OmniAccess SafeGuard OS Administration Guide
Release 3.0.2
Part Number: 005-0033 Rev A1
Published: March 2007
Alcatel-Lucent, 26801 West Agoura Road, Calabasas, CA 91301 USA, (818) 880-3500, WWW.ALCATEL-LUCENT.
Alcatel-Lucent Proprietary. Copyright © 2007 Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel-Lucent. Alcatel-Lucent® and the Alcatel-Lucent logo are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
Contents
Preface
About This Guide  16
Audience  16
Conventions Used in This Guide  16
Related Publications
Enabling and Disabling CLI Display Paging  37
Uploading a New CLI Banner File  38
Uploading the CLI Log File  38
Copying the System Diagnostics File
Configuring SNMP on the Device  68
Setting the SNMP Name  69
Setting the SNMP Physical Location  69
Designating the SNMP Contact
Changing the Exception Recovery Parameters  107
Enabling System Reboots on LSP Watchdog Events  108
Viewing the Exception Recovery Status  108
Chapter 3: Working with Configuration Files and Upgrading Images
Understanding Configuration Files
Assigning Ports to VLANs  132
Forwarding Tagged and Untagged Frames  132
Why Use VLANs?  132
Configuring VLANs on the SafeGuard Switch
Configuring Port Security  176
Enabling Port Locking  176
Setting the Maximum Number of Dynamically Locked MAC Addresses  177
Setting the Maximum Number of Statically Locked MAC Addresses
Configuring Captive Portal  220
Planning for Captive Portal  221
Configuring the Hijack Port  222
Configuring the Redirect Port
Reauthenticating the 802.1x Port  274
Configuring the Maximum Authentications for the 802.1x Port  274
Re-authenticating the Supplicant for the 802.1x Port  275
Configuring the 802.1x Port Timeout  275
Role Derivation
Refreshing Policies and Roles  321
Network Zones Example  321
Application Groups Example  322
Overriding System Policies with a User Policy
Chapter 9: End Point Validation
Determining the Posture of a Host  342
Configuring EPV  345
Configuring EPV Policies  345
Creating Global Bypass Policies
Configuring Mirroring  369
Displaying Malware Configurations  370
Displaying DNS Information  371
Displaying a Malware Policy Configuration
Preface
In this preface:
■ About This Guide
■ Related Publications
■ Guide Organization
About This Guide
This guide provides concept and configuration instructions for the major features of SafeGuard OS and its supported products.
Audience
This guide is intended for experienced network administrators who are responsible for managing SafeGuard OS.
Conventions Used in This Guide
Table 1 lists the text conventions used in this guide.
Table 1 Text Conventions
Convention: Description
courier: Command name or screen text.
courier bold: Command text to be entered by the user.
Related Publications
For more information about configuring and managing a SafeGuard device, refer to the following guides:
■ OmniAccess SafeGuard Controller Installation Guide. Describes the OmniAccess SafeGuard Controller. The guide provides detailed installation instructions and technical specifications for the OmniAccess SafeGuard Controller.
Table 2 Guide Organization (continued)
Chapter or Appendix: Contents
Chapter 4, Configuring SafeGuard Controllers: Describes features specific to SafeGuard Controllers.
Chapter 5, Setting Up SafeGuard Switches: Describes numerous configurations specific to SafeGuard switches, including:
  ■ setting up Virtual Local Area Networks (VLANs)
  ■ setting up IP unicast or multicast routing.
Chapter 6, Configuring Authentication and Role Derivation:
Chapter 1 SafeGuard OS Overview
In this chapter:
■ Alcatel-Lucent Solution and Product Overview
■ Deployment Models
■ Understanding Protection Modes
■ SafeGuard OS Overall Feature Summary
Chapter 1: SafeGuard OS Overview
Alcatel-Lucent enables enterprises to secure their LANs with purpose-built devices based on custom silicon. IT can control who is allowed onto the LAN, restrict what users can do on the LAN, and prevent threats from disrupting network services or compromising data. Customers can embed security directly in their LAN infrastructure using Alcatel-Lucent's network device products: the SafeGuard Controller and SafeGuard Switch.
following capabilities in the same device, ensuring that there is no centralized point of failure:
— Device Management: Administrators can set up, manage, and diagnose problems for the device as a network device.
— Authentication: With Network Access Control (NAC) capabilities, authentication and posture checking are provided to control who can enter the LAN.
OmniVista SafeGuard Manager compiles information based on user transactions, presenting all of the activities and access violations tied to usernames. It provides traffic views on a per-user and per-flow basis, allowing for detailed auditing, reporting, and forensics. For example, OmniVista SafeGuard Manager could display all users running Instant Messenger or detail every application, computer, and file a particular user has touched.
Figure 1 SafeGuard Controller and Switch in a Typical Deployment (figure: Internet; data center with Active Directory, RADIUS servers, remediation servers and Alcatel-Lucent OmniVista SafeGuard Manager; LAN core; distribution layer with a transparent OmniAccess SafeGuard deployment; access layer with 10 Gigabit uplinks to an OmniAccess switch)
With the preferred standard and typical deployment model, the SafeGuard Controller device is a multi-port “bump-in-the-wire” device between the edge switc
Figure 2 High Availability (Redundant) SafeGuard Controller Deployment (figure: Internet and WAN/VPN; core switch, firewall and secure LAN controller; data center with Active Directory and RADIUS; edge switches for Finance, Operations, Marketing and the executive suite)
Understanding Protection Modes
Ingress and egress data traffic is managed by SafeGuard devices based on the level of protection mode set
Table 3 Supported Protection Modes (continued)
Protection Mode: When Used
SafeGuard Controller Protect Mode: Typical Deployment. Authentication, captive portal, visualization, malware detection and protection, and user-based policy checking are applied to all data traffic and actively enforced.
SafeGuard OS Overall Feature Summary
The following table summarizes SafeGuard OS features supported by SafeGuard devices.
User/Machine Authentication
■ Authentication via 802.
Chapter 2 Accessing and Managing the System
In this chapter:
■ Connecting to a SafeGuard Device Console
■ Accessing the SafeGuard Device Command Line Interface
■ Configuring Management Users
■ Managing Out-of-Band Management Port
■ Setting Up the System Time and Date (SNTP)
■ Managing Device Information
■ Managing Network Information
■ Configuring the Network Protocol
■ Configuring SNMP on the Device
■ Configuring Domain Name Servers
■ Resetting the Device
■ Configuring Data Traffic Ports
■ Configuring H
Chapter 2: Accessing and Managing the System
This chapter describes the tasks associated with managing the SafeGuard Controller or the SafeGuard Switch as a device in the network.
Connecting to a SafeGuard Device Console
SafeGuard devices can be managed using a PC or laptop computer connected to the SafeGuard Controller or SafeGuard Switch. To connect a SafeGuard device console:
1 Using a null cable, connect a PC or laptop computer to the DCE port on the back of the device.
enable
This command has no parameters or variables. For example:
(SafeGuardOS) #?
(SafeGuardOS) #enable
(SafeGuardOS) #
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #
See the following sections for more details on accessing SafeGuard devices:
■ Using Telnet
■ Using Secure Shell (SSH)
■ Customizing and Working with the Command Line Interface Default Settings
Using Telnet
A SafeGuard device can be accessed via a Telnet session.
show sessions
An example of this output and an explanation of the fields is given in Tracking an Authenticated User Session on page 219.
Closing a Telnet or SSH Session
To close a Telnet or SSH session, use the disconnect command in Privileged Exec mode.
disconnect [sessionID | all]
Syntax Description
sessionID: Disconnects the session specified by the session identifier. Use the show sessions command to find the session ID.
no ip telnet timeout
Syntax Description
timeout: Sets the number of minutes that a session can be idle. Valid range is a decimal value from 0 to 160. A value of 0 indicates that the session remains active indefinitely. The default value is 5.
■ Changing SSH Protocols
■ Limiting SSH Sessions
■ Setting the SSH Timer
■ Displaying SSH Configuration Information
Enabling an SSH Session
To enable an SSH session on the device:
1 Enable SSH on the device by entering the ip ssh command in Global Configuration mode. The no version of the command disables SSH, which is the default state.
ip ssh
no ip ssh
The commands have no parameters or variables.
nvram:sshkey-rsa1: Specifies to download an SSH RSA1 key file.
nvram:sshkey-rsa: Specifies to download an SSH RSA2 key file.
The following example shows how to download an SSH RSA1 key file from the TFTP server:
(SafeGuardOS) # copy tftp://180.29.52.20/keys nvram:sshkey-rsa1
(SafeGuardOS) #
Generating DSA, RSA, RSA Keys
The first time that SSH is enabled, the SafeGuard OS generates keys for DSA, RSA and RSA1 which are not installed.
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #ip ssh key delete
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
Changing SSH Protocols
By default, SafeGuard OS supports both SSH versions 1 and 2. The protocols can be deleted or added as necessary by explicitly defining one or both. Use the ip ssh protocol command in Global Configuration mode to change the protocol support.
Setting the SSH Timer
SSH connections time out at 5 minutes, by default. To change the timeout timer to a value from 1 to 160 minutes, use the ip ssh timeout command in Global Configuration mode.
NOTE: A session remains active until it has been idle for the configured value. Changing the timeout value for active sessions does not become effective until the session is re-accessed. Also, any keystroke activates the new timeout duration.
The fields in the output represent:
Display: Description
Administrative Mode: Displays whether the administrative state of SSH has been enabled or disabled.
Operational Mode: Displays the operational status of SSH and indicates whether SSH is currently enabled or disabled.
Protocol Levels: Displays the protocol level. This field may have the
SSH Sessions Currently Active: Displays the number of currently active SSH connections. This field can be from 0 to 5.
Changing the System Command Prompt
To change the command line interface prompt, use the set prompt command in enable mode. The length of the prompt can be up to 64 alphanumeric characters.
set prompt string
Syntax Description
string: Sets the command prompt to an alphanumeric string of up to 64 characters.
The following example disables CLI display paging:
(SafeGuardOS)# paging disable
(SafeGuardOS)#
Uploading a New CLI Banner File
To upload the CLI banner file, use the copy nvram:clibanner command in Global Configuration mode.
copy nvram:clibanner tftp://ip/{filepath/}filename
Syntax Description
ip: Specifies the IP address of the TFTP server.
filepath: (Optional) Specifies the directory path to the file.
Copying the System Debug File
To copy a system debug file, use the copy system:dump command in Global Configuration mode.
copy system:dump://ip/{filepath/}filename
Syntax Description
ip: Specifies the IP address of the TFTP server.
filepath: (Optional) Specifies the directory path to the file.
filename: Specifies the filename of the file being saved.
■ Network Users: Network users are end-users defined in the SafeGuard local authentication database. Network users do not have authority to execute commands at the command line. For more information on managing network users, see Maintaining Users on page 258.
This section describes setting up administrator and network user access to SafeGuard devices. By default, an “Admin” user is configured with the initial configuration.
mode
The modes, from highest to lowest privilege, are:
■ admin-user: An admin user is allowed to access all commands.
■ priv-user: The privilege user is allowed to access only show and action commands.
■ exec-user: The exec user is allowed to access only show commands.
abcd  priv-user  Exec  Exec  Read Only  Read Only  None  None  None  None
(SafeGuardOS) #
NOTE: SNMPv3 will be supported in a future release.
The fields in the output represent:
Field: Description
User Name: Username as detected by its authentication.
User Access Mode: The user’s access mode.
SNMPv3 Access Mode: The SNMPv3 access mode.
SNMPv3 Authentication: Whether the user has SNMPv3 authentication.
Configuring Local Authentication for Management Users
Users are set up in the authentication database by assigning them to a set of roles, usually defined by group, and then by mapping a set of authentication protocol-specific attributes and their values to a role. The attributes are first obtained by user authentication against the local authentication database.
show aaa mgmt-users authentication list
This command has no options or parameters.
The following example shows disabling RADIUS authentication of non-configured users:
(SafeGuardOS) (config) # no aaa mgmt-user defaultlogin salesList
(SafeGuardOS) (config) #
Configuring RADIUS Users for Management Users
In order to provide administrative privileges to remote RADIUS users, the Service-Type field in RADIUS must be configured to return the appropriate value.
Clearing All Passwords
To clear all user passwords and reset them to the factory defaults (null) without powering off the device, use the clear pass command in Privileged Exec mode. When prompted to confirm that the password reset should proceed, enter y for Yes.
dhcp: (Default) Specifies DHCP as the protocol.
The following command example changes the protocol to bootstrap:
(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) # service protocol none
(SafeGuardOS) (config) # service protocol bootp
(SafeGuardOS) (config) #
Setting the IP Address, Netmask, and Gateway of the System
To set the IP address, netmask, and gateway of the management port, use the serviceport ip command in Global Configuration mode.
Setting Speed and Duplex for the Management Port
The management port can operate at a variety of speeds and duplex settings. The default settings are to auto-negotiate with the link partner. For auto-negotiation to succeed, the management port and the link partner must both be set for auto-negotiating. Otherwise, the management port attempts to auto-negotiate but could fail if traffic does not match the auto-negotiated speed.
The command has no options or parameters. The following output is representative of the show serviceport command on a SafeGuard Switch. This command’s output on a SafeGuard Controller would be similar, but with the addition of “Gateway Address” following the “Subnet Mask” line:
(SafeGuardOS) #show serviceport
Current ServicePort IP configuration
IP Address..................................... 172.16.1.10
Subnet Mask.................................... 255.255.
Field: Description
ServPort Configured Protocol Current: Network protocol that is currently being used, if any.
Service Port Statistics
Total Packets Received: Total number of packets (including broadcast packets and multicast packets) that were received by the management port.
Total Packets Transmitted: Total number of packets that were transmitted from the management port.
Heartbeat Errors: 0
Window Errors: 0
Displaying Address Resolution Protocol Information
SafeGuard Controllers have a preset configuration for the address resolution protocol (ARP) table and the ARP cache. SafeGuard Switches allow modification of the ARP settings. For details on configuring ARP on the SafeGuard Switch, see Configuring Address Resolution Protocol on page 184.
To set the device to the correct timezone, use the clock timezone command in either Privileged Exec or Global Configuration mode.
clock timezone zonename hours_offset {minutes_offset}
Syntax Description
zonename: Specifies an arbitrary name of the timezone as a 3-letter abbreviation. For example, Eastern Standard Time is entered as EST.
hours_offset: Specifies the number of hours difference from Universal Time (a.k.a. Greenwich Mean Time, GMT).
3 Set up Daylight Savings Time. In many countries, clocks are set back an hour in the Summer when the days become longer. Often referred to as Daylight Savings Time, this seasonal adjustment requires system clocks to be reset. Use the clock summer-time command in Global Configuration mode to adjust for this seasonal change.
endtime: Hour to change the time back. The format is hh:mm.
The following example configures Summer hours as a recurring event.
(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) # clock summertime recurring
(SafeGuardOS) (config) # exit
4 To display the system time, use the show clock command in Privileged Exec mode using the following syntax:
show clock
The command has no parameters or variables.
(SafeGuardOS) (config) # exit
(SafeGuardOS) #
To delete this server, use the no version of the command.
2 Validate the SNTP server setup using the show sntp server command in Privileged Exec mode.
show sntp server
This command has no options or parameters.
3
Display: Description
Server Reference ID: Displays the reference clock identifier of the server for the last received valid packet.
Server Mode: Displays the SNTP server mode.
Server Maximum Entries: Displays the total number of SNTP servers allowed.
Server Current Entries: Displays the total number of SNTP servers configured.
IP Address: Displays the IP address of the SNTP server.
Address Type: Displays the address type of the configured server.
show sntp client
This command has no options or parameters. The following example is representative of the command output:
(SafeGuardOS) #show sntp client
Client Supported Modes: unicast broadcast
SNTP Version: 4
Port: 123
Client Mode: disabled
The fields in the show sntp client output represent:
Display: Description
Client Supported Modes: Displays the supported SNTP Modes (Broadcast or Unicast).
Optional SNTP Client Configurations
SafeGuard OS also allows for optional SNTP configuration. The poll interval can be set for either broadcast or unicast clients. The poll retry and the poll timeout values can also be set for the clients.
sntp unicast client poll-retry retry
no sntp unicast client poll-retry
Syntax Description
retry: Specifies the number of retries for SNTP client polling. Valid values are 0 to 10. The default is 1.
(SafeGuardOS) #
Managing Device Information
This section describes the commands used for managing the Alcatel-Lucent SafeGuard device, including their names, descriptions, arguments, and argument descriptions.
ping ipaddr
Syntax Description
ipaddr: Target IP address to ping.
The following example pings the device at IP address 10.1.1.0:
(SafeGuardOS) # ping 10.1.1.0
(SafeGuardOS) #
Displaying Version Information
To display the SafeGuard OS version information, use the show version command in Privileged Exec mode.
show version
The command has no options or parameters.
The fields in the output represent:
Display: Description
Manufacturer: Identifies the device as manufactured by Alcatel-Lucent.
System Description: Factory-assigned description of the system.
Serial Number: Serial number of the device.
Burned In MAC Address: Burned-in MAC address. Used as the MAC address for the serviceport.
Software Version: Version of SafeGuard OS. The version is in the format version.release.maintenance_level.
Displaying Hardware Information
To display the device hardware information for either a SafeGuard Controller or a SafeGuard Switch, use the show hardware command in Privileged Exec mode.
show hardware
The command has no options or parameters. The following sample output is representative of the command on a controller:
(SafeGuardOS) #show hardware
Manufacturer................................... Alcatel-Lucent Inc.
System Description.............................
LSD Serial Number..............................
LSD Rev........................................
Main Board CPLD Version........................
Internal Temperature...........................
Fan 1 Speed....................................
Fan 2 Speed....................................
Power Supply 1 (AC)............................
Power Supply 2 (AC)............................
Field: Description
Power Supply: SafeGuard Controllers have one power supply that cannot be hot swapped. The SafeGuard Switch has two power supplies that can be hot swapped. If the power supply is present and operating, it displays as PASS. If the power supply is absent or not operating, it displays as FAIL.
Parity......................................... none
(SafeGuardOS)#
The fields in the output represent:
Field: Description
Serial Port Login Timeout (minutes): The time (in minutes) of inactivity on a serial port connection, after which the device closes the configured connection. Any numeric value between 0 and 160 is allowed. The factory default is 5. A value of 0 disables the timeout.
The following example performs a trace route on IP address 172.16.1.22:
(SafeGuardOS) # traceroute 172.16.1.22
Tracing route over a maximum of 20 hops
1 172.16.1.22 1 ms 0 ms 0 ms
(SafeGuardOS) #
Managing Network Information
This section describes the commands used for configuring the network.
network mac-type {network | burnedin}
Syntax Description
network: Select the locally administered MAC address.
burnedin: Select the burned-in MAC address.
■ Configuring SNMP Communities
■ Configuring an SNMP Target
■ Enabling and Disabling SNMP Traps
■ Displaying SNMP Community Information
■ Displaying SNMP Target Information
■ Displaying SNMP System Information
Setting the SNMP Name
To set the SNMP name of the device, use the snmp-server sysinfo name command. The syntax for the Global Configuration command is:
snmp-server sysinfo name name
Syntax Description
name: Name of a device.
Designating the SNMP Contact
To designate the person or the organization responsible for SNMP on the network, use the snmp-server sysinfo contact command. The syntax for the Global Configuration command is:
snmp-server sysinfo contact contact
Syntax Description
contact: Text used to identify a contact person or organization for the device. It can be up to 31 alphanumeric characters. The factory default is blank.
Establishing Access for the SNMP Community
To change an existing community string to read-write access privileges, use the snmp-server community rw command.
snmp-server community [rw name | ro name]
Syntax Description
ro: (Default) Indicates that the specified name has read-only privileges.
rw: Indicates that the specified name has read-write privileges.
name: Name of an SNMP server community.
Setting a Client Netmask for an SNMP Community
To set a client netmask for an SNMP community, use the snmp-server community netmask command.
snmp-server community netmask mask name
Syntax Description
mask: The netmask.
name: SNMP community name.
Configuring an SNMP Target
The SafeGuard device allows authorized SNMP community trap receivers to be one or more network management stations on the network.
new-ipaddr: The new IP address of the trap receiver.
The following example changes the address of the trap receiver with the community “public” and the IP address 172.16.140.90 to have an IP address of 172.16.230.10:
(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) # snmp-server target ipaddr public 172.16.140.90 172.16.230.
Displaying SNMP Community Information
To display the SafeGuard device SNMP community information, use the show snmp-server community command. Communities can be added, changed, or deleted. The device does not have to be reset for changes to take effect. The SNMP agent of the device complies with SNMP Version 2 (for more information about the SNMP specification, refer to the SNMP RFCs).
Table 6 Parameters Displayed with the show snmp-server community Command
Option: Description
Access Mode: Access level for this community string; valid entries are read only and read/write.
Status: Status of this community access entry, either enabled or disabled.
Displaying SNMP Target Information
To display the SNMP target information, use the show snmp-server target command.
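As an added example (not from this guide and not SafeGuard OS code), the following Python script reviews a constructed configuration excerpt written in the CLI syntax documented in this chapter for the Telnet idle timeout, SSH enablement, protocol versions and timer, and SNMP community access and client netmask, and reports the settings a hardening review would flag. The `ip telnet` / `no ip telnet` enable form and the `ip ssh protocol 1 2` argument list are assumptions; the guide names those commands without showing those arguments.

```python
"""Configuration review for SafeGuard OS management access.

Added example, not part of the Alcatel-Lucent guide or of SafeGuard OS.
It reads a constructed running-config excerpt written in the command
syntax the guide documents (ip telnet timeout, ip ssh, ip ssh timeout,
snmp-server community rw/ro, snmp-server community netmask) and lists
the settings a hardening review would question. Assumed, not from the
guide: the 'ip telnet' / 'no ip telnet' enable form and the argument
list of 'ip ssh protocol 1 2'.
"""
import ipaddress

# Constructed sample in the guide's CLI syntax; not a real device dump.
SAMPLE_CONFIG = """\
ip telnet
ip telnet timeout 0
ip ssh
ip ssh protocol 1 2
ip ssh timeout 30
snmp-server community rw public
snmp-server community ro monitor
snmp-server community netmask 0.0.0.0 public
snmp-server community netmask 255.255.255.0 monitor
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}
MAX_SSH_IDLE_MINUTES = 15  # local policy choice; the guide allows 1 to 160


def parse_config(text):
    """Collect management-access settings, starting from the guide's defaults."""
    cfg = {
        "telnet": False,
        "telnet_timeout": 5,      # minutes; 0 means the session never expires
        "ssh": False,             # disabled is the default state
        "ssh_protocols": {1, 2},  # both versions supported by default
        "ssh_timeout": 5,         # minutes
        "communities": {},        # name -> {"access": "ro"|"rw", "netmask": str|None}
    }

    def community(name):
        return cfg["communities"].setdefault(name, {"access": "ro", "netmask": None})

    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        negated = tokens[0] == "no"   # 'no <command>' restores the default
        if negated:
            tokens = tokens[1:]
        cmd = " ".join(tokens)
        if cmd == "ip telnet":
            cfg["telnet"] = not negated
        elif cmd.startswith("ip telnet timeout"):
            cfg["telnet_timeout"] = 5 if negated else int(tokens[3])
        elif cmd == "ip ssh":
            cfg["ssh"] = not negated
        elif cmd.startswith("ip ssh protocol"):
            cfg["ssh_protocols"] = {1, 2} if negated else {int(t) for t in tokens[3:]}
        elif cmd.startswith("ip ssh timeout"):
            cfg["ssh_timeout"] = 5 if negated else int(tokens[3])
        elif cmd.startswith("snmp-server community netmask"):
            community(tokens[4])["netmask"] = tokens[3]   # ... netmask <mask> <name>
        elif cmd.startswith("snmp-server community"):
            community(tokens[3])["access"] = tokens[2]    # ... community <rw|ro> <name>
    return cfg


def client_prefix_length(netmask):
    """Number of fixed bits in a dotted netmask; 0 means any client is accepted."""
    if netmask is None:
        return 0
    return bin(int(ipaddress.IPv4Address(netmask))).count("1")


def review(cfg):
    """Return the findings a reviewer would raise, as short strings."""
    findings = []
    if cfg["telnet"]:
        findings.append("telnet: enabled; management traffic is cleartext, prefer SSH")
        if cfg["telnet_timeout"] == 0:
            findings.append("telnet: idle timeout 0, sessions never expire")
    if not cfg["ssh"]:
        findings.append("ssh: disabled")
    if 1 in cfg["ssh_protocols"]:
        findings.append("ssh: protocol version 1 enabled")
    if cfg["ssh_timeout"] > MAX_SSH_IDLE_MINUTES:
        findings.append(f"ssh: idle timeout {cfg['ssh_timeout']} min exceeds policy")
    for name, c in sorted(cfg["communities"].items()):
        if c["access"] == "rw":
            findings.append(f"snmp: community '{name}' has read-write access")
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"snmp: community '{name}' uses a well-known name")
        if client_prefix_length(c["netmask"]) == 0:
            findings.append(f"snmp: community '{name}' has no client netmask restriction")
    return findings


if __name__ == "__main__":
    for finding in review(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Because SNMPv3 is not available in this release, the community string and its client netmask are the only controls on SNMP access, which is why the script treats a read-write or unrestricted community as a finding.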
(SafeGuardOS) #show snmp-server sysinfo
System Description............................. OAG4048x
System Name.................................... oag4048
System Location................................ ca95134
System Contact................................. it2028
System Object ID............................... Alcatel-Lucent.2.1.
System Up Time.................................
Table 8 Parameters Displayed with the show snmp-server sysinfo Command
Option: Description
System Object ID: System Object ID.
System Up Time: The amount of time the system has been running.
MIBs Supported: A list of supported MIBs.
Configuring Domain Name Servers
To use some of the posture checking features, domain name servers (DNS) must be configured.
Creating a DNS Name Server List
A DNS name server list with up to three IP addresses can be created. When more than one address is listed, the system uses the order specified to determine the order of priority for name resolution. To create a DNS name list, use the ip nameserver command in Privileged Exec mode. To remove one or two of the name servers, re-enter the ip nameserver command without their IP addresses.
Resetting the Device

To reset the SafeGuard device without powering it off, use the reload command in Privileged Exec mode. A reset means that all network connections are terminated and the boot code executes. The device uses the stored configuration to initialize itself. When prompted to confirm that the reset should proceed, enter y for Yes. The LEDs on the device indicate a successful reset.
The following example enters interface configuration mode for slot 0 port 25:

(SafeGuardOS)#configure terminal
(SafeGuardOS) (config) #interface 0/25
(SafeGuardOS) (Interface 0/25)#

Enabling and Disabling an Interface

To disable an interface, use the shutdown command in interface configuration submode. This command disables all functions on the specified interface and marks it as unavailable.

shutdown

This command has no options or arguments.
switchport – Displays statistics for the entire switch.

The following example shows the data available for port 20:

(SafeGuardOS) (config) #show interface 0/20
Packets Received...............................
Packets Received With Error....................
Broadcast Packets Received.....................
Packets Transmitted............................
Transmit Packet Errors.........................
Collision Frames...............................
Table 9 Show interface Option Descriptions (continued)

Time Since Counters Last Cleared – The elapsed time, in days, hours, minutes, and seconds, since the statistics for this port were last cleared.

Displaying Ethernet Interface Information

To display the Ethernet interface information for the device, use the show interface ethernet command.
Total Bytes Transmitted: 0
Max Frame Size: 1522
Total Packets Transmitted Successfully: 0
Unicast Packets Transmitted: 0
Multicast Packets Transmitted: 0
Broadcast Packets Transmitted: 0
Total Transmit Errors: 0
FCS Errors: 0
Tx Oversized: 0
Underrun Errors: 0
Total Transmit Packets Discarded: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
Excessive Collision Frames: 0
Port Membership Discards: 0
VLAN Viable Discards: 0
802.
Table 10 shows Ethernet interface options and descriptions.

Table 10 Ethernet Interface Options

Packets Received Without Error
Octets Received – The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including Frame Check Sequence (FCS) octets). This object can be used as a reasonable estimate of Ethernet utilization.
Table 10 Ethernet Interface Options (continued)

Packets Received Successfully
Total – The total number of packets received that were without errors.
Unicast Packets Received – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Multicast Packets Received – The total number of good packets received that were directed to a multicast address.
Table 10 Ethernet Interface Options (continued)

Received Packets not Forwarded
Total – A count of valid frames received which were discarded (i.e., filtered) by the forwarding process.
Local Traffic Frames – The total number of frames dropped in the forwarding process because the destination address was located off of this port.
802.
Table 10 Ethernet Interface Options (continued)

Packets Transmitted Octets
Total Bytes – The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval.
Table 10 Ethernet Interface Options (continued)

Packets Transmitted Successfully
Total – The number of frames that have been transmitted by this port to its segment.
Unicast Packets Transmitted – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Table 10 Ethernet Interface Options (continued)

Protocol Statistics
BPDUs Received – The count of BPDUs (Bridge Protocol Data Units) received in the spanning tree layer.
BPDUs Transmitted – The count of BPDUs (Bridge Protocol Data Units) transmitted from the spanning tree layer.
802.3x Pause Frames Received – A count of MAC Control frames received on this interface with an opcode indicating the PAUSE operation.
Most Address Entries Ever Used................. 2
Address Entries Currently in Use............... 1
Maximum VLAN Entries...........................
Most VLAN Entries Ever Used....................
Static VLAN Entries............................
Dynamic VLAN Entries...........................
VLAN Deletes...................................
Time Since Counters Last Cleared...............
Understanding Mirroring and Monitoring Ports

The SafeGuard OS supports two types of mirroring:
■ port-based mirroring – Monitors all of the traffic on a port and copies, or mirrors, the data to a destination port.
■ policy-based mirroring – Allows mirroring at the rule level of a policy. Policy-based mirroring is described in Configuring Policy-Based Mirroring on page 323.

Port-based mirroring is device dependent.
directed to the analyzer that is attached to the other switching device. Table 13 shows the impact of frames traversing port ingress and egress with RSPAN enabled and disabled.

NOTE: If RSPAN is enabled, the receiver should be configured to support jumbo frames, since adding a VLAN tag to the ingress frame may result in a jumbo frame being sent on the mirror port.
Figure 4 RSPAN Frame Translation

Configuring Port-Based Mirroring

Port mirroring, which is also known as port monitoring, selects network traffic that you can analyze with a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe. For details on policy-based mirroring, see Configuring Policy-Based Mirroring on page 323.
no monitor session sessionID destination interface

Syntax Description
source interface slot/port – Specifies the interface to monitor. The no form of the command removes the specified interface from the port monitoring session.
rx – (Optional, for Switch only) Monitor only ingress packets. If neither rx nor tx is chosen, both ingress and egress packets are monitored.
tx – (Optional, for Switch only) Monitor only egress packets.
Following is an example of the command output on a SafeGuard Controller:

(SafeGuardOS) #show monitor session 1
Session ID  Admin Mode  Probe Port  Mirrored Port
----------  ----------  ----------  -------------
1           Enable      0/21        0/20

Following is an example of the command output on a SafeGuard Switch:

(SafeGuardOS) #show monitor session 1
Session ID  Admin Mode  Probe Port  RSPAN VLAN  Mirrored Port  Typ
----------  ----------  ----------  ----------  -------------  ---
1           Enable      0/9                     0/1
                                                0/2
■ Protect – The system monitors and enforces policies on user-defined and malware policy controls.

Table 14 Supported Protection Modes

Pass-thru Mode
When Used – First time set up and cabling.
SafeGuard Controller – Acts as a transparent bridge. All security functionality is bypassed.
SafeGuard Switch – Acts as a standard L2/L3 switch. All security functionality is bypassed.
The following example sets ports 1 and 2 to protect mode, in Global Configuration mode:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #interface 0/1
(SafeGuardOS) (interface 0/1) #protection-mode protect all
(SafeGuardOS) (interface 0/1) #exit
(SafeGuardOS) (config) #exit

The following example sets the protection-mode globally (on all ports).
protection-mode mode all

Syntax Description
mode – The protection mode of the port-pair. Valid values are:
■ Pass-thru – (Default) No protection policies are employed.
■ Monitor – The system monitors for policy visualization based on user-defined policy controls; however, no enforcement actions are taken.
■ Protect – The system monitors and enforces policies on user-defined and malware policy controls.
0/21       Pass-thru        network
0/22       Pass-thru        host
0/23       Pass-thru        network
0/24       Pass-thru        host
(SafeGuardOS) #

The next example is representative output of the show protection-mode command on the SafeGuard Switch:

(SafeGuardOS) #show protection-mode
Interface
---------
0/1 0/2 0/3 0/4 0/5 0/6 0/7 0/8 0/9 0/10 0/11 0/12 0/13 0/14 0/15 0/16 0/17 0/18 0/19 0/20 0/21 0/22 0/23 0/24 0/25 0/26 0/27 0/28 0/29 0/30 0/31 0/32 0/33 0/34 0/35 0/36 0/37 0/38 0/39 0/40 0/41 0/42 0/43 0/4
0/45       Monitor          network
0/46       Monitor          network
0/47       Monitor          network
0/48       Monitor          network
0/49       Monitor          network
0/50       Monitor          network
(SafeGuardOS) #

The fields in the show protection-mode output represent:
Interface – Displays the interface number in slot/port format.
Protection Mode – Displays the protection mode of the interface. Entries can be pass-thru, monitor, or protect.
the failed system. Use the show system recovery command in Privileged Exec mode to check the setting for system recovery.

4 Configure each device to have a peer that synchronizes authentication state. To add the peer, use the Global Configuration command:

ha peer ip_address

The following example establishes two devices (172.15.4.2 and 172.10.10.1) as peers:

(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) #ha peer 172.15.
--------- -- ----- ------ ------ -- ----- ------------ 001236fffffecbc2 661 661
■ 172.16.5.
Table 15 Field Descriptions of the Interface Table (continued)

Source – The protocol from which the entry was learned. Possible values are:
■ DHCP – The entry was created by DHCP; there is a MAC value associated with this entry.
■ LSP – The entry was learned based on active network traffic noted by the SafeGuard Processor.
■ PROTO – The entry was learned from the protocol header of one of the authentication events.
Table 16 Field Descriptions of the Credential Table (continued)

Source – The protocol that generated the entry. Possible values are:
■ white-list
■ captive portal
■ RADIUS
■ Kerberos
State – The authentication state. Possible values are:
■ authing
■ failed
■ success
State – Provides the age out time and backup for each entry in the system.
Attribute ID – When this is a non-zero field, it provides an index into the attribute table.
Configuring System Recovery

Because there is only one SafeGuard device in the typical deployment model, the device must be configured for fail-passthru mode. When in fail-passthru mode, the device sets the protection mode to pass-thru if a critical error occurs. When the protection mode is set to pass-thru, policy enforcement, visualization, and malware detection are not enabled, nor are any high availability features.
CAUTION: When the user logs into the system, a warning message is displayed if the system is in Fail-PassThru mode. When the system is in Fail-PassThru mode, the user should not make any configuration changes because some components are not operational. In this state, the user can use show commands for debugging and use the copy command to transfer the core file and perform an upgrade. However, the other commands are not disabled. Use any commands with extra caution.
lsp recovery-mode
no lsp recovery-mode

This command has no options or parameters. For example:

(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) # lsp recovery-mode
(SafeGuardOS) (config) #

Changing the Exception Recovery Parameters

Recovery “permits” a certain rate of exceptions per second, but does not tolerate a certain number of exceptions over time. This is done with a “leaky bucket” system using a sustain rate and a threshold value.
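The leaky-bucket behaviour described above, as an added illustration that is not SafeGuard OS code: each exception adds to a bucket that drains at the sustain rate, and recovery fires once the level exceeds the threshold, so a steady rate at or below the sustain rate is permitted indefinitely while a burst, or a rate only slightly above the sustain rate held for long enough, trips it. The fill/drain semantics, the ExceptionBucket class and the timestamp traces are assumptions constructed for the example.

```python
"""Leaky-bucket model of the exception-recovery logic described in the text.

Constructed illustration, not SafeGuard OS code.  The guide says recovery
permits a sustained rate of exceptions per second but not a number of
exceptions over time, using a leaky bucket with a sustain rate and a
threshold.  The fill/drain semantics below are an assumption about how
such a bucket is implemented.
"""
from dataclasses import dataclass


@dataclass
class ExceptionBucket:
    sustain_rate: float   # exceptions per second that drain out (tolerated rate)
    threshold: float      # bucket depth; exceeding it triggers recovery
    level: float = 0.0    # current fill level
    last_t: float = 0.0   # time of the last update (seconds)
    tripped: bool = False # once tripped, recovery (fail-passthru) has fired

    def _drain(self, now: float) -> None:
        """Leak out what the sustain rate allows since the last update."""
        elapsed = max(0.0, now - self.last_t)
        self.level = max(0.0, self.level - elapsed * self.sustain_rate)
        self.last_t = now

    def record(self, now: float) -> bool:
        """Record one exception at time `now` (seconds).

        Returns True if the bucket overflows, i.e. the recovery action
        should fire.  The bucket stays tripped afterwards.
        """
        if self.tripped:
            return True
        self._drain(now)
        self.level += 1.0
        if self.level > self.threshold:
            self.tripped = True
        return self.tripped


def run_trace(timestamps, sustain_rate: float, threshold: float):
    """Feed a list of exception timestamps through a fresh bucket.

    Returns the index of the exception at which recovery fires, or None
    if the whole trace is tolerated.
    """
    bucket = ExceptionBucket(sustain_rate, threshold)
    for i, t in enumerate(timestamps):
        if bucket.record(t):
            return i
    return None


# Constructed traces (exception timestamps in seconds):
STEADY = [i * 0.5 for i in range(40)]      # 2 exceptions/s for 20 s
BURST = [i * 0.01 for i in range(12)]      # 12 exceptions within 0.11 s
OVER_TIME = [i * 0.4 for i in range(30)]   # 2.5/s: slightly above sustain

if __name__ == "__main__":
    for name, trace in (("steady", STEADY), ("burst", BURST), ("over_time", OVER_TIME)):
        # sustain 2 exceptions/s, threshold 4.5 (constructed parameters)
        print(name, "->", run_trace(trace, sustain_rate=2.0, threshold=4.5))
```

With a sustain rate of 2/s and threshold 4.5, the steady trace is never tripped, the burst trips on the fifth exception, and the 2.5/s trace is tolerated for seven seconds before the accumulated excess trips it.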
(SafeGuardOS) (config) #

Enabling System Reboots on LSP Watchdog Events

To enable system reboots on LSP watchdog events, use the lsp watchdog command in Global Configuration mode. To disable system reboots on LSP watchdog events, use the no form of the command.

lsp watchdog
no lsp watchdog

This command has no options or parameters.
Chapter 3 Working with Configuration Files and Upgrading Images

In this chapter:
■ Understanding Configuration Files
■ Upgrading System Images
■ Upgrading the Boot Image
■ Displaying Image and Boot Loader Information
■ Removing All Data from Memory
Chapter 3: Working with Configuration Files and Upgrading Images

This chapter describes the tasks associated with the configuration files and how to upgrade system software.

Understanding Configuration Files

The SafeGuard OS maintains two basic configuration files that manage the device: the startup configuration and the running configuration.
■ The startup configuration is used when the device is started or rebooted.
■ The running configuration is the current operating configuration.
■ copy system:running-config has the following syntax:

copy system:running-config [nvram:startup-config | nvram:backup-config]

Syntax Description
startup-config – Saves the running configuration to the startup configuration in flash.
backup-config – Saves the running configuration to the backup configuration in flash.
From Startup to External Storage

To save the startup configuration to either a Trivial File Transfer Protocol (TFTP) server or to CF, use the copy nvram:startup-config command in Privileged Exec mode.

copy system:startup-config [[tftp://ip/{filepath/}filename] | [cf://{filepath/}filename]]

Syntax Description
tftp | cf – Specifies whether to save the configuration onto a TFTP server or CF.
ip – Specifies the IP address of the TFTP server.
configuration. The change takes effect after a system reboot. The syntax of the Privileged Exec command is:

copy nvram:backup-config nvram:startup-config

There are no parameters or variables.

From TFTP to Flash Memory

Either a startup configuration or a running configuration can be downloaded from a TFTP server location using the copy tftp:startup command or the copy tftp:backup command in Privileged Exec mode.
filename – Specifies the filename of the startup or running configuration being downloaded.
nvram:startup-config – Specifies to copy a startup configuration file to flash memory.
nvram:backup-config – Specifies to copy a backup configuration file to flash memory.
■ The write terminal command also has no parameters or variables.

write terminal

The output is displayed in script format, which can be used to configure another device with the same configuration. The output from the show running-config command is shown in Appendix A, Sample Output.

Startup Config

To display the contents of the startup configuration to the terminal, use the show startup-config command in Privileged Exec mode.
■ Specifying the System Image

Copying Images

To copy the image file to either the primary or secondary image location, use the copy tftp command in Privileged Exec mode.

copy tftp://ip/{filepath/}file [image-primary | image-secondary]

Syntax Description
ip – Specifies the IP address of the TFTP server.
filepath – (Optional) Specifies the directory path to the file.
file – Specifies the filename of the file being downloaded.
Upgrading the Boot Image

SafeGuard devices use a boot sequence to bring up the device and load application software, such as SafeGuard OS, into memory. There are two methods of performing this boot sequence:
■ Simple – A single piece of code that performs both the bootstrap and boot loader function. This type of boot loader was introduced in SafeGuard OS release 1.0 and continues to be supported.
The bootstrap component may only be upgraded at the factory, as opposed to the boot loader, which can be upgraded with a software update.

Copying a Boot Loader from a TFTP Server

Use the copy bootrom Privileged Exec command to install a single boot loader into either the primary or secondary image area of flash.
(SafeGuardOS) # use bootrom primary
(SafeGuardOS) #

Simple Boot Loader Upgrades

With a simple boot loader system, use either of the upgrade procedures described in the following sections, as desired.
bootpkgfilename – Specifies the name of the boot loader package being downloaded.

2 Specify using the 3.0 image in either the primary or secondary image location as described in Specifying the Boot Loader on page 118. If not specified, the boot loader uses the primary image.

3 Reboot the system. When the system comes back up, SafeGuard OS detects the dual-stage boot loader and that it was booted from a raw image partition.
(SafeGuardOS) #

The fields of the output represent:
Manufacturer – Indicates the device is manufactured by Alcatel-Lucent.
System Description – The model number of the device.
Base Mgmt Port MAC Address – The MAC address of the management port.
Software Version – The software version; an extension of Captive Portal indicates an EPV version.
Software Build Date – The time and date that the build was created.
Primary Image.................................. 104507302006
Secondary Image................................ 104507302006
Bootstrap Version..............................
Bootrom Selected...............................
Bootrom Booted.................................
Primary Bootrom Version........................
Secondary Bootrom Version......................
System Time....................................
Cpu Utilization.....................
System Time – The creation date and time for the system.
CPU Utilization – Current CPU utilization, both of the user and the system.
Free Memory – The amount of free memory and total memory.
Uptime – The amount of time since the last reload.
Protection Mode – The protection mode configured for the system. Possible values are pass-thru, monitor, and protect.
Chapter 4 Configuring SafeGuard Controllers

In this chapter:
■ Configuring VLANs on the SafeGuard Controller
■ Link Pair Synchronization
Chapter 4: Configuring SafeGuard Controllers

Configuring VLANs on the SafeGuard Controller

A VLAN is a logical grouping of endpoint devices on different physical LAN segments that communicate as if they are on the same physical LAN segment. These endpoint devices are referred to as members of the VLAN. Unlike a LAN connected using hardware, a VLAN is configured using the SafeGuard OS CLI, making it a virtual connection. VLANs are part of the IEEE 802.
Link Pair Synchronization

The SafeGuard Controller sits between the user and the network. It is important that if a link between a user and the controller goes down, the link between the controller and the network is also brought down. In addition, if the link between the controller and the network goes down, the link between the user and the controller must be brought down. This is required so that protocols can converge in the event of link failures.
(SafeGuard) #config terminal
(SafeGuard) (config) #linkpair-sync disable
(SafeGuard) (config) #
Chapter 5 Setting Up SafeGuard Switches

In this chapter:
■ Overview of VLANs
■ Displaying Forwarding Database Entries Information
■ Configuring IGMP Snooping
■ Configuring Port Security
■ Configuring Routing
Chapter 5: Setting Up SafeGuard Switches

Overview of VLANs

This chapter describes setting up Virtual Local Area Networks (VLANs) on SafeGuard devices. The SafeGuard Switch and the Controller both support VLANs but use different techniques and commands. A VLAN is a logical grouping of endpoint devices on different physical LAN segments that communicate as if they are on the same physical LAN segment. These endpoint devices are referred to as members of the VLAN.
Ingress VLAN Classification

A frame can be tagged, untagged, or priority-tagged. When a switch receives a frame, it first classifies the incoming frame to assign the VLAN ID, as described in the following points:
■ If the frame is 802.1Q tagged, the switch uses the VID in the frame to assign the VLAN ID.
■ If the frame is untagged or priority-tagged, the switch uses one of four classification methods to assign the VLAN ID.
Ingress Filtering

If ingress filtering is enabled, incoming frames for VLANs that do not include this ingress port in their member set are discarded at the ingress port; otherwise, the incoming frames are admitted and forwarded to the ports that are members of that VLAN. By default, ingress filtering is enabled per port, and it can be disabled. Ingress filtering does not affect VLAN-independent BPDU frames, such as STP.
■ Location independent – When an endpoint device is moved to another location, it can remain on the same VLAN without needing to reconfigure any hardware.
■ Increased network efficiency – The network is more efficient by allowing a VLAN to control and screen broadcast traffic.
■ Increased security – By confining broadcast traffic to users in a workgroup, there is increased security because sensitive data is confined to only that group.
Creating the VLAN and Assigning a VLAN ID

Create VLANs in the VLAN database mode, which is a submode of Global Configuration. To enter the mode, use the vlan database command:

vlan database

The command has no parameters or variables. For example:

(SafeGuardOS) (config) #vlan database
(SafeGuardOS) (Vlan)#

To assign an ID and an optional name to the VLAN, use the vlan command in VLAN database mode. Eligible ID numbers are from 2 to 4094.
For further discussion of the show vlan brief command and a description of the output fields, see Showing a VLAN Brief on page 146.

Assigning a Name to the VLAN

This step is optional; however, most organizations prefer to identify their VLANs by an organizational name rather than by a number. Use the vlan name command in the VLAN database submode of Privileged Exec.

vlan name vlanid name

Syntax Description
vlanid – Specifies an existing VLAN ID number.
Assigning the Ports and Egress Tagging

Although packets are inspected at port ingress, the system acts on the frame when it exits the port (on egress). For port-based VLANs, port membership and tagging are assigned on a per-interface basis. At assignment time, the ports can also be designated as tagged or untagged, as desired. Tagging is optional.
Assigning a Port VLAN ID

To specify that the VLAN is classified as port-based, use the vlan pvid command in the Interface Configuration submode of Global Configuration.

vlan pvid vid

Syntax Description
vid – Specifies the VLAN ID being associated with the port.
Setting Frame Acceptance

To select the types of frames that can be received on a port, use the vlan acceptframe command. Untagged or priority-tagged frames are either discarded or accepted and assigned the VLAN ID of the interface. With either option, VLAN-tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN specification. Use the no version of the command to set the frame acceptance mode for all interfaces to accept, or admit, all frames.
no vlan port ingressfilter all

The commands have no parameters or variables. In the following example, ingress filtering is enabled:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #vlan port ingressfilter all
(SafeGuardOS) (config) #exit

Per-Interface Filtering

To enable ingress filtering for a specific interface, use the vlan port ingressfilter command in Interface Configuration mode.
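The ingress path described in Ingress VLAN Classification, Ingress Filtering, Setting Frame Acceptance and the ingressfilter commands above, worked through as an added Python example that is not part of this guide or of SafeGuard OS. Only the port-based method (the PVID) is modelled for untagged and priority-tagged frames; the mode name "vlanonly", the port numbers, PVIDs, MAC addresses and member sets are constructed assumptions.

```python
"""Ingress VLAN classification, frame acceptance and ingress filtering.

Constructed worked example, not SafeGuard OS code.  It follows the text:
an 802.1Q-tagged frame keeps its VID; an untagged or priority-tagged
(VID 0) frame is classified by the port's PVID (port-based method; the
other three classification methods are not modelled); the vlan
acceptframe mode decides whether untagged/priority-tagged frames are
admitted at all; and ingress filtering drops frames whose VLAN does not
list the ingress port in its member set.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # Tag Protocol Identifier for an 802.1Q tag


@dataclass
class Port:
    name: str                   # slot/port, e.g. "0/5"
    pvid: int                   # Port VLAN ID used for untagged/priority-tagged frames
    acceptframe: str = "all"    # "all" (the no form, default) or "vlanonly" (assumed name)
    ingressfilter: bool = True  # the text says filtering is enabled per port by default


def classify(frame: bytes):
    """Return (kind, vid): kind is 'tagged', 'priority-tagged' or 'untagged';
    vid is the VID carried in the tag, or None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF           # low 12 bits of the TCI
        if vid == 0:                 # PCP present but no VLAN: priority-tagged
            return ("priority-tagged", 0)
        return ("tagged", vid)
    return ("untagged", None)


def ingress(port: Port, frame: bytes, members: dict):
    """Decide what happens to a frame arriving on `port`.

    members maps VLAN ID -> set of member port names.
    Returns (decision, vlan_id) where decision is 'forward' or a drop reason.
    """
    kind, vid = classify(frame)
    if kind == "tagged":
        vlan = vid
    else:
        # untagged / priority-tagged: acceptframe mode is checked first,
        # then the frame is assigned the interface's PVID
        if port.acceptframe == "vlanonly":
            return ("drop:acceptframe", None)
        vlan = port.pvid
    if vlan not in members:
        return ("drop:unknown-vlan", vlan)
    if port.ingressfilter and port.name not in members[vlan]:
        return ("drop:ingressfilter", vlan)
    return ("forward", vlan)


def build_frame(vid=None, pcp=0) -> bytes:
    """Construct a minimal Ethernet frame: dst, src, optional 802.1Q tag,
    IPv4 ethertype and a zero payload.  MAC addresses are constructed."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    if vid is not None:              # vid=0 builds a priority-tagged frame
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46


# Constructed membership table: VLAN ID -> ports in its member set
MEMBERS = {1: {"0/1", "0/2"}, 50: {"0/2", "0/3"}}

if __name__ == "__main__":
    p1 = Port("0/1", pvid=1)
    print(ingress(p1, build_frame(), MEMBERS))               # untagged -> PVID 1
    print(ingress(p1, build_frame(vid=50), MEMBERS))         # 0/1 not in VLAN 50
    p3 = Port("0/3", pvid=50, acceptframe="vlanonly")
    print(ingress(p3, build_frame(vid=0, pcp=5), MEMBERS))   # priority-tagged rejected
```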
4 Create a protocol group name.
5 Assign a protocol to that group name.
6 Assign the VLAN to the group name.
7 Associate the VLAN ID to a protocol group.
8 (Optional) Assign an IP address. See Assigning an IP Address to the VLAN on page 137 for more details.
9 (Optional) Enable ingress filtering. See Enabling Ingress Filtering on page 138 for more details.
10 Verify the configuration using the show vlan brief or show running-config commands.
Creating a Protocol Group

A protocol group is associated with a specific protocol and identified by a group name. Use the vlan protocol group command to create a group name for a protocol group. Use the no version of the command to remove the group.

vlan protocol group groupname
no vlan protocol group groupname

Syntax Description
groupname – Specifies the name of the protocol group. Valid entries are from 1 to 128 characters.
protocol vlan group {all} groupname

Syntax Description
all – Adds all physical interfaces to the protocol VLAN.
groupname – Specifies the protocol group to which the interfaces are added. Valid entries are from 1 to 128 characters.

The following example adds all physical interfaces to the protocol VLAN.
no vlan association [mac macaddr]

Syntax Description
macaddr – Specifies the MAC address being associated to the VLAN. MAC addresses may be specified in any of the following formats:
■ aa:bb:cc:dd:ee:ff
■ aabb:ccdd:eeff
■ aa-bb-cc-dd-ee-ff
■ aabb.ccdd.eeff
■ aabbccddeeff
vlanid – Specifies the VLAN ID being associated.

The following command associates a MAC address to a VLAN with the VLAN ID of 50.
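An added example, not SafeGuard OS code, of a strict parser that accepts exactly the five MAC address spellings listed above (and rejects anything else) and keys a MAC-based VLAN association table on the canonical form, so the same station is found whichever spelling an operator typed; the MacVlanTable class and the sample MAC and VLAN ID are constructed.

```python
"""Normalising the MAC address formats the vlan association command accepts.

Constructed example, not SafeGuard OS code.  The five accepted spellings
are those listed in the guide; the parser accepts only those shapes.
"""
import re

# One pattern per accepted shape, in the order the guide lists them.
_FORMATS = (
    re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),   # aa:bb:cc:dd:ee:ff
    re.compile(r"^([0-9a-f]{4}:){2}[0-9a-f]{4}$", re.I),   # aabb:ccdd:eeff
    re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I),   # aa-bb-cc-dd-ee-ff
    re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I),  # aabb.ccdd.eeff
    re.compile(r"^[0-9a-f]{12}$", re.I),                   # aabbccddeeff
)


def normalize_mac(text: str) -> str:
    """Return the canonical lower-case aa:bb:cc:dd:ee:ff form.

    Raises ValueError if the text is not one of the five accepted shapes
    (wrong group size, mixed separators, non-hex digits, wrong length).
    """
    s = text.strip()
    if not any(f.match(s) for f in _FORMATS):
        raise ValueError(f"unsupported MAC address format: {text!r}")
    digits = re.sub(r"[:.\-]", "", s).lower()      # strip separators
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacVlanTable:
    """MAC-based VLAN association table: canonical MAC -> VLAN ID (constructed)."""

    def __init__(self):
        self._assoc = {}

    def associate(self, mac: str, vlanid: int) -> None:
        # VLAN 1 is the default VLAN; the guide gives 2 to 4094 for new VLANs
        if not 1 <= vlanid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlanid}")
        self._assoc[normalize_mac(mac)] = vlanid

    def remove(self, mac: str) -> bool:
        """Remove the association (the no form); True if one existed."""
        return self._assoc.pop(normalize_mac(mac), None) is not None

    def lookup(self, mac: str):
        """VLAN ID for the station, or None if it has no association."""
        return self._assoc.get(normalize_mac(mac))


if __name__ == "__main__":
    table = MacVlanTable()
    table.associate("00-11-22-33-44-55", 50)        # constructed station and VLAN
    print(table.lookup("0011.2233.4455"))          # same station, different spelling
```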
Associate the VLAN to an IP Subnet Address

To associate the VLAN to an IP subnet address, use the vlan association command in VLAN database mode. The no version of the command removes the association.

vlan association [subnet ipaddr netmask] vlanid
no vlan association [subnet ipaddr netmask]

Syntax Description
ipaddr – Specifies the IP address being associated to the VLAN.
netmask – Specifies the subnet mask, as a four-octet dotted-decimal number.
Verifying the VLAN Configuration

There are Privileged Exec show commands to display VLAN and VLAN-related configurations:

show running-config – Displays the running configuration for the Switch, which includes the VLAN configuration. An example of the show running-config output is shown in Appendix A, Sample Output.
show vlan association – Displays the VLAN associated with a specific configured IP address or netmask.
The fields in the show vlan association output represent:
IP Address – Displays the IP address associated with the VLAN.
IP Mask – Displays the subnet mask associated with the VLAN.
VLAN ID – Displays the ID for the associated VLAN.

Showing a VLAN Brief

The show vlan brief command displays summary information about all configured VLANs.

show vlan brief

This command has no options or parameters.
Showing VLAN ID

The show vlan id command displays either summary or detailed information about a VLAN, selected by the VLAN ID.

show vlan id [id vlanid | name vlan_name]{detailed}

Syntax Description
vlanid – Specifies to display information about the VLAN identified by this VLAN ID.
detailed – (Optional) Displays Include mode information about the specified VLAN.
Interface        Current  Configured  Tagging
---------------  -------  ----------  --------
0/1              Include  Include     Untagged
0/2              Include  Include     Untagged
0/3              Include  Include     Untagged
0/4              Include  Include
0/5              Include  Include
0/6              Include  Include
0/7              Include  Include
0/8              Include  Include
0/9              Include  Include
0/10             Include  Include
0/11             Include  Include
0/12             Include  Include
0/13             Include  Include
0/14             Include  Include
0/15             Include  Include
0/16             Include  Include
0/17             Include  Include
0/18             Include  Include
Tagging – Displays whether this interface is configured for tagging.
Link State – Displays the link state: disabled, down (enabled), or up.

Showing a VLAN Name

Use this command to display either summary or detailed information about a VLAN, selected by name.

show vlan name vlan_name {detailed}

Syntax Description
vlan_name – Specifies to display information about the VLAN identified by the VLAN name.
VLAN ID    : 1
VLAN Name  : Default
VLAN Type  : Default
Ports      : 50 (Number of active ports =
IP Address :

Interface        Current  Configured
---------------  -------  ----------
0/1              Include  Include
0/2              Include  Include
0/3              Include  Include
0/4              Include  Include
0/5              Include  Include
0/6              Include  Include
0/7              Include  Include
0/8              Include  Include
0/9              Include  Include
0/10             Include  Include
0/11             Include  I
0/12             Include
0/13             Include
0/14             Include
0/15             Include
0/16             Include
0/17             Include
0/18             Include
Showing a VLAN Port

Use this command to display information about an interface, all interfaces, or a port-channel.

show vlan port [slot/port | all | port-channel port-channel-name]

Syntax Description
slot/port – Specifies to display information about the interface that is shown in slot/port format.
all – Specifies to display information about all of the interfaces.
port-channel-name – Specifies to display information about the named port-channel.
Ingress Filtering – Displays whether filtering is enabled or disabled. When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.
The fields in the output represent:

Field        Description
VLAN ID      Identifier for the VLAN.
MAC Address  A unicast MAC address for which the device has forwarding and/or filtering information. MAC addresses may be specified in any of the following formats:
             ■ aa:bb:cc:dd:ee:ff
             ■ aabb:ccdd:eeff
             ■ aa-bb-cc-dd-ee-ff
             ■ aabb.ccdd.eeff
             ■ aabbccddeeff
Interface    Slot and port on which this address was learned.
The following sections describe commands to support STP:
■ Enabling or Disabling STP Globally
■ Forcing Transmission of Rapid Spanning Tree
■ Setting the Configuration Identifier Name
■ Setting the Configuration Identifier Revision Level
■ Specifying an Edge Port
■ Setting the Force Protocol Version Parameter
■ Setting the Bridge Forward Delay Parameter
■ Setting the Bridge Max Age Parameter
■ Setting the Path Cost or Port Priority
■ Setting the B
This command forces the BPDU transmission, so the command does not change the system configuration or have a "no" version.

spanning-tree bpdumigrationcheck [slot/port | all]

Syntax Description
slot/port  Specifies to transmit a BPDU from the interface that is shown in slot/port format.
all        Transmits BPDUs from all interfaces.
no spanning-tree configuration revision

Syntax Description
revisionlevel  The configuration revision level. It is a number in the range of 0 to 65535. The default value is 0.
no spanning-tree forceversion

Syntax Description
802.1d  Specifies that the switch transmits ST BPDUs rather than MST BPDUs (IEEE 802.1d functionality supported).
802.1w  Specifies that the switch transmits RST BPDUs rather than MST BPDUs (IEEE 802.1w functionality supported).

The following example sets the force protocol version parameter to 802.1d:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #spanning-tree forceversion 802.
spanning-tree max-age time
no spanning-tree max-age

Syntax Description
time  Time in seconds within a range of 6 to 40. The value must be less than or equal to 2 x (Bridge Forward Delay - 1).
Setting the Bridge Priority

To set the bridge priority, use the spanning-tree priority command in Global Configuration mode. The default priority is 32768. To restore the default bridge priority, use the no version of the command.

spanning-tree priority priority
no spanning-tree priority

Syntax Description
priority  The priority. A number within a range of 0 to 61440 in increments of 4096. The twelve least significant bits are masked according to the 802.1s specification.
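A pre-flight check for the max-age and bridge priority constraints stated above, as an added example (not part of the guide or of SafeGuard OS). The forward delay range of 4 to 30 seconds is an assumption taken from IEEE 802.1D; this page does not state it.

```python
# Added example: validates STP bridge parameters against the constraints
# the guide gives before they are typed into Global Configuration mode.
from typing import List

MAX_AGE_RANGE = (6, 40)          # seconds, as stated in the guide
FORWARD_DELAY_RANGE = (4, 30)    # seconds; assumption from IEEE 802.1D, not on this page
PRIORITY_RANGE = (0, 61440)      # as stated in the guide
PRIORITY_STEP = 4096             # priority is configured in increments of 4096
PRIORITY_MASK = 0xF000           # twelve least significant bits are masked


def effective_priority(priority: int) -> int:
    """Priority the bridge actually advertises once the low 12 bits are masked."""
    return priority & PRIORITY_MASK


def validate_stp(max_age: int, forward_delay: int, priority: int) -> List[str]:
    """Return a list of human-readable problems; an empty list means all good.

    A lower priority makes this bridge more likely to win the root election,
    so an unintended low value deserves a second look before committing it.
    """
    problems: List[str] = []

    lo, hi = MAX_AGE_RANGE
    if not lo <= max_age <= hi:
        problems.append(f"max-age {max_age} is outside {lo}-{hi} seconds")

    lo, hi = FORWARD_DELAY_RANGE
    if not lo <= forward_delay <= hi:
        problems.append(f"forward-delay {forward_delay} is outside {lo}-{hi} seconds")

    # Relationship from the max-age syntax description: max-age <= 2 x (fwd delay - 1)
    limit = 2 * (forward_delay - 1)
    if max_age > limit:
        problems.append(f"max-age {max_age} exceeds 2 x (forward delay - 1) = {limit}")

    lo, hi = PRIORITY_RANGE
    if not lo <= priority <= hi:
        problems.append(f"priority {priority} is outside {lo}-{hi}")
    elif priority % PRIORITY_STEP:
        problems.append(
            f"priority {priority} is not a multiple of {PRIORITY_STEP} "
            f"(the switch masks it to {effective_priority(priority)})")
    return problems


if __name__ == "__main__":
    for args in [(20, 15, 32768), (40, 15, 32768), (20, 15, 32769)]:
        print(args, validate_stp(*args) or "ok")
```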
Setting the Administrative Switch Port State for All Ports

To set the Administrative Switch Port State for all ports to enabled, use the spanning-tree port mode all command in Global Configuration mode. By default the ports are disabled. To set the Administrative Switch Port State for all ports to disabled, use the no version of the command.

spanning-tree port mode all
no spanning-tree port mode all

The commands have no parameters or variables.
Topology Change Count.......................... 1
Topology Change in progress.................... TRUE

Interface  STP Mode  STP State   Port Role   Cost
---------  --------  ----------  ----------  -----
0/1        Enabled   Forwarding  Designated  20000
0/43       Enabled   Forwarding  Designated  20000
0/44       Enabled   Discarding  Backup      20000

The fields in the output represent:

Field            Description
Bridge Priority  Configured value.
Displaying Settings for a Port

To display settings and parameters for a specific switch port, use the show spanning-tree port command in the Privileged Exec or User Exec mode.

show spanning-tree port [slot/port detailed | [slot/port | all] summary | slot/port statistics]

Syntax Description
slot/port  The desired switch port.
detailed   Show detailed settings.
all        Show settings for all slot/ports.
summary    Show a summary of the settings.
Field                  Description
STP BPDUs Received     Spanning Tree Protocol Bridge Protocol Data Units received.
RST BPDUs Transmitted  Rapid Spanning Tree Protocol Bridge Protocol Data Units sent.
RST BPDUs Received     Rapid Spanning Tree Protocol Bridge Protocol Data Units received.
Configuring IGMP Snooping

Internet Group Management Protocol (IGMP) is a multicast group membership discovery protocol. In subnets where IGMP is configured, a host that wants to be a multicast data receiver joins the group by sending a message to a multicast router on a local interface. There are three versions of IGMP: IGMPv1, IGMPv2, and IGMPv3. All three versions are supported by SafeGuard OS.
Configuring IGMP Snooping on a VLAN

IGMP Snooping is disabled by default. The only required configuration step is to enable the feature on the VLAN. All other IGMP Snooping configuration for the VLAN is optional. To enable IGMP Snooping on a VLAN, use the igmpsnooping command in VLAN Database mode. Use the no version of the command to disable IGMP snooping.
■ Creating a Static Connection to a Multicast Router on page 171
■ Clearing IGMP Snooping Entries Globally on page 171

Setting the Group Membership Interval Time

This optional configuration step is only valid for IGMPv3 environments and is available both globally and for VLANs.
no igmpsnooping vlan vlanid group-membership-interval

Syntax Description
vlanid   Sets the group membership interval on a VLAN having this identification number in IGMPv3 environments. Valid assignment numbers are from 1 to 4094.
seconds  Sets the group membership interval time in seconds. Valid ranges are from 2 to 3600 seconds. The default is 260 seconds.
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #igmpsnooping maximum-response-time 15
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

To verify the configuration, use the Privileged Exec show igmpsnooping command. This command is described further in Showing the IGMP Snooping Configuration on page 172.

Per VLAN

To set the maximum response time by VLAN, in VLAN Database mode use the igmpsnooping vlan maximum-response-time command.
Global

To globally set the multicast router expiration time, use the igmpsnooping mrouter-expire-time command in Global Configuration mode. Use the no version of the command to return the setting to the default value.
(SafeGuardOS) (config) #vlan database
(SafeGuardOS) (Vlan) #igmpsnooping vlan 2 mrouter-expire-time 2400
(SafeGuardOS) (Vlan) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

To verify the configuration, use the Privileged Exec show igmpsnooping command. This command is described further in Showing the IGMP Snooping Configuration on page 172.
igmpsnooping fast-leave
no igmpsnooping fast-leave

The following example enables fast-leave mode on an interface:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #vlan database
(SafeGuardOS) (interface 0/3) #igmpsnooping fast-leave
(SafeGuardOS) (interface 0/3) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

Creating a Static Connection to a Multicast Router

To enable a static connection to a multicast router, use the igmpsnooping
To verify that the tables have been cleared, use the Privileged Exec show mac multicast-table igmpsnooping command. This command is described further in Showing IGMP Snooping Entries on page 175.

Displaying IGMP Snooping Information

There are Privileged Exec show commands to display IGMP Snooping configurations and related table information:

Command            Use
show igmpsnooping  Displays the IGMP Snooping configuration.
The fields in the output represent:

Field                           Description
Global IGMP Snooping Admin Mode  Displays whether IGMP Snooping is globally enabled on the switch.
Multicast Control Frame Count    Displays the number of multicast control frames that are processed by the CPU.
Field                      Description
IGMP Snooping Admin Mode   Displays whether IGMP Snooping is active on the VLAN.
Fast Leave Mode            Displays whether fast leave mode is enabled or disabled on the VLAN.
Group Membership Interval  Displays the amount of time in seconds that a switch waits for a report from a particular group on a specific interface that is participating in a VLAN before deleting the interface from the entry.
The fields in the output represent:

Field      Description
VLAN ID    Displays the number of the VLAN having this identification number.
Interface  Displays the interface number running the static connection.

Showing IGMP Snooping Entries

To display information about the IGMP Snooping entries in the multicast Forwarding Database, use the show mac multicast-table igmpsnooping command.

show mac multicast-table igmpsnooping

The command has no parameters or variables.
Field        Description
Description  Possible values are: "Mgmt Config" (management configured entries) and "Network Assist" (network assisted entries).
Interfaces   Interfaces on which this multicast address was learned or the mrouter ports for this particular VLAN.

Configuring Port Security

This section describes the commands used to configure port security on the switch.
The commands have no parameters or variables. The following example enables port security at the system level on the SafeGuard Switch:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #port-security
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

NOTE: The global configuration setting overrides all interface configuration, thus to enable port-security functionality, the global configuration port-security must be enabled.
The following example restores the maximum number of dynamically locked MAC addresses to the default (600):

(SafeGuardOS) (interface 0/1)#no port-security max-dynamic
(SafeGuardOS) (interface 0/1)#show port-security 0/1

Intf   Admin Mode  Dynamic Limit  Static Limit  Violation Trap Mode
-----  ----------  -------------  ------------  -------------------
0/1    Disabled    600            20            Disabled
(SafeGuardOS) (interface 0/1)#

Setting the Maximum Number of Statically Locked MAC Addresses

To set the maximum n
The following example restores the maximum number of statically locked MAC addresses to the default (20):

(SafeGuardOS) (interface 0/1)#no port-security max-static
(SafeGuardOS) (interface 0/1)#show port-security 0/1

Intf   Admin Mode  Dynamic Limit  Static Limit  Violation Trap Mode
-----  ----------  -------------  ------------  -------------------
0/1    Disabled    600            20            Disabled
(SafeGuardOS) (interface 0/1)#

Adding a MAC Address to the Statically Locked List

To add a MAC address to the list o
Converting Dynamically Locked Addresses to Statically Locked Addresses

To convert dynamically locked MAC addresses to statically locked addresses, use the port-security mac-address move command in Interface Configuration mode.

port-security mac-address move

This command has no parameters. The following example shows this command:

(SafeGuardOS) (interface 0/4)#show port-security static 0/4
There are no dynamically learned MAC addresses.
Field                Description
Violation Trap Mode  Whether violation traps are enabled.
0/39   Disabled    600            20            Disabled
0/40   Disabled    600            20            Disabled
0/41   Disabled    600            20            Disabled
0/42   Disabled    600            20            Disabled
0/43   Disabled    600            20            Disabled
0/44   Disabled    600            20            Disabled
0/45   Disabled    600            20            Disabled
0/46   Disabled    600            20            Disabled
0/47   Disabled    600            20            Disabled
0/48   Disabled    600            20            Disabled
0/49   Disabled    600            20            Disabled
0/50   Disabled    600            20            Disabled
(SafeGuardOS) (interface 0/8)#

Displaying the Dynamically Locked MAC Addresses for a Port

To display the
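An audit helper for the show port-security table shown above, as an added example (not from the guide or from SafeGuard OS): it parses the five-column output and flags interfaces where port security or violation traps are disabled, honouring the note that the global setting overrides interface settings. The sample output is constructed in the guide's layout.

```python
# Added example: parse "show port-security" output and report weak settings.
# Not part of SafeGuard OS; the sample table below is constructed.
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
Intf   Admin Mode  Dynamic Limit  Static Limit  Violation Trap Mode
-----  ----------  -------------  ------------  -------------------
0/1    Enabled     600            20            Enabled
0/2    Disabled    600            20            Disabled
0/3    Enabled     600            20            Disabled
(SafeGuardOS) (interface 0/8)#
"""

SEPARATOR = re.compile(r"^-+(\s+-+)+\s*$")   # the dashed line under the header


@dataclass
class PortSecurityRow:
    intf: str
    admin_mode: str
    dynamic_limit: int
    static_limit: int
    violation_trap_mode: str


def parse_port_security(text: str) -> List[PortSecurityRow]:
    """Return one row per interface; header, separator and prompt lines are skipped."""
    rows: List[PortSecurityRow] = []
    in_body = False
    for line in text.splitlines():
        if SEPARATOR.match(line):
            in_body = True
            continue
        if not in_body:
            continue
        parts = line.split()
        if len(parts) != 5:          # prompt or blank line, not a data row
            continue
        rows.append(PortSecurityRow(parts[0], parts[1], int(parts[2]),
                                    int(parts[3]), parts[4]))
    return rows


def audit(rows: List[PortSecurityRow], global_enabled: bool) -> List[str]:
    """List interfaces whose configuration leaves MAC locking ineffective or silent."""
    findings: List[str] = []
    if not global_enabled:
        findings.append("global port-security is disabled; interface settings have no effect")
    for r in rows:
        if r.admin_mode.lower() != "enabled":
            findings.append(f"{r.intf}: port security disabled")
        elif r.violation_trap_mode.lower() != "enabled":
            findings.append(f"{r.intf}: violations will not raise a trap")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE_OUTPUT), global_enabled=True):
        print(finding)
```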
The fields in the output represent:

Field        Description
MAC Address  Statically locked MAC addresses.
Configuring Routing

SafeGuard OS supports both IP unicast and IP multicast routing on the SafeGuard Switch. In IP unicast routing, data packets are sent from a single source device to a single recipient. In IP multicast routing, a single copy of data is sent to a group of recipients using a single address for the group. Networks that employ IP unicast communication send datagrams from a source device to a single destination device.
broadcasts IP addresses and gets the MAC address as a response from the device owning that IP. A Layer 3 device can respond to an ARP request on behalf of a host for which it has a route. This type of ARP response is called Proxy ARP. Even though a host is on another LAN segment or network, hosts behave as if all other hosts are actually on the local network. If a host does not know the default gateway, proxy ARP can learn the first hop.
macaddr  Specifies a unicast MAC address for that device. MAC addresses may be specified in any of the following formats:
         ■ aa:bb:cc:dd:ee:ff
         ■ aabb:ccdd:eeff
         ■ aa-bb-cc-dd-ee-ff
         ■ aabb.ccdd.eeff
         ■ aabbccddeeff

The following example creates an entry with an IP address of 10.12.14.1 and a MAC address of 34:78:A8:23:56:9B:

(SafeGuardOS) #configure terminal
Enter configuration commands, one per line. End with CNTL/Z
(SafeGuardOS) (config) #arp 10.12.14.
ip proxy-arp
no ip proxy-arp

The commands have no parameters or variables. This example enables Proxy ARP on interface 0/48, which is an uplink to a router:

(SafeGuardOS) #configure terminal
Enter configuration commands, one per line.
Setting the Retry Limit

By default, the system retries an ARP request up to 4 times. Use the arp retries command to change the maximum retry limit. Use the no version of the command to reinstate the default retry limit of 4 tries. The syntax of the Global Configuration commands is:

arp retries attempts
no arp retries

Syntax Description
attempts  Specifies the maximum number of request retries. Valid values are 0 to 10 retries.
clear arp-cache {gateway}

Syntax Description
gateway  (Optional) Clears all dynamic entries, including gateway entries, from the ARP cache. A gateway ARP entry is the entry the switch resolved by ARP for the IP address that is used as the next hop in static and dynamic routes.

Displaying ARP Information

There are two Privileged Exec show commands to display the ARP cache and ARP table configurations:

Command   Use
show arp  Displays the ARP cache.
0h
10.10.2.1     00:12:36:FE:76:06  vlan701  Local    n/a
10.10.2.200   00:16:76:4B:65:BB  vlan701  Dynamic  2m 52s
10.20.3.1     00:12:36:FE:76:06  vlan702  Local    n/a
66.66.66.1    00:12:36:FE:76:06  vlan300  Local    n/a

The fields in the output represent:

Field               Description
Age Time (seconds)  Displays the time it takes for an ARP entry to age out. This value was configured into the unit. Age time is measured in seconds.
The command has no parameters or variables. The following example is representative of the command output:

(SafeGuardOS) #show arp switch
MAC Address         IP Address        Interface
-----------------   ----------------  -----------
00:15:C5:03:63:36   172.16.3.35       Management
00:0D:56:38:BB:63   172.16.3.134      Management

The fields in the output represent:

Field        Description
MAC Address  Displays the hardware MAC address of the device.
ip route net_addr netmask next_hop {distance}
no ip route net_addr netmask {next_hop}

Syntax Description
net_addr  A valid IP address entered in dotted quad format. For example: 172.23.45.1.
netmask   A subnet mask entered in dotted quad format. For example: 255.255.255.0.
next_hop  Specifies the IP address of the next hop router. If next_hop is specified in the no form, the route with that next hop will be deleted.
no ip route distance

Syntax Description
distance  Specifies the administrative distance of all new static routes. Among routes to the same destination, the route with the lowest metric value is the route entered into the forwarding database. A route with a metric of 255 cannot be used to forward traffic. The default is 1.

This example sets the administrative distance to 2 hops for all static routes.
Displaying Routing Information

To display or verify the routing configuration, use the show ip route command in Privileged Exec mode. The syntax for this command is:

show ip route

The following example is representative of the command output:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #show ip route
Route Codes: C - Connected, S - Static
S  0.0.0.0/0
C  2.2.2.0/24
S  3.3.3.0/24
S  4.3.3.0/24
S  5.3.3.0/24
S  88.8.8.0/24
C  172.16.0.
BOOTP/DHCP servers on different subnets. BOOTP and DHCP relay are disabled by default.

Enabling BOOTP or DHCP Relay

To enable BOOTP or DHCP relay:

1  Configure VLANs and IP unicast routing before enabling BOOTP and DHCP relay. VLANs are discussed at length in Chapter 5, Setting Up SafeGuard Switches. Steps for configuring unicast routing are found in Configuring Static Routing on page 191.
inserts a piece of information, called the relay agent information option (option 82), into any DHCP request packet that is being relayed by the switch. The relay agent information option is organized as a single DHCP option that contains one or more sub-options. One of these sub-options identifies the incoming circuit in a public circuit access unit. Examples of a public circuit access unit include RASs, cable modem termination systems, and ADSL access units.
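The option 82 layout just described, as an added example (not from the guide or from SafeGuard OS): a builder and a strict parser for the relay agent information option and its sub-options, plus a lookup over a DHCP options field. The sub-option codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) come from RFC 3046; the sample values are constructed.

```python
# Added example: build, locate and parse the DHCP relay agent information
# option (option 82). Not part of SafeGuard OS.
from typing import Dict, Optional

RELAY_AGENT_INFO = 82
CIRCUIT_ID = 1      # RFC 3046 Agent Circuit ID sub-option
REMOTE_ID = 2       # RFC 3046 Agent Remote ID sub-option
OPT_PAD, OPT_END = 0, 255


def build_option82(circuit_id: bytes, remote_id: Optional[bytes] = None) -> bytes:
    """Encode option 82 as code, length, then one or more code/len/data sub-options."""
    body = bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([REMOTE_ID, len(remote_id)]) + remote_id
    if len(body) > 255:
        raise ValueError("option 82 body does not fit in one option")
    return bytes([RELAY_AGENT_INFO, len(body)]) + body


def find_option(options: bytes, code: int) -> Optional[bytes]:
    """Walk a DHCP options field and return the first option with `code`, including its header."""
    i = 0
    while i < len(options):
        c = options[i]
        if c == OPT_END:
            return None
        if c == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        chunk = options[i:i + 2 + length]
        if len(chunk) != 2 + length:
            raise ValueError(f"option {c} truncated")
        if c == code:
            return chunk
        i += 2 + length
    return None


def parse_option82(opt: bytes) -> Dict[int, bytes]:
    """Parse option 82 into {sub-option code: data}, rejecting malformed encodings.

    Truncated or duplicated sub-options are rejected rather than silently
    skipped, so a relay or collector does not act on a half-read circuit ID.
    """
    if len(opt) < 2 or opt[0] != RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    body = opt[2:2 + opt[1]]
    if len(body) != opt[1]:
        raise ValueError("option length exceeds available bytes")
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, slen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + slen]
        if len(data) != slen:
            raise ValueError(f"sub-option {code} truncated")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = data
        i += 2 + slen
    return subs


if __name__ == "__main__":
    # Constructed sample: message type option, then option 82, then END.
    opts = b"\x35\x01\x01" + build_option82(b"0/7", b"switch-1") + b"\xff"
    print(parse_option82(find_option(opts, RELAY_AGENT_INFO)))
```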
The following example extends the BOOTP or DHCP relay hop count to 8:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #bootpdhcprelay maxhopcount 8
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

Establishing a BOOTP or DHCP Relay Minimum Wait Time

When the BOOTP or DHCP relay agent receives a BOOTREQUEST message, the request is immediately relayed.
The fields in the show bootpdhcprelay output represent:

Display                      Description
Maximum Hop Count            Maximum allowable relay agent hops.
Minimum Wait Time (Seconds)  Minimum wait time.
Admin Mode                   Indicates whether the relaying of requests is enabled or disabled.
Server IP Address            IP address of either the BOOTP or DHCP relay server.
Circuit Id Option Mode       Indicates if the DHCP circuit ID option is enabled or disabled.
Requests Relayed............................... 0
Packets Discarded.............................. 0

IP Multicast Routing

IP multicasting allows a device on a LAN or VLAN to send packets, not to just one recipient, but to a group or collection of other devices. Multicasting is considered a more efficient method of routing because it conserves bandwidth and reduces traffic by being able to deliver simultaneously a single stream of information to multiple devices.
chapter 6 Configuring Authentication and Role Derivation

In this chapter:
■ Configuring User Authentication
■ Configuring Device Authentication Lists
■ Setting Up Authentication Servers
■ IEEE 802.
Chapter 6: Configuring Authentication and Role Derivation Configuring User Authentication This section explains the different types of user authentication available in SafeGuard OS. It also explains how to configure the SafeGuard device using the CLI to achieve the maximum benefit in your deployment.
When providing active authentication, the system disables network access for client stations until an authentication exchange takes place. When access is disabled, it prevents users from accessing the network without the proper credentials. During passive authentication, the SafeGuard OS sniffs the results of external authentication devices and servers to obtain a user name that can then be used in traffic visualization.
Figure 5 Authentication Component Process (diagram: the authentication component updates the mapping table and the user table and creates events; the policy component processes rule maps against the role attribute table to derive a role)

Planning for Your Authentication and Policy Deployment

Authentication and policy are tightly interwoven. When planning to implement a new security system, it is important to understand how policy is dependent on authentication.
— System attributes: source IP, source MAC, port number, VLAN ID, authentication type, mapping type, user name, role name, domain name, and time of day
— DHCP attributes: requested IP address, subnet mask.
Displaying Trusted Server Information

To review the current trusted server configuration, use the show aaa session-tracking trusted-server command in Privileged Exec mode:

show aaa session-tracking trusted-server

This command has no options or parameters. Output of the command is similar to this example:

(SafeGuardOS) #show aaa session-tracking trusted-server
Trusted Servers
---------------
Number of Rows:1
Server
------
1.2.3.
Configuring Layer 3 Devices for Mapping

Because SafeGuard OS assumes that all traffic with the same MAC address has originated from the same host, it implies that a change in authentication status for one IP on a MAC changes the authentication status for all IPs on that MAC address. When a Layer 3 device (such as a router) is placed downstream of the SafeGuard device, all Layer 3 traffic is incorrectly mapped to a single user device.
no aaa session-tracking l3device mac

Syntax Description
mac  MAC addresses may be specified in any of the following formats:
     ■ aa:bb:cc:dd:ee:ff
     ■ aabb:ccdd:eeff
     ■ aa-bb-cc-dd-ee-ff
     ■ aabb.ccdd.eeff
     ■ aabbccddeeff

Use the show aaa session-tracking l3device command to display the list of currently configured Layer 3 devices. This command is described in Displaying the Current Contents of the Mapping Table on page 208.
Based on the options selected, this command displays the following information in tabular or single-user form.

Field  Description
Port   The physical port where the mapping was detected. The interface is shown in slot/port notation.
VLAN   The VLAN the mapping was detected on. VLAN 1 is the default VLAN.
MAC    The MAC address of the mapping.
In the detail mode the following additional information is shown:

Field            Description
MAP Source       LSP for mappings learned based on traffic, DHCP for mappings learned based on DHCP.
Configured Role  This is the role derived from role derivation. It is also displayed in the brief output.
Effective Role   This is the role that policy has used for enforcement. It may be different from the configured role because of misconfiguration.
macaddr    MAC address of the mapping. MAC addresses may be specified in any of the following formats:
           ■ aa:bb:cc:dd:ee:ff
           ■ aabb:ccdd:eeff
           ■ aa-bb-cc-dd-ee-ff
           ■ aabb.ccdd.eeff
           ■ aabbccddeeff
slot/port  Physical port where the mapping was detected.
vlanid     VLAN that the mapping was detected on. VLAN 1 is the default VLAN.
host       String name of the host that the IP is assigned to.
When the host database sees a DHCP exchange for an interface, it makes an entry in the DHCP cache. When traffic is observed from that host, the cache entry is removed from the cache and the information contained in it is applied to the host table. To see the contents of the DHCP cache, use the show host dhcp-cache command.
SOAP Reqs...................................... 1
SOAP Errors.................................... 0
AES Errors..................................... 0
Ticks.......................................... 117
DHCP Age Out................................... 1

These counters can be cleared with the command clear host counters.

Displaying Layer 3 Devices

Up to 32 MAC addresses can be configured as Layer 3 devices.
show aaa users {[user-name Name] | [ip-address Ipaddr] | [mac-address Mac] | [port-number slot/port] | [role-name rolename] | [vlan vlanid]}

Syntax Description
Name  (Optional) Filter the user table and show entries corresponding to the given user name. User name here is case-sensitive. A single user can be authenticated on multiple hosts and multiple interfaces.
Field       Description
SATE        Coded string that indicates the following information using the following syntax: SATE
            ■ S – current state of the user, based on the state of the user's authentication. Possible values are: f (failed) or s (success).
            ■ A – authentication type. Possible values are: k (Kerberos), c (captive-portal), m (mac-radius), r (radius), x (802.1x), w (white-list)
            ■ T – Interface type.
Login Time
Field           Description
Effective Role  Role name that the policy component has enforced for the user.
Rule Map Name   Name of the rule map that assigned the role for the user.
MAC             MAC address associated with the L3 interface for this user.
VLAN            VLAN ID associated with this interface.
Port            Physical port the user is connected on.
Type            Type of the L2 interface the user is connected on, Router or Host.
EPV Posture     Posture state of the user.
device. When traffic arrives in other directions, it is not examined. To enable port checking, use the following Global Configuration command:

aaa session-tracking do-port-check

Verify the setting of the port check using the show aaa debug command in Global Configuration mode.

SECURITY: Disabling of port checking is not recommended. When disabled, users can replay previously successful login attempts and appear as authenticated on the device.
This command has no options or parameters. The output of the command is similar to this example:

(SafeGuardOS) #show aaa debug
CACHE AGE......................................
L2 AUTH ADDED..................................
L2 AUTH REMOVED................................
L2 AUTH REFRESH................................
L2 AUTH IGNORE.................................
L2 AUTH ERROR..................................
L3 AUTH ADDED.........................
Field  Description
ERROR  Number of PDU errors. The sum of this column should match the total PDU Errors field.
CUR    Current number of events in the queue.
MAX    Maximum queue limit.
HIGH   High water mark.
TOUT   Number of times a user's request was aged out.

Tracking an Authenticated User Session

The authentication component records the time at which a user logs in.
This command has no options or parameters. The output of the command is similar to this example:

(SafeGuardOS) #show aaa timer-config
Protocol Configuration
----------------------
Number of Rows:6

Protocol        Force Ageout (Secs 0 - never)
--------        -----------------------------
mac-radius      600
radius          600
kerberos        600
captive-portal  3600
(SafeGuardOS) #

Field     Description
Protocol  Configured protocols.
Captive Portal can be turned on or off for each port. By default, Captive Portal is disabled on all ports. If Captive Portal is enabled on a port and a user uses a different authentication mechanism (for example, Kerberos), the user is not presented with the Captive Portal screens.

NOTE: Captive Portal can be enabled only on downstream interfaces. The Captive Portal command has no effect on upstream interfaces or on SPAN interfaces.
Configuring the Hijack Port

See the following sections for details on hijack port configuration options:
■ Adding or Changing the Hijack Port
■ Removing the Hijack Port

Adding or Changing the Hijack Port

By default, the SafeGuard OS hijacks port 80. To change or to add additional hijack ports, use the aaa captive-portal hijack-port Global Configuration command.
Configuration command. The system uses both the specified port (for cleartext traffic) and the next port number (for SSL traffic).

aaa captive-portal redirect-port port_number

Syntax Description
port_number  TCP port for redirected traffic.
timer also expires, the user loses the connection with Captive Portal and needs to reauthenticate. Use the aaa captive-portal refresh-interval Global Configuration command to set the timer limits.

aaa captive-portal refresh-interval minutes

Syntax Description
minutes  Interval (in minutes) between refresh reloads. The interval can range from 0 to 720 minutes. The default is 15 minutes. 0 means no refresh.
no aaa captive-portal

NOTE: Captive Portal is supported only on ports that face towards hosts. Entering the command for a network-facing port has no effect.
This command forces the user to use SSL when submitting their username and password. It has no effect on ports added with the use-ssl keyword. To disable HTTPS, use the no form of the command:

no aaa captive-portal https-login

This command has no options or parameters.
Downloading New Certificates

SafeGuard devices ship with default certificates. To download new certificates and new Diffie-Hellman (DH) key material, use the following Global Configuration commands:

copy tftp://ip/file nvram:sslpem-root
copy tftp://ip/file nvram:sslpem-server

Syntax Description
ip    IP address of the TFTP server.
file  Filename of the certificate.
(SafeGuardOS)(config) #exit
(SafeGuardOS) #

Restoring Certificates

If you have changed the certificates and want to restore them to the system defaults, use the clear aaa captive-portal cert-store Global Configuration command:

clear aaa captive-portal cert-store

This command has no options or parameters.
Page Name               Description                                                                                                                                                  HTML Page
Authorization page      The Authorization page is displayed by the SafeGuard device while processing an authentication request.                                                      Authing.html
Refresh or Reload page  After authentication is successful, the SafeGuard device displays the Refresh or Reload pop-up page that continues to refresh a user's session at periodic intervals.  Reload.
— Authing.html
— Reload.html
— Failed.html
— logo.gif
— style.css

Download the HTML files to the SafeGuard Switch or Controller using the following command:

copy tftp://ip/cpfiles.tar nvram:captive-portal

Clearing the Login Page

If you have customized the splash screen and wish to reinstate the default setup, use the Privileged Exec clear aaa captive-portal customization command. This command has no parameters or variables.
Field               Description
Refresh Interval    Interval (in minutes) between refresh reloads. The interval can range from 1 to 720 minutes.
Redirect Port       TCP port for redirected traffic. Valid port range is from 1 to 65535. Port 16978 is the default.
Redirect Location   The server name to which the client is redirected. The default location is cp.Alcatel-Lucent.
Field    Description
DROP     Requests dropped
HDR      Invalid TCP header
FRAG     IP fragment
CHKSUM   Invalid checksum
ACKERR   Number of segments with a bad acknowledgement
RST      TCP resets
RXMIT    Retransmits
SYNRST   TCP SYNs for closed ports
SYNDRP   TCP SYNs for dropped connections

Configuring MAC-Based RADIUS

SafeGuard OS supports MAC-based RADIUS as an active authentication method.
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #interface 0/8
(SafeGuardOS) (interface 0/8) #aaa mac-radius
(SafeGuardOS) (interface 0/8) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

Use the show aaa mac-radius configuration command in Privileged Exec Mode to verify the configuration. For example, the previous configuration of interface 0/8 displays as follows:

(SafeGuardOS) #show aaa mac-radius configuration
Interfaces................
Configuring Device Authentication Lists

Sometimes the normal authentication process needs to be circumvented for a user or a process. SafeGuard OS allows for the creation of special lists—authentication lists—to handle these situations. This chapter explains how to configure those authentication lists. The authentication manager allows you to use these special purpose lists:

■ White list – Allows you to authenticate a user manually.
To create a white list, use the aaa session-tracking white-list id command in Global Configuration mode.

aaa session-tracking white-list id int user name [[mac-address macaddr mac-mask macmask] | [ip-address ipaddr net-mask netmask]] [host hostname] [comment text] [role rolename] [force-timeout sec]

Syntax Description
int    A unique integer for this white-list entry.
name   A string identifying the user.
(SafeGuardOS) (config) #aaa session-tracking white-list id 1 user cisco_1_&_2_users ip-address 170.25.68.10 net-mask 255.255.255.0 host stonehenge comment “engineering requirements” role engineer force-timeout 20
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

Removing a Simple White List Entry

Removing a white list entry reinstates the user to the normal authentication process.
Timeout ....................................... 0
Comment ....................................... unauthenticated printers
(SafeGuard OS) (config) #

Field         Description
ID            A unique system-wide ID.
User Name     The userid of the client being added to the list.
MAC Address   MAC address for the interface of the user. MAC addresses may be specified in any of the following formats:
              ■ aa:bb:cc:dd:ee:ff
              ■ aabb:ccdd:eeff
              ■ aa-bb-cc-dd-ee-ff
              ■ aabb.
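The following is an added example, not SafeGuard OS code, showing how a session-tracking white-list entry keyed by MAC address plus mask or by IP address plus net-mask is matched against a host before the normal authentication process is bypassed. The three MAC notations are the ones the table above lists; the dotted aabb.ccdd.eeff form, the lowest-ID-wins ordering and the second table entry are assumptions made for this example.

```python
# Added example (not SafeGuard OS code): match hosts against white-list entries
# keyed by MAC+mask or IP+net-mask, as in "aaa session-tracking white-list id ...".
# Assumptions: the dotted "aabb.ccdd.eeff" notation is accepted, and when several
# entries match the lowest entry ID wins.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_MAC_SEPARATORS = re.compile(r"[:.\-]")


def parse_mac(text: str) -> int:
    """Return the 48-bit value of a MAC written in any accepted notation."""
    digits = _MAC_SEPARATORS.sub("", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"unrecognised MAC address: {text!r}")
    return int(digits, 16)


@dataclass
class WhiteListEntry:
    entry_id: int
    user: str
    mac: Optional[int] = None            # set only for MAC-keyed entries
    mac_mask: int = 0xFFFFFFFFFFFF       # ff:ff:ff:ff:ff:ff = exact match
    network: Optional[ipaddress.IPv4Network] = None   # set only for IP-keyed entries
    host: str = ""
    comment: str = ""
    role: str = ""
    force_timeout: int = 0               # seconds; 0 = no forced timeout

    def matches(self, mac: Optional[str] = None, ip: Optional[str] = None) -> bool:
        """A MAC-keyed entry needs the host MAC; an IP-keyed entry needs the host IP."""
        if self.mac is not None:
            return mac is not None and (parse_mac(mac) & self.mac_mask) == (self.mac & self.mac_mask)
        if self.network is not None:
            return ip is not None and ipaddress.IPv4Address(ip) in self.network
        return False


def mac_entry(entry_id: int, user: str, mac_address: str, mac_mask: str, **extra) -> WhiteListEntry:
    return WhiteListEntry(entry_id, user, mac=parse_mac(mac_address), mac_mask=parse_mac(mac_mask), **extra)


def ip_entry(entry_id: int, user: str, ip_address: str, net_mask: str, **extra) -> WhiteListEntry:
    network = ipaddress.IPv4Network(f"{ip_address}/{net_mask}", strict=False)
    return WhiteListEntry(entry_id, user, network=network, **extra)


def lookup(entries: List[WhiteListEntry], mac: Optional[str] = None,
           ip: Optional[str] = None) -> Optional[WhiteListEntry]:
    """First matching entry in ID order, or None (host goes through normal authentication)."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.matches(mac=mac, ip=ip):
            return entry
    return None


# Constructed table: entry 1 mirrors the page's example command; entry 2 is made up.
WHITE_LIST = [
    ip_entry(1, "cisco_1_&_2_users", "170.25.68.10", "255.255.255.0",
             host="stonehenge", comment="engineering requirements", role="engineer", force_timeout=20),
    mac_entry(2, "lab_printers", "00-11-22-00-00-00", "ff:ff:ff:00:00:00",
              comment="unauthenticated printers"),
]

if __name__ == "__main__":
    hit = lookup(WHITE_LIST, ip="170.25.68.77")
    print(hit.user if hit else "no white-list entry; normal authentication applies")
```

A mask of ff:ff:ff:00:00:00 makes an entry match a whole vendor OUI, which is how a class of devices (such as the printers in the output above) can be white-listed with one entry.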
entries to call on the same set of match conditions. An attribute rule set consists of:
— The name of the rule
— (Optional) A description
— (Optional) An operation
— A set of match statements

2 Create the extended white list entry.
This step allows you to define a string that describes the entry. Specify the description in double quotation marks. In Attribute Rule submode, use the description statement with the following syntax:

description string

Syntax Description
string   The description of the attribute rule being created. Enter the string in double quotation marks.
4 Define the match conditions.

The match statement describes what constitutes a match against the attribute rule. All match attributes are string values that are identified in the system by an attribute class and an attribute name. The notation for attributes is: class.name.

NOTE: Match statements are not case sensitive.
match class.name rule-op value

Syntax Description
class.name
■ System attributes are shown in System Attributes for Attribute Rules on page 241.
■ DHCP attributes are shown in DHCP Attributes for Attribute Rules on page 243.
Each attribute type can support one or more rule comparator operations, depending on the class.name.
Table 18 System Attributes for Attribute Rules (continued)

Attribute          Description
system.portNum     Match rule based on user slot/port. Supported operations for this attribute are:
                   ■ equals
                   ■ greater-than
                   ■ less-than
                   ■ not
system.srcIP       Match rule based on source IP. Supported operations for this attribute are:
                   ■ contains
                   ■ equals
                   ■ not
system.srcMAC      Match rule based on source MAC.
system.timeOfDay
system.vlanID
Table 19 DHCP Attributes for Attribute Rules

Attribute              Description
dhcp.netmask (1)       Match rule based on value of dhcp.netmask. Supported operations are:
                       ■ equals
                       ■ exists
                       ■ not
dhcp.timeOffset (2)    Match rule based on the value of dhcp.timeOffset. Supported operations are:
                       ■ equals
                       ■ exists
                       ■ greater than
                       ■ less than
                       ■ not
dhcp.router (3)        Match rule based on value of dhcp.router.
dhcp.hostName (4)
dhcp.domainName (15)
dhcp.serverIP (54)
Table 19 DHCP Attributes for Attribute Rules (continued)

Attribute               Description
dhcp.vendorClass (60)   Match rule based on value of dhcp.vendorClass. Must be an ASCII text string in order to be processed (if not, any rule match against it will fail). Supported operations are:
                        ■ contains
                        ■ equals
                        ■ exists
                        ■ not
dhcp.userClass (77)     Match rule based on value of dhcp.userClass.
dhcp.leaseTime (51)
aaa extended white-list entry_name

Syntax Description
entry_name   The name of the white list entry being created.

Suppose your IT department has a lab or office where they perform installations. The devices boot with a special DHCP class ID, which is changed during the installation. The following example creates an extended white list entry called “WHinstall” for those device installations.
operation [AND | OR]

Syntax Description
AND   Specifies that all of the conditions in the following match statements must be true for the attribute rule to be true.
OR    (Default) Specifies that only one of the match statements must be true for the attribute rule to be true.

The AND logical operator specifies that all conditions must match.
class.attr   The name of a system or DHCP attribute. These attributes are listed in Table 18 on page 241 and Table 19 on page 243.

When both match conditions are satisfied, the set command assigns the user name and role for the host.
The apply command for the DHCP install scenario is:

(SafeGuardOS) (config) # aaa extended white-list apply WHinstall precedence 100
(SafeGuardOS) (config) #

Removing an Extended White List Entry

Before removing the extended white list entry, remove the apply for the white list using the following command in Global Configuration mode:

no aaa extended white-list apply whitelist_name

Syntax Description
whitelist_name   White list name in character str
Showing Attribute Rules Information

To display information about a single attribute rule or all attribute rules, use the show aaa attribute-rules configuration command with the following syntax:

show aaa attribute-rules configuration {rule_name}

Syntax Description
rule_name   Displays the description of the attribute rule. If you do not specify an attribute rule name, all configured attribute rules are displayed.
The fields in the output represent:

Field             Description
Precedence        The precedence order for the white list. Valid values are 1 through 65535, with 1 being the highest precedence value.
White List Name   The name of the white list entry.
Hit Count         The number of times a white list’s condition has matched, causing the variables to be set.
Hit Failures      The number of times a match was made, but the variable could not be assigned.
Creating a Grey List Entry

To create a grey list entry, use the aaa session-tracking grey-list id command in Global Configuration mode:

aaa session-tracking grey-list id entryid user name {is-partial}

Syntax Description
entryid      A unique numerical ID.
name         The userid being dropped from logging.
is-partial   (Optional) Use to match part of a string.

In the following example, user admin is added to the grey list.
1 admin yes
(SafeGuardOS) (config) #

Field        Description
ID           A system-generated indicator.
User         The userid of the user not being logged.
Is Partial   A partial string identifier used when you want to match part of a string.

Setting Up Authentication Servers

This chapter explains the different types of user authentication available in SafeGuard OS.
seconds   Number of seconds between retries to the backend server. The default is 3.

The following example configures a RADIUS server:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #aaa radius-server 1 ip-address 192.200.187.101 key r0kar0unddaCl0ck port 4078 retransmit timeout 4
(SafeGuardOS) (config) #exit
(SafeGuardOS) #

To remove a RADIUS server, use the no version of the command.
Show AAA RADIUS Server Statistics

The show aaa radius-server statistics command provides information about the transmissions to and from the server. The Privileged Exec command has the following syntax:

show aaa radius-server statistics

The command has no options or keywords. The following example and sample output are representative of the command:

(SafeGuardOS) #show aaa radius-server statistics
Server.........................................
Configuring Active Directory Servers

For networks using Active Directory (AD) for authentication, SafeGuard OS can query the backend AD servers for user attributes. SafeGuard OS maintains a list of the AD servers and retrieves the information from AD by domain name and by server IP address. You can have multiple servers per domain. SafeGuard OS first searches AD by domain, then by IP address.
Displaying Active Directory Configurations

There are Privileged Exec show commands to display AD and LDAP configurations. See the following sections:
■ Showing AAA LDAP Servers Configuration
■ Showing AAA LDAP Servers Status

Showing AAA LDAP Servers Configuration

To display information about AD and LDAP configurations, use the show aaa ldap-servers configuration command.
Field   Description
SSL     The secure socket layer. Valid values are enabled or disabled. Enabled is the default and encrypts the connection. Disabled indicates that passwords are sent in clear text.

Showing AAA LDAP Servers Status

The show aaa ldap-servers status command provides information about the transmissions to and from the server.
Field           Description
Bind Failures   The number of times the system has failed to bind to this server.
Other Errors    The total number of failures, other than bind failures and timeouts, that have occurred on this server.

Maintaining Users

SafeGuard OS has a local authentication mechanism built in to the authentication manager. You can use SafeGuard OS’ authentication in stand-alone mode or use it with external authentication servers such as RADIUS.
The following example adds a user with and without a role:

(SafeGuardOS) (config) #aaa user test passwd test role engineer
(SafeGuardOS) (config) #aaa user test1 passwd test1
(SafeGuardOS) (config) #

Deleting a User from the Database

To remove a user from the database, use the no version of the aaa user command in Global Configuration Mode.
Clearing an Authenticated User

Entries are aged from the user table at configurable intervals. You can also clear them by using the CLI. To clear authenticated users, use the clear aaa user Privileged Exec command.

clear aaa user [all | [ip-address ipaddr]]

Syntax Description
all      All user sessions are removed from the user table.
ipaddr   The user session matching this IP address is removed from the user table.
Field          Description
Session Type   The type of connection the user is using. The session type can be either telnet or serial.

Configuring Remote Authentication

In addition to local authentication, SafeGuard OS also supports authentication by RADIUS servers.
■ Host – This component has many names; it is also referred to as the supplicant, the client, or the workstation. It is the device that is making the request to the LAN for switch services.
■ Switch – This component is the SafeGuard Switch. The switch controls the physical access to the network using the authentication status of the host.
■ RADIUS server – This component is the remote authentication server.
— Open1x X supplicant for Linux systems
■ RADIUS servers
— OpenSource FreeRADIUS
— Juniper Networks Steel-Belted Radius
— Microsoft Internet Authentication Server (IAS) for Windows 2000
— Microsoft IAS for Windows 2003
— Open Systems Consultants Radiator

The SafeGuard Switch supports the following EAP authentication types or methods on hosts.
If you plan to take advantage of the SafeGuard features, in addition to setting the protection mode you need to control the port authorization state. You set the port’s authorization state using the aaa dot1x port-control command, which works in either Global Configuration mode or Interface Configuration mode. The commands use the following keywords:

Force Authorized   The port acts as if 802.1x is disabled.
To configure 802.1x authentication:

NOTE: If you plan to connect the host to a VLAN, complete the VLAN configuration before setting up 802.1x authentication.

1 Prepare for authentication by configuring the following:
— One or more RADIUS servers for backend authentication. See Configuring RADIUS Servers on page 252.
— The local user database. See Configuring Rule Maps on page 279.
2 Enable 802.
no aaa dot1x port-control all

Syntax Description
auto                 (Default) Specifies that all ports enforce 802.1x authentication for 802.1x clients and grants controlled access to an authenticated 802.1x client. 802.1x communicates status changes of clients to the Authentication Manager.
force-unauthorized   Specifies that all ports are blocked and are administratively unauthorized. Traffic is prohibited in all directions for all clients.
no aaa dot1x port-control

Syntax Description
auto                 (Default) Specifies that all ports enforce 802.1x authentication for 802.1x clients and grants controlled access to an authenticated 802.1x client. 802.1x communicates status changes of clients to the Authentication Manager.
force-unauthorized   Specifies that all ports are blocked and are administratively unauthorized. Traffic is prohibited in all directions for all clients.
■ Showing Summary Information for 802.1x

Showing a Detailed Configuration

Use the show aaa dot1x detail command to display all of the 802.1x configuration information for a specified interface. The command has the following syntax:

show aaa dot1x detail slot/port

Syntax Description
slot/port   Displays the 802.1x configuration for this interface. The slot number is 0.
Display                   Description
Authenticator PAE State   Displays the current state of the authenticator PAE state machine. Possible values are:
                          ■ Initialize
                          ■ Disconnected
                          ■ Connecting
                          ■ Authenticating
                          ■ Authenticated
                          ■ Aborting
                          ■ Held
                          ■ ForceAuthorized
                          ■ ForceUnauthorized
Quiet Period              Displays the timer used by the authenticator state machine on this port to define periods of time in which it does not attempt to acquire a supplicant.
Display             Description
Control Direction   Displays the control direction for the specified port. The control direction is always both directions.

Showing 802.1x Statistics

Use the show aaa dot1x statistics command to display the statistics for a specified interface.

show aaa dot1x statistics slot/port

Syntax Description
slot/port   Displays the 802.1x statistics for this interface. The slot number is 0.
Display                        Description
EAPOL Logoff Frames Received   Displays the number of EAPOL logoff frames of any type that are received by this authenticator.
Last EAPOL Frame Version       Displays the protocol version number carried in the most recently received EAPOL frame.
Last EAPOL Frame Source        Displays the source MAC address carried in the most recently received EAPOL frame.
0/2    auto
0/3    auto
0/4    auto
0/5    auto
0/6    auto
0/7    force-authorized
0/8    force-authorized
0/9    auto
0/10   auto
0/11   auto
0/12   auto
0/13   auto
0/14   auto
0/15   auto
0/16   auto
0/17   auto
0/18   auto
0/19   auto
0/20   auto
0/21   auto
0/22   auto
0/23   auto
0/24   auto
0/25   auto
0/26   auto
0/27   auto
0/28   auto
0/29   auto
0/30   auto
0/31   auto
0/32   auto
0/33   auto
0/34   auto
0/35   auto
0/36   auto
0/37   auto
0/38   auto
0/39   auto
0/40   auto
(SafeGuardOS) #
Display                    Description
Operating Control Mode     Displays the control mode under which this port is operating. Possible values are:
                           ■ authorized
                           ■ unauthorized
Reauthentication Enabled   Displays whether re-authentication is enabled on this port. Values are either true or false.
Port Status                Displays the authorization of the port. Values are either authorized or unauthorized.

Optional 802.1x Configuration Commands

Optional 802.
Initializing the 802.1x Port

Use the aaa dot1x initialize command in Privileged Exec mode to begin the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is 'auto'. If the control mode is not 'auto', an error is returned.

aaa dot1x initialize slot/port

slot/port   Port on which to begin the initialization sequence. The slot number is 0.
no aaa dot1x max-req

count   Maximum number of transmissions. The range is 1 to 10. The default value is 2.

The following example is representative of the command:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #interface 0/5
(SafeGuardOS) (interface 0/5) #aaa dot1x max-req 5
(SafeGuardOS) (interface 0/5) #

Re-authenticating the Supplicant for the 802.
quiet-period seconds   Sets the value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 - 65535. The default value is 60.
Each rule in the rule map is evaluated, in order, against information in the user authentication event. If the rule map's conditions are met, the rule map is said to match. When a rule map matches, a role value can be assigned to the user. The role value can be explicitly specified, or it can be derived based on the value of some information in the authentication event.
Attribute          Description
system.timeOfDay   Time of day when the user authenticated
system.roleName    A special attribute, used to assign a role to the user based on a rule-map match

AD and RADIUS also have attributes that can be used for deriving a role. AD attributes are queried using LDAP when a user authenticates. For each domain, the SafeGuard device has one or more domain controllers that it can query.
Configuring Rule Maps

To create a rule map, follow the steps described in the following sections:
1 Assigning a Name
2 Adding a Description
3 Specifying Logical Operators (Optional)
4 Configuring the Rule Map Attributes
5 Setting the Role
6 Continuing or Stopping Assigning Roles
7 Applying the Rule Map and Assigning a Precedence

NOTE: The syntax for creating a rule map is lengthy.
description string

Syntax Description
string   Description of the rule map being created. Enter the string in double quotation marks.
(SafeGuardOS) (config) #

In this example, the role name is picked up and assigned from the value of the Active Directory department attribute if the entry is listed on the AD server and the domain name has “corp” within the name.
Table 21 Match Attributes When Creating a Rule (continued)

Attribute Area      Description
RADIUS Attributes   RADIUS attributes are learned from RADIUS protocol exchanges. The class.name notation in the match statement for standard RADIUS attributes translates to radius.attrName. For RADIUS vendor-specific extensions (VSAs), this is radius.vendor.attrName. For example, NAS-IP would be given as radius.
To match attribute values, use the match command in rulemap mode:

match class.name rule-op value

Syntax Description
class.
Table 22 AD Attributes (continued)

Attribute       Description
ad.comment      Match rule based on value of ad.comment. Supported operations for this attribute are: contains, equals, exists, not.
ad.commonName   Match rule based on value of ad.commonName. Supported operations for this attribute are: contains, equals, exists, not.
ad.company      Match rule based on value of ad.company.
Table 22 AD Attributes (continued)

Attribute                           Description
ad.hostMemberOf                     Match rule based on value of ad.hostMemberOf. Supported operations for this attribute are: contains, exists, not.
ad.hostOperatingSystem              Match rule based on value of ad.hostOperatingSystem. Supported operations for this attribute are: contains, equals, exists, not.
ad.hostOperatingSystemServicePack   Match rule based on value of ad.hostOperatingSystemServicePack.
Table 23 RADIUS Attributes

Attribute                        Description
radius.calledStation             Match rule based on the RADIUS Called Station attribute. Supported operations for this attribute are: contains, equals, not.
radius.callingStation            Match rule based on the RADIUS Calling Station attribute. Supported operations for this attribute are: contains, equals, not.
radius.Alcatel-Lucent.roleName   Match rule based on the RADIUS Alcatel-Lucent attribute.
Table 23 RADIUS Attributes (continued)

Attribute               Description
radius.nasServiceType   Match rule based on the RADIUS NAS service type attribute. Supported operations for this attribute are: equals, exists, not.
radius.reply            Match rule based on the RADIUS Reply attribute. Supported operations for this attribute are: contains, equals, not.
radius.userName         Match rule based on the RADIUS User Name attribute.
Table 24 System Attributes

Attribute           Description
system.authType     Match rule based on authentication type used. Supported operations for this attribute are: equals, not.
system.domainName   Match rule based on value of domain name. Supported operations for this attribute are: contains, equals, not.
system.mapType      Match rule based on mapping type used. Supported operations for this attribute are: equals, not.
system.
Table 25 DHCP Attributes (continued)

Attribute         Description
dhcp.hostName     Host name option (12), as supplied by the DHCP client.
dhcp.domainName   Domain name option (15), as supplied by the DHCP server.
dhcp.leaseTime    Lease time option (51), which is the number of seconds the IP address lease is good for.
dhcp.serverIP     IP address of the granting server, option (54).
dhcp.
The following example defines a rule-map called execStaff and creates two match statements for that rule-map.

(SafeGuardOS) (config) # aaa rule-map execStaff
(SafeGuardOS) (rulemap) # description “The top brass of the company”
(SafeGuardOS) (rulemap) # match ad.distinguishedName contains “Finance”
(SafeGuardOS) (rulemap) # match ad.distinguishedName contains “Exec”
(SafeGuardOS) (rulemap) # set system.
(SafeGuardOS) (rulemap) # set system.roleName “specialPerson”
(SafeGuardOS) (rulemap) # end
(SafeGuardOS) (config) #

In this next example, the role name is set to any match in the list. Therefore, matches for Sales are set to sales and matches for Engineering are set to engineering.
Building off of the previous example of the two types of user groups, we would want to assign a higher precedence value to the “highPower” user group over the normal “user” group.
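The following is an added example, not SafeGuard OS code, that models the rule-map and attribute-rule evaluation described in this section and in the extended white-list section earlier: ordered match class.name rule-op value statements combined with AND/OR, a role set either literally or derived from an attribute value, a stop/continue action, and application in precedence order with 1 as the highest precedence. The rule maps are modelled on the page's execStaff, j9 and AD department examples; the following are assumptions made for the example: "not" means "does not equal", a missing attribute satisfies only "not", a set value written as class.name copies that attribute from the event, the default action is "continue", and the sample event values are constructed.

```python
# Added example (not SafeGuard OS code): a rule-map evaluator for the semantics
# described on this page. Assumptions: "not" = does not equal; a set value with a
# '.' in it names an attribute to copy; default action is "continue"; comparisons
# are case-insensitive, as the page says match statements are.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]   # "class.name" -> value taken from the authentication event


def _number(text: str) -> float:
    try:
        return float(text)
    except ValueError:
        raise ValueError(f"greater-than/less-than need numeric values, got {text!r}")


def evaluate_op(rule_op: str, actual: Optional[str], value: str) -> bool:
    """One match statement. `actual` is None when the event lacks the attribute."""
    op = rule_op.lower()
    if op == "exists":
        return actual is not None
    if actual is None:
        return op == "not"            # a missing attribute can only satisfy "not"
    a, v = actual.lower(), value.lower()
    if op == "equals":
        return a == v
    if op == "not":
        return a != v
    if op == "contains":
        return v in a
    if op == "greater-than":
        return _number(a) > _number(v)
    if op == "less-than":
        return _number(a) < _number(v)
    raise ValueError(f"unknown rule-op {rule_op!r}")


@dataclass
class RuleMap:
    name: str
    matches: List[Tuple[str, str, str]]   # (class.name, rule-op, value)
    set_role: str                         # literal role, or class.name to copy from the event
    operation: str = "or"                 # page: OR is the default
    action: str = "continue"              # "stop" ends role assignment after this map matches
    description: str = ""

    def is_match(self, event: Event) -> bool:
        results = [evaluate_op(op, event.get(attr), value) for attr, op, value in self.matches]
        return all(results) if self.operation.lower() == "and" else any(results)

    def role_for(self, event: Event) -> Optional[str]:
        if "." in self.set_role:          # derived role, e.g. "ad.department"
            return event.get(self.set_role)
        return self.set_role


def derive_role(applied: List[Tuple[int, RuleMap]], event: Event) -> Tuple[Optional[str], List[str]]:
    """`applied` holds (precedence, rule map) pairs; the lowest precedence number is tried first.
    Returns the final role and the names of the rule maps that matched, in evaluation order."""
    role, matched = None, []
    for _, rule_map in sorted(applied, key=lambda pair: pair[0]):
        if not rule_map.is_match(event):
            continue
        matched.append(rule_map.name)
        new_role = rule_map.role_for(event)
        if new_role is not None:
            role = new_role
        if rule_map.action.lower() == "stop":
            break
    return role, matched


# Rule maps modelled on the page's examples (j9, execStaff and the AD department case)
J9 = RuleMap("j9", [("system.userName", "equals", "jjones")], "writer", action="stop")
EXEC_STAFF = RuleMap("execStaff",
                     [("ad.distinguishedName", "contains", "Finance"),
                      ("ad.distinguishedName", "contains", "Exec")],
                     "specialPerson", description="The top brass of the company", action="stop")
BY_DEPARTMENT = RuleMap("byDepartment",
                        [("ad.department", "exists", ""), ("system.domainName", "contains", "corp")],
                        "ad.department", operation="and")
APPLIED = [(10, J9), (20, EXEC_STAFF), (100, BY_DEPARTMENT)]

if __name__ == "__main__":
    # Constructed authentication event for illustration
    event = {"system.userName": "plee", "system.domainName": "corp.example",
             "ad.distinguishedName": "CN=Pat Lee,OU=Exec,DC=corp,DC=example",
             "ad.department": "Finance"}
    print(derive_role(APPLIED, event))
```

Because the j9 map stops evaluation, a user it matches never reaches the department-derived map; giving the more specific map the lower precedence number is what makes the “highPower” over “user” ordering in the text work.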
Showing Rule Map Usage

To display the activity level of one or more rule maps, use the show aaa rule-maps application command in Privileged Exec mode:

show aaa rule-maps application {mapname}

Syntax Description
mapname   (Optional) Displays the usage for the specified rule-map. If you do not specify a rule map name, all configured rule maps are displayed.
The following example is representative of the command output:

(SafeGuardOS) # show aaa rule-maps configuration j9
aaa rule-map j9
 operation or
 action stop
 match system.userName equals “jjones”
 set system.roleName “writer”
(SafeGuardOS) #

Adding VSAs to the Dictionary File

To add the VSA to the VSA dictionary file, use the following syntax:

vendorName vendor-ID stringName VSA-ID type

Syntax Description
vendorName   RADIUS vendor name.
type   Each vendor has a unique 3-byte OUI which is appended to a one-byte tag to provide a VSA value. These are conforming attributes. Each conforming attribute in the system can be of the following types:
■ int – The protocol unit being specified is converted into a standard 32-bit signed integer. If fewer than 4 bytes are found in the PDU, the resulting value is sign extended. If more than 4 bytes are found, the value is truncated.
To remove already configured VSAs, use either the write erase or the clear aaa radius-dictionary command.
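The following is an added example, not SafeGuard OS code, covering the two preceding passages: it parses dictionary lines in the vendorName vendor-ID stringName VSA-ID type form and decodes a RADIUS Vendor-Specific attribute against them, applying the int rule above (32-bit signed, sign-extended when shorter than 4 bytes, truncated when longer). The attribute layout used is the RFC 2865 one (4-byte vendor id followed by vendor-type, vendor-length and value). Assumptions: truncation keeps the leading 4 bytes, a string type exists alongside int, and the vendor id 99999, the attribute names and the packet bytes are constructed for the example.

```python
# Added example (not SafeGuard OS code): parse VSA dictionary lines and decode a
# RADIUS Vendor-Specific attribute (type 26, RFC 2865 layout) against them.
# Assumptions: "int" truncation keeps the leading 4 bytes; a "string" type exists;
# vendor id 99999 and the attribute names are made up.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VsaDefinition:
    vendor_name: str
    vendor_id: int
    attr_name: str
    vsa_id: int
    attr_type: str      # "int" or "string"


def parse_dictionary(text: str) -> Dict[Tuple[int, int], VsaDefinition]:
    """Index definitions by (vendor-ID, VSA-ID); blank lines and '#' comments are skipped."""
    table: Dict[Tuple[int, int], VsaDefinition] = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) != 5:
            raise ValueError(f"line {line_no}: expected 5 fields, got {len(parts)}")
        vendor_name, vendor_id, attr_name, vsa_id, attr_type = parts
        if attr_type not in ("int", "string"):
            raise ValueError(f"line {line_no}: unsupported type {attr_type!r}")
        definition = VsaDefinition(vendor_name, int(vendor_id), attr_name, int(vsa_id), attr_type)
        table[(definition.vendor_id, definition.vsa_id)] = definition
    return table


def decode_int(value: bytes) -> int:
    """Conforming 'int': 32-bit signed; short values are sign-extended, long ones truncated."""
    if not value:
        raise ValueError("empty integer value")
    return int.from_bytes(value[:4], "big", signed=True)


def decode_vsa(payload: bytes, table: Dict[Tuple[int, int], VsaDefinition]) -> List[Tuple[str, object]]:
    """payload is the value field of RADIUS attribute 26. Returns (vendor.attr, value) pairs;
    attributes missing from the dictionary are reported under a numeric name, not dropped."""
    if len(payload) < 4:
        raise ValueError("VSA payload shorter than the 4-byte vendor id")
    vendor_id = int.from_bytes(payload[:4], "big")
    decoded: List[Tuple[str, object]] = []
    pos = 4
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):
            raise ValueError(f"bad vendor-length {vlen} at offset {pos}")
        raw = payload[pos + 2:pos + vlen]
        definition = table.get((vendor_id, vtype))
        if definition is None:
            decoded.append((f"{vendor_id}.{vtype}", raw))
        elif definition.attr_type == "int":
            decoded.append((f"{definition.vendor_name}.{definition.attr_name}", decode_int(raw)))
        else:
            decoded.append((f"{definition.vendor_name}.{definition.attr_name}",
                            raw.decode("utf-8", errors="replace")))
        pos += vlen
    return decoded


def build_vsa(vendor_id: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a VSA payload (used here only to construct sample input)."""
    body = b"".join(bytes([vtype, len(value) + 2]) + value for vtype, value in attrs)
    return vendor_id.to_bytes(4, "big") + body


# Constructed dictionary and sample attribute for the example
DICTIONARY = parse_dictionary("""
# vendorName vendor-ID stringName VSA-ID type
ExampleVendor 99999 roleName 1 string
ExampleVendor 99999 sessionLimit 2 int
""")
SAMPLE = build_vsa(99999, [(1, b"engineer"), (2, b"\xff\xfe"), (3, b"\x01")])

if __name__ == "__main__":
    for name, value in decode_vsa(SAMPLE, DICTIONARY):
        print(name, value)
```

The length checks matter: a vendor-length below 2 or beyond the payload would otherwise loop or read past the attribute, which is the kind of malformed input a RADIUS parser on an enforcement device must reject rather than trust.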
Chapter 7 Establishing a Security Policy

In this chapter:
■ Policy Concepts
■ System White-Black List
■ User Policies
■ Configuring User Policies
■ EPV Policies
■ Configuring Policy-Based Mirroring
■ Policy Debug
■ System Generated Policies and Roles
■ Displaying Policy Configurations
Policy Concepts

Policy is an important aspect of the SafeGuard OS solution. This chapter discusses the key concepts of policy, how to develop a policy workflow, and procedures for coding policy commands. Policies are the rules that govern access for users and resources. We use policies to establish the boundaries and enforce a security philosophy for these users and resources.
the system can enforce access control based on what the user is doing with the application and extend enforcement from Layer 3 through Layer 7. User policies are discussed in User Policies on page 305.

Traffic Flow

Unlike competitive products, SafeGuard devices are not packet-based, nor do they use packet-based control mechanisms. Instead, the system initiates policy enforcement on TCP connections or groupings of UDP packets. These connections are called flows.
1 The ranking of the type of policy
2 The precedence of the policy within a policy type

Policies have an internal ranking system that stacks the policies in the order shown in Figure 8. This ranking is done by SafeGuard OS and cannot be overridden by users.
Policy Precedence

Multiple user policies can be assigned to a role. When a user policy is applied to a role, it too can have a precedence. Precedence numbers can be in the range of 1 to 65535, where 1 has the highest precedence and 65535 the lowest. Policy precedence comes before rule precedence. Figure 9 shows an example of policy precedence.
2 Using your existing corporate security plan and documents for organizing your role hierarchy, organize your users, servers, and other resources into logical groups. As mentioned before, users are organized by role. Resources can also be organized into network zones, which are collections of nodes and network segments. A network zone is an easy way to take all of the resources for a group and name that entity.
2 Specify one or more MAC addresses, VLANs, or IP addresses (TCP, UDP, or ICMP) to add using the command:

system white-black list [mac mac_addr mask | vlan vlan | IP address] [deny|permit] {description string}

Syntax Description
mac_addr   MAC address that overrides policy. The MAC address can be either the source or destination address; it is independent of direction.
phones. However, she wants an exception for one IP phone to be permitted. The order of the entries becomes important.
User Policies

User policies allow the control of user access to network resources. When a user logs on to the network, the host starts authentication. It provides the user name and password information to the authentication server, such as Microsoft AD or Kerberos. The SafeGuard device notes the machine’s IP address, the user name, and that it is in the process of authenticating.
Figure 10 Policies, Rules, and Roles (figure: the authentication server returns credentials and role information for user Pat Lee, role Software Engineer; the SLC matches the role to a set of policies, each consisting of Rule 1 through Rule n)

Therefore, when you enforce a policy you are applying a set of rules against a user role.

Role Hierarchy

Each role has a different set of privileges.
Figure 11 Role Hierarchy (figure: roles ordered from least specific, Authenticated, through Engineering, Marketing, and Finance, to most specific, such as Hardware, Software, Asia-Pac, and US)

Layer 7 Policies

A unique feature of SafeGuard OS is the ability to enforce policies at the Application Layer. A Layer 7 policy is a type of user policy. By defining an application group, you could restrict a vendor or contractor from using an application such as FTP.
Policy Made Simple
For those who are new to configuring policies, start with some simple, yet powerful policy statements. For example:
■ Network Zone – a collection of nodes and network segments.
■ Application Group – a method of permitting or denying a group of applications.
■ Application Filters – a further refinement of an application group.
Network Zone
An easy way to define a collection of nodes or network segments is to create a network zone.
— Network – By a subnet
network ipaddr mask
Syntax Description
ipaddr  An IP address.
mask  A subnet mask in dotted-quad notation. For example, 255.255.255.255.
This example specifies the finance_servers zone by subnet:
(SafeGuardOS) (config) # network-zone finance_servers
(SafeGuardOS) (network_zone) # network 192.168.0.0 255.255.252.
For an additional example of network zones, see Network Zones Example on page 321.
Application Group
Application groups are collections of application protocols used to filter Layer 7 applications in rules.
(SafeGuardOS) (app-group) # application MSMIM
(SafeGuardOS) (app-group) # application YAHOOIM
(SafeGuardOS) (app-group) #
The no version of the command removes an application from an existing group. For example, this statement removes AOLIM from verbotemIM:
(SafeGuardOS) (app-group) # no application AOLIM
(SafeGuardOS) (app-group) #
For an additional example of application groups, see Application Groups Example on page 322.
3 Specify the filter conditions:
FTP [FileName|UserName] [{contains string}|{does-not-contain string}|{does-not-end-with string}|{does-not-match string}|{does-not-start-with string}|{ends-with string}|{matches string}|{starts-with string}]
Syntax Description
string  A value to be matched against.
Creating HTTP Application Filters
Ed.
3 Specify the filter conditions:
HTTP [Host [{contains string}|{does-not-contain string}|{does-not-end-with string}|{does-not-match string}|{does-not-start-with string}|{ends-with string}|{matches string}|{starts-with string}]| UserAgent [contains string | does-not-contain string]| ContentType [contains string]]
Syntax Description
string  A value to be matched against.
{operation [OR]}
Syntax Description
OR  Logical OR operator.
CIFS [UserName [{contains string}|{does-not-contain string}|{does-not-end-with string}|{does-not-match string}|{does-not-start-with string}|{ends-with string}|{matches string}|{starts-with string}]| FileName contains string]
Syntax Description
string  A value to be matched against.
Assigning the Policy a Name
To define a user policy, begin by assigning a name to the policy using the Global Configuration command:
policy user name
Syntax Description
name  A name that identifies the policy.
For example, the following statement defines a policy for the Finance group called finance_policy.
(SafeGuardOS) (config) # policy user finance_policy
(SafeGuardOS) (policy-user) #
After defining the policy name, the system goes into user policy mode.
info  Indicates an informational severity; the message displays in white.
major  Indicates a major severity; the message displays in orange.
minor  Indicates a minor severity; the message displays in yellow.
filter name {direction} from source to destination protocol action {[mirror] [log] [precedence number]}
Syntax Description
name  Name of the user filter.
direction  Specifies the direction in which a flow is initiated.
protocol  Matches the IP protocol of the traffic. It can be any of the following:
■ any – Wildcard, which matches TCP or UDP protocols and applications
■ application-filter – L7+ rule. Configuring application filters is discussed separately. For more details, see Application Filters on page 311.
■ application-group – L7 application. Configuring application groups is discussed separately. For more details, see Application Group on page 310.
action  Specifies the action to be taken if the traffic matches the preceding patterns. When log is specified, the event is sent to OmniVista SafeGuard Manager as part of Visualization. Action can be any of the following:
■ action deny – drop the packet
■ action deny RESET – drop the packet and reset the denied TCP connection (L7 only)
■ action permit – permit the packet
mirror  Mirror the flow. For more details, see Configuring Policy-Based Mirroring on page 323.
The procedure for creating a role is:
1 Assigning the Role a Name on page 320
2 Defining the Parent Role on page 320
3 Configuring the Role for User or Malware Policies on page 320
Assigning the Role a Name
Assign the role a name using the Global Configuration command:
user-role name
Syntax Description
name  A name that identifies the role.
This statement creates a user role called finance.
In this example, we are binding both a malware policy and a user policy to the Finance role. We are also assigning a precedence number to the user policy, but we are allowing the system to assign an auto-precedence number to blaster-policy.
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #network-zone nzSample1
(SafeGuardOS) (network-zone) #host ip-address 192.168.4.7
(SafeGuardOS) (network-zone) #host mac-address 00:ab:cd:11:22:33
(SafeGuardOS) (network-zone) #network 192.168.200.0 255.255.255.0
(SafeGuardOS) (network-zone) #range 192.168.5.1 192.168.5.
(SafeGuardOS) (config) #policy user policySshTelnetWinNY
(SafeGuardOS) (policy-user) #filter f1 from any to any application-group agSshTelnetWinNY deny log precedence 20
(SafeGuardOS) (policy-user) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
Overriding System Policies with a User Policy
In the rare case where it is necessary to temporarily override a system policy, create an override policy.
Policy-based mirroring is used in user and malware policies to mirror specific host activities. Port 21 on the OmniAccess 2400 SafeGuard and port 9 on the OmniAccess 1000 SafeGuard may be configured as the destination port for mirroring. To configure policy-based mirroring, use the monitor policy-based destination m1 command in Global Configuration mode.
policy debug [enable | disable]
Syntax Description
enable  Enables the capture of debug information.
disable  Disables the capture of debug information.
To verify the settings of policy debug, use the show policy debug command as discussed in Showing Policy Debug on page 330.
System Generated Policies and Roles
SafeGuard OS creates policies and roles for internal use.
EPV System Policies
EPV also maintains a system-level policy to permit EPV processing for certain types of packets.
Filter System_Redirect-epvhttp-tcp from any to host 69.233.160.203 tcp 31862 redirect-cpu precedence 7
EPV also has system-level bypass policies to bypass certain types of packets:
(SW108) #show policy epv system
policy epv "System-epv"
filter "bypass1" from host 255.255.255.255 to any any bypass precedence 1
filter "bypass2" from network 0.0.0.
Displaying Policy Configurations
Following are Privileged Exec show commands to display policy and policy-related configurations:
Command  Use
show application-filters  Displays the filters for all policy application rules.
show application-group  Displays either a specific application-group configuration or all application groups.
show monitor policy-based  Displays the mirror configuration.
show application-filter [filter_name | all]
Syntax Description
filter_name  Displays the named application filter.
all  Displays all configured application filters.
application FTP
application SSH
application TELNET
!
application-group Web
application ALT-HTTP
application HTTP
!
Showing Policy-Based Mirroring
The Privileged Exec show monitor policy-based command displays the assignment for the mirroring ports. The destination port for an OmniAccess 2400 SafeGuard is 0/21 and for an OmniAccess 1000 SafeGuard it is 0/9.
show monitor policy-based
The command has no options or parameters.
Showing Policy Debug
The show policy debug command indicates whether policy debug is enabled or disabled.
show policy debug
The command has no options or parameters. The following sample output is representative of the show policy debug command:
(SafeGuardOS) # show policy debug
Policy Debug is Enabled
(SafeGuardOS) #
Showing Policy Enforcement-Priority
The show policy enforcement-priority command is an easy way to display the ranking of policies for a user.
The command has no options or parameters. The following sample output is representative of the show policy epv host-table command:
(SafeGuardOS) #show policy epv host-table
Global EPV status: enabled
IP               MAC                Policy
------------------------------------------------
172.16.145.17    00:0c:29:93:c4:51  dynamic_e
172.16.145.2     00:11:11:79:c4:de  dynamic_a
The fields in the output represent:
Field  Description
Global EPV status  Indicates whether EPV is enabled or disabled.
The command has no options or parameters. The following sample output is representative of the show policy epv system command:
(SW108) #show policy epv system
policy epv "System-epv"
filter "bypass1" from host 255.255.255.255 to any any bypass precedence 1
filter "bypass2" from network 0.0.0.0 255.255.255.255 to any any bypass precedence 2
filter "bypass3" from network 224.0.0.0 240.0.0.0 to any any bypass precedence 3
filter "bypass4" from network 127.0.0.0 255.0.
filter System_CPAuthRedir-2 from any to any tcp 16979 redirect-cpu precedence 2
!
policy user System_Redirect severity MAJOR
filter System_Redirect-radius from any to any udp 1812 copy-cpu precedence 1
filter System_Redirect-dhcp-1 from any to any udp 67 copy-cpu precedence 2
filter System_Redirect-dhcp-2 from any to any udp 68 copy-cpu precedence 3
filter System_Redirect-krb from any to any udp 88 copy-cpu precedence 4
filter System_Redirect-krb-tcp from any to an
Showing User-Role
To display a single user-role name or all user-role names on the device, use the show user-role command.
show user-role [user_role_name | all]
Syntax Description
user_role_name  Displays a specific user role.
all  Displays all configured user roles.
chapter 8 Visualization
In this chapter:
■ About Visualization
■ Configuring Visualization
Chapter 8: Visualization
About Visualization
The visualization component of SafeGuard OS allows you to collect information about users, applications, and how those users and applications impact your network. This component serves as the conduit between the other SafeGuard OS components and the Alcatel-Lucent OmniVista SafeGuard Manager Command Center. OmniVista SafeGuard Manager is a central management system that displays this information through a GUI.
Application Control
To help solve application problems, network visualization evaluates communication flows and packets in depth to pinpoint the application being used. Network visualization automatically discovers and records the user and application identities in real time without changing how users interact with systems and applications. It reports this information to OmniVista SafeGuard Manager, which offers a simple and accurate method of audit and control.
■ Layer 7 Event Table
Configuring Visualization
For the most part, you do not need to explicitly configure visualization in order to see data in OmniVista SafeGuard Manager. SafeGuard OS does, however, provide some options for how you push information to OmniVista SafeGuard Manager. To keep changes to the configuration after a reboot, save the running configuration to the startup configuration using the write memory command.
The first time you change the interval setting, the interval update takes longer because the timer completes the existing interval before starting the new interval timer. To change the update interval, use the mgmt-server update-interval command in Global Configuration mode.
mgmt-server update-interval seconds
Syntax Description
seconds  The time (in seconds) between updates to OmniVista SafeGuard Manager. Valid entries are from 15 to 120 seconds. The default is 30 seconds.
(SafeGuardOS) # show mgmt-server max-server
Maximum 3 simultaneous management servers are supported.
(SafeGuardOS) #
Showing the Update Interval
Use the show mgmt-server update-interval command to display the interval at which the SafeGuard device sends refreshed information to OmniVista SafeGuard Manager.
show mgmt-server update-interval
The command does not have any options or parameters.
chapter 9 End Point Validation
In this chapter:
■ Determining the Posture of a Host
■ Configuring EPV
■ Enabling EPV
■ Optional EPV Configuration
■ Displaying and Clearing the EPV Posture State
Chapter 9: End Point Validation
Determining the Posture of a Host
This chapter describes the concepts and procedures for configuring End Point Validation (EPV). The EPV component enforces a corporation's or entity’s end point security compliance rules. When a user’s system is current and in compliance with your corporate or enterprise security philosophy, it is said to be in good posture.
3 Once a user has authenticated on a host, the EPV sequence can either be triggered or bypassed, depending on the policies that apply to the IP interfaces on that host. The bypass policy defines the IP-enabled devices that are known by IP address, IP mask, MAC address, or MAC mask and do not require EPV scanning. Examples of items that might not require scanning and could be put on the bypass policy are:
— A specific role, such as a guest role.
C If the scan agent determines that the end point is in compliance with the corporate security policy, as defined on the ICS administration page, the end point is declared to be in good posture. It can also, optionally, present a web page to the user saying they have passed posture validation. If the user is not in compliance, they are presented with a results page that tells them which rules failed and how to remediate, and gives them the option to rescan.
the last two boxes (Require Integrity Secure Workspace and Require Advanced Anti-keylogger) because Alcatel-Lucent does not support these features. After being set in ICS, you should keep these settings in an optional backup file in NVRAM or on a TFTP server. This procedure is described in Backing Up and Restoring the ICS Gateway Configuration on page 355.
4 After the user receives notification of a healthy posture, they must keep the browser window open.
■ Creating Global Bypass Policies
■ Configuring a Trigger Policy
Creating Global Bypass Policies
Use a global bypass policy to define users that are not required to have their virus and system software checked on a regular basis. Global bypass policies are useful for filtering users with specific roles that do not require posture checking. Also use the global bypass policy to allow LDAP access for passive authentication.
source  Specifies the source endpoint of the traffic.
destination
protocol
In addition to the standard L2-L4 policy rules, EPV bypass filters can be configured based on the assigned user role. This may be useful, for example, if a group of guest users authenticate via captive-portal but should not be scanned.
2 Add a description of the policy, using the description keyword. This step is optional, but is recommended. Strings are entered in double quotation marks. For example:
(SafeGuardOS) (config) #policy epv trigger
(SafeGuardOS) (policy-epv) #description “This is our standard trigger policy for EPV.”
(SafeGuardOS) (policy-epv) #
3 Define a filter for each rule and an action to execute.
destination  Specifies the destination endpoint of the traffic. It can be any of the following:
■ any – Wildcard, which matches all destinations.
■ host – IP address of the host
■ network – IP address of the subnet
■ network-zone – IP address, network address, or address range
■ range – IP address range
■ NOT – Negates the from criteria, except for ‘any’
protocol  Matches the IP protocol of the traffic.
action  Specifies the action to be taken if the traffic matches the preceding patterns. The preferred options are to redirect to the CPU or to permit the packet. Action can be any of the following:
■ deny – drop the packet
■ permit – allows the packet without further evaluation
■ redirect-CPU – redirect the packet to the CPU
Note: The deny action can cause heavy network traffic, so use with caution.
To set EPV to the enabled state, use the following command:
epv enable
EPV trigger and bypass policies do not take effect when EPV is disabled. Use the no version of the Global Configuration command to disable EPV.
(SafeGuardOS) # configure terminal
(SafeGuardOS) (config) #epv admin add user icsadmin2 password Alcatel-Lucent
(SafeGuardOS) (config) #
Modifying ICS Administrator Passwords
To modify the password of an existing ICS admin user, use the following command in Global Configuration mode:
epv admin modify user uname password pwd
Syntax Description
uname  Specifies the name of the ICS administrator to modify.
pwd  Specifies the new password.
■ Restoring the Policy Backup File
■ Restoring the Policy Default Configuration File
Saving (Copying) ICS Policy and Rules Settings
To save the policy and rules settings in an optional backup file, use the following Privileged Exec command:
copy nvram:ics-policy [[tftp://ipaddr/filename]| [nvram:ics-policybackup]]
Syntax Description
ipaddr  Specifies that the configuration is saved to the root directory of a TFTP server at this IP address.
Restoring the Policy Default Configuration File
To restore the policy file to the factory default settings, use the following command in Privileged Exec mode:
copy nvram:ics-policy-default nvram:ics-policy
This command has no options or parameters.
Backing Up and Restoring the ICS Gateway Configuration
Alcatel-Lucent recommends backing up the ICS gateway configuration, also called the portal configuration.
The following example saves the new portal configuration to NVRAM:
(SafeGuardOS) # copy nvram:ics-portal nvram:ics-portal-backup
(SafeGuardOS) #
Restoring the Portal Backup File
If you created a backup portal file, you can restore the configuration using the portal.xml as the restore file.
(SafeGuardOS) #configure terminal
(SafeGuardOS)(config) #epv ics-config admin-info “For assistance with your software problem, contact the help desk at 4-HELP (4-4357).”
(SafeGuardOS)(config) #
Displaying and Clearing the EPV Posture State
There are Privileged Exec show commands to display EPV and EPV-policy related configurations:
Command  Use
show epv  Displays the EPV configuration of a host.
show policy epv  Displays the EPV configuration of a host.
This example shows all of the hosts in the posture database:
(SafeGuardOS) #show epv all
Contents of Host posture database
---------------------------------
Number of Rows:3
Host IP        Host MAC           Host Posture  Last Scan Started  Last Scan Finished
--------------------------------------------------------------
10.25.0.3      00:0e:0c:80:1a:dc  unknown       NEVER              NEVER
192.168.0.102  00:11:43:4e:78:07  unknown       NEVER              NEVER
192.168.0.
Example 1: The example below shows the summary view of the user table. In the state column (header SATE) the E field indicates the current EPV state. Note that IP 172.16.145.2 (user echua) is healthy, IP 172.16.145.5 (user alice) has not even attempted an EPV scan, and IP 172.16.145.126 (user bob) is unknown:
(CS107) #show aaa users
Port  IP               User
----  ---------------  ----------------
0/20  172.16.145.2     echua
0/20  172.16.145.5     alice
0/20  172.16.145.
(SafeGuardOS) (config) #no epv refresh-window
Showing the EPV Configuration
The current configuration of the EPV feature can be displayed by using the show epv configuration command. This command has the following syntax:
show epv configuration
Following is an example of this command:
(BOX101) #show epv configuration
Enabled........................................ FALSE
Use Refresh Window............................. TRUE
Rescan Interval................................
chapter 10 Detecting and Isolating Malware Security Threats
In this chapter:
■ Detecting and Quarantining Malware
■ Configuring Malware Detection
■ Configuring a Malware White-list
■ Configuring Mirroring
■ Displaying Malware Configurations
■ Downloading Malware Definition Files
■ Clearing Malware Configurations
Chapter 10: Detecting and Isolating Malware Security Threats
Detecting and Quarantining Malware
The term malware is derived from malicious software, which is any program or file that is harmful to a computer system. Common types of malware include computer viruses, worms, Trojan horses, and spyware. SafeGuard OS stops malware from propagating past the edge switch. Not only can the system detect malware, but it can stop an attack before network resources are impacted.
The system uses the following malware algorithms:
■ High Connection Attempts Rate (HCAR) to detect fast worms
■ High Connection Attempts Failures (HCAF) to detect blind worms
■ HCARHCAF combination to detect fast and blind worms
After malware is detected on the host or host application, the system reports the event to the policy component for enforcement action.
Configuring Malware Controls
The enforcement action the system takes when malware is detected on a host or host application is controlled by the malware action command. Use this Global Configuration command to block or unblock traffic.
malware action [none] [block [host | hostapp]]
Syntax Description
host  Blocks the host traffic by IP address.
hostapp  Attempts to block the host application based on the type of service observed on the host.
denied, the traffic is quarantined and malware remediation policies are used to determine where the user is sent to resolve the problem. When traffic is denied, the malware configuration determines whether the application or the host is to be blocked. If a malware remediation policy is configured, it is applied to punch a hole in the firewall for the specified traffic.
(SafeGuardOS) (config) #policy malware blaster_policy
(SafeGuardOS) (policy-malware) #description Blaster worm policy
(SafeGuardOS) (policy-malware) #
Configuring the Rules
For each rule, define a filter, an action to execute, and the precedence. The overall syntax of a policy filter is:
filter name from source to destination protocol action precedence number
Syntax Description
name  Name of the malware filter.
precedence number  Each policy filter has an associated precedence, which sorts the filters within the policy. Precedences have a valid range of 1 (highest) to 65535 (lowest). If a precedence number is not supplied, the system assigns one. For an overview of precedence numbers and auto-precedence, see Displaying Policy Configurations on page 327. In the following example, a rule or filter called “worm1” is created.
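As an added example that is not part of this guide or of SafeGuard OS, the following Python parses filter statements written in the filter syntax above and evaluates a flow against them in precedence order, which shows why the order of entries decides the outcome in the IP-phone exception case described earlier. The policy text, the addresses and the auto-precedence rule (filters without an explicit precedence take the next numbers after the highest explicit one) are assumptions made for the example.

```python
"""Added example, not SafeGuard OS code: parse filter statements in the
policy filter syntax and evaluate a flow against them in precedence order
(1 is the highest precedence, so it is checked first)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy (all names and addresses are made up). The first
# filter is the single IP phone that is allowed; the last filter denies the
# rest of the phone subnet. Give block-phones a higher precedence (lower
# number) than allow-one-phone and the exception is lost.
SAMPLE_POLICY = """
policy user phone_policy
filter allow-one-phone from host 192.168.4.7 to any any permit precedence 5
filter block-ssh from any to any application-group agSshTelnetWinNY deny log precedence 20
filter block-phones from network 192.168.4.0 255.255.255.0 to any any deny log
"""

ENDPOINT = r"(?:any|host\s+\S+|network\s+\S+\s+\S+)"
FILTER_RE = re.compile(
    rf"^filter\s+(?P<name>\S+)\s+from\s+(?P<src>{ENDPOINT})\s+to\s+(?P<dst>{ENDPOINT})"
    r"\s+(?P<proto>any|tcp|udp|icmp|application-group\s+\S+)(?:\s+(?P<port>\d+))?"
    r"\s+(?P<action>deny|permit)(?P<log>\s+log)?(?:\s+precedence\s+(?P<prec>\d+))?\s*$"
)


@dataclass
class Filter:
    name: str
    src: str
    dst: str
    proto: str
    port: Optional[int]
    action: str
    log: bool
    precedence: Optional[int]


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: int
    app_group: Optional[str] = None  # L7 application group the flow was classified into


def parse_policy(text: str) -> list:
    """Parse the filter lines of one policy and return them sorted by precedence."""
    filters = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("filter"):
            continue  # the "policy user ..." header line
        m = FILTER_RE.match(line)
        if not m:
            raise ValueError(f"unparsed filter line: {line}")
        filters.append(Filter(
            name=m["name"], src=m["src"], dst=m["dst"], proto=m["proto"],
            port=int(m["port"]) if m["port"] else None, action=m["action"],
            log=m["log"] is not None,
            precedence=int(m["prec"]) if m["prec"] else None))
    # Auto-precedence (assumption for this example): filters without an explicit
    # precedence get the next numbers after the highest explicit one, in order.
    nxt = max((f.precedence for f in filters if f.precedence is not None), default=0) + 1
    for f in filters:
        if f.precedence is None:
            f.precedence = nxt
            nxt += 1
    return sorted(filters, key=lambda f: f.precedence)


def endpoint_matches(spec: str, ip: str) -> bool:
    """Match 'any', 'host A.B.C.D' or 'network A.B.C.D M.M.M.M' (dotted-quad mask)."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if parts[0] == "host":
        return addr == ipaddress.ip_address(parts[1])
    return addr in ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)


def proto_matches(f: Filter, flow: Flow) -> bool:
    p = f.proto.split()
    if p[0] == "any":
        return True
    if p[0] == "application-group":
        return flow.app_group == p[1]
    return flow.proto == p[0] and (f.port is None or f.port == flow.dst_port)


def evaluate(filters: list, flow: Flow) -> Optional[tuple]:
    """Return (filter name, action, log) of the first match in precedence order,
    or None when no filter in the policy matches."""
    for f in filters:
        if (endpoint_matches(f.src, flow.src_ip) and endpoint_matches(f.dst, flow.dst_ip)
                and proto_matches(f, flow)):
            return (f.name, f.action, f.log)
    return None


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for f in policy:
        print(f.precedence, f.name, f.action, "log" if f.log else "")
    print(evaluate(policy, Flow("192.168.4.7", "10.0.0.5", "udp", 5060)))  # the permitted phone
    print(evaluate(policy, Flow("192.168.4.9", "10.0.0.5", "udp", 5060)))  # every other phone
```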
Configuring DNS Server IP Addresses
Up to 3 DNS server IP addresses can be specified using the Privileged Exec command:
dns nameserver ipaddr1 ipaddr2 ipaddr3
Syntax Description
ipaddr  Specifies the IP address of a DNS server.
For example,
(SafeGuardOS) #dns nameserver 10.0.0.1 10.0.0.2 10.0.0.3
Also see Displaying DNS Information on page 371.
malware white-list [host ip_address | dos-destination ip_address]
Syntax Description
ip_address  IP address that overrides policy.
For example, the following command makes the user-host machine 10.0.10.7 exempt from malware detection.
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #malware white-list host 10.0.10.
Before configuring malware mirroring, configure policy-based mirroring as described in Configuring Policy-Based Mirroring on page 323. To enable malware mirroring, use the malware action mirror command in Global Configuration mode:
malware action mirror [disable | enable seconds]
Syntax Description
disable  Malware traffic is not mirrored.
enable  Malware traffic is mirrored for all ports for future events.
Command  Use
show malware detection  Displays whether malware detection is enabled or disabled.
show malware algorithm-info  Displays algorithm-related information for each malware event.
show malware event-info  Displays connection event-related information about each malware event.
show malware status  Displays the malware status of the host by IP address.
The following sample output is representative of the show policy malware command:
(SafeGuardOS) #show policy malware all
policy malware Allow-to-Remediation-Server
filter Allow-to-McAfee-Srv from any to host 172.16.0.
The following example is representative output from the show user-role command:
(SafeGuardOS) #show user-role unauthenticated
user-role unauthenticated
malware-policy Allow-to-Remediation-Server precedence 10
!
(SafeGuardOS) #show user-role authenticated
user-role authenticated
malware-policy Allow-to-Remediation-Server precedence 10
!
Displaying Malware Actions
To display the action the system takes for malware and the mirroring settings, use t
The following example is representative of sample output from the command; it shows the malware status of any hosts having a malware event:
(SafeGuardOS) # show malware status
Current Malware Status
----------------------
Number of Rows:2
Host IP        Host MAC           User ID  Last Event Time  Action  Event Count
-------        --------           -------  ---------------  ------  -----------
192.168.101.1  00:0c:29:d0:e8:49  2        Fri Mar 17 13:02:51.
show malware algorithm-info {ipaddress}
Syntax Description
ipaddress  (Optional) Displays additional malware and algorithm information for this specific IP address.
Table 29 Show Malware Algorithm-Info Output Fields (continued)
Field  Description
Algorithm  The algorithm detecting the event. Algorithm types are:
■ HCAR
■ HCAF
■ HCARHCAF
App Group  The type of application generating the event.
Time(msec)  The duration of the event in milliseconds.
Attempts  The number of times the malware attempted to contact a host during the event.
2  66.166.203.235  TCP  4322  445  66.166.141.177  65/Fri Mar 17 13:02:31.171 2006
3  192.168.101.1   TCP  4765  135  66.137.210.181  65/Fri Mar 17 13:02:50.622 2006
4  192.168.101.1   TCP  4322  445  66.166.141.177  65/Fri Mar 17 13:02:51.002 2006
Table 30 explains the output fields of the show malware event-info command.
Table 30 Show Malware Event-Info Output Fields
Field  Description
Event ID  A system-generated identifier for the event.
The following example is representative of sample output from the command for an IP scan event:
(SafeGuardOS) # show malware trace 66.166.203.235
Trace Information
-----------------
Number of Rows:8
Event Id  DstIP           Protocol  DstPort  SrcPort  Visits  Last Visited Time
--------  -----           --------  -------  -------  ------  -----------------
1         66.137.210.181  TCP       135      4765     1       Fri Mar 17 13:02:30.801 2006
1         66.211.161.
Table 31 Show Malware Trace Output Fields (continued)
Field  Description
Visits  The number of hits to this address.
Last Visited Time  The date and timestamp for the last visit.
SECURITY: To see the full extent of the event, use Alcatel-Lucent OmniVista SafeGuard Manager.
Displaying the Contents of the Malware White-List
To display the contents of the malware white-list, use the show malware white-list command.
copy tftp://ip/{filepath/}file [malware-app-categories | malware-profile]
Syntax Description
ip  Specifies the IP address of the TFTP server.
filepath  (Optional) Specifies the directory path to the file.
file  Specifies the filename of the key file.
malware-app-categories  Copies the app categorization definition file.
malware-profile  Copies the malware profile definition file.
For example, the following command clears the malware state for IP address 10.0.10.2.
(SafeGuardOS) #clear malware ip-address 10.0.10.2
NOTE: After clearing a host, it might take a few seconds before the show commands reflect the change in state.
chapter 11 Troubleshooting
In this chapter:
■ Logging Overview
■ Setting Logging Levels
■ Setting Logging Hosts
■ Terminal Monitor
■ Enabling and Disabling the Logging of Commands
■ Clearing the Logs
■ Clearing the Alarm LED
■ Displaying the Logging Level
■ Displaying Log Information
■ Logging Display Options
Chapter 11: Troubleshooting
This chapter describes the commands used for configuring logging.
Logging Overview
Two types of log messages exist in the SafeGuard device: trace messages and syslog messages.
■ Trace messages provide developers with debugging information for the product in the field. This information is primarily used by the system engineers and TAC to diagnose problems.
■ Syslog messages inform the user of normal operational events.
Currently supported components are shown in the table that follows:
Table 33 System Components and Descriptions
Component  Description
AUTH  Covers events generated by network login/logout, passive authentication, etc.
ALL  All components.
AUTH  Passive/active authentication.
CFGM  Device configuration processing including cross-process configuration.
CLI  CLI processing including configuration files, user actions, etc.
EPV  End Point Validation operations.
Setting Logging Levels
To configure trace and syslog levels for every component by each log destination, use the logging command. Note the presence of a special component, all. If all is specified, then all components are configured. By default, each component is configured so that syslog messages of INFO or greater are sent to the local system buffer.
logging host ip port

Syntax Description
ip     IP address of the host.
port   UDP port number of the syslog daemon on the receiver host. Must be between 1 and 65535.

For example, to configure all components to log syslog messages at INFO and higher to the server 1.2.3.4, use the following commands:

(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #logging host 1.2.3.
Enabling and Disabling the Logging of Commands

To enable the logging of commands, use the logging commands log-level command. The SafeGuard device can log all commands typed at the CLI by any user. These commands are logged at a user-specified syslog level. Use the following syntax for the logging commands log-level Global Configuration command:

logging commands log-level level

Syntax Description
level   Severity level as defined in the table of severity levels.
Displaying the Logging Level

To display the currently configured trace and syslog levels, use the show logging configuration command in Privileged Exec mode.

show logging configuration

The command has no parameters or variables.
Displaying Log Information

Trace and syslog messages are buffered in two separate files: syslog messages are contained in the logfile and trace messages are contained in the trace file. To display the contents of either file, use the show logging command in Privileged Exec mode.

show logging [logfile | tracefile | all] [[-]#lines | match | reverse]

Syntax Description
logfile   Displays the log file for syslog information.
May 12 2006 16:32:53 TRACE [286] %%TAUTH-INFO auth event - map (1210852) 20:1 00:11:11:79:be:ca-172.16.3.75 (mapped) filtered
May 12 2006 16:33:01 TRACE [369] %%TAUTH-DEBU auth client - map event 18:1 00:13:20:04:07:b0-172.16.3.169 (mapped)
May 12 2006 16:33:01 TRACE [286] %%TAUTH-INFO auth event - map (1210853) 18:1 00:13:20:04:07:b0-172.16.3.169 (mapped) filtered
May 12 2006 16:33:01 TRACE [369] %%TAUTH-DEBU auth client - map event 20:1 00:13:20:04:07:b0-172.16.3.
reverse   Process the command in reverse chronological order (last message first).

The following sample output displays the last five lines of the system log:

(SafeGuardOS) #show logging logfile -5
Total number of lines: 55
Nov 10 17:15:33 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: enable
Nov 10 17:15:37 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: show logging all
Nov 10 17:16:38 2006 switchdrvr: %%PFRM-EMER src=127.0.0.
Nov 10 17:15:37 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: show logging all
Nov 10 17:15:33 2006 switchdrvr: %%USRMGR-INFO src=127.0.0.1 suser=admin (0) Login attempt act=succeeded msg=console session
Nov 10 17:15:33 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: enable
Nov 10 17:15:31 2006 switchdrvr: %%USRMGR-INFO src=127.0.0.
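The two message formats shown in this chapter (syslog lines of the form "timestamp process: %%COMPONENT-SEV key=value ..." and trace lines of the form "timestamp TRACE [task] %%COMPONENT-SEV text"), the INFO-or-greater severity threshold, and the display options of show logging, as an added Python example that is not part of this guide or of SafeGuard OS. It parses lines once they have reached a syslog host, applies the same line-count, match and reverse options as the CLI (accepting them in combination, where the CLI syntax lists them as alternatives), and reconstructs the command audit trail that logging commands log-level produces. The sample buffers are constructed after the output above; the five severity abbreviations other than EMER, INFO and DEBU and the meaning of a positive line count are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard syslog severities, 0 = most severe. The guide shows the four-letter
# tags EMER, INFO and DEBU; the other five abbreviations are assumed.
SEVERITY = {"EMER": 0, "ALER": 1, "CRIT": 2, "ERRO": 3,
            "WARN": 4, "NOTI": 5, "INFO": 6, "DEBU": 7}

# Syslog entry: "Nov 10 17:15:33 2006 switchdrvr: %%PFRM-EMER key=value ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<proc>\S+): "
    r"%%(?P<comp>[A-Z0-9]+)-(?P<sev>[A-Z]{4}) (?P<body>.*)$")
# Trace entry: "May 12 2006 16:32:53 TRACE [286] %%TAUTH-INFO free text ..."
TRACE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) TRACE \[(?P<task>\d+)\] "
    r"%%(?P<comp>[A-Z0-9]+)-(?P<sev>[A-Z]{4}) (?P<body>.*)$")
# key=value pairs: a value runs to the next " key=" or end of line, so values
# containing spaces ("admin (0)", "cmd: show logging all") are kept whole.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample buffers modelled on the show logging output in this chapter.
SAMPLE_LOGFILE = [
    "Nov 10 17:15:33 2006 switchdrvr: %%USRMGR-INFO src=127.0.0.1 suser=admin (0) Login attempt act=succeeded msg=console session",
    "Nov 10 17:15:33 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: enable",
    "Nov 10 17:15:37 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: show logging all",
    "Nov 10 17:16:38 2006 switchdrvr: %%PFRM-EMER src=127.0.0.1 suser=admin (0) act=cmd: configure terminal",
    "Nov 10 17:16:40 2006 switchdrvr: %%CFGM-DEBU configuration session opened",
]
SAMPLE_TRACEFILE = [
    "May 12 2006 16:32:53 TRACE [286] %%TAUTH-INFO auth event - map (1210852) 20:1 00:11:11:79:be:ca-172.16.3.75 (mapped) filtered",
    "May 12 2006 16:33:01 TRACE [369] %%TAUTH-DEBU auth client - map event 18:1 00:13:20:04:07:b0-172.16.3.169 (mapped)",
]


@dataclass
class Entry:
    kind: str                       # "syslog" or "trace"
    timestamp: str
    component: str
    severity: str
    body: str
    task: Optional[str] = None      # trace task id, e.g. "286"
    fields: Dict[str, str] = field(default_factory=dict)

    def at_or_above(self, level: str) -> bool:
        """True when the entry is at least as severe as level ("INFO or greater")."""
        return SEVERITY[self.severity] <= SEVERITY[level]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one logfile or tracefile line; None for a line in neither format."""
    m = SYSLOG_RE.match(line)
    if m:
        body = m.group("body")
        return Entry("syslog", m.group("ts"), m.group("comp"), m.group("sev"),
                     body, fields=dict(KV_RE.findall(body)))
    m = TRACE_RE.match(line)
    if m:
        return Entry("trace", m.group("ts"), m.group("comp"), m.group("sev"),
                     m.group("body"), task=m.group("task"))
    return None


def entries_at_or_above(lines: List[str], level: str) -> List[Entry]:
    """Keep the parsed entries that pass a per-destination severity threshold."""
    return [e for e in map(parse_line, lines) if e is not None and e.at_or_above(level)]


def show_logging(lines: List[str], count: Optional[int] = None,
                 match: Optional[str] = None, reverse: bool = False) -> List[str]:
    """Display options of show logging: a negative count gives the last N lines
    (as in `show logging logfile -5`); a positive count is assumed to give the
    first N; match keeps lines containing the string; reverse emits newest first."""
    out = [l for l in lines if match is None or match in l]
    if count is not None:
        out = out[count:] if count < 0 else out[:count]
    if reverse:
        out.reverse()
    return out


def audit_commands(lines: List[str]) -> List[Tuple[str, str]]:
    """Recover (user, command) pairs from the act=cmd: records that command
    logging writes, i.e. the trail an auditor reviews after an incident."""
    trail = []
    for e in map(parse_line, lines):
        if e is not None and e.kind == "syslog" and e.fields.get("act", "").startswith("cmd: "):
            user = e.fields.get("suser", "").split(" ")[0]    # "admin (0)" -> "admin"
            trail.append((user, e.fields["act"][len("cmd: "):]))
    return trail


if __name__ == "__main__":
    for line in show_logging(SAMPLE_LOGFILE, count=-2, reverse=True):
        print(line)
    print("INFO or greater:", len(entries_at_or_above(SAMPLE_LOGFILE, "INFO")))
    print("commands typed:", audit_commands(SAMPLE_LOGFILE))
```

Free text that precedes a key (the "Login attempt" in the USRMGR line) is attached to the previous value by the key=value regex, so a consumer that keys on suser should take the first token, as audit_commands does.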
Appendix A Sample Output

In this appendix:
■ Show AAA Users Command
■ Show AAA Session-Tracking Mapping-Table Command
■ Show Running-Config Command
Show AAA Users Command

(SafeGuardOS) #show aaa users
User Table
----------
Number of Rows:7
Port  VLAN  MAC                IP Address       User Name  Role       Type    State    Last Update
----  ----  -----------------  ---------------  ---------  ---------  ------  -------  --------------------
0/20  0     00:12:f0:17:3b:0a  169.254.89.195   jlew       employees  radius  success  Wed Mar 1 18:05:53 2006
0/20  0     00:0a:95:a4:eb:c8  169.254.194.                                            1 17:21:52 2006
Show AAA Session-Tracking Mapping-Table Command

(SafeGuardOS) #show aaa session-tracking mapping-table
Current IP/MAC Mappings
-----------------------
Number of Rows:17
Port VLAN MAC IP Source Authed Idle Server Lease Time L3
---- ---- --- -- ------ ------ ---- ------ ------------
0/20 0
0/18 false 0 00:0d:56:38:bb:63 169.254.113.156 lsp true
0/20 false 0 00:0b:85:33:10:20 172.16.0.16 lsp false false 0.0.0.
0 00:11:43:1e:77:8d 172.16.1.37 2 true false 0.0.0.0 Mon May 1 13:05:25 2006
0/20 false 0 00:0f:1f:76:34:d1 172.16.1.98 2 true false 0.0.0.0 Mon May 1 12:05:25 2006
0/20 false 0 00:08:02:42:65:e3 172.16.1.103 lsp false false 0.0.0.0 Mon May 1 13:03:30 2006
0/18 false 0 00:0d:61:5f:55:17 172.16.1.115 2 true false 0.0.0.0 Mon May 1 13:05:25 2006
0/20 false 0 00:11:11:ea:90:06 172.16.1.122 2 false false 0.0.0.
0/20 false 0 00:14:22:4f:dd:e5 172.16.1.139 2 false false 0.0.0.0 Mon May 1 13:03:30 2006
0/18 false 0 00:11:11:ea:8f:ae 172.16.1.141 lsp false false 0.0.0.0 Mon May 1 13:05:25 2006
0/18 false 0 00:14:22:4f:63:d9 172.16.1.148 2 true false 0.0.0.
Show Running-Config Command

(SafeGuardOS) #show running-config
set prompt "OmniAccess 2400 SafeGuard"
!Current Configuration:
!
serviceport protocol none
serviceport ip 172.16.5.22 255.255.192.0 0.0.0.0
!System Description "OmniAccess 2400 SafeGuard"
!System Description SafeGuardOS-2.1.0.
snmptrap public 172.16.145.3
lineconfig serial timeout 1
exit
snmp-server community public
snmp-server community ipaddr 172.16.3.185 public
snmp-server community ipmask 255.255.192.0 public
snmp-server community private
snmp-server community ipaddr 172.16.145.3 private
snmp-server community ipmask 255.255.255.0 private
snmp-server community rw private
logging commands log-level INFO
logging host 172.16.145.
logging buffered component PLATFORM log-level INFO
logging buffered component POLICY log-level INFO
logging buffered component PORTMON log-level INFO
logging buffered component PROMAN log-level INFO
logging buffered component USERMGR log-level INFO
logging buffered component VIZ log-level INFO
logging syslog component AUTH log-level INFO
logging syslog component CLI log-level INFO
logging syslog component CFGM log-level INFO
logging syslog component EPV log-level INFO
logging syslog component HWMON log-leve
logging console component AUTH log-level INFO
logging console component CLI log-level INFO
logging console component CFGM log-level INFO
logging console component EPV log-level INFO
logging console component HWMON log-level INFO
logging console component HIGHAVAIL log-level INFO
logging console component ICC log-level INFO
logging console component IPC log-level INFO
logging console component LSP log-level INFO
logging console component MALWARE log-level INFO
lo
aaa captive-portal redirect-port 16978
aaa captive-portal hijack-port 80
aaa captive-portal use-popup
clock timezone PST -8
clock summer-time PDT recurring
interface 0/1
no shutdown
protection-mode monitor
exit
interface 0/2
no shutdown
protection-mode monitor
exit
interface 0/3
shutdown
protection-mode monitor
exit
aaa captive-portal redirect-location cp.Alcatel-Lucent.
interface 0/4
shutdown
protection-mode monitor
exit
interface 0/5
shutdown
protection-mode monitor
exit
interface 0/6
shutdown
protection-mode monitor
exit
interface 0/7
shutdown
protection-mode monitor
exit
interface 0/8
shutdown
protection-mode monitor
exit
interface 0/9
shutdown
protection-mode monitor
exit
interface 0/10
shutdown
protection-mode monitor
exit
interface 0/11
shutdown
protection-mode monitor
exit
interface 0/12
shutdown
protection-mode monitor
exit
interface 0/13
shutdown
protection-mode monitor
exit
interface 0/14
shutdown
protection-mode monitor
exit
interface 0/15
shutdown
protection-mode monitor
exit
interface 0/16
shutdown
protection-mode monitor
exit
interface 0/17
shutdown
protection-mode monitor
exit
interface 0/18
shutdown
protection-mode monitor
exit
interface 0/19
shutdown
protection-mode monitor
exit
interface 0/20
shutdown
protection-mode monitor
exit
interface 0/21
shutdown
protection-mode pass-thru
exit
interface 0/22
shutdown
protection-mode pass-thru
exit
interface 0/23
shutdown
protection-mode pass-thru
exit
interface 0/24
shutdown
protection-mode pass-thru
exit
application-group IM
application AOLIM
application ICHAT
application IRC
application IRCS
application IRCU
application MSNIM
application NET2PHONE
application YAHOOIM
application-group NetworkConnectivity
application CIFS
application FTP
application NFS
application SSH
application TELNET
!
application-group Web
application ALT-HTTP
application HTTP
application HTTPS
!
user-role "authenticated"
!
user-role "unauthenticated"
!
aaa session-tracking trusted-server default-action protocol dhcp action permit
aaa session-tracking trusted-server default-action protocol proto action permit
aaa session-tracking trusted-server defau
ha heartbeat-loss-threshold 10
ha heartbeat-interval 1
!
(SafeGuardOS) #
Index Numerics 802.1x . . . 261 displaying configurations . . . 267 A AAA see authentication accessing SafeGuard devices . . . 28 action statement in rule map . . . 291 actions EPV . . . 351 malware policies . . . 366 user policies . . . 319 active authentication . . . 202, 203 Active Directory attributes . . . 277, 284 configuring servers . . . 255 displaying configurations . . . 256 administrator access . . . 40 alarm LED . . . 388 AND logical operator attribute rule . . . 239 extended white list . . .
boot loader migration . . . 119 update procedure . . . 117 BOOTP relay . . . 194 BOOTP, on management port . . . 46 browser requirements for EPV . . . 345 bypass policy creating . . . 346 defined . . . 343 C D date, setting . . . 51 daylight savings time . . . 53 deep packet inspection . . . 298 default system policies . . . 325 VLAN . . . 60 department lists . . . 43 deployment model standard, typical . . . 23 Captive Portal . . . 220 collecting RADIUS attributes . . .
running configuration . . . 114 SNTP server information . . . 55 startup configuration . . . 115 system information . . . 60 trusted server . . . 206 user sessions . . . 260 VLAN configurations . . . 145 forwarding database . . . 152 forwarding-mode . . . 98 G gateway, setting . . . 47 global bypass policy of EPV . . . 346 downloading certificates . . . 227 grey list (authentication) . . . 250 dual-stage boot loader defined . . . 117 upgrading . . . 117 group membership interval time . . .
K N key loggers . . . 342 name, setting for SNMP . . . 69, 70 L naming policies . . . 315 Layer 7 policies . . . 307 LDAP servers . . . 255 LEDs . . . 47, 388 limiting access to servers . . . 205 local authentication . . . 43 local authentication database . . . 259 logging . . . 386 netmask, setting . . . 47 network side ports . . . 216, 299 network zone configuring . . . 308 defined . . . 302 examples . . . 309, 321 removing . . . 309 notation supported for text strings . . .
system generated . . . 325 system white-black list . . . 302 white-black list . . . 333 workflow . . . 301 posture, defined . . . 342 precedence extended white list . . . 247 for policy . . . 300 users from database . . . 259 white list entries . . . 236 removing a role . . . 321 removing data from memory . . . 123 resetting SafeGuard devices . . . 117 resetting the device . . . 79 response time, ARP . . . 187 primary image . . . 116 restoring certificates . . . 228 primary system image . . .
S security compliance . . . 342 startup configuration defined . . . 110 displaying . . . 115 erasing . . . 114 saving changes from running . . . 110 saving to backup . . . 111 saving to external storage . . . 112 serial port connections . . . 29, 65 static ARP entries . . . 185 server access . . . 205 static connections to multicast router . . . 171 servers, trusted . . . 205, 206 static routing . . . 191 service packs . . . 342 summer clock setting . . . 53 service port . . .
U unauthenticated role . . . 306 update boot loader . . . 117 upgrading boot image . . . 117 upgrading system images . . . 115 user policy see policy user role see role user sessions . . . 219, 260 V version, displaying . . . 61 Virtual LANs. See VLANs virus definition files . . . 342 Visualization Layer 7 policies . . . 307 specifying user policies to OmniVista SafeGuard Manager . . . 319 VLANs . . . 130 displaying configurations . . . 145 Fast-Leave, IGMP Snooping . . .
Command Index A arp timeout 170 aaa attribute-rule 217, 224 aaa captive-portal 204 aaa captive-portal hijack-port 202 aaa captive-portal https-login 205 aaa captive-portal redirect-location 203 aaa captive-portal redirect-port 203 aaa captive-portal refresh-interval 204 aaa dot1x initialize 252 aaa dot1x max-req 253 aaa dot1x port-control 245 aaa dot1x port-control all 244 aaa dot1x re-authenticate 252 aaa dot1x re-authentication 253 aaa dot1x system-auth-control 244 aaa dot1x timeout 254 aaa extended whi
copy nvram ics-portal 331 copy nvram ics-portal-default nvram ics-portal 332 copy system diag-info tftp 20, 21 running-config 93 startup-config 94 copy tftp 98 copy tftp (malware) 355 copy tftp bootrom 100 copy tftp image-bootrom 101 copy tftp nvram captive-portal 209 copy tftp nvram sslpem-dhstrong 207 copy tftp nvram sslpem-dhweak 207 copy tftp nvram sslpem-root 206 copy tftp nvram sslpem-server 206 copy tftp radius-dictionary 274 copy tftp running 95 copy tftp sshkey 14, 355 copy tftp star
monitor policy-based destination m1 301 monitor session 75 N network 286 network mac-address 49 network mac-type 49 network mgmt_vlan 50 network protocol 50 network-zone 285 no aa user 237 no aaa captive-portal 204 no aaa captive-portal hijack-port 202 no aaa captive-portal https-login 205 no aaa dot1x max-req 253 no aaa dot1x port-control 245 no aaa dot1x port-control all 244 no aaa dot1x re-authentication 253 no aaa dot1x system-auth-control 244 no aaa dot1x timeout 254 no aaa extended whi
no vlan 126 no vlan acceptframe 120 no vlan association 125, 126 no vlan ingressfilter 121 no vlan name 117 no vlan port ingressfilter all 120 no vlan protocol group 123 no vlan protocol group add protocol 123 O operation (application filter) 289, 291 operator (attribute rule) 218 operator (extended white-list) 225 operator (rule map) 258 P paging 19 parent 297 ping 42 policy debug 301 policy epv bypass 322 policy epv trigger 324 policy malware 341 policy name-resolution interval 344 policy
show ip route 175 show ip ssh 17, 21 show logging 363, 364 show logging configuration 362 show lsp recovery-mode 89 show mac fdb-table 134 show mac multicast-table igmpsnooping 157 show malware action 349 show malware algorithm-info 350 show malware detection 349 show malware event-info 352 show malware status 349 show malware trace 353 show malware white-list 354 show mgmt-server connection-info 316 show mgmt-server max-server 315 show mgmt-server update-interval 316 show monitor policy-base
V vlan 116 vlan acceptframe 119 vlan association 124, 126 vlan database 115 vlan ingressfilter 121 vlan name 117 vlan participation 118 vlan participation all 122 vlan port ingressfilter all 120 vlan protocol group 122 vlan protocol group add protocol 123 vlan pvid 118 W write erase 96, 274 write memory 92, 314 write terminal 97