HP 2530 Switch Manual Supplement
Software Version YA.15.13
Abstract
This switch manual supplement is intended for network administrators and support personnel, and applies to the switch models
listed on this page unless otherwise noted. This document includes the following:
Software Feature Updates in Release YA.15.13
Applicable Products
HP Switch 2530 Switch Series (J9772A, J9773A , J9775A , J9776A)
This supplement applies to the following manuals:
HP Switch Software Access Security Guide
HP Switch Software IPv6 Configuration Guide
HP Part Number: 5998-4559
Published: July 2013
Edition: 1

Advertising

   Related Manuals for HP 2530

   Summary of Contents for HP 2530

  • Page 1

    This document includes the following: Software Feature Updates in Release YA.15.13 Applicable Products HP Switch 2530 Switch Series (J9772A, J9773A , J9775A , J9776A) This supplement applies to the following manuals: HP Switch Software Access Security Guide...

  • Page 2

    The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall...

  • Page 3: Table Of Contents

    Contents 1 Updates for the HP Switch Software Access Security Guide......6 Configuring advanced threat protection..................6 Introduction.........................6 DHCP snooping........................7 Overview........................7 Enabling DHCP snooping....................8 Enabling DHCP snooping on VLANs.................9 Configuring DHCP snooping trusted ports................9 Configuring authorized server addresses................10 Using DHCP snooping with Option 82................10 Changing remote-id from a MAC to an IP address.............11...

  • Page 4: Table Of Contents

    Nas-Filter-Rule-Options....................42 ACE syntax in RADIUS servers..................44 Example using the standard attribute in an IPv4 ACL............46 Example using HP VSA 63 to assign IPv6 or IPv4 ACLs............47 Example using HP VSA 61 to assign IPv4 ACLs..............49 Configuration notes.......................51 Explicitly permit IPv4 and IPv6 traffic from an authenticated client........51 Explicitly permit only the IPv4 traffic from an authenticated client........51...

  • Page 5: Table Of Contents

    Security..........................71 Guidelines for planning ACL structure...................71 ACL configuration and operating rules..................72 How an ACE uses a mask to screen packets for matches............72 Prefix usage differences between ACLs and other IPv6 addressing..........73 Configuring and assigning an ACL...................74 Steps for implementing ACLs....................74 ACL types.........................74 ACL configuration structure....................74 ACL configuration factors....................77...

  • Page 6: Updates For The Hp Switch Software Access Security Guide

    ‘Configuring advanced threat protection’ is a new section advanced threat protection release YA.15.13 and later. in Chapter 10 — Port Security of the HP Switch Software Access Security Guide NOTE: The features covered in this chapter are not supported on J9779A, J9780A, J9782A, and J9783A switches.

  • Page 7: Dhcp Snooping

    Attempts... Indicated by... to deny switch service by filling the forwarding table an increased number of learned MAC addresses or a high number of MAC address moves from one port to another to exhaust available CPU resources the discard of an increased number of learned MAC address events DHCP snooping Command...

  • Page 8: Enabling Dhcp Snooping

    Option 82 remote-id : mac Store lease database : Not configured Port Trust ----- ----- To display statistics about the DHCP snooping process, enter this command: HP Switch(config)# show dhcp-snooping stats Updates for the HP Switch Software Access Security Guide...

  • Page 9: Enabling Dhcp Snooping On Vlans

    Example 2 Show DHCP-snooping statistics HP Switch(config)# show dhcp-snooping stats Packet type Action Reason Count ----------- ------- ---------------------------- --------- server forward from trusted port client forward to trusted port server drop received on untrusted port server drop unauthorized server client...

  • Page 10: Configuring Authorized Server Addresses

    Using DHCP snooping with Option 82 DHCP adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See “Configuring DHCP Relay” in the HP Switch Software Multicast and Routing Guide for more information on Option 82.)

  • Page 11: Changing Remote-id From A Mac To An Ip Address

    DHCP snooping only overrides Option 82 settings on a VLAN with snooping enabled, not on VLANS without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, HP recommends that you have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, use the following command in the global configuration context.

  • Page 12: Disabling Mac Address Check

    The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it reads its binding database from the specified location. To configure this location use the following command: Updates for the HP Switch Software Access Security Guide...

  • Page 13: Clearing Dhcp Snooping Statistics

    A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command: Syntax: show dhcp-snooping binding Example 8 The DHCP snooping binding database contents HP Switch(config)# show dhcp-snooping binding MacAddress VLAN Interface Time left ------------- --------------- ---- --------- --------- 22.22.22.22.22.22...

  • Page 14: Log Messages

    HP recommends running a time synchronization protocol such as SNTP to track lease times accurately. A remote server must be used to save lease information or connectivity may be lost after a switch reboot. Log messages Attempt to release address <ip-address> leased to port <port-number> detected on port <port-number>...

  • Page 15: Dynamic Arp Protection

    MAC address, port number, VLAN identifier, leased IP address, and lease time. The DHCP binding database is used to validate packets by other security features on the switch. For more information, see “DHCP Snooping” in the HP Switch Software Access Security Guide.

  • Page 16: Enabling Dynamic Arp Protection

    ARP packets may be dropped and need to be retransmitted. The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and report ARP packet-forwarding status and counters. Enabling dynamic ARP protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.

  • Page 17: Binding

    (for example, 13-15, 17). Example: HP Switch(config)# arp-protect trust 5-8, 17 Adding an IP-to-MAC binding to the DHCP binding database and adding or removing a static binding A routing switch maintains a DHCP binding database used for DHCP and ARP packet validation.

  • Page 18: Configuring Additional Validation Checks On Arp Packets

    You can configure one or more of the validation checks. In the following example, the arp-protect validate command configures validation checks for source MAC address and destination AMC address: HP Switch(config)# arp-protect validate src-mac dest-mac Updates for the HP Switch Software Access Security Guide...

  • Page 19: Verifying Dynamic Arp Protection Configuration

    IP validation failures, enter the show arp-protect statistics VLAN-ID-RANGE command: Example 10 The show arp-protect statistics command HP Switch(config)# show arp-protect statistics 1-2 Status and Counters - ARP Protection Counters for VLAN 1 Forwarded pkts : 10 Bad source mac...

  • Page 20: Dynamic Ip Lockdown

    ‘Dynamic IP Lockdown’ is a new section in Lockdown YA.15.13 and later. Chapter 10 — Port Security of the HP Switch Software Access Security Guide The Dynamic IP Lockdown feature prevents IP source address spoofing on a per-port and per-VLAN basis.

  • Page 21: Filtering Ip And Mac Addresses Per-port And Per-vlan

    DHCP binding database, and dynamic IP lockdown will not allow inbound traffic from the client. HP recommends that you enable DHCP snooping a week before you enable dynamic IP lockdown to let the DHCP binding database learn clients’ leased IP addresses. Also ensure that the lease time for the information in the DHCP binding database lasts more than a week.

  • Page 22: Enabling Dynamic Ip Lockdown

    By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level. For more information on how to configure and use DHCP snooping, see “DHCP snooping” (page To enable IP lockdown: Updates for the HP Switch Software Access Security Guide...

  • Page 23: Adding An Ip-to-mac Binding To The Dhcp Binding Database

    Enter the ip source-lockdown command. This command enables IP source lockdown globally. Specify the port or ports to lock down with the ip source-lockdown <port-list> command. Specifying the ports to lock down does not automatically enable the feature globally, so complete both steps. After you enter the ip source-lockdown command (enabled globally with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:...

  • Page 24: Verifying The Dynamic Ip Lockdown Configuration

    (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature. Updates for the HP Switch Software Access Security Guide...

  • Page 25: Debugging Dynamic Ip Lockdown

    Syntax: debug destination session Example 17 The debug dynamic-ip-lockdown command output HP Switch(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) ->...

  • Page 26: Using The Instrumentation Monitor

    A delay of several seconds indicates a problem. system-resource-usage The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic. Updates for the HP Switch Software Access Security Guide...

  • Page 27: Configuring Instrumentation Monitor

    To generate alerts for monitored events, enable the instrumentation monitoring log or SNMP trap. Adjust the threshold for each monitored parameter to minimize false alarms (see “Configuring instrumentation monitor” (page 27)). When a parameter exceeds its threshold, an alert (event log message or SNMP trap) is generated to inform network administrators of this condition.

  • Page 28

    To adjust the alert threshold for the MAC address count to a specific value: HP Switch(config)# instrumentation monitor mac-address-count 767 To enable monitoring of learn discards with the default medium threshold value: Updates for the HP Switch Software Access Security Guide...

  • Page 29: Viewing The Current Instrumentation Monitor Configuration

    Server Support for Switch Services’ of the HP Switch Switch Services Software Access Security Guide NOTE: RADIUS ACLs are not supported on the following HP switches: J9779A, J9780A, J9782A, and J9783A. Introduction This chapter provides information on configuring CoS (802.1p priority), rate-limiting, and ACL client services on a RADIUS server.

  • Page 30: Radius Client And Server Requirements

    — IPv4-only or IPv4 and IPv6) HP recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases. If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.

  • Page 31: Applied Rates For Radius-assigned Rate Limits

    Table 4 CoS and rate-limiting services (continued) Service Control method and operating notes For more on 802.1p priority levels, see "Overview" in the "Quality of Service (QoS)" chapter of the latest HP Switch Software Advanced Traffic Management Guide for your switch. Ingress (inbound) rate-limiting per-user VSA used in the RADIUS server.

  • Page 32: Per-port Bandwidth Override

    100 Mbps 1,300,000 Per-port bandwidth override HP recommends that rate-limiting be configured either through RADIUS assignments or static CLI configuration unless the override described below is specifically desired. Ingress (inbound) traffic RADIUS-assigned ingress rate-limits are applied to individual clients, not to the client's port. But if...

  • Page 33: Viewing The Currently Active Per-port Cos And Rate-limiting Configuration

    Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps. For more on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" in the HP Switch Software Management and Configuration Guide for your switch.

  • Page 34

    10,000 kbps. Traffic from other clients using the port will not be affected by these values. The combined rate-limit outbound for all clients using the port will be 50,000 kbps until either all client sessions end or another client authenticates and receives a different outbound rate-limit. Updates for the HP Switch Software Access Security Guide...

  • Page 35

    NOTE: Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See “Per-port bandwidth override” (page 32). When multiple clients are currently authenticated on a given port where outbound (egress) rate-limiting values have been assigned by a RADIUS server, the port operates with the outbound rate-limit assigned by RADIUS for the most recently authenticated client.

  • Page 36: Configuring And Using Dynamic (radius-assigned) Access Control Lists

    ACL structure and operation. For information on ACL filtering criteria, design, and operation, see: “IPv4 Access Control Lists (ACLs)" in the latest HP Switch Software Access Security Guide for your switch. “IPv6 Access Control Lists (ACLs)" in the latest HP Switch Software IPv6 Configuration Guide for your switch.

  • Page 37: Traffic Applications

    Traffic applications The switch supports RADIUS-assigned ACLs for the following traffic applications: Inbound IPv4 traffic only Inbound IPv4 and IPv6 traffic This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required unique credentials.

  • Page 38: Contrasting Radius-assigned And Static Acls

    Subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest HP Switch Software Management and Configuration Guide for your switch. One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, web-based authentication, and MAC-Authentication methods combined.

  • Page 39: How A Radius Server Applies A Radius-assigned Acl To A Client On A Switch Port

    The show statistics command includes options for increment when there is a packet match. displaying the packet match count, see “Monitoring Static ACL Performance” in the HP Switch Software Access Security Guide for your switch. Also, ACEs allow a log option that generates a log message whenever there is a packet match with a "deny"...

  • Page 40: Multiple Clients Sharing The Same Radius-assigned Acl

    RADIUS-assigned ACL is also filtering the client's traffic. For more information, see “An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, Multiple ACLs on an Interface” in the latest HP Switch Software Access Security Guide for your switch. ACL features, planning, and configuration The following steps outline a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.

  • Page 41: The Packet-filtering Process

    For more on this topic, see “Static Port ACL Applications” and “An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, Multiple ACLs on an Interface” in the HP Switch Software Access Security Guide for your switch.

  • Page 42: Configuring An Acl In A Radius Server

    Nas-filter-Rule="<permit or deny ACE> "(Standard Attribute 92) For example: HP-Nas-Rules-IPv6=1 Nas-filter-Rule="permit in tcp from any to any" Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client is dropped. Set IP Mode HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)

  • Page 43

    IPv6 traffic filtering), HP recommends using the Standard authenticated on a switch port. Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here. Configuring RADIUS server support for switch services...

  • Page 44: Ace Syntax In Radius Servers

    [cnt]" Nas-filter-Rule= Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the HP VSA option (below) to filter inbound IPv6 traffic from the client, drops the IPv6 traffic. See also “Nas-Filter-Rule Attribute Options” (page 42).

  • Page 45

    Nas-filter-Rule+="deny in ip from any to any" The ACE uses the standard attribute ( Nas-filter-Rule) and the IPv6 VSA ( HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2. For example, all the following destinations are for IPv4 traffic: HP-Nas-Rules-IPv6=2 Nas-filter-Rule="permit in tcp from any to any 23"...

  • Page 46: Example Using The Standard Attribute In An Ipv4 Acl

    RADIUS accounting. Example using the standard attribute in an IPv4 ACL The Standard Attribute (92), when used in an ACL without the HP-Nas-Rules-IPv6 VSA, filters IPv4 traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.)

  • Page 47: Example Using Hp Vsa 63 To Assign Ipv6 Or Ipv4 Acls

    Figure 7 Example of configuring the FreeRADIUS server to support ACLs for the indicated clients Example using HP VSA 63 to assign IPv6 or IPv4 ACLs The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute (Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client.

  • Page 48

    Enter the following in the FreeRADIUS dictionary.hp file: HP vendor-specific ID ACL VSA for IPv6 ACLs (63) HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1) Figure 8 Example: Configuring the VSA for RADIUS-assigned IPv6 and IPv4 ACLs in a FreeRADIUS server Enter the switch IPv4 address, NAS type, and the key used in the FreeRADIUS clients.conf file.

  • Page 49: Example Using Hp Vsa 61 To Assign Ipv4 Acls

    This product release supports the HP VSA 61 vendor-specific method for enabling RADIUS-based IPv4 ACL assignments on the switch. Its recommended use is to support legacy ACL configurations that rely on VSA 61. Beginning with software release K.14.01, HP recommends using the standard attribute (92) for new, RADIUS-based IPv4 ACLs, see 42.

  • Page 50

    Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: Figure 1 1 Example of configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file.

  • Page 51: Configuration Notes

    This option for ending a RADIUS-assigned ACL permits all the client's inbound IPv4 and IPv6 traffic not previously permitted or denied. Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1 Table 10 (page 42) for information on the above attributes.

  • Page 52: Displaying Current Radius-assigned Acl Activity On The Switch

    If cnt (counter) is included in an ACE, then the output includes the current number of inbound packet matches the switch has detected in the current session for that ACE, see “ACE syntax in RADIUS servers” (page 44). Updates for the HP Switch Software Access Security Guide...

  • Page 53

    Note: If there are no ACLs currently assigned to any port in <port-list>, executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.

  • Page 54

    If there is no egress rate-limit assigned, then Not Set appears in this field. Figure 15 Example of output showing current RADIUS-applied features Updates for the HP Switch Software Access Security Guide...

  • Page 55: Event Log Messages

    Event log messages See the HP Switch Software Event Log Message Reference Guide for information on Event Log messages. Configuring RADIUS server support for switch services...

  • Page 56: Causes For Client Deauthentication Immediately After Authenticating

    The TCP/UDP port-range quantity of 14 per slot or port group has been exceeded. The rule limit of 3048 per slot or port group has been exceeded. An IPv6 ACE has been The HP-Nas-Rules-IPv6 attribute is missing or HP-Nas-Rules-IPv6=2 is configured. received on a port and Table 10 (page 42) for more on this attribute.

  • Page 57: Updates For The Hp Switch Software Ipv6 Configuration Guide

    Lists (ACLs) in the HP Switch Software IPv6 Configuration later. Guide. NOTE: IPv6 ACLS and RADIUS ACLs are not supported on the following HP switches: J9779A, J9780A, J9782A, and J9783A. Introduction An Access Control List (ACL) contains one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s...

  • Page 58: Acl Applications

    RADIUS-assigned ACLs on a port as it allows authenticated clients. For information on RADIUS-assigned ACLs, refer to the chapter titled, “Configuring RADIUS Server Support for Switch Services” in the latest HP Switch Software Access Security Guide for your switch. NOTE: This chapter describes the IPv6 ACL applications you can statically configure on the switch.

  • Page 59: Concurrent Ipv4 And Ipv6 Acls

    Concurrent IPv4 and IPv6 ACLs You can implement concurrent configuration and concurrent configuration and operation of IPv4 and IPv6 ACLs. For information on IPv4 ACL, see the latest HP Switch Software Access Security Guide for your switch ACL inbound application points...

  • Page 60: Radius-assigned (dynamic) Port Acl Applications

    RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. In “Multiple, dual-stack clients authenticating through a single port” (page 61), clients A through D authenticate through the same port (1). Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 61: X User-based And Port-based Applications

    For more information, see "Configuring Port-Based Access" in the "Port-Based and User-Based Access Control (802.1X)"chapter in the latest HP Switch Software Access Security Guide for your switch.

  • Page 62: Ipv6 Applications

    Standard and Extended ACL features cannot be combined in one ACL. You can configure ACLs using either the CLI or a text editor. HP recommends that you use the text-editor method when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI.

  • Page 63: Planning And Configuring Acls

    * For more information, see the chapter "Configuring RADIUS Server Support for Switch Services" in the latest version of the HP Switch Software Access Security Guide for your switch. See also the documentation for your RADIUS server. Identify the SA and/or the DA of IPv6 traffic you want to permit or deny.

  • Page 64: Packet-filtering

    For ACLs configured to filter inbound packets, Implicit Deny filters any packets, including those with a DA specifying the switch itself. This helps prevent management access from unauthorized IP sources. Figure 19 Packet-filtering process in an ACL with N entries (ACEs) Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 65

    NOTE: The order where an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE allows "Permit Any" forwarding, the ACL permits all IPv6 traffic, and the remaining ACEs in the list do not apply, even if they have a match with traffic permitted by the first ACE.

  • Page 66

    Permit inbound IPv6 traffic from 2001:db8:0:fb::1 1:42. Deny only the inbound Telnet traffic from 2001:db8:0:fb::1 1:101. Permit inbound IPv6 traffic from 2001:db8:0:fb::1 1:101. Permit only inbound Telnet traffic from 2001:db8:0:fb::1 1:33. Deny any other inbound IPv6 traffic. Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 67

    30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0 40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23 <Implicit Deny Any Any> exit HP Switch(config)# vlan 12 ipv6 access-group Test-02 in Line 10 Permits IPv6 traffic from source address 2001:db8:0:fb::1 1:42. Packets matching this criterion are permitted and will not be compared to any later ACE in the list.

  • Page 68: Planning An Acl Application

    Standard ACLs Implicit deny any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#> command). First ACE entered Next ACE entered with the same ACL mask Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 69: Managing Acl Resource Consumption

    Table 13 ACL rule and mask resource usage (continued) ACE Type Rule Usage Next ACE entered with a different ACL mask Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding Extended ACLs Implicit deny ip any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#>...

  • Page 70: Troubleshooting Shortage Of Resources

    ACEs in a given ACL (or a large number of ACLs), increasing the complexity of your solution and rapidly consuming its resources. Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 71: Security

    What traffic can you implicitly block by taking advantage of the implicit deny any, denying traffic you have not explicitly permitted? This can reduce the number of entries needed in an ACL and make more economical use of switch resources. What traffic should you permit? Sometimes you need to explicitly identify permitted traffic;...

  • Page 72: Acl Configuration And Operating Rules

    In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a match. Thus the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 73: Prefix Usage Differences Between Acls And Other Ipv6 Addressing

    packet’s SA and DA must be an exact match with the same bits in an ACE. The bits to the right of the prefix are wildcards, not used to determine a match. Prefix Range of Applicable Addresses Examples any IPv6 host ::/0 / 1 —...

  • Page 74: Configuring And Assigning An Acl

    Source routing is enabled by default on the switch and can override ACLs. Thus, if you are using ACLs to enhance network security, HP recommends disabling source routing on the switch. To do so, execute the no ip source-route command.

  • Page 75

    One or more deny/permit list entries (ACEs) — one entry per line. Element Notes Identifier Alphanumeric; up to 64 characters, including spaces. Remark Allows up to 100 alphanumeric characters, including spaces. (If any spaces are used, the remark in a pair of single or double quotes.) A remark is associated with a particular ACE and has the same sequence number as the ACE.

  • Page 76

    Includes a remark and permits TCP port 80 traffic received at any destination as port 3871 traffic. Includes a remark, denies TCP port 80 traffic received at any destination, and causes a log message to be generated when a match occurs. Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 77: Acl Configuration Factors

    Table 14 Displayed ACL configuration example explanation (continued) Line Action Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at 2001:db8:0:120::19 with a destination port number in the range of 3680 to 3690 and causes a log message to be generated when a match occurs.

  • Page 78: Allowing For The Implied Deny Function

    (The ACL also does not use any of the monitored resources described in the appendix "Monitoring Resources" in the latest version of the HP Switch Software Management and Configuration Guide for your switch.)

  • Page 79: Creating An Acl Using The Cli

    “Configuring and assigning an ACL” (page 74) You can use either the switch CLI or an offline text editor to create an ACL. HP recommends that you use the CLI method for creating short ACLs; to use the offline method, see “Creating or editing...

  • Page 80: Using Cidr Notation To Enter The Ipv6 Acl Prefix Length

    <any | host <DA> | DA/<prefix-length>> [log] Inserting an ACE in an existing ACL HP Switch(config)# ipv6 access-list <name-str> with a sequence number HP Switch(config-ipv6-acl)# <seq-#> < deny | permit > Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 81: Enabling, Disabling, And Displaying Acls

    Enable or disable a static port ACL HP Switch(config)# [no] interface <port-list | trkx> ipv6 access-group <name-str> in HP Switch (eth- <port-list) | trkx>)# [no] ipv6 access-group <name-str> in Displaying ACL configuration data HP Switch# show access-list HP Switch# show access-list <acl-name-str> [config]...

  • Page 82: Configuring Aces In An Acl

    Use this criterion when you want to match only the IPv6 packets for a single DA. DA / prefix-length Specifies packets intended for one or more contiguous subnets or contiguous addresses Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 83: Tcp And Udp Traffic In Ipv6 Acls

    Parameter Task Subtask within a single subnet. The prefix length in CIDR format defines the number of leftmost bits to use in determining a match. See “Using CIDR notation to enter the IPv6 ACL prefix length” (page 80). In a given ACE, the DA prefix-length defines how many leftmost bits in a packet's DA must exactly match the DA configured in the ACE.

  • Page 84

    However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests are permitted, but inbound Telnet traffic trying to establish a new connection is denied. Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 85: Filtering Switched Ipv6 Traffic Inbound On A Vlan

    The established and dscp options are mutually exclusive in a given ACE. Configuring established and any combination of TCP control bits in the same ACE is supported, but established must precede any TCP control bits configured in the ACE. TCP control bits In a given ACE for filtering TCP traffic you can configure one or more of these options: [ack]...

  • Page 86: Deleting An Ipv6 Acl

    HP Switch(config)# vlan 20 ipv6 access-group List-010 vlan HP Switch(config)# vlan 20 HP Switch(vlan-20)# ipv6 access-group List-015 vlan HP Switch(vlan-20)# exit HP Switch(config)# no vlan 20 ipv6 access-group List-010 vlan HP Switch(config)# vlan 20 HP Switch(vlan-20)# no ipv6 access-group 015 vlan HP Switch(vlan-20)# exit...

  • Page 87: Sequence Numbering In Acls

    Append an ACE to the end of the ACL using ipv6 access-list at the global configuration prompt or by entering the ACL context: Example 31 Appending a new ACE to the end of an ACL HP Switch(config)# ipv6 access-list My-list permit esp host 2001:db8:0:5ad::19 any HP Switch(Config)# ipv6 access-list My-list...

  • Page 88: Inserting An Ace In An Existing Acl With A Sequence Number

    From the global configuration context, insert a new ACE with a sequence number of 45 between the ACEs numbered 40 and 50 in “Appending an ACE to an existing list” (page 88). Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 89: Deleting An Ace From An Existing Acl

    Inserting an ACE into an existing sequence HP Switch(config)# Port_1_5400(config)# ipv6 access-list List-01 HP Switch(config-ipv6-acl)# permit ipv6 host fe80::100 host fe80::200 HP Switch(config-ipv6-acl)# permit ipv6 host fe80::103 any HP Switch(config-ipv6-acl)# 11 permit ipv6 host fe80::110 host fe80:: HP Switch(config-ipv6-acl)# show run Running configuration: . . .

  • Page 90: Resequencing Aces In An Ipv6 Acl

    This action reconfigures the starting sequence number for ACEs in an IPv6 ACL and resets the numeric interval between sequence numbers for ACEs configured in the ACL. Syntax: ipv6 access-list resequence <identifier> <starting-seq-#> <interval> Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 91: Attaching A Remark To An Ace

    10 permit ipv6 fe80::100/128 ::/0 20 deny ipv6 fe80::110/128 fe80::/124 40 permit ipv6 ::/0 ::/0 exit HP Switch(config)# ipv6 access-list resequence My-List 100 HP Switch(config)# show access-list config ipv6 access-list "My-List" 100 permit ipv6 fe80::100/128 ::/0 200 deny ipv6 fe80::110/128 fe80::/124...

  • Page 92

    Inserting remarks and related ACEs within an existing list. To insert an ACE with a remark within an ACL by specifying a sequence number: Insert the numbered remark first Then, using the same sequence number, insert the ACE (see Example 37 (page 93)) Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 93: Operating Notes For Remarks

    Example 37 Inserting a remark and an ACE within an existing ACL HP Switch(config-ipv6-acl)# 15 remark "PERMIT HTTP; STATION 23; SUBNET 1D" HP Switch(config-ipv6-acl)# 15 permit tcp host 2001:db8:0:1d::23 eq 80 2001:db8:0:2f::/64 HP Switch(config-ipv6-acl)# show access config . . .

  • Page 94: Displaying Acl Configuration Data

    List the IPv4 and IPv6 RADIUS ACLs currently For more on show access-list radius <all | assigned for either all ports and trunks, or this topic, see <port-list> for the specified ports or trunks. chapter Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 95: Displaying An Acl Summary

    ACL Commands Function Page "Configuring RADIUS Server Support for Switch Services" in the HP Switch Software Access Security Guide for your switch. For ports in the <port-list> show the For more on show port-access web-based clients details of the RADIUS-assigned features, this topic, see <port-list>...

  • Page 96: Displaying Content Of All Acls On The Switch

    ACL, it appears in the show config output. For example, with two ACLs configured in the switch, you will see results similar to the followingExample 41 “An ACL configured syntax listing”: Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 97: Displaying Acl Information For A Vlan

    Example 41 An ACL configured syntax listing HP Switch(config)# show access-list config ip access-list extended "101" 10 permit tcp 10.30.133.27 0.0.0.0 0.0.0.0 255.255.255.255 20 permit tcp 10.30.155.101 0.0.0.0 0.0.0.0 255.255.255.255 30 deny ip 10.30.133.1 0.0.0.0 0.0.0.0 255.255.255.255 log 40 deny ip 10.30.155.1 0.0.0.255 0.0.0.0 255.255.255.255 exit ipv6 access-list "Accounting"...

  • Page 98: Displaying Static Port (and Trunk) Acl Assignments

    ACL, it also appears in the show config output. “Listing the ACL assignments for ports and trunks” (page 99) shows IPv4 and IPv6 ACLs configured on various ports and trunks on the switch: Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 99: Displaying Content Of A Specific Acl

    This information also appears in the show running display. If you execute the write memory command after configuring an ACL, it also appears in the show config display. For information on IPv4 ACL operation, see the latest version of the HP Switch Software Access Security Guide for your switch.

  • Page 100

    An empty configured.) TCP field indicates that Source Address the TCP port number Destination Address for that field can be TCP Source Port any value. Source and Destination Prefix Lengths 100 Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 101

    Example 45 Listing an IPv4 extended ACL HP Switch(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Applied: No SEQ Entry ---------------------------------------------------------- 10 Action: permit Remark: Telnet Allowed Src IP: 10.30.133.27 Mask: 0.0.0.0 Port(s): eq Dst IP: 0.0.0.0 Mask: 255.255.255.255...

  • Page 102: Display All Acls And Their Assignments In The Startup-config And Running-config Files

    Copy commands that use either tftp or xmodem use usb as a source or destination device for file transfers. So while the following example highlights tftp, xmodem or usb can also transfer ACLs to and from the switch. 102 Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 103: The Offline Process

    ACL configuration to a file named acl-001.txt in the TFTP directory on a server at FE80::2a1:200: HP Switch# copy command-output 'show access-list config' tftp fe80::2a1:200 acl-001.txt pc To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.

  • Page 104

    IP traffic on VLAN 20 NOTE: The comment preceded by " ; " in the .txt source file for this configuration do not appear in the ACL configured in the switch 104 Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 105: Enable Ipv6 Acl "deny" Logging

    If the configuration appears satisfactory, save it to the startup-config file: HP Switch(config)# write memory Enable IPv6 ACL "deny" logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit "deny" action. You can use ACL logging to help: Test your network to help ensure that your ACL configuration is detecting and denying the incoming IPv6 traffic you do not want to enter the switch.

  • Page 106: Enabling Acl Logging On The Switch

    Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information on debug, see "Debug and Syslog Messaging Operation" in the Appendix, "Troubleshooting", in the latest HP Switch Software Management and Configuration Guide for your switch.

  • Page 107: Acl Operating Notices

    Example 51 Commands for applying an ACL with logging HP Switch(config)# access-list 143 deny tcp host 10.38.100.127 any eq telnet log HP Switch(config)# access-list 143 permit ip any any HP Switch(config)# interface 10 access-group 143 in HP Switch(config)# logging 10.38.110.54...

  • Page 108: Unable To Delete An Acl In The Running Configuration

    In the interface context, use the no ipv6 access-group command to remove the ACL from the interface. Use the no ipv6 access-list <name-str> command to delete the ACL. 108 Updates for the HP Switch Software IPv6 Configuration Guide...

  • Page 109: Index

    Index delete, Symbols deleting an ACL, 802.1X deleting from config, ACL, IPv6, effect on, deny any any, implicit, supersede;supersede implicit port-based access not recommended, deny any any, deny any, implicit, 67, 78, display configuration details, display content of an ACL, assignments, data types, end,...

  • Page 110

    use to insert ACE, Option 82, sequence number, duplicate, statistics sequence number:out-of-range, clearing, static port ACL, trusted ports, structure, dual-stack traffic management, operation, troubleshooting client authentication, Dynamic ARP protection, type, 77, 94, 98, enabling, user-based 802.1X, trusted ports user-based security, configuring, VACL verifying...

  • Page 111

    check disabling, static binding filtering adding or removing, per-port and per-VLAN, static configuration MAC validation failure IP-to-MAC bindings, statistics, statistics ARP packets, switch platforms Option 82 dynamic IP lockdown DHCP snooping, differences, Syslog see ACL, IPv6, logging packets debugging, threat protection PCM, advanced, configuring,...

Comments to this Manuals

Symbols: 0
Latest comments: