Access Security Guide 8200zl ProCurve Switches K.12.XX www.procurve.com


  • Access Security Guide

    8200zl

    ProCurve Switches K.12.XX

    www.procurve.com

  • ProCurve Series 8200zl Switches

    September 2007 K.12.xx

    Access Security Guide

  • © Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.

    This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

    Publication Number

    5991-8585 September 2007

    Applicable Products

    ProCurve Switch 8212zl (J8715A)

    Trademark Credits

    Microsoft, Windows, and Microsoft Windows NT are U.S. registered trademarks of Microsoft Corporation.

    Software Credits and Notices

    SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit www.openssh.com.

    SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit www.openssl.org.

    This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

    Portions of the software on ProCurve switches are based on the lightweight TCP/IP (lwIP) software toolkit by Adam Dunkels, and are covered by the following notices.

    Copyright © 2001-2003 Swedish Institute of Computer Science. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    This product includes software written by Adam Dunkels ([email protected]).

    Disclaimer

    The information contained in this document is subject to change without notice.

    HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

    Warranty

    See the Customer Support/Warranty booklet included with the product.

    A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

    Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.procurve.com


  • Contents

    Product Documentation

    About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

    Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

    Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

    Software Feature Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

    1 Security Overview

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-4

    Saving Security Settings in a Configuration File . . . . . . . . . . . . . . 1-4

    Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

    Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-5

    SNMP Access (Simple Network Management Protocol) . . . . . . . 1-6

    Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-7

    Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-8

    Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    ACLs for Management Access Protection . . . . . . . . . . . . . . . . . . . 1-9

    Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

    Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

    Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

  • Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

    Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

    Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . 1-12

    Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    BPDU Filtering and BPDU Protection . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    Connection-Rate Filtering Based On Virus-Throttling Technology . . . . . . . . . 1-13

    DHCP Snooping, Dynamic ARP Protection, and Instrumentation Monitor . . . . . . . . . 1-14

    Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

    2 Configuring Username and Password Security

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

    Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

    Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

    CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

    Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9

    SNMP: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . 2-9

    Saving Security Credentials in a Config File . . . . . . . . . . . . . . . . . . . . . . 2-10

    Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10

    Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11

    Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

    Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12

    Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

    SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

    802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

    TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15

    RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16

    SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

    Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

  • Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

    When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

    Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

    Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

    Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25

    Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25

    Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

    Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . 2-29

    Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . 2-30

    Changing the Operation of the Reset+Clear Combination . . . . . 2-31

    Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32

    Disabling or Re-Enabling the Password Recovery Process . . . . 2-32

    Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34

    3 Virus Throttling

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

    Overview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

    Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

    General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

    Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

    Sensitivity to Connection Rate Detection . . . . . . . . . . . . . . . . . . . . 3-5

    Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

    Operating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

    Unblocking a Currently Blocked Host . . . . . . . . . . . . . . . . . . . . . . 3-7

    General Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

    For a network that is relatively attack-free: . . . . . . . . . . . . . . . . . . . . . 3-8

    For a network that appears to be under significant attack: . . . . . . . . . 3-9

    Configuring Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . 3-10

    Global and Per-Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

    Enabling Connection-Rate Filtering and Configuring Sensitivity . . . . . . . . . 3-11

    Configuring the Per-Port Filtering Mode . . . . . . . . . . . . . . . . . . . 3-12

    Example of a Basic Connection-Rate Filtering Configuration . . 3-13

  • 4

    Viewing and Managing Connection-Rate Status . . . . . . . . . . . . . . . . . 3-15

    Viewing Connection-Rate Configuration . . . . . . . . . . . . . . . . . . . 3-15

    Listing Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

    Unblocking Currently-Blocked Hosts . . . . . . . . . . . . . . . . . . . . . . 3-17

    Configuring and Applying Connection-Rate ACLs . . . . . . . . . . . . . . 3-19

    Connection-Rate ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20

    Configuring a Connection-Rate ACL Using

    Source IP Address Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

    Configuring a Connection-Rate ACL Using UDP/TCP Criteria . . . . . 3-23

    Applying Connection-Rate ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

    Using CIDR Notation To Enter the ACE Mask . . . . . . . . . . . . . . . . . . 3-26

    Example of Using an ACL in a Connection-Rate Configuration . . . . 3-27

    Connection-Rate ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 3-29

    Connection-Rate Log and Trap Messages . . . . . . . . . . . . . . . . . . . . . . 3-31

    Web and MAC Authentication

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

    Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

    General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4

    How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 4-6

    Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

    Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

    MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

    Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

    General Setup Procedure for Web/MAC Authentication . . . . . . . . 4-13

    Do These Steps Before You Configure Web/MAC Authentication . . 4-13

    Additional Information for Configuring the RADIUS

    Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . 4-14

    Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 4-15

    Configuring Web Authentication on the Switch . . . . . . . . . . . . . . . . 4-18

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18

    Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 4-19


  • Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 4-25

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

    Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 4-26

    Show Commands for Web-Based Authentication . . . . . . . . . . . . . . . . 4-29

    Example: Verifying a Web Authentication Configuration . . . . . . 4-30

    Configuring MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

    Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

    Config Commands for MAC-Based Authentication . . . . . . . . . . . . . . 4-32

    Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 4-37

    Example: Verifying a MAC Authentication Configuration . . . . . 4-38

    Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40

    5 TACACS+ Authentication

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

    Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 5-3

    General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

    General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 5-5

    Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

    Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

    CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 5-9

    Viewing the Switch’s Current Authentication Configuration . . . . . . . 5-9

    Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . 5-10

    Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 5-10

    Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 5-11

    Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12

    Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 5-13

    Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 5-17

    How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23

    General Authentication Process Using a TACACS+ Server . . . . . . . . 5-23

    Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

    Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26

    General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26

  • Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 5-26

    Controlling Web Browser Interface Access When Using TACACS+ Authentication . . . . . . . . . 5-27

    Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 5-28

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

    6 RADIUS Authentication and Accounting

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

    Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

    Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

    RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 6-4

    SNMP Access to the Switch’s Authentication Configuration MIB . . . 6-4

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

    Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

    General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

    Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 6-8

    Outline of the Steps for Configuring RADIUS Authentication . . . . . . 6-9

    1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . 6-10

    2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 6-12

    3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 6-13

    4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 6-15

    Using SNMP To View and Configure Switch Authentication Features . . . . . . . . . 6-19

    Changing and Viewing the SNMP Access Configuration . . . . . . . . . . 6-20

    Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

    Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 6-24

    Configuring RADIUS Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

    Commands Authorization Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

    Enabling Authorization with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

    Showing Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27


  • Configuring the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

    Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 6-27

    Example Configuration on Cisco Secure ACS for MS Windows 6-29

    Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 6-31

    Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33

    Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 6-35

    Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 6-35

    1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 6-36

    2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . . . . . . . 6-38

    3. (Optional) Configure Session Blocking and Interim Updating Options . . . . . . . . . 6-40

    Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41

    General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41

    RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43

    RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44

    Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 6-45

    Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 6-48

    7 Configuring RADIUS Server Support for Switch Services

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

    Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services . . . . . . . . . 7-3

    Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . . . 7-4

    Configuring and Using RADIUS-Assigned Access Control Lists . . . 7-8

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

    Overview of RADIUS-Assigned, Dynamic Port ACLs . . . . . . . . . . . . . 7-11

    Contrasting Dynamic and Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

    How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port . . . . . . . . . 7-15

    General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 7-16

  • The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16

    Operating Rules for Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . 7-17

    Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 7-18

    Configuring ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . 7-21

    Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22

    Configuring the Switch To Support Dynamic Port ACLs . . . . . . . . . . 7-23

    Displaying the Current Dynamic Port ACL Activity on the Switch . . . . . . . . . 7-25

    Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28

    Causes of Client Deauthentication Immediately After Authenticating . . . . . . . . . 7-29

    Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

    8 Configuring Secure Shell (SSH)

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

    Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

    Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

    Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . 8-6

    General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

    Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 8-9

    1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . 8-9

    2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 8-10

    3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 8-13

    4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . 8-15

    5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 8-18

    6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 8-22

    Further Information on SSH Client Public-Key Authentication . 8-22

    Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28

  • 9 Configuring Secure Socket Layer (SSL)

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

    Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5

    Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . 9-5

    General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

    Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 9-7

    1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . 9-7

    2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 9-8

    To Generate or Erase the Switch’s Server Certificate with the CLI . . . . . . . . . 9-9

    Comments on Certificate Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

    Generate a Self-Signed Host Certificate with the Web browser interface . . . . . . . . . 9-12

    Generate a CA-Signed server host certificate with the Web browser interface . . . . . . . . . 9-15

    3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . 9-17

    Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 9-19

    Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 9-19

    Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21

    10 Access Control Lists (ACLs)

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

    Overview of Options for Applying ACLs on the Switch . . . . . . . . . 10-5

    Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

    Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

    Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15


    ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-15

    RACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16

    VACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18

    Static Port ACL and Dynamic Port ACL Applications . . . . . . . . 10-19

    Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-20

    Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . 10-23

    General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . 10-24

    ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26

    The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27

    Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30

    IP Traffic Management and Improved Network Performance . . . . 10-30

    Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32

    Guidelines for Planning the Structure of an ACL . . . . . . . . . . . . . . . 10-32

    ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . . . . 10-33

    How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . 10-36

    What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . 10-36

    Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . 10-37

    Configuring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41

    General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . 10-41

    Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42

    ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42

    Standard ACL Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-43

    Extended ACL Configuration Structure . . . . . . . . . . . . . . . . . . . 10-44

    ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-46

    The Sequence of Entries in an ACL Is Significant . . . . . . . . . . . 10-46

    Allowing for the Implied Deny Function . . . . . . . . . . . . . . . . . . . 10-48

    A Configured ACL Has No Effect Until You Apply It to an Interface . . . . . . . 10-48

    You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration . . . . 10-48

    Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-49

    General ACE Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-49

    Using CIDR Notation To Enter the ACL Mask . . . . . . . . . . . . . . 10-50

    Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-51

    Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-53

    Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . 10-56

    Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-60

    Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . 10-62

    Configuring Numbered, Extended ACLs . . . . . . . . . . . . . . . . . . . 10-74

    Adding or Removing an ACL Assignment On an Interface . . . . . . 10-81

    Filtering Routed IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-81

    Filtering IP Traffic Inbound on a VLAN . . . . . . . . . . . . . . . . . . . . . . . 10-82

    Filtering Inbound IP Traffic Per Port . . . . . . . . . . . . . . . . . . . . . . . . . 10-83

    Deleting an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-85

    Editing an Existing ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86

    Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86

    General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-86

    Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-87

    Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . 10-88

    Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . 10-90

    Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . 10-91

    Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92

    Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-95

    Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . 10-96

    Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-97

    Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . 10-98

    Display the RACL and VACL Assignments for a VLAN . . . . . . . . . . 10-99

    Display Static Port ACL Assignments . . . . . . . . . . . . . . . . . . . . . . . . 10-100

    Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . 10-101

    Display All ACLs and Their Assignments in the Routing

    Switch Startup-Config File and Running-Config File . . . . . . . . . . . 10-103

    Creating or Editing ACLs Offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-104

    Creating or Editing an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . . 10-104

    The Offline Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-104

    Example of Using the Offline Process . . . . . . . . . . . . . . . . . . . . 10-105

    Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-109

    Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . 10-109

    ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-110

    Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . 10-111

    General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-113

    11 Configuring Advanced Threat Protection

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

    DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

    Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

    Enabling DHCP Snooping on VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6

    Configuring DHCP Snooping Trusted Ports . . . . . . . . . . . . . . . . . . . . 11-7

    Configuring Authorized Server Addresses . . . . . . . . . . . . . . . . . . . . . . 11-8

    Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . 11-8

    Changing the Remote-id from a MAC to an IP Address . . . . . . 11-10

    Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 11-10

    The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11

    Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12

    Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13

    Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15

    Enabling Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17

    Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17

    Adding an IP-to-MAC Binding to the DHCP Database . . . . . . . . . . . 11-19

    Configuring Additional Validation Checks on ARP Packets . . . . . . 11-20

    Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 11-20

    Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21

    Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 11-22

    Using the Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24

    Configuring Instrumentation Monitor . . . . . . . . . . . . . . . . . . . . . . . . 11-25

    Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26

    Viewing the Current Instrumentation Monitor Configuration . . . . . 11-26

    12 Traffic/Security Filters and Monitors

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2

    Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

    Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

    Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

    Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4

    Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . 12-4

    Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5

    Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

    Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . 12-6

    Defining and Configuring Named Source-Port Filters . . . . . . . . 12-7

    Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 12-9

    Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 12-9

    Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15

    Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16

    Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17

    Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 12-18

    Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 12-19

    Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . 12-19

    Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20

    Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . 12-21

    Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-22

    Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-23

    13 Configuring Port-Based and User-Based Access Control (802.1X)

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

    Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 13-3

    General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

    User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4

    802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-4

    802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 13-5

    Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 13-6

    Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

    General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 13-9

    Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 13-9

    VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10

    General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12

    General Setup Procedure for 802.1X Access Control . . . . . . . . . . 13-14

    Do These Steps Before You Configure 802.1X Operation . . . . . . . . 13-14

    Overview: Configuring 802.1X Authentication on the Switch . . . . . 13-16

    Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . 13-17

    1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 13-18

    A. Enable the Selected Ports as Authenticators and Enable

    the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . . . 13-18

    B. Specify User-Based Authentication or Return to Port-Based

    Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19

    Example: Configuring User-Based 802.1X Authentication . . . . 13-20

    Example: Configuring Port-Based 802.1X Authentication . . . . 13-20

    2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 13-20

    3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 13-24

    4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 13-25

    5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 13-25

    6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 13-26

    7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 13-26

    Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-27

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-28

    Example: Configuring 802.1X Controlled Directions . . . . . . . . 13-28

    802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-29

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-29

    VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

    Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 13-31

    Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . 13-36

    Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 13-40

    802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 13-44

    Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . 13-45

    Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-46

    Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . 13-47

    Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-47

    Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-48

    Displaying 802.1X Configuration, Statistics, and Counters . . . . 13-51

    Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 13-51

    Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 13-54

    Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 13-58

    How RADIUS/802.1X Authentication Affects VLAN Operation . 13-59

    VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-60

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-60

    Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . 13-62

    Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . 13-65

    Operating Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-67

    Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . 13-68

    14 Configuring and Monitoring Port Security

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3

    Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4

    Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4

    Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5

    Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5

    Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6

    Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7

    Port Security Command Options and Operation . . . . . . . . . . . . . . . . 14-8

    Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-8

    Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-12

    Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17

    MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-22

    Differences Between MAC Lockdown and Port Security . . . . . . . . 14-24

    MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 14-25

    Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-26

    MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-30

    Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32

    Web: Displaying and Configuring Port Security Features . . . . . . 14-33

    Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 14-33

    Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33

    How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34

    Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 14-35

    Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 14-36

    CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 14-37

    Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 14-39

    Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 14-40

    Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-41

    15 Using Authorized IP Managers

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2

    Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

    Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3

    Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 15-4

    Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4

    Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 15-5

    CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 15-6

    Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 15-6

    Configuring IP Authorized Managers for the Switch . . . . . . . . . 15-7

    Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 15-9

    Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9

    Configuring One Station Per Authorized Manager IP Entry . . . . . . . 15-9

    Configuring Multiple Stations Per Authorized Manager IP Entry . . 15-10

    Additional Examples for Authorizing Multiple Stations . . . . . . . . . 15-12

    Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-12

    16 Key Management System

    Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1

    Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2

    Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2

    Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3

    Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 16-3

    Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 16-4

    Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 16-5

    Index

    Product Documentation

    About Your Switch Manual Set

    Note: For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Technical support, and then click on Product manuals (all).

    Printed Publications

    The two publications listed below are printed and shipped with your switch. The latest version of each is also available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

    ■ Read Me First—Provides software update information, product notes, and other information.

    ■ Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.

    Electronic Publications

    The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site, as described in the Note at the top of this page.

    ■ Management and Configuration Guide—Describes how to configure, manage, and monitor basic switch operation.

    ■ Advanced Traffic Management Guide—Explains how to configure traffic management features such as VLANs, MSTP, QoS, and Meshing.

    ■ Multicast and Routing Guide—Explains how to configure IGMP, PIM, IP routing, and VRRP features.

    ■ Access Security Guide—Explains how to configure access security features and user authentication on the switch.

    ■ Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the main product guide.

    Software Feature Index

    For the software manual set supporting your ProCurve 8212zl switch model, this feature index indicates which manual to consult for information on a given software feature.

    Both Intelligent Edge and Premium Edge software features are available on the ProCurve 8212zl switch.

    Premium Edge Software Features        Manual

    OSPF                                  Multicast and Routing
    PIM-DM (Dense Mode)                   Multicast and Routing
    PIM-SM (Sparse Mode)                  Multicast and Routing
    VRRP                                  Multicast and Routing

    Intelligent Edge Software Features

    Each of the following features is documented in one of the Management and Configuration Guide, the Advanced Traffic Management Guide, the Multicast and Routing Guide, or the Access Security Guide:

    802.1Q VLAN Tagging
    802.1X Port-Based Priority
    802.1X Multiple Authenticated Clients Per Port
    ACLs
    AAA Authentication
    Authorized IP Managers
    Authorized Manager List (Web, Telnet, TFTP)
    Auto MDIX Configuration
    BOOTP
    Config File
    Console Access
    Copy Command
    CoS (Class of Service)
    Debug
    DHCP Configuration
    DHCP Option 82
    DHCP Snooping
    DHCP/Bootp Operation
    Diagnostic Tools
    Downloading Software
    Dynamic ARP Protection
    Eavesdrop Protection
    Event Log
    Factory Default Settings
    Flow Control (802.3x)
    File Management
    File Transfers
    Friendly Port Names
    Guaranteed Minimum Bandwidth (GMB)
    GVRP
    Identity-Driven Management (IDM)
    IGMP
    Interface Access (Telnet, Console/Serial, Web)
    IP Addressing
    IP Routing
    Jumbo Packets
    LACP
    Link
    LLDP
    LLDP-MED
    MAC Address Management
    MAC Lockdown
    MAC Lockout
    MAC-based Authentication
    Management VLAN
    Meshing
    Monitoring and Analysis
    Multicast Filtering
    Multiple Configuration Files
    Network Management Applications (SNMP)
    OpenView Device Management
    Passwords and Password Clear Protection
    ProCurve Manager (PCM)
    Ping
    Port Configuration
    Port Monitoring
    Port Security
    Port Status
    Port Trunking (LACP)
    Port-Based Access Control (802.1X)
    Power over Ethernet (PoE)
    Protocol Filters
    Protocol VLANs
    Quality of Service (QoS)
    RADIUS Authentication and Accounting
    RADIUS-Based Configuration
    Rate-Limiting
    Redundant Management
    RIP
    RMON 1,2,3,9
    Routing
    Routing - IP Static
    Secure Copy
    sFlow
    SFTP
    SNMPv3
    Software Downloads (SCP/SFTP, TFTP, Xmodem)
    Source-Port Filters
    Spanning Tree (STP, RSTP, MSTP)
    SSHv2 (Secure Shell) Encryption
    SSL (Secure Socket Layer)
    Syslog
    System Information
    TACACS+ Authentication
    Telnet Access
    TFTP
    Time Protocols (TimeP, SNTP)
    Traffic Mirroring
    Traffic/Security Filters
    Troubleshooting
    Uni-Directional Link Detection (UDLD)
    UDP Forwarder
    USB Device Support
    Virus Throttling (Connection-Rate Filtering)
    VLANs
    VLAN Mirroring (1 static VLAN)
    Voice VLAN
    Web Authentication RADIUS Support
    Web-based Authentication
    Web UI
    Xmodem

    1 Security Overview

    Contents

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

    Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-4

    Saving Security Settings in a Configuration File . . . . . . . . . . . . . . 1-4

    Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

    Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-5

    SNMP Access (Simple Network Management Protocol) . . . . . . . 1-6

    Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-7

    Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-8

    Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

    RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    ACLs for Management Access Protection . . . . . . . . . . . . . . . . . . . 1-9

    Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

    802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

    Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

    Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

    Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

    Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

    1-1

  • Security Overview Contents

    Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . 1-12

    Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    BPDU Filtering and BPDU Protection . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

    Connection-Rate Filtering Based On Virus-Throttling Technology . . . . 1-13

    DHCP Snooping, Dynamic ARP Protection, and Instrumentation Monitor . . . 1-14

    Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14


    Introduction

    Before you connect your switch to a network, ProCurve strongly recommends that you review the Security Overview beginning on page 1-3. It outlines the potential threats for unauthorized switch and network access, and provides guidelines on how to use the various security features available on the switch to prevent such access. For more information on individual features, see the references provided.

    About This Guide

    This Access Security Guide describes how to configure security features on the ProCurve Switch 8212zl.

    Note: For an introduction to the standard conventions used in this guide, refer to the Getting Started chapter in the Management and Configuration Guide for your switch.

    For More Information

    For information on which product manual to consult for a specific software feature, refer to the “Software Feature Index” on page xxii of this guide.

    For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features and other software topics, visit the ProCurve Networking web site at www.procurve.com, click on Technical support, and then click on Product Manuals (all).

    Switch Access Security

    This section outlines provisions for protecting access to the switch’s status information and configuration settings. ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions. Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users.

    Default Configuration Settings and Access Security

    In its default configuration, the switch is open to unauthorized access of various types. In addition to applying local passwords, ProCurve recommends that you consider using the switch’s other security features to provide a more complete security fabric.

    Switch management access is available through the following methods:

    ■ Inbound Telnet access and Web-browser access

    ■ SNMP access

    ■ Front-Panel access (serial port access to the console, plus resets and clearing the password(s) or current configuration)

    It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.

    Saving Security Settings in a Configuration File

    You can store and view the following security settings in the running-config file associated with the current software image:

    ■ Local manager and operator passwords and user names

    ■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings

    ■ 802.1X port-access passwords and usernames

    ■ TACACS+ encryption keys

    ■ RADIUS shared secret (encryption) keys

    ■ Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch

    For more information about saving security settings, see “Saving Security Credentials in a Config File” on page 2-10 in this guide.


    Local Manager Password

    In the default configuration, there is no password protection. Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch’s Web browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the CLI password manager command, the Menu interface Console Passwords option, or the password options under the Security tab in the Web browser interface.

    Inbound Telnet Access and Web Browser Access

    The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for remote access. This enables you to employ increased access security while still retaining remote client access.

    ■ SSHv2 provides Telnet-like connections through encrypted and authenticated transactions.

    ■ SSLv3/TLSv1 provides remote Web browser access to the switch via encrypted paths between the switch and management station clients capable of SSL/TLS operation.

    (For information on SSH, refer to Chapter 8 “Configuring Secure Shell (SSH)”; for details on SSL, refer to Chapter 9, “Configuring Secure Socket Layer (SSL)”.)

    Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the Web browser are the following two CLI commands:

    ■ no telnet-server: This command blocks inbound Telnet access.

    ■ no web-management: This command prevents use of the Web browser interface through http (port 80) server access.

    If you choose not to disable Telnet and Web browser access, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch. Refer to Chapter 6, “RADIUS Authentication and Accounting” in this guide.


    SNMP Access (Simple Network Management Protocol)

    In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.

    General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).

    SNMPv3 security options include:

    ■ configuring device communities as a means for excluding management access by unauthorized stations

    ■ configuring for access authentication and privacy

    ■ reporting events to the switch CLI and to SNMP trap receivers

    ■ restricting non-SNMPv3 agents to either read-only access or no access

    ■ co-existing with SNMPv1 and v2c if necessary

    Note on SNMP Access to Authentication MIB

    SNMP Access to the Authentication Configuration MIB. Beginning with software release K.12.xx, a management station running an SNMP networked device management application, such as ProCurve Manager Plus (PCM+) or HP OpenView, can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s authentication configuration (hpSwitchAuth). This means that the switch’s default configuration now allows SNMP access to security settings in hpSwitchAuth.

    Downloading and booting from the K.12.xx or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch’s authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.

    If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from software release K.12.xx or greater:

    ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the K.12.xx or greater software for the first time, use the following command to disable this feature:

    snmp-server mib hpswitchauthmib excluded

    ■ If you choose to leave the authentication configuration MIB accessible, then you should do the following to help ensure that unauthorized workstations cannot use SNMP tools to access the MIB:

    a. Configure SNMP version 3 management and access security on the switch.

    b. Disable SNMP version 2c on the switch.

    For details on this feature, refer to the section titled “Using SNMP To View and Configure Switch Authentication Features” on page 6-19.

    For information on SNMP, refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.
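    The settings recommended in the “Inbound Telnet Access and Web Browser Access” and “SNMP Access” sections above can be verified from a saved configuration rather than by inspection. The following script is an added example, not part of this guide or of the switch software: it reads running-config text and reports which of the hardening settings are absent. The two configurations it reads are constructed samples, and the exact line forms it looks for (`password manager`, `no telnet-server`, `no web-management`, `ip ssh`, `snmpv3 only`, the `snmp-server community "public"` line, and `snmp-server mib hpswitchauthmib excluded`) are assumptions about how those settings appear in `show running-config` output.

```python
"""Audit a ProCurve-style running-config for the management-access hardening
settings described in the Telnet/Web and SNMP sections.

Added example, not switch code. The configurations below are constructed,
and the line formats the checks look for are assumptions about how each
setting is rendered in 'show running-config'.
"""
import re

# Constructed sample: a switch still running the plaintext defaults.
UNHARDENED_CONFIG = """\
; J8715A Configuration Editor; Created on release #K.12.xx
hostname "ProCurve-8212zl"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24
   ip address dhcp-bootp
   exit
"""

# Constructed sample: the same switch after applying the section's advice.
HARDENED_CONFIG = """\
; J8715A Configuration Editor; Created on release #K.12.xx
hostname "ProCurve-8212zl"
password manager
password operator
no telnet-server
no web-management
ip ssh
snmpv3 enable
snmpv3 only
snmp-server mib hpswitchauthmib excluded
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24
   ip address dhcp-bootp
   exit
"""


def config_lines(text):
    """Return the non-empty, non-comment lines with surrounding whitespace removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            lines.append(line)
    return lines


# Each check is (name, description, predicate over the config lines); a check
# passes when the hardening setting is present.
CHECKS = [
    ("manager_password", "Manager password is configured",
     lambda ls: any(line.startswith("password manager") for line in ls)),
    ("telnet_disabled", "Inbound Telnet disabled (no telnet-server)",
     lambda ls: "no telnet-server" in ls),
    ("web_disabled", "Plaintext Web browser interface disabled (no web-management)",
     lambda ls: "no web-management" in ls),
    ("ssh_enabled", "SSH server enabled (ip ssh)",
     lambda ls: "ip ssh" in ls),
    ("snmpv3_only", "Non-SNMPv3 messages blocked (snmpv3 only)",
     lambda ls: "snmpv3 only" in ls),
    ("default_community_removed", "No 'public' SNMP community configured",
     lambda ls: not any(re.match(r'snmp-server community "?public"?', line) for line in ls)),
    ("authmib_excluded", "hpSwitchAuth MIB excluded from SNMP access",
     lambda ls: "snmp-server mib hpswitchauthmib excluded" in ls),
]


def audit(config_text):
    """Return {check_name: passed} for every check in CHECKS."""
    lines = config_lines(config_text)
    return {name: bool(pred(lines)) for name, _, pred in CHECKS}


def findings(config_text):
    """Return the descriptions of the failed checks, in CHECKS order."""
    result = audit(config_text)
    return [desc for name, desc, _ in CHECKS if not result[name]]


if __name__ == "__main__":
    for label, cfg in (("unhardened", UNHARDENED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", findings(cfg) or "no findings")
```

    Run against the unhardened sample the script lists all seven settings as missing; against the hardened sample it reports nothing. A real audit would feed it the output of show running-config captured from the switch, and should treat a check that passes only because a line is absent (the community check) with the caveat that defaults not shown in the configuration are not visible to it.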

    Front-Panel Access and Physical Security

    Physical access to the switch allows the following:

    ■ use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.

    ■ use of the switch’s Clear and Reset buttons for these actions:

    • clearing (removing) local password protection

    • rebooting the switch

    • restoring the switch to the factory default configuration (and erasing any non-default configuration settings)

    Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following:

    ■ Disable or re-enable the password-clearing function of the Clear button.

    ■ Configure the Clear button to reboot the switch after clearing any local usernames and passwords.

    ■ Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch’s factory default settings.

    ■ Disable or re-enable password recovery.


    For the commands used to implement the above actions, refer to the section titled “Front-Panel Security” on page 2-23.

    Secure File Transfers

    Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. For more on these features, refer to the section on “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.

    Other Provisions for Management Access Security

    The following features can help to prevent unauthorized management access to the switch.

    Authorized IP Managers

    This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:

    ■ Telnet and other terminal emulation applications

    ■ The switch’s Web browser interface

    ■ SNMP (with a correct community name)

    For more information, refer to Chapter 15, “Using Authorized IP Managers”.
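    The decision the Authorized IP Managers feature makes for each incoming management connection can be shown in a few lines. The following is an added example that reimplements that decision for illustration; it is not the switch’s firmware. It assumes the usual mask semantics (a 1 bit in the mask means the corresponding bit of the source address must match the entry, so 255.255.255.255 authorizes one station and 255.255.255.0 a whole /24), that an empty list imposes no restriction, and that a station matching several entries receives the highest level among them. The entries and addresses are constructed.

```python
"""Decision logic of the Authorized IP Managers feature, as an added example
(a reimplementation for illustration, not the switch's own code).

Assumptions: mask bit 1 = the source address bit must match the entry; no
entries configured = no restriction; a station matching several entries gets
the highest matched level. The entries below are constructed.
"""
import ipaddress


def _as_int(dotted: str) -> int:
    """Dotted-quad IPv4 address or mask to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


class AuthorizedIPManagers:
    LEVELS = ("operator", "manager")

    def __init__(self):
        self.entries = []  # (address_int, mask_int, level)

    def add(self, address: str, mask: str = "255.255.255.255", level: str = "manager"):
        if level not in self.LEVELS:
            raise ValueError(f"unknown access level: {level}")
        self.entries.append((_as_int(address), _as_int(mask), level))

    def evaluate(self, source_ip: str) -> str:
        """Return 'manager', 'operator' or 'denied' for a management connection
        from source_ip, or 'unrestricted' when no entries are configured."""
        if not self.entries:
            return "unrestricted"
        src = _as_int(source_ip)
        granted = "denied"
        for address, mask, level in self.entries:
            # Only the bits selected by the mask have to agree.
            if (src & mask) == (address & mask):
                if level == "manager":
                    return "manager"
                granted = "operator"
        return granted


# Constructed policy: the NOC subnet gets operator access, one workstation in
# it and the whole 192.168.1.0/24 admin subnet get manager access.
MANAGERS = AuthorizedIPManagers()
MANAGERS.add("10.10.20.0", "255.255.255.0", "operator")
MANAGERS.add("10.10.20.5", "255.255.255.255", "manager")
MANAGERS.add("192.168.1.0", "255.255.255.0", "manager")

if __name__ == "__main__":
    for ip in ("10.10.20.5", "10.10.20.77", "192.168.1.9", "172.16.0.3"):
        print(ip, "->", MANAGERS.evaluate(ip))
```

    The check is on the source IP address alone, so it narrows where management sessions may come from but does not authenticate who is at that address; it is meant to be layered with the Manager password, SSH/SSL and SNMPv3 settings described earlier, not used in their place.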

    Secure Management VLAN

    This feature creates an isolated network for managing the ProCurve switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and Web browser interface access is restricted to ports configured as members of the VLAN. For more information, refer to the chapter titled “Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide.

    TACACS+ Authentication

    This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch’s serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access. For more information, refer to Chapter 5, “TACACS+ Authentication”.

    RADIUS Authentication

    For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods. Refer to Chapter 6, “RADIUS Authentication and Accounting”.

    ACLs for Management Access Protection

    ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address. (Refer to “Access Control Lists (ACLs)” in the next section.)

    Network Security Features

    This section outlines features for protecting access through the switch to the network. For more detailed information, see the indicated chapters.

    Access Control Lists (ACLs)

    Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:

    ■ Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) for transactions between specific source and destination IP addresses.

    ■ Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.

    ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. For details on how to apply ACLs in a network populated with ProCurve switches that support ACLs, see Chapter 10, “Access Control Lists (ACLs)”.

    Note on ACL Security Use

    ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
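    The management-protection use of ACLs described under “ACLs for Management Access Protection” and “Access Control Lists (ACLs)” comes down to an ordered rule list evaluated first-match with an implicit deny at the end. The following is an added example that models that evaluation in Python; it is not ProCurve code and does not use the switch’s ACL syntax. The switch address 10.0.0.1, the management subnet 10.0.0.0/24, the rules and the packets are all constructed for illustration.

```python
"""First-match ACL evaluation with an implicit deny-all at the end, applied
to traffic whose destination is the switch's own management address.

Added example, not switch code. Addresses, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR network
    dst: str                    # CIDR network
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first rule that matches; a packet that
    matches no rule is denied by the implicit deny-all (index None)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


SWITCH_IP = "10.0.0.1/32"          # constructed management address of the switch
MGMT_SUBNET = "10.0.0.0/24"        # constructed management-station subnet

# Management-protection ACL: SSH (22) and SNMP (161) to the switch only from
# the management subnet, nothing else to the switch itself, and everything
# else may transit the switch.
MGMT_ACL = [
    Rule("permit", "tcp", MGMT_SUBNET, SWITCH_IP, 22),
    Rule("permit", "udp", MGMT_SUBNET, SWITCH_IP, 161),
    Rule("deny", "ip", "0.0.0.0/0", SWITCH_IP),
    Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# The same intent written as a single deny: without a closing permit, the
# implicit deny drops every other packet, transit traffic included.
DENY_ONLY_ACL = [
    Rule("deny", "tcp", "0.0.0.0/0", SWITCH_IP, 23),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.0.0.50", "10.0.0.1", 22),     # SSH from management subnet
        Packet("tcp", "10.0.0.50", "10.0.0.1", 23),     # Telnet to the switch
        Packet("tcp", "192.168.5.5", "10.0.0.1", 22),   # SSH from elsewhere
        Packet("tcp", "192.168.5.5", "10.0.1.9", 80),   # transit traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(MGMT_ACL, pkt), "| deny-only:", evaluate(DENY_ONLY_ACL, pkt))
```

    The second list shows the consequence of the implicit deny: an ACL written only to block Telnet to the switch also drops the transit traffic the switch was meant to carry. As the note above says, a permitting rule still authenticates nobody; the ACL only decides which packets reach the switch’s management processes at all.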

    802.1X Access Control

    This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:

    ■ user-based access control supporting up to 32 authenticated clients per port

    ■ port-based access control allowing authentication by a single client to open the port

    ■ switch operation as a supplicant for point-to-point connections to other 802.1X-compliant ProCurve switches

    For more information, refer to Chapter 13 “Configuring Port-Based and User-Based Access Control (802.1X)”.

    Web and MAC Authentication

    These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network. For more information, refer to Chapter 4, “Web and MAC Authentication”.


    Secure Shell (SSH)

    SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:

    ■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.

    ■ switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.

    ■ secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information.

    For more information on SSH, refer to Chapter 8, “Configuring Secure Shell (SSH)”. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.

    Secure Socket Layer (SSLv3/TLSv1)

    This feature includes use of Transport Layer Security (TLSv1) to provide remote web access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication. For more information, refer to Chapter 9, “Configuring Secure Socket Layer (SSL)”.

    Traffic/Security Filters

    These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:

    ■ source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.


    ■ multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.

    ■ protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

    For details, refer to Chapter 12, “Traffic/Security Filters and Monitors”.

    Port Security, MAC Lockdown, and MAC Lockout

    The features listed below provide device-based access security in the following ways:

    ■ Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

    ■ MAC lockdown: This “static addressing” feature is used as an alternative to port security to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.

    ■ MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

    Precedence of Security Options. Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.

    1. Disabled/Enabled physical port

    2. MAC lockout (Applies to all ports on the switch.)

    3. MAC lockdown

    4. Port security

    5. Authorized IP Managers

    6. Application features at higher levels in the OSI model, such as SSH.


    (The above list does not address the mutually exclusive relationship that exists among some security features.)
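    The precedence list above determines which feature is the one that actually drops a frame when several would reject it, which matters when reading the log of a blocked station. The following is an added example that reimplements that decision order in Python for illustration; it is not the switch’s code. It reduces MAC lockdown to its port binding (the VLAN restriction is left out), treats Authorized IP Managers as applying only to management traffic addressed to the switch, and all port names, MAC addresses and IP addresses in it are constructed.

```python
"""Order in which the switch applies its security features to a frame
(the precedence list above), reimplemented as an added example; this is
not the switch's own code. Policy tables and frames are constructed.
MAC lockdown is reduced to its port binding (VLAN part omitted).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    port: str
    src_mac: str
    dst_mac: str
    mgmt_src_ip: Optional[str] = None   # set only for management traffic addressed to the switch


@dataclass
class SwitchPolicy:
    disabled_ports: Set[str] = field(default_factory=set)
    mac_lockout: Set[str] = field(default_factory=set)            # switch-wide: drop to/from these MACs
    mac_lockdown: Dict[str, str] = field(default_factory=dict)     # MAC -> the only port it may use
    port_security: Dict[str, Set[str]] = field(default_factory=dict)  # port -> authorized source MACs
    authorized_managers: List[Tuple[str, str]] = field(default_factory=list)  # (address, mask)

    def _manager_allowed(self, ip: str) -> bool:
        """Authorized IP Managers check; no entries means no restriction."""
        if not self.authorized_managers:
            return True
        src = int(ipaddress.IPv4Address(ip))
        for address, mask in self.authorized_managers:
            a, m = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(mask))
            if (src & m) == (a & m):
                return True
        return False

    def evaluate(self, f: Frame) -> Tuple[str, str]:
        """Return (decision, stage): the first stage in precedence order that
        rejects the frame, or ('forward', 'higher-layer features')."""
        src, dst = f.src_mac.lower(), f.dst_mac.lower()
        if f.port in self.disabled_ports:                       # 1. port disabled
            return "drop", "disabled port"
        if src in self.mac_lockout or dst in self.mac_lockout:  # 2. MAC lockout (all ports)
            return "drop", "MAC lockout"
        if src in self.mac_lockdown and self.mac_lockdown[src] != f.port:  # 3. MAC lockdown
            return "drop", "MAC lockdown"
        if f.port in self.port_security and src not in self.port_security[f.port]:  # 4. port security
            return "drop", "port security"
        if f.mgmt_src_ip is not None and not self._manager_allowed(f.mgmt_src_ip):  # 5. IP managers
            return "drop", "authorized IP managers"
        return "forward", "higher-layer features"               # 6. SSH, ACLs, ...


# Constructed policy: A1 is administratively down; one MAC is locked out
# switch-wide; a server MAC is locked down to A3; A2 accepts one authorized
# MAC only; management is allowed only from 10.0.0.0/24.
POLICY = SwitchPolicy(
    disabled_ports={"A1"},
    mac_lockout={"00:11:22:33:44:55"},
    mac_lockdown={"aa:bb:cc:00:00:01": "A3"},
    port_security={"A2": {"aa:bb:cc:00:00:02"}},
    authorized_managers=[("10.0.0.0", "255.255.255.0")],
)

BCAST = "ff:ff:ff:ff:ff:ff"

if __name__ == "__main__":
    for frame in (Frame("A1", "aa:bb:cc:00:00:02", BCAST),
                  Frame("A2", "00:11:22:33:44:55", BCAST),   # locked out AND not in A2's list
                  Frame("A4", "aa:bb:cc:00:00:01", BCAST),   # locked down to A3, seen on A4
                  Frame("A2", "aa:bb:cc:00:00:09", BCAST),   # unauthorized MAC on A2
                  Frame("A4", "aa:bb:cc:00:00:07", BCAST, mgmt_src_ip="192.168.9.9"),
                  Frame("A4", "aa:bb:cc:00:00:07", BCAST, mgmt_src_ip="10.0.0.25")):
        print(frame.port, frame.src_mac, "->", POLICY.evaluate(frame))
```

    The second sample frame is the instructive one: its MAC is both locked out and absent from A2’s port-security list, and the switch records it as a MAC lockout drop because that check comes first, so a port-security log with no entry for that station is not a sign that port security failed.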

    For more information, refer to Chapter 14, “Configuring and Monitoring Port Security”.

    Key Management System (KMS)

    KMS is available in several ProCurve switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.

    For more information, refer to Chapter 16, “Key Management System”.

    Advanced Threat Detection

    Advanced threat detection covers a range of features used to detect anomalous traffic on the switch and take mitiga