Common Criteria for HP Networking Switches

unauthorized access through the serial console. It’s recommended that this feature be used in
conjunction with a secondary authentication scheme, such as password protection.
Consider the following standard ACL:
ip access-list standard "mgmt-traffic"
10 permit 10.1.1.0 0.0.0.255
20 permit 10.1.0.50 0.0.0.0
exit
This list, when applied inbound on the VLAN or port on which the management interface resides, will
allow only hosts from 10.1.1.0/24 or 10.1.0.50 to access the switch. All traffic from other source IP
addresses is dropped.
Note that all ACLs have an implicit “deny any” at the bottom. Traffic must be permitted explicitly to pass
through an applied ACL.
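To make the wildcard-mask and implicit-deny semantics concrete, the following added example (written for this page, not code from the HP guide) parses the "mgmt-traffic" ACL above and decides whether a given source address would be permitted; the ACL text is embedded as a constructed sample.

```python
import ipaddress

# Constructed sample: the standard ACL from the text, exactly as typed into the CLI.
MGMT_ACL = """\
ip access-list standard "mgmt-traffic"
10 permit 10.1.1.0 0.0.0.255
20 permit 10.1.0.50 0.0.0.0
exit
"""


def parse_standard_acl(text):
    """Return sorted (seq, action, network, wildcard) tuples from a standard ACL.

    Only the numbered permit/deny entries are kept; the header and 'exit' are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[1] in ("permit", "deny"):
            seq, action, net, wild = parts
            entries.append((int(seq), action,
                            int(ipaddress.IPv4Address(net)),
                            int(ipaddress.IPv4Address(wild))))
    return sorted(entries)


def wildcard_match(addr, net, wild):
    """Wildcard masks are inverse masks: 1 bits are don't-care, 0 bits must match."""
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (net & care)


def acl_decision(entries, src_ip):
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for seq, action, net, wild in entries:
        if wildcard_match(addr, net, wild):
            return action, seq
    return "deny", None  # implicit deny at the bottom of every ACL


if __name__ == "__main__":
    acl = parse_standard_acl(MGMT_ACL)
    for ip in ("10.1.1.77", "10.1.0.50", "10.1.0.51", "192.168.1.1"):
        print(ip, acl_decision(acl, ip))
```

Hosts in 10.1.1.0/24 match entry 10 and 10.1.0.50 matches entry 20; any other source, including 10.1.0.51, is dropped by the implicit deny.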
ACL options and configuration can vary by switch platform. For more information on Access Control
Lists, see the Advanced Traffic Management Guide for your switch.
Authentication
By default, no user authentication is configured, thus leaving the switch open to anyone with physical or
remote access. Two types of users can be configured to provide different levels of access to the switch.
Manager: full access (default)
   o Ability to make configuration changes
   o All “enable” command contexts
   o Read and write access
Operator: limited access
   o Status and counters, event-log and show commands
   o All “login” command contexts
   o Read-only access
Each access method (console, SSH, etc.) allows you to configure a primary and secondary way of
authenticating users. HP switches default to the following:
HP Switch # show authentication
Status and Counters - Authentication Information

  Login Attempts    : 3
  Respect Privilege : Disabled

              | Login      Login         Login
  Access Task | Primary    Server Group  Secondary
  ----------- + ---------- ------------  ----------
  Console     | Local                    None
  Telnet      | Local                    None