H3C Technologies H3C SecBlade LB Cards User Manual (278 pages)


Summary of contents

Page 1 - H3C LB Products

H3C LB Products Security Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: L1000-A:

Page 2

v Configuring virtual fragment reassembly

Page 3 - Preface

89 Configuring password control Password control can be configured only at the CLI. Password control refers to a set of functions provided by the loc

Page 4 - Port numbering in examples

90 With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system ch

Page 5 - Documentation feedback

91 Password combination level Minimum number of character types Minimum number of characters for each type Level 4 Four One When a user sets or ch

Page 6 - Contents

92 The previous four types of settings have the following priorities: { For local user passwords, the settings with a smaller application scope have

Page 7

93 Setting global password control parameters The action specified by the password-control login-attempt command takes effect immediately, and thus affe

Page 8

94 Step Command Remarks 12. Set the maximum account idle time. password-control login idle-time idle-time Optional. 90 days by default. Setting use

Page 9

95 Step Command Remarks 4. Configure the minimum password length for the local user. password-control length length Optional. By default, the settin

Page 10

96 Setting a local user password in interactive mode You can set a password for a local user in interactive mode. When doing so, you need to confirm

Page 11

97 • No character occurs consecutively three or more times in a password. Implement the following super password control policy: A super password mu

Page 12 - Security overview

98 [LB-luser-test] password-control aging 20 # Configure the password of the local user in interactive mode. [LB-luser-test] password Password:******
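The composition level, minimum length, repeated-character and password-history checks described on the password control pages above, carried out in plain Python as an added example. This is not H3C code: the device applies these checks itself when a password is set, the set of characters counted as "special" and the history depth are assumptions, and the example exists so a practitioner can pre-check a list of local-user passwords against the same rules before pushing them to the device.

```python
import string
from dataclasses import dataclass

# Character types assumed for the composition check. The page does not list
# which characters the device counts as "special"; ASCII punctuation is assumed.
CHAR_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

@dataclass
class PasswordPolicy:
    min_length: int = 10        # minimum password length
    composition_level: int = 4  # minimum number of character types (level 1 to 4)
    min_per_type: int = 1       # minimum number of characters of each counted type
    history_size: int = 4       # how many previous passwords are remembered (assumed value)
    max_run: int = 2            # no character may occur consecutively three or more times

def type_counts(password):
    """Count how many characters of each type the password contains."""
    counts = {name: 0 for name in CHAR_TYPES}
    for ch in password:
        for name, chars in CHAR_TYPES.items():
            if ch in chars:
                counts[name] += 1
    return counts

def longest_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        best = max(best, run)
    return best

def check_password(password, policy, history=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    present = [t for t, n in type_counts(password).items() if n >= policy.min_per_type]
    if len(present) < policy.composition_level:
        problems.append(f"only {len(present)} character type(s) have at least "
                        f"{policy.min_per_type} character(s); composition level "
                        f"{policy.composition_level} requires {policy.composition_level} types")
    if longest_run(password) > policy.max_run:
        problems.append("a character occurs consecutively three or more times")
    # The device keeps the last history_size passwords; a new one must not be among them.
    remembered = list(history)[-policy.history_size:] if policy.history_size else []
    if password in remembered:
        problems.append("password matches one of the remembered previous passwords")
    return problems
```

Run `check_password(candidate, PasswordPolicy(), history=previous)` for each local user; the returned list maps one-to-one onto the device's rejection reasons, so an empty list before configuration means the `password` command in local-user view will not bounce the value.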

Page 13 - Data security

vi Index

Page 14 - Other security technologies

99 Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text d

Page 15

100 Task Remarks Configuring a local asymmetric key pair on the local device Creating a local asymmetric key pair Choose one or more tasks. Displayin

Page 16 - Configuring security zones

101 Displaying and recording the host public key information Task Command Remarks Display the local RSA public keys display public-key local rsa pub

Page 17 - Creating a security zone

102 time, or the local certificate expires. For more information about the local certificate, see "Configuring PKI." To destroy a local asy

Page 18

103 Step Command Remarks 4. Configure the peer public key. Type or copy the key Spaces and carriage returns are allowed between characters. 5. Retu

Page 19

104 Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++ ++++++ ++++++++ ++++++++ # Display the public key

Page 20

105 DB12 5035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A1020 3010001 [DeviceB-pkey-key-code] public-key-code end [D

Page 21

106 It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++ ++++++ ++++++++ +++++

Page 22

107 # From Device B, use FTP to log in to Device A and get the public key file devicea.pub in binary transfer mode. <DeviceB> ft

Page 23 - Configuring a security zone

108 Configuring PKI Overview The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, al

Page 24

1 Security overview Network security threats are actual or potential threats to data confidentiality, data integrity, data availability or authorize

Page 25

109 CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishin

Page 26

110 PKI operation In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificat

Page 27 - Configuring a time range

111 Recommended configuration procedure for manual request Step Remarks 1. Creating a PKI entity Required. Create a PKI entity and configure the id

Page 28

112 Step Remarks 5. Requesting a local certificate Required. When requesting a certificate, an entity introduces itself to the CA by providing its i

Page 29 - Configuring ACLs

113 Step Remarks 2. Creating a PKI domain Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certi

Page 30

114 Figure 41 PKI entity configuration page 3. Configure the parameters, as described in Table 15. 4. Click Apply. Table 15 Configuration items

Page 31

115 Figure 42 PKI domain list 2. Click Add. Figure 43 PKI domain configuration page 3. Configure the parameters, as described in Table 16. 4.

Page 32 - Creating an ACL

116 Item Description Institution Select the authority for certificate request. • CA—Entity requests a certificate from a CA. • RA—Entity requests a

Page 33 - Configuring a basic ACL rule

117 Item Description CRL Update PeriodEnter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs. This item

Page 34

118 Requesting a local certificate 1. From the navigation tree, select Security > Certificate Management > Certificate. 2. Click Request Cer

Page 35

2 • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the de

Page 36

119 3. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 48 RSA key pair destruction page Retrievin

Page 37

120 Item Description Password Enter the password for protecting the private key, which was specified when the certificate was exported. After retrie

Page 38 - ACL configuration example

121 Figure 52 CRL information PKI configuration examples This section provides examples of configuring PKI. Certificate request from a Windows 2003

Page 39 - Configuring ACLs at the CLI

122 { Click Next to begin the installation. b. Install the SCEP add-on: Because a CA server running Windows 2003 server operating system does not

Page 40 - Configuring an advanced ACL

123 Figure 54 Creating a PKI entity b. Create a PKI domain: { From the navigation tree, select Security > Certificate Management > Domain.

Page 41

124 Figure 55 Creating a PKI domain c. Generate an RSA key pair: { From the navigation tree, select Security > Certificate Management > Cer

Page 42

125 Figure 57 Retrieving the CA certificate e. Request a local certificate: { From the navigation tree, select Security > Certificate Manageme

Page 43 - Copying an ACL

126 Figure 59 Detailed information about the local certificate

Page 44

127 Certificate request from an RSA Keon CA server 1. Network requirements As shown in Figure 60, configure the LB product working as the PKI entity

Page 45

128 Figure 61 Creating a PKI entity b. Create a PKI domain: { From the navigation tree, select Security > Certificate Management > Domain.

Page 46

3 The device compares the header information against the preset ACL rules and processes (discards or forwards) the packet based on the comparison result

Page 47

129 Figure 62 Creating a PKI domain c. Generate an RSA key pair: { From the navigation tree, select Security > Certificate Management > Cer

Page 48 - Configuring AAA

130 Figure 64 Retrieving the CA certificate e. Request a local certificate: { From the navigation tree, select Security > Certificate Manageme

Page 49 - Users Clients Dictionary

131 Configuring PKI in the CLI PKI configuration task list Task Remarks Configuring an entity DN Required. Configuring a PKI domain Required. Subm

Page 50 - RADIUS packet format

132 Step Command Remarks 1. Enter system view. system-view N/A 2. Create an entity and enter its view. pki entity entity-name No entity exists by

Page 51

133 • Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certific

Page 52

134 submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means

Page 53 - Extended RADIUS attributes

135 • Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be wrong. 2. Configu

Page 54 - HWTACACS

136 Step Command Remarks 2. Retrieve a certificate manually • In online mode: pki retrieval-certificate { ca | local } domain domain-name • In off

Page 55

137 Verifying PKI certificates without CRL checking Step Command Remarks 1. Enter system view. system-view N/A 2. Enter PKI domain view. pki doma

Page 56 - Domain-based user management

138 Step Command Remarks 2. Create a certificate attribute group and enter its view. pki certificate attribute-group group-name No certificate attri

Page 57 - RADIUS attributes

4 minimum password length, minimum password update interval, password aging, and early notice on pending password expiration. RSH Remote shell (RSH) a

Page 58

139 The LB product submits a local certificate request to the CA server. The device acquires the CRLs for certificate verification. Figure 67 Network

Page 59

140 [LB-pki-domain-torsa] certificate request entity aaa # Configure the URL for the CRL distribution point. [LB-pki-domain-torsa] crl url http://4.4

Page 60

141 Serial Number: 9A96A48F 9A509FD7 05FFF4DF 104AD094 Signature Algorithm: sha1WithRSAEncryption Issuer:

Page 61

142 Figure 68 Network diagram 2. Configuring the CA server a. Install the certificate service suites: { Select Control Panel > Add or Remove

Page 62 - Configuring AAA schemes

143 [LB-pki-domain-torsa] ca identifier myca # Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dl

Page 63

144 Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption

Page 64

145 Certificate attribute-based access control policy configuration 1. Network requirements The client accesses the remote Hypertext Transfer Protoc

Page 65

146 c. Create the certificate attribute-based access control policy of myacp and add two access control rules: [LB] pki certificate access-control-p

Page 66 - Configuring RADIUS schemes

147 • The network connection is not proper. For example, the network cable might be damaged or loose. • No CA certificate has been retrieved. • Th

Page 67

148 • Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of certificates will be wrong. • The Windows 2

Page 68

5 Configuring security zones Overview In traditional firewall security policy applications, a firewall connects an internal network and an external n

Page 69

149 Configuring SSL Secure Sockets Layer (SSL) can be configured only at the CLI. Overview Secure Sockets Layer (SSL) is a security protocol that pro

Page 70

150 SSL protocol stack The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protoco

Page 71

151 Step Command Remarks 1. Enter system view. system-view N/A 2. Create an SSL server policy and enter its view. ssl server-policy policy-name N/

Page 72

152 SSL server policy configuration example Network requirements As shown in Figure 72, users need to access and control LB through webpages. For se

Page 73 - Setting RADIUS timers

153 [LB] public-key local create rsa # Retrieve the CA certificate. [LB] pki retrieval-certificate ca domain 1 # Request a local certificate for LB.

Page 74

154 Step Command Remarks 3. Specify a PKI domain for the SSL client policy. pki-domain domain-name Optional. No PKI domain is specified by default.

Page 75

155 Solution 1. Issue the debugging ssl command and view the debugging information to locate the problem: { If the SSL client is configured to auth

Page 76 - Configuring HWTACACS schemes

156 Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and

Page 77 - Creating an HWTACACS scheme

157 Stages Description Algorithm negotiation SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key excha

Page 78

158 signature. Finally, it informs the client of the authentication result. The device supports using the publickey algorithm RSA for digital signatu

Page 79

6 Figure 1 Network diagram Configuring a security zone in the Web interface Recommended configuration procedure Step Remarks 1. Creating a securi

Page 80

159 SSH server configuration task list Task Remarks Generating local RSA key pairs Required. Enabling the SSH server function Required for Stelnet

Page 81 - Setting HWTACACS timers

160 When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at a time. To enable the SSH server function:

Page 82

161 Configuring a client's host public key This configuration task is only necessary if publickey authentication is configured for users and the

Page 83 - Creating an ISP domain

162 Importing a client public key from a public key file Step Command 1. Enter system view. system-view 2. Import the public key from a public key

Page 84

163 • If you change the authentication mode or public key for an SSH user that has logged in, the change takes effect only at the next login of the

Page 85 - Configuration prerequisites

164 Step Command Remarks 5. Set the maximum number of SSH authentication attempts. ssh server authentication-retries times Optional. 3 by default. A

Page 86

165 Step Command Remarks 2. Specify a source IP address or source interface for the Stelnet client. • Specify a source IPv4 address or source inte

Page 87

166 Establishing a connection to an Stelnet server You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the

Page 88

167 Specifying a source IP address or source interface for the SFTP client By default, an SFTP client uses the IP address of the outbound interface s

Page 89 - AAA configuration examples

168 Task Command Remarks Establish a connection to an SFTP server and enter SFTP client view. • Establish a connection to an IPv4 SFTP server: sftp

Page 90

7 Figure 2 Security zone management page 2. Click Add. Figure 3 Creating a security zone 3. Configure the security zone as described in Table 1

Page 91 - Configuring LB

169 Step Command Remarks 8. Delete one or more directories from the SFTP server. rmdir remote-path&<1-10> Optional. Working with SFTP fi

Page 92

170 Terminating the connection with the SFTP server Step Command Remarks 1. Enter SFTP client view. For more information, see "Establishing a

Page 93

171 Displaying and maintaining SSH Task Command Remarks Display the source IP address or interface configured for the SFTP client. display sftp clie

Page 94

172 Configuration procedure 1. Configure the Stelnet server: # Generate the RSA key pairs. <LB> system-view [LB] public-key local create rsa T

Page 95 - $enab3$ pass3 3

173 Figure 75 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the

Page 96

174 Configuration considerations In the server configuration, the client public key is required. Use the client software to generate the RSA key pair

Page 97 - Troubleshooting AAA

175 Figure 78 Generating process c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public

Page 98

176 d. Click Save private key to save the private key. A confirmation dialog box appears. e. Click Yes and enter the name of the file for saving t

Page 99 - Troubleshooting HWTACACS

177 Figure 80 Specifying the host name (or IP address) c. Select Connection > SSH > Auth from the navigation tree. d. Click Browse… to bri

Page 100 - Configuring password control

178 Figure 81 Specifying the private key file e. Click Open to connect to the server. If the connection is successfully established, the system a

Page 101 - Level 3 Three One

8 Figure 4 Modifying a security zone 3. Modify the zone as described in Table 2. 4. Click Apply. Table 2 Configuration items Item Description Zon

Page 102 - Level 4 Four One

179 [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a

Page 103 - Enabling password control

180 Connected to 192.168.1.40 ... The Server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n Enter passwo
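Both the peer-key copy in the public key section (display the key code on one device, then enter it between public-key-code begin and public-key-code end on the other) and the "The Server is not authenticated. Continue?" prompt above rely on the operator comparing the key out of band; a pasted or presented key that differs from the one the real peer displayed is exactly how a man-in-the-middle gets accepted. The following added example (not H3C code) parses the hex key code the device displays, which is a DER SubjectPublicKeyInfo (that is why the H3C output ends in 0203010001 for the exponent 65537), tolerates the spaces and line breaks the page says are allowed between characters, and reduces the key to a SHA-256 fingerprint that can be read aloud and compared before answering Y. The encoder exists only to construct sample keys for the example; the fingerprint format is this example's choice, not the device's.

```python
import hashlib

# DER encoding of AlgorithmIdentifier { rsaEncryption, NULL }
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:              # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def encode_spki(n, e):
    """Build a SubjectPublicKeyInfo for RSA modulus n and exponent e (used here only to construct sample key codes)."""
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, RSA_ALGID + _tlv(0x03, b"\x00" + rsa_public_key))

def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: the next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def key_code_bytes(text):
    """Accept the key code as the device displays it: hex digits with any spaces or line breaks."""
    return bytes.fromhex("".join(text.split()))

def parse_key_code(text):
    """Return (n, e) from a displayed key code, rejecting anything that is not an RSA SubjectPublicKeyInfo."""
    der = key_code_bytes(text)
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    _, _, alg_end = _read_tlv(der, start)
    if der[start:alg_end] != RSA_ALGID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits_start, bits_end = _read_tlv(der, alg_end)
    if tag != 0x03 or der[bits_start] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, key_start, _ = _read_tlv(der, bits_start + 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, n_start, n_end = _read_tlv(der, key_start)
    tag2, e_start, e_end = _read_tlv(der, n_end)
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("modulus and exponent are not INTEGERs")
    return int.from_bytes(der[n_start:n_end], "big"), int.from_bytes(der[e_start:e_end], "big")

def fingerprint(text):
    """SHA-256 over the DER bytes, so the same key gives the same value however it was line-wrapped."""
    return hashlib.sha256(key_code_bytes(text)).hexdigest()

def same_key(displayed_on_peer, pasted_locally):
    """The out-of-band check: the fingerprint read from the peer's console must equal the one computed on what was pasted here."""
    return fingerprint(displayed_on_peer) == fingerprint(pasted_locally)
```

Compute `fingerprint()` on the key code copied from the peer's `display public-key local rsa public` output and again on the text actually pasted into `public-key-code begin`, or on the host key an SSH client presents; `parse_key_code()` also rejects a truncated paste, which otherwise fails only later as an "invalid key" on the device or, worse, silently installs a different key.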

Page 104

181 Enter password: After you enter the correct username and password, you can log in to the router successfully. Publickey authentication enabled S

Page 105

182 <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greate

Page 106

183 SFTP configuration examples Password authentication enabled SFTP server configuration example Network requirements As shown in Figure 84, you can

Page 107 - Network requirements

184 [LB-ui-vty0-4] protocol inbound ssh [LB-ui-vty0-4] quit # Configure a local user named client002 with the password aabbcc and the service type ss

Page 108 - Configuration procedure

185 Figure 86 Network diagram Configuration considerations In the server configuration, the client public key is required. Use the client software

Page 109 - Verifying the configuration

186 ++++++++ # Enable the SSH server function. [Router] ssh server enable # Enable the SFTP server function. [Router] sftp server enable # Configure

Page 110 - Managing public keys

187 This operation might take a long time. Please wait... File successfully Removed sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug

Page 111

188 # Exit SFTP client view. sftp-client> quit Connection closed. <LB> SCP file transfer with password authentication This section provides

Page 112

Copyright © 2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted

Page 113

9 Security zone configuration example Network requirements A company deploys a firewall (LB in Figure 5) to connect its internal network to the Inter

Page 114 - Displaying public keys

189 # Enable the user interface to support SSH. [Router-ui-vty0-4] protocol inbound ssh [Router-ui-vty0-4] quit # Create a local user named client001

Page 115 - 2. Configure Device B:

190 Configuring RSH The feature can be configured only at the CLI. Remote shell (RSH) allows users to execute OS commands on a remote host that runs

Page 116

191 Figure 89 Network diagram Configuration Procedure 1. Check that the RSH daemon has been installed and started properly on the remote host: a.

Page 117

192 d. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet. e. D

Page 118

193 Managing sessions Overview Session management is a common feature designed to implement session-based services such as NAT and intrusion protecti

Page 119 - Configuring PKI

194 deleted only when the session initiator or responder sends a request to close it or you clear it manually. • Supporting both control channels an

Page 120 - PKI architecture

195 Figure 93 Session configuration 2. Configure the parameters as described in Table 20. 3. Click Apply.

Page 121 - PKI applications

196 Table 20 Configuration items Item Description Enable unidirectional traffic detection Enable or disable unidirectional traffic detection. • When

Page 122

197 Figure 94 Session table Table 21 Field description Field Description Init Src IP Source IP address and port number of packets from the session

Page 123

198 Figure 95 Detailed information of a session Table 22 Field description Field Description Protocol Transport layer protocol: • TCP. • UDP. •

Page 124 - Creating a PKI entity

10 Figure 6 Configuring the Trust zone 2. Add interface GigabitEthernet 0/1 to security zone DMZ: a. Click the icon for security zone DMZ. b.

Page 125 - Creating a PKI domain

199 Managing sessions in the CLI Session management task list Task Remarks Setting session aging times based on protocol state Optional. Configurin

Page 126

200 To set session aging times based on application layer protocol type: Step Command Remarks 1. Enter system view. system-view N/A 2. Set the ag

Page 127

201 unidirectional sessions exist. If yes, configure the hybrid mode to ensure the normal processing of unidirectional sessions. If no, configure the

Page 128 - Generating an RSA key pair

202 Enabling session logging Step Command Remarks 1. Enter system view. system-view N/A 2. Enter system view of the virtual device. switchto vd v

Page 129 - Destroying the RSA key pair

203 Step Command Remarks 2. Specify the flow log version. userlog flow export version version-number Optional. 1.0 by default. 3. Specify the sourc

Page 130

204 Task Command Remarks Clear sessions. reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type

Page 131 - Password

205 Configuring session acceleration Overview In some specific applications, session acceleration helps improve system performance for setting up ses

Page 132 - PKI configuration examples

206 Configuring virtual fragment reassembly Overview To prevent service modules (such as NAT) from processing packet fragments that arrive out of ord

Page 133

207 2. Configure the parameters as described in Table 23. 3. Click Apply. Table 23 Configuration items Item Description Security Zone Specify a sec

Page 134

208 Configuring the LB product 1. Configure IP addresses for the interfaces and assign the interfaces to security zones. (Details not shown.) 2. C

Page 135

11 Figure 7 Configuring the DMZ zone 3. Add interface GigabitEthernet 0/2 to security zone Untrust: a. Click the icon for security zone Untrust

Page 136

209 Figure 101 Configuring virtual fragment reassembly After the configuration, if the LB product receives disordered fragments from security zone

Page 137

210 Configuration example Network requirements As shown in Figure 102, configure devices as follows: • LB connects to Host and Router. • NAT is ena

Page 138 - { Click Add

211 Configuring attack detection and protection The term "router" in this document refers to both routers and LB products. Overview Attack

Page 139

212 Single-packet attack Description Large ICMP For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the

Page 140

213 receive the expected ACK packets, and thus have to maintain large numbers of half-open connections. In this way, the attacker exhausts the system

Page 141

214 • When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct username, password, or verification code

Page 142 - Configuring PKI in the CLI

215 TCP proxy The TCP proxy function can protect servers from SYN flood attacks. A device enabled with the TCP proxy function can act as a TCP p

Page 143 - Configuring a PKI domain

216 Figure 105 Data exchange process in unidirectional proxy mode When the TCP proxy receives a SYN message sent from a client to a protected serve

Page 144

217 After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with the window size of 0 on behalf

Page 145

218 Figure 107 Packet inspection configuration page 2. Configure packet inspection, as described in Table 25. 3. Click Apply. Table 25 Configurat

Page 146

12 Figure 8 Configuring the Untrust zone Configuring a security zone at the CLI Security zone configuration task list Task Remarks Creating a secu

Page 147 - Verifying PKI certificates

219 Packet inspection configuration example Network requirements As shown in Figure 108, the internal network is the trusted zone and the external ne

Page 148 - Deleting a certificate

220 Figure 109 Enabling Land and Smurf attack detection for the untrusted zone Verifying the configuration Check that the device can detect Land an

Page 149

221 Figure 110 ICMP flood detection configuration page 2. Select a security zone. 3. In the Attack Prevention Policy area, select the Discard pac

Page 150

222 Table 26 Configuration items Item Description Protected Host Configuration IP Address Specify the IP address of the protected host. Action Thre

Page 151

223 Figure 112 UDP flood detection configuration page 2. Select a security zone. 3. In the Attack Prevention Policy area, select the Discard pack

Page 152 - 1. Network requirements

224 Table 27 Configuration items Item Description Protected Host Configuration IP Address Specify the IP address of the protected host. Action Thres

Page 153 - [LB] pki domain torsa

225 Figure 114 SYN flood detection configuration page 2. Select a security zone. 3. In the Attack Prevention Policy area, specify the protection

Page 154

226 6. Click Apply. Table 28 Configuration items Item Description Protected Host Configuration IP Address Specify the IP address of the protected h

Page 155

227 Figure 116 Connection limit configuration page 2. Configure the connection limits for the security zone, as described in Table 29. 3. Click A

Page 156 - IP network

228 Table 30 Configuration items Item Description Security Zone Select a security zone to perform scanning detection configuration for it. Enable Sca

Page 157 - Troubleshooting PKI

13 security zone name, or specify both the security zone name and security zone ID. If you specify both the security zone name and security zone ID,

Page 158 - Configuration guidelines

229 • Configure source IP address-based connection limit for the trusted zone, and set the number of connections each host can initiate to 100. • C

Page 159

230 Figure 120 Configuring scanning detection for the untrusted zone 4. Configure connection limits for the trusted zone: a. From the navigation

Page 160 - Configuring SSL

231 c. In the Attack Prevention Policy area, select Discard packets when the specified attack is detected. Click Apply. Figure 123 Configuring SYN f

Page 161 - Configuration task list

232 Detection > Statistics from the navigation tree to view how many times a connection limit per destination IP address has been exceeded an

Page 162

233 Figure 125 TCP proxy configuration Enabling TCP Proxy for a Security Zone 1. From the navigation tree, select Security > Intrusion Detectio

Page 163 - Configuration considerations

234 Figure 127 Protected IP address entry configuration page 3. Enter the destination IP address and select the port number of the TCP connection.

Page 164

235 Figure 128 Network diagram Configuring the LB product 1. Assign IP addresses for the interfaces and then add interface GigabitEthernet 0/1 to

Page 165 - Troubleshooting SSL

236 Figure 130 Adding an IP address entry for protection 4. Configure the SYN flood detection feature, specifying to automatically add protected I

Page 166 - Solution

237 Figure 132 Configuring global settings Configuring blacklist Recommended configuration procedure Task Remarks 1. Enabling the blacklist funct

Page 167 - Configuring SSH

238 Figure 133 Blacklist management page Adding a blacklist entry manually 1. From the navigation tree, select Security > Intrusion Detection

Page 168 - SSH authentication

14 Step Command Remarks 2. Enter VD system view. switchto vd vd-name Required for a security zone of a non-default VD. 3. Enter security zone view.

Page 169 - SSH support for VPNs

239 field Description Add Method Type of the blacklist entry. Possible values include: • Auto—Added by the scanning detection feature automatically.

Page 170

240 Figure 136 Enabling the blacklist feature 3. Add a blacklist entry for Host D: a. In the Blacklist Configuration area, click Add. b. On the

Page 171

241 d. Set the scanning threshold to 4500. e. Select Add the source IP to the blacklist. f. Click Apply. Figure 139 Configuring scanning detection

Page 172

242 Figure 140 Intrusion detection statistics Table 34 Attack types description Attack type Description Fraggle A Fraggle attack occurs when an at

Page 173 - Configuring an SSH user

243 Attack type Description Source Route A source route attack exploits the source route option in the IP header to probe the topology of a network.

Page 174

244 Configuring attack detection and protection at the CLI Attack detection and protection configuration task list • Configure attack protection fun

Page 175 - Stelnet client

245 Step Command Remarks 2. Enter virtual device (VD) system view. switchto vd vd-name Required for a non-default VD. 3. Create an attack protecti

Page 176

246 Step Command Remarks 4. Enable signature detection for single-packet attacks. signature-detect { fraggle | icmp-redirect | icmp-unreachable | la
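An added example (not H3C code) of what the signature-detect checks above do per packet: a Land packet has identical source and destination addresses, Smurf and Fraggle are ICMP echo requests and UDP echo or chargen traffic sent to a directed broadcast address, Large ICMP exceeds a length threshold, the ICMP redirect and unreachable signatures match on ICMP type, and the source-route signature matches the IP source-route option named in the attack-type table. The packet model, the 4000-byte ICMP threshold and the exact matching conditions are assumptions made for the example; the device's own implementation is not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the signatures look at."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None   # 8 echo request, 5 redirect, 3 unreachable
    length: int = 64                  # IP packet length in bytes
    ip_options: frozenset = frozenset()   # e.g. {"source-route"}

class SignatureDetector:
    def __init__(self, protected_nets, enabled, max_icmp_len=4000):
        # Directed broadcast addresses of the zone's networks plus the limited broadcast.
        self.broadcasts = {str(ipaddress.ip_network(n).broadcast_address) for n in protected_nets}
        self.broadcasts.add("255.255.255.255")
        self.enabled = set(enabled)           # the signature-detect keywords turned on
        self.max_icmp_len = max_icmp_len      # assumed default for the large-icmp signature
        self.stats = {name: 0 for name in self.enabled}   # counters like the statistics page

    def _signatures(self, p):
        """Every signature evaluated against one packet; the detector then keeps the enabled ones."""
        bcast = p.dst in self.broadcasts
        return {
            "land": p.proto == "tcp" and p.src == p.dst,
            "smurf": p.proto == "icmp" and p.icmp_type == 8 and bcast,
            "fraggle": p.proto == "udp" and p.dport in (7, 19) and bcast,
            "large-icmp": p.proto == "icmp" and p.length > self.max_icmp_len,
            "icmp-redirect": p.proto == "icmp" and p.icmp_type == 5,
            "icmp-unreachable": p.proto == "icmp" and p.icmp_type == 3,
            "source-route": "source-route" in p.ip_options,
        }

    def inspect(self, p):
        """Return the enabled signatures the packet matches; an empty list means forward it."""
        hits = [name for name, matched in self._signatures(p).items()
                if matched and name in self.enabled]
        for name in hits:
            self.stats[name] += 1
        return hits
```

One packet can match several signatures at once (an oversized echo request to the broadcast address is both Smurf and Large ICMP), which is why the statistics page counts per signature rather than per packet.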

Page 177

247 Step Command Remarks 8. Enable the blacklist function. blacklist enable Required to make the blacklist entries added by the scanning attack prot

Page 178

248 Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VD system view. switchto vd vd-name Required for a non-default VD. 3. En

Page 179

15 If the destination zone belongs to a different VD than the source zone, specify the destination zone in this format: vd-name-zone-id. For example,

Page 180 - Displaying help information

249 Step Command Remarks 2. Enter VD system view. switchto vd vd-name Required for a non-default VD. 3. Enter attack protection policy view. attac

Page 181

250 Step Command Remarks 1. Enter system view. system-view N/A 2. Configure TCP proxy operating mode. • Unidirectional mode: tcp-proxy mode unidi

Page 182 - 192.168.1.40/24

251 Configuring connection limits Connection limit configuration task list Task Remarks Creating a connection limit policy Required. Configuring th

Page 183

252 Applying the connection limit policy To make a connection limit policy take effect, apply it globally or to a service module. To apply a connecti

Page 184

253 • By source or destination IP address—Collect statistics on packets sent to a security zone on the device by source IP addresses or on packets s

Page 185

254 Configuring attack protection functions on security zones Network requirements As shown in Figure 141, security zone Trust on LB is connected to

Page 186

255 # Enable blacklist function. [LB] blacklist enable # Create attack protection policy 1. [LB] attack-defense policy 1 # Enable Smurf attack protec

Page 187

256 Configuring the blacklist function Network requirements As shown in Figure 142, Host D is an attacker in the external network. Configure LB to fi

Page 188 - (private.ppk) and click OK

257 Configuring connection limit Network requirements As shown in Figure 143, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24.

Page 189 - <Router> system-view

258 Verifying the configuration # Use the display connection-limit policy command to display the information about the connection limit policy. [LB]
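The three per-source controls configured in the examples above, a scanning threshold that adds the source IP to the blacklist, blacklist entries that age out, and a connection limit per source host, combine into one decision path for every new connection. The following added example (not H3C code; the one-second rate window, the order of the checks and the drop reasons are assumptions) runs that path over constructed connection events, including the case where a blacklist entry expires and the source is admitted again.

```python
from collections import defaultdict, deque

class ZoneGuard:
    """Per-source connection limit plus scanning detection feeding an aging blacklist."""

    def __init__(self, per_source_limit=100, scan_threshold=4500, blacklist_aging=300.0):
        self.per_source_limit = per_source_limit   # max concurrent connections per source host
        self.scan_threshold = scan_threshold       # connection attempts per second per source
        self.blacklist_aging = blacklist_aging     # seconds an auto-added entry stays effective
        self.active = defaultdict(int)             # src -> currently open sessions
        self.recent = defaultdict(deque)           # src -> timestamps of attempts in the window
        self.blacklist = {}                        # src -> expiry time
        self.stats = {"blacklisted": 0, "limit-exceeded": 0, "scan-detected": 0}

    def _blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                          # aged out: drop the entry and let traffic through
            del self.blacklist[src]
            return False
        return True

    def add_blacklist(self, src, now, aging=None):
        """Add an entry; manual entries pass their own aging time, auto entries use the default."""
        self.blacklist[src] = now + (self.blacklist_aging if aging is None else aging)

    def on_open(self, src, now):
        """Decide on a new connection attempt from src: 'permit' or a drop reason."""
        if self._blacklisted(src, now):
            self.stats["blacklisted"] += 1
            return "drop:blacklist"
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] >= 1.0:   # keep only the last second of attempts
            window.popleft()
        if len(window) > self.scan_threshold:
            self.stats["scan-detected"] += 1
            self.add_blacklist(src, now)           # "Add the source IP to the blacklist"
            window.clear()
            return "drop:scan"
        if self.active[src] >= self.per_source_limit:
            self.stats["limit-exceeded"] += 1
            return "drop:connection-limit"
        self.active[src] += 1
        return "permit"

    def on_close(self, src):
        if self.active[src] > 0:
            self.active[src] -= 1
```

The scan check runs before the connection limit so that a host whose connections are already being refused by the limit still trips the scanning threshold and lands on the blacklist; counting only permitted connections would let a scanner hide behind the limit.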

Page 190

16 Configuring a time range A time range resource defines a time range, which can be referenced by an ACL to control when a rule is effective. You ca

Page 191

259 # Create attack protection policy 1. [LB] attack-defense policy 1 # Enable UDP flood attack protection. [LB-attack-defense-policy-1] defense udp-

Page 192

260 Flow Statistics Information ------------------------------------------------------------ Zone

Page 193

261 # Add interface GigabitEthernet 0/2 to security zone Untrust. [LB] zone name Untrust [LB-zone-Untrust] import interface gigabitethernet 0/2 [LB-z

Page 194 - SFTP configuration examples

262 Configuring TCP attack protection TCP attack protection can be configured only at the CLI. Overview Attackers can attack the device during the pr

Page 195

263 With the SYN Cookie feature enabled, only the maximum segment size (MSS) is negotiated during TCP connection establishment, instead of the windo
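The point above (with SYN Cookie, the device keeps no half-open state, so the only client option it can carry into the established connection is an MSS value encoded in the initial sequence number) is easiest to see in a small encoder/validator. The following is an added example in the style of RFC 4987, not the LB product's implementation: the bit layout, the MSS table, the HMAC secret and the one-tick age limit are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Added example: a SYN-cookie encoder/validator in the style of RFC 4987.
# Bit layout, MSS table and the secret are assumptions for illustration;
# this is not the LB product's implementation.

MSS_TABLE = [536, 1300, 1440, 1460]   # 3 bits in the cookie -> up to 8 entries
SECRET = b"rotate-me"                 # assumption: per-device secret, rotated with the counter


def _hash(saddr, daddr, sport, dport, counter):
    """Keyed 32-bit hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter & 0xFFFFFFFF)
    return struct.unpack("!I", hmac.new(SECRET, msg, hashlib.sha256).digest()[:4])[0]


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS (0 if none)."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_mss, counter):
    """ISN for the SYN-ACK: [5 bits counter][3 bits MSS index][24 bits keyed hash].

    Nothing else from the client's SYN (window scale, SACK permitted, timestamps)
    has a place in the cookie, which is why only the MSS survives negotiation."""
    h = _hash(saddr, daddr, sport, dport, counter)
    return ((counter & 0x1F) << 27) | (mss_index(client_mss) << 24) | (h & 0xFFFFFF)


def check_cookie(saddr, daddr, sport, dport, ack, current_counter, max_age=1):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    age = (current_counter - (cookie >> 27)) & 0x1F
    if age > max_age:
        return None                     # cookie minted too far in the past
    counter = current_counter - age     # recover the full counter the cookie was minted with
    if (_hash(saddr, daddr, sport, dport, counter) & 0xFFFFFF) != (cookie & 0xFFFFFF):
        return None                     # wrong 4-tuple, wrong secret, or forged ACK
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

The validator accepts an ACK only for the current counter tick or the previous one, so a cookie replayed later fails even if the secret has not changed; lowering `max_age` to 0 makes the window one tick at the cost of rejecting slow clients.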

Page 196

264 Configuring ND attack defense ND attack defense can be configured only at the CLI. Overview The IPv6 Neighbor Discovery (ND) protocol provides ri

Page 197

265 • The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses. • The mapping be
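The first check listed above (the Ethernet source MAC must agree with the MAC carried in the ND packet's source link-layer address option) can be written as a small frame parser. The following is an added example, not the LB product's code: frame layout follows RFC 2464 and RFC 4861, the sample Neighbor Solicitation is constructed in the block (ICMPv6 checksum left zero), and `build_ns` exists only to produce test input.

```python
import struct

# Added example: the "Ethernet source MAC vs. source link-layer address option"
# consistency check for IPv6 ND packets. Sample frames are constructed here;
# this is not the LB product's code.

ETH_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
OPT_SLLA = 1  # Source Link-Layer Address option
# Octets between the ICMPv6 checksum and the first option, per ND message type.
ND_FIXED_LEN = {133: 4, 134: 12, 135: 20, 136: 20, 137: 36}


def parse_nd(frame):
    """Return (eth_src_mac, nd_type, slla_mac_or_None), or None if not a well-formed ND frame."""
    if len(frame) < 14 + 40 + 4:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6 or ip[6] != IPPROTO_ICMPV6:
        return None
    payload_len = struct.unpack("!H", ip[4:6])[0]
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 4 or icmp[0] not in ND_TYPES:
        return None
    off = 4 + ND_FIXED_LEN[icmp[0]]
    if len(icmp) < off:
        return None
    slla = None
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0 or off + opt_len * 8 > len(icmp):
            return None  # RFC 4861: zero-length or truncated option, discard the packet
        if opt_type == OPT_SLLA and opt_len == 1:
            slla = icmp[off + 2:off + 8]
        off += opt_len * 8
    return eth_src, icmp[0], slla


def nd_source_mac_consistent(frame):
    """True/False for the check in the text; None when the frame is not a parseable ND packet."""
    parsed = parse_nd(frame)
    if parsed is None:
        return None
    eth_src, _, slla = parsed
    if slla is None:
        return True  # no SLLA option carried, nothing to compare
    return eth_src == slla


def build_ns(eth_src, slla, src_ip, dst_ip, target):
    """Constructed Neighbor Solicitation frame (ICMPv6 checksum left zero; not verified here)."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + target
    if slla is not None:
        icmp += bytes([OPT_SLLA, 1]) + slla
    ip = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 255) + src_ip + dst_ip
    eth = bytes.fromhex("3333ff000001") + eth_src + struct.pack("!H", ETH_IPV6)
    return eth + ip + icmp
```

A spoofed NS whose option MAC differs from the frame's source MAC returns `False`; a frame with no SLLA option is not flagged by this check, since there is nothing to compare, and a malformed option list is rejected outright rather than partially parsed.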

Page 198

266 Index A C D E M N O P R S T A AAA configuration considerations and task list,49 AAA configuration examples,78 C Configuration guidelines,20 Conf

Page 199

267 Overview,211 Overview,149 Overview,37 Overview,156 Overview,193 P Password control configuration example,96 Password control configuration task

Page 200

17 4. Click Apply. Table 3 Configuration items Item Description Name Enter the name for the time range resource. If a time range resource with the s

Page 201 - Configuring RSH

18 Configuring ACLs An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as s

Page 202 - Configuration Procedure

Preface The H3C load balancing (LB) product configuration guides describe the software features, the software configuration procedures, and the config

Page 203

19 • config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approac

Page 204 - Managing sessions

20 Rule numbering ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works. The W

Page 205

21 Configuring ACLs in the Web interface Recommended configuration procedure Step Remarks 1. Creating an ACL. Required. The category of the created

Page 206 - 3. Click Apply

22 Figure 12 ACL configuration page 3. Configure an ACL as described in Table 5. 4. Click Apply. Table 5 Configuration items Item Description AC

Page 207

23 Figure 14 Basic ACL rule configuration page 4. Configure a rule as described in Table 6. 5. Click Apply. Table 6 Configuration items Item Des

Page 208

24 Figure 15 Rules of an advanced ACL 3. Click Add to enter the advanced ACL rule configuration page. Figure 16 Advanced ACL rule configuration pa

Page 209

25 Item Description Time Range Select a time range for the rule. If you select None, the rule is always effective. Available time ranges are configur

Page 210 - Managing sessions in the CLI

26 Item Description ToS Specify the ToS preference. If you configure the IP precedence or ToS precedence and the DSCP priority, the DSCP priority ta

Page 211

27 Table 8 Configuration items Item Description Rule ID Select the Rule ID box, and enter a number for the rule. If you do not specify the rule ID, t

Page 212 - Configuring session logging

28 Configuring ACLs at the CLI Configuration task list Task Remarks Configuring a basic ACL Required. Configure at least one task. Applicable to IPv

Page 213 - Enabling session logging

Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times

Page 214

29 Step Command Remarks 7. Add or edit a rule range remark. rule [ rule-id ] remark text Optional. By default, no rule range remarks are configure

Page 215 - Remarks

30 Step Command Remarks 1. Enter system view. system-view N/A 2. Create an IPv4 advanced ACL and enter its view. acl number acl-number [ name ac

Page 216 - Overview

31 Step Command Remarks 1. Enter system view. system-view N/A 2. Create an IPv6 advanced ACL and enter its view. acl ipv6 number acl6-number [ n

Page 217 - Web interface

32 Step Command Remarks 2. Create an Ethernet frame header ACL and enter its view. acl number acl-number [ name acl-name ] [ match-order { auto |

Page 218 - Configuring the host

33 Copying an IPv6 basic or IPv6 advanced ACL Step Command 1. Enter system view. system-view 2. Copy an existing IPv6 basic or IPv6 advanced ACL t

Page 219 - Configuring the LB product

34 Task Command Remarks Display information about the ACL acceleration feature. display acl accelerate { acl-number | all } [ | { begin | exclude | i

Page 220

35 Configuration procedure # Create a periodic time range from 8:00 to 18:00 on working days. <LB> system-view [LB] time-range work 8:0 to 18:

Page 221 - Configuration example

36 Destination net unreachable. Ping statistics for 1000::100: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows the datab

Page 222

37 Configuring AAA The feature can be configured only at the CLI. Overview Authentication, Authorization, and Accounting (AAA) provides a uniform fra

Page 223 - Flood attack

38 AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used. RADIUS Remote Aut

Page 224 - Blacklist function

Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on t

Page 225 - Traffic statistics function

39 Figure 22 Basic RADIUS message exchange process RADIUS operates in the following manner: 1. The host initiates a connection request that carrie

Page 226 - TCP proxy

40 Figure 23 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packe

Page 227

41 { Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RF

Page 228

42 No. Attribute No. Attribute 30 Called-Station-Id 77 Connect-Info 31 Calling-Station-Id 78 Configuration-Token 32 NAS-Identifier 79 EAP-Mess
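The packet format and attribute layout described above, together with the shared key that later configuration steps set with the `key` command, can be exercised end to end. The following is an added example, not the LB product's code or IMC's: it parses the Code/Identifier/Length/Authenticator header and the Type-Length-Value attribute list, hides and reveals User-Password as RFC 2865 section 5.2 specifies, and verifies the Response Authenticator of an Access-Accept. The shared key `expert` and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Added example: RADIUS packet handling per RFC 2865. Sample packets and
# the shared key are constructed for illustration; not the LB product's code.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def parse_radius(packet):
    """Parse the header and attribute TLVs; return None for anything malformed.

    Each attribute is Type(1) Length(1, counting the 2 header octets) Value, so a
    Length below 2 must be rejected or the loop would never advance."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None
    attrs = []
    off = 20
    while off < length:
        if off + 2 > length:
            return None
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            return None
        attrs.append((t, packet[off + 2:off + l]))
        off += l
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def build_radius(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password, secret, request_auth):
    """NAS side: pad to 16-octet blocks, XOR each block with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: inverse of hide_password; only a holder of the shared key recovers it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = build_radius(code, ident, b"\x00" * 16, attrs)
    auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + auth + pkt[20:]


def verify_response(response, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting an Accept or Reject."""
    parsed = parse_radius(response)
    if parsed is None:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])
```

Two practical consequences follow from the code: a NAS that skips `verify_response` will accept a forged Access-Accept from anyone who can reach it on UDP 1812, and because User-Password hiding is an MD5 keystream rather than an authenticated cipher, the strength of the shared key is all that protects the password on the wire, which is why later sections configure the key per server and recommend a non-trivial value.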

Page 229

43 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RA

Page 230

44 Figure 25 Basic HWTACACS message exchange process for a Telnet user HWTACACS operates in the following manner: 1. A Telnet user sends an access

Page 231

45 9. The user enters the password. 10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication

Page 232

46 • Command accounting—Allows the accounting server to record all commands executed on the device or all authorized commands successfully executed.

Page 233

47 Commonly used standard RADIUS attributes No. Attribute Description 1 User-Name Name of the user to be authenticated. 2 User-Password User pass

Page 234

48 No. Attribute Description 61 NAS-Port-Type Type of the physical port of the NAS that is authenticating the user. Possible values include: • 15—E

Page 235

i Contents Security overview ·························································································································

Page 236

49 No. Sub-attribute Description 25 Result_Code Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failu

Page 237

50 2. Configure AAA methods for the ISP domain. { Authentication method—No authentication (none), local authentication (local), or remote authentic

Page 238

51 Configuring AAA schemes Configuring local users This section describes information about configuring local users only from the CLI. For informatio

Page 239

52 Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the user level,

Page 240

53 Step Command Remarks 4. Assign service types for the local user. service-type { ftp | { ssh | telnet | terminal } * | web } By default, no servic

Page 241

54 Configuring user group attributes User groups simplify local user configuration and management. A user group comprises a group of local users and

Page 242

55 Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can cooperate with and defines a set of parameters that th

Page 243 - Configuring TCP proxy

56 You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. W

Page 244

57 If you delete an accounting server that is serving users, the device no longer sends real-time accounting requests or stop-accounting requests for

Page 245

58 Step Command Remarks 3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication. key { accounting | authe

Page 246

ii Enabling ACL acceleration for an IPv4 basic or IPv4 advanced ACL ····························································· 33Displaying and ma

Page 247

59 Setting the supported RADIUS server type The supported RADIUS server type determines the type of the RADIUS protocol that the device uses to commu

Page 248 - Configuring blacklist

60 functioning as the backup of the primary servers. Typically, the device chooses servers based on these rules: • When the primary server is in act

Page 249 - Viewing the blacklist

61 Step Command Remarks 3. Set the RADIUS server status. • Set the status of the primary RADIUS authentication/authorization server: state primary

Page 250

62 Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view. radius scheme radius-scheme-name N/A 3. Specify a sour

Page 251

63 Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view. radius scheme radius-scheme-name N/A 3. Set the RADIUS

Page 252

64 Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RADIUS scheme view. radius scheme radius-scheme-name N/A 3. Specify a sec

Page 253

65 Step Command Remarks 2. Enable the trap function for RADIUS. radius trap { accounting-server-down | authentication-error-threshold | authenticati

Page 254 - Attack t

66 Task Remarks Specifying the HWTACACS authentication servers Required Specifying the HWTACACS authorization servers Optional Specifying the HWTA

Page 255

67 Step Command Remarks 3. Specify HWTACACS authentication servers. • Specify the primary HWTACACS authentication server: primary authentication ip

Page 256

68 stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, t

Page 257

iii Importing a public key from a public key file ···································································································

Page 258

69 Specifying a VPN for the HWTACACS scheme You can specify a VPN for all the AAA servers in an HWTACACS scheme. However, the VPN has a lower priorit

Page 259

70 The source address of outgoing HWTACACS packets is typically the IP address of an egress interface on the NAS to communicate with the HWTACACS ser

Page 260

71 real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. Consider the perfo

Page 261

72 Creating an ISP domain In a networking scenario with multiple ISPs, the device can connect users of different ISPs. Different ISP users can have d

Page 262

73 • Self-service server location—Allows users to access the self-service server to manage their own accounts and passwords. An ISP domain attribute

Page 263 - Analysis

74 By default, an ISP domain uses the local authentication method. Configuration prerequisites Before configuring authentication methods, complete th

Page 264

75 Step Command Remarks 4. Specify the authentication method for login users. authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ]

Page 265

76 • You can configure a default authorization method for an ISP domain. This method will be used for all users who support the authentication metho

Page 266

77 2. Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service

Page 267

78 Displaying and maintaining AAA Task Command Remarks Display the configuration of ISP domains. display domain [ isp-name ] [ | { begin | exclude |

Page 268 - Configuring connection limit

iv Enabling the SFTP server function ·················································································································

Page 269

79 a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree

Page 270

80 Figure 31 Adding an account for device management Configuring LB # Assign an IP address to interface GigabitEthernet 0/1, the Telnet user access

Page 271

81 # Set the shared key for secure authentication communication to expert. [LB-radius-rad] key authentication expert # Specify the service type for t

Page 272

82 # Enable the Telnet server on the device. [LB] telnet server enable # Configure LB to use AAA for Telnet users. [LB] user-interface vty 0 4 [LB-ui

Page 273

83 Figure 33 Network diagram Configuration considerations 1. Configure LB to use AAA, particularly, local authentication for Telnet users: { Crea

Page 274

84 [LB-ui-vty0-4] quit # Use RADIUS authentication for user privilege level switching authentication and, if RADIUS authentication is not available,

Page 275

85 A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to swit

Page 276

86 * Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed.

Page 277 - A C D E M N O P R S T

87 • The user is not configured on the RADIUS server. • The password entered by the user is incorrect. • The RADIUS server and the NAS are configu

Page 278

88 • The accounting server IP address is correctly configured on the NAS. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Trou
