HP 4100gl, 2600, 2600-PWR, 6108, 2626 User Manual

...

ProCurve Switches

Access Security Guide

Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series

ProCurve

Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108

Access Security Guide

December 2008

Publication Number

5990-6024 December 2008

Applicable Products

ProCurve Switch 2626 (J4900A/B) ProCurve Switch 2650 (J4899A/B) ProCurve Switch 2600-8-PWR (J8762A) ProCurve Switch 2626-PWR (J8164A) ProCurve Switch 2650-PWR (J8165A) ProCurve Switch 2824 (J4903A) ProCurve Switch 2848 (J4904A) ProCurve Switch 4104GL (J4887A) ProCurve Switch 4108GL (J4861A/J4865A) ProCurve Switch 4140GL (J8151A) ProCurve Switch 4148GL (J4888A) ProCurve Switch 4160GL (J8152A) ProCurve Switch 6108 (J4902A).

Trademark Credits

Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.

Software Credits

SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http:// www.openssh.com.

SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

This product includes software written by Tim Hudson (tjh@cryptsoft.com)

Disclaimer

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements for such products. Nothing herein should be construed as constituting an additional warranty.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com

Contents

Product Documentation

About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xii

1 Getting Started

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3

General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9

2 Configuring Username and Password Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6

iii

Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

3 Web and MAC Authentication for the Series 2600/

2600-PWR and 2800 Switches

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12

Do These Steps Before You Configure Web/MAC Authentication . . 3-12

Additional Information for Configuring the RADIUS Server To Support

MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15

Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-18

Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-22

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-23

Show Status and Configuration of Web-Based Authentication . . . . . . . . 3-26

Show Status and Configuration of MAC-Based Authentication . . . . . . . . 3-27

Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

4 TACACS+ Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3

General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9

Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9

Viewing the Switch’s Current TACACS+ Server Contact Configuration . 4-10

Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-11

Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-15

How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

General Authentication Process Using a TACACS+ Server . . . . . . . . 4-20

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22

Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23

Controlling Web Browser Interface Access When Using TACACS+

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

5 RADIUS Authentication and Accounting

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6

Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-7

1. Configure Authentication for the Access Methods You Want RADIUS

To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-10

3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-12

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16

Controlling Web Browser Interface Access When Using RADIUS

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-19

Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-19

Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31

6 Configuring Secure Shell (SSH)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Steps for Configuring and Using SSH for Switch and Client Authentication . 6-6

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

1. Assign Local Login (Operator) and Enable (Manager) Password . 6-9

2. Generate the Switch’s Public and Private Key Pair . . . . . . . . . . . . 6-10

3. Provide the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . . 6-12

4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior 6-15

5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 6-18

6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21

Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-21

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

7 Configuring Secure Socket Layer (SSL)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Steps for Configuring and Using SSL for Switch and Client Authentication . 7-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

1. Assign Local Login (Operator) and Enable (Manager) Password . 7-7

2. Generate the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . . 7-9

3. Enable SSL on the Switch and Anticipate SSL Browser Contact

Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21

8 Configuring Port-Based Access Control (802.1X)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

How 802.1X Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

General Setup Procedure for Port-Based Access Control (802.1X) . . . . . 8-12

Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 8-12

Overview: Configuring 802.1X Authentication on the Switch . . . . . . 8-13

vii

Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . . 8-15

1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 8-15

3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 8-19

4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 8-20

5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20

802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . . 8-22

Operating Rules for Authorized-Client and Unauthorized-Client VLANs 8-25

Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . . 8-27

802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31

Option For Authenticator Ports: Configure Port-Security To Allow Only

802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections

to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . . 8-38

Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 8-38

Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 8-40

Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 8-43

viii

How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . . 8-44

Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

9 Configuring and Monitoring Port Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5

Port Security Command Options and Operation . . . . . . . . . . . . . . . . . . . . . 9-6

Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . . 9-10

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12

MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17

Differences Between MAC Lockdown and Port Security . . . . . . . . . 9-19

Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21

MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25

Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27

IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28

Web: Displaying and Configuring Port Security Features . . . . . . . . . . . . . 9-29

Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . . . . . . . 9-29

Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29

How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30

Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . . 9-31

Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . . 9-36

Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting

Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36

Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37

10 Traffic/Security Filters

(ProCurve Series 2600/2600-PWR and 2800 Switches)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7

Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9

Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10

11 Using Authorized IP Managers

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5

CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6

Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Configuring One Station Per Authorized Manager IP Entry . . . . . . . 11-9

Configuring Multiple Stations Per Authorized Manager IP Entry . . 11-10

Additional Examples for Authorizing Multiple Stations . . . . . . . . . 11-11

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12

Product Documentation

About Your Switch Manual Set

The switch manual set includes the following:

■ Read Me First - a printed guide shipped with your switch. Provides

software update information, product notes, and other information.

■ Installation and Getting Started Guide - a printed guide shipped

with your switch. This guide explains how to prepare for and perform the physical installation and connection to your network.

■ Management and Configuration Guide - included as a PDF file on

the Documentation CD. This guide describes how to configure, manage, and monitor basic switch operation.

■ Advanced Traffic Management Guide - included as a PDF file on

the Documentation CD. This guide explains the configuration and operation of traffic management features such as spanning tree, VLANs, and IP routing.

■ Access Security Guide - included as a PDF file on the

Documentation CD. This guide explains the configuration and operation of access security and user authentication features on the switch.

■ Release Notes - posted on the ProCurve web site to provide

information on software updates. The release notes describe new features, fixes, and enhancements that become available between revisions of the above guides.

Note For the latest version of all ProCurve switch documentation, including release

notes covering recently added features, visit the ProCurve Networking website at http://www.procurve.com. Click on Technical support, and then click on Product manuals.

Product Documentation

Feature Index

For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.)

Feature Management and

Configuration

802.1Q VLAN Tagging - X -

802.1X Port-Based Priority X - -

Authentication - - X

Authorized IP Managers - - X

Config File X --

Copy Command X - -

Debug X --

DHCP Configuration - X -

DHCP/Bootp Operation X --

Diagnostic Tools X - -

Downloading Software X --

Event Log X - -

Factory Default Settings X --

File Management X - -

Advanced Traffic Management

Access Security Guide

File Transfers X --

GVRP - X -

IGMP - X -

Interface Access (Telnet, Console/Serial, Web) X - -

IP Addressing X --

IP Routing - X -

xii

Product Documentation

Feature Management and

Configuration

LACP X --

Link X - -

LLDP X --

MAC Address Management X - -

MAC Lockdown - - X

MAC Lockout - - X

MAC-based Authentication - - X

Monitoring and Analysis X - -

Multicast Filtering - X -

Network Management Applications (LLDP, SNMP) X - -

Passwords - - X

Ping X - -

Port Configuration X --

Port Security - - X

Advanced Traffic Management

Access Security Guide

Port Status X --

Port Trunking (LACP) X - -

Port-Based Access Control - - X

Port-Based Priority (802.1Q) X - -

Power over Ethernet (PoE) X --

Quality of Service (QoS) - X -

RADIUS Authentication and Accounting - - X

Routing - X -

Secure Copy X --

SFTP X - -

SNMP X --

Software Downloads (SCP/SFTP, TFTP, Xmodem) X - -

xiii

Product Documentation

Feature Management and

Configuration

Source-Port Filters - - X

Spanning Tree (STP, RSTP, MSTP) - X -

SSH (Secure Shell) Encryption - - X

SSL (Secure Socket Layer) - - X

Stack Management (Stacking) - X -

Syslog X - -

System Information X --

TACACS+ Authentication - - X

Telnet Access X --

TFTP X - -

Time Protocols (TimeP, SNTP) X --

Traffic/Security Filters - - X

Troubleshooting X --

VLANs - X -

Advanced Traffic Management

Access Security Guide

Web-based Authentication - - X

Xmodem X - -

xiv

Getting Started