Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Using User ACLs to Control Network Access Rights of Enterprise's Internal Users Based on Groups

Networking Requirements

As shown in Figure 1-22, a large number of terminals in an office area of an enterprise connect to the enterprise internal network through the switch. A department has multiple branches in different locations, so the terminals of the same department cannot all use IP addresses on the same network segment.

The administrator requires that the switch authenticate the terminals (including computers and printers) of every department to keep out unauthorized users. In addition, because responsibilities differ between departments, the administrator wants to grant different network access rights to the users of different departments, preventing leakage of confidential information through mutual access between users.

The following requirements must be met:
  • The marketing and R&D departments cannot communicate with each other.
  • The marketing and IT departments cannot communicate with each other.
Figure 1-22  Using user ACLs to control network access rights of enterprise's internal users based on groups

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain, and bind the RADIUS server template and AAA scheme to the authentication domain, ensuring that the Switch and RADIUS server can communicate with each other and terminals can be authenticated by the RADIUS server.

  2. Some terminals cannot have the 802.1X client installed, for example, printers. To ensure that all terminals can be authenticated, configure MAC address authentication and 802.1X authentication, and configure MAC address authentication to be used first.

  3. Each department has a large number of terminals, and the terminals of the same department are located on different network segments, so configuring a network access policy for the terminals one by one would be a huge workload. Therefore, configure UCL groups to classify the terminals into different types, and associate a user ACL with the UCL groups so that the terminals in each group share the same ACL rules. This reduces the administrator's workload and improves ACL resource usage on the device.

  4. Create service schemes and apply the service schemes to the UCL group to control the network access right of each department based on groups.

NOTE:

This example only provides the configuration on the Switch. The configurations on the LAN switch and the RADIUS server are not provided here.

Procedure

  1. Configure VLANs and IP addresses for interfaces to ensure network connections.

    # Create VLAN 10, VLAN 20, VLAN 30, and VLAN 40.

    <Quidway> system-view
    [Quidway] sysname Switch
    [Switch] vlan batch 10 20 30 40
    

    # Configure GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 of Switch as trunk interfaces and add the interfaces to VLAN 10, VLAN 20, VLAN 30, and VLAN 40. Take the configurations on GE1/0/1 as an example. The configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configurations on GE1/0/1, and are not mentioned here.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet1/0/1] quit

    # Create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 40, and assign IP addresses to these VLANIF interfaces so that reachable routes can be set up between the terminals, Switch, and enterprise internal servers.

    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 192.168.1.1 24
    [Switch-Vlanif10] quit
    [Switch] interface vlanif 20
    [Switch-Vlanif20] ip address 192.168.2.1 24
    [Switch-Vlanif20] quit
    [Switch] interface vlanif 30
    [Switch-Vlanif30] ip address 192.168.3.1 24
    [Switch-Vlanif30] quit
    [Switch] interface vlanif 40
    [Switch-Vlanif40] ip address 192.168.4.29 24
    [Switch-Vlanif40] quit
    

  2. Create and configure a RADIUS server template, an AAA scheme, and an authentication domain.

    # Create and configure the RADIUS server template rd1.

    [Switch] radius-server template rd1
    [Switch-radius-rd1] radius-server authentication 192.168.4.30 1812
    [Switch-radius-rd1] radius-server shared-key cipher huawei@2017
    [Switch-radius-rd1] radius-server retransmit 2
    [Switch-radius-rd1] quit

    # Create AAA scheme abc and set the authentication mode to RADIUS.

    [Switch] aaa
    [Switch-aaa] authentication-scheme abc
    [Switch-aaa-authen-abc] authentication-mode radius
    [Switch-aaa-authen-abc] quit

    # Create authentication domain abc11, and bind the AAA scheme abc and RADIUS server template rd1 to the authentication domain.

    [Switch-aaa] domain abc11
    [Switch-aaa-domain-abc11] authentication-scheme abc
    [Switch-aaa-domain-abc11] radius-server rd1
    [Switch-aaa-domain-abc11] quit
    [Switch-aaa] quit
    

  3. Configure MAC address authentication and 802.1X authentication.

    # Set the NAC mode to unified mode.

    NOTE:

    By default, the NAC mode is unified mode, so this step can be skipped.

    After you switch between common mode and unified mode, you must restart the device for each function to take effect in the new mode.

    [Switch] authentication unified-mode

    # Configure a MAC access profile.

    [Switch] mac-access-profile name m1
    [Switch-mac-access-profile-m1] mac-authen username fixed A-123 password cipher Huawei123
    [Switch-mac-access-profile-m1] quit

    # Configure an 802.1X access profile.

    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [Switch] dot1x-access-profile name d1
    [Switch-dot1x-access-profile-d1] quit

    # Configure an authentication profile.

    [Switch] authentication-profile name p1
    [Switch-authen-profile-p1] mac-access-profile m1
    [Switch-authen-profile-p1] dot1x-access-profile d1
    [Switch-authen-profile-p1] authentication dot1x-mac-bypass
    [Switch-authen-profile-p1] quit

    # Enable MAC address authentication and 802.1X authentication on GE1/0/1, GE1/0/2, and GE1/0/3.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] authentication-profile p1
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] authentication-profile p1
    [Switch-GigabitEthernet1/0/2] quit
    [Switch] interface gigabitethernet 1/0/3
    [Switch-GigabitEthernet1/0/3] authentication-profile p1
    [Switch-GigabitEthernet1/0/3] quit

  4. Create UCL groups, associate a user ACL with the UCL groups, and apply the user ACL to filter packets.

    # Create UCL groups group_m, group_r, and group_it. Add the marketing department to group_m, R&D department to group_r, and IT department to group_it.

    [Switch] ucl-group 1 name group_m
    [Switch] ucl-group 2 name group_r
    [Switch] ucl-group 3 name group_it
    
    NOTE:

    The user group information of marketing, IT and R&D departments must have been configured on the RADIUS server.

    # Create user ACL 6001 and configure ACL rules. Configure rule 5 and rule 10 to prevent access between the marketing and R&D departments; configure rule 15 and rule 20 to prevent access between the marketing and IT departments.

    [Switch] acl 6001
    [Switch-acl-ucl-6001] rule 5 deny ip source ucl-group name group_m destination ucl-group name group_r
    [Switch-acl-ucl-6001] rule 10 deny ip source ucl-group name group_r destination ucl-group name group_m
    [Switch-acl-ucl-6001] rule 15 deny ip source ucl-group name group_m destination ucl-group name group_it
    [Switch-acl-ucl-6001] rule 20 deny ip source ucl-group name group_it destination ucl-group name group_m
    [Switch-acl-ucl-6001] quit
    

    # Configure user ACL-based packet filtering to make the user ACL take effect.

    [Switch] traffic-filter inbound acl 6001
    

  5. Configure service schemes service-scheme1, service-scheme2, and service-scheme3, and apply the service schemes to UCL groups group_m, group_r, and group_it to control the network access right of each department based on groups.

    [Switch] aaa
    [Switch-aaa] service-scheme service-scheme1 
    [Switch-aaa-service-service-scheme1] ucl-group name group_m
    [Switch-aaa-service-service-scheme1] quit
    [Switch-aaa] service-scheme service-scheme2 
    [Switch-aaa-service-service-scheme2] ucl-group name group_r
    [Switch-aaa-service-service-scheme2] quit
    [Switch-aaa] service-scheme service-scheme3 
    [Switch-aaa-service-service-scheme3] ucl-group name group_it
    [Switch-aaa-service-service-scheme3] quit
    [Switch-aaa] quit
    [Switch] quit
    NOTE:

    After the preceding steps are complete, configure the RADIUS server to associate the service schemes with users.

  6. Verify the configuration.

    # Run the display acl all command to view information about the user ACL.

    <Switch> display acl all
     Total nonempty ACL number is 1

    Ucl-group ACL 6001, 4 rules
    Acl's step is 5
     rule 5 deny ip source ucl-group name group_m destination ucl-group name group_r
     rule 10 deny ip source ucl-group name group_r destination ucl-group name group_m
     rule 15 deny ip source ucl-group name group_m destination ucl-group name group_it
     rule 20 deny ip source ucl-group name group_it destination ucl-group name group_m
    

    # Run the display ucl-group all command to view information about all UCL groups.

    <Switch> display ucl-group all
    ID       UCL group name
    --------------------------------------------------------------------------------
    1        group_m
    2        group_r
    3        group_it
    --------------------------------------------------------------------------------
    Total : 3

    # Run the display dot1x command to check the 802.1X authentication configuration. The command output (802.1x protocol is Enabled) shows that 802.1X authentication has been enabled on interfaces GE1/0/1, GE1/0/2, and GE1/0/3.

    # Run the display mac-authen command to check the MAC address authentication configuration. The command output (MAC address authentication is enabled) shows that MAC address authentication has been enabled on interfaces GE1/0/1, GE1/0/2, and GE1/0/3.

    # The marketing and R&D departments, and the marketing and IT departments cannot communicate with each other.
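The following Python model is an added illustration of what step 4 configures; it is not Huawei code and does not reproduce any Huawei API. It renders the four deny rules of ACL 6001 from the two isolated department pairs, evaluates traffic between constructed sample terminals by the UCL group each one was assigned (as the RADIUS service scheme would assign it) rather than by IP address, and counts how many subnet-pair rules an ordinary IP-based ACL would need for the same policy. Terminal names and addresses are constructed, and the model assumes that a packet matching no rule is permitted, so only the explicit deny rules drop traffic.

```python
"""Added example (not Huawei code): a small model of how the user ACL on this
page matches traffic by UCL group instead of by IP address.

Assumptions made here and not stated on the page:
  * a terminal's group is whatever the RADIUS service scheme assigned to it
    after authentication, independent of its IP address or VLAN;
  * a packet that matches no rule is permitted, so only the explicit deny
    rules drop traffic.
Terminal names and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "deny" or "permit"
    src_group: str
    dst_group: str

    def cli(self):
        """Render the rule in the syntax used in the page's acl 6001."""
        return (f"rule {self.rule_id} {self.action} ip source ucl-group name "
                f"{self.src_group} destination ucl-group name {self.dst_group}")


def isolation_rules(isolated_pairs, step=5):
    """Build symmetric deny rules for each pair of groups that must not talk.

    Rule IDs follow the ACL step (5 on the page), one rule per direction.
    """
    rules = []
    rule_id = step
    for a, b in isolated_pairs:
        for src, dst in ((a, b), (b, a)):
            rules.append(Rule(rule_id, "deny", src, dst))
            rule_id += step
    return rules


def evaluate(rules, src_group, dst_group):
    """First-match evaluation in rule-ID order; unmatched traffic is permitted."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.src_group == src_group and rule.dst_group == dst_group:
            return rule.action
    return "permit"   # assumption: traffic-filter forwards unmatched packets


# Constructed terminals: name -> (IP/prefix, UCL group assigned by RADIUS).
# Marketing is split across two subnets and shares one of them with IT.
TERMINALS = {
    "pc-mkt-1":     ("192.168.1.10/24", "group_m"),
    "pc-mkt-2":     ("192.168.3.10/24", "group_m"),
    "pc-rd-1":      ("192.168.2.10/24", "group_r"),
    "printer-it-1": ("192.168.3.20/24", "group_it"),
}

# The two prohibitions from the page's networking requirements.
ISOLATED_PAIRS = [("group_m", "group_r"), ("group_m", "group_it")]
PAGE_RULES = isolation_rules(ISOLATED_PAIRS)


def decision(src_name, dst_name, rules=PAGE_RULES, terminals=TERMINALS):
    """Decide whether traffic from one terminal to another passes the user ACL."""
    src_group = terminals[src_name][1]
    dst_group = terminals[dst_name][1]
    return evaluate(rules, src_group, dst_group)


def ip_rule_count(isolated_pairs, terminals=TERMINALS):
    """Number of subnet-pair deny rules an IP-based ACL would need for the
    same policy: one per (source subnet, destination subnet, direction)."""
    subnets = {}
    for addr, group in terminals.values():
        subnets.setdefault(group, set()).add(ip_interface(addr).network)
    return sum(2 * len(subnets[a]) * len(subnets[b]) for a, b in isolated_pairs)


if __name__ == "__main__":
    for rule in PAGE_RULES:
        print(rule.cli())
    for src, dst in [("pc-mkt-1", "pc-rd-1"), ("pc-rd-1", "pc-mkt-2"),
                     ("pc-rd-1", "printer-it-1"), ("pc-mkt-1", "pc-mkt-2")]:
        print(f"{src} -> {dst}: {decision(src, dst)}")
    print("user-ACL rules:", len(PAGE_RULES),
          "| IP-based rules needed:", ip_rule_count(ISOLATED_PAIRS))
```

With the sample data, the four group-based rules cover every case, while an IP-based ACL would need eight subnet-pair rules and still could not separate pc-mkt-2 from printer-it-1, which sit on the same subnet. The model also makes the trust boundary visible: a terminal's group is only as reliable as the authentication that assigned it, and a device admitted through MAC address authentication with a fixed credential is identified by its MAC address alone.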

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 10 20 30 40
#
authentication-profile name p1
 dot1x-access-profile d1
 mac-access-profile m1
 authentication dot1x-mac-bypass
ucl-group 1 name group_m
ucl-group 2 name group_r
ucl-group 3 name group_it
#
radius-server template rd1
 radius-server shared-key cipher %^%#zH_B2{mN=177WZ2z+G|5)c'OKD[VaPNYP4>&6uC~%^%#
 radius-server authentication 192.168.4.30 1812 weight 80
 radius-server retransmit 2
#
acl number 6001
 rule 5 deny ip source ucl-group name group_m destination ucl-group name group_r
 rule 10 deny ip source ucl-group name group_r destination ucl-group name group_m
 rule 15 deny ip source ucl-group name group_m destination ucl-group name group_it
 rule 20 deny ip source ucl-group name group_it destination ucl-group name group_m
#
aaa
 authentication-scheme abc
  authentication-mode radius
 service-scheme service-scheme1
  ucl-group name group_m
 service-scheme service-scheme2
  ucl-group name group_r
 service-scheme service-scheme3
  ucl-group name group_it
 domain abc11
  authentication-scheme abc
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
 ip address 192.168.4.29 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 authentication-profile p1
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 authentication-profile p1
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
 authentication-profile p1
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 40
#
traffic-filter inbound acl 6001
#
dot1x-access-profile name d1
#
mac-access-profile name m1
 mac-authen username fixed A-123 password cipher %^%#(!XnF'#X^Sc=[&,fH38!OKNNEjez>NO`Z*NJK*s4%^%#
#
return
Updated: 2019-04-01

Document ID: EDOC1000178410
