ONline 10BASE-T Security Module Installation and Operation Guide
Document Number 17-00392-3
Printed February 1996
Model Number: 5112M-TPLS
3Com Corporation, 118 Turnpike Road, Southborough, MA 01772-1886 U.S.A.
Federal Communications Commission Notice This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
The Chipcom Multichannel Architecture Communications System is registered under U.S. Patent Number 5,301,303. XNS is a trademark and Ethernet is a registered trademark of Xerox Corporation. DEC, DECnet, the Digital logo, DELNI, POLYCENTER, VAX, VT100, and VT220 are trademarks of Digital Equipment Corporation. UNIX is a registered trademark in the U.S.A. and other countries licensed exclusively through X/Open Company, Ltd. IBM is a registered trademark of International Business Machines.
Contents
How to Use This Guide
  Audience
  Structure of This Guide
  Document Conventions
  Related Documents
  3Com Documents
Chapter 3 — Installing and Operating the Module
  Precautionary Procedures
  Quick Installation Chart
  Unpacking Procedures
  Setting the Dip Switch
  Installing the Module
  Showing Port Configurations
  Showing Security Autolearn
  Showing Security Intruder List
  Clearing Security Configurations
  Clearing the MAC Address Table
Appendix B — Technical Support
  On-line Technical Support
  Email Technical Support
  World Wide Web Site
  Support from Your Network Supplier
  Support from 3Com
Figures
  Figure 1-1. ONline 10BASE-T Security Module Application
  Figure 2-1. Sample Configuration Distance Calculation
  Figure 2-2. Unshielded Twisted Pair Network
  Figure 2-3. Redundant Twisted Pair Configuration
  Figure 3-1. Security Module Dip Switch SW1 Location
  Figure 3-2. Figure 3-3. Figure 3-4. Figure 3-5. Figure 3-6. Figure 4-1. Figure 4-2. Figure A-1. Figure A-2.
Tables
  Table 2-1. Seven Basic Network Rules
  Table 2-2. LAN Product Equivalent Distances
  Table 2-3. Maximum Link Distance on Twisted Pair
  Table 3-1. Procedures for Completing Installation
  Table 3-2. DIP Switch SW1 Network Selection Settings
  Table 3-3. Table 3-4. Table 3-5. Table 4-1. Table 5-1. Table 5-2. Table A-1.
How to Use This Guide
This guide tells you how to install and operate the 3Com ONline™ 10BASE-T Security Module (referred to throughout this guide as the Security Module) for the ONline System Concentrator. A configuration section is provided to help you plan your network configuration. This guide also includes information on monitoring the module using an ONline network management module. An appendix explains cabling guidelines and options for this module.
Structure of This Guide
This guide contains the following chapters:
Chapter 1, Introduction – Introduces the principal features of the Security Module.
Chapter 2, Designing and Expanding the Network – Explains examples of possible network configurations using the ONline System Concentrator and the Security Module.
Chapter 3, Installing and Operating the Module – Provides illustrated procedures for installing the Security Module into the ONline System Concentrator.
Document Conventions
The following document conventions are used in this manual:
Convention: Courier text
  Indicates: User input. Example: In the Agent Information Form, enter MIS in the New Contact field.
  Indicates: System output. Example: After pressing the Apply button, the system displays the message Transmitting data.
Convention: Bold command string
  Indicates: Path names. Example: Before you begin, read the readme.txt file located in /usr/snm/agents.
Convention: Note:
  Indicates: A Note. The information is important. Example: Note: Use STP lobe cables for your system.
Convention: Caution:
  Indicates: A Caution. A condition may damage software or hardware. Example: Caution: Do not put your installation diskettes on a magnetic surface. This may damage the diskettes.
Convention: Warning:
  Indicates: A Warning. A condition may threaten personal safety. Example: Warning: Wear eye protection when performing these maintenance procedures.
3Com Documents
The following documents provide additional information on 3Com products:
17-Slot ONline System Concentrator Installation and Operation Guide – Explains how to install, operate, and manage the 3Com ONline 17-Slot System Concentrator (Models 5017C-LS and 5017C with load sharing).
6-Slot ONline System Concentrator Installation and Operation Guide – Explains how to install, operate, and manage the 3Com ONline 6-Slot System Concentrator.
1 Introduction
This chapter describes the principal features of the ONline 10BASE-T Security Module.
The ONline 10BASE-T Security Module
The ONline 10BASE-T Security Module is a 12-port IEEE 802.3 repeater module that complies with the 10BASE-T standard. The module is designed for use with the 3Com ONline System Concentrators using unshielded twisted pair wiring.
❑ Features 'hot swap' capability so that you can install or remove the module without having to power down the concentrator In addition, the Security Module allows you to disable Link Integrity, which allows the module to be connected to equipment that does not conform to the 10BASE-T standard. Before installing the Security Module into the ONline System Concentrator, read the ONline System Concentrator Installation and Operation Guide.
Figure 1-1. ONline 10BASE-T Security Module Application ONline Management A master ONline Ethernet Management Module (EMM) at Version 4.0 is capable of managing the Security Module, including the Autolearning feature. A master ONline Token Ring Management Module (TRMM) at Version 3.0 is capable of managing the Security Module with the exception of the Autolearning Feature.
2 Designing and Expanding the Network This chapter contains configuration information that will help you to design your network. Install all equipment using only approved cables for proper operation. Refer to Appendix A, Twisted Pair Connectors and Cables, for information on twisted pair connector and cable requirements. This chapter includes five sections which describe how to configure your network using the ONline System Concentrator and the ONline 10BASE-T Security Module.
Understanding the General Rules As part of your network design, it is important to consider your network size. For instance, is the network (end-to-end) 100 meters, 1000 meters, 4000 meters, or more? What are your plans for expansion? Your answers play a role in how you configure your network. For example, once the network expands beyond a certain size, you need to add a bridge or other internetworking device.
Table 2-1 outlines the seven basic rules to keep in mind when you construct your network.
Table 2-1. Seven Basic Network Rules
Rule 1. Definition: If possible, use 10BASE-FB as the backbone medium. Recommendations/Notes: Use 62.5 micron cable to conform with the IEEE 10BASE-F and upcoming ANSI FDDI standards. Use ST-type connectors.
Rule 2. Definition: Wire the backbone in a star topology to isolate faults. Recommendations/Notes: Make sure to lay extra fiber cables. The extra cost is small and you will find you need them as your network grows.
Rule 4. Definition: Certain LAN devices on the network shrink the maximum Fiber Ethernet network diameter to less than 4200 meters. Recommendations/Notes: Many LAN products delay the signal that goes through them. This is known as equivalent distance. Every microsecond delay reduces the maximum link distance. In fact, every microsecond delay shrinks the network diameter by approximately 200 meters of fiber cable.
Rule 6. Definition: The fiber link distances must not exceed the limits imposed by the optical power budget. Recommendations/Notes: In general, on 62.5 micron cable, you can go up to 4000 meters point-to-point using the ONcore or ONline Fiber Modules. If you have poor quality cable or cross many patch panels, you may have to sacrifice some distance. Some older Ethernet fiber optic products are less powerful than ONcore Fiber Module optics.
LAN Equivalence
LAN equivalence is the sum of both the incoming and outgoing module port signals. Different modules, however, have different equivalent distances. Table 2-2 lists the LAN product equivalent distances.
Table 2-2.
❑ You must add a bridge if you exceed four full repeaters. The four-repeater rule for Ethernet limits the number of 10BASE-T modules between any two transceivers. When traffic goes into a port on any repeater-based module and out the backplane, it counts as a 1/2 repeater. When the traffic goes into the module through one port and out another port on the same or a different module, it counts as one full repeater.
Using the sample configuration below, identify the two transceivers that are likely to be the greatest fiber equivalent distance apart. In this case, they are 10BASE-T Transceivers A and B. Figure 2-1. Sample Configuration Distance Calculation To determine if your network configuration is legal: 1. Use 4.2 km (4200 m) since this is the maximum network diameter for a pure fiber network (see Rule 3). 2.
Do not exceed the distances as defined in Table 2-2 for the link from a Security Module to a 10BASE-T Transceiver.
Table 2-3. Maximum Link Distance on Twisted Pair
Cable Gauge: Supports Link Distances Up To
Unshielded Twisted Pair, 10BASE-T Normal Squelch:
  22 (.6 mm): 100 m
  24 (.5 mm): 100 m
Twisted Pair Backbone, Twisted Pair To-The-Desk
In constructing a twisted pair backbone, one additional configuration rule must be considered.
Figure 2-2.
In the example shown in Figure 2-2, if two patch panels were used between the top right PC and the top right concentrator, you would have to shorten the link distance of 100 meters to 90 meters. This is because the maximum allowable link distance on 22 gauge wire using 10BASE-T signaling with two intervening patch panels is 100 meters minus approximately 10 meters.
To set link redundancy between two Security Modules: 1. Connect two links to two ports on the 50-Pin Telco cables between the modules. Use a crossover adapter between each link because the links are designed to be connected to a station's port, not to other concentrator ports. 2. Use the SET PORT {slot.port} MODE REDUNDANT {slot.port} network management command to specify which port is the primary link and which is the backup link.
3 Installing and Operating the Module This chapter describes the installation procedures and initial setup commands for the ONline 10BASE-T Security Module. For your convenience, a quick installation chart is included. Note: Read the precautionary procedures before unpacking the module.
Precautionary Procedures Electrostatic discharge (ESD) can damage static-sensitive devices on circuit boards. Follow these precautions when you handle the Security Module: ❑ Do not remove the board from its anti-static shielding bag until you are ready to inspect it. ❑ Handle the board by the faceplate. Use proper grounding techniques when you install the Security Module. These techniques include using a foot strap and grounded mat or wearing a grounded static discharge wrist strap.
Table 3-1. Procedures for Completing Installation (Continued)
Step 4. Procedure: Install the module into a blank slot in the concentrator and tighten the faceplate screws. Reference: Installing the Module
Step 5. Procedure: Establish connections from the Security Module to devices or a 10BASE-T transceiver using the appropriate connectors and cabling. Reference: Installing the Module
Step 6. Procedure: If you have a management module installed in the concentrator, configure the module using the management commands.
Unpacking Procedures To unpack your Security Module: 1. Verify that the Security Module is the correct module by matching the model number listed on the side of the shipping carton to the model number you ordered. Note that the product model number printed on the shipping box differs from the model number on the product. The model number on the shipping box contains the prefix ’3C9’.
Setting the Dip Switch The Security Module has one 4-switch DIP switch (SW1) located on the module. The functions of the DIP switch settings on the Security Module are ignored if a management module is already installed in the concentrator. For this reason, use management commands, rather than the DIP switch, to configure the module. If a management module is installed in the concentrator, you may skip this section and proceed to the Installing the Module section later in this chapter.
Network selection switches 1 and 2 enable you to select a channel for the module. Switches 1 and 2 are factory set to On. Therefore, the Security Module is initially configured to network 1. To reconfigure the module to a different network, refer to the information in Table 3-2.
Switch 4 (Link Integrity) allows you to enable or disable Link Integrity. Table 3-3 lists the functions and default settings for switches 3 and 4.
Table 3-3. DIP Switch SW1 Security and Link Integrity Settings
Switch 3 (Security). Function: Enable or disable security and enable or disable port mode for all 12 ports. Factory Default: enable. Switch Setting Off: Security disable/Port enable. Switch Setting On: Security enable/Port disable.
Switch 4 (Link Integrity). Function: Enable or disable link integrity for all 12 ports.
Installing the Module You do not need to power down the ONline System Concentrator to install the Security Module. You can insert the module while the concentrator is operating (this is called a hot swap). This section describes: ❑ Installing the Cable Tie-Wrap Kit ❑ Installing the Module Installing the Cable Tie-Wrap Kit A cable tie-wrap kit is included with the Security Module.
To install the tie-wrap kit: 1. Remove the hex nut from the bottom of the connector located on the module faceplate. 2. Using the Phillips-head screw provided in the tie-wrap kit, attach the tie-wrap bracket to the module (Figure 3-2). Figure 3-2. Attaching the Tie-Wrap Bracket to the Module 3. Insert the tie-wrap through the opening on the tie-wrap bracket.
4. Connect the 90° cable connector to the module connector using a tie-wrap to secure the cable connector to the module (Figure 3-3). Figure 3-3. Attaching Cables With 90° Connectors 5. Wrap the tie-wrap around the cable connector to secure the cable connector to the module connector. Caution: Do not fasten the tie-wrap around the module ejectors.
Installing the Module To install the Security Module: 1. If you do not have a management module installed in the concentrator, make sure you set the DIP switches properly on the board, if different than the default settings. A management module is required to configure the security features of the Security Module. Without management, the Security Module functions as a non-secure 10BASE-T module. 2. Locate an open slot in the concentrator.
4. Remove the long screw (if present) from the 50-pin cable. Discard this screw. 5. Remove the two cable-fastening screws from the Security Module shipping carton. 6. Attach the 50-pin cable connector to the 50-pin connector on the front of the module. 7. Install the two screws in the top and bottom screw holes of the 50-pin cable connector to secure the cable to the module connector as shown in Figure 3-5.
The 50-pin Telco-type connector connects to 12 10BASE-T-compliant ports using a 12-leg hydra cable. This module can be attached using the 12-leg hydra cable to a patch panel or punch-down block, which provides connections for the 12 twisted pair ports. The next section describes the features you can set for the Security Module. Configuring the Module The ONline management modules (EMM, TRMM, and FMM) provide management capabilities for the ONline System Concentrator and its modules.
Port Enable You can enable or disable use of the 12 ports on the Security Module. When a port is enabled, it can transmit and receive data onto the network to which the module is assigned. 3Com recommends that you disable all unused ports on the Security Module to prevent network tampering. Enter the following management command to enable all the ports on the module in slot 3. ONline> set port 3.
If you set up redundancy between a secure port and a non-secure port (whether on a Security Module port or other module port), a warning message is displayed to terminal management. The warning informs you that this configuration has the potential to automatically cause a change in security when the primary port fails and the secondary port becomes activated.
Link Integrity
In general, enable Link Integrity for the Security Module to conform to the 10BASE-T standard.
Use the following command to enable security for all of the ports on the Security Module in slot 3. ONline> set security port 3.all mode enable [ENTER] Autopartition Threshold Autopartition threshold tells network management the number of collisions to allow before automatically partitioning a port. The options are 31, 63, 127, and 255. The factory default is 63.
Showing Module Configurations
You can display status information about the Security Module using the following management commands:
❑ SHOW MODULE
❑ SHOW MODULE VERBOSE
❑ SHOW PORT
❑ SHOW PORT VERBOSE
The following command displays detailed information about the Security Module in slot 3:
ONline> show module 3 verbose [ENTER]
Slot  Module      Version  Network     General Information
3     5112M-TPLS  001      ETHERNET_1
5112M-TPLS: ONline 10BASE-T Security Module
Network Dip Setting:
Auto-partition Threshold:
The following output is an example of the SHOW PORT ALL VERBOSE command issued for the ports of a Security Module installed in slot 12 (only the output for ports 1, 2, and 3 is shown):
ONline> show port 12.all verbose [ENTER]
Port Mode Status
12.01 DISABLED LINK FAILURE
Port Alert Filter:
Port Connector:
Link Integrity:
12.02 DISABLED LINK FAILURE
Port Alert Filter:
Port Connector:
Link Integrity:
12.
Figure 3-6.
Table 3-4. Interpretation of the Security Module LEDs
LED Name: Activity (Ports 1-12). Color: yellow.
  Off: No packets are received on the segment.
  On: Constant activity on the segment.
  Blinking: Normal activity on the segment.
LED Name: Status (Ports 1-12). Color: green.
  Off: Port disabled.
  On: Port enabled and link OK or Link Integrity disabled.
  1 blink: Link failure.
  2 blinks: Port partitioned.
LED and Network Verification Once the module is installed, verify its operation through the front panel of the ONline Controller Module. The Controller Module is equipped with an LED test button on the front panel. Use the LED test button to verify LED operation and verify network assignment. When you press this button, the Controller Module initiates a test to all modules in the concentrator. All LEDs should respond by lighting continuously for approximately five seconds.
4 Configuring Security Features This chapter describes the security features of the ONline 10BASE-T Security Module and includes the management commands necessary to configure and monitor security functionality. A master EMM at Version 4.0 is required to manage the features of the Security Module, including Autolearning. A master TRMM at Version 3.0 is required to manage the features of the Security Module with the exception of the Autolearning Feature.
Quick Reference for Configuring Security Table 4-1 outlines the steps necessary to configure the security features of your module. These procedures and command examples are explained further throughout this chapter. If you are familiar with these instructions, you may want to use this table as a checklist. Table 4-1. Quick Reference for Configuring the Security Module Procedure Command 1. Disable Autolearning Mask to allow the EMM to Autolearn MAC addresses for ports.
Table 4-1. Quick Reference for Configuring the Security Module (Continued)
4. Procedure: Initiate Autolearning to enable the EMM to automatically learn the valid MAC addresses associated with a port. Command: SET SECURITY AUTOLEARN CAPTURE
5. Procedure: Download the learned MAC addresses from the Autolearning database to the port MAC address table. Command: SET SECURITY AUTOLEARN DOWNLOAD
TRMM
Note: The TRMM does not support Autolearning.
Configuring Security Features This section describes the security features of the Security Module, including Eavesdropping Security and Intrusion Detection.
❑ Allows the Security Module to deliver packets only to the end station to which a packet is addressed. ❑ Prohibits unauthorized end stations from listening (eavesdropping) on packets that are not specifically addressed to them. If a port receives a packet (from the ONline backplane) that is not targeted to any of the valid addresses associated with that port, the Security Module does not allow that packet to be delivered intact to the end station.
address, the module forces a collision. The collision prevents intruding end stations from gaining access to a port and transmitting unauthorized data over the network. Figure 4-2 illustrates an example of an Intrusion Detection configuration. Figure 4-2. Example of Intrusion Detection Defining Port Security Type You must define a security type for each port on the Security Module. Issue the following command to configure the security type 'full' for all ports on the Security Module in slot 3.
Security Mode is automatically enabled when you issue the SET SECURITY PORT SECURITY_TYPE command. Security Type is automatically configured to Full (which includes both Eavesdropping and Intrusion security) when you issue the SET SECURITY PORT MODE ENABLE command. Note: Security mode must be disabled in order for the EMM to Autolearn MAC addresses for ports that have Security Type configured for Intrusion_only or Full.
ONline> set security port 3.all action_on_intrusion disable_and_trap [ENTER] The default setting for action_on_intrusion is disable_and_trap. Note: For a security intrusion attempt to be logged into the Intruder list, you must configure the action_on_intrusion setting for either disable_and_trap or trap_only. Both settings allow a trap to be sent upon an intrusion, which also logs an entry into the Intruder list.
Issue the following command to enable all the ports on the Security Module in slot 3. ONline> set port 3.all mode enable [ENTER] Configuring Autolearning Autolearning uses the network monitoring features of the EMM to provide a mechanism which: ❑ Learns the MAC addresses of the stations that have been sending packets to the EMM network ❑ Continuously monitors network activity An EMM at Version 4.0 is required to configure Autolearning.
4. The result of this copy is a combination of the existing MAC addresses associated with a port, and the MAC addresses recently learned. (Remember that a port must have its Autolearning Mask disabled in order for MAC addresses to be learned.) 5. If MAC addresses for the specified ports currently exist in the Autolearning database, the following message is displayed when the Autolearn Capture command is issued: Note: overwriting previously autolearned addresses.
Defining a MAC Address Manually The Security Module provides you with the flexibility of manually adding MAC addresses into a port's MAC address table, and into the Autolearning Database. You may use this feature to add one or more MAC addresses to a port MAC address table instead of Autolearning a port's associated MAC addresses. Note: If you are using a TRMM to manage the Security Module, you must use this command in order to add MAC addresses to a port MAC address table.
Downloading the Autolearning Database You must download the contents of the Autolearning database to the Security Module ports in order for the MAC Addresses to be associated with the ports. When Autolearning Capture is complete, download the Autolearning database to initiate port security. Depending on the amount of network traffic transmitted to the Security Module ports, you may elect to defer the Autolearn download for a day, several days, or a week.
Note: at least one autolearned address was skipped because the port with which it is associated has more than 4 autolearned addresses. If any MAC address was skipped because the concentrator limit was reached, the following message displays upon completion of the Autolearn Download command: Note: the number of autolearned addresses exceeds the concentrator limit. Only the first X addresses (as ordered by slot, port, and addr) were downloaded.
❑ MAC addresses will not be Autolearned ❑ The port(s) will report an intrusion. (An intrusion is only reported if a port Action_on_intrusion setting is configured to either Disable_and_trap or Trap_only.) Saving Security Configurations The SAVE SECURITY command saves all security information for each port on every Security Module, and on every Ethernet module in the concentrator. Issue the following command to save security configurations and make the information permanent.
Showing Port Configurations You can display information about the Security Module ports using the SHOW PORT SECURITY command. The following command displays: – All of the addresses (up to four per-port) for a single port or – All 12 ports on a Security Module or – All ports on all Security Modules in a concentrator The command example shown displays security information for all ports on the Security Module in slot 17. ONline> show security port 17.
ONline> show security port 17.all verbose [ENTER]
Security Display for Module 5112M-TPLS in Slot 17 :
Port Mode MAC Addresses General Information
17.01 DISABLED 17-01-01-01-01-01 ETHERNET_1
Port Action On Intrusion:
Autolearn Mask:
17.02 EAVESDROP NONE
Port Action On Intrusion:
Autolearn Mask:
17.03 INTRUSION 01-02-03-04-05-06
                01-02-03-04-05-07
Port Action On Intrusion:
Autolearn Mask:
17.04 FULL NONE
Port Action On Intrusion:
Autolearn Mask:
17.
Showing Security Autolearn The SHOW SECURITY AUTOLEARN command displays all of the MAC addresses that have been learned and stored in the Autolearning database. Only entries for ports specified in the command are displayed. An additional message is provided if any port has more than four entries, or if the concentrator limit has been exceeded. To display all associated MAC addresses for the ports on the Security Module in slot 17, issue the following command. ONline> show security autolearn 17.
A double asterisk (**) marks entries that have exceeded the EMM capacity of 360 MAC addresses, or the TRMM capacity of 400 MAC addresses. Entries that exceed the 360 or 400 MAC address maximum (that is, entry 361 and greater or entry 401 or greater) are not downloaded. If your concentrator is near full capacity, or if you have ports connected to bridges, you may wish to perform two or more Autolearn Captures, which may prevent these ports from exceeding the 360 MAC address limit.
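An added planning sketch (not part of the 3Com guide) that applies the two limits described above to an Autolearning database before SET SECURITY AUTOLEARN DOWNLOAD is issued: four addresses per port and 360 addresses per concentrator for an EMM. It assumes the per-port check is applied first and that skipped entries do not count toward the 360; the function names and the sample database are constructed for illustration.

```python
from collections import defaultdict

PER_PORT_LIMIT = 4   # guide: up to four addresses per port
EMM_LIMIT = 360      # guide: EMM capacity of 360 MAC addresses


def mac_key(mac):
    """Parse 'xx-xx-xx-xx-xx-xx' into a sortable tuple of six integers."""
    parts = mac.strip().lower().split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return tuple(int(p, 16) for p in parts)


def plan_download(entries, per_port=PER_PORT_LIMIT, limit=EMM_LIMIT):
    """Split (slot, port, mac) entries into what would be downloaded and
    what would be left out, walking them in slot, port, address order.

    Assumption (hypothetical model, not documented behaviour): the per-port
    check runs first and skipped entries do not use up concentrator capacity.
    """
    ordered = sorted({(slot, port, mac_key(mac)) for slot, port, mac in entries})
    kept_per_port = defaultdict(int)
    plan = {"downloaded": [], "over_port_limit": [], "over_concentrator_limit": []}
    for slot, port, key in ordered:
        entry = (slot, port, "-".join(f"{b:02x}" for b in key))
        if kept_per_port[(slot, port)] >= per_port:
            plan["over_port_limit"].append(entry)
        elif len(plan["downloaded"]) >= limit:
            plan["over_concentrator_limit"].append(entry)
        else:
            kept_per_port[(slot, port)] += 1
            plan["downloaded"].append(entry)
    return plan


def ports_at_risk(plan):
    """Ports with at least one learned station that would not be downloaded.

    Once security is enabled on such a port, that station's address is not in
    the port's MAC address table, so its traffic is treated as an intrusion.
    """
    dropped = plan["over_port_limit"] + plan["over_concentrator_limit"]
    return sorted({(slot, port) for slot, port, _ in dropped})


def build_sample():
    """Constructed database: 8 modules x 12 ports x 4 stations each, plus one
    port (3.05) that saw 6 stations, as a port feeding a bridge might."""
    entries = []
    for slot in range(1, 9):
        for port in range(1, 13):
            count = 6 if (slot, port) == (3, 5) else 4
            for n in range(count):
                entries.append((slot, port, f"02-00-00-{slot:02x}-{port:02x}-{n:02x}"))
    return entries


if __name__ == "__main__":
    plan = plan_download(build_sample())
    print("downloaded:", len(plan["downloaded"]))
    print("skipped, more than 4 on a port:", plan["over_port_limit"])
    print("skipped, concentrator limit:", len(plan["over_concentrator_limit"]))
    for slot, port in ports_at_risk(plan):
        print(f"review before enabling security: port {slot}.{port:02d}")
```

Ports reported here are candidates for a separate Autolearn Capture or for manual MAC address entry before Security Mode is enabled on them.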
The following command example displays a Security Intrusion list for a two-port 10BASE-FB Module.
ONline> show security intruder_list [ENTER]
Port   MAC Address        Time Since Intrusion  Auto-Disable?
03.01  08-00-8f-02-c6-be  0d 0h 15m 27s         YES
03.02  09-d3-74-00-2e-01  1d 5h 32m 53s         YES
MAC addresses for unauthorized stations that attempt to transmit data to Security Module ports are not displayed.
Note: Security Mode is not disabled automatically when you delete a port's MAC address. Thus, a port may not have a MAC address associated with it yet still have security enabled. In this case, any end station attached to that port is deemed “unauthorized.” Always disable Security Mode on a port that does not have an assigned MAC address.
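A check for the condition in the note above, as an added example (not part of the 3Com guide): it parses a SHOW SECURITY PORT verbose display and flags ports that have security enabled but no MAC address, ports with security disabled, and intrusion-detecting ports whose action setting would not log to the Intruder list. The sample display is constructed from the guide's example; its column layout, the values after the colons and the name PLACEHOLDER_NO_TRAP are assumptions, not real ONline output or settings.

```python
import re

# Constructed sample modelled on the guide's display for slot 17.
# Layout and the values after the colons are assumptions; PLACEHOLDER_NO_TRAP
# stands in for "some setting other than disable_and_trap or trap_only".
SAMPLE_OUTPUT = """\
Security Display for Module 5112M-TPLS in Slot 17 :
Port   Mode       MAC Addresses      General Information
17.01  DISABLED   17-01-01-01-01-01  ETHERNET_1
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask:           DISABLED
17.02  EAVESDROP  NONE
       Port Action On Intrusion: DISABLE_AND_TRAP
       Autolearn Mask:           DISABLED
17.03  INTRUSION  01-02-03-04-05-06
                  01-02-03-04-05-07
       Port Action On Intrusion: TRAP_ONLY
       Autolearn Mask:           ENABLED
17.04  FULL       NONE
       Port Action On Intrusion: PLACEHOLDER_NO_TRAP
       Autolearn Mask:           DISABLED
"""

PORT_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
ACTION_RE = re.compile(r"^Port Action On Intrusion:\s*(\S*)", re.IGNORECASE)

SECURED_MODES = {"EAVESDROP", "INTRUSION", "FULL"}
INTRUSION_MODES = {"INTRUSION", "FULL"}
# The guide: only these two settings send a trap and log to the Intruder list.
LOGGING_ACTIONS = {"disable_and_trap", "trap_only"}


def parse_security_display(text):
    """Return one dict per port: port, mode, macs (list), action."""
    ports, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        start = PORT_RE.match(line)
        if start:
            current = {"port": start.group(1), "mode": start.group(2).upper(),
                       "macs": [], "action": ""}
            if MAC_RE.match(start.group(3)):      # "NONE" leaves the list empty
                current["macs"].append(start.group(3).lower())
            ports.append(current)
        elif current is None:
            continue                               # banner and header lines
        elif MAC_RE.match(stripped):               # continuation line: extra MAC
            current["macs"].append(stripped.lower())
        else:
            action = ACTION_RE.match(stripped)
            if action:
                current["action"] = action.group(1).lower()
    return ports


def audit(ports):
    """Return (port, code, message) findings in port order."""
    findings = []
    for p in ports:
        if p["mode"] in SECURED_MODES and not p["macs"]:
            findings.append((p["port"], "SECURED_NO_MAC",
                             "security enabled with no MAC address: every "
                             "attached station is treated as unauthorized"))
        if p["mode"] in INTRUSION_MODES and p["action"] not in LOGGING_ACTIONS:
            findings.append((p["port"], "INTRUSION_NOT_LOGGED",
                             "action on intrusion sends no trap, so attempts "
                             "will not appear in the Intruder list"))
        if p["mode"] == "DISABLED":
            findings.append((p["port"], "SECURITY_DISABLED",
                             "security mode is disabled on this port"))
    return findings


if __name__ == "__main__":
    for port, code, message in audit(parse_security_display(SAMPLE_OUTPUT)):
        print(f"{port}  {code}: {message}")
```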
Using 3Com MIB Security Variables This section lists the network management Security MIB (Management Information Base) variables and the ONline 10BASE-T Security Module MIB variables. EMM Security SNMP Variables The MIB variables for the EMM Security settings include: ❑ olNetSecurityMACTable - Table of security information for the entire concentrator. ❑ olNetSecurityMACEntry - The element type for entries in the olNetSecurityMACTable.
❑ olNetSecurityMACStatus - Status associated with each port, which indicates if a valid (non-zero) MAC address is assigned to it. The possible values for this field are Valid and Invalid. Using the Security Module SNMP Variables Listed below are the MIB (Management Information Base) variables for the ONline 10BASE-T Security Module. ❑ ol51nnMTPLSModTable - List of module-specific information about a specific 51nnM-TPLS module in the concentrator.
❑ ol51nnMTPLSPortBuddyPort - The port index of the redundant port's buddy. ❑ ol51nnMTPLSPortLinkInteg - The link integrity configuration for this port. ❑ ol51nnMTPLSPortDipLinkInteg - The link integrity configuration for this port as indicated by the module DIP switch setting.
5 Troubleshooting This chapter describes troubleshooting procedures for the ONline Security Module. Information on troubleshooting will assist you in verifying operation. Typical fault conditions are addressed in this chapter. Troubleshooting Diagnostic features have been covered to a large extent in Tables 3-4 and 3-5. Table 5-1 and Table 5-2 in this chapter cover fault conditions and troubleshooting suggestions for the ONline 10BASE-T Security Module.
Troubleshooting Using the Status LEDs A blinking Port Status indicator (LED) signals a problem with a port or a link connected to a port. Once a port detects a problem, you can further analyze the problem by counting the number of blinks. Table 5-1 provides troubleshooting suggestions for each of the blinking sequences. Note: The LEDs provide accurate information only when unused ports are disabled. Table 5-1.
Table 5-1. Troubleshooting Using the Port Status LEDs (Continued)
LED State: Off (continued). Indication: Ports Disabled (continued).
  Possible Problem: Broken LED. Troubleshooting Suggestion: Press the LED test on the Controller Module.
  Possible Problem: Faulty Security Module. Troubleshooting Suggestion: Replace module.
  Possible Problem: Attempted breach of security intrusion. Troubleshooting Suggestion: Display the Intruder list for intruder information. Then re-enable the port.
The Security Module also provides a Module Status LED. This LED indicates the operational status of the module.
Troubleshooting Using the Activity LEDs
Under some conditions a port Activity LED may not light. Use the troubleshooting suggestions in Table 5-2 to help determine why the light is off, and to isolate the source of the problem.
Table 5-2. Troubleshooting Using the Activity LEDs
LED State: Off
  Possible Problem: There is no traffic received from the segments (normal). Troubleshooting Solution: None.
  Possible Problem: Concentrator power is Off. Troubleshooting Solution: Check the Controller Module Power LEDs.
  Possible Problem: The Activity LED has burned out.
Technical Assistance
You can receive assistance for installing and troubleshooting the Security Module by calling either your 3Com reseller or 3Com Technical Support.
A Specifications
This appendix lists:
❑ Electrical Specifications
❑ Environmental Specifications
❑ Mechanical Specifications
❑ General Specifications
❑ 50-Pin Connector and Cable
❑ Twisted Pair Connectors and Cables
Electrical Specifications
Backplane Interface: 96-pin edge connector, compatible with the 3Com ONline System Concentrators.
Power Requirements: 2.0 A for 5V
Fuse: 4.
Environmental Specifications
Operating Temperature: 0° to 50° C (32° to 122° F)
Storage Temperature: -30° to 65° C (-22° to 149° F)
Humidity: less than 95%, non-condensing
BTU/hr: 34
Mechanical Specifications
Dimensions: 1.0" W x 10.25" L x 8.5" H (2.54 cm x 26.04 cm x 21.6 cm)
Weight: 1.25 lb. (0.57 kg.
Ethernet interface: 50-pin TELCO connector; supports 12 connections
Number of ports: 12
Cabling: conforms to the 10BASE-T standard
Cable differential impedance: 85 ohms to 115 ohms over 1 to 16 MHz band
Cable propagation velocity: >.
Figure A-1. 50-Pin Cable Male and Female Connectors
Table A-1 lists the pinouts, receive/transmit pairs and polarity, and port assignments for the 50-Pin Telco cable that connects to the Security Module.
Table A-1.
This section is divided into the following parts:
❑ Twisted Pair Connectors
❑ Twisted Pair Cables
Twisted Pair Connectors
Use the IEEE 802.3 10BASE-T standard for RJ-45 pinouts as described below. 10BASE-T uses 2 of the 4 pairs of wire: pins 1 and 2 and pins 3 and 6. If the pairs are not configured this way, the connection will not work properly.
Some installations may have 50-pin Telco connectors at the wiring closet. We recommend using a patch panel that converts from 50-pin to RJ45-type connectors. This allows direct connection to the Security Module in your ONline System Concentrator.
B Technical Support
3Com provides easy access to technical support information through a variety of services.
Email Technical Support
You can contact the Integrated Systems Division (formerly Chipcom) on the Internet for technical support using the e-mail address techsupp@chipcom.com.
World Wide Web Site
You can access the latest networking information on the 3Com World Wide Web site by entering our URL into your Internet browser: http://www.3Com.
When you contact your network supplier for assistance, have the following information ready:
❑ Diagnostic error messages
❑ A list of system hardware and software, including revision levels
❑ Details about recent configuration changes, if applicable
If you are unable to contact your network supplier, see the following section on how to contact 3Com.
Support from 3Com
If you are unable to receive support from your network supplier, technical support contracts are available from 3Com.
For access to customer service for all 3Com products, call (800) 876-3266. You can also contact the Integrated Systems Division (ISD) on the Internet by using the e-mail address techsupp@chipcom.com.
Returning Products for Repair
A product sent directly to 3Com for repair must first be assigned a Return Materials Authorization (RMA) number. A product sent to 3Com without an RMA number will be returned to the sender unopened, at the sender’s expense.
3. Enter your full Internet e-mail address as the password (for example, jdoe@company.com).
4. Change to the mib or schema directory using the cd /pub/mibs or cd /pub/mibs/schemas command.
5. To view the 3Com MIB, OID, or schema entries, enter the dir command.
   ❑ To pause the display, press [CTRL-S].
   ❑ To continue the display, press [CTRL-Q].
6. Copy the MIB, OID, or schema files to your current directory using the appropriate command (for example, get chipcom.mib).
7.