Policies and Security PDF

803 Pages·2014·13.01 MB·English

Policies and Security
ExtremeXOS 15.5 User Guide
120936-00 Rev. 2
Published June 2014
Copyright © 2011–2014 All rights reserved.

Legal Notice
Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/company/legal/trademarks/

Support
For product support, including documentation, visit: www.extremenetworks.com/support/
For information, contact:
Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
USA

Table of Contents

Preface ..... 13
  Conventions ..... 13
  Related Publications ..... 14
  Providing Feedback to Us ..... 15
  Navigating the ExtremeXOS User Guide ..... 16
Chapter 1: Policy Manager ..... 17
  Policy Manager and Policies Overview ..... 17
  Creating and Editing Policies ..... 17
  Applying Policies ..... 20
Chapter 2: QoS ..... 22
  Applications and Types of QoS ..... 24
  Traffic Groups ..... 25
  Introduction to Rate Limiting, Rate Shaping, and Scheduling ..... 30
  Introduction to WRED ..... 32
  Meters ..... 34
  QoS Profiles ..... 35
  Multicast Traffic Queues ..... 37
  Egress Port Rate Limiting and Rate Shaping ..... 37
  Configuring QoS ..... 38
  Displaying QoS Configuration and Performance ..... 50
Chapter 3: Security ..... 53
  Security Features Overview ..... 53
  Safe Defaults Mode ..... 55
  MAC Security ..... 55
  DHCP Server ..... 63
  IP Security ..... 65
  Denial of Service Protection ..... 80
  Authenticating Management Sessions through the Local Database ..... 83
  Authenticating Management Sessions Through a TACACS+ Server ..... 84
  Authenticating Management Sessions Through a RADIUS Server ..... 89
  Authenticating Network Login Users Through a RADIUS Server ..... 91
  Configuring the RADIUS Client ..... 92
  RADIUS Server Configuration Guidelines ..... 95
  Configuring a Windows 7/Windows 8 Supplicant for 802.1X Authentication ..... 117
  Hypertext Transfer Protocol ..... 117
  Secure Shell 2 ..... 118
  Secure Socket Layer ..... 126
Chapter 4: Network Login ..... 130
  Network Login Overview ..... 130
  Configuring Network Login ..... 139
  Authenticating Users ..... 141
  Local Database Authentication ..... 142
  802.1X Authentication ..... 146
  Web-Based Authentication ..... 156
  MAC-Based Authentication ..... 164
Policies and Security 3 Table of Contents
  Additional Network Login Configuration Details ..... 168
Chapter 5: ACLs ..... 178
  ACLs Overview ..... 178
  ACL Rule Syntax ..... 179
  Layer-2 Protocol Tunneling ACLs ..... 194
  ACL Byte Counters ..... 195
  Dynamic ACLs ..... 196
  CVID ACL Match Criteria ..... 208
  ACL Evaluation Precedence ..... 210
  Applying ACL Policy Files ..... 212
  ACL Mechanisms ..... 216
  Policy-Based Routing ..... 236
  ACL Troubleshooting ..... 243
Chapter 6: CLEAR-Flow ..... 245
  CLEAR-Flow Overview ..... 245
  Configuring CLEAR-Flow ..... 246
  Displaying CLEAR-Flow Configuration and Activity ..... 246
  Adding CLEAR-Flow Rules to ACLs ..... 246
  CLEAR-Flow Rule Examples ..... 260
Chapter 7: Identity Management ..... 264
  Identity Management Overview ..... 264
  Identity Management Feature Limitations ..... 284
  Configuring Identity Management ..... 284
  Managing the Identity Management Feature ..... 291
  Displaying Identity Management Information ..... 292
Chapter 8: Universal Port ..... 294
  Profile Types ..... 295
  Dynamic Profile Trigger Types ..... 297
  How Device-detect Profiles Work ..... 300
  How User Authentication Profiles Work ..... 301
  Profile Configuration Guidelines ..... 302
  Collecting Information from Supplicants ..... 307
  Supplicant Configuration Parameters ..... 309
  Universal Port Configuration Overview ..... 309
  Using Universal Port in an LDAP or Active Directory Environment ..... 311
  Configuring Universal Port Profiles and Triggers ..... 311
  Managing Profiles and Triggers ..... 314
  Sample Universal Port Configurations ..... 317
Chapter 9: Policies and Security Commands ..... 343
  check policy attribute ..... 352
  check policy ..... 354
  clear access-list counter ..... 355
  clear access-list meter ..... 356
  clear counters identity-management ..... 357
  clear counters wred ..... 358
  clear ip-security anomaly-protection notify cache ..... 359
  clear ip-security arp validation violations ..... 360
  clear ip-security dhcp-snooping entries ..... 360
  clear ip-security source-ip-lockdown entries ports ..... 361
  clear netlogin state mac-address ..... 362
  clear netlogin state ..... 362
  clear vlan dhcp-address-allocation ..... 363
  configure access-list add ..... 364
  configure access-list delete ..... 366
  configure access-list network-zone ..... 367
  configure access-list rule-compression port-counters ..... 369
  configure access-list vlan-acl-precedence ..... 370
  configure access-list width ..... 371
  configure access-list zone ..... 372
  configure access-list ..... 373
  configure diffserv examination code-point qosprofile ..... 375
  configure diffserv replacement code-point ..... 376
  configure dos-protect acl-expire ..... 377
  configure dos-protect interval ..... 378
  configure dos-protect trusted ports ..... 379
  configure dos-protect type l3-protect alert-threshold ..... 380
  configure dos-protect type l3-protect notify-threshold ..... 381
  configure dot1p type ..... 382
  configure flow-redirect add nexthop ..... 383
  configure flow-redirect delete nexthop ..... 384
  configure flow-redirect health-check ..... 385
  configure flow-redirect nexthop ..... 386
  configure flow-redirect no-active ..... 387
  configure flow-redirect vr ..... 388
  configure identity-management role-based-vlan ..... 389
  configure identity-management role ..... 390
  configure identity-management access-list ..... 391
  configure identity-management blacklist ..... 392
  configure identity-management database memory-size ..... 394
  configure identity-management detection ..... 395
  configure identity-management greylist ..... 397
  configure identity-management kerberos snooping aging time ..... 398
  configure identity-management kerberos snooping force-aging time ..... 399
  configure identity-management kerberos snooping forwarding ..... 400
  configure identity-management kerberos snooping server ..... 402
  configure identity-management list-precedence ..... 403
  configure identity-management ports ..... 404
  configure identity-management role add child-role ..... 405
  configure identity-management role add dynamic-rule ..... 406
  configure identity-management role add policy ..... 407
  configure identity-management role delete child-role ..... 408
  configure identity-management role delete dynamic-rule ..... 409
  configure identity-management role delete policy ..... 410
  configure identity-management role match-criteria inheritance ..... 411
  configure identity-management role priority ..... 412
  configure identity-management stale-entry aging-time ..... 413
  configure identity-management whitelist ..... 416
  configure ip-security anomaly-protection icmp ipv4-max-size ..... 418
  configure ip-security anomaly-protection icmp ipv6-max-size ..... 418
  configure ip-security anomaly-protection notify cache ..... 419
  configure ip-security anomaly-protection notify rate limit ..... 420
  configure ip-security anomaly-protection notify rate window ..... 421
  configure ip-security anomaly-protection notify trigger off ..... 421
  configure ip-security anomaly-protection notify trigger on ..... 422
  configure ip-security anomaly-protection tcp ..... 423
  configure ip-security dhcp-bindings add ..... 424
  configure ip-security dhcp-bindings delete ..... 425
  configure ip-security dhcp-bindings storage filename ..... 426
  configure ip-security dhcp-bindings storage location ..... 427
  configure ip-security dhcp-bindings storage ..... 427
  configure ip-security dhcp-snooping information check ..... 429
  configure ip-security dhcp-snooping information circuit-id port-information port ..... 430
  configure ip-security dhcp-snooping information circuit-id vlan-information ..... 430
  configure ip-security dhcp-snooping information option ..... 431
  configure ip-security dhcp-snooping information policy ..... 432
  configure ldap domain add server ..... 433
  configure ldap domain base-dn ..... 435
  configure ldap domain bind-user ..... 436
  configure ldap domain delete server ..... 437
  configure ldap domain netlogin ..... 438
  configure ldap domain ..... 440
  configure ldap hierarchical-search-oid ..... 440
  configure log target upm filter ..... 441
  configure log target upm match ..... 442
  configure mac-lockdown-timeout ports aging-time ..... 443
  configure meter ..... 444
  configure netlogin add mac-list ..... 446
  configure netlogin add proxy-port ..... 448
  configure netlogin agingtime ..... 449
  configure netlogin allowed-refresh-failures ..... 449
  configure netlogin authentication database-order ..... 450
  configure netlogin authentication failure vlan ..... 451
  configure netlogin authentication service-unavailable vlan ..... 452
  configure netlogin banner ..... 454
  configure netlogin base-url ..... 455
  configure netlogin delete mac-list ..... 456
  configure netlogin delete proxy-port ..... 457
  configure netlogin dot1x eapol-transmit-version ..... 457
  configure netlogin dot1x guest-vlan ..... 458
  configure netlogin dot1x timers ..... 460
  configure netlogin dynamic-vlan uplink-ports ..... 462
  configure netlogin dynamic-vlan ..... 463
  configure netlogin local-user security-profile ..... 465
  configure netlogin local-user ..... 466
  configure netlogin mac timers reauth-period ..... 468
  configure netlogin move-fail-action ..... 469
  configure netlogin port allow egress-traffic ..... 470
  configure netlogin ports mode ..... 471
  configure netlogin ports no-restart ..... 474
  configure netlogin ports restart ..... 475
  configure netlogin redirect-page ..... 476
  configure netlogin session-refresh ..... 477
  configure netlogin vlan ..... 478
  configure port shared-packet-buffer ..... 479
  configure ports qosprofile ..... 481
  configure ports rate-limit egress ..... 482
  configure ports rate-limit flood ..... 483
  configure ports vlan ..... 484
  configure qosprofile qp8 weight ..... 487
  configure qosprofile wred ..... 487
  configure qosprofile ..... 489
  configure qosscheduler weighted-deficit-round-robin ..... 494
  configure radius server client-ip ..... 496
  configure radius shared-secret ..... 497
  configure radius timeout ..... 499
  configure radius-accounting server client-ip ..... 500
  configure radius-accounting shared-secret ..... 502
  configure radius-accounting timeout ..... 503
  configure ssh2 key ..... 504
  configure sshd2 user-key add user ..... 506
  configure sshd2 user-key delete user ..... 507
  configure ssl certificate pregenerated ..... 507
  configure ssl certificate privkeylen ..... 509
  configure ssl privkey pregenerated ..... 510
  configure tacacs server client-ip ..... 511
  configure tacacs shared-secret ..... 512
  configure tacacs timeout ..... 513
  configure tacacs-accounting server ..... 514
  configure tacacs-accounting shared-secret ..... 516
  configure tacacs-accounting timeout ..... 517
  configure trusted-ports trust-for 
dhcp-server...................................................................................................518 configure trusted-servers add server.....................................................................................................................519 configure trusted-servers delete server...............................................................................................................520 configure upm event.......................................................................................................................................................521 configure upm profile maximum execution-time............................................................................................522 configure upm timer after...........................................................................................................................................523 configure upm timer at.................................................................................................................................................524 configure upm timer profile........................................................................................................................................525 configure vlan dhcp-address-range.......................................................................................................................526 configure vlan dhcp-lease-timer..............................................................................................................................527 configure vlan dhcp-options......................................................................................................................................528 configure vlan netlogin-lease-timer........................................................................................................................529 configure vlan 
qosprofile.............................................................................................................................................530 create access-list network-zone................................................................................................................................531 Policies and Security 7 Table of Contents create access-list zone..................................................................................................................................................532 create access-list.............................................................................................................................................................533 create flow-redirect........................................................................................................................................................535 create identity-management role............................................................................................................................535 create ldap domain.........................................................................................................................................................539 create log target upm...................................................................................................................................................540 create meter........................................................................................................................................................................541 create netlogin local-user............................................................................................................................................542 create qosprofile..............................................................................................................................................................544 create sshd2 
key-file......................................................................................................................................................545 create sshd2 user-key...................................................................................................................................................546 create upm profile...........................................................................................................................................................547 create upm timer.............................................................................................................................................................548 delete access-list network-zone..............................................................................................................................549 delete access-list zone..................................................................................................................................................550 delete access-list.............................................................................................................................................................550 delete flow-redirect.........................................................................................................................................................551 delete identity-management role............................................................................................................................552 delete ldap domain.........................................................................................................................................................553 delete log target upm....................................................................................................................................................554 delete 
meter.......................................................................................................................................................................554 delete netlogin local-user............................................................................................................................................555 delete qosprofile..............................................................................................................................................................556 delete sshd2 user-key....................................................................................................................................................557 delete upm profile...........................................................................................................................................................558 delete upm timer..............................................................................................................................................................558 disable access-list permit to-cpu.............................................................................................................................559 disable access-list refresh blackhole.....................................................................................................................560 disable clear-flow..............................................................................................................................................................561 disable dhcp ports vlan................................................................................................................................................562 disable diffserv examination ports..........................................................................................................................563 disable diffserv replacement 
ports.........................................................................................................................564 disable dos-protect........................................................................................................................................................564 disable dot1p examination ports..............................................................................................................................565 disable dot1p replacement ports.............................................................................................................................566 disable identity-management....................................................................................................................................567 disable iparp gratuitous protect vlan....................................................................................................................568 disable ip-security anomaly-protection icmp....................................................................................................569 disable ip-security anomaly-protection ip..........................................................................................................570 disable ip-security anomaly-protection l4port.................................................................................................570 disable ip-security anomaly-protection notify...................................................................................................571 disable ip-security anomaly-protection tcp flags............................................................................................572 disable ip-security anomaly-protection tcp fragment..................................................................................573 disable ip-security anomaly-protection................................................................................................................574 disable ip-security arp 
gratuitous-protection....................................................................................................575 disable ip-security arp learning learn-from-arp................................................................................................576 disable ip-security arp learning learn-from-dhcp............................................................................................577 disable ip-security arp validation.............................................................................................................................578 disable ip-security dhcp-bindings restoration..................................................................................................579 Policies and Security 8 Table of Contents disable ip-security dhcp-snooping.........................................................................................................................580 disable ip-security source-ip-lockdown ports....................................................................................................581 disable log target upm...................................................................................................................................................581 disable mac-lockdown-timeout ports...................................................................................................................582 disable netlogin authentication failure vlan ports...........................................................................................583 disable netlogin authentication service-unavailable vlan ports...............................................................584 disable netlogin dot1x guest-vlan ports...............................................................................................................584 disable netlogin logout-privilege.............................................................................................................................585 disable 
netlogin ports....................................................................................................................................................586 disable netlogin reauthenticate-on-refresh........................................................................................................587 disable netlogin redirect-page..................................................................................................................................588 disable netlogin session-refresh...............................................................................................................................588 disable netlogin................................................................................................................................................................589 disable radius....................................................................................................................................................................590 disable radius-accounting............................................................................................................................................591 disable snmp traps identity-management..........................................................................................................592 disable ssh2........................................................................................................................................................................593 disable tacacs....................................................................................................................................................................594 disable tacacs-accounting..........................................................................................................................................595 disable 
tacacs-authorization......................................................................................................................................595 disable upm profile.........................................................................................................................................................596 disable web http...............................................................................................................................................................597 disable web https............................................................................................................................................................598 download ssl certificate...............................................................................................................................................599 download ssl privkey....................................................................................................................................................600 edit policy............................................................................................................................................................................602 edit upm profile...............................................................................................................................................................604 enable access-list permit to-cpu.............................................................................................................................604 enable access-list refresh blackhole......................................................................................................................605 enable clear-flow.............................................................................................................................................................606 enable dhcp ports 
vlan.................................................................................................................................................607 enable diffserv examination ports..........................................................................................................................608 enable diffserv replacement ports.........................................................................................................................609 enable dos-protect simulated....................................................................................................................................610 enable dos-protect..........................................................................................................................................................610 enable dot1p examination ports.................................................................................................................................611 enable dot1p replacement ports................................................................................................................................612 enable identity-management......................................................................................................................................613 enable iparp gratuitous protect................................................................................................................................614 enable ip-option loose-source-route......................................................................................................................615 enable ip-security anomaly-protection icmp......................................................................................................616 enable ip-security anomaly-protection ip............................................................................................................617 enable ip-security anomaly-protection 
l4port...................................................................................................618 enable ip-security anomaly-protection notify....................................................................................................619 enable ip-security anomaly-protection tcp flags..............................................................................................619 enable ip-security anomaly-protection tcp fragment...................................................................................620 enable ip-security anomaly-protection..................................................................................................................621 enable ip-security arp gratuitous-protection....................................................................................................622 enable ip-security arp learning learn-from-arp.................................................................................................623 Policies and Security 9 Table of Contents enable ip-security arp learning learn-from-dhcp.............................................................................................624 enable ip-security arp validation violation-action...........................................................................................626 enable ip-security dhcp-bindings restoration...................................................................................................628 enable ip-security dhcp-snooping..........................................................................................................................628 enable ip-security source-ip-lockdown ports...................................................................................................630 enable log target upm....................................................................................................................................................631 enable mac-lockdown-timeout 
ports....................................................................................................................632 enable netlogin authentication failure vlan ports............................................................................................633 enable netlogin authentication service-unavailable vlan ports................................................................634 enable netlogin dot1x guest-vlan ports................................................................................................................634 enable netlogin logout-privilege..............................................................................................................................636 enable netlogin ports.....................................................................................................................................................637 enable netlogin reauthentication-on-refresh.....................................................................................................638 enable netlogin redirect-page...................................................................................................................................638 enable netlogin session-refresh................................................................................................................................639 enable netlogin.................................................................................................................................................................640 enable radius.......................................................................................................................................................................641 enable radius-accounting............................................................................................................................................642 enable snmp traps 
identity-management...........................................................................................................644 enable ssh2.........................................................................................................................................................................644 enable tacacs.....................................................................................................................................................................646 enable tacacs-accounting...........................................................................................................................................647 enable tacacs-authorization.......................................................................................................................................648 enable upm profile..........................................................................................................................................................649 enable web http...............................................................................................................................................................650 enable web https.............................................................................................................................................................650 refresh access-list network-zone..............................................................................................................................651 refresh identity-management role..........................................................................................................................652 refresh policy.....................................................................................................................................................................653 run upm 
profile.................................................................................................................................................................655 scp2........................................................................................................................................................................................656 show access-list configuration.................................................................................................................................658 show access-list counter.............................................................................................................................................659 show access-list dynamic counter...........................................................................................................................661 show access-list dynamic rule...................................................................................................................................662 show access-list dynamic............................................................................................................................................664 show access-list interface...........................................................................................................................................665 show access-list meter.................................................................................................................................................667 show access-list network-zone................................................................................................................................668 show access-list usage acl-mask port..................................................................................................................669 show access-list usage acl-range port.................................................................................................................670 
show access-list usage acl-rule port.......................................................................................................................671 show access-list usage acl-slice port....................................................................................................................674 show access-list width..................................................................................................................................................677 show access-list...............................................................................................................................................................678 show banner netlogin...................................................................................................................................................680 show clear-flow acl-modified.....................................................................................................................................681 show clear-flow rule.......................................................................................................................................................682 show clear-flow rule-all................................................................................................................................................684 Policies and Security 10
