Access Security Guide K/KA/KB.15.15

SNMPv3 security options include:
• Configuring device communities as a means for excluding management access by unauthorized
  stations
• Configuring for access authentication and privacy
• Reporting events to the switch CLI and to SNMP trap receivers
• Restricting non-SNMPv3 agents to either read-only access or no access
• Co-existing with SNMPv1 and v2c if necessary.
SNMP access to the authentication configuration MIB
Beginning with software release K.12.xx, a management station running an SNMP networked
device management application, such as HP PCM+ or HP OpenView, can access the management
information base (MIB) for read access to the switch status and read/write access to the switch's
authentication configuration (hpSwitchAuth). This means that the switch's default configuration now
allows SNMP access to security settings in hpSwitchAuth.
CAUTION: If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network,
then you should implement the following security precautions when downloading and booting from
software release K.12.xx or greater:
• If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is
  not desirable for your network, then immediately after downloading and booting from the
  K.12.xx or greater software for the first time, use the following command to disable this feature:
  snmp-server mib hpswitchauthmib excluded
• If you choose to leave the authentication configuration MIB accessible, then you should do
  the following to help ensure that unauthorized workstations cannot use SNMP tools to access
  the MIB:
  1. Configure SNMP version 3 management and access security on the switch.
  2. Disable SNMP version 2c on the switch.
NOTE: Downloading and booting from the K.12.xx or greater software version for the first time
enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and
other security safeguards are not in place, the switch's authentication configuration MIB is exposed
to unprotected SNMP access and you should use the command shown below to disable this access.
For details on this feature, see “Using SNMP to view and configure switch authentication features”
(page 180).
See “Configuring for Network Management Applications” in the Management and Configuration
Guide for your switch.
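Added example (not part of the HP guide): a Python check over a saved switch configuration that applies the decision described in this section, passing when the hpSwitchAuth MIB is excluded or when SNMPv3 is on and non-SNMPv3 requests are rejected. The only command taken from this page is `snmp-server mib hpswitchauthmib excluded`; the `snmpv3 enable` and `snmpv3 only` lines are assumptions about how those settings appear in the configuration, and the sample configurations are constructed.

```python
import re

# The only command taken from the guide itself.
EXCLUDE_MIB = "snmp-server mib hpswitchauthmib excluded"
# Assumed running-config lines, not shown on this page; confirm for your release.
SNMPV3_ENABLED = "snmpv3 enable"   # SNMPv3 management switched on
SNMPV3_ONLY = "snmpv3 only"        # non-SNMPv3 (v1/v2c) requests rejected

# Constructed sample configurations (not captured from a real switch).
DEFAULT_CFG = """; constructed sample
hostname "edge-sw-01"
snmp-server community "public" unrestricted
"""
EXCLUDED_CFG = DEFAULT_CFG + "snmp-server  mib hpSwitchAuthMIB excluded\n"
V3_ONLY_CFG = DEFAULT_CFG + "snmpv3 enable\nsnmpv3 only\n"
V3_MIXED_CFG = DEFAULT_CFG + "snmpv3 enable\n"


def config_lines(config_text):
    """Normalise a saved config: trim, lowercase, collapse spaces, drop ';' comments."""
    lines = set()
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip().lower())
        if line and not line.startswith(";"):
            lines.add(line)
    return lines


def audit_hpswitchauth(config_text):
    """Return findings for hpSwitchAuth exposure; an empty list means compliant."""
    lines = config_lines(config_text)
    if EXCLUDE_MIB in lines:
        return []  # MIB excluded from SNMP access, nothing else to check
    gaps = []
    if SNMPV3_ENABLED not in lines:
        gaps.append("SNMPv3 management is not enabled")
    if SNMPV3_ONLY not in lines:
        gaps.append("SNMPv1/v2c requests are still accepted")
    if not gaps:
        return []  # MIB left accessible, but both listed safeguards are present
    return ["hpSwitchAuth MIB is accessible over SNMP"] + gaps


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("excluded", EXCLUDED_CFG),
                      ("v3-only", V3_ONLY_CFG), ("v3+v2c", V3_MIXED_CFG)]:
        print(name, audit_hpswitchauth(cfg) or "OK")
```

Run it against configurations exported after an upgrade to K.12.xx or later, since that first boot is when the MIB becomes accessible by default.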
Precedence of security options
This section explains how port-based security options, and client-based attributes used for
authentication, get prioritized on the switch.
Precedence of Port-based security options
Where the switch is running multiple security options, it implements network traffic security based
on the OSI (Open Systems Interconnection model) precedence of the individual options, from the
lowest to the highest. The following list shows the order in which the switch implements configured
security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (applies to all ports on the switch.)