HP PROCURVE W.14.03 User Manual

2910al

ProCurve Switches

W.14.03

Access Security Guide

www.procurve.com

HP ProCurve 2910al Switch

Access Security Guide

February 2009

W.14.03

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another langauge without the prior written consent of Hewlett-Packard.

Publication Number

5992-5439 February 2009

Applicable Products

HP ProCurve 2910al-24G Switch J9145A HP ProCurve 2910al-48G Switch J9147A HP ProCurve 2910al-24G-PoE+ Switch J9146A HP ProCurve 2910al-48G-PoE+ Switch J9148A

HP ProCurve 2-Port 10-GbE SFP+ al Module J9008A HP ProCurve 2-Port 10-GbE CX4 al Module J9149A HP ProCurve 10-GbE al Interconnect Kit J9165A

Trademark Credits

Microsoft, Windows, and Microsoft Windows NT are U.S. registered trademarks of Microsoft Corporation.

Software Credits and Notices

SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit www.openssh.com.

SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit www.openssl.org.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Portions of the software on ProCurve switches are based on the lightweight TCP/IP (lwIP) software toolkit by Adam Dunkels, and are covered by the following notices.

Copyright © 2001-2003 Swedish Institute of Computer Science. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials

provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software written by Adam Dunkels (adam@sics.se).

Disclaimer

The information contained in this document is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551

www.procurve.com

Product Documentation

About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Software Feature Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

1 Security Overview

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Getting Started with Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Quick Start: Using the Management Interface Wizard . . . . . . . . . . . . 1-11

CLI: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Web: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . 1-13

SNMP Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Precedence of Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Port-Based Security Options . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Client-Based Authentication:

Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . 1-20

ProCurve Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . 1-22

iii

2 Configuring Username and Password Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9

SNMP: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . 2-9

Saving Security Credentials in a

Config File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11

Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12

Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15

RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16

SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25

Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25

Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

Disabling the Clear Password Function of the Clear Button

on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29

Re-Enabling the Clear Button on the Switch’s Front Panel

and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30

Changing the Operation of the Reset+Clear Combination . . . . . 2-31

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32

Disabling or Re-Enabling the Password Recovery Process . . . . 2-32

Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34

3 Web and MAC Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 3-3

Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 3-4

RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-5

Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 3-13

Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 3-13

Configuring the RADIUS Server To Support MAC Authentication . . 3-15

Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-16

Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Configuration Commands for Web Authentication . . . . . . . . . . . . . . 3-19

Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 3-26

Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 3-32

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32

Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-33

Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-36

Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42

4 TACACS+ Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3

General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5

Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9

Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9

Viewing the Switch’s Current TACACS+

Server Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-11

Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 4-11

Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 4-13

Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-18

How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

General Authentication Process Using a TACACS+ Server . . . . . . . . 4-24

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Controlling Web Browser Interface

Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . 4-27

Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 4-28

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

5 RADIUS Authentication and Accounting

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4

SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-8

Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-9

1. Configure Authentication for the Access Methods

You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 5-13

3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-15

4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-17

Using SNMP To View and Configure

Switch Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Changing and Viewing the SNMP Access Configuration . . . . . . . . . . 5-22

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 5-25

Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26

Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Configuring Commands Authorization on a RADIUS Server . . . . . . 5-28

Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 5-28

Example Configuration on Cisco Secure ACS for MS Windows 5-30

Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 5-32

Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34

Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35

Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-37

Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-37

1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 5-38

2. Configure Accounting Types and the Controls for

Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . . . . . . 5-40

3. (Optional) Configure Session Blocking and

Interim Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42

Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43

vii

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43

RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45

RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46

Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 5-47

Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 5-50

6 Configuring RADIUS Server Support

for Switch Services

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

RADIUS Server Configuration for

Per-Port CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . 6-4

Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 6-5

Viewing the Currently Active Per-Port CoS and Rate-Limiting

Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . . . . . 6-6

Configuring and Using RADIUS-Assigned Access Control Lists . . . 6-9

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Overview of RADIUS-Assigned, Dynamic ACLs . . . . . . . . . . . . . . . . . 6-12

Contrasting Dynamic (RADIUS-Assigned) and

Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

How a RADIUS Server Applies a RADIUS-Assigned

ACL to a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14

General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 6-15

The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Operating Rules for RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . 6-17

Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 6-17

Nas-Filter-Rule-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Configuring ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . 6-19

Example Using the Standard Attribute (92) In an IPv4 ACL . . . 6-20

Example of Configuring a RADIUS-assigned ACL Using the

FreeRADIUS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

Format Details for ACEs Configured in a

RADIUS-Assigned ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

viii

Configuring the Switch To Support RADIUS-Assigned

ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

Displaying the Current RADIUS-Assigned ACL Activity

on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

ICMP Type Numbers and Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29

Causes of Client Deauthentication Immediately

After Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30

Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30

7 Configuring Secure Shell (SSH)

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Terminology

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Steps for Configuring and Using SSH

for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 7-8

1. Assigning a Local Login (Operator) and

Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . . 7-9

3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 7-12

4. Enabling SSH on the Switch and Anticipating SSH

Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15

5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 7-19

6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 7-23

Further Information on SSH Client Public-Key Authentication . 7-23

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

Logging Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Configuring Key Lengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12

8 Configuring Secure Socket Layer (SSL)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Overview

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

Steps for Configuring and Using SSL for Switch and Client

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 8-7

1. Assigning a Local Login (Operator) and

Enabling (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 8-8

3. Enabling SSL on the Switch and Anticipating SSL

Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

To Generate or Erase the Switch’s Server Certificate

with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

Comments on Certificate Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

Generate a Self-Signed Host Certificate with the Web

browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12

Generate a CA-Signed server host certificate with the

Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15

Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 8-19

Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 8-19

Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

9 IPv4 Access Control Lists (ACLs)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Overview of Options for Applying IPv4 ACLs on the Switch . . . . . . 9-6

Static ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Types of IPv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Static Port ACL and Dynamic Port ACL Applications . . . . . . . . . 9-15

Dynamic (RADIUS-assigned) Port ACL Applications . . . . . . . . . 9-15

Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16

Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . . 9-16

General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . . 9-18

IPv4 Static ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24

IPv4 Traffic Management and Improved Network Performance . . . 9-24

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25

Guidelines for Planning the Structure of a Static ACL . . . . . . . . . . . . 9-26

IPv4 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . 9-27

How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-28

What Is the Difference Between Network (or Subnet)

Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . . 9-28

Rules for Defining a Match Between a Packet and an

Access Control Entry (ACE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29

Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . . 9-34

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34

General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . . 9-34

Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

Standard ACL Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36

Extended ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . 9-37

ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39

The Sequence of Entries in an ACL Is Significant . . . . . . . . . . . . 9-39

Allowing for the Implied Deny Function . . . . . . . . . . . . . . . . . . . . 9-41

A Configured ACL Has No Effect Until You Apply It

to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41

You Can Assign an ACL Name or Number to an Interface

Even if the ACL Does Not Exist in the Switch’s Configuration . 9-41

Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42

General ACE Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42

Using CIDR Notation To Enter the IPv4 ACL Mask . . . . . . . . . . 9-43

Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44

Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-46

Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-49

Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-53

Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-55

Configuring Numbered, Extended ACLs . . . . . . . . . . . . . . . . . . . . 9-65

Adding or Removing an ACL Assignment On an Interface . . . . . . . 9-73

Filtering Inbound IPv4 Traffic Per Port . . . . . . . . . . . . . . . . . . . . . . . . 9-73

Deleting an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-74

Editing an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-76

Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . 9-77

Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . . 9-79

Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . . 9-80

Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-81

Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-84

Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-85

Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-86

Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . . 9-87

Display Static Port ACL Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . 9-88

Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . . . 9-89

Display All ACLs and Their Assignments in the Routing

Switch Startup-Config File and Running-Config File . . . . . . . . . . . . . 9-91

xii

Monitoring Static ACL Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-92

Creating or Editing ACLs Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

Creating or Editing an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

The Offline Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-96

Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 9-96

ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-97

Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 9-98

General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-99

10 Configuring Advanced Threat Protection

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Enabling DHCP Snooping on VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

Configuring DHCP Snooping Trusted Ports . . . . . . . . . . . . . . . . . . . . 10-7

Configuring Authorized Server Addresses . . . . . . . . . . . . . . . . . . . . . . 10-8

Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Changing the Remote-id from a MAC to an IP Address . . . . . . 10-10

Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 10-10

The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11

Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12

Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13

Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

Enabling Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Adding an IP-to-MAC Binding to the DHCP Database . . . . . . . . . . . 10-19

Configuring Additional Validation Checks on ARP Packets . . . . . . 10-20

Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 10-20

Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21

Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 10-22

Using the Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24

Configuring Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . 10-25

Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26

Viewing the Current Instrumentation Monitor Configuration . . . . . 10-27

xiii

Traffic/Security Filters and Monitors

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . 11-4

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5

Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6

Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . 11-6

Defining and Configuring Named Source-Port Filters . . . . . . . . 11-7

Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 11-9

Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15

Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16

Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17

Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 11-18

Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 11-19

Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . 11-19

Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20

Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . 11-21

Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22

Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

xiv

Configuring Port-Based and User-Based Access Control (802.1X)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 12-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4

802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-4

802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5

Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 12-6

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 12-9

Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 12-9

VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12

General Setup Procedure for 802.1X Access Control . . . . . . . . . . 12-15

Do These Steps Before You Configure 802.1X Operation . . . . . . . . 12-15

Overview: Configuring 802.1X Authentication on the Switch . . . . . 12-18

Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . 12-19

1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 12-20

A. Enable the Selected Ports as Authenticators and Enable

the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . . . 12-20

B. Specify User-Based Authentication or Return to

Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21

Example: Configuring User-Based 802.1X Authentication . . . . 12-22

Example: Configuring Port-Based 802.1X Authentication . . . . 12-22

2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 12-22

3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 12-26

4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 12-27

5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 12-27

6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 12-28

7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 12-28

Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29

Example: Configuring 802.1X Controlled Directions . . . . . . . . 12-30

802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-31

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-31

VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-32

Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 12-33

Operating Rules for Authorized-Client and

Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-38

Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 12-42

802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 12-46

Option For Authenticator Ports: Configure Port-Security

To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . 12-47

Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48

Configuring Switch Ports To Operate As

Supplicants for 802.1X Connections to Other Switches . . . . . . . . 12-49

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-49

Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-51

Displaying 802.1X Configuration, Statistics, and Counters . . . . 12-53

Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 12-53

Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 12-62

Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 12-66

How RADIUS/802.1X Authentication Affects VLAN Operation . 12-67

VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-68

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-68

Example of Untagged VLAN Assignment in a RADIUS-Based

Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-70

Enabling the Use of GVRP-Learned Dynamic VLANs

in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-73

Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . 12-75

xvi

Configuring and Monitoring Port Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5

Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5

Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7

Port Security Command Options and Operation . . . . . . . . . . . . . . . . 13-8

Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12

Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-17

MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22

Differences Between MAC Lockdown and Port Security . . . . . . . . 13-24

MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 13-25

Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26

MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32

Web: Displaying and Configuring Port Security Features . . . . . . 13-33

Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 13-33

Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33

How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-34

Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 13-35

Menu: Checking for Intrusions, Listing Intrusion Alerts, and

Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-36

CLI: Checking for Intrusions, Listing Intrusion Alerts,

and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-37

Using the Event Log To Find Intrusion Alerts Web: Checking for Intrusions, Listing Intrusion

Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40

Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-41

. . . . . . . . . . . . . . . . . . 13-39

14 Using Authorized IP Managers

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 14-3

Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4

Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 14-5

CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 14-6

Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 14-6

Configuring IP Authorized Managers for the Switch . . . . . . . . . . 14-6

Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 14-8

Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8

How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . . 14-9

xvii

Using a Web Proxy Server to Access the Web Browser

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9

Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10

Configuring One Station Per Authorized Manager IP Entry . . . . . . 14-10

Configuring Multiple Stations Per Authorized Manager IP Entry . . 14-10

Additional Examples for Authorizing Multiple Stations . . . . . . . . . 14-12

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13

15 Key Management System

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 15-3

Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 15-4

Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 15-5

Index

xviii

Product Documentation

About Your Switch Manual Set

Note For the latest version of all ProCurve switch documentation, including

Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Customer Care, and then click on Manuals.

Printed Publications

The publications listed below are printed and shipped with your switch. The latest version is also available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

■ Read Me First—Provides software update information, product notes,

and other information.

■ HP ProCurve Switch Quick Setup—Provides quick start installation

instructions. See the Installation and Getting Started Guide for more detailed information.

Electronic Publications

The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

■ Installation and Getting Started Guide—Explains how to prepare for

and perform the physical installation and connect the switch to your network.

■ Management and Configuration Guide—Describes how to configure,

manage, and monitor basic switch operation.

■ Advanced Traffic Management Guide—Explains how to configure traffic

management features such as VLANs, MSTP, QoS, and Meshing.

■ Multicast and Routing Guide—Explains how to configure IGMP, PIM, IP

routing, and VRRP features.

■ Access Security Guide—Explains how to configure access security fea-

tures and user authentication on the switch.

■ IPv6 Configuration Guide—Describes the IPv6 protocol operations that

are supported on the switch.

■ Release Notes—Describe new features, fixes, and enhancements that

become available between revisions of the main product guide.

xix

Software Feature Index

For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature.

Note This Index does not cover IPv6 capable software features. For information on

IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, Ping6, and MLD Snooping), refer to the IPv6 Configuration Guide.

Intelligent Edge Software Features

802.1Q VLAN Tagging X

802.1X Port-Based Priority X

802.1X Multiple Authenticated Clients Per Port X

Access Control Lists (ACLs) X

AAA Authentication X

Authorized IP Managers X

Authorized Manager List (Web, Telnet, TFTP) X

Auto MDIX Configuration X

BOOTP X

Config File X

Console Access X

Copy Command X

CoS (Class of Service) X

Management

and

Configuration

Advanced

Management

Traffic

Manual

Multicast and

Routing

Access

Security

Guide

Debug X

DHCP Configuration X

DHCP Option 82 X

DHCP Snooping X

Intelligent Edge Software Features

Management

and

Configuration

Manual

Advanced

Traffic

Management

Multicast and

Routing

Access

Security

Guide

DHCP/Bootp Operation

Diagnostic Tools

Downloading Software

Dynamic ARP Protection

Dynamic Configuration Arbiter

Eavesdrop Protection

Event Log X

Factory Default Settings

Flow Control (802.3x)

File Management

File Transfers

Friendly Port Names

Guaranteed Minimum Bandwidth (GMB)

GVRP

Identity-Driven Management (IDM)

IGMP

Interface Access (Telnet, Console/Serial, Web)

IP Addressing

IP Routing

Jumbo Packets

LACP

Link

LLDP

LLDP-MED

Loop Protection

MAC Address Management

xxi

Intelligent Edge Software Features

MAC Lockdown X

Management

and

Configuration

Advanced

Management

Traffic

Manual

Multicast and

Routing

Access

Security

Guide

MAC Lockout

MAC-based Authentication

Management VLAN

Monitoring and Analysis

Multicast Filtering

Multiple Configuration Files

Network Management Applications (SNMP)

OpenView Device Management

Passwords and Password Clear Protection

ProCurve Manager (PCM)

Ping

Port Configuration

Port Monitoring

Port Security

Port Status

Port Trunking (LACP)

Port-Based Access Control (802.1X)

Power over Ethernet (PoE+)

Protocol Filters

Protocol VLANS

Quality of Service (QoS)

RADIUS Authentication and Accounting

RADIUS-Based Configuration

Rate-Limiting X

RIP X

xxii

Intelligent Edge Software Features

Management

and

Configuration

Manual

Advanced

Traffic

Management

Multicast and

Routing

Access

Security

Guide

RMON 1,2,3,9

Routing

Routing - IP Static

Secure Copy

sFlow

SFTP

SNMPv3

Software Downloads (SCP/SFTP, TFPT, Xmodem)

Source-Port Filters

Spanning Tree (STP, RSTP, MSTP)

SSHv2 (Secure Shell) Encryption

SSL (Secure Socket Layer)

Stack Management (3500yl/6200yl switches only)

Syslog

System Information

TACACS+ Authentication

Telnet Access

TFTP

Time Protocols (TimeP, SNTP)

Traffic Mirroring

Traffic/Security Filters

Troubleshooting

Uni-Directional Link Detection (UDLD)

UDP Forwarder

USB Device Support

VLANs

xxiii

Intelligent Edge Software Features

Management

and

Configuration

Manual

Advanced

Traffic

Management

Multicast and

Routing

Access

Security

Guide

Voice VLAN

Web Authentication RADIUS Support

Web-based Authentication

Web UI

Xmodem

xxiv

Security Overview