Saturday , December 28 2024

port security on Huawei switches

How to prevent unauthorized users from connecting their PCs to an enterprise network? How to prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?

Port Security is a Layer 2 feature, which can be enabled on an interface, to prevent devices with untrusted MAC address, from accessing a switch interface. When enabled, MAC address of the device connected to the port, is dynamically learned by the switch and stored in a memory (by default it is not aged out). Only this MAC address is then allowed to forward traffic over switch port (only one trusted MAC is allowed by default). Every different MAC address will cause the port to go into one of the following states:

  • Protect – packets coming from untrusted MAC address will be dropped,
  • Restrict – packets coming from untrusted MAC address will be dropped and SNMP trap message will be generated (default behavior),
  • Shutdown – port will be put into shutdown state.

Let’s configure  port security feature on a switch port and see, how it works.

<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable

Generate some traffic from your PC, so that switch could learn PC’s MAC address. As you can see, my PC’s MAC address of aabb-ccdd-eeff was dynamically learned and assigned to the GigabitEthernet 0/0/1 port.

[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI    MAC-Tunnel  
-------------------------------------------------------------------------------
aabb-ccdd-eeff 1           -      -      GE0/0/1         security  -           
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1

Let’s see what happens, when different PC with different MAC address will be connected to the same port.

<labnarioSW1>
Sep 18 2013 12:51:06-08:00 labnarioSW1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1
.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEth
ernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3
:shutdown)

All the traffic coming from different PC is dropped by the switch. Port GigabitEthernet 0/0/1 has changed its status to restrict, only MAC address of aabb-ccdd-eeff is allowed to send traffic over this port. All the other traffic will be dropped and SNMP message will be generated.

If we want our port to go into different state than the default restrict state, we can use the following options:

[labnarioSW1-GigabitEthernet0/0/1]port-security protect-action ?
  protect    Discard packets
  restrict   Discard packets and warning
  shutdown   shutdown

It is important to note that this secure MAC address, which was learned dynamically by the switch, is stored in a switch memory and will not be aged out, but in case of the switch reload, it will disappear from memory. To avoid this, MAC address sticky can be configured. This option instructs our switch to save this MAC address to the configuration file.

[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky

MAC address sticky has an option to define MAC address manually. This option can be used in case when PC is not actually connected to the switch port and its MAC address cannot be dynamically learned:

[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky aaaa-bbbb-cccc vlan 1

[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI    MAC-Tunnel  
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1           -      -      GE0/0/1         sticky    -    
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1

If we want to define more than one secure MAC address (this is the default behavior), we can use a command as follows:

[labnarioSW1-GigabitEthernet0/0/1]port-security max-mac-num 2

Now I can add the second secure MAC address:

[labnarioSW1-GigabitEthernet0/0/1]port-security mac-address sticky cccc-bbbb-aaaa vlan 1
[labnarioSW1-GigabitEthernet0/0/1]display mac-address security
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI    MAC-Tunnel  
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 1           -      -      GE0/0/1         sticky    -    
cccc-bbbb-aaaa 1           -      -      GE0/0/1         sticky    -    

-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2

The last option of the Port Security feature is aging time. By default every MAC address, learned dynamically and stored in a switch memory as a secure MAC address, will not be aged out. This default behavior can be changed and aging time can be set using the following command.

[labnarioSW1-GigabitEthernet0/0/1]port-security aging-time 2

Keep in mind, that this value represents time in minutes.

Read More »

GRE over IPSec on Huawei AR routers

If you want to recall how to configure GRE, just look at GRE on Huawei routers.

You can return to IPSec configuration, reading IPSec on Huawei AR router.

Today, I’m going to put them together and try to configure GRE over IPSec.

Based on the topology below, configure IP adresses and OSPF protocol to ensure connectivity between all routers (omitted here).

Configure tunnel interface on labnario_1 and labnario_3:

[labnario_1]interface Tunnel0/0/0
[labnario_1-Tunnel0/0/0] ip address 10.0.0.1 255.255.255.0 
[labnario_1-Tunnel0/0/0] tunnel-protocol gre
[labnario_1-Tunnel0/0/0] source 150.0.0.1
[labnario_1-Tunnel0/0/0] destination 160.0.0.1

[labnario_3]interface Tunnel0/0/0
[labnario_3-Tunnel0/0/0] ip address 10.0.0.2 255.255.255.0 
[labnario_3-Tunnel0/0/0] tunnel-protocol gre
[labnario_3-Tunnel0/0/0] source 160.0.0.1
[labnario_3-Tunnel0/0/0] destination 150.0.0.1

Use ping command to check if the tunnel interface has been set up:

[labnario_3]ping 150.0.0.1
  PING 150.0.0.1: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 150.0.0.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 150.0.0.1: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 150.0.0.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 150.0.0.1: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 150.0.0.1 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 30/37/50 ms

Configure IPSec on labnario_1 and labnario_3 (labnario_3 configuration is omitted here):

[labnario_1]acl 3500
[labnario_1-acl-adv-3500]rule permit gre source 150.0.0.1 0 destination 160.0.0.1 0
[labnario_1]ipsec proposal labnario

[labnario_1]ike local-name labnario_1

[labnario_1]ike peer labnario_3 v1
[labnario_1-ike-peer-labnario_3]exchange-mode aggressive 
[labnario_1-ike-peer-labnario_3]local-id-type name 
[labnario_1-ike-peer-labnario_3]pre-shared-key cipher labnario
[labnario_1-ike-peer-labnario_3]remote-name labnario_3
[labnario_1-ike-peer-labnario_3]remote-address 160.0.0.1 

[labnario_1]ipsec policy labnario 1 isakmp
[labnario_1-ipsec-policy-isakmp-labnario-1]security acl 3500
[labnario_1-ipsec-policy-isakmp-labnario-1]ike-peer labnario_3
[labnario_1-ipsec-policy-isakmp-labnario-1]proposal labnario 

[labnario_1-GigabitEthernet0/0/0]ipsec policy labnario

<labnario_1>dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
       11    160.0.0.1       0     RD|ST                  2     
       10    160.0.0.1       0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

<labnario_1>dis ipsec sa

===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "labnario"
  Sequence number  : 1
  Acl Group        : 3500
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 11
    Encapsulation mode: Tunnel
    Tunnel local      : 150.0.0.1
    Tunnel remote     : 160.0.0.1
    Flow source       : 150.0.0.1/255.255.255.255 47/0
    Flow destination  : 160.0.0.1/255.255.255.255 47/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 2472318789 (0x935c9745)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436800/3557
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 3680592061 (0xdb6160bd)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436800/3557
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

Finally, configure static routes that inject traffic from PC1 and PC2 into tunnel interface:

[labnario_1]ip route-static 172.16.10.0 255.255.255.0 Tunnel0/0/0

[labnario_3]ip route-static 172.16.0.0 255.255.255.0 Tunnel0/0/0

Let’s verify whether traffic between hosts, passing through tunnel interface, is encrypted by IPSec (use ping between PC1 and PC2):

<labnario_1>dis ipsec statistics esp
 Inpacket count            : 844
 Inpacket auth count       : 0
 Inpacket decap count      : 0
 Outpacket count           : 852
 Outpacket auth count      : 0
 Outpacket encap count     : 0
 Inpacket drop count       : 0
 Outpacket drop count      : 0
 BadAuthLen count          : 0
 AuthFail count            : 0
 InSAAclCheckFail count    : 0
 PktDuplicateDrop count    : 0
 PktSeqNoTooSmallDrop count: 0
 PktInSAMissDrop count     : 0

Now we can try to spy captured packets between PCs:

 

Read More »

from Huawei CLI – fixdisk

I’ve had only one case when I used this command and … full success.

Sometimes it can happen that the file system doesn’t work properly. When you run dir command, you can find the space, which usage status is unknown. The system prompts you that the file system should be restored. Then you can run fixdisk command to release the unknown space.

Notice that:

  • It is not recommended to use it when the file system works correctly.
  • It doesn’t help when physical medium is damaged.
  • Do not use it when CPU usage is high.
Lost chains in flash detected, please use fixdisk to recover them!
<labnario>fixdisk flash:
Fixdisk flash: will take long time if needed
%Fixdisk flash: completed.

Read More »

Huawei eNSP – news

A new Huawei network simulator eNSP has been released.

You can download it clicking on the picture below:

huawei-enterprise-network-simulation-platform

 

Anyway, the first version of Huawei eNSP was introduced one year ago. I would like to know your opinions about the simulator. What is your experience with it? Is it helpful of useless for you? Feel free to express you thoughts.

Read More »