Blocking TCP/IP Ports with ProCurve Manager

Phil Barnett · ‎06-16-2010

Hi there

We have just upgraded our network with a HP 5406ZL as our Core switch with edge switches consisting of the 2510 and 2520 range. We were told when we ordered all of the kit that the switches and ProCurve Manager would allow us to block certain ports from being used, e.g the ports that iTunes uses.

We have been told by someone from the same company that you can't limit the ports in this way and we can't find the options because we have a severe lack of knowledge with ProCurve Manager.

Could anyone shine some light on this?

Mohammed Faiz · ‎06-16-2010

Hi,

There's no functionality within PCM that would do that for you that I'm aware of (I'm sure someone else on the forum can confirm/correct this).
The only method that'd you would have to do this would be to create ACLs for the various vlans that you want to restrict traffic on. You could then use PCM to push these ACLs out to the switches but it wouldn't write them for you.

Phil Barnett · ‎06-16-2010

Thanks for the response, would an ACL be able to limit traffic to a particular application on a VLAN? I don't know much on ACLs.

Thanks again

Javed Padinhakara · ‎06-17-2010

As Faiz says, there is no direct way to address this.

However, there is a feature in PCM, where you can create a policy to turn off/on a port(or group of ports), based on criteria's like
- generation of particular event
- scheduled to execute in a periodic manner.

Leveraging this, possibly we could meet your requirement to some extent by determining if the end-user connected to the port exibits certain behaviour which would cause an event to be generated at switch ( and PCM being a trap-listener would get notified ). Once such an event happens, you could configure the Port on/off policy ("Portsettings:Enable/Disable Port) to turn off the required port(s).

Check the admin Guide @
http://cdn.procurve.com/training/Manuals/PCM-AdminGuide-Jan2010-5990-8850.pdf

for various features, especially the section on Policy Manager.

HTH
Javed

ps:-Noticed that you have joined recently and hence thought will share an important the ettique followed in the forum - assign points on scale (1-10) to people trying to help; its an appreciation for the time they spend in responding to your questions

Mohammed Faiz · ‎06-17-2010

An ACL would allow you to limit traffic on a port (and in certain very specific cases, protocol) basis.
So for example here's a line from an ACL that allows DNS traffic from a particular server:

permit udp 0.0.0.0 255.255.255.255 192.168.10.10 0.0.0.0 eq 53

Check out the chapter on ACLs in the manual, it'll explain them much better than I can :)

http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf

Phil Barnett · ‎06-24-2010

Thanks for all the responses, from what I've been reading in the manual and looking at on the switches I can only apply an ACL to a port on the 5400 which will edit traffic going through that port. As the 2520 don't have ACL natively I'm guessing that you can't push an ACL onto the individual ports of the 2520?

Thanks