Dell PowerSwitch S5212F-ON SmartFabric OS10 Security Best Practices Guide July - Page 11

Management plane, Role-based access control


• To display which MAC address causes a violation, use the log option. The system also drops the packet.
  OS10(config-if-port-sec)#mac-move violation log
• To drop the packet when a MAC address movement violation occurs, use the drop option.
  OS10(config-if-port-sec)#mac-move violation drop
• To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
  OS10(config-if-port-sec)#mac-move violation shutdown-original
• To shut down the interface that detected a MAC address that is already learned by another interface, use the shutdown-offending option.
  OS10(config-if-port-sec)#mac-move violation shutdown-offending
• To shut down both original and offending interfaces, use the shutdown-both option.
  OS10(config-if-port-sec)#mac-move violation shutdown-both
Management plane
These settings apply to the services, settings, and configuration of OS10.
Role-based access control
Role-based access control (RBAC) provides control for access and authorization. Users are granted permissions based on defined roles.
Create user roles based on job functions to allow users appropriate system access. A user can be assigned only a single role, and many
users can have the same role. A user role authenticates and authorizes a user at login.
Enable AAA login authentication
Rationale: Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. AAA is a centralized means of access control for users who want to access the system.
Configuration:
OS10(config)# aaa authentication login {console | default} local
OS10(config)# exit
OS10# write memory
• console—Configure authentication methods for console logins.
• default—Configure authentication methods for SSH and Telnet logins.
• local—Use the local username, password, and role entries configured with the username password role command.
Enable AAA login authentication with a fallback option
Rationale: Configuring AAA authentication with a fallback option provides resiliency during authentication. If one method fails, the system uses the other method of authentication.
Configuration:
OS10(config)# aaa authentication login {console | default} {local | group radius | group tacacs+}
OS10(config)# exit
OS10# write memory
• console—Configure authentication methods for console logins.
• default—Configure authentication methods for SSH and Telnet logins.
• local—Use the local username, password, and role entries configured with the username password role command.
• group radius—Use the RADIUS servers configured with the radius-server host command.
• group tacacs+—Use the TACACS+ servers configured with the tacacs-server host command.
The authentication methods in the method list work in the order they are configured.
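As an added example (not Dell code and not from this guide), the script below audits a running-configuration excerpt for the two controls discussed on this page: that every interface with port security enabled has a mac-move violation action, and that each AAA login method list (console and default) is present, uses only the methods listed above, and has a fallback method. The configuration text is a constructed sample; the assumption that OS10 prints port-security as an interface sub-mode with mac-move violation beneath it, and that the AAA line appears as aaa authentication login <list> <methods>, is taken from the command prompts and syntax shown on this page, not from a real device.

```python
"""Audit an OS10-style running config for mac-move violation actions and
AAA login method lists. Added example; syntax assumptions are noted inline."""
import re

# Constructed sample (assumption: OS10 shows port-security as an interface
# sub-mode and AAA login lists in the form used by the commands on this page).
SAMPLE_CONFIG = """\
!
interface ethernet1/1/1
 no shutdown
 switchport mode access
 port-security
  mac-move violation log
!
interface ethernet1/1/2
 no shutdown
 port-security
  mac-move violation shutdown-offending
!
interface ethernet1/1/3
 no shutdown
 port-security
!
aaa authentication login console local
aaa authentication login default group tacacs+ local
!
"""

# Valid values taken from the page.
MAC_MOVE_ACTIONS = {"log", "drop", "shutdown-original",
                    "shutdown-offending", "shutdown-both"}
AAA_METHODS = {"local", "group radius", "group tacacs+"}
AAA_RE = re.compile(r"^aaa authentication login (console|default)\s+(.+)$")


def parse_port_security(config):
    """Map each interface that enables port-security to its mac-move
    violation action, or None when no action is configured."""
    result = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!" or not line:
            current = None           # end of the interface block
        elif current and line == "port-security":
            result[current] = None   # enabled, action not yet seen
        elif current and line.startswith("mac-move violation "):
            result[current] = line.split()[-1]
    return result


def parse_aaa_login(config):
    """Return {list_name: [methods in configured order]}; 'group X' is
    kept as one token so order and membership can be checked."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def audit(config):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    for intf, action in sorted(parse_port_security(config).items()):
        if action is None:
            findings.append(f"{intf}: port-security enabled but no "
                            "mac-move violation action configured")
        elif action not in MAC_MOVE_ACTIONS:
            findings.append(f"{intf}: unknown mac-move violation action "
                            f"'{action}'")
    aaa = parse_aaa_login(config)
    for name in ("console", "default"):
        methods = aaa.get(name)
        if not methods:
            findings.append(f"aaa login {name}: no method list configured")
            continue
        unknown = [m for m in methods if m not in AAA_METHODS]
        if unknown:
            findings.append(f"aaa login {name}: unknown method(s) {unknown}")
        if len(methods) < 2:
            # Page recommends a fallback so one failing method does not
            # block all logins; a single method is reported for review.
            findings.append(f"aaa login {name}: single method "
                            f"'{methods[0]}', no fallback configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports two findings: ethernet1/1/3 enables port security without choosing a violation action, and the console list has only the local method and therefore no fallback. Feed it the output of a show running-configuration captured from a switch to check a real device against the same two recommendations.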