HP Employee self-study use only. Reproduction or transfer outside of HP in whole or in part is prohibited.
Student guide
HP Partner Learning
Implementing HP Network Infrastructure Security
Copyright 2010 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.

Implementing HP Network Infrastructure Security - v10.41
Student Guide
September 2010
HP Restricted
Printed in the USA
Contents

Module 1: Threats and the Need for Security ............ 1 - 1
WBT Overview ............ 1 - 1
SSL with a CA signed certificate ............ 1 - 3

Module 2: Traffic Mirroring ............ 2 - 1
Traffic mirroring overview ............ 2 - 1
Guidelines for ProVision traffic mirroring ............ 2 - 3
Local traffic mirroring: Configuration steps ............ 2 - 4
Local traffic mirroring: Configuring mirror session and traffic source ............ 2 - 5
Local traffic mirroring: Viewing the configuration ............ 2 - 7
Remote traffic mirroring: Configuration steps ............ 2 - 9
Remote traffic mirroring: Configuring jumbo frame support ............ 2 - 10
Remote traffic mirroring: Configuring the mirror sessions ............ 2 - 11
Remote traffic mirroring: Configuring the mirror sources ............ 2 - 12
Remote traffic mirroring: Viewing the configuration ............ 2 - 13
Comware Traffic Mirroring ............ 2 - 15

Module 3: ACLs ............ 3 - 1
Scenario: ACLs ............ 3 - 1
VLAN basics ............ 3 - 2
Basic concepts of ACLs ............ 3 - 3
Implementing ACLs: Static options ............ 3 - 5

Use cases ............ 6 - 4

Module 7: Spanning Tree Protection ............ 7 - 1
Objectives ............ 7 - 1
Spanning-tree vulnerabilities ............ 7 - 2
BPDU filtering and protection ............ 7 - 4
Guidelines for using BPDU filtering and protection ............ 7 - 5
Root Guard and TCN Guard ............ 7 - 8
Comware Spanning Tree Protection ............ 7 - 9

Module 8: DHCP Protection ............ 8 - 1
DHCP vulnerabilities ............ 8 - 1
Protecting against DHCP attacks: DHCP Snooping ............ 8 - 2
Using option 82 with DHCP snooping ............ 8 - 4
Comware DHCP Snooping ............ 8 - 14
Summary: ProVision DHCP snooping ............ 8 - 17

Module 9: ARP Protection ............ 9 - 1
ARP vulnerabilities ............ 9 - 1
Module 1: Threats and the Need for Security

This class will cover the security features needed to protect a network, specifically looking at the features built into the switches. For further security training, look at the courses in the AIS and ASE Network Security certification tracks.

There is a prerequisite WBT, HP Network Infrastructure Security Technologies, for this class. The content covered in HP Network Infrastructure Security Technologies will not be covered in this class. It is necessary to complete both HP Network Infrastructure Security Technologies and this class to get the whole picture.

WBT Overview

Module 1: Security Overview
Lesson 1: The Challenges of Securing Networks
Lesson 2: Defense in Depth and Security with HP Networking

Module 2: Trusted Network Infrastructure Data Integrity
Lesson 3: Connection Rate Limiting and Filtering with HP Virus Throttle Technology

Lesson 6: Directories
Module 7: Virtual Private Networks
Lesson 1: IPsec VPNs
Lesson 2: L2TP and L2TP over IPsec VPNs
Lesson 3: Generic Routing Encapsulation (GRE)
Lesson 4: SSL and MACsec VPNs

Module 8: Threat Management
Lesson 1: Intrusion Detection Systems (IDSs)
Lesson 2: Deploying IDSs
Lesson 3: Intrusion Prevention Systems (IPSs)
Figure 1

The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security (TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management station clients. SSL provides all the web functions but, unlike standard web access, SSL provides a subset of full certificate authentication of the user and host. It occurs only if the switch has SSL enabled. As in the figure below, the switch authenticates itself to an SSL-enabled web browser. Users on the SSL browser then authenticate themselves to the switch (operator and/or manager levels) by providing passwords stored locally on the switch or on a TACACS+ or RADIUS server. However, the client does not use a certificate to

Figure 2
Terminology

SSL Server: An HP switch with SSL enabled.

Key Pair: Public/private pair of RSA keys generated by the switch, of which the public portion makes up part of the server host certificate and the private portion is stored in switch flash (not user accessible).

Digital Certificate: A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued. Information contained within the certificate includes: name of the subject, serial number, date of validity, subject's public key, and the digital signature of the authority who issued the certificate. Certificates on HP switches conform to the X.509v3 standard, which defines the format of the certificate.

Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate.

CA-Signed Certificate: A certificate verified by a third-party certificate authority (CA). Authenticity of CA-signed certificates can be verified by an audit trail leading to a trusted root certificate.

Root Certificate: A trusted certificate used by certificate authorities to sign
of most popular web clients. (see browser documentation for which root

SSL Enabled: (1) A certificate key pair has been generated on the switch (web interface or CLI command: crypto key generate cert [key size]), (2) a certificate has been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]), and (3) SSL is enabled (web interface or CLI
enabling SSL, but you cannot enable SSL without first generating a certificate.

To install a CA-signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled Using the ProCurve Web Browser Interface in the Management and Configuration Guide for your switch.
The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase, consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.

To generate a certificate request from the web browser interface:

a. Select the Security tab, then select the [SSL] button.
b. Select the Create Certificate/Certificate Request radio button.
c. Select Create CA Request from the Certificate Type drop-down list.
d. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
e. Fill in the remaining certificate arguments.
f. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded
g. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the
An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer

Configuration Prerequisites

When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL
Configuration Procedure

Follow these steps to configure an SSL server policy:

Create an SSL server policy and enter its view: ssl server-policy <policy-name>. Required.

Specify a PKI domain for the SSL server policy: pki-domain <domain-name>. Required. By default, no PKI domain is specified for an SSL server policy.

Specify the cipher suite(s) for the SSL server policy to support: ciphersuite [rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha] *. Optional. By default, an SSL server policy supports all cipher suites.

Set the handshake timeout time for the SSL server: handshake timeout <time>. Optional. 3,600 seconds by default.

Set the SSL connection close mode: close-mode wait. Optional. Not wait by default.

follows: the caching timeout time. Optional.

Enable certificate-based client verification: client-verify enable. Optional. Not enabled by default.
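As an added example (written for this guide's editing pass, not HP's own configuration), the procedure above rendered as a Comware CLI fragment: first a policy that relies on the defaults the table describes, then the same policy with the optional settings tightened. The policy name web-ssl and PKI domain name switch-pki are constructed; the pki domain prerequisite step and the final ip https ssl-server-policy association are assumed commands from outside the table, included because the text above states the policy has no effect until an application layer protocol uses it.

```text
# Prerequisite (see Configuration Prerequisites above): a PKI domain the policy can
# obtain the server certificate from. "switch-pki" is a constructed name.
system-view
 pki domain switch-pki
 quit
#
# Weak: only the required steps. Every suite in the list is accepted, including
# rsa_des_cbc_sha and rsa_rc4_128_md5, the handshake timeout stays at 3,600 seconds,
# and the client is never asked for a certificate.
 ssl server-policy web-ssl
  pki-domain switch-pki
 quit
#
# Hardened: same policy with the optional steps set explicitly. The suite list is
# limited to the AES suites, the handshake timeout is shortened, and clients must
# present a certificate that the PKI domain can verify.
 ssl server-policy web-ssl
  pki-domain switch-pki
  ciphersuite rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
  handshake timeout 300
  client-verify enable
 quit
#
# Assumed association command (not in the table above): the policy takes effect for
# the web interface only once HTTPS is told to use it.
 ip https ssl-server-policy web-ssl
```

Restricting ciphersuite is the setting that matters most for an exposed management interface: with the default of "all cipher suites", the browser, not the switch, decides whether DES or RC4 gets used.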
Module 2: Traffic Mirroring

This module describes the traffic mirroring features available on various ProVision and Comware based switches. Traffic mirroring can be used for copying traffic from various ports for troubleshooting purposes or for intrusion activity analysis.

Traffic mirroring overview

Figure 1

Traffic mirroring, which is also called intelligent mirroring, allows you to monitor traffic to detect threats, troubleshoot problems, or manage the network. For example, you can use a network protocol analyzer on a remote computer to examine the

For threat detection, you can monitor traffic through a security appliance such as an
appliance must be able to receive the mirrored data stream in order to detect threats such as hackers and malicious attacks. Many IDS/IPS systems can be positioned in-
entry point to an enclave network. Using the traffic mirroring feature, traffic from other locations in the network can be funneled to the IDS/IPS device for analysis as well.

Local traffic mirroring, in which the source and the destination for the mirrored
Remote traffic mirroring, in which the source and the destination are on different switches

The traffic mirroring feature provides some significant advantages over the mirroring feature available in unintelligent switches. Rather than limiting you to mirroring traffic from one port to another port on the same switch, the E8200zl, E5400zl, E6200yl, and E3500yl switches now allow you to mirror traffic to a remote switch. In addition, each switch can support more than one data stream of mirrored traffic.
Note
Other HP switches that support an earlier implementation of the traffic mirroring feature only allow the traffic stream to be sent to another port on the same switch.

With traffic mirroring, you no longer need a monitoring port on every switch. Instead, you can send mirrored data from multiple remote switches to one local switch. The security appliance attached to this local switch can then monitor all the mirrored data, reducing the number of security appliances you need on your network.
Figure 2

Each switch can be the originator of up to four mirror sessions. A mirror session is defined according to the source and destination switches managing a data stream.

You define the source of a data stream when you set up each session by specifying one or more of these criteria:
Local port or multiple local ports, including mesh ports

The destination for a mirror session can be an exit port on the local switch or the destination can be another switch. The remote switch can be located anywhere in the network.

Each switch can be the destination of up to 32 mirror sessions and the source of up to 4 mirror sessions from itself. Sessions for which the switch is both the source and the destination are restricted to four due to the limit on the number of originating mirror sessions. As the destination, the switch sends data streams to the exit port you

You can configure one or more mirror sessions to use the same exit port, or you can distribute the mirrored traffic across multiple exit ports. In this example, the switch is configured to send three mirror sessions to the same exit port that provides a path to an IDS/IPS device. The switch is also sending one mirror session to a local port
Figure 3

If you want to configure traffic mirroring, the first step is to configure the destination switch, whether the source is local or remote to the switch. If the destination switch is not ready to handle the mirrored traffic forwarded by another switch, performance may be adversely affected due to receiving packets that the switch does not know are intended for an attached device running an IDS/IPS or packet analyzer.

The second step is to configure the source switch. In the case of local traffic mirroring, this is of course the same switch. In this step, you define a mirror session number and the destination for the mirror session. For local traffic mirroring, the destination is a port on the same switch. For remote traffic mirroring, the destination

As part of the procedure for defining the source switch you identify the source interface for the mirror session and the traffic of interest that you want to monitor.

Select traffic based on its direction. The mirrored packets can be those inbound

Select traffic by applying an ACL. If you only want to monitor inbound traffic, you can use a standard or extended ACL to further refine the particular packets that are mirrored. The switch only mirrors the inbound traffic that matches the criteria configured in the ACL. For example, in an extended ACL, you can specify criteria that includes the source IP address, destination IP address, source port number, destination port number, and protocol.
Figure 4

If you are configuring local traffic mirroring, you begin by configuring the exit port using the mirror command from the global configuration level. The no form of the command removes the mirroring session and any mirroring source previously

You must complete this step before you define the originating interface. If you try to configure the originating interface first, the CLI displays a message, explaining that it cannot apply the command until you configure the destination for the specified session number.

<1 - 4> An integer value between 1 and 4 that identifies the mirroring
friendly name can be useful to identify the purpose of the traffic monitoring
mirrored traffic for the specified session. For a local mirroring session, this is

First, you must choose between specifying the traffic source as a physical interface (port, trunk, or mesh port) or a logical interface (one or more VLANs). To specify the former you use the interface command prefix. To specify the latter you use the vlan command prefix.

Second, you must choose how to identify the actual traffic that is to be monitored. You can do this based on the traffic's direction, relative to the switch, or by using a standard or extended ACL. If you choose to use an ACL, only that subset of inbound traffic that matches the ACL criteria will be mirrored.

Using the monitor command, you specify the following information:

interface <port-id | trunk-id | mesh> Use this prefix to specify one or more physical ports, trunk groups, or the ports comprising a mesh on the switch as the source of the traffic to be mirrored. For example, you could specify interface a1-a3,trk1-trk2,mesh.

vlan <vid> Use this prefix to specify a VLAN on the switch as the source of the traffic to be mirrored.

monitor all <in | out | both> Use this option to identify the traffic to be mirrored based on direction.

After specifying the all keyword (implying all types of packets are candidates for traffic mirroring), you must specify the direction of traffic to be mirrored based on whether the traffic is entering or leaving the switch on the physical or logical interface. Specify in to mirror traffic entering the switch, out to mirror
defined. Only inbound traffic to the switch can be selected for mirroring when an ACL is used.

ACLs used for selecting traffic to mirror are configured in the same way as ACLs for traffic filtering. This means that an ACL applied as a static port ACL, VACL, or RACL can be applied to mirroring, but an ACL used
the ACL take on a different role than in ACL traffic filtering. A packet
deny statement will not be mirrored. Any log keywords in ACL deny
replacing, or modifying a traffic-filtering ACL also apply to an ACL used for mirroring.

mirror <1 - 4 | <name-string> Assigns the traffic defined by the
The session must have been previously configured.

Depending on how many sessions are already configured on the switch, you can use the same command to assign the specified source to up to four numeric or alphanumeric session identifiers.
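The ACL role described above is easy to get backwards: in a mirror session a deny entry does not drop anything, it only excludes the packet from the copy sent to the IDS, and an ACL-selected source only ever sees inbound traffic. The following is an added model of those rules (written for this guide, not the switch's implementation and not HP code); the ACL entries, addresses and packets are constructed, and the implicit deny at the end of an ACL with no matching entry is an assumption of standard ACL behaviour.

```python
# Added example: models how an ACL selects traffic for a ProVision mirror session.
# First matching entry wins; permit => mirrored, deny => not mirrored; ACL selection
# applies to inbound traffic only. Not the switch's own code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line: action, protocol, source/destination prefixes, ports."""
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def acl_action(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; no match falls through to the assumed implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def mirrored(acl: List[AclEntry], pkt: Packet, direction: str) -> bool:
    """A deny here excludes the packet from the mirror copy; it never filters the packet."""
    if direction != "in":      # the guide: only inbound traffic can be ACL-selected
        return False
    return acl_action(acl, pkt) == "permit"


# Constructed sample ACL: copy DNS and all traffic into the 10.2.0.0/16 server range to
# the IDS, but never copy the management station's SSH session to the switch itself.
MIRROR_ACL = [
    AclEntry("deny", "tcp", "10.1.1.50/32", "10.1.1.1/32", dport=22),
    AclEntry("permit", "udp", dport=53),
    AclEntry("permit", "ip", dst="10.2.0.0/16"),
]

# Constructed inbound packets on the mirror source interface.
SAMPLE_PACKETS = [
    Packet("10.1.1.50", "10.1.1.1", "tcp", 51000, 22),    # explicit deny
    Packet("10.1.1.20", "10.1.1.1", "tcp", 51001, 22),    # no entry matches: implicit deny
    Packet("10.1.1.20", "10.1.1.2", "udp", 40000, 53),    # permit (DNS)
    Packet("10.1.1.20", "10.2.5.9", "tcp", 40001, 443),   # permit (server range)
]


def select_for_mirror(packets: Iterable[Packet], direction: str = "in") -> List[Packet]:
    return [p for p in packets if mirrored(MIRROR_ACL, p, direction)]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", "mirrored" if mirrored(MIRROR_ACL, p, "in") else "not mirrored")
```

Run with the sample set, two of the four packets reach the IDS; the same four packets flowing outbound on the interface produce no copies at all, which is why a mirror source that must see replies needs a direction-based (monitor all both) source rather than an ACL.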
Local traffic mirroring: Viewing the configuration

Figure 5

You use the show monitor command to view the traffic mirroring configuration on the switch.

If a remote mirroring source is configured on the switch, then the following fields appear. Otherwise, the output displays the message Mirroring is currently disabled.

Sources: Indicates how many mirroring sources are using each mirroring session.

ACL: Indicates whether the source is using an ACL to select traffic for mirroring.

If a remote mirroring endpoint is configured on the switch, then additional fields appear. Otherwise, the output displays the message There are no Remote Mirroring endpoints currently assigned.

The show monitor <session-number> command displays the current configuration for the specified session on a source switch.

Session: Displays the numeric identifier (1 to 4) of the selected session.

Session Name: Displays the alphanumeric name of the session, if configured.

ACL: Indicates whether the source is using an ACL to select traffic for mirroring. Only inbound traffic to the switch can be selected for mirroring when an ACL is used.

configured as the exit port on the source switch. For remote mirroring session,
interface for the currently configured sessions. Options include the source port,
Figure 6

Configuring remote traffic mirroring is more complex than local traffic mirroring and involves more procedures.

The four steps involve the following major tasks:

If any one packet with the additional 54-byte mirror encapsulation header might meet or exceed the MTU size of the interfaces used to send mirrored packets, then you will need to enable the jumbo frame support on the VLAN used to transport mirrored traffic. Jumbo frame support must be enabled on the

This step involves specifying a variety of information which includes the source VLAN or subnet IP address of the mirrored traffic on the source switch, the

On the source switch you configure the local mirror session by assigning a

This step is equivalent to what is done for local mirroring. You specify a port, mesh port, trunk, or VLAN as the source and you identify the traffic of interest by specifying either traffic direction(s) or an ACL.

The details about these steps are covered on the pages that follow.
Figure 7

When the source switch sends the mirrored data stream to the destination switch, it adds a 54-byte proprietary (mirror encapsulation) header to the Layer 2 frame, increasing the total size of the frame. On a typical network using the default MTU of 1518 bytes for Ethernet frames, the switch can remote mirror frames that are less than or equal to 1464 bytes without requiring jumbo frame support being enabled. This is because the 54-byte proprietary header, inserted into the data field of the Ethernet frame, when coupled with the header and trailers of the frame, will not exceed the limits of the hardware, either 1518 bytes (normal untagged Ethernet frame) or 1522

Note
The standard Ethernet frame consists of several header and trailer fields and a maximum data field size of 1500 bytes. The Ethernet header and trailer fields consist of
bytes), and FCS (Frame Check Sequence, 4 bytes). These fields comprise 18 bytes of the total frame size. The 802.1Q field, if present, adds an additional 4 bytes. Therefore, when the 54-byte proprietary mirror encapsulation header is present and jumbo frame support is not enabled, the Ethernet data field can be no larger than

Of course there is a possibility that any intermediate switch or the destination switch
operation, if a switch receives an Ethernet frame that has a data field larger than 1500 bytes (1446 actual data bytes plus the 54-byte mirror encapsulation header), it will drop the frame. This is because the additional header makes the frame exceed the maximum frame size for legacy Ethernet, either 1518 untagged or 1522 tagged.

The switch will forward any frame to its intended destination as long as the received frame does not exceed the receiving interface's default MTU, which is typically set at
them and sending them to a destination where they will have bad checksums. Additionally, if a device is attempting to reassemble frames to search, for example, for worms and viruses, then some of the critical data may be missing.

If you want to capture all traffic of interest, then you should enable jumbo frame support. The switch can then transmit a packet that is a total of 9220 bytes. Jumbo frames are only supported on ports operating at 1 Gbps or greater.

To allow these larger frames to be transmitted across your network, you must enable all the switches that might carry the mirrored traffic to support jumbo frames. These switches include both the source and destination switches and any switches in between. On each switch, enable jumbo frames on the VLAN that carries the mirrored traffic using the vlan <vid> jumbo command.
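The numbers in this section (54-byte header, 18 bytes of Ethernet framing, 1500-byte data field, 1518/1522 limits, 1464 and 1446) are all one piece of arithmetic. The following added example (not from the guide, not HP code) carries it through and extends it to the question a defender actually asks: given the frame sizes seen on the source interface, how many frames will silently never reach the IDS unless jumbo support is enabled on every hop. The frame-length list is constructed.

```python
# Added example: the arithmetic behind the guide's jumbo-frame rule for remote mirroring.
# Constants are the values the guide states; the sample frame lengths are constructed.
MIRROR_HDR = 54          # proprietary mirror encapsulation header, bytes
ETH_OVERHEAD = 18        # destination MAC, source MAC, type/length, FCS
DOT1Q_TAG = 4            # 802.1Q tag, when present
MAX_DATA = 1500          # largest Ethernet data field without jumbo support
JUMBO_MAX_FRAME = 9220   # largest frame the switch transmits with jumbo enabled


def legacy_max_frame(tagged: bool) -> int:
    """Hardware limit without jumbo frames: 1518 bytes untagged, 1522 tagged."""
    return ETH_OVERHEAD + MAX_DATA + (DOT1Q_TAG if tagged else 0)


def encapsulated_size(frame_len: int) -> int:
    """Frame size after the source switch inserts the mirror header."""
    return frame_len + MIRROR_HDR


def max_mirrorable_frame(tagged: bool = False) -> int:
    """Largest original frame that still fits without jumbo frames (1464 untagged)."""
    return legacy_max_frame(tagged) - MIRROR_HDR


def max_mirrorable_payload() -> int:
    """Largest data field that survives encapsulation without jumbo frames (1446)."""
    return MAX_DATA - MIRROR_HDR


def needs_jumbo(frame_len: int, tagged: bool = False) -> bool:
    return encapsulated_size(frame_len) > legacy_max_frame(tagged)


def mirror_outcome(frame_len: int, tagged: bool = False,
                   jumbo_enabled: bool = False, link_mbps: int = 1000) -> str:
    """Fate of one mirrored frame on the path to the destination switch.

    Jumbo support only helps on links of 1 Gbps or faster, as the guide states."""
    size = encapsulated_size(frame_len)
    if size <= legacy_max_frame(tagged):
        return "forwarded"
    if jumbo_enabled and link_mbps >= 1000 and size <= JUMBO_MAX_FRAME:
        return "forwarded (jumbo)"
    return "dropped"


def count_lost(frame_lengths, tagged: bool = False,
               jumbo_enabled: bool = False, link_mbps: int = 1000) -> int:
    """Frames the IDS/IPS would never see under the given transport settings."""
    return sum(1 for n in frame_lengths
               if mirror_outcome(n, tagged, jumbo_enabled, link_mbps) == "dropped")


# Constructed sample of frame lengths observed on a mirror source interface.
SAMPLE_FRAME_LENGTHS = [64, 590, 1464, 1465, 1518, 1518]


if __name__ == "__main__":
    print("max frame without jumbo:", max_mirrorable_frame())
    print("lost without jumbo:", count_lost(SAMPLE_FRAME_LENGTHS))
    print("lost with jumbo on 1 Gbps path:", count_lost(SAMPLE_FRAME_LENGTHS, jumbo_enabled=True))
```

The full-size frames are exactly the ones that carry most of a file transfer or a malware download, so the three frames lost in the sample are not a rounding error for an IDS that reassembles streams; the loss only disappears when jumbo support is on and the whole path runs at 1 Gbps or better.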
Remote traffic mirroring: Configuring the mirror sessions

Figure 8

If you are configuring remote traffic mirroring, you must configure the destination switch to handle the mirrored traffic before you configure the source switch to begin sending that mirrored traffic. In other words, you must configure the destination switch to recognize the mirror session and to deliver the mirrored traffic to an exit port.

To configure the destination switch, you use the mirror endpoint ip command as shown above. When you configure the <src-ip>, <src-udp>, and <dst-ip> options, you must match these settings exactly as those that will be configured on the source switch. If the settings do not match, the destination switch will not recognize the mirror session and will not know where to send the mirrored data stream.
<dst-ip> This is the IP address of the VLAN or subnet on which the mirrored traffic enters or leaves the destination switch. The exit port on the destination switch must be a member of this VLAN or subnet.

<port-id> This is the port identifier of the physical port on the destination switch that represents the exit port for the mirrored traffic sent to a receiving device such as a computer running an IDS/IPS or packet analyzer.

To configure the source switch, you use the mirror <session> remote ip command as shown above. As previously mentioned, the <src-ip>, <src-udp>, and <dst-ip> options must match the settings configured on the destination switch. That is, you specify the same values for the same named options.

Remote traffic mirroring: Configuring the mirror sources

Figure 9

On the source switch, you configure the mirror sources for remote traffic mirroring just as you do for local traffic mirroring. Notice that the session number specified in this example is the value assigned to the remote traffic mirroring session on the source switch shown on the previous page. In this example, to show the flexibility of the traffic mirroring feature, the source interface is actually defined as a VLAN instead of one or more physical ports.
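An added configuration example (constructed for this editing pass, not HP's own) that brings together the local session commands from the Local traffic mirroring pages and the endpoint and remote session commands from the two pages above, in the order the guide requires: destination endpoint first, then the exit port of each session, then the sources. All addresses, VLAN and port identifiers, the session name and the UDP port are constructed values; the keyword order of each command follows the figure descriptions above and is an assumption to confirm against the switch's own CLI help.

```text
; Destination switch (constructed address 10.1.100.1). Configure the endpoint first so
; that mirrored packets arriving from the source are recognised and sent to exit port a24,
; where the IDS/IPS is attached. Jumbo frames on the transport VLAN let original frames
; above 1464 bytes arrive intact.
vlan 100 jumbo
mirror endpoint ip 10.1.100.2 8000 10.1.100.1 port a24
show monitor endpoint

; Source switch (constructed address 10.1.100.2).
; Session 1: local mirroring to a packet analyzer on port b1. The exit port must exist
; before any source can be attached to the session.
mirror 1 port b1
interface a1-a3 monitor all in mirror 1

; Session 2: remote mirroring. <src-ip> <src-udp> <dst-ip> must be the same three values
; given on the destination's mirror endpoint ip command, or the endpoint ignores the stream.
vlan 100 jumbo
mirror 2 name ids-remote remote ip 10.1.100.2 8000 10.1.100.1
vlan 20 monitor all in mirror 2

show monitor
show monitor 2
```

Two checks worth making after applying this: show monitor on the source should list session 2 with Type IPv4 and the same address/UDP triple as show monitor endpoint on the destination, and the exit port a24 should be a member of VLAN 100, as the <dst-ip> description above requires.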
Figure 10

The commands shown above display the remote traffic mirroring configuration on the source switch.

The show monitor command lists a second session representing the remote traffic mirroring session. The Type field has a value of IPv4 which indicates the session is

The show monitor <session> command displays the configured parameters for the remote traffic mirroring session. The values for the source IP address, destination IP address, and UDP port number are the same as those specified on the destination switch.

Figure 11

To view the remote traffic mirroring configuration on the destination switch you use the show monitor endpoint command. The values for the source IP address, destination IP address, and UDP port number are the same as those specified on the source switch.

The Destination port field identifies the physical port on this destination switch that connects to a device running an application such as IDS/IPS or a packet analyzer.
Figure 12

Port mirroring is the process of copying the packets that pass through a port/CPU (a mirroring port/CPU) to another port (the monitor port) that is connected with a
port/CPU as needed.

Local port mirroring: In local port mirroring, the mirroring ports/CPUs and the
Layer 2 remote port mirroring: In Layer 2 remote port mirroring, the mirroring ports/CPUs and the monitor port are located on different devices but are on the
Layer 3 remote port mirroring: In Layer 3 remote port mirroring, the mirroring

Note
Because a monitor port can monitor multiple ports, in some cases, it may receive several duplicates of a packet. For example, suppose that Port 1 is monitoring bidirectional traffic on Ports 2 and 3 of the
traffic carries the same VLAN tag as the original traffic did before it was sent out the mirroring ports.
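The duplicate-copy situation in the note above is worth seeing concretely, because an IDS fed twice the packets for one conversation misreports counts and can raise threshold alerts early. The following added model (written for this guide, not Comware code) counts the copies the monitor port receives for each forwarded packet under a given set of mirroring ports and directions; the port names and flows are constructed.

```python
# Added example: how many copies of one packet reach the monitor port of a local
# mirroring group, given which ports are mirrored and in which direction.
# Not the switch's implementation; the scenario is the guide's note (port 1 monitoring
# ports 2 and 3 in both directions).
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Flow:
    """One forwarded packet: the port it entered on and the port it left on."""
    in_port: str
    out_port: str


def copies_at_monitor(sources: Dict[str, str], flow: Flow) -> int:
    """sources maps mirroring port -> 'inbound', 'outbound' or 'both'.

    A packet is copied once when it enters a port mirrored inbound, and once more when
    it leaves a port mirrored outbound; both directions on both ports give two copies."""
    copies = 0
    if sources.get(flow.in_port) in ("inbound", "both"):
        copies += 1
    if sources.get(flow.out_port) in ("outbound", "both"):
        copies += 1
    return copies


def total_copies(sources: Dict[str, str], flows: Iterable[Flow]) -> int:
    return sum(copies_at_monitor(sources, f) for f in flows)


# Constructed scenario from the note: monitor port 1 watches ports 2 and 3 in both
# directions, versus the same ports mirrored inbound only.
BOTH_WAYS = {"port2": "both", "port3": "both"}
INBOUND_ONLY = {"port2": "inbound", "port3": "inbound"}

# Constructed traffic: two hosts on the mirrored ports talking to each other, one of
# them talking to an unmirrored port, and one conversation that touches neither.
SAMPLE_FLOWS = [
    Flow("port2", "port3"),   # request from the host on port 2 to the host on port 3
    Flow("port3", "port2"),   # its reply
    Flow("port2", "port5"),   # port 2 to an unmirrored port
    Flow("port7", "port8"),   # neither side mirrored
]


if __name__ == "__main__":
    for name, sources in (("both directions", BOTH_WAYS), ("inbound only", INBOUND_ONLY)):
        print(name, "->", total_copies(sources, SAMPLE_FLOWS), "copies for",
              len(SAMPLE_FLOWS), "packets")
```

Mirroring the two ports inbound only delivers each packet that touches them exactly once (three copies for the three packets that enter port 2 or 3), while mirroring both directions delivers five, the two extra being the duplicates the note warns about; the same count is what to expect at the data monitoring device behind a Layer 2 remote destination group, since that device only adds the remote probe VLAN check.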
Implementing Port Mirroring
Port mirroring is implemented through port mirroring groups. There are three types of mirroring groups: local, remote source, and remote destination.

The following subsections describe how local port mirroring, Layer 2 remote port mirroring, and Layer 3 remote port mirroring are implemented.

Local port mirroring

Local port mirroring is implemented through a local mirroring group. In local port mirroring, packets passing through a port/CPU (mirroring port/CPU) are mirrored to the monitor port located on the same device.

Layer 2 remote port mirroring

Layer 2 remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group. A remote source mirroring group is created on the source device and a remote destination mirroring group is created on the destination device. The source device copies the packets passing through the mirroring ports/CPUs, broadcasts the packets in the remote probe VLAN for remote mirroring through the egress port, and transmits the packets to the destination device via the intermediate device. When receiving these mirrored packets, the destination device compares their VLAN IDs to the ID of the remote probe VLAN configured in the remote destination mirroring group. If the VLAN IDs of these mirrored packets match the remote probe VLAN ID, the device forwards them to the data monitoring device through the monitor port. In this way, the data monitoring device connected to the monitor port on the destination device can monitor and analyze packets passing through the mirroring ports/CPUs on the source device.

Because the mirrored copies are flooded in the remote probe VLAN, every port that belongs to that VLAN on the source, intermediate, and destination devices receives them. Restrict membership of the remote probe VLAN to the egress port, the links between the devices, and the monitor port, so that the copied traffic is not exposed to other hosts.

Note
Make sure that the source device and the destination device are reachable from each other at Layer 2 through the remote probe VLAN, and configure the destination device to disable the MAC address learning function for the remote port mirroring VLAN.
Layer 3 remote port mirroring
Layer 3 remote port mirroring is implemented through the cooperation of a remote source mirroring group, a remote destination mirroring group, and a GRE tunnel.

On the source device, packets of the mirroring port (or CPU) are mirrored to the tunnel interface that serves as the monitor port in the remote source mirroring group. Then the mirrored packets are transmitted to the destination device through the GRE tunnel. The destination device receives the mirrored packets from the other tunnel interface, which serves as the mirroring port in the remote destination mirroring group. Then the packets are forwarded to the monitor port in the remote destination mirroring group. In this way, the data monitoring device connected to the monitor port on the destination device can monitor and analyze packets passing through the mirroring port/CPU on the source device.

GRE adds neither encryption nor authentication, so the mirrored copies cross the intermediate Layer 3 network in the clear. Treat the tunnel path with the same care as the traffic being monitored.

Configuring Local Mirroring

Local mirroring is made up of one or more mirroring ports (source) and one monitor port (destination).

The first step is to configure a local mirroring group.

<A5800>system-view
[A5800]mirroring-group <group-id> local

The next step is to configure the source and the destination of the mirrored traffic.

<A5800>system-view
[A5800]mirroring-group <group-id> mirroring-port <port-id> { both | inbound | outbound }
[A5800]mirroring-group <group-id> monitor-port <port-id>

Or from the interface configuration prompt.

<A5800>system-view
[A5800]interface <port-id>
[A5800-GE1/0/1]mirroring-group <group-id> mirroring-port { both | inbound | outbound }

<A5800>system-view
[A5800]interface <port-id>
[A5800-GE1/0/24]mirroring-group <group-id> monitor-port
Note
A mirroring group can contain multiple mirroring ports.
Configuring Layer 2 Remote Mirroring
Layer 2 remote mirroring is made up of one or more mirroring ports (source) and one monitor port (destination).

Destination Device

The first step is to configure a remote destination group on the destination device.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> remote-destination

The next step is to configure the destination (monitor port) of the mirrored traffic.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> monitor-port <port-id>

Or from the interface configuration prompt.

<A5800-Dst>system-view
[A5800-Dst]interface <port-id>
[A5800-Dst-GE1/0/24]mirroring-group <group-id> monitor-port

It is then necessary to define the VLAN that will be used by the mirrored traffic.

Note
It is recommended that you use the remote probe VLAN for port mirroring exclusively.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> remote-probe vlan <vid>

Make sure the monitor port is a member of the remote probe VLAN.

Source Device

The first step is to configure a remote source group on the source device and then specify the ports to be mirrored.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> remote-source
[A5800-Src]mirroring-group <group-id> mirroring-port <port-id> { both | inbound | outbound }
Note
A mirroring group can contain multiple mirroring ports.
On the source device, configure the port used to send the mirrored traffic to the destination.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> monitor-egress <port-id>

Or from the interface configuration prompt.

<A5800-Src>system-view
[A5800-Src]interface <port-id>
[A5800-Src-GE1/0/24]mirroring-group <group-id> monitor-egress

It is then necessary to define the VLAN that will be used by the mirrored traffic.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> remote-probe vlan <vid>

Make sure the egress port is a member of the remote probe VLAN. Mirroring ports should not belong to the remote probe VLAN. Verify the groups on both devices with the display mirroring-group all command before relying on the mirrored feed.
Configuring Layer 3 Remote Mirroring
To configure Layer 3 remote port mirroring, you need to create a local port mirroring group on the source device as well as on the destination device, and configure mirroring ports/CPUs and the monitor port for each mirroring group. A tunnel interface serves as the monitor port of the group on the source device and as the mirroring port of the group on the destination device.

On the source device, you need to configure the ports/CPUs you want to monitor as the mirroring ports/CPUs, and configure the tunnel interface as the monitor port.

On the destination device, you need to configure the port corresponding to the tunnel interface as the mirroring port, and configure the port that connects the data monitoring device as the monitor port.

Note
Before configuring Layer 3 remote port mirroring, make sure that you have created a GRE tunnel that connects the source and destination devices.

Module 3: ACLs
In this module, Access Control Lists (ACLs) are described. The section starts with an overview of the various types of ACLs that are supported on selected HP switches. The emphasis of the section is on explaining how standard and extended ACLs work and how to configure them.

Scenario: ACLs

An IT staff is continuing with the process of upgrading network security using HP switch software solutions. They are busy looking at their existing physical security resources, their policies regarding configuration changes and maintenance, and the needs of various departments and student groups across campus.

While most network resources can be secured through operating system passwords and file permissions, the network itself also must be designed to prevent accidental or intentional misuse of resources.

VLANs can be used to create logical or function-based partitions to the LAN. These partitions have boundaries that must be crossed to move data in or out of the VLAN. Traffic crossing those boundaries can be controlled with Access Control Lists (ACLs).

The IT staff would like to better understand some of the key ACL features supported on HP switches before looking into how to implement them. In particular, the IT staff would like to understand the types of options that are available for using ACLs, such as applying them to physical interfaces or VLAN interfaces, and the types of packet criteria that can be specified.
VLAN basics
A VLAN is a group of ports designated by the switch as belonging to the same broadcast domain. When using VLANs you can group users by logical function instead of physical location. This allows you to group high-bandwidth users on low-traffic segments or to organize users from different LAN segments according to their need for common resources.

Port-based VLANs are typically used to enable broadcast traffic reduction and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs that may be configured on a switch. On a given switch, packets are forwarded only between ports that are designated for the same VLAN. Thus, all ports carrying traffic for a particular subnet address should be configured to the same VLAN. Moving traffic between VLANs requires a router or Layer 3 routing switch.

Although membership in a VLAN is typically controlled by assigning a port to a particular VLAN, it is possible to create VLANs based on MAC address, protocol information, or application-based information.

Reasons for VLANs

By default, all the ports on a switch are in a default VLAN. For small networks this may be acceptable. If you decide to leave all the ports in the same VLAN, then all the hosts (PCs, notebooks, servers, and so forth) should be configured in the same subnet.

Larger networks are divided into several VLANs, each with an assigned subnet. This localizes the broadcast traffic and resource usage. An enterprise network may serve tens of thousands of hosts, a number that is far too large to be in the same broadcast domain.

Another important reason for dividing hosts into VLANs is security. Dozens of different types of users are served by the typical enterprise network. To allow all of those users equal access to resources could constitute a serious risk to security. So instead we define a subnet for each group of users that has similar resource or service needs.

Because moving traffic between VLANs is a Layer 3 operation, the network traffic must cross routing boundaries; thus ACLs can be employed to control the flow of traffic between VLANs.
Without the application of traffic filters, each routing switch interface accepts packets from attached hosts and forwards the traffic based on its forwarding tables. However, there may be situations where you do not want all traffic to be forwarded, such as for security or traffic efficiency purposes.

An ACL specifies criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch's interfaces. These criteria may include Layer 3 identifiers, such as source and destination IP addresses, and Layer 4 identifiers, such as source and destination ports. Using ACLs, you can filter IP traffic to or from a host, a group of hosts, or entire subnets.

Technically, an ACL is comprised of one or more Access Control Entries (ACEs). It is the ACE that corresponds to the statement of criteria for determining which traffic is permitted or denied. Once an ACL consisting of one or more ACEs has been defined, you can then implement the ACL by applying it to a physical port or a VLAN interface.

Using ACLs

A typical approach for planning the use of ACLs is to determine the specific conditions under which you want to allow traffic to pass and then define ACEs that expressly deny any other traffic. With this approach, a host can pass traffic only when it meets one of the permitted conditions.

Note
Only selected HP switches support the use of ACLs. Generally, these are switches that provide support for more advanced IP routing services. Switches that provide limited IP routing services, such as only IP static routes, do not typically support the use of ACLs.

ACLs can be useful at both the network edge as well as the network core and distribution levels.

ACLs at the network edge can help improve network performance by reducing the volume of packets that are handled by upstream switches and routers, which also helps reduce system resource usage in the form of buffers and CPU utilization.

Implementing ACLs in the network core and distribution levels can be useful for security and performance purposes. ACLs can be used to ensure various collections of clients only have access to selected destinations. These destinations may be specific hosts, entire subnets, or even particular applications. For security purposes, you may want to ensure communications are restricted, for instance, that all hosts and servers in a given VLAN are only allowed to communicate within that VLAN or with a limited number of other specific VLANs.
Note
The extent of ACL support varies among the HP switch families. For example, some switches may support applying ACLs to ports, trunks, and VLANs whereas other switches may support applying ACLs to ports and trunks only. In other cases, some switches support specifying extensive criteria for identifying the traffic to be filtered, while other switches support less extensive criteria. Later in this section, a table can be found that summarizes the ACL feature support on HP switches.

Static and dynamic ACLs

Some HP switches support only static ACLs, while others also allow you to implement ACLs in a dynamic manner. Later in this section, a table summarizes the ACL feature support on various HP switches.
Using static ACLs implies that you are configuring ACLs on the switch and storing them in the switch configuration file. Once a static ACL is applied to a physical port or trunk or a VLAN interface, the ACL is fixed in place until you later modify it or remove it.

In contrast, using dynamic ACLs involves configuring them on an external system such as a supported RADIUS server (Microsoft IAS, FreeRADIUS, and others) or HP Identity Driven Manager. A dynamic ACL can only be applied to a physical port, and its application to a port is triggered dynamically based on the successful authentication of a client. The application of this type of ACL is temporary. That is, the ACL is active for the duration of the client's session. When the client's session ends, the ACL is removed from the port.

As will be explained later in this section, the structure of an ACL can be categorized as either being a standard type or an extended type. When implementing ACLs in a static manner, you can use either the standard or extended format. Applying a dynamic ACL through a RADIUS server requires the use of the extended ACL format.

Implementing static ACLs implies that you configure the ACLs on the switch and store them in the switch configuration file. There are three applications or approaches for implementing static ACLs that are supported by selected HP switches. These are:

Static RACL: An RACL is applied to a VLAN to filter routed IP traffic entering or leaving the switch on that interface. An RACL can also filter traffic having a destination on the switch itself. A single RACL assignment filters traffic in one direction on a given VLAN. To filter traffic in both directions, you must apply the ACL twice: one instance of the ACL would specify the criterion that corresponds to in and a second instance would specify the criterion that corresponds to out.

Static VACL: A VACL filters IP traffic on a given VLAN whether or not IP routing is enabled on the switch.

Note
Except for filtering IP traffic to an IP address on the switch itself, RACLs can operate only while IP routing is enabled on the switch. A RACL corresponds to a Layer 3 traffic filter.
Note
VACLs can operate while IP routing is NOT enabled on the switch. A VACL corresponds to a Layer 2 traffic filter.

Note
The terms RACL and VACL were introduced with the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series.

Static Port ACL: A static port ACL filters IP traffic entering the switch on a port, group of ports, or a static trunk. The IP traffic is filtered regardless of whether it is routed or switched. A static port ACL can also filter traffic having a destination on the switch itself.

Note
Since a static port ACL supports both switched and routed traffic, it provides Layer 2 and Layer 3 traffic filtering.

A static ACL can be applied to a VLAN as a RACL or a VACL (or both), and on a physical port or static trunk. The HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series support all of these ACL implementations. A table at the end of this module summarizes the HP switch ACL feature support.
Dynamic port ACLs provide traffic control by permitting or denying authenticated client access to specific network resources. The network resources you identify may be individual servers, entire subnets, and even the switch management interfaces. This includes preventing clients from using applications, such as Telnet, SSH, Web browser, and SNMP, if you do not want their access privileges to include these capabilities.

This feature is designed for use at the network edge where you can apply RADIUS-assigned, per-port ACLs for Layer 3 and 4 filtering of IP traffic entering the switch from authenticated clients. A given dynamic port ACL is associated with a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the unique credentials.

Because the ACL follows the credential rather than the port, an ACL keyed to a MAC address is only as strong as MAC authentication itself: a client that presents a spoofed MAC address receives that address's ACL. Use username/password (802.1X) credentials where the assigned access matters.

Note
Dynamic, per-port ACLs applied through a RADIUS server can also be augmented using the Identity-Driven Management (IDM) application that is supported by PCM+. IDM operates in conjunction with a RADIUS server to provide an easy-to-use interface for implementing per-user access controls at the network edge. IDM is also more convenient to use because it enables you to centrally manage ACLs for all users across multiple RADIUS servers.

Benefits

Using RADIUS or IDM to dynamically apply per-port ACLs to edge ports enables the switch to filter IP traffic coming from outside the network. Removing unwanted IP traffic as soon as possible can help to improve network and system performance. Applying dynamic port ACLs to ports on the network edge can be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted traffic.

The switch allows multiple dynamic port ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, dynamic port ACLs can be assigned regardless of whether other ACLs affecting the same port are statically configured on the switch.

Requirements

Configuring each ACL on the RADIUS server, instead of the switch, and assigning each ACL to a username/password pair or MAC address identifier.

Dynamic port ACLs are supported by various HP switches. These include the HP Switch 8200zl, 5400zl, 3500yl, 6200yl, 5300xl, 3400cl, and 6400cl series. You can implement dynamic port ACLs on these switches using a RADIUS server directly or through IDM.

Comparison of static and dynamic ACL options

This table highlights several notable differences between the static ACLs configurable on switch VLANs and ports, and the dynamic port ACLs that can be assigned to individual ports by a RADIUS server or IDM operating in conjunction with a RADIUS server.
Elements of an ACL

An ACL consists of the following elements or building blocks:

ACL identifier: A given static ACL is identified by using a number or alphanumeric name. The number you configure can be between 1 and 199 and the name can be up to 64 alphanumeric characters.

Note
The ACL identifier for dynamic, per-port ACLs uses an internal system identifier that associates the ACL with user credentials or a MAC address.

As described earlier, an ACL itself is comprised of one or more ACEs. When an ACL is comprised of multiple ACEs, these entries share the same ACL identifier (ID). In this case, all of the entries with the same ACL ID are applied to the same port, trunk, or VLAN interface for filtering IP traffic. In the case of the dynamic form of an ACL, it can only be applied to a physical port.

Criteria: Each ACE in an ACL is a filter statement that identifies the characteristics of traffic to receive special handling. The characteristics to be matched can be one or more of the fields in a packet's Layer 3 and Layer 4 headers.

Direction: Each ACE must specify the direction of the traffic for which packets are to be filtered.

Action: Each ACE also defines the action you want taken for packets that match the criteria that have been specified. Packets matching the criteria can be either permitted or denied.
Types of ACLs

From a configuration perspective, there are two primary types of ACLs:

Standard / Basic: A standard ACL uses only a packet's source IP address as a criterion for permitting or denying the packet.

Extended: An extended ACL offers more options for specifying criteria for filtering packets compared to a standard ACL. The additional criteria include the destination IP address, source port number, destination port number, and various other IP protocols in addition to IP, TCP and UDP.

A standard or extended ACL can use either a number or a name for the ACL ID. The HP switches that support ACLs allow you to define 99 numbered, standard ACLs and 100 numbered, extended ACLs. For a standard ACL, the numeric identifier can be from 1 to 99. For an extended ACL, the numeric identifier can be from 100 to 199.

Note
The specific manner in which an ACL is assigned to an interface corresponds to the type of application for the ACL: a RACL, VACL, static port, or dynamic port ACL.

When a name is used for the identifier of a standard or extended ACL, it can be up to 64 alphanumeric characters. Using names also increases the quantity of ACLs that you can define on a switch: by using named ACLs, you can define more than 199 ACLs should you reach the limit of 99 numbered, standard ACLs and 100 numbered, extended ACLs. Defining named ACLs can also be more convenient for the purposes of organizing and referencing the ACLs.

Some switches support up to 2048 ACLs, while other switches support a smaller number. Switches that support up to 2048 ACLs include the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series. Regardless of the specific limit, ACLs share internal routing switch resources with several other features. This includes the QoS, IDM, Virus-Throttling, ICMP, and Management VLAN features. The switch typically provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released. The show access-list resources command, described later in this section, shows how much of this capacity remains.
ACL criteria

Standard / Basic ACLs

A standard ACL allows you to filter traffic based solely on a packet's source IP address. The IP address can be specified as a single address or as a range of addresses using a mask.

A standard ACL is useful when you need to:

Permit or deny any IP traffic based on source IP address only.

Quickly control the IP traffic from a specific address. This allows you to isolate IP traffic problems generated by a specific device, group of devices, or a subnet threatening to degrade network performance. This gives you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area.

Extended ACLs

An extended ACL allows you to define multiple criteria to filter traffic. This enables you to more closely define your IP packet-filtering.

An extended ACL allows you to filter traffic based on criteria that include the source IP address, destination IP address, IP protocol type, source port, and destination port. You can also filter traffic based on the IP precedence and Type of Service (ToS) fields that are located in the IP header. For ICMP and IGMP traffic, you can even specify the message type. The IP protocol type can be specified by number or by using one of several well-known names. For example, the IP protocol type can be given as ip, tcp, udp, icmp, or igmp.

The TCP/UDP port can also be specified by using a number or a well-known name. Examples of well-known names you can specify include telnet, http, and bgp.

For applications that may implement the ToS field settings, you can also use the IP Precedence and ToS criteria options to filter packets as well. The IP header has an 8-bit field called the Type of Service (ToS). Traditionally, IP Precedence has used the first three bits of this field to assign 8 possible precedence levels. These correspond to precedence values 0 through 7. The ToS values that can be specified are:

Normal (0)
max-reliability (2)
max-throughput (4)
minimize-delay (8)

Note
Not all switches support all criteria for extended ACLs. For details about the specifically supported features, refer to the Access Security guide (or Advanced Traffic Management guide) for the switch model.
Defining a standard ACL: Numbered format
A standard ACL can be defined and applied using the CLI. Some HP switches also allow you to configure ACLs using the web browser management interface.

The elements of the access-list command used to define a standard ACL include the ACL ID, which is used to associate one or more ACL entries; an action, which may be permit or deny; and the source IP address criterion, which can be written in one of three ways.

In the first example, a single source IP address is specified using the keyword host. In the second example, an IP address is followed by an ACL mask. The 0 bits of the mask designate the bit positions that must match the source IP address of a packet. The mask may also have a string of 1s that designate bit positions that are considered a match regardless of their actual value. The third example uses CIDR notation, which consists of specifying a forward slash and an integer number after the IP address. The number specifies the length of the mask in bits and designates the bit positions that must match. Details about these formats are described after the next page.
Example 1: You want to specify all addresses in the range 10.1.10.0 through 10.1.10.255, which have a common value in the first 24 bits.

10.1.10.0     00001010 00000001 00001010 00000000
10.1.10.255   00001010 00000001 00001010 11111111
ACL mask      00000000 00000000 00000000 11111111   Last 8 bits are not significant

This range can be defined in an ACL as: 10.1.10.0 0.0.0.255 or 10.1.10.0/24

Example 2: You want to specify all addresses in the range 10.1.32.0 through 10.1.47.255, which have a common value in the first 20 bits.

10.1.32.0     00001010 00000001 00100000 00000000
10.1.47.255   00001010 00000001 00101111 11111111
ACL mask      00000000 00000000 00001111 11111111   Last 12 bits are not significant

This range can be defined in an ACL as: 10.1.32.0 0.0.15.255 or 10.1.32.0/20

Figure 1

In common IP addressing, a network (or subnet) mask defines which part of the IP address to use for the network number (or subnet) and which part to use for the hosts on the network. Thus, the bits set to 1 in a network mask define the part of an IP address to use for the network (or subnet) number, and the bits set to 0 in the mask define the part of the address to use for the host number.

In the first example above, 10.1.10.0 corresponds to the subnet with a subnet mask of 255.255.255.0, which is a 24-bit address mask. Valid host numbers in the fourth octet are between 1 and 254. Therefore, valid IP addresses that could be assigned to devices are from 10.1.10.1 through 10.1.10.254. The IP addresses 10.1.10.0 and 10.1.10.255 are reserved for identifying the subnet and broadcast addresses, respectively.

The second example can be more difficult to understand since the boundary between the subnet and host numbers occurs within the third octet instead of on a full octet boundary. In this second example above, 10.1.32.0 corresponds to the subnet with a subnet mask of 255.255.240.0, which is a 20-bit address mask. Valid host numbers can use the last four bits of the third octet and the 8 bits of the fourth octet. The valid IP addresses that could be assigned to devices are from 10.1.32.1 through 10.1.47.254. The IP addresses 10.1.32.0 and 10.1.47.255 are reserved for identifying the subnet and broadcast addresses, respectively.
If a packet does not match the criteria of an ACE, it is compared with the next ACE in the ACL.

An ACL mask uses 0 bits to identify the portion of an IP address in a packet that must match and 1 bits to identify the portion of an IP address in a packet that does NOT need to match. The notation involves specifying a quad dotted-decimal value which is the inverse of the common IP addressing masks you may be more familiar with.

You can also use CIDR notation to specify the mask for an ACL entry. The switch interprets the bits specified with CIDR notation as the IP address bits (relative to the left-most bit position) in an ACL that a corresponding IP address in a packet must match. The switch converts the mask to inverse notation for ACL use. A CIDR mask involves specifying the number of leading bits that must match (the 0 bits of the ACL mask) using the /n syntax. It is equivalent in purpose to the ACL mask, but simply uses a different syntax.

Both dotted-decimal and CIDR notations are acceptable when defining address ranges for an ACL, but the ACE is stored in the configuration file using the ACL mask notation.

Note
Where a standard network mask defines how to identify the network and host numbers in an IP address, the mask used with ACEs defines which bits in a packet's IP address must match the corresponding bits in the IP address listed in an ACE, and which bits are ignored.

In the first example, let's assume that you want to identify any host within the 10.1.10.0/24 subnet for the ACL entry. To do this you would specify an IP address and ACL mask of the form 10.1.10.0 0.0.0.255. The equivalent entry using a CIDR mask is 10.1.10.0/24.

In the second example, let's assume that you want to identify any host within the 10.1.32.0/20 subnet for the ACL entry. To do this you would specify an IP address and ACL mask of the form 10.1.32.0 0.0.15.255. The equivalent entry using a CIDR mask is 10.1.32.0/20.

Note
There is NOT necessarily any correspondence between the mask you use to configure IP addresses on devices and the ACL mask you specify in ACLs.
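The two mask examples above (10.1.10.0 0.0.0.255 and 10.1.32.0 0.0.15.255) and the matching rules described on the preceding pages (0 mask bits must match, 1 mask bits are ignored, ACEs are compared in order) can be worked through in code. The following Python script is an added example written for this module; it is not code from the guide or from HP. It converts between CIDR and ACL-mask notation, applies an ACL mask to a packet address (including a non-contiguous mask, which the ACL-mask notation allows but a subnet mask does not), and evaluates a small standard ACL and a small extended ACL in the order their ACEs were entered, ending with the implicit deny that terminates every ACL. The ACE grammar it parses (permit/deny, an optional protocol keyword, host/any/address-mask/CIDR address forms, and an optional eq port after the destination) is a simplified subset of the switch syntax assumed here for illustration, and the sample ACLs are constructed, not taken from the guide.

```python
"""ACL masks and first-match evaluation in the style of HP switch ACLs.

Added example for this module, not switch firmware or HP code. Assumed:
the ACE grammar subset parsed below and the constructed sample ACLs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_BITS = 32
ALL_ONES = (1 << IPV4_BITS) - 1
PROTOCOLS = ("ip", "tcp", "udp", "icmp", "igmp")


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def cidr_to_acl_mask(prefix_len: int) -> str:
    """/n -> ACL (inverse) mask: first n bits 0 (must match), rest 1 (ignored).
    /24 -> 0.0.0.255, /20 -> 0.0.15.255."""
    if not 0 <= prefix_len <= IPV4_BITS:
        raise ValueError(f"bad prefix length {prefix_len}")
    subnet_mask = (ALL_ONES << (IPV4_BITS - prefix_len)) & ALL_ONES
    return int_to_ip(subnet_mask ^ ALL_ONES)


def acl_mask_to_cidr(acl_mask: str) -> Optional[int]:
    """Prefix length of a contiguous ACL mask (0s then 1s), else None.
    ACL masks need not be contiguous, so None is a legitimate answer."""
    subnet_mask = ip_to_int(acl_mask) ^ ALL_ONES
    n = bin(subnet_mask).count("1")
    contiguous = subnet_mask == (ALL_ONES << (IPV4_BITS - n)) & ALL_ONES
    return n if contiguous else None


def parse_address(spec: str) -> Tuple[int, int]:
    """(address, acl_mask) for 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z'
    (address plus ACL mask) or 'A.B.C.D/n' (CIDR)."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES
    if parts[0] == "host" and len(parts) == 2:
        return ip_to_int(parts[1]), 0
    if len(parts) == 1 and "/" in parts[0]:
        addr, n = parts[0].split("/")
        return ip_to_int(addr), ip_to_int(cidr_to_acl_mask(int(n)))
    if len(parts) == 2:
        return ip_to_int(parts[0]), ip_to_int(parts[1])
    raise ValueError(f"unrecognised address spec: {spec!r}")


def matches(packet_ip: str, addr: int, acl_mask: int) -> bool:
    """0 bits in the ACL mask must equal the ACE address; 1 bits are ignored."""
    return (ip_to_int(packet_ip) ^ addr) & (acl_mask ^ ALL_ONES) == 0


@dataclass(frozen=True)
class ACE:
    action: str                       # "permit" or "deny"
    src: Tuple[int, int]              # (address, acl_mask)
    protocol: str = "ip"              # "ip" matches every IP protocol
    dst: Tuple[int, int] = (0, ALL_ONES)
    dst_port: Optional[int] = None    # TCP/UDP destination port, if given


def _take_address(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec starting at tokens[i]; return (spec, next i)."""
    if tokens[i] == "any" or "/" in tokens[i]:
        return parse_address(tokens[i]), i + 1
    if tokens[i] == "host":
        return parse_address(f"host {tokens[i + 1]}"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return parse_address(f"{tokens[i]} {tokens[i + 1]}"), i + 2
    raise ValueError(f"address without mask at token {i}: {tokens[i]!r}")


def parse_ace(line: str) -> ACE:
    """Parse a standard ACE ('permit 10.1.10.0 0.0.0.255') or an extended
    one ('deny tcp 10.1.32.0/20 host 10.1.10.1 eq 23')."""
    tokens = line.split()
    action, i = tokens[0], 1
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    protocol = "ip"
    if tokens[i] in PROTOCOLS:
        protocol, i = tokens[i], i + 1
    src, i = _take_address(tokens, i)
    dst, dst_port = (0, ALL_ONES), None
    if i < len(tokens):
        dst, i = _take_address(tokens, i)
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dst_port, i = int(tokens[i + 1]), i + 2
    if i != len(tokens):
        raise ValueError(f"trailing tokens in {line!r}")
    return ACE(action, src, protocol, dst, dst_port)


def evaluate(acl: List[ACE], src_ip: str, dst_ip: str = "0.0.0.0",
             protocol: str = "ip", dst_port: Optional[int] = None
             ) -> Tuple[str, Optional[int]]:
    """(action, ACE number) of the first ACE that matches. A packet matching
    no ACE hits the implicit deny at the end of the ACL -> ("deny", None)."""
    for number, ace in enumerate(acl, start=1):
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if not matches(src_ip, *ace.src) or not matches(dst_ip, *ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, number
    return "deny", None


# Constructed sample ACLs (not from the guide), in the order the ACEs are entered.
STANDARD_ACL_1 = [parse_ace(l) for l in (
    "deny host 10.1.10.7",            # one misbehaving host, listed first
    "permit 10.1.10.0 0.0.0.255",     # example 1 range, ACL-mask form
    "permit 10.1.32.0/20",            # example 2 range, CIDR form
)]
EXTENDED_ACL_BLOCK_TELNET = [parse_ace(l) for l in (
    "deny tcp 10.1.32.0/20 host 10.1.10.1 eq 23",   # no Telnet to 10.1.10.1
    "permit ip 10.1.32.0/20 any",
)]
```

Order matters: because the first matching ACE decides, swapping the deny for host 10.1.10.7 with the permit for 10.1.10.0/24 would silently let that host through, and a source such as 10.1.48.3, which no ACE covers, is dropped by the implicit deny even though no deny ACE was written for it.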
Defining a standard ACL: Named format

A named, standard ACL is identified by an alphanumeric string of up to 64 characters and is created by entering the named ACL (nacl) context. A numbered, standard ACL, identified by a number in the range of 1 to 99, can be created without having to leave the global configuration context.

In the graphic above, the first example shows how you access the named ACL context using the ip access-list command. Then, you can specify the criteria, in the case of a standard ACL, for a particular ACE starting with the permit or deny keyword. You can add more than one ACE to a given ACL once you have accessed the named ACL context for that particular ACL.

Note
Once a numbered ACL has been created, it can be accessed using the named ACL context. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs, just as you might need to do for a named ACL. Inserting or deleting an ACE is done by sequence number, and requires the use of the named ACL context.

The show access-list command options enable you to view a variety of information about the ACLs configured on the switch.

The show access-list command displays ACL summary information. This command lists the configured ACLs, regardless of whether they are assigned to any interfaces. The Type field indicates whether the listed ACL is a standard (std) ACL or an extended (ext) ACL.

The show access-list config command displays a listing of all configured ACLs on the switch as they appear in the switch configuration file. This command also allows you to see the sequence number assigned to each ACE.

Note
The sequence number is listed for ProVision ASIC products only. These include the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series.
show access-list vlan <vid>: Lists the name and type for each ACL application assigned to a particular VLAN on the switch.
show access-list ports <all | port-list>: Lists the ACL static port assignment for either all ports and trunks, or for the specified ports and/or trunks.
show access-list <acl-id>: Displays detailed content information for a specific ACL.
show access-list resources: Displays the currently available per-slot resource
Management and Configuration Guide for your switch.
show access-list radius <all | port-list>: Lists the dynamic per-port ACLs currently assigned through RADIUS for either all ports and trunks, or for the specified ports and/or trunks.
entering or leaving the switch on a VLAN.

Note
The command option indicating the direction of the traffic to be filtered that you can specify for the ip access-group command depends on the type of application: RACL, VACL, or port/trunk.

Keep the following points in mind when configuring any ACL:
The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN.
If you delete an assigned ACL from the switch without subsequently using the no form of this command to remove the assignment to a VLAN, the ACL assignment remains and will automatically activate any new ACL you create with the same identifier (name or number).

For a given VLAN interface on a switch configured for routing, you can assign an ACL as a RACL to filter inbound IP traffic and another ACL as a RACL to filter outbound IP traffic. You can also use one ACL for both inbound and outbound RACL applications. You can even use the same ACL for multiple VLANs.

In fact, the same ACL could potentially be used for any of the possible static applications. For example, the same ACL may be assigned as a RACL on one VLAN, a VACL on another VLAN, and as a static per-port ACL on some physical port or trunk.

Except for any IP traffic with a destination IP address on the switch itself, RACLs filter only routed IP traffic that is entering or leaving the switch on a given VLAN. Therefore, if routing is not enabled on the switch, there is no routed IP traffic for RACLs to filter.

RACLs screen routed IP traffic entering or leaving the switch on a given VLAN:
IP traffic arriving on the switch through one VLAN and leaving the switch
IP traffic arriving on the switch through one subnet and leaving the switch through another subnet within the same, multinetted VLAN
Filtering the routed IP traffic of interest requires that you assign a RACL to screen IP traffic inbound or outbound on the appropriate VLAN(s). In the case of a multinetted VLAN, this implies the following:
IP traffic inbound from different subnets in the same VLAN is screened by the same inbound RACL.
IP traffic outbound from different subnets is screened by the same outbound RACL.

A RACL does not filter switched IP traffic unless the switch itself is the source or destination. Also, a RACL does not filter IP traffic moving between ports belonging to the same VLAN or subnet (in the case of a subnetted VLAN).
entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs.

You can use either the global configuration level or the VLAN context level to assign or remove an ACL implemented as a VACL.

Notice that you specify the vlan keyword with the ip access-group command when implementing an ACL as a VACL. In contrast, when implementing an ACL as a RACL, you can choose in or out.

Operating notes: Using a VACL
A given ACL implemented as a VACL can be assigned to multiple static VLANs
A VACL filters IP traffic entering the switch on the VLAN to which it is assigned
Is not affected by the IP routing setting on the switch
Traffic subject to filtering by a VACL:
multinetted VLAN
You can use either the global configuration level or the interface context level to assign or remove an ACL implemented as a static port ACL.

Notice that you specify the in keyword of the ip access-group command when implementing an ACL as a static port ACL. In contrast, when implementing an ACL as a:
RACL, you can choose in or out.
VACL, you can only choose in.

Operating notes: Using a static port ACL
Filters any IP traffic inbound on the designated port, regardless of whether it is switched or routed
If a port is configured with an ACL, the ACL must be removed before the port is
Adding a port to a trunk applies the trunk's ACL configuration to the new member

If a port is configured with an ACL, you must remove the ACL before the port is added to the trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. Also, if you remove a port from an ACL-configured trunk, the ACL

Implied rules
Figure 2
(depending on user configuration) are tested against each ACL entry in the access list until there is a match. When a packet meets the test conditions of an ACL entry, the specified action (permit or deny) is followed, and the packet is not tested further.

In every IP access group there is an implied member, which denies all traffic that is not specifically permitted by any of the explicit ACL entries. While in many traffic-filtering applications this is a desired effect, sometimes it is not. The implied "deny any" ACL entry can cause unexpected results if you are not aware of its existence.

In this example, all packets that fail to match the conditions of the first entry in the ACL will be subjected to the implicit ACE that denies traffic from any source address. As a result, no inbound traffic will be accepted through the VLAN. Therefore, an ACL should have at least one entry that contains the permit action.

The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is 10 and subsequent ACEs are numbered in increments of 10. For example, in the graphic, the show access-list output displays the ACEs for one ACL that are numbered 10, 20, and 30, respectively.
When you add an entry to an ACL, by default, it goes to the end of the list. You can add an ACE to the end of a numbered or named ACL by using either the access-list command for numbered ACLs or the ip access-list command for named ACLs.

On some switches (8200zl, 5400zl, 3500yl, and 6200yl), if you need to add an ACL entry to some location other than the end of the list, you can specify a sequence number so that the ACE is inserted in the correct location relative to the other existing ACEs. To use this feature, you must be in the named ACL (nacl) context.

From the named ACL context level, you can also easily remove an ACE using the no <sequence-number> command. In addition, you can redefine the sequence numbers of all ACEs in a given ACL using the ip access-list resequence <start-sequence> <increment> command, where <start-sequence> is the sequence number you want to assign to the first ACE and <increment> is the incrementing value by which subsequent ACEs will be numbered.
When you have many ACL configuration changes to make to an existing configuration, you can use one of several approaches listed in the graphic:
Remove one or more ACEs and then redefine them in the preferred order.
Use the copy command to transfer the ACL configuration to a server for editing:
You can use the copy command-output show access-list config tftp command to transfer the entire ACL configuration to a text file on the server. You can then edit the file to make the necessary changes. When you are done, use the copy tftp

Note
are replacing any ACL using the same number or name identifier.

Use TFTP (or SFTP if SSH is enabled) to transfer the switch configuration file to
Then you can modify the ACLs listed in the configuration file and add any additional ones that are necessary. When completed, you can transfer the file
instance.

It is important to note that the manual modification of ACL entries can result in anomalous behavior. For example, if you delete all permit ACEs from an ACL without removing its inbound or outbound association with an interface, all inbound traffic on that interface will be denied. On the other hand, if you remove the ACL's inbound or

address.
Using an extended ACL allows you to more specifically control the IP packet-filtering process. Extended ACLs allow filtering based on the following criteria:
Source and destination IP addresses. The IP address can be specified in one of several formats that identify a specific host IP address, a subnet, a group of IP addresses, or any IP address.
IP protocol. This can be specified as a number from 0 to 255, or one of several well-known names. Examples of well-known names are ip, tcp, udp, and icmp.
Optional message type criteria for the IGMP and ICMP protocols.
Optional source and/or destination TCP/UDP ports. In addition, you can specify a comparison operator to more easily qualify the ports. For TCP, the established option can be used to specify whether TCP SYN packets will be allowed.

To define an extended ACL you first use the ip access-list extended command to define an ACL ID. This command also causes the extended named ACL context to be accessed. From this context level you can specify one or more ACEs.
IP protocol options
An extended ACL allows you to filter traffic based on the protocol type field in the IP header. Specifying a value for this criterion is required in an extended ACL. For this
Well-known protocol name table (only partially recovered): udp, vrrp

Note
Not all switches support the protocols listed in the table, while some switches support several other protocols. For details about the specifically supported protocols, refer to the Access Security Guide (or Advanced Traffic Management Guide) for the switch model.

If you do not want to specify a protocol as selection criteria, you should specify ip as the protocol. This will cause all IP traffic to be tested against the ACL entry.

The Internet Assigned Numbers Authority has a Web site that contains a database listing well-known protocol and port names at http://www.iana.org.
ICMP protocol options
IP hosts rely heavily on the Internet Control Message Protocol (ICMP) and it would likely have a negative impact on network communication if you were to deny all ICMP traffic. Some HP switches allow you to identify individual ICMP message types in an ACL entry. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic.

In an extended ACL using icmp as the IP protocol type, you can optionally specify an individual ICMP message type or message type/code pair to further define the criteria for a match. This option, if used, is specified after the destination IP address criterion. As an alternative, the ACE can include the well-known name of an ICMP message type. Some examples of these message type names are: echo, echo-reply, host-

Similar to ICMP, IGMP is also a protocol for which you may want to selectively filter based on message type criteria. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or

In an extended ACL using igmp as the IP protocol type, you can optionally specify an individual IGMP message type. As an alternative, the ACE can include the well-known name of an IGMP message type. Some examples of these message type
trace.

An extended ACL also allows you to filter traffic based on the destination port, the source port, or both. These fields are located in the layer 4 (TCP or UDP) header. The
Well-known TCP/UDP port name table (only partially recovered): radius, radius-old, rip, snmp, snmp-trap, tftp
If you specify a source or destination port number or name, you also need to specify a comparison operator. The comparison operators are:
eq: Equal to
gt: Greater than
lt: Less than
neq: Not equal to
range <start> <end>: Range of port numbers from start to end, inclusive.

For the TCP protocol, you can optionally include the established keyword, which is used to control TCP connection traffic. It can be used so that synchronizing packets
VLAN, while allowing all other IP traffic for the same type of connection in the opposite direction.

For example, a Telnet connection request requires TCP traffic to move both ways between a host and the target device. Simply applying a deny action to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because
would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.
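The following Python model is an added example, not part of this guide or of HP's switch software. It applies the behaviour described in this module (first-match evaluation ending in the implied deny-any, default sequence numbers 10, 20, 30 with insertion by sequence number, no <sequence-number> removal and resequencing, ACL-mask address matching, the port comparison operators, and the established keyword) to a Telnet case like the one above. The class and function names and the packet representation are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed model of the ProVision ACL behaviour this module describes.
# Class, field and function names are assumptions, not switch CLI syntax.

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    syn: bool = False          # TCP flag bits, used by 'established'
    ack: bool = False
    rst: bool = False

@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches all IP traffic
    src: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"    # ACL mask: 0 bit = must match, 1 bit = ignored
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    dport_op: Optional[tuple] = None     # ("eq", 23), ("range", 20, 21), ...
    established: bool = False            # TCP only; a bare SYN never matches
    seq: int = 0

def addr_matches(addr: str, ref: str, acl_mask: str) -> bool:
    """A 0 bit in the ACL mask means that bit of the packet address must equal ref."""
    a, r, m = (int(IPv4Address(x)) for x in (addr, ref, acl_mask))
    care = ~m & 0xFFFFFFFF
    return (a & care) == (r & care)

def port_matches(port: int, op: Optional[tuple]) -> bool:
    """The comparison operators from the text: eq, gt, lt, neq, range <start> <end>."""
    if op is None:
        return True
    name, *args = op
    return {"eq": port == args[0], "neq": port != args[0], "gt": port > args[0],
            "lt": port < args[0], "range": args[0] <= port <= args[-1]}[name]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(pkt.src, ace.src, ace.src_mask)
            and addr_matches(pkt.dst, ace.dst, ace.dst_mask)):
        return False
    if not port_matches(pkt.dport, ace.dport_op):
        return False
    # 'established' matches only segments of an already open connection
    # (ACK or RST set), so a connection request (SYN alone) falls through.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True

class NamedAcl:
    """Named ACL with ProVision sequence numbering: 10, 20, 30, ... by default."""

    def __init__(self, name: str):
        self.name = name
        self.aces: list[Ace] = []

    def add(self, ace: Ace, seq: Optional[int] = None) -> None:
        """Append at the end by default; an explicit seq inserts at that position."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        ace.seq = seq
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq: int) -> None:
        """Counterpart of 'no <sequence-number>' in the nacl context."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def resequence(self, start: int, increment: int) -> None:
        """Counterpart of 'ip access-list resequence <start-sequence> <increment>'."""
        for i, a in enumerate(self.aces):
            a.seq = start + i * increment

    def evaluate(self, pkt: Packet) -> str:
        """First matching ACE decides; the implied 'deny any' catches everything else."""
        for a in self.aces:
            if ace_matches(a, pkt):
                return a.action
        return "deny"

def build_telnet_acl() -> NamedAcl:
    """The text's Telnet case: deny inbound connection requests to port 23 while
    letting replies to sessions opened from inside the VLAN come back in."""
    acl = NamedAcl("no-inbound-telnet")
    acl.add(Ace("permit", "tcp", established=True))     # seq 10
    acl.add(Ace("deny", "tcp", dport_op=("eq", 23)))     # seq 20
    acl.add(Ace("permit"))                               # seq 30: permit ip any any
    return acl
```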
This table provides a summary of ACL feature support on the indicated HP switch models.

Depending on the type of ACL and the switch model, you may be able to assign an ACL to an interface to filter inbound, outbound, or both.

All switches listed support the configuration of ACLs through the CLI. The 9300m also supports configuration of ACLs through the web management interface.

The maximum number of ACLs varies by switch model. In the case of the 3400cl and 6400cl models, the maximum number supported depends in particular on the usage of the switch rule and mask resources. Refer to the Advanced Traffic Management Guide for additional information on how to monitor these resources.
Comware ACLs
Comware ACLs support the same types of ACLs that have been discussed to this point. The biggest difference is that ACLs are applied using QoS policies or using the packet-filter command.

ACL type and how it is applied:
Port based ACL: QoS policy, packet-filter command
VLAN ACL: QoS policy
IP Interface ACL: packet-filter command

These are the steps necessary to configure an ACL using the QoS policy method:
Create an ACL
Create a traffic classifier. This usually specifies an ACL
Create a traffic behavior. This setting overrides the action defined in the ACL itself.
Create a QoS policy to link the traffic classifier (ACL) and the behavior.

Note
It is possible to define multiple ACLs, traffic classifiers, and traffic behaviors and
Globally
VLAN (VACL)
Port (PACL)

These are the steps to create an ACL using the packet-filter command.
Port (PACL)
Introduction to ACL
Introduction
An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic will then be permitted or rejected by predefined security policies. ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.

Application of ACLs on the Switch
The switch supports two ACL application modes:
Hardware-based application: An ACL is assigned to a piece of hardware. For
packet filtering or is referenced by a QoS policy for traffic classification. Note that when an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS.
Software-based application: An ACL is referenced by a piece of upper layer software. For example, an ACL can be referenced to configure login user control behavior, thus controlling Telnet, SNMP and Web users. Note that when

Note
policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL.

IPv4 ACL category table (only partially recovered): Advanced IPv4 ACL, numbered 3000 to 3999, over IP, and other Layer 3 or
information
Note
The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.

An ACL can contain multiple rules, which are identified by their rule IDs. Each rule defines a condition that is different from those for the other rules of the ACL. Because these rules may overlap or conflict, the notion of rule order is introduced to determine which rule will apply. A packet is compared against the rules of the ACL in the rule order until a matching rule is found, and is then processed as per the rule.

Two rule orders are available for IPv4 ACLs:
config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number has a higher priority.
auto: ACL rules are sorted in depth-first order. The depth-first order differs with ACL categories.
For more details on the auto rule order, see the user manual.

Rule Numbering Step with IPv4 ACLs
The rule numbering step defines the increment by which the system numbers rules automatically. By default, the rule numbering step is 5, and if you do not specify ID numbers for the rules when creating them, rules are automatically numbered 0, 5,
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step
Likewise, when the default step is restored, ACL rules are renumbered in the default step. For example, there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the rules are renumbered 0, 5, 10, and 15.

The concept of ACL rule numbering step is introduced to facilitate insertion of new rules in an ACL that already contains ACL rules, and a bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, in which case ACL rules are sorted in ascending order of rule ID. For example, for an ACL with four rules: rule 0, rule 5, rule 10, and rule 15, you can insert a rule numbered
28, the newly defined rule will be numbered 30. If the ACL does not contain any rule, the first defined rule will be numbered 0.
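An added example, not from this guide or from Comware: this Python model reproduces the rule-numbering behaviour just described (automatic IDs are multiples of the step, the next automatic ID is the first multiple of the step above the highest existing ID, and a step change renumbers every rule from 0). The class and method names are assumptions, and the five-rule case continues the text's truncated example by assuming the step is changed to 2.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the Comware IPv4 ACL numbering behaviour described above;
# the class and method names are assumptions, not Comware CLI syntax.

@dataclass
class Ipv4Acl:
    number: int                                          # e.g. 3000 to 3999 for advanced ACLs
    step: int = 5                                        # default rule numbering step
    rules: dict[int, str] = field(default_factory=dict)  # rule ID -> rule text

    def next_auto_id(self) -> int:
        """First multiple of the step above the highest existing ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Create a rule with an explicit ID (insertion under config order) or automatically."""
        if rule_id is None:
            rule_id = self.next_auto_id()
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists in ACL {self.number}")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> list[int]:
        """Changing the step renumbers every rule from 0, keeping their relative order."""
        if step < 1:
            raise ValueError("step must be a positive integer")
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.step = step
        self.rules = {k * step: text for k, text in enumerate(ordered)}
        return sorted(self.rules)

    def restore_default_step(self) -> list[int]:
        return self.set_step(5)

    def config_order(self) -> list[str]:
        """config rule order: ascending rule ID, so the smallest ID is checked first."""
        return [self.rules[i] for i in sorted(self.rules)]

def guide_examples() -> dict:
    """Walks the numbering cases from the text and returns the resulting ID lists."""
    out = {}
    acl = Ipv4Acl(3000)
    for text in ("permit tcp", "permit udp", "permit icmp", "deny ip"):
        acl.add_rule(text)
    out["auto"] = sorted(acl.rules)                  # rules numbered 0, 5, 10, 15
    acl.add_rule("permit igmp", rule_id=28)          # explicit ID: highest is now 28
    out["after_28"] = acl.add_rule("deny udp")       # next automatic ID is 30
    out["order"] = acl.config_order()[:2]            # rule 0 is checked before rule 5
    two = Ipv4Acl(3001, step=2)
    for text in ("a", "b", "c", "d"):
        two.add_rule(text)
    out["step2"] = sorted(two.rules)                 # 0, 2, 4, 6
    out["default_restored"] = two.restore_default_step()   # 0, 5, 10, 15
    five = Ipv4Acl(3002)
    for rid, text in ((5, "a"), (10, "b"), (13, "c"), (15, "d"), (20, "e")):
        five.add_rule(text, rule_id=rid)
    out["five_to_step2"] = five.set_step(2)          # assumed new step 2: 0, 2, 4, 6, 8
    return out
```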
Effective Time Period of an IPv4 ACL
You can control when a rule can take effect by referencing one or more time ranges in the rule.

You may reference a time range before or after creating it. However, a rule referencing a time range can take effect only after the time range is defined and becomes active.

IP Fragments Filtering with IPv4 ACLs
Traditional packet filtering matches only first fragments of IP packets. All subsequent non-first fragments are allowed to pass through. As attackers may fabricate non-first fragments to attack your network, this results in security risks.

As for the configuration of a rule for an IPv4 ACL, the fragment keyword specifies that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or the first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.

Note
For information on IPv6 ACLs, see the Master ASE Network Infrastructure course
Summary: ACLs
This module provided an overview of the key ACL concepts you need to understand for implementing them. These concepts include understanding how ACLs are comprised of one or more entries called ACEs and that the ACEs share a common ACL identifier. The ACEs specify the filtering criteria that will be applied to packets to determine whether or not the configured action (permit or deny) will be applied.

Once created, an ACL can be assigned to a switch interface. Until an ACL is assigned to an interface, it has no effect on traffic processed by the switch. Depending on the switch model, you may be able to assign an ACL to a VLAN, port, port list or trunk interface.

A given ACL may be used for various traffic filtering purposes. These include:
Inbound on a VLAN: switched traffic only
Inbound or outbound on a VLAN: routed traffic only
Inbound on a static port
Inbound on a dynamic port

Note
The traffic filtering purposes for which you can implement an ACL depend on the HP switch model.

There are two major types of ACLs that you can configure. A standard ACL is used when the source address is sufficient to filter the traffic of interest. An extended ACL is useful for more complex filtering requirements where you may need to identify traffic
In this module, the MAC Lockdown and MAC Lockout features are described. These two features provide a type of port-based security. Both involve the specification of MAC addresses as part of their configuration. Whereas MAC Lockdown is used to ensure a particular device can only access the network through designated ports, MAC Lockout is used to ensure a particular device does not access the network through one or more switches.

Scenario: MAC Lockdown and MAC Lockout

Figure 1

The IT staff frequently needs to support visiting faculty from other colleges as part of joint seminar programs and research projects. Typically, the visiting faculty work out of several visitor offices with telephone and computer hookup services and bring in
It is the security policy to not allow the visiting faculty to connect in the full-time faculty lounge, which they are allowed to use for its other intended purposes. One consideration for enforcing any access controls is that the IT staff does not have
So the essential challenge for the IT staff is to allow the visiting faculty access to only the resources they require while keeping them from any unauthorized locations.
Figure 2

MAC Lockdown is a type of port security based on Layer 2 static addressing. To use this feature you must manually define the MAC addresses of devices for which you want to enforce the restriction of using designated ports within particular VLANs. Therefore, when configured, a device with a specified MAC address can only connect to the designated port and will only be assigned to the associated VLAN of that port.

If the device is moved to a different port on the switch, the switch will detect that the MAC address is not connecting to the appropriate port and will quietly drop all
The MAC address cannot be used on any other port on a given switch unless it is configured in another MAC Lockdown entry that involves a different VLAN. That is, you cannot lock down a given MAC address to multiple ports in the same VLAN, but you can lock down multiple MAC addresses to the same port of a given VLAN.
MAC Lockdown and Lockout
Figure 3

Implementing MAC Lockdown is a fairly simple task. You will first need to obtain the MAC addresses of the devices that you want to lock down on a particular switch.

You use the static-mac command to specify three required parameters:
VLAN identifier
Port identifier

The MAC address can be specified in one of several different formats as indicated in the graphic above. You can use a dash or semicolon to delimit each hexadecimal octet, each pair of three hexadecimal octets, or choose not to use either delimiter.

You can use the show static-mac command to display the locked down MAC

Figure 4
This graphic shows an example of Event Log messages that will be generated if a locked down device is inadvertently or otherwise plugged into a port on the switch that is not on the MAC Lockdown list for the device.

In this example, a device is initially connected to port A9 successfully. This port is a member of VLAN 8 and has a static MAC address configured for this particular device. Note that the "virtual LAN enabled" and "virtual LAN disabled" messages occur because this device is the one and only device in the referenced VLAN at this time on the switch.

At a later time, the Ethernet cable connecting to the locked down device is moved to another port on the switch, port A11. This port does not have this device's MAC address configured as a MAC Lockdown entry. In fact, since port A11 is apparently part of the same VLAN, it cannot be configured with a MAC Lockdown entry for the same MAC address/VLAN pair. If port A11 was a member of a different VLAN, then it could be a candidate for configuring the same MAC address, since the VLAN ID would be different from the entry configured on port A9.

Although the Event Log indicates the port is enabled (on-line), the device is actually prevented from transmitting any packets into the network, as implied by the "move <mac-address> to port A11 denied" messages.

Message throttling is imposed on the logging of these MAC Lockdown messages on a per-module basis. What this means is that the logging system checks again after the first 5 minutes to see if another attempt has been made to move to the wrong port. If this is the case, the log file registers the most recent attempt and then checks again after one hour. If there are no further attempts in that period then it will continue to check every 5 minutes. If another attempt was made during the one hour period then the log resets itself to check once a day. Using this message throttling measure prevents the log file from becoming too full with multiple occurrences of these messages.

Note
You can also configure the switch to send the same messages to a Syslog server.

MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and to which ports they are allowed to connect. Whereas port security can learn a MAC address, and optionally have the port disabled if the
Configuration of the MAC Lockdown and Port-Security features is mutually exclusive.
If you deploy multiple path technologies, such as MSTP, RSTP, or meshing, in your network and you also implement the MAC Lockdown feature, a situation could arise where MAC Lockdown is not enforced. This could occur if an alternate path becomes active and the locked down device is not directly connected to the switch on which MAC Lockdown is configured.

Depending on the topology design, the alternate path may potentially:
Bypass the switch with MAC Lockdown configured altogether, or
Enter the switch with MAC Lockdown configured over a different port.

It is recommended that no more than 500 MAC Lockdown entries be configured per switch.
One important point to note is that, similar to MAC Lockdown, the device with the locked out MAC address does not have to be connected directly to the switch where
The only requirements are that packets from a locked out device:

Implementing MAC Lockout is also a fairly simple task. You will first need to obtain the MAC addresses of the devices that you want to lock out from a particular switch.

You use the lockout-mac command to specify a single MAC address of the device you want to lock out.

Just like when you configure MAC Lockdown, you can specify the MAC address for the lockout-mac command in one of several different formats as indicated in the graphic above. You can use a dash or semicolon to delimit each hexadecimal octet, each pair of three hexadecimal octets, or choose not to use either delimiter.
You can use the show lockout-mac command to display the locked out MAC addresses configured on the switch.

Figure 5

This graphic shows an example of Event Log messages that will be generated if a locked down device is plugged into a port on the switch where the MAC address is configured as a locked out entry.

In this example, a device with a prohibited MAC address is connected to port A2, which happens to be a member of VLAN 10. Note that the "virtual LAN enabled" message occurs because this device is the one and only device in the referenced VLAN at this time on the switch.

Although the Event Log indicates the port is enabled (on-line), the device is actually prevented from transmitting any packets into the network, as implied by the maclock:
Similar to how MAC Lockdown event messages are handled, message throttling is
Using this message throttling measure prevents the log file from becoming too full

Note
You can also configure the switch to send the same messages to a Syslog server.

MAC Lockout is a powerful feature to stop a known device from accessing a switch. Keeping in mind that you must know the MAC address in advance, MAC Lockout is preferable to relying upon port-security to stop access from known devices because it can be blocked for all ports on the switch with one command.
learning MAC addresses and allowing access, while at the same time denying access to a specific device. When using the two together, take note that if a MAC address is locked out, it will be denied access even if it appears in a static learn table as an acceptable address.

It is recommended that no more than 16 MAC Lockouts be coded per switch, if less than or equal to 1024 VLANs are configured, or no more than 8 per switch, if more than 1024 VLANs are configured. If too many students were to attempt to access the network from inappropriate locations, some other way of preventing such access would need to be considered.
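An added example, not from this guide or from the switch software: this Python model applies the MAC Lockdown and MAC Lockout rules from this module to frames arriving on a switch (a locked-out address is dropped on every port, even when it has a static entry; a locked-down address is forwarded only on its designated port in that VLAN; a given address cannot be locked down to two ports in one VLAN; and the recommended limits of 500 lockdown entries and 16 or 8 lockouts are enforced). The class names, the canonical address form and the sample addresses are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the ProVision MAC Lockdown / MAC Lockout rules from this
# module; class and method names are assumptions, not switch CLI syntax.

MAX_LOCKDOWN_ENTRIES = 500          # recommended per-switch limit from the text
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text: str) -> str:
    """Accept the forms the text lists (octets or three-octet halves delimited by a
    dash or semicolon, or no delimiter at all) and return a canonical xxxxxx-xxxxxx."""
    raw = re.sub(r"[-;]", "", text.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {text!r}")
    return f"{raw[:6]}-{raw[6:]}"

def max_lockouts(vlan_count: int) -> int:
    """Recommended lockout limit: 16 with up to 1024 VLANs configured, 8 above that."""
    return 16 if vlan_count <= 1024 else 8

@dataclass
class Switch:
    vlan_count: int = 1
    lockdown: dict[tuple[str, int], str] = field(default_factory=dict)  # (mac, vid) -> port
    lockout: set[str] = field(default_factory=set)

    def static_mac(self, mac: str, vid: int, port: str) -> None:
        """MAC Lockdown entry: one designated port per (address, VLAN) pair; several
        addresses may share a port, and the same address may be locked down again
        only in a different VLAN."""
        mac = normalize_mac(mac)
        if self.lockdown.get((mac, vid), port) != port:
            raise ValueError(f"{mac} is already locked down to port "
                             f"{self.lockdown[(mac, vid)]} in VLAN {vid}")
        if (mac, vid) not in self.lockdown and len(self.lockdown) >= MAX_LOCKDOWN_ENTRIES:
            raise ValueError(f"more than {MAX_LOCKDOWN_ENTRIES} lockdown entries not recommended")
        self.lockdown[(mac, vid)] = port

    def lockout_mac(self, mac: str) -> None:
        """MAC Lockout entry: the address is blocked on every port with one command."""
        mac = normalize_mac(mac)
        limit = max_lockouts(self.vlan_count)
        if mac not in self.lockout and len(self.lockout) >= limit:
            raise ValueError(f"more than {limit} lockouts not recommended for this switch")
        self.lockout.add(mac)

    def admit(self, src_mac: str, vid: int, port: str) -> tuple[bool, str]:
        """Decide whether a frame from src_mac arriving on port in VLAN vid is forwarded."""
        mac = normalize_mac(src_mac)
        if mac in self.lockout:                # lockout wins even over a static entry
            return False, "locked out"
        designated = self.lockdown.get((mac, vid))
        if designated is not None and designated != port:
            return False, f"locked down to port {designated} in VLAN {vid}"
        return True, "forwarded"

def guide_scenario() -> list[tuple[bool, str]]:
    """Replays the module's cases with constructed addresses: a device locked down to
    A9 in VLAN 8 is moved to A11, and a locked-out device is plugged into A2."""
    sw = Switch(vlan_count=12)
    sw.static_mac("001122-334455", vid=8, port="A9")       # three-octet halves, dash
    sw.static_mac("66;77;88;99;aa;bb", vid=10, port="A2")   # octets, semicolon
    sw.lockout_mac("667788-99aabb")                          # lockout overrides that entry
    return [
        sw.admit("00-11-22-33-44-55", vid=8, port="A9"),    # on its designated port
        sw.admit("001122334455", vid=8, port="A11"),        # moved within VLAN 8: dropped
        sw.admit("001122334455", vid=9, port="A11"),        # no entry for VLAN 9
        sw.admit("66-77-88-99-aa-bb", vid=10, port="A2"),   # locked out despite static entry
    ]
```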
d.
te
i bi
oh
pr
si
rt
pa
in
or
le
ho
w
in
P
H
of
ide
ts
ou
r
fe
ns
tra
or
n
tio
uc
rod
ep
.R
ly
on
e
us
y
d
tu
f-s
l
se
ee
oy
pl
Em
P
H
4 8 Rev 10.41
Technet24.ir
MAC Lockdown and Lockout
Figure 6
When using MAC Lockdown to bind a device to a particular port on a switch, you must consider the entire layer of network access for that device. For example, considering the above diagram, if a device had its MAC address locked down to a port on the Layer 2 switch on the far left, that device could not be used on any other port on that particular switch. But the device could be connected to another switch at a different location and gain access there.

This may or may not be the desired result, but if the goal is to actually lock down a device to a specific location on the network, then the device needs to be locked down to a specific port on one switch and locked out of all other switches it could otherwise be connected to.
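The lockdown-plus-lockout design described above, as an added example (this is not code from the HP course): a small Python model of two switches that applies the rules given in this module, namely that a lockdown binds a MAC/VLAN pair to one port, that a lockout blocks a MAC on every port, and that a lockout overrides a static entry. The switch names (sw1, sw2), port names and the laptop's MAC address are made up.

```python
"""Forwarding decisions under MAC Lockdown and MAC Lockout.

Added example, not from the HP course: it encodes the rules stated in the
text (lockdown binds a MAC/VLAN pair to one port; lockout blocks a MAC on
every port and overrides static entries).  Switch names, port names and
MAC addresses are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    lockdown: dict = field(default_factory=dict)  # (mac, vlan) -> port
    lockout: set = field(default_factory=set)     # MACs blackholed on all ports
    learned: dict = field(default_factory=dict)   # (mac, vlan) -> port, normal learning

    def lock_down(self, mac, vlan, port):
        # One lockdown instance per MAC/VLAN pair; the same MAC in another
        # VLAN may be bound to a different port.
        self.lockdown[(mac.lower(), vlan)] = port

    def lock_out(self, mac):
        self.lockout.add(mac.lower())

    def ingress(self, mac, vlan, port):
        """Return (accepted, reason) for a frame sourced from `mac` on `port`."""
        mac = mac.lower()
        if mac in self.lockout:
            # Lockout wins over everything, including a static/lockdown entry.
            return False, "maclock: %s locked out on all ports" % mac
        bound = self.lockdown.get((mac, vlan))
        if bound is not None and bound != port:
            return False, "%s locked down to %s, dropped on %s" % (mac, bound, port)
        if bound is None:
            self.learned[(mac, vlan)] = port
        return True, "forwarded"


def build_campus():
    """Two Layer 2 switches; the laptop is locked down on sw1 and locked out of sw2."""
    sw1, sw2 = Switch("sw1"), Switch("sw2")
    laptop = "00:11:22:33:44:55"           # made-up address
    sw1.lock_down(laptop, vlan=10, port="A1")
    sw2.lock_out(laptop)                   # keeps the laptop from moving to sw2
    return {"sw1": sw1, "sw2": sw2}, laptop


def scenario():
    switches, laptop = build_campus()
    sw1, sw2 = switches["sw1"], switches["sw2"]
    results = {
        "sw1 A1": sw1.ingress(laptop, 10, "A1")[0],          # bound port: accepted
        "sw1 A2": sw1.ingress(laptop, 10, "A2")[0],          # other port, same switch: dropped
        "sw2 B3": sw2.ingress(laptop, 10, "B3")[0],          # locked out on sw2: dropped
        "sw1 A7 vlan 20": sw1.ingress(laptop, 20, "A7")[0],  # other VLAN: ordinary learning
    }
    # Lockout takes precedence even where a lockdown (static entry) exists.
    sw1.lock_out(laptop)
    results["sw1 A1 after lockout"] = sw1.ingress(laptop, 10, "A1")[0]
    return results


if __name__ == "__main__":
    for key, accepted in scenario().items():
        print("%-24s %s" % (key, "accepted" if accepted else "dropped"))
```

Running the script prints one line per case; the last case shows that a lockout on the same switch silences a device even on the port it was locked down to, which is the precedence rule the text warns about.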
Comware

Usually, a device can populate its MAC address table automatically by learning the source MAC addresses of incoming frames. To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks.

Note
When using the mac-address command to add a MAC address entry, ensure that the interface specified by the interface keyword is already assigned to the VLAN specified by the vlan keyword, and that the VLAN already exists. Otherwise the command fails.

The command used to configure a MAC Lockdown is the mac-address command:

<A5800> system-view
[A5800] mac-address static <mac-addr> interface <port-id> vlan <vid>

MAC Lockout

You can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses:

<A5800> system-view
[A5800] mac-address blackhole <mac-addr> vlan <vid>

Use one command to lock a device down on one device, and use the blackhole command on the other devices in the network to keep the device from moving to another switch.
MAC Lockdown

- Useful for preventing station movement and MAC address hijacking
- Involves permanent assignment of a MAC address to a particular port and VLAN; one instance is allowed per MAC address/VLAN pair
- Multiple different MAC addresses can be locked down to a single port
- The same MAC address within a different VLAN can be assigned to some other port
- ProVision: configured using the static-mac <mac-address> vlan <vid> interface <portid> command
- Comware: configured using the mac-address static <mac-address> interface <portid> vlan <vlan-id> command

MAC Lockout

- Useful for keeping a known device off the switch
- MAC addresses are locked out from all ports; packets sent to or from a given locked-out MAC address are dropped
- Comware: configured using the mac-address blackhole <mac-address> vlan <vlan-id> command
Module 5: Port Security

In this module, the port security feature is described. This feature enables you to configure each switch port with a unique list of device MAC addresses that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

The closest feature to ProVision Port Security on a Comware device is the max MAC address feature described in the previous module.
Scenario: Port security

The HP Port Security feature provides the type of flexibility that allows the switch to learn one MAC address at a time.

- In a campus environment there is much concern regarding advanced piggybacking techniques
- Server MAC address is hijacked and traffic stolen
- Staff can plug into a switch as needed for maintenance and troubleshooting
- Ideally, you want the switch to learn or unlearn one MAC address at a time
Figure 1
Using port security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through a given port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

On a per-port basis, you can configure security measures to block unauthorized devices and to send a notice (alarm) of a security violation. Once you have configured port security, you can then monitor the network for security violations through one or more of the following:

- SNMP traps sent to network management tools such as PCM or PCM+
- Event Log entries on the switch

Each port can have one or more MAC addresses specified as the only allowable devices to pass network traffic through the port. These addresses can be learned dynamically, configured manually, or a combination of both.

The factory default setting for port security is off for each port. This mode of operation is referred to as continuous mode, in which any device can access a port without causing a security response. The various modes of port security operation will be described in several pages.

Eavesdrop protection

Configuring port security on a port automatically enables eavesdrop protection for that port. This prevents use of the port to flood unicast packets addressed to MAC addresses unknown to the switch, and so blocks unauthorized users from eavesdropping on traffic intended for addresses that have aged out of the switch's address table.

The attack works as follows. A hacker connected to the switch sends a stream of unicast packets, all with different source and destination addresses. The intent of this attack, similar in spirit to a SYN flood, is to fill up the switch's address table. When the address table becomes full and a valid client sends a unicast packet to an address that has since aged out due to this attack, the switch floods the unicast packet to all ports, because the destination is unknown and the full table cannot relearn it. Eavesdrop protection will prevent this valid packet from being flooded to the hacker's port, where the hacker was hoping to eavesdrop on traffic.
Note
Eavesdrop prevention does not affect multicast and broadcast traffic, meaning that the switch floods these two traffic types out a given port regardless of whether port security is enabled on that port.
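The table-flooding attack and the effect of eavesdrop protection, as an added example that is not part of the HP course material: a Python model of a three-port switch with a small address table. An attacker on port A3 sprays frames with made-up source addresses, the server's entry ages out, and the client's next frame to the server is flooded. Enabling port security on A3 (which, per the text, turns on eavesdrop protection for that port) keeps the flood off the attacker's port and also rejects the spoofed source addresses. The table size, port names and MAC addresses are assumptions, and aging is reduced to an explicit age_out() call.

```python
"""CAM-table flooding versus eavesdrop protection.

Added example, not from the HP course.  It models the attack in the text: an
attacker fills the address table, the server's entry ages out, and the
switch floods the client's unicast frame to every port.  With port security
(and therefore eavesdrop protection) on the attacker's port, the flood is not
sent there.  Table size, port names and MACs are made up; aging is an
explicit age_out() call instead of a timer.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()          # mac -> port
        self.authorized = {}                # port -> set of allowed source MACs
        self.dropped = []                   # (port, src) pairs rejected as intruders

    def port_security(self, port, macs):
        # Port security restricts sources on the port and, as a side effect,
        # enables eavesdrop protection on it.
        self.authorized[port] = {m.lower() for m in macs}

    def age_out(self, mac):
        self.table.pop(mac.lower(), None)

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port
            return
        if len(self.table) >= self.table_size:
            return                          # full: nothing new can be learned
        self.table[mac] = port

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for a unicast frame, after learning."""
        src, dst = src.lower(), dst.lower()
        allowed = self.authorized.get(in_port)
        if allowed is not None and src not in allowed:
            self.dropped.append((in_port, src))
            return set()                    # intruder: blocked, not learned
        self._learn(src, in_port)
        if dst in self.table:
            out = self.table[dst]
            return set() if out == in_port else {out}
        # Unknown unicast: flood, except to eavesdrop-protected ports.
        return {p for p in self.ports if p != in_port and p not in self.authorized}


# Made-up addresses from the documentation range.
SERVER, CLIENT, ATTACKER = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"


def run_attack(protect_attacker_port):
    """Return the ports the client's post-attack frame to the server reaches."""
    sw = Switch(["A1", "A2", "A3"], table_size=16)
    if protect_attacker_port:
        sw.port_security("A3", [ATTACKER])
    sw.forward(SERVER, CLIENT, "A1")        # server and client populate the table
    sw.forward(CLIENT, SERVER, "A2")
    for i in range(40):                     # attacker sprays bogus sources/destinations
        sw.forward("02:00:00:00:00:%02x" % i, "02:00:00:00:ff:%02x" % i, "A3")
    sw.age_out(SERVER)                      # server's entry ages out during the attack
    # The server has not sent since, so the destination is unknown: the
    # switch floods, and only eavesdrop protection keeps A3 out of the flood.
    return sw.forward(CLIENT, SERVER, "A2")


if __name__ == "__main__":
    print("without eavesdrop protection:", sorted(run_attack(False)))
    print("with port security on A3:   ", sorted(run_attack(True)))
```

The unprotected run floods the client's frame to both A1 and the attacker's A3; the protected run delivers it to A1 only. The broadcast and multicast caveat from the note above is not modelled: those frames would still reach A3.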
Blocking unauthorized traffic

This inherent capability of port security prevents an intruder from transmitting traffic into the network without necessarily disabling the port. If the port is not automatically disabled by port security, the switch security measures still block unauthorized traffic.

The benefit of this flexibility is that you can implement port security on a port connecting to a shared device such as a hub or switch. For a scenario like that, traffic from a detected intruder on one MAC address can be blocked while still allowing network access to other authorized users.

Note
Broadcast and multicast traffic is always allowed, and can be read by intruders.
Disabling a port

For selected modes of operation, you can optionally have a port disabled when an intrusion is detected. The port then stays disabled until you re-enable it at a later time.

Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration.

Note
Ports configured for either Active or Passive LACP, and which are not members of a trunk, can still be configured for port security.

NTK

The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices that have passed authentication, thus preventing illegal devices from intercepting network traffic.
Intrusion protection

The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the offending MAC address for three minutes (not modifiable).

Trapping

The trapping feature enables the device to send traps upon detecting specified frames that result from, for example, intrusion or user login/logout operations, helping you monitor user behavior.
Figure 2
Because port security relies upon MAC addresses, it is often confused with the MAC Lockdown feature. With port security, however, the same MAC address can exist on multiple ports of a switch. The list of allowed MAC addresses for a port can be learned dynamically, configured manually, or a combination of both. Port security also deals with MAC addresses only, whereas MAC Lockdown binds a MAC address and VLAN to a port. MAC Lockdown is not a list; it is a global parameter on the switch for a given MAC address/VLAN pair that takes precedence over any other security mechanism. The MAC address will be allowed to communicate only with a specific port on the switch.

One other important distinction is that MAC Lockdown is not a type of port lockdown. That is, when a MAC Lockdown entry is configured, the MAC address is locked to the designated port, not the other way around. The designated port can receive traffic from another device with a different MAC address, which may be subjected to other security settings such as port security.
ProVision mode       Comware mode                        Description
continuous           Default                             Any MAC address is learned as devices connect (default)
static               autoLearn                           MAC addresses can be predefined; other addresses can be learned
configured           secure                              MAC addresses can be predefined; no addresses can be learned
limited-continuous   N/A                                 MAC addresses can be learned, up to a limit
port-access          userLogin, userLoginSecure,         ProVision: used in conjunction with 802.1X to temporarily learn
                     userLoginSecureExt,                 the MAC address of an 802.1X authenticated session
                     userLoginWithOUI,                   Comware: used for 802.1X / MAC authentication
                     macAddressWithRadius,
                     macAddressOrUserLoginSecure,
                     macAddressElseUserLoginSecure,
                     macAddressElseUserLoginSecureExt

Figure 3
ProVision

For each port or port list of a switch supporting the Port Security feature, you can configure one of five MAC address learning modes: continuous, static, configured, limited-continuous, and port-access. The default port security setting for each port is continuous learn mode. That is, any device can access a port without causing a security response. The learn modes specify how each port acquires authorized addresses.

Static mode enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. If you specify only some of the authorized addresses, the port learns the remaining addresses dynamically until the limit is reached.
Comparison of static and configured modes

Configured learn mode aspects

Configured mode requires you to specify the MAC addresses of the devices authorized for a port (or port list). For the address-limit parameter, which defines the maximum number of MAC addresses that will comprise the list, you can specify a value from 1 (default) to 8. No MAC addresses will be learned dynamically. So, for example, if you specify 8 for the address-limit parameter but only define 7 MAC addresses, the remaining entry will remain empty.

The MAC addresses that are defined for each configured port are not aged out. That is, they are saved in the switch configuration file and are therefore maintained across reboots. You must manually delete them, if necessary. This step will be described later.

Any other detected MAC address will not be allowed and will be handled as an intruder.

Static learn mode aspects

Static mode allows you to specify the MAC addresses of the devices authorized for a port (or port list) along with the address-limit parameter. You can specify a value from 1 (default) to 8.

In contrast to the configured mode, for the static mode you can authorize specific devices for the port while still allowing the port to accept other, non-specified devices. That is, if you define fewer MAC addresses than the address-limit parameter allows, then the port authorizes the remaining MAC addresses in the order in which it detects them.

For example, if you use address-limit to specify two authorized devices but define only one MAC address, the port adds the one specifically authorized MAC address to its authorized devices list and then the first additional MAC address it detects. Any subsequently detected MAC address will not be allowed and will be handled as an intruder.

Keep in mind, for the static learn mode, regardless of the address-limit value you specify, it is possible to define no actual MAC addresses and allow the list to be filled entirely with learned addresses.

Note
Both statically defined MAC addresses and those learned addresses that become part of a static port's authorized list do not age out and are retained across reboots.
Comware

Control MAC address learning

autoLearn: A port in this mode can learn MAC addresses. These automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. When the number of secure MAC addresses reaches the upper limit, the port turns to secure mode.

In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode.

A port in autoLearn mode allows only frames sourced from the MAC addresses that are in the MAC address table to pass.

On a port operating in autoLearn mode, the dynamic MAC address learning function in MAC address management is disabled.

secure: MAC address learning is disabled on a port in secure mode, but you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. A port in secure mode allows only frames sourced from the secure MAC addresses and the manually configured MAC addresses to pass.

Perform 802.1X authentication

userLogin: A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userLoginSecure: A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
userLoginWithOUI: For wireless users, the port performs an OUI check first. If the OUI check fails, the port performs 802.1X authentication.

Perform MAC authentication

macAddressWithRadius: A port in this mode performs MAC authentication for users and services multiple users.

Perform a combination of MAC authentication and 802.1X authentication

macAddressOrUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes.

For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.

For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

macAddressOrUserLoginSecureExt: This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having the higher priority. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, the port performs MAC authentication first and falls back to 802.1X authentication only if MAC authentication fails.

macAddressElseUserLoginSecureExt: This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.

ProVision

The flexibility of static mode suits environments where port security is important but administration costs must also be kept to an acceptable level. It is recommended to keep the address limit at 1 and allow for several devices to connect dynamically only where appropriate. The more flexibility you try to implement with port security, the less security you actually achieve.

The limited-continuous learn mode sets a finite limit on the number of dynamically learned MAC addresses allowed per port. Although you can set the range from 1 (default) to 64, MAC addresses learned through the limited-continuous mode are not manageable. That is, you cannot manually enter or remove these addresses from a port's authorized list.
All MAC addresses learned through the limited-continuous mode appear in the switch and port address tables and age out based on the global mac-age-time parameter. You can view the setting for this parameter using the show system-information command. The default value is 300 seconds.

Since any of the learned MAC addresses are temporary, they are lost during a reboot of the switch. This differs from how MAC addresses associated with ports configured to use the static or configured learn modes are handled. For those modes, the MAC addresses are retained over reboots and do not age out.

The actions that can be taken for a detected intruder with limited-continuous learn mode are the same as those allowed for the static and configured modes. When a port is re-enabled and operating in limited-continuous mode, it is possible for the port to relearn, and therefore allow, a MAC address that caused the address-limit to be exceeded.
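The differences between the static, configured and limited-continuous learn modes, as an added example (not HP code): a Python decision model of one port's authorized list that follows the rules above, including the address-limit ranges (1 to 8 for static and configured, 1 to 64 for limited-continuous), the loss of limited-continuous addresses on reboot, and the two list-management problems that come up later in this module (the "inconsistent value" error when the limit is full, and a removed address being relearned unless the limit is lowered first). The port-access mode is left out because it depends on 802.1X. MAC addresses are made up.

```python
"""ProVision port-security learn modes as a decision model.

Added example, not HP code.  It implements the rules in the text for the
continuous, static, configured and limited-continuous learn modes (the
port-access mode, which depends on 802.1X, is left out).  The address-limit
ranges and the 'inconsistent value' wording follow the text; the MAC
addresses are made up.
"""


class PortSecurity:
    MAX_LIMIT = {"static": 8, "configured": 8, "limited-continuous": 64}

    def __init__(self, learn_mode="continuous", address_limit=1, mac_addresses=()):
        if learn_mode != "continuous" and learn_mode not in self.MAX_LIMIT:
            raise ValueError("unknown learn mode %r" % learn_mode)
        if learn_mode != "continuous" and not 1 <= address_limit <= self.MAX_LIMIT[learn_mode]:
            raise ValueError("address-limit out of range for %s" % learn_mode)
        if learn_mode == "limited-continuous" and mac_addresses:
            raise ValueError("limited-continuous addresses are not manageable")
        self.mode, self.limit = learn_mode, address_limit
        self.configured = []     # predefined: saved in the config, never age out
        self.learned = []        # dynamically authorized addresses
        for mac in mac_addresses:
            self.add_mac(mac)

    def authorized(self):
        return self.configured + self.learned

    def add_mac(self, mac):
        """Predefine an address (static/configured modes only)."""
        if self.mode not in ("static", "configured"):
            raise ValueError("addresses cannot be entered in %s mode" % self.mode)
        if len(self.authorized()) >= self.limit:
            raise ValueError("inconsistent value")   # the CLI's complaint
        self.configured.append(mac.lower())

    def remove_mac(self, mac):
        mac = mac.lower()
        for entries in (self.configured, self.learned):
            if mac in entries:
                entries.remove(mac)
                return
        raise ValueError("%s is not in the authorized list" % mac)

    def set_limit(self, address_limit):
        self.limit = address_limit

    def ingress(self, mac):
        """True if a frame from `mac` is accepted; False if it is an intruder."""
        mac = mac.lower()
        if self.mode == "continuous" or mac in self.authorized():
            return True
        if self.mode == "configured":
            return False                     # nothing is learned dynamically
        if len(self.authorized()) < self.limit:
            self.learned.append(mac)         # static / limited-continuous learn
            return True
        return False

    def reboot(self):
        # limited-continuous addresses are temporary; static ones are retained.
        if self.mode == "limited-continuous":
            self.learned.clear()


def demo():
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    out = {}
    cfg = PortSecurity("configured", 1, [a])
    out["configured"] = [cfg.ingress(a), cfg.ingress(b)]           # [True, False]
    st = PortSecurity("static", 2, [a])
    out["static"] = [st.ingress(a), st.ingress(b), st.ingress(c)]  # [True, True, False]
    lc = PortSecurity("limited-continuous", 2)
    out["limited"] = [lc.ingress(a), lc.ingress(b), lc.ingress(c)] # [True, True, False]
    lc.reboot()
    out["limited_after_reboot"] = lc.ingress(c)                    # True: list was emptied
    # Removing an address from a static port that still has room just lets
    # the port relearn it on the next frame; lower the limit first.
    st.remove_mac(a)
    out["relearned"] = st.ingress(a)                               # True
    st.set_limit(1)
    st.remove_mac(a)
    out["after_lowering_limit"] = st.ingress(a)                    # False
    try:
        cfg.add_mac(b)                                             # limit already full
        out["inconsistent"] = None
    except ValueError as err:
        out["inconsistent"] = str(err)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```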
Implementing port security
Figure 4
Port security is configured using the port-security command. The graphic above shows the command syntax and a configuration example specifying the limited-continuous learn mode.

When you configure port security for a port or list of ports, you specify the following:

- Learn mode: the factory default setting is continuous mode for all ports.
- Action: the response to a detected intrusion. You can specify one of three options: send an alarm only, send an alarm and disable the port, or take no action. The default action is none for all learn modes.
- Address limit: the maximum number of MAC addresses that will be allowed in the port's authorized list. This parameter applies only to the static, configured, and limited-continuous modes. For the static and configured modes, you can specify a value from 1 to 8. For the limited-continuous mode you can specify a value from 1 to 64. The default is 1 for all three modes.
- MAC addresses: for the configured and static modes, you can define from 1 to 8 MAC addresses, subject to the address-limit parameter setting.
- Clear intrusion flag: you specify this option to clear the intrusion flag for one or more specified ports. Resetting the intrusion flag is necessary for subsequent events to be listed in the intrusion log.
Consider the following points when planning your port security configuration and monitoring needs:

- On which ports do you want port security implemented?
- Which devices (MAC addresses) are authorized on each port? Up to 8 MAC addresses can be authorized for ports using the static and configured modes, and up to 64 MAC addresses can be authorized for ports using the limited-continuous mode.
- For each port, what security actions do you want? You can configure the switch to:
  -- Send intrusion alarms to an SNMP management station.
  -- Disable the port when an intrusion is detected.
- How do you want to learn of the security violation attempts the switch detects?
  -- Through the switch's Intrusion Log, which can be examined from the switch console.
  -- Through the switch's Event Log, which can also be examined from the switch console.
Figure 5
To view the port security configuration of all ports, you use the show port-security command. You can also specify a port list to view the settings for those particular ports.

The MAC addresses that are currently active, learned and predefined, can be viewed using the show mac-address command. This command also allows you to look up a single MAC address or list the addresses seen on a given port or VLAN.

Figure 6
The graphic above shows examples of the types of messages you may typically find in the Intrusion and Event logs. In this particular example, a port has been configured for static learn mode with one predefined MAC address.

When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the log until you acknowledge the earlier intrusion event by resetting the alert flag.

At some later point in time, if a device with the incorrect MAC address connects to the port in the example above, an intrusion will be detected. This results in messages being generated in the Intrusion and Event logs. Because the action configured is send-disable, the port is also automatically disabled.

Figure 7

Once the problem has been detected and subsequently diagnosed, the administrator can choose to clear the intrusion flag and then re-enable the port.

The Intrusion Log holds up to 20 entries. When the log is full, each new alarm replaces the oldest entry (first in, first out). The Intrusion Log entries cannot be manually deleted.

Troubleshooting port security

- When trying to add a static MAC address, you keep receiving the message "inconsistent value": the address limit set for that port is not large enough to allow one more MAC address.
- Each time you try to remove a MAC address from the authorized list, it reappears almost instantly: lower the address-limit by one first, then remove the specific MAC address.
- A port was disabled by an intrusion; after the port is re-enabled, it does not disable itself after another intrusion: be sure to reset the intrusion flag.
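The intrusion-handling rules above (configured action, the per-port intrusion flag that gates further log entries and actions, and the 20-entry Intrusion Log that drops its oldest entry), as an added example that is not HP code. The model reproduces the third troubleshooting case: a port that was re-enabled without clearing its flag does not disable itself on the next intrusion. The port names and the log record layout are assumptions; the Event Log text is only an approximation of the switch's message.

```python
"""Intrusion response on a ProVision port: action, intrusion flag, Intrusion Log.

Added example, not HP code.  The rules come from the text: the first
intrusion on a port is logged and acted on; later intrusions on that port
are neither logged nor acted on until the flag is cleared; the Intrusion Log
keeps 20 entries and drops the oldest.  Port names and the record layout are
made up, and the Event Log text only approximates the switch's wording.
"""
from collections import deque

ACTIONS = ("none", "send-alarm", "send-disable")


class Port:
    def __init__(self, name, action="none"):
        if action not in ACTIONS:
            raise ValueError("action must be one of %s" % (ACTIONS,))
        self.name, self.action = name, action
        self.enabled = True
        self.intrusion_flag = False


class Switch:
    INTRUSION_LOG_SIZE = 20

    def __init__(self):
        self.ports = {}
        self.intrusion_log = deque(maxlen=self.INTRUSION_LOG_SIZE)  # oldest discarded
        self.event_log = []
        self.traps = []

    def add_port(self, name, action="none"):
        self.ports[name] = Port(name, action)

    def intrusion(self, port_name, mac, when):
        """Handle an unauthorized source MAC on `port_name`; return what was done."""
        port = self.ports[port_name]
        if port.intrusion_flag:
            # Earlier event not yet acknowledged: the traffic is still blocked,
            # but no new log entry, trap or port-disable happens.
            return "suppressed"
        port.intrusion_flag = True
        self.intrusion_log.append((when, port_name, mac))
        self.event_log.append("%s FFI: port %s-Security Violation" % (when, port_name))
        if port.action in ("send-alarm", "send-disable"):
            self.traps.append((port_name, mac))
        if port.action == "send-disable":
            port.enabled = False
        return port.action

    def clear_intrusion_flag(self, port_name):
        self.ports[port_name].intrusion_flag = False

    def enable(self, port_name):
        self.ports[port_name].enabled = True


def demo():
    sw = Switch()
    sw.add_port("A5", action="send-disable")
    intruder = "00:00:5e:00:53:ff"                     # made-up address
    out = {"first": sw.intrusion("A5", intruder, 1)}
    out["disabled_after_first"] = not sw.ports["A5"].enabled
    # The administrator re-enables the port but forgets to clear the flag.
    sw.enable("A5")
    out["second"] = sw.intrusion("A5", intruder, 2)
    out["still_enabled"] = sw.ports["A5"].enabled
    # Clearing the flag restores the configured response.
    sw.clear_intrusion_flag("A5")
    out["third"] = sw.intrusion("A5", intruder, 3)
    out["disabled_after_third"] = not sw.ports["A5"].enabled
    # Log capacity: one event on each of 25 other ports keeps only the last 20.
    for i in range(25):
        sw.add_port("B%d" % i, action="send-alarm")
        sw.intrusion("B%d" % i, intruder, 100 + i)
    out["log_len"] = len(sw.intrusion_log)
    out["oldest_kept"] = sw.intrusion_log[0][1]
    out["traps"] = len(sw.traps)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```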
Figure 8
In Comware, the port security commands are used to configure features similar to the ProVision feature set as well as 802.1X and MAC authentication. 802.1X and MAC authentication are discussed in the AIS or ASE Network Security track of the HP Certification Program.
Provides host authentication Although the switch can learn
te
authorized MAC addresses
bi
A port can be configured to learn
i
dynamically, maintaining the
oh
authorized MAC addresses
addresses in the event of a
pr
A port can be configured to forward traffic change or move can be a difficult
s
from authorized MAC addresses and reject management task
i
rt
traffic from unauthorized MAC addresses
pa
Removing/changing statically
The action taken when an unauthorized defined or dynamically learned
n
i
MAC address transmits can be set to: MAC addresses requires manual
or
-- Take no action intervention
le
-- Send an alert (trap)
ho
-- Disable the port
w
-- Temporarily disable the port
in
P
Figure 9
H
of
The graphic above summarizes several of the key benefits of deploying port security
de
on HP switches along with some of the implementation issues to consider.
Module 6: Traffic Filters

In this module, Layer 2 traffic filters will be discussed. With both ProVision and Comware software, traffic can be controlled based on source and destination port.

Scenario: Traffic Filters

A company currently has both surveillance and user traffic on separate networks. This has become difficult to manage and expand. It is desired to combine both types of traffic on the same switch without having to reconfigure IP addressing, while keeping the two types of devices from communicating.
Figure 1
Figure 2
You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.

Operating rules for source-port filters

- You can configure one source-port filter for each physical port and port trunk on the switch.
- You can include all destination ports and trunks in the switch on a single source-port filter.
- Each source-port filter covers a set of destination ports and/or port trunks that includes all untrunked LAN ports and port trunks on the switch, with a forward or drop action for each destination.
- When you create a source-port filter, the switch automatically sets the filter to forward traffic from the designated source to all destinations for which you do not specifically configure a drop action. Thus, it is not necessary to configure a source-port filter for traffic you want the switch to forward unless the filter was previously configured to drop that traffic.
- When you create a source-port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name, such as Trk1, instead of by individual port name.)
- Packets allowed for forwarding by a source-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering.
- With multiple IP addresses configured on a VLAN, and routing enabled on the switch, a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this case, you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop.
Comware port isolation
Figure 3
Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for greater flexibility and security.

Ports in the same isolation group are isolated from each other, but they can exchange Layer 2 traffic with ports in other isolation groups in the same VLAN, as well as with ports in the same VLAN that are not assigned to any isolation group.

For ports in an isolation group to exchange Layer 2 traffic with outside ports, the isolation group must have some uplink ports, which are non-isolation-group member ports within the VLAN. There is no limit on the number of uplink ports in an isolation group.

Configuration

1. Create the port isolation group.
2. Enable the port isolation group on individual interfaces and bridge aggregation groups.
Use cases
Figure 4
Both the ProVision and Comware software features can be configured to fulfill the following use cases:

- Guests are allowed to communicate with the Internet only. They are not allowed to reach each other or any other device.
- The gaming network allows devices to talk to each other but nothing else.
- The authorized clients network allows devices to talk to each other and to the Internet.

How would you configure each feature to accomplish these use cases?
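One answer to the question above, as an added example that is not part of the HP course: a Python model of the source-port filter rules (one filter per source, every destination forwarded unless set to drop) and of Comware port isolation (ports in the same group cannot reach each other but can reach ungrouped uplink ports in the same VLAN), with both applied to the guest, gaming and authorized use cases and checked against the stated intent for every ordered pair of ports. The port numbers, VLAN IDs and group layout are assumptions. VLAN membership is modelled for the Comware side because isolation by itself only separates ports within a group; the gaming and authorized networks still need their own VLANs.

```python
"""ProVision source-port filters and Comware port isolation applied to the
guest / gaming / authorized use cases.

Added example, not HP code.  Port numbers, VLAN IDs and the group layout are
assumptions; the forwarding rules are the ones the text gives.  VLAN
membership is modelled as well, because isolation alone cannot keep
different groups apart.
"""

UPLINK, GUESTS, GAMING, AUTHORIZED = "1", {"2", "3"}, {"4", "5"}, {"6", "7"}
PORTS = [UPLINK] + sorted(GUESTS | GAMING | AUTHORIZED)


def intended(src, dst):
    """The policy in words: what the three use cases say should be allowed."""
    pair = {src, dst}
    if pair <= GAMING or pair <= AUTHORIZED:
        return True                        # gaming or authorized among themselves
    if UPLINK in pair and (pair & (GUESTS | AUTHORIZED)):
        return True                        # guests and authorized reach the Internet
    return False


class SourcePortFilters:                   # ProVision
    def __init__(self):
        self.drop = {}                     # source -> destinations set to drop

    def filter(self, source, drop_destinations):
        # One filter per source; everything not listed is forwarded (default).
        self.drop[source] = set(drop_destinations)

    def allowed(self, src, dst):
        return dst not in self.drop.get(src, set())


class PortIsolation:                       # Comware
    def __init__(self):
        self.vlans = {}                    # port -> set of VLAN IDs
        self.group = {}                    # port -> isolation group number

    def vlan(self, port, *vids):
        self.vlans[port] = set(vids)

    def isolate(self, group, ports):
        for p in ports:
            self.group[p] = group

    def allowed(self, src, dst):
        if not (self.vlans.get(src, set()) & self.vlans.get(dst, set())):
            return False                   # no common VLAN: no Layer 2 path
        g1, g2 = self.group.get(src), self.group.get(dst)
        return g1 is None or g1 != g2      # same group: isolated


def provision_policy():
    f = SourcePortFilters()
    everything = set(PORTS)
    for g in GUESTS:                       # guests: only the uplink
        f.filter(g, everything - {g, UPLINK})
    for g in GAMING:                       # gaming: only each other
        f.filter(g, everything - GAMING)
    for a in AUTHORIZED:                   # authorized: each other and the uplink
        f.filter(a, GUESTS | GAMING)
    f.filter(UPLINK, GAMING)               # filters are one-way: block the return path too
    return f


def comware_policy():
    p = PortIsolation()
    p.vlan(UPLINK, 10, 30)                 # tagged uplink in the guest and authorized VLANs
    for g in GUESTS:
        p.vlan(g, 10)
    for g in GAMING:
        p.vlan(g, 20)                      # no uplink in VLAN 20
    for a in AUTHORIZED:
        p.vlan(a, 30)
    p.isolate(1, GUESTS)                   # guests cannot see each other
    return p


def matrix(policy):
    return {(s, d): policy.allowed(s, d) for s in PORTS for d in PORTS if s != d}


def both_match_intent():
    want = {(s, d): intended(s, d) for s in PORTS for d in PORTS if s != d}
    return matrix(provision_policy()) == want and matrix(comware_policy()) == want


if __name__ == "__main__":
    print("both implementations match the use cases:", both_match_intent())
```

The check over every ordered pair is the useful part: source-port filters are unidirectional, so forgetting the filter on the uplink (the last line of provision_policy) would let Internet-side traffic reach the gaming ports even though the gaming ports cannot reply.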
Module 7: Spanning Tree Protection

Objectives

After completing this module, you will be able to:

- Configure the features that protect spanning tree from rogue devices:
  -- BPDU Filtering
  -- BPDU Protection
  -- Root Guard
  -- TCN Guard
- Reduce occurrences of spanning tree re-convergence
Spanning-tree vulnerabilities
Figure 1
There are various vulnerabilities that exist across the spectrum of networking and IP protocols. This includes the original Spanning Tree Protocol (STP) and the Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) variants.

Note
The IEEE 802.1D standard originally described STP, but was updated (2004) to reference RSTP (formerly IEEE 802.1w). The IEEE 802.1Q standard describes MSTP (formerly IEEE 802.1s).

HP switches help secure spanning-tree environments by providing protection from attacks that target the vulnerabilities of these protocols.
To prevent broadcast storms, a network must have a loop-free topology. STP, as well as RSTP and MSTP, helps network devices create this topology. All devices running any of these protocols exchange bridge protocol data units (BPDUs) to elect a root bridge and to determine which path among multiple potential paths to the root bridge is the shortest. Any other redundant paths are then temporarily blocked until they are needed.

STP, RSTP, and MSTP are designed to allow any network device to join the spanning tree. This openness ensures that all loops are eliminated, but leaves choices about disabling links that may be vulnerable to manipulation from unauthorized devices. As BPDUs carry no authentication and can be easily spoofed, a rogue device can send BPDUs and join the spanning tree. This can affect path selection, and the rogue device may even become the root bridge.

The rogue device might be controlled by a hacker or simply be a device controlled by a different system. In either case, the result is the same. Incorrect links may be deactivated, impeding the network's ability to handle traffic efficiently. A hacker may even use the rogue device to launch a DoS attack by causing constant topology changes to the spanning tree.
Figure 2
Two features that help protect your network from spanning-tree vulnerabilities are BPDU protection and BPDU filtering. Both forms of protection operate at the port level.

BPDU filtering: A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning-tree forwarding state. Any other ports on the switch that are not configured for BPDU filtering will maintain their role. Unlike BPDU protection (described below), a port configured for BPDU filtering takes no action against the device sending the BPDUs; it simply drops them.

BPDU protection: A port with BPDU protection enabled is not expected to receive incoming BPDUs. If the port receives a BPDU, the switch disables the port, protecting the network from an apparently rogue device. You can configure the amount of time for which a port is disabled. The default causes the port to remain disabled until you re-enable it.
For example, you might enable BPDU protection on edge ports. Edge devices with a single link should not be sending BPDUs, so an incoming BPDU may indicate an attack. BPDU protection offers a more secure alternative to BPDU filtering, since it allows you to disable the port. BPDU protection also allows you to have an alert sent as an SNMP trap message when a BPDU is received.

On the other hand, some BPDUs may be unauthorized, but not necessarily malicious. And you might not want to deactivate a port simply because a BPDU has arrived on it. For example, suppose your switch connects to a device controlled by another authority and which is running its own spanning tree. You would not want to deactivate the link to this system even if its administrators have inappropriately allowed a BPDU to cross into your side of the network. Instead, simply configure the port to ignore the BPDUs with BPDU filtering.

Some other reasons why you may want to use BPDU filtering could include:
- You may want to allow spanning-tree operations to run on selected ports of the switch rather than every port of the switch.
- You may want to eliminate the need for a topology change when a port's link status changes. For example, a port that connects to downstream servers and
Figure 3
One important factor to keep in mind is that ports with BPDU filtering enabled remain active, i.e., the ports continue to learn and forward frames. However, the spanning-tree subsystem cannot receive or transmit BPDUs on the port. Since the port remains in a forwarding state and permits all broadcast traffic, this can create a network storm if there are any loops (trunks or redundant links) using these ports.

You can use the show spanning-tree config command to list the ports that have BPDU filtering enabled.
Configuring BPDU protection
Figure 4
To enable BPDU protection on one or more ports, you also use the spanning-tree command. You can also specify all to enable BPDU protection on all switch ports. By default, BPDU protection permanently disables a port if it receives a BPDU. However, you can configure BPDU protection to impose a temporary disable period instead. Using the spanning-tree command, you can configure a timeout value, which applies to any port running BPDU protection. The timeout value can be between 0 and 65,535 seconds. Specifying 0 returns BPDU protection to the default behavior of permanently disabling protected ports. The upper value is equivalent to approximately 18 hours. Note that this is a global setting for all ports with BPDU protection enabled.

You can use the show spanning-tree bpdu-protection command to list the ports that have BPDU protection enabled and determine if any errant BPDUs have been received on each port.
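The two behaviours described above can be played out in a small model. The following Python is an added example, not HP code: a filtered port ignores BPDUs and stays forwarding, a protected port is disabled on the first BPDU, either permanently or until the global 0 to 65,535 second timeout expires, a trap is recorded, and a report similar to show spanning-tree bpdu-protection lists errant BPDU counts. Port names, the 300-second timeout and the trap text are constructed values.

```python
"""Per-port BPDU handling as this section describes it: a BPDU-filtered port ignores
BPDUs and stays forwarding, a BPDU-protected port is disabled when a BPDU arrives,
permanently by default or for a global timeout of up to 65,535 seconds, and the
event is reported as a trap.  Added example, not HP code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_TIMEOUT = 65535  # upper bound of the bpdu-protection timeout, roughly 18 hours


@dataclass
class Port:
    name: str
    bpdu_filter: bool = False
    bpdu_protection: bool = False
    state: str = "forwarding"            # "forwarding" or "disabled"
    errant_bpdus: int = 0                # BPDUs seen on a protected port
    reenable_at: Optional[int] = None    # when a timed disable expires


@dataclass
class Switch:
    bpdu_protection_timeout: int = 0     # global setting; 0 means permanent disable
    ports: Dict[str, Port] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)

    def add_port(self, name, bpdu_filter=False, bpdu_protection=False) -> Port:
        self.ports[name] = Port(name, bpdu_filter, bpdu_protection)
        return self.ports[name]

    def set_bpdu_protection_timeout(self, seconds: int) -> None:
        """Enforce the 0..65535 second range the guide gives for the timeout."""
        if not 0 <= seconds <= MAX_TIMEOUT:
            raise ValueError(f"timeout must be 0..{MAX_TIMEOUT} seconds")
        self.bpdu_protection_timeout = seconds

    def receive_bpdu(self, port_name: str, now: int) -> str:
        """Return what the switch does with a BPDU arriving on this port."""
        port = self.ports[port_name]
        if port.state == "disabled":
            return "dropped: port already disabled"
        if port.bpdu_filter:
            # A filtered port ignores BPDUs and stays locked in forwarding state,
            # which is exactly why it is unsafe on a link that could form a loop.
            return "ignored: bpdu-filter"
        if port.bpdu_protection:
            port.errant_bpdus += 1
            port.state = "disabled"
            if self.bpdu_protection_timeout > 0:
                port.reenable_at = now + self.bpdu_protection_timeout
            self.traps.append(f"errant BPDU received on port {port_name}")
            return "port disabled: bpdu-protection"
        return "processed: normal spanning-tree port"

    def tick(self, now: int) -> List[str]:
        """Re-enable ports whose temporary disable period has expired."""
        restored = []
        for port in self.ports.values():
            if port.reenable_at is not None and now >= port.reenable_at:
                port.state, port.reenable_at = "forwarding", None
                restored.append(port.name)
        return restored

    def show_bpdu_protection(self) -> List[Tuple[str, str, int]]:
        """Rough analogue of 'show spanning-tree bpdu-protection' output."""
        return [(p.name, p.state, p.errant_bpdus)
                for p in self.ports.values() if p.bpdu_protection]


def demo() -> dict:
    """Edge port A1 with protection, A2 facing a foreign spanning tree with filtering.
    Port names and the 300-second timeout are constructed values."""
    sw = Switch()
    sw.add_port("A1", bpdu_protection=True)
    sw.add_port("A2", bpdu_filter=True)
    sw.set_bpdu_protection_timeout(300)
    return {
        "a2": sw.receive_bpdu("A2", now=0),          # ignored, port stays up
        "a1": sw.receive_bpdu("A1", now=0),          # disabled, trap raised
        "a1_state_before": sw.ports["A1"].state,
        "restored_early": sw.tick(now=299),          # nothing yet
        "restored_after": sw.tick(now=300),          # ["A1"]
        "a1_state_after": sw.ports["A1"].state,
        "traps": len(sw.traps),
        "report": sw.show_bpdu_protection(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```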
Figure 5
Root Guard
Root guard is only available when running MSTP. When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an alternate port role and enters a blocking state if it receives superior STP BPDUs. (A superior BPDU contains better information on the root bridge and/or path cost to the root bridge, which would normally replace the current

The superior BPDUs received on a port enabled as root-guard are ignored. All other BPDUs are accepted and the external devices may belong to the spanning tree as

Use this command on MSTP switch ports that are connected to devices located in
- Ensure the stability of the core MSTP network topology so that undesired
- Protect the configuration of the CIST root bridge that serves as the common root for the entire network.
TCN-Guard
When tcn-guard is enabled for a port, it causes the port to stop propagating
received topology change notifications and topology changes to other ports.
- Root guard
- Loop guard
- TC-BPDU guard
Note
Among loop guard, root guard and edge port settings, only one function can take effect on a port at any given point in time.

Configuration prerequisites
MSTP must be correctly configured on the switch before the protection functions are configured.
BPDU guard
MSTP provides the BPDU guard function to protect the system against attacks involving forged configuration BPDUs. For access layer switches, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition. Under normal conditions, these ports do not receive configuration BPDUs. If these ports do receive configuration BPDUs, the system automatically sets these ports as non-edge ports and starts a new spanning tree calculation process, which causes a change in

With the BPDU guard function enabled on the switch, when edge ports receive configuration BPDUs, MSTP closes these ports and notifies the NMS that these ports have been closed by MSTP. Ports closed this way can be restored only by the network administrators.

Note
You can disable MSTP on certain ports so that they do not take part in spanning
Root guard
MSTP provides the root guard function to prevent undesired network topology changes and network congestion that can result from configuration errors or malicious attacks. The root bridge and secondary root bridge of a spanning tree are ideally located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge may receive a configuration BPDU with a higher priority. In this case, the current legal root bridge is superseded by another device, which causes an undesired change in the network topology. Traffic that should go over high-speed links is switched to low-speed links, resulting in network congestion.

If the root guard function is enabled on a port of a root bridge, this port keeps playing the role of designated port on all MSTIs. Once this port receives a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening state in the MSTI, without forwarding the packet. (This is equivalent to disconnecting the link connected with this port in the MSTI.) If the port receives no BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.

Configure root guard on a designated port.
Loop guard
The loop guard function suppresses the occurrence of loops that result from link congestion or unidirectional link failures.

A switch generally maintains the state of the root port and blocked ports by receiving BPDUs from the upstream device. However, if these ports fail to receive BPDUs from the upstream devices due to link congestion or unidirectional link failures, the downstream device reselects the port roles. Ports in forwarding state that failed to receive upstream BPDUs become designated ports, and the blocked ports transition to the forwarding state, resulting in loops in the switched network. The loop guard

If a loop guard-enabled port fails to receive BPDUs from the upstream device, and if the port takes part in STP calculation, all the instances on the port, no matter what roles the port plays, are set to, and stay in, the Discarding state.
TC-BPDU guard
The BPDUs used to notify the switch of topology changes are called Topology Change BPDUs, or TC-BPDUs. When the switch receives TC-BPDUs the switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch receives a large number of TC-BPDUs within a short time and becomes busy

The TC-BPDU guard function lets you set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only when the time period expires. This prevents frequent flushing of forwarding address entries.

HP recommends that you keep the TC-BPDU guard feature enabled.
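The flush limit just described is a small rate limiter. This added Python example (not HP code) models it and counts how many forwarding-table flushes a burst of forged TC-BPDUs causes with and without the guard; the limits and timing are constructed values.

```python
"""Flush rate limiting as the TC-BPDU guard paragraph describes it: after the first
TC-BPDU, at most max_flushes immediate forwarding-table flushes are allowed within
period seconds; TC-BPDUs beyond that are honoured by a single flush when the period
expires.  Added example with a constructed burst; not HP code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcBpduGuard:
    max_flushes: int                  # immediate flushes allowed per period
    period: float                     # seconds, measured from the first TC-BPDU
    window_start: Optional[float] = None
    immediate_done: int = 0
    deferred_pending: bool = False
    flush_log: List[float] = field(default_factory=list)   # times at which flushes ran

    def _expire_window(self, now: float) -> None:
        """Close a finished window, running the one deferred flush it may owe."""
        if self.window_start is not None and now >= self.window_start + self.period:
            if self.deferred_pending:
                self.flush_log.append(self.window_start + self.period)
            self.window_start, self.immediate_done, self.deferred_pending = None, 0, False

    def receive_tc_bpdu(self, now: float) -> str:
        self._expire_window(now)
        if self.window_start is None:
            self.window_start = now       # the first TC-BPDU starts the period
        if self.immediate_done < self.max_flushes:
            self.immediate_done += 1
            self.flush_log.append(now)
            return "flushed"
        self.deferred_pending = True      # over the limit: flush once when the period ends
        return "deferred"

    def tick(self, now: float) -> None:
        """Call periodically so an owed flush still runs if no more TC-BPDUs arrive."""
        self._expire_window(now)


def flushes_for_burst(count: int, spacing: float, max_flushes: int, period: float) -> dict:
    """Compare flush counts with and without the guard for a burst of forged TC-BPDUs
    arriving spacing seconds apart (a constructed traffic pattern)."""
    guard = TcBpduGuard(max_flushes, period)
    actions = [guard.receive_tc_bpdu(i * spacing) for i in range(count)]
    guard.tick(count * spacing + period)  # let the final window expire
    return {
        "without_guard": count,           # unguarded, every TC-BPDU flushes the table
        "with_guard": len(guard.flush_log),
        "deferred": actions.count("deferred"),
    }


if __name__ == "__main__":
    # 200 forged TC-BPDUs 10 ms apart against a guard allowing 10 flushes per 10 seconds
    print(flushes_for_burst(200, 0.01, 10, 10.0))
```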
DHCP Protection
Module 8
snooping, Dynamic ARP protection, and the Dynamic IP Protection are referred to as advanced network protection features.
DHCP vulnerabilities
Figure 1
DHCP is designed to work in the trusted internal network and does not provide

server has no way of verifying that the client requesting an address is a legitimate client on the network. Similarly, the DHCP client has no way of knowing if the DHCP

There are two types of common DHCP attacks from which you should protect your network:

addresses of the client itself, the default gateway, DNS servers, and WINS servers. Without valid IP addresses, the legitimate client devices are unable to contact other legitimate IP network devices and users are prevented from
Figure 2
HP switches that support the DHCP snooping feature can protect your network against these DHCP address spoofing and exhaustion attacks. With DHCP snooping configured, the switch takes the role of a security guard, overseeing DHCP exchanges and ensuring that DHCP clients and servers act as they should.

As part of the DHCP snooping process, the switch distinguishes between trusted and untrusted ports. Trusted ports connect to the network's own trusted devices, such as the DHCP server. The switch allows DHCP packets to flow freely on these ports. On untrusted ports, the switch inspects DHCP packets to determine whether or not the

Here are three of the types of activities performed by the DHCP snooping feature:
- DHCP server packets should not originate from untrusted ports. So if the switch
- The switch also verifies information in DHCP client packets before allowing the packets onto the network. For example, the switch drops packets in which the source MAC address does not match the DHCP check MAC address, a sign of spoofing.
- The switch can also be configured to handle packets that have the DHCP

By filtering DHCP packets, the switch acts somewhat like a firewall between untrusted clients and DHCP servers. In this way, the switch can provide protection from DHCP attacks for your network.

DHCP snooping allows the switches to protect your network from other attacks as well. It does so by capitalizing on the information it learns while filtering DHCP packets. The switch builds and maintains a DHCP snooping table, which tracks the
- Leased IP address of the client.
- Lease time in seconds.
- VLAN identifier.
- Interface identifier of the port connecting directly to or toward the client.

Using this table to verify IP-to-MAC address bindings, the switch can learn which IP addresses should legitimately send traffic on which ports and it can also detect malicious hosts that try to spoof ARP packets. We'll discuss how the switch makes good use of what it has learned through DHCP snooping when we explain dynamic ARP protection in the next module.
Figure 3
DHCP options
In general, DHCP packets carry a number of data fields that are more specifically called options. Each option is used to convey information about the client, a DHCP relay agent, or the DHCP server. Examples of DHCP options include:
- Option 3: The default gateway's (router's) IP address.
- Option 6: The DNS server's IP address.
- Option 53: The DHCP message type, e.g., Discover, Offer, and so forth.
- Option 55: Identifies the parameters being requested by the client. This list can include the default gateway, subnet mask of an assigned IP address, and NetBIOS support features.
- Option 58: IP address renewal time, which is usually less than the lease time.

The DHCP snooping feature blocks DHCP attacks by filtering DHCP packets on untrusted ports. In addition, the DHCP snooping feature can facilitate the functions of DHCP itself by using option 82.
Option 82 can be used to provide identifying information about the DHCP relay agent. Option 82 allows a DHCP server to apply specialized configuration policies when assigning IP addresses and other configuration information to clients based on what value is in option 82. For example, you may want certain ranges of IP addresses to be associated with certain areas of the network. Or, a service provider's DHCP server might limit a certain switch port to a set number of IP addresses, ensuring that a subscriber network does not consume too many IP addresses.

To a DHCP server, however, all incoming DHCP packets will look alike without option 82 information specified. With option 82, the switch acts as the DHCP server's eyes, adding the information that the DHCP server needs so that it can select the correct configuration policy. This information includes the following:
- Remote ID: The remote identifier corresponds to an address identifier of the switch. It can be the switch's IP address or MAC address.
- Circuit ID: The circuit identifier corresponds to the physical switch port on which the client DHCP request was received.

A general requirement of option 82 is that a switch must act as the relay for the DHCP request in order to modify or insert the information. Therefore, unless a switch is the DHCP relay, it cannot normally manipulate DHCP requests and must forward the DHCP packets.

- Another switch acts as the DHCP relay, but is not configured to insert the
- The DHCP client is on the same subnet as the DHCP server, so the switch does not need to act as a relay. That is, the DHCP client and DHCP server can potentially communicate directly with the switch merely forwarding the packets.

However, with DHCP snooping enabled on a VLAN, the switch can inspect all DHCP packets on untrusted ports. This configuration capability allows the switch to modify or insert option 82 for those scenarios where the DHCP client and server are in the same subnet.
Figure 4
DHCP option 82 is a valuable capability that you can take advantage of, but one that can also be potentially hijacked by endpoints in an untrusted network. For example, a hacker can create an option 82 to manipulate the DHCP server into sending a client the wrong configuration.

However, the DHCP snooping feature also includes a capability that allows the switch to snoop for option 82 information inside of DHCP requests from untrusted endpoints. When the switch detects option 82, you can configure the switch to take one of three actions:
- Permit the request
- Drop the request entirely
- Replace the request with option 82 information you have configured

In the graphic above, the switch is configured to override an unauthorized option 82 with the correct option information, forcing the client network to comply with the policy.

Note
For those VLANs that have DHCP snooping enabled, the value you specify for option 82 through DHCP snooping overrides the global configuration information that may have been defined for option 82 using the dhcp-relay command.
Figure 5
By default, a switch using DHCP snooping detects and drops any DHCP request received on an untrusted port that also includes option 82. You should preserve this behavior whenever your switch connects directly to the clients. An option 82 that is received directly from a DHCP client can indicate a malicious attack which the switch must prevent.

On the other hand, a switch that runs DHCP snooping might connect to another switch that also runs DHCP snooping. For example, in the graphic above, the switch on the left should pass on DHCP requests with option 82 to the switch on the right.

Lastly, you can configure your switch to overwrite a detected option 82 setting in a packet received from a client with the switch's own information, thereby enforcing your network's policy.
Figure 6
The first step when implementing DHCP snooping is to enable DHCP snooping globally on the switch. To do this you use the dhcp-snooping command. This command in effect enables (or disables, if the no form of the command is specified) the ability to use the feature.

The next step is to enable the DHCP snooping feature on particular VLANs. To do this, you use the dhcp-snooping vlan command and specify the VLANs you want to protect with the DHCP snooping feature. To specify a range of VLAN identifiers, you use a hyphen. A comma-delimited list is not allowed.

Once DHCP snooping is enabled and configured, the switch will begin to build a

In the graphic, other options supported by the dhcp-snooping command are listed.
Figure 7
By default, all the ports on the switch are untrusted in the context of the DHCP snooping feature. The switch inspects all the traffic received on these ports, looking for DHCP packets. If the switch detects DHCP server packets that originate from untrusted ports, it immediately discards the packets. Remember, untrusted ports should not connect to DHCP servers.

If the switch detects DHCP client packets, it verifies the MAC address to ensure that the client is not trying to misuse DHCP. Specifically, the switch checks the client's hardware address (chaddr) field in the DHCP header to ensure that it matches the source MAC address in the packet. If the two addresses do not match, the client is attempting to spoof a MAC address, probably to masquerade as a legitimate device. The switch discards the packet, preventing the misbehaving client from receiving an IP address.

This verify MAC check is enabled by default when you activate DHCP snooping. You can disable this check if you no longer want the switch to perform it. You use the no dhcp-snooping verify mac command to disable this check.

Since devices that are connected to untrusted ports should not be transmitting DHCP server packets, but your DHCP server must be allowed to do so, you will need to define one or more ports as trusted so that the switch does not disrupt DHCP operations.

To define trusted ports, you use the dhcp-snooping trust command to specify the trusted ports. For example, you would designate an uplink port and a port that connects directly to a DHCP server as trusted ports. When you define a trusted port, the switch does not filter any DHCP packets on that port.

In addition to defining trusted ports, you can define the authorized DHCP servers on your network. In this case, the switch allows a DHCP server packet only if it meets two criteria:

command from the global configuration mode context. If you have more than one DHCP server, you will need to specify the command once for each DHCP server.
Configuring option 82
After you have enabled DHCP snooping on a VLAN, the switch can always insert option 82 into DHCP requests whether the clients and DHCP servers are in the same

When you configure option 82, you specify a value for the switch's remote identifier that gets inserted into the DHCP header. If an option 82 field is not present in a packet received from a client, the switch inserts the value you configured. If an option 82 value was already inserted by the client, then the switch replaces it with the value you configured.

The switch actually inserts two values into a DHCP header that correspond to option 82:
- The switch's remote ID. You can configure this value.
- The circuit ID for the physical port on which the DHCP request arrived. This value is not configurable.

The remote ID can be configured as one of three possible values using the dhcp-snooping remote-id command.
- The switch's base MAC address (mac).
- The switch's IP address on the VLAN that received the request (subnet-ip).
- The switch's management IP address (mgmt-ip).

Typically, you should select the subnet-ip option when your switch includes multiple VLANs for which all client requests are relayed to the same DHCP server. Selecting this option lets the server determine the correct DHCP pool that applies to the request based on the subnet IP address.

The options you configure for option 82 with DHCP snooping override any global configuration information specified using the dhcp-relay command. However, on VLANs that do not use DHCP snooping, the global configuration applies.
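The filtering rules described in this module (server packets on untrusted ports, the verify MAC check, trusted ports and authorized servers, option 82 insertion with a circuit ID and remote ID, and the binding table built from ACKs) can be exercised end to end on constructed packets. The following Python is an added example, not HP switch code; its port names, addresses, lease time and remote ID are constructed values, and the remote ID plays the role of the switch's subnet-ip.

```python
"""DHCP snooping decisions as this module describes them: server packets are dropped
on untrusted ports (and optionally restricted to authorized servers), a client's chaddr
must match the source MAC, option 82 from an untrusted port is dropped, kept or replaced
by policy, and ACKs on trusted ports populate the binding table.  Added example on
constructed packets; not HP switch code."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY, OPT_END = 51, 53, 82, 255
DHCPREQUEST, DHCPACK = 3, 5


def build_dhcp(op: int, chaddr: bytes, yiaddr: bytes, options: list) -> bytes:
    """Minimal 240-byte BOOTP header (6-byte chaddr) followed by TLV options."""
    fixed = struct.pack("!BBBB", op, 1, 6, 0) + bytes(8)    # op/htype/hlen/hops, xid/secs/flags
    fixed += bytes(4) + yiaddr + bytes(8)                    # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr + bytes(10) + bytes(192) + b"\x63\x82\x53\x63"  # chaddr(16), sname+file, cookie
    return fixed + b"".join(bytes([t, len(v)]) + v for t, v in options) + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> Tuple[int, bytes, bytes, Dict[int, bytes]]:
    op, hlen, yiaddr = payload[0], payload[2], payload[16:20]
    chaddr, opts, i = payload[28:28 + hlen], {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                                  # pad option
            i += 1
            continue
        t, n = payload[i], payload[i + 1]
        opts[t], i = payload[i + 2:i + 2 + n], i + 2 + n
    return op, chaddr, yiaddr, opts


def option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent option: sub-option 1 = circuit ID, sub-option 2 = remote ID."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


@dataclass
class DhcpSnooping:
    trusted_ports: Set[str]
    authorized_servers: Set[bytes] = field(default_factory=set)  # empty = any server
    verify_mac: bool = True
    untrusted_policy: str = "drop"    # option 82 from a client port: drop | keep | replace
    remote_id: bytes = b""            # inserted on replace, e.g. the switch's subnet-ip
    bindings: dict = field(default_factory=dict)   # ip -> (mac, lease, vlan, port)
    pending: dict = field(default_factory=dict)    # chaddr -> (port, vlan) of the request
    stats: List[Tuple[str, str, str]] = field(default_factory=list)

    def _record(self, kind, action, reason, payload=b""):
        self.stats.append((kind, action, reason))
        return action, reason, payload

    def inspect(self, port: str, vlan: int, src_mac: bytes, src_ip: bytes, payload: bytes):
        """Return (action, reason, payload to forward) for one DHCP packet."""
        op, chaddr, yiaddr, opts = parse_dhcp(payload)
        if op == BOOTREPLY:                                   # server -> client
            if port not in self.trusted_ports:
                return self._record("server", "drop", "server packet on untrusted port")
            if self.authorized_servers and src_ip not in self.authorized_servers:
                return self._record("server", "drop", "unauthorized DHCP server")
            if opts.get(OPT_MSG_TYPE) == bytes([DHCPACK]):    # learn the lease
                lease = struct.unpack("!I", opts.get(OPT_LEASE, bytes(4)))[0]
                cport, cvlan = self.pending.pop(chaddr, (None, vlan))
                self.bindings[yiaddr] = (chaddr, lease, cvlan, cport)
            return self._record("server", "forward", "trusted port", payload)
        if port in self.trusted_ports:                        # clients on trusted ports pass
            return self._record("client", "forward", "trusted port", payload)
        if self.verify_mac and chaddr != src_mac:
            return self._record("client", "drop", "chaddr does not match source MAC")
        if OPT_RELAY in opts:
            if self.untrusted_policy == "drop":
                return self._record("client", "drop", "option 82 on untrusted port")
            if self.untrusted_policy == "replace":
                opts[OPT_RELAY] = option82(port.encode(), self.remote_id)
                payload = build_dhcp(op, chaddr, yiaddr, list(opts.items()))
        self.pending[chaddr] = (port, vlan)
        return self._record("client", "forward", "valid client request", payload)


def demo():
    """Constructed scenario: authorized server 10.0.8.1 behind trusted port A24, an
    honest client on A1, a spoofing client on A2, a client sending its own option 82 on A3."""
    sw = DhcpSnooping({"A24"}, {bytes([10, 0, 8, 1])}, untrusted_policy="replace",
                      remote_id=bytes([10, 0, 8, 254]))
    mac_a, mac_b, zero = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"), bytes(4)
    req = build_dhcp(BOOTREQUEST, mac_a, zero, [(OPT_MSG_TYPE, bytes([DHCPREQUEST]))])
    sw.inspect("A1", 8, mac_a, zero, req)                      # forwarded, request remembered
    sw.inspect("A2", 8, mac_b, zero, req)                      # chaddr is mac_a: dropped
    req82 = build_dhcp(BOOTREQUEST, mac_b, zero, [(OPT_MSG_TYPE, bytes([DHCPREQUEST])),
                                                  (OPT_RELAY, option82(b"fake", b"fake"))])
    _, _, rewritten = sw.inspect("A3", 8, mac_b, zero, req82)  # option 82 overwritten
    ack = build_dhcp(BOOTREPLY, mac_a, bytes([10, 0, 8, 50]),
                     [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_LEASE, struct.pack("!I", 3600))])
    sw.inspect("A2", 8, mac_b, bytes([10, 0, 8, 9]), ack)      # rogue server: dropped
    sw.inspect("A24", 8, mac_b, bytes([10, 0, 8, 1]), ack)     # binding 10.0.8.50 -> mac_a on A1
    return sw, parse_dhcp(rewritten)[3][OPT_RELAY]


if __name__ == "__main__":
    snoop, opt82 = demo()
    print(snoop.stats, snoop.bindings, opt82.hex(), sep="\n")
```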
You can also configure your switch to snoop specifically for option 82 in filtered DHCP requests that are received from clients. If the switch detects this option, it takes one of three actions:
- The switch can forward the request as is, keeping the option 82 value that was received.
- The switch can forward the request, but replace the unauthorized option 82
Figure 8
information:

The Read at boot: line entry indicates whether or not the DHCP snooping binding database was read successfully at boot time. The File status:, Write attempts:, Write failures:, and Last successful file update: provide the most

How you can configure DHCP snooping to store the switch's DHCP binding
Figure 9
The show dhcp-snooping stats command allows you to view statistics about DHCP packets that the switch has filtered. The statistics provide information about the packet type, the action taken, the reason the action was taken, and the count of packets involved. The packet type refers to whether the packet originated from a DHCP server or a DHCP client. The action taken is either forward or drop.

- The client packet was a legitimate request that was then forwarded out a trusted port.
- The client packet was a bad DHCP release request that may indicate a
- The client packet's DHCP MAC address field did not match the client's Ethernet MAC address.
Figure 10
The show dhcp-snooping binding command allows you to view the IP-to-MAC address bindings in the DHCP snooping database. The switch refers back to these IP-to-MAC bindings as part of several attack protections, including ARP protection, which will be explained in the next section.

You can optionally configure the switch to save the DHCP snooping database to a specific URL on a TFTP server so the bindings will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location. To configure this location, you use the dhcp-snooping database command. The options you can specify for this command are:
- file: Must be in a URL format that specifies TFTP as the protocol, the IP address of the TFTP server, and a filename that will contain the database information. The maximum number of characters that you can specify following
- timeout: This is the number of seconds to wait for the database file transfer to finish before returning an error. A value of zero means retry indefinitely. The
Example configuration
Figure 11
This graphic shows a portion of a switch configuration file with dynamic DHCP snooping configured.

Based on the VLAN definitions, the switch relays DHCP requests from VLAN 8 and

The switch snoops DHCP traffic on VLAN 8 and 24 and checks for indications of attacks. As part of these checks, the switch looks for the option 82 field in DHCP requests from untrusted endpoints, replacing any information in this field with its own IP address associated with the VLAN on which the DHCP request was received. The
As a DHCP security feature, DHCP snooping can implement the following:
1. Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
2. Recording IP-to-MAC mappings of DHCP clients

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, the DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot normally communicate with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that the clients obtain IP addresses from authorized DHCP servers.
- Trusted: A trusted port forwards DHCP messages normally.
- Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.

You should configure ports that connect to authorized DHCP servers and other DHCP snooping devices as trusted, and other ports as untrusted. With such

trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can
- ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks
Figure 12
should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client is guaranteed to obtain IP addresses from the

To save system resources, you can disable the trusted ports, which are indirectly

Option 82 records the location information of the DHCP client. The administrator can locate the DHCP client to further implement security control and accounting.

If DHCP snooping supports Option 82, it will handle a client's request according to the contents defined in Option 82, if any. The handling strategies are described in the table below.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping device will remove the Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP snooping device forwards it directly.

If a client's requesting message has | Handling strategy | Padding format | The DHCP snooping device will
Option 82 | Drop | Random | Drop the message.
Option 82 | Keep | Random | Forward the message without changing Option 82.
Option 82 | Replace | Normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82 | Replace | Verbose | Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
Option 82 | Replace | User defined | Forward the message after replacing the original Option 82 with the user-defined Option 82.
No Option 82 | - | Normal | Forward the message after adding the Option 82 padded in normal format.
No Option 82 | - | Verbose | Forward the message after adding the Option 82 padded in verbose format.
DHCP snooping protects against attacks involving IP address spoofing and IP address exhaustion

The primary configuration steps are:
- Enable DHCP snooping globally
- Specify the VLANs to be protected
- Define trusted ports

With DHCP snooping enabled, a switch differentiates between trusted and untrusted ports
- Drops DHCP server packets received on untrusted ports
- Filters/modifies DHCP client packets received on untrusted ports

A DHCP IP address to MAC address binding database is used to track valid DHCP assignments

DHCP requests
ARP Protection
Module 9
Dynamic ARP protection, DHCP snooping, and the Dynamic IP Protection are referred to as advanced network protection features.
ARP vulnerabilities
Figure 1
ARP is used to resolve a device's IP address to its MAC address. ARP creates and requests information for unknown MAC addresses. Most ARP devices update their tables every time they receive an ARP packet even if they did not request the information. This makes ARP vulnerable to attacks such as ARP poisoning, ARP

response, and other devices use the response to change their ARP tables. In the

MAC address.

At the same time, device C sends a packet to device B, posing as device A. Any response intended for device B, the legitimate owner of the IP address, now

When device A updates its ARP table with the spoofed entry, device A's ARP

device C's MAC address, all IP traffic that device A wants to send to device B is sent to device C instead.
associating the network gateway's IP address with the MAC address of some endpoint station. Because the endpoint station does not have access to outside networks, outgoing traffic is prevented from leaving the network. The endpoint station may also become easily overwhelmed by the unexpected traffic.
Figure 2
Switches that support dynamic ARP protection can protect a network against these types of ARP attacks. Similar to the DHCP snooping feature, the dynamic ARP protection feature allows you to designate trusted and untrusted ports.

If a port is untrusted, the switch:
- Intercepts all ARP requests and responses on untrusted ports before forwarding them.
- Verifies the IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and any user
  - If the binding is valid, the switch updates its local ARP cache or forwards
  - If the binding is invalid, the switch simply drops the packets, preventing other devices from receiving them and being tricked by the false information.

Since the switch verifies the IP-to-MAC address binding by checking the information against what is stored in its DHCP snooping table, you should enable DHCP snooping as part of configuring ARP protection. However, if you are not using DHCP, you can configure static IP-to-MAC address bindings, and the switch will use this

Even if you are using DHCP snooping, you may want to add static IP-to-MAC address bindings to the DHCP snooping table so that the switch can verify IP-to-MAC bindings for any devices that have been assigned static IP addresses.
pl
Em
In addition to verifying IP-to-MAC address bindings, you can configure the switch to
P
perform three additional checks. The switch can verify the following:
Figure 3
The switches on your network must be able to exchange ARP packets and update their ARP tables accordingly. To facilitate this exchange, you must configure ports that connect to other switches as trusted ports. In this example, ports A23 and A24 are considered trusted ports. Other ports, which connect to end users, are marked as

If your network includes switches that do not support dynamic ARP protection, you should use a router to separate these switches into their own Layer 2 domains. Since ARP packets do not cross Layer 2 barriers, the unprotected switches cannot receive ARP packets from a hacker and subsequently pass them on to other unprotected switches. The switch with IP routing and dynamic ARP protection enabled would
Figure 4
The first step when implementing dynamic ARP protection is to enable dynamic ARP protection globally on the switch. To do this, you use the arp-protect command. This command in effect enables (or disables, if the no form of the command is specified) the ability to use the feature.

The next step is to enable the dynamic ARP protection feature on particular VLANs. To do this, you use the arp-protect vlan command and specify the VLANs you want to protect with the dynamic ARP protection feature. To specify a range of VLAN identifiers, you use a hyphen. A comma-delimited list is not allowed.

By default, all ports are untrusted in the context of dynamic ARP protection. This means that the switch will check the ARP requests and responses received on all the ports that are members of the protected VLANs.

To configure a trusted port, you use the arp-protect trust command. The switch will not check the ARP requests and responses that it receives on the trusted port.
Optional configuration steps
Figure 5
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by

You can also define static IP-to-MAC address bindings if your network does not use DHCP or if some devices have statically assigned IP addresses. The switch uses the static IP-to-MAC address bindings you define for both DHCP snooping and dynamic ARP protection. To add a static IP-to-MAC address binding for a port to the database, you use the ip source binding command. This command associates a given IP address with a specific MAC address, VLAN ID, and port ID.

You can also enable additional checks for the VLANs protected by the dynamic ARP protection feature using the arp-protect validate command. You can specify from

- src-mac: The switch checks ARP request and response packets to ensure that the source MAC address in the Ethernet header matches the sender MAC address in the body of the ARP packet. If the two addresses do not match, the switch drops the packet.
- dest-mac: The switch checks each unicast ARP response packet to ensure that the destination MAC address in the Ethernet header matches the target MAC address in the body of the ARP packet. If the two addresses do not match, the switch drops the packet.
- ip: The switch checks the sender and target IP addresses in the body of an ARP packet to ensure it does not contain an invalid IP address. If an invalid IP address is detected, the switch drops the ARP packet. Invalid IP addresses are defined as:
  - 0.0.0.0
  - 255.255.255.255
  - All Class D (multicast) IP addresses
  - All Class E IP addresses
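The checks described above, as an added example that is not part of the original guide and not HP's switch code: a Python model of what dynamic ARP protection does with an ARP frame that arrives on an untrusted port. The binding table (standing in for the DHCP snooping lease database plus static ip source bindings), the MAC addresses, the port names and the order in which the checks run are assumptions made for the illustration; the checks themselves (binding lookup, src-mac, dest-mac and the invalid-IP list) follow the text.

```python
"""Model of the dynamic ARP protection checks on an untrusted port.

Constructed example: bindings, addresses and port names are invented, and the
lookup structure and check order are assumptions, not the switch's own code.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Stand-in for the DHCP snooping lease database plus static ip source bindings.
# Keyed on (VLAN, IP); the value is the (MAC, port) the address is bound to.
BINDINGS = {
    (8, "10.1.8.1"): ("00:11:22:33:44:01", "A23"),   # gateway, static binding
    (8, "10.1.8.20"): ("00:11:22:33:44:20", "A1"),   # DHCP client on port A1
}

TRUSTED_PORTS = {"A23", "A24"}        # uplinks to other switches, as in Figure 3

_CLASS_D = ipaddress.ip_network("224.0.0.0/4")   # multicast
_CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # reserved


@dataclass
class ArpFrame:
    port: str
    vlan: int
    eth_src: str        # source MAC in the Ethernet header
    eth_dst: str        # destination MAC in the Ethernet header
    sender_mac: str     # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str     # target hardware address in the ARP body
    target_ip: str
    is_reply: bool      # True for an ARP response, False for a request


def ip_is_invalid(ip: str) -> bool:
    """Invalid addresses per the arp-protect validate ip rule."""
    if ip in ("0.0.0.0", "255.255.255.255"):
        return True
    addr = ipaddress.ip_address(ip)
    return addr in _CLASS_D or addr in _CLASS_E


def is_unicast(mac: str) -> bool:
    """The I/G bit (LSB of the first octet) is 0 for unicast MAC addresses."""
    return int(mac.split(":")[0], 16) & 1 == 0


def check_frame(frame: ArpFrame, bindings=BINDINGS, trusted=TRUSTED_PORTS,
                validate=("src-mac", "dest-mac", "ip")) -> str:
    """Return 'forward' or 'drop:<reason>' for one ARP frame.

    Order (an assumption, chosen for deterministic drop reasons): the optional
    validations first, then the binding check.
    """
    if frame.port in trusted:
        return "forward"                      # trusted ports are not inspected

    if "src-mac" in validate and frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop:src-mac"
    if ("dest-mac" in validate and frame.is_reply and is_unicast(frame.eth_dst)
            and frame.eth_dst.lower() != frame.target_mac.lower()):
        return "drop:dest-mac"
    if "ip" in validate and (ip_is_invalid(frame.sender_ip) or ip_is_invalid(frame.target_ip)):
        return "drop:ip"

    # Binding check: the sender IP must be bound to the sender MAC on this VLAN.
    bound = bindings.get((frame.vlan, frame.sender_ip))
    if bound is None or bound[0].lower() != frame.sender_mac.lower():
        return "drop:binding"
    return "forward"


def arp_protect_statistics(frames, **kwargs) -> Counter:
    """Tally outcomes, in the spirit of show arp-protect statistics."""
    return Counter(check_frame(f, **kwargs) for f in frames)


# Constructed sample frames.
SAMPLE_FRAMES = [
    # Legitimate reply from the DHCP client on port A1 to the gateway.
    ArpFrame("A1", 8, "00:11:22:33:44:20", "00:11:22:33:44:01",
             "00:11:22:33:44:20", "10.1.8.20", "00:11:22:33:44:01", "10.1.8.1", True),
    # Reply claiming the gateway's IP with a MAC that the binding table does not know.
    ArpFrame("A2", 8, "00:11:22:33:44:99", "00:11:22:33:44:20",
             "00:11:22:33:44:99", "10.1.8.1", "00:11:22:33:44:20", "10.1.8.20", True),
    # Ethernet source MAC differs from the ARP sender MAC.
    ArpFrame("A2", 8, "00:11:22:33:44:99", "ff:ff:ff:ff:ff:ff",
             "00:11:22:33:44:20", "10.1.8.20", "00:00:00:00:00:00", "10.1.8.1", False),
    # Request whose target IP is the limited broadcast address.
    ArpFrame("A1", 8, "00:11:22:33:44:20", "ff:ff:ff:ff:ff:ff",
             "00:11:22:33:44:20", "10.1.8.20", "00:00:00:00:00:00", "255.255.255.255", False),
    # Anything arriving on a trusted uplink is forwarded without inspection.
    ArpFrame("A23", 8, "00:11:22:33:44:77", "ff:ff:ff:ff:ff:ff",
             "00:11:22:33:44:77", "10.1.8.77", "00:00:00:00:00:00", "10.1.8.20", False),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.port, f.sender_ip, "->", check_frame(f))
    print(dict(arp_protect_statistics(SAMPLE_FRAMES)))
```

Two things the model makes visible: the binding check alone already catches a reply that claims the gateway's IP with an unknown MAC, so the src-mac, dest-mac and ip validations are defence in depth rather than the primary control; and, taken literally, the invalid-IP list drops any frame whose sender IP is 0.0.0.0, which is what an address-conflict probe carries, so a deployment should watch the show arp-protect statistics counters after enabling the ip check.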
Viewing the dynamic ARP protection configuration
Figure 6
To view the configuration for dynamic ARP protection, you use the show arp-
Figure 7
You use the show arp-protect statistics command to view statistical information about the packets that dynamic ARP protection has filtered.

The statistics include information about forwarded ARP packets and dropped ARP packets. A packet may have been dropped due to several possible violations, such as an invalid IP-address-to-MAC-address binding (based on the DHCP binding database), source or destination MAC address mismatches, or invalid source or destination IP addresses. The latter two categories are checked if the associated
Example configuration
Figure 8
This graphic shows a portion of a switch configuration file with dynamic ARP protection configured.

The switch is configured to protect VLAN 8 and VLAN 24. Ports A23 and A24 are configured as trusted ports, which implies that they connect to other switches. All other ports are marked as untrusted by default. Optional dynamic ARP protection validation options are also enabled.
prone to network attacks. An attacker may send:

- ARP packets by acting as a trusted user or gateway, so that the receiving devices obtain incorrect ARP entries.
- A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves destination IP addresses and thus its CPU is overloaded.
- A large number of ARP packets, placing a heavy load on the CPU. For details about ARP attack features and types, refer to the ARP Attack Protection Technology White Paper.

Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.

Flood Prevention
The device keeps trying to resolve destination IP addresses, which increases the load on the CPU.

To protect the device from IP packet attacks, you can enable the ARP source suppression function or the ARP black hole routing function.

If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, whenever the number of ARP requests triggered by packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the packets of the sending host from triggering any ARP requests within the following five seconds.

If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route.
Configuring ARP Packet Rate Limit
This feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device may become overloaded because all the ARP packets are redirected to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. To prevent this, you need to configure ARP packet rate limit.

It is recommended that you enable this feature after the ARP detection, ARP snooping, or MFF feature is configured, or use this feature to prevent ARP flood attacks.

This feature allows the device to check the source MAC address of ARP packets. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value, the device considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from that MAC address (in filter mode), or only generates an alarm (in monitor mode).

A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the
Configuring ARP Active Acknowledgement
Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.

ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry. For details about its working mechanism, refer to the ARP Attack Protection Technology White Paper.
Configuring ARP Detection
The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded, hence preventing user spoofing and gateway spoofing.

ARP detection includes ARP detection based on specified objects, and ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses.

Addresses

With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC

Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP Source Guard binding entries. If a match is found, the ARP packet is
an unmatched MAC address is found, the ARP packet is considered invalid and
compares the ARP packet's sender IP and MAC addresses against the DHCP
If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. ARP detection based on OUI MAC addresses means that if the sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled, the packet is considered valid.
If no match is found, the ARP packet is considered invalid and is discarded.

Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.

With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.

Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated through ARP automatic scanning) into static ARP entries. The fixed ARP feature can effectively prevent ARP entries from being modified by attackers.
Configuring ARP Gateway Protection
The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks as follows:

When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.
Configuring ARP Filtering
To prevent gateway spoofing and user spoofing, the ARP filtering feature controls

The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries. If a match is found, the packet is handled normally.
The Dynamic ARP protection feature protects against ARP poisoning, snooping, and DoS attacks.

The key configuration steps are:

- Enable dynamic ARP protection globally
- Specify the VLANs to be protected
- Define trusted ports connecting to other switches
- Optionally, define static IP-to-MAC address bindings

With Dynamic ARP protection enabled, a switch differentiates between trusted and untrusted ports:

- Drops invalid ARP packets received on untrusted ports
- Does not perform ARP inspections on trusted ports

The dynamic ARP protection makes use of the DHCP snooping binding database.
Module 10: IP Spoofing Protection
Figure 1
Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as
(rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Comware switches provide a feature called IP Source Guard that can help to mitigate an IP spoofing attack. The IP Source Guard function can be enabled on user access ports of the switch to improve network security. It prevents illegal packets from traveling through the ports. When a port enabled with the IP Source Guard function receives a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source guard. If there is a match, the port forwards the packet. If there is no match, the port discards the packet. IP source guard bindings are on a per-port basis. After a binding entry is configured on a port, it is effective only on that port.
Dynamic IP Lockdown
The Dynamic IP Lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature.
Protection Against IP Source Address Spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD r protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC
database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.

Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for

Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added
clients with an existing DHCP-assigned address must either request a new leased

It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients' leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week.

and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule, as shown in the example in Figure 11-4). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.

For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.

Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts to switching traffic as usual.
Filtering IP and MAC Addresses Per-Port and Per-VLAN
This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:

Packet filtering using source IP address, source MAC address, and source VLAN as criteria

To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the
routing switch.
Operating Notes
all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.

port must be configured for at least one VLAN that is enabled for DHCP snooping.

To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.

Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.)

By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level.

After you enter the ip source-lockdown command (enabled globally with the
If the port is not a member of at least one VLAN that is enabled for DHCP snooping.

Dynamic IP lockdown is activated on the port only after you make the following configuration changes:
enabled.

You can configure dynamic IP lockdown only from the CLI; this feature cannot be

If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.

Dynamic IP lockdown must be removed from a trunk before the trunk is removed.
Adding an IP-to-MAC Binding to the DHCP Binding Database
A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.

Dynamic IP lockdown supports a total of 4K static and dynamic bindings with up to 64 bindings per port. When DHCP snooping is enabled globally on a VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI or from a downloaded configuration file.

When dynamic IP lockdown is enabled globally or on ports, the bindings associated with the ports are written to hardware. This occurs during these events:

- Switch initialization
- Hot swap
- A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN
- DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports
Potential Issues with Bindings
When dynamic IP lockdown is enabled, and a port or switch has the maximum number of bindings configured, the client DHCP request will be dropped and the
maximum number of bindings, adding a static binding to the port will fail.

When dynamic IP lockdown is enabled globally, the bindings for each port are
several times, it is possible to run out of buffer space for additional bindings. The software will delay adding the bindings to hardware until resources are available.

To add the static configuration of an IP-to-MAC binding for a port to the lease
Use the no form of the command to remove the IP-to-MAC binding from the database.
<portnumber>

Note
Note that the ip source-binding command is the same command used by the Dynamic ARP Protection feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC address bindings.
Verifying the Dynamic IP Lockdown Configuration
To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level.

show ip source-lockdown status
Displaying the Static Configuration of IP-to-MAC Bindings
To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings command.

show ip source-lockdown bindings [port-number]

to-MAC address and VLAN bindings are configured in the DHCP lease database.

debug dynamic-ip-lockdown

To send command output to the active CLI session, enter the debug destination session command.

command output. Packet counts are updated every five minutes. An example of the

When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are
IP Source Guard
IP source guard filters packets based on the following types of binding entries:

- IP-port binding entry
- MAC-port binding entry
- IP-MAC-port binding entry
- IP-VLAN-port binding entry
- MAC-VLAN-port binding entry
- IP-MAC-VLAN-port binding entry

Depending on how the entry is created, an IP source guard binding entry can be static or dynamic:

A static binding is configured manually. It is suitable when there are a few hosts

A dynamic binding is implemented in cooperation with DHCP snooping or DHCP Relay. It is suitable when there are many hosts in a LAN, and DHCP is used to allocate IP addresses to the hosts. Once DHCP allocates an IP address for a user, the IP source guard function automatically adds a binding entry based on the DHCP entry to allow the user to access the network. If a user specifies an IP address instead of getting one through DHCP, the user does not
binding is added for the user to access the network. In this way, IP address

Note
group, nor can you add a port configured with IP source guard to an aggregation group.

Cooperating with DHCP snooping, IP source guard will automatically obtain the DHCP snooping entries that are generated during dynamic IP address allocation

Cooperating with DHCP Relay, IP source guard will automatically obtain the DHCP Relay entries that are generated during dynamic IP address allocation across network segments on a VLAN interface.

These dynamically obtained binding entries contain such information as MAC address, IP address, VLAN tag, port information and entry type. IP source guard applies these binding entries to the port, so that the port can filter packets according to the binding entries.
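The per-port filtering that both the Dynamic IP Lockdown section (ProVision) and the IP Source Guard description above (Comware) rely on, as an added example that is not part of the original guide and not either switch's code: a Python model of a per-port binding list in which a binding may carry any combination of IP, MAC and VLAN (the six entry types listed above), the per-port 64-binding limit and the broadcast DHCP request exemption from the Dynamic IP Lockdown operating notes, and the removal of dynamic bindings when DHCP snooping is disabled on a VLAN. The bindings, addresses and port names are constructed; treating traffic in a VLAN without DHCP snooping as unfiltered is my reading of the deny any vlan <VLAN_IDs> rule and is marked as an assumption in the code.

```python
"""Model of per-port source binding filtering (dynamic IP lockdown / IP source guard).

Constructed example: bindings, addresses and port names are invented and the
classes are not the switches' code. Matching follows the text; the handling of
VLANs without DHCP snooping is an assumption based on the deny-any-vlan rule.
"""
from dataclasses import dataclass
from typing import Optional

MAX_BINDINGS_PER_PORT = 64          # per-port limit stated for dynamic IP lockdown


@dataclass(frozen=True)
class Binding:
    """A binding entry. A field left as None is not part of the entry, which
    gives the IP-port, MAC-port, IP-MAC-port, ... IP-MAC-VLAN-port variants."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    dynamic: bool = False            # True when learned from DHCP snooping/relay

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac.lower() == mac.lower())
                and (self.vlan is None or self.vlan == vlan))


@dataclass
class Packet:
    port: str                        # ingress port
    vlan: int
    src_ip: str
    src_mac: str
    dst_mac: str = "ff:ff:ff:ff:ff:ff"
    dhcp_request: bool = False       # client DHCP request (DISCOVER/REQUEST)


class SourceGuard:
    def __init__(self, snooping_vlans):
        self.snooping_vlans = set(snooping_vlans)   # VLANs with DHCP snooping on
        self.port_bindings = {}                      # port -> list of Binding

    def add_binding(self, port: str, binding: Binding) -> bool:
        """Install a static or DHCP-learned binding; fails when the port is full."""
        entries = self.port_bindings.setdefault(port, [])
        if binding in entries:
            return True
        if len(entries) >= MAX_BINDINGS_PER_PORT:
            return False
        entries.append(binding)
        return True

    def disable_snooping(self, vlan: int) -> None:
        """Disabling DHCP snooping on a VLAN removes that VLAN's dynamic bindings;
        static entries stay, and the VLAN's traffic is switched as usual again."""
        self.snooping_vlans.discard(vlan)
        for port, entries in self.port_bindings.items():
            self.port_bindings[port] = [b for b in entries
                                        if not (b.dynamic and b.vlan == vlan)]

    def filter(self, pkt: Packet) -> str:
        """Return the verdict for one inbound IP packet."""
        # Broadcast DHCP requests are exempt; DHCP snooping handles them.
        if pkt.dhcp_request and pkt.dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
            return "forward:dhcp-exempt"
        # Assumption: the final deny rule only covers VLANs with DHCP snooping enabled.
        if pkt.vlan not in self.snooping_vlans:
            return "forward:vlan-not-snooped"
        # Permit rules are per port: a binding on another port does not help.
        for b in self.port_bindings.get(pkt.port, []):
            if b.matches(pkt.src_ip, pkt.src_mac, pkt.vlan):
                return "forward"
        return "drop"


def build_demo() -> SourceGuard:
    """Constructed bindings: one DHCP-learned client and one static printer entry."""
    sg = SourceGuard(snooping_vlans={8})
    # Learned by DHCP snooping: client on A1 leased 10.1.8.20 (IP-MAC-VLAN-port entry).
    sg.add_binding("A1", Binding(ip="10.1.8.20", mac="00:11:22:33:44:20", vlan=8, dynamic=True))
    # Static entry for a printer with a fixed address on A5 (IP-MAC-port entry).
    sg.add_binding("A5", Binding(ip="10.1.8.50", mac="00:11:22:33:44:50"))
    return sg


if __name__ == "__main__":
    sg = build_demo()
    for p in (Packet("A1", 8, "10.1.8.20", "00:11:22:33:44:20"),
              Packet("A1", 8, "10.1.8.1", "00:11:22:33:44:20"),       # forged gateway IP
              Packet("A2", 8, "10.1.8.20", "00:11:22:33:44:20"),      # right binding, wrong port
              Packet("A2", 8, "0.0.0.0", "00:11:22:33:44:60", dhcp_request=True)):
        print(p.port, p.src_ip, "->", sg.filter(p))
```

The wrong-port case is the one to remember operationally: a client that is moved to another port keeps a binding only on the old port, so its traffic is dropped until a new lease (or a static entry for the new port) exists, which is why the guide recommends letting DHCP snooping run for a lease period before enabling lockdown.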
<A5800>system-view
[A5800]interface <port-id>
[A5800-GE1/0/1]ip check source [ip-address | ip-address mac-address | mac-address]
Note
To implement dynamic binding in IP source guard, make sure that DHCP snooping or DHCP Relay is configured and works normally.
Displaying and Maintaining IP Source Guard
display ip check source [interface <port-id> | ip-address <ip-addr> | mac-address <mac-addr>] [slot <slot-id>]
Module 11: Virus Throttling
Scenario: Protecting against viruses
Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect and manage worm-type security threats received by the switch in inbound IP traffic.
Connection-rate filtering
Figure 1
configure the feature, traffic from the source host can be blocked, throttled (temporarily blocked), or you can simply be notified. Notifications are written to the

This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious

Connection-rate filtering can help protect your network against both known and unknown viruses. Rather than stopping virus attacks based on signature files, connection-rate filtering monitors behavior, working on the principle that a worm will request sessions with a large number of devices on the network as it attempts to spread. You don't have to wait for a signature file before you can protect your network against a new threat. And you don't have to take the time to painstakingly update each
Figure 2
The connection-rate filtering feature is based on the Virus Throttle software invented

Throttling viruses can also be compared to on-ramp metering lights. Each car is like a connection. The meter restricts access to the highway to one car per light while allowing cars already on the highway to continue moving freely. Similarly, the connection-rate filtering feature restricts the number of new connections, but allows
How it works
If the destination IP address is listed in the working set, the new connection is
The connection rate threshold determines how many new connections a source is allowed to initiate in a set time period. The connection rate is a good indicator of virus activity. For example, in most circumstances a computer may open one new connection per second while an infected computer may attempt to open hundreds.

If the new connection request exceeds the source's threshold, the configured action is applied. The connection-rate filtering feature can send both a notification and block traffic associated with new connections. The duration for which traffic is throttled can either be temporary, a short penalty period, or the traffic can be permanently blocked. When a source computer is blocked, the administrator must manually unblock it.
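The mechanism just described (working set of recent destinations, a threshold on new connections per time period, and the notify-only, throttle and block actions with their different ways of clearing), as an added example that is not part of the original guide and not HP's Virus Throttle implementation. The sensitivity thresholds, the one-second window, the working-set size and the penalty length are constructed numbers chosen for the illustration, since the page gives none; the sample traffic is constructed as well.

```python
"""Model of connection-rate filtering: working set, threshold, and actions.

Constructed example: thresholds, window, working-set size, penalty length and
the sample traffic are invented; the classes are not the switch's code.
"""
from collections import defaultdict, deque

# Assumption: new connections allowed per window for each global sensitivity.
SENSITIVITY_THRESHOLD = {"low": 50, "medium": 20, "high": 5}
WINDOW_SECONDS = 1.0          # assumed length of the counting period
WORKING_SET_SIZE = 8          # assumed number of destinations remembered per source


class ConnectionRateFilter:
    def __init__(self, sensitivity="low", mode="notify-only", penalty_seconds=30.0):
        if mode not in ("notify-only", "throttle", "block"):
            raise ValueError(mode)
        self.threshold = SENSITIVITY_THRESHOLD[sensitivity]
        self.mode = mode
        self.penalty = penalty_seconds
        self.working_set = defaultdict(lambda: deque(maxlen=WORKING_SET_SIZE))
        self.new_conn_times = defaultdict(deque)   # source -> times of new connections
        self.throttled_until = {}                   # source -> time the penalty expires
        self.blocked = set()                        # cleared only by an administrator
        self.events = []                            # (time, source, message) notifications

    def handle(self, t: float, src: str, dst: str) -> str:
        """Process one inbound packet from src to dst at time t; return the verdict."""
        if src in self.blocked:
            return "drop:blocked"
        if src in self.throttled_until:
            if t < self.throttled_until[src]:
                return "drop:throttled"
            del self.throttled_until[src]           # penalty period has expired

        ws = self.working_set[src]
        if dst in ws:
            return "forward"                        # existing session, not counted
        ws.append(dst)                              # a new connection
        times = self.new_conn_times[src]
        times.append(t)
        while times and t - times[0] > WINDOW_SECONDS:
            times.popleft()                         # keep only the current window
        if len(times) <= self.threshold:
            return "forward"

        # Threshold exceeded: always notify, then apply the configured action.
        self.events.append((t, src, "connection-rate threshold exceeded (%s)" % self.mode))
        if self.mode == "throttle":
            self.throttled_until[src] = t + self.penalty
            times.clear()
            return "drop:throttled"
        if self.mode == "block":
            self.blocked.add(src)
            return "drop:blocked"
        return "forward"                            # notify-only

    def unblock(self, src: str) -> None:
        """Blocks persist until an administrator clears them; throttles cannot be cleared."""
        self.blocked.discard(src)


def simulate(mode: str):
    """Constructed traffic: one normal host and one host behaving like a spreading worm."""
    crf = ConnectionRateFilter(sensitivity="medium", mode=mode, penalty_seconds=30.0)
    verdicts = []
    # Normal host: three destinations, revisited repeatedly over three seconds.
    for i in range(30):
        verdicts.append(crf.handle(i * 0.1, "10.1.8.20", "10.1.9.%d" % (1 + i % 3)))
    # Worm-like host: a never-before-seen destination every 20 ms.
    for i in range(30):
        verdicts.append(crf.handle(i * 0.02, "10.1.8.66", "10.1.9.%d" % (100 + i)))
    # The same host again, well after a 30 s penalty period would have expired.
    verdicts.append(crf.handle(40.0, "10.1.8.66", "10.1.9.200"))
    return crf, verdicts


if __name__ == "__main__":
    for mode in ("notify-only", "throttle", "block"):
        crf, v = simulate(mode)
        print(mode, "verdict at packet 51:", v[50], "| after 40 s:", v[60], "| events:", len(crf.events))
```

Running the three modes side by side shows the difference the note below the sensitivity discussion makes: the throttled host is forwarded again on its own once the penalty period is over, while the blocked host stays dropped until unblock() is called, and in notify-only mode every packet is forwarded and only the event log grows.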
Connection-rate sensitivity
The switch includes a global sensitivity setting that allows you to adjust the ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source.

Generally, normal network traffic has a fairly different profile compared to traffic introduced into the network by malicious agents. However, when a legitimate computer generates multiple connections in a short period of time, connection-rate filtering could potentially generate a false positive and treat the computer as an infected system. Lowering the sensitivity or changing the filter mode (notify-only,
On the other hand, relaxing filtering and sensitivity settings does lower the switch's ability to detect worm-like traffic in the early stages of an attack. Your approach should be carefully investigated and planned to ensure that a risky vulnerability is not created.

First, whether the switch throttles or blocks suspicious traffic, it does this on inbound traffic from the computer, not on traffic outbound to the computer.

Note
When a source IP address is throttled, you cannot cancel the throttle action; the penalty period must expire. On the other hand, you must manually cancel a block that is applied to a source IP address. Carefully tuning the global
Connection-rate filtering also supports its own special form of ACLs called connection-rate ACLs. These will be described later in this section.
Guidelines: Using connection-rate filtering
On this page and the next one, some general guidelines for using connection-rate filtering are listed. Because every network can have its own distinct traffic profiles, there is no one approach that will both secure your network and eliminate false positives. Since connection-rate filtering operates based on a configured sensitivity level of incoming connection requests per time period, using this feature will require that you have an understanding of what the normal traffic patterns are for both highly active servers and typical end-user computers.

For a network that is relatively attack-free, you should set the global sensitivity to low and enable notify-only mode on the ports you want to monitor with connection-rate filtering.

If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps. Then monitor the Event log or the SNMP

Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior. Computers demonstrating high but legitimate connection rates, such as heavily used servers, may trigger a connection-rate filter. For these sources you should consider doing the following:

rate filtering keys off of the source IP address. Therefore, enabling throttle or block mode will only affect those sources that exceed the global sensitivity level.

Implementing and managing features like connection-rate filtering that operate based
configuration process when you begin using it. But you also need to maintain the practice of carefully monitoring the Event log or trap receivers for any sign of high
and helps to identify hosts that may require updates or patches to eliminate malicious code.

Compared to a network that is relatively attack-free, you should set the global sensitivity to medium and enable throttle mode for a network under significant attack. As described previously, you will then need to monitor the Event log or the SNMP trap receivers to identify computers exhibiting high connection rates.

Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior. On hosts you identify as needing attention to remove malicious behavior:

- To immediately halt an attack from a specific computer, group of hosts, or a subnet, you can use the per-port block mode on the ports traversed by these sources.
- After gaining control of the situation, you can use connection-rate ACLs to more selectively manage traffic to allow receipt of normal routed traffic from reliable computers.
Implementing connection-rate filtering

To configure connection-rate filtering, there are three primary tasks involved:

- You enable connection-rate filtering globally when you configure the detection sensitivity. You must determine the sensitivity for your network, i.e., how many
Although the feature is enabled when you set the detection sensitivity, you must
- You assign connection-rate filtering to one or more ports. As part of this task, you specify the action that will be applied if suspicious behavior is detected.
- Optionally, you configure a connection-rate ACL to allow traffic to bypass connection-rate filtering from one or more hosts. This type of ACL is separate from the standard and extended ACLs that were described in a previous section.

Figure 3

You use the connection-rate-filter sensitivity command to enable connection-rate filtering and specify the global sensitivity detection level. The no form of the command disables connection-rate filtering.
The sensitivity setting determines how the switch interprets a given computer's
a malicious agent. The sensitivity setting also determines the throttle mode penalty
in less than 1 second, and a corresponding penalty time for throttle mode
corresponding penalty time for throttle mode between 90 and 120 seconds.
Figure 4

You use the filter connection-rate command to assign connection-rate filtering to one or more ports and specify the filtering mode. The no filter connection-rate command is used to remove connection-rate filtering from one or more ports.

The filtering mode specifies the manner in which the switch will respond if a relatively high number of inbound connection attempts is detected from a given source, that is, if the global sensitivity threshold you configured is exceeded.

The filtering modes are:

- notify-only: when the switch detects a relatively high connection rate from a computer, this option generates an Event log message and sends a similar message to any configured SNMP trap receivers.
- throttle: when the switch detects a relatively high connection rate from a computer, this option generates the notify-only message and also blocks all traffic inbound from the offending computer for a penalty period. After the penalty period expires, the switch allows traffic from the offending host to resume, and re-examines the traffic. If the suspect behavior continues, the switch again blocks the traffic from the offending computer and repeats the cycle.
- block: this option generates the notify-only messaging and also blocks all traffic inbound from the offending computer until you remove the block with the connection-rate-filter unblock command.
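To make the three modes concrete, here is an added Python simulation of a per-port connection-rate filter. It is an illustration written for this guide, not HP code and not the switch's implementation: it counts connection requests per source IP address in a sliding time window and, when the configured limit is exceeded, applies notify-only (log and forward), throttle (drop for a penalty period, then let traffic resume and re-examine it) or block (drop until an explicit unblock). The SENSITIVITY thresholds and penalty times are constructed assumptions, since the page does not give the switch's real per-level values, and the sample traffic in run_demo is constructed as well.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set

# Constructed assumption: (max requests per window, window seconds, throttle penalty seconds).
# The switch's real values for low/medium/high are not given on this page.
SENSITIVITY = {
    "low":    (20, 1.0, 60.0),
    "medium": (10, 1.0, 90.0),
    "high":   (5,  1.0, 120.0),
}

MODES = ("notify-only", "throttle", "block")


@dataclass
class ConnectionRateFilter:
    """Per-switch state: global sensitivity, per-port mode, per-source history."""
    sensitivity: str = "low"
    port_mode: Dict[str, str] = field(default_factory=dict)
    history: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    throttled_until: Dict[str, float] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)  # stands in for the Event log / SNMP trap

    def filter_port(self, port: str, mode: str) -> None:
        """Simulated equivalent of 'filter connection-rate <port> <mode>'."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.port_mode[port] = mode

    def inbound(self, now: float, port: str, src: str) -> bool:
        """Process one inbound connection request; True = forwarded, False = dropped."""
        mode = self.port_mode.get(port)
        if mode is None:
            return True                      # port not protected by connection-rate filtering
        if src in self.blocked:
            return False                     # block mode: dropped until explicitly unblocked
        expiry = self.throttled_until.get(src)
        if expiry is not None:
            if now < expiry:
                return False                 # still inside the throttle penalty period
            del self.throttled_until[src]    # penalty over: let traffic resume and re-examine it
        limit, window, penalty = SENSITIVITY[self.sensitivity]
        q = self.history[src]
        q.append(now)
        while q and now - q[0] > window:     # keep only requests inside the sliding window
            q.popleft()
        if len(q) <= limit:
            return True
        # Threshold exceeded: every mode produces the notification; the reaction differs.
        self.log.append(f"port {port}: high connection rate from {src} "
                        f"({len(q)} requests within {window}s)")
        q.clear()                            # start a fresh measurement after acting
        if mode == "throttle":
            self.throttled_until[src] = now + penalty
            return False
        if mode == "block":
            self.blocked.add(src)
            return False
        return True                          # notify-only: traffic is still forwarded

    def unblock(self, target: str = "all") -> int:
        """Simulated 'connection-rate-filter unblock': all, a subnet, or a single host."""
        if target == "all":
            count = len(self.blocked)
            self.blocked.clear()
            return count
        net = ipaddress.ip_network(target, strict=False)   # "10.1.3.0/24" or "10.1.3.10"
        hits = {h for h in self.blocked if ipaddress.ip_address(h) in net}
        self.blocked -= hits
        return len(hits)


def run_demo() -> Dict[str, int]:
    """Constructed traffic: 25 requests in under a second from one host on each port."""
    crf = ConnectionRateFilter(sensitivity="low")
    crf.filter_port("A1", "notify-only")
    crf.filter_port("B1", "throttle")
    crf.filter_port("B2", "block")
    burst = [i * 0.04 for i in range(25)]
    r = {}
    r["notify_forwarded"] = sum(crf.inbound(t, "A1", "10.1.1.10") for t in burst)
    r["throttle_forwarded"] = sum(crf.inbound(t, "B1", "10.1.2.10") for t in burst)
    r["throttle_after_penalty"] = int(crf.inbound(70.0, "B1", "10.1.2.10"))
    r["block_forwarded"] = sum(crf.inbound(t, "B2", "10.1.3.10") for t in burst)
    r["block_after_long_wait"] = int(crf.inbound(1000.0, "B2", "10.1.3.10"))
    r["unblocked"] = crf.unblock("10.1.3.0/24")
    r["block_after_unblock"] = int(crf.inbound(1001.0, "B2", "10.1.3.10"))
    r["notifications"] = len(crf.log)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the operational difference the guidelines rely on: the notify-only port forwards all 25 requests and only logs, the throttle port drops the excess until the penalty expires and then re-examines the source, and the block port keeps dropping until unblock is called for the host or its subnet.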
Figure 5

The show connection-rate-filter command displays the connection-rate-filtering configuration. This command answers these questions:

- Is the feature enabled?
- On which ports is it enabled?
- What action does the switch take against suspicious traffic for each port?

Figure 6

The show connection-rate-filter command also accepts options. These options allow you to view how your switch is currently implementing connection-rate filtering, for example which hosts are currently throttled or blocked.
Figure 7

If the list of blocked-hosts shows an IP address that you have cleared for renewed network access, then you must manually remove the block by using the connection-rate-filter unblock command. You can remove all blocks at once, all blocks for IP addresses in a given subnet, or only the block on a specific IP address.

Keep in mind that throttled hosts cannot be managed this way; the temporary block is removed when the throttle period expires.

Note

HP recommends that, before you unblock a source IP address that has been blocked by connection-rate filtering, you inspect the computer with current antivirus tools and remove
high connection-rate traffic, then you should consider either changing the sensitivity level or configuring a connection-rate ACL that allows this traffic to bypass connection-rate filtering.
A connection-rate ACL is an optional feature that consists of one or more explicitly configured ACEs used to specify whether to enforce the configured connection-rate policy on traffic from a particular source. Use of connection-rate ACLs allows you to apply exceptions to the configured connection-rate filtering policy. This enables you to bypass connection-rate filtering for legitimate traffic from a trusted source.

For example, where a connection-rate policy has been configured, you can apply a connection-rate ACL that causes the switch to bypass connection-rate policy filtering on traffic from:

- A trusted server exhibiting a relatively high IP connection rate due to heavy demand
- A trusted traffic source on the same port as other, untrusted traffic sources

Connection-rate ACLs support some of the parameters of extended ACLs that you are already familiar with, although there are several differences. These differences are illustrated on the next page. The criteria that you can specify for a connection-rate ACL can include the source IP address of traffic from a specific host, group of hosts, or a subnet, and can also include source and destination TCP/UDP criteria.

Figure 8

The filter option assigns connection-rate filtering to traffic that matches the IP address and TCP/UDP port criteria. The ignore option specifies that traffic matching the criteria is to bypass connection-rate filtering.

When you define an ACE for a connection-rate ACL, you can define it using the source IP address criterion only, or you can specify both source IP address and TCP/UDP criteria.
Similar to standard and extended ACLs, the source IP address may be specified in one of four forms:

- any (literal term)
- Single host
- Address with a dotted decimal mask
- Address with a bit mask length

A connection-rate ACL also allows you to identify traffic based on the destination port, the source port, or both. These fields are located in the layer 4 (TCP or UDP) header. The port identifier may be any one of the following:

- A port number in the range of 0 to 65535
- A well-known port name listed in the table below:

TCP                UDP
                   snmp-trap  tftp

If you specify a source or destination port number or name, you also need to specify one of the following comparison operators:

eq   Equal to
gt   Greater than
lt   Less than
neq  Not equal to
Just like standard and extended ACLs, a connection-rate ACL contains a hidden implicit ACE. The implicit ACE is activated if a given packet does not match any of the other ACEs of the ACL. The implicit ACE in a connection-rate ACL functions differently than the implicit ACE of standard and extended ACLs.

In a connection-rate ACL, the format of the implicit ACE is filter ip any. This ACE sends a packet that does not match any of the explicitly defined ACEs to the connection-rate filtering process.

To preempt the implicit ACE, you can configure an ignore ip any ACE as the last explicit entry in the connection-rate ACL. The switch will then ignore (permit) traffic that does not match the other ACEs in the ACL without filtering the traffic through the connection-rate policy.
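The following Python block is a worked evaluation of a connection-rate ACL, added here as an illustration; it is not HP code and does not use the switch's command syntax (the ACE data structure, the sample ACL and the sample packets are all constructed). It applies the rules stated above: explicit ACEs are tried in order and the first match decides filter or ignore, the four source forms and the eq/gt/lt/neq port operators are honoured, a packet matching no explicit ACE falls to the implicit filter ip any, and a trailing ignore any ACE preempts that implicit entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Comparison operators listed on the page.
PORT_OPS = {
    "eq": lambda actual, ref: actual == ref,
    "gt": lambda actual, ref: actual > ref,
    "lt": lambda actual, ref: actual < ref,
    "neq": lambda actual, ref: actual != ref,
}
# Well-known names from the page's table; values are the standard IANA port numbers.
PORT_NAMES = {"snmp-trap": 162, "tftp": 69}

PortRule = Tuple[str, str]   # (operator, port number or well-known name)


@dataclass
class ACE:
    action: str                           # "filter" or "ignore"
    source: str                           # any | host A.B.C.D | A.B.C.D M.M.M.M | A.B.C.D/len
    proto: Optional[str] = None           # "tcp", "udp", or None for a source-IP-only ACE
    src_port: Optional[PortRule] = None
    dst_port: Optional[PortRule] = None


@dataclass
class Packet:
    src_ip: str
    proto: str
    src_port: int
    dst_port: int


def parse_source(text: str) -> ipaddress.IPv4Network:
    """The four source forms from the page. For the dotted-decimal form, Python's
    ipaddress accepts both a netmask (255.255.255.0) and a wildcard/host mask
    (0.0.0.255); the switch's own mask semantics are not restated here."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def port_matches(rule: Optional[PortRule], value: int) -> bool:
    if rule is None:
        return True                       # no port criterion on this ACE
    op, ref = rule
    ref_num = PORT_NAMES[ref] if ref in PORT_NAMES else int(ref)
    return PORT_OPS[op](value, ref_num)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src_ip) not in parse_source(ace.source):
        return False
    if ace.proto is None:
        return True                       # source-IP-only ACE: protocol and ports ignored
    return (pkt.proto == ace.proto
            and port_matches(ace.src_port, pkt.src_port)
            and port_matches(ace.dst_port, pkt.dst_port))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, str]:
    """First matching explicit ACE wins; otherwise the implicit 'filter ip any' applies."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, f"ACE {index}"
    return "filter", "implicit filter ip any"


def run_demo() -> dict:
    """Constructed ACL: a trusted server, trusted TFTP clients, and a filtered subnet."""
    acl = [
        ACE("ignore", "host 10.1.1.5"),                                  # busy trusted server
        ACE("ignore", "10.1.2.0/24", "udp", dst_port=("eq", "tftp")),   # TFTP from one subnet
        ACE("filter", "10.1.3.0 255.255.255.0", "tcp", dst_port=("gt", "1023")),
    ]
    preempted = acl + [ACE("ignore", "any")]   # last explicit entry defeats the implicit ACE
    samples = {
        "server_http": Packet("10.1.1.5", "tcp", 40000, 80),
        "tftp_client": Packet("10.1.2.7", "udp", 50000, 69),
        "dns_client":  Packet("10.1.2.7", "udp", 50000, 53),
        "high_port":   Packet("10.1.3.9", "tcp", 1111, 8080),
        "ssh_client":  Packet("10.1.3.9", "tcp", 1111, 22),
    }
    return {name: (evaluate(acl, p), evaluate(preempted, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (plain, with_ignore_any) in run_demo().items():
        print(f"{name}: {plain} / with trailing ignore any: {with_ignore_any}")
```

The dns_client and ssh_client packets show the difference a trailing ignore any makes: with the three explicit ACEs alone they fall to the implicit filter ip any and are sent to the connection-rate filtering process, while with the fourth ACE they are ignored (permitted) without filtering.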
Applying connection-rate ACLs

Figure 9

To apply a connection-rate ACL, you use the vlan <vid> ip access-group command. The no form of the command removes the connection-rate ACL assignment from the VLAN.

A connection-rate ACL is applied at the VLAN level, but the ACL is evaluated for inbound traffic only on ports configured for connection-rate filtering in that VLAN. The ACL has no effect on ports in the VLAN that are not configured for connection-rate filtering.

The switch allows only one connection-rate ACL assignment per VLAN. If a VLAN already has a connection-rate ACL assigned and you assign a second connection-rate ACL to that VLAN, the second ACL overwrites the first one.
Example configuration

Figure 10

This graphic shows a portion of a switch configuration file with connection-rate filtering configured.

The global detection sensitivity is set to low, which means the connection-rate policy is the least sensitive. The switch is configured to protect the ports of modules A and B. The filter mode is set to notify-only on some ports, throttle on one port, and block on
particular server. Traffic matching this ACE will bypass connection-rate filtering and will not be subject to throttling should the server at some point trigger the connection-rate filter.
Connection-rate filtering can be used to detect worm-like network activity
- Monitors inbound IP traffic for a relatively high rate of connection requests from any given host on a port

The key configuration steps are:
- Enable connection-rate filtering globally and set the detection sensitivity level
- Assign connection-rate filtering to specific ports and specify the action to be taken
- Optionally, configure connection-rate ACLs

Connection rates for a given source that exceed a threshold can be throttled, blocked, or result in a notification only

A connection-rate ACL allows you to specify selected traffic from a source that should bypass the connection-rate filtering process