HP ProCurve Switch Software IPv6 Configuration Guide 3500 switches 3500yl switches 5400zl switches 6200yl switches 6600 switches 8200zl switches Software version K.14.
HP ProCurve 3500 Switches 3500yl Switches 5400zl Switches 6200yl Switch 6600 Switches 8200zl Switches March 2010 K.14.
© Copyright 2008 - 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. Disclaimer: This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Product Publications and IPv6 Command Index

About Your Switch Manual Set

Note: For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Technical support, and then click on Product manuals (all).

Printed Publications

The two publications listed below are printed and shipped with your switch.

The two publications listed below support all of the switches covered by this manual except the ProCurve Series 2900 switches:

■ Command Line Interface Reference Guide—Provides a comprehensive description of CLI commands, syntax, and operations.
■ Event Log Message Reference Guide—Provides a comprehensive description of event log messages.

IPv6 Command Index

This index provides a tool for locating descriptions of individual IPv6 commands covered in this guide.

Note: A link-local address must include %vlan< vid > without spaces as a suffix. For example: fe80::110:252%vlan20

The index begins on the next page.

Command: ipv6 nd dad-attempts < 0 - 600 >
1 Getting Started

Introduction

This guide is intended for use with the following ProCurve switches:
■ 8200zl switches
■ 6600 switches
■ 5400zl switches
■ 3500, 3500yl and 6200yl switches

It describes how to use the command line interface (CLI), Menu interface, and web browser to configure, manage, monitor, and troubleshoot switch operation. For an overview of product documentation for the above switches, refer to “Product Documentation” on page xiii.

Conventions

■ Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, you must provide one or more port numbers:

Syntax: aaa port-access authenticator < port-list >

Command Prompts

In the default configuration, your switch displays a CLI prompt similar to the following example:

ProCurve 8212zl#

To simplify recognition, this guide uses ProCurve to represent command prompts for all switch models.

Keys

Simulations of actual keys use a bold, sans-serif typeface with square brackets. For example, the Tab key appears as [Tab] and the “Y” key appears as [Y].

Sources for More Information

For information about switch operation and features not covered in this guide, consult the following sources:

■ Feature Index—For information on which manual to consult for a given software feature, refer to the “Software Feature Index” on page xiv.

• time protocols
• port configuration, trunking, traffic control, and PoE operation
• Redundant management
• SNMP, LLDP, and other network management topics
• file transfers, switch monitoring, troubleshooting, and MAC address management

■ Advanced Traffic Management Guide—Use this guide for information on topics such as:
• VLANs: Static port-based and protocol VLANs, and dynamic GVRP VLANs
• spanning-Tree: 802.1D (STP), 802.1w (RSTP), and 802.

Getting Documentation From the Web

To obtain the latest versions of documentation and release notes for your switch, go to the ProCurve Networking manuals web page at www.hp.com/go/procurve/manuals.

Online Help

Menu Interface

If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. For example:

Figure 1-2. Online Help for Menu

Command Line Interface

If you need information on a specific command in the CLI, type the command name followed by help. For example:

Figure 1-3. Example of CLI Help

WebAgent (Web Browser Interface)

If you need information on specific features in the HP ProCurve WebAgent, use the online Help. You can access the Help by clicking on the “Help” text in any WebAgent screen. To download the WebAgent help files to a local server, go to: www.hp.

To Set Up and Install the Switch in Your Network

■ In the Main Menu of the Menu interface select 8. Run Setup

For more on using the Switch Setup screen, see the Installation and Getting Started Guide you received with the switch.
2 Introduction to IPv6

Migrating to IPv6

Successfully migrating to IPv6 involves maintaining compatibility with the large installed base of IPv4 hosts and routers for the immediate future. To achieve this purpose, software release K.13.01 and greater supports dual-stack (IPv4/IPv6) operation and connections to IPv6-aware routers for routing IPv6 traffic between VLANs and across IPv4 networks.

Note: Beginning with release K.13.

IPv6 Propagation

IPv6 is currently in the early stages of deployment worldwide, involving a phased-in migration led by the application of basic IPv6 functionality. In these applications, IPv6 traffic is switched among IPv6-capable devices on a given LAN, and routed between LANs using IPv6-capable routers.

Connecting to Devices Supporting IPv6 Over IPv4 Tunneling

The switches covered by this guide can interoperate with IPv6/IPv4 devices capable of tunneling IPv6 traffic across an IPv4 infrastructure. Some examples include:
■ traffic between IPv6/IPv4 routers (router/router)
■ traffic between an IPv6/IPv4 router and an IPv6/IPv4 host capable of tunneling (router/host)

Note: Tunneling requires an IPv6-capable router. A switch running software release K.13.

Use Model

Adding IPv6 Capability

IPv6 was designed by the Internet Engineering Task Force (IETF) to improve on the scalability, security, ease of configuration, and network management capabilities of IPv4. IPv6 provides increased flexibility and connectivity for existing networked devices, addresses the limited address availability inherent in IPv4, and provides the infrastructure for the next wave of Internet devices, such as PDAs, mobile phones and appliances.
Configuration and Management

This section outlines the configurable management features supporting IPv6 operation on your ProCurve IPv6-ready switch.

Management Features

Software releases K.13.01 and greater provide host-based IPv6 features that enable the switches covered in this guide to be managed from an IPv6 management station and to operate in both IPv6 and IPv4/IPv6 network environments.

Note: Software releases K.13.

traffic on a VLAN to be routed to other VLANs supporting IPv6-aware devices. (Using software release K.13.01 or greater, an external, IPv6-aware router is required to forward traffic between VLANs.) Multiple global unicast addresses can be configured on a VLAN that receives RAs specifying different prefixes.

DHCPv6 (Stateful) Address Configuration

The IPv6 counterpart to the DHCP client for IPv4 operation is DHCPv6.

Refer to “Default IPv6 Router” on page 4-29 and “View IPv6 Gateway, Route, and Router Neighbors” on page 4-30.

Neighbor Discovery (ND) in IPv6

The IPv6 Neighbor Discovery protocol operates in a manner similar to the IPv4 ARP protocol to provide for discovery of IPv6 devices such as other switches, routers, management stations, and servers on the same interface.

IPv6 Management Features

The switch's IPv6 management features support operation in an environment employing IPv6 servers and management stations. With a link to a properly configured IPv6 router, switch management extends to routed traffic solutions. (Refer to the documentation provided for the IPv6 router.) Otherwise, IPv6 management for the switches covered by this guide is dependent on switched management traffic solutions.

IP Preserve

IP Preserve operation preserves both the IPv4 and IPv6 addresses configured on VLAN 1 (the default VLAN) when a configuration file is downloaded to the switch using TFTP. Refer to “IP Preserve for IPv6” on page 5-28.

Multicast Listener Discovery (MLD)

MLD operates in a manner similar to IGMP in IPv4 networks.
Configurable IPv6 Security

This section outlines the configurable IPv6 security features supported in software release K.14.01.

SSHv2 on IPv6

SSHv2 provides for authentication between clients and servers, and for protection of data integrity and privacy. It is used most often to provide a secure alternative to Telnet and is also used for secure file transfers (SFTP and SCP). Beginning with software release K.13.

that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features.

Diagnostic and Troubleshooting

Software releases K.13.01 and greater include the IPv6 diagnostic and troubleshooting features listed in this section.

ICMP Rate-Limiting

Controlling the frequency of ICMPv6 error messages can help to prevent DoS (Denial-of-Service) attacks. With IPv6 enabled on the switch, you can control the allowable frequency of these messages with ICMPv6 rate-limiting. Refer to “ICMP Rate-Limiting” on page 9-2.

The switches covered by this guide now support a prioritized list of up to three DNS server addresses. (Earlier software releases supported only one DNS server address.) Also, the server address list can include both IPv4 and IPv6 DNS server addresses. (An IPv6 DNS server can respond to IPv4 queries, and the reverse.)

IPv6 Scalability

As of software release K.14.01, the switches covered by this guide support the following:
■ Dual stack operation (IPv4 and IPv6 addresses on the same VLAN).
3 IPv6 Addressing

Introduction

IPv6 supports multiple addresses on an interface, and uses them in a manner comparable to subnetting an IPv4 VLAN. For example, where the switch is configured with multiple VLANs and each is connected to an IPv6 router, each VLAN will have a single link-local address and one or more global unicast addresses. This section describes IPv6 addressing and outlines the options for configuring IPv6 addressing on the switch.

IPv6 Address Structure and Format

An IPv6 address includes a network prefix and an interface identifier.

Network Prefix

The network prefix (high-order bits) in an IPv6 address begins with a well-known, fixed prefix for defining the address type.

IPv6 Addressing Options

IPv6 Address Sources

IPv6 addressing sources provide a flexible methodology for assigning addresses to VLAN interfaces on the switch.

Stateful Address Autoconfiguration. This method allows use of a DHCPv6 server to automatically configure IPv6 addressing on a host in a manner similar to stateful IP addressing with a DHCPv4 server. For software releases K.13.01 and greater, a DHCPv6 server can provide routable IPv6 addressing and NTP (timep) server addresses.

servers. These lifetimes cannot be reset using control from the switch console or SNMP methods. Refer to “Preferred and Valid Address Lifetimes” on page 3-24.

Stateful (DHCPv6) Address Configuration

Stateful addresses are defined by a system administrator or other authority, and automatically assigned to the switch and other devices through the Dynamic Host Configuration Protocol (DHCPv6).

Static Address Configuration

Generally, static address configuration should be used when you want specific, non-default addressing to be assigned to a VLAN interface.

Address Types and Scope

Address Types

IPv6 uses these IP address types:

■ Unicast: Identifies a specific IPv6 interface. Traffic having a unicast destination address is intended for a single interface. Like IPv4 addresses, unicast addresses can be assigned to a specific VLAN on the switch and to other IPv6 devices connected to the switch. At a minimum, a given interface must have at least a link-local address.

Global Unicast Address. Applies to a unique IPv6 routable address on the internet. A unique global address has a routing prefix and a unique device identifier. When Autoconfiguration is enabled on a VLAN receiving an IPv6 router advertisement (RA), the prefix specified in the RA and the device identifier specified in the link-local address are combined to create a unique, global unicast address.

Routable Global Unicast Prefix. This well-known 3-bit fixed prefix indicates a routable address used to identify a device on a VLAN interface that is accessible by routing from multiple networks. The complete prefix is 64 bits, followed by a 64-bit interface identifier.

Link-Local Unicast Address

Other Prefix Types.
Because all VLANs configured on the switch use the same MAC address, all automatically generated link-local addresses on the switch will have the same link-local address. However, since the scope of a link-local address includes only the VLAN on which it was generated, this should not be a problem.

MAC Address        IPv6 I/F Identifier   Full Link-Local Unicast Address
00-15-60-7a-ad-c0  215:60ff:fe7a:adc0    fe80::215:60ff:fe7a:adc0/64
09-c1-8a-44-b4-9d  11c1:8aff:fe44:b49d   fe80::11c1:8aff:fe44:b49d/64
00-1a-73-5a-7e-57  21a:73ff:fe5a:7e57    fe80::21a:73ff:fe5a:7e57/64

The EUI method of generating a link-local address is automatically implemented on the switches covered by this guide when IPv6 is enabled on a VLAN interface.
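The EUI-64 derivation the table illustrates, as an added Python example (not ProCurve switch code): it builds the interface identifier and link-local address from a MAC, and recovers the MAC embedded in an EUI-64 link-local address, accepting the %vlan< vid > suffix the command index note describes. The MACs are the three from the table.

```python
"""EUI-64 link-local addressing as described above (added example, not
ProCurve switch code). The MACs used are the three from the table."""
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> str:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC:
    split the MAC after 24 bits, insert ff:fe, and flip the universal/local
    bit (0x02) of the first octet. Rendered like the table, with leading
    zeros dropped from each 16-bit group."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    groups = [iid[i:i + 2].hex().lstrip("0") or "0" for i in range(0, 8, 2)]
    return ":".join(groups)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the EUI-64 identifier, in the /64 form the table shows."""
    return str(ipaddress.IPv6Interface(f"fe80::{mac_to_eui64_iid(mac)}/64"))


def mac_from_link_local(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 link-local address. Accepts the
    %vlan<vid> suffix and an optional /prefix-length. Returns None when the
    address is not fe80::/64 or its interface identifier was not built from a
    MAC (no ff:fe in the middle), e.g. a statically configured fe80::1."""
    plain = addr.split("%", 1)[0].split("/", 1)[0]
    packed = ipaddress.IPv6Address(plain).packed
    if packed[:8] != bytes.fromhex("fe80000000000000"):
        return None
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    for mac in ("00-15-60-7a-ad-c0", "09-c1-8a-44-b4-9d", "00-1a-73-5a-7e-57"):
        print(f"{mac}  {mac_to_eui64_iid(mac):<20} {link_local_from_mac(mac)}")
    print(mac_from_link_local("fe80::215:60ff:fe7a:adc0%vlan20"))
```

Rows 1 and 3 of the table come out exactly as printed; for row 2 the rule gives bc1:8aff:fe44:b49d, because 0x09 with the universal/local bit flipped is 0x0b, not 0x11.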
Global Unicast Address

A global unicast address is required for unicast traffic to be routed across VLANs within an organization as well as across the public internet. To support subnetting, a VLAN can be configured with multiple global unicast addresses.

■ generate a link-local address on the VLAN as described in the preceding section (page 3-13).
■ transmit a router solicitation on the VLAN, and listen for advertisements from any IPv6 routers on the VLAN. For each unique router advertisement (RA) the switch receives from any router(s), the switch configures a unique, global unicast address.

Prefixes in Routable IPv6 Addresses

In routable IPv6 addresses, the prefix uniquely identifies an entity and a unicast subnet within that entity, and is defined by a length value specifying the number of leftmost contiguous (high-order) bits comprising the prefix. For an automatically generated global unicast address, the default prefix length is 64 bits. (Practically speaking, the entire prefix in a /64 address defines the subnet.)

Unique Local Unicast IPv6 Address

A unique local unicast address is an address that falls within a specific range, but is used only as a global unicast address within an organization. Traffic having a source address within the defined range should not be allowed beyond the borders of the intended domain or onto the public internet. The current prefix for specifically identifying unique local unicast addresses is fd00::/8.
Multicast Application to IPv6 Addressing

tions, router advertisements, and responses to DAD messages. It also avoids the bandwidth consumption used for broadcasts by narrowing the scope of possibly interested destinations for various types of messages.

Overview of the Multicast Operation in IPv6

When IPv6 is enabled on a VLAN interface on the switch, the interface automatically joins the All-Nodes and Solicited-Node multicast address groups for each of its configured unicast addresses.

■ scope: 0001 - 1110 (bits 13-16)

For related information, refer to RFC 4291.

Multicast Group Identification

Multicast ID, Flags and Scope (16 bits): 1111 1111 0xxx xxxx
Group Identifier (112 bits): x...x : x...x : x...x : x...x : x...x : x...x : x...x

■ multicast identifier: The first eight high-order bits, set to ff, identify the address as multicast.

Scope Value  Use
4            admin-local (smallest administratively configured scope)
5            site-local (single site)
6            unassigned
7            unassigned
8            organization-local (multiple sites within the same organization)
9            unassigned
A            unassigned
B            unassigned
C            unassigned
D            unassigned
E            global
F            reserved

For example, the following prefix indicates multicast traffic with a temporary multicast address and a link-local scope: ff12 or (binary) 1111 1111 0001 0
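The multicast address layout and scope table above, together with the All-Nodes and Solicited-Node groups an interface joins, as an added Python example (not from the guide): it splits a multicast address into flags, scope and group identifier, names the scope, and derives the solicited-node group of a unicast address. The 2001:db8 address used in the test is a constructed documentation-prefix example.

```python
"""IPv6 multicast address anatomy and the groups a VLAN interface joins, as
described above (added example, not ProCurve switch code)."""
import ipaddress
from typing import Dict, Iterable, Optional, Set

# Scope nibble values (RFC 4291 section 2.7). The guide's table lists 4 and
# upward; 1 (interface-local) and 2 (link-local) are the ones it uses most.
MULTICAST_SCOPES: Dict[int, str] = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local", 0x3: "reserved",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
    0xE: "global", 0xF: "reserved",
}


def strip_zone(addr: str) -> str:
    """Drop a %vlan<vid> zone suffix before parsing."""
    return addr.split("%", 1)[0]


def parse_multicast(addr: str) -> Optional[dict]:
    """Split an IPv6 multicast address into the fields of the layout above:
    8-bit ff marker, 4-bit flags, 4-bit scope, 112-bit group identifier.
    Returns None when the address is not multicast."""
    a = ipaddress.IPv6Address(strip_zone(addr))
    if not a.is_multicast:  # first eight bits are not all ones
        return None
    packed = a.packed
    flags, scope = packed[1] >> 4, packed[1] & 0x0F
    return {
        "flags": flags,
        # Low flag bit is T: 1 = transient (temporary), 0 = well-known/permanent.
        "transient": bool(flags & 0x1),
        "scope": scope,
        "scope_name": MULTICAST_SCOPES.get(scope, "unassigned"),
        "group_id": int.from_bytes(packed[2:], "big"),
    }


def solicited_node(unicast: str) -> str:
    """Solicited-node group for a unicast address: ff02::1:ff00:0/104 with the
    low 24 bits of the unicast address appended (RFC 4291 section 2.7.1)."""
    low24 = ipaddress.IPv6Address(strip_zone(unicast)).packed[-3:]
    group = b"\xff\x02" + bytes(8) + b"\x00\x01\xff" + low24
    return str(ipaddress.IPv6Address(group))


def groups_joined(unicast_addrs: Iterable[str]) -> Set[str]:
    """Groups the interface joins when IPv6 is enabled: All-Nodes plus one
    solicited-node group per configured unicast address. Addresses sharing
    their low 24 bits (all EUI-64 addresses of one VLAN) share a group."""
    groups = {"ff02::1"}
    groups.update(solicited_node(a) for a in unicast_addrs)
    return groups


if __name__ == "__main__":
    print(parse_multicast("ff12::1"))  # the guide's ff12 example
    print(groups_joined(["fe80::215:60ff:fe7a:adc0%vlan20"]))
```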
■ RFC 4007: IPv6 Scoped Address Architecture
■ RFC 4291: IP Version 6 Addressing Architecture
■ “Internet Protocol Version 6 Multicast Addresses” (at www.iana.org)
■ RFC 2710: Multicast Listener Discovery (MLD) for IPv6
■ RFC 3810: Multicast Listener Discovery Version 2 (MLDv2) for IPv6 (Updates RFC 2710.)

Loopback Address

The IPv6 loopback address is a link-local unicast address that enables a device to send traffic to itself for self-testing purposes.
IPv6 Address Deprecation

Preferred and Valid Address Lifetimes

Autoconfigured IPv6 global unicast addresses acquire their valid and preferred lifetime assignments from router advertisements. A valid lifetime is the time period during which an address is allowed to remain available and usable on an interface. A preferred lifetime is the length of time an address is intended for full use on an interface, and must be less than or equal to the address's valid lifetime.

Related Information
■ RFC 2462: “IPv6 Stateless Address Autoconfiguration”
■ RFC 4291: “IP Version 6 Addressing Architecture”
4 IPv6 Addressing Configuration

Introduction

Feature                                     Default    CLI
Enable IPv6 with a Link-Local Address       disabled   4-6
Configure Global Unicast Autoconfig         disabled   4-7
Configure DHCPv6 Addressing                 disabled   4-9
Configure a Static Link-Local Address       None       4-12
Configure a Static Global Unicast Address   None       4-13
Change DAD Attempts                         3          4-17
View Current IPv6 Addressing                n/a        4-21

In the default configuration, IPv6 operation is disabled on the switch.

General Configuration Steps

The IPv6 configuration on switches running software release K.13.01 or greater includes global and per-VLAN settings. This section provides an overview of the general configuration steps for enabling IPv6 on a given VLAN, which can be enabled by any one of several commands. The following steps provide a suggested progression for getting started.

4. If needed, statically configure IPv6 unicast addressing on the VLAN interface. This can include any of the following:
• statically replacing the automatically generated link-local address
• statically adding global unicast and unique local unicast addresses

Configuring IPv6 Addressing

In the default configuration on a VLAN, any one of the following commands enables IPv6 and creates a link-local address.

Enabling IPv6 with an Automatically Configured Link-Local Address

This command enables automatic configuration of a link-local address.

Enabling Autoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN

Enabling autoconfig or rebooting the switch with autoconfig enabled on a VLAN causes the switch to configure IPv6 addressing on the VLAN using router advertisements and an EUI-64 interface identifier (page 3-14).

After verification of uniqueness by DAD, an IPv6 address assigned to a VLAN by autoconfiguration is set to the preferred and valid lifetimes specified by the RA used to generate the address, and is configured as a preferred address. (Refer to “IPv6 Address Deprecation” on page 3-24.) Default: Disabled.

Enabling DHCPv6

Enabling the DHCPv6 option on a VLAN allows the switch to obtain a global unicast address and an NTP (network time protocol) server assignment for a Timep server. (If a DHCPv6 server is not needed to provide a global unicast address to a switch interface, the server can still be configured to provide the NTP server assignment. This is sometimes referred to as “stateless DHCPv6”.)

After verification of uniqueness by DAD, an IPv6 address assigned to the VLAN by a DHCPv6 server is set to the preferred and valid lifetimes specified in a router advertisement received on the VLAN for the prefix used in the assigned address, and is configured as a preferred address. (Refer to the section titled “Address Lifetimes” on page 4-33.)
Configuring a Static IPv6 Address on a VLAN

■ DHCPv6 and statically configured global unicast addresses are mutually exclusive on a given VLAN. That is, configuring DHCPv6 on a VLAN erases any static global unicast addresses previously configured on that VLAN, and the reverse. (A statically configured link-local address is not affected by configuring DHCPv6 on the VLAN.)

Statically Configuring a Link-Local Unicast Address

Syntax: [no] ipv6 address fe80::< device-identifier > link-local

■ If IPv6 is not already enabled on the VLAN, this command enables IPv6 and configures a static link-local address.
■ If IPv6 is already enabled on the VLAN, this command overwrites the current link-local address with the specified static address. (One link-local address is allowed per VLAN interface.)
■ If IPv6 was enabled only by a statically configured link-local address, deleting the link-local address disables IPv6 on the VLAN.
■ If other IPv6-enabling commands have been configured on the VLAN, deleting the statically configured link-local address causes the switch to replace it with the default (EUI-64) link-local address for the VLAN, and IPv6 remains enabled.

< prefix-length >: Specifies the number of bits in the network prefix. If you are using the eui-64 option, this value must be 64.

eui-64: Specifies using the Extended Unique Identifier format to create a device identifier based on the VLAN MAC address. Refer to "Extended Unique Identifier (EUI)" on page 3-14.
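The EUI-64 derivation the eui-64 option and the default link-local address rely on, as an added example (this is not code from the HP guide): the MAC is split in half, ff:fe is inserted, and the universal/local bit is inverted. Because the mapping is reversible, an auditor reading show ipv6 output can recover the interface MAC (and therefore the vendor OUI) from any EUI-64 address; the reverse function below does that. The MAC values used in the sample run are taken from addresses shown in this chapter; the function names are this example's own.

```python
"""Derive the default (EUI-64) link-local and eui-64 global addresses.

Added example (not code from the HP guide): reproduces the modified
EUI-64 construction that a VLAN interface uses for its default link-local
address and for 'ipv6 address <prefix>/64 eui-64', and the reverse
mapping an auditor uses to recover a MAC from such an address.
"""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified-EUI-64 interface identifier for a MAC.

    Accepts 00:13:c4:dd:14:b0, 00-13-c4-dd-14-b0 or ProCurve 0013c4-dd14b0.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Split the MAC in half, insert ff:fe, then invert the universal/local
    # bit (bit 1 of the first octet), as RFC 4291 Appendix A specifies.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Default link-local address for an interface with the given MAC."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def global_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address produced by the eui-64 option: the prefix must be /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the eui-64 option requires a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID carries the ff:fe EUI-64 marker."""
    iid = int(ipaddress.IPv6Address(addr.split("%")[0])) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived (static, DHCPv6 or privacy address)
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    # MAC behind the default-gateway address fe80::213:c4ff:fedd:14b0 shown
    # in the show ipv6 vlan 10 output of this chapter.
    print(link_local_from_mac("00:13:c4:dd:14:b0"))
    # MAC behind the VLAN 1 address 2001:db8::214:c2ff:fe4c:e480 in chapter 5.
    print(global_from_prefix("2001:db8::/64", "00:14:c2:4c:e4:80"))
    print(mac_from_eui64("2001:db8::214:c2ff:fe4c:e480"))
    print(mac_from_eui64("fe80::1:101%vlan10"))  # statically configured: None
```

A statically configured link-local address such as fe80::1:101 in the examples of this chapter does not reveal the MAC, which is one reason to configure one on VLANs that carry management traffic.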
Duplicate Address Detection (DAD) for Statically Configured Addresses

Statically configured IPv6 addresses are designated as permanent. If DAD determines that a statically configured address duplicates a previously configured and reachable address on another device belonging to the VLAN, the more recent address is designated as duplicate. For more on this topic, refer to:
■ "Duplicate Address Detection (DAD)" on page 4-17.

Neighbor Discovery (ND)

Neighbor Discovery (ND) is the IPv6 equivalent of IPv4 ARP for layer 2 address resolution, and uses ICMPv6 messages to do the following:
■ Determine the link-layer address of neighbors on the same VLAN interface.
■ Verify that a neighbor is reachable.
■ Track neighbor (local) routers.

Duplicate Address Detection (DAD)

Note: Neighbor and router solicitations must originate on the same VLAN as the receiving device. To enforce this, IPv6 is designed to discard any incoming neighbor or router solicitation that does not have a value of 255 in the IP Hop Limit field: a packet that has crossed a router has had its Hop Limit decremented, so it cannot be injected from off-link with this value. For the complete list of requirements, refer to the Neighbor Discovery specification, RFC 2461 (superseded by RFC 4861).

that includes its link-local address. If the newly configured address is from a static or DHCPv6 source and is found to be a duplicate, it is labeled as duplicate in the "Address Status" field of the show ipv6 command, and is not used.

Syntax: ipv6 nd ns-interval < milliseconds >

Used on VLAN interfaces to reconfigure the time in milliseconds between neighbor solicitations sent for an unresolved destination, or between the neighbor solicitations sent for duplicate address detection. Increasing this setting is indicated where neighbor solicitation retries or failures are occurring, or on a "slow" (WAN) network. To view the current setting, use show ipv6 nd.

■ If a previously configured unicast address is changed, the switch runs duplicate address detection on the new address (using neighbor solicitations) and sends a neighbor advertisement on the VLAN to notify other devices of the change.
■ If DAD is disabled when an address is configured, the address is assumed to be unique and is assigned to the interface. A collision with an address already in use on the VLAN therefore goes undetected, so leave DAD enabled unless you have a specific reason not to.
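The two receive-side rules this section describes, as an added example (this is not code from the HP guide): any Neighbor Discovery message with a Hop Limit other than 255 is discarded as not on-link, and a tentative address is marked duplicate when another node probes it (a Neighbor Solicitation from the unspecified source) or claims it (a Neighbor Advertisement) during DAD. The packets are constructed inline with struct and the ICMPv6 checksum is left at zero; class and function names are this example's own.

```python
"""Inbound Neighbor Discovery checks described in this DAD section.

Added example (not HP code): a minimal parser for IPv6 + ICMPv6 Neighbor
Solicitation/Advertisement that (1) discards any ND message whose Hop
Limit is not 255, because such a packet has crossed a router and cannot
be from the local VLAN, and (2) marks one of our tentative addresses
duplicate when another node probes or claims it during DAD. The packets
are constructed here and the ICMPv6 checksum is left zero (a real stack
verifies it before any of this).
"""
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX group that DAD and resolution probes are sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def build_nd(icmp_type: int, src: str, dst: str, target: str, hop_limit: int = 255) -> bytes:
    """Constructed IPv6/ICMPv6 NS (135) or NA (136): type, code, checksum, reserved, target."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def parse_nd(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("truncated IPv6 packet")
    vtcfl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtcfl >> 28 != 6 or nxt != ICMPV6:
        raise ValueError("not an IPv6/ICMPv6 packet")
    body = pkt[40:40 + plen]
    if len(body) < 8:
        raise ValueError("truncated ICMPv6 header")
    target = ipaddress.IPv6Address(body[8:24]) if body[0] in (135, 136) and len(body) >= 24 else None
    return {"hop_limit": hlim, "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "type": ND_TYPES.get(body[0], body[0]), "target": target}


def accept_nd(pkt: bytes):
    """Returns (accepted, reason). The Hop Limit rule is the on-link proof."""
    nd = parse_nd(pkt)
    if nd["type"] not in ND_TYPES.values():
        return False, f"ICMPv6 type {nd['type']} is not Neighbor Discovery"
    if nd["hop_limit"] != 255:
        return False, f"{nd['type']} with Hop Limit {nd['hop_limit']}: not on-link, discarded"
    return True, f"{nd['type']} accepted"


class DadState:
    """Addresses a VLAN interface is probing; each is tentative until DAD passes."""

    def __init__(self, addresses):
        self.status = {ipaddress.IPv6Address(a): "tentative" for a in addresses}

    def status_of(self, addr: str) -> str:
        return self.status.get(ipaddress.IPv6Address(addr), "unknown")

    def on_packet(self, pkt: bytes) -> str:
        ok, why = accept_nd(pkt)
        if not ok:
            return why
        nd = parse_nd(pkt)
        tgt = nd["target"]
        if self.status.get(tgt) == "tentative":
            # An NS from :: means another node is running DAD on the same
            # address; an NA means a node already owns it. Either way the
            # address is a duplicate and must not be used (it would show as
            # "duplicate" in the Address Status field of show ipv6).
            if (nd["type"] == "NS" and nd["src"] == UNSPECIFIED) or nd["type"] == "NA":
                self.status[tgt] = "duplicate"
                return f"{tgt} is a duplicate ({nd['type']} from {nd['src']})"
        return why

    def dad_complete(self, addr: str) -> str:
        """Called when the dad-attempts probes went unanswered: address is usable."""
        a = ipaddress.IPv6Address(addr)
        if self.status.get(a) == "tentative":
            self.status[a] = "preferred"
        return self.status.get(a, "unknown")


if __name__ == "__main__":
    addr = "2001:db8:a03:e102::1:101"      # global address from the show ipv6 vlan 10 example
    dad = DadState([addr])
    off_link = build_nd(135, "::", solicited_node(addr), addr, hop_limit=64)
    print(dad.on_packet(off_link))         # discarded, address stays tentative
    print(dad.on_packet(build_nd(135, "::", solicited_node(addr), addr)))  # duplicate
```

Setting dad-attempts to 0 (see the DAD Attempts description under show ipv6 nd) removes the second check entirely: the address would be marked preferred without any probe being sent.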
View the Current IPv6 Addressing Configuration

Use these commands to view the current status of the IPv6 configuration on the switch.

Syntax: show ipv6

Lists the current global IPv6 settings and per-VLAN IPv6 addressing on the switch.

IPv6 Routing: For software releases K.13.01 through K.14.01, this setting is always Disabled. This is a global setting, and is not configured per-VLAN.

Address Origin:
■ Autoconfig: The address was configured using stateless address autoconfiguration (SLAAC). In this case, the device identifier for global unicast addresses is copied from the current link-local unicast address.
■ DHCP: The address was assigned by a DHCPv6 server. Note that addresses having a DHCP origin are listed with a 128-bit prefix length.
■ Manual: The address was statically configured on the VLAN.

For example, figure 4-1 shows the output on a switch having IPv6 enabled on one VLAN.

Syntax: show ipv6 nd

Displays the current IPv6 neighbor discovery settings on the configured VLAN interfaces. For example, figure 4-2 shows the output on a switch having IPv6 enabled on VLANs 1 and 20.

ProCurve# show ipv6 nd

 IPV6 Neighbor Discovery Configuration

  Current Hop Limit : 0

  VLAN Name     RCHtime (msecs)  NSint (msecs)
  ------------  ---------------  -------------
  DEFAULT_VLAN  30000            1000
  VLAN20        30000            1000

Figure 4-2.

■ DAD Attempts: Indicates the number of neighbor solicitations the switch transmits per address for duplicate (IPv6) address detection. Implemented when a new address is configured or when an interface with configured addresses comes up (such as after a reboot). The default setting is 3, and the range is 0 - 600. A setting of "0" disables duplicate address detection.

ProCurve# show ipv6 vlan 10

 Internet (IPv6) Service

  IPv6 Routing    : Disabled
  Default Gateway : fe80::213:c4ff:fedd:14b0%vlan10
  ND DAD          : Enabled
  DAD Attempts    : 3

  Vlan Name   : VLAN10
  IPv6 Status : Enabled

  IPv6 Address/Prefixlength                    Expiry
  -------------------------------------------  ------------------------
  2001:db8:a03:e102::1:101/64                  Fri May 19 11:51:15 2009
  fe80::1:101/64                               permanent

Figure 4-3.

ProCurve(config)# show run

Running configuration:
. . .
vlan 10
   name "VLAN10"
   untagged A1-A12
   ipv6 address fe80::1:101 link-local
   ipv6 address dhcp full rapid-commit
. . .

Statically configured IPv6 addresses appear in the show run output. Commands for automatic IPv6 address configuration appear in the show run output, but the addresses resulting from these commands do not; use show ipv6 (or show ipv6 vlan < vid >) to see them.

Figure 4-4.
Router Access and Default Router Selection

Routing traffic between destinations on different VLANs configured on the switch, or to a destination on an off-switch VLAN, is done by placing the switch on the same VLAN interface or subnet as an IPv6-capable router configured to route traffic to other IPv6 interfaces or to tunnel IPv6 traffic across an IPv4 network.

Note: If the switch does not receive a router advertisement after sending the router solicitations described above, no further router solicitations are sent on that VLAN unless a new IPv6 setting is configured, IPv6 on the VLAN is disabled and then re-enabled, or the VLAN itself is disconnected and then reconnected.

View IPv6 Gateway, Route, and Router Neighbors

Use these commands to view the switch's current routing table content and connectivity to routers per VLAN. This includes information received in router advertisements from IPv6 routers on VLANs enabled with IPv6 on the switch.

ProCurve(config)# show ipv6 route

 IPv6 Route Entries

  Dest    : ::/0                                   (the "unknown" address: default route)
  Gateway : fe80::213:c4ff:fedd:14b0%vlan10
  Dist.   : 40     Type : static     Metric : 0

  Dest    : ::1/128
  Gateway : lo0
  Dist.   : 0      Type : connected  Metric : 1

  (Two further entries, for the link-local address configured on the switch and the link-local address assigned to the loopback interface, each show Dist. : 0, Type : connected, Metric : 1.)

MTU: The Maximum Transmission Unit (in bytes) allowed for frames on the path to the indicated router.
Hop Limit: The maximum number of router hops allowed.
Prefix Advertised: Lists the prefix and prefix size (number of leftmost bits in an address) originating with the indicated router.

Address Lifetimes

Every configured IPv6 unicast and anycast address has a lifetime setting that determines how long the address can be used before it must be refreshed or replaced. Some addresses are set as "permanent" and do not expire. Others have both a "preferred" and a "valid" lifetime that specify the duration of their use and availability.

Table 4-1. IPv6 Unicast Address Lifetimes

  Address Source                             Lifetime   Criteria
  -----------------------------------------  ---------  -----------------------------
  Link-Local                                 Permanent
  Statically Configured Unicast or Anycast   Permanent
  Autoconfigured Global                      Finite     Preferred and Valid Lifetimes
  DHCPv6-Configured                          Finite     Preferred and Valid Lifetimes

A new, preferred address used as a replacement for a deprecated address can be acquired from a manual, DHCPv6, or autoconfiguration source.
5 IPv6 Management Features

Contents
Introduction . . . 5-2
Viewing and Clearing the IPv6 Neighbors Cache . . . 5-2
  Viewing the Neighbor Cache . . . 5-2
  Clearing the Neighbor Cache . . . 5-5
IPv6 Telnet Operation . . .

Introduction

  Feature               Default   CLI
  --------------------  --------  ---------------
  Neighbor Cache        n/a       5-2, 5-5
  Telnet6               Enabled   5-6, 5-7, 5-9
  SNTP Address          None      5-11
  Timep Address         None      5-15
  TFTP                  n/a       5-17
  SNMP Trap Receivers   None      5-25

This chapter focuses on the IPv6 application of management features that support both IPv6 and IPv4 operation. For additional information on these features, refer to the current Management and Configuration Guide for your switch.

Viewing and Clearing the IPv6 Neighbors Cache

Syntax: show ipv6 neighbors [vlan < vid >]

Displays IPv6 neighbor information currently held in the neighbor cache. After a period without communication with a given neighbor, the switch drops that neighbor's data from the cache. The command lists neighbors for all VLAN interfaces on the switch or for only the specified VLAN.

• STALE: The reachable time for the neighbor has expired, or an unsolicited neighbor discovery packet has been received from the neighbor address, so reachability is no longer confirmed. If the path to the neighbor is then used successfully, the state returns to REACH.
• DELAY: Waiting for a response to traffic sent recently to the neighbor address.

Clearing the Neighbor Cache

After an event such as a topology change or an address change, the neighbor cache may hold too many (or outdated) entries to allow efficient use.
IPv6 Telnet Operation

This section describes Telnet operation for IPv6 on the switch. For IPv4 Telnet operation, refer to the Management and Configuration Guide for your switch.

Outbound Telnet to Another Device

Syntax: telnet < link-local-addr >%vlan< vid > [oobm]
        telnet < global-unicast-addr > [oobm]

Outbound Telnet establishes a Telnet session from the switch CLI to another IPv6 device, and includes these options.

ProCurve(config)# telnet fe80::215:60ff:fe79:980%vlan10

If the switch is receiving router advertisements from an IPv6 default gateway router, you can Telnet to a device on the same VLAN or on another VLAN or subnet by using its global unicast address.

ProCurve# show telnet

 Telnet Activity
 -------------------------------------------------------
 Session  : 1
 Privilege: Manager
 From     : Console
 To       : 10.0.10.140
 -------------------------------------------------------
 Session  : 2
 Privilege: Manager
 From     : 2620:0:260:212::2:219
 To       :
 -------------------------------------------------------
 Session  : ** 3
 Privilege: Manager
 ...

The ** in the "Session:" field indicates the session through which show telnet was run.

Enabling or Disabling Inbound Telnet Access

Syntax: [no] telnet-server [listen ]

This command is used at the global config level to enable (the default) or disable all (IPv4 and IPv6) inbound Telnet access to the switch. The no form of the command disables inbound Telnet. The listen parameter is available only on switches that have a separate out-of-band management port. Telnet carries credentials and session content in cleartext; once SSH (chapter 6) is in use for management access, disable inbound Telnet with no telnet-server.

ProCurve(config)# show console

 Console/Serial Link

  Inbound Telnet Enabled [Yes] : Yes
  Web Agent Enabled [Yes] : Yes
  Terminal Type [VT100] : VT100
  Screen Refresh Interval (sec) [3] : 3
  Displayed Events [All] : All
  Baud Rate [Speed Sense] : speed-sense
  Flow Control [XON/XOFF] : XON/XOFF
  Session Inactivity Time (min) [0] : 0

Figure 5-5. The "Inbound Telnet Enabled" line shows the inbound Telnet setting for both IPv4 and IPv6. A Session Inactivity Time of 0 means idle sessions never time out; set a non-zero value so an abandoned management session does not stay open.
SNTP and Timep

Syntax: [no] sntp
Enables SNTP with the current SNTP configuration. The no version disables SNTP without changing the current SNTP configuration.

sntp < unicast | broadcast >
Configures the SNTP mode. (Default: Broadcast)

sntp < 30 - 720 >
Changes the interval, in seconds, between time requests.

Syntax: [no] sntp server priority < 1 - 3 > < link-local-addr >%vlan< vid > [oobm] [1 - 7]
        [no] sntp server priority < 1 - 3 > < global-unicast-addr > [oobm] [1 - 7]

Configures an IPv6 address for an SNTP server.
server priority < 1 - 3 >: Specifies the priority of the server address being configured.
[1 - 7]: Specifies the SNTP version number to use with this server.

For example, to configure link-local and global unicast SNTP server addresses of:
■ fe80::215:60ff:fe7a:adc0 (on VLAN 10, configured on the switch)
■ 2001:db8::215:60ff:fe79:8980
as the priority "1" and "2" SNTP servers, respectively, using version 7, you would enter these commands at the global config level:

ProCurve(config)# sntp server priority 1 fe80::215:60ff:fe7a:adc0%vlan10 7
ProCurve(config)# sntp server priority 2 2001:db8::215:60ff:fe79:8980 7

For example, the show sntp output for the preceding sntp server command example would appear as follows. This example illustrates the command output when both IPv6 and IPv4 server addresses are configured.

ProCurve(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Sntp
  SNTP Mode : Broadcast
  Poll Interval (sec) [720] : 719

  Priority  SNTP Server Address
  --------  ----------------------------------------------
  1         2001:db8::215:60ff:fe79:8980
  2         10.255.5.

Syntax: ip timep manual < ipv6-addr > [interval < 1 - 9999 >]
Enables Timep operation with a statically configured IPv6 address for a Timep server. Optionally changes the interval between time requests.

no ip timep
Disables Timep operation.

Note: To re-enable Timep, it is necessary to reconfigure either the DHCP or the static option.

For example, to configure the Timep server link-local address fe80::215:60ff:fe7a:adc0, where the address is on VLAN 10 configured on the switch, you would enter this command at the global config level:

ProCurve(config)# ip timep manual fe80::215:60ff:fe7a:adc0%vlan10

Note: In the preceding example, using a link-local address requires that you specify the local scope for the address; VLAN 10 in this case. This is always indicated by %vlan followed immediately (without spaces) by the VLAN identifier.
Note that the show management command can also be used to display Timep server information.

TFTP File Transfers Over IPv6

Enabling TFTP for IPv6

Client and server TFTP for IPv6 are enabled by default on the switch. If either has been disabled, you can re-enable it by specifying TFTP client or server functionality with the tftp < client | server > command at the global configuration level.

Using TFTP to Copy Files over IPv6

Use the TFTP copy commands described in this section to:
■ Download specified files from a TFTP server to a switch on which TFTP client functionality is enabled.
■ Upload specified files from a switch, on which TFTP server functionality is enabled, to a TFTP server.

■ flash < primary | secondary >: Copies a software file stored on a remote host to primary or secondary flash memory on the switch. To run a newly downloaded software image, enter the reload or boot system flash command.
■ pub-key-file: Copies a public-key file to the switch.
■ startup-config: Copies a configuration file on a remote host to the startup configuration file on the switch.

Syntax: copy < source > tftp < ipv6-addr > < filename > < pc | unix > [oobm]

Copies (uploads) a source data file on a switch that is enabled with TFTP server functionality to a file on the TFTP server at the specified IPv6 address, where < source > is one of the following values:
■ command-output < cli-command >: Copies the output of a CLI command to the specified file on a remote host.

< ipv6-addr >: If this is a link-local address, use the format fe80::< device-id >%vlan< vid > (for example, fe80::123%vlan10). If this is a global unicast address, use the address itself (for example, 2001:db8::123).

oobm: For switches that have a separate out-of-band management port, specifies that the transfer will be through the out-of-band management interface. (Default is transfer through the data interface.)

Using Auto-TFTP for IPv6

At switch startup, the auto-TFTP for IPv6 feature automatically downloads a software image to the switch from a specified TFTP server, then reboots the switch. TFTP authenticates neither the server nor the image, so restrict which stations may use the switch's TFTP service (ipv6 authorized-managers ... access-method tftp, chapter 6) and prefer SCP or SFTP (chapter 6) for moving software and configuration files.
SNMP Management for IPv6

As with SNMP for IPv4, you can manage a switch via SNMP from an IPv6-based network management station by using an application such as ProCurve Manager (PCM) or ProCurve Manager Plus (PCM+). (For more on PCM and PCM+, go to the ProCurve Networking web site at www.procurve.com.)

SNMP Configuration Commands Supported

IPv6 addressing is supported in the following SNMP configuration commands. For more information on each SNMP configuration procedure, refer to the "Configuring for Network Management Applications" chapter in the current Management and Configuration Guide for your switch.

SNMPv1 and V2c

Syntax:

Note: An interface IPv6 address cannot be configured as the default source IP address used in the IP headers of SNMP notifications (traps and informs) or of responses sent to SNMP requests.

ProCurve(config)# show snmp-server

 SNMP Communities

  Community Name       MIB View  Write Access
  -------------------  --------  ------------
  public               Manager   Unrestricted
  marker               Manager   Unrestricted

 Trap Receivers

  Link-Change Traps Enabled on Ports [All] : All

  Traps Category
  ----------------------------
  SNMP Authentication
  Password change
  Login failures
  Port-Security
  Authorization Server Contact
  DHCP-Snooping
  Dynamic ARP Protection

  Address
  ---------------------
  15.29.17.

The community public with Manager view and Unrestricted write access, as listed above, is the factory default; remove or restrict it before the switch is reachable from a production network, since an SNMPv1/v2c community name is the only credential needed to change the configuration.

The show snmpv3 targetaddress command displays the configuration (including the IPv4 or IPv6 address) of the SNMPv3 management stations to which notification messages are sent.

ProCurve(config)# show snmpv3 targetaddress

 snmpTargetAddrTable [rfc2573]

  Target Name   IP Address
  ------------  ---------------------
  1             15.29.17.218
  2             15.29.17.219
  PP.217        15.29.17.
  PP.218

IP Preserve for IPv6

; J8697A Configuration Editor; Created on release #K.14.01
hostname "ProCurve"
time daylight-time-rule None
* * * * * *
password manager
password operator
ip preserve

Entering an ip preserve statement as the last line in a configuration file stored on a TFTP server allows you to download and execute the file as the startup-config file on an IPv6 switch.

To verify how IP Preserve was implemented in a switch, after the switch reboots, enter the show run command. Figure 5-11 shows an example in which all configuration settings have been copied into the startup-config file except for the IPv6 address of VLAN 1 (2001:db8::214:c2ff:fe4c:e480) and the default IPv6 gateway (2001:db8:0:7::5), which were retained.
6 IPv6 Management Security Features

Contents
IPv6 Management Security . . . 6-2
Authorized IP Managers for IPv6 . . . 6-3
  Usage Notes . . . 6-3
  Configuring Authorized IP Managers for Switch Access . . . 6-5
  Using a Mask to Configure Authorized Management Stations . . .

IPv6 Management Security

This chapter describes management security features that are IPv6 counterparts of IPv4 management security features on the switches covered by this guide.

Authorized IP Managers for IPv6

The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network.

■ You configure each authorized manager address with Manager or Operator-level privilege to access the switch.
  • Manager privilege allows full access to all web browser and console interface screens for viewing, configuration, and all other operations available in these interfaces.
  • Operator privilege allows read-only access from the web browser and console interfaces.

Configuring Authorized IP Managers for Switch Access

To configure one or more IPv6-based management stations to access the switch using the Authorized IP Managers feature, enter the ipv6 authorized-managers command.

Syntax: [no] ipv6 authorized-managers < ipv6-addr > [< ipv6-mask >] [access < manager | operator >] [access-method < all | ssh | telnet | web | snmp | tftp >]

Configures one or more authorized IPv6 addresses to access the switch.

Notes: If you do not enter a value for the ipv6-mask parameter when you configure an authorized IPv6 address, the switch automatically uses FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF as the default mask (see "Configuring Authorized IP Managers for Switch Access" on page 6-5), so the entry matches exactly one station.

Conversely, a "0" bit in a mask means that either the "on" or "off" setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address. Figure 6-2 shows the binary expressions represented by individual hexadecimal values in an ipv6-mask parameter.

Example. Figure 6-3 shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.

These mask bits are set to 0 ("off") and allow the corresponding bits in an authorized IPv6 address to be either "on" or "off". As a result, only the four IPv6 addresses shown in Figure 6-5 are allowed access.

■ Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D) because the value of each of the last four blocks in the mask is FFFF (binary 1111 1111 1111 1111). FFFF requires all bits in the corresponding block of an authorized IPv6 address to have the same "on" or "off" setting as the device ID in the specified IPv6 address.

Figure 6-7 shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside. FFF8 in the fourth block of the mask (binary 1111 1111 1111 1000) means that bits 3 - 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the "on" and "off" settings shown for the binary equivalent of 0000 in the fourth block of the IPv6 address; bits 0 - 2 are free.
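The address-and-mask rule this section describes, applied in code so an entry can be checked before it is committed on the switch, as an added example (this is not code from the HP guide). It reproduces the matching rule (a 1 bit in the mask pins the corresponding address bit, a 0 bit leaves it free), counts and enumerates the stations an entry admits, and looks up the privilege a given station would receive. The sample entries are the ones shown in the show ipv6 authorized-managers output and the operator-level command later in this section; the evaluation order (first matching entry decides) and all function names are this example's assumptions.

```python
"""Evaluate ipv6 authorized-managers address/mask pairs before applying them.

Added example (not code from the HP guide): implements the matching rule
this section describes (a 1 bit in the mask pins the corresponding
address bit, a 0 bit leaves it free) so you can check which stations an
entry admits and how many. Evaluation order is an assumption: the first
matching entry decides, which is only safe when entries do not overlap.
"""
import ipaddress
from itertools import product
from typing import Iterator, List, Optional

DEFAULT_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"  # used by the switch when no mask is given


def _addr_int(text: str) -> int:
    # Strip a %vlan<vid> scope: link-local entries carry it on the switch.
    return int(ipaddress.IPv6Address(text.split("%")[0]))


class AuthorizedManager:
    def __init__(self, address: str, mask: str = DEFAULT_MASK, access: str = "manager"):
        self.address = _addr_int(address)
        self.mask = _addr_int(mask)
        self.access = access

    def matches(self, station: str) -> bool:
        return (_addr_int(station) & self.mask) == (self.address & self.mask)

    def free_bits(self) -> List[int]:
        """Bit positions (0 = least significant) that the mask leaves unpinned."""
        return [i for i in range(128) if not (self.mask >> i) & 1]

    def count(self) -> int:
        """Number of distinct stations the entry admits."""
        return 1 << len(self.free_bits())

    def expand(self, limit: int = 256) -> Iterator[ipaddress.IPv6Address]:
        """Enumerate the admitted stations (refuses to walk huge ranges)."""
        if self.count() > limit:
            raise ValueError(f"entry admits {self.count()} stations; raise limit to enumerate")
        base, bits = self.address & self.mask, self.free_bits()
        for combo in product((0, 1), repeat=len(bits)):
            yield ipaddress.IPv6Address(base | sum(1 << b for b, on in zip(bits, combo) if on))


def check_access(rules: List[AuthorizedManager], station: str) -> Optional[str]:
    """Privilege granted to a station, or None if no entry matches (refused)."""
    for rule in rules:
        if rule.matches(station):
            return rule.access
    return None


if __name__ == "__main__":
    # Entries from the show ipv6 authorized-managers output and the
    # operator-level example in this section.
    rules = [
        AuthorizedManager("2001:db8:0:7::5"),  # default mask: exactly one station
        AuthorizedManager("2001:db8::a:1c:e3:3", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe"),
        AuthorizedManager("2001:db8:0:7:231:17ff:fec5:c967",
                          "ffff:ffff:ffff:fffe:ffff:ffff:ffff:ffe0", "operator"),
    ]
    for r in rules:
        print(f"{ipaddress.IPv6Address(r.address)} admits {r.count()} station(s) as {r.access}")
    print(sorted(str(a) for a in rules[1].expand()))
    print(check_access(rules, "2001:db8:0:6:231:17ff:fec5:c97f"))  # operator
    print(check_access(rules, "2001:db8:0:5:231:17ff:fec5:c967"))  # None: refused
```

Running count() on a proposed entry before entering it is the cheap way to catch a mask with more free bits than intended; a mask with a 0 bit in the prefix half, for instance, admits stations from other subnets that happen to share the device ID.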
Displaying an Authorized IP Managers Configuration

Use the show ipv6 authorized-managers command to list the IPv6 stations authorized to access the switch; for example:

ProCurve# show ipv6 authorized-managers

 IPv6 Authorized Managers
 --------------------------------------
 Address : 2001:db8:0:7::5
 Mask    : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 Access  : Manager

 Address : 2001:db8::a:1c:e3:3
 Mask    : ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
 Access  :

Additional Examples of Authorized IPv6 Managers Configuration

Authorizing Manager Access. The following IPv6 commands authorize manager-level access for one link-local station at a time. Note that when you enter a link-local IPv6 address with the ipv6 authorized-managers command, you must also enter a VLAN ID in the format %vlan< vid >.

The next IPv6 command authorizes operator-level access for sixty-four IPv6 stations: thirty-two stations in each of the subnets defined by 0x0006 and 0x0007 in the fourth block of an authorized IPv6 address:

ProCurve(config)# ipv6 authorized-managers 2001:db8:0000:0007:231:17ff:fec5:c967 ffff:ffff:ffff:fffe:ffff:ffff:ffff:ffe0 access operator

The following ipv6 authorized-managers command authorizes a single, automatically generated (EUI-64) IPv6
Secure Shell (SSH) for IPv6

Beginning with software release K.14.01, SSH for IPv4 and IPv6 operate simultaneously and are controlled together by the same command set; both are enabled in the default configuration. Secure Shell (SSH) for IPv6 provides the same Telnet-like functions through encrypted, authenticated transactions as SSH for IPv4.

Syntax: [no] ip ssh
Enables SSH on the switch for both IPv4 and IPv6, and activates the connection with a configured authentication server (RADIUS or TACACS+). The no form of the command disables SSH on the switch.

[cipher < cipher-type >]
Specify a cipher type to use for connection. Valid types are:
• aes128-cbc
• 3des-cbc
• aes192-cbc
• aes256-cbc
• rijndael-cbc@lysator.liu.se

[mac < MAC-type >]
Allows configuration of the set of MACs that can be selected. Valid types are:
• hmac-md5
• hmac-sha1
• hmac-sha1-96
• hmac-md5-96
Default: All MAC types are available. Use the no form of the command to disable a MAC type.

The MD5-based and 96-bit truncated MACs, and the CBC-mode ciphers listed above, are now regarded as weak. Because every type is offered by default and the client chooses, use the no form to disable hmac-md5, hmac-md5-96 and hmac-sha1-96 where your management stations support hmac-sha1, so that a client cannot negotiate down to them.

[port < 1-65535 | default >]
TCP port number used for SSH sessions in IPv4 and IPv6 connections (Default: 22).

[listen < oobm | data | both >]
The listen parameter is available only on switches that have a separate out-of-band management port. Values for this parameter are:
• oobm: inbound SSH access is enabled only on the out-of-band management port.
• data: inbound SSH access is enabled only on the data ports.
• both: inbound SSH access is enabled on both the out-of-band management port and on the data ports. This is the default value.

Displaying an SSH Configuration

To verify an SSH configuration and display all SSH sessions running on the switch, enter the show ip ssh command. Information on all current SSH sessions (IPv4 and IPv6) is displayed. With SSH running, the switch supports one console session and up to five other SSH and Telnet (IPv4 and IPv6) sessions. Web browser sessions are also supported, but are not displayed in show ip ssh output.

Secure Copy and Secure FTP for IPv6

You can use Secure Copy (SCP) and Secure FTP (SFTP) client applications as a secure alternative to TFTP for transferring sensitive switch information, such as configuration files and login information, between the switch and an administrator workstation.
7 Multicast Listener Discovery (MLD) Snooping

Contents
Overview . . . 7-2
Introduction to MLD Snooping . . . 7-3
Configuring MLD . . . 7-8
  Enabling or Disabling MLD Snooping on a VLAN . . . 7-8
  Configuring Per-Port MLD Traffic Filters . . .

Overview

Multicast addressing allows one-to-many or many-to-many communication among hosts on a network. Typical applications of multicast communication include audio and video streaming, desktop conferencing, collaborative computing, and similar applications. Multicast Listener Discovery (MLD) is an IPv6 protocol used on a local link for multicast group management. MLD is enabled per VLAN, and is analogous to the IPv4 IGMP protocol.

Introduction to MLD Snooping

There are several roles that network devices may play in an IPv6 multicast environment:
■ MLD host: a network node that uses MLD to "join" (subscribe to) one or more multicast groups
■ multicast router: a router that routes multicast traffic between subnets
■ querier: a switch or multicast router that identifies MLD hosts by sending out MLD queries, to which the MLD hosts respond
Curiously enough, a net

General operation. Multicast communication can take place without MLD, and by default MLD is disabled. In that case, if a switch receives a packet with a multicast destination address, it floods the packet to all ports in the same VLAN (except the port it came in on). Any network nodes that are listening to that multicast address will see the packet; all other hosts ignore the packet.

Note that MLD snooping operates on a single VLAN (though there can be multiple VLANs, each running MLD snooping). Cross-VLAN traffic is handled by a multicast router.

Forwarding in MLD snooping. A network node establishes itself as an MLD host by issuing a multicast "join" request (also called a multicast "report") for a specific multicast address when it starts an application that listens to multicast traffic. The switch to which the node is connected sees the join request and forwards traffic for that multicast address to the node's port.

Queries.

Fast leaves and forced fast leaves. The fast leave and forced fast leave functions can help to prune unnecessary multicast traffic when an MLD host issues a leave request for a multicast address. Fast leave is enabled by default and forced fast leave is disabled by default. Both functions are applied to individual ports.
Multicast Listener Discovery (MLD) Snooping Configuring MLD Configuring MLD Several CLI commands are available for configuring MLD parameters on a switch. Enabling or Disabling MLD Snooping on a VLAN Syntax: [no] ipv6 mld Note: This command must be issued in a VLAN context. This command enables MLD snooping on a VLAN. Enabling MLD snooping applies the last-saved or the default MLD configuration, whichever was most recently set. The [no] form of the command disables MLD snooping on a VLAN.
Configuring Per-Port MLD Traffic Filters

Syntax: ipv6 mld [auto | blocked | forward ]

Note: This command must be issued in a VLAN context.

This command sets per-port traffic filters, which specify how each port should handle MLD traffic.
Configuring the Querier

Syntax: [no] ipv6 mld querier

Note: This command must be issued in a VLAN context.

This command enables the switch to act as querier on a VLAN. The [no] form of the command prevents the switch from acting as querier on the VLAN. The querier function is enabled by default. If another switch or a multicast router is acting as the MLD querier on the VLAN, this switch will defer to that device.
For example, to disable fast leave on ports in VLAN 8:

ProCurve(vlan-8)# no ipv6 mld fastleave a14-a15

To enable fast leave on ports in VLAN 8:

ProCurve(vlan-8)# ipv6 mld fastleave a14-a15

Configuring Forced Fast Leave

Syntax: [no] ipv6 mld forcedfastleave

Note: This command must be issued in a VLAN context.

This command enables the forced fast leave function on the specified ports in a VLAN.
Displaying MLD Status and Configuration

Current MLD Status

Syntax: show ipv6 mld

Displays MLD status information for all VLANs on the switch that have MLD configured.
The following information is shown for each VLAN that has MLD snooping enabled:
■ VLAN ID number and name
■ Querier address: IPv6 address of the device acting as querier for the VLAN
■ Querier up time: the length of time in seconds that the querier has been acting as querier
■ Querier expiry time: if this switch is the querier, this is the amount of time until the switch sends the next general query.
Current MLD Configuration

Syntax: show ipv6 mld config

Displays the current global MLD configuration for all MLD-enabled VLANs on the switch.

show ipv6 vlan config

Displays the current MLD configuration for the specified VLAN, including per-port configuration information.
The specific form of the command might look like this:

ProCurve# show ipv6 mld vlan 8 config
 MLD Service Vlan Config
  VLAN ID : 8
  VLAN NAME : VLAN8
  MLD Enabled [No] : Yes
  Querier Allowed [Yes] : Yes

  Port  Type      | Port Mod
  ----  --------- + --------
  A13   100/1000T |
  A14   100/1000T |
  A15   100/1000T |
  A16   100/1000T |
  A17   100/1000T |
  A18   100/1000T |
  A19   100/1000T |
  A20   100/1000T |
  A21   100/1000T |
  A22   100/1000T |
  A23   100/1000T |
  A24   100/1000T |
Ports Currently Joined

Syntax: show ipv6 mld vlan group

Lists the ports currently joined for all IPv6 multicast group addresses in the specified VLAN.
vid: VLAN ID

show ipv6 mld vlan group

Lists the ports currently joined for the specified IPv6 multicast group address in the specified VLAN.
vid: VLAN ID
ipv6-addr: address of the IPv6 multicast group for which you want information

For example, the general
The following information is shown:
■ VLAN ID and name
■ Port information for each IPv6 multicast group address in the VLAN (general group command) or for the specified IPv6 multicast group address (specific group command):
  • group multicast address
  • last reporter: last MLD host to send a join to the group address
  • group expiry time: the time until the group expires if no further joins are seen
  • port name for e
For example, the general form of the command:

ProCurve# show ipv6 mld statistics
 MLD Service Statistics
  Total vlans with MLD enabled             : 2
  Current count of multicast groups joined : 36

 MLD Joined Groups Statistics
  VLAN ID  VLAN NAME     filtered  standard  total
  -------  ------------  --------  --------  -----
  8        VLAN8         26        0         26
  9        VLAN9         10        0         10

Figure 7-9.
Counters

Syntax: show ipv6 mld vlan counters

Displays MLD counters for the specified VLAN.
vid: VLAN ID

ProCurve# show ipv6 mld vlan 8 counters
 MLD Service Vlan Counters
  VLAN ID : 8
  VLAN NAME : VLAN8
  General Query Rx
  General Query Tx
  Group Specific Query Rx
  Group Specific Query Tx
  V1 Member Report Rx
  V2 Member Report Rx
  Leave Rx
  Unknown MLD Type Rx
  Unknown Pkt Rx
  Forward to Routers Tx Counter
  Forward to Vlan Tx Counter
The following information is shown:
■ VLAN number and name
■ For each VLAN:
  • number of general queries received
  • number of general queries sent
  • number of group-specific queries received
  • number of group-specific queries sent
  • number of MLD version 1 member reports (joins) received
  • number of MLD version 2 member reports (joins) received
  • number of leaves received
  • number of MLD packets of unknown
8 IPv6 Access Control Lists (ACLs)

Contents

Introduction  8-4
Overview of Options for Applying IPv6 ACLs on the Switch  8-6
Static ACLs  8-6
RADIUS-Assigned ACLs  8-6
Command Summary for Configuring ACLs
How an ACE Uses a Prefix To Screen Packets for SA and DA Matches  8-32
Prefix Usage Differences Between ACLs and Other IPv6 Addressing  8-33
Configuring and Assigning an IPv6 ACL  8-34
General Steps for Implementing IPv6 ACLs
Operating Notes for Remarks  8-73
Displaying ACL Configuration Data  8-75
Display an ACL Summary  8-76
Display the Content of All ACLs on the Switch  8-77
Display the IPv4 and IPv6 VACL Assignments for a VLAN
Introduction

An Access Control List (ACL) contains one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit static IPv6 ACLs for filtering IPv6 traffic in a network populated with the switches covered by this guide, and how to monitor IPv6 ACL actions.
IPv6 traffic filtering with ACLs can help to improve network performance and restrict network use by creating policies for:
■ Switch Management Access: Permits or denies in-band management access. This includes limiting and/or preventing the use of designated protocols that run on top of IPv6, such as TCP, UDP, ICMP, and others.
Overview of Options for Applying IPv6 ACLs on the Switch

To apply IPv6 ACL filtering, assign a configured IPv6 ACL to the interface on which you want the traffic filtering to occur. VLAN IPv6 traffic ACLs can be applied statically using the switch configuration. Port traffic ACLs can be applied either statically or dynamically (using a RADIUS server).

Static ACLs

Static ACLs are configured on the switch.
Command Summary for Configuring ACLs

Create an IPv6 ACL or Add an ACE to the End of an Existing IPv6 ACL (page 8-45)

ProCurve(config)# ipv6 access-list < name-str >
ProCurve(config-ipv6-acl)# < deny | permit >
   < ipv6 | esp | ah | sctp | ipv6-protocol-nbr > < any | host | SA/< prefix-length >> < any | host < DA > | DA/< prefix-length >>
   < tcp | udp > < any | host | SA/< prefix-length > > [comparison-operator <
Terminology

Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria.
ACL ID: An alphanumeric string used to identify an ACL. See also identifier and name-str.

Note: RADIUS-assigned ACLs are identified by client authentication data and do not use the ACL ID strings described in this chapter.

ACL Prefix: Follows any IPv6 address listed in an IPv6 ACE. Analogous to the ACL mask used with IPv4 ACEs.
Note that an empty ACL does not include an Implicit Deny and does not filter traffic. However, if you configure any ACE in an empty ACL that is already assigned to an interface, the ACL immediately begins filtering traffic, which includes application of the Implicit Deny.

identifier: A term used in ACL syntax statements to represent the alphanumeric name by which the ACL can be accessed. An identifier can have up to 64 characters. See also name-str.
on a VLAN interface, but outbound, switched traffic is not filtered by ACLs. In software release K.14.01, RACLs are supported for IPv4 traffic, but not for IPv6 traffic. (Refer also to “IPv6 ACL Applications” on page 8-13.)

Permit: An ACE configured with this action allows the switch to forward an IPv6 packet for which there is a match.
Static Port ACL: An ACL statically configured on a specific port, group of ports, or trunk. A static port ACL filters incoming IPv6 traffic on the port.

VACL: See “VLAN ACL”.

VLAN ACL (VACL): An ACL applied to all IPv6 traffic entering the switch on a given VLAN interface. See also “Access Control List”.

Wildcard: The bits in an SA or DA of a packet that are ignored when determining whether the packet is a match for a given ACE.
Overview

■ RADIUS-assigned ACL: on a port having an ACL assigned by a RADIUS server to filter an authenticated client’s traffic, filters inbound IPv4 and IPv6 traffic (or IPv4-only traffic) from that client. (For information on RADIUS-assigned ACLs, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services” in the latest Access Security Guide for your switch.)
The prefix for this example is /64.
Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers and can be configured to filter IPv4 and IPv6 traffic inbound from clients authenticated by such servers. For example, in figure 8-1, client “A” connects to a given port and is authenticated by a RADIUS server. Because the server is configured to assign a dynamic ACL to the port, the IPv4 and IPv6 traffic inbound on the port from client “A” is filtered.
■ If you configure 802.1X user-based security on a port and the RADIUS response includes a RADIUS-assigned ACL for at least one authenticated client, then the RADIUS response for all other clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic on the port from a client that authenticates without receiving a RADIUS-assigned ACL will be dropped and the client will be de-authenticated.
■ Using 802.
■ For the Web authentication method, clients must authenticate using IPv4. However, this does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned ACL configured with ACEs to filter IPv6 traffic.
■ The RADIUS server must support IPv4 and have an IPv4 address. RADIUS clients can be dual stack, IPv6-only, or IPv4-only.
■ 802.1X rules for client access apply to both IPv6 and IPv4 clients for RADIUS-assigned ACLs. Refer to “802.
Filtering Inbound Traffic with Multiple ACLs. When traffic inbound on a port is subject to multiple ACL assignments, and a RADIUS-assigned, user-based ACL is present, then this traffic must satisfy the following conditions to be permitted on the switch:
1. Originate with an authenticated client associated with the RADIUS-assigned ACL (if present).
2. Be permitted by the RADIUS-assigned ACL (if present).
Notes

Software release K.14.01 supports connection-rate ACLs for inbound IPv4 traffic, but not for IPv6 traffic.

Beginning with software release K.14.01, static ACL mirroring and static ACL rate-limiting are deprecated in favor of classifier-based mirroring and rate-limiting features that do not use ACLs. If ACL mirroring or ACL rate-limiting are already configured in a switch running software version K.13.xx, then downloading and booting from release K.14.
■ In any ACL, you can apply an ACL log function to ACEs that have an explicit “deny” action. (The logging occurs when there is a match on a “deny” ACE that includes the log keyword.) The switch sends ACL logging output to Syslog, if configured, and optionally, to a console session.

You can create ACLs for the switch configuration using either the CLI or a text editor.
3. Design the ACLs for the control points (interfaces) you have selected. Where you are using explicit “deny” ACEs, you can optionally use the ACL logging feature for notification that the switch is denying unwanted packets.
4. Configure the ACLs on the selected switches.
5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL or VACL) appropriate for each assignment.
IPv6 ACL Operation

Introduction

An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options:
■ IPv6 traffic inbound on a port.
■ IPv6 traffic inbound on a VLAN.
Implicit Deny. If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit deny so that a packet that does not have a match will be permitted, then configure permit ipv6 any any as the last ACE in the ACL.
implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.

(Flowchart: test the packet against the criteria in the first ACE. Is there a match? Yes: perform the action (permit or deny) and end. No: test the packet against the criteria in the second ACE. Is there a match? Yes: perform the action (permit or deny) and end. No: continue with the next ACE.)

1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.
1. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42.
2. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101.
3. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101.
4. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33.
5. Deny any other inbound IPv6 traffic.
Planning an ACL Application

insert an explicit permit ipv6 any any as the last ACE in the ACL. Doing so permits any packet not explicitly denied by earlier entries. (Note that this solution would not apply in the preceding example, where the intention is for the switch to forward only the explicitly permitted packets entering the switch on VLAN 100.)
Depending on the source and/or destination of a given IPv6 traffic type, you must also determine the ACL application(s) (VACL or static port ACL) needed to filter the traffic on the applicable switch interfaces. Answering the following questions can help you to design and properly position ACLs for optimum network usage.
■ blocking access to sensitive data storage or restricted equipment
■ preventing specific TCP, UDP, and ICMP traffic types, including unauthorized access using functions such as Telnet, SSH, and web browser

You can also enhance switch management security by using ACLs to block IPv6 traffic that has the switch itself as the destination address (DA).
■ On any ACL, the switch implicitly denies IPv6 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, append an ACE that enables Permit Any forwarding as the last ACE in the ACL. This ensures that no packets reach the Implicit Deny case for that ACL.
■ Explicitly Permitting IPv6 Traffic: Entering a permit ipv6 any any ACE in an ACL permits the IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
■ Explicitly Denying IPv6 Traffic: Entering a deny ipv6 any any ACE in an ACL denies IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.
How an ACE Uses a Prefix To Screen Packets for SA and DA Matches

For an IPv6 ACL, a match with a packet occurs when both the protocol and the SA/DA configured in a given ACE within the ACL are a match with the same criteria in a packet being filtered by the ACL. In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a match.
To summarize, when the switch compares an IPv6 packet to an ACE in an ACL, it uses the subnet prefixes configured with the SA and DA in the ACE to determine how many leftmost, contiguous bits in the ACE’s SA and DA must be matched by the same bits in the SA and DA carried by the packet.
Configuring and Assigning an IPv6 ACL

ACL Feature                          Page
Adding or Removing an ACL            8-59
Enabling or Disabling ACL Filtering  8-62

General Steps for Implementing IPv6 ACLs

1. Configure one or more ACLs. This creates and stores the ACL(s) in the switch configuration.
2. Assign an ACL.
ACL Configuration

After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL. Also, it is helpful to understand the configuration structure when using later sections in this chapter. The basic ACL structure includes four elements:
1. ACL identity: This is a string of up to 64 characters specifying the ACL name.
2.
ACL Configuration Structure

Individual ACEs in an IPv6 ACL include:
■ Optional remark statements
■ A permit/deny statement
■ Source and destination IPv6 addressing
■ Choice of IPv6 criteria
■ Optional ACL log command (for deny entries)

ipv6 access-list < identifier >
   [ seq-# ] [ remark < remark-str > ]
   < permit | deny > < 0 - 255 | esp | ah | sctp | icmp >
   < SA > [operator < value >] < DA > [operator < value >] [type [code] | icmp-msg ] [ds
For example, the ACL in figure 8-8 filters traffic for individual hosts in some instances and all hosts in others:

ProCurve# show run
  . . .
  ipv6 access-list "Sample-List-1"
    10 permit ipv6 2001:db8:0:130::55/128 2001:db8:0:130::240/128
    20 permit tcp ::/0 ::/0 eq 23
    30 remark "ALLOWS HTTP FROM SINGLE HOST."
    30 permit tcp 2001:db8:0:140::14/128 eq 80 ::/0 eq 3871
    40 remark "DENIES HTTP FROM ANY TO ANY.
ACL Configuration Factors

The Sequence of Entries in an ACL Is Significant

When the switch uses an ACL to determine whether to permit or deny a packet, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found.
Table 8-2. Effect of the Above ACL on Inbound IPv6 Traffic in the Assigned VLAN

Line #  Action
n/a     Shows IP type (IPv6) and ID (Sample-List-2).
10      A packet from source address 2001:db8:235:10 will be denied (dropped). This ACE filters out all packets received from 2001:db8:235:10. As a result, IPv6 traffic from that device will not be allowed and packets from that device will not be compared against any later entries in the list.
A Configured ACL Has No Effect Until You Apply It to an Interface

The switch stores ACLs in the configuration file. Until you actually assign an ACL to an interface, it is present in the configuration, but not used (and does not use any of the monitored resources described in the appendix titled “Monitored Resources” in the latest version of the Management and Configuration Guide for your switch).
General ACE Rules

These rules apply to all ACEs you create or edit using the CLI:

Adding or Inserting an ACE in an ACL. To add an ACE to the end of an ACL, use the ipv6 access-list < name-str > command to enter the context for a specific IPv6 ACL. (If the ACL does not already exist in the switch configuration, this command creates it.) Then enter the text of the ACE without specifying a sequence number.
Table 8-3. Examples of CIDR Notation for Prefix Lengths

SA or DA Used In an ACL with CIDR Notation | Resulting Prefix Length Defining an Address Match | Meaning
2620:0:a03:e102::/64      | 2620:0:a03:e102      | The leftmost 64 bits must match. The remaining 64 bits are wildcards.
2620:0:a03:e102:215::/80  | 2620:0:a03:e102:215  | The leftmost 80 bits must match. The remaining 48 bits are wildcards.
Configuration Commands

Command Summary for Configuring ACLs

(Same summary as given under “Overview of Options for Applying IPv6 ACLs on the Switch” above.)
■ TCP flag (control bit) options
■ filtering for TCP traffic based on whether the subject traffic is initiating a connection (“established” option)
■ optional DSCP (IP precedence and ToS) criteria

The switch allows up to 2048 ACLs each for IPv4 and IPv6 (with RADIUS-based ACL resources drawn from the IPv4 allocation). The total is determined from the number of unique identifiers in the configuration.
Topic                              Page
creating or editing ACLs offline   8-84
enabling ACL “Deny” logging        8-89

Creating an ACL and/or Entering the IPv6 ACL (ipv6-acl) Context. This command is a prerequisite for entering or editing ACEs in an ACL. (For a summary of the ACL syntax options, refer to “Command Summary for Configuring ACLs” on page 8-43.)
Syntax: < deny | permit > < ipv6 | ipv6-protocol | ipv6-protocol-nbr >
           < any | host < SA > | SA/ prefix-length >
           < any | host < DA > | DA/ prefix-length >
           [ dscp < tos-bits | precedence > ] [ log ]
        (ipv6-acl context)

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (page 8-68).
< ipv6 | ipv6-protocol | ipv6-protocol-nbr >

Used after deny or permit to specify the packet protocol type required for a match. An ACL must include one of the following:
• ipv6: any IPv6 packet.
• ipv6-protocol: any one of the following IPv6 protocol names: esp, ah, sctp, icmp*, tcp*, udp*

* For TCP, UDP, and ICMP, additional, optional criteria can be specified, as described on pages 8-52 through 8-56.
Note: For more on how prefix lengths are used in IPv6 ACLs, refer to “How an ACE Uses a Prefix To Screen Packets for SA and DA Matches” on page 8-32.

< any | host < DA > | DA/prefix-length >

This is the second instance of addressing in an IPv6 ACE. It follows the first (SA) instance, described earlier in this section, and defines the destination IPv6 address (DA) that a packet must carry to have a match with the ACE.
0 - 63: Select a specific DSCP codepoint by entering its decimal equivalent. (Refer to table 8-4, “DSCP Codepoints with Decimal Equivalents” on page 8-51.)

Assured Forwarding (AF) codepoint matches:

AF    DSCP Match    AF    DSCP Match
af11  001010        af31  011010
af12  001100        af32  011100
af13  001110        af33  011110
af21  010010        af41  100010
af22  010100        af42  100100
af23  010110        af43  100110

default: Matches with the 000000 (default) DSCP.
[log]

This option can be used after the DA to generate an Event Log message if:
• The action is deny. (Not applicable to permit actions.)
• There is a match.
• ACL logging is enabled. (Refer to “Enabling ACL Logging on the Switch” on page 8-90.)

For a given ACE, if log is used, it must be the last keyword entered.

Table 8-4.
Options for TCP and UDP Traffic in IPv6 ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. (For a summary of the syntax options, refer to “Command Summary for Configuring ACLs” on page 8-43.)
Comparison Operators:
• eq < tcp/udp-port-nbr >: “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >.
• gt < tcp/udp-port-nbr >: “Greater Than”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than < tcp/udp-port-nbr >.
[established]: This option applies only where TCP is the configured IPv6 protocol type. It blocks the synchronizing packet associated with establishing a new TCP connection while allowing all other IPv6 traffic for existing connections. For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device.
summary of the syntax options, refer to “Command Summary for Configuring ACLs” on page 8-43.)

Syntax: < deny | permit > icmp < SA > < DA > [ icmp-type [icmp-code]]
        < deny | permit > icmp < SA > < DA > [ icmp-type-name ]

Using icmp as the packet protocol type, you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match.
[ icmp-type-name ]

These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more information, visit the IANA website cited above.
(Figure 8-11, network diagram; labels and addresses as recovered from the page: Management Station 2001:db8::1:10:10 and a 5400zl at 2001:db8::1:10:1 on the Campus Intranet; a 6200yl at 2001:db8::1:10:2; Server “1” 2001:db8::1:10:3; Server “2” 2001:db8::1:10:4; Workgroup “A” 2001:db8::1:20:0/121 behind a 3500yl at 2001:db8::1:20:128; Workgroup “B” 2001:db8::1:30:0/121 behind a 3500yl at 2001:db8::1:30:128.)

Figure 8-11.
The configuration of the example in the switch appears as follows:

Port-1(config)# show access-list config
  ipv6 access-list "Test-01"
    10 permit ipv6 2001:db8::1:10:10/128 ::/0
    20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log
    30 deny ipv6 2001:db8::1:20:0/121 2001:db8::1:10:4/128 log
    40 deny tcp 2001:db8::1:30:0/121 2001:db8::1:10:4/128 eq 23 log
    50 deny ipv6 2001:db8::1:30:0/121 2001:db8::1:10:3/128
    60 deny icmp ::/0 ::/0 133
    70 permit
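The "Test-01" ACL above, run through an added example that is not from the HP manual: a small Python model of the evaluation rules this chapter describes (first match in sequence order, the SA/DA prefix match from "How an ACE Uses a Prefix To Screen Packets for SA and DA Matches", the eq/gt comparison operators, the established option, an ICMP type, log on deny ACEs, and the Implicit Deny). Line 70 of Test-01 is cut off on the page, so the model uses lines 10 to 60 plus a constructed permit ipv6 any any variant; the Packet and ACE types are the example's own.

```python
"""Added example, not from the HP manual: a model of how the switch evaluates an IPv6 ACL
(first match in sequence order, SA/DA prefix matching, eq/gt port operators, 'established',
an ICMP type, 'log', and the Implicit Deny). The Packet/ACE classes are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    syn_only: bool = False                # the SYN that opens a new TCP connection
    icmp_type: Optional[int] = None


@dataclass
class ACE:
    seq: int
    action: str                           # "permit" or "deny"
    proto: str                            # "ipv6" matches any IPv6 packet
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: Optional[Tuple[str, int]] = None   # e.g. ("eq", 23) or ("gt", 1023)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False
    icmp_type: Optional[int] = None
    log: bool = False


def parse_ace(line: str) -> ACE:
    """Parse one ACE as 'show run' prints it, e.g.
    '20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log' ('any'/'host' accepted)."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    pos = 3

    def addr() -> ipaddress.IPv6Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.IPv6Network("::/0")
        if tok[pos] == "host":            # host <addr> means <addr>/128
            pos += 2
            return ipaddress.IPv6Network(tok[pos - 1] + "/128")
        pos += 1
        return ipaddress.IPv6Network(tok[pos - 1], strict=False)

    def port_op() -> Optional[Tuple[str, int]]:
        nonlocal pos
        if proto in ("tcp", "udp") and pos < len(tok) and tok[pos] in ("eq", "gt"):
            pos += 2
            return (tok[pos - 2], int(tok[pos - 1]))
        return None

    src, sport = addr(), port_op()        # SA [operator value] comes first ...
    dst, dport = addr(), port_op()        # ... then DA [operator value]
    rest = tok[pos:]
    icmp_type = int(rest[0]) if proto == "icmp" and rest and rest[0].isdigit() else None
    return ACE(seq, action, proto, src, dst, sport, dport,
               "established" in rest, icmp_type, "log" in rest)


def port_matches(rule: Optional[Tuple[str, int]], port: int) -> bool:
    return rule is None or (port == rule[1] if rule[0] == "eq" else port > rule[1])


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto not in ("ipv6", pkt.proto):
        return False
    # Only the leftmost prefix-length bits of SA and DA are compared; the rest are wildcards.
    if ipaddress.IPv6Address(pkt.src) not in ace.src or ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    if not (port_matches(ace.sport, pkt.sport) and port_matches(ace.dport, pkt.dport)):
        return False
    if ace.established and pkt.syn_only:  # 'established' never matches a new-connection SYN
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type


def evaluate(acl, pkt: Packet):
    """First match wins: returns (action, seq, logged). No match is the Implicit Deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq, ace.action == "deny" and ace.log
    return "deny", None, False


# Lines 10-60 of the "Test-01" ACL shown above (line 70 is cut off on the page).
TEST_01 = [parse_ace(l) for l in (
    "10 permit ipv6 2001:db8::1:10:10/128 ::/0",
    "20 deny tcp 2001:db8::1:20:0/121 2001:db8::1:10:3/128 eq 23 log",
    "30 deny ipv6 2001:db8::1:20:0/121 2001:db8::1:10:4/128 log",
    "40 deny tcp 2001:db8::1:30:0/121 2001:db8::1:10:4/128 eq 23 log",
    "50 deny ipv6 2001:db8::1:30:0/121 2001:db8::1:10:3/128",
    "60 deny icmp ::/0 ::/0 133",
)]
# Constructed variant: the chapter's way of overriding the Implicit Deny.
TEST_01_OPEN = TEST_01 + [parse_ace("70 permit ipv6 any any")]

if __name__ == "__main__":
    web = Packet("2001:db8::1:20:5", "2001:db8::1:10:3", "tcp", 40001, 80)
    print(evaluate(TEST_01, web), evaluate(TEST_01_OPEN, web))
```

Workgroup A's /121 covers only 2001:db8::1:20:0 through 2001:db8::1:20:7f, so a packet from the 3500yl at 2001:db8::1:20:128 falls through line 20 and reaches the Implicit Deny.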
Adding or Removing an ACL Assignment On an Interface

Filtering Switched IPv6 Traffic Inbound on a VLAN

For a given VLAN interface, you can assign an ACL as a VACL to filter switched IPv6 traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs. For limits and operating rules, refer to “ACL Configuration and Operating Rules” on page 8-30.
ProCurve(config)# vlan 20 ipv6 access-group List-010 vlan      (Enables a VACL from the Global Configuration Level.)
ProCurve(config)# vlan 20
ProCurve(vlan-20)# ipv6 access-group List-015 vlan              (Enables a VACL from a VLAN Context.)
ProCurve(vlan-20)# exit
and operating rules, refer to “ACL Configuration and Operating Rules” on page 8-30.

Syntax: [no] interface < port-list | Trkx > ipv6 access-group < identifier > in

Assigns an ACL as a static port ACL to a port, port list, or static trunk to filter switched IPv6 traffic entering the switch on that interface.
Deleting an ACL

Syntax: no ipv6 access-list < identifier >

Used in the global config context to remove the specified IPv6 ACL from the switch’s running-config file.
< identifier >: The alphanumeric name by which the ACL can be accessed.
Editing an Existing ACL

The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline” on page 8-84.
IPv6 Access Control Lists (ACLs) Editing an Existing ACL Sequence Numbering in ACLs The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is “10” and subsequent ACEs are numbered in increments of 10.
To continue from figure 8-17 and append a final ACE to the end of the ACL:

   ProCurve(config-ipv6-acl)# deny ipv6 2001:db8:0:5ad::/64 any     ACE appended as line 70, below.
   ProCurve(config-ipv6-acl)# permit ipv6 any any                   Appended as line 80, below.
   ProCurve(config-ipv6-acl)# show run
   . . .

   ProCurve(Config)# ipv6 access-list My-list                                   Enters the Named-ACL context for “My-list”.
   ProCurve(config-ipv6-acl)# 45 permit icmp host 2001:db8:0:5ad::33 ::/0       Inserts a new ACE assigned to line 35.
   ProCurve(config-ipv6-acl)# show run
   . . .
   ipv6 access-list "My-list"
      10 permit ipv6 2001:db8:0:5ad::25/128 ::/0
      20 permit ipv6 2001:db8:0:5ad::111/128 ::/0
Deleting an ACE from an Existing ACL

This action provides the option of using either the sequence number of an ACE or the syntax of the ACE to delete the ACE from an ACL.

Syntax: no < 1-2147483647 >
        no < permit | deny > < ipv6-ACE-criteria >

   Both command options require entering the configuration context of the ACL containing the ACE you want to delete. The first command option deletes the ACE assigned to the specified sequence number.
ACL before deleting an ACE:

   ProCurve(config)# show access-list My-List config
   ipv6 access-list "My-List"
      10 permit ipv6 fe80::100/128 ::/0
      20 deny ipv6 fe80::110/128 fe80::/124
      30 deny ipv6 fe80::111/128 fe80::/124
      40 permit ipv6 ::/0 ::/0
      exit
   ProCurve(config)# ipv6 access-list My-List      Enters the IPv6 ACL (config-ipv6-acl) context for “My-List”.

This command deletes the ACE at line 30. After the deletion and a resequence:

   ProCurve(config)# show access-list My-List config
   ipv6 access-list "My-List"
      10 permit ipv6 fe80::100/128 ::/0
      20 deny ipv6 fe80::110/128 fe80::/124
      40 permit ipv6 ::/0 ::/0
      exit
   ProCurve(config)# ipv6 access-list resequence My-List 100 100
   ProCurve(config)# show access-list config
   ipv6 access-list "My-List"
      100 permit ipv6 fe80::100/128 ::/0
      200 deny ipv6 fe80::110/128 fe80::/124
      300 permit ipv6 ::/0 ::/0
      exit

Figure 8-22.
Syntax: remark < remark-str >
        < 1-2147483647 > remark < remark-str >
        no < seq-# > remark

   These commands are used in the ACL context to enter a comment related to an adjacent ACE. To associate a remark with a specific ACE, do one of the following:
   • Enter the remark first (without a sequence number) and immediately follow it with the ACE (also without a sequence number).

Appending Remarks and Related ACEs to the End of an ACL. To include a remark for an ACE that will be appended to the end of the current ACL, enter the remark first, then enter the related ACE. This results in the remark and the subsequent ACE having the same sequence number.
   ProCurve(config-ipv6-acl)# 15 remark "PERMIT HTTP; STATION 23; SUBNET 1D"
   ProCurve(config-ipv6-acl)# 15 permit tcp host 2001:db8:0:1d::23 eq 2001:db8:0:2f::/64
   ProCurve(config-ipv6-acl)# show access config
   . . .
   80

The above two commands insert a remark with its corresponding ACE (same sequence number) between two previously configured ACEs.

Using the no < 1-2147483647 > command without the remark keyword deletes both the remark and the ACE to which it is attached.

Operating Notes for Remarks

■ An “orphan” remark is a remark that does not have an ACE counterpart with the same sequence number. The resequence command renumbers an orphan remark as a sequential, standalone entry without a permit or deny ACE counterpart.

   ProCurve(config-ipv6-acl)# permit ipv6 host fe80::a1:121 fe80::/104
   ProCurve(config-ipv6-acl)# deny tcp any eq ftp 2001:db8:0:a1::/64
   ProCurve(config-ipv6-acl)# remark Marketing
   ProCurve(config-ipv6-acl)# remark Channel_Mktg
   Port_1_5400(config-ipv6-acl)# show access-list Accounting config
   ipv6 access-list "Accounting"
      10 permit ipv6 fe80::a1:121/128 fe80::/104
      20 deny tcp ::/0 eq 21 2001:db8:0:a1::/64
      30 remark "Channel_Mktg"
      exit

Where multiple rema
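An added, constructed Python model (not switch code) of the editing rules described under Sequence Numbering in ACLs and in the remark section above: default numbering in steps of 10, inserting by explicit sequence number, rejecting a duplicate number, deleting by number or by ACE syntax, a remark that shares its ACE's number, a second consecutive un-numbered remark replacing the first, orphan remarks, and resequence. Where the guide states no rule (for example how the next default number is chosen when the highest entry is a remark), the model's choice is marked as an assumption in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    seq: int
    kind: str    # "remark" or "ace"
    text: str    # remark string, or the permit/deny line without its number


class IPv6Acl:
    """Offline model of the sequence-number editing rules (constructed example)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def _sort(self) -> None:
        # a remark sorts ahead of the ACE that shares its sequence number
        self.entries.sort(key=lambda e: (e.seq, 0 if e.kind == "remark" else 1))

    def _has(self, seq: int, kind: str) -> bool:
        return any(e.seq == seq and e.kind == kind for e in self.entries)

    def _next_seq(self) -> int:
        # default numbering: 10 for the first entry, then steps of 10 past the
        # highest number in use (assumption: remark-only entries count as well)
        return max((e.seq for e in self.entries), default=0) + 10

    def _pending_remark(self) -> Optional[Entry]:
        # an un-numbered remark waits at the end of the list for the next ACE
        last = self.entries[-1] if self.entries else None
        if last and last.kind == "remark" and not self._has(last.seq, "ace"):
            return last
        return None

    def remark(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:
            pending = self._pending_remark()
            if pending:                 # consecutive remarks: the later one replaces the earlier
                pending.text = text
                return pending.seq
            seq = self._next_seq()
        elif self._has(seq, "remark"):
            raise ValueError(f"remark {seq} already exists")
        self.entries.append(Entry(seq, "remark", text))
        self._sort()
        return seq

    def ace(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:
            pending = self._pending_remark()
            seq = pending.seq if pending else self._next_seq()
        elif self._has(seq, "ace"):
            raise ValueError(f"duplicate sequence number {seq}")
        self.entries.append(Entry(seq, "ace", text))
        self._sort()
        return seq

    def delete(self, seq: int) -> None:
        """no <seq>: removes the ACE and any remark attached to it."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def delete_remark(self, seq: int) -> None:
        """no <seq> remark: removes only the remark, leaving the ACE in place."""
        self.entries = [e for e in self.entries if not (e.seq == seq and e.kind == "remark")]

    def delete_by_text(self, text: str) -> None:
        """no <permit|deny> <criteria>: removes the ACE with that exact syntax."""
        self.entries = [e for e in self.entries if not (e.kind == "ace" and e.text == text)]

    def resequence(self, start: int, interval: int) -> None:
        """Renumber in order; an orphan remark becomes its own standalone entry."""
        mapping = {}
        for e in self.entries:
            if e.seq not in mapping:
                mapping[e.seq] = start + interval * len(mapping)
        for e in self.entries:
            e.seq = mapping[e.seq]

    def show(self) -> List[str]:
        """Lines as show access-list <name> config prints them."""
        return [f'{e.seq} remark "{e.text}"' if e.kind == "remark" else f"{e.seq} {e.text}"
                for e in self.entries]
```

Replaying the My-List sequence from figure 8-22 (four ACEs, delete 30, resequence 100 100) yields lines numbered 100, 200 and 300, and replaying the Accounting sequence above leaves remark "Channel_Mktg" alone at 30 as an orphan.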
Displaying ACL Configuration Data

The show commands in this section apply to both IPv6 and IPv4 ACLs. For information on IPv4 ACL operation, refer to the chapter titled “IPv4 Access Control Lists” in the Access Security Guide for your switch.

   ACL Command          Function                                                            Page
   show access-list     Displays a brief listing of all IPv4 and IPv6 ACLs on the switch.   8-76
Display an ACL Summary

This command lists the configured IPv4 and IPv6 ACLs, regardless of whether they are assigned to any interfaces.

Syntax: show access-list

   Lists a summary table of the name, type, and application status of all ACLs (IPv4 and IPv6) configured on the switch.

Display the Content of All ACLs on the Switch

This command lists the configuration details for every IPv4 and IPv6 ACL in the running-config file, regardless of whether any are actually assigned to filter traffic on specific interfaces.

Syntax: show access-list config

   Lists the configured syntax for all IPv4 and IPv6 ACLs currently configured on the switch.
Display the IPv4 and IPv6 VACL Assignments for a VLAN

This command lists the identifiers and type(s) of VACLs currently assigned to a particular VLAN in the running-config file. For IPv6 ACLs, the switch supports one VACL assignment per VLAN. For IPv4 ACLs, the switch supports one inbound and one outbound RACL assignment per VLAN, and one VACL assignment per VLAN.

Display Static Port (and Trunk) ACL Assignments

This command lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. (The switch allows one static port ACL assignment per port.)

Syntax: show access-list ports < all | port-list >

   Lists the current static port ACL assignments for ports and trunks in the running-config file.
Displaying the Content of a Specific ACL

This command displays a specific IPv6 or IPv4 ACL configured in the running-config file in an easy-to-read tabular format.

Note: This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display. For information on IPv4 ACL operation, refer to the latest version of the Access Security Guide for your switch.

   ProCurve(config)# show access-list Accounting
   Access Control Lists
   Name: Accounting
   Type: ipv6
   Applied: Yes          Indicates whether the ACL is applied to an interface.
   SEQ  Entry
   Remark Field (Appears if remark configured.)

   ProCurve(config)# show access-list List-120
   Access Control Lists
   Name: List-120
   Type: Extended
   Applied: No           Indicates whether the ACL is applied to an interface.
   SEQ  Entry
   Remark Field (Appears if remark configured.)
   ------------------------------------------------------------------
   10   Action: permit
        Remark: Telnet Allowed
        Src IP: 10.30.133.27   Mask: 0.0.0.0   Port(s): eq 23     Source Address
        Dst IP: 0.0.0.0   Mask: 255.255.255.
Table 8-5. Descriptions of Data Types Included in Show Access-List < acl-id > Output

   Field   Description
   Name    The ACL identifier. For IPv6 ACLs, is an alphanumeric name. For IPv4 ACLs, can be a number from 1 to 199, or an alphanumeric name.
   Type    IPv6, Standard, or Extended. IPv6 ACLs use a source and a destination address, plus IPv6 protocol specifiers. Standard ACLs are IPv4 only, and use only a source IP address.
Creating or Editing ACLs Offline

The section titled “Editing an Existing ACL” on page 8-63 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides a useful alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to:

■ move an existing ACL to a TFTP server
■ use a text (.

If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access-list command to remove the earlier version of the ACL from the switch’s running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL.

   ipv6 access-list "acl-001" ; CREATED ON JUNE 10      The “ ; ” enables a comment in the file.

In this example, the CLI would show output similar to the following to indicate that the ACL was successfully downloaded to the switch:

   ProCurve(config)# copy tftp command-file fe80::1ad:17 acl-001.txt pc
   Running configuration may change, do you want to continue [y/n]? y
   1. ipv6 access-list "acl-001"
   6. ; CREATED ON JUNE 10
   10.

Note: If a transport error occurs, the switch does not execute the command and the ACL is not configured.

   ProCurve(config)# show run
   . . .
   ipv6 access-list "acl-001"
      10 remark "Telnet Denied Here"
      10 deny tcp ::/0 ::/0 eq 23
      30 deny tcp ::/0 ::/0 log
      40 deny icmp ::/0 ::/0 134
      50 deny icmp ::/0 ::/0 133
      60 permit ipv6 ::/0 ::/0
      exit
   . . .
   vlan 20
      ipv6 access-group "acl-001" vlan
      exit
   . . .

As a part of the instruction set included in the .txt file, the ACL is assigned to inbound IP traffic on VLAN 20.
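As an added example (not from the guide or the switch software), the following Python builds a command file of the kind shown above and checks it before upload: the “;” comment syntax, a leading no ipv6 access-list line (the IPv6 form of the remove command from “Deleting an ACL”) so that the download does not append to an ACL already on the switch, the ACE and remark syntax inside the ACL context, and that the VLAN assignment refers to an ACL the file defines. The file layout and the checks are this example's own.

```python
import re
from typing import List, Optional

ACE_RE = re.compile(r"^(?:\d+\s+)?(?:permit|deny)\s+(?:ipv6|tcp|udp|icmp)\s+\S+")
REMARK_RE = re.compile(r'^(?:\d+\s+)?remark\s+"?.+')


def build_acl_file(name: str, body: List[str], vlan: Optional[int] = None,
                   replace: bool = True, note: str = "") -> str:
    """Render an ACL command file for copy tftp command-file.
    `body` holds remark/ACE lines in the order they should take effect."""
    lines = []
    if note:
        lines.append(f"; {note}")                  # ';' starts a comment in the file
    if replace:
        # remove any earlier version first; otherwise the download appends
        # these ACEs to the ACL already on the switch
        lines.append(f'no ipv6 access-list "{name}"')
    lines.append(f'ipv6 access-list "{name}"')
    lines += [f"   {l}" for l in body]
    lines.append("   exit")
    if vlan is not None:
        lines += [f"vlan {vlan}", f'   ipv6 access-group "{name}" vlan', "   exit"]
    return "\n".join(lines) + "\n"


def lint_acl_file(text: str) -> List[str]:
    """Return the problems found in a command file before it is uploaded."""
    problems = []
    defined, removed, context = set(), set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not cmd:
            continue
        m = re.match(r'^(no\s+)?ipv6 access-list\s+"?([^"\s]+)"?$', cmd)
        if m:
            name = m.group(2)
            if m.group(1):
                removed.add(name)
            else:
                if name not in removed:
                    problems.append(f"line {n}: no preceding 'no ipv6 access-list' for {name}; "
                                    "the download would append to an existing ACL of that name")
                defined.add(name)
                context = "acl"
            continue
        if cmd.startswith("vlan "):
            context = "vlan"
            continue
        if cmd == "exit":
            context = None
            continue
        if context == "acl":
            if not (ACE_RE.match(cmd) or REMARK_RE.match(cmd)):
                problems.append(f"line {n}: not a valid ACE or remark: {cmd!r}")
        elif context == "vlan":
            g = re.match(r'^ipv6 access-group\s+"?([^"\s]+)"?\s+vlan$', cmd)
            if not g:
                problems.append(f"line {n}: unexpected command in vlan context: {cmd!r}")
            elif g.group(1) not in defined:
                problems.append(f"line {n}: access-group refers to undefined ACL {g.group(1)}")
        else:
            problems.append(f"line {n}: command outside any context: {cmd!r}")
    if context is not None:
        problems.append("file ends without closing 'exit'")
    return problems
```

A file built with replace=True for acl-001 and vlan=20 lints clean; the same body with replace=False and a malformed line reports both the missing remove command and the bad ACE, so the problems are caught before the switch starts executing a partially correct file.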
Testing and Troubleshooting ACLs

You can monitor ACL performance by using the “Deny” logging option (which generates log messages when there is a “deny” ACE match) and the ACE statistics counters (which maintain running totals of the packet matches on each ACE in an ACL).

ACL Logging Operation

When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes.

For example, suppose that you want to configure the following on a switch receiving IPv6 traffic and configured for IPv4 routing:

■ For port B1 on VLAN 10 configure an IPv6 ACL with an ACL-ID of “NO-TELNET” and use the PACL in option to deny Telnet traffic entering the switch from IP address FE80::10:3.
■ Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.50.

   ProCurve(config)# ipv6 access-list NO-TELNET
   ProCurve(config-ipv6-acl)# remark "deny fe80::10:3 Telnet traffic."
   ProCurve(config-ipv6-acl)# deny tcp host fe80::10:3 any eq telnet log
   ProCurve(config-ipv6-acl)# permit ipv6 any any
   ProCurve(config-ipv6-acl)# exit
   ProCurve(config)# vlan 10 ipv6 access-group NO-TELNET vlan
   ProCurve(config)# logging 10.10.50.
Monitoring Static ACL Performance

ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface.

Syntax: show statistics
           aclv4 < acl-name-str > port < port-# >
           aclv4 < acl-name-str > vlan < vid > < in | out | vlan >
           aclv6 < acl-name-str > port < port-# >
           aclv6 < acl-name-str > vlan < vid > vlan

   Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface:
   Total: This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since

ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset.

   ProCurve# show statistics aclv6 V6-02 vlan 20 vlan
   HitCounts for ACL V6-02
   Total
   (     5) 10 permit icmp ::/0 fe80::20:2/128 128
   (     4) 20 permit icmp ::/0 fe80::20:3/128 128
   (   136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
   (     2) 40 deny icmp ::/0 fe80::20:1/128 128
   (    10) 50 deny tcp ::/0 ::/0 eq 23
   (     8) 60 deny icmp ::/0 ::/0 133
   (   155) 70 permit ipv6 ::/0 ::/0

Figure 8-41.
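The following added Python (not switch code) parses the HitCounts listing above, constructed here as two snapshots of the same V6-02 instance taken a little apart, computes per-ACE matches between them (the Total column is a running total until the counters are reset), and lists the deny ACEs that accumulated hits, which is the view an operator monitoring an interface wants.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: two snapshots of the figure 8-41 listing; the second
# was "taken later" by raising the totals on the two Telnet/RS deny lines.
SNAPSHOT_1 = """\
ProCurve# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
(     5) 10 permit icmp ::/0 fe80::20:2/128 128
(     4) 20 permit icmp ::/0 fe80::20:3/128 128
(   136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(     2) 40 deny icmp ::/0 fe80::20:1/128 128
(    10) 50 deny tcp ::/0 ::/0 eq 23
(     8) 60 deny icmp ::/0 ::/0 133
(   155) 70 permit ipv6 ::/0 ::/0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("(    10) 50", "(    47) 50").replace("(     8) 60", "(    20) 60")

LINE_RE = re.compile(r"^\(\s*(\d+)\)\s+(\d+)\s+(permit|deny)\s+(.+)$")

Counts = Dict[int, Tuple[int, str, str]]   # seq -> (running total, action, criteria)


def parse_hit_counts(text: str) -> Counts:
    """Pick the counter lines out of a show statistics aclv6 listing."""
    counts: Counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            total, seq, action, crit = m.groups()
            counts[int(seq)] = (int(total), action, crit)
    return counts


def hits_since(before: Counts, after: Counts) -> Dict[int, int]:
    """Per-ACE matches between two snapshots. Totals only grow until the
    counters are reset, so a drop means a reset happened in between and the
    later total is taken as the count."""
    delta = {}
    for seq, (after_total, _, _) in after.items():
        before_total = before.get(seq, (0, "", ""))[0]
        delta[seq] = after_total - before_total if after_total >= before_total else after_total
    return delta


def denied_aces(counts: Counts, since: Optional[Dict[int, int]] = None, threshold: int = 1):
    """Deny ACEs whose matches (in the interval, or overall) reach the threshold."""
    out = []
    for seq, (total, action, crit) in sorted(counts.items()):
        n = since[seq] if since is not None else total
        if action == "deny" and n >= threshold:
            out.append((seq, n, crit))
    return out
```

On the constructed snapshots, hits_since shows 37 new Telnet denials on line 50 and 12 new Router Solicitation denials on line 60, while the permit lines stayed flat.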
IPv6 Counter Operation with Multiple Interface Assignments

Note: The examples of counters in this section use small values to help illustrate counter operation. The counters in real-time network applications are generally much more active and show higher values.

Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL.

Using the topology in figure 8-44, a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the “V6-01” ACL assigned to port B2, resulting in the following:

   ProCurve# ping6 fe80::20:2%vlan20
   fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
   ProCurve# telnet fe80::20:2%vlan20
   Telnet failed: Connection timed out.
   ProCurve#

Figure 8-45.
has multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL.)

For example, suppose that an IPv4 ACL named “Test-1” is configured as shown in figure 8-47 to block Telnet access to a server at 10.10.20.

In the above case:

■ Matches with ACEs 10 or 20 that originate on VLAN 20 will increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 will not be incremented.
■ Any Telnet requests to 10.10.20.

   ProCurve(config)# show statistics aclv4 Test-1 vlan 20 vlan
   Hit Counts for ACL Test-1
   Total
   (     5) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
   (     2) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.

   Indicates denied attempts to Telnet to 10.10.20.12 filtered by the instance of the “Test-1” VACL assignment on VLAN 20.

   ProCurve(config)# show statistics aclv4 Test-1 vlan 50 in
   Hit Counts for ACL Test-1
   Total
   (     6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
   (     1) 20 permit ip 0.

   Indicates the same type of data as shown in figure 8-50 for the VACL assignment of the “Test-1” ACL. That is, the Ping attempt incremented the counters for ACE 20 and the Telnet attempt incremented the counters for ACE 10 in the VLAN 50 RACL instance of the ACL.
General ACL Operating Notes

ACLs do not provide DNS hostname support. ACLs cannot be configured to screen hostname IP traffic between the switch and a DNS.

ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’s serial port.

ACL Logging.
• The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when explicitly permitted or implicitly denied.

“Monitoring Resources” in the latest Management and Configuration Guide for your switch. See also the appendix titled “Scalability and System Maximums” in the same guide.

Protocol Support. ACL criteria do not include use of MAC address information or QoS.

Replacing or Adding To an Active IPv6 ACL Policy. If you assign an IPv6 ACL to an interface and subsequently add or replace ACEs in that ACL, each new ACE becomes active when you enter it.
9 IPv6 Diagnostic and Troubleshooting

Contents
   Introduction . . . . . . . . . . 9-2
   ICMP Rate-Limiting . . . . . . . . . . 9-2
   Ping for IPv6 (Ping6) . . . . . . . . . . 9-4
   Traceroute for IPv6 . . . . . . . . . .
Introduction

   Feature                                        Default                  CLI
   IPv6 ICMP Message Interval and Token Bucket    100 ms, 10 max tokens    9-3
   ping6, traceroute6                             Enabled                  n/a

The IPv6 ICMP feature enables control over the error and informational message rate for IPv6 traffic, which can help mitigate the effects of a Denial-of-Service attack. Ping6 enables verification of access to a specific IPv6 device, and traceroute6 enables tracing the route to an IPv6-enabled device on the network.

ICMP Rate-Limiting

Controlling the frequency of ICMPv6 error messages can help to prevent DoS (Denial-of-Service) attacks. With IPv6 enabled on the switch, you can control the allowable frequency of these messages with ICMPv6 rate-limiting.

Syntax:
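An added, constructed Python model (not switch code) of the ICMPv6 token-bucket limit using the defaults in the table above (100 ms interval, 10 tokens). The refill rule, one token per error-interval up to the bucket size, is this example's assumption of how the two parameters interact and is not taken from the guide. The simulation shows a burst of error-triggering packets being capped at the bucket size while a steady rate at or below one per interval passes unthrottled, which is why the limit bounds the cost of an attacker eliciting error messages without affecting normal operation.

```python
from typing import List, Tuple


class Icmpv6ErrorLimiter:
    """Token-bucket model of the switch's ICMPv6 error-message rate limit
    (constructed example). Assumed behaviour: the bucket holds at most
    bucket_size tokens, one token is added every error_interval_ms, and an
    error message is sent only if a token is available. Defaults match the
    guide's 100 ms / 10 tokens."""

    def __init__(self, error_interval_ms: int = 100, bucket_size: int = 10) -> None:
        self.interval = error_interval_ms
        self.size = bucket_size
        self.tokens = float(bucket_size)   # bucket starts full
        self.last_ms = 0

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.size, self.tokens + elapsed / self.interval)
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        """Called each time the switch would generate an ICMPv6 error message."""
        self._refill(now_ms)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals_ms: List[int], **kw) -> Tuple[int, int]:
    """Run a sequence of error-triggering packet arrivals (ms timestamps);
    returns (error messages sent, error messages suppressed)."""
    lim = Icmpv6ErrorLimiter(**kw)
    sent = sum(1 for t in sorted(arrivals_ms) if lim.allow(t))
    return sent, len(arrivals_ms) - sent
```

With the defaults, simulate([0] * 100) returns (10, 90): a burst of 100 triggers yields only 10 error messages, and simulate(list(range(0, 5000, 100))) returns (50, 0), one trigger per interval for five seconds answered in full.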
Ping for IPv6 (Ping6)

The Ping6 test is a point-to-point test that accepts an IPv6 address or IPv6 host name to see if an IPv6 switch is communicating properly with another device on the same or another IPv6 network. A ping test checks the path between the switch and another device by sending IP packets (ICMP Echo Requests). To use a ping6 command with an IPv6 host name or fully qualified domain names, refer to “DNS Resolver for IPv6” on page 9-10.

Syntax: ping6 < ipv6-address | hostname | switch-number > [repetitions < 1 - 10000 >] [timeout < 1 - 60 >] [data-size < 0 - 65507 >] [data-fill < 0 - 1024 >] [source < ipv6-addr | vid >] [oobm]

   Pings the specified IPv6 host by sending ICMP version 6 (IC

   ProCurve# ping6 fe80::2:1%vlan10
   fe80:0000:0000:0000:0000:0000:0002:0001 is alive, time = 975 ms

   ProCurve# ping6 2001:db8::a:1c:e3:3 repetitions 3
   2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 1, time = 15 ms
   2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 2, time = 15 ms
   2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 3, time = 15 ms
   3 packets transmitted, 3 packets received, 0% packet loss
   round-trip (ms) min/
Traceroute for IPv6

The traceroute6 command enables you to trace the route from a switch to a host device that is identified by an IPv6 address or IPv6 host name. In the command output, information on each (router) hop between the switch and the destination IPv6 address is displayed. To use a traceroute6 command with an IPv6 host name or fully qualified domain names, refer to “DNS Resolver for IPv6” on page 9-10.

Syntax: traceroute6 < ipv6-address | hostname > [minttl < 1-255 >] [maxttl < 1-255 >] [timeout < 1 - 60 >] [probes < 1-5 >] [source < ipv6-addr | vid | oobm >]

   Lists the IPv6 address of each hop in the route to the specified destination host device with the time (in microseconds) required for a

   maxttl: Maximum number of hops allowed for each probe packet sent along the route. Valid values: 1 - 255. Default: 30.
   • If the maxttl value is less than the actual number of hops required to reach the host, the traceroute output displays only the IPv6 addresses of the hops detected by the configured maxttl value.
DNS Resolver for IPv6

The Domain Name System (DNS) resolver is designed for local network domains where it enables use of a host name or fully qualified domain name to support DNS-compatible commands from the switch. Beginning with software release K.13.

   The no form of the command removes the specified address from the server address list configured on the switch.
   < ip-addr >: Specifies the address of an IPv6 or IPv4 DNS server.
   [oobm]: For switches that have a separate out-of-band management (OOBM) port, this parameter specifies that communication with the DNS server goes through that OOBM port.

Syntax:

Assume that the above, configured DNS server supports an IPv6 device having a host name of “mars-1” (and an IPv6 address of fe80::215:60ff:fe7a:adc0) in the “mygroup.procurve.net” domain. In this case you can use the device's host name alone to ping the device because the mygroup.procurve.net domain has been configured as the domain name on the switch and the address of a DNS server residing in that domain is also configured on the switch.
Debug/Syslog for IPv6

The Debug/System logging (Syslog) for IPv6 feature provides the same logging functions as the IPv4 version, allowing you to record IPv4 and IPv6 Event Log and debug messages on a remote device to troubleshoot switch or network operation. For example, you can send messages about routing misconfigurations and other network protocol details to an external device, and later use them to debug network-level problems.

Debug Command

Syntax: [no] debug < debug-type >

   Configures the types of IPv4 and IPv6 messages that are sent to Syslog servers or other debug destinations, where < debug-type > is any of the following event types:

   acl
      When a match occurs on an ACL “deny” statement with a log parameter, an ACL message is sent to configured debug destinations. (Default: Disabled - ACL messages for traffic that matches “deny” entries are not sent.)

Syntax: [no] debug < debug-type > (Continued)

   ip [ ospf < adj | event | flood | lsa-generation | packet | retransmission | spf > ]
      Configures specified IPv4 OSPF message types to be sent to configured debug destinations:
      adj — Adjacency changes.
      event — OSPF events.
      flood — Information on flood messages.
      lsa-generation — New LSAs added to database.
      packet — Packets sent/received.
      retransmission — Retransmission timer messages.

Configuring Debug Destinations

A Debug/Syslog destination device can be a Syslog server (up to six maximum) and/or a console session:

■ Use the debug destination < logging | session | buffer > command to enable (and disable) Syslog messaging on a Syslog server or to a CLI session for the debug message types configured with the debug and logging commands (see “Configuring Debug and Event Log Messaging” on page 9-13):
   • debug destination log

Logging Command

Syntax: [no] logging < syslog-ipv4-addr >

   Enables or disables Syslog messaging to the specified IPv4 address. You can configure up to six addresses. If you configure an address when none are already configured, this command enables destination logging (Syslog) and the Event debug type. Therefore, at a minimum, the switch begins sending Event Log messages to configured Syslog servers.
A IPv6 Terminology

For IPv6 ACL terminology, refer to “Terminology” on page 8-9.

DAD
   Duplicate Address Detection. Refer to “Duplicate Address Detection (DAD)” on page 4-17.

Device Identifier
   The low-order bits in an IPv6 address that identify a specific device. For example, in the link-local address 2001:db8:a10:101:212:79ff:fe88:a100/64, the bits forming 212:79ff:fe88:a100 comprise the device identifier.

DoS
   Denial-of-Service.

EUI-64
   Extended Unique Identifier.
ProCurve 5400zl Switches Installation and Getting Started Guide. Technology for better business outcomes. To learn more, visit www.hp.com/go/procurve/ © Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.