HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
(NetStream sample output, continued from the preceding page; the column headers of the per-protocol statistics table are on the preceding page)

TCP-FTPD   3200453    1006   5     193  45   33
TCP-WWW    546778274  11170  887   12   8    32
TCP-other  49148540   3752   79    47   30   32
UDP-DNS    117240379  570    190   3    7    34
UDP-other  45502422   2272   73    30   8    37
ICMP       14837957   125    24    5    12   34
IP-other   77406      5      0     47   52   27

Type  DstIP(Port)           SrcIP(Port)           Pro  ToS  If(Direc)   Pkts
      DstMAC(VLAN)          SrcMAC(VLAN)
      TopLblType(IP/MASK)   Lbl-Exp-S-List
IP    11.1.1.1(1024)        11.1.1.2(21)          6    128  ET1/0(I)    42996
L2    0012-3f86-e94c(10)    0012-3f86-e86a(0)               ET1/4/0(I)  1253
MPLS  LDP(3.3.3.3/24)       1:18-6-0                        ET1/1(O)    291
                            2:24-6-0
                            3:30-6-1
IP&   192.168.123.1(2048)   192.168.1.1(0)        1    0    ET1/1(O)    10
L2    0012-3f86-e95d(0)     0012-3f86-e116(1008)
IP&   172.16.1.1(68)        172.16.2.1(67)        17   64   ET1/2(I)    1848
MPLS  LDP(4.4.4.4/24)       1:55-6-0
                            2:16-6-1
#
For more information on NetStream capabilities, see “NetStream” in the Network Management and Monitoring
Configuration Guide.
sFlow
sFlow is a traffic monitoring technology used to collect and analyze traffic statistics.
The sFlow system involves an sFlow agent and a remote sFlow collector. The sFlow agent collects traffic statistics and
packet information from sFlow-enabled interfaces, and encapsulates them into sFlow packets. When the sFlow packet
buffer is full, or the age time of sFlow packets is reached, the sFlow agent sends the packets to a specified sFlow
collector. The sFlow collector analyzes the sFlow packets and displays the results.
sFlow has the following two sampling mechanisms:
• Flow sampling—packet-based sampling used to obtain packet content information
• Counter sampling—time-based sampling used to obtain port traffic statistics
sFlow has the following advantages:
• Supporting traffic monitoring on Gigabit Ethernet and higher-speed networks
• Providing good scalability to allow one sFlow collector to monitor multiple sFlow agents
• Saving costs by embedding the sFlow agent in a device, instead of using a dedicated sFlow agent device
Only the sFlow agent is supported on HP Comware devices.
The following example shows the basic configuration of sFlow.
Specify an sFlow collector.
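The following CLI session is an added example and is not the guide's own configuration. It walks through the steps described above (agent address, collector, then flow sampling and counter sampling on an interface) and uses the sFlow command syntax of HP Comware V5; the system name, the 192.0.2.0/24 addresses, collector ID 1, the sampling rate, the counter interval and interface GigabitEthernet 1/0/1 are all assumed for illustration. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): basic sFlow configuration on a Comware V5 device.
# All addresses, IDs, rates and the interface name below are assumed for illustration.
<Sysname> system-view
# Agent address and source address for the exported sFlow datagrams. Use an address on
# the management network so the export path is covered by the infrastructure ACLs.
[Sysname] sflow agent ip 192.0.2.1
[Sysname] sflow source ip 192.0.2.1
# Collector 1 at 192.0.2.10 on the default sFlow UDP port 6343.
[Sysname] sflow collector 1 ip 192.0.2.10 port 6343 description netserver
[Sysname] interface GigabitEthernet 1/0/1
# Flow sampling (packet-based): on average one packet in 4096 is sampled on this
# interface and sent to collector 1.
[Sysname-GigabitEthernet1/0/1] sflow flow collector 1
[Sysname-GigabitEthernet1/0/1] sflow sampling-rate 4096
# Counter sampling (time-based): interface traffic statistics are sent to collector 1
# every 120 seconds.
[Sysname-GigabitEthernet1/0/1] sflow counter collector 1
[Sysname-GigabitEthernet1/0/1] sflow counter interval 120
[Sysname-GigabitEthernet1/0/1] quit
# Verify the agent, collector and per-interface sampling settings.
[Sysname] display sflow
```

Two caveats for a production deployment. First, sFlow datagrams are plain UDP with no authentication or encryption, so keep the collector on the management network and restrict which hosts can reach it with the infrastructure ACLs covered in the management plane section; a collector exposed to untrusted networks can be fed forged samples. Second, the sampling rate trades visibility against CPU and export bandwidth on the device: a lower denominator (more frequent samples) on a busy interface raises the load on the agent, so start with a conservative rate and confirm the effect with display sflow and the device's CPU statistics. Command keywords and value ranges vary between Comware releases, so check them against the "sFlow" chapter of the Network Management and Monitoring Configuration Guide for the release in use.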