configuration guide - security - huawei

Quidway S9300 Terabit Routing Switch V100R002C01 Configuration Guide - Security, Issue 02, Date 2010-02-26. Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


Quidway S9300 Terabit Routing Switch

V100R002C01

Configuration Guide - Security

Issue 02

Date 2010-02-26

Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.


Contents

About This Document ..... 1

1 AAA and User Management Configuration ..... 1-1
1.1 Introduction to AAA and User Management ..... 1-2
1.2 AAA and User Management Features Supported by the S9300 ..... 1-2
1.3 Configuring AAA Schemes ..... 1-4
1.3.1 Establishing the Configuration Task ..... 1-4
1.3.2 Configuring an Authentication Scheme ..... 1-5
1.3.3 Configuring an Authorization Scheme ..... 1-6
1.3.4 Configuring an Accounting Scheme ..... 1-8
1.3.5 (Optional) Configuring a Recording Scheme ..... 1-9
1.3.6 Checking the Configuration ..... 1-10
1.4 Configuring a RADIUS Server Template ..... 1-10
1.4.1 Establishing the Configuration Task ..... 1-11
1.4.2 Creating a RADIUS Server Template ..... 1-12
1.4.3 Configuring a RADIUS Authentication Server ..... 1-12
1.4.4 Configuring the RADIUS Accounting Server ..... 1-12
1.4.5 Configuring a RADIUS Authorization Server ..... 1-13
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server ..... 1-13
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server ..... 1-14
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server ..... 1-15
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server ..... 1-15
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server ..... 1-16
1.4.11 Checking the Configuration ..... 1-17
1.5 Configuring an HWTACACS Server Template ..... 1-18
1.5.1 Establishing the Configuration Task ..... 1-18
1.5.2 Creating an HWTACACS Server Template ..... 1-19
1.5.3 Configuring an HWTACACS Authentication Server ..... 1-19
1.5.4 Configuring the HWTACACS Accounting Server ..... 1-20
1.5.5 Configuring an HWTACACS Authorization Server ..... 1-20
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets ..... 1-21
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server ..... 1-21
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server ..... 1-22
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server ..... 1-23


1.5.10 (Optional) Setting HWTACACS Timers ..... 1-23
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet ..... 1-24
1.5.12 Checking the Configuration ..... 1-24
1.6 Configuring a Service Scheme ..... 1-25
1.6.1 Establishing the Configuration Task ..... 1-25
1.6.2 Creating a Service Scheme ..... 1-26
1.6.3 Setting the Administrator Level ..... 1-26
1.6.4 Configuring a DHCP Server Group ..... 1-27
1.6.5 Configuring an Address Pool ..... 1-27
1.6.6 Configure Primary and Secondary DNS Servers ..... 1-28
1.6.7 Checking the Configuration ..... 1-28
1.7 Configuring a Domain ..... 1-29
1.7.1 Establishing the Configuration Task ..... 1-29
1.7.2 Creating a Domain ..... 1-30
1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain ..... 1-31
1.7.4 Configuring a RADIUS Server Template for a Domain ..... 1-32
1.7.5 Configuring an HWTACACS Server Template for a Domain ..... 1-32
1.7.6 (Optional) Configuring a Service Scheme for a Domain ..... 1-33
1.7.7 (Optional) Setting the Status of a Domain ..... 1-33
1.7.8 (Optional) Configuring the Domain Name Delimiter ..... 1-34
1.7.9 Checking the Configuration ..... 1-34
1.8 Configuring Local User Management ..... 1-35
1.8.1 Establishing the Configuration Task ..... 1-35
1.8.2 Creating a Local User ..... 1-36
1.8.3 (Optional) Setting the Access Type of the Local User ..... 1-37
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access ..... 1-37
1.8.5 (Optional) Setting the Status of a Local User ..... 1-38
1.8.6 (Optional) Setting the Level of a Local User ..... 1-38
1.8.7 (Optional) Setting the Access Limit for a Local User ..... 1-39
1.8.8 Checking the Configuration ..... 1-39
1.9 Maintaining AAA and User Management ..... 1-40
1.9.1 Clearing the Statistics ..... 1-40
1.9.2 Monitoring the Running Status of AAA ..... 1-40
1.9.3 Debugging ..... 1-41
1.10 Configuration Examples ..... 1-41
1.10.1 Example for Configuring RADIUS Authentication and Accounting ..... 1-41
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization ..... 1-44

2 NAC Configuration ..... 2-1
2.1 Introduction to NAC ..... 2-2
2.1.1 Web Authentication ..... 2-2
2.1.2 802.1x Authentication ..... 2-3
2.1.3 MAC Address Authentication ..... 2-3


2.2 NAC Features Supported by the S9300 ..... 2-4
2.3 Configuring Web Authentication ..... 2-4
2.3.1 Establishing the Configuration Task ..... 2-4
2.3.2 Configuring the Web Authentication Server ..... 2-5
2.3.3 Binding the Web Authentication Server to the Interface ..... 2-5
2.3.4 Configuring the Free Rule for Web Authentication ..... 2-6
2.3.5 (Optional) Configuring the Web Authentication Policy ..... 2-6
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets ..... 2-7
2.3.7 (Optional) Setting the Version of the Portal Protocol Packets ..... 2-7
2.3.8 Checking the Configuration ..... 2-8
2.4 Configuring 802.1x Authentication ..... 2-8
2.4.1 Establishing the Configuration Task ..... 2-9
2.4.2 Enabling Global 802.1x Authentication ..... 2-9
2.4.3 Enabling 802.1x Authentication on an Interface ..... 2-10
2.4.4 (Optional) Enabling MAC Bypass Authentication ..... 2-11
2.4.5 Setting the Authentication Method for the 802.1x User ..... 2-12
2.4.6 (Optional) Configuring the Interface Access Mode ..... 2-13
2.4.7 (Optional) Configuring the Authorization Status of an Interface ..... 2-14
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users ..... 2-15
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication ..... 2-16
2.4.10 (Optional) Configuring 802.1x Timers ..... 2-16
2.4.11 (Optional) Configuring the Quiet Timer Function ..... 2-17
2.4.12 (Optional) Configuring the 802.1x Re-authentication ..... 2-18
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication ..... 2-18
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users ..... 2-19
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request ..... 2-20
2.4.16 Checking the Configuration ..... 2-20
2.5 Configuring MAC Address Authentication ..... 2-21
2.5.1 Establishing the Configuration Task ..... 2-22
2.5.2 Enabling Global MAC Address Authentication ..... 2-22
2.5.3 Enabling MAC Address Authentication on an Interface ..... 2-23
2.5.4 (Optional) Enabling Direct Authentication ..... 2-24
2.5.5 Configuring the User Name for MAC Address Authentication ..... 2-25
2.5.6 (Optional) Configuring the Domain for MAC Address Authentication ..... 2-26
2.5.7 (Optional) Setting the Timers of MAC Address Authentication ..... 2-27
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication ..... 2-28
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication ..... 2-28
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address ..... 2-29
2.5.11 Checking the Configuration ..... 2-30
2.6 Maintaining NAC ..... 2-30
2.6.1 Clearing the Statistics About 802.1x Authentication ..... 2-31
2.6.2 Clearing Statistics About MAC Address Authentication ..... 2-31


2.6.3 Debugging 802.1x Authentication ..... 2-31
2.6.4 Debugging MAC Address Authentication ..... 2-32
2.7 Configuration Examples ..... 2-32
2.7.1 Example for Configuring Web Authentication ..... 2-32
2.7.2 Example for Configuring 802.1x Authentication ..... 2-35
2.7.3 Example for Configuring MAC Address Authentication ..... 2-38

3 DHCP Snooping Configuration ..... 3-1
3.1 Introduction to DHCP Snooping ..... 3-3
3.2 DHCP Snooping Features Supported by the S9300 ..... 3-3
3.3 Preventing the Bogus DHCP Server Attack ..... 3-5
3.3.1 Establishing the Configuration Task ..... 3-6
3.3.2 Enabling DHCP Snooping ..... 3-6
3.3.3 Configuring an Interface as a Trusted Interface ..... 3-8
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers ..... 3-8
3.3.5 Checking the Configuration ..... 3-9
3.4 Preventing the DoS Attack by Changing the CHADDR Field ..... 3-9
3.4.1 Establishing the Configuration Task ..... 3-10
3.4.2 Enabling DHCP Snooping ..... 3-10
3.4.3 Checking the CHADDR Field in DHCP Request Messages ..... 3-12
3.4.4 Checking the Configuration ..... 3-12
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases ..... 3-13
3.5.1 Establishing the Configuration Task ..... 3-13
3.5.2 Enabling DHCP Snooping ..... 3-14
3.5.3 Enabling the Checking of DHCP Request Messages ..... 3-15
3.5.4 (Optional) Configuring the Option 82 Function ..... 3-16
3.5.5 Checking the Configuration ..... 3-17
3.6 Setting the Maximum Number of DHCP Snooping Users ..... 3-18
3.6.1 Establishing the Configuration Task ..... 3-18
3.6.2 Enabling DHCP Snooping ..... 3-18
3.6.3 Setting the Maximum Number of DHCP Snooping Users ..... 3-20
3.6.4 (Optional) Configuring MAC Address Security on an Interface ..... 3-20
3.6.5 Checking the Configuration ..... 3-21
3.7 Limiting the Rate of Sending DHCP Messages ..... 3-22
3.7.1 Establishing the Configuration Task ..... 3-22
3.7.2 Enabling DHCP Snooping ..... 3-23
3.7.3 Limiting the Rate of Sending DHCP Messages ..... 3-24
3.7.4 Checking the Configuration ..... 3-25
3.8 Configuring the Packet Discarding Alarm Function ..... 3-25
3.8.1 Establishing the Configuration Task ..... 3-25
3.8.2 Enabling DHCP Snooping ..... 3-26
3.8.3 Enabling the Checking of DHCP Messages ..... 3-27
3.8.4 Configuring the Packet Discarding Alarm Function ..... 3-28


3.8.5 Checking the Configuration ..... 3-29
3.9 Maintaining DHCP Snooping ..... 3-30
3.9.1 Clearing DHCP Snooping Statistics ..... 3-30
3.9.2 Resetting the DHCP Snooping Binding Table ..... 3-30
3.9.3 Backing Up the DHCP Snooping Binding Table ..... 3-30
3.10 Configuration Examples ..... 3-31
3.10.1 Example for Preventing the Bogus DHCP Server Attack ..... 3-31
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field ..... 3-34
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases ..... 3-36
3.10.4 Example for Limiting the Rate of Sending DHCP Messages ..... 3-39
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network ..... 3-42
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent ..... 3-46
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network ..... 3-51

4 ARP Security Configuration ..... 4-1
4.1 Introduction to ARP Security ..... 4-2
4.2 ARP Security Supported by the S9300 ..... 4-2
4.3 Limiting ARP Entry Learning ..... 4-4
4.3.1 Establishing the Configuration Task ..... 4-4
4.3.2 Enabling Strict ARP Entry Learning ..... 4-5
4.3.3 Configuring Interface-based ARP Entry Limitation ..... 4-7
4.3.4 Checking the Configuration ..... 4-7
4.4 Configuring ARP Anti-Attack ..... 4-8
4.4.1 Establishing the Configuration Task ..... 4-9
4.4.2 Preventing the ARP Address Spoofing Attack ..... 4-9
4.4.3 Preventing the ARP Gateway Duplicate Attack ..... 4-10
4.4.4 Preventing the Man-in-the-Middle Attack ..... 4-10
4.4.5 Configuring ARP Proxy on a VPLS Network ..... 4-11
4.4.6 Configuring DHCP to Trigger ARP Learning ..... 4-12
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets ..... 4-13
4.4.8 Enabling Log and Alarm Functions for Potential Attacks ..... 4-14
4.4.9 Checking the Configuration ..... 4-14
4.5 Suppressing Transmission Rate of ARP Packets ..... 4-15
4.5.1 Establishing the Configuration Task ..... 4-15
4.5.2 Configuring Source-based ARP Suppression ..... 4-16
4.5.3 Configuring Source-based ARP Miss Suppression ..... 4-17
4.5.4 Setting the Suppression Time of ARP Miss Messages ..... 4-17
4.5.5 Suppressing Transmission Rate of ARP Packets ..... 4-18
4.5.6 Checking the Configuration ..... 4-19
4.6 Maintaining ARP Security ..... 4-20
4.6.1 Displaying the Statistics About ARP Packets ..... 4-20
4.6.2 Clearing the Statistics on ARP Packets ..... 4-20


4.6.3 Clearing the Statistics on Discarded ARP Packets  4-21
4.6.4 Debugging ARP Packets  4-21

4.7 Configuration Examples  4-21
4.7.1 Example for Configuring ARP Security Functions  4-22
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks  4-25

5 Source IP Attack Defense Configuration  5-1
5.1 Overview of IP Source Guard  5-2
5.2 IP Source Guard Features Supported by the S9300  5-3
5.3 Configuring IP Source Guard  5-5

5.3.1 Establishing the Configuration Task  5-5
5.3.2 (Optional) Configuring a Static User Binding Entry  5-5
5.3.3 Enabling IP Source Guard  5-6
5.3.4 Configuring the Check Items of IP Packets  5-6
5.3.5 Checking the Configuration  5-7

5.4 Configuring IP Source Trail  5-8
5.4.1 Establishing the Configuration Task  5-8
5.4.2 Configuring IP Source Trail Based on the Destination IP Address  5-9
5.4.3 Checking the Configuration  5-9

5.5 Configuring URPF  5-10
5.5.1 Establishing the Configuration Task  5-10
5.5.2 Enabling URPF  5-10
5.5.3 Setting the URPF Check Mode on an Interface  5-11
5.5.4 (Optional) Disabling URPF for the Specified Traffic  5-12
5.5.5 Checking the Configuration  5-12

5.6 Maintaining Source IP Attack Defense  5-13
5.6.1 Clearing the Statistics on IP Source Trail  5-13

5.7 Configuration Examples  5-13
5.7.1 Example for Configuring IP Source Guard  5-14
5.7.2 Example for Configuring IP Source Trail  5-15
5.7.3 Example for Configuring URPF  5-17

6 Local Attack Defense Configuration  6-1
6.1 Overview of Local Attack Defense  6-2
6.2 Local Attack Defense Features Supported by the S9300  6-2
6.3 Configuring the Attack Defense Policy  6-3

6.3.1 Establishing the Configuration Task  6-3
6.3.2 Creating an Attack Defense Policy  6-4
6.3.3 Configuring the Whitelist  6-4
6.3.4 Configuring the Blacklist  6-4
6.3.5 Configuring User-Defined Flows  6-5
6.3.6 Configuring the Rule for Sending Packets to the CPU  6-6
6.3.7 Applying the Attack Defense Policy  6-6
6.3.8 Checking the Configuration  6-7


6.4 Configuring Attack Source Tracing  6-8
6.4.1 Establishing the Configuration Task  6-8
6.4.2 Creating an Attack Defense Policy  6-9
6.4.3 Enabling the Automatic Attack Source Tracing  6-9
6.4.4 Configuring the Threshold of Attack Source Tracing  6-10
6.4.5 (Optional) Configuring the Attack Source Alarm Function  6-10
6.4.6 Applying the Attack Defense Policy  6-11
6.4.7 Checking the Configuration  6-12

6.5 Maintaining the Attack Defense Policy  6-13
6.5.1 Clearing Statistics About Packets Destined for the CPU  6-13
6.5.2 Clearing Statistics About Attack Sources  6-13

6.6 Configuration Examples  6-14
6.6.1 Example for Configuring the Attack Defense Policy  6-14

7 PPPoE+ Configuration  7-1
7.1 PPPoE+ Overview  7-2
7.2 PPPoE+ Features Supported by the S9300  7-2
7.3 Configuring PPPoE+  7-2

7.3.1 Establishing the Configuration Task  7-2
7.3.2 Enabling PPPoE+ Globally  7-3
7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets  7-3
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets  7-4
7.3.5 Configuring the PPPoE Trusted Interface  7-4
7.3.6 Checking the Configuration  7-5

7.4 Configuration Examples  7-5
7.4.1 Example for Configuring PPPoE+  7-5

8 MFF Configuration  8-1
8.1 MFF Overview  8-2
8.2 MFF Features Supported by the S9300  8-3
8.3 Configuring MFF  8-4

8.3.1 Establishing the Configuration Task  8-4
8.3.2 Enabling Global MFF  8-5
8.3.3 Configuring the MFF Network Interface  8-5
8.3.4 Enabling MFF in a VLAN  8-6
8.3.5 (Optional) Configuring the Static Gateway Address  8-6
8.3.6 (Optional) Enabling Timed Gateway Address Detection  8-7
8.3.7 (Optional) Setting the Server Address  8-7
8.3.8 Checking the Configuration  8-7

8.4 Configuration Examples  8-8
8.4.1 Example for Configuring MFF  8-8

9 Interface Security Configuration  9-1
9.1 Interface Security Overview  9-2


9.2 Interface Security Features Supported by the S9300  9-2
9.3 Configuring Interface Security  9-2

9.3.1 Establishing the Configuration Task  9-3
9.3.2 Enabling the Interface Security Function  9-3
9.3.3 (Optional) Configuring the Protection Action in Interface Security  9-4
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface  9-4
9.3.5 Enabling Sticky MAC on an Interface  9-5
9.3.6 Checking the Configuration  9-5

9.4 Configuration Examples  9-6
9.4.1 Example for Configuring Interface Security  9-6

10 Traffic Suppression Configuration  10-1
10.1 Introduction to Traffic Suppression  10-2
10.2 Traffic Suppression Features Supported by the S9300  10-2
10.3 Configuring Traffic Suppression  10-2

10.3.1 Establishing the Configuration Task  10-2
10.3.2 Configuring Traffic Suppression on an Interface  10-3
10.3.3 Checking the Configuration  10-4

10.4 Configuration Examples  10-4
10.4.1 Example for Configuring Traffic Suppression  10-4

11 ACL Configuration  11-1
11.1 Introduction to the ACL  11-2
11.2 Classification of ACLs Supported by the S9300  11-2
11.3 Configuring an ACL  11-3

11.3.1 Establishing the Configuration Task  11-3
11.3.2 Creating an ACL  11-4
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect  11-5
11.3.4 (Optional) Configuring the Description of an ACL  11-5
11.3.5 Configuring a Basic ACL  11-6
11.3.6 Configuring an Advanced ACL  11-6
11.3.7 Configuring a Layer 2 ACL  11-7
11.3.8 (Optional) Setting the Step of an ACL  11-8
11.3.9 Checking the Configuration  11-8

11.4 Configuring ACL6  11-9
11.4.1 Establishing the Configuration Task  11-9
11.4.2 Creating an ACL6  11-10
11.4.3 (Optional) Creating the Time Range of the ACL6  11-10
11.4.4 Configuring a Basic ACL6  11-11
11.4.5 Configuring an Advanced ACL6  11-11
11.4.6 Checking the Configuration  11-12

11.5 Configuration Examples  11-13
11.5.1 Example for Configuring a Basic ACL  11-13
11.5.2 Example for Configuring an Advanced ACL  11-16


11.5.3 Example for Configuring a Layer 2 ACL  11-20
11.5.4 Example for Configuring an ACL6  11-22


Figures

Figure 1-1 Networking diagram of RADIUS authentication and accounting  1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization  1-45
Figure 2-1 Typical networking of NAC  2-2
Figure 2-2 Network diagram for configuring Web authentication  2-33
Figure 2-3 Networking diagram for configuring 802.1x authentication  2-36
Figure 2-4 Networking diagram for configuring MAC address authentication  2-39
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network  3-4
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent  3-4
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack  3-32
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field  3-34
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases  3-37
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages  3-40
Figure 3-7 Networking diagram for configuring DHCP snooping  3-42
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent  3-47
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network  3-51
Figure 4-1 Networking diagram for configuring ARP security functions  4-22
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks  4-26
Figure 5-1 Diagram of IP/MAC spoofing attack  5-2
Figure 5-2 Diagram of the URPF function  5-3
Figure 5-3 Networking diagram for configuring IP source guard  5-14
Figure 5-4 Networking diagram for configuring IP source trail  5-16
Figure 5-5 Networking diagram for configuring URPF  5-17
Figure 6-1 Networking diagram for configuring the attack defense policy  6-14
Figure 7-1 Networking diagram for configuring PPPoE+  7-6
Figure 8-1 Networking diagram for configuring MFF  8-9
Figure 9-1 Networking diagram for configuring interface security  9-6
Figure 10-1 Networking diagram for configuring traffic suppression  10-5
Figure 11-1 Networking diagram for disabling URPF for the specified traffic  11-13
Figure 11-2 Networking diagram for configuring IPv4 ACLs  11-16
Figure 11-3 Networking diagram for configuring layer 2 ACLs  11-20
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets  11-23


Tables

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes  3-5
Table 3-2 Relation between the type of attacks and the type of discarded packets  3-25


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security feature supported by the S9300.

This document describes how to configure the security feature.

This document is intended for:

- Data configuration engineers

- Commissioning engineers

- Network monitoring engineers

- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER: Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.

Quidway S9300 Terabit Routing SwitchConfiguration Guide - Security About This Document

Issue 02 (2010–02–26) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

1

Page 18: Configuration Guide - Security - Huawei

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2010-02-26)

Based on issue 01 (2010-01-20), the document is updated as follows:

The following information is modified:

- Example for Configuring the Attack Defense Policy: 6.6.1 Example for Configuring the Attack Defense Policy

- Example for Configuring URPF: 5.7.3 Example for Configuring URPF

Updates in Issue 01 (2010-01-20)

Initial commercial release.


1 AAA and User Management Configuration

About This Chapter

This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial In User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain.

1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.

1.2 AAA and User Management Features Supported by the S9300
This section describes the AAA and user management features supported by the S9300.

1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S9300.

1.4 Configuring a RADIUS Server Template
This section describes how to configure a RADIUS server template on the S9300.

1.5 Configuring an HWTACACS Server Template
This section describes how to configure an HWTACACS server template on the S9300.

1.6 Configuring a Service Scheme
This section describes how to configure a service scheme on the S9300 to store authorization information about users.

1.7 Configuring a Domain
This section describes how to configure a domain on the S9300.

1.8 Configuring Local User Management
This section describes how to configure local user management on the S9300.

1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.

1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.


1.1 Introduction to AAA and User Management

This section describes the knowledge of AAA and user management.

AAA

AAA provides the following types of services:

- Authentication: determines which users can access the network.

- Authorization: authorizes the user to use certain services.

- Accounting: records the network resource usage of the user.

AAA adopts the client/server model, which features good extensibility and facilitates centralized management of user information.

Domain-based User Management

User authentication, authorization, and accounting are performed in the domain view. Users can be managed based on the domain. You can configure authorization, create authentication and accounting schemes, and create RADIUS or HWTACACS templates in the domain.

Local User Management

To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S9300.

1.2 AAA and User Management Features Supported by the S9300

This section describes the AAA and user management features supported by the S9300.

AAA

The S9300 provides authentication schemes in the following modes:

- Non-authentication: completely trusts users and does not check their validity. This mode is seldom used.

- Local authentication: configures user information, including the user name, password, and attributes of the local user, on the S9300. In local authentication mode, the processing speed is fast, but the capacity of information storage is restricted by the hardware.

- Remote authentication: configures user information, including the user name, password, and attributes of the user, on an authentication server. The S9300 functions as the client to communicate with the authentication server, so the user is remotely authenticated through the RADIUS or HWTACACS protocol.

The S9300 provides authorization schemes in the following modes:

- Non-authorization: completely trusts users and directly authorizes them.


l Local authorization: authorizes users according to the configured attributes of local useraccounts on the S9300.

l Remote authorization: authorizes users remotely through HWTACACS. The S9300functions as the client to communicate with the authorization server.

l If-authenticated authorization: authorizes users after the users pass authentication in localor remote authentication mode.

The S9300 provides the following accounting modes:l None: Users are not charged.

l RADIUS accounting: The S9300 sends the accounting packets to the RADIUS server. Thenthe RADIUS server performs accounting.

l HWTACACS accounting: The S9300 sends the accounting packets to the HWTACACSserver. Then the HWTACACS server performs accounting.

In the RADIUS and HWTACACS accounting modes, the S9300 generates accounting packetswhen a user goes online or goes offline, and then sends them to the RADIUS or HWTACACSserver. The server then performs accounting based on the information in the packets, such aslogin time, logout time and traffic volume.

The S9300 supports interim accounting. It means that the S9300 generates accounting packetsperiodically and sends the accounting packets to the accounting server when a user is online. Inthis way, the duration of abnormal accounting can be minimized when the communicationbetween the S9300 and the accounting server is interrupted.

Local User Management

To perform local user management, you set up the local user database, maintain user information, and manage users on the local S9300.

In local authentication or local authorization mode, you need to perform the task of 1.8 Configuring Local User Management.

Domain-based User Management

The S9300 manages users based on domains. You can configure authentication and authorization schemes in a domain; the specified schemes are then used to authenticate and authorize the users that belong to the domain.

All users of the S9300 belong to a domain. The domain that a user belongs to is given by the character string that follows the domain name delimiter, which can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If the user name contains no delimiter, the user belongs to the domain default.

By default, two domains named default and default_admin exist on the S9300. They cannot be deleted but can be modified. If the domain of an access user cannot be determined, the domain default is used.

- Domain default is used for common access users. By default, local authentication is performed for users in domain default.

- Domain default_admin is used for administrators. By default, local authentication is performed for users in domain default_admin.

The S9300 supports up to 128 domains, including the two default domains.

The priority of the authorization attributes configured in a domain is lower than that of the attributes delivered by an AAA server. That is, an authorization attribute sent by the AAA server is used preferentially.


An authorization attribute configured in the domain takes effect only when the AAA server does not have or does not deliver that attribute. In this manner, you can add services flexibly through domain management, regardless of the attributes provided by the AAA server.

RADIUS and HWTACACS Server Templates

When RADIUS or HWTACACS is specified in an authentication or authorization scheme, you must configure a RADIUS or HWTACACS server template for the communication between the client and the server.

- In a RADIUS server template, you can set attributes such as the IP addresses, port numbers, and shared key of the authentication server and the accounting server.

- In an HWTACACS server template, you can set attributes such as the IP addresses, port numbers, and shared key of the authentication server, accounting server, and authorization server.

NOTE

RADIUS carries authentication and authorization in the same exchange; therefore, RADIUS cannot be used alone as an authorization mode. This is why the authorization-mode command offers hwtacacs, if-authenticated, and local, but not radius.

1.3 Configuring AAA Schemes

This section describes how to configure an authentication scheme, an authorization scheme, an accounting scheme, and a recording scheme on the S9300.

1.3.1 Establishing the Configuration Task

1.3.2 Configuring an Authentication Scheme

1.3.3 Configuring an Authorization Scheme

1.3.4 Configuring an Accounting Scheme

1.3.5 (Optional) Configuring a Recording Scheme

1.3.6 Checking the Configuration

1.3.1 Establishing the Configuration Task

Applicable Environment

An AAA scheme of the S9300 consists of the authentication scheme, authorization scheme, accounting scheme, and recording scheme. The S9300 chooses the authentication, authorization, accounting, and recording modes (local processing, remote processing, or no processing) and the relevant parameters for users according to the AAA scheme.

After an AAA scheme is configured, you can apply it (excluding the recording scheme) to a domain. The S9300 then uses the scheme to perform authentication, authorization, and accounting for users in the domain. You can configure different recording schemes for different transactions in the AAA view.

Pre-configuration Tasks

None


Data Preparation

To configure AAA schemes, you need the following data.

1. Name of the authentication scheme and authentication mode

2. Name of the authorization scheme, authorization mode, (optional) user level for command-line-based authorization on the HWTACACS server, and (optional) timeout interval for command-line-based authorization

3. Name of the accounting scheme and accounting mode

4. (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events

1.3.2 Configuring an Authentication Scheme

Context

NOTE

By default, the local authentication mode is used. If users are not to be authenticated, you must create an authentication scheme or modify the default authentication scheme by setting the authentication mode to none, and then apply that authentication scheme to the domain that the users belong to.

You need to set the authentication modes for users logging in to the S9300 and for users upgrading their user levels separately.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.


By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted.

Step 4 Run: authentication-mode { hwtacacs | radius | local }* [ none ]

Or

authentication-mode none

The authentication mode is set.

none indicates the non-authentication mode. By default, the local authentication mode is used.

If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be the last authentication mode.

If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS or HWTACACS server template and apply the template in the view of the domain that the user belongs to.

NOTE

If multiple authentication modes are used in an authentication scheme, they take effect in their configuration sequence. The S9300 tries the next authentication mode only when the current mode cannot be used (for example, the server is unreachable). If the current mode rejects the user, the S9300 does not try any other authentication mode.

Step 5 Run: authentication-super { hwtacacs | super }* [ none ]

Or

authentication-super none

The authentication mode for upgrading user levels is set.

The none parameter indicates the non-authentication mode: users can change their user level without being authenticated. By default, the local authentication mode is used for upgrading user levels.

When the local authentication mode is used for upgrading user levels, you need to run the super password command in the system view to set the password for upgrading user levels. For details on the super password command, see the Quidway S9300 Terabit Routing Switch Command Reference - Basic Configurations.

----End

1.3.3 Configuring an Authorization Scheme

Context

NOTE

You can configure command-line-based authorization only when HWTACACS is adopted.

Procedure

Step 1 Run: system-view


The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.

By default, an authorization scheme named default exists on the S9300. This scheme can be modified but cannot be deleted.

Step 4 Run: authorization-mode { hwtacacs | if-authenticated | local }* [ none ]

Or

authorization-mode none

The authorization mode is set.

By default, the local authorization mode is used.

If multiple authorization modes are used in an authorization scheme, the non-authorization mode must be the last authorization mode.

When the HWTACACS authorization mode is used, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.

NOTE

If multiple authorization modes are used in an authorization scheme, they take effect in their configuration sequence. The S9300 tries the next authorization mode only when the current mode cannot be used (for example, the server is unreachable). If the current mode refuses the authorization, the S9300 does not try any other authorization mode.

Step 5 (Optional) Run: authorization-cmd privilege-level hwtacacs [ local ]

Command-line-based authorization is configured for users at the specified level.

By default, command-line-based authorization is not configured for users at levels 0 to 15.

If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to.

Step 6 (Optional) Run: authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

The policy applied when command-line-based authorization cannot be completed is configured.

By default, the user is kept online when command-line-based authorization cannot be completed.

This policy is used only when the HWTACACS server fails or the local user is not configured. It is not triggered in the following situations:

- The server works normally but the entered command line fails authorization on the HWTACACS server.


- The HWTACACS server fails and command-line-based authorization falls back to local authorization, which fails because the level of the entered command is higher than the level set locally.

----End
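The fallback rule stated in the NOTEs for authentication-mode and authorization-mode above has a practical consequence that is easier to see in code: the S9300 moves to the next configured mode only when the current one gives no answer, and none, if present as the last mode, accepts whoever reaches it. The following Python model is an added illustration written for this guide; it is not Huawei code and does not talk to a switch. It assumes that a local account that does not exist counts as "unavailable" (so the next mode is tried); that is an assumption of the model, not something the guide states.

```python
"""Added model for this guide (not Huawei code) of how the S9300 walks an
ordered list of authentication or authorization modes: the next mode is
consulted only when the current one cannot answer; a reject is final; and
'none', which must come last, accepts unconditionally."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # server unreachable, or (assumed) no local account


Backend = Callable[[str], Result]


def run_scheme(modes: List[str], backends: Dict[str, Backend], user: str) -> Tuple[Result, str]:
    """Return (decision, mode that decided). Mirrors the guide's rule: fall
    through on UNAVAILABLE only; ACCEPT or REJECT ends the walk."""
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, "none"          # non-authentication: always accepts
        result = backends[mode](user)
        if result is Result.UNAVAILABLE:
            continue                               # try the next configured mode
        return result, mode
    return Result.REJECT, "exhausted"              # nothing could answer and no 'none'


# Constructed stand-ins for a RADIUS server and the local user database.
def radius_down(_user: str) -> Result:
    return Result.UNAVAILABLE                      # timed out after all retransmissions


def radius_up(user: str) -> Result:
    return Result.ACCEPT if user == "alice@corp" else Result.REJECT


LOCAL_USERS = {"admin@default_admin"}


def local(user: str) -> Result:
    # Assumption for the model: an unknown local account lets the walk continue.
    return Result.ACCEPT if user in LOCAL_USERS else Result.UNAVAILABLE


def demo() -> Dict[str, Tuple[Result, str]]:
    """Contrast 'radius local' with 'radius local none' in four situations."""
    safe, weak = ["radius", "local"], ["radius", "local", "none"]
    up = {"radius": radius_up, "local": local}
    down = {"radius": radius_down, "local": local}
    return {
        "weak, server up, rejected user": run_scheme(weak, up, "mallory@corp"),
        "safe, server down, local admin": run_scheme(safe, down, "admin@default_admin"),
        "safe, server down, unknown user": run_scheme(safe, down, "mallory@corp"),
        "weak, server down, unknown user": run_scheme(weak, down, "mallory@corp"),
    }


if __name__ == "__main__":
    for case, (decision, by) in demo().items():
        print(f"{case}: {decision.value} (decided by {by})")
```

The last case is the one to watch: with radius local none, a user who has no local account is admitted as soon as the RADIUS server stops responding. A rejected user is still rejected while the server is up, so the weakness only shows during an outage, which is exactly when an attacker who can disrupt the server path would exploit it.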

1.3.4 Configuring an Accounting Scheme

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.

By default, the S9300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted.

Step 4 Run: accounting-mode { hwtacacs | radius | none }

The accounting mode is set.

By default, the accounting mode is none.

If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain.

Step 5 (Optional) Run: accounting realtime interval

Interim accounting is enabled and the accounting interval is set.

By default, interim accounting is enabled and the accounting interval is 5 minutes.

The accounting interval depends on the network. A short interval increases traffic on the network and the load on the device that receives interim accounting packets. A long interval increases the accounting error when communication between the accounting server and the S9300 fails.

Step 6 (Optional) Run: accounting start-fail { online | offline }

The policy for remote accounting-start failure is set.

If accounting start fails when a user logs in, the S9300 processes the user according to this policy.

By default, a user is not allowed online when accounting start fails.


Step 7 (Optional) Run: accounting interim-fail [ max-times times ] { online | offline }

The policy for remote interim accounting failure is set.

If interim accounting fails after a user goes online, the S9300 processes the user according to this policy.

By default, max-times is 3 and the user is kept online.

----End

1.3.5 (Optional) Configuring a Recording Scheme

Context

To monitor the device and locate faults, you can configure a recording scheme to record the following:

- Commands that are run on the S9300

- Information about connections

- System events

NOTE

You can configure the recording function only when HWTACACS is adopted.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: aaa

The AAA view is displayed.

Step 3 Run: recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.

By default, no recording scheme exists on the S9300.

Step 4 Run: recording-mode hwtacacs template-name

An HWTACACS server template is associated with the recording scheme.

By default, a recording scheme is not associated with an HWTACACS server template.

Step 5 Run: quit

The AAA view is displayed again.


Step 6 Run: cmd recording-scheme recording-scheme-name

The commands that are run on the S9300 are recorded.

By default, commands run on the S9300 are not recorded.

Step 7 Run: outbound recording-scheme recording-scheme-name

Information about connections is recorded.

By default, information about connections is not recorded.

Step 8 Run: system recording-scheme recording-scheme-name

System events are recorded.

By default, system events are not recorded.

----End

1.3.6 Checking the Configuration

Prerequisite

The configurations of AAA schemes are complete.

Procedure

- Run the display aaa configuration command to check the summary of AAA.

- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.

- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.

- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.

- Run the display access-user command to check the summary of all online users.

----End

1.4 Configuring a RADIUS Server Template

This section describes how to configure a RADIUS server template on the S9300.

1.4.1 Establishing the Configuration Task

1.4.2 Creating a RADIUS Server Template

1.4.3 Configuring a RADIUS Authentication Server

1.4.4 Configuring the RADIUS Accounting Server

1.4.5 Configuring a RADIUS Authorization Server


1.4.6 (Optional) Setting a Shared Key for a RADIUS Server

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server

1.4.11 Checking the Configuration

1.4.1 Establishing the Configuration Task

Applicable Environment

In remote authentication or authorization mode, you need to configure a server template as required. You need to configure a RADIUS server template if RADIUS is used in the authentication scheme.

NOTE

A RADIUS server template has default parameters, which you can change to suit the network. You can modify a RADIUS server template only when it is not in use.

Pre-configuration Tasks

None

Data Preparation

To configure a RADIUS server template, you need the following data.

1. IP address of the RADIUS authentication server

2. IP address of the RADIUS accounting server

3. (Optional) Shared key of the RADIUS server

4. (Optional) User name format supported by the RADIUS server

5. (Optional) Traffic unit of the RADIUS server

6. (Optional) Timeout interval for waiting for a response from the RADIUS server and number of times a request is retransmitted to the RADIUS server

7. (Optional) Format of the NAS port attribute of the RADIUS server


1.4.2 Creating a RADIUS Server Template

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

A RADIUS server template is created and the RADIUS server template view is displayed.

----End

1.4.3 Configuring a RADIUS Authentication Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured.

By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: radius-server authentication ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS authentication server is configured.

By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

----End

1.4.4 Configuring the RADIUS Accounting Server

Procedure

Step 1 Run: system-view


The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured.

By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: radius-server accounting ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS accounting server is configured.

By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

----End

1.4.5 Configuring a RADIUS Authorization Server

Context

The RADIUS authorization server is mainly used to dynamically authorize users during service selection.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

The RADIUS authorization server is configured.

By default, no RADIUS authorization server is configured on the S9300.

----End

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server

Context

When exchanging authentication packets, the S9300 and the RADIUS server protect sensitive information such as the user password by using the shared key together with the Message Digest 5 (MD5) algorithm: the password is hidden by XORing it with MD5 digests derived from the shared key, and each server response carries an MD5-based authenticator computed over the packet and the key. To guarantee the validity of the authenticator and the authenticated, the keys on the S9300 and the RADIUS server must be the same.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server shared-key { cipher | simple } key-string

The shared key is set for a RADIUS server.

By default, the shared key of a RADIUS server is huawei. Set a key of your own before putting the template into use: anyone who knows the shared key can recover hidden user passwords from captured RADIUS traffic and forge server responses, so a well-known default key offers no protection.

----End

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server

Context

NOTE

A user name is in the format user name@domain name, and the characters after @ are the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server user-name domain-included

The user name format supported by a RADIUS server is set.

By default, a user name sent to a RADIUS server contains the domain name. That is, the S9300 sends the user name, domain name delimiter, and domain name to the RADIUS server for authentication.


If the RADIUS server does not accept user names that contain a domain name, run the undo radius-server user-name domain-included command so that the S9300 removes the domain name delimiter and domain name from the user name before sending it to the RADIUS server.

----End
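To make concrete what the shared key in 1.4.6 protects and what the domain-included setting in 1.4.7 changes on the wire, here is an added Python example written for this guide; it is not Huawei code. It builds an Access-Request with the RFC 2865 User-Password hiding, derives the User-Name that the S9300 would send with and without domain-included, and verifies the Response Authenticator of an Access-Accept. The delimiter set, the NAS IP address, the packet identifier, and the "leftmost delimiter splits the name" rule are assumptions made for the example.

```python
"""Added example for this guide (not Huawei code): what the RADIUS shared key
protects (RFC 2865 password hiding and Response Authenticator) and how
'domain-included' changes the User-Name the NAS sends."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Optional, Tuple

DEFAULT_DOMAIN = "default"
DELIMITERS = "@|%"   # delimiters named in the guide; the exact set is an assumption


def split_domain(user_name: str, delimiters: str = DELIMITERS) -> Tuple[str, str]:
    """Domain = text after the delimiter; no delimiter -> domain 'default'.
    Assumption: the leftmost delimiter splits the name."""
    for i, ch in enumerate(user_name):
        if ch in delimiters:
            return user_name[:i], user_name[i + 1:]
    return user_name, DEFAULT_DOMAIN


def radius_user_name(user_name: str, domain_included: bool = True) -> str:
    """User-Name attribute value: full name by default, bare user after
    'undo radius-server user-name domain-included'."""
    return user_name if domain_included else split_domain(user_name)[0]


def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared key can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, _keystream(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: str, password: str, nas_ip: str,
                         secret: bytes, domain_included: bool = True,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Access-Request (code 1) with User-Name(1), User-Password(2), NAS-IP-Address(4).
    Returns the packet and the Request Authenticator needed to check the reply."""
    if request_auth is None:
        request_auth = os.urandom(16)            # must be unpredictable per request
    attrs = (attribute(1, radius_user_name(user_name, domain_included).encode())
             + attribute(2, hide_password(password.encode(), secret, request_auth))
             + attribute(4, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept (2) or Access-Reject (3) for the request."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: the check that stops a forged or tampered Access-Accept."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = response_authenticator(code, identifier, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Two points follow from the code. reveal_password works for anyone holding the key, so leaving the key at huawei is equivalent to sending passwords in the clear to whoever can capture the traffic. verify_response fails as soon as the two keys differ or a single attribute byte changes, which is the check the NAS relies on to reject a forged Access-Accept; it is only as strong as the secrecy of the key.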

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for a RADIUS server.

By default, traffic is expressed in bytes on the S9300.

----End

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run: radius-server timeout seconds

The interval for which the S9300 waits for a response from the RADIUS server is set.

By default, the S9300 waits five seconds for a response from the RADIUS server.

If no response is received from the RADIUS server within the timeout interval, the S9300 retransmits the request packet.

Step 4 Run: radius-server retransmit retry-times

The number of times a request packet is retransmitted to a RADIUS server is set.

By default, a request packet is retransmitted to a RADIUS server 3 times.

After retransmitting a request packet to a RADIUS server the set number of times without receiving a response, the S9300 considers the RADIUS server unavailable.

----End

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server

Context

The NAS port format and the NAS port ID format are defined by Huawei and are used for interoperation among Huawei devices. Each has a new and an old form. The format of the ID of the physical port that an access user belongs to depends on the format of the NAS port attribute.

For Ethernet access users:

- NAS port

  - New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).

  - Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

- NAS port ID

  - New format of NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.

  - Old format of NAS port ID: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VLAN ID (9 characters).

For ADSL access users:

- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).

- NAS port ID

  - New format of NAS port ID: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, where slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.

  - Old format of NAS port ID: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VPI (8 characters) + VCI (16 characters). Fields shorter than the specified width are prefixed with 0s.
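The bit layouts above determine how a RADIUS server must decode the NAS-Port attribute the S9300 sends, and a server that parses the wrong layout misreads the port silently. The following Python example is an added illustration for this guide (not Huawei code): it packs and unpacks the new and old Ethernet NAS-Port layouts and the new NAS-Port-Id text form, and shows what a server expecting the other layout reads. The bit widths and ranges are those given above; the exact field spelling and zero-padding of the text form are an assumption.

```python
"""Added example for this guide (not Huawei code): packing and unpacking the
Huawei NAS-Port layouts for Ethernet access users and the new NAS-Port-Id
text form. Bit widths and ranges are those stated in the guide; the exact
field spelling and zero-padding of the text form are an assumption."""
from typing import Tuple


def _check(name: str, value: int, bits: int) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def encode_nas_port_new(slot: int, subslot: int, port: int, vlan: int) -> int:
    """New format: slot(8) | subslot(4) | port(8) | VLAN ID(12) = 32 bits."""
    for name, value, bits in (("slot", slot, 8), ("subslot", subslot, 4),
                              ("port", port, 8), ("vlan", vlan, 12)):
        _check(name, value, bits)
    return (slot << 24) | (subslot << 20) | (port << 12) | vlan


def decode_nas_port_new(value: int) -> Tuple[int, int, int, int]:
    """Inverse of encode_nas_port_new: (slot, subslot, port, vlan)."""
    return (value >> 24) & 0xFF, (value >> 20) & 0xF, (value >> 12) & 0xFF, value & 0xFFF


def encode_nas_port_old(slot: int, port: int, vlan: int) -> int:
    """Old format: slot(12) | port(8) | VLAN ID(12) = 32 bits, no subslot field."""
    for name, value, bits in (("slot", slot, 12), ("port", port, 8), ("vlan", vlan, 12)):
        _check(name, value, bits)
    return (slot << 20) | (port << 12) | vlan


def decode_nas_port_old(value: int) -> Tuple[int, int, int]:
    """Inverse of encode_nas_port_old: (slot, port, vlan)."""
    return (value >> 20) & 0xFFF, (value >> 12) & 0xFF, value & 0xFFF


def nas_port_to_radius_attr(value: int) -> bytes:
    """NAS-Port is RADIUS attribute type 5: Type, Length (6), 32-bit big-endian value."""
    return bytes([5, 6]) + value.to_bytes(4, "big")


def nas_port_from_radius_attr(raw: bytes) -> int:
    """Parse a NAS-Port TLV as a server would; rejects anything not type 5 / length 6."""
    if len(raw) != 6 or raw[0] != 5 or raw[1] != 6:
        raise ValueError("not a NAS-Port attribute")
    return int.from_bytes(raw[2:6], "big")


def nas_port_id_new(slot: int, subslot: int, port: int, vlan: int) -> str:
    """New NAS-Port-Id text: slot=xx;subslot=xx;port=xxx;vlanid=xxxx (padding assumed)."""
    return f"slot={slot:02d};subslot={subslot:02d};port={port:03d};vlanid={vlan:04d}"


def parse_nas_port_id_new(text: str) -> Tuple[int, int, int, int]:
    fields = dict(item.split("=", 1) for item in text.split(";"))
    return (int(fields["slot"]), int(fields["subslot"]),
            int(fields["port"]), int(fields["vlanid"]))


def format_mismatch(slot: int, subslot: int, port: int, vlan: int) -> Tuple[int, int, int]:
    """What a server still parsing the old layout reads from a new-format value."""
    return decode_nas_port_old(encode_nas_port_new(slot, subslot, port, vlan))
```

format_mismatch(3, 0, 5, 100) returns a slot of 48 rather than 3: the 8-bit slot and 4-bit subslot of the new layout land in the old layout's 12-bit slot field, while port and VLAN ID happen to line up. Any policy on the server that keys on slot (for example, to restrict which physical ports may authenticate administrators) is then evaluated against the wrong value, which is why radius-server nas-port-format on the S9300 and the parser on the server must agree.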

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: radius-server template template-name


The RADIUS server template view is displayed.

Step 3 Run: radius-server nas-port-format { new | old }

The format of the NAS port attribute sent to the RADIUS server is specified.

By default, the new NAS port format is used.

Step 4 Run: radius-server nas-port-id-format { new | old }

The format of the NAS port ID attribute sent to the RADIUS server is specified.

By default, the new NAS port ID format is used.

Use the formats that the RADIUS server is configured to parse; if the two sides disagree, the server decodes the slot, subslot, and port fields incorrectly.

----End

1.4.11 Checking the Configuration

Prerequisite

The configurations of the RADIUS server template are complete.

Procedure

- Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.

----End

Example

After completing the configuration of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates. Note that the output shows the shared key in plain text, so restrict who may run this command and do not paste its output into tickets or logs.

<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name : radius
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 3
Domain-included : YES
-------------------------------------------------------------------
-------------------------------------------------------------------
Server-template-name : test
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : hello
Timeout-interval(in second) : 5
Primary-authentication-server : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server : 10.1.1.2; 1812; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server : 0.0.0.0; 0; LoopBack:NULL
Retransmission : 5
Domain-included : YES
-------------------------------------------------------------------
Total of radius template :2

1.5 Configuring an HWTACACS Server Template

This section describes how to configure an HWTACACS server template on the S9300.

1.5.1 Establishing the Configuration Task

1.5.2 Creating an HWTACACS Server Template

1.5.3 Configuring an HWTACACS Authentication Server

1.5.4 Configuring the HWTACACS Accounting Server

1.5.5 Configuring an HWTACACS Authorization Server

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server

1.5.10 (Optional) Setting HWTACACS Timers

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet

1.5.12 Checking the Configuration

1.5.1 Establishing the Configuration Task

Applicable Environment

In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or authorization scheme.

NOTE

The S9300 does not check whether an HWTACACS server template is in use when you modify the attributes of the HWTACACS servers in it; it checks only when you delete a server configuration from the template.

Pre-configuration Tasks

None

Data Preparation

To configure an HWTACACS server template, you need the following data.


1. Name of the HWTACACS server template

2. IP addresses of the HWTACACS authentication, authorization, and accounting servers

3. (Optional) Source IP address of HWTACACS packets

4. (Optional) Shared key of the HWTACACS server

5. (Optional) User name format supported by the HWTACACS server

6. (Optional) Traffic unit of the HWTACACS server

7. (Optional) Timeout interval for waiting for a response from the HWTACACS server and interval after which the primary HWTACACS server is restored to the active state

1.5.2 Creating an HWTACACS Server Template

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.

----End

1.5.3 Configuring an HWTACACS Authentication Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name


The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server authentication ip-address [ port ]

The primary HWTACACS authentication server is configured.

By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: hwtacacs-server authentication ip-address [ port ] secondary

The secondary HWTACACS authentication server is configured.

By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and the port number is 0.

----End

1.5.4 Configuring the HWTACACS Accounting Server

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run: hwtacacs-server accounting ip-address [ port ]

The primary HWTACACS accounting server is configured.

By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run: hwtacacs-server accounting ip-address [ port ] secondary

The secondary HWTACACS accounting server is configured.

By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and the port number is 0.

----End

1.5.5 Configuring an HWTACACS Authorization Server

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server authorization ip-address [ port ]

The IP address of the primary HWTACACS authorization server is configured.

By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] secondary

The IP address of the secondary HWTACACS authorization server is configured.

By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and the port number is 0.

----End

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of HWTACACS packets is configured.

By default, the source IP address of an HWTACACS packet is 0.0.0.0. In this case, the S9300 uses the IP address of the outgoing interface as the source IP address of the HWTACACS packet.

After you specify the source IP address of HWTACACS packets, the specified address is used for all communication between the S9300 and the HWTACACS server, and the server sees the S9300 at that address. Fix the source address when the server identifies its clients by IP address or when the route to the server can move between interfaces; otherwise a path change makes the S9300 appear from a different address and the server rejects its requests. An address that does not depend on any single physical interface, such as a loopback interface address, is the usual choice.

----End

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server

Context

Setting the shared key ensures the security of communication between the S9300 and an HWTACACS server. The key must be identical on the S9300 and on the HWTACACS server, since each side uses it to validate the other. By default no key is set, so configure one on every template that is actually used; without a key the HWTACACS exchange between the S9300 and the server is not protected.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server shared-key { cipher | simple } key-string

The shared key is set for the HWTACACS server. With simple, the key is stored in plaintext in the configuration; with cipher, it is stored in encrypted form. Use cipher, and treat the key like any other credential: it is what ties the S9300 to its HWTACACS server, so anyone who obtains it from a configuration backup or from display output can pass themselves off as the S9300 to the server or as the server to the S9300. Note that display hwtacacs-server template may print the key in readable form (see the example in 1.5.12), so restrict who may run display commands and do not paste that output into tickets or logs.

By default, no shared key is set for the HWTACACS server.

----End

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server

Context

NOTE

A user name is in the user name@domain name format, and the character string after "@" is the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server user-name domain-included

The user name format is set for an HWTACACS server.

By default, a user name sent to an HWTACACS server contains the domain name. That is, the S9300 sends the user name, the domain name delimiter, and the domain name to the HWTACACS server for authentication.

If the HWTACACS server does not accept user names that contain a domain name, run the undo hwtacacs-server user-name domain-included command so that the S9300 strips the delimiter and the domain name before sending the user name to the server. The domain is still used on the S9300 to select the authentication scheme and the server template; only the name sent to the server changes.

----End

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for an HWTACACS server.

By default, traffic is expressed in bytes on the S9300. The unit must match what the accounting server expects; otherwise the server interprets the traffic figures in accounting records in the wrong unit.

----End

1.5.10 (Optional) Setting HWTACACS Timers

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout value

The timeout interval for an HWTACACS server to send response packets is set.

By default, the timeout interval for an HWTACACS server to send response packets is five seconds.

If the S9300 receives no response from an HWTACACS server within the timeout interval, it considers the HWTACACS server unavailable. In this case, the S9300 performs authentication or authorization in the other modes configured for the scheme. The timeout value therefore bounds how long a login attempt waits before that fallback happens.

Step 4 Run:
hwtacacs-server timer quiet value

The time after which an HWTACACS server is restored to the active state is set.

By default, the primary HWTACACS server is restored to the active state five minutes after it was marked unavailable. During this quiet interval the S9300 does not retry the primary server. A short value brings a recovered primary server back sooner but sends more requests to a server that may still be down.

----End

1.5.11 (Optional) Configuring Retransmission of the Accounting-Stop Packet

Context

If HWTACACS accounting is used, the S9300 sends an Accounting-Stop packet to the HWTACACS server after a user goes offline. If network connectivity is unreliable, you can enable retransmission of the Accounting-Stop packet to prevent the loss of accounting information.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

Retransmission of the Accounting-Stop packet is configured. This command is run in the system view, not in the HWTACACS server template view, so the setting is global rather than per template.

You can enable retransmission and set the retransmission count, or disable the function. By default, retransmission is enabled and the retransmission count is 10.

----End
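The following session, added here as an illustration and not taken from the guide's own configuration examples, puts the procedures in 1.5.2 to 1.5.11 together for one template. The template name tac-admin, the server addresses 10.1.1.10 and 10.1.1.11, the source address 10.1.1.1, the key value and the timer values are made up for the example; port 49 is the standard TACACS+ port and is an assumption on my part, as is the value argument of the response-timeout command, which the procedure above lists without its argument. The prompts are shown as VRP normally displays them for these views and are not copied from the guide; quit returns to the parent view.

```text
<Quidway> system-view
[Quidway] hwtacacs-server template tac-admin
[Quidway-hwtacacs-tac-admin] hwtacacs-server authentication 10.1.1.10 49
[Quidway-hwtacacs-tac-admin] hwtacacs-server authentication 10.1.1.11 49 secondary
[Quidway-hwtacacs-tac-admin] hwtacacs-server authorization 10.1.1.10 49
[Quidway-hwtacacs-tac-admin] hwtacacs-server authorization 10.1.1.11 49 secondary
[Quidway-hwtacacs-tac-admin] hwtacacs-server accounting 10.1.1.10 49
[Quidway-hwtacacs-tac-admin] hwtacacs-server accounting 10.1.1.11 49 secondary
[Quidway-hwtacacs-tac-admin] hwtacacs-server source-ip 10.1.1.1
[Quidway-hwtacacs-tac-admin] hwtacacs-server shared-key cipher Example-Key-2010
[Quidway-hwtacacs-tac-admin] undo hwtacacs-server user-name domain-included
[Quidway-hwtacacs-tac-admin] hwtacacs-server timer response-timeout 5
[Quidway-hwtacacs-tac-admin] hwtacacs-server timer quiet 5
[Quidway-hwtacacs-tac-admin] quit
[Quidway] hwtacacs-server accounting-stop-packet resend enable 10
[Quidway] display hwtacacs-server template tac-admin
```

Three choices in this session are security-relevant. The key is entered with cipher so that it is not stored in plaintext in the configuration file. The source address is fixed so that the server always sees the S9300 from 10.1.1.1 and can restrict its HWTACACS clients to that address. The domain name is stripped from the user name (undo hwtacacs-server user-name domain-included) only because the assumed server keys its accounts on the bare user name; if your server expects user@domain, leave the default in place. In the display output, confirm that Shared-key is not empty, that Source-IP-address shows 10.1.1.1, and that each Current-*-server field shows the intended primary server rather than 0.0.0.0:0.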

1.5.12 Checking the Configuration

Prerequisite

The configurations of the HWTACACS server template are complete.

Procedure

- Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.

----End

Example

After completing the configuration of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template. Check that the Current-*-server fields show the intended primary servers (0.0.0.0:0 means that no server of that type is configured) and that Shared-key is not empty. Note that the command prints the shared key, so do not paste its output into tickets or logs.

<Quidway> display hwtacacs-server template hhh
---------------------------------------------------------------------
HWTACACS-server template name : hhh
Primary-authentication-server : 100.1.1.2:26
Primary-authorization-server : 100.1.1.3:26
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 100.1.1.2:26
Current-authorization-server : 100.1.1.3:26
Current-accounting-server : 0.0.0.0:0
Source-IP-address : 0.0.0.0
Shared-key : lsj
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 20
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------
Total 1,1 printed

1.6 Configuring a Service Scheme

This section describes how to configure a service scheme in the S9300 to store authorization information about users.

1.6.1 Establishing the Configuration Task

1.6.2 Creating a Service Scheme

1.6.3 Setting the Administrator Level

1.6.4 Configuring a DHCP Server Group

1.6.5 Configuring an Address Pool

1.6.6 Configuring Primary and Secondary DNS Servers

1.6.7 Checking the Configuration

1.6.1 Establishing the Configuration Task

Applicable Environment

Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.

Pre-configuration Tasks

Before configuring a service scheme, complete the following tasks:

- Creating a DHCP server group

- Creating an address pool

Data Preparation

To configure a service scheme, you need the following data.

No. Data

1 Name of the service scheme

2 Administrator level

3 User priority

4 Name of the DHCP server group

5 Name and position of the address pool

6 IP addresses of the primary and secondary DNS servers

1.6.2 Creating a Service Scheme

Context

The service scheme is the aggregation of authorization information about users. After a service scheme is created, you can set attributes of users in the service scheme view.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created and the service scheme view is displayed.

service-scheme-name is a string of 1 to 32 characters, excluding /, :, *, ?, <, >, and @.

By default, no service scheme is configured in the S9300.

----End

1.6.3 Setting the Administrator Level

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
adminuser-priority level

Administrators who obtain this service scheme are enabled to log in to the S9300, and their administrator level is set.

The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid, and the service scheme does not grant administrator login. Give each scheme the lowest level that still covers the commands its users need; level 15 is the highest level and allows every command.

----End

1.6.4 Configuring a DHCP Server Group

Prerequisite

A DHCP server group is configured. For the procedure for configuring the DHCP server group, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dhcp-server group group-name

The DHCP server group is bound to the service scheme.

----End

1.6.5 Configuring an Address Pool

Prerequisite

An IP address pool is configured. For the procedure for configuring the address pool, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is bound to the service scheme, or an already bound address pool is moved to a new position in the scheme's list of pools.

----End

1.6.6 Configuring Primary and Secondary DNS Servers

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dns ip-address

The IP address of the primary DNS server is configured.

Step 5 Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.

----End

1.6.7 Checking the Configuration

Procedure

Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme.

----End

Example

Run the display service-scheme command to view all the service schemes.

<Quidway> display service-scheme
-------------------------------------------------------------------
service-scheme-name scheme-index
-------------------------------------------------------------------
svcscheme1 0
svcscheme2 1
-------------------------------------------------------------------
Total of service scheme: 2

Run the display service-scheme name svcscheme1 command to view the configuration of service scheme svcscheme1. In the output below, service-scheme-adminlevel is 16, which means that adminuser-priority has not been run for this scheme and it grants no administrator level.

<Quidway> display service-scheme name svcscheme1
service-scheme-name : svcscheme1
service-scheme-primary-dns : -
service-scheme-secondry-dns : -
service-scheme-uppriority : 0
service-scheme-downpriority : 0
service-scheme-adminlevel : 16
service-scheme-dhcpgroup : -
service-scheme-flowstatup : false
service-scheme-flowstatdown : false
Idle-data-attribute(time,rate): <0,60>

1.7 Configuring a Domain

This section describes how to configure a domain on the S9300.

1.7.1 Establishing the Configuration Task

1.7.2 Creating a Domain

1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain

1.7.4 Configuring a RADIUS Server Template for a Domain

1.7.5 Configuring an HWTACACS Server Template for a Domain

1.7.6 (Optional) Configuring a Service Scheme for a Domain

1.7.7 (Optional) Setting the Status of a Domain

1.7.8 (Optional) Configuring the Domain Name Delimiter

1.7.9 Checking the Configuration

1.7.1 Establishing the Configuration Task

Applicable Environment

To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain.

NOTE

A modification to a domain takes effect the next time a user logs in. Sessions that are already established keep the settings they logged in with.

Pre-configuration Tasks

Before configuring a domain, complete the following tasks:

- Configuring authentication and authorization schemes

- Configuring a RADIUS server template if RADIUS is used in an authentication scheme

- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme

- Configuring local user management if local authentication or authorization is used

Data Preparation

To configure a domain, you need the following data.

No. Data

1 Name of the domain

2 Names of the authentication and authorization schemes of the domain

3 (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain

4 (Optional) Status of the domain

1.7.2 Creating a Domain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

The S9300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators.

The S9300 supports up to 128 domains, including the two default domains.

----End

Postrequisite

After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. Access users whose domain names cannot be obtained (that is, whose login names carry no domain name delimiter) are added to this domain; with admin, the domain becomes the default domain for administrators.

If you do not run the domain domain-name [ admin ] command, the S9300 adds common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively. Because every login name without a delimiter lands in one of the default domains, make sure those domains (or the domains you substitute for them) carry the authentication scheme you intend: a permissive scheme there applies to every user who omits the domain.

1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is bound to the domain.

By default, the authentication scheme named default is used for a domain.

Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is bound to the domain.

By default, no authorization scheme is bound to a domain.

Step 6 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is bound to the domain.

By default, the accounting scheme named default is used for a domain.

----End

1.7.4 Configuring a RADIUS Server Template for a Domain

Context

If the authentication scheme bound to a domain uses remote RADIUS authentication, you must also apply a RADIUS server template to the domain: the scheme selects the method, and the template selects the servers.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
radius-server template-name

A RADIUS server template is applied to the domain.

By default, no RADIUS server template is applied to a domain.

----End

1.7.5 Configuring an HWTACACS Server Template for a Domain

Context

If remote HWTACACS authentication or authorization is used in a domain, you need to apply an HWTACACS server template to the domain.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
hwtacacs-server template-name

An HWTACACS server template is applied to the domain.

By default, no HWTACACS server template is applied to a domain. In the domain view the command takes only the template name; the hwtacacs-server template template-name form belongs to the system view and creates the template itself (see 1.5.2).

----End

1.7.6 (Optional) Configuring a Service Scheme for a Domain

Context

Configuring a service scheme for a domain binds the service scheme to the domain. Users in the domain obtain service information, such as the IP address, the DNS servers, and the administrator level, from the service scheme.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
service-scheme service-scheme-name

A service scheme is bound to the domain.

By default, no service scheme is bound to a domain.

Before binding a service scheme to a domain, you must create the service scheme (see 1.6.2).

----End

1.7.7 (Optional) Setting the Status of a Domain

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
state { active | block }

The status of the domain is set.

When a domain is in the blocking state, users that belong to this domain cannot log in; users who are already logged in are not affected until they log in again. By default, a domain is in the active state after being created. Blocking a domain is the quickest way to suspend every account behind it, for example while the server that authenticates the domain is being investigated, without deleting any configuration.

----End

1.7.8 (Optional) Configuring the Domain Name Delimiter

Context

A user account on the S9300 consists of a user name and a domain name, separated by the domain name delimiter. For example, if the domain name delimiter is @, the account of user1 in domain dom1 is user1@dom1.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain-name-delimiter delimiter

The domain name delimiter is configured.

delimiter can be set to any one of \, /, :, <, >, |, @, ', and %.

By default, the domain name delimiter is @. The delimiter is global and applies to every login name, so choose it before creating local users and before telling users how to format their login names. Note that the S9300 always reads the user name before the delimiter and the domain name after it: with the delimiter set to \, a login of the Windows form CORP\alice is parsed as user CORP in domain alice, not as user alice in domain CORP.

----End
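The following session, added here as an illustration and not taken from the guide's own configuration examples, puts the service scheme procedures in 1.6.2 to 1.6.6 and the domain procedures in 1.7.2 to 1.7.8 together: it creates a service scheme for network administrators and a domain that uses it with HWTACACS authentication and authorization. The names admin-svc and netops, the DNS addresses and the level 3 are made up for the example; scheme-tac-auth and scheme-tac-author are assumed to be authentication and authorization schemes that already exist (schemes are configured in the earlier sections of this chapter), and tac-admin is assumed to be an HWTACACS server template configured as in 1.5. The DHCP server group and address pool steps are omitted because administrators logging in to the switch do not need them. The prompts are shown as VRP normally displays them and are not copied from the guide; quit returns to the parent view.

```text
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] domain-name-delimiter @
[Quidway-aaa] service-scheme admin-svc
[Quidway-aaa-service-admin-svc] adminuser-priority 3
[Quidway-aaa-service-admin-svc] dns 10.1.2.53
[Quidway-aaa-service-admin-svc] dns 10.1.2.54 secondary
[Quidway-aaa-service-admin-svc] quit
[Quidway-aaa] domain netops
[Quidway-aaa-domain-netops] authentication-scheme scheme-tac-auth
[Quidway-aaa-domain-netops] authorization-scheme scheme-tac-author
[Quidway-aaa-domain-netops] accounting-scheme default
[Quidway-aaa-domain-netops] hwtacacs-server tac-admin
[Quidway-aaa-domain-netops] service-scheme admin-svc
[Quidway-aaa-domain-netops] state active
[Quidway-aaa-domain-netops] quit
[Quidway-aaa] quit
[Quidway] domain netops admin
[Quidway] display domain name netops
```

With this configuration an administrator logs in as alice@netops, and because domain netops admin makes netops the default administrator domain, a bare alice is placed in the same domain. Whether the HWTACACS server then sees alice or alice@netops depends on the user-name domain-included setting of the tac-admin template (1.5.8). In the display domain output, Authentication-scheme-name, Authorization-scheme-name, Service-scheme-name and Hwtacacs-server-template should all be non-empty; a domain that binds an HWTACACS scheme but shows "-" for the template cannot reach any server. To suspend every account in the domain at once, run state block in the domain view; users already logged in are not cut off, so terminate their sessions separately if that is needed.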

1.7.9 Checking the Configuration

Prerequisite

The configurations of the domain are complete.

Procedure

- Run the display domain [ name domain-name ] command to check the configuration of the domain.

----End

Example

After the configuration, you can run the display domain command to view the summary of all domains.

<Quidway> display domain
-------------------------------------------------------------------------
DomainName index
-------------------------------------------------------------------------
default 0
default_admin 1
huawei 2
-------------------------------------------------------------------------
Total: 3

Run the display domain name domain-name command to view the configuration of a specified domain. In the output below, domain huawei carries no authorization scheme, no service scheme and no server template, so its authentication scheme scheme0 must be one that does not rely on a remote server; a domain whose scheme uses RADIUS or HWTACACS also needs the matching server template (see 1.7.4 and 1.7.5).

<Quidway> display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : scheme0
Accounting-scheme-name : default
Authorization-scheme-name : -
Service-scheme-name : -
RADIUS-server-group : -
Accounting-copy-RADIUS-group : -
Hwtacacs-server-template : -

1.8 Configuring Local User Management

This section describes how to configure local user management on the S9300.

1.8.1 Establishing the Configuration Task

1.8.2 Creating a Local User

1.8.3 (Optional) Setting the Access Type of the Local User

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access

1.8.5 (Optional) Setting the Status of a Local User

1.8.6 (Optional) Setting the Level of a Local User

1.8.7 (Optional) Setting the Access Limit for a Local User

1.8.8 Checking the Configuration

1.8.1 Establishing the Configuration Task

Applicable Environment

You can create a local user on the S9300, configure attributes of the local user, and authenticate and authorize users logging in to the S9300 against the local user information.

Pre-configuration Tasks

None

Data Preparation

To configure local user management, you need the following data.

No. Data

1 User name and password

2 Access type of the local user

3 Name of the FTP directory that the local user can access

4 Status of the local user

5 Level of the local user

6 Maximum number of local access users

1.8.2 Creating a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

A local user is created.

If the user name contains the domain name delimiter (@ by default; see 1.7.8 for the alternatives), the character string before the delimiter is the user name and the character string after it is the domain name. If the user name does not contain the domain name delimiter, the entire character string is the user name and the domain is default.

With simple, the password is stored in plaintext in the configuration and shown in plaintext by display local-user; with cipher, it is stored in encrypted form. Use cipher for every local account. Local accounts are typically the fallback used when the HWTACACS or RADIUS server is unreachable, so give them strong passwords and keep the number of such accounts small.

----End

1.8.3 (Optional) Setting the Access Type of the Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { 8021x | bind | ftp | ssh | telnet | web }*

The access type of the local user is set.

By default, a local user can use all access types.

A user can log in only through an access type that has been granted. Restrict each account to the service it actually needs: an account used for 802.1x authentication of end users has no reason to be able to open a Telnet or SSH session on the S9300 itself, and a management account has no reason to be usable for FTP unless it transfers files.

----End

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access

Context

NOTE

If the access type of a local user includes FTP, you must configure the FTP directory that the local user can access; otherwise, the FTP user cannot log in.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The FTP directory that a local user can access is configured.

By default, the FTP directory that a local user can access is null, which is why an FTP login fails until a directory is set. The directory bounds what the user can reach over FTP, so point it at a dedicated directory rather than at the root of the storage device when the account only needs to upload or fetch a few files.

----End

1.8.5 (Optional) Setting the Status of a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The status of a local user is set.

By default, a local user is in the active state.

The S9300 processes a local user in the active or blocking state as follows:

- If the local user is in the active state, the S9300 accepts the authentication request of this user for further processing.

- If the local user is in the blocking state, the S9300 rejects the authentication request of this user.

Blocking an account keeps its configuration (password, level, access type) in place, so it is the right way to suspend an account temporarily, for example while a possibly leaked credential is being investigated, instead of deleting and recreating it.

----End

1.8.6 (Optional) Setting the Level of a Local User

Context

After the level of a local user is set, the user can run a command only when the user level is equal to or higher than the command level.

Like command levels, user levels are numbered 0 to 15. The greater the number, the higher the user level.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name level level

The level of a local user is set.

By default, no level is set for a local user in the AAA view, and the level is determined by the management module instead; for example, the user interface view has a user level of its own. If no level is set anywhere, the user level is 0.

NOTE

You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference.

----End

1.8.7 (Optional) Setting the Access Limit for a Local User

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit max-number

The maximum number of concurrent sessions for the local user is set.

By default, the number of simultaneous access users with the same user name is not limited on the S9300. A limit on management accounts bounds how many sessions one account can hold open, and it makes a stolen credential easier to notice, because the legitimate user is refused while an intruder's session is up.

----End
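The following session, added here as an illustration and not taken from the guide's own configuration examples, puts the procedures in 1.8.2 to 1.8.7 together for two local accounts: a management account that may only use SSH, and a file transfer account that may only use FTP and is kept blocked until a transfer is needed. The user names netadmin and backup, the passwords, and the directory cfcard:/backup are made up for the example (the storage device name is an assumption, so substitute the one your S9300 reports). The prompts are shown as VRP normally displays them and are not copied from the guide.

```text
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] local-user netadmin password cipher Example-Pass-2010
[Quidway-aaa] local-user netadmin service-type ssh
[Quidway-aaa] local-user netadmin level 15
[Quidway-aaa] local-user netadmin access-limit 2
[Quidway-aaa] local-user backup password cipher Example-Pass-2010b
[Quidway-aaa] local-user backup service-type ftp
[Quidway-aaa] local-user backup ftp-directory cfcard:/backup
[Quidway-aaa] local-user backup level 1
[Quidway-aaa] local-user backup access-limit 1
[Quidway-aaa] local-user backup state block
[Quidway-aaa] quit
[Quidway] display local-user username netadmin
```

Neither name contains the domain name delimiter, so both accounts belong to domain default (1.8.2); a name of the form backup@netops would instead place the account in domain netops. Both passwords are entered with cipher, which is why the display output does not reveal them in plaintext the way Password : hello does in the example in 1.8.8. The backup account cannot log in until state active is run for it, and even then only over FTP and only into cfcard:/backup; the ftp-directory is mandatory for any account whose service-type includes ftp (1.8.4). access-limit 2 on netadmin allows one interactive session plus one for an automated job while still refusing a third, unexpected, login.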

1.8.8 Checking the Configuration

Prerequisite

The configurations of the local user are complete.

Procedure

- Run the display local-user [ username user-name ] command to check the attributes of the local user.

----End

Example

After completing the configuration of local user management, you can run the display local-user command to view brief information about the attributes of the local users.

<Quidway> display local-user
----------------------------------------------------------------------------
No. User-Name State AuthMask AdminLevel
----------------------------------------------------------------------------
0 lsj A A -
----------------------------------------------------------------------------
Total 1 user(s)

Run the display local-user username user-name command to view detailed information about a specified user. In the output below, the password is printed in plaintext (Password : hello) because the account was created with the simple keyword; this is one reason to create local users with cipher and to restrict who may run display commands.

<Quidway> display local-user username lsj
The contents of local user :
Password : hello
State : Active
Auth-Type-Mask : A
Admin-level : -
Idle-Cut : No
FTP-directory : -
Access-Limit : No
Accessed-Num : 0

1.9 Maintaining AAA and User Management

This section describes how to maintain AAA and user management.

1.9.1 Clearing the Statistics

1.9.2 Monitoring the Running Status of AAA

1.9.3 Debugging

1.9.1 Clearing the Statistics

Context

CAUTION

Statistics cannot be restored after you clear them. Confirm the action before you use the command.

Run the following command in the user view to clear the statistics.

Procedure

- Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.

----End

1.9.2 Monitoring the Running Status of AAA

Procedure

Step 1 Run the display aaa configuration command to view AAA running information.

----End

Example

Run the display aaa configuration command to view AAA running information.

<Quidway> display aaa configuration
Domain Name Delimiter : @
Domain : total: 128 used: 5
Authentication-scheme : total: 128 used: 1
Accounting-scheme : total: 128 used: 3
Authorization-scheme : total: 128 used: 1
Service-scheme : total: 128 used: 0

1.9.3 Debugging

Context

CAUTION

Debugging affects the performance of the system. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs in the exchange with the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault. Debugging output for AAA packets can contain user names and other authentication data, so enable it only for as long as needed and do not leave it running on a production switch.

Procedure

- Run the debugging radius packet command to debug RADIUS packets.

- Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.

----End

1.10 Configuration ExamplesThis section provides several configuration examples of AAA and user management.

1.10.1 Example for Configuring RADIUS Authentication and Accounting

1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

1.10.1 Example for Configuring RADIUS Authentication andAccounting

Networking Requirements
As shown in Figure 1-1, users access the network through Switch A and are located in the domain huawei. Switch B acts as the network access server of the destination network. The access request of the user needs to pass the network of Switch A and Switch B to reach the authentication server. The user can access the destination network through Switch B after passing the remote authentication. The remote authentication mode on Switch B is as follows:


- The RADIUS server performs authentication and accounting for access users.
- The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting
[Diagram: S9300-A, S9300-B, destination network, domain huawei, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template and the authentication and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:

- Name of the domain that a user belongs to
- Name of the RADIUS server template
- Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
- Key and retransmission count of the RADIUS server


NOTE

The following configurations are performed on Switch B.

Procedure

Step 1 Configure a RADIUS server template.

# Configure the RADIUS template named shiva.

<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.

[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.

[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server.

[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit

Step 2 Configure the authentication and accounting schemes.

# Configure authentication scheme 1, with the authentication mode being RADIUS.

[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.

[Quidway-aaa] accounting-scheme 1
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit

Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and RADIUS template shiva to the domain.

[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Step 4 Verify the configuration.

After running the display radius-server configuration template command on Switch B, you can see that the configuration of the RADIUS server template meets the requirements.

<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------
 Server-template-name : shiva
 Protocol-version : standard
 Traffic-unit : B
 Shared-secret-key : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 Timeout-interval(in second) : 5


 Primary-authentication-server : 129.7.66.66; 1812; LoopBack:NULL
 Primary-accounting-server : 129.7.66.66; 1813; LoopBack:NULL
 Secondary-authentication-server : 129.7.66.67; 1812; LoopBack:NULL
 Secondary-accounting-server : 129.7.66.67; 1813; LoopBack:NULL
 Retransmission : 2
 Domain-included : YES
-------------------------------------------------------------------

----End

Configuration Files

#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return
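The exchange that this example configures, worked through end to end as an added illustration in Python (not Huawei code and not the S9300 implementation): the NAS hides the PAP password with MD5 over the shared key and the Request Authenticator, the server recovers it and signs its reply with the Response Authenticator, and the NAS discards any reply whose authenticator does not verify, then moves to the secondary server once the retransmissions to the primary are used up. It assumes RFC 2865 encodings, a reply carrying no attributes, the shared key hello from Step 1, and that radius-server retransmit 2 means one request plus two retries per server (the S9300's exact retry behaviour is not stated on this page). The user database and the silent and mismatched-key servers are constructed.

```python
"""RADIUS PAP exchange between a NAS (Switch B) and an authentication server, per RFC 2865.
Added illustration; not Huawei code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(<=253)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block),
    where the 'previous block' of the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same transform; only a holder of the shared key recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def nas_access_request(username, password, secret, ident, request_auth=None):
    """Build an Access-Request; the 16-byte Request Authenticator must be fresh and unpredictable."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, user_db):
    """Authentication server: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this illustration
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_response(response, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify is discarded, so a
    mismatched shared key looks exactly like a silent server. Returns (verified, code)."""
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return response[4:20] == expected, response[0]


def nas_authenticate(username, password, secret, servers, retransmit=2):
    """Try the primary, then the secondary, with 1 + retransmit attempts each (assumed reading of
    radius-server retransmit 2). servers: list of (name, send) where send(packet) returns the
    reply bytes or None for a timeout. Returns (server that answered, accepted)."""
    ident = 0
    for name, send in servers:
        for _ in range(1 + retransmit):
            request_auth = os.urandom(16)
            reply = send(nas_access_request(username, password, secret, ident, request_auth))
            ident = (ident + 1) % 256
            if reply is None:
                continue  # timeout: retransmit
            verified, code = nas_verify_response(reply, request_auth, secret)
            if verified:
                return name, code == ACCESS_ACCEPT
        # retries exhausted: fall through to the next server
    return None, False
```

The last case matters operationally: a shared key that differs between Switch B and the server yields replies the NAS cannot verify, so the symptom is a timeout and failover to the secondary, not an Access-Reject.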

1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

As shown in Figure 1-2:

- Access users are first authenticated locally. If local authentication fails, the HWTACACS server is adopted to authenticate access users.
- HWTACACS authentication is required before the level of access users is promoted. If the HWTACACS authentication does not respond, local authentication is performed.
- HWTACACS authorization is performed for access users.
- All access users need to be charged.
- Interim accounting is performed every 3 minutes.


- The primary HWTACACS server is 129.7.66.66/24, and the secondary HWTACACS server is 129.7.66.67/24. The port number of the server for authentication, accounting, and authorization is 49.

Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization
[Diagram: S9300-A, S9300-B, destination network, domain huawei, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template and the authentication, authorization, and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:

- Name of the domain that the user belongs to
- Name of the HWTACACS server template
- Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
- Key of the HWTACACS server

NOTE

The following configurations are performed on Switch B.


Procedure

Step 1 Configure an HWTACACS server template.

# Configure an HWTACACS server template named ht.

<Quidway> system-view
[Quidway] hwtacacs-server template ht

# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.

[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.

[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the key of the HWTACACS server.

[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 2 Configure the authentication, authorization, and accounting schemes.

# Create an authentication scheme l-h and set the authentication mode to local-HWTACACS, that is, the system performs local authentication first and then HWTACACS authentication. HWTACACS authentication supersedes local authentication when the level of a user is promoted.

[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode local hwtacacs
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.

[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.

[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of interim accounting to 3 minutes.

[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit

Step 3 Create the domain huawei and apply the authentication scheme l-h, the HWTACACS authorization scheme, the HWTACACS accounting scheme, and the HWTACACS template ht to the domain.

[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht


[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Step 4 Verify the configuration.

Run the display hwtacacs-server template command on Switch B, and you can see that the configuration of the HWTACACS server template meets the requirements.

<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
 HWTACACS-server template index : 0
 HWTACACS-server template name : ht
 Primary-authentication-server : 129.7.66.66:49
 Primary-authorization-server : 129.7.66.66:49
 Primary-accounting-server : 129.7.66.66:49
 Secondary-authentication-server : 129.7.66.67:49
 Secondary-authorization-server : 129.7.66.67:49
 Secondary-accounting-server : 129.7.66.67:49
 Current-authentication-server : 129.7.66.66:49
 Current-authorization-server : 129.7.66.66:49
 Current-accounting-server : 129.7.66.66:49
 Source-IP-address : 0.0.0.0
 Shared-key : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 Quiet-interval(min) : 5
 Response-timeout-Interval(sec) : 5
 Domain-included : Yes
 Traffic-unit : B
---------------------------------------------------------------------------

Run the display domain command on Switch B, and you can see that the configuration of the domain meets the requirements.

<Quidway> display domain name huawei
 Domain-name : huawei
 Domain-state : Active
 Authentication-scheme-name : l-h
 Accounting-scheme-name : hwtacacs
 Authorization-scheme-name : hwtacacs
 Service-scheme-name : -
 RADIUS-server-group : -
 Accounting-copy-RADIUS-group : -
 Hwtacacs-server-template : ht

----End
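The two Step 4 verification steps on this page (the RADIUS template in 1.10.1, the HWTACACS template and the domain here) can be checked mechanically rather than by eye. The following is an added Python illustration, not Huawei code: it parses the Key : value lines of the display output shown above, copied here as sample input, and compares them with the networking requirements. The regular expression accepts both the 129.7.66.66:49 form of the HWTACACS output and the 129.7.66.66; 1812; LoopBack:NULL form of the RADIUS output, and a template whose shared-key field is blank is flagged, since such a template exchanges packets with the server without a shared secret.

```python
"""Audit 'display hwtacacs-server template', 'display radius-server configuration template'
and 'display domain' output against the networking requirements. Added illustration; not Huawei code."""
import re

# Sample input copied from the display output in Step 4 of the HWTACACS example on this page.
HWTACACS_TEMPLATE_OUTPUT = """\
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
 HWTACACS-server template index : 0
 HWTACACS-server template name : ht
 Primary-authentication-server : 129.7.66.66:49
 Primary-authorization-server : 129.7.66.66:49
 Primary-accounting-server : 129.7.66.66:49
 Secondary-authentication-server : 129.7.66.67:49
 Secondary-authorization-server : 129.7.66.67:49
 Secondary-accounting-server : 129.7.66.67:49
 Shared-key : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 Domain-included : Yes
---------------------------------------------------------------------------
"""

DOMAIN_OUTPUT = """\
<Quidway> display domain name huawei
 Domain-name : huawei
 Domain-state : Active
 Authentication-scheme-name : l-h
 Accounting-scheme-name : hwtacacs
 Authorization-scheme-name : hwtacacs
 Hwtacacs-server-template : ht
"""

# Requirements taken from the Networking Requirements of the HWTACACS example.
HWTACACS_EXPECTED_SERVERS = {
    f"{role}-{service}-server": (ip, 49)
    for role, ip in (("Primary", "129.7.66.66"), ("Secondary", "129.7.66.67"))
    for service in ("authentication", "authorization", "accounting")
}
DOMAIN_EXPECTED = {
    "Authentication-scheme-name": "l-h",
    "Authorization-scheme-name": "hwtacacs",
    "Accounting-scheme-name": "hwtacacs",
    "Hwtacacs-server-template": "ht",
}

# 'ip:port' (HWTACACS output) or 'ip; port; ...' (RADIUS output)
SERVER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*[:;]\s*(\d+)")


def parse_display(text):
    """'Key : value' lines -> dict. Echoed commands, dashed rules and summary lines carry no
    colon in the key position and are skipped; values may themselves contain colons."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", "-")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_server(value):
    """Server field -> (ip, port), or None when the field is absent or not a server entry."""
    m = SERVER_RE.match(value or "")
    return (m.group(1), int(m.group(2))) if m else None


def check_servers(fields, expected):
    """One finding per server entry that is missing or differs from the requirement."""
    return [f"{key}: expected {want}, found {parse_server(fields.get(key))}"
            for key, want in expected.items() if parse_server(fields.get(key)) != want]


def check_values(fields, expected):
    """Exact-match comparison for scheme and template names."""
    return [f"{key}: expected {want!r}, found {fields.get(key)!r}"
            for key, want in expected.items() if fields.get(key) != want]


def empty_shared_keys(fields):
    """Names of shared-key fields that are blank: packets to such a server carry no secret."""
    return [key for key, value in fields.items() if "hared-key" in key and value == ""]
```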

Configuration Files

#
 sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs


 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return


2 NAC Configuration

About This Chapter

This chapter describes the working principle and configuration of network access control (NAC).

2.1 Introduction to NAC
This section describes the working principle of NAC.

2.2 NAC Features Supported by the S9300
This section describes the NAC features supported by the S9300.

2.3 Configuring Web Authentication
This section describes how to configure the Web authentication function.

2.4 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.

2.5 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.

2.6 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.

2.7 Configuration Examples
This section provides several configuration examples of NAC.


2.1 Introduction to NAC
This section describes the working principle of NAC.

Traditional network security technologies focus on the threat brought by external computers, rather than the threat brought by internal computers. In addition, current network devices cannot prevent attacks initiated by internal devices on the network. Network Access Control (NAC) is an architecture for secure access built on the end-to-end security concept. NAC considers internal network security from the perspective of user terminals, rather than network devices.

Figure 2-1 Typical networking of NAC
[Diagram: User, NAD (S9300), ACS, remediation server, AAA server, directory server, PVS & audit server]

As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts:

- User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software.
- NAD: Network access devices, including routers and switches (hereinafter referred to as the S9300), which are used to authenticate and authorize users. The NAD needs to work with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources.
- ACS: Access control server that is used to check terminal security and health, manage policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent malicious damage from terminals.

2.1.1 Web Authentication

2.1.2 802.1x Authentication

2.1.3 MAC Address Authentication

2.1.1 Web Authentication

Web authentication is also called Portal authentication. When opening a browser for the first time and entering a URL, users are forcibly redirected to the authentication page of the Web server. Users can access network resources only after passing the authentication. Users that do not pass the authentication can only access the specified site server. When a user enters a user name and password on the Web page, the Portal protocol is used to authenticate the user. This process is Web authentication.

The Portal protocol enables Web servers to communicate with other devices. The Portal protocol is based on the client/server model and uses the User Datagram Protocol (UDP) as the transport protocol. In Web authentication, the Web authentication server and the S9300 communicate with each other through the Portal protocol. In this case, the S9300 functions as the client. After obtaining the user name and password entered by the user on the authentication page, the Web authentication server transfers them to the S9300 through the Portal protocol.

2.1.2 802.1x Authentication

The IEEE 802.1x standard (hereinafter referred to as 802.1x) is an interface-based network access control protocol. Interface-based network access control is used to authenticate and control access devices on an interface of a LAN access control device. User devices connected to the interface can access the resources on the LAN only after they pass the authentication.

802.1x focuses on the status of the access interface only. When an authorized user accesses the network by sending the user name and password, the interface is open. When an unauthorized user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation that are considered in common authentication technologies are not involved. Therefore, 802.1x authentication is the simplest implementation scheme among the authentication technologies.

802.1x supports authentication based on the access interface and authentication based on the MAC address.

- Authentication based on the access interface: Once the first user on the interface is successfully authenticated, other users can access network resources without authentication. When the first user goes offline, the other users are disconnected as well.
- Authentication based on the MAC address: Every access user on the interface needs to be authenticated.

802.1x supports the following authentication modes:

- EAP termination mode: The network access device terminates EAP packets, obtains the user name and password from the packets, encrypts the password, and sends the user name and password to the AAA server for authentication.
- EAP transparent transmission authentication: Also called EAP relay authentication. The network access device directly encapsulates the authentication information about 802.1x users and the EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS server. Therefore, the EAP packets do not need to be converted into RADIUS packets before they are sent to the RADIUS server.
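The EAP relay path described above, as an added Python illustration (not code from this guide and not the S9300 implementation): the NAD strips the EAPOL header, places the unmodified EAP packet into one or more RADIUS EAP-Message attributes, and protects the Access-Request with a Message-Authenticator so the RADIUS server can tell a relayed request from a forged one. The encodings are assumed from the public standards rather than stated on this page: IEEE 802.1X-2001 EAPOL header, RFC 3748 EAP, and RFC 3579 attributes 79 (EAP-Message, at most 253 bytes of value each) and 80 (Message-Authenticator, HMAC-MD5 over the packet with the attribute zeroed). The supplicant identity and the shared key hello are constructed.

```python
"""EAP relay (transparent transmission): the NAD forwards the supplicant's EAP packet unchanged
inside RADIUS EAP-Message attributes and signs the Access-Request with Message-Authenticator.
Added illustration; not Huawei code."""
import hashlib
import hmac
import os
import struct

EAPOL_VERSION, EAPOL_EAP_PACKET = 1, 0
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253  # the Length byte covers Type + Length + Value, so 255 - 2


def build_eapol_identity_response(eap_id, identity):
    """What the supplicant puts on the wire: EAPOL header + EAP Response/Identity (constructed)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def extract_eap(frame):
    """NAD: strip the EAPOL header and sanity-check the EAP length; the payload is not interpreted."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    eap = frame[4:4 + length]
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match the frame")
    return eap


def eap_identity(eap):
    """Identity from a Response/Identity, used only to fill User-Name; None for other EAP packets."""
    code, _eid, _length, etype = struct.unpack("!BBHB", eap[:5])
    return eap[5:] if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY else None


def _attr(atype, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long; fragment it")
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte RADIUS header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def relay_to_radius(eap, secret, ident, request_auth=None):
    """NAD: wrap the EAP packet in as many EAP-Message attributes as needed, then sign the whole
    Access-Request: Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    request_auth = request_auth or os.urandom(16)
    identity = eap_identity(eap)
    attrs = _attr(ATTR_USER_NAME, identity) if identity and len(identity) <= MAX_ATTR_VALUE else b""
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, last 16 bytes
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """RADIUS server: recompute the HMAC wherever the attribute sits; an Access-Request that
    carries EAP-Message without a valid Message-Authenticator is silently discarded (RFC 3579)."""
    for pos, atype, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def reassemble_eap(packet):
    """RADIUS server: concatenate EAP-Message fragments in order to recover the EAP packet."""
    return b"".join(value for _, atype, value in iter_attrs(packet) if atype == ATTR_EAP_MESSAGE)


def eap_fragment_count(packet):
    return sum(1 for _, atype, _ in iter_attrs(packet) if atype == ATTR_EAP_MESSAGE)
```

Nothing in the relay inspects the EAP method in use, which is the point of the mode: the credential exchange runs between supplicant and RADIUS server, and the NAD only needs the shared key to authenticate its own wrapper.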

2.1.3 MAC Address Authentication

MAC address authentication is an authentication method that controls the network access authority of a user based on the interface and MAC address. No client software needs to be installed. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the device starts authenticating the user.

In MAC bypass authentication, the device first triggers 802.1x authentication to authenticate the user. If 802.1x authentication is not performed for a long time, the device sends the MAC address of the user, which is considered to be the user name and password of the user, to the AAA server for authentication.

2.2 NAC Features Supported by the S9300
This section describes the NAC features supported by the S9300.

Functioning as the network access device (NAD), the S9300 supports the following NAC features:

- 802.1x authentication based on the port
- 802.1x authentication based on the MAC address
- EAPOL termination authentication
- EAPOL transparent transmission authentication
- MAC address authentication
- MAC bypass authentication
- Web authentication

2.3 Configuring Web Authentication
This section describes how to configure the Web authentication function.

2.3.1 Establishing the Configuration Task

2.3.2 Configuring the Web Authentication Server

2.3.3 Binding the Web Authentication Server to the Interface

2.3.4 Configuring the Free Rule for Web Authentication

2.3.5 (Optional) Configuring the Web Authentication Policy

2.3.6 (Optional) Setting the Port that Listens to the Portal Packets

2.3.7 (Optional) Setting the Version of the Portal Protocol Packets

2.3.8 Checking the Configuration

2.3.1 Establishing the Configuration Task

Applicable Environment

Web authentication can be configured for users who cannot install client software. Such users enter their user names and passwords in a Web browser for authentication.

Pre-configuration Tasks

Web authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring Web authentication, complete the following tasks:


- Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation

To configure Web authentication, you need the following data.

No. Data

1 Name, IP address, and URL of the Web Server

2 Version number and interface number of the Portal protocol

3 Authentication-free rule ID

2.3.2 Configuring the Web Authentication Server

Context

To perform Web authentication for users, you must configure the Web authentication server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server server-name ip-address [ port port-number [ all ] ] [ shared-key { cipher | simple } key-string ] [ url url-string ]

The Web authentication server is configured.

Up to 16 Web authentication servers can be configured.

----End

2.3.3 Binding the Web Authentication Server to the Interface

Context

After the Web authentication server is bound to the VLANIF interface, Web authentication can be performed for all the access users under the VLANIF interface.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Currently, the S9300 can perform Web authentication for users only through VLANIF interfaces.

Step 3 Run:
web-auth-server server-name

The Web authentication server is bound to the VLANIF interface.

You must configure a Web authentication server in the system view first and then bind the server to the interface by its server name in the interface view.

----End

2.3.4 Configuring the Free Rule for Web Authentication

Context
You need to configure the free rule in the following situations:

- After opening the HTTP browser, the user is forcibly redirected to the authentication page of the Web authentication server. The free rule is mandatory if Web authentication is adopted.
- Some special users need to access certain resources when they fail to pass the authentication.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*

The free rule is configured.

When a free rule is configured for Web authentication users, user packets matching the rule can be forwarded before Web authentication. Therefore, users without Web authentication possess a certain access authority.

----End
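A model of how free rules act on traffic from a user who has not yet authenticated, added here as an illustration in Python (not the S9300 forwarding code): each rule carries the optional destination, source, VLAN and interface restrictions of the portal free-rule command, an unset field means any, and the first matching rule exempts the packet from authentication. The mask handling covers both the mask-length and ip-mask forms the command accepts. The rule set, the addresses in it, and the assumption that unmatched HTTP is redirected to the portal page while other unmatched traffic is dropped are constructed for this example; the page states only that unauthenticated users are redirected and can reach the specified site server. The last function flags a rule with no restriction at all, which exempts every packet from authentication.

```python
"""Model of portal free rules acting on traffic from a not-yet-authenticated user.
Added illustration; not the S9300 forwarding code."""
import ipaddress


def parse_network(ip, mask):
    """The command accepts 'mask mask-length' or 'mask ip-mask'; ipaddress handles both forms."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


class FreeRule:
    """One 'portal free-rule rule-id ...' entry. A field left as None means 'any'."""

    def __init__(self, rule_id, dst_net=None, src_net=None, src_vlan=None, src_interface=None):
        self.rule_id = rule_id
        self.dst_net, self.src_net = dst_net, src_net
        self.src_vlan, self.src_interface = src_vlan, src_interface

    def matches(self, pkt):
        """Every field that is set must match; unset fields match anything."""
        if self.dst_net is not None and ipaddress.ip_address(pkt["dst_ip"]) not in self.dst_net:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt["src_ip"]) not in self.src_net:
            return False
        if self.src_vlan is not None and pkt.get("vlan") != self.src_vlan:
            return False
        if self.src_interface is not None and pkt.get("interface") != self.src_interface:
            return False
        return True

    def is_unrestricted(self):
        """'destination any source any': exempts all traffic from authentication."""
        return all(f is None for f in (self.dst_net, self.src_net, self.src_vlan, self.src_interface))


def first_matching_rule(rules, pkt):
    """Id of the first free rule the packet matches, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.rule_id
    return None


def pre_auth_decision(rules, pkt):
    """Assumed behaviour for an unauthenticated user: forward if a free rule matches, redirect
    HTTP (destination port 80) to the portal page, drop everything else."""
    if first_matching_rule(rules, pkt) is not None:
        return "forward"
    return "redirect" if pkt.get("dst_port") == 80 else "drop"


def unrestricted_rules(rules):
    """Ids of rules that would let all traffic through before authentication."""
    return [rule.rule_id for rule in rules if rule.is_unrestricted()]


# Constructed rule set: rule 1 lets anyone reach the Web authentication server (address constructed),
# rule 2 lets VLAN 10 users reach a DNS/remediation subnet given with a dotted ip-mask.
RULES = [
    FreeRule(1, dst_net=parse_network("100.1.1.114", "32")),
    FreeRule(2, dst_net=parse_network("10.0.0.0", "255.255.255.0"), src_vlan=10),
]
```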

2.3.5 (Optional) Configuring the Web Authentication Policy


Context
When the RADIUS server is adopted to authenticate users, do as follows if the user authentication information returned by the RADIUS server needs to be sent to the Web authentication server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server reply-message

The device is configured to send the reply message for user authentication to the Web authentication server.

By default, the S9300 sends the reply message for user authentication to the Web authentication server.

----End

2.3.6 (Optional) Setting the Port that Listens to the Portal Packets

Context
Do as follows to configure the port number on which the S9300 receives Portal packets when it communicates with the Web server. The port number must be consistent with the destination port number contained in the packets sent by the Web authentication server and must be globally unique.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server listening-port

The port number that listens to Portal packets is configured.

By default, the port number that listens to Portal packets is 2000.

----End

2.3.7 (Optional) Setting the Version of the Portal Protocol Packets

Context
When the S9300 communicates with the Web authentication server by using the Portal protocol, the version numbers of the Portal protocol used by the S9300 and the Web authentication server must be the same.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server version v2 [ v1 ]

The version of the portal protocol is set.

By default, two versions coexist. If version 1 is not selected, only version 2 is in use.

----End

2.3.8 Checking the Configuration

Context
The configurations of Web authentication are complete.

Procedure
- Run the display web-auth-server configuration command to view the configuration of a Web authentication server.

----End

Example
# View the configuration of the Web authentication server.

<Quidway> display web-auth-server configuration
 Listening port : 2000
 Portal : version 1, version 2
 Include reply message : enabled
------------------------------------------------------------------------
 Web-auth-server Name : servera
 IP-address : 100.1.1.114
 Shared-key :
 Port / PortFlag : 10 / NO
 URL :
------------------------------------------------------------------------
 1 Web authentication server(s) in total

2.4 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.

2.4.1 Establishing the Configuration Task

2.4.2 Enabling Global 802.1x Authentication

2.4.3 Enabling 802.1x Authentication on an Interface

2.4.4 (Optional) Enabling MAC Bypass Authentication

2.4.5 Setting the Authentication Method for the 802.1x User


2.4.6 (Optional) Configuring the Interface Access Mode

2.4.7 (Optional) Configuring the Authorization Status of an Interface

2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users

2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication

2.4.10 (Optional) Configuring 802.1x Timers

2.4.11 (Optional) Configuring the Quiet Timer Function

2.4.12 (Optional) Configuring the 802.1x Re-authentication

2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication

2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users

2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request

2.4.16 Checking the Configuration

2.4.1 Establishing the Configuration Task

Applicable Environment
You can configure 802.1x to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:

- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used
- Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
None.

2.4.2 Enabling Global 802.1x Authentication

Context
Before configuring 802.1x authentication, 802.1x needs to be enabled globally first.

Procedure

Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
dot1x

802.1x authentication is globally enabled.

Running this command enables 802.1x authentication globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled.

By default, 802.1x authentication is disabled.

----End

2.4.3 Enabling 802.1x Authentication on an Interface

Context

CAUTION: If 802.1x is enabled on an interface, MAC address authentication or direct authentication cannot be enabled on that interface. If MAC address authentication or direct authentication is enabled on an interface, 802.1x cannot be enabled on that interface.

You can enable 802.1x on an interface in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

802.1x authentication is enabled on the interfaces.

You can enable the 802.1x function on interfaces in batches by specifying the interface list in the dot1x command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x


802.1x authentication is enabled on the interface.

You can run the undo dot1x command only when no online user exists.

----End

2.4.4 (Optional) Enabling MAC Bypass Authentication

Context

The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, the MAC bypass authentication can be adopted.

If 802.1x authentication on the terminal fails, the access device sends the user name and password, namely, the MAC address of the terminal, to the RADIUS server for authentication. This process is MAC address bypass authentication.

You can configure MAC address bypass authentication in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

MAC bypass authentication is enabled on interfaces.

You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x mac-bypass enable

MAC address bypass authentication is enabled on the interface.

After you run the dot1x mac-bypass enable command, the commands of enabling 802.1x authentication on the interface are overwritten. The details are as follows:

– If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass enable command.


– If 802.1x authentication has been enabled, the authentication mode is changed from 802.1x authentication to MAC address bypass authentication on the interface after you run the dot1x mac-bypass enable command.

To disable MAC address bypass authentication, run the undo dot1x command. Note that 802.1x functions are disabled.

----End

2.4.5 Setting the Authentication Method for the 802.1x User

Context

The authentication method for the 802.1x user can be set according to the actual networking environment and security requirement.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication method is set for the 802.1x user.

By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.

• The Password Authentication Protocol (PAP) uses the two-way handshake mechanism and sends the password in plain text.

• The Challenge Handshake Authentication Protocol (CHAP) uses the three-way handshake mechanism. It transmits only the user name but not the password on the network; therefore, compared with PAP authentication, CHAP authentication is more secure and reliable and protects user privacy better.

• In Extensible Authentication Protocol (EAP) authentication, the S9300 sends the authentication information of an 802.1x user to the RADIUS server through EAP packets without converting EAP packets into RADIUS packets. To use the PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable the EAP authentication.

PAP authentication and CHAP authentication are two kinds of termination authentication methods and EAP authentication is a kind of relay authentication method.

CAUTION
If local authentication is adopted, you cannot use the EAP authentication for 802.1x users.

----End
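The following is an added example, not code from this guide or from Huawei. It models the two-way PAP and three-way CHAP exchanges named in 2.4.5 at the level of what each side sends, so the difference the guide draws (password in plain text versus password never transmitted) can be seen directly. The CHAP digest follows RFC 1994 (MD5 over identifier, secret and challenge); the user name is taken from the guide's display output, while the secret and the challenge are constructed values.

```python
"""Added example, not from the guide or Huawei: PAP and CHAP modelled as the
messages each side sends. CHAP digest per RFC 1994 (MD5(identifier || secret ||
challenge)). SECRET and the challenge below are constructed values."""
import hashlib
import hmac
from typing import Dict, List

USERNAME = "abc@huawei"            # user name from the guide's display output
SECRET = b"constructed-secret"     # the user's password, held by client and server


def pap_messages(username: str, secret: bytes) -> List[Dict[str, bytes]]:
    """Two-way handshake: credentials go out as-is, the server answers Ack/Nak."""
    request = {"User-Name": username.encode(), "Password": secret}
    return [request, {"Result": b"Authenticate-Ack"}]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest with the stored secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_messages(username: str, secret: bytes, identifier: int,
                  challenge: bytes) -> List[Dict[str, bytes]]:
    """Three-way handshake: challenge, response, result."""
    response = chap_response(identifier, secret, challenge)
    ok = chap_verify(identifier, secret, challenge, response)
    return [
        {"Identifier": bytes([identifier]), "Challenge": challenge},
        {"Identifier": bytes([identifier]), "User-Name": username.encode(), "Response": response},
        {"Result": b"Success" if ok else b"Failure"},
    ]


def secret_on_wire(messages: List[Dict[str, bytes]], secret: bytes) -> bool:
    """What a passive observer of the exchange sees: is the secret itself in any field?"""
    return any(secret in value for msg in messages for value in msg.values())


if __name__ == "__main__":
    print("PAP leaks secret:", secret_on_wire(pap_messages(USERNAME, SECRET), SECRET))
    exchange = chap_messages(USERNAME, SECRET, 7, bytes(range(16)))
    print("CHAP leaks secret:", secret_on_wire(exchange, SECRET), exchange[2])
```

Two points the model makes visible: with CHAP the server must still hold the user's secret in a form it can feed into the digest, and the digest is an unkeyed MD5 over the secret, so capturing a challenge/response pair is not harmless even though the secret itself never crosses the wire. That is why the guide's EAP relay methods (PEAP, EAP-TLS, EAP-TTLS) are preferred where the client supports them.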


2.4.6 (Optional) Configuring the Interface Access Mode

Context

The 802.1x protocol can work in the following modes:

• Interface mode: If the MAC address of a device connected to an interface passes authentication, all the MAC addresses of other devices connected to the interface can access the network without authentication.

• MAC mode: The MAC address of each device connected to the interface must pass authentication to access the network.

You can configure the access mode of an interface in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x port-method { mac | port interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> }

The access mode of interfaces is configured.

You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x port-method { mac | port }

The access mode of the interface is configured.

By default, the access mode of an interface is MAC mode.

CAUTION
If the dot1x port-method { mac | port } command is run to change the access control mode of an interface when an online 802.1x user exists, the online user is disconnected forcibly.

----End


2.4.7 (Optional) Configuring the Authorization Status of an Interface

Context

Do as follows to authorize users and control their access scope after users pass authentication.

You can configure the authorization status of an interface in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The authorization status of interfaces is set.

You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x port-control { auto | authorized-force | unauthorized-force }

The authorization status of the interface is configured.

By default, the authorization status of an interface is auto.

– auto: An interface is initially in unauthorized state and sends and receives only EAPoL packets. Therefore, users cannot access network resources. If a user passes the authentication, the interface is in authorized state and allows users to access network resources.

– authorized-force: An interface is always in authorized state and allows users to access network resources without authentication.

– unauthorized-force: An interface is always in unauthorized state and does not allow users to access network resources.

----End


2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users

Context

When the number of access users on interfaces reaches the maximum value, the S9300 does not trigger authentication for subsequent access users. These subsequent access users thus cannot access the network.

You can set the maximum number of access users on interfaces in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The maximum number of concurrent access users is set on the interfaces.

You can configure the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x max-user user-number

The maximum number of concurrent access users is set on the interface.

By default, each interface allows up to 8192 concurrent access users.

This command takes effect only on interfaces where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1. Therefore, only one user needs to be authenticated on the interface, and other users can access the network after the first user passes the authentication.


CAUTION
If the number of users already existing on the interface is greater than the maximum number that you set, all the users are disconnected from the interface.

The maximum number of NAC access users allowed by the S9300 depends on the model of the S9300. The specification is 8192 multiplied by the number of LPU slots.

----End
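The following added example (not S9300 code, and not from this guide) puts the three interface settings of 2.4.6, 2.4.7 and 2.4.8 together: dot1x port-method decides whether one authenticated MAC address opens the interface for everyone, dot1x port-control decides whether authentication happens at all, and dot1x max-user caps how many users are admitted in MAC mode (forced to 1 in port mode, as the guide states). The class and function names are this example's own; the replayed MAC addresses and authentication results are constructed.

```python
"""Constructed model (not S9300 code) of the per-interface access decisions the
guide describes for dot1x port-method, dot1x port-control and dot1x max-user.
Only the behaviour stated in the text is encoded; the switch's real state
machine has more states than this."""
from dataclasses import dataclass, field


@dataclass
class Dot1xInterface:
    port_method: str = "mac"        # "mac" (default) or "port"
    port_control: str = "auto"      # "auto" (default), "authorized-force" or "unauthorized-force"
    max_user: int = 8192            # default per-interface limit from the guide
    authorized_macs: set = field(default_factory=set)
    port_authorized: bool = False   # set once the first device passes in port mode

    def effective_max_user(self) -> int:
        # In port mode the guide says the limit is forced to 1.
        return 1 if self.port_method == "port" else self.max_user

    def supplicant_event(self, mac: str, auth_ok: bool) -> str:
        """Decide one supplicant's outcome: 'allowed', 'denied' or 'limit'
        (limit = the interface is full, so no authentication is triggered)."""
        if self.port_control == "authorized-force":
            return "allowed"                  # always authorized, no authentication
        if self.port_control == "unauthorized-force":
            return "denied"                   # always unauthorized
        # port-control auto: the outcome depends on authentication
        if self.port_method == "port":
            if self.port_authorized:
                return "allowed"              # rides on the first device's authentication
            if auth_ok:
                self.port_authorized = True
                self.authorized_macs.add(mac)
                return "allowed"
            return "denied"
        # MAC mode: every MAC address must pass on its own
        if mac in self.authorized_macs:
            return "allowed"
        if len(self.authorized_macs) >= self.effective_max_user():
            return "limit"
        if auth_ok:
            self.authorized_macs.add(mac)
            return "allowed"
        return "denied"


def run_scenario(port_method: str, port_control: str, max_user: int, events) -> list:
    """Replay (mac, authentication_result) events on a fresh interface."""
    iface = Dot1xInterface(port_method, port_control, max_user)
    return [iface.supplicant_event(mac, ok) for mac, ok in events]


# Constructed traffic: three stations behind one interface; only the first
# and third hold valid credentials.
EVENTS = [("0010-8300-0001", True), ("0010-8300-0002", False), ("0010-8300-0003", True)]

if __name__ == "__main__":
    for method, control, limit in [("mac", "auto", 8192), ("port", "auto", 8192),
                                   ("mac", "auto", 1), ("mac", "unauthorized-force", 8192)]:
        print(method, control, limit, run_scenario(method, control, limit, EVENTS))
```

The second scenario is the one to keep in mind when choosing port mode: the station with bad credentials is admitted because a neighbour on the same interface had already authenticated, which is exactly the behaviour the 2.4.6 context describes. The third scenario shows that once max-user is reached the switch stops triggering authentication, so the third station is not even asked for credentials.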

2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication

Context

After DHCP packets are enabled to trigger authentication, 802.1x allows the S9300 to trigger the user identity authentication when the access user runs DHCP to apply for the IP address. In this case, an 802.1x user is authenticated without dial-up by using the client software. This speeds up network deployment.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x dhcp-trigger enable

Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication.

By default, DHCP packets do not trigger authentication.

After you run the dot1x dhcp-trigger enable command, users cannot obtain IP addresses through DHCP if they do not pass the authentication.

----End

2.4.10 (Optional) Configuring 802.1x Timers

Context

When enabled, 802.1x starts many timers to ensure the reasonable and ordered exchanges between supplicants, the authenticator, and the authentication server.

To adjust the exchange process, you can run some commands to change values of some timers, but some timers cannot be adjusted. It may be necessary in certain cases or in a poor networking environment. Normally, it is recommended that you retain the default settings of the timers.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The timers of 802.1x authentication are set.

• client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.

• handshake-period: Interval of handshake packets from the S9300 to the 802.1X client. By default, the handshake interval is 15s.

• quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.

• reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.

• server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.

• tx-period: Interval for sending authentication requests. By default, the interval for sending the authentication request packets is 30s.

The dot1x timer command only sets the values of the timers, and you need to enable the corresponding timers by running commands or adopting the default settings.

----End

2.4.11 (Optional) Configuring the Quiet Timer Function

Context

If a user fails to pass 802.1x authentication after the quiet timer function is enabled, the S9300 considers the user as quiet for a period and does not process authentication requests from the user in this period. In this manner, the impact caused by frequent authentication is prevented.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled.

By default, the quiet timer function is disabled.


During the quiet period, the S9300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see .

----End

2.4.12 (Optional) Configuring the 802.1x Re-authentication

Context

When the 802.1x authentication is not complete when the session times out, the S9300 disconnects the session and initiates re-authentication.

You can configure 802.1x re-authentication in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

Re-authentication is enabled on interfaces.

You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x reauthenticate enable

Re-authentication is enabled on the interface.

By default, 802.1x re-authentication is disabled on an interface.

You can run the dot1x timer command to set the timeout timer of the re-authentication. For details, see .

----End

2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication


Context

When the guest VLAN is enabled, the S9300 sends authentication request packets to all the interfaces on which 802.1x is enabled. If an interface does not return a response when the maximum number of times for re-authentication is reached, the S9300 adds this interface to the guest VLAN. Then users in the guest VLAN can access resources in the guest VLAN without 802.1x authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available for users without authentication.

NOTE

The configured guest VLAN cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The guest VLAN is configured on interfaces.

You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
dot1x guest-vlan vlan-id

The guest VLAN is configured on the interface.

By default, no guest VLAN is configured on an interface.

----End

2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users

Context

The S9300 can send handshake packets to a Huawei client to detect whether the user is online.


If the client does not support the handshake function, the S9300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S9300 from disconnecting users by mistake.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x handshake

The handshake with 802.1x users is enabled.

By default, the S9300 is enabled to send handshake packets to online users.

You can run the dot1x timer command to set the handshake interval. For details, see .

----End

2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request

Context

If the S9300 does not receive a response after sending an authentication request to a user, the S9300 retransmits the authentication request to the user. When no response is received after the authentication request has been sent the maximum number of times, the S9300 does not retransmit the authentication request to the user.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x retry max-retry-value

The retransmission count of the authentication request is set.

By default, the S9300 retransmits an authentication request to an access user twice.

----End
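The following added example (not S9300 code, and not from this guide) encodes two of the timing rules from 2.4.10, 2.4.11 and 2.4.15 on a logical clock so their combined effect can be checked without a switch: the authentication request is sent once and then retransmitted dot1x retry times at tx-period intervals before the S9300 gives up, and, when the quiet timer function is enabled, requests from a user who has just failed are discarded for quiet-period seconds. The default values are the ones quoted in the guide (30s, 2 retransmissions, 60s); the class and function names and the replayed MAC address are this example's own.

```python
"""Constructed model (not S9300 code) of two 802.1x timing rules from the guide:
retransmission of the authentication request (tx-period, dot1x retry) and the
quiet period applied to a user after a failed authentication. Times are seconds
on a logical clock; nothing here sleeps."""
from typing import Dict, List

# Defaults quoted in the guide
TX_PERIOD = 30      # seconds between authentication requests
QUIET_PERIOD = 60   # seconds a failed user is ignored (when the function is enabled)
RETRY = 2           # retransmissions of an unanswered request


def request_schedule(tx_period: int = TX_PERIOD, retry: int = RETRY, start: int = 0) -> List[int]:
    """Send times of the authentication request to a supplicant that never answers:
    the first request plus `retry` retransmissions, after which the S9300 gives up."""
    return [start + i * tx_period for i in range(retry + 1)]


class QuietTimer:
    """Per-user quiet state. With the function disabled every request is processed."""

    def __init__(self, enabled: bool = False, quiet_period: int = QUIET_PERIOD):
        self.enabled = enabled
        self.quiet_period = quiet_period
        self.failed_at: Dict[str, int] = {}   # mac -> time of the last failure

    def record_failure(self, mac: str, now: int) -> None:
        if self.enabled:
            self.failed_at[mac] = now

    def accepts(self, mac: str, now: int) -> bool:
        """True if an authentication request from `mac` at time `now` is processed."""
        if not self.enabled or mac not in self.failed_at:
            return True
        if now - self.failed_at[mac] >= self.quiet_period:
            del self.failed_at[mac]           # quiet period over, forget the failure
            return True
        return False                          # request discarded


def replay(enabled: bool, attempts: List[int], quiet_period: int = QUIET_PERIOD) -> List[bool]:
    """Replay repeated failed attempts from one constructed user at the given
    times and report which of them the switch actually processed."""
    qt = QuietTimer(enabled, quiet_period)
    mac = "0010-8300-0011"
    processed = []
    for t in attempts:
        ok = qt.accepts(mac, t)
        processed.append(ok)
        if ok:
            qt.record_failure(mac, t)        # assume the credentials are wrong every time
    return processed


if __name__ == "__main__":
    print("request times:", request_schedule())
    print("quiet disabled:", replay(False, [0, 5, 10, 60, 65]))
    print("quiet enabled: ", replay(True, [0, 5, 10, 60, 65]))
```

With the quiet timer function disabled every attempt is processed, which is the "frequent authentication" load the 2.4.11 context refers to; with it enabled, only the attempt at t=0 and the first one after the 60s period are handled, and each processed failure restarts the period.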

2.4.16 Checking the Configuration

Prerequisite

The configurations of 802.1x authentication are complete.


Procedure

• Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.

----End

Example

View the information about 802.1x authentication on GE 1/0/0.

<Quidway> display dot1x interface GigabitEthernet 1/0/0
 GigabitEthernet1/0/0 current state : UP
  802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Max online user is 8192
  Current online user is 2
  Guest VLAN is disabled
  Authentication Success: 1  Failure: 11
  EAPOL Packets: TX : 24  RX : 4
  Sent EAPOL Request/Identity Packets : 11
       EAPOL Request/Challenge Packets : 1
       Multicast Trigger Packets : 0
       DHCP Trigger Packets : 0
       EAPOL Success Packets : 1
       EAPOL Failure Packets : 11
  Received EAPOL Start Packets : 2
       EAPOL LogOff Packets : 0
       EAPOL Response/Identity Packets : 1
       EAPOL Response/Challenge Packets: 1
  Index  MAC/VLAN            UserOnlineTime       UserName
  16514  0000-0002-2347/800  2009-06-09 19:10:40  000000022347
  16523  001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
  Controlled User(s) amount to 2 , print number:2.
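The following added example, not from this guide or from Huawei, parses the display dot1x output shown above into a dictionary and runs a few defender-side checks on it: whether the interface is authorized-force, whether re-authentication is disabled, whether failures outnumber successes, and which online users were admitted with their MAC address as the credential (user name equal to the MAC without hyphens, as the first session in the sample shows). The input is the page's own sample output, laid out one field per line; the field names and check rules are this example's own.

```python
"""Added example (not from the guide or Huawei): parse `display dot1x` output
and review it. SAMPLE is the guide's own output; field names are this
example's own."""
import re
from typing import Dict, List

SAMPLE = """\
<Quidway> display dot1x interface GigabitEthernet 1/0/0
 GigabitEthernet1/0/0 current state : UP
  802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Max online user is 8192
  Current online user is 2
  Guest VLAN is disabled
  Authentication Success: 1  Failure: 11
  EAPOL Packets: TX : 24  RX : 4
  Sent EAPOL Request/Identity Packets : 11
       EAPOL Request/Challenge Packets : 1
       Multicast Trigger Packets : 0
       DHCP Trigger Packets : 0
       EAPOL Success Packets : 1
       EAPOL Failure Packets : 11
  Received EAPOL Start Packets : 2
       EAPOL LogOff Packets : 0
       EAPOL Response/Identity Packets : 1
       EAPOL Response/Challenge Packets: 1
  Index  MAC/VLAN            UserOnlineTime       UserName
  16514  0000-0002-2347/800  2009-06-09 19:10:40  000000022347
  16523  001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
  Controlled User(s) amount to 2 , print number:2.
"""

# One regular expression per scalar field of interest
SCALARS = {
    "port_control": re.compile(r"^Port control type is (\S+)$"),
    "auth_method": re.compile(r"^Authentication method is (\S+)$"),
    "reauthentication": re.compile(r"^Reauthentication is (\S+)$"),
    "max_user": re.compile(r"^Max online user is (\d+)$"),
    "current_user": re.compile(r"^Current online user is (\d+)$"),
    "guest_vlan": re.compile(r"^Guest VLAN is (\S+)$"),
}
STATE = re.compile(r"^(\S+) current state : (\S+)$")
PROTO = re.compile(r"^802\.1x protocol is (\w+)(?:\[([^\]]+)\])?$")
COUNTS = re.compile(r"^Authentication Success: (\d+)\s+Failure: (\d+)$")
USER = re.compile(r"^(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(\d+)\s+"
                  r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$")


def parse_display_dot1x(text: str) -> Dict:
    info: Dict = {"users": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE.match(line)
        if m:
            info["interface"], info["state"] = m.groups()
            continue
        m = PROTO.match(line)
        if m:
            info["dot1x_enabled"] = m.group(1) == "Enabled"
            info["mode"] = m.group(2)          # e.g. "mac-bypass", or None
            continue
        m = COUNTS.match(line)
        if m:
            info["success"], info["failure"] = int(m.group(1)), int(m.group(2))
            continue
        m = USER.match(line)
        if m:
            idx, mac, vlan, since, name = m.groups()
            info["users"].append({"index": int(idx), "mac": mac, "vlan": int(vlan),
                                  "online_since": since, "username": name})
            continue
        for key, rx in SCALARS.items():
            m = rx.match(line)
            if m:
                info[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
                break
    return info


def review(info: Dict) -> List[str]:
    """Observations a reviewer would note about one interface."""
    findings = []
    if str(info.get("port_control", "")).lower() == "authorized-force":
        findings.append("interface is authorized-force: no authentication is performed")
    if info.get("reauthentication") == "disabled":
        findings.append("re-authentication disabled: sessions are never re-validated")
    if info.get("failure", 0) > info.get("success", 0):
        findings.append("more failed than successful authentications (%d vs %d)"
                        % (info["failure"], info["success"]))
    for u in info["users"]:
        # User name equal to the MAC (hyphens stripped) means the station was
        # admitted on its MAC address, not on a credential it holds.
        if u["username"].lower() == u["mac"].replace("-", ""):
            findings.append("%s admitted with its MAC address as credential" % u["mac"])
    return findings


if __name__ == "__main__":
    parsed = parse_display_dot1x(SAMPLE)
    print(parsed["interface"], parsed["mode"], parsed["current_user"], "online")
    for f in review(parsed):
        print("-", f)
```

On the sample the review lists three items: re-authentication is disabled (the guide's default, see 2.4.12), there are 11 failures against 1 success, and user 0000-0002-2347 is online under its own MAC address, which is what MAC bypass authentication (2.4.4) produces for a station that cannot run the 802.1x client.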

2.5 Configuring MAC Address Authentication

This section describes how to configure the MAC address authentication function.

2.5.1 Establishing the Configuration Task

2.5.2 Enabling Global MAC Address Authentication

2.5.3 Enabling MAC Address Authentication on an Interface

2.5.4 (Optional) Enabling Direct Authentication

2.5.5 Configuring the User Name for MAC Address Authentication

2.5.6 (Optional) Configuring the Domain for MAC Address Authentication

2.5.7 (Optional) Setting the Timers of MAC Address Authentication

2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication

2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication


2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address

2.5.11 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment

MAC address authentication can be configured to authenticate terminals on which client software cannot be installed, such as faxes and printers.

Pre-configuration Tasks

MAC address authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:

• Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user.

• Configuring the user name and password on the RADIUS server if RADIUS authentication is used.

• Adding the user name and password manually on the S9300 if local authentication is used.

Data Preparation

To configure MAC address authentication, you need the following data.

No. Data

1 Number of the interface on which MAC address authentication is enabled

2.5.2 Enabling Global MAC Address Authentication

Context

Before the configuration of MAC address authentication, enable MAC address authentication globally.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-authen

MAC address authentication is enabled globally.


Running this command is equivalent to enabling global MAC address authentication. Related configurations of MAC address authentication take effect only after MAC address authentication is enabled.

By default, MAC address authentication is disabled globally.

----End

2.5.3 Enabling MAC Address Authentication on an Interface

Context

CAUTION
If MAC address authentication is enabled on the interface, 802.1x authentication or direct authentication cannot be enabled on the interface. If 802.1x or direct authentication is enabled on the interface, MAC address authentication cannot be enabled on the interface.

You can enable MAC address authentication on an interface in the following ways.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

MAC address authentication is enabled on the interfaces.

You can enable MAC address authentication on interfaces in batches by specifying the interface list in the mac-authen command in the system view.

• In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
mac-authen

MAC Address authentication is enabled on the interface.


You must ensure that no online user exists before disabling MAC address authentication by the undo mac-authen command.

----End

2.5.4 (Optional) Enabling Direct Authentication

Context

After direct authentication is enabled, users who connect to the network through this interface pass the authentication directly.

CAUTION
If direct authentication is enabled on an interface, 802.1x authentication and MAC address authentication cannot be enabled on the interface. If 802.1x authentication or MAC address authentication is enabled on the interface, direct authentication cannot be enabled on the interface.

You can enable direct authentication in the following ways.

Procedure

Step 1 In the system view:

1. Run:
system-view

The system view is displayed.

2. Run:
direct-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

Direct authentication is enabled on interfaces.

You can configure direct authentication of interfaces in batches by specifying the interface list in the direct-authen command in the system view.

Step 2 In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
direct-authen enable

Direct authentication is enabled on the interface.


By default, direct authentication is disabled on an interface.

----End

2.5.5 Configuring the User Name for MAC Address Authentication

Context

A user can use a fixed user name or the MAC address as the user name.

The user name for which MAC address authentication is used can be configured globally and on an interface.

• The global configuration is valid for all interfaces.

• The configuration on an interface is valid only for the specified interface. The user name configured on an interface takes precedence over the user name configured globally. If the user name is not configured on an interface, the globally configured user name is used.

Procedure

• Configuring a fixed user name for a user that uses MAC address authentication

1. Run:
system-view

The system view is displayed.

2. Run:
mac-authen username fixed

The S9300 is configured to use a fixed user name for a user that uses MAC address authentication.

3. Run:
mac-authen username username

A fixed user name is configured for the user.

4. Run:
mac-authen password password

The password is set.

• Configuring a MAC address as a user name for a user that uses MAC address authentication

1. Run:
system-view

The system view is displayed.

2. Run:
mac-authen username macaddress

Users that use MAC address authentication are configured to use their MAC addresses as their user names.

3. (Optional) Run:
mac-authen username macaddress [ format { with-hyphen | without-hyphen } ]

The format of the user name is set.

There are two formats for a MAC address used as the user name, that is, the hyphenated MAC address (such as 0010-8300-0011) and the MAC address without hyphens (such as 001083000011). By default, a MAC address without hyphens is used as the user name for a user that uses MAC address authentication.

After you run the mac-authen username macaddress command, the access users are authenticated by using their MAC addresses as the user names and passwords.

• Configuring the format of the user name in the interface view

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
mac-authen username { fixed user-name [ password password ] | macaddress format { with-hyphen | without-hyphen } }

The format of the user name for which MAC address authentication is used is configured.

----End

2.5.6 (Optional) Configuring the Domain for MAC Address Authentication

Context

If the MAC address is used as the user name for MAC address authentication, or the fixed user name does not contain a domain name, you must configure the authentication domain. If the authentication domain is specified in the fixed user name, that domain is used for the user.

NOTE

Before configuring the authentication domain for the user who uses MAC address authentication, you need to confirm that a domain is available. Otherwise, the system displays an error message during the configuration.

The domain for which MAC address authentication is used can be configured globally and on an interface.

• The global configuration is valid for all interfaces.

• The configuration on an interface is valid only for the specified interface. The domain configured on an interface takes precedence over the domain configured globally. If the domain is not configured on an interface, the globally configured domain is used.

Procedure

• In the system view:

1. Run:
system-view

The system view is displayed.


2. Run:
mac-authen domain isp-name

A domain name is configured for a user who uses MAC address authentication.

l In the interface view:

1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
mac-authen domain isp-name

A domain name is configured for a user who uses MAC address authentication.

The default authentication domain is domain default.

----End
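The following added example (not S9300 code, and not from this guide) works out the user name, password and authentication domain the switch would submit for a MAC address authentication user under the rules of 2.5.5 and 2.5.6: an interface-level setting replaces the global one, the MAC address is sent with or without hyphens (without is the default), in macaddress mode the MAC address serves as both user name and password, and a domain carried in a fixed user name takes precedence over the configured domain, with "default" as the final fallback. The "@" delimiter is inferred from the guide's own sample user name abc@huawei; the class and function names, and the treatment of a partially configured interface, are this example's assumptions.

```python
"""Constructed example (not S9300 code): derive the credentials a
MAC-address-authentication user is submitted with, from a global and an
interface-level mac-authen configuration. Assumptions: interface settings
override global ones field by field, and a domain is the part of a fixed user
name after '@'."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class MacAuthenConfig:
    """One configuration level (global or interface). None = not set here."""
    username_mode: Optional[str] = None       # "macaddress" or "fixed"
    mac_format: str = "without-hyphen"        # guide default
    fixed_username: Optional[str] = None
    fixed_password: Optional[str] = None
    domain: Optional[str] = None              # mac-authen domain isp-name


def normalize_mac(mac: str) -> str:
    """Accept 0010-8300-0011, 00:10:83:00:00:11 or 001083000011; return 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def format_mac(mac: str, fmt: str) -> str:
    """Render the MAC in the with-hyphen or without-hyphen user-name format."""
    digits = normalize_mac(mac)
    if fmt == "with-hyphen":
        return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    if fmt == "without-hyphen":
        return digits
    raise ValueError("unknown format %r" % fmt)


def resolve_credentials(mac: str, global_cfg: MacAuthenConfig,
                        iface_cfg: Optional[MacAuthenConfig] = None) -> Tuple[str, str, str]:
    """Return (user name, password, domain) the switch would submit for `mac`."""
    iface_cfg = iface_cfg or MacAuthenConfig()
    # user-name choice: the interface setting, if present, replaces the global one
    src = iface_cfg if iface_cfg.username_mode else global_cfg
    if src.username_mode == "fixed":
        if not src.fixed_username:
            raise ValueError("fixed mode needs a user name")
        username = src.fixed_username
        password = src.fixed_password or ""
    else:                                     # macaddress mode (the guide's default)
        username = format_mac(mac, src.mac_format)
        password = username                   # MAC used as both name and password
    # domain: from the fixed user name if it carries one, else interface, global, default
    if "@" in username:
        domain = username.split("@", 1)[1]
    else:
        domain = iface_cfg.domain or global_cfg.domain or "default"
    return username, password, domain


if __name__ == "__main__":
    station = "00:10:83:00:00:11"                       # constructed MAC address
    print(resolve_credentials(station, MacAuthenConfig()))
    print(resolve_credentials(station, MacAuthenConfig(domain="corp"),
                              MacAuthenConfig(username_mode="macaddress", mac_format="with-hyphen")))
    print(resolve_credentials(station, MacAuthenConfig(domain="corp"),
                              MacAuthenConfig(username_mode="fixed", fixed_username="printer@lab",
                                              fixed_password="constructed")))
```

The second case shows why the user-name format matters operationally: the RADIUS account for a MAC-authenticated printer must be created in exactly the format the interface sends (0010-8300-0011 versus 001083000011), and in macaddress mode that string is also the password, so the account protects nothing beyond the MAC address itself.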

2.5.7 (Optional) Setting the Timers of MAC Address Authentication

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | server-timeout server-timeout-value }

Parameters of timers for MAC address authentication are set.

• guest-vlan reauthenticate-period: Interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 30s.

• offline-detect: Offline-detect timer used to set the interval for the S9300 to check whether a user goes offline. By default, the offline timer is 300s.

• quiet-period: Quiet timer. After the user authentication fails, the S9300 waits for a certain period before processing authentication requests of the user. During the quiet period, the S9300 does not process authentication requests from the user. By default, the quiet timer is 60s.

• server-timeout: Server timeout timer. In the user authentication process, if the connection between the S9300 and the RADIUS server times out, the authentication fails. By default, the time interval of the authentication server is 30s.

----End


2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication

Context

If the MAC authentication fails after the guest VLAN function is enabled, the S9300 adds the access interface of the user to the guest VLAN. Then users in the guest VLAN can access resources in the guest VLAN without MAC address authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available for users without authentication.

NOTE

The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure

- In the system view:

1. Run: system-view

The system view is displayed.

2. Run: mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The guest VLAN of the interfaces is configured.

You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view.

- In the interface view:

1. Run: system-view

The system view is displayed.

2. Run: interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run: mac-authen guest-vlan vlan-id

The guest VLAN of the interface is configured.

By default, no guest VLAN is configured on an interface.

----End

2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication

Context

When the number of access users on an interface reaches the limit, the S9300 does not trigger authentication for users that connect to the interface later; therefore, these users cannot access the network.

You can configure the maximum number of access users who adopt MAC address authentication in the following ways.

Procedure

- In the system view:

1. Run: system-view

The system view is displayed.

2. Run: mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The maximum number of access users who adopt MAC address authentication is set on the interfaces.

You can configure the maximum number of access users of interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view.

- In the interface view:

1. Run: system-view

The system view is displayed.

2. Run: interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run: mac-authen max-user user-number

The maximum number of access users who adopt MAC address authentication on the interface is set.

By default, the maximum number of access users who adopt MAC address authentication on an interface of the S9300 is 8192.

The maximum number of NAC access users allowed by the S9300 depends on the S9300 model: the specification is 8192 multiplied by the number of LPU slots.

----End

2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address

Context

If re-authentication of a user with the specific MAC address is enabled, the online user is re-authenticated periodically. If the user passes the authentication, the user needs to be re-authorized; otherwise, the user goes offline.

You can run the mac-authen timer command to set the interval of re-authentication. For details, see 2.5.7 (Optional) Setting the Timers of MAC Address Authentication.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: mac-authen reauthenticate mac-address mac-address

A specified user that passes MAC address authentication is re-authenticated.

If the user does not pass the MAC authentication, the user is not authenticated again.

----End

2.5.11 Checking the Configuration

Prerequisite

The configurations of MAC address authentication are complete.

Procedure

- Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.

----End

Example

View information about MAC address authentication on GE 1/0/1.

<Quidway> display mac-authen interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
 MAC address authentication is Enabled
 Max online user is 8192
 Current online user is 1
 Guest VLAN is disabled
 Authentication Success: 1, Failure: 0
 Index  MAC/VLAN             UserOnlineTime
 16400  00e0-fc33-0011/15    2009-05-18 09:21:55
 Controlled User(s) amount to 1
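The per-interface summary printed by display mac-authen interface is the place to check whether an interface is close to its max-user limit (later users are then not authenticated at all, see 2.5.9) or is accumulating failures that may indicate a quiet-period storm or a misconfigured RADIUS template. The following Python script is an added example and not part of the Huawei guide or the S9300 software: it parses interface blocks in the format shown above and flags such interfaces. The sample output embedded in it is constructed in that format (the second interface, its counters and the two thresholds are assumptions).

```python
"""Audit helper for `display mac-authen interface` output (added example,
not from the Huawei guide). Parses the per-interface summary blocks in the
format the guide shows and flags interfaces that are near their max-user
limit or that show a high authentication failure ratio."""
import re

# Constructed sample in the format printed by the S9300; the second
# interface and all counter values are made up for the demonstration.
SAMPLE_OUTPUT = """\
GigabitEthernet1/0/1 current state : UP
 MAC address authentication is Enabled
 Max online user is 8192
 Current online user is 1
 Guest VLAN is disabled
 Authentication Success: 1, Failure: 0
 Index  MAC/VLAN             UserOnlineTime
 16400  00e0-fc33-0011/15    2009-05-18 09:21:55
 Controlled User(s) amount to 1
GigabitEthernet1/0/2 current state : UP
 MAC address authentication is Enabled
 Max online user is 100
 Current online user is 95
 Guest VLAN is disabled
 Authentication Success: 2, Failure: 40
 Controlled User(s) amount to 95
"""

INTERFACE_RE = re.compile(r"^(\S+) current state : (\S+)")
ENABLED_RE = re.compile(r"MAC address authentication is (\w+)")
MAX_RE = re.compile(r"Max online user is (\d+)")
CUR_RE = re.compile(r"Current online user is (\d+)")
# The comma is optional so the same pattern also fits the dot1x output style.
AUTH_RE = re.compile(r"Authentication Success: (\d+),?\s*Failure: (\d+)")


def parse_mac_authen(text):
    """Return {interface_name: {state, enabled, max_user, current_user, success, failure}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"state": m.group(2)}
            continue
        if current is None:
            continue  # ignore anything before the first interface header
        entry = result[current]
        for key, rx in (("max_user", MAX_RE), ("current_user", CUR_RE)):
            m = rx.search(line)
            if m:
                entry[key] = int(m.group(1))
        m = ENABLED_RE.search(line)
        if m:
            entry["enabled"] = m.group(1) == "Enabled"
        m = AUTH_RE.search(line)
        if m:
            entry["success"] = int(m.group(1))
            entry["failure"] = int(m.group(2))
    return result


def find_issues(parsed, capacity_threshold=0.9, failure_ratio=0.5):
    """List (interface, reason) pairs worth a closer look. Thresholds are assumptions."""
    issues = []
    for name, e in parsed.items():
        max_user = e.get("max_user", 0)
        if max_user and e.get("current_user", 0) >= capacity_threshold * max_user:
            issues.append((name, "near max-user limit"))
        total = e.get("success", 0) + e.get("failure", 0)
        if total and e.get("failure", 0) / total >= failure_ratio:
            issues.append((name, "high authentication failure ratio"))
    return issues


if __name__ == "__main__":
    for name, reason in find_issues(parse_mac_authen(SAMPLE_OUTPUT)):
        print(f"{name}: {reason}")
```

In practice the text would come from a saved terminal session or a script that runs the display command; the thresholds are the only tunable part.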

2.6 Maintaining NAC

This section describes how to clear statistics about NAC and debug NAC.

2.6.1 Clearing the Statistics About 802.1x Authentication

2.6.2 Clearing Statistics About MAC Address Authentication

2.6.3 Debugging 802.1x Authentication

2.6.4 Debugging MAC Address Authentication

2.6.1 Clearing the Statistics About 802.1x Authentication

Context

CAUTION

Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After confirming that you want to reset the statistics, perform the following in the user view.

Procedure

- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.

----End

2.6.2 Clearing Statistics About MAC Address Authentication

Context

CAUTION

Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After confirming that you want to reset the statistics, perform the following in the user view.

Procedure

- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.

----End

2.6.3 Debugging 802.1x Authentication

Context

CAUTION

Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during 802.1x authentication, run the following debugging command in the user view to locate the fault.

Procedure

- Run the debugging dot1x { all | error | event | info | message | packet } command to enable debugging of 802.1x authentication packets.

----End

2.6.4 Debugging MAC Address Authentication

Context

CAUTION

Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during MAC address authentication, run the following debugging command in the user view to locate the fault.

Procedure

- Run the debugging mac-authen { all | error | event | info | message | packet } command to enable debugging of MAC address authentication packets.

----End

2.7 Configuration Examples

This section provides several configuration examples of NAC.

2.7.1 Example for Configuring Web Authentication

2.7.2 Example for Configuring 802.1x Authentication

2.7.3 Example for Configuring MAC Address Authentication

2.7.1 Example for Configuring Web Authentication

Networking Requirements

As shown in Figure 2-2, the requirements are as follows:

- The user interacts with the Web authentication server through the Switch.

- The authentication is performed by the RADIUS server.

- The user can access only the Web authentication server before authentication.

- After passing the Web authentication, the user can access the external network.

Figure 2-2 Network diagram for configuring Web authentication (diagram labels: User; Switch with GE 1/0/0, GE 1/0/1, GE 1/0/2, GE 2/0/0, VLANIF 10 192.168.1.10 and VLANIF 20 192.168.2.10 in VLAN 20; Web server 192.168.2.20; RADIUS server 192.168.2.30; Internet)

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the IP address of the Layer 3 interface connected to the user.
2. Configure a RADIUS server template.
3. Configure an AAA authentication template.
4. Configure a domain.
5. Configure the Web authentication function.

Data Preparation

To complete the configuration, you need the following data:

- IP address and URL of the Web authentication server

- IP address of the Layer 3 interface connected to the authentication terminal

- IP address and port number of the RADIUS authentication server

- Key of the RADIUS server (hello) and the retransmission count (2)

- Name of the AAA authentication scheme (web1)

- Name of the RADIUS server template (rd1)

- Name of the user domain (isp1)

NOTE

In this example, only the configuration of the Switch is provided; the configurations of the Web server and RADIUS server are omitted.

Procedure

Step 1 Set the IP address of the Layer 3 interface connected to the user.

<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] port default vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.10 24
[Quidway-Vlanif10] quit

Step 2 Configure a RADIUS server template.

# Configure a RADIUS server template rd1.

[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.

[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.

[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 3 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.

[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 4 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.

[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1

Step 5 Configure the Web authentication function.

# Set the IP address and URL of the Web authentication server.

[Quidway] web-auth-server isp1 192.168.2.20 url www.isp1.com

# Bind the Web authentication server to the Layer 3 interface.

[Quidway] interface vlanif 10
[Quidway-Vlanif10] web-auth-server isp1
[Quidway-Vlanif10] quit

# Configure a free rule so that the user is redirected to the Web authentication page when the user starts the Web browser.

[Quidway] portal free-rule 20 destination ip 192.168.2.20 mask 24 source any

Step 6 Verify the configuration.

Run the display web-auth-server configuration command on the Switch to view the configuration of the Web authentication server.

<Quidway> display web-auth-server configuration
 Listening port : 2000
 Portal : version 1, version 2
 Include reply message : enabled
 ------------------------------------------------------------------------
 Web-auth-server Name : isp1
 IP-address : 192.168.1.10
 Shared-key : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 Port / PortFlag : 50100 / NO
 URL : www.isp1.com
 ------------------------------------------------------------------------
 1 Web authentication server(s) in total

----End

Configuration Files

#
 sysname Quidway
#
vlan batch 10
#
 web-auth-server isp1 192.168.2.20 port 50100 url www.isp1.com
 portal free-rule 20 destination ip 192.168.2.20 mask 255.255.255.0 source any
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
 web-auth-server isp1
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
#
return

2.7.2 Example for Configuring 802.1x Authentication

Networking Requirements

As shown in Figure 2-3, the requirements are as follows:

- 802.1x authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet. The default access control mode is adopted, that is, the Switch controls access of the user based on the MAC address of the user.

- The authentication is performed by the RADIUS server.

- The maximum number of users on GE 1/0/0 is 100.

- MAC address bypass authentication is performed for the printer connected to GE 1/0/0.

Figure 2-3 Networking diagram for configuring 802.1x authentication (diagram labels: User; Printer; Switch with GE 1/0/0, GE 2/0/0, GE 2/0/1 and VLANIF 20 192.168.2.10; RADIUS server 192.168.2.30; Internet)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure an AAA authentication template.
3. Configure a domain.
4. Configure the 802.1x authentication function.

Data Preparation

To complete the configuration, you need the following data:

- IP address and port number of the RADIUS authentication server

- Key of the RADIUS server (hello) and the retransmission count (2)

- Name of the AAA authentication scheme (web1)

- Name of the RADIUS server template (rd1)

- Name of the user domain (isp1)

NOTE

In this example, only the configuration of the Switch is provided; the configuration of the RADIUS server is omitted.

Procedure

Step 1 Configure a RADIUS server template.

# Configure a RADIUS server template rd1.

[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.

[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.

[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.

[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.

[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1

Step 4 Configure the 802.1x authentication function.

# Enable 802.1x authentication globally and on GE 1/0/0.

[Quidway] dot1x
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] dot1x

# Set the maximum number of access users on GE 1/0/0.

[Quidway-GigabitEthernet1/0/0] dot1x max-user 100

# Configure MAC address bypass authentication.

[Quidway-GigabitEthernet1/0/0] dot1x mac-bypass

Step 5 Verify the configuration.

Run the display dot1x interface command on the Switch to view the configuration and statistics of 802.1x authentication.

<Quidway> display dot1x interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 The port is an authenticator
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 100
 Current online user is 1
 Guest VLAN is disabled
 Authentication Success: 4 Failure: 0
 EAPOL Packets: TX : 8 RX : 16
 Sent EAPOL Request/Identity Packets : 4
 EAPOL Request/Challenge Packets : 4
 Multicast Trigger Packets : 0
 DHCP Trigger Packets : 0
 EAPOL Success Packets : 4
 EAPOL Failure Packets : 0
 Received EAPOL Start Packets : 4
 EAPOL LogOff Packets : 3
 EAPOL Response/Identity Packets : 4
 EAPOL Response/Challenge Packets: 4
 Controlled User(s) amount to 1, print number:1

----End

Configuration Files

#
 sysname Quidway
#
dot1x
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 dot1x mac-bypass
 dot1x max-user 100
#
return

2.7.3 Example for Configuring MAC Address Authentication

Networking Requirements

As shown in Figure 2-4, the requirements are as follows:

- Authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet.

- The authentication is performed by the RADIUS server.

- The default authentication method is used, that is, the MAC address without hyphens is used as the user name in authentication.

- The maximum number of users on GE 1/0/0 is 100.

Figure 2-4 Networking diagram for configuring MAC address authentication (diagram labels: User; Switch with GE 1/0/0, GE 2/0/0, GE 2/0/1 and VLANIF 20 192.168.2.10; RADIUS server 192.168.2.30; Internet)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a RADIUS server template.
2. Configure an AAA authentication template.
3. Configure the domain of the users that use MAC address authentication.
4. Configure the MAC address authentication.

Data Preparation

To complete the configuration, you need the following data:

- IP address and port number of the RADIUS authentication server

- Key of the RADIUS server (hello) and the retransmission count (2)

- Name of the AAA authentication scheme (web1)

- Name of the RADIUS server template (rd1)

- Name of the user domain (isp1)

NOTE

In this example, only the configuration of the Switch is provided; the configuration of the RADIUS server is omitted.

Procedure

Step 1 Configure a RADIUS server template.

# Configure a RADIUS server template rd1.

[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.

[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.

[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.

[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.

[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1

Step 4 Configure the MAC address authentication function.

# Enable MAC address authentication globally and on GE 1/0/0.

[Quidway] mac-authen
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] mac-authen

# Set the maximum number of access users on GE 1/0/0.

[Quidway-GigabitEthernet1/0/0] mac-authen max-user 100
[Quidway-GigabitEthernet1/0/0] quit

# Specify domain isp1 as the domain of the users that use MAC address authentication.

[Quidway] mac-authen domain isp1

Step 5 Verify the configuration.

Run the display mac-authen interface command on the Switch to view the configuration of MAC address authentication.

<Quidway> display mac-authen interface GigabitEthernet 1/0/0
 MAC address authentication is Enabled
 Max online user is 100
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 2, Failure: 1
 Controlled User(s) amount to 2 , print number:2

----End

Configuration Files

#
 sysname Quidway
#
mac-authen
mac-authen domain isp1
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 mac-authen
 mac-authen max-user 100
#
return
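What the Switch and the RADIUS server exchange behind this configuration is worth seeing once, because it explains what the shared key in the radius-server template actually protects. The following Python script is an added example, not Huawei code and not taken from this guide: the NAS side builds an RFC 2865 Access-Request whose User-Name is the MAC address without hyphens (the default described above), hides the User-Password with the shared key, and accepts a reply only if its Response Authenticator was computed with the same key over the request's own Request Authenticator; a reply produced without the configured key fails that check. The shared key hello is the one used in this chapter's examples and 00e0-fc33-0011 is the MAC address shown in the display mac-authen output in 2.5.11; the server-side reply builder is a constructed helper and the attribute set is minimal by assumption.

```python
"""RADIUS Access-Request/Accept exchange for MAC address authentication
(added example, not Huawei code). Implements the RFC 2865 User-Password
hiding and the Response Authenticator check a NAS performs on replies."""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"hello"  # plain-text form of the key used in the guide's examples
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def mac_user_name(mac):
    """Default MAC-authentication user name: the MAC address without hyphens."""
    return mac.replace("-", "").replace(":", "").lower()


def _keystream_xor(data, secret, request_authenticator, mode):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block).
    When hiding, the chained block is the ciphertext just produced; when revealing,
    it is the ciphertext block just consumed."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = out[i:i + 16] if mode == "hide" else block
    return out


def hide_password(password, secret, request_authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, request_authenticator, "hide")


def reveal_password(hidden, secret, request_authenticator):
    return _keystream_xor(hidden, secret, request_authenticator, "reveal").rstrip(b"\x00")


def attribute(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(mac, secret, identifier=1, request_authenticator=None):
    """NAS side: Access-Request for a MAC-authenticated user (PAP, password = user name)."""
    ra = request_authenticator or os.urandom(16)
    user = mac_user_name(mac).encode()
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(user, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(code, request, secret, attrs=b""):
    """Server side (constructed helper): a reply bound to the request by the shared key."""
    identifier, ra = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attrs, ra, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def reply_is_authentic(reply, request, secret):
    """NAS side: accept the reply only if its Response Authenticator matches
    the one computed with our shared key and our Request Authenticator."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    req = build_access_request("00e0-fc33-0011", SHARED_KEY)
    print("genuine reply accepted:", reply_is_authentic(build_reply(ACCESS_ACCEPT, req, SHARED_KEY), req, SHARED_KEY))
    print("reply with wrong key accepted:", reply_is_authentic(build_reply(ACCESS_ACCEPT, req, b"wrong"), req, SHARED_KEY))
```

The retransmit count configured with radius-server retransmit 2 governs how often the NAS resends the Access-Request when no authentic reply arrives within the server timeout timer of 2.5.7; a reply that fails the check above is simply treated as no reply.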

3 DHCP Snooping Configuration

About This Chapter

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks.

3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.

3.2 DHCP Snooping Features Supported by the S9300
This section describes the DHCP snooping features supported by the S9300.

3.3 Preventing the Bogus DHCP Server Attack
This section describes how to prevent attackers from attacking the DHCP server through the S9300 by forging the DHCP server.

3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.

3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users. This is needed because authorized users cannot access the network when an attacker applies for IP addresses continuously.

3.7 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.

3.8 Configuring the Packet Discarding Alarm Function
An alarm is generated when the number of discarded packets exceeds the threshold.

3.9 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.

3.10 Configuration Examples
This section provides several configuration examples of DHCP snooping.

3.1 Introduction to DHCP Snooping

This section describes the principle of DHCP snooping.

DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this manner, DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.

DHCP snooping ensures that authorized users can access the network by recording the mapping between IP addresses and MAC addresses of clients. In this manner, DHCP snooping acts as a firewall between DHCP clients and a DHCP server.

DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP messages for extending IP address leases.

3.2 DHCP Snooping Features Supported by the S9300

This section describes the DHCP snooping features supported by the S9300.

The S9300 supports security features such as the trusted interface, the DHCP snooping binding table, binding of the IP address, MAC address, and interface, and Option 82. In this manner, security of the device enabled with DHCP is ensured.

As a terabit routing switch, the S9300 provides both Layer 2 switching and Layer 3 routing functions, and DHCP snooping can be used in either role.

Applying DHCP Snooping on the S9300 on a Layer 2 Network

When deployed on a Layer 2 network, the S9300 is located between the DHCP relay and the Layer 2 user network. Figure 3-1 shows the DHCP snooping application on the S9300 where DHCP snooping is enabled.

Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network (diagram labels: DHCP server; L3 network; DHCP relay; S9300 with a Trusted interface towards the relay and Untrusted interfaces towards the L2 network; User network)

Applying DHCP Snooping on the S9300 That Functions as the DHCP Relay Agent

The S9300 provides Layer 3 routing functions and can function as the DHCP relay agent on a network. As shown in Figure 3-2, the S9300 that is enabled with DHCP snooping functions as the DHCP relay agent.

Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent (diagram labels: DHCP server; L3 network; S9300 acting as DHCP relay, with a Trusted interface towards the L3 network and Untrusted interfaces towards the L2 network; User network)

NOTE

When the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping can be enabled so that the S9300 defends against the attacks listed in Table 3-1. The difference is that when the S9300 functions as the DHCP relay agent, it supports the association between ARP and DHCP snooping, whereas it does not support this association when deployed on a Layer 2 network.

DHCPv6 Snooping

The S9300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for users with IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.

DHCP Snooping over VPLS

When the S9300 is deployed on a VPLS network and DHCP snooping over VPLS is enabled, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set the related DHCP snooping parameters on the interface, the S9300 can process DHCP messages on the VPLS network.

NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

Types of Attacks Defended Against by DHCP Snooping

DHCP snooping provides different operation modes according to the type of attack, as shown in Table 3-1.

Table 3-1 Matching table between types of attacks and DHCP snooping operation modes

Type of Attack | DHCP Snooping Operation Mode
Bogus DHCP server attack | Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field | Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases | Checking whether DHCP Request messages match entries in the DHCP snooping binding table
DHCP flooding attack | Limiting the rate of sending DHCP messages

3.3 Preventing the Bogus DHCP Server Attack

This section describes how to prevent attackers from attacking the DHCP server through the S9300 by forging the DHCP server.

3.3.1 Establishing the Configuration Task

3.3.2 Enabling DHCP Snooping

3.3.3 Configuring an Interface as a Trusted Interface

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers

3.3.5 Checking the Configuration

3.3.1 Establishing the Configuration Task

Applicable Environment

When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect information, such as an incorrect gateway IP address, an incorrect DNS server address, or an incorrect client IP address. As a result, the DHCP client cannot access the network or cannot reach the correct destination network.

To prevent a bogus DHCP server attack, you can configure DHCP snooping on the S9300, configure the network-side interface as trusted and the user-side interfaces as untrusted, and discard DHCP Reply messages received from untrusted interfaces.

To locate a bogus DHCP server, you can configure detection of bogus DHCP servers on the S9300. In this case, the S9300 obtains information about DHCP servers by checking DHCP Reply messages and records the information in the log. This facilitates network maintenance.
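The four operation modes in Table 3-1 and the trusted/untrusted rule just described are simplest to understand as one decision per DHCP message. The following Python model is an added example and not S9300 code: it keeps a binding table, discards server replies (OFFER/ACK) that arrive on an untrusted interface, checks that the CHADDR field matches the frame's source MAC, requires a lease-renewal REQUEST to match a binding entry for the same interface, and applies a per-interface rate limit on untrusted interfaces. Interface names, MAC addresses, the assigned address and the rate-limit value in the scenario are constructed; the message fields are reduced to the ones the checks need.

```python
"""Model of the DHCP snooping checks in Table 3-1 and section 3.3.1 (added
example, not S9300 code). Shows how trusted/untrusted interfaces, the
CHADDR check, the binding-table check for lease renewals and a per-interface
rate limit decide whether a DHCP message is forwarded or discarded."""
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types (option 53 values from RFC 2132).
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}  # only a genuine DHCP server should send these


@dataclass
class DhcpMessage:
    msg_type: int
    src_mac: str            # Ethernet source MAC of the frame
    chaddr: str             # client hardware address field inside the DHCP payload
    port: str               # ingress interface
    vlan: int
    ciaddr: str = "0.0.0.0"   # client IP; set by a client renewing its lease
    yiaddr: str = "0.0.0.0"   # IP assigned by the server (OFFER/ACK)
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


class DhcpSnooper:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # max messages per untrusted port per window
        self.bindings = {}                # (mac, vlan) -> Binding
        self.pending = {}                 # (mac, vlan) -> port of the outstanding REQUEST
        self.counters = defaultdict(int)  # per-port message count in the current window
        self.drops = defaultdict(int)     # drop reason -> count (input for the 3.8 alarm)

    def new_window(self):
        """Start a new rate-limit measurement window."""
        self.counters.clear()

    def _drop(self, reason):
        self.drops[reason] += 1
        return "drop:" + reason

    def process(self, msg):
        """Return "forward" or "drop:<reason>" for one DHCP message."""
        untrusted = msg.port not in self.trusted
        # DHCP flooding: rate-limit messages from untrusted interfaces only.
        if untrusted and self.rate_limit is not None:
            self.counters[msg.port] += 1
            if self.counters[msg.port] > self.rate_limit:
                return self._drop("rate-limit")
        # Bogus DHCP server: server replies on an untrusted interface are discarded.
        if msg.msg_type in SERVER_MESSAGES:
            if untrusted:
                return self._drop("server-message-on-untrusted-port")
            if msg.msg_type == ACK:  # a genuine ACK completes the binding entry
                key = (msg.chaddr, msg.vlan)
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(msg.chaddr, msg.yiaddr, msg.vlan, client_port, msg.lease)
            return "forward"
        # CHADDR check: the client hardware address must equal the frame's source MAC.
        if untrusted and msg.chaddr != msg.src_mac:
            return self._drop("chaddr-mismatch")
        # Lease extension: a renewal REQUEST (ciaddr set) must match a binding entry
        # for the same MAC, VLAN, IP and interface; a fresh REQUEST is remembered.
        if msg.msg_type == REQUEST and untrusted:
            if msg.ciaddr != "0.0.0.0":
                b = self.bindings.get((msg.chaddr, msg.vlan))
                if b is None or b.ip != msg.ciaddr or b.port != msg.port:
                    return self._drop("renewal-without-binding")
            else:
                self.pending[(msg.chaddr, msg.vlan)] = msg.port
        return "forward"


def demo():
    """Constructed scenario: GE2/0/0 faces the real DHCP server, GE1/0/x face users."""
    sn = DhcpSnooper(trusted_ports={"GE2/0/0"}, rate_limit=6)
    client, rogue, server = "00e0-fc33-0011", "00e0-fc33-0099", "00e0-fc00-00aa"
    results = [
        sn.process(DhcpMessage(DISCOVER, client, client, "GE1/0/1", 10)),
        sn.process(DhcpMessage(OFFER, rogue, client, "GE1/0/2", 10, yiaddr="10.0.0.66")),
        sn.process(DhcpMessage(OFFER, server, client, "GE2/0/0", 10, yiaddr="10.0.0.5")),
        sn.process(DhcpMessage(REQUEST, client, client, "GE1/0/1", 10)),
        sn.process(DhcpMessage(ACK, server, client, "GE2/0/0", 10, yiaddr="10.0.0.5", lease=3600)),
        sn.process(DhcpMessage(DISCOVER, client, "00e0-fc33-0022", "GE1/0/1", 10)),
        sn.process(DhcpMessage(REQUEST, rogue, rogue, "GE1/0/2", 10, ciaddr="10.0.0.5")),
        sn.process(DhcpMessage(REQUEST, client, client, "GE1/0/1", 10, ciaddr="10.0.0.5")),
    ]
    # A burst from a third user interface: only rate_limit messages per window pass.
    flood = [sn.process(DhcpMessage(DISCOVER, rogue, rogue, "GE1/0/3", 10)) for _ in range(10)]
    return sn, results, flood


if __name__ == "__main__":
    snooper, outcome, burst = demo()
    print(outcome)
    print("flood forwarded:", burst.count("forward"), "dropped:", dict(snooper.drops))
```

The order of the checks matters only for accounting: the rate limit is applied first here so that a flood does not consume the other checks, and every drop reason is counted so that a threshold-based alarm like the one in 3.8 can be driven from the same counters.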

Pre-configuration Tasks

Before preventing the bogus DHCP server attack, complete the following task:

- Configuring the DHCP server

Data Preparation

To prevent the bogus DHCP server attack, you need the following data.

No. | Data
1 | Type and number of the interface that needs to be set as trusted

3.3.2 Enabling DHCP Snooping

Context

You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally, on interfaces, and in VLANs.

Before enabling DHCP snooping, enable DHCP globally.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled globally.

Step 3 Run: dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run: interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 5 Run: dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.

DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run: quit

Return to the system view.

Step 7 (Optional) Run: dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.

On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface.

DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End


3.3.3 Configuring an Interface as a Trusted Interface

Context

Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.

After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is the network-side interface connected to the DHCP server.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 In the interface view, run: dhcp snooping trusted [ no-user-binding ]

Or, in the VLAN view, run: dhcp snooping trusted interface interface-type interface-number [ no-user-binding ]

The interface is configured as a trusted interface.

DHCP Reply messages sent from a trusted interface are forwarded and DHCP Request messages sent from the trusted interface are discarded; DHCP Discover messages sent from an untrusted interface are discarded.

If the no-user-binding keyword is not used in the command, a binding entry is created when the interface receives a DHCP Ack message sent to a user who does not go online through the local device. If this keyword is used in the command, no binding entry is created in this case.

When running the dhcp snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with the dhcp snooping trusted command run in the interface view, the dhcp snooping trusted command run in the VLAN view is more accurate because a specified interface in a specified VLAN can be configured as a trusted interface.

----End

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers

Context

After detection of bogus DHCP servers is enabled, the S9300 records IP addresses of the DHCP servers contained in all DHCP Reply messages. If a DHCP Reply message is sent from an untrusted interface, the S9300 considers the DHCP server as a bogus server and records it into the log. The network administrator can then maintain the network according to the log.

NOTE

Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server detect

Detection of bogus DHCP servers is enabled.

By default, detection of bogus DHCP servers is disabled on the S9300.

----End
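The following Python model is added here as an illustration; it is not part of the Huawei guide and not S9300 code. It shows the decision that sections 3.3.3 and 3.3.4 describe: a DHCP Reply arriving on a trusted interface is forwarded, one arriving on an untrusted interface is discarded and, when detection of bogus DHCP servers is enabled, the server address it carried is written to a log. The interface names, the message fields and the log line format are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the trusted/untrusted interface rule and bogus-server
# detection described in 3.3.3 and 3.3.4. Added example, not S9300 code;
# interface names, message fields and log format are assumptions.

BOOTREQUEST = 1   # op field of Discover/Request/Release (RFC 2131)
BOOTREPLY = 2     # op field of Offer/Ack/Nak


@dataclass
class DhcpMessage:
    op: int
    ingress: str            # interface the message arrived on (assumed naming)
    server_ip: str = ""     # Server Identifier carried in a reply


@dataclass
class DhcpSnooping:
    trusted: set                                    # "dhcp snooping trusted" interfaces
    detect_servers: bool = False                    # "dhcp server detect"
    log: list = field(default_factory=list)         # what the administrator reads later
    servers_seen: dict = field(default_factory=dict)  # server IP -> interface it replied on

    def handle(self, msg: DhcpMessage) -> str:
        """Return "forward" or "discard" for one snooped message."""
        if msg.op != BOOTREPLY:
            # Client messages are not what this protection filters; the CHADDR
            # and binding-table checks of the later sections apply to them.
            return "forward"
        if self.detect_servers:
            # Detection records the server address of every reply it sees.
            self.servers_seen[msg.server_ip] = msg.ingress
        if msg.ingress in self.trusted:
            return "forward"
        # A reply on an untrusted (user-side) interface can only come from a
        # server that should not be there: drop it and, with detection on,
        # leave a log entry so the administrator can locate it.
        if self.detect_servers:
            self.log.append(
                f"bogus DHCP server {msg.server_ip} detected on untrusted interface {msg.ingress}")
        return "discard"


def demo() -> DhcpSnooping:
    """Constructed scenario: GE1/0/1 faces the real server, GE1/0/2-3 face users."""
    snoop = DhcpSnooping(trusted={"GigabitEthernet1/0/1"}, detect_servers=True)
    snoop.handle(DhcpMessage(BOOTREQUEST, "GigabitEthernet1/0/2"))                # client Discover
    snoop.handle(DhcpMessage(BOOTREPLY, "GigabitEthernet1/0/1", "10.0.0.1"))       # legitimate Offer
    snoop.handle(DhcpMessage(BOOTREPLY, "GigabitEthernet1/0/3", "192.168.1.254"))  # rogue Offer
    return snoop


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Note that with detect_servers left at its default (False) the untrusted reply is still discarded, matching the guide's statement that the drop comes from the trusted/untrusted configuration while detection only adds the log record.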

3.3.5 Checking the Configuration

Prerequisite

The configurations of preventing the bogus DHCP server attack are complete.

Procedure

• Run the display dhcp snooping global command to check information about global DHCP snooping.

• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the information about the DHCP snooping binding table.

• Run the display this command in the system view to check the configuration of detection of bogus DHCP servers.

You can only check whether detection of bogus DHCP servers is enabled through the display this command. The detection information is recorded in the log, and you can obtain related information by viewing the log.

----End

3.4 Preventing the DoS Attack by Changing the CHADDR Field

This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.


3.4.1 Establishing the Configuration Task

3.4.2 Enabling DHCP Snooping

3.4.3 Checking the CHADDR Field in DHCP Request Messages

3.4.4 Checking the Configuration

3.4.1 Establishing the Configuration Task

Applicable Environment

The attacker may change the client hardware address (CHADDR) carried in DHCP messages instead of the source MAC address in the frame header to apply for IP addresses continuously. The S9300, however, only checks the validity of packets based on the source MAC address in the frame header, so the attack packets are still forwarded normally and the MAC address limit cannot take effect.

To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S9300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.

Pre-configuration Tasks

Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:

• Configuring the DHCP server

• Configuring the DHCP relay agent

Data Preparation

To prevent the DoS attack by changing the CHADDR field, you need the following data.

No. Data

1 Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping

Context

You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN.

Before enabling DHCP snooping, enable DHCP globally.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled globally.

Step 3 Run: dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run: interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 5 Run: dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.

DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run: quit

Return to the system view.

Step 7 (Optional) Run: dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.

On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface.

DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.


NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.4.3 Checking the CHADDR Field in DHCP Request Messages

Context

If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is the user-side interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run: dhcp snooping check mac-address enable

The interface, or the interface in the VLAN, is configured to check the CHADDR field in DHCP Request messages.

By default, an interface or the interface in a VLAN does not check the CHADDR field in DHCP Request messages on the S9300.

----End
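As an added illustration of the check that section 3.4 describes (not code from the guide or the S9300), the following Python builds a constructed DHCP Request frame and compares the CHADDR field of the BOOTP header with the source MAC address of the Ethernet header, forwarding only on a match. The frame layout follows RFC 2131 and the standard Ethernet/IPv4/UDP headers; the MAC addresses and transaction ID are constructed sample values.

```python
import struct

# Added example: the CHADDR check of section 3.4 applied to a constructed
# DHCP Request frame. Not S9300 code. Offsets follow RFC 2131 (BOOTP header)
# and the usual Ethernet/IPv4/UDP layout; sample addresses are constructed.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
BOOTP_CHADDR_OFFSET = 28   # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr


def build_dhcp_request_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed broadcast DHCP Request: src_mac goes into the frame header,
    chaddr into the BOOTP header (an attacker controls the two independently)."""
    ether = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # BOOTREQUEST, hlen=6
             + b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr
             + chaddr.ljust(16, b"\x00")       # chaddr (16 bytes, hlen of them used)
             + b"\x00" * 192                   # sname + file
             + b"\x63\x82\x53\x63"             # DHCP magic cookie
             + b"\x35\x01\x03\xff")            # option 53 = DHCPREQUEST, END
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    return ether + ip + udp + bootp


def check_chaddr(frame: bytes) -> str:
    """'forward' if CHADDR equals the frame's source MAC, 'discard' if not,
    'not-dhcp' when the frame is not a client DHCP message (left to other rules)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-dhcp"
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP:          # protocol byte of the IPv4 header
        return "not-dhcp"
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (DHCP_CLIENT_PORT, DHCP_SERVER_PORT):
        return "not-dhcp"
    bootp = udp[8:]
    if len(bootp) < BOOTP_CHADDR_OFFSET + 16 or bootp[0] != 1:
        return "not-dhcp"
    hlen = bootp[2]
    chaddr = bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]
    # The check the guide describes: header MAC and CHADDR must agree.
    return "forward" if hlen == 6 and chaddr == src_mac else "discard"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")           # constructed client MAC
    print(check_chaddr(build_dhcp_request_frame(mac, mac)))                         # forward
    print(check_chaddr(build_dhcp_request_frame(mac, bytes.fromhex("00aabbccddee"))))  # discard
```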

3.4.4 Checking the Configuration

Prerequisite

The configurations of preventing the DoS attack by changing the CHADDR field are complete.

Procedure

• Run the display dhcp snooping global command to check information about global DHCP snooping.

• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

This section describes how to prevent attackers from attacking the DHCP server by forging the DHCP messages for extending IP address leases.

3.5.1 Establishing the Configuration Task

3.5.2 Enabling DHCP Snooping

3.5.3 Enabling the Checking of DHCP Request Messages

3.5.4 (Optional) Configuring the Option 82 Function

3.5.5 Checking the Configuration

3.5.1 Establishing the Configuration Task

Applicable Environment

The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease. As a result, certain expired IP addresses cannot be reused.

To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you can create the DHCP snooping binding table on the S9300 to check DHCP Request messages. If the source IP address, source MAC address, VLAN, and interface of the DHCP Request messages match entries in the binding table, the DHCP Request messages are then forwarded. Otherwise, the DHCP Request messages are discarded.

NOTE

IP addresses are classified into IPv4 addresses and IPv6 addresses. The S9300 checks the source IP addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.

The S9300 checks DHCP Request messages as follows:

1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S9300 considers that the DHCP Request message is a broadcast message that a user sends to go online for the first time, and does not check the DHCP Request message against the binding table. Otherwise, the S9300 considers that the user sends the DHCP Request message to renew the lease of the IP address, and checks the DHCP Request message against the binding table.

2. Checks whether the CIADDR field in the DHCP Request message matches an entry in the binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table. If all these fields match the binding table, the S9300 forwards the message; otherwise, the S9300 discards the message.
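The two-step check above, written out as an added Python example (not code from the guide or the S9300) against a constructed binding table. The example also applies the same lookup to a Release message, as the note in section 3.5.3 describes. Field names, interface names and addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added example: the two-step binding-table check of section 3.5.1 applied to
# a constructed binding table. Not S9300 code; field names, interface names
# and addresses are assumptions made for the illustration.

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (IP, MAC, VLAN, interface)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ClientMessage:
    """Fields of a DHCP Request/Release that the check looks at."""
    kind: str          # "request" or "release"
    dst_mac: str       # destination MAC of the Ethernet frame
    src_mac: str       # source MAC of the Ethernet frame
    ciaddr: str        # CIADDR field; "0.0.0.0" when the client has no lease yet
    vlan: int
    interface: str     # interface the message arrived on


def check_against_binding_table(msg: ClientMessage, table: dict) -> str:
    """Return "forward" or "discard" following the guide's two steps."""
    # Step 1: an all-f destination MAC is a first-time broadcast; not checked.
    if msg.kind == "request" and msg.dst_mac.lower() == BROADCAST_MAC:
        return "forward"
    # Step 2: a unicast renew (and a Release, see the note in 3.5.3) is looked
    # up by CIADDR; a message with no matching entry is forwarded directly.
    entry = table.get(msg.ciaddr)
    if entry is None:
        return "forward"
    # The entry exists: MAC, VLAN and interface must all match, else discard.
    if (entry.mac, entry.vlan, entry.interface) == (msg.src_mac.lower(), msg.vlan, msg.interface):
        return "forward"
    return "discard"


def demo_table() -> dict:
    """Constructed binding table with one dynamic entry, keyed by IP address."""
    entry = Binding("10.1.1.10", "00:11:22:33:44:55", 10, "GigabitEthernet1/0/2")
    return {entry.ip: entry}


if __name__ == "__main__":
    table = demo_table()
    spoofed_renew = ClientMessage("request", "00:e0:fc:00:00:01", "00:aa:bb:cc:dd:ee",
                                  "10.1.1.10", 10, "GigabitEthernet1/0/3")
    print(check_against_binding_table(spoofed_renew, table))   # discard
```

The "forward" on an unknown CIADDR is the guide's own rule (step 2, "If not, the S9300 forwards the message directly"); it is what keeps statically addressed hosts working, and it is why the guide lists "Static IP addresses from which packets are forwarded" under Data Preparation.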


Pre-configuration Tasks

Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:

• Configuring the DHCP server

• Configuring the DHCP relay agent

Data Preparation

To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data.

No. Data

1 Type and number of the interface enabled with detection of bogus DHCP servers

2 Static IP addresses from which packets are forwarded

3.5.2 Enabling DHCP Snooping

Context

You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN.

Before enabling DHCP snooping, enable DHCP globally.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled globally.

Step 3 Run: dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run: interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.


Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 5 Run: dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.

DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run: quit

Return to the system view.

Step 7 (Optional) Run: dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.

On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface.

DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.5.3 Enabling the Checking of DHCP Request Messages

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is the user-side interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run: dhcp snooping check user-bind enable

The interface, or the interface in the VLAN, is enabled to check DHCP Request messages.

By default, an interface or the interface in a VLAN is disabled from checking DHCP Request messages.

NOTE

The dhcp snooping check user-bind enable command also checks whether a Release packet matches the binding table, thus preventing unauthorized users from releasing the IP addresses of authorized users.

----End

3.5.4 (Optional) Configuring the Option 82 Function

Context

After the Option 82 function is enabled, the S9300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages.

When the Option 82 function is used on the DHCP relay agent, the generated binding table does not contain information about the interface if the set Option 82 field does not contain information about the interface. The following situations are caused:

• The DHCP Reply messages of the DHCP server are listened to by users on other interfaces in a VLAN.

• After a user logs in, this valid user is forged if users on other interfaces in a VLAN forge the IP address and MAC address.

When DHCP snooping is used at Layer 2, the S9300 can obtain information about the interface required by the binding table even if the Option 82 function is not configured.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is the user-side interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run: dhcp option82 insert enable

The Option 82 field is appended to DHCP messages.

Or, run:

dhcp option82 rebuild enable

The Option 82 is forcibly appended to DHCP messages.

• After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If the DHCP message already contains an Option 82 field, the S9300 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the S9300 retains the original Option 82 field. If not, the S9300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S9300.

• After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; the original Option 82 field is removed and a new one is appended if the original DHCP messages carry the Option 82 field.

Step 4 Run: quit

Return to the system view.

Step 5 (Optional) Run: dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is set.

NOTE

If the user-defined format of the Option 82 field is used, it is recommended that you specify the interface type, interface number, and slot ID in text.

----End
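The difference between the insert and rebuild behaviours described in Step 3 is easiest to see on real option bytes. The following Python is an added example, not code from the guide or the S9300: it decodes the DHCP options field, applies either behaviour to the Relay Agent Information option, and shows which Remote-id survives in each case. Option 82 and its sub-option codes (1 = Circuit-id, 2 = Remote-id) are from RFC 3046; the switch MAC, circuit-id string and sample option bytes are constructed values.

```python
# Added example: the insert vs. rebuild behaviour of Option 82 described in
# section 3.5.4, applied to constructed DHCP option bytes. Not S9300 code.
# Option/sub-option codes follow RFC 3046; sample values are constructed.

OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2
OPT_PAD, OPT_END = 0, 255

SWITCH_MAC = bytes.fromhex("00e0fc000001")   # constructed; the default Remote-id per the guide
CIRCUIT_ID = b"GigabitEthernet1/0/2 vlan 10"  # constructed circuit-id text


def parse_tlv(raw: bytes, stop_at_end: bool) -> list:
    """Decode code/length/value triples. DHCP options use PAD and END bytes;
    the sub-options inside Option 82 do not, so the caller says which applies."""
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        items.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def encode_tlv(items: list, with_end: bool) -> bytes:
    out = bytearray()
    for code, value in items:
        out += bytes([code, len(value)]) + value
    if with_end:
        out.append(OPT_END)
    return bytes(out)


def apply_option82(options: bytes, circuit_id: bytes, remote_id: bytes, mode: str) -> bytes:
    """mode "insert" models dhcp option82 insert enable, "rebuild" models
    dhcp option82 rebuild enable. Returns the rewritten options field."""
    items = parse_tlv(options, stop_at_end=True)
    existing = [v for c, v in items if c == OPT_RELAY_AGENT_INFO]
    others = [(c, v) for c, v in items if c != OPT_RELAY_AGENT_INFO]
    fresh = encode_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], with_end=False)
    if not existing or mode == "rebuild":
        new_value = fresh                     # no Option 82 yet, or rebuild: replace wholesale
    elif mode == "insert":
        subs = parse_tlv(existing[0], stop_at_end=False)
        if any(c == SUB_REMOTE_ID for c, _ in subs):
            new_value = existing[0]           # Remote-id present: keep the original field
        else:
            new_value = encode_tlv(subs + [(SUB_REMOTE_ID, remote_id)], with_end=False)
    else:
        raise ValueError("mode must be 'insert' or 'rebuild'")
    return encode_tlv(others + [(OPT_RELAY_AGENT_INFO, new_value)], with_end=True)


def remote_id_of(options: bytes):
    """Return the Remote-id carried in Option 82, or None if there is none."""
    for code, value in parse_tlv(options, stop_at_end=True):
        if code == OPT_RELAY_AGENT_INFO:
            for sub, sub_value in parse_tlv(value, stop_at_end=False):
                if sub == SUB_REMOTE_ID:
                    return sub_value
    return None


# Constructed sample option fields (option 53 = DHCPREQUEST in each case).
NO_OPT82 = b"\x35\x01\x03\xff"
OPT82_CIRCUIT_ONLY = b"\x35\x01\x03" + b"\x52\x05\x01\x03abc" + b"\xff"
OPT82_FOREIGN_REMOTE = b"\x35\x01\x03" + b"\x52\x0a\x01\x03abc\x02\x03xyz" + b"\xff"

if __name__ == "__main__":
    for name, sample in (("none", NO_OPT82), ("circuit-only", OPT82_CIRCUIT_ONLY),
                         ("foreign remote-id", OPT82_FOREIGN_REMOTE)):
        ins = apply_option82(sample, CIRCUIT_ID, SWITCH_MAC, "insert")
        reb = apply_option82(sample, CIRCUIT_ID, SWITCH_MAC, "rebuild")
        print(name, "insert ->", remote_id_of(ins).hex(), "rebuild ->", remote_id_of(reb).hex())
```

The third sample shows the security difference: with insert, a Remote-id that the client itself placed in the message survives and ends up in the binding entry; with rebuild it is replaced by the switch's own value.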

3.5.5 Checking the Configuration

Prerequisite

The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.

Procedure

• Run the display dhcp snooping global command to check information about global DHCP snooping.

• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP snooping binding table.


• Run the display dhcp option82 interface interface-type interface-number command to check the status of the Option 82 field.

----End

3.6 Setting the Maximum Number of DHCP Snooping Users

This section describes how to set the maximum number of DHCP snooping users, so that authorized users are not prevented from accessing the network when an attacker applies for IP addresses continuously.

3.6.1 Establishing the Configuration Task

3.6.2 Enabling DHCP Snooping

3.6.3 Setting the Maximum Number of DHCP Snooping Users

3.6.4 (Optional) Configuring MAC Address Security on an Interface

3.6.5 Checking the Configuration

3.6.1 Establishing the Configuration Task

Applicable Environment

To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users.

When the number of DHCP snooping users reaches the maximum value, users cannot successfully apply for IP addresses.

Pre-configuration Tasks

Before setting the maximum number of DHCP snooping users, complete the following tasks:

• Enabling DHCP snooping globally

• Enabling check of the DHCP snooping binding table

Data Preparation

To set the maximum number of DHCP snooping users, you need the following data.

No. Data

1 Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

3.6.2 Enabling DHCP Snooping


Context

You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN.

Before enabling DHCP snooping, enable DHCP globally.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled globally.

Step 3 Run: dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run: interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 5 Run: dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.

DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run: quit

Return to the system view.

Step 7 (Optional) Run: dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.

On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface.

DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.6.3 Setting the Maximum Number of DHCP Snooping Users

Context

If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run: dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.

By default, a maximum of 4096 users can access an interface of the S9300 or a VLAN.

This command takes effect only when DHCP snooping is enabled globally and on the interface, and is valid only for DHCP users. When the number of DHCP snooping users on an interface or in a VLAN reaches the maximum value set through the dhcp snooping max-user-number command, no more users can access the interface.

----End

3.6.4 (Optional) Configuring MAC Address Security on an Interface


Context

When MAC address security of DHCP snooping is enabled, packets are processed as follows for a non-DHCP user:

• If a static MAC address is not configured, the packets are discarded after reaching the interface where the dhcp snooping sticky-mac command is run.

• If a static MAC address is configured, the packets are forwarded normally.

MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded normally. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have the packets forwarded normally.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is a user-side interface.

Step 3 Run: dhcp snooping sticky-mac

MAC address security of DHCP snooping is enabled on the interface.

By default, MAC address security of DHCP snooping is disabled on the S9300.

The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally.

If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of the received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes information about the MAC address and VLAN ID of the user. Subsequently, only the packets whose source MAC address matches the static MAC address can pass through the interface; otherwise, the packets are discarded.

MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users to have the packets forwarded normally.

----End

3.6.5 Checking the Configuration


Prerequisite

The configurations of setting the maximum number of users are complete.

Procedure

• Run the display dhcp snooping global command to check information about global DHCP snooping.

• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.

----End

3.7 Limiting the Rate of Sending DHCP Messages

This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.

3.7.1 Establishing the Configuration Task

3.7.2 Enabling DHCP Snooping

3.7.3 Limiting the Rate of Sending DHCP Messages

3.7.4 Checking the Configuration

3.7.1 Establishing the Configuration Task

Applicable Environment

If an attacker sends DHCP Request messages continuously on a network, the DHCP protocol stack of the S9300 is affected.

To prevent an attacker from sending a large number of DHCP Request messages, you can configure DHCP snooping on the S9300 to check DHCP Request messages and limit the rate of sending DHCP Request messages. Only a certain number of DHCP Request messages can be sent to the protocol stack during a certain period. Excessive DHCP Request messages are discarded.

Pre-configuration Tasks

Before limiting the rate of sending packets, complete the following tasks:

• Configuring the DHCP server

• Configuring the DHCP relay agent

Data Preparation

To limit the rate of sending packets, you need the following data.

No. Data

1 Rate at which DHCP messages are sent to the protocol stack

3.7.2 Enabling DHCP Snooping

Context

You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN.

Before enabling DHCP snooping, enable DHCP globally.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled globally.

Step 3 Run: dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run: interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 5 Run: dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.

DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run: quit

Return to the system view.

Step 7 (Optional) Run: dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.

On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface.

DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.7.3 Limiting the Rate of Sending DHCP Messages

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp snooping check dhcp-rate enable

The S9300 is enabled to check the rate at which DHCP messages are sent to the protocol stack.

By default, the S9300 does not check the rate of sending DHCP messages.

Step 3 Run: dhcp snooping check dhcp-rate rate

The maximum rate of sending DHCP messages to the protocol stack is set.

By default, the maximum rate is 100 pps. DHCP packets exceeding the rate are discarded.

Step 4 Run: dhcp snooping check dhcp-rate alarm enable

The alarm function is enabled for DHCP packets discarded because they exceed the rate limit.

Step 5 (Optional) Run: dhcp snooping check dhcp-rate alarm threshold threshold

The alarm threshold for the number of DHCP packets discarded because they exceed the rate limit is set.


By default, the alarm threshold for discarded DHCP packets is 100 packets. An alarm is generated when the number of DHCP packets discarded by the rate check exceeds the threshold.

----End

3.7.4 Checking the Configuration

Prerequisite
The configurations of limiting the rate of sending DHCP messages are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.

----End

3.8 Configuring the Packet Discarding Alarm Function

An alarm is generated when the number of discarded packets exceeds the threshold.

3.8.1 Establishing the Configuration Task

3.8.2 Enabling DHCP Snooping

3.8.3 Enabling the Checking of DHCP Messages

3.8.4 Configuring the Packet Discarding Alarm Function

3.8.5 Checking the Configuration

3.8.1 Establishing the Configuration Task

Applicable Environment

With DHCP snooping configured, the S9300 discards packets sent from an attacker. Table 3-2 shows the relation between the type of attack and the type of discarded packets.

Table 3-2 Relation between the type of attacks and the type of discarded packets

Type of Attack | Type of Discarded Packets
Bogus DHCP server attack | DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header
Attack by sending bogus messages to extend IP address leases | DHCP Request messages that do not match entries in the binding table
Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S9300 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent
- Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the user side
- Configuring the checking of DHCP messages
- Configuring the checking of the CHADDR field in DHCP Request messages
- Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

No. Data
1 Alarm threshold for the number of discarded packets

3.8.2 Enabling DHCP Snooping

Context
This procedure is the same as 3.7.2 Enabling DHCP Snooping and is not repeated here. In summary: in the system view, run dhcp enable and then dhcp snooping enable; then run dhcp snooping enable in the view of every user-side interface (Ethernet, GE or Eth-Trunk) or in the VLAN view. DHCP snooping is disabled globally, on interfaces and in VLANs by default, and DHCP snooping configurations on a user-side interface take effect only after DHCP snooping is enabled on it; a network-side interface has no such restriction. On a VPLS network, additionally run dhcp snooping over-vpls enable in the system view after DHCP snooping is enabled globally and on the interface.

----End

3.8.3 Enabling the Checking of DHCP Messages

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interface is a user-side interface.

Or, run: vlan vlan-id

The VLAN view is displayed.

Step 3 Run: dhcp snooping check { mac-address | user-bind } enable

The function of checking DHCP messages is enabled.

- mac-address: the S9300 checks whether the source MAC address in the frame header of a DHCP Request message is the same as the value of the CHADDR field in the message. If the two differ, the DHCP Request message is discarded.

- user-bind: the S9300 checks whether a DHCP Request or Release message matches an entry in the DHCP snooping binding table; a message that matches no entry is discarded.

By default, the S9300 does not check DHCP messages.

----End

3.8.4 Configuring the Packet Discarding Alarm Function

Context
The packet discarding alarm function can be configured globally and on an interface.
- The packet discarding alarm function configured globally takes effect for all interfaces.
- The packet discarding alarm function configured on an interface takes effect only for that interface. If the function is not configured on an interface, the global configuration is used.

NOTE

To configure the alarm function for DHCP messages discarded because they exceed the rate limit, see 3.7.3 Limiting the Rate of Sending DHCP Messages.

Procedure
- Configuring the packet discarding alarm function globally

1. Run: system-view

The system view is displayed.

2. Run: dhcp snooping alarm threshold threshold

The global alarm threshold for the number of discarded packets is set.

By default, the global alarm threshold for the number of discarded DHCP messages is 100 packets.

- Configuring the packet discarding alarm function on an interface

1. Run: system-view

The system view is displayed.

2. Run: interface interface-type interface-number

The interface view is displayed.

3. Run: dhcp snooping alarm { mac-address | user-bind | untrust-reply } enable

The packet discarding alarm function is enabled on the interface for the selected check. The command counts packets that the corresponding check has already discarded; it does not itself enable the check.

– mac-address: alarms on DHCP Request messages discarded because the source MAC address in the frame header differs from the CHADDR field of the message.

– user-bind: alarms on DHCP messages discarded because they do not match the binding table. DHCP message here means a DHCP Request message other than a Discover message (a client sending Discover has no binding yet).

– untrust-reply: alarms on DHCP Reply messages from a DHCP server that are discarded because they arrive on an untrusted interface.

By default, the packet discarding alarm function is disabled on an interface.

4. Run: dhcp snooping alarm { mac-address | user-bind | untrust-reply } threshold threshold

The alarm threshold for the number of discarded packets is set on the interface.

By default, an interface uses the threshold set by the dhcp snooping alarm threshold command in the system view. If that command has not been run, the interface uses the default threshold, 100 packets.

----End
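The checks of Table 3-2, the rate check of 3.7.3 and the alarm counters of 3.8.4 can be followed end to end on a small model. The following Python is an added example written for this page, not S9300 or Huawei code: it builds minimal DHCP frames (constructed input, not captures), parses the frame source MAC, CHADDR, message type and ciaddr, and applies the four checks with per-check drop counters and alarm thresholds. The one-second rate window, the exemption of an initial Request with ciaddr 0 from the user-bind check, and the restart of the in-range drop counter after an alarm are this model's assumptions; the port names, MAC addresses and threshold values are taken from the examples in 3.10.

```python
"""Model of the DHCP snooping checks in Table 3-2 and the 3.7.3 rate check (added example, not S9300 code)."""
import struct
from collections import defaultdict

ETH, IP, UDP, BOOTP_FIXED = 14, 20, 8, 236
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
CLIENT_TO_SERVER, SERVER_TO_CLIENT = {DISCOVER, REQUEST, DECLINE, RELEASE}, {OFFER, ACK, NAK}


def mac(s):  # '0000-005e-008a' (Huawei style) or '00:00:5e:00:00:8a' -> 6 raw bytes
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def build_frame(src_mac, chaddr, msg_type, ciaddr="0.0.0.0"):
    """Minimal Ethernet/IPv4/UDP/BOOTP frame (constructed test input; checksums left 0)."""
    op = 1 if msg_type in CLIENT_TO_SERVER else 2                 # BOOTREQUEST / BOOTREPLY
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    bootp += ip4(ciaddr) + bytes(12)                              # ciaddr; yiaddr/siaddr/giaddr = 0
    bootp += mac(chaddr).ljust(16, b"\0") + bytes(64 + 128)       # chaddr, sname, file
    bootp += MAGIC + bytes([53, 1, msg_type, 255])                # option 53, end
    sport, dport = (68, 67) if op == 1 else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, UDP + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP + len(udp) + len(bootp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return mac("ff-ff-ff-ff-ff-ff") + mac(src_mac) + b"\x08\x00" + ip + udp + bootp


def parse_frame(frame):
    """Return (frame source MAC, CHADDR, DHCP message type, ciaddr)."""
    b = frame[ETH + IP + UDP:]
    chaddr, opts, i, msg_type = b[28:28 + b[2]], b[BOOTP_FIXED + 4:], 0, None
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 53:
            msg_type = opts[i + 2]
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]               # pad option has no length byte
    return frame[6:12], chaddr, msg_type, b[12:16]


class Snooper:
    """One switch: binding table, global rate check, per-port checks and alarm counters."""

    def __init__(self, rate_pps=100, rate_alarm=100):
        self.bindings, self.ports, self.alarms = set(), {}, []   # bindings: (port, mac, ip)
        self.rate_pps, self.rate_alarm, self.window, self.window_count, self.rate_drops = rate_pps, rate_alarm, None, 0, 0

    def add_port(self, name, trusted=False, check_mac=False, check_user_bind=False, threshold=100):
        self.ports[name] = dict(trusted=trusted, check_mac=check_mac, check_user_bind=check_user_bind,
                                threshold=threshold, drops=defaultdict(int), in_range=0)

    def bind(self, port, mac_str, ip_str):                         # user-bind static ...
        self.bindings.add((port, mac(mac_str), ip4(ip_str)))

    def _drop(self, port, reason):
        p = self.ports[port]
        p["drops"][reason] += 1
        p["in_range"] += 1                                         # "drop count within alarm range"
        if p["in_range"] >= p["threshold"]:                        # assumption: counter restarts after an alarm
            self.alarms.append((port, reason))
            p["in_range"] = 0
        return "drop:" + reason

    def process(self, port, frame, t):
        """Apply the checks to one frame received on `port` at time t (seconds)."""
        if int(t) != self.window:                                  # 1. global pps limit towards the
            self.window, self.window_count = int(t), 0             #    protocol stack (check dhcp-rate)
        self.window_count += 1
        if self.window_count > self.rate_pps:
            self.rate_drops += 1
            if self.rate_drops % self.rate_alarm == 0:
                self.alarms.append((None, "dhcp-rate"))
            return "drop:dhcp-rate"
        p = self.ports[port]
        src, chaddr, mtype, ciaddr = parse_frame(frame)
        if mtype in SERVER_TO_CLIENT and not p["trusted"]:         # 2. bogus server: replies only from trusted ports
            return self._drop(port, "untrust-reply")
        if p["check_mac"] and mtype in CLIENT_TO_SERVER and chaddr != src:   # 3. check mac-address
            return self._drop(port, "mac-address")
        # 4. check user-bind: Request/Release from an addressed client must match a binding.
        #    Discover is exempt (guide); an initial Request with ciaddr 0 is exempt too (assumption).
        if (p["check_user_bind"] and mtype in (REQUEST, RELEASE) and ciaddr != bytes(4)
                and (port, chaddr, ciaddr) not in self.bindings):
            return self._drop(port, "user-bind")
        return "forward"


def demo():
    """Replay the attacks of Table 3-2 and a legitimate renewal on constructed frames."""
    sw = Snooper(rate_pps=90, rate_alarm=80)                       # values from 3.10.4 and 3.10.5
    sw.add_port("GE1/0/0", trusted=True)
    sw.add_port("GE2/0/0", check_mac=True, check_user_bind=True, threshold=120)
    sw.bind("GE2/0/0", "0000-005e-008a", "10.1.1.3")              # static entry from 3.10.3
    cases = {  # name: (port, frame source MAC, CHADDR, message type, ciaddr)
        "legit renewal": ("GE2/0/0", "0000-005e-008a", "0000-005e-008a", REQUEST, "10.1.1.3"),
        "bogus server": ("GE2/0/0", "0000-005e-00aa", "0000-005e-008a", OFFER, "0.0.0.0"),
        "chaddr spoof": ("GE2/0/0", "0000-005e-00aa", "0000-005e-00bb", DISCOVER, "0.0.0.0"),
        "bogus lease extension": ("GE2/0/0", "0000-005e-00aa", "0000-005e-00aa", REQUEST, "10.1.1.3"),
        "offer on trusted port": ("GE1/0/0", "0000-005e-0001", "0000-005e-008a", OFFER, "0.0.0.0"),
    }
    results = {k: sw.process(c[0], build_frame(*c[1:]), 0.0) for k, c in cases.items()}
    flood = build_frame("0000-005e-00cc", "0000-005e-00cc", DISCOVER)   # 200 Discovers in one second
    results["flood drops"] = sum(sw.process("GE2/0/0", flood, 1.5) == "drop:dhcp-rate" for _ in range(200))
    return results, sw

if __name__ == "__main__":
    print(*demo()[0].items(), sep="\n")
```

Running it prints one verdict per case: the legitimate renewal and the Offer arriving on the trusted port are forwarded, the three attack frames are dropped with the name of the check that caught them, and of the 200 Discovers sent within one second only the first 90 reach the protocol stack, which also trips the dhcp-rate alarm after 80 discards. The per-port drop counters are the model's equivalent of the "dhcp packet dropped by ... checking" lines in display dhcp snooping interface.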

3.8.5 Checking the Configuration

Prerequisite
The configurations of the packet discarding alarm function are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.9 Maintaining DHCP Snooping

This section describes how to maintain DHCP snooping.

3.9.1 Clearing DHCP Snooping Statistics

3.9.2 Resetting the DHCP Snooping Binding Table

3.9.3 Backing Up the DHCP Snooping Binding Table

3.9.1 Clearing DHCP Snooping Statistics

Context
To clear the statistics on packets discarded by DHCP snooping, run the following commands in the system view.

Procedure
- Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.
- Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.

----End

3.9.2 Resetting the DHCP Snooping Binding Table

Context
To clear entries in the DHCP snooping binding table, run the following command in the user view or system view.

Clearing dynamic entries while the user-bind check is enabled has the same effect as losing the table at a restart (see 3.9.3): Request and Release messages from clients whose entries are gone no longer match the binding table and are discarded until those clients obtain addresses again.

Procedure
- Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.

----End

3.9.3 Backing Up the DHCP Snooping Binding Table

Context
To back up the DHCP snooping binding table, run the following command in the system view.

Procedure
- Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table.
  – If backup is configured, the system automatically saves the binding table to the specified path every hour or after 300 new dynamic binding entries are generated. Entries learned after the most recent save are still lost at a restart, so the restored table can be up to one hour (or 300 entries) behind.
  – If backup is not configured, the dynamic DHCP snooping binding table is lost when the S9300 restarts. Users that obtained IP addresses dynamically from the DHCP server then cannot communicate normally and need to log in again.

----End
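The autosave rule above (save every hour or after 300 new dynamic entries) decides which clients survive a restart once the user-bind check is enabled. The following Python is an added example, not S9300 code: it models a binding table with static and dynamic entries, writes the dynamic entries to a file under the stated rule (JSON in a temporary directory is this model's choice of format and path), rebuilds the table after a simulated restart, and checks which clients still match. The client identities are constructed.

```python
"""Binding-table autosave of 3.9.3 and its effect on the user-bind check after a restart (added example, not S9300 code)."""
import json
import tempfile
from pathlib import Path

SAVE_INTERVAL = 3600.0   # "every one hour"
SAVE_EVERY_N = 300       # "or after 300 dynamic binding entries are generated"


class BindingTable:
    """Static entries come from the configuration; dynamic ones are learned from snooped ACKs."""

    def __init__(self, autosave_path=None, now=0.0):
        self.static, self.dynamic = {}, {}             # (port, vlan, mac) -> ip
        self.autosave_path, self.last_save, self.since_save = autosave_path, now, 0

    def add_static(self, port, vlan, mac, ip):        # user-bind static ...
        self.static[(port, vlan, mac)] = ip

    def learn(self, port, vlan, mac, ip, now):
        """Record a lease seen in a DHCP ACK and apply the autosave rule."""
        self.dynamic[(port, vlan, mac)] = ip
        self.since_save += 1
        if self.autosave_path and (self.since_save >= SAVE_EVERY_N or now - self.last_save >= SAVE_INTERVAL):
            self.save(now)

    def save(self, now):
        """Write the dynamic entries; JSON is this model's format, not the switch's."""
        Path(self.autosave_path).write_text(json.dumps([[*k, v] for k, v in self.dynamic.items()]))
        self.last_save, self.since_save = now, 0

    def restart(self, now):
        """Simulate a reboot: RAM is gone, static entries reload from the configuration,
        dynamic entries come back only if an autosave file exists."""
        fresh = BindingTable(self.autosave_path, now)
        fresh.static = dict(self.static)
        if self.autosave_path and Path(self.autosave_path).exists():
            fresh.dynamic = {tuple(e[:3]): e[3] for e in json.loads(Path(self.autosave_path).read_text())}
        return fresh

    def matches(self, port, vlan, mac, ip):
        """The user-bind check: a Request/Release passes only if an entry matches exactly."""
        key = (port, vlan, mac)
        return self.static.get(key) == ip or self.dynamic.get(key) == ip


def client(i):
    """Constructed client identity number i: (MAC, IP)."""
    return f"0001-0002-{i:04x}", f"10.1.{2 + i // 200}.{i % 200 + 1}"


def demo(autosave):
    """320 clients lease addresses within about eleven minutes, then the switch restarts."""
    path = str(Path(tempfile.mkdtemp()) / "dhcp-snooping.bind") if autosave else None
    tbl = BindingTable(path, now=0.0)
    tbl.add_static("GE2/0/0", 3, "0000-005e-008a", "10.1.1.3")    # entry from 3.10.3
    for i in range(320):
        tbl.learn("GE1/0/0", 10, *client(i), now=i * 2.0)
    tbl = tbl.restart(now=700.0)
    return {
        "static client": tbl.matches("GE2/0/0", 3, "0000-005e-008a", "10.1.1.3"),
        "first dynamic client": tbl.matches("GE1/0/0", 10, *client(0)),
        "client learned after the last save": tbl.matches("GE1/0/0", 10, *client(319)),
        "dynamic entries restored": len(tbl.dynamic),
    }


if __name__ == "__main__":
    print("with autosave:   ", demo(True))
    print("without autosave:", demo(False))
```

With autosave, the 300th lease triggers a save, so 300 of the 320 dynamic clients match again after the restart while the 20 learned afterwards do not; without autosave, only the static entry survives and every dynamic client is cut off until it re-leases. That is the practical argument for configuring the autosave on any switch that enforces the user-bind check.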

3.10 Configuration Examples

This section provides several configuration examples of DHCP snooping.

3.10.1 Example for Preventing the Bogus DHCP Server Attack

3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field

3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

3.10.4 Example for Limiting the Rate of Sending DHCP Messages

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network

3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent

3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

3.10.1 Example for Preventing the Bogus DHCP Server Attack

Networking Requirements
As shown in Figure 3-3, the Switch is deployed between the user network and the Layer 2 network of the ISP. To prevent the bogus DHCP server attack, DHCP snooping is configured on the Switch, the user-side interface is configured as untrusted, the network-side interface is configured as trusted, and the packet discarding alarm function is configured.

Figure 3-3 Networking diagram for preventing the bogus DHCP server attack: user network -- GE2/0/0 -- S9300 -- GE1/0/0 -- ISP L2 network -- DHCP relay -- L3 network -- DHCP server

Configuration Roadmap
The configuration roadmap is as follows (assume that the DHCP server has been configured):

1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as a trusted interface.
3. Configure the user-side interface as an untrusted interface. DHCP Reply messages (Offer, ACK, and NAK) received from the untrusted interface are discarded, so a bogus server on the user side cannot answer clients.
4. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/0 being the trusted interface and GE 2/0/0 being the untrusted interface
- Alarm threshold being 120

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the interface as trusted or untrusted.

# Configure the interface at the DHCP server side as trusted.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit

# Configure the interface at the user side as untrusted.

After DHCP snooping is enabled on GE 2/0/0, GE 2/0/0 is untrusted by default, so no further command is needed.

Step 3 Configure the packet discarding alarm function.

# Enable the alarm for DHCP Reply messages discarded on the untrusted interface. An untrusted interface already discards such messages once DHCP snooping is enabled; this command only adds the alarm.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply enable

# Set the alarm threshold.

[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet2/0/0] quit

Step 4 Verify the configuration.

Run the display dhcp snooping global and display dhcp snooping interface commands on the Switch. The output shows that DHCP snooping is enabled globally and on the interface.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface : GigabitEthernet1/0/0
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 60

<Quidway> display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping trusted

<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 60

----End

Configuration Files

#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet1/0/0
 dhcp snooping trusted
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
#
return

3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field

Networking Requirements

As shown in Figure 3-4, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent the DoS attack by changing the CHADDR field, DHCP snooping is configured on the Switch and the CHADDR field of DHCP Request messages is checked. If the CHADDR field of a DHCP Request message matches the source MAC address in the frame header, the message is forwarded; otherwise, it is discarded. The packet discarding alarm function is also configured.

Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field: user network -- GE2/0/0 -- S9300 -- GE1/0/0 -- ISP L2 network -- DHCP relay -- L3 network -- DHCP server

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and on the interface.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold being 120

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check mac-address enable

Step 3 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function.

[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address enable

# Set the alarm threshold.

[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address threshold 120

Step 4 Verify the configuration.

Run the display dhcp snooping global and display dhcp snooping interface commands on the Switch. The output shows that DHCP snooping is enabled globally and on the interface, and that the CHADDR check has already discarded 25 messages.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 25

<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 25

----End

Configuration Files

#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
#
return

3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

Networking Requirements
As shown in Figure 3-5, the Switch is deployed between the user network and the ISP Layer 2 network. To prevent the attacker from sending bogus DHCP messages for extending IP address leases, DHCP snooping is configured on the Switch and the DHCP snooping binding table is created. Received DHCP Request messages that match entries in the binding table are forwarded; all others are discarded. The packet discarding alarm function is also configured.

Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases: user network -- GE2/0/0 -- S9300 -- GE1/0/0 -- ISP L2 network -- DHCP relay -- L3 network -- DHCP server

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable DHCP snooping globally and on the interface.
2. Check DHCP Request messages against the DHCP snooping binding table.
3. Configure the packet discarding alarm function.
4. Configure the Option 82 function and create a binding table that contains information about the interface.

Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to
- Static IP addresses from which packets are forwarded
- Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the checking of packets.

# Check DHCP Request messages against the binding table on the user-side interface.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure static binding entries.

# Configure a static binding entry for the user side. Request and Release messages on GE 2/0/0 that match neither this entry nor a dynamic entry are discarded by the user-bind check.

[Quidway] user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3

Step 4 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind enable

# Set the alarm threshold.

[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet2/0/0] quit

Step 5 Configure the Option 82 function.

# Configure the user-side interface to insert the Option 82 field into DHCP messages.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.

Run the display dhcp snooping global and display dhcp snooping interface commands on the Switch. The output shows that DHCP snooping is enabled globally and on the interface.

<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface : GigabitEthernet2/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 45

<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 45

Run the display user-bind all command to view all static binding entries of users.

<Quidway> display user-bind all
bind-table:
ifname    O/I-vlan   mac-address      ip-address   tp  lease  vsi
-------------------------------------------------------------------------------
GE2/0/0   3/ --      0000-005e-008a   10.1.1.3     S   0      --
-------------------------------------------------------------------------------
Static binditem count: 1   Static binditem total count: 1

Run the display dhcp option82 interface command to confirm that insertion of the Option 82 field is enabled on the interface.

<Quidway> display dhcp option82 interface gigabitethernet 2/0/0
 dhcp option82 insert enable

----End

Configuration Files

#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
#
 user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
return

3.10.4 Example for Limiting the Rate of Sending DHCP Messages

Networking Requirements
As shown in Figure 3-6, to prevent the attacker from sending a large number of DHCP Request messages, DHCP snooping is enabled on the Switch to limit the rate at which DHCP Request messages are sent to the protocol stack. At the same time, the packet discarding alarm function is enabled.

Figure 3-6 Networking diagram for limiting the rate of sending DHCP messages: DHCP client -- GE1/0/1 -- S9300; Attacker -- GE1/0/2 -- S9300; S9300 -- GE2/0/1 -- L2 network -- DHCP relay -- L3 network -- DHCP server

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable DHCP snooping globally and in the interface view.
2. Set the rate of sending DHCP Request messages to the protocol stack.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
- Rate of sending DHCP Request messages
- Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interfaces. The configuration of GE 1/0/2 is the same as that of GE 1/0/1 and is not shown here.

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] dhcp snooping enable
[Quidway-GigabitEthernet1/0/1] quit

Step 2 Limit the rate of sending DHCP messages.

# Enable the checking of the rate at which DHCP Request messages are sent to the protocol stack.

[Quidway] dhcp snooping check dhcp-rate enable

# Set the maximum rate to 90 pps.

[Quidway] dhcp snooping check dhcp-rate 90

Step 3 Configure the packet discarding alarm function.

# Enable the alarm for packets discarded by the rate check.

[Quidway] dhcp snooping check dhcp-rate alarm enable

# Set the alarm threshold.

[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 4 Verify the configuration.

Run the display dhcp snooping global command on the Switch. The output shows that DHCP snooping is enabled globally, that the rate check is enabled, and that the packet discarding alarm is enabled.

[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/1 GigabitEthernet1/0/2
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

----End

Configuration Files

#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm threshold 80
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
#
interface GigabitEthernet1/0/2
 dhcp snooping enable
#
return

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network

Networking Requirements
As shown in Figure 3-7, DHCP clients are connected to the Switch through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. DHCP snooping is configured on user-side interfaces GE 1/0/0 and GE 1/0/1 of the Switch to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages to extend IP address leases
- Attack by sending a large number of DHCP Request messages

Figure 3-7 Networking diagram for configuring DHCP snooping: DHCP client1 -- GE1/0/0 -- S9300; DHCP client2 (IP 10.1.1.1/24, MAC 0001-0002-0003) -- GE1/0/1 -- S9300; S9300 -- GE2/0/0 -- DHCP relay -- DHCP server

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.


6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation

To complete the configuration, you need the following data:

- VLAN that the interface belongs to being 10
- GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
- Rate of sending DHCP messages to the protocol stack being 90
- Mode of the Option 82 function being insert
- Alarm threshold of the number of discarded packets being 120
- Alarm threshold for checking the rate of sending packets being 80

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.

# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on all the interfaces connecting to the DHCP clients. If an interface on the client side is not configured as trusted, its default mode is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure the checking for certain types of packets.

# Enable the checking of DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.


[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.

# If a client uses a static IP address, a static DHCP snooping binding entry must be configured for it.

[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10

Step 5 Limit the rate of sending DHCP messages.

# Check the rate of sending DHCP messages to prevent attackers from sending a large number of DHCP Request messages.

[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.

# Configure the user-side interface to append the Option 82 field to DHCP messages. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function and set the alarm threshold of the number of discarded packets. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit

# Enable the alarm function for checking the rate of sending packets, and set the alarm threshold for checking the rate of sending packets.

[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Verify the configuration.

Run the display dhcp snooping global command on the Switch, and you can see that DHCP snooping is enabled globally. You can also view the statistics on alarms.

[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80

Dhcp snooping enable is configured at these vlan :NULL

Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/0 GigabitEthernet1/0/1

Dhcp snooping trusted is configured at these interface : GigabitEthernet2/0/0

Dhcp option82 insert is configured at these interface : GigabitEthernet1/0/0 GigabitEthernet1/0/1

Dhcp option82 rebuild is configured at these interface :NULL

 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.

[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0

[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.

[Quidway] display user-bind all
bind-table:
ifname   O/I-vlan  mac-address     ip-address  tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/1  10/ --    0001-0002-0003  10.1.1.1    S   0
-------------------------------------------------------------------------------
Static binditem count: 1    Static binditem total count: 1

Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.

[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
 dhcp option82 insert enable

----End

Configuration Files

#
 sysname Quidway
#
 vlan batch 10
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm threshold 80
#
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
 dhcp snooping trusted
#
return

3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent

Networking Requirements

As shown in Figure 3-8, the Switch is connected to the DHCP server and the DHCP clients, and the DHCP relay function is enabled; DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. DHCP snooping must be configured on the Switch to prevent the following types of attacks:

- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages for extending IP address leases
- Attack by sending a large number of DHCP Request messages

When a user goes offline abnormally after obtaining an IP address, the system detects the failure automatically, deletes the binding from the DHCP snooping binding table, and notifies the DHCP server to release the IP address.


Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent (labels in the figure: S9300 acting as DHCP relay, with GE1/0/0 to DHCP client1 and DHCP client2, client2 with IP 10.1.1.1/24 and MAC 0001-0002-0003, and GE2/0/0 to the DHCP server)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation

To complete the configuration, you need the following data:

- GE 1/0/0 belonging to VLAN 10 and GE 2/0/0 belonging to VLAN 20
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
- GE 1/0/0 configured as untrusted and GE 2/0/0 configured as trusted
- Rate of sending DHCP messages to the CPU being 90
- Mode of the Option 82 function being insert


- Alarm threshold of the number of discarded packets being 120
- Alarm threshold for checking the rate of sending packets being 80

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

For the configuration of DHCP Relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service.

Procedure

Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.

# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on the interfaces connecting to the DHCP clients. If an interface on the client side is not configured as trusted, its default mode is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.

[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Enable the checking for certain types of packets and configure the DHCP snooping binding table.

# Enable the checking of DHCP Request messages on the interface at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interface at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.

# If a client uses a static IP address, a static DHCP snooping binding entry must be configured for it.

[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10

Step 5 Limit the rate of sending DHCP messages.

# Check the rate of sending DHCP messages to prevent attackers from sending a large number of DHCP Request messages.


[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.

# Configure the user-side interface to append the Option 82 field to DHCP messages.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function and set the alarm threshold of the number of discarded packets.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit

# Enable the alarm function for checking the rate of sending packets and set the alarm threshold for checking the rate of sending packets.

[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Associate ARP with DHCP snooping.

# The system sends ARP packets to probe an IP address whose DHCP snooping entry is about to expire within the aging time and for which no ARP entry exists. If no user is detected within the specified number of detection attempts, the system deletes the binding from the DHCP snooping binding table and notifies the DHCP server to release the IP address.

[Quidway] arp dhcp-snooping-detect enable

Step 9 Verify the configuration.

Run the display dhcp snooping global command on the Switch, and you can see that DHCP snooping is enabled globally. You can also view the statistics on alarms.

[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80

Dhcp snooping enable is configured at these vlan :NULL

Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/0

Dhcp snooping trusted is configured at these interface : GigabitEthernet2/0/0

Dhcp option82 insert is configured at these interface : GigabitEthernet1/0/0

Dhcp option82 rebuild is configured at these interface :NULL

 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0


Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.

[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0

[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.

[Quidway] display user-bind all
bind-table:
ifname   O/I-vlan  mac-address     ip-address  tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0  10/ --    0001-0002-0003  10.1.1.1    S   0
-------------------------------------------------------------------------------
Static binditem count: 1    Static binditem total count: 1

Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.

[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
 dhcp option82 insert enable

----End

Configuration Files

#
 sysname Quidway
#
 vlan batch 10
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm threshold 80
#
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
 dhcp snooping trusted
#
 arp dhcp-snooping-detect enable
#
return
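As an added illustration of what the checks configured in 3.10.5 and 3.10.6 do with individual packets, the following Python model is not Huawei code and not part of this guide; it reproduces the decisions of the trusted and untrusted ports, the CHADDR check, the binding-table check, the per-check discard alarm threshold of 120, and the dhcp-rate limit of 90 with its alarm threshold of 80. Client MACs other than 0001-0002-0003, the one-second rate window and the order in which the checks run are assumptions of the model.

```python
"""Added model (not Huawei code) of the DHCP snooping checks configured in this
example. Client MACs and the one-second rate window are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7   # option 53 message types
SERVER_REPLIES = {OFFER, ACK}   # only a DHCP server legitimately sends these

@dataclass
class DhcpPacket:
    iface: str       # ingress interface, e.g. "GE1/0/0"
    vlan: int
    src_mac: str     # Ethernet source address
    chaddr: str      # client hardware address inside the DHCP header
    ciaddr: str      # client IP address field ("0.0.0.0" when unset)
    msg_type: int

@dataclass
class IfaceConfig:
    trusted: bool = False          # dhcp snooping trusted
    check_mac: bool = False        # dhcp snooping check mac-address enable
    check_user_bind: bool = False  # dhcp snooping check user-bind enable
    alarm_threshold: int = 120     # dhcp snooping alarm <check> threshold 120

class DhcpSnooping:
    def __init__(self, rate_limit=90, rate_alarm=80):
        self.rate_limit = rate_limit   # dhcp snooping check dhcp-rate 90
        self.rate_alarm = rate_alarm   # dhcp snooping check dhcp-rate alarm threshold 80
        self.ifaces = {}
        self.bindings = {}                  # ip -> (mac, iface, vlan)
        self.drops = defaultdict(Counter)   # iface -> check name -> drop count
        self.alarms = []
        self.sec, self.sent, self.rate_drops = -1, 0, 0   # current rate window

    def add_iface(self, name, **cfg):
        self.ifaces[name] = IfaceConfig(**cfg)

    def add_static_binding(self, ip, mac, iface, vlan):
        # user-bind static ip-address ... mac-address ... interface ... vlan ...
        self.bindings[ip] = (mac, iface, vlan)

    def _drop(self, pkt, reason):
        self.drops[pkt.iface][reason] += 1
        if self.drops[pkt.iface][reason] == self.ifaces[pkt.iface].alarm_threshold:
            self.alarms.append(f"{pkt.iface} {reason}")   # discard alarm fires once
        return reason

    def _inspect(self, pkt):
        # Returns the name of the check that drops the packet, or None if it passes.
        cfg = self.ifaces[pkt.iface]
        if cfg.trusted:
            return None                                # server-side port: not checked
        if pkt.msg_type in SERVER_REPLIES:
            return self._drop(pkt, "untrust-reply")    # bogus DHCP server
        if cfg.check_mac and pkt.chaddr != pkt.src_mac:
            return self._drop(pkt, "mac-address")      # forged CHADDR field
        if (cfg.check_user_bind and pkt.msg_type in (REQUEST, RELEASE) and pkt.ciaddr != "0.0.0.0"
                and self.bindings.get(pkt.ciaddr) != (pkt.chaddr, pkt.iface, pkt.vlan)):
            return self._drop(pkt, "user-bind")        # lease not owned by this client/port
        return None

    def _rate_limit(self, sec):
        if sec != self.sec:                            # new one-second window
            self.sec, self.sent, self.rate_drops = sec, 0, 0
        if self.sent < self.rate_limit:                # room left for the protocol stack
            self.sent += 1
            return "forwarded"
        self.rate_drops += 1
        if self.rate_drops == self.rate_alarm:
            self.alarms.append("dhcp-rate")            # rate-drop alarm fires once
        return "dhcp-rate"

    def process(self, pkt, sec=0):
        reason = self._inspect(pkt)
        return reason if reason else self._rate_limit(sec)

def build_switch():
    """The Layer 2 example: GE1/0/0 and GE1/0/1 untrusted, GE2/0/0 trusted."""
    sw = DhcpSnooping(rate_limit=90, rate_alarm=80)
    sw.add_iface("GE1/0/0", check_mac=True, check_user_bind=True)
    sw.add_iface("GE1/0/1", check_mac=True, check_user_bind=True)
    sw.add_iface("GE2/0/0", trusted=True)
    sw.add_static_binding("10.1.1.1", "0001-0002-0003", "GE1/0/1", 10)
    return sw

def flood(sw, pkt, count, sec):
    return Counter(sw.process(pkt, sec) for _ in range(count))   # verdict tally

def sample_verdicts():
    c1, c2 = "0001-0002-0010", "0001-0002-0003"   # client1's MAC is made up
    sw = build_switch()
    pkts = [
        DhcpPacket("GE1/0/0", 10, c1, c1, "0.0.0.0", DISCOVER),              # normal request
        DhcpPacket("GE1/0/0", 10, c1, c1, "0.0.0.0", OFFER),                 # reply on untrusted port
        DhcpPacket("GE1/0/0", 10, c1, "0001-0002-0011", "0.0.0.0", DISCOVER),  # CHADDR != source MAC
        DhcpPacket("GE1/0/0", 10, c2, c2, "10.1.1.1", RELEASE),              # client2's lease, wrong port
        DhcpPacket("GE1/0/1", 10, c2, c2, "10.1.1.1", RELEASE),              # matches the static binding
        DhcpPacket("GE2/0/0", 10, "00e0-fc00-0001", c1, "0.0.0.0", ACK),     # real server, trusted port
    ]
    return [sw.process(p) for p in pkts]
```

The `dhcp packet dropped by ... checking` counters and the two alarm kinds in the display output above correspond to `sw.drops` and `sw.alarms` in the model.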

3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

Networking Requirements

As shown in Figure 3-9, the DHCP clients are connected to the VPLS network through the LAN switch; PE1 and PE2 are connected through the VPLS public network. DHCP snooping is enabled on PE1; the interface at the DHCP client side is configured as untrusted and the interface at the DHCP server side is configured as trusted.

In addition, PE1 can prevent the following attacks:

- Bogus DHCP server attacks
- DoS attacks by changing the value of the CHADDR field
- Attacks by sending bogus messages for extending IP address leases
- Attacks by sending a large number of DHCP Request messages

DHCP client 1 uses a dynamically allocated IP address and DHCP client 2 uses a statically configured IP address.

Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network (labels in the figure: DHCP server; DHCP client1; DHCP client2 with IP 10.1.1.1/24 and MAC 0001-0002-0003; LAN Switch with GE1/0/0, GE2/0/0 and GE2/0/1; PE1 with GE1/0/0, GE2/0/0, Loopback1 1.1.1.9/32 and VLANIF10 100.1.1.1/24; PE2 with GE2/0/0, GE3/0/0, Loopback1 2.2.2.9/32 and VLANIF10 100.1.1.2/24)

NOTE

Users apply to the DHCP server for IP addresses through the Layer 2 network; therefore, DHCP relay devices are not required in the preceding networking.


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the VPLS, which involves the following:
   - Configure the routing protocol on the backbone network to ensure the connectivity of routers.
   - Configure basic MPLS functions and establish an LSP between PEs.
   - Enable MPLS L2VPN on PEs.
   - Create a VSI on the PEs and specify LDP as the signaling protocol, and then bind the VSI to the AC interfaces.
2. Configure DHCP snooping, which involves the following:
   - Enable DHCP snooping in the system view and in the interface view, and enable DHCP snooping over VPLS.
   - Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
   - Set the maximum number of DHCP snooping users to prevent malicious IP address application. Malicious IP address application prevents authorized users from applying for IP addresses.
   - Configure the checking of the CHADDR value to prevent DoS attacks by changing the value of the CHADDR field.
   - Configure the checking of DHCP Request messages against the DHCP snooping binding table to prevent attacks by sending bogus messages for extending IP address leases.
   - Configure Option 82 and create a binding table covering accurate interface information.
   - Configure the alarm function.

Data Preparation

To complete the configuration, you need the following data:

- Static IP address from which packets are forwarded
- Maximum number of users
- Alarm threshold
- VSI name and VSI ID
- IP address of the peer and tunnel policy used for setting up the peer relation
- Interface bound to a VSI

NOTE

The following example only provides the configuration procedure of the Switch. For details on the configuration of other devices, see the related operation guides.

Procedure

Step 1 Configure the VPLS.

1. Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes.

Assign an IP address to each interface on the PEs as shown in Figure 3-9.


# Configure PE1.

<PE1> system-view
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 24
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.

<PE2> system-view
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 24
[PE2-Vlanif10] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration, run the display ip routing-table command on PE1 and PE2. You can see that the PEs have learned routes to each other and can ping each other.

Take the display on PE1 as an example.

<PE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   1           D   100.1.1.2       Vlanif10
       100.1.1.0/24  Direct  0    0           D   100.1.1.1       vlanif10
       100.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
<PE1> ping 100.1.1.2
  PING 100.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=2 ms
    Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms


    Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 100.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

2. Enable basic MPLS functions and LDP on the MPLS backbone network.

# Configure PE1.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit

# Configure PE2.

[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit

After the configuration, run the display mpls ldp session command on PE1 or PE2. You can see that the Status of the peer between PE1 and PE2 is Operational, which indicates that the peer relation is established. Run the display mpls ldp lsp command, and you can view the established LSPs.

Take the display on PE1 as an example.

<PE1> display mpls ldp session

 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
  Peer-ID            Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
  2.2.2.9:0          Operational  DU   Passive  000:00:01   7/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
  LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
  SN   DestAddress/Mask   In/OutLabel   Next-Hop        In/Out-Interface
 ------------------------------------------------------------------------------
  1    1.1.1.9/32         3/NULL        127.0.0.1       Vlanif10/InLoop0
  2    2.2.2.9/32         NULL/3        100.1.1.2       -------/Vlanif10


 ------------------------------------------------------------------------------
 TOTAL: 2 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale

3. Enable MPLS L2VPN on PEs.

# Configure PE1.

[PE1] mpls l2vpn
[PE1] quit

# Configure PE2.

[PE2] mpls l2vpn
[PE2] quit

4. Create VSIs and specify LDP as the signaling protocol of VSIs.

# Configure PE1.

[PE1] vsi v123 static
[PE1-vsi-v123] pwsignal ldp
[PE1-vsi-v123-ldp] vsi-id 2
[PE1-vsi-v123-ldp] peer 2.2.2.9
[PE1-vsi-v123-ldp] quit
[PE1-vsi-v123] quit

# Configure PE2.

[PE2] vsi v123 static
[PE2-vsi-v123] pwsignal ldp
[PE2-vsi-v123-ldp] vsi-id 2
[PE2-vsi-v123-ldp] peer 1.1.1.9
[PE2-vsi-v123-ldp] quit
[PE2-vsi-v123] quit

5. Bind the VSI to the interfaces on the PEs.

# Configure PE1.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] l2 binding vsi v123
[PE1-Vlanif20] quit

# Configure PE2.

[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] l2 binding vsi v123
[PE2-Vlanif30] quit

After the configuration, run the display vsi name v123 verbose command on PE1. You can see that VSI v123 has set up a PW to PE2 and that the status of the VSI is Up.

<PE1> display vsi name v123 verbose

***VSI Name               : v123
   Administrator VSI      : no
   Isolate Spoken         : disable
   VSI Index              : 0
   PW Signaling           : ldp
   Member Discovery Style : static


   PW MAC Learn Style     : unqualify
   Encapsulation Type     : vlan
   MTU                    : 1500
   Diffserv Mode          : uniform
   Mpls Exp               : --
   DomainId               : 255
   Domain Name            :
   VSI State              : up

   VSI ID                 : 2
  *Peer Router ID         : 2.2.2.9
    VC Label              : 27648
    Peer Type             : dynamic
    Session               : up
    Tunnel ID             : 0x802000

   Interface Name         : Vlanif20
    State                 : up

  **PW Information:

  *Peer Ip Address        : 2.2.2.9
    PW State              : up
    Local VC Label        : 21504
    Remote VC Label       : 21504
    PW Type               : label
    Tunnel ID             : 0x802000
    FIB Link-ID           : 1

Step 2 Configure DHCP snooping.

1. Enable DHCP snooping.

Enable DHCP snooping globally and on the interface.

# Configure PE1.

[PE1] dhcp enable
[PE1] dhcp snooping enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping enable
[PE1-GigabitEthernet2/0/0] quit

Enable DHCP snooping over VPLS.

# Configure PE1.

[PE1] dhcp snooping over-vpls enable

2. Configure the trusted interface.

# Configure PE1.

Configure the interface connected to the DHCP server as a trusted interface, and enable DHCP snooping on all interfaces connected to DHCP clients. An interface on which DHCP snooping is enabled is untrusted unless it is explicitly configured as trusted, so DHCP server replies (Offer and ACK messages) arriving on client-side interfaces are discarded. This prevents bogus DHCP server attacks.

[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping trusted
[PE1-GigabitEthernet2/0/0] quit

3. Configure the DHCP snooping binding table.

# Configure PE1.


Set the maximum number of DHCP snooping users on the interfaces at the DHCP client side. This prevents an attacker from exhausting the address pool by requesting a large number of IP addresses, and ensures that authorized users can still obtain IP addresses.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
[PE1-GigabitEthernet1/0/0] quit

Configure static binding entries. If users adopt static IP addresses, you need to manuallyconfigure static DHCP snooping entries.

[PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20

4. Configure the checking of specific packets.

# Configure PE1.

# Check DHCP Request messages on the interfaces at the DHCP client side against the binding table, to prevent attackers from sending bogus DHCP messages to extend or release other users' IP address leases.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping check user-bind enable

# Check the CHADDR field on the interfaces at the DHCP client side, to prevent attacks in which the CHADDR field is forged so that it differs from the source MAC address of the frame.

[PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[PE1-GigabitEthernet1/0/0] quit

5. Configure Option 82.

# Configure PE1.

# Configure DHCP messages to carry interface information (Option 82), so that the binding table records more accurate interface information.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp option82 insert enable
[PE1-GigabitEthernet1/0/0] quit

6. Configure the alarm function.

# Configure PE1.

Enable the alarm for discarded packets and set the alarm threshold for each check.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[PE1-GigabitEthernet1/0/0] quit

Enable DHCP packet rate checking, enable the alarm for packets discarded by the rate check, and set the alarm threshold.

[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate alarm enable
[PE1] dhcp snooping check dhcp-rate alarm threshold 80
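The checks configured in Step 2 are easier to follow when the decision per packet is written out. The following Python model is an added example and not Huawei or S9300 code. It reproduces what the switch does with each DHCP packet: server replies on an untrusted port are discarded (untrust-reply), the CHADDR field is compared with the frame's source MAC (check mac-address), renew and release messages are matched against the binding table (check user-bind), a new lease is recorded only while the client port is below max-user-number, an Option 82 circuit-id is added on client-side ports, and an alarm is raised when a drop counter reaches its threshold. The port names, MAC addresses, packet fields and the circuit-id format are constructed for the example; the real Option 82 sub-option encoding and the alarm reset behaviour are not modelled.

```python
"""DHCP snooping checks from Step 2, modelled in Python (added example, not S9300 code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7   # RFC 2132 option 53 values
SERVER_MSGS = {OFFER, ACK}


@dataclass(frozen=True)
class Binding:            # one row of the DHCP snooping binding table
    ip: str
    mac: str
    iface: str
    vlan: int


@dataclass
class Dhcp:               # only the fields the checks look at (constructed sample data)
    src_mac: str          # Ethernet source MAC of the frame
    chaddr: str           # DHCP client hardware address field
    msg_type: int
    ciaddr: str = "0.0.0.0"   # address the client claims (renew/release)
    yiaddr: str = "0.0.0.0"   # address the server assigns (OFFER/ACK)
    option82: Optional[bytes] = None


@dataclass
class Port:
    trusted: bool = False             # dhcp snooping trusted
    max_users: Optional[int] = None   # dhcp snooping max-user-number
    option82_insert: bool = False     # dhcp option82 insert enable
    alarm_threshold: int = 100        # dhcp snooping alarm <check> threshold
    drops: dict = field(default_factory=lambda: {"untrust-reply": 0, "mac-address": 0, "user-bind": 0})


class DhcpSnooping:
    def __init__(self, ports: dict[str, Port]):
        self.ports = ports
        self.bindings: set[Binding] = set()
        self.pending: dict[str, tuple[str, int]] = {}   # chaddr -> (iface, vlan) of the client
        self.alarms: list[str] = []

    def _drop(self, iface: str, check: str) -> str:
        port = self.ports[iface]
        port.drops[check] += 1
        if port.drops[check] == port.alarm_threshold:
            self.alarms.append(f"{iface}: {check} drops reached {port.alarm_threshold}")
        return "drop:" + check

    def process(self, iface: str, vlan: int, pkt: Dhcp) -> str:
        """Return 'forward' or 'drop:<check>' for a packet received on iface/vlan."""
        port = self.ports[iface]
        if pkt.msg_type in SERVER_MSGS:
            if not port.trusted:                       # reply from a bogus DHCP server
                return self._drop(iface, "untrust-reply")
            if pkt.msg_type == ACK:
                self._learn(pkt)
            return "forward"
        if pkt.chaddr != pkt.src_mac:                  # dhcp snooping check mac-address
            return self._drop(iface, "mac-address")
        renew_or_release = pkt.msg_type == RELEASE or (pkt.msg_type == REQUEST and pkt.ciaddr != "0.0.0.0")
        if renew_or_release and Binding(pkt.ciaddr, pkt.chaddr, iface, vlan) not in self.bindings:
            return self._drop(iface, "user-bind")      # dhcp snooping check user-bind
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[pkt.chaddr] = (iface, vlan)   # remember where the client sits
        if port.option82_insert and pkt.option82 is None:
            pkt.option82 = f"{iface}:{vlan}".encode()  # simplified circuit-id (real encoding differs)
        return "forward"

    def _learn(self, ack: Dhcp) -> None:
        """Record the lease from an ACK unless the client port has reached max-user-number."""
        where = self.pending.pop(ack.chaddr, None)
        if where is None:
            return
        iface, vlan = where
        limit = self.ports[iface].max_users
        if limit is None or sum(b.iface == iface for b in self.bindings) < limit:
            self.bindings.add(Binding(ack.yiaddr, ack.chaddr, iface, vlan))


def run_scenario() -> tuple[list[str], DhcpSnooping]:
    """GE1/0/0 faces clients (untrusted), GE2/0/0 faces the server (trusted)."""
    snoop = DhcpSnooping({"GE1/0/0": Port(max_users=2, option82_insert=True, alarm_threshold=2),
                          "GE2/0/0": Port(trusted=True)})
    snoop.bindings.add(Binding("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20))   # user-bind static entry
    server, client, attacker = "0000-5e00-0101", "00aa-bbbb-0002", "00aa-bbbb-0009"
    results = [
        snoop.process("GE1/0/0", 20, Dhcp(attacker, attacker, OFFER, yiaddr="10.1.1.99")),   # rogue server
        snoop.process("GE1/0/0", 20, Dhcp(attacker, client, DISCOVER)),                     # forged CHADDR
        snoop.process("GE1/0/0", 20, Dhcp(client, client, DISCOVER)),                       # genuine client
        snoop.process("GE2/0/0", 20, Dhcp(server, client, ACK, yiaddr="10.1.1.2")),         # lease learned
        snoop.process("GE1/0/0", 20, Dhcp(attacker, attacker, RELEASE, ciaddr="10.1.1.2")), # bogus release
        snoop.process("GE1/0/0", 20, Dhcp(client, client, REQUEST, ciaddr="10.1.1.2")),     # genuine renew
        snoop.process("GE1/0/0", 20, Dhcp(attacker, attacker, OFFER, yiaddr="10.1.1.98")),  # 2nd drop: alarm
    ]
    return results, snoop
```

The scenario in run_scenario() mirrors the example topology: the static entry for 10.1.1.1 stands in for the user-bind static command, and GE1/0/0 is given max-user-number 2 and an alarm threshold of 2 so that both limits are hit within a handful of packets.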

Step 3 Verify the configuration.

After the configuration, users can dynamically apply for IP addresses.


Run the display dhcp snooping global command on PE1. You can view that DHCP snooping is enabled globally and in the interface view. You can also view the statistics on the alarms sent to the NMS.

<PE1> display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :
  NULL
 Dhcp snooping enable is configured at these interface :
  GigabitEthernet1/0/0   GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :
  GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface :
  GigabitEthernet1/0/0
 Dhcp option82 rebuild is configured at these interface :
  NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command on PE1, and you can view information about DHCP snooping on the interface.

<PE1> display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0
 dhcp snooping max-user-number 3000
<PE1> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

Run the display user-bind all command on PE1, and you can view the static binding entries of users.

<PE1> display user-bind all
bind-table:
ifname      O/I-vlan    mac-address     ip-address     tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0     20/ --      0001-0002-0003  10.1.1.1       S   0      --
-------------------------------------------------------------------------------
Static binditem count: 1    Static binditem total count: 1

----End

Configuration Files

l Configuration file of PE1

#
 sysname PE1
#
 vlan batch 10 20
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping over-vpls enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface GigabitEthernet1/0/0 vlan 20
#
 mpls lsr-id 1.1.1.9
 mpls
#
 mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 2
  peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 l2 binding vsi v123
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping max-user-number 3000
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return

l Configuration file of PE2

#
 sysname PE2
#
 vlan batch 10 30
#
 mpls lsr-id 2.2.2.9
 mpls
#
 mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif30
 l2 binding vsi v123
#
interface GigabitEthernet2/0/10
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return


4 ARP Security Configuration

About This Chapter

This chapter describes the principle and configuration of ARP security features.

4.1 Introduction to ARP Security
This section describes the principle of ARP security.

4.2 ARP Security Supported by the S9300
The ARP security features supported by the S9300 include limitation on ARP entry learning, ARP anti-spoofing, preventing ARP gateway attack, suppressing ARP packet source, suppressing ARP Miss packet source, preventing ARP man-in-the-middle attack, limitation on the transmission rate of ARP packets, and ARP proxy on a VPLS network.

4.3 Limiting ARP Entry Learning
After strict ARP entry learning is enabled, the S9300 learns only the response messages of the ARP request messages it sent itself.

4.4 Configuring ARP Anti-Attack
This section describes how to configure the ARP anti-attack function.

4.5 Suppressing Transmission Rate of ARP Packets
This section describes how to suppress the transmission rate of ARP packets.

4.6 Maintaining ARP Security
This section describes how to maintain ARP security.

4.7 Configuration Examples
This section provides several configuration examples of ARP security.


4.1 Introduction to ARP Security
This section describes the principle of ARP security.

ARP Attack

On a network, ARP entries are an easy target. Attackers send large numbers of ARP Request and Response packets to attack network devices. Such attacks are classified into ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.

l ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets and gratuitous ARP packets, which fills the ARP buffer. Normal ARP entries can then no longer be cached, and packet forwarding is interrupted.

l ARP DoS attacks: Attackers send a large number of ARP request and response packets, or other packets that trigger ARP processing. The device is then busy with ARP processing for a long period and neglects other services, so normal packet forwarding is interrupted.

Attackers may also use scanning tools to probe hosts on the local network segment or on other network segments. Before returning a response packet, the S9300 searches its ARP table. If no entry holds the MAC address for the destination IP address, the ARP module on the S9300 sends an ARP Miss message to the upper-layer software, which must then send an ARP request to obtain the destination MAC address. A large number of scanning packets generates a large number of ARP Miss messages, and system resources are consumed processing them at the expense of other services. This is called a scanning attack.

ARP Security

ARP security filters out untrusted ARP packets and suppresses certain ARP packets on a timed basis, to guarantee the security and robustness of network devices.

4.2 ARP Security Supported by the S9300
The ARP security features supported by the S9300 include limitation on ARP entry learning, ARP anti-spoofing, preventing ARP gateway attack, suppressing ARP packet source, suppressing ARP Miss packet source, preventing ARP man-in-the-middle attack, limitation on the transmission rate of ARP packets, and ARP proxy on a VPLS network.

Limitation on ARP Entry Learning

You can configure the strict ARP entry learning so that the S9300 can learn only the responsemessages of the ARP requests sent locally.

You can set the maximum number of ARP entries that can be dynamically learned by aninterface. This prevents malicious use of ARP entries and ensures that the S9300 can learn theARP entries of authorized users.


ARP Anti-Spoofing
ARP spoofing means that an attacker forges ARP packets that appear to come from other users and uses them to modify the ARP entries on the gateway. As a result, the authorized users are disconnected from the network.

The S9300 can prevent ARP spoofing by using the following methods:

l Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address in the entry to be modified through ARP entry learning until the entry ages. This prevents the ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, the MAC address cannot be modified, but the VLAN and interface can be; in fixed-all mode, the MAC address, VLAN, and interface cannot be modified.

l Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP packet that would change the MAC address of an entry. Instead, the S9300 sends a unicast acknowledgement packet to the user holding the MAC address currently recorded in the ARP table.

Preventing ARP Gateway Attack
ARP gateway attack means that an attacker sends gratuitous ARP packets whose source IP address is the gateway address on a local area network (LAN). After receiving these packets, hosts replace the MAC address of the gateway with the address of the attacker. As a result, none of the hosts on the LAN can access the network.

When the S9300 receives ARP packets with the bogus gateway address, one of the following situations applies:

l The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.

l The source IP address in the ARP packets is the virtual IP address of the incoming interface, but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group when the VRRP group is in virtual MAC address mode.

In either situation, the S9300 generates an ARP anti-attack entry and discards packets with the same source MAC address in the Ethernet header for a period (the default value is three minutes). This prevents ARP packets with the bogus gateway address from being broadcast on a VLAN.

Suppressing ARP Packet Source
When a large number of ARP packets are sent from one source IP address, they consume CPU resources of the device and the bandwidth reserved for ARP packets.

The S9300 can suppress the rate of ARP packets with a specified source IP address. If the number of ARP packets with that source IP address received by the S9300 within a specified period exceeds the set threshold, the S9300 does not process the excess ARP packets.

Suppressing ARP Miss Packet Source
When a host sends a large number of IP packets whose destination IP address cannot be resolved in order to attack the device, the S9300 suppresses the ARP Miss messages that have the specified source IP address. Each such IP packet triggers an ARP Miss message, and the S9300 keeps statistics on them. If a source IP address triggers ARP Miss messages continuously in a period and the rate exceeds the set threshold, the S9300 considers that an attack is occurring and delivers ACL rules to discard the IP packets sent from this address for a period (the default value is 50 seconds).

Preventing ARP Man-in-the-Middle Attack

A man-in-the-middle on the network may send a packet carrying its own MAC address and theIP address of the server to the client. The client learns the MAC address and IP address containedin the packet and considers the man-in-the-middle as the server. Then, the man-in-the-middlesends a packet carrying its own MAC address and the IP address of the client to the server. Theserver can learn the IP address and MAC address of the man-in-the-middle and consider theman-in-the-middle as the client. In this way, the man-in-the-middle obtains the data exchangedbetween the server and the client.

To prevent the man-in-the-middle attacks, you can configure the S9300 to check the ARP packetsaccording to the binding table. Only the packets that match the content of the binding table canbe forwarded; the other packets are discarded.

Limitation on the Transmission Rate of ARP Packets

The transmission rate of the ARP packets on the S9300 can be limited. This prevents theexcessive ARP packets from being transmitted to the security module and degrading systemperformance.

ARP Proxy on a VPLS Network

On a VPLS network, the S9300 can process ARP packets received on the PW. If an ARP packet is an ARP request and its destination IP address matches an entry in the DHCP snooping binding table, the S9300 constructs an ARP reply and sends it back to the requester on the PW side. Attacks caused by PW-side ARP packets being broadcast to the AC on a VPLS network are thus prevented.

4.3 Limiting ARP Entry Learning
After strict ARP entry learning is enabled, the S9300 learns only the response messages of the ARP request messages it sent itself.

4.3.1 Establishing the Configuration Task

4.3.2 Enabling Strict ARP Entry Learning

4.3.3 Configuring Interface-based ARP Entry Limitation

4.3.4 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
After strict ARP entry learning is enabled, the S9300 learns only the response messages of the ARP request messages it sent itself.

You can configure the limitation on ARP entry learning based on interfaces to limit the number of ARP entries dynamically learned by the interfaces.

Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
l Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation
To configure the limitation on ARP entry learning, you need the following data.

No. Data
1 Type and number of the interface where you need to configure the limitation on ARP entry learning

4.3.2 Enabling Strict ARP Entry Learning

Context
Strict ARP entry learning means that the S9300 learns only the response packets of the locally sent ARP Request packets.

Procedure
l Configuring strict ARP entry learning globally
1. Run:
system-view
The system view is displayed.
2. Run:
arp learning strict
Strict ARP learning is enabled.
By default, strict ARP learning is disabled on the S9300.

l Configuring strict ARP entry learning on an interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed.
The interface is a VLANIF interface.
3. Run:
arp learning strict { force-enable | force-disable | trust }
The strict ARP entry learning function is configured on the interface.
– force-enable: enables strict ARP entry learning on the interface.
– force-disable: disables strict ARP entry learning on the interface.
– trust: the interface follows the global strict ARP entry learning configuration.
By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.

l Configuring strict ARP entry learning on a GE or Ethernet subinterface
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number [.subnumber ]
The GE or Ethernet subinterface view is displayed.
3. Run:
arp learning strict { force-enable | force-disable | trust }
The strict ARP entry learning function is configured on the GE or Ethernet subinterface.
– force-enable: enables strict ARP entry learning on the GE or Ethernet subinterface.
– force-disable: disables strict ARP entry learning on the GE or Ethernet subinterface.
– trust: the GE or Ethernet subinterface follows the global strict ARP entry learning configuration.
By default, the configuration of strict ARP entry learning on a GE or Ethernet subinterface is the same as that configured globally.

l Configuring strict ARP entry learning on an Eth-trunk subinterface
1. Run:
system-view
The system view is displayed.
2. Run:
interface eth-trunk trunk-id [.subnumber ]
The Eth-trunk subinterface view is displayed.
3. Run:
arp learning strict { force-enable | force-disable | trust }
The strict ARP entry learning function is configured on the Eth-trunk subinterface.
– force-enable: enables strict ARP entry learning on the Eth-trunk subinterface.


– force-disable: disables strict ARP entry learning on an Eth-trunk subinterface.

– trust: indicates that the configuration of strict ARP entry learning on an Eth-trunksubinterface is the same as that configured globally.

By default, the configuration of strict ARP entry learning on an Eth-trunk subinterfaceis the same as that configured globally.

----End

4.3.3 Configuring Interface-based ARP Entry Limitation

Context
If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of authorized users. To prevent such attacks, you can set the maximum number of ARP entries that can be dynamically learned by an interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interface can be a GE interface, an Ethernet interface, an Eth-Trunk, or a VLANIF interface.

Step 3 Run:
arp-limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum maximum

Interface-based ARP entry limitation is configured.

The vlan parameter can only be used on GE interfaces, Ethernet interfaces, or Eth-Trunks.

----End

4.3.4 Checking the Configuration

Prerequisite
The configurations of ARP entry limitation are complete.

Procedure
l Run the display arp learning strict command to view the configuration of strict ARP entry learning.
l Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned by an interface or a VLAN.

----End


Example
Run the display arp learning strict command, and you can view the configuration of strict ARP entry learning.

<Quidway> display arp learning strict
 The global configuration: arp learning strict
 interface                 LearningStrictState
------------------------------------------------------------
 Vlanif100                 force-disable
 Vlanif200                 force-enable
------------------------------------------------------------
 Total:2
 force-enable:1   force-disable:1

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can view the maximum number of ARP entries that can be learned by an interface or a VLAN.

<Quidway> display arp-limit interface GigabitEthernet 1/0/10
 interface                 LimitNum    VlanID    LearnedNum(Mainboard)
---------------------------------------------------------------------------
 GigabitEthernet1/0/10     1000        3         0
 GigabitEthernet1/0/10     1000        4         0
 GigabitEthernet1/0/10     1000        5         0
 GigabitEthernet1/0/10     1000        6         0
 GigabitEthernet1/0/10     1000        7         0
 GigabitEthernet1/0/10     1000        8         0
 GigabitEthernet1/0/10     1000        9         0
 GigabitEthernet1/0/10     1000        10        0
---------------------------------------------------------------------------
 Total:8

<Quidway> display arp-limit vlan 3
 interface                 LimitNum    VlanID    LearnedNum(Mainboard)
---------------------------------------------------------------------------
 GigabitEthernet1/0/10     1000        3         0
---------------------------------------------------------------------------
 Total:1

4.4 Configuring ARP Anti-Attack
This section describes how to configure the ARP anti-attack function.

4.4.1 Establishing the Configuration Task

4.4.2 Preventing the ARP Address Spoofing Attack

4.4.3 Preventing the ARP Gateway Duplicate Attack

4.4.4 Preventing the Man-in-the-Middle Attack

4.4.5 Configuring ARP Proxy on a VPLS Network

4.4.6 Configuring DHCP to Trigger ARP Learning

4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets

4.4.8 Enabling Log and Alarm Functions for Potential Attacks

4.4.9 Checking the Configuration


4.4.1 Establishing the Configuration Task

Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are an easy target; therefore, the ARP anti-attack function should be configured on the access layer or convergence layer to ensure network security.

l To prevent attackers from forging the ARP packets of authorized users and modifying the ARP entries on the gateway, you can configure the ARP address anti-spoofing function.

l To prevent attackers from impersonating the gateway by sending gratuitous ARP packets whose source IP address is the gateway address on the LAN, which makes hosts replace the gateway address with the address of the attacker, you can configure the ARP gateway anti-collision function.

l To prevent unauthorized users from accessing external networks by sending ARP packets to the S9300, you can configure the ARP packet checking function.

Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
l Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation
To configure ARP anti-attack, you need the following data.

No. Data
1 (Optional) Alarm threshold of the ARP packets discarded because they do not match the binding table.

4.4.2 Preventing the ARP Address Spoofing Attack

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

The ARP anti-spoofing function is enabled.

You can use only one ARP anti-spoofing mode. If an ARP anti-spoofing mode is already used,the latest configuration overrides the previous configuration.


By default, the ARP anti-spoofing function is disabled on the S9300.

----End
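The difference between the three entry-check modes is in what an already learned entry will accept before it ages out. The following Python model is an added example, not S9300 code; it applies the same two packets (a port move with the known MAC, then the same IP with a forged MAC) to a table protected by each mode, and to an unprotected table for comparison. It assumes that in send-ack mode the entry is updated only when the unicast probe to the current owner goes unanswered, which the text above does not spell out; the addresses and port names are constructed for the example.

```python
"""The fixed-mac, fixed-all and send-ack modes of arp anti-attack entry-check (added example, not S9300 code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MODES = (None, "fixed-mac", "fixed-all", "send-ack")   # None = entry-check not enabled


@dataclass(frozen=True)
class Entry:
    mac: str
    vlan: int
    iface: str


class ArpAntiSpoof:
    def __init__(self, mode: Optional[str]):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.table: dict[str, Entry] = {}
        self.awaiting: dict[str, Entry] = {}      # ip -> candidate held back by send-ack
        self.probes: list[tuple[str, str]] = []   # (ip, MAC the unicast probe was sent to)

    def receive(self, ip: str, mac: str, vlan: int, iface: str) -> str:
        """Apply an ARP packet claiming ip/mac on vlan/iface to the table."""
        cand = Entry(mac, vlan, iface)
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = cand
            return "learn"
        if old == cand:
            return "refresh"                      # same binding, nothing to protect
        if self.mode == "fixed-mac":
            if old.mac != mac:
                return "drop:mac-fixed"           # MAC is pinned until the entry ages
            self.table[ip] = cand                 # same MAC: VLAN/interface may move
            return "update"
        if self.mode == "fixed-all":
            return "drop:entry-fixed"             # nothing may change until ageing
        if self.mode == "send-ack":
            self.awaiting[ip] = cand
            self.probes.append((ip, old.mac))     # ask the current owner first
            return "pending"
        self.table[ip] = cand                     # unprotected: last packet wins
        return "update"

    def probe_result(self, ip: str, owner_replied: bool) -> str:
        """Finish a send-ack probe (assumption: change applies only if the owner is silent)."""
        cand = self.awaiting.pop(ip)
        if owner_replied:
            return "keep"
        self.table[ip] = cand
        return "update"

    def age_out(self, ip: str) -> None:
        self.table.pop(ip, None)                  # after ageing the IP may be relearned freely


def run_scenario() -> dict:
    """Same two packets against each mode: a port move, then a forged MAC for 10.1.1.1."""
    out = {}
    for mode in MODES:
        a = ArpAntiSpoof(mode)
        a.receive("10.1.1.1", "0001-0002-0003", 20, "GE1/0/0")
        r = [a.receive("10.1.1.1", "0001-0002-0003", 30, "GE1/0/1"),
             a.receive("10.1.1.1", "dead-beef-0001", 20, "GE1/0/0")]
        if mode == "send-ack":
            r.append(a.probe_result("10.1.1.1", owner_replied=True))   # real host still answers
        out[mode] = (r, a.table["10.1.1.1"].mac)
    return out
```

Because only one mode can be active at a time (the latest entry-check command replaces the previous one), the model takes a single mode per instance rather than a set.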

4.4.3 Preventing the ARP Gateway Duplicate Attack

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack gateway-duplicate enable

The ARP anti-attack function for preventing ARP packets with the bogus gateway address isenabled.

After this function is enabled, the ARP packets with the bogus gateway address on an interfaceof the S9300 are not broadcast to other interfaces. By default, this function is disabled on theS9300.

----End

4.4.4 Preventing the Man-in-the-Middle Attack

Context
To prevent man-in-the-middle attacks, you can configure the S9300 to check ARP packets. If ARP packets received on the interface, or on interfaces in the VLAN, match the binding table, the packets are forwarded; otherwise, they are discarded.

In addition, you can configure the alarm function. When the number of discarded packets exceedsthe threshold, an alarm is generated.

NOTE

Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user usesa static IP address, you need to configure the binding entry of the user manually. A DHCP snooping bindingentry consists of the IP address, MAC address, interface number, and VLAN ID of a user.

For the configuration of DHCP snooping, see 3.3.2 Enabling DHCP Snooping. For the configuration ofa static binding entry, see 5.3.2 (Optional) Configuring a Static User Binding Entry.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
arp anti-attack check user-bind enable

Checking of ARP packets against the binding table is enabled on the interface or in the VLAN.

By default, this check is disabled on interfaces and in VLANs.

Step 4 In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }*
Or in the VLAN view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | interface }*

The check items of ARP packets are configured.

By default, the check items consist of IP address, MAC address, VLAN, and interface. Packets that do not match a binding table entry on all configured check items are discarded.

Step 5 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm enable

The alarm function for the discarded ARP packets is enabled.

By default, the alarm function is disabled.

Step 6 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm threshold threshold

The alarm threshold for the number of ARP packets discarded because they do not match the binding table is set.

By default, the alarm threshold on an interface is the threshold set with arp anti-attack check user-bind alarm threshold in the system view. If no threshold is set in the system view, the default threshold on the interface is 100.

----End
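Steps 3 to 6 amount to a matching rule over the binding table plus a counter. The following Python model is an added example, not S9300 code. It keeps one policy per interface or per VLAN, compares the sender IP and MAC from the ARP payload and the receiving interface and VLAN against the binding table on the configured check items (all four by default), drops packets for which no entry agrees on every item, and raises an alarm when an interface policy's drop counter reaches its threshold. The binding, interface names and addresses are constructed for the example; the precedence used when both an interface policy and a VLAN policy apply to the same port is an assumption of the model (interface policy first).

```python
"""arp anti-attack check user-bind (interface or VLAN view), modelled in Python (added example, not S9300 code)."""
from __future__ import annotations
from dataclasses import dataclass

ALL_ITEMS = frozenset({"ip-address", "mac-address", "vlan", "interface"})


@dataclass(frozen=True)
class Binding:            # DHCP snooping or static binding entry
    ip: str
    mac: str
    iface: str
    vlan: int


@dataclass
class CheckPolicy:
    items: frozenset = ALL_ITEMS   # check-item ... ; default: IP, MAC, VLAN and interface
    alarm: bool = False            # arp anti-attack check user-bind alarm enable
    threshold: int = 100           # ... alarm threshold (100 when unset in every view)
    dropped: int = 0


class ArpUserBindCheck:
    def __init__(self, bindings):
        self.bindings = set(bindings)
        self.policies: dict[str, CheckPolicy] = {}   # keyed "iface:<name>" or "vlan:<id>"
        self.alarms: list[str] = []

    def enable(self, scope: str, policy: CheckPolicy) -> None:
        self.policies[scope] = policy

    def check(self, iface: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """Sender IP/MAC come from the ARP payload; iface/vlan are where the frame arrived."""
        scope = f"iface:{iface}" if f"iface:{iface}" in self.policies else f"vlan:{vlan}"
        policy = self.policies.get(scope)
        if policy is None:
            return "forward"                         # check not enabled for this port or VLAN
        got = {"ip-address": sender_ip, "mac-address": sender_mac, "vlan": vlan, "interface": iface}
        for b in self.bindings:
            have = {"ip-address": b.ip, "mac-address": b.mac, "vlan": b.vlan, "interface": b.iface}
            if all(have[item] == got[item] for item in policy.items):
                return "forward"                     # some entry agrees on every checked item
        policy.dropped += 1
        if policy.alarm and policy.dropped == policy.threshold:
            self.alarms.append(f"{scope}: {policy.dropped} ARP packets dropped by user-bind check")
        return "drop"


def run_scenario() -> tuple[list[str], ArpUserBindCheck]:
    """One bound host on GE1/0/0 VLAN 20; a man-in-the-middle claims its IP from two ports."""
    chk = ArpUserBindCheck([Binding("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20)])
    chk.enable("iface:GE1/0/0", CheckPolicy(alarm=True, threshold=2))        # all items, alarm at 2
    chk.enable("vlan:20", CheckPolicy(items=frozenset({"ip-address", "mac-address"})))  # VLAN view
    results = [
        chk.check("GE1/0/0", 20, "10.1.1.1", "0001-0002-0003"),   # genuine host
        chk.check("GE1/0/0", 20, "10.1.1.1", "dead-beef-0001"),   # attacker claims 10.1.1.1
        chk.check("GE1/0/1", 20, "10.1.1.1", "0001-0002-0003"),   # same host on another port: VLAN rule only checks IP/MAC
        chk.check("GE1/0/1", 20, "10.1.1.1", "dead-beef-0001"),   # attacker on the other port
        chk.check("GE1/0/0", 20, "10.1.1.1", "dead-beef-0002"),   # second drop on GE1/0/0: alarm
        chk.check("GE1/0/0", 30, "10.1.1.1", "0001-0002-0003"),   # right host, wrong VLAN
    ]
    return results, chk
```

The last packet in the scenario shows why the default check items include the VLAN and the interface: with only IP and MAC checked, an attacker who has learned a victim's IP/MAC pair could still pass the check from any other port or VLAN.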

4.4.5 Configuring ARP Proxy on a VPLS Network

Context
To prevent attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network, you can configure ARP proxy on the S9300 to process the PW-side ARP packets.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:arp over-vpls enable

ARP proxy is enabled on the S9300 of a VPLS network.

By default, ARP proxy is disabled on the S9300 of a VPLS network.

On a VPLS network, after the arp over-vpls enable command is run on the S9300, ARP packets on the PW are sent to the main control board for processing.

- If the ARP packets are ARP request packets and the destination IP address of the packets matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets and sends them to the requester on the PW side. The attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network are thus prevented.

- If the ARP packets are not ARP request packets, or they are ARP request packets but the destination IP address of the packets does not match any entry in the DHCP snooping binding table, the ARP packets are forwarded normally.

The arp over-vpls enable command needs to be used with DHCP snooping over VPLS because the DHCP snooping binding table is used. For the configuration of DHCP snooping over VPLS, see 3.3.2 Enabling DHCP Snooping.

----End

4.4.6 Configuring DHCP to Trigger ARP Learning

Context

This task is performed to enable DHCP-triggered ARP learning. When the DHCP server assigns an IP address to the user, the S9300 obtains the MAC address of the user and generates the ARP entry corresponding to the IP address after responding to DHCP ACK messages. In this manner, the S9300 does not need to learn ARP entries of the user hosts.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.

Step 3 Run:
arp learning dhcp-trigger

The S9300 is configured to learn ARP entries according to the DHCP ACK message received on the VLANIF interface, and to discard ARP request packets for querying the destination host of the network segment of the interface.

By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages. When the traffic passes, ARP learning is triggered.


NOTE

- To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on the VLANIF interface.

- If the DHCP user and DHCP server are located on the same network segment, you cannot use the arp learning dhcp-trigger command.

----End

4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets

Context

If a large number of gratuitous ARP packets are sent to attack the S9300, the S9300 cannot process valid ARP packets. You can configure the S9300 to discard the gratuitous ARP packets.

The function of discarding gratuitous ARP packets can be enabled in the system view or the VLANIF interface view.

- If the function is enabled in the system view, all the interfaces of the S9300 discard the gratuitous ARP packets.

- If the function is enabled in the VLANIF interface view, the VLANIF interface discards the gratuitous ARP packets.

- Before enabling an interface to discard gratuitous ARP packets, you do not need to enable the function globally.

Procedure

- Enabling the function of discarding gratuitous ARP packets globally

1. Run:
system-view

The system view is displayed.

2. Run:
arp anti-attack gratuitous-arp drop

The S9300 is enabled to discard gratuitous ARP packets.

By default, the S9300 does not discard gratuitous ARP packets.

- Enabling the function of discarding gratuitous ARP packets on a VLANIF interface

1. Run:
system-view

The system view is displayed.

2. Run:
interface vlanif interface-number

The VLANIF interface view is displayed.

Generally, this function is enabled on the user-side interface.

3. Run:
arp anti-attack gratuitous-arp drop


The interface is enabled to discard gratuitous ARP packets.

By default, the interfaces of the S9300 do not discard gratuitous ARP packets.

----End

4.4.8 Enabling Log and Alarm Functions for Potential Attacks

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
arp anti-attack log-trap-timer time

Log and alarm functions are enabled for potential attacks.

time specifies the interval for writing an ARP log and sending an alarm. By default, the value is 0, indicating that log and alarm functions are disabled.

----End

4.4.9 Checking the Configuration

Prerequisite

The configurations of ARP anti-attack are complete.

Procedure

- Run the display arp anti-attack configuration { entry-check | gateway-duplicate | log-trap-timer | all } command to check the configuration of ARP anti-attack.

- Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks on the network.

- Run the display arp anti-attack check user-bind interface interface-type interface-number command to check the configuration of the binding table for checking ARP packets.

----End

Example

Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.

<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC

ARP gateway-duplicate anti-attack function: enabled

ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)

Run the display arp anti-attack gateway-duplicate item command, and you can view information about bogus gateway address attacks on the network.


<Quidway> display arp anti-attack gateway-duplicate item
interface            IP address   MAC address      VLANID  aging time
-------------------------------------------------------------------------------
GigabitEthernet1/0/1 2.1.1.1      0000-0000-0002   2       153
GigabitEthernet1/0/1 2.1.1.1      0000-0000-0004   2       179
-------------------------------------------------------------------------------
There are 2 records in gateway conflict table

Run the display arp anti-attack check user-bind interface interface-type interface-number command, and you can view the configuration of the binding table for checking ARP packets.

<Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
ARP packet drop count = 10

4.5 Suppressing Transmission Rate of ARP Packets

This section describes how to suppress the transmission rate of the ARP packets.

4.5.1 Establishing the Configuration Task

4.5.2 Configuring Source-based ARP Suppression

4.5.3 Configuring Source-based ARP Miss Suppression

4.5.4 Setting the Suppression Time of ARP Miss Messages

4.5.5 Suppressing Transmission Rate of ARP Packets

4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task

Applicable Environment

On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore, it is required to configure ARP suppression features on the access layer or convergence layer to ensure network security.

- To prevent excessive ARP packets from increasing the CPU workload and occupying excessive ARP entries, you can suppress the transmission rate of ARP packets. Then the transmission rate of the ARP packets transmitted to the main control board is limited.

- To prevent a host from sending excessive IP packets whose destination IP addresses cannot be resolved, you can suppress the source IP address that sends the packets, that is, configure the suppression on the ARP Miss source. Then these IP packets are discarded.

- After the IP source guard function is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for check. If excessive ARP packets are sent to the security module, the security module will be impacted. In this case, you can suppress the transmission rate of the ARP packets; the packets that exceed the transmission rate are discarded.

Pre-configuration Tasks

Before configuring ARP suppression, complete the following task:


- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation

To configure ARP suppression, you need the following data.

No. Data

1 Maximum transmission rate of the ARP packets sent by a specified source IP address
  (Optional) Source IP address and maximum transmission rate of the ARP packets sent by a specified source IP address

2 Maximum transmission rate of the ARP Miss packets sent by a specified source IP address
  (Optional) Source IP address and maximum transmission rate of the ARP Miss packets sent by a specified source IP address

3 Maximum transmission rate of the ARP packets sent to the security module
  (Optional) Alarm threshold of the number of ARP packets discarded because they exceed the transmission rate

4.5.2 Configuring Source-based ARP Suppression

Context

A user may have special requirements; therefore, you can set the suppression rate for ARP packets with a specified source IP address to a value different from that for packets with other source IP addresses.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
arp speed-limit source-ip maximum maximum

The suppression rate of ARP packets is set.

Step 3 (Optional) Run:
arp speed-limit source-ip ip-address maximum maximum

The suppression rate of ARP packets with a specified source IP address is set.

After the preceding configurations are complete, the suppression rate of ARP packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP packets with other source IP addresses is the value specified by maximum in step 2.

If the suppression rate of ARP packets is set to 0, it indicates that ARP packets are not suppressed. By default, the suppression rate of ARP packets is 5 pps.

----End

4.5.3 Configuring Source-based ARP Miss Suppression

Context

A user may have special requirements; therefore, you can set the suppression rate for ARP Miss packets with a specified source IP address to a value different from that for ARP Miss packets with other source IP addresses.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
arp-miss speed-limit source-ip maximum maximum

The suppression rate of ARP Miss packets is set.

Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum

The suppression rate of ARP Miss packets with a specified source IP address is set.

After the preceding configurations are complete, the suppression rate of ARP Miss packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP Miss packets with other source IP addresses is the value specified by maximum in step 2.

If the suppression rate of ARP Miss packets is set to 0, it indicates that ARP Miss packets are not suppressed. By default, the suppression rate of ARP Miss packets is 5 pps.

----End
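Sections 4.5.2 and 4.5.3 configure the same kind of limiter for two packet types: a default rate that applies to every source ("Others" in the display output), per-source overrides, and a rate of 0 that disables suppression for that source. The Python limiter below is an added example serving both sections, not code from the Huawei guide or the S9300. It uses a one-second sliding window to count packets per source, which is an assumption about how pps is measured, not a statement of the switch's algorithm; the source addresses, rates and timestamps are constructed sample input taken from the style of the guide's own examples.

```python
"""Per-source ARP / ARP Miss rate suppression, modelled on 4.5.2 and 4.5.3.

Added example, not code from the Huawei guide or the S9300. The sliding-
window measurement, the addresses and the packet timings below are
constructed assumptions used to illustrate default and per-source rates.
"""
from collections import deque

WINDOW_MS = 1000  # one-second window, timestamps are integer milliseconds


class SourceSpeedLimiter:
    """Admits at most `limit` packets per source per second; 0 means unlimited."""

    def __init__(self, default_max=5, per_source=None):
        self.default_max = default_max          # guide default: 5 pps
        self.per_source = dict(per_source or {})  # ip -> pps, 0 disables suppression
        self._windows = {}                      # ip -> deque of admit times (ms)
        self.dropped = {}                       # ip -> number of discarded packets

    def limit_for(self, ip):
        """Per-source rate if configured (step 3), otherwise the default (step 2)."""
        return self.per_source.get(ip, self.default_max)

    def admit(self, ip, now_ms):
        """Return True if the packet is forwarded, False if it is discarded."""
        limit = self.limit_for(ip)
        if limit == 0:
            return True
        window = self._windows.setdefault(ip, deque())
        while window and now_ms - window[0] >= WINDOW_MS:
            window.popleft()                    # forget admits older than one second
        if len(window) >= limit:
            self.dropped[ip] = self.dropped.get(ip, 0) + 1
            return False
        window.append(now_ms)
        return True


def simulate(limiter, ip, count, duration_ms):
    """Send `count` packets from `ip` spread evenly over `duration_ms`.

    Returns (admitted, dropped). Constructed traffic, not a capture.
    """
    admitted = 0
    for k in range(count):
        if limiter.admit(ip, k * duration_ms // count):
            admitted += 1
    return admitted, count - admitted


def run_demo():
    """Rates borrowed from the guide's 4.7.1 example: 300 pps default, 200 pps for one user."""
    limiter = SourceSpeedLimiter(default_max=300,
                                 per_source={"2.2.4.2": 200, "10.0.0.8": 0})
    return {
        # 250 packets in one second from the 200 pps user: 200 pass, 50 dropped
        "user4_1s": simulate(limiter, "2.2.4.2", 250, 1000),
        # 250 packets in one second from an unlisted source: under 300, all pass
        "other_1s": simulate(limiter, "2.2.1.1", 250, 1000),
        # rate 0 means no suppression at all
        "exempt_1s": simulate(limiter, "10.0.0.8", 1000, 1000),
        # 500 packets over two seconds at 200 pps: 400 pass, 100 dropped
        "user4_2s": simulate(SourceSpeedLimiter(300, {"2.2.4.2": 200}),
                             "2.2.4.2", 500, 2000),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The same object models ARP Miss suppression by feeding it the source addresses of IP packets whose destination could not be resolved instead of ARP packets; only the command keyword (arp versus arp-miss) differs in the guide.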

4.5.4 Setting the Suppression Time of ARP Miss Messages

Context

After the VLANIF interface receives unreachable IP unicast packets, the packets are sent to the CPU of the main control board because the ARP entries corresponding to the packets are not found in the forwarding table. Then, the main control board is triggered to learn ARP entries.

When the main control board learns ARP entries, it sends ARP broadcast request packets and generates fake ARP entries. The main control board sends the fake ARP entries to the LPU. The LPU does not send ARP Miss messages after receiving the fake ARP entry. If the main control board does not learn valid ARP entries, it deletes the fake ARP entries. Then, ARP Miss messages are sent continuously and ARP learning is triggered again.


The fake ARP entry is aged within five seconds and thus deleted by default. That is, ARP Miss messages are not sent to the CPU of the main control board within five seconds by default. When a large number of fake ARP entries are generated on the S9300, the S9300 is attacked by unknown packets. In this case, you can adjust the interval for sending unknown packets to reduce the sent unknown unicast packets and the CPU usage of the main control board.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.

Step 3 Run:
arp-miss suppress suppress-time

The suppression time for the S9300 to send ARP Miss messages is set.

By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds.

----End
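The Context above describes a timer: the first IP packet for an unresolved destination raises an ARP Miss message and installs a fake ARP entry, further packets for that destination raise nothing while the fake entry lives, and the entry ages out after the suppression time. The following Python model is an added example, not code from the Huawei guide or the S9300. The packet stream is constructed, and the model deliberately leaves out the case where a real ARP reply arrives and replaces the fake entry, so that it shows only how the suppression time bounds the number of ARP Miss messages.

```python
"""ARP Miss suppression timer, modelled on the description in 4.5.4.

Added example, not code from the Huawei guide or the S9300. The traffic
pattern is constructed, and the successful-learning path is left out.
"""


class ArpMissSuppressor:
    """Raises one ARP Miss per unresolved destination per suppression interval."""

    def __init__(self, suppress_time=5):
        self.suppress_time = suppress_time  # seconds; the guide's default is 5
        self._fake_entries = {}             # destination IP -> expiry time (seconds)
        self.miss_messages = 0              # ARP Miss messages sent to the main control board

    def on_unresolved_packet(self, dst_ip, now):
        """Handle an IP packet whose next hop has no ARP entry.

        Returns True if an ARP Miss message is sent, False if the fake entry
        installed earlier suppresses it.
        """
        expiry = self._fake_entries.get(dst_ip)
        if expiry is not None and now < expiry:
            return False                    # fake entry still present: suppressed
        # Fake entry absent or aged out: report the miss and (re)install the entry.
        self._fake_entries[dst_ip] = now + self.suppress_time
        self.miss_messages += 1
        return True


def count_misses(suppress_time, dst_ips, seconds, pps=1):
    """Constructed load: `pps` packets per second to each destination for `seconds`.

    Returns the number of ARP Miss messages the main control board receives.
    """
    sup = ArpMissSuppressor(suppress_time)
    for now in range(seconds):
        for dst in dst_ips:
            for _ in range(pps):
                sup.on_unresolved_packet(dst, now)
    return sup.miss_messages


def run_demo():
    """One host sending 10 pps to an unresolvable address for a minute."""
    default_timer = count_misses(5, ["10.0.0.99"], 60, pps=10)   # 12 messages
    longer_timer = count_misses(30, ["10.0.0.99"], 60, pps=10)   # 2 messages
    return default_timer, longer_timer


if __name__ == "__main__":
    print(run_demo())
```

With the default 5-second timer a single unresolvable destination costs the main control board one ARP Miss every five seconds regardless of the packet rate; raising suppress-time lowers that further, at the price of waiting longer before a destination that has meanwhile become reachable is re-learned.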

4.5.5 Suppressing Transmission Rate of ARP Packets

Context

Before configuring the global ARP suppression, ensure that the IP source guard function is enabled on the interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp anti-attack rate-limit enable

The transmission rate of ARP packets is limited.

By default, ARP suppression is disabled globally.

Step 3 Run:
arp anti-attack rate-limit limit

The threshold for transmission rate of ARP packets is set.

After the threshold is set, the excessive packets are discarded. By default, the threshold for the transmission rate of ARP packets is 100 pps.

Step 4 (Optional) Run:


arp anti-attack rate-limit alarm enable

The alarm function for the ARP packets discarded because the transmission rate is exceeded is enabled.

By default, the alarm function is disabled.

Step 5 (Optional) Run:
arp anti-attack rate-limit alarm threshold threshold

The alarm threshold of the number of ARP packets discarded because the transmission rate is exceeded is set.

By default, the alarm threshold of discarded ARP packets is 5.

----End

4.5.6 Checking the Configuration

Prerequisite

The configurations of the limitation on ARP transmission rate are complete.

Procedure

- Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit | all } command to view the configuration of ARP source suppression.

----End

Example

Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.

<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC

ARP gateway-duplicate anti-attack function: enabled

ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)

ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.3          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.

ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.2          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.

4.6 Maintaining ARP Security

This section describes how to maintain ARP security.

4.6.1 Displaying the Statistics About ARP Packets

4.6.2 Clearing the Statistics on ARP Packets

4.6.3 Clearing the Statistics on Discarded ARP Packets

4.6.4 Debugging ARP Packets

4.6.1 Displaying the Statistics About ARP Packets

Procedure

- Run the display arp packet statistics [ slot slot-id ] command to view the statistics on ARP packets.

----End

Example

Run the display arp packet statistics command, and you can view the statistics on ARP packets.

<Quidway> display arp packet statistics
ARP Pkt Received: sum 25959
ARP Learnt Count: sum 3
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 23
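The two display outputs shown in this section and in 4.4.9 (display arp packet statistics and display arp anti-attack gateway-duplicate item) are what an operator polls to notice an ARP attack in progress. The Python parser below is an added example, not code from the Huawei guide or the S9300: it turns both outputs into structured data and derives two defender-side checks, the share of received ARP packets that were discarded and the gateway IP addresses claimed by more than one MAC address. The sample outputs embedded in the block are the ones printed in the guide, and the column layout they imply is the only format the parser assumes.

```python
"""Parsers for `display arp packet statistics` and
`display arp anti-attack gateway-duplicate item` output (4.6.1 and 4.4.9).

Added example, not code from the Huawei guide or the S9300. The sample
text is the guide's own example output; the regular expressions assume
that layout and nothing else.
"""
import re

SAMPLE_STATISTICS = """\
<Quidway> display arp packet statistics
ARP Pkt Received: sum 25959
ARP Learnt Count: sum 3
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 23
"""

SAMPLE_GATEWAY_TABLE = """\
<Quidway> display arp anti-attack gateway-duplicate item
interface            IP address   MAC address      VLANID  aging time
-------------------------------------------------------------------------------
GigabitEthernet1/0/1 2.1.1.1      0000-0000-0002   2       153
GigabitEthernet1/0/1 2.1.1.1      0000-0000-0004   2       179
-------------------------------------------------------------------------------
There are 2 records in gateway conflict table
"""

# "ARP Pkt Discard For Other: sum 23" -> name, integer value
_STAT_RE = re.compile(r"^(?P<name>ARP [A-Za-z ]+?):\s*sum\s+(?P<value>\d+)\s*$")
# One row of the gateway conflict table: interface, IP, MAC, VLAN, aging time
_ROW_RE = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<vlan>\d+)\s+(?P<aging>\d+)\s*$")


def parse_arp_packet_statistics(text):
    """Return {counter name: value} for every 'sum' line in the output."""
    counters = {}
    for line in text.splitlines():
        m = _STAT_RE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def parse_gateway_duplicate(text):
    """Return one dict per row of the gateway conflict table."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append({"interface": m.group("interface"), "ip": m.group("ip"),
                         "mac": m.group("mac").lower(), "vlan": int(m.group("vlan")),
                         "aging": int(m.group("aging"))})
    return rows


def discard_ratio(counters):
    """Fraction of received ARP packets discarded for any reason (0.0 if none received)."""
    received = counters.get("ARP Pkt Received", 0)
    discarded = sum(v for k, v in counters.items() if k.startswith("ARP Pkt Discard"))
    return discarded / received if received else 0.0


def conflicting_gateways(rows):
    """Gateway IPs seen with more than one MAC address, mapped to the sorted MACs."""
    by_ip = {}
    for r in rows:
        by_ip.setdefault(r["ip"], set()).add(r["mac"])
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    stats = parse_arp_packet_statistics(SAMPLE_STATISTICS)
    print(f"discard ratio: {discard_ratio(stats):.4%}")
    for ip, macs in conflicting_gateways(parse_gateway_duplicate(SAMPLE_GATEWAY_TABLE)).items():
        print(f"gateway {ip} claimed by {len(macs)} MAC addresses: {', '.join(macs)}")
```

Polling these two commands and comparing the discard counters against the previous sample (the counters are cumulative until reset arp packet statistics is run, see 4.6.2) gives a per-interval discard rate; a jump in ARP Pkt Discard For SpeedLimit points at the rate suppression of 4.5, while any row in the gateway conflict table is evidence of the bogus gateway attack that 4.4.9 checks for.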

4.6.2 Clearing the Statistics on ARP Packets

Context

CAUTION

Statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Run the following command in the user view to clear the statistics.

Procedure

- Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP packets.

----End


4.6.3 Clearing the Statistics on Discarded ARP Packets

Context

CAUTION

Statistics cannot be restored after being cleared. So, confirm the action before you run the command.

To clear the statistics on discarded ARP packets, run the following commands in the user view.

Procedure

- Run the reset arp anti-attack statistics check user-bind { global | interface interface-type interface-number } command to clear the statistics on the packets discarded because they do not match the binding table.

- Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit.

----End

4.6.4 Debugging ARP Packets

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

If a running fault occurs, run the following debugging commands in the user view to locate the fault.

Procedure

- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command to debug ARP packets.

- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets.

----End

4.7 Configuration Examples

This section provides several configuration examples of ARP security.


4.7.1 Example for Configuring ARP Security Functions

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks

4.7.1 Example for Configuring ARP Security Functions

Networking Requirements

As shown in Figure 4-1, the Switch is connected to a server through GE 1/0/3 and is connected to four users in VLAN 10 and VLAN 20 through GE 1/0/1 and GE 1/0/2. There are the following ARP attacks on the network:

- The server may send several packets with an unreachable destination IP address, and the number of these packets is larger than the number of packets from common users.

- After virus attacks occur on User 1, a large number of ARP packets are sent. Among these packets, the source IP address of certain ARP packets changes on the local network segment and the source IP address of certain ARP packets is the same as the IP address of the gateway.

- User 3 constructs a large number of ARP packets with a fixed IP address to attack the network.

- User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.

It is required that ARP security functions be configured on the Switch to prevent the preceding attacks. The suppression rate of ARP Miss packets set for the server should be greater than the suppression rate of other users.

Figure 4-1 Networking diagram for configuring ARP security functions

[Figure: the S9300 connects to the Server through GE1/0/3, to User1 and User2 (VLAN10) through GE1/0/1, and to User3 and User4 (VLAN20) through GE1/0/2.]

Configuration Roadmap

The configuration roadmap is as follows:


1. Enable strict ARP learning.
2. Enable interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation

To complete the configuration, you need the following data:

- Number of limited ARP entries on the interface being 20

- Anti-spoofing mode used to prevent attacks initiated by User 1 being fixed-mac

- IP address of the server being 2.2.2.2/24

- IP address of User 4 that sends a large number of ARP packets being 2.2.4.2/24

- Maximum suppression rate for ARP packets of User 4 being 200 pps and maximum suppression rate for ARP packets of other users being 300 pps

- Maximum suppression rate for ARP Miss packets of common users being 400 pps and maximum suppression rate for ARP Miss packets on the server being 1000 pps

- Interval for writing an ARP log and sending an alarm being 30 seconds

Procedure

Step 1 Enable strict ARP learning.

<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure interface-based ARP entry restriction.

# The number of limited ARP entries on each interface is 20. The following lists the configuration of GE 1/0/1, and the configurations of other interfaces are the same as the configuration of GE 1/0/1.

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp-limit vlan 10 maximum 20
[Quidway-GigabitEthernet1/0/1] quit

Step 3 Enable the ARP anti-spoofing function.

# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by User 1.

[Quidway] arp anti-attack entry-check fixed-mac enable

Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.

# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address to prevent User 1 from sending ARP packets with the bogus gateway address.

[Quidway] arp anti-attack gateway-duplicate enable


Step 5 Configure the rate suppression function for ARP packets.

# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the suppression rate for ARP packets of the system to 300 pps.

[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 200

Step 6 Configure the rate suppression function for ARP Miss packets.

# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from sending a large number of IP packets with an unreachable destination IP address.

[Quidway] arp-miss speed-limit source-ip maximum 400

# Set the suppression rate for ARP Miss packets on the server to 1000 pps to prevent the server from sending a large number of IP packets with an unreachable destination IP address, and to prevent communication on the network from being affected when the rate at which the server sends IP packets with an unreachable destination IP address is not as required.

[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000

Step 7 Enable log and alarm functions for potential attacks.

[Quidway] arp anti-attack log-trap-timer 30

Step 8 Verify the configuration.

After the configuration, run the display arp learning strict command, and you can view information about strict ARP learning.

<Quidway> display arp learning strict
The global configuration: arp learning strict
interface            LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0 force-enable:0 force-disable:0

You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface.

<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface            LimitNum  VlanID  LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet1/0/1 20        10      0
---------------------------------------------------------------------------
Total:1

You can use the display arp anti-attack configuration all command to check the configuration of ARP anti-attack.

<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC

ARP gateway-duplicate anti-attack function: enabled

ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)

ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.4.2           200
Others            300
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.

ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.2.2           1000
Others            400
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.

You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries. In addition, you can also use the display arp anti-attack gateway-duplicate item command to view information about attacks from the packets with the forged gateway address on the current network.

<Quidway> display arp packet statistics
ARP Pkt Received: sum 167
ARP Learnt Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum 0
ARP Pkt Discard For Other: sum 3

----End

Configuration Files

#
 sysname Quidway
#
vlan batch 10 20 30
#
 arp speed-limit source-ip maximum 300
 arp-miss speed-limit source-ip maximum 400
 arp learning strict
 arp anti-attack log-trap-timer 30
#
 arp anti-attack entry-check fixed-mac enable
 arp anti-attack gateway-duplicate enable
 arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
 arp speed-limit source-ip 2.2.4.2 maximum 200
#
interface GigabitEthernet 1/0/1
 port hybrid pvid vlan 10
 port hybrid tagged vlan 10
 arp-limit vlan 10 maximum 20
#
interface GigabitEthernet 1/0/2
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
 arp-limit vlan 20 maximum 20
#
interface GigabitEthernet 1/0/3
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
 arp-limit vlan 30 maximum 20
#
return

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks


Networking Requirements

As shown in Figure 4-2, two users are connected to the Switch through GE 1/0/1 and GE 1/0/2 respectively. Assume that the user connected to GE 1/0/2 is an attacker. To prevent man-in-the-middle attacks, you can configure the IP source guard function. After the IP source guard function is configured on the Switch, the Switch checks the IP packets according to the binding table. Only the IP packets that match the content of the binding table can be forwarded; the other IP packets are discarded. In addition, you can enable the alarm function for discarded packets.

Figure 4-2 Networking diagram for preventing man-in-the-middle attacks

[Figure: the Client (IP 10.0.0.1/24, MAC 1-1-1, VLAN ID 10) connects to the S9300 through GE1/0/1, the Attacker connects through GE1/0/2, and the S9300 connects to the Server.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation

To complete the configuration, you need the following data:

- Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2

- Check items: IP address + MAC address

- Alarm threshold of the number of discarded ARP packets: 80

- IP address of the client configured in the static binding table: 10.0.0.1/24; MAC address: 1-1-1; VLAN ID: 10

Procedure

Step 1 Configure the IP source guard function.

# Enable the IP source guard function on GE 1/0/1 connected to the client.


[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to the attacker.

[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure the check items of the static binding table.

# Configure Client in the static binding table.

[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10

Step 3 Configure the alarm function for discarded packets.

# Set the alarm threshold of the ARP packets discarded because they do not match the binding table.

[Quidway] arp anti-attack check user-bind alarm threshold 80

Step 4 Verify the configuration.

Run the display this command, and you can view the global alarm threshold set for the ARP packets discarded because they do not match the binding table. The alarm threshold takes effect on all interfaces.

<Quidway> display this
#
 arp anti-attack check user-bind alarm threshold 80

Run the display arp anti-attack check user-bind interface command, and you can view the configuration of the IP source guard function on the interface.

<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 ARP packet drop count = 0

<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/2
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 ARP packet drop count = 20

The preceding information indicates that GE 1/0/1 has not discarded any ARP packets, whereas GE 1/0/2 has discarded ARP packets. This indicates that the anti-attack function takes effect.

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
 arp anti-attack check user-bind alarm threshold 80
#
 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10
#
interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
interface gigabitethernet 1/0/2
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
return


5 Source IP Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of defense against source IP address attacks.

5.1 Overview of IP Source Guard
This section describes the principle of IP source guard.

5.2 IP Source Guard Features Supported by the S9300
This section describes how the IP Source Guard feature is supported in the S9300.

5.3 Configuring IP Source Guard
This section describes how to configure IP source guard.

5.4 Configuring IP Source Trail
This section describes how to configure IP source trail.

5.5 Configuring URPF
This section describes how to configure URPF.

5.6 Maintaining Source IP Attack Defense
This section describes how to maintain source IP attack defense.

5.7 Configuration Examples
This section provides configuration examples of IP source guard, IP source trail, and URPF.


5.1 Overview of IP Source Guard
This section describes the principle of IP source guard.

Source IP address spoofing is a common network attack: for example, the attacker impersonates a valid user and sends IP packets to the server, or forges the source IP address of a user for its own communication. As a result, valid users cannot obtain normal network services. To tackle such attacks, the S9300 provides the following methods:
l IP Source Guard
l IP Source Trail
l URPF (Unicast Reverse Path Forwarding)

IP Source Guard
IP source guard filters IP packets on interfaces so that invalid packets cannot pass through the interfaces, which improves the security of the interfaces.

The attacker sends packets carrying the IP address and MAC address of an authorized user to the server. The server treats the attacker as the authorized user and learns the IP address and MAC address from the attacker's packets. The actual user can then no longer obtain service from the server. Figure 5-1 shows the IP/MAC spoofing attack.

Figure 5-1 Diagram of IP/MAC spoofing attack (figure not reproduced; labels shown in the figure: DHCP server, DHCP client, Attacker, S9300, and the address pairs IP 1.1.1.1/24 MAC 1-1-1, IP 1.1.1.2/24 MAC 2-2-2, IP 1.1.1.3/24 MAC 3-3-3)

To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S9300. The S9300 then matches IP packets reaching an interface against the entries in the binding table. If a packet matches an entry in the binding table, the packet can pass through the interface; otherwise, the packet is discarded.

IP Source Trail
The IP source trail function is a DoS defense policy: once traffic is judged to be an attack, it traces the source of the attack so that corresponding measures can be taken. In tracing the attack sources, the sources are judged according to traffic statistics collected by destination IP address (the victim), source IP address, and inbound interface of the packets.

The main process of the IP Source Trail function is as follows:

1. After confirming that a user is under attack, configure the IP Source Trail function based on the IP address of that user.

2. The CPU of the LPU collects statistics about packets whose destination address is the victim IP address. The statistics are regularly sent to the CPU of the main control board, or made available on request of the main control board.

3. The main control board confirms the attack source based on the received statistics. The administrator then configures an ACL on the interface directly connected to the possible attack source and sets the ACL action to deny.

URPF

Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking packets with bogus source addresses.

As shown in Figure 5-2, S9300-A forges packets with source address 2.1.1.1 and sends a request to S9300-B. S9300-B sends its response to the real owner of 2.1.1.1, S9300-C. In this way, S9300-A attacks both S9300-B and S9300-C with the forged packets.

Figure 5-2 Diagram of the URPF function (figure not reproduced; labels shown in the figure: S9300-A with 1.1.1.1/24, S9300-B, S9300-C with 2.1.1.1/24, and the forged source address 2.1.1.1/24 on the packets from S9300-A)

When a packet arrives on a URPF-enabled interface, URPF obtains the source address and inbound interface of the packet and searches the forwarding table for the entry corresponding to the source address. If the entry is found, URPF checks whether the outbound interface of that entry is the same as the inbound interface of the packet. If the actual inbound interface differs from the interface found in the forwarding table, the packet is discarded. In this way, URPF protects the network against attacks that rely on modified source addresses.

5.2 IP Source Guard Features Supported by the S9300
This section describes how the IP Source Guard feature is supported in the S9300.

IP Source Guard

The IP Source Guard feature checks IP packets against the binding table, which holds source IP addresses, source MAC addresses, and VLANs. In addition, the S9300 can check IP packets based on combinations such as:

l IP+MAC

l IP+VLAN

l IP+MAC+VLAN

l ...

NOTE

IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from users.

The S9300 provides two binding mechanisms:
l After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users.
l When users use static IP addresses, you need to configure the binding table by running commands.

NOTE

For the configurations of DHCP snooping, see 3 DHCP Snooping Configuration.

IP Source Trail

NOTE

Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.

l The IP source trail feature of the S9300 is based on the destination IP address.
The IP Source Trail feature is configured according to the IP address of the attacked user. The CPU of the LPU collects statistics about packets with the user IP address as the destination address. The statistics are regularly sent to the CPU of the main control board, or made available when required by the main control board.

l Querying statistics about IP Source Trail is supported globally.
The global query of the statistics provides a brief mode and a detailed mode:
– In brief mode, the source address, source interface, total traffic (number of bytes and packets), and average rate (bps and pps) of the traffic over a period of time are exported.
– In detailed mode, the current rate of the traffic, the maximum rate, and the start time and end time of the traffic (the query time is displayed if the traffic has not ended when queried) are exported in addition to the information exported in brief mode.

l Querying statistics about IP Source Trail based on board is supported.
When the statistics are queried based on board, the main control board finds the cached statistics according to the destination IP address and displays the records from the specified board in brief mode.

URPF
URPF functions only at the inbound interface of the S9300. If URPF is enabled on an interface, the URPF check is performed on packets received by that interface.

The S9300 supports two URPF check modes: strict check and loose check.
l Strict check: The source address of a packet must exist in the FIB table of the S9300, and the packet is forwarded only when the outbound interface of that FIB entry is the same as the inbound interface of the packet. Otherwise, the packet is dropped.
l Loose check: The source address of a packet must exist in the FIB table of the S9300, but the packet is forwarded regardless of whether the outbound interface of that FIB entry matches the inbound interface of the packet. A packet whose source address has no FIB entry is dropped in both modes (see 5.5.3 for how the default route is treated).

NOTE

The S9300 supports checking the source IPv4 addresses and source IPv6 addresses of packets passing through the inbound interface.

5.3 Configuring IP Source Guard
This section describes how to configure IP source guard.

5.3.1 Establishing the Configuration Task

5.3.2 (Optional) Configuring a Static User Binding Entry

5.3.3 Enabling IP Source Guard

5.3.4 Configuring the Check Items of IP Packets

5.3.5 Checking the Configuration

5.3.1 Establishing the Configuration Task

Applicable Environment
After the IP source guard function is configured on the S9300, the S9300 checks IP packets against the binding table. Only IP packets that match an entry in the binding table are forwarded; all other IP packets are discarded.

Pre-configuration Tasks
Before configuring IP source guard, complete the following task:
l 3.3.2 Enabling DHCP Snooping, if there are DHCP users

Data Preparation
To configure IP source guard, you need the following data.

No. Data
1 (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2 Type and number of the interface enabled with the IP source guard function

5.3.2 (Optional) Configuring a Static User Binding Entry


Context
For users with statically assigned IP addresses, the S9300 cannot automatically learn the MAC addresses or generate binding entries before forwarding their data. You need to create the binding entries manually.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-bind static { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address }* [ interface interface-type interface-number | vlan vlan-id [ cevlan vlan-id ] ]*

A static user binding entry is configured.

----End

5.3.3 Enabling IP Source Guard

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 Run: ip source check user-bind enable

The IP source guard function is enabled on the interface or in the VLAN.

By default, IP source guard is not enabled on any interface or VLAN of the S9300.

----End

5.3.4 Configuring the Check Items of IP Packets


Context

After the function of checking IP packets is enabled, the S9300 checks received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:

vlan vlan-id

The VLAN view is displayed.

Step 3 In the interface view, run:
ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address | vlan }*

Or in the VLAN view, run:
ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address | interface }*

The check items of IP packets are configured.

When receiving an IP packet, the interface checks the packet according to the configured check items: the source IPv4 or IPv6 address, source MAC address, VLAN, or a combination of these items. If the packet matches a binding entry on every check item, the packet is forwarded; otherwise, the packet is discarded. Include mac-address among the check items (as the example in 5.7.1 does) so that a packet carrying an authorized user's IP address together with another host's MAC address is discarded.

By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.

NOTE

This command is valid only for dynamic binding entries.

----End

5.3.5 Checking the Configuration

Prerequisite

The configurations of IP source guard are complete.


Procedure

Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } * } command to view information about the binding table.

Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface.

----End

5.4 Configuring IP Source Trail
This section describes how to configure IP source trail.

5.4.1 Establishing the Configuration Task

5.4.2 Configuring IP Source Trail Based on the Destination IP Address

5.4.3 Checking the Configuration

5.4.1 Establishing the Configuration Task

Applicable Environment

When a user host is under attack, you can configure IP source trail on the S9300 connected to the host to trace the attack source and take defense measures after confirming the attack source.

CAUTION
If the NetStream function is enabled on the S9300, the IP source trail function cannot be configured. To enable the IP source trail function, you must disable the NetStream function first. If the IP source trail function is enabled, the NetStream function cannot be enabled.

For the configuration of the NetStream function, see NetStream Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Network Management.

Pre-configuration Tasks

Before configuring IP source trail, complete the following tasks:

l Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces

l Ensuring that the NetStream function is disabled on the S9300

Data Preparation

To configure IP source trail, you need the following data.

No. Data
1 Destination IP address of the attacked user host

5.4.2 Configuring IP Source Trail Based on the Destination IP Address

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip source-trail ip-address ip-address

IP source trail based on the destination IP address is configured.

----End

5.4.3 Checking the Configuration

Prerequisite
The configurations of IP source trail are complete.

Procedure
l Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.

----End

Example

Run the display ip source-trail command to view the statistics on IP source trail.

<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
198.19.1.8       GE2/0/1    5.151M     114.681K   5.222M    14.534K
198.19.1.11      GE2/0/1    4.825M     107.420K   5.223M    14.535K
198.19.1.7       GE2/0/1    4.433M     98.708K    5.223M    14.537K
198.19.1.5       GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE2/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE2/0/1    1001.083K  21.762K    5.248M    14.605K
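The display output above is the raw material for step 3 of the IP source trail process in 5.1: the main control board's statistics are what the administrator reads before denying the attack source with an ACL on its inbound interface. The following Python script is an added example, not Huawei's code. It parses that output (the text embedded below is constructed after the sample above), converts the K/M suffixes to plain numbers, and ranks each (source address, inbound interface) pair by its share of the victim's total packet rate. The column layout and the 10% share threshold are assumptions made for the example.

```python
"""Rank attack sources from 'display ip source-trail' output.

Added example (not Huawei's code).  SAMPLE is constructed after the output
shown in 5.4.3; the record layout and the default share threshold are
assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = """\
Destination Address: 10.0.0.1
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
198.19.1.8       GE2/0/1    5.151M     114.681K   5.222M    14.534K
198.19.1.11      GE2/0/1    4.825M     107.420K   5.223M    14.535K
198.19.1.7       GE2/0/1    4.433M     98.708K    5.223M    14.537K
198.19.1.5       GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE2/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE2/0/1    1001.083K  21.762K    5.248M    14.605K
"""

_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_quantity(text: str) -> float:
    """'5.151M' -> 5151000.0, '21.762K' -> 21762.0, '512' -> 512.0"""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad quantity: {text}")
    return float(m.group(1)) * _UNITS[m.group(2)]


@dataclass(frozen=True)
class TrailRecord:
    victim: str
    src: str
    src_if: str
    bytes: float
    pkts: float
    bps: float
    pps: float


def parse_source_trail(output: str) -> List[TrailRecord]:
    """Turn the display output into one TrailRecord per source/interface row."""
    victim = None
    records: List[TrailRecord] = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Destination Address:"):
            victim = line.split(":", 1)[1].strip()
            continue
        fields = line.split()
        # Data rows have exactly six columns and start with a dotted-quad address;
        # the header, separator and blank lines do not.
        if len(fields) != 6 or not re.match(r"\d+\.\d+\.\d+\.\d+$", fields[0]):
            continue
        if victim is None:
            raise ValueError("record found before the Destination Address line")
        records.append(TrailRecord(victim, fields[0], fields[1],
                                   *map(parse_quantity, fields[2:])))
    return records


def rank_sources(records: List[TrailRecord], min_share: float = 0.10) -> List[Tuple[str, str, float]]:
    """(src, src_if, share) for sources sending at least min_share of the victim's pps,
    highest rate first.  src_if is the interface on which an ACL deny would be applied."""
    total = sum(r.pps for r in records)
    if total == 0:
        return []
    ranked = sorted(records, key=lambda r: r.pps, reverse=True)
    return [(r.src, r.src_if, round(r.pps / total, 3))
            for r in ranked if r.pps / total >= min_share]


if __name__ == "__main__":
    for src, src_if, share in rank_sources(parse_source_trail(SAMPLE)):
        print(f"{src:<16} via {src_if:<8} {share:.1%} of victim pps")
```

In the sample every source contributes about one sixth of the packet rate from the same inbound interface, which is the pattern of a distributed flood; the per-interface grouping tells the administrator where the ACL from step 3 of 5.1 belongs.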


5.5 Configuring URPF
This section describes how to configure URPF.

5.5.1 Establishing the Configuration Task

5.5.2 Enabling URPF

5.5.3 Setting the URPF Check Mode on an Interface

5.5.4 (Optional) Disabling URPF for the Specified Traffic

5.5.5 Checking the Configuration

5.5.1 Establishing the Configuration Task

Applicable Environment
To prevent source address spoofing attacks on a network, you can configure URPF to check whether the source IP address of a packet matches the incoming interface. If it does, the source IP address is considered valid and the packet is allowed to pass; otherwise, the source IP address is considered spoofed and the packet is discarded.

Pre-configuration Tasks
Before configuring URPF, complete the following task:
l Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces

Data Preparation
To configure URPF, you need the following data.

No. Data
1 Slot number of the LPU where URPF needs to be enabled
2 Type and number of the interface
3 URPF check mode

5.5.2 Enabling URPF

Context
You can perform URPF configurations on an interface only after enabling URPF globally on the LPU.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: urpf slot slot-number

URPF is enabled on the LPU in that slot.

By default, URPF is disabled on an LPU.

----End

5.5.3 Setting the URPF Check Mode on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The URPF check function can be configured on GE interfaces and Eth-Trunks of the S9300.

NOTE

URPF needs to be configured on the physical interface, because URPF is implemented on the physical interface.

Step 3 Run: urpf { loose | strict } [ allow-default-route ]

The URPF check mode is configured on the interface.

URPF determines how a default route is treated according to whether allow-default-route is specified.

l When allow-default-route is not specified and the source address of a packet matches no route other than the default route, the packet is discarded in both strict and loose check mode, even though a default route exists.

l When allow-default-route is specified and the source address of a packet matches no route other than the default route:
– In strict check mode, the packet passes the URPF check and is forwarded if the outgoing interface of the default route is the same as the incoming interface of the packet; otherwise the packet is discarded.
– In loose check mode, the packet passes the URPF check and is forwarded regardless of whether the outgoing interface of the default route is the same as the incoming interface of the packet.

----End
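The strict and loose modes of 5.2 and the allow-default-route rules of 5.5.3 combine into a small decision table that is easy to get wrong when reasoning about a spoofed packet. The following Python model is an added example, not Huawei's code: it performs a longest-prefix match against a constructed FIB laid out like the 5.7.3 topology (user network behind GE2/0/0, ISP and default route via GE1/0/0), then applies the rules above. The FIB entries, prefixes and interface names are assumptions made for the example.

```python
"""URPF decision logic, as an added example (not Huawei's code).

Models the rules described in 5.2 and 5.5.3: strict vs loose check, the
treatment of a source address with no route, and the effect of
allow-default-route.  FIB entries, prefixes and interface names are
constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB for the 5.7.3 topology: (prefix, outbound interface).
FIB: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "GE2/0/0"),    # user network behind GE2/0/0
    ("192.0.2.0/24", "GE1/0/0"),   # a prefix reached through the ISP side
    ("0.0.0.0/0", "GE1/0/0"),      # default route toward the ISP
]


def lookup(src: str, fib: List[Tuple[str, str]] = FIB) -> Optional[Tuple[str, str, bool]]:
    """Longest-prefix match of src in fib.

    Returns (prefix, outbound_interface, is_default_route), or None when no
    entry, not even a default route, covers the address.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    if best is None:
        return None
    return str(best[0]), best[1], best[0].prefixlen == 0


def urpf_check(src: str, in_if: str, mode: str, allow_default: bool = False,
               fib: List[Tuple[str, str]] = FIB) -> bool:
    """True if a packet with source src arriving on in_if passes the URPF check.

    mode is "strict" or "loose"; allow_default mirrors allow-default-route.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = lookup(src, fib)
    if hit is None:
        return False                 # no route at all: dropped in both modes
    _prefix, out_if, is_default = hit
    if is_default and not allow_default:
        return False                 # only the default route matches, and it does not count
    if mode == "loose":
        return True                  # loose: any counted FIB hit is enough
    return out_if == in_if           # strict: reverse path must be the inbound interface


def demo() -> Dict[str, bool]:
    """The 5.7.3 setting: urpf strict allow-default-route on user-side GE2/0/0."""
    return {
        "user_host_own_prefix": urpf_check("10.1.2.3", "GE2/0/0", "strict", True),
        "user_host_spoofing_isp_prefix": urpf_check("192.0.2.9", "GE2/0/0", "strict", True),
        "user_host_spoofing_unrouted": urpf_check("203.0.113.5", "GE2/0/0", "strict", True),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'forward' if passed else 'drop'}")
```

With allow-default-route on the user-side interface, a spoofed source that only the default route covers is still dropped in strict mode, because the default route points at the ISP interface rather than the inbound one; on the ISP-facing interface the same packet would pass, which is why the example in 5.7.3 enables URPF on the user side.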

5.5.4 (Optional) Disabling URPF for the Specified Traffic

Context

After URPF is enabled on an interface, the S9300 performs the URPF check on all traffic received on that interface. To prevent packets of a certain type from being discarded, you can disable the URPF check for those packets. For example, if the S9300 is configured to trust all packets from a certain server, it does not check those packets.

NOTE

Only the S9300 installed with an EA/EC/ED LPU supports this function.

To disable the URPF function, you need to run commands in the traffic behavior view andassociate the traffic behavior and a traffic classifier with a traffic policy.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.

Step 3 Run: ip urpf disable

The URPF function is disabled for traffic that matches this behavior.

By default, the URPF function is enabled in a traffic behavior.

Associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally, or to a board, an interface, or a VLAN, the S9300 does not perform the URPF check on traffic that matches the traffic classifier rules.

For the configuration procedures of traffic classifier and traffic policy, see Class-based QoSConfiguration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.

----End

5.5.5 Checking the Configuration


Prerequisite
The configurations of URPF are complete.

Procedure
l Run the display this command in the interface view to check whether URPF is enabled on the current interface.

----End

Example

Run the display this command to check whether URPF is enabled on GE 1/0/0.

[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
 urpf loose allow-default-route
#
return

5.6 Maintaining Source IP Attack Defense
This section describes how to maintain source IP attack defense.

5.6.1 Clearing the Statistics on IP Source Trail

5.6.1 Clearing the Statistics on IP Source Trail

Context
After the reset command is run to clear the statistics on IP source trail, all statistical entries on IP source trail are empty when queried.

Procedure
l Run the reset ip source-trail command to clear all the statistics on IP source trail.

l Run the reset ip source-trail ip-address ip-address command to clear the statistics of one tracing instance.

----End

5.7 Configuration Examples
This section provides configuration examples of IP source guard, IP source trail, and URPF.

5.7.1 Example for Configuring IP Source Guard

5.7.2 Example for Configuring IP Source Trail

5.7.3 Example for Configuring URPF


5.7.1 Example for Configuring IP Source Guard

Networking Requirements
As shown in Figure 5-3, Host A is connected to the Switch through GE 1/0/1 and Host B is connected to the Switch through GE 1/0/2. You need to configure the IP source guard function on the Switch so that Host B cannot forge the IP address and MAC address of Host A, and IP packets from Host A can be sent to the server.

Figure 5-3 Networking diagram for configuring IP source guard (figure not reproduced: Host A, IP 10.0.0.1/24, MAC 1-1-1, on GE1/0/1; Host B (attacker), IP 10.0.0.2/24, MAC 2-2-2, on GE1/0/2; the S9300 connects to the server; Host B's packets carry SIP 10.0.0.1/24 and SMAC 2-2-2)

Configuration Roadmap
Assume that the user is configured with a static IP address. The configuration roadmap is as follows:

1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure the check items of IP packets.
3. Configure a static binding table.

Data Preparation
To complete the configuration, you need the following data:

l Interface connected to Host A: GE 1/0/1; interface connected to Host B: GE 1/0/2

l Check items: IP address and MAC address

l IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1

l VLAN where Host A resides: VLAN 10

NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.


Procedure

Step 1 Enable the IP source guard function.

# Enable the IP source guard function on GE 1/0/1 connected to Host A.

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to Host B.

[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/2] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure the check items of the static binding table.

# Configure Host A in the static binding table.

[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10

Step 3 Verify the configuration.

Run the display user-bind all command on the Switch to view information about the binding table.

<Quidway> display user-bind all
bind-table:
ifname      vsi   O/I-vlan   mac-address      ip-address   tp  lease
-------------------------------------------------------------------------------
GE1/0/1     --    10/ --     0001-0001-0001   10.0.0.1     S   0
-------------------------------------------------------------------------------
Static binditem count: 1   Static binditem total count: 1

The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.

----End

Configuration Files
#
 sysname Quidway
#
 user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet 1/0/1 vlan 10
#
interface GigabitEthernet 1/0/1
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
interface GigabitEthernet 1/0/2
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
return
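The check-item rule of 5.3.4, applied to the hosts of this example, decides whether Host B's forged packet (Host A's IP address with Host B's own MAC address, as in Figure 5-3) is dropped. The following Python model is an added example, not Huawei's code: a packet is forwarded only if some binding entry agrees with it on every configured check item. The binding entry mirrors the static binding above; the packets and the check-item sets are constructed here. One assumption is made so that the effect of each item is visible: only the items you list are compared, so the inbound interface is matched only when "interface" itself is a check item.

```python
"""IP source guard check against a binding table, as an added example (not
Huawei's code).

Models the rule of 5.3.4 on the hosts of 5.7.1: a packet is forwarded only
if some binding entry agrees with it on every configured check item.
Binding entries, packets and check-item sets are constructed here.
Assumption: only the listed items are compared.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

CHECK_ITEMS = {"ip-address", "ipv6-address", "mac-address", "vlan", "interface"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str


def normalize_mac(mac: str) -> str:
    """Accept '1-1-1', '0001-0001-0001' or '00:01:00:01:00:01'; return 12 hex digits."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) == 3:      # VRP xxxx-xxxx-xxxx notation, abbreviated as in the figures
        return "".join(p.zfill(4) for p in parts).lower()
    if len(parts) == 6:      # colon- or hyphen-separated octets
        return "".join(p.zfill(2) for p in parts).lower()
    raise ValueError(f"unrecognized MAC format: {mac}")


def same_ip(a: str, b: str) -> bool:
    """Compare addresses after parsing, so IPv6 abbreviations do not matter."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def matches(binding: Binding, pkt: Packet, items: FrozenSet[str]) -> bool:
    """True if the binding agrees with the packet on every configured check item."""
    if items & {"ip-address", "ipv6-address"} and not same_ip(binding.ip, pkt.src_ip):
        return False
    if "mac-address" in items and normalize_mac(binding.mac) != normalize_mac(pkt.src_mac):
        return False
    if "vlan" in items and binding.vlan != pkt.vlan:
        return False
    if "interface" in items and binding.interface != pkt.in_interface:
        return False
    return True


def source_guard(table: Iterable[Binding], pkt: Packet, items: Iterable[str]) -> str:
    """Return "forward" or "drop" for one packet under the given check items."""
    items = frozenset(items)
    unknown = items - CHECK_ITEMS
    if unknown:
        raise ValueError(f"unknown check items: {sorted(unknown)}")
    return "forward" if any(matches(b, pkt, items) for b in table) else "drop"


# Constructed data mirroring Figure 5-3 and the static binding configured above.
TABLE: List[Binding] = [Binding("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")]
HOST_A = Packet("10.0.0.1", "1-1-1", 10, "GE1/0/1")
HOST_B_FORGED = Packet("10.0.0.1", "2-2-2", 10, "GE1/0/2")   # Host A's IP, Host B's MAC


def demo() -> Dict[str, str]:
    """The example's check items (ip-address mac-address) beside ip-address alone."""
    return {
        "host_a_ip_mac": source_guard(TABLE, HOST_A, ["ip-address", "mac-address"]),
        "host_b_ip_mac": source_guard(TABLE, HOST_B_FORGED, ["ip-address", "mac-address"]),
        "host_b_ip_only": source_guard(TABLE, HOST_B_FORGED, ["ip-address"]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Under this model, ip-address alone lets Host B's forged packet through, because its source IP does appear in the binding table; adding mac-address, as the example's check-item command does, drops it. Adding vlan or interface tightens the match further.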

5.7.2 Example for Configuring IP Source Trail


Networking Requirements
As shown in Figure 5-4, User A is connected to GE 1/0/1 on the Switch. IP source trail must be enabled on the Switch so that the attack source can be traced after User A suffers a DoS attack.

Figure 5-4 Networking diagram for configuring IP source trail (figure not reproduced: User A, 10.0.0.3, is connected to GE1/0/1 of the S9300, which connects to the ISP)

Configuration Roadmap
Configure IP source trail in the system view of the Switch.

Data Preparation
To complete the configuration, you need the following data:

l Interface connecting the Switch and the user host: GE 1/0/1

l IP address of the attacked user host: 10.0.0.3

Procedure

Step 1 Configure IP source trail based on the destination IP address.
<Quidway> system-view
[Quidway] ip source-trail ip-address 10.0.0.3

Step 2 Verify the configuration.

Run the display ip source-trail ip-address ip-address command to view the trace result for 10.0.0.3.

<Quidway> display ip source-trail ip-address 10.0.0.3
Destination Address: 10.0.0.3
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
192.10.1.11      GE1/0/2    4.825M     107.420K   5.223M    14.535K
101.1.1.17       GE2/0/1    4.433M     98.708K    5.223M    14.537K
101.1.1.5        GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE3/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE3/0/1    1001.083K  21.762K    5.248M    14.605K

----End

Configuration Files
#
 sysname Quidway
#
 ip source-trail ip-address 10.0.0.3
#
return

5.7.3 Example for Configuring URPF

Networking Requirements
As shown in Figure 5-5, the Switch is connected to the router of the ISP through GE 1/0/0 and to the user network through GE 2/0/0. To protect the Switch against source address spoofing from the user side, you need to enable the URPF check, with matching of the default route, on the Switch.

Figure 5-5 Networking diagram for configuring URPF (figure not reproduced: the S9300 connects to the ISP through GE1/0/0 and to the user network through GE2/0/0)

Configuration Roadmap
Enable URPF on the user-side interface GE 2/0/0 of the Switch.

Data Preparation
To complete the configuration, you need the following data:
l URPF check mode: strict

NOTE

As shown in Figure 5-5, the routes are symmetric. URPF strict check is recommended for symmetric routes.

URPF takes effect only when unicast routing works normally. The following configuration procedure lists only URPF-related configurations; the configurations of IP addresses and unicast routes are omitted.

Procedure

Step 1 Enable URPF on the LPU.
<Quidway> system-view
[Quidway] urpf slot 2

Step 2 Set the URPF check mode on the interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] urpf strict allow-default-route

NOTE

URPF takes effect for only the packets forwarded at Layer 3.


Step 3 Verify the configuration.

Run the display this command in the view of GE 2/0/0 to view the URPF configuration.

[Quidway-GigabitEthernet2/0/0] display this
#
interface GigabitEthernet2/0/0
 urpf strict allow-default-route
#
return

----End

Configuration Files

#
 sysname Quidway
#
urpf slot 2
#
interface GigabitEthernet2/0/0
 urpf strict allow-default-route
#
return
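As an added illustration (not Huawei code and not part of this guide), the following Python model shows what the URPF check configured above decides for a packet in strict and loose mode, and what the allow-default-route keyword changes. The FIB, the addresses, and the reading of allow-default-route in strict mode (the default route's outbound interface must still equal the ingress interface) are assumptions made for the model.

```python
import ipaddress

# Constructed FIB for the Figure 5-5 topology. Addresses are assumed, not
# from the guide: the user prefixes 192.0.2.0/24 and 198.51.100.0/24 are
# reached through GE2/0/0; everything else follows the default route to
# the ISP through GE1/0/0.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "GE2/0/0"),
    (ipaddress.ip_network("198.51.100.0/24"), "GE2/0/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/0"),
]


def lookup(fib, addr):
    """Longest-prefix match: return (network, outgoing interface) or None."""
    best = None
    for net, ifname in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src, in_if, mode="strict", allow_default_route=False):
    """Return True if a packet from src arriving on in_if passes URPF.

    strict: the route back to src must leave through the ingress interface.
    loose:  any route back to src is enough.
    A match on the default route counts only when allow_default_route is
    set (modelling 'urpf strict allow-default-route'; in strict mode the
    default route's interface must still equal in_if, an assumed reading
    of the command).
    """
    match = lookup(fib, ipaddress.ip_address(src))
    if match is None:
        return False
    net, ifname = match
    if net.prefixlen == 0 and not allow_default_route:
        return False  # source is known only through the default route
    if mode == "loose":
        return True
    return ifname == in_if


def filter_packets(fib, packets, mode, allow_default_route):
    """Apply the check to (src, ingress interface) pairs; return (src, verdict) list."""
    return [(src, urpf_check(fib, src, in_if, mode, allow_default_route))
            for src, in_if in packets]


if __name__ == "__main__":
    # Constructed traffic samples.
    packets = [
        ("192.0.2.10", "GE2/0/0"),    # legitimate host on the user network
        ("203.0.113.5", "GE2/0/0"),   # spoofed source: only the default route matches
        ("198.51.100.7", "GE1/0/0"),  # user prefix arriving from the ISP side
    ]
    for mode, dflt in (("strict", False), ("strict", True), ("loose", True)):
        print(mode, "allow-default-route" if dflt else "no-default-route",
              filter_packets(FIB, packets, mode, dflt))
```

With this topology, a packet that spoofs an Internet address on the user-side interface fails the strict check even with allow-default-route, because the default route exits through GE1/0/0 rather than GE2/0/0; the keyword only matters for sources that arrive on the interface the default route points to, which is why the guide pairs strict mode with symmetric routing.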


6 Local Attack Defense Configuration

About This Chapter

This chapter describes the principle and configuration of local attack defense.

6.1 Overview of Local Attack Defense
This section describes the principle of the local attack defense.

6.2 Local Attack Defense Features Supported by the S9300
This section describes how the local attack defense feature is supported in the S9300.

6.3 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.

6.4 Configuring Attack Source Tracing
After the attack source tracing function is configured, the system can actively defend against possible attack packets by analyzing whether packets directed at the CPU attack the CPU.

6.5 Maintaining the Attack Defense Policy
This section describes how to clear statistics about the attack sources and the packets sent to the CPU.

6.6 Configuration Examples
This section provides several configuration examples of attack defense policy.


6.1 Overview of Local Attack Defense

This section describes the principle of the local attack defense.

With the development and wide application of the network, users pose higher requirements for the security of the network and network devices. On the network, a large number of packets, including malicious attack packets, are sent to the Central Processing Unit (CPU). These packets cause high CPU usage, degrade system performance, and affect service provisioning. Malicious packets that aim at attacking the CPU keep the CPU busy processing the attack packets for a long period. As a result, other normal services are interrupted and the system may even fail.

To protect the CPU and enable it to process and respond to normal services, the packets to be sent to the CPU need to be limited: for example, by filtering and classifying packets to be sent to the CPU, limiting the number of such packets and their rate, and setting the priority of such packets. Packets that do not conform to the configured rules are discarded directly so that the CPU can process normal services.

The local attack defense feature of the S9300 is specially designed for packets directed at the CPU. It is mainly used to protect the S9300 from attacks and to ensure that existing services run normally during an attack.

6.2 Local Attack Defense Features Supported by the S9300

This section describes how the local attack defense feature is supported in the S9300.

The S9300 implements the local attack defense feature through the following methods:

- Whitelist
  A whitelist refers to a group of valid users or users with high priorities. You can set the whitelist by defining ACLs. Packets matching the whitelist are sent first, so existing services and high-priority user services are protected. Valid users that normally access the system and users with high priority can be added to the whitelist.

- Blacklist
  A blacklist refers to a group of invalid users. You can define the blacklist through ACL rules. Packets matching the blacklist are discarded. Invalid users that are involved in attacks can be added to the blacklist.

- User-defined flows
  Users can define ACL rules for the user-defined flows. When unknown attacks occur on the network, you can flexibly specify the characteristics of the attack data flows and limit the data flows that match the specified characteristics.

- CAR
  CAR is used to set the rate at which classified packets are sent to the CPU. You can set the committed information rate (CIR, also called the average rate) and the committed burst size (CBS). By setting different CAR rules for different packet types, you reduce the interference between packet types and protect the CPU. CAR can also be used to set the total rate of packets sent to the CPU. When the total rate exceeds the upper limit, the system discards the excess packets, avoiding CPU overload.


6.3 Configuring the Attack Defense Policy

This section describes how to configure the attack defense policy.

6.3.1 Establishing the Configuration Task

6.3.2 Creating an Attack Defense Policy

6.3.3 Configuring the Whitelist

6.3.4 Configuring the Blacklist

6.3.5 Configuring User-Defined Flows

6.3.6 Configuring the Rule for Sending Packets to the CPU

6.3.7 Applying the Attack Defense Policy

6.3.8 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment

When a large number of users access the S9300, the CPU of the S9300 may be attacked by the packets sent by attackers, or the CPU needs to process a large number of packets.

Pre-configuration Tasks

Before configuring an attack defense policy, complete the following tasks.

- Connecting interfaces and setting the physical parameters of each interface to make the physical layer in Up state

- (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible plug-in card on the main control board

Data Preparation

To configure an attack defense policy, you need the following data.

No. Data

1 Number and description of the attack defense policy

2 Number and rules of the ACL for blacklisted users

3 Number of the user-defined flow

4 CIR and CBS of the packets sent to the CPU

5 Number of the LPU to which the attack defense policy is applied


6.3.2 Creating an Attack Defense Policy

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.

----End

6.3.3 Configuring the Whitelist

Context

You can create a whitelist and add users matching a specific characteristic to the whitelist. The system allows the packets of whitelist users to pass through and forwards the packets of whitelist users first. CAR and deny cannot be configured for the packets of whitelist users. The S9300 supports the flexible setting of the whitelist through ACLs.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
whitelist whitelist-id acl acl-number

The user-defined whitelist is created.

The ACL used by the whitelist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For details on ACL configuration, see 11.3 Configuring an ACL.

By default, no whitelist is configured on the S9300.

----End

6.3.4 Configuring the Blacklist


Context

You can create a blacklist and add users matching a specific characteristic to the blacklist. The packets sent from the users in the blacklist are discarded by default. The S9300 supports the flexible setting of the blacklist through ACLs.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
blacklist blacklist-id acl acl-number

A customized blacklist is created.

The ACL used by the blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.

By default, no blacklist is configured on the S9300.

----End

6.3.5 Configuring User-Defined Flows

Context

The S9300 supports the binding of a user-defined flow to an ACL rule. When unknown attacks emerge on the network, the S9300 can flexibly identify the characteristics of the attack data flows and limit the data flows that match the specified characteristics.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
user-defined-flow flow-id acl acl-number

The ACL rule of the user-defined flow is set.

The S9300 has eight user-defined flows. By default, no ACL rule is configured for user-defined flows.


The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.

----End

6.3.6 Configuring the Rule for Sending Packets to the CPU

Context

NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the latest setting takes effect.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 (Optional) Run:
car { packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] *

CAR is configured for packets destined for the CPU and the rate threshold is set.

Step 4 (Optional) Run:
deny { packet-type packet-type | user-defined-flow flow-id }

The action performed for the packets destined for the CPU is set to deny.

By default, CAR is set on the S9300 for packets destined for the CPU. The default CAR can be viewed through the display cpu-defend configuration command.

----End

6.3.7 Applying the Attack Defense Policy

Context

The attack defense policy can be applied to the main control board or to all the LPUs in the system view, or to a specified LPU in the slot view.

NOTE

When the attack defense policy is applied on an LPU, the cpu-defend-policy command is run in either the system view or the slot view, not both. That is, if the cpu-defend-policy command is run in the system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global specified cannot be run in the system view.


Procedure

- Applying the attack defense policy in the system view

  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  cpu-defend-policy policy-number [ global ]

  An attack defense policy is applied.

  – If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application.

  – If you specify global in the command, the attack defense policy is applied on all the LPUs.

- Applying the attack defense policy in the slot view

  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  slot slot-id

  The slot view is displayed.

  3. Run:
  cpu-defend-policy policy-number

  An attack defense policy is applied.

  The attack defense policy applied in the slot view takes effect only on the LPU in this slot.

----End

6.3.8 Checking the Configuration

Procedure

- Run the display cpu-defend policy command to view the information about the attack defense policy.

- Run the display cpu-defend [ packet-type ] statistics [ all | slot slot-id ] command to view statistics about packets directed at the CPU.

----End

Example

Run the display cpu-defend policy 8 command to view the information about attack defense policy 8.

<Quidway> display cpu-defend policy 8
 Number        : 8
 Description   : arp defend attack
 Related slot  : <4>
 Configuration :
 Car user-defined-flow 1 : CIR(64) CBS(10000)
 Car user-defined-flow 2 : CIR(64) CBS(10000)
 Car user-defined-flow 3 : CIR(64) CBS(10000)
 Car user-defined-flow 4 : CIR(64) CBS(10000)
 Car user-defined-flow 5 : CIR(64) CBS(10000)
 Car user-defined-flow 6 : CIR(64) CBS(10000)
 Car user-defined-flow 7 : CIR(64) CBS(10000)
 Car user-defined-flow 8 : CIR(64) CBS(10000)

Run the display cpu-defend tcp statistics slot 4 command to view statistics about TCP packets directed at the CPU.

<Quidway> display cpu-defend tcp statistics slot 4
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type          Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
tcp                  0             0             0               0
-------------------------------------------------------------------------------

6.4 Configuring Attack Source Tracing

After the attack source tracing function is configured, the system can actively defend against possible attack packets by analyzing whether packets directed at the CPU attack the CPU.

6.4.1 Establishing the Configuration Task

6.4.2 Creating an Attack Defense Policy

6.4.3 Enabling the Automatic Attack Source Tracing

6.4.4 Configuring the Threshold of Attack Source Tracing

6.4.5 (Optional) Configuring the Attack Source Alarm Function

6.4.6 Applying the Attack Defense Policy

6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task

Applicable Environment

A large number of attack packets may be sent to the CPUs of devices on the network. Attack source tracing, as a means of proactive attack defense, actively defends against possible attack packets by analyzing whether packets directed at the CPU may attack the CPU.

Pre-configuration Tasks

Before configuring attack source tracing, complete the following task.

- Connecting interfaces and setting the physical parameters of each interface to make the physical layer in Up state

- (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible service unit on the main control board


Data Preparation

To configure attack source tracing, you need the following data.

No. Data

1 Number and description of the attack defense policy

2 Rate checking threshold in attack source tracing

3 Rate alarm threshold in attack source tracing

4 Number of the LPU to which the attack defense policy is applied

6.4.2 Creating an Attack Defense Policy

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.

----End

6.4.3 Enabling the Automatic Attack Source Tracing

Context

Configurations relating to other attack source tracing features, such as the checking threshold and the alarm threshold in attack source tracing, can be performed only after the automatic attack source tracing function is enabled.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

The automatic attack source tracing function is enabled.

----End

6.4.4 Configuring the Threshold of Attack Source Tracing

Context

After the threshold of attack source tracing is configured, a log is recorded when the number of packets sent by the possible attack source in a given period exceeds the threshold. The S9300 supports the source tracing of ARP packets, DHCP packets, and IGMP packets to be sent to the CPU.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend threshold threshold-value

The threshold of attack source tracing is configured.

By default, the threshold of attack source tracing is set to 128 pps.

----End

6.4.5 (Optional) Configuring the Attack Source Alarm Function

Context

After the attack source alarm function is enabled, a trap is sent to the Network Management System (NMS) when the number of packets sent by the possible attack source in a given period exceeds the alarm threshold.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend alarm enable

The attack source alarm function is enabled.

Step 4 Run:
auto-defend alarm threshold threshold-value

The threshold of the attack source alarm function is set.

By default, the threshold of the attack source alarm function is set to 128 pps.

----End

6.4.6 Applying the Attack Defense Policy

Context

The attack defense policy can be applied to the main control board or to all the LPUs in the system view, or to a specified LPU in the slot view.

NOTE

When the attack defense policy is applied on an LPU, the cpu-defend-policy command is run in either the system view or the slot view, not both. That is, if the cpu-defend-policy command is run in the system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global specified cannot be run in the system view.

Procedure

- Applying the attack defense policy in the system view

  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  cpu-defend-policy policy-number [ global ]

  An attack defense policy is applied.

  – If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application.

  – If you specify global in the command, the attack defense policy is applied on all the LPUs.

- Applying the attack defense policy in the slot view

  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  slot slot-id

  The slot view is displayed.

  3. Run:
  cpu-defend-policy policy-number

  An attack defense policy is applied.

  The attack defense policy applied in the slot view takes effect only on the LPU in this slot.

----End

6.4.7 Checking the Configuration

Procedure

- Run the display cpu-defend policy policy-number command to view the attack defense policy.

- Run the display auto-defend attack-source [ slot slot-id ] command to view the list of attack sources configured globally or in a specified slot.

----End

Example

Run the display cpu-defend policy 8 command to view the information about attack defensepolicy 8.

<Quidway> display cpu-defend policy 8
 Number        : 8
 Description   : arp defend attack
 Related slot  : <4>
 Configuration :
 Car user-defined-flow 1 : CIR(64) CBS(10000)
 Car user-defined-flow 2 : CIR(64) CBS(10000)
 Car user-defined-flow 3 : CIR(64) CBS(10000)
 Car user-defined-flow 4 : CIR(64) CBS(10000)
 Car user-defined-flow 5 : CIR(64) CBS(10000)
 Car user-defined-flow 6 : CIR(64) CBS(10000)
 Car user-defined-flow 7 : CIR(64) CBS(10000)
 Car user-defined-flow 8 : CIR(64) CBS(10000)

Run the display auto-defend attack-source slot 4 command to view the attack sources of the LPU in slot 4.

<Quidway> display auto-defend attack-source slot 4
 -- Attack Source Port Table (LPU4) ----------
 InterfaceName          Vlan:Outer/Inner   TOTAL
 --------------------------------------------
 GigabitEthernet3/0/0   199/299            156464
 --------------------------------------------

 -- Attack Source User Table (LPU4) --------------------------------------------
 InterfaceName          Vlan:Outer/Inner   MacAddress       ARP      DHCP   IGMP   TOTAL
 ------------------------------------------------------------------------------
 GigabitEthernet3/0/0   199/299            0003-5556-3244   143111   0      0      143111
 ------------------------------------------------------------------------------
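The attack-source tables above are the raw material for the threshold and alarm logic of 6.4.4 and 6.4.5. The following Python block, added as an example and not part of this guide or of Huawei's software, parses the user table of the display auto-defend attack-source output into records and rates each MAC address against the tracing threshold and the optional alarm threshold. The sample output is constructed from the row shown above plus two extra rows; the sampling interval used to turn TOTAL into packets per second is an assumption, and the device performs this evaluation internally, so the code is for offline review of captured output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rows from the guide's output plus two rows added to
# exercise the thresholds. Only the user table carries per-MAC counters.
SAMPLE = """\
<Quidway> display auto-defend attack-source slot 4
 -- Attack Source Port Table (LPU4) ----------
 InterfaceName          Vlan:Outer/Inner   TOTAL
 --------------------------------------------
 GigabitEthernet3/0/0   199/299            156464
 --------------------------------------------

 -- Attack Source User Table (LPU4) --------------------------------------------
 InterfaceName          Vlan:Outer/Inner   MacAddress       ARP      DHCP   IGMP   TOTAL
 ------------------------------------------------------------------------------
 GigabitEthernet3/0/0   199/299            0003-5556-3244   143111   0      0      143111
 GigabitEthernet3/0/1   100/0              0003-5556-aaaa   600      0      0      600
 GigabitEthernet3/0/2   100/0              0003-5556-bbbb   0        9000   0      9000
 ------------------------------------------------------------------------------
"""

# One user-table row: interface, outer/inner VLAN, MAC, ARP, DHCP, IGMP, TOTAL.
USER_ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)/(\d+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


@dataclass
class AttackSource:
    interface: str
    outer_vlan: int
    inner_vlan: int
    mac: str
    arp: int
    dhcp: int
    igmp: int
    total: int


def parse_user_table(text):
    """Extract AttackSource rows; port-table rows carry no MAC and are skipped."""
    rows = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            iface, outer, inner, mac, arp, dhcp, igmp, total = m.groups()
            rows.append(AttackSource(iface, int(outer), int(inner), mac,
                                     int(arp), int(dhcp), int(igmp), int(total)))
    return rows


def evaluate(sources, interval_s, threshold=128, alarm_enabled=False, alarm_threshold=128):
    """Rate each source in packets per second and pick the action the guide describes.

    Assumption: TOTAL is the count accumulated over interval_s seconds.
    'log'  when the rate exceeds the auto-defend threshold (default 128 pps),
    'trap' when the alarm is enabled and the rate also exceeds the alarm threshold.
    """
    results = []
    for s in sources:
        pps = s.total / interval_s
        action = "none"
        if pps > threshold:
            action = "log"
        if alarm_enabled and pps > alarm_threshold:
            action = "trap"
        results.append((s.mac, round(pps, 2), action))
    return results


if __name__ == "__main__":
    rows = parse_user_table(SAMPLE)
    for mac, pps, action in evaluate(rows, interval_s=60, alarm_enabled=True, alarm_threshold=200):
        print(f"{mac}: {pps} pps -> {action}")
```

The regular expression requires a MAC column, so the port table (which only lists interface, VLAN and TOTAL) is skipped without a separate state machine; a MAC that shows up as 'trap' is the one to locate on its interface and VLAN pair.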


6.5 Maintaining the Attack Defense Policy

This section describes how to clear statistics about the attack sources and the packets sent to the CPU.

6.5.1 Clearing Statistics About Packets Destined for the CPU

6.5.2 Clearing Statistics About Attack Sources

6.5.1 Clearing Statistics About Packets Destined for the CPU

Context

CAUTION

Statistics about ARP packets cannot be restored after being cleared. So, confirm the action before you use the command.

Procedure

Step 1 Run the reset cpcar [ packet-type ] statistics [ all | slot slot-id ] command to clear statistics about packets directed at the CPU.

----End

6.5.2 Clearing Statistics About Attack Sources

Context

CAUTION

Statistics about ARP packets cannot be restored after being cleared. So, confirm the action before you use the command.

Procedure

Step 1 Run the reset auto-defend attack-source [ slot slot-id ] command to clear statistics about attack sources.

----End


6.6 Configuration Examples

This section provides several configuration examples of attack defense policy.

6.6.1 Example for Configuring the Attack Defense Policy

6.6.1 Example for Configuring the Attack Defense Policy

Networking Requirements

As shown in Figure 6-1, three local user networks net1, net2 and net3 access the Internet through the Switch. The Switch is connected to a large number of users and receives many packets to be sent to the CPU. In this case, the CPU of the Switch may be attacked by packets directed at the CPU. To protect the CPU and enable the Switch to process services normally, you need to configure local attack defense.

You need to configure the following attack defense features on the Switch:

- Users on net1 are authorized users; therefore, they are added to the whitelist so that their packets are always forwarded.

- The users on net2 are authorized but not fixed; therefore, you need to separately define the rules for sending the packets of net2 users to the CPU and limit the CIR to 5 Mbit/s.

- Users on net3 often attack the network; therefore, they are added to the blacklist. In this manner, they cannot access the network.

Figure 6-1 Networking diagram for configuring the attack defense policy (S9300 with interfaces GE1/0/1, GE1/0/2, GE1/0/3 and GE2/0/1; Net1: 1.1.1.0/24, Net2: 2.2.2.0/24, Net3: 3.3.3.0/24, Internet)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the ACL and define rules for filtering the packets to be sent to the CPU.
2. Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
3. Configure the rule for sending packets to the CPU.
4. Apply the attack defense policy.

Data Preparation

To complete the configuration, you need the following data:

- Number of the attack defense policy

- IDs of the whitelist, blacklist, and user-defined flows

- ACL rule and number

- The rate of sending packets to the CPU

- Slot number of the LPU on which the attack defense policy is applied

NOTE

The following provides only the configuration procedure of the local attack defense feature supported by the Switch. For details on the routing configuration, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

Procedure

Step 1 Configure the rule for filtering packets to be sent to the CPU.

# Define the ACL rules.

<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002
[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit

Step 2 Create an attack defense policy.

# Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.

[Quidway] cpu-defend policy 6
[Quidway-cpu-defend-policy-6] whitelist 1 acl 2001
[Quidway-cpu-defend-policy-6] user-defined-flow 1 acl 2002
[Quidway-cpu-defend-policy-6] blacklist 1 acl 2003

Step 3 Configure the rule for sending packets to the CPU.

# Set the CIR for the user-defined flow.

[Quidway-cpu-defend-policy-6] car user-defined-flow 1 cir 5000

# Set the CIR for the ICMP.

[Quidway-cpu-defend-policy-6] car packet-type icmp cir 5000
[Quidway-cpu-defend-policy-6] quit

Step 4 Apply the attack defense policy.

# Apply the attack defense policy to LPU 1.

[Quidway] slot 1
[Quidway-slot-1] cpu-defend-policy 6
[Quidway-slot-1] quit


# Apply the attack defense policy to LPU 2.

[Quidway] slot 2
[Quidway-slot-2] cpu-defend-policy 6
[Quidway-slot-2] quit

Step 5 Verify the configuration.

# View information about the configured attack defense policy.

<Quidway> display cpu-defend policy 6
 Number        : 6
 Related slot  : <1,2>
 Configuration :
 Whitelist 1 ACL number : 2001
 Blacklist 1 ACL number : 2003
 User-defined-flow 1 ACL number : 2002
 Car user-defined-flow 1 : CIR(5000) CBS(940000)
 Car user-defined-flow 2 : CIR(64) CBS(10000)
 Car user-defined-flow 3 : CIR(64) CBS(10000)
 Car user-defined-flow 4 : CIR(64) CBS(10000)
 Car user-defined-flow 5 : CIR(64) CBS(10000)
 Car user-defined-flow 6 : CIR(64) CBS(10000)
 Car user-defined-flow 7 : CIR(64) CBS(10000)
 Car user-defined-flow 8 : CIR(64) CBS(10000)
 Car packet-type icmp : CIR(5000) CBS(940000)

# View information about CAR on LPU 1.

<Quidway> display cpu-defend configuration slot 1
----------------------------------------------------------------------
Packet Name      Status      Cir(Kbps)    Cbs(Bytes)    Queue
----------------------------------------------------------------------
icmp             Enabled     5000         940000        2
----------------------------------------------------------------------

# View information about CAR on LPU 2.

<Quidway> display cpu-defend configuration slot 2
----------------------------------------------------------------------
Packet Name      Status      Cir(Kbps)    Cbs(Bytes)    Queue
----------------------------------------------------------------------
icmp             Enabled     5000         940000        2
----------------------------------------------------------------------

----End

Configuration Files

#
 sysname Quidway
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
 rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
 whitelist 1 acl 2001
 blacklist 1 acl 2003
 user-defined-flow 1 acl 2002
 car user-defined-flow 1 cir 5000 cbs 940000
 car packet-type icmp cir 5000 cbs 940000
#
slot 1
 cpu-defend-policy 6
#
slot 2
 cpu-defend-policy 6
#
return
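The following Python model, added here as an example and not Huawei code, ties together the features described in 6.2, the car/deny rule of 6.3.6 and the concrete policy 6 of this example. ACLs 2001 to 2003 classify sources into whitelist, user-defined flow and blacklist; CAR is modelled as a token bucket with CIR in kbit/s and CBS in bytes (the bucket semantics and the treatment of packet types that have no rule as pass are assumptions made for the model); and car and deny on the same target overwrite each other so that the latest setting wins.

```python
import ipaddress

# Basic ACLs from the 6.6.1 example: ACL number -> permitted source networks.
ACLS = {
    2001: [ipaddress.ip_network("1.1.1.0/24")],  # net1 -> whitelist 1
    2002: [ipaddress.ip_network("2.2.2.0/24")],  # net2 -> user-defined flow 1
    2003: [ipaddress.ip_network("3.3.3.0/24")],  # net3 -> blacklist 1
}

def acl_permits(acl_number, src):
    """True if the basic ACL has a permit rule covering the source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ACLS.get(acl_number, []))

class TokenBucket:
    """CAR as a token bucket (assumed semantics): cir kbit/s refill, cbs bytes depth."""
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0  # bytes per second
        self.depth = float(cbs_bytes)
        self.tokens = float(cbs_bytes)
        self.last = 0.0

    def allow(self, size, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

class CpuDefendPolicy:
    """Model of one 'cpu-defend policy': classification order plus car/deny rules."""
    def __init__(self):
        self.whitelists = {}  # whitelist-id -> ACL number
        self.blacklists = {}  # blacklist-id -> ACL number
        self.flows = {}       # flow-id -> ACL number
        self.rules = {}       # ("flow", id) | ("type", name) -> ("car", bucket) | ("deny",)

    def whitelist(self, wid, acl):
        self.whitelists[wid] = acl
    def blacklist(self, bid, acl):
        self.blacklists[bid] = acl
    def user_defined_flow(self, fid, acl):
        self.flows[fid] = acl
    def car(self, target, cir_kbps, cbs_bytes):
        # car and deny share one slot per target: the latest setting wins (6.3.6).
        self.rules[target] = ("car", TokenBucket(cir_kbps, cbs_bytes))
    def deny(self, target):
        self.rules[target] = ("deny",)

    def process(self, pkt, now=0.0):
        """Return 'pass' or 'drop' for pkt = {'src', 'type', 'size'} offered at time now."""
        src = pkt["src"]
        if any(acl_permits(acl, src) for acl in self.whitelists.values()):
            return "pass"  # whitelist: sent first, never subject to car/deny
        if any(acl_permits(acl, src) for acl in self.blacklists.values()):
            return "drop"  # blacklist: discarded
        for fid in sorted(self.flows):  # lowest matching user-defined flow decides
            if acl_permits(self.flows[fid], src):
                return self._apply(("flow", fid), pkt, now)
        return self._apply(("type", pkt["type"]), pkt, now)

    def _apply(self, target, pkt, now):
        rule = self.rules.get(target)
        if rule is None:
            return "pass"  # simplification: the device's default CAR is not modelled
        if rule[0] == "deny":
            return "drop"
        return "pass" if rule[1].allow(pkt["size"], now) else "drop"

def build_policy_6():
    """Policy 6 exactly as configured in the 6.6.1 example."""
    p = CpuDefendPolicy()
    p.whitelist(1, 2001)
    p.user_defined_flow(1, 2002)
    p.blacklist(1, 2003)
    p.car(("flow", 1), 5000, 940000)
    p.car(("type", "icmp"), 5000, 940000)
    return p

def run_burst(policy, src, ptype, size, count, now=0.0):
    """Offer count packets of size bytes at instant now; return (passed, dropped)."""
    verdicts = [policy.process({"src": src, "type": ptype, "size": size}, now)
                for _ in range(count)]
    return verdicts.count("pass"), verdicts.count("drop")

if __name__ == "__main__":
    p = build_policy_6()
    print("net1 host:", p.process({"src": "1.1.1.5", "type": "arp", "size": 64}))
    print("net3 host:", p.process({"src": "3.3.3.5", "type": "arp", "size": 64}))
    # 1000 packets of 1500 bytes from net2 at t=0: the 940000-byte CBS admits 626.
    print("net2 burst:", run_burst(p, "2.2.2.9", "arp", 1500, 1000))
```

The burst figures make the CBS concrete: 940000 bytes admit 626 packets of 1500 bytes at once, and one second later the 5000 kbit/s CIR has refilled 625000 bytes, enough for 417 more; everything beyond that is dropped before it reaches the CPU, while net1 traffic is never counted against a bucket and net3 traffic never gets one.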


7 PPPoE+ Configuration

About This Chapter

This chapter describes how to configure PPPoE+.

7.1 PPPoE+ Overview
This section describes the principle of PPPoE+.

7.2 PPPoE+ Features Supported by the S9300
This section describes the PPPoE+ features supported by the S9300.

7.3 Configuring PPPoE+
This section describes how to configure PPPoE+.

7.4 Configuration Examples
This section provides several configuration examples of PPPoE+.


7.1 PPPoE+ OverviewThis section describes the principle of PPPoE+.

Currently, PPPoE provides good authentication and security mechanism, but still has certaindisadvantages, for example, account embezzlement.

In common PPPoE dialup mode, when users dial up through PPPoE from different interfaces ofdevices, they can access the newtork as long as their accounts are authenticated successfully onthe same RADIUS server. After PPPoE+ is enabled, you need to enter the user name andpassword in authentication and the authentication packet carries information including theinterface. If the port number identified by the RADIUS server is different from the configuredone, the authentication fails. In this manner, unauthorized users cannot embezzle the accountsof authorized users (mainly the company) to access the Internet.

7.2 PPPoE+ Features Supported by the S9300
This section describes the PPPoE+ features supported by the S9300.

The S9300 can add the device type and interface number to the PPPoE packets it receives from clients. The PPPoE server can then apply policy to each client flexibly according to this information, for example, to control IP address allocation or to account per access port.

7.3 Configuring PPPoE+
This section describes how to configure PPPoE+.

7.3.1 Establishing the Configuration Task

7.3.2 Enabling PPPoE+ Globally

7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets

7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets

7.3.5 Configuring the PPPoE Trusted Interface

7.3.6 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment
To prevent unauthorized users from gaining access during PPPoE authentication, configure PPPoE+ on the S9300. The S9300 then adds interface information to the PPPoE packets, so the PPPoE server and the RADIUS server can tie each account to its access port, which improves network security.

Pre-configuration Tasks
None.


Data Preparation

To configure PPPoE+, you need the following data.

No. Data

1 Interface number related to PPPoE authentication

2 Format and contents of the fields to be added to PPPoE packets

7.3.2 Enabling PPPoE+ Globally

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:pppoe intermediate-agent information enable

PPPoE+ is enabled globally.

After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces.

By default, PPPoE+ is disabled globally.

----End

7.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets

Context

After PPPoE+ is enabled globally, the user-side interfaces on the S9300 add information in the common format to the PPPoE packets they receive. You can change the format of the appended fields through this task.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:pppoe intermediate-agent information format { circuit-id | remote-id } { common | extend | user-defined text }

The format and contents of fields to be added to PPPoE packets are set.


After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in the specified format to the PPPoE packets they receive.

----End

7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets

Context
You can configure the action for processing the original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view applies to all interfaces. To apply a different action on one interface, run the pppoe intermediate-agent information policy command in the interface view; the action on that interface then follows the interface configuration rather than the global one.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.

- drop: removes the original fields from PPPoE packets.

- keep: retains the contents and format of the original fields in PPPoE packets. Fields supplied by the client are then passed upstream unverified.

- replace: replaces the original fields in PPPoE packets with fields in the configured format, regardless of whether the packets already carry the fields.

By default, after PPPoE+ is enabled globally, the user-side interfaces on the S9300 replace the original fields in the received PPPoE packets.

Step 3 (Optional) Run:interface interface-type interface-number

The Ethernet interface view is displayed.

Then run:

pppoe intermediate-agent information policy { drop | keep | replace }

The action for this interface to process original fields in PPPoE packets is configured. On this interface it takes precedence over the global setting.

----End

7.3.5 Configuring the PPPoE Trusted Interface

Context
To prevent bogus PPPoE servers, and the security risk of PPPoE packets being forwarded to interfaces that carry no PPPoE service, you can configure the interface connecting the S9300 to the PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets sent from PPPoE clients to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to PPPoE clients.

NOTE

The trusted interface controls only protocol packets in the PPPoE discovery stage; it does not control service packets in the PPPoE session stage.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run:pppoe uplink-port trusted

The interface is configured as the trusted interface.

----End
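The following Python model is added here as an illustration and is not part of the S9300 software or of this guide. It shows what the procedure above produces on the wire: the TR-101 Vendor-Specific tag (PPPoE tag type 0x0105, IANA enterprise number 3561) with a Circuit-ID sub-option that PPPoE+ inserts into PADI/PADR frames, the effect of the drop, keep and replace policies on a tag a client has already supplied, and the trusted-interface rule for the discovery stage. The Circuit-ID text, the port names and the frame contents are constructed; the S9300's exact common and extend encodings are not documented on this page and are not reproduced. Two readings of the page are built in and marked in the code: an untagged frame always receives the agent's tag, and drop strips a client-supplied tag without adding one.

```python
"""PPPoE+ intermediate-agent model (added example, not S9300 code).

PADI/PADR frames from user ports get a TR-101 Vendor-Specific tag
(type 0x0105, enterprise number 3561) with a Circuit-ID sub-option that
names the access port; a tag the client already sent is handled by the
drop/keep/replace policy; PADO/PADS are accepted from the trusted uplink
only. Session-stage frames (EtherType 0x8864) are not filtered, as the
NOTE above says. Circuit-ID text and frame contents are constructed.
"""
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_VENDOR_SPECIFIC = 0x0101, 0x0105
VENDOR_DSL_FORUM = 3561                    # IANA enterprise number used by TR-101
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02
CLIENT_TO_SERVER, SERVER_TO_CLIENT = {PADI, PADR}, {PADO, PADS}


def parse_discovery(body):
    """Split a PPPoE discovery body (after the Ethernet header) into (code, session, tags)."""
    ver_type, code, session, length = struct.unpack_from("!BBHH", body, 0)
    if ver_type != 0x11 or 6 + length > len(body):
        raise ValueError("not a well-formed PPPoE v1/type 1 discovery body")
    tags, off, end = [], 6, 6 + length
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated PPPoE tag header")
        ttype, tlen = struct.unpack_from("!HH", body, off)
        off += 4
        if off + tlen > end:
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, body[off:off + tlen]))
        off += tlen
    return code, session, tags


def build_discovery(code, session, tags):
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload


def vendor_tag(circuit_id, remote_id=None):
    """Vendor-Specific tag value: enterprise number, then 1-byte type / 1-byte length sub-options."""
    value = struct.pack("!I", VENDOR_DSL_FORUM)
    value += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        value += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return value


def circuit_id_of(tags):
    """Circuit-ID carried in the first DSL Forum vendor tag, or None if there is none."""
    for ttype, value in tags:
        if ttype != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_DSL_FORUM:
            continue
        off = 4
        while off + 2 <= len(value):
            stype, slen = value[off], value[off + 1]
            if stype == SUB_CIRCUIT_ID:
                return value[off + 2:off + 2 + slen]
            off += 2 + slen
    return None


def intermediate_agent(body, in_port, trusted_port, circuit_id, policy="replace"):
    """Process one discovery body received on in_port.

    Returns ("trusted"|"user", new_body) for a forwarded frame, or None if dropped.
    policy mirrors `pppoe intermediate-agent information policy { drop | keep | replace }`.
    Reading of the page used here: an untagged frame always gets the agent's tag,
    `drop` strips a client-supplied tag without adding one, `keep` passes it on as-is.
    """
    code, session, tags = parse_discovery(body)
    if code in SERVER_TO_CLIENT:
        # PADO/PADS are accepted only from the trusted uplink (blocks bogus PPPoE servers).
        return ("user", body) if in_port == trusted_port else None
    if code not in CLIENT_TO_SERVER or in_port == trusted_port:
        return None                            # PADI/PADR travel user port -> uplink only
    client_tags = [tv for tv in tags if tv[0] == TAG_VENDOR_SPECIFIC]
    others = [tv for tv in tags if tv[0] != TAG_VENDOR_SPECIFIC]
    if client_tags and policy == "keep":
        new_tags = tags                        # client-chosen identity goes upstream unverified
    elif client_tags and policy == "drop":
        new_tags = others
    else:
        new_tags = others + [(TAG_VENDOR_SPECIFIC, vendor_tag(circuit_id))]
    return ("trusted", build_discovery(code, session, new_tags))


def demo():
    """A client on GE2/0/1 tries to supply its own Circuit-ID; compare the three policies."""
    forged = vendor_tag(b"forged 0/0/0")
    padi = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_VENDOR_SPECIFIC, forged)])
    my_id = b"S9300 eth 2/0/1"                 # constructed text, not the S9300's real encoding
    seen = {}
    for policy in ("keep", "drop", "replace"):
        _, out = intermediate_agent(padi, "GE2/0/1", "GE1/0/0", my_id, policy)
        seen[policy] = circuit_id_of(parse_discovery(out)[2])
    return seen


if __name__ == "__main__":
    for policy, cid in demo().items():
        print(f"{policy:8s} -> Circuit-ID seen by the BRAS: {cid}")
```

Run as a script, the demo prints the Circuit-ID the BRAS would see under each policy: with keep the client's forged value survives, with drop the frame carries no circuit information at all, and only replace (the default) guarantees the RADIUS server compares the real access port.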

7.3.6 Checking the Configuration

Procedure
- Run the display pppoe intermediate-agent information format command to check information about the circuit ID and remote ID that are set globally.

- Run the display pppoe intermediate-agent information policy command to check the globally set action for processing original fields in PPPoE packets.

----End

7.4 Configuration Examples
This section provides a configuration example of PPPoE+.

7.4.1 Example for Configuring PPPoE+

7.4.1 Example for Configuring PPPoE+

Networking Requirements

As shown in Figure 7-1, the Switch is connected to the upstream device BRAS and to the downstream PCs; the PPPoE server runs on the BRAS. PPPoE+ is enabled on the Switch to control and monitor dial-up users.


Figure 7-1 Networking diagram for configuring PPPoE+

[Figure: two PPPoE clients connect to the S9300 (running PPPoE+) on GE2/0/1 and GE2/0/2; GE1/0/0 of the S9300 connects to the BRAS acting as PPPoE server, which connects to the IP network.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable PPPoE+ globally.

NOTE

After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.

2. Configure the contents and format of the fields to be added to PPPoE packets on the Switch.
3. Configure the action for the Switch to process original fields in PPPoE packets.
4. Configure the interface connecting the Switch to the PPPoE server as the trusted interface.

Data Preparation

None.

Procedure

Step 1 Enable PPPoE+.

<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

Step 2 Configure the format of information fields.

Configure the Switch to add the circuit ID in extend format to PPPoE packets, that is, in hexadecimal notation.

[Quidway] pppoe intermediate-agent information format circuit-id extend


Step 3 Configure the action for processing original fields in PPPoE packets.

Configure all the interfaces to replace the original fields in PPPoE packets with the circuit ID of the Switch.

[Quidway] pppoe intermediate-agent information policy replace

Step 4 Configure the trusted interface.

Configure GE 1/0/0 as the trusted interface.

[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] pppoe uplink-port trusted
[Quidway-GigabitEthernet1/0/0] quit

----End

Configuration Files
#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet1/0/0
 pppoe uplink-port trusted
#
return


8 MFF Configuration

About This Chapter

This chapter describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.

8.1 MFF Overview
This section describes the principle of the MFF function.

8.2 MFF Features Supported by the S9300
This section describes the MFF features supported by the S9300.

8.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.

8.4 Configuration Examples
This section provides a configuration example of MFF.


8.1 MFF Overview
This section describes the principle of the MFF function.

Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs is required. In addition, to let the clients communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address, which wastes IP addresses. Such a network is also open to attack, and malicious traffic from users on the network cannot be prevented.

The MFF function solves this problem by implementing Layer 2 isolation and Layer 3 interconnection between the clients in one broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, replies with ARP responses containing the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including traffic to hosts on the same subnet, to the gateway, so that the gateway can monitor the data traffic. This prevents malicious attacks between users and improves network security.

MFF Interface Role
Two types of interfaces are involved in the MFF function: the network interface and the user interface.

- User interface
A user interface is an interface directly connected to users. MFF processes packets on a user interface as follows:
  – Allows protocol packets to pass through.
  – Sends ARP and DHCP packets to the CPU.
  – If the interface has learned the MAC address of the gateway, MFF allows unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards all other packets. If the interface has not learned the MAC address of the gateway, MFF discards all packets.
  – Rejects multicast packets and broadcast packets.

- Network interface
A network interface is an interface connected to another network device, for example, an access switch, an aggregation switch, or a gateway. MFF processes packets on a network interface as follows:
  – Allows multicast and DHCP packets to pass through.
  – Sends ARP packets to the CPU.
  – Rejects broadcast packets.


NOTE

- The network interfaces include:
  – Uplink interfaces connected to the gateway
  – Interfaces connected to other MFF devices when multiple MFF devices are deployed on the network
  – Interfaces between the MFF devices on a ring network

- The interface role is not determined by the position of the interface on the network.

- In a VLAN where MFF is enabled, every interface must be either a network interface or a user interface.

8.2 MFF Features Supported by the S9300
This section describes the MFF features supported by the S9300.

Static Gateway

The static gateway applies to scenarios where IP addresses are assigned statically. Users with static IP addresses cannot obtain the gateway information through DHCP packets, so a static gateway address needs to be configured for each such VLAN. If no static gateway address is configured, no users except DHCP users can communicate.

Gateway Address Detection and Maintenance

If timed gateway address detection is enabled, MFF sends detection packets periodically to check whether the gateway address needs to be updated.

The detection packet is an ARP request that MFF constructs with the IP address and MAC address of the first user in the MFF user list as its source. If the first user entry is deleted, MFF selects another user entry to build the packet. If no user entry remains for the gateway after the deletion, MFF deletes the probe information for that gateway.

ARP Proxy

Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy also reduces the number of broadcast packets on the network side and the user side.

MFF processes ARP packets as follows:

- Responds to the ARP requests of users. MFF answers the ARP requests of users on behalf of the gateway, so all user packets are forwarded at Layer 3 by the gateway. The user's ARP request may be for the gateway address or for the IP address of another user; either way, the reply carries the gateway MAC address.

- Responds to the ARP requests of the gateway. MFF answers the ARP requests of the gateway on behalf of user hosts. If an ARP entry matching the request exists on the MFF device, MFF returns a response with the requested address to the gateway. If the entry does not exist, MFF forwards the request. In this way, the number of broadcast packets is reduced.

- Monitors the ARP packets on the network and updates the IP address and MAC address of the gateway.


Server Deployment on the Network

The server IP address can be the IP address of the DHCP server, the IP address of another server, or the virtual IP address of a VRRP group.

If a network interface receives an ARP request whose source IP address is a configured server address, MFF answers that request in the same way it answers a request from the gateway. That is, packets sent from users are still forwarded to the gateway and then on to the server, but packets sent by the server reach users directly without being forwarded through the gateway.
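The following Python model is an added example and not S9300 code; it puts the behaviour described in 8.1 and 8.2 into one place so that it can be exercised: the user-interface and network-interface forwarding rules, the ARP proxy that answers every user request with the gateway MAC (including requests for another user on the same subnet), the proxy answers given to the gateway and to configured server addresses from the user table, the learning of the gateway MAC from ARP seen on network interfaces only, and the constructed probe used for timed gateway detection. Addresses, port names and the frame representation are constructed; the bindings that DHCP snooping would supply are fed in by hand.

```python
"""MAC-Forced Forwarding (MFF) model for one VLAN (added example, not S9300 code).

"cpu" means the switch handles the frame itself, "forward" that it passes,
"drop" that it is discarded. All addresses are constructed.
"""
from dataclasses import dataclass, field

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str                  # "arp-req", "arp-reply", "dhcp" or "ipv4"
    src_ip: str = ""
    dst_ip: str = ""            # for ARP, the target IP


@dataclass
class MffVlan:
    vlan_id: int
    network_ports: set = field(default_factory=set)
    static_gateway: str = None                   # mac-forced-forwarding static-gateway
    servers: set = field(default_factory=set)    # mac-forced-forwarding server
    users: dict = field(default_factory=dict)    # user IP -> user MAC
    gateway_ip: str = None
    gateway_mac: str = None

    def learn_user(self, ip, mac, router_option=None):
        """Add a user binding as DHCP snooping would; the DHCP router option gives
        the gateway IP unless a static gateway is configured."""
        self.users[ip] = mac
        if self.gateway_ip is None:
            self.gateway_ip = self.static_gateway or router_option

    def gateway_probe(self):
        """Timed gateway detection: an ARP request for the gateway sourced from the
        first user entry, or None when there is no user to borrow an identity from."""
        if not self.users or self.gateway_ip is None:
            return None
        ip, mac = next(iter(self.users.items()))
        return Frame(mac, BCAST, "arp-req", ip, self.gateway_ip)

    def on_frame(self, port, f):
        """Return (disposition, proxy ARP reply or None) for a frame received on port."""
        network = port in self.network_ports
        if f.proto in ("arp-req", "arp-reply"):
            return "cpu", (self._arp_from_network(f) if network else self._arp_from_user(f))
        if f.proto == "dhcp":
            return ("forward" if network else "cpu"), None
        if network:
            return ("drop" if f.dst_mac == BCAST else "forward"), None
        # User interface: only unicast to the learned gateway MAC passes; broadcast,
        # multicast and direct user-to-user unicast are discarded.
        if self.gateway_mac is not None and f.dst_mac == self.gateway_mac:
            return "forward", None
        return "drop", None

    def _arp_from_user(self, f):
        # Every user request is answered with the gateway MAC whatever the target IP,
        # so same-subnet traffic is forced through the gateway. ARP from users never
        # updates the gateway MAC, so a user cannot pose as the gateway.
        if f.proto == "arp-req" and self.gateway_mac is not None:
            return Frame(self.gateway_mac, f.src_mac, "arp-reply", f.dst_ip, f.src_ip)
        return None

    def _arp_from_network(self, f):
        if f.src_ip == self.gateway_ip:
            self.gateway_mac = f.src_mac             # learn or refresh the gateway MAC
        if f.proto == "arp-req" and (f.src_ip == self.gateway_ip or f.src_ip in self.servers):
            mac = self.users.get(f.dst_ip)
            if mac is not None:                      # answer on the user's behalf
                return Frame(mac, f.src_mac, "arp-reply", f.dst_ip, f.src_ip)
        return None                                  # no entry: the request is forwarded on


def demo():
    """Constructed VLAN 10: users .11/.12 on GE1/0/1-2, gateway .254 behind GE2/0/1."""
    v = MffVlan(10, network_ports={"GE2/0/1"}, servers={"10.10.10.1"})
    v.learn_user("10.10.10.11", "00:01:00:01:00:01", "10.10.10.254")
    v.learn_user("10.10.10.12", "00:01:00:01:00:02", "10.10.10.254")
    u1, u2, gw = "00:01:00:01:00:01", "00:01:00:01:00:02", "00:02:00:02:00:01"
    s = {}
    s["early"] = v.on_frame("GE1/0/1", Frame(u1, gw, "ipv4"))[0]          # gateway MAC unknown yet
    _, r = v.on_frame("GE2/0/1", Frame(gw, BCAST, "arp-req", "10.10.10.254", "10.10.10.11"))
    s["gw_reply_src"] = r.src_mac                                           # proxied from the table
    _, r = v.on_frame("GE1/0/1", Frame(u1, BCAST, "arp-req", "10.10.10.11", "10.10.10.12"))
    s["user_reply_src"] = r.src_mac                                         # gateway MAC, not u2's
    s["peer"] = v.on_frame("GE1/0/1", Frame(u1, u2, "ipv4"))[0]            # direct to neighbour
    s["via_gw"] = v.on_frame("GE1/0/1", Frame(u1, gw, "ipv4"))[0]
    v.on_frame("GE1/0/2", Frame("00:0b:ad:00:00:01", BCAST, "arp-reply", "10.10.10.254", "10.10.10.11"))
    s["gw_mac"] = v.gateway_mac                                             # spoof from user ignored
    _, r = v.on_frame("GE2/0/1", Frame("00:03:00:03:00:01", BCAST, "arp-req", "10.10.10.1", "10.10.10.12"))
    s["server_reply_src"] = r.src_mac                                       # server treated like gateway
    s["net_bcast"] = v.on_frame("GE2/0/1", Frame(gw, BCAST, "ipv4"))[0]
    s["probe_src"] = v.gateway_probe().src_mac
    return s
```

The demo walks through the sequence the text describes: nothing leaves a user port until the gateway MAC has been learned from a network interface, a user asking for its neighbour gets the gateway's MAC instead, direct user-to-user unicast is dropped while unicast to the gateway passes, and an ARP reply from a user port that claims the gateway's IP does not change the learned gateway MAC.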

8.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.

8.3.1 Establishing the Configuration Task

8.3.2 Enabling Global MFF

8.3.3 Configuring the MFF Network Interface

8.3.4 Enabling MFF in a VLAN

8.3.5 (Optional) Configuring the Static Gateway Address

8.3.6 (Optional) Enabling Timed Gateway Address Detection

8.3.7 (Optional) Setting the Server Address

8.3.8 Checking the Configuration

8.3.1 Establishing the Configuration Task

Applicable Environment

At the access layer of a Metro Ethernet network, you can configure the MFF function to implement Layer 2 isolation between access users. Traffic between users is forwarded by the gateway at Layer 3. In this way, you can filter user traffic, schedule traffic based on policies, and charge users.

Pre-configuration Tasks

Before configuring basic MFF functions, complete the following tasks.

If DHCP users exist, you need to perform the following operations:

- Enabling DHCP snooping

- Configuring the trusted interface of DHCP snooping

Data Preparation

To configure the MFF function, you need the following data.


No. Data

1 VLAN ID of the MFF device

2 Type and number of the network interface to be configured

3 (Optional) IP address of the static gateway to be configured

4 (Optional) IP address of the server to be configured

8.3.2 Enabling Global MFF

Context
You can perform other MFF configurations only after enabling global MFF.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:mac-forced-forwarding enable

The global MFF is enabled.

By default, the global MFF is disabled.

----End

8.3.3 Configuring the MFF Network Interface

Context
The MFF function of a VLAN takes effect only after you configure at least one network interface in the VLAN.

NOTE

This task can be performed before global MFF is enabled; however, it takes effect only after global MFF is enabled.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:interface interface-type interface-number


The interface view is displayed.

The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Step 3 Run:mac-forced-forwarding network-port

The interface is configured as a network interface.

By default, the interface is a user interface.

----End

8.3.4 Enabling MFF in a VLAN

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:vlan vlan-id

The VLAN view is displayed.

Step 3 Run:mac-forced-forwarding enable

The MFF function is enabled for the VLAN.

By default, the MFF function is disabled in a VLAN.

----End

8.3.5 (Optional) Configuring the Static Gateway Address

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:vlan vlan-id

The VLAN view is displayed.

Step 3 Run:mac-forced-forwarding static-gateway ip-address

The IP address of the static gateway is set.

----End


8.3.6 (Optional) Enabling Timed Gateway Address Detection

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:vlan vlan-id

The VLAN view is displayed.

Step 3 Run:mac-forced-forwarding gateway-detect

The timed gateway address detection is enabled.

After the timed gateway address detection is enabled, the S9300 sends ARP packets periodicallyto detect the gateway.

By default, the timed gateway address detection is disabled.

----End

8.3.7 (Optional) Setting the Server Address

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:vlan vlan-id

The VLAN view is displayed.

Step 3 Run:mac-forced-forwarding server ip-address &<1~10>

The IP address of the server deployed on the network is set. The ip-address parameter can be repeated, so up to 10 server addresses can be given in one command.

----End

8.3.8 Checking the Configuration

Procedure
- Run the display mac-forced-forwarding network-port command to view the MFF network interfaces.


- Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and the gateway in the VLAN.

----End

Example
Run the display mac-forced-forwarding network-port command to see the network-side interfaces of each MFF VLAN.

<Quidway> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID    Network-ports
--------------------------------------------------------------------------------
VLAN 10    GigabitEthernet2/0/0 GigabitEthernet2/0/1 GigabitEthernet2/0/2 GigabitEthernet2/0/3
VLAN 100   GigabitEthernet1/0/10 GigabitEthernet1/0/15

Run the display mac-forced-forwarding vlan vlan-id command to see information about MFF users and the gateway in the VLAN.

<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2 192.168.1.3
--------------------------------------------------------------------
User IP          User MAC             Gateway IP       Gateway MAC
--------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01    192.168.1.254    00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02    192.168.1.254    00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03    192.168.1.252    00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3

8.4 Configuration Examples
This section provides a configuration example of MFF.

8.4.1 Example for Configuring MFF

8.4.1 Example for Configuring MFF

Networking Requirements
As shown in Figure 8-1, all the user hosts obtain IP addresses through the DHCP server and all the devices are located in VLAN 10. To implement Layer 2 isolation and Layer 3 interconnection between the hosts, configure the MFF function on Switch A and Switch B.


Figure 8-1 Networking diagram for configuring MFF

[Figure: user PCs attach to S9300-A on GE1/0/1, GE1/0/2 and GE1/0/3 and to S9300-B on GE2/0/2; S9300-A GE2/0/1 connects to S9300-B GE2/0/1; S9300-B GE1/0/0 connects upstream to the router AR (10.10.10.1/24) and the DHCP server.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable timed gateway address detection.
6. (Optional) Configure the server.

Data Preparation
To complete the configuration, you need the following data:

- VLAN ID of the MFF device

- Type and number of the network interfaces to be configured

- (Optional) IP address of the server to be configured

Procedure

Step 1 Configure DHCP snooping.

# Enable global DHCP snooping on Switch A.

<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable


# Enable DHCP snooping on the interfaces of Switch A. Take the configuration on GE 1/0/1 as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar and are not shown here.

[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dhcp snooping enable
[SwitchA-GigabitEthernet1/0/1] quit

# Set GE 2/0/1 on Switch A to the trusted state.

[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet2/0/1] quit

# Enable global DHCP snooping on Switch B.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] dhcp enable
[SwitchB] dhcp snooping enable

# Enable DHCP snooping on the interfaces of Switch B. Take the configuration on GE 1/0/0 as an example. The configurations on GE 2/0/1 and GE 2/0/2 are similar and are not shown here.

[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] dhcp snooping enable
[SwitchB-GigabitEthernet1/0/0] quit

# Set GE 1/0/0 on Switch B to the trusted state.

[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] dhcp snooping trusted
[SwitchB-GigabitEthernet1/0/0] quit

Step 2 Enable global MFF.

# Enable global MFF on Switch A.

[SwitchA] mac-forced-forwarding enable

# Enable global MFF on Switch B.

[SwitchB] mac-forced-forwarding enable

Step 3 Configure the MFF network interfaces.

# Configure GE 2/0/1 of Switch A as the network interface.

[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[SwitchA-GigabitEthernet2/0/1] quit

# Configure GE 1/0/0 and GE 2/0/1 of Switch B as the network interfaces.

[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] mac-forced-forwarding network-port
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[SwitchB-GigabitEthernet2/0/1] quit

Step 4 Enable MFF for the VLAN.

# Enable MFF for VLAN 10 on Switch A.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable


# Enable MFF for VLAN 10 on Switch B.

[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable

Step 5 (Optional) Enable the function of timed gateway address detection.

# Enable the function of timed gateway address detection on Switch A.

[SwitchA-vlan10] mac-forced-forwarding gateway-detect

# Enable the function of timed gateway address detection on Switch B.

[SwitchB-vlan10] mac-forced-forwarding gateway-detect

Step 6 (Optional) Configure the server.

# Configure the server on Switch A.

[SwitchA-vlan10] mac-forced-forwarding server 10.10.10.1

# Configure the server on Switch B.

[SwitchB-vlan10] mac-forced-forwarding server 10.10.10.1

----End

Configuration Files
- Configuration file of Switch A
#
 sysname SwitchA
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
return


- Configuration file of Switch B
#
 sysname SwitchB
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
return


9 Interface Security Configuration

About This Chapter

This chapter describes the principle and configuration of interface security.

9.1 Interface Security Overview
This section describes the principle of the interface security function.

9.2 Interface Security Features Supported by the S9300
This section describes the interface security features supported by the S9300.

9.3 Configuring Interface Security
This section describes how to configure the interface security function.

9.4 Configuration Examples
This section provides a configuration example of interface security.


9.1 Interface Security Overview
This section describes the principle of the interface security function.

The interface security function is a security protection mechanism that controls access to the network.

The interface security function records the MAC address of the host connected to an interface of the S9300, that is, the network adapter ID of the host. Only hosts with the recorded MAC addresses can communicate through this interface; hosts with other MAC addresses are prevented from communicating through it. The interface security function thus keeps unlisted devices off the network and enhances network security.

9.2 Interface Security Features Supported by the S9300
This section describes the interface security features supported by the S9300.

The Ethernet and GE interfaces on the S9300 support the interface security function. After interface security is configured on an Ethernet interface or a GE interface, the S9300 considers the following types of MAC addresses authorized:

- Static MAC addresses that are manually configured

- Dynamic MAC addresses learned before the number of MAC addresses reaches the upper limit

- Dynamic or static MAC addresses in the DHCP snooping table

The S9300 considers all other MAC addresses unauthorized. When an interface receives packets sent from unauthorized MAC addresses, the interface security protection action takes effect. Currently, the S9300 supports the following protection actions:

- protect: When an interface receives packets from unauthorized MAC addresses, it neither learns their source MAC addresses nor forwards them; it discards the packets silently.

- restrict: When an interface receives packets from unauthorized MAC addresses, it neither learns their source MAC addresses nor forwards them; it discards the packets and sends a trap to the Network Management System (NMS).
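To make the authorization sources and the two protection actions concrete, the following Python model is added here; it is an illustration and not S9300 code. It keeps, per interface, the static entries, the DHCP snooping bindings, the dynamically learned (or sticky) addresses and the learning limit, and returns the disposition of each incoming frame. Traps are collected in a list instead of being sent to an NMS. The link_down method stands in for the clearing of dynamic entries when a link drops, which is what the sticky MAC function of 9.3.5 is meant to survive. MAC addresses and interface names are constructed.

```python
"""Interface (port) security model (added example, not S9300 code).

Authorized source MACs on an interface are: static entries, DHCP snooping
bindings, and addresses learned dynamically (or as sticky entries) while
the count is below the configured maximum. Anything else triggers the
protection action: `protect` drops silently, `restrict` drops and raises
a trap. Addresses and interface names are constructed.
"""


class PortSecurity:
    def __init__(self, name, max_mac=1, action="restrict", sticky=False):
        if action not in ("protect", "restrict"):
            raise ValueError("action must be protect or restrict")
        self.name, self.max_mac, self.action, self.sticky = name, max_mac, action, sticky
        self.static = set()        # manually configured static MAC addresses
        self.snooping = set()      # entries from the DHCP snooping table
        self.dynamic = set()       # learned dynamically; lost when the link drops
        self.sticky_macs = set()   # learned, then kept like static entries
        self.traps = []            # what `restrict` would send to the NMS
        self.violations = 0

    def add_static(self, mac):
        self.static.add(mac.lower())

    def add_snooping_binding(self, mac):
        self.snooping.add(mac.lower())

    def is_authorized(self, mac):
        return (mac in self.static or mac in self.snooping
                or mac in self.dynamic or mac in self.sticky_macs)

    def receive(self, src_mac):
        """Disposition of a frame with this source MAC: "forward" or "drop"."""
        mac = src_mac.lower()
        if self.is_authorized(mac):
            return "forward"
        learned = self.sticky_macs if self.sticky else self.dynamic
        if len(learned) < self.max_mac:
            learned.add(mac)                        # below the limit: learn and forward
            return "forward"
        self.violations += 1                        # over the limit: protection action
        if self.action == "restrict":
            self.traps.append(f"{self.name}: unauthorized source MAC {mac} "
                              f"(violation {self.violations})")
        return "drop"

    def link_down(self):
        """Dynamic entries are cleared when the link drops; static, snooping and sticky entries stay."""
        self.dynamic.clear()


def demo():
    """One legitimate host per interface, then a rogue host, then a cable swap."""
    plain = PortSecurity("GE1/0/1", max_mac=1, action="restrict")
    sticky = PortSecurity("GE1/0/2", max_mac=1, action="protect", sticky=True)
    host, rogue = "00:01:00:01:00:01", "00:0b:ad:00:00:01"
    result = {}
    for port in (plain, sticky):
        seq = [port.receive(host), port.receive(rogue)]
        port.link_down()                            # rogue unplugs the host and takes its cable
        seq.append(port.receive(rogue))
        result[port.name] = (seq, len(port.traps), port.violations)
    return result


if __name__ == "__main__":
    for name, (seq, traps, violations) in demo().items():
        print(f"{name}: {seq}  traps={traps} violations={violations}")
```

The demo shows why the limit alone is not enough: on GE1/0/1 the rogue is rejected (and, with restrict, reported) while the legitimate host is plugged in, but after a link flap it is simply learned in the freed slot. On GE1/0/2 the sticky entry survives the flap and the rogue stays out, although with protect the NMS never hears about it; the local violation counter is the only trace.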

9.3 Configuring Interface Security
This section describes how to configure the interface security function.

9.3.1 Establishing the Configuration Task

9.3.2 Enabling the Interface Security Function

9.3.3 (Optional) Configuring the Protection Action in Interface Security

9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface

9.3.5 Enabling Sticky MAC on an Interface

9.3.6 Checking the Configuration


9.3.1 Establishing the Configuration Task

Applicable Environment
The interface security function records the MAC address of the host connected to an interface of the S9300, that is, the network adapter ID of the host. Only hosts with the recorded MAC addresses can communicate through this interface; hosts with other MAC addresses are prevented from communicating through it. The interface security function thus keeps unlisted devices off the network and enhances network security.

Pre-configuration Tasks
None.

Data Preparation
Before configuring interface security, you need the following data.

No. Data

1 Interface type and number

2 Maximum number of MAC addresses that can be learned by an interface

9.3.2 Enabling the Interface Security Function

Context

You can perform other configurations of interface security, for example, configuring protection actions, setting the maximum number of MAC addresses that can be learned, and configuring the sticky MAC address, only after the interface security function is enabled.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface or a GE interface.

Step 3 Run:

port-security enable

The interface security function is enabled.


By default, the interface security function is disabled on interfaces of the S9300.

----End

9.3.3 (Optional) Configuring the Protection Action in Interface Security

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface or a GE interface.

Step 3 Run:

port-security protect-action { protect | restrict }

The protection action in interface security is configured.

By default, the protection action is restrict.

----End

9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface

Context

NOTE

- If the sticky MAC function is disabled, this task can limit the maximum number of MAC addresses dynamically learned by an interface.

- If the sticky MAC function is enabled, this task can limit the maximum number of sticky MAC addresses learned by an interface.

- For the sticky MAC function, see 9.3.5 Enabling Sticky MAC on an Interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface or a GE interface.

Step 3 Run:

port-security maximum max-number

The maximum number of MAC addresses learned by an interface is set.

After the interface security function is enabled, the maximum number of MAC addresses learned by an interface is 1 by default.

----End

9.3.5 Enabling Sticky MAC on an Interface

Context

The sticky MAC function converts a dynamic MAC address learned by an interface into a static MAC address, as if the MAC address were stuck to the interface. When the number of MAC addresses learned by an interface reaches the maximum, the interface cannot learn new MAC addresses. The interface converts the dynamic MAC addresses to sticky MAC addresses, and only the hosts with the sticky MAC addresses are allowed to communicate with the S9300.

After this function is enabled, the S9300 does not need to learn the MAC addresses again after a restart. In addition, hosts using untrusted MAC addresses are prevented from communicating with the S9300 through this interface.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

The interface can be an Ethernet interface or a GE interface.

Step 3 Run:

port-security mac-address sticky

The sticky MAC function is enabled on the interface.

By default, the sticky MAC function is disabled on an interface.

----End

9.3.6 Checking the Configuration

Procedure

- Run the display current-configuration interface interface-type interface-number command to check the current configuration of the interface.


- Run the display sticky-mac command to view the sticky MAC entries.

----End

Example

Run the display sticky-mac command, and you can view the sticky MAC address entries.

<Quidway> display sticky-mac interface GigabitEthernet 2/0/1
MAC Address      VLAN/VSI   Port                   Type
----------------------------------------------------------------------
0018-2000-0083   1          GigabitEthernet2/0/1   sticky mac

Total 1 printed

9.4 Configuration Examples

This section provides a configuration example of interface security.

9.4.1 Example for Configuring Interface Security

9.4.1 Example for Configuring Interface Security

Networking Requirements

As shown in Figure 9-1, a company wants to prevent the computers of non-employees from accessing the intranet of the company, to protect information security. To achieve this goal, the company needs to enable the sticky MAC function on the interfaces connected to the computers of employees and set the maximum number of MAC addresses learned by the interfaces to be the same as the number of trusted computers.

Figure 9-1 Networking diagram for configuring interface security

[Figure not reproduced. Elements shown: S9300, GE1/0/1, LAN switch, PC1, PC2, PC3, VLAN 10, Internet.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Create a VLAN and set the VLAN attribute of the interface to trunk.
2. Enable the interface security function.
3. Configure the protection action.
4. Set the maximum number of MAC addresses that can be learned by the interfaces.
5. Enable the sticky MAC function on the interfaces.

Data Preparation

To complete the configuration, you need the following data:

- VLAN ID carried in packets that the interface allows to pass through

- Types and numbers of the interfaces connected to the computers

- Protection action

- Maximum number of MAC addresses learned by interfaces

Procedure

Step 1 Create a VLAN and set the VLAN attribute of the interface.

<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10

Step 2 Configure the interface security function.

# Enable the interface security function.

[Quidway-GigabitEthernet1/0/1] port-security enable

# Configure the protection action.

[Quidway-GigabitEthernet1/0/1] port-security protect-action protect

# Set the maximum number of MAC addresses that can be learned by the interface.

[Quidway-GigabitEthernet1/0/1] port-security maximum 4

# Enable the sticky MAC function on the interface.

[Quidway-GigabitEthernet1/0/1] port-security mac-address sticky

To enable the interface security function on other interfaces, repeat the preceding steps.

Step 3 Verify the configuration.

If PC1 is replaced by another PC, this PC cannot access the intranet of the company.

----End


Configuration Files

The following lists the configuration file of the Switch.

#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 port-security enable
 port-security protect-action protect
 port-security mac-address sticky
 port-security maximum 4
#
return
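The following Python model is added here as an illustration and is not part of the Huawei guide. It replays what the Context of 9.3.5 and the example above describe: addresses are learned up to the configured maximum, sticky entries survive a restart, and an unauthorized source MAC is dropped (protect) or dropped and trapped (restrict). The SecuredPort class and the MAC addresses are constructed for the example.

```python
"""Behavioural model of S9300 interface security (port-security), added as an
illustration. It is not Huawei code; it only mirrors the guide's description."""
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    enabled: bool = False          # port-security enable
    action: str = "restrict"       # port-security protect-action, default restrict
    maximum: int = 1               # port-security maximum, default 1
    sticky: bool = False           # port-security mac-address sticky
    dynamic: set = field(default_factory=set)   # dynamically learned MACs
    static: set = field(default_factory=set)    # sticky (static) MACs
    traps: list = field(default_factory=list)   # traps sent to the NMS (restrict only)

    def authorized(self) -> set:
        return self.dynamic | self.static

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with the given source MAC."""
        src_mac = src_mac.lower()
        if not self.enabled:
            self.dynamic.add(src_mac)          # ordinary MAC learning, no limit
            return "forward"
        if src_mac in self.authorized():
            return "forward"
        if len(self.authorized()) < self.maximum:
            # Room left: learn the address. With sticky on, the learned address is
            # kept as a sticky (static) entry; otherwise it stays a dynamic entry.
            (self.static if self.sticky else self.dynamic).add(src_mac)
            return "forward"
        # Unauthorized MAC: both actions discard the frame and learn nothing.
        if self.action == "restrict":
            self.traps.append(f"{self.name}: unauthorized source MAC {src_mac}")
        return "drop"

    def restart(self) -> None:
        """Dynamic entries are lost on restart; sticky entries are kept."""
        self.dynamic.clear()


def scenario_9_4_1() -> dict:
    """Replays the guide's example on GE1/0/1: protect action, maximum 4, sticky on.
    The four trusted MACs and the replacement MAC are constructed values."""
    port = SecuredPort("GigabitEthernet1/0/1", enabled=True, action="protect",
                       maximum=4, sticky=True)
    trusted = ["0018-2000-0001", "0018-2000-0002", "0018-2000-0003", "0018-2000-0004"]
    results = {mac: port.receive(mac) for mac in trusted}
    results["replacement"] = port.receive("00aa-bbbb-cccc")   # PC1 swapped for another PC
    port.restart()
    results["after_restart"] = port.receive("0018-2000-0001")  # sticky entry still there
    results["traps"] = len(port.traps)                         # protect sends no trap
    return results
```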


10 Traffic Suppression Configuration

About This Chapter

This chapter describes the principle and configuration of traffic suppression.

10.1 Introduction to Traffic Suppression

This section describes the principle of traffic suppression.

10.2 Traffic Suppression Features Supported by the S9300

This section describes the traffic suppression features supported by the S9300.

10.3 Configuring Traffic Suppression

This section describes how to configure traffic suppression on a specified interface.

10.4 Configuration Examples

This section provides several configuration examples of traffic suppression.


10.1 Introduction to Traffic Suppression

This section describes the principle of traffic suppression.

Broadcast packets entering the S9300 are forwarded on all the interfaces in a VLAN, and multicast packets are forwarded on all interfaces of the multicast group. After unknown unicast packets enter the S9300, the S9300 broadcasts the packets to all the interfaces. These three types of packets consume a large amount of bandwidth, reduce the available bandwidth of the system, and affect normal forwarding and processing capabilities.

The traffic suppression function can be used to limit the traffic entering the interface and to protect the S9300 against the three types of traffic. It also guarantees the available bandwidth and processing capabilities of the S9300 when the traffic is abnormal.

10.2 Traffic Suppression Features Supported by the S9300

This section describes the traffic suppression features supported by the S9300.

The traffic suppression function can be configured on Ethernet interfaces of the S9300.

10.3 Configuring Traffic Suppression

This section describes how to configure traffic suppression on a specified interface.

10.3.1 Establishing the Configuration Task

10.3.2 Configuring Traffic Suppression on an Interface

10.3.3 Checking the Configuration

10.3.1 Establishing the Configuration Task

Applicable Environment

To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface and protect the device against traffic attacks, you can configure traffic suppression on the interface.

Pre-configuration Tasks

None

Data Preparation

To configure traffic suppression, you need the following data.

No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3    Mode in which traffic is suppressed (packet rate, bit rate, or rate percentage on a physical interface)
4    Limited rate, including packet rate, committed information rate (CIR), committed burst size (CBS), and bandwidth percentage

10.3.2 Configuring Traffic Suppression on an Interface

Context

Do as follows on the S9300 where traffic suppression needs to be configured.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Traffic suppression can be configured on Ethernet interfaces or GE interfaces of the S9300.

Step 3 Run:

{ broadcast-suppression | multicast-suppression | unicast-suppression } { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

Traffic suppression is configured.

Traffic suppression for three types of traffic can be configured on an interface of the S9300. Select one of the following traffic suppression modes for each type of traffic on an interface:

- To configure traffic suppression based on the packet rate, you must select the packets parameter.

- To configure traffic suppression based on the bit rate, you must select the cir and cbs parameters.

- To configure traffic suppression based on the bandwidth percentage, you must select the percent-value parameter.


NOTE

- Suppression based on the bandwidth percentage is equivalent to suppression based on the packet rate. Assume the bandwidth of an interface is bandwidth (kbit/s). The percent-value parameter is then equivalent to the packets keyword with the value (bandwidth x percent x 1000 x 1000/(84 x 8)). Here, 84 is the average packet length (the 64-byte packet body plus 20 bytes of frame spacing and check information), and 8 is the number of bits in a byte.

- If traffic suppression based on the bit rate is set for one type of traffic on an interface, the bandwidth percentage set for the other types of traffic is converted to a bit rate through the following formula: Bit rate = Bandwidth of the interface x Percentage.

- A traffic limit in pps for one type of packets cannot be set together with a traffic limit based on the bit rate for other types of packets on the same interface. For example, if the bit rate for multicast packets is set on an interface, you cannot set the traffic limit in pps for broadcast packets.

- If traffic suppression is already configured for a type of traffic on an interface and traffic suppression for the same type of traffic is configured again with a different rate, the latest configuration overrides the previous one.

----End

10.3.3 Checking the Configuration

Prerequisite

The configurations of traffic suppression are complete.

Procedure

- Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.

----End

Example

Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.

<Quidway> display flow-suppression interface gigabitethernet 1/0/0
 storm type        rate mode    set rate value
-------------------------------------------------------------------------------
 unknown-unicast   bps          cir: 1000(kbit/s), cbs: 188000(byte)
 multicast         bps          cir: 1000(kbit/s), cbs: 188000(byte)
 broadcast         bps          cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------

10.4 Configuration Examples

This section provides several configuration examples of traffic suppression.

10.4.1 Example for Configuring Traffic Suppression

10.4.1 Example for Configuring Traffic Suppression


Networking Requirements

As shown in Figure 10-1, the Switch is connected to the Layer 2 network and the Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can configure traffic suppression on GE 1/0/2.

Figure 10-1 Networking diagram for configuring traffic suppression

[Figure not reproduced. Elements shown: S9300, GE1/0/2, GE1/0/3, L2 network, L3 network.]

Configuration Roadmap

Configure traffic suppression in the interface view of GE 1/0/2.

Data Preparation

To complete the configuration, you need the following data:

- GE 1/0/2, where traffic suppression is configured

- Traffic suppression for broadcast and unknown unicast packets based on the bit rate

- Traffic suppression for multicast packets based on the rate percentage

- Maximum rate of broadcast and unknown unicast packets of 100 kbit/s after traffic suppression is configured

- Maximum rate of multicast packets of 80 percent of the interface rate after traffic suppression is configured

Procedure

Step 1 Enter the interface view.

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/2

Step 2 Configure traffic suppression for broadcast packets.

[Quidway-GigabitEthernet1/0/2] broadcast-suppression cir 100

Step 3 Configure traffic suppression for multicast packets.

[Quidway-GigabitEthernet1/0/2] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.

[Quidway-GigabitEthernet1/0/2] unicast-suppression cir 100

Step 5 Verify the configuration.

Run the display flow-suppression interface command, and you can view the configuration of traffic suppression on GE 1/0/2.

<Quidway> display flow-suppression interface gigabitethernet 1/0/2
 storm type        rate mode    set rate value
-------------------------------------------------------------------------------
 unknown-unicast   bps          cir: 100(kbit/s), cbs: 18800(byte)
 multicast         percent      percent: 80%
 broadcast         bps          cir: 100(kbit/s), cbs: 18800(byte)
-------------------------------------------------------------------------------

----End

Configuration Files

#
 sysname Quidway
#
interface gigabitethernet 1/0/2
 unicast-suppression cir 100 cbs 18800
 multicast-suppression percent 80
 broadcast-suppression cir 100 cbs 18800
#
return
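An added Python model of the rate modes in 10.3.2, not Huawei code: bit-rate suppression as a token bucket with CIR in kbit/s and CBS in bytes (the default CBS of 188 x CIR is taken from the display output above), plus the NOTE's percent-to-packets equivalence. The conversion reads bandwidth in kbit/s and percent as a whole number (80 for 80 %), which is an assumption about the formula's units; the burst of frames is constructed.

```python
"""Model of S9300 traffic suppression, added as an illustration (not Huawei code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Suppressor:
    """One bit-rate suppression entry, e.g. `broadcast-suppression cir 100`."""
    cir_kbps: int                      # committed information rate, kbit/s
    cbs_bytes: Optional[int] = None    # committed burst size, bytes

    def __post_init__(self) -> None:
        if self.cbs_bytes is None:
            # The guide's examples show cbs = 188 x cir (100 -> 18800, 1000 -> 188000).
            self.cbs_bytes = 188 * self.cir_kbps
        self.tokens = float(self.cbs_bytes)   # bucket starts full
        self.last_t = 0.0

    def admit(self, t: float, frame_len: int) -> bool:
        """True if a frame of frame_len bytes arriving at time t (seconds) is forwarded."""
        # Refill at CIR: kbit/s * 1000 / 8 = bytes per second = cir * 125.
        refill = (t - self.last_t) * self.cir_kbps * 125
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_t = t
        if frame_len <= self.tokens:
            self.tokens -= frame_len
            return True
        return False                          # over the limit: frame is suppressed


def run_burst(cir_kbps: int, arrivals: List[Tuple[float, int]],
              cbs_bytes: Optional[int] = None) -> Tuple[int, int]:
    """Feed (time_s, frame_len) arrivals through one entry; return (forwarded, dropped)."""
    s = Suppressor(cir_kbps, cbs_bytes)
    forwarded = sum(1 for t, n in arrivals if s.admit(t, n))
    return forwarded, len(arrivals) - forwarded


def percent_to_pps(bandwidth_kbps: int, percent: int) -> int:
    """The NOTE's equivalence between percent-value and packets: an average frame
    footprint of 84 bytes (64-byte frame plus 20 bytes of spacing and check data)
    at 8 bits per byte. Units are an assumption: bandwidth in kbit/s, percent 0-100."""
    return int(bandwidth_kbps * 1000 * percent / 100 / (84 * 8))


def example_ge_1_0_2() -> Tuple[int, int]:
    """Constructed broadcast storm against `broadcast-suppression cir 100` on GE 1/0/2:
    20 frames of 1500 bytes at t=0, then 10 more one second later."""
    storm = [(0.0, 1500)] * 20 + [(1.0, 1500)] * 10
    # t=0: 18800-byte bucket admits 12 frames (18000 B), 8 dropped;
    # t=1: 12500 B refilled -> 13300 B admits 8 frames, 2 dropped.
    return run_burst(100, storm)
```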


11 ACL Configuration

About This Chapter

The ACL classifies packets according to its rules. After these rules are applied to the interfaces on the S9300, the S9300 can determine which packets are accepted and which are rejected.

11.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.

11.2 Classification of ACLs Supported by the S9300

This section describes the classification of ACLs supported by the S9300.

11.3 Configuring an ACL

This section describes how to create an ACL, set the time range, configure the description of an ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step of an ACL.

11.4 Configuring ACL6

This section describes how to configure basic ACL6 and advanced ACL6.

11.5 Configuration Examples

This section provides configuration examples of the ACL.


11.1 Introduction to the ACL

This section describes the basic concepts and parameters of an ACL.

To filter packets, a set of rules needs to be configured on the S9300 to determine which data packets can pass through. These rules are defined in an ACL.

An ACL is an ordered series of rules composed of permit and deny clauses. The clauses are described based on the source address, destination address, port number of a packet, and so on. The ACL classifies packets according to the rules. After these rules are applied to the S9300, the S9300 can determine which packets are accepted and which are rejected.

11.2 Classification of ACLs Supported by the S9300

This section describes the classification of ACLs supported by the S9300.

NOTE

In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers to the access control list that is used to filter IPv6 packets.

Classification of ACLs

The S9300 supports basic ACLs, advanced ACLs, and layer 2 ACLs for IPv4 packets.

- Basic ACLs: classify and define data packets according to their source addresses, fragmentation flag, and effective time range.

- Advanced ACLs: classify and define data packets in a more fine-grained way according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.

- Frame header-based ACLs: classify and define data packets according to the source MAC address, destination MAC address, and protocol type.

The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.

- A basic ACL6 can use the source IP address, fragmentation flag, and effective time range as the elements of rules.

- An advanced ACL6 can use the source IP address and destination IP address of data packets, the protocol type supported by IP, features of the protocol such as the source port number and destination port number, the ICMPv6 protocol, and the ICMPv6 code as the elements of rules.

Application of ACLs

ACLs defined on the S9300 can be applied in the following scenarios:

- Hardware-based application: The ACL is sent to the hardware. For example, when QoS is configured, the ACL is imported to classify packets. Note that when the ACL is imported by QoS, the packets matching an ACL rule in deny mode are discarded. If the action in the ACL is set to permit mode, the packets matching the ACL are processed by the S9300 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.


- Software-based application: The ACL is imported by the upper-layer software. For example, when the control function is configured for login users, you can use the ACL to control FTP, Telnet, and SSH users. When the S9300 functions as a TFTP client, you can configure an ACL to specify the TFTP servers that the S9300 can access through TFTP.

When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S9300 according to the action, deny or permit, defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.

NOTE

- When the ACL is sent to the hardware and is imported by QoS to classify packets, the S9300 does not process packets according to the action defined in the traffic behavior if the packets do not match the ACL rule.

- When the ACL is imported by the upper-layer software and is used to control FTP, Telnet, or SSH login users, the S9300 discards the packets if the packets do not match the ACL rule.

11.3 Configuring an ACL

This section describes how to create an ACL, set the time range, configure the description of an ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step of an ACL.

Context

NOTE

11.3.5 Configuring a Basic ACL, 11.3.6 Configuring an Advanced ACL, and 11.3.7 Configuring a Layer 2 ACL are optional and can be configured as required.

11.3.1 Establishing the Configuration Task

Establishing the configuration task of the ACL.

11.3.2 Creating an ACL

11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect

When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

11.3.4 (Optional) Configuring the Description of an ACL

11.3.5 Configuring a Basic ACL

11.3.6 Configuring an Advanced ACL

11.3.7 Configuring a Layer 2 ACL

11.3.8 (Optional) Setting the Step of an ACL

11.3.9 Checking the Configuration

11.3.1 Establishing the Configuration Task

Establishing the configuration task of the ACL.


Applicable Environment

ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish the types of packets and process them accordingly.

Pre-configuration Tasks

None.

Data Preparation

To configure an ACL, you need the following data.

No.  Data
1    Name of the time range when the ACL takes effect, start time, and end time
2    Number of the ACL
3    Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
4    Description of the ACL
5    Step of the ACL

11.3.2 Creating an ACL

Context

An ACL consists of a series of rules defined by multiple permit or deny clauses. You need to create an ACL before configuring the rules of the ACL.

To create an ACL, you need to:

- Specify the number of the ACL. For example, an ACL with a number ranging from 2000 to 2999 is a basic ACL, and an ACL with a number ranging from 3000 to 3999 is an advanced ACL.

- Set the match order of the ACL rules. This parameter is optional. By default, the match order is config.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] acl-number

An ACL is created.


- To create a basic ACL, set the value of acl-number in the range from 2000 to 2999.

- To create an advanced ACL, set the value of acl-number in the range from 3000 to 3999.

- To create a layer 2 ACL, set the value of acl-number in the range from 4000 to 4999.

----End

11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect

When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is set.

You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name test:

- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range

- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range

- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
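An added Python model, not Huawei code, of how several time-range entries sharing one name combine as the example above describes: the definite entry bounds the period and the periodic entries select the recurring hours inside it. Treating the definite entries and the periodic entries as two groups that must both match (any entry within a group suffices) follows the example's reading and is an assumption beyond what the guide states; the dates used to exercise it are constructed.

```python
"""Model of S9300 named time ranges, added as an illustration (not Huawei code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AbsoluteRange:
    """time-range NAME from time1 date1 [ to time2 date2 ] (a definite time range)"""
    start: datetime
    end: datetime

    def contains(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass(frozen=True)
class PeriodicRange:
    """time-range NAME start-time to end-time days (days: 0=Monday .. 6=Sunday)"""
    start: time
    end: time
    days: frozenset

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


class TimeRangeTable:
    def __init__(self) -> None:
        self.entries = {}              # name -> list of entries sharing that name

    def add(self, name: str, entry) -> None:
        self.entries.setdefault(name, []).append(entry)

    def is_active(self, name: Optional[str], now: datetime) -> bool:
        """Whether an ACL referencing `name` is in effect at `now`."""
        if name is None:
            return True                # ACL without a time range: always effective
        entries = self.entries[name]
        absolutes = [e for e in entries if isinstance(e, AbsoluteRange)]
        periodics = [e for e in entries if isinstance(e, PeriodicRange)]
        # Assumption: the definite entries bound the period, the periodic entries
        # pick the hours inside it; a group with no entries imposes no restriction.
        in_abs = not absolutes or any(e.contains(now) for e in absolutes)
        in_per = not periodics or any(e.contains(now) for e in periodics)
        return in_abs and in_per


def build_test_range() -> TimeRangeTable:
    """The guide's three entries named test."""
    table = TimeRangeTable()
    table.add("test", AbsoluteRange(datetime(2009, 1, 1, 0, 0), datetime(2009, 12, 31, 23, 59)))
    table.add("test", PeriodicRange(time(8, 0), time(18, 0), frozenset(range(0, 5))))  # Mon-Fri
    table.add("test", PeriodicRange(time(14, 0), time(18, 0), frozenset({5, 6})))     # Sat, Sun
    return table
```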

----End

11.3.4 (Optional) Configuring the Description of an ACL

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl acl-number

The ACL view is displayed.

Step 3 Run:

description text

The description of the ACL is configured.

The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.


By default, no description is configured for an ACL.

----End

11.3.5 Configuring a Basic ACL

Context

Do as follows on the S9300.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] acl-number [ match-order { auto | config } ]

A basic ACL is created.

To create a basic ACL, set the value of acl-number in the range from 2000 to 2999.

match-order indicates the match order of ACL rules.

- auto: indicates that the ACL rules are matched on the basis of the depth-first principle.

- config: indicates that the rules are matched on the basis of the configuration order.

If match-order is not used, the match order is config.

Step 3 Run:

rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created.

----End

11.3.6 Configuring an Advanced ACL

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created.

To create an advanced ACL, the value of acl-number ranges from 3000 to 3999.

match-order indicates the match order of ACL rules.


- auto: indicates that the ACL rules are matched on the basis of the depth-first principle.

- config: indicates that the rules are matched on the basis of the configuration order.

If match-order is not used, the match order is config.

Step 3 Run the following command as required:

- When protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), run:

rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port eq port | time-range time-name | tos tos ] *

An ACL rule is created.

- When protocol is specified as ICMP, run:

rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created.

- When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *

An ACL rule is created.

You can configure different advanced ACLs on the S9300 according to the protocol carried by IP. Different parameter combinations are available for different protocol types.

NOTE

dscp dscp and precedence precedence cannot be specified at the same time.

----End

11.3.7 Configuring a Layer 2 ACL

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] acl-number [ match-order { auto | config } ]

A layer 2 ACL is created.

To create a layer 2 ACL, the value of acl-number ranges from 4000 to 4999.

match-order indicates the match order of ACL rules.

- auto: indicates that the ACL rules are matched on the basis of the depth-first principle.

- config: indicates that the rules are matched on the basis of the configuration order.


If match-order is not used, the match order is config.

Step 3 Run:

rule [ rule-id ] { deny | permit } [ source-mac source-mac-address source-mac-mask ] [ dest-mac dest-mac-address dest-mac-mask | type protocol-type protocol-type-mask ]

An ACL rule is created.

----End

11.3.8 (Optional) Setting the Step of an ACL

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] acl-number

The ACL view is displayed.

Step 3 Run:

step step-value

The step of an ACL is set.

When changing ACL configurations, note the following:

l The undo step command sets the default step of an ACL and re-arranges the numbers ofACL rules.

l By default, the value of step-value is 5.

----End
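The following Python model is an added illustration, not code from the guide or from Huawei. It shows how the step of 11.3.8 governs the allocation of rule IDs and their renumbering under step and undo step, and how match-order config and auto (11.3.7, 11.4.2) can pick different winning rules for the same packet. Three points are assumptions made for the example: config order is treated as ascending rule ID, the depth-first order puts rules with more fixed source bits first and any last (ties by rule ID), and display() only imitates the shape of the display acl output in 11.3.9.

```python
# Added example (not from the Huawei guide): rule-ID allocation from the ACL
# step, renumbering on "step"/"undo step", and match-order config vs auto.
# Assumed: config = ascending rule ID; auto = most specific source first.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_STEP = 5  # the guide: step-value defaults to 5


def wildcard_bits(wildcard: str) -> int:
    """The CLI accepts 0 as shorthand for 0.0.0.0 (display acl prints it that way)."""
    return 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care': 0.0.0.255 covers a /24."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = wildcard_bits(wildcard)
    return (a & ~w) == (r & ~w)


@dataclass
class Rule:
    rule_id: int
    action: str               # "permit" or "deny"
    source: Optional[str]     # "address wildcard"; None means any source

    def care_bits(self) -> int:
        """Depth-first key: how many source bits the rule pins down."""
        if self.source is None:
            return -1
        return 32 - bin(wildcard_bits(self.source.split()[1])).count("1")

    def matches(self, src_ip: str) -> bool:
        if self.source is None:
            return True
        rule_addr, wildcard = self.source.split()
        return wildcard_match(src_ip, rule_addr, wildcard)


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"   # the guide: config unless match-order auto is given
    step: int = DEFAULT_STEP
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, source: Optional[str] = None,
                 rule_id: Optional[int] = None) -> int:
        """rule [ rule-id ] { deny | permit } [ source ... ]; with no rule-id the
        next multiple of the step above the highest existing ID is allocated."""
        if rule_id is None:
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        self.rules = [r for r in self.rules if r.rule_id != rule_id]  # same ID overwrites
        self.rules.append(Rule(rule_id, action, source))
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def set_step(self, step: int) -> List[int]:
        """step step-value: rule IDs become step, 2*step, ... in their current order."""
        self.step = step
        for i, r in enumerate(self.rules, start=1):
            r.rule_id = i * step
        return [r.rule_id for r in self.rules]

    def undo_step(self) -> List[int]:
        """undo step: back to the default step; the rules are renumbered again."""
        return self.set_step(DEFAULT_STEP)

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "auto":   # depth first: most specific source wins
            return sorted(self.rules, key=lambda r: (-r.care_bits(), r.rule_id))
        return self.rules                # config: ascending rule ID

    def lookup(self, src_ip: str) -> Optional[Rule]:
        """First rule that matches in the active order; None if no rule matches."""
        for r in self.ordered_rules():
            if r.matches(src_ip):
                return r
        return None

    def display(self) -> str:
        """Text in the shape of the 'display acl' output (imitation only)."""
        n = len(self.rules)
        lines = [f"Basic ACL {self.number}, {n} rule{'s' if n != 1 else ''}",
                 f"Acl's step is {self.step}"]
        for r in self.rules:
            src = "" if r.source is None else f" source {r.source}"
            lines.append(f" rule {r.rule_id} {r.action}{src}")
        return "\n".join(lines)
```

The comparison worth running when reviewing an ACL is the shadowing case: a permit with no source at a low rule ID hides a later host-specific deny under config order, and auto order reverses that outcome without any rule being edited.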

11.3.9 Checking the Configuration

Prerequisite

The configurations of the ACL are complete.

Procedure

- Run the display acl { acl-number | all } command to check the configured ACL.

- Run the display time-range { all | time-name } command to check the time range.

----End

Example

# Run the display acl command, and you can view the ACL number, number of rules, step, and details of ACL rules.


<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0

# Run the display time-range command, and you can view the configuration and status of the current time range.

<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31

11.4 Configuring ACL6

This section describes how to configure basic ACL6 and advanced ACL6.

11.4.1 Establishing the Configuration Task

11.4.2 Creating an ACL6

11.4.3 (Optional) Creating the Time Range of the ACL6
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.

11.4.4 Configuring a Basic ACL6

11.4.5 Configuring an Advanced ACL6

11.4.6 Checking the Configuration

11.4.1 Establishing the Configuration Task

Applicable Environment

An ACL6 can be applied to the following tasks:

- Configuring the packet filtering policy

l Configuring policy-based routing

l Configuring a routing policy

Pre-configuration Tasks

None

Data Preparation

To configure an ACL6, you need the following data.

No.  Data

1    Number of the ACL6

2    (Optional) Name of the time range during which the ACL6 is valid and the start time and end time of the time range

3    Number of the ACL6 and the rule of identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS

11.4.2 Creating an ACL6

Context

To create an ACL6, you need to:

- Specify a number to identify the ACL6 type. For example, the ACL6 with the number ranging from 2000 to 2999 is a basic ACL6 and the ACL6 with the number ranging from 3000 to 3999 is an advanced ACL6.

- Set the match order of the ACL6. This parameter is optional. By default, the match order is config.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An ACL6 is created.

- The acl6-number value of a basic ACL6 ranges from 2000 to 2999.

- The acl6-number value of an advanced ACL6 ranges from 3000 to 3999.

----End

11.4.3 (Optional) Creating the Time Range of the ACL6

When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

The time range is created.

You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name, that is, test.

- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59

- Time range 2: 8:00-18:00 on Monday to Friday

- Time range 3: 14:00-18:00 on Saturday and Sunday

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.

----End

11.4.4 Configuring a Basic ACL6

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An ACL6 is created.

The acl6-number value of a basic ACL6 ranges from 2000 to 2999.

match-order indicates the match order of ACL6 rules.

- auto: indicates that the ACL rules are matched on the basis of the depth-first principle.

- config: indicates that the rules are matched on the basis of the configuration order.

If match-order is not used, the match order is config.

Step 3 Run: rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

The rule of the ACL6 is configured.

----End

11.4.5 Configuring an Advanced ACL6

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An advanced ACL6 is created.

The acl6-number value of an advanced ACL6 ranges from 3000 to 3999.

match-order indicates the match order of ACL6 rules.

- auto: indicates that the ACL rules are matched on the basis of the depth-first principle.

- config: indicates that the rules are matched on the basis of the configuration order.

If match-order is not used, the match order is config.

Step 3 Perform the following steps as required to configure rules for the ACL6:

You can configure the advanced ACL6 on the S9300 according to the type of the protocol carried by IP. The parameters vary according to the protocol type.

- When protocol is TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos ] *

- When protocol is ICMPv6, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *

- When protocol is not TCP, UDP, or ICMPv6, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *

----End

11.4.6 Checking the Configuration

Prerequisite

The configurations of the ACL6 are complete.

Procedure

- Run the display acl ipv6 { acl6-number | all } command to view the rules of the ACL6.

- Run the display time-range { all | time-name } command to view information about the time range.

----End


Example

# Run the display acl ipv6 command, and you can see the ACL number, the number of rules, and the content of the rules.

<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1 (0 times matched) (Inactive)
 rule 1 permit (0 times matched)

# Run the display time-range command, and you can see the configuration and status of the current time range.

<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday

Time-range : time1 ( Inactive )
 12:00 to 23:00 working-day

11.5 Configuration Examples

This section provides configuration examples of the ACL.

11.5.1 Example for Configuring a Basic ACL

11.5.2 Example for Configuring an Advanced ACL

11.5.3 Example for Configuring a Layer 2 ACL

11.5.4 Example for Configuring an ACL6

11.5.1 Example for Configuring a Basic ACL

Networking Requirements

As shown in Figure 11-1, GE 1/0/1 of the Switch is connected to the user, and GE 2/0/1 is connected to the upstream router. To prevent source address spoofing, you need to configure strict URPF check on GE 1/0/1 and GE 2/0/1. In addition, it is required that the Switch trusts the packets from user A whose IP address is 10.0.0.2/24. In this case, you also need to disable URPF check for the packets sent by user A.

Figure 11-1 Networking diagram for disabling URPF for the specified traffic (figure labels: S9300; PC A, IP 10.0.0.2/24; GE1/0/1, GE2/0/1; PC B)


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the URPF function.
2. Configure the ACL.
3. Configure the traffic classifier.
4. Configure the traffic behavior.
5. Configure the traffic policy.
6. Apply the traffic policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

- Interfaces enabled with URPF: GE 1/0/1 and GE 2/0/1

- ACL number: 2000

- IP address of user A: 10.0.0.2/24

- Names of traffic classifier, traffic behavior, and traffic policy: tc1, tb1, and tp1

- Interface where the traffic policy is applied: GE 1/0/1

Procedure

Step 1 Configure the URPF function.

# Enable the URPF function on the LPU.

<Quidway> system-view
[Quidway] urpf slot 1
[Quidway] urpf slot 2

# Configure the URPF mode on the interface.

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] urpf strict
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] urpf strict
[Quidway-GigabitEthernet2/0/1] quit

Step 2 Configure the traffic classifier that is based on the ACL rules.

# Define the ACL rules.

[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

# Configure the traffic classifier and define the ACL rules.

[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Define the traffic behavior and disable the URPF function in the traffic behavior view.

[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] ip urpf disable
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.

# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.

[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 1/0/1.

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.

# Check the configuration of the ACL rules.

<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.0.0.0 0.0.0.255 (0 times matched)

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 20
    Operator: OR
    Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: tc1
    Behavior: tb1
     urpf switch: off

----End

Configuration Files

#
 sysname Quidway
#
 urpf slot 1
 urpf slot 2
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 20
 if-match acl 2000
#
traffic behavior tb1
 ip urpf disable
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
 urpf strict
 traffic-policy tp1 inbound
#
interface GigabitEthernet2/0/1
 urpf strict
#
return
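As an added example (not the guide's or Huawei's code), the decision this configuration asks of the switch can be modelled in Python: strict URPF on GE 1/0/1 and GE 2/0/1, with traffic policy tp1 (classifier tc1 on ACL 2000, behavior tb1 with ip urpf disable) exempting matching packets only on GE 1/0/1, where the policy is applied inbound. The forwarding table FIB, the 203.0.113.0/24 network behind the upstream router, and the verdict strings are constructed for the example; the strict-mode rule modelled (forward only if the best route back to the source leaves through the arrival interface) is the general definition of strict URPF, not a statement about S9300 internals.

```python
# Added example (not from the Huawei guide): strict URPF with an ACL-based
# exemption, following the traffic-policy configuration of 11.5.1.
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table for the topology of Figure 11-1:
# (prefix, outgoing interface); the longest prefix wins.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.0.0.0/24"), "GE1/0/1"),     # user segment behind GE 1/0/1
    (ipaddress.ip_network("203.0.113.0/24"), "GE2/0/1"),  # constructed network behind the upstream router
]

URPF_STRICT_IFACES = {"GE1/0/1", "GE2/0/1"}   # "urpf strict" in the example
POLICY_TP1_IFACE = "GE1/0/1"                  # "traffic-policy tp1 inbound"


def lookup_egress(src: str) -> Optional[str]:
    """Longest-prefix lookup of the route back to the source address."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def acl_2000_permits(src: str) -> bool:
    """rule 5 permit source 10.0.0.0 0.0.0.255, as display acl 2000 shows it.
    A 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(src))
    rule = int(ipaddress.IPv4Address("10.0.0.0"))
    wildcard = int(ipaddress.IPv4Address("0.0.0.255"))
    return (a & ~wildcard) == (rule & ~wildcard)


def urpf_verdict(in_iface: str, src: str,
                 policy_iface: Optional[str] = POLICY_TP1_IFACE) -> str:
    """Return 'forward' or 'drop:<reason>' for a packet with source src arriving on in_iface."""
    # Classifier tc1 (if-match acl 2000) -> behavior tb1 (ip urpf disable),
    # applied inbound only on the interface where tp1 is bound.
    if in_iface == policy_iface and acl_2000_permits(src):
        return "forward"
    if in_iface not in URPF_STRICT_IFACES:
        return "forward"                       # no URPF check on this interface
    egress = lookup_egress(src)
    if egress is None:
        return "drop:no-route-to-source"
    if egress != in_iface:                     # strict mode: route must point back out of in_iface
        return f"drop:strict-urpf-expects-{egress}"
    return "forward"
```

The case worth checking in a review is a packet carrying user A's source address that arrives on GE 2/0/1: urpf_verdict still drops it, because the exemption is bound inbound to GE 1/0/1 only and the route to 10.0.0.0/24 points at GE 1/0/1.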

11.5.2 Example for Configuring an Advanced ACL

Networking Requirements

As shown in Figure 11-2, the departments of the company are connected through the Switches. It is required that the IPv4 ACL be configured correctly. The personnel of the R&D department and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's office can access the server at any time.

Figure 11-2 Networking diagram for configuring IPv4 ACLs (figure labels: Salary query server 10.164.9.9; Marketing department 10.164.2.0/24; President's office 10.164.1.0/24; R&D department 10.164.3.0/24; GE2/0/1, GE1/0/1, GE1/0/3, GE1/0/2)

Configuration Roadmap

The configuration roadmap is as follows:

1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

- VLAN that the interface belongs to

- Name of the time range

- ACL ID and rules

- Name of the traffic classifier and classification rules

- Name of the traffic behavior and actions

- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy

- Interface that a traffic policy is applied to

Procedure

Step 1 Assign IP addresses to interfaces.

# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.

Add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add GE 2/0/1 to VLAN 100 (see Figure 11-2 and the configuration files). The first IP address of the network segment is taken as the address of the VLANIF interface. Take GE 1/0/1 as an example. The configurations of other interfaces are similar to the configuration of GE 1/0/1, and are not mentioned here.

<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.

# Configure the time range from 8:00 to 17:30.

<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.

# Configure the ACL for the personnel of the marketing department to access the salary query server.

[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL for the personnel of the R&D department to access the salary query server.

[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.

# Configure the traffic classifier c_market to classify the packets that match ACL 3002.

[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.

[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.

# Configure the traffic behavior b_market to reject packets.

[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.

[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.

[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.

[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to GE 1/0/2.

[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] traffic-policy p_market inbound
[Quidway-GigabitEthernet1/0/2] quit

# Apply the traffic policy p_rd to GE 1/0/3.

[Quidway] interface gigabitethernet 1/0/3
[Quidway-GigabitEthernet1/0/3] traffic-policy p_rd inbound
[Quidway-GigabitEthernet1/0/3] quit

Step 8 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl all
 Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)

Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c_market
    Precedence: 5
    Operator: OR
    Rule(s) : if-match acl 3002

   Classifier: c_rd
    Precedence: 10
    Operator: OR
    Rule(s) : if-match acl 3003

# Check the configuration of the traffic policies.

<Quidway> display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: p_market
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: c_market
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: c_rd
    Behavior: b_rd
     Deny

----End

Configuration Files

#
 sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
 if-match acl 3002
traffic classifier c_rd operator or precedence 10
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
 port link-type access
 port default vlan 100
#
return
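The time-range semantics of 11.4.3 (several entries under one name, as in the test range) and the time-bound deny rules of this example (satime on ACLs 3002 and 3003) can be checked with the following Python model, added here and not taken from the guide or from Huawei. It assumes the composition the guide describes for test: periodic entries are ORed, absolute entries are ORed, and the name is active only when both groups allow it. The keywords daily, working-day and off-day, the clock helper at(), the sample clock values, and the 'no-match' result for a packet that no rule classifies are constructed for the example.

```python
# Added example (not from the Huawei guide): evaluation of time-range entries
# and of an advanced ACL rule bound to one (11.4.3 and 11.5.2).
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

DAY_KEYWORDS = {"daily": {0, 1, 2, 3, 4, 5, 6},
                "working-day": {0, 1, 2, 3, 4},    # Monday to Friday
                "off-day": {5, 6}}                 # Saturday and Sunday
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def at(stamp: str) -> datetime:
    """Constructed clock value for the example, e.g. at('2009/05/21 09:33')."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M")


@dataclass
class Periodic:                  # start-time to end-time days
    start: time
    end: time
    days: set

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass
class Absolute:                  # from time1 date1 [ to time2 date2 ]
    start: datetime
    end: Optional[datetime]

    def active(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now <= self.end)


class TimeRanges:
    """Entries sharing a name: periodic ones are ORed, absolute ones are ORed, and
    the name is active only when both groups allow it (an empty group imposes no
    restriction); this is how the guide describes the 'test' range."""

    def __init__(self) -> None:
        self.periodic: Dict[str, List[Periodic]] = {}
        self.absolute: Dict[str, List[Absolute]] = {}

    def add_periodic(self, name: str, start: str, end: str, days: str) -> None:
        selected: set = set()
        for tok in days.split():
            selected |= DAY_KEYWORDS.get(tok) or {DAY_NAMES.index(tok)}
        self.periodic.setdefault(name, []).append(Periodic(
            datetime.strptime(start, "%H:%M").time(),
            datetime.strptime(end, "%H:%M").time(), selected))

    def add_absolute(self, name: str, time1: str, date1: str,
                     time2: Optional[str] = None, date2: Optional[str] = None) -> None:
        fmt = "%H:%M %Y/%m/%d"                 # the date form that display time-range prints
        start = datetime.strptime(f"{time1} {date1}", fmt)
        end = datetime.strptime(f"{time2} {date2}", fmt) if time2 else None
        self.absolute.setdefault(name, []).append(Absolute(start, end))

    def is_active(self, name: str, now: datetime) -> bool:
        periodic, absolute = self.periodic.get(name, []), self.absolute.get(name, [])
        if not periodic and not absolute:
            return False                       # a rule bound to an undef. range stays inactive
        return ((not periodic or any(p.active(now) for p in periodic)) and
                (not absolute or any(a.active(now) for a in absolute)))


def wildcard_hit(addr: str, spec: str) -> bool:
    """'address wildcard' match; a 1 bit in the wildcard means 'do not care'."""
    rule_addr, wildcard = spec.split()
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))  # "0" = 0.0.0.0
    a, r = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(rule_addr))
    return (a & ~w) == (r & ~w)


@dataclass
class AdvRule:                   # rule deny ip source ... destination ... time-range ...
    action: str
    source: str
    destination: str
    time_range: Optional[str] = None


def evaluate(rules: List[AdvRule], ranges: TimeRanges, src: str, dst: str, now: datetime) -> str:
    """Action of the first active matching rule, or 'no-match' (packet not classified)."""
    for rule in rules:
        if rule.time_range and not ranges.is_active(rule.time_range, now):
            continue                           # what display acl shows as (Inactive)
        if wildcard_hit(src, rule.source) and wildcard_hit(dst, rule.destination):
            return rule.action
    return "no-match"


# Constructed sample: satime and ACL 3002 from 11.5.2, the three-entry 'test' range from 11.4.3.
RANGES = TimeRanges()
RANGES.add_periodic("satime", "8:00", "17:30", "working-day")
RANGES.add_absolute("test", "00:00", "2009/1/1", "23:59", "2009/12/31")
RANGES.add_periodic("test", "8:00", "18:00", "working-day")
RANGES.add_periodic("test", "14:00", "18:00", "off-day")
ACL_3002 = [AdvRule("deny", "10.164.2.0 0.0.0.255", "10.164.9.9 0", "satime")]
```

Evaluating ACL_3002 at 09:33 on Thursday 2009/05/21 (the clock that display time-range prints in 11.4.6) returns deny for a marketing host, and no-match at 18:00 or for a president's-office source, which is the behaviour the requirement asks for; the rule's deny is never reached outside satime, so the traffic passes unclassified.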

11.5.3 Example for Configuring a Layer 2 ACL

Networking Requirements

As shown in Figure 11-3, the Switch that functions as the gateway is connected to the PC. It is required that an ACL be configured to prevent the packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.

Figure 11-3 Networking diagram for configuring layer 2 ACLs (figure labels: GE1/0/1, GE2/0/1, IP network, 00e0-f201-0101)


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

- ACL ID and rules

- Name of the traffic classifier and classification rules

- Name of the traffic behavior and actions

- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy

- Interface that a traffic policy is applied to

Procedure

Step 1 Configure an ACL.

# Configure the required layer 2 ACL.

[Quidway] acl 4000
[Quidway-acl-ethernetframe-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-ethernetframe-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.

# Configure the traffic classifier tc1 to classify packets that match ACL 4000.

[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.

[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.

[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GE 2/0/1.

[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet2/0/1] quit

Step 6 Verify the configuration.

# Check the configuration of ACL rules.

<Quidway> display acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 5
 rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff (0 times matched)

# Check the configuration of the traffic classifier.

<Quidway> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: tc1
    Precedence: 15
    Operator: OR
    Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.

<Quidway> display traffic policy user-defined tp1
  User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: tc1
    Behavior: tb1
     Deny

----End

Configuration Files

#
 sysname Quidway
#
acl number 4000
 rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
#
traffic classifier tc1 operator or precedence 15
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 inbound
#
return
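How the layer 2 rule of this example is evaluated, including the source-mac/dest-mac masks and the alternative type protocol-type protocol-type-mask field of the rule syntax in 11.3.7, is shown by the following Python model. It is an added example, not code from the guide or from Huawei; the mask semantics (a 1 bit in the mask selects a bit that must match, so ffff-ffff-ffff pins every bit), the hexadecimal form of the type value and mask, and the two extra rules 10 and 15 (an OUI-wide permit and an ARP deny) are assumptions made for the illustration.

```python
# Added example (not from the Huawei guide): evaluation of layer 2 ACL rules
# with MAC masks and an EtherType mask (11.3.7 and 11.5.3).
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse the H-H-H notation the guide uses, e.g. 00e0-f201-0101."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass
class MaskedField:
    """value/mask pair; a 1 bit in the mask selects a bit that must match
    (assumed semantics: ffff-ffff-ffff pins every bit, 0000-0000-0000 matches all)."""
    value: int
    mask: int

    def hit(self, actual: int) -> bool:
        return (actual & self.mask) == (self.value & self.mask)


@dataclass
class L2Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    source_mac: Optional[MaskedField] = None
    dest_mac: Optional[MaskedField] = None
    ether_type: Optional[MaskedField] = None     # type protocol-type protocol-type-mask

    def matches(self, src: str, dst: str, ethertype: int) -> bool:
        return ((self.source_mac is None or self.source_mac.hit(mac_to_int(src)))
                and (self.dest_mac is None or self.dest_mac.hit(mac_to_int(dst)))
                and (self.ether_type is None or self.ether_type.hit(ethertype)))


def parse_l2_rule(text: str) -> L2Rule:
    """Parse one rule line as 'display acl 4000' prints it (rule ID present).
    The hexadecimal form of protocol-type and its mask ('0806 ffff') is assumed."""
    tok = text.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("deny", "permit"):
        raise ValueError(f"not a layer 2 ACL rule: {text!r}")
    rule = L2Rule(int(tok[1]), tok[2])
    i = 3
    while i < len(tok):
        if i + 2 >= len(tok):
            raise ValueError(f"keyword {tok[i]!r} needs a value and a mask")
        key, value, mask = tok[i], tok[i + 1], tok[i + 2]
        if key == "source-mac":
            rule.source_mac = MaskedField(mac_to_int(value), mac_to_int(mask))
        elif key == "dest-mac":
            rule.dest_mac = MaskedField(mac_to_int(value), mac_to_int(mask))
        elif key == "type":
            rule.ether_type = MaskedField(int(value, 16), int(mask, 16))
        else:
            raise ValueError(f"unknown keyword {key!r}")
        i += 3
    if rule.dest_mac is not None and rule.ether_type is not None:
        raise ValueError("dest-mac and type are alternatives in the rule syntax")
    return rule


def classify(rules: List[L2Rule], src: str, dst: str, ethertype: int) -> Optional[str]:
    """Action of the first matching rule in ID order; None means no rule matched,
    so a classifier bound to this ACL leaves the frame to normal forwarding."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst, ethertype):
            return rule.action
    return None


# The rule from 11.5.3 plus two constructed rules showing an OUI mask and an EtherType mask.
ACL_4000 = [
    parse_l2_rule("rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff "
                  "dest-mac 0260-e207-0002 ffff-ffff-ffff"),
    parse_l2_rule("rule 10 permit source-mac 00e0-f200-0000 ffff-ff00-0000"),  # whole OUI (constructed)
    parse_l2_rule("rule 15 deny type 0806 ffff"),                              # ARP frames (constructed)
]
```

Rule 5 matches only when both addresses match, so a frame from 00e0-f201-0101 to any other destination falls through to the next rule; that is why the example pins the destination as well as the source, and why a rule meant to block a host regardless of destination should omit dest-mac instead.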

11.5.4 Example for Configuring an ACL6


Networking Requirements

As shown in Figure 11-4, Switch A and Switch B are connected through GE interfaces. You need to configure an ACL6 rule on Switch A to prevent the IPv6 packets with the source IP address 3001::2 from entering GE 1/0/0 of Switch A.

Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets (figure labels: S9300-A, S9300-B; Loopback2 3002::2/64; GE1/0/0 3001::1/64, 3001::2/64; GE1/0/0, VLAN 10)

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the number of the ACL6.
2. Configure the rules in the ACL6.
3. Define the classification, action, and policy to be performed on the packets.

Data Preparation

To complete the configuration, you need the following data:

- ACL6 number

- Source IPv6 address permitted by the ACL6 rule

- Names of traffic classifier, traffic behavior, and traffic policy

- Interface where the traffic policy is applied

Procedure

Step 1 Enable IPv6 forwarding capability on Switch A and Switch B, set the parameters for the interfaces, and check the connectivity.

# Configure Switch A.

<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] ipv6
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ipv6 enable
[SwitchA-Vlanif10] ipv6 address 3001::1 64
[SwitchA-Vlanif10] quit

# Configure a static route on Switch A.

[SwitchA] ipv6 route-static 3002:: 64 3001::2

# Configure Switch B.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] ipv6
[SwitchB] interface loopback 2
[SwitchB-LoopBack2] ipv6 enable
[SwitchB-LoopBack2] ipv6 address 3002::2 64
[SwitchB-LoopBack2] quit
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ipv6 enable
[SwitchB-Vlanif10] ipv6 address 3001::2 64
[SwitchB-Vlanif10] quit

# Ping interface VLANIF 10 of Switch A from VLANIF 10 of Switch B.

[SwitchB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.

# Ping interface VLANIF 10 of Switch A from loopback2 of Switch B.

[SwitchB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 20 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 20 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms

The ping succeeds without timeout or abnormal delay.

Step 2 Create an ACL6 rule and apply the rule to the interface to reject the IPv6 packets from 3001::2.

# Configure Switch A.

[SwitchA] acl ipv6 number 3001
[SwitchA-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[SwitchA-acl6-adv-3001] quit
[SwitchA] traffic classifier class1
[SwitchA-classifier-class1] if-match ipv6 acl 3001
[SwitchA-classifier-class1] quit
[SwitchA] traffic behavior behav1
[SwitchA-behavior-behav1] deny
[SwitchA-behavior-behav1] quit
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier class1 behavior behav1
[SwitchA-trafficpolicy-policy1] quit
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[SwitchA-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.

# Ping interface VLANIF 10 of Switch A from VLANIF 10 of Switch B.

[SwitchB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

The ping fails.

# Ping interface VLANIF 10 of Switch A from loopback2 of Switch B.

[SwitchB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 30 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/48/80 ms

The ping succeeds without timeout or abnormal delay.

----End

Configuration Files

- Configuration file of Switch A

#
 sysname SwitchA
#
 ipv6
#
acl ipv6 number 3001
 rule 0 deny ipv6 source 3001::2/128
#
traffic classifier class1 operator or
 if-match ipv6 acl 3001
#
traffic behavior behav1
 deny
#
traffic policy policy1
 classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-policy policy1 inbound
#
interface Vlanif10
 ipv6 enable
 ipv6 address 3001::1/64
#
 ipv6 route-static 3002:: 64 3001::2
#
return

- Configuration file of Switch B

#
 sysname SwitchB
#
 ipv6
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Vlanif 10
 ipv6 enable
 ipv6 address 3001::2/64
#
interface LoopBack2
 ipv6 enable
 ipv6 address 3002::2/64
#
return
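The following Python model, added here and not code from the guide or from Huawei, evaluates the ACL6 rule Switch A carries (rule 0 deny ipv6 source 3001::2/128) together with the two equivalent prefix forms of 11.4.4 and 11.4.5, address prefix-length and address/prefix-length. Only the source and destination keywords of the advanced ACL6 syntax are modelled; treating protocol ipv6 as matching every upper-layer protocol, the None result for a packet that no rule classifies, and the constructed rules 5 and 10 are assumptions made for the example.

```python
# Added example (not from the Huawei guide): evaluation of ACL6 source and
# destination prefixes in both syntax forms (11.4.4, 11.4.5 and 11.5.4).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Acl6Rule:
    rule_id: int
    action: str                                     # "permit" or "deny"
    protocol: str                                   # "ipv6" is taken to match any protocol (assumed)
    source: Optional[ipaddress.IPv6Network] = None  # None means any
    dest: Optional[ipaddress.IPv6Network] = None


def parse_prefix(tok: List[str], i: int) -> Tuple[Optional[ipaddress.IPv6Network], int]:
    """Consume 'any', 'address/prefix-length' or 'address prefix-length' starting at tok[i].
    strict=False zeroes the host bits, so '3001::2 64' denotes the prefix 3001::/64."""
    if tok[i] == "any":
        return None, i + 1
    if "/" in tok[i]:
        return ipaddress.IPv6Network(tok[i], strict=False), i + 1
    return ipaddress.IPv6Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl6_rule(text: str) -> Acl6Rule:
    """rule rule-id { deny | permit } protocol [ source ... ] [ destination ... ]
    (only the source/destination keywords of the advanced ACL6 syntax are modelled)."""
    tok = text.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("deny", "permit"):
        raise ValueError(f"not an advanced ACL6 rule: {text!r}")
    rule = Acl6Rule(int(tok[1]), tok[2], tok[3])
    i = 4
    while i < len(tok):
        if tok[i] == "source":
            rule.source, i = parse_prefix(tok, i + 1)
        elif tok[i] == "destination":
            rule.dest, i = parse_prefix(tok, i + 1)
        else:
            raise ValueError(f"keyword {tok[i]!r} is not modelled here")
    return rule


def lookup(rules: List[Acl6Rule], src: str, dst: str, protocol: str = "ipv6") -> Optional[str]:
    """Action of the first matching rule in ID order, or None when no rule matches
    (the packet is then not classified and is forwarded normally)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol != "ipv6" and rule.protocol != protocol:
            continue
        if (rule.source is None or s in rule.source) and (rule.dest is None or d in rule.dest):
            return rule.action
    return None


# The rule Switch A carries in 11.5.4; rules 5 and 10 are constructed for the example.
ACL6_3001 = [parse_acl6_rule("rule 0 deny ipv6 source 3001::2/128")]
ACL6_DEMO = ACL6_3001 + [
    parse_acl6_rule("rule 5 permit ipv6 source 3001::2 64"),               # same prefix as 3001::/64
    parse_acl6_rule("rule 10 deny ipv6 source any destination 3002::2/128"),
]
```

The lookups reproduce the verification pings of Step 3: a packet from 3001::2 to 3001::1 hits rule 0 and is dropped, while one sourced from Loopback2 (3002::2) matches nothing in ACL6 3001 and is forwarded.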
