======== Ethernet ======== .. sidebar:: Contents .. contents:: :depth: 3 :local: Ethernet is a data-link control layer protocol used to interconnect computers. Ethernet interfaces can connect network devices easily, since no complex configuration is required. Operational command :osdx:op:`interfaces ethernet * show` can be used to display miscellaneous information about Ethernet interfaces. In particular, command :osdx:op:`interfaces ethernet * show physical` lists the hardware details of an interface, including supported link modes, speed, duplex, etc. *Example:* .. code-block:: none admin@osdx$ interfaces ethernet eth1 show physical Settings for eth1: Supported ports: [ TP MII FIBRE ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full 1000baseX/Full Supported pause frame use: Symmetric Receive-only Supports auto-negotiation: Yes Supported FEC modes: Not reported Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full 1000baseX/Full Advertised pause frame use: Symmetric Receive-only Advertised auto-negotiation: Yes Advertised FEC modes: Not reported Link partner advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Link partner advertised pause frame use: No Link partner advertised auto-negotiation: Yes Link partner advertised FEC modes: Not reported Speed: 1000Mb/s Duplex: Full Auto-negotiation: on master-slave cfg: preferred slave master-slave status: slave Port: Twisted Pair PHYAD: 5 Transceiver: external MDI-X: Unknown Supports Wake-on: d Wake-on: d Current message level: 0x00007fff (32767) drv probe link timer ifdown ifup rx_err tx_err tx_queued intr tx_done rx_status pktdata hw wol Link detected: yes driver: fsl_dpa version: 6.1.55 firmware-version: 0 expansion-rom-version: bus-info: soc:fsl,dpaa supports-statistics: yes supports-test: no supports-eeprom-access: no supports-register-dump: no supports-priv-flags: no Operational command :osdx:op:`interfaces ethernet * show statistics` outputs advanced statistics at driver level. *Example:* .. code-block:: none admin@osdx$ interfaces ethernet eth1 show statistics | grep frames rx valid pause frames: 0 rx unicast frames: 0 rx multicast frames: 57726 rx broadcast frames: 0 rx total frames: 57726 tx valid pause frames: 0 tx unicast frames: 0 tx multicast frames: 7 tx broadcast frames: 0 tx total frames: 7 bmi rx frames: 18 bmi rx bad frames: 0 bmi rx large frames: 0 bmi rx filter frames: 0 bmi rx frames list dma errors: 0 bmi tx frames: 7 802.1x ====== IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It belongs to the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices that wish to connect to a LAN or WLAN. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. In OSDx, both the supplicant and the authenticator end-points can be configured for Ethernet interfaces using the following commands: * :osdx:cfg:`interfaces ethernet * 802.1x supplicant` * :osdx:cfg:`interfaces ethernet * 802.1x authenticator` The authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is meant to be allowed. While the supplicant is a client device that wishes to connect to the LAN, the authenticator is a network device that provides a data link between the client and the network. It can allow or block network traffic between the two. Supplicant ---------- The supplicant is a client device that wishes to connect to the LAN. In OSDx, an Ethernet supplicant end-point can be configured by entering the following commands: .. code-block:: none set interfaces ethernet 802.1x supplicant username set interfaces ethernet 802.1x supplicant password :doc:`Here `, you can find more examples. Authenticator ------------- The authenticator is a network device that provides a data link between the client and the network, allowing or blocking network traffic between the two. In OSDx, an Ethernet authenticator end-point can be configured via AAA lists: .. code-block:: none set interfaces ethernet 802.1x authenticator aaa authentication set interfaces ethernet 802.1x authenticator aaa accounting set system aaa list method group radius set system aaa group radius server set system aaa server radius address set system aaa server radius key The device itself may act also as an authenticator. This can be configured by entering the following commands: .. code-block:: none set interfaces ethernet 802.1x authenticator eap-server username password set interfaces ethernet 802.1x authenticator eap-server x509 ca-cert set interfaces ethernet 802.1x authenticator eap-server x509 dh-param set interfaces ethernet 802.1x authenticator eap-server x509 server-cert set interfaces ethernet 802.1x authenticator eap-server x509 server-key set system aaa list method local .. note:: Local EAP server only supports PEAP-MSCHAPv2 authentication protocol. Setting up a **local method** with lower priority than the remote server can be a good idea in scenarios where the authentication server might not be accessible. This would allow supplicants to authenticate against the authenticator using its local database (failover mechanism). Once the remote server becomes available, authentication would be performed using RADIUS again. :doc:`Here <../../system/aaa/index>` you can find more information about ``AAA configuration``. .. note:: There is a configuration command to change the logging event level. .. code-block:: none set interfaces ethernet 802.1x authenticator log-level Level ``notice`` is configured by default. Re-authentication is enabled by default and automatically performed every hour. However, it can be customized using the following command: .. code-block:: none set interfaces ethernet 802.1x authenticator reauth-period Special value ``0`` can be used to disable re-authentication. 802.1x supports authorization configuration using ACLs (Access Control Lists). There are two alternatives for using it: * Define one or more traffic policies and use aliases to reference them through the RADIUS Filter-ID attribute (see `RFC2865 Section 5.11 `_). * Send the ACL definition directly using the RADIUS NAS-Filter-Rule attribute (see `RFC4829 `_). The first option requires the following configuration commands: .. code-block:: none set interfaces ethernet 802.1x authenticator aaa authorization acl-alias direction set interfaces ethernet 802.1x authenticator aaa authorization acl-alias priority set interfaces ethernet 802.1x authenticator aaa authorization acl-alias traffic-policy :doc:`Here <../../routing/traffic/policy/index>` you can find more information about ``traffic policies``. Optionally, CoA (Change of Authorization) can be enabled and the following parameters can be configured: .. code-block:: none set interfaces ethernet 802.1x authenticator coa client set interfaces ethernet 802.1x authenticator coa client set interfaces ethernet 802.1x authenticator coa secret CoA messages can be used to de-authenticate users and to change the ACLs installed for existing sessions. :doc:`Here `, you can find more examples. Command Summary =============== .. osdx:cmdtree:: cfg :maxdepth: 3 interfaces ethernet .. osdx:cmdtree:: op :maxdepth: 3 interfaces ethernet