Enforcing Switch Security

Network Access Security

Access Control Types

6200yl 5400zl 3500yl

5300xl

3400cl

2800

4100gl

 

 

4200vl

6400cl

2600

 

 

 

 

 

2600-pwr

 

client-based access control

X

X*

--

--

--

(up to 32 authenticated clients per port)

 

 

 

 

 

 

 

 

 

 

 

port-based access control

X

X

X

X

X

(one authenticated client opens the port)

 

 

 

 

 

 

 

 

 

 

 

switch operation as a supplicant

X

X

X

X

X

 

 

 

 

 

 

* On the 5300xl switches, this feature is available with software release E.09.02 and greater.

Refer to the chapter titled “Configuring Port-Based and Client-Based Access Control” in the Access Security Guide for your switch model.

Port Security, MAC Lockdown, MAC Lockout, and IP Lockdown

These features provide device-based access security in the following ways:

port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

MAC lockdown: This “static addressing” feature is used as an alternative to port security for to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.

MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

IP lockdown: Available on Series 2600 and 2800 switches only, this feature enables restric- tion of incoming traffic on a port to a specific IP address/subnet, and denies all other traffic on that port.

Refer to the chapter titled “Configuring and Monitoring Port Security” in the Access Security Guide for your switch model.

Key Management System (KMS)

KMS is available in several ProCurve switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual

18

Page 28
Image 28
HP 3400CL-24G manual Port Security, MAC Lockdown, MAC Lockout, and IP Lockdown, Key Management System KMS