Access Security Guide: ProCurve Switches 6200yl, 5400zl, 3500yl (software K.12.XX), www.procurve.com
4-8Web and MAC AuthenticationHow Web and MAC Authentication Operate4. If none of 1, 2, or 3 above applies, then the client session does not have acces
4-9Web and MAC AuthenticationTerminologyTerminologyAuthorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged
4-10Web and MAC AuthenticationOperating Rules and NotesOperating Rules and Notes The switch supports concurrent 802.1X and either Web- or MAC-authent
4-11Web and MAC AuthenticationOperating Rules and Notes• During an authenticated client session, the following hierarchy determines a port’s VLAN mem
4-12Web and MAC AuthenticationGeneral Setup Procedure for Web/MAC Authentication Web- or MAC-based authentication and LACP cannot both be enabled on
4-13Web and MAC AuthenticationGeneral Setup Procedure for Web/MAC Authenticationc. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN”
4-14Web and MAC AuthenticationConfiguring the Switch To Access a RADIUS Server Configure the client device’s (hexadecimal) MAC address as both userna
4-15Web and MAC AuthenticationConfiguring the Switch To Access a RADIUS ServerSyntax: [no] radius-server[host < ip-address >]Adds a server to th
4-16Web and MAC AuthenticationConfiguring the Switch To Access a RADIUS ServerFor example, to configure the switch to access a RADIUS server at IP add
4-17Web and MAC AuthenticationConfiguring Web Authentication on the SwitchConfiguring Web Authentication on the SwitchOverview1. If you have not alrea
4-18Web and MAC AuthenticationConfiguring Web Authentication on the SwitchConfigure the Switch for Web-Based AuthenticationCommand PageConfiguration L
4-19Web and MAC AuthenticationConfiguring Web Authentication on the SwitchSyntax: [no] aaa port-access web-based [e] < port-list>Enables web-bas
4-20Web and MAC AuthenticationConfiguring Web Authentication on the SwitchSyntax:aaa port-access web-based [e] < port-list > [logoff-period] <
4-21Web and MAC AuthenticationConfiguring Web Authentication on the SwitchSyntax: aaa port-access web-based [e] < port-list > [redirect-url <
4-22Web and MAC AuthenticationConfiguring Web Authentication on the SwitchSyntax: aaa port-access web-based [e] < port-list > [unauth-vid <vi
4-23Web and MAC AuthenticationConfiguring Web Authentication on the SwitchSyntax: aaa port-access <port-list > controlled-directions <both |
4-24Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfiguring MAC Authentication on the SwitchOverview1. If you have not alrea
4-25Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfigure the Switch for MAC-Based AuthenticationCommand PageConfiguration L
4-26Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-
4-27Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-based [e] < port-list > [quiet-period <
4-28Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchShow Commands for Web-Based AuthenticationCommand Pageshow port-access [port
4-29Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchExample: Verifying a Web Authentication ConfigurationThe following example s
4-30Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 4-5. Example of Verifying a Web Authentication ConfigurationProCurve
4-31Web and MAC AuthenticationConfiguring MAC AuthenticationConfiguring MAC AuthenticationConfiguration Overview1. If you have not already done so, co
4-32Web and MAC AuthenticationConfiguring MAC AuthenticationSyntax: aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|mult
4-33Web and MAC AuthenticationConfiguring MAC AuthenticationSyntax: aaa port-access mac-based [e] < port-list > [auth-vid <vid>]no aaa por
4-34Web and MAC AuthenticationConfiguring MAC AuthenticationSyntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>]
4-35Web and MAC AuthenticationConfiguring MAC AuthenticationPrerequisites: As implemented in 802.1X authentication, the disabling of incoming traffic
4-36Web and MAC AuthenticationConfiguring MAC AuthenticationShow Commands for MAC-Based AuthenticationNotes: — Continued — Using the aaa port-access
4-37Web and MAC AuthenticationConfiguring MAC AuthenticationSyntax: show port-access [port-list] mac-based [clients]]Shows the port address, MAC addre
4-38Web and MAC AuthenticationConfiguring MAC AuthenticationExample: Verifying a MAC Authentication ConfigurationThe following example shows how to us
4-39Web and MAC AuthenticationClient StatusClient StatusThe table below shows the possible client status information that may be reported by a Web-bas
5-2TACACS+ AuthenticationOverviewOverviewTACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in
5-3TACACS+ AuthenticationTerminology Used in TACACS Applications:TACACS+ server for authentication services. If the switch fails to connect to any TAC
5-4TACACS+ AuthenticationTerminology Used in TACACS Applications:face. (Using the menu interface you can assign a local password, but not a username.)
5-5TACACS+ AuthenticationGeneral System RequirementsGeneral System RequirementsTo use TACACS+ authentication, you need the following: A TACACS+ serve
5-6TACACS+ AuthenticationGeneral Authentication Setup Procedureother access type (console, in this case) open in case the Telnet access fails due to a
5-7TACACS+ AuthenticationGeneral Authentication Setup ProcedureNote on Privilege LevelsWhen a TACACS+ server authenticates an access request from a sw
5-8TACACS+ AuthenticationConfiguring TACACS+ on the Switchconfiguration in your TACACS+ server application for misconfigurations or missing data tha
5-9TACACS+ AuthenticationConfiguring TACACS+ on the SwitchCLI Commands Described in this SectionViewing the Switch’s Current Authentication Configurat
5-10TACACS+ AuthenticationConfiguring TACACS+ on the SwitchViewing the Switch’s Current TACACS+ Server Contact ConfigurationThis command lists the tim
5-11TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s Authentication MethodsThe aaa authentication command configures th
5-12TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 5-1. AAA Authentication ParametersAs shown in the next table, login and enable access
5-13TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 5-2. Primary/Secondary Authentication TableCaution Regarding the Use of Local for Log
5-14TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, here is a set of access options and the corresponding commands to configure th
5-15TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s TACACS+ Server AccessThe tacacs-server command configures these pa
5-16TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Encryption KeysEncryption keys configured in the switch must exactly match the encr
5-17TACACS+ AuthenticationConfiguring TACACS+ on the Switch Name Default Rangehost <ip-addr> [key <key-string> none n/aSpecifies the IP a
5-18TACACS+ AuthenticationConfiguring TACACS+ on the SwitchAdding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was
5-19TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 5-5. Example of the Switch After Assigning a Different “First-Choice” ServerTo remov
5-20TACACS+ AuthenticationHow Authentication OperatesTo delete a per-server encryption key in the switch, re-enter the tacacs-server host command with
5-21TACACS+ AuthenticationHow Authentication OperatesUsing figure 5-6, above, after either switch detects an operator’s logon request from a remote or
5-22TACACS+ AuthenticationHow Authentication OperatesLocal Authentication ProcessWhen the switch is configured to use TACACS+, it reverts to local aut
5-23TACACS+ AuthenticationHow Authentication OperatesUsing the Encryption KeyGeneral OperationWhen used, the encryption key (sometimes termed “key”, “
5-24TACACS+ AuthenticationControlling Web Browser Interface Access When Using TACACS+ AuthenticationFor example, you would use the next command to con
5-25TACACS+ AuthenticationMessages Related to TACACS+ OperationMessages Related to TACACS+ OperationThe switch generates the CLI messages listed below
5-26TACACS+ AuthenticationOperating Notes When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acce
6-3RADIUS Authentication and AccountingOverviewOverviewRADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one
6-4RADIUS Authentication and AccountingOverviewNote The switch does not support RADIUS security for SNMP (network management) access. For information
6-5RADIUS Authentication and AccountingTerminologyTerminologyAAA: Authentication, Authorization, and Accounting groups of services provided by the ca
6-6RADIUS Authentication and AccountingSwitch Operating Rules for RADIUSVendor-Specific Attribute: A vendor-defined value configured in a RADIUS serve
6-7RADIUS Authentication and AccountingGeneral RADIUS Setup ProcedureGeneral RADIUS Setup ProcedurePreparation:1. Configure one to three RADIUS server
6-8RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationConfiguring the Switch for RADIUS Authentication• Determine how
6-9RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationOutline of the Steps for Configuring RADIUS AuthenticationThere
6-10RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication• Timeout Period: The timeout period the switch waits for a RA
6-11RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authenticationradius (or tacacs) for primary authentication, you must config
6-12RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication2. Enable the (Optional) Access Privilege OptionIn the default
6-13RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS ServerThis section
6-14RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have configured the switch as shown i
6-15RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 6-3. Sample Configuration for RADIUS Server Before Chan
6-16RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication Global server key: The server key the switch will use for co
6-17RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationNote Where the switch has multiple RADIUS servers configured t
6-18RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 6-6. Listings of Global RADIUS Parameters Configured In
6-19RADIUS Authentication and AccountingUsing SNMP To View and Configure Switch Authentication FeaturesUsing SNMP To View and Configure Switch Authent
6-20RADIUS Authentication and AccountingUsing SNMP To View and Configure Switch Authentication Features2c access. (Refer to “Switch Access Security” o
6-21RADIUS Authentication and AccountingUsing SNMP To View and Configure Switch Authentication FeaturesFigure 6-7. Disabling SNMP Access to the Authen
6-22RADIUS Authentication and AccountingLocal Authentication ProcessLocal Authentication ProcessWhen the switch is configured to use RADIUS, it revert
6-23RADIUS Authentication and AccountingControlling Web Browser Interface AccessControlling Web Browser Interface AccessTo help prevent unauthorized a
6-24RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationConfiguring RADIUS AuthorizationOverviewYou can limit the services for a user
6-25RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationEnabling Authorization with the CLITo configure authorization for controlling
6-26RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationShowing Authorization InformationYou can show the authorization information by
6-27RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationThe results of using the HP-Command-String and HP-Command-Exception attributes
6-28RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationExample Configuration on Cisco Secure ACS for MS WindowsIt is necessary to cre
6-29RADIUS Authentication and AccountingConfiguring RADIUS AuthorizationProfile=IN OUTEnums=Hp-Command-Exception-Types[Hp-Command-Exception-Types]0=Pe
6-30RADIUS Authentication and AccountingConfiguring RADIUS Authorization6. Right click and then select New > key. Add the vendor Id number that you
6-31RADIUS Authentication and AccountingConfiguring RADIUS Authorization2. Find the location of the dictionary files used by FreeRADIUS (try /usr/loca
6-32RADIUS Authentication and AccountingConfiguring RADIUS AccountingConfiguring RADIUS AccountingNote This section assumes you have already: Configu
6-33RADIUS Authentication and AccountingConfiguring RADIUS Accounting Exec accounting: Provides records holding the information listed below about lo
6-34RADIUS Authentication and AccountingConfiguring RADIUS Accounting If access to a RADIUS server fails during a session, but after the client has b
6-35RADIUS Authentication and AccountingConfiguring RADIUS Accounting1. Configure the Switch To Access a RADIUS ServerBefore you configure the actual
6-36RADIUS Authentication and AccountingConfiguring RADIUS AccountingFor example, suppose you want the switch to use the RADIUS server described be
6-37RADIUS Authentication and AccountingConfiguring RADIUS AccountingNote that there is no time span associated with using the system option. It simpl
6-38RADIUS Authentication and AccountingConfiguring RADIUS AccountingFor example, to configure RADIUS accounting on the switch with start-stop for exe
6-39RADIUS Authentication and AccountingConfiguring RADIUS AccountingTo continue the example in figure 6-11, suppose that you wanted the switch to: S
6-40RADIUS Authentication and AccountingViewing RADIUS StatisticsViewing RADIUS StatisticsGeneral RADIUS StatisticsFigure 6-13. Example of General RAD
6-41RADIUS Authentication and AccountingViewing RADIUS StatisticsFigure 6-14. RADIUS Server Information From the Show Radius Host CommandTerm Definiti
6-42RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Authentication StatisticsFigure 6-15. Example of Login Attempt and Primary/Sec
6-43RADIUS Authentication and AccountingViewing RADIUS StatisticsFigure 6-16. Example of RADIUS Authentication Information from a Specific ServerRADIU
6-44RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 6-18. Example of RADIUS Accounting Information for a Specific Server
6-45RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 6-20. Search Order for Accessing a RADIUS ServerTo exchange the posi
6-46RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 6-21. Example of New RADIUS Server Search OrderRemoves the “003” and
6-47RADIUS Authentication and AccountingMessages Related to RADIUS OperationMessages Related to RADIUS OperationMessage MeaningCan’t reach RADIUS serv
7-2Configuring RADIUS Server Support for Switch ServicesOverviewOverviewThis chapter provides information that applies to setting up a RADIUS server t
7-3Configuring RADIUS Server Support for Switch ServicesConfiguring the RADIUS Server for Per-Port CoS and Rate-Limiting ServicesConfiguring the RADIU
7-4Configuring RADIUS Server Support for Switch ServicesConfiguring the RADIUS Server for Per-Port CoS and Rate-Limiting ServicesViewing the Currently
7-5Configuring RADIUS Server Support for Switch ServicesConfiguring the RADIUS Server for Per-Port CoS and Rate-Limiting ServicesFigure 7-1. Example o
7-6Configuring RADIUS Server Support for Switch ServicesConfiguring the RADIUS Server for Per-Port CoS and Rate-Limiting ServicesFigure 7-2. Example o
7-7Configuring RADIUS Server Support for Switch ServicesConfiguring the RADIUS Server for Per-Port CoS and Rate-Limiting ServicesNote Where multiple c
7-8Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsConfiguring and Using RADIUS-Assigne
7-9Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Lists• RACL: an ACL assigned to filter ro
7-10Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Listsby other ACEs configured sequential
7-11Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsOverview of RADIUS-Assigned, Dynami
7-12Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsNote A dynamic port ACL can be appl
7-13Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsContrasting Dynamic and Static ACLs
7-14Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsCaution Regarding the Use of Source
7-15Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsHow a RADIUS Server Applies a Dynam
7-16Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsGeneral ACL Features, Planning, and
7-17Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsNote If a dynamic port ACL permits
7-18Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Listswas also configured on VLAN “Y”, th
7-19Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Lists(Note that the “string” value and t
7-20Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Listsautomatically includes an implicit
7-21Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsAny instance of a dynamic port ACL
7-22Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsConfiguration NotesExplicitly Permi
7-23Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Listsare not explicitly denied, you must
7-24Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsConfiguring the Switch To Support D
7-25Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsMAC Authentication Option:Syntax: a
7-26Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsFigure 7-7. Example Showing a Dynam
7-27Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsSyntax: show port-access authentica
7-28Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsFigure 7-8. Example of Output Showi
7-29Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control ListsCauses of Client Deauthentication I
7-30Configuring RADIUS Server Support for Switch ServicesConfiguring and Using RADIUS-Assigned Access Control Listssubscribed, new RADIUS-based sessio
8-2Configuring Secure Shell (SSH)OverviewOverviewThe switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to man
8-3Configuring Secure Shell (SSH)TerminologyNote SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, v
8-4Configuring Secure Shell (SSH)Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for po
8-5Configuring Secure Shell (SSH)Prerequisite for Using SSHPrerequisite for Using SSHBefore using the switch as an SSH server, you must install a publ
8-6Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationSteps for Configuring and Using SSHfor Switch
8-7Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationB. Switch Preparation1. Assign a login (Opera
8-8Configuring Secure Shell (SSH)General Operating Rules and NotesGeneral Operating Rules and Notes Public keys generated on an SSH client must be ex
8-9Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationConfiguring the Switch for SSH Operation1. Assigning a Local Login (Operator)
8-10Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 8-4. Example of Configuring Local Passwords2. Generating the Switch’s
8-11Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNotes When you generate a host key pair on the switch, the switch places the
8-12Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, to generate and display a new key:Figure 8-5. Example of Genera
8-13Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationdistribution to clients is to use a direct, serial connection between the sw
8-14Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation4. Add any data required by your SSH client application. For example Before
8-15Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 8-9. Examples of Visual Phonetic and Hexadecimal Conversions of the S
8-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationSSH Client Contact Behavior. At the first contact between the switch and an
8-17Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation Zeroize the switch’s existing key pair. (page 8-11).The ip ssh key-size co
8-18Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationCaution Protect your private key file from access by anyone other than yours
8-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.
8-20Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, assume that you have a client public-key file named Client-Keys
8-21Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 8-12 shows how to check the results of the above commands.Figure 8-12
8-22Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFurther Information on SSH Client Public-Key Authenticati
8-23Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication3. If there is not a match, and you have not configured t
8-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationNotes Comments in public key files, such as smith@support
8-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationNote on Public KeysThe actual content of a public key ent
8-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi
8-27Configuring Secure Shell (SSH)Messages Related to SSH OperationCaution To enable client public-key authentication to block SSH clients whose publi
8-28Configuring Secure Shell (SSH)Messages Related to SSH OperationDownload failed: overlength key in key file.Download failed: too many keys in key f
9-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for
9-3Configuring Secure Socket Layer (SSL)TerminologyFigure 9-1. Switch/User AuthenticationSSL on the switches covered in this guide supports these data
9-4Configuring Secure Socket Layer (SSL)Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-
9-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install
9-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi
9-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assigning a Local Login (Op
9-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the web browser interface To Configure Local Passwords. You can
9-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation2. Generating the Switch’s Server Host Certificate You must generate a
9-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo Generate or Erase the Switch’s Server Certificatewith the CLIBecau
9-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationComments on certificate fields. There are a number of arguments used in
9-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNotes “Zeroizing” the switch’s server host certificate or key automat
9-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationGenerate a Self-Signed Host Certificate with the Web browser interfac
9-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers
9-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 9-6. Web browser Interface showing current SSL Host Certificat
1-2Security OverviewIntroductionIntroductionBefore you connect your switch to a network, ProCurve strongly recommends that you review the Security Ove
9-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with
9-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 9-7. Request for Verified Host Certificate Web Browser Interf
9-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s
9-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI interface to enable SSLTo enable SSL on the switch1. Ge
9-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 9-8. Using the web browser interface to enable SSL and select
9-21Configuring Secure Socket Layer (SSL)Common Errors in SSL setup
1-3Security OverviewSwitch Access SecuritySwitch Access SecurityThis section outlines provisions for protecting access to the switch’s status informat
10-4Access Control Lists (ACLs)IntroductionIntroductionAn Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying
10-5Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchOverview of Options for Applying ACLs on the SwitchTo apply ACL filt
10-6Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchNote This chapter describes the ACL applications you can statically
10-7Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchDelete a Standard ACL ProCurve(config)# no ip access-list standard &
10-8Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchTable 10-2. Command Summary for Extended ACLsAction Command(s) PageC
10-9Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchTable 10-3. Command Summary for Enabling, Disabling, and Displaying
10-10Access Control Lists (ACLs)TerminologyTerminologyAccess Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to ex
10-11Access Control Lists (ACLs)TerminologyACL: See “Access Control List”.ACL ID: A number or alphanumeric string used to identify an ACL. A standard
10-12Access Control Lists (ACLs)Terminologyidentifier: The term used in ACL syntax statements to represent either the name or number by which the ACL
10-13Access Control Lists (ACLs)TerminologyNamed ACL: An ACL created with the ip access-list < extended | standard > < name-str > command
ProCurveSeries 5400zl SwitchesSeries 3500yl Switches6200yl SwitchAccess Security GuideFebruary 2007K.12.XX
1-4Security OverviewSwitch Access SecurityInbound Telnet Access and Web Browser AccessThe default remote management protocols enabled on the switch ar
10-14Access Control Lists (ACLs)Terminologyseq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an A
10-15Access Control Lists (ACLs)OverviewOverviewTypes of IP ACLsA permit or deny policy for IP traffic you want to filter can be based on source IP ad
10-16Access Control Lists (ACLs)Overview• outbound traffic generated by the switch itself. VLAN ACL (VACL): on a VLAN configured with a VACL, any inb
10-17Access Control Lists (ACLs)OverviewFigure 10-1. Example of RACL Filter Applications on Routed IP TrafficNotes The switch allows one inbound RACL
10-18Access Control Lists (ACLs)OverviewVACL ApplicationsVACLs filter any IP traffic entering the switch on a VLAN configured with the “VLAN” ACL opti
10-19Access Control Lists (ACLs)OverviewStatic Port ACL and Dynamic Port ACL Applications Static Port ACL: filters any IP traffic inbound on the desi
10-20Access Control Lists (ACLs)Overview802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually
10-21Access Control Lists (ACLs)Overview One inbound and one outbound RACL filtering routed IP traffic moving through the port for VLAN “X”. (Also ap
10-22Access Control Lists (ACLs)Overview An RACL that denies inbound IP traffic having a destination on the 10.28.10.0 subnetIn this case, no IP traf
10-23Access Control Lists (ACLs)Overview You can apply any one ACL to multiple interfaces. All ACEs in an ACL configured on the switch are automatic
1-5Security OverviewSwitch Access Securityyou enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access
10-24Access Control Lists (ACLs)OverviewGeneral Steps for Planning and Configuring ACLs1. Identify the ACL application to apply. As part of this step
10-25Access Control Lists (ACLs)Overview5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or
10-26Access Control Lists (ACLs)ACL OperationACL OperationIntroductionAn ACL is a list of one or more Access Control Entries (ACEs), where each ACE co
10-27Access Control Lists (ACLs)ACL OperationNote After you assign an ACL to an interface, the default action on the interface is to implicitly deny a
10-28Access Control Lists (ACLs)ACL Operationno further comparisons of the packet are made with the remaining ACEs in the list. This means that when a
10-29Access Control Lists (ACLs)ACL OperationNote The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs,
10-30Access Control Lists (ACLs)Planning an ACL ApplicationIt is important to remember that all ACLs configurable on the switch include an implicit de
10-31Access Control Lists (ACLs)Planning an ACL Application Any TCP traffic (only) for a specific TCP port or range of ports, including optional cont
10-32Access Control Lists (ACLs)Planning an ACL ApplicationSecurityACLs can enhance security by blocking IP traffic carrying an unauthorized source IP
10-33Access Control Lists (ACLs)Planning an ACL ApplicationAccess Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proc
1-6Security OverviewSwitch Access SecurityFor details on this feature, refer to the section titled “Using SNMP To View and Configure Switch Authentica
10-34Access Control Lists (ACLs)Planning an ACL Application• Numeric Standard ACLs: Up to 99; numeric range: 1 - 99 • Numeric Extended ACLs: Up to 100
10-35Access Control Lists (ACLs)Planning an ACL Application VACLs: These filter any IP traffic entering the switch through any port belonging to the
10-36Access Control Lists (ACLs)Planning an ACL ApplicationHow an ACE Uses a Mask To Screen Packets for MatchesWhen the switch applies an ACL to IP tr
10-37Access Control Lists (ACLs)Planning an ACL ApplicationRules for Defining a Match Between a Packet and anAccess Control Entry (ACE) For a given A
10-38Access Control Lists (ACLs)Planning an ACL Application Every IP address and mask pair (source or destination) used in an ACE creates one of the
10-39Access Control Lists (ACLs)Planning an ACL ApplicationExample of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet
10-40Access Control Lists (ACLs)Planning an ACL ApplicationExamples Allowing Multiple IP Addresses. Table 10-5 provides exam-ples of how to apply mas
10-41Access Control Lists (ACLs)Configuring and Assigning an ACLConfiguring and Assigning an ACL OverviewGeneral Steps for Implementing ACLs1. Configu
10-42Access Control Lists (ACLs)Configuring and Assigning an ACLOptions for Permit/Deny PoliciesThe permit or deny policy for IP traffic you want to f
10-43Access Control Lists (ACLs)Configuring and Assigning an ACL3. One or more deny/permit list entries (ACEs): One entry per line. 4. Implicit Deny:
1-7Security OverviewSwitch Access SecurityOther Provisions for Management Access SecurityThe following features can help to prevent unauthorized manag
10-44Access Control Lists (ACLs)Configuring and Assigning an ACLFor example, figure 10-10 shows how to interpret the entries in a standard ACL.Figure
10-45Access Control Lists (ACLs)Configuring and Assigning an ACLExtended ACL Configuration StructureIndividual ACEs in an extended ACL include: A per
10-46Access Control Lists (ACLs)Configuring and Assigning an ACLFor example, figure 10-12 shows how to interpret the entries in an extended ACL.Figure
10-47Access Control Lists (ACLs)Configuring and Assigning an ACLsignificant because, once a match is found for a packet, subsequent ACEs in the same A
10-48Access Control Lists (ACLs)Configuring and Assigning an ACLAllowing for the Implied Deny Function In any ACL having one or more ACEs there will a
10-49Access Control Lists (ACLs)Configuring and Assigning an ACLUsing the CLI To Create an ACL You can use either the switch CLI or an offline text ed
10-50Access Control Lists (ACLs)Configuring and Assigning an ACLTo insert an ACE anywhere in a numbered ACL, use the same process as described above f
10-51Access Control Lists (ACLs)Configuring Standard ACLsConfiguring Standard ACLsTable 10-9. Command Summary for Standard ACLsAction Command(s) PageC
10-52Access Control Lists (ACLs)Configuring Standard ACLsA standard ACL uses only source IP addresses in its ACEs. This type of ACE is useful when you
10-53Access Control Lists (ACLs)Configuring Standard ACLsConfiguring Named, Standard ACLsThis section describes the commands for performing the follow
1-8Security OverviewNetwork Security FeaturesNetwork Security FeaturesThis section outlines features for protecting access through the switch to the n
10-54Access Control Lists (ACLs)Configuring Standard ACLsConfiguring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip acces
10-55Access Control Lists (ACLs)Configuring Standard ACLsExample of Creating and Listing a Standard, Named ACL. This exam-ple illustrates how to crea
10-56Access Control Lists (ACLs)Configuring Standard ACLsFigure 10-15. Screen Output Listing the “Sample-List” ACL ContentCreating Numbered, Standard
10-57Access Control Lists (ACLs)Configuring Standard ACLsCreating or Adding to a Standard, Numbered ACL. This command is an alternative to using ip a
10-58Access Control Lists (ACLs)Configuring Standard ACLs< any | host < SA > | SA < mask | SA/mask-length >>Defines the source IP a
10-59Access Control Lists (ACLs)Configuring Standard ACLsExample of Creating and Viewing a Standard ACL. This example cre-ates a standard, numbered A
10-60Access Control Lists (ACLs)Configuring Extended ACLsConfiguring Extended ACLsTable 10-10. Command Summary for Extended ACLsAction Command(s) Page
10-61Access Control Lists (ACLs)Configuring Extended ACLsStandard ACLs use only source IP addresses for filtering criteria, extended ACLs use multiple
10-62Access Control Lists (ACLs)Configuring Extended ACLsConfiguring Named, Extended ACLsFor a match to occur with an ACE in an extended ACL, a packet
10-63Access Control Lists (ACLs)Configuring Extended ACLsCreating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command
1-9Security OverviewNetwork Security FeaturesFor more information, refer to Chapter 13 “Configuring Port-Based and User-Based Access Control (802.1X)”
10-64Access Control Lists (ACLs)Configuring Extended ACLsConfigure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configu
10-65Access Control Lists (ACLs)Configuring Extended ACLs< ip | ip-protocol | ip-protocol-nbr >Used after deny or permit to specify the packet p
10-66Access Control Lists (ACLs)Configuring Extended ACLs< any | host < DA > | DA/mask-length | DA/ < mask >>This is the second inst
10-67Access Control Lists (ACLs)Configuring Extended ACLs[ tos < tos-setting > ]This option can be used after the DA to cause the ACE to match p
10-68Access Control Lists (ACLs)Configuring Extended ACLsOptions for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or U
10-69Access Control Lists (ACLs)Configuring Extended ACLsPort Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli-ca
10-70Access Control Lists (ACLs)Configuring Extended ACLsOptions for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to pe
10-71Access Control Lists (ACLs)Configuring Extended ACLs[ icmp-type-name ]These name options are an alternative to the [icmp-type [ icmp-code] ] meth
10-72Access Control Lists (ACLs)Configuring Extended ACLsOption for IGMP in Extended ACLs. This option is useful where it is nec-essary to permit som
10-73Access Control Lists (ACLs)Configuring Extended ACLsExample of a Named, Extended ACL. Suppose that you want to imple-ment these policies on a sw
1-10Security OverviewNetwork Security FeaturesSecure Socket Layer (SSLv3/TLSv1)This feature includes use of Transport Layer Security (TLSv1) to provid
10-74Access Control Lists (ACLs)Configuring Extended ACLsFigure 10-19. Example of Configuration Commands for Extended ACLsConfiguring Numbered, Extend
10-75Access Control Lists (ACLs)Configuring Extended ACLsCreating or Adding to an Extended, Numbered ACL. This command is an alternative to using ip
10-76Access Control Lists (ACLs)Configuring Extended ACLs< deny | permit >Specifies whether to deny (drop) or permit (forward) a packet that mat
10-77Access Control Lists (ACLs)Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a pack
10-78Access Control Lists (ACLs)Configuring Extended ACLs[ precedence < 0 - 7 | precedence-name >]This option causes the ACE to match packets wi
10-79Access Control Lists (ACLs)Configuring Extended ACLsAdditional Options for TCP and UDP Traffic. An ACE designed to per-mit or deny TCP or UDP tr
10-80Access Control Lists (ACLs)Configuring Extended ACLsAdditional Option for IGMP. This option is useful where it is necessary to permit some types
10-81Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceAdding or Removing an ACL Assignment On an InterfaceFiltering Rout
10-82Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFigure 10-20. Methods for Enabling and Disabling RACLsFiltering IP
10-83Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFigure 10-21. Methods for Enabling and Disabling VACLsProCurve(con
1-11Security OverviewNetwork Security FeaturesPrecedence of Security Options. Where the switch is running multiple security options, it implements ne
10-84Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFiltering Inbound IP Traffic Per PortFor a given port, port list,
10-85Access Control Lists (ACLs)Deleting an ACLDeleting an ACLSyntax: no ip access-list standard < name-str | 1-99 >no ip access-list extended &
10-86Access Control Lists (ACLs)Editing an Existing ACLEditing an Existing ACLThe CLI provides the capability for editing in the switch by using seque
10-87Access Control Lists (ACLs)Editing an Existing ACL Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is “empty”
10-88Access Control Lists (ACLs)Editing an Existing ACLFor example, to append a fourth ACE to the end of the ACL in figure 10-23:Figure 10-25. Example
10-89Access Control Lists (ACLs)Editing an Existing ACL2. Begin the ACE command with a sequence number that identifies the position you want the ACE
10-90Access Control Lists (ACLs)Editing an Existing ACLDeleting an ACE from an Existing ACLThis action uses ACL sequence numbers to delete ACEs from a
10-91Access Control Lists (ACLs)Editing an Existing ACLResequencing the ACEs in an ACLThis action reconfigures the starting sequence number for ACEs i
10-92Access Control Lists (ACLs)Editing an Existing ACLAttaching a Remark to an ACEA remark is numbered in the same way as an ACE, and uses the same s
10-93Access Control Lists (ACLs)Editing an Existing ACLNote After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it
1-12Security OverviewAdvanced Threat DetectionAdvanced Threat DetectionAdvanced threat detection covers a range of features used to detect anoma-lous
10-94Access Control Lists (ACLs)Editing an Existing ACLInserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark wit
10-95Access Control Lists (ACLs)Editing an Existing ACLOperating Notes for Remarks The resequence command ignores “orphan” remarks that do not have a
10-96Access Control Lists (ACLs)Displaying ACL Configuration DataDisplaying ACL Configuration DataACL Commands Function Pageshow access-list Displays
10-97Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay an ACL SummaryThis command lists the configured ACLs, regardless of whether t
10-98Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay the Content of All ACLs on the SwitchThis command lists the configuration det
10-99Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay the RACL and VACL Assignments for a VLANThis command briefly lists the identi
10-100Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay Static Port ACL Assignments This command briefly lists the identification an
10-101Access Control Lists (ACLs)Displaying ACL Configuration DataDisplaying the Content of a Specific ACLThis command displays a specific ACL configu
10-102Access Control Lists (ACLs)Displaying ACL Configuration DataFigure 10-37. Examples of Listings Showing the Content of Standard and Extended ACLs
10-103Access Control Lists (ACLs)Displaying ACL Configuration DataTable 10-11. Descriptions of Data Types Included in Show Access-List < acl-id >
1-13Security OverviewIdentity-Driven Manager (IDM)Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-ba
10-104Access Control Lists (ACLs)Creating or Editing ACLs OfflineCreating or Editing ACLs OfflineThe section titled “Editing an Existing ACL” on page
10-105Access Control Lists (ACLs)Creating or Editing ACLs OfflineIf you are replacing an ACL on the switch with a new ACL that uses the same number or
10-106Access Control Lists (ACLs)Creating or Editing ACLs Offline Deny all other IP traffic from VLAN 20 to VLAN 10. Deny all IP traffic from VLAN 3
10-107Access Control Lists (ACLs)Creating or Editing ACLs OfflineIn this example, the CLI would show the following output to indicate that the ACL was
10-108Access Control Lists (ACLs)Creating or Editing ACLs OfflineFigure 10-41. Example of Verifying the .txt File Download to the Switch5. If the conf
10-109Access Control Lists (ACLs)Enable ACL “Deny” LoggingEnable ACL “Deny” LoggingACL logging enables the switch to generate a message when IP traffi
10-110Access Control Lists (ACLs)Enable ACL “Deny” LoggingACL Logging OperationWhen the switch detects a packet match with an ACE and the ACE includes
10-111Access Control Lists (ACLs)Enable ACL “Deny” LoggingEnabling ACL Logging on the Switch1. If you are using a Syslog server, use the logging <
10-112Access Control Lists (ACLs)Enable ACL “Deny” LoggingFigure 10-44. Commands for Applying an ACL with Logging to Figure 10-43ProCurve(config)# ip
10-113Access Control Lists (ACLs)General ACL Operating NotesGeneral ACL Operating NotesACLs do not provide DNS hostname support. ACLs cannot be confi
Hewlett-Packard Company8000 Foothills Boulevard, m/s 5551Roseville, California 95747-5551www.procurve.com© Copyright 2005-2007 Hewlett-Packard Develo
10-114Access Control Lists (ACLs)General ACL Operating NotesMonitoring Shared Resources. Applied ACLs share internal switch resources with several ot
11-111Configuring Advanced Threat ProtectionContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-2Configuring Advanced Threat ProtectionIntroductionIntroductionAs your network expands to include an increasing number of mobile devices, continuou
11-3Configuring Advanced Threat ProtectionDHCP Snooping• Attempts to exhaust system resources so that sufficient resources are not available to transm
11-4Configuring Advanced Threat ProtectionDHCP SnoopingDHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected
11-5Configuring Advanced Threat ProtectionDHCP SnoopingTo display the DHCP snooping configuration, enter this command:ProCurve(config)# show dhcp-snoo
11-6Configuring Advanced Threat ProtectionDHCP SnoopingFigure 11-2. Example of Show DHCP Snooping StatisticsEnabling DHCP Snooping on VLANSDHCP snoopi
11-7Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring DHCP Snooping Trusted PortsBy default, all ports are untrusted. To configure a port
11-8Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring Authorized Server AddressesIf authorized server addresses are configured, a packet
11-9Configuring Advanced Threat ProtectionDHCP SnoopingNote DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, n
2-12Configuring Username and Password SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-10Configuring Advanced Threat ProtectionDHCP SnoopingChanging the Remote-id from a MAC to an IP AddressBy default, DHCP snooping uses the MAC addre
11-11Configuring Advanced Threat ProtectionDHCP SnoopingFigure 11-7. Example Showing the DHCP Snooping Verify MAC SettingThe DHCP Binding DatabaseDHCP
11-12Configuring Advanced Threat ProtectionDHCP SnoopingA message is logged in the system event log if the DHCP binding database fails to update.To di
11-13Configuring Advanced Threat ProtectionDHCP Snooping ProCurve recommends running a time synchronization protocol such as SNTP in order to track l
11-14Configuring Advanced Threat ProtectionDHCP SnoopingCeasing untrusted relay information logs for <duration>. More than one DHCP client pack
11-15Configuring Advanced Threat ProtectionDynamic ARP ProtectionDynamic ARP ProtectionIntroductionOn the VLAN interfaces of a routing switch, dynamic
11-16Configuring Advanced Threat ProtectionDynamic ARP Protection• If a binding is valid, the switch updates its local ARP cache and forwards the pack
11-17Configuring Advanced Threat ProtectionDynamic ARP ProtectionEnabling Dynamic ARP ProtectionTo enable dynamic ARP protection for VLAN traffic on a
11-18Configuring Advanced Threat ProtectionDynamic ARP ProtectionTake into account the following configuration guidelines when you use dynamic ARP pro
11-19Configuring Advanced Threat ProtectionDynamic ARP ProtectionTo add the static configuration of an IP-to-MAC binding for a port to the database, e
2-2Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons
11-20Configuring Advanced Threat ProtectionDynamic ARP ProtectionYou can configure one or more of the validation checks. The following example of the
11-21Configuring Advanced Threat ProtectionDynamic ARP ProtectionDisplaying ARP Packet StatisticsTo display statistics about forwarded ARP packets, dr
11-22Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorUsing the Instrumentation MonitorThe instrumentation monitor can be used t
11-23Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorOperating Notes To generate alerts for monitored events, you must enable
11-24Configuring Advanced Threat ProtectionUsing the Instrumentation Monitor Alerts are automatically rate limited to prevent filling the log file wi
11-25Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo enable instrumentation monitor using the default parameters and thresh-
11-26Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo adjust the alert threshold for the MAC address count to a specific valu
11-27Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorAn alternate method of determining the current Instrumentation Monitor con
12-112Traffic/Security Filters and MonitorsContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2-3Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if
12-2Traffic/Security Filters and MonitorsOverviewOverviewApplicable Switch Models. As of October, 2005, Traffic/Security filters are available on thes
12-3Traffic/Security Filters and MonitorsFilter Types and OperationYou can enhance in-band security and improve control over access to network resourc
12-4Traffic/Security Filters and MonitorsFilter Types and OperationSource-Port FiltersThis filter type enables the switch to forward or drop traffic f
12-5Traffic/Security Filters and MonitorsFilter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the s
12-6Traffic/Security Filters and MonitorsFilter Types and OperationFigure 12-3. The Filter for the Actions Shown in Figure 12-2Named Source-Port Filte
12-7Traffic/Security Filters and MonitorsFilter Types and Operation A named source-port filter can only be deleted when it is not applied to any port
12-8Traffic/Security Filters and MonitorsFilter Types and OperationA named source-port filter must first be defined and configured before it can be ap
12-9Traffic/Security Filters and MonitorsFilter Types and OperationUsing Named Source-Port FiltersA company wants to manage traffic to the Internet an
12-10Traffic/Security Filters and MonitorsFilter Types and Operation Applying Example Named Source-Port Filters. Once the named source-port filters ha
12-11Traffic/Security Filters and MonitorsFilter Types and OperationUsing the IDX value in the show filter command, we can see how traffic is filtered
2-4Configuring Username and Password SecurityOverviewNote The manager and operator passwords and (optional) usernames control access to the menu inter
12-12Traffic/Security Filters and MonitorsFilter Types and OperationThe same command, using IDX 26, shows how traffic from the Internet is handled.Pro
12-13Traffic/Security Filters and MonitorsFilter Types and OperationAs the company grows, more resources are required in accounting. Two additional ac
12-14Traffic/Security Filters and MonitorsFilter Types and OperationThe following revisions to the named source-port filter definitions maintain the d
12-15Traffic/Security Filters and MonitorsFilter Types and OperationStatic Multicast FiltersThis filter type enables the switch to forward or drop mul
12-16Traffic/Security Filters and MonitorsFilter Types and OperationNotes: Per-Port IP Multicast Filters. The static multicast filters described in th
12-17Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring Traffic/Security FiltersUse this procedure to specify the ty
12-18Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring a Source-Port Traffic FilterSyntax: [no] filter [source-port
12-19Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersExample of Creating a Source-Port FilterFor example, assume that you wan
12-20Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersfilter on port 5, then create a trunk with ports 5 and 6, and display th
12-21Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 12-7. Assigning Additional Destination Ports to an Existing Filte
2-5Configuring Username and Password SecurityConfiguring Local Password SecurityConfiguring Local Password SecurityMenu: Setting PasswordsAs noted ear
12-22Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFor example, suppose you wanted to configure the filters in table 12-3 o
12-23Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersDisplaying Traffic/Security FiltersThis command displays a listing of al
12-24Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 12-9. Example of Displaying Filter DataFilter Index Numbers (Auto
13-113Configuring Port-Based andUser-Based Access Control (802.1X)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13-2Configuring Port-Based and User-Based Access Control (802.1X)Contents3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . .
13-3Configuring Port-Based and User-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based or User-Based Access Control?Local Area Networks a
13-4Configuring Port-Based and User-Based Access Control (802.1X)Overview• Port-Based access control option allowing authentication by a single client
13-5Configuring Port-Based and User-Based Access Control (802.1X)Overviewthe session total includes any sessions begun by the Web Authentication or MA
13-6Configuring Port-Based and User-Based Access Control (802.1X)TerminologyNote Port-Based 802.1X can operate concurrently with Web-Authentication or
13-7Configuring Port-Based and User-Based Access Control (802.1X)Terminologylocal authentication is used, in which case the switch performs this funct
2-6Configuring Username and Password SecurityConfiguring Local Password SecurityTo Delete Password Protection (Including Recovery from a Lost Password
13-8Configuring Port-Based and User-Based Access Control (802.1X)TerminologySupplicant: The entity that must provide the proper credentials to the swi
13-9Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationGeneral 802.1X Authenticator OperationThis oper
13-10Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationNote The switches covered in this guide can us
13-11Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationFigure 13-1. Priority of VLAN Assignment for a
13-12Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and NotesGeneral Operating Rules and Notes In the user-base
13-13Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and Notes If a port on switch “A” is configured as an 802.1
13-14Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlGeneral Setup Procedure for 802.1X
13-15Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlOverview: Configuring 802.1X Authen
13-16Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsNote If you want to implement the o
13-17Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators1. Enable 802.1X Authentication on
2-7Configuring Username and Password SecurityConfiguring Local Password SecurityCLI: Setting Passwords and UsernamesCommands Used in This SectionConfi
13-18Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsB. Specify User-Based Authenticatio
13-19Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsExample: Configuring User-Based 802
13-20Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[quiet-period < 0 - 65535 >]S
13-21Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authenticat
13-22Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsFor example, to enable the switch t
13-23Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators5. Enable 802.1X Authentication on
13-24Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators7. Optional: Configure 802.1X Contr
13-25Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsThe aaa port-access controlled-dire
13-26Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeFigure 13-5. Example of Configuring 802.1X Controlled Direction
13-27Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeThe 802.1X Open VLAN mode solves this problem by temporarily su
2-8Configuring Username and Password SecurityFront-Panel SecurityWeb: Setting Passwords and UsernamesIn the web browser interface you can enter passwo
13-28Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeA port assigned to a VLAN by an Authorized-Client VLAN configur
13-29Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeTable 13-2. 802.1X Open VLAN Mode Options802.1X Per-Port Config
13-30Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeAuthorized-Client VLAN • After client authentication, the port
13-31Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured
13-32Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Authorized-Client VLAN Configured:•
13-33Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client andUnauthorized-Client VL
13-34Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of Unauthorized-Client VLAN session on untagged port VLA
13-35Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of RADIUS-assigned VLANThis rule assumes no other authen
13-36Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote: If you use the same VLAN as the Unauthorized-Client VLAN
13-37  Setting Up and Configuring 802.1X Open VLAN Mode. Preparation. Th
2-9  Gaining management access to the switch by having physical access to the switch its
13-38  Note that as an alternative, you can configure the switch to us
13-39  3. If you selected either eap-radius or chap-radius for step 2,
13-40  Configuring 802.1X Open VLAN Mode. Use these commands to actual
13-41  Inspecting 802.1X Open VLAN Mode Operation. For information an
13-42  Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent
13-43  Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent (continued)
13-44  Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S
13-45  Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S (continued)
13-46  Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S (continued)
13-47  Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S (continued)
iii  Contents | Product Documentation | About Your Switch Manual Set … xix | Printed Publication
2-10  Front-Panel Button Functions. The front panel of the switch includes the Reset button
13-48  Displaying 802.1X Configuration, Statistics, and Counters | Displaying 802.1X Configura
13-49  show port-access authentica
13-50  Figure 13-8. Example of sho
13-51  Viewing 802.1X Open VLAN Mo
13-52  Thus, in the output shown i
13-53  Table 13-3. Output for Dete
13-54  Figure 13-10. Example of Sho
13-55  Show Commands for Port-Acce
13-56  How RADIUS/802.1X Authentication Affects VLAN Operation | supplicant port to another wi
13-57  For example, suppose that a R
2-11  Reset Button. Pressing the Reset button alone for one second causes the switch to rebo
13-58  Figure 13-12. The Active Confi
13-59  When the 802.1X client’s sess
13-60  Operating Notes | Applying Web Authentication or MAC Authentication Co
13-61  Messages Related to 802.1X Operation | Table 13-4.
14-1  14 Configuring and Monitoring Port Security | Contents | Overview …
14-2  Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags …
14-3  Overview | Port Security (Page 14-4). This feature enables you to configure each switch port with a
14-4  Port Security | Basic Operation | Default Port Security Operation. The default port security s
14-5  • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the
2-12  3. Release the Reset button. 4. When the Test LED to the right of the Clear button be
14-6  configuration to ports on which hubs, switches, or other devices are connected, and to m
14-7  Planning Port Security. 1. Plan your port security configuration and monitoring according to th
14-8  Port Security Command Options and Operation | Port Security Commands Used in This Section. Th
14-9  Displaying Port Security Settings. Figure 14-2. Example Port Security Listing (Ports A7 and
14-10  Figure 14-3. Example of the Port Security Configuration Display for a Single Port. The n
14-11  Listing Authorized and Detected MAC Addresses. Figure 14-4. Examples of Show Mac-Address Ou
14-12  Configuring Port Security. Using the CLI, you can: Configure port security and edit secu
14-13  Syntax: port-security (Continued) learn-mode < continuous | static | port-access | config
14-14  Syntax: port-security (Continued) learn-mode < continuous | static | port-access | c
14-15  Syntax: port-security (Continued) Addresses learned this way appear in the switch and port ad
2-13  • Configure the Clear button to reboot the switch after clearing any local usernames
14-16  Syntax: port-security (Continued) mac-address [<mac-addr>] [<mac-addr>] . .
14-17  Syntax: port-security (Continued) clear-intrusion-flag: Clears the intrusion flag for a specifi
14-18  Retention of Static Addresses. Static MAC addresses do not age-out. MAC addresses learned
14-19  Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to au
14-20  Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s
14-21  (The message Inconsistent value appears if the new MAC address exceeds the current Address L
14-22  Removing a Device From the “Authorized” List for a Port. This command option removes un
14-23  MAC Lockdown | The following command serves this purpose by removing 0c0090-123456 and reducing the Address
14-24  You will need to enter a separate command for each MAC/VLAN pair you wish to lock down.
14-25  Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair ca
2-14  For example, show front-panel-security produces the following output when the switch
14-26  MAC Lockdown Operating Notes. Limits. There is a limit of 500 MAC Lockdowns that you can
14-27  Deploying MAC Lockdown. When you deploy MAC Lockdown you need to consider how you use it within
14-28  Figure 14-10. MAC Lockdown Deployed At the Network Edge Provides Security. Basic MAC Lockdo
14-29  The key points for this Model Topology are: • The Core Network is separated from the edge by t
14-30  Figure 14-11. Connectivity Problems Using MAC Lockdown with Multiple Paths. The resultant
14-31  MAC Lockout | MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch
14-32  MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot
14-33  Port Security and MAC Lockout. MAC Lockout is independent of port-security and in fact will over
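The port-security pages above (learn-mode static with an address-limit, the "Inconsistent value" check when more addresses are configured than the limit allows, the intrusion flag and the send-alarm/send-disable actions) and the MAC Lockout pages (lockout overrides port security and 802.1X) together describe a small state machine. The following is an added example, not ProCurve code and not from the guide, that runs constructed frames through that state machine; the `Switch`/`Port` classes, the log wording and the choice to raise one alarm per port until its intrusion flag is cleared are this example's own assumptions.

```python
"""Port-security learn modes, intrusion handling and MAC Lockout precedence as
the guide describes them. Added example (not ProCurve code). Assumptions: the
Switch/Port model, the log wording, and raising one alarm per port until its
intrusion flag is cleared are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CONTINUOUS, STATIC = "continuous", "static"                 # learn-mode values modelled
NONE, SEND_ALARM, SEND_DISABLE = "none", "send-alarm", "send-disable"   # action values


@dataclass
class Port:
    name: str
    learn_mode: str = CONTINUOUS
    address_limit: int = 1
    authorized: Set[str] = field(default_factory=set)   # configured, plus learned in static mode
    action: str = NONE
    intrusion_flag: bool = False
    enabled: bool = True


@dataclass
class Switch:
    ports: Dict[str, Port] = field(default_factory=dict)
    lockout: Set[str] = field(default_factory=set)      # lockout-mac: all ports, all VLANs
    log: List[str] = field(default_factory=list)

    def configure(self, name, learn_mode=CONTINUOUS, address_limit=1, macs=(), action=NONE):
        """port-security <port> learn-mode <mode> address-limit <n> mac-address <macs> action <a>"""
        if len(macs) > address_limit:
            raise ValueError("Inconsistent value: more addresses than address-limit")
        self.ports[name] = Port(name, learn_mode, address_limit, set(macs), action)

    def receive(self, port_name: str, src_mac: str) -> str:
        """Verdict for a frame: 'forward', 'drop' or 'drop-disabled'."""
        port = self.ports[port_name]
        if src_mac in self.lockout:                      # MAC Lockout overrides everything else
            self.log.append(f"{port_name}: {src_mac} is locked out, frame dropped")
            return "drop"
        if not port.enabled:
            return "drop-disabled"
        if port.learn_mode == CONTINUOUS:                # default: learn freely, no intrusions
            return "forward"
        if src_mac in port.authorized:
            return "forward"
        if len(port.authorized) < port.address_limit:    # static mode fills free slots by learning
            port.authorized.add(src_mac)
            return "forward"
        return self._intrusion(port, src_mac)

    def _intrusion(self, port: Port, src_mac: str) -> str:
        if not port.intrusion_flag:
            port.intrusion_flag = True
            if port.action in (SEND_ALARM, SEND_DISABLE):
                self.log.append(f"{port.name}: security violation, unauthorized {src_mac}")
        if port.action == SEND_DISABLE:
            port.enabled = False
            return "drop-disabled"
        return "drop"

    def clear_intrusion_flag(self, port_name: str):      # port-security <port> clear-intrusion-flag
        self.ports[port_name].intrusion_flag = False

    def enable(self, port_name: str):                    # interface <port> enable
        self.ports[port_name].enabled = True


def demo() -> List[str]:
    """Constructed traffic against one static port; returns the event log."""
    sw = Switch()
    sw.configure("A1", STATIC, address_limit=2, macs=("0c0090-123456",), action=SEND_DISABLE)
    for mac in ("0c0090-123456", "0c0090-aaaaaa", "0c0090-bbbbbb"):
        sw.log.append(f"A1 <- {mac}: {sw.receive('A1', mac)}")
    sw.lockout.add("0c0090-123456")                      # lockout-mac 0c0090-123456
    sw.enable("A1")
    sw.clear_intrusion_flag("A1")
    sw.log.append(f"A1 <- 0c0090-123456: {sw.receive('A1', '0c0090-123456')}")
    return sw.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two things the model makes visible: in static mode with address-limit 2 and one configured address, the second slot is filled by whichever device talks first, so the limit is not by itself a whitelist; and a locked-out address is dropped even on a port where it is an authorized port-security entry, which is the precedence the MAC Lockout page states.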
14-34  Web: Displaying and Configuring Port Security Features | Web: Displaying and Configuring Port Security
14-35  Reading Intrusion Alerts and Resetting Alert Flags | The switch enables notification of the intrusion thro
2-15  Figure 2-8. Example of Disabling the Clear Button and Displaying the New Configurati
14-36  The log shows the most recent intrusion at the top
14-37  Menu: Checking for Intrusions, Listing Intrusion Alerts
14-38  • Because the Port Status screen (figure 14-14 on
14-39  In the following example, executing show interfaces bri
14-40  To clear the intrusion from port A1 and enable the
14-41  Figure 14-19. Example of Log Listing With and Without De
14-42  Operating Notes for Port Security | Identifying the IP Address of an I
14-43  ProCurve(config)# port-security e a17 learn-mode static address-limit 2L
15-1  15 Using Authorized IP Managers | Contents | Overview …
2-16  Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the
15-2  Overview | Authorized IP Manager Features. The Authorized IP Managers feature uses IP addresses and masks to deter
15-3  Options | You can configure: Up to 10 authorized manager addresses, where each address applies to either a single
15-4  Defining Authorized Management Stations | Authorizing Single Stations: The table
15-5  rized Manager IP address to authorize four IP addresses for management station
15-6  Figure 15-2. Example of How To Add an Authorized Manager Entry (Continued). Editi
15-7  Figure 15-3. Example of the Show IP Authorized-Manager Display. The above example
15-8  If you omit the < mask bits > when adding a new authorized manager, the s
15-9  Web: Configuring IP Authorized Managers | In the web browser interface you can con
15-10  Building IP Masks | Configuring Multiple Stations Per Authorized Manager IP Entry. The mask determines whether the IP addr
15-11  Figure 15-6. Analysis of IP Mask for Multiple-Station Entries. Figure 15-7. Example of How the Bitmap
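The mask rule behind the "Building IP Masks" pages is a bitwise one: a 1 bit in the mask means the management station's address bit must equal the entry's, a 0 bit is a wildcard, and an omitted mask is 255.255.255.255 (a single station). The following added example, not ProCurve code and not from the guide, applies that rule and enumerates the stations one entry covers (the bitmap analysis of figures 15-6 and 15-7), including a non-contiguous mask. The table representation, the `access` field (named after the CLI keyword `access <manager|operator>`), the 10-entry limit from the Options page, and returning every matching access level instead of picking a winner are this example's own choices; the addresses are constructed.

```python
"""Authorized IP Managers matching and the bitmap analysis of the guide's
figures 15-6/15-7. Added example (not ProCurve code). Rules used: a 1 bit in
the mask means the station's address bit must equal the entry's, a 0 bit is a
wildcard; an omitted mask is 255.255.255.255; at most 10 entries. The table
representation and the access-level handling are this example's own."""
from ipaddress import IPv4Address
from itertools import product
from typing import List, Set, Tuple

MAX_ENTRIES = 10
Entry = Tuple[int, int, str]   # (address, mask, access level)


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def add_manager(table: List[Entry], ip: str, mask: str = "255.255.255.255",
                access: str = "manager") -> List[Entry]:
    """ip authorized-managers <ip> [<mask>] access <manager|operator>"""
    if access not in ("manager", "operator"):
        raise ValueError("access must be manager or operator")
    if len(table) >= MAX_ENTRIES:
        raise ValueError("authorized manager table full (10 entries)")
    table.append((_ip(ip), _ip(mask), access))
    return table


def matches(entry: Entry, station: str) -> bool:
    ip, mask, _ = entry
    return (_ip(station) & mask) == (ip & mask)


def access_levels(table: List[Entry], station: str) -> Set[str]:
    """Access levels of every entry the station matches (empty = not authorized)."""
    return {e[2] for e in table if matches(e, station)}


def is_authorized(table: List[Entry], station: str) -> bool:
    """An empty table is the default: any station may attempt management access."""
    return not table or bool(access_levels(table, station))


def covered_stations(ip: str, mask: str) -> List[str]:
    """Every address one entry authorizes: vary each wildcard (0) mask bit."""
    ip_i, mask_i = _ip(ip), _ip(mask)
    wild = [b for b in range(32) if not (mask_i >> b) & 1]
    if len(wild) > 16:
        raise ValueError("too many wildcard bits to enumerate")
    base = ip_i & mask_i
    out = []
    for bits in product((0, 1), repeat=len(wild)):
        v = base
        for b, on in zip(wild, bits):
            if on:
                v |= 1 << b
        out.append(str(IPv4Address(v)))
    return sorted(out, key=_ip)


if __name__ == "__main__":
    table = add_manager([], "10.28.227.100", "255.255.255.252", "operator")
    add_manager(table, "10.28.227.200")                      # default mask: single station
    print(covered_stations("10.28.227.100", "255.255.255.252"))
    print(covered_stations("10.28.227.125", "255.255.255.249"))   # non-contiguous mask
    for st in ("10.28.227.102", "10.28.227.104", "10.28.227.200"):
        print(st, is_authorized(table, st), access_levels(table, st))
```

Run `covered_stations` on every entry before committing a mask with zero bits in the middle of an octet: 255.255.255.249 against .125 admits .121, .123, .125 and .127, which is rarely what the person who typed it meant. And, as the Operating Notes page says, this feature only filters on source address; it does not replace passwords or SSH, because a source address can be spoofed.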
2-17  Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation. Changing the
15-12  Operating Notes | Additional Examples for Authorizing Multiple Stations. Operating Notes. Network Security Precautions: Yo
15-13  • Even if you need proxy server access enabled in order to use other applications, you can still elimi
16-1  16 Key Management System | Contents | Overview …
16-2  Overview | The switches covered in this guide provide support for advanced routing capabilities. Security turns out to b
16-3  Configuring Key Chain Management | The Key Management System (KMS) has three configuration steps
16-4  Figure 16-1. Adding a New Key Chain Entry. After you add an entry, you can assign key(s) to it
16-5  Figure 16-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry. As
16-6  Note: Using time-dependent keys requires that all the switches have accurate, synchronized tim
16-7  Note: Given transmission delays and the variations in the time value from switch to switch, it
2-18  Figure 2-10. Example of Disabling the Factory Reset Option. Password Recovery. The passw
16-8  The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” us
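The Key Management System pages distinguish time-independent keys from keys with accept and send lifetimes, and the two notes warn that time-dependent keys need synchronized clocks and that accept lifetimes should overlap to absorb transmission delay and clock differences between switches. The following added example, not ProCurve code and not from the guide, models a key chain and checks exactly those two properties (no gap in sendable keys, and accept windows wide enough for a given clock skew). The `Key`/`KeyChain` classes, the use of naive datetimes, and choosing the lowest key id when more than one key is valid for sending are this example's own assumptions; key names and times are constructed.

```python
"""Key chain lifetimes as in the guide's Key Management System: time-independent
keys, accept/send lifetimes, and the overlap the notes on pages 16-6/16-7 ask
for. Added example (not ProCurve code). Assumptions: the Key/KeyChain classes,
naive datetimes, and choosing the lowest key id when several keys are valid for
sending are this example's own; key names and times are constructed."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Lifetime = Tuple[datetime, datetime]   # (start, end), inclusive


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps, all on one day."""
    return datetime(2007, 6, 1, hour, minute)


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Optional[Lifetime] = None   # accept-lifetime; None = always (time-independent)
    send: Optional[Lifetime] = None     # send-lifetime; None = always

    def can_send(self, now: datetime) -> bool:
        return self.send is None or self.send[0] <= now <= self.send[1]

    def can_accept(self, now: datetime) -> bool:
        return self.accept is None or self.accept[0] <= now <= self.accept[1]


@dataclass
class KeyChain:
    name: str
    keys: List[Key]

    def send_key(self, now: datetime) -> Optional[Key]:
        valid = [k for k in self.keys if k.can_send(now)]
        return min(valid, key=lambda k: k.key_id) if valid else None

    def accepts(self, key_id: int, key_string: str, now: datetime) -> bool:
        """Would a received message carrying (key_id, key_string) be accepted now?"""
        return any(k.key_id == key_id and k.can_accept(now)
                   and hmac.compare_digest(k.key_string, key_string) for k in self.keys)

    def coverage_gaps(self, start: datetime, end: datetime,
                      step: timedelta = timedelta(minutes=1)) -> List[datetime]:
        """Instants in [start, end] with no sendable key: an outage for the
        protocol using this chain."""
        gaps, t = [], start
        while t <= end:
            if self.send_key(t) is None:
                gaps.append(t)
            t += step
        return gaps


def skew_safe(chain: KeyChain, key_id: int, skew_minutes: int) -> bool:
    """True if the key's accept-lifetime extends at least skew_minutes beyond its
    send-lifetime on both ends, so a peer whose clock is off by up to that much
    (plus transmission delay) is still accepted."""
    skew = timedelta(minutes=skew_minutes)
    k = next(k for k in chain.keys if k.key_id == key_id)
    if k.send is None or k.accept is None:
        return True
    return k.accept[0] <= k.send[0] - skew and k.accept[1] >= k.send[1] + skew


def sample_chain() -> KeyChain:
    """Constructed rollover: key 1 sends 10:00-11:00, key 2 takes over at 11:00
    and is accepted from 10:55 to 12:05 to tolerate skew."""
    return KeyChain("demo-chain", [
        Key(1, "k1-secret", accept=(at(10), at(11)), send=(at(10), at(11))),
        Key(2, "k2-secret", accept=(at(10, 55), at(12, 5)), send=(at(11), at(12))),
    ])


if __name__ == "__main__":
    c = sample_chain()
    for h, m in ((10, 30), (11, 0), (11, 1), (12, 1)):
        k = c.send_key(at(h, m))
        print(f"{h:02}:{m:02} send key:", k.key_id if k else None)
    print("gaps 10:00-12:00:", len(c.coverage_gaps(at(10), at(12))))
    print("key 2 skew-safe (5 min):", skew_safe(c, 2, 5))
    print("key 1 skew-safe (5 min):", skew_safe(c, 1, 5))
```

The check worth automating before a rollover is `coverage_gaps` over the whole rollover period: a key whose send-lifetime starts a few minutes after the previous one ends leaves a window in which the switch has nothing to send, and on the receiving side an accept window that equals the send window rejects a peer whose clock is only a little behind.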
Index – 1  Index | Numerics | 3DES … 8-3, 9-3 | 802.1X: ACL, effect on … 10-20 | 802.1X access control: authenticate users … 13-5; authentication methods … 13-4; authentica
2 – Index  port-based: access … 13-4; client without authentication … 13-5; effect of Web/MAC Auth client … 13-60; enable … 13-17, 13-43; latest client, effect …
Index – 3  untagged … 13-27, 13-30, 13-31; untagged membership … 13-18; VLAN operation … 13-56; VLAN use, multiple clients … 13-6; VLAN, assignment conflict … 1
4 – Index  example, named extended … 10-73; exception for connection-rate filtering … 10-22; exit statement … 10-48; extended: command summary … 10-8; configure …
Index – 5  policies … 10-30; policy application points … 1-8, 10-4; policy type … 10-42; policy, permit/deny … 10-42; port … 10-34; port ACL defined, See also stat
6 – Index  ACL, connection-rate: See connection-rate filtering | ACLs: management access protection … 1-8; See also RADIUS-assigned ACLs. | address: authorized for po
Index – 7  false positive … 3-6; guidelines … 3-8, 3-9; high rate, legitimate … 3-18; host, trusted … 3-18; host, unblocking … 3-18; ICMP ping message … 3-3; notify
8 – Index  event log: alerts for monitored events … 11-23; connection-rate filtering alerts … 3-31; intrusion alerts … 14-40; messages … 3-31 | F | filter, source-por
Index – 9  L | LACP: 802.1X not allowed … 13-13, 13-17, 13-61 | log keyword, ACL mirroring … 10-16 | login attempts, monitoring … 11-23 | M | MAC addresses: monitoring act
2-19  Steps for Disabling Password-Recovery. 1. Set the CLI to the global interface conte
10 – Index  See ProCurve Manager. | physical security … 1-6 | port: security configuration … 14-3; trusted … 11-17; untrusted … 11-18 | port access: client limit … 13-1
Index – 11  multiple ACL application types in use … 7-15; NAS-Prompt-User service-type value … 6-12; network accounting … 6-32; operating rules, switch … 6-6; o
12 – Index  notices of … 14-34 | security, ACL: See ACL, security use. | security, password: See SSH. | setting a password … 2-5 | SFTP … 1-6 | SNMP: authentication failures
Index – 13  generate host key pair … 9-10; generate self-signed … 9-13; generate self-signed certificate … 9-10, 9-13; generate server host certificate … 9-10
14 – Index  TLS: See RADIUS. | troubleshooting: authentication via Telnet … 5-15; authorized IP managers … 15-12 | trunk: filter, source-port … 12-3, 12-19; LACP, 802.1
Technical information in this document is subject to change without notice. © Copyright 2005-2007 Hewlett-Packard Development Company, L.P. Reproduction,
iv  Traffic/Security Filters … 1-10 | Port Security, MAC Lockdown, and MAC Lock
2-20  Figure 2-11. Example of the Steps for Disabling Password-Recovery. Password Recovery P
3-1  3 Virus Throttling | Contents | Overview of Connection-Rate Filtering … 3-3 | Features and Benefits …
3-2  Example of Using an ACL in a Connection-Rate Configuration … 3-27 | Connection-Rate ACL Operating Notes …
3-3  Overview of Connection-Rate Filtering | The spread of malicious agents in the form of worms exhib
3-4  Features and Benefits. Connection-rate filtering is a countermeasure tool you can use in your in
3-5  General Operation. Connection-rate filtering enables notification of worm-like behavior detected
3-6  Application Options. For the most part, normal network traffic is distinct from the traffic exhi
3-7  Operating Rules. Connection-rate filtering is triggered by inbound IP traffic exhibiting high
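The overview pages describe the signal connection-rate filtering keys on (one source opening connections to an unusually large number of different hosts in a short interval) and the three per-port responses the later pages configure: notify-only, throttle (block for a penalty period, then resume monitoring) and block (until an administrator unblocks the host), with an "ignore" ACE in a connection-rate ACL exempting legitimate high-rate sources. The following added example, not ProCurve code and not from the guide, implements that detector over constructed flow records. The window, the per-sensitivity thresholds and the penalty period are hypothetical placeholders chosen for the example, not the switch's values from Table 3-1 or the sensitivity notes; the class and record format are this example's own.

```python
"""Detector modelled on the guide's connection-rate filtering: a source that
opens connections to many different hosts in a short interval is reported,
throttled (blocked for a penalty period) or blocked until manually unblocked,
depending on the port's mode; sources matched by an "ignore" ACE are exempt.
Added example (not ProCurve code). Assumptions: WINDOW, THRESHOLDS and PENALTY
are hypothetical placeholders, not the switch's values; flows are constructed."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

THRESHOLDS = {"low": 40, "medium": 20, "high": 10, "aggressive": 5}  # hypothetical: distinct hosts per window
WINDOW = 1.0      # seconds, hypothetical
PENALTY = 30.0    # seconds a throttled host stays blocked, hypothetical


class ConnectionRateFilter:
    def __init__(self, sensitivity: str = "medium", modes: Optional[Dict[str, str]] = None,
                 ignore: Iterable[str] = ()):
        self.threshold = THRESHOLDS[sensitivity]          # connection-rate-filter sensitivity <level>
        self.modes = modes or {}                          # filter connection-rate <port> notify-only|throttle|block
        self.ignore = set(ignore)                         # sources covered by an "ignore" ACE
        self.recent = defaultdict(deque)                  # src -> deque of (time, dst)
        self.blocked: Dict[str, Optional[float]] = {}     # src -> release time, or None until unblocked
        self.events: List[str] = []

    def observe(self, t: float, port: str, src: str, dst: str) -> str:
        """Verdict for one connection attempt: forward, notify, throttled or blocked."""
        mode = self.modes.get(port)
        if mode is None or src in self.ignore:
            return "forward"
        if src in self.blocked:
            until = self.blocked[src]
            if until is None:
                return "blocked"
            if t < until:
                return "throttled"
            del self.blocked[src]                         # penalty over: forward again, keep monitoring
            self.events.append(f"{port}: {src} throttle period ended")
        q = self.recent[src]
        q.append((t, dst))
        while q and q[0][0] < t - WINDOW:                 # keep only the current window
            q.popleft()
        if len({d for _, d in q}) <= self.threshold:
            return "forward"
        self.events.append(f"{port}: {src} contacted more than {self.threshold} hosts in {WINDOW}s ({mode})")
        if mode == "notify-only":
            return "notify"
        if mode == "throttle":
            self.blocked[src] = t + PENALTY
            return "throttled"
        self.blocked[src] = None
        return "blocked"

    def unblock(self, src: str) -> None:                  # connection-rate-filter unblock <ip>
        self.blocked.pop(src, None)


def replay(flows: Iterable[Tuple[float, str, str, str]], crf: ConnectionRateFilter) -> List[str]:
    """Run (time, port, src, dst) records through the filter; returns the verdicts."""
    return [crf.observe(*f) for f in flows]


SAMPLE_FLOWS = (                                          # constructed: a scanner on A1, a normal client on A2
    [(0.01 * i, "A1", "10.1.1.5", f"10.2.0.{i}") for i in range(1, 13)]
    + [(0.5, "A2", "10.1.1.20", "10.2.0.1"), (0.6, "A2", "10.1.1.20", "10.2.0.2")]
)

if __name__ == "__main__":
    crf = ConnectionRateFilter("high", {"A1": "throttle", "A2": "throttle"})
    print(replay(SAMPLE_FLOWS, crf))
    print("\n".join(crf.events))
```

The structure mirrors the guide's guidance on where to deploy the feature: the detector counts distinct destinations, not packets, so a busy client talking to one server never trips it, while a host that must legitimately fan out (a DNS or monitoring server) goes into the ignore list rather than having the sensitivity lowered for everyone.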
3-8  General Configuration Guidelines | As stated earlier, connection-rate filtering is triggered only by i
3-9  Note: On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, u
v  3 Virus Throttling | Contents … 3-1 | Overview of
3-10  Configuring Connection-Rate Filtering | Note: As stated previously, connection-rate filtering is
3-11  Enabling Connection-Rate Filtering and Configuring Sensitivity. Note: The sensitivity settings c
3-12  Configuring the Per-Port Filtering Mode. Table 3-1. Throttle Mode Penalty Periods. Syntax: filter
3-13  Example of a Basic Connection-Rate Filtering Configuration. Figure 3-2. Sample Network. Basic Con
3-14  Figure 3-3. Example of a Basic Connection-Rate Configuration. Enables connection-rate filtering
3-15  Viewing and Managing Connection-Rate Status. The commands in this section describe how to: Vie
3-16  To view the complete connection-rate configuration, including any ACLs (page 3-19), use show
3-17  Listing Currently-Blocked Hosts. Figure 3-6. Example of Listing Hosts in Any Connection-Rate St
3-18  Unblocking Currently-Blocked Hosts. If a host becomes blocked by triggering connection-rate fil
3-19  Configuring and Applying Conn
ection-Rate ACLs | A host sending legitimate, routed traffi
vi  4 Web and MAC Authentication | Contents … 4-1
3-20  For more information on when to apply connection-rate ACLs, refer to “Application Op
3-21  Figure 3-8. Connection-Rate ACL Applied to Traffic Received Through a Given Port. Confi
3-22  < filter | ignore >: The filter option assigns policy filtering to traffic with s
3-23  Configuring a Connection-Rate ACL Using UDP/TCP Criteria. (To configure a connection-ra
3-24  ip-addr < mask-length >: Applies the ACE’s action (filter or ignore) to IP traff
3-25  Figure 3-9. Examples of Connection-Rate ACEs Using UDP/TCP Criteria. < tcp-data >
3-26  Applying Connection-Rate ACLs. To apply a connection-rate ACL, use the access group com
3-27  For more on ACE masks, refer to “How an ACE Uses a Mask To Screen Packets for Matches
3-28  configure a connection-rate ACL that causes the switch to ignore (circumvent) connect
3-29  Figure 3-12. Example of Switch Configuration Display with a Connection-Rate ACL. Connec
vii  Overview … 5-2 | Terminology Used in TACACS
3-30  • filter < source-criteria >: This ACE type does the opposite of an ignore entr
3-31  Connection-Rate Log and Trap Messages | These messages appear in the switch’s Event Log identify
4-1  4 Web and MAC Authentication | Contents | Overview …
4-2  Overview | Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based s
4-3  password, and grants or denies network access in the same way that it does for clients capable of interactive log
4-4  On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a
4-5  How Web and MAC Authentication Operate | Authenticator Operation. Before gaining access
4-6  Figure 4-2. Progress Message During Authentication. If the client is authenticated an
4-7  moves have not been enabled (client-moves) on the ports, the session ends and the c