HP 2910AL 132

IPv6 Management Security Features

Authorized IP Managers for IPv6

■You configure each authorized manager address with Manager or Opera tor-level privilege to access the switch in a Telnet, SNMPv1, or SNMPv2c session. (Access privilege for SSH, SNMPv3, and web browser sessions are configured through the access application, not through the Authorized IP Managers feature.)

•Manager privilege allows full access to all web browser and console interface screens for viewing, configuration, and all other operations available in these interfaces.

•Operator privilege allows read-only access from the web browser and console interfaces.

■When you configure station access to the switch using the Authorized IP Managers feature, the settings take precedence over the access config ured with local passwords, TACACS+ servers, RADIUS-assigned settings, port-based (802.1X) authentication, and port security settings.

As a result, the IPv6 address of a networked management device must be configured with the Authorized IP Managers feature before the switch can authenticate the device using the configured settings from other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied. Therefore, with authorized IP man agers configured, logging in with the correct passwords is not sufficient to access a switch through the network unless the station requesting access is also authorized in the switch’s Authorized IP Managers config uration.

6-4

Contents

ProCurve Switches Page HP ProCurve 2910al Switch IPv6 Configuration Guide Page 1 Getting Started 2 Introduction to IPv6 3 IPv6 Addressing 4 IPv6 Addressing Configuration 5 IPv6 Management Features 6 IPv6 Management Security Features 7 Multicast Listener Discovery (MLD) Snooping 8 IPv6 Diagnostic and Troubleshooting A Terminology Index Product Documentation Printed Publications Electronic Publications Software Feature Index Intelligent Edge Software Manual Features Page Page Page Page Getting Started Configuration and Operation Examples Protocol Acronyms Command Syntax and Displayed Information copy tftp Command Prompts ProCurve hostname Screen Simulations Displayed Text Sources for More Information www.procurve.com Customer Care Manuals Page Getting Documentation From the Web Online Help Command Line Interface help Figure 1-3.Example of CLI Help Web Browser Interface Figure 1-4.Help for Web Browser Interface IP Addressing Physical Installation Introduction to IPv6 Page Migrating to IPv6 Figure 2-1. Dual-StackProCurve Switches Employed in an IPv4/IPv6 Network IPv6 Propagation Dual-StackOperation Connecting to Devices Supporting IPv6 Over IPv4 Tunneling Adding IPv6 Capability Supported IPv6 Operation in Release K.13.01 Management Features IPv6 Addressing DHCPv6 (Stateful) Address Configuration Static Address Configuration Default IPv6 Gateway Neighbor Discovery (ND) in IPv6 IPv6 Management Features SSHv2 on IPv6 IP Authorized Managers ICMP Rate-Limiting Ping6 Traceroute6 Domain Name System (DNS) Resolution IPv6 Neighbor Discovery (ND) Controls Event Log SNMP Loopback Address Debug/Syslog Enhancements Path MTU (PMTU) Discovery IPv6 Addressing Page IPv6 Address Structure and Format Address Format xxxx : xxxx : xxxx : xxxx : xxxx : xxxx : xxxx : Address Notation Network Prefix Interface (Device) Identifier IPv6 Address Sources General IPv6 Address Types Static Address Configuration Related Information Stateless Address Autoconfiguration (SLAAC) Stateful (DHCPv6) Address Configuration Static Address Configuration Address Types Address Scope Unicast Address Prefixes Multicast Prefix (ff) Autoconfiguring Link-LocalUnicast Addresses Extended Unique Identifier (EUI) Statically Configuring Link-LocalAddresses Stateless Autoconfiguration of a Global Unicast Address Static Configuration of a Global Unicast Address Prefixes in Routable IPv6 Addresses Unique Local Unicast IPv6 Address Anycast Addresses Overview of the Multicast Operation in IPv6 IPv6 Multicast Address Format multicast scope: Bit group identifier: Solicited-NodeMulticast Address Format www.iana.org Loopback Address Preferred and Valid Address Lifetimes N o t e s IPv6 Addressing Configuration Page Feature Default CLI show General Configuration Steps Configuring IPv6 Addressing Enabling IPv6 with an Automatically Configured Link-LocalAddress Default: Disabled show run Notes: Default: Disabled autoconfig Operating Notes Enabling DHCPv6 ipv6 enable [rapid-commit]: Default: Disabled Configuring a Static IPv6 Address on a VLAN Statically Configuring a Link-LocalUnicast Address Statically Configuring A Global Unicast Address Statically Configuring An Anycast Address anycast: Default: None Duplicate Address Detection (DAD) for Statically Configured Addresses Neighbor Discovery (ND) Duplicate Address Detection (DAD) DAD Operation Configuring DAD Page View the Current IPv6 Addressing Configuration IPv6 Routing: Disabled Default Gateway: ND DAD: Address Origin: Autoconfig: DHCP: Manual: IPv6 Address/Prefix Length: Figure 4-1.Example of Show IPv6 Command Output ipv6 nd dad- attempts Page Figure 4-2.Example of Show IPv6 VLAN < vid > Output Syntax: show run Page Router Advertisements Router Solicitations Default IPv6 Router Router Redirection Viewing Gateway and IPv6 Route Information Viewing IPv6 Router Information MTU: Hop Limit: Prefix Advertised: Valid Lifetime: Preferred Lifetime: Preferred Lifetime Valid Lifetime Sources of IPv6 Address Lifetimes Table 4-1.IPv6 Unicast Addresses Lifetimes Address Source Lifetime Criteria Page IPv6 Management Features Viewing and Clearing the IPv6 Neighbors Cache Anycast Addresses Viewing the Neighbor Cache Figure 5-1.Example of Neighbor Cache Without Specifying a VLAN Figure 5-2.Example of Neighbor Cache Content for a Specific VLAN Clearing the Neighbor Cache Outbound Telnet6 to Another Device Viewing the Current Telnet Activity on a Switch Enabling or Disabling Inbound Telnet6 Access Viewing the Current Inbound Telnet6 Configuration Configuring (Enabling or Disabling) the SNTP Mode Configuring an IPv6 Address for an SNTP Server Syntax:. show sntp timep SNTP Mode: SNTP Server Address: Protocol Version: Configuring (Enabling or Disabling) the Timep Mode timep dhcp: Note Timep Mode: Server Address: Poll Interval (min) [720]: show timep ip timep manual TFTP File Transfers over IPv6 Enabling TFTP for IPv6 tftp6 U s a g e N o t e s Using TFTP to Copy Files over IPv6 target autorun-cert-file autorun-key-file command-file pub-key-file startup-config crash-log slot-id master >: Using Auto-TFTPfor IPv6 boot system flash primary reload SNMP Features Supported SNMP Configuration Commands Supported snmp-server Figure 5-8.“show snmp-server”Command Output with IPv6 Address show snmpv3 targetaddress Figure 5-9.“show snmpv3 targetaddress” Command Output with IPv6 Address IP Preserve for IPv6 ip preserve Figure 5-10.Example of How to Enter IP Preserve in a Configuration File dhcp-bootp Page IPv6 Management Security Features IPv6 Management Security Usage Notes Page Configuring Authorized IP Managers for Switch Access Using a Mask to Configure Authorized Management Stations authorized-managers command Figure 6-1.Mask for Configuring a Single Authorized IPv6 Manager Station Configuring Multiple Station Access Figure 6-2.Hexadecimal Mask Values and Binary Equivalents Example 2001:DB8:0000:0000:244:17FF:FEB6:D37D FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC 2001:DB8:0000:0000:244:17FF:FEB6:D37D/64 FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFF FFF8 FFFF:FFFF:FFFF:FFF8 244:17FF:FEB6:D37D Figure 6-8.Binary Equivalents of Authorized Subnet IDs (in Hexadecimal) Displaying an Authorized IP Managers Configuration Figure 6-9.Example of “show ipv6 authorized-managers”Output Figure 6-10.How Masks Determine Authorized IPv6 Manager Addresses Additional Examples of Authorized IPv6 Managers Configuration FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00 operator manager Configuring SSH for IPv6 no ip ssh 4or6 Displaying an SSH Configuration Secure Copy and Secure FTP for IPv6 ip-version ip ssh filetransfer no ip ssh filetransfer Multicast Listener Discovery (MLD) Snooping Overview Introduction to MLD Snooping MLD host multicast router Figure 7-1.Without MLD, multicast traffic is flooded to all ports Figure 7-2.With MLD snooping, traffic is sent to MLD hosts Forwarding in MLD snooping Listeners and joins Queries Leaves Page Enabling or Disabling MLD Snooping on a VLAN Configuring Per-PortMLD Traffic Filters Configuring the Querier Configuring Fast Leave Configuring Forced Fast Leave Current MLD Status Figure 7-5.Continuation of Figure Page Current MLD Configuration Figure 7-7.Example of an MLD Configuration for a Specific VLAN Ports Currently Joined Statistics Figure 7-9.Example of MLD Statistics for All VLANs Configured Figure 7-10.Example of MLD Statistics for a Single VLAN Counters Page Page IPv6 Diagnostic and Troubleshooting ICMP Rate-Limiting error-interval: Range: Default: 10; Range: 1 no ipv6 icmp error-interval Ping for IPv6 (Ping6) link-local-address hostname switch-number [repetitions] [timeout] [data-size] [data-fill] Figure 8-1.Examples of IPv6 Ping Tests Traceroute for IPv6 traceroute ipv6-address minttl: minttl maxttl timeout Figure 8-2.Examples of IPv6 Traceroute Probes DNS Configuration ip-addr 2001:db8::127:10 ■the domain suffix mygroup.procurve.net Viewing the Current Configuration Operating Notes Configuring Debug and Event Log Messaging Debug Command Configuring Debug Destinations Logging Command Page Terminology Page Index Symbols