Release Notes for the Business Policy Switch 2000 Software Version 1.1
Part No. 210676-C
March 2001
Nortel Networks, 4401 Great America Parkway, Santa Clara, CA 95054
Copyright © 2001 Nortel Networks All rights reserved. March 2001. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks NA Inc.
Contents
Introduction  5
Related publications  5
New features and enhancements  7
Compatibility with BayStack 450 Switch software version 4.0  7
QoS traffic policing
Improved STP Fast Learning Mode  54
BootP menu item for a stack of only BPS 2000 switches  54
Additional Web-based management operation  55
Access to the Web-based management system using JDM  55
Additional Java security
Introduction

These release notes for the Nortel Networks Business Policy Switch 2000* software version 1.1 provide information about software and operational issues not covered in the Business Policy Switch 2000 (BPS 2000) software version 1.0 and version 1.0.1 guides. To obtain software version 1.1, download the following files from the Customer Support World Wide Web site:
• bps2k110.img (software file)
• bps2k110.
• Using the Business Policy Switch 2000 (part number 208700-A)
• Using Web-Based Management for the Business Policy Switch 2000 (part number 209570-A)
• Reference for the Business Policy Switch 2000 Management Software (part number 209322-A)
• Getting Started with the Business Policy Switch 2000 Management Software (part number 209321-A)
• Business Policy Switch 2000 Installation Instructions (part number 209319-A)
• Installing Media Dependent Adapters (MDAs) (part number 302403-F)
• Man
New features and enhancements

The following paragraphs describe the new features and enhancements offered with the BPS 2000 software version 1.1:
• “Compatibility with BayStack 450 Switch software version 4.
This section contains the following information on QoS traffic policing:
• “Introduction,” next
• “QoS and configuring filters” on page 9
• “Configuring using the Web-based management system” on page 9

Introduction

The BPS 2000 switch can interoperate with the Nortel Networks Optivity* Policy Server using Common Open Policy Services (COPS). For information about Optivity, go to the www.nortelnetworks.com/documentation URL and find the product for which you need documentation.
QoS and configuring filters

You can install filters that act on traffic destined for the switch itself, such as ICMP Echo Requests (ping) and SNMP messages. If the associated action is drop, you can lock yourself out of the switch's own management interfaces. One exception: traffic destined for the switch that is received on a port of the base unit of a stack is not dropped, even if filters that match the traffic are installed with a drop action.
Note: After you configure an IP filter, the screen may return the message "Submit Failed!". Double-check that you have entered the Destination Address Mask and the Source Address Mask correctly. The Address Mask specifies the portion of the address that is compared to decide whether a packet meets the filter criteria; it is not a subnet mask. If you specify a subnet address, ensure that the host portion of the address is 0.
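The following Python is an added example written for these notes; it is not Nortel code and does not reproduce the switch's filter implementation. It models the two points above: an Address Mask selects the bits of the address that are compared (so an address with non-zero bits outside its mask is rejected, the way the Submit Failed! note describes), and a drop filter that matches ICMP echo or SNMP traffic addressed to the switch's management IP would lock the administrator out. The filter field set, the protocol and port modelling, and the function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_int(dotted: str) -> int:
    """Dotted IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class IPFilter:
    """One IP filter as entered on the filter page (field set is an assumption)."""
    name: str
    dst_addr: str
    dst_mask: str          # Address Mask: bits that are compared; not a subnet mask
    src_addr: str
    src_mask: str
    protocol: Optional[int] = None   # IP protocol number (1 ICMP, 17 UDP); None = any
    dst_port: Optional[int] = None   # UDP/TCP destination port; None = any
    action: str = "drop"             # "drop" or "pass"; names chosen for the example

    def validate(self) -> None:
        """Model the 'Submit Failed!' note: the host portion (bits outside the
        mask) of each address must be zero. Assumed to be the UI's check."""
        for label, addr, mask in (("Destination", self.dst_addr, self.dst_mask),
                                  ("Source", self.src_addr, self.src_mask)):
            outside_mask = ip_int(addr) & (~ip_int(mask) & 0xFFFFFFFF)
            if outside_mask:
                raise ValueError(
                    f"Submit Failed! {label} address {addr} has non-zero bits "
                    f"outside Address Mask {mask}")

    def matches(self, dst: str, src: str, protocol: int,
                dst_port: Optional[int]) -> bool:
        """Compare only the address bits selected by each Address Mask."""
        dm, sm = ip_int(self.dst_mask), ip_int(self.src_mask)
        if (ip_int(dst) & dm) != (ip_int(self.dst_addr) & dm):
            return False
        if (ip_int(src) & sm) != (ip_int(self.src_addr) & sm):
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


# Constructed list of the management traffic the note says filters can catch.
MANAGEMENT_TRAFFIC = [
    ("ICMP Echo Request (ping)", 1, None),
    ("SNMP", 17, 161),
]


def lockout_risk(filt: IPFilter, switch_ip: str, admin_ip: str) -> List[str]:
    """Validate the filter, then list the management traffic types from admin_ip
    to the switch's own address that a drop action would discard. A non-empty
    result means the filter can lock the administrator out (traffic arriving on
    a base-unit port of a stack is exempt, per the notes, and is not modelled)."""
    filt.validate()
    if filt.action != "drop":
        return []
    return [name for name, proto, port in MANAGEMENT_TRAFFIC
            if filt.matches(switch_ip, admin_ip, proto, port)]
```

Run lockout_risk against every drop filter before you submit it, with the switch's management address and the address you administer it from; anything it returns is traffic you will lose once the filter is installed, unless you are connected through a base-unit port.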
6 Choose Application > QoS > QoS Advanced > Meter.
Note: You cannot edit Meters. To change a Meter, you must first delete the current Meter and then create the one you want.
The Meter page opens (Figure 1).
Figure 1 Meter page
7 In the Meter Creation area, create the traffic policing meters.
Table 1 describes the fields in the Meter Creation area, which you use to set new meters.
Table 1 Meter Creation fields
Name: Enter the name for the meter (filter) you are creating.
Data Specification: Choose from the list to install a filter with:
• No Meter Data
• Metered Data
NOTE: When you choose No Meter Data, do not complete the Committed Rate, Committed Burst Size, or Out-Profile Action fields in the box.
Table 2 Meter Table fields (continued)
Committed Burst: Displays the number of bytes allowed to exceed the threshold set in the Committed Rate field for a brief period.
In-Profile Action: Displays the action (configured on the Actions page) that the switch takes on In-Profile traffic, that is, traffic within the Committed Rate.
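The following Python is an added example written for these notes, not Nortel code or a description of the switch's hardware metering. It shows how the Committed Rate, Committed Burst Size, In-Profile Action and Out-Profile Action fields combine as a single-rate token-bucket policer: traffic within the committed rate is in profile, a brief excess up to the committed burst is still in profile, and anything beyond that gets the out-of-profile action. The rate unit (kbit/s), the action names and the sample burst are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Meter:
    """A traffic policing meter with the fields from the Meter page. Token
    bucket state is kept in bits so the arithmetic stays exact."""
    name: str
    committed_rate_kbps: int              # Committed Rate; kbit/s is an assumption
    committed_burst_bytes: int            # Committed Burst Size, in bytes
    in_profile_action: str = "forward"    # action names chosen for the example
    out_profile_action: str = "drop"
    tokens_bits: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens_bits = self.committed_burst_bytes * 8   # bucket starts full

    def _refill(self, now_ms: int) -> None:
        # kbit/s multiplied by milliseconds is bits, so the refill is exact.
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.tokens_bits = min(self.committed_burst_bytes * 8,
                               self.tokens_bits + elapsed_ms * self.committed_rate_kbps)
        self.last_ms = now_ms

    def meter(self, pkt_len_bytes: int, now_ms: int) -> str:
        """Classify one packet: In-Profile if the bucket covers it (and debit
        the bucket), otherwise Out-Profile. Returns the configured action."""
        self._refill(now_ms)
        need = pkt_len_bytes * 8
        if need <= self.tokens_bits:
            self.tokens_bits -= need
            return self.in_profile_action
        return self.out_profile_action


def police(meter: Meter, packets: List[Tuple[int, int]]) -> Tuple[int, int, List[str]]:
    """Run (arrival_ms, length_bytes) packets through the meter in order and
    return (in_profile_count, out_profile_count, per-packet actions)."""
    actions = [meter.meter(length, ts) for ts, length in packets]
    in_count = sum(1 for a in actions if a == meter.in_profile_action)
    return in_count, len(actions) - in_count, actions


def sample_meter() -> Meter:
    """Constructed example: 1 Mbit/s committed rate (125 bytes per ms) and a
    single 1500-byte frame of committed burst."""
    return Meter("web-servers", committed_rate_kbps=1000, committed_burst_bytes=1500)


# Constructed burst: five 1500-byte frames. The second and fourth arrive only
# 1 ms after a frame that emptied the bucket, so they fall out of profile.
SAMPLE_BURST = [(0, 1500), (1, 1500), (12, 1500), (13, 1500), (50, 1500)]

if __name__ == "__main__":
    print(police(sample_meter(), SAMPLE_BURST))
```

Note that a packet larger than the Committed Burst Size can never be in profile, however idle the link has been: size the burst to at least one maximum frame for the traffic you meter.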
Figure 2 Policies page
12 In the Policy Creation area, create the policy for each traffic policing filter.
Table 3 describes the fields in the Policy Creation area, which you use to set new policies.
Table 3 Policy Creation fields
Policy Name: Enter the name for the policy you are creating.
Table 3 Policy Creation fields (continued)
Order: Specify the order of precedence among the filter groups.
Meter: Choose the name of the filter group for which you are creating the metering policy. (You named this filter group on the Meter page.)
13 View the policies you previously created in the Policy Table.
14 Click Submit.
EAP allows the exchange of authentication information between any end station or server connected to the switch and an authentication server (such as a RADIUS server). The EAPOL-based security feature operates in conjunction with a RADIUS-based server to extend the benefits of remote authentication to internal LAN clients.
Figure 3 EAPOL-based security (1 of 2)
[Flowchart: 1 Switch requests user ID from the new client PC; 2 Switch forwards user ID to the RADIUS server; 3 RADIUS server issues a password request.]
Figure 4 EAPOL-based security (2 of 2)
[Flowchart: 4 Switch forwards the encrypted password to the RADIUS server; 5 RADIUS server validates the password; 6 Access to the network approved; the client accesses the network.]

Overview and terms

This section provides a
Some components of EAPOL-based security are:
• Supplicant: the device applying for access to the network.
• Authenticator: software with the sole purpose of authorizing a supplicant that is attached to the other end of a LAN segment.
• Authentication Server: a RADIUS server that provides authorization services to the Authenticator.
• Port Access Entity (PAE): a software entity associated with each port that supports the Authenticator or Supplicant functionality.
The Operational Traffic Control field can have one of the following two values:
• Incoming and Outgoing: if the controlled port is unauthorized, frames are not transmitted through the port and all frames received on the controlled port are discarded. The controlled port's state is set to Blocking.
• Incoming: if the controlled port is unauthorized, frames received on the port are discarded, but transmit frames are forwarded through the port.
Setting up the Authentication server This section describes how to set up your Authentication server (RADIUS server) for EAPOL dynamic VLAN assignments. The Authentication server allows you to configure user-specific settings for VLAN memberships and port priority.
Figure 5 Authentication process flowchart (1 of 2)
[Flowchart] Login screen. Authentication successful? No: Access denied. See System Administrator. Yes: Authentication server sent VLAN ID? No: switch restores VLAN ID and PVID values from NVRAM (continue at A). Yes: Does VLAN exist? No: switch sets VLAN ID and PVID values to VLAN 1 (continue at A). Yes: Port-based VLAN? If yes, switch sets VLAN ID and PVID values to the preconfigured values stored in the Authentication server (continue at A).
Figure 6 Authentication process flowchart (2 of 2)
[Flowchart, from A] Authentication server sent Port Priority value? No: switch restores Port Priority value from NVRAM. Yes: Is the Port Priority value in the range 0 to 7? No: switch sets Port Priority value to 0. Yes: switch sets Port Priority value to the preconfigured value stored in the Authentication server.
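The two flowcharts above describe a decision procedure; the Python below is an added example (not Nortel code) that implements it end to end so the fallback cases can be checked against a constructed VLAN table. The dictionary keys vlan_id and port_priority, the hypothetical NVRAM values, and the handling of a VLAN that exists but is not port-based (treated here like a non-existent VLAN) are assumptions, since the notes do not spell out those details or name the RADIUS attributes that carry the values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PortSettings:
    """Per-port values the flowcharts set: VLAN ID, PVID and Port Priority."""
    vlan_id: int
    pvid: int
    port_priority: int


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    port_based: bool     # the flowchart only accepts a Port-Based VLAN


def apply_authentication(auth_ok: bool, radius_reply: Dict[str, int],
                         nvram: PortSettings, vlans: Dict[int, Vlan]
                         ) -> Tuple[bool, Optional[PortSettings]]:
    """Follow Figures 5 and 6 for one login attempt.

    radius_reply carries the optional 'vlan_id' and 'port_priority' values the
    Authentication server may send (their RADIUS encoding is not modelled;
    the key names are an assumption). nvram holds the port's stored settings;
    vlans is the switch's configured VLAN table.
    """
    if not auth_ok:
        return False, None                   # Access denied. See System Administrator.

    # Figure 5: VLAN ID and PVID
    sent_vlan = radius_reply.get("vlan_id")
    if sent_vlan is None:
        vlan_id, pvid = nvram.vlan_id, nvram.pvid          # restore from NVRAM
    else:
        vlan = vlans.get(sent_vlan)
        if vlan is None:
            vlan_id = pvid = 1                              # VLAN does not exist
        elif not vlan.port_based:
            # Assumption: the Port-based VLAN "No" branch is modelled as the
            # same fallback to VLAN 1 as a non-existent VLAN.
            vlan_id = pvid = 1
        else:
            vlan_id = pvid = sent_vlan                      # values from the server

    # Figure 6: Port Priority
    sent_prio = radius_reply.get("port_priority")
    if sent_prio is None:
        prio = nvram.port_priority                          # restore from NVRAM
    elif 0 <= sent_prio <= 7:
        prio = sent_prio
    else:
        prio = 0                                            # outside range 0 to 7

    return True, PortSettings(vlan_id, pvid, prio)


# Constructed switch state for a worked run.
SWITCH_VLANS = {1: Vlan(1, True), 20: Vlan(20, True), 30: Vlan(30, False)}
NVRAM = PortSettings(vlan_id=5, pvid=5, port_priority=3)
```

The operational point the code makes explicit: a successful authentication whose VLAN ID is unknown to the switch lands the user in VLAN 1, not in a quarantine, so every VLAN the Authentication server can hand out must already exist on the switch as a port-based VLAN.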
EAPOL-based security configuration rules

The following configuration rules apply to your BPS 2000 when using EAPOL-based security:
• Before configuring your switch, you must configure the Primary RADIUS Server and Shared Secret fields.
Configuring EAPOL using CI menus The EAPOL Security Configuration screen (Figure 7) allows you to selectively limit access to the switch based on an authentication mechanism that uses Extensible Authentication Protocol (EAP) to exchange authentication information between the switch and an authentication server. Note: Before you use the EAPOL Security Configuration screen, you must configure your Primary RADIUS Server and RADIUS Shared Secret.
Figure 7 EAPOL security configuration screen
EAPOL Security Configuration
EAPOL Administrative State: [ Disabled ]
Unit: [ 1 ]
Port: [ 1 ]
Initialize: [ No ]
Administrative Status: [ Force Authorized ]
Operational Status: Authorized
Administrative Traffic Control: [ Incoming and Outgoing ]
Operational Traffic Control: Incoming and Outgoing
Re-Authenticate Now: [ ]
Re-Authentication: [ ]
Re-Authentication Period: [ ]
Quiet Period: [ ]
Transmit Period: [ ]
Supplicant Timeout: [ ]
Server Timeout: [ ]
Maximum Requests: [ ]
Table 4 EAPOL security configuration screen options (continued)
Port: Allows you to select a port of the specified unit (see the preceding Unit field) to view or configure. To view or configure another port, type its port number and press [Enter], or press the spacebar to toggle through the port numbers. If you set this field to All, other screen field values you modify apply to all ports of the specified unit.
Table 4 EAPOL security configuration screen options (continued)
Operational Traffic Control: A read-only field that indicates the traffic control configuration currently in effect for the specified unit/port (see the preceding field description). This read-only field does not appear when the Unit/Port field value is set to All.
Table 4 EAPOL security configuration screen options (continued)
Maximum Requests: Allows you to specify the number of times the switch attempts to resend EAP packets to a supplicant.
Default: 2 attempts
Range: 1 to 10 attempts

Configuring EAPOL using JDM

You can configure the BPS 2000 for EAPOL using Java Device Manager (JDM). Additionally, you can view the statistics for running EAPOL and for the diagnostics.
Figure 8 System tab
2 In the EAPOL Security area, in the SystemAuthControl field, click enabled to enable port access control in the system.
3 Select the port you want to edit. Do one of the following:
• Double-click the selected port.
• From the shortcut menu (right-click), choose Edit.
• From the Device Manager main menu, choose Edit > Port.
• On the toolbar, click Edit.
The Port dialog box for a single port opens with the Interface tab displayed.
4 Click the EAPOL tab. The EAPOL tab opens (Figure 9).
Table 5 describes the EAPOL tab items for a single port.
Table 5 EAPOL tab items for a single port
PortProtocolVersion: The EAP protocol version that is running on this port.
PortCapabilities: The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable(0).
PortInitialize: Setting this attribute to True causes this port's EAPOL state to be initialized.
PortReauthenticate: Setting this attribute to True causes the reauthentication of the client.
Table 5 EAPOL tab items for a single port (continued)
LastEapolFrameVersion: The protocol version number carried in the most recently received EAPOL frame.
LastEapolFrameSource: The source MAC address carried in the most recently received EAPOL frame.
The EAPOL Stats tab shows EAPOL statistics for graphing ports. To open the EAPOL Stats tab for graphing:
1 Select the port or ports you want to graph. [Ctrl]+left-click the ports that you want to configure.
Figure 10 EAPOL Stats tab for graphing ports
Table 6 describes the EAPOL Stats tab fields for graphing ports.
Table 6 EAPOL Stats tab fields for graphing ports
EapolFramesRx: The number of valid EAPOL frames of any type that have been received by this authenticator.
EapolFramesTx: The number of EAPOL frames of any type that have been transmitted by this authenticator.
EapolStartFramesRx: The number of EAPOL-Start frames that have been received by this authenticator.
Table 6 EAPOL Stats tab fields for graphing ports (continued)
InvalidEapolFramesRx: The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
EapLengthErrorFramesRx: The number of EAPOL frames that have been received by this authenticator in which the packet body length field is not valid.
The EAPOL Diag tab shows EAPOL diagnostic information for graphing ports.
Figure 11 EAPOL Diag tab
Table 7 describes the EAPOL Diag tab fields for graphing ports.
Table 7 EAPOL Diag tab fields for graphing ports
EntersConnecting: Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state.
EapLogoffsWhileConnecting: Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Disconnected as a result of receiving an EAPOL-Logoff message.
Table 7 EAPOL Diag tab fields for graphing ports (continued)
AuthTimeoutsWhileAuthenticating: Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend Authentication state machine indicating an authentication timeout.
Table 7 EAPOL Diag tab fields for graphing ports (continued)
BackendNonNakResponsesFromSupplicant: Counts the number of times that the Backend Authentication state machine receives a response from the supplicant to an initial EAP request and the response is something other than EAP-NAK.
BackendAuthSuccesses: Counts the number of times that the Backend Authentication state machine receives an EAP-Success message from the Authentication server.
Figure 12 EAPOL tab for multiple ports
Table 8 describes the EAPOL tab fields for multiple ports.
Table 8 EAPOL tab fields for multiple ports
Index: Displays the unique value assigned to each interface.
PortProtocolVersion: The EAP protocol version that is running on this port.
PortCapabilities: The PAE functionality that is implemented on this port. Always returns dot1xPaePortAuthCapable(0).
Table 8 EAPOL tab fields for multiple ports (continued)
ServerTimeout: Time to wait for a response from the RADIUS server.
MaxReq: Number of times to retry sending packets to the supplicant.
ReAuthPeriod: Time interval between successive re-authentications.
ReAuthEnabled: Whether to re-authenticate or not. Setting this object to Enabled causes reauthentication of the existing supplicant at the time interval specified in the Re-authentication Period field.
Figure 13 EAPOL Security Configuration page (1 of 2)
Figure 14 EAPOL Security Configuration page (2 of 2)
Table 9 describes the fields on the EAPOL Security Configuration page.
Table 9 EAPOL Security Configuration page fields
EAPOL Administrative State: Enables or disables EAPOL-based security.
Port: Displays the port number.
Initialize: Choosing Yes from the list activates the EAPOL state on this port.
Table 9 EAPOL Security Configuration page fields (continued)
Administrative Traffic Control: Allows you to set EAPOL authentication either for incoming and outgoing traffic or for incoming traffic only:
• In & Out: incoming and outgoing traffic
• In Only: incoming traffic only
Operational Traffic Control: Displays the traffic control setting currently in effect on the port.
Support for the GBIC MDA

The BPS 2000 software version 1.1 supports the Gigabit Interface Converter (GBIC) MDA. This MDA, the BayStack 450-1GBIC MDA, provides only two priority queues. The BayStack 450-1GBIC MDA supports the following GBICs:
• 1000BASE-SX: this GBIC uses shortwave 850 nm fiber optic connectors to connect devices over multimode (550 m or 1,805 ft) fiber optic cable.
• 1000BASE-LX: this GBIC uses longwave 1,300 nm fiber optic connectors to connect devices over single mode (5 km or 3.
Introduction

In earlier software releases, after setting a VLAN ID the user also had to configure the port VLAN ID (PVID) manually. In software version 1.1, AutoPVID sets the PVID automatically when you configure a port-based VLAN; the PVID takes the same value as the VLAN ID. The user can still change the PVID value manually. The default setting for AutoPVID is Off; you must enable this feature.
In Figure 15 the ports have the following PVID/VLAN associations:
• Ports 8, 6, and 11 are untagged members of VLAN 1. The PVID/VLAN association for ports 6 and 11 is PVID = 1.
• Ports 2, 4, 10, and 8 are untagged members of VLAN 2. The PVID/VLAN association for ports 2, 4, and 10 is PVID = 2.
• Ports 2, 4, 10, 8, 6, and 11 are untagged members of VLAN 3. The PVID/VLAN association for port 8 is PVID = 3.
Figure 16 Default VLAN configuration screen example
VLAN Configuration
Create VLAN: [ 1 ]
Delete VLAN: [ ]
VLAN Name: [ VLAN #1 ]
Management VLAN: [ Yes ]
VLAN Type: [ Port-Based ]
Protocol Id (PID): [ None ]
User-Defined PID: [ 0x0000 ]
VLAN State: [ Active ]
Port Membership
          1-6     7-12
Unit #1   UUUUUU  UUUUUU
KEY: T = Tagged Port Member, U = Untagged Port Member, - = Not a Member of VLAN
Use space bar to display choices, press <Return> or <Enter> to select choice.
Figure 17 VLAN configuration screen example
VLAN Configuration
Create VLAN: [ 3 ]
Delete VLAN: [ ]
VLAN Name: [ Mary’s VLAN ]
Management VLAN: [ Yes ]
VLAN Type: [ Port-Based ]
Protocol Id (PID): [ None ]
User-Defined PID: [ 0x0000 ]
VLAN State: [ Active ]
Port Membership
          1-6     7-12
Unit #1   -U-U-U  -U-UU-
KEY: T = Tagged Port Member, U = Untagged Port Member, - = Not a Member of VLAN
Use space bar to display choices, press <Return> or <Enter> to select choice.
Figure 18 Default VLAN port configuration screen example
VLAN Port Configuration
Unit: [ 1 ]
Port: [ 1 ]
Filter Tagged Frames: [ No ]
Filter Untagged Frames: [ No ]
Filter Unregistered Frames: [ No ]
Port Name: [ Unit 1, Port 1 ]
PVID: [ 1 ]
Port Priority: [ 0 ]
Tagging: [ Untagged Access ]
AutoPVID (all ports): [ Disabled ]
Use space bar to display choices, press <Return> or <Enter> to select choice.
Press Ctrl-R to return to previous menu. Press Ctrl-C to return to Main Menu.
Figure 19 VLAN port configuration screen example
VLAN Port Configuration
Unit: [ 1 ]
Port: [ 8 ]
Filter Tagged Frames: [ No ]
Filter Untagged Frames: [ No ]
Filter Unregistered Frames: [ No ]
Port Name: [ Molly’s port ]
PVID: [ 3 ]
Port Priority: [ 0 ]
Tagging: [ Untagged Access ]
AutoPVID (all ports): [ Disabled ]
Use space bar to display choices, press <Return> or <Enter> to select choice.
Press Ctrl-R to return to previous menu. Press Ctrl-C to return to Main Menu.
Figure 20 VLAN Configuration page
2 Choose Enabled from the AutoPVID list in the AutoPVID Setting area.
3 Click Submit.
4 To view the PVID value by port, choose Application > VLAN > Port Information. The Port Information page opens (Figure 21) and displays the PVID value for the selected port.
Figure 21 Port Information page
a To view the information for other ports, choose the desired port from the Unit and Port lists.
b Click Submit.
5 To manually change the PVID value of a port, choose Application > VLAN > Port Configuration. The Port Configuration page opens (Figure 22).
Figure 22 Port Configuration page
a Enter the PVID value you want in the box for that port.
b Click Submit.
Tabular port statistics

With software version 1.1, you can view all ports in the entire stack that have an error. If a particular port has no errors, it is not displayed. To view a summary of the port errors for the BPS 2000:
1 From the main menu of the Business Policy Switch 2000 Web-based management system, choose Statistics > Port Error Summary. The Port Error Summary page opens (Figure 23).
Table 10 Port Error Summary Table fields (continued)
Link: Displays the link status of the port (Up/Down).
Speed/Duplex: Displays the speed at which the port is operating and whether it is in half- or full-duplex mode.
Frame Errors: Displays the number of frame errors received on this port.
FCS Errors: Displays the number of frame check sequence (FCS) errors received on this port.
Late Collisions: Displays the number of late collision errors received on this port.
To set this feature:
1 Open the Main Menu of the BPS 2000.
2 Choose Switch Configuration > Stack Operational Mode. The menu contains the following new option:
Stack BootP Mac Address Type: [ Stack Mac Address ] or [ Base Unit Mac Address ]
Toggle between the two choices using the space bar.
3 Press Enter.
The chosen setting is saved even when the stack is reset; the default setting is Stack Mac Address. You cannot choose Base Unit Mac Address when the Stack Operational Mode is Hybrid Stack.
To access the Web-based management system using JDM, do one of the following:
• Choose Actions > Open Home Page.
• Click the globe icon on the toolbar (Figure 24).
Figure 24 JDM toolbar
The System Information page opens (Figure 25).
Additional Java security

When you choose Summary > Switch View from the Main Menu, a Java Security window opens (Figure 26).
Figure 26 Java Security window
Click Grant to open the Switch View page. To avoid having the Java Security window open again within a session, check the Remember this decision box. However, when you reset the switch, the Java Security window opens again.

MAC address-based security

BPS 2000 software version 1.
To configure MAC address-based security using the Web-based management system:
1 From the main menu of the Business Policy Switch 2000 Web-based management system, choose Application > MAC Address Security > Security Configuration. The MAC Address Security Configuration page opens (Figure 27).
Figure 27 MAC Address Security Configuration page
2 In the MAC Address Security Setting area, choose Enabled in the MAC Address Security list and click Submit.
If you want to isolate the intruding node, choose Enabled in the DA Filtering on Intrusion Detected list and click Submit. If you want an SNMP trap on intrusion, choose Enabled in the Generate SNMP Trap on Intrusion list.
3 Go to the MAC Address Security Port Lists page (Figure 28) and use the Action tab to configure each desired entry.
Figure 28 MAC Address Security Port Lists page
4 When you click the Action icon, the Ports List View, Port List page opens (Figure 29).
Figure 29 MAC Address Security Port List View, Port List page
c Set the selected port to security enabled by clicking the box under the port. To disable security, click the check mark that appears in the box; the check mark disappears. To have the entry available but without any ports, click the box under None.
d Click Submit.
5 Return to the Security Configuration page (Figure 27) and click the Action icon in the Learn by Ports section.
Figure 30 MAC Address Security Port List View, Learn by Ports page
a Use this page to add a specified port to, or remove it from, the list of ports through which MAC addresses are learned. To add a port, click the box under the port number. To delete a port, click the check mark in the box under the port. If you do not wish to add any ports, click the box under None.
b Click Submit. The Security Configuration page (Figure 27) opens.
Figure 31 MAC Address Security Table page
a Wait until the required addresses are learned.
b The MAC Address Security Table displays the addresses and the allowed source for each address.
8 To add a MAC address, in the MAC Address Security Table Entry Creation area:
a Enter the MAC address to which you want to allow access.
b To specify the entry through which the MAC address is allowed, either enter the unit/port number or choose the entry from the list.
c Click Submit.
9 To clear the information collected so far on the selected ports, return to the Security Configuration page (Figure 27) and click the Action icon in the Clear by Ports line in the MAC Security Table section, at the bottom of the Security Configuration page. The Ports List View, Clear by Ports page (Figure 32) opens.
Figure 32 MAC Address Port List View, Clear By Ports page
a Deselect the ports and click Submit. The Security Configuration page (Figure 27) opens.
Figure 33 MAC Address Security Port Configuration page 11 Set the security values for all desired ports to Enabled and click Submit. The Port Configuration page also displays the Trunk Group membership for each port, if applicable.
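As an added example (not Nortel code), the Python below models the MAC address-based security configured in steps 1 to 11: learning through the Learn by Ports list, enforcing on ports whose security value is Enabled, isolating an intruding node when DA Filtering on Intrusion Detected is on, recording the SNMP trap, and clearing learned entries by port. The frame representation, the interpretation of DA filtering as dropping frames addressed to the intruder, the unit/port naming and the trap representation are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    """Constructed Ethernet frame header: ingress unit/port and MAC addresses."""
    port: str          # unit/port, e.g. "1/8" (naming is an assumption)
    src_mac: str
    dst_mac: str


@dataclass
class MacSecurity:
    """State behind the MAC Address Security pages used in the steps above."""
    enabled: bool = False                    # MAC Address Security setting
    da_filter_on_intrusion: bool = False     # DA Filtering on Intrusion Detected
    trap_on_intrusion: bool = False          # Generate SNMP Trap on Intrusion
    secure_ports: Set[str] = field(default_factory=set)   # ports set to Enabled (step 11)
    learn_ports: Set[str] = field(default_factory=set)    # Learn by Ports list
    allowed: Dict[str, Set[str]] = field(default_factory=dict)  # MAC -> allowed source ports
    da_filtered: Set[str] = field(default_factory=set)    # isolated intruder MACs
    traps: List[Tuple[str, str]] = field(default_factory=list)  # (port, MAC) trap records

    def add_entry(self, mac: str, port: str) -> None:
        """MAC Address Security Table Entry Creation: allow mac on port."""
        self.allowed.setdefault(mac.lower(), set()).add(port)

    def clear_by_ports(self, ports: List[str]) -> None:
        """Clear by Ports: forget what was learned or entered for these ports."""
        for mac in list(self.allowed):
            self.allowed[mac] -= set(ports)
            if not self.allowed[mac]:
                del self.allowed[mac]

    def process(self, f: Frame) -> str:
        """Decide one frame's fate: 'forward', 'learned' or 'drop:<reason>'."""
        if not self.enabled:
            return "forward"
        src, dst = f.src_mac.lower(), f.dst_mac.lower()
        if dst in self.da_filtered:
            return "drop:da-filtered"          # nobody may reach an isolated intruder
        if f.port in self.learn_ports:
            is_new = f.port not in self.allowed.get(src, set())
            self.add_entry(src, f.port)
            return "learned" if is_new else "forward"
        if f.port in self.secure_ports and f.port not in self.allowed.get(src, set()):
            if self.da_filter_on_intrusion:
                self.da_filtered.add(src)      # isolate the intruding node
            if self.trap_on_intrusion:
                self.traps.append((f.port, src))
            return "drop:intrusion"
        return "forward"


def run_scenario() -> List[str]:
    """Walk the procedure: learn on 1/8, then enable security on 1/8, see an
    unknown station on 1/8 dropped and isolated, then clear 1/8 and retry."""
    sec = MacSecurity(enabled=True, da_filter_on_intrusion=True,
                      trap_on_intrusion=True, learn_ports={"1/8"})
    known, intruder, server = "00:11:22:33:44:55", "00:de:ad:be:ef:01", "00:aa:bb:cc:dd:ee"
    out = [sec.process(Frame("1/8", known, "ff:ff:ff:ff:ff:ff"))]   # learned
    sec.learn_ports.clear()                 # learning finished; secure the port
    sec.secure_ports.add("1/8")
    out.append(sec.process(Frame("1/8", known, server)))           # forward
    out.append(sec.process(Frame("1/8", intruder, server)))        # drop:intrusion
    out.append(sec.process(Frame("1/2", server, intruder)))        # drop:da-filtered
    sec.clear_by_ports(["1/8"])
    out.append(sec.process(Frame("1/8", known, server)))           # drop:intrusion
    return out
```

The last step of the scenario is the caveat to remember: Clear by Ports removes the learned entries for a port, so if that port is still set to Enabled, the previously legitimate station is treated as an intruder on its next frame.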
Resolved issues

The following issues were resolved in version 1.1:
• You can download BayStack* 410 and BayStack 450 software images (and diagnostics) using the Device Manager in a mixed stack environment with Business Policy Switches. When you use DM with a mixed stack and choose Edit > File System, you can specify the image for the BPS 2000, the image for the BayStack, or both, to download the software image(s).
• In a BPS 2000-only stack, the entire stack is reset to default values when you return the base unit to default values. (CR 145501-1)
• To disable a port that is part of a MultiLink Trunk (MLT) group, use either Java Device Manager (JDM) or the Console Interface (CI) management system menus (you can use the Telnet connection). With the Web-based management system, you may be unable to disable ports that are part of MLTs.
• Mixed stacks (hybrid stacks): to upgrade BayStack 410 and BayStack 450 software in a hybrid stack, the stack must be fully redundant. All cables in the stack must be installed and operating properly. If the cables are not installed properly, the BayStack units fail to upgrade, and the following message is displayed on consoles connected to BayStack 410 and BayStack 450 switches:
Primload Error - 2009
Switch will reset in 5 seconds...