Cabletron Systems LANVIEWsecure User manual

Brand: Cabletron Systems

Model: LANVIEWsecure

Category: Networking

Type: User manual

LANVIEW

SECURE

USER’S GUIDE

NOTICE

Cabletron Systems reserves the right to make changes in speciﬁcations and other information contained in this document without prior

notice. The reader should in all cases consult Cabletron Systems to determine whether any such changes have been made.

The hardware, ﬁrmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL CABLETRON SYSTEMS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR

CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR

RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF CABLETRON SYSTEMS HAS BEEN

ADVISED OF, KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Cabletron Systems, Inc.

PO. Box 5005

Rochester, NH 03866-5005

Printed in the United States of America

Order Number: 9031250-01 October 1996

SPECTRUM

LANVIEW

SECURE

and

Multi Media Access Center

are registered trademarks of Cabletron Systems, Inc.,

and

EMME

EMM-E6

Hubstack

MicroMMAC

MMAC-Plus

and

SEHI

are trademarks of Cabletron Systems, Inc.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Printed on Recycled Paper

FCC NOTICE

This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause

harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired

operation.

NOTE:

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC

rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a

commercial environment. This equipment uses, generates, and can radiate radio frequency energy and if not installed in accordance

with the operator’s manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area

is likely to cause interference in which case the user will be required to correct the interference at his own expense.

WARNING:

Changes or modiﬁcations made to this device which are not expressly approved by the party responsible for compliance

could void the user’s authority to operate the equipment.

DOC NOTICE

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio

Interference Regulations of the Canadian Department of Communications.

Le présent appareil numérique n’émet pas de bruits radioélectriques dépassant les limites applicables aux appareils numériques de la

class A prescrites dans le Règlement sur le brouillage radioélectrique édicté par le ministère des Communications du Canada.

VCCI NOTICE

This equipment is in the 1st Class Category (information equipment to be used in commercial and/or industrial areas) and conforms to

the standards set by the Voluntary Control Council for Interference by Information Technology Equipment (VCCI) aimed at preventing

radio interference in commercial and/or industrial areas.

Consequently, when used in a residential area or in an adjacent area thereto, radio interference may be caused to radios and TV

receivers, etc.

Read the instructions for correct handling.

iii

CABLETRO

N SYST

EMS, INC. PROGRAM LICENSE AGREEMENT

IMPORTANT:

Before utilizing this product, carefully read this License Agreement.

This document is an agreement between you, the end user, and Cabletron Systems, Inc. (“Cabletron”) that sets forth your rights and

obligations with respect to the Cabletron software program (the “Program”) contained in this package. The Program may be contained

in ﬁrmware, chips or other media. BY UTILIZING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY

THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND

DISCLAIMER OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY RETURN THE

UNUSED PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.

CAB

LETRON SO

FTWARE PROGRAM LICENSE

1. LICENSE

. You have the right to use only the one (1) copy of the Program provided in this package subject to the terms and

conditions of this License Agreement.

You may not copy, reproduce or transmit any part of the Program except as permitted by the Copyright Act of the United States or

as authorized in writing by Cabletron.

2. O

THER RESTRICTIONS. You may not reverse engineer, decompile, or disassemble the Program.

3. APPLICABLE LA

W. This License Agreement shall be interpreted and governed under the laws and in the state and federal courts

of New Hampshire. You accept the personal jurisdiction and venue of the New Hampshire courts.

EXCLUSION OF WA

RRANTY AND DI

SCLAIMER OF LIABILITY

1. EXCLUSION OF WARRANTY. Except as may be specifically provided by Cabletron in writing, Cabletron makes no warranty,

expressed or implied, concerning the Program (including its documentation and media).

CABLETRON DISCLAIMS ALL WARRANTIES, OTHER THAN THOSE SUPPLIED TO YOU BY CABLETRON IN

WRITING, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PROGRAM, THE

ACCOMPANYING WRITTEN MATERIALS, AND ANY ACCOMPANYING HARDWARE.

2. NO LIABILITY FOR CONSEQ

UENTIAL DAMAGES. IN NO EVENT SHALL CABLETRON OR ITS SUPPLIERS BE

LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF

BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL,

CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE

THIS CABLETRON PRODUCT, EVEN IF CABLETRON HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH

DAMAGES. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR

CONSEQUENTIAL OR INCIDENTAL DAMAGES, OR ON THE DURATION OR LIMITATION OF IMPLIED

WARRANTIES, IN SOME INSTANCES THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU.

UNITED STATES GOVE

RNMENT

RESTRICTED RIGHTS

The enclosed product (a) was developed solely at private expense; (b) contains “restricted computer software” submitted with restricted

rights in accordance with Section 52227-19 (a) through (d) of the Commercial Computer Software - Restricted Rights Clause and its

successors, and (c) in all respects is proprietary data belonging to Cabletron and/or its suppliers.

For Department of Defense units, the product is licensed with “Restricted Rights” as deﬁned in the DoD Supplement to the Federal

Acquisition Regulations, Section 52.227-7013 (c) (1) (ii) and its successors, and use, duplication, disclosure by the Government is

subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at

252.227-7013. Cabletron Systems, Inc., 35 Industrial Way, Rochester, New Hampshire 03867-0505.

CONTENTS

CHAPTER 1

LANVIEW

SECURE

1.1 Introduction............................................................................................................................................1-1

1.2 Technology ............................................................................................................................................1-1

1.2.1 Types of Protection...................................................................................................................1-2

1.2.2 Features of First Generation Security.......................................................................................1-2

1.2.3 New Features of Second Generation Security..........................................................................1-3

1.3 Configuring

LANVIEW

ECURE

................................................................................................................1-4

1.4 Tips for Implementing

LANVIEW

SECURE

Features.................................................................................1-5

1.5 Summary ...............................................................................................................................................1-5

1.6 Getting Help...........................................................................................................................................1-6

CHAPTER 2 OIDs TO ENABLE/DISABLE SECURITY

2.1 Introduction............................................................................................................................................2-1

2.2 OIDs.......................................................................................................................................................2-1

CHAPTER 3 SETTING OIDs

3.1 Introduction............................................................................................................................................3-1

3.2 Guidelines..............................................................................................................................................3-1

3.3 Navigating the SNMP Tools Screen ......................................................................................................3-1

3.4 The SNMP Tools Screen.......................................................................................................................3-2

3.5 The GET Command...............................................................................................................................3-3

3.6 The SET Command...............................................................................................................................3-4

3.7 The CYCLE Command..........................................................................................................................3-6

CHAPTER 4 MIB NAVIGATOR

4.1 Introduction............................................................................................................................................4-1

4.2 Managing Device MIBs..........................................................................................................................4-2

4.3 MIB Navigator Command Set Overview................................................................................................4-2

4.3.1 Conventions for MIB Navigator Commands..............................................................................4-3

4.3.2 Navigation Commands..............................................................................................................4-3

CHAPTER 5 COMMUNITY NAMES

5.1 Introduction............................................................................................................................................5-1

5.2 Viewing MIB Components and Corresponding Community Names ......................................................5-2

5.3 More Device Community Name Examples............................................................................................5-3

1-1

CHAPTER 1

LANVIEW

SECURE

1.1 Introduction

LANVIEW

SECURE

is Cabletron Systems strategy for hub-based security of Ethernet networks. Cabletron

Systems technology provides security solutions across the entire Multi Media Access Center product line

including the HubSTACK, MicroMMAC, and MMAC-Plus. Cost effective implementations in 10BASE-T

twisted pair, 10BASE2 coaxial, and 10BASE-FL fiber optic media provide the network architect freedom of

choice when incorporating physical layer security into the network.

LANVIEW

SECURE

is based on the concept of a secure repeater which protects data from being transmitted to, or

received from, unauthorized users. The hub utilizes the Media Access Control (MAC) Address of attached

users to control the flow of data both outbound to the end user, and inbound from the end user.

1.2 Technology

The backbone of

LANVIEW

SECURE

is the Repeater Interface Controller II (RIC II) Chip. It provides hardware

assistance to the

LANVIEW

SECURE

Hub Security Architecture. With the security feature enabled, the RIC II

immediately begins scrambling the data portion of the Ethernet packets repeated out to all ports, except the

port containing the actual destination MAC Address of the attached device. When a source MAC Address that

is not on the secure list for a port is detected, the management module sends a trap to the Simple Network

Management Protocol (SNMP) Network Management Station alerting the operator to the condition and/or

automatically disables the port, if so configured.

The RIC II has the intelligence to learn up to two (2) MAC Addresses per port, on the fly, allowing automatic

configuration of the secure network. Supporting two MAC Addresses per port provides support of networks

that utilize the DECnet protocol. DECnet environments support the factory assigned MAC Addresses on the

Ethernet adapter, as well as a locally administered MAC Address. The RIC II also supports a floating cache of

32 MAC Addresses that can be assigned to any port. The cache is configurable from the SNMP agent of the

device managing the chassis or hub to allow network administrators the ability to add or delete authorized user

network addresses. The total number of addresses that can be saved is platform specific. The technology can

also be applied to scramble broadcast and multicast address packets. For any limitations, refer to the Release

Notes of the

LANVIEW

SECURE

products you are using.

Security is activated by enabling Port Locking. You can lock and unlock ports at the repeater, board, and port

levels.

1-2

1.2.1 Types of Protection

Intruder Prevention

Intruder Prevention prevents any unauthorized source addresses from communicating to the network via a

secure port. Intruder Prevention is based on the expected MAC address of a port. In order for

LANVIEW

SECURE

to be effective, specific parameters must be set and features enabled. During Setup, the

manager configures the Trap Screen and enables security. When an unrecognized MAC address is discovered

on a port, a trap is generated, sent to the Network Management station, and recorded on the Trap Screen. With

Locking enabled, the default configuration of Intruder Prevention is to disable the port and send trap

information to the Trap Screen.

Eavesdrop Protection

Eavesdrop Protection delivers a scrambled (a random pattern of ones and zeros) data portion of the Ethernet

packet to all ports except the port specified in the destination MAC address field of the original packet. The

result is that all ports other than the destination port receive meaningless information.

1.2.2 Features of First Generation Security

Repeater Security

You may perform the following security function at the repeater level: Lock Ports. This affects all ports on all

boards on the specified channel. The default condition is disabled.

Board Security

You may perform the following security function at the board level: Lock Ports. This affects all ports on the

specified board(s). The default condition is disabled.

Port Security

You may perform the following security functions at the port level: Disable Ports on intruder, Lock Port, and

Full Security (which enables the packet scrambling feature on broadcasts and multicast). This affects only the

specified port on a specified board.

Disable Ports (Intruder Prevention)

The Disable Ports feature disables the port when an unauthorized source address is detected. Disabling this

feature causes the port to remain operational after a violation. Not using the Disable Ports feature effectively

removes intruder protection from the selected port.

Send Trap

The Send Trap feature issues a trap after the first violation of the port; disable this feature if you do not wish to

receive these traps. The device using

LANVIEW

SECURE

must have the trap table properly configured for this

selection to function. (This is essentially the same as the Send Trap on Intruder feature for the board and

channel levels — only the Object Identifier (OID) strings change).

Lock Port (Partial Security)

Lock Port feature activates security on the port. Enabling Lock Port automatically secures the source addresses

in the secure address table. The addresses that are contained in the secure address list are considered the valid

addresses for that port. If an address is received on a locked port and that address is not on the secure list, the

port will be disabled.

1-3

Force Trunk Port

The user may force the port to be a trunk port before locking the port. When this object is set to “Force” it

causes the port to be placed into a Trunk topological state whether the network traffic warrants such a state or

not. When this object is set to “NoForce” it allows the port to assume the topological state it naturally assumes

based on the network activity on that port. When read, this object reports the current setting. When the port is

in the Trunk state, either forced or natural, this does not send a new source address trap or an aged source

address trap.

NOTE

: Prior to having secure state, the topological state of a port (station or trunk) was used for purposes of

determining whether a port was capable of being secure. The topological state of a port no longer has any

bearing on security. In fact, the only thing that the topological state affects, is whether traps are sent out for

new and aged addresses. If the port is a trunk port, traps are not sent out at all. Topological state is determined

by the traffic or it can be forced into a trunk state by selecting the Force Trunk OID. If a port sees more than

three addresses for an aging time, or exactly three addresses for consecutive aging times, then it becomes a

trunk port. This applies to both

LANVIEW

SECURE

products and regular, non-secure products.

Adding/Deleting Secure Addresses

Through the use of the appropriate OIDs, addresses can be added to or deleted from the secure address list.

When adding addresses to a port that has never been locked, it is important to note that any learned addresses

are deleted and replaced with the manually entered addresses. If the port is locked or was once locked, then all

addresses remain in the secure list and the new addresses are added to the list.

1.2.3 New Features of Second Generation Security

Full Security (Eavesdrop Protection)

When the Full Security feature is enabled, the data portions of data packets not intended for this destination,

including broadcast and multicast, are scrambled. When the Full Security feature is disabled, broadcast and

multicast packets are transmitted unchanged, regardless of what is contained in the secure address list. The

default condition is disabled.

Continuous Learn Mode

This allows a port to continuously learn source addresses. Network administrators now have the versatility to

move stations from port to port without manually adding and deleting source addresses. This benefits

customers who are constantly conducting adds, moves, and changes to their physical network environment. To

configure a port, port group, or network for Continuous Learn Mode, use the Learn Mode object. Once

configured, the port, port group, or network has the ability to learn the source address of the last packet to be

transmitted on the port. Scrambling, however, is still done on any packets not destined for this port (Eavesdrop

Protection).

This object can be set whether the port is locked or unlocked. Upon setting to Continuous Learn, all addresses

on the port are deleted, and then the next address seen is put in the security list. If the port is locked, it secures

on the latest address, and performs destination security on that one address (scramble packets not destined for

the port). The drawback to this mode is that there is no intruder protection (source address security) on the port.

Once an intruder sends a packet, it becomes the valid address on the port.

The Learn mode object can be set regardless of whether the port is in the Secure state or Non-Secure state.

However, the port only learns addresses when it is in the Secure state.

A port that is set to Continuous Learn is put into a state of Learn. Ports in Continuous Learn Mode do not

restore any addresses when “Hot-swapped”, reset, etc. In Continuous Learn Mode, the secure addresses are not

stored in NVRAM; however, the configuration of being in Continuous Learn Mode is stored.

1-4

Learn State

This provides the ability to start and stop learning at the network, port group, and port level. The Object

Identifier (OID) defaults to “Learn” state. This OID automatically changes to “Nolearn” state once it has either

learned two addresses or a set has been done by management. At this point, the user can set the OID back to

“Learn” state, which causes all of the addresses on the port to be deleted and the port to begin learning again.

Similarly, if the port is in the “Learn” state, the user can set it to “Nolearn”, which prevents any further

addresses from being learned on the port, port group, or network. Either action can only be taken if the port is

unlocked. The network, port group, and port level then need to have security enabled to benefit from the

Intruder Prevention and Eavesdrop Protection features.

Secure State (read only)

The secure state is a read only object. The secure state of a port is defined by the traffic on that port. A port that

is non-secure is a port that cannot support either Intruder Prevention Security or Eavesdrop Prevention. In

other words, it cannot be set to a locked state at any time. For

LANVIEW

SECURE

products, a port is non-secure

if there are more than 35 addresses “seen” on a port for an aging period; or if there are exactly 35 addresses

“seen” on that port for two consecutive aging periods. For all other products, a port is non-secure if there are

more than 3 addresses “seen” on the port for the aging period; or if there are exactly 3 addresses “seen” on the

port for two consecutive aging periods. A Non-Secure port cannot be locked. And, similarly, a locked port

cannot be Forced Non-Secure. An attempt to do either will return MIB_BAD_VALUE.

Force Secure/NonSecure

To put a port in a Non-Secure configuration, set the port to Forced Non-Secure. A port that is Forced

Non-Secure stays in this condition until the force is removed, at which point it goes into a natural secure state,

based on the traffic once the next aging time is reached. This is useful for ports that have a network connection

for which you do not want security implemented.

1.3 Configuring

LANVIEW

SECURE

To configure

LANVIEW

SECURE

, enter, through your network management system, the desired OID from the

List of Secure OIDs.

Chapter 2 provides a list of

LANVIEW

SECURE

OIDs.

Chapter 3 provides a step by step procedure for setting the

LANVIEW

SECURE

OIDs through the management

platform of SNMP tools using the SEHI as an example. To set OID strings, you can use the SNMP utility

described in the SEHI User’s Guide or any MIB walking tool. Refer to specific MIB walking tool

documentation for instructions on how to set MIB OID strings.

Chapter 4

explains how to use the MIB Navigator utility commands of get, set, and community names for

LANVIEW

SECURE

Chapter 5 provides information about community names. The read-write community name for the Repeater

MIB component is necessary to perform SNMP set commands to enable/disable

LANVIEW

SECURE

features.

1-5

1.4 Tips for Implementing

LANVIEW

SECURE

Features

Security can only be implemented by locking a port, and can only be completely disabled by unlocking a port.

You cannot enable Intruder Protection on a

LANVIEW

SECURE

hub without also enabling Eavesdrop Protection.

You can, however, effectively enable Eavesdrop Protection alone by de-selecting the Disable Ports option for

the violation response; choosing not to disable ports basically eliminates intruder protection, sends a trap, and

allows all packets to pass regardless of their source address. Another approach to enable Eavesdrop Protection

alone is to use Continuous Learn.

Security should not be enabled on any port that is connected to an external bridge. The bridge discards all

packets it receives as error packets since Cyclic Redundancy Checks (CRCs) are not recalculated after a packet

is scrambled.

Security should not be enabled on any port that is supporting a trunk connection with 3 or more addresses,

unless you are sure that no more than 34 consecutive addresses will attempt to use the port, and you have

secured all necessary addresses. A simple way of ensuring this is to put a port to Forced Non-Secure.

If you choose to set the board or repeater security, be advised that a board setting overrides all port settings for

the specified board, while a repeater setting overrides all board(s) and their respective port settings for the

specified channel. An integer of 3 for some OIDs indicates a mixed state.

Query chCompName and chCompSUCommStr to identify the community name for the Repeater MIB

component(s). Use the community name obtained to enable/disable

LANVIEW

SECURE

features.

Secure the device console port as well as device network ports. In the Community Name Table, change the

default community name for Read-Only, Read-Write, and Superuser access privileges.

Cabletron Systems advises that all default community names be changed for each MIB component. This can be

done simultaneously through Configuration Manager of SPECTRUM, Set Community String Utility of

Remote LANVIEW/Windows, or Set Community Names Utility of SPECTRUM Element Manager/Windows.

1.5 Summary

Many methods of network security exist today to ensure the integrity of what is quickly becoming an

organization’s most valuable asset — information. While no one method alone provides a complete solution

from all potential unauthorized access, when used appropriately and in conjunction with one another, a

solution set is often found. Cabletron Systems

LANVIEW

SECURE

is designed to discourage common security

violations while monitoring and controlling normal moves, adds, and changes in Local Area Network (LAN)

environments.

1-6

1.6 Getting Help

If you need additional support related to this device, or if you have any questions, comments, or suggestions

concerning this manual, contact Cabletron Systems Technical Support:

Phone (603) 332-9400

Monday – Friday; 8

. – 8

. Eastern Time

CompuServe GO CTRON from any ! prompt

Internet mail [email protected]

FTP ctron.com (134.141.197.25)

anonymous

Password

your email address

BBS (603) 335-3358

Modem setting 8N1: 8 data bits, 1 stop bit, No parity

For additional information about Cabletron Systems products, visit our

World Wide Web site: http://www.cabletron.com/

2-1

CHAPTER 2

OIDs TO ENABLE/DISABLE SECURITY

2.1 Introduction

This chapter provides a list of the OIDs for

LANVIEW

SECURE

2.2 OIDs

The read-write community name for the Repeater MIB component is necessary to perform SNMP set

commands to enable/disable

LANVIEW

SECURE

features. Refer to Chapter 4 for more information on

community names. The examples shown below use the following definitions: b=board, p=port.

rptrSaTrapSetSrcaddr

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrSaTrapSet 1}

Enables and disables source address traps for this network.

1.3.6.1.4.1.52.4.1.1.1.4.1.6.2.1.0

Integer

1 disable

2 enable

3 other

read-write

rptrSecurityLockState

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrSaSecurity 1}

Setting this object to Lock will activate the network port security lock. It is invalid to

set a value of portMisMatch(3). This value reﬂects a status value that the lock

status between the port group, port and repeater levels do not agree.

1.3.6.1.4.1.52.4.1.1.1.4.1.7.1.0

Integer

1 unlock

2 lock

3 portMisMatch

read-write

2-2

rptrSecuritySecureState

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrSaSecurity 2}

The status of source address security of the network. Ports on the network that

are secure(1), can be locked in order to enable security. NonSecure(2) ports

cannot be locked. Setting a value of portMisMatch(3) is invalid.

1.3.6.1.4.1.52.4.1.1.1.4.1.7.2.0

Integer

1 secure

2 nonSecure

3 portMisMatch

read-only

rptrSecurityLearnState

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrSaSecurity 3}

The learn state of the network. This object will only be applied to ports that are

locked. If set to learn(1), all addresses are deleted on the ports and learning

begins once again. If it is set to noLearn(2), learning stops on the port. Setting a

value of portMisMatch(3) is invalid.

1.3.6.1.4.1.52.4.1.1.1.4.1.7.3.0

Integer

1 learn

2 noLearn

3 portMisMatch

read-write

rptrSecurityLearnMode

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrSaSecurity 4}

Get/Set the learn mode of the network. If set to oneTime learn mode oneTime(1),

each port is capable of learning two addresses and securing on both destination

and source addresses once they are locked. If set to continuous learn

continuous(2), all addresses are initially deleted and each port continuously

replaces the existing secure source address with the latest source address it

sees. Setting a value of portMisMatch(3) is invalid.

1.3.6.1.4.1.52.4.1.1.1.4.1.7.4.0

Integer

1 oneTime

2 continuous

3 portMisMatch

read-write

2-3

rptrPortGrpSaTrapSetSrcaddr

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortGrpSaTrapEntry 2}

Enables and disables source address traps for the speciﬁed port group.

1.3.6.1.4.1.52.4.1.1.1.4.2.5.2.1.1.2.0

Integer

1 disable

2 enable

3 other

read-write

rptrPortGrpSrcAddrLockGrpId

Description:

Object Identiﬁer:

Data Type:

Access Policy:

{rptrPortGrpSrcAddrLockEntry 1}

Deﬁnes particular port group for this source address security lock information.

1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.1.b

Integer

read-only

rptrPortGrpSrcAddrLock

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortGrpSrcAddrLockEntry 2}

Allows setting of the security lock status for this port group. It is invalid to set a

value of portMisMatch(3). This value is used for status to identify that the lock

status for the ports within the port group do not match the lock status for the port

group.

1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.2.b

Integer

1 unlock

2 lock

3 portMisMatch

read-write

2-4

rptrPortGrpSASecurity-

SecureState

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortGrpSrcAddrLockEntry 3}

The state of the source addressing security for this port group. Ports on the port

group that are secure(1), can be locked in order to enable security. When a value

of nonsecure(2) is returned ports cannot be locked. Setting a value of

portMisMatch(3) is invalid. A value of portMisMatch(3) reﬂects that not all ports

are the same value.

1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.3.b

Integer

1 secure

2 nonSecure

3 portMisMatch

read-only

rptrPortGrpSASecurityLearn-

State

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortGrpSrcAddrLockEntry 4}

The learn state of source addressing security for the port group. This Object will

only applied to ports that are unlocked. If set to learn(1), all addresses are deleted

on the port and learning begins once again. If it is set to nolearn(2), learning stops

on the port. Setting a value of portMisMatch(3) is invalid.

1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.4.b

Integer

1 learn

2 noLearn

3 portMisMatch

read-write

rptrPortGrpSASecurityLearn-

Mode

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortGrpSrcAddrLockEntry 5}

The learn mode of source addressing security port group. If set to oneTime(1),

each port is capable of learning two addresses and securing on both destination

and source addresses once they are locked. If set to continuous(2), all addresses

are initially deleted and each port continuously replaces the existing secure

source address with the latest source address it sees. Setting a value of

portMisMatch(3) is invalid.

1.3.6.1.4.1.52.4.1.1.1.4.2.6.1.5.b

Integer

1 oneTime

2 continuous

3 portMisMatch

read-write

2-5

rptrPortSrcAddrTopoState

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortSrcAddrEntry 3}

Returns the topological state of the port. NOTE: Not related to security.

1.3.6.1.4.1.52.4.1.1.1.4.3.5.1.3.b.p

Integer

1 station

2 trunk

read-only

rptrPortSrcAddrForceTrunk

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortSrcAddrEntry 4}

When this object is set to Force it causes the port to be placed into a Trunk

topological state whether the network trafﬁc would warrant such a state or not.

When this object is set to noForce it allows the port to assume the topological

state it would naturally assume based on the network activity across it. When

read, this object reports the current setting. NOTE: Not related to security.

1.3.6.1.4.1.52.4.1.1.1.4.3.5.1.4.b.p

Integer

1 noForce

2 force

read-write

rptrPortSaTrapSetSrcaddr

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortSaTrapEntry 3}

Enables and disables source address traps for this port.

1.3.6.1.4.1.52.4.1.1.1.4.3.8.2.1.1.3

Integer

1 disable

2 enable

read-write

rptrPortSecurityPortGrpId

Description:

Object Identiﬁer:

Data Type:

Access Policy:

{rptrPortSecurityEntry 1}

Port Group ID for this source address lock entry.

1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.1.b.p

Integer

read-only

2-6

rptrPortSecurityPortId

Description:

Object Identiﬁer:

Data Type:

Access Policy:

{rptrPortSecurityEntry 2}

The port ID for this source address lock entry.

1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.2.b.p

Integer

read-only

rptrPortSecurityLockStatus

Description:

Object Identiﬁer:

Data Type:

Values:

Access Policy:

{rptrPortSecurityEntry 3}

Deﬁnes lock status for this particular port entry.

1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.3.b.p

Integer

1 unlock

2 lock

read-write

rptrPortSecurityLockAddAd-

dress

Description:

Object Identiﬁer:

Data Type:

Access Policy:

{rptrPortSecurityEntry 4}

Setting a value to this object will cause a new entry to be added to the

rptrPortSecurityListTable. When read, this object will display an octet string of size

6 with each octet containing a 0.

1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.4.b.p

Octet String

read-write

rptrPortSecurityLockDelAd-

dress

Description:

Object Identiﬁer:

Data Type:

Access Policy:

{rptrPortSecurityEntry 5}

Setting a value to this object will cause corresponding entry in the

rptrPortSecurityListTable to be deleted. When read this object returns an octet

string of length 6 with each octet having the value 0.

1.3.6.1.4.1.52.4.1.1.1.4.3.9.1.1.5.b.p

Octet String

read-write

Page is loading ...

Cabletron Systems LANVIEWsecure User manual

Brand: Cabletron Systems

Model: LANVIEWsecure

Category: Networking

Type: User manual

Download PDF

report

Cabletron Systems LANVIEWsecure User manual

Cabletron Systems LANVIEWsecure User manual

Related papers

Other documents