Using HP switch security features

HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, HP strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.

Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.

Switch management access is available through the following methods:

  • Front panel access to the console serial port, see Physical security

  • Inbound Telnet access

  • Web-browser access (WebAgent)

  • SNMP access

For guidelines on locking down your switch for remote management access, see Using the Management Interface wizard.

Physical security

Physical access to the switch allows the following:

  • Use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.

  • Use of the switch's USB port for file transfers and autorun capabilities.

  • Use of the switch's Clear and Reset buttons for these actions:

    • clearing (removing) local password protection

    • rebooting the switch

    • restoring the switch to the factory default configuration (and erasing any non-default configuration settings)

Keeping the switch in a locked wiring closet or other secure space helps prevent unauthorized physical access.

As additional precautions, you can do the following:

  • Disable or re-enable the password-clearing function of the Clear button.

  • Configure the Clear button to reboot the switch after clearing any local user names and passwords.

  • Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings.

  • Disable or re-enable password recovery.

  • Disable USB autorun by setting a Manager password, or enable USB autorun in secure mode so that security credentials are required to use this feature.

For the commands used to configure the Clear and Reset buttons, see Configuring front panel security. For information on using USB Autorun, see "Using USB to transfer files to and from switch" and "Using USB autorun" in the Management and Configuration Guide.

Using the Management Interface wizard

The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:

  • setting local passwords

  • restricting SNMP access

  • enabling/disabling Telnet

  • enabling/disabling SSH

  • enabling/disabling remote Web management (WebAgent)

  • restricting WebAgent access to SSL

  • enabling/disabling USB autorun

  • setting timeouts for SSH/Telnet sessions

The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI or the WebAgent.


NOTE: The wizard's security settings can also be configured using standard commands via the CLI, Menu, or WebAgent.


WebAgent: Management Interface wizard

To use the Management Interface wizard from the WebAgent, follow the steps below:

  1. In the navigation tree, select Security.

  2. Click on the Security Wizard. The Welcome window appears.

    This page allows you to choose between two setup types:

    • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.

    • Advanced—provides a single summary screen in which to configure all security settings at once.

See the WebAgent Online Help for detailed information about using the Management Interface wizard.

SNMP security guidelines

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Controlling SNMP access to the switch and preventing unauthorized SNMP access should therefore be a key element of your network security strategy.

General SNMP access to the switch

The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports version 1 and 2c compatibility, which use plain text and provide no security options.

HP recommends you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).

SNMPv3 security options include:

  • Configuring device communities as a means for excluding management access by unauthorized stations

  • Configuring for access authentication and privacy

  • Reporting events to the switch CLI and to SNMP trap receivers

  • Restricting non-SNMPv3 agents to either read-only access or no access

  • Co-existing with SNMPv1 and v2c if necessary.

SNMP access to the authentication configuration MIB

Beginning with software release K.12.xx, a management station running an SNMP networked device management application, such as HP PCM+ or HP OpenView, can access the management information base (MIB) for read access to the switch status and read/write access to the switch's authentication configuration (hpSwitchAuth). This means that the switch's default configuration now allows SNMP access to security settings in hpSwitchAuth.


NOTE: Downloading and booting from the K.12.xx or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch's authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.



CAUTION: If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from software release K.12.xx or greater:

  • If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the K.12.xx or greater software for the first time, use the following command to disable this feature:

    snmp-server mib hpswitchauthmib excluded

  • If you choose to leave the authentication configuration MIB accessible, then you should do the following to help ensure that unauthorized workstations cannot use SNMP tools to access the MIB:

    1. Configure SNMP version 3 management and access security on the switch.

    2. Disable SNMP version 2c on the switch.


For details on this feature, see Using SNMP to view and configure switch authentication features.

See “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.

Precedence of security options

This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.

Precedence of Port-based security options

Where the switch is running multiple security options, it implements network traffic security based on the Open Systems Interconnection (OSI) model precedence of the individual options, from the lowest layer to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.

  1. Disabled/Enabled physical port

  2. MAC lockout (applies to all ports on the switch)

  3. MAC lockdown

  4. Port security

  5. Authorized IP Managers

  6. Application features at higher levels in the OSI model, such as SSH.

The above list does not address the mutually exclusive relationship that exists among some security features.

Precedence of Client-based authentication: Dynamic Configuration Arbiter

Starting in software release K.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.

A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:

  • Untagged client VLAN ID

  • Tagged VLAN IDs

  • Per-port CoS (802.1p) priority

  • Per-port rate-limiting on inbound traffic

  • Client-based ACLs

DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed according to a defined hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order, from highest to lowest priority; a value configured at a higher priority overrides a value configured at a lower priority:

  1. Attribute profiles applied through the Network Immunity network-management application using SNMP, see HP E-Network Immunity Manager

  2. 802.1X authentication parameters (RADIUS-assigned)

  3. Web- or MAC-authentication parameters (RADIUS-assigned)

  4. Local, statically-configured parameters

Although RADIUS-assigned settings are never applied to ports for non-authenticated clients, the DCA allows configuring and assigning client-specific port configurations to non-authenticated clients, provided that the client's MAC address is known in the switch's forwarding database. DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.

DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.

HP E-Network Immunity Manager

HP E-Network Immunity Manager (NIM) is a plug-in to HP PCM+ and a key component of the HP E-Network Immunity security solution, which provides comprehensive detection of, and per-port response to, malicious traffic at the HP network edge. NIM allows you to apply policy-based actions to minimize the negative impact of a client's behavior on the network. For example, using NIM you can apply a client-specific profile that adds or modifies per-port rate-limiting and VLAN ID assignments.


NOTE: NIM actions only support the configuration of per-port rate-limiting and VLAN ID assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.


NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters in an authentication session. When the NIM-applied action is removed, the previously applied client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have been other configuration changes to the parameter. In this way, NIM allows you to minimize network problems without manual intervention.

NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the switch forwarding database.

The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for NIM. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and if they are supported on a per-port or per-client basis.

A NIM policy accesses the hpicfUsrProfile MIB through SNMP to perform the following actions:

  • Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.

  • Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.


NOTE: The attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.


For information on NIM, go to the HP Networking Web site at www.hp.com/solutions.

Arbitrating client-specific attributes

In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication were assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.

Starting in release K.13.xx, DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:

  1. NIM access policy (applied through SNMP)

  2. RADIUS-assigned

    1. 802.1X authentication

    2. Web or MAC authentication

  3. Statically (local) configured

Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.

For example, NIM may configure only rate-limiting for a specified client session, while RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be applied. In this case, DCA applies the NIM-configured rate-limiting value and the RADIUS-assigned VLAN (if there are no other conflicts).

Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.

In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide basis. For example, if multiple clients authenticate on a port and a rate-limiting assignment by a newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply any of the following attributes:

  • Apply only the latest rate-limiting value assigned to all clients.

  • Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).
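The per-parameter arbitration described above (NIM over RADIUS 802.1X over RADIUS Web/MAC over local, resolved independently for each parameter, with NIM values reverting when the action is withdrawn) as a small Python model. This is an added illustration, not HP code: the level names, the ClientProfile class and the sample MAC address are constructed here, and the NIM restriction to VLAN ID and rate-limiting follows the NOTE in the NIM section.

```python
"""Model of Dynamic Configuration Arbiter (DCA) precedence for client-specific parameters.

Added example, not part of the HP guide: level names and the ClientProfile class are
constructed for illustration; the precedence order is the one the guide describes.
"""

# Precedence levels, highest first: NIM access policy, RADIUS (802.1X), RADIUS (Web/MAC), local.
LEVELS = ("nim", "radius_8021x", "radius_webmac", "local")

# NIM actions may only assign VLAN ID and rate-limiting (no CoS priority, no ACLs).
NIM_ALLOWED = {"untagged_vlan", "rate_limit_in"}


def nim_can_assign(param):
    """True if a NIM action is permitted to set this parameter."""
    return param in NIM_ALLOWED


class ClientProfile:
    """Per-MAC attribute profile: one dict of parameter values per precedence level."""

    def __init__(self, mac):
        self.mac = mac
        self.levels = {lvl: {} for lvl in LEVELS}

    def set_params(self, level, **params):
        """Record parameter values supplied at one precedence level."""
        if level not in LEVELS:
            raise ValueError(f"unknown precedence level {level!r}")
        if level == "nim":
            rejected = sorted(p for p in params if not nim_can_assign(p))
            if rejected:
                raise ValueError(f"NIM cannot assign {rejected}")
        self.levels[level].update(params)

    def clear_level(self, level):
        """Remove everything a level applied, e.g. when a NIM action is withdrawn."""
        self.levels[level].clear()

    def effective(self):
        """Resolve each parameter independently: the highest level holding a value wins."""
        result = {}
        for lvl in reversed(LEVELS):      # walk lowest -> highest so higher levels overwrite
            result.update(self.levels[lvl])
        return result

    def source_of(self, param):
        """Name the level whose value is currently in effect for a parameter."""
        for lvl in LEVELS:
            if param in self.levels[lvl]:
                return lvl
        return None


def demo():
    """Reproduce the guide's example: NIM sets only rate-limiting, RADIUS sets VLAN and rate."""
    p = ClientProfile("00:11:22:33:44:55")             # constructed sample MAC
    p.set_params("local", untagged_vlan=10, cos=2)      # statically configured on the port
    p.set_params("radius_8021x", untagged_vlan=20, rate_limit_in=50)
    p.set_params("nim", rate_limit_in=1)                # threat response: throttle the client
    during_nim = p.effective()                          # NIM rate + RADIUS VLAN + local CoS
    p.clear_level("nim")                                # NIM action removed
    after_nim = p.effective()                           # rate-limit falls back to RADIUS value
    return during_nim, after_nim


if __name__ == "__main__":
    during, after = demo()
    print("while NIM action active:", during)
    print("after NIM action removed:", after)
```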

For information about how to configure RADIUS-assigned and locally configured authentication settings, see:

HP PCM+ Identity-Driven Manager (IDM)

HP PCM+ IDM is a plug-in to HP PCM+ and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.

Using IDM, a system administrator can configure automatic and dynamic security to operate at the network edge when a user connects to the network. This operation enables the network to:

  • approve or deny access at the edge of the network instead of in the core;

  • distinguish among different users and what each is authorized to do;

  • configure guest access without compromising internal security.

Criteria for enforcing RADIUS-based security for IDM applications include classifiers such as:

  • authorized user identity

  • authorized device identity (MAC address)

  • software running on the device

  • physical location in the network

  • time of day

Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a given client and device.

For more information on IDM, go to the HP Networking Web site at www.hp.com/solutions.

Access security features

This section provides an overview of the switch’s access security features, authentication protocols, and methods. Access Security and Switch Authentication Features lists these features and provides summary configuration guidelines.


NOTE: Beginning with software release K.14.xx, the Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.


Access Security and Switch Authentication Features

Each entry below gives the feature, its default setting, security guidelines, and where to find more information and configuration details.

Manager password

  Default setting: no password

  Security guidelines: Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's WebAgent and console (CLI and Menu) interfaces. The Manager password can easily be set by any one of the following methods:

    • CLI: password manager command, or the Management Interface wizard

    • WebAgent: the password options under the Security tab, or the Management Interface wizard

    • Menu interface: Console Passwords option

    • SNMP

  More information: Using the Management Interface wizard; Using SNMP to view and configure switch authentication features

Telnet and Web-browser access (WebAgent)

  Default setting: enabled

  Security guidelines: The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.

  Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands:

    • no telnet-server: This command blocks inbound Telnet access.

    • no web-management: This command prevents use of the WebAgent through http (port 80) server access.

  If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.

  More information: Using the Management Interface wizard. For more on Telnet and the WebAgent, see "Interface Access and System Information" in the Management and Configuration Guide. For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting.

SSH

  Default setting: disabled

  Security guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:

    • client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.

    • switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client's key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.

    • secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, see the section titled "Using Secure Copy and SFTP" in the "File Transfers" appendix of the Management and Configuration Guide for your switch.

  More information: Using the Management Interface wizard

SSL

  Default setting: disabled

  Security guidelines: Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.

  More information: Using the Management Interface wizard; Secure web management

SNMP

  Default setting: public, unrestricted

  Security guidelines: In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.

  More information: Using HP switch security features; Using the Management Interface wizard; Management and Configuration Guide, Chapter 14, see the section "Using SNMP Tools To Manage the Switch"

Authorized IP Managers

  Default setting: none

  Security guidelines: This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:

    • Telnet and other terminal emulation applications

    • The WebAgent

    • SNMP (with a correct community name)

  More information: Authorized IP Managers

Secure Management VLAN

  Default setting: disabled

  Security guidelines: This feature creates an isolated network for managing the HP switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN.

  More information: See "Static Virtual LANs (VLANs)" in the Advanced Traffic Management Guide for your switch.

ACLs for Management Access Protection

  Default setting: none

  Security guidelines: ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address.

  More information: Access Control Lists (ACLs); IPv4 Access Control Lists (ACLs)

TACACS+ Authentication

  Default setting: disabled

  Security guidelines: This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses user name/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet.

  If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.

  More information: TACACS+ Authentication and Accounting

RADIUS Authentication

  Default setting: disabled

  Security guidelines: For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.

  More information: RADIUS Authentication, Authorization, and Accounting

802.1X Access Control

  Default setting: none

  Security guidelines: This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:

    • user-based access control supporting up to 32 authenticated clients per port

    • port-based access control allowing authentication by a single client to open the port

    • switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches

Web and MAC Authentication

  Default setting: none

  Security guidelines: These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option.

  Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a webpage login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network.

  More information: Web-based and MAC authentication
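To show how the guidelines in this table can be checked mechanically, here is an added Python audit (not HP code) that scans a constructed running-config excerpt for the access-security items listed above: Manager password set, Telnet and plain-HTTP WebAgent disabled, SSH and SSL enabled, SNMPv3 enforced, the hpSwitchAuth MIB excluded, and the default "public" community removed. Only the lines no telnet-server, no web-management and snmp-server mib hpswitchauthmib excluded are taken from this page; the spellings of the other config lines (password manager, ip ssh, web-management ssl, snmpv3 enable, snmpv3 only, snmp-server community) and the sample configs are assumptions constructed for the example.

```python
"""Audit a constructed ProVision-style running-config excerpt against the access-security list.

Added example, not part of the HP guide. The regexes assume the config-line spellings used in
the constructed samples below; verify them against your switch's "show running-config".
"""
import re
from dataclasses import dataclass

# Constructed sample: a switch left close to its factory defaults (Telnet and plain-text
# WebAgent enabled by default, so they simply do not appear as "no ..." lines).
WEAK_CONFIG = """\
hostname "edge-sw-01"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   exit
"""

# Constructed sample after applying the guidelines (line spellings are assumptions).
HARDENED_CONFIG = """\
hostname "edge-sw-01"
password manager
no telnet-server
no web-management
web-management ssl
ip ssh
snmpv3 enable
snmpv3 only
snmp-server mib hpswitchauthmib excluded
snmp-server community "n3tmgmt-ro" operator restricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   exit
"""


@dataclass(frozen=True)
class Check:
    name: str
    pattern: str            # regex matched against each stripped config line
    must_be_present: bool   # True: pass if some line matches; False: pass if none does


CHECKS = [
    Check("manager password set", r"^password manager\b", True),
    Check("inbound Telnet disabled (no telnet-server)", r"^no telnet-server$", True),
    Check("plain-text WebAgent disabled (no web-management)", r"^no web-management$", True),
    Check("WebAgent over SSL enabled", r"^web-management ssl$", True),
    Check("SSH enabled", r"^ip ssh\b", True),
    Check("SNMPv3 enabled", r"^snmpv3 enable$", True),
    Check("non-SNMPv3 messages blocked (snmpv3 only)", r"^snmpv3 only$", True),
    Check("hpSwitchAuth MIB excluded", r"^snmp-server mib hpswitchauthmib excluded$", True),
    Check("default community 'public' removed", r'^snmp-server community "public"', False),
    Check("no unrestricted community", r"^snmp-server community .* unrestricted$", False),
]


def audit(config_text):
    """Return {check name: passed} for every checklist item."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    results = {}
    for c in CHECKS:
        matched = any(re.search(c.pattern, ln) for ln in lines)
        results[c.name] = matched if c.must_be_present else not matched
    return results


def failures(config_text):
    """Sorted names of the checks the config fails."""
    return sorted(name for name, ok in audit(config_text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        failed = failures(cfg)
        print(f"{label}: {len(failed)} failing check(s)")
        for name in failed:
            print("  FAIL", name)
```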


NOTE: Beginning with software release K.14.xx, the Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.


Network security features

This section outlines features and defence mechanisms for protecting access through the switch to the network.

Network Security—Default Settings and Security Guidelines

Each entry below gives the feature, its default setting, security guidelines, and where to find more information and configuration details.

Secure File Transfers

  Default setting: not applicable

  Security guidelines: Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices.

  More information: Management and Configuration Guide, Appendix A "File Transfers", see "Using Secure Copy and SFTP"

USB Autorun

  Default setting: enabled (disabled once a password has been set)

  Security guidelines: Used in conjunction with HP PCM+, this feature allows diagnosis and automated updates to the switch via the USB flash drive. When enabled in secure mode, this is done with secure credentials to prevent tampering. Note that the USB Autorun feature is disabled automatically once a password has been set on the switch.

  More information: Management and Configuration Guide, Appendix A "File Transfers", see "USB Autorun"

Traffic/Security Filters

  Default setting: none

  Security guidelines: These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:

    • source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.

    • multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.

    • protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

Access Control Lists (ACLs)

  Default setting: none

  Security guidelines: ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:

    • Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, WebAgent, and SNMP) for transactions between specific source and destination IP addresses.

    • Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.

  NOTE: On ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

  More information: IPv4 Access Control Lists (ACLs)

Port Security, MAC Lockdown, and MAC Lockout

  Default setting: none

  Security guidelines: The features listed below provide device-based access security in the following ways:

    • Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

    • MAC lockdown: This static addressing feature is used as an alternative to port security to prevent station movement and MAC address hijacking by restricting a given MAC address to use only one assigned port on the switch, and the client device to a specific VLAN.

    • MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

  More information: Port Security. See also Precedence of Port-based security options.

Key Management System (KMS)

  Default setting: none

  Security guidelines: KMS is available in several HP switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.

  More information: Key Management System

Connection-Rate Filtering based on Virus-Throttling Technology

  Default setting: none

  Security guidelines: This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts.

  More information: Virus throttling (connection-rate filtering)

ICMP Rate-Limiting

  Default setting: none

  Security guidelines: This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).

  More information: Management and Configuration Guide, in the chapter on "Port Traffic Controls" see "ICMP Rate-Limiting"

Spanning Tree Protection

  Default setting: none

  Security guidelines: These features protect your switch from malicious attacks or configuration errors:

    • BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofed BPDUs by dropping incoming BPDU frames and blocking traffic through a port.

    • STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.

  More information: Advanced Traffic Management Guide, see "Multiple Instance Spanning-Tree Operation"

DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown

  Default setting: none

  Security guidelines: These features provide the following additional protections for your network:

    • DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.

    • Dynamic ARP Protection: Protects your network from ARP cache poisoning.

    • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis.

    • Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.

Using named source-port filters

A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Network configuration for named source-port filters. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two workstations in accounting are connected to switch ports 10 and 11.

Figure: Network configuration for named source-port filters

Editing a source-port filter

The switch includes in one filter the actions for all destination ports and trunks configured for a given source port or trunk. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter. For example, suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2. The resulting filter is shown on the left in the following figure. Later, you update the filter to drop traffic received on port 8 and destined for ports 3 through 5. Since only one filter exists for a given source port, the filter on traffic from port 8 appears as shown on the right in the following figure:

Figure: Assigning Additional Destination Ports to an Existing Filter

Displaying traffic/security filters

This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.

Syntax

show filter [index]

show filter

Lists the configured filters with their corresponding filter index (IDX) numbers. The listing contains the following fields:

IDX

An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing.

Filter Type

Indicates the type of filter assigned to the IDX number (source-port, multicast, or protocol).

Value

Indicates the port number or port-trunk name of the source port or trunk assigned to the filter.

[index]

Lists the filter type and other data for the filter corresponding to the index number in the show filter output. Also lists, for each outbound destination port in the switch, the port number, port type, and filter action (forward or drop). The switch assigns the lowest available index number to a new filter. If you delete a filter, the index number for that filter becomes available for the next filter you create.

Example

To display the filters created, and then list the details of the multicast filter for multicast address 010000-224466:

Figure: Display filter data
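The two behaviours described in this chapter, that a source port has exactly one filter which the filter source-port command updates in place (Editing a source-port filter), and that show filter IDX numbers are assigned from the lowest free slot so a newer filter can receive a lower IDX than an older one, are modelled in the following added Python example. It is not HP code: the FilterTable class, its method names and the 26-port sample are constructed for illustration and only mimic the semantics the text describes.

```python
"""Model of the switch's traffic/security filter table.

Added example, not from the HP guide: FilterTable and its methods are constructed to mirror
the documented behaviour (one filter per source port, updated in place; IDX = lowest free number).
"""


class FilterTable:
    def __init__(self, num_ports=26):
        self.ports = list(range(1, num_ports + 1))
        self.filters = {}            # idx -> {"type", "value", "actions": {dest_port: action}}

    def _next_idx(self):
        """Lowest IDX not currently in use (gaps left by deletions are reused first)."""
        idx = 1
        while idx in self.filters:
            idx += 1
        return idx

    def _find(self, ftype, value):
        for idx, f in self.filters.items():
            if f["type"] == ftype and f["value"] == value:
                return idx
        return None

    def source_port(self, src, drop=(), forward=()):
        """Mimic "filter source-port <src> drop|forward <dest ports>".

        If a filter for this source port already exists, its per-destination actions are
        updated; otherwise a new filter is created with every destination set to forward.
        Returns the filter's IDX.
        """
        idx = self._find("source-port", src)
        if idx is None:
            idx = self._next_idx()
            self.filters[idx] = {
                "type": "source-port",
                "value": src,
                "actions": {p: "forward" for p in self.ports if p != src},
            }
        actions = self.filters[idx]["actions"]
        for p in drop:
            actions[p] = "drop"
        for p in forward:
            actions[p] = "forward"
        return idx

    def delete(self, idx):
        """Remove a filter; its IDX becomes available for the next filter created."""
        del self.filters[idx]

    def show(self):
        """Like "show filter": (IDX, filter type, value) ordered by IDX."""
        return [(i, f["type"], f["value"]) for i, f in sorted(self.filters.items())]

    def dropped(self, idx):
        """Destination ports on which this filter drops traffic (from "show filter <index>")."""
        return sorted(p for p, a in self.filters[idx]["actions"].items() if a == "drop")


def demo():
    """Walk through the guide's port-8 example, then show IDX reuse after a deletion."""
    t = FilterTable()
    t.source_port(8, drop=[1, 2])          # first filter for port 8 -> IDX 1
    t.source_port(8, drop=[3, 4, 5])       # same source port: existing filter updated
    t.source_port(10, drop=[1])            # IDX 2
    t.source_port(11, drop=[1])            # IDX 3
    t.delete(2)                            # leaves a gap at IDX 2
    newest = t.source_port(7, drop=[10, 11])   # newest filter takes the gap: IDX 2
    return t.dropped(1), newest, t.show()


if __name__ == "__main__":
    port8_drops, newest_idx, listing = demo()
    print("port 8 filter drops to:", port8_drops)
    print("newest filter got IDX:", newest_idx)
    for row in listing:
        print(row)
```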