Release M.10.41 supports the ProCurve Switch 3400cl-24G (J4905A), and 3400cl-48G (J4906A).
These release notes include information on the following:
■Downloading switch software and documentation from the Web (page 1)
■Clarification of operating details for certain software features (page 20)
■A listing of software enhancements in recent releases (page 25)
■A listing of software fixes included in releases M.08.51 through M.10.72 (page 145)
IMPORTANT:
3400cl switches MUST be running ROM version I.08.12 prior to loading M.10.20 or newer software. If your
switch is using a software version earlier than M.10.10, you need to install and boot the M.10.10 software
(included in the M.10.41 software package) to load the I.08.12 ROM version, before installing M.10.20 or
newer.
Security Note:
Downloading and booting software release M.08.89 or greater for the first time automatically enables
SNMP access to the hpSwitchAuth MIB objects. If this is not desirable for your network, ProCurve
recommends that you disable it after downloading and rebooting with the latest switch software. For more
information, refer to “Enforcing Switch Security” on page 10 and “Using SNMP To View and Configure
Switch Authentication Features” on page 35.
Configuration Compatibility Caution:
Configuration files created or saved using version M.10.65 or higher are NOT backward-compatible with
previous software versions. The user is advised to save a copy of the pre-M.10.65 startup-config file
BEFORE UPDATING to M.10.68 or greater, in case there is ever a need to revert back to an earlier version
of software.
Microsoft®, Windows®, and Windows NT® are US
registered trademarks of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems
Incorporated. Java™ is a US trademark of Sun
Microsystems, Inc.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by
the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
http:// www.openssh.com
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by
the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com)
.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
Check the ProCurve Networking Web site frequently for free software updates for the various
ProCurve switches you may have in your network.
Download Switch Documentation and Software from the Web
You can download software updates and the corresponding product documentation from the
ProCurve Networking Web site as described below.
View or Download the Software Manual Set
Go to: www.procurve.com/manuals
You may want to bookmark this Web page for easy access in the future.
You can also register on the My ProCurve portal to receive a set of ProCurve switch manuals on CDROM. To register and request a CD, go to www.procurve.com and click on My ProCurve Sign In. After
registering and entering the portal, click on My Manuals.
Downloading Software to the Switch
ProCurve Networking periodically provides switch software updates through the ProCurve
Networking Web site (www.procurve.com). After you acquire the new software file, you can use one
of the following methods for downloading it to the switch:
■For a TFTP transfer from a server, do either of the following:
•Select Download OS in the Main Menu of the switch’s menu interface and use the (default)
TFTP option.
•Use the copy tftp command in the switch’s CLI (see below).
■For an Xmodem transfer from a PC or Unix workstation, do either of the following:
•Select Download OS in the Main Menu of the switch’s menu interface and select the
Xmodem option.
•Use the copy xmodem command in the switch’s CLI (page 3).
■Use the USB port to download a software file from a USB flash drive.
■Use the download utility in ProCurve Manager Plus.
1
Software Management
Downloading Software to the Switch
Note
Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes
or to be used in another switch of the same model.
This section describes how to use the CLI to download software to the switch. You can also use the
menu interface for software downloads. For more information, refer to the Management and Configuration Guide for your switch.
Downloading Software to the Switch
ProCurve Networking periodically provides switch software updates through the ProCurve
Networking Web site (www.procurve.com
of the following methods for downloading it to the switch:
■For a TFTP transfer from a server, do either of the following:
•Click on Download OS in the Main Menu of the switch’s menu interface and use the
(default) TFTP option.
). After you acquire the new software file, you can use one
•Use the copy tftp command in the switch’s CLI (see below).
■For an Xmodem transfer from a PC or Unix workstation, do either of the following:
•Click on Download OS in the Main Menu of the switch’s menu interface and select the
Xmodem option.
•Use the copy xmodem command in the switch’s CLI (page 3).
■Use the download utility in ProCurve Manager Plus.
Note
Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes
or to be used in another switch of the same model.
This section describes how to use the CLI to download software to the switch. You can also use the
menu interface for software downloads. For more information, refer to the Management and Configuration Guide for your switch.
Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash.
For example, to download a software file named M_08_8x.swi from a TFTP server with the IP address
of 10.28.227.103:
1.Execute the copy command as shown below:
ProCurve switch # copy tftp flash 10.28.227.103 M_08_8x.swi
The primary OS image will be deleted. continue [y/n]? Y
03125K
2.When the switch finishes downloading the software file from the server, it displays the progress
message shown in Figure 1. When the CLI prompt re-appears, the switch is ready to reboot to
activate the downloaded software:
When this message appears, the switch has finished
downloading the software file from the server.
When the CLI prompt appears, the switch is ready for
rebooting to activate the downloaded software.
ProCurve switch #
Figure 1. Message Indicating the Switch Is Ready To Activate the Downloaded Software
3.Reboot the switch.
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
Xmodem Download From a PC or Unix Workstation
This procedure assumes that:
■The switch is connected via the Console RS-232 port to a PC operating as a terminal. (Refer
to the Installation and Getting Started Guide you received with the switch for information
on connecting a PC as a terminal and running the switch console interface.)
■The switch software is stored on a disk drive in the PC.
3
Software Management
Downloading Software to the Switch
■The terminal emulator you are using includes the Xmodem binary transfer feature. (For
example, in the HyperTerminal application included with Windows NT, you would use the
Send File option in the Transfer dropdown menu.)
Using Xmodem and a terminal emulator, you can download a switch software file to either primary
or secondary flash using the CLI.
1.To reduce the download time, you may want to increase the baud rate in your terminal emulator
and in the switch to a value such as 115200 bits per second. (The baud rate must be the same
in both devices.) For example, to change the baud rate in the switch to 115200, execute this
command:
ProCurve (config)# console baud-rate 115200
(If you use this option, be sure to set your terminal emulator to the same baud rate.)
Changing the console baud-rate requires saving to the Startup Config with the "write memory"
command. Alternatively, you can logout of the switch and change your terminal emulator speed
and allow the switch to AutoDetect your new higher baud rate (i.e. 115200 bps)
2.Execute the following command in the CLI:
ProCurve # copy xmodem flash primary
The primary OS image will be deleted. continue [y/n]? Y
Press ‘Enter’ and start XMODEM on your host...
3.Execute the terminal emulator commands to begin the Xmodem transfer. For example, using
HyperTerminal:
a.Click on Transfer, then Send File.
b.Type the file path and name in the Filename field.
c.In the Protocol field, select Xmodem.
d.Click on the
Send button.
The download can take several minutes, depending on the baud rate used in the transfer.
4.If you increased the baud rate on the switch (step 1), use the same command to return it to its
previous setting. (HP recommends a baud rate of 9600 bits per second for most applications.)
Remember to return your terminal emulator to the same baud rate as the switch.)
5.Reboot the switch.
After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting
last configured in the menu’s Switch Setup screen.
4
Saving Configurations While Using the CLI
Software Management
Saving Configurations While Using the CLI
The switch operates with two configuration files:
■Running-Config File: Exists in volatile memory and controls switch operation. Rebooting
the switch erases the current running-config file and replaces it with an exact copy of the
current startup-config file. To save a configuration change, you must save the running
configuration to the startup-config file.
■Startup-Config File: Exists in flash (non-volatile) memory and preserves the most recently-
saved configuration as the “permanent” configuration. When the switch reboots for any
reason, an exact copy of the current startup-config file becomes the new running-config file
in volatile memory.
When you use the CLI to make a configuration change, the switch places the change in the runningconfig file. If you want to preserve the change across reboots, you must save the change to the startupconfig file. Otherwise, the next time the switch reboots, the change will be lost. There are two ways
to save configuration changes while using the CLI:
■Execute write memory from the Manager, Global, or Context configuration level.
■When exiting from the CLI to the Main Menu, press [Y] (for Yes) when you see the “save
configuration” prompt:
Do you want to save current configuration [y/n] ?
5
Software Management
Install Recommendations for I.08.12 Boot ROM Update
Install Recommendations for I.08.12 Boot ROM Update
When installing the M.10.17 software to load the I.08.12 ROM version, ProCurve recommends that
you use the “fastboot” feature and the “reload” command after updating to M.10.17, as shown below.
ProCurve3400cl#config
ProCurve3400cl(config)# fastboot
ProCurve3400cl(config)# copy tftp flash <ip address of tftp server> M_10_17.swi
The Primary OS Image will be deleted, continue [y/n]? y Validating and Writing System
Software to FLASH...
ProCurve3400cl(config)# reload
Device will be rebooted, do you want to continue [y/n]? y
Rebooting the System
Then reconnect and run the show flash command:
ProCurve3400cl# show flas
Image Size(Bytes) Date Version
RSwitch 2610 Series (2610-24, 2610-24/12PWR, 2610-24-PWR, 2610-48 and 2610-48-PWR)
TSwitch 2900 Series (2900-24G and 2900-48G)
USwitch 2510-48
WSwitch 2910al Series (2910al-24G, 2910al-24G-PoE+, 2910al-48G, and 2910al-48G-PoE+)
VA/VBSwitch 1700 Series (Switch 1700-8 - VA and 1700-24 - VB)
WAProCurve Access Point 530
WSProCurve Wireless Edge Services xl Module and the ProCurve Redundant Wireless Services xl Module
WTProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module
YSwitch 2510G Series (2510G-24 and 2510G-48)
7
Software Management
ProCurve Switch, Routing Switch, and Router Software Keys
Software
Letter
numericSwitch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX
ProCurve Networking Products
(Uses software version number only; no alphabetic prefix. For example 07.6.04.)
8
Minimum Software Versions for Series 3400cl Switch Features
Software Management
Minimum Software Versions for Series 3400cl Switch Features
For Software Features. To view a tabular listing of major switch software features and the
minimum software version each feature requires:
1.Visit the ProCurve Networking Web site at w
ww.procurve.com.
2.Click on Software updates.
3.Click on Minimum Software Version Required by Feature.
For Switch 3400cl Hardware Accessories.
ProCurve DeviceMinimum Supported
J8434A ProCurve 10-GbE Copper Module M.08.54
J8435A ProCurve 10-GbE Media Flex Module M.08.54
J8436A ProCurve 10-GbE X2-SC SR OpticM.08.51
J8437A ProCurve 10-GbE X2-SC LR Optic M.08.54
J8438A ProCurve 10 GbE X2-SC ER OpticM.08.75
J8439A ProCurve 10-GbE CX4 Media Converter M.08.54
J8440A ProCurve 10-GbE X2-CX4 TransceiverM.08.54
J8440B ProCurve 10-GbE X2-CX4 TransceiverM.10.06
Software Version
OS/Web/Java Compatibility Table
The switch Web agent supports the following combinations of OS browsers and Java Virtual
Machines:
Operating SystemInternet ExplorerJava
Windows NT 4.0 SP6a5.00, 5.01
5.01, SP1
6.0, SP1
Windows 2000 Pro SP45.05, SP2
Sun Java 2 Runtime Environment:
– Version 1.3.1.12
– Version 1.4.2.05
6.0, SP1
Windows XP Pro SP26.0, SP2
Windows Server SE 2003
and 7.0
Sun Java 2 Runtime Environment:
– Version 1.5.0_11, Version 1.6.0
SP2
Windows Vista
9
Enforcing Switch Security
Switch Management Access Security
Enforcing Switch Security
ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in
your network. However, when preparing the switch for network operation, ProCurve strongly
recommends that you enforce a security policy to help ensure that the ease in getting started is not
used by unauthorized persons as an opportunity for access and possible malicious actions. Since
security incidents can originate with sources inside as well as outside of an organization, your switch
and network access security provisions must protect against internal and external threats while
preserving the necessary network access for authorized clients and uses.
This section provides an overview of switch management and network access security features and
applications. For information on specific features, refer to the software manuals provided for your
switch model.
Caution:
In its default configuration, the switch is open to unauthorized access of various types. ProCurve
recommends that you review this section to help ensure that you recognize the potential for
unauthorized switch and network access and are aware of the features available to help prevent
such access.
Switch Management Access Security
This section outlines provisions for protecting access to the switch’s status information configuration
settings. For more detailed information on these features, refer to the indicated manuals.
Default Settings Affecting Security
In the default configuration, switch management access is available through the following methods:
■Telnet
■Web-browser interface (including the ability to launch Telnet access)
■SNMP access
■Front-Panel access (serial port access to the console, plus resets and clearing the pass-
word(s) or current configuration)
10
Switch Management Access Security
Enforcing Switch Security
It is important to evaluate the level of management access vulnerability existing in your network and
take steps to ensure that all reasonable security precautions are in place. This includes both
configurable security options and physical access to the switch hardware.
Local Manager Password
In the default configuration, there is no password protection. Configuring a local Manager password
is a fundamental step in reducing the possibility of unauthorized access through the switch’s web
browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the
CLI password manager command, the Menu interface Console Passwords option, or the password
options under the Security tab in the web browser interface.
Inbound Telnet Access and Web Browser Access
The default remote management protocols enabled on the switch are plain text protocols, which
transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized
users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used
for remote access. This enables you to employ increased access security while still retaining remote
client access.
■SSHv2 provides Telnet-like connections through encrypted and authenticated transactions
■SSLv3/TLSv1 provides remote web browser access to the switch via encrypted paths
between the switch and management station clients capable of SSL/TLS operation.
(For information on SSH and SSL/TLS, refer to the chapters on these topics in the Advanced Traffic Management Guide for your switch.)
Also, access security on the switch is incomplete without disabling Telnet and the standard web
browser access.Among the methods for blocking unauthorized access attempts using Telnet or the
Web browser are the following two commands:
■no telnet-server: This CLI command blocks inbound Telnet access.
■no web-management: This CLI command prevents use of the web browser interface
through http (port 80) server access.
If you choose not to disable Telnet and web browser access, you may want to consider using RADIUS
accounting to maintain a record of password-protected access to the switch. Refer to the chapter
titled “RADIUS Authentication and Accounting” in the Access Security Guide for your switch.
Secure File Transfers
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive
information such as configuration files and log information between the switch and other devices.
For more on these features, refer to the section titled “Using Secure Copy and SFTP” in the “File
Transfers” appendix of the Management and Configuration Guide for your switch.
11
Enforcing Switch Security
Switch Management Access Security
SNMP Access(Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP
management applications capable of viewing and changing the settings and status data in the switch’s
MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing
unauthorized SNMP access should be a key element of your network security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including
SNMP community and trap configuration. The default configuration supports versions 1 and 2c
compatibility, which uses plain text and does not provide security options. ProCurve recommends
that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure
restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected
operation). SNMPv3 security options include:
•configuring device communities as a means for excluding management access by
unauthorized stations
•configuring for access authentication and privacy
•reporting events to the switch CLI and to SNMP trap receivers
•restricting non-SNMPv3 agents to either read-only access or no access
•co-existing with SNMPv1 and v2c if necessary
For more on SNMPV3, refer to the next subsection and to the chapter titled “Configuring for Network
Management Applications” in the Management and Configuration Guide for your switch.
SNMP Access to the Switch’s Authentication Configuration MIB . A management station
running an SNMP networked device management application such as ProCurve Manager Plus
(PCM+) or HP OpenView can access the switch’s management information base (MIB) for read access
to the switch’s status and read/write access to the switch’s configuration. In earlier software versions,
SNMP access to the switch’s authentication configuration (hpSwitchAuth) MIB was not allowed.
However, beginning with software release M.08.89, the switch’s default configuration allows SNMP
access to security settings in hpSwitchAuth. If SNMP access to the hpSwitchAuth MIB is considered
a security risk in your network, then you should implement the following security precautions when
downloading and booting from software release M.08.89 or greater:
1.If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above and
in the section titled “Using SNMP To View and Configure Switch Authentication Features” (page
35) is not desirable for your network, then immediately after downloading and booting from
the M.08.89 or greater software for the first time, use the following command to disable this
feature:
snmp-server mib hpswitchauthmib excluded
12
Switch Management Access Security
Enforcing Switch Security
Caution:
Downloading and booting from the M.08.89 or greater software version for the first time enables
SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other
security safeguards are not in place, the switch’s authentication configuration MIB is exposed to
unprotected SNMP access and you should use the above command to disable this access.
2.If you choose to leave the authentication configuration MIB accessible, then you should do the
following to help ensure that unauthorized workstations cannot use SNMP tools to access the
MIB:
•Configure SNMP version 3 management and access security on the switch.
•Disable SNMP version 2c on the switch.
Refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network
Management Applications” in the Management and Configuration Guide for your switch. .
Physical Access to the Switch
Physical access to the switch allows the following:
■use of the console serial port (CLI and Menu interface) for viewing and changing the current
configuration and for reading status, statistics, and log messages.
■use of the switch’s Clear and Reset buttons for these actions:
•clearing (removing) local password protection
•rebooting the switch
•restoring the switch to the factory default configuration (and erasing any nondefault
configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized
physical access. As additional precautions, you can do the following:
■Disable or re-enable the password-clearing function of the Clear button.
■Configure the Clear button to reboot the switch after clearing any local usernames and
passwords.
■Modify the operation of the Reset+Clear button combination so that the switch reboots, but
does not restore the switch’s factory default settings.
■Disable or re-enable password recovery.
13
Enforcing Switch Security
Switch Management Access Security
For the commands to implement the above actions, refer to “Front-Panel Security” in the chapter
titled “Configuring Usernames and Passwords” in the Access Security Guide for your switch.
Other Provisions for Management Access Security
Authorized IP Managers. This feature uses IP addresses and masks to determine whether to allow
management access to the switch through the network, and covers access through the following:
■Telnet and other terminal emulation applications
■The switch’s web browser interface
■SNMP (with a correct community name)
Refer to the chapter titled “Using Authorized IP Managers” in the Access Security Guide for your
switch.
Secure Management VLAN. This feature creates an isolated network for managing the ProCurve
switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface,
and web browser interface access is restricted to ports configured as members of the VLAN.
Refer to the chapter titled “Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide
for your switch.
RADIUS Authentication. For each authorized client, RADIUS can be used to authenticate operator
or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH,
and Secure FTP/Secure Copy (SFTP/SCP) access methods.
Refer to the chapter titled “RADIUS Authentication and Accounting” in the Access Security Guide
for your switch.
TACACS+ Authentication. This application uses a central server to allow or deny access to
TACACS-aware devices in your network. TACACS+ uses username/password sets with associated
privilege levels to grant or deny access through either the switch’s serial (console) port or remotely,
with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication
service, it defaults to its own locally configured passwords for authentication control. TACACS+
allows both login (read-only) and enable (read/write) privilege level access.
Refer to the chapter titled “TACACS+ Authentication” in the Access Security Guide for your switch
model.
Access Control Lists (ACLs) for Management Access Protection. ACLs can be used to secure
access to the management interface of the switch by blocking inbound IP traffic that has the switch
itself as the destination address. (Refer also to “Access Control Lists” in the next section.)
14
Enforcing Switch Security
Network Access Security
Network Access Security
This section outlines provisions for protecting access through the switch to the network. For more
detailed information on these features, refer to the indicated manuals.
Access Control Lists (ACLs)
ACLs enable the switch to permit or deny the following:
■any inbound IP traffic on a port
■specific types of TCP or UDP traffic
While ACLs do not provide user or device authentication, or protection from malicious manipulation
of data in IP packet transmissions, ACLs can enhance network security by blocking selected IP traffic
types. This functionality can be utilized to:
■permit or deny in-band management access by limiting or preventing the use of designated
TCP or UDP protocols
■permit or deny unwanted IP traffic to or from specific hosts
Refer to the chapter titled “Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl
Switches” in the Advanced Traffic Management Guide for your switch model.
Web and MAC Authentication
These options are designed for application on the edge of a network to provide port-based security
measures for protecting private networks and the switch itself from unauthorized access. Because
neither method requires clients to run any special supplicant software, both are suitable for legacy
systems and temporary access situations where introducing supplicant software is not an attractive
option. Both methods rely on using a RADIUS server for authentication. This simplifies access
security management by allowing you to control access from a master database in a single server. It
also means the same credentials can be used for authentication, regardless of which switch or switch
port is the current access point into the LAN. Web authentication uses a web page login to
authenticate users for access to the network. MAC authentication grants access to a secure network
by authenticating device MAC address for access to the network.
Refer to the chapter titled “Web and MAC Authentication” in the Access Security Guide for your
switch model.
15
Enforcing Switch Security
Network Access Security
Secure Shell (SSH)
SSH provides Telnet-like functions through encrypted, authenticated transactions of the following
types:
■client public-key authentication: uses one or more public keys (from clients) that must
be stored on the switch. Only a client with a private key that matches a stored public key
can gain access to the switch.
■switch SSH and user password authentication: this option is a subset of the client public-
key authentication, and is used if the switch has SSH enabled without a login access
configured to authenticate the client’s key. In this case, the switch authenticates itself to
clients, and users on SSH clients then authenticate themselves to the switch by providing
passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
■secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session,
you can take advantage of SC and SFTP to provide a secure alternative to TFTP for
transferring sensitive switch information.
Refer to the chapter titled “Configuring Secure Shell (SSH)” in the Access Security Guide for your
switch model. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP”
in the “File Transfers” appendix of the Management and Configuration Guide for your switch model.
Secure Socket Layer (SSLv3/TLSv1)
This feature includes use of Transport Layer Security (TLSv1) to provide remote web access to the
switch via authenticated transactions and encrypted paths between the switch and management
station clients capable of SSL/TLS operation. The authenticated type includes server certificate
authentication with user password authentication.
Refer to the chapter titled “Configuring Secure Socket Layer (SSL) in the Access Security Guide for
your switch model.
Traffic/Security Filters
These statically configured filters enhance in-band security (and improve control over access to
network resources) by forwarding or dropping inbound network traffic according to the configured
criteria. Filter options and the devices that support them are listed in the following table:
16
Enforcing Switch Security
Network Access Security
Switch ModelSource-Port
Filters
Series 6400clX----
Series 5400zlXXX
Series 5300xlXXX
Series 4200vlX----
Series 3500ylXXX
Series 3400clX----
Series 2800X----
Series 2600X----
■source-port filters: Inbound traffic from a designated, physical source-port will be
Protocol
Filters
Multicast
Filters
forwarded or dropped on a per-port (destination) basis.
■multicast filters: Inbound traffic having a specified multicast MAC address will be
forwarded to outbound ports or dropped on a per-port (destination) basis.
■protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded
or dropped on a per-port (destination) basis.
Refer to the chapter titled “Traffic/Security Filters” in the Access Security Guide for your switch
model.
802.1X Access Control
This feature provides port-based or client-based authentication through a RADIUS server to protect
the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control
client access to network services. Included in the general features are the following:
■client-based access control supporting up to 32 authenticated clients per-port
■port-based access control allowing authentication by a single client to open the port
■switch operation as a supplicant for point-to-point connections to other 802.1X-aware
switches
The following table shows the type of access control available on the various ProCurve switch
models:
17
Enforcing Switch Security
Network Access Security
Access Control Types6200yl 5400zl 3500yl 5300xl
client-based access control
(up to 32 authenticated clients per port)
port-based access control
(one authenticated client opens the port)
switch operation as a supplicantXXXXX
* On the 5300xl switches, this feature is available with software release E.09.02 and greater.
XX*------
XXXXX
4200vl
3400cl
6400cl
2800
2600
2600-pwr
4100gl
Refer to the chapter titled “Configuring Port-Based and Client-Based Access Control” in the Access
Security Guide for your switch model.
Port Security, MAC Lockdown, MAC Lockout, and IP Lockdown
These features provide device-based access security in the following ways:
■port security: Enables configuration of each switch port with a unique list of the MAC
addresses of devices that are authorized to access the network through that port. This
enables individual ports to detect, prevent, and log attempts by unauthorized devices to
communicate through the switch. Some switch models also include eavesdrop prevention
in the port security feature.
■MAC lockdown: This “static addressing” feature is used as an alternative to port security
for to prevent station movement and MAC address “hijacking” by allowing a given MAC
address to use only one assigned port on the switch. MAC lockdown also restricts the client
device to a specific VLAN.
■MAC lockout: This feature enables blocking of a specific MAC address so that the switch
drops all traffic to or from the specified address.
■IP lockdown: Available on Series 2600 and 2800 switches only, this feature enables restric-
tion of incoming traffic on a port to a specific IP address/subnet, and denies all other traffic
on that port.
Refer to the chapter titled “Configuring and Monitoring Port Security” in the Access Security Guide
for your switch model.
Key Management System (KMS)
KMS is available in several ProCurve switch models and is designed to configure and maintain key
chains for use with KMS-capable routing protocols that use time-dependent or time-independent
keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual
18
Enforcing Switch Security
Network Access Security
keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys
that must be active at the time of a request.
Refer to the chapter titled “Key Management System” in the Access Security Guide for your switch
model.
Connection-Rate Filtering Based On Virus-Throttling Technology
While not specifically a tool for controlling network access, this feature does help to protect the
network from attack and is recommeded for use on the network edge. It is primarily focused on the
class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in
network applications behind unsecured ports. In this case, the malicious code tries to create a large
number of outbound IP connections on a routed interface in a short time. Connection-Rate filtering
detects hosts that are generating routed traffic that exhibits this behavior, and causes the switch to
generate warning messages and (optionally) to either throttle routed traffic from the offending hosts
or drop all traffic from the offending hosts.
Refer to the chapter titled “Virus Throttling” in the Access Security Guide for your switch model.
Identity-Driven Management (IDM)
IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create
a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy
enforcement to the network edge, and protection against both external and internal threats.
Using IDM, a system administrator can configure automatic and dynamic security to operate at the
network edge when a user connects to the network. This operation enables the network to distinguish
among different users and what each is authorized to do. Guest access can also be configured without
compromising internal security. This means that users can be identified and either approved or denied
at the edge of the network instead of in the core.
Criteria for enforcing RADIUS-based security for IDM applications includes classifiers such as:
■authorized user identity
■authorized device identity (MAC address)
■software running on the device
■physical location in the network
■time of day
Responses can be configured to support the networking requirements, user (SNMP) community,
service needs, and access security level for a given client and device.
For more information on IDM, visit the ProCurve web site at http://www.procurve.com
and click on
Products and Solutions, then Identity Driven Management (under Network Management).
19
Clarifications and Updates
Operating Notes for Jumbo Traffic-Handling
Clarifications and Updates
Operating Notes for Jumbo Traffic-Handling
In the Management and Configuration Guide, (Oct., 2005 version) on page 14-33 ( page 347 of the .pdf
file) where it states:
When a port is not a member of any jumbo-enabled VLAN, it drops all jumbo traffic. If the port
is receiving “excessive” inbound jumbo traffic, the port generates an Event Log message to notify
you of this condition. This same condition generates a Fault-Finder message in the Alert log of
the switch’s web browswer interface, and also increments the switch’s “Giant Rx” counter.
Note that it is the “Total Rx Errors” counter that is incremented, not the “Giant Rx” counter. On the
3400cl and 6400cl series switches, when the switch applies the jumbo MTU to a VLAN, all frames
with jumbo MTU sizes (1523 to 9220 bytes) are incremented to “Total Rx Errors”.
Non-Genuine Mini-GBIC Detection and Protection Initiative
Non-genuine ProCurve Transceivers and Mini-GBICs have been offered for sale in the marketplace.
To protect customer networks from these unsupported products, ProCurve switch software includes
the capability to detect and disable non-genuine transceivers and mini-GBICs discovered in Series
3400cl Switch ports. When a non-genuine device is discovered, the switch disables the port and
generates an error message in the Event Log.
Publication Updates
Table 1 lists updates to the manual set dated January, 2005.
Table 1. Publication Updates for Manual Set Dated January, 2005
Management and Configuration Guide
for the 3400cl, 5300xl, & 6400cl
Switches, p/n 5990-6050, January 2005
Edition
Chapter 14: “Configuring for Network
Management Applications”
Pages 14-44 and 14-49
Update
show lldp info stats is an invalid command.
The
The correct syntax is: show lldp stats.
20
Loading...
+ 167 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.