Hp Procurve 802.1 X Configuration Example
Port security with 802.1x using HP ProCurve (Aruba) switches and Windows NPS

So I'm learning about 802.1x authentication as a means of securing access to the LAN of a client who wants to be PCI compliant (and one part of PCI compliance is securing publicly accessible network jacks).

Hello, trying to set up user-based authentication on ports using an 802.1x setup on a 2610-48 ProCurve switch. My config is:

As I understood it, when authentication is enabled on Win7 and a password is asked for, I need to provide the operator's password, since I am not using RADIUS.

Note: ProCurve Networking recommends that you set the Ethernet speed and duplex to match the switch or hub it is plugged in to. For example:

(config-eth 0/1)#speed 10
(config-eth 0/1)#half-duplex

Note: The ProCurve Secure Router Interface Modules use a slot/port notation for interface identification.
About VLANs
VLANs are a method for segmenting a network into related groups, improving the efficiency of traffic flow and limiting the propagation of multicast and broadcast messages. Traffic between VLANs is blocked unless the VLANs are connected by a router, increasing security.
A VLAN is a group of ports designated by the switch as belonging to the same broadcast domain. That is, all ports carrying traffic for a particular subnet address would belong to the same VLAN. Using a VLAN, you can group users by logical function instead of physical location. This helps to control bandwidth usage by allowing you to group high-bandwidth users on low-traffic segments and to organize users from different LAN segments according to their need for common resources. You can use the switch's console interface to configure up to 30 port-based, IEEE 802.1Q-compliant VLANs. This enables you to use the same port for two or more VLANs and still allows interoperation with older switches that require a separate port for each VLAN.
About GVRP
The GARP VLAN Registration Protocol (GVRP) is an 802.1Q-compliant method for facilitating automatic VLAN membership configuration. GVRP-enabled switches can exchange VLAN configuration information with other GVRP-enabled switches. Unnecessary broadcast traffic and unicast traffic also can be reduced.
Policy rules or other network management methods can determine who is admitted to a VLAN. When a node requests admission to a specific VLAN, GVRP handles the registration of the node with GVRP-enabled switches and maintains that information.
The GVRP protocol is described in the IEEE 802.1p standard.
For a more detailed description of how to use and configure VLANs, refer to the Management and Configuration Guide for your switch.
Devices supported:
- HP ProCurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M
- HP ProCurve Series 2400 switches (2512 and 2524)
- HP ProCurve Series 4100GL switches (4104GL and 4108GL)
- HP ProCurve Series 5300XL switches (5304XL and 5308XL)
Note: If a switch is a Commander, the Stack options will appear at the top of the page.
Note: When multiple VLANs exist on a switch, only one VLAN can be untagged for each port. (In the default configuration, this is VLAN 1, the DEFAULT_VLAN.) When you add a second VLAN to a switch, the default setting on that VLAN is No for all ports. Using the Web browser interface, if you then reconfigure a port to Untagged for a new VLAN while there is an Untagged setting on another VLAN for the same port, the switch automatically reconfigures the other VLAN setting to No. For example, if you configure Port A1 as Untagged for the 2nd VLAN, then the switch automatically reconfigures DEFAULT_VLAN for port A1 as No.
The Primary VLAN
Because certain features and management functions, such as single IP-address stacking, run on only one VLAN in the switch, and because DHCP and Bootp can run per-VLAN, there is a need for a 'dedicated management VLAN' to ensure that multiple instances of DHCP or Bootp on different VLANs do not result in conflicting configuration values for the switch. The primary VLAN is the VLAN the switch uses to run and manage these features and data. In the factory-default configuration, the switch designates the default VLAN (DEFAULT_VLAN) as the primary VLAN. However, to provide more control in your network, you can designate another VLAN as primary. To view the primary VLAN setting, use the VLAN Information screen in the menu interface or the SHOW VLANS command in the CLI. To change the primary VLAN setting, use the VLAN Information screen in the menu interface or the PRIMARY VLAN command in the CLI.
How To...
Access the VLAN Configuration Page from HP TopTools
- Click on the Devices button in the navigation frame.
- Select Device Types from the menu.
- Select Networking Devices.
- Double-click on the device in the device list.
- In the Status page click on the Configuration tab. The device's configuration page displays.
- Select the VLAN Configuration button. The VLAN Configuration page displays.
Access the VLAN Configuration page using the Web Agent
- Click on the Configuration tab.
- Select the VLAN Configuration button. The VLAN Configuration page displays.
Assign Ports to a VLAN
From the Main menu of the switch console:
- Select 2. Switch Configuration
- Select 7. VLAN Menu
- Select 3. VLAN Port Assignment
- Select Edit
- Use the space bar to toggle through the possible configuration values for each port.
Add a VLAN
- Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
- Enter a name for the new VLAN in VLAN Name field below the Current VLAN Definitions list box.
- Enter the 802.1Q ID (an unused number between 1 and 4094) in the field labeled 802.1Q VLAN ID.
- Click on the Add VLAN button. The VLAN appears in the Current VLAN Definitions box.
Rename a VLAN
- Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
- Select the VLAN to be renamed from the Current VLAN Definitions list.
- Enter a name for the selected VLAN in the New VLAN Name field.
- Click on the Rename Selected VLAN button to save the new name.
Remove a VLAN
- Click on the Add/Remove VLANs button at the bottom of the table in the VLAN Configuration page. The Add/Remove VLAN page displays.
- Select the VLAN to remove from the Current VLANS box.
- Click on the Remove Selected VLAN button.
- Confirm removal of the VLAN.
Modify Port VLAN Configuration
To modify ports in a VLAN:
- In the VLAN table, click on the Modify button for the VLAN whose ports you want to modify. The Modify Port VLAN Configuration page displays.
- Select the port to be modified.
- Select the Mode, for example, Tagged.
- Click on the Apply button.
The modes are:
- Tagged - When a port is tagged, it allows communication among the different VLANs to which it is assigned.
- Untagged - When a port is untagged, it can only be a member of one VLAN.
- No - The port is not a member of that VLAN.
- Forbid - The port is 'forbidden' to join that VLAN.
Enable GVRP and (Optionally) Change the GVRP Mode for a Port
The VLAN table includes a GVRP Enabled check box. If a check appears in this box, GVRP is enabled and the GVRP Mode button is active. To enable GVRP and view the current GVRP mode assignments for individual ports:
- In the VLAN table, click on the GVRP Enabled check box to activate the GVRP Mode button.
- In the VLAN table, click on the GVRP button to display the GVRP Mode page.
- Select the ports for which you want to assign a different GVRP mode. Hold down the Shift key to select multiple ports.
- In the drop-down list box, select the mode. The choices are:
- Learn - The port will join the advertised VLAN and propagate a VLAN join request through all other forwarding ports that are participating in GVRP.
- Disable - GVRP is disabled for this port.
- Block - The port will not join the advertised VLAN and will not propagate any VLAN joins for the advertised VLAN. GVRP is totally blocked for this port.
- Do one of the following:
- To save your changes and return to the VLAN table, click on the Apply button.
- To return to the VLAN table without saving any changes, click on the Cancel button.
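As an added example that is not part of the HP help text, the following Python models the membership rules described above (one Untagged VLAN per port with the other VLAN's setting reverting to No, new VLANs defaulting to No, and Forbid or a non-Learn GVRP mode preventing a join), so a planned port-to-VLAN assignment can be checked before it is applied through the web interface. The VlanTable class, its method names and the assumption that a learned GVRP join makes the port a Tagged member are mine, not the switch's implementation.

```python
# Added example, not code from the HP help page: a model of the per-port VLAN
# membership rules above (one Untagged VLAN per port, new VLANs default to No,
# Forbid and a non-Learn GVRP mode block a join) to check a planned assignment.
from dataclasses import dataclass, field

MODES = ("Tagged", "Untagged", "No", "Forbid")
DEFAULT_VLAN = 1  # DEFAULT_VLAN, the factory primary VLAN


@dataclass
class VlanTable:
    ports: tuple
    table: dict = field(default_factory=dict)  # table[vid][port] -> mode
    gvrp: dict = field(default_factory=dict)   # gvrp[port] -> Learn/Disable/Block

    def __post_init__(self):
        # Factory default: every port Untagged on DEFAULT_VLAN, GVRP mode Learn
        self.table[DEFAULT_VLAN] = {p: "Untagged" for p in self.ports}
        self.gvrp = {p: "Learn" for p in self.ports}

    def add_vlan(self, vid):
        if not 1 <= vid <= 4094 or vid in self.table:
            raise ValueError(f"802.1Q ID must be unused and in 1..4094: {vid}")
        self.table[vid] = {p: "No" for p in self.ports}  # new VLAN defaults to No

    def set_mode(self, vid, port, mode):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode}")
        if mode == "Untagged":
            # Only one Untagged VLAN per port: the other VLAN's entry becomes No
            for other, row in self.table.items():
                if other != vid and row[port] == "Untagged":
                    row[port] = "No"
        self.table[vid][port] = mode

    def untagged_vlan(self, port):
        """VLAN that carries this port's untagged frames, or None if none is set."""
        for vid, row in self.table.items():
            if row[port] == "Untagged":
                return vid
        return None

    def gvrp_join(self, vid, port):
        """GVRP advertisement for a statically defined vid arrives on port."""
        if self.gvrp[port] != "Learn" or vid not in self.table:
            return False  # Disable/Block ports ignore it; dynamic VLANs not modelled
        if self.table[vid][port] == "Forbid":
            return False  # Forbid overrides GVRP
        if self.table[vid][port] == "No":
            self.table[vid][port] = "Tagged"  # assumption: a learned join is Tagged
        return True
```

A port whose untagged_vlan() is None after your planned changes would have no VLAN for untagged frames, which is the situation the note about the Untagged setting warns about.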
Related Topics
VLAN operation with:
- Spanning Tree (STP and RSTP)
- IP Multicast (IGMP)
Copyright © 2001-2002 by Hewlett-Packard Company