
HP 6125G Configuration Manual

HP 6125G & 6125G/XG Blade Switches Security Configuration Guide, Release 2103.


HP 6125 Blade Switch Series
Security
Part number: 5998-3160
Software version: Release 2103
Document version: 6W100-20120907


   Summary of Contents for HP 6125G

  • Page 1: Configuration Guide

    HP 6125 Blade Switch Series Security Configuration Guide Part number: 5998-3160 Software version: Release 2103 Document version: 6W100-20120907...

  • Page 2

    HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

  • Page 3: Table Of Contents

    Contents: Configuring AAA, 1; AAA overview, 1; RADIUS, 2; HWTACACS, 7; Domain-based user management, 9; AAA for MPLS L3VPNs, 10; Protocols and standards, 10; RADIUS attributes, 11 ...

  • Page 4: Table Of Contents

    Access control methods, 74; Using 802.1X authentication with other features, 74; Configuration prerequisites, 79; 802.1X configuration task list, 79; Enabling 802.1X, 80; Configuration guidelines, 80; Configuration procedure, 80 ...

  • Page 5: Table Of Contents

    Configuration prerequisites, 98; Configuring a free IP, 98; Configuring the redirect URL, 99; Setting the EAD rule timer, 99; Displaying and maintaining EAD fast deployment, 99; EAD fast deployment configuration example, 100 ...

  • Page 6: Table Of Contents

    Cannot configure secure MAC addresses, 132; Cannot change port security mode when a user is online, 133; Configuring a user profile, 134; Overview, 134; User profile configuration task list, 134; Creating a user profile ...

  • Page 7: Table Of Contents

    Configuring CRL-checking-disabled PKI certificate verification, 165; Destroying a local RSA key pair, 165; Deleting a certificate, 166; Configuring an access control policy, 166; Displaying and maintaining PKI, 166; PKI configuration examples, 167 ...

  • Page 8: Table Of Contents

    SFTP server configuration example, 209; Configuring SCP, 212; Overview, 212; Configuring the switch as an SCP server, 212; Configuring the switch as the SCP client, 213; SCP client configuration example, 213 ...

  • Page 9: Table Of Contents

    Introduction, 240; Configuration procedure, 240; Configuring ARP active acknowledgement, 240; Introduction, 240; Configuration procedure, 240; Configuring ARP detection, 241; Introduction, 241; Configuring user validity check, 241 ...

  • Page 10: Table Of Contents

    Support and other resources, 270; Contacting HP, 270; Subscription service, 270; Related information, 270; Documents, 270; Websites, 270; Conventions, 271; Index, 273 ...

  • Page 11: Configuring Aaa, Aaa Overview

    Configuring AAA. AAA overview. Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants different users different rights and controls their access to resources and ...

  • Page 12: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.

  • Page 13

    Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.

  • Page 14

    Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...

  • Page 15

    • The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.

  • Page 16

    Attribute (continued, left column): Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id.
    Attribute (continued, right column): ARAP-Security-Data, Password-Retry, Prompt, Connect-Info, Configuration-Token, EAP-Message, Message-Authenticator, Tunnel-Private-Group-id, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id.
    Extended RADIUS attributes. The RADIUS protocol features excellent extensibility.

  • Page 17: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute (fields: Type, Length, Vendor-ID, Vendor-ID (continued), Vendor-Type, Vendor-Length, Vendor-Data (specified attribute value ...)).
    HWTACACS. HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.

  • Page 18

    Figure 6 Basic HWTACACS message exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server): 1) The user logs in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user inputs the username. 6) Authentication continuance packet with the username. 7) Authentication response requesting the login ...

  • Page 19: Domain-based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client then sends an authorization request packet for the user to the HWTACACS server.

  • Page 20: Aaa For Mpls L3vpns, Protocols And Standards

    In addition, AAA provides the following services for login users to enhance switch security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.

  • Page 21: Radius Attributes

    RADIUS attributes. Commonly used standard RADIUS attributes (Attribute—Description): User-Name—Name of the user to be authenticated. User-Password—User password for PAP authentication, present only in Access-Request packets in PAP authentication mode. CHAP-Password—Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode.

  • Page 22

    Attribute—Description: Acct-Status-Type—Type of the Accounting-Request packet. Possible values are as follows: • 1—Start. • 2—Stop. • 3—Interim-Update. • 4—Reset-Charge. • 7—Accounting-On. (Defined in 3GPP, the 3rd Generation Partnership Project.) • 8—Accounting-Off. (Defined in 3GPP.) • 9 to 14—Reserved for tunnel accounting. • ...

  • Page 23

    Sub-attribute—Description: Remanent_Volume—Remaining, available total traffic of the connection, in different units for different server types. Command—Operation for the session, used for session control. It can be: • 1—Trigger-Request. • 2—Terminate-Request. • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value.

  • Page 24: Aaa Configuration Considerations And Task List

    Sub-attribute—Description: Output-Interval-Gigawords—Result of bytes output within an accounting interval divided by 4G bytes. Backup-NAS-IP—Backup source IP address for sending RADIUS packets. Product_ID—Product name.
    AAA configuration considerations and task list. To configure AAA, you must complete these tasks on the NAS: Configure the required AAA schemes.

  • Page 25: Configuring Aaa Schemes, Configuring Local Users

    Task Remarks schemes Complete at least one task. Configuring RADIUS schemes Configuring HWTACACS schemes Creating an ISP domain Required. Configuring ISP domain attributes Optional. Configuring AAA authentication methods for Configuring AAA an ISP domain methods for ISP domains Required. Configuring AAA authorization methods for an ISP domain Complete at least one task.

  • Page 26

    • User group: Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes." • Password control attributes: ...

  • Page 27

    Step: Configure a password for the local user. Command: password [ { cipher | simple } ... Remarks: Optional. A local user with no password configured directly passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user.

  • Page 28

    Step: Configure the authorization ... Command: authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | ... Remarks: Optional. By default, no authorization attribute is configured for a local user. For LAN users, only acl, idle-cut, user-profile, and vlan are supported. For SSH, terminal, and Web users, ...

  • Page 29

    By default, every newly added local user belongs to the system default user group system and bears all attributes of the group. To change the user group to which a local user belongs, use the user-group command in local user view. To configure attributes for a user group: Step Command...

  • Page 30: Configuring Radius Schemes

    Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the switch can cooperate with and defines a set of parameters that the switch uses to exchange information with the RADIUS servers. There may be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type.

  • Page 31

    Specifying the RADIUS authentication/authorization servers You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

  • Page 32

    By setting the maximum number of real-time accounting attempts for a scheme, you make the switch disconnect users for whom no accounting response is received before the number of accounting attempts reaches the limit. When the switch receives a connection teardown request from a host or a connection teardown notification from an administrator, it sends a stop-accounting request to the accounting server.

  • Page 33

    Specifying the shared keys for secure RADIUS communication The RADIUS client and RADIUS server use the MD5 algorithm to authenticate packets exchanged between them and use shared keys for packet authentication and user passwords encryption. They must use the same key for the same type of communication. A shared key configured in this task is for all servers of the same type (accounting or authentication) in the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.

  • Page 34

    • For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure usernames sent to the RADIUS server carry no ISP domain name. To set the username format and the traffic statistics units for a RADIUS scheme: Step Command Remarks ...

  • Page 35

    servers in active state. If no other servers are in active state at the time, it considers the authentication or accounting attempt a failure. For more information about RADIUS server states, see "Setting the status of RADIUS servers." To set the maximum number of RADIUS request transmission attempts for a scheme: Step Command Remarks...

  • Page 36

    • If one server is in active state and all the others are in blocked state, the switch only tries to communicate with the server in active state, even if the server is unavailable. • After receiving an authentication/accounting response from a server, the switch changes the status ...

  • Page 37

    between the NAS and the RADIUS server, the source IP address of outgoing RADIUS packets must be a public IP address of the NAS. You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in the same VPN.

  • Page 38

    Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Step: Set the RADIUS server response timeout timer. Command: timer response-timeout seconds. Remarks: Optional. The default RADIUS server response timeout timer is 3 seconds. Step: Set the quiet timer for the servers. Command: timer quiet minutes. Remarks: Optional.

  • Page 39

    Step: Enter system view. Command: system-view. Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Step: Enable accounting-on and configure parameters. Command: accounting-on enable [ interval seconds | send send-times ] *. Remarks: Disabled by default. The default interval is 3 seconds and the default number of send-times is 50.

  • Page 40

    NOTE: Whether interpretation of RADIUS class attribute as CAR parameters is supported depends on two factors: • Whether the switch supports CAR parameters assignment. • Whether the RADIUS server supports assigning CAR parameters through the class attribute. Enabling the trap function for RADIUS. With the trap function, a NAS sends a trap message when either of the following events occurs: The status of a RADIUS server changes.

  • Page 41: Configuring Hwtacacs Schemes

    To set the DSCP value for RADIUS protocol packets: Step: Enter system view. Command: system-view. Step: Set the DSCP value for IPv4 RADIUS protocol packets. Command: radius dscp dscp-value. Remarks: Optional. By default, the DSCP value in IPv4 RADIUS protocol packets is 0. Optional.

  • Page 42

    Task—Remarks: Specifying the HWTACACS authentication servers—Required. Specifying the HWTACACS authorization servers—Optional. Specifying the HWTACACS accounting servers and the relevant parameters—Optional. Specifying the shared keys for secure HWTACACS communication—Required. Specifying the VPN to which the servers belong—Optional. Setting the username format and traffic statistics units—Optional ...

  • Page 43

    Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Step: Specify HWTACACS authentication servers. Command: • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * • Specify the secondary HWTACACS authentication server: ... Remarks: Configure at least one command. No authentication server is specified by default.

  • Page 44

    When the switch receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit.

  • Page 45

    Step: Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. Command: key { accounting | authentication | authorization } [ cipher | simple ] key. Remarks: No shared key is specified by default. NOTE: A shared key configured on the switch must be the same as that configured on the HWTACACS server.
    Specifying the VPN to which the servers belong. After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN.

  • Page 46

    Step: Set the format for usernames sent to the HWTACACS servers. Command: user-name-format { keep-original | with-domain | without-domain }. Remarks: Optional. By default, the ISP domain name is included in a username. Step: Specify the unit for data flows ... Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } ... Remarks: Optional. The default unit is byte for data ...

  • Page 47

    Step: Specify a source IP address for outgoing HWTACACS packets. Command: nas-ip ip-address. Remarks: By default, the IP address of the outbound interface is used as the source IP address.
    Setting timers for controlling communication with HWTACACS servers. The switch uses the following timers to control the communication with an HWTACACS server: • Server response timeout timer (response-timeout)—Defines the HWTACACS request ...

  • Page 48: Configuring Aaa Methods For Isp Domains, Configuration Prerequisites, Creating An Isp Domain

    Task: Display the configuration information or statistics of HWTACACS schemes. Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Task: Display information about buffered stop-accounting requests for which no ... Command: display stop-accounting-buffer hwtacacs-scheme ...

  • Page 49: Configuring Isp Domain Attributes

    Step: Enter system view. Command: system-view. Step: Create an ISP domain and enter ISP domain view. Command: domain isp-name. Step: Return to system view. Command: quit. Step: Specify the default ISP domain. Command: domain default enable isp-name. Remarks: Optional. By default, the default ISP domain is the system predefined ISP domain system.

  • Page 50: Configuring Aaa Authentication Methods For An Isp Domain

    Step: Specify the maximum number of online users in the ISP domain. Command: access-limit enable max-user-number. Remarks: Optional. No limit by default. Step: Configure the idle cut function. Command: idle-cut enable minute [ flow ]. Remarks: Optional. Disabled by default. This command is effective for only LAN users.

  • Page 51

    Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access. Determine whether to configure an authentication method for all access types or service types. Follow these guidelines when you configure AAA authentication methods for an ISP domain: • The authentication method specified with the authentication default command is for all types of ...

  • Page 52: Configuring Aaa Authorization Methods For An Isp Domain

    Configuring AAA authorization methods for an ISP domain In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration.

  • Page 53: Configuring Aaa Accounting Methods For An Isp Domain

    Step: Enter ISP domain view. Command: domain isp-name. Step: Specify the default authorization method for all types of users. Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The authorization method is local for all types of users. Optional.

  • Page 54: Tearing Down User Connections

    • If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local option when you configure an accounting method, local accounting is the backup method and is used only when the remote server is not available. • If you specify only the local or none keyword in an accounting method configuration command, the switch has no backup accounting method and performs only local accounting or does not perform any accounting.

  • Page 55: Configuring A Nas Id-vlan Binding, Displaying And Maintaining Aaa, Aaa Configuration Examples

    Configuring a NAS ID-VLAN binding The access locations of users can be identified by their access VLANs. In application scenarios where identifying the access locations of users is a must, configure NAS ID-VLAN bindings on the switch. Then, when a user gets online, the switch obtains the NAS ID by the access VLAN of the user and sends the NAS ID to the RADIUS server through the NAS-identifier attribute.

  • Page 56: Configuration Procedure

    Figure 10 Network diagram. Configuration procedure. Configure the switch:
    # Assign IP addresses to the interfaces. (Details not shown.)
    # Enable the Telnet server on the switch.
    <Switch> system-view
    [Switch] telnet server enable
    # Configure the switch to use AAA for Telnet users.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    [Switch-ui-vty0-4] quit ...

  • Page 57: Aaa For Telnet Users By Separate Servers

    Verify the configuration: Telnet to the switch as a user and enter the correct username and password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection. AAA for Telnet users by separate servers Network requirements As shown in...

  • Page 58: Authentication/authorization For Ssh/telnet Users By A Radius Server

    [Switch-radius-rd] quit
    # Create a local user named hello.
    [Switch] local-user hello
    [Switch-luser-hello] service-type telnet
    [Switch-luser-hello] password simple hello
    [Switch-luser-hello] quit
    # Configure the AAA methods for the ISP domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login local
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting login radius-scheme rd
    [Switch-isp-bbb] quit
    Verify the configuration: ...

  • Page 59

    Log in to IMC, click the Service tab, and select User Access Manager > Access Device from the navigation tree. Click Add. Configure the following parameters: Set the shared key for secure authentication and accounting communication to expert. Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type.

  • Page 60: Configuring The Switch

    Figure 14 Adding an account for device management. Configuring the switch:
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.

  • Page 61: Aaa For 802.1x Users By A Radius Server

    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure authentication communication to expert.
    [Switch-radius-rad] key authentication expert
    # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
    [Switch-radius-rad] user-name-format with-domain
    # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.

  • Page 62

    Figure 15 Network diagram Configuration prerequisites Configure the interfaces and VLANs as shown in Figure 15. Make sure the host can get a new IP address manually or automatically and can access resources in the authorized VLAN after passing authentication. Configuring the RADIUS server This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).

  • Page 63

    Figure 16 Adding the switch to IMC as an access device Define a charging policy: Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree. Click Add. Configure the following parameters: Enter UserAcct as the plan name. Select Flat rate as the charging template.

  • Page 64

    Figure 17 Defining a charging policy Add a service: Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Click Add. Configure the following parameters: Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users.

  • Page 65

    Figure 18 Adding a service Create an account for 802.1X users: Click the User tab, and select All Access Users from the navigation tree. Click Add. Configure the following parameters: Select the user test, or add the user if it does not exist. Enter dot1x as the account name and set the password.

  • Page 66

    Figure 19 Creating an account for 802.1X users
    Configuring the switch
    Configure a RADIUS scheme:
    # Create a RADIUS scheme named rad and enter its view.
    <Switch> system-view
    [Switch] radius scheme rad
    # Set the server type for the RADIUS scheme. When you use IMC, set the server type to extended.
    [Switch-radius-rad] server-type extended
    # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

  • Page 67: Verifying The Configuration

    # Configure bbb as the default ISP domain for all users. If a user then logs in with a username that carries no ISP domain, the authentication and accounting methods of the default domain are used for that user.
    [Switch] domain default enable bbb
    Configure 802.1X authentication:
    # Enable 802.1X globally.

  • Page 68: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Total 1 connection matched.
    As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.
    Level switching authentication for Telnet users by an HWTACACS server
    Network requirements
    As shown in Figure 20, configure the switch to:
    • Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the...

  • Page 69

    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
    [Switch-Vlan-interface3] quit
    # Enable the switch to provide Telnet service.
    [Switch] telnet server enable
    # Configure the switch to use AAA for Telnet users.

  • Page 70

    0 commands.
    <Switch> telnet 192.168.1.70
    Trying 192.168.1.70 ...
    Press CTRL+K to abort
    Connected to 192.168.1.70 ...
    ******************************************************************************
    * Copyright (c) 2004-2012 Hewlett-Packard Development Company, L.P.          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************

  • Page 71: Radius Authentication And Authorization For Telnet Users By A Switch

    Login authentication
    Username:test@bbb
    Password:
    <Switch> ?
    User view commands:
      display   Display current system information
      ping      Ping function
      quit      Exit from current command view
      ssh2      Establish a secure shell client connection
      super     Set the current user priority level
      telnet    Establish one TELNET connection
      tracert   Trace route function
    When switching to user privilege level 3, the Telnet user only needs to enter password enabpass...

  • Page 72

    Figure 22 Network diagram (image not reproduced; it shows the Telnet user at 192.168.1.2, Switch A with 192.168.1.1/24 on the user side and 10.1.1.1/24 toward Switch B, and Switch B, which acts as the RADIUS server, at 10.1.1.2/24, on VLAN-interfaces 2 and 3)
    Configuration procedure
    Assign an IP address to each interface as shown in Figure 22. (Details not shown.)
    Configure the NAS:
    # Enable the Telnet server on Switch A.
    <SwitchA>...

  • Page 73: Troubleshooting Aaa, Troubleshooting Radius

    <SwitchB> system-view
    [SwitchB] radius-server user aaa
    # Configure plaintext password aabbcc for user aaa.
    [SwitchB-rdsuser-aaa] password simple aabbcc
    [SwitchB-rdsuser-aaa] quit
    # Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.
    [SwitchB] radius-server client-ip 10.1.1.1 key simple abc
    Verify the configuration:
    After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A.

  • Page 74: Troubleshooting Hwtacacs

    Analysis
    The NAS and the RADIUS server cannot communicate with each other:
    • The NAS is not configured with the IP address of the RADIUS server.
    • The UDP ports for authentication/authorization and accounting are not correct.
    • The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.

  • Page 75: 802.1X Overview, 802.1X Architecture, Controlled/Uncontrolled Port And Port Authorization Status

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.

  • Page 76: 802.1X-related Protocols

    Figure 24 Authorization state of a controlled port (image not reproduced; it shows two authenticator systems, each with a controlled port and an uncontrolled port, one controlled port authorized and the other unauthorized)
    In the unauthorized state, a controlled port controls traffic in one of the following ways:
    •...

  • Page 77: Packet Formats

    Packet formats
    EAP packet format
    Figure 25 shows the EAP packet format.
    Figure 25 EAP packet format
    • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
    • Identifier—Used for matching Responses with Requests.
    •...

  • Page 78: EAP Over RADIUS, Initiating 802.1X Authentication, 802.1X Client As The Initiator

    Value   Type           Description
    0x02    EAPOL-Logoff   The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.
    • Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
    • Packet body—Content of the packet.
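    The EAPOL and EAP headers described on pages 77 and 78, parsed and built in Python as an added example; this is not code from the HP guide. The frames are constructed here: the client MAC 00-e0-fc-12-34-56 and the switch MAC 000f-cb00-5558 are reused from the page's other examples, and dot1x@bbb is the 802.1X account from the IMC example. The parser checks the EtherType, the Length fields, and the rule that EAPOL-Start and EAPOL-Logoff carry a zero Length and no Packet body.

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP).
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # multicast address EAPOL-Start is sent to
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


class EapolError(ValueError):
    """Raised for frames that violate the EAPOL or EAP length rules."""


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_eap(body):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(body) < 4:
        raise EapolError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise EapolError("EAP Length field does not match the data")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # only Request/Response carry a Type field
        if length < 5:
            raise EapolError("EAP Request/Response without Type")
        eap["type"] = EAP_TYPES.get(body[4], body[4])
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame):
    """Parse an Ethernet frame carrying EAPOL: dst(6) src(6) 0x888E, Version(1) Type(1) Length(2) Body."""
    if len(frame) < 18:
        raise EapolError("frame too short for an EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise EapolError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise EapolError("EAPOL Length field exceeds the frame")
    if ptype in (1, 2) and length != 0:     # EAPOL-Start / EAPOL-Logoff carry no Packet body
        raise EapolError("%s must have Length 0" % EAPOL_TYPES[ptype])
    result = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
              "type": EAPOL_TYPES.get(ptype, ptype), "length": length}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def build_eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet; Success and Failure have no Type field."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(ptype, body=b"", src=b"\x00" * 6, dst=PAE_GROUP_ADDRESS, version=1):
    """Wrap an EAPOL body in an Ethernet frame."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, ptype, len(body)) + body


# Constructed sample exchange (not captured traffic).
CLIENT_MAC = bytes.fromhex("00e0fc123456")
SWITCH_MAC = bytes.fromhex("000fcb005558")
SAMPLE_FRAMES = {
    "start": build_eapol(1, src=CLIENT_MAC),                                          # client -> group address
    "request_identity": build_eapol(0, build_eap(1, 1, 1), src=SWITCH_MAC, dst=CLIENT_MAC),
    "response_identity": build_eapol(0, build_eap(2, 1, 1, b"dot1x@bbb"), src=CLIENT_MAC),
    "bad_start": build_eapol(1, b"\x00", src=CLIENT_MAC),                             # violates Length-must-be-0
}


def summarize(name):
    """Parse one sample frame and return a one-line summary, or the parse error."""
    try:
        p = parse_eapol(SAMPLE_FRAMES[name])
    except EapolError as e:
        return "%s: malformed (%s)" % (name, e)
    eap = p.get("eap")
    if eap is None:
        return "%s: %s from %s" % (name, p["type"], p["src"])
    return "%s: EAP %s/%s id=%d data=%r" % (name, eap["code"], eap.get("type", "-"), eap["id"], eap.get("data", b""))


if __name__ == "__main__":
    for n in SAMPLE_FRAMES:
        print(summarize(n))
```

    Run stand-alone it prints one line per sample frame; the fourth line reports the malformed EAPOL-Start, which is the check a switch performs before it even looks at the EAP payload.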

  • Page 79: Access Device As The Initiator, 802.1X Authentication Procedures

    the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets.

  • Page 80: A Comparison Of Eap Relay And Eap Termination, Eap Relay

    A comparison of EAP relay and EAP termination
    Packet exchange method: EAP relay
    Benefits:
    • Supports various EAP authentication methods.
    • The configuration and processing is simple on the network access device.
    Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

  • Page 81

    Figure 31 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.

  • Page 82

    The authentication server compares the received encrypted password (the MD5 digest the client computed from the challenge and its password) with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.

  • Page 83: Eap Termination

    EAP termination
    Figure 32 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
    Figure 32 802.1X authentication procedure in EAP termination mode
    In EAP termination mode, it is the network access device, rather than the authentication server, that generates the MD5 challenge for password encryption (see Step 4).
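    The difference between EAP relay and EAP termination (Figures 31 and 32) reduced to the MD5-Challenge arithmetic both sides perform, as an added Python example rather than code from the HP guide. It assumes EAP-MD5/CHAP, where the response is MD5 over the EAP Identifier, the password and the challenge (RFC 3748 section 5.4, RFC 1994); the Client and AuthServer classes, the user dot1x@bbb and the passwords are constructed for the demonstration. In relay mode the access device never inspects the challenge; in termination mode it generates the challenge itself and hands the result to RADIUS as CHAP-Password and CHAP-Challenge, which is why the server then needs CHAP support but no EAP-Message support.

```python
import hashlib
import hmac
import os


def md5_challenge_response(ident, password, challenge):
    """EAP-MD5 / CHAP response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Client:
    """802.1X client: knows its username and password and answers MD5 challenges."""

    def __init__(self, name, password):
        self.name, self.password = name, password

    def answer(self, ident, challenge):
        return md5_challenge_response(ident, self.password, challenge)


class AuthServer:
    """RADIUS server with a constructed user database (username -> password)."""

    def __init__(self, users):
        self.users = users

    def check(self, name, ident, challenge, response):
        """Recompute the expected value from the stored password; compare in constant time."""
        password = self.users.get(name)
        if password is None:
            return False
        expected = md5_challenge_response(ident, password, challenge)
        return hmac.compare_digest(expected, response)


def eap_relay(client, server, ident=5, challenge=None):
    """EAP relay: the server generates the challenge; the NAS forwards EAP unchanged inside
    RADIUS EAP-Message attributes and only acts on the final Accept/Reject."""
    challenge = challenge or os.urandom(16)        # built by the server into EAP-Request/MD5-Challenge
    response = client.answer(ident, challenge)      # EAP-Response/MD5-Challenge from the client
    return server.check(client.name, ident, challenge, response)   # the server does the comparison


def eap_termination(client, server, ident=5, challenge=None):
    """EAP termination: the NAS generates the challenge (Step 4 in Figure 32), terminates EAP,
    and sends the outcome to RADIUS as CHAP-Password (attribute 3) and CHAP-Challenge (60)."""
    challenge = challenge or os.urandom(16)        # built by the NAS, not the server
    response = client.answer(ident, challenge)
    radius_attrs = {
        "User-Name": client.name,
        "CHAP-Password": bytes([ident]) + response,  # CHAP Ident followed by the 16-byte response
        "CHAP-Challenge": challenge,
    }
    chap = radius_attrs["CHAP-Password"]           # server side: plain CHAP verification, no EAP needed
    return server.check(radius_attrs["User-Name"], chap[0], radius_attrs["CHAP-Challenge"], chap[1:])


if __name__ == "__main__":
    server = AuthServer({"dot1x@bbb": b"secret"})
    good, bad = Client("dot1x@bbb", b"secret"), Client("dot1x@bbb", b"wrong")
    print("relay       :", eap_relay(good, server), eap_relay(bad, server))
    print("termination :", eap_termination(good, server), eap_termination(bad, server))
```

    Both paths end in the same comparison; what changes is who holds the challenge and what the RADIUS server has to understand, which is exactly the trade-off the comparison table on page 80 describes.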

  • Page 84: Configuring 802.1x, Hp Implementation Of 802.1x, Access Control Methods, Using 802.1x Authentication With Other Features

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.

  • Page 85

    With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN. On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed.

  • Page 86

    Authentication status: A user in the 802.1X guest VLAN passes 802.1X authentication
    VLAN manipulation: Re-maps the MAC address of the user to the VLAN specified for the user. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

  • Page 87

    Authentication status: A user in the Auth-Fail VLAN fails 802.1X re-authentication
    VLAN manipulation: The user is still in the Auth-Fail VLAN.
    Authentication status: A user in the Auth-Fail VLAN passes 802.1X authentication
    VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port.

  • Page 88

    Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers are unreachable
    VLAN manipulation: The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or the Auth-Fail VLAN.

  • Page 89: Configuration Prerequisites, 802.1X Configuration Task List

    • If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X users to trigger authentication.
    ACL assignment
    You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the port to filter the traffic from this user.

  • Page 90: Enabling 802.1x, Configuration Guidelines, Configuration Procedure, Enabling Eap Relay Or Eap Termination

    Enabling 802.1X
    Configuration guidelines
    • If the PVID of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more information about voice VLANs, see Layer 2 LAN Switching Configuration Guide.
    • 802.1X is mutually exclusive with link aggregation and service loopback group configuration on a...

  • Page 91: Setting The Port Authorization State

    Step: Configure EAP relay or EAP termination.
    Command: dot1x authentication-method { chap | eap | pap }
    Remarks: Optional. By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay; the chap and pap keywords select EAP termination with CHAP or PAP respectively.

  • Page 92: Specifying An Access Control Method

    Specifying an access control method You can specify an access control method for one port in Ethernet interface view, or for multiple ports in system view. If different access control methods are specified for a port in system view and Ethernet interface view, the one specified later takes effect.

  • Page 93: Setting The 802.1x Authentication Timeout Timers, Configuring The Online User Handshake Function

    access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.
    To set the maximum number of authentication request attempts:
    Step 1: Enter system view. Command: system-view
    Step 2: Set the maximum number of... Remarks: Optional.

  • Page 94: Configuration Guidelines, Configuration Procedure, Configuring The Authentication Trigger Function

    Configuration guidelines
    Follow these guidelines when you configure the online user handshake function:
    • To use the online handshake security function, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.

  • Page 95: Configuration Procedure, Specifying A Mandatory Authentication Domain On A Port, Configuring The Quiet Timer

    • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these...

  • Page 96: Enabling The Periodic Online User Re-authentication Function, Configuration Guidelines, Configuration Procedure

    You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
    To configure the quiet timer:
    Step 1: Enter system view. Command: system-view
    Step 2: Enable the quiet timer. Command: dot1x quiet-period. Remarks: By default, the timer is disabled.

  • Page 97: Configuring An 802.1x Guest Vlan, Configuration Guidelines, Configuration Prerequisites, Configuration Procedure

    Step: Enable periodic online user re-authentication. Command: dot1x re-authenticate. Remarks: By default, the function is disabled.
    Configuring an 802.1X guest VLAN
    Configuration guidelines
    Follow these guidelines when you configure an 802.1X guest VLAN:
    • You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different...

  • Page 98: Configuring An 802.1x Auth-fail Vlan, Configuration Guidelines, Configuration Prerequisites, Configuration Procedure

    Step 1: Enter system view. Command: system-view
    Step 2: Configure an 802.1X guest VLAN for one or more ports. Use either approach:
    • (Approach 1) In system view: dot1x guest-vlan guest-vlan-id [ interface interface-list ]
    • (Approach 2) In Ethernet interface view:...
    Remarks: By default, no 802.1X guest VLAN is configured on any port.

  • Page 99: Configuring An 802.1x Critical Vlan, Configuration Guidelines, Configuration Prerequisites, Configuration Procedure

    Step 1: Enter system view. Command: system-view
    Step 2: Enter Ethernet interface view. Command: interface interface-type interface-number
    Step 3: Configure the Auth-Fail VLAN on the port. Command: dot1x auth-fail vlan authfail-vlan-id. Remarks: By default, no Auth-Fail VLAN is configured.
    Configuring an 802.1X critical VLAN
    Configuration guidelines
    • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so...

  • Page 100: Specifying Supported Domain Name Delimiters, Displaying And Maintaining 802.1X, 802.1X Authentication Configuration Example, Network Requirements

    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.

  • Page 101

    Use RADIUS servers to perform authentication, authorization, and accounting for the 802.1X users. If RADIUS authentication fails, perform local authentication on the access device. If RADIUS accounting fails, the access device logs the user off. Configure the host at 10.1.1.1/24 as the primary authentication and accounting servers, and the host at 10.1.1.2/24 as the secondary authentication and accounting servers.

  • Page 102

    # Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
    [Device-radius-radius1] secondary authentication 10.1.1.2
    [Device-radius-radius1] secondary accounting 10.1.1.2
    # Specify the shared key between the access device and the authentication server.
    [Device-radius-radius1] key authentication name
    # Specify the shared key between the access device and the accounting server.
    [Device-radius-radius1] key accounting money
    # Exclude the ISP domain name from the username sent to the RADIUS servers.
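    The shared keys and the user-name-format setting above decide whether the RADIUS server can read the request at all. As an added Python example (not code from the HP guide), this builds an Access-Request the way RFC 2865 and RFC 2869 specify it: User-Password hidden by XOR with MD5 blocks chained from the Request Authenticator and the shared key, plus a Message-Authenticator (HMAC-MD5 over the packet) that lets the server reject a request sent with a mismatched key instead of silently recovering a garbled password, which is the "shared key" symptom in the RADIUS troubleshooting section. split_domain implements the leftmost-delimiter rule from page 100 and radius_user_name the with-domain/without-domain choice. The key expert, the user dot1x@bbb and the NAS address 10.1.1.2 are taken from the page's examples; the password is constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def split_domain(username, delimiters="@"):
    """Split 'user<delim>domain' at the leftmost configured delimiter (@, \\ or / on this switch)."""
    positions = [username.index(d) for d in delimiters if d in username]
    if not positions:
        return username, None
    i = min(positions)
    return username[:i], username[i + 1:]


def radius_user_name(username, with_domain=True, delimiters="@"):
    """user-name-format with-domain keeps the name as typed; without-domain strips the ISP domain."""
    user, domain = split_domain(username, delimiters)
    return username if with_domain or domain is None else user


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte chunks with MD5(secret || previous block), seeded by the Request Authenticator."""
    data = password.encode()
    pad = (-len(data)) % 16
    data += b"\x00" * (pad if data else 16)          # empty password still yields one 16-byte block
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; a wrong shared key yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and Message-Authenticator (RFC 2869 5.14)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)      # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()               # HMAC over packet with zeroed placeholder
    return packet[:-16] + mac


def parse_attributes(packet):
    attrs, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[i + 2:i + alen], i))
        i += alen
    return attrs


def server_accept(packet, secret):
    """Server-side handling: verify Message-Authenticator, then recover the password. Returns (user, password) or None."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    fields = {atype: value for atype, value, _ in attrs}
    for atype, value, offset in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
                return None                                            # shared key mismatch or tampering
    if ATTR_USER_NAME not in fields or ATTR_USER_PASSWORD not in fields:
        return None
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, authenticator)
    return fields[ATTR_USER_NAME].decode(), password.decode(errors="replace")


if __name__ == "__main__":
    pkt = build_access_request(1, radius_user_name("dot1x@bbb"), "dot1xpass", b"expert", "10.1.1.2")
    print(server_accept(pkt, b"expert"))     # ('dot1x@bbb', 'dot1xpass')
    print(server_accept(pkt, b"wrong"))      # None: Message-Authenticator check fails
```

    Without the Message-Authenticator attribute, a key mismatch is only visible as an unreadable password and an Access-Reject, which is the harder-to-diagnose failure the troubleshooting section lists among its causes.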

  • Page 103: Verifying The Configuration, 802.1X With Guest VLAN And VLAN Assignment Configuration Example, Network Requirements

    Verifying the configuration Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.

  • Page 104

    Figure 34 Network diagram Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.

  • Page 105

    Configure a RADIUS scheme:
    # Configure RADIUS scheme 2000 and enter its view.
    <Device> system-view
    [Device] radius scheme 2000
    # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
    [Device-radius-2000] primary authentication 10.11.1.1 1812
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc...

  • Page 106: X With Acl Assignment Configuration Example, Network Requirements, Configuration Procedure

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.

  • Page 107

    # Create an ISP domain and specify RADIUS scheme 2000 as the default AAA scheme for the domain.
    [Device] domain 2000
    [Device-isp-2000] authentication default radius-scheme 2000
    [Device-isp-2000] authorization default radius-scheme 2000
    [Device-isp-2000] accounting default radius-scheme 2000
    [Device-isp-2000] quit
    # Configure a time range ftp for the weekdays from 8:00 to 18:00.
    [Device] time-range ftp 8:00 to 18:00 working-day
    # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on the weekdays during business hours.

  • Page 108: Configuring Ead Fast Deployment, Overview, Url Redirection, Configuration Prerequisites, Configuring A Free Ip

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.

  • Page 109: Configuring The Redirect Url, Setting The Ead Rule Timer, Displaying And Maintaining Ead Fast Deployment

    To configure a free IP:
    Step 1: Enter system view. Command: system-view
    Step 2: Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length }. Remarks: By default, no free IP is configured.
    Configuring the redirect URL
    Follow these guidelines when you configure the redirect URL:
    •...

  • Page 110: Ead Fast Deployment Configuration Example, Network Requirements

    Task: Display 802.1X session information, statistics, or configuration information. Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
    EAD fast deployment configuration example
    Network requirements
    As shown in Figure...

  • Page 111

    • Configure the authentication server to provide authentication, authorization, and accounting services.
    Configuration procedure
    Configure an IP address for each interface. (Details not shown.)
    Configure DHCP relay:
    # Enable DHCP.
    <Device> system-view
    [Device] dhcp enable
    # Configure a DHCP server for a DHCP server group.
    [Device] dhcp relay server-group 1 ip 192.168.2.2
    # Enable the relay agent on VLAN-interface 2.

  • Page 112: Troubleshooting Ead Fast Deployment, Web Browser Users Cannot Be Correctly Redirected

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service.

  • Page 113: Configuring Mac Authentication, Overview, User Account Policies, Authentication Approaches

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.

  • Page 114: Mac Authentication Timers, Using Mac Authentication With Other Features, Vlan Assignment, Acl Assignment

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
    MAC authentication timers
    MAC authentication uses the following timers:
    • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.

  • Page 115: Basic Configuration For Mac Authentication

    Task: Specifying a MAC authentication domain. Remarks: Optional
    Basic configuration for MAC authentication
    • Create and configure an authentication domain, also called "an ISP domain."
    • For local authentication, create local user accounts, and specify the lan-access service for the accounts.

  • Page 116: Specifying A Mac Authentication Domain, Displaying And Maintaining Mac Authentication

    Step: Enable MAC authentication. Remarks: Disabled by default. Enable MAC authentication for ports in bulk in system view or for an individual port in Ethernet interface view.
    • (Approach 1) In system view: mac-authentication interface interface-list
    • (Approach 2) In interface view: interface interface-type interface-number, then...

  • Page 117: Mac Authentication Configuration Examples, Local Mac Authentication Configuration Example

    Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
    Task: Clear MAC authentication statistics. Command: reset mac-authentication statistics [ interface interface-list ]. Remarks: Available in user view
    MAC authentication configuration examples
    Local MAC authentication configuration example
    Network requirements...

  • Page 118: Radius-based Mac Authentication Configuration Example

    # Specify the ISP domain for MAC authentication.
    [Device] mac-authentication domain aabbcc.net
    # Set the MAC authentication timers.
    [Device] mac-authentication timer offline-detect 180
    [Device] mac-authentication timer quiet 180
    # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.

  • Page 119

    Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that:
    • The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds.
    • All MAC authentication users belong to ISP domain 2000 and share the user account aaa with...

  • Page 120: Acl Assignment Configuration Example

    [Device] mac-authentication timer offline-detect 180
    [Device] mac-authentication timer quiet 180
    # Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users.
    [Device] mac-authentication user-name-format fixed account aaa password simple 123456
    Verifying the configuration
    # Display MAC authentication settings and statistics.
    <Device>...

  • Page 121

    Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen separated and in lower case.
    Figure 39 Network diagram
    Configuration procedure
    Make sure the RADIUS server and the access device can reach each other.
    Configure the ACL assignment:
    # Configure ACL 3000 to deny packets destined for 10.0.0.1.

  • Page 122

    # Enable MAC authentication for port GigabitEthernet 1/0/1.
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] mac-authentication
    Configure the RADIUS servers:
    # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
    Verifying the configuration
    After the host passes authentication, perform the display connection command on the device to view online user information.

  • Page 123: Configuring Port Security, Overview, Port Security Features, Port Security Modes

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to a network that requires different authentication methods for different users on a port. Port security prevents unauthorized access to the network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.

  • Page 124

    • MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
    • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
    Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.

  • Page 125

    Controlling MAC address learning
    • autoLearn
    A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

  • Page 126: Working With Guest Vlan And Auth-fail Vlan, Configuration Task List, Enabling Port Security

    This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
    • macAddressElseUserLoginSecure
    This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames, and upon receiving 802.1X frames performs MAC authentication and then, if that authentication fails, 802.1X authentication.

  • Page 127: Setting Port Security's Limit On The Number Of Mac Addresses On A Port

    When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. You cannot disable port security when online users are present. Before enabling port security, disable 802.1X and MAC authentication globally.

  • Page 128: Configuring Port Security Features, Configuration Prerequisites, Configuration Procedure, Configuring Ntk

    Configuration prerequisites
    Before you set a port security mode for a port, complete the following tasks:
    • Disable 802.1X and MAC authentication.
    • Verify that the port does not belong to any aggregation group or service loopback group.
    • If you are configuring the autoLearn mode, set port security's limit on the number of MAC addresses.
    •...

  • Page 129: Configuring Intrusion Protection, Enabling Port Security Traps

    • ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
    To configure the NTK feature:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    Step 3: Configure the NTK feature. Command: port-security ntk-mode... Remarks: By default, NTK is disabled on a...

  • Page 130: Configuring Secure Mac Addresses

    • dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X user logoff.
    • ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
    • intrusion—Detection of illegal frames.
    To enable port security traps:
    Step 1: Enter system view. Command: system-view
    Step 2: Enable port security traps. Command: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff |... Remarks: By default, port security traps are...

  • Page 131

    Type | Address sources | Aging mechanism | Can be saved and survive a device reboot?
    Dynamic | Converted from sticky MAC addresses or automatically learned after the dynamic secure MAC function is enabled. | Same as sticky MAC addresses. | No. All dynamic secure MAC addresses are lost at reboot.

  • Page 132: Ignoring Authorization Information, Displaying And Maintaining Port Security

    Step: Enable the dynamic secure MAC function. Command: port-security mac-address dynamic. Remarks: Optional. By default, sticky MAC addresses can be saved to the configuration file, and once saved, can survive a device reboot.
    NOTE: You can display dynamic secure MAC addresses only by using the display port-security mac-address security command.

  • Page 133: Port Security Configuration Examples, Configuring The Autolearn Mode

    Port security configuration examples
    Configuring the autoLearn mode
    Network requirements
    As shown in Figure 40, configure port GigabitEthernet 1/0/1 on the Device as follows:
    • Accept up to 64 users on the port without authentication.
    • Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the sticky MAC...

  • Page 134

    Disableport Timeout: 30s
    OUI value:
    GigabitEthernet1/0/1 is link-up
      Port mode is autoLearn
      NeedToKnow mode is disabled
      Intrusion Protection mode is DisablePortTemporarily
      Max MAC address number is 64
      Stored MAC address number is 0
      Authorization is permitted
      Security MAC address learning mode is sticky
      Security MAC address aging type is absolute
    The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, intrusion protection traps are enabled, and the intrusion protection...

  • Page 135: Configuring The Userloginwithoui Mode

    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
    The port should be re-enabled 30 seconds later.
    [Device-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
    GigabitEthernet1/0/1 current state: UP
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
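    A small model of the autoLearn behaviour shown in this example, written in Python as an added illustration; it is not HP's implementation. The port learns sticky secure MACs until the configured limit, then switches to secure mode, and in secure mode a frame from an unknown source MAC triggers intrusion protection that disables the port for the disableport timeout (DisablePortTemporarily), after which traffic from secure MACs is forwarded again. The frames and timestamps are constructed; the limit of 2 is chosen so the scenario stays short, and the MAC 00-e0-fc-12-34-56 is the one used elsewhere on the page.

```python
class SecurePort:
    """Toy model of one port in port-security autoLearn mode with DisablePortTemporarily."""

    def __init__(self, max_mac=64, disable_timeout=30, static_secure=()):
        self.max_mac = max_mac
        self.disable_timeout = disable_timeout        # port-security timer disableport, in seconds
        self.secure = set(static_secure)             # sticky or statically configured secure MACs
        self.mode = "secure" if len(self.secure) >= max_mac else "autoLearn"
        self.disabled_until = None                   # set while the port is temporarily disabled
        self.traps = []                              # what "port-security trap intrusion" would report

    def receive(self, src_mac, now):
        """Process one inbound frame at time `now` (seconds); return the action taken."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "dropped: port disabled"
            self.disabled_until = None                # timeout expired, port re-enabled
        if src_mac in self.secure:
            return "forwarded"
        if self.mode == "autoLearn":
            self.secure.add(src_mac)                  # learned as a sticky secure MAC
            if len(self.secure) >= self.max_mac:
                self.mode = "secure"                  # limit reached: learning stops
            return "learned"
        # secure mode: a frame from an unknown source MAC is illegal
        self.traps.append(("intrusion", src_mac, now))
        self.disabled_until = now + self.disable_timeout
        return "intrusion: port disabled for %ds" % self.disable_timeout


def run_scenario(max_mac=2, timeout=30):
    """Constructed traffic: two hosts are learned, a third triggers intrusion protection,
    a known host is dropped while the port is down and forwarded once the timeout expires."""
    port = SecurePort(max_mac=max_mac, disable_timeout=timeout)
    events = [(0, "00-e0-fc-12-34-56"), (1, "00-e0-fc-00-00-02"), (2, "00-e0-fc-00-00-03"),
              (10, "00-e0-fc-12-34-56"), (2 + timeout, "00-e0-fc-12-34-56")]
    log = [(t, mac, port.receive(mac, t)) for t, mac in events]
    return port, log


if __name__ == "__main__":
    port, log = run_scenario()
    for t, mac, action in log:
        print("t=%3ds  %s  %s" % (t, mac, action))
    print("final mode:", port.mode, "traps:", port.traps)
```

    The model makes the failure mode of the example visible: once the limit is reached, any new device on the port does not merely fail to learn, it takes the port down for every host behind it for the length of the timeout.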

  • Page 136

    Configuration procedure
    Configurations on the host and RADIUS servers are not shown. The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
    Configure the RADIUS protocol:
    # Configure a RADIUS scheme named radsun.
    <Device>...

  • Page 137

    <Device> display radius scheme radsun
    SchemeName : radsun
    Index : 1
    Type : standard
    Primary Auth Server:
    IP: 192.168.1.2 Port: 1812 State: active
    Encryption Key : N/A
    VPN instance : N/A
    Probe username : N/A
    Probe interval : N/A
    Primary Acct Server:
    IP: 192.168.1.3 Port: 1813 State: active...

  • Page 138

    # Display the port security configuration.
    <Device> display port-security interface gigabitethernet 1/0/1
    Equipment port-security is enabled
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    Index is 1, OUI value is 123401
    Index is 2, OUI value is 123402
    Index is 3, OUI value is 123403
    Index is 4, OUI value is 123404...

  • Page 139: Configuring The Macaddresselseuserloginsecure Mode

    802.1X Multicast-trigger is enabled
    Mandatory authentication domain: NOT configured
    Guest VLAN: NOT configured
    Auth-Fail VLAN: NOT configured
    Critical VLAN: NOT configured
    Critical recovery-action: NOT configured
    Max number of on-line users is 2048
    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316
    EAP Request/Challenge Packets: 6
    EAP Success Packets: 4, Fail Packets: 5
    Received EAPOL Start Packets : 6...

  • Page 140

    Configure the RADIUS protocol:
    Configure the RADIUS authentication/accounting and ISP domain settings the same as in "Configuring the userLoginWithOUI mode."
    Configure port security:
    # Enable port security.
    <Device> system-view
    [Device] port-security enable
    # Configure the device to use hyphenated, lowercased MAC addresses of users as the usernames and passwords for MAC authentication.

  • Page 141

    Fixed username: mac
    Fixed password: not configured
    Offline detect period is 60s
    Quiet period is 5s
    Server response timeout value is 100s
    The max allowed user number is 2048 per slot
    Current user number amounts to 3
    Current domain is mac
    Silent MAC User info:
    MAC Addr From Port...

  • Page 142: Troubleshooting Port Security, Cannot Set The Port Security Mode, Cannot Configure Secure Mac Addresses

    Mandatory authentication domain: NOT configured
    Guest VLAN: NOT configured
    Auth-Fail VLAN: NOT configured
    Critical VLAN: NOT configured
    Critical recovery-action: NOT configured
    Max number of on-line users is 2048
    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316
    EAP Request/Challenge Packets: 6
    EAP Success Packets: 4, Fail Packets: 5
    Received EAPOL Start Packets : 6...

  • Page 143: Cannot Change Port Security Mode When A User Is Online

    Analysis
    No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
    Solution
    Set the port security mode to autoLearn.
    [Device-GigabitEthernet1/0/1] undo port-security port-mode
    [Device-GigabitEthernet1/0/1] port-security max-mac-count 64
    [Device-GigabitEthernet1/0/1] port-security port-mode autolearn
    [Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
    Cannot change port security mode when a user is online
    Symptom...

  • Page 144: Configuring A User Profile, Overview, User Profile Configuration Task List, Creating A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile supports working with 802.1X authentication. It is capable of restricting authenticated users' behaviors.

  • Page 145: Applying A Qos Policy, Enabling A User Profile

    Applying a QoS policy You can apply QoS policies in user profile view to implement traffic management functions. Follow these guidelines when you apply a QoS policy: • After a user profile is created, apply a QoS policy in user profile view to implement restrictions on online users.

  • Page 146: Displaying And Maintaining User Profiles

    Displaying and maintaining user profiles
    Task: Display information about all the created user profiles.
    Command: display user-profile [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view...

  • Page 147: Configuring Password Control, Overview

    Configuring password control
    Overview
    Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
    • Minimum password length...

  • Page 148

    You can allow a user to log in a certain number of times within a specified period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.

  • Page 149: Password Control Configuration Task List

    Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category. There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain.

  • Page 150: Enabling Password Control, Configuring Password Control

    • For local user passwords, the settings with a smaller application range have a higher priority.
    • For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.
    Complete the following tasks to configure password control:
    Task: Enabling password control...

  • Page 151: Setting Global Password Control Parameters

    • When global password control is enabled but the minimum password length restriction function is disabled, the minimum password length is four characters, and the password must have at least four different characters.
    • When global password control and the minimum password length restriction function are both enabled, the minimum password length is that configured by the password-control length length command.

  • Page 152: Setting User Group Password Control Parameters, Setting Local User Password Control Parameters

    Step: Set the number of days during which the user is warned of the pending password expiration.
    Command: password-control alert-before-expire alert-time
    Remarks: Optional. 7 days by default.
    Step: Set the maximum number of days and maximum number of times that a user can log in...
    Command: password-control expired-user-login delay delay...
    Remarks: Optional. By default, a user can log in three times within 30 days after the...

  • Page 153: Setting Super Password Control Parameters

    Step: Configure the password aging time for the local user.
    Command: password-control aging aging-time
    Remarks: Optional. By default, the setting for the user group to which the local user belongs is used; if no aging time is configured for the user group, the setting in system view is used.

  • Page 154: Setting A Local User Password In Interactive Mode, Displaying And Maintaining Password Control

    Setting a local user password in interactive mode You can set a password for a local user in interactive mode. When doing so, you need to confirm the password. To set a password for a local user in interactive mode: Step Command Enter system view.

  • Page 155

    • A password cannot contain the username or the reverse of the username.
    • No character occurs consecutively three or more times in a password.
    Implementing the following super password control policy:
    • A super password must contain at least three types of valid characters, five or more of each type.
    •...
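    An added example, not code from the HP guide, that checks a candidate password against the rules stated on this and the preceding password-control pages: the combination level (number of categories), the minimum characters per category, the four-different-characters floor, the username and reversed-username rule, and the no-three-consecutive-repeats rule. The four categories (uppercase, lowercase, digits, special) and the case-insensitive username comparison are the example's own assumptions.

```python
import re

# Assumed character categories behind combination levels 1-4 (example's assumption).
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def category_counts(password):
    """Count how many characters of each category the password contains."""
    return {name: sum(1 for c in password if test(c)) for name, test in CATEGORIES.items()}


def check_password(password, username, min_length=4, combination_level=1, min_per_category=1):
    """Return the list of policy violations; an empty list means the password passes.

    combination_level is the number of categories the password must at least contain (1-4).
    min_per_category is the minimum number of characters required in each category that is
    present (the example's reading of the per-category minimum).
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Even with the length restriction disabled, at least four different characters are required.
    if len(set(password)) < 4:
        problems.append("fewer than 4 different characters")
    counts = category_counts(password)
    present = [name for name, n in counts.items() if n > 0]
    if len(present) < combination_level:
        problems.append("only %d character categories, %d required"
                        % (len(present), combination_level))
    short = [name for name in present if counts[name] < min_per_category]
    if short:
        problems.append("fewer than %d characters in: %s" % (min_per_category, ", ".join(short)))
    # Username and its reverse are rejected; compared case-insensitively (example's choice).
    lowered, user = password.lower(), username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or its reverse")
    # Any character repeated three or more times in a row.
    if re.search(r"(.)\1\1", password):
        problems.append("a character occurs three or more times consecutively")
    return problems


def check_super_password(password, username):
    """Super password policy from the guide: at least three categories, five or more of each."""
    return check_password(password, username, combination_level=3, min_per_category=5)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("Ab1!xyz9", "admin"), ("nimda111", "admin"), ("Ab1!", "root")]:
        print(pw, "->", check_password(pw, user, combination_level=3) or "OK")
```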

  • Page 156

    [Sysname-luser-test] password-control aging 20
    # Configure the password of the local user in interactive mode.
    [Sysname-luser-test] password
    Password:***********
    Confirm :***********
    Updating user(s) information, please wait...
    [Sysname-luser-test] quit
    Verifying the configuration
    # Display the global password control configuration information.
    <Sysname> display password-control
    Global password control configurations:
    Password control: Enabled...

  • Page 157: Managing Public Keys, Overview, Configuration Task List

    Managing public keys
    Overview
    To protect data confidentiality during transmission, the data sender uses an algorithm and a key (a character string) to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure
    Figure 42 Encryption and decryption
    The keys that participate in the conversion between the plain text and the cipher text can be the same or...

  • Page 158: Creating A Local Asymmetric Key Pair, Displaying Or Exporting The Local Host Public Key

    Task: Configuring a local asymmetric key pair on the local device: Creating a local asymmetric key pair; Displaying or exporting the local host public key; Destroying a local asymmetric key pair.
    Remarks: Perform the tasks as needed.
    Task: Specifying the peer public key on the local device
    Creating a local asymmetric key pair
    When you create an asymmetric key pair on the local device, follow these guidelines:
    Create an asymmetric key pair of the proper type to work with a target application.

  • Page 159

    If your local device functions to authenticate the peer device, you must specify the peer public key on the local device. For more information, see "Specifying the peer public key on the local device."
    Displaying and recording the host public key information
    To display the local public key:
    Task Command...

  • Page 160: Destroying A Local Asymmetric Key Pair, Specifying The Peer Public Key On The Local Device

    Destroying a local asymmetric key pair You may need to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires.

  • Page 161: Displaying And Maintaining Public Keys, Public Key Configuration Examples

    Step: Enter system view.
    Command: system-view
    Step: Specify a name for the public key and enter public key view.
    Command: public-key peer keyname
    Step: Enter public key code view.
    Command: public-key-code begin
    Step: Configure the peer public key.
    Command: Enter or copy the key.
    Remarks: Spaces and carriage returns are allowed between characters, but are not saved.

  • Page 162

    <DeviceA> system-view
    [DeviceA] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...

  • Page 163: Importing A Peer Public Key From A Public Key File

    E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1E
    F999B2BF9C4A10203010001
    [DeviceB-pkey-key-code] public-key-code end
    [DeviceB-pkey-public-key] peer-public-key end
    # Display the host public key of Device A saved on Device B.
    [DeviceB] display public-key peer name devicea
    =====================================
    Key Name : devicea
    Key Type : RSA
    Key Module: 1024
    =====================================
    Key Code:
    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
    814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7...

  • Page 164

    ++++++++
    ++++++++
    # Display the public keys of the local RSA key pairs.
    [DeviceA] display public-key local rsa public
    =====================================================
    Time of Key pair created: 09:50:06 2012/03/07
    Key name: HOST_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F
    814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7
    66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647
    0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
    =====================================================...

  • Page 165

    230 User logged in.
    [ftp] binary
    200 Type set to I.
    [ftp] get devicea.pub
    227 Entering Passive Mode (10,1,1,1,5,148).
    125 BINARY mode data connection already open, transfer starting for /devicea.pub.
    226 Transfer complete.
    FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
    [ftp] quit
    221 Server closing.

  • Page 166: Configuring Pki, Overview, Pki Terms

    Configuring PKI Overview The Public Key Infrastructure (PKI) is a general security infrastructure used to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key.

  • Page 167: Pki Architecture, Pki Operation

    such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.

  • Page 168: Pki Applications, Pki Configuration Task List

    An entity submits a certificate request to the RA. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution point to provide directory navigation service, and notifies the entity that the certificate is successfully issued.

  • Page 169: Configuring An Entity Dn

    Task: Deleting a certificate. Remarks: Optional.
    Task: Configuring an access control policy. Remarks: Optional.
    Configuring an entity DN
    A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.

  • Page 170: Configuring A Pki Domain

    Step: Configure the locality for the entity.
    Command: locality locality-name
    Remarks: Optional. No locality is specified by default.
    Step: Configure the organization name for the entity.
    Command: organization org-name
    Remarks: Optional. No organization is specified by default.
    Step: Configure the unit name for the entity.
    Command: organization-unit org-unit-name
    Remarks: Optional.

  • Page 171: Submitting A Pki Certificate Request, Configuration Guidelines, Configuration Procedure

    Configuration guidelines
    • Up to two PKI domains can be created on a switch.
    • The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
    • The certificate request URL does not support domain name resolution.
    •...

  • Page 172: Submitting A Certificate Request In Auto Mode, Submitting A Certificate Request In Manual Mode

    An online certificate request can be submitted in manual mode or auto mode. Submitting a certificate request in auto mode IMPORTANT: In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted. In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally.

  • Page 173: Retrieving A Certificate Manually, Configuration Guidelines

    request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
    • Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate will be abnormal.

  • Page 174: Configuring Pki Certificate Verification, Configuration Procedure, Configuration Guidelines, Configuring Crl-checking-enabled Pki Certificate Verification

    • The configuration made by the pki retrieval-certificate command is not saved in the configuration file.
    • Make sure the switch's system time falls in the validity period of the certificate so that the certificate is valid.
    Configuration procedure
    To retrieve a certificate manually:
    Step Command Remarks...

  • Page 175: Configuring Crl-checking-disabled Pki Certificate Verification, Destroying A Local Rsa Key Pair

    Step: Set the CRL update period.
    Command: crl update-period hours
    Remarks: Optional. By default, the CRL update period depends on the next update field in the CRL file.
    Step: Enable CRL checking.
    Command: crl check enable
    Remarks: Optional. Enabled by default.
    Step: Return to system view.
    Command: quit
    Step: Retrieve the CA certificate.
    Remarks: "Retrieving a certificate...

  • Page 176: Deleting A Certificate, Configuring An Access Control Policy, Displaying And Maintaining Pki

    For more information about the public-key local destroy command, see Security Command Reference. Deleting a certificate When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. To delete a certificate: Step Command...

  • Page 177: Pki Configuration Examples, Certificate Request From An Rsa Keon Ca Server

    Task: Display the contents or request status of a certificate.
    Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display CRLs.
    Command: display pki crl domain...

  • Page 178

    Configure extended attributes: After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. Configure the CRL distribution behavior: After completing the configuration, you must perform CRL related configurations.

  • Page 179

    Apply for certificates:
    # Retrieve the CA certificate and save it locally.
    [Device] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while...
    The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment...

  • Page 180: Certificate Request From A Windows 2003 Ca Server

    00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0
    EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61
    D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
    73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 CRL Distribution Points:
    URI:http://4.4.4.133:447/myca.crl
    Signature Algorithm: sha1WithRSAEncryption
    836213A4 F2F74C1A 50F4100D B764D6CE...

  • Page 181

    After the SCEP add-on installation completes, a URL is displayed, which you must configure on the switch as the URL of the server for certificate registration. Modify the certificate service attributes: Select Control Panel > Administrative Tools > Certificate Authority from the start menu. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.

  • Page 182

    Press CTRL+C to abort.
    Input the bits in the modulus [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    Apply for certificates:
    # Retrieve the CA certificate and save it locally.
    [Device] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while...
    The trusted CA's finger print is:
    fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4...

  • Page 183: Certificate Attribute Access Control Policy Configuration Example

    Modulus (1024 bit):
    00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113
    0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5
    1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306
    81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
    X509v3 Authority Key Identifier:...

  • Page 184

    Figure 48 Network diagram Configuration procedure The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide. The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see "Configure the PKI domain:."...

  • Page 185: Troubleshooting Pki, Failed To Retrieve A Ca Certificate, Failed To Request A Local Certificate

    Apply the SSL server policy and certificate attribute access control policy to HTTPS service and enable HTTPS service:
    # Apply SSL server policy myssl to HTTPS service.
    [Device] ip https ssl-server-policy myssl
    # Apply the certificate attribute access control policy of myacp to HTTPS service.
    [Device] ip https certificate access-control-policy myacp
    # Enable HTTPS service.

  • Page 186: Failed To Retrieve Crls

    Solution
    • Make sure the network connection is physically proper.
    • Retrieve a CA certificate.
    • Regenerate a key pair.
    • Specify a trusted CA.
    • Use the ping command to verify that the RA server is reachable.
    • Specify the authority for certificate request.
    •...

  • Page 187: Configuring Ssh2.0, Overview, Ssh Operation

    Configuring SSH2.0 Overview Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.

  • Page 188

    either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use. The server compares the version number carried in the packet with that of its own. If the server supports the version, the negotiation succeeds and the server and the client proceed with key and algorithm negotiation.

  • Page 189: Ssh Connection Across Vpns

    An SSH2.0 server might require the client to pass both password authentication and publickey authentication or either of them. However, if the client is running SSH1, the client only needs to pass either authentication, regardless of the requirement of the server. The following gives the steps of the authentication stage: The client sends the server an authentication request that includes the username, the authentication method, and the information related to the authentication method (for example, the password in...

  • Page 190: Configuring The Switch As An Ssh Server, Ssh Server Configuration Task List

    Figure 49 Network diagram
    For more information about MCE, see Layer 3—IP Routing Configuration Guide.
    Configuring the switch as an SSH server
    SSH server configuration task list
    Task: Generating DSA or RSA key pairs. Remarks: Required
    Task: Enabling the SSH server function. Remarks: Required
    Task: Configuring the user interfaces for SSH clients. Remarks: Required...

  • Page 191: Enabling The Ssh Server Function, Configuring The User Interfaces For Ssh Clients

    • The length of the modulus of RSA server keys and host keys must be in the range of 512 to 2048 bits.
    • Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.

  • Page 192: Configuring A Client Public Key

    Step: Enter system view.
    Command: system-view
    Step: Enter user interface view of one or more user interfaces.
    Command: user-interface vty number [ ending-number ]
    Step: Set the login authentication mode to scheme.
    Command: authentication-mode scheme
    Remarks: By default, the authentication mode is password.
    Step: Configure the user interfaces...
    Command: protocol inbound { all | ssh }
    Remarks: Optional. All protocols are supported by...

  • Page 193: Configuring An Ssh User

    Importing a client public key from a public key file
    Step: Enter system view.
    Command: system-view
    Step: Import the public key from a public key file.
    Command: public-key peer keyname import sshkey filename
    Configuring an SSH user
    To configure an SSH user that uses publickey authentication, you must perform the procedure in this section.

  • Page 194: Setting The Ssh Management Parameters

    Configuration procedure
    To configure an SSH user and specify the service type and authentication method:
    Step: Enter system view.
    Command: system-view
    Step: Create an SSH user, and...
    Command:
    • For Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

  • Page 195: Setting The Dscp Value For Packets Sent By The Ssh Server

    Step: Set the SSH user authentication timeout period.
    Command: ssh server authentication-timeout time-out-value
    Remarks: Optional. 60 seconds by default.
    Step: Set the maximum number of SSH authentication attempts.
    Command: ssh server authentication-retries times
    Remarks: Optional. 3 by default.
    Setting the DSCP value for packets sent by the SSH server
    A field in an IPv4 or IPv6 header contains 8 bits and is used to identify the service type of an IP packet.

  • Page 196: Configuring Whether First-time Authentication Is Supported

    Step: Enter system view.
    Command: system-view
    Step: Specify a source IP address or interface for the SSH client.
    Command: • Specify a source IPv4 address or interface for the SSH client: ssh client source { ip ip-address | interface interface-type interface-number }...
    Remarks: Select either approach. By default, an SSH client uses the IP address of the outbound interface...

  • Page 197: Establishing A Connection Between The Ssh Client And Server

    Step: Specify the host public key name of the server.
    Command: ssh client authentication server server assign publickey keyname
    Establishing a connection between the SSH client and server
    Task Command Remarks
    • For an IPv4 server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 |...

  • Page 198: Displaying And Maintaining Ssh, Ssh Server Configuration Examples

    Displaying and maintaining SSH
    Task: Display the source IP address or interface set for the SFTP client.
    Command: display sftp client source [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display the source IP address or interface information on an SSH...
    Command: display ssh client source [ | { begin | exclude | include }...

  • Page 199

    # Generate the RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...

  • Page 200: When The Switch Acts As A Server For Publickey Authentication

    The switch supports a variety of SSH client software, such as PuTTY and OpenSSH. The following example uses PuTTY Version 0.58.
    To establish a connection to the SSH server:
    Launch PuTTY.exe to enter the interface as shown in Figure
    In the Host Name (or IP address) text box, enter the IP address of the server 192.168.1.40.
    Figure 51 Specifying the host name (or IP address)
    Click Open to connect to the server.

  • Page 201

    Figure 52 Network diagram Configuration procedure During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SSH server. Generate the RSA key pairs on the SSH client: Run PuTTYGen.exe, select SSH-2 RSA and click Generate.

  • Page 202

    Figure 54 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 55 Saving the key pair on the client...

  • Page 203

    Click Save private key to save the private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.

  • Page 204

    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
    [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Specify the private key file and establish a connection to the SSH server:
    Launch PuTTY.exe to enter the interface as shown in Figure
    In the Host Name (or IP address) text box, enter the IP address of the server 192.168.1.40.

  • Page 205: Ssh Client Configuration Examples, When Switch Acts As Client For Password Authentication

    Figure 57 Specifying the private key file Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server. SSH client configuration examples When switch acts as client for password authentication Network requirements...

  • Page 206

    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...

  • Page 207

    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    [SwitchA] quit
    # Establish a connection between the SSH client and the SSH server:
    If the client supports first-time authentication, you can directly establish a connection from the client to the server.
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA>...

  • Page 208: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code] public-key-code end
    [SwitchA-pkey-public-key] peer-public-key end
    # Specify the host public key for the SSH server 10.165.87.136 as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client001
    Trying 10.165.87.136
    Press CTRL+K to abort...

  • Page 209

    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SSH server:
    # Generate the RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.

  • Page 210

    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Establish an SSH connection to the server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client002
    Trying 10.165.87.136 ...
    Press CTRL+K to abort
    Connected to 10.165.87.136 ...
    The Server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    Later, you will find that you have logged in to Switch B successfully.

  • Page 211: Configuring Sftp, Overview, Configuring The Switch As An Sftp Server, Enabling The Sftp Server

    Configuring SFTP Overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.

  • Page 212: Configuring The Switch As An Sftp Client

    Step: Configure the SFTP connection idle timeout period. Command: sftp server idle-timeout time-out-value. Remarks: Optional. 10 minutes by default. Configuring the switch as an SFTP client Specifying a source IP address or interface for the SFTP client You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability.

  • Page 213: Working With Sftp Directories

    Task Command Remarks • Establish a connection to the remote IPv4 SFTP server and enter SFTP client view: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher...

  • Page 214: Working With Sftp Files, Displaying Help Information

    Step: Create a new directory on the remote SFTP server. Command: mkdir remote-path. Remarks: Optional. Step: Delete one or more directories from the SFTP server. Command: rmdir remote-path&<1-10>. Remarks: Optional. Working with SFTP files SFTP file operations include: • Changing the name of a file...

  • Page 215: Terminating The Connection To The Remote Sftp Server

    Step: Display a list of all commands or the help information of an SFTP client command. Command: help [ all | command-name ]. Terminating the connection to the remote SFTP server Step: Enter SFTP client view. Remarks: For more information, see "Establishing a connection to the ..." Execute the command in user view.

  • Page 216

    Figure 60 Network diagram Configuration procedure During SFTP server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SFTP server. Configure the SFTP client: # Create VLAN-interface 1 and assign an IP address to it. <SwitchA>...

  • Page 217

    [SwitchB] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...

  • Page 218

    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub -rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z sftp-client> delete z The following File will be deleted: Are you sure to delete it? [Y/N]:y This operation might take a long time.Please wait...

  • Page 219: Sftp Server Configuration Example

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub -rwxrwxrwx 1 noone...

  • Page 220

    Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server. [Switch] ssh server enable # Enable the SFTP server. [Switch] sftp server enable # Configure an IP address for VLAN-interface 1, which the client will use as the destination for SSH connection.

  • Page 221

    Figure 62 SFTP client interface...

  • Page 222: Configuring Scp, Overview, Configuring The Switch As An Scp Server

    Configuring SCP Overview Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user to log in from the switch to a remote server for secure file transfer.

  • Page 223: Configuring The Switch As The Scp Client, Scp Client Configuration Example

    Configuring the switch as the SCP client To upload or download files to or from an SCP server: Step Command Remarks • Upload a file to the IPv4 SCP server: scp server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |...

  • Page 224: Scp Server Configuration Example

    Figure 63 Network diagram Configuration procedure # Create VLAN-interface 1 and assign an IP address to it. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface1] quit # Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin. <SwitchA>...

  • Page 225

    ++++++++ ++++++++++++++ +++++ ++++++++ # Generate the DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.

  • Page 226: Configuring Ssl, Overview, Ssl Security Mechanism, Ssl Protocol Stack

    Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the key...

  • Page 227: Configuration Task List, Configuring An Ssl Server Policy

    Figure 66 SSL protocol stack • SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end. • SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.

  • Page 228

    Step: Specify a PKI domain for the SSL server policy. Command: pki-domain domain-name. Remarks: Optional. By default, no PKI domain is specified for an SSL server policy. The SSL server generates a certificate itself instead of requesting one from the CA. After you specify a PKI domain, the SSL server requests a certificate...

  • Page 229: Ssl Server Policy Configuration Example

    SSL server policy configuration example Network requirements As shown in Figure 67, users need to access and control the device through web pages. For security of the device and to make sure that data is not eavesdropped or tampered with, configure the device so that users must use HTTPS (Hypertext Transfer Protocol Secure, which uses SSL) to log in to the web interface of the device.

  • Page 230: Configuring An Ssl Client Policy

    [Device-pki-domain-1] quit # Create the local RSA key pairs. [Device] public-key local create rsa # Retrieve the CA certificate. [Device] pki retrieval-certificate ca domain 1 # Request a local certificate for Device. [Device] pki request-certificate domain 1 # Create an SSL server policy named myssl. [Device] ssl server-policy myssl # Specify the PKI domain for the SSL server policy as 1.

  • Page 231: Displaying And Maintaining Ssl, Troubleshooting Ssl

    Step: Specify a PKI domain for the SSL client policy. Command: pki-domain domain-name. Remarks: Optional. No PKI domain is configured by default. After you specify a PKI domain, the SSL client requests a certificate through the PKI domain. If the SSL server requires...

  • Page 232

    Analysis SSL handshake failure may result from the following causes: • The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted. • The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the...

  • Page 233: Configuring Tcp Attack Protection, Overview, Enabling The Syn Cookie Feature

    Configuring TCP attack protection Overview An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature As a general rule, the establishment of a TCP connection involves the following three handshakes. The request originator sends a SYN message to the target server.

  • Page 234

    Task: Display current TCP connection state. Command: display tcp status [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view...

  • Page 235: Configuring Ip Source Guard, Overview, Static Ip Source Guard Entries, Dynamic Ip Source Guard Entries

    Configuring IP source guard Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address and source MAC address. IP source guard entries fall into the following types: •...

  • Page 236: Configuring The Ipv4 Source Guard Function, Configuration Task List

    and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the client entry to allow the client to access the network. A user using an IP address not obtained through DHCP cannot access the network. Dynamic IPv4 source guard entries are generated dynamically based on DHCP snooping or DHCP relay entries to filter incoming IPv4 packets on a port.

  • Page 237: Configuring A Static Ipv4 Source Guard Entry

    Step: Enter system view. Command: system-view. Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The term "interface" collectively refers to the following types of ports and interfaces: Layer 2 Ethernet ports and VLAN interfaces. Step: Configure IPv4 source guard ... Command: ip verify source { ip-address | ip-address mac-address | ... Remarks: Not configured by default.

  • Page 238: Setting The Maximum Number Of Ipv4 Source Guard Entries, Displaying And Maintaining Ip Source Guard

    Setting the maximum number of IPv4 source guard entries The maximum number of IPv4 source guard entries is used to limit the total number of static and dynamic IPv4 source guard entries on a port. When the number of IPv4 binding entries on a port reaches the maximum, the port does not allow any new IPv4 binding entries.

  • Page 239

    • On port GigabitEthernet 1/0/1 of Device A, only IP packets from Host A can pass. • On port GigabitEthernet 1/0/2 of Device B, only IP packets from Host A can pass. • On port GigabitEthernet 1/0/1 of Device B, only IP packets sourced from 192.168.0.2/24 can...

  • Page 240: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    # Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass. [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [DeviceB-GigabitEthernet1/0/2] quit # Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address.

  • Page 241

    Figure 70 Network diagram Configuration procedure Configure DHCP snooping. # Enable DHCP snooping. <Device> system-view [Device] dhcp-snooping # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port. [Device] interface gigabitethernet1/0/2 [Device-GigabitEthernet1/0/2] dhcp-snooping trust [Device-GigabitEthernet1/0/2] quit Configure the IPv4 source guard function.

  • Page 242: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 71, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay agent.

  • Page 243: Troubleshooting Ip Source Guard

    Total entries found: 1 MAC Address IP Address VLAN Interface Type 0001-0203-0406 192.168.0.1 Vlan100 DHCP-RLY Troubleshooting IP source guard Symptom Failed to configure static or dynamic IP source guard on a port. Analysis IP source guard is not supported on a port in an aggregation group or a service loopback group. Solution Remove the port from the aggregation group or service loopback group.

  • Page 244: Configuring Arp Attack Protection, Overview, Arp Attack Protection Configuration Task List

    Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP...

  • Page 245: Configuring Arp Defense Against Ip Packet Attacks, Configuring Arp Source Suppression

    Task: Configuring ARP automatic scanning and fixed ARP. Remarks: Optional. Configure this function on gateways (recommended). Task: Configuring ARP gateway protection. Remarks: Optional. Configure this function on access devices (recommended). Task: Configuring ARP filtering. Remarks: Optional. Configure this function on access devices (recommended). Configuring ARP defense against IP packet attacks If the device receives a large number of IP packets from a host addressed to unreachable destinations: •...

  • Page 246: Displaying And Maintaining Arp Defense Against Ip Packet Attacks, Configuration Example

    Step: Enter system view. Command: system-view. Step: Enable ARP black hole routing. Command: arp resolving-route enable. Remarks: Optional. Enabled by default. Displaying and maintaining ARP defense against IP packet attacks Task: Display the ARP source suppression configuration information. Command: display arp source-suppression [ | { begin | exclude | include } ... Remarks: Available in any view.

  • Page 247: Configuring Arp Packet Rate Limit, Introduction, Configuration Procedure

    Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps: Enable ARP source suppression. Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following five seconds.

  • Page 248: Configuring Source Mac Address Based Arp Attack Detection, Configuration Procedure

    Configuring source MAC address based ARP attack detection With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the specified threshold.

  • Page 249: Configuration Example

    Task: Display attacking MAC addresses detected by source MAC address based ARP attack detection. Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Configuration example Network requirements As shown in...

  • Page 250: Configuring Arp Packet Source Mac Address Consistency Check, Introduction, Configuration Procedure, Configuring Arp Active Acknowledgement

    [Device] arp anti-attack source-mac filter # Set the threshold to 30. [Device] arp anti-attack source-mac threshold 30 # Set the age timer for detection entries to 60 seconds. [Device] arp anti-attack source-mac aging-time 60 # Configure 0012-3f86-e94c as a protected MAC address. [Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC address consistency check...
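    As an added example (not code from the manual or from HP), the following Python simulation models the source MAC address based ARP attack detection described above: packets are counted per source MAC over five seconds, a MAC that exceeds the threshold (30 here) becomes a detection entry that ages out after 60 seconds, and a protected MAC (0012-3f86-e94c from the configuration) is never flagged. The sliding five-second window, the filter/monitor behaviour and the packet timestamps are my own assumptions, and the traffic sample is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Sequence


class ArpPacket(NamedTuple):
    """One ARP packet delivered to the CPU: arrival time (seconds) and sender MAC."""
    ts: float
    src_mac: str


class SourceMacArpDetector:
    """Per-source-MAC ARP rate check (assumed model of the switch feature).

    An attack is detected when one MAC sends more than `threshold` ARP
    packets within a five-second window. A detected MAC is kept as an entry
    for `aging_time` seconds; in 'filter' mode its packets are dropped while
    the entry exists, in 'monitor' mode they are only logged. MACs listed in
    `exclude_macs` (for example a gateway) are never checked.
    """

    WINDOW = 5.0  # seconds, as described in the manual

    def __init__(self, threshold: int = 30, aging_time: int = 60,
                 mode: str = "monitor", exclude_macs: Sequence[str] = ()) -> None:
        self.threshold = threshold
        self.aging_time = aging_time
        self.mode = mode
        self.exclude = {m.lower() for m in exclude_macs}
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.entries: Dict[str, float] = {}   # attacking MAC -> detection time
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        """Drop detection entries older than the aging timer."""
        for mac, detected_at in list(self.entries.items()):
            if now - detected_at >= self.aging_time:
                del self.entries[mac]
                self.log.append(f"{now:.1f}s entry aged out: {mac}")

    def process(self, pkt: ArpPacket) -> bool:
        """Return True if the packet is accepted, False if it is filtered."""
        now, mac = pkt.ts, pkt.src_mac.lower()
        self._age_out(now)
        if mac in self.exclude:          # protected MAC: never checked
            return True
        window = self._recent[mac]
        window.append(now)
        while window and now - window[0] > self.WINDOW:
            window.popleft()             # keep only the last five seconds
        if mac not in self.entries and len(window) > self.threshold:
            self.entries[mac] = now
            self.log.append(f"{now:.1f}s attack detected from {mac} "
                            f"({len(window)} ARP packets in {self.WINDOW:.0f}s)")
        if mac in self.entries:
            return self.mode != "filter"
        return True


def build_sample_traffic() -> List[ArpPacket]:
    """Constructed traffic: one flooding host, the protected gateway MAC, one normal host."""
    pkts = [ArpPacket(10.0 + i * 0.05, "00aa-bbcc-dd01") for i in range(35)]   # 35 in 2 s
    pkts += [ArpPacket(10.0 + i * 0.02, "0012-3f86-e94c") for i in range(40)]  # 40 in 1 s, excluded
    pkts += [ArpPacket(11.0 + i, "00aa-bbcc-dd02") for i in range(3)]          # normal host
    pkts.append(ArpPacket(80.0, "00aa-bbcc-dd01"))  # flooder again after the entry aged out
    return sorted(pkts, key=lambda p: p.ts)


def run_simulation(mode: str = "filter") -> dict:
    """Run the sample traffic through the detector and return per-MAC counters."""
    det = SourceMacArpDetector(threshold=30, aging_time=60, mode=mode,
                               exclude_macs=["0012-3f86-e94c"])
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for pkt in build_sample_traffic():
        stats[pkt.src_mac]["forwarded" if det.process(pkt) else "dropped"] += 1
    return {"stats": dict(stats), "log": det.log, "entries": dict(det.entries)}


if __name__ == "__main__":
    result = run_simulation("filter")
    for line in result["log"]:
        print(line)
    for mac, counters in result["stats"].items():
        print(mac, counters)
```

In filter mode the flooding MAC gets its first 30 packets through, the next five are dropped, and the packet sent after the 60-second aging timer is accepted again; the excluded gateway MAC is never counted.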

  • Page 251: Configuring Arp Detection, Introduction, Configuring User Validity Check

    Step: Enable the ARP active acknowledgement function. Command: arp anti-attack active-ack enable. Remarks: Disabled by default. Configuring ARP detection Introduction ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions.

  • Page 252: Configuring Arp Packet Validity Check

    • At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.

  • Page 253: Configuring Arp Restricted Forwarding, Displaying And Maintaining Arp Detection

    Step: Enter system view. Command: system-view. Step: Enter VLAN view. Command: vlan vlan-id. Step: Enable ARP detection for the VLAN. Command: arp detection enable. Remarks: Disabled by default. Step: Return to system view. Command: quit. Step: Enable ARP packet validity check and specify the objects to ... Command: arp detection validate { dst-mac | ip | ... Remarks: Disabled by default.

  • Page 254: User Validity Check Configuration Example

    User validity check configuration example Network requirements As shown in Figure 74, configure Switch B to perform user validity check based on 802.1X security entries for connected hosts. Figure 74 Network diagram Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A.

  • Page 255: User Validity Check And Arp Packet Validity Check Configuration Example

    [SwitchB-luser-test] password simple test [SwitchB-luser-test] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default). [SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit...

  • Page 256: Arp Restricted Forwarding Configuration Example

    Configure Host A as a DHCP client, and Host B as a user. (Details not shown.) Configure Switch B: # Enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port (a port is an untrusted port by default).

  • Page 257

    Figure 76 Network diagram Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 72. (Details not shown.) Configure DHCP address pool 0 on Switch A as a DHCP server. <SwitchA>...

  • Page 258: Configuring Arp Automatic Scanning And Fixed Arp, Configuration Guidelines

    [SwitchB] arp detection validate dst-mac ip src-mac # Configure port isolation. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port-isolate enable [SwitchB-GigabitEthernet1/0/2] quit After the preceding configurations are complete, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.

  • Page 259: Configuring Arp Gateway Protection, Configuration Procedure, Configuration Guidelines

    • The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries. •...

  • Page 260: Configuring Arp Filtering, Configuration Example

    Step: Enable ARP gateway protection for a specified gateway. Command: arp filter source ip-address. Remarks: Disabled by default. Configuration example Network requirements As shown in Figure 77, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.

  • Page 261

    Configuration guidelines Follow these guidelines when you configure ARP filtering: • You can configure up to eight ARP filtering entries on a port. • Commands arp filter source and arp filter binding cannot be both configured on a port. • If ARP filtering works with ARP detection, MFF, and ARP snooping, ARP filtering applies first. •...

  • Page 262

    [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets. GigabitEthernet 1/0/2 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.9 and 000f-e349-1233 and discard other ARP packets.

  • Page 263: Configuring Nd Attack Defense, Overview

    Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery, address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.

  • Page 264: Enabling Source Mac Consistency Check For Nd Packets

    • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, HP developed the source MAC consistency check feature. Enabling source MAC consistency check for ND packets Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.

  • Page 265: Configuring Urpf, Overview, How Urpf Works

    Configuring URPF The term "router" in this feature refers to both routers and Layer 3 switches. Overview Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch source spoofing attacks by creating packets with forged source addresses.

  • Page 266

    Figure 81 URPF work flow URPF checks the source address validity: Discards packets with a broadcast source address. Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet, and is not discarded.) For other packets, proceeds to step 2.

  • Page 267: Urpf Configuration Example, Configuring Urpf

    If yes, proceeds to step 5. If not, proceeds to step 4. URPF checks whether the receiving interface matches the output interface of the matching FIB entry. If yes, proceeds to step 8. If not, proceeds to step 9. URPF checks whether the source IP address matches an ARP entry. If yes, proceeds to step 8.

  • Page 268

    Configuration procedure Enable URPF check on Switch A. <SwitchA> system-view [SwitchA] ip urpf strict Enable URPF check on Switch B. <SwitchB> system-view [SwitchB] ip urpf strict...

  • Page 269: Configuring Mff, Overview

    Configuring MFF Overview Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment to each VLAN and an IP address to each VLAN interface for Layer 3 communication.

  • Page 270: Basic Concepts, Operation Modes

    NOTE: An MFF-enabled device and a host cannot ping each other. Basic concepts A device with MFF enabled provides two types of ports: user port and network port. If you enable MFF for a VLAN, each port in the VLAN must be an MFF network or user port. Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN.

  • Page 271: Working Mechanism, Protocols And Standards, Configuring Mff, Configuration Prerequisites

    The MFF device also forges ARP requests to get the gateway’s MAC address based on ARP snooping entries. After learning the gateway’s MAC address and then receiving an ARP packet with a different source MAC address from the default gateway, the MFF device will replace the old MAC address with the new one.

  • Page 272: Enabling Mff, Configuring A Network Port, Enabling Periodic Gateway Probe

    Enabling MFF To enable MFF and specify an MFF operating mode: Step: Enter system view. Command: system-view. Step: Enter VLAN view. Command: vlan vlan-id. Step: Enable MFF and specify an MFF operating mode. Command: mac-forced-forwarding { auto | default-gateway gateway-ip }. Remarks: Disabled by default. Configuring a network port Step Command...

  • Page 273: Displaying And Maintaining Mff, Mff Configuration Examples, Auto-mode Mff Configuration Example In A Tree Network

    You can specify a server’s IP address in either manual or automatic MFF mode. The server can be a DHCP server, a server providing some other service, or the real IP address of a VRRP standby group. After you specify a server’s IP address and then an ARP request from the server is received, the MFF device will search the IP-to-MAC address entries it has stored, and reply with the corresponding MAC address to the server.

  • Page 274

    Figure 84 Network diagram Configuration procedure Configure the IP address of VLAN-interface 1 on the gateway. <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 Configure the DHCP server: # Enable DHCP, and configure a DHCP address pool. <Device>...

  • Page 275: Auto-mode Mff Configuration Example In A Ring Network

    # Enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping # Enable MFF in automatic mode. [SwitchB] vlan 100 [SwitchB-vlan-100] mac-forced-forwarding auto [SwitchB-vlan-100] quit # Configure GigabitEthernet 1/0/6 as a network port. [SwitchB] interface gigabitethernet 1/0/6 [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port. [SwitchB-GigabitEthernet1/0/6] dhcp-snooping trust Auto-mode MFF configuration example in a ring network Network requirements...

  • Page 276

    # Add gateway’s IP address into DHCP address pool 1. [Device-dhcp-pool-1] gateway-list 10.1.1.100 [Device-dhcp-pool-1] quit # Configure the IP address of VLAN-interface 1. [Device] interface Vlan-interface 1 [Device-Vlan-interface1] ip address 10.1.1.50 24 Configure Switch A: # Enable DHCP snooping. <SwitchA> system-view [SwitchA] dhcp-snooping # Enable STP.

  • Page 277: Manual-mode Mff Configuration Example In A Tree Network

    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port. [SwitchB-GigabitEthernet1/0/6] dhcp-snooping trust Enable STP on Switch C. <SwitchC> system-view [SwitchC] stp enable Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure 86, all the devices are in VLAN 100.

  • Page 278: Manual-mode Mff Configuration Example In A Ring Network

    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port Configure Switch B: # Configure manual-mode MFF. [SwitchB] vlan 100 [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchB-vlan-100] arp-snooping enable [SwitchB-vlan-100] quit # Configure GigabitEthernet 1/0/6 as a network port. [SwitchB] interface gigabitethernet 1/0/6 [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port Manual-mode MFF configuration example in a ring network...

  • Page 279

    # Configure manual-mode MFF. [SwitchA] vlan 100 [SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchA-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchA-vlan-100] arp-snooping enable [SwitchA-vlan-100] quit # Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as network ports. [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port [SwitchA-GigabitEthernet1/0/2] quit...

  • Page 280: Support And Other Resources, Contacting Hp, Subscription Service, Related Information, Documents, Websites

    Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: • Product model names and numbers • Technical support registration number (if applicable) • Product serial numbers •...

  • Page 281: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown. Convention: Italic. Description: Italic text represents arguments that you replace with actual values. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional. Convention: { x | y | ... Description: Braces enclose a set of required syntax choices separated by vertical bars, from which...

  • Page 282

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 283: Index

    Index A B C D E H I M O P R S T U Configuring ARP packet source MAC address consistency check,240 AAA configuration considerations and task list,14 Configuring MFF,261 AAA configuration examples,45 Configuring password control,140 overview,1 Configuring PKI certificate verification,164 Applying a QoS policy,135...

  • Page 284

    Displaying and maintaining public keys,151 Overview,1 13 Displaying and maintaining SSH,188 Overview,255 Displaying and maintaining SSL,221 Overview,201 Displaying and maintaining TCP attack protection,223 Displaying and maintaining user profiles,136 Password control configuration example,144 Displaying or exporting the local host public key,148 Password control configuration task list,139 PKI configuration...

  • Page 285

    URPF configuration example,257 Using MAC authentication with other features,104 User profile configuration task list,134...
