CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring the Device as an HTTPS Server

Networking Requirements

As shown in Figure 17-2, users access the gateway Router through the web.

To prevent data from being intercepted or tampered with during transmission, a network administrator requires that users use HTTPS to access the Router securely.

Figure 17-2  Networking diagram of HTTPS server configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and a VLANIF interface, and configure the interface to allow enterprise users to access the router.
  2. Configure a server SSL policy and apply the default PKI domain to the server SSL policy. The CA server is not required.
  3. Configure an HTTPS server to ensure confidentiality and integrity of data transmission between users and the Router.

Procedure

  1. Create a VLAN and configure the interface.

    # Create VLAN 11 on the Router.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 11
    

    # Add Eth0/0/1 connecting to users to VLAN 11.

    [Router] interface ethernet 0/0/1
    [Router-Ethernet0/0/1] port link-type access
    [Router-Ethernet0/0/1] port default vlan 11
    [Router-Ethernet0/0/1] quit

    # Create VLANIF 11 and assign IP address 10.1.1.1/24 to VLANIF 11.

    [Router] interface vlanif11
    [Router-Vlanif11] ip address 10.1.1.1 24
    [Router-Vlanif11] quit
    

  2. Configure a server SSL policy.

    # Apply the default PKI domain default to the server SSL policy.

    [Router] ssl policy userserver type server
    [Router-ssl-policy-userserver] pki-realm default
    

    # Set the maximum number of sessions that can be saved and the timeout period of a saved session.

    [Router-ssl-policy-userserver] session cachesize 20 timeout 7200
    [Router-ssl-policy-userserver] quit

  3. Configure the HTTPS server.

    # Bind the SSL policy userserver to the HTTPS server.

    [Router] http secure-server ssl-policy userserver

    # Configure the port number of the HTTPS service.

    [Router] http secure-server port 1278

    # Enable the HTTPS server function on the Router.

    [Router] http secure-server enable
    Warning: The HTTP server has not configured with SSL policy. Continue starting HTTP secure server? [Y/N]: y
      This operation will take several minutes, please wait.........................................................
    Info: Succeeded in starting the HTTPS server

  4. Verify the configuration.

    # Run the display ssl policy userserver command to view the configuration of the SSL policy userserver.

    [Router] display ssl policy userserver
      ------------------------------------------------------------------------------
      Policy name                             :   userserver                             
      Policy ID                               :   2                                
      Policy type                             :   Server                            
      Cipher suite                            :   rsa_aes_128_cbc_sha               
      PKI realm                               :   default                                  
      Cache number                            :   20                                
      Time out(second)                        :   7200                              
      Server certificate load status          :   loaded                            
      CA certificate chain load status        :   unloaded                            
      SSL renegotiation status                :   enable
      Bind number                             :   1                                 
      SSL connection number                   :   0                                 
      ------------------------------------------------------------------------------

    # Start the web browser on a computer, and enter https://10.1.1.1:1278 in the address box. The web management system is displayed, and you can manage the Router on the web pages.

Configuration Files

Configuration file of the Router

#                                                                               
 sysname Router
#
ssl policy userserver type server
 pki-realm default
 session cachesize 20 timeout 7200
#
 http secure-server ssl-policy userserver
 http secure-server enable
 http secure-server port 1278
#
vlan batch 11
#
interface Vlanif11
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 11
# 
return
Updated: 2019-05-25

Document ID: EDOC1000097287
