
HP 5500 Ei 5500 Si Switch Series Configuration Guide


Page 1991 (manual page 326)
Figure 117 SSL protocol stack

• SSL record protocol—Fragments data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client....

Page 1992 (manual page 327)
Step / Command / Remarks

2. Create an SSL server policy and enter its view.
   Command: ssl server-policy policy-name
   Remarks: N/A

3. Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: By default, no PKI domain is specified for an SSL server policy. If the client requires certificate-based authentication for the SSL server, you must use this command to specify a PKI domain for the server and request a local certificate for the server through the PKI domain.

4. Specify the cipher...

Page 1993 (manual page 328)
Figure 118 Network diagram

Configuration considerations
To achieve the goal, perform the following configurations:
• Configure Device to work as the HTTPS server and request a certificate for Device.
• Request a certificate for Host so that Device can authenticate the identity of Host.
• Configure a CA server to issue certificates to Device and Host.

Configuration procedure
In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol...

Page 1994 (manual page 329)
# Create an SSL server policy named myssl.
[Device] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Device] ip https enable
# Create a local user named usera,...

Page 1995 (manual page 330)
Step / Command / Remarks

3. Specify a PKI domain for the SSL client policy.
   Command: pki-domain domain-name
   Remarks: Optional. No PKI domain is configured by default. If the SSL server requires certificate-based authentication for SSL clients, you must use this command to specify a PKI domain for the client and request a local certificate for the client through the PKI domain.

4. Specify the preferred cipher suite for the SSL client policy.
   Command: prefer-cipher { rsa_3des_ede_cbc_sha |...

Page 1996 (manual page 331)
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
• The server and the client have no matching cipher suite.

Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem:
   ◦ If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
   ◦ If the server's certificate cannot be trusted, install the root...

Page 1997 (manual page 332)
Configuring TCP attack protection

Overview
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.

Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes.
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in the...

Page 1998 (manual page 333)
Task / Command / Remarks

Display current TCP connection state.
   Command: display tcp status [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view

Page 1999 (manual page 334)
Configuring IP source guard

Overview
IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address and source MAC address.
IP source guard entries fall into the following types:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
After receiving a packet, an IP source...

Page 2000 (manual page 335)
Global static binding entry
A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet's IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
Global static binding entries are used to protect against host spoofing attacks, which exploit the IP address or MAC address of a legal user host.
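To make the forwarding rule concrete, the following Python model (added here; it is not code from the HP guide and does not reflect the switch's implementation) replays the decision described above over a constructed binding table. It assumes that a port-based IP-port entry compares only the source IP, a MAC-port entry only the source MAC, an IP-MAC-port entry both, that a global entry always binds both, and that a packet matching no entry on a guarded port is dropped.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    """One static IP source guard binding entry.

    port=None marks a global static binding entry (system view, all ports).
    ip or mac set to None gives an IP-port or MAC-port entry; only the
    fields present are compared (assumption, see lead-in).
    """
    ip: Optional[str]
    mac: Optional[str]
    port: Optional[str] = None


def _port_entry_matches(entry: Binding, src_ip: str, src_mac: str) -> bool:
    # Every field the entry binds must equal the packet's field.
    return (entry.ip is None or entry.ip == src_ip) and \
           (entry.mac is None or entry.mac == src_mac)


def forwards(bindings: Iterable[Binding], port: str, src_ip: str, src_mac: str) -> bool:
    """True if a packet (src_ip, src_mac) arriving on port is forwarded."""
    for entry in bindings:
        if entry.port is None:
            # Global entry: effective on all ports, IP and MAC must both match.
            if entry.ip == src_ip and entry.mac == src_mac:
                return True
        elif entry.port == port and _port_entry_matches(entry, src_ip, src_mac):
            return True
    return False  # no matching entry: the guarded port drops the packet


# Constructed sample table (addresses and port names are made up).
BINDINGS = [
    Binding("192.168.1.10", "0001-0002-0003"),                          # global MAC-IP
    Binding("192.168.1.20", None, "GigabitEthernet1/0/2"),              # IP-port
    Binding("192.168.1.30", "0001-0002-0030", "GigabitEthernet1/0/3"),  # IP-MAC-port
]

if __name__ == "__main__":
    # A host on port 1/0/2 reusing the global entry's IP with its own MAC
    # is a spoofing attempt and is dropped, because both fields must match.
    print(forwards(BINDINGS, "GigabitEthernet1/0/2", "192.168.1.10", "aaaa-bbbb-cccc"))
    print(forwards(BINDINGS, "GigabitEthernet1/0/5", "192.168.1.10", "0001-0002-0003"))
```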
Port-based static binding entry 
A...