ProCurve 2610 User Manual

Details on publications printed and shipped with the switch, available in PDF format.

Information on electronic publications available in PDF format on the ProCurve Web site.

Describes how to use ProCurve's switch security features to protect access to your switch.

Covers the access security features including passwords, TACACS+, RADIUS, SSH, and SSL.

Details two key areas to protect: unauthorized client access to management features and the network.

Provides guidelines for implementing network traffic security based on OSI model precedence.

Explains conventions used for command syntax and displayed information in the guide.

Indicates which product or product series offer a specific software feature.

Explains the syntax conventions for CLI commands, including delimiters and formatting.

Describes the default CLI prompt and how it can be customized.

Illustrates how simulated screen text and command output appear in the guide.

Explains the port identity system used for chassis-based and stackable switches.

Consults other product manuals and the ProCurve website for additional switch information.

Provides guidance for users who only need a quick start for IP addressing.

Recommends using the Switch Setup screen to quickly configure IP addressing.

Guides users to the Installation and Getting Started Guide for physical setup and basic configuration.

Explains console access levels (Manager and Operator) and password pair configuration.

Details configuring local passwords and usernames via Menu, CLI, and Web interfaces.

Procedure for setting Manager and Operator passwords using the switch's menu interface.

Describes using CLI commands to configure Manager and Operator passwords and usernames.

Explains how to configure passwords and optional usernames via the web browser interface.

Covers front-panel features for enabling/disabling password clearing and factory reset.

Discusses the importance of security for confidential data and physical access concerns.

Details the functions of the Reset and Clear buttons on the switch's front panel.

Explains CLI commands to disable/re-enable password clearing, reset-on-clear, and factory reset.

Describes the password recovery feature for regaining management access after losing passwords.

Details the process of recovering a lost password, including contacting Customer Care.

Introduces Web and MAC authentication for port-based security using RADIUS servers.

Explains port-based solutions where ports can belong to one untagged VLAN at a time.

Lists features including port-access authenticator, VLAN assignment, and web page login.

Describes client authentication process with RADIUS servers for Web-based and MAC-based methods.

Explains how clients present credentials to the switch for verification by a RADIUS server.

Defines terms like Authorized-Client VLAN, Authentication Server, Authenticator, CHAP, Client, Redirect URL, Static VLAN.

Covers concurrent authentication, precedence, VLAN rules, and client movement.

Outlines steps before configuring Web/MAC authentication, including local passwords and port determination.

Prepares for Web/MAC authentication by configuring local accounts, ports, and VLANs.

Provides server configuration details for MAC authentication, including MAC address format.

Details commands for configuring the switch to access a RADIUS server for authentication.

Provides an overview and steps for configuring Web Authentication on switch ports.

Lists commands for configuring Web-Based Authentication, including DHCP and SSL options.

Outlines steps for configuring MAC Authentication on switch ports, including address format.

Lists commands to display Web Authentication status and configuration settings.

Lists commands to display MAC Authentication status and configuration settings.

Explains possible client status information reported by 'show...clients' commands.

Explains TACACS+ authentication for allowing or denying access to the switch.

Defines terms like NAS, TACACS+ Server, and Authentication.

Lists requirements for using TACACS+ authentication, including server setup and switch configuration.

Provides steps for testing TACACS+ service before full implementation to avoid lockouts.

Details the process of configuring TACACS+ authentication on the switch.

Recommends reading setup procedures and configuring TACACS+ servers before switch configuration.

Lists CLI commands covered in the TACACS+ configuration section.

Lists login attempts, primary/secondary access methods for console and Telnet.

Lists timeout, encryption key, and IP addresses of TACACS+ servers the switch can contact.

Explains configuring access control for Console, Telnet, SSH using TACACS+ or local methods.

Details parameters for the tacacs-server command, including host IP, encryption key, and timeout.

Describes the general authentication process using a TACACS+ server.

Explains the sequence of events when a client requests authentication via a TACACS+ server.

Describes how the switch reverts to local authentication when TACACS+ fails or is not used.

Explains how encryption keys help prevent unauthorized access to TACACS+ packets.

Provides methods to prevent unauthorized access via the web browser interface.

Lists CLI messages related to TACACS+ operation and their meanings.

Discusses Authorized IP Managers, local passwords, and TACACS+ server accessibility.

Explains RADIUS for authentication and accounting, allowing separate settings for each server.

Defines terms related to RADIUS, including CHAP, EAP, Host, NAS, RADIUS Client/Server, Shared Secret Key.

Outlines rules for RADIUS operation, including server accessibility and authentication methods.

Provides preparation steps for configuring RADIUS on the switch, including server details.

Lists commands for configuring RADIUS authentication methods for various access types.

Details three main steps for configuring RADIUS authentication: access methods, server access, and global parameters.

Describes configuring authentication for Serial port, Telnet, SSH, Web, and Port-Access.

Explains how to configure the switch to interact with RADIUS servers for authentication and accounting.

Details global RADIUS parameters like login attempts, global server key, timeouts, and retransmits.

Describes when and how the switch reverts to local authentication if RADIUS fails or is unavailable.

Methods to prevent unauthorized access through the web browser interface using RADIUS authentication.

Explains how to limit user services by enabling AAA RADIUS authorization for CLI commands.

Details configuring RADIUS accounting, including types, reports, and session options.

Shows how to view general RADIUS configuration and specific server information.

Provides information on setting up a RADIUS server for CoS and ACL features on ports.

Guidelines for configuring a RADIUS server to dynamically apply Class of Service (CoS).

Shows how to view CoS settings imposed by a RADIUS server during an active client session.

Describes applying RADIUS-assigned dynamic port ACLs to filter traffic from authenticated clients.

Introduces RADIUS-assigned ACLs for filtering IP traffic from authenticated clients.

Defines terms related to ACLs like ACE, ACL, ACL ID, DA, Deny, Dynamic Port ACL, Implicit Deny, Inbound Traffic, NAS.

Explains dynamic port ACLs for Layer-3 filtering of IP traffic from authenticated clients.

Highlights key differences between static ACLs on ports and dynamic port ACLs assigned by RADIUS.

Describes how RADIUS assigns ACLs to ports based on client credentials to filter inbound traffic.

Provides steps for using dynamic port ACLs to establish access policies for client IP traffic.

Explains the sequential comparison and action process when applying an ACL to filter a packet.

Details rules for relating clients to dynamic port ACLs and their limitations.

Provides guidelines for configuring RADIUS servers to specify dynamic port ACLs.

Details the syntax and operating information for ACLs configured in a RADIUS server.

Outlines steps to enable switch forwarding of client credentials to RADIUS for dynamic ACLs.

Shows commands to display current ACL activity imposed per port by RADIUS server responses.

Lists event log messages related to ACL configuration and application errors.

Explains common reasons for client deauthentication after successful authentication.

Discusses how RADIUS-based sessions using dynamic port ACLs share switch resources.

Introduces Secure Shell (SSH) for remote management access via encrypted paths.

Defines terms related to SSH, including SSH Server, Key Pair, PEM, Private Key, Public Key, Levels.

Requires installing an SSH client application with key generation or import capabilities.

Specifies that client applications must export public keys in PEM-Encoded or Non-Encoded ASCII format.

Outlines general steps for configuring SSH for two-way authentication between switch and client.

Covers rules for public key exportability, key pair persistence, and security implications.

Lists SSH-related CLI commands and provides instructions for configuring SSH on the switch.

Recommends assigning at least a Manager password for switch configuration security.

Explains the need to generate a public/private host key pair for SSH negotiation.

Describes copying the switch's public key to client 'known hosts' files for secure access.

Details enabling SSH, host public-key authentication, and client contact behavior.

Explains configuring primary/secondary authentication methods for SSH Login and Enable levels.

Instructs users to test SSH configuration to ensure desired operation level.

Provides details on client public-key authentication, key file creation, and transfer.

Lists common SSH operation messages and their meanings, including TFTP errors.

Introduces SSL/TLS for secure web transactions, providing encrypted and authenticated access.

Defines terms related to SSL, including SSL Server, Key Pair, Digital Certificate, Self-Signed Certificate.

Requires installing an SSL-enabled web browser application for switch management access.

Outlines general steps for configuring SSL, including client preparation and switch preparation.

Covers rules for certificate generation, key pair persistence, and security implications.

Lists SSL-related CLI commands and provides instructions for configuring SSL on the switch.

Recommends assigning a Manager password for switch configuration security.

Explains generating a server certificate, including self-signed and CA-signed types.

Details enabling SSL and handling browser contact behavior, including security concerns.

Lists common errors during SSL setup, such as missing certificates or reserved TCP ports.

Explains how ACLs filter traffic from hosts, groups, or subnets for network performance.

Details how ACLs filter traffic at the network edge to remove unwanted traffic and improve performance.

Discusses augmenting ACLs with Identity Driven Management (IDM) via RADIUS server.

Introduces ProCurve Manager (PCM) and Identity Driven Manager (IDM) for network management.

Explains Layer 3 IP filtering with ACLs for network performance and restricting network use.

Defines terms related to ACLs: ACE, ACL, ACL ID, DA, Deny, Dynamic Port ACL, Implicit Deny, Inbound Traffic, NAS, SA, Standard ACL, Wildcard.

Describes Standard ACLs for source IP filtering and Extended ACLs for broader criteria.

Explains Standard ACLs (source IP) and Extended ACLs (source/destination IP, TCP/UDP criteria).

Details applying ACL filtering to inbound IP traffic on physical ports or static trunks.

Highlights common ACL features like multiple entries, ACEs, implicit deny, and logging.

Provides a process for planning and configuring ACLs, including traffic type and policy determination.

Describes how ACLs operate on assigned ports and static trunks to filter traffic types.

Explains the sequential comparison of ACEs to packets and the action taken upon finding a match.

Guides planning ACL applications by understanding switch resources and desired policies.

Discusses how ACLs load resources and the importance of resource planning for configurations.

Explains how IP subnet masks and application changes consume ACL resources.

Details how ACLs block unnecessary traffic and restrict user access to improve performance.

Explains how ACLs enhance security by blocking inbound IP traffic from unauthorized source IP addresses.

Provides steps for planning ACL structure, including determining application points and ACE order.

Covers per-interface ACL limits, implicit deny, explicit permit/deny, and ACL assignment exclusivity.

Explains how IP addresses and masks in ACEs enforce selection policies for packet screening.

Describes how to configure and assign numbered and named ACLs to interfaces.

Details the basic ACL structure including type, name, deny/permit entries, and implicit deny.

Discusses ACL resource consumption and the significance of entry sequence in ACLs.

Describes using the CLI method for creating short ACLs and general ACE rules.

Enhances in-band security and control over network resources using static per-port filters.

Explains configuring traffic filters to forward or drop unwanted traffic between ports and trunks.

Details preventing traffic from one subnet routing to another within the same VLAN using source-port filters.

Covers operating rules for configuring source-port filters on ports or port trunks.

Explains rules for configuring one source-port filter per port/trunk and its composition.

Describes the source-port filter command for creating or deleting filters with drop/forward actions.

Explains how to list source-port filters and view detailed information using the show filter command.

Details how the switch automatically assigns index (IDX) numbers to source-port filters.

Explains updating existing filters by changing actions for destination ports or trunks.

Describes using named filters applicable to multiple ports and trunks for easier management.

Introduces 802.1X for port-based and user-based access control, simplifying security management.

Explains how 802.1X simplifies security by providing access control and user profiles via RADIUS servers.

Lists key 802.1X features: authenticator/supplicant operation, RADIUS authentication, Open VLAN mode, user-based control.

Compares Port-Based and User-Based access control methods, highlighting their operating details.

Defines 802.1X terms: Authenticator, CHAP, Client, User-Based, Guest VLAN, EAP, EAPOL, Friendly Client, MD5, PVID, Port-Based, Static VLAN.

Describes security on point-to-point links between clients and switches using 802.1X-aware devices.

Illustrates the authentication process involving switch, client, and RADIUS server or local authentication.

Explains the priority order for assigning VLAN membership after client authentication.

Covers rules for user-based and port-based modes, re-authentication, and concurrent authentication.

Outlines steps before configuring 802.1X, including local accounts, ports, and RADIUS servers.

Provides steps for configuring 802.1X authentication, including user-based, port-based, and supplicant settings.

Details configuring ports as 802.1X authenticators, including enabling, setting modes, and commands.

Enables ports as 802.1X authenticators and sets default port-based authentication.

Allows reconfiguring port-access settings like control mode (authorized, auto, unauthorized).

Specifies the authentication type: local, EAP-RADIUS, or CHAP-RADIUS.

Configures the switch to use RADIUS servers for authentication, specifying IP addresses and keys.

Activates 802.1X port-access on ports configured as authenticators.

Allows resetting 802.1X authentication and statistics on specified ports.

Configures how ports transmit traffic before successful authentication (ingress/egress).

Provides a path for clients to acquire 802.1X supplicant software before authentication.

Describes using 802.1X Open VLAN mode for clients needing supplicant software or initialization services.

Explains the priority order for port VLAN membership after client authentication.

Details applying Open VLAN mode with Unauthorized-Client and Authorized-Client VLANs.

Introduces Port Security for configuring MAC addresses, detecting and logging unauthorized attempts.

Describes the default port security setting (off/continuous) and intruder protection mechanisms.

Explains that configuring port security automatically enables eavesdrop prevention for the port.

Details how the switch blocks unauthorized traffic without disabling the port upon security violation.

States that port security does not operate on static or dynamic trunk groups.

Guides planning port security configuration by considering ports, authorized devices, and security actions.

Describes CLI port security commands, including learn modes, address limits, and actions.

Explains how learned and assigned static MAC addresses are retained after reboots or configuration changes.

Shows how to display port security listings for all ports or specified ports using CLI commands.

Details using the CLI to configure port security, add/delete devices, and clear intrusion flags.

Explains MAC Lockdown as permanent assignment of MAC address/VLAN to a specific port to prevent hijacking.

Compares MAC Lockdown and Port Security, highlighting their distinct features and architecture levels.

Provides considerations for deploying MAC Lockdown within network topologies, especially with Spanning Tree Protocol.

Describes MAC Lockout as a simple blacklist feature to drop all traffic to/from a MAC address on the switch.

Explains that MAC Lockout overrides Port Security and 802.1X authentication and cannot be used together.

Guides users on how to check and configure Port Security settings via the web browser interface.

Explains how the switch notifies of security violations and how to reset alert flags.

Describes how the switch sets alert flags and provides notification methods for security violations.

Explains how the Intrusion Log lists detected security violation attempts and their history.

Details how resetting alert flags keeps the Intrusion Log current and allows new intrusion logging.

Shows how to use the Event Log and CLI commands to find and review port security intrusions.

Guides users on checking Alert Log and Intrusion Log via the web browser interface.

Provides notes on identifying intruder IP addresses, log entries, and LACP availability with port security.

Explains how Authorized IP Managers use IP addresses and masks to control network access to the switch.

Details configurable options: authorized manager addresses, access levels for Telnet, SNMP, and web browser.

Defines Manager and Operator access levels for stations using Telnet, SNMPv1, SNMPv2c.

Describes authorizing single stations or groups of stations using IP addresses and masks.

Explains how IP masks control switch access by defining ranges of authorized IP addresses.

Provides steps to view and configure IP Authorized Managers using the switch's console menu.

Lists CLI commands for viewing and configuring authorized IP managers and their access levels.

Details configuring IP Authorized Managers via the web browser interface (add, modify, delete).

Recommends avoiding web proxy servers for switch access due to security risks.

Guides users on accessing web-based help for the web browser interface screen.

Explains how IP Mask parameters control recognition of authorized manager station IP addresses.

Describes the easiest way to authorize stations by adding each IP address with a 255.255.255.255 mask.

Explains using IP Masks to authorize groups of stations with the same access level.

Provides examples of IP mask analysis for single and multiple station entries.

Covers network security precautions, modem/console access, duplicate IPs, and web proxy servers.