Aruba FlexFabric 12900E Switch Series Security Configuration Guide

Category
Software
Type
Configuration Guide

This manual is also suitable for

HPE FlexFabric 12900E Switch Series
Security Configuration Guide
Software
version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring keychains ··················································································· 1
About keychains ················································································································································· 1
Operating mechanism ································································································································ 1
Time modes ··············································································································································· 1
Restrictions and guidelines: Keychain configuration ·························································································· 1
Configuring a keychain in absolute time mode ·································································································· 1
Configuring a keychain in periodic time mode ··································································································· 2
Verifying and maintaining keychains ·················································································································· 4
Keychain configuration examples ······················································································································ 4
Example: Configuring keychains ················································································································ 4
Managing public keys ···················································································· 9
About public key management ··························································································································· 9
Asymmetric key algorithm overview ··········································································································· 9
Usage of asymmetric key algorithms ········································································································· 9
Public key management tasks at a glance ········································································································· 9
Creating a local key pair··································································································································· 10
Importing a local key pair ································································································································· 11
Distributing a local host public key ··················································································································· 11
About distribution of local host public keys ······························································································ 11
Exporting a host public key ······················································································································ 12
Displaying a host public key ····················································································································· 12
Configuring a peer host public key ··················································································································· 13
About peer host public key configuration ································································································· 13
Restrictions and guidelines for peer host public key configuration ·························································· 13
Importing a peer host public key from a public key file ············································································ 13
Entering a peer host public key ················································································································ 13
Destroying a local key pair ······························································································································· 14
Configuring master keys ·································································································································· 14
Setting a master key ································································································································ 14
Clearing master keys ······························································································································· 15
Verifying and maintaining public keys ·············································································································· 16
Examples of public key management ·············································································································· 16
Example: Entering a peer host public key ································································································ 16
Example: Importing a public key from a public key file ············································································ 18
Configuring PKI ··························································································· 21
About PKI ························································································································································· 21
PKI terminology ········································································································································ 21
PKI architecture ········································································································································ 22
Retrieval, usage, and maintenance of a digital certificate ········································································ 23
PKI applications ······································································································································· 23
Support for MPLS L3VPN ························································································································ 24
PKI tasks at a glance ······································································································································· 24
Configuring a PKI entity ··································································································································· 25
About PKI entities ····································································································································· 25
Restrictions and guidelines for PKI entity configuration ··········································································· 25
PKI entity tasks at a glance ······················································································································ 25
Configuring the DN for the PKI entity ······································································································· 25
Configuring a PKI domain ································································································································ 27
About PKI domains ·································································································································· 27
PKI domain tasks at a glance ··················································································································· 27
Creating a PKI domain ····························································································································· 27
Specifying the trusted CA ························································································································· 28
Specifying the PKI entity name ················································································································ 28
Specifying the certificate request reception authority··············································································· 28
Specifying the certificate request URL ····································································································· 28
ii
Specifying the VPN instance where the certificate request reception authority and the CRL repository
belong ······················································································································································ 29
Setting the SCEP polling interval and maximum polling attempts ··························································· 29
Specifying the LDAP server ····················································································································· 29
Specifying the fingerprint for root CA certificate verification····································································· 29
Specifying the key pair for certificate request ·························································································· 30
Specifying the intended purpose for the certificate ·················································································· 30
Specifying the source IP address for PKI protocol packets ····································································· 31
Specifying the encryption algorithm for certificate files in PKCS#7 format ·············································· 31
Specifying the storage path for certificates and CRLs ····················································································· 32
Requesting a certificate···································································································································· 32
About certificate request configuration ····································································································· 32
Restrictions and guidelines for certificate request configuration ······························································ 32
Prerequisites for certificate request configuration ···················································································· 33
Enabling the automatic online certificate request mode··········································································· 33
Manually submitting an online certificate request ···················································································· 34
Manually submitting a certificate request in offline mode ········································································· 34
Aborting a certificate request ··························································································································· 35
Obtaining certificates········································································································································ 35
Verifying PKI certificates ·································································································································· 36
About certification verification ·················································································································· 36
Restrictions and guidelines for certificate verification ·············································································· 37
Verifying certificates with CRL checking ·································································································· 37
Verifying certificates without CRL checking ····························································································· 38
Exporting certificates ········································································································································ 38
Removing a certificate······································································································································ 39
Configuring a certificate-based access control policy ······················································································ 40
About certificate-based access control policies ······················································································· 40
Procedure ················································································································································· 40
Enabling local certificate expiration notification ······························································································· 41
Obtaining the CRL············································································································································ 41
Verifying and maintaining PKI ·························································································································· 42
PKI configuration examples ····························································································································· 43
Example: Requesting a certificate from an RSA Keon CA server ···························································· 43
Example: Requesting a certificate from a Windows Server 2003 CA server ··········································· 45
Example: Requesting a certificate from an OpenCA server ····································································· 49
Example: Importing and exporting certificates ························································································· 52
Troubleshooting PKI configuration ··················································································································· 57
Failed to obtain the CA certificate ············································································································ 57
Failed to obtain local certificates ·············································································································· 58
Failed to request local certificates ············································································································ 58
Failed to obtain CRLs ······························································································································· 59
Failed to import the CA certificate ············································································································ 60
Failed to import the local certificate ·········································································································· 60
Failed to export certificates ······················································································································ 61
Failed to set the storage path ··················································································································· 61
Configuring crypto engines ·········································································· 62
About crypto engines ······································································································································· 62
Verifying and maintaining crypto engines ········································································································ 62
Displaying crypto engine information ······································································································· 62
Displaying and clearing crypto engine statistics ······················································································· 62
Configuring SSH ·························································································· 63
About SSH ······················································································································································· 63
SSH applications ······································································································································ 63
How SSH works ······································································································································· 63
SSH authentication methods ···················································································································· 64
SSH support for Suite B ··························································································································· 65
Configuring the device as an SSH server ········································································································ 65
SSH server tasks at a glance ··················································································································· 65
Generating local key pairs ························································································································ 66
iii
Specifying the SSH service port ··············································································································· 67
Enabling the Stelnet server ······················································································································ 67
Enabling the SFTP server ························································································································ 67
Enabling the SCP server ·························································································································· 68
Enabling NETCONF over SSH ················································································································ 68
Configuring the user lines for SSH login ·································································································· 68
Configuring a client's host public key ······································································································· 69
Configuring an SSH user ························································································································· 70
Configuring the SSH management parameters ······················································································· 71
Specifying a PKI domain for the SSH server ··························································································· 73
Disconnecting SSH sessions ··················································································································· 74
Configuring the device as an Stelnet client ······································································································ 74
Stelnet client tasks at a glance················································································································· 74
Generating local key pairs ························································································································ 74
Specifying the source IP address for outgoing SSH packets ··································································· 74
Establishing a connection to an Stelnet server ························································································ 75
Deleting server public keys saved in the public key file on the Stelnet client··········································· 76
Establishing a connection to an Stelnet server based on Suite B ···························································· 76
Configuring the device as an SFTP client ········································································································ 77
SFTP client tasks at a glance ··················································································································· 77
Generating local key pairs ························································································································ 77
Specifying the source IP address for outgoing SFTP packets ································································· 77
Establishing a connection to an SFTP server ·························································································· 78
Deleting server public keys saved in the public key file on the SFTP client············································· 79
Establishing a connection to an SFTP server based on Suite B ······························································ 79
Working with SFTP directories ················································································································· 80
Working with SFTP files ··························································································································· 81
Displaying help information ······················································································································ 81
Terminating the connection with the SFTP server ··················································································· 82
Configuring the device as an SCP client ·········································································································· 82
SCP client tasks at a glance ···················································································································· 82
Generating local key pairs ························································································································ 82
Specifying the source IP address for outgoing SCP packets ··································································· 83
Establishing a connection to an SCP server ···························································································· 83
Deleting server public keys saved in the public key file on the SCP client ·············································· 84
Establishing a connection to an SCP server based on Suite B································································ 85
Specifying algorithms for SSH2 ······················································································································· 85
About algorithms for SSH2 ······················································································································· 85
Specifying key exchange algorithms for SSH2 ························································································ 85
Specifying public key algorithms for SSH2 ······························································································ 85
Specifying encryption algorithms for SSH2 ······························································································ 86
Specifying MAC algorithms for SSH2 ······································································································ 86
Verifying and maintaining SSH ························································································································ 86
Displaying public key information ············································································································· 86
Verifying SSH server running status ······································································································· 87
Verifying SSH client configuration ············································································································ 87
Displaying SSH2 algrithms ······················································································································· 87
Stelnet configuration examples ························································································································ 87
Example: Configuring the device as an Stelnet server (password authentication) ·································· 87
Example: Configuring the device as an Stelnet server (publickey authentication) ··································· 90
Example: Configuring the device as an Stelnet client (password authentication) ···································· 95
Example: Configuring the device as an Stelnet client (publickey authentication) ···································· 99
Example: Configuring Stelnet based on 128-bit Suite B algorithms······················································· 101
SFTP configuration examples ························································································································ 105
Example: Configuring the device as an SFTP server (password authentication) ·································· 105
Example: Configuring the device as an SFTP client (publickey authentication) ···································· 107
Example: Configuring SFTP based on 192-bit Suite B algorithms························································· 111
SCP configuration examples ·························································································································· 115
Example: Configuring SCP with password authentication ····································································· 115
Example: Configuring SCP file transfer with a Linux SCP client ···························································· 116
Example: Configuring SCP based on Suite B algorithms ······································································ 118
NETCONF over SSH configuration examples ······························································································· 125
iv
Example: Configuring NETCONF over SSH with password authentication ··········································· 125
Configuring SSL ························································································ 127
About SSL ······················································································································································ 127
SSL security services ····························································································································· 127
SSL protocol stack ································································································································· 127
SSL protocol versions ···························································································································· 128
Restrictions and guidelines: SSL configuration ······························································································ 128
SSL tasks at a glance ···································································································································· 128
Configuring an SSL server policy ··················································································································· 129
Configuring an SSL client policy ···················································································································· 130
Disabling SSL protocol versions for the SSL server ······················································································ 131
Disabling SSL session renegotiation·············································································································· 132
Enabling the server-preferred order during cipher suite negotiation ······························································ 132
Verifying and maintaining SSL ······················································································································· 132
Configuring packet filter ············································································· 134
About packet filtering with ACLs ···················································································································· 134
Packet filter tasks at a glance ························································································································ 134
Applying an ACL to filter packets globally ······································································································ 134
Applying an ACL to an interface for packet filtering ······················································································· 134
Applying an ACL to an Ethernet service instance for packet filtering····························································· 135
Applying an ACL to a service template for packet filtering ····································································· 135
Configuring logging and SNMP notifications for packet filtering ···································································· 136
Setting the packet filtering default action ······································································································· 136
Verifying and maintaining packet filter ··········································································································· 136
Verifying the packet filter running status ································································································ 136
Displaying packet filter statistics ············································································································ 137
Clearing packet filter statistics················································································································ 137
Packet filter configuration examples ·············································································································· 137
Example: Configuring interface-based packet filter················································································ 137
Configuring DHCP snooping ······································································ 140
About DHCP snooping ··································································································································· 140
Application of trusted and untrusted ports······························································································ 140
DHCP snooping support for Option 82 ··································································································· 141
DHCP snooping on a DRNI network ······································································································ 142
Restrictions and guidelines: DHCP snooping configuration ··········································································· 143
DHCP snooping tasks at a glance ················································································································· 143
Configuring basic DHCP snooping features ·································································································· 144
Configuring basic DHCP snooping features in a common network ······················································· 144
Configuring basic DHCP snooping features in a VXLAN network ························································· 145
Configuring DHCP snooping support for Option 82 ······················································································· 147
Configuring DHCP snooping entry auto backup ···························································································· 148
Setting the maximum number of DHCP snooping entries ············································································· 148
Configuring DHCP packet rate limit ··············································································································· 149
Configuring DHCP snooping security features ······························································································ 149
Enabling DHCP starvation attack protection ·························································································· 149
Enabling DHCP-REQUEST attack protection ························································································ 150
Configuring a DHCP packet blocking port······························································································ 150
Enabling the giaddr field check in DHCP requests ························································································ 151
Enabling client offline detection on the DHCP snooping device ···································································· 151
Enabling DHCP snooping logging and packet drop alarm ············································································· 152
Enabling DHCP snooping logging ·········································································································· 152
Configuring packet drop alarm ··············································································································· 152
Disabling DHCP snooping on an interface ····································································································· 153
Verifying and maintaining DHCP snooping ···································································································· 153
Verifying DHCP snooping configuration ································································································· 153
Displaying and clearing DHCP snooping entries ··················································································· 153
Displaying and clearing DHCP packet statistics on the DHCP snooping device ··································· 154
Displaying DRNI status information ······································································································· 154
Displaying and clearing DRNI synchronization statistics for DHCP snooping entries···························· 154
v
DHCP snooping configuration examples ······································································································· 154
Example: Configuring basic DHCP snooping features globally ····························································· 154
Example: Configuring basic DHCP snooping features for a VLAN ························································ 155
Example: Configuring DHCP snooping support for Option 82 ······························································· 156
Configuring DHCPv6 snooping ·································································· 159
About DHCPv6 snooping ······························································································································· 159
Application of trusted and untrusted ports······························································································ 159
DHCPv6 snooping on a DRNI network ·································································································· 160
Restrictions and guidelines: DHCPv6 snooping configuration ······································································· 161
DHCPv6 snooping tasks at a glance·············································································································· 161
Configuring basic DHCPv6 snooping features ······························································································· 162
Configuring basic DHCPv6 snooping features in a common network ···················································· 162
Configuring basic DHCPv6 snooping features in a VXLAN network ······················································ 163
Configuring DHCP snooping support for Option 18 ······················································································· 164
Configuring DHCP snooping support for Option 37 ······················································································· 164
Configuring DHCPv6 snooping entry auto backup························································································· 165
Setting the maximum number of DHCPv6 snooping entries ·········································································· 165
Configuring DHCPv6 packet rate limit············································································································ 166
Enabling DHCPv6-REQUEST check ············································································································· 166
Configuring a DHCPv6 packet blocking port ·································································································· 167
Enabling Relay-Forward packet check··········································································································· 167
Enabling client offline detection on the DHCPv6 snooping device ································································ 168
Enabling DHCPv6 snooping logging and alarm ····························································································· 168
Enabling DHCPv6 snooping logging ······································································································ 168
Configuring packet drop alarm ··············································································································· 168
Verifying and maintaining DHCPv6 snooping ································································································ 169
Displaying trusted port information········································································································· 169
Displaying and clearing DHCPv6 snooping entries ················································································ 169
Displaying and clearing DHCPv6 packet statistics for DHCPv6 snooping ············································· 170
Displaying DRNI status information ······································································································· 170
Displaying and clearing DRNI synchronization statistics for DHCPv6 snooping entries ························ 170
DHCPv6 snooping configuration examples···································································································· 170
Example: Configuring DHCPv6 snooping ······························································································ 170
Configuring ARP attack protection ····························································· 172
About ARP attack protection ·························································································································· 172
ARP attack protection tasks at a glance ········································································································ 172
Configuring unresolvable IP attack protection ······························································································· 172
About unresolvable IP attack protection································································································· 172
Configuring ARP source suppression ···································································································· 173
Configuring ARP blackhole routing ········································································································ 173
Verifying and maintaining unresolvable IP attack protection·································································· 174
Example: Configuring unresolvable IP attack protection········································································ 174
Configuring ARP packet rate limit ·················································································································· 175
Configuring source MAC-based ARP attack detection ·················································································· 176
About source MAC-based ARP attack detection ··················································································· 176
Restrictions and guidelines ···················································································································· 176
Procedure ··············································································································································· 176
Displaying and maintaining source MAC-based ARP attack detection ·················································· 177
Example: Configuring source MAC-based ARP attack detection ·························································· 177
Configuring ARP packet source MAC consistency check ·············································································· 178
About ARP packet source MAC consistency check ··············································································· 178
Procedure ··············································································································································· 178
Display and maintenance commands for ARP packet source MAC consistency check ························ 178
Configuring ARP active acknowledgement ···································································································· 178
Configuring authorized ARP··························································································································· 179
About authorized ARP ···························································································································· 179
Procedure ··············································································································································· 179
Example: Configuring authorized ARP on a DHCP server ···································································· 180
Example: Configuring authorized ARP on a DHCP relay agent ····························································· 181
Configuring ARP attack detection ·················································································································· 182
vi
About ARP attack detection ··················································································································· 182
Restrictions and guidelines: ARP attack detection ················································································· 183
Configuring user validity check ·············································································································· 183
Configuring ARP packet validity check ·································································································· 184
Configuring ARP restricted forwarding ··································································································· 185
Ignoring ingress ports of ARP packets during user validity check ························································· 186
Enabling ARP attack detection logging ·································································································· 186
Verifying and maintaining ARP attack detection ···················································································· 187
Configuring ARP scanning and fixed ARP ····································································································· 187
Triggering an ARP scanning ·················································································································· 188
Configuring automatic ARP scanning ···································································································· 188
Configuring fixed ARP ···························································································································· 189
Configuring ARP gateway protection ············································································································· 189
About ARP gateway protection ·············································································································· 189
Restrictions and guidelines ···················································································································· 189
Procedure ··············································································································································· 189
Example: Configuring ARP gateway protection ····················································································· 189
Configuring ARP filtering ································································································································ 190
ARP filtering ··········································································································································· 190
Restrictions and guidelines ···················································································································· 190
Procedure ··············································································································································· 191
Example: Configuring ARP filtering ········································································································ 191
Configuring ARP sender IP address checking ······························································································· 192
About ARP sender IP address checking ································································································ 192
Procedure ··············································································································································· 192
Configuring ND attack defense ·································································· 193
About ND attack defense ······························································································································· 193
Configuring ND packet rate limit ···················································································································· 193
Enabling source MAC consistency check for ND messages ········································································· 194
Configuring ND attack detection ···················································································································· 195
About ND attack detection ····················································································································· 195
Restrictions and guidelines for ND attack detection configuration ························································· 195
Configuring ND attack detection for a VSI ····························································································· 196
Enabling ND attack detection logging ···································································································· 196
Verifying and maintaining ND attack detection ······················································································ 197
Enabling ND scanning···································································································································· 197
Configuring attack detection and prevention ·············································· 198
About attack detection and prevention ··········································································································· 198
Attacks that the device can prevent ··············································································································· 198
Single-packet attacks ····························································································································· 198
Scanning attacks ···································································································································· 199
Flood attacks ·········································································································································· 200
TCP fragment attack ······························································································································ 201
Login DoS attack ···································································································································· 201
Login dictionary attack ··························································································································· 201
Attack detection and prevention tasks at a glance ························································································· 202
Configuring and applying an attack defense policy ························································································ 202
Creating an attack defense policy ·········································································································· 202
Configuring a single-packet attack defense policy ················································································· 202
Configuring a scanning attack defense policy ························································································ 204
Configuring a flood attack defense policy ······························································································ 204
Configuring attack detection exemption ································································································· 209
Applying an attack defense policy to the device ···················································································· 210
Enabling log non-aggregation for single-packet attack events ······································································ 210
Configuring TCP fragment attack prevention ································································································· 211
Enabling the login delay ································································································································· 211
Verifying and maintaining attack detection and prevention ············································································ 211
Verifying attack defense configuration ··································································································· 211
Displaying attack detection and prevention entries ················································································ 211
Displaying and clearing attack detection and prevention statistics ························································ 212
vii
Configuring IP source guard ······································································ 214
About IPSG ···················································································································································· 214
IPSG operating mechanism ··················································································································· 214
Static IPSG bindings ······························································································································ 214
Dynamic IPSG bindings ························································································································· 215
Restrictions and guidelines: IPSG configuration ···························································································· 215
IPSG tasks at a glance··································································································································· 216
Configuring the IPv4SG feature ····················································································································· 216
Enabling IPv4SG on an interface ··········································································································· 216
Configuring a static IPv4SG binding ······································································································ 216
Configuring the IPv6SG feature ····················································································································· 217
Enabling IPv6SG on an interface ··········································································································· 217
Configuring a static IPv6SG binding ······································································································ 218
Verifying and maintaining IPSG ····················································································································· 219
Displaying IPv4SG binding information ·································································································· 219
Displaying IPv6SG binding information ·································································································· 219
IPSG configuration examples ························································································································ 219
Example: Configuring static IPv4SG ······································································································ 219
Example: Configuring DHCP snooping-based dynamic IPv4SG ··························································· 220
Example: Configuring DHCP relay agent-based dynamic IPv4SG ························································ 221
Example: Configuring static IPv6SG ······································································································ 222
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ··························· 223
Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ······························· 224
Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ···················································· 225
Configuring uRPF ······················································································ 227
About uRPF···················································································································································· 227
uRPF application scenario ····················································································································· 227
uRPF check modes ································································································································ 227
Network application ································································································································ 227
Restrictions and guidelines: uRPF configuration ··························································································· 228
Enabling uRPF globally ·································································································································· 228
Enabling uRPF on an interface ······················································································································ 228
Verifying and maintaining uRPF····················································································································· 229
Document conventions and icons ······························································ 230
Conventions ··················································································································································· 230
Network topology icons ·································································································································· 231
Support and other resources ····································································· 232
Accessing Hewlett Packard Enterprise Support····························································································· 232
Accessing updates ········································································································································· 232
Websites ················································································································································ 233
Customer self repair ······························································································································· 233
Remote support ······································································································································ 233
Documentation feedback ······················································································································· 233
Index ·········································································································· 235
1
Configuring keychains
About keychains
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication
by periodically changing the key and authentication algorithm without service interruption.
Operating mechanism
Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving
lifetime. When the system time is within the lifetime of a key in a keychain, an application uses the
key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one
according to the sequence of the configured lifetimes. In this way, the authentication algorithms and
keys are dynamically changed to implement dynamic authentication.
Time modes
A keychain operates in absolute time mode or periodic time mode. The lifetime for a key varies by
time mode.
•
Absolute time mode—Each time point during a key's lifetime is the UTC time and is not
affected by the system's time zone or daylight saving time.
•
Periodic time mode—A key's lifetime is calculated based on the local time and is affected by
the system's time zone and daylight saving time.
 daily—The lifetime for a key is from the specified start time to the specified end time of each
day.
 weekly—The lifetime for a key is from the specified start day to the specified end day of
each week.
 monthly—The lifetime for a key is from the specified start date to the specified end date of
each month.
 yearly—The lifetime for a key is from the specified start month to the specified end month of
each year.
Restrictions and guidelines: Keychain
configuration
Follow these guidelines when you configure a keychain:
•
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set
non-overlapping sending lifetimes for the keys in the keychain.
•
The keys used by the local device and the peer device must have the same authentication
algorithm and key string.
Configuring a keychain in absolute time mode
1. Enter system view.
system-view
2. Create a keychain and enter keychain view.
2
keychain keychain-name mode absolute
3. (Optional.) Configure TCP authentication.
ï‚¡ Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
ï‚¡ Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5
authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make
sure both devices have the same kind value and algorithm ID settings. If they do not, modify the
settings on the local device.
4. (Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
If authentication information is changed, information mismatch occurs on the local and peer
devices, and the service might be interrupted. Use this command to ensure continuous packet
authentication.
5. Create a key and enter key view.
key key-id
6. Configure the key.
ï‚¡ Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 |
md5 }
By default, no authentication algorithm is specified for a key.
ï‚¡ Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
ï‚¡ Set the sending lifetime in UTC mode for the key.
send-lifetime utc start-time start-date { duration { duration-value
| infinite } | to end-time end-date }
By default, the sending lifetime is not configured for a key.
ï‚¡ Set the receiving lifetime in UTC mode for the key.
accept-lifetime utc start-time start-date { duration
{ duration-value | infinite } | to end-time end-date }
By default, the receiving lifetime is not configured for a key.
ï‚¡ (Optional.) Specify the key as the default send key.
default-send-key
By default, a keychain does not have a default send key.
You can specify only one key as the default send key in a keychain.
Configuring a keychain in periodic time mode
1. Enter system view.
system-view
2. Create a keychain and enter keychain view.
3
keychain keychain-name mode periodic { daily | monthly | weekly |
yearly }
3. (Optional.) Configure TCP authentication.
ï‚¡ Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
ï‚¡ Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5
authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make
sure both devices have the same kind value and algorithm ID settings. If they do not, modify the
settings on the local device.
4. (Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
If authentication information is changed, information mismatch occurs on the local and peer
devices, and the service might be interrupted. Use this command to ensure continuous packet
authentication.
5. Create a key and enter key view.
key key-id
6. Configure the key.
ï‚¡ Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 |
md5 }
By default, no authentication algorithm is specified for a key.
ï‚¡ Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
ï‚¡ Set the daily, weekly, monthly, or yearly sending lifetime in periodic time mode for the key.
send-lifetime daily start-day-time to end-day-time
send-lifetime date { month-day&<1-31> | start-month-day to
end-month-day }
send-lifetime day { week-day | start-week-day to end-week-day }
send-lifetime month { month | start-month to end-month }
By default, the sending lifetime is not configured for a key.
ï‚¡ Set the daily, weekly, monthly, or yearly receiving lifetime in periodic time mode for the key.
accept-lifetime daily start-day-time to end-day-time
accept-lifetime date { month-day&<1-31> | start-month-day to
end-month-day }
accept-lifetime day { week-day | start-week-day to end-week-day }
accept-lifetime month { month | start-month to end-month }
By default, the receiving lifetime is not configured for a key.
ï‚¡ (Optional.) Specify the key as the default send key.
default-send-key
4
By default, a keychain does not have a default send key.
You can specify only one key as the default send key in a keychain.
Verifying and maintaining keychains
To display keychain information, execute the following command in any view:
display keychain [ name keychain-name [ key key-id ] ]
Keychain configuration examples
Example: Configuring keychains
Network configuration
As shown in Figure 1, establish an OSPF neighbor relationship between Device A and Device B, and
use a keychain to authenticate packets between the devices. Configure key 1 and key 2 for the
keychain and make sure key 2 is used immediately when key 1 expires.
Figure 1 Network diagram
Procedure
1. Configure Device A:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<DeviceA> system-view
[DeviceA] ospf 1 router-id 1.1.1.1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[DeviceA] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[DeviceA-keychain-abc] key 1
[DeviceA-keychain-abc-key-1] authentication-algorithm md5
[DeviceA-keychain-abc-key-1] key-string plain 123456
[DeviceA-keychain-abc-key-1] send-lifetime utc 10:00:00 2019/02/06 to 11:00:00
2019/02/06
[DeviceA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2019/02/06 to 11:00:00
2019/02/06
[DeviceA-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[DeviceA-keychain-abc] key 2
HGE1/0/1
192.1.1.2/24
HGE1/0/1
192.1.1.1/24
Device BDevice A
5
[DeviceA-keychain-abc-key-2] authentication-algorithm hmac-md5
[DeviceA-keychain-abc-key-2] key-string plain pwd123
[DeviceA-keychain-abc-key-2] send-lifetime utc 11:00:00 2019/02/06 to 12:00:00
2019/02/06
[DeviceA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2019/02/06 to 12:00:00
2019/02/06
[DeviceA-keychain-abc-key-2] quit
[DeviceA-keychain-abc] quit
# Configure HundredGigE 1/0/1 to use keychain abc for authentication.
[DeviceA] interface HundredGigE1/0/1
[DeviceA-HundredGigE1/0/1] ospf authentication-mode keychain abc
[DeviceA-HundredGigE1/0/1] quit
2. Configure Device B:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<DeviceB> system-view
[DeviceB] ospf 1 router-id 2.2.2.2
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[DeviceB] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[DeviceB-keychain-abc] key 1
[DeviceB-keychain-abc-key-1] authentication-algorithm md5
[DeviceB-keychain-abc-key-1] key-string plain 123456
[DeviceB-keychain-abc-key-1] send-lifetime utc 10:00:00 2019/02/06 to 11:00:00
2019/02/06
[DeviceB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2019/02/06 to 11:10:00
2019/02/06
[DeviceB-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string
and the sending and receiving lifetimes for the key.
[DeviceB-keychain-abc] key 2
[DeviceB-keychain-abc-key-2] key-string plain pwd123
[DeviceB-keychain-abc-key-2] authentication-algorithm hmac-md5
[DeviceB-keychain-abc-key-2] send-lifetime utc 11:00:00 2019/02/06 to 12:00:00
2019/02/06
[DeviceB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2019/02/06 to 12:00:00
2019/02/06
[DeviceB-keychain-abc-key-2] quit
[DeviceB-keychain-abc] quit
# Configure HundredGigE 1/0/1 to use keychain abc for authentication.
[DeviceB] interface HundredGigE1/0/1
[DeviceB-HundredGigE1/0/1] ospf authentication-mode keychain abc
[DeviceB-HundredGigE1/0/1] quit
6
Verifying the configuration
1. When the system time is within the lifetime from 10:00:00 to 11:00:00 on the day 2019/02/06,
verify the status of the keys in keychain abc.
# Display keychain information on Device A. The output shows that key 1 is the valid key.
[DeviceA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Send status : Active
Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Accept status : Inactive
# Display keychain information on Device B. The output shows that key 1 is the valid key.
[DeviceB]display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
7
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Send status : Active
Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Accept status : Inactive
2. When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2019/02/06,
verify the status of the keys in keychain abc.
# Display keychain information on Device A. The output shows that key 2 becomes the valid
key.
[DeviceA]display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Send status : Active
Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Accept status : Active
8
# Display keychain information on Device B. The output shows that key 2 becomes the valid
key.
[DeviceB]display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Send status : Active
Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06
Accept status : Active
9
Managing public keys
About public key management
This chapter describes public key management for the following asymmetric key algorithms:
•
Revest-Shamir-Adleman Algorithm (RSA).
•
Digital Signature Algorithm (DSA).
•
Elliptic Curve Digital Signature Algorithm (ECDSA).
Asymmetric key algorithm overview
Asymmetric key algorithms are used by security applications to secure communications between
two parties, as shown in Figure 2. Asymmetric key algorithms use two separate keys (one public and
one private) for encryption and decryption. Symmetric key algorithms use only one key.
Figure 2 Encryption and decryption
A key owner can distribute the public key in plain text on the network but must keep the private key in
privacy. It is mathematically infeasible to calculate the private key even if an attacker knows the
algorithm and the public key.
Usage of asymmetric key algorithms
Security applications (such as SSH, SSL, and PKI) use the asymmetric key algorithms for the
following purposes:
•
Encryption and decryption—Any public key receiver can use the public key to encrypt
information, but only the private key owner can decrypt the information.
•
Digital signature—The key owner uses the private key to digitally sign information to be sent.
The receiver decrypts the information with the sender's public key to verify information
authenticity.
RSA, DSA, and ECDSA can all perform digital signature, but only RSA can perform encryption and
decryption.
Public key management tasks at a glance
To manage public keys, perform the following tasks:
1. Creating a local key pair
2. Importing a local key pair
3. Distributing a local host public key
Choose one of the following tasks:
ï‚¡ Exporting a host public key
Receiver
Key
Plain text Cipher text Plain text
Sender
Encryption Decryption
Key
10
ï‚¡ Displaying a host public key
To enable the peer device to authenticate the local device, you must distribute the local device's
public key to the peer device.
4. Configuring a peer host public key
Choose one of the following tasks:
ï‚¡ Importing a peer host public key from a public key file
ï‚¡ Entering a peer host public key
To encrypt information sent to a peer device or authenticate the digital signature of the peer
device, you must configure the peer device's public key on the local device.
5. (Optional.) Destroying a local key pair
6. (Optional.) Configuring master keys
Creating a local key pair
Restrictions and guidelines
When you create a local key pair, follow these guidelines:
•
The key algorithm must be the same as required by the security application.
•
When you create an RSA or DSA key pair, enter an appropriate key modulus length at the
prompt. The longer the key modulus length, the higher the security, and the longer the key
generation time.
When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve
determines the ECDSA key length. The longer the key length, the higher the security, and the
longer the key generation time.
See Table 1 for more information about key modulus lengths and key lengths.
•
If you do not assign the key pair a name, the system assigns the default name to the key pair
and marks the key pair as default. You can also assign the default name to another key pair, but
the system does not mark the key pair as default. The key pair name must be unique among all
manually named key pairs that use the same key algorithm. If a name conflict occurs, the
system asks whether you want to overwrite the existing key pair.
•
The key pairs are automatically saved and can survive system reboots.
Table 1 A comparison of different types of asymmetric key algorithms
Type
Generated key pairs
Modulus/key length
RSA
• One host key pair, if you specify a key pair
name.
• One server key pair and one host key pair, if
you do not specify a key pair name.
Both key pairs use their default names.
NOTE:
Only SSH 1.5 uses the RSA server key pair.
Key modulus length: 512 to 2048 bits.
Default: 1024 bits.
To ensure security, use a minimum of
768 bits.
DSA One host key pair.
Key modulus length: 512 to 2048 bits.
Default: 1024 bits.
To ensure security, use a minimum of
768 bits.
ECDSA One host key pair. Key length: 192, 256, 384, or 521 bits.
11
Procedure
1. Enter system view.
system-view
2. Create a local key pair.
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1
| secp521r1 ] | rsa } [ name key-name ]
Importing a local key pair
About this task
This task imports a key pair from a key pair file to the device. The imported key pairs are
automatically saved and can survive system reboots.
Perform this task when the key pair to be imported is saved in a different file than the certificate. If the
key pair and the certificate are saved in the same file, the device can obtain the key pair by importing
the certificate.
Restrictions and guidelines
The device supports importing the RSA host key pair but not the RSA server key pair.
If you do not assign the key pair a name, the system assigns the default name to the key pair and
marks the key pair as default. You can also assign the default name to another key pair, but the
system does not mark the key pair as default. The name of a key pair must be unique among all
manually named key pairs that use the same key algorithm. If a name conflict occurs, the system
asks whether you want to overwrite the existing key pair.
To import the encrypted key pair into the device successfully, provide the decryption password.
See Table 2 for information about supported key modulus lengths and key lengths.
Table 2 Length of key pair
Type Modulus/key length
RSA Key modulus length: 512 to 2048 bits.
ECDSA Key length: 192, 256, 384, or 521 bits.
Prerequisites
Before performing this task, save the key pair file to the local storage directory of the device through
FTP or other methods.
Procedure
1. Enter system view.
system-view
2. Import a local key pair.
public-key local import { ecdsa | rsa } [ key-name ] filename filename
Distributing a local host public key
About distribution of local host public keys
You must distribute a local host public key to a peer device so the peer device can perform the
following operations:
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273

Aruba FlexFabric 12900E Switch Series Security Configuration Guide

Category
Software
Type
Configuration Guide
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI