SAT10 Ethernet Security

7/27/2019 SAT10 Ethernet Security

1/52

HUAWEI

Learning Objectives


2/52

HUAWEI

Security Management of Devices


3/52

HUAWEI

Password Management

Privileged EXEC mode password.

Line login password.


4/52

HUAWEI

Privileged EXEC Mode Password

enable [0|7]password

no enable password

Quidway(config)# enable password 0

addidasQuidway>enable

Password

Quidway#


5/52

HUAWEI

Line Types

The "Line" login mode is for unifying differnttypes of ports on a device.

A Quidway series Ethernet switch provides two

types of l ines:AUX l ine.

VTY (virtual Terminal) l ine


6/52

HUAWEI

Line Login Passwords

Quidway(conf ig)#line vty 0 4

Quidway(conf ig- l ine-vty0-4)# login

Quidway(conf ig- l in e-vty0-4)# password addidas

Line Login Password Authentication

Line Login Password Local Authentication

Quidway(conf ig)#l ine vty 0 4

Quidway(conf ig- l ine-vty0-4)# login localQuidway(conf ig)# user yh password 0 n ick


7/52

HUAWEI

Line Login Passwords

Quidway(config)# aaa enable

Quidway(config)# aaa authentication login defaultlocal(radius)

Quidway(config)# user yh password 7 nick

Quidway(config)# l ine vty 0 4

Quidway(config-line-vty0-4)# login authenticationdefault

Line Login Authentication Over an AAA Server


8/52


9/52

HUAWEI

c vae eac vae e ermnaService

exec

no exec

Quidway(config)#line vty 0 4

Quidway(config-l ine-vty0-4)#no exec


10/52

HUAWEI

EXEC Timeout

exec-timeout minutes seconds

no exec-timeout

Quidway(config)#line vty 0 4

Quidway(config-l ine-vty0-4)#exec-timeout 10


11/52

HUAWEI

Privilege Levels

privilege level level

userusername privilege level

Quidway(config)#line vty 0 4Quidway(config-l ine-vty0-4)#privi lege level15

Quidway(config)#user yh privilege 1


12/52

HUAWEI

Quidway(config)#show user allLine User Host(s) Idle Location

I 0 AUX 0 idle 0

* 1 VTY 0 yh1 idle 0 1.1.4.239

2 VTY 1 idle 0

3 VTY 2 idle 0

4 VTY 3 idle 0

5 VTY 4 idle 0

Show Users over Lines


13/52

HUAWEI

Clear a Line of the User

clear line line-number| line-type-name

Quidway#clear line 3

Quidway#clear l ine vty 0

[Conf irm]

[OK]


14/52

HUAWEI

Ethernet Access List

Internet

Department A

Department B

Server


15/52

HUAWEI

Access List

The access list applies to all the portson the device.

It is used to sort data packets arriving ateach port and attach different action labelsto them.

Packet filtering.

Packet monitoring.

Committed access rate.

Packet gathering.COS (Class Of Service)

Major functions of an access list:


16/52

HUAWEI

Flow Classification

Classfication entries of Layer 2 Flows

Packet over Ethernet.

Source/destination MAC address.

Ethernet encapsulated structure.

Vlan ID

input/output port.

Protocol type.Source/destination IP address.

Source/destination port number.

DSCP.

Classfication entries of L3/L4 Flows


17/52

HUAWEI

IP Packet Filtering

IPheader

TCPheader

Application-levelheader

Data

L3/L4 PacketFilters

Source/

destinationIP address

Source/

destinationSocket Port

TCP/IP packet filtering elements

Application state and dataflow

Application Gateways

ccess s n a u way


18/52

HUAWEI

ccess s n a u wayS3526 Switch

Rule-map

Flow-action

Time-range

ACL = rule-map

+ flow-action

[ + time-range ]


19/52

HUAWEI

Add/Delete a L2 Flow Rule

rule-map l2rule_name [ datagram-type { arp |

rarp } ] [ vlan vlan_id ] ingress { inport_num |

in_mac| any} egress { outport_num | out_mac|

any}

no rule-maprule_name


20/52

HUAWEI

Add/Delete a L3/L4 Flow Rule

rule-map l3rule_name [protocol_type ] sourceip

souce_wildcard_mask [ src_port_operator

source_port1 [ source_port2 ] ]destinationip destination_wildcard_mask

[ dst_port_operator dest_port1 [ dest_port2 ] ]

no rule-map rule-name


21/52

HUAWEI

Sort Layer 2 and Layer 3/4 Flows

IP 1.1.1.1

MASK:255.255.0.0

IP 1.2.1.1MASK:255.255.0.0

1.1.1.2 1.1.1.3 1.1.1.4 1.2.1.2 1.2.1.3 1.2.1.4

Layer 3 Flow Rule

ayer 2lowule

Sale dept.VLAN

Engineering dept.VLAN

ypeso aagrams ncapsu

ae nan


22/52

HUAWEI

ypes o aagrams ncapsuae n anEthernet Frame

6 6 2 46-1500

DestinationAddress SourceAddress Type Data

0800 IP datagram

0806 ARP Request/Acknowledgment

8035 RARP Request/Acknowledgment

Ethernet_II Encapsulated Structure

2

2

2

IP

ARP

RARP


23/52

HUAWEI

"ingress" and "egress"

101..1

Source Destination

ingress egress


24/52

HUAWEI

Protocol Type of an IP Datagram

Protocol type number is used by IP protocol

to transmit upper layer message

Common protocol type:

TCP:6;UDP:17;


25/52

HUAWEI

IP Address and Subnet Mask

IP address: 140.252.1.1

Subnet Mask:255.255.255.0

IP address: 140.252.1.0

Subnet mask:255.255.255.0

fS /


26/52

HUAWEI

An Example of Setting a L3/L4 Flow Rule Map

"E tM t h"P i i l


27/52

HUAWEI

"Exact Match" Principle

Add/D l t Fl A ti


28/52

HUAWEI

Add/Delete a Flow Action

flow-action action_name { coscos_value | car

traffic_namecoscos_value | monitor-port |

gather| deny }

no flow-actionaction_name

Fi Ki d fFl A ti L b l


29/52

HUAWEI

Five Kinds of Flow-Action Labels

Five Kinds of Flow-ActionLabels in S3526

Add/D l t M it P t


30/52

HUAWEI

Add/Delete a Monitor Port

monitor-portport_num

Quidway(config)#monitor-port ethernet 0/9

Setting new mirror port: Ethernet0/9 succeeded.

no monitor-portport_num

Add/D l t Ti R


31/52

HUAWEI

Add/Delete Time Ranges

time-range time_range_name

from 1st_start_time to 1st_end_time

[ from 2nd_start_time to 2nd_end_time ]

[ from 3th_start_time to 3th_end_time ]

no time-rangetime_range_name

AnexampleofAddingTimeRanges


32/52

HUAWEI

An example of Adding Time Ranges

Suppose that an administrator wants to put an

ACL into effect within the following three

separate time ranges each day: from 8:00 to

8:30, from 12:00 to :13:30 and from 18:00 to

18:30, and the time-range name is "denytime".The following settings should be made:

Quidway(config)#time-range denytime from

8:00:00 to 8:30:00 from 12:00:00 to 13:30:00

from 18:00:00 to 18:30:00

Add/DeleteanACL


33/52

HUAWEI

Add/Delete an ACL

acl acl_name

rule_map_name flow_action_name

time-range time_range_name { on | off}

no aclacl_name

Activate/DisableanACL


34/52

HUAWEI

Activate/Disable an ACL

access-group acl_name

no access-group acl_name

AnExampleofConfiguringanACL


35/52

HUAWEI

An Example of Configuring an ACL

Quidway(config)# rule-map l3 FromHostA

10.110.12.6 255.255.0.0 0.0.0.0 0.0.0.0

Quidway(config)#flow-action DenyAction

Quidway(config)#time-range DenyTime from

8:00:00 to 18:00:00

Quidway(config)#acl DenyHostA FromHostA

DenyAction time-range DenyTime on

Quidway(config)#access-group DenyHostA

ACLMaintenance


36/52

HUAWEI

ACL Maintenance

show rule-map [rule_name ]

show flow-action [action_name ]

show time-range [ time_range_name ]

show acl [acl_name ]

MaintenanceofStatistics-TypeACLs


37/52

HUAWEI

Maintenance of Statistics-Type ACLs

show acl statistics [acl_name ]

clear acl statistics [acl_name ]

BackgroundofQoS


38/52

HUAWEI

Background of QoS

How to implement QOS


39/52

HUAWEI

One of the means is to increase the bandwidth ofthe entire network, but there is a limit to thebandwidth, and increasing the bandwidth iscostly and can only ensure the QoS to a certainextent.

Other effective means to ensure the QoS are:Implement queuing mechanisms for congestion management, e.g. FIFO,PQ, CQ, WFQ and CBWFQ.

Implement the random early detection to avoid congestion.

Implement the generalized traffic shaping to smooth the traffic.

Implement the CAR to impose a traffic flow control.

How to implement QOS

o unc ons o a


40/52

HUAWEISwitch

Queuing mechanisms to avoid congestion at ports

Priority Queuing

W eighted Round Robin Queuing

Committed Access Rate for imposing a trafficflow control.

Queues at a Port


41/52

HUAWEI

Queues at a Port

frame

frame

frame

frame

frame

frame

frame

frame

frame

frame

frame

frame frame

cos2,3cos2,3 cos4,5cos4,5cos0,1cos0,1 cos6,7cos6,7

Output SchedulerOutput Scheduler

OutputOutput

There are four queues at each port: High, Medium,Normal and Low.

Low

Normal

Medium

High


42/52

Priority Queuing


43/52

HUAWEI

This queuing mechanism is designed for key servic

which are required to take precedence over otherservices, when congestion occurs, to reduce the

response delay.

Packets in a lower-priority queue shall not beforwarded until all the packets in a higher-priority

queue have.

Priority Queuing

high

medium

normal

low

WRR Queuing


44/52

HUAWEI

WRR Queuing

high

medium

normal

lo w

40%

30%

10%

20%

Weight

ueu ng o e on gura onC d


45/52

HUAWEICommands

To set the queuing m ode of a port (s) to W R R iglobal conf iguration m ode:

egress queueport_l istweightweight0weight1

weight3

To restore the queuing m ode of a por t (s) to PQglobal conf iguration m ode:

no egress queueport_l ist

Conf igurat ion exam p le:Quidway(conf ig)#egress queue ethernet0/1 to

weight 10 20 30 40

Implementation of a CAR


46/52

HUAWEI

Implementation of a CAR

T oen B uc k e t

The token bucket is used to implement a CARfor a flow control.

on gura onC d


47/52

HUAWEI

To add a CAR in the global configura tion mode:

Commands

traffic traffic_mode_name

cdrcommitted_data_rate k

no traffictraffic_mode_name

Quidway(config)# traffichosttrafficcdr10000k

mp emen a on oFlo Based Traffic Control


48/52

HUAWEI

10.110.8.68 10.120.10.88

e0/4 e0/20

Host AHost B

Flow-Based Traffic Control

A S3526 switch can implement f low-based

traffic control using ACLs.

ra c on roConfiguration Example


49/52

HUAWEIConfiguration Example

Quidway(config)#rule-map l3 r1 10.110.8.68 255.25

10.120.10.88 255.255.0.0

Quidway(config)#traffic traffic1 cdr 10000 k

Quidway(config)#flow-action action1 car traffic1 cos

Quidway(config)#acl a1 r1 action1Quidway(config)#access-group a1

Quidway(config)#egress queue e0/4 weight 5 25 30

Quidway(config)#egress queue e0/20 weight 5 25 3

eans o nsure e ecur y oPorts


50/52

HUAWEIPorts

MAC Learning Management of Ports

Binding MAC addresses to ports

MAC Learning Management


51/52

HUAWEI

g g

mac-address-table mac-learning disable

no mac-address-table mac-learning disable

mac-address-table max-mac-count max_mac_count

no mac-address-table max-mac-count

Bind MAC Addresses to a Port


52/52

HUAWEI

1. To bind static MAC addresses to a port in the globconfiguration mode:

Quidway(config)#mac-address-table static 0000.e066

interface ether0/8 vlan 8

Quidway(config)#mac-address-table static 0000.e068interface ether0/8 vlan 8

2. In the port configuration mode, to set the maximum

MAC addresses that can be learned by the port in qu

Quidway(config-if-Ethernet0/8)#mac-address-tablemax-mac-count 0

SAT10 Ethernet Security

Documents

Transcript of SAT10 Ethernet Security