How to solve network security problems with vswitch settings

In view of the increasing prevalence of cyberattacks on the Internet and to strengthen the network security management of the company's internal networks, it is required to take reinforcement measures for switches connected to external routes. First, redundant ports are disabled; the second is binding IP, MAC, and PORT to prevent access from unfamiliar hosts. The third is to set the user and password for the console port and VTY (virtual terminal) of the switch.
The Unit is the Quidway S3026E switch connected to the external route. Access relevant information online and start configuring the S3026E switch. Based on the information, the shutdown command closes the PORT, and the arp command binds IP, MAC, and PORT. The shutdown command can shut down the port. However, after saving the configuration and restarting the switch, the port can still connect to the terminal microcomputer and query the port status, but "administratively down" is displayed ". However, send the relevant information to Huawei for technical support and respond to possible hardware faults, which need to be resolved on site. Report to the higher-level business department and agree to be assisted by the Local Technical Company. Local technicians have configured CONSOLE and VTY users and passwords. However, binding IP addresses, MAC addresses, and ports and disabling redundant ports cannot be achieved. Unlike my own configuration policies, local technicians use a more complex access control table to bind the three. When I configure to close the redundant port, the situation is exactly the same as that of me. After the restart, I can still connect to the terminal microcomputer. Finally, the local technical staff had to shake their heads and leave. In my opinion, www.2cto.com tries its best to use existing devices to save costs. Replacing switches is not the best solution. Although the local technicians failed to solve the problem, I was reminded in the last sentence. At that time, the local technical staff once explained that the switch software version was low, and the CLI was still similar to CISCO. So can we upgrade it? The local technical staff replied to the switch earlier. Huawei does not support the software upgrade and the upgrade package cannot be downloaded. I checked the S3026E upgrade software on the Internet and finally found it on www.h3c.com. Since it is not a Huawei employee and cannot get the download permission, I had to notify the local technical staff to download and send it to myself. The software Version of The S3026E switch is VRP Version 3.10 RELEASE 0002 and Bootrom Version is 119, which is indeed too low. Fortunately, local technicians have sent the upgraded software. These include Bootrom_V130, Bootrom_V160, and VRP3.10-R0035. I was excited when I received the software upgrade and read the instructions. Upgrade the vswitch software immediately. Configure the TFTP server as required and the vswitch management IP address. Note: the TFTP server must be set in a CIDR block. Restart the vswitch and press Ctrl + B. After selecting the menu, press Ctrl + u to go to The BOOTROM loading menu and select "Set TFTP protocol parameter ". The process is as follows:
Update Bootrom1. Set TFTP protocol parameter2. Set FTP protocol parameter3. Set XMODEM protocol parameter0.return to boot menuEnter your choice (0-3): 1 Load file name: s3026e-130.btmSwitch IP address: 192.168.3.2Server IP address: 192.168.3.80Subnet mask: 255.255.255.0Are you sure to download file to flash? (Y/N) yARP broadcast 1 www.2cto.com TFTP from server 192.168.3.80; our IP address is 192.168.3.2Filename 's3026e-130. btm '. load address: 0x80800000Loading: #################### donedownload time: 920769 usBytes transferred = 349336 (55498 hex) erasing Bootrom .... x. x. x. x. x. x -- doneWriting to Bootrom... +++ ++ doneUpdate bootrom successful!
Restart the vswitch. The show version and Bootrom versions are changed to 130. Upgrade the vswitch Bootrom to 160. When upgrading the VRP version, back up the original VRP version. On the one hand, because the FLASH space of the switch is insufficient, You need to delete the original file to free up enough space. On the other hand, you can restore the VRP if the upgrade fails. When upgrading VRP: Quidway # dele/u s3026e-vrp3.10-0002.binQuidway (config) # tftp get // 192.168.3.80/s3026e-r0035.bin ................................ ........................................ ............................ downloading succeeds! Quidway # boot bootldr s3026e-r0035.bin restart switch, disp version, VRP Version has changed to "VRP Software, version 3.10, RELEASE 0035 ". After the vswitch www.2cto.com is upgraded, configure the vswitch. To configure CONSOLE and VTY users and passwords, you must first create a user and set the user password and service type, then go to the CONSOLE and VTY interface views, and set the authentication method. In this version, there are four types of service: FTP, set FTP user; LAN-ACCESS, set ETHERNET through RJ45 Internet user; TELNET, login user; SSH, Secure Shell user. There are three methods for CONSOLE and VTY authentication Logon: NO. PASSWORD is not required for Logon; PASSWORD is required for Logon; SCHEME requires the user name and PASSWORD. The user must be an SSH user or a TELNET user, that is to say, TELNET (SSH) is the same as the CONSOLE user and password, which may be its deficiency. Configure IP, MAC, and PORT, and use the AM user-bind command. Remember, you must first enable AM. By default, the AM function is disabled. Shut down the redundant port, save the configuration, restart the switch, and everything is OK. This article is from the fat shark network.