HP 445946-001 Secure access to the switch

Accessing the switch

The following example shows how to configure a SNMPv3 user v3trap with authentication only:

/c/sys/ssnmp/snmpv3/usm 11	(Configure user named “v3trap”)
name "v3trap"
auth md5
authpw v3trap
/c/sys/ssnmp/snmpv3/access 11	(Define access group to view SNMPv3 traps)
name "v3trap"
level authNoPriv
nview "iso"
/c/sys/ssnmp/snmpv3/group 11	(Assign user to the access group)

uname v3trap gname v3trap

/c/sys/ssnmp/snmpv3/notify 11 (Assign user to the notify table)

name v3trap
tag v3trap
/c/sys/ssnmp/snmpv3/taddr 11	(Define an IP address to send traps)
name v3trap
addr 47.81.25.66
taglist v3trap
pname v3param
/c/sys/ssnmp/snmpv3/tparam 11	(Specify SNMPv3 traps to send)
name v3param
uname v3trap
level authNoPriv	(Set the authentication level)

For more information on using SNMP, see the HP 10Gb Ethernet BL-c Switch Command Reference Guide.

See the HP 10Gb Ethernet BL-c Switch User Guide for a complete list of supported MIBs.

Secure access to the switch

Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:

•Limiting management users to a specific IP address range. See the “Setting allowable source IP address ranges” section in this chapter.

•Authentication and authorization of remote administrators. See the “RADIUS authentication and authorization” section or the “TACACS+ authentication” section, both later in this chapter.

•Encryption of management information exchanged between the remote administrator and the switch. See the “Secure Shell and Secure Copy” section later in this chapter.

Setting allowable source IP address ranges

To limit access to the switch without having to configure filters for each switch port, you can set a source IP address (or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the switch browser-based interface (BBI).

When an IP packet reaches the application switch, the source IP address is checked against the range of addresses defined by the management network and management mask. If the source IP address of the host or hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a switch IP interface with a source IP address outside this range is discarded.

20

Contents

HP 10Gb Ethernet BL-cSwitch Page Contents Ports and trunking Configuring LACP Port-basedNetwork Access and traffic control VLANs Viewing VLANs Bridge priority Port priority Port path cost Adding a VLAN to a Spanning Tree Group Creating a VLAN Basic IP routing Routing Information Protocol IGMP Snooping Configuring IGMP Snooping (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Configuring IGMP Filtering (BBI example) Types of OSPF areas High availability Spanning Tree Protocol with UFD Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Accessing the switch Additional references http://www.hp.com/go/bladesystem/documentation •HP 10Gb Ethernet BL-cSwitch User Guide •HP 10Gb Ethernet BL-cSwitch Command Reference Guide •HP 10Gb Ethernet BL-cSwitch ISCLI Reference Guide ○Untagged ○Port VLAN ID (PVID): VLAN Interface •Gateway 254—Thisgateway is the default gateway for the management interface Using the command line interfaces Using the Browser-basedInterface Using Simple Network Management Protocol /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha To configure a user with name rview wview nview CLI user equivalent CLI oper equivalent SNMPv1 trap host 3.Configure an entry in the notify table c/sys/ssnmp/snmpv3/tparam <x>/uname 5.Use the community table to define the community string used in the traps snmpv2 snmpv1 /c/sys/ssnmp/snmpv3/access <x>/level /c/sys/ssnmp/snmpv3/tparam <x Secure access to the switch Configuring an IP address range for the management network How RADIUS authentication works Configuring RADIUS on the switch (CLI example) Configuring RADIUS on the switch (BBI example) RADIUS authentication features User accounts for RADIUS users RADIUS attributes for user privileges NOTE: User access level TACACS+ level Quit 2.Configure the TACACS+ secret and second secret 5.Configure custom privilege-levelmapping (optional) 6.Apply and save the configuration Tacacs+ Submit Secure Shell and Secure Copy Configuring SSH and SCP features (CLI example) Enabling or disabling SSH Enabling or disabling SCP apply and save Configuring the SCP administrator password Using SSH and SCP client commands Logging in to the switch Downloading configuration from the switch using SCP Uploading configuration to the switch using SCP Applying and saving configuration SSH and SCP encryption of management messages Generating RSA host and server keys for SSH access SSH/SCP integration with RADIUS and TACACS+ authentication Page Ports and trunking Port trunk groups Before you configure trunks Trunk group configuration rules Port trunking example Figure 1.On Switch 1, configure trunk groups 5 and 3: 2.On Switch 2, configure trunk groups 4 and 2: 3.Examine the trunking information on each switch, using the following command: Trunk Groups Add e. Click Submit Dashboard Page Configurable Trunk Hash algorithm Link Aggregation Control Protocol Actor Switch Partner Switch Page 1.Set the LACP mode on port 3. Set the LACP mode on port 4. Define the admin key on port 5.Apply and verify the configuration 6.Save your new configuration changes Port-basedNetwork Access and traffic control Page Page Table 9 EAP support for RADIUS attributes Attribute Attribute Value A-R A-A Port-basedtraffic control To configure a port for traffic control, perform the following steps: 1.Configure the traffic-controlthreshold and enable traffic control 2.To disable a traffic-controlthreshold, use the following command: 3.Apply and save the configuration VLANs Viewing VLANs Port information Port configuration VLAN tagging Page Page Figure 7 802.1Q tagging (after 802.1Q tag assignment) VLANs and IP interfaces VLAN topologies and design considerations /cfg/l2/stp /cfg/l2/mrst Page Multiple VLANS with tagging Figure 8 Multiple VLANs with VLAN tagging The features of this VLAN are described in the following table: Table 10 Multiple VLANs with tagging Component Configuring ports and VLANs on Switch 1 (CLI example) Page Configuring ports and VLANs on Switch 2 (CLI example) Configuring ports and VLANs on Switch 1 (BBI example) e.Click Submit Add VLAN c.Click Submit FDB static entries Page Spanning Tree Protocol Bridge priority Port priority Port path cost Page Switch element Belongs to Multiple Spanning Trees Page Configuring Switch 1 (CLI example) Configuring Switch 2 (CLI example) Configuring Switch 1 (BBI example) Submit Port Fast Forwarding Fast Uplink Convergence RSTP and MSTP Edge port Link type Configuring Rapid Spanning Tree (CLI example) Configuring Rapid Spanning Tree Protocol (BBI example) Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Protocol (CLI example) Configuring Multiple Spanning Tree Protocol (BBI example) CIST-Bridge CIST-Ports d. Click Submit Quality of Service Using ACL filters Number Protocol Name TCP/UDP Application Flag Precedence Group ACLs Precedence Level Using ACL Groups ACL Metering and Re-marking Viewing ACL statistics ACL configuration examples 1.Configure Access Control Lists (ACLs) b.Open the Access Control Lists folder, and select Add ACL Deny IPv4 Page Page Using DSCP values to provide QoS Drop Precedence Class Table 18 Class selector priority classes Priority Using 802.1p priorities to provide QoS Page 1.Configure a port’s default 802.1 priority 1.Configure a port’s default 802.1p priority Page Page Priority - CoS CoS - Weight Queuing and scheduling Basic IP routing Page Page Example of subnet routing Subnet Devices IP Addresses Interface IP Interface Switch Port VLAN # 4.The VLANs shown in the table above are configured as follows: 5.Each time you add a port to a VLAN, you may get the following prompt: 6.Enter y to set the default Port VLAN ID (PVID) for the port 7.Add each IP interface to the appropriate VLAN 9.Apply and verify the configuration Dynamic Host Configuration Protocol Page Routing Information Protocol RIPv1 RIPv2 RIPv2 in RIPv1 compatibility mode RIP Features Page RIP configuration example 1. Add VLANs for routing interfaces 2. Add IP interfaces to VLANs (/cfg/l3/frwd/on) before you turn RIP on /maint/route/dump IGMP Snooping Page Configuring the range Configuring the action Configuring IGMP Snooping (CLI example) Configuring IGMP Filtering (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Page Configuring IGMP Filtering (BBI example) a. Select Layer 3 > IGMP > IGMP Filters > Add Filter Layer 3 > IGMP > IGMP Filters > Switch Ports Page Configuring a Static Multicast Router (BBI example) Page OSPF Page dead OSPF implementation in HP 10GbE switch software Assigning the area index Using the area ID to assign the OSPF area number Attaching an area to a network Default routes Page Page Page OSPF configuration examples Example 1: Simple OSPF domain (BBI example) Add IP Interface Page Add OSPF Area d.Select Add OSPF Area f.Click Submit Add OSPF Interface d.Select Add OSPF Interface f. Click Submit Configuring OSPF for a virtual link on Switch A 8.Attach the network interface to the backbone 9.Attach the network interface to the transit area Configure the virtual link Switch B in step Apply and save the configuration changes Other Virtual Link Options Figure 23 Summarizing routes hide Configure IP interfaces for each network which will be attached to OSPF areas 2.Enable OSPF 3.Define the backbone Use the following commands to verify the OSPF configuration on your switch: •/info/l3/ospf/general •/info/l3/ospf/nbr •/info/l3/ospf/dbase/dbsum •/info/l3/ospf/routes Remote monitoring Configuring RMON Statistics (CLI example) Configuring RMON Statistics (BBI example) Page 4.Click Submit History MIB objects Configure RMON History (CLI example) Configure RMON History (BBI example) Alarm MIB objects Configure RMON Alarms (CLI example 1) Configure RMON Alarms (CLI example 2) Configure RMON Alarms (BBI example 1) 2.Click Submit Configure RMON Alarms (BBI example 2) Configuring RMON Events (CLI example) Configuring RMON Events (BBI example) High availability Page Page Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Add Virtual router Virtual router MAC address Owners and renters Master and backup virtual router Virtual Interface Router Failover methods Figure 26 Active-Activeredundancy HP 10GbE switch extensions to VRRP Parameter Virtual router deployment considerations Task 1: Configure Switch A 2.Configure client and server interfaces 4.Turn on VRRP and configure two Virtual Interface Routers 6.Turn off Spanning Tree Protocol globally Task 2: Configure Switch B Task 1: Configure Switch A (BBI example) Page Page Add Default Gateway Page Add Virtual Router g.Select Add Virtual Router i.Click Submit Add Spanning Tree Group Page off Troubleshooting tools To configure Port Mirroring for the example shown in the preceding figure: 1.Specify the monitoring port 2.Select the ports that you want to mirror 3.Enable Port Mirroring 4. Apply and save the configuration Port-Based Port Mirroring d.Click Add Mirrored Port Other network troubleshooting techniques Other network troubleshooting techniques include the following /info/sys/log -mgt –data Page Index