HP E3800 Access Security Manual

HP Switch Software
E3800 switches
Software version KA.15.03 September 2011
HP Networking E3800 Switches
Access Security Guide
September 2011
KA.15.03
© Copyright 2008 - 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5998-2707 September 2011
Applicable Products
HP E3800-24G-PoE+-2SFP+ Switch J9573A
HP E3800-48G-PoE+-4SFP+ Switch J9574A
HP E3800-24G-2SFP+ Switch J9575A
HP E3800-48G-4SFP+ Switch J9576A
HP E3800-24GS-2XG Switch J9584A
HP E3800-24G-2XGT Switch J9585A
HP E3800-48G-4XGT Switch J9586A
HP E3800-24G-2XGT-PoE+ Switch J9587A
HP E3800-48G-4XGT-PoE+ Switch J9588A
HP E3800 4-port Stacking Module J9577A
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Software End User License Agreement and Hardware Limited Warranty
For the software end user license agreement and the hardware limited warranty information for HP Networking products, visit www.hp.com/networking/support.
Trademark Credits
Microsoft, Windows, and Microsoft Windows NT are US registered trademarks of Microsoft Corporation. Java™ is a US trademark of Sun Microsystems, Inc.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.hp.com

Contents

Product Documentation
About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Software Feature Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
1 Security Overview
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Getting Started with Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Quick Start: Using the Management Interface Wizard . . . . . . . . . . . . 1-11
CLI: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . . 1-12
WebAgent: Management Interface Wizard . . . . . . . . . . . . . . . . . . 1-13
SNMP Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Precedence of Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Precedence of Port-Based Security Options . . . . . . . . . . . . . . . . . . . . 1-16
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . 1-16
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . 1-18
HP Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
iii
2 Configuring Username and Password Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
WebAgent: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . 2-9
Saving Security Credentials in a Config File . . . . . . . . . . . . . . . . . . . 2-10
Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11
Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15
RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16
SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Disabling the Clear Password Function of the Clear Button . . . 2-29
Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . . 2-30
Changing the Operation of the Reset+Clear Combination . . . . . 2-31
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Disabling or Re-Enabling the Password Recovery Process . . . . . . . . 2-32
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
3 Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Sensitivity to Connection Rate Detection . . . . . . . . . . . . . . . . . . . . 3-4
Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Operating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Unblocking a Currently Blocked Host . . . . . . . . . . . . . . . . . . . . . . 3-6
General Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
For a network that is relatively attack-free: . . . . . . . . . . . . . . . . . . . . . 3-7
For a network that appears to be under significant attack: . . . . . . . . . 3-8
Configuring Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Global and Per-Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Enabling Connection-Rate Filtering and Configuring Sensitivity . . . . . . . . . . . . . . . . . . . 3-10
Configuring the Per-Port Filtering Mode . . . . . . . . . . . . . . . . . . . 3-11
Example of a Basic Connection-Rate Filtering Configuration . . 3-12
Viewing and Managing Connection-Rate Status . . . . . . . . . . . . . . . . . 3-14
Viewing Connection-Rate Configuration . . . . . . . . . . . . . . . . . . . 3-14
Listing Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Unblocking Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring and Applying Connection-Rate ACLs . . . . . . . . . . . . . . 3-17
Connection-Rate ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Configuring a Connection-Rate ACL Using Source IP Address Criteria . . . . . . . . . . . . . . . . . . 3-19
Configuring a Connection-Rate ACL Using UDP/TCP Criteria . . . . . 3-21
Applying Connection-Rate ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Using CIDR Notation To Enter the ACE Mask . . . . . . . . . . . . . . . . . . 3-24
Example of Using an ACL in a Connection-Rate Configuration . . . . 3-25
Connection-Rate ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 3-27
4 Web and MAC Authentication
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 4-3
Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 4-3
RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 4-5
Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 4-12
Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 4-12
Configuring the RADIUS Server To Support MAC Authentication . . 4-15
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . 4-15
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Configuration Commands for Web Authentication . . . . . . . . . . . . . . 4-19
Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 4-26
Customizing Web Authentication HTML Files (Optional) . . . . . . . 4-32
Implementing Customized Web-Auth Pages . . . . . . . . . . . . . . . . . . . . 4-32
Operating Notes and Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Customizing HTML Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Customizable HTML Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 4-48
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 4-49
Configuring the Global MAC Authentication Password . . . . . . . 4-49
Configuring a MAC-based Address Format . . . . . . . . . . . . . . . . . 4-51
Configuring Custom Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54
Web Page Display of Access Denied Message . . . . . . . . . . . . . . . 4-56
HTTP Redirect When MAC Address Not Found . . . . . . . . . . . . . . . . . 4-59
How HTTP Redirect Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-60
Diagram of the Registration Process . . . . . . . . . . . . . . . . . . . . . . . 4-62
Using the Restrictive-Filter Option . . . . . . . . . . . . . . . . . . . . . . . . 4-63
Show Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-63
Reauthenticating a MAC-Auth Client . . . . . . . . . . . . . . . . . . . . . . . 4-63
Configuring the Registration Server URL . . . . . . . . . . . . . . . . . . . 4-64
Unconfiguring a MAC-Auth Registration Server . . . . . . . . . . . . . 4-64
Operating Notes for HTTP Redirect . . . . . . . . . . . . . . . . . . . . . . . 4-64
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 4-65
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71
5 TACACS+ Authentication
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 5-2
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 5-4
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 5-8
Viewing the Switch’s Current Authentication Configuration . . . . . . . 5-8
Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . . . . . . . . . 5-9
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 5-10
Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 5-10
Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 5-13
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 5-17
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
General Authentication Process Using a TACACS+ Server . . . . . . . . 5-24
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
Controlling WebAgent Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . . 5-28
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 5-29
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30
6 RADIUS Authentication, Authorization, and Accounting
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 6-2
RADIUS-Administered Commands Authorization . . . . . . . . . . . . . . . . 6-2
SNMP Access to the Switch’s Authentication Configuration MIB . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 6-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 6-8
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . 6-9
2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 6-12
3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 6-14
4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 6-17
Using Multiple RADIUS Server Groups . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Enhanced Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Displaying the RADIUS Server Group Information . . . . . . . . . . . 6-24
Cached Reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Timing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
Using SNMP To View and Configure Switch Authentication Features . . . . . . . . . . . . . . . . . . . 6-30
Changing and Viewing the SNMP Access Configuration . . . . . . . . . . 6-31
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Controlling WebAgent Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35
Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-37
Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring Commands Authorization on a RADIUS Server . . . . . . 6-38
Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 6-38
Example Configuration on Cisco Secure ACS for MS Windows 6-40
Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 6-43
VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 6-44
Tagged and Untagged VLAN Attributes . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
Accounting Service Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 6-49
Acct-Session-ID Options in a Management Session . . . . . . . . . . . . . . 6-50
Unique Acct-Session-ID Operation . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Common Acct-Session-ID Operation . . . . . . . . . . . . . . . . . . . . . . . 6-52
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 6-53
1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 6-54
2. (Optional) Reconfigure the Acct-Session-ID Operation . . . . . 6-56
3. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . . . . . . . . . . 6-57
4. (Optional) Configure Session Blocking and Interim Updating Options . . . . . . . . . . . . . . . . . . . 6-61
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-64
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-66
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 6-67
Dynamic Removal of Authentication Limits . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
Configuring the RADIUS VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
Displaying the Port-access Information . . . . . . . . . . . . . . . . . . . . . . . . 6-72
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73
7 Configuring RADIUS Server Support for Switch Services
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
RADIUS Client and Server Requirements . . . . . . . . . . . . . . . . . . . . 7-1
Optional PCM and IDM Network Management Applications . . . . 7-2
RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . . . 7-3
Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 7-5
Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . 7-7
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists . . . . . . . . . . . . . . . . 7-11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Overview of RADIUS-Assigned, Dynamic ACLs . . . . . . . . . . . . . . . . . 7-14
Traffic Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Contrasting RADIUS-Assigned and Static ACLs . . . . . . . . . . . . . . . . . 7-16
How a RADIUS Server Applies a RADIUS-Assigned ACL to a Client on a Switch Port . . . . . . . . . . . . . . . . 7-18
General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 7-19
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
Operating Rules for RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . 7-20
Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 7-22
Nas-Filter-Rule-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25
Example Using the Standard Attribute (92) In an IPv4 ACL . . . 7-27
Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs . . 7-29
Example Using HP VSA 61 To Assign IPv4 ACLs . . . . . . . . . . . . 7-32
To configure the above ACL, you would enter the username/password and ACE information shown in figure 7-11 into the FreeRADIUS “users” file. . . . . . . . . . . . . . . 7-33
Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-34
Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . 7-35
Displaying the Current RADIUS-Assigned ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . 7-37
Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42
Causes of Client Deauthentication Immediately After Authenticating . . . . . . . . . . . . . . . . . . . . 7-42
Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42
8 Configuring Secure Shell (SSH)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . . . . . . . . . 8-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 8-8
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . 8-9
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . . 8-9
Configuring Key Lengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 8-12
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . . . . . . . . 8-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 8-20
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 8-24
Further Information on SSH Client Public-Key Authentication . 8-25
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Logging Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
9 Configuring Secure Socket Layer (SSL)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . 9-4
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 9-6
1. Assigning a Local Login (Operator) and Enabling (Manager) Password . . . . . . . . . . . . . . . . . 9-6
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . 9-6
To Generate or Erase the Switch’s Server Certificate with the CLI . . . . . . . . . . . . . . . . . . . . 9-7
Comments on Certificate Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Generate a Self-Signed Host Certificate with the WebAgent . . . 9-10
Generate a CA-Signed server host certificate with the WebAgent . . . . . . . . . . . . . . . . . . . . 9-11
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . 9-13
Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 9-14
Using the WebAgent to Enable SSL . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
10 IPv4 Access Control Lists (ACLs)
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview of Options for Applying IPv4 ACLs on the Switch . . . . . 10-3
Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Command Summary for Standard IPv4 ACLs . . . . . . . . . . . . . . . . . . . 10-5
Command Summary for IPv4 Extended ACLs . . . . . . . . . . . . . . . . . . 10-6
Command Summary for Enabling, Disabling, and Displaying ACLs . . . . . . . . . . . . . . . . . . . . . 10-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Types of IPv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
RACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
VACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Static Port ACL and RADIUS-Assigned ACL Applications . . . . 10-16
RADIUS-Assigned (Dynamic) Port ACL Applications . . . . . . . . 10-17
Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . 10-22
General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . 10-23
IPv4 Static ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
IPv4 Traffic Management and Improved Network Performance . . 10-29
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31
Guidelines for Planning the Structure of a Static ACL . . . . . . . . . . . 10-31
IPv4 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . 10-32
How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . 10-35
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . . . . . . . 10-35
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . . . . . . . . . . . . 10-36
Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . 10-40
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-40
General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . 10-40
Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41
ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41
Standard ACL Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42
Extended ACL Configuration Structure . . . . . . . . . . . . . . . . . . . 10-43
ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-45
The Sequence of Entries in an ACL Is Significant . . . . . . . . . . . 10-45
Allowing for the Implied Deny Function . . . . . . . . . . . . . . . . . . . 10-47
A Configured ACL Has No Effect Until You Apply It to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-47
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration . . 10-47
Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
General ACE Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
Using CIDR Notation To Enter the IPv4 ACL Mask . . . . . . . . . 10-49
Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50
Command Summary for Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-50
Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-52
Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-55
Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-59
Command Summary for Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 10-59
Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 10-61
Configuring Numbered, Extended ACLs . . . . . . . . . . . . . . . . . . . 10-74
Adding or Removing an ACL Assignment On an Interface . . . . . . 10-81
Filtering Routed IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-81
Filtering IPv4 Traffic Inbound on a VLAN . . . . . . . . . . . . . . . . . . . . . 10-82
Filtering Inbound IPv4 Traffic Per Port . . . . . . . . . . . . . . . . . . . . . . . 10-83
Deleting an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-85
Editing an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-87
Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . 10-88
Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . 10-90
Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . 10-91
Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92
Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-95
Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . 10-97
Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-98
Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . 10-99
Display the RACL and VACL Assignments for a VLAN . . . . . . . . . 10-100
Display Static Port (and Trunk) ACL Assignments . . . . . . . . . . . . . 10-101
Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . 10-103
Display All ACLs and Their Assignments in the Routing Switch Startup-Config File and Running-Config File . . . 10-106
Creating or Editing ACLs Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
Creating or Editing an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
The Offline Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
Example of Using the Offline Process . . . . . . . . . . . . . . . . . . . . 10-108
Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-112
Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . 10-112
ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-113
Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . 10-114
Configuring the Logging Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-116
Monitoring Static ACL Performance . . . . . . . . . . . . . . . . . . . . . . . . . 10-117
Example of ACL Performance Monitoring . . . . . . . . . . . . . . . . 10-119
Example of Resetting ACE Hit Counters to Zero . . . . . . . . . . . 10-121
IPv6 Counter Operation with Multiple Interface Assignments 10-122
IPv4 Counter Operation with Multiple Interface Assignments 10-123
General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-128
11 Configuring Advanced Threat Protection
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Enabling DHCP Snooping on VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Configuring DHCP Snooping Trusted Ports . . . . . . . . . . . . . . . . . . . . 11-6
Configuring Authorized Server Addresses . . . . . . . . . . . . . . . . . . . . . . 11-7
Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . 11-8
Changing the Remote-id from a MAC to an IP Address . . . . . . 11-10
Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 11-10
The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Enabling Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Adding an IP-to-MAC Binding to the DHCP Database . . . . . . . . . . . 11-19
Configuring Additional Validation Checks on ARP Packets . . . . . . 11-20
Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 11-20
Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Protection Against IP Source Address Spoofing . . . . . . . . . . . . . . . . 11-23
Prerequisite: DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Filtering IP and MAC Addresses Per-Port and Per-VLAN . . . . . . . . 11-24
Enabling Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Adding an IP-to-MAC Binding to the DHCP Binding Database . . . . 11-27
Potential Issues with Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Adding a Static Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Verifying the Dynamic IP Lockdown Configuration . . . . . . . . . . . . . 11-28
Displaying the Static Configuration of IP-to-MAC Bindings . . . . . . 11-29
Debugging Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Differences Between Switch Platforms . . . . . . . . . . . . . . . . . . . . . . . 11-31
Using the Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 11-33
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Configuring Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Viewing the Current Instrumentation Monitor Configuration . . . . . 11-37
12 Traffic/Security Filters and Monitors
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . 12-3
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . 12-6
Defining and Configuring Named Source-Port Filters . . . . . . . . 12-6
Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 12-8
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 12-17
Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 12-18
Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . 12-18
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . 12-20
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22
13 Configuring Port-Based and User-Based Access Control (802.1X)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 13-1
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-3
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 13-4
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 13-8
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 13-8
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 13-11
General Setup Procedure for 802.1X Access Control . . . . . . . . . . 13-13
Do These Steps Before You Configure 802.1X Operation . . . . . . . . 13-13
Overview: Configuring 802.1X Authentication on the Switch . . . . . 13-16
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . 13-17
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 13-18
A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication . . . . . . . . . 13-18
B. Specify User-Based Authentication or Return to Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 13-19
Example: Configuring User-Based 802.1X Authentication . . . . 13-20
Example: Configuring Port-Based 802.1X Authentication . . . . 13-20
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 13-21
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 13-24
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 13-25
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 13-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 13-27
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 13-27
Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-29
Example: Configuring 802.1X Controlled Directions . . . . . . . . 13-29
Unauthenticated VLAN Access (Guest VLAN Access) . . . . . . . . . . . 13-29
Characteristics of Mixed Port Access Mode . . . . . . . . . . . . . . . . 13-30
Configuring Mixed Port Access Mode . . . . . . . . . . . . . . . . . . . . . 13-31
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 13-33
Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-39
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 13-43
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 13-48
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . 13-49
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-50
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . 13-51
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-51
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-53
Displaying 802.1X Configuration, Statistics, and Counters . . . . 13-55
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 13-55
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 13-64
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 13-68
How RADIUS/802.1X Authentication Affects VLAN Operation . 13-69
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-70
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-70
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . . . . . . . . . . . . . . . . . 13-72
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . 13-75
14 Configuring and Monitoring Port Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Eavesdrop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Disabling Eavesdrop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Feature Interactions When Eavesdrop Prevention is Disabled . 14-4
MIB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
Port Security Command Options and Operation . . . . . . . . . . . . . . . . 14-8
Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-12
Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-23
Differences Between MAC Lockdown and Port Security . . . . . . . . 14-24
MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 14-26
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-27
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-31
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 14-34
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-35
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 14-35
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . 14-36
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 14-38
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-39
15 Using Authorized IP Managers
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 15-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 15-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 15-6
Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 15-6
Configuring IP Authorized Managers for the Switch . . . . . . . . . . 15-7
WebAgent: Configuring IP Authorized Managers . . . . . . . . . . . . . . . 15-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-10
How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . 15-10
Using a Web Proxy Server to Access the WebAgent . . . . . . . . . 15-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-11
Configuring One Station Per Authorized Manager IP Entry . . . . . . 15-11
Configuring Multiple Stations Per Authorized Manager IP Entry . . 15-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 15-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-14
16 Key Management System
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 16-2
Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 16-3
Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 16-5

Product Documentation

For the latest version of all HP switch documentation, including Release Notes covering recently added features, please visit the HP Networking Web site at www.hp.com/Networking/support
Electronic Publications
The latest version of each of the publications listed below is available in PDF format on the HP Web site, as described in the Note at the top of this page.
• Installation and Getting Started Guide—Explains how to prepare and perform the physical installation and connect the switch to your network.
• Basic Operation Guide—Covers basic switch operating features, including set-up, user interfaces, memory and configuration, interface access (including console operation), system information, and IP addressing.
• Management and Configuration Guide—Describes how to configure, manage, and monitor basic switch operation.
• Advanced Traffic Management Guide—Explains how to configure traffic management features such as VLANs, MSTP, QoS, and Meshing.
• Multicast and Routing Guide—Explains how to configure IGMP, PIM, IP routing, and VRRP features.
• Access Security Guide—Explains how to configure access security features and user authentication on the switch.
• IPv6 Configuration Guide—Describes the IPv6 protocol operations that are supported on the switch.
• Command Line Interface Reference Guide—Provides a comprehensive description of CLI commands, syntax, and operations.
• Event Log Message Reference Guide—Provides a comprehensive description of event log messages.
• Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the main product guide.

Software Feature Index

For the software manual set supporting your E3800 switch model, this feature index indicates which manual to consult for information on a given software feature.
Software Feature                                                  Manual
Manual columns: Management and Configuration | Advanced Traffic Management | Multicast and Routing | Access Security Guide | IPv6 Configuration Guide | Basic Operation Guide
802.1Q VLAN Tagging X
802.1X Port-Based Priority X
802.1X Multiple Authenticated Clients Per Port X
Access Control Lists (ACLs) X
Access Control Lists (ACLs) (IPv6) X
AAA Authentication X
Authorized IP Managers X
Authorized IP Managers (IPv6) X
Authorized Manager List (Web, Telnet, TFTP) X
Auto MDIX Configuration X
BOOTP X
Config File X
Console Access X
Copy Command X
Core Dump X
CoS (Class of Service) X
Debug X
DHCP Configuration X
DHCPv6 Relay X
DHCP Option 82 X
DHCP Snooping X
DHCP/Bootp Operation X
Diagnostic Tools X
Diagnostics and Troubleshooting (IPv6) X
Distributed Trunking X
Downloading Software X
Dynamic ARP Protection X
Dynamic Configuration Arbiter X
Dynamic IP Lockdown X
Eavesdrop Protection X
Equal Cost Multi-Path (ECMP) X
Event Log X
Factory Default Settings X
Flow Control (802.3x) X
File Management X
File Transfers X
Friendly Port Names X
Guaranteed Minimum Bandwidth (GMB) X
GVRP X
Identity-Driven Management (IDM) X
IGMP X
Interface Access (Telnet, Console/Serial, Web) X
IP Addressing X
IPv6 Addressing X
IP Preserve (IPv6) X
IP Routing X
IPv6 Static Routing X
Jumbo Packets X
Key Management System (KMS) X
LACP X
LLDP X
LLDP-MED X
Loop Protection X
MAC Address Management X
MAC Lockdown X
MAC Lockout X
MAC-based Authentication X
Management VLAN X
Management Security (IPv6) X
Meshing X
MLD Snooping (IPv6) X
Monitoring and Analysis X
Multicast Filtering X
Multiple Configuration Files X
Network Management Applications (SNMP) X
Nonstop Switching (8200zl switches) X
Out-of-Band Management (OOBM) X
OpenView Device Management X
OSPFv2 (IPv4) X
OSPFv3 (IPv6) X
Passwords and Password Clear Protection X
PCM/PCM+ X
PIM-DM (Dense Mode) X
PIM-SM (Sparse Mode) X
Ping X
Port Configuration X
Port Monitoring X
Port Security X
Port Status X
Port Trunking (LACP) X
Port-Based Access Control (802.1X) X
Power over Ethernet (PoE and PoE+) X
Protocol Filters X
Protocol VLANS X
QinQ (Provider Bridging) X
Quality of Service (QoS) X
RADIUS Authentication and Accounting X
RADIUS-Based Configuration X
Rate-Limiting X
RIP X
RMON 1,2,3,9 X
Routing X
Routing - IP Static X
Route Redistribution X
SavePower Features X
Secure Copy X
Secure Copy (IPv6) X
Secure FTP (IPv6) X
sFlow X
SFTP X
SNMPv3 X
SNMP (IPv6) X
Software Downloads (SCP/SFTP, TFTP, Xmodem) X
Source-Port Filters X
Spanning Tree (STP, RSTP, MSTP) X
SSHv2 (Secure Shell) Encryption X
SSH (IPv6) X
SSL (Secure Socket Layer) X
Stack Management (Stacking) X
Syslog X
System Information X
TACACS+ Authentication X
Telnet Access X
Telnet (IPv6) X
TFTP X
Time Protocols (TimeP, SNTP) X
Time Protocols (IPv6) X
Traffic Mirroring X
Traffic/Security Filters X
Troubleshooting X
Uni-Directional Link Detection (UDLD) X
UDP Forwarder X
USB Device Support X
Virus Throttling (Connection-Rate Filtering) X
VLANs X
VLAN Mirroring (1 static VLAN) X
Voice VLAN X
VRRP X
Web Authentication RADIUS Support X
Web-based Authentication X
Web UI X

Security Overview

Introduction

This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.
Before you connect your switch to a network, HP recommends that you review the section titled “Getting Started with Access Security” on page 1-10. It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.

About This Guide

This Access Security Guide describes how to configure security features on your switch.
Note: For an introduction to the standard conventions used in this guide, refer to the Getting Started chapter in the Management and Configuration Guide for your switch.

For More Information

For IPv6-specific security settings and features, refer to the IPV6 Configuration Guide for your switch.
For information on which product manual to consult for a specific software feature, refer to the “Software Feature Index” on page xxiii of this guide.
For the latest version of all HP networking switch documentation, including Release Notes covering recently added features and other software topics, visit the HP networking web site at www.hp/support/manuals.

Access Security Features

This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
Note: The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See “Quick Start: Using the Management Interface Wizard” on page 1-11 for details.
Table 1-1. Access Security and Switch Authentication Features
Columns: Feature | Default Setting | Security Guidelines | More Information and Configuration Details

Feature: Manager password
Default Setting: no password
Security Guidelines: Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch’s WebAgent and console (CLI and Menu) interfaces. The Manager password can easily be set by any one of the following methods:
• CLI: password manager command, or Management interface wizard
• WebAgent: the password options under the Security tab, or Management interface wizard
• Menu interface: Console Passwords option
• SNMP
More Information and Configuration Details: “Configuring Local Password Security” on page 2-4; “Quick Start: Using the Management Interface Wizard” on page 1-11; “Using SNMP To View and Configure Switch Authentication Features” on page 6-21
Feature: Telnet and Web-browser access (WebAgent)
Default Setting: enabled
Security Guidelines: The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.
Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands:
no telnet-server: This command blocks inbound Telnet access.
no web-management: This command prevents use of the WebAgent through http (port 80) server access.
If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
More Information and Configuration Details: “Quick Start: Using the Management Interface Wizard” on page 1-11. For more on Telnet and the WebAgent, refer to the chapter on “Interface Access and System Information” in the Management and Configuration Guide. For RADIUS accounting, refer to Chapter 6, “RADIUS Authentication and Accounting”.

Feature: SSH
Default Setting: disabled
Security Guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
• client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
• switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.
More Information and Configuration Details: “Quick Start: Using the Management Interface Wizard” on page 1-11; Chapter 8 “Configuring Secure Shell (SSH)”
1-4
Security Overview
Access Security Features
Feature Default
Setting
SSL disabled Secure Socket Layer (SSL) and Transport Layer Security
SNMP public,
Authorized IP Managers
Secure Management VLAN
ACLs for Management Access Protection
TAC ACS + Authentication
unrestricted
none This feature uses IP addresses and masks to determine
disabled This feature creates an isolated network for managing
none ACLs can also be configured to protect management
disabled This application uses a central server to allow or deny
Security Guidelines More Information and
(TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
whether to allow management access to the switch across the network through the following :
• Telnet and other terminal emulation applications
• The WebAgent
• SNMP (with a correct community name)
the HP switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN.
access by blocking inbound IP traffic that has the switch itself as the destination IP address.
access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch’s serial (console) port or remotely, with Telnet.
If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.
Configuration Details
“Quick Start: Using the Management Interface Wizard” on page 1-11
Chapter 9, “Configuring Secure Socket Layer (SSL)”
“SNMP Security Guidelines” on page 1-14
“Quick Start: Using the Management Interface Wizard” on page 1-11
Management and Configuration Guide, Chapter 14, refer to the section “Using SNMP Tools To Manage the Switch”
Chapter 15, “Using Authorized IP Managers”
Advanced Traffic Management Guide, refer to the chapter “Static Virtual LANs (VLANs)”
“Access Control Lists (ACLs)” on page 1-8
Chapter 10, “IPv4 Access Control Lists (ACLs)”
Chapter 5, “TACACS+ Authentication”
1-5
Security Overview
Access Security Features
Feature Default
Setting
RADIUS Authentication
802.1X Access Control
Web and MAC Authentication
disabled For each authorized client, RADIUS can be used to
none This feature provides port-based or user-based
none These options are designed for application on the edge
Security Guidelines More Information and
Configuration Details
authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.
authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:
• user-based access control supporting up to 32 authenticated clients per port
• port-based access control allowing authentication by a single client to open the port
• switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches
of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option.
Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network.
Chapter 6, “RADIUS Authentication and Accounting”
Chapter 13 “Configuring Port-Based and User-Based Access Control (802.1X)”
Chapter 4, “Web and MAC Authentication”
Network Security Features
This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters.
Table 1-2. Network Security—Default Settings and Security Guidelines

Feature: Secure File Transfers
Default Setting: not applicable
Security Guidelines: Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices.
More Information and Configuration Details: Management and Configuration Guide, Appendix A “File Transfers”, refer to the section “Using Secure Copy and SFTP”.

Feature: USB Autorun
Default Setting: enabled (disabled once a password has been set)
Security Guidelines: Used in conjunction with HP E-PCM Plus, this feature allows diagnosis and automated updates to the switch via the USB flash drive. When enabled in secure mode, this is done with secure credentials to prevent tampering. Note that the USB Autorun feature is disabled automatically, once a password has been set on the switch.
More Information and Configuration Details: Management and Configuration Guide, Appendix A “File Transfers”, refer to the section “USB Autorun”.

Feature: Traffic/Security Filters
Default Setting: none
Security Guidelines: These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
• source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
• multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.
• protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.
More Information and Configuration Details: Chapter 12, “Traffic/Security Filters and Monitors”.

Feature: Access Control Lists (ACLs)
Default Setting: none
Security Guidelines: ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:
• Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, WebAgent, and SNMP) for transactions between specific source and destination IP addresses.
• Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.
Note on ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
More Information and Configuration Details: Chapter 10, “IPv4 Access Control Lists (ACLs)”.

Feature: Port Security, MAC Lockdown, and MAC Lockout
Default Setting: none
Security Guidelines: The features listed below provide device-based access security in the following ways:
• Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.
• MAC lockdown: This “static addressing” feature is used as an alternative to port security to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.
• MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.
More Information and Configuration Details: Chapter 14, “Configuring and Monitoring Port Security”. See also “Precedence of Port-Based Security Options” on page 1-16.

Feature: Key Management System (KMS)
Default Setting: none
Security Guidelines: KMS is available in several HP switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
More Information and Configuration Details: Chapter 16, “Key Management System”.

Feature: Connection-Rate Filtering based on Virus-Throttling Technology
Default Setting: none
Security Guidelines: This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts.
More Information and Configuration Details: Chapter 3, “Virus Throttling (Connection-Rate Filtering)”.

Feature: ICMP Rate-Limiting
Default Setting: none
Security Guidelines: This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).
More Information and Configuration Details: Management and Configuration Guide, in the chapter on “Port Traffic Controls” refer to the section “ICMP Rate-Limiting”.

Feature: Spanning Tree Protection
Default Setting: none
Security Guidelines: These features prevent your switch from malicious attacks or configuration errors:
• BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
• STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.
More Information and Configuration Details: Advanced Traffic Management Guide, refer to the chapter “Multiple Instance Spanning-Tree Operation”.

Feature: DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown
Default Setting: none
Security Guidelines: These features provide the following additional protections for your network:
• DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.
• Dynamic ARP Protection: Protects your network from ARP cache poisoning.
• Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis.
• Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.
More Information and Configuration Details: Chapter 11, “Configuring Advanced Threat Protection”.
Getting Started with Access Security
HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, HP recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.
Switch management access is available through the following methods:
Front panel access to the console serial port (see “Physical Security”)
Inbound Telnet access
Web-browser access (WebAgent)
SNMP access
For guidelines on locking down your switch for remote management access, see “Quick Start: Using the Management Interface Wizard” on page 1-11.

Physical Security

Physical access to the switch allows the following:
• use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.
• use of the switch’s USB port for file transfers and autorun capabilities.
• use of the switch’s Clear and Reset buttons for these actions:
  • clearing (removing) local password protection
  • rebooting the switch
  • restoring the switch to the factory default configuration (and erasing any non-default configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access.
As additional precautions, you can do the following:
• Disable or re-enable the password-clearing function of the Clear button.
• Configure the Clear button to reboot the switch after clearing any local usernames and passwords.
• Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch’s factory default settings.
• Disable or re-enable password recovery.
• Disable USB autorun by setting a Manager password, or enable USB autorun in secure mode so that security credentials are required to use this feature.
For the commands used to configure the Clear and Reset buttons, refer to “Front-Panel Security” on page 2-23. For information on using USB Autorun, refer to the sections on “Using USB to Transfer Files to and from the Switch” and “Using USB Autorun” in the Management and Configuration Guide, Appendix A “File Transfers”.

Quick Start: Using the Management Interface Wizard

The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:
setting local passwords
restricting SNMP access
enabling/disabling Telnet
enabling/disabling SSH
enabling/disabling remote Web management (WebAgent)
restricting WebAgent access to SSL
enabling/disabling USB autorun
setting timeouts for SSH/Telnet sessions
The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI (see page 1-12) or the WebAgent (see page 1-13).
Note: The wizard’s security settings can also be configured using standard commands via the CLI, Menu, or WebAgent. For full details on preparing and configuring the switch for SSH and SSL operation, refer to chapters 8 and 9 respectively.
CLI: Management Interface Wizard
To configure security settings using the CLI wizard, follow the steps below:
1. At the command prompt, type setup mgmt-interfaces.
The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1.

Figure 1-1. Example of Management Interface Wizard Configuration

Welcome to the Management Interface Setup Wizard
This wizard will help you with the initial setup of the various management interfaces. The current values are shown in brackets[]. Type in a new value, or press <Enter> to keep the current value. Press CTRL-C at any time to quit the wizard without saving any changes. Press ? for help.

Operator password [not configured]:
Confirm password:
Manager password [*******]:
Confirm password:
Restrict SNMP access to SNMPv3 only [no]:
SNMPv2 community name [notpublic]:
SNMPv2 Community access level [unrestricted]:
Telnet enabled [yes]:
SSH enabled [no]:
Web management enabled [yes]:
Restrict Web access to SSL [no]:
Timeout for ssh/telnet sessions [0]:

Operator password :
Manager password :*******
Restrict SNMP access to SNMPv3 only :no
SNMPv2 community name :notpublic
SNMPv2 Community access level :unrestricted
Telnet enabled :yes
SSH enabled :no
Web management enabled :yes
Restrict Web access to SSL :no
Timeout for ssh/telnet sessions :0

Do you want to save these changes? [yes]:

Callouts in Figure 1-1:
• Current values are shown in brackets (password entries must be entered twice and will appear as asterisks). Type in a new value to change a setting, or press <Enter> to keep the current value.
• Summary of current settings (displayed after the last wizard option has been set).
• To save these settings, press [Enter]. To cancel any changes, type [n] (for no), then press [Enter].
2. When you enter the wizard, you have the following options:
To update a setting, type in a new value, or press [Enter] to keep the current value.
To quit the wizard without saving any changes, press [CTRL-C] at any time.
To access online Help for any option, press [?].
After you have gone through each setup option, the wizard displays the summary configuration together with a prompt to save the changes (see Figure 1-1 on page 1-12 for an example).
3. When the message appears asking if you want to save these changes, you have the following options:
To save your changes, press [Enter].
To cancel any changes without saving, type [n] and then press [Enter].
After pressing [Enter], the wizard exits to the command line prompt.
CLI Wizard: Operating Notes and Restrictions.
• Once a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command directly from the CLI.
• When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level will not appear.
• The wizard displays the first available SNMPv2 community and allows the user to modify the first community access parameters.
• The wizard creates a new SNMP community only when no communities have been configured on the switch.
• The USB Autorun feature is disabled as soon as an operator or manager password is set on the switch. Once a password has been set, the USB autorun option is no longer provided as part of the wizard.
WebAgent: Management Interface Wizard
To use the Management Interface wizard from the WebAgent, follow the steps below:
1. In the navigation tree, select Security.
2. Click on the Security Wizard. The Welcome window appears.
This page allows you to choose between two setup types:
• Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.
• Advanced—provides a single summary screen in which to configure all security settings at once.
Refer to the WebAgent Online Help for detailed information about using the Management Interface wizard.

SNMP Security Guidelines

In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options.
HP recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
SNMPv3 security options include:
• configuring device communities as a means for excluding management access by unauthorized stations
• configuring for access authentication and privacy
• reporting events to the switch CLI and to SNMP trap receivers
• restricting non-SNMPv3 agents to either read-only access or no access
• co-existing with SNMPv1 and v2c if necessary
SNMP Access to the Authentication Configuration MIB. A management station running an SNMP networked device management application, such as HP E-PCM Plus or HP OpenView, can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s authentication configuration (hpSwitchAuth). This means that the switch’s default configuration now allows SNMP access to security settings in hpSwitchAuth.
Note on SNMP Access to Authentication MIB
Downloading and booting from the K.12.xx or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch’s authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.
If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions:
• If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the K.12.xx or greater software for the first time, use the following command to disable this feature:
snmp-server mib hpswitchauthmib excluded
• If you choose to leave the authentication configuration MIB accessible, then you should do the following to help ensure that unauthorized workstations cannot use SNMP tools to access the MIB:
a. Configure SNMP version 3 management and access security on the switch.
b. Disable SNMP version 2c on the switch.
For details on this feature, refer to the section titled “Using SNMP To View and Configure Switch Authentication Features” on page 6-30.
For more information on configuring SNMP, refer to the section “Using SNMP Tools To Manage the Switch” in the chapter “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.
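The lockdown that the access-security table and the SNMP guidelines above describe can be checked offline against a saved running-config. The following Python script is an added example and is not part of this guide or of the switch software: it reads a configuration as text and reports each management-plane default the page recommends changing (Telnet, the HTTP WebAgent, SSH, SSL, the SNMP community name and access level, SNMPv1/v2c, and the hpSwitchAuth MIB). Both sample configurations are constructed. The commands no telnet-server, no web-management and snmp-server mib hpswitchauthmib excluded are the ones named on the page; the exact way the other settings appear in show running-config output (ip ssh, web-management ssl, snmpv3 only, the snmp-server community line) is an assumption of the example.

```python
"""Offline audit of an HP switch running-config for the management-plane
defaults discussed in the access-security table and SNMP guidelines.
Added example, not HP code."""
import re

# Constructed sample: a switch still close to its factory defaults. The
# comment line and the community line are assumed renderings of what
# `show running-config` prints; they are not taken from a real switch.
DEFAULT_CONFIG = """\
; J9573A Configuration Editor; Created on release #KA.15.03
hostname "edge-sw-01"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address dhcp-bootp
   exit
"""

# The same switch after the lockdown the page recommends (constructed).
# `no telnet-server`, `no web-management` and `snmp-server mib
# hpswitchauthmib excluded` are the commands named on the page; the
# `ip ssh`, `web-management ssl`, `snmpv3 ...` and community lines are
# assumed forms of the SSH, SSL and SNMPv3 settings.
HARDENED_CONFIG = """\
; J9573A Configuration Editor; Created on release #KA.15.03
hostname "edge-sw-01"
no telnet-server
no web-management
web-management ssl
ip ssh
snmpv3 enable
snmpv3 only
snmp-server mib hpswitchauthmib excluded
snmp-server community "netmon-ro" operator restricted
"""

COMMUNITY_RE = re.compile(
    r'snmp-server community "([^"]+)"'
    r'(?:\s+(operator|manager))?(?:\s+(restricted|unrestricted))?'
)


def config_lines(text):
    """Drop blank lines and `;` comments, and strip indentation."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith(";")]


def audit(text):
    """Return [(severity, check_id, message), ...] for one running-config.

    Every check is absence-based: the insecure behaviour is the factory
    default, so a setting counts as safe only when the config shows the
    command that disables or restricts it.
    """
    lines = config_lines(text)

    def present(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)

    findings = []
    if not present(r"no telnet-server"):
        findings.append(("high", "telnet-server",
                         "Telnet enabled: passwords cross the network in clear text"))
    if not present(r"no web-management"):
        findings.append(("high", "web-management", "HTTP WebAgent (port 80) enabled"))
        if not present(r"web-management ssl"):
            findings.append(("medium", "web-ssl", "WebAgent access not restricted to SSL/TLS"))
    if not present(r"ip ssh"):
        findings.append(("medium", "ip-ssh", "SSH not enabled: no encrypted alternative to Telnet"))

    v3_only = present(r"snmpv3 only")
    communities = [m.groups() for m in map(COMMUNITY_RE.fullmatch, lines) if m]
    for name, _level, access in communities:
        if name == "public":
            findings.append(("high", "snmp-default-community",
                             'default community name "public" still configured'))
        if access == "unrestricted":
            findings.append(("high", "snmp-write-community",
                             f'community "{name}" has unrestricted (read/write) access'))
    if communities and not v3_only:
        findings.append(("medium", "snmp-v1v2c",
                         "SNMPv1/v2c accepted: community names travel in clear text"))
    # The page offers two remedies: exclude the MIB, or run SNMPv3 only.
    if not v3_only and not present(r"snmp-server mib hpswitchauthmib excluded"):
        findings.append(("medium", "hpswitchauth",
                         "hpSwitchAuth MIB reachable over unprotected SNMP"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for severity, check, message in results:
            print(f"  [{severity:6}] {check}: {message}")
```

The checks are deliberately absence-based, because on this switch the insecure state is the default and therefore never appears as a line in the configuration; a config that simply lacks no telnet-server is a switch with Telnet open. Point the script at a copy of show running-config collected over SSH or SFTP rather than Telnet.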
Precedence of Security Options
This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.

Precedence of Port-Based Security Options

Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that exists among some security features.)
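The ordered list above can be read as a chain of checks that a frame passes through, with the first failing check deciding its fate. The Python model below is an added example, not HP code: the order and the meaning of each stage come from the text, while the data structures (a lockout set, a lockdown table mapping a MAC to its one allowed port and VLAN, a per-port authorized MAC list, and a list of authorized-manager networks) and the sample frames are assumptions made for illustration.

```python
"""Walk a frame through the port-based security options in the precedence
order given above, stopping at the first stage that drops it.
Added example; the data structures are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    enabled: bool = True
    # Port security: None means not configured (any MAC may use the port).
    authorized_macs: Optional[set] = None


@dataclass
class Switch:
    ports: dict
    mac_lockout: set = field(default_factory=set)            # MACs dropped on every port
    mac_lockdown: dict = field(default_factory=dict)         # MAC -> (port, vlan) it may use
    authorized_managers: list = field(default_factory=list)  # networks allowed to manage
    mgmt_ip: str = "10.0.0.2"                                # the switch's own address


@dataclass
class Frame:
    port: int
    vlan: int
    src_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def admit(frame, sw):
    """Return ("forward" | "drop", stage) where stage is the deciding check."""
    port = sw.ports[frame.port]
    if not port.enabled:                                     # 1. physical port
        return "drop", "disabled port"
    if frame.src_mac in sw.mac_lockout:                      # 2. MAC lockout (switch-wide)
        return "drop", "MAC lockout"
    lock = sw.mac_lockdown.get(frame.src_mac)                # 3. MAC lockdown
    if lock is not None and lock != (frame.port, frame.vlan):
        return "drop", "MAC lockdown"
    if port.authorized_macs is not None and frame.src_mac not in port.authorized_macs:
        return "drop", "port security"                       # 4. port security
    # 5. Authorized IP Managers governs management access only, i.e. IP
    #    traffic addressed to the switch itself, and only when configured.
    if frame.dst_ip == sw.mgmt_ip and sw.authorized_managers:
        src = ipaddress.ip_address(frame.src_ip)
        if not any(src in net for net in sw.authorized_managers):
            return "drop", "authorized IP managers"
    return "forward", "higher-layer features"                # 6. e.g. SSH


def demo():
    """Constructed switch state and frames; returns the stage for each frame."""
    sw = Switch(
        ports={1: Port(), 2: Port(enabled=False), 3: Port(authorized_macs={"00:11:22:33:44:55"})},
        mac_lockout={"de:ad:be:ef:00:01"},
        # The locked-out MAC also has a lockdown entry: lockout is checked first.
        mac_lockdown={"00:11:22:33:44:55": (3, 10), "de:ad:be:ef:00:01": (1, 10)},
        authorized_managers=[ipaddress.ip_network("10.0.0.0/24")],
    )
    frames = [
        Frame(2, 10, "aa:bb:cc:dd:ee:01"),                               # disabled port
        Frame(1, 10, "de:ad:be:ef:00:01"),                               # MAC lockout
        Frame(1, 10, "00:11:22:33:44:55"),                               # wrong port for lockdown
        Frame(3, 10, "00:11:22:33:44:66"),                               # not in port-security list
        Frame(3, 10, "00:11:22:33:44:55", "192.168.5.9", "10.0.0.2"),   # mgmt from outside
        Frame(3, 10, "00:11:22:33:44:55", "10.0.0.77", "10.0.0.2"),     # mgmt from allowed net
        Frame(1, 20, "aa:bb:cc:dd:ee:ff"),                               # ordinary user traffic
    ]
    return [admit(f, sw) for f in frames]


if __name__ == "__main__":
    for verdict, stage in demo():
        print(f"{verdict:8} {stage}")
```

The point the model makes is that a later, more specific feature never gets a say once an earlier one has dropped the frame: a MAC with a valid lockdown entry is still silenced everywhere if it is in the lockout list, and Authorized IP Managers is only consulted for traffic to the switch itself.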

Precedence of Client-Based Authentication: Dynamic Configuration Arbiter

The Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.
A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:
Untagged client VLAN ID
Tagged VLAN IDs
Per-port CoS (802.1p) priority
Per-port rate-limiting on inbound traffic
Client-based ACLs
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:
1. Attribute profiles applied through the Network Immunity network-management application using SNMP (see “Network Immunity Manager”)
2. 802.1X authentication parameters (RADIUS-assigned)
3. Web- or MAC-authentication parameters (RADIUS-assigned)
4. Local, statically-configured parameters
Although RADIUS-assigned settings are never applied to ports for non­authenticated clients, the Dynamic Configuration Arbiter allows you to configure and assign client-specific port configurations to non-authenticated clients, provided that a client’s MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.
DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.
Network Immunity Manager
Network Immunity Manager (NIM) is a plug-in to HP E-PCM Plus and a key component of the HP Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the HP network edge. NIM allows you to apply policy-based actions to minimize the negative impact of a client’s behavior on the network. For example, using NIM you can apply a client-specific profile that adds or modifies per-port rate-limiting and VLAN ID assignments.
Note: NIM actions only support the configuration of per-port rate-limiting and VLAN ID assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.
NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters in an authentication session. When the NIM-applied action is removed, the previously applied client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have been other configuration changes to the parameter. In this way, NIM allows you to minimize network problems without manual intervention.
NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client’s MAC address is known in the switch’s forwarding database.
The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS -assigned and statically configured parameters are supported and if they are supported on a per-port or per-client basis.
A NIM policy accesses the hpicfUsrProfileMIB through SNMP to perform the following actions:
• Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.
• Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.
Note that the attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.
For information on Network Immunity Manager, go to the HP Networking Web site at www.hp.com/solutions.
Arbitrating Client-Specific Attributes
In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication are assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.
DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:
1. NIM access policy (applied through SNMP)
2. RADIUS-assigned
   a. 802.1X authentication
   b. Web or MAC authentication
3. Statically (local) configured
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
For example, NIM may configure only rate-limiting for a specified client session, while RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be applied. In this case, DCA applies the NIM-configured rate-limiting value and the RADIUS-assigned VLAN (if there are no other conflicts).
Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide basis. For example, if multiple clients authenticate on a port and a rate-limiting assignment by a newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply any of the following attributes:
Apply only the latest rate-limiting value assigned to all clients.
Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).
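As an added illustration (not HP switch code) of the per-parameter merge described above, the following Python resolver picks, for each parameter independently, the value from the highest-precedence level that sets it, and shows the fallback that occurs when NIM later withdraws its parameters. The level and parameter names are this example's own.

```python
"""Per-parameter precedence merge for client-specific authentication parameters.

Added illustration of the DCA hierarchy described above, not HP switch code.
Levels from highest to lowest precedence: NIM access policy (SNMP), RADIUS
802.1X, RADIUS Web/MAC, static local configuration. Level and parameter
names are this example's own."""
from typing import Dict

# Sources ordered from most to least authoritative.
PRECEDENCE = ("nim", "radius_8021x", "radius_webmac", "local")

Params = Dict[str, object]                 # e.g. {"untagged_vlan": 20}
Resolved = Dict[str, Dict[str, object]]    # {param: {"value": v, "source": level}}


def resolve_session(levels: Dict[str, Params]) -> Resolved:
    """Merge the per-level parameter sets into one client session.

    Each parameter is decided independently: the highest-precedence level
    that sets it wins, and a level that says nothing about a parameter does
    not block a lower level from supplying it (so a NIM rate limit and a
    RADIUS VLAN coexist, as in the text's example)."""
    unknown = set(levels) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown parameter source(s): {sorted(unknown)}")
    resolved: Resolved = {}
    # Walk from lowest to highest precedence so that higher levels overwrite.
    for source in reversed(PRECEDENCE):
        for param, value in levels.get(source, {}).items():
            resolved[param] = {"value": value, "source": source}
    return resolved


def remove_level(levels: Dict[str, Params], source: str) -> Resolved:
    """Model a level withdrawing its parameters (for example NIM removing a
    threat-response policy): the session falls back, parameter by parameter,
    to whichever remaining level is next in the hierarchy."""
    remaining = {name: params for name, params in levels.items() if name != source}
    return resolve_session(remaining)


if __name__ == "__main__":
    # The guide's example: NIM sets only rate-limiting, RADIUS (802.1X) sets
    # both an untagged VLAN and a rate limit; values are constructed.
    session = {
        "nim": {"rate_limit_kbps": 1000},
        "radius_8021x": {"untagged_vlan": 20, "rate_limit_kbps": 5000},
        "local": {"untagged_vlan": 1},
    }
    for param, pick in resolve_session(session).items():
        print(f"{param}: {pick['value']} (from {pick['source']})")
    print("after NIM policy removed:", remove_level(session, "nim")["rate_limit_kbps"])
```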
For information about how to configure RADIUS-assigned and locally configured authentication settings, refer to:
RADIUS-assigned 802.1X authentication: “Configuring Port-Based and User-Based Access Control (802.1X)” on page 13-1.
RADIUS-assigned Web or MAC authentication: “Web and MAC Authentication” on page 4-1.
RADIUS-assigned CoS, rate-limiting, and ACLs: “Configuring RADIUS Server Support for Switch Services” on page 7-1.
Statically (local) configured: “Configuring Username and Password Security” on page 2-1.
HP Identity-Driven Manager (IDM)
IDM is a plug-in to HP E-PCM Plus and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Using IDM, a system administrator can configure automatic and dynamic security to operate at the network edge when a user connects to the network. This operation enables the network to:
approve or deny access at the edge of the network instead of in the core;
distinguish among different users and what each is authorized to do;
configure guest access without compromising internal security.
Criteria for enforcing RADIUS-based security for IDM applications include classifiers such as:
authorized user identity
authorized device identity (MAC address)
software running on the device
physical location in the network
time of day
Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a given client and device.
For more information on IDM, go to the HP Web site at www.hp.com/solutions, click on Security.

Configuring Username and Password Security

Overview

Feature                      Default    Menu       CLI        WebAgent
Set Usernames                none       -          -          page 2-9
Set a Password               none       page 2-4   page 2-6   page 2-9
Delete Password Protection   n/a        page 2-5   page 2-6   page 2-9
show front-panel-security    n/a        -          page 1-13  -
front-panel-security         -          -          page 1-13  -
password-clear               enabled    -          page 1-13  -
reset-on-clear               disabled   -          page 1-14  -
factory-reset                enabled    -          page 1-15  -
password-recovery            enabled    -          page 1-15  -
Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
Notes: Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the WebAgent.
Usernames and passwords for Manager and Operator access can also be configured using SNMP. For more information, refer to “Using SNMP To View and Configure Switch Authentication Features” on page 6-30.
Usernames and passwords for Manager and Operator access can also be configured using the Management Interface Wizard. For more information, refer to “Quick Start: Using the Management Interface Wizard” on page 1-11.
Level      Actions Permitted
Manager:   Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Operator:  Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable for your system).
2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.
If you set a Manager password, you may also want to configure an inactivity timer. This causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access. You can use either of the following to set the inactivity timer:
Menu Interface: System Information screen (Select “2. Switch Configuration.”)
CLI: Use the console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120 > command.
Notes: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and WebAgent.
If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
If the switch has a password for both the Manager and Operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.
Passwords are case-sensitive.
When configuring an operator or manager password, a message will appear indicating that (USB) autorun has been disabled. For more information on the autorun feature, refer to Appendix A, “File Transfers”, in the Management and Configuration Guide for your switch.
Caution: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the WebAgent can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this chapter covers how to:
Set passwords
Delete passwords
Recover from a lost password
Maintain front-panel security
Configuring Local Password Security

Menu: Setting Passwords

As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the WebAgent.
1. From the Main Menu select:
3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
   a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password.
   b. Type a password of up to 16 ASCII characters with no spaces and press [Enter]. (Remember that passwords are case-sensitive.)
   c. When prompted with Enter new password again, retype the new password and press [Enter].
After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or WebAgent to configure an optional username, the switch will prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Yes, then press [Enter].
5. Press [Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second. This action deletes all passwords and usernames (Manager and Operator) used by both the console and the WebAgent.
(Figure 2-1 callouts: password entries appear as asterisks; you must type the password entry twice; press [Y] (for yes) and press [Enter].)

CLI: Setting Passwords and Usernames

Commands Used in This Section: password (see below).

Configuring Manager and Operator Passwords.

Note: The password command has changed. You can now configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File” on page 2-10 of this guide.
Syntax: [ no ] password <manager | operator | all | port-access> [ user-name ASCII-STR ] [<plaintext | sha1> ASCII-STR]
Figure 2-2. Example of Configuring Manager and Operator Passwords
To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:
Figure 2-3. Removing a Password and Associated Username from the Switch
The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
If you want to remove both operator and manager password protection, use the no password all command.
Username and Password Length. The limit on username and password length is 64 characters for the following authentication methods:
Front-end—WEB User Interface, SSH, and Telnet
Back-end—RADIUS, TACACS+, and Local
General Rules for Usernames and Passwords
Usernames and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:
A through Z uppercase characters
a through z lower case characters
0 through 9 numeric characters
Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ? (see Restrictions, below)
The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example “The little brown fox”. A space is not allowed as part of a username without the quotes. A password that includes a space or spaces should not have quotes.
Restrictions for the Setmib Command
Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.
Quotes are permitted for enclosing other characters, for example, a username or password of abcd can be enclosed in quotes “abcd” without the quotes becoming part of the username or password itself. Quotes can also be inserted between other characters of a username or password, for example, ab”cd. A pair of quotes enclosing characters followed by any additional characters is invalid, for example, “abc”d.
Spaces are allowed in usernames and passwords. The username or password must be enclosed in quotes, for example, “one two three”. A blank space or spaces between quotes is allowed, for example, “ ”.
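The following validator is an added example (not HP code) that applies the rules above to a credential exactly as it would be typed: the ASCII 33-126 character set, the 64-character limit, and the quoting rules, so that “abcd”, ab”cd and “one two three” are accepted while “abc”d and an unquoted two-word string are rejected. The legacy_compatible() helper additionally applies the 16-character, letters-and-digits-only limit that this chapter's downgrade procedure requires; treating "no special characters" as alphanumeric-only is this example's interpretation.

```python
"""Validate a username or password token against the rules in this section.

Added example, not HP code. parse_credential() follows the character-set,
length and quoting rules stated above; legacy_compatible() checks the stricter
pre-long-password limits described in this chapter's downgrade procedure."""
from typing import Tuple

MAX_LEN = 64                                   # long-password limit stated above
PRINTABLE = {chr(c) for c in range(33, 127)}   # ASCII 33-126 (no space)


def parse_credential(token: str) -> Tuple[bool, str]:
    """Return (ok, stored_value_or_reason).

    `token` is the credential exactly as typed, including any enclosing quotes;
    enclosing quotes are removed from the stored value, embedded ones are kept."""
    if token.startswith('"'):
        # An opening quote must be matched by a closing quote at the very end:
        # "abcd" and "one two three" are fine, "abc"d is rejected.
        if len(token) < 2 or not token.endswith('"'):
            return False, "opening quote without a closing quote at the end"
        value, quoted = token[1:-1], True
    else:
        value, quoted = token, False          # ab"cd keeps its embedded quote
    if not value and not quoted:
        return False, "empty credential"
    if " " in value and not quoted:
        return False, "spaces are only allowed inside quotes"
    bad = sorted({ch for ch in value if ch != " " and ch not in PRINTABLE})
    if bad:
        return False, f"characters outside ASCII 33-126: {bad!r}"
    if len(value) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    return True, value


def legacy_compatible(value: str) -> bool:
    """True if the stored value also satisfies the pre-long-password rules
    (at most 16 characters, ASCII letters and digits only), so that it survives
    a downgrade to software without long-password support."""
    return len(value) <= 16 and value.isascii() and value.isalnum()


if __name__ == "__main__":
    for sample in ('"abcd"', 'ab"cd', '"abc"d', '"one two three"', "one two", '" "'):
        ok, result = parse_credential(sample)
        status = "accepted" if ok else "rejected"
        print(f"{sample!r}: {status} ({result!r}, legacy ok: {ok and legacy_compatible(result)})")
```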
Additional Restrictions
Some authentication servers prevent the usage of special symbols such as the backslash (\) and quotes (“”). The switch allows the use of these symbols in configurable credentials, but using them may limit access for some users who may use different client software. Please refer to the vendor’s documentation for specific information about these restrictions.
Operating Notes on Upgrading or Downgrading Software Versions
When you update software from a version that does not support long passwords to a version that supports long passwords, the existing usernames and passwords continue to be there; no further action is required.
Before downgrading to a software version that does not include this feature, use one of the following procedures:
1. Reset the username and/or password to be no more than 16 characters in length, and without any special characters, using the CLI command password or the equivalent in the WebAgent. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled).
   HP Switch(config)# password manager
   New password: ********
   Please retype new password: *******
   HP Switch(config)# write mem
Or
2. Execute the CLI command no password all. This clears all the passwords. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled).
   HP Switch(config)# no password all
   Password protections will be deleted, do you want to continue [y/n]? y
   HP Switch(config)# write mem
Or
3. Clear the password by using the "Clear" button on the switch. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled).
If You Cannot Access the Switch Using the Previous Password
If you cannot access the switch after a software version downgrade, clear the password by using the "Clear" button on the switch to regain access. Then boot into a software version that supports long passwords, and perform steps 1, 2, or 3 in the preceding section.

WebAgent: Setting Passwords and Usernames

In the WebAgent you can enter passwords and (optional) usernames. See the WebAgent Online Help for detailed information.
Saving Security Credentials in a Config File
You can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials command (formerly this information was stored only in internal flash memory):
Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or WebAgent
SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords
Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch
TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+ servers
RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with RADIUS servers
Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch.

Benefits of Saving Security Credentials

The benefits of including and saving security credentials in a configuration file are as follows:
After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.
By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files with different software versions, refer to the following:
The chapter on “Switch Memory and Configuration” in the Management and Configuration Guide.
“Configuring Local Password Security” on page 2-4 in this guide.

Enabling the Storage and Display of Security Credentials

To enable the security settings, enter the include-credentials command.
Syntax: [no] include-credentials
Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public-keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
show running-config: Displays the configuration settings in the current running-config file.
write terminal: Displays the configuration settings in the current running-config file.
For more information, refer to “Switch Memory and Configuration” in the Management and Configuration Guide.
The “no” form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.
Default: The security credentials described in “Security Settings that Can Be Saved” on page 2-12 are not stored in the running configuration.

Security Settings that Can Be Saved

The security settings that can be saved to a configuration file are:
Local manager and operator passwords and user names
SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings
802.1X port-access passwords and usernames
TACACS+ encryption keys
RADIUS shared secret (encryption) keys
Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch

Local Manager and Operator Passwords

The information saved to the running-config file when the include-credentials command is entered includes:
password manager [user-name <name>] <hash-type> <pass-hash>
password operator [user-name <name>] <hash-type> <pass-hash>
where <name> is an alphanumeric string for the user name assigned to the manager or operator. <hash-type> indicates the type of hash algorithm used: SHA-1 or plain text. <pass-hash> is the SHA-1 authentication protocol’s hash of the password or clear ASCII text.
For example, a manager username and password may be stored in a running-config file as follows:
password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file.
Caution: If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet, the serial port, or WebAgent with full manager privileges.

Password Command Options

The password command has the following options:
Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password>
Set or clear a local username/password for a given access level.
manager: configures access to the switch with manager-level privileges.
operator: configures access to the switch with operator-level privileges.
port-access: configures access to the switch through 802.1X authentication with operator-level privileges.
user-name <name>: the optional text string of the user name associated with the password.
<hash-type>: specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1
<password>: the clear ASCII text string or SHA-1 hash of the password.
You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format. However, manager and operator passwords are displayed and saved in a configuration file only in hashed format; port-access passwords are displayed and saved only as plain ASCII text.
After you enter the complete command syntax, the password is set. You are not prompted to enter the password a second time.
This command enhancement allows you to configure manager, operator, and 802.1X port-access passwords in only one step (instead of entering the password command and then being prompted twice to enter the actual password).
For more information about configuring local manager and operator passwords, refer to “Configuring Username and Password Security” on page 2-1 in this guide.
For more information about configuring a port-access password for 802.1X client authentication, see “802.1X Port-Access Credentials” on page 2-15 in this guide.
SNMP Security Credentials

SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command.
In addition, the following SNMPv3 security parameters are also saved:
snmpv3 user “<name>” [auth <md5|sha> “<auth-pass>”] [priv “<priv-pass>”]
where: <name> is the name of an SNMPv3 management station. [auth <md5 | sha>] is the (optional) authentication method used for the management station. <auth-pass> is the hashed authentication password used with the configured authentication method. [priv <priv-pass>] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station.
The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file:
snmpv3 user boris \
   auth md5 “9e4cfef901f21cf9d21079debeca453” \
   priv “82ca4dc99e782db1a1e914f5d8f16824”
snmpv3 user alan \
   auth sha “8db06202b8f293e9bc0c00ac98cf91099708ecdf” \
   priv “5bc4313e9fd7c2953aaea9406764fe8bb629a538”
Figure 2-4. Example of Security Credentials Saved in the Running-Config
Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in the preceding example.
For more information about the configuration of SNMP security parameters, refer to the chapter on “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.

802.1X Port-Access Credentials

802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch.
802.1X supplicant credentials are used by the switch to establish a point-to-point connection to a port on another 802.1X-aware switch. Only 802.1X authenticator credentials are stored in a configuration file. For information about how to use 802.1X on the switch both as an authenticator and a supplicant, see “Configuring Port-Based and Client-Based Access Control (802.1X)” in this guide.
The local password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the local operator username and password used as 802.1X authentication credentials for access to the switch.
The password port-access values are now configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options” on page 2-13.
After you enter the complete password port-access command syntax, the password is set. You are not prompted to enter the password a second time.

TACACS+ Encryption Key Authentication

You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
Remote passwords assigned in a TACACS+ server
Local manager and operator passwords configured on the switch.
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a TACACS+ server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 5-1 in this guide.
TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command:
HP Switch(config)# tacacs-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.

RADIUS Shared-Secret Key Authentication

You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, WebAgent, console, or port-access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 6-14 in this guide.
RADIUS shared secret (encryption) keys can be saved in a configuration file by entering this command:
HP Switch(config)# radius-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific RADIUS server.

SSH Client Public-Key Authentication

Secure Shell version 2 (SSHv2) is used by HP switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet­like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, refer to “Configuring Secure Shell (SSH)” on page 8-1 in this guide.
The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key.
Syntax: ip ssh public-key <manager |operator> keystring
Set a key for public-key authentication.
manager: allows manager-level access using SSH public-key authentication.
operator: allows operator-level access using SSH public-key authentication.
keystring: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following restrictions for a keystring apply:
A keystring cannot contain both single and double quotes.
A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backslash at the end of each line.
Note: The ip ssh public-key command allows you to configure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch.
If you download a software configuration file that contains SSH client public-key configurations, the downloaded public-keys overwrite any existing keys, as happens with any other configured values.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file:
... include-credentials
ip ssh public-key manager “ssh-dss \
AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \
EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \
BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \
K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \
pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \
EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \
gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \
G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \
imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \
LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov” \
ip ssh public-key manager ‘ssh-rsa \
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \
JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \
oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \
M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \
nobody@testmachine, Mon Aug 15 2005 14:47:34]”’
ip ssh public-key manager “ssh-rsa \
AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \
+SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \
NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \
qPFj1zdI4sIo5bDett2d0= joe@hp.com”
...
Figure 2-5. Example of SSH Public Keys
If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
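The following audit script is an added example (not HP tooling) that reads a running-config dump of the kind this section has shown (password manager/operator/port-access lines, snmpv3 user lines, and backslash-continued ip ssh public-key lines) and reports the risks described here: a config that carries credentials but no manager password, manager or operator passwords not stored as SHA-1 hashes, port-access passwords present in clear text, and more than ten SSH client keys. The sample config is constructed (only the George SHA-1 line is the guide's own example), and the rule used to reassemble a line ending in a backslash is this example's assumption, since the page does not state the switch's exact rule.

```python
"""Audit an include-credentials running-config for the risks this chapter describes.

Added example, not HP code. SAMPLE_CONFIG is constructed here; only the George
SHA-1 line is the guide's own example. Assumed continuation rule: a trailing
backslash is dropped together with the newline and the next line's leading
whitespace (the page does not specify the switch's exact reassembly rule)."""
import re
import shlex
from typing import List, Tuple

SAMPLE_CONFIG = """\
include-credentials
password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
password port-access user-name dot1xuser plaintext constructed-secret
snmpv3 user alan \\
   auth sha "8db06202b8f293e9bc0c00ac98cf91099708ecdf" \\
   priv "5bc4313e9fd7c2953aaea9406764fe8bb629a538"
radius-server key constructed-radius-secret
ip ssh public-key manager "ssh-rsa \\
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedKeyMaterialOnly\\
NotARealKey== alan@example.com"
"""

SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")
MAX_SSH_KEYS = 10          # limit stated in this section


def join_continuations(text: str) -> List[str]:
    """Reassemble commands that the switch wraps with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]
        else:
            lines.append(buf + piece)
            buf = ""
    if buf:                  # dangling continuation at end of file
        lines.append(buf)
    return lines


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a running-config dump."""
    findings: List[Tuple[str, str]] = []
    has_manager = False
    other_credentials = 0    # non-password credentials present in the file
    ssh_keys = 0
    for line in join_continuations(config_text):
        if not line.strip():
            continue
        tok = shlex.split(line)
        if tok[0] == "password" and len(tok) >= 4:
            # user-name <name> is optional, so hash-type and secret are the last two tokens
            level, hash_type, secret = tok[1], tok[-2], tok[-1]
            if level == "manager":
                has_manager = True
            if level in ("manager", "operator"):
                # management passwords are expected only in hashed form
                hashed = hash_type.lower().replace("-", "") == "sha1" and SHA1_HEX.fullmatch(secret)
                if not hashed:
                    findings.append(("PLAINTEXT_MGMT_PASSWORD",
                                     f"{level} password is not stored as a SHA-1 hash"))
            elif level == "port-access":
                # the switch saves 802.1X port-access credentials only as plain ASCII text
                findings.append(("PLAINTEXT_PORT_ACCESS",
                                 "802.1X port-access password is in clear text; protect config copies"))
        elif tok[:2] == ["snmpv3", "user"] or tok[:2] in (["radius-server", "key"],
                                                          ["tacacs-server", "key"]):
            other_credentials += 1
        elif tok[:3] == ["ip", "ssh", "public-key"]:
            other_credentials += 1
            ssh_keys += 1
    if other_credentials and not has_manager:
        # the Caution in this chapter: credentials present but no manager password
        findings.append(("NO_MANAGER_PASSWORD",
                         "credentials present but no manager password: console, Telnet and "
                         "WebAgent access is granted with full manager privileges"))
    if ssh_keys > MAX_SSH_KEYS:
        findings.append(("SSH_KEY_LIMIT",
                         f"{ssh_keys} SSH client keys; the switch supports at most {MAX_SSH_KEYS}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```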

Operating Notes

Caution: When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration. The message reminds you that if you do not save the current values of these security settings from the running configuration, they will be lost the next time you boot the switch and will revert to the values stored in the startup configuration.
When you boot a switch with a startup configuration file that contains the include-credentials command, any security credentials that are stored in internal flash memory are ignored and erased. The switch will load only the security settings in the startup configuration file.
Security settings are no longer automatically saved internally in flash memory and loaded with the startup configuration when a switch boots up. The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off. A warning message reminds you to permanently save a security setting.
After you enter the include-credentials command, the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public-keys are saved in the running configuration.
Use the no include-credentials command to disable the display and copying of these security parameters from the running configuration (using the show running-config and copy running-config commands), without disabling the configured security settings on the switch.
After you enter the include-credentials command, you can toggle between the non-display and display of security credentials in show and copy command output by alternately entering the no include-credentials and include-credentials commands.
After you permanently save security configurations to the current startup-config file using the write memory command, you can view and manage security settings with the following commands:
show config: Displays the configuration settings in the current startup-config file.
copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
copy config tftp: Uploads a configuration file from the switch to a TFTP server.
copy tftp config: Downloads a configuration file from a TFTP server to the switch.
copy config xmodem: Uploads a configuration file from the switch to an Xmodem host.
copy xmodem config: Downloads a configuration file from an Xmodem host to the switch.
For more information, see “Transferring Startup-Config Files To or From a Remote Server” in the Management and Configuration Guide.
The switch can store up to three configuration files. Each configuration file contains its own security credentials and these security configurations may differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported.
If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the include-credentials command, the Reset-on-clear option is disabled. When you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The reset-on-clear option normally reboots the switch when you press the Clear button.)
For more information about the Reset-on-clear option and other front-panel security features, see “Configuring Front-Panel Security” on page 2-26 in this guide.

Restrictions

The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally, for example, on the switch or on an SSH client device.
SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security parameters in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here:
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.)
If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch:
The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want.
Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example:
snmpv3 user boris
snmpv3 user alan
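Added example (not from the guide or from HP) of a pre-flight check for the engine-ID restriction just described: given the saved configuration and the engine ID read from show snmpv3 engine-id on the target switch, it reports whether the SNMPv3 users in the file will load with their authentication and privacy passwords or will need them configured again with snmpv3 user. The configuration text is a constructed sample; the user lines carry only the names because the check does not depend on the credential syntax.

```python
import re

ENGINE_ID_LINE = re.compile(r"^\s*snmpv3 engine-id\s+(\S+)", re.MULTILINE)
USER_LINE = re.compile(r"^\s*snmpv3 user\s+(\S+)(.*)$", re.MULTILINE)


def normalize_engine_id(engine_id):
    """Compare engine IDs as plain hex: ignore case, colons and spaces."""
    return re.sub(r"[:\s]", "", engine_id).lower()


def snmpv3_preflight(config_text, target_engine_id):
    """Predict what loading this saved configuration does to the SNMPv3
    users on the target switch. target_engine_id is the value the operator
    reads from `show snmpv3 engine-id` on the target (assumed pasted in)."""
    m = ENGINE_ID_LINE.search(config_text)
    file_engine_id = m.group(1) if m else None
    users = [name for name, _rest in USER_LINE.findall(config_text)]
    matches = (file_engine_id is not None
               and normalize_engine_id(file_engine_id)
               == normalize_engine_id(target_engine_id))
    return {
        "file_engine_id": file_engine_id,
        "engine_id_matches": matches,
        "users": users,
        # on a mismatch the users are created without auth/priv passwords
        "users_needing_passwords": [] if matches else users,
    }


# Constructed sample of the SNMPv3 portion of a saved configuration. The
# engine-id value is the one shown in the guide; the user lines carry only
# the names, since this check does not need the credential syntax.
SAVED_CONFIG = """\
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
snmpv3 user boris
snmpv3 user alan
"""

if __name__ == "__main__":
    same = snmpv3_preflight(SAVED_CONFIG, "00:00:00:0b:00:00:08:00:09:01:10:01")
    other = snmpv3_preflight(SAVED_CONFIG, "00:00:00:0b:00:00:08:00:09:01:10:02")
    print("same switch, users needing passwords: ", same["users_needing_passwords"])
    print("other switch, users needing passwords:", other["users_needing_passwords"])
```

A non-empty users_needing_passwords list before a copy tftp config to a replacement switch is the cue to schedule the snmpv3 user commands for after the file is loaded, rather than discovering the unauthenticated users afterwards.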
You can store 802.1X authenticator (port-access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.
The local operator password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command.
Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch. For more information about how to use the password port-access command to configure operator passwords and usernames for 802.1X authentication, see “Do These Steps Before You Configure 802.1X Operation” on page 13-13 in this guide.

Front-Panel Security

The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.
The front-panel security features are designed to prevent malicious users from:
Resetting the password(s) by pressing the Clear button
Restoring the factory default configuration by using the Reset+Clear button combination.
Gaining management access to the switch by having physical access to the switch itself

When Security Is Important

Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key. For some customers this is no longer true. Others simply want the added assurance that even if someone did manage to get to the switch that data would still remain secure.
If you do not invoke front-panel security on the switch, user-defined passwords can be deleted by pushing the Clear button on the front panel. This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords. This does, however, leave the switch vulnerable when it is located in an area where non-authorized people have access to it. Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.
As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.

Front-Panel Button Functions

The System Support Module (SSM) of the switch includes the System Reset button and the Clear button. When using redundant management, the System Reset button reboots the entire chassis. (See “Resetting the Management Module” in the Management and Configuration Guide for more information on resetting the management modules in a redundant management switch.)
Figure 2-6. Front-Panel Button Locations on an HP E3800 Switch
Clear Button
Pressing the Clear button alone for one second resets the password(s) configured on the switch.
Figure 2-7. Press the Clear Button for One Second To Reset the Password(s)
Reset Button
Pressing the Reset button alone for one second causes the switch to reboot.
Figure 2-8. Press and hold the Reset Button for One Second To Reboot the Switch
Restoring the Factory Default Configuration
You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this:
1. Press and hold the Reset button.
2. While holding the Reset button, press and hold the Clear button.
3. Release the Reset button.
4. When the Test LED to the right of the Clear button begins flashing, release the Clear button.
It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.

Configuring Front-Panel Security

Using the front-panel-security command from the global configuration context in the CLI you can:
Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch. (This action affects the Clear button when used alone, but does not affect the operation of the Reset+Clear combination described under “Restoring the Factory Default Configuration” on page 2-25.)
Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared.
Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.)
Disable or re-enable Password Recovery.
Syntax: show front-panel-security
Displays the current front-panel-security settings:
Clear Password: Shows the status of the Clear button on the front panel of the switch. Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch (and thus removes local password protection from the switch). Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch. (Default: Enabled.)
Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch. (Enabling reset-on-clear automatically enables clear-password.) (Default: Disabled.)
Note: If you have stored security credentials (including the local manager and operator usernames and passwords) to the running config file by entering the include-credentials command, the Reset-on-clear option is ignored. If you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the startup configuration file, but the switch does not reboot. For more information about storing security credentials, see “Saving Security Credentials in a Config File” on page 2-10 in this guide.
Factory Reset: Shows the status of the System Reset button on the front panel of the switch. Enabled means that pressing the System Reset button reboots the switch and also enables the System Reset button to be used with the Clear button (page 2-25) to reset the switch to its factory-default configuration. (Default: Enabled.)
Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.)
For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings.
Figure 2-9. The Default Front-Panel Security Settings
CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security. If you disable password-recovery and then lose the password, you will have to use the Reset and Clear buttons (page 2-25) to reset the switch to its factory-default configuration and create a new password.
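Added example (not from the guide or from HP): a Python parser for show front-panel-security output with an audit of what each setting means for someone who has physical access to the switch, and a check for the hardened profile (Clear button and factory reset disabled, password recovery left enabled). The two output samples are constructed approximations of the switch’s display; the regular expression only assumes a “name - Enabled/Disabled” line layout.

```python
import re

# Constructed approximation of `show front-panel-security` output. The exact
# layout on the switch may differ; the parser only relies on "name - value".
DEFAULT_OUTPUT = """\
 Clear Password    - Enabled
 Reset-on-clear    - Disabled
 Factory Reset     - Enabled
 Password Recovery - Enabled
"""

# Same display after no front-panel-security password-clear and
# no front-panel-security factory-reset (reset-on-clear is then not shown).
HARDENED_OUTPUT = """\
 Clear Password    - Disabled
 Factory Reset     - Disabled
 Password Recovery - Enabled
"""

SETTING_LINE = re.compile(
    r"^\s*([A-Za-z][A-Za-z -]*?)\s*[-:]\s*(Enabled|Disabled)\s*$", re.I)


def parse_front_panel(output):
    """Map each setting name (lower-cased) to True=Enabled / False=Disabled."""
    state = {}
    for line in output.splitlines():
        m = SETTING_LINE.match(line)
        if m:
            state[m.group(1).strip().lower()] = m.group(2).lower() == "enabled"
    return state


def audit_front_panel(state):
    """List the physical-access exposures and inconsistencies the settings imply."""
    findings = []
    clear_pw = state.get("clear password")
    factory = state.get("factory reset")
    recovery = state.get("password recovery")
    if clear_pw:
        findings.append("Clear button erases local usernames/passwords: anyone with "
                        "physical access can remove password protection")
    if clear_pw is False and "reset-on-clear" in state:
        findings.append("reset-on-clear reported although Clear Password is disabled; "
                        "it is inoperable in that state")
    if factory:
        findings.append("Reset+Clear restores the factory-default configuration and "
                        "clears passwords (required only if password recovery is to "
                        "be disabled)")
    if recovery is False:
        findings.append("password recovery disabled: a lost manager password can only "
                        "be recovered by a Reset+Clear factory reset")
    if factory is False and recovery is False:
        findings.append("inconsistent: factory-reset and password-recovery cannot "
                        "both be disabled")
    return findings


def is_hardened(state):
    """Profile for a switch in an unsecured location: Clear button and factory
    reset disabled, with the HP password-recovery process left as the fallback."""
    return (state.get("clear password") is False
            and state.get("factory reset") is False
            and state.get("password recovery") is True)


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        st = parse_front_panel(text)
        print(name, "->", "hardened" if is_hardened(st) else "not hardened")
        for finding in audit_front_panel(st):
            print("  -", finding)
```

Feeding the real command output through parse_front_panel and is_hardened gives a one-line compliance check per switch; the audit text explains each non-default setting in terms of the button behaviour described in this section.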
Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reset-on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled.
Disabling the Clear Password Function of the Clear Button
Syntax: no front-panel-security password-clear
In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
For redundant management systems, this command only affects the active management module.
(Default: Enabled.)
Note: Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration, as described under “Restoring the Factory Default Configuration” on page 2-25.
This command displays a Caution message in the CLI. If you want to proceed with disabling the Clear button, type [Y]; otherwise type [N]. For example:
Figure 2-10. Example of Disabling the Clear Button and Displaying the New Configuration
Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation
Syntax: [no] front-panel-security password-clear reset-on-clear
This command does both of the following:
• Re-enables the password-clearing function of the Clear button on the switch’s front panel.
• Specifies whether the switch reboots if the Clear button is pressed.
To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option. Defaults:
– password-clear: Enabled.
– reset-on-clear: Disabled.
Thus:
• To enable password-clear with reset-on-clear disabled, use this syntax:
no front-panel-security password-clear reset-on-clear
• To enable password-clear with reset-on-clear also enabled, use this syntax:
front-panel-security password-clear reset-on-clear
(Either form of the command enables password-clear.)
For redundant management systems, this command only affects the active management module.
Note: If you disable password-clear and also disable the password-recovery option, you can still recover from a lost password by using the Reset+Clear button combination at reboot as described on page 2-25. Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password.
For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled).
Shows password-clear disabled.
Enables password-clear, with reset-on-clear disabled by the “no” statement at the beginning of the command.
Shows password-clear enabled, with reset-on-clear disabled.
Figure 2-11. Example of Re-Enabling the Clear Button’s Default Operation
Changing the Operation of the Reset+Clear Combination
In their default configuration, using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page 2-25 replaces the switch’s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch’s current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password. You can use the factory-reset command to prevent the Reset+Clear combination from being used for this purpose.
Syntax: [no] front-panel-security factory-reset
Disables or re-enables the following functions associated with using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page 2-25:
• Replacing the current startup-config file with the factory-default startup-config file
• Clearing any local usernames and passwords configured on the switch
(Default: Both functions enabled.) For redundant management systems, this command only affects the active management module.
Notes: The Reset+Clear button combination always reboots the switch, regardless of whether the “no” form of the command has been used to disable the above two functions. Also, if you disable factory-reset, you cannot disable the password-recovery option, and the reverse.
The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N].
Displays the current front-panel-security configuration, with Factory Reset disabled.
Completes the command to disable the factory reset option.
Figure 2-12. Example of Disabling the Factory Reset Option

Password Recovery

The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username (if configured) or password. Using Password Recovery requires:
password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation
Contacting your HP Customer Care Center to acquire a one-time-use password

Disabling or Re-Enabling the Password Recovery Process

Disabling the password recovery process means that the only method for recovering from a lost manager username (if configured) and password is to reset the switch to its factory-default configuration, which removes any non-default configuration settings.
Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
Syntax: [no] front-panel-security password-recovery
Enables or (using the “no” form of the command) disables the ability to recover a lost password.
When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password. When this feature is disabled, the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset+Clear button combination (page 2-25) to restore the switch to its factory default configuration.
Note: To disable password-recovery:
– You must have physical access to the front panel of the switch.
– The factory-reset parameter must be enabled (the default).
For redundant management systems, this command only affects the active management module.
(Default: Enabled.)
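Added example (not from the guide or from HP) that models the interdependencies between the front-panel-security commands stated in this and the preceding sections: re-enabling password-clear needs the reset-on-clear keyword, disabling password-clear makes reset-on-clear inoperable, factory-reset and password-recovery cannot both be disabled, reset-on-clear is ignored once include-credentials is in effect, and no front-panel-security password-recovery is accepted only within 60 seconds of a Clear press. A planned command sequence can be checked against it before it is typed on the console. The class and method names are assumptions made for the example; the rules are the guide’s.

```python
RECOVERY_WINDOW = 60.0  # seconds after a Clear press in which the disable command is accepted


class FrontPanelSecurity:
    """Constructed model of the front-panel-security command interactions.
    It is not switch code; it encodes the rules stated in the guide."""

    def __init__(self, include_credentials=False):
        self.password_clear = True
        self.reset_on_clear = False      # None = inoperable while password-clear is disabled
        self.factory_reset = True
        self.password_recovery = True
        self.include_credentials = include_credentials  # reset-on-clear ignored when True
        self.last_clear_press = None
        self.log = []

    def press_clear(self, now):
        """Model a short press of the Clear button at time `now` (seconds)."""
        self.last_clear_press = now
        if self.password_clear:
            reboots = bool(self.reset_on_clear) and not self.include_credentials
            self.log.append("Clear: local usernames/passwords erased"
                            + (", switch reboots" if reboots else ""))

    def apply(self, command, now=0.0):
        """Apply one CLI command; returns (accepted, message)."""
        negate = command.startswith("no ")
        words = (command[3:] if negate else command).split()
        if words[:1] != ["front-panel-security"]:
            return False, "not a front-panel-security command"
        arg = tuple(words[1:])
        if arg == ("password-clear",):
            if not negate:
                return False, "re-enabling password-clear requires the reset-on-clear keyword"
            self.password_clear, self.reset_on_clear = False, None
        elif arg == ("password-clear", "reset-on-clear"):
            # either form re-enables password-clear; "no" only clears reset-on-clear
            self.password_clear, self.reset_on_clear = True, not negate
        elif arg == ("factory-reset",):
            if negate and not self.password_recovery:
                return False, "cannot disable factory-reset while password-recovery is disabled"
            self.factory_reset = not negate
        elif arg == ("password-recovery",):
            if negate:
                if not self.factory_reset:
                    return False, "factory-reset must be enabled before disabling password-recovery"
                if self.last_clear_press is None or now - self.last_clear_press > RECOVERY_WINDOW:
                    return False, "press the Clear button, then enter this command within 60 seconds"
            self.password_recovery = not negate
        else:
            return False, f"unrecognised parameters: {' '.join(arg)}"
        self.log.append(command)
        return True, "ok"


if __name__ == "__main__":
    s = FrontPanelSecurity()
    plan = ["no front-panel-security password-clear",
            "no front-panel-security factory-reset",
            "no front-panel-security password-recovery"]
    for cmd in plan:
        print(f"{cmd!r:55} -> {s.apply(cmd, now=5.0)}")
```

The sample plan in the main block ends with the rejection the switch itself would give: once factory-reset is disabled, password-recovery cannot be disabled as well, so a hardening plan has to choose one of the two fallbacks for a lost manager password.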
Steps for Disabling Password-Recovery.
1. Set the CLI to the global interface context.
2. Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory-reset command to enable it.
3. Press and release the Clear button on the front panel of the switch.
4. Within 60 seconds of pressing the Clear button, enter the following command:
no front-panel-security password-recovery
5. Do one of the following after the “CAUTION” message appears:
If you want to complete the command, press [Y] (for “Yes”).
If you want to abort the command, press [N] (for “No”).
Figure 2-13 shows an example of disabling the password-recovery parameter.
Figure 2-13. Example of the Steps for Disabling Password-Recovery

Password Recovery Process

If you have lost the switch’s manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP.
Note: If you have disabled password-recovery, which locks out the ability to recover a manager username/password pair on the switch, then the only way to recover from a lost manager username/password pair is to use the Reset+Clear button combination described under “Restoring the Factory Default Configuration” on page 2-25. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured.
To use the password-recovery option to recover a lost password:
1. Note the switch’s base MAC address. It is shown on the label located on the upper right front corner of the switch.
2. Contact your HP Customer Care Center for further assistance. Using the switch’s MAC address, the HP Customer Care Center will generate and provide a “one-time use” alternate password you can use to gain management access to the switch. Once you gain access, you can configure a new, known password.
Note: The alternate password provided by the HP Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the password will change as soon as you use the “one-time-use” password provided to you by the HP Customer Care Center.

Virus Throttling (Connection-Rate Filtering)

Overview of Connection-Rate Filtering

Feature                                  Default    Page Ref
Global Configuration and Sensitivity     Disabled   3-10
Per-Port Configuration                   None       3-11
Listing and Unblocking Blocked Hosts     n/a        3-15
Viewing the Current Configuration        n/a        3-14
Configuring Connection-Rate ACLs         None       3-17
The spread of malicious agents that exhibit worm-like behavior has severe implications for network performance. Damage can be as minimal as slowing down a network with excessive, unwanted traffic, or as serious as putting attacker-defined code on a system to cause any type of malicious damage that an authorized user could do.
Current methods to stop the propagation of malicious agents rely on use of signature recognition to prevent hosts from being infected. However, the latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.
Connection-rate filtering based on virus throttling technology is recommended for use on the edge of a network. It is primarily concerned with the class of worm-like malicious code that tries to replicate itself by using vulnerabilities on other hosts (that is, weaknesses in network applications behind unsecured ports). Agents of this variety operate by choosing a set of hosts to attack based on an address range (sequential or random) that is exhaustively searched, either by blindly attempting to make connections by rapidly sending datagrams to the address range, or by sending individual ICMP ping messages to the address range and listening for replies.
Connection-rate filtering exploits the network behavior of malicious code that tries to create a large number of outbound IP connections on an interface in a short time. When a host exhibits this behavior, warnings can be sent, and connection requests can be either throttled or dropped to minimize the barrage of subsequent traffic from the host. When enabled on the switch, connection-rate filtering can help reduce the impact of worm-like malicious code and give system administrators more time to isolate and eradicate the threat. Thus, while traditional worm and virus-signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited.

Features and Benefits

Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect and manage worm-type IT security threats received in inbound IP traffic. Major benefits of this tool include:
Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation.
Handles unknown worms.
Needs no signature updates.
Protects network infrastructure by slowing or stopping IP traffic from hosts exhibiting high connection-rate behavior.
Allows network and individual switches to continue to operate, even when under attack.
Provides Event Log and SNMP trap warnings when worm-like behavior is detected.
Gives IT staff more time to react before the threat escalates to a crisis.
Figure 3-1. Example of Protecting a Network from Agents Using a High IP Connection Rate To Propagate
[Figure 3-1: devices A, B, C and D are connected to an HP switch with connection-rate filtering configured and the block spreading option enabled. Device D is infected with worm-like malicious code; its port is blocked, and an SNMP trap and/or Event Log message is sent to the management station. Configuring connection-rate filtering on the switch protects the other devices on the network from the high connection-rate traffic (characteristic of worm attacks) that is detected on the edge port connected to device D.]
Note: When configured on a port, connection-rate filtering is triggered by IPv4 traffic received inbound with a relatively high rate of IP connection attempts.

General Operation

Connection-rate filtering enables notification of worm-like behavior detected in inbound IP traffic and, depending on how you configure the feature, also throttles or blocks such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.
Filtering Options
In the default configuration, connection-rate filtering is disabled. When enabled on a port, connection-rate filtering monitors inbound IP traffic for a high rate of connection requests from any given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period of time, the switch responds in one of the following ways, depending on how connection-rate filtering is configured:
Notify only (of potential attack): While the apparent attack continues, the switch generates an Event Log notice identifying the offending host’s source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
Throttle: In this case, the switch temporarily blocks inbound IP traffic from the offending host source IP address for a “penalty” period and generates an Event Log notice of this action and (if a trap receiver is configured on the switch) a similar SNMP trap notice. When the “penalty” period expires the switch re-evaluates the traffic from the host and continues to block this traffic if the apparent attack continues. (During the re-evaluation period, IP traffic from the host is allowed.)
Block: This option blocks all IP traffic from the host. When a block occurs, the switch generates an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap notice. Note that a network administrator must explicitly re-enable a host that has been previously blocked.
Sensitivity to Connection Rate Detection
The switch includes a global sensitivity setting that enables adjusting the ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source.
Application Options
For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents. However, when a legitimate network host generates multiple connections in a short period of time, connection-rate filtering may generate a “false positive” and treat the host as an infected client. Lowering the sensitivity or changing the filter mode may reduce the number of false positives. Conversely, relaxing filtering and sensitivity provisions lowers the switch’s ability to detect worm-generated traffic in the early stages of an attack, and should be carefully investigated and planned to ensure that a risky vulnerability is not created. As an alternative, you can use connection-rate ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective Enable. This option involves applying connection-rate filtering only to ports posing a significant risk of attack. For ports that are reasonably secure from attack, there may be little benefit in configuring them with connection-rate filtering.
3-4
Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering
Connection-Rate ACLs. The basic connection-rate filtering policy is configured per-port as notify-only, throttle, and block. A connection-rate ACL creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN. Note that connection-rate ACLs are useful only if you need to exclude inbound traffic from your connection-rate filtering policy. For example, a server responding to network demand may send a relatively high number of legitimate connection requests. This can generate a false positive by exhibiting the same elevated connection-rate behavior as a worm. Using a connection-rate ACL to apply an exception for this server allows you to exclude the trusted server from connection-rate filtering and thereby keep the server running without interruption.
Note Use connection-rate ACLs only when you need to exclude an IP traffic source (including traffic with specific UDP or TCP criteria) from a connection-rate filtering policy. Otherwise, the ACL is not necessary.

Operating Rules

• Connection-rate filtering does not operate on IPv6 traffic.
• Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts. After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block).
• When connection-rate filtering is configured on a port, the port cannot be added to, or removed from, a port trunk group. Before this can be done, connection-rate filtering must be disabled on the port.
• Where the switch is throttling or blocking inbound IP traffic from a host, any outbound traffic destined for that host is still permitted.
• Once a throttle has been triggered on a port—temporarily blocking inbound IP traffic—it cannot be undone during operation: the penalty period must expire before traffic will be allowed from the host.
Unblocking a Currently Blocked Host
A host blocked by connection-rate filtering remains blocked until explicitly unblocked by one of the following methods:
• Using the connection-rate-filter unblock command (page 3-15).
• Rebooting the switch.
• Disabling connection-rate filtering using the no connection-rate-filter command.
• Deleting a VLAN removes blocks on any hosts on that VLAN.
Note Changing a port setting from block to throttle, notify-only, or to no filter connection-rate, does not unblock a currently blocked host. Similarly, applying a connection-rate ACL will not unblock a currently blocked host. Refer to the above list for the correct methods to use to unblock a host.

General Configuration Guidelines
As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host.

For a network that is relatively attack-free:

1. Enable notify-only mode on the ports you want to monitor.
2. Set global sensitivity to low.
3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
4. Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high connection rates.
5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.
6. Hosts demonstrating high, but legitimate, connection rates, such as heavily used servers, may trigger a connection-rate filter. Configure connection-rate ACLs to create policy exceptions for trusted hosts. Exceptions can be configured for these criteria:
• A single source host or group of source hosts
• A source subnet
• Either of the above with TCP or UDP criteria
(For more on connection-rate ACLs, refer to “Application Options” on page 3-4.)
7. Increase the sensitivity to Medium and repeat steps 5 and 6.
Note On networks that are relatively infection-free, sensitivity levels above Medium are not recommended.
8. (Optional.) Enable throttle or block mode on the monitored ports.
Note On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate-filter unblock command.
9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code. (Refer to “Connection-Rate Log and Trap Messages” on page 3-30.)

For a network that appears to be under significant attack:

The steps are similar to the general steps for a network that is relatively attack free. The major difference is in policies suggested for managing hosts exhibiting high connection rates. This allows better network performance for unaffected hosts and helps to identify hosts that may require updates or patches to eliminate malicious code.
1. Configure connection-rate filtering to throttle on all ports.
2. Set global sensitivity to medium.
3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
4. Monitor the Event Log or the available SNMP trap receivers (if configured on the switch) to identify hosts exhibiting high connection rates.
5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.
6. On hosts you identify as needing attention to remove malicious behavior:
• To immediately halt an attack from a specific host, group of hosts, or a subnet, use the per-port block mode on the appropriate port(s).
• After gaining control of the situation, you can use connection-rate ACLs to more selectively manage traffic to allow receipt of normal traffic from reliable hosts.

Configuring Connection-Rate Filtering
Command                                                                   Page

Global and Per-Port Configuration
  connection-rate-filter sensitivity < low | medium | high | aggressive >  3-10
  filter connection-rate < port-list > < notify-only | throttle | block >  3-11
  show connection-rate-filter < blocked-host >
Unblocking Hosts
  connection-rate-filter unblock                                           3-16
Note As stated previously, connection-rate filtering is triggered by inbound IP traffic exhibiting a relatively high incidence of IP connection attempts from a single source.
Global and Per-Port Configuration
Use the commands in this section to enable connection-rate filtering on the switch and to apply the filtering on a per-port basis. (You can use the ACL commands in the next section to adjust a filter policy on a per-vlan basis to avoid filtering traffic from specific, trusted source addresses.)
Enabling Connection-Rate Filtering and Configuring Sensitivity
Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive >
no connection-rate-filter
This command:
• Enables connection-rate filtering.
• Sets the global sensitivity level at which the switch interprets a given host’s attempts to connect to a series of different devices as a possible attack by a malicious agent residing in the host.
Options for configuring sensitivity include:
low: Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds.
medium: Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.
high: Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.
aggressive: Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds.
The no connection-rate-filter command disables connection-rate filtering on the switch.
Note The sensitivity setting configured on the switch determines the Throttle mode penalty periods as shown in Table 3-1 on page 3-11.
Configuring the Per-Port Filtering Mode
Syntax: filter connection-rate < port-list > < notify-only | throttle | block >
no filter connection-rate < port-list >
Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source. The level at which the switch detects such traffic depends on the sensitivity setting configured by the connection-rate-filter sensitivity command (page 3-10). (Note: You can use connection-rate ACLs to create exceptions to the configured filtering policy. See “Configuring and Applying Connection-Rate ACLs” on page 3-17.) The no form of the command disables connection-rate filtering on the ports in < port-list >.
notify-only: If the switch detects a relatively high number of IP connection attempts from a specific host, notify-only generates an Event Log message and sends a similar message to any SNMP trap receivers configured on the switch.
throttle: If the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and also blocks all inbound traffic from the offending host for a penalty period. After the penalty period, the switch allows traffic from the offending host to resume, and re-examines the traffic. If the suspect behavior continues, the switch again blocks the traffic from the offending host and repeats the cycle. For the penalty periods, refer to table 3-1, below.
block: If the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and also blocks all inbound traffic from the offending host.
Table 3-1. Throttle Mode Penalty Periods

Throttle Mode  | Frequency of IP Connection    | Mean Number of New Destination | Penalty Period
(Sensitivity)  | Requests from the Same Source | Hosts in the Frequency Period  |
---------------+-------------------------------+--------------------------------+------------------
Low            | < 0.1 second                  | 54                             | < 30 seconds
Medium         | < 1.0 second                  | 37                             | 30 - 60 seconds
High           | < 1.0 second                  | 22                             | 60 - 90 seconds
Aggressive     | < 1.0 second                  | 15                             | 90 - 120 seconds
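The detection rule from Table 3-1 and the three per-port responses described above, written out as a runnable software model. This is an added example, not code from HP or the switch firmware; the host addresses, packet timings and the choice of the upper bound of each penalty range are constructed assumptions.

```python
from collections import deque

# Table 3-1: sensitivity -> (frequency window s, mean new destinations allowed,
# throttle penalty s); the upper bound of each penalty range is assumed here.
SENSITIVITY = {"low": (0.1, 54, 30), "medium": (1.0, 37, 60),
               "high": (1.0, 22, 90), "aggressive": (1.0, 15, 120)}

class ConnectionRateFilter:
    """Model of one port's connection-rate policy (added example, not HP switch code)."""

    def __init__(self, sensitivity, mode):
        self.window, self.threshold, self.penalty = SENSITIVITY[sensitivity]
        self.mode = mode      # "notify-only", "throttle" or "block"
        self.recent = {}      # src -> deque of (time, destination) seen in the window
        self.blocked = {}     # src -> release time; None means blocked until unblock()
        self.log = []         # stands in for the Event Log / SNMP trap

    def inbound(self, t, src, dst):
        """Return True if an inbound IP packet from src to dst is forwarded."""
        if src in self.blocked:
            release = self.blocked[src]
            if release is None or t < release:
                return False          # block mode, or throttle penalty still running
            del self.blocked[src]     # penalty expired: allow traffic and re-evaluate
        q = self.recent.setdefault(src, deque())
        while q and t - q[0][0] > self.window:
            q.popleft()               # forget observations outside the frequency window
        q.append((t, dst))
        if len({d for _, d in q}) > self.threshold:
            self.log.append(f"{t:.2f}s {self.mode}: high connection rate from {src}")
            q.clear()                 # start a fresh measurement after acting
            if self.mode == "throttle":
                self.blocked[src] = t + self.penalty
                return False
            if self.mode == "block":
                self.blocked[src] = None
                return False
        return True                   # notify-only never drops traffic

    def unblock(self, src):           # connection-rate-filter unblock equivalent
        self.blocked.pop(src, None)

def simulate(mode, sensitivity="aggressive"):
    """Constructed traffic: 10.0.0.7 probes 20 new hosts in 0.4 s (worm-like) and
    retries 200 s later; 10.0.0.8 sends 100 packets to one server (legitimate)."""
    crf = ConnectionRateFilter(sensitivity, mode)
    forwarded = sum(crf.inbound(0.02 * i, "10.0.0.7", f"10.0.1.{i + 1}") for i in range(20))
    retry = crf.inbound(200.0, "10.0.0.7", "10.0.1.99")
    client_ok = all(crf.inbound(0.01 * i, "10.0.0.8", "10.0.2.5") for i in range(100))
    return forwarded, retry, client_ok, len(crf.log)
```

Running simulate() for each mode shows the difference the text describes: notify-only forwards the burst and only logs, throttle drops it for the penalty period and then re-admits the host for re-evaluation, and block drops it until unblock() is called, while the single-server client is never affected.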
Example of a Basic Connection-Rate Filtering Configuration
[Figure 3-2 diagram: the HP Switch connects to the Company Intranet and to servers and downstream switches (labelled A through H) on VLAN 1 (15.45.100.1), VLAN 10 (15.45.200.1), and VLAN 15 (15.45.300.1) via ports B10, B11, B12, B13, B19, D21, and D22.]
Figure 3-2. Sample Network
Basic Configuration. Suppose that in the sample network, the administrator wanted to enable connection-rate filtering and configure the following response to high connection-rate traffic on the switch:
Ports B1 - B3: Throttle traffic from the transmitting host(s).
Port B4: Respond with Notify-Only to identify the transmitting host(s).
Ports B9, D1, and D2: Block traffic from the transmitting host(s).
Figure 3-3 illustrates the configuration steps and resulting startup-config file.
HP Switch(config)# connection-rate-filter sensitivity low
HP Switch(config)# filter connection-rate 10-12 throttle
HP Switch(config)# filter connection-rate 13 notify-only
HP Switch(config)# filter connection-rate 19,21-22 block
HP Switch(config)# write mem
HP Switch(config)# show config
Startup configuration:
; J9573A Configuration Editor; Created on release #KA.15.03
; Ver #01:00:01
hostname "HP Switch"
connection-rate-filter sensitivity low
module 1 type J9573x
ip routing
snmp-server community "public" Unrestricted
snmp-server host 15.45.200.75 "public"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-9, 14-24
   ip address 10.10.10.145 255.255.255.0
   no untagged 10-13, 21-22
   ip proxy-arp
   exit
vlan 10
   name "VLAN10"
   untagged 10-13
   no ip address
   ip proxy-arp
   exit
vlan 15
   name "VLAN15"
   untagged 21-22
   no ip address
   ip proxy-arp
   exit
filter connection-rate 14 notify-only
filter connection-rate 10-13 throttle
filter connection-rate 19,21-22 block
Enables connection-rate filtering and sets the sensitivity to “low”.
Indicates that connectivity-rate filtering is enabled at the “low” sensitivity setting.
Configures the desired responses to inbound, high connectivity-rate traffic on the various ports.
Shows the per-port configuration for the currently enabled connectivity-rate filtering.
Figure 3-3. Example of a Basic Connection-Rate Configuration
HP Switch(config)# show connection-rate-filter

Connection Rate Filter Configuration

Global Status: Enabled
Sensitivity: Low

Port        | Filter Mode
------------+----------------
 10         | THROTTLE
 11         | THROTTLE
 12         | THROTTLE
 13         | THROTTLE
 14         | NOTIFY-ONLY
 19         | BLOCK
 21         | BLOCK
Per-Port configuration for connection-rate filtering

Viewing and Managing Connection-Rate Status

The commands in this section describe how to:
View the current connection-rate configuration
List the currently blocked hosts
Unblock currently blocked hosts
Viewing Connection-Rate Configuration
Use the following command to view the basic connection-rate configuration. If you need to view connection-rate ACLs and/or any other switch configuration details, use show config or show running (page 3-15).
Syntax: show connection-rate-filter
Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the current per-port configuration. This command does not display the current (optional) connection-rate ACL configuration, if any.
Figure 3-4. Example of Displaying the Connection-Rate Status, Sensitivity, and Per-Port Configuration