ProCurve Switches
Page
HP ProCurve 2910al Switch
Page
Product Documentation
1 Security Overview
2 Configuring Username and Password Security
3 Web and MAC Authentication
4 TACACS+ Authentication
5 RADIUS Authentication and Accounting
Using SNMP To View and Configure
Local Authentication Process
Controlling Web Browser Interface Access
6Configuring RADIUS Server Support for Switch Services
7 Configuring Secure Shell (SSH)
8 Configuring Secure Socket Layer (SSL)
9 IPv4 Access Control Lists (ACLs)
Page
Deleting an ACL
10 Configuring Advanced Threat Protection
11 Traffic/Security Filters and Monitors
Page
13 Configuring and Monitoring Port Security
14 Using Authorized IP Managers
15 Key Management System
Index
Product Documentation
Software Feature Index
Page
Page
Page
Page
Security Overview
About This Guide
For More Information
Access Security Features
Table 1-1.Access Security and Switch Authentication Features
Page
Page
Page
Network Security Features
Table 1-2.Network Security—DefaultSettings and Security Guidelines
Page
Page
Getting Started with Access Security
Physical Security
Quick Start: Using the Management Interface Wizard
setup
mgmt-interfaces
Figure 1-1.Example of Management Interface Wizard Configuration
CTRL-C
[n]
CLI Wizard: Operating Notes and Restrictions
no password
Setup Wizard
Figure 1-2.Management Interface Wizard: Welcome Window
Continue
Exit
Back
Figure 1-3.Management Interface Wizard: Summary Setup
Apply
Web Wizard: Operating Notes and Restrictions
SNMP Security Guidelines
A c c e s s t o
M I B
If SNMP access to the hpSwitchAuth MIB is considered a security risk
in your network
snmp-servermib hpswitchauthmib excluded
Precedence of Security Options
Precedence of Port-BasedSecurity Options
Precedence of Client-BasedAuthentication:
Dynamic Configuration Arbiter
Page
www.procurve.com/solutions
Security Products
Page
ProCurve Identity-DrivenManager (IDM)
Configuring Username and Password Security
Page
N o t e s
Menu Interface:
CLI:
C a u t i o n
Configuring Local Password Security
Menu: Setting Passwords
3. Console Passwords
Figure 2-1.The Set Password Screen
Enter new password again
To Delete Password Protection (Including Recovery from a Lost
Password):
Set Passwords
Delete Password Protection
Continue Deletion of password protection? No
CLI: Setting Passwords and Usernames
Configuring Manager and Operator Passwords
Figure 2-2.Example of Configuring Manager and Operator Passwords
Figure 2-3.Removing a Password and Associated Username from the Switch
no password all
Web: Setting Passwords and Usernames
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface
SNMP: Setting Passwords and Usernames
Saving Security Credentials in a
Config File
include- credentials
Benefits of Saving Security Credentials
Enabling the Storage and Display of Security Credentials
running-config
write terminal
Security Settings that Can Be Saved
Local Manager and Operator Passwords
Password Command Options
manager:
operator:
port-access:
user-name
SNMP Security Credentials
auth
md5
sha
priv
802.1X Port-AccessCredentials
port-access)
password manager
password operator
TACACS+ Encryption Key Authentication
RADIUS Shared-SecretKey Authentication
SSH Client Public-KeyAuthentication
Page
Figure 2-5.Example of SSH Public Keys
include-credentials commands
copy config
config
copy config tftp
copy tftp config
copy config xmodem
Restrictions
snmpv3 user
Page
Front-PanelSecurity
When Security Is Important
Front-PanelButton Functions
Figure 2-6. Front-PanelReset and Clear Buttons
Figure 2-7.Press the Clear Button for One Second To Reset the Password(s)
Figure 2-8.Press and hold the Reset Button for One Second To Reboot the Switch
Configuring Front-PanelSecurity
front-panel-security
Clear Password:
Enabled
Disabled
Password Recovery:
CAUTION:
Figure 2-9.The Default Front-PanelSecurity Settings
Enabled
password-clear
Figure 2-11.Example of Re-Enablingthe Clear Button’s Default Operation
Default:
Notes:
Figure 2-12.Example of Disabling the Factory Reset Option
Password Recovery
Note: To disable password-recovery:
Steps for Disabling Password-Recovery
factory- reset
no front-panel-security password-recovery
CAUTION
Password Recovery Process
password
Page
Page
Web and MAC Authentication
Web Authentication
MAC Authentication
Concurrent Web and MAC Authentication
Authorized and Unauthorized Client VLANs
RADIUS-BasedAuthentication
Wireless Clients
How Web and MAC Authentication Operate
Web-basedAuthentication
Figure 3-1.Example of Default User Login Screen
Figure 3-2.Progress Message During Authentication
redirect-url
Figure 3-3.Authentication Completed
reauth-period
reauthenticate
logoff-period
MAC-basedAuthentication
addr-format
addr-limit
addr-moves
server-timeout
max- requests
quiet-period
Authorized-Client
Authentication Server:
Authenticator:
CHAP:
Client:
Operating Rules and Notes
Page
W e b / M A C
A u t h e n t i c a t i o n a n d L A C P
Setup Procedure for Web/MAC
Before You Configure Web/MAC Authentication
Figure 3-4.Example of show port-accessconfig Command Output
Configuring the RADIUS Server To Support MAC Authentication
aabbccddeeff
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
Configuring the Switch To Access a
RADIUS Server
Figure 3-5.Example of Configuring a Switch To Access a RADIUS Server
Configuring Web Authentication
ping
Configuration Commands for Web Authentication
both
spanning-tree
edge-port
Page
statis tics
Page
Page
Page
Show Commands for Web Authentication
MACbased
clients detailed
Figure 3-6.Example of show port-access web-basedCommand Output
n/a - IPv6
no info
Figure 3-7.Example of show port-access web-basedclients Command Output
Figure 3-8.Example of show port-access web-basedclients detailed Command Output
No)
Figure 3-9.Example of show port-access web-basedconfig Command Output
Figure 3-10.Example of show port-access web-basedconfig detail Command Output
Page
Configuring MAC Authentication on the
Switch
Configuration Commands for MAC Authentication
no-delimiter
single-dash
multi-dash
multi-colon
Page
Page
Show Commands for MAC-BasedAuthentication
Figure 3-12.Example of show port-access mac-basedCommand Output
Figure 3-13.Example of show port-access mac-basedclients Command Output
Figure 3-14.Example of show port-access mac-basedclients detail Command Output
Figure 3-15.Example of show port-access mac-basedconfig Command Output
Figure 3-16.Example of show port-access mac-basedconfig detail Command Output
Page
Client Status
show... clients’
TACACS+ Authentication
A3 or
A2 or
Figure 4-1.Example of TACACS+ Operation
Terminology Used in TACACS
Applications:
Page
Notes
General System Requirements
General Authentication Setup Procedure
Note on Privilege Levels
Caution
telnet login
telnet enable
Configuring TACACS+ on the Switch
Before You Begin
aaa authentication:
tacacs-server:
CLI Commands Described in this Section
Viewing the Switch’s Current Authentication
Viewing the Switch’s Current TACACS+
Server Contact Configuration
paris-1
show tacacs
Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing
Configuring the Switch’s Authentication Methods
aaa authentication
privilege-mode
tacacs
radius
Table 4-1.AAA Authentication Parameters Parameters
local
Configuring the TACACS+ Server for Single Login
Figure 4-4.Advanced TACACS+ Settings Section of the TACACS+ Server User Setup
Figure 4-5.The Shell Section of the TACACS+ Server User Setup
Table 4-2.Primary/Secondary Authentication Table
Console Login (Operator or Read-Only)Access: Primary using TACACS+ server
Secondary using Local
Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server
Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server
Configuring the Switch’s TACACS+ Server Access
The host IP address(es)
Page
Page
Adding, Removing, or Changing the Priority of a TACACS+ Server
Figure 4-6.Example of the Switch with Two TACACS+ Server Addresses Configured
Figure
Configuring an Encryption Key
Procurve(config)# tacacs-serverkey <keystring
show config running
write mem
How Authentication Operates
General Authentication Process Using a TACACS+
Local Authentication Process
Using the Encryption Key
Global key:
Server-Specific
key:
Controlling Web Browser Interface
Access When Using TACACS+
Messages Related to TACACS+
Operation
server
tacacs-server configuration
Page
Page
RADIUS Authentication and Accounting
Page
Authentication Services
Accounting Services
RADIUS-AdministeredCoS and Rate-Limiting
SNMP Access to the Switch’s Authentication
Configuration MIB
EXEC Session:
Host: See RADIUS Server
NAS (Network Access Server):
RADIUS Client:
RADIUS Host:
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Preparation:
Table 5-1.Preparation for Configuring RADIUS on the Switch
Figure 5-1.Example of Possible RADIUS Access Assignments
Configuring the Switch for RADIUS
Outline of the Steps for Configuring RADIUS
Authentication
Server Key:
Timeout Period:
Retransmit Attempts:
1.Configure Authentication for the Access Methods You Want RADIUS To Protect
Console:
Telnet:
Web:
peap-mschapv2
Default: chap-radius
Page
Figure 5-3.Example Configuration for RADIUS Authentication
2. Enable the (Optional) Access Privilege Option
Page
3. Configure the Switch To Access a RADIUS Server
auth-port
acct-port
Page
4. Configure the Switch’s Global RADIUS Parameters
Server timeout:
Server dead time:
Retransmit attempts:
Figure 5-6.Example of Global Configuration Exercise for RADIUS Authentication
Figure 5-7.Listings of Global RADIUS Parameters Configured In Figure
Using SNMP To View and Configure
Switch Authentication Features
S e c u r i t y N o t e s
snmp-server
mib hpswitchauthmib excluded
Changing and Viewing the SNMP Access Configuration
excluded:
included
Excluded MIBs
Page
Local Authentication Process
Controlling Web Browser Interface Access
CLI: no web-management
2.Switch Configuration
1. System Information
Web Agent Enabled: No
Commands Authorization
Enabling Authorization
radius:
Displaying Authorization Information
Figure 5-10.Example of Show Authorization Command
Configuring Commands Authorization on a RADIUS
Page
Page
Page
Page
Page
Additional RADIUS Attributes
Configuring RADIUS Accounting
Network accounting:
System accounting:
Commands accounting:
RADIUS accounting with IP attribute:
Operating Rules for RADIUS Accounting
show radius
Steps for Configuring RADIUS Accounting
radius-server
[key
key-string
Accounting types:
Trigger for sending accounting reports to a RADIUS server:
Updating:
Page
Exec:
exec
System:
system
system
stop-only
Figure 5-12.Example of Configuring Accounting Types
Updates:
Suppress:
Viewing RADIUS Statistics
General RADIUS Statistics
show radius
Figure 5-15.RADIUS Server Information From the Show Radius Host Command
RADIUS Authentication Statistics
Figure 5-16.Example of Login Attempt and Primary/Secondary Authentication
Information from the Show Authentication Command
Figure 5-17.Example of RADIUS Authentication Information from a Specific Server
RADIUS Accounting Statistics
Figure 5-18.Listing the Accounting Configuration in the Switch
Figure 5-19.Example of RADIUS Accounting Information for a Specific Server
Changing RADIUS-ServerAccess Order
Figure 5-21.Search Order for Accessing a RADIUS Server
Figure 5-22.Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Configuring RADIUS Server Support for Switch Services
Page
www.procurve.com
Network Management
Product manuals page
Technical Support
RADIUS Server Configuration for
Per-PortCoS (802.1p Priority) and Rate
Limiting
Applied Rates for RADIUS-AssignedRate Limits
Table 6-1. RADIUS-Assigned Rate-LimitIncrements
Table 6-2.Examples of Assigned and Applied Rate Limits
rate-limit
all
show qos
port-priority
Page
Configuring and Using RADIUS-AssignedAccess Control Lists
DA:
Deny:
Dynamic Port ACL:
Inbound Traffic:
Outbound Traffic:
Static Port ACL:
Wildcard:
ACL Mask
Overview of RADIUS-Assigned,Dynamic ACLs
Contrasting Dynamic (RADIUS-Assigned)and
Static ACLs
Table 6-3.Contrasting Dynamic (RADIUS-Assigned)and Static ACLs
RADIUS-assignedACLs
Static Port ACLs
How a RADIUS Server Applies a RADIUS-AssignedACL to a Switch Port
ip deny any any
General ACL Features, Planning, and Configuration
The Packet-filteringProcess
Operating Rules for RADIUS-AssignedACLs
Multiple Clients Using the Same Username/Password Pair: Multiple
Effect of RADIUS-assignedACLs on Inbound Traffic for Two Cli
Configuring an ACL in a RADIUS Server
Table 6-4. Nas-Filter-RuleAttribute Options
Configuring ACE Syntax in RADIUS Servers
permit | deny >:
in:
ip |
ip-protocol-value
any:
Nas-filter-Rule
ipv4-addr
mask
< mask
dictionary.rfc4849
clients.conf
Figure 6-3.Example of Switch Identity Information for a FreeRADIUS Application
Page
Page
Configuring the Switch To Support RADIUS-AssignedACLs
cnt
802.1X Option:
MAC Authentication Option:
Web Authentication Option:
Displaying the Current RADIUS-AssignedACL Activity on the Switch
Port:
Auth Clients:
Unauth Clients:
Untagged VLAN:
Tagged VLANs
ICMP Type Numbers and Keywords
icmp-type
Table 6-5.ICMP Type Numbers and Keywords
Event Log Messages
Causes of Client Deauthentication Immediately After Authenticating
Monitoring Shared Resources
Configuring Secure Shell (SSH)
Client Public Key Authentication (Login/Operator Level) with User
Figure 7-1.Client Public Key Authentication Model
www.openssh.com
Figure 7-2.Switch/User Authentication
SSH Server:
Key Pair:
PEM (Privacy Enhanced Mode):
Enable Level:
Prerequisite for Using SSH
Public Key Formats
Steps for Configuring and Using SSH for Switch and Client Authentication
login public- key
erase
startup-config
Configuring the Switch for SSH
1.Assigning a Local Login (Operator) and Enable (Manager) Password
To Configure Local Passwords
Syntax:
Figure 7-4.Example of Configuring Local Passwords
2. Generating the Switch’s Public and Private Key Pair
Page
Figure 7-5.Example of Generating a Public/Private Host Key Pair for the Switch
Table 7-2.RSA/DSA Values for Various ProCurve Switches
3. Providing the Switch’s Public Key to Clients
Figure 7-6.Example of a Public Key Generated by the Switch
ord Wrap
dit
Figure 7-7.Example of a Correctly Formatted Public Key
Page
4.Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior
To enable SSH on the switch
no ip ssh
Page
Important:
manager
operator
N o t e o n P o r t N u m b e r
ip ssh port
5. Configuring the Switch for SSH Authentication
Option A: Configuring SSH Access for Password-OnlySSH
Authentication
Option B: Configuring the Switch for Client Public-KeySSH
Page
Figure 7-12.SSH Configuration and Client-Public-KeyListing From Figure
6. Use an SSH Client To Access the Switch
copy tftp
aaa authentication ssh
Figure 7-13.Example of a Client Public Key
N o t e o n P u b l i c K e y s
smith@support.cairns.com
append
Page
Page
Messages Related to SSH Operation
tftp
After you execute the generate ssh [dsa | rsa]
Logging Messages
Note
Debug Logging
Configuring Secure Socket Layer (SSL)
Server Certificate authentication with User Password
Authentication
Switch/User Authentication
N o t e :
SSL Server:
Digital Certificate:
Self-Signed
Root Certificate:
Manager Level:
Operator Level:
SSL Enabled:
(web interface or CLI command: crypto key generate cert [key size]
Prerequisite for Using SSL
Steps for Configuring and Using SSL for Switch and Client Authentication
Page
Configuring the Switch for SSL
1.Assigning a Local Login (Operator) and Enabling (Manager) Password
Figure 8-2.Example of Configuring Local Passwords
2. Generating the Switch’s Server Host Certificate
Page
CLI commands used to generate a Server Host Certificate
crypto key generate cert
Table 8-1.CertificateField Descriptions
CLI Command to view host certificates
Syntax
show crypto host cert
Figure 8-4.Example of show crypto host-certcommand
Page
Page
Figure 8-6.Web browser Interface showing current SSL Host Certificate
ii.Select the Create Certificate/Certificate Request radio button
iii.Select Create CA Request from the Certificate Type drop-downlist
Current
RSA Key Size
Figure 8-7.Request for Verified Host Certificate Web Browser Interface Screen
3.Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior
Page
■Execute no web-managementssl
[Apply Changes]
tcp-port
Common Errors in SSL setup
Page
IPv4 Access Control Lists (ACLs)
Page
Page
Application Access Security:
Page
Overview of Options for Applying IPv4
ACLs on the Switch
Static ACLS
Dynamic Port ACLs
Table 9-1.Command Summary for Standard IPv4 ACLs
Page
Table 9-2.Command Summary for IPv4 Extended ACLs
Note:
Table 9-3.Command Summary for Enabling, Disabling, and Displaying ACLs
Page
ACL Mask:
CIDR:
NAME-STR
identifier
ACL-ID
Named ACL: An ACL created with the ip access-list< extended | standard
Named ACL:
seq-#
Standard ACL:
Types of IPv4 ACLs
Extended ACL:
ACL Applications
Effect of Dynamic Port ACLs When Multiple Clients Are Using the
Same Port
Figure 9-1.Example of Multiple Clients Authenticating Through a Single Port
Multiple ACLs on an Interface
Features Common to All ACL Applications
deny any
deny ip any any
General Steps for Planning and Configuring ACLs
Page
IPv4 Static ACL Operation
Example
Figure 9-2.Example of Sequential Comparison
Figure 9-3.The Packet-FilteringProcess in an ACL with N Entries (ACEs)
Figure 9-4.Example of How an ACL Filters Packets
Planning an ACL Application
IPv4 Traffic Management and Improved Network
Security
Guidelines for Planning the Structure of a Static ACL
IPv4 ACL Configuration and Operating Rules
Static Port ACLs:
Per Switch ACL Limits for All ACL Types
show < qos |
> resources
How an ACE Uses a Mask To Screen Packets for
Matches
Page
Any IPv4 address fits the matching criteria
A group of IPv4 addresses fits the matching criteria
Table 9-1.Example of How the Mask Defines a Match
Example of Allowing Only One IPv4 Address (“Host” Option). Sup
Inbound Packet “A” On VLAN
Inbound Packet “B” On VLAN
Examples Allowing Multiple IPv4 Addresses. Table 9-2 provides exam
Table 9-2.Example of Using an IPv4 Address and Mask in an Access Control Entry
Table
CIDR Notation
Regarding the
Use of IPv4
Source Routing
Configuring and Assigning an IPv4 ACL
Options for Permit/Deny Policies
ACL Configuration Structure
standard
extended
Figure 9-6.Example of the General Structure for a Standard ACL
Figure 9-7.Example of a Displayed Standard ACL Configuration with Two ACEs
Figure 9-8.Example of General Structure Options for an Extended ACL
Figure 9-9.Example of a Displayed Extended ACL Configuration
ACL Configuration Factors
Table 9-4.Effect of the Above ACL on Inbound IPv4 Traffic in the Assigned VLAN
Page
Using the CLI To Create an ACL
Named IPv4 ACLs:
acl-name-str
Table 9-5.Examples of CIDR Notation for Masks
Configuring Standard ACLs
Table 9-6.Command Summary for Standard ACLs
Page
Page
resequence
Mask Application:
10.10.10.1/24
logging
Figure 9-11.Example of Commands Used To Create an Standard, Named ACL
Figure 9-12.Screen Output Listing the “Sample-List”ACL Content
Page
Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define
Example of Creating and Viewing a Standard ACL. This example cre
Configuring Extended ACLs
Table 9-7.Command Summary for Extended ACLs
Page
Page
Page
ip access- list standard
(nacl
context)
ip-in-ip
ipv6-in-ipgre
esp
ospf
pim
DA Mask Application:
Page
tcp
udp
Comparison Operators:
tcp/udp-port-nbr
< end-port-nbr
Port Number or Well-KnownPort Name:
Comparison Operators and Well-KnownPort Names —
[established]
established
icmp
www.iana.com
[icmp-type
icmp-code]
igmp
extended
a.Use ip access list extended < 100 - 199 > to open the ACL as a named ACL
Page
Page
Page
Page
Page
Adding or Removing an ACL Assignment On an Interface
Filtering Inbound IPv4 Traffic Per Port
Figure 9-15.Methods for Enabling and Disabling ACLs
Deleting an ACL
Editing an Existing ACL
Using the CLI To Edit ACLs
■Named ACLs:
no
Sequence Numbering in ACLs
Figure 9-16.Example of the Default Sequential Numbering for ACEs
Figure 9-17.Examples of Adding an ACE to the end of Numbered or Named ACLs
Figure 9-18.Example of Appending an ACE to an Existing List
Figure 9-19.Example of Inserting an ACE in an Existing ACL
Figure 9-20.Example of Inserting an ACE into an Existing Sequence
Figure 9-21.Example of Deleting an ACE from Any ACL
starting-seq-#
interval
| 1 - 99 |
Figure 9-22.Example of Viewing and Resequencing an ACL
Page
< 1 - 99 | 100 - 199
Figure 9-24.Example of Inserting a Remark
Inserting a Remark for an ACE that Already Exists in an ACL. If a
list-name
Figure 9-25.Example of Overwriting One Remark with Another
Displaying ACL Configuration Data
Display an ACL Summary
Figure 9-26.Example of show access-listCommand
Figure 9-27.Example of a Summary Table of Access lists
std
ext
Display the Content of All ACLs on the Switch
memory
Figure 9-28.Example of an ACL Configured Syntax Listing
Display Static Port ACL Assignments
Figure 9-29.Example of Listing the ACL Assignments for Ports and Trunks
Displaying the Content of a Specific ACL
Figure 9-30.Example of a Listing a Standard ACL
acl-id
Page
Monitoring Static ACL Performance
Total:
Resetting ACE Hit Counters to Zero:
Creating or Editing ACLs Offline
Copy
xmodem
usb
Creating or Editing an ACL Offline
no ip access- list
Figure 9-32.Example of an Offline ACL File Designed To Replace An Existing ACL
command-file
Enable ACL “Deny” Logging
logging
Requirements for Using ACL Logging
ACL Logging Operation
Figure 9-33.Content of a Message Generated by an ACL-DenyAction
Enabling ACL Logging on the Switch
logging facility syslog
debug destination
logging
session
General ACL Operating Notes
ACLs Do Not Affect Serial Port Access. ACLs do not apply to the
ACL Logging
Protocol Support
Configuring Advanced Threat Protection
Page
DHCP Snooping
Enabling DHCP Snooping
authorized server:
database:
tftp://ip-addr/ascii-string
option
trust
untrusted
verify
vlan
Enabling DHCP Snooping on VLANS
Figure 10-3.Example of DCHP Snooping on a VLAN
Configuring DHCP Snooping Trusted Ports
Figure 10-4.Example of Setting Trusted Ports
Configuring Authorized Server Addresses
Figure 10-5.Example of Authorized Servers for DHCP Snooping
Using DHCP Snooping with Option
mac:
subnet-ip:
subnet-ip
untrusted
drop:
Figure 10-6.Example of DHCP Snooping Option 82 using the VLAN IP Address
Figure 10-7.Example Showing the DHCP Snooping Verify MAC Setting
The DHCP Binding Database
file
delay
timeout
Figure 10-8.Example Showing DHCP Snooping Binding Database Contents
Enabling Debug Logging
agent
event
packet
Operational Notes
Log Messages
Server <ip-address>packet received on untrusted port <port-number
dropped
Client packet destined to untrusted port <port-number
Unauthorized server <ip-address>detected on port
Client address <mac-address>not equal to source MAC <mac-address
detected on port
Attempt to release address <ip-address>leased to port <port-number
Lease table is full, DHCP lease was not added. The lease table is full
Snooping table is full
Dynamic ARP Protection
Page
Enabling Dynamic ARP Protection
arp protect vlan
vlan-range
Configuring Trusted Ports
Figure 10-9.Configuring Trusted Ports for Dynamic ARP Protection
arp protect trust
port-list
c1-c3
Adding an IP-to-MACBinding to the DHCP Database
ip source binding
interface
Configuring Additional Validation Checks on ARP
Packets
arp protect validate
src-mac
dst-mac
Displaying ARP Packet Statistics
show arp protect statistics
Figure 10-11.Showarp protect statistics Command
Monitoring Dynamic ARP Protection
Figure 10-12.Exampleof debug arp protect Command
Using the Instrumentation Monitor
Figure 10-13.Exampleof Event Log Message generated by Instrumentation Monitor
Figure 10-14.Exampleof rate limiting when multiple messages are generated
Known Limitations:
Configuring Instrumentation Monitor
enabled
[all]
see parameter listings below
[arp-requests]
instrumentation monitor
Viewing the Current Instrumentation Monitor
Page
Traffic/Security Filters and Monitors
Applicable Switch Models
Filter Limits
Using Port Trunks with Filters
Filter Types and Operation
Table 11-1.Filter Types and Criteria
Source-PortFilters
Figure 11-1.Example of a Source-PortFilter Application
trk1
trk2
trk
Figure 11-2.Example of a Filter Blocking Traffic only from Port 5 to Server "A
Figure 11-3.The Filter for the Actions Shown in Figure
Named Source-PortFilters
no filter
named-filter
<filter-name
show filter
web-only
accounting
Filter Name
Port List
NOT USED
Action
Figure 11-4.Network Configuration for Named Source-PortFilters Example
Figure 11-6.Source Port Filters Applied to Switch Ports
Figure 11-7.Example of the show filter Command
IDX
Value
Figure 11-8.Example Showing Traffic Filtered on Specific Ports
Figure 11-9.Example of Source Port Filtering with Internet Traffic
Action
Figure 11-12.Example of Removing a Source Port Filter
Figure 11-13.Named Source-PortFilters Managing Traffic
Static Multicast Filters
max-vlans
Table 11-2.Multicast Filter Limits
Protocol Filters
Configuring Traffic/Security Filters
Configuring a Source-PortTraffic Filter
Forward
Trk1
trk6
Figure 11-14.Example of Switch Response to Adding a Filtered Source Port to a
Trunk
Editing a Source-PortFilter
Figure 11-15.Assigning Additional Destination Ports to an Existing Filter
Configuring a Multicast or Protocol Traffic Filter
Table 11-3.Filter Example
Figure 11-16.Configuring Various Traffic/Security Filters
Filter Indexing
show filter
index
Displaying Traffic/Security Filters
Figure 11-17.Example of Displaying Filter Data
Configuring Port-Basedand
User-BasedAccess Control (802.1X)
Page
Why Use Port-Basedor User-BasedAccess Control
General Features
User Authentication Methods
Page
Page
CHAP (MD5):
User-Based
Authentication:
Guest VLAN:
EAP
Supplicant:
General 802.1X Authenticator Operation
Example of the Authentication Process
VLAN Membership Priority
Figure 12-1.Priority of VLAN Assignment for an Authenticated Client
Page
Error configuring port X: LACP and 802.1X cannot be run together
Applying Web Authentication or MAC Authentication Concurrently
Page
General Setup Procedure for 802.1X Access Control
Do These Steps Before You Configure 802.1X Operation
Figure 12-2.Example of the Password Port-AccessCommand
Figure 12-3.Example of show port-accessconfig Command Output
Page
Overview: Configuring 802.1X Authentication on the
Switch
auto
eap-radius
chap-radius
Configuring Switch Ports as 802.1X Authenticators
Page
User-Based802.1X Authentication
Port-Based802.1X Authentication
authenticator
Figure 12-4.Example of Configuring User-Based802.1X Authentication
Figure 12-5.Example of Configuring Port-Based802.1X Authentication
2. Reconfigure Settings for Port-Access
unauthorized:
quiet- period
Page
Page
3. Configure the 802.1X Authentication Method
none or authorized
Figure 12-6.Example of 802.1X (Port-Access)Authentication
4. Enter the RADIUS Host IP Address(es)
5. Enable 802.1X Authentication on the Switch
6. Optional: Reset Authenticator Operation
aaa port- access authenticator
control auto
7. Optional: Configure 802.1X Controlled Directions
Prerequisite
Page
authenticator config
Figure 12-7.Example of Configuring 802.1X Controlled Directions
802.1X Open VLAN Mode
VLAN Membership Priorities
1st Priority:
2nd Priority:
3rd Priority:
Use Models for 802.1X Open VLAN Modes
Table 12-1.802.1X Open VLAN Mode Options
802.1X Per-PortConfiguration
Port Response
Note for a Port Configured To Allow Multiple Client Sessions: If any
Page
Only
Unauthorized-Client
Authorized-Client
Operating Rules for Authorized-Clientand
Unauthorized-ClientVLANs
Table 12-2.Operating Rules for Client VLANs
Condition
Rule
Page
Page
Page
Setting Up and Configuring 802.1X Open VLAN Mode
Page
radius host
rad4all
802.1X Open VLAN Operating Notes
Option For Authenticator Ports:
Configure Port-Security
Devices
Figure 12-8. Port-AccessSupport for Port-SecurityOperation
Port-Security
Configure the port access type
Configuring Switch Ports To Operate As
Supplicants for 802.1X Connections to
Other Switches
Example
Figure 12-9.Example of Supplicant Operation
Page
Supplicant Port Configuration
(Syntax Continued)
Enter secret: < password
Repeat secret: < password
Displaying 802.1X Configuration, Statistics, and Counters
—Continued—
Yes or No
•Port COS:
cos-value
Figure 12-10.Example of show port-accessauthenticator Command
authenticator
Figure 12-11.Example of show port-accessauthenticator config Command
Page
Figure 12-12.Example of show port-accessauthenticator statistics Command
in-progress
terminated
Figure 12-13.Example of show port-accessauthenticator session-countersCommand
authenticator control
Figure 12-14.Exampleof show port-accessauthenticator vlan Command
n/a - no info
Figure 12-15.Example of show port-accessauthenticator clients Command Output
Page
Viewing 802.1X Open VLAN Mode Status
show port- access authenticator vlan
Figure 12-17.Example Showing Ports Configured for Open VLAN Mode
Auth VLAN ID
Current VLAN ID
Unauth VLAN ID
Table 12-4.Rules of Access Control
Table 12-5.Output for Determining Open VLAN Mode Status (Figure 12-18, Lower)
%Curr. Rate Limit Inbound
Figure 12-18.Example of Showing a VLAN with Ports Configured for Open VLAN Mode
Show Commands for Port-AccessSupplicant
secret
Connecting
Authenticated
Acquired
How RADIUS/802.1X Authentication Affects VLAN Operation
VLAN Assignment on a Port
Page
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session
Figure 12-19.Example of an Active VLAN Configuration
show vlan
Page
Enabling the Use of GVRP-LearnedDynamic VLANs in Authentication Sessions
unknown-vlans
Messages Related to 802.1X Operation
Table 12-6.802.1X Operating Messages
Page
Configuring and Monitoring Port Security
Page
Port Security (Page
4)
MAC Lockdown (Page
13-22)
MAC Lockout (Page
Port Security
Basic Operation
Default Port Security Operation
Intruder Protection
Eavesdrop Protection
Eavesdrop Protection
Blocking Unauthorized Traffic
Figure 13-1.Example of How Port Security Controls Access
Trunk Group Exclusion
Planning Port Security
show log
Port Security Command Options and Operation
Port Security Commands Used in This Section
Displaying Port Security Settings
Listing Authorized and Detected MAC Addresses
mac-address:
port list:
vlan < vid >:
Figure 13-4.Examples of Show Mac-AddressOutputs
Configuring Port Security
continuous
port-security
MAC Age Interval
show system information
static:
limited-continuous
Page
none:
Retention of Static Addresses
Learned Addresses
mac-addr
address-list
■Delete it by using no port-security< port-number > mac-address< mac-addr
Figure 13-5.Example of Adding an Authorized Device to a Port
Figure 13-6.Example of Adding a Second Authorized Device to a Port
Figure 13-7.Example of Port Security on Port A1 with an Address Limit of “1”
Figure 13-8.Example of Two Authorized Addresses on Port A1
Figure 13-9.Example of Port A1 After Removing One MAC Address
MAC Lockdown
How It Works
Other Useful Information
Differences Between MAC Lockdown and Port Security
Page
Deploying MAC Lockdown
Figure 13-10.MAC Lockdown Deployed At the Network Edge Provides Security
Page
Figure 13-11.Connectivity Problems Using MAC Lockdown with Multiple Paths
MAC Lockout
Table 13-1.Limits on Lockout MACs
Port Security and MAC Lockout
Web: Displaying and Configuring Port Security Features
Reading Intrusion Alerts and Resetting Alert Flags
Notice of Security Violations
–The show port-security intrusion-log command displays the Intrusion Log
How the Intrusion Log Operates
Figure 13-12.Example of Multiple Intrusion Log Entries for the Same Port
Note on
Send-Disable
Operation
1.Status and Counters
4.Port Status
Figure 13-13.Example of Port Status Screen with Intrusion Alert on Port A3
Figure 13-14.Example of the Intrusion Log Display
prior to
show interfaces brief
intrusion-log
Figure 13-17.Exampleof Port Status Screen After Alert Flags Reset
Using the Event Log To Find Intrusion Alerts
From the CLI
search-text
ffi
security
Web: Checking for Intrusions, Listing Intrusion
Alerts, and Resetting Alert Flags
Operating Notes for Port Security
Page
Using Authorized IP Managers
Authorized IP Manager Features
Options
Access Levels
Manager:
Operator:
Defining Authorized Management Stations
Overview of IP Mask Operation
Menu: Viewing and Configuring IP Authorized
Managers
2.Switch Configuration …
6.IP Authorized Managers
Figure 14-2.Example of Edit Menu for Authorized IP Managers
CLI: Viewing and Configuring Authorized IP Managers
show ip
authorized-managers
Figure 14-3.Example of show authorized-managersCommand
Figure 14-4.Example of Configuring IP Authorized Manager
To Delete an Authorized Manager Entry. This command uses the IP
Web: Configuring IP Authorized
Managers
2.Click on the Authorized Addresses button
[Add]
[Replace]
Web-BasedHelp
Building IP Masks
Configuring One Station Per Authorized Manager IP
Entry
Table 14-1.Analysis of IP Mask for Single-StationEntries
Configuring Multiple Stations Per Authorized Manager IP Entry
Table 14-2.Analysis of IP Mask for Multiple-StationEntries
Additional Examples for Authorizing Multiple Stations
Duplicate IP Addresses:
Web Proxy Servers:
Page
Key Management System
Key Chain:
Time-Independent
Key:
Time-Dependent
Key Management System (KMS) Enabled Protocol:
Configuring Key Chain Management
Creating and Deleting Key Chain Entries
Figure 15-1.Adding a New Key Chain Entry
Assigning a Time-IndependentKey to a Chain
send-lifetime
infinite:
Assigning Time-DependentKeys to a Chain
start
time period
accept-lifetime
Figure 15-3.Adding Time-DependentKeys to a Key Chain Entry
Figure 15-4.Display of Time-DependentKeys in the Key Chain Entry
key-chain
Figure 15-5.Status of Keys in Key Chain Entry “Procurve2”
Index
Numerics
This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from 10.28.252.117 (the SA). Packets from any other source do not match and are denied.