Overview

Information provided here gives an overview of the security features included on your switch. Access Security and Switch Authentication Features outlines the access security and authentication features, while Network Security—Default Settings and Security Guidelines highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.

Before you connect your switch to a network, Hewlett Packard Enterprise strongly recommends that you review the section titled . It outlines potential threats for unauthorized switch and network access, and provides guidelines on how to prepare the switch for secure network operation.

You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch

Applicable switch models

As of June 2010, Traffic/Security filers are available on these current switch models:

Switch model filter availability

Model Source-Port Filters Protocol Filters Multicast Filters
8200zl Switches Yes Yes Yes
8400cl Switches Yes No No
5400zl Switches Yes Yes Yes
4200vl Switches Yes No No
3800 Switches Yes Yes Yes
3500/3500yl Switches Yes Yes Yes
3400cl Switches Yes No No
2800 Switches Yes No No
2510 Switches Yes Yes Yes
2500 Switches Yes Yes Yes
4000m and 8000m Switches Yes Yes Yes

Filter Limits

The switch accepts up to 101 static filters. These limitations apply:

  • Source-port filters: up to 78

  • Multicast filters: up to 16 with 1024 or fewer VLANs configured. Up to 8 with more than 1024 VLANs configured.

  • Protocol filters: up to 7

Using port trunks with filter

The switch manages a port trunk as a single source or destination for sourceport filtering. If you configure a port for filtering before adding it to a port trunk, the port retains the filter configuration, but suspends the filtering action while a member of the trunk. If you want a trunk to perform filtering, first configure the trunk, then configure the trunk for filtering. See Configuring a filter on a port trunk.

Filter types and operation

The following table represents the types of static filters and their selection criteria:

Filter types and criteria

Static Filter Type Selection criteria
Source-port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
Multicast Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports (the default) or dropped on a per-port (destination) basis.
Protocol Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

Source-Port Filters

This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.

Source-port filer application

Source-port filer application

Operating Rules for Source-Port Filters

  • You can configure one source-port filter for each physical port and port trunk on the switch. (See Defining and configuring named source-port filters.)

  • You can include all destination ports and trunks in the switch on a single source-port filter.

  • Each source-port filter includes:

    • One source port or port trunk (trk1, trk2, ...trkn)

    • A set of destination ports and port trunks that includes all untrunked LAN ports and port trunks on the switch

    • An action (forward or drop) for each destination port or port trunk

    When you create a source-port filter, the switch automatically sets the filter to forward traffic from the designated source to all destinations for which you do not specifically configure a “drop” action. Thus, it is not necessary to configure a source-port filter for traffic you want the switch to forward unless the filter was previously configured to drop the desired traffic.

  • When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and subnets exist. Where traffic would normally be allowed between ports and trunks, the switch automatically forwards traffic to the outbound ports and trunks you do not specifically configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name— such as Trk1— instead of by individual port name.)

  • Packets allowed for forwarding by a source-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering.

  • With multiple IP addresses configured on a VLAN, and routing enabled on the switch, a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this case, you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop.

Example

If you wanted to prevent server “A” from receiving traffic sent by workstation “X”, but do not want to prevent any other servers or end nodes from receiving traffic from workstation “X”, you would configure a filter to drop traffic from port 5 to port 7. The resulting filter would drop traffic from port 5 to port 7, but would forward all other traffic from any source port to any destination port. (See Filter blocking traffic only from Port 5 to Server A and Filter for the actions shown in Figure 308.

Filter blocking traffic only from Port 5 to Server A

Name source-port filters

You can specify named source-port filters that may be used on multiple ports and port trunks. A port or port trunk can only have one source-port filter, but by using this capability you can define a source-port filter once and apply it to multiple ports and port trunks. This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below.

Operating rules for named source—port filters

  • A port or port trunk may only have one source-port filter, named or not named.

  • A named source-port filter can be applied to multiple ports or port trunks.

  • Once a named source-port filter is defined, subsequent changes only modify its action, they don’t replace it.

  • To change the named source-port filter used on a port or port trunk, the current filter must first be removed, using the no filter source-port named-filter <filter-name> command.

  • A named source-port filter can only be deleted when it is not applied to any ports.

Static multicast filters

This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports. This helps to preserve bandwidth by reducing multicast traffic on ports where it is unnecessary, and to isolate multicast traffic to enhance security.

You can configure up to 16 static multicast filters (defined by the filter command). However, if an IGMP-controlled filter for a joined multicast group has the same multicast address as a static multicast filter configured on a given port, the IGMP-controlled filter overrides the static multicast filter configured on that port. Note that in the default configuration, IGMP is disabled on VLANs configured in the switch. To enable IGMP on a specific VLAN, use the vlan <vid> ip igmp command. (For more on this command, see “Multimedia Traffic Control with IP Multicast (IGMP)” in the multicast and routing guide for your switch.)

The total of static multicast filters and IGMP multicast filters together can range from 389 to 420, depending on the current max-vlans setting in the switch. If multiple VLANs are configured, then each filter is counted once per VLAN in which it is used

Multicast filter limits

Max-VLANs setting Max # multicast filters (static and IGMP combined)
1 (minimum) 420
8 (default) 413
32 or higher 389

Per-Port IP Multicast Filters

The static multicast filters described in this section filter traffic having a multicast address you specify. To filter all multicast traffic on a per-VLAN basis, see “Configuring and Displaying IGMP” in the multicast and routing guide for your switch.

IP Multicast Filters

Multicast filters are configured using the Ethernet format for the multicast address. IP multicast addresses occur in the range of 224.0.0.0 through 239.255.255.255 (which corresponds to the Ethernet multicast address range of 01005e-000000 through 01005e-7fffff). Any static Traffic/ Security filters configured with a multicast filter type and a multicast address in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range. In this case, IGMP takes over the filtering function for the multicast destination addresses for as long as the IGMP group is active. If the IGMP group subsequently deactivates, the static filter resumes control over traffic to the multicast address.


[CAUTION: ]

CAUTION: If Spanning Tree is enabled, then the MSTP multicast MAC address (0180c2- 000000) should not be filtered. (STP will not operate properly if the MSTP multicast MAC address is filtered.)


Protocol filters

This filter type enables the switch to forward or drop, on the basis of protocol type, traffic to a specific set of destination ports on the switch. Filtered protocol types include:

  • Appletalk

  • ARP

  • IPX

  • NetBEUI

  • SNA

Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs.

You can configure up to seven protocol filters.

Filtering index

The switch automatically assigns each new filter to the lowest-available index (IDX) number. The index numbers are included in the show filter command described in the next section and are used with the show filter <index> command to display detailed information about a specific filter.

If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1 - 3. However, if you then delete the filter using index number “2” and then configure two new filters, the first new filter will receive the index number “2” and the second new filter will receive the index number "4". This is because the index number “2” was made vacant by the earlier deletion, and was therefore the lowest index number available for the next new filter.

CLI Wizard: Operating notes and restrictions

  • Once a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command directly from the CLI.

  • When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level will not appear.

  • The wizard displays the first available SNMPv2 community and allows the user to modify the first community access parameters.

  • The wizard creates a new SNMP community only when no communities have been configured on the switch.

  • The USB Autorun feature is disabled as soon as an operator or manager password is set on the switch. Once a password has been set, the USB autorun option is no longer provided as part of the wizard.