Meeting Customer Needs for Secure, Mobile, Multi


Technical Training
E.09.xx software update for the ProCurve
5300 series switch products
Dec 2004
© 2004 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
E.09.xx firmware update for the ProCurve 5300 series switch products
New Features
• Connection Rate Filtering (Virus Throttling)
• Multiple 802.1X users per port
• Concurrent 802.1X and MAC Auth or Web Auth
• 802.1X Guest Vlan
• Radius authentication for switch manager login
• UDP directed broadcast forwarding
• 802.1ab Link Layer Discovery Protocol (LLDP)
• Multiple configuration files
The Geek Translation
Connection Rate Filtering
Cold Raw Dead Fish
Connection Rate Filtering
Most anti-virus software works by preventing infection
Works well but occasionally fails
When it fails, the virus can spread very rapidly and cause lots of damage
• Many infected machines
• Clogged networks
Example – SQLSlammer, MSBlaster, SASSER
05:29 Jan 25 '03 – 0 infected
06:00 Jan 25 '03 – 74855 infected
Connection Rate Filtering
What does CRF do to reduce the threat?
• Filter function based on connection rate only
• Does not look inside packets for signatures
• Functions only on routed traffic (NOT on switched traffic)
• Many valid nodes will create false positives
• Must be manually configured
• Must configure Sensitivity and Response
Connection Rate Filtering
Sensitivity

Sensitivity   Max interval between new IP connection   Number of new connections        Penalty period
              requests from same source                without exceeding max interval
Low           0.1 second                               54                               <30 seconds
Medium        1.0 second                               37                               30 - 60 seconds
High          1.0 second                               22                               60 - 90 seconds
Aggressive    1.0 second                               15                               90 - 120 seconds

Example: At medium sensitivity, a host may trigger the filter by issuing 37 new outbound connections in a 36 second period if the gap between any two new connections does not exceed 1 second. When there is a gap that exceeds 1 second, the counter is reset.
Connection Rate Filtering
Response
• notify-only
– Generates event log entry and trap event when sensitivity threshold exceeded
• throttle
– Generates event log and trap and then blocks routing of traffic from offending host for penalty period defined by sensitivity
– After penalty period the function is reset and routing resumes
• block
– Generates event log and trap and then blocks routing of traffic from offending host until manually reset by administrator
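The sensitivity table and the three responses above, worked through as an added example. This is not HP or ProCurve code; it is a simulation written for this transcript. The trigger rule is the one the slide's medium-sensitivity example states: count new connection requests from a host while each gap stays within the max interval, reset the count when a gap exceeds it, and act when the count reaches the table value. The slide gives each penalty period as a range, so the upper bound of the range is used here as an assumption; the host address and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity table from the slides: (max interval between new connection
# requests in seconds, number of new connections that trips the filter,
# penalty period in seconds). The slide gives each penalty as a range; the
# upper bound is used here (assumption made for this example).
SENSITIVITY = {
    "low":        (0.1, 54, 30.0),
    "medium":     (1.0, 37, 60.0),
    "high":       (1.0, 22, 90.0),
    "aggressive": (1.0, 15, 120.0),
}


@dataclass
class HostState:
    count: int = 0                          # new connections without exceeding max interval
    last_ts: Optional[float] = None         # time of the previous new connection request
    blocked_until: Optional[float] = None   # None = routing; inf = blocked until admin reset


class ConnectionRateFilter:
    """Per-host connection counter plus the notify-only / throttle / block responses."""

    def __init__(self, sensitivity, response):
        self.max_gap, self.threshold, self.penalty = SENSITIVITY[sensitivity]
        if response not in ("notify-only", "throttle", "block"):
            raise ValueError(f"unknown response {response!r}")
        self.response = response
        self.hosts = {}
        self.events = []   # (timestamp, host, response): stands in for the log entry and trap

    def new_connection(self, src, ts):
        """Decide 'route' or 'drop' for a new IP connection request from src at time ts."""
        st = self.hosts.setdefault(src, HostState())
        if st.blocked_until is not None:
            if ts < st.blocked_until:
                return "drop"                      # penalty period (or block) still in force
            st.blocked_until = None                # throttle penalty expired: reset, routing resumes
            st.count, st.last_ts = 0, None
        if st.last_ts is not None and ts - st.last_ts > self.max_gap:
            st.count = 0                           # gap exceeded the max interval: counter reset
        st.count += 1
        st.last_ts = ts
        if st.count < self.threshold:
            return "route"
        # Threshold reached: log + trap in every mode, then respond.
        self.events.append((ts, src, self.response))
        st.count, st.last_ts = 0, None
        if self.response == "notify-only":
            return "route"                         # traffic is still routed
        st.blocked_until = ts + self.penalty if self.response == "throttle" else float("inf")
        return "drop"

    def unblock(self, src):
        """Administrator's explicit reset for a host left in the 'block' state."""
        st = self.hosts.get(src)
        if st is not None:
            st.blocked_until = None
            st.count, st.last_ts = 0, None


def simulate(sensitivity, response, src, timestamps):
    """Run one host's connection requests through a fresh filter; return decisions and events."""
    crf = ConnectionRateFilter(sensitivity, response)
    decisions = [crf.new_connection(src, t) for t in timestamps]
    return decisions, crf.events


if __name__ == "__main__":
    # Constructed input: the slide's medium-sensitivity case, 37 new connections
    # exactly one second apart, then two more requests during and after the penalty.
    requests = list(range(37)) + [50, 96]
    decisions, events = simulate("medium", "throttle", "10.1.1.5", requests)
    print(decisions.count("route"), "routed,", decisions.count("drop"), "dropped")
    print("events:", events)
```

The same model reproduces the deployment advice on the following slides: run it in notify-only mode first and the events list shows which hosts would have been throttled without any traffic being dropped.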
Connection Rate Filtering
Typical deployment scenario (not set and forget)
• Deploy in notify-only mode
• Set sensitivity to low
• Monitor the nodes that are triggering
• Determine the characteristic of valid traffic from those nodes
• Increase sensitivity, or create an exception ACL for nodes generating false positives
• Activate throttling or blocking
• Monitor and adjust
Connection Rate Filtering
What to do with nodes generating legitimate traffic that triggers the CRF?
Use of connection-rate ACLs provides the option to apply exceptions to the configured connection-rate filtering policy.
■ A trusted server exhibiting a relatively high IP connection rate due to heavy demand
■ A trusted traffic source on the same port as other, untrusted traffic sources.
Connection Rate Filtering
Basic CLI commands
[no] connection-rate-filter sensitivity < low | medium | high | aggressive >
Global enable/disable and global sensitivity
Reboot the switch after running this command to enable/disable or change CRF sensitivity!
[no] filter connection-rate [eth] port-list <notify-only | throttle | block>
Port based configuration of the response
[no] ip access-list connection-rate-filter name-str
< ignore | filter > ip
< any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask >
< ignore | filter > < udp | tcp >
< any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask >
< source-port | destination-port | all-ports >
ACLs are ONLY required as exceptions to the CRF policy
Connection Rate Filtering
Config Example (slide figure not included in the transcript)
Config example Connection Rate ACL (slide figure not included in the transcript)
Connection Rate Filtering - Summary
CRF is not set and forget
Operates ONLY on routed traffic
Requires a switch reboot after enabling, disabling or changing sensitivity of CRF
Once a host has been blocked, it remains in this state regardless of the port setting – must unblock explicitly
CRF is host based (host is blocked, not port)
Sensitivity is set globally, response is set per port, filtering is host based
Connection Rate Filtering - Benefits
Behavior based
Handles unknown worms
No signature file
Slows or stops routing of suspect traffic
Allows switch to continue to operate during attack
Event log and traps help identify the attacker
Notifies IT and allows time to respond
Connection Rate Filtering lab
• Requires any 5300 switch and one Windows PC with traffic generation tool installed
– Configure routable vlans
– Set various sensitivities and responses
– Generate traffic to be routed
– Observe behavior
Q&A
Connection Rate Filtering
www.hp.com/go/hpprocurve
Multiple 802.1X users per port – Current Situation
- one client per one 802.1X enabled switch port
- protocol uses multicast address
- port based authentication
- successful authentication by a client opens the port for all traffic
- piggy back attack relatively easy
Multiple 802.1X users per port – E.09.xx
- Supports up to 32 802.1X clients per port
- All authenticated clients must use the same UNTAGGED Vlan
- Each instance must be associated with a particular source MAC address
- Associated instance must use only its associated source MAC address as dest address for 802.1X packets (will prevent confusion of other 802.1X clients connected to the same port)
- An 802.1X protocol instance must be able to receive unicast 802.1X packets
- Authentication is client based
- successful authentication by a client opens port to traffic with the authenticator's SA only
Multiple 802.1X users per port – E.09.xx
[no] aaa port-access authenticator < [ethernet] <port-list>
[control | client-limit | quiet-period | tx-period | supplicant-timeout |
server-timeout | max-requests | reauth-period | auth-vid | unauth-vid |
initialize | reauthenticate | clear-statistics | logoff-period]
Default client limit is 1. Need to explicitly enter value >1 to enable multiple authenticated clients per port.
There is no port-based authentication with E.09.xx! All 802.1x authentication in this revision is client based
#show config (no port based show command for client limit)
.
.
aaa port-access authenticator B2
aaa port-access authenticator B2 client-limit 18
aaa port-access authenticator active
.
Multiple 802.1X users per port – E.09.xx
Is this a valid configuration?
With 802.1X authentication on uplink?
What about mixed revisions?
Conclusion?
(Slide diagram: a 5300 running E.09.xx acting as authenticator, connected over an uplink to a 5300 running E.08.xx acting as supplicant)
Do not enable 802.1X authentication on uplinks!
Multiple 802.1X users per port – E.09.xx
Summary
• Prior to E.09.xx, 802.1X was port based
• E.09.xx is client based
• Possible to run into supplicant incompatibilities or cases where implementation relied on port based behavior
• Not appropriate for switch uplink ports
• Maximum of 32 authenticated clients per port
• Default client-limit is 1
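The port-based versus client-based difference summarised above (pre-E.09.xx opens the port for all traffic after one success; E.09.xx admits only the authenticated client's source address, up to client-limit), as an added example. This is not HP or ProCurve code; it is a model written for this transcript. The RADIUS verdict is passed in as a boolean rather than exchanged with a server, and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PortAccess:
    """Frame admission on one 802.1X-protected switch port.

    port_based=True models the pre-E.09.xx behaviour described on the slides:
    one successful authentication opens the port for all traffic.
    port_based=False models E.09.xx client-based authentication: each
    authenticated client is tied to its source MAC, and the port admits only
    frames from those addresses, up to client-limit (default 1, maximum 32).
    """
    port_based: bool = False
    client_limit: int = 1
    authenticated: set = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= self.client_limit <= 32:
            raise ValueError("client-limit must be between 1 and 32")

    def authenticate(self, mac, radius_accept):
        """Record the outcome of a supplicant's EAP exchange (RADIUS verdict passed in)."""
        if not radius_accept:
            return "reject"
        if mac in self.authenticated:
            return "accept"                       # re-authentication of a known client
        if not self.port_based and len(self.authenticated) >= self.client_limit:
            return "limit-reached"                # E.09.xx refuses the extra client
        self.authenticated.add(mac)
        return "accept"

    def admit(self, src_mac):
        """Is a data frame with this source MAC forwarded?"""
        if self.port_based:
            return bool(self.authenticated)       # any frame once one client succeeded
        return src_mac in self.authenticated      # only the authenticated client's SA


def piggybacked(port, frame_sources):
    """Count admitted frames whose source never authenticated on the port.

    A non-zero result is the piggy-back exposure the slides describe for
    port-based mode; client-based mode should always return 0.
    """
    return sum(1 for mac in frame_sources
               if port.admit(mac) and mac not in port.authenticated)


if __name__ == "__main__":
    # Constructed MAC addresses: one legitimate supplicant and one silent device.
    legit, silent = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    for mode in (True, False):
        port = PortAccess(port_based=mode, client_limit=2)
        port.authenticate(legit, True)
        print("port-based" if mode else "client-based",
              "piggybacked frames:", piggybacked(port, [legit, silent, silent]))
```

The model also shows why the default client-limit of 1 matters in E.09.xx: a second supplicant on the same port is refused until the limit is raised, which is the behaviour the "Default client limit is 1" slide warns about.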
Concurrent 802.1X and web or MAC auth
Prior to E.09.xx, 802.1X and Web/MAC auth were mutually exclusive features
E.09.xx allows the simultaneous operation of 802.1X and Web/MAC Auth on the same port
Concurrent 802.1X and Web Auth operation OR concurrent 802.1X and MAC Auth operation. The ability to run all three (802.1X, Web Auth, MAC Auth) concurrently does not exist
Useful for migration where all clients do not have supplicant
Popular example is the Mitel configuration
Total number of clients (802.1x, web auth, MAC auth) must not exceed 32 on a port
Concurrent 802.1X and web or MAC auth

802.1x Port Control State   Web or MAC Auth State   Action
Auto                        Disabled                802.1X performs authentication
Auto                        Enabled                 Hybrid authentication; 802.1X authentication result takes precedence over Web or MAC Auth authentication result
Force Authorized            Disabled                All clients granted access
Force Authorized            Enabled                 Web or MAC auth perform authentication
Force Unauthorized          Don't Care              All clients denied access
Concurrent 802.1X and web or MAC auth and Multiple 802.1X users per port
aaa port-access authenticator <port-list>
[control <authorized | auto | unauthorized>]
[client-limit]
AND
aaa port-access web-based [e] < port-list >
OR
aaa port-access mac-based [e] < port-list >
show config
.
.
aaa port-access authenticator B2
aaa port-access authenticator B2 client-limit 18
aaa port-access authenticator active
aaa port-access mac-based B2
.
.
Concurrent 802.1X and web or MAC auth and Multiple 802.1X users per port
The Competition:
Enterasys has addressed the problem by allowing multiple 802.1X sessions to concurrently run on a port, with client traffic ultimately filtered by authorized client
Enterasys allows concurrency between their 802.1X and Mac authentication features, however not between their 802.1x and Web Auth features.
Extreme Networks allows concurrency between their 802.1X and Web Auth features. They don't have MAC auth feature.
Concurrent MAC/802.1X example
(Slide diagram: a PC configured to use 802.1X authentication and an IP Phone configured to use MAC authentication share one port; Data vlan = 2 (untagged), Voice vlan = 50 (tagged); the 5300 switch running E.09.xx code authenticates the phone with MAC auth and the PC via 802.1X)
802.1X Guest VLAN
In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security
As a result, the port would become blocked and the client could not access the network
This prevented the client from:
■ Acquiring IP addressing from a DHCP server
■ Downloading the 802.1X supplicant software necessary for an authentication session
Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client
802.1X Guest VLAN
The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN
In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process
May want to set up DHCP server and a server that can download 802.1X supplicant on the guest VLAN
Still want to keep the radius server on a protected VLAN
802.1X Guest VLAN
Use Models for 802.1X Open VLAN Modes:
Unauthorized-Client VLAN: Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated
Authorized-Client VLAN: Configure this VLAN for authenticated clients to control the untagged VLAN membership
802.1X Guest VLAN summary
Avoid using authorized client VLAN on ports with client-limit >1 unless all clients can operate on same untagged VLAN
All unauthenticated clients on an unauthorized client VLAN can communicate
With 802.1X authentication enabled:
aaa port-access authenticator <port-list> [auth-vid <vlan-id>]
aaa port-access authenticator <port-list> [unauth-vid <vlan-id>]
Show config
.
.
aaa port-access authenticator B2 auth-vid 123
.
.
Radius authorization for switch mgr login
- Same feature as released in E.08.53
Eliminates login – enable – login again to gain mgr privilege
• "[no] aaa authentication login privilege-mode"
• Visible by "show running-config" and "show authentication" when enabled
• Radius server service-attribute type Administrative (6) is the manager privilege level
• Radius server service-attribute type NAS-prompt (7) is just the operator level
• Applies to attempts to login via serial console, telnet, or ssh
Q&A
802.1X
www.hp.com/go/hpprocurve
UDP Directed Broadcast Forwarding
Routers don’t forward broadcasts generally, however it may be desirable for example for DHCP, SNTP etc
Only applies when routing is enabled
Identifies broadcast packet to be forwarded by UDP port number
Configured on a per-VLAN basis
The UDP forwarder contains a server address table for each configured VLAN. Each server entry contains an IP address and an associated UDP port. A broadcast packet received on the switch will be forwarded based on this configured table
Packet can be unicast forwarded to a specific host, or bcast forwarded to a destination subnet
UDP Directed Broadcast Forwarding
Packet processing
A packet received on the switch will get forwarded if the following conditions are met:
• The received packet is a broadcast packet
• The destination UDP port of the packet is present in the configured server table
• The configured server address is either a unicast or a subnet broadcast address
* DHCP forwarding is enabled by default on the 5300 with E.09.xx, since this was the behavior in previous releases
123
UDP Directed Broadcast Forwarding
[no] ip udp-bcast-forward
  Enables broadcast forwarding on the switch
[no] ip forward-protocol udp <IP-ADDR> <port-num> | <port-name>
  Configures a forwarding address for a specific broadcast type
show ip forward-protocol [vlan <VLAN-ID>]
  Shows the broadcast forwarding configuration
126
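As an added illustration (not ProCurve code) of the packet-processing rules and of the server table that ip forward-protocol udp populates, this Python model decides whether a received packet is handed to the UDP forwarder and whether the target is a unicast host or a subnet broadcast; the VLAN table, subnet and packets are constructed sample data, and the 'not-forwarded' result only means the forwarder leaves the packet alone.

```python
"""Model of the E.09.xx UDP directed-broadcast forwarding decision.
Added illustration, not ProCurve code: the server table stands in for what
'ip forward-protocol udp <IP-ADDR> <port>' configures; all data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    vlan: int        # VLAN the broadcast was received on
    dst_ip: str      # IP destination address of the packet
    udp_dport: int   # UDP destination port

# Constructed server table: VLAN id -> [(server address, UDP port)].
SERVER_TABLE: Dict[int, List[Tuple[str, int]]] = {
    10: [("10.1.1.5", 67),        # DHCP: unicast forward to a server
         ("10.2.2.255", 123)],    # SNTP: broadcast forward to a subnet
}
# Routed subnets the switch knows; used to recognise directed broadcasts.
KNOWN_SUBNETS = [ipaddress.ip_network("10.2.2.0/24")]

def is_broadcast(dst_ip: str) -> bool:
    """True for the limited broadcast or a known subnet's broadcast."""
    addr = ipaddress.ip_address(dst_ip)
    return (addr == ipaddress.ip_address("255.255.255.255")
            or any(addr == n.broadcast_address for n in KNOWN_SUBNETS))

def server_kind(server: str) -> Optional[str]:
    """Classify a configured server address as the slide requires."""
    addr = ipaddress.ip_address(server)
    if any(addr == n.broadcast_address for n in KNOWN_SUBNETS):
        return "subnet-broadcast"
    if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
        return None               # neither unicast nor subnet broadcast
    return "unicast"

def forward_decision(pkt: Packet, table=SERVER_TABLE,
                     routing_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return ('unicast'|'subnet-broadcast', server) or ('not-forwarded', None)."""
    if not routing_enabled or not is_broadcast(pkt.dst_ip):
        return ("not-forwarded", None)
    for server, port in table.get(pkt.vlan, []):
        if port == pkt.udp_dport:
            kind = server_kind(server)
            if kind is not None:
                return (kind, server)
    return ("not-forwarded", None)
```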
802.1ab Link Layer Discovery Protocol (LLDP)
• Standards-based discovery protocol roughly equivalent to the proprietary Cisco Discovery Protocol (CDP)
• 5300xl supports CDPv1 and LLDP with E.09.xx code
• 3400cl is the first ProCurve product to support only LLDP
• LLDP is sent and received
• LLDP can be disabled (default enabled): not sent, not received, info not stored
• ProCurve Manager today queries the CDP MIB via SNMP (later versions (Version 2.0) will read both the CDP and LLDP MIBs)
• 3400cl will NOT be discovered by any other PNB product today
  • It will when LLDP ships on other products (incl. PCM+)
  • Receives CDP packets and uses them to update LLDP information
134
802.1ab Link Layer Discovery Protocol (LLDP) Operating Rules
• Port Trunking: LLDP manages trunked ports individually
• Spanning-Tree Blocking: Spanning tree does not prevent LLDP packet transmission or receipt on STP-blocked links
• 802.1X Blocking: Ports blocked by 802.1X operation do not allow transmission or receipt of LLDP packets
• IP Address Advertisements: In the default operation, if a port belongs to only one static VLAN, the port advertises the lowest-order IP address configured on that VLAN. If a port belongs to multiple VLANs, the port advertises the lowest-order IP address configured on the VLAN with the lowest VID. If the qualifying VLAN does not have an IP address, the port advertises 127.0.0.1 as its IP address
138
802.1ab Link Layer Discovery Protocol (LLDP)
[no] lldp enable <PORT-LIST>
  Configures ports to send/receive LLDP (default: all enabled)
[no] lldp run
  Starts sending and receiving LLDP (default: on)
lldp interval <seconds>
  LLDP transmit interval in seconds (default: 30)
lldp holdtime-multiplier <integer>
  Multiples of the interval to keep an entry valid (default: 4)
lldp clear
  Flushes remote device information
show lldp [<local-device|remote-devices> [<PORT_LIST>] [detail]]
139
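The operating rules and the CLI defaults on the two slides above, as an added Python model that is not ProCurve code: which ports exchange LLDP (802.1X-blocked ports do not, STP-blocked ports still do), which management address a port advertises under the default VLAN rule, and how long a remote entry stays valid from the interval and holdtime-multiplier defaults; the VLAN and port data is constructed.

```python
"""Model of the LLDP operating rules and CLI defaults on the slides above.
Added illustration, not ProCurve code: VLANs and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Vlan:
    vid: int
    ip_addrs: List[str] = field(default_factory=list)

@dataclass
class Port:
    name: str
    vlans: List[int]             # static VLAN memberships
    stp_blocked: bool = False    # spanning tree state of the link
    dot1x_blocked: bool = False  # blocked by 802.1X (unauthenticated)

# Constructed sample configuration.
VLANS: Dict[int, Vlan] = {
    1:  Vlan(1, ["10.0.1.1", "10.0.0.1"]),
    20: Vlan(20, []),             # no IP address on this VLAN
    30: Vlan(30, ["192.168.30.1"]),
}

def lldp_allowed(port: Port, lldp_run: bool = True) -> bool:
    """LLDP is exchanged unless 'no lldp run' or the port is 802.1X-blocked.
    STP blocking deliberately plays no part (LLDP still crosses blocked links)."""
    return lldp_run and not port.dot1x_blocked

def advertised_ip(port: Port, vlans: Dict[int, Vlan] = VLANS) -> str:
    """Management address the port advertises under the default rule."""
    vid = min(port.vlans)         # single VLAN, or the lowest VID of many
    addrs = vlans[vid].ip_addrs
    if not addrs:
        return "127.0.0.1"        # qualifying VLAN has no IP address
    return str(min(ipaddress.ip_address(a) for a in addrs))

def holdtime(interval: int = 30, multiplier: int = 4) -> int:
    """Seconds a remote entry stays valid: interval * holdtime-multiplier."""
    return interval * multiplier
```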
802.1ab Link Layer Discovery Protocol (LLDP)
CDP and LLDP do not interact: they are configured independently, transmit and receive their own packets, and maintain separate neighbor tables
140
Multiple Configuration Files
• Allows storing of three configuration files
• Useful for saving a configuration file for the primary/secondary flash images
• Commands should be familiar, with the addition of "filename":
  # boot [system [flash <primary|secondary>] [config FILENAME]]
  # copy config FILENAME tftp ... (tftp options)
  # copy config FILENAME-1 config FILENAME-2
  # copy tftp config FILENAME ... (tftp options)
  # erase startup-config (no change)
  # erase config FILENAME
  # reload (no change)
  # rename config FILENAME-1 FILENAME-2
  # startup-default [<primary|secondary>] config FILENAME
  # show config files
141
Multiple Configuration Files
[Diagram: reboot command -> primary boot path or secondary boot path -> startup config -> running config]
Prior to E.09.xx, the same startup config would be used regardless of whether you booted from primary or secondary
142
Multiple Configuration Files
[Diagram: reboot command -> primary boot path or secondary boot path -> startup config, chosen from the options File1, File2, file3 -> running config]
With E.09.xx and newer code, it is possible to store multiple config files on the switch and choose which version to use for an image-specific reboot policy:
(# startup-default [<primary|secondary>] config FILENAME)
143
Multiple Configuration Files
HP ProCurve Switch 5304XL(config)# show config files
Configuration files:
id | act pri sec | name
---+-------------+-------------------------------
1  |      *      | E0803
2  |  *          | crf_test
3  |          *  | E0901
The example shows that there is a config file named "E0803" associated with the primary boot path (primary flash), "E0901" associated with the secondary boot path, and "crf_test", which is the active config file.
144
Q&A
www.hp.com/go/hpprocurve