Alcatel-Lucent 6800 Switch User Manual

Software Supported
page 18 OmniSwitch 6800/6850/9000—Release 6.1.3.R01
Authenticated Switch Access
Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or HTTP require authentication via the local user database or via a third-party server. The type of server may be an authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism.
AAA servers are able to provide authorization for switch management users as well as authentication. (They also may be used for accounting.) User login information and user privileges may be stored on the servers. In addition to the Remote Authentication Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) servers, using a Terminal Access Controller Access Control System (TACACS+) server is now supported with the 6.1.3.R01 release.
Authentication-only servers are able to authenticate users for switch management access, but authorization (that is, what privileges the user has after authenticating) is determined by the switch. Authentication-only servers cannot return user privileges to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Security's SecurID product suite. RSA Security's ACE/Agent is embedded in the switch.
By default, switch management users may be authenticated through the console port via the local user
database. If external servers are configured for other management interfaces but the servers become
unavailable, the switch will poll the local user database for login information if the switch is configured
for local checking of the user database. The database includes information about whether or not a user is
able to log into the switch and what kinds of privileges or rights the user has for managing the switch.
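The following is an added model of the ASA decision flow described above; it is illustration code written for this page, not OmniSwitch software. It captures three points from the text: an AAA server returns the user's privileges, an authentication-only server (ACE/Server style) answers only yes/no so the switch decides the privileges, and the local user database is consulted only when every configured server is unavailable and local checking is enabled. The server classes, user records, passwords and privilege names are constructed; the rule that an authentication-only user with no local record gets an empty privilege set is an assumption of the model, not a statement from the manual.

```python
"""Model of Authenticated Switch Access (ASA): external servers with
local-database fallback. Added illustration, not OmniSwitch code.
All names, records and privilege strings below are constructed."""
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """Raised when the external server cannot be reached (down, timeout)."""


# Constructed local user database held on the switch: password plus the
# privileges the switch itself grants to that user.
LOCAL_USERS = {
    "admin":  {"password": "local-secret", "privileges": {"read-write"}},
    "viewer": {"password": "look-only",    "privileges": {"read-only"}},
}


@dataclass
class AAAServer:
    """RADIUS/LDAP/TACACS+-style server: authenticates AND returns privileges."""
    users: dict
    reachable: bool = True

    def check(self, user, password):
        if not self.reachable:
            raise ServerUnavailable(user)
        rec = self.users.get(user)
        if rec is None or rec["password"] != password:
            return None                     # rejected
        return rec["privileges"]            # authorization comes from the server


@dataclass
class AuthOnlyServer:
    """ACE/Server-style server: yes/no only, never returns privileges."""
    users: dict
    reachable: bool = True

    def check(self, user, password):
        if not self.reachable:
            raise ServerUnavailable(user)
        return self.users.get(user) == password


def authenticate(user, password, servers, local_check=True):
    """Return the privilege set for a management login, or None if denied.

    Servers are tried in order. The local database is consulted only when
    every configured server was *unavailable* and local checking is on.
    A reachable server that answers 'rejected' ends the attempt: a failed
    credential never falls through to the local database.
    """
    for srv in servers:
        try:
            result = srv.check(user, password)
        except ServerUnavailable:
            continue                        # server down: try the next one
        if isinstance(srv, AuthOnlyServer):
            if not result:
                return None
            # Authentication-only: the switch decides privileges (assumption:
            # a user with no local record gets no privileges at all).
            local = LOCAL_USERS.get(user)
            return set(local["privileges"]) if local else set()
        return set(result) if result is not None else None

    # Every configured server was unavailable.
    if not local_check:
        return None
    local = LOCAL_USERS.get(user)
    if local is None or local["password"] != password:
        return None
    return set(local["privileges"])


if __name__ == "__main__":
    aaa = AAAServer({"ops": {"password": "pw", "privileges": {"read-write"}}})
    print(authenticate("ops", "pw", [aaa]))          # {'read-write'}
    aaa.reachable = False
    print(authenticate("admin", "local-secret", [aaa]))  # local fallback
```

The distinction the model enforces is the one worth checking on a real deployment: fallback to the local database happens on server unavailability, not on a rejected password, and with local checking disabled an outage of all servers locks management access rather than weakening it.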
Authenticated VLANs
Authenticated VLANs control user access to network resources based on VLAN assignment and a user
log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another
type of security is device authentication, which is set up through the use of port-binding VLAN policies or
static port assignment.) The number of possible AVLAN users is 1048.
Layer 2 Authentication is different from Authenticated Switch Access, which is used to grant individual
users access to manage the switch.
Mac OS X 10.3.x is supported for AVLAN web authentication using JVM-v1.4.2.
Automatic VLAN Containment (AVC)
In an 802.1s Multiple Spanning Tree (MST) configuration, it is possible for a port that belongs to a
VLAN, which is not a member of an instance, to become the root port for that instance. This can cause a
topology change that could lead to a loss of connectivity between VLANs/switches. Enabling Automatic
VLAN Containment (AVC) helps to prevent this from happening by making such a port an undesirable
choice for the root.
When AVC is enabled, it identifies undesirable ports and automatically configures them with an infinite
path cost value.
Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is
highly recommended to ensure that there is not a loss of connectivity during any possible topology
changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root
for an MSTI.
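To make the AVC effect concrete, here is an added, simplified model of MSTI root-port election; it is illustration code for this page, not OmniSwitch software, and it ignores the full 802.1s priority vector (bridge IDs, port priorities). The port table, path costs, advertised root path costs and the VLAN-to-MSTI mapping are constructed. It shows the situation the text describes: a cheap link carrying only a VLAN that is not mapped to the instance wins the root port election, and with AVC enabled the same port is assigned an infinite path cost so that a port actually carrying the instance's VLANs is chosen instead.

```python
"""Root-port election for one MSTI, with and without Automatic VLAN
Containment (AVC). Added illustration, not OmniSwitch code; the port
table, costs and VLAN-to-instance mapping are constructed."""
import math

# Constructed port table: VLANs carried, local port path cost, and the
# root path cost advertised in the BPDU received on that port.
PORTS = {
    "1/1": {"vlans": {10, 20}, "cost": 20000, "rpc": 0},
    "1/2": {"vlans": {30},     "cost": 2000,  "rpc": 0},      # cheap link, VLAN 30 only
    "1/3": {"vlans": {10},     "cost": 20000, "rpc": 20000},
}

# Constructed VLAN-to-MSTI mapping.
MSTI_VLANS = {1: {10, 20}, 2: {30}}


def undesirable_ports(msti):
    """Ports whose VLANs include none of the VLANs mapped to this MSTI."""
    return {p for p, info in PORTS.items() if not info["vlans"] & MSTI_VLANS[msti]}


def effective_cost(port, msti, avc_enabled):
    """Port path cost used in the election; AVC makes undesirable ports infinite."""
    if avc_enabled and port in undesirable_ports(msti):
        return math.inf
    return PORTS[port]["cost"]


def root_port(msti, avc_enabled):
    """Lowest (received root path cost + port path cost) wins; ties by port id.
    Returns (port, total_cost). Infinite cost only deprioritises a port, as in
    MST: if every port is infinite one is still picked."""
    candidates = [
        (info["rpc"] + effective_cost(port, msti, avc_enabled), port)
        for port, info in PORTS.items()
    ]
    total, port = min(candidates)
    return port, total


if __name__ == "__main__":
    for avc in (False, True):
        print(f"MSTI 1, AVC {'on' if avc else 'off'}: root port", root_port(1, avc))
```

Without AVC, MSTI 1 elects port 1/2 even though VLAN 30 is not part of the instance, which is exactly the topology-change risk the text warns about; with AVC on, 1/2 drops to the bottom of the ranking and 1/1 is elected. The model also makes the recommendation above visible: if VLANs were balanced so that each link carried VLANs of the instances it should serve, `undesirable_ports` would be empty and AVC would have nothing to correct.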