ProCurve 2600 Series, 2800 Series, 4100g Series, 6108, 2600-PWR Series Getting Started

...
Getting Started

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4
Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9
1-1

Introduction
This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches:
ProCurve Series 2600
ProCurve Series 2600-PWR
ProCurve Series 2800
ProCurve Series 4100gl
ProCurve Switch 6108
For an overview of other product documentation for the above switches, refer to “Product Documentation” on page xi.
The Product Documentation CD-ROM shipped with the switch includes a copy of this guide. You can also download a copy from the ProCurve website, http://www.procurve.com.

Overview of Access Security Features

The access security features covered in this guide include:
Local Manager and Operator Passwords (page 2-1): Control access and privileges for the CLI, menu, and web browser interfaces.
TACACS+ Authentication (page 4-1): Uses an authentication application on a server to allow or deny access to a switch.
RADIUS Authentication and Accounting (page 5-1): Like TACACS+, uses an authentication application on a central server to allow or deny access to the switch. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.
Secure Shell (SSH) Authentication (page 6-1): Provides encrypted paths for remote access to switch management functions.
Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.
Port Security (page 9-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.
Traffic/Security Filters (page 10-1): Source-Port filtering enhances in-band security by enabling outbound destination ports on the switch to forward or drop traffic from designated source ports (within the same VLAN).
Authorized IP Managers (page 11-1): Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".

Management Access Security Protection

In considering management access security for your switch, there are two key areas to protect:
Unauthorized client access to switch management features
Unauthorized client access to the network.
Table 1-1 on page 1-4 provides an overview of the type of protection offered by each switch security feature.
Note: ProCurve recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
Table 1-1. Management Access Security Protection

The first five columns show whether the feature offers protection against unauthorized client access to switch management features over the given connection type (Telnet, SNMP (Net Mgmt), Web Browser, SSH Client); the last column shows whether it offers protection against unauthorized client access to the network.

Security Feature                                        Connection  Telnet  SNMP  Web  SSH  Network
Local Manager and Operator Usernames and Passwords (1)  PtP:        Yes     No    Yes  Yes  No
                                                        Remote:     Yes     No    Yes  Yes  No
TACACS+ (1)                                             PtP:        Yes     No    No   Yes  No
                                                        Remote:     Yes     No    No   Yes  No
RADIUS (1)                                              PtP:        Yes     No    No   Yes  No
                                                        Remote:     Yes     No    No   Yes  No
SSH                                                     PtP:        Yes     No    No   Yes  No
                                                        Remote:     Yes     No    No   Yes  No
SSL                                                     PtP:        No      No    Yes  No   No
                                                        Remote:     No      No    Yes  No   No
Port-Based Access Control (802.1X)                      Remote:     No      No    No   No   No
Port Security (MAC address)                             PtP:        Yes     Yes   Yes  Yes  Yes
                                                        Remote:     Yes     Yes   Yes  Yes  Yes
Authorized IP Managers                                  PtP:        Yes     Yes   Yes  Yes  No
                                                        Remote:     Yes     Yes   Yes  Yes  No

(1) The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection for serial port access.

General Switch Traffic Security Guidelines

Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (applies to all ports on the switch)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH
(The above list does not address the mutually exclusive relationship that exists among some security features.)
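As an added illustration (not code from the ProCurve guide), the following Python model applies the six stages above to constructed frames in the stated order, so that a MAC allowed by a port's port-security list is still dropped when it is locked out switch-wide. The per-feature semantics (MAC lockdown binding a MAC to one port, Authorized IP Managers gating only traffic addressed to the switch) and all addresses and port names are assumptions for the demonstration.

```python
# Added example (not from the ProCurve guide): toy model of the order in which
# a port applies its configured security features, as listed above. Feature
# semantics are simplified assumptions; all addresses and ports are constructed.
from dataclasses import dataclass, field


@dataclass
class SwitchConfig:
    disabled_ports: set = field(default_factory=set)
    mac_lockout: set = field(default_factory=set)        # MACs blocked on every port
    mac_lockdown: dict = field(default_factory=dict)     # MAC -> the one port it may use (assumed)
    port_security: dict = field(default_factory=dict)    # port -> MACs allowed on that port
    authorized_ip_managers: set = field(default_factory=set)  # IPs allowed to manage the switch


@dataclass
class Frame:
    port: str                 # ingress port, e.g. "A1"
    src_mac: str
    src_ip: str
    to_switch: bool = False   # True when the traffic is addressed to the switch itself


def evaluate(cfg: SwitchConfig, f: Frame) -> tuple:
    """Run the stages in precedence order; return (decision, deciding stage)."""
    if f.port in cfg.disabled_ports:
        return ("drop", "1 port disabled")
    if f.src_mac in cfg.mac_lockout:                     # evaluated before port security
        return ("drop", "2 mac lockout")
    if cfg.mac_lockdown.get(f.src_mac, f.port) != f.port:
        return ("drop", "3 mac lockdown")
    if f.port in cfg.port_security and f.src_mac not in cfg.port_security[f.port]:
        return ("drop", "4 port security")
    if f.to_switch and cfg.authorized_ip_managers and f.src_ip not in cfg.authorized_ip_managers:
        return ("drop", "5 authorized ip managers")
    return ("forward", "6 higher-layer features (e.g. SSH)")


# Constructed configuration: 00aa-bbcc-dd01 is allowed by port security on A1
# but locked out switch-wide, so stage 2 drops it before stage 4 is consulted.
CFG = SwitchConfig(
    disabled_ports={"A4"},
    mac_lockout={"00aa-bbcc-dd01"},
    mac_lockdown={"00aa-bbcc-dd02": "A2"},
    port_security={"A1": {"00aa-bbcc-dd01", "00aa-bbcc-dd03"}},
    authorized_ip_managers={"10.0.0.10"},
)
```

Calling `evaluate(CFG, Frame("A1", "00aa-bbcc-dd01", "10.0.0.5"))` returns the drop at stage 2, while the same frame's transit counterpart from an allowed MAC is forwarded and only its management traffic is subject to stage 5.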

Conventions
This guide uses the following conventions for command syntax and displayed information.

Feature Descriptions by Model

In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature.
For example (the switch model is highlighted here in bold italics):
“Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches”.

Command Syntax Statements

Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >]
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements.
Braces within square brackets ( [ < > ] ) indicate a required element within an optional choice.
Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example: “Use the copy tftp command to download the key from a TFTP server.”
Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, < port-list > indicates that you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >

Command Prompts

In the default configuration, your switch displays one of the following CLI prompts:
ProCurve Switch 4104#
ProCurve Switch 4108#
ProCurve Switch 2626#
ProCurve Switch 2650#
ProCurve Switch 6108#
To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example:
ProCurve#
(You can use the hostname command to change the text in the CLI prompt.)

Screen Simulations

Figures containing simulated screen text and command output look like this:
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear outside of a numbered figure. For example:
ProCurve(config)# ip default-gateway 18.28.152.1/24
ProCurve(config)# vlan 1 ip address 18.28.36.152/24
ProCurve(config)# vlan 1 ip igmp

Port Identity Examples

This guide describes software applicable to both chassis-based and stackable ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which for port identities typically use only numbers, such as “1”, “3-5”, “15”, etc.

Sources for More Information

For additional information about switch operation and features not covered in this guide, consult the following sources:
For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xi.
Note: For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking website at http://www.procurve.com. Click on Technical support, and then click on Product manuals.
For information on specific parameters in the menu interface, refer to the online help provided in the interface. For example:
Online Help for Menu interface
Figure 1-2. Getting Help in the Menu Interface
For information on a specific command in the CLI, type the command name followed by “help”. For example:
Figure 1-3. Getting Help in the CLI
For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch.
For further information on ProCurve Networking switch technology, visit the ProCurve website at:
http://www.procurve.com
Need Only a Quick Start?

IP Addressing

If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:
Enter setup at the CLI Manager level prompt.
ProCurve# setup
In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, see the Installation and Getting Started Guide you received with the switch.

To Set Up and Install the Switch in Your Network

Important! Use the Installation and Getting Started Guide shipped with your switch for the following:
Notes, cautions, and warnings related to installing and using the switch and its related modules
Instructions for physically installing the switch in your network
Quickly assigning an IP address and subnet mask, setting a Manager password, and (optionally) configuring other basic features.
Interpreting LED behavior.
For the latest version of the Installation and Getting Started Guide and other documentation for your switch, visit the ProCurve website. (Refer to “Product Documentation” on page xi of this guide for further details.)