Access Security Guide: ProCurve Switches W.14.03, 2910al (www.procurve.com)
HP ProCurve 2910al Switch, February 2009, W.14.03 Access Security Guide
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
Contents (only fragments of each contents page survived extraction; page numbers are chapter-page)
Product Documentation: About Your Switch Manual Set (xix); Printed Publications (xix); Electronic Publications
2 Configuring Username and Password Security: Contents (2-1); Overview; Disabling or Re-Enabling the Password Recovery Process (2-32); Password Recovery Process (2-34)
3 Web and MAC Authentication: Contents
4 TACACS+ Authentication: Contents (4-1); Viewing the Switch's Current TACACS+ ...; Overview
5: RADIUS-Administered CoS and Rate-Limiting (5-4); SNMP Access to the Switch's Authentication Configuration MIB (5-4); Terminology; General RADIUS Statistics (5-43); RADIUS Authentication Statistics (5-45); RADIUS Accounting Statistics
6: Configuring the Switch To Support RADIUS-Assigned ACLs (6-24); Displaying the Current RADIUS-Assigned ACL Activity; Causes of Client Deauthentication Immediately on the Switch
8 Configuring Secure Socket Layer (SSL): Contents (8-1); Overview; Steps for Configuring and Using SSL for Switch and Client
9: ACL Applications (9-14); What Is the Difference Between Network (or Subnet) ...; Rules for Defining a Match Between a Packet ...; Configuring Standard ACLs (9-44); Configuring Named, Standard ACLs (9-46); Creating Numbered, Standard ACLs
10 Configuring Advanced Threat Protection: Contents (10-1); Introduction
11 Traffic/Security Filters and Monitors: Contents (11-1); Overview
12: 802.1X Port-Based Access Control (12-5); Alternative To Using a RADIUS Server (12-6); Accounting; 802.1X Open VLAN Operating Notes (12-46); Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices (12-47)
13: Port-Security; MAC Lockdown (13-22); Differences Between MAC Lockdown and Port Security (13-24); MAC Lockdown Operating Notes
14: Using a Web Proxy Server to Access the Web Browser Interface (14-9); Web-Based Help
Product Documentation: About Your Switch Manual Set
Note: For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Customer Care, and then click on Manuals.
Software Feature Index
For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature.
Note: This index does not cover IPv6-capable software features.
Intelligent Edge Software Features (table; the column marks were lost in extraction)
Columns: Manual: Management and Configuration; Advanced Traffic Management; Multicast and Routing; Access Security Guide
Features listed (partial): DHCP/Bootp Operation; Diagnostic Tools; Downloading Software; Dynamic ARP Protection; Dynamic Configuration Arbiter; Eavesdrop Protection; Event Log; Factory Default Settings; Flow Control (802...); MAC Lockdown; MAC Lockout; MAC-based Authentication; Mana...; RMON 1,2,3,9; Routing; Routing - IP Static; Secure Co...; Voice VLAN; Web Authentication RADIUS Support; Web...
1 Security Overview
Contents: Introduction (1-2); About This Guide ...
Introduction
This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network.
Access Security Features
This section provides an overview of the switch's access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines.
Table 1-1 (columns: Feature; Default Setting; Security Guidelines; More Information and Configuration Details)
Telnet and Web-browser access: enabled. The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured...
SSL: disabled. Secure Socket Layer (SSL) and Transport Layer Security...
RADIUS: disabled. For each authorized client, RADIUS can be used to ... (see Chap...)
Network Security Features
This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2.
Table 1-2 (columns: Feature; Default Setting; Security Guidelines; More Information and Configuration Details)
Access Control: none. ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Chapter 10, "IPv4 Access Lists (ACLs)"
Key ...: none. KMS is available in several ProCurve switch models and ... (see Chapt...)
Getting Started with Access Security
ProCurve switches are designed as "plug and play" devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types.
Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following:
■ Disable or re-enable the password-clearing function of the Clear button.
CLI: Management Interface Wizard
To configure security settings using the CLI wizard, follow the steps below:
1. At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password).
2. When you enter the wizard, you have the following options:
• To update a setting, type in a new value, or press [Enter] to keep the current value.
• To quit the wizard without saving any changes, press [CTRL-C] at any time.
The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window
This page allows you to choose between two setup types:
• Typical: provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.
4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3).
SNMP Security Guidelines
In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Manage...
If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precaut...
Precedence of Security Options
This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence.
NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the switch's forwarding database.
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has co...
ProCurve Identity-Driven Manager (IDM)
IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring.
2 Configuring Username and Password Security
Contents: Overview (2-3); Configuring Local Password Security ...; Disabling the Clear Password Function of the Clear Button on the Switch's Front Panel (2-29); Re-Enabling the Clear Button on the Switch's Front Panel and Setting or Changing the "Reset-On-Clear" Operation ...
Overview (columns: Feature; Default; Menu; CLI; Web)
Set Usernames: none; Menu —; CLI —; Web page 2-9
Set a Password: none; Menu page 2-6; CLI page 2-8; Web page 2-9
Delete Password Protection: ...
Level / Actions Permitted
Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Notes: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
CLI: Setting Passwords and Usernames
Commands Used in This Section: password (see below).
Configuring Manager and Operator Passwords. Note: The password command has changed.
If you want to remove both operator and manager password protection, use the no password all command.
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
Saving Security Credentials in a Config File
You can store and view the following security settings in the ru...
■ By storing different security settings in different files, you can test different security configurations.
■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings
■ 802...
Password Command Options
The password command has the following options:
Syntax: [no] password <manager | ...
SNMP Security Credentials
SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command.
802.1X Port-Access Credentials
802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch.
... TACACS+ server application. (The encryption key is sometimes referred to as "shared secret" or "secret" key.) For more information, see "TACACS+ Authentication" on page 4-1 in this guide.
The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public key.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command.
Operating Notes
Caution
■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
• copy config <source-filename> config <target-filename>: Makes a local copy of an existing ...
Restrictions
The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
■ The private keys of an SSH host cannot be stored in the running configuration.
... the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command.
Front-Panel Security
The front-panel security features provide the ability to independently enable or disable some of the functions o...
As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.
Reset Button
Pressing the Reset button alone for one second causes the switch to reboot.
4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. It can take approximately 20-25 seconds for the switch to reboot.
• Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch's factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.)
Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to "Password Recovery Process" on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
Disabling the Clear Password Function of the Clear Button on the Switch's Front Panel
Syntax: no front-panel-security password-clear
Re-Enabling the Clear Button on the Switch's Front Panel and Setting or Changing the "Reset-On-Clear" Operation
Syntax: [no] fro...
Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by the "no" statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled.
The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Displays the current front-panel-security configuration, with Factory Reset disabled.
Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch.
• If you want to abort the command, press [N] (for "No"). Figure 2-13 shows an example of disabling the password-recovery parameter.
Note: The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same "one-time-use" password if you lose the password a second time.
3 Web and MAC Authentication
Contents: Overview (3-2); Web Authentication ...
Overview (columns: Feature; Default; Menu; CLI; Web)
Configure Web Authentication: n/a; —; 3-18; —
Configure MAC Authentication: n/a; —; 3-32; —
Display Web Authentication S...
Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication.
■ Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended.
How Web and MAC Authentication Operate
You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port.
Web-based Authentication
When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password.
If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails.
The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services.
Operating Rules and Notes
■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
■ ... 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
Setup Procedure for Web/MAC Authentication
Web/MAC Authentication and LACP: Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication.
ProCurve(config)# show port-access config
Port Access Status Summary
Port-access a...
---- ---------- ------------- -------- --------
Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN's name or VID.
Configuring the Switch To Access a RADIUS Server
Accepted MAC address formats:
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA:BB:CC:DD:EE:FF
■ If the device is a sw...
Syntax: [no] radius-server [host <ip-address>]
Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses.
Configuring Web Authentication
Overview
1. If you have not already done so, configure a local username and password pair on the switch.
2. Identify or create a redirect URL for use by authenticated clients.
Configuration Commands for Web Authentication (columns: Command; Page)
Configuration Level: aaa port-access <port-list> controlled-directions <...
Syntax: aaa port-access <port-list> controlled-directions <both | in>
After you enable web-based authentication on specified ...
Syntax: aaa port-access <port-list> controlled-directions <both | in> (continued)
Notes: ■ For information on how to ...
Syntax: [no] aaa port-access web-based <port-list>
Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.
Syntax: aaa port-access web-based <port-list> [client-moves]
Configures whether the client can move between ports. Default: Disabled
Syntax: aaa port-access web-based [dhcp-addr <ip-address/mask>]
Specifies the base address/mask for the temporary IP pool used by DHCP.
Syntax: aaa port-access web-based <port-list> [max-retries <1-10>]
Specifies the number of times a client can enter their user name and password before authentication fails.
Syntax: aaa port-access web-based <port-list> [redirect-url <url>]
no aaa port-access web-based <port-list> [redirect-url]
Specifies the URL that a user is redirected to after a successful login.
Show Commands for Web Authentication (columns: Command; Page)
show port-access web-based [port-list]: 3-26
show port-access web-based clients [port-lis...
ProCurve(config)# show port-access web-based
Port Access Web-Based Status
Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VL...
ProCurve(config)# show port-access web-based clients 1 detailed
Port Access Web-Based Client Status Detailed
Client Base Details: Port: 1 Se...
Syntax: show port-access web-based config [port-list]
Displays the currently configured Web Authentication settings for all switch ports.
Syntax: show port-access web-based config <port-list> detailed
Displays more detailed information on the currently configured Web Authentication settings for specified ports.
Syntax: show port-access web-based config [port-list] auth-server
Displays the currently configured Web Authentication settings for all ...
Configuring MAC Authentication on the Switch
Overview
1. If you have not already done so, configure a local username and password pair on the switch.
Configuration Commands for MAC Authentication (columns: Command; Page)
Configuration Level: aaa port-access mac-based addr-format: 3-33; [no...
Syntax: [no] aaa port-access mac-based <port-list>
Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC-based authentication on the specified ports.
Syntax: aaa port-access mac-based [e] <port-list> [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch enforces for an implicit logoff.
Syntax: aaa port-access mac-based [e] <port-list> [unauth-vid <vid>]
no aaa port-access mac-based [e] <port-list> [unauth-vid]
Specifies the VLAN to use for a client that fails authentication.
ProCurve(config)# show port-access mac-based
Port Acces...
---- ----------- -------------------- ------------------- -------------
Syntax: show port-access mac-based clients <port-list> detailed
Displays detailed information on the status of MAC-authenticated client sessions on specified ports.
Syntax: show port-access mac-based config [port-list]
Displays the currently configured MAC Authentication settings for al...
Syntax: show port-access mac-based config <port-list> detailed
Displays more detailed information on the currently configured MAC Authentication settings for specified ports.
Syntax: show port-access mac-based config [port-list] auth-server
Displays the currently configured Web Authentication se...
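The following configuration is an added worked example, not text from the guide, that strings together the Web authentication commands (aaa port-access web-based, controlled-directions, dhcp-addr, max-retries, redirect-url) and the MAC authentication commands (aaa port-access mac-based, unauth-vid, logoff-period) described above, together with the radius-server host entry from "Configuring the Switch To Access a RADIUS Server". The port range, addresses, VLAN ID, retry count and redirect URL are constructed placeholders; the key option on radius-server host is not shown on this page and is assumed to be the way the shared secret is supplied. Lines beginning with ";" are annotations in the comment style the switch uses in saved configuration files.

```text
; Constructed example (not from the guide): Web + MAC authentication on ports 1-4
; with one RADIUS server. Addresses, ports and VLAN IDs are placeholders.

; 1. RADIUS server that the switch forwards client credentials to (the guide allows up to three).
;    "key" is assumed here; the page shows only the host option.
radius-server host 10.0.0.10 key <shared-secret-placeholder>

; 2. Web (browser-based) authentication on ports 1-4.
aaa port-access web-based 1-4
aaa port-access web-based dhcp-addr 192.168.254.0/24
aaa port-access web-based 1-4 max-retries 3
aaa port-access web-based 1-4 redirect-url http://intranet.example.test/welcome
; "in": only traffic arriving from the client is controlled before authentication
aaa port-access 1-4 controlled-directions in

; 3. MAC authentication on the same ports. A client whose MAC address the RADIUS
;    server rejects is placed in VLAN 99 rather than left with no connectivity.
aaa port-access mac-based 1-4
aaa port-access mac-based 1-4 unauth-vid 99
aaa port-access mac-based 1-4 logoff-period 300

; 4. Verify what was applied and watch client state.
show port-access web-based config 1-4 detailed
show port-access mac-based config 1-4 detailed
show port-access web-based clients 1-4 detailed
show port-access mac-based clients 1-4 detailed
```

Because both methods are enabled, each new client first attempts MAC authentication and may start Web authentication before that completes; whichever succeeds first ends the other, as the Overview states. The unauth-vid value should point at a VLAN that is deliberately restricted (for example, one with no route to internal servers), since failed clients land there automatically. Note that the guide limits the port to 2 concurrent clients in this mode and disables LACP on these ports.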
Client Status
The table below shows the possible client status information that may be reported by a Web-based or MAC-based 'show ... clients' command.
(columns: Reported Status; Available Network Connection; Possible Explanations)
authenticated: Authorized VLAN; Client authenticated.
4 TACACS+ Authentication
Contents: Overview (4-2); Terminology Used in TACACS Applications (4-3); General System Requirements ...
Overview (columns: Feature; Default; Menu; CLI; Web)
view the switch's authentication configuration: n/a; —; page 4-9; —
view the switch's TACACS+ server contact ...: n/a; —; page ...
Terminology Used in TACACS Applications:
... TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
... everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, "Configuring Username and Password Security".)
TACACS+ Authentication General System Requirements General System Requirements T o use T ACACS+ authentication, you need th e following: ■ A T ACACS+ server applicat ion installed and configured on one or more servers or management stati ons in your network.
TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockou t occurs on the switch as a result of a T ACACS+ configuration, see “T roubleshooting T ACACS+ Op eration” in the T rouble- shooting chapter of the Management and Configuration Gui de for your switch.
TACACS+ Authentication General Authentication Setup Procedure If you are a first-time user of th e T ACACS+ service, ProC urve recom- mends that you configure only the mini mum feature set required by th e T ACACS+ application to pr ovide service in your network environment.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring T ACACS+ on the Switch Before Y ou Begin If you are new to T ACACS+ authentication, ProCur ve recommends that you read the “General Authen tication Se tup Procedure” on page 4-5 and configure your T ACACS+ server(s) before config uring authenticati on on the switch.
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication 4-11 through 4-17 console T eln.
TACACS+ Authentication Configuring TACACS+ on the Switch V iewing the Switch’ s Current T ACACS+ Server Contact Configuration This comma nd lists the tim eout period, encryption key , and the IP addre sses of the first-choice and backup T ACACS + servers the switch can contact.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods The aaa authentication command configures ac cess control for t he following access methods: ■ Console ■ Te l n e t ■ SSH ■ We b ■ Port-access (802.
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authen tication < console | telnet | ssh | web | p ort-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level.
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters T able 4-1. AAA Authentication Parameters Parameters Name Default Range Function console, T elnet, n/a n/a Specifies the access method us ed when authentica ting. T ACACS+ SSH, web or po rt- access authentication only uses the consol e, T elnet or SSH access methods.
TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allo wing only Operator privileges (and requiring two logins) and 15 representing root privil eges. The root priv ilege level is the only leve l that will a llow Manager le vel access on the switch.
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the T ACACS+ Server User Setup As shown in the next table, login and en able access is always available locall y through a direct t erminal connection to the switch’ s console port.
TACACS+ Authentication Configuring TACACS+ on the Switch T able 4-2. Primary/Secondary Authenticat ion T able Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console — Login local none* Local userna me/password access only .
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of acce ss options and the corre sponding commands to configure them: Console Login (Operator or Re ad-Only) Access: Primary using T ACACS+ server . Secondary using Local.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T ACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one first- choice and up to two backups.
TACACS+ Authentication Configuring TACACS+ on the Switch tacacs-server key < key-string > Enters the optional gl obal encryption key. [no] tacacs-server key Removes the optional global encryption key. (Does not affect any server-specific en cryption key assignments.
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device running a T ACACS+ serv er application. Optionally , can also specify the unique, per- server encryption key to use when each assigned server has it s own, uniqu e key.
TACACS+ Authentication Configuring TACACS+ on the Switch key < key-string > none (null) n/a Name Default Range Specifies the optional, global “e ncryption key” that is also assigned in t he T A CACS+ server(s) that the switch will access for authentication.
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “ first-choice ” T ACACS+ authentication device. Figure 4-7. Example of the Switch After Assigni ng a Different “First-Choice” Server T o remove the 10.28.
TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encry ption key in the switch, re-enter the tacacs-server host comman d without th e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.
TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a T ACACS+ Server Authentication through a T ACACS+ server operates generally as described below . For specific operat ing details, refer to the documentation you received with your T ACACS+ server application.
TACACS+ Authentication How Authentication Operates 4. When the requesting te rm inal responds to the prompt with a p assword, the switch forwards it to the T ACACS+ server and one of the following act.
TACACS+ Authentication How Authentication Operates attempt limi t without a successful a uthentication , the login session is terminated and the op erator at the re questing te rminal mu st initiate a new session before trying again.
TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication in the switch must be i d entical to th e encryption key configured in the corresponding TACACS+ serv er. If the key is the same for all TACACS+ servers the switch will use for authenticat ion, then co nfigur e a global key in the switch.
TACACS+ Authentication Messages Related to TACACS+ Operation ■ Configure the switch’ s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Autho- rized IP Manager featur e does not interfere wi th T ACACS+ operation.
TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as T ACACS+ servers in the authorized man- ager list.
5 RADIUS Authentication and Accounting. Contents: Overview . . . 5-3; Authentication Services . . .
Additional RADIUS Attributes . . . 5-34; Configuring RADIUS Accounting . . . 5-35; Operating Rules for RADIUS Accounting.
RADIUS Authentication and Accounting: Overview. Feature / Default / Menu / CLI / Web: Configuring RADIUS Authentication / None / n/a / 5-8 / n/a. Configuring RADIUS Accounting / None / n/a / 5-35 / n/a. Configuring RA.
Note: The switch does not support RADIUS security for SNMP (network management) access. For information on blocking access through the web browser interface, refer to "Controlling Web Browser Interface Access" on page 5-25.
Terminology. AAA: Authentication, Authorization, and Accounting groups of services provided by the carrying protocol.
Switch Operating Rules for RADIUS. Shared Secret Key: A text value used for encrypting data in RADIUS packets. Both the RADIUS client and the RADIUS server have a copy of the key, and the key is never transmitted across the network.
General RADIUS Setup Procedure. Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application.
Configuring the Switch for RADIUS Authentication. • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.
Outline of the Steps for Configuring RADIUS Authentication. There are three main steps to configuring RADIUS authentication: 1.
• Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access.
Figure 5-3. Example Configuration for RADIUS Authentication. The switch now allows Telnet and SSH authentication only through RADIUS. Note: The Web UI access task shown in this figure is available only on the switches covered in this guide.
this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level.
3. Configure the Switch To Access a RADIUS Server. This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services.
[key <key-string>] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server.
Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server. To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to "source0127" (step 1, above).
■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <ip-address> key <key-string>.
radius-server timeout <1-15> Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure.
After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-6. These two servers will use the global encryption key.
Security Notes. Using SNMP To View and Configure Switch Authentication Features. SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features.
Changing and Viewing the SNMP Access Configuration. Syntax: snmp-server mib hpswitchauthmib <.
An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; J8715A Configuration Editor; Created on release #W.
Local Authentication Process. When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used.
Controlling Web Browser Interface Access. To help prevent unauthorized access through the web browser interface, do one.
Commands Authorization. The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user's profile) to the Network Access Server (NAS).
Enabling Authorization. To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization <commands> <radius | none> Configures authorization for controlling access to CLI commands.
Displaying Authorization Information. You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands.
The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.
Example Configuration on Cisco Secure ACS for MS Windows. It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface.
Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the utils directory wherever acs is installed).
6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes.
#
# dictionary.hp
#
# As posted to the list by User <user_email>
#
# Version: $Id: dictionary.
Additional RADIUS Attributes. The following attributes are included in Access-Request and Access-Accounting packets sent from the switc.
Configuring RADIUS Accounting. RADIUS Accounting Commands (Command / Page): [no] radius-server host <ip-address> 5-38 [acct-port <po.
■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on t.
Operating Rules for RADIUS Accounting. ■ You can configure up to four types of accounting to run simultaneously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used for authentication.
must match the encryption key used on the specified RADIUS server. For more information, refer to the "[key <key-string>]" parameter on page 5-15. (Default: null) 2. Configure accounting types and the controls for sending reports to the RADIUS server.
[key <key-string>] Optional. Specifies an encryption key for use during accounting or authentication sessions with the specified server. This key must match the encryption key used on the RADIUS server.
The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of "source0151".
■ Stop-Only: • Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (Network, Exec, Commands, or System).
3. (Optional) Configure Session Blocking and Interim Updating Options. These optional parameters give you additional control over accounting data.
Viewing RADIUS Statistics. General RADIUS Statistics. Syntax: show radius [host <ip-addr>] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host.
Figure 5-15. RADIUS Server Information From the Show Radius Host Command. (Term / Definition): Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Requests: The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. (Term / Definition): AccessChallenges: The number of RADIUS Access-Challenge packets (valid or invalid) received from this server.
Figure 5-17. Example of RADIUS Authentication Information from a Specific Server. RADIUS Accounting Statistics. Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes.
Changing RADIUS-Server Access Order. Figure 5-19. Example of RADIUS Accounting Information for a Specific Server. Figure 5-20.
RADIUS server IP addresses listed in the order in which the switch will try to access them.
Removes the "003" and "001" addresses from the RADIUS server list. Inserts the "003" address in the first position in the RADIUS server list, and inserts the "001" address in the last position in the list.
Messages Related to RADIUS Operation. (Message / Meaning): Can't reach RADIUS server <x.x.x.x>. / A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
6 Configuring RADIUS Server Support for Switch Services. Contents: Overview . . .
Configuring the Switch To Support RADIUS-Assigned ACLs . . . 6-23; Displaying the Current RADIUS-Assigned ACL Activity; Causes of Client Deauthentication Immediately on the Switch.
Configuring RADIUS Server Support for Switch Services: Overview. This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUS-authenticated clients: ■ CoS ■ Rate-Limiting ■ ACLs. Optional Network Management Applications.
RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting. RADIUS Server Configuration for Per-Port CoS (802.
(Service / Control Method and Operating Notes): Rate-Limiting on / Vendor-Specific Attribute configured in the RADIUS server.
Table 6-2. Examples of Assigned and Applied Rate Limits. RADIU.
Syntax: show port-access authenticator [port-list] show rate-l.
ProCurve(config)# show qos port-priority Port priorities Port A.
Configuring and Using RADIUS-Assigned Access Control Lists. Introduction. A RADIUS-assi.
• RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port. An ACL can be configured on an interface as a static port ACL.
Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL.
Overview of RADIUS-Assigned, Dynamic ACLs. RADIUS-assigned ACLs enhance network and s.
Note: A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client's IP traffic is to be switched or routed.
(RADIUS-assigned ACLs / Static Port ACLs): Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.
the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL.
3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme.
Operating Rules for RADIUS-Assigned ACLs. ■ Relating a Client to a RADIUS-Assigned A.
Elements in a RADIUS-assigned ACL Configuration.
Configuring ACE Syntax in RADIUS Servers. The following syntax and operating information applies to ACLs configured in a RADIUS server.
any: • Specifies any IPv4 destination address if one of the following is true: – the ACE uses the standard attribute (Nas-filter-Rule).
1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. ATTRIBUTE Nas-FILTER-Rule 92 2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.
1. Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRADIUS dictiona.
Note: For syntax details on RADIUS-assigned ACLs, refer to the next section, "Format Details for ACEs Configured in a RADIUS-Assigned ACL".
Configuration Notes. Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL.
Note: Refer to the documentation provided with your RADIUS server for information.
Displaying the Current RADIUS-Assigned ACL Activity on the Switch. These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication.
Syntax: show port-access authenticator <port-list> For ports in <port-list> that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s).
ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Statu.
Event Log Messages (Message / Meaning): ACE parsing error, permit/deny keyword <ace-#> client <mac-address> port <port-#>.
(Message / Meaning): Invalid Access-list entry length, client <mac-address> port <port-#>. / Notifies that the string configured for an ACE entry on the
7 Configuring Secure Shell (SSH). Overview . . . 7-2; Terminology . . .
Configuring Secure Shell (SSH): Overview. Feature / Default / Menu / CLI / Web: Generating a public/private key pair on the switch / No / n/a / page 7-9 / n/a. Using the switch's public key / n/a / n/a / page 7-12.
Terminology. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client's key.
Prerequisite for Using SSH. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh).
Steps for Configuring and Using SSH for Switch and Client Authentication. For two-way authentication between the switch and an SSH client, you must use the login (Operator) level.
B. Switch Preparation. 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-8). 2. Generate a public/private key pair on the switch (page 7-9).
General Operating Rules and Notes. ■ Public keys generated on an SSH client must be exportable to the switch.
Configuring the Switch for SSH Operation. SSH-Related Commands in This Section (Command / Page): show ip ssh 7-18 [keylist-str] [<babble.
To Configure Local Passwords. You can configure both the Operator and Manager password with one command. Syntax: password <manager | operator | all> Figure 7-4. Example of Configuring Local Passwords. 2.
Note: When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles.
show crypto host-public-key Displays the switch's public key. Displays the version 1 and version 2 views of the key. See "SSH Client Public-Key Authentication" on page 2-16 in this guide for information about public keys saved in a configuration file.
hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus <n> must match; for PEM keys, only the PEM-encoded string itself must match.
The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>.
4. Add any data required by your SSH client application. For example, before saving the key to an SSH client's "known hosts" file you may have to insert the switch's IP address. (Figure 7-8 labels: Bit Size, Exponent <e>, Modulus <n>, Inserted IP Address.) Figure 7-8.
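The matching rule and the known-hosts insertion described above, as an added example (not HP code): parse the three-part "bit size, exponent, modulus" key the switch prints, build the known-hosts entry with the switch address inserted in front, and compare a presented key against the stored one using only the three numeric values. The key values, host address and file contents are constructed for illustration.

```python
"""Helpers for the three-part (SSH version 1 style) public key the switch
prints as "<bit size> <exponent e> <modulus n>".  Added example, not HP code.
All sample values below are constructed; the numbers are far too small to be
a real key and serve only to show the matching logic."""
from typing import NamedTuple, Optional


class Ssh1Key(NamedTuple):
    bits: int
    e: int
    n: int


def parse_ssh1_key(line: str) -> Ssh1Key:
    """Parse 'bits e n [comment ...]'.  Extra whitespace and a trailing comment
    are ignored, because only the three numeric values have to match."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<bits> <e> <n>'")
    bits, e, n = (int(f) for f in fields[:3])
    # Sanity check: the declared bit size must equal the modulus length.
    if n.bit_length() != bits:
        raise ValueError(f"modulus is {n.bit_length()} bits, header says {bits}")
    return Ssh1Key(bits, e, n)


def same_key(a: str, b: str) -> bool:
    """The manual's rule: bit size, e and n must agree; formatting need not."""
    return parse_ssh1_key(a) == parse_ssh1_key(b)


def known_hosts_entry(host: str, key_line: str) -> str:
    """Known-hosts line with the switch address inserted before the key fields."""
    k = parse_ssh1_key(key_line)
    return f"{host} {k.bits} {k.e} {k.n}"


def find_host_key(known_hosts: str, host: str) -> Optional[Ssh1Key]:
    """Return the key stored for `host` in known-hosts text, or None."""
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names, _, rest = line.partition(" ")
        if host in names.split(","):  # an entry may list several names/addresses
            return parse_ssh1_key(rest)
    return None


def verify_switch_key(known_hosts: str, host: str, presented: str) -> str:
    """Compare the key the switch presents with the stored one.
    'match'    : stored key agrees, proceed.
    'mismatch' : stored key differs (re-generated host key or impersonation);
                 confirm the fingerprint out of band before trusting it.
    'unknown'  : first contact, no stored key; verify the fingerprint
                 (show crypto host-public-key on the console) before saving."""
    stored = find_host_key(known_hosts, host)
    if stored is None:
        return "unknown"
    return "match" if stored == parse_ssh1_key(presented) else "mismatch"


# Constructed sample data (not a real switch key or address).
SWITCH_KEY = "24 35 13052311 procurve-2910al"
SWITCH_ADDR = "192.0.2.10"
KNOWN_HOSTS = "# constructed known-hosts file\n192.0.2.10 24 35 13052311\n"

if __name__ == "__main__":
    print(known_hosts_entry(SWITCH_ADDR, SWITCH_KEY))
    print(verify_switch_key(KNOWN_HOSTS, SWITCH_ADDR, SWITCH_KEY))
```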
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerpri nts" of the Same Switch Phonetic "Hash" of Switch’ s Public Key Figure 7-9.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavio r . At the first contact be tween the switch and an SSH client, if the swit ch’ s pu blic ke y has .
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. V alid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator .
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 7-18. [public-key <manager | operator> ] Configures a client public key.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from ac cess by anyone other than yoursel f. If someone can access your private key file, they can then penetrate SSH security on the switch by ap pearing to be you.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the sw itch uses its pub- lic key to authenticate itself to a clie nt, but uses only p asswords for client authentication.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < filename > Copies a public key fi le into the switch.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ProCurve(config)# password manager us er-name leader Configures Manager user- name and password. Configures the switch to allow SSH access only for a client whos e public key matches one of the keys in the p ublic key file.
Configuring Secure Shell (SSH): Further Information on SSH Client Public-Key Authentication
6. Use an SSH Client To Access the Switch. Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch.
If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: 1. The client sends its public key to the switch with a request for authentication.
To Create a Client-Public-Key Text File. These steps describe how to copy client public keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application.
2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software.
The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadecimal hashes that serve the same purpose.
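The three-part "bit size, exponent, modulus" key format described above, the rule that only the three numeric values need to match when comparing copies, the step of inserting the switch's IP address in front of the key, and the hexadecimal fingerprint used for visual comparison can all be exercised offline. The Python below is an added example and is not code from this guide or from the switch. It assumes a constructed toy key (TOY_MODULUS is a made-up 512-bit value, not a real switch key), and it computes the fingerprint as MD5 over the modulus bytes followed by the exponent bytes, which is an assumption about the fingerprint format rather than something this guide states; the function names parse_switch_public_key, keys_match, known_hosts_line and hex_fingerprint are illustrative.

```python
"""Added example: parsing, comparing and fingerprinting a switch SSH version 1
style public key ("bits e n").  Not code from the ProCurve manual."""
import hashlib

# Constructed toy key: a 512-bit odd modulus and the common exponent 65537.
TOY_MODULUS = (1 << 511) + 12345
SAMPLE_SWITCH_KEY = f"512 65537 {TOY_MODULUS}"


def parse_switch_public_key(text):
    """Parse 'bits e n [comment ...]' and return (bits, e, n).

    Raises ValueError when the three numeric fields are missing or inconsistent,
    which catches a key that was truncated or altered while being copied."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("expected at least three fields: bit size, exponent, modulus")
    try:
        bits, e, n = (int(f) for f in fields[:3])
    except ValueError as exc:
        raise ValueError("bit size, exponent and modulus must be decimal integers") from exc
    if n.bit_length() != bits:
        raise ValueError(f"bit size {bits} does not match modulus length {n.bit_length()}")
    if e < 3 or e % 2 == 0 or e >= n:
        raise ValueError("exponent must be an odd integer in [3, n)")
    return bits, e, n


def keys_match(text_a, text_b):
    """True when both copies carry the same three numeric values, regardless of
    spacing or trailing comments (the manual's rule for version 1 keys)."""
    return parse_switch_public_key(text_a) == parse_switch_public_key(text_b)


def known_hosts_line(switch_ip, key_text):
    """Prepend the switch's IP address, as some clients require before the
    key can be saved in their known-hosts file."""
    bits, e, n = parse_switch_public_key(key_text)
    return f"{switch_ip} {bits} {e} {n}"


def hex_fingerprint(key_text):
    """Colon-separated hex digest of the key material.
    Assumption: MD5 over the big-endian bytes of n followed by those of e."""
    _, e, n = parse_switch_public_key(key_text)
    blob = (n.to_bytes((n.bit_length() + 7) // 8, "big")
            + e.to_bytes((e.bit_length() + 7) // 8, "big"))
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the switch's IP.
    print(known_hosts_line("192.0.2.10", SAMPLE_SWITCH_KEY))
    print(hex_fingerprint(SAMPLE_SWITCH_KEY))
```

Compare the fingerprint printed by your client against the one the switch shows with show crypto host-public-key fingerprint before trusting the key; keys_match is the programmatic version of the same check once the key text has been copied into a file.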
Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch.
Configuring Secure Shell (SSH): Messages Related to SSH Operation
Message / Meaning
00000K Peer unreachable. File transfer did not occur. / Indicates an error in communicating with the tftp server or not finding the file to download.
Generating new RSA host key. If the cache is depleted, this could take up to two minutes. / After you execute the generate ssh [dsa | rsa] command, the switch displays this message while it
8 Configuring Secure Socket Layer (SSL)
Contents
Overview 8-2
Terminology
Configuring Secure Socket Layer (SSL): Overview
Feature / Default / Menu / CLI / Web
Generating a Self-Signed Certificate on the switch / No / n/a / page 8-8 / page 8-12
Generating a Certificate Request on t.
Configuring Secure Socket Layer (SSL): Terminology
[Figure 8-1: ProCurve Switch (SSL Server) and SSL Client Browser. 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS.]
■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify the authenticity of those signed certificates. Trusted certificates are distributed as an integral part of most popular web clients.
Configuring Secure Socket Layer (SSL): Prerequisite for Using SSL
Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch.
Configuring Secure Socket Layer (SSL): General Operating Rules and Notes
4. Use your SSL-enabled browser to access the switch using the switch’s IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application.
Configuring Secure Socket Layer (SSL): Configuring the Switch for SSL Operation
SSL-Related CLI Commands in This Section (Command / Page): web-management ssl / page 8-19; show .
Security Tab, Password Button. Figure 8-2. Example of Configuring Local Passwords. 1. Proceed to the Security tab and select the Device Passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords.
The server certificate is stored in the switch’s flash memory. The server certificate should be added to the certificate folder on the SSL clients that you want to have access to the switch.
CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 | 1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL operation.
Table 8-1. Certificate Field Descriptions (Field Name / Description): Valid Start Date / This should be the date you desire to begin using the SSL functionality.
CLI Command to view host certificates. Syntax: show crypto host-cert Displays the switch’s host certificate. To view the current host certificate from the CLI, use the show crypto host-cert command.
To generate a self-signed host certificate from the web browser interface: i. Proceed to the Security tab, then the SSL button. The SSL configuration screen is split into two halves.
For example, to generate a new host certificate via the web browser interface: [Figure 8-5 callouts: Certificate Type Box, Key Size Selection, Certificate Arguments.]
Current SSL Host Certificate. Figure 8-6. Web browser interface showing the current SSL Host Certificate. Generate a CA-Signed server host certificate with the Web browser interface. To install a CA-Signed server host certificate from the web browser interface.
that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate).
-----BEGIN CERTIFICATE-----
MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa
QTEiMCAGA1UECBMZRk9SIFRFU.
Note: Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 8-8.
Using the CLI Interface to Enable SSL. Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
Enable SSL and port number selection. Figure 8-8. Using the web browser interface to enable SSL and select the TCP port number. Note on Port: ProCurve recommends using the default IP port number (443).
Configuring Secure Socket Layer (SSL): Common Errors in SSL setup
Error / During / Possible Cause: Generating host certificate on CLI / You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.
9 IPv4 Access Control Lists (ACLs)
Contents
Introduction 9-4
What Is the Difference Between Network (or Subnet)
Rules for Defining a Match Between a Packet and an
Overview of Options for Applying IPv4 ACLs on the Switch
Configuring and Assigning an IPv4 ACL 9-34
A Configured ACL Has No Effect Until You Apply It
You Can Assign an ACL Name or Number to an Interface
Overview
Displaying ACL Configuration Data 9-85
Display an ACL Summary 9-86
Display the Content of All ACLs on the Switch
IPv4 Access Control Lists (ACLs): Introduction
An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces.
Notes: IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program.
IPv4 Access Control Lists (ACLs): Overview of Options for Applying IPv4 ACLs on the Switch
To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur.
Create a Standard, Numbered AC. / ProCurve(config)# access-list < 1-99 > < deny | permit > / pages 9-49, 9-76
Table 9-2. Command Summary for IPv4 Extended ACLs (Action / Command(s) / Page): Create an Extended, Named ACL or A.
Enter or Remove a Remark / ProCurve(config)# ip access-list extended < name-str | 100-199 > / 9-81 (Action / Command)
IPv4 Access Control Lists (ACLs): Terminology
Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria.
ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a packet’s corresponding IPv4 addressing must exactly match the addressing in the ACE, and which bits need not match (wildcards).
Inbound Traffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, inbound traffic is a packet that meets one of the following criteria: • Static Port ACL: Inbound traffic is a packet entering the switch on the port.
whether there is a match between a packet and the ACE. In an extended ACE, this is the first of two IPv4 addresses used by the ACE to determine whether there is a match between a packet and the ACE. See also “DA”.
IPv4 Access Control Lists (ACLs): Overview
Types of IPv4 ACLs: A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only.
Static Port ACL and Dynamic Port ACL Applications: An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed.
802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 8 individually authenticated clients on a given port.
• The CLI remark command option allows you to enter a separate comment for each ACE. ■ A source or destination IPv4 address and a mask, together, can define a single host, a range of hosts, or all hosts.
General Steps for Planning and Configuring ACLs: 1. Identify the ACL application to apply. As part of this step, determine the best points at which to apply specific ACL controls.
For more details on ACL planning considerations, refer to “Planning an ACL Application” on page 9-24. Caution Regarding the Use of Source Routing: Source routing is enabled by default on the switch and can be used to override ACLs.
IPv4 Access Control Lists (ACLs): IPv4 Static ACL Operation
Introduction: An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured.
ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit “deny any”.
[Figure (ACL evaluation flowchart) nodes: Test a packet against criteria in first ACE. Is there a match? Yes: Perform action (permit or deny); End. No: (next ACE) ... when no ACE matches: Deny the packet (invoke an Implicit Deny); End.]
1. Permit inbound IPv4 traffic from IP address 10.11.11.42. 2. Deny only the inbound Telnet traffic from address 10.11.11.101. 3. Permit only inbound Telnet traffic from IP address 10.11.11.
IPv4 Access Control Lists (ACLs): Planning an ACL Application
Before creating and implementing ACLs, you need to define the policies you want your ACLs to enforce, and understand how the ACL assignments will impact your network users.
■ What are the logical points for minimizing unwanted traffic, and what ACL application(s) should be used? In many cases it makes sens.
Caution: IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security.
■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped.
■ Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number.
ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.
• A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example: access-list 1 permit 10.28.32.1 0.0.0.31 (Address / Mask) 10.
dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE.
ip access-list standard Fileserver
permit 10.28.252.117 0.0.0.0
exit
Inbound Packet “A” On VLAN 20 – Destination Address: 10.
Table 9-3. Mask Effect on Selected Octets of the IPv4 Addresses in Table 9-2 (Addr Octet / Mask Octet / 128 64 32 16 8 4 2 1 / Range): A 3 0 all.
IPv4 Access Control Lists (ACLs): Configuring and Assigning an IPv4 ACL
ACL Feature / Page: Caution Regarding the Use of IPv4 Source Routing; Configuring and Assignin.
Options for Permit/Deny Policies: The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors.
3. One or more deny/permit list entries (ACEs): One entry per line. Element / Notes: Type / Standard or Extended. Identifier / • Alp.
For example, figure 9-7 shows how to interpret the entries in a standard ACL. ProCurve(Config)# show running . . . ACL List Heading with List Type and Identifier (Name or Number): ip access-list standard “Sample-List” 10 deny 10.
ip access-list extended < identifier > [ [ seq-# ] remark < remark-str > ] < permit | deny > < ipv4-protoc.
For example, figure 9-9 shows how to interpret the entries in an extended ACL. Figure 9-9. Example of a Displayed Extended ACL Configuration. ProCurve(config)# show running Running configuration: ; J9146A Configuration Editor; Created on release #W.
For example, suppose that you have applied the ACL shown in figure 9-10 to inbound IPv4 traffic on VLAN 1 (the default VLAN): ip access-list extended "Sample-List-2" 10 deny ip 10.
Line # 50 / Action: Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs.
Using the CLI To Create an ACL (Command / Page): access-list (standard ACLs) / 9-44; access-list (extended ACLs) / 9-53. You can use either the switch CLI or an offline text editor to create an ACL.
To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.
IPv4 Access Control Lists (ACLs): Configuring Standard ACLs
Table 9-6. Command Summary for Standard ACLs (Action / Command(s) / Page): Create a Standard, Named ACL or Add an ACE to.
A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when you need to: ■ Permit or deny any IPv4 traffic based on source address only. ■ Quickly control the IPv4 traffic from a specific address.
Configuring Named, Standard ACLs. This section describes the commands for performing the following: ■ creating and/or entering the context.
Configuring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list.
[log] This option generates an ACL log message if: • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to “” on page 9-96.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server.
ProCurve(config)# show access-list Sample-List
Access Control Lists
Name: Sample-List  Type: Standard  Applied: No
SEQ Entry 10 Action: permit 20 IP : 10.
Creating or Adding to a Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table 9-6 on page 9-44.
< any | host < SA > | SA < mask | SA / mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA.
Example of Creating and Viewing a Standard ACL. This example creates a standard, numbered ACL with the same ACE content as shown in figure 9-11 on page 9-48.
IPv4 Access Control Lists (ACLs): Configuring Extended ACLs
Table 9-7. Command Summary for Extended ACLs (Action / Command(s) / Page): Create an Extended, Named ACL or Add an.
Action / Command(s) / Page: Enter or Remove a Remark / ProCurve(config)# ip access-list extended < name-str | 100-199 > / 9-81; ProCurve(config-.
Configuring Named, Extended ACLs: For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.
Creating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command is a prerequisite to entering or editing ACEs in a named, extended ACL. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.
Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip access-list standard < name-str > command described on page 9-56 to enter the “Named ACL” (nacl) context of an ACL.
< ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet.
< any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE.
[ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting.
Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.
Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application.
Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic.
[ icmp-type-name ] These name options are an alternative to the [ icmp-type [ icmp-code ] ] methodology described above.
Option for IGMP in Extended ACLs. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic.
For other IPv4 ACL topics, refer to the following (Topic / Page): configuring named, standard ACLs / 9-46; configuring numbered, standard ACLs.
If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs.
< ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match.
SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match.
[ precedence < 0 - 7 | precedence-name > ] This option causes the ACE to match packets with the specified IP precedence value.
Additional Options for TCP and UDP Traffic. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.
Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > < dest-ip > [ igmp-type ] The IGMP “type” criteria are identical to the criteria described for IGMP in named, extended ACLs, beginning on page 9-65.
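The ACL mask semantics from the planning section (bits set to 1 in the mask are wildcards, bits set to 0 must match exactly, so 10.28.32.1 0.0.0.31 covers 10.28.32.0 through 10.28.32.31), the sequential first-match evaluation with the implicit "deny any" at the end, and the optional source/destination port criteria of extended ACEs described just above can be checked against a small model. The Python below is an added example, not code from this guide or from the switch. It handles only a subset of the switch grammar (any, host SA, SA mask, SA/mask-length, and the eq port operator), the port-name table is an assumption limited to four well-known names, and the ACL and packets are constructed sample data; the function names (parse_ace, evaluate, classify, wildcard_match, wildcard_range) are illustrative.

```python
"""Added example: a model of IPv4 ACL wildcard-mask matching and first-match
evaluation with implicit deny.  Not code from the ProCurve manual."""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp"}
# Assumption: a handful of well-known port names; the manual allows names but
# does not list them in this section.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(packet_ip, ace_ip, ace_mask):
    """ACL mask semantics: only the bits that are 0 in the mask must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(ace_mask))
    packet = int(ipaddress.IPv4Address(packet_ip))
    ace = int(ipaddress.IPv4Address(ace_ip))
    return (packet & care) == (ace & care)


def wildcard_range(ace_ip, ace_mask):
    """Lowest and highest address an address/mask pair can match."""
    mask = int(ipaddress.IPv4Address(ace_mask))
    low = int(ipaddress.IPv4Address(ace_ip)) & (0xFFFFFFFF ^ mask)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | mask))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((ip, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if "/" in tokens[i]:  # SA/mask-length form: wildcard derived from the prefix length
        net = ipaddress.IPv4Network(tokens[i], strict=False)
        return (str(net.network_address), str(net.hostmask)), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port-number | port-name>' following an address spec."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), i + 2
    return None, i


def parse_ace(line, kind):
    """Parse one ACE of a 'standard' or 'extended' ACL into a dict."""
    tokens = line.split()
    seq, action = int(tokens[0]), tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    ace = {"seq": seq, "action": action, "proto": "ip", "sport": None,
           "dst": ANY, "dport": None, "log": tokens[-1] == "log"}
    i = 2
    if kind == "extended":
        ace["proto"] = tokens[2]
        if ace["proto"] not in PROTOCOLS:
            raise ValueError(f"unsupported protocol in ACE: {line}")
        i = 3
    ace["src"], i = _parse_addr(tokens, i)
    if kind == "extended":  # source port, then destination address and port
        ace["sport"], i = _parse_port(tokens, i)
        ace["dst"], i = _parse_addr(tokens, i)
        ace["dport"], i = _parse_port(tokens, i)
    return ace


def ace_matches(ace, pkt):
    """Every criterion present in the ACE must match the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    return ace["dport"] is None or pkt.get("dport") == ace["dport"]


def evaluate(acl, pkt):
    """First matching ACE in sequence order decides; no match falls to the
    implicit deny, reported with seq None."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None


# Constructed sample ACL, ordered most-specific to most-general as the manual
# advises; there is deliberately no "permit ip any any" so the implicit deny is reachable.
SAMPLE_EXTENDED_ACL = [parse_ace(line, "extended") for line in (
    "10 deny tcp host 10.11.11.101 any eq telnet log",
    "20 permit tcp 10.11.11.0/24 any eq telnet",
    "30 permit ip 10.28.32.1 0.0.0.31 any",
)]


def classify(src, dst, proto, dport, sport=40000, acl=SAMPLE_EXTENDED_ACL):
    """Build a constructed packet and return (action, matching seq or None)."""
    return evaluate(acl, {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport})


if __name__ == "__main__":
    for pkt in (("10.11.11.101", "10.30.133.27", "tcp", 23),
                ("10.11.11.42", "10.30.133.27", "tcp", 23),
                ("10.28.32.17", "10.30.133.27", "tcp", 80),
                ("10.28.32.40", "10.30.133.27", "tcp", 80)):
        print(pkt, "->", classify(*pkt))
```

Swapping the order of ACEs 10 and 20 in the sample list is a quick way to see the ordering rule from the planning section: the broader /24 permit would then match the 10.11.11.101 Telnet packet first and the host-specific deny would never be reached.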
IPv4 Access Control Lists (ACLs): Adding or Removing an ACL Assignment On an Interface
Filtering Inbound IPv4 Traffic Per Port: For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface.
IPv4 Access Control Lists (ACLs): Deleting an ACL
ProCurve(config)# interface b10 ip access-group My-List in
ProCurve(config)# interface b10
ProCurve(eth-b10)# ip access-group 155 in    (Enables a static port ACL from a port context.)
ProCurve(eth-b10)# exit
IPv4 Access Control Lists (ACLs): Editing an Existing ACL
The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs.
■ You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL’s context, and then using the no < seq-# > command (page 9-79). ■ Deleting the last ACE from an ACL leaves the ACL in memory.
For example, to append a fourth ACE to the end of the ACL in figure 9-16:
ProCurve(config)# ip access-list standard My-List
ProCurve(config-std-nacl)# permit any
ProCurve(config-std-nacl)# show run .
2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647.) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing.
Deleting an ACE from an Existing ACL: This action uses ACL sequence numbers to delete ACEs from an ACL. Syntax: ip access-list < standard | extended > < name-str | 1 - 99 | 100 - 199 > no < seq-# > The first command enters the “Named-ACL” context for the specified ACL.
Resequencing the ACEs in an ACL: This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.
Attaching a Remark to an ACE: A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
Note: After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it can be managed as either a named or numbered ACL.
Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE.
Operating Notes for Remarks: ■ The resequence command ignores “orphan” remarks that do not have an ACE counterpart with the same sequence number.
IPv4 Access Control Lists (ACLs): Displaying ACL Configuration Data
ACL Commands / Function / Page: show access-list; show access-list config; show access-list ports < all.
Display an ACL Summary: This command lists the configured IPv4 ACLs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 ACLs configured on the switch.
Display the Content of All ACLs on the Switch: This command lists the configuration details for the IPv4 ACLs in the running-config file. Syntax: show access-list config List the configured syntax for all IPv4 ACLs currently configured on the switch.
Display Static Port ACL Assignments: This command briefly lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file.
Displaying the Content of a Specific ACL: This command displays a specific ACL configured in the running-config file in an easy-to-read tabular format.
ProCurve(config)# show access-list List-120
Access Control Lists
Name: List-120  Type: Extended  (Applied: indicates whether the ACL is applied to an interface.)
Field / Description: IP / Used for Standard ACLs: The source IP address to which the configured mask is applied to determine whether there is a match with a packet. Src IP / Used for Extended ACLs: Same as above.
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a mean s for monitoring ACL performance by using coun ters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface.
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Oper ation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the crit eria in that ACE, and maintain s a running total of the match es since the last counter reset.
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titl ed “Editing an Existi ng ACL” on page 9-75 describes how to use the CLI to edit an ACL, and is m ost applicable in cases where the A CL is short or there is only a minor editi ng task to perform.
10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the sw itch with a n ew ACL that uses .
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the sw itch to generate a message w hen IP traffic meets the criteria for a match with an ACE that results in an explic it “deny” action.
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny acti on and the optional log parameter , an ACL log me ssage is sent to the desi gnated debug destinat ion.
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Loggin g on the Switch 1. If you are using a Syslog server , use the loggin g < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify .
IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be config- ured to screen hostname IP traf fic betwee n the switch and a DNS. ACLs Do Not Affect Serial Port Access.
IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several ot her features.
10 Configuring Advanced Threat Protection, Contents: Introduction 10-2; DHCP Snooping . . .
Configuring Advanced Threat Protection, Introduction: As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such.
Configuring Advanced Threat Protection, DHCP Snooping: • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually .
Configuring Advanced Threat Protection, DHCP Snooping: DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection.
Configuring Advanced Threat Protection, DHCP Snooping: option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information. trust: Configure trusted ports.
Configuring Advanced Threat Protection, DHCP Snooping: Example: ProCurve(config)# show dhcp-snooping stats. Columns: Packet type, Action, Reason, Count. server for.
Configuring Advanced Threat Protection, DHCP Snooping: Configuring DHCP Snooping Trusted Ports. By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this co.
Configuring Advanced Threat Protection, DHCP Snooping: Configuring Authorized Server Addresses. If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid.
Configuring Advanced Threat Protection, DHCP Snooping: Note: DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled.
Configuring Advanced Threat Protection, DHCP Snooping: Changing the Remote-id from a MAC to an IP Address. By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions.
Configuring Advanced Threat Protection, DHCP Snooping: Example: ProCurve(config)# dhcp-snooping verify mac; ProCurve(config)# show dhcp-snooping. DHCP Snooping Information: DHCP Snooping: Yes; Enabled Vlans: 4; Verify MAC: yes; Option 82 untrusted policy: drop; Option 82 Insertion: Yes; Option 82 remote-id: subnet-ip. Figure 10-7.
Configuring Advanced Threat Protection, DHCP Snooping: A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command.
Configuring Advanced Threat Protection, DHCP Snooping: ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
Configuring Advanced Threat Protection, DHCP Snooping: Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Introduction. On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache.
Configuring Advanced Threat Protection, Dynamic ARP Protection: ■ Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP sn.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Enabling Dynamic ARP Protection. To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection. Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Adding an IP-to-MAC Binding to the DHCP Database. A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Configuring Additional Validation Checks on ARP Packets. Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Example: ProCurve(config)# show arp protect. ARP Protection Information: Enabled Vlans: 1-4094; Validate: dst-mac, src-mac; Port / Trust: B1 Yes, B2 Yes, B3 No, B4 No, B5 No. Figure 10-10.
Configuring Advanced Threat Protection, Dynamic ARP Protection: Monitoring Dynamic ARP Protection. When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command.
Configuring Advanced Threat Protection, Using the Instrumentation Monitor: The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch.
Configuring Advanced Threat Protection, Using the Instrumentation Monitor: Operating Notes. ■ To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap.
Configuring Advanced Threat Protection, Using the Instrumentation Monitor: Configuring Instrumentation Monitor. The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled.
Configuring Advanced Threat Protection, Using the Instrumentation Monitor: To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
Configuring Advanced Threat Protection, Using the Instrumentation Monitor: Viewing the Current Instrumentation Monitor Configuration. The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters.
11 Traffic/Security Filters and Monitors, Contents: Overview 11-2; Introduction . . .
Traffic/Security Filters and Monitors, Overview: Applicable Switch Models. As of June 2007, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Sour.
Traffic/Security Filters and Monitors, Filter Types and Operation: You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic.
Traffic/Security Filters and Monitors, Filter Types and Operation: Source-Port Filters. This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
Traffic/Security Filters and Monitors, Filter Types and Operation: ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist.
Traffic/Security Filters and Monitors, Filter Types and Operation: This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports.
Traffic/Security Filters and Monitors, Filter Types and Operation: ■ To change the named source-port filter used on a port or port trunk, the current filter must first be removed, using the no filter source-port named-filter < filter-name > command.
Traffic/Security Filters and Monitors, Filter Types and Operation: Syntax: filter source-port named-filter < filter-name > forward < destination-port-list >. Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the < destination-port-list >.
Traffic/Security Filters and Monitors, Filter Types and Operation: Viewing a Named Source-Port Filter. You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below.
Traffic/Security Filters and Monitors, Filter Types and Operation: Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step.
Traffic/Security Filters and Monitors, Filter Types and Operation: Figure 11-7. Example of the show filter Command. Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port.
Traffic/Security Filters and Monitors, Filter Types and Operation: Example: ProCurve(config)# show filter 24 and ProCurve(config)# show filter 4. Traffic/Security Filters; Filter Type: Source.
Traffic/Security Filters and Monitors, Filter Types and Operation: Example: ProCurve(config)# show filter 26. Traffic/Security Filters; Filter Type: Source Port; Source Port: 1; columns: Dest Port, Type | Action.
Traffic/Security Filters and Monitors, Filter Types and Operation: The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
Traffic/Security Filters and Monitors, Filter Types and Operation: Example: ProCurve(config)# show filter source-port. Traffic/Security Filters; columns: Filter Name | Port List | Action.
Traffic/Security Filters and Monitors, Filter Types and Operation: Table 11-2. Multicast Filter Limits (Max-VLANs Setting / Maximum # of Multicast Filters, Static and IGMP Combined): 1 (the minimum): 420; 8 (the default): 413; 32 or higher: 389. Notes: Per-Port IP Multicast Filters.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Configuring a Source-Port Traffic Filter. Syntax: [no] filter [source-port < port-number | trunk-name >]. Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Example of Creating a Source-Port Filter. For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Figure 11-15. Assigning Additional Destination Ports to an Existing Filter. Configuring a Multicast or Protocol Traffic Filter. Syntax: [no] filter [multicast < mac-address >]. Specifies a multicast address.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: For example, suppose you wanted to configure the filters in table 11-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 11-18.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Displaying Traffic/Security Filters. This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.
Traffic/Security Filters and Monitors, Configuring Traffic/Security Filters: Filter Index Numbers (Automatically Assigned). Lists all filters configured in the switch. Uses the index number (IDX) for a specific filter to list the details for that filter only.
12 Configuring Port-Based and User-Based Access Control (802.1X), Contents: Overview 12-3; Why Use Port-Based or User-Based Access Control? . . .
Configuring Port-Based and User-Based Access Control (802.1X), Contents: 3. Configure the 802.1X Authentication Method 12-26; 4. Enter the RADIUS Host IP Address(es) 12-27; 5. Enable 802.
Configuring Port-Based and User-Based Access Control (802.1X), Overview: Feature / Default / Menu / CLI / Web. Configuring Switch Ports as 802.1X Authenticators: Disabled, n/a, page 12-19, n/a. Configuring 802.1X Open VLAN Mode: Disabled, n/a, page 12-31, n/a. Configuring Switch Ports to Operate as 802.
Configuring Port-Based and User-Based Access Control (802.1X), Overview: • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
Configuring Port-Based and User-Based Access Control (802.1X), Overview: credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated.
Configuring Port-Based and User-Based Access Control (802.1X), Terminology: This operation unblocks the port while an authenticated client session is in progress.
Configuring Port-Based and User-Based Access Control (802.1X), Terminology: a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership.
Configuring Port-Based and User-Based Access Control (802.1X), Terminology: Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network.
Configuring Port-Based and User-Based Access Control (802.1X), General 802.1X Authenticator Operation: This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.
Configuring Port-Based and User-Based Access Control (802.1X), General 802.1X Authenticator Operation: Note: The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 12-4.
Configuring Port-Based and User-Based Access Control (802.1X), General 802.1X Authenticator Operation: Flowchart (figure residue): New Client Authenticated; Untagged VLAN Configured On Port? (Yes/No); RADIUS-Assigned VLAN? (Yes/No); Auth.
Configuring Port-Based and User-Based Access Control (802.1X), General Operating Rules and Notes: ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port.
Configuring Port-Based and User-Based Access Control (802.1X), General Operating Rules and Notes: ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.
Configuring Port-Based and User-Based Access Control (802.1X), General Operating Rules and Notes: not enabled. That is, any non-authenticating client attempting to access the port after another client authenticates with port-based 802.1X would still have to authenticate through Web-Auth or MAC-Auth.
Configuring Port-Based and User-Based Access Control (802.1X), General Setup Procedure for 802.1X Access Control: Do These Steps Before You Configure 802.1X Operation. 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels.
Configuring Port-Based and User-Based Access Control (802.1X), General Setup Procedure for 802.1X Access Control: Example: ProCurve(config)# password port-access user-name Jim secret3. Figure 12-2. Example of the Password Port-Access Command. You can save the port-access password for 802.
Configuring Port-Based and User-Based Access Control (802.1X), General Setup Procedure for 802.1X Access Control: 3. Determine whether to use user-based access control (page 12-4) or port-based access control (page 12-5). 4. Determine whether to use the optional 802.
Configuring Port-Based and User-Based Access Control (802.1X), General Setup Procedure for 802.1X Access Control: Overview: Configuring 802.1X Authentication on the Switch. This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.
Configuring Port-Based and User-Based Access Control (802.1X), Configuring Switch Ports as 802.1X Authenticators: Note: If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.
Configuring Port-Based and User-Based Access Control (802.1X), Configuring Switch Ports as 802.1X Authenticators: 1. Enable 802.1X Authentication on Selected Ports. This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.
Configuring Port-Based and User-Based Access Control (802.1X), Configuring Switch Ports as 802.1X Authenticators: B. Specify User-Based Authentication or Return to Port-Based Authentication. User-Based 802.
Configuring Port-Based and User-Based Access Control (802.1X), Configuring Switch Ports as 802.1X Authenticators: Example: Configuring User-Based 802.1X Authentication. This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication.
Configuring Port-Based and User-Based Access Control (802.1X), Configuring Switch Ports as 802.1X Authenticators: [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time af ter which clients connected must be re-authenticated.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how th e switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the au thentication me thod, configure the switch to use 1, 2, or 3 RADIUS se rvers for authentication.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentica tion is operating, y ou can use the following aaa port- access authenticator commands to reset 802.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning T ree Protocol (MSTP) or 802.1w Rapi d Spanning T ree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while m aintaining a lo op-free netw ork.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be con figured for more than one type of authenticat ion to protect .
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 12-45 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports confi gured to allow multi ple sessions using 802.1X user -based access control, all clients must use the same untagged VLAN.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note After client authenticati on, the port resumes me mbership in any tagged VLANs for which it i s configured.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode T able 12-1. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client t hat cannot initiate an authenti cation session.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Per -Port Configuration Port Response Authorized-Client VLAN • After c lient authentication, the po rt drops membership in the Unauthorized-Client VLAN a nd becomes an u ntagged member of this VLAN.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per -Port Configuration Port Response Open VLAN Mode with Only an Unauthoriz ed-Client V LAN Configured: • When the port d etects a client, it automatically b ecomes an untagged member of this VLAN.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Con figured: 802.1X Per -Port Configuration Port Response • Port automatically blocks a client that cannot initiate an authentication session .
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs T able 12-2.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an una uthent.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an u ntagged member . This rule assumes no other authenticated clients are already using the port on a different VLAN.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access Y ou can optionally ena ble switches to allow up to eight clie nts per - port.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of bot h the Unauthorized-Client and Authorized-Client VLANs. Re fer to T able 12-1 on pa ge 12-34 for other options.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the swit ch to use local password auth entication inste ad of RADIUS authentication. However , this is less desirable because it me ans that all clients use the same passwords and have the same access privil eges.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you sel ected either eap-radius or chap-radiu s for step 2, use the radius host command to configure up to thr ee RADIUS server IP address(es) on the switch. Syntax: rad ius host < ip-address > Adds a server to the RADIUS configuration.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listin g of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 12-42.
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For info rmation and an example on viewing current Open VLAN mode operatio n, refer to “Viewing 802.1X Open VLAN Mode Status” on page 12-62.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow On ly 802.1X-Authenticated Devices reauthenticate itself.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-S ecurity To Allo w Only 80 2.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, th en port-security learn- mode for that port must be set to either continuous (the default) or port-access .
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Configuring Switch Ports T o Operate As Supplicants for 802.1X Connections to Other Switches 802.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches • If, after the supplicant port sends the configur ed number of star t packets, it does not receive a respons e, it assumes that switch “B” is not 802.
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. Y ou can configure a switch port as a supplicant for a p oint-to-point link to an 802.
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches aaa port-access sup plicant [ethernet] <.
Displaying 802.1X Configuration, Statistics, and Counters

802.1X Authentication Commands: page 12-19
802.1X Supplicant Commands: page 12-49
802.

Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients [detailed]] —Continued—
• Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions.

ProCurve(config)# show port-access authenticator 2-3
Port Access Authentica.

Syntax: show port-access authenticator config [port-list]
Displays 802.

Access Control: Port’s authentication mode: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.

ProCurve(config)# show port-access authenticator statistics
Port Access Authe.

Syntax: show port-access authenticator vlan [port-list]
Displays the following information on the VLANs configured for use in 802.

Syntax: show port-access authenticator clients [port-list]
Displays the session status, name, and address for each 802.

Syntax: show port-access authenticator clients <port-list> detailed
Displays detailed information on the status of 802.

Viewing 802.1X Open VLAN Mode Status
You can examine the switch’s curren.

Thus, in the output shown in figure 12-17:
■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port.

Table 12-5. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower)
Status Indicator: Meaning
Status Closed: Either no client is connected or the connected client has not received authorization through 802.

Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”.

Show Commands for Port-Access Supplicant
Syntax: show port-access supplicant.
How RADIUS/802.1X Authentication Affects VLAN Operation

supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports.

Note: You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of eight clients allowed on the port.

• If the port is assigned as a member of an untagged dynamic VLAN that was l.

If this temporary VLAN assignment causes the switch to disable a different unt.

For example, suppose that a RADIUS-authenticated, 802.

This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.

When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again.

Syntax: aaa port-access gvrp-vlans — Continued — 2.

Messages Related to 802.1X Operation

Table 12-6. 802.1X Operating Messages
Message: Meaning
Port <port-list> is not an authenticator. : The ports in the port list have not been enabled as 802.
13 Configuring and Monitoring Port Security

Contents
Overview . . . . 13-3
Port Security . . . .
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 13-40
Operating Notes for Port Security . . . .
Overview

Feature: Default / Menu / CLI / Web
Displaying Current Port Security: n/a / — / page 13-8 / page 13-33
Configuring Port Security: disabled / — / page 13-.

Port Security

Basic Operation
Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction.

• Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses.

configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.

Planning Port Security
1. Plan your port security configuration and monitoring according to the following:
a. On which ports do you want port security?
b. Which devices (MAC addresses) are authorized on each port?
c.

Port Security Command Options and Operation
Port Security Commands Used in This Section
show port-security 13-9
show mac-address port-security 1.

Displaying Port Security Settings.
Syntax: show port-security
show port-security <port number>
show port-security [<port number>-<port number>].

Figure 13-3. Example of the Port Security Configuration Display for a Single Port
The next example shows the option for entering a range of ports, including a series of non-contiguous ports.

Figure 13-4. Examples of Show Mac-Address Outputs

Configuring Port Security
Using the CLI, you can:
■ Configure port security and edit security settings.

Syntax: port-security (Continued)
learn-mode <continuous | static | port-access | configured | limited-continuous> (Continued)
static:.

Syntax: port-security (Continued)
learn-mode <continuous | static | port-access | configured | limited-continuous> (Continued)
Caution.

Syntax: port-security (Continued)
Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing.

Syntax: port-security (Continued)
mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>]
Available for learn-mode with the static, configured, or limited-continuous option.

Syntax: port-security (Continued)
clear-intrusion-flag
Clears the intrusion flag for a specific port.

■ Delete it by using no port-security <port-number> mac-address <mac-addr>.
■ Download a configuration file that does not include the unwanted MAC address assignment.
■ Reset the switch to its factory-default configuration.

Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address.

(The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list.

Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”.
MAC Lockdown

The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:
ProCurve(config)# port-security a1 addr.

You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”.

Other Useful Information. Once you lock down a MAC address/VLAN pair on one port, that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address.

MAC Lockdown Operating Notes
Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.

Deploying MAC Lockdown
When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security.

(Figure: model topology showing Server “A” locked to its edge ports, with the Internal Core Network, Network Edge, Mixed Users and Edge Devices labelled.)
There is no need to lock MAC addresses on switches in the internal core network.

The key points for this Model Topology are:
• The Core Network is separated from the edge by the use of switches which have been “locked down” for security.

Figure 13-11. Connectivity Problems Using MAC Lockdown with Multiple Paths
(Figure labels: Mixed Users, Internal Network, External Network, Switch 1, Server.)
MAC Lockout

MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.

MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock:
• Broadcast or Multicast.

Port Security and MAC Lockout
MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
Web: Displaying and Configuring Port Security Features
1. Click on the Security tab.
2. Click on [Port Security].
3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.

Reading Intrusion Alerts and Resetting Alert Flags

■ The switch enables notification of the intrusion through the following means:
• In the CLI: –.

Figure 13-12. Example of Multiple Intrusion Log Entries for the Same Port
The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration).

Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags
The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen.

• Because the Port Status screen (figure 13-13 on page 13-36) does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset.

clear intrusion-flags: Clear intrusion flags on all ports.
port-security [e] <port-number> clear-intrusion-flag: Clear the intrusion flag on one or more specific ports.

To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command.

Figure 13-18. (Figure labels: Log Listing with Security Violation Detected; Log Listing with No Security Violation Detected; Log Command with “security” for Search.)

Operating Notes for Port Security

Identifying the IP Address of an Intruder.

ProCurve(config)# port-security e a17 learn-mode static address-limit 2
LACP has been disabled on secured port(s).
ProCurve(config)#
The switch will not allow you to configure LACP on a port on which port security is enabled.
14 Using Authorized IP Managers

Contents
Overview . . . . 14-2
Options . . . .

Overview

Authorized IP Manager Features
Feature: Default / Menu / CLI / Web
Listing (Showing) Authorized Managers: n/a / page 14-5 / page 14-6 / page 14-8
Configuring Authoriz.

Options
You can configure:
■ Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of station.

Defining Authorized Management Stations

rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature. (For more on this topic, see “Configuring One Station Per Authorized Manager IP Entry” on page 14-10.

Menu: Viewing and Configuring IP Authorized Managers
Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select: 2. Switch Configuration … 6.

Editing or Deleting an Authorized Manager Entry. Go to the IP Managers List screen (figure 14-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete).

ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager
Figure 14-4. Example of Configuring IP Authorized Manager
To Authorize Manager Access. This command authorizes manager-level access for any station with an IP address of 10.

Web: Configuring IP Authorized Managers
In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1.

access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server.

Building IP Masks
The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.
Configuring One Station Per Authorized Manager IP Entry
This is the easiest way to apply a mask.

IP list. Thus, in the example shown above, a “255” in an IP Mask octet (all bits in the octet are “on”) means only one value is allowed for that octet—the value you specify in the corresponding octet of the Authorized Manager IP list.

Table 14-3. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses
4th Octet of IP Mask:
4th Octet of Authorized IP Address: 249.

Operating Notes
■ Network Security Precautions: You can enhance your network’s security by keeping physical access to the switch restricted to aut.
15 Key Management System

Contents
Overview . . . . 15-2
Terminology . . . .

Overview
The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex networks and the internet grow and become a part of our daily life and business.

Configuring Key Chain Management

KMS-Related CLI Commands in This Section
show key-chain <chain_name>: page 15-3
[no] key-chain chain_name: page 15-3
[no] key-chain chain_name key Key_ID: page 15-4
The Key Management System (KMS) has three configuration steps: 1.

show key-chain: Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry: Add new key chain Entry “Procurve1”. Display key chain entries.

[accept-lifetime infinite] [send-lifetime infinite]
accept-lifetime infinite: Allows packets with this key to be accepted at any time from boot-up until the key is removed.

Note: [key-string <key_str>] This option specifies the key value referenced by the protocol using the key.

Figure 15-3. Adding Time-Dependent Keys to a Key Chain Entry (callouts: adds a key with full time and date; adds a key with duration expressed in seconds).

You can use show key-chain to display the key status at the time the command is issued. Using the information from the example configuration in figures 15-3 and 15-4, if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows: Figure 15-5.
© Copyright 2009 Hewlett-Packard Development Company, L.P. February 2009. Manual Part Number 5992-5439.