Contents

Configuring AAA
About AAA
AAA implementation
AAA network diagram
RADIUS
HWTACACS
LDAP
User management based on ISP domains and user access types
Authentication, authorization, and accounting methods
AAA extended functions
AAA for MPLS L3VPNs
Protocols and standards
FIPS compliance
AAA tasks at a glance
Configuring local users
About local users
Local user configuration tasks at a glance
Configuring attributes for device management users
Configuring attributes for network access users
Configuring user group attributes
Configuring the local user auto-delete feature
Display and maintenance commands for local users and local user groups
Configuring RADIUS
RADIUS tasks at a glance
Configuring a test profile for RADIUS server status detection
Creating a RADIUS scheme
Specifying RADIUS authentication servers
Specifying the RADIUS accounting servers
Specifying the shared keys for secure RADIUS communication
Specifying the MPLS L3VPN instance for a RADIUS scheme
Setting the status of RADIUS servers
Setting RADIUS timers
Specifying the source IP address for outgoing RADIUS packets
Setting the username format and traffic statistics units
Setting the maximum number of RADIUS request transmission attempts
Setting the maximum number of real-time accounting attempts
Setting the DSCP priority for RADIUS packets
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
Interpreting the RADIUS class attribute as CAR parameters
Configuring the MAC address format for RADIUS attribute 31
Setting the data measurement unit for the Remanent_Volume attribute
Configuring the RADIUS attribute translation feature
Configuring RADIUS stop-accounting packet buffering
Enabling forcibly sending stop-accounting packets
Enabling the RADIUS server load sharing feature
Configuring the RADIUS accounting-on feature
Configuring the RADIUS session-control feature
Configuring the RADIUS DAS feature
Enabling SNMP notifications for RADIUS
Display and maintenance commands for RADIUS
Configuring HWTACACS
HWTACACS tasks at a glance
Creating an HWTACACS scheme
Specifying the HWTACACS authentication servers
Specifying the HWTACACS authorization servers
Specifying the HWTACACS accounting servers
Specifying the shared keys for secure HWTACACS communication
Specifying an MPLS L3VPN instance for the scheme
Setting HWTACACS timers
Specifying the source IP address for outgoing HWTACACS packets
Setting the username format and traffic statistics units
Configuring HWTACACS stop-accounting packet buffering
Display and maintenance commands for HWTACACS
Configuring LDAP
LDAP tasks at a glance
Creating an LDAP server
Configuring the IP address of the LDAP server
Specifying the LDAP version
Setting the LDAP server timeout period
Configuring administrator attributes
Configuring LDAP user attributes
Configuring an LDAP attribute map
Creating an LDAP scheme
Specifying the LDAP authentication server
Specifying the LDAP authorization server
Specifying an LDAP attribute map for LDAP authorization
Display and maintenance commands for LDAP
Creating an ISP domain
About ISP domains
Restrictions and guidelines for the default ISP domain
Creating an ISP domain
Specifying the default ISP domain
Specifying an ISP domain for users that are assigned to nonexistent domains
Configuring ISP domain attributes
Setting ISP domain status
Configuring authorization attributes for an ISP domain
Including the idle timeout period in the user online duration to be sent to the server
Applying an ITA policy to users in an ISP domain
Configuring AAA methods for an ISP domain
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Display and maintenance commands for ISP domains
Setting the maximum number of concurrent login users
Configuring and applying an ITA policy
About ITA policies
Procedure
Display and maintenance commands for ITA policies
Configuring a NAS-ID
Configuring the device ID
Configuring the connection recording policy
About the connection recording policy
Restrictions and guidelines
Procedure
Display and maintenance commands for the connection recording policy
AAA configuration examples
Example: Configuring AAA for SSH users by an HWTACACS server
Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Example: Configuring authentication and authorization for SSH users by a RADIUS server
Example: Configuring authentication for SSH users by an LDAP server
Example: Configuring AAA for 802.1X users by a RADIUS server
Troubleshooting AAA
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
LDAP authentication failure
Appendixes
Appendix A Commonly used RADIUS attributes
Appendix B Descriptions for commonly used standard RADIUS attributes
Appendix C RADIUS subattributes (vendor ID 25506)
802.1X overview
About the 802.1X protocol
802.1X architecture
Controlled/uncontrolled port and port authorization status
Packet exchange methods
Packet formats
802.1X authentication procedures
802.1X authentication initiation
Access control methods
802.1X VLAN manipulation
Authorization VLAN
Guest VLAN
Auth-Fail VLAN
Critical VLAN
Critical voice VLAN
802.1X VSI manipulation
802.1X support for VXLANs
Authorization VSI
Guest VSI
Auth-Fail VSI
Critical VSI
ACL assignment
User profile assignment
Redirect URL assignment
Periodic 802.1X reauthentication
EAD assistant
Configuring 802.1X
Restrictions and guidelines: 802.1X configuration
802.1X tasks at a glance
Prerequisites for 802.1X
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Specifying a mandatory authentication domain on a port
Setting the 802.1X authentication timeout timers
Configuring 802.1X reauthentication
Setting the quiet timer
Configuring an 802.1X guest VLAN
Enabling 802.1X guest VLAN assignment delay
Configuring an 802.1X Auth-Fail VLAN
Configuring an 802.1X critical VLAN
Configuring the 802.1X critical VLAN on a port
Sending EAP-Success packets to users in the 802.1X critical VLAN
Enabling the 802.1X critical voice VLAN
Configuring an 802.1X guest VSI
Enabling 802.1X guest VSI assignment delay
Configuring an 802.1X Auth-Fail VSI
Configuring an 802.1X critical VSI
Configuring the authentication trigger feature
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Configuring online user handshake
Specifying supported domain name delimiters
Sending 802.1X protocol packets out of a port without VLAN tags
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
Enabling 802.1X user IP freezing
Configuring 802.1X MAC address binding
Configuring the EAD assistant feature
Enabling logging for 802.1X users
Display and maintenance commands for 802.1X
802.1X authentication configuration examples
Example: Configuring basic 802.1X authentication
Example: Configuring 802.1X guest VLAN and authorization VLAN
Example: Configuring 802.1X with ACL assignment
Example: Configuring 802.1X guest VSI and authorization VSI
Example: Configuring 802.1X with EAD assistant (with DHCP relay agent)
Example: Configuring 802.1X with EAD assistant (with DHCP server)
Troubleshooting 802.1X
EAD assistant URL redirection failure
Configuring MAC authentication
About MAC authentication
User account policies
Authentication methods
VLAN assignment
VSI manipulation
ACL assignment
User profile assignment
Redirect URL assignment
Blackhole MAC attribute assignment
Periodic MAC reauthentication
Restrictions and guidelines: MAC authentication configuration
MAC authentication tasks at a glance
Prerequisites for MAC authentication
Enabling MAC authentication
Specifying a MAC authentication domain
Configuring the user account format
Configuring MAC authentication timers
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN
Configuring a MAC authentication guest VSI
Configuring a MAC authentication critical VSI
Enabling MAC authentication offline detection
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Configuring periodic MAC reauthentication
Including user IP addresses in MAC authentication requests
Enabling parallel processing of MAC authentication and 802.1X authentication
Enabling logging for MAC authentication users
Display and maintenance commands for MAC authentication
MAC authentication configuration examples
Example: Configuring local MAC authentication
Example: Configuring RADIUS-based MAC authentication
Example: Configuring ACL assignment for MAC authentication
Example: Configuring MAC authentication authorization VSI assignment
Configuring portal authentication
About portal authentication
Advantages of portal authentication
Extended portal functions
Portal system
Portal authentication using a remote portal server
Local portal service
Portal authentication modes
Portal authentication process
Portal support for EAP
Portal filtering rules
Restrictions and guidelines: Portal configuration
Portal authentication tasks at a glance
Prerequisites for portal authentication
Configuring a remote portal authentication server
Configuring a portal Web server
Portal Web server tasks at a glance
Configuring basic parameters for a portal Web server
Enabling the captive-bypass feature
Configuring a match rule for URL redirection
Configuring local portal service features
About the local portal service
Restrictions and guidelines for configuring local portal service features
Customizing authentication pages
Configuring a local portal Web service
Enabling portal authentication on an interface
Specifying a portal Web server on an interface
Configuring a portal preauthentication domain
Specifying a preauthentication IP address pool
Specifying a portal authentication domain
About portal authentication domains
Restrictions and guidelines for specifying a portal authentication domain
Specifying a portal authentication domain on an interface
Controlling portal user access
Configuring a portal-free rule
Configuring an authentication source subnet
Configuring an authentication destination subnet
Setting the maximum number of portal users
Enabling strict-checking on portal authorization information
Allowing only users with DHCP-assigned IP addresses to pass portal authentication
Configuring support of Web proxy for portal authentication
Enabling portal roaming
Configuring the portal fail-permit feature
Configuring portal detection features
Configuring online detection of portal users
Configuring portal authentication server detection
Configuring portal Web server detection
Configuring portal user synchronization
Configuring portal packet attributes
Configuring the BAS-IP or BAS-IPv6 attribute
Specifying the device ID
Configuring attributes for RADIUS packets
Specifying a format for the NAS-Port-Id attribute
Applying a NAS-ID profile to an interface
Disabling the Rule ARP or ND entry feature for portal clients
Logging out online portal users
Enabling portal user login/logout logging
Configuring Web redirect
Display and maintenance commands for portal
Portal configuration examples
Example: Configuring direct portal authentication
Example: Configuring re-DHCP portal authentication
Example: Configuring cross-subnet portal authentication
Example: Configuring extended direct portal authentication
Example: Configuring extended re-DHCP portal authentication
Example: Configuring extended cross-subnet portal authentication
Example: Configuring portal server detection and portal user synchronization
Example: Configuring cross-subnet portal authentication for MPLS L3VPNs
Example: Configuring direct portal authentication with a preauthentication domain
Example: Configuring re-DHCP portal authentication with a preauthentication domain
Example: Configuring direct portal authentication using a local portal Web service
Troubleshooting portal
No portal authentication page is pushed for users
Cannot log out portal users on the access device
Cannot log out portal users on the RADIUS server
Users logged out by the access device still exist on the portal authentication server
Re-DHCP portal authenticated users cannot log in successfully
Configuring Web authentication
About Web authentication
Advantages of Web authentication
Web authentication system
Web authentication process
Web authentication support for VLAN assignment
Web authentication support for authorization ACLs
Restrictions and guidelines: Web authentication configuration
Web authentication tasks at a glance
Prerequisites for Web authentication
Configuring a Web authentication server
Enabling Web authentication
Specifying a Web authentication domain
Setting the redirection wait time
Configuring a Web authentication-free subnet
Setting the maximum number of Web authentication users
Configuring online Web authentication user detection
Configuring an Auth-Fail VLAN
Configuring Web authentication to support Web proxy
Display and maintenance commands for Web authentication
Web authentication configuration examples
Example: Configuring Web authentication by using the local authentication method
Example: Configuring Web authentication by using the RADIUS authentication method
Troubleshooting Web authentication
Failure to come online (local authentication interface using the default ISP domain)
Configuring triple authentication
About triple authentication
Typical network of triple authentication
Triple authentication mechanism
Triple authentication support for VLAN assignment
Triple authentication support for ACL authorization
Triple authentication support for online user detection
Restrictions and guidelines: Triple authentication
Triple authentication tasks at a glance
Triple authentication configuration examples
Example: Configuring basic triple authentication
Example: Configuring triple authentication to support authorization VLAN and authentication failure VLAN
Configuring port security
About port security
Major functions
Port security features
Port security modes
Restrictions and guidelines: Port security configuration
Port security tasks at a glance
Enabling port security
Setting the port security mode
Setting port security's limit on the number of secure MAC addresses on a port
Configuring secure MAC addresses
About secure MAC addresses
Prerequisites
Adding secure MAC addresses
Enabling inactivity aging for secure MAC addresses
Enabling the dynamic secure MAC feature
Configuring NTK
Configuring intrusion protection
Ignoring authorization information from the server
Enabling MAC move
Enabling the authorization-fail-offline feature
Setting port security's limit on the number of MAC addresses for specific VLANs on a port
Enabling open authentication mode
Applying a NAS-ID profile to port security
Configuring the escape critical VSI feature
Enabling SNMP notifications for port security
Enabling logging for port security users
Display and maintenance commands for port security
Port security configuration examples
Example: Configuring port security in autoLearn mode
Example: Configuring port security in userLoginWithOUI mode
Example: Configuring port security in macAddressElseUserLoginSecure mode
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Configuring user profiles
About user profiles
Prerequisites for user profile
Configuring a user profile
Display and maintenance commands for user profiles
User profile configuration examples
Example: Configuring user profiles and QoS policies
Configuring password control
About password control
Password setting
Password updating and expiration
User login control
Password not displayed in any form
Logging
FIPS compliance
Restrictions and guidelines: Password control configuration
Password control tasks at a glance
Enabling password control
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Display and maintenance commands for password control
Password control configuration examples
Example: Configuring password control
Configuring keychains
About keychains
Restrictions and guidelines: Keychain configuration
Configuring a keychain
Display and maintenance commands for keychain
Keychain configuration example
Example: Configuring keychains
Managing public keys
About public key management
Asymmetric key algorithm overview
Usage of asymmetric key algorithms
FIPS compliance
Public key management tasks at a glance
Creating a local key pair
Distributing a local host public key
About distribution of local host public keys
Exporting a host public key
Displaying a host public key
Configuring a peer host public key
About peer host public key configuration
Restrictions and guidelines for peer host public key configuration
Importing a peer host public key from a public key file
Entering a peer host public key
Destroying a local key pair
Display and maintenance commands for public keys
Examples of public key management
Example: Entering a peer host public key
Example: Importing a public key from a public key file
Configuring PKI
About PKI
PKI terminology
PKI architecture
Retrieval, usage, and maintenance of a digital certificate
PKI applications
Support for MPLS L3VPN
FIPS compliance
PKI tasks at a glance
Configuring a PKI entity
Configuring a PKI domain
About PKI domain
PKI domain tasks at a glance
Creating a PKI domain
Specifying the trusted CA
Specifying the PKI entity name
Specifying the certificate request reception authority
Specifying the certificate request URL
Setting the SCEP polling interval and maximum polling attempts
Specifying the LDAP server
Specifying the fingerprint for root CA certificate verification
Specifying the key pair for certificate request
Specifying the intended purpose for the certificate
Specifying the source IP address for PKI protocol packets
Specifying the storage path for certificates and CRLs
Requesting a certificate
About certificate request configuration
Restrictions and guidelines for certificate request configuration
Prerequisites for certificate request configuration
Enabling the automatic online certificate request mode
Manually submitting an online certificate request
Manually submitting a certificate request in offline mode
Aborting a certificate request
Obtaining certificates
Verifying PKI certificates
About certificate verification
Restrictions and guidelines for certificate verification
Verifying certificates with CRL checking
Verifying certificates without CRL checking
Exporting certificates
Removing a certificate
Configuring a certificate-based access control policy
About certificate-based access control policies
Procedure
Display and maintenance commands for PKI
PKI configuration examples
Example: Requesting a certificate from an RSA Keon CA server
Example: Requesting a certificate from a Windows Server 2003 CA server
Example: Requesting a certificate from an OpenCA server
Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
Example: Configuring a certificate-based access control policy
Example: Importing and exporting certificates
Troubleshooting PKI configuration
Failed to obtain the CA certificate
Failed to obtain local certificates
Failed to request local certificates
Failed to obtain CRLs
Failed to import the CA certificate
Failed to import the local certificate
Failed to export certificates
Failed to set the storage path
Configuring IPsec
About IPsec
IPsec framework
IPsec security services
Benefits of IPsec
Security protocols
Encapsulation modes
Security association
Authentication and encryption
IPsec-protected traffic
ACL-based IPsec
IPv6 routing protocol-based IPsec
IPsec policy and IPsec profile
IPsec RRI
Protocols and standards
FIPS compliance
Restrictions and guidelines: IPsec configuration
Implementing ACL-based IPsec
ACL-based IPsec tasks at a glance
Configuring an ACL
Configuring an IPsec transform set
Configuring a manual IPsec policy
Configuring an IKE-based IPsec policy
Applying an IPsec policy to an interface
Enabling ACL checking for de-encapsulated packets
Configuring IPsec anti-replay
Configuring IPsec anti-replay redundancy
Binding a source interface to an IPsec policy
Enabling QoS pre-classify
Configuring the DF bit of IPsec packets
Configuring IPsec RRI
Configuring IPsec for IPv6 routing protocols
IPsec protection for IPv6 routing protocols tasks at a glance
Configuring a manual IPsec profile
Applying the IPsec profile to an IPv6 routing protocol
Configuring the global IPsec SA lifetime and idle timeout
Configuring IPsec fragmentation
Setting the maximum number of IPsec tunnels
Enabling logging for IPsec packets
Configuring SNMP notifications for IPsec
Display and maintenance commands for IPsec
IPsec configuration examples
Example: Configuring a manual mode IPsec tunnel for IPv4 packets
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets
Example: Configuring IPsec for RIPng
Example: Configuring IPsec RRI
Configuring IKE
About IKE
Benefits of IKE
Relationship between IPsec and IKE
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE tasks at a glance
Prerequisites for IKE configuration
Configuring an IKE profile
Creating an IKE profile
Configuring peer IDs for the IKE profile
Specifying the IKE keychain or PKI domain
Configuring the IKE phase 1 negotiation mode
Specifying IKE proposals for the IKE profile
Configuring the local ID for the IKE profile
Specifying an inside VPN instance for the IKE profile
Configuring optional features for the IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring the global identity information
Configuring the IKE keepalive feature
Configuring the IKE NAT keepalive feature
Configuring global IKE DPD
Enabling invalid SPI recovery
Setting the maximum number of IKE SAs
Configuring SNMP notifications for IKE
Display and maintenance commands for IKE
IKE configuration examples
Example: Configuring main-mode IKE with pre-shared key authentication
Example: Configuring an IKE-based IPsec tunnel for IPv4 packets
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information
Configuring IKEv2
About IKEv2
IKEv2 negotiation process
New features in IKEv2
Protocols and standards
IKEv2 tasks at a glance
Prerequisites for IKEv2 configuration
Configuring an IKEv2 profile
Creating an IKEv2 profile
Specifying the local and remote identity authentication methods
Configuring the IKEv2 keychain or PKI domain
Configuring the local ID for the IKEv2 profile
Configuring peer IDs for the IKEv2 profile
Specifying a VPN instance for the IKEv2 profile
Specifying an inside VPN instance for the IKEv2 profile
Configuring optional features for the IKEv2 profile
Configuring an IKEv2 policy
Configuring an IKEv2 proposal
Configuring an IKEv2 keychain
Configuring global IKEv2 parameters
Enabling the cookie challenging feature
Configuring the IKEv2 DPD feature
Configuring the IKEv2 NAT keepalive feature
Display and maintenance commands for IKEv2
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec tunnel establishment failed
Configuring SSH
About SSH
SSH applications
How SSH works
SSH authentication methods
SSH support for Suite B
FIPS compliance
Configuring the device as an SSH server
SSH server tasks at a glance
Generating local key pairs
Specifying the SSH service port
Enabling the Stelnet server
Enabling the SFTP server
Enabling the SCP server
Enabling NETCONF over SSH
Configuring the user lines for SSH login
Configuring a client's host public key
Configuring an SSH user
Configuring the SSH management parameters
Specifying a PKI domain for the SSH server
Disconnecting SSH sessions
Configuring the device as an Stelnet client
Stelnet client tasks at a glance
Generating local key pairs
Specifying the source IP address for outgoing SSH packets
Establishing a connection to an Stelnet server
Deleting server public keys saved in the public key file on the Stelnet client
Establishing a connection to an Stelnet server based on Suite B
Configuring the device as an SFTP client
SFTP client tasks at a glance
Generating local key pairs
Specifying the source IP address for outgoing SFTP packets
Establishing a connection to an SFTP server
Deleting server public keys saved in the public key file on the SFTP client
Establishing a connection to an SFTP server based on Suite B
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
SCP client tasks at a glance
Generating local key pairs
Specifying the source IP address for outgoing SCP packets
Establishing a connection to an SCP server
Deleting server public keys saved in the public key file on the SCP client
Establishing a connection to an SCP server based on Suite B
Specifying algorithms for SSH2
About algorithms for SSH2
Specifying key exchange algorithms for SSH2
Specifying public key algorithms for SSH2
Specifying encryption algorithms for SSH2
Specifying MAC algorithms for SSH2
Display and maintenance commands for SSH
Stelnet configuration examples
Example: Configuring the device as an Stelnet server (password authentication)
Example: Configuring the device as an Stelnet server (publickey authentication)
Example: Configuring the device as an Stelnet client (password authentication)
Example: Configuring the device as an Stelnet client (publickey authentication)
Example: Configuring Stelnet based on 128-bit Suite B algorithms
SFTP configuration examples
Example: Configuring the device as an SFTP server (password authentication)
Example: Configuring the device as an SFTP client (publickey authentication)
Example: Configuring SFTP based on 192-bit Suite B algorithms
SCP configuration examples
Example: Configuring SCP with password authentication
Example: Configuring SCP based on Suite B algorithms
NETCONF over SSH configuration examples
Example: Configuring NETCONF over SSH with password authentication
Configuring SSL
About SSL
SSL security services
SSL protocol stack
SSL protocol versions
FIPS compliance
Restrictions and guidelines: SSL configuration
SSL tasks at a glance
Configuring the SSL server
Configuring the SSL client
Configuring an SSL server policy
Configuring an SSL client policy
Disabling SSL protocol versions for the SSL server
Disabling SSL session renegotiation
Display and maintenance commands for SSL
Configuring attack detection and prevention
About attack detection and prevention
Attacks that the device can prevent
Single-packet attacks
Scanning attacks
Flood attacks
TCP fragment attack
Login DoS attack
Login dictionary attack
IP blacklist feature
Attack detection and prevention tasks at a glance
Configuring and applying an attack defense policy
Creating an attack defense policy
Configuring a single-packet attack defense policy
Configuring a scanning attack defense policy
Configuring a flood attack defense policy
Configuring attack detection exemption
Applying an attack defense policy to the device
Enabling log non-aggregation for single-packet attack events
Configuring TCP fragment attack prevention
Configuring the IP blacklist feature
Configuring login attack prevention
Enabling the login delay
Display and maintenance commands for attack detection and prevention
Attack detection and prevention configuration examples
Example: Applying an attack defense policy to the device
Example: Configuring IP blacklist
Configuring TCP attack prevention
About TCP attack prevention
Configuring Naptha attack prevention
Configuring IP source guard
About IPSG
IPSG operating mechanism
Static IPSG bindings
Dynamic IPSG bindings
Restrictions and guidelines: IPSG configuration
IPSG tasks at a glance
Configuring the IPv4SG feature
Enabling IPv4SG on an interface
Configuring a static IPv4SG binding
Configuring the IPv6SG feature
Enabling IPv6SG on an interface
Configuring a static IPv6SG binding
Display and maintenance commands for IPSG
IPSG configuration examples
Example: Configuring static IPv4SG
Example: Configuring DHCP snooping-based dynamic IPv4SG
Example: Configuring DHCP relay agent-based dynamic IPv4SG
Example: Configuring static IPv6SG
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings
Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG
Configuring ARP attack protection
About ARP attack protection
ARP attack protection tasks at a glance
Configuring unresolvable IP attack protection
About unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Display and maintenance commands for unresolvable IP attack protection
Example: Configuring unresolvable IP attack protection
Configuring ARP packet rate limit
Configuring source MAC-based ARP attack detection
About source MAC-based ARP attack detection
Restrictions and guidelines
Procedure
Display and maintenance commands for source MAC-based ARP attack detection
Example: Configuring source MAC-based ARP attack detection
Configuring ARP packet source MAC consistency check
About ARP packet source MAC consistency check
Procedure
Configuring ARP active acknowledgement
Configuring authorized ARP
About authorized ARP
Procedure
Example: Configuring authorized ARP on a DHCP server
Example: Configuring authorized ARP on a DHCP relay agent
Configuring ARP attack detection
About ARP attack detection
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Ignoring ingress ports of ARP packets during user validity check
Enabling ARP attack detection logging
Display and maintenance commands for ARP attack detection
Example: Configuring user validity check
Example: Configuring user validity check and ARP packet validity check
Example: Configuring ARP restricted forwarding
Configuring ARP scanning and fixed ARP
Configuring ARP gateway protection
About ARP gateway protection
Restrictions and guidelines
Procedure
Example: Configuring ARP gateway protection
Configuring ARP filtering
About ARP filtering
Restrictions and guidelines
Procedure
Example: Configuring ARP filtering
Configuring ARP sender IP address checking
About ARP sender IP address checking
Restrictions and guidelines
Procedure
Example: Configuring ARP sender IP address checking
Configuring ND attack defense
About ND attack defense
ND attack defense tasks at a glance
Enabling source MAC consistency check for ND messages
Configuring ND attack detection
About ND attack detection
Restrictions and guidelines
Procedure
Display and maintenance commands for ND attack detection
Example: Configuring ND attack detection
Configuring RA guard
About RA guard
Specifying the role of the attached device
Configuring and applying an RA guard policy
Enabling the RA guard logging feature
Display and maintenance commands for RA guard
Example: Configuring RA guard
Configuring uRPF
About uRPF
uRPF application scenario
uRPF check modes
uRPF extended functions
Network application
Enabling uRPF globally
Display and maintenance commands for uRPF
Configuring MFF
About MFF
MFF network model
Port roles
Processing of ARP packets in MFF
MFF default gateway
Protocols and standards
MFF tasks at a glance
Enabling MFF
Configuring a network port
Enabling periodic gateway probe
Specifying the IP addresses of servers
Display and maintenance commands for MFF
MFF configuration examples
Example: Configuring MFF in a tree network
Example: Configuring MFF in a ring network
Configuring crypto engines
About crypto engines
Crypto engine types
Crypto engine processing mechanism
Display and maintenance commands for crypto engines
Configuring FIPS
About FIPS
FIPS security levels
FIPS functionality
FIPS self-tests
Restrictions and guidelines: FIPS
Entering FIPS mode
About entering FIPS mode
Restrictions and guidelines
Using the automatic reboot method to enter FIPS mode
Using the manual reboot method to enter FIPS mode
Manually triggering self-tests
Exiting FIPS mode
Display and maintenance commands for FIPS
FIPS configuration examples
Example: Entering FIPS mode through automatic reboot
Example: Entering FIPS mode through manual reboot
Example: Exiting FIPS mode through automatic reboot
Example: Exiting FIPS mode through manual reboot
Configuring MACsec
About MACsec
Basic concepts
MACsec services
MACsec application modes
MACsec operating mechanism
Protocols and standards
Restrictions: Hardware compatibility with MACsec
MACsec tasks at a glance
Enabling MKA
Enabling MACsec desire
Configuring a preshared key
Configuring the MKA key server priority
Configuring MACsec protection parameters
About MACsec protection parameters
Restrictions and guidelines for MACsec protection parameter configuration
Configuring MACsec protection parameters in interface view
Configuring MACsec protection parameters by MKA policy
Enabling MKA session logging
Display and maintenance commands for MACsec
MACsec configuration examples
Example: Configuring client-oriented MACsec
Example: Configuring device-oriented MACsec
Troubleshooting MACsec
Cannot establish MKA sessions between MACsec devices
Document conventions and icons
Conventions
Network topology icons
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback