ExtremeWare XOS 10.1 Command Reference Guide 325
9 Security Commands
This chapter describes:
• Commands for creating and configuring policies
• Commands for creating and configuring IP access lists
• Commands for creating and configuring route maps
• Commands related to switch user authentication through a RADIUS client
• Commands related to switch user authentication through TACACS+
Policies are a generalized category of features that impact forwarding and route forwarding decisions.
Access policies are used primarily for security and quality of service (QoS) purposes.
IP access lists (also referred to as Access Lists or ACLs) consist of IP access rules and are used to perform
packet filtering and forwarding decisions on incoming traffic. Each packet arriving on an ingress port is
compared to the access list in sequential order and is either forwarded to a specified QoS profile or
dropped. Using access lists has no impact on switch performance.
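The sequential first-match evaluation described above, as an added illustration that is not part of the original guide and does not use the XOS policy-file syntax: a hypothetical rule model with source/destination prefix, protocol and destination port, a lookup that returns the first matching rule's action (a QoS profile name or "deny"), and an ordering check that reports rules an earlier, broader rule makes unreachable. The no-match result (forwarding to a default profile) is an assumption of the example; the text above does not state it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule model (assumed for this example, not the XOS syntax).
@dataclass
class Rule:
    name: str
    src: str                      # source prefix, e.g. "10.1.0.0/16"
    dst: str                      # destination prefix
    proto: Optional[str] = None   # "tcp"/"udp"/"icmp"; None = any
    dport: Optional[int] = None   # destination port; None = any
    action: str = "deny"          # "deny" or a QoS profile name such as "qp2"

def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.proto in (None, pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def evaluate(acl: list, pkt: dict, default: str = "qp1") -> tuple:
    """Sequential first-match lookup; returns (rule name, action).
    Forwarding to `default` when nothing matches is an assumption here."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "no-match", default

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in (None, b.proto)
            and a.dport in (None, b.dport))

def shadowed_rules(acl: list) -> list:
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [b.name for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]

# Constructed sample ACL: "mgmt-ssh" is unreachable because "block-guest" precedes it.
ACL = [
    Rule("web-to-dmz", "10.1.0.0/16", "192.0.2.10/32", "tcp", 80, "qp2"),
    Rule("block-guest", "10.1.5.0/24", "0.0.0.0/0"),
    Rule("mgmt-ssh", "10.1.5.0/24", "192.0.2.1/32", "tcp", 22, "qp3"),
]

if __name__ == "__main__":
    print(evaluate(ACL, {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}))
    print(evaluate(ACL, {"src": "10.1.5.7", "dst": "192.0.2.1", "proto": "tcp", "dport": 22}))
    print(shadowed_rules(ACL))
```

Because the first matching rule wins, a broad deny placed ahead of a narrower permit silently disables the permit; the shadow check is the kind of review worth running before a list is applied.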
Access lists are typically applied to traffic that crosses layer 3 router boundaries, but it is possible to use
access lists within a layer 2 VLAN. Extreme products are capable of performing this function with no
additional configuration.
Routing access policies are used to control the advertisement or recognition of routing protocols, such as
RIP, OSPF, or BGP. Routing access policies can be used to ‘hide’ entire networks or to trust only specific
sources for routes or ranges of routes. The capabilities of routing access policies are specific to the type
of routing protocol involved, but are sometimes more efficient and easier to implement than access lists.
User Authentication
Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and
centrally administering access to network nodes. The ExtremeWare XOS RADIUS client
implementation allows authentication for Telnet or console access to the switch.
Extreme switches are also capable of sending RADIUS accounting information. You can configure
RADIUS accounting servers to be the same as the authentication servers, but this is not required.
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing
authentication, authorization, and accounting on a centralized server, similar in function to the RADIUS
client. The ExtremeWare XOS version of TACACS+ is used to authenticate prospective users who are