Multicast Support; Quality of Service (QoS) - HP ProCurve 6600 Switch Series Technical Overview

• ICMP throttling: defeats ICMP denial-of-service attacks by enabling any switch port to automatically throttle
ICMP traffic
• Virus throttling: detects traffic patterns typical of WORM-type viruses and either throttles or entirely prevents
the ability of the virus to spread across the routed VLANs or bridged interfaces, without requiring external
appliances
• STP BPDU port protection: blocks Bridge Protocol Data Units (BPDUs) on ports that do not require BPDUs,
preventing forged BPDU attacks
• Dynamic IP lockdown: works with DHCP protection to block traffic from unauthorized hosts, preventing IP
source address spoofing
• DHCP protection: blocks DHCP packets from unauthorized DHCP servers, preventing denial-of-service attacks
• Dynamic ARP protection: blocks ARP broadcasts from unauthorized hosts, preventing eavesdropping or theft
of network data
• USB Secure Autorun: deploys, diagnoses, and updates switch using USB flash drive; works with secure
credential to prevent tampering
• STP Root Guard: protects root bridge from malicious attack or configuration mistakes
• Management Interface Wizard: CLI-based step-by-step configuration tool helps ensure that management
interfaces such as SNMP, telnet, SSH, SSL, Web, and USB are secured to desired level
• Access control lists (ACLs): provide filtering based on the IP field, source/destination IP address/subnet, and
source/destination TCP/UDP port number on a per-VLAN or per-port basis
• Multiple user authentication methods:
− Multiple IEEE 802.1X users per port: provides authentication of multiple IEEE 802.1X users per port; prevents
user "piggybacking" on another user's IEEE 802.1X authentication
− Web-based authentication: authenticates from Web browser for clients that do not support IEEE 802.1X
supplicant; customized remediation can be processed on an external Web server
− MAC-based authentication: client is authenticated with the RADIUS server based on client's MAC address
− Concurrent IEEE 802.1X, Web, and MAC authentication schemes per port: switch port will accept up to 32
sessions of IEEE 802.1X, Web, and MAC authentications
• Switch CPU protection: provides automatic protection against malicious network traffic trying to shut down the
switch
• Identity-driven ACL: enables implementation of a highly granular and flexible access security policy specific
to each authenticated network user
• Secure Sockets Layer (SSL): encrypts all HTTP traffic, allowing secure access to the browser-based
management GUI in the switch
• Security banner: displays a customized security policy when users log in to the switch

Multicast support

• IP multicast routing (requires Premium License): includes PIM Sparse and Dense modes to route IP multicast
traffic
• IP multicast snooping (data-driven IGMP): automatically prevents flooding of IP multicast traffic

Quality of Service (QoS)

• Layer 4 prioritization: enables prioritization based on TCP/UDP port numbers
• Class of Service (CoS): sets the IEEE 802.1p priority tag based on IP address, IP Type of Service (ToS), L3
protocol, TCP/UDP port number, source port, and DiffServ
• Bandwidth shaping:
− Port-based rate limiting: per-port ingress/egress enforced maximum bandwidth
− Classifier-based rate limiting: use ACL to enforce maximum bandwidth for ingress traffic on each port
− Guaranteed minimum: per-port, per-queue egress-based guaranteed minimum bandwidth
• Advanced classifier-based QoS: classifies traffic using multiple match criteria based on L2/L3/L4 information;
applies QoS policies such as setting priority level and rate limit to selected traffic per port or per VLAN
• Traffic prioritization: allows real-time traffic classification into eight priority levels mapped to eight queues
