HP E3800 Access Security Manual

HP Switch Software
E3800 switches
Software version KA.15.03 September 2011
HP Networking E3800 Switches
Access Security Guide
September 2011
KA.15.03
© Copyright 2008 - 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5998-2707 September 2011
Applicable Products
HP E3800-24G-PoE+-2SFP+ Switch J9573A
HP E3800-48G-PoE+-4SFP+ Switch J9574A
HP E3800-24G-2SFP+ Switch J9575A
HP E3800-48G-4SFP+ Switch J9576A
HP E3800-24GS-2XG tl Switch J9584A
HP E3800-24G-2XGT tl Switch J9585A
HP E3800-48G-4XGT tl Switch J9586A
HP E3800-24G-2XGT-PoE+ tl Switch J9587A
HP E3800-48G-4XGT-PoE+ tl Switch J9588A
HP E3800 4-port Stacking Module J9577A
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Software End User License Agreement and Hardware Limited Warranty
For the software end user license agreement and the hardware limited warranty information for HP Networking products, visit www.hp.com/networking/support.
Trademark Credits
Microsoft, Windows, and Microsoft Windows NT are US registered trademarks of Microsoft Corporation. Java™ is a US trademark of Sun Microsystems, Inc.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.hp.com

Contents

Product Documentation
About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Software Feature Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
1 Security Overview
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Getting Started with Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Quick Start: Using the Management Interface Wizard . . . . . . . . . . . . 1-11
CLI: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . . 1-12
WebAgent: Management Interface Wizard . . . . . . . . . . . . . . . . . . 1-13
SNMP Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Precedence of Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Precedence of Port-Based Security Options . . . . . . . . . . . . . . . . . . . . 1-16
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . 1-18
HP Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
2 Configuring Username and Password Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
WebAgent: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . 2-9
Saving Security Credentials in a Config File . . . . . . . . . . . . . . . . . . . 2-10
Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11
Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15
RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16
SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Disabling the Clear Password Function of the Clear Button . . . 2-29
Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . . . . . . . . . . 2-30
Changing the Operation of the Reset+Clear Combination . . . . . 2-31
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Disabling or Re-Enabling the Password Recovery Process . . . . . . . . 2-32
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
3 Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Sensitivity to Connection Rate Detection . . . . . . . . . . . . . . . . . . . . 3-4
Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Operating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Unblocking a Currently Blocked Host . . . . . . . . . . . . . . . . . . . . . . 3-6
General Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
For a network that is relatively attack-free: . . . . . . . . . . . . . . . . . . . . . 3-7
For a network that appears to be under significant attack: . . . . . . . . . 3-8
Configuring Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Global and Per-Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Enabling Connection-Rate Filtering and Configuring Sensitivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Configuring the Per-Port Filtering Mode . . . . . . . . . . . . . . . . . . . 3-11
Example of a Basic Connection-Rate Filtering Configuration . . 3-12
Viewing and Managing Connection-Rate Status . . . . . . . . . . . . . . . . . 3-14
Viewing Connection-Rate Configuration . . . . . . . . . . . . . . . . . . . 3-14
Listing Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Unblocking Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring and Applying Connection-Rate ACLs . . . . . . . . . . . . . . 3-17
Connection-Rate ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Configuring a Connection-Rate ACL Using Source IP Address Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Configuring a Connection-Rate ACL Using UDP/TCP Criteria . . . . . 3-21
Applying Connection-Rate ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Using CIDR Notation To Enter the ACE Mask . . . . . . . . . . . . . . . . . . 3-24
Example of Using an ACL in a Connection-Rate Configuration . . . . 3-25
Connection-Rate ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 3-27
4 Web and MAC Authentication
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 4-3
Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 4-3
RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 4-5
Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 4-12
Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 4-12
Configuring the RADIUS Server To Support MAC Authentication . . 4-15
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . 4-15
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Configuration Commands for Web Authentication . . . . . . . . . . . . . . 4-19
Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 4-26
Customizing Web Authentication HTML Files (Optional) . . . . . . . 4-32
Implementing Customized Web-Auth Pages . . . . . . . . . . . . . . . . . . . . 4-32
Operating Notes and Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Customizing HTML Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Customizable HTML Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 4-48
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 4-49
Configuring the Global MAC Authentication Password . . . . . . . 4-49
Configuring a MAC-based Address Format . . . . . . . . . . . . . . . . . 4-51
Configuring Custom Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54
Web Page Display of Access Denied Message . . . . . . . . . . . . . . . 4-56
HTTP Redirect When MAC Address Not Found . . . . . . . . . . . . . . . . . 4-59
How HTTP Redirect Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-60
Diagram of the Registration Process . . . . . . . . . . . . . . . . . . . . . . . 4-62
Using the Restrictive-Filter Option . . . . . . . . . . . . . . . . . . . . . . . . 4-63
Show Command Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-63
Reauthenticating a MAC-Auth Client . . . . . . . . . . . . . . . . . . . . . . . 4-63
Configuring the Registration Server URL . . . . . . . . . . . . . . . . . . . 4-64
Unconfiguring a MAC-Auth Registration Server . . . . . . . . . . . . . 4-64
Operating Notes for HTTP Redirect . . . . . . . . . . . . . . . . . . . . . . . 4-64
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 4-65
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71
5 TACACS+ Authentication
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 5-2
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 5-4
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 5-8
Viewing the Switch’s Current Authentication Configuration . . . . . . . 5-8
Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 5-10
Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 5-10
Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 5-13
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 5-17
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
General Authentication Process Using a TACACS+ Server . . . . . . . . 5-24
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
Controlling WebAgent Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 5-29
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30
6 RADIUS Authentication, Authorization, and Accounting
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 6-2
RADIUS-Administered Commands Authorization . . . . . . . . . . . . . . . . 6-2
SNMP Access to the Switch’s Authentication Configuration MIB . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 6-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 6-8
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 6-12
3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 6-14
4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 6-17
Using Multiple RADIUS Server Groups . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Enhanced Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Displaying the RADIUS Server Group Information . . . . . . . . . . . 6-24
Cached Reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Timing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
Using SNMP To View and Configure Switch Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30
Changing and Viewing the SNMP Access Configuration . . . . . . . . . . 6-31
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Controlling WebAgent Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35
Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-37
Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring Commands Authorization on a RADIUS Server . . . . . . 6-38
Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 6-38
Example Configuration on Cisco Secure ACS for MS Windows 6-40
Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 6-43
VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 6-44
Tagged and Untagged VLAN Attributes . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
Accounting Service Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-48
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 6-49
Acct-Session-ID Options in a Management Session . . . . . . . . . . . . . . 6-50
Unique Acct-Session-ID Operation . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Common Acct-Session-ID Operation . . . . . . . . . . . . . . . . . . . . . . . 6-52
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 6-53
1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 6-54
2. (Optional) Reconfigure the Acct-Session-ID Operation . . . . . 6-56
3. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 6-57
4. (Optional) Configure Session Blocking and Interim Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-61
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-64
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-66
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 6-67
Dynamic Removal of Authentication Limits . . . . . . . . . . . . . . . . . . . . 6-70
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
Configuring the RADIUS VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70
Displaying the Port-access Information . . . . . . . . . . . . . . . . . . . . . . . . 6-72
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73
7 Configuring RADIUS Server Support for Switch Services
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
RADIUS Client and Server Requirements . . . . . . . . . . . . . . . . . . . . 7-1
Optional PCM and IDM Network Management Applications . . . . 7-2
RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 7-5
Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . 7-7
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
Overview of RADIUS-Assigned, Dynamic ACLs . . . . . . . . . . . . . . . . . 7-14
Traffic Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Contrasting RADIUS-Assigned and Static ACLs . . . . . . . . . . . . . . . . . 7-16
How a RADIUS Server Applies a RADIUS-Assigned ACL to a Client on a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 7-19
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
Operating Rules for RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . 7-20
Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 7-22
Nas-Filter-Rule-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25
Example Using the Standard Attribute (92) In an IPv4 ACL . . . 7-27
Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs . . 7-29
Example Using HP VSA 61 To Assign IPv4 ACLs . . . . . . . . . . . . 7-32
To configure the above ACL, you would enter the username/password and ACE information shown in figure 7-11 into the FreeRADIUS “users” file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33
Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-34
Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . 7-35
Displaying the Current RADIUS-Assigned ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42
Causes of Client Deauthentication Immediately After Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42
Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-42
8 Configuring Secure Shell (SSH)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 8-8
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . . 8-9
Configuring Key Lengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 8-12
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 8-20
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 8-24
Further Information on SSH Client Public-Key Authentication . 8-25
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Logging Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
9 Configuring Secure Socket Layer (SSL)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 9-6
1. Assigning a Local Login (Operator) and Enabling (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . 9-6
To Generate or Erase the Switch’s Server Certificate with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Comments on Certificate Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Generate a Self-Signed Host Certificate with the WebAgent . . . 9-10
Generate a CA-Signed server host certificate with the WebAgent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 9-14
Using the WebAgent to Enable SSL . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
10 IPv4 Access Control Lists (ACLs)
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview of Options for Applying IPv4 ACLs on the Switch . . . . . 10-3
Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Command Summary for Standard IPv4 ACLs . . . . . . . . . . . . . . . . . . . 10-5
Command Summary for IPv4 Extended ACLs . . . . . . . . . . . . . . . . . . 10-6
Command Summary for Enabling, Disabling, and Displaying ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
Types of IPv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13
RACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
VACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Static Port ACL and RADIUS-Assigned ACL Applications . . . . 10-16
RADIUS-Assigned (Dynamic) Port ACL Applications . . . . . . . . 10-17
Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19
Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . 10-22
General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . 10-23
IPv4 Static ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26
Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
IPv4 Traffic Management and Improved Network Performance . . 10-29
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31
Guidelines for Planning the Structure of a Static ACL . . . . . . . . . . . 10-31
IPv4 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . 10-32
How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . 10-35
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-35
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36
Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . 10-40
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-40
General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . 10-40
Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41
ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41
Standard ACL Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42
Extended ACL Configuration Structure . . . . . . . . . . . . . . . . . . . 10-43
ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-45
The Sequence of Entries in an ACL Is Significant . . . . . . . . . . . 10-45
Allowing for the Implied Deny Function . . . . . . . . . . . . . . . . . . . 10-47
A Configured ACL Has No Effect Until You Apply It to an Interface . . . . . . . . . 10-47
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration . . . . . . . . . 10-47
Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
General ACE Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
Using CIDR Notation To Enter the IPv4 ACL Mask . . . . . . . . . 10-49
Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50
Command Summary for Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-50
Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-52
Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-55
Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-59
Command Summary for Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 10-59
Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 10-61
Configuring Numbered, Extended ACLs . . . . . . . . . . . . . . . . . . . 10-74
Adding or Removing an ACL Assignment On an Interface . . . . . . 10-81
Filtering Routed IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-81
Filtering IPv4 Traffic Inbound on a VLAN . . . . . . . . . . . . . . . . . . . . . 10-82
Filtering Inbound IPv4 Traffic Per Port . . . . . . . . . . . . . . . . . . . . . . . 10-83
Deleting an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-85
Editing an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86
Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-87
Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . 10-88
Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . 10-90
Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . 10-91
Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92
Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-95
Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . 10-97
Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-98
Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . 10-99
Display the RACL and VACL Assignments for a VLAN . . . . . . . . . 10-100
Display Static Port (and Trunk) ACL Assignments . . . . . . . . . . . . . 10-101
Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . 10-103
Display All ACLs and Their Assignments in the Routing Switch Startup-Config File and Running-Config File . . . . . . . . . 10-106
Creating or Editing ACLs Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
Creating or Editing an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
The Offline Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-107
Example of Using the Offline Process . . . . . . . . . . . . . . . . . . . . 10-108
Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-112
Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . 10-112
ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-113
Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . 10-114
Configuring the Logging Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-116
Monitoring Static ACL Performance . . . . . . . . . . . . . . . . . . . . . . . . . 10-117
Example of ACL Performance Monitoring . . . . . . . . . . . . . . . . 10-119
Example of Resetting ACE Hit Counters to Zero . . . . . . . . . . . 10-121
IPv6 Counter Operation with Multiple Interface Assignments 10-122
IPv4 Counter Operation with Multiple Interface Assignments 10-123
General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-128
11 Configuring Advanced Threat Protection
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Enabling DHCP Snooping on VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Configuring DHCP Snooping Trusted Ports . . . . . . . . . . . . . . . . . . . . 11-6
Configuring Authorized Server Addresses . . . . . . . . . . . . . . . . . . . . . . 11-7
Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . 11-8
Changing the Remote-id from a MAC to an IP Address . . . . . . 11-10
Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 11-10
The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Enabling Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Adding an IP-to-MAC Binding to the DHCP Database . . . . . . . . . . . 11-19
Configuring Additional Validation Checks on ARP Packets . . . . . . 11-20
Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 11-20
Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Protection Against IP Source Address Spoofing . . . . . . . . . . . . . . . . 11-23
Prerequisite: DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Filtering IP and MAC Addresses Per-Port and Per-VLAN . . . . . . . . 11-24
Enabling Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-25
Adding an IP-to-MAC Binding to the DHCP Binding Database . . . . 11-27
Potential Issues with Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Adding a Static Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Verifying the Dynamic IP Lockdown Configuration . . . . . . . . . . . . . 11-28
Displaying the Static Configuration of IP-to-MAC Bindings . . . . . . 11-29
Debugging Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Differences Between Switch Platforms . . . . . . . . . . . . . . . . . . . . . . . 11-31
Using the Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 11-33
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Configuring Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . 11-35
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Viewing the Current Instrumentation Monitor Configuration . . . . . 11-37
12 Traffic/Security Filters and Monitors
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . 12-3
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . 12-6
Defining and Configuring Named Source-Port Filters . . . . . . . . 12-6
Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 12-8
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 12-17
Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 12-18
Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . 12-18
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . 12-20
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22
13 Configuring Port-Based and User-Based Access Control (802.1X)
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 13-1
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-3
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 13-4
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 13-8
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 13-8
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 13-11
General Setup Procedure for 802.1X Access Control . . . . . . . . . . 13-13
Do These Steps Before You Configure 802.1X Operation . . . . . . . . 13-13
Overview: Configuring 802.1X Authentication on the Switch . . . . . 13-16
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . 13-17
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 13-18
A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication . . . . . . . . . 13-18
B. Specify User-Based Authentication or Return to Port-Based Authentication . . . . . . . . . 13-19
Example: Configuring User-Based 802.1X Authentication . . . . 13-20
Example: Configuring Port-Based 802.1X Authentication . . . . 13-20
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 13-21
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 13-24
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 13-25
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 13-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 13-27
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 13-27
Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-29
Example: Configuring 802.1X Controlled Directions . . . . . . . . 13-29
Unauthenticated VLAN Access (Guest VLAN Access) . . . . . . . . . . . 13-29
Characteristics of Mixed Port Access Mode . . . . . . . . . . . . . . . . 13-30
Configuring Mixed Port Access Mode . . . . . . . . . . . . . . . . . . . . . 13-31
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 13-33
Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . . 13-39
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 13-43
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 13-48
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . 13-49
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-50
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . 13-51
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-51
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-53
Displaying 802.1X Configuration, Statistics, and Counters . . . . 13-55
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 13-55
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 13-64
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 13-68
How RADIUS/802.1X Authentication Affects VLAN Operation . 13-69
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-70
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-70
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . . . . . . 13-72
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . . . . . 13-75
14 Configuring and Monitoring Port Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Eavesdrop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Disabling Eavesdrop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Feature Interactions When Eavesdrop Prevention is Disabled . 14-4
MIB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7
Port Security Command Options and Operation . . . . . . . . . . . . . . . . 14-8
Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-12
Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-23
Differences Between MAC Lockdown and Port Security . . . . . . . . 14-24
MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 14-26
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-27
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-31
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 14-34
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-35
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 14-35
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . 14-36
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 14-38
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-39
15 Using Authorized IP Managers
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 15-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 15-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 15-6
Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 15-6
Configuring IP Authorized Managers for the Switch . . . . . . . . . . 15-7
WebAgent: Configuring IP Authorized Managers . . . . . . . . . . . . . . . 15-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-10
How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . 15-10
Using a Web Proxy Server to Access the WebAgent . . . . . . . . . 15-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-11
Configuring One Station Per Authorized Manager IP Entry . . . . . . 15-11
Configuring Multiple Stations Per Authorized Manager IP Entry . . 15-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 15-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-14
16 Key Management System
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 16-2
Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 16-3
Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 16-5

Product Documentation

Note: For the latest version of all HP switch documentation, including Release Notes covering recently added features, visit the HP Networking Web site at www.hp.com/Networking/support
Electronic Publications
The latest version of each of the publications listed below is available in PDF format on the HP Web site, as described in the Note at the top of this page.
Installation and Getting Started Guide—Explains how to prepare and perform the physical installation and connect the switch to your network.
Basic Operation Guide—Covers basic switch operating features, including set-up, user interfaces, memory and configuration, interface access (including console operation), system information, and IP addressing.
Management and Configuration Guide—Describes how to configure, manage, and monitor basic switch operation.
Advanced Traffic Management Guide—Explains how to configure traffic management features such as VLANs, MSTP, QoS, and Meshing.
Multicast and Routing Guide—Explains how to configure IGMP, PIM, IP routing, and VRRP features.
Access Security Guide—Explains how to configure access security features and user authentication on the switch.
IPv6 Configuration Guide—Describes the IPv6 protocol operations that are supported on the switch.
Command Line Interface Reference Guide—Provides a comprehensive description of CLI commands, syntax, and operations.
Event Log Message Reference Guide—Provides a comprehensive description of event log messages.
Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the main product guide.

Software Feature Index

For the software manual set supporting your E3800 switch model, this feature index indicates which manual to consult for information on a given software feature.
Software Features / Manual
Manual columns: Management and Configuration Guide; Advanced Traffic Management Guide; Multicast and Routing Guide; Access Security Guide; IPv6 Configuration Guide; Basic Operation Guide. An X marks the manual that documents the feature.

802.1Q VLAN Tagging X
802.1X Port-Based Priority X
802.1X Multiple Authenticated Clients Per Port X
Access Control Lists (ACLs) X
Access Control Lists (ACLs) (IPv6) X
AAA Authentication X
Authorized IP Managers X
Authorized IP Managers (IPv6) X
Authorized Manager List (Web, Telnet, TFTP) X
Auto MDIX Configuration X
BOOTP X
Config File X
Console Access X
Copy Command X
Core Dump X
CoS (Class of Service) X
Debug X
DHCP Configuration X
DHCPv6 Relay X
DHCP Option 82 X
DHCP Snooping X
DHCP/Bootp Operation X
Diagnostic Tools X
Diagnostics and Troubleshooting (IPv6) X
Distributed Trunking X
Downloading Software X
Dynamic ARP Protection X
Dynamic Configuration Arbiter X
Dynamic IP Lockdown X
Eavesdrop Protection X
Equal Cost Multi-Path (ECMP) X
Event Log X
Factory Default Settings X
Flow Control (802.3x) X
File Management X
File Transfers X
Friendly Port Names X
Guaranteed Minimum Bandwidth (GMB) X
GVRP X
Identity-Driven Management (IDM) X
IGMP X
Interface Access (Telnet, Console/Serial, Web) X
IP Addressing X
IPv6 Addressing X
IP Preserve (IPv6) X
IP Routing X
IPv6 Static Routing X
Jumbo Packets X
Key Management System (KMS) X
LACP X
LLDP X
LLDP-MED X
Loop Protection X
MAC Address Management X
MAC Lockdown X
MAC Lockout X
MAC-based Authentication X
Management VLAN X
Management Security (IPv6) X
Meshing X
MLD Snooping (IPv6) X
Monitoring and Analysis X
Multicast Filtering X
Multiple Configuration Files X
Network Management Applications (SNMP) X
Nonstop Switching (8200zl switches) X
Out-of-Band Management (OOBM) X
OpenView Device Management X
OSPFv2 (IPv4) X
OSPFv3 (IPv6) X
Passwords and Password Clear Protection X
PCM/PCM+ X
PIM-DM (Dense Mode) X
PIM-SM (Sparse Mode) X
Ping X
Port Configuration X
Port Monitoring X
Port Security X
Port Status X
Port Trunking (LACP) X
Port-Based Access Control (802.1X) X
Power over Ethernet (PoE and PoE+) X
Protocol Filters X
Protocol VLANs X
QinQ (Provider Bridging) X
Quality of Service (QoS) X
RADIUS Authentication and Accounting X
RADIUS-Based Configuration X
Rate-Limiting X
RIP X
RMON 1,2,3,9 X
Routing X
Routing - IP Static X
Route Redistribution X
SavePower Features X
Secure Copy X
Secure Copy (IPv6) X
Secure FTP (IPv6) X
sFlow X
SFTP X
SNMPv3 X
SNMP (IPv6) X
Software Downloads (SCP/SFTP, TFTP, Xmodem) X
Source-Port Filters X
Spanning Tree (STP, RSTP, MSTP) X
SSHv2 (Secure Shell) Encryption X
SSH (IPv6) X
SSL (Secure Socket Layer) X
Stack Management (Stacking) X
Syslog X
System Information X
TACACS+ Authentication X
Telnet Access X
Telnet (IPv6) X
TFTP X
Time Protocols (TimeP, SNTP) X
Time Protocols (IPv6) X
Traffic Mirroring X
Traffic/Security Filters X
Troubleshooting X
Uni-Directional Link Detection (UDLD) X
UDP Forwarder X
USB Device Support X
Virus Throttling (Connection-Rate Filtering) X
VLANs X
VLAN Mirroring (1 static VLAN) X
Voice VLAN X
VRRP X
Web Authentication RADIUS Support X
Web-based Authentication X
Web UI X