e.09.xx software update for the procurve 5300 series switch products
© 2004 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.
Technical Training
E.09.xx software update for the ProCurve 5300 series switch products
Dec 2004
E.09.xx firmware update for the ProCurve 5300 series switch products: New Features
• Connection Rate Filtering (Virus Throttling)
• Multiple 802.1X users per port
• Concurrent 802.1X and MAC Auth or Web Auth
• 802.1X Guest VLAN
• RADIUS authentication for switch manager login
• UDP directed broadcast forwarding
• 802.1ab Link Layer Discovery Protocol (LLDP)
• Multiple configuration files
The Geek Translation: CRF = "Cold Raw Dead Fish" = Connection Rate Filtering
Connection Rate Filtering
Most anti-virus software works by preventing infection. It works well but occasionally fails, and when it fails the virus can spread very rapidly and cause lots of damage:
• Many infected machines
• Clogged networks
Examples: SQL Slammer, MSBlaster, Sasser
SQL Slammer spread, 25 January 2003:
05:29 Jan 25 '03: 0 infected
06:00 Jan 25 '03: 74855 infected
Connection Rate Filtering: What does CRF do to reduce the threat?
• Filter function based on connection rate only
• Does not look inside packets for signatures
• Functions only on routed traffic (NOT on switched traffic)
• Many valid nodes will create false positives
• Must be manually configured
• Must configure Sensitivity and Response
Connection Rate Filtering: Sensitivity

Sensitivity | Max interval between new IP connection requests from same source | Number of new connections without exceeding max interval | Penalty period
Low        | 0.1 second | 54 | < 30 seconds
Medium     | 1.0 second | 37 | 30 - 60 seconds
High       | 1.0 second | 22 | 60 - 90 seconds
Aggressive | 1.0 second | 15 | 90 - 120 seconds

Example: At medium sensitivity, a host may trigger the filter by issuing 37 new outbound connections in a 36 second period if the gap between any two new connections does not exceed 1 second. When there is a gap that exceeds 1 second, the counter is reset.
Connection Rate Filtering: Response
• notify-only: generates an event log entry and a trap when the sensitivity threshold is exceeded
• throttle: generates an event log entry and a trap, then blocks routing of traffic from the offending host for the penalty period defined by the sensitivity; after the penalty period the function is reset and routing resumes
• block: generates an event log entry and a trap, then blocks routing of traffic from the offending host until manually reset by the administrator
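The sensitivity table and the three responses are easier to reason about as a small simulation. The block below is an added example written for this page, not ProCurve switch code: it applies the slide's thresholds to a stream of routed packets and returns, per packet, whether the switch would route it. Two things it assumes that the page does not state: a "new connection request" is modelled as the first packet a source sends to a destination it has not contacted before, and each penalty period is a single value picked inside the range the slide gives (20 s, 30 s, 60 s, 90 s). Host addresses and the `run_scan` helper are constructed for the demonstration.

```python
"""Model of Connection Rate Filtering (CRF) triggering and response.

Added example, not ProCurve code. A per-source counter of new IP connection
requests resets whenever the gap between two consecutive new requests exceeds
the sensitivity's max interval, and fires the port's configured response once
the count reaches the threshold. Assumptions: a new request is the first packet
to a not-yet-seen destination; penalty values are picked inside the slide ranges.
"""
import math
from dataclasses import dataclass, field

# (max interval between new requests in s, requests that trigger, penalty in s)
SENSITIVITY = {
    "low":        (0.1, 54, 20.0),   # slide: penalty < 30 s   (20 s assumed)
    "medium":     (1.0, 37, 30.0),   # slide: 30 - 60 s        (30 s assumed)
    "high":       (1.0, 22, 60.0),   # slide: 60 - 90 s        (60 s assumed)
    "aggressive": (1.0, 15, 90.0),   # slide: 90 - 120 s       (90 s assumed)
}
RESPONSES = ("notify-only", "throttle", "block")


@dataclass
class HostState:
    seen_dsts: set = field(default_factory=set)  # destinations already contacted
    last_new: float = -1.0                       # time of previous new request
    count: int = 0                               # new requests inside the interval
    blocked_until: float = 0.0                   # throttle expiry; math.inf for block


class ConnectionRateFilter:
    def __init__(self, sensitivity="medium", response="notify-only", ignore_hosts=()):
        if sensitivity not in SENSITIVITY or response not in RESPONSES:
            raise ValueError("unknown sensitivity or response")
        self.interval, self.threshold, self.penalty = SENSITIVITY[sensitivity]
        self.response = response                # per-port: filter connection-rate ...
        self.ignore_hosts = set(ignore_hosts)   # connection-rate ACL "ignore ip host" exceptions
        self.hosts = {}
        self.events = []                        # stands in for the event log entry and trap

    def process(self, t, src, dst):
        """Routed packet from src to dst at time t. Returns True if it is routed."""
        if src in self.ignore_hosts:
            return True                         # exempted by the connection-rate ACL
        st = self.hosts.setdefault(src, HostState())
        if t < st.blocked_until:
            return False                        # inside a throttle penalty, or blocked
        if st.blocked_until:                    # throttle penalty expired: reset, resume
            st.blocked_until, st.count, st.last_new = 0.0, 0, -1.0
        if dst in st.seen_dsts:
            return True                         # existing conversation, not a new request
        st.seen_dsts.add(dst)
        if st.last_new >= 0 and t - st.last_new > self.interval:
            st.count = 0                        # gap exceeded the max interval: counter resets
        st.count += 1
        st.last_new = t
        if st.count < self.threshold:
            return True
        self.events.append((t, src, self.response))   # log entry + trap for every response
        st.count, st.last_new = 0, -1.0
        if self.response == "notify-only":
            return True
        st.blocked_until = math.inf if self.response == "block" else t + self.penalty
        return False

    def unblock(self, src):
        """Administrator's explicit reset; the only way out of a 'block' response."""
        self.hosts.pop(src, None)


def run_scan(crf, src, n, gap, start=0.0):
    """Send n packets from src to n distinct hosts, gap seconds apart (a worm-style
    scan when gap is small). Returns how many packets the filter routed."""
    return sum(crf.process(start + i * gap, src, f"10.1.{i // 256}.{i % 256}")
               for i in range(n))


if __name__ == "__main__":
    crf = ConnectionRateFilter("medium", "throttle", ignore_hosts={"10.0.0.5"})
    print("scanner routed:", run_scan(crf, "10.0.0.9", 40, 0.5), "events:", crf.events)
    print("exempt server routed:", run_scan(crf, "10.0.0.5", 100, 0.1))
```

Running the scan at medium sensitivity with one new destination every half second reproduces the slide's arithmetic: the 37th new request trips the filter, so a throttle response routes 36 packets and then drops everything from that host until the penalty expires, while a host that pauses more than a second between new connections never accumulates a count. The `ignore_hosts` set plays the role of the connection-rate ACL exception for a busy but trusted server.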
Connection Rate Filtering: Typical deployment scenario (not set and forget)
• Deploy in notify-only mode
• Set sensitivity to low
• Monitor the nodes that are triggering
• Determine the characteristic of valid traffic from those nodes
• Increase sensitivity, or create an exception ACL for nodes generating false positives
• Activate throttling or blocking
• Monitor and adjust
Connection Rate Filtering: What to do with nodes generating legitimate traffic that triggers the CRF?
Use of connection-rate ACLs provides the option to apply exceptions to the configured connection-rate filtering policy, for example:
■ A trusted server exhibiting a relatively high IP connection rate due to heavy demand
■ A trusted traffic source on the same port as other, untrusted traffic sources
Connection Rate Filtering: Basic CLI commands

[no] connection-rate-filter sensitivity < low | medium | high | aggressive >
Global enable/disable and global sensitivity.
Reboot the switch after running this command to enable/disable or change CRF sensitivity!

[no] filter connection-rate [eth] port-list < notify-only | throttle | block >
Port based configuration of the response.

[no] ip access-list connection-rate-filter name-str
  < ignore | filter > ip < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask >
  < ignore | filter > < udp | tcp > < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask > < source-port | destination-port | all-ports >
ACLs are ONLY required as exceptions to the CRF policy.
Connection Rate Filtering: Config Example
[Slide shows a screen capture of a CRF configuration; not reproduced in this transcript]
Connection Rate Filtering: Config example, Connection Rate ACL
[Slide shows a screen capture of a connection-rate ACL; not reproduced in this transcript]
Connection Rate Filtering - Summary
• CRF is not set and forget
• Operates ONLY on routed traffic
• Requires a switch reboot after enabling, disabling or changing the sensitivity of CRF
• Once a host has been blocked, it remains in this state regardless of the port setting; it must be unblocked explicitly
• CRF is host based (the host is blocked, not the port)
• Sensitivity is set globally, response is set per port, filtering is host based
Connection Rate Filtering - Benefits
• Behavior based
• Handles unknown worms
• No signature file
• Slows or stops routing of suspect traffic
• Allows the switch to continue to operate during an attack
• Event log and traps help identify the attacker
• Notifies IT and allows time to respond
Connection Rate Filtering lab
• Requires any 5300 switch and one Windows PC with a traffic generation tool installed
  - Configure routable VLANs
  - Set various sensitivities and responses
  - Generate traffic to be routed
  - Observe behavior
www.hp.com/go/hpprocurve
Q&A: Connection Rate Filtering
Multiple 802.1X users per port – Current Situation
- One client per 802.1X enabled switch port
- The protocol sends its frames to a multicast destination address
- Port based authentication
- Successful authentication by a client opens the port for all traffic
- A piggyback attack (a second, unauthenticated device sharing the port, e.g. behind a hub) is relatively easy
Multiple 802.1X users per port – E.09.xx
- Supports up to 32 802.1X clients per port
- All authenticated clients must use the same UNTAGGED VLAN
- Each 802.1X instance on the switch is associated with a particular client source MAC address
- The associated instance sends its 802.1X packets only to that client's MAC address as the destination (unicast rather than the multicast address), which prevents confusing other 802.1X clients connected to the same port
- An 802.1X supplicant instance must therefore be able to receive unicast 802.1X packets
- Authentication is client based
- Successful authentication by a client opens the port only to traffic whose source address is that client's MAC address
Multiple 802.1X users per port – E.09.xx
[no] aaa port-access authenticator < [ethernet] <port-list> [control | client-limit | quiet-period | tx-period | supplicant-timeout | server-timeout | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics | logoff-period] >
Default client limit is 1. A value > 1 must be entered explicitly to enable multiple authenticated clients per port.
There is no port-based authentication with E.09.xx! All 802.1X authentication in this revision is client based.
#show config (there is no port-based show command for the client limit)
..
aaa port-access authenticator B2
aaa port-access authenticator B2 client-limit 18
aaa port-access authenticator active
..
Multiple 802.1X users per port – E.09.xx
[Diagram: two 5300 switches joined by an uplink, one acting as 802.1X supplicant and the other as authenticator; one runs E.08.xx and the other E.09.xx]
Is this a valid configuration? With 802.1X authentication on the uplink? What about mixed revisions? Conclusion?
Do not enable 802.1X authentication on uplinks!
Multiple 802.1X users per port – E.09.xx Summary
• Prior to E.09.xx, 802.1X was port based
• E.09.xx is client based
• Possible to run into supplicant incompatibilities or cases where an implementation relied on port based behavior
• Not appropriate for switch uplink ports
• Maximum of 32 authenticated clients per port
• Default client-limit is 1
Concurrent 802.1X and Web or MAC Auth
• Prior to E.09.xx, 802.1X and Web/MAC Auth were mutually exclusive features
• E.09.xx allows the simultaneous operation of 802.1X and Web/MAC Auth on the same port
• Concurrent 802.1X and Web Auth operation OR concurrent 802.1X and MAC Auth operation. The ability to run all three (802.1X, Web Auth, MAC Auth) concurrently does not exist
• Useful for migration where not all clients have a supplicant
• A popular example is the Mitel configuration (IP phones authenticated by MAC Auth, PCs by 802.1X)
• The total number of clients (802.1X, Web Auth, MAC Auth) must not exceed 32 on a port
Concurrent 802.1X and Web or MAC Auth

802.1X Port Control State | Web or MAC Auth State | Action
Auto               | Disabled   | 802.1X performs authentication
Auto               | Enabled    | Hybrid authentication; the 802.1X authentication result takes precedence over the Web or MAC Auth result
Force Authorized   | Disabled   | All clients granted access
Force Authorized   | Enabled    | Web or MAC Auth performs authentication
Force Unauthorized | Don't care | All clients denied access
Concurrent 802.1X and Web or MAC Auth and Multiple 802.1X users per port
aaa port-access authenticator <port-list> [control <authorized | auto | unauthorized>] [client-limit]
AND
aaa port-access web-based [e] <port-list>
OR
aaa port-access mac-based [e] <port-list>

show config
..
aaa port-access authenticator B2
aaa port-access authenticator B2 client-limit 18
aaa port-access authenticator active
aaa port-access mac-based B2
..
Concurrent 802.1X and Web or MAC Auth and Multiple 802.1X users per port
The Competition: Enterasys has addressed the problem by allowing multiple 802.1X sessions to run concurrently on a port, with client traffic ultimately filtered by authorized client.
Enterasys allows concurrency between their 802.1X and MAC authentication features, however not between their 802.1X and Web Auth features.
Extreme Networks allows concurrency between their 802.1X and Web Auth features. They don't have a MAC Auth feature.
Concurrent MAC/802.1X example
• PC: configured to use 802.1X authentication; data VLAN = 2 (untagged)
• IP Phone: configured to use MAC authentication; voice VLAN = 50 (tagged)
• 5300 switch running E.09.xx code: authenticates the phone with MAC Auth and the PC via 802.1X
802.1X Guest VLAN
In earlier releases, a "friendly" client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security. As a result, the port would become blocked and the client could not access the network. This prevented the client from:
■ Acquiring IP addressing from a DHCP server
■ Downloading the 802.1X supplicant software necessary for an authentication session
Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client.
The 802.1X Open VLAN mode solves this problem by temporarily suspending the port's static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN. In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process.
May want to set up a DHCP server and a server from which the 802.1X supplicant can be downloaded on the guest VLAN.
Still want to keep the RADIUS server on a protected VLAN.
802.1X Guest VLAN: Use Models for 802.1X Open VLAN Modes
• Unauthorized-Client VLAN: configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated
• Authorized-Client VLAN: configure this VLAN for authenticated clients to control the untagged VLAN membership
802.1X Guest VLAN summary
• Avoid using an authorized-client VLAN on ports with client-limit > 1 unless all clients can operate on the same untagged VLAN
• All unauthenticated clients on an unauthorized-client VLAN can communicate with each other and with anything else reachable on that VLAN
With 802.1X authentication enabled:
aaa port-access authenticator <port-list> [auth-vid <vlan-id>]
aaa port-access authenticator <port-list> [unauth-vid <vlan-id>]
show config
..
aaa port-access authenticator B2 auth-vid 123
..
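The 802.1X material above (client-based versus port-based authorization, the port-control / Web-MAC Auth decision table, the per-port client-limit, and auth-vid / unauth-vid placement) describes one port-level decision from several angles. The block below is an added example written for this page, not ProCurve switch code, that models that decision for a single port. It assumes a client with no supplicant is represented by `dot1x=None`, that `other` carries the Web or MAC Auth result, and that the MAC addresses and VLAN numbers are constructed for the demonstration; the PC-plus-IP-phone scenario from the concurrent MAC/802.1X slide is reproduced in the usage below.

```python
"""Model of per-port 802.1X / Web / MAC authentication decisions on an E.09.xx port.

Added example, not ProCurve code. Encodes the port-control table from the slides,
the per-port client-limit, auth-vid / unauth-vid placement (Open VLAN mode), and
the difference between pre-E.09.xx port-based authorization (one authenticated
client opens the port for every MAC, which is what a piggyback attack relies on)
and E.09.xx client-based behaviour (only the authenticated source MAC is forwarded).
Assumption: a client without a supplicant is represented by dot1x=None.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLIENTS = 32   # per-port maximum stated on the slides; default client-limit is 1


@dataclass
class PortAccess:
    control: str = "auto"              # 802.1X port control: auto | authorized | unauthorized
    client_limit: int = 1              # > 1 enables multiple authenticated clients per port
    web_or_mac_auth: bool = False      # aaa port-access web-based / mac-based on this port
    static_vid: int = 1                # port's configured untagged VLAN
    auth_vid: Optional[int] = None     # Authorized-Client VLAN
    unauth_vid: Optional[int] = None   # Unauthorized-Client (guest) VLAN
    client_based: bool = True          # False models pre-E.09.xx port-based behaviour
    authorized: dict = field(default_factory=dict)   # mac -> untagged VLAN in use
    guests: set = field(default_factory=set)         # macs parked on unauth_vid

    def __post_init__(self):
        if not 1 <= self.client_limit <= MAX_CLIENTS:
            raise ValueError("client-limit must be between 1 and %d" % MAX_CLIENTS)

    def decide(self, dot1x=None, other=None):
        """Decision table from the slides. dot1x / other are True (pass), False
        (fail) or None (no result from that method, e.g. no supplicant)."""
        if self.control == "unauthorized":
            return False                               # all clients denied
        if self.control == "authorized":
            return True if not self.web_or_mac_auth else bool(other)
        if not self.web_or_mac_auth:                   # auto, 802.1X only
            return bool(dot1x)
        return bool(dot1x) if dot1x is not None else bool(other)   # hybrid: 802.1X wins

    def admit(self, mac, dot1x=None, other=None):
        """Returns ('authorized', vid), ('unauth-vlan', vid) or ('blocked', None)."""
        mac = mac.lower()
        room = mac in self.authorized or len(self.authorized) < self.client_limit
        if self.decide(dot1x, other) and room:
            vid = self.auth_vid if self.auth_vid is not None else self.static_vid
            self.authorized[mac] = vid
            self.guests.discard(mac)
            return "authorized", vid
        self.authorized.pop(mac, None)                 # failed re-auth loses access
        if self.unauth_vid is not None and self.control != "unauthorized":
            self.guests.add(mac)                       # Open VLAN mode: DHCP, supplicant download
            return "unauth-vlan", self.unauth_vid
        return "blocked", None

    def forwards(self, src_mac):
        """Would a frame with this source MAC be forwarded on the port?"""
        src_mac = src_mac.lower()
        if not self.client_based:
            return bool(self.authorized)               # any authenticated client opened the port
        return src_mac in self.authorized or src_mac in self.guests


if __name__ == "__main__":
    # Port B2 from the slides: 802.1X auto, MAC Auth enabled, client-limit 2, data VLAN 2.
    b2 = PortAccess(control="auto", client_limit=2, web_or_mac_auth=True, static_vid=2)
    print("PC    :", b2.admit("00:11:22:33:44:55", dot1x=True))    # 802.1X
    print("phone :", b2.admit("08:00:0f:aa:bb:cc", other=True))    # MAC Auth
    print("rogue :", b2.admit("de:ad:be:ef:00:01", other=True))    # client-limit reached
    legacy = PortAccess(client_based=False)
    legacy.admit("00:11:22:33:44:55", dot1x=True)
    print("piggyback on port-based port:", legacy.forwards("de:ad:be:ef:00:01"))
```

The two `forwards` calls at the end are the point of the release: on a port-based port a second MAC rides on the first client's authentication, on a client-based port it is dropped. The guest-VLAN branch also shows the caveat from the summary, because every MAC parked on `unauth_vid` is forwarded there without any authentication at all.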
RADIUS authorization for switch manager login
• Same feature as released in E.08.53
• Eliminates login, then enable, then login again to gain manager privilege
• "[no] aaa authentication login privilege-mode"
• Visible in "show running-config" and "show authentication" when enabled
• RADIUS Service-Type attribute value Administrative-User (6) is the manager privilege level
• RADIUS Service-Type attribute value NAS-Prompt-User (7) is just the operator level
• Applies to attempts to log in via serial console, Telnet, or SSH
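What the switch actually consumes with privilege-mode enabled is one attribute of the RADIUS Access-Accept. The block below is an added example written for this page, not ProCurve code: it parses the attribute area of an Access-Accept, maps Service-Type 6 / 7 to manager / operator, and, before trusting anything in the reply, verifies the Response Authenticator with the shared secret (packet layout and authenticator from RFC 2865). Assumptions: the sample packets, shared secret and request authenticator are constructed here, and because the page does not say what the switch does when the attribute is missing or carries another value, the parser returns `None` in that case and leaves the fallback policy to the caller.

```python
"""Parse a RADIUS Access-Accept and derive the switch login privilege level.

Added example, not ProCurve code. With 'aaa authentication login privilege-mode'
the switch reads Service-Type (RADIUS attribute 6): value 6 (Administrative-User)
means manager level, value 7 (NAS-Prompt-User) means operator level. Packet
layout and Response Authenticator are from RFC 2865. Assumption: a missing or
unknown Service-Type yields None here; the real switch's fallback is not on the page.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # Administrative-User -> manager
SERVICE_TYPE_NAS_PROMPT = 7       # NAS-Prompt-User -> operator


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, service_type=None):
    """Constructed sample reply, shaped as a RADIUS server would send it."""
    attrs = b""
    if service_type is not None:
        attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)   # type, len, value
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attrs


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs; rejects bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def privilege_from_access_accept(packet, request_auth, secret):
    """'manager', 'operator', or None. Raises ValueError when the Response
    Authenticator does not verify (forged reply, wrong request, or wrong shared
    secret): a privilege must never be mapped from such a packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    packet = packet[:length]               # octets beyond Length are padding (RFC 2865)
    attrs = packet[20:]
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator check failed")
    if code != ACCESS_ACCEPT:
        return None                        # Access-Reject / Access-Challenge grant nothing
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
            if service_type == SERVICE_TYPE_ADMINISTRATIVE:
                return "manager"
            if service_type == SERVICE_TYPE_NAS_PROMPT:
                return "operator"
    return None


if __name__ == "__main__":
    req, secret = bytes(range(16)), b"s3cret"          # constructed sample values
    reply = build_access_accept(7, req, secret, SERVICE_TYPE_ADMINISTRATIVE)
    print("privilege:", privilege_from_access_accept(reply, req, secret))
```

The authenticator check is the security-relevant step: a reply that is not bound to the switch's own request and shared secret could otherwise be injected by anyone on the management path to obtain manager level, which is exactly the privilege this feature hands out.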
www.hp.com/go/hpprocurve
Q&A: 802.1X
UDP Directed Broadcast Forwarding
• Routers don't forward broadcasts generally; however it may be desirable, for example for DHCP, SNTP etc.
• Only applies when routing is enabled
• Identifies broadcast packets to be forwarded by UDP port number
• Configured on a per-VLAN basis
• The UDP forwarder contains a server address table for each configured VLAN. Each server entry contains an IP address and an associated UDP port. A broadcast packet received on the switch will be forwarded based on this configured table
• A packet can be unicast forwarded to a specific host, or broadcast forwarded to a destination subnet
UDP Directed Broadcast Forwarding: Packet processing
A packet received on the switch will get forwarded if the following conditions are met:
• The received packet is a broadcast packet
• The destination UDP port of the packet is present in the configured server table
• The configured server address is either a unicast or a subnet broadcast address
* DHCP forwarding is enabled by default on the 5300 with E.09.xx since this was the behavior in previous releases
124
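The forwarding decision above, as an added example in Python (it is not ProCurve code): it models the global enable and the three conditions over a constructed per-VLAN server table. The VLAN subnets, server addresses, ports and sample packets are invented for the example; the DHCP default-on exception and the `<port-name>` aliases are not modelled, and the assumption that every table entry matching the port receives its own copy is ours. The classification step is also the check a practitioner wants before enabling the feature: a server address that is a subnet broadcast turns the switch into a directed-broadcast relay, the pattern abused by amplification attacks, so configure only the ports you need and prefer unicast server targets.

```python
"""Model of the E.09.xx UDP broadcast-forwarder decision rules.

Added illustration, not ProCurve code.  VLAN subnets, the server table
and the sample packets are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed topology: the subnet routed on each VLAN (assumption for the example).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.0.0/24"),
    20: ipaddress.ip_network("10.20.0.0/24"),
}


@dataclass(frozen=True)
class ServerEntry:      # one "ip forward-protocol udp <IP-ADDR> <port>" line
    address: str
    port: int


@dataclass(frozen=True)
class Packet:           # the only fields the forwarder looks at
    vlan: int           # VLAN the broadcast was received on
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Forward:
    target: str
    mode: str           # "unicast" or "subnet-broadcast"


def is_broadcast(dst_ip: str, vlan: int) -> bool:
    """Condition 1: limited broadcast, or the receiving VLAN's subnet broadcast."""
    ip = ipaddress.ip_address(dst_ip)
    net = VLAN_SUBNETS.get(vlan)
    return ip == LIMITED_BROADCAST or (net is not None and ip == net.broadcast_address)


def classify_target(address: str) -> Optional[str]:
    """Condition 3: a configured server address must be unicast or a subnet
    broadcast.  Multicast and the limited broadcast are not valid targets."""
    ip = ipaddress.ip_address(address)
    if ip.is_multicast or ip == LIMITED_BROADCAST:
        return None
    if any(ip == net.broadcast_address for net in VLAN_SUBNETS.values()):
        return "subnet-broadcast"   # directed broadcast: amplification risk
    return "unicast"


def forward(pkt: Packet, table: dict[int, list[ServerEntry]],
            routing_enabled: bool = True,
            udp_bcast_forward: bool = True) -> list[Forward]:
    """Return the copies the forwarder would emit for one received packet.
    Assumption: every matching entry on the receiving VLAN gets a copy."""
    if not (routing_enabled and udp_bcast_forward):   # "ip udp-bcast-forward"
        return []
    if not is_broadcast(pkt.dst_ip, pkt.vlan):
        return []
    out = []
    for entry in table.get(pkt.vlan, []):             # per-VLAN server table
        if entry.port != pkt.dst_port:                # condition 2
            continue
        mode = classify_target(entry.address)
        if mode is not None:
            out.append(Forward(entry.address, mode))
    return out


# Constructed configuration: VLAN 10 relays SNTP (123) to one host and
# NetBIOS name service (137) to the whole VLAN 20 subnet; the multicast
# entry is rejected by classify_target().
TABLE = {
    10: [ServerEntry("10.20.0.5", 123),
         ServerEntry("10.20.0.255", 137),
         ServerEntry("224.0.0.1", 137)],
}

if __name__ == "__main__":
    for p in (Packet(10, "255.255.255.255", 123),
              Packet(10, "10.10.0.255", 137),
              Packet(10, "10.10.0.7", 123),          # unicast: never forwarded
              Packet(20, "255.255.255.255", 123)):   # no table for VLAN 20
        print(p, "->", forward(p, TABLE))
```

Run it as a script to see which constructed packets produce a copy and in which mode; the `show ip forward-protocol` output on a real switch is the table this model stands in for.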
UDP Directed Broadcast Forwarding
[no] ip udp-bcast-forward
Enables broadcast forwarding on the switch
[no] ip forward-protocol udp <IP-ADDR> <port-num> | <port-name>
Configures a forwarding address for a specific broadcast type (UDP port)
show ip forward-protocol [vlan <VLAN-ID>]
Shows the broadcast forwarding configuration
127
802.1ab Link Layer Discovery Protocol (LLDP)
128
802.1ab Link Layer Discovery Protocol (LLDP)
• Standards-based discovery protocol roughly equivalent to the proprietary Cisco Discovery Protocol (CDP)
• 5300xl supports CDPv1 and LLDP with E.09.xx code
• 3400cl is the first ProCurve product to support only LLDP
• LLDP is sent and received
• LLDP can be disabled (default enabled): not sent, not received, information not stored
• ProCurve Manager today queries the CDP MIB via SNMP (later versions, from version 2.0, will read both the CDP and LLDP MIBs)
• 3400cl will NOT be discovered by any other PNB product today
  • It will be when LLDP ships on other products (incl. PCM+)
  • Receives CDP packets and uses them to update LLDP information
135
802.1ab Link Layer Discovery Protocol (LLDP)
Operating Rules
• Port Trunking: LLDP manages trunked ports individually
• Spanning-Tree Blocking: Spanning tree does not prevent LLDP packet transmission or receipt on STP-blocked links
• 802.1X Blocking: Ports blocked by 802.1X operation do not allow transmission or receipt of LLDP packets
• IP Address Advertisements: In the default operation, if a port belongs to only one static VLAN, the port advertises the lowest-order IP address configured on that VLAN. If a port belongs to multiple VLANs, the port advertises the lowest-order IP address configured on the VLAN with the lowest VID. If the qualifying VLAN does not have an IP address, the port advertises 127.0.0.1 as its IP address
139
802.1ab Link Layer Discovery Protocol (LLDP)
[no] lldp enable <PORT-LIST>
Configures ports to send/receive LLDP :default all enabled
[no] lldp run
Starts sending and receiving LLDP :default on
lldp interval <seconds>
LLDP transmit interval in seconds :default 30
lldp holdtime-multiplier <integer>
Multiples of the interval to keep an entry valid :default 4
lldp clear
Flushes remote device information
show lldp [<local-device|remote-devices> [<PORT-LIST>] [detail]]
140
802.1ab Link Layer Discovery Protocol (LLDP)
CDP and LLDP do not interact: they are configured independently, transmit and receive their own packets, and maintain separate neighbor tables
141
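What a neighbour actually receives from the LLDP settings and operating rules above, as an added example in Python (it is not ProCurve code): it builds and parses a minimal LLDPDU following the IEEE 802.1AB TLV layout, carries the TTL as interval times holdtime-multiplier (30 x 4 = 120 s with the defaults on the slide), and applies the default IP address advertisement rule, including the 127.0.0.1 case, to fill the Management Address TLV. The chassis MAC, port name and VLAN addresses are constructed. The security point to take from it: everything in the frame is sent unauthenticated to whoever is on the link, and since STP-blocked links still exchange LLDP while 802.1X-blocked ports do not, `no lldp enable` on untrusted edge ports is the control that stops a management address and chassis identity leaking before authentication.

```python
"""Build and parse a minimal LLDPDU (IEEE 802.1AB TLV layout).

Added example, not ProCurve code.  Chassis MAC, port name and the
VLAN address table are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
LLDP_ETHERTYPE = 0x88CC

# TLV types from 802.1AB
END, CHASSIS_ID, PORT_ID, TTL, MGMT_ADDR = 0, 1, 2, 3, 8
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_IFNAME = 5
MGMT_AF_IPV4 = 1           # IANA address family number for IPv4
IFNUM_SUBTYPE_UNKNOWN = 1


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length, big-endian."""
    assert tlv_type < 128 and len(value) < 512
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def advertised_ip(port_vlans: dict[int, list[str]]) -> str:
    """Default rule from the slide: take the lowest VID the port belongs to,
    advertise its lowest-order IP, or 127.0.0.1 if that VLAN has none."""
    vid = min(port_vlans)
    addrs = sorted(ipaddress.IPv4Address(a) for a in port_vlans[vid])
    return str(addrs[0]) if addrs else "127.0.0.1"


def build_lldpdu(chassis_mac: bytes, port_name: str, interval: int,
                 holdtime_multiplier: int, mgmt_ip: str) -> bytes:
    """Chassis ID, Port ID and TTL are mandatory; Management Address is
    optional but is where the advertised IP from the slide travels."""
    ttl = interval * holdtime_multiplier        # what holdtime-multiplier controls
    mgmt = ipaddress.IPv4Address(mgmt_ip).packed
    mgmt_value = (bytes([1 + len(mgmt), MGMT_AF_IPV4]) + mgmt
                  + bytes([IFNUM_SUBTYPE_UNKNOWN]) + struct.pack("!I", 0)
                  + bytes([0]))                 # zero-length OID
    return (tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + tlv(TTL, struct.pack("!H", ttl))
            + tlv(MGMT_ADDR, mgmt_value)
            + tlv(END, b""))


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLVs, stop at End-of-LLDPDU, reject truncated or unterminated input."""
    out, off = {}, 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        value = data[off + 2: off + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated TLV")
        off += 2 + ln
        if t == END:
            return out
        if t == CHASSIS_ID and value and value[0] == CHASSIS_SUBTYPE_MAC:
            out["chassis"] = value[1:].hex(":")
        elif t == PORT_ID and value:
            out["port"] = value[1:].decode(errors="replace")
        elif t == TTL and ln == 2:
            (out["ttl"],) = struct.unpack("!H", value)
        elif t == MGMT_ADDR and ln >= 6:
            if value[1] == MGMT_AF_IPV4 and value[0] == 5:
                out["mgmt_ip"] = str(ipaddress.IPv4Address(value[2:6]))
    raise ValueError("missing End-of-LLDPDU TLV")


if __name__ == "__main__":
    # Constructed port: member of VLAN 1 (two addresses) and VLAN 20 (none).
    ip = advertised_ip({1: ["10.0.0.2", "10.0.0.1"], 20: []})
    pdu = build_lldpdu(bytes.fromhex("0001e6aabbcc"), "A1", 30, 4, ip)
    print(parse_lldpdu(pdu))
```

The parser is deliberately strict about the End TLV and about lengths; a discovery agent that tolerates either is the classic place for a malformed-frame bug, and LLDP frames arrive from anything plugged into the port.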
Multiple Configuration Files
Allows storing of three configuration files
• Useful for saving a configuration file for each of the primary/secondary flash images
• Commands should be familiar, with the addition of "filename"
• # boot [system [flash <primary|secondary>] [config FILENAME]]
• # copy config FILENAME tftp ... (tftp options)
• # copy config FILENAME-1 config FILENAME-2
• # copy tftp config FILENAME ... (tftp options)
• # erase startup-config (no change)
• # erase config FILENAME
• # reload (no change)
• # rename config FILENAME-1 FILENAME-2
• # startup-default [<primary|secondary>] config FILENAME
• # show config files
142
Multiple Configuration Files
[Diagram: reboot command -> primary boot path or secondary boot path -> startup config -> running config]
Prior to E.09.xx, the same startup config would be used regardless of whether you booted from primary or secondary.
143
Multiple Configuration Files
[Diagram: reboot command -> primary boot path or secondary boot path -> startup config options (File1, File2, File3) -> running config]
With E.09.xx and newer code, it is possible to store multiple config files on the switch and choose which version to use for an image-specific reboot policy:
# startup-default [<primary|secondary>] config FILENAME
144
Multiple Configuration Files
HP ProCurve Switch 5304XL(config)# show config files

Configuration files:

 id | act pri sec | name
 ---+-------------+-----------------------------------------
  1 |      *      | E0803
  2 |  *          | crf_test
  3 |          *  | E0901

The example shows a config file named "E0803" associated with the primary boot path (pri flash), "E0901" associated with the secondary boot path, and "crf_test", which is the active config file.
www.hp.com/go/hpprocurve
Q&A