|
Chapter 4: Remote Management HTTP and SNMPThe following methods may be used to determine a gateway's IP address if lost or forgotten. Note that oncedetermined, management communication with the unit may only be possible from a host configured to thesame IP subnet address if the unit's default router address is invalid.To manually discover a unit's IP address, unplug all LAN and BNC cables from the gateway and powercycle the unit. 30 seconds after powerup, the gateway will begin blinking out its IP address on the leftmostLED. Each digit is counted up as an orange blink with a pause between digits and a short blink for a 0. Adecimal in the IP address is indicated with a green blink. For example, orange>... would be an IP address that begins “20.”For those with access to packet sniffers, upon power-up, the gateway will broadcast several gratuitous ARPpackets on its network ports which can be examined with a sniffer or packet monitoring software todetermine a unit's IP address. The source Ethernet MAC address of such packets and E3Switch gateways is00:50:C2:6F:xx:xx. Tcpdump or Wireshark are two readily available software packages to examinenetwork packets.Additionally, examination of the MAC address table of an attached LAN switch or router may provide theIP address if the E3Switch MAC address prefix (00:50:C2:6F:xx:xx) can be located.Management PasswordsThe HTTP management statistics page is initially accessible without a password. The HTTP settings pageis initially modifiable within the first several minutes after powerup with username admin and no password.If the unit has not had its default password changed, after several minutes the settings page will be lockedfor security reasons. It is desirable to change the default password of the unit. For security reasons,changing the default password of the unit must be done within the first several minutes of any powerup. Ifthe HTTP management password is lost or forgotten, it may be reset by accessing the HTTP managementsettings within the first minute after powerup and with no BNC cables attached to the unit.SNMP statistics may initially be accessed using the read-only community name public. Write-communitynames and variable access authorization may be set through the HTTP management interface.SecurityPlease also refer to the password section above.HTTP Interface SecurityAccess to the HTTP management interface statistics and settings pages can be selectively limited to usersknowing the HTTP management password, which is transmitted securely on the network using MD5encoding. New values of management settings, or modifications of the administrator password are notencrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5authorized user or any information visible on a HTTP page.When logging out from any secure webpage, the browser window should always be closed! Browserstypically continue to send administrator credentials continuously even after apparent logout.SNMP SecurityThe gateway implements SNMPv2c, which is inherently an insecure protocol; however, the gatewayenhances security by implementing view-based access management (VACM), which can restrict read orwrite access to specific management settings and statistics. When shipped, the gateway allows read accessto “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allowdetermination of network topology or interfere with normal link traffic. The VACM configuration can beupdated through the HTTP management interface to meet the user's needs, and most SNMP variables canalso be set through the HTTP management interface in a more secure manner than SNMP allows.9
PreviousNext |