H3C S5500-EI series User manual
H3C S5500-EI & S5500-SI Switch Series
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 2220
Document version: 6W100-20130527
Copyright © 2013, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H3Care, , IRF, NetPilot, Netflow,
SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of
Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5500-EI & S5500-SI documentation set includes 10 configuration guides, which describe the
software features for the H3C S5500-EI & S5500-SI Switch Series Release 2220, and guide you through
the software configuration procedures. These configuration guides also provide configuration examples
to help you apply software features to different network scenarios.
The Security Configuration Guide describes security fundamentals and configuration. It covers the
authentication features (including AAA, 802.1X, MAC authentication, portal authentication, and so on)
and attack protection features (including IP source guard, ARP attack protection, and so on).
This preface includes:
•Audience
•Added and modified features
•Conventions
•About the S5500-EI & S5500-SI documentation set
•Obtaining documentation
•Technical support
•Documentation feedback
Audience
This documentation is intended for:
•Network planners
•Field technical support and servicing engineers
•Network administrators working with the S5500-EI & S5500-SI series
Added and modified features
Compared to Release 2210, Release 2220 adds and modifies the following features:
Confi
g
uration
g
uide Added and modified features
AAA
Added features:
•Setting a DSCP value for an ISP domain. (Available only on the
S5500-EI series)
•Setting the DSCP value for RADIUS protocol packets.
•Configuring status detection for RADIUS authentication/authorization
servers
•RADIUS/HWTACACS authentication, authorization, and accounting
support ciphertext shared key configuration.
•Setting ciphertext shared keys for secure RADIUS communication.
Modified feature: Configuring a password for the local user.
Removed feature: Setting the password display mode for all local users.
802.1X
Added features:
•Configuring 802.1X critical VLAN.
•Configuring a port to send EAPOL frames untagged.
•Setting the maximum number of authentication request attempts.
•Configuring an 802.1X VLAN group.
EAD fast deployment N/A
MAC authentication
Added features:
•Configuring a MAC authentication critical VLAN.
•Configuring MAC authentication delay.
Portal
Added features:
•Configuring IPv6 portal. (Available only on the S5500-EI series)
•Setting a ciphertext shared key.
Triple authentication N/A
Port security N/A
User profile N/A
Password control Modified features: Clearing all users from the password control blacklist.
HABP N/A
Public Key N/A
PKI Added feature: Setting a ciphertext password for certificate revocation.
IPsec
Added features:
•Configuring ACL-based IPsec.
•Configuring IKE.
SSH2.0
Added features:
•Configuring the service type as SCP for SSH users.
•Configuring the device as an SCP client.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the
SSH server.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the
Stelnet client.
•Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the
SFTP client.
SSL N/A
Confi
g
uration
g
uide Added and modified features
TCP attack protection N/A
IP source guard N/A
ARP attack protection Added feature: Configuring a user validity check rule.
ND attack defense N/A
URPF N/A
SAVI Added feature: Setting the deletion delay time for SAVI.
Black list N/A
FIPS FIPS is a newly added feature.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Descri
p
tion
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Descri
p
tion
Boldface Window names, button names, field names, and menu items are in Boldface. For
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Convention Descri
p
tion
< > Button names are inside angle brackets. For example, click <OK>.
[ ] Window names, menu items, data table and field names are inside square brackets. For
Convention Descri
p
tion
example, pop up the [New User] window.
/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Convention Descri
p
tion
WARNING An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the S5500-EI & S5500-SI documentation set
The H3C S5500-EI & S5500-SI documentation set includes:
Cate
g
or
y
Documents
Pur
p
oses
Product description and
specifications
Marketing brochure Describe product specifications and benefits.
Technology white papers
Provide an in-depth description of software features
and technologies.
Hardware specifications
and installation
Compliance and safety
manual
CE DOCs
Provide regulatory information and the safety
instructions that must be followed during installation.
Quick start Guides you through initial installation and setup
procedures to help you quickly set up your device.
Installation guide Provides a complete guide to switch installation and
specifications.
PSR150-A [ PSR150-D ] Describe the specifications, installation, and
Power Modules User
Manual
replacement of hot swappable 150W power
modules.
RPS Ordering Information
for H3C Low-End Ethernet
Switches
Helps you order RPSs for switches that can work with
an RPS.
User manuals for RPSs Describe the specifications, installation, and
replacement of RPSs.
User manuals for interface
cards
Describe the specifications, installation, and
replacement of expansion interface cards.
H3C Low End Series
Ethernet Switches
Pluggable Modules
Manual
Describes the specifications of pluggable transceiver
modules.
Pluggable SFP[SFP+][XFP]
Transceiver Modules
Installation Guide
Describe the installation, and replacement of
SFP/SFP+/XFP transceiver modules.
Software configuration
Configuration guides Describe software features and configuration
procedures.
Command references Provide a quick reference to all available
commands.
Operations and
maintenance Release notes
Provide information about the product release,
including the version history, hardware and software
compatibility matrix, version upgrade information,
technical support information, and software
upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
servi[email protected]
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
i
Contents
Configuring AAA ························································································································································· 1
AAA overview ···································································································································································1
RADIUS······································································································································································2
HWTACACS ·····························································································································································7
Domain-based user management ···························································································································9
RADIUS server feature of the switch···················································································································· 10
AAA for MPLS L3VPNs (available only on the S5500-EI series)······································································ 11
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 12
FIPS compliance ····························································································································································· 15
AAA configuration considerations and task list·········································································································· 15
Configuring AAA schemes············································································································································ 16
Configuring local users········································································································································· 16
Configuring RADIUS schemes······························································································································ 21
Configuring HWTACACS schemes····················································································································· 34
Configuring AAA methods for ISP domains················································································································ 40
Configuration prerequisites ·································································································································· 40
Creating an ISP domain ······································································································································· 41
Configuring ISP domain attributes······················································································································· 41
Configuring AAA authentication methods for an ISP domain·········································································· 42
Configuring AAA authorization methods for an ISP domain ··········································································· 44
Configuring AAA accounting methods for an ISP domain ··············································································· 45
Tearing down user connections···································································································································· 47
Configuring a NAS ID-VLAN binding·························································································································· 47
Specifying the device ID used in stateful failover mode (available only on the S5500-EI series)························· 48
Configuring a switch as a RADIUS server··················································································································· 48
RADIUS server functions configuration task list ·································································································· 48
Configuring a RADIUS user·································································································································· 48
Specifying a RADIUS client ·································································································································· 49
Displaying and maintaining AAA ································································································································ 49
AAA configuration examples········································································································································ 50
AAA for Telnet users by an HWTACACS server ······························································································· 50
AAA for Telnet users by separate servers··········································································································· 51
Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 52
AAA for portal users by a RADIUS server ·········································································································· 56
AAA for 802.1X users by a RADIUS server ······································································································· 65
Level switching authentication for Telnet users by an HWTACACS server····················································· 71
RADIUS authentication and authorization for Telnet users by a switch··························································· 74
Troubleshooting AAA ···················································································································································· 76
Troubleshooting RADIUS······································································································································· 76
Troubleshooting HWTACACS······························································································································ 77
802.1X overview ·······················································································································································78
802.1X architecture······················································································································································· 78
Controlled/uncontrolled port and port authorization status······················································································ 78
802.1X-related protocols ·············································································································································· 79
Packet formats························································································································································ 80
EAP over RADIUS ·················································································································································· 81
Initiating 802.1X authentication··································································································································· 81
ii
802.1X client as the initiator································································································································ 81
Access device as the initiator······························································································································· 82
802.1X authentication procedures ······························································································································ 82
A comparison of EAP relay and EAP termination······························································································ 83
EAP relay································································································································································ 83
EAP termination ····················································································································································· 86
Configuring 802.1X ··················································································································································87
H3C implementation of 802.1X··································································································································· 87
Access control methods ········································································································································ 87
Using 802.1X authentication with other features ······························································································ 87
Configuration prerequisites··········································································································································· 92
802.1X configuration task list······································································································································· 93
Enabling 802.1X···························································································································································· 93
Configuration guidelines ······································································································································ 93
Configuration procedure ······································································································································ 94
Enabling EAP relay or EAP termination ······················································································································· 94
Setting the port authorization state ······························································································································ 95
Specifying an access control method ·························································································································· 95
Setting the maximum number of concurrent 802.1X users on a port······································································· 96
Setting the maximum number of authentication request attempts ············································································· 96
Setting the 802.1X authentication timeout timers······································································································· 97
Configuring the online user handshake function ········································································································ 97
Configuration guidelines ······································································································································ 97
Configuration procedure ······································································································································ 98
Configuring the authentication trigger function ·········································································································· 98
Configuration guidelines ······································································································································ 98
Configuration procedure ······································································································································ 99
Specifying a mandatory authentication domain on a port························································································ 99
Configuring the quiet timer ··········································································································································· 99
Enabling the periodic online user re-authentication function···················································································100
Configuration guidelines ····································································································································100
Configuration procedure ····································································································································100
Configuring a port to send EAPOL frames untagged·······························································································101
Setting the maximum number of 802.1X authentication attempts for MAC authentication users·······················101
Configuring a VLAN group·········································································································································101
Configuring an 802.1X guest VLAN ·························································································································102
Configuration guidelines ····································································································································102
Configuration prerequisites ································································································································103
Configuration procedure ····································································································································103
Configuring an 802.1X Auth-Fail VLAN····················································································································103
Configuration guidelines ····································································································································103
Configuration prerequisites ································································································································104
Configuration procedure ····································································································································104
Configuring an 802.1X critical VLAN ·······················································································································104
Configuration guidelines ····································································································································104
Configuration prerequisites ································································································································105
Configuration procedure ····································································································································105
Specifying supported domain name delimiters·········································································································105
Displaying and maintaining 802.1X ·························································································································106
802.1X authentication configuration example ·········································································································106
Network requirements·········································································································································106
Configuration procedure ····································································································································107
Verifying the configuration·································································································································108
802.1X with guest VLAN and VLAN assignment configuration example ·····························································109
iii
Network requirements·········································································································································109
Configuration procedure ····································································································································110
Verifying the configuration·································································································································111
802.1X with ACL assignment configuration example ·····························································································111
Network requirements·········································································································································111
Configuration procedure ····································································································································112
Verifying the configuration·································································································································112
Configuring EAD fast deployment ························································································································· 114
Overview·······································································································································································114
Free IP···································································································································································114
URL redirection·····················································································································································114
Configuration prerequisites·········································································································································114
Configuring a free IP ···················································································································································114
Configuring the redirect URL·······································································································································115
Setting the EAD rule timer ···········································································································································115
Displaying and maintaining EAD fast deployment···································································································115
EAD fast deployment configuration example············································································································116
Network requirements·········································································································································116
Configuration procedure ····································································································································117
Verifying the configuration·································································································································117
Troubleshooting EAD fast deployment·······················································································································118
Web browser users cannot be correctly redirected ························································································118
Configuring MAC authentication··························································································································· 119
Overview·······································································································································································119
User account policies··········································································································································119
Authentication approaches ································································································································119
MAC authentication timers·································································································································120
Using MAC authentication with other features ·········································································································120
VLAN assignment ················································································································································120
ACL assignment ···················································································································································120
Guest VLAN ·························································································································································120
Critical VLAN·······················································································································································121
Configuration task list ··················································································································································121
Basic configuration for MAC authentication·············································································································121
Configuring MAC authentication globally········································································································122
Configuring MAC authentication on a port ·····································································································122
Specifying a MAC authentication domain················································································································123
Configuring a MAC authentication guest VLAN ······································································································123
Configuring a MAC authentication critical VLAN····································································································124
Configuring MAC authentication delay·····················································································································125
Displaying and maintaining MAC authentication ····································································································125
MAC authentication configuration examples············································································································126
Local MAC authentication configuration example···························································································126
RADIUS-based MAC authentication configuration example···········································································127
ACL assignment configuration example············································································································129
Configuring portal authentication·························································································································· 132
Overview·······································································································································································132
Extended portal functions ···································································································································132
Portal system components···································································································································132
Portal system using the local portal server········································································································134
Portal authentication modes ·······························································································································135
Portal support for EAP (available only on the S5500-EI series) ·····································································136
Layer 2 portal authentication process ···············································································································137
iv
Layer 3 portal authentication process (available only on the S5500-EI series)············································138
Portal stateful failover (available only on the S5500-EI series) ······································································141
Portal authentication across VPNs (available only on the S5500-EI series) ·················································143
Portal configuration task list ········································································································································143
Configuration prerequisites·········································································································································145
Specifying the portal server ········································································································································145
Specifying the local portal server for Layer 2 portal authentication······························································145
Specifying a portal server for Layer 3 portal authentication (available only on the S5500-EI series)·······146
Configuring the local portal server ····························································································································146
Customizing authentication pages ····················································································································147
Configuring the local portal server····················································································································150
Enabling portal authentication····································································································································150
Enabling Layer 2 portal authentication·············································································································150
Enabling Layer 3 portal authentication (available only on the S5500-EI series) ·········································151
Controlling access of portal users ······························································································································152
Configuring a portal-free rule·····························································································································152
Configuring an authentication source subnet (available only on the S5500-EI series) ·······························153
Setting the maximum number of online portal users························································································154
Specifying an authentication domain for portal users·····················································································154
Configuring Layer 2 portal authentication to support Web proxy·································································155
Enabling support for portal user moving ··········································································································155
Specifying an Auth-Fail VLAN for portal authentication ··························································································156
Configuring RADIUS related attributes ······················································································································156
Specifying NAS-Port-Type for an interface ·······································································································156
Specifying a NAS ID profile for an interface ···································································································157
Specifying a source IP address for outgoing portal packets (available only on the S5500-EI series)················158
Configuring portal stateful failover (available only on the S5500-EI series) ·························································158
Specifying an auto redirection URL for authenticated portal users·········································································160
Configuring portal detection functions·······················································································································160
Configuring online Layer 2 portal user detection ····························································································160
Configuring the portal server detection function (available only on the S5500-EI series) ··························161
Configuring portal user information synchronization (available only on the S5500-EI series) ··················162
Logging off portal users···············································································································································163
Displaying and maintaining portal ····························································································································163
Portal configuration examples ····································································································································164
Configuring direct portal authentication···········································································································164
Configuring re-DHCP portal authentication······································································································169
Configuring cross-subnet portal authentication ································································································171
Configuring direct portal authentication with extended functions··································································173
Configuring re-DHCP portal authentication with extended functions ····························································175
Configuring cross-subnet portal authentication with extended functions·······················································177
Configuring portal stateful failover····················································································································179
Configuring portal server detection and portal user information synchronization·······································187
Configuring Layer 2 portal authentication········································································································192
Troubleshooting portal·················································································································································196
Inconsistent keys on the access device and the portal server·········································································196
Incorrect server port number on the access device··························································································196
Configuring triple authentication ··························································································································· 198
Overview·······································································································································································198
Triple authentication mechanism ·······················································································································198
Using triple authentication with other features ·································································································199
Configuring triple authentication································································································································199
Triple authentication configuration examples ···········································································································200
Triple authentication basic function configuration example ···········································································200
v
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ··············202
Configuring port security········································································································································ 208
Overview·······································································································································································208
Port security features ···········································································································································208
Port security modes ·············································································································································208
Working with guest VLAN and Auth-Fail VLAN ······························································································211
Configuration task list ··················································································································································211
Enabling port security ··················································································································································212
Setting port security's limit on the number of MAC addresses on a port·······························································212
Setting the port security mode ····································································································································213
Configuration prerequisites ································································································································213
Configuration procedure ····································································································································213
Configuring port security features ······························································································································214
Configuring NTK ·················································································································································214
Configuring intrusion protection ························································································································214
Enabling port security traps································································································································215
Configuring secure MAC addresses ··························································································································215
Configuration prerequisites ································································································································216
Configuration procedure ····································································································································216
Ignoring authorization information ····························································································································217
Displaying and maintaining port security··················································································································217
Port security configuration examples ·························································································································218
Configuring the autoLearn mode·······················································································································218
Configuring the userLoginWithOUI mode ········································································································220
Configuring the macAddressElseUserLoginSecure mode················································································225
Troubleshooting port security······································································································································227
Cannot set the port security mode·····················································································································227
Cannot configure secure MAC addresses ········································································································228
Cannot change port security mode when a user is online··············································································228
Configuring a user profile ······································································································································ 230
Overview·······································································································································································230
User profile configuration task list······························································································································230
Creating a user profile ················································································································································230
Applying a QoS policy ···············································································································································231
Enabling a user profile ················································································································································231
Displaying and maintaining user profiles··················································································································232
Configuring password control································································································································ 233
Overview·······································································································································································233
FIPS compliance ···························································································································································235
Password control configuration task list·····················································································································236
Configuring password control ····································································································································236
Enabling password control·································································································································236
Setting global password control parameters····································································································237
Setting user group password control parameters ····························································································238
Setting local user password control parameters ······························································································239
Setting super password control parameters ·····································································································240
Setting a local user password in interactive mode ··························································································240
Displaying and maintaining password control ·········································································································240
Password control configuration example ··················································································································241
Configuring HABP··················································································································································· 244
Overview·······································································································································································244
Configuring HABP························································································································································245
vi
Configuring the HABP server ·····························································································································245
Configuring an HABP client ·······························································································································245
Displaying and maintaining HABP·····························································································································246
HABP configuration example······································································································································246
Managing public keys············································································································································ 249
Overview·······································································································································································249
FIPS compliance ···························································································································································249
Configuration task list ··················································································································································250
Creating a local asymmetric key pair························································································································250
Displaying or exporting the local host public key ····································································································251
Destroying a local asymmetric key pair ····················································································································252
Specifying the peer public key on the local device··································································································252
Displaying and maintaining public keys ···················································································································253
Public key configuration examples·····························································································································254
Manually specifying the peer public key on the local device ········································································254
Importing a peer public key from a public key file··························································································256
Configuring PKI ······················································································································································· 259
Overview·······································································································································································259
PKI terms·······························································································································································259
PKI architecture····················································································································································260
PKI operation ·······················································································································································260
PKI applications ···················································································································································261
PKI configuration task list ············································································································································261
Configuring an entity DN············································································································································262
Configuring a PKI domain···········································································································································263
Configuration guidelines ····································································································································264
Configuration procedure ····································································································································264
Submitting a PKI certificate request····························································································································264
Submitting a certificate request in auto mode··································································································265
Submitting a certificate request in manual mode·····························································································265
Retrieving a certificate manually ································································································································266
Configuration guidelines ····································································································································266
Configuration procedure ····································································································································267
Configuring PKI certificate verification ······················································································································267
Configuration guidelines ····································································································································267
Configuring CRL-checking-enabled PKI certificate verification ·······································································267
Configuring CRL-checking-disabled PKI certificate verification ······································································268
Destroying a local RSA key pair ································································································································268
Deleting a certificate····················································································································································269
Configuring an access control policy ························································································································269
Displaying and maintaining PKI ·································································································································269
PKI configuration examples·········································································································································270
Certificate request from an RSA Keon CA server ····························································································270
Certificate request from a Windows 2003 CA server ····················································································273
Certificate attribute access control policy configuration example ·································································276
Troubleshooting PKI ·····················································································································································278
Failed to retrieve a CA certificate······················································································································278
Failed to request a local certificate ···················································································································278
Failed to retrieve CRLs ········································································································································279
Configuring IPsec ···················································································································································· 280
Overview·······································································································································································280
Basic concepts ·····················································································································································280
IPsec for IPv6 routing protocols··························································································································283
vii
Protocols and standards ·····································································································································283
FIPS compliance ···························································································································································283
Configuring IPsec ·························································································································································283
Implementing ACL-based IPsec ···································································································································283
Feature restrictions and guidelines ····················································································································284
ACL-based IPsec configuration task list ·············································································································284
Configuring ACLs ················································································································································284
Configuring an IPsec proposal ··························································································································286
Configuring an IPsec policy ·······························································································································287
Applying an IPsec policy group to an interface·······························································································291
Configuring the IPsec session idle timeout········································································································291
Enabling ACL checking of de-encapsulated IPsec packets ·············································································292
Configuring the IPsec anti-replay function ········································································································292
Configuring packet information pre-extraction ································································································293
Configuring IPsec for IPv6 routing protocols·············································································································293
Displaying and maintaining IPsec······························································································································294
IPsec configuration examples······································································································································294
IKE-based IPsec tunnel for IPv4 packets configuration example·····································································294
IPsec for RIPng configuration example··············································································································297
Configuring IKE······················································································································································· 301
Overview·······································································································································································301
IKE security mechanism·······································································································································301
IKE operation ·······················································································································································301
IKE functions·························································································································································302
Relationship between IKE and IPsec··················································································································303
Protocols and standards ·····································································································································303
IKE configuration task list ············································································································································303
Configuring a name for the local security gateway·································································································304
Configuring an IKE proposal ······································································································································304
Configuring an IKE peer··············································································································································305
Setting keepalive timers···············································································································································307
Setting the NAT keepalive timer·································································································································307
Configuring a DPD detector········································································································································308
Disabling next payload field checking ······················································································································308
Displaying and maintaining IKE·································································································································309
IKE configuration example ··········································································································································309
Troubleshooting IKE ·····················································································································································312
Invalid user ID······················································································································································312
Proposal mismatch ··············································································································································312
Failing to establish an IPsec tunnel····················································································································313
ACL configuration error ······································································································································313
Configuring SSH2.0 ··············································································································································· 314
Overview·······································································································································································314
SSH operation ·····················································································································································314
SSH connection across VPNs (Available only on the S5500-EI series)·························································316
FIPS compliance ···························································································································································317
Configuring the switch as an SSH server ··················································································································317
SSH server configuration task list ······················································································································317
Generating DSA or RSA key pairs ····················································································································317
Enabling the SSH server function·······················································································································318
Configuring the user interfaces for SSH clients································································································318
Configuring a client public key··························································································································319
Configuring an SSH user····································································································································320
viii
Setting the SSH management parameters ········································································································321
Setting the DSCP value for packets sent by the SSH server············································································322
Configuring the switch as an SSH client ···················································································································322
SSH client configuration task list························································································································322
Specifying a source IP address/interface for the SSH client ··········································································323
Configuring whether first-time authentication is supported·············································································323
Establishing a connection between the SSH client and server ·······································································324
Setting the DSCP value for packets sent by the SSH client ·············································································325
Displaying and maintaining SSH ·······························································································································325
SSH server configuration examples ···························································································································326
When the switch acts as a server for password authentication ·····································································326
When the switch acts as a server for publickey authentication ·····································································328
SSH client configuration examples·····························································································································333
When switch acts as client for password authentication ················································································333
When switch acts as client for publickey authentication ················································································336
Configuring SFTP····················································································································································· 339
Overview·······································································································································································339
FIPS compliance ···························································································································································339
Configuring the switch as an SFTP server ·················································································································339
Enabling the SFTP server ····································································································································339
Configuring the SFTP connection idle timeout period ·····················································································340
Configuring the switch as an SFTP client···················································································································340
Specifying a source IP address or interface for the SFTP client······································································340
Establishing a connection to the SFTP server····································································································340
Working with SFTP directories···························································································································341
Working with SFTP files······································································································································342
Displaying help information ·······························································································································343
Terminating the connection to the remote SFTP server ····················································································343
Setting the DSCP value for packets sent by the SFTP client ············································································343
SFTP client configuration example ·····························································································································344
SFTP server configuration example ····························································································································347
Configuring SCP······················································································································································ 350
Overview·······································································································································································350
FIPS compliance ···························································································································································350
Configuring the switch as an SCP server ··················································································································350
Configuring the switch as the SCP client···················································································································351
SCP client configuration example······················································································································352
SCP server configuration example ····················································································································353
Configuring SSL······················································································································································· 355
Overview·······································································································································································355
SSL security mechanism ······································································································································355
SSL protocol stack ···············································································································································355
FIPS compliance ···························································································································································356
Configuration task list ··················································································································································356
Configuring an SSL server policy ·······························································································································356
SSL server policy configuration example ··········································································································358
Configuring an SSL client policy ································································································································360
Displaying and maintaining SSL·································································································································360
Troubleshooting SSL·····················································································································································361
Configuring TCP attack protection························································································································· 362
Overview·······································································································································································362
Enabling the SYN Cookie feature ······························································································································362
ix
Displaying and maintaining TCP attack protection ··································································································362
Configuring IP source guard ·································································································································· 364
Overview·······································································································································································364
Static IP source guard entries·····························································································································364
Dynamic IP source guard entries ·······················································································································365
Configuration task list ··················································································································································365
Configuring the IPv4 source guard function··············································································································366
Configuring IPv4 source guard on a port·········································································································366
Configuring a static IPv4 source guard entry···································································································367
Setting the maximum number of IPv4 source guard entries············································································368
Configuring the IPv6 source guard function··············································································································368
Configuring IPv6 source guard on a port·········································································································368
Configuring a static IPv6 source guard entry···································································································369
Setting the maximum number of IPv6 source guard entries············································································370
Displaying and maintaining IP source guard············································································································371
IP source guard configuration examples ···················································································································371
Static IPv4 source guard configuration example ·····························································································371
Dynamic IPv4 source guard using DHCP snooping configuration example·················································373
Dynamic IPv4 source guard using DHCP relay configuration example ························································375
Static IPv6 source guard configuration example ·····························································································376
Dynamic IPv6 source guard using DHCPv6 snooping configuration example·············································376
Dynamic IPv6 source guard using ND snooping configuration example ·····················································378
Global static IP source guard configuration example ·····················································································379
Troubleshooting IP source guard ································································································································380
Configuring ARP attack protection························································································································· 381
Overview·······································································································································································381
ARP attack protection configuration task list ·············································································································381
Configuring ARP defense against IP packet attacks·································································································382
Configuring ARP source suppression ················································································································382
Enabling ARP black hole routing ·······················································································································383
Displaying and maintaining ARP defense against IP packet attacks·····························································383
Configuration example ·······································································································································383
Configuring ARP packet rate limit ······························································································································384
Introduction ··························································································································································384
Configuration procedure ····································································································································385
Configuring source MAC address based ARP attack detection ·············································································386
Configuration procedure ····································································································································386
Displaying and maintaining source MAC address based ARP attack detection··········································386
Configuration example ·······································································································································387
Configuring ARP packet source MAC address consistency check ·········································································388
Introduction ··························································································································································388
Configuration procedure ····································································································································388
Configuring ARP active acknowledgement ···············································································································388
Introduction ··························································································································································388
Configuration procedure ····································································································································388
Configuring ARP detection··········································································································································389
Introduction ··························································································································································389
Configuring user validity check ·························································································································389
Configuring ARP packet validity check·············································································································390
Configuring ARP restricted forwarding ·············································································································391
Displaying and maintaining ARP detection ······································································································391
User validity check configuration example·······································································································392
User validity check and ARP packet validity check configuration example··················································393
x
ARP restricted forwarding configuration example ···························································································394
Configuring ARP automatic scanning and fixed ARP·······························································································396
Configuration guidelines ····································································································································396
Configuration procedure ····································································································································397
Configuring ARP gateway protection ························································································································397
Configuration guidelines ····································································································································397
Configuration procedure ····································································································································397
Configuration example ·······································································································································398
Configuring ARP filtering·············································································································································398
Configuration guidelines ····································································································································399
Configuration procedure ····································································································································399
Configuration example ·······································································································································399
Configuring ND attack defense ····························································································································· 401
Overview·······································································································································································401
Enabling source MAC consistency check for ND packets·······················································································402
Configuring the ND detection function······················································································································402
Introduction to ND detection ······························································································································402
Configuration guidelines ····································································································································403
Configuration procedure ····································································································································403
Displaying and maintaining ND detection·······································································································403
ND detection configuration example·························································································································404
Network requirements·········································································································································404
Configuration procedure ····································································································································404
Configuring URPF···················································································································································· 406
Overview·······································································································································································406
URPF check modes ··············································································································································406
How URPF works ·················································································································································406
Network application ···········································································································································409
Configuring URPF·························································································································································409
URPF configuration example·······································································································································409
Configuring SAVI ···················································································································································· 411
Overview·······································································································································································411
Configuring global SAVI ·············································································································································411
SAVI configuration in DHCPv6-only address assignment scenario ········································································412
Network requirements·········································································································································412
Configuration considerations ·····························································································································412
Packet check principles·······································································································································413
Configuration procedure ····································································································································413
SAVI configuration in SLAAC-only address assignment scenario···········································································414
Network requirements·········································································································································414
Configuration considerations ·····························································································································414
Packet check principles·······································································································································415
Configuration procedure ····································································································································415
SAVI configuration in DHCPv6+SLAAC address assignment scenario··································································416
Network requirements·········································································································································416
Configuration considerations ·····························································································································416
Packet check principles·······································································································································417
Configuration procedure ····································································································································417
Configuring blacklist··············································································································································· 419
Overview·······································································································································································419
Configuring the blacklist feature·································································································································419
Displaying and maintaining the blacklist ··················································································································419
xi
Blacklist configuration example··································································································································420
Network requirements·········································································································································420
Configuration procedure ····································································································································420
Verifying the configuration·································································································································420
Configuring FIPS······················································································································································ 422
Overview·······································································································································································422
FIPS self-tests ·································································································································································422
Power-up self-test ·················································································································································422
Conditional self-tests············································································································································422
Triggering a self-test ············································································································································422
Configuration procedure·············································································································································423
Enabling the FIPS mode······································································································································423
Triggering a self-test ············································································································································424
Displaying and maintaining FIPS ·······························································································································424
FIPS configuration example·········································································································································424
Network requirements·········································································································································424
Configuration procedure ····································································································································424
Verifying the configuration·································································································································425
Index ········································································································································································ 427
1
Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It can provide the following security functions:
•Authentication—Identifies users and determines whether a user is valid.
•Authorization—Grants different users different rights and controls their access to resources and
services. For example, a user who has successfully logged in to the switch can be granted read and
print permissions to the files on the switch.
•Accounting—Records all user network service usage information, including the service type, start
time, and traffic. The accounting function not only provides the information required for charging,
but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS), which is
also referred to as the access device. The server maintains user information centrally. In an AAA network,
a NAS is a server for users but a client for the AAA servers. See Figure 1.
Figure 1 Network diagram
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, configure an
authentication server. If network usage information is needed, you must also configure an accounting
server.
AAA can be implemented through multiple protocols. The switch supports using RADIUS and
HWTACACS. RADIUS is often used in practice.
Other manuals for S5500-EI series
22
This manual suits for next models
1
Table of contents
Other H3C Switch manuals
H3C
H3C S5560-EI series User manual
H3C
H3C H3C S7500E-X Quick guide
H3C
H3C S3100V3-EI Series User manual
H3C
H3C S3100-26T P-EI-W User manual
H3C
H3C S5500-28C-EI-DC User manual
H3C
H3C H3C S7500E Series Operating and maintenance manual
H3C
H3C S7500 Series User manual
H3C
H3C s5820x series Installation manual
H3C
H3C S9500 Series User manual
H3C
H3C S6800-4C Operating and maintenance manual
H3C
H3C S5120V3-EI Series User manual
H3C
H3C S10500 Series User manual
H3C
H3C S9500E Series User manual
H3C
H3C S3610 Series User manual
H3C
H3C S3100 Series User manual
H3C
H3C S7500E-XS Series User manual
H3C
H3C S5120-EI Series User manual
H3C
H3C S9500 Series User manual
H3C
H3C S5120-SI Series User manual
H3C
H3C S9500 Series User manual
Popular Switch manuals by other brands
Generac Power Systems
Generac Power Systems 004945-1 owner's manual
NETGEAR
NETGEAR 748TP Hardware installation guide
Western Telematic
Western Telematic AFS-16-1 user guide
MaxiiNet
MaxiiNet Vi30005 installation manual
StarTech.com
StarTech.com SV231DVIUAHR instruction manual
Flowserve
Flowserve UltraSwitch PMV DS User instructions