Home » Netgear Manuals » Hubs & Switches » Netgear CSM4532 » Manual Viewer

Netgear CSM4532 Software Administration Manual - Page 122

Controlling Management Access

Add to My Manuals
Save this manual to your list of manuals

Page 122 highlights

4. Configuring Security Features 4.1. Controlling Management Access A user can access the switch management interface only after providing a valid user name and password combination that matches the user account information stored in the user database configured on the switch. The switch supports several features to increase management security and help prevent unauthorized access to the switch configuration interfaces. 4.1.1. Using RADIUS Servers for Management Security Many networks use a RADIUS server to maintain a centralized user database that contains per-user authentication information. RADIUS servers provide a centralized authentication method for: • Telnet Access • Console to Switch Access • Access Control Port (802.1X) RADIUS access control utilizes a database of user information on a remote server. Making use of a single database of accessible information-as in an Authentication Server-can greatly simplify the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865. For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or secret. This secret is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The secret is never transmitted over the network. RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting existing functionality. As a user attempts to connect to the switch management interface, the switch first detects the contact and prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS client transports the request to a pre-configured RADIUS server. NETGEAR M4500 Series Switches Software Administration Manual 122

Section	Page
1. Supported Features on the M4500 Series Switches	12
1.1. Switching Features Introduction	12
1.1.1. VLAN Support	12
1.1.2. Double VLANs	12
1.1.3. Switching Modes	12
1.1.4. Spanning Tree Protocols (STP)	12
1.1.5. Rapid Spanning Tree	12
1.1.6. Multiple Spanning Tree	13
1.1.7. Bridge Protocol Data Unit (BPDU) Guard	13
1.1.8. Port-channel	13
1.1.9. Link Aggregate Control Protocol (LACP)	13
1.1.10. Multi Chassis Link Aggregation Group (MLAG)	13
1.1.11. Flow Control Support (IEEE 802.3x)	13
1.1.12. Asymmetric Flow Control	14
1.1.13. Alternate Store and Forward (ASF)	14
1.1.14. Jumbo Frames Support	14
1.1.15. Auto-MDI/MDIX Support	14
1.1.16. Unidirectional Link Detection (UDLD)	14
1.1.17. Expandable Port Configuration	14
1.1.18. VLAN-aware MAC-based Switching	15
1.1.19. Back Pressure Support	15
1.1.20. Auto Negotiation	15
1.1.21. Storm Control	15
1.1.22. Port Mirroring	15
1.1.23. sFlow	16
1.1.24. Static and Dynamic MAC Address Tables	16
1.1.25. Link Layer Discovery Protocol (LLDP)	16
1.1.26. Link Layer Discovery Protocol (LLDP) for Media Endpoint Device	16
1.1.27. DHCP Layer 2 Relay	16
1.1.28. MAC Multicast Support	16
1.1.29. IGMP Snooping	17
1.1.30. SDVoE	17
1.1.31. Source Specific Multicasting (SSM)	17
1.1.32. Control Packet Flooding	17
1.1.33. Flooding to mRouter Ports	17
1.1.34. IGMP Snooping Querier	17
1.1.35. Management and Control Plane ACLs	18
1.1.36. Remote Switched Port Analyzer (RSPAN)	18
1.1.37. Link Dependency	18
1.1.38. IPv6 Router Advertisement Guard	18
1.1.39. FIP Snooping	19
1.1.40. ECN Support	19
1.2. Security Features	20
1.2.1. Configurable Access and Authentication Profiles	20
1.2.2. AAA Command Authorization	20
1.2.3. Password-protected Management Access	20
1.2.4. Strong Password Enforcement	20
1.2.5. MAC-based Port Security	20
1.2.6. RADIUS Client	20
1.2.7. TACACS+ Client	20
1.2.8. Dot1x Authentication (IEEE 802.1X)	21
1.2.9. MAC Authentication Bypass	21
1.2.10. DHCP Snooping	21
1.2.11. DHCPv6 Snooping	21
1.2.12. Dynamic ARP Inspection	22
1.2.13. IP Source Address Guard	22
1.3. Quality of Service Features	22
1.3.1. Access Control Lists (ACL)	22
1.3.2. ACL Remarks	22
1.3.3. ACL Rule Priority	22
1.3.4. Differentiated Service (DIffServ)	23
1.3.5. Class of Service (CoS)	23
1.4. Management Features	23
1.4.1. Management Options	23
1.4.2. Management of Basic Network Information	23
1.4.3. File Management	23
1.4.4. Malicious Code Detection	24
1.4.5. Automatic Installation of Firmware and Configuration	24
1.4.6. Warm Reboot	24
1.4.7. SNMP Alarms and Trap Logs	24
1.4.8. Remote Monitoring (RMON)	24
1.4.9. Statistics Application	24
1.4.10. Log Messages	25
1.4.11. System Time Management	25
1.4.12. Source IP Address Configuration	25
1.4.13. Multiple Linux Routing Tables	25
1.4.14. Open Network Install Environment Support	25
1.4.15. Interface Error Disable and Auto Recovery	25
1.4.16. CLI Scheduler	26
1.5. Routing Features	26
1.5.1. IP Unnumbered	26
1.5.2. Open Shortest Path First (OSPF)	26
1.5.3. Border Gateway Protocol (BGP)	26
1.5.4. VLAN Routing	27
1.5.5. IP Configuration	27
1.5.6. Address Resolution Protocol (ARP) Table Management	28
1.5.7. BOOTP/DHCP Relay Agent	28
1.5.8. IP Helper and UDP Relay	28
1.5.9. Routing Table	28
1.5.10. Virtual Router Redundancy Protocol (VRRP)	28
1.5.11. Algorithmic Longest Prefix Match (ALPM)	28
1.5.12. Bidirectional Forwarding Detection	28
1.5.13. VRF Lite Operation and Configuration	29
1.6. Layer 3 Multicast Features	29
1.6.1. Internet Group Management Protocol	29
1.6.2. Protocol Independent Multicast	29
1.6.2.1. Spare Mode (PIM-SM)	29
1.6.2.2. Source Specific Multicast (PIM-SSM)	29
1.6.2.3. PIM IPv6 Support	29
1.6.3. MLD/MLDv2 (RFC2710/RFC3810)	30
1.7. Data Center Features	30
1.7.1. Priority-Based Flow Control	30
1.7.2. Data Center Bridging Exchange Protocol	30
1.7.3. CoS Queuing and Enhanced Transmission Selection	30
1.7.4. VXLAN Gateway	30
2. Getting Started	32
2.1. Accessing the switch Command-Line Interface	32
2.1.1. Connecting to the Switch Console	32
2.1.2. Login User ID and Password	33
2.1.3. Accessing the Switch CLI through the Network	33
2.1.4. Using the Service Port or Management VLAN Interface for Remote Management	34
2.1.4.1. Configuring Service Port Information	34
2.1.4.2. Configuring the In-Band Management Interface	34
2.1.5. DHCP Option 61	35
2.1.5.1. Configuring DHCP Option 61	35
2.2. Understanding the User Interfaces	36
2.2.1. Using the Command-Line Interface	37
2.2.2. Using SNMP	37
2.2.2.1. SNMPv3	37
2.2.2.2. SNMP Configuration example	38
3. Configuring L2 Switching Features	43
3.1. Port Configuration	43
3.1.1. 100G Port-mode Command	43
3.1.1.1. 100G Port Mode Configuration Example	43
3.2. Virtual Local Area Networks	44
3.2.1. VLAN Tagging	45
3.2.2. Double-VLAN Tagging	46
3.2.3. Default VLAN Behavior	47
3.2.4. VLAN Configuration Example	47
3.2.4.1. Configuring the VLANs and Ports on Switch 1	49
3.2.4.2. Configuring the VLANs and Ports on Switch 2	51
3.3. Switchport Modes	51
3.4. Port-channels – Operation and Configuration	53
3.4.1. Static and Dynamic Port-channel	53
3.4.2. Port-channel Hashing	54
3.4.2.1. Resilient Hashing	54
3.4.2.2. Hash Prediction with ECMP and Port-channel	55
3.4.3. Port-channel Interface Overview	55
3.4.4. Port-channel Interaction with Other Features	56
3.4.4.1. VLAN	56
3.4.4.2. STP	56
3.4.4.3. Statistics	57
3.4.5. Port-channel Configuration Guidelines	57
3.4.5.1. Port-channel Configuration Examples	57
3.4.5.2. Configuration Dynamic Port-channels	57
3.4.5.3. Configuration Static Port-channels	58
3.5. LACP Fallback Configuration	60
3.5.1. Configuring Dynamic Port-channels	60
3.5.2. Configuring Static Port-channels	61
3.6. MLAG – Operation and Configuration	62
3.6.1. Overview	62
3.6.2. Deployment Scenarios	63
3.6.2.1. Definitions	64
3.6.2.2. Configuration Consistency	65
3.6.3. MLAG Fast Failover	67
3.6.4. MLAG Configuration	67
3.7. Unidirectional Link Detection (UDLD)	70
3.7.1. UDLD Modes	71
3.7.2. UDLD and Port-channel Interfaces	71
3.7.3. Configuring UDLD	71
3.8. Port Mirroring	73
3.8.1. Configuring Port Mirroring	73
3.8.2. Configuring RSPAN	74
3.8.2.1. Configuration on the Source Switch (SW1)	74
3.8.2.2. Configuration on the Intermediate Switch (SW2)	75
3.8.2.3. Configuration on the Destination Switch (SW3)	76
3.8.3. VLAN-based Mirroring	76
3.8.4. Flow-based Mirroring	76
3.9. Spanning Tree Protocol	77
3.9.1. Classic STP, Multiple STP, and Rapid STP	77
3.9.2. STP Operation	77
3.9.3. MSTP in the Network	78
3.9.4. Optional STP Features	81
3.9.4.1. BPDU Flooding	81
3.9.4.2. Edge Port	81
3.9.4.3. Root Guard	82
3.9.4.4. Loop Guard	82
3.9.4.5. BPDU Protection	82
3.9.5. STP Configuring Examples	83
3.9.5.1. Configuring MSTP	83
3.10. IGMP Snooping	84
3.10.1. IGMP Snooping Querier	84
3.10.2. Configuring IGMP Snooping	85
3.10.3. IGMPv3/SSM Snooping	88
3.11. SDVoE	88
3.11.1. IGMP & IGMP Snooping Enhancements for IGMP V1 & V2	88
3.11.2. SDVoE Configuration Example	91
3.12. MLD Snooping	93
3.12.1. MLD Snooping Configuration Example	93
3.12.1.1. MLD Snooping Configuration Example	95
3.12.1.2. MLD Snooping Verification Example	95
3.12.2. MLD Snooping First Leave Configuration Example	96
3.12.2.1. MLD Snooping Configuration	96
3.12.3. MLD Snooping Querier Configuration Example	97
3.13. LLDP and LLDP-MED	98
3.13.1. LLDP and Data Center Application	99
3.13.2. Configuring LLDP	99
3.14. sFlow	101
3.14.1. sFlow Sampling	102
3.14.1.1. Packet Flow Sampling	102
3.14.1.2. Counter Sampling	102
3.14.2. Configuring sFlow	103
3.15. Link Dependency	104
3.16. FIP Snooping	105
3.17. ECN	109
3.17.1. Enabling ECN in Microsoft Windows	110
3.17.2. Example 1: SLA Example	110
3.17.3. Example 2: Data Center TCP (DCTCP) Configuration	113
3.18. Storm Control	114
3.18.1. Storm Control Configuration Example	114
3.19. Jumbo Frames	115
3.19.1. Jumbo Frame Configuration Example	115
3.20. Port-Backup	116
3.20.1. Port-Backup Configuration Example	116
3.21. PTP End-to-End Transparent Clock	117
3.21.1. PTP Time Stamp Operation	118
3.21.2. PTP Transparent Clocks	119
3.21.3. Manage the PTP End-to-End Transparent Clock	119
3.21.3.1. Globally Disable PTP End-to-End Transparent Clock	119
3.21.3.2. Disable PTP End-to-End Transparent Clock for an Interface	120
3.21.4. Globally Reenable PTP End-to-End Transparent Clock	120
3.21.5. Reenable PTP End-to-End Transparent Clock for an Interface	120
3.21.6. Display the PTP End-to-End Transparent Clock Status	120
4. Configuring Security Features	122
4.1. Controlling Management Access	122
4.1.1. Using RADIUS Servers for Management Security	122
4.1.2. Using TACACS+ to Control Management Access	123
4.1.3. Configuring and Applying Authentication Profiles	124
4.1.3.1. Configuring Authentication Profiles for Post-based Authentication	125
4.1.4. Configuring the Primary and Secondary RADIUS Servers	126
4.1.5. Configuring an Authentication Profile	126
4.2. Configuring DHCP Snooping, DAI, and IPSG	128
4.2.1. DHCP Snooping Overview	128
4.2.1.1. Populating the DHCP Snooping Bindings Database	129
4.2.1.2. DHCP Snooping and VLANs	129
4.2.1.3. DHCP Snooping Logging and Rate Limits	130
4.2.2. IP Source Guard Overview	130
4.2.2.1. IPSG and Port Security	130
4.2.3. Dynamic ARP Inspection Overview	131
4.2.3.1. Optional DAI Features	131
4.2.4. Increasing Security with DHCP Snooping, DAI, and IPSG	131
4.2.5. Configuring DHCP Snooping	132
4.2.6. Configuring IPSG	133
4.3. Configuring DHCPv6 Snooping	134
4.3.1. DHCPv6 Snooping Configuration Example	134
4.4. ACLs	136
4.4.1. MAC ACLs	137
4.4.2. IP ACLs	137
4.4.3. ACL Redirect Function	138
4.4.4. ACL Mirror Function	138
4.4.5. ACL Logging	138
4.4.6. Time-based ACLs	138
4.4.7. ACL Rule Remarks	139
4.4.8. ACL Rule Priority	139
4.4.9. ACL Limitations	140
4.4.10. ACL Configuration Process	140
4.4.11. Preventing False ACL Matches	140
4.4.12. IPv6 ACL Qualifies	141
4.4.13. ACL Configuration Examples	142
4.4.13.1. Configuring an IP ACL	142
4.4.13.2. Configuring a MAC ACL	143
4.4.13.3. Configuring a Time-based ACL	145
4.5. Control Plane Policing (CoPP)	146
4.5.1. CoPP Configuration Examples	146
5. Configuring Quality of Service	149
5.1. CoS	149
5.1.1. Trusted and Untrusted Port Modes	149
5.1.2. Traffic Shaping on Egress Traffic	149
5.1.3. Defining Traffic Queues	150
5.1.3.1. Supported Queue Management Methods	150
5.1.3.2. CoS Configuration Example	150
5.2. DiffServ	152
5.2.1. DiffServ Functionality and Switch Roles	153
5.2.2. Elements of DiffServ Configuration	153
5.2.3. Configuration DiffServ to Provide Subnets Equal Access to External Network	154
6. Configuring Switch Management Features	156
6.1. Managing Images and Files	156
6.1.1. Supported File Management Methods	157
6.1.2. Uploading and Downloading Files	157
6.1.3. Managing Configuration Files	157
6.1.3.1. Editing and Downloading Configuration Files	158
6.1.3.2. Creating and Applying Configuration Scripts	158
6.1.3.3. Non-Disruptive Configuration Management	159
6.1.4. Saving the Running Configuration	159
6.1.5. File and Image Management Configuration Examples	159
6.1.5.1. Upgrading the Firmware	159
6.1.5.2. Managing Configuration Scripts	160
6.2. Enabling Automatic System Configuration	163
6.2.1. DHCP Auto Install Process	163
6.2.1.1. Obtaining IP address Information	163
6.2.1.2. Obtaining Other Dynamic Information	163
6.2.1.3. Obtaining the Configuration File	164
6.2.2. Monitoring and Completing the DHCP Auto Install Process	164
6.2.2.1. Saving a Configuration	164
6.2.2.2. Stopping and Restarting the Auto Install Process	164
6.2.2.3. Managing Downloaded Configuration Files	164
6.2.3. DHCP Auto Install Dependencies	165
6.2.4. Default Auto Install Values	165
6.2.5. Enabling DHCP Auto Install	165
6.3. Configuring System Log Example	166
6.3.1. Example 1 to Add Syslog Host	166
6.3.2. Example 2 to Verify Syslog Host Configuration	166
6.4. Configuring CLI Scheduler (Kron)	169
6.4.1. CLI Scheduler Policy Lists	169
6.4.2. CLI Scheduler Occurrences	170
6.4.3. Configuration Example	170
7. Configuring Routing	171
7.1. Basic Routing and Features	171
7.1.1. VLAN Routing	171
7.1.1.1. When to Configure VLAN Routing	172
7.1.2. IP Routing Configuration Example	172
7.1.2.1. Configuring Switch A	173
7.1.2.2. Configuring Switch B	174
7.1.3. IP Unnumbered Configuration Example	175
7.2. OSPF	177
7.2.1. Configuring an OSPF Border Router and Setting Interface Costs	178
7.3. VRRP	180
7.3.1. VRRP Operation in the Network	180
7.3.1.1. VRRP Router Priority	180
7.3.1.2. VRRP Preemption	181
7.3.1.3. VRRP Accept Mode	181
7.3.1.4. VRRP Route and Interface Tracking	181
7.3.2. VRRP Configuration Example	182
7.3.2.1. VRRP with Load Sharing	182
7.3.2.2. VRRP with Route and Interface Tracking	184
7.4. IP Helper	187
7.4.1. Relay Agent Configuration Example	189
7.5. Border Gateway Patrol (BGP)	191
7.5.1. BGP Topology	192
7.5.1.1. External BGP Peering	192
7.5.1.2. Internal BGP Peering	192
7.5.1.3. Advertising Network Layer Reachability Information	193
7.5.2. BGP Behavior	193
7.5.2.1. BGP Route Selection	194
7.5.3. BGP Configuration Example	194
7.5.3.1. Configuring BGP on Router 9	195
7.5.3.2. Configuring BGP on Router 3	198
7.6. IPv6 Routing	199
7.6.1. How Does IPv6 Compare with IPv6	199
7.6.2. How are IPv6 Interface Configured	200
7.6.3. Default IPv6 Routing Values	200
7.6.4. Configuring IPv6 Routing Features	201
7.6.4.1. Configuring Global IP Routing Settings	201
7.6.4.2. Configuring IPv6 Interface Settings	202
7.6.4.3. Configuring IPv6 Neighbor Discovery	202
7.6.4.4. Configuring IPv6 Route Table Entries and Route Preferences	204
7.6.4.5. IPv6 Show Commands	205
7.7. ECMP Hash Selection	205
7.8. Bidirectional Forwarding Detection	206
7.8.1. Configuring BFD	206
7.9. VRF Lite Operation and Configuration	207
7.9.1. Route Leaking	208
7.9.2. Adding Leaked Routes	208
7.9.3. Using Leaked Routes	208
7.9.4. CPU-Originated Traffic	208
7.9.5. VRF Features Support	209
7.9.6. VRF Lite Development Scenarios	211
7.9.7. VRF Configuration Example	213
8. Configuring Multicast Routing	215
8.1. L3 Multicast Overview	215
8.1.1. IP Multicast Traffic	215
8.1.2. Multicast Protocol Switch Support	215
8.1.3. Multicast Protocol Roles	216
8.1.4. Multicast Switch Requirements	216
8.1.5. Determining which Multicast Protocols to Enable	216
8.1.6. Multicast Routing Tables	216
8.1.7. Multicast Tunneling	216
8.1.8. IGMP	217
8.1.8.1. IGMP Proxy	217
8.1.9. MLD Protocol	217
8.1.9.1. Join Mechanism	218
8.1.9.2. Leave Mechanism	218
8.1.10. PIM Protocol	218
8.1.10.1. Using PIM-SM as the Multicast Routing Protocol	218
8.2. Default L3 Multicast Values	219
8.3. L3 Multicast Configuration Examples	221
8.3.1. Configuring Multicast VLAN Routing with IGMP and PIM-SM	221
8.3.2. Example 1: MLDv1 Configuration	223
8.3.3. Example 2: MLDv2 Configuration	224
8.3.4. Example 3: MLD Configuration Verification	225
9. Configuring Data Center Features	226
9.1. Data Center Technology Overview	226
9.2. Priority-based Flow Control	226
9.2.1. PFC Operation and Behavior	227
9.2.2. Configuring PFC	227
9.3. Data Center Bridging Exchange Protocol	228
9.3.1. Interoperability with IEEE DCBX	229
9.3.2. DCBX and Port Roles	229
9.3.3. Configuration Source Port Selection Process	230
9.3.4. Configuring DCBX	231
9.4. CoS Queuing	232
9.4.1. CoS Queuing Function and Behavior	233
9.4.1.1. Trusted Port Queue Mappings	233
9.4.1.2. Un-trusted Port Default Priority	234
9.4.1.3. Queue Configuration	234
9.4.1.4. Traffic Class Groups	234
9.4.2. Configuring CoS Queuing and ETS	235
9.5. Enhanced Transmission Selection	237
9.5.1. ETS Operation and Dependencies	237
9.6. VXLAN Gateway Operation and Configuration	238
9.6.1. Overview	238
9.6.1.1. VXLAN	238
9.6.2. Functional Description	239
9.6.2.1. VTEP to VN Association	239
9.6.2.2. Configuration of Remote VTEPs	240
9.6.2.3. VTEP Next-hop Resolution	240
9.6.2.4. VXLAN UDP Destination Port	241
9.6.2.5. Tunnels	241
9.6.2.6. MAC Learning and Aging	242
9.6.2.7. Host Configuration	242
9.6.2.8. ECMP	243
9.6.2.9. MTU	243
9.6.2.10. TTL and DSCP/TOS	243
9.6.2.11. Packet Forwarding	243
9.6.3. VXLAN Configuration Examples	244
9.6.3.1. Unicast VXLAN Configuration	245

Match case Limit results 1 per page

NETGEAR M4500 Series Switches Software Administration Manual

122

Configuring Security Features

4.1.

Controlling Management Access

A user can access the switch management interface only after providing a valid user name and password

combination that matches the user account information stored in the user database configured on the

switch.

The switch supports several features to increase management security and help prevent unauthorized access

to the switch configuration interfaces.

4.1.1.

Using RADIUS Servers for Management Security

Many networks use a RADIUS server to maintain a centralized user database that contains per-user

authentication information. RADIUS servers provide a centralized authentication method for:

•

Telnet Access

•

Console to Switch Access

•

Access Control Port (802.1X)

RADIUS access control utilizes a database of user information on a remote server. Making use of a single

database of accessible information—as in an Authentication Server—can greatly simplify the authentication

and management of users in a large network. One such type of Authentication Server supports the Remote

Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.

For authenticating users prior to access, the RADIUS standard has become the protocol of choice by

administrators of large accessible networks. To accomplish the authentication in a secure manner, the

RADIUS client and RADIUS server must both be configured with the same shared password or secret. This

secret is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The

secret is never transmitted over the network.

RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is

extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is

also extensible, allowing for new methods of authentication to be added without disrupting existing

functionality.

As a user attempts to connect to the switch management interface, the switch first detects the contact and

prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS

client transports the request to a pre-configured RADIUS server.