
Implementing HP Network Infrastructure Security

Rev. 10.41 - Course #: 00243555


Part Number: 00243555S1009

Student guide
HP Partner Learning
Copyright 2010 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.

HP Employee self-study use only. Reproduction or transfer outside of HP in whole or in part is prohibited.

Implementing HP Network Infrastructure Security - v10.41
Student Guide
September 2010
HP Restricted
Printed in the USA

Contents

Module 1: Threats and the Need for Security ... 1 - 1
  WBT Overview ... 1 - 1
  SSL with a CA signed certificate ... 1 - 3
Module 2: Traffic Mirroring ... 2 - 1
  Traffic mirroring overview ... 2 - 1
  Guidelines for ProVision traffic mirroring ... 2 - 3
  Local traffic mirroring: Configuration steps ... 2 - 4
  Local traffic mirroring: Configuring mirror session and traffic source ... 2 - 5
  Local traffic mirroring: Viewing the configuration ... 2 - 7
  Remote traffic mirroring: Configuration steps ... 2 - 9
  Remote traffic mirroring: Configuring jumbo frame support ... 2 - 10
  Remote traffic mirroring: Configuring the mirror sessions ... 2 - 11
  Remote traffic mirroring: Configuring the mirror sources ... 2 - 12
  Remote traffic mirroring: Viewing the configuration ... 2 - 13
  Comware Traffic Mirroring ... 2 - 15
Module 3: ACLs ... 3 - 1
  Scenario: ACLs ... 3 - 1
  VLAN basics ... 3 - 2
  Basic concepts of ACLs ... 3 - 3
  Implementing ACLs: Static options ... 3 - 5
  Implementing ACLs: Dynamic options ... 3 - 7
  Elements of an ACL ... 3 - 9
  Types of ACLs ... 3 - 10
  ACL criteria ... 3 - 11
  How an ACL mask works ... 3 - 13
  Filtering routed traffic: Assigning an ACL as a RACL ... 3 - 17
  Filtering switched traffic: Assigning an ACL as a VACL ... 3 - 19
  Assigning an ACL to a port ... 3 - 20
  Implied rules ... 3 - 21
  Defining the extended ACL ... 3 - 23
  Comware ACLs ... 3 - 27
  Summary: ACLs ... 3 - 31
Module 4: MAC Lockdown and Lockout ... 4 - 1
  Scenario: MAC Lockdown and MAC Lockout ... 4 - 1
  MAC Lockdown explained ... 4 - 2
  MAC Lockout explained ... 4 - 6
  Using MAC Lockdown and MAC Lockout together ... 4 - 9
  Comware MAC Table Configuration ... 4 - 10
  Summary: MAC Lockdown and Lockout ... 4 - 11
Module 5: Port Security ... 5 - 1
  Scenario: Port security ... 5 - 1
  Port security explained ... 5 - 2
  Comparison: Port security and MAC Lockdown ... 5 - 5
  MAC address learn modes ... 5 - 6
  Limited-continuous learn mode ... 5 - 9
Rev 10.41 i
  Summary: Port Security ... 5 - 15
Module 6: Traffic Filters ... 6 - 1
  Scenario: Traffic Filters ... 6 - 1
  ProVision Source Port Filters ... 6 - 2
  Comware Port Isolation ... 6 - 3
  Use cases ... 6 - 4
Module 7: Spanning Tree Protection ... 7 - 1
  Objectives ... 7 - 1
  Spanning-tree vulnerabilities ... 7 - 2
  BPDU filtering and protection ... 7 - 4
  Guidelines for using BPDU filtering and protection ... 7 - 5
  Root Guard and TCN Guard ... 7 - 8
  Comware Spanning Tree Protection ... 7 - 9
Module 8: DHCP Protection ... 8 - 1
  DHCP vulnerabilities ... 8 - 1
  Protecting against DHCP attacks: DHCP Snooping ... 8 - 2
  Using option 82 with DHCP snooping ... 8 - 4
  Comware DHCP Snooping ... 8 - 14
  Summary: ProVision DHCP snooping ... 8 - 17
Module 9: ARP Protection ... 9 - 1
  ARP vulnerabilities ... 9 - 1
  Dynamic ARP protection ... 9 - 3
  Guidelines: Using dynamic ARP protection ... 9 - 4
  Comware ARP Protection ... 9 - 9
  Summary: ARP protection ... 9 - 13
Module 10: IP Spoofing Protection ... 10 - 1
  Dynamic IP Lockdown ... 10 - 3
  IP Source Guard ... 10 - 8
Module 11: Virus Throttling ... 11 - 1
  Scenario: Protecting against viruses ... 11 - 1
  Connection-rate filtering ... 11 - 1
  Connection-rate filtering operation ... 11 - 2
  Using connection-rate ACLs ... 11 - 10
  Summary: Connection-rate filtering ... 11 - 14

Module 1: Threats and the Need for Security

Welcome to the Implementing HP Network Infrastructure Security certification class. This class covers the security features needed to protect a network, looking specifically at the features built into the switches. For further security training, look at the courses in the AIS and ASE Network Security certification tracks.

There is a prerequisite WBT, HP Network Infrastructure Security Technologies, for this class. The content covered in HP Network Infrastructure Security Technologies is not repeated in this class. You need to complete both HP Network Infrastructure Security Technologies and this class to get the whole picture.

WBT Overview

Module 1: Security Overview
  Lesson 1: The Challenges of Securing Networks
  Lesson 2: Defense in Depth and Security with HP Networking
Module 2: Trusted Network Infrastructure Data Integrity
  Lesson 1: Introduction to Data Integrity and Privacy
  Lesson 2: Key Management and Public Key Infrastructure (PKI)
  Lesson 3: Wireless Data Integrity and Privacy
Module 3: Trusted Network Infrastructure Built-In
  Lesson 1: DHCP Snooping and ARP Protection
  Lesson 2: MAC Spoofing Protection and STP Protection
  Lesson 3: Connection Rate Limiting and Filtering with HP Virus Throttle Technology
Module 4: Network Access Control
  Lesson 1: Access Control through VLANs and ACLs
  Lesson 2: Authentication Credentials
  Lesson 3: Authentication Protocols
  Lesson 4: Authentication, Authorization, and Accounting
  Lesson 5: Network Authentication Methods
  Lesson 6: Directories
Module 5: More Solutions for Controlling Traffic
  Lesson 1: Port and MAC Based Controls
  Lesson 2: Firewalls
  Lesson 3: Next Generation Firewalls
Module 6: Network Access Protection or Endpoint Integrity
  Lesson 1: Security Measures Implemented on the Endpoint
  Lesson 2: Network Access Control Based on Endpoint Integrity
Module 7: Virtual Private Networks
  Lesson 1: IPsec VPNs
  Lesson 2: L2TP and L2TP over IPsec VPNs
  Lesson 3: Generic Routing Encapsulation (GRE)
  Lesson 4: SSL and MACsec VPNs
Module 8: Threat Management
  Lesson 1: Intrusion Detection Systems (IDSs)
  Lesson 2: Deploying IDSs
  Lesson 3: Intrusion Prevention Systems (IPSs)

SSL with a CA signed certificate

Figure 1

The switches covered in this guide use Secure Socket Layer version 3 (SSLv3) and support Transport Layer Security (TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management-station clients capable of SSL/TLS operation. (SSLv3 has since been deprecated by RFC 7568 because of protocol-level weaknesses; where the switch firmware and the browser both allow it, prefer a TLS connection.)

SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions. The authentication type is server certificate authentication with user password authentication.

Server certificate authentication with user password authentication. This option is a subset of full certificate authentication of the user and host. It occurs only if the switch has SSL enabled. As shown in Figure 2, the switch authenticates itself to the SSL-enabled web browser. Users on the SSL browser then authenticate themselves to the switch (at the operator and/or manager level) by providing passwords stored locally on the switch or on a TACACS+ or RADIUS server. The client does not use a certificate to authenticate itself to the switch. Because the password is the only client credential, the user must confirm that the browser actually trusts the switch's certificate before entering it; otherwise the password can be captured by an intermediary presenting its own certificate.


Figure 2


Terminology

SSL Server: An HP switch with SSL enabled.

Key Pair: Public/private pair of RSA keys generated by the switch. The public portion makes up part of the server host certificate and the private portion is stored in switch flash (not user accessible).

Digital Certificate: A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued. Information contained within the certificate includes the name of the subject, serial number, date of validity, subject's public key, and the digital signature of the authority who issued the certificate. Certificates on HP switches conform to the X.509v3 standard, which defines the format of the certificate.

Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate: the browser cannot distinguish the switch's self-signed certificate from one generated by an attacker, so the certificate fingerprint must be verified out of band before the user accepts it.

CA-Signed Certificate: A certificate verified by a third-party certificate authority (CA). The authenticity of a CA-signed certificate can be verified by following the chain of signatures back to a trusted root certificate.

Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-signed certificates) and used later on to verify the authenticity of those signed certificates. Trusted root certificates are distributed as an integral part of most popular web clients (see the browser documentation for which root certificates are pre-installed).

Manager Level: Manager privileges on the switch.

Operator Level: Operator privileges on the switch.

Local password or username: A Manager-level or Operator-level password configured in the switch.

SSL Enabled: (1) A certificate key pair has been generated on the switch (web interface or CLI command: crypto key generate cert [key size]); (2) a certificate has been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]); and (3) SSL is enabled (web interface or CLI command: web-management ssl). You can generate a certificate without enabling SSL, but you cannot enable SSL without first generating a certificate.
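
The three CLI steps of the SSL Enabled definition, assembled into one sequence for a ProVision switch, as an added example that is not from the original guide. The key size, the interactive prompts of the self-signed certificate command, and the two verification commands at the end (show crypto host-cert and no web-management plaintext) are assumptions taken from ProVision CLI usage rather than from this page; check them against the Management and Configuration Guide for your switch. Lines beginning with ; are comments.

```text
; Added example: enable SSL on a ProVision switch with a self-signed certificate.
; Step 1: generate the RSA key pair. The public half becomes part of the host
;         certificate; the private half stays in switch flash. 1024 is an assumed size.
switch(config)# crypto key generate cert 1024

; Step 2: generate the self-signed server host certificate. The switch prompts
;         for the validity dates and subject fields (assumed interactive prompts).
switch(config)# crypto host-cert generate self-signed

; Step 3: enable SSL for web management. This is refused if step 2 was skipped.
switch(config)# web-management ssl

; Checks a practitioner adds (assumed ProVision commands):
; - confirm the certificate is installed and record its fingerprint, so that
;   users can verify it out of band before trusting the self-signed certificate
switch(config)# show crypto host-cert
; - turn off plaintext HTTP, so the password-only client authentication
;   never crosses the wire unencrypted
switch(config)# no web-management plaintext
```

Leaving plaintext web management enabled alongside SSL defeats the purpose of step 3: a user who types http:// instead of https:// still sends the Manager or Operator password in the clear.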

Generate a CA-signed server host certificate with the web browser interface on a ProVision based switch

This procedure installs a CA-signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled Using the ProCurve Web Browser Interface in the Management and Configuration Guide for your switch.

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the certificate request, which is then copied off the switch for submission to the certificate authority; only the request, carrying the public key, leaves the switch, while the private key stays in switch flash. The second phase is the actual submission process, in which the certificate authority verifies the certificate request and then digitally signs it to generate a certificate response (the usable server host certificate). The third phase is the download phase, which consists of pasting the certificate response into the switch web server; the switch validates it and puts it into use when SSL is enabled.

To generate a certificate request from the web browser interface:

a. Select the Security tab, then select the [SSL] button.
b. Select the Create Certificate/Certificate Request radio button.
c. Select Create CA Request from the Certificate Type drop-down list.
d. Select the key size from the RSA Key Size drop-down list. If you wish to re-use the current certificate key, select Current from the RSA Key Size drop-down list.
e. Fill in the remaining certificate arguments.
f. Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty; you will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a non-PEM encoded certificate request reply.)
g. After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste it into the lower text box.
h. Click on the [Apply Changes] button to install the certificate.


Configuring an SSL Server Policy on a Comware switch

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, for example HTTP.

Configuration Prerequisites

When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server-side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain.


Configuration Procedure

Follow these steps to configure an SSL server policy. Each step gives what to do, the command to use, and remarks.

1. Enter system view.
   Command: system-view

2. Create an SSL server policy and enter its view.
   Command: ssl server-policy <policy-name>
   Remarks: Required.

3. Specify a PKI domain for the SSL server policy.
   Command: pki-domain <domain-name>
   Remarks: Required. By default, no PKI domain is specified for an SSL server policy.

4. Specify the cipher suite(s) for the SSL server policy to support.
   Command: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
   Remarks: Optional. By default, an SSL server policy supports all cipher suites.

5. Set the handshake timeout time for the SSL server.
   Command: handshake timeout <time>
   Remarks: Optional. 3,600 seconds by default.

6. Set the SSL connection close mode.
   Command: close-mode wait
   Remarks: Optional. Not wait by default.

7. Set the maximum number of cached sessions and the caching timeout time.
   Command: session { cachesize <size> | timeout <time> } *
   Remarks: Optional. The defaults are 500 for the maximum number of cached sessions and 3,600 seconds for the caching timeout time.

8. Enable certificate-based SSL client authentication.
   Command: client-verify enable
   Remarks: Optional. Not enabled by default.

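The procedure above carried through as one Comware configuration, as an added example that is not from the original guide. The policy name web-ssl and the PKI domain name sw-pki are placeholders; the cipher-suite restriction is the editor's hardening choice (it keeps only the AES suites from the list in step 4 and drops single DES and RC4, both of which are no longer considered safe); and the last three commands, which bind the policy to the HTTPS service and display the result, are assumed from Comware usage rather than taken from this page. Verify them against the Comware Security Configuration Guide for your platform. Lines beginning with # are comments.

```text
# Added example: Comware SSL server policy for the switch web interface.
# Assumes the PKI domain "sw-pki" is already configured and enrolled
# (the configuration prerequisite above); "web-ssl" is an assumed policy name.
<Switch> system-view
[Switch] ssl server-policy web-ssl
[Switch-ssl-server-policy-web-ssl] pki-domain sw-pki
# Restrict the offered cipher suites instead of accepting the "all suites" default:
# rsa_des_cbc_sha, rsa_rc4_128_md5 and rsa_rc4_128_sha are left out on purpose.
[Switch-ssl-server-policy-web-ssl] ciphersuite rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha
# Shorten the handshake timeout from the 3600-second default so that a client that
# never finishes its handshake holds the server state for less time (value assumed).
[Switch-ssl-server-policy-web-ssl] handshake timeout 60
# Session cache stays at its defaults (500 entries, 3600 s). client-verify stays off,
# because this page's model authenticates users by password, not by client certificate.
[Switch-ssl-server-policy-web-ssl] quit
# Bind the policy to HTTPS and enable the service (commands assumed from Comware usage).
[Switch] ip https ssl-server-policy web-ssl
[Switch] ip https enable
# Check the result: the policy must show PKI domain sw-pki and only the two AES suites.
[Switch] display ssl server-policy web-ssl
```

Until the policy is bound to an application protocol (here HTTPS) it has no effect, which is the point made in the introduction to this section: a correctly built policy that is never associated leaves the web interface running with the default parameters.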
Module 2: Traffic Mirroring

This module describes the traffic mirroring features available on various ProVision and Comware based switches. Traffic mirroring can be used for copying traffic from various ports for troubleshooting purposes or for intrusion activity analysis.

Traffic mirroring overview

Figure 1

Traffic mirroring, which is also called intelligent mirroring, allows you to monitor traffic to detect threats, troubleshoot problems, or manage the network. For example, you can use a network protocol analyzer on a remote computer to examine the mirrored data stream and troubleshoot a network experiencing problems.

For threat detection, you can monitor traffic through a security appliance such as an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) device. The security appliance must be able to receive the mirrored data stream in order to detect threats such as hackers and malicious attacks. Many IDS/IPS systems can be positioned in-line at strategic locations in the network, such as at the network perimeter or at an entry point to an enclave network. Using the traffic mirroring feature, traffic from other locations in the network can be funneled to the IDS/IPS device for analysis as well. Note that a device fed only by a mirror receives a copy of the traffic, so it can detect but not block; blocking still requires the in-line placement.

There are two types of traffic mirroring:

- Local traffic mirroring, in which the source and the destination for the mirrored data stream are on the same switch
- Remote traffic mirroring, in which the source and the destination are on different switches

The traffic mirroring feature provides some significant advantages over the mirroring feature available in unintelligent switches. Rather than limiting you to mirroring traffic from one port to another port on the same switch, the E8200zl, E5400zl, E6200yl, and E3500yl switches now allow you to mirror traffic to a remote switch. In addition, each switch can support more than one data stream of mirrored traffic.


Note
Other HP switches that support an earlier implementation of the traffic mirroring feature only allow the traffic stream to be sent to another port on the same switch.

With traffic mirroring, you no longer need a monitoring port on every switch. Instead, you can send mirrored data from multiple remote switches to one local switch. The security appliance attached to this local switch can then monitor all the mirrored data, reducing the number of security appliances you need on your network.


Guidelines for ProVision traffic mirroring

Figure 2

Each switch can be the originator of up to four mirror sessions. A mirror session is defined according to the source and destination switches managing a data stream. You define the source of a data stream when you set up each session by specifying one or more of these criteria:

- Local port or multiple local ports, including mesh ports
- Local trunk (link aggregation)
- Local virtual LAN (VLAN) or multiple VLANs

The destination for a mirror session can be an exit port on the local switch, or the destination can be another switch. The remote switch can be located anywhere in the network.

Each switch can be the destination of up to 32 mirror sessions and the source of up to 4 mirror sessions from itself. Sessions for which the switch is both the source and the destination are restricted to four due to the limit on the number of originating mirror sessions. As the destination, the switch sends data streams to the exit port you specify: the port to which a receiving device, such as an IDS/IPS device or network analyzer, is directly or indirectly attached.

You can configure one or more mirror sessions to use the same exit port, or you can distribute the mirrored traffic across multiple exit ports. In this example, the switch is configured to send three mirror sessions to the same exit port that provides a path to an IDS/IPS device. The switch is also sending one mirror session to a local port connecting to a device running a packet analyzer.


Local traffic mirroring: Configuration steps

Figure 3

If you want to configure traffic mirroring, the first step is to configure the destination switch, whether the source is local or remote to the switch. If the destination switch is not ready to handle the mirrored traffic forwarded by another switch, performance may be adversely affected, because the switch receives packets that it does not know are intended for an attached device running an IDS/IPS or packet analyzer.

The second step is to configure the source switch. In the case of local traffic mirroring, this is of course the same switch. In this step, you define a mirror session number and the destination for the mirror session. For local traffic mirroring, the destination is a port on the same switch. For remote traffic mirroring, the destination is some other switch.

As part of the procedure for defining the source switch, you identify the source interface for the mirror session and the traffic of interest that you want to monitor. The source interface can be:

- A port or multiple ports, including mesh ports
- A trunk (link aggregation)
- A VLAN or multiple VLANs

To identify the traffic of interest you have two options:

- Select traffic based on its direction. The mirrored packets can be those inbound to the interface, those outbound from the interface, or both.
- Select traffic by applying an ACL. If you only want to monitor inbound traffic, you can use a standard or extended ACL to further refine the particular packets that are mirrored. The switch only mirrors the inbound traffic that matches the criteria configured in the ACL. For example, in an extended ACL, you can specify criteria that include the source IP address, destination IP address, source port number, destination port number, and protocol.


Local traffic mirroring: Configuring mirror session and traffic source

Figure 4

If you are configuring local traffic mirroring, you begin by configuring the exit port using the mirror command from the global configuration level. The no form of the command removes the mirroring session and any mirroring source previously assigned to that session.

You must complete this step before you define the originating interface. If you try to configure the originating interface first, the CLI displays a message explaining that it cannot apply the command until you configure the destination for the specified session number.

Using the mirror command, you specify the following information:

- <1-4>: An integer value between 1 and 4 that identifies the mirroring session to be allocated by this command.
- name <name-string>: An optional alphanumeric name string, up to 15 characters in length, used to identify the session. A friendly name can be useful to identify the purpose of the traffic monitoring session, especially if it is maintained for an extended period of time.
- port <port-id>: The identifier of the exit port to be used for sending mirrored traffic for the specified session. For a local mirroring session, this is the port to which a packet analyzer or IDS/IPS device is directly connected. Multiple sessions on the switch can use the same exit port.

The second step is to identify the source of the traffic and the particular traffic that is to be mirrored, using the monitor command. There are multiple formats of the monitor command.


First, you must choose between specifying the traffic source as a physical
interface (port, trunk, or mesh port) or a logical interface (one or more
VLANs). To specify the former you use the interface command prefix. To
specify the latter you use the vlan command prefix.
Second, you must choose how to identify the actual traffic that is to be

d.

te
monitored. You can do this based on the traffics direction, relative to the

bi
switch, or by using a standard or extended ACL. If you choose to use an ACL,

i
oh
only that subset of inbound traffic that matches the ACL criteria will be

pr
mirrored.

s
i
rt
pa
Using the monitor command, you specify the following information:

n
i
interface <port-id | trunk-id | mesh>Use this prefix to specify one or

or

more physical ports, trunk groups, or the ports comprising a mesh on the

le
ho
switch as the source of the traffic to be mirrored. For example, you could

w
specify interface a1-a3,trk1-trk2,mesh.

in
P
vlan <vid>Use this prefix to specify a VLAN on the switch as the source of

H
the traffic to be mirrored.

of
de
monitor all <in | out | both>Use this option to identify the traffic to be
i
mirrored based on direction. ts
ou
r

After specifying the all keyword (implying all types of packets are candidates
fe
ns

for traffic mirroring), you must specify the direction of traffic to be mirrored
tra

based on whether the traffic is entering or leaving the switch on the physical or
or

logical interface. Specify in to mirror traffic entering the switch, out to mirror
n

traffic exiting the switch, or both to mirror traffic entering or exiting.


tio
uc

ip access-group <acl-id>Use this option to identify the traffic to be


od

mirrored based on a standard or extended ACL that you have previously


r
ep

defined. Only inbound traffic to the switch can be selected for mirroring when
.R

an ACL is used.
ly
on

ACLs used for selecting traffic to mirror are configured in the same way
e
us

as ACLs for traffic filtering. This means that an ACL applied as a static
y

port ACL, VACL, or RACL can be applied to mirroring, but an ACL used
d
tu

for mirroring does not filter traffic.


f-s
l

When an ACL is applied to mirroring, the permit and deny statements in


se

the ACL take on a different role than in ACL traffic filtering. A packet
ee
oy

matching a permit statement will be mirrored, and a packet matching a


pl

deny statement will not be mirrored. Any log keywords in ACL deny
Em

statements are ignored by the mirroring function.


P
H

2 6 Rev 10.41
Traffic Mirroring

If both a mirrored ACL and a statically-configured ACL are applied to the same interface, and a packet matches a permit statement in the mirrored ACL and a deny statement in the statically-configured ACL, the packet will be mirrored and dropped. Each mirrored ACL applied to an interface uses shared switch resources. The rules applicable for adding, removing, replacing, or modifying a traffic-filtering ACL also apply to an ACL used for mirroring.

mirror <1 - 4 | name-string>: Assigns the traffic defined by the interface and direction to a session by number or by name, if configured. The session must have been previously configured.

Depending on how many sessions are already configured on the switch, you can use the same command to assign the specified source to up to four numeric or alphanumeric session identifiers.
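To make the two roles of an ACL concrete, here is an added Python model (not code from this course or from HP switch software) of first-match ACL evaluation in its filtering role and in its mirror-selection role, run over a constructed web-server policy; the ACL names, addresses and sample packets are assumptions.

```python
"""Added example, not from the HP course: how the same ACL behaves as a
traffic filter versus as a mirror-source selector on a ProVision switch.

Constructed assumptions: ACLs are evaluated first-match, top to bottom,
with an implicit deny at the end; a packet is a dict with src, dst
(IPv4 strings), proto and dport.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One Access Control Entry: an action plus its match criteria."""
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network in CIDR form
    dst: str = "0.0.0.0/0"          # destination network in CIDR form
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    log: bool = False               # the 'log' keyword on a deny ACE

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    def first_match(self, pkt: dict) -> Optional[Ace]:
        """First-match evaluation; None means the implicit deny applies."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace
        return None


def filter_decision(acl: Acl, pkt: dict) -> dict:
    """Filtering role (static port ACL, VACL or RACL): permit forwards,
    deny drops, and 'log' on a matching deny ACE produces a log entry."""
    ace = acl.first_match(pkt)
    forwarded = ace is not None and ace.action == "permit"
    logged = ace is not None and ace.action == "deny" and ace.log
    return {"forwarded": forwarded, "logged": logged}


def mirror_decision(acl: Acl, pkt: dict, direction: str = "in") -> dict:
    """Mirroring role ('ip access-group <acl-id>' on a mirror source):
    permit copies the packet to the session, deny does not, nothing is
    filtered, 'log' is ignored, and only inbound traffic can be selected."""
    if direction != "in":
        raise ValueError("ACL-based mirror sources select inbound traffic only")
    ace = acl.first_match(pkt)
    return {"mirrored": ace is not None and ace.action == "permit",
            "logged": False}


def interface_outcome(mirror_acl: Acl, filter_acl: Acl, pkt: dict) -> dict:
    """A mirroring ACL and a static filtering ACL on the same interface act
    independently, so a packet can be both mirrored and dropped."""
    m = mirror_decision(mirror_acl, pkt)
    f = filter_decision(filter_acl, pkt)
    return {"mirrored": m["mirrored"], "forwarded": f["forwarded"],
            "logged": f["logged"]}


# Constructed sample policy: copy everything sent to the web server to the
# analyzer, while the filtering ACL admits only TCP/80 to that server.
MIRROR_ACL = Acl("MIRROR-WEB", [Ace("permit", dst="10.1.20.10/32"),
                                Ace("deny", log=True)])
FILTER_ACL = Acl("FILTER-WEB", [Ace("permit", dst="10.1.20.10/32",
                                    proto="tcp", dport=80),
                                Ace("deny", dst="10.1.20.10/32", log=True)])

WEB_REQUEST = {"src": "10.1.10.5", "dst": "10.1.20.10", "proto": "tcp", "dport": 80}
TELNET_TRY = {"src": "10.1.10.5", "dst": "10.1.20.10", "proto": "tcp", "dport": 23}
OTHER_HOST = {"src": "10.1.10.5", "dst": "10.1.20.11", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for label, pkt in (("web", WEB_REQUEST), ("telnet", TELNET_TRY),
                       ("other", OTHER_HOST)):
        print(label, interface_outcome(MIRROR_ACL, FILTER_ACL, pkt))
```

The telnet case is the "mirrored and dropped" outcome the text describes: the analyzer still receives a copy of a packet the filtering ACL discarded.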

Local traffic mirroring: Viewing the configuration

Figure 5

You use the show monitor command to view the traffic mirroring configuration on the switch.

If a remote mirroring source is configured on the switch, then the following fields appear. Otherwise, the output displays the message Mirroring is currently disabled.

Sessions: Lists the sessions configurable on the switch.

Status: For each session, shows current session activity.
Active: The session is configured and is mirroring traffic.
Inactive: The session is configured, but is not currently mirroring traffic.
not defined: Mirroring not configured for this session.

Type: Indicates whether the session is a port (local) or IPv4 (remote) mirroring session.

Sources: Indicates how many mirroring sources are using each mirroring session.

ACL: Indicates whether the source is using an ACL to select traffic for mirroring.

If a remote mirroring endpoint is configured on the switch, then additional fields appear. Otherwise, the output displays the message There are no Remote Mirroring endpoints currently assigned.

The show monitor <session-number> command displays the current configuration for the specified session on a source switch.

Session: Displays the numeric identifier (1 to 4) of the selected session.

Session Name: Displays the alphanumeric name of the session, if configured.

ACL: Indicates whether the source is using an ACL to select traffic for mirroring. Only inbound traffic to the switch can be selected for mirroring when an ACL is used.

Mirroring Destination: For a local mirroring session, indicates the port configured as the exit port on the source switch. For a remote mirroring session, shows IPv4, which indicates mirroring to a remote (exit) switch.

Monitoring Sources: For the associated session, indicates the source interface for the currently configured sessions. Options include the source port, source trunk, or source VLAN.

Direction: For the selected interface, indicates whether mirrored traffic is entering the switch (in), leaving the switch (out), or both.

Remote traffic mirroring: Configuration steps

Figure 6

Configuring remote traffic mirroring is more complex than local traffic mirroring and involves more procedures.

The four steps involve the following major tasks:

1. Enable jumbo frames, if necessary

If any one packet with the additional 54-byte mirror encapsulation header might meet or exceed the MTU size of the interfaces used to send mirrored packets, then you will need to enable jumbo frame support on the VLAN used to transport mirrored traffic. Jumbo frame support must be enabled on the source, destination, and any intermediate switches.

2. Configure the remote mirror session

This step involves specifying a variety of information, which includes the source VLAN or subnet IP address of the mirrored traffic on the source switch, the destination VLAN or subnet IP address of mirrored traffic on the destination switch, a unique, unused UDP port number (7933-65535) used for session identification, and the exit port on the destination switch.

3. Configure the local mirror session

On the source switch you configure the local mirror session by assigning a session number from 1 to 4 and specifying equivalent parameters as done for the remote session on the destination switch.

4. Configure the mirroring sources

This step is equivalent to what is done for local mirroring. You specify a port, mesh port, trunk, or VLAN as the source and you identify the traffic of interest by specifying either traffic direction(s) or an ACL.

The details about these steps are covered on the pages that follow.
Remote traffic mirroring: Configuring jumbo frame support

Figure 7

When the source switch sends the mirrored data stream to the destination switch, it adds a 54-byte proprietary (mirror encapsulation) header to the Layer 2 frame, increasing the total size of the frame. On a typical network using the default MTU of 1518 bytes for Ethernet frames, the switch can remote mirror frames that are less than or equal to 1464 bytes without requiring jumbo frame support to be enabled. This is because the 54-byte proprietary header, inserted into the data field of the Ethernet frame, when coupled with the header and trailers of the frame, will not exceed the limits of the hardware, either 1518 bytes (normal untagged Ethernet frame) or 1522 bytes (802.1Q tagged).

Note
The standard Ethernet frame consists of several header and trailer fields and a maximum data field size of 1500 bytes. The Ethernet header and trailer fields consist of the DA (Destination Address, 6 bytes), SA (Source Address, 6 bytes), Type/Length (2 bytes), and FCS (Frame Check Sequence, 4 bytes). These fields comprise 18 bytes of the total frame size. The 802.1Q field, if present, adds an additional 4 bytes. Therefore, when the 54-byte proprietary mirror encapsulation header is present and jumbo frame support is not enabled, the Ethernet data field can be no larger than 1446 bytes (1500 bytes minus 54 bytes).

Of course there is a possibility that any intermediate switch or the destination switch could receive a frame larger than what it is configured to handle. In normal operation, if a switch receives an Ethernet frame that has a data field larger than 1500 bytes (1446 actual data bytes plus the 54-byte mirror encapsulation header), it will drop the frame. This is because the additional header makes the frame exceed the maximum frame size for legacy Ethernet, either 1518 untagged or 1522 tagged. The switch will forward any frame to its intended destination as long as the received frame does not exceed the receiving interface's default MTU, which is typically set at 1500 bytes for legacy Ethernet.

The switch drops the mirrored frames larger than the MTU, rather than truncating and then mirroring them, because truncating the frames alters the checksum values. Receiving devices, such as an IDS/IPS, cannot handle frames that have bad checksums. Therefore, it is better to simply discard large frames rather than truncating them and sending them to a destination where they will have bad checksums. Additionally, if a device is attempting to reassemble frames to search, for example, for worms and viruses, then some of the critical data may be missing.

If you want to capture all traffic of interest, then you should enable jumbo frame support. The switch can then transmit a packet that is a total of 9220 bytes. Jumbo frames are only supported on ports operating at 1 Gbps or greater.

To allow these larger frames to be transmitted across your network, you must enable all the switches that might carry the mirrored traffic to support jumbo frames. These switches include both the source and destination switches and any switches in between. On each switch, enable jumbo frames on the VLAN that carries the mirrored traffic using the vlan <vid> jumbo command.
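The sizing argument above, worked through as an added Python example (not from the course): the constants are the course's own figures, the helper names are assumptions made here.

```python
"""Added example, not from the HP course: the frame-size arithmetic behind
the jumbo-frame decision for remote mirroring. The constants are the
figures given in the course; the function names are constructed here.
"""
ETH_HEADER_TRAILER = 18   # DA 6 + SA 6 + Type/Length 2 + FCS 4
DOT1Q_TAG = 4             # added when the frame carries an 802.1Q tag
MAX_DATA_FIELD = 1500     # legacy Ethernet data field
MIRROR_ENCAP = 54         # proprietary mirror encapsulation header
JUMBO_MAX_FRAME = 9220    # largest frame the switch transmits with jumbo enabled


def frame_size(data_len: int, tagged: bool) -> int:
    """Total on-the-wire size of a frame carrying data_len bytes of data."""
    return data_len + ETH_HEADER_TRAILER + (DOT1Q_TAG if tagged else 0)


def max_frame_size(tagged: bool, jumbo: bool) -> int:
    """Largest frame an interface accepts: 1518 / 1522 legacy, 9220 jumbo."""
    if jumbo:
        return JUMBO_MAX_FRAME
    return MAX_DATA_FIELD + ETH_HEADER_TRAILER + (DOT1Q_TAG if tagged else 0)


def max_mirrorable_data() -> int:
    """Largest original data field that still fits once encapsulated (1446)."""
    return MAX_DATA_FIELD - MIRROR_ENCAP


def remote_mirror_fate(data_len: int, tagged: bool, jumbo: bool) -> dict:
    """Decide what happens to one mirrored frame on the transport VLAN.
    The 54-byte header is inserted into the data field, so the comparison
    is on the encapsulated frame; the switch drops rather than truncates."""
    original = frame_size(data_len, tagged)
    encapsulated = original + MIRROR_ENCAP
    limit = max_frame_size(tagged, jumbo)
    return {"original": original, "encapsulated": encapsulated,
            "limit": limit, "delivered": encapsulated <= limit}


def needs_jumbo(largest_data_seen: int) -> bool:
    """Planning check for step 1: 'vlan <vid> jumbo' is needed on every
    switch on the path when any captured data field exceeds 1446 bytes."""
    return largest_data_seen > max_mirrorable_data()


if __name__ == "__main__":
    for data_len in (1446, 1447, 1500):
        for tagged in (False, True):
            print(data_len, "tagged" if tagged else "untagged",
                  remote_mirror_fate(data_len, tagged, jumbo=False))
    print("jumbo needed for 1500-byte data field:", needs_jumbo(1500))
```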

Remote traffic mirroring: Configuring the mirror sessions

Figure 8

If you are configuring remote traffic mirroring, you must configure the destination switch to handle the mirrored traffic before you configure the source switch to begin sending that mirrored traffic. In other words, you must configure the destination switch to recognize the mirror session and to deliver the mirrored traffic to an exit port.

To configure the destination switch, you use the mirror endpoint ip command as shown above. When you configure the <src-ip>, <src-udp>, and <dst-ip> options, you must match these settings exactly to those that will be configured on the source switch. If the settings do not match, the destination switch will not recognize the mirror session and will not know where to send the mirrored data stream.

<src-ip>: This is the IP address of the VLAN or subnet on which the mirrored traffic enters or leaves the source switch.

<src-udp>: This is a unique, unused UDP port number that the source and destination switches use for sending and receiving the mirrored traffic. The recommended range is 7933 to 65535.

<dst-ip>: This is the IP address of the VLAN or subnet on which the mirrored traffic enters or leaves the destination switch. The exit port on the destination switch must be a member of this VLAN or subnet.

<port-id>: This is the port identifier of the physical port on the destination switch that represents the exit port for the mirrored traffic sent to a receiving device such as a computer running an IDS/IPS or packet analyzer.

To configure the source switch, you use the mirror <session> remote ip command as shown above. As previously mentioned, the <src-ip>, <src-udp>, and <dst-ip> options must match the settings configured on the destination switch. That is, you specify the same values for the same named options.

H
of
Remote traffic mirroring: Configuring the mirror
i de
ts
sources
ou
r
fe
ns
tra
or
n
tio
uc
rod
ep
.R
ly
on
e
us
dy
tu
f-s
l
se
ee
oy

Figure 9
pl
Em

On the source switch, you configure the mirror sources for remote traffic mirroring just
P

as you do for local traffic mirroring. Notice that the session number specified in this
H

example is the value assigned to the remote traffic mirroring session on the source
switch shown on the previous page. In this example, to show the flexibility of the
traffic mirroring feature, the source interface is actually defined as a VLAN instead
of one or more physical ports.

Remote traffic mirroring: Viewing the configuration

Figure 10

The commands shown above display the remote traffic mirroring configuration on the source switch.

The show monitor command lists a second session representing the remote traffic mirroring session. The Type field has a value of IPv4, which indicates the session is configured for remote traffic mirroring.

The show monitor <session> command displays the configured parameters for the remote traffic mirroring session. The values for the source IP address, destination IP address, and UDP port number are the same as those specified on the destination switch.

Figure 11

To view the remote traffic mirroring configuration on the destination switch you use the show monitor endpoint command. The values for the source IP address, destination IP address, and UDP port number are the same as those specified on the source switch.

The Destination port field identifies the physical port on this destination switch that connects to a device running an application such as IDS/IPS or a packet analyzer.

Comware Traffic Mirroring

Figure 12

Introduction to Port Mirroring

Port mirroring is the process of copying the packets that pass through a port/CPU (a mirroring port/CPU) to another port (the monitor port) that is connected with a monitoring device for packet analysis.

You can select to port-mirror inbound, outbound, or bidirectional traffic on a port/CPU as needed.

Classification of Port Mirroring

Port mirroring falls into the following types:

Local port mirroring: In local port mirroring, the mirroring ports/CPUs and the monitor port are located on the same device.

Layer 2 remote port mirroring: In Layer 2 remote port mirroring, the mirroring ports/CPUs and the monitor port are located on different devices but are on the same Layer 2 network.

Layer 3 remote port mirroring: In Layer 3 remote port mirroring, the mirroring ports/CPUs and the monitor port are separated by IP networks.

Note
Because a monitor port can monitor multiple ports, in some cases it may receive several duplicates of a packet. For example, suppose that Port 1 is monitoring bidirectional traffic on Ports 2 and 3 of the same device. If a packet travels from Port 2 to Port 3, two duplicates of the packet will be received on Port 1.

Given an A5820X & A5800 series switch, if incoming traffic is mirrored, the mirrored traffic is sent with the same VLAN tag (if any) as the original traffic; if the outgoing traffic is mirrored, the mirrored traffic carries the same VLAN tag as the original traffic did before it was sent out the mirroring ports.

Implementing Port Mirroring

Port mirroring is implemented through port mirroring groups. There are three types of mirroring groups: local, remote source, and remote destination.

The following subsections describe how local port mirroring, Layer 2 remote port mirroring, and Layer 3 remote port mirroring are implemented.

Local port mirroring

Local port mirroring is implemented through a local mirroring group. In local port mirroring, packets passing through a port/CPU (mirroring port/CPU) are mirrored to the monitor port located on the same device.

Layer 2 remote port mirroring

Layer 2 remote port mirroring is implemented through the cooperation between a remote source mirroring group and a remote destination mirroring group. A remote source mirroring group is created on the source device and a remote destination mirroring group is created on the destination device. The source device copies the packets passing through the mirroring ports/CPUs, broadcasts the packets in the remote probe VLAN for remote mirroring through the egress port, and transmits the packets to the destination device via the intermediate device. When receiving these mirrored packets, the destination device compares their VLAN IDs to the ID of the remote probe VLAN configured in the remote destination mirroring group. If the VLAN IDs of these mirrored packets match the remote probe VLAN ID, the device forwards them to the data monitoring device through the monitor port. In this way, the data monitoring device connected to the monitor port on the destination device can monitor and analyze packets passing through the mirroring ports/CPUs on the source device.

Note
Make sure that the source device and the destination device are able to communicate at Layer 2 in the remote probe VLAN.

Because packets of the mirroring ports/CPUs are broadcast in the remote probe VLAN created on the source device, you can implement the local port mirroring function by adding the other ports on the source device to the remote probe VLAN.

For the mirrored packets to be forwarded to the monitor port, make sure that the remote source and destination mirroring groups are configured with the same probe VLAN.

To make the port mirroring function work properly, before configuring bidirectional traffic mirroring on a port in a mirroring group, you need to use the mac-address mac-learning disable command on the source device, intermediate devices, and destination device to disable the MAC address learning function for the remote port mirroring VLAN.

Layer 3 remote port mirroring

Layer 3 remote port mirroring is implemented through the cooperation of a remote source mirroring group, a remote destination mirroring group, and a GRE tunnel.

On the source device, packets of the mirroring port (or CPU) are mirrored to the tunnel interface that serves as the monitor port in the remote source mirroring group. Then the mirrored packets are transmitted to the destination device through the GRE tunnel. The destination device receives the mirrored packets from the other tunnel interface, which serves as the mirroring port in the remote destination mirroring group. Then the packets are forwarded to the monitor port in the remote destination mirroring group. In this way, the data monitoring device connected to the monitor port on the destination device can monitor and analyze packets passing through the mirroring port (or CPU) on the source device.

Configuring Local Port Mirroring

Local mirroring is made up of one or more mirroring ports (source) and one monitor port (destination). The first step is to configure a group.

<A5800>system-view
[A5800]mirroring-group <group-id> local

The next step is to configure the destination of the mirrored traffic.

<A5800>system-view
[A5800]mirroring-group <group-id> monitor-port <port-id>

Or from the interface configuration prompt:

<A5800>system-view
[A5800]interface <port-id>
[A5800-GE1/0/24]mirroring-group <group-id> monitor-port

The last step is to configure the source(s) of the mirrored traffic.

<A5800>system-view
[A5800]mirroring-group <group-id> mirroring-port <port-list> [both | inbound | outbound]

Or from the interface configuration prompt:

<A5800>system-view
[A5800]interface <port-id>
[A5800-GE1/0/24]mirroring-group <group-id> mirroring-port [both | inbound | outbound]

Note
A mirroring group can contain multiple mirroring ports.

Configuring Layer 2 Remote Mirroring

Layer 2 remote mirroring is made up of one or more mirroring ports (source) and one monitor port (destination).

Destination Device

The first step is to configure a group on the destination device.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> remote-destination

The next step is to configure the destination of the mirrored traffic.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> monitor-port <port-id>

Or from the interface configuration prompt:

<A5800-Dst>system-view
[A5800-Dst]interface <port-id>
[A5800-Dst-GE1/0/24]mirroring-group <group-id> monitor-port

It is then necessary to define the VLAN that will be used by the mirrored traffic.

Note
It is recommended that you use the remote probe VLAN for port mirroring exclusively.

<A5800-Dst>system-view
[A5800-Dst]mirroring-group <group-id> remote-probe vlan <vid>

Make sure the monitor port is a member of the remote probe VLAN.

Source Device

Configure the mirroring group.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> remote-source

The next step is to configure the source(s) of the mirrored traffic.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> mirroring-port <port-list> [both | inbound | outbound]

Or from the interface configuration prompt:

<A5800-Src>system-view
[A5800-Src]interface <port-id>
[A5800-Src-GE1/0/24]mirroring-group <group-id> mirroring-port [both | inbound | outbound]

Note
A mirroring group can contain multiple mirroring ports.

On the source device, configure the port used to send the mirrored traffic to the destination.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> monitor-egress <port-id>

Or from the interface configuration prompt:

<A5800-Src>system-view
[A5800-Src]interface <port-id>
[A5800-Src-GE1/0/24]mirroring-group <group-id> monitor-egress

It is then necessary to define the VLAN that will be used by the mirrored traffic.

<A5800-Src>system-view
[A5800-Src]mirroring-group <group-id> remote-probe vlan <vid>

Make sure the egress port is a member of the remote probe VLAN. Mirroring ports should not belong to the remote probe VLAN.
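An added Python check (not course or Comware code) that applies the constraints above to a pair of constructed source and destination configurations; the simplified configuration format, the interface names and the VLAN numbers are assumptions.

```python
"""Added example, not from the HP course or Comware: consistency checks for
a Layer 2 remote mirroring pair, applying the constraints the course states
(same remote probe VLAN in both groups, egress and monitor ports inside it,
mirroring ports outside it, MAC learning disabled when mirroring both ways).

Assumed input: the course's mirroring-group commands plus 'vlan <vid>' lines
whose indented 'port <if>' / 'mac-address mac-learning disable' lines are read
as VLAN-view commands. Interface names and VLAN numbers are constructed.
"""
import re
from dataclasses import dataclass, field

@dataclass
class MirrorConfig:
    role: str = ""                    # remote-source or remote-destination
    mirroring_ports: dict = field(default_factory=dict)  # port -> direction
    monitor_port: str = ""            # exit port on the destination device
    egress_port: str = ""             # monitor-egress port on the source device
    probe_vlan: int = 0
    vlan_members: dict = field(default_factory=dict)     # vid -> set of ports
    learning_disabled: set = field(default_factory=set)  # vids with learning off

def parse(text: str) -> MirrorConfig:
    """Read the simplified configuration text into a MirrorConfig."""
    cfg, vlan_ctx = MirrorConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # unindented line: back in system view
            vlan_ctx = None
        if m := re.match(r"mirroring-group \d+ (remote-source|remote-destination)$", line):
            cfg.role = m.group(1)
        elif m := re.match(r"mirroring-group \d+ mirroring-port (.+) (both|inbound|outbound)$", line):
            for port in m.group(1).split():
                cfg.mirroring_ports[port] = m.group(2)
        elif m := re.match(r"mirroring-group \d+ monitor-port (\S+)$", line):
            cfg.monitor_port = m.group(1)
        elif m := re.match(r"mirroring-group \d+ monitor-egress (\S+)$", line):
            cfg.egress_port = m.group(1)
        elif m := re.match(r"mirroring-group \d+ remote-probe vlan (\d+)$", line):
            cfg.probe_vlan = int(m.group(1))
        elif m := re.match(r"vlan (\d+)$", line):
            vlan_ctx = int(m.group(1))
            cfg.vlan_members.setdefault(vlan_ctx, set())
        elif vlan_ctx is not None and (m := re.match(r"port (\S+)$", line)):
            cfg.vlan_members[vlan_ctx].add(m.group(1))
        elif vlan_ctx is not None and line == "mac-address mac-learning disable":
            cfg.learning_disabled.add(vlan_ctx)
    return cfg

def check(src: MirrorConfig, dst: MirrorConfig) -> list:
    """Return the problems found (empty list = consistent); intermediate devices are not modelled."""
    problems = []
    if (src.role, dst.role) != ("remote-source", "remote-destination"):
        problems.append("need a remote-source group on the source and a remote-destination group on the destination")
    if not src.probe_vlan or src.probe_vlan != dst.probe_vlan:
        problems.append(f"remote probe VLAN differs: source {src.probe_vlan}, destination {dst.probe_vlan}")
    src_probe = src.vlan_members.get(src.probe_vlan, set())
    dst_probe = dst.vlan_members.get(dst.probe_vlan, set())
    if src.egress_port not in src_probe:
        problems.append(f"source egress port {src.egress_port} is not in probe VLAN {src.probe_vlan}")
    if dst.monitor_port not in dst_probe:
        problems.append(f"destination monitor port {dst.monitor_port} is not in probe VLAN {dst.probe_vlan}")
    for port in src.mirroring_ports:
        if port in src_probe:
            problems.append(f"mirroring port {port} must not belong to probe VLAN {src.probe_vlan}")
    if "both" in src.mirroring_ports.values():
        for name, cfg in (("source", src), ("destination", dst)):
            if cfg.probe_vlan not in cfg.learning_disabled:
                problems.append(f"{name}: MAC learning still enabled on probe VLAN {cfg.probe_vlan}")
    return problems

# Constructed samples: VLAN 100 is the remote probe VLAN, GigabitEthernet1/0/24
# the link towards the other switch, GigabitEthernet1/0/23 the analyzer port.
SRC_OK = """
mirroring-group 1 remote-source
mirroring-group 1 mirroring-port GigabitEthernet1/0/1 GigabitEthernet1/0/2 both
mirroring-group 1 monitor-egress GigabitEthernet1/0/24
mirroring-group 1 remote-probe vlan 100
vlan 100
 port GigabitEthernet1/0/24
 mac-address mac-learning disable
"""
DST_OK = """
mirroring-group 1 remote-destination
mirroring-group 1 monitor-port GigabitEthernet1/0/23
mirroring-group 1 remote-probe vlan 100
vlan 100
 port GigabitEthernet1/0/23
 port GigabitEthernet1/0/24
 mac-address mac-learning disable
"""
# Constructed misconfiguration: probe VLAN renumbered, MAC learning left on.
DST_BAD = DST_OK.replace("vlan 100", "vlan 200").replace(" mac-address mac-learning disable\n", "")

if __name__ == "__main__":
    print("good pair:", check(parse(SRC_OK), parse(DST_OK)), "bad pair:", check(parse(SRC_OK), parse(DST_BAD)))
```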

Configuring Layer 3 Remote Mirroring

To configure Layer 3 remote port mirroring, you need to create a local port mirroring group on the source device as well as on the destination device, and configure mirroring ports/CPUs and the monitor port for each mirroring group. A tunnel connects the source and destination devices.

On the source device, you need to configure the ports/CPUs you want to monitor as the mirroring ports/CPUs, and configure the tunnel interface as the monitor port.

On the destination device, you need to configure the physical port corresponding to the tunnel interface as the mirroring port and configure the port that connects the data monitoring device as the monitor port.

Note
Before configuring Layer 3 remote port mirroring, make sure that you have created a GRE tunnel that connects the source and destination devices.

Module 3: ACLs

In this module, Access Control Lists (ACLs) are described. The section starts with an overview of the various types of ACLs that are supported on selected HP switches. The emphasis of the section is on explaining how standard and extended ACLs work and how to configure them.

Scenario: ACLs

An IT staff is continuing on with the process of upgrading network security using HP switch software solutions. They are busy looking at their existing physical security resources, their policies regarding configuration changes and maintenance, and the needs of various departments and student groups across campus.

While most network resources can be secured through operating system passwords and file permissions, the network itself also must be designed to prevent accidental or intentional misuse of resources.

VLANs can be used to create logical or function-based partitions to the LAN. These partitions have boundaries that must be crossed to move data in or out of the VLAN. Traffic between VLANs can be controlled or restricted by employing Access Control Lists (ACLs).

The IT staff would like to better understand some of the key ACL features supported on HP switches before looking into how to implement them. In particular, the IT staff would like to understand the types of options that are available for using ACLs such as applying them to physical interfaces or VLAN interfaces, and the types of packet header criteria that can be specified.

VLAN basics

A VLAN is a group of ports designated by the switch as belonging to the same broadcast domain. When using VLANs you can group users by logical function instead of physical location. This allows you to group high-bandwidth users on low-traffic segments or to organize users from different LAN segments according to their need for common resources.

Port-based VLANs are typically used to enable broadcast traffic reduction and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs that may be configured on a switch. On a given switch, packets are forwarded only between ports that are designated for the same VLAN. Thus, all ports carrying traffic for a particular subnet address should be configured to the same VLAN. Moving traffic between VLANs requires a router or Layer 3 routing switch.

Although membership in a VLAN is typically controlled by assigning a port to a particular VLAN, it is possible to create VLANs based on MAC address, protocol information, or application-based information.

Reasons for VLANs

By default, all the ports on a switch are in a default VLAN. For small networks this may be acceptable. If you decide to leave all the ports in the same VLAN, then all the hosts (PCs, notebooks, servers, and so forth) should be configured in the same subnet.

However, if the network is comprised of more than 30 or 40 hosts, then it is probably advantageous to segment the broadcast domain by creating multiple VLANs, each with an assigned subnet. This localizes the broadcast traffic and resource consumption associated with broadcast traffic. A typical enterprise network consists of thousands of hosts, a number that is far too large to be in the same broadcast domain.

Another important reason for dividing hosts into VLANs is security. Dozens of different types of users are served by the typical enterprise network. To allow all of those users equal access to resources could constitute a serious risk to security. So instead we define a subnet for each group of users that has similar resource or service needs.

Because moving traffic between VLANs is a Layer 3 operation, the network traffic must cross routing boundaries; thus ACLs can be employed to control the flow of traffic between VLANs.

Basic concepts of ACLs

After the layout of the VLANs has been planned, ACLs can be used to determine the types and destinations of traffic to be allowed. ACLs provide an effective mechanism for filtering traffic.

Without the application of traffic filters, each routing switch interface accepts packets from attached hosts and forwards the traffic based on its forwarding tables. However, there may be situations where you do not want all traffic to be forwarded, such as for security or traffic efficiency purposes.

An ACL specifies criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch's interfaces. These criteria may include Layer 3 identifiers, such as source and destination IP addresses, and Layer 4 identifiers, such as source and destination ports. Using ACLs, you can filter IP traffic to or from a host, a group of hosts, or entire subnets.

Technically, an ACL is comprised of one or more Access Control Entries (ACEs). It is the ACE that corresponds to the statement of criteria for determining which traffic is permitted or denied. Once an ACL consisting of one or more ACEs has been defined, you can then implement the ACL by applying it to a physical port or a VLAN interface.

Using ACLs

A typical approach for planning the use of ACLs is to determine the specific conditions under which you want to allow traffic to pass and then define ACEs that expressly deny any other traffic. This approach can allow a host to pass traffic when it is intended and not get trapped by a deny entry.

Note
Only selected HP switches support the use of ACLs. Generally, these are switches that provide support for more advanced IP routing services. Switches that provide limited IP routing services such as only IP static routes do not typically support the use of ACLs.

ACLs can be useful at both the network edge as well as the network core and distribution levels.

At the network edge, ACLs can be useful for preventing unwanted or unnecessary IP packets from entering the network infrastructure. Implementing ACLs at the network edge can help improve network performance by reducing the volume of packets that are handled by upstream switches and routers, which also helps reduce system resource usage in the form of buffers and CPU utilization.

Implementing ACLs in the network core and distribution levels can be useful for security and performance purposes. ACLs can be used to ensure various collections of clients only have access to selected destinations. These destinations may be specific hosts, entire subnets, or even particular applications. For security purposes, you may want to ensure communications are restricted, for instance, that all hosts and servers in a given VLAN are only allowed to communicate within that VLAN or with a limited number of other specific VLANs.

Note
The extent of ACL support varies among the HP switch families. For example, some switches may support applying ACLs to ports, trunks, and VLANs whereas other switches may support applying ACLs to ports and trunks only. In other cases, some switches support specifying extensive criteria for identifying the traffic to be filtered, while other switches support less extensive criteria. Later in this section, a table can be found that summarizes the ACL feature support on HP switches.

Technet24.ir
ACLs

Implementing ACLs: Static options

Static and dynamic applications of ACLs
Selected HP switches allow you to implement ACLs in a static manner while several others also allow you to implement ACLs in a dynamic manner. Later in this section, a table summarizes the ACL feature support on various HP switches.

Using static ACLs implies that you are configuring ACLs on the switch and storing them in the switch configuration file. Once a static ACL is applied to a physical port or trunk or a VLAN interface, the ACL is fixed in place until you later modify it or remove it.

In contrast, using dynamic ACLs involves configuring them on an external system such as a supported RADIUS server (Microsoft IAS, FreeRADIUS, and others) or HP Identity Driven Manager. A dynamic ACL can only be applied to a physical port, and its application to a port is triggered dynamically by the successful authentication of a client. The application of this type of ACL is temporary. That is, the ACL is active for the duration of the client's session. When the client's session ends, the ACL is removed from the port.

As will be explained later in this section, the structure of an ACL can be categorized as either a standard type or an extended type. When implementing ACLs in a static manner, you can use either the standard or extended format. Applying a dynamic ACL through a RADIUS server requires the use of the extended ACL format.

Static applications of ACLs

Implementing static ACLs implies that you configure the ACLs on the switch and store them in the switch configuration file. There are three applications or approaches for implementing static ACLs that are supported by selected HP switches. These are:

- Routed IP Traffic ACL (RACL): An RACL is an ACL configured on a specific VLAN to filter routed IP traffic entering or leaving the switch on that interface. An RACL can also filter traffic having a destination on the switch itself.

  An RACL can be used to filter inbound traffic, or outbound traffic, or both on a given VLAN. To filter traffic in both directions, you must apply the ACL twice: one instance of the ACL would specify the criterion that corresponds to in, and a second instance would specify the criterion that corresponds to out.

  Note
  Except for filtering IP traffic to an IP address on the switch itself, RACLs can operate only while IP routing is enabled on the switch. A RACL corresponds to a Layer 3 traffic filter.

- VLAN ACL (VACL): A VACL is an ACL configured on a specific VLAN to filter IP traffic entering the switch on that VLAN interface. That is, VLAN traffic that is switched among sources and destinations in the same VLAN.
  A VACL can be used only to filter inbound traffic on a VLAN.

  Note
  VACLs can operate while IP routing is NOT enabled on the switch. A VACL corresponds to a Layer 2 traffic filter.

  Note
  The terms RACL and VACL were introduced with the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series.

- Static Port ACL: A static port ACL filters IP traffic entering the switch on a port, group of ports, or a static trunk. The IP traffic is filtered regardless of whether it is routed or switched.

  A static port ACL can also filter traffic having a destination on the switch itself.

  Note
  Since a static port ACL supports both switched and routed traffic, it provides Layer 2 and Layer 3 traffic filtering.

In summary, a given ACL can be implemented statically on a VLAN as a RACL or VACL (or both), and on a physical port or static trunk. The HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series support all of these ACL implementations. A table at the end of this module summarizes the HP switch ACL feature support.

Implementing ACLs: Dynamic options

What are Dynamic port ACLs?
Dynamic port ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources. The network resources you identify may be individual servers, entire subnets, and even the switch management interfaces. This includes preventing clients from using applications, such as Telnet, SSH, Web browser, and SNMP, if you do not want their access privileges to include these capabilities.

This feature is designed for use at the network edge, where you can apply RADIUS-assigned, per-port ACLs for Layer 3 and 4 filtering of IP traffic entering the switch from authenticated clients. A given dynamic port ACL is associated with a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with those credentials.

Note
Dynamic, per-port ACLs applied through a RADIUS server can also be augmented using the Identity-Driven Management (IDM) application that is supported by PCM+. IDM operates in conjunction with a RADIUS server to provide an easy-to-use interface for implementing per-user access controls at the network edge. IDM is also more convenient to use because it enables you to centrally manage ACLs for all users across multiple RADIUS servers. Details about IDM capabilities and deployment will be covered in a later module.

Benefits

Using RADIUS or IDM to dynamically apply per-port ACLs to edge ports enables the switch to filter IP traffic coming from outside the network. Removing unwanted IP traffic as soon as possible can help to improve network and system performance.

Applying dynamic port ACLs to ports on the network edge can be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.

The switch allows multiple dynamic port ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, dynamic port ACLs can be assigned regardless of whether other ACLs affecting the same port are statically configured on the switch.

Requirements

Implementing dynamic port ACLs requires:

- Deployment of a RADIUS server.
- Use of an 802.1X, Web, or MAC authentication service on the switch to provide the client authentication support.
- Configuring each ACL on the RADIUS server, instead of the switch, and assigning each ACL to a username/password pair or MAC address identifier. Similarly, the ACLs are configured in IDM if the PCM+/IDM solution is implemented in conjunction with a RADIUS server.

Dynamic port ACLs are supported by various HP switches. These include the HP Switch 8200zl, 5400zl, 3500yl, 6200yl, 5300xl, 3400cl, and 6400cl series. You can implement dynamic port ACLs on these switches using a RADIUS server directly or through IDM.

Comparison of static and dynamic ACL options

[Table: comparison of static and dynamic ACL options; the table graphic is not reproduced here]

This table highlights several notable differences between the static ACLs configurable on switch VLANs and ports, and the dynamic port ACLs that can be assigned to individual ports by a RADIUS server or IDM operating in conjunction with a RADIUS server.

Elements of an ACL
An ACL consists of the following elements or building blocks:

- ACL identifier: A given static ACL is identified by using a number or an alphanumeric name. The number you configure can be between 1 and 199, and the name can be up to 64 alphanumeric characters.

  Note
  The ACL identifier for dynamic, per-port ACLs uses an internal system identifier that associates the ACL with user credentials or a MAC address.

  As described earlier, an ACL itself is composed of one or more ACEs. When an ACL is composed of multiple ACEs, these entries share the same ACL identifier (ID). In this case, all of the entries with the same ACL ID are applied to the same port, trunk, or VLAN interface for filtering IP traffic. In the case of the dynamic form of an ACL, it can only be applied to a physical port.

- Criteria: Each ACE in an ACL is a filter statement that identifies the characteristics of traffic to receive special handling. The characteristics to be matched can be one or more of the fields in a packet's Layer 3 and Layer 4 headers. These criteria can include the IP protocol type, source/destination IP addresses, and source/destination port numbers.

- Direction: Each ACE must specify the direction of the traffic for which packets will be evaluated. This can be either inbound or outbound for an interface.

- Action: Each ACE also defines the action you want taken for packets that match the criteria that have been specified. Packets matching the criteria can be either permitted (forwarded) or denied (dropped).

Types of ACLs
From a configuration perspective, there are two primary types of ACLs:

- Standard / Basic: A standard ACL uses only a packet's source IP address as a criterion for permitting or denying the packet.

- Extended: An extended ACL offers more options for specifying criteria for filtering packets compared to a standard ACL. The additional criteria include the destination IP address, source port number, destination port number, and various other IP protocols in addition to IP, TCP, and UDP.

A standard or extended ACL can use either a number or a name for the ACL ID. The HP switches that support ACLs allow you to define 99 numbered, standard ACLs and 100 numbered, extended ACLs. For a standard ACL, the numeric identifier can be from 1 to 99. For an extended ACL, the numeric identifier can be from 100 to 199.

Note
The specific manner in which an ACL is assigned to an interface corresponds to the type of application for the ACL: a RACL, VACL, static port, or dynamic port ACL.

When a name is used for the identifier of a standard or extended ACL, it can be up to 64 alphanumeric characters including spaces. The use of named ACLs increases the quantity of ACLs that you can define on a switch. By using named ACLs, you can define more than 199 ACLs should you reach the limit of 99 numbered, standard ACLs and 100 numbered, extended ACLs. Named ACLs can also be more convenient for organizing and referencing the ACLs.

The maximum number of ACLs supported on an HP switch is 2048, although some switches support a smaller number. Switches that support up to 2048 ACLs include the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series. Regardless of the specific limit on a particular switch, the ACLs defined may be in any combination of numbered and named ACLs, standard and extended.

ACLs share internal routing switch resources with several other features. These include the QoS, IDM, Virus-Throttling, ICMP, and Management VLAN features. The switch typically provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other purposes.

ACL criteria
Standard / Basic ACLs
A standard ACL allows you to filter traffic based solely on a packet's source IP address. The IP address can be specified as a single address or as a range of addresses using a mask.

A standard ACL is useful when you need to:

- Permit or deny any IP traffic based on source IP address only.
- Quickly control the IP traffic from a specific address. This allows you to isolate IP traffic problems generated by a specific device, group of devices, or a subnet threatening to degrade network performance. This gives you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area.

Extended ACLs

An extended ACL allows you to define multiple criteria to filter traffic. This enables you to more closely define your IP packet filtering.

An extended ACL allows you to filter traffic based on criteria that include the source IP address, destination IP address, IP protocol type, source port, and destination port. You can also filter traffic based on the IP precedence and Type of Service (ToS) fields that are located in the IP header. For ICMP and IGMP traffic, you can even specify criteria identifying the particular ICMP or IGMP message type.

The IP protocol type criterion can be specified as a number from 0 to 255 or by using one of several well-known names. For example, the IP protocol type can be identified as ip, tcp, udp, ospf, and various other names.

The TCP/UDP port can also be specified by using a number or a well-known name. Examples of well-known names you can specify include telnet, http, and bgp.

For applications that may implement the ToS field settings, you can also use the IP Precedence and ToS criteria options to filter packets. The IP header has an 8-bit field called the Type of Service (ToS). Traditionally, IP Precedence has used the first three bits of this field to assign 8 possible precedence levels. These correspond to the following IP Precedence criteria values:

  Precedence Setting   Value      Precedence Setting    Value
  routine              000 (0)    flash override        100 (4)
  priority             001 (1)    critical              101 (5)
  immediate            010 (2)    internet (control)    110 (6)
  flash                011 (3)    network (control)     111 (7)

IP Precedence provides a means of specifying a relative level of priority or class of service for handling a packet. The remaining five bits of the ToS field can be used to specify other packet attributes that correspond to the type of service that may be requested for packet delivery. These correspond to the following four ToS criteria values:

- Normal (0)
- max-reliability (2)
- max-throughput (4)
- minimize-delay (8)

Note
Not all switches support all criteria for extended ACLs. For details about the specifically supported features, refer to the Access Security Guide (or Advanced Traffic Management Guide) for the switch model.

Defining a standard ACL: Numbered format

A standard ACL can be defined and applied using the CLI. Some HP switches also allow you to configure ACLs using the web browser management interface.

The elements of the access-list command used to define a standard ACL include the ACL ID, which is used to associate one or more ACL entries; an action, which may be permit or deny; and a source IP address or range of IP addresses.

In the first example, a single source IP address is specified using the keyword host. To specify a range of IP addresses, the address may be combined with a wildcard mask. This mask can be specified in one of two ways:

- Dotted-decimal notation: This notation consists of a quad dotted-decimal mask that corresponds to a string of 0s designating bit positions that must match in the source IP address of a packet. The mask may also have a string of 1s that designate bit positions that are considered a match regardless of their actual value.

- CIDR notation: The Classless Inter-Domain Routing (CIDR) notation consists of specifying a forward slash and an integer number after the IP address. The number specifies the length of the mask in bits and designates the bit positions of the source IP address that must match.

Details about these formats are described after the next page.

How an ACL mask works

For an ACL mask, you specify a 0 for significant bit positions, those that must match.

Example 1: You want to specify all addresses in the range 10.1.10.0 through 10.1.10.255, which have a common value in the first 24 bits.

  10.1.10.0     00001010 00000001 00001010 00000000
  10.1.10.255   00001010 00000001 00001010 11111111
  ACL mask      00000000 00000000 00000000 11111111   Last 8 bits are not significant

  This range can be defined in an ACL as: 10.1.10.0 0.0.0.255 or 10.1.10.0/24

Example 2: You want to specify all addresses in the range 10.1.32.0 through 10.1.47.255, which have a common value in the first 20 bits.

  10.1.32.0     00001010 00000001 00100000 00000000
  10.1.47.255   00001010 00000001 00101111 11111111
  ACL mask      00000000 00000000 00001111 11111111   Last 12 bits are not significant

  This range can be defined in an ACL as: 10.1.32.0 0.0.15.255 or 10.1.32.0/20

Figure 1

Common IP addressing mask

In common IP addressing, a network (or subnet) mask defines which part of the IP address to use for the network number (or subnet) and which part to use for the hosts on the network. Thus, the bits set to 1 in a network mask define the part of an IP address to use for the network (or subnet) number, and the bits set to 0 in the mask define the part of the address to use for the host number.

In the first example above, 10.1.10.0 corresponds to the subnet with a subnet mask of 255.255.255.0, which is a 24-bit address mask. Valid host numbers in the fourth octet are between 1 and 254. Therefore, valid IP addresses that could be assigned to devices are from 10.1.10.1 through 10.1.10.254. The IP addresses 10.1.10.0 and 10.1.10.255 are reserved for identifying the subnet and broadcast addresses, respectively.

The second example can be more difficult to understand since the boundary between the subnet and host numbers occurs within the third octet instead of on a full octet boundary. In this second example above, 10.1.32.0 corresponds to the subnet with a subnet mask of 255.255.240.0, which is a 20-bit address mask. Valid host numbers can use the last four bits of the third octet and the 8 bits of the fourth octet. The valid IP addresses that could be assigned to devices are from 10.1.32.1 through 10.1.47.254. The IP addresses 10.1.32.0 and 10.1.47.255 are reserved for identifying the subnet and broadcast addresses, respectively.

Using an ACL or CIDR mask

In an ACL, IP addresses and masks provide criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs. If there is not a match, the packet is compared with the next ACE in the ACL.

An ACL mask uses 0 bits to identify the portion of an IP address in a packet that must match and 1 bits to identify the portion of an IP address in a packet that does NOT need to match. The notation involves specifying a quad dotted-decimal value, which is the inverse of the common IP addressing masks you may be more familiar with.

You can also use CIDR notation to specify the mask for an ACL entry. The switch interprets the bits specified with CIDR notation as the IP address bits (relative to the left-most bit position) in an ACL that a corresponding IP address in a packet must match. The switch converts the mask to inverse notation for ACL use. A CIDR mask involves specifying the number of 0 bits using the /n syntax. It is equivalent in purpose to the ACL mask, but simply uses a different syntax.

Both dotted-decimal and CIDR notations are acceptable when defining address ranges for an ACL, but the ACE is stored in the configuration file using the ACL mask notation.

Note
Where a standard network mask defines how to identify the network and host numbers in an IP address, the mask used with ACEs defines which bits in a packet's IP address must match the corresponding bits in the IP address listed in an ACE, and which bits can be wildcards.

In the first example, let's assume that you want to identify any host within the 10.1.10.0/24 subnet for the ACL entry. To do this you would specify an IP address and ACL mask of the form 10.1.10.0 0.0.0.255. The equivalent entry using a CIDR mask would be 10.1.10.0/24.

In the second example, let's assume that you want to identify any host within the 10.1.32.0/20 subnet for the ACL entry. To do this you would specify an IP address and ACL mask of the form 10.1.32.0 0.0.15.255. The equivalent entry using a CIDR mask would be 10.1.32.0/20.

Note
There is NOT necessarily any correspondence between the mask you use to configure IP addresses on devices and the ACL mask you specify in ACLs.

For example, suppose a subnet is assigned the IP address 10.1.0.0 255.255.0.0, or 10.1.0.0/16 using a CIDR mask. For the purposes of defining ACLs, you may want to identify all devices with IP addresses that have a common value in the first 24 bits, such as 10.1.32.*. In this case, the ACL mask would be 10.1.32.0 0.0.0.255, or 10.1.32.0/24 using a CIDR mask.
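
The two mask notations described above, worked through as an added example (my own Python, not code from the course or the switch): it converts a CIDR length to the ACL mask that the configuration file stores, converts back where the mask is contiguous, and applies the "0 bits must match" rule to a packet's source address. It goes one step beyond the text by also accepting a non-contiguous ACL mask, which dotted-decimal notation can express but CIDR cannot; the function names are assumptions of this example.

```python
# Added example, not from the HP course material: ACL (wildcard) masks versus
# CIDR prefixes for the source-address criterion of a standard ACE.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def prefix_to_acl_mask(prefix_len):
    """CIDR /n -> ACL mask: the first n bits are 0 (must match), the rest are 1."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((1 << (32 - prefix_len)) - 1)


def acl_mask_to_prefix(acl_mask):
    """ACL mask -> /n; only possible when all 1 bits are contiguous on the right."""
    mask = ip_to_int(acl_mask)
    host_bits = (mask + 1).bit_length() - 1      # exact only when mask == 2**k - 1
    if (1 << host_bits) - 1 != mask:
        raise ValueError("%s is not contiguous; it has no CIDR equivalent" % acl_mask)
    return 32 - host_bits


def parse_source(spec):
    """Accept 'any', 'host A', 'A M' (address plus ACL mask) or 'A/n'.

    Returns (address, acl_mask) as integers, the form in which the ACE is stored.
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES
    if len(parts) == 2 and parts[0] == "host":
        return ip_to_int(parts[1]), 0
    if len(parts) == 2:
        return ip_to_int(parts[0]), ip_to_int(parts[1])
    if len(parts) == 1 and "/" in parts[0]:
        addr, n = parts[0].split("/")
        return ip_to_int(addr), ip_to_int(prefix_to_acl_mask(int(n)))
    raise ValueError("unrecognised source specification: %r" % spec)


def stored_form(spec):
    """Render a source the way the configuration file keeps it: address + ACL mask."""
    addr, mask = parse_source(spec)
    return "%s %s" % (int_to_ip(addr), int_to_ip(mask))


def matches(spec, packet_src):
    """True when the packet's source agrees with the ACE in every 0 bit of the mask."""
    addr, mask = parse_source(spec)
    significant = ~mask & ALL_ONES              # 1 wherever the ACL mask has a 0
    return (ip_to_int(packet_src) & significant) == (addr & significant)


def address_range(spec):
    """Lowest and highest address covered by the ACE (contiguous masks only)."""
    addr, mask = parse_source(spec)
    acl_mask_to_prefix(int_to_ip(mask))         # raises for a non-contiguous mask
    return int_to_ip(addr & ~mask & ALL_ONES), int_to_ip(addr | mask)
```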


Defining a standard ACL: Named format

The CLI command syntax for creating a named ACL differs from the command syntax for creating a numbered ACL. A named, standard ACL is identified by an alphanumeric string of up to 64 characters and is created by entering the named ACL (nacl) context. A numbered, standard ACL, identified by a number in the range of 1 to 99, can be created without having to leave the global configuration context.

In the graphic above, the first example shows how you access the named ACL context using the ip access-list command. Then, you can specify the criteria, in the case of a standard ACL, for a particular ACE starting with the permit or deny keyword. You can add more than one ACE to a given ACL once you have accessed the named ACL context for that particular ACL.

Note
Once a numbered ACL has been created, it can be accessed using the named ACL context. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs, just as you might need to do for a named ACL. Inserting or deleting an ACE is done by sequence number, and requires the use of the named ACL context.

Viewing ACLs and ACEs

The show access-list command options enable you to view a variety of information about ACLs that have been configured on a switch.

The show access-list command displays ACL summary information. This command lists the configured ACLs, regardless of whether they are assigned to any interfaces.

- Type: Indicates whether the listed ACL is a standard (std) ACL or an extended (ext) ACL.
- Appl: Indicates whether the listed ACL has been applied to an interface (yes/no).
- Name: Shows the identifier (name or number) assigned to each configured ACL.

The show access-list config command displays a listing of all configured ACLs on the switch as they appear in the switch configuration file. This command also allows you to list the configuration of a specific ACL.

Note
The sequence number is listed for ProVision ASIC products only. These include the HP Switch 8200zl, 5400zl, 3500yl, and 6200yl series.

Other command options include:

- show access-list vlan <vid>: Lists the name and type for each ACL application assigned to a particular VLAN on the switch.
- show access-list ports <all | port-list>: Lists the ACL static port assignment for either all ports and trunks, or for the specified ports and/or trunks.
- show access-list <acl-id>: Displays detailed content information for a specific ACL.
- show access-list resources: Displays the currently available per-slot resource availability. Refer to the Monitoring Resources section in the current Management and Configuration Guide for your switch.
- show access-list radius <all | port-list>: Lists the dynamic per-port ACLs currently assigned through RADIUS for either all ports and trunks, or for the specified ports and/or trunks.

Filtering routed traffic: Assigning an ACL as a RACL

To assign an ACL to an interface, you use the ip access-group command. You can use either the global configuration level or the VLAN context level to assign or remove an ACL implemented as a RACL. A RACL enables you to filter routed IP traffic entering or leaving the switch on a VLAN.

Note
The command option indicating the direction of the traffic to be filtered that you can specify for the ip access-group command depends on the type of application: RACL, VACL, or port/trunk.

Keep the following points in mind when configuring any ACL:

- The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN.
- If you delete an assigned ACL from the switch without subsequently using the no form of this command to remove the assignment to a VLAN, the ACL assignment remains and will automatically activate any new ACL you create with the same identifier (name or number).

Operating notes: Using a RACL

For a given VLAN interface on a switch configured for routing, you can assign an ACL as a RACL to filter inbound IP traffic and another ACL as a RACL to filter outbound IP traffic. You can also use one ACL for both inbound and outbound RACL applications. You can even use the same ACL for multiple VLANs.

In fact, the same ACL could potentially be used for any of the possible static applications. For example, the same ACL may be assigned as a RACL on one VLAN, a VACL on another VLAN, and as a static per-port ACL on some physical port or trunk.

Except for any IP traffic with a destination IP address on the switch itself, RACLs filter only routed IP traffic that is entering or leaving the switch on a given VLAN. Therefore, if routing is not enabled on the switch, there is no routed IP traffic for RACLs to filter.

RACLs screen routed IP traffic entering or leaving the switch on a given VLAN interface. This implies the following:

- IP traffic arriving on the switch through one VLAN and leaving the switch through another VLAN.
- IP traffic arriving on the switch through one subnet and leaving the switch through another subnet within the same, multinetted VLAN.

To filter the routed IP traffic of interest, you must assign a RACL to screen IP traffic inbound or outbound on the appropriate VLAN(s). In the case of a multinetted VLAN, this implies the following:

- IP traffic inbound from different subnets in the same VLAN is screened by the same inbound RACL.
- IP traffic outbound from different subnets is screened by the same outbound RACL.

A RACL does not filter switched IP traffic unless the switch itself is the source or destination. Also, a RACL does not filter IP traffic moving between ports belonging to the same VLAN or subnet (in the case of a subnetted VLAN).

Filtering switched traffic: Assigning an ACL as a VACL

For a given VLAN interface, you can assign an ACL as a VACL to filter any IP traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs.

You can use either the global configuration level or the VLAN context level to assign or remove an ACL implemented as a VACL.

Notice that you specify the vlan keyword with the ip access-group command when implementing an ACL as a VACL. In contrast, when implementing an ACL as a RACL, you can choose in or out.

Operating notes: Using a VACL

- A given ACL implemented as a VACL can be assigned to multiple static VLANs.
- A VACL filters IP traffic entering the switch on the VLAN to which it is assigned.
- A VACL is not affected by the IP routing setting on the switch.
- Traffic subject to filtering by a VACL:
  - Switched IP traffic moving between ports belonging to the same VLAN
  - Switched IP traffic moving between ports belonging to the same subnet of a multinetted VLAN
- Traffic NOT subject to filtering by a VACL:
  - Any IP traffic leaving the switch
  - IP traffic routed between different VLANs
  - IP traffic routed between different subnets of the same VLAN

Assigning an ACL to a port

For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IP traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces.

You can use either the global configuration level or the interface context level to assign or remove an ACL implemented as a static port ACL.

Notice that you specify the in keyword of the ip access-group command when implementing an ACL as a static port ACL. In contrast, when implementing an ACL as a:

- RACL, you can choose in or out.
- VACL, you can only choose in.

Operating notes: Using a static port ACL

- Filters any IP traffic inbound on the designated port, regardless of whether it is switched or routed.
- If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk.
- Adding a port to a trunk applies the trunk's ACL configuration to the new member.
- Removing a port from an ACL-configured trunk removes the ACL configuration from that port.

If a port is configured with an ACL, you must remove the ACL before the port is added to the trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. Also, if you remove a port from an ACL-configured trunk, the ACL configuration is removed from that port.

Implied rules

Figure 2

When an ACL has been applied to an interface, inbound or outbound packets (depending on user configuration) are tested against each ACL entry in the access list until there is a match. When a packet meets the test conditions of an ACL entry, the specified action (permit or deny) is followed, and the packet is not tested further against the remaining conditions in the ACL.

In every IP access group there is an implied member, which denies all traffic that is not specifically permitted by any of the explicit ACL entries. While in many traffic-filtering applications this is a desired effect, sometimes it is not. The implied deny any ACL entry can cause unexpected results if you are not aware of its existence.

In this example, all packets that fail to match the conditions of the first entry in the ACL will be subjected to the implicit ACE that denies traffic from any source address. As a result, no inbound traffic will be accepted through the VLAN. Therefore, an ACL should have at least one entry that contains the permit action.

Editing ACLs: ACE sequence numbering

The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is 10 and subsequent ACEs are numbered in increments of 10. For example, in the graphic, the show access-list output displays the ACEs for one ACL that are numbered 10, 20, and 30, respectively.

When you add an entry to an ACL, by default, it goes to the end of the list. You can add an ACE to the end of a numbered or named ACL by using either the access-list command for numbered ACLs or the ip access-list command for named ACLs.

On some switches (8200zl, 5400zl, 3500yl, and 6200yl), if you need to add an ACL entry to some location other than the end of the list, you can specify a sequence number so that the ACE is inserted in the correct location relative to the other existing ACEs. To use this feature, you must be in the named ACL (nacl) context.

From the named ACL context level, you can also easily remove an ACE using the no <sequence-number> command. In addition, you can redefine the sequence numbers of all ACEs in a given ACL using the ip access-list resequence <start-sequence> <increment> command, where <start-sequence> is the sequence number you want to assign to the first ACE and <increment> is the incrementing value by which subsequent ACEs will be numbered.

ho
w
When you have many ACL configuration changes to make to an existing configuration, you can use one of several approaches listed in the graphic:

- Remove one or more ACEs and then redefine them in the preferred order.

- Use the copy command to transfer the ACL configuration to a server for editing. You can use the copy command-output show access-list config tftp command to transfer the entire ACL configuration to a text file on the server. You can then edit the file to make the necessary changes. When you are done, use the copy tftp command-file command to transfer the modified ACL configuration to the switch.

Note
It is important to insert no ip access-list commands at the beginning of the file if you are replacing any ACL using the same number or name identifier.

- Use TFTP (or SFTP if SSH is enabled) to transfer the switch configuration file to a server for editing. Then you can modify the ACLs listed in the configuration file and add any additional ones that are necessary. When completed, you can transfer the file back to the startup configuration or a particular named configuration file instance.

It is important to note that the manual modification of ACL entries can result in anomalous behavior. For example, if you delete all permit ACEs from an ACL without removing its inbound or outbound association with an interface, all traffic filtered by that ACL on that interface will be denied by the implicit deny. On the other hand, if you remove the ACL's inbound or outbound association with an interface, some resources may be unprotected during the interval between removal of the incorrect ACL and the definition and application of the corrected ACL.

Defining the extended ACL

Standard ACLs use only source IP addresses as filtering criteria; extended ACLs use multiple filtering criteria. At a minimum, an extended ACL contains an ACL ID, an action (permit or deny), a protocol, a source IP address, and a destination IP address.

Using an extended ACL allows you to more specifically control the IP packet-filtering process. Extended ACLs allow filtering based on the following criteria:

- Source and destination IP addresses. The IP address can be specified in one of several formats that identify a specific host IP address, a subnet, a group of IP addresses, or any IP address.

- IP protocol. This can be specified as a number from 0 to 255, or one of several well-known names. Examples of well-known names are ip, tcp, udp, and icmp.

- Optional message type criteria for the IGMP and ICMP protocols.

- Optional source and/or destination TCP/UDP ports. In addition, you can specify a comparison operator to more easily qualify the ports. For TCP, the established option can be used to control whether packets that open a new TCP connection (a SYN without ACK) are allowed.

- Optional IP precedence and ToS criteria.

- Optional logging keyword, which is applicable only to the deny action.

To define an extended ACL you first use the ip access-list extended command to define an ACL ID. This command also causes the extended named ACL context to be accessed. From this context level you can specify one or more ACEs.

Identifying traffic by protocol type

IP protocol options

An extended ACL allows you to filter traffic based on the protocol type field in the IP header. Specifying a value for this criterion is required in an extended ACL. For this criterion, you can specify any one of the following:

- A protocol number in the range of 0 to 255

- A well-known protocol name from the following list:
  ah, esp, gre, icmp, igmp, ip, ip-in-ip, ipv6-in-ip, ospf, pim, sctp, tcp, udp, vrrp

Note
Not all switches support the protocols in this list, while some switches support several other protocols. For details about the specifically supported protocols, refer to the Access Security guide (or Advanced Traffic Management guide) for the switch model.

If you do not want to specify a protocol as a selection criterion, you should specify ip as the protocol. This will cause all IP traffic to be tested against the ACL entry.

The Internet Assigned Numbers Authority (IANA) maintains a database of well-known protocol and port names at http://www.iana.org.

ICMP protocol options

IP hosts rely heavily on the Internet Control Message Protocol (ICMP), and it would likely have a negative impact on network communication if you were to deny all ICMP traffic. Some HP switches allow you to identify individual ICMP message types in an ACL entry. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic.

In an extended ACL using icmp as the IP protocol type, you can optionally specify an individual ICMP message type or message type/code pair to further define the criteria for a match. This option, if used, is specified after the destination IP address criterion. As an alternative, the ACE can include the well-known name of an ICMP message type. Some examples of these message type names are echo, echo-reply, host-unreachable, and port-unreachable.

IGMP protocol options

Similar to ICMP, IGMP is also a protocol for which you may want to filter selectively based on message type criteria. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or denying all types of IGMP traffic.

In an extended ACL using igmp as the IP protocol type, you can optionally specify an individual IGMP message type. As an alternative, the ACE can include the well-known name of an IGMP message type. Some examples of these message type names are host-report, host-query, v2-host-report, v3-host-report, v2-host-leave, and trace.

Identifying TCP/UDP traffic by port number or name

An extended ACL also allows you to filter traffic based on the destination port, the source port, or both. These fields are located in the Layer 4 (TCP or UDP) header. The port identifier may be any one of the following:

- A port number in the range of 0 to 65535

- A well-known port name from the following list:
  TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
  UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

If you specify a source or destination port number or name, you also need to specify a comparison operator. The comparison operators are:

- eq: Equal to
- gt: Greater than
- lt: Less than
- neq: Not equal to
- range <start> <end>: Range of port numbers from start to end, inclusive

For the TCP protocol, you can optionally include the established keyword, which is used to control TCP connection traffic. It can be used so that synchronizing packets associated with establishing a TCP connection are blocked in one direction on a VLAN, while allowing all other IP traffic for the same type of connection in the opposite direction.

For example, a Telnet connection request requires TCP traffic to move both ways between a host and the target device. Simply applying a deny action to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction, because responses to outbound requests would be blocked. However, by using the established keyword, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.
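The following Python model, added here as an example and not taken from the HP guide or from switch software, exercises the behaviour described above and under "Editing ACLs": ACEs are tested in sequence-number order, the first match decides, an ACL with no permit entry drops everything through the implicit deny, and an ACE inserted by sequence number in the nacl context changes the outcome. It also models the port comparison operators and the established keyword, which is taken to match TCP segments that carry ACK or RST, so a connection-opening SYN never matches it. The Packet and ACE types, the addresses and the traffic samples are constructed for the example, and "inbound" is used as the Telnet example above uses it: traffic arriving for hosts on the VLAN.

```python
"""First-match ACL evaluation model (added example, not switch code).
ACEs are tried in sequence-number order; the first match decides; if none
matches, the implicit deny-any applies. 'established' (TCP only) is modelled
as matching segments with ACK or RST set, so an opening SYN never matches."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None     # None: no TCP/UDP header
    dport: Optional[int] = None
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

# ("eq"|"neq"|"gt"|"lt", port) or ("range", low, high); None means any port.
PortCond = Optional[Tuple]
OPERATORS = {"eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
             "gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0],
             "range": lambda p, a: a[0] <= p <= a[1]}

@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src: str                        # CIDR such as "10.10.10.0/24", or "any"
    dst: str
    sport: PortCond = None
    dport: PortCond = None
    established: bool = False

def addr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def port_match(cond: PortCond, port: Optional[int]) -> bool:
    if cond is None:
        return True
    if port is None:                # the ACE names a port but the packet has none
        return False
    return OPERATORS[cond[0]](port, cond[1:])

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
        return False
    if not (port_match(ace.sport, pkt.sport) and port_match(ace.dport, pkt.dport)):
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False
    return True

class ACL:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[ACE] = []

    def add(self, ace: ACE) -> None:
        """Insert by sequence number, as the named-ACL (nacl) context allows."""
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError(f"sequence number {ace.seq} already in use")
        self.aces = sorted(self.aces + [ace], key=lambda a: a.seq)

    def append(self, **fields) -> ACE:
        # Default add: the ACE goes to the end, numbered last + 10 (the first is 10).
        ace = ACE(seq=self.aces[-1].seq + 10 if self.aces else 10, **fields)
        self.add(ace)
        return ace

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """(action, seq) of the first matching ACE, or ("deny", None)."""
        for ace in self.aces:
            if ace_matches(ace, pkt):
                return ace.action, ace.seq
        return "deny", None         # the implicit deny-any entry

# Constructed traffic arriving for a host on the VLAN (10.10.10.0/24).
TELNET_REQUEST = Packet("tcp", "192.0.2.7", "10.10.10.5", 51000, 23, frozenset({"SYN"}))
TELNET_REPLY = Packet("tcp", "192.0.2.7", "10.10.10.5", 23, 51000, frozenset({"SYN", "ACK"}))

# Denying every TCP segment involving port 23 also drops replies to outbound sessions.
NAIVE = ACL("telnet-naive")
NAIVE.append(action="deny", proto="tcp", src="any", dst="any", dport=("eq", 23))
NAIVE.append(action="deny", proto="tcp", src="any", dst="any", sport=("eq", 23))
NAIVE.append(action="permit", proto="ip", src="any", dst="any")

# With 'established', replies from a Telnet server pass; new inbound sessions are refused.
WITH_ESTABLISHED = ACL("telnet-established")
WITH_ESTABLISHED.append(action="permit", proto="tcp", src="any", dst="any",
                        sport=("eq", 23), established=True)
WITH_ESTABLISHED.append(action="deny", proto="tcp", src="any", dst="any", dport=("eq", 23))
WITH_ESTABLISHED.append(action="permit", proto="ip", src="any", dst="any")

# No permit entry at all: traffic the deny does not name still hits the implicit deny.
DENY_ONLY = ACL("deny-only")
DENY_ONLY.append(action="deny", proto="tcp", src="any", dst="any", dport=("eq", 23))

if __name__ == "__main__":
    for acl in (NAIVE, WITH_ESTABLISHED, DENY_ONLY):
        print(acl.name, acl.evaluate(TELNET_REQUEST), acl.evaluate(TELNET_REPLY))
```

Running the module prints one line per ACL with the decision for the inbound connection request and for the reply. The naive ACL denies both; the established version denies the request at sequence 20 and permits the reply at sequence 10; the deny-only ACL returns ("deny", None) for the reply, the implicit deny that is never visible in show access-list. Adding ACE(5, "permit", "tcp", "any", "any", established=True) with the add method puts it in front of the deny and the reply is then permitted at sequence 5.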
Feature support by platform (from the graphic):

Feature               ProVision     5300xl        3400cl/6400cl   Comware
Max ACLs              2048          255           Depends         3000
Layer 2 VLAN (VACL)   Yes, in       No            No              Yes, in/out
Layer 3 VLAN (RACL)   Yes, in/out   Yes, in/out   No              Yes, in/out
Static per-port       Yes, in       No            Yes, in         Yes, in/out
Dynamic per-port      Yes           Yes           Yes             (not given)
Sequence numbers      Yes           No            No              Yes
Any IP protocol       Yes           No            No              Yes
Any TCP/UDP port      Yes           Yes           Yes             Yes
ToS / Precedence      Yes           No            No              Yes
DSCP                  No            No            No              Yes

This table provides a summary of ACL feature support on the indicated HP switch models. Depending on the type of ACL and the switch model, you may be able to assign an ACL to an interface to filter inbound, outbound, or both.

All switches listed support the configuration of ACLs through the CLI. The 9300m also supports configuration of ACLs through the web management interface.

The maximum number of ACLs varies by switch model. In the case of the 3400cl and 6400cl models, the maximum number supported depends on the usage of the switch's rule and mask resources. Refer to the Advanced Traffic Management Guide for additional information on how to monitor these resources.

Comware ACLs

Comware ACLs support the same types of ACLs that have been discussed to this point. The biggest difference is that ACLs are applied using QoS policies or using the packet-filter command:

- Port-based ACL: QoS policy, or the packet-filter command
- VLAN ACL: QoS policy
- IP interface ACL: the packet-filter command

These are the steps necessary to configure an ACL using the QoS policy method:

- Create an ACL.
- Create a traffic classifier. This usually specifies an ACL.
- Create a traffic behavior. This setting overrides the action defined in the ACL itself.
- Create a QoS policy to link the traffic classifier (ACL) and the behavior.
- Assign the QoS policy to the switch: globally, to a VLAN (VACL), or to a port (PACL).

Note
It is possible to define multiple ACLs, traffic classifiers, and traffic behaviors and apply each one sequentially in a QoS policy.

These are the steps to create an ACL using the packet-filter command:

- Create the ACL.
- Assign the ACL using the packet-filter command, to a port (PACL) or to a routed interface (RACL).

An advantage of the packet-filter command is that ACLs applied with it can be modified dynamically. To modify an ACL applied with a QoS policy, the policy must first be removed.

Introduction to ACL

Introduction

An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic will then be permitted or rejected by predefined security policies. ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.

Application of ACLs on the Switch

The switch supports two ACL application modes:

- Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL is applied to an Ethernet interface or VLAN interface for packet filtering, or is referenced by a QoS policy for traffic classification. Note that when an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS.

- Software-based application: An ACL is referenced by a piece of upper-layer software. For example, an ACL can be referenced to configure login user control behavior, thus controlling Telnet, SNMP, and Web users. Note that when an ACL is referenced by the upper-layer software, actions to be taken on packets matching the ACL depend on those defined by the ACL rules.

Note
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL.

This is a table of the IPv4 ACL categories:

Category                    ACL number     Matching criteria
Basic IPv4 ACL              2000 to 2999   Source IP address
Advanced IPv4 ACL           3000 to 3999   Source IP address, destination IP address, protocol carried over IP, and other Layer 3 or Layer 4 protocol header information
Ethernet frame header ACL   4000 to 4999   Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority, and link layer protocol type

IPv4 ACL Naming

When creating an IPv4 ACL, you can specify a unique name for it. Afterwards, you can identify the ACL by its name. An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.

Note
The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.

IPv4 ACL Rule Order

An ACL can contain multiple rules, which are identified by their rule IDs. Each rule defines a condition that is different from those for the other rules of the ACL. Because these rules may overlap or conflict, the term rule order is introduced to determine which rule will apply. A packet is compared against the rules of the ACL in the rule order until a matching rule is found, and is then processed as per the rule.

Two rule orders are available for IPv4 ACLs:

- config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number has a higher priority.
- auto: ACL rules are sorted in depth-first order. The depth-first order differs with ACL categories.

For more details on the auto rule order, see the user manual.

Rule Numbering Step with IPv4 ACLs

Meaning of the rule numbering step

The rule numbering step defines the increment by which the system numbers rules automatically. By default, the rule numbering step is 5, and if you do not specify ID numbers for the rules when creating them, rules are automatically numbered 0, 5, 10, 15, and so on.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 will cause the rules to be renumbered 0, 2, 4, 6, and 8.

Likewise, when the default step is restored, ACL rules are renumbered in the default step. For example, there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the rules are renumbered 0, 5, 10, and 15.

Benefits of using the rule numbering step

The concept of the ACL rule numbering step is introduced to facilitate insertion of new rules in an ACL that already contains rules, and a bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, in which case ACL rules are sorted in ascending order of rule ID. For example, for an ACL with four rules, rule 0, rule 5, rule 10, and rule 15, you can insert a rule numbered 1, 2, 3, or 4 between rule 0 and rule 5.

If no ID is specified for a rule when the rule is created, the system automatically assigns it the smallest multiple of the step that is bigger than the current biggest rule ID, starting with 0. For example, given the step of 5, if the present biggest rule ID is 28, the newly defined rule will be numbered 30. If the ACL does not contain any rule, the first defined rule will be numbered 0.
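The numbering rules above (auto-assigned IDs, renumbering when the step changes, and the room left for insertion under the config order) can be checked with this Python model.  It is an added example, not Comware code or output: the ComwareAcl class, the walkthrough() function and the ACL numbers it uses are constructed for the example, and the way the model treats a duplicate rule ID is a simplification noted in the code.

```python
"""Comware IPv4 ACL rule-numbering model (added example, not Comware code).
Auto-assigned ID: the smallest multiple of the step above the largest existing
ID (0 for an empty ACL). Changing the step renumbers every rule from 0 in its
current order. Under the config match order, ascending ID is the match order."""
from typing import Dict, List, Optional

class ComwareAcl:
    DEFAULT_STEP = 5

    def __init__(self, number: int, step: int = DEFAULT_STEP):
        self.number = number
        self.step = step
        self.rules: Dict[int, str] = {}     # rule ID -> rule text, e.g. "permit ip"

    def next_id(self) -> int:
        """ID the system assigns to a rule created without an explicit ID."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule with the given ID, or with the next auto-assigned ID.
        Model simplification: an existing ID is simply overwritten; see the
        user manual for how the switch itself treats a duplicate rule ID."""
        rid = self.next_id() if rule_id is None else rule_id
        self.rules[rid] = text
        return rid

    def set_step(self, step: Optional[int] = None) -> List[int]:
        """Change the step (None restores the default) and renumber from 0."""
        self.step = self.DEFAULT_STEP if step is None else step
        texts = [self.rules[rid] for rid in self.config_order()]
        self.rules = {i * self.step: text for i, text in enumerate(texts)}
        return self.config_order()

    def config_order(self) -> List[int]:
        """Match order under 'config': ascending rule ID."""
        return sorted(self.rules)

    def free_ids_between(self, lower: int, upper: int) -> List[int]:
        """IDs still free for a rule that must match after lower and before upper."""
        return [rid for rid in range(lower + 1, upper) if rid not in self.rules]

def walkthrough() -> dict:
    """Reproduce the numbering examples given in the text."""
    results = {}
    acl = ComwareAcl(3000)
    for rid in (5, 10, 13, 15, 20):
        acl.add_rule("permit ip", rule_id=rid)
    results["step 5 -> 2"] = acl.set_step(2)                  # [0, 2, 4, 6, 8]

    acl = ComwareAcl(3001, step=2)
    for rid in (0, 2, 4, 6):
        acl.add_rule("permit ip", rule_id=rid)
    results["restore default step"] = acl.set_step()          # [0, 5, 10, 15]

    acl = ComwareAcl(3002)
    results["first id in empty ACL"] = acl.next_id()          # 0
    acl.add_rule("deny tcp", rule_id=28)
    results["next id after 28"] = acl.add_rule("permit ip")   # 30

    acl = ComwareAcl(3003)
    for _ in range(4):
        acl.add_rule("permit ip")                             # 0, 5, 10, 15
    results["room between rule 0 and rule 5"] = acl.free_ids_between(0, 5)  # [1, 2, 3, 4]
    acl.add_rule("deny udp", rule_id=3)                       # matched after 0, before 5
    results["config order after insert"] = acl.config_order() # [0, 3, 5, 10, 15]
    return results

if __name__ == "__main__":
    for label, value in walkthrough().items():
        print(f"{label}: {value}")
```

The practical point the model makes visible: with the default step there are four free IDs between any two auto-numbered rules, so a rule can be placed ahead of an existing one without renumbering; with a step of 1 there is no room at all and the only way to reorder is to change the step, which renumbers everything and invalidates any rule IDs you have recorded elsewhere.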
Effective Time Period of an IPv4 ACL

You can control when a rule can take effect by referencing one or more time ranges in the rule. You may reference a time range before or after creating it. However, a rule referencing a time range can take effect only after the time range is defined and becomes active.

IP Fragments Filtering with IPv4 ACLs

Traditional packet filtering matches only the first fragments of IP packets; all subsequent non-first fragments are allowed to pass through. As attackers may fabricate non-first fragments to attack your network, this results in security risks.

In the configuration of a rule for an IPv4 ACL, the fragment keyword specifies that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or to first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.

Note
For information on IPv6 ACLs, see the Master ASE Network Infrastructure course titled HP Enterprise Networks or the user manual.

Summary: ACLs

This module provided an overview of the key ACL concepts you need to understand for implementing them. These concepts include understanding how ACLs are comprised of one or more entries called ACEs, and that the ACEs share a common ACL identifier. The ACEs specify the filtering criteria that will be applied to packets to determine whether or not the configured action (permit or deny) will be applied.

Once created, an ACL can be assigned to a switch interface. Until an ACL is assigned to an interface, it has no effect on traffic processed by the switch. Depending on the switch model, you may be able to assign an ACL to a VLAN, port, port list, or trunk interface.

A given ACL may be used for various traffic filtering purposes. These include:

- Inbound on a VLAN (switched traffic only)
- Inbound or outbound on a VLAN (routed traffic only)
- Inbound on a static port
- Inbound on a dynamic port

Note
The traffic filtering purposes for which you can implement an ACL depend on the HP switch model.

There are two major types of ACLs that you can configure. A standard ACL is used when the source address is sufficient to filter the traffic of interest. An extended ACL is useful for more complex filtering requirements where you may need to identify traffic based on IP protocol type, source and destination IP addresses, source and destination port numbers, and other criteria.
Module 4: MAC Lockdown and Lockout

In this module, the MAC Lockdown and MAC Lockout features are described. These two features provide a type of port-based security. Both involve the specification of MAC addresses as part of their configuration. MAC Lockdown is used to ensure a particular device can only access the network through designated ports, whereas MAC Lockout is used to ensure a particular device does not access the network through one or more switches.

Scenario: MAC Lockdown and MAC Lockout

Figure 1

The IT staff frequently needs to support visiting faculty from other colleges as part of joint seminar programs and research projects. Typically, the visiting faculty work out of several visitor offices with telephone and computer hookup services and bring in their own notebooks.

It is the security policy not to allow the visiting faculty to connect in the full-time faculty lounge, which they are allowed to use for its other intended purposes. One consideration for enforcing any access controls is that the IT staff does not have administrative rights to the computers of the visiting faculty.

So the essential challenge for the IT staff is to allow the visiting faculty access to only the resources they require while keeping them from any unauthorized locations.

MAC Lockdown explained

Figure 2

MAC Lockdown is the permanent assignment of a MAC address to a specific port and VLAN. MAC Lockdown is supported on a variety of HP switches.

MAC Lockdown is a type of port security based on Layer 2 static addressing. To use this feature you must manually define the MAC addresses of devices for which you want to enforce the restriction of using designated ports within particular VLANs. Therefore, when configured, a device with a specified MAC address can only connect to the designated port and will only be assigned to the associated VLAN of that port.

If the device is moved to a different port on the switch, the switch will detect that the MAC address is not connecting to the appropriate port and will quietly drop all traffic from the device.

The MAC address cannot be used on any other port on a given switch unless it is configured in another MAC Lockdown entry that involves a different VLAN. That is, you cannot lock down a given MAC address to multiple ports in the same VLAN, but you can lock down multiple MAC addresses to the same port of a given VLAN.

To lock down a MAC address, the associated device does not necessarily need to be directly connected to the switch where MAC Lockdown is configured.

Implementing MAC Lockdown on ProVision

Figure 3

Implementing MAC Lockdown is a fairly simple task. You will first need to obtain the MAC addresses of the devices that you want to lock down on a particular switch.

You use the static-mac command to specify three required parameters:

- MAC address of the device
- VLAN identifier
- Port identifier

The MAC address can be specified in one of several different formats as indicated in the graphic above. You can use a dash or semicolon to delimit each hexadecimal octet or each group of three octets, or choose not to use either delimiter.

You can use the show static-mac command to display the locked down MAC addresses configured on the switch.

Viewing MAC Lockdown log messages

Figure 4

This graphic shows an example of Event Log messages that will be generated if a locked down device is inadvertently or otherwise plugged into a port on the switch that is not on the MAC Lockdown list for the device.

In this example, a device is initially connected to port A9 successfully. This port is a member of VLAN 8 and has a static MAC address configured for this particular device. Note that the "virtual LAN enabled" and "virtual LAN disabled" messages occur because this device is the one and only device in the referenced VLAN at this time on the switch.

At a later time, the Ethernet cable connecting to the locked down device is moved to another port on the switch, port A11. This port does not have this device's MAC address configured as a MAC Lockdown entry. In fact, since port A11 is apparently part of the same VLAN, it cannot be configured with a MAC Lockdown entry for the same MAC address/VLAN pair. If port A11 was a member of a different VLAN, then it could be a candidate for configuring the same MAC address, since the VLAN ID would be different from the entry configured on port A9.

Although the Event Log indicates the port is enabled (on-line), the device is actually prevented from transmitting any packets into the network, as implied by the "move <mac-address> to port A11 denied" messages.

Message throttling is imposed on the logging of these MAC Lockdown messages on a per-module basis. What this means is that the logging system checks again after the first 5 minutes to see if another attempt has been made to move to the wrong port. If this is the case, the log file registers the most recent attempt and then checks again after one hour. If there are no further attempts in that period, then it will continue to check every 5 minutes. If another attempt was made during the one hour period, then the log resets itself to check once a day. Using this message throttling measure prevents the log file from becoming too full with multiple occurrences of these messages.

Note
You can also configure the switch to send the same messages to a Syslog server.

MAC Lockdown considerations

MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and the ports to which they are allowed to connect. Whereas port security can learn a MAC address, and optionally have the port disabled if the address limit is exceeded, for MAC Lockdown an address must be configured to prevent the port from learning an unexpected address.

Configuration of the MAC Lockdown and Port-Security features is mutually exclusive. The Port-Security feature will be described in a later section.

MAC Lockdown is a straightforward one-to-one relationship of a device's MAC address and the port it is allowed to use. MAC Lockdown does require manual entry, but it also prevents unexpected occurrences.

If you deploy multiple path technologies, such as MSTP, RSTP, or meshing, in your network and you also implement the MAC Lockdown feature, a situation could arise where the MAC Lockdown is not enforced. This could occur if an alternate path becomes active and the locked down device is not directly connected to the switch on which MAC Lockdown is configured.

Depending on the topology design, the alternate path may potentially:

- Bypass the switch with MAC Lockdown configured altogether, or
- Enter the switch with MAC Lockdown configured over a different port.

It is recommended that no more than 500 MAC Lockdown entries be configured per switch.

MAC Lockout explained

MAC Lockout is the configuration of a particular MAC address as a "drop" on all ports and VLANs on a given switch. Any traffic from the designated MAC address will be quietly dropped if encountered on any port. This feature is configured on a per-switch basis for each MAC address.

One important point to note is that, similar to MAC Lockdown, the device with the locked out MAC address does not have to be connected directly to the switch where the lockout is configured for enforcement to occur. The only requirements are that packets from a locked out device:

- Reach a switch where it is configured
- Traverse a Layer 2 path, i.e., are not routed in between

Implementing MAC Lockout

Implementing MAC Lockout is also a fairly simple task. You will first need to obtain the MAC addresses of the devices that you want to lock out from a particular switch.

You use the lockout-mac command to specify a single MAC address of the device you want to lock out. Just like when you configure MAC Lockdown, you can specify the MAC address for the lockout-mac command in one of several different formats as indicated in the graphic above. You can use a dash or semicolon to delimit each hexadecimal octet or each group of three octets, or choose not to use either delimiter.

You can use the show lockout-mac command to display the locked out MAC addresses configured on the switch.

Viewing MAC Lockout log messages

Figure 5

This graphic shows an example of Event Log messages that will be generated if a locked out device is plugged into a port on the switch where the MAC address is configured as a locked out entry.

In this example, a device with a prohibited MAC address is connected to port A2, which happens to be a member of VLAN 10. Note that the "virtual LAN enabled" message occurs because this device is the one and only device in the referenced VLAN at this time on the switch.

Although the Event Log indicates the port is enabled (on-line), the device is actually prevented from transmitting any packets into the network, as implied by the "maclock: module <slot-id> <mac-address> detected on port A2" messages.

Similar to how MAC Lockdown event messages are handled, message throttling is imposed on the logging of these MAC Lockout messages on a per-module basis. Using this message throttling measure prevents the log file from becoming too full with multiple occurrences of these messages.

Note
You can also configure the switch to send the same messages to a Syslog server.

MAC Lockout considerations

MAC Lockout is a powerful feature to stop a known device from accessing a switch. Keeping in mind that you must know the MAC address in advance, MAC Lockout is preferable to relying upon port security to stop access from known devices, because the device can be blocked on all ports of the switch with one command.

Unlike MAC Lockdown, MAC Lockout operates independently of Port-Security. The two can be used in conjunction with each other to allow some flexibility in learning MAC addresses and allowing access, while at the same time denying access to a specific device. When using the two together, take note that if a MAC address is locked out, it will be denied access even if it appears in a static learn table as an acceptable address.

It is recommended that no more than 16 MAC Lockouts be configured per switch if 1024 or fewer VLANs are configured, or no more than 8 per switch if more than 1024 VLANs are configured. If too many students were to attempt to access the network from inappropriate locations, some other way of preventing such access would need to be considered.
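The forwarding decisions described in this module can be pictured with the following Python model of one switch's MAC Lockdown and MAC Lockout tables. It is an added example, not switch code: the MacSecuritySwitch class, the port names and the MAC addresses are constructed for the example, and the entry limits it warns about are the recommendations quoted in the text. It replays the Event Log scenario above (a device locked to A9 in VLAN 8 and then moved to A11), the rule that one MAC may be locked down to a second port only in a different VLAN, the rule that many MACs may share one port and VLAN, and the rule that a lockout overrides a static entry.

```python
"""MAC Lockdown / MAC Lockout decision model for one switch (added example,
not switch code). Lockdown binds (MAC, VLAN) to one port; the same MAC may be
locked down again only in another VLAN; many MACs may share a port. A locked
down MAC seen on another port, or in a VLAN where it has no entry, is dropped.
Lockout drops the MAC on every port and VLAN and wins over any static entry."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

def normalize_mac(mac: str) -> str:
    """Accept xx-xx-xx-xx-xx-xx, xxxxxx-xxxxxx or xxxxxxxxxxxx (':' too);
    return twelve lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class MacSecuritySwitch:
    vlan_count: int = 1
    lockdown: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (mac, vlan) -> port
    lockout: Set[str] = field(default_factory=set)
    warnings: List[str] = field(default_factory=list)

    def static_mac(self, mac: str, vlan: int, port: str) -> None:
        """Model of: static-mac <mac> vlan <vid> interface <port>"""
        mac = normalize_mac(mac)
        bound = self.lockdown.get((mac, vlan))
        if bound is not None and bound != port:
            raise ValueError(f"{mac} is already locked down to {bound} in VLAN {vlan}")
        self.lockdown[(mac, vlan)] = port
        if len(self.lockdown) > 500:                 # recommended maximum from the text
            self.warnings.append("more than 500 MAC Lockdown entries configured")

    def lockout_mac(self, mac: str) -> None:
        """Model of: lockout-mac <mac>"""
        self.lockout.add(normalize_mac(mac))
        limit = 8 if self.vlan_count > 1024 else 16  # recommended maximum from the text
        if len(self.lockout) > limit:
            self.warnings.append(f"more than {limit} MAC Lockouts configured")

    def ingress(self, src_mac: str, port: str, vlan: int) -> str:
        """What the switch does with a frame from src_mac arriving on port in vlan."""
        mac = normalize_mac(src_mac)
        if mac in self.lockout:                      # lockout overrides static entries
            return f"drop: locked out {mac} detected on port {port}"
        bindings = {v: p for (m, v), p in self.lockdown.items() if m == mac}
        if not bindings:
            return "forward"                         # not locked down: normal learning
        if bindings.get(vlan) == port:
            return "forward"
        return f"drop: move {mac} to port {port} denied"

def walkthrough() -> dict:
    """Replay the scenario from the Event Log example above."""
    sw = MacSecuritySwitch()
    dev, other = "001635-12a8b0", "00-16-35-00-00-01"    # constructed addresses
    sw.static_mac(dev, 8, "A9")
    out = {"on A9/vlan 8": sw.ingress(dev, "A9", 8)}
    out["moved to A11/vlan 8"] = sw.ingress(dev, "A11", 8)
    out["A9 but vlan 9"] = sw.ingress(dev, "A9", 9)
    try:                                             # same MAC, same VLAN, second port
        sw.static_mac(dev, 8, "A11")
        out["second port same vlan"] = "accepted"
    except ValueError:
        out["second port same vlan"] = "rejected"
    sw.static_mac(dev, 9, "A11")                     # same MAC, different VLAN: allowed
    out["A11/vlan 9 after second entry"] = sw.ingress(dev, "A11", 9)
    sw.static_mac(other, 8, "A9")                    # many MACs on one port/VLAN: allowed
    out["other device on A9/vlan 8"] = sw.ingress(other, "A9", 8)
    sw.lockout_mac(dev)                              # lockout beats the static entry
    out["locked out on its own port"] = sw.ingress(dev, "A9", 8)
    return out

if __name__ == "__main__":
    for label, decision in walkthrough().items():
        print(f"{label}: {decision}")
```

The model also makes the limitation of a single-switch lockdown obvious: ingress() only sees frames that reach this switch, so a device plugged into a neighbouring access switch is never examined, which is why the text pairs a lockdown on one switch with a lockout on the others.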


Using MAC Lockdown and MAC Lockout together

Figure 6

When using MAC Lockdown to bind a device to a particular port on a switch, you must consider the entire layer of network access for that device. For example, considering the above diagram, if a device had its MAC address locked down to a port on the Layer 2 switch on the far left, that device could not be used on any other port on that particular switch. But the device could be connected to another switch at Layer 2 and still have access to the core network.

This may or may not be the desired result, but if the goal is actually to lock down a device to a specific location on the network, then the device needs to be locked down to a specific port on one switch and locked out of all other switches it could potentially access at the same access layer.

Comware MAC Table Configuration

MAC Lockdown
Usually, a switch populates its MAC address table automatically by learning the source MAC addresses of incoming frames.

To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks.

Note
When using the mac-address command to add a MAC address entry, ensure that the interface specified by the interface keyword is already assigned to the VLAN specified by the vlan keyword, and that the VLAN already exists. Otherwise the command fails.

The command used to configure a MAC Lockdown is the mac-address command:

    <A5800>system-view
    [A5800] mac-address static <mac-addr> interface <port-id> vlan <vid>

MAC Lockout

Usually, a device populates its MAC address table automatically by learning the source MAC addresses of received frames.

You can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

The command used to configure a MAC Lockout is the mac-address command:

    <A5800>system-view
    [A5800] mac-address blackhole <mac-addr> vlan <vid>

Notice that a separate blackhole command is necessary for each desired VLAN.

It may be desirable to use these features together to completely protect a network. Use one command to lock a device down on one switch, and use the blackhole command on the other switches in the network to keep the device from moving to another switch.
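The combined use just described, as an added Python model that is not part of the course material or of HP's software: a device is locked down to one port of one switch and locked out of every other access switch, with the Comware commands each switch needs and an ingress decision that applies the precedence rules stated in this module. Switch names, VLANs, port names and MAC addresses are constructed for illustration.

```python
"""Model of MAC Lockdown and MAC Lockout ingress decisions across switches.

Added example; not part of the course or of HP switch software. It models the
rules stated in this module: a locked-down MAC/VLAN pair may only enter the
switch on its bound port, a locked-out MAC is dropped on every port (even if a
static entry also lists it), the same MAC in another VLAN may be bound to a
different port, and a Comware blackhole entry is needed for each VLAN.
Switch names, VLANs, ports and MAC addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    vlans: tuple[int, ...]
    # (mac, vlan) -> port: MAC Lockdown ("mac-address static" on Comware)
    lockdowns: dict[tuple[str, int], str] = field(default_factory=dict)
    # MACs dropped on every port: MAC Lockout ("mac-address blackhole")
    lockouts: set[str] = field(default_factory=set)

    def lockdown(self, mac: str, vlan: int, port: str) -> str:
        """Bind mac/vlan to one port. Returns the equivalent Comware command."""
        if vlan not in self.vlans:
            raise ValueError(f"VLAN {vlan} does not exist on {self.name}")
        self.lockdowns[(mac.lower(), vlan)] = port
        return f"mac-address static {mac} interface {port} vlan {vlan}"

    def lockout(self, mac: str) -> list[str]:
        """Block mac on all ports. One blackhole command per VLAN is required."""
        self.lockouts.add(mac.lower())
        return [f"mac-address blackhole {mac} vlan {v}" for v in self.vlans]

    def ingress(self, mac: str, vlan: int, port: str) -> tuple[bool, str]:
        """Decide whether a frame from mac, received on port in vlan, is accepted.
        Lockout is checked first: it overrides any static/lockdown entry."""
        mac = mac.lower()
        if mac in self.lockouts:
            return False, "locked out on all ports"
        bound = self.lockdowns.get((mac, vlan))
        if bound is None:
            return True, "not locked down; subject to port security"
        if bound != port:
            return False, f"locked down to {bound}"
        return True, "lockdown match"


def lock_to_location(switches: list[Switch], mac: str, vlan: int,
                     home_switch: str, home_port: str) -> dict[str, list[str]]:
    """Lock a device to one port of one switch and lock it out of every other
    switch at the same access layer. Returns the commands needed per switch."""
    plan: dict[str, list[str]] = {}
    for sw in switches:
        if sw.name == home_switch:
            plan[sw.name] = [sw.lockdown(mac, vlan, home_port)]
        else:
            plan[sw.name] = sw.lockout(mac)
    return plan


if __name__ == "__main__":
    edge = [Switch("edge1", (10, 20)), Switch("edge2", (10, 20))]
    plan = lock_to_location(edge, "0011-2233-4455", 10, "edge1", "GigabitEthernet1/0/5")
    for name, cmds in plan.items():
        print(name, cmds)
    # The device moved to edge2: dropped on every port of that switch.
    print(edge[1].ingress("0011-2233-4455", 10, "GigabitEthernet1/0/5"))
```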

Summary: MAC Lockdown and Lockout

This module provided an overview of the MAC Lockout and MAC Lockdown security features, the capabilities of each, the key differences, and how to configure and monitor the features.

MAC Lockdown
- Useful for preventing station movement and MAC address hijacking
- Involves permanent assignment of a MAC address to a particular port and VLAN; one instance is allowed
- Multiple different MAC addresses can be locked down to a single port
- The same MAC address within a different VLAN can be assigned to some other port
- ProVision: configured using the static-mac <mac-address> vlan <vid> interface <portid> command
- Comware: configured using the mac-address static <mac-address> interface <portid> vlan <vlan-id> command

MAC Lockout
- Useful when particular MAC addresses can be identified as unwanted on a switch
- MAC addresses are locked out from all ports; packets sent to or from the given MAC address are dropped by the switch
- Implemented on a per-switch basis as a simple blacklist
- ProVision: configured using the lockout-mac <mac-address> command
- Comware: configured using the mac-address blackhole <mac-address> vlan <vlan-id> command

Port Security
Module 5

In this module, the port security feature is described. This feature enables you to configure each switch port with a unique list of device MAC addresses that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

The closest feature to ProVision Port Security on a Comware device is the max MAC address feature described in the previous module.

Scenario: Port security

The HP Port Security feature provides the type of flexibility that allows the switch to learn one MAC address at a time.

- In a campus environment there is much concern regarding advanced piggybacking techniques
- Server MAC address is hijacked and traffic stolen
- In highly sensitive areas there must be tighter control of MAC addresses
- Should be tied to a network port so that they can never be changed
- In more secure areas, more flexibility is required so that on-site administrators can plug into a switch as needed for maintenance and troubleshooting and not worry about triggering disablement of a port
- Ideally, you want the switch to learn or unlearn one MAC address at a time

Port security explained

Figure 1

Using port security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through a given port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

On a per-port basis, you can configure security measures to block unauthorized devices and to send a notice (alarm) of a security violation. Once you have configured port security, you can then monitor the network for security violations through one or more of the following:

- SNMP traps sent to network management tools such as PCM or PCM+
- Event Log entries on the switch
- Intrusion Log entries on the switch

Each port can have one or more MAC addresses specified as the only allowable devices to pass network traffic through the port. These addresses can be learned dynamically as devices connect or preconfigured through the CLI.

ProVision: Port security operating notes

The factory default setting for port security is off for each port. This mode of operation is referred to as continuous mode, in which any device can access a port without causing a security response. The various modes of port security operation are described over the next several pages.

Eavesdrop protection

Configuring port security on a switch port automatically enables eavesdrop protection for that port. This prevents use of the port to flood unicast packets addressed to MAC addresses unknown to the switch. This feature blocks unauthorized users from eavesdropping on traffic intended for addresses that have aged out of the switch's address table.

Here is how eavesdrop protection works. Suppose an intruder connected to a given switch sends a stream of unicast packets, all with different source and destination addresses. The intent of this attack, similar to a SYN flood, is to fill up the switch's address table. When the address table becomes full and a valid client sends a unicast packet to an address that has since aged out due to this attack, the switch floods the unicast packet to all ports because it can no longer add it to its full address table. Eavesdrop protection prevents this valid packet from being flooded and therefore prevents it from being sent to the hacker's port, where the hacker was hoping to eavesdrop on traffic.

Note
Eavesdrop prevention does not affect multicast and broadcast traffic, meaning that the switch floods these two traffic types out a given port regardless of whether port security is enabled on that port.

Blocking unauthorized traffic

This inherent capability of port security prevents an intruder from transmitting traffic into the network without necessarily disabling the port. If the port is not automatically disabled by port security, the switch security measures still block unauthorized traffic. The benefit of this flexibility is that you can implement port security on a port connecting to a shared device such as a hub or switch. In a scenario like that, traffic from a detected intruder on one MAC address can be blocked while still allowing network access to other authorized users.

Note
Broadcast and multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security.

Disabling a port

For selected modes of operation, you can optionally have a port disabled when an intrusion is detected. This implies that an administrator must manually re-enable it at a later time.

Trunk group exclusion

Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration.

Note
Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.

Comware Port Security Features

NTK
The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices that have passed authentication, thus preventing illegal devices from intercepting network traffic.

Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the MAC address for three minutes (unmodifiable).

Trapping
The trapping feature enables the device to send traps upon detecting specified frames that result from, for example, intrusion or user login/logout operations, helping you monitor user behavior.

Comparison: Port security and MAC Lockdown

Figure 2

Because port security relies upon MAC addresses, it is often confused with the MAC Lockdown feature. MAC Lockdown is a very different feature and is implemented at a different architectural level.

Port security maintains a list of allowed MAC addresses on a per-port basis. An address can exist on multiple ports of a switch. The list of allowed MAC addresses for a given port can be dynamically learned, manually defined, or even a combination of both. Port security also deals with MAC addresses only, whereas MAC Lockdown specifies both a MAC address and a VLAN.

MAC Lockdown is not a list; it is a global parameter on the switch for a given MAC address/VLAN pair that takes precedence over any other security mechanism. The MAC address will be allowed to communicate with a specific port on the switch based on the port/VLAN pair configured.

One other important distinction is that MAC Lockdown is not a type of port lockdown. That is, when a MAC Lockdown entry is configured, the MAC address is locked to the designated port, not the other way around. The designated port can receive traffic from another device with a different MAC address, which may be subjected to other security settings such as port security.

MAC address learn modes

ProVision learn mode | Comware port mode | Description
---------------------|-------------------|------------
continuous | Default | Any MAC address is learned as devices connect (default)
static | autoLearn | MAC addresses can be predefined; other addresses can be learned
configured | secure | MAC addresses can be predefined; no addresses can be learned
limited-continuous | N/A | MAC addresses can be learned
port-access | userLogin, userLoginSecure, userLoginSecureExt, userLoginWithOUI, macAddressWithRadius, macAddressOrUserLoginSecure, macAddressElseUserLoginSecure, macAddressElseUserLoginSecureExt | ProVision: used in conjunction with 802.1X to temporarily learn a MAC address of an 802.1X authenticated session. Comware: used for 802.1X / MAC authentication

Figure 3

ProVision

For each port or port list of a switch supporting the Port Security feature, you can configure one of five MAC address learning modes. The default port security setting for each port is continuous learn mode. That is, any device can access a port without causing a security response.

The learn modes specify how each port acquires authorized addresses. These learn modes are:

- Continuous: Allows the port to learn addresses from inbound traffic from any connected device.
- Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices. You can configure a limit value from 1 to 8.
- Configured: Requires that you specify all MAC addresses that will be authorized for use of the port. The port is not allowed to learn addresses from inbound traffic. You can configure a limit value from 1 to 64.
- Limited-continuous: Sets a finite limit to the number of learned addresses allowed per port. You can configure a limit value from 1 to 64.
- Port-access: Enables you to use port security in conjunction with 802.1X port-based access control. This topic will be covered in detail in a later module.

In the pages that follow, the static, configured, and limited-continuous learn modes are described in more detail.

Comparison of static and configured modes

Configured learn mode aspects

Configured mode requires you to specify the MAC addresses of the devices authorized for a port (or port list). For the address-limit parameter, which defines the maximum number of MAC addresses that will comprise the list, you can specify a value from 1 (default) to 8. No MAC addresses will be learned dynamically. So, for example, if you specify 8 for the address-limit parameter but only define 7 MAC addresses, the remaining entry stays empty.

The MAC addresses that are defined for each configured port are not aged out. That is, they are saved in the switch configuration file and are therefore maintained across reboots. You must manually delete them, if necessary. This step will be described later.

Any other detected MAC address will not be allowed and will be handled as an intruder.

Static learn mode aspects

Static mode allows you to specify the MAC addresses of the devices authorized for a port (or port list) along with the address-limit parameter. You can specify a value from 1 (default) to 8 for the address-limit parameter.

In contrast to the configured mode, in static mode you can authorize specific devices for the port while still allowing the port to accept other, non-specified devices. That is, if you define fewer MAC addresses than the address-limit parameter allows, the port authorizes the remaining MAC addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify two authorized devices but define only one MAC address, the port adds the one specifically authorized MAC address to its authorized devices list along with the first additional MAC address it detects. Any subsequently detected MAC address will not be allowed and will be handled as an intruder.

Keep in mind that for the static learn mode, regardless of the address-limit value you specify, it is possible to define no actual MAC addresses and allow the list to be populated dynamically. Unless you have a controlled environment in terms of how devices connect to particular ports, this approach is not recommended.

Note
Both statically defined MAC addresses and those learned addresses that become authorized do not age out.

Comware

Control MAC address learning

- autoLearn: A port in this mode can learn MAC addresses. These automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. When the number of secure MAC addresses reaches the upper limit, the port turns to secure mode.
  In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode.
  A port in autoLearn mode allows only frames sourced from the MAC addresses that are in the MAC address table to pass.
  On a port operating in autoLearn mode, the dynamic MAC address learning function in MAC address management is disabled.
- secure: On a port operating in secure mode, MAC address learning is disabled, but you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
  A port in secure mode allows only frames sourced from the MAC addresses that are in the MAC address table to pass.

Perform 802.1X authentication

- userLogin: A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.
- userLoginSecure: A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
- userLoginSecureExt: This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
- userLoginWithOUI: This mode is similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specified OUI (organizationally unique identifier).
  For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs an OUI check upon receiving non-802.1X frames.
  For wireless users, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication.

Perform MAC authentication

- macAddressWithRadius: A port in this mode performs MAC authentication for users and services multiple users.

Perform a combination of MAC authentication and 802.1X authentication

- macAddressOrUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes.
  For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
  For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.
- macAddressOrUserLoginSecureExt: This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
- macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority, as the Else keyword implies.
  For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication.
- macAddressElseUserLoginSecureExt: This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.

Limited-continuous learn mode

Using the limited-continuous learn mode offers flexibility in a secure environment where port security is important, while keeping the administration costs to an acceptable level. It is recommended to keep the address limit at 1 and allow several devices to connect dynamically only where appropriate. The more flexibility you try to implement with port security, the less security you actually achieve.

The limited-continuous learn mode sets a finite limit to the number of dynamically learned MAC addresses allowed per port. Although you can set the range from 1 (default) to 64, MAC addresses learned through the limited-continuous mode are not manageable. That is, you cannot manually enter or remove these addresses from a port's authorized list.

All MAC addresses learned through the limited-continuous mode appear in the switch and port address tables and age out based on the global mac-age-time parameter. You can view the setting for this parameter using the show system-information command. The default value is 300 seconds. Since any of the learned MAC addresses are temporary, they are lost during a reboot of the switch. This differs from how MAC addresses associated with ports configured to use the static or configured learn modes are handled. For those modes, the MAC addresses are retained over reboots and do not age out.

The actions that can be taken for a detected intruder with limited-continuous learn mode are the same as those allowed for the static and configured modes. When a port is re-enabled and operating in limited-continuous mode, it is possible for the port to relearn, and therefore allow, a MAC address that caused the address limit to be exceeded.

Implementing port security

Figure 4

Port security is configured using the port-security command. The graphic above shows the command syntax and a configuration example specifying the limited-continuous learn mode.

When you configure port security for a port or list of ports, you specify the following:

- Learn mode: The factory default setting is continuous mode for all ports.
- Action: The action to be applied when an intrusion is detected. You can specify one of three options: send an alarm only, send an alarm and disable the port, or take no action. The default action is none for all learn modes.
- Address limit: Specifies the maximum number of MAC addresses that will be allowed in the port's authorized list. This parameter applies only to the static, configured, and limited-continuous modes. For the static and configured modes, you can specify a value from 1 to 8. For the limited-continuous mode you can specify a value from 1 to 64. The default is 1 for all three modes.
- MAC addresses: For the configured and static modes, you can define from 1 to 8 MAC addresses, subject to the address-limit parameter setting.
- Clear intrusion flag: You specify this option to clear the intrusion flag for one or more specified ports. Resetting the intrusion flag is necessary for subsequent events to be listed in the Intrusion Log.

Consider the following points when planning your port security configuration and monitoring needs:

- On which ports do you want port security implemented?
- Which devices (MAC addresses) are authorized on each port? Up to 8 MAC addresses can be authorized for ports using the static and configured modes, and up to 64 MAC addresses can be authorized for ports using the limited-continuous mode.
- For each port, what security actions do you want? You can configure the switch to:
  - Send intrusion alarms to an SNMP management station.
  - Optionally, have the port automatically disabled when an intrusion is detected.
- How do you want to learn of the security violation attempts the switch detects? You can use one or more of these methods:
  - Through a network management tool such as PCM or PCM+.
  - Through the switch's Intrusion Log, which can be examined through the CLI, menu, and web browser management interfaces.
  - Through the switch's Event Log, which can also be examined through the CLI, menu, and web browser management interfaces.

Viewing port security settings

Figure 5

To view the port security configuration of all ports, you use the show port-security command. You can also specify a port list to view the settings for those particular ports.

The MAC addresses that are currently active, learned and predefined, can be viewed using the show mac-address command. This command also allows you to specify a port list.

Viewing the Intrusion Log

Figure 6

The graphic above shows examples of the types of messages you may typically find in the Intrusion and Event logs. In this particular example, a port has been configured for static learn mode with one predefined MAC address.

When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the log until you acknowledge the earlier intrusion event by resetting the alert flag.

At some later point in time, if a device with an incorrect MAC address connects to the port in the example above, an intrusion will be detected. This results in messages being generated in the Intrusion and Event logs. Because the action configured is send-disable, the port is also automatically disabled.

Figure 7

Once the problem has been detected and subsequently diagnosed, the administrator can choose to clear the intrusion flag and then re-enable the port.

The Intrusion Log holds up to 20 entries and manages the log in a last-in first-out manner when the log becomes full. The Intrusion Log entries cannot be manually deleted. As other alarms are generated they replace the older ones once the log becomes full.

Troubleshooting Port Security

- When trying to add a static MAC address, you keep receiving the message "inconsistent value":
  - The address limit set for that port is not large enough to allow for one more MAC address
  - The address is already in the authorized list; check the port status
- Each time you try to remove a MAC address from the authorized list, it keeps reappearing almost instantly:
  - Lower the address-limit first by one, then remove the specific MAC address
- The port is disabled from an intrusion; after the port is re-enabled, the port will not disable itself after another intrusion:
  - Be sure to reset the intrusion flag
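The learn modes, address limit, intrusion flag and the three troubleshooting symptoms above, as an added Python model that is not part of the course material or of HP's software. Port names and MAC addresses are constructed; the one behaviour the module does not state (what happens to already-learned addresses when the limit is lowered) is an assumption of the model and is marked in a comment.

```python
"""Model of ProVision port security learn modes and intrusion handling.

Added example; not part of the course or of HP switch software. It follows the
rules stated in this module for the static, configured and limited-continuous
learn modes, the address-limit parameter, the intrusion flag and the
troubleshooting symptoms. Port names and MAC addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_LIMIT = {"static": 8, "configured": 8, "limited-continuous": 64}
LOG_SIZE = 20   # the Intrusion Log holds up to 20 entries


@dataclass
class SecurePort:
    name: str
    learn_mode: str = "continuous"
    address_limit: int = 1
    action: str = "none"            # none | send-alarm | send-disable
    static_macs: list[str] = field(default_factory=list)   # predefined, kept in config
    learned_macs: list[str] = field(default_factory=list)  # learned from traffic
    enabled: bool = True
    intrusion_flag: bool = False
    intrusion_log: list[str] = field(default_factory=list)

    def configure(self, learn_mode: str, address_limit: int = 1,
                  action: str = "none") -> None:
        """port-security <port> learn-mode ... address-limit ... action ..."""
        if learn_mode != "continuous":
            if not 1 <= address_limit <= MAX_LIMIT.get(learn_mode, 0):
                raise ValueError(f"address-limit {address_limit} invalid for {learn_mode}")
        self.learn_mode, self.address_limit, self.action = learn_mode, address_limit, action

    def set_address_limit(self, limit: int) -> None:
        # Model assumption (not stated in the module): addresses already learned stay.
        if not len(self.static_macs) <= limit <= MAX_LIMIT.get(self.learn_mode, 0):
            raise ValueError("inconsistent value")
        self.address_limit = limit

    def authorized(self) -> list[str]:
        return self.static_macs + self.learned_macs

    def add_static_mac(self, mac: str) -> None:
        """Predefine a MAC address (static and configured modes only)."""
        mac = mac.lower()
        if self.learn_mode not in ("static", "configured"):
            raise ValueError(f"addresses cannot be predefined in {self.learn_mode} mode")
        if mac in self.authorized():
            raise ValueError("inconsistent value: address already in the authorized list")
        if len(self.authorized()) >= self.address_limit:
            raise ValueError("inconsistent value: address limit too small for one more")
        self.static_macs.append(mac)

    def remove_mac(self, mac: str) -> None:
        mac = mac.lower()
        if mac in self.static_macs:
            self.static_macs.remove(mac)
        else:
            self.learned_macs.remove(mac)

    def receive(self, src_mac: str) -> str:
        """Apply the learn mode to a frame's source MAC and return the disposition."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return "dropped: port disabled"
        if self.learn_mode == "continuous" or src_mac in self.authorized():
            return "forwarded"
        can_learn = self.learn_mode in ("static", "limited-continuous")
        if can_learn and len(self.authorized()) < self.address_limit:
            self.learned_macs.append(src_mac)   # fills the remaining address-limit slots
            return "forwarded: learned"
        return self._intrusion(src_mac)

    def _intrusion(self, mac: str) -> str:
        # Until the flag is cleared, further intrusions are neither logged nor acted on.
        if self.intrusion_flag:
            return "dropped: intrusion (flag set, no action)"
        self.intrusion_flag = True
        self.intrusion_log.append(f"port {self.name}: security violation from {mac}")
        del self.intrusion_log[:-LOG_SIZE]
        if self.action == "send-disable":
            self.enabled = False
            return "dropped: intrusion, port disabled"
        if self.action == "send-alarm":
            return "dropped: intrusion, alarm sent"
        return "dropped: intrusion"

    def clear_intrusion_flag(self) -> None:
        self.intrusion_flag = False

    def enable(self) -> None:
        self.enabled = True

    def age_out(self) -> None:
        """mac-age-time expiry: only limited-continuous addresses age out."""
        if self.learn_mode == "limited-continuous":
            self.learned_macs.clear()
```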

Configuring Comware Port Security

Figure 8

In Comware, the port security commands are used to configure features similar to the ProVision feature set as well as 802.1X and MAC authentication. 802.1X and MAC authentication are discussed in the AIS or ASE Network Security Track of the HP Certification Program.

Summary: Port Security

Benefits
- Provides host authentication
- A port can be configured to learn authorized MAC addresses
- A port can be configured to forward traffic from authorized MAC addresses and reject traffic from unauthorized MAC addresses
- The action taken when an unauthorized MAC address transmits can be set to:
  -- Take no action
  -- Send an alert (trap)
  -- Disable the port
  -- Temporarily disable the port

Implementation issues
- Although the switch can learn authorized MAC addresses dynamically, maintaining the addresses in the event of a change or move can be a difficult management task
- Removing/changing statically defined or dynamically learned MAC addresses requires manual intervention

Figure 9

The graphic above summarizes several of the key benefits of deploying port security on HP switches along with some of the implementation issues to consider.

Traffic Filters
Module 6

In this module, Layer 2 traffic filters will be discussed. In the case of both ProVision and Comware software, traffic can be controlled based on source and destination port.

Scenario: Traffic Filters

A company currently has both surveillance and user traffic on separate networks. This has become difficult to manage and expand. It is desired to combine both types of traffic on the same switch without having to reconfigure IP addressing, while keeping the two types of devices from communicating.

Figure 1

ProVision Source Port Filters

Figure 2

You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.

Operating Rules for Source-Port Filters

- You can configure one source-port filter for each physical port and port trunk on the switch. (Refer to the filter command on page 12-18.)
- You can include all destination ports and trunks in the switch on a single source-port filter.
- Each source-port filter includes:
  - One source port or port trunk (trk1, trk2, ... trkn)
  - A set of destination ports and/or port trunks that includes all untrunked LAN ports and port trunks on the switch
  - An action (forward or drop) for each destination port or port trunk
- When you create a source-port filter, the switch automatically sets the filter to forward traffic from the designated source to all destinations for which you do not specifically configure a drop action. Thus, it is not necessary to configure a source-port filter for traffic you want the switch to forward unless the filter was previously configured to drop the desired traffic.
- When you create a source-port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name, such as Trk1, instead of by individual port name.)
- Packets allowed for forwarding by a source-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering.
- With multiple IP addresses configured on a VLAN, and routing enabled on the switch, a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this case, you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop.

s
i
rt
pa
n
Comware Port Isolation

Figure 3

Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for greater flexibility and security.

Ports in the same isolation group are isolated from each other, but they can exchange Layer 2 traffic with ports in other isolation groups in the same VLAN, as well as ports in the same VLAN but not assigned to any isolation group.

For ports in an isolation group to exchange Layer 2 traffic with outside ports, the isolation group must have some uplink ports, which are non-isolation group member ports within the VLAN. There is no limit on the number of uplink ports in an isolation group.

Configuration

Port isolation is configured in two steps.

1. Create a port isolation group.
2. Enable the port isolation group on individual interfaces and bridge aggregation groups.
Use cases

Figure 4

Both the ProVision and Comware software features can be configured to fulfill multiple use cases. Here are a few.

- Guests are allowed to communicate with the Internet only. They are not allowed to talk to each other.
- The gaming network allows devices to talk to each other but nothing else.
- The authorized clients network allows devices to talk to each other and to the Internet but not to the guests or the gaming network.

How would you configure each feature to accomplish these use cases?
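The use-case question above can be answered by modelling the two forwarding rules this module describes, the ProVision source-port filter (every destination is forwarded unless it is configured to drop) and the Comware isolation group (members of one group cannot reach each other inside a VLAN), and then checking a candidate configuration against the three policies. The Python below is an added example written for this guide, not HP's or the course's code: the port names, VLAN numbers and isolation group numbers are constructed, the method names only mimic the CLI commands they stand for, and the Comware side also models VLAN membership because, as the text notes, isolation groups only separate ports within one VLAN.

```python
"""Model of a ProVision source-port filter and a Comware port isolation group.

Added example, not HP code: it reproduces only the forwarding rules stated in
this module so that a candidate configuration can be checked against the three
use cases (guest, gaming and authorized networks).  Port names, VLAN numbers
and group numbers are constructed.
"""

PORTS = ["uplink", "guest1", "guest2", "game1", "game2", "auth1", "auth2"]
ROLE = {p: p.rstrip("12") for p in PORTS}      # uplink / guest / game / auth

# The use-case policy: which roles may exchange traffic (symmetric).
ALLOWED_ROLE_PAIRS = {
    frozenset({"guest", "uplink"}),   # guests reach the Internet only
    frozenset({"game"}),              # gaming devices reach each other only
    frozenset({"auth"}),              # authorized clients reach each other ...
    frozenset({"auth", "uplink"}),    # ... and the Internet
}


def policy_allows(src, dst):
    return frozenset({ROLE[src], ROLE[dst]}) in ALLOWED_ROLE_PAIRS


class SourcePortFilterSwitch:
    """ProVision rule: one filter per source port; every destination is
    forwarded unless it is explicitly configured to drop."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.drops = {p: set() for p in self.ports}   # source -> dropped destinations

    def filter_source_port_drop(self, source, destinations):
        """Models: filter source-port <source> drop <destination-list>."""
        self.drops[source].update(destinations)

    def forwards(self, src, dst):
        return dst not in self.drops[src]


class PortIsolationSwitch:
    """Comware rule: ports in the same isolation group cannot reach each other;
    any other port sharing a VLAN is reachable at Layer 2."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.vlans = {p: set() for p in self.ports}    # port -> VLANs it carries
        self.group_of = {}                              # port -> isolation group

    def port_vlan(self, port, *vlan_ids):
        self.vlans[port].update(vlan_ids)

    def port_isolate_enable(self, port, group):
        """Models: port-isolate enable group <group> in interface view."""
        self.group_of[port] = group

    def forwards(self, src, dst):
        if not self.vlans[src] & self.vlans[dst]:
            return False                    # no common VLAN: no Layer 2 path
        g1, g2 = self.group_of.get(src), self.group_of.get(dst)
        return g1 is None or g1 != g2       # same group blocks, anything else passes


def violations(switch):
    """Ordered port pairs whose forwarding result differs from the policy."""
    return sorted((s, d) for s in PORTS for d in PORTS
                  if s != d and switch.forwards(s, d) != policy_allows(s, d))


def provision_solution():
    sw = SourcePortFilterSwitch(PORTS)
    for g in ("guest1", "guest2"):       # guests: forward only toward the uplink
        sw.filter_source_port_drop(g, [p for p in PORTS if p not in ("uplink", g)])
    for g in ("game1", "game2"):         # gaming: drop everything outside the group
        sw.filter_source_port_drop(g, ["uplink", "guest1", "guest2", "auth1", "auth2"])
    for a in ("auth1", "auth2"):         # authorized: drop toward guests and gaming
        sw.filter_source_port_drop(a, ["guest1", "guest2", "game1", "game2"])
    # Filters are one-way, so the uplink must also be stopped from reaching gaming.
    sw.filter_source_port_drop("uplink", ["game1", "game2"])
    return sw


def comware_solution():
    sw = PortIsolationSwitch(PORTS)
    sw.port_vlan("uplink", 10, 30)       # trunk carrying the guest and authorized VLANs
    for g in ("guest1", "guest2"):       # one VLAN, isolated from each other
        sw.port_vlan(g, 10)
        sw.port_isolate_enable(g, 1)
    for g in ("game1", "game2"):         # gaming VLAN has no uplink member at all
        sw.port_vlan(g, 20)
    for a in ("auth1", "auth2"):
        sw.port_vlan(a, 30)
    return sw


if __name__ == "__main__":
    for name, sw in (("ProVision", provision_solution()), ("Comware", comware_solution())):
        print(name, "violations:", violations(sw))
```

Running the module prints an empty violation list for both solutions; removing the `uplink` drop line in `provision_solution()` makes `("uplink", "game1")` appear, which is the one-way nature of source-port filters the operating rules above describe.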

Module 7: Spanning Tree Protection

Objectives

After completing this module, you will be able to:
- Configure the features that protect spanning tree from rogue devices:
  - BPDU Filtering
  - BPDU Protection
  - Root Guard
  - TCN Guard
- Reduce occurrences of spanning tree re-convergence
Spanning-tree vulnerabilities

Figure 1

There are various vulnerabilities that exist across the spectrum of networking and IP protocols. This includes the original Spanning Tree Protocol (STP) and the Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) variants.

Note
ProCurve switches support configuration of MSTP with backward operational compatibility for RSTP and STP.
The IEEE 802.1D standard originally described STP, but was updated (2004) to reference RSTP (formerly IEEE 802.1w). The IEEE 802.1Q standard describes MSTP (formerly IEEE 802.1s).

Select ProCurve switches support security enhancements for spanning-tree environments by providing protection from attacks that target the vulnerabilities of the STP, RSTP, and MSTP protocols.
To prevent broadcast storms, a network must have a loop-free topology. STP, as well as RSTP and MSTP, helps network devices to create this topology. All devices running any of these protocols exchange bridge protocol data units (BPDUs) to elect a root bridge and to determine which path among multiple potential paths to the root bridge is the shortest. Any other redundant paths are then temporarily blocked until they are needed.

STP, RSTP, and MSTP are designed to allow any network device to join the spanning tree. This openness ensures that all loops are eliminated, but leaves choices about disabling links that may be vulnerable to manipulation from unauthorized devices. As BPDUs have no authentication aspect and can be easily spoofed, a rogue device can send BPDUs and join the spanning tree. This can affect path selection, and the rogue device may even become the root bridge.

The rogue device might be controlled by a hacker or simply be a device controlled by a different system. In either case, the result is the same. Incorrect links may be deactivated, impeding the network's ability to handle traffic efficiently. A hacker may even use the rogue device to launch a DoS attack by causing constant topology changes to the spanning tree.
BPDU filtering and protection

Figure 2

Two features that help protect your network from spanning-tree vulnerabilities are BPDU protection and BPDU filtering. Both forms of protection operate at the port level.

- BPDU filtering: The BPDU filtering feature protects a network from unauthorized BPDUs. It can be used to exclude specific ports from becoming part of spanning tree operations. In effect, BPDU filtering disables spanning-tree operation on a given port by simply not participating in the process of determining paths to the root bridge.

  A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning-tree forwarding state. Any other ports on the switch that are not configured for BPDU filtering will maintain their role. Unlike BPDU protection (described below), a port configured for BPDU filtering does not take any punitive action in response to received BPDUs.

- BPDU protection: The BPDU protection feature monitors a port for incoming BPDUs. If the port receives a BPDU, the switch disables the port, protecting the network from an apparently rogue device. You can configure the amount of time for which a port is disabled. The default causes the port to remain disabled until it is manually re-enabled by the administrator.
Guidelines for using BPDU filtering and protection

You should choose between BPDU protection and BPDU filtering based on the port's expected role.

For example, you might enable BPDU protection on edge ports. Edge devices with a single link should not be sending BPDUs, so an incoming BPDU may indicate an attack. BPDU protection offers a more secure alternative to BPDU filtering, since it allows you to disable the port. BPDU protection also allows you to have an alert sent as an SNMP trap message when a BPDU is received.

On the other hand, some BPDUs may be unauthorized, but not necessarily malicious. And you might not want to deactivate a port simply because a BPDU has arrived on it. For example, suppose your switch connects to a device controlled by another authority and which is running its own spanning tree. You would not want to deactivate the link to this system even if its administrators have inappropriately allowed a BPDU to cross into your side of the network. Instead, simply configure the port to ignore the BPDUs with BPDU filtering.

Some other reasons why you may want to use BPDU filtering could include:

- You may want to allow spanning-tree operations to run on selected ports of the switch rather than every port of the switch.
- You may want to eliminate the need for a topology change when a port's link status changes. For example, a port that connects to downstream servers and workstations can be configured to remain outside of spanning-tree operations.

Configuring BPDU filtering

Figure 3
To configure BPDU filtering or BPDU protection, you use the spanning-tree command. You can enable BPDU filtering on one or more ports with this command. You can also specify all to enable BPDU filtering on all switch ports.

One important factor to keep in mind is that ports with BPDU filtering enabled remain active, i.e., the ports continue to learn and forward frames. However, the spanning-tree subsystem cannot receive or transmit BPDUs on the port. Since the port remains in a forwarding state and permits all broadcast traffic, this can create a network storm if there are any loops (trunks or redundant links) using these ports.

You can use the show spanning-tree config command to list the ports that have BPDU filtering enabled.

Configuring BPDU protection

Figure 4

To enable BPDU protection on one or more ports, you also use the spanning-tree command. You can also specify all to enable BPDU protection on all switch ports. By default, BPDU protection permanently disables a port if it receives a BPDU. However, you can configure BPDU protection to impose a temporary disable period instead. Using the spanning-tree command, you can configure a timeout value, which applies to any port running BPDU protection. The timeout value can be between 0 and 65,535 seconds. Specifying 0 returns BPDU protection to the default behavior of permanently disabling protected ports. The upper value is equivalent to approximately 18 hours. Note that this is a global setting for all ports with BPDU protection enabled.

You can use the show spanning-tree bpdu-protection command to list the ports that have BPDU protection enabled and determine if any errant BPDUs have been received on each port.
Root Guard and TCN Guard

Figure 5

Root Guard

Root guard is only available when running MSTP. When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an alternate port role and enters a blocking state if it receives superior STP BPDUs. (A superior BPDU contains better information on the root bridge and/or path cost to the root bridge, which would normally replace the current root bridge selection.)

The superior BPDUs received on a port enabled as root-guard are ignored. All other BPDUs are accepted and the external devices may belong to the spanning tree as long as they do not claim to be the Root device.

Use this command on MSTP switch ports that are connected to devices located in other administrative network domains to:

- Ensure the stability of the core MSTP network topology so that undesired or damaging influences external to the network do not enter.
- Protect the configuration of the CIST root bridge that serves as the common root for the entire network.

TCN-Guard

When tcn-guard is enabled for a port, it causes the port to stop propagating received topology change notifications and topology changes to other ports.
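BPDU filtering, BPDU protection (with its global timeout) and root guard, as described in the preceding pages, are all decisions a port takes when a BPDU arrives. The Python below decodes an IEEE 802.1D configuration or TCN BPDU and applies the reaction for each configured guard: a filtered port ignores the BPDU and stays in forwarding, a protected port is disabled for the configured timeout (0 meaning until an administrator re-enables it), and a root-guarded port moves to blocking when the BPDU claims a better root than the one currently elected, accepting all other BPDUs. It is an added example written for this guide, not HP switch code: the bridge IDs, port names and sample BPDUs are constructed, and the recovery of a root-guarded port after twice the forward delay follows the Comware root guard description on the next page.

```python
"""BPDU decoding and the per-port reactions of BPDU filtering, BPDU protection
and root guard.  Added example, not HP code: a model written for this guide.
Port names, bridge IDs and the sample BPDUs are constructed."""
import struct

CONFIG_BPDU, RST_BPDU, TCN_BPDU = 0x00, 0x02, 0x80


def parse_bpdu(payload):
    """Decode an IEEE 802.1D BPDU (the bytes following the LLC header)."""
    proto, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto != 0:
        raise ValueError("not a spanning-tree BPDU")
    if bpdu_type == TCN_BPDU:
        return {"type": "tcn", "version": version}
    if bpdu_type not in (CONFIG_BPDU, RST_BPDU) or len(payload) < 35:
        raise ValueError("unsupported or truncated BPDU")
    (flags, root_id, root_cost, bridge_id, port_id,
     _msg_age, _max_age, _hello, fwd_delay) = struct.unpack("!BQIQHHHHH", payload[4:35])
    return {"type": "config", "version": version, "flags": flags, "root_id": root_id,
            "root_cost": root_cost, "bridge_id": bridge_id, "port_id": port_id,
            "forward_delay": fwd_delay / 256}        # timer fields are in 1/256 s units


def make_config_bpdu(root_id, bridge_id, root_cost=0, fwd_delay_s=15):
    """Constructed sample configuration BPDU (not captured traffic)."""
    return struct.pack("!HBBBQIQHHHHH", 0, 0, CONFIG_BPDU, 0, root_id, root_cost,
                       bridge_id, 0x8001, 0, 20 * 256, 2 * 256, fwd_delay_s * 256)


class Port:
    """One switch port with at most one of the three guards configured."""

    def __init__(self, name, bpdu_filter=False, bpdu_protection=False,
                 root_guard=False, protection_timeout=0):
        self.name = name
        self.bpdu_filter, self.bpdu_protection = bpdu_filter, bpdu_protection
        self.root_guard = root_guard
        self.protection_timeout = protection_timeout   # seconds; 0 = permanent
        self.state = "forwarding"
        self.errant_bpdus = 0                           # what show ... bpdu-protection reports
        self.disabled_until = None
        self.blocked_at = self.recover_after = None

    def receive(self, payload, now, current_root_id):
        """React to a BPDU arriving at time `now` (seconds); returns the action."""
        if self.bpdu_filter:
            return "ignored"          # the port simply stays in forwarding
        if self.bpdu_protection:
            self.errant_bpdus += 1
            self.state = "disabled"
            timeout = self.protection_timeout
            self.disabled_until = now + timeout if timeout else float("inf")
            return "port-disabled"
        bpdu = parse_bpdu(payload)
        # A numerically lower bridge ID is better, so this BPDU claims a better root.
        if self.root_guard and bpdu["type"] == "config" and bpdu["root_id"] < current_root_id:
            self.state = "blocking"   # alternate role; the superior claim is ignored
            self.blocked_at = now
            self.recover_after = 2 * bpdu["forward_delay"]
            return "root-guard-blocked"
        return "accepted"

    def tick(self, now):
        """Timer processing: re-enable after the protection timeout; let a root-guard
        blocked port recover once no superior BPDU arrived for twice the forward delay."""
        if self.state == "disabled" and now >= self.disabled_until:
            self.state, self.disabled_until = "forwarding", None
        elif self.state == "blocking" and now - self.blocked_at >= self.recover_after:
            self.state = "forwarding"
        return self.state


# Constructed bridge IDs: a 16-bit priority followed by a 48-bit MAC address.
OUR_ROOT = 0x8000_001122334455            # priority 32768, the legitimate root
ROGUE_ROOT = 0x0000_AABBCCDDEEFF          # priority 0, a "superior" claim
```

The `errant_bpdus` counter is what the `show spanning-tree bpdu-protection` command described above would surface; in a real deployment it is the value to alert on, since a protected edge port should never see a BPDU at all.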

Comware Spanning Tree Protection

An MSTP-enabled switch supports the following protection functions:
- BPDU guard
- Root guard
- Loop guard
- TC-BPDU guard

Note
Among loop guard, root guard and edge port settings, only one function can take effect on a port at any given point in time.

Configuration prerequisites

MSTP must be correctly configured on the switch before the protection functions are configured.

BPDU guard

MSTP provides the BPDU guard function to protect the system against attacks involving forged configuration BPDUs. For access layer switches, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition. Under normal conditions, these ports do not receive configuration BPDUs. If these ports do receive configuration BPDUs, the system automatically sets these ports as non-edge ports and starts a new spanning tree calculation process, which causes a change in network topology. So if someone forges configuration BPDUs maliciously to attack the switches, network instability occurs.

With the BPDU guard function enabled on the switch, when edge ports receive configuration BPDUs, MSTP closes these ports and notifies the NMS that these ports have been closed by MSTP. Ports closed this way can be restored only by the network administrators.

Configure BPDU guard on a switch with edge ports configured.

Note
BPDU guard does not take effect on loopback test-enabled ports.
You can disable MSTP on certain ports so that they do not take part in spanning tree calculation, which saves the CPU resources of the switch.

Root guard

MSTP provides the root guard function to prevent undesired network topology changes and network congestion that can result from configuration errors or malicious attacks. The root bridge and secondary root bridge of a spanning tree are ideally located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge may receive a configuration BPDU with a higher priority. In this case, the current legal root bridge is superseded by another device, which causes an undesired change in the network topology. Traffic that should go over high-speed links is switched to low-speed links, resulting in network congestion.

If the root guard function is enabled on a port of a root bridge, this port keeps playing the role of designated port on all MSTIs. Once this port receives a configuration BPDU with a higher priority from an MSTI, it immediately sets that port to the listening state in the MSTI, without forwarding the packet. (This is equivalent to disconnecting the link connected with this port in the MSTI.) If the port receives no BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.

Configure root guard on a designated port.

Loop guard

The loop guard function suppresses the occurrence of loops that result from link congestion or unidirectional link failures.

A switch generally maintains the state of the root port and blocked ports by receiving BPDUs from the upstream device. However, if these ports fail to receive BPDUs from the upstream devices due to link congestion or unidirectional link failures, the downstream device reselects the port roles. Ports in forwarding state that failed to receive upstream BPDUs become designated ports, and the blocked ports transition to the forwarding state, resulting in loops in the switched network. The loop guard function can be used to suppress the occurrence of such loops.

If a loop guard-enabled port fails to receive BPDUs from the upstream device, and if the port takes part in STP calculation, all the instances on the port, no matter what roles the port plays, are set to, and stay in, the Discarding state.

Configure loop guard on the root port or an alternate port of a switch.

TC-BPDU guard

The BPDUs used to notify the switch of topology changes are called Topology Change BPDUs, or TC-BPDUs. When the switch receives TC-BPDUs, the switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch receives a large number of TC-BPDUs within a short time and becomes busy with forwarding address entry flushing. This affects network stability.

The TC-BPDU guard function lets you set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only when the time period expires. This prevents frequent flushing of forwarding address entries.

HP recommends that you keep the TC-BPDU guard feature enabled.
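The TC-BPDU guard rule just described is a rate limiter on forwarding-table flushes: a fixed number of immediate flushes in the period that starts with the first TC-BPDU, and everything received beyond that collapsed into a single flush when the period expires. The Python below is an added example written for this guide, not Comware code; the limit and period values are constructed for the illustration and are not the switch's defaults, and the `flushes_during_storm` helper feeds it a constructed burst of TC-BPDUs to show the difference the guard makes.

```python
"""TC-BPDU guard modelled as a limiter on forwarding-table flushes.  Added
example, not HP code: a model written for this guide.  The limit and period
values are constructed, not switch defaults."""


class TcBpduGuard:
    """At most `max_flushes` immediate flushes in the `period_s` seconds after the
    first TC-BPDU; TC-BPDUs beyond the limit collapse into one flush at the end
    of the period, as the text describes."""

    def __init__(self, max_flushes=1, period_s=10.0):
        self.max_flushes = max_flushes
        self.period_s = period_s
        self.window_start = None      # None = no period is running
        self.flushes_in_window = 0
        self.deferred = False         # an over-limit TC-BPDU awaits the period end
        self.flush_log = []           # times at which the forwarding table was flushed
        self.received = 0

    def _flush(self, when):
        self.flush_log.append(when)

    def expire(self, now):
        """Timer processing: close a finished period and perform the deferred flush."""
        if self.window_start is not None and now - self.window_start >= self.period_s:
            if self.deferred:
                self._flush(self.window_start + self.period_s)
                self.deferred = False
            self.window_start = None
            self.flushes_in_window = 0

    def on_tc_bpdu(self, now):
        """Handle a TC-BPDU received at time `now`; returns 'flushed' or 'deferred'."""
        self.received += 1
        self.expire(now)
        if self.window_start is None:
            self.window_start = now          # the first TC-BPDU opens the period
        if self.flushes_in_window < self.max_flushes:
            self.flushes_in_window += 1
            self._flush(now)
            return "flushed"
        self.deferred = True
        return "deferred"


def flushes_during_storm(guard, count=100, interval=0.1):
    """Feed `count` TC-BPDUs spaced `interval` seconds apart (a constructed burst)
    and return how many flushes the switch actually performed."""
    for i in range(count):
        guard.on_tc_bpdu(i * interval)
    return len(guard.flush_log)
```

With the guard at one flush per ten seconds, a burst of one hundred TC-BPDUs costs one flush immediately and one more when the period ends; with no effective limit every TC-BPDU flushes the table, which is the load the text warns about.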

Module 8: DHCP Protection

In this module, the DHCP snooping feature is described. Collectively, DHCP snooping, Dynamic ARP protection, and Dynamic IP Protection are referred to as advanced network protection features.

DHCP vulnerabilities

Figure 1

DHCP is designed to work in the trusted internal network and does not provide authentication or access controls. Because of this lack of built-in security, a DHCP server has no way of verifying that the client requesting an address is a legitimate client on the network. Similarly, the DHCP client has no way of knowing if the DHCP server that offers it an address is a legitimate server. Therefore, DHCP is vulnerable to attacks from both rogue clients and servers.

There are two types of common DHCP attacks from which you should protect your network:

- Address spoofing: A rogue DHCP server on the network can assign invalid IP addressing information to client devices. This includes the IP addresses of the client itself, the default gateway, DNS servers, and WINS servers. Without valid IP addresses, the legitimate client devices are unable to contact other legitimate IP network devices and users are prevented from reaching the resources they need to do their jobs.
- Address exhaustion: An attacker can access the network and request IP addresses until the DHCP server's supply of available IP addresses is exhausted. This prevents legitimate clients from receiving IP addresses and accessing the network.

Both of these attacks can disrupt network service and cause security breaches.
Protecting against DHCP attacks: DHCP Snooping

Figure 2

HP switches that support the DHCP snooping feature can protect your network against these DHCP address spoofing and exhaustion attacks. With DHCP snooping configured, the switch takes the role of a security guard, overseeing DHCP exchanges and ensuring that DHCP clients and servers act as they should.

As part of the DHCP snooping process, the switch distinguishes between trusted and untrusted ports. Trusted ports connect to the network's own trusted devices, such as the DHCP server. The switch allows DHCP packets to flow freely on these ports. On untrusted ports, the switch inspects DHCP packets to determine whether or not the packets will be allowed.

Here are three of the types of activities performed by the DHCP snooping feature:

- DHCP server packets should not originate from untrusted ports. So if the switch detects these types of packets, it immediately discards them.
- The switch also verifies information in DHCP client packets before allowing the packets onto the network. For example, the switch drops packets in which the source MAC address does not match the DHCP client hardware address (chaddr), a sign of spoofing.
- The switch can also be configured to handle packets that have the DHCP option 82 parameter present, another potential sign of suspicious behavior. DHCP option 82 is described on the next slide.

By filtering DHCP packets, the switch acts somewhat like a firewall between untrusted clients and DHCP servers. In this way, the switch can provide protection from DHCP attacks for your network.

DHCP snooping allows the switches to protect your network from other attacks as well. It does so by capitalizing on the information it learns while filtering DHCP packets. The switch builds and maintains a DHCP snooping table, which tracks the information that corresponds to each DHCP lease processed through an untrusted port. The DHCP snooping table can hold up to 8192 entries.

The DHCP snooping table contains the following information:
- MAC address of the client.
- Leased IP address of the client.
- Lease time in seconds.
- VLAN identifier.
- Interface identifier of the port connecting directly to or toward the client.

Using this table to verify IP-to-MAC address bindings, the switch can learn which IP addresses should legitimately send traffic on which ports and it can also detect malicious hosts that try to spoof ARP packets. We'll discuss how the switch makes good use of what it has learned through DHCP snooping when we explain dynamic ARP protection in the next module.
Using option 82 with DHCP snooping

Figure 3

DHCP options

In general, DHCP packets carry a number of data fields that are more specifically called options. Each option is used to convey information about the client, a DHCP relay agent, or the DHCP server. Examples of DHCP options include:

- Option 3: The default gateway's (router's) IP address.
- Option 6: The DNS server's IP address.
- Option 12: The client's host name. In the case of Windows, this corresponds to the computer name.
- Option 50: The IP address requested by the client. If a client is renewing a previously assigned IP address, this option specifies that IP address.
- Option 51: The IP address lease time.
- Option 53: The DHCP message type, e.g., Discover, Offer, and so forth.
- Option 54: The DHCP server's IP address. This field would be filled in by a DHCP relay agent.
- Option 55: Identifies the parameters being requested by the client. This list can include the default gateway, subnet mask of an assigned IP address, and NetBIOS support features.
- Option 58: IP address renewal time, which is usually less than the lease time.
- Option 60: Identifies the client's vendor class, e.g., Microsoft.
- Option 61: Provides identifying information about the client, such as the media connection type, e.g., Ethernet, and the MAC address.
- Option 82: Provides identifying information about the DHCP relay agent.

DHCP snooping feature support for option 82

The DHCP snooping feature blocks DHCP attacks by filtering DHCP packets on untrusted ports. In addition, the DHCP snooping feature can facilitate the functions of DHCP itself by using option 82.
Option 82 can be used to provide identifying information about the DHCP relay agent. Option 82 allows a DHCP server to apply specialized configuration policies when assigning IP addresses and other configuration information to clients based on what value is in option 82. For example, you may want certain ranges of IP addresses to be associated with certain areas of the network. Or, a service provider's DHCP server might limit a certain switch port to a set number of IP addresses, ensuring that a subscriber network does not consume too many IP addresses.

To a DHCP server, however, all incoming DHCP packets will look alike without option 82 information specified. With option 82, the switch acts as the DHCP server's eyes, adding the information that the DHCP server needs so that it can select the correct configuration policy. This information includes the following:

- Remote ID: The remote identifier corresponds to an address identifier of the switch. It can be the switch's IP address or MAC address.
- Circuit ID: The circuit identifier corresponds to the physical switch port on which the client DHCP request was received.

A general requirement of option 82 is that a switch must act as the relay for the DHCP request in order to modify or insert the information. Therefore, unless a switch is the DHCP relay, it cannot normally manipulate DHCP requests and must forward the DHCP packets.

This limitation can affect the following two scenarios:

- Another switch acts as the DHCP relay, but is not configured to insert the correct value for option 82 or does not support the capability.
- The DHCP client is on the same subnet as the DHCP server, so the switch does not need to act as a relay. That is, the DHCP client and DHCP server can potentially communicate directly with the switch merely forwarding the packets.

However, with DHCP snooping enabled on a VLAN, the switch can inspect all DHCP packets on untrusted ports. This configuration capability allows the switch to modify or insert option 82 for those scenarios where the DHCP client and server are in the same subnet.

Handling untrusted endpoints: Filtering packets with option 82

Figure 4
DHCP option 82 is a valuable capability that you can take advantage of, but one that can also be potentially hijacked by endpoints in an untrusted network. For example, a hacker can create an option 82 to manipulate the DHCP server into sending a client the wrong configuration.

However, the DHCP snooping feature also includes a capability that allows the switch to snoop for option 82 information inside of DHCP requests from untrusted endpoints. When the switch detects option 82, you can configure the switch to take one of three actions:

- Permit the request
- Drop the request entirely
- Replace the option 82 in the request with option 82 information you have configured

In the graphic above, the switch is configured to override an unauthorized option 82 with the correct option information, forcing the client network to comply with the policy.

Note
For those VLANs that have DHCP snooping enabled, the value you specify for option 82 through DHCP snooping overrides the global configuration information that may have been defined for option 82 using the dhcp-relay command.

Guidelines: DHCP snooping with option 82

Figure 5

By default, a switch using DHCP snooping detects and drops any DHCP request received on an untrusted port that also includes option 82. You should preserve this behavior whenever your switch connects directly to the clients. An option 82 that is received directly from a DHCP client can indicate a malicious attack which the switch must prevent.

On the other hand, a switch that runs DHCP snooping might connect to another switch that also runs DHCP snooping. For example, in the graphic above, the switch on the left should pass on DHCP requests with option 82 to the switch on the right.

Lastly, you can configure your switch to overwrite a detected option 82 setting in a packet received from a client with the switch's own information, thereby enforcing your network's policy.
Enabling DHCP snooping

Figure 6

The first step when implementing DHCP snooping is to enable DHCP snooping globally on the switch. To do this you use the dhcp-snooping command. This command in effect enables (or disables, if the no form of the command is specified) the ability to use the feature.

The next step is to enable the DHCP snooping feature on particular VLANs. To do this, you use the dhcp-snooping vlan command and specify the VLANs you want to protect with the DHCP snooping feature. To specify a range of VLAN identifiers, you use a hyphen. A comma-delimited list is not allowed.

Once DHCP snooping is enabled and configured, the switch will begin to build a DHCP snooping binding database.

In the graphic, other options supported by the dhcp-snooping command are listed. Several of these will be explained in the pages that follow.

Configuring DHCP snooping

Figure 7

By default, all the ports on the switch are untrusted in the context of the DHCP snooping feature. The switch inspects all the traffic received on these ports, looking for DHCP packets. If the switch detects DHCP server packets that originate from untrusted ports, it immediately discards the packets. Remember, untrusted ports should not connect to DHCP servers.

If the switch detects DHCP client packets, it verifies the MAC address to ensure that the client is not trying to misuse DHCP. Specifically, the switch checks the client's hardware address (chaddr) field in the DHCP header to ensure that it matches the source MAC address in the packet. If the two addresses do not match, the client is attempting to spoof a MAC address, probably to masquerade as a legitimate device. The switch discards the packet, preventing the misbehaving client from receiving an IP address.

This verify MAC check is enabled by default when you activate DHCP snooping. You can disable this check if you no longer want the switch to perform it. You use the no dhcp-snooping verify mac command to disable this check.

Since devices that are connected to untrusted ports should not be transmitting DHCP server packets, but your DHCP server must be allowed to do so, you will need to define one or more ports as trusted so that the switch does not disrupt DHCP operations.

To define trusted ports, you use the dhcp-snooping trust command to specify the trusted ports. For example, you would designate an uplink port and a port that connects directly to a DHCP server as trusted ports. When you define a trusted port, the switch does not filter any DHCP packets on that port.

In addition to defining trusted ports, you can define the authorized DHCP servers on your network. In this case, the switch allows a DHCP server packet only if it meets two criteria:

- The packet has been received on a trusted port.
- The packet is from an authorized DHCP server IP address.

To define an authorized server, you use the dhcp-snooping authorized-server command from the global configuration mode context. If you have more than one DHCP server, you will need to specify the command once for each DHCP server.
Configuring option 82

After you have enabled DHCP snooping on a VLAN, the switch can always insert
option 82 into DHCP requests whether the clients and DHCP servers are in the same
VLAN or different VLANs.

When you configure option 82, you specify a value for the switch's remote identifier
that gets inserted into the DHCP header. If an option 82 field is not present in a
packet received from a client, the switch inserts the value you configured. If an option
82 value was already inserted by the client, then the switch replaces it with the value
you configured.

The switch actually inserts two values into a DHCP header that correspond to option
82:
- The switch's remote ID. You can configure this value.
- The circuit ID for the physical port on which the DHCP request arrived. This
  value is not configurable.

The remote ID can be configured as one of three possible values using the
dhcp-snooping remote-id command.
- The switch's base MAC address (mac).
- The switch's IP address on the VLAN that received the request (subnet-ip).
- The switch's management IP address (mgmt-ip).

Typically, you should select the subnet-ip option when your switch includes multiple
VLANs for which all client requests are relayed to the same DHCP server. Selecting
this option lets the server determine the correct DHCP pool that applies to the request
based on the subnet IP address.

The options you configure for option 82 with DHCP snooping override any global
configuration information specified using the dhcp-relay command. However, on
VLANs that do not use DHCP snooping, the global configuration applies.

You can also configure your switch to snoop specifically for option 82 in filtered
DHCP requests that are received from clients. If the switch detects this option, it takes
one of three actions:
- The switch can drop the request.
- The switch can forward the request as is, keeping the option 82 value that was
  received.
- The switch can forward the request, but replace the unauthorized option 82
  value with the value you configured.


Viewing the DHCP snooping configuration

Figure 8

The show dhcp-snooping command allows you to determine the following
information:
- If DHCP snooping is enabled.
- VLANs for which it is enabled.
- DHCP option 82 settings.
- DHCP binding (lease) database settings.
- The DHCP binding database status.
  The Read at boot: line entry indicates whether or not the DHCP snooping
  binding database was read successfully at boot time. The File status:, Write
  attempts:, Write failures:, and Last successful file update: entries provide the
  most recent status information about the remotely stored file.
  How you can configure DHCP snooping to store the switch's DHCP binding
  (lease) database is covered later in this section.
- Authorized DHCP servers that are configured.
- Which ports are trusted or untrusted.

Viewing DHCP snooping statistics

Figure 9


The show dhcp-snooping stats command allows you to view statistics about
DHCP packets that the switch has filtered. The statistics provide information about the
packet type, the action taken, the reason the action was taken, and the count of
packets involved. The packet type refers to whether the packet originated from a
DHCP server or a DHCP client. The action taken is either forward or drop.

Two reasons that a switch may forward a DHCP packet are:
- The server packet was received on a trusted port.
- The client packet was a legitimate request that was then forwarded out a
  trusted port.

The reasons that a switch may drop a DHCP packet include:
- The server packet was received on an untrusted port.
- The server packet was received from an unauthorized DHCP server.
- The client packet was destined out an untrusted port.
- The client packet included an illegitimate option 82 field.
- The client packet was a bad DHCP release request that may indicate a
  potential DoS attack.
- The client packet's DHCP MAC address field did not match the client's Ethernet
  MAC address.

Viewing and managing DHCP snooping binding database

Figure 10


The show dhcp-snooping binding command allows you to view the IP-to-MAC
address bindings in the DHCP snooping database. The switch refers back to these
IP-to-MAC bindings as part of several attack protections, including ARP protection,
which will be explained in the next section.

You can optionally configure the switch to save the DHCP snooping database to a
specific URL on a TFTP server so the bindings will not be lost if the switch is rebooted.
If the switch is rebooted, it will read its binding database from the specified location.
To configure this location, you use the dhcp-snooping database command. The
options you can specify for this command are:
- file: Must be in a URL format that specifies TFTP as the protocol, the IP
  address of the TFTP server, and a filename that will contain the database
  information. The maximum number of characters that you can specify following
  the file keyword is 63.
- delay: This is the number of seconds to wait before writing to the database.
  The default is 300 seconds.
- timeout: This is the number of seconds to wait for the database file transfer
  to finish before returning an error. A value of zero means retry indefinitely. The
  default is 300 seconds.

Example configuration

Figure 11

This graphic shows a portion of a switch configuration file with dynamic DHCP
snooping configured.

Based on the VLAN definitions, the switch relays DHCP requests from VLAN 8 and
VLAN 24 to a DHCP server at IP address 10.1.10.10. This server is in VLAN 10 and
connects to a trusted port.

The switch snoops DHCP traffic on VLAN 8 and 24 and checks for indications of
attacks. As part of these checks, the switch looks for the option 82 field in DHCP
requests from untrusted endpoints, replacing any information in this field with its own
IP address associated with the VLAN on which the DHCP request was received. The
DHCP binding database is also stored on a TFTP server.

Comware DHCP Snooping


DHCP Snooping Overview
Function of DHCP Snooping

As a DHCP security feature, DHCP snooping can implement the following:
1. Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
2. Recording IP-to-MAC mappings of DHCP clients

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, the DHCP clients may obtain
invalid IP addresses and network configuration parameters, and cannot normally
communicate with other network devices. With DHCP snooping, the ports of a
device can be configured as trusted or untrusted, ensuring that the clients obtain IP
addresses from authorized DHCP servers.
- Trusted: A trusted port forwards DHCP messages normally.
- Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages
  from any DHCP server.

You should configure ports that connect to authorized DHCP servers and other
DHCP snooping devices as trusted, and other ports as untrusted. With such
configurations, DHCP clients obtain IP addresses from authorized DHCP servers
only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from
trusted ports to record DHCP snooping entries, including MAC addresses of clients,
IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs
to which the ports belong. With DHCP snooping entries, DHCP snooping can
implement the following:
- ARP detection: Whether ARP packets are sent from an authorized client is
  determined based on DHCP snooping entries. This feature prevents ARP attacks
  from unauthorized clients.
- IP Source Guard: IP Source Guard uses dynamic binding entries generated by
  DHCP snooping to filter packets on a per-port basis, and thus prevents
  unauthorized packets from traveling through.
- VLAN mapping: The device replaces service provider VLANs (SVLANs) in
  packets with customer VLANs (CVLANs) by searching corresponding DHCP
  snooping entries for DHCP client information including IP addresses, MAC
  addresses, and CVLANs, when sending the packets to clients.

Application Environment of Trusted Ports


Configuring a trusted port connected to a DHCP server

Figure 12

A DHCP snooping device's port that is connected to an authorized DHCP server
should be configured as a trusted port to forward reply messages from the DHCP
server, so that the DHCP client is guaranteed to obtain IP addresses from the
authorized DHCP server.

Configuring trusted ports in a cascaded network

In a cascaded network involving multiple DHCP snooping devices, the ports
connected to other DHCP snooping devices should be configured as trusted ports.

To save system resources, you can disable the trusted ports, which are indirectly
connected to DHCP clients, from recording clients' IP-to-MAC bindings upon
receiving DHCP requests.

DHCP Snooping Support for Option 82

Option 82 records the location information of the DHCP client. The administrator
can locate the DHCP client to further implement security control and accounting.

If DHCP snooping supports Option 82, it will handle a client's request according to
the contents defined in Option 82, if any. The handling strategies are described in
the table below.

If a reply returned by the DHCP server contains Option 82, the DHCP snooping
device will remove the Option 82 before forwarding the reply to the client. If the
reply contains no Option 82, the DHCP snooping device forwards it directly.
If a client's requesting  Handling   Padding       The DHCP snooping device will
message has               strategy   format
------------------------  ---------  ------------  --------------------------------------------
Option 82                 Drop       Random        Drop the message.
                          Keep       Random        Forward the message without changing
                                                   Option 82.
                          Replace    Normal        Forward the message after replacing the
                                                   original Option 82 with the Option 82
                                                   padded in normal format.
                                     Verbose       Forward the message after replacing the
                                                   original Option 82 with the Option 82
                                                   padded in verbose format.
                                     User defined  Forward the message after replacing the
                                                   original Option 82 with the user-defined
                                                   Option 82.
No Option 82              -          Normal        Forward the message after adding the
                                                   Option 82 padded in normal format.
                          -          Verbose       Forward the message after adding the
                                                   Option 82 padded in verbose format.
                          -          User defined  Forward the message after adding the
                                                   user-defined Option 82.
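Option 82 handling on a snooping switch, covering both the ProVision description earlier in this module (remote ID chosen as mac, subnet-ip or mgmt-ip; circuit ID from the ingress port; drop, keep or replace for an option already present in an untrusted request) and the Comware table above (add the option when it is absent; remove it from server replies before they reach the client). This is an added Python model written for this guide, not HP or Comware code: the SnoopingSwitch class, its methods, the addresses, VLANs and ports are constructed for the example, the normal/verbose/user-defined padding formats of the table are not modelled (the remote ID and circuit ID are carried as plain strings), and forwarding a trusted-port request unchanged is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Option82:
    circuit_id: str   # physical port the request arrived on (not configurable)
    remote_id: str    # configurable: switch base MAC, VLAN IP or management IP


@dataclass
class SnoopingSwitch:
    """Hypothetical model of option 82 handling, not HP or Comware code."""
    base_mac: str
    mgmt_ip: str
    vlan_ips: dict                        # vlan id -> switch IP address on that VLAN
    remote_id_mode: str = "mac"           # 'mac' | 'subnet-ip' | 'mgmt-ip' (the remote-id choices above)
    untrusted_policy: str = "replace"     # 'drop' | 'keep' | 'replace' for requests already carrying option 82

    def remote_id(self, vlan: int) -> str:
        if self.remote_id_mode == "mac":
            return self.base_mac
        if self.remote_id_mode == "subnet-ip":
            # lets one server shared by several VLANs pick the pool from the ingress subnet
            return self.vlan_ips[vlan]
        if self.remote_id_mode == "mgmt-ip":
            return self.mgmt_ip
        raise ValueError(f"unknown remote-id mode {self.remote_id_mode!r}")

    def handle_client_request(self, port: str, vlan: int, trusted: bool,
                              opt82: Optional[Option82]) -> tuple:
        """Return (action, option 82 carried onward) for a request received from a client."""
        if trusted:
            # Model assumption: trusted ports are not filtered, so the request is forwarded unchanged.
            return "forward", opt82
        own = Option82(circuit_id=port, remote_id=self.remote_id(vlan))
        if opt82 is None:
            return "forward", own                 # no option 82 yet: add the configured value
        if self.untrusted_policy == "drop":
            return "drop", None
        if self.untrusted_policy == "keep":
            return "forward", opt82               # forward as received
        if self.untrusted_policy == "replace":
            return "forward", own                 # overwrite the unauthorized value
        raise ValueError(f"unknown untrusted policy {self.untrusted_policy!r}")

    @staticmethod
    def handle_server_reply(opt82: Optional[Option82]) -> tuple:
        """Replies go to the client with any option 82 removed (the Comware behaviour described above)."""
        return "forward", None


def run_demo(policy: str = "replace", mode: str = "subnet-ip") -> list:
    """Constructed cases: request without option 82, request with a client-supplied value, server reply."""
    sw = SnoopingSwitch(base_mac="00:1a:2b:3c:4d:5e", mgmt_ip="10.1.10.2",
                        vlan_ips={8: "10.1.8.1", 24: "10.1.24.1"},
                        remote_id_mode=mode, untrusted_policy=policy)
    forged = Option82(circuit_id="A1", remote_id="10.1.10.1")   # value a client inserted itself
    return [
        sw.handle_client_request("A5", 8, False, None),
        sw.handle_client_request("A6", 24, False, forged),
        sw.handle_client_request("A1", 8, True, forged),
        sw.handle_server_reply(Option82("A5", "10.1.8.1")),
    ]
```

Each element returned by run_demo() is the (action, option 82) pair the switch would forward; calling it with policy="drop" or policy="keep" shows the two other untrusted-port behaviours, and mode="mac" or mode="mgmt-ip" changes only the remote ID the switch inserts.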


Summary: ProVision DHCP snooping


This module described the capabilities of the DHCP snooping feature and how to
configure this feature.
- DHCP snooping protects against attacks involving IP address spoofing and IP
  address exhaustion
- The primary configuration steps are:
  - Enable DHCP snooping globally
  - Specify the VLANs to be protected
  - Define trusted ports
- With DHCP snooping enabled, a switch differentiates between trusted and
  untrusted ports
  - Drops DHCP server packets received on untrusted ports
  - Filters/modifies DHCP client packets received on untrusted ports
- A DHCP IP address to MAC address binding database is used to track valid
  DHCP assignments
- A DHCP server uses information in option 82 to apply the correct policies to
  DHCP requests
  - A switch with DHCP snooping enabled can control DHCP requests
    containing this option and can also modify the value

ARP Protection
Module 9

In this module, the Dynamic ARP protection feature is described. Collectively,
Dynamic ARP protection, DHCP snooping, and Dynamic IP Protection are referred
to as advanced network protection features.

ARP vulnerabilities

Figure 1

ARP is used to resolve a device's IP address to its MAC address. ARP creates and
populates a table of known IP addresses and the associated MAC addresses as it
requests information for unknown MAC addresses. Most ARP devices update their
tables every time they receive an ARP packet even if they did not request the
information. This makes ARP vulnerable to attacks such as ARP poisoning, ARP
snooping, and DoS.

ARP poisoning occurs when an unauthorized device forges an illegitimate ARP
response, and other devices use the response to change their ARP tables. In the
example shown here:
- Device A broadcasts a request for device B's MAC address.
- Device C, the intruder, responds by matching device B's IP address to device C's
  MAC address.
- At the same time, device C sends a packet to device B, posing as device A. Any
  response intended for device B, the legitimate owner of the IP address, now
  goes astray to device C.
- When device A updates its ARP table with the spoofed entry, device A's ARP
  table is considered poisoned. Because device B's IP address is matched with
  device C's MAC address, all IP traffic that device A wants to send to device B is
  sent to device C instead.

By positioning itself using a traditional man-in-the-middle style attack, device C can
capture information such as usernames and passwords, email messages, and other
confidential company information.

ARP poisoning can also take the form of unsolicited ARP responses and can lead to
DoS attacks. For example, device C can poison other devices' ARP tables by
associating the network gateway's IP address with the MAC address of some
endpoint station. Because the endpoint station does not have access to outside
networks, outgoing traffic is prevented from leaving the network. The endpoint station
may also become easily overwhelmed by the unexpected traffic.

Dynamic ARP protection

Figure 2


Switches that support dynamic ARP protection can protect a network against these
types of ARP attacks. Similar to the DHCP snooping feature, the dynamic ARP
protection feature allows you to designate trusted and untrusted ports.

If a port is untrusted, the switch:
- Intercepts all ARP requests and responses on untrusted ports before forwarding
  them.
- Verifies the IP-to-MAC address bindings on untrusted ports with the information
  stored in the lease database maintained by DHCP snooping and any
  user-configured static bindings (non-DHCP environments).
  - If the binding is valid, the switch updates its local ARP cache or forwards
    the packet to the appropriate destination.
  - If the binding is invalid, the switch simply drops the packets, preventing
    other devices from receiving them and being tricked by the false
    information.

Since the switch verifies the IP-to-MAC address binding by checking the information
against what is stored in its DHCP snooping table, you should enable DHCP
snooping as part of configuring ARP protection. However, if you are not using DHCP,
you can configure static IP-to-MAC address bindings, and the switch will use this
information to verify ARP packets.

Even if you are using DHCP snooping, you may want to add static IP-to-MAC address
bindings to the DHCP snooping table so that the switch can verify IP-to-MAC
bindings for any devices that have been assigned static IP addresses.

In addition to verifying IP-to-MAC address bindings, you can configure the switch to
perform three additional checks. The switch can verify the following:
- Source MAC address
- Destination MAC address
- IP address

Guidelines: Using dynamic ARP protection

Figure 3


The switches on your network must be able to exchange ARP packets and update
their ARP tables accordingly. To facilitate this exchange, you must configure ports that
connect to other switches as trusted ports. In this example, ports A23 and A24 are
considered trusted ports. Other ports, which connect to end users, are marked as
untrusted ports by default.

If your network includes switches that do not support dynamic ARP protection, you
should use a router to separate these switches into their own Layer 2 domains. Since
ARP packets do not cross Layer 2 domain boundaries, the unprotected switches
cannot receive ARP packets from a hacker and subsequently pass them on to other
unprotected switches. The switch with IP routing and dynamic ARP protection enabled
would process all ARP packets.

Configuring dynamic ARP protection

Figure 4

The first step when implementing dynamic ARP protection is to enable dynamic ARP
protection globally on the switch. To do this you use the arp-protect command.

This command in effect enables (or disables, if the no form of the command is
specified) the ability to use the feature.

The next step is to enable the dynamic ARP protection feature on particular VLANs.
To do this, you use the arp-protect vlan command and specify the VLANs you
want to protect with the dynamic ARP protection feature. To specify a range of VLAN
identifiers, you use a hyphen. A comma-delimited list is not allowed.

By default, all ports are untrusted in the context of dynamic ARP protection. This
means that the switch will check the ARP requests and responses received on all the
ports that are members of the protected VLANs.

To configure a trusted port, you use the arp-protect trust command. The switch
will not check the ARP requests and responses that it receives on the trusted port.

Optional configuration steps

ho
w
in
P
H
of
i de
ts
ou
r
fe
ns
tra
or

Figure 5

A routing switch maintains a DHCP binding database, which is used for DHCP and
ARP packet validation. The DHCP snooping feature maintains the lease database by
learning the IP-to-MAC bindings on untrusted ports.

You can also define static IP-to-MAC address bindings if your network does not use
DHCP or if some devices have statically assigned IP addresses. The switch uses the
static IP-to-MAC address bindings you define for both DHCP snooping and dynamic
ARP protection. To add a static IP-to-MAC address binding for a port to the
database, you use the ip source binding command. This command associates a
given IP address to a specific MAC address, VLAN ID, and port ID.

You can also enable additional checks for the VLANs protected by the dynamic ARP
protection feature using the arp-protect validate command. You can specify from
one to three of the following options:
- src-mac: The switch checks ARP request and response packets to ensure that
  the source MAC address in the Ethernet header matches the sender MAC
  address in the body of the ARP packet. If the two addresses do not match, the
  switch drops the packet.
- dest-mac: The switch checks each unicast ARP response packet to ensure
  that the destination MAC address in the Ethernet header matches the target
  MAC address in the body of the ARP packet. If the two addresses do not
  match, the switch drops the packet.
- ip: The switch checks the sender and target IP addresses in the body of an
  ARP packet to ensure it does not contain an invalid IP address. If an invalid
  IP address is detected, the switch drops the ARP packet. Invalid IP addresses
  are defined as:
  - 0.0.0.0
  - 255.255.255.255
  - All Class D (multicast) IP addresses
  - All Class E IP addresses

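The per-packet checks of dynamic ARP protection on an untrusted port (binding lookup against the DHCP snooping leases and ip source binding entries, then the optional src-mac, dest-mac and ip validations), worked through in an added Python model. This is illustrative code written for this guide, not HP switch firmware: the ArpProtect and ArpPacket classes, the check method, the port names, MAC addresses and bindings are constructed for the example; the order in which the checks are applied is an assumption of the model, since the text lists the checks but not their sequence.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str        # Ethernet header source address
    eth_dst: str        # Ethernet header destination address
    op: str             # 'request' or 'reply'
    sender_mac: str     # addresses carried in the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


def invalid_ip(ip: str) -> bool:
    """True for 0.0.0.0, 255.255.255.255 and any class D (multicast) or class E address."""
    addr = ipaddress.IPv4Address(ip)
    if addr in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        return True
    return (int(addr) >> 28) >= 0xE      # top nibble 1110 = class D, 1111 = class E


@dataclass
class ArpProtect:
    """Hypothetical model of the checks, not HP switch firmware."""
    protected_vlans: set                                  # arp-protect vlan <ids>
    trusted_ports: set = field(default_factory=set)       # arp-protect trust <ports>
    validate: set = field(default_factory=set)            # arp-protect validate: any of src-mac, dest-mac, ip
    bindings: dict = field(default_factory=dict)          # ip -> (mac, vlan, port): DHCP leases + ip source binding
    stats: dict = field(default_factory=dict)             # reason -> count, like show arp-protect statistics

    def _result(self, action, reason):
        self.stats[reason] = self.stats.get(reason, 0) + 1
        return action, reason

    def check(self, p: ArpPacket) -> tuple:
        """Return ('forward', reason) or ('drop', reason) for one ARP packet."""
        if p.vlan not in self.protected_vlans or p.in_port in self.trusted_ports:
            return self._result("forward", "not inspected")
        if "src-mac" in self.validate and p.eth_src.lower() != p.sender_mac.lower():
            return self._result("drop", "source MAC mismatch")
        if ("dest-mac" in self.validate and p.op == "reply"
                and p.eth_dst.lower() != "ff:ff:ff:ff:ff:ff"      # only unicast replies are checked
                and p.eth_dst.lower() != p.target_mac.lower()):
            return self._result("drop", "destination MAC mismatch")
        if "ip" in self.validate and (invalid_ip(p.sender_ip) or invalid_ip(p.target_ip)):
            return self._result("drop", "invalid IP address")
        # The sender's IP/MAC pair must match a binding learned or configured for this VLAN and port.
        if self.bindings.get(p.sender_ip) != (p.sender_mac.lower(), p.vlan, p.in_port):
            return self._result("drop", "invalid IP-to-MAC binding")
        return self._result("forward", "binding valid")


def run_demo() -> list:
    """Constructed traffic on a switch protecting VLAN 8 with all three optional checks enabled."""
    c1, c2, bcast = "00:11:22:33:44:01", "00:11:22:33:44:02", "ff:ff:ff:ff:ff:ff"
    gw, zero = "00:1a:2b:3c:4d:5e", "00:00:00:00:00:00"
    sw = ArpProtect(protected_vlans={8, 24}, trusted_ports={"A23", "A24"},
                    validate={"src-mac", "dest-mac", "ip"},
                    bindings={"10.1.8.50": (c1, 8, "A5"),                    # learned by DHCP snooping
                              "10.1.8.10": ("00:11:22:33:44:10", 8, "A10")})  # static ip source binding
    packets = [
        ArpPacket("A5", 8, c1, bcast, "request", c1, "10.1.8.50", zero, "10.1.8.1"),
        ArpPacket("A6", 8, c2, gw, "reply", c2, "10.1.8.50", gw, "10.1.8.1"),        # c2 claims c1's address
        ArpPacket("A5", 8, c1, gw, "reply", "00:11:22:33:44:09", "10.1.8.50", gw, "10.1.8.1"),
        ArpPacket("A5", 8, c1, "00:11:22:33:44:77", "reply", c1, "10.1.8.50", gw, "10.1.8.1"),
        ArpPacket("A5", 8, c1, bcast, "request", c1, "10.1.8.50", zero, "224.0.0.1"),
        ArpPacket("A23", 8, c2, gw, "reply", c2, "10.1.8.50", gw, "10.1.8.1"),       # trusted uplink
        ArpPacket("A10", 8, "00:11:22:33:44:10", bcast, "request",
                  "00:11:22:33:44:10", "10.1.8.10", zero, "10.1.8.1"),               # static binding
    ]
    return [sw.check(p) for p in packets]
```

The reasons returned by check() map onto the drop categories the statistics display reports; leaving a name out of the validate set disables that check, just as omitting it from arp-protect validate does.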
Viewing the dynamic ARP protection configuration

ho
w
in
P
H
of
i de
ts
ou
r
fe
ns
tra
or
n
tio
uc
rod

Figure 6

To view the configuration for dynamic ARP protection, you use the show arp-protect
command. The resulting display indicates:
- Whether ARP protection is enabled.
- The VLANs that are protected.
- Which optional validation checks are enabled.
- Which ports are trusted or untrusted.

Viewing dynamic ARP protection statistics

Figure 7


You use the show arp-protect statistics command to view statistical information
about the packets that dynamic ARP protection has filtered.

The statistics include information about forwarded ARP packets and dropped ARP
packets. A packet may have been dropped due to several possible violations such as
an invalid IP address to MAC address binding (based on the DHCP binding
database), source or destination MAC address mismatches, or invalid source or
destination IP addresses. The latter two categories are checked only if the associated
validation checks are enabled.

Example configuration
Figure 8


This graphic shows a portion of a switch configuration file with dynamic ARP
protection configured.

The switch is configured to protect VLAN 8 and VLAN 24. Ports A23 and A24 are
configured as trusted ports, which implies that they connect to other switches. All
other ports are marked as untrusted by default. Optional dynamic ARP protection
validation options are also enabled.

Comware ARP Protection


ARP Attack Protection Overview
Although ARP is easy to implement, it provides no security mechanism and thus is
prone to network attacks. An attacker may send:
- ARP packets by acting as a trusted user or gateway, so that the receiving
  devices obtain incorrect ARP entries.
- A large number of IP packets with unreachable destinations. As a result, the
  receiving device continuously resolves destination IP addresses and thus its CPU
  is overloaded.
- A large number of ARP packets, which place a heavy load on the CPU. For
  details about ARP attack features and types, refer to ARP Attack Protection
  Technology White Paper.

Currently, ARP attacks and viruses are threatening LAN security. The device can
provide multiple features to detect and prevent such attacks. This chapter mainly
introduces these features.

Flood Prevention
- Configuring ARP Defense Against IP Packet Attacks
- Configuring ARP Source Suppression
- Enabling ARP Black Hole Routing
- Configuring ARP Packet Rate Limit
- Configuring Source MAC Address-Based ARP Attack Detection

User and gateway spoofing prevention
- Configuring ARP Packet Source MAC Address Consistency Check
- Configuring ARP Active Acknowledgement
- Configuring ARP Detection
- Configuring ARP Automatic Scanning and Fixed ARP
- Configuring ARP Gateway Protection
- Configuring ARP Filtering

Configuring ARP Defense Against IP Packet Attacks

If a device receives large numbers of IP packets from a host to unreachable
destinations:
- The device sends large numbers of ARP requests to the destination subnets,
  increasing the load of the destination subnets.
- The device keeps trying to resolve destination IP addresses, which increases the
  load of the CPU.

To protect the device from IP packet attacks, you can enable the ARP source
suppression function or ARP black hole routing function.

If the packets have the same source address, you can enable the ARP source
suppression function. With the function enabled, whenever the number of ARP
requests triggered by the packets with unresolvable destination IP addresses from a
host within five seconds exceeds a specified threshold, the device suppresses the
packets of the sending host from triggering any ARP requests within the following
five seconds.

If the packets have various source addresses, you can enable the ARP black hole
routing function. After receiving an IP packet whose destination IP address cannot
be resolved by ARP, the device with this function enabled immediately creates a
black hole route and simply drops all packets matching the route during the aging
time of the black hole route.

Configuring ARP Packet Rate Limit


This feature allows you to limit the rate of ARP packets to be delivered to the CPU.
For example, if an attacker sends a large number of ARP packets to an ARP
detection enabled device, the CPU of the device may become overloaded because
all the ARP packets are redirected to the CPU for checking. As a result, the device
fails to deliver other functions properly or even crashes. To prevent this, you need to
configure ARP packet rate limit.

It is recommended that you enable this feature after the ARP detection, ARP
snooping, or MFF feature is configured, or use this feature to prevent ARP flood
attacks.

Configuring Source MAC Address-Based ARP Attack Detection


This feature allows the device to check the source MAC address of ARP packets. If
the number of ARP packets sent from a MAC address within five seconds exceeds
the specified value, the device considers this an attack and adds the MAC address
to the attack detection table. Before the attack detection entry is aged out, the
device generates an alarm and filters out ARP packets sourced from that MAC
address (in filter mode), or only generates an alarm (in monitor mode).

A gateway or critical server may send a large number of ARP packets. To prevent
these ARP packets from being discarded, you can specify the MAC address of the
gateway or server as a protected MAC address. A protected MAC address is
excluded from ARP attack detection even if it is an attacker.

Only the ARP packets delivered to the CPU are detected.

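The source MAC address-based detection just described (a per-MAC count over a five-second window, an attack detection entry that ages out, filter versus monitor mode, and protected MAC addresses that are never inspected), worked through in an added Python model. This is illustrative code written for this guide, not Comware code: the SourceMacArpDetector class, its arp_packet method, the threshold, aging time, MAC addresses and timeline are constructed for the example, and treating the window as sliding over the last five seconds is an assumption of the model.

```python
from collections import defaultdict, deque


class SourceMacArpDetector:
    """Hypothetical model of the feature, not Comware code."""
    WINDOW = 5.0   # seconds: the counting interval named in the text

    def __init__(self, threshold, aging_time, mode="filter", protected=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold = threshold              # packets per window before a MAC is treated as an attacker
        self.aging_time = aging_time            # lifetime of an attack detection entry, in seconds
        self.mode = mode
        self.protected = {m.lower() for m in protected}   # gateway/server MACs, never inspected
        self.recent = defaultdict(deque)        # mac -> arrival times inside the current window
        self.attack_table = {}                  # mac -> time the attack detection entry was created
        self.alarms = []                        # (time, mac) for every new attack entry

    def _age_out(self, now):
        for mac in [m for m, t in self.attack_table.items() if now - t >= self.aging_time]:
            del self.attack_table[mac]

    def arp_packet(self, src_mac, now):
        """Return 'forward' or 'drop' for an ARP packet delivered to the CPU at time `now`."""
        mac = src_mac.lower()
        if mac in self.protected:
            return "forward"                    # protected MACs bypass detection entirely
        self._age_out(now)
        if mac not in self.attack_table:
            q = self.recent[mac]
            q.append(now)
            while now - q[0] > self.WINDOW:     # keep only the last five seconds (model assumption)
                q.popleft()
            if len(q) > self.threshold:
                self.attack_table[mac] = now    # new attack detection entry
                self.alarms.append((now, mac))  # the alarm is raised in both modes
                q.clear()
        if mac in self.attack_table and self.mode == "filter":
            return "drop"                       # filter mode: discard until the entry ages out
        return "forward"                        # monitor mode only alarms


def run_demo(mode="filter"):
    """Constructed timeline: a host exceeding 3 packets in 5 s, and the protected gateway sending more."""
    gw, host = "00:1a:2b:3c:4d:5e", "00:11:22:33:44:01"
    det = SourceMacArpDetector(threshold=3, aging_time=10, mode=mode, protected=[gw])
    host_actions = [det.arp_packet(host, t) for t in (0.0, 1.0, 2.0, 3.0, 4.0, 14.0)]
    gw_actions = [det.arp_packet(gw, t) for t in range(10)]
    return host_actions, gw_actions, det.alarms
```

In the sample timeline the fourth packet from the host within five seconds creates the attack entry: in filter mode it and the following packet are dropped, the packet at 14 s arrives after the 10 s aging time and is forwarded again; in monitor mode every packet is forwarded but the same alarm is recorded. The gateway, being protected, is never counted.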
Configuring ARP Packet Source MAC Address Consistency Check


This feature enables a gateway device to filter out ARP packets with the source MAC
address in the Ethernet header different from the sender MAC address in the ARP
message, so that the gateway device can learn correct ARP entries.

Configuring ARP Active Acknowledgement

Typically, the ARP active acknowledgement feature is configured on gateway
devices to identify invalid ARP packets.

ARP active acknowledgement works before the gateway creates or modifies an ARP
entry to avoid generating any incorrect ARP entry. For details about its working
mechanism, refer to ARP Attack Protection Technology White Paper.

Configuring ARP Detection

ho
w
The ARP detection feature is mainly configured on an access device to allow only

in
the ARP packets of authorized clients to be forwarded, hence preventing user

P
H
spoofing and gateway spoofing.

of
ARP detection includes ARP detection based on specified objects, and ARP detection

de
i
based on static IP source guard binding entries/DHCP snooping entries/802.1X
ts
ou
security entries/OUI MAC addresses.
r
fe

Enabling ARP Detection Based on Static IP Source Guard Binding


ns
tra

Entries/DHCP Snooping Entries/802.1X Security Entries/OUI MAC


or

Addresses
n
tio

With this feature enabled, the device compares the sender IP and MAC addresses
uc

of an ARP packet received from the VLAN against the static IP Source Guard
od
r

binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC
ep

addresses to prevent spoofing.


.R
ly

After you enable this feature for a VLAN,


on
e

Upon receiving an ARP packet from an ARP untrusted port, the device
us

compares the sender IP and MAC addresses of the ARP packet against the
dy

static IP Source Guard binding entries. If a match is found, the ARP packet is
tu
f-s

considered valid and is forwarded. If an entry with a matching IP address but


l
se

an unmatched MAC address is found, the ARP packet is considered invalid and
ee

is discarded. If no entry with a matching IP address is found, the device


oy

compares the ARP packets sender IP and MAC addresses against the DHCP
pl

snooping entries, 802.1X security entries, and OUI MAC addresses.


Em

If a match is found in any of the entries, the ARP packet is considered valid and
P

is forwarded. ARP detection based on OUI MAC addresses refers to that if the
sender MAC address of the received ARP packet is an OUI MAC address and
voice VLAN is enabled, the packet is considered valid.
If no match is found, the ARP packet is considered invalid and is discarded.

Rev 10.41 9 11
Implementing HP Network Infrastructure Security

Upon receiving an ARP packet from an ARP trusted port, the device does not
check the ARP packet.
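The following Python model, added here as an illustration and not taken from the course guide or from HP's switch software, walks an ARP packet through the decision order just described (trusted port first, then static IP Source Guard bindings, then DHCP snooping, 802.1X and OUI entries). All bindings, OUI prefixes, port names and packets in it are constructed sample data.

```python
# Added example (not code from the HP course guide): a model of the ARP
# detection decision described above. Packets from ARP trusted ports are not
# checked; packets from untrusted ports are checked against static IP Source
# Guard bindings first, then DHCP snooping entries, 802.1X security entries and
# OUI MAC addresses (the last only when the voice VLAN is enabled). All
# bindings, OUI prefixes and packets below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    port: str
    sender_ip: str
    sender_mac: str


@dataclass
class ArpDetectionTable:
    trusted_ports: Set[str] = field(default_factory=set)
    static_bindings: Dict[str, str] = field(default_factory=dict)      # ip -> mac
    dhcp_snooping: Set[Tuple[str, str]] = field(default_factory=set)  # (ip, mac)
    dot1x_entries: Set[Tuple[str, str]] = field(default_factory=set)  # (ip, mac)
    oui_prefixes: Set[str] = field(default_factory=set)  # first 3 octets of voice MACs
    voice_vlan_enabled: bool = False


def inspect_arp(pkt: ArpPacket, table: ArpDetectionTable) -> Tuple[bool, str]:
    """Return (forward, reason) for an ARP packet received from the VLAN."""
    mac = pkt.sender_mac.lower()
    if pkt.port in table.trusted_ports:
        return True, "trusted port: not checked"
    # 1. Static IP Source Guard bindings are consulted first.
    bound_mac = table.static_bindings.get(pkt.sender_ip)
    if bound_mac is not None:
        if bound_mac.lower() == mac:
            return True, "static binding match"
        # Same IP bound to another MAC: invalid, no further lookups.
        return False, "static binding IP matches but MAC differs"
    # 2. No static entry for this IP: try the dynamic entry sources in turn.
    if (pkt.sender_ip, mac) in table.dhcp_snooping:
        return True, "DHCP snooping entry match"
    if (pkt.sender_ip, mac) in table.dot1x_entries:
        return True, "802.1X security entry match"
    if table.voice_vlan_enabled and mac[:8] in table.oui_prefixes:
        return True, "OUI MAC address on voice VLAN"
    return False, "no matching entry"


# Constructed sample table for a single VLAN.
SAMPLE_TABLE = ArpDetectionTable(
    trusted_ports={"GE1/0/24"},                         # uplink towards the gateway
    static_bindings={"10.1.1.10": "00:11:22:33:44:55"},
    dhcp_snooping={("10.1.1.20", "aa:bb:cc:dd:ee:01")},
    dot1x_entries={("10.1.1.30", "aa:bb:cc:dd:ee:02")},
    oui_prefixes={"00:1b:2c"},                          # constructed voice OUI
    voice_vlan_enabled=True,
)

SAMPLE_PACKETS = [
    ArpPacket("GE1/0/1", "10.1.1.10", "00:11:22:33:44:55"),   # static match
    ArpPacket("GE1/0/1", "10.1.1.10", "aa:bb:cc:dd:ee:99"),   # bound IP, other MAC
    ArpPacket("GE1/0/2", "10.1.1.20", "aa:bb:cc:dd:ee:01"),   # DHCP snooping entry
    ArpPacket("GE1/0/3", "10.1.1.30", "aa:bb:cc:dd:ee:02"),   # 802.1X entry
    ArpPacket("GE1/0/4", "10.1.1.40", "00:1b:2c:00:00:01"),   # voice phone (OUI)
    ArpPacket("GE1/0/5", "10.1.1.50", "aa:bb:cc:dd:ee:50"),   # unknown host
    ArpPacket("GE1/0/24", "10.1.1.1", "00:00:5e:00:01:01"),   # trusted port
]


def inspect_all(packets: List[ArpPacket] = SAMPLE_PACKETS,
                table: ArpDetectionTable = SAMPLE_TABLE) -> List[Tuple[bool, str]]:
    return [inspect_arp(p, table) for p in packets]


if __name__ == "__main__":
    for pkt, (ok, why) in zip(SAMPLE_PACKETS, inspect_all()):
        verdict = "forward" if ok else "discard"
        print(f"{pkt.port:9} {pkt.sender_ip:10} {verdict:8} {why}")
```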

Configuring ARP Automatic Scanning and Fixed ARP

ARP automatic scanning is usually used together with the fixed ARP feature.

With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.

Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated through ARP automatic scanning) into static ARP entries. The fixed ARP feature can effectively prevent ARP entries from being modified by attackers.

Configuring ARP Gateway Protection

The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks as follows: when such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.

Configuring ARP Filtering

To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port as follows: the port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded.

Summary: ARP protection

This module described the capabilities of the dynamic ARP protection feature and how to configure this feature.

- The Dynamic ARP protection feature protects against ARP poisoning, snooping, and DoS attacks.
- The key configuration steps are:
  - Enable dynamic ARP protection globally
  - Specify the VLANs to be protected
  - Define trusted ports connecting to other switches
  - Optionally, define static IP-to-MAC address bindings
- With Dynamic ARP protection enabled, a switch differentiates between trusted and untrusted ports:
  - Drops invalid ARP packets received on untrusted ports
  - Does not perform ARP inspections on trusted ports
- The dynamic ARP protection makes use of the DHCP snooping binding database that is used to track valid DHCP assignments.

IP Spoofing Protection
Module 10

In this module, features that protect against IP spoofing will be introduced.

Figure 1

Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD r protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

ProVision switches provide a feature called Dynamic IP Lockdown that provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.

Comware switches provide a feature called IP Source Guard that can help to mitigate an IP spoofing attack. The IP Source Guard function can be enabled on user access ports of the switch to improve network security. It prevents illegal packets from traveling through the ports. When a port enabled with the IP Source Guard function receives a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source guard. If there is a match, the port forwards the packet. If there is no match, the port discards the packet. IP source guard bindings are on a per-port basis. After a binding entry is configured on a port, it is effective only on that port.

Dynamic IP Lockdown
The Dynamic IP Lockdown feature is used to prevent IP source address spoofing on a per-port and per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping feature.

Protection Against IP Source Address Spoofing

Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD r protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.

Prerequisite: DHCP Snooping

Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic:

- Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding.

  Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCP-assigned address. Otherwise, a client's leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client.

  It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients' leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week.

  Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings.

- The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs> rule, as shown in the example in Figure 11-4). These VLAN_IDs correspond to the subset of configured and enabled VLANs for which DHCP snooping has been configured.

- For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled.

- Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts back to switching traffic as usual.
Filtering IP and MAC Addresses Per-Port and Per-VLAN

This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature:

- Internal Dynamic IP lockdown bindings dynamically applied on a per-port basis from information in the DHCP Snooping lease database and statically configured IP-to-MAC address bindings

- Packet filtering using source IP address, source MAC address, and source VLAN as criteria

Enabling Dynamic IP Lockdown

To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown.

    [no] ip source-lockdown <port-list>

Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.

Operating Notes

- Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.

- DHCP snooping is a prerequisite for Dynamic IP Lockdown operation. The following restrictions apply:

  - DHCP snooping is required for dynamic IP lockdown to operate. To enable DHCP snooping, enter the dhcp-snooping command at the global configuration level.

  - Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.

  - Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.) By default, all ports are untrusted. To remove the trusted configuration from a port, enter the no dhcp-snooping trust <port-list> command at the global configuration level.

- After you enter the ip source-lockdown command (enabled globally with the desired ports entered in <port-list>), the dynamic IP lockdown feature remains disabled on a port if any of the following conditions exist:

  - DHCP snooping has not been globally enabled on the switch.
  - The port is not a member of at least one VLAN that is enabled for DHCP snooping.
  - The port is configured as a trusted port for DHCP snooping.

  Dynamic IP lockdown is activated on the port only after you make the following configuration changes:

  - Enable DHCP snooping on the switch.
  - Configure the port as a member of a VLAN that has DHCP snooping enabled.
  - Remove the trusted-port configuration.

- You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the web management or menu interface.

- If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.

- Dynamic IP lockdown must be removed from a trunk before the trunk is removed.
Adding an IP-to-MAC Binding to the DHCP Binding Database

A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.

Dynamic IP lockdown supports a total of 4K static and dynamic bindings with up to 64 bindings per port. When DHCP snooping is enabled globally on a VLAN, dynamic bindings are learned when a client on the VLAN obtains an IP address from a DHCP server. Static bindings are created manually with the CLI or from a downloaded configuration file.

When dynamic IP lockdown is enabled globally or on ports, the bindings associated with the ports are written to hardware. This occurs during these events:

- Switch initialization
- Hot swap
- A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN
- DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports

Potential Issues with Bindings

- When dynamic IP lockdown is enabled, and a port or switch has the maximum number of bindings configured, the client DHCP request will be dropped and the client will not receive an IP address through DHCP.

- When dynamic IP lockdown is enabled and a port is configured with the maximum number of bindings, adding a static binding to the port will fail.

- When dynamic IP lockdown is enabled globally, the bindings for each port are written to hardware. If global dynamic IP lockdown is enabled and disabled several times, it is possible to run out of buffer space for additional bindings. The software will delay adding the bindings to hardware until resources are available.
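The Python model below is an added illustration, not code from the course guide or from the switch firmware. It covers the per-port filtering described under "Filtering IP and MAC Addresses Per-Port and Per-VLAN", the activation conditions from the Operating Notes, and the per-port binding limit from the Potential Issues list above. Port numbers, VLAN IDs, addresses and the rule text it renders are constructed for the example.

```python
# Added example, not code from the HP course guide: a model of how a
# ProVision switch applies dynamic IP lockdown per port, as described above.
# It derives permit rules from the DHCP snooping lease database plus static
# ip source-binding entries, appends the final "deny any vlan" rule for the
# DHCP-snooping VLANs the port belongs to, exempts broadcast DHCP requests,
# honours the activation conditions (global snooping, snooping-VLAN membership,
# untrusted port) and the 64-bindings-per-port limit. All names, addresses
# and the rendered rule text are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_BINDINGS_PER_PORT = 64          # per-port limit stated in the text

Binding = Tuple[int, str, str]      # (vlan-id, ip-address, mac-address)


@dataclass
class Switch:
    dhcp_snooping_global: bool = False
    snooping_vlans: Set[int] = field(default_factory=set)
    trusted_ports: Set[str] = field(default_factory=set)
    port_vlans: Dict[str, Set[int]] = field(default_factory=dict)
    lockdown_ports: Set[str] = field(default_factory=set)          # ip source-lockdown
    bindings: Dict[str, List[Binding]] = field(default_factory=dict)  # DHCP binding DB

    def lockdown_active(self, port: str) -> bool:
        """Lockdown stays disabled on a port until all prerequisites hold."""
        if port not in self.lockdown_ports or not self.dhcp_snooping_global:
            return False
        if not (self.port_vlans.get(port, set()) & self.snooping_vlans):
            return False                         # no DHCP-snooping VLAN on the port
        return port not in self.trusted_ports    # not supported on trusted ports

    def add_binding(self, port: str, binding: Binding) -> bool:
        """Record a lease-learned or static binding; fails when the port is full."""
        entries = self.bindings.setdefault(port, [])
        if binding in entries:
            return True
        if len(entries) >= MAX_BINDINGS_PER_PORT:
            return False                         # DHCP request dropped / static add fails
        entries.append(binding)
        return True

    def port_rules(self, port: str) -> List[str]:
        """Render the internal per-port list: permit rules, then the final deny."""
        rules = [f"permit vlan {v} ip {ip} mac {mac}"
                 for v, ip, mac in self.bindings.get(port, [])]
        snoop = sorted(self.port_vlans.get(port, set()) & self.snooping_vlans)
        rules.append("deny any vlan " + ",".join(str(v) for v in snoop))
        return rules


@dataclass
class IpPacket:
    port: str
    vlan: int
    src_ip: str
    src_mac: str
    dhcp_broadcast_request: bool = False


def lockdown_filter(sw: Switch, pkt: IpPacket) -> str:
    """Decide what dynamic IP lockdown does with one inbound IP packet."""
    if pkt.dhcp_broadcast_request:
        return "exempt"                # handled by DHCP snooping instead
    if not sw.lockdown_active(pkt.port):
        return "forward"               # port switches traffic as usual
    if pkt.vlan not in sw.snooping_vlans:
        return "forward"               # only DHCP-snooping VLANs are filtered
    if (pkt.vlan, pkt.src_ip, pkt.src_mac.lower()) in sw.bindings.get(pkt.port, []):
        return "permit"
    return "deny"                      # counted by debug dynamic-ip-lockdown


def build_sample_switch() -> Switch:
    """Constructed topology: VLAN 10 is snooped, port 24 is the trusted uplink."""
    sw = Switch(dhcp_snooping_global=True, snooping_vlans={10},
                trusted_ports={"24"},
                port_vlans={"1": {10}, "2": {20}, "24": {10, 20}},
                lockdown_ports={"1", "2", "24"})
    sw.add_binding("1", (10, "10.0.10.50", "00:11:22:33:44:55"))   # learned lease
    sw.add_binding("1", (10, "10.0.10.60", "00:11:22:33:44:66"))   # static entry
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    for p in ("1", "2", "24"):
        print(f"port {p}: lockdown {'active' if sw.lockdown_active(p) else 'inactive'}")
    print("\n".join(sw.port_rules("1")))
    print(lockdown_filter(sw, IpPacket("1", 10, "10.0.10.50", "00:11:22:33:44:55")))
    print(lockdown_filter(sw, IpPacket("1", 10, "10.0.10.50", "00:11:22:33:44:77")))
```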

Adding a Static Binding

To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.

    [no] ip source-binding <vlan-id> <ip-address> <mac-address> <port-number>

vlan-id: Specifies a valid VLAN ID number to bind with the specified MAC and IP addresses on the port in the DHCP binding database.

ip-address: Specifies a valid client IP address to bind with a VLAN and MAC address on the port in the DHCP binding database.

mac-address: Specifies a valid client MAC address to bind with a VLAN and IP address on the port in the DHCP binding database.

port-number: Specifies the port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database.

Note
Note that the ip source-binding command is the same command used by the Dynamic ARP Protection feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC address bindings.

Verifying the Dynamic IP Lockdown Configuration

To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status command at the global configuration level.

    show ip source-lockdown status

Displaying the Static Configuration of IP-to-MAC Bindings

To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings command.

    show ip source-lockdown bindings [port-number]

port-number: (Optional) Specifies the port number on which source IP-to-MAC address and VLAN bindings are configured in the DHCP lease database.

Debugging Dynamic IP Lockdown

To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.

    debug dynamic-ip-lockdown

To send command output to the active CLI session, enter the debug destination session command.

Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Figure 11-7.

When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.

IP Source Guard
IP source guard filters packets based on the following types of binding entries:

- IP-port binding entry
- MAC-port binding entry
- IP-MAC-port binding entry
- IP-VLAN-port binding entry
- MAC-VLAN-port binding entry
- IP-MAC-VLAN-port binding entry

Depending on how the entry is created, an IP source guard binding entry can be static or dynamic:

- A static binding is configured manually. It is suitable when there are a few hosts in a LAN or you need to configure a binding entry for a host separately.

- A dynamic binding is implemented in cooperation with DHCP snooping or DHCP Relay. It is suitable when there are many hosts in a LAN, and DHCP is used to allocate IP addresses to the hosts. Once DHCP allocates an IP address for a user, the IP source guard function automatically adds a binding entry based on the DHCP entry to allow the user to access the network. If a user specifies an IP address instead of getting one through DHCP, the user does not trigger DHCP to allocate an IP address, and therefore no IP source guard binding is added for the user to access the network. In this way, IP address collision and theft are prevented.

Note
You cannot configure the IP source guard function on a port in an aggregation group, nor can you add a port configured with IP source guard to an aggregation group.

Configuring Dynamic IP Source Guard Binding

Dynamic IP source binding allows a port to obtain binding entries automatically through cooperation with DHCP protocols.

- Cooperating with DHCP snooping, IP source guard will automatically obtain the DHCP snooping entries that are generated during dynamic IP address allocation on a Layer 2 Ethernet port.

- Cooperating with DHCP Relay, IP source guard will automatically obtain the DHCP Relay entries that are generated during dynamic IP address allocation across network segments on a VLAN interface.

These dynamically obtained binding entries contain such information as MAC address, IP address, VLAN tag, port information and entry type. IP source guard applies these binding entries to the port, so that the port can filter packets according to the binding entries.

    <A5800>system-view
    [A5800]interface <port-id>
    [A5800-GE1/0/1]ip check source [ip-address | ip-address mac-address | mac-address]

Note
To implement dynamic binding in IP source guard, make sure that DHCP snooping or DHCP Relay is configured and works normally.

Displaying and Maintaining IP Source Guard

    display ip check source [interface <port-id> | ip-address <ip-addr> | mac-address <mac-addr>] [slot <slot-id>]

Virus Throttling
Module 11

In this module, the connection-rate filtering feature is described.

Scenario: Protecting against viruses

Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect and manage worm-type security threats received by the switch in inbound IP traffic.

Connection-rate filtering

Figure 1

The HP connection-rate filtering feature allows you to receive notifications of worm-like behavior that is detected in inbound IP traffic. Traffic examined by the connection-rate filtering feature can be switched or routed. Depending on how you configure the feature, traffic from the source host can be blocked, throttled (temporarily blocked), or you can simply be notified. Notifications are written to the Event log and can be sent as SNMP traps.

This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.

Connection-rate filtering can help protect your network against both known and unknown viruses. Rather than stop virus attacks based on signature files, connection-rate filtering monitors behavior, working on the principle that a worm will request sessions with a large number of devices on the network as it attempts to spread. You don't have to wait for a signature file so that you can protect your network against a new threat. And you don't have to take the time to painstakingly update each computer or rely on your users to do the update.

The connection-rate filtering feature minimizes the damage caused by infected computers because it slows or completely stops the traffic from computers that exhibit infected behavior. Uninfected computers can continue to be used because the switch is fully functional even if your network is under attack.

Connection-rate filtering operation

Figure 2

Origin of the connection-rate filtering feature

The connection-rate filtering feature is based on the Virus Throttle software invented at HP Labs and implemented in various HP networking devices. The fundamental mode of operation is to limit the number of new outgoing connections, i.e., sessions, initiated from a given computer to one or more other computers.

Throttling viruses can also be compared to on-ramp metering lights. Each car is like a connection. The meter restricts access to the highway to one car per light while allowing cars already on the highway to continue moving freely. Similarly, the connection-rate filtering feature restricts the number of new connections, but allows traffic associated with existing connections to flow freely.

How it works

When an application on a computer makes a connection request, the connection-rate filtering feature performs the following steps:

- It compares the destination IP address of the packet to a working set of recently contacted destinations.

- If the destination IP address is listed in the working set, the new connection is allowed and all packets to that destination are processed immediately.

- If the destination IP address is not listed in the working set, then the connection rate threshold for the source IP address is checked.

  The connection rate threshold determines how many new connections a source is allowed to initiate in a set time period. The connection rate is a good indicator of virus activity. For example, in most circumstances a computer may open one new connection per second while an infected computer may attempt to open hundreds.

- If the new connection request exceeds the source's threshold, the configured action is applied. The connection-rate filtering feature can send both a notification and block traffic associated with new connections. The duration for which traffic is throttled can either be temporary, a short penalty period, or the traffic can be permanently blocked. When a source computer is blocked, the administrator must manually unblock it.
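The following simulation of the steps above is an added example, not code from the course guide or from HP's Virus Throttle implementation. The threshold, window and penalty values are constructed parameters rather than the switch's sensitivity table, and the connection-rate ACL is modelled as a set of exempt source addresses.

```python
# Added example, not part of the HP course guide: a simulation of the
# connection-rate filtering decision described above. Each source keeps a
# working set of recently contacted destinations; a connection to a new
# destination counts against the source's threshold of new destinations per
# time window. Exceeding it applies the port's configured action: notify,
# throttle (new connections dropped until a penalty period expires) or block
# (new connections dropped until an administrator unblocks the source).
# Traffic to destinations already in the working set keeps flowing.
# Thresholds, window, penalty, addresses and the trace are constructed values.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set


@dataclass
class SourceState:
    working_set: Set[str] = field(default_factory=set)   # recently contacted dests
    new_conn_times: Deque[float] = field(default_factory=deque)
    throttled_until: float = 0.0
    blocked: bool = False


@dataclass
class ConnectionRateFilter:
    action: str                 # per-port action: "notify", "throttle" or "block"
    max_new_per_window: int     # sensitivity: new destinations allowed per window
    window: float               # window length in seconds
    penalty: float              # throttle penalty period in seconds
    acl_exempt: Set[str] = field(default_factory=set)        # connection-rate ACL
    sources: Dict[str, SourceState] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)   # event log / traps

    def handle(self, src: str, dst: str, now: float) -> str:
        """Return "forward" or "drop" for an inbound packet from src to dst."""
        if src in self.acl_exempt:
            return "forward"                  # trusted source bypasses the filter
        st = self.sources.setdefault(src, SourceState())
        if dst in st.working_set:
            return "forward"                  # existing connection flows freely
        if st.blocked or now < st.throttled_until:
            return "drop"                     # new connections are held back
        # A new destination: slide the window and count this attempt.
        while st.new_conn_times and now - st.new_conn_times[0] >= self.window:
            st.new_conn_times.popleft()
        st.new_conn_times.append(now)
        if len(st.new_conn_times) <= self.max_new_per_window:
            st.working_set.add(dst)
            return "forward"
        self.notifications.append(f"{now:.1f}s: high connection rate from {src}")
        if self.action == "notify":
            st.working_set.add(dst)
            return "forward"                  # notify-only: still delivered
        if self.action == "throttle":
            st.throttled_until = now + self.penalty   # expires on its own
        else:
            st.blocked = True                 # stays until unblock() is called
        return "drop"

    def unblock(self, src: str) -> None:
        """Administrator action; a running throttle cannot be cancelled."""
        if src in self.sources:
            self.sources[src].blocked = False


def run_sample() -> List[str]:
    """Constructed trace: one host fans out to four new hosts within 0.3 s."""
    crf = ConnectionRateFilter(action="throttle", max_new_per_window=3,
                               window=1.0, penalty=30.0, acl_exempt={"10.0.0.9"})
    trace = [("10.0.0.5", "10.0.1.1", 0.0), ("10.0.0.5", "10.0.1.2", 0.1),
             ("10.0.0.5", "10.0.1.3", 0.2), ("10.0.0.5", "10.0.1.4", 0.3),
             ("10.0.0.5", "10.0.1.1", 0.4),    # existing connection during penalty
             ("10.0.0.5", "10.0.1.5", 1.0),    # new connection during penalty
             ("10.0.0.5", "10.0.1.5", 31.0),   # penalty has expired
             ("10.0.0.9", "10.0.1.7", 31.0)]   # ACL-exempt server
    return [crf.handle(s, d, t) for s, d, t in trace]


if __name__ == "__main__":
    print(run_sample())
```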

in
or
Connection-rate sensitivity

le
ho
The switch includes a global sensitivity setting that allows you to adjust the ability of

w
connection-rate filtering to detect relatively high instances of connection-rate attempts

in
from a given source.

P
H
Generally, normal network traffic has a fairly different profile compared to traffic

of
de
introduced into the network by malicious agents. However, when a legitimate

i
ts
computer generates multiple connections in a short period of time, connection-rate
ou
filtering could potentially generate a false positive and treat the computer as an
r
fe

infected system. Lowering the sensitivity or changing the filter mode (notify-only,
ns

throttle, or block) may reduce the number of false positives.


tra

On the other hand, relaxing filtering and sensitivity settings does lower the switchs
or

ability to detect worm-like traffic in the early stages of an attack. Your approach
n
tio

should be carefully investigated and planned to ensure that a risky vulnerability is not
uc

created.
rod
ep

As an alternative, you can use connection-rate ACLs to selectively enable allow


.R

legitimate traffic on some ports.


ly
on

Operational notes and considerations


e
us

You should understand the implications of connection-rate filtering. Some of the


dy

important points to keep in mind include:


tu
f-s

First, whether the switch throttles or blocks suspicious traffic, it does this on
l
se

inbound traffic from the computer, not on traffic outbound to the computer.
ee
oy

Note
pl

Connection-rate filtering is implemented on a per-port basis. A port configured with


Em

connection-rate filtering may connect directly to an edge device or to some other


P

switch, behind which may be many incoming source flows.


H

When a source IP address is throttled, you cannot cancel the throttle action
the penalty period must expire. On the other hand, you must manually cancel
a block that is applied to a source IP address. Carefully tuning the global

Rev 10.41 11 3
Implementing HP Network Infrastructure Security

sensitivity level is key to saving yourself the effort of reopening a wrongfully


blocked port.
Once you have configured connection-rate filtering on a port, that port is fixed
as far as trunking is concerned. You cannot add it or remove it from a trunk
unless you first disable connection-rate filtering on the port.

d.
te
Connection-rate filtering also supports its own special form of ACLs called

bi

i
oh
connection-rate ACLs. These will be described later in this section.

pr
Guidelines: Using connection-rate filtering

si
rt
pa
On this page and the next one, some general guidelines for using connection-rate

n
filtering are listed. Because every network can have its own distinct traffic profiles,

i
or
there is no one approach that will both secure your network and eliminate false

le
positives. Since connection-rate filtering operates based on a configured sensitivity

ho
w
level of incoming connection requests per time period, using this feature will require

in
that you have an understanding of what are normal traffic patterns for both highly

P
active servers and typical end-user computers.

H
of
For a network that is relatively attack-free you should set the global sensitivity to low

de
and enable notify-only mode on the ports you want to monitor with connection-rate
i
ts
ou
filtering.
r
fe

If SNMP trap receivers are available in your network, use the snmp-server command
ns

to configure the switch to send SNMP traps. Then monitor the Event log or the SNMP
tra

trap receivers to identify computers exhibiting high connection rates.


or

Check any hosts that exhibit relatively high connection rate behavior to determine
n
tio

whether malicious code or legitimate use is the cause of the behavior. Computers
uc

demonstrating high, but legitimate connection rates, such as heavily used servers,
rod

may trigger a connection-rate filter. For these sources you should consider doing the
ep

following:
.R
ly

Configuring connection rate ACLs to create policy exceptions for trusted


on

sources so that selected traffic bypasses connection-rate filtering checks.


e
us

Enabling throttle or block mode on the identified ports. Remember, connection-


dy

rate filtering keys off of the source IP address. Therefore, enabling throttle or
tu
f-s

block mode will only affect those sources that exceed the global sensitivity
l
se

level.
ee

Implementing and managing features like connection-rate filtering that operate based
oy

on dynamic changes in network activity requires an iterative approach to the


pl
Em

configuration process when you begin using it. But, you also need to maintain the
practice of carefully monitoring the Event log or trap receivers for any sign of high
P
H

connectivity-rate activity that could indicate an attack by malicious code.


For a network that is under significant attack, the general guidelines have similarities
to those described on the prior page, but imply more scrutiny will be applied. The
major difference is the policy used for managing computers exhibiting high
connection rates. This allows better network performance for unaffected computers
11 4 Rev 10.41
Technet24.ir
Virus Throttling

and helps to identify hosts that may require updates or patches to eliminate malicious
code.
Compared to a network that is relatively attack free, you should set the global
sensitivity to medium and enable throttle mode for a network under significant attack.
As described previously, you will then need to monitor the Event log or the SNMP

d.
te
trap receivers to identify computers exhibiting high connection rates.

i bi
oh
Check any hosts that exhibit relatively high connection rate behavior to determine

pr
whether malicious code or legitimate use is the cause of the behavior. On hosts you

s
identify as needing attention to remove malicious behavior:

i
rt
pa
To immediately halt an attack from a specific computer, group of hosts, or a

n
subnet, you can use the per-port block mode on the ports traversed by these

i
or
sources.

le
ho
After gaining control of the situation, you can use connection-rate ACLs to

w
more selectively manage traffic to allow receipt of normal routed traffic from

in
reliable computers.

P
H
of
Implementing connection-rate filtering

To configure connection-rate filtering, there are three primary tasks involved:

- You enable connection-rate filtering globally when you configure the detection sensitivity. You must determine the sensitivity for your network, i.e., how many new connections a second are too many? Although the feature is enabled when you set the detection sensitivity, you must perform the next task to make connection-rate filtering operative.
- You assign connection-rate filtering to one or more ports. As part of this task, you specify the action that will be applied if suspicious behavior is detected. The action can be configured on a per-port basis.
- Optionally, you can configure connection-rate ACLs to allow selective traffic to bypass connection-rate filtering from one or more hosts. This type of ACL is separate from the standard and extended ACLs that were described in a previous section.

Enabling connection-rate filtering

Figure 3

You use the connection-rate-filter sensitivity command to enable connection-rate filtering and specify the global sensitivity detection level. The no connection-rate-filter command disables connection-rate filtering on the switch.

The sensitivity setting determines how the switch interprets a given computer's attempts to connect to a series of different destination devices as a possible attack by a malicious agent. The sensitivity setting also determines the throttle mode penalty periods as shown in the table above.

The options for configuring the global detection sensitivity are:

- low: Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 destinations in less than 0.1 seconds, and a corresponding penalty time for throttle mode of less than 30 seconds.
- medium: Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second, and a corresponding penalty time for throttle mode between 30 and 60 seconds.
- high: Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second, and a corresponding penalty time for throttle mode between 60 and 90 seconds.
- aggressive: Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 destinations in less than 1 second, and a corresponding penalty time for throttle mode between 90 and 120 seconds.

Configuring the ports

Figure 4

You use the filter connection-rate command to assign connection-rate filtering for one or more ports and specify the filtering mode. The no filter connection-rate command is used to remove connection-rate filtering from one or more ports.

The filtering mode specifies the manner in which the switch will respond if a relatively high number of inbound connection attempts is detected from a given source, that is, if the global sensitivity threshold you configured is exceeded.

The filtering modes are:

- notify-only: If the global sensitivity threshold is exceeded for a specific computer, this option generates an Event log message and sends a similar message to any SNMP trap receivers configured.
- throttle: If the global sensitivity threshold is exceeded for a specific computer, this option generates the notify-only message and also blocks all traffic inbound from the offending computer for a penalty period. After the penalty period expires, the switch allows traffic from the offending host to resume and re-examines the traffic. If the suspect behavior continues, the switch again blocks the traffic from the offending computer and repeats the cycle.
- block: If the global sensitivity threshold is exceeded for a specific computer, this option generates the notify-only messaging and also blocks all traffic inbound from the offending computer.

Note
The connection request frequency, mean number of new destinations, and penalty period are not configurable.

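The sensitivity levels and filtering modes described above can be modelled end to end. The following Python is an added example, not HP code or switch output: it uses the destination counts and windows the text gives for each sensitivity level, takes the upper end of each throttle penalty range as the penalty (an assumption), and runs a constructed scan of 40 distinct destinations from one host through the notify-only, throttle and block modes; the class and function names and the addresses are invented for the example.

```python
from collections import defaultdict, deque

# sensitivity -> (mean new destinations allowed, window s, throttle penalty s); the
# counts and windows follow the course text, the penalty is the top of the stated range
SENSITIVITY = {
    "low": (54, 0.1, 30),
    "medium": (37, 1.0, 60),
    "high": (22, 1.0, 90),
    "aggressive": (15, 1.0, 120),
}

class ConnectionRateFilter:
    def __init__(self, sensitivity="medium", mode="throttle"):
        self.limit, self.window, self.penalty = SENSITIVITY[sensitivity]
        self.mode = mode                   # notify-only | throttle | block
        self.history = defaultdict(deque)  # src -> recent (time, destination)
        self.throttled = {}                # src -> time the penalty expires
        self.blocked = set()               # block-mode sources awaiting unblock()
        self.events = []                   # what the Event log / SNMP trap would carry

    def _trigger(self, src, t):
        self.events.append((t, src, f"{self.mode}: connection-rate threshold exceeded"))
        self.history[src].clear()          # traffic is re-examined from scratch later
        if self.mode == "throttle":
            self.throttled[src] = t + self.penalty
        elif self.mode == "block":
            self.blocked.add(src)

    def observe(self, src, dst, t):
        """Return 'forward' or 'drop' for one inbound connection attempt at time t."""
        if src in self.blocked or t < self.throttled.get(src, float("-inf")):
            return "drop"
        self.throttled.pop(src, None)      # an expired penalty lets traffic resume
        hist = self.history[src]
        hist.append((t, dst))
        while t - hist[0][0] >= self.window:   # keep only the observation window
            hist.popleft()
        if len({d for _, d in hist}) > self.limit:
            self._trigger(src, t)
            return "forward" if self.mode == "notify-only" else "drop"
        return "forward"

    def unblock(self, src):
        self.blocked.discard(src)          # operator action: connection-rate-filter unblock

def demo(mode="throttle", sensitivity="medium"):
    crf = ConnectionRateFilter(sensitivity, mode)  # constructed scan: 40 destinations in 0.4 s
    results = [crf.observe("10.1.1.9", f"10.1.2.{i}", 0.01 * i) for i in range(40)]
    resumed = crf.observe("10.1.1.9", "10.1.2.1", 100.0)  # long after any penalty
    return results.count("drop"), len(crf.events), resumed
```

In throttle mode the scan is dropped from the 38th destination on and forwarded again once the penalty expires; in block mode it stays dropped until unblock() is called, and at low sensitivity the same scan never trips the threshold.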
Viewing the configuration

Figure 5

The show connection-rate-filter command displays the connection-rate-filtering configuration. This command answers these questions:

- Is the feature enabled?
- On which ports is it enabled?
- What action does the switch take against suspicious traffic for each port?

Viewing throttled and blocked hosts


Figure 6
The show connection-rate-filter command also supports three additional options. These options allow you to view how your switch is currently implementing connection-rate filtering.

- all-hosts: This option displays all source IP addresses that are currently throttled or blocked.
- blocked-hosts: This option displays only those source IP addresses that are currently blocked.
- throttled-hosts: This option displays only those source IP addresses that are currently throttled.

Managing blocked hosts

Figure 7

If the list of blocked-hosts shows an IP address that you have cleared for renewed network access, then you must manually remove the block by using the connection-rate-filter unblock command. You can remove all blocks at once, all blocks for IP addresses in a given subnet, or only the block on a specific IP address.

Keep in mind that throttled hosts cannot be managed; the temporary block is removed when the throttle period expires.

Note
HP recommends that, before you unblock a source IP address that has been blocked by connection-rate filtering, you inspect the computer with current antivirus tools and remove any malicious agents that pose a threat to your network.

If a trusted source IP address frequently triggers connection-rate blocking with legitimate, high connection-rate traffic, then you should consider either changing the sensitivity level or configuring a connection-rate ACL to create a filtering exception for that source.

Using connection-rate ACLs


A computer sending legitimate, routed traffic can trigger connection-rate filtering in some circumstances. If you can verify that such a computer is indeed sending valid traffic and is not a threat to your network, you may want to configure a connection-rate ACL that allows this traffic to bypass connection-rate filtering.

A connection-rate ACL is an optional feature that consists of one or more explicitly configured ACEs used to specify whether to enforce the configured connection-rate policy on traffic from a particular source. Use of connection-rate ACLs allows you to apply exceptions to the configured connection-rate filtering policy. This enables you to bypass connection-rate filtering for legitimate traffic from a trusted source.

For example, where a connection-rate policy has been configured, you can apply a connection-rate ACL that causes the switch to bypass connection-rate policy filtering on traffic from:

- A trusted server exhibiting a relatively high IP connection rate due to heavy demand
- A trusted traffic source on the same port as other, untrusted traffic sources

Connection-rate ACLs support some of the parameters of extended ACLs that you are already familiar with, although there are several differences. These differences are illustrated on the next page. The criteria that you can specify for a connection-rate ACL can include the source IP address of traffic from a specific host, group of hosts, or a subnet, and can also include source and destination TCP/UDP criteria.

Configuring connection-rate ACLs


Figure 8

You use the ip access-list connection-rate-filter command to define a connection-rate ACL, specifically to define the name that will be used for a particular ACL. Unlike standard and extended ACLs, connection-rate ACLs only use names. When this command is entered, the CLI displays the connection-rate filtering named ACL context level (cfg-crf-nacl).

The filter option assigns connection-rate filtering to traffic that matches the IP address
and TCP/UDP port criteria. The ignore option specifies that traffic matching the
criteria is to bypass connection-rate filtering.
When you define an ACE for a connection-rate ACL, you can define it using the source IP address criterion only or you can specify source IP address and TCP/UDP criteria.

Similar to standard and extended ACLs, the source IP address may be specified in one of four forms:

- any host (literal term)
- Single host
- Address with a dotted decimal mask
- Address with a bit mask length

A connection-rate ACL also allows you to identify traffic based on the destination port, the source port, or both. These fields are located in the layer 4 (TCP or UDP) header. The port identifier may be any one of the following:

- A protocol number in the range of 0 to 65535
- A well-known port name listed in the table below:

TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet
UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

If you specify a source or destination port number or name, you also need to specify a comparison operator. The comparison operators are:

- eq: Equal to
- gt: Greater than
- lt: Less than
- neq: Not equal to
- range <start> <end>: Range of port numbers from start to end, inclusive.

Just like standard and extended ACLs, there is an implicit ACE in a connection-rate ACL that is hidden. The implicit ACE is activated if a given packet does not match any of the other ACEs of the ACL. The implicit ACE in a connection-rate ACL functions differently than the implicit ACE of standard and extended ACLs.

In a connection-rate ACL, the format of the implicit ACE is filter ip any. This ACE
sends a packet that does not match any of the explicitly defined ACEs to the
connection-rate filtering process.
To preempt the implicit ACE, you can configure an ignore ip any ACE as the last explicit entry in the connection-rate ACL. The switch will then ignore (permit) traffic that does not match the other ACEs in the ACL without filtering the traffic through the connection-rate policy.

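The matching rules above (first ACE wins, the hidden filter ip any, ignore ip any to preempt it, the eq/gt/lt/neq/range operators with numbers or names) can be worked through in Python. This is an added example, not the switch's own logic: the Ace constructor, the decision function and the IANA numbers behind the named ports are assumptions, the server and subnet addresses are constructed, and the ACL it builds mirrors the example configuration later in this module (ignoring TCP-based RADIUS traffic from one server).

```python
import ipaddress
from dataclasses import dataclass

# names from the course table with their standard IANA numbers (the course gives names only)
PORT_NAMES = {"http": 80, "ssl": 443, "radius": 1812, "snmp": 161, "snmp-trap": 162}

def port_matches(criterion, port):
    """criterion is None or (op, value[, end]); op is eq, gt, lt, neq or range."""
    if criterion is None:
        return True
    op, *vals = criterion
    vals = [int(PORT_NAMES.get(v, v)) for v in vals]
    if op == "range":
        return vals[0] <= port <= vals[1]
    return {"eq": port == vals[0], "neq": port != vals[0],
            "gt": port > vals[0], "lt": port < vals[0]}[op]

@dataclass
class Ace:
    action: str          # "filter" or "ignore"
    proto: str           # "ip", "tcp" or "udp"
    source: str          # "any", "10.1.1.50", "10.1.0.0/16" or "10.1.0.0 255.255.0.0"
    src_port: tuple = None
    dst_port: tuple = None

    def matches(self, proto, src, sport, dport):
        spec = "0.0.0.0/0" if self.source == "any" else self.source.replace(" ", "/")
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(spec, strict=False)
                and port_matches(self.src_port, sport)
                and port_matches(self.dst_port, dport))

IMPLICIT_ACE = Ace("filter", "ip", "any")  # the hidden last entry of every connection-rate ACL

def crf_decision(acl, proto, src, sport, dport):
    """First matching ACE wins: 'filter' goes to connection-rate filtering, 'ignore' bypasses it."""
    for ace in [*acl, IMPLICIT_ACE]:
        if ace.matches(proto, src, sport, dport):
            return ace.action

def demo():
    # constructed ACL: the module's RADIUS-server exception plus a trusted management subnet
    acl = [Ace("ignore", "tcp", "10.1.1.50", dst_port=("eq", "1812")),
           Ace("filter", "ip", "10.1.1.0/24"),
           Ace("ignore", "udp", "10.2.0.0 255.255.0.0", dst_port=("range", "snmp", "snmp-trap"))]
    return (crf_decision(acl, "tcp", "10.1.1.50", 40000, 1812),  # RADIUS from the server: ignore
            crf_decision(acl, "tcp", "10.1.1.50", 40000, 443),   # other traffic from it: filter
            crf_decision(acl, "udp", "10.2.5.7", 1024, 162),     # snmp-trap inside the range: ignore
            crf_decision(acl, "tcp", "192.168.9.9", 1234, 80),   # no explicit match: implicit filter
            crf_decision(acl + [Ace("ignore", "ip", "any")], "tcp", "192.168.9.9", 1234, 80))  # preempted
```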
Applying connection-rate ACLs

Figure 9

To apply a connection-rate ACL, you use the vlan <vid> ip access-group command. The no form of the command removes the connection-rate ACL assignment from the VLAN.

A connection-rate ACL is applied at the VLAN level, but the ACL is evaluated for inbound traffic only on ports configured for connection-rate filtering in that VLAN. The ACL has no effect on ports in the VLAN that are not configured for connection-rate filtering.

The switch allows only one connection-rate ACL assignment per VLAN. If a connection-rate ACL is already assigned to a VLAN and you assign another connection-rate ACL to that VLAN, the second ACL overwrites the first one. A connection-rate ACL can be used in addition to any standard or extended ACLs already assigned to the VLAN.

Example configuration

Figure 10

This graphic shows a portion of a switch configuration file with connection-rate filtering configured.

The global detection sensitivity is set to low, which implies the connection-rate policy is the least sensitive. The switch is configured to protect the ports of modules A and B. The filter mode is set to notify-only on some ports, throttle on one port, and block on the remaining ports.

A connection-rate ACL is defined to ignore TCP-based RADIUS traffic from one particular server. Traffic matching this ACE will bypass connection-rate filtering and will not be subject to throttling should the server at some point trigger the connection-rate policy action.

Summary: Connection-rate filtering


This module described the capabilities of the connection-rate filtering feature and how to configure this feature.

- Connection-rate filtering can be used to detect worm-like network activity
- Monitors inbound IP traffic for a relatively high rate of connection requests from any given host on a port
- The key configuration steps are:
  - Enable connection-rate filtering globally and set the detection sensitivity level
  - Assign connection-rate filtering to specific ports and specify the action to be taken
  - Optionally, configure connection-rate ACLs
- Connection-rates for a given source that exceed a threshold can be throttled, blocked, or result in a notification only
- A connection-rate ACL allows you to specify selected traffic from a source that should bypass the connection-rate filtering process

To learn more about HP Networking, visit www.hp.com/networking