HP 10500 Switch Series (Comware V5)
Configuration Examples
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and services
are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be
liable for technical or editorial errors or omissions contained herein.
Part number: 5889-4906
Contents
802.1X configuration examples 1
AAA configuration examples 32
Example: Allowing a specific host to access the network 49
Example: Denying a specific host access to the network 51
Example: Allowing access between specific subnets 53
Example: Denying Telnet packets 55
Example: Allowing TCP connections initiated from a specific subnet 56
Example: Denying FTP traffic 59
Example: Allowing FTP traffic (active FTP) 60
Example: Allowing FTP traffic (passive FTP) 63
Example: Allowing ICMP requests from a specific direction 66
Example: Allowing HTTP/Email/DNS traffic 67
Example: Filtering packets by MAC address 69
Example: Applying ACLs in device management 71
ARP attack protection configuration examples 75
ARP configuration examples 85
Proxy ARP configuration examples 88
Basic MPLS configuration examples 95
BPDU tunneling configuration examples 107
CFD configuration examples 112
DHCP configuration examples 121
DLDP configuration examples 133
DNS configuration examples 142
Ethernet OAM configuration examples 158
IGMP configuration examples 161
IGMP snooping configuration example 173
IP addressing configuration examples 188
IP performance optimization configuration examples 191
IP source guard configuration examples 196
IPv6 basics configuration examples 202
IPv6 multicast VLAN configuration examples 206
IPv6 PIM configuration examples 216
IRF configuration examples 249
Link aggregation configuration examples 300
LLDP configuration examples 314
MAC address table configuration examples 321
MAC authentication configuration examples 327
MFF configuration examples 342
Mirroring configuration examples 355
MLD configuration examples 386
MLD snooping configuration examples 398
MPLS L2VPN configuration examples 413
Multicast VLAN configuration examples 454
NetStream configuration examples 464
NQA configuration examples 470
NTP configuration examples 495
OSPF configuration examples 508
PIM configuration examples 551
Port isolation configuration examples 582
Port security configuration examples 589
QinQ configuration examples 605
Traffic policing configuration examples 626
GTS and rate limiting configuration examples 649
Priority and queue scheduling configuration examples 654
User profile configuration examples 668
Control plane protection configuration examples 674
QoS policy-based routing configuration examples 680
Configuration examples for implementing HQoS through marking local QoS IDs 692
RRPP configuration examples 698
Sampler configuration examples 762
sFlow configuration examples 764
Smart Link and CFD collaboration configuration examples 768
Smart Link configuration examples 786
Monitor Link configuration examples 804
Spanning tree configuration examples 809
SSH configuration examples 831
Static multicast route configuration examples 855
Static routing configuration examples 872
Tunnel configuration examples 885
UDP helper configuration examples 923
URPF configuration examples 926
VLAN configuration examples 929
VLAN mapping configuration examples 938
VPLS configuration examples 955
IPv4-based VRRP configuration examples 1000
IPv6-based VRRP configuration examples 1034
802.1X configuration examples
This chapter provides examples for configuring 802.1X authentication to control network access of LAN access users.
Example: Configuring RADIUS-based 802.1X authentication (non-IMC server)
Applicable product matrix
Product series    Software version
HP 10500          Release series 1120, Release series 1130, Release series 1200
Network requirements
As shown in Figure 1:
Users must pass 802.1X authentication before they can access the Internet. They use the HP iNode client to initiate 802.1X authentication.
Switch A (the NAS) uses a RADIUS server (Switch B) to perform RADIUS-based 802.1X authentication and authorization. Switch B is an HP 5500 HI switch functioning as the RADIUS server.
Configure GigabitEthernet 1/0/1 to implement MAC-based access control, so that each user is authenticated separately. When one user logs off, other online users on the port are not affected.
Figure 1 Network diagram
(Diagram: 802.1X client 192.168.0.2 connects to GE1/0/1 of Switch A, the NAS, whose Vlan-int1 is 192.168.0.59/24 and whose Vlan-int11 is 10.1.1.2/24; GE1/0/2 of Switch A connects to Switch B, the RADIUS server at 10.1.1.1/24.)
Configuration restrictions and guidelines
When you configure RADIUS-based 802.1X authentication, follow these restrictions and guidelines:
Standard RADIUS (RFC 2865) uses UDP port 1812 for authentication. However, an HP device that functions as the RADIUS authentication server listens on the legacy RADIUS port, UDP 1645. Configure port 1645 for the RADIUS scheme on the access device; if the ports do not match, the access device's requests go unanswered and the server appears unreachable.
Enable 802.1X globally only after you have configured the authentication-related parameters (RADIUS scheme, ISP domain, and port settings). Otherwise, users might fail 802.1X authentication while the configuration is incomplete.
The 802.1X configuration takes effect on a port only after you enable 802.1X both globally and on the port.
Configuration procedures
Configuring IP addresses
# Assign an IP address to each interface as shown in Figure 1. Make sure the client, Switch A, and
the RADIUS server can reach each other. (Details not shown.)
Configuring Switch A
1. Configure the RADIUS scheme:
# Create RADIUS scheme radius1 and enter RADIUS scheme view.
[SwitchA] radius scheme radius1
New Radius scheme
[SwitchA-radius-radius1]
# Specify the RADIUS server at 10.1.1.1 as the primary authentication server, set the
authentication port to 1645, and specify the shared key as abc.
[SwitchA-radius-radius1] primary authentication 10.1.1.1 1645 key abc
# Exclude the ISP domain name from the username sent to the RADIUS server.
[SwitchA-radius-radius1] user-name-format without-domain
NOTE:
The access device must use the same username format as the RADIUS server. If the RADIUS server includes
the ISP domain name in the username, so must the access device.
# Set the source IP address for outgoing RADIUS packets to 10.1.1.2.
[SwitchA-radius-radius1] nas-ip 10.1.1.2
[SwitchA-radius-radius1] quit
2. Configure the ISP domain:
# Create ISP domain test and enter ISP domain view.
[SwitchA] domain test
[SwitchA-isp-test]
# Configure ISP domain test to use RADIUS scheme radius1 for authentication and authorization
of all 802.1X users.
[SwitchA-isp-test] authentication lan-access radius-scheme radius1
[SwitchA-isp-test] authorization lan-access radius-scheme radius1
[SwitchA-isp-test] quit
# Specify domain test as the default ISP domain. If a user does not provide any ISP domain
name, it is assigned to the default ISP domain.
[SwitchA] domain default enable test
3. Configure 802.1X:
# Enable 802.1X on port GigabitEthernet 1/0/1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dot1x
802.1x is enabled on port GigabitEthernet1/0/1.
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/1 to implement MAC-based access control. This step is
optional, because the port implements MAC-based access control by default.
[SwitchA] dot1x port-method macbased interface gigabitethernet 1/0/1
# Enable 802.1X globally.
[SwitchA] dot1x
802.1x is enabled globally.
Configuring the RADIUS server
# Create RADIUS user guest and enter RADIUS server user view.
system-view
[Sysname] radius-server user guest
[Sysname-rdsuser-guest]
# Set the password to 123456 in plain text for RADIUS user guest.
[Sysname-rdsuser-guest] password simple 123456
[Sysname-rdsuser-guest] quit
# Specify RADIUS client 10.1.1.2, and set the shared key to abc in plain text.
[Sysname] radius-server client-ip 10.1.1.2 key simple abc
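The RADIUS scheme on Switch A (primary server 10.1.1.1, shared key abc) and the client entry on the RADIUS server (client 10.1.1.2, key abc) only work together because both ends derive the same per-request secrets from that key. The following Python program is an added example, not part of the HP document or any HP software: it models the NAS (Switch A, 10.1.1.2) and the RADIUS server (Switch B) in-process using the RFC 2865 Access-Request/Access-Accept rules (User-Password hiding and the Response Authenticator), with the user guest/123456 from the server configuration above. It assumes a PAP-style User-Password attribute for simplicity, whereas the real 802.1X exchange carries EAP, and it sends nothing on the wire, so the 1645 port setting does not appear in it. It also shows the two failure modes a practitioner will meet: a wrong user password yields Access-Reject, while a shared-key mismatch or an unregistered NAS yields no trustworthy reply at all, which from the switch side looks like an unreachable server.

```python
"""RFC 2865 RADIUS exchange modeled in-process (added example, not HP code).
NAS = Switch A at 10.1.1.2; RADIUS server = Switch B with user guest/123456."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Server-side configuration, mirroring "radius-server user guest" and
# "radius-server client-ip 10.1.1.2 key simple abc" (constructed data).
USERS = {"guest": "123456"}
CLIENTS = {"10.1.1.2": b"abc"}


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_authenticator=None):
    """Access-Request: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    auth = request_authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)   # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """NAS-side check that the reply was built by a server holding the same key."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server_handle(request, client_ip):
    """Server side: unknown clients are silently discarded (RFC 2865 3), known ones get Accept/Reject."""
    secret = CLIENTS.get(client_ip)
    if secret is None:
        return None
    attrs = parse_attrs(request[20:])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20]).decode(errors="replace")
    code = ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def authenticate(username, password, nas_secret, nas_ip="10.1.1.2"):
    """One exchange as seen by the NAS: 'accept', 'reject', or 'dropped'.
    'dropped' means no reply the NAS can trust; that is what a shared-key
    mismatch or an unregistered client IP looks like from the switch."""
    request = build_access_request(7, username, password, nas_ip, nas_secret)
    response = radius_server_handle(request, nas_ip)
    if response is None or not verify_response(response, request, nas_secret):
        return "dropped"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("guest", "123456", b"abc"))   # matching key and password
    print(authenticate("guest", "wrong", b"abc"))    # wrong password -> Access-Reject
    print(authenticate("guest", "123456", b"abd"))   # key mismatch -> reply fails verification
```

The third call is the one to remember when troubleshooting: with mismatched keys the server still answers, but it decrypts the password to garbage and signs a Reject with its own key, which the switch cannot verify and therefore discards, so the symptom is a timeout rather than an authentication failure.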
Configuring the 802.1X client
1. Open the iNode client as shown in Figure 2.
Figure 2 Opening iNode client
2. Click New.
3. On the Create New Connection Wizard window, select 802.1X protocol(X), and then click
Next(N)>.
Figure 3 Creating a new connection
4. Configure the connection name, username, and password, and then click Next(N)>.
Figure 4 Configuring the connection name, username, and password
The following details must comply wi