HPE FlexFabric 7900 Series Security Configuration Manual

HPE FlexFabric 7900 Switch Series
Security

Configuration Guide

Part number: 5200-0992b
Software version: Release 2150 and later
Document version: 6W101-20170622


Summary of Contents for HPE FlexFabric 7900 Series

  • Page 1: Configuration Guide

    HPE FlexFabric 7900 Switch Series Security Configuration Guide Part number: 5200-0992b Software version: Release 2150 and later Document version: 6W101-20170622...
  • Page 2 © Copyright 2016, 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (6); AAA implementation on the device (9); Protocols and standards (10); RADIUS attributes (11); FIPS compliance (14) ...
  • Page 4 Configuration guidelines (60); Configuration procedure (61); Distributing a local host public key (62); Exporting a host public key (62); Displaying a host public key (62); Destroying a local key pair (63) ...
  • Page 5 SSL configuration task list (103); Configuring an SSL server policy (103); Configuring an SSL client policy (106); Displaying and maintaining SSL (108); Configuring IPsec (109); Overview (109); Security protocols and encapsulation modes ...
  • Page 6 IKE negotiation failed because no matching IKE proposals were found (153); IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly (153); IPsec SA negotiation failed because no matching IPsec transform sets were found (154) ...
  • Page 7 Establishing a connection to an SCP server based on Suite B (196); Specifying algorithms for SSH2 (196); Specifying key exchange algorithms for SSH2 (196); Specifying public key algorithms for SSH2 (197); Specifying encryption algorithms for SSH2 ...
  • Page 8 Configuring user validity check (254); Configuring ARP packet validity check (255); Configuring ARP restricted forwarding (256); Enabling ARP attack detection logging (256); Displaying and maintaining ARP attack detection (256); User validity check and ARP packet validity check configuration example ...
  • Page 9 Index (285) ...
  • Page 10: Configuring AAA

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 11: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 12 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 13 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 14 Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes." Table 2 Commonly used RADIUS attributes (two columns of attribute names): left column: User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port; right column: Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause...
  • Page 15: HWTACACS

    (Table 2 continued; two columns of attribute names) left column: Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id; right column: Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes implement functions that the standard RADIUS protocol does not provide.
  • Page 16 Differences between HWTACACS and RADIUS HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability. Table 3 lists the primary differences between HWTACACS and RADIUS. Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS...
  • Page 17 Figure 6 Basic HWTACACS packet exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user tries to log in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user enters the username 6) Continue-authentication packet with the username 7) Authentication response requesting the password 8) Request for password...
  • Page 18: AAA Implementation On The Device

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 19: Protocols And Standards

    • No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method. • Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
  • Page 20: RADIUS Attributes

    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 21 Attribute Description Type of the Accounting-Request packet. Possible values include: • 1—Start. • 2—Stop. • 3—Interim-Update. • 4—Reset-Charge. Acct-Status-Type • 7—Accounting-On. (Defined in the 3rd Generation Partnership Project.) • 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.) • 9 to 14—Reserved for tunnel accounting. •...
  • Page 22 Subattribute Description Operation for the session, used for session control. Possible values include: • 1—Trigger-Request. • 2—Terminate-Request. Command • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
  • Page 23: FIPS Compliance

    Subattribute Description Output-Interval-Gigaword Number of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP Backup source IP address for sending RADIUS packets. Product_ID Product name. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and...
  • Page 24: Configuring AAA Schemes

    Tasks at a glance (Required.) Configure AAA methods for ISP domains: (Required.) Creating an ISP domain (Optional.) Setting the ISP domain status (Required.) Perform at least one of the following tasks to configure AAA authentication, authorization, and accounting methods for the ISP domain: Configuring authentication methods for an ISP domain Configuring authorization methods for an ISP domain Configuring accounting methods for an ISP domain...
  • Page 25 password length, password composition checking, password complexity checking, and login attempt limit. You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password...
  • Page 26 Step: Assign services to the local user. Command: in non-FIPS mode, service-type { ftp | { ssh | telnet | terminal } * }; in FIPS mode, service-type { ssh | terminal } *. Remarks: By default, no service is authorized to a local user. By default, a created local user is in...
  • Page 27 Step: (Optional.) Configure password control attributes. Commands: set the password aging time with password-control aging aging-time; set the minimum password length with password-control length length; configure the password composition policy with password-control composition type-number type-number [ type-length type-length ]. Remarks: Optional. By default, the local user uses the password control attributes of the...
  • Page 28: Configuring RADIUS Schemes

    Step: (Optional.) Configure password control attributes. Commands: set the password aging time with password-control aging aging-time; set the minimum password length with password-control length length; configure the password composition policy with password-control composition type-number type-number [ type-length type-length ]. Remarks: Optional. By default, the user group uses the global password control...
  • Page 29 Tasks at a glance (Optional.) Setting the username format and traffic statistics units (Optional.) Setting the maximum number of RADIUS request transmission attempts (Optional.) Setting the status of RADIUS servers (Optional.) Enabling the RADIUS server load sharing feature (Optional.) Specifying the source IP address for outgoing RADIUS packets (Optional.) Setting RADIUS timers (Optional.)
  • Page 30 To create a RADIUS scheme: 1. Enter system view: system-view. 2. Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (by default, no RADIUS scheme is defined). Specifying the RADIUS authentication servers A RADIUS authentication server completes authentication and authorization together, because authorization information is piggybacked in authentication responses sent to RADIUS clients.
  • Page 31 If redundancy is not required, specify only the primary server. A RADIUS accounting server can act as the primary accounting server for one scheme and a secondary accounting server for another scheme at the same time. When RADIUS server load sharing is enabled, the device distributes the workload over all servers without considering the primary and secondary server roles.
  • Page 32 Step: Specify a shared key for secure RADIUS communication. Command: key { accounting | authentication } { cipher | simple } string. Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as the shared key configured on the RADIUS server.
  • Page 33 NAS does not receive a server response for the request within the response timeout timer. For more information about the RADIUS server response timeout timer, see "Setting RADIUS timers." You can set the maximum number for the NAS to retransmit a RADIUS request to the same server. When the maximum number is reached, the NAS tries to communicate with other RADIUS servers in active state.
  • Page 34 is set to active state, server detection is enabled for the server on which an existing test profile is specified. By default, the device sets the status of all RADIUS servers to active. However, in some situations, you must change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.
  • Page 35 server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server. To enable the RADIUS server load sharing feature: 1. Enter system view: system-view. 2. Enter RADIUS scheme view: radius scheme radius-scheme-name. 3. Enable the RADIUS server load sharing... : algorithm loading-share
  • Page 36 1. Enter RADIUS scheme view: radius scheme radius-scheme-name. 2. Specify a source IP address for outgoing RADIUS packets: nas-ip { ipv4-address | ipv6 ipv6-address }. Remarks: By default, the source IP address specified by the radius nas-ip command in system view is used. If the source IP address is not ...
  • Page 37 IP address of the security policy server on the NAS. The security policy server is the management and control center of the HPE EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 38 • Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. An Access-Accept packet received for a user must contain the matching attribute value. Otherwise, the user cannot log in to the device. Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
  • Page 39: Configuring HWTACACS Schemes

    Configuring HWTACACS schemes Configuration task list Tasks at a glance (Required.) Creating an HWTACACS scheme (Required.) Specifying the HWTACACS authentication servers (Optional.) Specifying the HWTACACS authorization servers (Optional.) Specifying the HWTACACS accounting servers (Required.) Specifying the shared keys for secure HWTACACS communication (Optional.) Specifying an MPLS L3VPN instance for the scheme (Optional.)
  • Page 40 Step: Specify HWTACACS... Specify the primary HWTACACS authentication server: primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *. Remarks: By default, no authentication server is specified. Two HWTACACS authentication...
  • Page 41 If redundancy is not required, specify only the primary server. An HWTACACS server can act as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP, SFTP, and SCP users. To specify HWTACACS accounting servers for an HWTACACS scheme: Step Command...
  • Page 42 1. Enter system view: system-view. 2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. 3. Specify a VPN instance for the HWTACACS scheme: vpn-instance vpn-instance-name (by default, an HWTACACS scheme belongs to the public network). Setting the username format and traffic statistics units A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 43 • The IP address specified in system view applies to all HWTACACS schemes in which the HWTACACS servers are in a VPN or the public network. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme.
  • Page 44 • If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority.
  • Page 45: Configuring AAA Methods For ISP Domains

    Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-defined AAA methods for users in the domain.
  • Page 46: Configuring Authentication Methods For An ISP Domain

    1. Enter system view: system-view. 2. Enter ISP domain view: domain isp-name. 3. Set the state of the ISP domain: state { active | block }. By default, an ISP domain is in active state, and users in the domain can request network services.
  • Page 47: Configuring Authorization Methods For An ISP Domain

    Step: Specify user role authentication methods. Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *. Remarks: By default, the default authentication methods are used for user role authentication. Configuring authorization methods for an ISP domain Configuration prerequisites Before configuring authorization methods, complete the following tasks: Determine the access type or service type to be configured.
  • Page 48: Configuring Accounting Methods For An ISP Domain

    Configuring accounting methods for an ISP domain Configuration prerequisites Before configuring accounting methods, complete the following tasks: Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type. Determine whether to configure the default accounting method for all access types or service types.
  • Page 49: Setting The Maximum Number Of Concurrent Login Users

    1. Enter system view: system-view. 2. Enable the session-control feature: radius session-control enable (by default, the session-control feature is disabled). Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users that can log on to the device through a specific protocol, regardless of their authentication methods.
  • Page 50 Figure 9 Network diagram Configuration procedure Configure the HWTACACS server: # Set the shared keys for secure communication with the switch to expert. (Details not shown.) # Add an account for the SSH user and specify the password. (Details not shown.) Configure the switch: # Assign IP addresses to the interfaces.
  • Page 51: Local Authentication, HWTACACS Authorization, And RADIUS Accounting For SSH Users

    [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Enable the default user role feature to assign authenticated SSH users the default user role network-operator. [Switch] role default-role enable Verifying the configuration # Initiate an SSH connection to the switch, and enter the correct username and password. The user logs in to the switch.
  • Page 52: Authentication And Authorization For SSH Users By A RADIUS Server

    [Switch] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Configure an HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 [Switch-hwtacacs-hwtac] key authorization simple expert [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit...
  • Page 53 • Include domain names in the usernames sent to the RADIUS server. • Assign the default user role network-operator to SSH users after they pass authentication. The RADIUS server runs on IMC. Add an account with the username hello@bbb on the RADIUS server.
  • Page 54 Figure 12 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: a.
  • Page 55 Figure 13 Adding an account for device management Configure the switch: # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 56: Troubleshooting RADIUS

    [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include domain names in the usernames sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain [Switch-radius-rad] quit # Create ISP domain bbb and configure authentication, authorization, and accounting methods...
  • Page 57: RADIUS Packet Delivery Failure

    If the problem persists, contact Hewlett Packard Enterprise Support. RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The NAS is not configured with the IP address of the RADIUS server. •...
  • Page 58: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 59: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password does not meet the complexity requirements, the configuration fails. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 60: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 61: FIPS Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 62: Setting Global Password Control Parameters

    1. Enter system view: system-view. 2. Enable the global password control feature: password-control enable. Remarks: In non-FIPS mode, the global password control feature is disabled by default. In FIPS mode, the global password control feature is enabled and cannot be disabled by default.
  • Page 63: Setting User Group Password Control Parameters

    Step: Set the maximum number of password records for each user. Command: password-control history max-record-num. Remarks: The default setting is 4. Step: Configure the login attempt limit. Command: password-control login-attempt login-times [ exceed { lock | ... Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
  • Page 64: Setting Local User Password Control Parameters

    Setting local user password control parameters 1. Enter system view: system-view. 2. Create a device management user and enter ...: local-user user-name class manage. Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 65: Displaying And Maintaining Password Control

    1. Enter system view: system-view. 2. Set the password expiration time for super passwords: password-control super aging aging-time (the default setting is 90 days). 3. Configure the minimum ...: password-control super length ... (in non-FIPS mode, the default setting is 10 characters).
  • Page 66: Configuration Procedure

    • The minimum password update interval is 36 hours. • The maximum account idle time is 30 days. • A password cannot contain the username or the reverse of the username. • No character appears consecutively three or more times in a password. Configure a super password control policy for user role network-operator to meet the following requirements: •...
  • Page 67: Verifying The Configuration

    # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text. [Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%! Updating user information. Please wait... # Create a device management user named test. [Sysname] local-user test class manage # Set the service type of the user to Telnet.
  • Page 68 <Sysname> display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type: Telnet User group: system Bind attributes: Authorization attributes: Work directory: flash: User role list: network-operator Password control configurations: Password aging: Enabled (20 days) Password length: Enabled (24 characters)
  • Page 69: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 14.
  • Page 70: Configuration Procedure

    • Enter an appropriate key modulus length at the prompt (see Table 5). The longer the key modulus length, the higher the security and the longer the key generation time. • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 71: Distributing A Local Host Public Key

    Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 72: Destroying A Local Key Pair

    Task Command Display local ECDSA public keys. display public-key local ecdsa public [ name key-name ] Display local DSA public keys. display public-key local dsa public [ name key-name ] NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:...
  • Page 73: Entering A Peer Host Public Key

    Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
  • Page 74 Figure 15 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 75: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA...
  • Page 76 <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 77 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s)
  • Page 78: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 79: Pki Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 80: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 81: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 82: Configuring A Pki Domain

    Step: Create a PKI entity and enter its view. Command: pki entity entity-name. Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step.
    Step: Set a common name for the entity. Command: common-name. Remarks: By default, the common name is not...
  • Page 83 Step: Specify the certificate request URL. Command: certificate request url url-string [ vpn-instance vpn-instance-name ]. Remarks: By default, the certificate request URL is not specified. Do not configure this command when you request a certificate in offline mode. Step: (Optional.) Set the SCEP polling interval... Remarks: By default, the switch polls the CA server for the certificate request...
  • Page 84: Requesting A Certificate

    Step 11: (Optional.) Specify the intended use for the certificate. Command: usage { ike | ssl-client | ssl-server } *. Remarks: By default, the certificate can be used by all applications, including IKE, SSL clients, and SSL server. The extension options contained in an issued certificate depend on...
  • Page 85: Configuring Automatic Certificate Request

    • A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature, and one local certificate for encryption.
  • Page 86: Aborting A Certificate Request

    Step: Obtain the CA certificate. Remarks: See "Obtaining certificates." Step: Submit a certificate request or generate a certificate request in... Command: pki request-certificate domain domain-name [ password password ]. Remarks: This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair specified in the PKI domain...
  • Page 87: Configuration Guidelines

    Configuration guidelines • To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password. • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
  • Page 88: Verifying Certificates Without Crl Checking

    If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained. To verify certificates with CRL checking: Step Command Remarks Enter system view.
  • Page 89: Exporting Certificates

    After you change the storage path for certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
  • Page 90: Configuring A Certificate-Based Access Control Policy

    To remove a certificate: Step: Enter system view. Command: system-view. Step: Remove a certificate. Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Remarks: If you use the peer keyword without specifying a serial number, the command removes all peer certificates.
  • Page 91: Displaying And Maintaining Pki

    Step: Create a certificate access control rule. Command: rule [ id ] { deny | permit } group-name. Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple access control rules for a certificate-based access control policy.
  • Page 92 Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 93 ......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
  • Page 94: Requesting A Certificate From A Windows Server 2003 Ca Server

    Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption (signature value omitted) To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
  • Page 95 a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu. b. Select Web Sites from the navigation tree. c. Right-click Default Web Site and select Properties > Home Directory. d. Specify the path for certificate service in the Local path box. e.
  • Page 96 SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain winserver Start to request the general certificate ... …… Certificate requested successfully. Verifying the configuration # Display information about the local certificate in PKI domain winserver.
  • Page 97: Requesting A Certificate From An Openca Server

    herment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption (signature value omitted)...
  • Page 98 Configuring the OpenCA server The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use the OpenCA version later than version 0.9.2 because the earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 99 fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request the general certificate ... ……...
  • Page 100: Certificate Import And Export Configuration Example

    Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl...
  • Page 101 Figure 22 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a .pem file. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 102 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 103 Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63: ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:...
  • Page 104 Signature Algorithm: sha256WithRSAEncryption (signature value omitted) Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 105: Troubleshooting Pki Configuration

    X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/...
  • Page 106: Failed To Obtain The Ca Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 107: Failed To Request Local Certificates

    Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements. Obtain the CRL from the CRL repository. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 108: Failed To Import The Ca Certificate

    Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No CA certificate has been obtained before you try to obtain CRLs. • The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.
  • Page 109: Failed To Import A Local Certificate

    Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain does not have a locally stored CA certificate, and the certificate file to be imported does not contain the CA certificate chain. •...
  • Page 110: Failed To Set The Storage Path

    If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis • The specified storage path does not exist. • The specified storage path is illegal. •...
  • Page 111: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 112: Fips Compliance

    Figure 24 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds a MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 113 Step: (Optional.) Disable specific SSL protocol versions. Command: • In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable •... Remarks: By default: • In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. •...
  • Page 114 Step: Specify the cipher suites... Command: • In non-FIPS mode: ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 |... Remarks: By default, an SSL server...
  • Page 115: Configuring An Ssl Client Policy

    Configuring an SSL client policy An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS. To configure an SSL client policy: Step Command...
  • Page 116 Step Command Remarks • In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | •...
  • Page 117: Displaying And Maintaining Ssl

    Step: Specify the SSL version for the SSL client policy. Command: • In non-FIPS mode: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } •... Remarks: By default, an SSL client policy uses TLS 1.0. As a best practice to ensure...
  • Page 118: Configuring Ipsec

    Configuring IPsec The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: •...
  • Page 119: Security Protocols And Encapsulation Modes

    Security protocols and encapsulation modes Security protocols IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide. • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 27.
  • Page 120: Security Association

    Figure 27 shows how the security protocols encapsulate an IP packet in different encapsulation modes. Figure 27 Security protocol encapsulations in different modes (figure: AH, ESP, and AH-ESP encapsulations in transport mode and tunnel mode) Security association...
  • Page 121: Authentication And Encryption

    Authentication and encryption Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates a message digest for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
  • Page 122: Protocols And Standards

    • Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. • Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
  • Page 123: Implementing Acl-Based Ipsec

    Implementing ACL-based IPsec Feature restrictions and guidelines ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect all the data flows and voice flows that are forwarded by the device.
  • Page 124: Configuring An Acl

    Configuring an ACL IPsec uses ACLs to identify the traffic to be protected. Keywords in ACL rules An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
  • Page 125 Step: Create an IPsec transform set and enter its view. Command: ipsec transform-set transform-set-name. Remarks: By default, no IPsec transform set exists. Step: Optional. Specify the security protocol for the IPsec transform set. Command: protocol { ah | ah-esp | esp }. Remarks: By default, the IPsec transform set...
  • Page 126: Configuring A Manual Ipsec Policy

    Step: (Optional.) Enable the... Command: • In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 |... Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the...
  • Page 127 Step: (Optional.) Configure a description for the IPsec policy. Command: description text. Remarks: By default, no description is configured. Step: Specify an ACL for the IPsec policy. Command: security acl [ ipv6 ] { acl-number... Remarks: By default, no ACL is specified for an IPsec policy.
  • Page 128: Configuring An Ike-Based Ipsec Policy

    Step Command Remarks • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value • Configure an authentication key in character format for... Remarks: By default, no keys are configured for the IPsec SA.
  • Page 129 • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. For an IPsec SA established through IKE negotiation: •...
  • Page 130 Step: Specify the local IP address... Command: local-address { ipv4-address |... Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which...
  • Page 131 Step: (Optional.) Configure a description for the IPsec policy template. Command: description text. Remarks: By default, no description is configured. Step: (Optional.) Specify an ACL for the IPsec policy template. Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation |... Remarks: By default, no ACL is specified for an IPsec policy template.
  • Page 132: Applying An Ipsec Policy To An Interface

    Step 14: Configure the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. Remarks: By default, time-based SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes. Step 15: (Optional.) Enable the global IPsec SA idle timeout feature, and set the global... Command: ipsec sa idle-time seconds. Remarks: By default, the global IPsec SA...
  • Page 133: Configuring Ipsec Anti-Replay

    Step: Enter system view. Command: system-view. Step: Enable ACL checking for de-encapsulated packets. Command: ipsec decrypt-check enable. Remarks: By default, this feature is enabled. Configuring IPsec anti-replay The IPsec anti-replay feature protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This feature checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window.
  • Page 134: Binding A Source Interface To An Ipsec Policy

    • IPsec anti-replay sequence numbers for outbound packets. This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails. To configure IPsec anti-replay redundancy: Step Command Remarks Enter system view.
  • Page 135: Enabling Qos Pre-Classify

    Step: Bind a source interface to an IPsec policy. Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number. Remarks: By default, no source interface is bound to an IPsec policy. Enabling QoS pre-classify If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec.
  • Page 136: Configuring Ipsec For Ipv6 Routing Protocols

    You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting. Follow these guidelines when you configure the DF bit: •...
  • Page 137 • The IPsec transform set used by the IPsec profile at the two tunnel ends must have the same security protocol, encryption and authentication algorithms, and packet encapsulation mode. • The local inbound and outbound IPsec SAs must have the same SPI and key. The IPsec SAs on the devices in the same scope must have the same key.
  • Page 138: Configuring Snmp Notifications For Ipsec

    Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications.
  • Page 139: Ipsec Configuration Examples

    Task: Clear IPsec statistics. Command: reset ipsec statistics [ tunnel-id tunnel-id ]. IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 28, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches.
  • Page 140 # Apply the IPsec transform set tran1. [SwitchA-ipsec-policy-manual-map1-10] transform-set tran1 # Specify the remote IP address of the IPsec tunnel as 2.2.3.1. [SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP.
  • Page 141: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba [SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg [SwitchB-ipsec-policy-manual-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected.
  • Page 142 Figure 29 Network diagram Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Configure an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit...
  • Page 143 # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1. [SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1 [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1 # Apply the IKE profile profile1. [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Specify the card in slot 1 for processing the traffic on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] service slot 1 # Apply the IPsec policy map1 to VLAN-interface 1.
  • Page 144: Configuring Ipsec For Ripng

    # Apply ACL 3101. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Apply the IPsec transform set tran1. [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1. [SwitchB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1 [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1 # Apply the IKE profile profile1.
  • Page 145 # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. <SwitchA> system-view [SwitchA] ripng 1 [SwitchA-ripng-1] quit [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ripng 1 enable [SwitchA-Vlan-interface100] quit # Create and configure the IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 [SwitchA-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchA-ipsec-transform-set-tran1] protocol esp...
  • Page 146 [SwitchB-ipsec-profile-profile001] transform-set tran1 [SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456 [SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456 [SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [SwitchB-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1. [SwitchB] ripng 1 [SwitchB-ripng-1] enable ipsec-profile profile001 [SwitchB-ripng-1] quit...
  • Page 147 Checkzero : Enabled Default Cost : 0 Maximum number of balanced paths : 8 Update time 30 sec(s) Timeout time 180 sec(s) Suppress time : 120 sec(s) Garbage-Collect time : 120 sec(s) Number of periodic updates sent : 186 Number of trigger updates sent : 1 IPsec profile name: profile001 # Use the display ipsec sa command to display the established IPsec SAs.
  • Page 148: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 149: Ike Security Mechanism

    Figure 32 IKE exchange process in main mode As shown in Figure 32, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 150: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because recovering the shared keys from the exchanged material is computationally infeasible, a third party cannot obtain the keys even after intercepting all of the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 151: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Configuring the IKE keepalive feature (Optional.) Configuring the IKE NAT keepalive feature (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation.
  • Page 152 Step Command Remarks Enter system view. system-view Create an IKE profile and By default, no IKE profile is ike profile profile-name enter its view. configured. match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] By default, an IKE profile has | range low-ipv4-address no peer ID.
  • Page 153: Configuring An Ike Proposal

    Step Command Remarks By default, no inside VPN instance is specified for an IKE profile, and the device 10. (Optional.) Specify an inside inside-vpn vpn-instance vpn-name forwards protected data to the VPN instance. VPN instance where the interface receiving the data resides.
  • Page 154: Configuring An Ike Keychain

    Step Command Remarks • In non-FIPS mode: By default, an IKE proposal uses authentication-algorithm the HMAC-SHA1 authentication { md5 | sha | sha256 | sha384 | Specify an authentication algorithm in non-FIPS mode and sha512 } algorithm for the IKE the HMAC-SHA256 •...
  • Page 155: Configuring The Global Identity Information

    Step Command Remarks • In non-FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | By default, no pre-shared key is hostname host-name } key configured. { cipher cipher-key | simple For security purposes, all Configure a pre-shared simple-key }...
  • Page 156: Configuring The Ike Keepalive Feature

    Configuring the IKE keepalive feature IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 157: Enabling Invalid Spi Recovery

    The local device sends a DPD message to the peer, and waits for a response from the peer. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message. If still no response is received within the retry interval, the local end sends the DPD message again.
  • Page 158: Setting The Maximum Number Of Ike Sas

    Setting the maximum number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
  • Page 159: Displaying And Maintaining Ike

    Displaying and maintaining IKE Execute display commands in any view and reset commands in user view. Task Command Display configuration information about all IKE display ike proposal proposals. display ike sa [ verbose [ connection-id Display information about the current IKE SAs. connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ] Delete IKE SAs.
  • Page 160 # Use the ESP protocol for the IPsec transform set. [SwitchA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192 [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create IKE keychain keychain1. [SwitchA] ike keychain keychain1 # Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2.
  • Page 161: Verifying The Configuration

    # Create IPsec transform set tran1. [SwitchB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit...
  • Page 162: Troubleshooting Ike

    Troubleshooting IKE IKE negotiation failed because no matching IKE proposals were found Symptom The IKE SA is in Unknown state. <Sysname> display ike sa Connection-ID Remote Flag ------------------------------------------------------------------ 192.168.222.5 Unknown IPSEC Flags: RD--READY RL--REPLACED FD-FADING When IKE event debugging and packet debugging are enabled, the following messages appear: IKE event debugging message: The attributes are unacceptable.
  • Page 163: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    Analysis • If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal: Failed to find proposal 1 in profile profile1. • If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain: Failed to find keychain keychain1 in profile profile1.
  • Page 164 Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy has an IKE profile specified, the IPsec SA negotiation fails. # Verify that matching IKE profiles were found in IKE negotiation phase 1.
  • Page 165 SA idle time: Verify that the ACL used by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail. For example, if the initiator's ACL defines a flow from one network segment to another but the responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.
  • Page 166 Advanced ACL 3000, named -none-, 2 rules, ACL's step is 5 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255 Configure the missing settings (for example, the remote address).
  • Page 167: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and greater key exchange capability, and needs fewer message exchanges than IKEv1.
  • Page 168: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 169: Configuring An Ikev2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 170 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 171 Step Command Remarks By default, no keychain is specified for an IKEv2 profile. Specify a keychain. keychain keychain-name Perform this task when the pre-shared key authentication method is specified. By default, the device uses PKI domains configured in system view. certificate domain domain-name Specify a PKI domain.
  • Page 172: Configuring An Ikev2 Policy

    Step Command Remarks 15. (Optional.) Enable the config-exchange { request | set By default, all configuration configuration exchange { accept | send } } exchange options are disabled. feature. Configuring an IKEv2 policy During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
  • Page 173 You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. To configure an IKEv2 proposal: Step Command Remarks Enter system view. system-view By default, an IKEv2 proposal named default exists. In non-FIPS mode, the default proposal uses the following settings: •...
  • Page 174: Configuring An Ikev2 Keychain

    Step Command Remarks In non-FIPS mode: dh { group1 | group14 | group19 | group2 | group20 | group24 | By default, an IKEv2 proposal does group5 } * Specify the DH groups. not have any DH groups. In FIPS mode: dh { group14 | group19 | group20 | group24 } * Configuring an IKEv2 keychain...
  • Page 175: Configure Global Ikev2 Parameters

    Configure global IKEv2 parameters Enabling the cookie challenging feature Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests. To enable cookie challenging: Step Command Remarks Enter system view.
  • Page 176: Displaying And Maintaining Ikev2

    Step Command Remarks Set the IKEv2 NAT keepalive By default, the IKEv2 NAT ikev2 nat-keepalive seconds interval. keepalive interval is 10 seconds. Displaying and maintaining IKEv2 Execute display commands in any view and reset commands in user view. Task Command Display the IKEv2 proposal configuration.
  • Page 177 # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl advanced 3101 [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel.
  • Page 178 [SwitchA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1 [SwitchA-Vlan-interface1] quit Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
  • Page 179: Ikev2 With Rsa Signature Authentication Configuration Example

    [SwitchB-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0 [SwitchB-ikev2-profile-profile1] quit # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10. [SwitchB] ipsec policy use1 10 isakmp # Specify remote IP address 1.1.1.1 for the IPsec tunnel. [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1 # Specify ACL 3101 to identify the traffic to be protected.
  • Page 180 [SwitchA-vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl advanced 3101 [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel.
  • Page 181 [SwitchA-ikev2-profile-profile1] certificate domain domain1 # Set the local ID to FQDN name www.switcha.com. [SwitchA-ikev2-profile-profile1] identity local fqdn www.switcha.com # Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.routerb.com. [SwitchA-ikev2-profile-profile1] match remote identity fqdn www.routerb.com [SwitchA-ikev2-profile-profile1] quit # Create an IKEv2 proposal named 10.
  • Page 182 [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 183 [SwitchB-ikev2-profile-profile2] match remote identity fqdn www.switcha.com [SwitchB-ikev2-profile-profile2] quit # Create an IKEv2 proposal named 10. [SwitchB] ikev2 proposal 10 # Specify the integrity protection algorithm as HMAC-MD5. [SwitchB-ikev2-proposal-10] integrity md5 # Specify the encryption algorithm as 3DES-CBC. [SwitchB-ikev2-proposal-10] encryption 3des-cbc # Specify the DH group as Group 1.
  • Page 184: Troubleshooting Ikev2

    Troubleshooting IKEv2 IKEv2 negotiation failed because no matching IKEv2 proposals were found Symptom The IKEv2 SA is in IN-NEGO status. <Sysname> display ikev2 sa Tunnel ID Local Remote Status --------------------------------------------------------------------------- 123.234.234.124/500 123.234.234.123/500 IN-NEGO Status: IN-NEGO: Negotiating, EST: Establish, DEL:Deleting Analysis Certain IKEv2 proposal settings are incorrect.
  • Page 185 Solution Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
  • Page 186: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 187: Ssh Authentication Methods

    Table 6 Stages to establish an SSH session Stages Description The SSH server listens for connection requests on port 22. After a Connection establishment client initiates a connection request, the server and the client establish a TCP connection. Version negotiation The two parties determine a version to use after negotiation.
  • Page 188: Ssh Support For Suite B

    correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client. For more information about AAA, see "Configuring AAA." NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server. Publickey authentication The server authenticates a client by verifying the digital signature of the client.
  • Page 189: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Configuring the device as an SSH server SSH server configuration task list Tasks at a glance Remarks...
  • Page 190: Enabling The Stelnet Server

    Configuration guidelines When you generate local key pairs, follow these restrictions and guidelines: • The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. If both RSA and ECDSA key pairs exist on the server, the server uses the ECDSA key pair. •...
  • Page 191: Enabling The Scp Server

    Step Command Remarks By default, the SFTP server is Enable the SFTP server. sftp server enable disabled. Enabling the SCP server After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.
  • Page 192: Configuring A Client's Host Public Key

    Step Command Remarks Enter VTY user line view. line vty number [ ending-number ] By default, the authentication mode is password. Set the login authentication authentication-mode scheme For more information about this mode to scheme. command, see Fundamentals Command Reference. Configuring a client's host public key In publickey authentication, the server compares the SSH username and client's host public key that it receives from the client with those locally saved.
  • Page 193: Configuring An Ssh User

    Importing the client's host public key from the public key file Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
  • Page 194: Setting The Ssh Management Parameters

    For a client that sends the user's public key information to the server through a digital certificate, specify a PKI domain on the server to verify the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. To specify the PKI domain, use the ssh user or ssh server pki-domain command.
  • Page 195: Specifying A Pki Domain For The Ssh Server

    Step Command Remarks The default setting is 3. If the authentication method is Set the maximum number of ssh server any, the total number of publickey SSH authentication authentication-retries times authentication attempts and attempts. password authentication attempts cannot exceed the upper limit. •...
  • Page 196: Configuring The Device As An Stelnet Client

    Configuring the device as an Stelnet client Stelnet client configuration task list Tasks at a glance (Optional.) Specifying the source IP address for SSH packets (Required.) Establishing a connection to an Stelnet server (Optional.) Establishing a connection to an Stelnet server based on Suite B Specifying the source IP address for SSH packets As a best practice, specify the IP address of a loopback interface as the source address of SSH packets for the following purposes:...
  • Page 197 Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 |...
  • Page 198: Establishing A Connection To An Stelnet Server Based On Suite B

    Establishing a connection to an Stelnet server based on Suite B Task Command Remarks • Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source...
  • Page 199: Establishing A Connection To An Sftp Server

    Step Command Remarks Enter system view. system-view By default, the source IP address for SFTP packets is not • Specify the source IPv4 address configured. for SFTP packets: For IPv4 SFTP packets, the sftp client source { ip ip-address device uses the primary IPv4 | interface interface-type Specify the source address of the output interface in...
  • Page 200 Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1...
  • Page 201: Establishing A Connection To An Sftp Server Based On Suite B

    Establishing a connection to an SFTP server based on Suite B After the connection is established, you are in SFTP client view of the server and can perform file or directory operations. To establish a connection to an SFTP server based on Suite B: Task Command Remarks...
  • Page 202: Working With Sftp Files

    Working with SFTP files Task Command Remarks Change the name of a file on the rename old-name new-name Available in SFTP client view. SFTP server. Download a file from the remote get remote-file [ local-file ] Available in SFTP client view. server and save it locally.
  • Page 203 • If you choose to not continue, the connection cannot be established. As a best practice, configure the server's host public key on the device in an insecure network. The client cannot establish connections to both IPv4 and IPv6 SCP servers. To transfer files with an SCP server:...
  • Page 204 Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |...
  • Page 205: Establishing A Connection To An Scp Server Based On Suite B

    Establishing a connection to an SCP server based on Suite B Task Command Remarks • Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain...
  • Page 206: Specifying Public Key Algorithms For Ssh2

    Step Command Remarks • In non-FIPS mode: ssh2 algorithm key-exchange By default, SSH2 uses the key { dh-group-exchange-sha1 exchange algorithms | dh-group1-sha1 | ecdh-sha2-nistp256, dh-group14-sha1 | ecdh-sha2-nistp384, ecdh-sha2-nistp256 | Specify key exchange dh-group-exchange-sha1, ecdh-sha2-nistp384 } * algorithms for SSH2. dh-group14-sha1, and •...
  • Page 207: Specifying Mac Algorithms For Ssh2

    Specifying MAC algorithms for SSH2 Step Command Remarks Enter system view. system-view • In non-FIPS mode: ssh2 algorithm mac { md5 | By default, SSH2 uses the MAC md5-96 | sha1 | sha1-96 | algorithms sha2-256, sha2-512, sha2-256 | sha2-512 } * Specify MAC algorithms for sha1, md5, sha1-96, and md5-96 •...
  • Page 208 • The switch acts as the Stelnet server and uses password authentication. • The username and password of the client are saved on the switch. Figure 37 Network diagram Stelnet client Stelnet server Vlan-int2 192.168.1.56/24 192.168.1.40/24 Host Switch Configuration procedure Configure the Stelnet server: # Generate RSA key pairs.
  • Page 209 [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Create a local device management user named client001. [Switch] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [Switch-luser-manage-client001] password simple aabbcc [Switch-luser-manage-client001] service-type ssh # Assign the network-admin user role to the user.
  • Page 210: Publickey Authentication Enabled Stelnet Server Configuration Example

    c. Click Open to connect to the server. If the connection is successfully established, the system prompts you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server. Publickey authentication enabled Stelnet server configuration example Network requirements...
  • Page 211 Figure 40 Generating a key pair on the client b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 41. Otherwise, the progress bar stops moving and the key pair generating progress stops.
  • Page 212 c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. d. Enter a file name (key.pub in this example), and click Save. Figure 42 Saving a key pair on the client e.
  • Page 213 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully.
  • Page 214 Figure 43 Specifying the host name (or IP address) c. Select Connection > SSH from the navigation tree. The window shown in Figure 44 appears. d. Specify the Preferred SSH protocol version as 2 in the Protocol options area. Figure 44 Specifying the preferred SSH version...
  • Page 215: Password Authentication Enabled Stelnet Client Configuration Example

    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 45 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 45 Specifying the private key file g.
  • Page 216 Configuration procedure Configure the Stelnet server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 217 # Assign the network-admin user role to the user. [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Create an SSH user named client001. Specify the service type as stelnet and the authentication method as password for the user. By default, password authentication is used if no SSH user is created.
  • Page 218 [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. client001@192.168.1.40's password: Enter a character ~ and a dot to abort.
  • Page 219: Publickey Authentication Enabled Stelnet Client Configuration Example

    Publickey authentication enabled Stelnet client configuration example Network requirements As shown in Figure • You can log in to Switch B through the Stelnet client that runs on Switch A. • After login, you are assigned the user role network-admin for configuration management. •...
  • Page 220 Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [SwitchB] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 221: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    <SwitchA> ssh2 192.168.1.40 Username: client002 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n client002@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent,...
  • Page 222 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet client. # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
  • Page 223 # Create a PKI domain named client256 for the client's certificate and enter its view. [SwitchA] pki domain client256 # Disable CRL checking. [SwitchA-pki-domain-client256] undo crl check enable [SwitchA-pki-domain-client256] quit # Import the local certificate file ssh-client-ecdsa256.p12 to the PKI domain client256.
  • Page 224 # Assign an IP address to VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0 [SwitchA-Vlan-interface2] quit Configure the Stelnet server: # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file...
  • Page 225: Sftp Configuration Examples

    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Create an SSH user named client001. Specify the authentication method publickey for the user and specify client256 as the PKI domain for verifying the client's certificate. [SwitchB] ssh user client001 service-type stelnet authentication-type publickey assign pki-domain client256 Establish an SSH connection to the Stelnet server based on the 128-bit Suite B algorithms.
  • Page 226 Figure 49 Network diagram Configuration procedure Configure the SFTP server: # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 227: Publickey Authentication Enabled Sftp Client Configuration Example

    [Switch-luser-manage-client002] password simple aabbcc [Switch-luser-manage-client002] service-type ssh [Switch-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/ [Switch-luser-manage-client002] quit # Create an SSH user named client002. Specify the authentication method as password and the service type as sftp for the user. By default, password authentication is used if no SSH user is created.
  • Page 228 • After login, you are assigned the user role network-admin to execute file management and transfer operations. • Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm. Figure 51 Network diagram Configuration procedure In the server configuration, the client's host public key is required.
  • Page 229 ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [SwitchB] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 230 # Display files under the current directory of the server, delete the file z, and verify the result. sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey...
  • Page 231: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 232 [SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
  • Page 233 # Disable CRL checking. [SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit # Import the local certificate file ssh-client-ecdsa384.p12 to the PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 234 # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Configure the SFTP server: # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.) # Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain.
  • Page 235: Scp Configuration Examples

    SCP configuration examples Unless otherwise noted, devices in the configuration example are in non-FIPS mode. When you configure SCP on devices operating in FIPS mode, follow these restrictions and guidelines: • The modulus length of the key pair must be 2048 bits. •...
  • Page 236 .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+. Create the key pair successfully. # Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the SCP server. [SwitchB] scp server enable # Configure an IP address for VLAN-interface 2. The SCP client uses this address as the destination for SCP connection.
  • Page 237: Scp Configuration Example Based On Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 238 # Display information about local certificates in the PKI domain server256. [SwitchA] display pki certificate domain server256 local Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:39:51 2015 GMT Not After : Aug 20 08:39:51 2016 GMT Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Server secp256 Subject Public Key Info:...
  • Page 239 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: client256]: # Display information about local certificates in the PKI domain client256.
  • Page 240 [SwitchA-pki-domain-server384] quit # Import the local certificate file ssh-server-ecdsa384.p12 to the PKI domain server384. [SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 241 # Create a PKI domain named client384 for the client's certificate ecdsa384 and enter its view. [SwitchA] pki domain client384 # Disable CRL checking. [SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit # Import the local certificate file ssh-client-ecdsa384.p12 to the PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair.
  • Page 242 # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit Configure the SCP server: # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP.
  • Page 243: Netconf Over Ssh Configuration Example With Password Authentication

    Establish an SCP connection to the SCP server: Based on the 128-bit Suite B algorithms: # Specify server256 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server256 # Create an SSH user client001. Specify the authentication method publickey for the user and specify client256 as the PKI domain for verifying the client's certificate.
  • Page 244: Network Requirements

    Network requirements As shown in Figure • The switch uses local password authentication. • The client's username and password are saved on the switch. Establish a NETCONF-over-SSH connection between the host and the switch, so that you can perform NETCONF operations after logging in to the switch. Figure 55 Network diagram Configuration procedure # Generate RSA key pairs.
  • Page 245: Verifying The Configuration

    [Switch] netconf ssh server enable # Configure an IP address for VLAN-interface 2. The client uses this address as the destination for NETCONF-over-SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit...
  • Page 246: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG binding table can include global and interface-specific bindings.
  • Page 247: Dynamic Ipsg Bindings

    Static IPv4SG bindings on an interface implement the following functions: • Filter IPv4 or IPv6 incoming packets on the interface. • Cooperate with ARP detection in IPv4 for user validity checking. For information about ARP detection, see "Configuring ARP attack protection."...
  • Page 248: Configuring The Ipv4Sg Feature

    Configuring the IPv4SG feature You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group. Enabling IPv4SG on an interface When you enable IPSG on an interface, the static and dynamic IPSG are both enabled. •...
  • Page 249: Configuring The Ipv6Sg Feature

    Configuring a static IPv4SG binding on an interface
    Step 1: Enter system view. Command: system-view
    Step 2: Enter interface view. Command: interface interface-type interface-number. Remarks: The following interface types are supported: Layer 2 Ethernet interface, Layer 3 Ethernet interface, VLAN interface.
    By default, no static IPv4SG bindings exist on an interface.
  • Page 250: Configuring A Static Ipv6Sg Binding

    Configuring a static IPv6SG binding You can configure global static and interface-specific static IPv6SG bindings. Global static bindings take effect on all interfaces. Interface-specific static bindings take priority over global static bindings. An interface first uses the bindings on the interface to match packets. If no match is found, the interface uses the global bindings.
  • Page 251: Ipsg Configuration Examples

    Task: Display IPv6SG bindings (in standalone mode). Command: display ipv6 source binding [ static ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
    Task: Display IPv6SG bindings (in IRF mode). Command: display ipv6 source binding [ static ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type...
  • Page 252: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    # On FortyGigE 1/0/1, configure a static IPv4SG binding for Host A. [SwitchA-FortyGigE1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [SwitchA-FortyGigE1/0/1] quit Configure Switch B: # Configure an IP address for each interface. (Details not shown.) # Enable IPv4SG on FortyGigE 1/0/2. <SwitchB>...
  • Page 253: Dynamic Ipv4Sg Using Dhcp Relay Agent Configuration Example

    Figure 58 Network diagram Configuration procedure Configure the DHCP server: For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide. Configure the device: # Configure IP addresses for the interfaces. (Details not shown.) # Enable DHCP snooping. <Switch> system-view [Switch] dhcp snooping enable # Configure FortyGigE 1/0/2 as a trusted interface.
  • Page 254: Static Ipv6Sg Configuration Example

    Figure 59 Network diagram Configuration procedure Configure dynamic IPv4SG: # Configure IP addresses for the interfaces. (Details not shown.) # Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG. <Switch> system-view [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip verify source ip-address mac-address [Switch-Vlan-interface100] quit Configure the DHCP relay agent:...
  • Page 255 Configuration procedure # Enable IPv6SG on FortyGigE 1/0/1. <Switch> system-view [Switch] interface fortygige 1/0/1 [Switch-FortyGigE1/0/1] ipv6 verify source ip-address mac-address # On FortyGigE 1/0/1, configure a static IPv6SG binding for the host. [Switch-FortyGigE1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202 [Switch-FortyGigE1/0/1] quit Verifying the configuration # Verify that the static IPv6SG binding is configured successfully on the switch.
  • Page 256: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 257: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 258: Configuration Example

    Configuration example Network requirements As shown in Figure 61, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack.
  • Page 259: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP attack detection-enabled device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash. To solve this problem, configure ARP packet rate limit.
  • Page 260: Configuring Source Mac-Based Arp Attack Detection

    Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
  • Page 261: Configuration Example

    Configuration example Network requirements As shown in Figure 62, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
  • Page 262: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
  • Page 263: Configuration Procedure

    Configuration procedure
    To enable authorized ARP:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter Layer 3 Ethernet interface, Layer 3 aggregate interface, or VLAN interface view. Command: interface interface-type interface-number
    Step 3: Enable authorized ARP on the interface. Command: arp authorized enable. Remarks: By default, authorized ARP is disabled.
  • Page 264: Configuring Arp Packet Validity Check

    Step 1: Enter system view. Command: system-view
    Step 2: Enter VLAN view. Command: vlan vlan-id
    Step 3: Enable ARP attack detection. Command: arp detection enable. Remarks: By default, ARP attack detection is disabled.
    Step 4: Return to system view. Command: quit
    Step 5: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    Step 6: (Optional.) Configure the interface as a trusted interface. Command: arp detection trust...
  • Page 265: Configuring Arp Restricted Forwarding

    Configuring ARP restricted forwarding NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses. ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows: •...
  • Page 266: User Validity Check And Arp Packet Validity Check Configuration Example

    Task: Display the ARP attack detection statistics. Command: display arp detection statistics [ interface interface-type interface-number ]
    Task: Clear the ARP attack detection statistics. Command: reset arp detection statistics [ interface interface-type interface-number ]
    User validity check and ARP packet validity check configuration example
    Network requirements
    As shown in...
  • Page 267: Configuring Arp Scanning And Fixed Arp

    [SwitchB-FortyGigE1/0/1] dhcp snooping binding record [SwitchB-FortyGigE1/0/1] quit # Enable ARP attack detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default). [SwitchB-vlan10] interface fortygige 1/0/3 [SwitchB-FortyGigE1/0/3] arp detection trust [SwitchB-FortyGigE1/0/3] quit # Configure a static IP source guard binding on interface FortyGigE 1/0/2 for user validity check.
  • Page 268: Configuration Procedure

    • To delete a static ARP entry converted from dynamic or a dynamic ARP entry converted from static, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the reset arp all command to delete all ARP entries including the converted entries. Configuration procedure To configure ARP scanning and fixed ARP: Step...
  • Page 269: Configuration Example

    Configuration example Network requirements As shown in Figure 64, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 64 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B.
  • Page 270: Configuration Procedure

    • If ARP filtering works with ARP attack detection and ARP snooping, ARP filtering applies first.
    Configuration procedure
    To configure ARP filtering:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. Command: interface interface-type interface-number
  • Page 271 # Verify that FortyGigE 1/0/2 permits ARP packets from Host B and discards other ARP packets.
  • Page 272: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 273 Figure 67 uRPF work flow (flowchart; decision labels: Broadcast source address? All-zero source address? Broadcast destination address? Matching FIB entry found? Default route found? Loose uRPF? Matching route is a direct route? Receiving interface matches the output interface of the default route?; action: Discards the packet)...
  • Page 274 If yes, proceeds to step 3. If no, proceeds to step 6. uRPF checks whether the check mode is loose: If yes, proceeds to step 8. If no, uRPF checks whether the matching route is a direct route: − If yes, proceeds to step 5. −...
  • Page 275: Network Application

    Network application Figure 68 Network diagram Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs. Configuration procedure uRPF checks only incoming packets on interfaces. You can enable uRPF globally or on an interface. Global uRPF takes effect on all interfaces of the device.
  • Page 276: Displaying And Maintaining Urpf

    If strict uRPF is enabled globally or on these interfaces, the interfaces still perform loose uRPF.
    To enable uRPF globally:
    Step 1: Enter system view. Command: system-view
    Step 2: Enable uRPF globally. Command: ip urpf { loose | strict }. Remarks: By default, uRPF is disabled.
    To enable uRPF on an interface:
    Step Command...
  • Page 277 Configuration procedure Enable strict uRPF check on Switch A. <SwitchA> system-view [SwitchA] ip urpf strict Configure Switch B: # Create VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] quit # Specify an IP address for VLAN-interface 10. [SwitchB] interface vlan-interface 10 [SwitchB-Vlan-interface10] ip address 1.1.1.2 255.255.255.0 # Enable strict uRPF check on VLAN-interface 10.
  • Page 278: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high.
  • Page 279: Configuring Fips Mode

    • Do not use FIPS and non-FIPS devices to create an IRF fabric. • To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric. • The default MDC supports FIPS commands. Other MDCs do not support FIPS commands. Configuring FIPS mode Entering FIPS mode After you enable FIPS mode and reboot the device, the device operates in FIPS mode.
  • Page 280: Configuration Changes In Fips Mode

    Save the configuration file and specify it as the startup configuration file. Delete the startup configuration file in binary format (an .mdb file). 10. Reboot the device. The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.
  • Page 281: Fips Self-Tests

    The system provides two methods to exit FIPS mode: automatic reboot and manual reboot. Automatic reboot Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file.
  • Page 282: Conditional Self-Tests

    Power-up self-tests include the following types: • Known-answer test (KAT) A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the KAT test fails.
  • Page 283: Triggering Self-Tests

    Triggering self-tests To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the card where the self-test process exists reboots. To trigger a self-test: Step Command...
  • Page 284: Entering Fips Mode Through Manual Reboot

    include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output. Press ENTER to get started. login: root Password: First login or password reset. For security reason, you need to change your password. Please enter your password.
  • Page 285 [Sysname] local-user test class manage [Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB [Sysname-luser-manage-test] authorization-attribute user-role network-admin [Sysname-luser-manage-test] service-type terminal [Sysname-luser-manage-test] quit # Enable FIPS mode, and choose the manual reboot method to enter FIPS mode. [Sysname] fips mode enable FIPS mode change requires a device reboot. Continue? [Y/N]:y Reboot the device automatically? [Y/N]:n Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
  • Page 286: Exiting Fips Mode Through Automatic Reboot

    Exiting FIPS mode through automatic reboot Network requirements A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode. Configuration procedure # Disable FIPS mode. [Sysname] undo fips mode enable FIPS mode change requires a device reboot.
  • Page 287 [Sysname] quit # Delete the startup configuration file in binary format. <Sysname> delete flash:/startup.mdb Delete flash:/startup.mdb?[Y/N]:y Deleting file flash:/startup.mdb...Done. # Reboot the device. <Sysname> reboot Verifying the configuration After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.
  • Page 288: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to drop attack packets to protect a private network. The device supports only TCP fragment attack prevention. Enabling TCP fragment attack prevention The TCP fragment attack prevention feature takes effect only on Layer 3 packets.
  • Page 289: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 290: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 291: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 292: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 293 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 312 configuring relay agent IPv4 source guard configuring SSH SCP client device, (IPv4SG)+DHCP relay agent, configuring SSH SCP file transfer+password configuring Secure Telnet client user line, authentication, configuring security IPsec, configuring SSH Secure Telnet (128-bit Suite B algorithm), configuring security IPsec ACL, configuring SSH Secure Telnet client (password configuring security IPsec ACL authentication-enabled),...
  • Page 313 displaying security PKI, generating SSH server local key pair, displaying security public key, implementing security ACL-based IPsec, displaying security SSL, importing peer host public key from file, displaying SSH, importing security public key from file, displaying SSH SFTP help information, importing SSH client host public key, displaying uRPF, maintaining AAA HWTACACS,...
  • Page 314 specifying AAA RADIUS scheme VPN working with SSH SFTP files, instance, profile specifying AAA RADIUS shared keys, AAA RADIUS server status detection test specifying PKI CA storage path, profile, specifying SSH Secure Telnet packet source IPsec IKEv2 configuration, IP address, security IPsec IKE configuration, specifying SSH server PKI domain, security IPsec IPv6 routing protocol profile,...
  • Page 315 username format, security IPsec QoS pre-classify enable, rate limiting ARP packet rate limit, real-time AAA HWTACACS real-time accounting timer, PKI architecture, AAA RADIUS real-time accounting timer, PKI certificate, rebooting RADIUS FIPS mode (automatic reboot), AAA configuration, 1, 14, 40 FIPS mode (manual reboot), AAA implementation, FIPS mode entry (manual reboot), AAA local user configuration,...
  • Page 316 PKI RSA Keon CA server certificate client configuration (publickey request, authentication-enabled), PKI Windows 2003 CA server certificate client device configuration, request, configuration, security IPsec IKE signature configuration (128-bit Suite B algorithm), authentication, server configuration (password security public key management, 60, 64 authentication-enabled), SSH client host public key configuration, server configuration (publickey...
  • Page 317 ARP attack detection maintain, IP source guard (IPSG) configuration, 237, 238, 242 ARP attack detection packet validity check, IP source guard (IPSG) dynamic binding, ARP attack detection restricted IP source guard (IPSG) static binding, forwarding, IPsec ACL, ARP attack detection user validity check IPsec ACL de-encapsulated packet check, configuration, IPsec ACL-based implementation,...
  • Page 318 IPv4 source guard (IPv4SG) static binding PKI certificate verification (w/o CRL checking), configuration, PKI certificate-based access control policy, IPv6 source guard (IPv6SG) PKI configuration, 69, 72, 82 configuration, PKI CRL, IPv6 source guard (IPv6SG) enable on PKI digital certificate, interface, PKI display, IPv6 source guard (IPv6SG) static binding PKI domain configuration,...
  • Page 319 SSH server configuration, troubleshooting IPsec IKEv2, SSH server local key pair generation, troubleshooting IPsec SA negotiation failure (invalid identity info), SSH server PKI domain, troubleshooting IPsec SA negotiation failure (no SSH SFTP client configuration (publickey transform set match), authentication-enabled), troubleshooting PKI CA certificate failure, SSH SFTP client device, troubleshooting PKI CA certificate import SSH SFTP configuration,...
  • Page 320 SFTP SSH2 algorithms, client configuration (publickey authentication-enabled), security IPsec IKE invalid SPI recovery, client device configuration, spoofing configuration, uRPF configuration, 263, 266, 267 configuration (192-bit Suite B algorithm), directories, AAA HWTACACS server SSH user, files, AAA RADIUS Login-Service attribute check help information display, method, packet source IP address,...
  • Page 321 Secure Telnet server connection IP source guard (IPSG) static binding, establishment, IPv4 source guard (IPv4SG) configuration, Secure Telnet server connection IPv4 source guard (IPv4SG) static binding establishment (Suite B), configuration, Secure Telnet server enable, IPv6 source guard (IPv6SG) configuration, security public key management, 60, 64 IPv6 source guard (IPv6SG) static binding server configuration,...
  • Page 322 SSH Secure Telnet client configuration security IPsec tunnel for IPv4 packets (publickey authentication-enabled), (manual), SSH Secure Telnet client device, transform set (IPsec), SSH Secure Telnet configuration, Transmission Control Protocol. Use SSH Secure Telnet configuration (128-bit transporting Suite B algorithm), security IPsec encapsulation transport mode, SSH Secure Telnet packet source IP trapping address,...
  • Page 323 password user login attempt limit, AAA RADIUS implementation, password user login control, AAA RADIUS packet format, security password setting, AAA RADIUS request transmission attempts username max, AAA HWTACACS format, AAA RADIUS session-control, AAA RADIUS format, unicast Unicast Reverse Path Forwarding. Use uRPF validity check updating...
