07-HABP Configuration
This chapter includes these sections:
· Displaying and maintaining HABP
NOTE:
· The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.
· The WX3000E series comprises WX3024E and WX3010E wireless switches.
· The port numbers in this chapter are for illustration only.
Introduction to HABP
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device.
As shown in Figure 1, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the downstream network devices. The end-user devices (the supplicants) run the 802.1X client software for 802.1X authentication. For Switch B and Switch D, where the 802.1X client is not supported (which is typical of network devices), the communication between them will fail because they cannot pass 802.1X authentication and their packets will be blocked on Switch A. To allow the two switches to communicate, you can use HABP.
Figure 1 Network diagram for HABP application
HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server is enabled on the authentication device (which is configured with 802.1X or MAC authentication, such as Switch A in the above example), and the attached switches function as the HABP clients, such as Switch B through Switch E in the example. No device can function as both an HABP server and a client at the same time. Typically, the HABP server sends HABP requests to all its clients periodically to collect their MAC addresses, and the clients respond to the requests. After the server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specified VLAN. Communication between the HABP server and HABP clients is implemented through this VLAN.
Configuring HABP
Complete the following tasks to configure HABP:
Configuring the HABP server
The HABP server is usually configured on the authentication device on which 802.1X authentication or MAC authentication is enabled. The HABP server sends HABP requests to the attached switches (HABP clients) at a specified interval and collects their MAC addresses from the responses. HABP packets are transmitted in the VLAN specified on the HABP server.
Follow these steps to configure an HABP server:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable HABP | habp enable | Optional. Enabled by default. |
Configure HABP to work in server mode and specify the VLAN for HABP packets | habp server vlan vlan-id | Required. HABP works in client mode by default. |
Set the interval to send HABP requests | habp timer interval | Optional. 20 seconds by default. |

NOTE: The VLAN specified on the HABP server for transmitting HABP packets must be the same as that to which the HABP clients belong.
Configuring an HABP client
An HABP client is usually configured on each device that is attached to the authentication device. After receiving an HABP request from the HABP server, an HABP client responds to the request, delivering its MAC address to the server, and forwards the HABP request to its attached switches. HABP packets are transmitted in the VLAN to which the HABP client belongs.
Follow these steps to configure an HABP client:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable HABP | habp enable | Optional. Enabled by default. |
Configure HABP to work in client mode | undo habp server | Optional. HABP works in client mode by default. |
Specify the VLAN to which the HABP client belongs | habp client vlan vlan-id | Optional. By default, an HABP client belongs to VLAN 1. |

NOTE: The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
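
The two NOTEs above state the one constraint that silently breaks HABP when violated: the client VLAN must equal the VLAN set on the server. The following check is an added example (not H3C code) that derives each device's effective HABP state from the commands and defaults documented in this chapter and reports mismatches. The function names are hypothetical, the SwitchC line is constructed, and it assumes one HABP server per audited topology.

```python
import re

PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")  # "[SwitchA]" or "<SwitchA>"

def parse_habp_config(lines):
    """Effective HABP state of one device, starting from this chapter's defaults."""
    st = {"mode": "client", "server_vlan": None, "client_vlan": 1, "timer": 20}
    for raw in lines:
        cmd = " ".join(PROMPT.sub("", raw).split())
        if m := re.fullmatch(r"habp server vlan (\d+)", cmd):
            st["mode"], st["server_vlan"] = "server", int(m.group(1))
        elif cmd == "undo habp server":
            st["mode"], st["server_vlan"] = "client", None
        elif m := re.fullmatch(r"habp client vlan (\d+)", cmd):
            st["client_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"habp timer (\d+)", cmd):
            st["timer"] = int(m.group(1))
    # The VLAN that carries HABP packets depends on the operating mode.
    st["vlan"] = st["server_vlan"] if st["mode"] == "server" else st["client_vlan"]
    return st

def check_habp_vlans(configs):
    """configs maps device name -> config lines. Returns a list of findings."""
    states = {name: parse_habp_config(cfg) for name, cfg in configs.items()}
    servers = sorted(n for n, s in states.items() if s["mode"] == "server")
    if len(servers) != 1:  # assumption: one server per audited topology
        return [f"expected one HABP server, found {len(servers)}: {servers}"]
    server = servers[0]
    vlan = states[server]["vlan"]
    return [
        f"{name}: client VLAN {s['vlan']} != {server} HABP VLAN {vlan}"
        for name, s in sorted(states.items())
        if s["mode"] == "client" and s["vlan"] != vlan
    ]

# SwitchA and SwitchB use this chapter's commands; SwitchC is a constructed mismatch.
SAMPLE_CONFIGS = {
    "SwitchA": ["[SwitchA] habp enable", "[SwitchA] habp server vlan 1",
                "[SwitchA] habp timer 50"],
    "SwitchB": ["[SwitchB] habp enable", "[SwitchB] undo habp server",
                "[SwitchB] habp client vlan 1"],
    "SwitchC": ["[SwitchC] habp client vlan 10"],
}

if __name__ == "__main__":
    for finding in check_habp_vlans(SAMPLE_CONFIGS):
        print(finding)
```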
Displaying and maintaining HABP
To do… | Use the command… | Remarks |
---|---|---|
Display HABP configuration information | display habp [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display HABP MAC address table entries | display habp table [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display HABP packet statistics | display habp traffic [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
HABP configuration example
Network requirements
As shown in Figure 2, access devices Switch B and Switch C are attached to Switch A. 802.1X authentication is configured on Switch A for central authentication and management of users (Host A through Host D).
For communication between Switch B and Switch C, enable HABP server on Switch A, enable HABP client on Switch B and Switch C, and specify VLAN 1 for HABP packets.
Configure the HABP server to send HABP request packets to the HABP clients in VLAN 1 at an interval of 50 seconds.
Figure 2 Network diagram for HABP configuration
Configuration procedure
1. Configure Switch A
# Perform 802.1X related configurations on Switch A. For detailed configurations, see the chapter “802.1X configuration.”
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
[SwitchA] habp server vlan 1
# Set the interval at which the switch sends HABP request packets to 50 seconds.
[SwitchA] habp timer 50
2. Configure Switch B
# Enable HABP. (HABP is enabled by default. This configuration is optional.)
<SwitchB> system-view
[SwitchB] habp enable
# Configure HABP to work in client mode. (HABP works in client mode by default. This configuration is optional.)
[SwitchB] undo habp server
# Specify the VLAN to which the HABP client belongs as VLAN 1. (An HABP client belongs to VLAN 1 by default. This configuration is optional.)
[SwitchB] habp client vlan 1
3. Configure Switch C
Configurations on Switch C are similar to those on Switch B.
4. Verify your configuration
# Display HABP configuration information.
<SwitchA> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 50 seconds
Bypass VLAN: 1
# Display HABP MAC address table entries.
<SwitchA> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 GigabitEthernet1/0/2
001f-3c00-0031 53 GigabitEthernet1/0/1
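
Because every MAC address in the HABP table is exempt from 802.1X and MAC authentication on the server's ports, it is worth comparing the table against an inventory of the switches that are expected to be there. The following audit is an added example (not H3C code) that parses `display habp table` output in the format shown above. The inventory, the function names and the third table row are constructed for illustration.

```python
import re

# One table row: MAC in xxxx-xxxx-xxxx form, hold time, receive port.
ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)$", re.I)

def parse_habp_table(output):
    """Return the entries of a 'display habp table' listing as dicts."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and prompt lines do not match and are skipped
            entries.append({"mac": m.group(1).lower(),
                            "holdtime": int(m.group(2)),
                            "port": m.group(3)})
    return entries

def audit_habp_table(output, inventory):
    """inventory maps lower-case MAC -> expected receive port.

    Returns (kind, mac, port) tuples for every deviation.
    """
    findings, seen = [], set()
    for e in parse_habp_table(output):
        seen.add(e["mac"])
        expected = inventory.get(e["mac"])
        if expected is None:
            findings.append(("unknown-mac", e["mac"], e["port"]))
        elif expected != e["port"]:
            findings.append(("port-mismatch", e["mac"], e["port"]))
    for mac in sorted(set(inventory) - seen):
        findings.append(("missing", mac, inventory[mac]))
    return findings

# First two rows are the output shown above; the last row is constructed.
SAMPLE_TABLE = """MAC Holdtime Receive Port
001f-3c00-0030 53 GigabitEthernet1/0/2
001f-3c00-0031 53 GigabitEthernet1/0/1
0011-2233-4455 12 GigabitEthernet1/0/3
"""

# Hypothetical inventory of approved downstream switches.
SAMPLE_INVENTORY = {
    "001f-3c00-0030": "GigabitEthernet1/0/2",
    "001f-3c00-0031": "GigabitEthernet1/0/4",
    "001f-3c00-0032": "GigabitEthernet1/0/5",
}

if __name__ == "__main__":
    for finding in audit_habp_table(SAMPLE_TABLE, SAMPLE_INVENTORY):
        print(finding)
```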