ProLiant BL p-Class GbE2 Interconnect Switch Application Guide
Accessing the GbE2 Interconnect Switch 16
Secure access to the switch
Secure switch management is needed for environments that perform significant management functions across the
Internet. The following are some of the functions for secured management:
• Limiting management users to a specific IP address range. See the “Setting allowable source IP address
ranges” section in this chapter.
• Authentication and authorization of remote administrators. See the “RADIUS authentication and
authorization” section or the “TACACS+ authentication” section, both later in this chapter.
• Encryption of management information exchanged between the remote administrator and the switch. See
the “Secure Shell and Secure Copy” section later in this chapter.
Setting allowable source IP address ranges
To limit access to the GbE2 Interconnect Switch without having to configure filters for each switch port, you can
set a source IP address (or range) that will be allowed to connect to the GbE2 Interconnect Switch IP interface
through Telnet, SSH, SNMP, or the GbE2 Interconnect Switch browser-based interface (BBI).
When an IP packet reaches the application switch, the source IP address is checked against the range of
addresses defined by the management network and mask (mnet and mmask). If the source IP address of the host
or hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a GbE2 Interconnect
Switch IP interface with a source IP address outside this range is discarded.
Configuring an IP address range for the management network
Configure the management network IP address and mask from the System Menu in the CLI. For example:
>> Main# /cfg/sys/access/mgmt/add
Enter Management Network Address: 192.192.192.0
Enter Management Network Mask: 255.255.255.128
In this example, the management network is set to 192.192.192.0 and the management mask is set to
255.255.255.128. This defines the following range of allowed IP addresses: 192.192.192.1 to
192.192.192.127.
The following examples show which source IP addresses are granted access to the GbE2 Interconnect Switch:
• A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed
to access the GbE2 Interconnect Switch.
• A host with a source IP address of 192.192.192.192 falls outside the defined range and is not granted
access. To grant this host access, you would need either to move it to an IP address within the range
specified by the mnet and mmask, or to change the mnet to 192.192.192.128 and leave the mmask at
255.255.255.128. This would put the 192.192.192.192 host within the range allowed by the mnet and
mmask (192.192.192.128 to 192.192.192.255).
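The mnet/mmask check described above, modelled as an added Python example (not HP's code): it applies the switch's rule, source address AND mmask equals mnet AND mmask, so an administrator can predict which hosts a planned entry will admit, and catch a non-contiguous mask, before typing it into /cfg/sys/access/mgmt/add. The entry list and the helper names are this example's own.

```python
"""Model of the GbE2 management-network (mnet/mmask) source-IP check.

Added example, not HP's code. A packet whose source address matches any
configured (mnet, mmask) entry may attempt to log in over Telnet, SSH,
SNMP or the BBI; every other source is discarded by the switch.
"""
from typing import List, Tuple


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer, rejecting bad octets."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def validate_mask(mmask: str) -> int:
    """A management mask must be contiguous ones followed by zeros (e.g. 255.255.255.128)."""
    m = ip_to_int(mmask)
    inv = (~m) & 0xFFFFFFFF          # inverted mask must look like 2**k - 1
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous mask: {mmask}")
    return m


def allowed_range(mnet: str, mmask: str) -> Tuple[str, str]:
    """First and last address of the block an entry covers (the guide quotes the
    host addresses .1 to .127 of the .0/255.255.255.128 block)."""
    m = validate_mask(mmask)
    base = ip_to_int(mnet) & m
    return int_to_ip(base), int_to_ip(base | (~m & 0xFFFFFFFF))


def is_management_host(src_ip: str, entries: List[Tuple[str, str]]) -> bool:
    """True if src_ip falls inside any configured (mnet, mmask) entry."""
    src = ip_to_int(src_ip)
    for mnet, mmask in entries:
        m = validate_mask(mmask)
        if (src & m) == (ip_to_int(mnet) & m):
            return True
    return False
```

Running it against the guide's own figures: 192.192.192.21 is admitted by the (192.192.192.0, 255.255.255.128) entry, 192.192.192.192 is not, and changing mnet to 192.192.192.128 admits it.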
RADIUS authentication and authorization
The GbE2 Interconnect Switch supports the Remote Authentication Dial-in User Service (RADIUS) method to
authenticate and authorize remote administrators for managing the GbE2 Interconnect Switch. This method is
based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end
database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server
and database.
RADIUS authentication consists of the following components:
• A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request For
Comments (RFC) 2138 and 2866
• A centralized server that stores all the user authorization information
• A client, in this case, the GbE2 Interconnect Switch