To Next Page

To Previous Page

353

Configuring TCP fragment attack protection

The TCP fragment attack protection feature enables the device to drop attack TCP fragments to prevent

TCP fragment attacks that packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer

to the following TCP fragments:

• First fragments in which the TCP header is smaller than 20 bytes.

• Non-first fragments with a fragment offset of 8 bytes (FO=1).

To configure TCP fragment attack protection:

Ste

Command

Remarks

1. Enter system view. system-view

N/A

2. Enable TCP fragment attack

protection.

attack-defense tcp fragment

enable

By default, TCP fragment attack

protection is enabled.

Displaying and maintaining TCP attack protection

Task Command Remarks

Display current TCP connection state.

display tcp status [ | { begin | exclude |

include } regular-expression ]

Available in any view

Table of Contents3
Configuring AAA14
AAA Overview14
Radius15
Hwtacacs20
Domain-Based User Management22
RADIUS Server Feature of the Switch23
AAA for MPLS L3Vpns24
Protocols and Standards25
RADIUS Attributes25
FIPS Compliance28
AAA Configuration Considerations and Task List28
Configuring AAA Schemes30
Configuring Local Users30
Configuring RADIUS Schemes34
Configuring HWTACACS Schemes47
Configuring AAA Methods for ISP Domains54
Configuration Prerequisites54
Creating an ISP Domain54
Configuring ISP Domain Attributes55
Configuring AAA Authentication Methods for an ISP Domain56
Configuring AAA Authorization Methods for an ISP Domain58
Configuring AAA Accounting Methods for an ISP Domain59
Tearing down User Connections61
Configuring a NAS ID-VLAN Binding61
Specifying the Device ID Used in Stateful Failover Mode61
Configuring a Switch as a RADIUS Server62
RADIUS Server Functions Configuration Task List62
Configuring a RADIUS User62
Specifying a RADIUS Client63
Displaying and Maintaining AAA63
AAA Configuration Examples64
AAA for Telnet Users by an HWTACACS Server64
AAA for Telnet Users by Separate Servers65
Authentication/Authorization for Ssh/Telnet Users by a RADIUS Server67
Level Switching Authentication for Telnet Users by an HWTACACS Server70
RADIUS Authentication and Authorization for Telnet Users by a Switch74
Troubleshooting AAA76
Troubleshooting RADIUS76
Troubleshooting HWTACACS77
802.1X Overview78
802.1X Architecture78
Controlled/Uncontrolled Port and Port Authorization Status78
802.1X-Related Protocols79
Packet Formats80
EAP over RADIUS81
Initiating 802.1X Authentication81
802.1X Client as the Initiator81
Access Device as the Initiator82
802.1X Authentication Procedures82
A Comparison of EAP Relay and EAP Termination83
EAP Relay83
EAP Termination86
Configuring 802.1X87
HP Implementation of 802.1X87
Access Control Methods87
Using 802.1X Authentication with Other Features87
Configuration Prerequisites93
802.1X Configuration Task List93
Enabling 802.1X94
Configuration Guidelines94
Configuration Procedure94
Enabling EAP Relay or EAP Termination94
Setting the Port Authorization State95
Specifying an Access Control Method96
Setting the Maximum Number of Concurrent 802.1X Users on a Port96
Setting the Maximum Number of Authentication Request Attempts97
Setting the 802.1X Authentication Timeout Timers97
Configuring the Online User Handshake Function97
Configuration Guidelines98
Configuration Procedure98
Configuring the Authentication Trigger Function98
Configuration Guidelines99
Configuration Procedure99
Specifying a Mandatory Authentication Domain on a Port99
Configuring the Quiet Timer100
Enabling the Periodic Online User Re-Authentication Function100
Configuration Guidelines100
Configuration Procedure101
Configuring a Port to Send EAPOL Frames Untagged101
Setting the Maximum Number of 802.1X Authentication Attempts for MAC Authentication Users101
Configuring a VLAN Group102
Configuring an 802.1X Guest VLAN102
Configuration Guidelines102
Configuration Prerequisites103
Configuration Procedure103
Configuring an 802.1X Auth-Fail VLAN104
Configuration Guidelines104
Configuration Prerequisites104
Configuration Procedure104
Configuring an 802.1X Critical VLAN105
Configuration Guidelines105
Configuration Prerequisites105
Configuration Procedure105
Specifying Supported Domain Name Delimiters106
Configuring an 802.1X Voice VLAN106
Configuration Guidelines107
Configuration Prerequisites107
Configuration Procedure107
Configuring 802.1X MAC Address Binding107
Displaying and Maintaining 802.1X108
802.1X Authentication Configuration Example109
Network Requirements109
Configuration Procedure109
Verifying the Configuration111
With Guest VLAN and VLAN Assignment Configuration Example111
Network Requirements111
Configuration Procedure112
Verifying the Configuration113
With ACL Assignment Configuration Example114
Network Requirements114
Configuration Procedure114
Verifying the Configuration115
Configuring EAD Fast Deployment116
Overview116
Free IP116
URL Redirection116
Configuration Prerequisites116
Configuring a Free IP116
Configuring the Redirect URL117
Setting the EAD Rule Timer117
Displaying and Maintaining EAD Fast Deployment118
EAD Fast Deployment Configuration Example118
Network Requirements118
Configuration Procedure119
Verifying the Configuration119
Troubleshooting EAD Fast Deployment120
Web Browser Users Cannot be Correctly Redirected120
Configuring MAC Authentication121
Overview121
User Account Policies121
Authentication Approaches121
MAC Authentication Timers122
Using MAC Authentication with Other Features122
VLAN Assignment122
ACL Assignment122
Guest VLAN122
Critical VLAN123
Configuration Task List123
Basic Configuration for MAC Authentication123
Configuring MAC Authentication Globally124
Configuring MAC Authentication on a Port124
Specifying a MAC Authentication Domain125
Configuring a MAC Authentication Guest VLAN125
Configuring a MAC Authentication Critical VLAN126
Configuring MAC Authentication Delay127
Enabling MAC Authentication Multi-VLAN Mode128
Displaying and Maintaining MAC Authentication128
MAC Authentication Configuration Examples129
Local MAC Authentication Configuration Example129
RADIUS-Based MAC Authentication Configuration Example131
ACL Assignment Configuration Example133
Configuring Portal Authentication135
Overview135
Extended Portal Functions135
Portal System Components135
Portal System Using the Local Portal Server137
Portal Authentication Modes138
Portal Support for EAP139
Layer 2 Portal Authentication Process140
Layer 3 Portal Authentication Process141
Portal Stateful Failover144
Portal Authentication Across Vpns146
Portal Configuration Task List146
Configuration Prerequisites147
Specifying the Portal Server148
Specifying the Local Portal Server for Layer 2 Portal Authentication148
Specifying a Portal Server for Layer 3 Portal Authentication149
Configuring the Local Portal Server149
Customizing Authentication Pages149
Configuring the Local Portal Server152
Enabling Portal Authentication153
Enabling Layer 2 Portal Authentication153
Enabling Layer 3 Portal Authentication154
Controlling Access of Portal Users154
Configuring a Portal-Free Rule154
Configuring an Authentication Source Subnet156
Setting the Maximum Number of Online Portal Users156
Specifying an Authentication Domain for Portal Users157
Configuring Layer 2 Portal Authentication to Support Web Proxy157
Enabling Support for Portal User Moving158
Specifying an Auth-Fail VLAN for Portal Authentication158
Configuring RADIUS Related Attributes159
Specifying NAS-Port-Type for an Interface159
Specifying a NAS ID Profile for an Interface160
Specifying a Source IP Address for Outgoing Portal Packets160
Configuring Portal Stateful Failover161
Specifying an Auto Redirection URL for Authenticated Portal Users162
Configuring Portal Detection Functions163
Configuring Online Layer 2 Portal User Detection163
Configuring the Portal Server Detection Function163
Configuring Portal User Information Synchronization165
Logging off Portal Users166
Displaying and Maintaining Portal166
Portal Configuration Examples167
Configuring Direct Portal Authentication167
Configuring Re-DHCP Portal Authentication171
Configuring Cross-Subnet Portal Authentication173
Configuring Direct Portal Authentication with Extended Functions175
Configuring Re-DHCP Portal Authentication with Extended Functions177
Configuring Cross-Subnet Portal Authentication with Extended Functions180
Configuring Portal Stateful Failover182
Configuring Portal Server Detection and Portal User Information Synchronization189
Configuring Layer 2 Portal Authentication195
Troubleshooting Portal198
Inconsistent Keys on the Access Device and the Portal Server198
Incorrect Server Port Number on the Access Device199
Configuring Triple Authentication200
Overview200
Triple Authentication Mechanism200
Using Triple Authentication with Other Features201
Configuring Triple Authentication201
Triple Authentication Configuration Examples202
Triple Authentication Basic Function Configuration Example202
Triple Authentication Supporting VLAN Assignment and Auth-Fail VLAN Configuration Example204
Configuring Port Security210
Overview210
Port Security Features210
Port Security Modes211
Working with Guest VLAN and Auth-Fail VLAN213
Configuration Task List213
Enabling Port Security214
Setting Port Security's Limit on the Number of MAC Addresses on a Port214
Setting the Port Security Mode215
Configuration Prerequisites215
Configuration Procedure215
Configuring Port Security Features216
Configuring NTK216
Configuring Intrusion Protection216
Enabling Port Security Traps217
Configuring Secure MAC Addresses217
Configuration Prerequisites218
Configuration Procedure218
Ignoring Authorization Information219
Displaying and Maintaining Port Security220
Port Security Configuration Examples220
Configuring the Autolearn Mode220
Configuring the Userloginwithoui Mode223
Configuring the Macaddresselseuserloginsecure Mode227
Troubleshooting Port Security230
Cannot Set the Port Security Mode230
Cannot Configure Secure MAC Addresses230
Cannot Change Port Security Mode When a User Is Online231
Configuring a User Profile232
Overview232
User Profile Configuration Task List232
Creating a User Profile232
Applying a Qos Policy233
Enabling a User Profile233
Displaying and Maintaining User Profiles234
Configuring Password Control235
Overview235
FIPS Compliance237
Password Control Configuration Task List238
Configuring Password Control238
Enabling Password Control238
Setting Global Password Control Parameters239
Setting User Group Password Control Parameters241
Setting Local User Password Control Parameters241
Setting Super Password Control Parameters242
Setting a Local User Password in Interactive Mode242
Displaying and Maintaining Password Control243
Password Control Configuration Example243
Configuring HABP246
Overview246
Configuring HABP247
Configuring the HABP Server247
Configuring an HABP Client247
Displaying and Maintaining HABP248
HABP Configuration Example248
Managing Public Keys251
Overview251
FIPS Compliance251
Configuration Task List252
Creating a Local Asymmetric Key Pair252
Displaying or Exporting the Local Host Public Key253
Destroying a Local Asymmetric Key Pair254
Specifying the Peer Public Key on the Local Device255
Displaying and Maintaining Public Keys256
Public Key Configuration Examples256
Manually Specifying the Peer Public Key on the Local Device256
Importing a Peer Public Key from a Public Key File258
Configuring PKI261
Overview261
PKI Terms261
PKI Architecture262
PKI Operation263
PKI Applications263
PKI Configuration Task List263
Configuring an Entity DN264
Configuring a PKI Domain265
Configuration Guidelines266
Configuration Procedure266
Submitting a PKI Certificate Request267
Submitting a Certificate Request in Auto Mode267
Submitting a Certificate Request in Manual Mode267
Retrieving a Certificate Manually269
Configuration Guidelines269
Configuration Procedure269
Configuring PKI Certificate Verification269
Configuration Guidelines270
Configuring CRL-Checking-Enabled PKI Certificate Verification270
Configuring CRL-Checking-Disabled PKI Certificate Verification270
Destroying a Local RSA Key Pair271
Deleting a Certificate271
Configuring an Access Control Policy271
Displaying and Maintaining PKI272
PKI Configuration Examples272
Certificate Request from an RSA Keon CA Server273
Certificate Request from a Windows 2003 CA Server276
Certificate Attribute Access Control Policy Configuration Example279
Troubleshooting PKI280
Failed to Retrieve a CA Certificate280
Failed to Request a Local Certificate281
Failed to Retrieve Crls281
Configuring Ipsec283
Overview283
Basic Concepts283
Ipsec for Ipv6 Routing Protocols286
Protocols and Standards286
FIPS Compliance286
Configuring Ipsec286
Implementing ACL-Based Ipsec286
Feature Restrictions and Guidelines286
ACL-Based Ipsec Configuration Task List287
Configuring Acls287
Configuring an Ipsec Proposal289
Configuring an Ipsec Policy290
Applying an Ipsec Policy Group to an Interface294
Configuring the Ipsec Session Idle Timeout294
Enabling ACL Checking of De-Encapsulated Ipsec Packets295
Configuring the Ipsec Anti-Replay Function295
Configuring Packet Information Pre-Extraction296
Configuring Ipsec for Ipv6 Routing Protocols296
Displaying and Maintaining Ipsec297
Ipsec Configuration Examples298
IKE-Based Ipsec Tunnel for Ipv4 Packets Configuration Example298
Ipsec for Ripng Configuration Example300
Configuring IKE304
Overview304
IKE Security Mechanism304
IKE Operation304
IKE Functions305
Relationship between IKE and Ipsec306
Protocols and Standards306
IKE Configuration Task List306
Configuring a Name for the Local Security Gateway307
Configuring an IKE Proposal307
Configuring an IKE Peer308
Setting Keepalive Timers310
Setting the NAT Keepalive Timer310
Configuring a DPD Detector311
Disabling Next Payload Field Checking311
Displaying and Maintaining IKE312
IKE Configuration Example312
Troubleshooting IKE315
Invalid User ID315
Proposal Mismatch315
Failing to Establish an Ipsec Tunnel316
ACL Configuration Error316
Configuring SSH2.0317
Overview317
SSH Operation317
SSH Connection Across Vpns319
FIPS Compliance320
Configuring the Switch as an SSH Server320
SSH Server Configuration Task List320
Generating Local Key Pairs320
Enabling the SSH Server Function321
Configuring the User Interfaces for SSH Clients321
Configuring a Client's Host Public Key322
Configuring an SSH User323
Setting the SSH Management Parameters324
Setting the DSCP Value for Packets Sent by the SSH Server325
Configuring the Switch as an SSH Client326
SSH Client Configuration Task List326
Specifying a Source IP Address/Interface for the SSH Client326
Configuring Whether First-Time Authentication Is Supported326
Establishing a Connection between the SSH Client and Server327
Setting the DSCP Value for Packets Sent by the SSH Client328
Displaying and Maintaining SSH329
SSH Server Configuration Examples329
When the Switch Acts as a Server for Password Authentication330
When the Switch Acts as a Server for Publickey Authentication332
SSH Client Configuration Examples337
When Switch Acts as Client for Password Authentication337
When Switch Acts as Client for Publickey Authentication340
Configuring SFTP343
Overview343
FIPS Compliance343
Configuring the Switch as an SFTP Server343
Enabling the SFTP Server343
Configuring the SFTP Connection Idle Timeout Period344
Configuring the Switch as an SFTP Client344
Specifying a Source IP Address or Interface for the SFTP Client344
Establishing a Connection to the SFTP Server345
Working with SFTP Directories345
Working with SFTP Files346
Displaying Help Information347
Terminating the Connection to the Remote SFTP Server347
Setting the DSCP Value for Packets Sent by the SFTP Client347
SFTP Client Configuration Example348
SFTP Server Configuration Example351
Configuring SCP354
Overview354
FIPS Compliance354
Configuring the Switch as an SCP Server354
Configuring the Switch as the SCP Client355
SCP Client Configuration Example355
SCP Server Configuration Example356
Configuring SSL358
Overview358
SSL Security Mechanism358
SSL Protocol Stack358
FIPS Compliance359
Configuration Task List359
Configuring an SSL Server Policy359
SSL Server Policy Configuration Example361
Configuring an SSL Client Policy363
Displaying and Maintaining SSL364
Troubleshooting SSL364
Configuring TCP Attack Protection365
Overview365
Enabling the SYN Cookie Feature365
Configuring TCP Fragment Attack Protection366
Displaying and Maintaining TCP Attack Protection366
Configuring IP Source Guard367
Overview367
Static IP Source Guard Binding Entries367
Dynamic IP Source Guard Binding Entries368
Configuration Task List368
Configuring the Ipv4 Source Guard Feature369
Configuring Ipv4 Source Guard on an Interface369
Configuring a Static Ipv4 Source Guard Binding Entry370
Setting the Maximum Number of Ipv4 Source Guard Binding Entries371
Configuring the Ipv6 Source Guard Feature372
Configuring Ipv6 Source Guard on an Interface372
Configuring a Static Ipv6 Source Guard Binding Entry373
Setting the Maximum Number of Ipv6 Source Guard Binding Entries374
Displaying and Maintaining IP Source Guard374
IP Source Guard Configuration Examples375
Static Ipv4 Source Guard Configuration Example375
Dynamic Ipv4 Source Guard Using DHCP Snooping Configuration Example377
Dynamic Ipv4 Source Guard Using DHCP Relay Configuration Example378
Static Ipv6 Source Guard Configuration Example379
Dynamic Ipv6 Source Guard Using Dhcpv6 Snooping Configuration Example380
Dynamic Ipv6 Source Guard Using ND Snooping Configuration Example381
Global Static IP Source Guard Configuration Example382
Troubleshooting IP Source Guard384
Configuring ARP Attack Protection385
Overview385
ARP Attack Protection Configuration Task List385
Configuring ARP Defense against IP Packet Attacks386
Configuring ARP Source Suppression386
Enabling ARP Black Hole Routing387
Displaying and Maintaining ARP Defense against IP Packet Attacks387
Configuration Example387
Configuring ARP Packet Rate Limit389
Introduction389
Configuration Procedure389
Configuring Source MAC Address Based ARP Attack Detection390
Configuration Procedure390
Displaying and Maintaining Source MAC Address Based ARP Attack Detection391
Configuration Example391
Configuring ARP Packet Source MAC Address Consistency Check392
Introduction392
Configuration Procedure392
Configuring ARP Active Acknowledgement392
Configuration Procedure393
Configuring ARP Detection393
Introduction393
Configuring User Validity Check393
Configuring ARP Packet Validity Check394
Configuring ARP Restricted Forwarding395
Configuring the ARP Detection Logging Function396
Displaying and Maintaining ARP Detection396
User Validity Check Configuration Example396
User Validity Check and ARP Packet Validity Check Configuration Example398
ARP Restricted Forwarding Configuration Example399
Configuring ARP Automatic Scanning and Fixed ARP401
Configuration Guidelines401
Configuration Procedure401
Configuring ARP Gateway Protection402
Configuration Guidelines402
Configuration Procedure402
Configuration Example402
Configuring ARP Filtering403
Configuration Guidelines403
Configuration Procedure403
Configuration Example404
Configuring ND Attack Defense405
Overview405
Enabling Source MAC Consistency Check for ND Packets406
Configuring the ND Detection Function406
Introduction to ND Detection406
Configuration Guidelines407
Configuration Procedure407
Displaying and Maintaining ND Detection407
ND Detection Configuration Example408
Network Requirements408
Configuration Procedure408
Configuring URPF410
Overview410
URPF Check Modes410
How URPF Works410
Network Application413
Configuring URPF413
URPF Configuration Example413
Configuring MFF415
Overview415
Basic Concepts416
Operation Modes416
Working Mechanism417
Protocols and Standards417
Configuring MFF418
Configuration Prerequisites418
Enabling MFF418
Configuring a Network Port418
Enabling Periodic Gateway Probe418
Specifying the IP Addresses of Servers419
Displaying and Maintaining MFF419
MFF Configuration Examples420
Auto-Mode MFF Configuration Example in a Tree Network420
Auto-Mode MFF Configuration Example in a Ring Network421
Manual-Mode MFF Configuration Example in a Tree Network423
Manual-Mode MFF Configuration Example in a Ring Network424
Configuring SAVI427
Overview427
Configuring Global SAVI427
SAVI Configuration in Dhcpv6-Only Address Assignment Scenario428
Network Requirements428
Configuration Considerations428
Packet Check Principles429
Configuration Procedure429
SAVI Configuration in SLAAC-Only Address Assignment Scenario430
Network Requirements430
Configuration Considerations430
Packet Check Principles431
Configuration Procedure431
SAVI Configuration in Dhcpv6+Slaac Address Assignment Scenario432
Network Requirements432
Configuration Considerations432
Packet Check Principles433
Configuration Procedure433
Configuring Blacklist435
Overview435
Configuring the Blacklist Feature435
Displaying and Maintaining the Blacklist435
Blacklist Configuration Example436
Network Requirements436
Configuration Procedure436
Verifying the Configuration436
Configuring FIPS438
Overview438
FIPS Self-Tests438
Power-Up Self-Test438
Conditional Self-Tests438
Triggering a Self-Test438
Configuration Procedure439
Enabling the FIPS Mode439
Triggering a Self-Test440
Displaying and Maintaining FIPS440
FIPS Configuration Example440
Network Requirements440
Configuration Procedure440
Verifying the Configuration441
Support and Other Resources443
Contacting HP443
Subscription Service443
Related Information443
Documents443
Websites443
Conventions444
Index446

Brand	HP
Model	3600 v2 Series
Category	Switch
Language	English

HP 3600 v2 Series Configuration Guide

Table of Contents

Other manuals for HP 3600 v2 Series

Questions and Answers:

HP 3600 v2 Series Specifications

Related product manuals