This document includes the following: Software Feature Updates in Release YA.15.13. Applicable Products: HP Switch 2530 Switch Series (J9772A, J9773A, J9775A, J9776A). This supplement applies to the following manuals: HP Switch Software Access Security Guide...
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall...
Contents 1 Updates for the HP Switch Software Access Security Guide......6 Configuring advanced threat protection..................6 Introduction.........................6 DHCP snooping........................7 Overview........................7 Enabling DHCP snooping....................8 Enabling DHCP snooping on VLANs.................9 Configuring DHCP snooping trusted ports................9 Configuring authorized server addresses................10 Using DHCP snooping with Option 82................10 Changing remote-id from a MAC to an IP address.............11...
Nas-Filter-Rule-Options....................42 ACE syntax in RADIUS servers..................44 Example using the standard attribute in an IPv4 ACL............46 Example using HP VSA 63 to assign IPv6 or IPv4 ACLs............47 Example using HP VSA 61 to assign IPv4 ACLs..............49 Configuration notes.......................51 Explicitly permit IPv4 and IPv6 traffic from an authenticated client........51 Explicitly permit only the IPv4 traffic from an authenticated client........51...
Security..........................71 Guidelines for planning ACL structure...................71 ACL configuration and operating rules..................72 How an ACE uses a mask to screen packets for matches............72 Prefix usage differences between ACLs and other IPv6 addressing..........73 Configuring and assigning an ACL...................74 Steps for implementing ACLs....................74 ACL types.........................74 ACL configuration structure....................74 ACL configuration factors....................77...
‘Configuring advanced threat protection’ is a new section in Chapter 10 — Port Security of the HP Switch Software Access Security Guide, for release YA.15.13 and later. NOTE: The features covered in this chapter are not supported on J9779A, J9780A, J9782A, and J9783A switches.
Attempts to deny switch service by filling the forwarding table are indicated by an increased number of learned MAC addresses or a high number of MAC address moves from one port to another. Attempts to exhaust available CPU resources are indicated by the discard of an increased number of learned MAC address events. DHCP snooping Command...
Option 82 remote-id : mac Store lease database : Not configured Port Trust ----- ----- To display statistics about the DHCP snooping process, enter this command: HP Switch(config)# show dhcp-snooping stats Updates for the HP Switch Software Access Security Guide...
Example 2 Show DHCP-snooping statistics HP Switch(config)# show dhcp-snooping stats Packet type Action Reason Count ----------- ------- ---------------------------- --------- server forward from trusted port client forward to trusted port server drop received on untrusted port server drop unauthorized server client...
Using DHCP snooping with Option 82 DHCP adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See “Configuring DHCP Relay” in the HP Switch Software Multicast and Routing Guide for more information on Option 82.)
DHCP snooping only overrides Option 82 settings on a VLAN with snooping enabled, not on VLANs without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, HP recommends that you have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, use the following command in the global configuration context.
The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it reads its binding database from the specified location. To configure this location use the following command: ...
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command: Syntax: show dhcp-snooping binding Example 8 The DHCP snooping binding database contents HP Switch(config)# show dhcp-snooping binding MacAddress VLAN Interface Time left ------------- --------------- ---- --------- --------- 22.22.22.22.22.22...
HP recommends running a time synchronization protocol such as SNTP to track lease times accurately. A remote server must be used to save lease information or connectivity may be lost after a switch reboot. Log messages Attempt to release address <ip-address> leased to port <port-number> detected on port <port-number>...
MAC address, port number, VLAN identifier, leased IP address, and lease time. The DHCP binding database is used to validate packets by other security features on the switch. For more information, see “DHCP Snooping” in the HP Switch Software Access Security Guide.
ARP packets may be dropped and need to be retransmitted. The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and report ARP packet-forwarding status and counters. Enabling dynamic ARP protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.
(for example, 13-15, 17). Example: HP Switch(config)# arp-protect trust 5-8, 17 Adding an IP-to-MAC binding to the DHCP binding database and adding or removing a static binding A routing switch maintains a DHCP binding database used for DHCP and ARP packet validation.
You can configure one or more of the validation checks. In the following example, the arp-protect validate command configures validation checks for source MAC address and destination MAC address: HP Switch(config)# arp-protect validate src-mac dest-mac ...
IP validation failures, enter the show arp-protect statistics VLAN-ID-RANGE command: Example 10 The show arp-protect statistics command HP Switch(config)# show arp-protect statistics 1-2 Status and Counters - ARP Protection Counters for VLAN 1 Forwarded pkts : 10 Bad source mac...
‘Dynamic IP Lockdown’ is a new section in Chapter 10 — Port Security of the HP Switch Software Access Security Guide, for release YA.15.13 and later. The Dynamic IP Lockdown feature prevents IP source address spoofing on a per-port and per-VLAN basis.
DHCP binding database, and dynamic IP lockdown will not allow inbound traffic from the client. HP recommends that you enable DHCP snooping a week before you enable dynamic IP lockdown to let the DHCP binding database learn clients’ leased IP addresses. Also ensure that the lease time for the information in the DHCP binding database lasts more than a week.
By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level. For more information on how to configure and use DHCP snooping, see “DHCP snooping” (page To enable IP lockdown: ...
Enter the ip source-lockdown command. This command enables IP source lockdown globally. Specify the port or ports to lock down with the ip source-lockdown <port-list> command. Specifying the ports to lock down does not automatically enable the feature globally, so complete both steps. After you enter the ip source-lockdown command (enabled globally with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:...
(YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature. ...
A delay of several seconds indicates a problem. system-resource-usage The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic. ...
To generate alerts for monitored events, enable the instrumentation monitoring log or SNMP trap. Adjust the threshold for each monitored parameter to minimize false alarms (see “Configuring instrumentation monitor” (page 27)). When a parameter exceeds its threshold, an alert (event log message or SNMP trap) is generated to inform network administrators of this condition.
To adjust the alert threshold for the MAC address count to a specific value: HP Switch(config)# instrumentation monitor mac-address-count 767 To enable monitoring of learn discards with the default medium threshold value: ...
Server Support for Switch Services’ of the HP Switch Software Access Security Guide. NOTE: RADIUS ACLs are not supported on the following HP switches: J9779A, J9780A, J9782A, and J9783A. Introduction This chapter provides information on configuring CoS (802.1p priority), rate-limiting, and ACL client services on a RADIUS server.
— IPv4-only or IPv4 and IPv6) HP recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases. If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.
Table 4 CoS and rate-limiting services (continued) Service Control method and operating notes For more on 802.1p priority levels, see "Overview" in the "Quality of Service (QoS)" chapter of the latest HP Switch Software Advanced Traffic Management Guide for your switch. Ingress (inbound) rate-limiting per-user VSA used in the RADIUS server.
100 Mbps 1,300,000 Per-port bandwidth override HP recommends that rate-limiting be configured either through RADIUS assignments or static CLI configuration unless the override described below is specifically desired. Ingress (inbound) traffic RADIUS-assigned ingress rate-limits are applied to individual clients, not to the client's port. But if...
Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps. For more on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" in the HP Switch Software Management and Configuration Guide for your switch.
10,000 kbps. Traffic from other clients using the port will not be affected by these values. The combined rate-limit outbound for all clients using the port will be 50,000 kbps until either all client sessions end or another client authenticates and receives a different outbound rate-limit. ...
NOTE: Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See “Per-port bandwidth override” (page 32). When multiple clients are currently authenticated on a given port where outbound (egress) rate-limiting values have been assigned by a RADIUS server, the port operates with the outbound rate-limit assigned by RADIUS for the most recently authenticated client.
ACL structure and operation. For information on ACL filtering criteria, design, and operation, see: “IPv4 Access Control Lists (ACLs)" in the latest HP Switch Software Access Security Guide for your switch. “IPv6 Access Control Lists (ACLs)" in the latest HP Switch Software IPv6 Configuration Guide for your switch.
Traffic applications The switch supports RADIUS-assigned ACLs for the following traffic applications: Inbound IPv4 traffic only Inbound IPv4 and IPv6 traffic This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required unique credentials.
Subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest HP Switch Software Management and Configuration Guide for your switch. One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, web-based authentication, and MAC-Authentication methods combined.
Counters increment when there is a packet match. The show statistics command includes options for displaying the packet match count; see “Monitoring Static ACL Performance” in the HP Switch Software Access Security Guide for your switch. Also, ACEs allow a log option that generates a log message whenever there is a packet match with a "deny"...
RADIUS-assigned ACL is also filtering the client's traffic. (An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port.) For more information, see “Multiple ACLs on an Interface” in the latest HP Switch Software Access Security Guide for your switch. ACL features, planning, and configuration The following steps outline a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.
For more on this topic, see “Static Port ACL Applications” and “Multiple ACLs on an Interface” in the HP Switch Software Access Security Guide for your switch. (An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port.)
Nas-filter-Rule="<permit or deny ACE> "(Standard Attribute 92) For example: HP-Nas-Rules-IPv6=1 Nas-filter-Rule="permit in tcp from any to any" Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client is dropped. Set IP Mode HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)
IPv6 traffic filtering), HP recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here. Configuring RADIUS server support for switch services...
[cnt]" Nas-filter-Rule= Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the HP VSA option (below) to filter inbound IPv6 traffic from the client, drops the IPv6 traffic. See also “Nas-Filter-Rule Attribute Options” (page 42).
Nas-filter-Rule+="deny in ip from any to any" The ACE uses the standard attribute ( Nas-filter-Rule) and the IPv6 VSA ( HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2. For example, all the following destinations are for IPv4 traffic: HP-Nas-Rules-IPv6=2 Nas-filter-Rule="permit in tcp from any to any 23"...
RADIUS accounting. Example using the standard attribute in an IPv4 ACL The Standard Attribute (92), when used in an ACL without the HP-Nas-Rules-IPv6 VSA, filters IPv4 traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.)
Figure 7 Example of configuring the FreeRADIUS server to support ACLs for the indicated clients Example using HP VSA 63 to assign IPv6 or IPv4 ACLs The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute (Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client.
Enter the following in the FreeRADIUS dictionary.hp file: HP vendor-specific ID ACL VSA for IPv6 ACLs (63) HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1) Figure 8 Example: Configuring the VSA for RADIUS-assigned IPv6 and IPv4 ACLs in a FreeRADIUS server Enter the switch IPv4 address, NAS type, and the key used in the FreeRADIUS clients.conf file.
This product release supports the HP VSA 61 vendor-specific method for enabling RADIUS-based IPv4 ACL assignments on the switch. Its recommended use is to support legacy ACL configurations that rely on VSA 61. Beginning with software release K.14.01, HP recommends using the standard attribute (92) for new, RADIUS-based IPv4 ACLs; see page 42.
Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: Figure 11 Example of configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file.
This option for ending a RADIUS-assigned ACL permits all the client's inbound IPv4 and IPv6 traffic not previously permitted or denied. Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1 See Table 10 (page 42) for information on the above attributes.
If cnt (counter) is included in an ACE, then the output includes the current number of inbound packet matches the switch has detected in the current session for that ACE, see “ACE syntax in RADIUS servers” (page 44). ...
Note: If there are no ACLs currently assigned to any port in <port-list>, executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.
If there is no egress rate-limit assigned, then Not Set appears in this field. Figure 15 Example of output showing current RADIUS-applied features ...
Event log messages See the HP Switch Software Event Log Message Reference Guide for information on Event Log messages. ...
The TCP/UDP port-range quantity of 14 per slot or port group has been exceeded. The rule limit of 3048 per slot or port group has been exceeded. An IPv6 ACE has been received on a port and the HP-Nas-Rules-IPv6 attribute is missing or HP-Nas-Rules-IPv6=2 is configured. See Table 10 (page 42) for more on this attribute.
Lists (ACLs) in the HP Switch Software IPv6 Configuration Guide, for release YA.15.13 and later. NOTE: IPv6 ACLs and RADIUS ACLs are not supported on the following HP switches: J9779A, J9780A, J9782A, and J9783A. Introduction An Access Control List (ACL) contains one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s...
RADIUS-assigned ACLs on a port as it allows authenticated clients. For information on RADIUS-assigned ACLs, refer to the chapter titled, “Configuring RADIUS Server Support for Switch Services” in the latest HP Switch Software Access Security Guide for your switch. NOTE: This chapter describes the IPv6 ACL applications you can statically configure on the switch.
Concurrent IPv4 and IPv6 ACLs You can implement concurrent configuration and operation of IPv4 and IPv6 ACLs. For information on IPv4 ACLs, see the latest HP Switch Software Access Security Guide for your switch. ACL inbound application points...
RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. In “Multiple, dual-stack clients authenticating through a single port” (page 61), clients A through D authenticate through the same port (1). Updates for the HP Switch Software IPv6 Configuration Guide...
For more information, see "Configuring Port-Based Access" in the "Port-Based and User-Based Access Control (802.1X)"chapter in the latest HP Switch Software Access Security Guide for your switch.
Standard and Extended ACL features cannot be combined in one ACL. You can configure ACLs using either the CLI or a text editor. HP recommends that you use the text-editor method when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI.
* For more information, see the chapter "Configuring RADIUS Server Support for Switch Services" in the latest version of the HP Switch Software Access Security Guide for your switch. See also the documentation for your RADIUS server. Identify the SA and/or the DA of IPv6 traffic you want to permit or deny.
For ACLs configured to filter inbound packets, Implicit Deny filters any packets, including those with a DA specifying the switch itself. This helps prevent management access from unauthorized IP sources. Figure 19 Packet-filtering process in an ACL with N entries (ACEs) ...
NOTE: The order where an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE allows "Permit Any" forwarding, the ACL permits all IPv6 traffic, and the remaining ACEs in the list do not apply, even if they have a match with traffic permitted by the first ACE.
Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33. Deny any other inbound IPv6 traffic. ...
30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0 40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23 <Implicit Deny Any Any> exit HP Switch(config)# vlan 12 ipv6 access-group Test-02 in Line 10 Permits IPv6 traffic from source address 2001:db8:0:fb::11:42. Packets matching this criterion are permitted and will not be compared to any later ACE in the list.
Standard ACLs Implicit deny any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#> command). First ACE entered Next ACE entered with the same ACL mask ...
Table 13 ACL rule and mask resource usage (continued) ACE Type Rule Usage Next ACE entered with a different ACL mask Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding Extended ACLs Implicit deny ip any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#>...
ACEs in a given ACL (or a large number of ACLs), increasing the complexity of your solution and rapidly consuming its resources. ...
What traffic can you implicitly block by taking advantage of the implicit deny any, denying traffic you have not explicitly permitted? This can reduce the number of entries needed in an ACL and make more economical use of switch resources. What traffic should you permit? Sometimes you need to explicitly identify permitted traffic;...
In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a match. Thus the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a packet’s SA and DA must be an exact match with the same bits in an ACE. The bits to the right of the prefix are wildcards, not used to determine a match. Prefix Range of Applicable Addresses Examples any IPv6 host ::/0 / 1 —...
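The prefix-matching and first-match rules described above (and the Test-02 listing and ACE-ordering note earlier on this page) can be modelled in a few lines. The following is an added illustration, not code from the HP guide or from the switch software: it compares only the leading prefix-length bits of a packet's SA and DA against each ACE, walks the ACL in sequence order, and falls through to the implicit "deny any any". The sample ACL is a reconstruction of Test-02 from the stated policy; ACEs 10 and 20 are not shown in the listing on this page and are an assumption, as is the ACE/packet syntax used here.

```python
"""Added example: first-match evaluation of an IPv6 ACL with implicit deny.

Not HP's code. Models the matching rules described in the guide; the ACE
and packet representations below are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ipv6" (any IP protocol), "tcp" or "udp"
    src: ipaddress.IPv6Network      # SA prefix; host X is X/128, any is ::/0
    dst: ipaddress.IPv6Network      # DA prefix
    dst_port: Optional[int] = None  # "eq <port>"; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmpv6", ...
    dst_port: Optional[int] = None


def net(text: str) -> ipaddress.IPv6Network:
    """Translate ACE address syntax: 'any', 'host <addr>' or '<addr>/<prefix>'."""
    if text == "any":
        return ipaddress.IPv6Network("::/0")
    if text.startswith("host "):
        return ipaddress.IPv6Network(text[len("host "):] + "/128")
    return ipaddress.IPv6Network(text)


def prefix_match(addr: str, network: ipaddress.IPv6Network) -> bool:
    """Only the leading <prefixlen> bits must be equal; the rest are wildcards."""
    shift = 128 - network.prefixlen          # /0 shifts all 128 bits away: matches any
    return (int(ipaddress.IPv6Address(addr)) >> shift) == \
           (int(network.network_address) >> shift)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches when protocol, optional port, SA prefix and DA prefix all agree."""
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return prefix_match(pkt.src, ace.src) and prefix_match(pkt.dst, ace.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE; (deny, None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq   # later ACEs are never consulted
    return "deny", None


# Reconstructed Test-02 (ACEs 10 and 20 inferred from the stated policy).
TEST_02: List[Ace] = [
    Ace(10, "permit", "ipv6", net("host 2001:db8:0:fb::11:42"), net("any")),
    Ace(20, "deny",   "tcp",  net("host 2001:db8:0:fb::11:101"), net("any"), 23),
    Ace(30, "permit", "ipv6", net("2001:db8:0:fb::11:101/128"), net("::/0")),
    Ace(40, "permit", "tcp",  net("2001:db8:0:fb::11:33/128"), net("::/0"), 23),
]


def with_permit_any_first(acl: List[Ace]) -> List[Ace]:
    """Illustrates why order matters: a leading 'permit ipv6 any any' shadows every later ACE."""
    return [Ace(5, "permit", "ipv6", net("any"), net("any"))] + list(acl)


if __name__ == "__main__":
    # Constructed sample packets, one per policy line in the guide.
    samples = [
        Packet("2001:db8:0:fb::11:42", "2001:db8::1", "tcp", 23),    # permit, 10
        Packet("2001:db8:0:fb::11:101", "2001:db8::1", "tcp", 23),   # deny, 20 (Telnet)
        Packet("2001:db8:0:fb::11:101", "2001:db8::1", "udp", 53),   # permit, 30
        Packet("2001:db8:0:fb::11:33", "2001:db8::1", "tcp", 23),    # permit, 40
        Packet("2001:db8:0:fb::11:33", "2001:db8::1", "tcp", 80),    # implicit deny
        Packet("2001:db8:0:fb::11:99", "2001:db8::1", "icmpv6"),     # implicit deny
    ]
    for p in samples:
        print(p.src, p.proto, p.dst_port, "->", evaluate(TEST_02, p))
```

Running the block prints the action and matching sequence number for each constructed packet; the two trailing packets report `('deny', None)` because no ACE matched and the implicit deny applied. Swapping in `with_permit_any_first(TEST_02)` makes every packet report `('permit', 5)`, which is the shadowing effect the ordering note above warns about.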
Source routing is enabled by default on the switch and can override ACLs. Thus, if you are using ACLs to enhance network security, HP recommends disabling source routing on the switch. To do so, execute the no ip source-route command.
One or more deny/permit list entries (ACEs) — one entry per line. Element Notes Identifier Alphanumeric; up to 64 characters, including spaces. Remark Allows up to 100 alphanumeric characters, including spaces. (If any spaces are used, enclose the remark in a pair of single or double quotes.) A remark is associated with a particular ACE and has the same sequence number as the ACE.
Includes a remark and permits TCP port 80 traffic received at any destination as port 3871 traffic. Includes a remark, denies TCP port 80 traffic received at any destination, and causes a log message to be generated when a match occurs. ...
Table 14 Displayed ACL configuration example explanation (continued) Line Action Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at 2001:db8:0:120::19 with a destination port number in the range of 3680 to 3690 and causes a log message to be generated when a match occurs.
(The ACL also does not use any of the monitored resources described in the appendix "Monitoring Resources" in the latest version of the HP Switch Software Management and Configuration Guide for your switch.)
“Configuring and assigning an ACL” (page 74) You can use either the switch CLI or an offline text editor to create an ACL. HP recommends that you use the CLI method for creating short ACLs; to use the offline method, see “Creating or editing...
<any | host <DA> | DA/<prefix-length>> [log] Inserting an ACE in an existing ACL HP Switch(config)# ipv6 access-list <name-str> with a sequence number HP Switch(config-ipv6-acl)# <seq-#> < deny | permit > ...
Enable or disable a static port ACL HP Switch(config)# [no] interface <port-list | trkx> ipv6 access-group <name-str> in HP Switch(eth-<port-list | trkx>)# [no] ipv6 access-group <name-str> in Displaying ACL configuration data HP Switch# show access-list HP Switch# show access-list <acl-name-str> [config]...
Use this criterion when you want to match only the IPv6 packets for a single DA. DA / prefix-length Specifies packets intended for one or more contiguous subnets or contiguous addresses ...
Parameter Task Subtask within a single subnet. The prefix length in CIDR format defines the number of leftmost bits to use in determining a match. See “Using CIDR notation to enter the IPv6 ACL prefix length” (page 80). In a given ACE, the DA prefix-length defines how many leftmost bits in a packet's DA must exactly match the DA configured in the ACE.
However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests is permitted, but inbound Telnet traffic trying to establish a new connection is denied. ...
The established and dscp options are mutually exclusive in a given ACE. Configuring established and any combination of TCP control bits in the same ACE is supported, but established must precede any TCP control bits configured in the ACE. TCP control bits In a given ACE for filtering TCP traffic you can configure one or more of these options: [ack]...
HP Switch(config)# vlan 20 ipv6 access-group List-010 vlan HP Switch(config)# vlan 20 HP Switch(vlan-20)# ipv6 access-group List-015 vlan HP Switch(vlan-20)# exit HP Switch(config)# no vlan 20 ipv6 access-group List-010 vlan HP Switch(config)# vlan 20 HP Switch(vlan-20)# no ipv6 access-group List-015 vlan HP Switch(vlan-20)# exit...
Append an ACE to the end of the ACL using ipv6 access-list at the global configuration prompt or by entering the ACL context: Example 31 Appending a new ACE to the end of an ACL HP Switch(config)# ipv6 access-list My-list permit esp host 2001:db8:0:5ad::19 any HP Switch(config)# ipv6 access-list My-list...
From the global configuration context, insert a new ACE with a sequence number of 45 between the ACEs numbered 40 and 50 in “Appending an ACE to an existing list” (page 88). ...
Inserting an ACE into an existing sequence HP Switch(config)# ipv6 access-list List-01 HP Switch(config-ipv6-acl)# permit ipv6 host fe80::100 host fe80::200 HP Switch(config-ipv6-acl)# permit ipv6 host fe80::103 any HP Switch(config-ipv6-acl)# 11 permit ipv6 host fe80::110 host fe80:: HP Switch(config-ipv6-acl)# show run Running configuration: . . .
This action reconfigures the starting sequence number for ACEs in an IPv6 ACL and resets the numeric interval between sequence numbers for ACEs configured in the ACL. Syntax: ipv6 access-list resequence <identifier> <starting-seq-#> <interval> ...
Inserting remarks and related ACEs within an existing list. To insert an ACE with a remark within an ACL by specifying a sequence number: Insert the numbered remark first. Then, using the same sequence number, insert the ACE (see Example 37 (page 93)). ...
Example 37 Inserting a remark and an ACE within an existing ACL HP Switch(config-ipv6-acl)# 15 remark "PERMIT HTTP; STATION 23; SUBNET 1D" HP Switch(config-ipv6-acl)# 15 permit tcp host 2001:db8:0:1d::23 eq 80 2001:db8:0:2f::/64 HP Switch(config-ipv6-acl)# show access-list config . . .
ACL Commands, Function, Page: show access-list radius <all | <port-list>> lists the IPv4 and IPv6 RADIUS ACLs currently assigned for either all ports and trunks, or for the specified ports or trunks. For more on this topic, see the chapter "Configuring RADIUS Server Support for Switch Services" in the HP Switch Software Access Security Guide for your switch. show port-access web-based clients <port-list> shows, for ports in the <port-list>, the details of the RADIUS-assigned features. For more on this topic, see...
ACL, it appears in the show config output. For example, with two ACLs configured in the switch, you will see results similar to the following Example 41 “An ACL configured syntax listing”: ...
ACL, it also appears in the show config output. “Listing the ACL assignments for ports and trunks” (page 99) shows IPv4 and IPv6 ACLs configured on various ports and trunks on the switch: ...
This information also appears in the show running display. If you execute the write memory command after configuring an ACL, it also appears in the show config display. For information on IPv4 ACL operation, see the latest version of the HP Switch Software Access Security Guide for your switch.
configured.) An empty TCP field indicates that the TCP port number for that field can be any value. (Figure callouts: Source Address, Destination Address, TCP Source Port, Source and Destination Prefix Lengths.) ...
Example 45 Listing an IPv4 extended ACL HP Switch(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Applied: No SEQ Entry ---------------------------------------------------------- 10 Action: permit Remark: Telnet Allowed Src IP: 10.30.133.27 Mask: 0.0.0.0 Port(s): eq Dst IP: 0.0.0.0 Mask: 255.255.255.255...
Copy commands that use either tftp or xmodem can also use usb as a source or destination device for file transfers. So while the following example highlights tftp, xmodem or usb can also transfer ACLs to and from the switch. ...
ACL configuration to a file named acl-001.txt in the TFTP directory on a server at FE80::2a1:200: HP Switch# copy command-output 'show access-list config' tftp fe80::2a1:200 acl-001.txt pc To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.
IP traffic on VLAN 20 NOTE: The comments preceded by ";" in the .txt source file for this configuration do not appear in the ACL configured in the switch. ...
If the configuration appears satisfactory, save it to the startup-config file: HP Switch(config)# write memory Enable IPv6 ACL "deny" logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit "deny" action. You can use ACL logging to help: Test your network to help ensure that your ACL configuration is detecting and denying the incoming IPv6 traffic you do not want to enter the switch.
Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information on debug, see "Debug and Syslog Messaging Operation" in the Appendix, "Troubleshooting", in the latest HP Switch Software Management and Configuration Guide for your switch.
Example 51 Commands for applying an ACL with logging HP Switch(config)# access-list 143 deny tcp host 10.38.100.127 any eq telnet log HP Switch(config)# access-list 143 permit ip any any HP Switch(config)# interface 10 access-group 143 in HP Switch(config)# logging 10.38.110.54...
In the interface context, use the no ipv6 access-group command to remove the ACL from the interface. Use the no ipv6 access-list <name-str> command to delete the ACL. ...