To Next Page

To Previous Page

IPv4 Access Control Lists (ACLs)

Enable ACL “Deny” Logging

■ On port 10, configure an extended ACL with an ACL-ID of 143 to deny

Telnet traffic from IP address 10.38.100.127.

■ Configure the switch to send an ACL log message to the console and

to a Syslog server at IP address 10.38.110.54 on port 11 if the switch

detects a match denying Telnet access from 10.38.100.127.

10.38.110.54

10.38.100.127

Syslog Server

Configure extended ACL 143

here to deny Telnet access to

inbound Telnet traffic from IP

address 10.38.100.127.

Block Telnet access to the

network from this host.

ProCurve Switch

Console

Console RS-232 Port

Figure 9-31. Example of an ACL Log Application

9-70

Table of Contents5
Product Documentation23
About Your Switch Manual Set23
Printed Publications23
Electronic Publications23
Software Feature Index24
Security Overview29
Contents29
Introduction30
About this Guide30
For more Information30
Access Security Features31
Network Security Features35
Physical Security37
Getting Started with Access Security37
Quick Start: Using the Management Interface Wizard38
CLI: Management Interface Wizard38
Web: Management Interface Wizard40
SNMP Security Guidelines43
Precedence of Security Options45
Precedence of Port-Based Security Options45
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter45
Network Immunity Manager46
Arbitrating Client-Specific Attributes47
Procurve Identity-Driven Manager (IDM)49
Configuring Username and Password Security51
Contents51
Overview53
Menu: Setting Passwords56
Configuring Local Password Security56
CLI: Setting Passwords and Usernames58
Web: Setting Passwords and Usernames59
SNMP: Setting Passwords and Usernames59
Saving Security Credentials in a Config File60
Benefits of Saving Security Credentials60
Enabling the Storage and Display of Security Credentials61
Security Settings that Can be Saved61
Local Manager and Operator Passwords62
Password Command Options62
SNMP Security Credentials63
802.1X Port-Access Credentials64
TACACS+ Encryption Key Authentication65
RADIUS Shared-Secret Key Authentication65
SSH Client Public-Key Authentication66
Operating Notes69
Restrictions71
Front-Panel Security73
When Security Is Important73
Front-Panel Button Functions74
Clear Button75
Reset Button75
Restoring the Factory Default Configuration75
Configuring Front-Panel Security77
Disabling the Clear Password Function of the Clear Button79
Re-Enabling the Clear Button and Setting or Changing the "Reset-On-Clear" Operation80
Changing the Operation of the Reset+Clear Combination81
Password Recovery82
Disabling or Re-Enabling the Password Recovery Process82
Password Recovery Process84
Web and MAC Authentication85
Contents85
Overview87
Web Authentication87
MAC Authentication88
Concurrent Web and MAC Authentication88
Authorized and Unauthorized Client Vlans89
RADIUS-Based Authentication90
Wireless Clients90
How Web and MAC Authentication Operate90
Web-Based Authentication91
MAC-Based Authentication93
Terminology95
Operating Rules and Notes96
Before You Configure Web/Mac Authentication98
Setup Procedure for Web/Mac Authentication98
Configuring the RADIUS Server to Support MAC Authentication101
Configuring the Switch to Access a RADIUS Server101
Configuring Web Authentication104
Overview104
Configuration Commands for Web Authentication105
Show Commands for Web Authentication112
Customizing Web Authentication HTML Files (Optional)118
Implementing Customized Web-Auth Pages118
Operating Notes and Guidelines118
Customizing HTML Templates119
Customizable HTML Templates120
Configuring MAC Authentication on the Switch134
Overview134
Configuring the Global MAC Authentication Password135
Configuration Commands for MAC Authentication135
Configuring a MAC-Based Address Format137
Show Commands for MAC-Based Authentication139
Client Status146
TACACS+ Authentication147
Contents147
Overview148
Terminology Used in TACACS Applications149
General System Requirements151
General Authentication Setup Procedure151
Configuring TACACS+ on the Switch154
Before You Begin154
CLI Commands Described in this Section155
Viewing the Switch's Current Authentication Configuration155
Viewing the Switch's Current TACACS+ Server Contact Configuration156
Configuring the Switch's Authentication Methods157
Using the Privilege-Mode Option for Login157
Authentication Parameters158
Configuring the TACACS+ Server for Single Login159
Configuring the Switch's TACACS+ Server Access164
How Authentication Operates170
General Authentication Process Using a TACACS+ Server170
Local Authentication Process172
Using the Encryption Key173
General Operation173
Encryption Options in the Switch173
Controlling Web Browser Interface Access When Using TACACS+ Authentication174
Messages Related to TACACS+ Operation175
Operating Notes175
Contents177
Authentication Services179
Overview179
RADIUS Authentication, Authorization, and Accounting179
Accounting Services180
RADIUS-Administered Cos and Rate-Limiting180
RADIUIS-Administered Commands Authorization180
SNMP Access to the Switch's Authentication Configuration MIB180
Overview180
Terminology181
Switch Operating Rules for RADIUS182
General RADIUS Setup Procedure183
Configuring the Switch for RADIUS Authentication184
Outline of the Steps for Configuring RADIUS Authentication185
Configure Authentication for the Access Methods You Want RADIUS to Protect186
Enable the (Optional) Access Privilege Option189
Configure the Switch to Access a RADIUS Server190
Configure the Switch's Global RADIUS Parameters193
Using Multiple RADIUS Server Groups197
Commands197
Enhanced Commands198
Displaying the RADIUS Server Group Information200
Cached Reauthentication202
Timing Considerations203
Using SNMP to View and Configure Switch Authentication Features206
Changing and Viewing the SNMP Access Configuration207
Local Authentication Process209
Controlling Web Browser Interface Access210
Commands Authorization211
Enabling Authorization212
Using Vendor Specific Attributes (Vsas)213
Configuring Commands Authorization on a RADIUS Server213
Displaying Authorization Information213
Example Configuration on Cisco Secure ACS for MS Windows215
Example Configuration Using Freeradius217
VLAN Assignment in an Authentication Session219
Tagged and Untagged VLAN Attributes220
Additional RADIUS Attributes221
Configuring RADIUS Accounting223
Operating Rules for RADIUS Accounting225
Steps for Configuring RADIUS Accounting225
Configure the Switch to Access a RADIUS Server226
Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server228
Optional) Configure Session Blocking and Interim Updating Options230
Viewing RADIUS Statistics232
General RADIUS Statistics232
RADIUS Authentication Statistics234
RADIUS Accounting Statistics235
Changing RADIUS-Server Access Order236
Messages Related to RADIUS Operation239
Configuring RADIUS Server Support241
For Switch Services241
Contents241
Overview243
RADIUS Server Configuration for Per-Port Cos (802.1P Priority) and Rate-Limiting244
Applied Rates for RADIUS-Assigned Rate Limits245
RADIUS Server Configuration for Per-Port Cos (802.1P Priority) and Rate-Limiting245
Viewing the Currently Active Per-Port Cos and Rate-Limiting Configuration Specified by a RADIUS Server246
Configuring and Using RADIUS-Assigned Access Control Lists249
Introduction249
Terminology249
Overview of RADIUS-Assigned, Dynamic Acls252
Contrasting Dynamic (RADIUS-Assigned) and Static Acls253
How a RADIUS Server Applies a RADIUS-Assigned254
ACL to a Switch Port254
General ACL Features, Planning, and Configuration255
The Packet-Filtering Process256
Operating Rules for RADIUS-Assigned Acls256
Configuring an ACL in a RADIUS Server257
Nas-Filter-Rule-Options258
Configuring ACE Syntax in RADIUS Servers258
Example Using the Standard Attribute (92) in an Ipv4 ACL260
Example of Configuring a RADIUS-Assigned ACL Using the Freeradius Application261
Format Details for Aces Configured in a RADIUS-Assigned ACL263
Configuration Notes264
Configuring the Switch to Support RADIUS-Assigned264
Acls264
Displaying the Current RADIUS-Assigned ACL Activity266
On the Switch266
ICMP Type Numbers and Keywords268
Event Log Messages269
Causes of Client Deauthentication Immediately after Authenticating270
Monitoring Shared Resources270
Contents271
Configuring Secure Shell (SSH)272
- Overview272
Terminology273
Prerequisite for Using SSH275
Public Key Formats275
Steps for Configuring and Using SSH for Switch and Client Authentication276
General Operating Rules and Notes278
Configuring the Switch for SSH Operation279
Configuring the Switch for SSH Operation280
Assigning a Local Login (Operator) and Enable (Manager) Password280
Generating the Switch's Public and Private Key Pair280
Configuring Key Lengths283
Providing the Switch's Public Key to Clients283
Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior285
Configuring the Switch for SSH Authentication290
Use an SSH Client to Access the Switch294
Further Information on SSH Client Public-Key Authentication294
Messages Related to SSH Operation300
Logging Messages301
Debug Logging302
Contents303
Configuring Secure Socket Layer (SSL)304
Overview304
Terminology305
Prerequisite for Using SSL307
Steps for Configuring and Using SSL for Switch and Client Authentication307
General Operating Rules and Notes308
Configuring the Switch for SSL Operation309
Assigning a Local Login (Operator) and Enabling (Manager) Password309
Generating the Switch's Server Host Certificate310
To Generate or Erase the Switch's Server Certificate311
With the CLI311
Comments on Certificate Fields312
Generate a Self-Signed Host Certificate with the Web Browser314
Interface314
Generate a CA-Signed Server Host Certificate with the Web Browser Interface317
Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior319
Using the CLI Interface to Enable SSL321
Using the Web Browser Interface to Enable SSL321
Common Errors in SSL Setup323
Ipv4 Access Control Lists (Acls)325
Contents325
Optional Network Management Applications328
ACL Applications328
Introduction328
Optional PCM and IDM Applications329
General Application Options329
Terminology331
Overview334
Types of IP Acls334
ACL Inbound Application Points334
Features Common to All Acls335
General Steps for Planning and Configuring Acls336
ACL Operation337
Introduction337
The Packet-Filtering Process338
ACL Resource Usage and Monitoring341
Switch Resource Usage341
Prioritizing and Monitoring ACL and Qos, Feature Usage341
Planning an ACL Application341
Rule Usage342
Managing ACL Resource Consumption343
Oversubscribing Available Resources343
Troubleshooting a Shortage of Resources343
Example of ACL Resource Usage344
Viewing the Current Rule Usage344
Traffic Management and Improved Network Performance347
Security347
Guidelines for Planning the Structure of an ACL348
ACL Configuration and Operating Rules349
How an ACE Uses a Mask to Screen Packets for Matches350
What Is the Difference between Network (or Subnet) Masks and the Masks Used with Acls351
Rules for Defining a Match between a Packet and an Access Control Entry (ACE)352
Configuring and Assigning an ACL357
Overview357
General Steps for Implementing Acls357
Types of Acls357
ACL Configuration Structure358
Standard ACL Structure359
Extended ACL Configuration Structure359
ACL Configuration Factors361
ACL Resource Consumption361
The Sequence of Entries in an ACL Is Significant361
In any ACL, There will Always be a Match362
A Configured ACL Has no Effect until You Apply It to an Interface362
Using CIDR Notation to Enter the ACL Mask363
General ACE Rules363
Using the CLI to Create an ACL363
Configuring and Assigning a Numbered, Standard ACL364
Configuring and Assigning a Numbered, Extended ACL369
Configuring a Named ACL375
Enabling or Disabling ACL Filtering on an Interface377
Deleting an ACL from the Switch378
Displaying ACL Data379
Display an ACL Summary379
Display the Content of All Acls on the Switch380
Display the ACL Assignments for an Interface381
Displaying the Content of a Specific ACL382
Displaying the Current ACL Resources384
Display All Acls and Their Assignments in the Switch Startup-Config File and Running-Config File385
Editing Acls and Creating an ACL Offline385
Using the CLI to Edit Acls385
Editing Acls and Creating an ACL Offline386
Deleting any ACE from an ACL386
General Editing Rules386
Working Offline to Create or Edit an ACL388
Creating an ACL Offline389
Enable ACL "Deny" Logging392
Requirements for Using ACL Logging392
ACL Logging Operation393
Enabling ACL Logging on the Switch393
Operating Notes for ACL Logging395
General ACL Operating Notes396
Configuring Advanced Threat Protection399
Contents399
Introduction401
DHCP Snooping402
Overview402
Enabling DHCP Snooping403
DHCP Snooping403
Enabling DHCP Snooping on VLANS405
Configuring DHCP Snooping Trusted Ports406
Configuring Authorized Server Addresses407
Using DHCP Snooping with Option 82407
Changing the Remote-ID from a MAC to an IP Address409
Disabling the MAC Address Check409
The DHCP Binding Database410
Operational Notes411
Log Messages412
Dynamic ARP Protection414
Introduction414
Enabling Dynamic ARP Protection416
Configuring Trusted Ports416
Adding an IP-To-MAC Binding to the DHCP Database418
Configuring Additional Validation Checks on ARP Packets419
Verifying the Configuration of Dynamic ARP Protection419
Displaying ARP Packet Statistics420
Monitoring Dynamic ARP Protection421
Dynamic IP Lockdown421
Protection against IP Source Address Spoofing422
Prerequisite: DHCP Snooping422
Filtering IP and MAC Addresses Per-Port and Per-VLAN423
Enabling Dynamic IP Lockdown424
Operating Notes424
Adding an IP-To-MAC Binding to the DHCP Binding Database426
Potential Issues with Bindings426
Adding a Static Binding427
Verifying the Dynamic IP Lockdown Configuration427
Displaying the Static Configuration of IP-To-MAC Bindings428
Debugging Dynamic IP Lockdown429
Using the Instrumentation Monitor431
Operating Notes432
Configuring Instrumentation Monitor433
Examples434
Viewing the Current Instrumentation Monitor Configuration435
Traffic/Security Filters and Monitors438
Overview438
Introduction438
Filter Limits438
Using Port Trunks with Filters438
Filter Types and Operation439
Source-Port Filters440
Operating Rules for Source-Port Filters440
Example441
Named Source-Port Filters442
Operating Rules for Named Source-Port Filters442
Defining and Configuring Named Source-Port Filters443
Viewing a Named Source-Port Filter444
Using Named Source-Port Filters445
Configuring Traffic/Security Filters451
Configuring a Source-Port Traffic Filter452
Example of Creating a Source-Port Filter453
Configuring a Filter on a Port Trunk453
Editing a Source-Port Filter454
Filter Indexing455
Displaying Traffic/Security Filters456
User-Based Access Control (802.1X)457
Contents457
Overview460
Why Use Port-Based or User-Based Access Control460
General Features460
User Authentication Methods461
802.1X User-Based Access Control461
802.1X Port-Based Access Control462
Alternative to Using a RADIUS Server463
Accounting463
Terminology463
General 802.1X Authenticator Operation466
Example of the Authentication Process466
VLAN Membership Priority467
General Operating Rules and Notes469
General Setup Procedure for 802.1X Access Control471
Do These Steps before You Configure 802.1X Operation471
Overview: Configuring 802.1X Authentication on the Switch474
Configuring Switch Ports as 802.1X Authenticators475
The (Default) Port-Based Authentication476
Enable the Selected Ports as Authenticators and Enable476
Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication476
Enable 802.1X Authentication on Selected Ports476
Specify User-Based Authentication or Return to Port-Based Authentication477
Example: Configuring User-Based 802.1X Authentication478
Example: Configuring Port-Based 802.1X Authentication478
Reconfigure Settings for Port-Access478
Configure the 802.1X Authentication Method481
Enter the RADIUS Host IP Address(Es)482
Enable 802.1X Authentication on the Switch482
Optional: Reset Authenticator Operation483
Optional: Configure 802.1X Controlled Directions483
Wake-On-LAN Traffic484
Operating Notes484
Example: Configuring 802.1X Controlled Directions485
Unauthenticated VLAN Access (Guest VLAN Access)485
Characteristics of Mixed Port Access Mode486
Configuring Mixed Port Access Mode487
802.1X Open VLAN Mode488
Introduction488
VLAN Membership Priorities489
Use Models for 802.1X Open VLAN Modes490
Operating Rules for Authorized-Client and Unauthorized-Client Vlans495
Setting up and Configuring 802.1X Open VLAN Mode499
802.1X Open VLAN Operating Notes503
- Option for Authenticator Ports: Configure Port-Security to Allow Only 802.1X-Authenticated Devices504
Port-Security504
Port-Security505
- Configuring Switch Ports to Operate as Supplicants for 802.1X Connections to Other Switches506
Example506
Supplicant Port Configuration508
Displaying 802.1X Configuration, Statistics, and Counters510
Show Commands for Port-Access Authenticator510
Viewing 802.1X Open VLAN Mode Status519
Show Commands for Port-Access Supplicant523
How RADIUS/802.1X Authentication Affects VLAN Operation524
VLAN Assignment on a Port525
Operating Notes525
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session527
Enabling the Use of GVRP-Learned Dynamic Vlans in Authentication Sessions530
Messages Related to 802.1X Operation532
Configuring and Monitoring Port Security533
Contents533
Overview535
Port Security536
Basic Operation536
Eavesdrop Prevention537
Disabling Eavesdrop Prevention537
Feature Interactions When Eavesdrop Prevention Is Disabled538
Blocking Unauthorized Traffic539
MIB Support539
Trunk Group Exclusion540
Planning Port Security541
Port Security Command Options and Operation542
Port Security Display Options542
Configuring Port Security546
Retention of Static Addresses551
MAC Lockdown556
MAC Lockdown557
Differences between MAC Lockdown and Port Security558
MAC Lockdown Operating Notes559
Deploying MAC Lockdown560
MAC Lockout560
MAC Lockout561
Port Security and MAC Lockout563
Notice of Security Violations564
Web: Displaying and Configuring Port Security Features564
Reading Intrusion Alerts and Resetting Alert Flags564
How the Intrusion Log Operates565
Keeping the Intrusion Log Current by Resetting Alert Flags566
Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags567
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags568
- Using the Event Log to Find Intrusion Alerts570
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags571
Operating Notes for Port Security572
Contents575
Using Authorized IP Managers576
Overview576
Options577
Access Levels577
Defining Authorized Management Stations578
Overview of IP Mask Operation578
Menu: Viewing and Configuring IP Authorized Managers579
CLI: Viewing and Configuring Authorized IP Managers580
Listing the Switch's Current Authorized IP Manager(S)580
Configuring IP Authorized Managers for the Switch581
Web: Configuring IP Authorized Managers583
Web Proxy Servers583
How to Eliminate the Web Proxy Server583
Using a Web Proxy Server to Access the Web Browser584
Interface584
Web-Based Help584
Building IP Masks584
Configuring One Station Per Authorized Manager IP Entry584
Configuring Multiple Stations Per Authorized Manager IP Entry585
Additional Examples for Authorizing Multiple Stations587
Operating Notes587

Brand	HP
Model	ProCurve 6120G/XG
Category	Switch
Language	English

HP ProCurve 6120G/XG User Manual

Table of Contents

Other manuals for HP ProCurve 6120G/XG

Questions and Answers:

HP ProCurve 6120G/XG Specifications

Related product manuals