HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
33
#
sflow collector < collector-id > ip < ip-address >
#
Specify an IP address for the sFlow agent, and the sFlow version.
#
sflow agent { ip ip-address | ipv6 ipv6-address }
sflow version { 4 | 5 }
#
Configure flow sampling:
#
interface Ethernet0/1/0
sflow sampling-mode { determine | random }
sflow sampling-rate < rate >
sflow flow max-header < length >
sflow flow collector < collector-id >
#
Configure counter sampling:
#
interface Ethernet0/1/1
sflow counter interval < seconds >
sflow counter collector < collector-id >
#
For more information about sFlow, see “sFlow” in the Network Management and Monitoring Configuration Guide.
Classification ACLs
Classification ACLs provide visibility into traffic that traverses an interface. Classification ACLs do not alter the security
policy of a network and are typically constructed to classify individual protocols, source addresses, or destinations. For
example, a match item that permits all traffic could be separated into specific protocols or ports. This more granular
classification of traffic into specific match items can help provide an understanding of the network traffic because each
traffic category has its own hit counter. An administrator may also separate the implicit deny at the end of an ACL into
granular match items to help identify the types of denied traffic.
An administrator can expedite an incident response by using classification ACLs with display acl and reset acl
counter commands.
The following example illustrates the configuration of a classification ACL to identify traffic:
#
acl number 3002 name ACL-SMB-CLASSIFY
description Classification of SMB specific TCP traffic
rule deny tcp destination-port eq 139
rule deny tcp destination-port eq 445
rule deny ip
#
Use the display acl command to view the configuration of ACL 3002. (The ACL counters can be cleared by using the reset
acl counter command.)
#