manualshive.com logo in svg

HP ProCurve Series 3400cl, Release Notes, Page: 68 / 197

Share
Download
HP ProCurve Series 3400cl Release Notes Download Page 68

58    

Enhancements

Release M.10.02 Enhancements

Configuring an ACL in a RADIUS Server

This section provides general guidelines for configuring a RADIUS server to specify RADIUS-based 
ACLs.  Also included is an example configuration for a FreeRADIUS server application. However, to 
configure support for these services on a specific RADIUS server application, please refer to the 
documentation provided with the application. 

Elements in a RADIUS-Based ACL Configuration. 

A RADIUS-based ACL configuration in a 

RADIUS server has the following elements:

vendor and ACL identifiers:

ProCurve (HP) Vendor-Specific ID: 11  

Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)

Setting: HP-IP-FILTER-RAW = < “permit” or “deny” ACE >

(Note that the “string” value and the “Setting” specifier are identical.)

ACL configuration, including:

one or more explicit “permit” and/or “deny” ACEs created by the system operator

implicit 

deny in ip from any to any

 ACE automatically active after the last operator-created 

ACE

ACEs define the ACL for a given client:

A given ACE configuration on a RADIUS server includes the identity of the client to 
which it applies. That is, the ACE includes the client username/password pair or the 
client device’s MAC address.

All ACEs configured on a RADIUS server for the same client are interpreted as belonging 
to the same ACL. (There is no ACL name or number configured on the RADIUS server.)

Example of Configuring a RADIUS-based ACL Using the FreeRADIUS Application. 

This 

example illustrates one method for configuring RADIUS-based ACL support for two different client 
identification methods (username/password and MAC address). For information on how to configure 
this functionality on other RADIUS server types, refer to the documentation provided with the server. 

1.

Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS 

dictionary

 file:

Per-Port Mask Usage

ACLs consume per-port (internal) mask resources rapidly and can be affected by 
IGMP usage on the same switch.  For more on this topic, refer to the “ACL 
Resource Usage and Monitoring” and “Extended ACLs” subsections in the 
chapter titled “Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl 
Switches” of the 

Advanced Traffic Management Guide

 for your 3400cl switch.

Item

Limit Notes

Summary of Contents for ProCurve Series 3400cl

Page 1: ...M 10 20 or newer Security Note Downloading and booting software release M 08 89 or greater for the first time automatically enables SNMP access to the hpSwitchAuth MIB objects If this is not desirable for your network ProCurve recommends thatyou disable it after downloading and rebooting with the latest switch software For more information refer to Enforcing Switch Security on page 10 and Using SN...

Page 2: ...s software written by Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing perfor...

Page 3: ... for Series 3400cl Switch Features 9 OS Web Java Compatibility Table 9 Enforcing Switch Security 10 Switch Management Access Security 10 Default Settings Affecting Security 10 Local Manager Password 11 Inbound Telnet Access and Web Browser Access 11 Secure File Transfers 11 SNMP Access Simple Network Management Protocol 12 Physical Access to the Switch 13 Other Provisions for Management Access Sec...

Page 4: ... 24 Release M 10 17 24 Enhancements 25 Release M 08 69 Enhancements 25 Release M 08 70 through M 08 72 Enhancements 25 Release M 08 73 Enhancements 25 Release M 08 74 through M 08 77 Enhancements 25 Release M 08 78 Enhancements 26 Using Fastboot To Reduce Boot Time 26 Release M 08 79 Enhancements 26 CLI Port Rate Display 26 Release M 08 80 through M 08 83 Enhancements 27 Release M 08 84 Enhancemen...

Page 5: ...s 77 Release M 10 05 Enhancements 79 Release M 10 06 Enhancements 79 Release M 10 07 Enhancements 80 Release M 10 08 Enhancements 80 Release M 10 09 Enhancements 80 Uni Directional Link Detection UDLD 80 Release M 10 10 Enhancements 88 Spanning Tree Per Port BPDU Filtering 88 Releases M 10 11 through M 10 12 Enhancements 91 Release M 10 13 Enhancements 91 Releases M 10 14 through M 10 16 Enhanceme...

Page 6: ...abling the Use of GVRP Learned Dynamic VLANs in Authentication Sessions 107 Release M 10 34 Enhancements 108 Concurrent TACAS and SFTP 108 Release M 10 35 Enhancements 109 Dynamic ARP Protection 109 Release M 10 36 Enhancements 115 Release M 10 37 Enhancements 115 Configuring MSTP Port Connectivity Parameters 116 Release M 10 38 Enhancements 118 Send SNMP v2c Informs 119 Release M 10 39 Enhancemen...

Page 7: ...ase M 10 71 Enhancements 144 Release M 10 72 Enhancements 144 Software Fixes in Release M 08 51 M 10 72 145 Release M 08 52 145 Release M 08 53 Never Released 145 Release M 08 54 145 Release M 08 55 Release M 08 60 145 Release M 08 61 145 Release M 08 62 147 Release M 08 63 147 Release M 08 64 148 Release M 08 65 148 Release M 08 66 148 Release M 08 67 148 Release M 08 68 149 Release M 08 69 149 R...

Page 8: ...e M 08 86 154 Release M 08 87 155 Release M 08 88 155 Release M 08 89 155 Release M 08 90 156 Release M 08 91 156 Release M 08 92 156 Release M 08 93 157 Release M 08 94 157 Release M 08 95 157 Release M 08 96 157 Release M 08 97 158 Release M 10 01 158 Release M 10 02 158 Release M 10 03 158 Release M 10 04 159 Release M 10 05 159 Release M 10 06 159 Release M 10 07 160 Release M 10 08 160 Releas...

Page 9: ... Release M 10 21 165 Release M 10 22 165 Release M 10 23 166 Release M 10 24 166 Release M 10 25 166 Release M 10 26 167 Release M 10 27 167 Release M 10 28 168 Release M 10 29 168 Release M 10 30 169 Release M 10 31 169 Release M 10 32 170 Release M 10 33 170 Release M 10 34 171 Release M 10 35 171 Release M 10 36 172 Release M 10 37 172 Release M 10 38 172 Release M 10 39 173 Release M 10 40 173...

Page 10: ...175 Release M 10 46 175 Release M 10 47 175 Release M 10 48 176 Release M 10 49 176 Release M 10 50 through M 10 64 177 Release M 10 65 177 Release M 10 66 178 Release M 10 67 179 Release M 10 68 180 Release M 10 69 180 Release M 10 70 181 Release M 10 71 183 Release M 10 72 183 ...

Page 11: ...y ProCurve Sign In After registering and entering the portal click on My Manuals Downloading Software to the Switch ProCurve Networking periodically provides switch software updates through the ProCurve Networking Web site www procurve com After you acquire the new software file you can use one of the following methods for downloading it to the switch For a TFTP transfer from a server do either of...

Page 12: ...t to the switch For a TFTP transfer from a server do either of the following Click on Download OS in the Main Menu of the switch s menu interface and use the default TFTP option Use the copy tftp command in the switch s CLI see below For an Xmodem transfer from a PC or Unix workstation do either of the following Click on Download OS in the Main Menu of the switch s menu interface and select the Xm...

Page 13: ...ready to reboot to activate the downloaded software Figure 1 Message Indicating the Switch Is Ready To Activate the Downloaded Software 3 Reboot the switch After the switch reboots it displays the CLI or Main Menu depending on the Logon Default setting last configured in the menu s Switch Setup screen Xmodem Download From a PC or Unix Workstation This procedure assumes that The switch is connected...

Page 14: ... the write memory command Alternatively you can logout of the switch and change your terminal emulator speed and allow the switch to AutoDetect your new higher baud rate i e 115200 bps 2 Execute the following command in the CLI 3 Execute the terminal emulator commands to begin the Xmodem transfer For example using HyperTerminal a Click on Transfer then Send File b Type the file path and name in th...

Page 15: ...onfiguration as the permanent configuration When the switch reboots for any reason an exact copy of the current startup config file becomes the new running config file in volatile memory When you use the CLI to make a configuration change the switch places the change in the running config file If you want to preserve the change across reboots you must save the change to the startup config file Oth...

Page 16: ... flash ip address of tftp server M_10_17 swi The Primary OS Image will be deleted continue y n y Validating and Writing System Software to FLASH ProCurve3400cl config reload Device will be rebooted do you want to continue y n y Rebooting the System Then reconnect and run the show flash command ProCurve3400cl show flas Image Size Bytes Date Version Primary Image 3576793 09 26 06 M 10 17 Secondary I...

Page 17: ...212zl and Switch 6600 Series 6600 24G 6600 24G 4XG 6600 24XG L Switch 4200vl Series 4204vl 4208vl 4202vl 72 and 4202vl 48G M Switch 3400cl Series 3400 24G and 3400 48G M 08 51 though M 08 97 or M 10 01 and greater Series 6400cl 6400cl 6XG CX4 and 6410cl 6XG X2 M 08 51 though M 08 95 or M 08 99 to M 08 100 and greater N Switch 2810 Series 2810 24G and 2810 48G PA PB Switch 1800 Series Switch 1800 8...

Page 18: ...witch and Router Software Keys numeric Switch 9408sl Switch 9300 Series 9304M 9308M and 9315M Switch 6208M SX and Switch 6308M SX Uses software version number only no alphabetic prefix For example 07 6 04 Software Letter ProCurve Networking Products ...

Page 19: ...Virtual Machines ProCurve Device Minimum Supported Software Version J8434A ProCurve 10 GbE Copper Module M 08 54 J8435A ProCurve 10 GbE Media Flex Module M 08 54 J8436A ProCurve 10 GbE X2 SC SR Optic M 08 51 J8437A ProCurve 10 GbE X2 SC LR Optic M 08 54 J8438A ProCurve 10 GbE X2 SC ER Optic M 08 75 J8439A ProCurve 10 GbE CX4 Media Converter M 08 54 J8440A ProCurve 10 GbE X2 CX4 Transceiver M 08 54...

Page 20: ...access security features and applications For information on specific features refer to the software manuals provided for your switch model Caution In its default configuration the switch is open to unauthorized access of various types ProCurve recommends that you review this section to help ensure that you recognize the potential for unauthorized switch and network access and are aware of the fea...

Page 21: ...ides Telnet like connections through encrypted and authenticated transactions SSLv3 TLSv1 provides remote web browser access to the switch via encrypted paths between the switch and management station clients capable of SSL TLS operation For information on SSH and SSL TLS refer to the chapters on these topics in the Advanced Traffic Management Guide for your switch Also access security on the swit...

Page 22: ...ccess or no access co existing with SNMPv1 and v2c if necessary For more on SNMPV3 refer to the next subsection and to the chapter titled Configuring for Network Management Applications in the Management and Configuration Guide for your switch SNMP Access to the Switch s Authentication Configuration MIB A management station running an SNMP networked device management application such as ProCurve M...

Page 23: ...tions in the Management and Configuration Guide for your switch Physical Access to the Switch Physical access to the switch allows the following use of the console serial port CLI and Menu interface for viewing and changing the current configuration and for reading status statistics and log messages use of the switch s Clear and Reset buttons for these actions clearing removing local password prot...

Page 24: ... your switch RADIUS Authentication For each authorizedclient RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port CLI and Menu interface Telnet SSH and Secure FTP Secure Copy SFTP SCP access methods Refer to the chapter titled RADIUS Authentication and Accounting in the Access Security Guide for your switch TACACS Authentication This applicatio...

Page 25: ...dvanced Traffic Management Guide for your switch model Web and MAC Authentication These options are designed for application on the edge of a network to provide port based security measures for protecting private networks and the switch itself from unauthorized access Because neither method requires clients to run any special supplicant software both are suitable for legacy systems and temporary a...

Page 26: ...ure alternative to TFTP for transferring sensitive switch information Refer to the chapter titled Configuring Secure Shell SSH in the Access Security Guide for your switch model For more on SC and SFTP refer to the section titled Using Secure Copy and SFTP in the File Transfers appendixoftheManagement and Configuration Guidefor your switch model Secure Socket Layer SSLv3 TLSv1 This feature include...

Page 27: ...t based or client based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS based user profiles to control client access to network services Included in the general features are the following client based access control supporting up to 32 authenticated clients per port port based access control allowing authentication by a single c...

Page 28: ...ecific VLAN MAC lockout This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address IP lockdown Available on Series 2600 and 2800 switches only this feature enables restric tion of incoming traffic on a port to a specific IP address subnet and denies all other traffic on that port Refer to the chapter titled Configuring and Monitori...

Page 29: ...entity Driven Management IDM IDM is a plug in to ProCurve Manager Plus PCM and uses RADIUS based technologies to create a user centric approach to network access management and network activity tracking and moni toring IDM enables control of access security policy from a central management server with policy enforcement to the network edge and protection against both external and internal threats ...

Page 30: ... a VLAN all frames with jumbo MTU sizes 1523 to 9220 bytes are incremented to Total Rx Errors Non Genuine Mini GBIC Detection and Protection Initiative Non genuine ProCurve Transceivers and Mini GBICs have been offered for sale in the marketplace To protect customer networks from these unsupported products ProCurve switch software includes the capability to detect and disable non genuine transceiv...

Page 31: ...de on VLANs with an IP address IGMP is supported in the HP MIB rather than the standard IGMP MIBs as the latter reduce Group Membership detail in switched environments Using Delayed Group Flush Thisfeature continues tofilterIGMPgroupsfor aspecifiedadditional period of time after IGMP leaves have been sent The delay in flushing the group filter prevents unregistered traffic from being forwarded by ...

Page 32: ...ng Notes On the Series 3400cl switches the delayed group flush feature offers little additional benefit over the IGMP data driven feature which is enabled by default Forced fast leave can be used when there are multiple devices attached to a port General Switch Traffic Security Guideline Where the switch is running multiple security options it implements network traffic security based on the OSI O...

Page 33: ... from the port to the switch fabric and is visible as the average rate of the outbound traffic originating from the rate limited port The most accurate rate limiting is achieved when using standard 64 byte packet sizes Also rate limiting reflects the available percentage of a port s entire inbound bandwidth The rate of inbound flow for traffic of a given priority and the rate of flow from a rate l...

Page 34: ...ough a 10 GbE link in port 26 or 50 it is recommended that you have someone onsite with the switch able to directly communicate with the switch from another port or the console connection The issue may be avoided by enabling the fastboot feature and using the reload command after updating to M 10 17 refer to Install Recommendations for I 08 12 Boot ROM Update on page 6 If the problem persists it m...

Page 35: ...e Source Port Filter user interface described in Chapter 9 Traffic Security Filters in the Access Security Guide for the switch Information on these features is included in the current documentation for the switch available on the web at http www hp com rnd support manuals Release M 08 70 through M 08 72 Enhancements Software fixes only no new enhancements Release M 08 73 Enhancements Release M 08...

Page 36: ...st command includes the port rate in the display The rate displayed is the average for a period of 5 minutes given in bps for 1G ports or in Kbps for 10G ports You can also use the CLI command show interface port utilization to display port rate over a period of 5 minutes Syntax no fastboot Used in the global configuration mode to enable the fastboot option The no version of the command disables f...

Page 37: ...ware versions the show interfaces port list command can be used to display the current link status and the port rate average over a 5 minute period Port rates are shown in bits per second bps for ports up to 1 Gigabit and are shown in kilobits per second Kbps for 10 Gigabit ports Release M 08 80 through M 08 83 Enhancements Software fixes only no new enhancements ProCurve show interface port utili...

Page 38: ... switch Terminology Domain Suffix Includes all labels to the right of the unique host name in a fully qualified domain name assigned to an IP address For example in the fully qualified domain name device53 ever green trees org the domain suffix is evergreen trees org while device53 is the unique host name assigned to a specific IP address Fully Qualified Domain Name The sequence of labels in a dom...

Page 39: ...me of a device in the same domain as the configured domain suffix can reach that device A ping or traceroute command that includes a fully qualified domain name can reach a device in any domain that is available to the configured DNS server Example Suppose the switch is configured with the domain suffix mygroup procurve net and the IP address for an accessible DNS server If an operator wants to us...

Page 40: ...guring and Using DNS Resolution with Ping and Traceroute Commands 1 Determine the following a the IP address for a DNS server operating in a domain in your network b the domain name for an accessible domain in which there are hosts you want to reach with ping and or traceroute commands This is the domain suffix in the fully qualified domain name for a given host operating in the selected domain Re...

Page 41: ... Configuring another IP address for this value replaces the current IP address with the new one The no form of the command replaces the configured IP address with the null setting which disables host name resolution Default null Syntax no ip dns domain name domain name suffix Configures the domain suffix that is automatically appended to the host name entered with the ping or traceroute command Wh...

Page 42: ...ort DNS Resolution Entity Identity DNS Server IP Address 10 28 229 10 Domain Name and Domain Suffix for Hosts in the Domain pubs outdoors com Host Name Assigned to 10 28 229 219 by the DNS Server docservr Fully Qualified Domain Name for the IP address Used By the Document Server 10 28 229 219 docservr pubs outdoors com Switch IP Address 10 28 192 1 Document Server IP Address 10 28 229 219 10 28 19...

Page 43: ...mand displays the current DNS configuration along with other IP configuration information If the switch configuration currently includes a nondefault non null DNS entry it will also appear in the show run command output ProCurve ping docservr 10 28 229 219 is alive time 1 ms ProCurve traceroute docservr traceroute to 10 28 229 219 1 hop min 30 hops max 5 sec timeout 3 probes 1 10 28 192 2 1 ms 0 m...

Page 44: ...r to Figure 3 on page 29 The switch supports one DNS entry that is one DNS serverIPaddress andthe corresponding domain name suffix Switch Initiated DNS packets go out through the VLAN having the best route to the DNS server even if a Management VLAN has been configured The traceroute command output shows only IP addresses The DNS server address must be manually input It is not be automatically det...

Page 45: ... enabled a device with management access to the switch can view the configuration for the authentication features listed above excluding passwords and keys Using SNMP sets a management device can change the authentication configuration including changes to passwords and keys Operator read write access to the authentication MIB is always denied Message Meaning DNS server address not configured The ...

Page 46: ...as described in the next section If you choose to leave SNMP access to the security MIB open the default setting ProCurve recommends that you configure the switch with the SNMP version 3 management and access security feature and disable SNMP version 2c access Refer to Enforcing Switch Security on page 10 Changing and Viewing the SNMP Access Configuration Syntax snmp server mib hpswitchauthmib exc...

Page 47: ...e current Authentication MIB access state is to use the show run command ProCurve config snmp server mib hpswitchauthmib excluded ProCurve config show snmp server SNMP Communities Community Name MIB View Write Access public Manager Unrestricted Trap Receivers Link Change Traps Enabled on Ports All All Send Authentication Traps No No Address Community Events Sent in Trap Excluded MIBs hpSwitchAuthe...

Page 48: ... t configured a custom path cost for the interface The default of this toggle is to use 802 1t values The reason one might set this control to 802 1D would be for better interoperability with legacy 802 1D STP Spanning Tree Protocol bridges To support legacy STP bridges the following commands options have been added to CLI spanning tree legacy path cost Use 802 1D values for default path cost no s...

Page 49: ...transferred performance can be improved and packet loss due to over subscription can be minimized In previous software versions the 3400cl and the 6400cl switches had four QoS queues of equal size Depending on the mix of prioritized and non prioritized traffic this configuration might not always optimize performance and could result in dropped packets when resources were over subscribed Starting w...

Page 50: ...eues of the same size This configuration is the same as was used by software versions prior to M 08 78 one queue Configures one QoS queue By consolidating packet buffer memory line rate flows with no loss of data may be achieved Note This mode has a small queue used exclusively by Priority 7 management and control packets optimized Configures two QoS queues a small queue for Priority 6 and 7 traff...

Page 51: ... 1 optimized Configures two QoS queues a small queue for Priority 6 and 7 traffic and a large queue for all other traffic 2 typical Configures four QoS queues a large queue for Priority 0 and 3 traffic and three other queues for the remaining traffic This is the default configuration on the switch and is used when QoS Pass Through is disabled 3 balanced Configures four QoS queues of the same size ...

Page 52: ...agement VLAN enhancement to the DHCP option 82 feature For more information on DHCP option 82 operation refer to Configuring DHCP Relay in the chapter titled IP Routing Features in the Advanced Traffic Management Guide When the routing switch is used as a DHCP relay agent with Option 82 enabled it inserts a relay agent information option into client originated DHCP packets being forwarded to a DHC...

Page 53: ...switch Requires that a Management VLAN is already configured on the switch If the Management VLAN is multinetted then the primary IP address configured for the Management VLAN is used for the remote ID ip Specifies the IP address of the VLAN on which the client DHCP packet enters the routing switch In the case of a multinetted VLAN the remote ID suboption uses the IP address of the subnet on which...

Page 54: ...outer behavior by default does not allow broadcast forwarding a client s UDP broadcast requests cannot reach a target server on a different subnet unless the router is configured to forward client UDP broadcasts to that server A switch with routing enabled includes optional per VLAN UDP broadcast forwarding that allows up to 256 server and or subnet entries on the switch 16 entries per VLAN If an ...

Page 55: ...ol lists Added new show sFlow commands RADIUS Assigned Access Control Lists ACLs Introducedwithsoftware release M 10 xxonthe 3400clswitches this feature usesRADIUS assigned per port ACLs for Layer 3 filtering of inbound IP traffic from authenticated clients A given RADIUS assigned ACL is identified by a unique username password pair or client MAC address and applies only to traffic from clients th...

Page 56: ...ping to improve system performance Also applying RADIUS assigned ACLs to ports on the network edge is likely to be less complex than using ACLs in the network core to filter unwanted traffic that could have been filtered at the edge This feature enhances network and switch management access security by permitting or denying authenticated client access to specific network resources and to the switc...

Page 57: ... the inbound IP traffic from an authenticated client on the port to which the client is connected Traffic can be routed or switched and includes traffic having a DA on the switch itself Supports static assignments to filter traffic from a connected device and operates in applictions that may or may not include 802 1X or other types of client authentication When the authenticated client session end...

Page 58: ...destination IP address carried in the header and identifies the destination intended by the packet s originator Deny An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL Deny Any Any An abbreviated form of deny in ip from any to any which denies any inbound IP traffic from any source to any destination Extended ACL This type of A...

Page 59: ...ard The part of a mask that indicates the bits in a packet s IP addressing that do not need to match the corresponding bits specified in an ACL See also ACL Mask on page 48 Caution Regarding the Use of Source Routing Source routing is enabled by default on the switch and can be used to override ACLs For this reason if you are using ACLs to enhance network security the recommended action is to use ...

Page 60: ... specifically permitted by the ACL To reverse this default use an explicit permit any as the last ACE in the ACL On a given port RADIUS based ACL filtering occurs only for the inbound traffic from the client whose authentication caused a RADIUS based ACL assignment Inbound traffic from any other source including a second authenticated client on the same port will be denied The Packet filtering Pro...

Page 61: ...rt if a statically configured ACL already exists on a port a RADIUS based ACL cannot be assigned to that port In this case if a client authenticates and the RADIUS server is configured to assign a dynamic ACL to the port for that client the client will then be de authenticated For an inbound packet with a destination IP address of 18 28 156 3 the ACL 1 Compares the packet to this ACE first 2 Since...

Page 62: ...Test the packet against criteria in second ACE Is there a match Test packet against criteria in Nth ACE Is there a match No Yes End Perform action permit or deny 1 If a match is not found with the first ACE in an ACL the switchproceedstothenext ACE and so on 2 If a match with an explicit ACE is subsequently found the packet is either permit ted forwarded or denied dropped depending on the action s...

Page 63: ... 11 101 Packets matching this criterion are forwarded and are not compared to any later ACE in the list Packets not matching this criterion will be compared to the next entry in the list 1 Permits inbound IP traffic from the authenticated client to the destinationaddress11 11 11 42 Packetsmatchingthiscriterion are forwarded and are not compared to any later ACE in the list Packetsnotmatchingthiscr...

Page 64: ...he RADIUS server needed by a client for authentication and ACL assignments is accessible from any switch that authorized clients may use Begin by defining the policies you want an ACL to enforce for a given client or group of clients This includes the type of IP traffic permitted or not permitted from the client s and the areas of the network the client s are authorized or not authorized to use Wh...

Page 65: ...determine whether to permit or deny a packet on a particular port it compares the packet to the criteria specified in the individual Access Control Entries ACEs in the ACL beginning with the first ACE in the list and proceeding sequentially until a match is found When a match is found the switch applies the indicated action permit or deny to the packet This is significant because when a match is f...

Page 66: ...rating Rules for RADIUS Based ACLs ACL Assignments Per Port One RADIUS assigned ACL is allowed per port Port Trunks Excluded RADIUS assigned ACLs cannot be assigned to a port trunk Relating a Client to a RADIUS Based ACL A RADIUS based ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client If the client must...

Page 67: ...any to any 80 permit in tcp from any to any 135 137 146 445 permit in tcp from any to any 135 137 139 141 143 146 445 permit in tcp from any to any 135 146 445Note Internal ACEs 1 1 1 3 6 2 Uses shared internal resources which can affect the per port availability of internal ACEs Refer to the section titled Planning an ACL Application on a Series 3400cl or 6400cl Switch in the chapter titled Acces...

Page 68: ...t A given ACE configuration on a RADIUS server includes the identity of the client to which it applies That is the ACE includes the client username password pair or the client device s MAC address All ACEs configured on a RADIUS server for the same client are interpreted as belonging to the same ACL There is no ACL name or number configured on the RADIUS server Example of Configuring a RADIUS base...

Page 69: ...dentical ACL support for the following a client having a username of mobile011 and a password of run101112 a client having a MAC address of 08 E9 9C 4F 00 19 The ACL in this example must achieve the following permit http TCP port 80 traffic from the client to the device at 10 10 10 101 deny http TCP port 80 traffic from the client to all other devices permit all other traffic from the client to al...

Page 70: ... one of the following destination types A specific IP address A contiguous series of IP address or an entire subnet Any IP address Where the traffic type is either TCP or UDP the ACE can optionally include one or more TCP or UDP port numbers mobile011 Auth Type Local User Password run101112 HP IP FILTER RAW permit in tcp from any to 10 10 10 101 HP IP FILTER RAW deny in tcp from any to any HP IP F...

Page 71: ...rs only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment to Required destination keyword ip addr Specifies a single destination IP address ip addr mask Specifies a series of contiguous destination IP addresses or all destination IP addresses in a subnet The mask is CIDR notation for the number of leftmost bit...

Page 72: ...ns refer to the chapter titled RADIUS Authentication and Accounting in the Access Security Guide for your switch 2 Configure RADIUS network accounting on the switch optional RADIUS network accounting is necessary to retrieve counter information if the cnt counter option described on page 62 is included in any of the ACEs configured on the RADIUS server Syntax aaa accounting network start stop stop...

Page 73: ...d operation refer to the chapter titled Configuring Port Based and Client Based Access Control in the Access Security Guide for your switch MAC Authentication Option Syntax aaa port access mac based port list This command configures MAC authentication on the switch and activates this feature on the specified ports For more on MAC authentication refer to the chapter titled Web and MAC Authenticatio...

Page 74: ... port No RADIUS ACLs applied on this port If a client authenticates but the server does not return a RADIUS based ACL to the client port then the server does not have a valid ACL configured and assigned to that client s authentication credentials ProCurve show access list radius 10 Radius configured Port based ACL for Port 10 Client 001185C6547D deny in tcp from any to 10 15 240 184 23 cnt Packet ...

Page 75: ...fic Management Guide for your switch 0 7 Indicates that the displayed 802 1p priority has been assigned by a RADIUS server to inbound traffic on the indicated port for a currently active authenticated client session This assignment remains active until the session ends Curr Rate Limit Inbound Indicates the status of the current rate limit setting for inbound traffic No override No RADIUS assigned ...

Page 76: ... field ace client mac address port port Notifies of a problem with the protocol field in the indicated ACE of the access list for the indicated client on the indi cated switch port ACE parsing error FROM keyword ace client mac address port port Notifies of a problem with the FROM keyword in the indi cated ACE of the access list for the indicated client on the indicated switch port ACE parsing erro...

Page 77: ...ce client mac address port port Notifies of a problem with the TCP UDP port field in the indicated ACE of the access list for the indicated client on the indicated switch port Port port No RADIUS ACLs applied on this port Appears in response to the CLI show access list radius port command when there is not currently a RADIUS ACL assigned to the port Rule limit per ACL exceeded ace client mac addre...

Page 78: ...ta into datagrams that are forwarded to a central data collector sFlow destination The central data collector that gathers datagrams from sFlow enabled switch ports on the network The data collector decodes the packet headers and other information to present detailed Layer 2 to Layer 7 usage statistics Viewing SFlow Configuration The showsflowagent command displays read only switch agent informati...

Page 79: ...plays the number of seconds remaining before the switch agent will automati cally disable sFlow this is set by the mangement station and decrements with time Max Datagram Size shows the currently set value typically a default value but this can also be set by the management station The show sflow sampling polling command displays information about sFlow sampling and polling on the switch You can s...

Page 80: ...ned intervals Beginning with software release M 10 04 this capability can be used to detect anomalies caused by security attacks or other irregular operations on the switch The following table shows the parameters that can be monitored and the possible security attacks that may trigger an alert Parameter Name Description pkts to closed ports The count of packets per minute sent to closed TCP UDP p...

Page 81: ...tion failures This indicates an attempt has been made to manage the switch with an invalid login or password Also it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch port auth failures min The count of times a client has been unsuccessful logging into the network system delay The response time in seconds of the CPU t...

Page 82: ...en for 1 hour 2 hours 4 hours 8 hours and after that the persisting condition is reported once a day Note that ProCurve switches also have the ability to send event log entries to a syslog server Known Limitations As of release M 10 06 the instrumentation monitor runs once every five minutes The current implementation does not track information such as the port MAC and IP address from which an att...

Page 83: ...orwarding table Default threshold setting when enabled 1000 med learn discards The number of MAC address learn events per minute discarded to help free CPU resources when busy Default threshold setting when enabled 100 med login failures The count of failed CLI login attempts or SNMP management authen tication failures per hour Default threshold setting when enabled 10 med mac address count The nu...

Page 84: ...767 To enable monitoring of learn discards with the default medium threshold value ProCurve config instrumentation monitor learn discards To disable monitoring of learn discards ProCurve config no instrumentation monitor learn discards To enable or disable SNMP trap generation ProCurve config no instrumentation monitor trap Viewing the Current Instrumentation Monitor Configuration The show instrum...

Page 85: ...or information on how to enable disable these services refer to the following command listings For details on each service refer to the latest version of the switch s software documentation available on the ProCurve Networking Web site Port Service 69 TFTP 161 SNMP 520 RIP 1507 Stacking SNMP ProCurve show instrumentation monitor configuration PARAMETER LIMIT mac address count 1000 med ip address c...

Page 86: ...uthorized access If SNMP is disabled both the SNMP port 161 and the stacking port 1507 will remain closed Enabling Disabling RIP To enable disable RIP use the following command Syntax no tftp client server Enables or disables the TFTP client client Enables or disables the TFTP client Default disabled server Enables or disables the TFTP server Default disabled Note Both the tftpcommand withnoargume...

Page 87: ...ion however both stacking and SNMP must be enabled to open the port on the switch If either feature is disabled the port will remain closed Spanning Tree Show Commands The show spanning tree detail command previously displayed 802 1D STP and 802 1w RSTP status and counters for all ports on the switch Beginning with software release M 10 04 this command provides 802 1s MSTP multi instance spanning ...

Page 88: ...g a topology change that occurred on another port that is a TC Detected increment or to propagating a topology change received on another port that is TC Flag Received ProCurve show spanning tree detail Status and Counters RSTP Port s Detailed Information Port 1 Status Up Role Root State Forwarding Priority 128 Path Cost 200000 Root Path Cost 10 Root Bridge ID 1 0001e7 215e00 Designated Bridge ID ...

Page 89: ...anning tree instance inst detail command The show spanning tree port list detail command shows the specified port list MSTP port by port detail The show spanning tree instance inst detail command shows all ports active for a specific instance of MSTP The show spanning tree port list instance inst detail shows the specified port list for the specified instance of MSTP TC ACK Flag Transmitted and TC...

Page 90: ...n UDLD Uni directional Link Detection UDLD monitors a link between two ProCurve switches and blocks the ports on both ends of the link if the link fails at any point between the two devices This feature is particularly useful for detecting failures in fiber links and trunks In the example shown in Figure 20 each ProCurve switch load balances traffic across two ports in a trunk group Without the UD...

Page 91: ...the other end of the link within the keepalive interval the port waits for four more intervals If the port still does not receive a health check packet after waiting for five intervals the port concludes that the link has failed and blocks the UDLD enabled port When a port is blocked by UDLD the event is recorded in the switch log or via an SNMP trap if configured and other port blocking protocols...

Page 92: ...ax no interface port list link keepalive Enables UDLD on a port or range of ports To disable the feature enter the no form of the command Default UDLD disabled Syntax link keepalive interval interval Determines the time interval to send UDLD control packets The interval param eter specifies how often the ports send a UDLD packet You can specify from 10 100 in 100 ms increments where 10 is 1 second...

Page 93: ...t a port waits five seconds to receive a health check reply packet from the port at the other end of the link If the port does not receive a reply the port tries four more times by sending up to four more health check packets If the port still does not receive a reply after the maximum number of retries the port goes down You can change the maximum number of keepalive attempts to a value from 3 10...

Page 94: ...or tagged ports you may receive a warning message if there are any inconsistencies with the port s VLAN configuration see page 87 for potential problems Viewing UDLD Information The following show commands allow you to display UDLD configuration and status via the CLI Syntax show link keepalive Displays all the ports that are enabled for link keepalive Syntax show link keepalive statistics Display...

Page 95: ...System Administrator ProCurve config show link keepalive Total link keepalive enabled ports 4 Keepalive Retries 3 Keepalive Interval 1 sec Port Enabled Physical Keepalive Adjacent UDLD Status Status Switch VLAN 1 Yes up up 00d9d f9b700 200 2 Yes up up 01560 7b1600 untagged 3 Yes down off line 4 Yes up failure 5 No down off line Port 4 is connected but is blocked due to a link keepalive failure Por...

Page 96: ...ics Port 1 Current State up Neighbor MAC Addr 0000a1 b1c1d1 Udld Packets Sent 1000 Neighbor Port 5 Udld Packets Received 1000 State Transitions 2 Port Blocking no Link vlan 1 Port 2 Current State up Neighbor MAC Addr 000102 030405 Udld Packets Sent 500 Neighbor Port 6 Udld Packets Received 450 State Transitions 3 Port Blocking no Link vlan 200 Port 3 Current State off line Neighbor MAC Addr n a Ud...

Page 97: ...port 7 belongs to VLAN 1 and 22 but the user tries to configure UDLD on port 7 to send tagged packets in VLAN 4 the configuration will be accepted The UDLD control packets will be sent tagged in VLAN 4 which may result in the port being blocked by UDLD if the user does not configure VLAN 4 on this port no vlan 22 tagged 20 Possible configuration problem detected on port 18 UDLD VLAN configuration ...

Page 98: ...es To eliminate the need for a topology change when a port s link status changes For example ports that connect to servers and workstations can be configured to remain outside of standard spanning tree operations To protect the network from denial of service attacks with spoofing spanning tree BPDUs by dropping incoming BPDU frames Note BPDU protection imposes a more secure mechanism that implemen...

Page 99: ...elow Figure 23 Example of BPDU Filter Fields in Show Spanning Tree Detail Command ProCurve show spanning tree a9 detail Status and Counters CST Port s Detailed Information Port A1 Status Up BPDU Filtering Yes Errant BPUDUs received 65 MST Region Boundary Yes External Path Cost 200000 External Root Path Cost 420021 Administrative Hello Time Use Global Operational Hello Time 2 AdminEdgePort No OperE...

Page 100: ...s filter state Figure 26 Example of BPDU Filter Status in Show Spanning Tree Configuration Command ProCurve show spanning tree Multiple Spanning Tree MST Information STP Enabled Yes Force Version MSTP operation IST Mapped VLANs 1 7 Protected Ports Filtered Ports A6 A7 Row showing ports with BPDU filters enabled ProCurve config show configuration spanning tree spanning tree A7 bpdu filter spanning ...

Page 101: ...ection When this feature is enabled on a port the switch will disable drop the link of a port that receives a spanning tree BPDU log a message and optionally send an SNMP trap Spanning Tree BPDU Protection The BPDU protection feature is a security enhancement to Spanning Tree Protocol STP operation Itcanbe usedtoprotecttheactive STP topologybydelimiting itslegal boundaries thereby preventing spoof...

Page 102: ...revents the switch from receiving and transmitting BPDU frames on a specific port BPDU Protection Spanning tree configuration mode which disables a port where BPDU frames are received MSTP Multiple Spanning Tree Protocol defined in IEEE 802 1s Each MSTI multiple spanning tree instance on a physical port provides loop free connectivity for the group of VLANs associated with that instance This means...

Page 103: ...nds allow you to configure BPDU protection via the CLI For example to configure BPDU protection on ports 1 to 10 enter ProCurve config spanning tree 1 10 bpdu protection When BPDU protection is enabled the following steps are set in process 1 When an STP BPDU packet is received STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on 2 An event message...

Page 104: ...ts 3 7 9 Filtered Ports 10 Prio Designated Hello Port Type Cost rity State Bridge Time PtP Edge 1 100 1000T 200000 128 Forwarding 000883 024500 2 Yes No 2 100 1000T 200000 128 Forwarding 000883 122740 2 Yes No 3 100 1000T 200000 128 BpduError 2 Yes Yes 4 100 1000T Auto 128 Disabled 5 100 1000T 200000 128 Forwarding 2 Yes Yes 6 100 1000T 200000 128 Forwarding 2 Yes Yes 7 100 1000T 200000 128 Forwar...

Page 105: ...ction has been enabled When the switch sends out a loop protocol packet and then receives the same packet on a port that has send disable configured it shuts down the port from which the packet was sent You can configure the disable timer parameter for the amount of time you want the port to remain disabled 0 to 604800 seconds If you configure a value of zero the port will not be re enabled To ena...

Page 106: ...d transmit interval 1 10 Allows you to configure the time in seconds between the transmission of loop protection packets Default 5 seconds Syntax show loop protect port list Displays the loop protection status If no ports are specified the information is displayed only for the ports that have loop protection enabled ProCurve config show loop protect 1 4 Status and Counters Loop Protection Informat...

Page 107: ...Release M 10 25 Enhancements Release M 10 25 includes the following enhancement Enhancement PR_1000385565 CLI The port security MAC address limit per port has been increased from 8 to 32 when learn mode is static or configured However the global limit of static configured MAC addresses per ProCurve Series 3400 switch is 400 Release M 10 26 Enhancements Release M 10 26 includes the following enhanc...

Page 108: ...n destination addresses is flooded on unauthenticated ports configured for web authen tication Prerequisites As implemented in 802 1X authentication the disabling of incoming traffic and transmission of outgoing traffic on a MAC authenticated egress port in an unauthenticated state using the aaa port access controlled directions in command is supported only if The 802 1s Multiple Spanning Tree Pro...

Page 109: ...ections in command you can enable the transmission of Wake on LAN traffic on unauthenticated outbound ports that are configured for any of the following port based security features 802 1X authentication MAC authentication Web authentication Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access the last setting you configure with t...

Page 110: ...31 Enhancements Release M 10 31 includes the following enhancement Enhancement PR_1000372989 This enhancement enables the user to set the oper ator manager username password via SNMP Password Command The password command in the CLI is enhanced to support the following syntax Syntax no password manager operator port access user name name hash type password Where manager configures access to the swi...

Page 111: ...y occurs if qos type of service diff services is also configured Enhancement PR_1000401306 Reload IN AT special enhancement Scheduled Reload Additional parameters have been added to the reload command to allow for a scheduled reboot of the switch via the CLI The scheduled reload feature supports the following capabilities It removes the requirement to physically reboot the switch at inconvenient t...

Page 112: ...a device s MAC address to grant access to the network Web browser interface Authenticates clients for network access using a web page for user login Not e You canuse 802 1X port based or client based authentication andeither Web or MAC authentication at the same time on a port with a maximum of 32 clients allowed on the port The default is one client Web authentication and MAC authentication are m...

Page 113: ... and GVRP learned dynamic VLANs for port access authentication must be enabled If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch the authentication fails To enable the use of a GVRP learned dynamic VLAN as the untagged VLAN used in an authentication session enter the aaa port access gvrp vlans command Enabling the use ...

Page 114: ...s When a switch port is configured with RADIUS based authentication to accept multiple 802 1X and or MAC or Web authentication client sessions all authenticated clients must use the same port based untagged VLAN membership assigned for the earliest currently active client session Therefore on a port where one or more authenticated client sessions are already running all such clients are on the sam...

Page 115: ...emporary VLAN assignment as a change in the active configuration use the show vlan vlan id command as shown in Figure Figure 9 where vlan id is the static or dynamic VLAN used in the authenticated client session Figure 9 Active Configuration for VLAN 22 Temporarily Changes for the 802 1X Session However as shown in Figure Figure 8 because VLAN 33 is configured as untagged on port A2 and because a ...

Page 116: ...ry untagged VLAN membership The static VLAN VLAN 33 that is permanently configured as untagged on the port becomes available again Therefore when the RADIUS authenticated 802 1X session on port A2 ends VLAN 22 access on port A2 also ends and the untagged VLAN 33 access on port A2 is restored as shown in Figure Figure 11 Figure 11 The Active Configuration for VLAN 33 Restores Port A2 After the 802 ...

Page 117: ...tagged dynamic VLAN the dynamic VLAN configuration must exist at the time of authentication and GVRP for port access authentication must be enabled on the switch If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch the authentication fails Syntax aaa port access gvrp vlans Continued 2 After you enable dynamic VLAN assignm...

Page 118: ...AN assignment is handled in an authentication session If you remove the configuration of the static VLAN used to create a temporary client session the 802 1X MAC or Web authenticated client is deauthenticated However if a RADIUS configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation for example if no GVRP advertisements for the VLAN are ...

Page 119: ...affic destined for a VLAN node to be sent to the attacker s MAC address As a result the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending it Another way in which the ARP cache of known IP addresses and assoc...

Page 120: ...net header are dropped When dynamic ARP protection is enabled only ARP request and reply packets with valid IP to MAC address bindings in their packet header are relayed and used to update the ARP cache Dynamic ARP protection is implemented in the following ways on a switch You can configure dynamic ARP protection only from the CLI you cannot configure this feature from the web or menu interfaces ...

Page 121: ... has dynamic ARP protection enabled it will see ARP packets from Host 1 as invalid resulting in a loss of connectivity On the other hand if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted Switch B opens itself to possible ARP poisoning from hosts attached to Switch A Figure 12 Configuring Trusted Ports for Dynamic ARP Protect...

Page 122: ...c IP to MAC addressbindingsin the DHCP binding database The switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection To add the static configuration of an IP to MAC binding for a port to the database enter the ip source binding command at the global configuration level Syntax no arp protect trust port list port list Specifies a port number or a range of port num...

Page 123: ...level You can configure one or more of the validation checks The following example of the arp protect validate command shows how to configure the validation checks for source MAC address and destination AMC address ProCurve config arp protect validate src mac dst mac Syntax no arp protect validate src mac dst mac ip src mac Optional Drops any ARP request or response packet in which the source MAC ...

Page 124: ... failure and IP validation failures enter the show arp protect statistics command Figure 14 Show arp protect statistics Command ARP Protection Information Enabled Vlans 1 4094 Validate dst mac src mac Port Trust B1 Yes B2 Yes B3 No B4 No B5 No ProCurve config show arp protect ProCurve config show arp protect statistics Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad so...

Page 125: ...includes the following enhancement Enhancement PR_1000369492 Update of the MSTP implementation to the latest IEEE P802 1Q REV D5 0 specifications to stay in sync with the protocol evolution For more information on selected configuration options and updated MSTP port parameters see Configuring MSTP Port Connectivity Parameters below ProCurve config debug arp protect 1 ARP request is valid DARPP All...

Page 126: ...for BPDUs for 3 seconds if there are none it begins forwarding packets If admin edge port is enabled for a port the setting for auto edge port is ignored whether set to yes or no If admin edge port is disabled and auto edge port has not been disabled then the auto edge port setting controls the behavior of the port The no spanning tree port list auto edge port command disables auto edge port opera...

Page 127: ...otifications and topology changes to other ports Default No disabled Syntax spanning tree port list hello time path cost point to point mac priority hello time global 1 10 When the switch is the CIST root this parameter specifies the interval in seconds between periodic BPDU transmissions by the designated ports This interval also applies to all ports in all switches downstream from each port in t...

Page 128: ...er to determine the port s to use for forwarding The port with the lowest assigned value has the highest priority While the actual priority range is 0 to 240 this command specifies the priority as a multiplier 0 15 of 16 That is when you specify a priority multiplier of 0 15 the actual priority assigned to the switch is priority multiplier x 16 priority The default priority multiplier value is 8 F...

Page 129: ...forms option for SNMP Default Disabled Syntax no snmp server informs retries retries timeout seconds pending pending Allows you to configure options for SNMP informs requests retries Maximum number of times to resend an informs request Default 3 timeout Number of seconds to wait for an acknowledgement before resending the informs request Default 30 seconds pending Maximum number of informs waiting...

Page 130: ...ion of SNMP being used Note SNMP informs are supported on version 2c or 3 only none all non info critical debug OptionsforsendingswitchEventLogmessagestoatrapreceiver Thelevels specified with these options apply only to Event Log messages and not to threshold traps ProCurve config show snmp server SNMP Communities Community Name MIB View Write Access public Manager Unrestricted Trap Receivers Link...

Page 131: ...s methods Console Either direct serial port connection or modem connection Telnet Inbound Telnet must be enabled the default SSH To use RADIUS for SSH access first configure the switch for SSH operation Web Enables RADIUS authentication for web browser interface access to the switch You can configure radius as the primary password authentication method for the above access methods You also need to...

Page 132: ...ent has unconditional access to the network the Enable Primary and Enable Secondary fields are not applicable N A Syntax aaa authentication port access chap radius eap radius local Configures local chap radius or eap radius as the primary password authentication method for port access The default primary authentication is local none authorized Provides options for secondary authentication The none...

Page 133: ...er Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format multi colon specifies an aa bb cc dd ee ff format no delimiter uppercase specifies an AABBCCDDEEFF format single dash uppercase specifies an AABBCC DDEEFF format multi dash uppercase specifies an AA BB CC DD EE FF format multi colon up...

Page 134: ... the value of Arp Age timer enter the show ip command as shown in Figure 14 Figure 14 Example of show ip Command Displaying Arp Age Syntax no ip arp age 1 1440 infinite Allows the ARP age to be set from 1 to 1440 minutes 24 hours If the option infinite is configured the internal ARP age timeout is set to 99 999 999 seconds approximately 3 2 years An arp age value of 0 zero is stored in the configu...

Page 135: ...ation Editor Created on release K 12 XX hostname 8200LP module 2 type J8702A module 3 type J8702A module 4 type J8702A ip default gateway 15 255 120 1 ip arp age 1000 snmp server community public Unrestricted snmp server host 16 180 1 240 public vlan 1 name DEFAULT_VLAN untagged B1 B24 C1 C24 D1 D24 ip address 15 255 120 85 255 255 248 0 exit gvrp spanning tree ProCurve 12 June 2007 14 45 31 TELNE...

Page 136: ...nt PR_1000428642 SNMP v2c describes two different notification type PDUs traps and informs Prior to this software release only the traps sub type was supported This enhancement adds support for informs Enhancement PR_1000452407 The Dynamic IP Lockdown feature was added for the 3400cl series switches Dynamic IP Lockdown The Dynamic IP Lockdown feature is used to prevent IP source address spoofing o...

Page 137: ...ts The internal lists are dynamically createdfrom knownIP to MAC addressbindings tofilterVLANtrafficonboththe source IP address and source MAC address Differences Between Switch Platforms There are some differences in the feature set and operation of Dynamic IP Lockdown depending on the switch on which it is implemented These are listed below There is no restriction on GVRP on 3500 5400 switches O...

Page 138: ...HCP server to re allocate IP addresses to DHCP clients In this way you repopulate the lease database with current IP to MAC bindings The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown As new IP to MAC address and VLAN bindings are learned a corresponding permit rule is dynamically created and applied to the port preceding the fi...

Page 139: ...t 5 is untrusted dynamic IP lockdown applies the following dynamic VLAN filtering on port 5 Figure 19 Example of Internal Statements used by Dynamic IP Lockdown Note that the deny any statement is applied only to VLANs for which DHCP snooping is enabled The permit any statement is applied only to all other VLANs IP Address MAC Address VLAN ID 10 0 8 5 001122 334455 2 10 0 8 7 001122 334477 2 10 0 ...

Page 140: ...lobal configuration level or the dhcp snooping command at the VLAN configuration level Dynamic IP lockdown is not supported on a trusted port However note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled By default all ports are untrusted To remove the trusted configuration from a port enter the no dhcp snooping trust port list command at the global configurat...

Page 141: ... obtains an IP address from a DHCP server Static bindings are created manually with the CLI or from a downloaded configuration file When dynamic IP lockdown is enabled globally or on ports the bindings associated with the ports are written to hardware This occurs during these events Switch initialization Hot swap A dynamic IP lockdown enabled port is moved to a DHCP snooping enabled VLAN DHCP snoo...

Page 142: ...down Configuration To display the ports on which dynamic IP lockdown is configured enter the show ip source lockdown status command at the global configuration level Syntax no ip source binding vlan id ip address mac address port number vlan id Specifies a valid VLAN ID number to bind with the specified MAC and IP addresses on the port in the DHCP binding database ip address Specifies a valid clie...

Page 143: ...nfigurations of IP to MAC bindings stored in the DHCP lease database enter the show ip source lockdown bindings command An example of the show ip source lockdown bindings command output is shown in Figure 21 Syntax show ip source lockdown bindings port number port number Optional Specifies the port number on which source IP to MAC address and VLAN bindings are configured in the DHCP lease database...

Page 144: ... To send command output to the active CLI session enter the debug destination session command Counters for denied packets are displayed in the debugdynamic ip lockdowncommandoutput Packet counts are updated every five minutes An example of the command output is shown in Figure 22 When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP to MAC address binding ...

Page 145: ...2 1 0 300 packets DIPLD 01 01 90 00 21 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 299 packets DIPLD 01 01 90 00 26 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 31 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 36 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 299 packets DIPLD 01 01 90 00 41 25 denied ip 192 168 2 100 0 ...

Page 146: ...r filename where filename is the name you choose for the pre enhancement configuration file that you are saving Overview The MSTP VLAN configuration enhancement allows you to preconfigure an MSTP regional topology and ensure that the same VLAN ID to MSTI assignments exist on each MSTP switch in the region The defaultbehavior ofthe spanning treeinstancevlan command changes so that before a static V...

Page 147: ... GVRP VLANs can be mapped to MSTIs and support MSTP load balancing Enabling MSTP on the Switch If you have not enabled MSTP on the switch you must enable it to use this feature To enable MSTP perform these steps 1 Enter the command to enable MSTP ProCurve config spanning tree protocol version mstp You will see this message STP version was changed To activate the change you must save the configurat...

Page 148: ...he VLANs are included in the instance whether they exist or not Syntax no spanning tree instance 1 16 vlan vid vid vid no spanning tree instance 1 16 Configuring MSTP on the switch automatically configures the IST instance and places all statically and dynamically configured VLANs on the switch into the IST instance This command creates a new MST instance MSTI and moves the VLANs you specify from ...

Page 149: ... dynamically configured VLANs on the switch into the IST instance The spanning tree instance vlan command creates a new MST instance and moves the VLANs you specify from the IST to the MSTI You must map a least one VLAN ID to an MSTI when you create it You cannot map a VLAN ID to more than one instance You can create up to 16 MSTIs in a region The no form of the spanning tree instance vlan command...

Page 150: ...switches remain in the same region by mapping all VLAN IDs used in the region to the same MSTIs on each regional switch Whenyouupdateswitchsoftware theexistingMSTPtopologyconfigurationisautomatically saved All existing VLAN ID to MSTI assignments are maintained on a switch for uninter rupted MSTP network operation Release M 10 66 Enhancements Release M 10 66 includes the following enhancement Enha...

Page 151: ...dr control descr text_string no logging ip addr control descr An optional user friendly description that can be associated with a server IP address If no description is entered this is blank If text_string contains white space use quotes around the string IPv4 addresses only Use the no form of the command to remove the description Limit 255 characters Note To remove the description using SNMP set ...

Page 152: ...rve series 2600 2800 3400cl 6400cl switches do not support the following SNMP objects hpicfSyslogPrioritySeverity hpicfSyslogSystemModule Operating Notes Duplicate IP addresses are not stored in the list of syslog servers If the default severity value is in effect all messages that have severities greater than the defaultvalue arepassedtosyslog Forexample if thedefaultseverityis debug allmessages ...

Page 153: ...LACP and link traps on multiple ports at one time The new commands operate in the same manner as the CLI commands no int all lacp and no snmp server enable traps link change all The new SNMP OIDs are hpSwitchLACPConfig OBJECT IDENTIFIER hpSwitchConfig 28 hpSwitchLACPAllPortsStatus OBJECT TYPE SYNTAX INTEGER disabled 1 active 2 passive 3 ACCESS read write STATUS mandatory DESCRIPTION Used to set ad...

Page 154: ...hanced to be consistent with other platforms Release M 10 70 Enhancements Software fixes only no new enhancements Release M 10 71 Enhancements Release M 10 71 includes the following enhancement Not a public release Enhancement PR_0000011636 This enhancement adds the client s IP address to the RADIUS accounting packets sent to the RADIUS server by the switch The IP address of the client is included...

Page 155: ...to fully support LR and CX4 transceivers installed in the optional cl Module J8434A and J8435A Release M 08 55 Release M 08 60 Releases M 08 55 through M 08 60 were never built Release M 08 61 Problems Resolved in Release M 08 61 802 1s PR_1000207608 After the root bridge is agreed the non root switch continues to send out BPDUs claiming to be Root resulting in possible instability in the STP topo...

Page 156: ...ssage similar to Bus error HW Addr 0x594f5531 IP 0x004ff8a8 Task mftTask Task ID 0x126eba0 fp 0x00000000 sp 0x0126e7d0 lr 0x001e655c IP Addmgr PR_1000200338 CPU based protocol stops working The memory corrup tion of text caused many tasks to hang or be SUSPENDED since the switch is trying to execute invalid instructions MIB PR_1000206519 The RFC 3636 MIB implemented is not correct pre release Open...

Page 157: ...3984 When the limit is reached the warning message is displayed Number of configured addresses on port xx exceeds address limit The address is saved and displayed in the address list of Show Port security xx Data from the added address is passed by the switch Release M 08 63 Problems Resolved in Release M 08 63 Not a general release Crash PR_1000205768 A null System Name in the Web user interface ...

Page 158: ...Optic J8436A transceiver fails self test on boot up when installed in slot B 8 Release M 08 67 Problems Resolved in Release M 08 67 Not a general release Authentication PR_1000217338 Inconsistent authentication results with EAP TLS and EAP PEAP authorization types Config PR_1000207697 Loading a startup configuration file fails when attempting to declare a VLAN in the configuration file as a manage...

Page 159: ... 1X configured with a message similar to Crash aaa8021x_init dereferencing a null pointer writing to low memory CLI PR1000202435 show config does not show IGMP fast leave configuration Config PR_94943 Setup Screen allows Proxy ARP configuration when IP routing is disabled Config PR1000216051 Copying a previously saved startup configuration with stack join mac address to a member switch of the IP s...

Page 160: ... does not work correctly on Gigabit second and 10 Gigabit second ports Mesh PR_1000218463 If a mesh link goes down and a redundant xSTP link external to the mesh goes into a forwarding state connectivity across the mesh may be lost for a previously learned MAC address MIB PR_1000236875 The switch is reporting etherType size errors as part of ifInDiscards but the packets are not really dropped Pack...

Page 161: ... 0x137c980 cr 0x22242040 sp 0x0137bef8 xer 0x00000000 Flow Control PR_1000241296 Switch was unable to support flow control between any ingress and any egress ports SNMP PR_1000003378 SNMP switch time may drift with event log updates occurring every 1 5 hours Web UI PR_1000211978 On a Stack Management Commander when using stack access to view members the screen does not display correct information ...

Page 162: ...te including Port cos rate limiting ingress or ACLs is configured with a non vendor specific attribute only the first vendor specific attribute may be recognized by the switch TCP PR_1000246186 Switch is susceptible to VU 498440 VLAN PR_1000214406 When trying to delete a VLAN created as a management VLAN the switch fails to remove the management VLAN statement from the running configuration file W...

Page 163: ...or ports on CLI New command show interface port utilization not available on Menu nor Web Interface Release M 08 80 Problems Resolved in Release M 08 80 Never released RSTP PR_1000297195 The switch repeatedly flushes its MAC address table resulting in intermittent flooding of all traffic Release M 08 81 Problems Resolved in Release M 08 81 Not a general release XRRP PR_1000291250 When a XRRP route...

Page 164: ...ot be set using setup menu pre release Release M 08 84 Problems Resolved in Release M 08 84 Never released CLI Enhancement PR_1000306695 Added show tech transceivers to display Serial Number information for installed mGBIC and 10Gig X2 transceivers Allows removable transceiver serial numbers to be read without removal of the transceivers from the switch Release M 08 85 Problems Resolved in Release...

Page 165: ...problems after RSTP is disabled Release M 08 88 Problems Resolved in Release M 08 88 Not a general release CLI PR_1000310849 Under a heavy load where packets received on a 10 Gigabit port are dropped the RX drop counter values decrease when they should increase LLDP PR_1000310666 The command show LLDP does not display information learned from CDPv2 packets SNMP Traps PR_1000285195 Switch does not ...

Page 166: ...0 Stack Frame 0x0c8c1a70 HW Addr 0x6a73616c IP 0x007d3bc0 Task mSess1 Task ID 0xc8c2920 fp 0x6b61736a sp 0x0c8c1b30 lr 0x007d3b28 MSTP Enhancement PR_1000310463 Implemented new CLI command spanning tree legacy path cost See MSTP Default Path Cost Controls on page 38 for details Release M 08 91 Problems Resolved in Release M 08 91 Never released MSTP Enhancement PR_1000313986 ImplementednewCLIcomma...

Page 167: ...roadcast forwarding Menu PR_1000318531 When using the Menu interface the Switch hostname may be displayed incorrectly Release M 08 95 Problems Resolved in Release M 08 95 Not a general release STP RSTP MSTP PR_1000300623 In some cases STP RSTP MSTP may allow a loop resulting in a broadcast storm Release M 08 96 Problems Resolved in Release M 08 96 Never released Counters PR_1000321097 Drop counter...

Page 168: ...ACL PR_1000323675 The Switch may crash with a message similar to ASSERT Software exception at aaa8021x_proto c 501 in m8021xCtrl ICMP PR_1000235905 Switch does not send a destination unreachable response message when trying to access an invalid UDP port SNMPv3 PR_1000325021 Under some conditions SNMPv3 lines are not written to the running configuration file Release M 10 02 Problems Resolved in Rel...

Page 169: ...w Commands on page 77 for details Release M 10 05 Problems Resolved in Release M 10 05 Not a general release Enhancement PR_1000311510 Ping conformance as defined in RFC 2925 SSHv2 PR_1000320822 The Switch does not generate SSHv2 keys and may crash with a message similar to TLB Miss Virtual Addr 0x00000000 IP 0x80593a30 Task swInitTask Task ID 0x821ae330 fp 0x00000000 sp 0x821adfb8 ra 0x800803f0 s...

Page 170: ...test mode command causes switch to crash with a message similar to Software exception at parser c 7898 in mSess1 task ID 0x16726c0 ASSERT failed Support This is a test mode command Enhancement PR_1000340595 Added support for PIM Dense Mode For details refer to Chapter 5 PIM DM Dense Mode on the 5300xl Switches in the Advanced Traffic Management Guide for the ProCurve Series 6400cl 5300xl 4200vl 34...

Page 171: ...ogramming or chassis could be faulty Use a PC as the console and perform the update procedure from the backup floppy diskette If unsuccessful w downloading then try replacing chassis CLI PR_1000334494 In the show vlans command the VLAN ID field is blank Enhancement PR_1000336169 Added support for STP Per Port BPDU Filtering and SNMP Traps See Spanning Tree Per Port BPDU Filtering on page 88 for de...

Page 172: ...c 1018 Support this fix is QA only Crash PR_1000348454 Crash when a loop is formed on the network with error message NMI event SW IP 0x002030b4 MSR 0x0000b032 LR 0x002030d4 Task mMst pCtrl Task ID 0x60d6060cr 0x48000040 sp 0x060d5cc8xer 0x00000000 Crash PR_1000350363 Switch crashes when pinging any other HP switch that is being rebooted with the following message Software exception at cli_oper_act...

Page 173: ...lved in Release M 10 15 CLI PR_1000358129 CLI hangs after running RMON traps code Crash PR_1000351410 Bus error when pinging switch IP from local serial console PPC Bus Error exception vector 0x300 Stack frame 0x067d40e8 HW Addr 0x33cc33d2 IP 0x0056a8f8 Task tNetTask Task ID 0x67d4278 fp 0x00000014 sp 0x067d41a8 lr Crash PR_1000352177 Switch crash when pinging an unreachable host repeatedly with a...

Page 174: ...similar to the following Software exception at buffers c 2238 in mPpmgrCtrl task ID 0x6351358 ASSERT failed Enhancement PR_1000346164 RSTP MSTP BPDU Protection enhancement See Spanning Tree BPDU Protection on page 91 for details Release M 10 18 Release M 10 19 Releases M 10 18 and M 10 19 were never built Release M 10 20 Problems Resolved in Release M 10 20 10 GbE no PR Resolution for failure to i...

Page 175: ...ith IGMP enabled may cause the switch to crash with a message similar to Software exception at sw_sem c 112 in swInitTask task ID 0x836b2c40 semTake NULL semaphore ip_igmp_init c 1304 Web UI PR_1000373711 Attempting to access the WebUI of a stack member without being logged on as Manager returns a 404 Page Not Found error XRRP PR_1000368594 When XRRP infinite failback is enabled the switch fails t...

Page 176: ...e toaconfiguredsyslogserver is not disabled when a specific event log message has been disabled via MIB Release M 10 24 Problems Resolved in Release M 10 24 Never released CLI PR_1000364628 The command output from show ip rip peer yields an improperly formatted peer IP address Enhancement PR_1000335860 This enhancement provides a configuration option for the source IP address field of SNMP respons...

Page 177: ...that isn t linked may cause the switch to crash with a message similar to Divide by Zero Error IP 0x8017becc Task mSess1 Task ID 0x834b19d0 fp 0x00000018 sp 0x834b0d20 ra 0x8017be18 sr 0x1000fc01 Division by 0 Crash at cli_opershow_action c 1298 CLI PR_1000380660 The show tech transceivers CLI command displays the wrong message when inserting an A version transceiver into a switch that only suppor...

Page 178: ...leased CLI Config PR_1000375830 When using the no VLAN command the user is asked if they want to remove the VLAN Answering no will result in the VLAN being removed anyway CLI config PR_1000391119 Copying a configuration file to a switch with a BPDU protection timeout value set may produce an error similar to CCCCCline 10007 1200 Error setting configuration CLI PR_1000390385 The CLI help text for s...

Page 179: ...ngs PR_1000364740 Due to the passage of the Energy Policy Act of 2005 Pub L no 109 58 119 Stat 594 2005 starting in March 2007 daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November CLI PR_1000395256 The loop protect PORT LIST receiver action action command does not enable the ports as it should Release M 10 31 Problems Resolved in Relea...

Page 180: ... comes up for secure ports RX counters PR_1000401065 ACL deny matches on a port cause the Rx Drop counter to increment on software versions M 10 20 or higher RX counters PR_1000401395 Drops Rx ifInDiscards incorrectly increments if a port is blocked by LACP or if the port receives tagged traffic from a VID for which that port is not a member Crash PR_1000392863 The switch may crash when setmib tcp...

Page 181: ...in mAdMgrCtrl task ID 0x65a3370 BCM ASIC call failed Table full DHCP Snooping PR_1000403133 DHCP Snooping stops working after some period of time Release M 10 34 Problems Resolved in Release M 10 34 QoS PR_1000399873 The QoS priority bits are incorrectly set to priority zero on fragmented frames Menu PR_1000392862 The menu will allow invalid values greater than 720 sec to be entered for the SNTP p...

Page 182: ...than minimum skip count the switch returns an error preventing PCM from collecting sampling data Enhancement PR_1000369492 Update of the MSTP implementation to the latest IEEE P802 1Q REV D5 0 specifications to stay in sync with the protocol evolution Release M 10 38 Problems Resolved in Release M 10 38 Not a General Release TFTP PR_1000426821 TFTP transfers do not work when there is no IP address...

Page 183: ...cation page to load CLI PR_1000438486 When using the port access mac based CLI command the client MAC address is sent in lower case as the username to the RADIUS server This fix adds an option so that the MAC address is in uppercase when sent to the RADIUS server This fix adds additional parameters to the CLI command to support this aaa port access mac based addr format Release M 10 41 Problems Re...

Page 184: ... PR_1000452407 The Dynamic IP Lockdown feature was added for the 3400cl series switches For more information see Release M 10 43 Enhancements on page 126 Release M 10 44 Problems Resolved in Release M 10 44 Not a Public Release Loop Protection PR_1000447746 Client based AAA stops any packets with unau thenticated source MAC addresses including BPDU s and loop protect packets creating loops that ca...

Page 185: ...ommand aaa authentication ssh enable public key enter triggers an error Not legal combination of authentication methods but it should be a valid command syntax DIPLD 1000457808 When a user with a DHCP assigned IP address de authenticates and then re authenticates the DIPLD bindings show the port is bound to multiple IP addresses and the switch will accept traffic from both IP addresses Release M 1...

Page 186: ... DST to start the last Sunday in March and DST to end the last Sunday in October SNMP PR_1000715545 Buffered log messages those log messages occurring in the switch s event log prior to an IP address being enabled are not filtered properly at boot up when the switch is configured to send those log messages as traps For example non critical log entries may get sent to trap destinations configured t...

Page 187: ...x80150828 Task mSess1 Task ID 0x85e48550 fp 0x85e47978 sp 0x85e478e0 ra 0x801507cc sr 0x1000fc01 Crash PR_1000464612 Booting from the secondary image or some types of configu ration file manipulation for example use of the CLI command erase start may cause the switch to crash with a message similar to the following Software exception at ConfigTree cc 508 in mChassCtrl Tagged Untagged VLANs PR_1000...

Page 188: ...ntication process to halt Crash PR_0000001756 Some SNMP set commands may cause the switch to crash with a message similar to the following Software exception at bcmHwVlans c 149 in mAdMgrCtrl task ID 0x18636e8 ASIC call failed Entry not found Crash PR_0000002433 A certain sequence of CLI commands may cause the switch to crash with a message similar to the following Software exception at dsnoop_ctr...

Page 189: ...pedandthentheTelnetwindowisclosed the Telnet session may become unresponsive and fail to reset with the kill command issued at the console prompt This may require the switch to be reloaded to become active again GVRP RADIUS PR_0000006051 RADIUS assigned VLANs are not correctly propa gated in GVRP Web Management PR_0000002153 The Web Management interface does not allow configuration of static port ...

Page 190: ...lease M 10 69 Not a Public Release Management PR_0000005902 The switch management may become unresponsive resulting in loss of TELNET Web Management and console access functionality of the switch PCM PR_0000008113 Repeated ProCurve Manager Config Scans may trigger subse quent Config Scan failure SFTP SCP PR_0000008270 Beginning with software version M 10 67 SFTP SCP will not close the client sessi...

Page 191: ...ication of the PC is delayed 802 1X PR_0000010275 For a port that is being authenticated via 802 1X the user fails authentication if the unauth vid value is configured CLI PR_0000010942 The CLI command output for show run does not display aaa port access port when MAC based authentication with mixed port access mode is configured Other show commands may also be affected CLI PR_0000010378 Session t...

Page 192: ...auth vid is configured and the client limit is reached on a switch port a properly credentialed re authentication following an improperly creden tialed authentication attempt for example incorrect password will leave the 802 1x client in the unauthorized VLAN instead of applying the appropriate authorized VLAN SNMP Traps PR_0000007448 1000469020 The switch no longer sends warm cold start SNMP trap...

Page 193: ...n that contains the lines interface all lacp and snmp server enable traps link change all from a TFTP server to the switch may cause an unexpected reboot with a message similar to the following Software exception at cli_xlate c 3692 in mftTask task ID 0x5ee17f0 SNMP PR_0000002764 The SNMP MIB object that allows authenticator functionality on a port to be enabled or disabled hpicfDot1xPaePortAuth c...

Page 194: ...ing clients that require bootP to fail to retrieve their configurations and initialize Authentication PR_0000011138 If the RADIUS server becomes unavailable the eap radius authorized option allows the switch to authenticate devices If the response time of the RADIUS subsystem is greater than the server timeout value on the switch or the device supplicant then switch will not be able to authenticat...

Page 195: ...or authenti cation completion before the client will be authorized on an unauthenticated VLAN If 802 1X is associated with an unauthenticated VLAN when the unauth period is zero Web or MAC auth may not get the opportunity to initiate authentication at all if the first packet from the client is an 802 1X packet Alternatively if the first packet sent was not 802 1X Web or MAC auth could be initiated...

Page 196: ...b or MAC authenticator can have unauthenticated VLAN enabled if 802 1X authenticator is enabled on the same port Please use unauthenticated VLAN for Web or MAC authentication instead Event log message when the configuration is changed mgr Disabled unauthenticated VLAN on port number for the 802 1X Unauthenticated VLAN cannot be simultaneously enabled on both 802 1X and Web or MAC authentication Cr...

Page 197: ... 2004 2009 Hewlett Packard Development Company LP The information contained herein is subject to change without notice October 2009 Manual Part Number 5991 4764 ...

Reviews:

No comments