No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Using User ACLs to Control Network Access Rights of Enterprise's Internal Users Based on Groups

Example for Using User ACLs to Control Network Access Rights of Enterprise's Internal Users Based on Groups

Networking Requirements

As shown in Figure 2-21, a large number of terminals in an office area of an enterprise connect to the enterprise internal network through the switch. Some departments have multiple branches in different locations, so the terminals of the same department cannot use the IP addresses of the same network segment.

The administrator requires that the switch authenticate the terminals (including computers and printers) of every department, to prevent unauthorized users. In addition, due to the differentiated responsibilities, the administrator wants to grant different network access rights to the users of different department, avoiding secret information leak caused by mutual access between users.

The following requirements must be met:
  • The marketing department cannot access the IT department.
  • The R&D department cannot access the IT department.
Figure 2-21  Using user ACLs to control network access rights of enterprise's internal users based on groups

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain, and bind the RADIUS server template and AAA scheme to the authentication domain, ensuring that the Switch and RADIUS server can communicate with each other and terminals can be authenticated by the RADIUS server.

  2. Some terminals cannot have the 802.1X client installed, for example, printers. To ensure that all terminals can be authenticated, configure MAC address authentication and 802.1X authentication, and configure MAC address authentication to be used first.

  3. Each department has a large number of terminals and the terminals of some departments the same department are located on different network segments. The workload of configuring network access policy for the terminals one by one is huge. Therefore, configure the UCL group to classify the terminals into different types, and associate a user ACL with the UCL group so that the terminals in each group can share the ACL rules. The workload of administrator is reduced, and ACL resource use efficiency on the device is improved.

  4. Create service schemes and apply the service schemes to the UCL group to control the network access right of each department based on groups.

NOTE:

This example only provides the configurations on the Switch. The configurations on LAN switch and RADIUS server are not provided here.

Procedure

  1. Configure VLANs and IP addresses for interfaces to ensure network connections.

    # Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20 30 40
    

    # Configure GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 of Switch as trunk interfaces and add the interfaces to VLAN 10, VLAN 20, VLAN 30, and VLAN 40. Take the configurations on GE0/0/1 as an example. The configurations on GE0/0/2, GE0/0/3, and GE0/0/4 are similar to the configurations on GE0/0/1, and are not mentioned here.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet0/0/1] quit

    # Create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 40, and assign IP addresses to these VLANIF interfaces so that reachable routes can be set up between the terminals, Switch, and enterprise internal servers.

    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 192.168.1.1 24
    [Switch-Vlanif10] quit
    [Switch] interface vlanif 20
    [Switch-Vlanif20] ip address 192.168.2.1 24
    [Switch-Vlanif20] quit
    [Switch] interface vlanif 30
    [Switch-Vlanif30] ip address 192.168.3.1 24
    [Switch-Vlanif30] quit
    [Switch] interface vlanif 40
    [Switch-Vlanif40] ip address 192.168.4.29 24
    [Switch-Vlanif40] quit
    

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 192.168.4.30 1812
    [Switch-radius-rd1] radius-server shared-key cipher huawei@2017
    [Switch-radius-rd1] radius-server retransmit 2
    [Switch-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create authentication domain abc11, and bind the AAA scheme abc and RADIUS server template rd1 to the authentication domain.

    [Switch-aaa] domain abc11
    [Switch-aaa-domain-abc11] authentication-scheme abc
    [Switch-aaa-domain-abc11] radius-server rd1
    [Switch-aaa-domain-abc11] quit
    [Switch-aaa] quit
    

  3. Configure MAC address authentication and 802.1X authentication.

    # Set the NAC mode to unified mode.

    NOTE:

    By default, the NAC mode is unified mode, so this step can be skipped.

    After the common mode and unified mode are switched, you must restart the device to make each function take effect in the new mode.

    [Switch] authentication unified-mode
    # Configure a MAC access profile.
    [Switch] mac-access-profile name m1
    [Switch-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123    
    [Switch-mac-access-profile-m1] quit
    # Configure an 802.1X access profile.
    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [Switch] dot1x-access-profile name d1
    [Switch-dot1x-access-profile-d1] quit
    # Configure an authentication profile.
    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] mac-access-profile m1    
    [Switch-authen-profile-p1] dot1x-access-profile d1    
    [Switch-authen-profile-p1] authentication dot1x-mac-bypass
    [Switch-authen-profile-p1] quit

    # Enable MAC address authentication and 802.1X authentication on GE0/0/1, GE0/0/2, and GE0/0/3.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] authentication-profile p1
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] authentication-profile p1
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] authentication-profile p1
    [Switch-GigabitEthernet0/0/3] quit

  4. Create an UCL group, associate the user ACL with the UCL group, and apply the user ACL to filter packets.

    # Create UCL groups group_m and group_r. Add the marketing department to group_m and R&D department to group_r.

    [Switch] ucl-group 1 name group_m
    [Switch] ucl-group 2 name group_r
    
    NOTE:

    The user group information of marketing and R&D departments must have been configured on the RADIUS server.

    # Create user ACL 6001 and configure ACL rules. Configure rule 5 to prevent the marketing department from accessing the IT department; configure rule 10 to prevent the R&D department from accessing the IT department.

    [Switch] acl 6001
    [Switch-acl-ucl-6001] rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255
    [Switch-acl-ucl-6001] rule 10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255
    [Switch-acl-ucl-6001] quit
    

    # Configure user ACL-based packet filtering to make the user ACL take effect.

    [Switch] traffic-filter inbound acl 6001
    

  5. Configure service schemes service-scheme1 and service-scheme2, and apply the service schemes to UCL groups group_m and group_r to control the network access right of each department based on groups.

    [Switch] aaa
    [Switch-aaa] service-scheme service-scheme1 
    [Switch-aaa-service-service-scheme1] ucl-group name group_m
    [Switch-aaa-service-service-scheme1] quit
    [Switch-aaa] service-scheme service-scheme2 
    [Switch-aaa-service-service-scheme2] ucl-group name group_r
    [Switch-aaa-service-service-scheme2] quit
    [Switch-aaa] quit
    [Switch] quit
    NOTE:

    After the preceding steps are complete, configure the RADIUS server to associate the service schemes with users.

  6. Verify the configuration.

    # Run the display acl all command to view information about the user ACL.

    <Switch> display acl all
     Total nonempty ACL number is 1                                                                                                     
                                                                                                                                        
    Ucl-group ACL 6001, 2 rules                                                                                                         
    Acl's step is 5                                                                                                                     
     rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255                                   
     rule 10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255            
    

    # Run the display ucl-group all command to view information about all UCL groups.

    <Switch> display ucl-group all
    ID       UCL group name                                                         
    --------------------------------------------------------------------------------
    1        group_m                                                                
    2        group_r                                                                
    --------------------------------------------------------------------------------
    Total : 2  

    # Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1x protocol is Enabled) shows that the 802.1X authentication has been enabled on the interface GE0/0/1, GE0/0/2, and GE0/0/3.

    # Run the display mac-authen command to check the MAC address authentication configuration. The command output (MAC address authentication is enabled) shows that MAC address authentication has been enabled on the interface GE0/0/1, GE0/0/2, and GE0/0/3.

    # The marketing department cannot access the IT department and the R&D department cannot access the IT department.

Configuration Files

Switch configuration file

#
sysname Switch
#                                                                               
vlan batch 10 20 30 40
#
authentication-profile name p1
 dot1x-access-profile d1
 mac-access-profile m1
 authentication dot1x-mac-bypass
ucl-group 1 name group_m                                                                 
ucl-group 2 name group_r                                                                  
#
radius-server template rd1
 radius-server shared-key cipher %^%#zH_B2{mN=177WZ2z+G|5)c'OKD[VaPNYP4>&6uC~%^%#
 radius-server authentication 192.168.4.30 1812 weight 80
 radius-server retransmit 2
#
acl number 6001
 rule 5 deny ip source ucl-group name group_m destination 192.168.3.0 0.0.0.255                               
 rule 10 deny ip source ucl-group name group_r destination 192.168.3.0 0.0.0.255 
#
aaa
 authentication-scheme abc
  authentication-mode radius
 service-scheme service-scheme1                                               
  ucl-group name group_m                                                            
 service-scheme service-scheme2                                          
  ucl-group name group_r                                                        
 domain abc11
  authentication-scheme abc
  radius-server rd1
#                                                                               
interface Vlanif10                                                              
 ip address 192.168.1.1 255.255.255.0       
# 
interface Vlanif20                                                              
 ip address 192.168.2.1 255.255.255.0        
#
interface Vlanif30                                                              
 ip address 192.168.3.1 255.255.255.0        
#
interface Vlanif40                                                              
 ip address 192.168.4.29 255.255.255.0        
#                                                                               
interface GigabitEthernet0/0/1                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                           
 authentication-profile p1                               
#                                                                               
interface GigabitEthernet0/0/2                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                           
 authentication-profile p1
# 
interface GigabitEthernet0/0/3                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                           
 authentication-profile p1
# 
interface GigabitEthernet0/0/4                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 40
# 
traffic-filter inbound acl 6001
# 
dot1x-access-profile name d1
#
mac-access-profile name m1
 mac-authen username fixed A-123 password cipher %^%#(!XnF'#X^Sc=[&,fH38!OKNNEjez>NO`Z*NJK*s4%^%#
#
return
Translation
Download
Updated: 2019-03-28

Document ID: EDOC1000178177

Views: 219836

Downloads: 712

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next