
Avaya Business Policy Switch 2000 Software Version 1.1 Release Notes


Contents

1. LastEapolFrameSource: The source MAC address carried in the most recently received EAPOL frame.

The EAPOL Stats tab shows EAPOL statistics for graphing ports.

To open the EAPOL Stats tab for graphing:

1. Select the port or ports you want to graph (Ctrl+left-click the ports that you want to configure). A yellow outline appears around the selected ports.
   Do one of the following:
   - From the Device Manager main menu, choose Graph > Port.
   - From the shortcut menu, choose Graph.
   - On the toolbar, click Graph.
   The graphPort dialog box for a single port or for multiple ports opens with the Interface tab displayed.
   Click the EAPOL Stats tab. The EAPOL Stats tab for graphing ports opens (Figure 10).

210676-C 33

Figure 10: EAPOL Stats tab for graphing ports
[Screen capture: graphPort dialog with tabs Interface, Ethernet Errors, Bridge, Rmon, EAPOL Stats and EAPOL Diag; the EAPOL Stats tab lists the counters EapolStartFramesRx, EapolLogoffFramesRx, EapolRespIdFramesRx, EapolRespFramesRx, EapolReqIdFramesTx, EapolReqFramesTx, InvalidEapolFramesRx and EapLengthErrorFramesRx in the columns AbsoluteValue, Cumulative, Average/sec, Minimum/sec, Maximum/sec and LastVal/sec; Close and Help buttons; Poll interval 10s.]

Table 6 describes the EAPOL Stats tab fields for graphing ports.

Table 6
2. When the Authentication server returns a success or failure message, the controlled port's state is changed accordingly. If the authorization is successful, the controlled port's operational state is set to Forwarding. Otherwise, the controlled port's state depends on the Operational Traffic Control field value in the EAPOL Security Configuration screen.

The Operational Traffic Control field can have one of the following two values:
- Incoming and Outgoing: If the controlled port is unauthorized, frames are not transmitted through the port; all frames received on the controlled port are discarded. The controlled port's state is set to Blocking.
- Incoming: If the controlled port is unauthorized, frames received on the port are discarded, but the transmit frames are forwarded through the port.

EAPOL dynamic VLAN assignment

If EAPOL-based security is enabled on a port and then the port is authorized, the EAPOL feature dynamically changes the port's VLAN configuration according to preconfigured values and assigns a new VLAN. The new VLAN configuration values are applied according to previously stored parameters based on the user_id in the Authentication server. The following VLAN configuration values are affected:
- Port Membership
- PVID
- Port Priority

When the EAPOL-based security is disabled on a port that was previously authorized, the port's VLAN configuration values are restor
3. Copyright 2000 Nortel Networks, Inc. All rights reserved.

Additional Java security

When you choose Summary > Switch View from the Main Menu, a Java Security window opens (Figure 26).

Figure 26: Java Security window
[Screen capture: a Java Security dialog stating that JavaScript or a Java applet from Rapid Logic, Inc. is requesting additional privileges and that granting them is high risk, with a Remember this decision check box, a Certificate button and a Grant button.]

Click Grant to open the Switch View page. To avoid having the Java Security window open again within a session, click the Remember this decision box. However, when you reset the switch, the Java Security window opens.

MAC address-based security

BPS 2000 software version 1.1 allows you to configure the MAC address-based security system using the Web-based management system. Using earlier software versions, you can configure this security with the CI menus. For more information on MAC address-based security and configuring this feature, refer to Using the Business Policy Switch 2000.

Release Notes for the Business Policy Switch 2000 Software Version 1.1 58

To configure MAC address-based security using the Web-based management system:

1. From the main menu of the Business Policy Switch 2000 Web-based management system, choose Application > MAC Address Security > Security Configuration. The MAC Address Security Configuration page opens (F
4. [Screen capture: Port Error Summary page (Statistics > Port Error Summary, Access: RW) in the Web-based management system, showing the Port Error Summary Table with the columns Frame Errors, FCS Errors, Late Collisions, Multiple Collisions and Excessive Collisions, and the navigation menu (Summary, Configuration, Fault, Statistics: Port, Port Error Summary, Interface, Ethernet Errors, Transparent Bridging, RMON Ethernet, RMON History; Application; Administration: System Information, Security).]

Table 10 describes the read-only information displayed in the Port Error Summary Table.

Table 10: Port Error Summary Table fields
Item / Description
- Unit: Displays the unit number in the stack.
- Port: Displays the port number of the unit.
- Status: Displays the status of the port (Enabled, Disabled).

Table 10: Port Error Summary Table fields (continued)
Item / Description
- Link: Displays the link status of the port (Up, Down).
- Speed/Duplex: Displays the speed at which the port is operating, as well as whether it is in half- or full-duplex mode.
- Frame Errors: Displays the number of frame errors received on this port.
- FCS Errors: Displays the number of frame check sequence (FCS) errors received on this port.
- Late Collisions: Displays the number of late collisions errors received on this port.
- Multiple Collisions: Displays the number of
5. Address Mask is 255.255.255.255.
   (a) (b) Application > QoS > Advanced QoS > Rules > Layer2 Classification. Configure the filter and the filter group: the filter; the filter group. Click Submit.
   Choose Application > QoS > QoS Advanced > Actions page.
   a. Create and name an In-Profile Action.
   b. If you plan to work with metered data, create and name your own Out-Profile Action.
   Note: When configuring an In-Profile action, you must take at least one of the following actions:
   - Change the DSCP value in the Update the DSCP field.
   - Choose from the Set Drop Precedence list.
   - Choose from the Update Priorities list.
5. Click Submit.
6. Choose Application > QoS > QoS Advanced > Meter.
   Note: You cannot edit Meters. To change the Meter, you must first delete the current Meter and create the one you want.
   The Meter page opens (Figure 1).

Figure 1: Meter page
[Screen capture: Application > QoS > QoS Advanced > Meter page (Access: RW) with the navigation menu (EAPOL Security, MAC Address Security, IGMP, VLAN, Spanning Tree, MultiLink Trunk, QoS: QoS Wizard, QoS Advanced: Devices, Rules, Actions, Meters, Policies, Agent) and the Meter Table showing one meter: Name 1MB_Meter, Instance 1, Data Specification Committed Data, Committed Rate 1000000 kbits/sec, Committed Burst Size 125000 bytes, and In-Profile Action / Out-Profile Action columns starting with Change_DSCP.]
6. [Screen capture: Port List View page (Application > MAC Address Security > Port List, Access: RW), with a Learn by Ports configuration row per unit containing a check box for None and a check box for each of ports 1 to 28, and the navigation menu (Fault; Application: Port Mirroring, Rate Limiting, EAPOL Security, MAC Address Security: Security Configuration, Port Configuration, Port List, Security Table; IGMP; VLAN; Spanning Tree).]
   a. Use this page to add or remove a specified port to the list of ports through which MAC addresses are learned. To add a port, click on the box under the port number. To delete a port, click on the check mark in the box under the port. If you do not wish to add any ports, click in the box under None.
   b. Click Submit. The Security Configuration page (Figure 27) opens.
6. Choose Enabled in the Learn by Ports list in the MAC Security Table section at the bottom of the page.
7. Click Security Table from the Main Menu on the left, under MAC Address Security. The Security Table page opens (Figure 31).
7. message being received from the supplicant.
- AuthEapLogoffWhileAuthenticated: Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Disconnected as a result of an EAPOL Logoff message being received from the supplicant.
- BackendResponses: Counts the number of times that the Backend Authentication state machine sends an Initial Access request packet to the Authentication server.
- BackendAccessChallenges: Counts the number of times that the Backend Authentication state machine receives an Initial Access challenge packet from the Authentication server.
- BackendOtherRequestsToSupplicant: Counts the number of times that the Backend Authentication state machine sends an EAP request packet (other than an Identity, Notification, failure or success message) to the supplicant.

Table 7: EAPOL Diag tab fields for graphing ports (continued)
Field / Description
- BackendNonNakResponsesFromSupplicant: Counts the number of times that the Backend Authentication state machine receives a response from the supplicant to an initial EAP request, and the response is something other than EAP-NAK.
- BackendAuthSuccesses: Counts the number of times that the Backend Authentication state machine receives an EAP success message from the Authentication server.
- BackendAuthFails: Counts the number of times that the Backend Authentication state machi
8. multiple collisions errors received on this port.
- Excessive Collisions: Displays the number of excessive collisions errors received on this port.

2. To view the latest port statistics, click the Update button at the bottom of the page.

Ability to ping

With software version 1.1, you can ping from a BPS 2000. This ability greatly enhances the ease of network management.

Improved STP Fast Learning Mode

A front BPS 2000 port set for Fast Learning Mode for the Spanning Tree Protocol (STP) is improved in version 1.1 of BPS 2000 software. The port can forward data immediately, as soon as it detects that the link is on.

BootP menu item for a stack of only BPS 2000 switches

In a stack consisting only of BPS 2000 switches, you can perform BootP using the MAC address of the base unit. You must use the console interface (CI) menus to choose this option.

To set this feature:
1. Open the Main Menu of the BPS 2000.
2. Choose Switch Configuration > Stack Operational Mode. The menu contains the following new option: Stack BootP Mac Address Type, with the choices Stack Mac Address and Base Unit Mac Address. Toggle between the two choices using the space bar.
3. Press Enter.

The chosen setting is saved even when the stack is reset, and the default setting is Stack Mac Address. You cannot choose Base Unit Mac Address when the Stack Operational Mode is Hybrid Stack. If you do so, you see the following error messag
9. server.

Note: Before you use the EAPOL Security Configuration screen, you must configure your Primary RADIUS Server and RADIUS Shared Secret. You will also need to set up specific user accounts on your RADIUS server:
- User names
- Passwords
- VLAN IDs
- Port priority
You can set up these parameters directly on your RADIUS server. For detailed instructions about configuring your RADIUS server, refer to your RADIUS server documentation.

Note: Do not enable EAPOL security on the switch port that is connected to the RADIUS server.

> Choose EAPOL Security Configuration (or press e) from the Switch Configuration Menu to display the EAPOL Security Configuration screen.

Figure 7: EAPOL security configuration screen
[Console screen: EAPOL Security Configuration]
    EAPOL Administrative State:       Disabled
    Unit: 1    Port: 1
    Initialize:                       No
    Administrative Status:            Force Authorized
    Operational Status:               Authorized
    Administrative Traffic Control:   Incoming and Outgoing
    Operational Traffic Control:      Incoming and Outgoing
    Re-Authenticate Now:              No
    Re-Authentication:                Enabled
    Re-Authentication Period:         3600 seconds
    Quiet Period:                     60 seconds
    Transmit Period:                  30 seconds
    Supplicant Timeout:               30 seconds
    Server Timeout:                   30 seconds
    Maximum Requests:                 2
    Use space bar to display choices, press <Return> or <Enter> to select choice.
    Press Ctrl-R to return to
10. [Contents, continued]
    ... 23
    Configuring EAPOL using CI menus ... 24
    Configuring EAPOL using JDM ... 28
    Configuring EAPOL using the Web-based management system ... 39
    Support for the GBIC MDA ... 43
    Automatic PVID ... 43
    [illegible entry] ... 44
    PVID/VLAN association example ... 44
    Configuring Automatic PVID using CI menus ... 45
    Configuring Automatic PVID using the Web-based management system ... 49
    Tabular port statistics ... 53
    Ability to ping ... 54
    Improved STP Fast Learning Mode ... 54
    BootP menu item for a stack of only BPS 2000 switches ... 54
    Additional Web-based management operation ... 55
    Access to the Web-based management system using JDM ... 55
    Additional Java security ... 57
    MAC address-based security ... 57
    Resolved issues ... 65
    Known issues ...
11. Figure 3: EAPOL-based security (1 of 2)
[Diagram: a new client PC connected to the switch, and the switch connected to the RADIUS server. Labels: Switch requests user ID; Switch forwards user ID to RADIUS server; Password request.]

Figure 4: EAPOL-based security (2 of 2)
[Diagram: the same new client PC, switch and RADIUS server. Labels: Encrypted password; Switch forwards password; Password validated; Access to network approved; Client accesses network.]

Overview and terms

This section provides a detailed description of EAPOL-based security, including an overview of the components and terms used with this feature.

Some components of EAPOL-based security are:
- Supplicant: the device applying for access to the network.
- Authenticator: software with the sole purpose
12. [Figure 11 screen capture, continued: counter values in the AbsoluteValue and per-second columns; Close and Help buttons; Poll interval 10s.]

Table 7 describes the EAPOL Diag tab fields for graphing ports.

Table 7: EAPOL Diag tab fields for graphing ports
Field / Description
- EntersConnecting: Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state.
- EapLogoffsWhileConnecting: Counts the number of times that the Authenticator PAE state machine transitions from Connected to Disconnected as a result of receiving an EAPOL Logoff message.
- EntersAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Authenticating as a result of an EAP Response/Identity message being received from the supplicant.
- AuthSuccessWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Authenticated as a result of the Backend authentication state machine indicating successful authentication of the supplicant.

Table 7: EAPOL Diag tab fields for graphing ports (continued)
Field / Description
- AuthTimeoutsWhileAuthe
13. BayStack 410 and BayStack 450 software in a hybrid stack, the stack must be fully redundant. All cables in the stack must be installed and operating properly. If the cables are not installed properly, the BayStack units will fail to upgrade. A message is displayed on consoles connected to BayStack 410 and BayStack 450 switches:
    Primload Error 2009: Switch will reset in 5 seconds
- You can configure as many as 63 protocol-based VLANs, with a sum total of N (PID values) not to exceed 15 (Table 11).

Table 11: Protocol and PID values
Protocol Name / Number of PID values (N)
[Protocols listed: Ip Ether2, Ipx 802.3, Ipx 802.2, Ipx Snap, Ipx Ether2Snap, AplTk Ether2Snap, Declat Ether2, DecOther Ether2, Sna 802.2, Sna Ether2, NetBios 802.2, Xns Ether2, Vines Ether2, Ipv6 Ether2, Usrdef, Rarp Ether2; the N values are illegible.]

For more information on Predefined Protocol Identifiers (PIDs), hexadecimal values and associated protocols, refer to Using the Business Policy Switch 2000.
14. [Figure 1 screen capture, continued: Out-Profile Action Drop_Action; the Meter Creation area with the fields Name, Data Specification (No Meter Data), Committed Rate (kbits/sec), Committed Burst Size (bytes), In-Profile Action (Drop_Action) and Out-Profile Action (Drop_Action).]

7. In the Meter Creation area, create the traffic policing meters.

Table 1 describes the fields in the Meter Creation area, which you use to set new meters.

Table 1: Meter Creation fields
Field / Description
- Name: Enter the name for the filter you are creating.
- Data Specification: Choose from the list to install a filter with No Meter Data or Metered Data. NOTE: When you choose No Meter Data, do not complete the Committed Rate, Committed Burst Size or Out-Profile Action fields in the box.
- Committed Rate: Use this field only if you specified metered data for this filter (refer to Data Specification above). Enter the Committed Rate in kbits/second here. You can enter from 13 kbits/second to 1,700,000 kbits/second.
- Committed Burst Size: Use this field only if you specified metered data for this filter (refer to Data Specification above). Enter the Committed Burst Size in bytes here. You can enter from 2,047 bytes to 131,071 bytes.
- In-Profile Action: Choose from the list the action you previously created using the Actions page.
- Out-Profile Action: Use this field only if you spe
15. EAPOL Stats tab fields for graphing ports
Field / Description
- EapolFramesRx: The number of valid EAPOL frames of any type that have been received by this authenticator.
- EapolFramesTx: The number of EAPOL frames of any type that have been transmitted by this authenticator.
- EapolStartFramesRx: The number of EAPOL Start frames that have been received by this authenticator.
- EapolLogoffFramesRx: The number of EAPOL Logoff frames that have been received by this authenticator.
- EapolRespIdFramesRx: The number of EAPOL Resp/Id frames that have been received by this authenticator.
- EapolRespFramesRx: The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this authenticator.
- EapolReqIdFramesTx: The number of EAPOL Req/Id frames that have been transmitted by this authenticator.
- EapolReqFramesTx: The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this authenticator.

Table 6: EAPOL Stats tab fields for graphing ports (continued)
Field / Description
- InvalidEapolFramesRx: The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
- EapLengthErrorFramesRx: The number of EAPOL frames that have been received by this authenticator in which the packet body length field is not valid.

The EAP
16. [Screen capture: Security Table page (Application > MAC Address Security > Security Table, Access: RW), with the MAC Address Security Table (columns Action, MAC Address, Allowed Source), the MAC Address Security Table Entry Creation area (MAC Address; Allowed Source: Unit/Port or Entry) and the navigation menu (Summary, Configuration, Fault, Statistics; Application: Port Mirroring, Rate Limiting, EAPOL Security, MAC Address Security: Security Configuration, Port Configuration, Port List, Security Table; IGMP; VLAN).]

Wait until the required addresses are learned. The MAC Address Security Table displays the addresses and the allowed source for each address.

8. To add a MAC address in the MAC Address Security Table Entry Creation area:
   a. Enter the MAC address to which you want to allow access.
   b. To specify the entry through which the MAC address is allowed, either enter the unit/port number or choose the entry from the list. When you choose from the Entry list, you must have already selected ports for that entry by using the Port List View (Figure 32). However, if you choose the entry and do not want any ports on that entry, select None on the Port List View for that entry. If you select an entry in the MAC Address Security Table Entry Creation box and have not selected either any ports or the None option, the screen displays an error message saying that the Submit Failed.
   c. Click Submi
17. [Contents, continued]
    ... 65
    [illegible entry containing "Version 1.1"] ... 65
    Known limitations ... 66

Introduction

These release notes for the Nortel Networks Business Policy Switch 2000 software version 1.1 provide information about software and operational issues not included in the Business Policy Switch 2000 (BPS 2000) software version 1.0 and version 1.0.1 guides.

To obtain the software version 1.1, download the following files from the Customer Support World Wide Web site:
- bps2k110.img (software file)
- bps2k110.bin (diagnostics file)

To obtain the Java Device Manager (JDM) software to manage the BPS 2000, download the following file from the Customer Support World Wide Web site:
- JDM 5.1.0.0

These release notes provide information on version 1.1 and cover the following topics:
- Related publications (next)
- New features and enhancements (on page 7)
- Resolved issues (on page 65)
- Known issues (on page 65)
- Known limitations (on page 66)

Related publications

For more information about the BPS 2000 switch, refer to:
- Release Notes for the Business Policy Switch 2000 Software version 1.0.1 (part number 210676-B)
- Addendum to the Release Notes for the Business Policy Switch 2000 (part number 210676-A)
- Release Notes for the Business Policy Switch 2000 (part number 209320-A)
- Release Notes
18. Field / Description
- ServerTimeout: Time to wait for a response from the RADIUS server.
- MaxReq: Number of times to retry sending packets to the supplicant.
- ReAuthPeriod: Time interval between successive re-authentications.
- ReAuthEnabled: Whether to re-authenticate or not. Setting this object to Enabled causes re-authentication of the existing supplicant at the time interval specified in the Re-authentication Period field.
- KeyTxEnabled: The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state machine. This always returns false, as key transmission is irrelevant.
- LastEapolFrameVersion
- LastEapolFrameSource

Configuring EAPOL using the Web-based management system

To configure EAPOL using the Web-based management system:

1. From the main menu of the Business Policy Switch 2000 Web-based Manager, choose Application > EAPOL Security. The EAPOL Security Configuration page opens (Figure 13 and Figure 14). Use the scroll bar on the right to move down the page and the scroll bar on the bottom to move across the page.

Figure 13: EAPOL Security Configuration page (1 of 2)
[Screen capture: Netscape browser window (Access: RW) with the navigation menu Summary, Configuration, Fault, Statistics, Application: Port Mirroring, Rate Limiting, EAPOL Security, MAC Address Security, IGMP, VLAN, Spanning]
19. JDM (on page 28)
- Configuring EAPOL using the Web-based management system (on page 39)

Introduction

The Extensible Authentication Protocol over LAN (EAPOL)-based security feature uses the EAP, as described in the IEEE Draft P802.1X, to allow you to set up network access control on internal LANs.

EAP allows the exchange of authentication information between any end station or server connected to the switch and an authentication server, such as a RADIUS server. The EAPOL-based security feature operates in conjunction with a RADIUS-based server to extend the benefits of remote authentication to internal LAN clients.

EAPOL-based security example

The following example illustrates how the BPS 2000, configured with the EAPOL-based security feature, reacts to a new network connection:
- The switch detects a new connection on one of its ports (Figure 4). The switch requests a user ID from the new client (1). EAPOL encapsulates the user ID and forwards it to the RADIUS server (2). The RADIUS server responds with a request for the user's password (3).
- The new client forwards an encrypted password to the switch within the EAPOL packet (Figure 4). The switch relays the EAPOL packet to the RADIUS server (4). If the RADIUS server validates the password (5), the new client is allowed access to the switch and the network (6).
20. OL Diag tab shows EAPOL diagnostic information for graphing ports.

To open the EAPOL Diag tab for graphing:

1. Select the port or ports you want to graph (Ctrl+left-click the ports that you want to configure). A yellow outline appears around the selected ports.
   Do one of the following:
   - From the Device Manager main menu, choose Graph > Port.
   - From the shortcut menu, choose Graph.
   - On the toolbar, click Graph.
   The graphPort dialog box for a single port or for multiple ports opens with the Interface tab displayed.
   Click the EAPOL Diag tab. The EAPOL Diag tab for graphing ports opens (Figure 11).

Figure 11: EAPOL Diag tab
[Screen capture: graphPort dialog with tabs Interface, Ethernet Errors, Bridge, Rmon, EAPOL Stats and EAPOL Diag; the EAPOL Diag tab lists the counters EntersConnecting, EapLogoffsWhileConnecting, EntersAuthenticating, AuthSuccessWhileAuthenticating, AuthTimeoutsWhileAuthenticating, AuthFailWhileAuthenticating, AuthReauthsWhileAuthenticating, AuthEapStartsWhileAuthenticating, AuthEapLogoffWhileAuthenticating, AuthReauthsWhileAuthenticated, AuthEapLogoffWhileAuthenticated, BackendResponses, BackendAccessChallenges, BackendOtherRequestsToSupplicant, BackendNonNakResponsesFromSupplicant, BackendAuthSuccesses and BackendAuthFails in the columns AbsoluteValue, Cumulative, Average/sec, Minimum/sec, Maximum/sec and LastVal/sec.]
21. Part No. 210676-C, March 2001
4401 Great America Parkway, Santa Clara, CA 95054

Release Notes for the Business Policy Switch 2000 Software Version 1.1

Copyright 2001 Nortel Networks. All rights reserved. March 2001.

The information in this document is subject to change without notice. The statements, configurations, technical data and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks NA Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

BaySecure, BayStack, Business Policy Switch 2000, Nortel Networks, the Nortel Networks logo, Optivity and Passport are trademarks of Nortel Networks. Microsoft and Windows are trademarks of Microsoft Corporation. Java is a trademark of Sun Microsystems, Inc. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.

Statement of Conditions

In the interest of improving internal design, operational function and/or reli
22. To configure the PVID (port VLAN identifier) for Port 8:

1. From the VLAN Configuration screen, press Ctrl-R to return to the VLAN Configuration Menu.
2. From the VLAN Configuration Menu, select VLAN Port Configuration (or press c). The default VLAN Port Configuration screen opens (Figure 18). The VLAN Port Configuration screen settings shown in Figure 18 are default settings.

Figure 18: Default VLAN port configuration screen example
[Console screen: VLAN Port Configuration, with callouts a and b]
    Unit: 1    Port: [illegible]
    Filter Tagged Frames:        No
    Filter Untagged Frames:      No
    Filter Unregistered Frames:  No
    Port Name:                   Unit 1, Port 1
    PVID:                        1
    Port Priority:               0
    Tagging:                     Untagged Access
    AutoPVID (all ports):        Disabled
    Use space bar to display choices, press <Return> or <Enter> to select choice.
    Press Ctrl-R to return to previous menu. Press Ctrl-C to return to Main

Figure 19 shows the VLAN Port Configuration screen after it is configured to support the PVID assignment for port 8, as shown in Figure 15. The Port Name field is optional. As shown in Figure 19, the PVID/VLAN association for VLAN 3 is now PVID 3.

Figure 19: VLAN port configuration screen example
[Console screen: VLAN Port Configuration]
    Use space bar to display choices, press <Return> or <Enter> to select choice.
    Press Ctrl-R to return to previous
23. [Figure 13 screen capture, continued: remaining menu items Spanning Tree, MultiLink Trunk, QoS, COPS; the Application > EAPOL Security Configuration page with an EAPOL Administrative State Setting section (EAPOL Administrative State: Disabled) and an EAPOL Security Setting table with one row per unit/port and columns for Initialize, Status, Traffic Control, Re-authenticate Now and Re-authentication, whose cells show values such as Force Authorized, Authorized, Auto, Force Unauthorized, In & Out, In Only, No, Enabled and Disabled.]

Figure 14: EAPOL Security Configuration page (2 of 2)
[Screen capture: Netscape browser window titled Business Policy Switch 2000 (10.10.40.29), with the same navigation menu (Summary, Configuration, Fault, Statistics; Application: Port Mirroring, Rate Limiting, EAPOL Security, MAC Address Security, IGMP, VLAN, Spanning Tree, MultiLink Trunk) and the right-hand columns of the EAPOL Security Setting table: Re-authenticate Period, Quiet Period, Transmit Period, Supplicant Timeout, Server Timeout, Maximum Reque]
24. ability, Nortel Networks NA Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks NA Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Contents
    Introduction ... 5
    Related publications ... 5
    New features and enhancements ... 7
    Compatibility with BayStack 450 Switch software version 4.0 ... 7
    [illegible entry] ... 7
    [illegible entry] ... 8
    QoS and configuring filters ... 9
    Configuring using the Web-based management system ... 9
    EAPOL-based security ... 16
    Introduction ... 15
    EAPOL-based security example ... 16
    Overview and terms ... 17
    EAPOL dynamic VLAN assignment ... 19
    Setting up the Authentication server ... 20
    Authentication process ... 20
    System requirements ... 22
    EAPOL-based security configuration rules ... 23
    RADIUS-based network security ...
25. and outgoing traffic on the specified unit/port is blocked. Default: Incoming and Outgoing. Range: Incoming and Outgoing, Incoming Only.

Table 4: EAPOL security configuration screen options (continued)
Option / Description
- Operational Traffic Control: A read-only field that indicates the current administrative traffic control configuration for the specified unit/port (see preceding field description). This read-only field does not appear when the Unit/Port field value is set to All. Default: Incoming and Outgoing. Range: Incoming and Outgoing, Incoming Only.
- Re-Authenticate Now: Allows you to activate EAPOL authentication for the specified unit/port immediately, without waiting for the Re-Authentication Period to expire. Default: No. Range: No, Yes.
- Re-Authentication: Allows you to repeat EAPOL authentication for the specified unit/port according to the time interval value configured in the Re-Authentication Period field (see next field description). Default: Enabled. Range: Enabled, Disabled.
- Re-Authentication Period: When the Re-Authentication field value (see preceding field) is set to Enabled, this field allows you to specify the time period between successive EAPOL authentications for the specified unit/port. Default: 3600 seconds. Range: 1 to 604800 seconds.
- Quiet Period: Allows you to specify the time period between any single EAPOL authentication failure and the start of a new EAPOL au
[Figure residue, "Authentication process" flowchart (EAPOL_Authen_Process_new_2): Range 0 to 7; No: switch sets Port Priority value to 0; Yes: switch sets Port Priority value to the preconfigured values stored in the Authentication server; Key: off-page reference, on-page reference]

System requirements

The following are minimum system requirements for the EAPOL-based security feature:
• At least one of the following supported switches: BayStack 350/410-24T/450 switch (software version V4.0 or later); Business Policy Switch 2000 (software version V1.1 or later)
• RADIUS server: Microsoft Windows XP Server
• Client software that supports EAPOL: Microsoft Windows XP Client

You must configure your BayStack 350/410-24T/450 switches and BPS 2000 for port-based VLANs and EAPOL security. For information on configuring these switches, refer to the documents shipped with the switch. You must also specify the Microsoft 2001 IAS server (or any generic RADIUS server that supports EAP) as the primary RADIUS server for these devices.

EAPOL-based security configuration rules

The following configuration rules apply to your BPS 2000 when using EAPOL-based security:
• Before configuring your switch, you must configure the Primary RADIUS Server and Shared Secret fields.
• You cannot configure EAPOL-based security on ports that are currently configured for: Shared segments, MultiLink Trunking, MAC address-based security, IGMP Stat
cified metered data for this filter (refer to Data Specification above), choose from the list the action you previously created using the Actions page.
8 View the created meters in the Meter Table. Table 2 describes the fields in the Meter Table.

Table 2 Meter Table fields

Action: Deletes that meter.
Name: Displays the name of the filter.
Instance: Displays the generated Meter Table index.
Data Specification: Displays whether the filter is set up with Metered Data or No Meter Data.
Committed Rate: Displays the specified bandwidth in kbits per second.
Committed Burst: Displays the specified bytes allowed to exceed the threshold set in the Committed Rate field for a brief period.
In Profile Action: Displays the action configured on the Actions page for the switch to take on In Profile traffic, which is traffic within the Committed Rate.
Out Profile Action: Displays the action configured on the Actions page for the switch to take on Out of Profile traffic, which is traffic that exceeds the Committed Rate as well as the Committed Burst Size. This field is unused for filters with No Meter Data defined.

9 Click Submit.
10 Choose the Applications > QoS > QoS Advanced > Devices > Interface Configuration page to connect the desired ports to the desired filte
der this behavior when you configure filters and when you allocate ports for the purposes of configuring and/or monitoring the switch. Also note that when configuring IP filters, the Address Mask specifies the portion of the address used to determine whether that particular packet meets your filter criteria.

Configuring using the Web-based management system

You can configure traffic policing using SNMP or the Web-based management system. Refer to Using Web-Based Management for the Business Policy Switch 2000 for more information on using the following QoS Advanced pages: IP Classification, Layer2 Classification, Actions, and Interface Group. You will need to configure traffic policing using the following pages, in the following order:

1 From the main menu, choose one of the following:
• Application > QoS > QoS Advanced > Rules > IP Classification

Release Notes for the Business Policy Switch 2000 Software Version 1.1

Note: After configuring an IP filter, the screen may return the message "Submit Failed". Double-check that you have correctly entered the Destination Address Mask and the Source Address Mask. The Address Mask specifies that portion of the address used to determine whether the packet meets the filter criteria; the Address Mask is not a subnet mask. If you specify a subnet address, ensure that the host portion of the address contains a 0 value. If you intend to identify an IP host address, ensure that the
dified field values to most, but not all, of your switch's ports. For example, if you want to apply modified field values to 23 of your switch's 24 ports, it may be easier to apply the All value in the Port field and then reconfigure the single port back to its original values.
Default: 1
Range: 1 to 28, ALL

Initialize: Allows you to activate EAPOL authentication for the specified unit/port.
Default: No
Range: No, Yes

Administrative Status: Allows you to set the EAPOL authorization status for the specified unit/port.
Default: Force Authorized
Range: Force Authorized, Force Unauthorized, Auto
• Force Authorized means the specified unit/port authorization status is always Authorized.
• Force Unauthorized means the specified unit/port authorization status is always Unauthorized.
• Auto means the specified unit/port authorization status depends on the EAP authentication results.

Operational Status: A read-only field that shows the current authorization status for the specified unit/port. This read-only field does not appear when the Unit/Port field value is set to All.
Default: Authorized
Range: Authorized, Unauthorized

Administrative Traffic Control: Allows you to choose whether EAPOL authentication is set for incoming and outgoing traffic or for incoming traffic only. For example, if you set the specified unit/port field value to Incoming and Outgoing and the EAPOL authentication fails, then both incoming
• BootP with Base Unit MAC Address is not supported in a Hybrid Stack.

Additional Web-based management operation

BPS 2000 software version 1.1 offers the following enhancements to the Web-based management system:
• Access to the Web-based management system using JDM (next)
• Additional Java security (on page 57)
• MAC address-based security (on page 57)

Access to the Web-based management system using JDM

You can access the Web-based management system using JDM.

To access the Web-based management system using JDM:
➤ Do one of the following:
• Choose Actions > Open Home Page.
• Click the globe icon shown on the toolbar (Figure 24).

[Figure 24 JDM toolbar (Device Manager 5.0.0 b25, 10.10.40.29); toolbar image not recoverable]

The System Information page opens (Figure 25).

[Figure 25 System Information page: Business Policy Switch 2000 (10.10.40.29), Administration > System Information; sysDescription: Business Policy Switch 2000 HW:AB3 FW:0.0.0.9E SW:v1.1.0.20; sysUpTime: 6 Hours 42 Minutes 5 Seconds; sysName, sysLocation, sysContact; buttons: Reset, Reset To Default]
ed directly from the switch's non-volatile random access memory (NVRAM).

The following exceptions apply to dynamic VLAN assignments:
• The dynamic VLAN configuration values assigned by EAPOL are not stored in the switch's NVRAM.
• You can override the dynamic VLAN configuration values assigned by EAPOL; however, be aware that the values you configure are not stored in NVRAM.
• When EAPOL is enabled on a port and you configure values other than VLAN configuration values, those values are applied and stored in NVRAM.

Setting up the Authentication server

This section describes how to set up your Authentication server (RADIUS server) for EAPOL dynamic VLAN assignments. The Authentication server allows you to configure user-specific settings for VLAN memberships and port priority. When you log on to a system that has been configured for EAPOL authentication, the Authentication server recognizes your user ID and notifies the switch to assign the preconfigured user-specific VLAN membership and port priorities. The configuration settings are based on configuration parameters that were customized for your user ID and previously stored on the Authentication server.

To set up the Authentication server, set the following Return List attributes for all user configurations (refer to your Authentication server documentation):
• VLAN membership att
eout for the BPS is now set to five minutes, which matches the BootP timeout value for the BayStack 450 switch (CR 13161-1).
• BootP values set to either Always or When Needed are retained during a switch reset (CR 126842-1).

The following issue was resolved in version 1.0.1:
• The ports on the BPS2000-4TX MDA now autonegotiate correctly to 100 Mb/s full duplex when they are connected to another BPS2000 port configured to autonegotiate.

Known issues

The following paragraphs discuss the known issues with the BPS 2000.

Version 1.1 issues

The following issues are known to be included in version 1.1 of the BPS 2000 software:
• The pre-defined Usernames for the login page of the Web-based management system are the uppercase letters RO or RW. The documentation erroneously shows these user names as lowercase letters (CR 145225-1).
• The Multicast Group Membership table may display duplicate entries when the switch is in Distributed MultiLink Trunking (D-MLT) mode. However, the trunks function properly; this is a display problem only (CR 138095-1).
• In a BPS 2000-only stack, the entire stack is reset to default values when you return the base unit to default values (CR 145501-1).
• To disable a port that is part of a MultiLink Trunk (MLT) group, use either the Java Device Manager (JDM) or the Console Interface (CI) management system menus; you can use the Teln
[Figure 29 MAC Address Security Port List View (Port List) page: Application > MAC Address Security > Port List, Entry S1, check boxes for NONE and ports 1 through 28; screen image not recoverable]

c Set the selected port for security enabled by clicking on the box under the port. To disable security, click on the check mark that appears in the box, and it will disappear. To have the entry available but without any ports, click the box under None.
d Click Submit.
5 Return to the Security Configuration page (Figure 27) and click the Action icon in the Learn by Ports section. The Ports List View (Learn by Ports) page (Figure 30) opens.

[Figure 30 MAC Address Security Port List View (Learn by Ports) page: Business Policy Switch 2000 (10.10.40.29); screen image not recoverable]
et connection. With the Web-based management system you may be unable to disable ports that are part of MLTs (CR 146607-1).
• When the High Speed Flow Control Autonegotiation feature is set to enabled (the default), the port only advertises support for 1000 Mb/s operation in full-duplex mode. If you experience problems between the Business Policy Switch and other network devices, set Autonegotiation to disabled on both sides of the link.
• Gigabit MDA: When viewing Active Phy information from the console interface, the console must be connected to the unit containing the Gigabit MDA (the BayStack 450-1SR MDA or the BayStack 450-1LLR MDA) to display the appropriate Phy information. Incorrect information may be displayed if you connect to a unit not containing a Gigabit MDA.
• When you remove a Gigabit MDA from a switch, the Active Phy of the affected unit displays the new status. However, occasionally the Active Phys of the other units in the stack (or remote units) will not display the new status.

Known limitations

The following limitations are known to exist:
• The current usable filters with software version 1.1 for the BPS are: 50 policies; 200 IP filters and filter groups; 24 IP filters with the same Source Address; 18 nested subnets; 14 Layer 2 filters and filter groups; 50 meters; 50 actions. Metered data consumes 2 filters.
• Mixed stacks (hybrid stacks): In order to upgrade
for the Business Policy Switch 2000 Software Version 1.1
• Using the Business Policy Switch 2000 (part number 208700-A)
• Using Web-Based Management for the Business Policy Switch 2000 (part number 209570-A)
• Reference for the Business Policy Switch 2000 Management Software (part number 209322-A)
• Getting Started with the Business Policy Switch 2000 Management Software (part number 209321-A)
• Business Policy Switch 2000 Installation Instructions (part number 209319-A)
• Installing Media Dependent Adapters (MDAs) (part number 302403-F)
• Managing Policy Information in Optivity Policy Services for Business Policy Switch (part number 306969-D)
• Installing Optivity Policy Services for Business Policy Switch (part number 306972-C)
• Task Map: Installing the OPS for BPS Product Family (part number 306976-C)
• Release Notes for Optivity Policy Services for the Business Policy Switch Version 1.0 (part number 306975-C)
• Known Anomalies for Optivity Policy Services for the Business Policy Switch Version 1.0 (part number 306974-C)
• Using the Optivity Quick2Config 2.2 Client Software (part number 207810-B)
• Installing and Administering Optivity Quick2Config 2.2 (part number 207809-B)
• Configuring Business Policy Switches with Optivity Quick2Config 2.2 (part number 311208-A)
• Release Notes for Optivity Quick2Config for Business Policy Switch 2000 v.2.2.1 (part number 310621-A)

You can print selected technical manual
i), depending on the quality of the cable.
• 1000BASE-ZX: This GBIC uses single-mode fiber to connect devices over distances up to 70 km (43 mi), depending on the quality of the cable. The ports on this GBIC operate only in full-duplex mode.

For more information on this MDA, as well as installation and cabling instructions, refer to Installing Media Dependent Adapters (MDAs), which is available on the Web site described in "Related publications".

Automatic PVID

This section contains the following information on Automatic PVIDs:
• Introduction (next)
• PVID/VLAN association example (on page 44)
• Configuring Automatic PVID using CI menus (on page 45)
• Configuring Automatic PVID using the Web-based management system (on page 49)

Introduction

In earlier software releases, after setting a VLAN ID the user also had to manually configure the port VLAN ID (PVID). In software version 1.1, automatic PVID sets the PVID automatically when you configure a port-based VLAN. The PVID value will be the same value as the VLAN. The user can also manually change the PVID value. The default setting for AutoPVID is Off; you must enable this feature.

PVID/VLAN association example

For example, to create a broadcast domain for each VLAN shown in Figure 15, configure each VLAN with a port membership and each port with the appropriate PVID/VLAN assoc
iation.

[Figure 15 VLAN broadcast domains within the switch: S1 with VLAN 3, VLAN 2, VLAN 1; Key: VLAN 1 = PVID 1, VLAN 2 = PVID 2, VLAN 3 = PVID 3]

In Figure 15, the ports have the following PVID/VLAN associations:
• Ports 8, 6, and 11 are untagged members of VLAN 1. The PVID/VLAN association for ports 6 and 11 is PVID 1.
• Ports 2, 4, 10, and 8 are untagged members of VLAN 2. The PVID/VLAN association for ports 2, 4, and 10 is PVID 2.
• Ports 2, 4, 10, 8, 6, and 11 are untagged members of VLAN 3. The PVID/VLAN association for port 8 is PVID 3.

Configuring Automatic PVID using CI menus

The following steps show how to use the VLAN configuration screens to configure the VLAN 3 broadcast domain shown in Figure 15.

To configure the VLAN port membership for VLAN 1:
1 Select Switch Configuration from the Main Menu (or press w).
2 From the Switch Configuration Menu, select VLAN Configuration (or press v).
3 From the VLAN Configuration Menu, select VLAN Configuration (or press v). The default VLAN Configuration screen opens (Figure 16).

Figure 16 Default VLAN configuration screen example

VLAN Configuration
Create VLAN: 1          VLAN Type: Port-Based
Delete VLAN:            Pr
ic Router Ports, Port mirroring.
• You can connect only a single client on each port that is configured for EAPOL-based security. If you attempt to add additional ports to a port, that port goes to Blocking mode.

RADIUS-based network security

The Remote Authentication Dial-In User Services (RADIUS)-based security feature allows you to set up network access control using the RADIUS security protocol. The feature uses the RADIUS protocol to authenticate local console, Telnet, and EAPOL-authorized logins. You must set up specific user accounts (user names and passwords) and Service-Type attributes on your RADIUS server before the authentication process can be initiated.

To provide each user with the appropriate level of access to the switch, set the following username attributes on your RADIUS server:
• Read-write access: Set the Service-Type field value to Administrative.
• Read-only access: Set the Service-Type field value to NAS Prompt.

For detailed instructions about setting up your RADIUS server, refer to your RADIUS server documentation.

Configuring EAPOL using CI menus

The EAPOL Security Configuration screen (Figure 7) allows you to selectively limit access to the switch based on an authentication mechanism that uses the Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication
igure 27).

[Figure 27 MAC Address Security Configuration page: Business Policy Switch 2000 (10.10.40.29), Application > MAC Address Security > Security Configuration. MAC Address Security Setting: MAC Address Security (Disabled), MAC Address Security SNMP-Locked (Disabled), Partition Port on Intrusion Detected (Disabled), Partition Time (1-65535), DA Filtering on Intrusion Detected (Disabled), Generate SNMP Trap on Intrusion (Disabled). MAC Security Table: Action, Port List, Current Learning Mode; Clear by Ports; Learn by Ports (Disabled). Screen image not recoverable]

In the MAC Address Security Setting area, choose Enabled in the MAC Address Security list and click Submit. If you want to lock the MAC Address Security SNMP feature, choose Enabled from the list. If you want to partition a port when an intrusion is detected, choose Enabled (from the Forever, Enabled, and Disabled choices) in the Partition Port on Intrusion Detected list, and type the partition t
ime in the Partition Time box. Only use the Partition Time box if Partition Port on Intrusion Detected is Enabled. If you choose Forever from the list, that partitioned port is disabled until reset. If you want to isolate the intruding node, choose Enabled in the DA Filtering on Intrusion Detected list and click Submit. If you want an SNMP trap on intrusion, choose Enabled in the Generate SNMP Trap on Intrusion list.
3 Go to the MAC Address Security Port Lists page (Figure 28) and use the Action tab to configure each desired entry.

[Figure 28 MAC Address Security Port Lists page: Business Policy Switch 2000 (10.30.31.148), Application > MAC Address Security > Port Lists, entries S1 through S20; screen image not recoverable]

4 When you click the Action icon, the Ports List View (Port List) page opens (Figure 29).
[Figure 33 MAC Address Security Port Configuration page: Business Policy Switch 2000 (10.10.40.29), Application > MAC Address Security > Port Configuration; per-port Security setting (Disabled by default) and Trunk membership; screen image not recoverable]

11 Set the security values for all desired ports to Enabled and click Submit. The Port Configuration page also displays the Trunk Group membership for each port, if applicable.

Resolved issues

The following issues were resolved in version 1.1:
• You can download BayStack 410 and BayStack 450 software images and diagnostics using the Device Manager in a mixed stack environment with Business Policy Switches. When using DM with a mixed stack and you choose Edit > File System, you can specify either the image for the BPS 2000 or the image for the BayStack, or both, to download the software image(s).
• The BootP tim
[Figure 20 residue: VLAN Table entry 3, VLAN3, Port-based, None, 0x0, Active; VLAN Setting: Management VLAN 1; AutoPVID Setting: AutoPVID Disabled; Submit button]

Choose Enabled from the AutoPVID list in the AutoPVID Setting area. Click Submit.
To view the PVID value by port, choose Application > VLAN > Port Information. The Port Information page opens (Figure 21) and displays the PVID value for the selected port.

[Figure 21 Port Information page: Business Policy Switch 2000 (10.10.40.29), Application > VLAN > Port Information; VLAN Port Information: View By Port Name, Unit 2, Port 5, PVID 1; VLAN Port Information Table. Screen image not recoverable]

a To view the information for other ports, choose the desired port from the Unit and Port lists.
b Click Submit.
5 To manually change the PVID value of a port, choose Applica
menu. Press Ctrl-C to return to Main Menu.

VLAN Port Configuration
Unit: 1                        Port: 8
Filter Tagged Frames: No
Filter Untagged Frames: No
Filter Unregistered Frames: No
Port Name: Molly's port
PVID: 3
Port Priority: 0
Tagging: Untagged Access
AutoPVID (all ports): Disabled

The preceding example explains how to manually configure the PVID/VLAN association to PVID 3. However, if you set the AutoPVID field value to Enabled before creating the VLAN port memberships, the PVID/VLAN association is automatically assigned the value associated with the VLAN number you create.

Configuring Automatic PVID using the Web-based management system

To configure AutoPVID using the Web-based management system:
1 From the main menu of the Business Policy Switch 2000 Web-based Manager, choose Application > VLAN > VLAN Configuration. The VLAN Configuration page opens (Figure 20).

[Figure 20 VLAN Configuration page: Business Policy Switch 2000 (10.10.40.29), Application > VLAN > VLAN Configuration; VLAN Table columns: Action, VLAN, VLAN Name, VLAN Type, User-Defined Protocol, Constraint; entries 1 VLAN1 Port-based None 0x0 Active, 2 VLAN2 Port-based None 0x0 Act
mitted Rate. Instead of dropping all traffic that exceeds this threshold, traffic policing allows you to configure a Committed Burst Rate so that traffic may exceed the threshold (Committed Rate) for a brief period of time without being dropped.

The BPS 2000 filters collectively can take the following actions on a packet, depending on your configuration:
• Pass or Drop
• Re-mark the packet (when Pass is selected): re-mark a new DiffServ Codepoint (DSCP); re-mark the 802.1p field; mark the Drop precedence

You must use either SNMP or the Web-based management system to configure the traffic policing filters. You can also configure traffic classifiers without traffic policing, in which case you choose No Metered Data in the Data Specification field of the Meter page. Because the number of filters available in hardware is limited, Nortel Networks provides some design guidelines for constructing traffic policing.

QoS and configuring filters

You can install filters that will act on traffic destined for the switch itself, such as ICMP Echo Requests (ping) and SNMP messages. If the associated action is to drop the traffic, you can lock yourself out of the switch. However, traffic destined for the switch and received through a port on the base unit of a stack is not dropped, even if filters targeting the traffic are installed and drop has been specified. This behavior prevents you from completely isolating yourself from the switch. Consi
ne receives an EAP failure message from the Authentication server.

The EAPOL tab shows EAPOL statistics for multiple ports.

To open the EAPOL tab for multiple ports:
1 Select the port or ports you want to graph. (Ctrl+left-click the ports that you want to configure. A yellow outline appears around the selected ports.)
Do one of the following:
• From the Device Manager main menu, choose Edit > Port.
• From the shortcut menu, choose Edit.
• On the toolbar, click Edit.
The Port dialog box for multiple ports opens with the Interface tab displayed.
Click the EAPOL tab. The EAPOL tab for multiple ports opens (Figure 12).

[Figure 12 EAPOL tab for multiple ports (10.10.40.29): columns Index, PortProtocolVersion, PortCapabilities (dot1xPaePortAuthCapable), PortInitialize, PortReauthenticate, PaeState, BackendAuthState, AdminControlledDirections, OperControlledDirections, AuthControlledPortStatus; buttons Apply, Refresh, Close, Help. Screen image not recoverable]

Table 8 describes the EAPOL tab fields for multiple ports.

Table 8 EAPOL tab fields for multiple ports

Index: Displays the unique value a
nticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend authentication state machine indicating authentication timeout.
AuthFailWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Held as a result of the Backend authentication state machine indicating authentication failure.
AuthReauthsWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of a reauthentication request.
AuthEapStartsWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPOL-Start message being received from the supplicant.
AuthEapLogoffWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPOL-Logoff message being received from the supplicant.
AuthReauthsWhileAuthenticated: Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of a reauthentication request.
AuthEapStartsWhileAuthenticated: Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of an EAPOL-Start
of authorizing a supplicant that is attached to the other end of a LAN segment.
• Authentication Server: a RADIUS server that provides authorization services to the Authenticator.
• Port Access Entity (PAE): a software entity associated with each port that supports the Authenticator or Supplicant functionality. In the preceding example, the Authenticator PAE resides on the switch.
• Controlled Port: any switch port with EAPOL-based security enabled.

The Authenticator communicates with the Supplicant using an encapsulation mechanism known as EAP over LANs (EAPOL). The Authenticator PAE encapsulates the EAP message into a RADIUS packet before sending the packet to the Authentication Server. The Authenticator facilitates the authentication exchanges that occur between the Supplicant and the Authentication Server by encapsulating the EAP message to make it suitable for the packet's destination.

The Authenticator determines the controlled port's operational state. After the RADIUS server notifies the Authenticator PAE about the success or failure of the authentication, it changes the controlled port's operational state accordingly.

The Authenticator PAE functionality is implemented for each controlled port on the switch. At system initialization, or when a supplicant is initially connected to the switch's controlled port, the controlled port's state is set to Blocking. During that time, EAP packets are processed by the authenticator
ort access control in the system.
3 Select the port you want to edit. Do one of the following:
• Double-click on the selected port.
• From the shortcut menu (right-click), choose Edit.
• From the Device Manager main menu, choose Edit > Port.
• On the toolbar, click Edit.
The Port dialog box for a single port opens with the Interface tab displayed.
4 Click the EAPOL tab. The EAPOL tab opens (Figure 9).

[Figure 9 EAPOL tab for a single port (10.10.40.29, Port 2/24); screen image not recoverable]

Table 5 describes the EAPOL tab items for a single port.

Table 5 EAPOL tab items for a single port

PortProtocolVersion: The EAP protocol version that is running on this port.
PortCapabilities: The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable(0).
PortInitialize: Setting this attribute to True causes this port's EAPOL state to be initialized.
PortReauthenticate: Setting this attribute to True causes the reauthentication of the client.
PaeState: The current Authenticator PAE state machine state value.
BackendAuthState: The current state of the Backend Authentication state machine.
AdminControlledDirections: The current value of the administrative controlled directions parameter for the port.
OperControlledDirections: The current value of the opera
otocol Id (PID): None
VLAN Name: VLAN 1        User-Defined PID: 0x0000
Management VLAN: Yes     VLAN State: Active
Port Membership
          1-6      7-12
Unit 1    UUUUUU   UUUUUU
KEY: T = Tagged Port Member, U = Untagged Port Member, - = Not a Member of VLAN
Use space bar to display choices, press <Return> or <Enter> to select choice.
Press Ctrl-R to return to previous menu. Press Ctrl-C to return to Main Menu.

The VLAN Configuration screen settings shown in Figure 16 are default settings, with all switch ports classified as untagged members of VLAN 1. Figure 17 shows the VLAN Configuration screen after it is configured to support the VLAN 3 broadcast domain shown in Figure 15 (VLAN Name is optional). Ports 2, 4, 6, 8, 10, and 11 are now untagged members of VLAN 3, as shown in Figure 15.

Figure 17 VLAN configuration screen example

VLAN Configuration
Create VLAN: 3           VLAN Type: Port-Based
Delete VLAN:             Protocol Id (PID): None
VLAN Name: Mary's VLAN   User-Defined PID: 0x0000
Management VLAN: Yes     VLAN State: Active
Port Membership
          1-6      7-12
Unit 1    -U-U-U   -U-UU-
KEY: T = Tagged Port Member, U = Untagged Port Member, - = Not a Member of VLAN
Use space bar to display choices, press <Return> or <Enter> to select choice.
Press Ctrl-R to return to previous menu. Press Ctrl-C to return to Main Menu.
…policy you are creating.
Filter Group Type: Choose the filter group type from the list:
   • IP Filter Group
   • Layer Filter Group
Filter Group: Choose the name of the filter group for which you are creating the metering policy. You named this filter group(s) using the IP Classification / Layer2 Classification page.
Role Combination: Choose the name of the Role Combination for which you are creating the metering policy. You named this Role Combination on the Interface Group page.

Table 3: Policy Creation fields (continued) (Field: Description)
Order: Specify the order of precedence among the filter groups.
Meter: Choose the name of the filter group for which you are creating the metering policy. You named this filter group on the Meter page.

13. View the policies you previously created in the Policy Table.

14. Click Submit.

EAPOL-based security

This section contains the following information on EAPOL-based security:
   • Introduction (next)
   • EAPOL-based security example (page 16)
   • Overview and terms (page 17)
   • EAPOL dynamic VLAN assignment (page 19)
   • Setting up the Authentication server (page 20)
   • Authentication process (page 20)
   • System requirements (page 22)
   • EAPOL-based security configuration rules (page 23)
   • RADIUS-based network security (page 23)
   • Configuring EAPOL using CI menus (page 24)
   • Configuring EAPOL using …
…previous menu. Press Ctrl-C to return to Main Menu.

Table 4 describes the EAPOL Security Configuration screen options.

Table 4: EAPOL Security Configuration screen options (Option: Description)
EAPOL Administrative State: Allows you to enable or disable EAPOL for your switch or stack. When this field is set to Disabled (the default state), the Operational Status for all of the switch/stack ports is set to Authorized (no security restriction). Default: Disabled. Range: Disabled, Enabled.
Unit: Allows you to select the unit number (when stacking is configured) to view or configure. To view or configure another unit, type its unit number and press Enter, or press the spacebar to toggle the unit numbers. If you set this field value to All, other screen field values you modify apply to all stack ports. Default: 1. Range: 1, 2, 3, 4, 5, 6, 7, 8, ALL.

Table 4: EAPOL Security Configuration screen options (continued) (Option: Description)
Port: Allows you to select a specified unit's (see the preceding Unit field) port number to view or configure. To view or configure another port, type its port number and press Enter, or press the spacebar to toggle the port numbers. If you set this field value to All, other screen field values you modify apply to all ports for the specified unit. The All value is also useful when you want to apply mo…
…r the supplicant to respond to EAP Request Identity packets. You can set this field between 1 and 65535 seconds.
Supplicant Timeout: Allows you to specify how long the switch waits for the supplicant to respond to all EAP packets except EAP Request Identity packets. You can set this field between 1 and 65535 seconds.
Server Timeout: Allows you to specify how long the switch waits for the RADIUS server to respond to all EAP packets. You can set this field between 1 and 65535 seconds.
Maximum Requests: Allows you to specify the number of times the switch attempts to resend EAP packets to a supplicant. You can set this field between 1 and 10 attempts.

2. After making any changes to the EAPOL Security Configuration page, click Submit.

Support for the GBIC MDA

The BPS 2000 software version 1.1 supports the Gigabit Interface Connector (GBIC) MDA. The MDA (BayStack 450-1GBIC MDA) provides only two priority queues. The BayStack 450-1GBIC MDA supports the following GBICs:
   • 1000BASE-SX: This GBIC uses shortwave 850 nm fiber optic connectors to connect devices over multimode (550 m or 1,805 ft) fiber optic cable.
   • 1000BASE-LX: This GBIC uses longwave 1,300 nm fiber optic connectors to connect devices over single-mode (5 km or 3.1 mi) or multimode (550 m or 1,805 ft) fiber optic cable.
   • 1000BASE-XD: This GBIC uses single-mode fiber to connect devices over distances up to 50 km or 31 m…
…ributes:
   Tunnel-Type: value 13 (Tunnel-Type = VLAN)
   Tunnel-Medium-Type: value 6 (Tunnel-Medium-Type = 802)
   Tunnel-Private-Group-Id: ASCII value 1 to 4094; this value is used to identify the specified VLAN
• Port priority vendor-specific attributes:
   Vendor-Id: value 562 (Nortel Networks vendor Id)
   Attribute Number: value 1 (Port Priority)
   Attribute Value: value 0 (zero) to 7; this value is used to indicate the port priority value assigned to the specified user

Authentication process

The flowcharts shown in Figure 5 and Figure 6 describe the authentication process.

Figure 5: Authentication process flowchart (1 of 2). Blocks recovered from the image: Login screen; Authentication successful?; Access denied, see System Administrator; Authentication server sent VLAN ID?; Switch restores VLAN ID and PVID values from NVRAM; Does VLAN exist?; Switch sets VLAN ID and PVID values to VLAN 1 (port-based VLAN); Switch sets VLAN ID and PVID values to preconfigured values stored in the Authentication server. (Key: off-page reference, on-page reference.)

Figure 6: Authentication process flowchart (2 of 2). Blocks recovered from the image: Authentication server sent Port Priority value? No: Switch restores Port Priority value from NVRAM; Is Port Priority value r…
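As an added example (not code from the release notes or from Avaya/Nortel), the following Python model of the exchange described above encodes the Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id and Nortel vendor-specific attributes as a RADIUS server would send them, parses them as the switch would, and applies the Figure 5 and Figure 6 fallback rules (VLAN 1 when the VLAN does not exist on the switch, NVRAM values when the server sends nothing). The RFC 2865/2868 attribute type numbers, the 4-byte VSA value encoding and all function names are assumptions not stated on the page.

```python
"""Constructed example: build, parse and act on the RADIUS attributes the BPS 2000
EAPOL feature uses (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-Id
1..4094, Nortel VSA 562/1 value 0..7), then apply the Figure 5/6 decisions."""
import struct

# Standard RFC 2865/2868 attribute numbers (assumed; the page only names the attributes).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
NORTEL_VENDOR_ID, PORT_PRIORITY_VSA_TYPE = 562, 1   # both values are stated on the page

def _attr(atype, value):
    """One RADIUS TLV; the Length byte counts the two header bytes as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_eapol_attributes(vlan_id=None, port_priority=None, tag=0):
    """Access-Accept attributes a RADIUS server would send; None means not sent."""
    out = b""
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN id must be 1..4094")
        out += _attr(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big"))        # 13 = VLAN
        out += _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big"))  # 6 = IEEE 802
        out += _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    if port_priority is not None:
        if not 0 <= port_priority <= 7:
            raise ValueError("port priority must be 0..7")
        # Vendor-Id, vendor type, vendor length, value (a 4-byte integer value is assumed)
        vsa = struct.pack("!IBBI", NORTEL_VENDOR_ID, PORT_PRIORITY_VSA_TYPE, 6, port_priority)
        out += _attr(VENDOR_SPECIFIC, vsa)
    return out

def parse_eapol_attributes(data):
    """Walk the TLVs as the switch would; return only validated values it acts on."""
    found = {"vlan_id": None, "port_priority": None}
    tunnel_type = medium = group = None
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)   # reject, do not guess
        atype, val = data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]
        if atype == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(val[1:4], "big")       # byte 0 is the RFC 2868 tag
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(val[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = val[1:] if val and val[0] <= 0x1F else val  # tag present only if <= 0x1F
        elif atype == VENDOR_SPECIFIC and len(val) >= 10:
            vendor, vtype, _, prio = struct.unpack("!IBBI", val[:10])
            if vendor == NORTEL_VENDOR_ID and vtype == PORT_PRIORITY_VSA_TYPE and prio <= 7:
                found["port_priority"] = prio
    if tunnel_type == 13 and medium == 6 and group and group.isdigit() and 1 <= int(group) <= 4094:
        found["vlan_id"] = int(group)
    return found

def authorize_port(attrs, existing_vlans, nvram):
    """Figure 5/6 logic: server VLAN if it exists on the switch, VLAN 1 if it does
    not, and NVRAM values when the server sent nothing; port priority likewise."""
    if attrs["vlan_id"] is None:
        vlan = nvram["vlan_id"]
    else:
        vlan = attrs["vlan_id"] if attrs["vlan_id"] in existing_vlans else 1
    prio = nvram["priority"] if attrs["port_priority"] is None else attrs["port_priority"]
    return {"vlan_id": vlan, "pvid": vlan, "priority": prio}
```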
…rs.

11. Choose Applications > QoS > QoS Advanced > Policies.

Note: You cannot edit Policies. To change the Policy, you must first delete the current Policy and create the one you want.

The Policies page opens (Figure 2).

Figure 2: Policies page (Web-based management screen capture, not reproduced; it shows the Policy Table and the Policy Creation area with the Policy Name, Filter Group Type, Filter Group, Role Combination, Order and Meter fields)

12. In the Policy Creation area, create the policy for each traffic policing filter. Table 3 describes the fields in the Policy Creation box, which you use to set new policies.

Table 3: Policy Creation fields (Field: Description)
Policy Name: Enter the name for the…
…rsion 1.1 and BayStack 450 version 4.0. The Main Menu of the Console Interface (CI) menus shows an Interoperability Software Version Number (ISVN). For the latest releases, the ISVN is 2 for both the BayStack 450 and BPS 2000 switches.

QoS traffic policing

For more information on Quality of Service (QoS) and the BPS 2000, as well as sample QoS configurations, refer to Using Web-Based Management for the Business Policy Switch 2000 and Release Notes for the Business Policy Switch 2000.

This section contains the following information on QoS traffic policing:
   • Introduction (next)
   • QoS and configuring filters (page 9)
   • Configuring using the Web-based management system (page 9)

Introduction

The BPS 2000 switch can interoperate with the Nortel Networks Optivity Policy Server using Common Open Policy Services (COPS). For information about Optivity, go to the www.nortelnetworks.com/documentation URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product, in this case the Optivity Network Management and IP Services section.

QoS traffic policing, which operates at ingress, provides different levels of service to data streams through user-configurable parameters. An example would be to limit traffic entering a port to a specified bandwidth, such as 25 Kb/s. Com…
…s.
   • Force Authorized: Always authorized
Operational Status: Displays the current authorization status.

Table 9: EAPOL Security Configuration page fields (continued) (Field: Description)
Administrative Traffic Control: Allows you to set EAPOL authentication either for incoming and outgoing traffic or for incoming traffic only.
   • In & Out: Incoming and outgoing traffic
   • In Only: Incoming traffic only
Operational Traffic Control: Displays the current administrative traffic control setting.
Re-authenticate Now: Allows you to activate EAPOL authentication immediately, without waiting for the re-authentication period to expire.
   • Yes: Re-authenticate now
   • No: Wait for the period to expire
Re-authentication: Allows you to repeat EAPOL authentication according to the time value specified in the Re-authentication Period field, by choosing Enabled or Disabled.
Re-authentication Period: With Re-authentication enabled, allows you to specify the time period between successive EAPOL authentications. You can set this field between 1 and 604800 seconds.
Quiet Period: Allows you to specify the time interval between an authentication failure and the start of a new authentication attempt. You can set this field between 0 and 65535 seconds.
Transmit Period: Allows you to specify how long the switch waits fo…
…s and release notes free directly from the Internet. Go to the www25.nortelnetworks.com/library/tpubs URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Acrobat Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

New features and enhancements

The following paragraphs describe the new features and enhancements offered with the BPS 2000 software version 1.1:
   • Compatibility with BayStack 450 Switch software version 4.0 (next)
   • QoS traffic policing (page 7)
   • EAPOL-based security (page 15)
   • Support for the GBIC MDA (page 43)
   • Automatic PVID (page 43)
   • Ability to ping (page 54)
   • Tabular port statistics (page 53)
   • Improved STP Fast Learning Mode (page 54)
   • BootP menu item for a stack of only BPS 2000 switches (page 54)
   • Additional Web-based management operation (page 55)

Compatibility with BayStack 450 Switch software version 4.0

The software version 1.1 for the BPS 2000 is compatible with version 4.0 for the BayStack 450 Switch. When you are using these two switches combined in a stack configuration, ensure that both are running the latest software version (BPS 2000 ve…
…ssigned to each interface.
PortProtocolVersion: The EAP protocol version that is running on this port.
PortCapabilities: The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable(0).
PortInitialize: Setting this attribute to True causes this port's EAPOL state to be initialized.
PortReauthenticate: Setting this attribute to True causes the reauthentication of the client.
PaeState: The current authenticator PAE state machine state value.
BackendAuthState: The current state of the Backend Authentication state machine.
AdminControlledDirections: The current value of the administrative controlled directions parameter for the port.
OperControlledDirections: The current value of the operational controlled directions parameter for the port.
AuthControlledPortStatus: The current value of the controlled port status parameter for the port.
AuthControlledPortControl: The current value of the controlled port control parameter for the port.
QuietPeriod: The current value of the time interval between authentication failure and the start of a new authentication.
TxPeriod: Time to wait for response from supplicant for EAP Request Identity packets.
SuppTimeout: Time to wait for response from supplicant for all EAP packets except EAP Request Identity.

Table 8: EAPOL tab fields for multiple ports (continued)
(EAPOL Security Configuration page screen capture: per-port rows of the fields described in Table 9 with their ranges; values not reproduced)

Table 9 describes the fields on the EAPOL Security Configuration page.

Table 9: EAPOL Security Configuration page fields (Field: Description)
EAPOL Administrative State: Enables or disables EAPOL-based security.
Port: Displays the port number.
Initialize: Choosing Yes from the list activates EAPOL state on this port.
Administrative Status: Allows you to set the EAPOL authorization status for the specified unit/port.
   • Force Unauthorized: Always unauthorized
   • Auto: Status depends on EAP authentication result
…t.

9. To clear the information collected so far on the selected ports, return to the Security Configuration page (Figure 27) and click the Action icon in the Clear by Ports line in the MAC Security Table section at the bottom of the Security Configuration page. The Ports List View / Clear by Ports page opens (Figure 32).

Figure 32: MAC Address Port List View, Clear By Ports page (Web-based management screen capture, not reproduced; it shows the Application > MAC Address Security > Security Configuration > Clear by Ports port check-box grid per unit)

   Deselect the ports and click Submit. The Security Configuration page (Figure 27) opens.

10. Click Port Configuration from the Main Menu on the left, under MAC Address Security. The Port Configuration page opens (Figure 33).
…thentication attempt. Default: 60 seconds. Range: 0 to 65535 seconds.
Transmit Period: Allows you to specify how long the switch waits for the supplicant to respond to EAP Request Identity packets. Default: 30 seconds. Range: 1 to 65535 seconds.
Supplicant Timeout: Allows you to specify how long the switch waits for the supplicant to respond to all EAP packets except EAP Request Identity packets. Default: 30 seconds. Range: 1 to 65535 seconds.
Server Timeout: Allows you to specify how long the switch waits for the RADIUS server to respond to all EAP packets. Default: 30 seconds. Range: 1 to 65535 seconds.

Table 4: EAPOL Security Configuration screen options (continued) (Option: Description)
Maximum Requests: Allows you to specify the number of times the switch attempts to resend EAP packets to a supplicant. Default: 2 attempts. Range: 1 to 10 attempts.

Configuring EAPOL using JDM

You can configure the BPS 2000 for EAPOL using Java Device Manager (JDM). Additionally, you can view the statistics for running EAPOL and for the diagnostics.

To configure EAPOL:

1. From the Device Manager main menu, choose Edit > Chassis. The Chassis dialog box opens with the System tab displayed (Figure 8).

Figure 8: System tab (Chassis dialog box screen capture, not reproduced)

2. In the EAPOL Security area, in the SystemAuthControl field, click enabled to enable p…
…tion > VLAN > Port Configuration. The Port Configuration page opens (Figure 22).

Figure 22: Port Configuration page (Web-based management screen capture, not reproduced; the VLAN Port Setting table has the columns Port, Name, Filter Tagged Frames, Filter Untagged Frames, Filter Unregistered Frames and the PVID box)

   a. Enter the PVID value you want in the box for that port.
   b. Click Submit.

Tabular port statistics

With software version 1.1, you can view all ports in the entire stack that have an error. If a particular port has no errors, it will not be displayed.

To view a summary of the port errors for the BPS 2000:

1. From the main menu of the Business Policy Switch 2000 Web-based management system, choose Statistics > Port Error Summary. The Port Error Summary page opens (Figure 23).

Figure 23: Port Error Summary page (screen capture not reproduced)
…tional controlled directions parameter for the port.
AuthControlledPortStatus: The current value of the controlled port status parameter for the port.
AuthControlledPortControl: The current value of the controlled port control parameter for the port.
QuietPeriod: The current value of the time interval between authentication failure and the start of a new authentication.
TxPeriod: Time to wait for response from supplicant for EAP Request Identity packets.
SuppTimeout: Time to wait for response from supplicant for all EAP packets except EAP Request Identity.
ServerTimeout: Time to wait for a response from the RADIUS server.
MaxReq: Number of times to retry sending packets to the supplicant.
ReAuthPeriod: Time interval between successive re-authentications.
ReAuthEnabled: Whether to re-authenticate or not. Setting this object to Enabled causes reauthentication of the existing supplicant at the time interval specified in the Re-authentication Period field.
KeyTxEnabled: The value of the KeyTransmissionEnabled constant currently in use by the Authenticator PAE state machine. This always returns false, as key transmission is irrelevant.

Table 5: EAPOL tab items for a single port (continued) (Item: Description)
LastEapolFrameVersion: The protocol version number carried in the most recently received EAPOL frame.
