topic Re: Blocking TCP/IP Ports with ProCurve Manager in Switches, Hubs, and Modems

Blocking TCP/IP Ports with ProCurve Manager

Phil Barnett — Wed, 16 Jun 2010 10:04:17 GMT

Hi there

We have just upgraded our network with a HP 5406ZL as our Core switch with edge switches consisting of the 2510 and 2520 range. We were told when we ordered all of the kit that the switches and ProCurve Manager would allow us to block certain ports from being used, e.g the ports that iTunes uses.

We have been told by someone from the same company that you can't limit the ports in this way and we can't find the options because we have a severe lack of knowledge with ProCurve Manager.

Could anyone shine some light on this?

Re: Blocking TCP/IP Ports with ProCurve Manager

Mohammed Faiz — Wed, 16 Jun 2010 12:26:02 GMT

Hi,

There's no functionality within PCM that would do that for you that I'm aware of (I'm sure someone else on the forum can confirm/correct this).
The only method that'd you would have to do this would be to create ACLs for the various vlans that you want to restrict traffic on. You could then use PCM to push these ACLs out to the switches but it wouldn't write them for you.

Re: Blocking TCP/IP Ports with ProCurve Manager

Phil Barnett — Thu, 17 Jun 2010 06:16:01 GMT

Thanks for the response, would an ACL be able to limit traffic to a particular application on a VLAN? I don't know much on ACLs.

Thanks again

Re: Blocking TCP/IP Ports with ProCurve Manager

Javed Padinhakara — Thu, 17 Jun 2010 08:25:25 GMT

As Faiz says, there is no direct way to address this.

However, there is a feature in PCM, where you can create a policy to turn off/on a port(or group of ports), based on criteria's like
- generation of particular event
- scheduled to execute in a periodic manner.

Leveraging this, possibly we could meet your requirement to some extent by determining if the end-user connected to the port exibits certain behaviour which would cause an event to be generated at switch ( and PCM being a trap-listener would get notified ). Once such an event happens, you could configure the Port on/off policy ("Portsettings:Enable/Disable Port) to turn off the required port(s).

Check the admin Guide @
http://cdn.procurve.com/training/Manuals/PCM-AdminGuide-Jan2010-5990-8850.pdf

for various features, especially the section on Policy Manager.

HTH
Javed

ps:-Noticed that you have joined recently and hence thought will share an important the ettique followed in the forum - assign points on scale (1-10) to people trying to help; its an appreciation for the time they spend in responding to your questions

Re: Blocking TCP/IP Ports with ProCurve Manager

Mohammed Faiz — Thu, 17 Jun 2010 13:22:16 GMT

An ACL would allow you to limit traffic on a port (and in certain very specific cases, protocol) basis.
So for example here's a line from an ACL that allows DNS traffic from a particular server:

permit udp 0.0.0.0 255.255.255.255 192.168.10.10 0.0.0.0 eq 53

Check out the chapter on ACLs in the manual, it'll explain them much better than I can :)

http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf

Re: Blocking TCP/IP Ports with ProCurve Manager

Phil Barnett — Thu, 24 Jun 2010 08:18:42 GMT

Thanks for all the responses, from what I've been reading in the manual and looking at on the switches I can only apply an ACL to a port on the 5400 which will edit traffic going through that port. As the 2520 don't have ACL natively I'm guessing that you can't push an ACL onto the individual ports of the 2520?

Thanks