ProCurve 2610, 2610-PWR, 2610-24, 2610-48, 2610-24-PWR User Manual

Access Security Guide
ProCurve Switches
Switch 2610 Series
Switch 2610-PWR Series
R.11.XX
www.procurve.com
December 2007
© Copyright 2007 Hewlett-Packard Company, L.P. The information contained herein is subject to change without notice.
Publication Number
5991-8642 December 2007
Applicable Products
ProCurve Switch 2610-24 (J9085A)
ProCurve Switch 2610-48 (J9088A)
ProCurve Switch 2610-24-PWR (J9087A)
ProCurve Switch 2610-48-PWR (J9089A)
ProCurve Switch 2610-24/12-PWR (J9086A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http://www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
This product includes software written by Tim Hudson (tjh@cryptsoft.com)
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements for such products. Nothing herein should be construed as constituting an additional warranty.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com
Contents
Product Documentation
Software Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
1 Getting Started
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
3 Web and MAC Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12
Do These Steps Before You Configure Web/MAC Authentication . . 3-12
Additional Information for Configuring the RADIUS Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-19
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-23
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-24
Show Commands for Web-Based Authentication . . . . . . . . . . . . . . . . . . . 3-28
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . . . . . 3-31
Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
4 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-17
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-22
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Controlling Web Browser Interface Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
5 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-7
1. Configure Authentication for the Access Methods
You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-11
3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-13
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Controlling Web Browser Interface Access When Using RADIUS
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Configuring RADIUS Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Commands Authorization Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Enabling Authorization with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Showing Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Configuring the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-27
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-28
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39
6 Configuring RADIUS Server Support
for Switch Services
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configuring the RADIUS Server for CoS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Viewing the Currently Active Per-Port CoS Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . . . . . 6-3
Configuring and Using RADIUS-Assigned Access Control Lists . . . . . . . . 6-6
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Overview of RADIUS-Assigned, Dynamic Port ACLs . . . . . . . . . . . . . . 6-9
Contrasting Dynamic and Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 6-13
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
Operating Rules for Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . 6-14
Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 6-15
Configuring ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . 6-18
Configuring the Switch To Support Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Displaying the Current Dynamic Port ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24
Causes of Client Deauthentication Immediately After Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
7 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Steps for Configuring and Using SSH for
Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
1. Assign Local Login (Operator) and Enable (Manager) Password . 7-9
2. Generate the Switch’s Public and Private Key Pair . . . . . . . . . . . . 7-10
3. Provide the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . . 7-12
4. Enable SSH on the Switch and Anticipate SSH Client
Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 7-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 7-21
Further Information on SSH Client Public-Key Authentication . . . . . . . . 7-22
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
8 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Steps for Configuring and Using SSL for
Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
1. Assign Local Login (Operator) and Enable (Manager) Password . 8-7
2. Generate the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . . 8-9
3. Enable SSL on the Switch and Anticipate SSL Browser Contact
Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
9 Access Control Lists (ACLs)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Optional Network Management Applications . . . . . . . . . . . . . . . . . . . . 9-3
Optional PCM and IDM Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
General Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
ACL Inbound Application Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Features Common to All ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . . 9-11
ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
The Packet-Filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Switch Resource Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Managing ACL Resource Consumption . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Traffic Management and Improved Network Performance . . . . . . . . . . . 9-22
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Guidelines for Planning the Structure of an ACL . . . . . . . . . . . . . . . . 9-23
ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . . . . . 9-24
How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-25
Configuring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32
ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33
ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36
Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-38
Configuring and Assigning a Numbered, Standard ACL . . . . . . . . . . 9-39
Configuring and Assigning a Numbered, Extended ACL . . . . . . . . . . 9-44
Configuring a Named ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Enabling or Disabling ACL Filtering on an Interface . . . . . . . . . . . . . 9-52
Deleting an ACL from the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-53
Displaying ACL Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . . 9-55
Display the ACL Assignments for an Interface . . . . . . . . . . . . . . . . . . 9-56
Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . . . 9-57
Displaying the Current ACL Resources . . . . . . . . . . . . . . . . . . . . . . . . 9-59
Display All ACLs and Their Assignments in
the Switch Startup-Config File and Running-Config File . . . . . . . . . . 9-60
Editing ACLs and Creating an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . 9-60
Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-60
Working Offline To Create or Edit an ACL . . . . . . . . . . . . . . . . . . . . . 9-63
Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 9-68
Operating Notes for ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-70
General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-71
10 Traffic/Security Filters
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Applying a Source Port Filter in a Multinetted VLAN . . . . . . . . . . . . . 10-3
Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
11 Configuring Port-Based and User-Based Access Control (802.1X)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 11-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 11-9
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
General Setup Procedure for 802.1X Access Control . . . . . . . . . . . . . . . 11-14
Do These Steps Before You Configure 802.1X Operation . . . . . . . . 11-14
Overview: Configuring 802.1X Authentication on the Switch . . . . . 11-16
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . 11-17
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 11-18
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 11-20
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 11-24
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 11-25
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 11-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 11-26
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 11-26
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 11-31
Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 11-40
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 11-44
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . . . . . 11-45
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-46
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . 11-47
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48
Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . 11-51
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 11-51
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 11-54
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 11-57
How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . 11-58
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-64
Operating Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-66
Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-67
12 Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Port Security Command Options and Operation . . . . . . . . . . . . . . . . . . . . 12-6
Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . 12-10
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Differences Between MAC Lockdown and Port Security . . . . . . . . 12-19
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-25
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-27
Web: Displaying and Configuring Port Security Features . . . . . . . . . . . . 12-27
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . . . . . . 12-28
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-28
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 12-29
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 12-34
Web: Checking for Intrusions, Listing Intrusion Alerts,
and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-35
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-35
13 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 13-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 13-6
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Configuring One Station Per Authorized Manager IP Entry . . . . . . 13-10
Configuring Multiple Stations Per Authorized Manager IP Entry . . 13-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 13-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13
Index
Product Documentation
Note: For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking website at www.procurve.com. Click on Technical support, and then click on Product manuals.
Printed Publications
The two publications listed below are printed and shipped with your switch. The latest version of each is also available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.
Read Me First—Provides software update information, product notes, and other information.
Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.
Electronic Publications
The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.
Management and Configuration Guide—Describes how to configure, manage, and monitor basic switch operation.
Advanced Traffic Management Guide—Explains how to configure traffic management features, such as spanning tree, VLANs, and IP routing.
Access Security Guide—Explains how to configure access security features and user authentication on the switch.
Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the above guides.
Software Feature Index
For the software manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.)
Feature | Management and Configuration | Advanced Traffic Management | Access Security Guide
802.1Q VLAN Tagging - X -
802.1X Port-Based Priority X - -
ACLs - - X
AAA Authentication - - X
Authorized IP Managers - - X
Auto-MDIX Configuration X - -
BootP X - -
Config File X - -
Console Access X - -
Copy Command X - -
Debug X - -
DHCP Configuration - X -
DHCP/Bootp Operation X - -
DHCP Option 82 - X -
Diagnostic Tools X - -
Downloading Software X - -
Event Log X - -
Factory Default Settings X - -
File Management X - -
File Transfers X - -
Friendly Port Names X
GVRP - X -
IGMP - X -
Interface Access (Telnet, Console/Serial, Web) X - -
Jumbo Packets X - -
IP Addressing X - -
IP Routing - X -
LACP X - -
Link X - -
LLDP X - -
LLDP-MED X - -
MAC Address Management X - -
MAC Lockdown - - X
MAC Lockout - - X
MAC-based Authentication - - X
Monitoring and Analysis X - -
Multicast Filtering - X -
Multiple Configuration Files X - -
Network Management Applications (LLDP, SNMP) X - -
Passwords - - X
Ping X - -
Port Configuration X - -
Port Security - - X
Port Status X - -
Port Trunking (LACP) X - -
Port-Based Access Control - - X
Port-Based Priority (802.1Q) X - -
Power over Ethernet (PoE) X - -
Quality of Service (QoS) - X -
RADIUS ACLs - - X
RADIUS Authentication and Accounting - - X
Routing - X -
Secure Copy X - -
sFlow X
SFTP X - -
SNMP X - -
Software Downloads (SCP/SFTP, TFTP, Xmodem) X - -
Source-Port Filters - - X
Spanning Tree (STP, RSTP, MSTP) - X -
SSH (Secure Shell) Encryption - - X
SSL (Secure Socket Layer) - - X
Stack Management (Stacking) - X -
Syslog X - -
System Information X - -
TACACS+ Authentication - - X
Telnet Access X - -
TFTP X - -
Time Protocols (TimeP, SNTP) X - -
Traffic/Security Filters - - X
Troubleshooting X - -
Uni-Directional Link Detection (UDLD) X - -
VLANs - X -
Web-based Authentication - - X
Xmodem X - -
1 Getting Started
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9
Introduction
This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches:
ProCurve Series 2610
ProCurve Series 2610-PWR
For an overview of other product documentation for the above switches, refer to “Product Documentation” on page xiii.
You can also download the software manuals from the ProCurve website, www.procurve.com.
Overview of Access Security Features
The access security features covered in this guide include:
Local Manager and Operator Passwords (page 2-1): Control access and privileges for the CLI, menu, and web browser interfaces.
TACACS+ Authentication (page 4-1): Uses an authentication application on a server to allow or deny access to a switch.
RADIUS Authentication and Accounting (page 5-1): Like TACACS+, uses an authentication application on a central server to allow or deny access to the switch. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.
Secure Shell (SSH) Authentication (page 7-1): Provides encrypted paths for remote access to switch management functions.
Secure Socket Layer (SSL) (page 8-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
Access Control Lists (page 9-1): Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) for transactions between specific source and destination IP addresses. Eliminates unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.
Traffic/Security Filters (page 10-1): Source-Port filtering enhances in-band security by enabling outbound destination ports on the switch to forward or drop traffic from designated source ports (within the same VLAN).
Port-Based and User-Based Access Control (802.1X) (page 11-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.
Port Security (page 12-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.
Authorized IP Managers (page 13-1): Allows access to the switch by a networked device having an IP address previously configured in the switch as “authorized”.
Management Access Security Protection
In considering management access security for your switch, there are two key areas to protect:
Unauthorized client access to switch management features
Unauthorized client access to the network.
Table 1-1 on page 1-4 provides an overview of the type of protection offered by each switch security feature.
Note: ProCurve recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
Table 1-1. Management Access Security Protection
The Telnet, SNMP (Net Mgmt), Web Browser, and SSH Client columns fall under "Offers Protection Against Unauthorized Client Access to Switch Management Features".

| Security Feature | Connection | Telnet | SNMP (Net Mgmt) | Web Browser | SSH Client | Offers Protection Against Unauthorized Client Access to the Network |
|---|---|---|---|---|---|---|
| Local Manager and Operator Usernames and Passwords ¹ | PtP | Yes | No | Yes | Yes | No |
| | Remote | Yes | No | Yes | Yes | No |
| TACACS+ ¹ | PtP | Yes | No | No | Yes | No |
| | Remote | Yes | No | No | Yes | No |
| RADIUS ¹ | PtP | Yes | No | No | Yes | No |
| | Remote | Yes | No | No | Yes | No |
| SSH | PtP | Yes | No | No | Yes | No |
| | Remote | Yes | No | No | Yes | No |
| SSL | PtP | No | No | Yes | No | No |
| | Remote | No | No | Yes | No | No |
| Port-Based Access Control (802.1X) | PtP | Yes | Yes | Yes | Yes | Yes |
| | Remote | No | No | No | No | No |
| Port Security (MAC address) | PtP | Yes | Yes | Yes | Yes | Yes |
| | Remote | Yes | Yes | Yes | Yes | Yes |
| Authorized IP Managers | PtP | Yes | Yes | Yes | Yes | No |
| | Remote | Yes | Yes | Yes | Yes | No |

¹ The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection for serial port access.
General Switch Traffic Security Guidelines
Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (applies to all ports on the switch)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH
(The above list does not address the mutually exclusive relationship that exists among some security features.)
Conventions
This guide uses the following conventions for command syntax and displayed information.
Feature Descriptions by Model
In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature.
For example (the switch model is highlighted here in bold italics):
“Web and MAC Authentication for the Series 2610/2610-PWR Switches”.
Command Syntax Statements
Syntax: aaa port-access authenticator < port-list >
[ control < authorized | auto | unauthorized >]
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements.
Braces within square brackets ( [ < > ] ) indicate a required element within an optional choice.
Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example:
“Use the copy tftp command to download the key from a TFTP server.”
Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, < port-list > indicates that you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >
Command Prompts
In the default configuration, your switch displays the following CLI prompt:
ProCurve Switch 2610#
To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example:
ProCurve#
(You can use the hostname command to change the text in the CLI prompt.)
Screen Simulations
Figures containing simulated screen text and command output look like this:
ProCurve> show version
Image stamp: /sw/code/build/info
             Nov 2 2007 13 43:14
             R.01.XX
             430
ProCurve>
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear outside of a numbered figure. For example:
ProCurve(config)# ip default-gateway 18.28.152.1/24
ProCurve(config)# vlan 1 ip address 18.28.36.152/24
ProCurve(config)# vlan 1 ip igmp
Port Identity Examples
This guide describes software applicable to both chassis-based and stackable ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which for port identities typically use only numbers, such as “1”, “3-5”, “15”, etc.
Sources for More Information
For additional information about switch operation and features not covered in this guide, consult the following sources:
For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xiii.
Note: For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking website at www.procurve.com. Click on Technical support, and then click on Product manuals.
For information on specific parameters in the menu interface, refer to the online help provided in the interface. For example:
Online Help for Menu interface
Figure 1-2. Getting Help in the Menu Interface
For information on a specific command in the CLI, type the command name followed by “help”. For example:
Figure 1-3. Getting Help in the CLI
For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch.
For further information on ProCurve Networking switch technology, visit the ProCurve website at: www.procurve.com
Need Only a Quick Start?
IP Addressing
If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:
Enter setup at the CLI Manager level prompt.
ProCurve# setup
In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, see the Installation and Getting Started Guide you received with the switch.