changes to the “Nolearn” state once it has either learned two addresses or a set has been done by management. At this point, the user can set the OID back to “Learn”...
  • Page 13: Tips For Implementing Lanview

    1.4 Tips for Implementing LANVIEWSECURE Features. Security can only be implemented by locking a port, and can only be completely disabled by unlocking a port. You cannot enable Intruder Protection on a LANVIEWSECURE hub without also enabling Eavesdrop Protection. You can, however, effectively enable Eavesdrop Protection alone by de-selecting the Disable Ports option for the violation response;...
  • Page 14: Getting Help

    1.6 Getting Help. If you need additional support related to this device, or if you have any questions, comments, or suggestions concerning this manual, contact Cabletron Systems Technical Support (contact table: Phone, CompuServe, Internet mail, Login, Password, Modem setting). Phone: (603) 332-9400, Monday –... For additional information about Cabletron Systems products, visit our World Wide Web site: http://www.cabletron.com/
  • Page 15: Chapter 2 Oids To Enable/Disable Security

    OIDs TO ENABLE/DISABLE SECURITY. 2.1 Introduction: This chapter provides a list of the OIDs for LANVIEWSECURE. 2.2 OIDs. Community Names: The read-write community name for the Repeater MIB component is necessary to perform SNMP set commands that enable/disable LANVIEWSECURE. The examples shown below use the following definitions: b=board, p=port. rptrSaTrapSetSrcaddr {rptrSaTrapSet 1} Description:...
  • Page 16 rptrSecuritySecureState {rptrSaSecurity 2} Description: The status of source address security of the network. Ports on the network that are secure(1) can be locked in order to enable security. NonSecure(2) ports cannot be locked. Setting a value of portMisMatch(3) is invalid. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.1.7.2.0 Data Type:...
  • Page 17 rptrPortGrpSaTrapSetSrcaddr {rptrPortGrpSaTrapEntry 2} Description: Enables and disables source address traps for the specified port group. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.2.5.2.1.1.2.0 Data Type: Integer Values: Access Policy: read-write rptrPortGrpSrcAddrLockGrpId {rptrPortGrpSrcAddrLockEntry 1} Description: Defines particular port group for this source address security lock information. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.1.b Data Type:...
  • Page 18 rptrPortGrpSASecuritySecureState {rptrPortGrpSrcAddrLockEntry 3} Description: The state of the source addressing security for this port group. Ports on the port group that are secure(1) can be locked in order to enable security. When a value of nonsecure(2) is returned, ports cannot be locked. Setting a value of portMisMatch(3) is invalid.
  • Page 19 rptrPortSrcAddrTopoState {rptrPortSrcAddrEntry 3} Description: Returns the topological state of the port. NOTE: Not related to security. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.3.5.1.3.b.p Data Type: Integer Values: Access Policy: read-only rptrPortSrcAddrForceTrunk {rptrPortSrcAddrEntry 4} Description: When this object is set to Force it causes the port to be placed into a Trunk topological state whether the network traffic would warrant such a state or not.
  • Page 20 rptrPortSecurityPortId {rptrPortSecurityEntry 2} Description: The port ID for this source address lock entry. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.2.b.p Data Type: Integer Access Policy: read-only rptrPortSecurityLockStatus {rptrPortSecurityEntry 3} Description: Defines lock status for this particular port entry. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.3.b.p Data Type: Integer Values: Access Policy: read-write...
  • Page 21 rptrPortSecurityDisableOnViolation {rptrPortSecurityEntry 6} Description: Designates whether the port is disabled if its source address is violated. A source address violation occurs when an address is detected which is not in the secure address list for this port. If the port is disabled due to a source address violation, it can be re-enabled by setting rptrPortMgmtAdminState.
  • Page 22 rptrPortSecurityForceNonSecure {rptrPortSecurityEntry 9} Description: The force non-secure state of the port. If the port is forced Non-Secure via a value of forceNonSecure(2), it is put into a Non-Secure state, in which case it cannot be locked. If a port is not forced, noForce(1), it takes on its natural state according to the traffic flow on the port.
  • Page 23 rptrPortSecurityListPortGrpId {rptrPortSecurityListEntry 1} Description: The port group for this security list entry. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.1.b.p Data Type: Integer Access Policy: read-only rptrPortSecurityListPortId {rptrPortSecurityListEntry 2} Description: The port ID for this source address lock list. Object Identifier: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.2.b.p Data Type: Integer Access Policy: read-only rptrPortSecurityListIndex...
  • Page 25: Chapter 3 Setting Oids

    3.1 Introduction: This chapter provides a step-by-step procedure for setting the LANVIEWSECURE OIDs with the SNMP Tools platform, using the SEHI as an example. 3.2 Guidelines. Community Name: The read-write or superuser community name for the Repeater MIB component is necessary to perform SNMP set commands which enable/disable LANVIEWSECURE. SNMP Set: When performing SNMP sets on these OIDs, an integer of 1 unlocks or disables the function, while an integer...
  • Page 26: The Snmp Tools Screen

    3.4 The SNMP Tools Screen Use the arrow keys to move from field to field about the screen. After entering information, use the <ENTER> key to accept information into that field and the arrow keys again to go to the next field or command. In this document, what you enter appears in GETNEXT NOTES:...
  • Page 27: The Get Command

    3.5 The GET Command
    Lock Port (Partial Security) 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.3 (1=Unlock, 2=Lock)
    GETNEXT 3.1.12 <GET> OID (=|F9): ACCESSED OID: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.3.1.12 ASCII_LABEL: DATA TYPE: { int } DATA LENGTH: DECODED DATA:
    Secure State (read only) 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.8.b.p (b=board, p=port)
    GETNEXT 8.1.1 <GET> OID (=|F9): ACCESSED OID: 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.8.1.1 ASCII_LABEL:...
  • Page 28: The Set Command

    3.6 The SET Command
    Set to Full Security 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.7.b.p (b=board, p=port)
    GETNEXT 7.1.12 <SET> OID (=|F9): { Integer String Null Oid Ipaddress Counter Gauge Timeticks Opaque } DATA TYPE (name): SNMP OID Data: <SET> OPERATION CODE: 2 < OK >
    Add Address to Secure Table 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.4.b.p (b=board, p=port)
    GETNEXT 4.1.12...
  • Page 29
    Delete Address from Secure Table 1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.5.b.p (b=board, p=port)
    GETNEXT 5.1.12 <SET> OID (=|F9): { Integer String Null Oid Ipaddress Counter Gauge Timeticks Opaque } DATA TYPE (name): ENTER H(ex) or A(scii) FOR STRING TYPE: ENTER DATA AS HEX BYTES SEPARATED BY BLANKS LIKE 0 1D 30 5 00 00 1D 22 33 44 SNMP OID Data: <SET>...
  • Page 30: The Cycle Command

    3.7 The CYCLE Command
    View Secure Address Table (read only) 1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.b.p (b=board, p=port)
    GETNEXT ENTER <GETNEXT> CYCLE COUNT: ENTER CYCLE DELAY (secs): 4.1.12 <GETNEXT> OID (=|F9):
    ------------SPECIFIED OID ----------------- SIZE
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.1
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.2
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.3
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.4
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.5
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.6
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.7
    1.3.6.1.4.1.52.4.1.1.1.4.3.9.2.1.4.1.12.8
    ****** MIB WALK COMPLETED ******
    This command is especially useful for viewing OIDs with tables of instances that span one or many boards or ports, such as the LANVIEWSECURE...
  • Page 31: Chapter 4 Mib Navigator

    4.1 Introduction: This chapter explains how to use the MIB Navigator utility commands of get, set, and community names for LANVIEWSECURE. Figure 4-1 shows the MIB Navigator screen. NOTE: Figure 4-1 shows the MIB Navigator screen that would be presented after the user entered the “help” command.
  • Page 32: Managing Device Mibs

    4.2 Managing Device MIBs: The MIB Navigator lets you manage objects in the NBR Management Information Bases (MIBs). MIBs are databases of objects used for managing the device and determining the device configuration. The commands within the MIB Navigator allow you to view and modify an object of the device. The MIB Navigator views the MIB tree hierarchy as a directory.
  • Page 33: Conventions For Mib Navigator Commands

    4.3.1 Conventions for MIB Navigator Commands: This manual uses the following conventions for denoting commands: • Information keyed by the user is shown in this helvetica font. • Command arguments are indicated by two types of brackets: required arguments are enclosed by [ ]; optional arguments are enclosed by <...
  • Page 34 set: Syntax: set <OID> <value> Description: The set command enables you to set the value of a managed object. This command is valid only for leaf entries in the current MIB tree, or for managed objects in the MIB. If the leaf specified does not exist for the given path, MIB Navigator asks for a value. The following lists the possible value types: (i)nteger - number (c)ounter - number...
  • Page 35: Chapter 5 Community Names

    By default, the community name for each group is “public”, except for the Repeater group, which is “channelA” for single channel devices. For devices that have multiple repeaters, the default community names used would be “channelA” for Repeater One; “channelB” for Repeater Two; “channelC” for Repeater Three;...
  • Page 36: Viewing Mib Components And Corresponding Community Names

    5.2 Viewing MIB Components and Corresponding Community Names
    GETNEXT ENTER <GETNEXT> CYCLE COUNT: ENTER CYCLE DELAY (secs): (press the down arrow key, not the <ENTER> key, to begin the cycle) <GETNEXT> OID (=|F9):
    ------------SPECIFIED OID ------------ SIZE
    1.3.6.1.4.1.52.4.1.1.2.4.1.5.1
    1.3.6.1.4.1.52.4.1.1.2.4.1.5.2
    1.3.6.1.4.1.52.4.1.1.2.4.1.5.3
    1.3.6.1.4.1.52.4.1.1.2.4.1.5.4
    1.3.6.1.4.1.52.4.1.1.2.4.1.5.5
    GETNEXT ENTER <GETNEXT>...
  • Page 37: More Device Community Name Examples

    5.3 More Device Community Name Examples
    MicroMMAC-22E, Firmware Version 1.10.14, chCompName=1.3.6.1.4.1.52.4.1.1.2.4.1.5:
    chCompName.1 Chassis MGR
    chCompName.2
    chCompName.3 Host Services
    chCompName.4 IP Services
    chCompName.5 Distributed LAN Monitor
    chCompName.6 MIB Navigator
    chCompName.7 RMON Default
    chCompName.8 RMON Host
    chCompName.9 RMON Capture
    chCompName.10 Repeater 1
    EMME (MMAC-3FNB with TPRMIM and TPXMIM), chCompName=1.3.6.1.4.1.52.4.1.1.2.4.1.5:
    chCompName.1...
