Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 251

Configuring ARP detection, Introduction, Configuring user validity check, Configuration guideliens

Add to My Manuals
Save this manual to your list of manuals

Page 251 highlights

Step 2. Enable the ARP active acknowledgement function. Command Remarks arp anti-attack active-ack enable Disabled by default Configuring ARP detection Introduction ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions. If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. ARP detection does not check ARP packets received from ARP trusted ports. Configuring user validity check This feature enables a device to check user validity as follows: 1. Upon receiving an ARP packet from an ARP untrusted interface, the device checks the packet against the configured rules. If a match is found, the ARP packet is processed according to the matching rule. If no match is found, the device checks the packet against static IP Source Guard binding entries 2. The device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses. 3. If a match is found from those entries, the ARP packet is considered valid and is forwarded. (For a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must be an OUI MAC address and the voice VLAN must be enabled.) 4. If no match is found, the ARP packet is considered invalid and is discarded. For more information about voice VLANs and OUI MAC addresses, see Layer 2-LAN Switching Configuration Guide. Configuration guideliens Follow these guidelines when you configure user validity check: • Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard." • Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3-IP Services Configuration Guide. • 802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see "Configuring 802.1X." 241

Section	Page
Title Page	1
Security Configuration Guide	3
Configuring AAA	11
AAA overview	11
RADIUS	12
Client/server model	12
Security and authentication mechanisms	12
Basic RADIUS message exchange process	12
RADIUS packet format	13
Extended RADIUS attributes	16
HWTACACS	17
Differences between HWTACACS and RADIUS	17
Basic HWTACACS message exchange process	17
Domain-based user management	19
AAA for MPLS L3VPNs	20
Protocols and standards	20
RADIUS attributes	21
Commonly used standard RADIUS attributes	21
HP proprietary RADIUS sub-attributes	22
AAA configuration considerations and task list	24
Configuring AAA schemes	25
Configuring local users	25
Local user configuration task list	26
Configuring local user attributes	26
Configuring user group attributes	28
Displaying and maintaining local users and local user groups	29
Configuring RADIUS schemes	30
RADIUS scheme configuration task list	30
Creating a RADIUS scheme	30
Specifying the RADIUS authentication/authorization servers	31
Specifying the RADIUS accounting servers and the relevant parameters	31
Specifying the shared keys for secure RADIUS communication	33
Specifying the VPN to which the servers belong	33
Setting the username format and traffic statistics units	33
Setting the supported RADIUS server type	34
Setting the maximum number of RADIUS request transmission attempts	34
Setting the status of RADIUS servers	35
Specifying the source IP address for outgoing RADIUS packets	36
Setting timers for controlling communication with RADIUS servers	37
Configuring RADIUS accounting-on	38
Configuring the IP address of the security policy server	39
Configuring interpretation of RADIUS class attribute as CAR parameters	39
Enabling the trap function for RADIUS	40
Enabling the RADIUS listening port of the RADIUS client	40
Setting the DSCP value for RADIUS protocol packets	40
Displaying and maintaining RADIUS	41
Configuring HWTACACS schemes	41
HWTACACS configuration task list	41
Creating an HWTACACS scheme	42
Specifying the HWTACACS authentication servers	42
Specifying the HWTACACS authorization servers	43
Specifying the HWTACACS accounting servers and the relevant parameters	43
Specifying the shared keys for secure HWTACACS communication	44
Specifying the VPN to which the servers belong	45
Setting the username format and traffic statistics units	45
Specifying a source IP address for outgoing HWTACACS packets	46
Setting timers for controlling communication with HWTACACS servers	47
Displaying and maintaining HWTACACS	47
Configuring AAA methods for ISP domains	48
Configuration prerequisites	48
Creating an ISP domain	48
Configuring ISP domain attributes	49
Configuring AAA authentication methods for an ISP domain	50
Configuring AAA authorization methods for an ISP domain	52
Configuring AAA accounting methods for an ISP domain	53
Tearing down user connections	54
Configuring a NAS ID-VLAN binding	55
Displaying and maintaining AAA	55
AAA configuration examples	55
AAA for Telnet users by an HWTACACS server	55
Network requirements	55
Configuration procedure	56
AAA for Telnet users by separate servers	57
Network requirements	57
Configuration procedure	57
Authentication/authorization for SSH/Telnet users by a RADIUS server	58
Network requirements	58
Configuring the RADIUS server	58
Configuring the switch	60
Verifying the configuration	61
AAA for 802.1X users by a RADIUS server	61
Network requirements	61
Configuration prerequisites	62
Configuring the RADIUS server	62
Configuring the switch	66
Verifying the configuration	67
Level switching authentication for Telnet users by an HWTACACS server	68
Network requirements	68
Configuration considerations	68
Configuration procedure	68
RADIUS authentication and authorization for Telnet users by a switch	71
Network requirements	71
Configuration procedure	72
Troubleshooting AAA	73
Troubleshooting RADIUS	73
Symptom 1	73
Analysis	73
Solution	73
Symptom 2	73
Analysis	74
Solution	74
Symptom 3	74
Analysis	74
Solution	74
Troubleshooting HWTACACS	74
802.1X overview	75
802.1X architecture	75
Controlled/uncontrolled port and port authorization status	75
802.1X-related protocols	76
Packet formats	77
EAP packet format	77
EAPOL packet format	77
EAP over RADIUS	78
EAP-Message	78
Message-Authenticator	78
Initiating 802.1X authentication	78
802.1X client as the initiator	78
Access device as the initiator	79
802.1X authentication procedures	79
A comparison of EAP relay and EAP termination	80
EAP relay	80
EAP termination	83
Configuring 802.1X	84
HP implementation of 802.1X	84
Access control methods	84
Using 802.1X authentication with other features	84
VLAN assignment	84
Guest VLAN	85
Auth-Fail VLAN	86
Critical VLAN	87
ACL assignment	89
Configuration prerequisites	89
802.1X configuration task list	89
Enabling 802.1X	90
Configuration guidelines	90
Configuration procedure	90
Enabling EAP relay or EAP termination	90
Setting the port authorization state	91
Specifying an access control method	92
Setting the maximum number of concurrent 802.1X users on a port	92
Setting the maximum number of authentication request attempts	92
Setting the 802.1X authentication timeout timers	93
Configuring the online user handshake function	93
Configuration guidelines	94
Configuration procedure	94
Configuring the authentication trigger function	94
Configuration guidelines	94
Configuration procedure	95
Specifying a mandatory authentication domain on a port	95
Configuring the quiet timer	95
Enabling the periodic online user re-authentication function	96
Configuration guidelines	96
Configuration procedure	96
Configuring an 802.1X guest VLAN	97
Configuration guidelines	97
Configuration prerequisites	97
Configuration procedure	97
Configuring an 802.1X Auth-Fail VLAN	98
Configuration guidelines	98
Configuration prerequisites	98
Configuration procedure	98
Configuring an 802.1X critical VLAN	99
Configuration guidelines	99
Configuration prerequisites	99
Configuration procedure	99
Specifying supported domain name delimiters	100
Displaying and maintaining 802.1X	100
802.1X authentication configuration example	100
Network requirements	100
Configuration procedure	101
Verifying the configuration	103
802.1X with guest VLAN and VLAN assignment configuration example	103
Network requirements	103
Configuration procedure	104
Verifying the configuration	105
802.1X with ACL assignment configuration example	106
Network requirements	106
Configuration procedure	106
Verifying the configuration	107
Configuring EAD fast deployment	108
Overview	108
Free IP	108
URL redirection	108
Configuration prerequisites	108
Configuring a free IP	108
Configuring the redirect URL	109
Setting the EAD rule timer	109
Displaying and maintaining EAD fast deployment	109
EAD fast deployment configuration example	110
Network requirements	110
Configuration procedure	111
Verifying the configuration	111
Troubleshooting EAD fast deployment	112
Web browser users cannot be correctly redirected	112
Symptom	112
Analysis	112
Solution	112
Configuring MAC authentication	113
Overview	113
User account policies	113
Authentication approaches	113
MAC authentication timers	114
Using MAC authentication with other features	114
VLAN assignment	114
ACL assignment	114
Configuration task list	114
Basic configuration for MAC authentication	115
Configuring MAC authentication globally	115
Configuring MAC authentication on a port	115
Specifying a MAC authentication domain	116
Displaying and maintaining MAC authentication	116
MAC authentication configuration examples	117
Local MAC authentication configuration example	117
Network requirements	117
Configuration procedure	117
Verifying the configuration	118
RADIUS-based MAC authentication configuration example	118
Network requirements	118
Configuration procedure	119
Verifying the configuration	120
ACL assignment configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	122
Configuring port security	123
Overview	123
Port security features	123
NTK	123
Intrusion protection	123
Port security traps	123
Port security modes	123
Controlling MAC address learning	125
Performing 802.1X authentication	125
Performing MAC authentication	125
Performing a combination of MAC authentication and 802.1X authentication	125
Working with guest VLAN and Auth-Fail VLAN	126
Configuration task list	126
Enabling port security	126
Setting port security's limit on the number of MAC addresses on a port	127
Setting the port security mode	127
Configuration prerequisites	128
Configuration procedure	128
Configuring port security features	128
Configuring NTK	128
Configuring intrusion protection	129
Enabling port security traps	129
Configuring secure MAC addresses	130
Configuration prerequisites	131
Configuration procedure	131
Ignoring authorization information	132
Displaying and maintaining port security	132
Port security configuration examples	133
Configuring the autoLearn mode	133
Network requirements	133
Configuration procedure	133
Verifying the configuration	133
Configuring the userLoginWithOUI mode	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	136
Configuring the macAddressElseUserLoginSecure mode	139
Network requirements	139
Configuration procedure	139
Verifying the configuration	140
Troubleshooting port security	142
Cannot set the port security mode	142
Symptom	142
Analysis	142
Solution	142
Cannot configure secure MAC addresses	142
Symptom	142
Analysis	143
Solution	143
Cannot change port security mode when a user is online	143
Symptom	143
Analysis	143
Solution	143
Configuring a user profile	144
Overview	144
User profile configuration task list	144
Creating a user profile	144
Applying a QoS policy	145
Enabling a user profile	145
Displaying and maintaining user profiles	146
Configuring password control	147
Overview	147
Password control configuration task list	149
Configuring password control	150
Enabling password control	150
Setting global password control parameters	151
Setting user group password control parameters	152
Setting local user password control parameters	152
Setting super password control parameters	153
Setting a local user password in interactive mode	154
Displaying and maintaining password control	154
Password control configuration example	154
Network requirements	154
Configuration procedure	155
Verifying the configuration	156
Managing public keys	157
Overview	157
Configuration task list	157
Creating a local asymmetric key pair	158
Displaying or exporting the local host public key	158
Displaying and recording the host public key information	159
Displaying the host public key in a specific format and saving it to a file	159
Exporting the host public key in a specific format to a file	159
Destroying a local asymmetric key pair	160
Specifying the peer public key on the local device	160
Displaying and maintaining public keys	161
Public key configuration examples	161
Manually specifying the peer public key on the local device	161
Network requirements	161
Configuration procedure	161
Importing a peer public key from a public key file	163
Network requirements	163
Configuration procedure	163
Configuring PKI	166
Overview	166
PKI terms	166
PKI architecture	167
PKI operation	167
PKI applications	168
PKI configuration task list	168
Configuring an entity DN	169
Configuring a PKI domain	170
Configuration guidelines	171
Configuration procedure	171
Submitting a PKI certificate request	171
Submitting a certificate request in auto mode	172
Submitting a certificate request in manual mode	172
Configuration guidelines	172
Configuration procedure	173
Retrieving a certificate manually	173
Configuration guidelines	173
Configuration procedure	174
Configuring PKI certificate verification	174
Configuration guidelines	174
Configuring CRL-checking-enabled PKI certificate verification	174
Configuring CRL-checking-disabled PKI certificate verification	175
Destroying a local RSA key pair	175
Deleting a certificate	176
Configuring an access control policy	176
Displaying and maintaining PKI	176
PKI configuration examples	177
Certificate request from an RSA Keon CA server	177
Network requirements	177
Configuring the CA server	177
Configuring the switch	178
Verifying the configuration	179
Certificate request from a Windows 2003 CA server	180
Network requirements	180
Configuring the CA server	180
Configuring the switch	181
Verifying the configuration	182
Certificate attribute access control policy configuration example	183
Network requirements	183
Configuration procedure	184
Troubleshooting PKI	185
Failed to retrieve a CA certificate	185
Symptom	185
Analysis	185
Solution	185
Failed to request a local certificate	185
Symptom	185
Analysis	185
Solution	186
Failed to retrieve CRLs	186
Symptom	186
Analysis	186
Solution	186
Configuring SSH2.0	187
Overview	187
SSH operation	187
Version negotiation	187
Key and algorithm negotiation	188
Authentication	188
Session request	189
Interaction	189
SSH connection across VPNs	189
Configuring the switch as an SSH server	190
SSH server configuration task list	190
Generating DSA or RSA key pairs	190
Configuration guidelines	190
Configuration procedure	191
Enabling the SSH server function	191
Configuring the user interfaces for SSH clients	191
Configuration guidelines	191
Configuration procedure	191
Configuring a client public key	192
Configuring a client public key manually	192
Importing a client public key from a public key file	193
Configuring an SSH user	193
Configuration guidelines	193
Configuration procedure	194
Setting the SSH management parameters	194
Setting the DSCP value for packets sent by the SSH server	195
Configuring the switch as an SSH client	195
SSH client configuration task list	195
Specifying a source IP address/interface for the SSH client	195
Configuring whether first-time authentication is supported	196
Enabling the switch to support first-time authentication	196
Disabling first-time authentication	196
Establishing a connection between the SSH client and server	197
Setting the DSCP value for packets sent by the SSH client	197
Displaying and maintaining SSH	198
SSH server configuration examples	198
When the switch acts as a server for password authentication	198
Network requirements	198
Configuration procedure	198
When the switch acts as a server for publickey authentication	200
Network requirements	200
Configuration procedure	201
SSH client configuration examples	205
When switch acts as client for password authentication	205
Network requirements	205
Configuration procedure	205
When switch acts as client for publickey authentication	208
Network requirements	208
Configuration procedure	208
Configuring SFTP	211
Overview	211
Configuring the switch as an SFTP server	211
Enabling the SFTP server	211
Configuring the SFTP connection idle timeout period	211
Configuring the switch as an SFTP client	212
Specifying a source IP address or interface for the SFTP client	212
Establishing a connection to the SFTP server	212
Working with SFTP directories	213
Working with SFTP files	214
Displaying help information	214
Terminating the connection to the remote SFTP server	215
Setting the DSCP value for packets sent by the SFTP client	215
SFTP client configuration example	215
Network requirements	215
Configuration procedure	216
SFTP server configuration example	219
Network requirements	219
Configuration procedure	219
Configuring SCP	222
Overview	222
Configuring the switch as an SCP server	222
Configuring the switch as the SCP client	223
SCP client configuration example	223
Network requirements	223
Configuration procedure	224
SCP server configuration example	224
Network requirements	224
Configuration procedure	224
Configuring SSL	226
Overview	226
SSL security mechanism	226
SSL protocol stack	226
Configuration task list	227
Configuring an SSL server policy	227
SSL server policy configuration example	229
Network requirements	229
Configuration considerations	229
Configuration procedure	229
Configuring an SSL client policy	230
Displaying and maintaining SSL	231
Troubleshooting SSL	231
Symptom	231
Analysis	232
Solution	232
Configuring TCP attack protection	233
Overview	233
Enabling the SYN Cookie feature	233
Displaying and maintaining TCP attack protection	233
Configuring IP source guard	235
Overview	235
Static IP source guard entries	235
Dynamic IP source guard entries	235
Configuration task list	236
Configuring the IPv4 source guard function	236
Configuring IPv4 source guard on a port	236
Configuring a static IPv4 source guard entry	237
Setting the maximum number of IPv4 source guard entries	238
Displaying and maintaining IP source guard	238
IP source guard configuration examples	238
Static IPv4 source guard configuration example	238
Network requirements	238
Configuration procedure	239
Verifying the configuration	240
Dynamic IPv4 source guard using DHCP snooping configuration example	240
Network requirements	240
Configuration procedure	241
Verifying the configuration	241
Dynamic IPv4 source guard using DHCP relay configuration example	242
Network requirements	242
Configuration procedure	242
Verifying the configuration	242
Troubleshooting IP source guard	243
Symptom	243
Analysis	243
Solution	243
Configuring ARP attack protection	244
Overview	244
ARP attack protection configuration task list	244
Configuring ARP defense against IP packet attacks	245

Match case Limit results 1 per page

241

Step

Command

Remarks

Enable the ARP active acknowledgement

function.

arp anti-attack active-ack enable

Disabled by default

Configuring ARP detection

Introduction

ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user

spoofing and gateway spoofing attacks.

ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding

functions. If both ARP packet validity check and user validity check are enabled, the former one applies

first, and then the latter applies.

ARP detection does not check ARP packets received from ARP trusted ports.

Configuring user validity check

This feature enables a device to check user validity as follows:

Upon receiving an ARP packet from an ARP untrusted interface, the device checks the packet

against the configured rules. If a match is found, the ARP packet is processed according to the

matching rule. If no match is found, the device checks the packet against static IP Source Guard

binding entries

The device compares the sender IP and MAC addresses of the ARP packet against the static IP

source guard binding entries. If a match is found, the ARP packet is considered valid and is

forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the

ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found,

the device compares the ARP packet’s sender IP and MAC addresses against the DHCP snooping

entries, 802.1X security entries, and OUI MAC addresses.

If a match is found from those entries, the ARP packet is considered valid and is forwarded. (For

a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must

be an OUI MAC address and the voice VLAN must be enabled.)

If no match is found, the ARP packet is considered invalid and is discarded.

For more information about voice VLANs and OUI MAC addresses, see

Layer 2—LAN Switching

Configuration Guide

Configuration guideliens

Follow these guidelines when you configure user validity check:

•

Static IP source guard binding entries are created by using the

ip source binding

command. For

more information, see "

Configuring IP source guard

•

Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more

information, see

Layer 3—IP Services Configuration Guide

•

802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and

uploads its IP address to an ARP detection enabled device, the device automatically generates an

802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device.

For more information, see "

Configuring 802.1X

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Security Configuration Gui - Page 251

Configuring ARP detection, Introduction, Configuring user validity check, Configuration guideliens

Page 251 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 251