HP MSR Router Series Security Configuration Guide (V5)

Part number: 5998-8191

Software version: CMW520-R2513

Document version: 6PW106-20150808


Legal and notice information

© Copyright 2015 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Security overview .... 1
  Network security threats .... 1
  Network security services .... 1
  Network security technologies .... 2
    Identity authentication .... 2
    Access security .... 2
    Data security .... 3
    Firewall and connection control .... 3
    Attack detection and protection .... 4
    Other security technologies .... 5

Configuring AAA .... 6
  Overview .... 6
    RADIUS .... 7
    HWTACACS .... 12
    Domain-based user management .... 14
    RADIUS server feature of the router .... 15
    AAA for MPLS L3VPNs .... 16
    Protocols and standards .... 17
    RADIUS attributes .... 17
  FIPS compliance .... 20
  AAA configuration considerations and task list .... 20
  Configuring AAA schemes .... 22
    Configuring local users .... 22
    Configuring RADIUS schemes .... 27
    Configuring HWTACACS schemes .... 39
  Configuring AAA methods for ISP domains .... 45
    Creating an ISP domain .... 45
    Configuring ISP domain attributes .... 46
    Configuring authentication methods for an ISP domain .... 47
    Configuring authorization methods for an ISP domain .... 50
    Configuring accounting methods for an ISP domain .... 53
  Tearing down user connections .... 55
  Configuring a NAS ID-VLAN binding .... 56
  Configuring the router as a RADIUS server .... 56
    RADIUS server functions configuration task list .... 56
    Configuring a RADIUS user .... 56
    Specifying a RADIUS client .... 57
  Displaying and maintaining AAA .... 57
  AAA configuration examples .... 58
    Authentication/authorization for Telnet/SSH users by a RADIUS server .... 58
    Local authentication/authorization for Telnet/FTP users .... 63
    AAA for PPP users by an HWTACACS server .... 64
    Level switching authentication for Telnet users by a RADIUS server .... 66
    RADIUS authentication/authorization portal users .... 70
    RADIUS authentication and authorization for Telnet users by a network device .... 76
  Troubleshooting AAA .... 78
    Troubleshooting RADIUS .... 78
    Troubleshooting HWTACACS .... 79

802.1X overview .... 80
  802.1X architecture .... 80
  Controlled/uncontrolled port and port authorization status .... 80
  802.1X-related protocols .... 81
    Packet formats .... 82
    EAP over RADIUS .... 83
  Initiating 802.1X authentication .... 83
    802.1X client as the initiator .... 83
    Access device as the initiator .... 84
  802.1X authentication procedures .... 84
    Comparing EAP relay and EAP termination .... 85
    EAP relay .... 85
    EAP termination .... 86

Configuring 802.1X .... 88
  HP implementation of 802.1X .... 88
    Access control methods .... 88
    Using 802.1X authentication with other features .... 88
  Configuration prerequisites .... 91
  802.1X configuration task list .... 91
  Enabling 802.1X .... 92
  Enabling EAP relay or EAP termination .... 92
  Setting the port authorization state .... 93
  Specifying an access control method .... 94
  Setting the maximum number of concurrent 802.1X users on a port .... 94
  Setting the maximum number of authentication request attempts .... 95
  Setting the 802.1X authentication timeout timers .... 95
  Configuring the online user handshake function .... 95
    Configuration guidelines .... 96
    Configuration procedure .... 96
  Enabling the proxy detection function .... 96
  Configuring the authentication trigger function .... 97
    Configuration guidelines .... 97
    Configuration procedure .... 98
  Specifying a mandatory authentication domain on a port .... 98
  Configuring the quiet timer .... 98
  Enabling the periodic online user re-authentication function .... 99
  Configuring an 802.1X guest VLAN .... 99
    Configuration guidelines .... 99
    Configuration prerequisites .... 100
    Configuration procedure .... 100
  Configuring an Auth-Fail VLAN .... 100
    Configuration guidelines .... 100
    Configuration prerequisites .... 100
    Configuration procedure .... 101
  Configuring an 802.1X critical VLAN .... 101
    Configuration guidelines .... 101
    Configuration prerequisites .... 101
    Configuration procedure .... 101
  Specifying supported domain name delimiters .... 102
  Displaying and maintaining 802.1X .... 102
  802.1X authentication configuration example .... 103
    Network requirements .... 103
    Configuration procedure .... 103
    Verifying the configuration .... 105
  802.1X guest VLAN and VLAN assignment configuration example .... 105
    Network requirements .... 105
    Configuration procedure .... 106
    Verifying the configuration .... 107
  802.1X with ACL assignment configuration example .... 108
    Network requirements .... 108
    Configuration procedure .... 108
    Verifying the configuration .... 109

Configuring EAD fast deployment .... 110
  Overview .... 110
    Free IP .... 110
    URL redirection .... 110
  Configuration prerequisites .... 110
  Configuring a free IP .... 111
  Configuring the redirect URL .... 111
  Setting the EAD rule timer .... 111
  Displaying and maintaining EAD fast deployment .... 112
  EAD fast deployment configuration example .... 112
    Network requirements .... 112
    Configuration procedure .... 113
    Verifying the configuration .... 113
  Troubleshooting EAD fast deployment .... 114
    Web browser users cannot be correctly redirected .... 114

Configuring MAC authentication .... 115
  Overview .... 115
    User account policies .... 115
    Authentication methods .... 115
    MAC authentication timers .... 116
  Using MAC authentication with other features .... 116
    VLAN assignment .... 116
    ACL assignment .... 116
  Configuration task list .... 117
  Basic configuration for MAC authentication .... 117
    Configuring MAC authentication globally .... 117
    Configuring MAC authentication on a port .... 118
  Specifying a MAC authentication domain .... 118
  Configuring MAC authentication delay .... 119
  Displaying and maintaining MAC authentication .... 119
  MAC authentication configuration examples .... 120
    Local MAC authentication configuration example .... 120
    RADIUS-based MAC authentication configuration example .... 121
    ACL assignment configuration example .... 123

Configuring port security .... 126
  Overview .... 126
    Port security features .... 126
    Port security modes .... 127
    Support for WLAN .... 129
    Working with guest VLAN and Auth-Fail VLAN .... 130
  Configuration task list .... 130
  Enabling port security .... 131
  Setting port security's limit on the number of MAC addresses on a port .... 131
  Setting the port security mode .... 132
    Configuration prerequisites .... 132
    Configuration procedure .... 132
  Configuring port security features .... 133
    Configuring NTK .... 133
    Configuring intrusion protection .... 134
    Enabling port security traps .... 134
  Configuring secure MAC addresses .... 135
    Configuration prerequisites .... 136
    Configuration procedure .... 136
  Configuring port security for WLAN ports .... 137
    Setting the port security mode of a WLAN port .... 137
    Enabling key negotiation .... 138
    Configuring a PSK .... 138
  Ignoring authorization information from the server .... 138
  Displaying and maintaining port security .... 139
  Port security configuration examples .... 139
    Configuring the autoLearn mode .... 139
    Configuring the userLoginWithOUI mode .... 141
    Configuring the macAddressElseUserLoginSecure mode .... 146
  Troubleshooting port security .... 149
    Cannot set the port security mode .... 149
    Cannot configure secure MAC addresses .... 149
    Cannot change port security mode when a user is online .... 149

    Configuring IPsec ···················································································································································· 151 Overview ······································································································································································· 151 

    Basic concepts ····················································································································································· 151 IPsec implementation on an encryption card ··································································································· 153 IPsec tunnel interface ··········································································································································· 154 IPsec for IPv6 routing protocols ·························································································································· 155 IPsec RRI································································································································································ 155 Protocols and standards ····································································································································· 156 

    FIPS compliance ··························································································································································· 156 Implementing IPsec ······················································································································································· 156 Implementing ACL-based IPsec ··································································································································· 157 

    Configuring an ACL ···· 158
    Configuring an IPsec transform set ···· 160
    Configuring an IPsec policy ···· 162
    Applying an IPsec policy group to an interface ···· 168
    Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card ···· 168
    Enabling the encryption engine ···· 170
    Enabling the IPsec module backup function ···· 170
    Configuring the IPsec session idle timeout ···· 170
    Enabling ACL checking of de-encapsulated IPsec packets ···· 171
    Configuring the IPsec anti-replay function ···· 171
    Configuring a shared source interface policy group ···· 172
    Configuring packet information pre-extraction ···· 173
    Enabling invalid SPI recovery ···· 173
    Configuring IPsec RRI ···· 173
    Enabling transparent data transmission without NAT ···· 175
    Enabling fragmentation before/after encryption ···· 175

  Implementing tunnel interface-based IPsec ···· 175
    Configuring an IPsec profile ···· 176
    Configuring an IPsec tunnel interface ···· 178
    Enabling packet information pre-extraction on the IPsec tunnel interface ···· 179
    Applying a QoS policy to an IPsec tunnel interface ···· 180


  Configuring IPsec for IPv6 routing protocols ···· 180
  Displaying and maintaining IPsec ···· 181
  IPsec configuration examples ···· 182

    Configuring manual mode IPsec tunnel ···· 182
    Configuring IKE-based IPsec tunnel ···· 184
    Configuring encryption cards for IPsec services ···· 186
    Configuring IPsec interface backup ···· 189
    Configuring IPsec with IPsec tunnel interfaces ···· 192
    Configuring IPsec for RIPng ···· 196
    Configuring IPsec RRI ···· 200

Configuring IKE ···· 203
  Overview ···· 203

    IKE security mechanism ···· 203
    IKE operation ···· 203
    IKE functions ···· 204
    Relationship between IKE and IPsec ···· 205
    Protocols and standards ···· 205

  FIPS compliance ···· 205
  IKE configuration task list ···· 206
  Configuring a name for the local security gateway ···· 206
  Configuring an IKE proposal ···· 207
  Configuring an IKE peer ···· 208
  Setting keepalive timers ···· 210
  Setting the NAT keepalive timer ···· 211
  Configuring a DPD detector ···· 211
  Disabling next payload field checking ···· 212
  Displaying and maintaining IKE ···· 212
  IKE configuration examples ···· 212

    Configuring main mode IKE with pre-shared key authentication ···· 212
    Configuring aggressive mode IKE with NAT traversal ···· 217

  Troubleshooting IKE ···· 220
    Invalid user ID ···· 220
    Proposal mismatch ···· 220
    Failed to establish an IPsec tunnel ···· 221
    ACL configuration error ···· 221

Configuring IKEv2 ···· 222
  Overview ···· 222

    New features in IKEv2 ···· 223
    Protocols and standards ···· 223

  IKEv2 configuration task list ···· 224
  Configuring global IKEv2 parameters ···· 224

    Configuring the cookie challenging function ···· 224
    Configuring the IKEv2 DPD function ···· 225
    Setting limits on the number of IKEv2 SAs ···· 225
    Configuring an address pool for assigning addresses to initiators ···· 226

  Configuring an IKEv2 proposal ···· 226
  Configuring an IKEv2 policy ···· 227
  Configuring an IKEv2 keyring ···· 228
  Configuring an IKEv2 profile ···· 228
  Displaying and maintaining IKEv2 ···· 231
  IKEv2 configuration examples ···· 231

    Configuring IKEv2 pre-shared key authentication ···· 231
    Configuring IKEv2 certificate authentication ···· 237


  Troubleshooting IKEv2 ···· 244
    No matching IKEv2 proposal found ···· 244
    IPsec tunnels cannot be set up ···· 245

Configuring PKI ···· 246
  Overview ···· 246

    PKI terminology ···· 246
    PKI architecture ···· 247
    PKI operation ···· 247
    PKI applications ···· 248
    FIPS compliance ···· 248

  PKI configuration task list ···· 248
  Configuring an entity DN ···· 249
  Configuring a PKI domain ···· 250
  Requesting a PKI certificate ···· 252

    Configuring automatic certificate request ···· 252
    Manually requesting a certificate ···· 253

  Retrieving a certificate manually ···· 254
  Verifying PKI certificates ···· 255

    Verifying certificates with CRL checking ···· 255
    Verifying certificates without CRL checking ···· 256

  Destroying the local RSA key pair ···· 256
  Deleting a certificate ···· 256
  Configuring a certificate access control policy ···· 257
  Displaying and maintaining PKI ···· 257
  PKI configuration examples ···· 258

    Certificate request from an RSA Keon CA server ···· 258
    Certificate request from a Windows 2003 CA server ···· 261
    IKE negotiation with RSA digital signature ···· 264
    Certificate access control policy configuration example ···· 266

  Troubleshooting PKI configuration ···· 268
    Failed to obtain the CA certificate ···· 268
    Failed to request local certificates ···· 268
    Failed to retrieve CRLs ···· 269

Managing public keys ···· 270
  FIPS compliance ···· 270
  Configuration task list ···· 271
  Creating a local asymmetric key pair ···· 271
  Displaying or exporting the local host public key ···· 272
    Displaying and recording the host public key information ···· 273
    Displaying the host public key in a specific format and saving it to a file ···· 273
    Exporting the host public key in a specific format to a file ···· 273
  Destroying a local asymmetric key pair ···· 274
  Configuring the local RSA key pair for certificate request ···· 274
  Exporting an RSA key pair ···· 274
  Importing an RSA key pair ···· 275
  Specifying the peer public key on the local device ···· 275
  Displaying public keys ···· 276
  Public key configuration examples