Specifications

Alcatel-Lucent
OS-LS6200 Series Page 18
Serial port to support CLI: Out-of-band serial port delivers the CLI management interface for local configuration of the switch
Security
Key Security Features Supported
Advanced Security
• 802.1x port based user authentication with multiple host mode
• 802.1x multi-client, multi-VLAN support for per-client authentication and VLAN assignment
• 802.1x MAC authentication
• 802.1x Multiple Sessions
• Transparent 802.1x BPDU Forwarding
• Private VLAN edge or port mapping
• Guest VLAN provides limited network access for unauthorized clients
• MAC address lockdown allows only known devices onto the network, preventing unauthorized devices from gaining access; the port locks down after a user-configured number of MAC addresses has been learned
• DHCP Option 82 and DHCP snooping for IP address allocation control and protection
• IP Source Guard and Dynamic ARP Inspection
• RADIUS and TACACS+ administrator authentication prevents unauthorized switch management
• Secure Shell (SSH), Secure Sockets Layer (SSL) and SNMPv3 for encrypted remote management communication
• Access control lists filter out unwanted traffic, including denial-of-service attack traffic
• Access control lists (ACLs) are applied per port and match on MAC SA/DA, IP SA/DA, ICMP type and code, Ethertype, and TCP/UDP port
• STP root guard prevents an unauthorized device from becoming the root of a spanning tree.
• STP BPDU guard is used to protect the network from invalid configurations.
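The DHCP snooping, DHCP Option 82, IP Source Guard and Dynamic ARP Inspection features listed above all hinge on one binding table: snooping builds it from leases handed out by trusted servers, and the other two features drop frames whose source does not match it. The following is an added illustrative model of that interaction, written for this page and not taken from the switch's software; the port names (gi1/0/1, gi1/0/24), MAC and IP addresses, the packet dictionaries and the exact trust and drop rules are assumptions.

```python
"""Illustrative model of DHCP snooping with Option 82, IP Source Guard and
Dynamic ARP Inspection on an access switch. Constructed example for this
datasheet section, not the switch's software; port names, MAC and IP
addresses are invented."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """DHCP snooping binding: the leased (MAC, IP) tied to the VLAN and port it was granted on."""
    mac: str
    ip: str
    vlan: int
    port: str

class AccessSwitch:
    def __init__(self, switch_id: str, trusted_ports):
        self.switch_id = switch_id
        self.trusted = set(trusted_ports)                   # uplinks toward the real DHCP server
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (client MAC, VLAN) -> Binding

    # DHCP snooping: client messages are relayed with Option 82 inserted, server
    # messages are accepted only from trusted ports, and ACKs populate the table.
    def dhcp_from_client(self, port: str, vlan: int, src_mac: str, pkt: dict) -> Optional[dict]:
        """DISCOVER/REQUEST from a host; returns the packet to forward, or None to drop."""
        if port not in self.trusted and "option82" in pkt:
            return None                 # an untrusted host forging relay-agent information
        if pkt["chaddr"] != src_mac:
            return None                 # client hardware address must match the frame source
        relayed = dict(pkt)
        relayed["option82"] = {"circuit_id": port, "remote_id": self.switch_id}
        return relayed

    def dhcp_from_server(self, port: str, vlan: int, pkt: dict) -> bool:
        """OFFER/ACK from a server; returns True if forwarded to the client."""
        if port not in self.trusted:
            return False                # rogue DHCP server on an access port
        if pkt["type"] == "ACK":
            client_port = pkt["option82"]["circuit_id"]    # echoed back by the server
            self.bindings[(pkt["chaddr"], vlan)] = Binding(pkt["chaddr"], pkt["yiaddr"], vlan, client_port)
        return True

    def _bound(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port

    # IP Source Guard: on untrusted ports an IP packet must carry the (MAC, IP)
    # pair leased to that very port; unbound hosts may only talk to DHCP.
    def ip_allowed(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        if port in self.trusted or src_ip == "0.0.0.0":
            return True
        return self._bound(port, vlan, src_mac, src_ip)

    # Dynamic ARP Inspection: the sender MAC/IP of an ARP on an untrusted port must
    # match a binding, and the sender MAC must equal the Ethernet source MAC.
    def arp_allowed(self, port: str, vlan: int, eth_src: str, sender_mac: str, sender_ip: str) -> bool:
        if port in self.trusted:
            return True
        return eth_src == sender_mac and self._bound(port, vlan, sender_mac, sender_ip)

def run_demo() -> dict:
    A, B, C = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    sw = AccessSwitch("sw1", trusted_ports={"gi1/0/24"})
    r = {}
    # Host A on gi1/0/1 gets a lease from the legitimate server behind the uplink
    relayed = sw.dhcp_from_client("gi1/0/1", 10, A, {"type": "DISCOVER", "chaddr": A})
    r["circuit_id"] = relayed["option82"]["circuit_id"]
    ack = {"type": "ACK", "chaddr": A, "yiaddr": "10.0.10.5", "option82": relayed["option82"]}
    r["ack_forwarded"] = sw.dhcp_from_server("gi1/0/24", 10, ack)
    r["rogue_ack_forwarded"] = sw.dhcp_from_server("gi1/0/2", 10, ack)
    r["forged_opt82_dropped"] = sw.dhcp_from_client("gi1/0/2", 10, B,
        {"type": "DISCOVER", "chaddr": B, "option82": {"circuit_id": "gi1/0/24"}}) is None
    # IP Source Guard: only A, on its own port, may source A's leased address
    r["a_own_ip"] = sw.ip_allowed("gi1/0/1", 10, A, "10.0.10.5")
    r["b_spoofs_a"] = sw.ip_allowed("gi1/0/2", 10, B, "10.0.10.5")
    r["a_mac_on_other_port"] = sw.ip_allowed("gi1/0/3", 10, A, "10.0.10.5")
    # Dynamic ARP Inspection: B cannot claim the gateway address 10.0.10.1
    r["a_arp_ok"] = sw.arp_allowed("gi1/0/1", 10, A, A, "10.0.10.5")
    r["b_claims_gateway"] = sw.arp_allowed("gi1/0/2", 10, B, B, "10.0.10.1")
    r["a_arp_src_mismatch"] = sw.arp_allowed("gi1/0/1", 10, C, A, "10.0.10.5")
    return r
```

The trust boundary is the whole point: every check short-circuits on a trusted port, so a port facing an untrusted host must never be marked trusted, and the binding is keyed on the port the DHCP request arrived on (via Option 82), which is why the same MAC and IP pair is rejected from gi1/0/3.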
Local authentication: A local password database can be stored on the switch for local authentication.
Advanced port-based and user-based authentication: Advanced port-based authentication also enables user-based authentication. Specific VLANs in the device are always available, even if specific ports attached to the VLAN are unauthorized. For example, Voice over IP does not require authentication, while data traffic does. VLANs for which authorization is not required can be defined; such unauthenticated VLANs are available to users even if the ports attached to the VLAN are defined as unauthorized.
Advanced port-based authentication is implemented in the following modes:
Single Host Mode — Only the authorized host can access the port.
Multiple Host Mode — Multiple hosts can be attached to a single port. Only one host needs to be authorized for all hosts on the port to access the network. If that host's authentication fails, or an EAPOL-logoff message is received, all attached clients are denied access to the network.
Guest VLANs — Provide limited network access to unauthorized ports. If a port is denied network access by port-based authorization but the Guest VLAN is enabled, the port receives limited network access. For example, a network administrator can use Guest VLANs to deny network access via port-based authentication, but grant Internet access to unauthorized users.
Unauthenticated VLANs — Are available to users even if the ports attached to the VLAN are defined as unauthorized.
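As an added example that is not part of the datasheet or the switch's software, the following Python model shows how the four behaviours above decide whether a frame is forwarded and into which VLAN, including the multiple-host case where one failure or EAPOL-logoff re-locks the port for every host. The class and method names, the rule that a second supplicant on a single-host port is refused, the MAC addresses and the VLAN numbers are all invented for illustration.

```python
"""Illustrative model of 802.1X port authorization modes: single-host,
multiple-host, guest VLAN and unauthenticated VLANs. Constructed example for
this datasheet section, not the switch's software; MACs and VLAN numbers are
invented."""
from enum import Enum
from typing import Optional, Set

class Mode(Enum):
    SINGLE_HOST = "single-host"        # only the authenticated supplicant's MAC may use the port
    MULTIPLE_HOST = "multiple-host"    # one successful supplicant opens the port for every MAC

class Dot1xPort:
    def __init__(self, mode: Mode, access_vlan: int,
                 guest_vlan: Optional[int] = None, unauthenticated_vlans=()):
        self.mode = mode
        self.access_vlan = access_vlan
        self.guest_vlan = guest_vlan
        self.unauthenticated_vlans: Set[int] = set(unauthenticated_vlans)
        self.authorized: Set[str] = set()   # MACs whose EAP exchange succeeded

    def eap_result(self, mac: str, success: bool) -> bool:
        """Outcome of a supplicant's EAP exchange; returns whether `mac` is now authorized."""
        if success:
            if self.mode is Mode.SINGLE_HOST and self.authorized and mac not in self.authorized:
                return False                 # a second supplicant on a single-host port is refused
            self.authorized.add(mac)
            return True
        if self.mode is Mode.MULTIPLE_HOST:
            self.authorized.clear()          # one failure re-locks the port for every host
        else:
            self.authorized.discard(mac)
        return False

    def eapol_logoff(self, mac: str) -> None:
        """EAPOL-Logoff from `mac`; in multiple-host mode this de-authorizes the whole port."""
        if self.mode is Mode.MULTIPLE_HOST:
            self.authorized.clear()
        else:
            self.authorized.discard(mac)

    def forward_vlan(self, mac: str, vlan: int) -> Optional[int]:
        """VLAN a frame from `mac` classified into `vlan` is forwarded on, or None if dropped."""
        if vlan in self.unauthenticated_vlans:
            return vlan                      # e.g. the voice VLAN: never gated by 802.1X
        if self.mode is Mode.SINGLE_HOST:
            port_open = mac in self.authorized
        else:
            port_open = bool(self.authorized)
        if port_open:
            return vlan if vlan == self.access_vlan else None
        if self.guest_vlan is not None and vlan == self.access_vlan:
            return self.guest_vlan           # unauthorized host gets limited guest access
        return None

def run_demo() -> dict:
    r = {}
    A, B, PHONE = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    # Multiple-host port: data VLAN 10, guest VLAN 99, voice VLAN 20 left unauthenticated
    p = Dot1xPort(Mode.MULTIPLE_HOST, access_vlan=10, guest_vlan=99, unauthenticated_vlans=(20,))
    r["guest_before_auth"] = p.forward_vlan(A, 10)
    r["voice_before_auth"] = p.forward_vlan(PHONE, 20)
    r["a_auth"] = p.eap_result(A, True)
    r["b_rides_on_a"] = p.forward_vlan(B, 10)            # B never authenticated, still forwarded
    p.eapol_logoff(A)
    r["b_after_a_logoff"] = p.forward_vlan(B, 10)        # back to the guest VLAN
    # Single-host port without a guest VLAN
    s = Dot1xPort(Mode.SINGLE_HOST, access_vlan=10)
    r["single_unauth"] = s.forward_vlan(A, 10)
    s.eap_result(A, True)
    r["single_a"] = s.forward_vlan(A, 10)
    r["single_b_blocked"] = s.forward_vlan(B, 10)
    r["single_second_supplicant"] = s.eap_result(B, True)
    return r
```

The multiple-host results are the ones to weigh when choosing a mode for a port behind a hub or an unmanaged switch: any device can ride on one authenticated neighbour, and that neighbour's logoff cuts everyone off.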
Access Control Lists (ACLs)
L2/L3/L4 ACLs: Users can set up ACLs based on L2/L3/L4 header information that permit or deny packets based on packet header content.
ACLs are a general mechanism to inspect incoming frames and classify them into named logical
groups based on various criteria. Each such group may have specific actions that are carried out on
each frame classified as a member of that group. ACLs are used for two main purposes:
• As a security mechanism, either permitting or denying entry (hence the name Access Control) for frames in a group
• As the mechanism to classify (assign) frames into "traffic classes" for which various "Class-of-service" handling actions are to be carried out; this is the classification mechanism used in Advanced-mode QoS configuration
IP ACL classification: The classification part of an IP ACL identifies flows by any combination of the following fields:
• Protocol
• Source IP address with wildcard
• Destination IP address with wildcard
• DSCP (can alternatively be specified as IP precedence)
• For UDP/TCP:
  o Source port
  o Destination port
• For ICMP packets:
  o ICMP code
  o ICMP type
• For IGMP packets:
  o IGMP type
MAC access lists: MAC ACLs support the following fields:
• Source MAC address with wildcard
• Destination MAC address with wildcard
• VLAN
• User priority
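To make the field lists above concrete, here is an added first-match classifier that covers both the IP ACL and the MAC ACL fields (wildcard-masked addresses, protocol, DSCP or IP precedence, TCP/UDP ports, ICMP type and code, IGMP type, VLAN and user priority) and runs a constructed policy over constructed packets. It is written for this page, not taken from the switch; the Cisco-style wildcard semantics (a 1 bit means "don't care"), the implicit deny at the end of the list, the IP-precedence-as-top-three-DSCP-bits mapping, and all addresses and packets are assumptions.

```python
"""Illustrative L2/L3/L4 ACL classifier for the IP and MAC ACL fields listed
above. Constructed example, not the switch's code: packets, addresses and the
Cisco-style wildcard semantics (a 1 bit means "don't care") are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

def _ip(s): return int(ipaddress.IPv4Address(s))
def _mac(s): return int(s.replace(":", ""), 16)

def wildcard_match(value: int, rule: int, wildcard: int) -> bool:
    """Bits set in `wildcard` are ignored; every other bit must match."""
    return (value ^ rule) & ~wildcard == 0

@dataclass
class IpAce:
    action: str                        # "permit" or "deny"
    protocol: Optional[str] = None     # "tcp", "udp", "icmp", "igmp"; None = any
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # all-ones wildcard = any address
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dscp: Optional[int] = None         # exact 6-bit DSCP
    precedence: Optional[int] = None   # IP precedence = top 3 bits of the DSCP field (assumed)
    src_port: Optional[int] = None     # TCP/UDP only
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    igmp_type: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(_ip(pkt["src"]), _ip(self.src), _ip(self.src_wild)):
            return False
        if not wildcard_match(_ip(pkt["dst"]), _ip(self.dst), _ip(self.dst_wild)):
            return False
        if self.dscp is not None and pkt.get("dscp", 0) != self.dscp:
            return False
        if self.precedence is not None and pkt.get("dscp", 0) >> 3 != self.precedence:
            return False
        for key in ("src_port", "dst_port", "icmp_type", "icmp_code", "igmp_type"):
            want = getattr(self, key)          # L4-specific fields only matter when set
            if want is not None and pkt.get(key) != want:
                return False
        return True

@dataclass
class MacAce:
    action: str
    src: str = "00:00:00:00:00:00"
    src_wild: str = "ff:ff:ff:ff:ff:ff"
    dst: str = "00:00:00:00:00:00"
    dst_wild: str = "ff:ff:ff:ff:ff:ff"
    vlan: Optional[int] = None
    priority: Optional[int] = None     # 802.1p user priority, 0-7

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(_mac(pkt["src_mac"]), _mac(self.src), _mac(self.src_wild)):
            return False
        if not wildcard_match(_mac(pkt["dst_mac"]), _mac(self.dst), _mac(self.dst_wild)):
            return False
        return (self.vlan is None or pkt.get("vlan") == self.vlan) and \
               (self.priority is None or pkt.get("priority") == self.priority)

def classify(acl: List[Union[IpAce, MacAce]], pkt: dict, default: str = "deny") -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return default

# Constructed sample policy: no Telnet into the 10.1.1.0/24 server subnet, echo
# requests only from 10.0.0.0/8, all other ICMP dropped, everything else permitted.
IP_ACL = [
    IpAce("deny", "tcp", dst="10.1.1.0", dst_wild="0.0.0.255", dst_port=23),
    IpAce("permit", "icmp", src="10.0.0.0", src_wild="0.255.255.255", icmp_type=8, icmp_code=0),
    IpAce("deny", "icmp"),
    IpAce("permit"),
]
# Constructed MAC policy: only the 00:11:22 OUI may send on VLAN 10.
MAC_ACL = [MacAce("permit", src="00:11:22:00:00:00", src_wild="00:00:00:ff:ff:ff", vlan=10),
           MacAce("deny")]

def run_demo() -> dict:
    telnet = {"proto": "tcp", "src": "10.2.3.4", "dst": "10.1.1.7", "src_port": 40000, "dst_port": 23}
    ssh = dict(telnet, src_port=40001, dst_port=22)
    ping_in = {"proto": "icmp", "src": "10.9.9.9", "dst": "10.1.1.7", "icmp_type": 8, "icmp_code": 0}
    ping_out = dict(ping_in, src="192.0.2.5")
    mac_ok = {"src_mac": "00:11:22:aa:bb:cc", "dst_mac": "ff:ff:ff:ff:ff:ff", "vlan": 10, "priority": 0}
    mac_bad = dict(mac_ok, vlan=20)
    return {"telnet": classify(IP_ACL, telnet), "ssh": classify(IP_ACL, ssh),
            "ping_in": classify(IP_ACL, ping_in), "ping_out": classify(IP_ACL, ping_out),
            "mac_ok": classify(MAC_ACL, mac_ok), "mac_bad": classify(MAC_ACL, mac_bad)}
```

Order matters in first-match evaluation: moving the `deny icmp` entry above the echo-request permit would silently drop the pings the policy meant to allow, which is the usual way ACL rules are mis-ordered in practice.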