- Allied Telesis, Inc Switch Specification Manual
Managing the device securely
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 10
Using SSL for secure web access
The web-based GUI is a convenient way to configure the switch,
but it is unencrypted by default. SSL lets you use the GUI
securely, by using HTTPS instead of HTTP.
Configuration
1. Add a security officer to your switch’s list of users.
2. Create an encryption key for SSL to use.
3. Create a self-signed PKI certificate, or load a certificate
generated by a Certificate Authority (CA) if you have
one.
4. Add the certificate to the certificate database.
5. Turn security on for the HTTP server.
6. Enable system security.
Once you have configured SSL, HTTPS connections to the device are available only on
port 443.
Example
To allow the security officer called “secoff” to browse securely to the GUI, using a self-signed
certificate:
add user=secoff password=secoff privilege=securityofficer login=yes
create enco key=0 type=rsa length=1024
set system distinguishedname="cn=switch1,o=my_company,c=us"
create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=172.30.1.105,o=my_company,c=us"
add pki certificate=cer_name location=cer_name.cer trust=yes
set http server security=on sslkey=0 port=443
enable system security
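An offline check of a command list against the six configuration steps above, added here as an example (it is not Allied Telesis code). The function names, the parsing approach and the 2048-bit RSA threshold are assumptions; the sample input is the page's own example, on which the check reports the password matching the user name and the 1024-bit key.

```python
import shlex

MIN_RSA_BITS = 2048  # assumed local policy threshold, not a value from the page
# The page's own example, with wrapped commands rejoined onto one line each.
PAGE_EXAMPLE = """\
add user=secoff password=secoff privilege=securityofficer login=yes
create enco key=0 type=rsa length=1024
set system distinguishedname="cn=switch1,o=my_company,c=us"
create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=172.30.1.105,o=my_company,c=us"
add pki certificate=cer_name location=cer_name.cer trust=yes
set http server security=on sslkey=0 port=443
enable system security
"""

def parse(config):
    """Yield (keywords, params) per command, e.g. (("create", "enco"), {"key": "0"})."""
    for tokens in map(shlex.split, config.splitlines()):
        words = tuple(t.lower() for t in tokens if "=" not in t)
        params = {k.lower(): v for k, _, v in (t.partition("=") for t in tokens if "=" in t)}
        yield words, params

def audit(config):
    """Check a command list against the six steps; return a list of findings."""
    cmds, out = list(parse(config)), []
    def find(*words):
        return [p for w, p in cmds if w == words]
    def flag(bad, msg):
        if bad:
            out.append(msg)
    officers = [p for p in find("add") if p.get("privilege", "").lower() == "securityofficer"]
    flag(not officers, "step 1: no security officer user")
    for p in officers:
        flag(p.get("user") and p["user"].lower() == p.get("password", "").lower(),
             f"step 1: password of {p.get('user')} equals the user name")
    keys = {p.get("key"): p for p in find("create", "enco")}
    http = [p for p in find("set", "http", "server") if p.get("security", "").lower() == "on"]
    flag(not http, "step 5: HTTP server security is not on")
    for p in http:
        key = keys.get(p.get("sslkey"), {})
        flag(not key, f"step 2: sslkey={p.get('sslkey')} matches no 'create enco' key")
        bits = key.get("length", "")
        flag(key.get("type", "").lower() == "rsa" and bits.isdigit() and int(bits) < MIN_RSA_BITS,
             f"step 2: RSA key {p.get('sslkey')} is {bits} bits, below {MIN_RSA_BITS}")
    added = {p.get("certificate") for p in find("add", "pki")}
    flag(not added, "step 4: no certificate added to the certificate database")
    for p in find("create", "pki"):
        flag(p.get("keypair") not in keys, f"step 3: keypair={p.get('keypair')} matches no 'create enco' key")
    flag(not find("enable", "system", "security"), "step 6: system security is not enabled")
    return out
```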
Using SNMPv3
Traditionally, SNMP has been a popular but insecure way to
monitor networks.
Allied Telesis devices are SNMPv3 compliant. By using
SNMPv3, you can authenticate SNMP users and restrict
their access to parts of the network. SNMPv3 is
very flexible, as the examples in this section show.
Configuration
1. Enable SNMP.
2. Set up one or more SNMP views. Views list the objects in the MIB that users can see.
3. Set up one or more groups and add the groups to the views. Each group is a collection of
users who have the same access rights.
4. Set up one or more users and add them to the groups. Authentication parameters are set
here.
5. Set up a traphost profile as the remote destination for trap messages. This is not
compulsory but we recommend it.
Products and software versions for "Using SSL for secure web access"
Products: All switches listed on page 2, except AT-8948 and x900-48 Series, which have no graphical user interface
Software Versions: All
Products and software versions for "Using SNMPv3"
Products: All switches listed on page 2
Software Versions: 2.6.4 and later