ProCurve Switches Access Security Guide
Covers the 6200yl, 5400zl and 3500yl switches, software release K.12.XX
www.procurve.com

Summary of Contents

Each entry below is the opening text of one page of the guide as extracted from the PDF, cut off after a fixed number of characters. The first line of each entry gives the guide's own page number and the chapter and section running headers; the contents pages (roman-numeral page numbers) appear out of order between the chapter pages because of how the viewer ordered them.

Contents, p. viii: Configuring the Switch for RADIUS Authentication 6-8; Outline of the Steps for Configuring RADIUS Authentication

4-8 Web and MAC Authentication / How Web and MAC Authentication Operate
4. If neither 1, 2, or 3, above, apply, then the client session does not have acces

4-9 Web and MAC Authentication / Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged

4-10 Web and MAC Authentication / Operating Rules and Notes
The switch supports concurrent 802.1X and either Web- or MAC-authent

4-11 Web and MAC Authentication / Operating Rules and Notes
• During an authenticated client session, the following hierarchy determines a port's VLAN mem

4-12 Web and MAC Authentication / General Setup Procedure for Web/MAC Authentication
Web- or MAC-based authentication and LACP cannot both be enabled on

4-13 Web and MAC Authentication / General Setup Procedure for Web/MAC Authentication
c. If there is neither a RADIUS-assigned VLAN nor an "Authorized VLAN"

4-14 Web and MAC Authentication / Configuring the Switch To Access a RADIUS Server
Configure the client device's (hexadecimal) MAC address as both userna

4-15 Web and MAC Authentication / Configuring the Switch To Access a RADIUS Server
Syntax: [no] radius-server [host <ip-address>]  Adds a server to th

4-16 Web and MAC Authentication / Configuring the Switch To Access a RADIUS Server
For example, to configure the switch to access a RADIUS server at IP add

4-17 Web and MAC Authentication / Configuring Web Authentication on the Switch
Overview. 1. If you have not alrea

Contents, p. ix: 7 Configuring RADIUS Server Support for Switch Services; Contents

4-18 Web and MAC Authentication / Configuring Web Authentication on the Switch
Configure the Switch for Web-Based Authentication. Table columns: Command, Page. Configuration L

4-19 Web and MAC Authentication / Configuring Web Authentication on the Switch
Syntax: [no] aaa port-access web-based [e] <port-list>  Enables web-bas

4-20 Web and MAC Authentication / Configuring Web Authentication on the Switch
Syntax: aaa port-access web-based [e] <port-list> [logoff-period] <

4-21 Web and MAC Authentication / Configuring Web Authentication on the Switch
Syntax: aaa port-access web-based [e] <port-list> [redirect-url <

4-22 Web and MAC Authentication / Configuring Web Authentication on the Switch
Syntax: aaa port-access web-based [e] <port-list> [unauth-vid <vi

4-23 Web and MAC Authentication / Configuring Web Authentication on the Switch
Syntax: aaa port-access <port-list> controlled-directions <both |

4-24 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Overview. 1. If you have not alrea

4-25 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Configure the Switch for MAC-Based Authentication. Table columns: Command, Page. Configuration L

4-26 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Syntax: aaa port-access mac-based [e] <port-list> [addr-limit <1-

4-27 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Syntax: aaa port-access mac-based [e] <port-list> [quiet-period <

Contents, p. x: Public Key Formats 8-5; Steps for Configuring and Using SSH for

4-28 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Show Commands for Web-Based Authentication. Table columns: Command, Page. show port-access [port

4-29 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Example: Verifying a Web Authentication Configuration. The following example s

4-30 Web and MAC Authentication / Configuring MAC Authentication on the Switch
Figure 4-5. Example of Verifying a Web Authentication Configuration. ProCurve

4-31 Web and MAC Authentication / Configuring MAC Authentication
Configuration Overview. 1. If you have not already done so, co

4-32 Web and MAC Authentication / Configuring MAC Authentication
Syntax: aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|mult
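
Added example, not code from the guide or from ProCurve: the pages above say that for MAC-based authentication the switch sends the client's hexadecimal MAC address as both the RADIUS username and password, in the layout chosen with aaa port-access mac-based addr-format, and that the RADIUS server can hand back a VLAN. The Python script below renders a MAC in each addr-format, writes the matching FreeRADIUS users-file entries, and performs the server-side check a RADIUS server does on such a request. Assumptions: the fourth addr-format value is cut off on the page and is taken here to be multi-colon; the device table and MAC addresses are constructed samples; VLAN assignment uses the standard RFC 3580 Tunnel-* attributes, which the page does not show.

```python
import re
from typing import Iterable, List, Optional, Tuple

# addr-format values the guide lists for 'aaa port-access mac-based addr-format';
# the fourth is cut off on the page, so "multi-colon" is an assumption.
ADDR_FORMATS = ("no-delimiter", "single-dash", "multi-dash", "multi-colon")

# Constructed device table: (MAC in any notation, VLAN to assign or None).
SAMPLE_DEVICES = [("00:11:22:33:44:55", 20), ("aabb.ccdd.eeff", None)]


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, addr_format: str) -> str:
    """Render a MAC the way the switch sends it as RADIUS User-Name and User-Password."""
    d = normalize_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    if addr_format == "no-delimiter":
        return d                              # aabbccddeeff
    if addr_format == "single-dash":
        return f"{d[:6]}-{d[6:]}"             # aabbcc-ddeeff
    if addr_format == "multi-dash":
        return "-".join(pairs)                # aa-bb-cc-dd-ee-ff
    if addr_format == "multi-colon":          # assumed value, see above
        return ":".join(pairs)                # aa:bb:cc:dd:ee:ff
    raise ValueError(f"unknown addr-format {addr_format!r}")


def users_file_entries(devices: Iterable[Tuple[str, Optional[int]]],
                       addr_format: str) -> List[str]:
    """FreeRADIUS 'users' entries: the MAC is both the name and the password.
    A VLAN, when given, is returned with the RFC 3580 Tunnel-* attributes."""
    entries = []
    for mac, vlan in devices:
        name = format_mac(mac, addr_format)
        entry = f'{name}\tCleartext-Password := "{name}"'
        if vlan is not None:
            entry += ("\n\tTunnel-Type = VLAN,"
                      "\n\tTunnel-Medium-Type = IEEE-802,"
                      f'\n\tTunnel-Private-Group-Id = "{vlan}"')
        entries.append(entry)
    return entries


def authorize(devices: Iterable[Tuple[str, Optional[int]]], addr_format: str,
              user_name: str, user_password: str) -> Tuple[bool, Optional[int]]:
    """Server-side decision for one Access-Request: accept only when User-Name and
    User-Password are identical, are in the configured format, and name a known device.
    Returns (accepted, vlan)."""
    table = {format_mac(m, addr_format): v for m, v in devices}
    if user_name != user_password or user_name not in table:
        return (False, None)
    return (True, table[user_name])


if __name__ == "__main__":
    for fmt in ADDR_FORMATS:
        print(fmt, format_mac("00:11:22:33:44:55", fmt))
    print("\n\n".join(users_file_entries(SAMPLE_DEVICES, "no-delimiter")))
    print(authorize(SAMPLE_DEVICES, "no-delimiter", "001122334455", "001122334455"))
```

Two practitioner points the script makes concrete. The addr-format on the switch and the spelling of the usernames in the server database must agree, otherwise every request is rejected (the last check in the test shows a multi-colon server refusing a no-delimiter request). And the "password" is the client's MAC address, which is visible on the wire and trivially spoofed, so MAC-based authentication identifies a device, not a user; keep it as the fallback for devices that cannot run 802.1X and put such clients in a restricted VLAN.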

4-33 Web and MAC Authentication / Configuring MAC Authentication
Syntax: aaa port-access mac-based [e] <port-list> [auth-vid <vid>]  no aaa por

4-34 Web and MAC Authentication / Configuring MAC Authentication
Syntax: aaa port-access mac-based [e] <port-list> [server-timeout <1 - 300>]

4-35 Web and MAC Authentication / Configuring MAC Authentication
Prerequisites: As implemented in 802.1X authentication, the disabling of incoming traffic

4-36 Web and MAC Authentication / Configuring MAC Authentication
Show Commands for MAC-Based Authentication. Notes: — Continued — Using the aaa port-access

4-37 Web and MAC Authentication / Configuring MAC Authentication
Syntax: show port-access [port-list] mac-based [clients]  Shows the port address, MAC addre

Contents, p. xi: Generate a CA-Signed server host certificate with the Web browser interface 9-

4-38 Web and MAC Authentication / Configuring MAC Authentication
Example: Verifying a MAC Authentication Configuration. The following example shows how to us

4-39 Web and MAC Authentication / Client Status
The table below shows the possible client status information that may be reported by a Web-bas

5-1 TACACS+ Authentication / Contents
Overview

5-2 TACACS+ Authentication / Overview
TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in

5-3 TACACS+ Authentication / Terminology Used in TACACS Applications
TACACS+ server for authentication services. If the switch fails to connect to any TAC

5-4 TACACS+ Authentication / Terminology Used in TACACS Applications
face. (Using the menu interface you can assign a local password, but not a username.)

5-5 TACACS+ Authentication / General System Requirements
To use TACACS+ authentication, you need the following: A TACACS+ serve

5-6 TACACS+ Authentication / General Authentication Setup Procedure
other access type (console, in this case) open in case the Telnet access fails due to a

5-7 TACACS+ Authentication / General Authentication Setup Procedure
Note on Privilege Levels: When a TACACS+ server authenticates an access request from a sw

Contents, p. xii: What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? 10-36; Rules for Defini

5-8 TACACS+ Authentication / Configuring TACACS+ on the Switch
configuration in your TACACS+ server application for misconfigurations or missing data tha

5-9 TACACS+ Authentication / Configuring TACACS+ on the Switch
CLI Commands Described in this Section. Viewing the Switch's Current Authentication Configurat

5-10 TACACS+ Authentication / Configuring TACACS+ on the Switch
Viewing the Switch's Current TACACS+ Server Contact Configuration. This command lists the tim

5-11 TACACS+ Authentication / Configuring TACACS+ on the Switch
Configuring the Switch's Authentication Methods. The aaa authentication command configures th

5-12 TACACS+ Authentication / Configuring TACACS+ on the Switch
Table 5-1. AAA Authentication Parameters. As shown in the next table, login and enable access

5-13 TACACS+ Authentication / Configuring TACACS+ on the Switch
Table 5-2. Primary/Secondary Authentication Table. Caution Regarding the Use of Local for Log

5-14 TACACS+ Authentication / Configuring TACACS+ on the Switch
For example, here is a set of access options and the corresponding commands to configure th

5-15 TACACS+ Authentication / Configuring TACACS+ on the Switch
Configuring the Switch's TACACS+ Server Access. The tacacs-server command configures these pa

5-16 TACACS+ Authentication / Configuring TACACS+ on the Switch
Note on Encryption Keys: Encryption keys configured in the switch must exactly match the encr

5-17 TACACS+ Authentication / Configuring TACACS+ on the Switch
Table columns: Name, Default, Range. Name: host <ip-addr> [key <key-string>]; Default: none; Range: n/a. Specifies the IP a

Contents, p. xiii: Sequence Numbering in ACLs 10-87; Inserting an ACE in an Existing ACL

5-18 TACACS+ Authentication / Configuring TACACS+ on the Switch
Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was

5-19 TACACS+ Authentication / Configuring TACACS+ on the Switch
Figure 5-5. Example of the Switch After Assigning a Different "First-Choice" Server. To remov

5-20 TACACS+ Authentication / How Authentication Operates
To delete a per-server encryption key in the switch, re-enter the tacacs-server host command with

5-21 TACACS+ Authentication / How Authentication Operates
Using figure 5-6, above, after either switch detects an operator's logon request from a remote or

5-22 TACACS+ Authentication / How Authentication Operates
Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local aut

5-23 TACACS+ Authentication / How Authentication Operates
Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed "key", "

5-24 TACACS+ Authentication / Controlling Web Browser Interface Access When Using TACACS+ Authentication
For example, you would use the next command to con

5-25 TACACS+ Authentication / Messages Related to TACACS+ Operation
The switch generates the CLI messages listed below

5-26 TACACS+ Authentication / Operating Notes
When TACACS+ is not enabled on the switch—or when the switch's only designated TACACS+ servers are not acce

6-1 RADIUS Authentication and Accounting / Contents
Overview

Contents, p. xiv: Changing the Remote-id from a MAC to an IP Address 11-10; Disabling the MAC Address Check

6-2 RADIUS Authentication and Accounting / Contents
Example Configuration on Cisco Secure ACS for MS Windows 6-28; Example Configuration Using FreeRADIUS

6-3 RADIUS Authentication and Accounting / Overview
RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one

6-4 RADIUS Authentication and Accounting / Overview
Note: The switch does not support RADIUS security for SNMP (network management) access. For information

6-5 RADIUS Authentication and Accounting / Terminology
AAA: Authentication, Authorization, and Accounting groups of services provided by the ca

6-6 RADIUS Authentication and Accounting / Switch Operating Rules for RADIUS
Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS serve

6-7 RADIUS Authentication and Accounting / General RADIUS Setup Procedure
Preparation: 1. Configure one to three RADIUS server

6-8 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
• Determine how

6-9 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
Outline of the Steps for Configuring RADIUS Authentication. There

6-10 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
• Timeout Period: The timeout period the switch waits for a RA

6-11 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
radius (or tacacs) for primary authentication, you must config

Contents, p. xv: Using Named Source-Port Filters 12-9; Static Multicast Filters

6-12 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
2. Enable the (Optional) Access Privilege Option. In the default

6-13 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
3. Configure the Switch To Access a RADIUS Server. This section

6-14 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
For example, suppose you have configured the switch as shown i

6-15 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
Figure 6-3. Sample Configuration for RADIUS Server Before Chan

6-16 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
Global server key: The server key the switch will use for co

6-17 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
Note: Where the switch has multiple RADIUS servers configured t

6-18 RADIUS Authentication and Accounting / Configuring the Switch for RADIUS Authentication
Figure 6-6. Listings of Global RADIUS Parameters Configured In

6-19 RADIUS Authentication and Accounting / Using SNMP To View and Configure Switch Authentication Features
Using SNMP To View and Configure Switch Authent

6-20 RADIUS Authentication and Accounting / Using SNMP To View and Configure Switch Authentication Features
2c access. (Refer to "Switch Access Security" o

6-21 RADIUS Authentication and Accounting / Using SNMP To View and Configure Switch Authentication Features
Figure 6-7. Disabling SNMP Access to the Authen

Contents, p. xvi: A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication 13-17; B. Spe

6-22 RADIUS Authentication and Accounting / Local Authentication Process
When the switch is configured to use RADIUS, it revert

6-23 RADIUS Authentication and Accounting / Controlling Web Browser Interface Access
To help prevent unauthorized a

6-24 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
Overview. You can limit the services for a user

6-25 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
Enabling Authorization with the CLI. To configure authorization for controlling

6-26 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
Showing Authorization Information. You can show the authorization information by

6-27 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
The results of using the HP-Command-String and HP-Command-Exception attributes

6-28 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
Example Configuration on Cisco Secure ACS for MS Windows. It is necessary to cre

6-29 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
Profile=IN OUT
Enums=Hp-Command-Exception-Types
[Hp-Command-Exception-Types]
0=Pe

6-30 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
6. Right click and then select New > key. Add the vendor Id number that you

6-31 RADIUS Authentication and Accounting / Configuring RADIUS Authorization
2. Find the location of the dictionary files used by FreeRADIUS (try /usr/loca

Contents, p. xvii: Operating Notes 13-60; Messages Related to 802.1X Operatio

6-32 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
Note: This section assumes you have already: Configu

6-33 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
Exec accounting: Provides records holding the information listed below about lo

6-34 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
If access to a RADIUS server fails during a session, but after the client has b

6-35 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
1. Configure the Switch To Access a RADIUS Server. Before you configure the actual

6-36 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
For example, suppose you want the switch to use the RADIUS server described be

6-37 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
Note that there is no time span associated with using the system option. It simpl

6-38 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
For example, to configure RADIUS accounting on the switch with start-stop for exe

6-39 RADIUS Authentication and Accounting / Configuring RADIUS Accounting
To continue the example in figure 6-11, suppose that you wanted the switch to: S

6-40 RADIUS Authentication and Accounting / Viewing RADIUS Statistics
General RADIUS Statistics. Figure 6-13. Example of General RAD

6-41 RADIUS Authentication and Accounting / Viewing RADIUS Statistics
Figure 6-14. RADIUS Server Information From the Show Radius Host Command. Table columns: Term, Definiti

Contents, p. xviii: Operating Notes for Port Security 14-42; 15 Using Authorized IP Managers; Contents

6-42 RADIUS Authentication and Accounting / Viewing RADIUS Statistics
RADIUS Authentication Statistics. Figure 6-15. Example of Login Attempt and Primary/Sec

6-43 RADIUS Authentication and Accounting / Viewing RADIUS Statistics
Figure 6-16. Example of RADIUS Authentication Information from a Specific Server. RADIU

6-44 RADIUS Authentication and Accounting / Changing RADIUS-Server Access Order
Figure 6-18. Example of RADIUS Accounting Information for a Specific Server

6-45 RADIUS Authentication and Accounting / Changing RADIUS-Server Access Order
Figure 6-20. Search Order for Accessing a RADIUS Server. To exchange the posi

6-46 RADIUS Authentication and Accounting / Changing RADIUS-Server Access Order
Figure 6-21. Example of New RADIUS Server Search Order. Removes the "003" and

6-47 RADIUS Authentication and Accounting / Messages Related to RADIUS Operation
Table columns: Message, Meaning. Can't reach RADIUS serv

7-1 Configuring RADIUS Server Support for Switch Services / Contents
Overview

7-2 Configuring RADIUS Server Support for Switch Services / Overview
This chapter provides information that applies to setting up a RADIUS server t

7-3 Configuring RADIUS Server Support for Switch Services / Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services
Configuring the RADIU

Contents, p. xix: Product Documentation. About Your Switch Manual Set. Note: For the latest version of all ProCurve switch documentation, including Release Notes covering

7-4 Configuring RADIUS Server Support for Switch Services / Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services
Viewing the Currently

7-5 Configuring RADIUS Server Support for Switch Services / Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services
Figure 7-1. Example o

7-6 Configuring RADIUS Server Support for Switch Services / Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services
Figure 7-2. Example o

7-7 Configuring RADIUS Server Support for Switch Services / Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services
Note: Where multiple c

7-8 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Configuring and Using RADIUS-Assigne

7-9 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
• RACL: an ACL assigned to filter ro

7-10 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
by other ACEs configured sequential

7-11 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Overview of RADIUS-Assigned, Dynami

7-12 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Note: A dynamic port ACL can be appl

7-13 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Contrasting Dynamic and Static ACLs

Contents, p. xx: Software Feature Index. For the software manual set supporting your 3500yl/5400zl/6200yl switch model, this feature index indicates which manual to co

7-14 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Caution Regarding the Use of Source

7-15 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
How a RADIUS Server Applies a Dynam

7-16 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
General ACL Features, Planning, and

7-17 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Note: If a dynamic port ACL permits

7-18 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
was also configured on VLAN "Y", th

7-19 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
(Note that the "string" value and t

7-20 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
automatically includes an implicit

7-21 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Any instance of a dynamic port ACL

7-22 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Configuration Notes. Explicitly Permi

7-23 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
are not explicitly denied, you must

Contents, p. xxi (Software Feature Index rows, "X" marks the manual column as printed): AAA Authentication X; Authorized IP Managers X; Authorized Manager List (Web, Telnet, TFTP) X; Auto MDIX Configuration X; BOOTP X; Config File X; Console Acces

7-24 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Configuring the Switch To Support D

7-25 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
MAC Authentication Option: Syntax: a

7-26 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Figure 7-7. Example Showing a Dynam

7-27 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Syntax: show port-access authentica

7-28 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Figure 7-8. Example of Output Showi

7-29 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
Causes of Client Deauthentication I

7-30 Configuring RADIUS Server Support for Switch Services / Configuring and Using RADIUS-Assigned Access Control Lists
subscribed, new RADIUS-based sessio

8-1 Configuring Secure Shell (SSH) / Contents
Overview

8-2 Configuring Secure Shell (SSH) / Overview
The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to man

8-3 Configuring Secure Shell (SSH) / Terminology
Note: SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, v

Contents, p. xxii (Software Feature Index rows): GVRP X; Identity-Driven Management (IDM) X; IGMP X; Interface Access (Telnet, Console/Serial, Web) X; IP Addressing X; IP Routing X; Jumbo Packets X; LACP X; Link

8-4 Configuring Secure Shell (SSH) / Terminology
PEM (Privacy Enhanced Mail): Refers to an ASCII-formatted client public-key that has been encoded for po

8-5 Configuring Secure Shell (SSH) / Prerequisite for Using SSH
Before using the switch as an SSH server, you must install a publ

8-6 Configuring Secure Shell (SSH) / Steps for Configuring and Using SSH for Switch and Client Authentication
Steps for Configuring and Using SSH for Switch

8-7 Configuring Secure Shell (SSH) / Steps for Configuring and Using SSH for Switch and Client Authentication
B. Switch Preparation. 1. Assign a login (Opera

8-8 Configuring Secure Shell (SSH) / General Operating Rules and Notes
Public keys generated on an SSH client must be ex

8-9 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
1. Assigning a Local Login (Operator)

8-10 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Figure 8-4. Example of Configuring Local Passwords. 2. Generating the Switch's

8-11 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Notes: When you generate a host key pair on the switch, the switch places the

8-12 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
For example, to generate and display a new key: Figure 8-5. Example of Genera

8-13 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
distribution to clients is to use a direct, serial connection between the sw

Contents, p. xxiii (Software Feature Index rows): Port Configuration X; Port Monitoring X; Port Security X; Port Status X; Port Trunking (LACP) X; Port-Based Access Control (802.1X) X; Power over Ethernet (P

8-14 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
4. Add any data required by your SSH client application. For example Before

8-15 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Figure 8-9. Examples of Visual Phonetic and Hexadecimal Conversions of the S

8-16 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
SSH Client Contact Behavior. At the first contact between the switch and an

8-17 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Zeroize the switch's existing key pair. (page 8-11). The ip ssh key-size co

8-18 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Caution: Protect your private key file from access by anyone other than yours

8-19 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Option B: Configuring the Switch for Client Public-Key SSH Authentication.

8-20 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
For example, assume that you have a client public-key file named Client-Keys

8-21 Configuring Secure Shell (SSH) / Configuring the Switch for SSH Operation
Figure 8-12 shows how to check the results of the above commands. Figure 8-12

8-22 Configuring Secure Shell (SSH) / Further Information on SSH Client Public-Key Authentication
Further Information on SSH Client Public-Key Authenticati

8-23 Configuring Secure Shell (SSH) / Further Information on SSH Client Public-Key Authentication
3. If there is not a match, and you have not configured t

Contents, p. xxiv (Software Feature Index rows): SSL (Secure Socket Layer) X; Stack Management (3500yl/6200yl switches only) X; Syslog X; System Information X; TACACS+ Authentication X; Telnet Access X; TFTP

8-24 Configuring Secure Shell (SSH) / Further Information on SSH Client Public-Key Authentication
Notes: Comments in public key files, such as smith@support

8-25 Configuring Secure Shell (SSH) / Further Information on SSH Client Public-Key Authentication
Note on Public Keys: The actual content of a public key ent

8-26 Configuring Secure Shell (SSH) / Further Information on SSH Client Public-Key Authentication
For example, if you wanted to copy a client public-key fi

8-27 Configuring Secure Shell (SSH) / Messages Related to SSH Operation
Caution: To enable client public-key authentication to block SSH clients whose publi

8-28 Configuring Secure Shell (SSH) / Messages Related to SSH Operation
Download failed: overlength key in key file. Download failed: too many keys in key f
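
Added example, not code from the guide or from OpenSSH: the SSH chapter has the operator verify the switch's host-key fingerprint (hexadecimal or visual-phonetic form) at first contact, copy a client public-key file in OpenSSH/PEM format with comments such as smith@support... to the switch, and shows the "overlength key" and "too many keys" download failures. The Python script below parses OpenSSH public-key lines, checks that the type word matches the type encoded inside the key blob, computes the colon-separated hex MD5 and the SHA256 fingerprints, and bounds line length and key count before a file is copied. Assumptions: MAX_KEYS and MAX_KEY_LINE are illustrative limits (the page does not give the switch's values); the key material is constructed bytes, not a real key; and that the switch's hexadecimal fingerprint is computed over the same key blob OpenSSH uses is an assumption, not something the page states.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Assumed limits: the switch rejects a download with "overlength key" or
# "too many keys", but the page does not give the thresholds.
MAX_KEY_LINE = 2048
MAX_KEYS = 10


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string at offset off; raise on truncation."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_public_key(line: str) -> Dict[str, str]:
    """Parse one OpenSSH public-key line '<type> <base64 blob> [comment]'.
    The type word must equal the type string encoded at the start of the blob,
    otherwise a client could present one key type under another's label."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except Exception as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    encoded_type, _ = _read_ssh_string(blob, 0)
    if encoded_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {encoded_type!r}")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "comment": comment,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def is_valid_key_line(line: str) -> bool:
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def check_key_file(text: str, max_keys: int = MAX_KEYS,
                   max_line: int = MAX_KEY_LINE) -> List[Dict[str, str]]:
    """Validate a client public-key file before it is copied to the switch:
    skip blank and '#' lines, bound line length and key count, parse each key."""
    keys: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) > max_line:
            raise ValueError(f"line {lineno}: overlength key")
        keys.append(parse_public_key(line))
        if len(keys) > max_keys:
            raise ValueError("too many keys in key file")
    return keys


def key_file_error(text: str, max_keys: int = MAX_KEYS,
                   max_line: int = MAX_KEY_LINE) -> Optional[str]:
    """None if the file is acceptable, else the first problem found."""
    try:
        check_key_file(text, max_keys, max_line)
        return None
    except ValueError as exc:
        return str(exc)


def make_ed25519_line(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 constructed
    bytes. Constructed sample only, not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(seed)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed sample client public-key file with two entries.
SAMPLE_FILE = "\n".join([
    "# constructed sample client public-key file",
    make_ed25519_line(bytes(range(32)), "smith@support.example"),
    make_ed25519_line(bytes(range(32, 64)), "jones@support.example"),
])

if __name__ == "__main__":
    for k in check_key_file(SAMPLE_FILE):
        print(k["type"], k["md5"], k["sha256"], k["comment"])
```

Compare the MD5 or SHA256 value printed for the switch's own host key (obtained over the console or a direct serial connection, as the guide describes for distributing the key) with what the SSH client shows at first contact; a mismatch means the client is talking to something other than the switch. The comment field is carried through unchanged because it is not part of the key and must not influence the fingerprint.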

Page 185

9-19Configuring Secure Socket Layer (SSL)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 186

9-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for

Page 187

9-3Configuring Secure Socket Layer (SSL)TerminologyFigure 9-1. Switch/User AuthenticationSSL on the switches covered in this guide supports these data

Page 188

9-4Configuring Secure Socket Layer (SSL)Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-

Page 189

9-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install

Page 190 - Configuring RADIUS Accounting

1-1 Security Overview, Contents (chapter 1): Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 191

9-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi

Page 192

9-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assigning a Local Login (Op

Page 193

9-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the web browser interface To Configure Local Passwords. You can

Page 194

9-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation2. Generating the Switch’s Server Host Certificate You must generate a

Page 195

9-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo Generate or Erase the Switch’s Server Certificatewith the CLIBecau

Page 196 - Interim Updating Options

9-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationComments on certificate fields. There are a number arguments used in

Page 197

9-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNotes “Zeroizing” the switch’s server host certificate or key automat

Page 198 - Viewing RADIUS Statistics

9-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationGenerate a Self-Signed Host Certificate with the Web browser interfac

Page 199

9-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers

Page 200

9-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 9-6. Web browser Interface showing current SSL Host Certificat

Page 201 - RADIUS Accounting Statistics

1-2Security OverviewIntroductionIntroductionBefore you connect your switch to a network, ProCurve strongly recommends that you review the Security Ove

Page 202

9-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with

Page 203

9-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 9-7. Request for Verified Host Certificate Web Browser Interf

Page 204

9-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s

Page 205 - as both the primary

9-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI interface to enable SSLTo enable SSL on the switch1. Ge

Page 206

9-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 9-8. Using the web browser interface to enable SSL and select

Page 207

9-21Configuring Secure Socket Layer (SSL)Common Errors in SSL setup

Page 208

9-22Configuring Secure Socket Layer (SSL)Common Errors in SSL setup— This page is intentionally unused —

Page 209

10-1 Access Control Lists (ACLs), Contents (chapter 10): Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 210

10-2Access Control Lists (ACLs)ContentsConfiguring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41Overview . . . .

Page 211

10-3Access Control Lists (ACLs)ContentsAttaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92Operating Notes for Re

Page 212

1-3Security OverviewSwitch Access SecuritySwitch Access SecurityThis section outlines provisions for protecting access to the switch’s status informat

Page 213

10-4Access Control Lists (ACLs)IntroductionIntroductionAn Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying

Page 214 - Configuring and Using

10-5Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchOverview of Options for Applying ACLs on the SwitchTo apply ACL filt

Page 215

10-6Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchNote This chapter describes the ACL applications you can statically

Page 216

10-7Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchDelete a Standard ACL ProCurve(config)# no ip access-list standard &

Page 217

10-8Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchTable 10-2. Command Summary for Extended ACLsAction Command(s) PageC

Page 218

10-9Access Control Lists (ACLs)Overview of Options for Applying ACLs on the SwitchTable 10-3. Command Summary for Enabling, Disabling, and Displaying

Page 219

10-10Access Control Lists (ACLs)TerminologyTerminologyAccess Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to ex

Page 220

10-11Access Control Lists (ACLs)TerminologyACL: See “Access Control List”.ACL ID: A number or alphanumeric string used to identify an ACL. A standard

Page 221

10-12Access Control Lists (ACLs)Terminologyidentifier: The term used in ACL syntax statements to represent either the name or number by which the ACL

Page 222 - The Packet-filtering Process

10-13Access Control Lists (ACLs)TerminologyNamed ACL: An ACL created with the ip access-list < extended | standard > < name-str > command

Page 223

ProCurve Series 5400zl Switches, Series 3500yl Switches, 6200yl Switch: Access Security Guide, February 2007, K.12.XX

Page 224 - ■ vendor and ACL identifiers:

1-4Security OverviewSwitch Access SecurityInbound Telnet Access and Web Browser AccessThe default remote management protocols enabled on the switch ar

Page 225

10-14Access Control Lists (ACLs)Terminologyseq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an A

Page 226

10-15Access Control Lists (ACLs)OverviewOverviewTypes of IP ACLsA permit or deny policy for IP traffic you want to filter can be based on source IP ad

Page 227

10-16Access Control Lists (ACLs)Overview• outbound traffic generated by the switch itself. VLAN ACL (VACL): on a VLAN configured with a VACL, any inb

Page 228 - Configuration Notes

10-17Access Control Lists (ACLs)OverviewFigure 10-1. Example of RACL Filter Applications on Routed IP TrafficNotes The switch allows one inbound RACL

Page 229 - ACEs in the list

10-18Access Control Lists (ACLs)OverviewVACL ApplicationsVACLs filter any IP traffic entering the switch on a VLAN configured with the “VLAN” ACL opti

Page 230

10-19Access Control Lists (ACLs)OverviewStatic Port ACL and Dynamic Port ACL Applications Static Port ACL: filters any IP traffic inbound on the desi

Page 231

10-20Access Control Lists (ACLs)Overview802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually

Page 232

10-21Access Control Lists (ACLs)Overview One inbound and one outbound RACL filtering routed IP traffic moving through the port for VLAN “X”. (Also ap

Page 233

10-22Access Control Lists (ACLs)Overview An RACL that denies inbound IP traffic having a destination on the 10.28.10.0 subnetIn this case, no IP traf

Page 234 - Event Log Messages

10-23Access Control Lists (ACLs)Overview You can apply any one ACL to multiple interfaces. All ACEs in an ACL configured on the switch are automatic

Page 235 - Monitoring Shared Resources

1-5Security OverviewSwitch Access Securityyou enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access

Page 236

10-24Access Control Lists (ACLs)OverviewGeneral Steps for Planning and Configuring ACLs1. Identify the ACL application to apply. As part of this step

Page 237

10-25Access Control Lists (ACLs)Overview5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or

Page 238

10-26Access Control Lists (ACLs)ACL OperationACL OperationIntroductionAn ACL is a list of one or more Access Control Entries (ACEs), where each ACE co

Page 239

10-27Access Control Lists (ACLs)ACL OperationNote After you assign an ACL to an interface, the default action on the interface is to implicitly deny a

Page 240

10-28Access Control Lists (ACLs)ACL Operationno further comparisons of the packet are made with the remaining ACEs in the list. This means that when a

Page 241 - Public Key Formats

10-29Access Control Lists (ACLs)ACL OperationNote The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs,

Page 242

10-30Access Control Lists (ACLs)Planning an ACL ApplicationIt is important to remember that all ACLs configurable on the switch include an implicit de

Page 243

10-31Access Control Lists (ACLs)Planning an ACL Application Any TCP traffic (only) for a specific TCP port or range of ports, including optional cont

Page 244

10-32Access Control Lists (ACLs)Planning an ACL ApplicationSecurityACLs can enhance security by blocking IP traffic carrying an unauthorized source IP

Page 245

10-33Access Control Lists (ACLs)Planning an ACL ApplicationAccess Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proc

Page 246

1-6Security OverviewSwitch Access SecurityFor details on this feature, refer to the section titled “Using SNMP To View and Configure Switch Authentica

Page 247

10-34Access Control Lists (ACLs)Planning an ACL Application• Numeric Standard ACLs: Up to 99; numeric range: 1 - 99 • Numeric Extended ACLs: Up to 100

Page 248 - Key for the

10-35Access Control Lists (ACLs)Planning an ACL Application VACLs: These filter any IP traffic entering the switch through any port belonging to the

Page 249 - Modulus <n>

10-36Access Control Lists (ACLs)Planning an ACL ApplicationHow an ACE Uses a Mask To Screen Packets for MatchesWhen the switch applies an ACL to IP tr

Page 250

10-37Access Control Lists (ACLs)Planning an ACL ApplicationRules for Defining a Match Between a Packet and anAccess Control Entry (ACE) For a given A

Page 251 - Client Contact Behavior

10-38Access Control Lists (ACLs)Planning an ACL Application Every IP address and mask pair (source or destination) used in an ACE creates one of the

Page 252 - ■ Execute no ip ssh

10-39Access Control Lists (ACLs)Planning an ACL ApplicationExample of How the Mask Bit Settings Define a Match. Assume an ACE where the second octet

Page 253 - Note on Port

10-40Access Control Lists (ACLs)Planning an ACL ApplicationExamples Allowing Multiple IP Addresses. Table 10-5 provides examples of how to apply mas

Page 254

10-41Access Control Lists (ACLs)Configuring and Assigning an ACLConfiguring and Assigning an ACL OverviewGeneral Steps for Implementing ACLs1. Configu

Page 255

10-42Access Control Lists (ACLs)Configuring and Assigning an ACLOptions for Permit/Deny PoliciesThe permit or deny policy for IP traffic you want to f

Page 256

10-43Access Control Lists (ACLs)Configuring and Assigning an ACL3. One or more deny/permit list entries (ACEs): One entry per line. 4. Implicit Deny:

Page 257

1-7Security OverviewSwitch Access SecurityOther Provisions for Management Access SecurityThe following features can help to prevent unauthorized manag

Page 258 - Public-Key Authentication

10-44Access Control Lists (ACLs)Configuring and Assigning an ACLFor example, figure 10-10 shows how to interpret the entries in a standard ACL.Figure

Page 259 - Bit Size Exponent <e>

10-45Access Control Lists (ACLs)Configuring and Assigning an ACLExtended ACL Configuration StructureIndividual ACEs in an extended ACL include: A per

Page 260

10-46Access Control Lists (ACLs)Configuring and Assigning an ACLFor example, figure 10-12 shows how to interpret the entries in an extended ACL.Figure

Page 261 - Note on Public

10-47Access Control Lists (ACLs)Configuring and Assigning an ACLsignificant because, once a match is found for a packet, subsequent ACEs in the same A

Page 262 - Key Index Number

10-48Access Control Lists (ACLs)Configuring and Assigning an ACLAllowing for the Implied Deny Function In any ACL having one or more ACEs there will a

Page 263

10-49Access Control Lists (ACLs)Configuring and Assigning an ACLUsing the CLI To Create an ACL You can use either the switch CLI or an offline text ed

Page 264

10-50Access Control Lists (ACLs)Configuring and Assigning an ACLTo insert an ACE anywhere in a numbered ACL, use the same process as described above f

Page 265

10-51Access Control Lists (ACLs)Configuring Standard ACLsConfiguring Standard ACLsTable 10-9. Command Summary for Standard ACLsAction Command(s) PageC

Page 266

10-52Access Control Lists (ACLs)Configuring Standard ACLsA standard ACL uses only source IP addresses in its ACEs. This type of ACE is useful when you

Page 267

10-53Access Control Lists (ACLs)Configuring Standard ACLsConfiguring Named, Standard ACLsThis section describes the commands for performing the follow

Page 268

1-8Security OverviewNetwork Security FeaturesNetwork Security FeaturesThis section outlines features for protecting access through the switch to the n

Page 269 - Prerequisite for Using SSL

10-54Access Control Lists (ACLs)Configuring Standard ACLsConfiguring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip acces

Page 270

10-55Access Control Lists (ACLs)Configuring Standard ACLsExample of Creating and Listing a Standard, Named ACL. This example illustrates how to crea

Page 271

10-56Access Control Lists (ACLs)Configuring Standard ACLsFigure 10-15. Screen Output Listing the “Sample-List” ACL ContentCreating Numbered, Standard

Page 272 - Security Tab

10-57Access Control Lists (ACLs)Configuring Standard ACLsCreating or Adding to a Standard, Numbered ACL. This command is an alternative to using ip a

Page 273

10-58Access Control Lists (ACLs)Configuring Standard ACLs< any | host < SA > | SA < mask | SA/mask-length >>Defines the source IP a

Page 274

10-59Access Control Lists (ACLs)Configuring Standard ACLsExample of Creating and Viewing a Standard ACL. This example creates a standard, numbered A

Page 275 - Generate New Certificate

10-60Access Control Lists (ACLs)Configuring Extended ACLsConfiguring Extended ACLsTable 10-10. Command Summary for Extended ACLsAction Command(s) Page

Page 276 - Show host certificate command

10-61Access Control Lists (ACLs)Configuring Extended ACLsStandard ACLs use only source IP addresses for filtering criteria, extended ACLs use multiple

Page 277

10-62Access Control Lists (ACLs)Configuring Extended ACLsConfiguring Named, Extended ACLsFor a match to occur with an ACE in an extended ACL, a packet

Page 278 - [SSL] button

10-63Access Control Lists (ACLs)Configuring Extended ACLsCreating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command

Page 279 - Web browser interface

1-9Security OverviewNetwork Security FeaturesFor more information, refer to Chapter 13 “Configuring Port-Based and User-Based Access Control (802.1X)”

Page 280

10-64Access Control Lists (ACLs)Configuring Extended ACLsConfigure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configu

Page 281 - Browser Contact Behavior

10-65Access Control Lists (ACLs)Configuring Extended ACLs< ip | ip-protocol | ip-protocol-nbr >Used after deny or permit to specify the packet p

Page 282

10-66Access Control Lists (ACLs)Configuring Extended ACLs< any | host < DA > | DA/mask-length | DA/ < mask >>This is the second inst

Page 283

10-67Access Control Lists (ACLs)Configuring Extended ACLs[ tos < tos-setting > ]This option can be used after the DA to cause the ACE to match p

Page 284

10-68Access Control Lists (ACLs)Configuring Extended ACLsOptions for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or U

Page 285 - Common Errors in SSL setup

10-69Access Control Lists (ACLs)Configuring Extended ACLsPort Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli-ca

Page 286

10-70Access Control Lists (ACLs)Configuring Extended ACLsOptions for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to pe

Page 287 - Access Control Lists (ACLs)

10-71Access Control Lists (ACLs)Configuring Extended ACLs[ icmp-type-name ]These name options are an alternative to the [icmp-type [ icmp-code] ] meth

Page 288

10-72Access Control Lists (ACLs)Configuring Extended ACLsOption for IGMP in Extended ACLs. This option is useful where it is necessary to permit som

Page 289

10-73Access Control Lists (ACLs)Configuring Extended ACLsExample of a Named, Extended ACL. Suppose that you want to implement these policies on a sw

Page 290

1-10Security OverviewNetwork Security FeaturesSecure Socket Layer (SSLv3/TLSv1)This feature includes use of Transport Layer Security (TLSv1) to provid

Page 291 - Dynamic Port ACLs

10-74Access Control Lists (ACLs)Configuring Extended ACLsFigure 10-19. Example of Configuration Commands for Extended ACLsConfiguring Numbered, Extend

Page 292

10-75Access Control Lists (ACLs)Configuring Extended ACLsCreating or Adding to an Extended, Numbered ACL. This command is an alternative to using ip

Page 293

10-76Access Control Lists (ACLs)Configuring Extended ACLs< deny | permit >Specifies whether to deny (drop) or permit (forward) a packet that mat

Page 294

10-77Access Control Lists (ACLs)Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a pack

Page 295

10-78Access Control Lists (ACLs)Configuring Extended ACLs[ precedence < 0 - 7 | precedence-name >]This option causes the ACE to match packets wi

Page 296

10-79Access Control Lists (ACLs)Configuring Extended ACLsAdditional Options for TCP and UDP Traffic. An ACE designed to permit or deny TCP or UDP tr

Page 297

10-80Access Control Lists (ACLs)Configuring Extended ACLsAdditional Option for IGMP. This option is useful where it is necessary to permit some types

Page 298

10-81Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceAdding or Removing an ACL Assignment On an InterfaceFiltering Rout

Page 299

10-82Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFigure 10-20. Methods for Enabling and Disabling RACLsFiltering IP

Page 300

10-83Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFigure 10-21. Methods for Enabling and Disabling VACLsProCurve(con

Page 301

1-11Security OverviewNetwork Security FeaturesPrecedence of Security Options. Where the switch is running multiple security options, it implements ne

Page 302 - RACL Applications

10-84Access Control Lists (ACLs)Adding or Removing an ACL Assignment On an InterfaceFiltering Inbound IP Traffic Per PortFor a given port, port list,

Page 303

10-85Access Control Lists (ACLs)Deleting an ACLDeleting an ACLSyntax: no ip access-list standard < name-str | 1-99 >no ip access-list extended &

Page 304 - VACL Applications

10-86Access Control Lists (ACLs)Editing an Existing ACLEditing an Existing ACLThe CLI provides the capability for editing in the switch by using seque

Page 305

10-87Access Control Lists (ACLs)Editing an Existing ACL Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is “empty”

Page 306 - Multiple ACLs on an Interface

10-88Access Control Lists (ACLs)Editing an Existing ACLFor example, to append a fourth ACE to the end of the ACL in figure 10-23:Figure 10-25. Example

Page 307

10-89Access Control Lists (ACLs)Editing an Existing ACL2. Begin the ACE command with a sequence number that identifies the position you want the ACE

Page 308

10-90Access Control Lists (ACLs)Editing an Existing ACLDeleting an ACE from an Existing ACLThis action uses ACL sequence numbers to delete ACEs from a

Page 309

10-91Access Control Lists (ACLs)Editing an Existing ACLResequencing the ACEs in an ACLThis action reconfigures the starting sequence number for ACEs i

Page 310

10-92Access Control Lists (ACLs)Editing an Existing ACLAttaching a Remark to an ACEA remark is numbered in the same way as an ACE, and uses the same s

Page 311

10-93Access Control Lists (ACLs)Editing an Existing ACLNote After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it

Page 312 - ACL Operation

1-12Security OverviewAdvanced Threat DetectionAdvanced Threat DetectionAdvanced threat detection covers a range of features used to detect anomalous

Page 313

10-94Access Control Lists (ACLs)Editing an Existing ACLInserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark wit

Page 314

10-95Access Control Lists (ACLs)Editing an Existing ACLOperating Notes for Remarks The resequence command ignores “orphan” remarks that do not have a

Page 315

10-96Access Control Lists (ACLs)Displaying ACL Configuration DataDisplaying ACL Configuration DataACL Commands Function Pageshow access-list Displays

Page 316 - Planning an ACL Application

10-97Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay an ACL SummaryThis command lists the configured ACLs, regardless of whether t

Page 317

10-98Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay the Content of All ACLs on the SwitchThis command lists the configuration det

Page 318 - Security

10-99Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay the RACL and VACL Assignments for a VLANThis command briefly lists the identi

Page 319

10-100Access Control Lists (ACLs)Displaying ACL Configuration DataDisplay Static Port ACL Assignments This command briefly lists the identification an

Page 320

10-101Access Control Lists (ACLs)Displaying ACL Configuration DataDisplaying the Content of a Specific ACLThis command displays a specific ACL configu

Page 321

10-102Access Control Lists (ACLs)Displaying ACL Configuration DataFigure 10-37. Examples of Listings Showing the Content of Standard and Extended ACLs

Page 322

10-103Access Control Lists (ACLs)Displaying ACL Configuration DataTable 10-11. Descriptions of Data Types Included in Show Access-List < acl-id >

Page 323 - Access Control Entry (ACE)

1-13Security OverviewIdentity-Driven Manager (IDM)Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-ba

Page 324 - IP Address Mask

10-104Access Control Lists (ACLs)Creating or Editing ACLs OfflineCreating or Editing ACLs OfflineThe section titled “Editing an Existing ACL” on page

Page 325

10-105Access Control Lists (ACLs)Creating or Editing ACLs OfflineIf you are replacing an ACL on the switch with a new ACL that uses the same number or

Page 326

10-106Access Control Lists (ACLs)Creating or Editing ACLs Offline Deny all other IP traffic from VLAN 20 to VLAN 10. Deny all IP traffic from VLAN 3

Page 327

10-107Access Control Lists (ACLs)Creating or Editing ACLs OfflineIn this example, the CLI would show the following output to indicate that the ACL was

Page 328 - ACL Configuration Structure

10-108Access Control Lists (ACLs)Creating or Editing ACLs OfflineFigure 10-41. Example of Verifying the .txt File Download to the Switch5. If the conf

Page 329 - Standard ACL Structure

10-109Access Control Lists (ACLs)Enable ACL “Deny” LoggingEnable ACL “Deny” LoggingACL logging enables the switch to generate a message when IP traffi

Page 330

10-110Access Control Lists (ACLs)Enable ACL “Deny” LoggingACL Logging OperationWhen the switch detects a packet match with an ACE and the ACE includes

Page 331

10-111Access Control Lists (ACLs)Enable ACL “Deny” LoggingEnabling ACL Logging on the Switch1. If you are using a Syslog server, use the logging <

Page 332 - ACL Configuration Factors

10-112Access Control Lists (ACLs)Enable ACL “Deny” LoggingFigure 10-44. Commands for Applying an ACL with Logging to Figure 10-43ProCurve(config)# ip

Page 333

10-113Access Control Lists (ACLs)General ACL Operating NotesGeneral ACL Operating NotesACLs do not provide DNS hostname support. ACLs cannot be confi

Page 334

Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, www.procurve.com. © Copyright 2005-2007 Hewlett-Packard Develo

Page 335 - General ACE Rules

1-14Security OverviewIdentity-Driven Manager (IDM)— This page is intentionally unused —

Page 336

10-114Access Control Lists (ACLs)General ACL Operating NotesMonitoring Shared Resources. Applied ACLs share internal switch resources with several ot

Page 337 - Configuring Standard ACLs

11-1 Configuring Advanced Threat Protection, Contents (chapter 11): Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 338

11-2Configuring Advanced Threat ProtectionIntroductionIntroductionAs your network expands to include an increasing number of mobile devices, continuou

Page 339

11-3Configuring Advanced Threat ProtectionDHCP Snooping• Attempts to exhaust system resources so that sufficient resources are not available to transm

Page 340

11-4Configuring Advanced Threat ProtectionDHCP SnoopingDHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected

Page 341

11-5Configuring Advanced Threat ProtectionDHCP SnoopingTo display the DHCP snooping configuration, enter this command:ProCurve(config)# show dhcp-snoo

Page 342

11-6Configuring Advanced Threat ProtectionDHCP SnoopingFigure 11-2. Example of Show DHCP Snooping StatisticsEnabling DHCP Snooping on VLANSDHCP snoopi

Page 343

11-7Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring DHCP Snooping Trusted PortsBy default, all ports are untrusted. To configure a port

Page 344

11-8Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring Authorized Server AddressesIf authorized server addresses are configured, a packet

Page 345 - 10-14 on page 10-55

11-9Configuring Advanced Threat ProtectionDHCP SnoopingNote DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, n

Page 346 - Configuring Extended ACLs

2-1 Configuring Username and Password Security, Contents (chapter 2): Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 347

11-10Configuring Advanced Threat ProtectionDHCP SnoopingChanging the Remote-id from a MAC to an IP AddressBy default, DHCP snooping uses the MAC addre

Page 348

11-11Configuring Advanced Threat ProtectionDHCP SnoopingFigure 11-7. Example Showing the DHCP Snooping Verify MAC SettingThe DHCP Binding DatabaseDHCP

Page 349

11-12Configuring Advanced Threat ProtectionDHCP SnoopingA message is logged in the system event log if the DHCP binding database fails to update.To di

Page 350

11-13Configuring Advanced Threat ProtectionDHCP Snooping ProCurve recommends running a time synchronization protocol such as SNTP in order to track l

Page 351

11-14Configuring Advanced Threat ProtectionDHCP SnoopingCeasing untrusted relay information logs for <duration>. More than one DHCP client pack

Page 352

11-15Configuring Advanced Threat ProtectionDynamic ARP ProtectionDynamic ARP ProtectionIntroductionOn the VLAN interfaces of a routing switch, dynamic

Page 353

11-16Configuring Advanced Threat ProtectionDynamic ARP Protection• If a binding is valid, the switch updates its local ARP cache and forwards the pack

Page 354

11-17Configuring Advanced Threat ProtectionDynamic ARP ProtectionEnabling Dynamic ARP ProtectionTo enable dynamic ARP protection for VLAN traffic on a

Page 355 - [Shift] [?] key combination

11-18Configuring Advanced Threat ProtectionDynamic ARP ProtectionTake into account the following configuration guidelines when you use dynamic ARP pro

Page 356

11-19Configuring Advanced Threat ProtectionDynamic ARP ProtectionTo add the static configuration of an IP-to-MAC binding for a port to the database, e

Page 357

2-2Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons

Page 358

11-20Configuring Advanced Threat ProtectionDynamic ARP ProtectionYou can configure one or more of the validation checks. The following example of the

Page 359

11-21Configuring Advanced Threat ProtectionDynamic ARP ProtectionDisplaying ARP Packet StatisticsTo display statistics about forwarded ARP packets, dr

Page 360

11-22Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorUsing the Instrumentation MonitorThe instrumentation monitor can be used t

Page 361

11-23Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorOperating Notes To generate alerts for monitored events, you must enable

Page 362

11-24Configuring Advanced Threat ProtectionUsing the Instrumentation Monitor Alerts are automatically rate limited to prevent filling the log file wi

Page 363

11-25Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo enable instrumentation monitor using the default parameters and thresh-

Page 364

11-26Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo adjust the alert threshold for the MAC address count to a specific valu

Page 365

11-27Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorAn alternate method of determining the current Instrumentation Monitor con

Page 366

11-28Configuring Advanced Threat ProtectionUsing the Instrumentation Monitor— This page is intentionally unused —

Page 367 - On an Interface

12-1 Traffic/Security Filters and Monitors, Contents (chapter 12): Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 368

2-3Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if

Page 369

12-2Traffic/Security Filters and MonitorsOverviewOverviewApplicable Switch Models. As of October, 2005, Traffic/Security filters are available on thes

Page 370

12-3Traffic/Security Filters and MonitorsFilter Types and OperationYou can enhance in-band security and improve control over access to network resourc

Page 371 - Deleting an ACL

12-4Traffic/Security Filters and MonitorsFilter Types and OperationSource-Port FiltersThis filter type enables the switch to forward or drop traffic f

Page 372 - Editing an Existing ACL

12-5Traffic/Security Filters and MonitorsFilter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the s

Page 373 - Sequence Numbering in ACLs

12-6Traffic/Security Filters and MonitorsFilter Types and OperationFigure 12-3. The Filter for the Actions Shown in Figure 12-2Named Source-Port Filte

Page 374

12-7Traffic/Security Filters and MonitorsFilter Types and Operation A named source-port filter can only be deleted when it is not applied to any port

Page 375

12-8Traffic/Security Filters and MonitorsFilter Types and OperationA named source-port filter must first be defined and configured before it can be ap

Page 376

12-9Traffic/Security Filters and MonitorsFilter Types and OperationUsing Named Source-Port FiltersA company wants to manage traffic to the Internet an

Page 377

12-10Traffic/Security Filters and MonitorsFilter Types and Operation Applying Example Named Source-Port Filters. Once the named source-port filters ha

Page 378 - Attaching a Remark to an ACE

12-11Traffic/Security Filters and MonitorsFilter Types and OperationUsing the IDX value in the show filter command, we can see how traffic is filtered

Page 379

2-4Configuring Username and Password SecurityOverviewNote The manager and operator passwords and (optional) usernames control access to the menu inter

Page 380

12-12Traffic/Security Filters and MonitorsFilter Types and OperationThe same command, using IDX 26, shows how traffic from the Internet is handled.Pro

Page 381 - Operating Notes for Remarks

12-13Traffic/Security Filters and MonitorsFilter Types and OperationAs the company grows, more resources are required in accounting. Two additional ac

Page 382

12-14Traffic/Security Filters and MonitorsFilter Types and OperationThe following revisions to the named source-port filter definitions maintain the d

12-15Traffic/Security Filters and MonitorsFilter Types and OperationStatic Multicast FiltersThis filter type enables the switch to forward or drop mul

12-16Traffic/Security Filters and MonitorsFilter Types and OperationNotes: Per-Port IP Multicast Filters. The static multicast filters described in th

12-17Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring Traffic/Security FiltersUse this procedure to specify the ty

12-18Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring a Source-Port Traffic FilterSyntax: [no] filter [source-port

12-19Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersExample of Creating a Source-Port FilterFor example, assume that you wan

12-20Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersfilter on port 5, then create a trunk with ports 5 and 6, and display th

12-21Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 12-7. Assigning Additional Destination Ports to an Existing Filte

2-5Configuring Username and Password SecurityConfiguring Local Password SecurityConfiguring Local Password SecurityMenu: Setting PasswordsAs noted ear

12-22Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFor example, suppose you wanted to configure the filters in table 12-3 o

12-23Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersDisplaying Traffic/Security FiltersThis command displays a listing of al

12-24Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 12-9. Example of Displaying Filter DataFilter Index Numbers (Auto

13-113Configuring Port-Based andUser-Based Access Control (802.1X)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

13-2Configuring Port-Based and User-Based Access Control (802.1X)Contents3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . .

13-3Configuring Port-Based and User-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based or User-Based Access Control?Local Area Networks a

13-4Configuring Port-Based and User-Based Access Control (802.1X)Overview• Port-Based access control option allowing authentication by a single client

13-5Configuring Port-Based and User-Based Access Control (802.1X)Overviewthe session total includes any sessions begun by the Web Authentication or MA

13-6Configuring Port-Based and User-Based Access Control (802.1X)TerminologyNote Port-Based 802.1X can operate concurrently with Web-Authentication or

13-7Configuring Port-Based and User-Based Access Control (802.1X)Terminologylocal authentication is used, in which case the switch performs this funct

2-6Configuring Username and Password SecurityConfiguring Local Password SecurityTo Delete Password Protection (Including Recovery from a Lost Password

13-8Configuring Port-Based and User-Based Access Control (802.1X)TerminologySupplicant: The entity that must provide the proper credentials to the swi

13-9Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationGeneral 802.1X Authenticator OperationThis oper

13-10Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationNote The switches covered in this guide can us

13-11Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationFigure 13-1. Priority of VLAN Assignment for a

13-12Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and NotesGeneral Operating Rules and Notes In the user-base

13-13Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and Notes If a port on switch “A” is configured as an 802.1

13-14Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlGeneral Setup Procedure for 802.1X

13-15Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlOverview: Configuring 802.1X Authen

13-16Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsNote If you want to implement the o

13-17Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators1. Enable 802.1X Authentication on

2-7Configuring Username and Password SecurityConfiguring Local Password SecurityCLI: Setting Passwords and UsernamesCommands Used in This SectionConfi

13-18Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsB. Specify User-Based Authenticatio

13-19Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsExample: Configuring User-Based 802

13-20Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[quiet-period < 0 - 65535 >]S

13-21Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authenticat

13-22Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsFor example, to enable the switch t

13-23Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators5. Enable 802.1X Authentication on

13-24Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators7. Optional: Configure 802.1X Contr

13-25Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsThe aaa port-access controlled-dire

13-26Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeFigure 13-5. Example of Configuring 802.1X Controlled Direction

13-27Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeThe 802.1X Open VLAN mode solves this problem by temporarily su

2-8Configuring Username and Password SecurityFront-Panel SecurityWeb: Setting Passwords and UsernamesIn the web browser interface you can enter passwo

13-28Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeA port assigned to a VLAN by an Authorized-Client VLAN configur

13-29Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeTable 13-2. 802.1X Open VLAN Mode Options802.1X Per-Port Config

13-30Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeAuthorized-Client VLAN • After client authentication, the port

13-31Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured

13-32Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Authorized-Client VLAN Configured:•

13-33Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client andUnauthorized-Client VL

13-34Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of Unauthorized-Client VLAN session on untagged port VLA

13-35Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of RADIUS-assigned VLANThis rule assumes no other authen

13-36Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote: If you use the same VLAN as the Unauthorized-Client VLAN

13-37Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeSetting Up and Configuring 802.1X Open VLAN ModePreparation. Th

2-9Configuring Username and Password SecurityFront-Panel Security Gaining management access to the switch by having physical access to the switch its

13-38Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote that as an alternative, you can configure the switch to us

13-39Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN Mode3. If you selected either eap-radius or chap-radius for step 2,

13-40Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeConfiguring 802.1X Open VLAN Mode. Use these commands to actual

13-41Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information an

13-42Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent

13-43Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent

13-44Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

13-45Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

13-46Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

13-47Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

iiiContentsProduct DocumentationAbout Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xixPrinted Publication

2-10Configuring Username and Password SecurityFront-Panel SecurityFront-Panel Button Functions The front panel of the switch includes the Reset button

13-48Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configura

13-49Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Countersshow port-access authentica

13-50Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 13-8. Example of sho

13-51Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN Mo

13-52Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersThus, in the output shown i

13-53Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersTable 13-3. Output for Dete

13-54Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 13-10.Example of Sho

13-55Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Acce

13-56Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another wi

13-57Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a R

2-11Configuring Username and Password SecurityFront-Panel SecurityReset ButtonPressing the Reset button alone for one second causes the switch to rebo

13-58Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 13-12.The Active Confi

13-59Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s sess

13-60Configuring Port-Based and User-Based Access Control (802.1X)Operating NotesOperating Notes Applying Web Authentication or MAC Authentication Co

13-61Configuring Port-Based and User-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 13-4.

13-62Configuring Port-Based and User-Based Access Control (802.1X)Messages Related to 802.1X Operation— This page is intentionally unused —

14-114Configuring and Monitoring Port SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

14-2Configuring and Monitoring Port Security ContentsWeb: Checking for Intrusions, Listing IntrusionAlerts, and Resetting Alert Flags . . . . . .

14-3Configuring and Monitoring Port SecurityOverviewOverviewPort Security (Page 14-4). This feature enables you to configure each switch port with a

14-4Configuring and Monitoring Port Security Port SecurityPort SecurityBasic OperationDefault Port Security Operation. The default port security s

14-5Configuring and Monitoring Port SecurityPort Security• Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the

2-12Configuring Username and Password SecurityFront-Panel Security3. Release the Reset button.4. When the Test LED to the right of the Clear button be

14-6Configuring and Monitoring Port Security Port Securityconfiguration to ports on which hubs, switches, or other devices are connected, and to m

14-7Configuring and Monitoring Port SecurityPort SecurityPlanning Port Security1. Plan your port security configuration and monitoring according to th

14-8Configuring and Monitoring Port Security Port SecurityPort Security Command Options and OperationPort Security Commands Used in This SectionTh

14-9Configuring and Monitoring Port SecurityPort SecurityDisplaying Port Security Settings. Figure 14-2. Example Port Security Listing (Ports A7 and

14-10Configuring and Monitoring Port Security Port SecurityFigure 14-3. Example of the Port Security Configuration Display for a Single PortThe n

14-11Configuring and Monitoring Port SecurityPort SecurityListing Authorized and Detected MAC Addresses. Figure 14-4. Examples of Show Mac-Address Ou

14-12Configuring and Monitoring Port Security Port SecurityConfiguring Port SecurityUsing the CLI, you can: Configure port security and edit secu

14-13Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | config

14-14Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | c

14-15Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)Addresses learned this way appear in the switch and port ad

2-13Configuring Username and Password SecurityFront-Panel Security• Configure the Clear button to reboot the switch after clearing any local usernames

14-16Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)mac-address [<mac-addr>] [<mac-addr>] . .

14-17Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)clear-intrusion-flagClears the intrusion flag for a specifi

14-18Configuring and Monitoring Port Security Port SecurityRetention of Static AddressesStatic MAC addresses do not age-out. MAC addresses learned

14-19Configuring and Monitoring Port SecurityPort SecuritySpecifying Authorized Devices and Intrusion Responses. This example configures port A1 to au

14-20Configuring and Monitoring Port Security Port SecurityAdding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s

14-21Configuring and Monitoring Port SecurityPort Security(The message Inconsistent value appears if the new MAC address exceeds the current Address L

14-22Configuring and Monitoring Port Security Port SecurityRemoving a Device From the “Authorized” List for a Port. This command option removes un

14-23Configuring and Monitoring Port SecurityMAC LockdownThe following command serves this purpose by removing 0c0090-123456 and reducing the Address

14-24Configuring and Monitoring Port Security MAC LockdownYou will need to enter a separate command for each MAC/VLAN pair you wish to lock down.

14-25Configuring and Monitoring Port SecurityMAC LockdownOther Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair ca

2-14Configuring Username and Password SecurityFront-Panel SecurityFor example, show front-panel-security produces the following output when the switch

14-26Configuring and Monitoring Port Security MAC LockdownMAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can

14-27Configuring and Monitoring Port SecurityMAC LockdownDeploying MAC LockdownWhen you deploy MAC Lockdown you need to consider how you use it within

14-28Configuring and Monitoring Port Security MAC LockdownFigure 14-10.MAC Lockdown Deployed At the Network Edge Provides SecurityBasic MAC Lockdo

14-29Configuring and Monitoring Port SecurityMAC LockdownThe key points for this Model Topology are:• The Core Network is separated from the edge by t

14-30Configuring and Monitoring Port Security MAC LockdownFigure 14-11.Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant

14-31Configuring and Monitoring Port SecurityMAC LockoutMAC LockoutMAC Lockout involves configuring a MAC address on all ports and VLANs for a switch

14-32Configuring and Monitoring Port Security MAC LockoutMAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti-cation.You cannot

14-33Configuring and Monitoring Port SecurityMAC LockoutPort Security and MAC LockoutMAC Lockout is independent of port-security and in fact will over

14-34Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security FeaturesWeb: Displaying and Configuring Port Security

14-35Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion thro

2-15Configuring Username and Password SecurityFront-Panel SecurityFigure 2-8. Example of Disabling the Clear Button and Displaying the New Configurati

14-36Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsThe log shows the most recent intrusion at the top

14-37Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsMenu: Checking for Intrusions, Listing Intrusion Alerts

14-38Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags• Because the Port Status screen (figure 14-14 on

14-39Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsIn the following example, executing show interfaces bri

14-40Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsTo clear the intrusion from port A1 and enable the

14-41Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 14-19.Example of Log Listing With and Without De

14-42Configuring and Monitoring Port Security Operating Notes for Port SecurityOperating Notes for Port SecurityIdentifying the IP Address of an I

14-43Configuring and Monitoring Port SecurityOperating Notes for Port SecurityProCurve(config)# port-security e a17 learn-mode static address-limit 2L

14-44Configuring and Monitoring Port Security Operating Notes for Port Security— This page is intentionally unused —

15-115Using Authorized IP Managers ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2-16Configuring Username and Password SecurityFront-Panel SecurityRe-Enabling the Clear Button on the Switch’s Front Paneland Setting or Changing the

15-2Using Authorized IP ManagersOverviewOverviewAuthorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to deter

15-3Using Authorized IP ManagersOptionsOptionsYou can configure: Up to 10 authorized manager addresses, where each address applies to either a single

15-4Using Authorized IP ManagersDefining Authorized Management StationsDefining Authorized Management Stations Authorizing Single Stations: The table

15-5Using Authorized IP ManagersDefining Authorized Management Stationsrized Manager IP address to authorize four IP addresses for management station

15-6Using Authorized IP ManagersDefining Authorized Management StationsFigure 15-2. Example of How To Add an Authorized Manager Entry (Continued)Editi

15-7Using Authorized IP ManagersDefining Authorized Management StationsFigure 15-3.Example of the Show IP Authorized-Manager DisplayThe above example

15-8Using Authorized IP ManagersDefining Authorized Management StationsIf you omit the < mask bits > when adding a new authorized manager, the s

15-9Using Authorized IP ManagersWeb: Configuring IP Authorized ManagersWeb: Configuring IP Authorized ManagersIn the web browser interface you can con

15-10Using Authorized IP ManagersBuilding IP MasksConfiguring Multiple Stations Per Authorized Manager IP EntryThe mask determines whether the IP addr

15-11Using Authorized IP ManagersBuilding IP MasksFigure 15-6. Analysis of IP Mask for Multiple-Station Entries Figure 15-7. Example of How the Bitmap

2-17Configuring Username and Password SecurityFront-Panel SecurityFigure 2-9. Example of Re-Enabling the Clear Button’s Default OperationChanging the

15-12Using Authorized IP ManagersOperating NotesAdditional Examples for Authorizing Multiple StationsOperating Notes Network Security Precautions: Yo

15-13Using Authorized IP ManagersOperating Notes• Even if you need proxy server access enabled in order to use other applications, you can still elimi

15-14Using Authorized IP ManagersOperating Notes— This page is intentionally unused —

16-116Key Management SystemContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16-2Key Management SystemOverviewOverviewThe switches covered in this guide provide support for advanced routing capabilities. Security turns out to b

16-3Key Management SystemConfiguring Key Chain ManagementConfiguring Key Chain ManagementThe Key Management System (KMS) has three configuration steps

16-4Key Management SystemConfiguring Key Chain ManagementFigure 16-1. Adding a New Key Chain EntryAfter you add an entry, you can assign key(s) to it

16-5Key Management SystemConfiguring Key Chain Management Figure 16-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry As

16-6Key Management SystemConfiguring Key Chain ManagementNote Using time-dependent keys requires that all the switches have accurate, synchronized tim

16-7Key Management SystemConfiguring Key Chain ManagementNote Given transmission delays and the variations in the time value from switch to switch, it

2-18Configuring Username and Password SecurityFront-Panel SecurityFigure 2-10. Example of Disabling the Factory Reset OptionPassword RecoveryThe passw

16-8Key Management SystemConfiguring Key Chain ManagementThe “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” us

Index – 1IndexNumerics3DES … 8-3, 9-3802.1XACL, effect on … 10-20802.1X access controlauthenticate users … 13-5authentication methods … 13-4authentica

2 – Indexport-basedaccess … 13-4client without authentication … 13-5effect of Web/MAC Auth client … 13-60enable … 13-17, 13-43latest client, effect …

Index – 3untagged … 13-27, 13-30, 13-31untagged membership … 13-18VLAN operation … 13-56VLAN use, multiple clients … 13-6VLAN, assignment conflict … 1

4 – Indexexample, named extended … 10-73exception for connection-rate filtering … 10-22exit statement … 10-48extendedcommand summary … 10-8configure …

Index – 5policies … 10-30policy application points … 1-8, 10-4policy type … 10-42policy, permit/deny … 10-42port … 10-34port ACL definedSee also stat

6 – IndexACL, connection-rateSee connection-rate filteringACLsmanagement access protection … 1-8See also RADIUS-assigned ACLs.addressauthorized for po

Index – 7false positive … 3-6guidelines … 3-8, 3-9high rate, legitimate … 3-18host, trusted … 3-18host, unblocking … 3-18ICMP ping message … 3-3notify

8 – Indexevent logalerts for monitored events … 11-23connection-rate filtering alerts … 3-31intrusion alerts … 14-40messages … 3-31Ffilter, source-por

Index – 9LLACP802.1X not allowed … 13-13, 13-17, 13-61log keyword, ACL mirroring … 10-16login attempts, monitoring … 11-23MMAC addressesmonitoring act

2-19Configuring Username and Password SecurityFront-Panel SecuritySteps for Disabling Password-Recovery. 1. Set the CLI to the global interface conte

10 – Index See ProCurve Manager.physical security … 1-6portsecurity configuration … 14-3trusted … 11-17untrusted … 11-18port accessclient limit … 13-1

Index – 11multiple ACL application types in use … 7-15NAS-Prompt-User service-type value … 6-12network accounting … 6-32operating rules, switch … 6-6o

12 – Indexnotices of … 14-34security, ACLSee ACL, security use.security, passwordSee SSH.setting a password … 2-5SFTP … 1-6SNMPauthentication failures

Index – 13generate host key pair … 9-10generate self-signed … 9-13generate self-signed certificate … 9-10, 9-13generate server host certificate … 9-10

14 – IndexTLSSee RADIUS.troubleshootingauthentication via Telnet … 5-15authorized IP managers … 15-12trunkfilter, source-port … 12-3, 12-19LACP, 802.1

Technical information in this documentis subject to change without notice.© Copyright 2005-2007Hewlett-Packard Development Company, L.P.Reproduction,

ivTraffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10Port Security, MAC Lockdown, and MAC Lock

2-20Configuring Username and Password SecurityFront-Panel SecurityFigure 2-11. Example of the Steps for Disabling Password-RecoveryPassword Recovery P

3-13Virus Throttling ContentsOverview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-3Features and Benefits . . .

3-2Virus ThrottlingContentsExample of Using an ACL in a Connection-Rate Configuration . . . . 3-27Connection-Rate ACL Operating Notes . . . . . . .

3-3Virus ThrottlingOverview of Connection-Rate FilteringOverview of Connection-Rate FilteringThe spread of malicious agents in the form of worms exhib

3-4Virus ThrottlingOverview of Connection-Rate FilteringFeatures and BenefitsConnection-rate filtering is a countermeasure tool you can use in your in

3-5Virus ThrottlingOverview of Connection-Rate FilteringGeneral OperationConnection-rate filtering enables notification of worm-like behavior detected

3-6Virus ThrottlingOverview of Connection-Rate FilteringApplication OptionsFor the most part, normal network traffic is distinct from the traffic exhi

3-7Virus ThrottlingOverview of Connection-Rate FilteringOperating Rules Connection-rate filtering is triggered by inbound IP traffic exhibiting high

3-8Virus ThrottlingGeneral Configuration GuidelinesGeneral Configuration GuidelinesAs stated earlier, connection-rate filtering is triggered only by i

3-9Virus ThrottlingGeneral Configuration GuidelinesNote On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, u

v3 Virus ThrottlingContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1Overview of

3-10Virus ThrottlingConfiguring Connection-Rate FilteringConfiguring Connection-Rate FilteringNote As stated previously, connection-rate filtering is

3-11Virus ThrottlingConfiguring Connection-Rate FilteringEnabling Connection-Rate Filtering and Configuring SensitivityNote The sensitivity settings c

3-12Virus ThrottlingConfiguring Connection-Rate FilteringConfiguring the Per-Port Filtering ModeTable 3-1. Throttle Mode Penalty PeriodsSyntax: filter

3-13Virus ThrottlingConfiguring Connection-Rate FilteringExample of a Basic Connection-Rate Filtering ConfigurationFigure 3-2. Sample NetworkBasic Con

3-14Virus ThrottlingConfiguring Connection-Rate FilteringFigure 3-3. Example of a Basic Connection-Rate ConfigurationEnables connection-rate filtering

3-15Virus ThrottlingConfiguring Connection-Rate FilteringViewing and Managing Connection-Rate StatusThe commands in this section describe how to: Vie

3-16Virus ThrottlingConfiguring Connection-Rate FilteringTo view the complete connection-rate configuration, including any ACLs (page 3-19), use show

3-17Virus ThrottlingConfiguring Connection-Rate FilteringListing Currently-Blocked HostsFigure 3-6. Example of Listing Hosts in Any Connection-Rate St

3-18Virus ThrottlingConfiguring Connection-Rate FilteringUnblocking Currently-Blocked HostsIf a host becomes blocked by triggering connection-rate fil

Page 574

3-19Virus ThrottlingConfiguring and Applying Connection-Rate ACLsConfiguring and Applying Connection-Rate ACLsA host sending legitimate, routed traffi

Page 575

vi4 Web and MAC AuthenticationContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Page 576

3-20Virus ThrottlingConfiguring and Applying Connection-Rate ACLsFor more information on when to apply connection-rate ACLs, refer to “Appli-cation Op

Page 577

3-21Virus ThrottlingConfiguring and Applying Connection-Rate ACLsFigure 3-8. Connection-Rate ACL Applied to Traffic Received Through a Given PortConfi

Page 578

3-22Virus ThrottlingConfiguring and Applying Connection-Rate ACLs< filter | ignore >The filter option assigns policy filtering to traffic with s

Page 579

3-23Virus ThrottlingConfiguring and Applying Connection-Rate ACLsConfiguring a Connection-Rate ACL Using UDP/TCP Criteria(To configure a connection-ra

Page 580

3-24Virus ThrottlingConfiguring and Applying Connection-Rate ACLsip-addr < mask-length >: Applies the ACEs action (filter or ignore) to IP traff

Page 581 - Numerics

3-25Virus ThrottlingConfiguring and Applying Connection-Rate ACLsFigure 3-9. Examples of Connection-Rate ACEs Using UDP/TCP Criteria< tcp-data >

Page 582 - See also port based

3-26Virus ThrottlingConfiguring and Applying Connection-Rate ACLsApplying Connection-Rate ACLsTo apply a connection-rate ACL, use the access group com

Page 583 - See sequence, ACEs

3-27Virus ThrottlingConfiguring and Applying Connection-Rate ACLsFor more on ACE masks, refer to “How an ACE Uses a Mask To Screen Packets for Matches

Page 584 - 4 – Index

3-28Virus ThrottlingConfiguring and Applying Connection-Rate ACLsconfigure a connection-rate ACL that causes the switch to ignore (circumvent) connect

Page 585 - Index – 5

3-29Virus ThrottlingConfiguring and Applying Connection-Rate ACLsFigure 3-12. Example of Switch Configuration Display with a Connection-Rate ACLConnec

Page 586 - 6 – Index

viiOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2Terminology Used in TACACS

Page 587 - Index – 7

3-30Virus ThrottlingConfiguring and Applying Connection-Rate ACLs• filter < source-criteria >: This ACE type does the opposite of an ignore entr

Page 588 - 8 – Index

3-31Virus ThrottlingConnection-Rate Log and Trap MessagesConnection-Rate Log and Trap MessagesThese messages appear in the switch’s Event Log identify

Page 589 - Index – 9

3-32Virus ThrottlingConnection-Rate Log and Trap Messages— This page is intentionally unused —

Page 590 - 10 – Index

4-14Web and MAC AuthenticationContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 591 - Index – 11

4-2Web and MAC AuthenticationOverviewOverviewWeb and MAC Authentication are designed for employment on the “edge” of a network to provide port-based s

Page 592 - 12 – Index

4-3Web and MAC AuthenticationOverviewpassword, and grants or denies network access in the same way that it does for clients capable of interactive log

Page 593 - Index – 13

4-4Web and MAC AuthenticationOverview On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a

Page 594 - 14 – Index

4-5Web and MAC AuthenticationHow Web and MAC Authentication OperateHow Web and MAC Authentication OperateAuthenticator OperationBefore gaining access

Page 595

4-6Web and MAC AuthenticationHow Web and MAC Authentication OperateFigure 4-2. Progress Message During AuthenticationIf the client is authenticated an

Page 596 - 5991-3828

4-7Web and MAC AuthenticationHow Web and MAC Authentication Operatemoves have not been enabled (client-moves) on the ports, the session ends and the c
