Home > HP > Printer > HP 5500 Ei 5500 Si Switch Series Configuration Guide

HP 5500 Ei 5500 Si Switch Series Configuration Guide

Add to Favourites
    Download as PDF Print this page Share this page

    Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    View all the pages
    Page
    of 2513
    Add page 1991 to Favourites
    image text
    Enable zoom 
    							 326 
Figure 117 SSL protocol stack 
 
 
•  SSL record protocol —Fragments data to be transmitted, co mputes and adds MAC to the data, and 
encrypts the data before transmitting it to the peer end. 
•   SSL handshake protocol —Negotiates the cipher suite to be used for secure communication 
(including the symmetric encryption algorithm,  key exchange algorithm, and MAC algorithm), 
securely exchanges the key between the server and client, and implements identity authentication 
of the server and client. Through the SSL handshake protocol, a session is established between a 
client and the server. A session consists of a set of parameters, including the session ID, peer 
certificate, cipher suite, and master secret. 
•   SSL change cipher spec protocol —Used for notification between the client and the server that the 
subsequent packets are to be protected and transm itted based on the newly negotiated cipher suite 
and key. 
•   SSL alert protocol —Enables the SSL client and server to send  a l e r t  m e s s a g e s  t o  e a c h  o t h e r.  A n  a l e r t  
message contains the alert severity level and a description. 
Configuration task list 
 
Task Remarks 
Configuring an SSL server policy  Required 
Configuring an SSL client policy Optional 
 
Configuring an SSL server policy 
An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy 
takes effect only after it is associated with an application layer protocol such as HTTP. 
Before configuring an SSL server policy, configure the PKI domain for the SSL server policy to use to 
obtain a certificate for the SSL server. For more information about PKI domain configuration, see 

1Configuring PKI . 
SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. 
When the switch acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and 
can identify the SSL 2.0 Client Hello message from a client supporting SSL 2.0 and SSL 3.0/TLS 1.0 and 
notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server. 
To configure an SSL server policy: 
 
Step Command Remarks 
1.   Enter system view. 
system-view N/A
    Add page 1992 to Favourites
    image text
    Enable zoom 
    							 327 
Step Command Remarks 
2.  Create an SSL server policy 
and enter its view.  ssl server-policy 
policy-name N/A 
3.  Specify a PKI domain for the 
SSL server policy.  pki-domain 
domain-name  By default, no PKI domain is 
specified for an SSL server policy.
 
If the client requires 
certificate-based authentication for 
the SSL server, you must use this 
command to specify a PKI domain 
for the server and request a local 
certificate for the server through the 
PKI domain. 
4.
  Specify the cipher suite(s) for 
the SSL server policy to 
support.  ciphersuite
 
[ rsa_3des_ede_cbc_sha  | 
rsa_aes_128_cbc_sha  | 
rsa_aes_256_cbc_sha  | 
rsa_des_cbc_sha | 
rsa_rc4_128_md5 | 
rsa_rc4_128_sha ] *  Optional. 
By default, an SSL server policy 
supports all cipher suites. 
5.
  Set the handshake timeout 
time for the SSL server.  handshake timeout
 time  Optional. 
3,600 seconds by default. 
6.
  Set the SSL connection close 
mode.  close-mode wait  Optional. 
Not wait by default. 
7.
  Set the maximum number of 
cached sessions and the 
caching timeout time.  session 
{ cachesize  size | timeout 
time  } *  Optional. 
The defaults are as follows: •
 500 for the maximum number 
of cached sessions. 
• 3600 seconds for the caching 
timeout time. 
8.   Enable the SSL server to 
perform digital 
certificate-based 
authentication for SSL clients.  client-verify enable 
Optional. 
By default, the SSL server does not 
require clients to be authenticated.
 
9.
  Enable SSL client weak 
authentication.  client-verify weaken  Optional. 
Disabled by default. 
This command takes effect only 
when the client-verify enable
 
command is configured. 
 
SSL server policy configuration example 
Network requirements 
As shown in  Figure 118, u sers need to access and control the device through web pages. 
For security of the device and to make sure that data is not eavesdropped or tampered with, configure the 
device so that users must use HTTPS (Hypertext Transfer  Protocol Secure, which uses SSL) to log in to the 
web interface of the device.
    Add page 1993 to Favourites
    image text
    Enable zoom 
    							 328 
Figure 118 Network diagram 
 
 
Configuration considerations 
To achieve the goal, perform the following configurations: 
•  Configure Device to work as the HTTPS server and request a certificate for Device. 
•   Request a certificate for Host so that Device can authenticate the identity of Host. 
•   Configure a CA server to issue certificates to Device and Host.  
Configuration procedure 
In this example, Windows Ser ver works as the CA se rver and the Simple Certificate Enrollment Protocol 
(SCEP) plug-in is installed on the CA server.  
Before performing the following configurations, make sure the switch, the host, and the CA server can 
reach each other. 
1.  Configure the HTTPS server (Device): 
# Create a PKI entity named  en, and configure the common name as  http-server1 and the FQDN 
as  ssl.security.com . 
 system-view 
[Device] pki entity en 
[Device-pki-entity-en] common-name http-server1 
[Device-pki-entity-en] fqdn ssl.security.com 
[Device-pki-entity-en] quit 
# Create PKI domain  1, specify the trusted CA as  ca server, the URL of the registration server as 
http://10.1.2.2/certsrv/mscep/mscep.dll , the authority for certificate request as RA, and the 
entity for certificate request as  en. 
[Device] pki domain 1 
[Device-pki-domain-1] ca identifier ca server 
[Device-pki-domain-1] certificate request url 
http://10.1.2.2/certsrv/mscep/mscep.dll 
[Device-pki-domain-1] certificate request from ra 
[Device-pki-domain-1] certificate request entity en 
[Device-pki-domain-1] quit 
# Create the local RSA key pairs.  
[Device] public-key local create rsa 
# Retrieve the CA certificate.  
[Device] pki retrieval-certificate ca domain 1 
# Request a local certificate for Device. 
[Device] pki request-certificate domain 1
    Add page 1994 to Favourites
    image text
    Enable zoom 
    							 329 
# Create an SSL server policy named myssl.  
[Device] ssl server-policy myssl 
# Specify the PKI domain for the SSL server policy as  1.  
[Device-ssl-server-policy-myssl] pki-domain 1 
# Enable client authentication.  
[Device-ssl-server-policy-myssl] client-verify enable 
[Device-ssl-server-policy-myssl] quit 
# Configure HTTPS service to use SSL server policy  myssl. 
[Device] ip https ssl-server-policy myssl 
# Enable HTTPS service. 
[Device] ip https enable 
# Create a local user named  usera, and set the password to  123 and service type to telnet. 
[Device] local-user usera 
[Device-luser-usera] password simple 123 
[Device-luser-usera] service-type telnet 
2. Configure the HTTPS client (Host): 
On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar and request a certificate for 
Host as prompted. 
3. Verify your configuration: 
Launch IE on the host, enter https://10.1.1.1 in  the address bar, and select the certificate issued 
by the CA server. The web interface of the sw itch should appear. After entering username usera 
and password  123, you should be able to log in to the  web interface to access and manage the 
switch. 
For more information about PKI configuration commands, see 
1Configuring PKI . 
For more information about the  public-key local create rsa command, see Security Command Reference .  
For more information about HTTPS, see  Fundamentals Configuration Guide. 
Configuring an SSL client policy 
An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL 
client policy takes effect only after it is associated with an application layer protocol. 
If the SSL server is configured to authenticate the SS L client, you must configure the PKI domain for the SSL 
client policy to use to obtain the certificate of the client. For more information about PKI domain 
configuration, see 
1Configuring PKI . 
To configure an SSL client policy: 
 
Step Command Remarks 
1.   Enter system view. 
system-view N/A 
2.  Create an SSL client policy 
and enter its view.  ssl client-policy
 policy-name  N/A
    Add page 1995 to Favourites
    image text
    Enable zoom 
    							 330 
Step Command Remarks 
3.  Specify a PKI domain for the 
SSL client policy.  pki-domain 
domain-name  Optional. 
No PKI domain is configured by 
default. 
If the SSL server requires 
certificate-based authentication for 
SSL clients, you must use this 
command to specify a PKI domain 
for the client and request a local 
certificate for the client through the 
PKI domain. 
4.
  Specify the preferred cipher 
suite for the SSL client policy.  prefer-cipher 
{
 rsa_3des_ede_cbc_sha  | 
rsa_aes_128_cbc_sha  | 
rsa_aes_256_cbc_sha  | 
rsa_des_cbc_sha | 
rsa_rc4_128_md5 | 
rsa_rc4_128_sha  }  Optional. 
rsa_rc4_128_md5 by default. 
5.
  Specify the SSL protocol 
version for the SSL client 
policy.  version {
 ssl3.0 | tls1.0  }  Optional. 
TLS 1.0 by default. 
6.
  Enable the SSL client to 
perform certificate-based 
authentication for the SSL 
server.  server-verify enable 
Optional. 
Enabled by default. 
 
Displaying and maintaining SSL 
 
Task Command Remarks 
Display SSL server policy 
information. display ssl server-policy 
{
 policy-name  |  all  } [ |  { begin  | 
exclude  | include  } 
regular-expression  ]  Available in any view 
Display SSL client policy 
information.  display ssl client-policy 
{
 policy-name  |  all  } [ |  { begin  | 
exclude  | include  } 
regular-expression  ]   Available in any view
 
 
Troubleshooting SSL 
Symptom 
As the SSL server, the switch fails to handshake with the SSL client. 
Analysis 
SSL handshake failure may result from the following causes: 
•  The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the 
certificate is not trusted.
    Add page 1996 to Favourites
    image text
    Enable zoom 
    							 331 
•  The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the 
certificate is not trusted. 
•   The server and the client have no matching cipher suite. 
Solution 
1. Issue the debugging ssl  command and view the debugging in formation to locate the problem: 
{ If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, 
request one for it. 
{ If the server’s certificate cannot be trusted, insta ll the root certificate of the CA that issued the 
local certificate to the SSL server on the SSL client, or let the server request a certificate from the 
CA that the SSL client trusts. 
{  If the SSL server is configured to authenticate the client, but the SSL client has no certificate or 
the certificate cannot be trusted, reques t and install a certificate for the client. 
2. Use the  display ssl server-policy  command to view the cipher suites that the SSL server policy 
supports. If the server and the client ha ve no matching cipher suite, use the ciphersuite  command 
to modify the cipher suite configuration of the SSL server.
    Add page 1997 to Favourites
    image text
    Enable zoom 
    							 332 
Configuring TCP attack protection 
Overview 
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such 
an attack, the switch provides the SYN Cookie feature. 
Enabling the SYN Cookie feature 
As a general rule, the establishment of a TCP connection involves the following three handshakes. 
1. The request originator sends a SYN message to the target server. 
2. After receiving the SYN message, the target  server establishes a TCP connection in the 
SYN_RECEIVED state, returns a SYN ACK message  to the originator, and waits for a response. 
3. After receiving the SYN ACK message, the originat or returns an ACK message, establishing the 
TCP connection. 
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number 
of SYN messages to the server to establish TCP connections, but they never make any response to SYN 
ACK messages. As a result, a large number of incomp lete TCP connections are established, resulting in 
heavy resource consumption and making the se rver unable to handle services normally. 
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the 
server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only 
after receiving an ACK message from the client can the server establish a connection, and then enter the 
ESTABLISHED state. In this way, incomplete TCP co nnections could be avoided to protect the server 
against SYN Flood attacks. 
Follow these guidelines when you enable the SYN Cookie feature: 
•   If you enable MD5 authentication for TCP connections on the HP 5500 EI, the SYN Cookie 
configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN 
Cookie configuration automatically becomes effective. For more information about MD5 
authentication, see  Layer 3—IP Routing Configuration Guide.   
•   With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during 
TCP connection establishment, instead of  the window’s zoom factor and timestamp. 
To enable the SYN Cookie feature: 
 
Step Command  Remarks 
1.  Enter system view. 
system-view N/A 
2.  Enable the SYN Cookie feature. 
tcp syn-cookie enable Enabled by default 
 
Displaying and maintaining TCP attack protection
    Add page 1998 to Favourites
    image text
    Enable zoom 
    							 333 
Task Command Remarks 
Display current TCP connection state. display tcp status  [ | { begin |  exclude | 
include  } regular-expression ]   Available in any view
    Add page 1999 to Favourites
    image text
    Enable zoom 
    							 334 
Configuring IP source guard 
Overview 
IP source guard is intended to improve port security by blocking illegal packets. For example, it can 
prevent illegal hosts from using a legal IP address to access the network. 
IP source guard can filter packets according to the packet source IP address and source MAC address. 
IP source guard entries fall into the following types: 
•  IP-port binding entry 
•   MAC-port binding entry 
•   IP-MAC-port binding entry 
After receiving a packet, an IP source guard-enabled  port obtains the key attributes (source IP address 
and source MAC) of the packet and then looks them up in  the IP source guard entries. If there is a match, 
the port forwards the packet. Otherwise, the port discards the packet, as shown in  Figure 119. 
Figure 119  Diagram for the IP source g

uard function 
 
 
A binding entry can be statically configured or dynamically added. 
Static IP source guard entries 
A static IP source guard entry is configured manually.  It is suitable for scenarios where few hosts exist on 
a LAN and their IP addresses are manually configured. For example, you can configure a static binding 
entry on a port that connects a server, allowing the po rt to receive packets from and send packets to only 
the server. 
A static IPv4 source guard entry filters IPv4 packets re ceived by the port or cooperates with ARP detection 
to check the validity of users. A static IPv6 source  guard entry filters IPv6 packets received by the port 
cooperates with the ND detection feature to check the validity of users.  
For information about ARP detection, see  Configuring ARP attack protection. F
 or information about ND 
detection, see  Configuring ND attack defense . 
A stati

c IP source guard entry can be a gl obal or port-based static binding entry.
    Add page 2000 to Favourites
    image text
    Enable zoom 
    							 335 
Global static binding entry 
A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all 
ports. A port forwards a packet when the packet’s IP address and MAC address both match those of a 
global static binding entry or a static  binding entry configured on the port.  
Global static binding entries are us ed to protect against host spoofing attacks, which exploit the IP 
address or MAC address of a legal user host. 
Port-based static binding entry 
A port-based static bind ing entry binds an IP address, MAC address, or any combination of the three 
with a port. Such an entry is effective on only the specified port. A port forwards a packet only when the 
IP address and MAC address (if any) of the packet all ma tch those in a static binding entry on the port 
or a global static binding entry. All other packets will be dropped.  
Port-based static binding entries are used to check th e validity of users who are trying to access a port. 
Dynamic IP source guard entries 
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP 
snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside on a LAN 
and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard 
automatically adds the client entry to allow the client to access the network. A user using an IP address 
not obtained through DHCP cannot access the networ k. Dynamic IPv6 source guard entries can also be 
obtained from client entries on the ND snooping device. 
•   Dynamic IPv4 source guard entries are generated dynamically based on DHCP snooping or DHCP 
relay entries to filter incomi ng IPv4 packets on a port. 
•   Dynamic IPv6 source guard entries are generated dynamically based on DHCPv6 snooping or ND 
snooping entries to filter inco ming IPv6 packets on a port. 
For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see  Layer 
3—IP Services Configuration Guide . 
Configuration task list 
Complete the following tasks to configure IPv4 source guard:  
Task Remarks 
Configuring IPv4 source guard on a port  Required 
Configuring a static IPv4 source guard entry Optional 
Setting the maximum number of IPv4 source guard entries Optional 
 
Complete the following tasks to configure IPv6 source guard:  
Task Remarks 
Configuring IPv6 source guard on a port Required 
Configuring a static IPv6 source guard entry Optional 
Setting the maximum number of IPv6 source guard entries Optional
    All HP manuals Comments (0)

    Related Manuals for HP 5500 Ei 5500 Si Switch Series Configuration Guide