Access Security Guide · RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4

Access Security Guide

ProCurve Switches W.14.03

2910al

www.procurve.com

HP ProCurve 2910al Switch

February 2009 W.14.03


© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another lan- gauge without the prior written consent of Hewlett-Packard.

Publication Number

5992-5439 February 2009

Applicable Products

HP ProCurve 2910al-24G Switch J9145A HP ProCurve 2910al-48G Switch J9147A HP ProCurve 2910al-24G-PoE+ Switch J9146A HP ProCurve 2910al-48G-PoE+ Switch J9148A

HP ProCurve 2-Port 10-GbE SFP+ al Module J9008A HP ProCurve 2-Port 10-GbE CX4 al Module J9149A HP ProCurve 10-GbE al Interconnect Kit J9165A

Trademark Credits

Microsoft, Windows, and Microsoft Windows NT are U.S. registered trademarks of Microsoft Corporation.

Software Credits and Notices

SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit www.openssh.com.

SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit www.openssl.org.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Portions of the software on ProCurve switches are based on the lightweight TCP/IP (lwIP) software toolkit by Adam Dunkels, and are covered by the following notices.

Copyright © 2001-2003 Swedish Institute of Computer Science. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials

provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ̀ `AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLU- DING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIM- ITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software written by Adam Dunkels ([email protected]).

Disclaimer

The information contained in this document is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.procurve.com

http:www.openssh.comhttp:www.openssl.orgmailto:([email protected])

Contents

Product Documentation

About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Software Feature Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

1 Security Overview

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Getting Started with Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Quick Start: Using the Management Interface Wizard . . . . . . . . . . . . 1-11

CLI: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Web: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . 1-13

SNMP Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Precedence of Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Port-Based Security Options . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Client-Based Authentication:

Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . 1-20

ProCurve Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . 1-22

iii

2 Configuring Username and Password Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9

SNMP: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . 2-9

Saving Security Credentials in a

Config File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Disabling the Clear Password Function of the Clear Button

Re-Enabling the Clear Button on the Switch’s Front Panel

Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11

Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12

Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15

RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16

SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25

Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25

Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29

and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30

Changing the Operation of the Reset+Clear Combination . . . . . 2-31

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32

iv

Disabling or Re-Enabling the Password Recovery Process . . . . 2-32

Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34

3 Web and MAC Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 3-3

Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 3-4

RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-5

Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 3-13

Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 3-13

Configuring the RADIUS Server To Support MAC Authentication . . 3-15

Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-16

Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18

Configuration Commands for Web Authentication . . . . . . . . . . . . . . 3-19

Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 3-26

Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 3-32

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32

Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-33

Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-36

Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42

v

4 TACACS+ Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Viewing the Switch’s Current TACACS+

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3

General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5

Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9

Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9

Server Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-11

Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 4-11

Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 4-13

Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-18

How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

General Authentication Process Using a TACACS+ Server . . . . . . . . 4-24

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 4-26

Controlling Web Browser Interface

Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . 4-27

Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 4-28

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

5 RADIUS Authentication and Accounting

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

vi

RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4

SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-8

Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-9

1. Configure Authentication for the Access Methods

You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 5-13

3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-15

4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-17

Using SNMP To View and Configure

Switch Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Changing and Viewing the SNMP Access Configuration . . . . . . . . . . 5-22

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 5-25

Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26

Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Configuring Commands Authorization on a RADIUS Server . . . . . . 5-28

Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 5-28

Example Configuration on Cisco Secure ACS for MS Windows 5-30

Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 5-32

Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34

Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35

Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-37

Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-37

1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 5-38

2. Configure Accounting Types and the Controls for

Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . . . . . . 5-40

3. (Optional) Configure Session Blocking and

Interim Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42

Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43

vii

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43

RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45

RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46

Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 5-47

Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 5-50

6 Configuring RADIUS Server Support

for Switch Services

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

RADIUS Server Configuration for

Viewing the Currently Active Per-Port CoS and Rate-Limiting

Contrasting Dynamic (RADIUS-Assigned) and

How a RADIUS Server Applies a RADIUS-Assigned

Example of Configuring a RADIUS-assigned ACL Using the

Format Details for ACEs Configured in a

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Per-Port CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . 6-4

Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 6-5

Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . . . . . 6-6

Configuring and Using RADIUS-Assigned Access Control Lists . . . 6-9

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

Overview of RADIUS-Assigned, Dynamic ACLs . . . . . . . . . . . . . . . . . 6-12

Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

ACL to a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14

General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 6-15

The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Operating Rules for RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . 6-17

Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 6-17

Nas-Filter-Rule-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Configuring ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . 6-19

Example Using the Standard Attribute (92) In an IPv4 ACL . . . 6-20

FreeRADIUS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

RADIUS-Assigned ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

viii

Configuring the Switch To Support RADIUS-Assigned

ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24

Displaying the Current RADIUS-Assigned ACL Activity

Causes of Client Deauthentication Immediately

on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

ICMP Type Numbers and Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29

After Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30

Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30

7 Configuring Secure Shell (SSH)

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Terminology

Steps for Configuring and Using SSH

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 7-8

1. Assigning a Local Login (Operator) and

Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . . 7-9

Configuring Key Lengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12

3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 7-12

4. Enabling SSH on the Switch and Anticipating SSH

Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15

5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 7-19

6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 7-23

Further Information on SSH Client Public-Key Authentication . 7-23

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

Logging Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

ix

8 Configuring Secure Socket Layer (SSL)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Overview

Steps for Configuring and Using SSL for Switch and Client

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 8-7

1. Assigning a Local Login (Operator) and

Enabling (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 8-8

To Generate or Erase the Switch’s Server Certificate

Generate a Self-Signed Host Certificate with the Web

Generate a CA-Signed server host certificate with the

with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

Comments on Certificate Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12

Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15

3. Enabling SSL on the Switch and Anticipating SSL

Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17

Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 8-19

Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 8-19

Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21

9 IPv4 Access Control Lists (ACLs)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Overview of Options for Applying IPv4 ACLs on the Switch . . . . . . 9-6

Static ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Types of IPv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

x

ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

What Is the Difference Between Network (or Subnet)

Rules for Defining a Match Between a Packet and an

A Configured ACL Has No Effect Until You Apply It

You Can Assign an ACL Name or Number to an Interface

Static Port ACL and Dynamic Port ACL Applications . . . . . . . . . 9-15

Dynamic (RADIUS-assigned) Port ACL Applications . . . . . . . . . 9-15

Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16

Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . . 9-16

General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . . 9-18

IPv4 Static ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24

IPv4 Traffic Management and Improved Network Performance . . . 9-24

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25

Guidelines for Planning the Structure of a Static ACL . . . . . . . . . . . . 9-26

IPv4 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . 9-27

How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-28

Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . . 9-28

Access Control Entry (ACE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29

Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . . 9-34

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34

General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . . 9-34

Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35

Standard ACL Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36

Extended ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . 9-37

ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39

The Sequence of Entries in an ACL Is Significant . . . . . . . . . . . . 9-39

Allowing for the Implied Deny Function . . . . . . . . . . . . . . . . . . . . 9-41

to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-41

Even if the ACL Does Not Exist in the Switch’s Configuration . 9-41

Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42

General ACE Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-42

Using CIDR Notation To Enter the IPv4 ACL Mask . . . . . . . . . . 9-43

xi

Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44

Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-46

Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-49

Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-53

Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-55

Configuring Numbered, Extended ACLs . . . . . . . . . . . . . . . . . . . . 9-65

Adding or Removing an ACL Assignment On an Interface . . . . . . . 9-73

Filtering Inbound IPv4 Traffic Per Port . . . . . . . . . . . . . . . . . . . . . . . . 9-73

Deleting an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-74

Editing an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-75

Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-76

Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . 9-77

Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . . 9-79

Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . . 9-80

Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-81

Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-84

Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-85

Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-86

Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . . 9-87

Display Static Port ACL Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . 9-88

Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . . . 9-89

Display All ACLs and Their Assignments in the Routing

Switch Startup-Config File and Running-Config File . . . . . . . . . . . . . 9-91

Monitoring Static ACL Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-92

Creating or Editing ACLs Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

Creating or Editing an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

The Offline Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-94

Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-96

Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 9-96

ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-97

Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 9-98

General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-99

xii

10 Configuring Advanced Threat Protection

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Enabling DHCP Snooping on VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

Configuring DHCP Snooping Trusted Ports . . . . . . . . . . . . . . . . . . . . 10-7

Configuring Authorized Server Addresses . . . . . . . . . . . . . . . . . . . . . . 10-8

Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Changing the Remote-id from a MAC to an IP Address . . . . . . 10-10

Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 10-10

The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11

Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12

Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13

Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

Enabling Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Adding an IP-to-MAC Binding to the DHCP Database . . . . . . . . . . . 10-19

Configuring Additional Validation Checks on ARP Packets . . . . . . 10-20

Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 10-20

Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-21

Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 10-22

Using the Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24

Configuring Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . 10-25

Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26

Viewing the Current Instrumentation Monitor Configuration . . . . . 10-27

xiii

11

12

Traffic/Security Filters and Monitors

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . 11-4

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5

Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6

Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . 11-6

Defining and Configuring Named Source-Port Filters . . . . . . . . 11-7

Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 11-9

Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15

Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16

Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17

Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 11-18

Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 11-19

Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . 11-19

Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20

Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . 11-21

Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22

Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

Configuring Port-Based and

User-Based Access Control (802.1X)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 12-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4

802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-4

xiv

802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5

Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 12-6

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 12-9

Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 12-9

VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12

General Setup Procedure for 802.1X Access Control . . . . . . . . . . 12-15

Do These Steps Before You Configure 802.1X Operation . . . . . . . . 12-15

Overview: Configuring 802.1X Authentication on the Switch . . . . . 12-18

Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . 12-19

1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 12-20

A. Enable the Selected Ports as Authenticators and Enable

the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . . . 12-20

B. Specify User-Based Authentication or Return to

Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21

Example: Configuring User-Based 802.1X Authentication . . . . 12-22

Example: Configuring Port-Based 802.1X Authentication . . . . 12-22

2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 12-22

3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 12-26

4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 12-27

5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 12-27

6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 12-28

7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 12-28

Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29

Example: Configuring 802.1X Controlled Directions . . . . . . . . 12-30

802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-31

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-31

VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-32

Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 12-33

Operating Rules for Authorized-Client and

Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-38

Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 12-42

xv

13

802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 12-46

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . 12-47

Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . 12-49

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-49

Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-51

Displaying 802.1X Configuration, Statistics, and Counters . . . . 12-53

Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 12-53

Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 12-62

Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 12-66

How RADIUS/802.1X Authentication Affects VLAN Operation . 12-67

VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-68

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-68

Example of Untagged VLAN Assignment in a RADIUS-Based

Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-70

Enabling the Use of GVRP-Learned Dynamic VLANs

in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-73

Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . 12-75

Configuring and Monitoring Port Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5

Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5

Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7

Port Security Command Options and Operation . . . . . . . . . . . . . . . . 13-8

Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8

Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12

Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-17

xvi

MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22

Differences Between MAC Lockdown and Port Security . . . . . . . . 13-24

MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 13-25

Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26

MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32

Web: Displaying and Configuring Port Security Features . . . . . . 13-33

Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 13-33

Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33

How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-34

Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 13-35

Menu: Checking for Intrusions, Listing Intrusion Alerts, and

Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-36

CLI: Checking for Intrusions, Listing Intrusion Alerts,

and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-37

Using the Event Log To Find Intrusion Alerts

Web: Checking for Intrusions, Listing Intrusion

. . . . . . . . . . . . . . . . . . 13-39

Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40

Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-41

14 Using Authorized IP Managers

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 14-3

Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4

Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 14-5

CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 14-6

Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 14-6

Configuring IP Authorized Managers for the Switch . . . . . . . . . . 14-6

Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 14-8

Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8

How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . . 14-9

xvii

Using a Web Proxy Server to Access the Web Browser

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9

Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10

Configuring One Station Per Authorized Manager IP Entry . . . . . . 14-10

Configuring Multiple Stations Per Authorized Manager IP Entry . . 14-10

Additional Examples for Authorizing Multiple Stations . . . . . . . . . 14-12

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13

15 Key Management System

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 15-3

Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 15-4

Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 15-5

Index

xviii

Product Documentation

About Your Switch Manual Set

N o t e For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Customer Care, and then click on Manuals.

Printed Publications

The publications listed below are printed and shipped with your switch. The latest version is also available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

■ Read Me First—Provides software update information, product notes, and other information.

■ HP ProCurve Switch Quick Setup—Provides quick start installation instructions. See the Installation and Getting Started Guide for more detailed information.

Electronic Publications

The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

■ Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.

■ Management and Configuration Guide—Describes how to configure, manage, and monitor basic switch operation.

■ Advanced Traffic Management Guide—Explains how to configure traffic management features such as VLANs, MSTP, QoS, and Meshing.

■ Multicast and Routing Guide—Explains how to configure IGMP, PIM, IP routing, and VRRP features.

■ Access Security Guide—Explains how to configure access security features and user authentication on the switch.

■ IPv6 Configuration Guide—Describes the IPv6 protocol operations that are supported on the switch.

■ Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the main product guide.

xix

http:www.procurve.com

Software Feature Index For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature.

N o t e This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, Ping6, and MLD Snooping), refer to the IPv6 Configuration Guide.

Intelligent Edge Software Features

Manual

Management and

Configuration

Advanced Traffic

Management

Multicast and Routing


802.1Q VLAN Tagging X

802.1X Port-Based Priority X

802.1X Multiple Authenticated Clients Per Port X

Access Control Lists (ACLs) X

AAA Authentication X

Authorized IP Managers X

Authorized Manager List (Web, Telnet, TFTP) X

Auto MDIX Configuration X

BOOTP X

Config File X

Console Access X

Copy Command X

CoS (Class of Service) X

Debug X

DHCP Configuration X

DHCP Option 82 X

DHCP Snooping X

xx


Manual

Management and

Configuration

Advanced Traffic

Management



DHCP/Bootp Operation

Diagnostic Tools

Downloading Software

X

X

X

Dynamic ARP Protection

Dynamic Configuration Arbiter

Eavesdrop Protection

Event Log X

X

X

X

Factory Default Settings

Flow Control (802.3x)

File Management

File Transfers

X

X

X

X

Friendly Port Names

Guaranteed Minimum Bandwidth (GMB)

GVRP

Identity-Driven Management (IDM)

X

X

X

X

IGMP

Interface Access (Telnet, Console/Serial, Web)

IP Addressing

IP Routing

X

X

X

X

Jumbo Packets

LACP

Link

LLDP

X

X

X

X

LLDP-MED

Loop Protection

MAC Address Management

X

X

X

xxi


Manual

Management and

Configuration

Advanced Traffic

Management



MAC Lockdown X

MAC Lockout

MAC-based Authentication

Management VLAN

Monitoring and Analysis

Multicast Filtering

Multiple Configuration Files

Network Management Applications (SNMP)

OpenView Device Management

X

X

X

X

X

X

X

X

Passwords and Password Clear Protection

ProCurve Manager (PCM)

Ping

Port Configuration

X

X

X

X

Port Monitoring

Port Security

Port Status

Port Trunking (LACP)

X

X

X

X

Port-Based Access Control (802.1X)

Power over Ethernet (PoE+)

Protocol Filters

Protocol VLANS

X

X

X

X

Quality of Service (QoS)

RADIUS Authentication and Accounting

RADIUS-Based Configuration

Rate-Limiting X

X

X

X

RIP X

xxii


Manual

Management and

Configuration

Advanced Traffic

Management



RMON 1,2,3,9

Routing

Routing - IP Static

X

X

X

Secure Copy

sFlow

SFTP

SNMPv3

X

X

X

X

Software Downloads (SCP/SFTP, TFPT, Xmodem)

Source-Port Filters

Spanning Tree (STP, RSTP, MSTP)

SSHv2 (Secure Shell) Encryption

X

X

X

X

SSL (Secure Socket Layer)

Stack Management (3500yl/6200yl switches only)

Syslog

System Information

X

X

X

X

TACACS+ Authentication

Telnet Access

TFTP

Time Protocols (TimeP, SNTP)

X

X

X

X

Traffic Mirroring

Traffic/Security Filters

Troubleshooting

Uni-Directional Link Detection (UDLD)

X

X

X

X

UDP Forwarder

USB Device Support

VLANs

X

X

X

xxiii


Manual

Management and

Configuration

Advanced Traffic

Management



Voice VLAN

Web Authentication RADIUS Support

Web-based Authentication

Web UI

Xmodem

X

X

X

X

X

xxiv

Security Overview Contents

1

Security Overview

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Getting Started with Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Quick Start: Using the Management Interface Wizard . . . . . . . . . . . . 1-11

CLI: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . . 1-12

Web: Management Interface Wizard . . . . . . . . . . . . . . . . . . . . . . . 1-13

SNMP Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Precedence of Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Port-Based Security Options . . . . . . . . . . . . . . . . . . . . 1-18

Precedence of Client-Based Authentication:

Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . 1-20

ProCurve Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . 1-22

1-1

Security Overview Introduction

Introduction

This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.

Before you connect your switch to a network, ProCurve strongly recommends that you review the section titled “Getting Started with Access Security” on page 1-10. It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.

About This Guide

This Access Security Guide describes how to configure security features on your switch.

N o t e For an introduction to the standard conventions used in this guide, refer to the Getting Started chapter in the Management and Configuration Guide for your switch.

For More Information

For IPv6-specific security settings and features, refer to the IPV6 Configuration Guide for your switch.

For information on which product manual to consult for a specific software feature, refer to the “Software Feature Index” on page xx of this guide.

For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features and other software topics, visit the HP ProCurve Networking web site at www.procurve.com/manuals.

1-2

Security Overview Access Security Features

Access Security Features

This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).

N o t e Beginning with software release W.14.xx, the Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See “Quick Start: Using the Management Interface Wizard” on page 1-11 for details.

Table 1-1. Access Security and Switch Authentication Features

Feature Default Setting

Security Guidelines More Information and Configuration Details

Manager no password Configuring a local Manager password is a fundamental password step in reducing the possibility of unauthorized access

through the switch’s Web browser and console (CLI and Menu) interfaces. The Manager password can easily be set by any one of the following methods: • CLI: password manager command, or Management

interface wizard • Web browser interface: the password options under

the Security tab, or Management interface wizard • Menu interface: Console Passwords option • SNMP

“Configuring Local Password Security” on page 2-6 “Quick Start: Using the Management Interface Wizard” on page 1-11 “Using SNMP To View and Configure Switch Authentication Features” on page 6-21

1-3




Telnet and enabled The default remote management protocols enabled on Web-browser the switch are plain text protocols, which transfer access passwords in open or plain text that is easily captured.

To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access. Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the Web browser are the following two CLI commands: • no telnet-server: This command blocks inbound

Telnet access. • no web-management: This command prevents use of

the Web browser interface through http (port 80) server access.

If you choose not to disable Telnet and Web browser access, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.

“Quick Start: Using the Management Interface Wizard” on page 1-11 For more on Telnet and web browser access, refer to the chapter on “Interface Access and System Information” in the Management and Configuration Guide. For RADIUS accounting, refer to Chapter 6, “RADIUS Authentication and Accounting”

SSH disabled SSH provides Telnet-like functions through encrypted, “Quick Start: Using the authenticated transactions of the following types: Management Interface • client public-key authentication: uses one or more Wizard” on page 1-11

public keys (from clients) that must be stored on the Chapter 8 “Configuring switch. Only a client with a private key that matches Secure Shell (SSH)” a stored public key can gain access to the switch.

• switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.

• secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.

1-4




SSL disabled Secure Socket Layer (SSL) and Transport Layer Security “Quick Start: Using the (TLS) provide remote Web browser access to the switch Management Interface via authenticated transactions and encrypted paths Wizard” on page 1-11 between the switch and management station clients Chapter 9, “Configuring capable of SSL/TLS operation. The authenticated type Secure Socket Layer (SSL)” includes server certificate authentication with user password authentication.

SNMP public, unrestricted

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.

“SNMP Security Guidelines” on page 1-16 “Quick Start: Using the Management Interface Wizard” on page 1-11 Management and Configuration Guide, Chapter 14, refer to the section “Using SNMP Tools To Manage the Switch”

Authorized IP none This feature uses IP addresses and masks to determine Chapter 15, “Using Managers whether to allow management access to the switch Authorized IP Managers”

across the network through the following : • Telnet and other terminal emulation applications • The switch’s Web browser interface • SNMP (with a correct community name)

Secure Management VLAN

disabled This feature creates an isolated network for managing the ProCurve switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and Web browser interface access is restricted to ports configured as members of the VLAN.

Advanced Traffic Management Guide, refer to the chapter “Static Virtual LANs (VLANs)”

ACLs for Management Access Protection

none ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address.

Chapter 10, “IPv4 Access Control Lists (ACLs)”

TACACS+ Authentication

disabled This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch’s serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.

Chapter 5, “TACACS+ Authentication”

1-5




RADIUS disabled For each authorized client, RADIUS can be used to Chapter 6, “RADIUS Authentication authenticate operator or manager access privileges on Authentication and

the switch via the serial port (CLI and Menu interface), Accounting” Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.

802.1X Access none This feature provides port-based or user-based Chapter 13 “Configuring Control authentication through a RADIUS server to protect the Port-Based and User-Based

switch from unauthorized access and to enable the use Access Control (802.1X)” of RADIUS-based user profiles to control client access to network services. Included in the general features are the following: • user-based access control supporting up to eight

authenticated clients per port • port-based access control allowing authentication

by a single client to open the port • switch operation as a supplicant for point-to-point

connections to other 802.1X-compliant ProCurve switches

Web and MAC none These options are designed for application on the edge Chapter 4, “Web and MAC Authentication of a network to provide port-based security measures Authentication”

for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network.

1-6

Security Overview Network Security Features

Network Security Features

This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters.

Table 1-2. Network Security—Default Settings and Security Guidelines



Secure File not Secure Copy and SFTP provide a secure alternative to Management and Transfers applicable TFTP and auto-TFTP for transferring sensitive Configuration Guide,

information such as configuration files and log Appendix A “File Transfers”, information between the switch and other devices. refer to the section “Using

Secure Copy and SFTP”

USB Autorun enabled (disabled once a password has been set)

Used in conjunction with ProCurve Manager Plus, this feature allows diagnosis and automated updates to the switch via the USB flash drive. When enabled in secure mode, this is done with secure credentials to prevent tampering. Note that the USB Autorun feature is disabled automatically, once a password has been set on the switch.

Management and Configuration Guide, Appendix A “File Transfers”, refer to the section “USB Autorun”

Traffic/Security none These statically configured filters enhance in-band Chapter 12, “Traffic/Security Filters security (and improve control over access to network Filters and Monitors”

resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include: • source-port filters: Inbound traffic from a

designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.

• multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.

• protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

1-7




Access Control none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access Lists (ACLs) or entire subnets. Layer 3 IP filtering with Access Control Control Lists (ACLs)”

Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for: • Switch Management Access: Permits or denies in-

band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) for transactions between specific source and destination IP addresses.)

• Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.

Note on ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

Port Security, none The features listed below provide device-based access Chapter 13, “Configuring and MAC Lockdown, security in the following ways: Monitoring Port Security” and MAC • Port security: Enables configuration of each switch Lockout port with a unique list of the MAC addresses of See also “Precedence of

devices that are authorized to access the network Port-Based Securitythrough that port. This enables individual ports to Options” on page 1-18detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

• MAC lockdown: This “static addressing” feature is used as an alternative to port security to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.

• MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

1-8




Key none KMS is available in several ProCurve switch models and Chapter 16, “Key Management is designed to configure and maintain key chains for use Management System” System (KMS) with KMS-capable routing protocols that use time-

dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.

Spanning Tree none These features prevent your switch from malicious Advanced Traffic Protection attacks or configuration errors: Management Guide, refer to

• BPDU Filtering and BPDU Protection: Protects the the chapter “Multiple network from denial-of-service attacks that use Instance Spanning-Tree spoofing BPDUs by dropping incoming BPDU frames Operation” and/or blocking traffic through a port.

• STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.

DHCP Snooping, none These features provide the following additional Chapter 11, “Configuring Dynamic ARP protections for your network: Advanced Threat Protection • DHCP Snooping: Protects your network from Protection”

common DHCP attacks, such as address spoofing and repeated address requests.

• Dynamic ARP Protection: Protects your network from ARP cache poisoning.

• Instrumentation Monitor. Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.

1-9

Security Overview Getting Started with Access Security

Getting Started with Access Security

ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.

Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.

Switch management access is available through the following methods:

■ Front panel access to the console serial port (see “Physical Security”)

■ Inbound Telnet access

■ Web-browser access

■ SNMP access

For guidelines on locking down your switch for remote management access, see “Quick Start: Using the Management Interface Wizard” on page 1-11.

Physical Security

Physical access to the switch allows the following:

■ use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.

■ use of the switch’s USB port for file transfers and autorun capabilities.

■ use of the switch’s Clear and Reset buttons for these actions:

• clearing (removing) local password protection

• rebooting the switch

• restoring the switch to the factory default configuration (and erasing any non-default configuration settings)

1-10


Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access.

As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ Configure the Clear button to reboot the switch after clearing any local

usernames and passwords. ■ Modify the operation of the Reset+Clear button combination so that the

switch reboots, but does not restore the switch’s factory default settings. ■ Disable or re-enable password recovery. ■ Disable USB autorun by setting a Manager password, or enable USB

autorun in secure mode so that security credentials are required to use this feature.

For the commands used to configure the Clear and Reset buttons, refer to “Front-Panel Security” on page 2-23. For information on using USB Autorun, refer to the sections on “Using USB to Transfer Files to and from the Switch” and “Using USB Autorun” in the Management and Configuration Guide, Appendix A “File Transfers”.

Quick Start: Using the Management Interface Wizard

The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols: ■ setting local passwords ■ restricting SNMP access ■ enabling/disabling Telnet ■ enabling/disabling SSH ■ enabling/disabling remote Web management ■ restricting web access to SSL ■ enabling/disabling USB autorun ■ setting timeouts for SSH/Telnet sessions

The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI (see page 1-12) or the Web browser interface (see page 1-13).

N o t e The wizard’s security settings can also be configured using standard commands via the CLI, Menu or Web browser interfaces. For full details on preparing and configuring the switch for SSH and SSL operation, refer to chapters 7 and 8 respectively.

1-11


CLI: Management Interface Wizard

To configure security settings using the CLI wizard, follow the steps below:

1. At the command prompt, type setup mgmt-interfaces.

The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1.

Welcome to the Management Interface Setup Wizard

This wizard will help you with the initial setup of the variousmanagement interfaces. The current values are shown in brack-ets[]. Type in a new value, or press to keep the cur-rent value. Press CTRL-C at any time to quit the wizard withoutsaving any changes. Press ? for help.

Operator password [not configured]: Confirm password:

Manager password [*******]: Confirm password:

Restrict SNMP access to SNMPv3 only [no]: SNMPv2 community name [notpublic]: SNMPv2 Community access level [unrestricted]: Telnet enabled [yes]: SSH enabled [no]: Web management enabled [yes]: Restrict Web access to SSL [no]: Timeout for ssh/telnet sessions [0]:

Operator password : Manager password :******* Restrict SNMP access to SNMPv3 only :no SNMPv2 community name :notpublic SNMPv2 Community access level :unrestricted Telnet enabled :yesSSH enabled :no Web management enabled :yesRestrict Web access to SSL :no Timeout for ssh/telnet sessions :0

Do you want to save these changes? [yes]:

Current values are shown in brackets (Password entries must be entered twice and will appear as asterisks.)

Type in a new value to change a setting, or press to keep the current value.

To save these settings, press [Enter]. To cancel any changes, type [n] (for no), then press [Enter].

Summary of current settings (displayed after last wizard option has been set)

Figure 1-1. Example of Management Interface Wizard Configuration

1-12


2. When you enter the wizard, you have the following options:

• To update a setting, type in a new value, or press [Enter] to keep the current value.

• To quit the wizard without saving any changes, press [CTRL-C] at any time.

• To access online Help for any option, press [?].

After you have gone through each setup option, the wizard displays the summary configuration together with a prompt to save the changes (see Figure 1-1 on page 1-12 for an example).

3. When the message appears asking if you want to save these changes, you have the following options:

• To save your changes, press [Enter]. • To cancel any changes without saving, type [n] and then press [Enter].

After pressing [Enter], the wizard exits to the command line prompt.

CLI Wizard: Operating Notes and Restrictions.

■ Once a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command directly from the CLI.

■ When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level will not appear.

■ The wizard displays the first available SNMPv2 community and allows the user to modify the first community access parameters.

■ The wizard creates a new SNMP community only when no communities have been configured on the switch.

■ The USB Autorun feature is disabled as soon as an operator or manager password is set on the switch. Once a password has been set, the USB autorun option is no longer provided as part of the wizard.

Web: Management Interface Wizard

To use the Management Interface wizard from the Web browser interface, follow the steps below:

1. Click the Security tab.

2. Click the Setup Wizard button.

1-13


The Welcome window appears.

Figure 1-2. Management Interface Wizard: Welcome Window

This page allows you to choose between two setup types:

• Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.

• Advanced—provides a single summary screen in which to configure all security settings at once.

3. To enter the wizard, choose a setup option and then click Continue. • Typical (multi-page setup): when you select this option, you will get

an alert indicating that configuration changes will be lost if you click on the Web browser’s navigation tabs. Click OK to close the alert and then advance through the following setup pages: Operator Password, Manager Password, SNMP, Telnet, SSH, Web Management GUI, USB Autorun, Timeout (see pages for details and setup options).

At each page, you have the following options: – Enter a new value and/or make a new selection, or click Continue

to keep the current value and proceed to the next page setup. When you have gone through all configurable options, the summary setup page appears (see step 4).

– To quit the Setup and return to the Welcome window without saving any changes, click Exit at any time.

– To return to the previous screen(s), click Back at any time. • Advanced (single page setup): when you select this option, the sum

mary setup page appears immediately (see step 4).

1-1

Documents

Access Security Guide · RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4