Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.3.0 - Page 788

Assign user role, Bootloader Protection

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 788 highlights

OS10 supports four pre-defined roles: sysadmin, secadmin, netadmin, and netoperator. Each user role assigns permissions that determine the commands a user can enter, and the actions a user can perform. RBAC provides an easy and efficient way to administer user rights. If a user's role matches one of the allowed user roles for a command, command authorization is granted. The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role's permissions to allow you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs. Assign user role To limit OS10 system access, assign a role when you configure each user. • Enter a user name, password, and role in CONFIGURATION mode. username username password password role role - username username - Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum. - password password - Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum. - role role - Enter a user role: ◦ sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ◦ secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. ◦ netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information. ◦ netoperator - Access to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch. Create user and assign role OS10(config)# username smith password silver403! role sysadmin View users OS10# show users Index Line User 1 ttyS root 2 pts/0 admin Role Application Idle root -bash >24h sysadmin bash 1.1s Bootloader Protection Login-Time 2018-05-23 T23:05:03Z 2018-05-30 T20:04:27Z Location console 10.14.1.214[ssh] Protecting the bootloader via a GRUB password is essential to prevent unauthorised users with malicious intent from accessing your switch. OS10 provides a set of three commands which allow you to enable, disable or view bootloader protection information. This feature is available only for the sysadmin and secadmin roles. WARNING: When you enable this feature ensure to keep a copy of a configured username and password, as you cannot recover the switch without the configured credentials. • To enable bootloader protection, use the boot protect enable username username password password command. This command allows you to setup a username and password for bootloader protection. You can configure a maximum of three users per console. boot protect enable username password OS10# boot protect enable username root password calvin 788 Security

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.3.0	3
Getting Started	29
Supported Hardware	29
Download OS10 image and license	30
Installation using ONIE	31
Automatic installation	32
Manual installation	33
Log into OS10	34
Install OS10 license	35
Zero-touch deployment	37
ZTD DHCP server configuration	39
ZTD provisioning script	39
ZTD CLI batch file	40
Post-ZTD script	41
ZTD commands	41
Remote access	42
Configure Management IP address	43
Management Route Configuration	43
Configure user name and password	44
CLI Basics	44
User accounts	44
Key CLI features	45
CLI command modes	45
CLI command hierarchy	46
CLI command categories	46
CONFIGURATION Mode	46
Command help	46
Check device status	48
Candidate configuration	50
Change to transaction-based configuration mode	54
Copy running configuration	55
Restore startup configuration	55
Reload system image	56
Filter show commands	56
Alias command	56
Batch mode	60
Linux shell commands	61
SSH commands	61
OS9 environment commands	62
Common commands	62
alias	62
alias (multi-line)	64
batch	64
boot	65
commit	65
configure	65
copy	66
default (alias)	67
delete	67
description (alias)	68
dir	69
discard	69
do	70
feature config-os9-style	70
exit	70
hostname	71
license	71
line (alias)	72
lock	72
management route	72
move	73
no	74
reload	74
show alias	74
show boot	75
show candidate-configuration	76
show environment	78
show inventory	79
show ip management-route	79
show ipv6 management-route	80
show license status	80
show running-configuration	81
show startup-configuration	83
show system	84
show version	86
start	87
system	87
system-cli disable	87
system identifier	88
terminal	88
traceroute	88
unlock	90
write	90
System management	91
OS10 upgrade	91
Boot system partition	92
Upgrade commands	93
System banners	97
Login banner	97
MOTD banner	97
System banner commands	98
User session management	99
User session management commands	99
Telnet server	101
Telnet commands	101
Simple Network Management Protocol	102
MIBs	102
SNMP security models and levels	103
SNMPv3	104
SNMP engine ID	104
SNMP groups and users	104
SNMP views	104
Configure SNMP	104
SNMP commands	107
System clock	117
System Clock commands	117
Network Time Protocol	119
Enable NTP	120
Broadcasts	120
Source IP address	121
Authentication	121
Sample NTP configuration	122
NTP commands	125
Dynamic Host Configuration Protocol	130
Packet format and options	130
DHCP server	131
Automatic address allocation	132
Hostname resolution	133
Manual binding entries	134
Configuring a DHCP client on a non-default VRF instance	135
DHCP relay agent	136
View DHCP Information	137
System domain name and list	137
DHCP commands	138
DNS commands	144
IPv4 DHCP limitations	146
Interfaces	148
Ethernet interfaces	148
Unified port groups	148
Z9264F-ON port-group profiles	149
L2 mode configuration	151
L3 mode configuration	151
Fibre Channel interfaces	152
Management interface	153
VLAN interfaces	154
User-configured default VLAN	154
VLAN scale profile	155
Loopback interfaces	155
Port-channel interfaces	156
Create port-channel	156
Add port member	156
Minimum links	157
Assign Port Channel IP Address	157
Remove or disable port-channel	158
Load balance traffic	158
Change hash algorithm	159
Configure interface ranges	159
Switch-port profiles	160
S4148-ON Series port profiles	161
S4148U-ON port profiles	161
Configure breakout mode	163
Breakout auto-configuration	163
Forward error correction	164
Energy-efficient Ethernet	165
Enable energy-efficient Ethernet	165
Clear EEE counters	166
View EEE status/statistics	166
EEE commands	167
View interface configuration	170
Digital optical monitoring	173
Enable DOM and DOM traps	174
Interface commands	175
channel-group	175
default vlan-id	175
description (Interface)	176
duplex	176
enable dom	177
enable dom traps	177
feature auto-breakout	178
fec	178
interface breakout	179
interface ethernet	179
interface loopback	179
interface mgmt	180
interface null	180
interface port-channel	181
interface range	181
interface vlan	182
link-bundle-utilization	182
mode	182
mode l3	183
mtu	184
port mode Eth	184
port-group	185
profile	185
scale-profile vlan	186
show interface	186
show inventory media	188
show link-bundle-utilization	188
show port-channel summary	189
show port-group	190
show switch-port-profile	191
show system	191
show vlan	192
shutdown	192
speed (Fibre Channel)	193
speed (Management)	193
switch-port-profile	194
switchport access vlan	196
switchport mode	196
switchport trunk allowed vlan	197
Fibre Channel	198
Terminology	199
Virtual fabric	199
Fibre Channel zoning	202
F_Port on Ethernet	203
Pinning FCoE traffic to a specific port of a port-channel	204
Sample FSB configuration on VLT network	206
Sample FC Switch configuration on VLT network	208
Sample FSB configuration on non-VLT network	209
Sample FC Switch configuration on non-VLT network	211
Multi-hop FIP-snooping bridge	212
Configuration notes	213
Configure multi-hop FSB	213
Verify multi-hop FSB configuration	218
Sample Multi-hop FSB configuration	219
Configuration guidelines	232
F_Port commands	232
fc alias	232
fc zone	232
fc zoneset	233
feature fc	233
member (alias)	233
member (zone)	234
member (zoneset)	234
show fc alias	235
show fc interface-area-id mapping	235
show fc ns switch	235
show fc zone	236
show fc zoneset	237
zone default-zone permit	238
zoneset activate	238
NPG commands	239
fc port-mode F	239
feature fc npg	239
show npg devices	239
F_Port and NPG commands	240
clear fc statistics	240
fcoe	241
name	241
show fc statistics	242
show fc switch	242
show running-config vfabric	243
show vfabric	243
vfabric	244
vfabric (interface)	244
vlan	244
FIP-snooping commands	245
feature fip-snooping	245
fip-snooping enable	245
fip-snooping fc-map	246
fip-snooping port-mode	246
FCoE commands	247
clear fcoe database	247
clear fcoe statistics	247
fcoe-pinned-port	248
fcoe max-sessions-per-enodemac	248
fcoe priority-bits	248
lldp tlv-select dcbxp-appln fcoe	249
show fcoe enode	249
show fcoe fcf	250
show fcoe pinned-port	250
show fcoe sessions	251
show fcoe statistics	251
show fcoe system	252
show fcoe vlan	252
Layer 2	253
802.1X	253
Port authentication	254
EAP over RADIUS	255
Configure 802.1X	255
Enable 802.1X	256
Identity retransmissions	257
Failure quiet period	258
Port control mode	258
Reauthenticate port	259
Configure timeouts	260
802.1X commands	261
Far-end failure detection	265
Enable FEFD globally	267
Enable FEFD on interface	268
Reset FEFD err-disabled interface	268
Display FEFD information	268
FEFD Commands	269
Link Aggregation Control Protocol	272
Modes	272
Configuration	273
Interfaces	273
Rates	274
Sample configuration	274
LACP fallback	278
LACP commands	280
Link Layer Discovery Protocol	287
Protocol data units	288
Optional TLVs	289
Organizationally-specific TLVs	289
Media endpoint discovery	292
Network connectivity device	292
LLDP-MED capabilities TLV	293
Network policies TLVs	294
Define network policies	294
Packet timer values	295
Disable and re-enable LLDP	295
Disable and re-enable LLDP on management ports	296
Advertise TLVs	297
Network policy advertisement	297
Fast start repeat count	298
View LLDP configuration	298
Adjacent agent advertisements	299
Time to live	300
LLDP commands	301
Media Access Control	312
Static MAC Address	313
MAC Address Table	313
Clear MAC Address Table	313
MAC Commands	314
Multiple Spanning-Tree	316
Configure MSTP	317
Create instances	318
Root selection	319
Non-Dell EMC hardware	320
Region name or revision	320
Modify parameters	320
Interface parameters	321
EdgePort Forward traffic	322
Spanning-tree extensions	322
Recover BPDU guard error disabled ports	324
Setting spanning-tree link type for rapid state transitions	325
MAC flush optimization	325
MST commands	327
Rapid per-VLAN spanning-tree plus	339
Load balance and root selection	340
Enable RPVST+	340
Select root bridge	341
Root assignment	342
Loop guard	343
Global parameters	343
Setting spanning-tree link type for rapid state transitions	344
MAC flush optimization	344
RPVST+ commands	344
Rapid Spanning-Tree Protocol	353
Enable globally	353
Global parameters	355
Interface parameters	356
Root bridge selection	357
EdgePort forward traffic	357
Spanning-tree extensions	358
Setting spanning-tree link type for rapid state transitions	359
MAC flush optimization	360
RSTP commands	360
Virtual LANs	367
Default VLAN	367
Create or remove VLANs	368
Access mode	369
Trunk mode	370
Assign IP address	370
View VLAN configuration	371
VLAN commands	373
Port monitoring	374
Local port monitoring	374
Remote port monitoring	375
Encapsulated remote port monitoring	377
Flow-based monitoring	378
Remote port monitoring on VLT	379
Port monitoring commands	381
Layer 3	386
Virtual routing and forwarding	386
Configure management VRF	386
Configure non-default VRF instances	388
VRF configuration	391
View VRF instance information	395
Static route leaking	396
VRF commands	399
Bidirectional Forwarding Detection	407
BFD session states	408
BFD three-way handshake	409
BFD configuration	410
Configure BFD globally	410
BFD for BGP	411
BFD for OSPF	415
BFD for Static route	420
BFD commands	422
Border Gateway Protocol	429
Sessions and peers	430
Route reflectors	430
Multiprotocol BGP	431
Attributes	431
Selection criteria	432
Weight and local preference	433
Multiexit discriminators	433
Origin	434
AS path and next-hop	434
Best path selection	434
More path support	435
Advertise cost	436
4-Byte AS numbers	436
AS number migration	436
Configure Border Gateway Protocol	437
Enable BGP	438
Configure Dual Stack	440
Configure administrative distance	440
Peer templates	441
Neighbor fall-over	445
Configure password	446
Fast external fallover	448
Passive peering	449
Local AS	450
AS number limit	451
Redistribute routes	452
Additional paths	452
MED attributes	452
Local preference attribute	453
Weight attribute	454
Enable multipath	454
Route-map filters	454
Route reflector clusters	455
Aggregate routes	456
Confederations	456
Route dampening	457
Timers	458
Neighbor soft-reconfiguration	459
BGP commands	459
Equal cost multi-path	493
Load balancing	493
Maximum ECMP groups and paths	497
ECMP commands	497
IPv4 routing	502
Assign interface IP address	502
Configure static routing	503
Address Resolution Protocol	504
IPv4 routing commands	504
IPv6 routing	509
Enable or disable IPv6	509
IPv6 addresses	510
Stateless autoconfiguration	512
Neighbor Discovery	512
Duplicate address discovery	514
Static IPv6 routing	514
IPv6 destination unreachable	515
IPv6 hop-by-hop options	515
View IPv6 information	515
IPv6 commands	516
Open shortest path first	528
Autonomous system areas	528
Areas, networks, and neighbors	529
Router types	529
Designated and backup designated routers	530
Link-state advertisements	531
Router priority	532
Shortest path first throttling	532
OSPFv2	534
OSPFv3	567
Object tracking manager	587
Interface tracking	588
Host tracking	589
Set tracking delays	590
Object tracking	590
View tracked objects	590
OTM commands	591
Policy-based routing	594
Policy-based route-maps	594
Access-list to match route-map	594
Set address to match route-map	594
Assign route-map to interface	595
View PBR information	595
Policy-based routing per VRF	596
Configuring PBR per VRF	596
Sample configuration	597
Track route reachability	597
Use PBR to permit and block specific traffic	598
View PBR configuration	599
PBR commands	599
Virtual Router Redundancy Protocol	603
Configuration	603
Create virtual router	604
Group version	604
Virtual IP addresses	605
Configure virtual IP address	605
Configure virtual IP address in a VRF	606
Set group priority	607
Authentication	608
Disable preempt	608
Advertisement interval	609
Interface/object tracking	610
Configure tracking	610
VRRP commands	611
Multicast	617
Important notes	617
Configure multicast routing	617
Unknown multicast flood control	618
Enable multicast flood control	619
Multicast Commands	619
multicast snooping flood-restrict	619
Internet Group Management Protocol	620
Standards compliance	620
Important notes	621
Supported IGMP versions	621
Query interval	621
Last member query interval	621
Maximum response time	621

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101
1,102
1,103
1,104
1,105
1,106
1,107
1,108
1,109
1,110
1,111
1,112
1,113
1,114
1,115
1,116
1,117
1,118
1,119
1,120
1,121
1,122
1,123
1,124
1,125
1,126
1,127
1,128
1,129
1,130
1,131
1,132
1,133
1,134
1,135
1,136
1,137
1,138
1,139
1,140
1,141
1,142
1,143
1,144
1,145
1,146
1,147
1,148
1,149
1,150
1,151
1,152
1,153
1,154
1,155
1,156
1,157
1,158
1,159
1,160
1,161
1,162
1,163
1,164
1,165
1,166
1,167
1,168
1,169
1,170
1,171
1,172
1,173
1,174
1,175
1,176
1,177
1,178
1,179
1,180
1,181
1,182
1,183
1,184
1,185
1,186
1,187
1,188
1,189
1,190
1,191
1,192
1,193
1,194
1,195
1,196
1,197
1,198
1,199
1,200
1,201
1,202
1,203

Match case Limit results 1 per page

OS10 supports four

pre-deﬁned

roles: sysadmin, secadmin, netadmin, and netoperator. Each user role assigns permissions that determine

the commands a user can enter, and the actions a user can perform. RBAC provides an easy and

eﬃcient

way to administer user rights. If a

user’s role matches one of the allowed user roles for a command, command authorization is granted.

The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role’s permissions to allow

you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs.

Assign user role

To limit OS10 system access, assign a role when you

conﬁgure

each user.

•

Enter a user name, password, and role in CONFIGURATION mode.

username

password

role

–

username

— Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum.

–

password

— Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum.

–

role

— Enter a user role:

◦

sysadmin

— Full access to all commands in the system, exclusive access to commands that manipulate the

ﬁle

system, and

access to the system shell. A system administrator can create user IDs and user roles.

◦

secadmin

— Full access to

conﬁguration

commands that set security policy and system access, such as password strength,

AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic

keys, login statistics, and log information.

◦

netadmin

— Full access to

conﬁguration

commands that manage

traﬃc

ﬂowing

through the switch, such as routes,

interfaces, and ACLs. A network administrator cannot access

conﬁguration

commands for security features or view security

information.

◦

netoperator

— Access to EXEC mode to view the current

conﬁguration.

A network operator cannot modify any

conﬁguration

setting on a switch.

Create user and assign role

OS10(config)# username smith password silver403! role sysadmin

View users

OS10# show users

Index Line

User

Role

Application Idle

Location

----- ----

------

----------- ----

---------------------

-------------

ttyS

root

-bash

>24h

2018-05-23 T23:05:03Z

console

pts/0 admin

sysadmin bash

1.1s

2018-05-30 T20:04:27Z

10.14.1.214[ssh]

Bootloader Protection

Protecting the bootloader via a GRUB password is essential to prevent unauthorised users with malicious intent from accessing your

switch. OS10 provides a set of three commands which allow you to enable, disable or view bootloader protection information.

This feature is available only for the

sysadmin

and

secadmin

roles.

WARNING:

When you enable this feature ensure to keep a copy of a

conﬁgured

username and password, as you cannot recover

the switch without the

conﬁgured

credentials.

•

To enable bootloader protection, use the

boot protect enable username

username

password

command.

This command allows you to setup a username and password for bootloader protection. You can

conﬁgure

a maximum of three users

per console.

boot protect enable username password

OS10# boot protect enable username root password calvin

788

Security