09 Security Configuration Guide


Preface

The H3C S5500-HI documentation set includes 11 configuration guides, which describe the software features for the H3C S5500-HI Switch Series and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

The Security Configuration Guide describes security fundamentals and configuration. It covers the authentication features (including AAA, 802.1X, MAC authentication, portal authentication, and so on) and attack protection features (including IP source guard, ARP attack protection, and so on).

This preface includes:

·     Audience

·     Added and modified features

·     Conventions

·     About the H3C S5500-HI documentation set

·     Obtaining documentation

·     Technical support

·     Documentation feedback

Audience

This documentation is intended for:

·     Network planners

·     Field technical support and servicing engineers

·     Network administrators working with the S5500-HI series

Added and modified features

This documentation set is for Release 52xx. The following describes the feature changes between releases:

·     Release 5206 has the following feature changes over Release 5203:

Configuration guide: Added and modified features

AAA
    Added feature: Specifying multiple secondary HWTACACS servers.

MAC authentication
    Added feature: Enabling MAC authentication multi-VLAN mode.

IP source guard
    Added feature: 802.1X-based dynamic IPv4 source guard binding entries.

ARP attack protection
    Added feature: ARP Detection logging function.

·     Release 5203 has the following feature changes over Release 5101:

Configuration guide: Added and modified features

AAA
    Added features:
    ·     Setting a DSCP value for an ISP domain.
    ·     Setting the DSCP value for RADIUS protocol packets.
    ·     Configuring status detection for RADIUS authentication/authorization servers.
    ·     Support for ciphertext shared keys in RADIUS/HWTACACS authentication, authorization, and accounting.
    ·     Setting ciphertext shared keys for secure RADIUS communication.
    Modified feature: Configuring a password for the local user.
    Removed feature: Setting the password display mode for all local users.

802.1X
    Added features:
    ·     Configuring 802.1X critical VLAN.
    ·     Specifying supported domain name delimiters.
    ·     Configuring a port to send EAPOL frames untagged.
    ·     Setting the maximum number of authentication request attempts.
    ·     Configuring an 802.1X VLAN group.

EAD fast deployment
    N/A

MAC authentication
    Added features:
    ·     Configuring a MAC authentication critical VLAN.
    ·     Configuring MAC authentication delay.

Portal
    Added features:
    ·     Configuring IPv6 portal.
    ·     Setting a ciphertext shared key.

Triple authentication
    N/A

Port security
    N/A

User profile
    N/A

Password control
    Modified feature: Clearing all users from the password control blacklist.

HABP
    N/A

Public Key
    N/A

PKI
    Added feature: Setting a ciphertext password for certificate revocation.

IPsec
    Added features:
    ·     Configuring ACL-based IPsec.
    ·     Configuring IKE.

SSH2.0
    Added features:
    ·     Configuring the service type as SCP for SSH users.
    ·     Configuring the device as an SCP client.
    ·     Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SSH server.
    ·     Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the Stelnet client.
    ·     Setting the DSCP value for IPv4 or IPv6 protocol packets sent by the SFTP client.

SSL
    N/A

TCP attack protection
    N/A

IP source guard
    N/A

ARP attack protection
    Added feature: Configuring a user validity check rule.

ND attack defense
    N/A

URPF
    N/A

MFF
    N/A

SAVI
    Added feature: Setting the deletion delay time for SAVI.

Black list
    N/A

FIPS
    FIPS is a newly added feature.

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Description

Boldface
    Bold text represents commands and keywords that you enter literally as shown.

Italic
    Italic text represents arguments that you replace with actual values.

[ ]
    Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }
    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ]
    Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

{ x | y | ... } *
    Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

[ x | y | ... ] *
    Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n>
    The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.

#
    A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention: Description

Boldface
    Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

>
    Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Convention: Description

< >
    Button names are inside angle brackets. For example, click <OK>.

[ ]
    Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.

/
    Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols

Convention: Description

WARNING
    An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION
    An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT
    An alert that calls attention to essential information.

NOTE
    An alert that contains additional or supplementary information.

TIP
    An alert that provides helpful information.

Network topology icons

The topology icons used in this documentation set (the icon images are not reproduced here) have the following meanings:

·     Represents a generic network device, such as a router, switch, or firewall.

·     Represents a routing-capable device, such as a router or Layer 3 switch.

·     Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C S5500-HI documentation set

The H3C S5500-HI documentation set includes the following categories, documents, and purposes:

Product description and specifications
    Marketing brochure: Describes product specifications and benefits.
    Technology white papers: Provide an in-depth description of software features and technologies.

Hardware specifications and installation
    Compliance and safety manual; CE DOCs: Provide regulatory information and the safety instructions that must be followed during installation.
    Installation quick start: Guides you through initial installation and setup procedures to help you quickly set up your device.
    Installation guide: Provides a complete guide to switch installation and specifications.
    LSPM1FAN and LSPM1FANB Installation Manual: Describes the appearances, specifications, installation, and removal of the pluggable fan modules available for the products.
    User manuals for power modules: Describe the specifications, installation, and replacement of hot-swappable power modules.
    RPS Ordering Information for H3C Low-End Ethernet Switches: Helps you order RPSs for switches that can work with an RPS.
    User manuals for RPSs: Describe the specifications, installation, and replacement of RPSs.
    User manuals for interface cards: Describe the specifications, installation, and replacement of expansion interface cards.
    H3C Low End Series Ethernet Switches Pluggable Modules Manual: Describes the specifications of pluggable transceiver modules.
    Pluggable SFP[SFP+][XFP] Transceiver Modules Installation Guide: Describes the installation and replacement of SFP/SFP+/XFP transceiver modules.

Software configuration
    Configuration guides: Describe software features and configuration procedures.
    Command references: Provide a quick reference to all available commands.

Operations and maintenance
    Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

·     [Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.

·     [Products & Solutions] – Provides information about products and technologies, as well as solutions.

·     [Technical Support & Documents > Software Download] – Provides the documentation released with the software version.

Technical support

service@h3c.com

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com.

We appreciate your comments.
