Common Criteria for HP Networking Switches

Access Control
Secure Management VLAN
Secure Management VLANs are designed to restrict management access to the switch to only those
nodes connected to the Management VLAN. That is, only clients connected to ports that are members
of the Secure Management VLAN can gain management access to the HP switch. This sharply limits
the universe of devices that can attempt unauthorized access.
Configuring a Management VLAN takes only one command:
HP Switch(config)# management-vlan < vid | vlan-name >
Any VLAN can be assigned as the management VLAN. Take care to ensure that the same VLAN is
configured as Management VLAN on all HP switches that are to be members of the management VLAN.
There are a few restrictions on Secure Management VLANs worth noting:
- Only one VLAN per switch can be identified as the Secure Management VLAN.
- IP addresses must be assigned manually to the Secure Management VLAN. The switch will not
  allow the Management VLAN to acquire its address through DHCP/Bootp.
- To maintain the secure nature of the management VLAN, only ProCurve switch ports that are
  connecting authorized management stations, or those extending the management VLAN to
  other HP switches, should be members of the Management VLAN.
- Internet Group Management Protocol (IGMP) is not supported on the Management VLAN.
- Routing to or from the Secure Management VLAN is not permitted. Routing can be enabled on
  the switch and all other VLANs will be routable, but the Secure Management VLAN will remain
  isolated.
For more information on the Secure Management VLAN see the Advanced Traffic Management Guide
for your switch.
Authorized IP Managers
In cases where configuring a Secure Management VLAN is too restrictive, it’s possible to identify up to
10 IP addresses or address groups that are allowed management access to the switch via the network.
The command to configure the management stations is as follows:
HP Switch(config)# ip authorized-manager <IP address> mask < mask bits > < operator | manager >
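The following Python model of the authorized-manager check is an added example; it is not code from the HP guide or from the switch firmware. It lets the mask semantics described in this section be exercised offline against a constructed table of entries. Two points are assumptions, since the guide does not spell them out: a set bit in the mask means that bit of the source address must match the configured address (so 255.255.255.255 matches a single host and 255.255.255.0 a group), and when more than one entry matches, the entry granting the higher level wins.

```python
# Added example, not from the HP guide: a model of the
# "ip authorized-manager <address> mask <mask> <operator|manager>" check.
# Assumptions (not stated by the guide): a set mask bit means that bit of the
# source address must match the configured address, and the highest level
# among matching entries wins.
import ipaddress

MAX_ENTRIES = 10                      # the guide allows up to 10 entries
LEVELS = ("operator", "manager")      # access levels named in the command


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def config_errors(entries):
    """Return the reasons a list of (address, mask, level) entries would be rejected."""
    errors = []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for addr, mask, level in entries:
        if level not in LEVELS:
            errors.append(f"{addr}: unknown access level {level!r}")
        try:
            _to_int(addr)
            _to_int(mask)
        except ipaddress.AddressValueError as exc:
            errors.append(f"{addr} mask {mask}: {exc}")
    return errors


def build_table(entries):
    """Validate the entries and convert them to integer form for matching."""
    errors = config_errors(entries)
    if errors:
        raise ValueError("; ".join(errors))
    return [(_to_int(a), _to_int(m), level) for a, m, level in entries]


def lookup(table, source_ip):
    """Access level granted to source_ip ('manager' or 'operator'), or None if denied.

    The decision depends only on the claimed source address, which is why the
    guide warns that IP spoofing or a compromised authorized station defeats it.
    """
    src = _to_int(source_ip)
    granted = None
    for addr, mask, level in table:
        if (src & mask) == (addr & mask):
            if level == "manager":
                return "manager"      # assumption: highest matching level wins
            granted = "operator"
    return granted


def audit(table, attempts):
    """Decide each attempted source address, for a quick review of who gets in."""
    return [(ip, lookup(table, ip) or "denied") for ip in attempts]


# Constructed sample configuration: one management host plus an operator subnet.
SAMPLE_ENTRIES = [
    ("10.10.5.7", "255.255.255.255", "manager"),    # single host
    ("10.10.6.0", "255.255.255.0", "operator"),     # any host in 10.10.6.0/24
]
SAMPLE_TABLE = build_table(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for ip, decision in audit(SAMPLE_TABLE, ["10.10.5.7", "10.10.6.42", "10.10.7.1"]):
        print(f"{ip:<14} {decision}")
```

Because `lookup` compares only `(source & mask)` against `(address & mask)`, it also handles non-contiguous masks; `config_errors` mirrors the two checks the switch would have to make at configuration time (entry limit and access level) so that a proposed table can be reviewed before it is typed in.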
Once configured, only those addresses identified will be granted access to the switch over the network.
The addresses are configured using a mask to allow the 10 entries to be either a single host (using a
mask of 255.255.255.255) or groups of hosts. Note that the access level is also configurable. Some
addresses can be limited to operator access while others are granted full manager status. It’s important
to keep in mind that this is not fool-proof access control. IP spoofing will defeat this protection, as will
an authorized workstation whose security has been compromised. It also does not protect against