Ethernet

Ethernet is a data link layer (OSI layer 2) protocol used to interconnect computers. Ethernet interfaces connect network devices easily, since no complex configuration is required to bring a link up.

The operational command interfaces ethernet <value> show displays miscellaneous information about an Ethernet interface. In particular, interfaces ethernet <value> show physical lists the hardware details of the interface as reported by its driver: supported and advertised link modes, what the link partner advertises, the negotiated speed and duplex, and so on.

Example:

admin@osdx$ interfaces ethernet eth1 show physical
Settings for eth1:
        Supported ports: [ TP    MII     FIBRE ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
                                1000baseX/Full
        Supported pause frame use: Symmetric Receive-only
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
                                1000baseX/Full
        Advertised pause frame use: Symmetric Receive-only
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                            100baseT/Half 100baseT/Full
                                            1000baseT/Full
        Link partner advertised pause frame use: No
        Link partner advertised auto-negotiation: Yes
        Link partner advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Auto-negotiation: on
        master-slave cfg: preferred slave
        master-slave status: slave
        Port: Twisted Pair
        PHYAD: 5
        Transceiver: external
        MDI-X: Unknown
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00007fff (32767)
                              drv probe link timer ifdown ifup rx_err tx_err tx_queued intr tx_done rx_status pktdata hw wol
        Link detected: yes
driver: fsl_dpa
version: 6.1.55
firmware-version: 0
expansion-rom-version:
bus-info: soc:fsl,dpaa
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no

The operational command interfaces ethernet <value> show statistics prints the driver-level counters of the interface, which are more detailed than the generic interface counters. In the example below the output is filtered to the frame counters:

Example:

admin@osdx$ interfaces ethernet eth1 show statistics | grep frames
  rx valid pause frames: 0
  rx unicast frames: 0
  rx multicast frames: 57726
  rx broadcast frames: 0
  rx total frames: 57726
  tx valid pause frames: 0
  tx unicast frames: 0
  tx multicast frames: 7
  tx broadcast frames: 0
  tx total frames: 7
  bmi rx frames: 18
  bmi rx bad frames: 0
  bmi rx large frames: 0
  bmi rx filter frames: 0
  bmi rx frames list dma errors: 0
  bmi tx frames: 7

802.1x

IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It belongs to the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices that wish to connect to a LAN or WLAN.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

The authentication server is a trusted server (usually a RADIUS server) that receives and answers requests for network access and tells the authenticator whether the connection is to be allowed.

The supplicant is the client device that wishes to connect to the LAN, while the authenticator is the network device that provides the data link between the client and the network and allows or blocks traffic between the two. In OSDx, both the supplicant and the authenticator roles can be configured on Ethernet interfaces, as described in the following sections.

Supplicant

The supplicant is a client device that wishes to connect to the LAN. In OSDx, an Ethernet supplicant end-point can be configured by entering the following commands:

set interfaces ethernet <ethX> 802.1x supplicant username <name>
set interfaces ethernet <ethX> 802.1x supplicant password <password>

Here, you can find more examples.

Authenticator

The authenticator is a network device that provides a data link between the client and the network, allowing or blocking network traffic between the two.

In OSDx, an Ethernet authenticator end-point can be configured via AAA lists:

set interfaces ethernet <ethX> 802.1x authenticator aaa authentication <AAA list>
set interfaces ethernet <ethX> 802.1x authenticator aaa accounting <AAA list>
set system aaa list <AAA list> method <priority> group radius <GROUP name>
set system aaa group radius <GROUP name> server <RAD server>
set system aaa server radius <RAD server> address <ip>
set system aaa server radius <RAD server> key <key>

The device itself may also act as the authentication server by means of a local EAP server, so that supplicants are authenticated against credentials stored on the authenticator. This can be configured by entering the following commands:

set interfaces ethernet <ethX> 802.1x authenticator eap-server username <name> password <password>
set interfaces ethernet <ethX> 802.1x authenticator eap-server x509 ca-cert <file>
set interfaces ethernet <ethX> 802.1x authenticator eap-server x509 dh-param <file>
set interfaces ethernet <ethX> 802.1x authenticator eap-server x509 server-cert <file>
set interfaces ethernet <ethX> 802.1x authenticator eap-server x509 server-key <file>
set system aaa list <AAA list> method <priority> local

Note

The local EAP server only supports the PEAP-MSCHAPv2 authentication method. MSCHAPv2 is only as strong as the TLS tunnel that PEAP wraps around it, so supplicants should be configured to validate the server certificate against the CA configured as ca-cert; a supplicant that accepts any certificate would hand its MSCHAPv2 exchange to a rogue authenticator, and the password could then be attacked offline.

Setting up a local method with lower priority than the remote server can be a good idea in scenarios where the authentication server might not be accessible. This would allow supplicants to authenticate against the authenticator using its local database (failover mechanism). Once the remote server becomes available, authentication would be performed using RADIUS again.
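As an added example that is not taken from the OSDx documentation, the commands above combined into one authenticator configuration on eth1, with RADIUS as the primary method and the local EAP server as the fallback. The interface name, list and group names, the server address 192.0.2.10 and the credential placeholders are assumed values, and it is assumed that the methods of an AAA list are tried in ascending order of their <priority> index, so that method 1 (RADIUS) is consulted before method 2 (local), which gives the local method the lower priority the failover scenario calls for.

```text
set interfaces ethernet eth1 802.1x authenticator aaa authentication DOT1X
set interfaces ethernet eth1 802.1x authenticator aaa accounting DOT1X
set system aaa server radius RAD1 address 192.0.2.10
set system aaa server radius RAD1 key <shared-secret>
set system aaa group radius RAD-GROUP server RAD1
set system aaa list DOT1X method 1 group radius RAD-GROUP
set system aaa list DOT1X method 2 local
set interfaces ethernet eth1 802.1x authenticator eap-server username fallback-user password <password>
set interfaces ethernet eth1 802.1x authenticator eap-server x509 ca-cert <file>
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-cert <file>
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-key <file>
set interfaces ethernet eth1 802.1x authenticator eap-server x509 dh-param <file>
```

The local user database is only consulted when the RADIUS group fails, so the fallback credentials deserve the same care as the RADIUS ones: a weak fallback password is reachable by anyone who can make the RADIUS server unreachable from the authenticator.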

Here you can find more information about AAA configuration.

Note

There is a configuration command to change the logging event level.

set interfaces ethernet <ethX> 802.1x authenticator log-level <warning / notice / info / debug>

Level notice is configured by default.

Re-authentication is enabled by default and automatically performed every hour. However, it can be customized using the following command:

set interfaces ethernet <ethX> 802.1x authenticator reauth-period <seconds>

The special value 0 disables re-authentication. With re-authentication disabled, a session whose credentials are later revoked on the authentication server stays authorized until the link goes down or the session is ended explicitly, for example through CoA.

802.1x supports authorization configuration using ACLs (Access Control Lists). There are two alternatives for using it:

  • Define one or more traffic policies and use aliases to reference them through the RADIUS Filter-ID attribute (see RFC2865 Section 5.11).

  • Send the ACL definition directly using the RADIUS NAS-Filter-Rule attribute (see RFC4849).

The first option requires the following configuration commands:

set interfaces ethernet <ethX> 802.1x authenticator aaa authorization acl-alias <RADIUS_alias> direction <in / out / both>
set interfaces ethernet <ethX> 802.1x authenticator aaa authorization acl-alias <RADIUS_alias> priority <very-high / high / low / very-low>
set interfaces ethernet <ethX> 802.1x authenticator aaa authorization acl-alias <RADIUS_alias> traffic-policy <traffic-policy>

Here you can find more information about traffic policies.

Optionally, CoA (Change of Authorization) can be enabled and the following parameters can be configured:

set interfaces ethernet <ethX> 802.1x authenticator coa client <ip>
set interfaces ethernet <ethX> 802.1x authenticator coa client <port>
set interfaces ethernet <ethX> 802.1x authenticator coa secret <secret>

CoA messages can be used to de-authenticate users and to change the ACLs installed for existing sessions.
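The following Python script is an added example, not OSDx code or part of this documentation. It builds the RADIUS messages that carry the two authorization options above and the CoA messages used to change or end a session, so the exchange can be inspected offline: an Access-Accept with a Filter-Id naming an ACL alias, an Access-Accept with the ACL itself in NAS-Filter-Rule attributes (concatenated and NUL-separated as RFC 4849 requires, split over several attributes when the text exceeds 253 bytes), the Response Authenticator check an authenticator performs before installing anything from a reply, and a CoA-Request and Disconnect-Request with the RFC 5176 Request Authenticator derived from the CoA secret. The shared secrets, Request Authenticator, user names, alias names and ACL rules are constructed test values; the EAP-Message and Message-Authenticator attributes of a real 802.1X exchange are omitted, and the rule syntax is only illustrative, since the rule grammar a NAS accepts is product-specific.

```python
"""Added example (not OSDx code): the RADIUS messages that carry 802.1X
authorization (Filter-Id, NAS-Filter-Rule) and CoA. All values are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, COA_REQUEST, DISCONNECT_REQUEST = 2, 43, 40  # RFC 2865 / RFC 5176
USER_NAME, FILTER_ID, NAS_FILTER_RULE = 1, 11, 92           # RFC 2865 / RFC 4849

def encode_attrs(pairs):
    """Serialize (type, value) pairs as RADIUS TLVs; Length counts type+length+value."""
    out = b""
    for typ, val in pairs:
        if not 1 <= len(val) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def decode_attrs(data):
    """Parse TLVs; a Length below 3 or past the end is rejected so bad input cannot loop."""
    pairs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        pairs.append((typ, data[i + 2:i + length]))
        i += length
    return pairs

def nas_filter_rule_attrs(rules):
    """RFC 4849: each rule ends in NUL; the concatenated text is split into as many
    253-byte NAS-Filter-Rule attributes as needed, in order."""
    blob = b"".join(r.encode() + b"\x00" for r in rules)
    return [(NAS_FILTER_RULE, blob[i:i + 253]) for i in range(0, len(blob), 253)]

def nas_filter_rules(pairs):
    """Reassemble the text from every NAS-Filter-Rule occurrence, then split on NUL."""
    blob = b"".join(v for t, v in pairs if t == NAS_FILTER_RULE)
    return [r.decode() for r in blob.split(b"\x00") if r]

def filter_ids(pairs):
    """Filter-Id (RFC 2865 5.11) names an ACL the NAS already has, e.g. an acl-alias."""
    return [v.decode() for t, v in pairs if t == FILTER_ID]

def _packet(code, ident, seed, attrs, secret):
    """Authenticator field = MD5(Code+ID+Length+seed+Attributes+Secret); seed is the
    Request Authenticator for replies (RFC 2865 3) and 16 zero octets for
    CoA-Request / Disconnect-Request (RFC 5176 2.3)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + seed + attrs + secret).digest() + attrs

def _verify(pkt, seed, secret):
    head, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hmac.compare_digest(auth, hashlib.md5(head + seed + attrs + secret).digest())

def access_accept(ident, request_auth, attrs, secret):
    return _packet(ACCESS_ACCEPT, ident, request_auth, attrs, secret)

def verify_access_accept(pkt, request_auth, secret):
    """The check an authenticator must pass before installing anything from a reply."""
    return _verify(pkt, request_auth, secret)

def coa_request(code, ident, attrs, secret):
    """Only the shared CoA secret authenticates whoever sends these messages."""
    return _packet(code, ident, bytes(16), attrs, secret)

def verify_coa_request(pkt, secret):
    return _verify(pkt, bytes(16), secret)

# Constructed demo values (not from any real deployment); rule syntax is illustrative.
RADIUS_SECRET, COA_SECRET = b"constructed-radius-secret", b"constructed-coa-secret"
REQUEST_AUTH = bytes(range(16))  # would be copied from the matching Access-Request
RULES = ["permit in tcp from any to 10.0.0.5 443", "permit in ip from any to any"]

def demo():
    # Option 1: Filter-Id references an ACL alias configured on the authenticator.
    by_alias = access_accept(7, REQUEST_AUTH, encode_attrs(
        [(USER_NAME, b"alice"), (FILTER_ID, b"guest-acl")]), RADIUS_SECRET)
    # Option 2: the ACL itself travels in NAS-Filter-Rule attributes.
    by_rules = access_accept(8, REQUEST_AUTH, encode_attrs(
        [(USER_NAME, b"bob")] + nas_filter_rule_attrs(RULES)), RADIUS_SECRET)
    # Later the server swaps bob's ACL on the live session, then ends the session.
    coa = coa_request(COA_REQUEST, 9, encode_attrs(
        [(USER_NAME, b"bob"), (FILTER_ID, b"quarantine-acl")]), COA_SECRET)
    disc = coa_request(DISCONNECT_REQUEST, 10, encode_attrs([(USER_NAME, b"bob")]), COA_SECRET)
    return {
        "alias_ok": verify_access_accept(by_alias, REQUEST_AUTH, RADIUS_SECRET),
        "aliases": filter_ids(decode_attrs(by_alias[20:])),
        "rules_ok": verify_access_accept(by_rules, REQUEST_AUTH, RADIUS_SECRET),
        "rules": nas_filter_rules(decode_attrs(by_rules[20:])),
        "coa_ok": verify_coa_request(coa, COA_SECRET),
        "coa_forged": verify_coa_request(coa, b"guessed-secret"),  # wrong secret, rejected
        "disconnect_ok": verify_coa_request(disc, COA_SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

Running the script prints the verification results of the four messages. The coa_forged entry is the point to take from it: the CoA secret is the only thing that authenticates a message able to disconnect a session or replace its ACL, so it should be as strong as the RADIUS key and the CoA client address should be restricted to the authentication server.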

Here, you can find more examples.

Command Summary

Configuration commands

Operational commands