HP HP 2530, Manual Supplement

Page 1: ...s listed on this page unless otherwise noted This document includes the following Software Feature Updates in Release YA 15 13 Applicable Products HP Switch 2530 Switch Series J9772A J9773A J9775A J9776A This supplement applies to the following manuals HP Switch Software Access Security Guide HP Switch Software IPv6 Configuration Guide HP Part Number 5998 4559 Published July 2013 Edition 1 ...

Page 2: ... for Commercial Items are licensed to the U S Government under vendor s standard commercial license The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be lia...

Page 3: ...wn 20 Protection against IP source address spoofing 20 Prerequisite DHCP snooping 20 Filtering IP and MAC addresses per port and per VLAN 21 Enabling dynamic IP lockdown 22 Adding an IP to MAC binding to the DHCP binding database 23 Potential issues with bindings 23 Verifying the dynamic IP lockdown configuration 24 Displaying the static configuration of IP to MAC bindings 24 Debugging dynamic IP ...

Page 4: ... the switch to support RADIUS assigned ACLs 51 Displaying current RADIUS assigned ACL activity on the switch 52 Event log messages 55 Causes for client deauthentication immediately after authenticating 56 2 Updates for the HP Switch Software IPv6 Configuration Guide 57 Access Control Lists ACLs 57 Introduction 57 ACL applications 58 RADIUS assigned ACLs 58 General application options 58 IPv6 ACLs ...

Page 5: ...c in IPv6 ACLs 83 Filtering switched IPv6 traffic inbound on a VLAN 85 Deleting an IPv6 ACL 86 Editing an existing ACL 86 Editing rules 86 Sequence numbering in ACLs 87 Inserting an ACE in an existing ACL with a sequence number 88 Deleting an ACE from an existing ACL 89 Resequencing ACEs in an IPv6 ACL 90 Attaching a remark to an ACE 91 Operating notes for remarks 93 Displaying ACL configuration d...

Page 6: ...etwork DHCP server caused by repeated attacker access to the network and numerous IP address requests Dynamic ARP protection Protects your network from ARP cache poisoning such as An unauthorized device forges an illegitimate ARP response and network devices use the response to update their ARP caches A denial of service DoS attack from unsolicited ARP responses changes the network gateway IP addr...

Page 7: ... packets received on other switch ports are inspected before being forwarded Packets from untrusted sources are dropped Conditions for dropping packets are shown below Packet Types Condition for Dropping a Packet DHCPOFFER DHCPACK DHCPNACK A packet from a DHCP server received on an untrusted port DHCPOFFER DHCPACK DHCPNACK If the switch is configured with a list of authorized DHCP server addresses...

Page 8: ...Default untrusted Configures trusted ports Only server packets received on trusted ports are forwarded trust Default Yes Enables DHCP packet validation The DHCP client hardware address field and the source verify MAC address must be the same for packets received on untrusted ports or the packet is dropped Default No Enables DHCP snooping on a vlan DHCP snooping must be enabled already vlan To disp...

Page 9: ...d range You can also use this command in the vlan context where you cannot enter a range of VLANs for snooping Example 3 DCHP snooping on a VLAN shows DHCP snooping enabled on VLAN 4 Example 3 DCHP snooping on a VLAN HP Switch config dhcp snooping vlan 4 HP Switch config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans 4 Verify MAC Yes Option 82 untrusted policy drop Op...

Page 10: ...igure up to 20 authorized servers To configure a DHCP authorized server address enter this command in the global configuration context HP Switch config dhcp snooping authorized server ip ad Example 5 Authorized servers for DHCP snooping HP Switch config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Verify MAC No Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 rem...

Page 11: ...ot set the MAC address is used The IP address of the VLAN the packet was received on for the remote id subnet ip If mgmt ip is specified but the value is not set the MAC address is used The management VLAN IP address of the remote id mgmt ip untrusted policy Configure DHCP snooping behavior when forwarding a DHCP packet from an untrusted port that already contains DHCP relay information Option 82 ...

Page 12: ...g verify mac Example 7 The DHCP snooping verify MAC setting HP Switch config dhcp snooping verify mac HP Switch config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans 4 Verify MAC yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id subnet ip DHCP binding database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted por...

Page 13: ...ddress IP VLAN Interface Time left 22 22 22 22 22 22 10 0 0 1 4 6 1600 NOTE If a lease database is configured and the switch reboot completes quickly the switch drops all DHCP packets until the lease database is read If the switch cannot read the lease database from the tftp server it waits until that operation times out and then starts forwarding DHCP packets Clearing DHCP snooping statistics Syn...

Page 14: ...eated attempts untrusted relay information packets will not be logged for the specified duration Ceasing untrusted server logs for s More than one packet was received from a DHCP server on an untrusted port To avoid filling the log file with repeated attempts untrusted server drop packet events are not logged for the specified duration Client address mac address not equal to source MAC mac address...

Page 15: ...the attacker s MAC address Thus the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending it The ARP cache of known IP addresses and associated MAC addresses can also be poisoned through unsolicited ARP response...

Page 16: ...nabling dynamic ARP protection To enable dynamic ARP protection for VLAN traffic on a routing switch enter the arp protect vlan command at the global configuration level Syntax no arp protect vlan vlan range Task Parameter Specifies a VLAN ID or a range of VLAN IDs from 1 to 4094 vlan range Example HP Switch config arp protect vlan 1 101 Configuring trusted ports Like DHCP snooping dynamic ARP pro...

Page 17: ...r Separate individual port numbers or ranges of port numbers with a comma for example 13 15 17 Specifies a port number or a range of port numbers port list Example HP Switch config arp protect trust 5 8 17 Adding an IP to MAC binding to the DHCP binding database and adding or removing a static binding A routing switch maintains a DHCP binding database used for DHCP and ARP packet validation Both t...

Page 18: ...configured to perform additional validation checks on ARP packets By default no additional checks are performed To configure additional validation checks enter the arp protect validate command at the global configuration level Syntax no arp protect validate src mac dest mac ip Detail Task Parameter n a Optional Drops any ARP request or response packet in which the source src mac MAC address in the...

Page 19: ...LAN ID RANGE command Example 10 The show arp protect statistics command HP Switch config show arp protect statistics 1 2 Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad source mac 2 Bad bindings 1 Bad destination mac 1 Malformed pkts 0 Bad IP address 0 Status and Counters ARP Protection Counters for VLAN 2 Forwarded pkts 1 Bad source mac 1 Bad bindings 1 Bad destinatio...

Page 20: ...e the BSD r protocols rlogin rcp rsh rely on the IP source address for packet authentication SNMPv1 and SNMPv2c also often use authorized IP address lists to limit management access An attacker that can send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized Dynamic IP lockdown provides protection against IP sou...

Page 21: ...rk a port must be a member of at least one VLAN with DHCP snooping enabled Disabling DHCP snooping on a VLAN removes Dynamic IP bindings on Dynamic IP Lockdown enabled ports in that VLAN The port reverts back to switching traffic as usual Filtering IP and MAC addresses per port and per VLAN Internal Dynamic IP lockdown bindings are dynamically applied on a per port basis from information in the DH...

Page 22: ...only IP packets exempt from dynamic IP lockdown are broadcast DHCP request packets which are handled by DHCP snooping DHCP snooping is a prerequisite for Dynamic IP Lockdown operation The following restrictions apply DHCP snooping is required for dynamic IP lockdown to operate To enable DHCP snooping enter the dhcp snooping command at the global configuration level Dynamic IP lockdown only filters...

Page 23: ...amic bindings with up to 32 bindings per port When DHCP snooping is enabled globally on a VLAN dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server Static bindings are created manually with the CLI or from a downloaded configuration file When dynamic IP lockdown is enabled globally or on ports the bindings associated with the ports are written to hardware...

Page 24: ...tic configuration of IP to MAC bindings To display the static configurations of IP to MAC bindings stored in the DHCP lease database enter the show ip source lockdown bindings command Syntax show ip source lockdown bindings port number Task Parameter Optional Specifies the port number on which source IP to MAC address and VLAN bindings are configured in the DHCP lease database port number Example ...

Page 25: ... 2 100 0 PORT 4 192 168 2 1 0 1 packets DIPLD 01 01 90 00 06 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 294 packets DIPLD 01 01 90 00 11 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 16 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 21 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 299 packets DIPLD 01 01 90 00 26 25 deni...

Page 26: ...cks fill the IP forwarding table causing legitimate traffic to be dropped ip address count Number of MAC address learn events per minute discarded to help free CPU resources when busy learn discards min The number of failed CLI login attempts or SNMP management authentication failures per minute This indicates an attempt has been made to manage the switch with an invalid login or password login fa...

Page 27: ...1 01 90 00 20 00 inst mon Limit for MAC addr count 300 is exceeded 324 W 01 01 90 00 20 00 inst mon Ceasing logs for MAC addr count for 15 minutes In Rate limiting when multiple messages are generated page 27 if a condition is reported 4 times persists for more than 15 minutes then alerts cease for 15 minutes If after 15 minutes the condition still exists the alerts cease for 30 minutes then for 1...

Page 28: ...ed The count of times per minute that a client has been unsuccessful logging into the network port auth failures Default threshold setting when enabled 3 seconds med The response time in seconds of the CPU to new network events system delay such as BPDU packets or packets for other network protocols Default threshold setting when enabled 50 med The percentage of system resources in use system reso...

Page 29: ...nstrumentation monitoring log enabled You can also view the current instrumentation monitor configuration with the show run command which does not display threshold values for each limit set Configuring RADIUS server support for switch services Affected Chapter Section Software Release Fix or Feature update Updated content for Chapter 6 Configuring RADIUS Server Support for Switch Services of the ...

Page 30: ...e services in the PCM application using the HP PMC Identity Driven Manager HP PMC IDM plug in see the documentation for these applications on the HP Networking website at www hp com support manuals All RADIUS based services described in this chapter can be used without PCM or HP PMC IDM support RADIUS server configuration for CoS 802 1p priority and rate limiting This section provides guidelines f...

Page 31: ...limit to the outbound traffic sent to a switch port VSA 48 string HP Setting HP RATE LIMIT bandwidth in Kbps Note RADIUS assigned rate limit bandwidths must be specified in Kbps bandwidth percentage settings are not supported Using a VSA on a RADIUS server to specify a per port rate limit requires the actual Kbps to which you want to limit outbound traffic volume For example to limit outbound traf...

Page 32: ... assigned ingress rate limits are applied to individual clients not to the client s port But if you use the CLI to configure a per port ingress rate limit on the same port where an authenticated client receives a RADIUS assigned ingress rate limit the client s assigned ingress limit can be reduced by the CLI configured port ingress limit if the port reaches its CLI configured rate limit maximum be...

Page 33: ...f dynamic RADIUS assignment Static per port setting options Dynamic RADIUS assignment options Applies per client that is only to client whose authentication triggered the assignment Up to 32 clients supported per port qos priority 0 7 802 1p Priority CoS rate limit all bcast icmp mcast in kbps percent Inbound Ingress Rate Limiting Applies per port that is to all clients on the port 1 rate limit al...

Page 34: ...d rate limit setting which is applied per port instead of per client then the outbound traffic from the port to all connected clients will be rate limited according to the value set by the server for the most recently authenticated client Thus if client X authenticates with web based authentication on port 4 with a RADIUS server that assigns a priority of 3 an inbound rate limit of 10 000 kbps and...

Page 35: ... later becomes authenticated with an outbound rate limit of 500 kbps while the session for client X is still active then the port operates with an outbound rate limit of 500 kbps for both clients Outbound rate limit Inbound rate limit 802 1p Assignment method on port 10 100 000 kbs1 100 000 kbs 7 Statically Configured Values 50 000 kbs1 10 000 kbs 3 RADIUS assigned when client X authenticates 1 Co...

Page 36: ...ng of ACL structure and operation For information on ACL filtering criteria design and operation see IPv4 Access Control Lists ACLs in the latest HP Switch Software Access Security Guide for your switch IPv6 Access Control Lists ACLs in the latest HP Switch Software IPv6 Configuration Guide for your switch RADIUS assigned dynamic ACLs RADIUS assigned ACLs enhance network and switch management acce...

Page 37: ...ntication services Configuring one or more ACLs on a RADIUS server instead of the switch and assigning each ACL to the username password pair or MAC address of the clients you want the ACLs to support Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network thus removing unwanted IP traffic as soon as possible and helpi...

Page 38: ...ements are likely to use the same port routed IPv4 traffic RACLs IP traffic from multiple sources with a destination on the switch itself Client authentication does not apply Implementation requires client authentication Identified by a number in the range of 1 199 or an alphanumeric name Identified by credentials username password pair or MAC address of the specific client the ACL is to service S...

Page 39: ...ce route command to disable source routing on the switch If source routing is disabled in the running config file the show running command includes no ip source route in the running config file listing How a RADIUS server applies a RADIUS assigned ACL to a client on a switch port A RADIUS assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials username passwo...

Page 40: ... also filtering the client s traffic For more information see An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port Multiple ACLs on an Interface in the latest HP Switch Software Access Security Guide for your switch ACL features planning and configuration The following steps outline a process for using RADIUS assigned ACLs to establish access policies for client IP traff...

Page 41: ... characters in a single ACE CAUTION Exceeding this limit causes the related client authentication to fail Effect of other statically configured ACLs If port 5 belongs to VLAN Y and has a RADIUS assigned ACL to filter inbound traffic from an authenticated client and port 5 is also configured with IPv4 and IPv6 static port ACLs and VLAN Y is statically configured with IPv4 and IPv6 ACLs then IP traf...

Page 42: ...ttribute for use in RADIUS assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic Assigns a RADIUS configured ACL to filter inbound packets received from Entry for IPv4 Only ACE To Filter Client Traffic a specific client authenticated on a switch port Nas filter Rule permit or deny ACE Standard Attribute 92 For example Nas filter Rule permit in tcp from any to any Entries for IPv4 IPv6 AC...

Page 43: ...of addresses you must distinguish the separate destinations by using explicit addresses for the any destinations For example HP Nas Rules IPv6 1 Nas filter Rule deny in tcp from any to 0 0 0 0 0 23 Nas filter Rule deny in tcp from any to fe80 b1 23 The above example sends IPv4 Telnet traffic to its any destination but IPv6 Telnet traffic only to fe80 b1 23 To reverse this example configure ACEs su...

Page 44: ...s the IPv6 traffic See also Nas Filter Rule Attribute Options page 42 HP Nas Rules IPv6 1 2 HP VSA used in an ACL to filter IPv6 traffic Settings include 1 ACE filters both IPv4 and IPv6 traffic 2 ACE filters IPv4 traffic and drops IPv6 traffic VSA not used ACE filters IPv4 traffic and drops IPv6 traffic This VSA must be present in an ACL where the Nas filter Rule attribute is intended to filter i...

Page 45: ...example all the following destinations are for IPv4 traffic HP Nas Rules IPv6 2 Nas filter Rule permit in tcp from any to any 23 Nas filter Rule permit in ip from any to 10 10 10 1 24 Nas filter Rule deny in ip from any to any The HP Nas Filter Rule VSA is used instead of either of the above options For example all the following destinations are for IPv4 traffic HP Nas filter Rule permit in tcp fr...

Page 46: ...s For example the following ACE shows two ways to deny any UDP traffic from an authenticated client with a DA of any address and a UDP destination port of 135 137 139 or 445 deny in udp from any to any 135 137 139 445 deny in 17 from any to any 135 137 139 445 icmp type icmpv6 type Optional ICMP type specifier This can be either a keyword or an ICMP type number For a list of numbers and types see ...

Page 47: ...vice at 10 10 10 101 Deny http TCP port 80 traffic from the client to all other devices Permit all other traffic from the client to all other devices To configure the above ACL enter the username password and ACE information shown in Figure 7 page 47 Figure 7 Example of configuring the FreeRADIUS server to support ACLs for the indicated clients Example using HP VSA 63 to assign IPv6 or IPv4 ACLs T...

Page 48: ...S assigned IPv6 and IPv4 ACLs in a FreeRADIUS server 2 Enter the switch IPv4 address NAS type and the key used in the FreeRADIUS clients conf file For example if the switch IP address is 10 10 10 125 and the key secret is 1234 enter the following in the server s clients conf file Figure 9 Example of switch identity information for a freeRADIUS application 48 Updates for the HP Switch Software Acce...

Page 49: ...es Permit all other IPv4 and IPv6 traffic from the client to all other devices To configure the above ACL enter the username password and ACE information as shown in Example of configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client using the correct username and password credentials page 49 Figure 10 Example of configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic f...

Page 50: ...created to filter IPv4 traffic automatically includes an implicit deny in ip from any to any ACE for IPv4 For example to create ACL support for a client with a username of User 10 and a password of auth7X the ACL in this example must achieve the following Permit http TCP port 80 traffic from the client to the device at 10 10 10 1 17 Deny http TCP port 80 traffic from the client to all other IPv4 a...

Page 51: ... filter Rule deny in ip from any to any HP Nas Filter Rule deny in ip from any to any Nas filter Rule deny in ip from any to any HP Nas Rules IPv6 2 Implicitly deny any IP traffic For any packet filtered by a RADIUS assigned ACL there is always a match as any packet without a match with an explicit permit or deny ACE in the list will match with the implicit deny any any ACE automatically included ...

Page 52: ... specified ports Syntax MAC Authentication Option aaa port access mac based port list This command configures MAC authentication on the switch and activates this feature on the specified ports Syntax Web Authentication Option aaa port access web based port list This command configures web based authentication on the switch and activates this feature on the specified ports Displaying current RADIUS...

Page 53: ...lient authentication Ports in port list not configured for authentication are not listed Client Base Details Port Port number of port configured for authentication Session Status Indicates whether there is an authenticated client session active on the port Options include authenticated and unauthenticated Username During an authenticated session shows the user name of the authenticated client If t...

Page 54: ...ction RADIUS ACL List Lists the explicit ACEs in the ACL assigned to the port for the authenticated client Includes the ACE Hit Count matches for ACEs configured with the cnt option see ACE syntax in RADIUS servers page 44 If a RADIUS ACL for the authenticated client is not assigned to the port No Radius ACL List appears in this field In Limit Kbps Indicates the ingress rate limit assigned by the ...

Page 55: ...16 redirect message 137 address mask request 17 router renumbering 138 address mask reply 18 icmp node information query 139 icmp node information response 140 inverse neighbor discovery solicitation message 141 inverse neighbor discovery advertisement message 142 version 2 multicast listener report 143 home agent address discovery request message 144 home agent address discovery reply message 145...

Page 56: ...d when the protocol is neither UDP or TCP A RADIUS assigned ACL limit has been exceeded An ACE in the ACL for a given authenticated client exceeds 80 characters The TCP UDP port range quantity of 14 per slot or port group has been exceeded The rule limit of 3048 per slot or port group has been exceeded The HP Nas Rules IPv6 attribute is missing or HP Nas Rules IPv6 2 is configured See Table 10 pag...

Page 57: ...e switches covered by this guide and how to monitor IPv6 ACL actions NOTE Because the switches covered by this guide operate in IPv4 IPv6 dual stack mode IPv4 and IPv6 ACLs can operate simultaneously in these switches with the restrictions listed below Static IPv6 ACLs and IPv4 ACLs do not filter each other s traffic IPv6 and IPv4 ACEs cannot be configured in the same static ACL See RADIUS assigne...

Page 58: ...r information on static IPv4 ACL applications see the IPv4 Access Control Lists ACLs chapter in the latest HP Switch Software Access Security Guide for your switch General application options Layer 3 IP filtering with ACLs lets you improve network performance and restrict network use by creating policies for Switch Management Access Permits or denies in band management access that includes prevent...

Page 59: ...witch can apply ACL filtering to traffic entering the switch on ports or trunks configured to apply ACL filters For example in Example of filter applications page 59 assign an inbound ACL on port 1 to filter a packet from the workstation 10 28 10 5 to the server at 10 28 20 99 All ACL filtering is performed on the inbound port or trunk Routing may be enabled or disabled on the switch and any permi...

Page 60: ...icated by such servers In Figure 17 page 60 client A connects to a given port and is authenticated by a RADIUS server Because the server is configured to assign a dynamic ACL to the port the IPv4 and IPv6 traffic inbound on the port from client A is filtered RADIUS assigned ACLs when multiple clients use the same port Some network configurations may allow multiple clients authenticate through a si...

Page 61: ...d the client de authenticated Using 802 1X port based security on a port where the RADIUS response to a client authenticating includes a RADIUS assigned ACL different results can occur depending on whether any additional clients attempt to use the port and whether these other clients initiate an authentication attempt This option is recommended for applications where only one client at a time can ...

Page 62: ...red on a RADIUS server to filter IPv4 traffic also denies inbound IPv6 traffic from an authenticated client unless the ACL includes ACEs that permit the desired IPv6 traffic The reverse occurs for a dynamic ACL configured on RADIUS server to filter IPv6 traffic ACLs are based on the MAC address of the authenticating client See the chapter Configuring RADIUS Server Support for Switch Services in th...

Page 63: ...nable IPv6 ACL deny logging page 105 5 Create the ACLs in the selected switches 6 Assign the ACLs to filter the inbound traffic on ports or static trunk interfaces configured on the switch 7 Test for desired results For more details on ACL planning considerations see Planning an ACL application page 68 CAUTION Source routing is enabled by default on the switch and can be used to override ACLs Thus...

Page 64: ...teria match a packet is found the action configured for that ACE is invoked and any remaining ACEs in the ACL are ignored Because of this sequential processing successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce Implicit Deny If a packet does not have a match with the criteria in any ACEs in the ACL the switch...

Page 65: ...you want to configure an ACL with an ID of Test 02 to invoke these policies for IPv6 traffic entering the switch on VLAN 100 1 Permit inbound IPv6 traffic from 2001 db8 0 fb 1 1 42 2 Deny only the inbound Telnet traffic from 2001 db8 0 fb 1 1 101 3 Permit inbound IPv6 traffic from 2001 db8 0 fb 1 1 101 4 Permit only inbound Telnet traffic from 2001 db8 0 fb 1 1 33 5 Deny any other inbound IPv6 tra...

Page 66: ...l not be any Telnet packets to compare with this entry they have already been dropped as a result of matching the preceding entry Line 40 Permits IPv6 Telnet traffic from 2001 db8 0 fb 1 1 33 Packets matching this criterion are permitted and are not compared to any later criteria in the list Packets not matching this criterion are compared to the next entry in the list Implicit Deny Any Any This e...

Page 67: ...not be compared to any later criteria in the list Because this entry comes after the entry blocking Telnet traffic from this same address there will not be any Telnet packets to compare with this entry they have already been dropped as a result of matching the preceding entry Line 40 Permits IPv6 Telnet traffic from source address 2001 db8 0 fb 1 1 33 Packets matching this criterion are permitted ...

Page 68: ...basis There are 128 rules available for configuring ACLs with the CLI and 128 rules available for configuring ACLs with IDM You can apply a CLI ACL and a IDM ACL on the same port at the same time The switch uses resources required by the ACEs in an ACL when you apply the ACL to one or more port or static trunk interfaces Rule usage There is only one implicit deny any entry per device for CLI ACLs ...

Page 69: ...ng and monitoring rule and mask usage in an ACL configuration Syntax access list resources help Provides a quick reference on how ACLs use rule resources Includes most of the information in ACL rule and mask resource usage page 68 plus an ACL usage summary Syntax show access list resources Shows the number of rules used maximum rules available resources used and resources required for ACLs created...

Page 70: ...d information on configuring and applying ACLs refer to the later sections of this chapter Viewing current rule usage The show access list resources command displays current information about rules and resources Example 23 Rules and resources used and required HP Switch config show access list resources ACL Resource Usage Rules Rules Resources Resources Feature Used Maximum Used Required cli acl 1...

Page 71: ...ection from malicious manipulation of data carried in IP packet transmissions do not rely on them for a complete security solution NOTE ACLs do not screen non IP traffic such as AppleTalk and IPX packets Guidelines for planning ACL structure The first step in planning a specific ACL is to determine where to apply it See ACL inbound application points page 59 Then determine the order in which you w...

Page 72: ...t encounters that does not have a match with an entry in the ACL and for t an ACL to permit any packets you have not expressly denied enter a permit any or permit ip any any as the last visible ACE in an ACL Because for a given packet the switch sequentially applies the ACEs in an ACL until it finds a match any packet that reaches the permit any or permit ip any any entry is permitted and will not...

Page 73: ...b8 10 1 Source SA to prefix FFFF FFFF FFFF FFFF prefix 0 2001 db8 10 1 218 71ff fec4 Destination DA to prefix FFFF To summarize when the switch compares an IPv6 packet to an ACE in an ACL it uses the subnet prefixes configured with the SA and DA in the ACE to determine how many leftmost contiguous bits in the ACE s SA and DA must be matched by the same bits in the SA and DA carried by the packet T...

Page 74: ... if you are using ACLs to enhance network security HP recommends disabling source routing on the switch To do so execute the no ip source route command ACL types Standard ACL Uses packet source IP address as a criterion for permitting or denying the packet For a standard ACL ID use either a unique numeric string in the range 1 99 or a unique name of up to 64 alphanumeric characters Extended ACL Ch...

Page 75: ... port depends on the concurrent resource usage by multiple configured features For more information use the show qos access list resources command or see Monitoring shared resources page 108 4 Implicit deny Where an ACL is applied to an interface it denies any packets that do not have a match with any of the ACEs explicitly configured in its list The implicit deny does not appear in ACL configurat...

Page 76: ...it ipv6 2001 db8 0 130 55 128 2001 db8 0 130 240 128 20 permit tcp 0 0 eq 23 30 remark ALLOWS HTTP FROM SINGLE HOST 30 permit tcp 2001 db8 0 140 14 128 eq 80 0 eq 3871 40 remark DENIES HTTP FROM ANY TO ANY 40 deny tcp 0 0 eq 80 log 50 deny udp 2001 db8 0 150 44 128 eq 69 2001 db8 0 120 19 128 range 3680 3690 log 60 deny udp 0 2001 db8 0 150 121 128 log 70 permit ipv6 2001 db8 0 01 56 0 exit Table ...

Page 77: ...nd When a match is found the switch applies the indicated action permit or deny to the packet Once a match is found for a packet subsequent ACEs in the same ACL are not applied to that packet whether or not they match the packet Example 27 ACE that permits all IPv6 traffic not implicitly denied ipv6 access list Sample List 2 10 deny ipv6 2001 db8 235 101 1282 03 20 deny ipv6 2001 db8 245 89 128 0 ...

Page 78: ...er entries in the list so no traffic remains for action by the implicit deny function Defines the end of the ACL exit Allowing for the implied deny function In any ACL having one or more ACEs there is always a packet match because the switch automatically applies the implicit deny as the last ACE in any ACL This function is not visible in ACL listings but is always present see Example 27 page 77 T...

Page 79: ...nds enter the context of an ACL named List 1 and add a permit ACE at the end of the list This new ACE permits IPv6 traffic from the device at 2001 db8 0 a9 8d 100 to go to all destinations HP Switch config ipv6 access list List 1 HP Switch config ipv6 acl permit host 2001 db8 0 a9 8d 100 any To insert an ACE anywhere in an existing ACL 1 Enter the ACL context 2 Specify a sequence number For exampl...

Page 80: ...ftmost 80 bits must match The remaining 48 bits are wildcards 2620 0 a03 e102 215 2620 0 a03 e102 215 80 All 128 bits must match This specifies a single host address 2620 0 a03 e102 215 60ff fe7a adc0 2620 0 a03 e102 215 60ff fe7a adc0 128 The leftmost 1 12 bits must match The remaining 16 bits are wildcards 2001 db8 a03 e102 0 ab4 100 2001 db8 a03 e102 0 ab4 100 1 12 Configuration commands Config...

Page 81: ...s and generates a message when there is either a deny match or a permit match Enabling disabling and displaying ACLs Page Example Task HP Switch config no vlan vid ipv6 access group name str vlan Enable or disable an IPv6 VACL HP Switch config no interface port list trkx ipv6 access group name str in HP Switch eth port list trkx no ipv6 access group name str in Enable or disable a static port ACL ...

Page 82: ... in increments of 10 and can be renumbered using resequence page 90 NOTE To insert a new ACE between two existing ACEs in an ACL precede deny or permit with an appropriate sequence number See Inserting an ACE in an existing ACL with a sequence number page 88 For a match to occur a packet must have the source and destination IPv6 addressing criteria specified in the ACE the protocol specific criter...

Page 83: ...iteria also enables the established option for controlling TCP connection traffic TCP deny permit tcp SA comparison operator tcp src port DA comparison operator tcp dest port established ack fin rst syn UDP deny permit udp SA comparison operator udp src port DA comparison operator udp dest port In an IPv6 ACL using either tcp or udp as the IP packet protocol type you can optionally apply compariso...

Page 84: ... ntp radius radius old rip snmp snmp trap tftp To list the above names press the Shift key combination after entering an operator For a list of port names see www iana org assignments port numbers comparison operator tcp dest port established comparison operator udp dest port Enter the comparison operator immediately after the DA entry To specify a TCP or UDP port number 1 Select a comparison oper...

Page 85: ...ion and operating rules page 72 Syntax no vlan vid ipv6 access group identifier vlan Assigns an ACL as a VACL to a VLAN to filter switched or routed IPv6 traffic entering the switch on that VLAN You can use either the global configuration level or the VLAN context level to assign or remove a VACL vid VLAN identification number identifier The alphanumeric name by which the ACL can be accessed An id...

Page 86: ...explicit ACEs later to the empty ACL automatically activates the ACEs as they are created and implements the implicit deny at the end of the ACL Deleting an ACL from the running configuration while the ACL is currently assigned on an interface adds an empty version of the ACL to the running configuration and on the interface Later removing the ACL from the interface also removes the empty ACL from...

Page 87: ...cheme Example 30 Default sequential numbering for ACEs ipv6 access list My list 10 permit ipv6 2001 db8 0 5ad 25 128 0 20 permit ipv6 2001 db8 0 5ad 111 128 0 30 permit icmp 2001 db8 0 5ad 115 128 0 135 40 deny ipv6 2001 db8 0 5ad 64 0 exit Append an ACE to the end of the ACL using ipv6 access list at the global configuration prompt or by entering the ACL context Example 31 Appending a new ACE to ...

Page 88: ...in an existing ACL with a sequence number Syntax 1 2147483647 permit deny ipv6 ACE criteria Used in the context of a given ACL this command inserts an ACE into the ACL 1 2147483647 The range of valid sequence numbers for an ACL ipv6 ACE criteria The various traffic selection options described earlier in this chapter NOTE Entering an ACE that would result in an out of range sequence number is not a...

Page 89: ...his example the first command creates a new ACL and enters the ACL context The next two ACEs entered become lines 10 and 20 in the list The third ACE entered is inserted between lines 10 and 20 using a sequence command with sequence number 1 1 Inserting an ACE into an existing sequence HP Switch config Port_1_5400 config ipv6 access list List 01 1 HP Switch config ipv6 acl permit ipv6 host fe80 10...

Page 90: ... to delete Example 34 page 90 illustrates the process for deleting an ACE from a list Example 34 Deleting an ACE from an IPv6 ACL HP Switch config show access list My List config 1 ipv6 access list My List 10 permit ipv6 fe80 100 128 0 20 deny ipv6 fe80 110 128 fe80 124 30 deny ipv6 fe80 111 128 fe80 124 40 permit ipv6 0 0 exit HP Switch config ipv6 access list My List2 HP Switch config ipv6 acl n...

Page 91: ...fig ipv6 access list My List 100 permit ipv6 fe80 100 128 0 200 deny ipv6 fe80 110 128 fe80 124 300 permit ipv6 0 0 exit Attaching a remark to an ACE A remark is numbered the same way as an ACE and uses the same sequence number as the ACE to which it refers This operation requires that the remark for a given ACE be entered before entering the ACE itself Syntax remark remark str 1 2147483647 remark...

Page 92: ... ACEs to the end of an ACL To append an ACE with an associated remark to the end of an ACL named List 100 enter remarks from the CLI context for the desired ACL HP Switch config ipv6 access list List 100 HP Switch config ipv6 acl permit tcp host 2001 db8 0 b 100 17 eq telnet any HP Switch config ipv6 acl permit tcp host 2001 db8 0 b 100 23 eq telnet any HP Switch config ipv6 acl remark BLOCKS UNAU...

Page 93: ...r as the remark you want to replace This step overwrites the former remark text with the new remark text Example 38 Replacing an existing remark To change the text of the remark at line 15 in Example 37 page 93 to PERMIT HTTP FROM ONE STATION use the following command HP Switch config ipv6 access list List 105 HP Switch config ipv6 acl 15 remark PERMIT HTTP FROM ONE STATION Removing a remark from ...

Page 94: ...matic inclusion at the end of an ACL each successive remark replaces the previous one until an ACE is configured for automatic inclusion at the end of the list Displaying ACL configuration data Page Function ACL Commands 95 View a brief listing of all ACLs on the switch show access list 95 Display the ACL lists configured in the switch show access list config 97 List the name and type for each IPv...

Page 95: ...cnt counter option show port access authenticator clients port list detailed Support for Switch Services in the HP Switch Software Access Security Guide for your switch show config includes configured ACLs and assignments existing in the startup config file show config show running includes configured ACLs and assignments existing in the running config file show running Displaying an ACL summary T...

Page 96: ...switch Name Displaying content of all ACLs on the switch The show access list command provides configuration details for every ACL configured in the running config file whether or not you have assigned any to filter traffic on switch interfaces Syntax show access list config List the configured syntax for all ACLs currently configured on the switch NOTE You can use the output from this command for...

Page 97: ...ing 10 permit tcp 2001 db8 0 1af 10 14 128 0 eq 23 20 permit tcp 2001 db8 0 1af 10 23 128 0 eq 23 30 deny tcp 2001 db8 0 1af 10 116 0 log 40 permit ipv6 2001 db8 0 1af 10 116 0 50 deny ipv6 0 0 log exit Displaying ACL information for a VLAN Syntax show access list vlan vid List the name and type for each IPv4 andI Pv6 ACL application assigned to a particular VLAN on the switch For example Example ...

Page 98: ...e are no per VLAN IPv6 ACLs assigned to VLAN 20 6 There are no per VLAN IPv6 ACLs assigned to VLAN 20 7 There are no IPv4 Connection Rate Filter ACLs see the chapter Virus Throttling Connection Rate Filtering in the HP Switch Software Access Security Guide for your switch Displaying static port and trunk ACL assignments This command lists the identification and types of current static port ACL ass...

Page 99: ...execute the write memory command after configuring an ACL it also appears in the show config display For information on IPv4 ACL operation see the latest version of the HP Switch Software Access Security Guide for your switch Syntax show access list identifier config Displays detailed information on the content of a specific ACL configured in the running config file For example suppose you configu...

Page 100: ...ion deny log Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto TCP Option s Dscp 40 Action permit Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto IPV6 Dscp 9 1 Protocol Data Indicates whether the ACL is applied to an interface 1 0 DSCP Codepoint or Precedence 2 Remark Field Appears if remark configured 8 TCP Destination ...

Page 101: ...ccess list identifier config command in Example 46 An ACL listed with the config option shows the same ACL data as show access list identifier but in the format used by the show run config commands Example 46 An ACL listed with the config option Port 1 config show access list List 120 config ip access list extended List 120 10 remark Telnet Allowed 10 permit tcp 10 30 133 27 0 0 0 0 eq 23 0 0 0 0 ...

Page 102: ...Es The source IPv6 or IPv4 address to which the configured mask is applied to determine whether there is a match with a packet Src IP Used in IPv6 ACEs to show TCP or UDP source and destination operator and port numbers included in the ACE Src Ports Dst Ports IPv6 Standard or Extended IPv6 ACLs use a source and a destination address plus IPv6 protocol specifiers Type Standard ACLs are IPv4 only an...

Page 103: ...wise the switch will append the new ACEs in the ACL you download to the existing ACL For example if you plan to use the copy command to replace an ACL named List 120 place the following command at the beginning of the edited file no ipv6 access list List 120 Example 47 An offline ACL file designed to replace an existing ACL no ipv6 access list List 1201 ip access list List 120 2 10 remark THIS ACE...

Page 104: ...o assign the ACL to a VLAN was included in the txt command file If this is not done in your applications the next step is to manually assign the new ACL to the intended VLAN vlan vid ipv6 access group identifier vlan vlan vid ipv6 access group identifier in 5 Then use the show run or show access list config command to inspect the switch configuration to ensure that the ACL was properly downloaded ...

Page 105: ... to the switch and identified in the running configuration The logging facility must been enabled for Syslog Debug must be configured to support ACL messages send debug messages to the desired debug destination These requirements are described in more detail under Enabling ACL logging on the switch page 106 ACL logging operation When the switch detects a packet match with an ACE and the ACE includ...

Page 106: ... log destinations Destination options include logging and session For more information on debug see Debug and Syslog Messaging Operation in the Appendix Troubleshooting in the latest HP Switch Software Management and Configuration Guide for your switch 4 Use debug acl or debug all to configure the debug operation to include ACL messages 5 Configure an ACL with the deny action and the log option in...

Page 107: ... affect switch performance For this reason HP recommends that you remove the logging option from ACEs for which you do not have a present need and do not configure logging where it does not serve an immediate purpose ACL logging is not an accounting method See also Apparent Failure To Log All Deny or Permit Matches in the section ACL Problems in appendix Troubleshooting of the latest HP Switch Sof...

Page 108: ...e insufficient resources to accommodate an ACL application affected by the change the change is not applied to any of the interfaces and the previous version of the ACL remains in effect See Monitoring shared resources page 108 Strict IPv6 TCP and UDP When the IPv6 ACL configuration includes TCP or UDP options the switch operates in strict TCP and UDP mode for increased control and the switch comp...

Page 109: ... an ACL 108 deleting from config 86 deny any any implicit supersede supersede implicit deny any any 75 deny any implicit 67 78 87 display configuration details 96 content of an ACL 99 data types 102 summary configured ACLs 95 dual stack 62 dual stack operation 57 duplicate sequence number 79 dynamic 57 dynamic port RADIUS ACL 57 dynamic port ACL application 60 editing 86 offline 102 effect of repl...

Page 110: ...ing adding 23 DHCP database IP to MAC binding 17 DHCP snooping 20 commands 7 configuring trusted ports 9 debug logging enabling 13 enabling 8 VLANs 9 Option 82 10 statistics clearing 13 trusted ports 9 dual stack operation 57 Dynamic ARP protection 15 enabling 16 trusted ports configuring 16 verifying configuring 19 dynamic ARP protection monitoring 19 Dynamic IP Lockdown address binding 20 addres...

Page 111: ...ork security 37 implicit deny 40 multiple application types in use 40 multiple clients access restriction 40 41 multiple dynamic ACLs 41 multiple on an interface 41 source routing caution source routing caution 39 standard attribute 42 switched packets 41 vendor specific attribute 42 43 44 RADIUS assigned ACLs RADIUS ACL 37 rate limiting RADIUS and CLI option 32 RADIUS egress 32 RADIUS ingress 32 ...