Home » Dell Manuals » Servers » Dell Force10 Z9000 » Manual Viewer

Dell Force10 Z9000 FTOS Configuration Guide for Z9000 System - Page 801

Monitor TACACS+, TACACS+ Remote Authentication and Authorization

Add to My Manuals
Save this manual to your list of manuals

Page 801 highlights

Figure 39-4. Failed Authentication FTOS(conf)# FTOS(conf)#do show run aaa ! aaa authentication enable default tacacs+ enable aaa authentication enable LOCAL enable tacacs+ aaa authentication login default tacacs+ local aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+ aaa accounting commands 15 default start-stop tacacs+ FTOS(conf)# FTOS(conf)#do show run tacacs+ ! tacacs-server key 7 d05206c308f4d35b Server key purposely changed to incorrect value tacacs-server host 10.10.10.10 timeout 1 FTOS(conf)#tacacs-server key angeline FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on vty0 (10.11.9.209) %RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 ) %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.209) FTOS(conf)#username angeline password angeline FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209) %RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 ) User authenticated using secondary method Monitor TACACS+ To view information on TACACS+ transactions, use the following command in the EXEC Privilege mode: Command Syntax debug tacacs+ Command Mode Purpose EXEC Privilege View TACACS+ transactions to troubleshoot problems. TACACS+ Remote Authentication and Authorization FTOS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes. If you have configured remote authorization, then FTOS ignores the access class you have configured for the VTY line. FTOS instead gets this access class information from the TACACS+ server. FTOS needs to know the username and password of the incoming user before it can fetch the access class from the server. A user, therefore, will at least see the login prompt. If the access class denies the connection, FTOS closes the Telnet session immediately. Security | 801

Section	Page
About this Guide	27
Objectives	27
Audience	27
Conventions	28
Information Symbols	28
Configuration Fundamentals	29
Accessing the Command Line	29
CLI Modes	30
Navigating CLI Modes	31
The do Command	34
Undoing Commands	34
Obtaining Help	35
Entering and Editing Commands	35
Command History	36
Filtering show Command Outputs	37
Multiple Users in Configuration mode	38
Getting Started	39
Console access	39
Serial console	39
Accessing the RJ-45 console port with a DB-9 adapter	40
Default Configuration	40
Configure a Host Name	41
Access the System Remotely	41
Access the C-Series, E-Series, S-Series, and the Z-Series Remotely	41
Configure the Management Port IP Address	42
Configure a Management Route	42
Configure a Username and Password	42
Access the S-Series Remotely	43
Configure the Enable Password	44
Configuration File Management	44
Copy Files to and from the System	45
Save the Running-configuration	46
Configure the Overload bit for Startup Scenario	47
View Files	47
View Configuration Files	48
File System Management	49
View command history	50
Upgrading FTOS	50
Management	51
Configure Privilege Levels	51
Create a Custom Privilege Level	51
Removing a command from EXEC mode	52
Move a command from EXEC privilege mode to EXEC mode	52
Allow Access to CONFIGURATION mode commands	52
Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode	52
Apply a Privilege Level to a Username	55
Apply a Privilege Level to a Terminal Line	55
Configure Logging	55
Log Messages in the Internal Buffer	56
Configuration Task List for System Log Management	56
Disable System Logging	56
Send System Messages to a Syslog Server	57
Configure a Unix System as a Syslog Server	57
Change System Logging Settings	57
Display the Logging Buffer and the Logging Configuration	58
Configure a UNIX logging facility level	60
Synchronize log messages	61
Enable timestamp on syslog messages	61
File Transfer Services	62
Configuration Task List for File Transfer Services	62
Enable FTP server	63
Configure FTP server parameters	63
Configure FTP client parameters	64
Terminal Lines	64
Deny and Permit Access to a Terminal Line	64
Configure Login Authentication for Terminal Lines	65
Time out of EXEC Privilege Mode	66
Telnet to Another Network Device	67
Lock CONFIGURATION mode	68
Viewing the Configuration Lock Status	69
Recovering from a Forgotten Password on the S4810 and Z9000	69
Recovering from a Forgotten Enable Password on the S4810 and Z9000	71
Recovering from a Failed Start on the S4810 and Z9000	72
802.1X	73
Protocol Overview	73
The Port-authentication Process	74
EAP over RADIUS	75
RADIUS Attributes for 802.1 Support	76
Configuring 802.1X	77
Related Configuration Tasks	77
Important Points to Remember	77
Enabling 802.1X	77
Configuring Request Identity Re-transmissions	79
Configuring a Quiet Period after a Failed Authentication	80
Forcibly Authorizing or Unauthorizing a Port	81
Re-authenticating a Port	82
Periodic Re-authentication	82
Configuring Timeouts	83
Dynamic VLAN Assignment with Port Authentication	84
Guest and Authentication-fail VLANs	85
Configuring a Guest VLAN	86
Configuring an Authentication-fail VLAN	86
Access Control Lists (ACLs)	89
Overview	89
IP Access Control Lists (ACLs)	90
CAM Profiling, CAM Allocation, and CAM Optimization	90
CAM Profiling	91
User Configurable CAM Allocation	91
CAM optimization	92
Test CAM Usage	92
Implementing ACLs on FTOS	93
ACLs and VLANs	93
ACL Optimization	93
Determine the order in which ACLs are used to classify traffic	93
IP Fragment Handling	94
IP fragments ACL examples	95
Layer 4 ACL rules examples	95
Configure a standard IP ACL	96
Configure an extended IP ACL	99
Configure filters with sequence number	99
Configure filters without sequence number	101
Configuring Layer 2 and Layer 3 ACLs on an Interface	102
Assign an IP ACL to an Interface	103
Counting ACL Hits	104
Configuring Ingress ACLs	104
Configuring Egress ACLs	105
Egress Layer 3 ACL Lookup for Control-plane IP Traffic	106
Configuring ACLs to Loopback	107
Applying an ACL on Loopback Interfaces	107
IP Prefix Lists	108
Implementation Information	109
Configuration Task List for Prefix Lists	109
Configure a prefix list	109
Use a prefix list for route redistribution	112
ACL Resequencing	113
Resequencing an ACL or Prefix List	114
Route Maps	115
Implementation Information	115
Important Points to Remember	116
Configuration Task List for Route Maps	116
Create a route map	116
Configure route map filters	118
Configure a route map for route redistribution	121
Configure a route map for route tagging	122
Continue clause	122
Bidirectional Forwarding Detection (BFD)	123
Protocol Overview	123
How BFD Works	124
BFD packet format	124
BFD sessions	126
BFD three-way handshake	127
Session state changes	128
o to Remember	129
Configuring Bidirectional Forwarding Detection	129
Configuring BFD for Physical Ports	130
Related configuration tasks	130
Enabling BFD globally	130
Establishing a session on physical ports	131
Changing physical port session parameters	132
Disabling and re-enabling BFD	133
Configuring BFD for Static Routes	134
Related configuration tasks	134
Establishing sessions for static routes	134
Changing static route session parameters	135
Disabling BFD for static routes	136
Configuring BFD for OSPF	136
Related configuration tasks	136
Establishing sessions with OSPF neighbors	136
Changing OSPF session parameters	138
Disabling BFD for OSPF	139
Configuring BFD for IS-IS	139
Related configuration tasks	139
Establishing sessions with IS-IS neighbors	139
Changing IS-IS session parameters	141
Disabling BFD for IS-IS	142
Configuring BFD for BGP	142
Prerequisites	142
Establishing sessions with BGP neighbors	142
Disabling BFD for BGP	144
Using BFD in a BGP Peer Group	145
Displaying BFD for BGP Information	145
Configuring BFD for VRRP	150
Related configuration tasks	150
Establishing sessions with all VRRP neighbors	150
Establishing VRRP sessions on VRRP neighbors	151
Changing VRRP session parameters	152
Disabling BFD for VRRP	152
Configuring BFD for VLANs	153
Related configuration tasks	153
Establishing sessions with VLAN neighbors	154
Changing session parameters	155
Disabling BFD for VLANs	155
Configuring BFD for Port-Channels	155
Related configuration tasks	156
Establishing sessions on port-channels	156
Changing port-channel session parameters	157
Disabling BFD for port-channels	157
Configuring Protocol Liveness	158
Troubleshooting BFD	158
Border Gateway Protocol	159
Protocol Overview	160
Autonomous Systems (AS)	160
Sessions and Peers	162
Establishing a session	163
Peer Groups	163
Route Reflectors	164
Confederations	165
Communities	165
BGP Attributes	165
Best Path Selection Criteria	165
Best Path selection details	167
Weight	168
Local Preference	168
Multi-Exit Discriminators (MEDs)	169
Origin	170
AS Path	171
Next Hop	172
Multiprotocol BGP	172
Implementing BGP with FTOS	172
Additional Path (Add-Path) support	172
Advertise IGP cost as MED for redistributed routes	173
Ignore Router-ID for some best-path calculations	173
4-Byte AS Numbers	174
AS4 Number Representation	174
Dynamic AS Number Notation application	175
AS Number Migration	177
BGP4 Management Information Base (MIB)	179
Important Points to Remember	179
Configuration Information	180
BGP Configuration	181
Defaults	181
Configuration Task List for BGP	182
Enable BGP	182
Configure AS4 Number Representations	187
Configure Peer Groups	189
BGP fast fall-over	193
Configure passive peering	195
Maintain existing AS numbers during an AS migration	196
Allow an AS number to appear in its own AS path	197
Enable graceful restart	198
Filter on an AS-Path attribute	200
Redistribute routes	203
Enable additional paths	204
Configure IP community lists	204
Manipulate the COMMUNITY attribute	207
Change MED attribute	210
Change LOCAL_PREFERENCE attribute	210
Change NEXT_HOP attribute	211
Change WEIGHT attribute	211
Enable multipath	212
Filter BGP routes	212
Configure BGP route reflectors	215
Aggregate routes	216
Configure BGP confederations	217
Enable route flap dampening	217
Change BGP timers	221
BGP neighbor soft-reconfiguration	221
Route map continue	223
MBGP Configuration	224
BGP Regular Expression Optimization	225
Debugging BGP	225
Storing Last and Bad PDUs	226
Capturing PDUs	227
PDU Counters	228
Sample Configurations	228
Bare Metal Provisioning 3.0 (BMP 3.0)	239
Overview	239
Prerequisites	240
Important Information	240
BMP Process Overview	240
Preparing BMP	241
DHCP Server	241
DHCP Configuration	241
DHCP Retry Mechanism	242
DHCP server IP Blacklist	242
MAC-Based IP assignment	242
File Server	243
Domain Name Server	243
Reload Modes	243
BMP Mode	244
BMP Mode Prerequisites	244
MAC-Based IP Address Assignment	244
Normal Mode	245
DHCP Configuration	245
FTOS Image Retrieval	245
Scripts	245
Pre-configuration Scripts	245
Post-configuration Scripts	246
Auto-execution Scripts	246
Process for pre-configuration scripts:	246
Configuration Tasks	247
System boot and set-up behavior in BMP Mode	248
BMP mode: Boot and Set-up Behavior	249
Reload without a DHCP Server Offer	250
Reload with a DHCP Server Offer without an FTOS Image	250
Reload with a DHCP Server Offer without a Configuration File	250
Reload with a DHCP Server Offer without a DNS Server	252
Reload with a Pre-configuration Script (BMP mode only)	252
Using the Post-Configuration Script (BMP mode only)	253
Reload using the Auto-execution Script (Normal mode only)	253
Script Examples	254
Auto-execution Script - Normal mode	254
Pre-configuration Script - BMP Mode	257
Content Addressable Memory (CAM)	259
Content Addressable Memory	259
CAM Profiles	260
Microcode	261
CAM Profiling for ACLs	262
Boot Behavior	263
Example: EF Line Card with EG Chassis Profile (Card Problem)	263
Example: EH Line Card with EG Chassis Profile (Card Problem)	264
When to Use CAM Profiling	264
Important Points to Remember	264
Select CAM Profiles	265
CAM Allocation	265
Test CAM Usage	267
View CAM Profiles	267
View CAM-ACL settings	268
View CAM Usage	270
Configure IPv4Flow Sub-partitions	270
Configure Ingress Layer 2 ACL Sub-partitions	273
Return to the Default CAM Configuration	275
CAM Optimization	275
Applications for CAM Profiling	275
LAG Hashing	275
LAG Hashing based on Bidirectional Flow	276
CAM profile for the VLAN ACL group feature	276
Troubleshoot CAM Profiling	276
CAM Profile Mismatches	276
QoS CAM Region Limitation	277
Control Plane Policing (CoPP)	279
Overview	279
Configure Control Plane Policing	280
Configure CoPP for protocols	281
Sample Config for CoPP protocol configuration	282
Configure CoPP for CPU queues	283
Sample Config for CoPP CPU queue configuration	284
Show commands	284
Z-Series Debugging and Diagnostics	287
Offline Diagnostics	287
Important Points to Remember	287
Running Offline Diagnostics	288
TRACE logs	293
Auto Save on Crash or Rollover	293
Last restart reason	294
Hardware watchdog timer	294
show hardware commands	294
Environmental monitoring	297
Recognize an over-temperature condition	297
Troubleshoot an over-temperature condition	298
Recognize an under-voltage condition	299
Troubleshoot an under-voltage condition	299
Buffer tuning	300
Deciding to tune buffers	301
Buffer tuning commands	302
Using a pre-defined buffer profile	304
Sample buffer profile configuration	304
Troubleshooting packet loss	305
Displaying Drop Counters	305
Dataplane Statistics	306
Displaying Stack Member Counters	308
Application core dumps	309
Mini core dumps	309
TCP dumps	310
Dynamic Host Configuration Protocol (DHCP)	313
Protocol Overview	313
DHCP Packet Format and Options	314
Assigning an IP Address using DHCP	315
Implementation Information	316
Configuration Tasks	316
Configure the System to be a DHCP Server	316
Configuration Tasks	317
Related Configuration Tasks	317
Configure the Server for Automatic Address Allocation	317
Create an IP Address Pool	317
Exclude Addresses from the Address Pool	318
Specify an Address Lease Time	318
Specify a Default Gateway	318
Enable DHCP Server	319
Configure a Method of Hostname Resolution	319
Address Resolution using DNS	319
Address Resolution using NetBIOS WINS	320
Create Manual Binding Entries	320
Debug DHCP server	321
DHCP Clear Commands	321
Configure the System to be a Relay Agent	321
Configure the System for User Port Stacking	323
When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when the units are connected.	323
Configure Secure DHCP	323
Option 82	323
DHCP Snooping	324
Enable DHCP snooping	325
Add a static entry in the binding table	325
Clear the binding table	325
Display the contents of the binding table	325
Drop DHCP packets on snooped VLANs only	326
Dynamic ARP Inspection	327
Bypass the ARP Inspection	329
Source Address Validation	329
IP Source Address Validation	329
DHCP MAC Source Address Validation	330
IP+MAC Source Address Validation	330
Equal Cost Multi-Path (ECMP)	333
ECMP for Flow-based Affinity	333
Configurable Hash Algorithm	333
Deterministic ECMP Next Hop	334
Configurable Hash Algorithm Seed	334
Link Bundle Monitoring	335
Managing ECMP Group Paths	336
Enabling FIPS Cryptography	337
Preparing the System	337
Enabling FIPS Mode	338
Generating Host-Keys	338
Monitoring FIPS Mode Status	339
Disabling the FIPS Mode	339
Force10 Resilient Ring Protocol (FRRP)	341
Protocol Overview	341
Ring Status	342
Ring Checking	342
Ring Failure	343
Ring Restoration	343
Multiple FRRP Rings	343
Member VLAN Spanning Two Rings Connected by One Switch	343
Important FRRP Points	344
Important FRRP Concepts	345
Implementing FRRP	346
FRRP Configuration	347
Create the FRRP group	347
Configure the Control VLAN	347
Configure and add the Member VLANs	349
Set FRRP Timers	350
Clear FRRP counters	351
Show FRRP configuration	351
Show FRRP information	351
Troubleshooting FRRP	352
Configuration Checks	352
Sample Configuration and Topology	352
GARP VLAN Registration Protocol (GVRP)	355
Protocol Overview	355
Important Points to Remember	355
Configuring GVRP	356
Related Configuration Tasks	357
Enabling GVRP Globally	357
Enabling GVRP on a Layer 2 Interface	358
Configuring GVRP Registration	358
Configuring a GARP Timer	359
Internet Group Management Protocol (IGMP)	361
IGMP Implementation Information	361
IGMP Protocol Overview	361
IGMP version 2	362
Joining a Multicast Group	362
Leaving a Multicast Group	363
IGMP version 3	363
Joining and Filtering Groups and Sources	364
Leaving and Staying in Groups	365
Configuring IGMP	366
Related Configuration Tasks	366
Viewing IGMP Enabled Interfaces	366
Selecting an IGMP Version	367
Viewing IGMP Groups	367
Adjusting Timers	368
Adjusting Query and Response Timers	368
Adjusting the IGMP Querier Timeout Value	368
Configuring a Static IGMP Group	369
Enabling IGMP Immediate-leave	369
IGMP Snooping	370
IGMP Snooping Implementation Information	370
Configuring IGMP Snooping	370
Related Configuration Tasks	370
Enabling IGMP Immediate-leave	370
Disabling Multicast Flooding	371
Specifying a Port as Connected to a Multicast Router	371
Configuring the Switch as Querier	371
Adjusting the Last Member Query Interval	372
Fast Convergence after MSTP Topology Changes	372
Designating a Multicast Router Interface	372
Interfaces	373
Basic Interface Configuration:	373
Advanced Interface Configuration:	373
Interface Types	374
View Basic Interface Information	374
Enable a Physical Interface	376
Physical Interfaces	377
Configuration Task List for Physical Interfaces	377
Overview of Layer Modes	378
Configure Layer 2 (Data Link) Mode	378
Configure Layer 3 (Network) Mode	379
Management Interfaces	380
Configure Management Interfaces on the E-Series, C-Series, S4810 and Z9000	380
Important Things to Remember — virtual-ip	382
Configure Management Interfaces on the S-Series	382
VLAN Interfaces	383
Loopback Interfaces	384
Null Interfaces	385
Port Channel Interfaces	385
Port channel definition and standards	385
Port channel benefits	385
Port channel implementation	386
10/100/1000 Mbps interfaces in port channels	387
Configuration task list for port channel interfaces	387
Create a port channel	387
Add a physical interface to a port channel	388
Reassign an interface to a new port channel	391
Configure the minimum oper up links in a port channel (LAG)	392
Add or remove a port channel from a VLAN	392
Assign an IP address to a port channel	393
Delete or disable a port channel	393
Load balancing through port channels	393
E-Series load-balancing	394
IPv4, IPv6, and non-IP traffic handling on the E-Series	395

Match case Limit results 1 per page

Security

801

Figure 39-4.

Failed Authentication

Monitor TACACS+

To view information on TACACS+ transactions, use the following command in the EXEC Privilege mode:

TACACS+ Remote Authentication and Authorization

FTOS takes the access class from the TACACS+ server. Access class is the class of service that restricts

Telnet access and packet sizes. If you have configured remote authorization, then FTOS ignores the access

class you have configured for the VTY line. FTOS instead gets this access class information from the

TACACS+ server. FTOS needs to know the username and password of the incoming user before it can

fetch the access class from the server. A user, therefore, will at least see the login prompt. If the access

class denies the connection, FTOS closes the Telnet session immediately.

Command Syntax

Command Mode

Purpose

debug tacacs+

EXEC Privilege

View TACACS+ transactions to troubleshoot

problems.

FTOS(conf)#

FTOS(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

FTOS(conf)#

FTOS(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

FTOS(conf

)#tacacs-server key angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on vty0

(10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0

( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.209)

FTOS(conf)#username angeline password angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0

(10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0

( 10.11.9.209 )

Server key purposely changed to incorrect value

User authenticated using secondary method