
Quidway ME60 Multiservice Control Gateway

V100R006C05
Configuration Guide - Security
Issue 03
Date 2009-07-01
Part Number 00479814
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.


Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com






Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document.....................................................................................................................1
1 Security Overview......................................................................................................................1-1
1.1 Introduction to Network Security....................................................................................................................1-2
1.1.1 Background............................................................................................................................................1-2
1.1.2 Network Security Service.......................................................................................................................1-2
1.2 Security Features of the ME60........................................................................................................................1-2
1.2.1 Firewall...................................................................................................................................................1-2
1.2.2 URPF......................................................................................................................................................1-3
1.2.3 SBC........................................................................................................................................................1-3
1.2.4 DPI.........................................................................................................................................................1-3
1.2.5 Lawful Interception................................................................................................................................1-3
1.2.6 User Log.................................................................................................................................................1-3
2 Firewall Configuration..............................................................................................................2-1
2.1 Introduction.....................................................................................................................................................2-2
2.1.1 Functions of Firewall.............................................................................................................................2-2
2.1.2 Classification of Firewalls......................................................................................................................2-2
2.1.3 Terms Related to the Firewall................................................................................................................2-3
2.1.4 Firewall Functions of the ME60.............................................................................................................2-4
2.2 Configuring a Zone.........................................................................................................................................2-6
2.2.1 Establishing the Configuration Task......................................................................................................2-6
2.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................2-7
2.2.3 (Optional) Configuring the Default Master SSU...................................................................................2-7
2.2.4 Creating a Zone......................................................................................................................................2-8
2.2.5 Configuring the Priority of a Zone.........................................................................................................2-8
2.2.6 Adding User Domains or Interfaces to the Zone....................................................................................2-9
2.2.7 Creating an Interzone...........................................................................................................................2-10
2.2.8 Enabling Firewall in the Interzone.......................................................................................................2-10
2.2.9 Checking the Configuration.................................................................................................................2-11
2.3 Setting the Aging Time of the Firewall Session Table.................................................................................2-11
2.3.1 Establishing the Configuration Task....................................................................................................2-11
2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table.......................................................2-12
2.3.3 Checking the Configuration.................................................................................................................2-12
2.4 Configuring ACL-based Packet Filtering.....................................................................................................2-12
2.4.1 Establishing the Configuration Task....................................................................................................2-13
2.4.2 Configuring ACL-based Packet Filtering in an Interzone....................................................................2-13
2.5 Configuring ASPF.........................................................................................................................................2-14
2.5.1 Establishing the Configuration Task....................................................................................................2-14
2.5.2 Configuring ASPF in the Interzone......................................................................................................2-15
2.5.3 Checking the Configuration.................................................................................................................2-15
2.6 Configuring the Blacklist..............................................................................................................................2-15
2.6.1 Establishing the Configuration Task....................................................................................................2-16
2.6.2 Enabling the Blacklist..........................................................................................................................2-16
2.6.3 (Optional) Adding a Blacklist Entry....................................................................................................2-17
2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist......................................................2-17
2.7 Configuring Port Mapping............................................................................................................................2-18
2.7.1 Establishing the Configuration Task....................................................................................................2-18
2.7.2 Configuring Port Mapping...................................................................................................................2-19
2.8 Configuring P2P Traffic Control...................................................................................................................2-19
2.8.1 Establishing the Configuration Task....................................................................................................2-20
2.8.2 Enabling P2P Traffic Control...............................................................................................................2-21
2.8.3 Configuring the CAR Table.................................................................................................................2-21
2.8.4 Configuring P2P Traffic Control in an Interzone.................................................................................2-22
2.8.5 Configuring P2P Traffic Control Globally...........................................................................................2-22
2.8.6 Checking the Configuration.................................................................................................................2-23
2.9 Configuring Firewall Logs............................................................................................................................2-23
2.9.1 Establishing the Configuration Task....................................................................................................2-23
2.9.2 Enabling the Firewall Log....................................................................................................................2-24
2.9.3 Configuring a Session Log...................................................................................................................2-24
2.9.4 (Optional) Configuring Output Interval of Logs..................................................................................2-25
2.9.5 Checking the Configuration.................................................................................................................2-26
2.10 Configuration Examples..............................................................................................................................2-26
2.10.1 Example for Configuring ACL-based Packet Filtering......................................................................2-26
2.10.2 Example for Configuring ASPF and Port Mapping...........................................................................2-28
2.10.3 Example for Configuring the Blacklist..............................................................................................2-31
3 NAT Configuration....................................................................................................................3-1
3.1 Introduction.....................................................................................................................................................3-2
3.1.1 NAT Overview.......................................................................................................................................3-2
3.1.2 NAT Types.............................................................................................................................................3-3
3.1.3 Advantages and Disadvantages of NAT................................................................................................3-4
3.1.4 Many-to-Many NAT and Address Pool.................................................................................................3-4
3.1.5 Internal Server........................................................................................................................................3-5
3.1.6 References..............................................................................................................................................3-5
3.2 Configuring NAT............................................................................................................................................3-5
3.2.1 Establishing the Configuration Task......................................................................................................3-6
3.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................3-6
3.2.3 (Optional) Configuring the Default Master SSU...................................................................................3-7
3.2.4 Configuring the Public Address Pool.....................................................................................................3-7
3.2.5 Configuring NAT in an Interzone..........................................................................................................3-8
3.2.6 (Optional) Configuring the Internal NAT Server...................................................................................3-9
3.2.7 Checking the Configuration...................................................................................................................3-9
3.3 Configuration Examples................................................................................................................................3-10
3.3.1 Example for Configuring NAT............................................................................................................3-10
4 Traffic Statistics and Monitoring Configuration.................................................................4-1
4.1 Introduction.....................................................................................................................................................4-2
4.2 Configuring Traffic Statistics and Monitoring................................................................................................4-2
4.2.1 Establishing the Configuration Task......................................................................................................4-3
4.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................4-3
4.2.3 (Optional) Configuring the Default Master SSU...................................................................................4-4
4.2.4 Enabling Traffic Statistics and Monitoring............................................................................................4-4
4.2.5 Setting the Session Threshold................................................................................................................4-5
4.2.6 Checking the Configuration...................................................................................................................4-5
4.3 Configuring Zone-based Traffic Statistics and Monitoring............................................................................4-5
4.3.1 Establishing the Configuration Task......................................................................................................4-6
4.3.2 Enabling Traffic Statistics and Monitoring in a Zone............................................................................4-6
4.3.3 Setting the Session Threshold................................................................................................................4-7
4.3.4 Checking the Configuration...................................................................................................................4-7
4.4 Configuring IP Address-based Traffic Statistics and Monitoring...................................................................4-8
4.4.1 Establishing the Configuration Task......................................................................................................4-8
4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring...............................................................4-8
4.4.3 Setting the Session Threshold................................................................................................................4-9
4.5 Configuration Examples................................................................................................................................4-10
4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring.........................................4-10
4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring............................................4-11
4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring...................................4-13
5 Attack Defense Configuration.................................................................................................5-1
5.1 Introduction.....................................................................................................................................................5-2
5.1.1 Type of Network Attacks.......................................................................................................................5-2
5.1.2 Typical Attacks......................................................................................................................................5-2
5.2 Configuring Attack Defense............................................................................................................................5-5
5.2.1 Establishing the Configuration Task......................................................................................................5-5
5.2.2 (Optional) Configuring the VSU to Work as the SSU...........................................................................5-6
5.2.3 (Optional) Configuring the Default Master SSU...................................................................................5-6
5.2.4 Enabling Attack Defense........................................................................................................................5-7
5.2.5 Configuring Flood Attack Defense........................................................................................................5-9
5.2.6 (Optional) Configuring Scanning Attack Defense...............................................................................5-10
5.2.7 (Optional) Configuring Large ICMP Packet Attack Defense..............................................................5-10
5.2.8 Checking the Configuration.................................................................................................................5-11
5.3 Configuration Examples................................................................................................................................5-11
5.3.1 Example for Configuring Land Attack Defense...................................................................................5-11
5.3.2 Example for Configuring SYN Flood Attack Defense........................................................................5-13
5.3.3 Example for Configuring IP Address Sweeping Attack Defense........................................................5-16
6 IPSec Configuration...................................................................................................................6-1
6.1 Introduction.....................................................................................................................................................6-2
6.1.1 Overview of IPSec.................................................................................................................6-2
6.1.2 Terms Related to IPSec..........................................................................................................................6-2
6.1.3 IPSec Features Supported by the ME60.................................................................................................6-5
6.2 Defining Data Flows to Be Protected..............................................................................................................6-6
6.2.1 Establishing the Configuration Task......................................................................................................6-6
6.2.2 Defining Data Flows to Be Protected.....................................................................................................6-7
6.3 Configuring an IPSec Proposal.......................................................................................................................6-8
6.3.1 Establishing the Configuration Task......................................................................................................6-8
6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View......................................................6-9
6.3.3 Configuring the IPSec Protocol..............................................................................................................6-9
6.3.4 Configuring the Authentication Algorithm..........................................................................................6-10
6.3.5 Configuring the Encryption Algorithm................................................................................................6-11
6.3.6 Configuring the Encapsulation Mode..................................................................................................6-11
6.3.7 Checking the Configuration.................................................................................................................6-12
6.4 Configuring an IPSec Policy.........................................................................................................................6-12
6.4.1 Establishing the Configuration Task....................................................................................................6-13
6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View...........................................................6-13
6.4.3 Configuring the ACL Used in the IPSec Policy...................................................................................6-14
6.4.4 Applying the IPSec Proposal to the IPSec Policy................................................................................6-14
6.4.5 Configuring the SA Duration...............................................................................................................6-15
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)..........................6-16
6.4.7 Configuring the SPI for an SA (for Manual Mode).............................................................................6-16
6.4.8 Configuring Key for an SA (for Manual Mode)..................................................................................6-17
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode).....................................6-18
6.4.10 Configuring the PFS Feature Used in the IKE Negotiation...............................................................6-18
6.4.11 Configuring the Global SA Duration.................................................................................................6-19
6.4.12 Checking the Configuration...............................................................................................................6-19
6.5 Configuring IPSec Policies by Using the IPSec Policy Template................................................................6-20
6.5.1 Establishing the Configuration Task....................................................................................................6-20
6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View...........................6-21
6.5.3 Configuring the ACL Used in the IPSec Policy Template...................................................................6-22
6.5.4 Applying the IPSec Proposal to the IPSec Policy Template................................................................6-22
6.5.5 Configuring the SA Duration...............................................................................................................6-22
6.5.6 Configuring the IKE Peer for the IPSec Policy Template....................................................................6-23
6.5.7 Configuring the PFS Feature Used in the IKE Negotiation.................................................................6-23
6.5.8 Configuring the Global SA Duration...................................................................................................6-24
6.5.9 Applying the IPSec Policy Template...................................................................................................6-24
6.5.10 Checking the Configuration...............................................................................................................6-25
6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface............................................................6-25
6.6.1 Establishing the Configuration Task....................................................................................................6-25
6.6.2 Configuring the IPSec Behavior in the Traffic Policy.........................................................................6-26
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface...................................................6-26
6.7 Maintaining IPSec.........................................................................................................................................6-27
6.7.1 Clearing IPSec Packet Statistics...........................................................................................................6-27
6.7.2 Debugging IPSec..................................................................................................................................6-28
6.8 Configuration Examples................................................................................................................................6-28
6.8.1 Example for Establishing an SA Manually..........................................................................................6-28
7 IKE Configuration......................................................................................................................7-1
7.1 Introduction.....................................................................................................................................................7-2
7.1.1 Overview of IKE....................................................................................................................................7-2
7.1.2 NAT Traversal in IPSec.........................................................................................................................7-4
7.1.3 IKE Features of the ME60.....................................................................................................................7-4
7.2 Setting the Local ID Used in IKE Negotiation...............................................................................................7-5
7.2.1 Establishing the Configuration Task......................................................................................................7-5
7.2.2 Setting the Local ID Used in IKE Negotiation......................................................................................7-5
7.3 Configuring an IKE Security Proposal............................................................................................................7-6
7.3.1 Establishing the Configuration Task......................................................................................................7-6
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View.............................7-7
7.3.3 Specifying an Encryption Algorithm.....................................................................................................7-7
7.3.4 Specifying an Authentication Method....................................................................................................7-8
7.3.5 Configuring the Authentication Algorithm............................................................................................7-8
7.3.6 Specifying a DF Group..........................................................................................................................7-9
7.3.7 Configuring the Duration of ISAKMP SA.............................................................................................7-9
7.3.8 Checking the Configuration.................................................................................................................7-10
7.4 Configuring Attributes of the IKE Peer........................................................................................................7-10
7.4.1 Establishing the Configuration Task....................................................................................................7-11
7.4.2 Creating an IKE Peer and Entering the IKE Peer View.......................................................................7-11
7.4.3 Configuring the IKE Negotiation Mode...............................................................................................7-12
7.4.4 Configuring the IKE Security Proposal...............................................................................................7-12
7.4.5 Configuring the Local ID Type............................................................................................................7-13
7.4.6 Configuring NAT Traversal in IPSec...................................................................................................7-13
7.4.7 Configuring the Identity Authenticator................................................................................................7-14
7.4.8 Configuring the Peer IP Address or Address Segment........................................................................7-14
7.4.9 Configuring the Peer Name..................................................................................................................7-15
7.4.10 Checking the Configuration...............................................................................................................7-15
7.5 Tuning the IKE Configuration......................................................................................................................7-15
7.5.1 Establishing the Configuration Task....................................................................................................7-16
7.5.2 Setting the Interval of Keepalive Packets.............................................................................................7-16
7.5.3 Setting the Timeout Time of Keepalive Packets..................................................................................7-17
7.5.4 Setting the Interval of NAT Update Packets........................................................................................7-17
7.6 Maintaining IKE............................................................................................................................................7-18
7.6.1 Displaying the IKE Configuration.......................................................................................................7-18
7.6.2 Clearing the Security Tunnel................................................................................................................7-18
7.6.3 Debugging IKE....................................................................................................................................7-19
7.7 Configuration Examples................................................................................................................................7-19
7.7.1 Example for Establishing an SA Through IKE Negotiation................................................................7-19
8 URPF Configuration..................................................................................................................8-1
8.1 Introduction.....................................................................................................................................................8-2
8.1.1 Overview of URPF.................................................................................................................................8-2
8.1.2 URPF Features of the ME60..................................................................................................................8-4
8.2 Configuring URPF.......................................................................................................................................... 8-5
8.2.1 Establishing the Configuration Task......................................................................................................8-5
8.2.2 Enabling URPF on an Interface............................................................................................................. 8-5
8.2.3 (Optional) Configuring URPF Check for Certain Types of Packets.....................................8-6
8.3 Configuration Examples..................................................................................................................................8-7
8.3.1 Example for Configuring URPF............................................................................................................ 8-7
9 SBC Configuration.....................................................................................................................9-1
9.1 Introduction.....................................................................................................................................................9-3
9.1.1 Background of an SBC...........................................................................................................................9-3
9.1.2 SBC Functions Supported by the ME60................................................................................................9-4
9.1.3 References..............................................................................................................................................9-5
9.2 Configuring Basic SBC Information...............................................................................................................9-5
9.2.1 Establishing the Configuration Task......................................................................................................9-6
9.2.2 Configuring the Operation Mode of the VSU to SBC...........................................................................9-6
9.2.3 Configuring the Application Mode........................................................................................................9-7
9.2.4 Checking the Configuration...................................................................................................................9-7
9.3 Configuring an SBC Backup Group................................................................................................................9-8
9.3.1 Establishing the Configuration Task......................................................................................................9-8
9.3.2 Configuring a Backup Group.................................................................................................................9-8
9.3.3 Checking the Configuration...................................................................................................................9-9
9.4 Configuring IMS Architecture-based SBC Functions..................................................................................9-10
9.4.1 Establishing the Configuration Task....................................................................................................9-10
9.4.2 Configuring a Media Address Mapping Group....................................................................................9-11
9.4.3 Configuring the Ia Interface.................................................................................................................9-12
9.4.4 (Optional) Configuring the MG Timer and Idle Cut Attributes...........................................................9-14
9.4.5 (Optional) Configuring the Validity Check of Media Streams............................................................9-16
9.4.6 (Optional) Configuring the Maximum Number of Sessions Supported by a Mapping Group............9-16
9.4.7 (Optional) Setting the Total Bandwidth Supported by an SBC Board................................................9-17
9.4.8 (Optional) Enabling the QoS Report Function.....................................................................................9-17
9.4.9 Enabling the Media Address Mapping Group......................................................................................9-18
9.4.10 Checking the Configuration...............................................................................................................9-18
9.5 Configuring the NGN Architecture-based Signaling and Media Address Mapping.....................................9-20
9.5.1 Establishing the Configuration Task....................................................................................................9-21
9.5.2 Configuring a Mapping Group for Signaling and Media Addresses...................................................9-21
9.5.3 Enabling a Mapping Group for Signaling and Media Addresses.........................................................9-23
9.5.4 (Optional) Enabling Dual-homing.......................................................................................................9-23
9.5.5 Checking the Configuration.................................................................................................................9-24
9.6 Configuring the IADMS Proxy.....................................................................................................................9-24
9.6.1 Establishing the Configuration Task....................................................................................................9-25
9.6.2 Enabling the IADMS Proxy.................................................................................................................9-25
9.6.3 Loading the IADMS MIB....................................................................................................................9-26
9.6.4 Configuring the Port Numbers.............................................................................................................9-26
9.6.5 (Optional) Configuring the IADMS Timer and Other Optional Functions.........................................9-27
9.6.6 Checking the Configuration.................................................................................................................9-27
9.7 Configuring Signaling Attack Defense.........................................................................................................9-28
9.7.1 Establishing the Configuration Task....................................................................................................9-28
9.7.2 Enabling Signaling Attack Defense.....................................................................................................9-29
9.7.3 Configuring the Defense Mode............................................................................................................9-29
9.7.4 (Optional) Configuring the Threshold and Security Factor for Access Rate.......................................9-30
9.7.5 (Optional) Configuring Other Optional Parameters.............................................................................9-31
9.7.6 Checking the Configuration.................................................................................................................9-31
9.8 Configuring the CAC Function.....................................................................................................................9-32
9.8.1 Establishing the Configuration Task....................................................................................................9-32
9.8.2 Enabling the CAC Function.................................................................................................................9-33
9.8.3 (Optional) Configuring the CAC Parameters for a Single User...........................................................9-33
9.8.4 (Optional) Configuring the CAC Parameters for All Users.................................................................9-34
9.8.5 (Optional) Configuring Other Optional Parameters.............................................................................9-35
9.8.6 Checking the Configuration.................................................................................................................9-36
9.9 Configuring the Session-based CAR.............................................................................................................9-36
9.9.1 Establishing the Configuration Task....................................................................................................9-37
9.9.2 Enabling the Session-based CAR.........................................................................................................9-37
9.9.3 Configuring the CAR Level.................................................................................................................9-37
9.9.4 Configuring the CAR Rule...................................................................................................................9-38
9.9.5 Checking the Configuration.................................................................................................................9-38
9.10 Configuring Signaling NAT........................................................................................................................9-39
9.10.1 Establishing the Configuration Task..................................................................................................9-39
9.10.2 Configuring a NAT Address..............................................................................................................9-40
9.10.3 Configuring IMS Signaling NAT.......................................................................................................9-41
9.10.4 Configuring the Traffic Policy for Signaling NAT............................................................................9-41
9.10.5 Applying the Traffic Policy................................................................................................................9-42
9.10.6 (Optional) Configuring the Aging Time of the NAT Session Table..................................................9-43
9.10.7 Checking the Configuration...............................................................................................................9-43
9.11 Configuring SBC Lawful Interception........................................................................................................9-44
9.11.1 Establishing the Configuration Task..................................................................................................9-45
9.11.2 Configuring Lawful Interception.......................................................................................................9-45
9.11.3 Checking the Configuration...............................................................................................................9-46
9.12 Configuring SBC Attack Defense...............................................................................................................9-46
9.12.1 Establishing the Configuration Task..................................................................................................9-46
9.12.2 Configuring Flood Attack Defense....................................................................................................9-47
9.12.3 Configuring Single Packet Attack Defense........................................................................................9-47
9.12.4 Checking the Configuration...............................................................................................................9-48
9.13 Maintaining the SBC...................................................................................................................................9-49
9.13.1 Debugging an SBC.............................................................................................................................9-49
9.13.2 Clearing SBC Operation Information................................................................................................9-50
9.14 Configuration Examples..............................................................................................................................9-51
9.14.1 Example for Configuring the SIP Signaling Proxy and Media Proxy...............................................9-51
9.14.2 Example for Configuring the U-Path Signaling Proxy and Media Proxy..........................................9-55
9.14.3 Example for Configuring User Registration Control..........................................................9-57
9.14.4 Example for Configuring the IADMS Proxy.....................................................................................9-59
9.14.5 Example for Configuring IMS Architecture-based SBC Functions...................................................9-62
10 DPI Configuration.................................................................................................................10-1
10.1 Introduction.................................................................................................................................................10-2
10.1.1 Overview of DPI................................................................................................................................10-2
10.1.2 DPI Functions Supported by the ME60.............................................................................................10-4
10.2 Configuring Basic DPI Functions...............................................................................................................10-4
10.2.1 Establishing the Configuration Task..................................................................................................10-5
10.2.2 (Optional) Configuring the VSU to Work as the DPI Board.............................................................10-5
10.2.3 (Optional) Configuring the MAC Address of the DPI Board............................................................10-6
10.2.4 Configuring the Packet Inspection Mode...........................................................................................10-6
10.2.5 (Optional) Configuring the PTS.........................................................................................................10-7
10.2.6 Checking the Configuration...............................................................................................................10-8
10.3 Configuring Network-side DPI...................................................................................................................10-8
10.3.1 Establishing the Configuration Task..................................................................................................10-9
10.3.2 Creating a DPI Policy.........................................................................................................................10-9
10.3.3 Configuring the DPI Policy..............................................................................................................10-10
10.3.4 Configuring a Global DPI Policy Group..........................................................................................10-11
10.3.5 Configuring a DPI Traffic Policy.....................................................................................................10-11
10.3.6 Applying the Traffic Policy to the Network Side............................................................................10-13
10.3.7 Checking the Configuration.............................................................................................................10-14
10.4 Configuring User-side DPI........................................................................................................................10-14
10.4.1 Establishing the Configuration Task................................................................................................10-14
10.4.2 Creating and Configuring a DPI Policy...........................................................................................10-15
10.4.3 Configuring a Common DPI Policy Group......................................................................................10-15
10.4.4 Applying the User-side DPI Policy to the Domain..........................................................................10-16
10.4.5 (Optional) Enabling DPI on a BAS Interface...................................................................................10-16
10.4.6 (Optional) Configuring the Restriction Policy.................................................................................10-18
10.4.7 Checking the Configuration.............................................................................................................10-18
10.5 Configuration Examples............................................................................................................................10-19
10.5.1 Example for Configuring the DPI Function......................................................................10-19
11 Lawful Interception Configuration....................................................................................11-1
11.1 Introduction.................................................................................................................................................11-2
11.1.1 Concept of Lawful Interception.........................................................................................................11-2
11.1.2 Principle of Lawful Interception........................................................................................................11-2
11.1.3 Role of the ME60 in Lawful Interception..........................................................................................11-6
11.2 Configuring Lawful Interception................................................................................................................11-7
11.2.1 Establishing the Configuration Task..................................................................................................11-7
11.2.2 Configuring the IP Address of the X3 Interface.................................................................................11-7
11.2.3 Configuring the Type and Port Number of the X3 Interface.............................................................11-8
11.2.4 Enabling Lawful Interception.............................................................................................................11-9
11.2.5 Checking the Configuration...............................................................................................................11-9
11.3 Configuration Examples............................................................................................................................11-10
11.3.1 Example for Configuring Lawful Interception.................................................................................11-10
12 User Log Configuration........................................................................................................12-1
12.1 Introduction.................................................................................................................................................12-2
12.2 Configuring the User Log...........................................................................................................................12-2
12.2.1 Establishing the Configuration Task..................................................................................................12-2
12.2.2 Configuring the User Log Host..........................................................................................................12-2
12.2.3 Configuring the Version of User Log Packets...................................................................................12-3
12.2.4 Enabling the User Log Function........................................................................................................12-4
12.2.5 Applying the User Log.......................................................................................................................12-4
12.2.6 Checking the Configuration...............................................................................................................12-5
12.3 Debugging the User Log.............................................................................................................................12-5
12.4 Configuration Examples..............................................................................................................................12-5
12.4.1 Example for Configuring the User Log..............................................................................................12-5
A Glossary..................................................................................................................................... A-1
B Acronyms and Abbreviations.................................................................................................B-1
Figures
Figure 2-1 Networking of ACL-based packet filtering......................................................................................2-26
Figure 2-2 Networking of ASPF and port mapping...........................................................................................2-29
Figure 2-3 Networking of blacklist configuration..............................................................................................2-31
Figure 3-1 Schematic diagram of NAT................................................................................................................3-3
Figure 3-2 Schematic diagram of PAT.................................................................................................................3-4
Figure 3-3 Networking of NAT..........................................................................................................................3-10
Figure 4-1 Limiting the number of sessions initiated by external server.............................................................4-2
Figure 4-2 Networking of system-level traffic statistics and monitoring...........................................................4-10
Figure 4-3 Networking of zone-based traffic statistics and monitoring.............................................................4-12
Figure 4-4 Networking of IP address-based traffic statistics and monitoring....................................................4-14
Figure 5-1 Networking of Land attack defense..................................................................................................5-12
Figure 5-2 Networking of SYN Flood attack defense........................................................................................5-14
Figure 5-3 Networking of IP address sweeping attack defense.........................................................................5-16
Figure 6-1 Packets format in transport mode.......................................................................................................6-3
Figure 6-2 Packets format in tunnel mode........................................................................................................... 6-4
Figure 6-3 Networking of IPSec configuration..................................................................................................6-29
Figure 7-1 Process of setting up an SA................................................................................................................7-3
Figure 7-2 Networking of IKE configuration.....................................................................................................7-20
Figure 8-1 Schematic diagram of the source address spoofing attack................................................................. 8-2
Figure 8-2 URPF applied on a single-homed client.............................................................................................8-3
Figure 8-3 URPF applied on a multi-homed client..............................................................................................8-3
Figure 8-4 URPF applied on a multi-homed client with multiple ISPs............................................................... 8-4
Figure 8-5 Networking of URPF configuration...................................................................................................8-7
Figure 9-1 Networking for configuring the SIP signaling proxy and media proxy...........................................9-52
Figure 9-2 Networking for configuring the U-Path signaling proxy and media proxy......................................9-55
Figure 9-3 Networking of user registration control............................................................................................9-58
Figure 9-4 Networking for configuring the IADMS proxy................................................................................9-60
Figure 9-5 Example for configuring IMS architecture-based SBC functions....................................................9-63
Figure 10-1 Comparison between DPI and the common packet analysis..........................................................10-2
Figure 10-2 Networking of DPI application.......................................................................................................10-4
Figure 10-3 Networking for DPI configuration...............................................................................................10-19
Figure 11-1 Scenario for lawful interception.....................................................................................................11-3
Figure 11-2 Process of lawful interception........................................................................................................11-5
Figure 11-3 Networking of lawful interception................................................................................................11-10
Figure 12-1 Networking for configuring the user log........................................................................................12-6
Tables
Table 9-1 Characteristics of the NGN..................................................................................................................9-4
Table 9-2 Default thresholds of the access rate for signaling protocols.............................................................9-30
Table 9-3 Default thresholds of registration rate and call rate for a user...........................................................9-34
Table 9-4 Default thresholds for registration rate and call rate for all users......................................................9-35
Table 11-1 Description of interfaces for lawful interception.............................................................................11-4
Table 12-1 Difference between the two versions of the user log packets..........................................................12-3
About This Document
Purpose
This document describes the security services supported by the ME60, including the basic
knowledge, configuration procedures, and configuration examples. It provides guidelines
for configuring the firewall, NAT, traffic statistics and monitoring, attack defense,
URPF, SBC, DPI, lawful interception, and the user log. In addition, the document provides
a glossary and a list of acronyms and abbreviations.
For more information about the configuration commands, refer to "Security Commands" in the
Quidway ME60 Multiservice Control Gateway Command Reference.
Related Versions
The following table lists the product version to which this document applies.
Product Name: ME60
Version: V100R006C05
Intended Audience
This document is intended for:
- Technical support engineers
- Maintenance engineers
Organization
This document is organized as follows.
Chapter / Content
1 Security Overview: This chapter provides basic knowledge about the security service, including threats to Internet security, an overview of network security, and the implementation of network security.
2 Firewall Configuration: This chapter describes the configuration of the firewall, including the security zone, ACL packet filtering, ASPF, blacklist, port mapping, and firewall log.
3 NAT Configuration: This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.
4 Traffic Statistics and Monitoring Configuration: This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and monitoring.
5 Attack Defense Configuration: This chapter describes the fundamentals, configuration, and maintenance of attack defense.
6 IPSec Configuration: This chapter describes the fundamentals, implementation, and configuration of IPSec.
7 IKE Configuration: This chapter describes the fundamentals, implementation, and configuration of IKE.
8 URPF Configuration: This chapter describes the fundamentals, implementation, and configuration of URPF.
9 SBC Configuration: This chapter describes the fundamentals, configuration, and maintenance of SBC features, including how to configure the signaling proxy and media proxy, the IADMS proxy, signaling attack defense, CAC, and session-based CAR.
10 DPI Configuration: This chapter describes the fundamentals of DPI and how to configure network-side DPI and user-side DPI.
11 Lawful Interception Configuration: This chapter describes the concept, process, and configuration of lawful interception.
12 User Log Configuration: This chapter describes the concept and configuration of user logs.
A Glossary: This appendix provides the glossary of this document.
B Acronyms and Abbreviations: This appendix lists the acronyms and abbreviations used in this manual and explains them.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol: Description
DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.
Convention: Description
Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention: Description
Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format: Description
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.
Action: Description
Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Updates in Issue 03 (2009-07-01)
Third commercial release.
Bug fixes.
Updates in Issue 02 (2009-03-01)
Second commercial release.
Added chapter "IMS Architecture-based SBC Configuration".
Updates in Issue 01 (2008-11-15)
Initial commercial release.
1 Security Overview
About This Chapter
This chapter provides basic knowledge about the security service, including threats to Internet
security, network security overview, and implementation of network security.
1.1 Introduction to Network Security
This section describes the background and concept of network security.
1.2 Security Features of the ME60
This section describes the security features supported by the ME60.
1.1 Introduction to Network Security
This section describes the background and concept of network security.
1.1.1 Background
1.1.2 Network Security Service
1.1.1 Background
With the rapid development of the Internet, more enterprises use Internet services for
development. The Internet is, however, an open network and so, confidential information and
resources of enterprises face malicious threats and attacks. Various measures must be taken to
minimize the risks.
1.1.2 Network Security Service
Network security service is the measure taken against security threats to protect network security.
Network security service is an integrated technology that enables the security of the following:
l Intranet (against illegal access)
l Data exchange between internal and external networks
1.2 Security Features of the ME60
This section describes the security features supported by the ME60.
1.2.1 Firewall
1.2.2 URPF
1.2.3 SBC
1.2.4 DPI
1.2.5 Lawful Interception
1.2.6 User Log
1.2.1 Firewall
The firewall is introduced to avoid security risks in network transmission and to prevent external
attacks. The firewall supports the following features:
l Packet filtering
l ASPF
l Blacklist
l Port mapping
l P2P traffic control
l Attack defense
l NAT
l Traffic statistics and monitoring
l Firewall log
1.2.2 URPF
Unicast reverse path forwarding (URPF) is used to prevent attacks of IP address spoofing.
The ME60 can perform loose URPF check or strict URPF check for all IP packets on an interface.
1.2.3 SBC
The session border controller (SBC) provides channels for all information flows and media flows
that pass the network. The SBC functions as the gateway for information transmission. It
guarantees the security and service performance of the IP network and solves the problem of
NAT traversal.
1.2.4 DPI
Deep packet inspection (DPI) analyzes the application layer of the packet to identify services
and applications. DPI provides the policies for network control and management.
1.2.5 Lawful Interception
Lawful interception is a law enforcement behavior carried out to monitor the communications
service on the public communications network, according to the related law and the norm for
the public communications network.
The ME60 functions as the network equipment of the carrier to implement lawful interception.
The X3 interface of the ME60 sends the content of communication (CC) to the lawful
interception gateway (LIG). The X1 interface of the ME60 obtains information sent by the LIG,
for example, information about the intercepted object.
1.2.6 User Log
Most countries have specific requirements for information security. An ISP must have the
capability of recording activities of users, such as login, logout, and access to network resources.
The ME60 provides user logs to record information about user login and logout so that carriers
and security agents can manage and monitor users.
2 Firewall Configuration
About This Chapter
This chapter describes the configuration of the firewall, including the security zone, ACL packet
filtering, ASPF, blacklist, port mapping, and firewall log.
2.1 Introduction
This section describes the concept and fundamentals of the firewall.
2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.
2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table
2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.
2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information
about data flows to filter data packets.
2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.
2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify
the packets of the application-layer protocols that use non-well-known port numbers.
2.8 Configuring P2P Traffic Control
This section describes how to limit bandwidth of P2P sessions.
2.9 Configuring Firewall Logs
This section describes how to configure firewall logs.
2.10 Configuration Examples
This section provides several configuration examples of the firewall.
2.1 Introduction
This section describes the concept and fundamentals of the firewall.
The concept of firewall originates from architecture. In a building, a firewall is used to prevent
fire from spreading.
In communication networks, the firewall has similar function. A firewall is a system or a group
of systems that execute access control policies. A firewall monitors the channel between the
internal network, which is reliable, and the external networks, which are unreliable. Thus, the
risks in external networks cannot affect the internal network.
2.1.1 Functions of Firewall
2.1.2 Classification of Firewalls
2.1.3 Terms Related to the Firewall
2.1.4 Firewall Functions of the ME60
2.1.1 Functions of Firewall
A firewall is used at the ingress of a protected area. The firewall protects the network based on
ACL policies. The firewall provides the following functions:
l Controlling the access to the protected site, including users and information
l Preventing attackers from accessing other security devices
l Controlling the output from the protected site, including users and information
When the firewall resides between an internal network and an external network, it protects the
internal network against illegal access, such as unauthorized and unauthenticated access, and
malicious attacks.
When the firewall resides at the ingress of important resources (such as key servers and secret
databases) in an internal network, it prevents certain users from accessing the resources, even if
the users are in the internal network.
The firewall can also function as a gateway that controls the access right to the Internet. For
example, the firewall allows certain users in the internal network to access the Internet after the
users are authenticated.
2.1.2 Classification of Firewalls
Firewalls are classified into the following types: packet filtering firewall, proxy firewall, and
stateful firewall.
Packet Filtering Firewall
A packet filtering firewall checks the packets at the network layer, and then forwards or discards
the packets according to the security policy. The packet filtering firewall filters packets by using
the access control list (ACL). Packets are filtered based on the quintuple (source and destination
IP addresses, source and destination port numbers, and IP protocol number), IP flag, and delivery
direction.
The packet filtering firewall is simple, easy to use, and economical, but it has the following
disadvantages:
l As the complexity and length of the ACL increase, the filtering performance degrades
exponentially.
l The static ACL rules cannot meet the dynamic security requirements.
l The packet filtering firewall does not check the state of a session or analyze data and hence,
the network is subject to IP address spoofing.
Proxy Firewall
A proxy firewall works at the application layer and takes over the services between the internal
network and external network. The proxy firewall checks the requests of users. If the
authentication is successful, the firewall connects to a genuine server and forwards the request.
The firewall then forwards the response of the server to the user.
The proxy firewall can completely control the exchange of network information and the session
process and hence, it provides high security. The proxy firewall, however, has the following
disadvantages:
l The processing speed is low because of software limitation, and the proxy firewall is subject
to the denial of service (DoS) attack.
l The upgrade is difficult because the application proxy is required for each protocol.
NOTE
The ME60 can function as the proxy firewall for only the SYN packets of TCP.
Stateful Firewall
A stateful firewall is an extension to the packet filtering firewall. The stateful firewall not only
treats each data packet as an independent unit in the ACL check and filtering, but also considers
the association of the packets.
The stateful firewall monitors the TCP/UDP sessions by using various state tables. The ACL
then determines the sessions that can be established. Only the data packets associated with the
permitted sessions are forwarded. The stateful firewall also analyzes the application layer state
of the data packets in the TCP/UDP sessions, and filters out unqualified data packets.
The stateful firewall has high processing speed and ensures high security because of the
combined advantages of the packet filtering firewall and proxy firewall.
The ME60 supports the packet filtering firewall and the stateful firewall.
2.1.3 Terms Related to the Firewall
Security Zone
The security zone, also referred to as a zone, is a basic concept of firewall. All the security
policies are enforced based on the zones.
A security zone consists of more than one interface or user domain. The interfaces and users in
a zone have the same security attributes. The security priority of a zone is globally unique. That
is, the priorities of any two zones are different.
The ME60 considers the data delivery in a zone reliable, and therefore, it does not enforce any
security policy. The firewall checks the data and enforces the security policies only when the
data flows from one zone to another.
Security Interzone
Any two zones can form an interzone, which has an independent interzone view. Most firewall
configurations are performed in the interzone view.
Assume that there are two zones, namely, zone1 and zone2. In the view of the interzone, ACL
packet filtering can be configured. The ACL packet filtering policy is then enforced on the data
delivered between zone1 and zone2.
Direction
In an interzone, data is delivered in a certain direction: inbound or outbound.
l Inbound: indicates that data flows from a zone with lower priority to a zone with higher
priority.
l Outbound: indicates that data flows from a zone with higher priority to a zone with lower
priority.
2.1.4 Firewall Functions of the ME60
The ME60 supports the following firewall functions: ACL-based packet filtering, application specific
packet filtering (ASPF), blacklist, port mapping, NAT, traffic statistics and monitoring, and
attack defense.
This chapter describes only the functions of ACL-based packet filtering, ASPF, blacklist, P2P
traffic control, and firewall logs. The other features are described in the following chapters:
l Chapter 3 "NAT Configuration"
l Chapter 4 "Traffic Statistics and Monitoring Configuration"
l Chapter 5 "Attack Defense Configuration"
ACL-based Packet Filtering
ACL-based packet filtering is used to analyze the quintuple of packets to be forwarded. The
ME60 compares the packet information with the ACL rules and determines whether to forward
or discard the packets.
In addition, the ME60 can filter the fragmented IP packets. Thus the attacker cannot attack the
network by using a non-first fragment packet.
ASPF
ASPF is applied to the application layer, namely, the status-based packet filtering. ASPF detects
the application-layer sessions that attempt to pass the firewall, and denies unnecessary packets.
The ACL-based packet filtering firewall detects packets at the network and transport layers. The
ASPF function and the common packet filtering firewall can be used together. Thus, the
ME60 can enforce the security policies on an internal network.
ME60 can apply ASPF depending on the application layer protocols such as the File Transfer
Protocol (FTP), H.323, Hyper Text Transport Protocol (HTTP), Huawei Conference Control
Protocol (HWCC), Internet Location Service (ILS), Network Basic Input/Output System
(NetBIOS), and Real Time Streaming Protocol (RTSP).
Blacklist
A blacklist filters packets based on the source IP address. Compared with the ACL, the matching
fields used in the blacklist are simple and hence the packets can be filtered at a higher speed.
The packets from certain IP addresses can be filtered out.
The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors,
the firewall detects an attack from an IP address. The firewall adds the IP address of the attacker
to the blacklist so that packets from the attacker can be filtered out and discarded.
Port Mapping
Application layer protocols use the well-known ports for communication. Port mapping allows
you to define a set of port numbers for different applications. You can also specify the hosts that
can use the non-well-known ports.
Port mapping is meaningful only when it is used with service-sensitive features such as ASPF
and NAT. For example, the internal FTP server 10.10.10.10 in the private network of an
enterprise provides the FTP service through port 2121. Users can use only 2121 as the port
number to access the FTP server through the NAT server. By default, port 21 is used for FTP
packets. The FTP server cannot identify the FTP packets that use port 21. In this case, you need
to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP
packets that use port 2121 and send the FTP packets to the FTP server. In this way, users can
access the FTP server.
P2P Traffic Control
Common point-to-point (P2P) applications, such as BitTorrent (BT), eMule, and eDonkey
usually occupy a great amount of bandwidth and lead to a bandwidth shortage. Therefore,
bandwidth must be controlled for the P2P applications.
The firewall of the ME60 can identify the packets from a P2P application by the characteristic
string in the packets and controls the bandwidth assigned to a P2P session. In this manner, the
ME60 ensures the provisioning of other services.
Firewall Log
The firewall records the behaviors and states of the firewall in real time. For example, the
measures taken against IP address spoofing and the detection of malicious attacks are recorded
in the firewall log.
The firewall logs are categorized into the following types:
l Session log, which is sent to the log server in real time
l Blacklist log, which is sent to the information center in real time
l Defense log and statistics log, which are sent to the information center periodically
These logs help you find out the security hole, detect the attempts to violate the security policies,
and learn the type of a network attack. The real-time log is also used to detect the intrusion that
is underway.
2.2 Configuring a Zone
This section describes how to configure the firewall and partition the network.
2.2.1 Establishing the Configuration Task
2.2.2 (Optional) Configuring the VSU to Work as the SSU
2.2.3 (Optional) Configuring the Default Master SSU
2.2.4 Creating a Zone
2.2.5 Configuring the Priority of a Zone
2.2.6 Adding User Domains or Interfaces to the Zone
2.2.7 Creating an Interzone
2.2.8 Enabling Firewall in the Interzone
2.2.9 Checking the Configuration
2.2.1 Establishing the Configuration Task
Applicable Environment
Before configuring the firewall, you need to configure the zones. You can then configure the
firewall based on zones or interzones.
NOTE
l The ME60 implements firewall features after the Versatile Service Unit (VSU) is configured to the
Security Service Unit (SSU). Therefore, you need to install the VSU before configuring the firewall.
For the functions of the VSU in SSU mode, refer to the Quidway ME60 Multiservice Control Gateway
Product Description.
l You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different
service functions.
l In this manual, the VSU operating in SSU mode is called the SSU.
Pre-configuration Task
Before configuring a zone, complete the following tasks:
l Installing the VSU
l Configuring the user domains or interfaces that you need to add to the zone
Data Preparation
To configure a zone, you need the following data.
No. Data
1 Name of the zone
2 Priority of the zone
3 User domains or interfaces to be added to the zone

2.2.2 (Optional) Configuring the VSU to Work as the SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode ssu slot slot-id
The operation mode of the VSU is set to SSU.
NOTE
l The configured operation mode takes effect after the VSU is restarted.
l The command for configuring the operation mode of the VSU is not recorded in the system
configuration file. You can run the display device or display lpu-work-mode command to view the
operation mode of the VSU. If the operation mode is configured properly, you need not configure the
operation mode again.
----End
2.2.3 (Optional) Configuring the Default Master SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssu master default slot-id slot-id
The default master SSU is configured.
The ME60 can be equipped with multiple SSUs. One is the master board, and the others are
slave boards.
If the default master SSU is not specified, the ME60 selects the SSU registered first as the master.
By default, the master SSU is not specified.
----End
2.2.4 Creating a Zone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
A zone is created.
Up to 128 zones can be configured on the ME60. No default zone exists.
----End
2.2.5 Configuring the Priority of a Zone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
The zone view is displayed.
Step 3 Run:
priority security-priority
The priority of the zone is set.
The priority must be configured; otherwise, other configurations cannot be performed. The
priority of a zone ranges from 1 to 200 and is globally unique.
----End
2.2.6 Adding User Domains or Interfaces to the Zone
Context
NOTE
l A user domain or an interface can be added to only one zone. If a user domain or an interface is added
to multiple zones, the last zone takes effect.
l When layer-3 leased line users connect to the ME60 through a layer-3 device (for example, a router),
the ME60 can implement the firewall function only by adding interfaces to zones.
You can add a user domain and an interface to the same zone. That is, a zone can consist of user
domains and interfaces.
Procedure
l Adding a user domain to the zone
1. Run:
system-view
The system view is displayed.
2. Run:
aaa
The AAA view is displayed.
3. Run:
domain domain-name
The domain view is displayed.
4. Run:
zone zone-name
The domain is added to the zone.
l Adding an interface to the zone
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
zone zone-name
The interface is added to the zone.
4. Run:
shutdown
The interface is disabled.
5. Run:
undo shutdown
The interface is enabled.
NOTE
After adding an interface to a zone, you must run the shutdown command to disable the interface
first, and then run the undo shutdown command to re-enable the interface. Thus, the configuration
takes effect.
----End
2.2.7 Creating an Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
An interzone is created.
You need to specify two existing zones in the interzone.
----End
2.2.8 Enabling Firewall in the Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 3 Run:
firewall enable
The firewall is enabled.
----End
2.2.9 Checking the Configuration
Run the following commands to check the previous configuration.
Action: Check the configuration of the interzone.
Command: display firewall interzone [ zone-name1 zone-name2 ]
Action: Check the configuration of the zone.
Command: display firewall zone [ zone-name ] [ domain | interface | priority ]
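The zone procedure in 2.2.2 to 2.2.9, assembled into one command sequence as an added example; it is not one of the guide's own configuration examples. The zone names trust and untrust, their priorities 100 and 10, the VSU slot 3, the user domain isp1, and the interface GigabitEthernet 1/0/0 are assumed values; the view prompts are omitted and quit is used to leave each view.

```vrp
# Added example (assumed names, slot and interface; not from the guide).
system-view
# (Optional) run the VSU in slot 3 as an SSU. Takes effect after the board
# restarts and is not written to the configuration file; check it with
# display lpu-work-mode before configuring it again.
set lpu-work-mode ssu slot 3
# Create the zones. Each zone needs a globally unique priority (1-200)
# before anything else can be configured in it.
firewall zone trust
 priority 100
 quit
firewall zone untrust
 priority 10
 quit
# Put the access user domain (assumed name isp1) in the high-priority zone.
# A domain or interface can belong to only one zone; the last binding wins.
aaa
 domain isp1
  zone trust
  quit
 quit
# Put the uplink interface (assumed) in the low-priority zone. The binding
# takes effect only after shutdown followed by undo shutdown.
interface GigabitEthernet 1/0/0
 zone untrust
 shutdown
 undo shutdown
 quit
# Create the interzone between the two existing zones and enable the firewall.
# Traffic untrust -> trust is inbound (lower to higher priority);
# trust -> untrust is outbound.
firewall interzone trust untrust
 firewall enable
 quit
# Verify the zone priority, its members and the interzone.
display firewall zone trust priority
display firewall zone untrust interface
display firewall interzone trust untrust
```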

2.3 Setting the Aging Time of the Firewall Session Table
This section describes how to set the aging time of the firewall session table.
2.3.1 Establishing the Configuration Task
2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table
2.3.3 Checking the Configuration
2.3.1 Establishing the Configuration Task
Applicable Environment
The ME60 establishes a session table for data flows of each protocol, such as TCP, UDP, and
ICMP, to record the connection status of the protocol. The aging time is set for the session table.
If a record in the session table does not match any packet within the aging time, the system
deletes the record.
To change the session duration of a protocol, set the aging time of the firewall session table.
Pre-configuration Task
Before setting the aging time of the firewall session table, complete the following tasks:
l Installing the VSU
l (Optional) Configuring the VSU to Work as the SSU
l Configuring zones and adding interfaces or user domains to the zones (See "Configuring
a Zone.")
l Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
Data Preparation
To set the aging time of the firewall session table, you need the following data.
No. Data
1 Aging time of the session table for each application layer protocol

2.3.2 (Optional) Setting the Aging Time of the Firewall Session Table
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall session aging-time session-type aging-time
The aging time of the firewall session table is configured.
By default, the aging times of the SYN, FIN-RST, TCP, and UDP session tables are 5 seconds,
10 seconds, 240 seconds, and 40 seconds respectively. For the aging times of other session tables,
refer to the Quidway ME60 Multiservice Control Gateway Command Reference.
NOTE
In general, you do not need to change the aging time of a session table.
----End
2.3.3 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action: Check the aging time of the firewall session table.
Command: display firewall session aging-time
Action: Check the firewall session table.
Command: display firewall session table [ verbose ] [ source { inside | global } src-ip-address [ destination { inside | global } dest-ip-address ] ]

2.4 Configuring ACL-based Packet Filtering
This section describes how to filter data packets through the ACL.
2.4.1 Establishing the Configuration Task
2.4.2 Configuring ACL-based Packet Filtering in an Interzone
2.4.1 Establishing the Configuration Task
Applicable Environment
When data is delivered between two zones, the ACL-based packet filtering firewall enforces the
filtering policies according to the ACL rules. The ACLs for filtering packet are classified into
the basic ACL and the advanced ACL.
Pre-configuration Task
Before configuring ACL-based packet filtering, complete the following tasks:
l Installing the VSU
l (Optional) Configuring the VSU to Work as the SSU
l Configuring zones and adding interfaces or user domains to the zones (See "Configuring
a Zone.")
l Configuring interzone and enabling firewall in the interzone (See "Configuring a Zone.")
l Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice
Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure ACL-based packet filtering, you need the following data.
No. Data
1 Names of the two zones
2 ACL number
3 Direction in which the ACL is applied

2.4.2 Configuring ACL-based Packet Filtering in an Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 3 Run:
packet-filter acl-number { inbound | outbound }
ACL-based packet filtering is configured.
You can configure ACL-based packet filtering in the interzone for the inbound and outbound
packets.
By default, ACL-based packet filtering is not configured in the interzone.
NOTE
- The time range configured in the ACL is also applicable to packet filtering.
- For an ACL configured for a VPN, you must configure the VPN instance name.
----End
2.5 Configuring ASPF
This section describes how to configure the ME60 to check the application layer information
about data flows to filter data packets.
2.5.1 Establishing the Configuration Task
2.5.2 Configuring ASPF in the Interzone
2.5.3 Checking the Configuration
2.5.1 Establishing the Configuration Task
Applicable Environment
When data is delivered between two zones, ASPF checks the packets at the application layer
and discards the unmatched packets.
Pre-configuration Task
Before configuring ASPF, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring the interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
Data Preparation
To configure ASPF, you need the following data.
No. Data
1 Names of the two zones
2 Type of the application protocol
3 (Optional) Aging time of the session table for each application layer protocol

2.5.2 Configuring ASPF in the Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 3 Run:
detect { all | ftp | h323 | http | hwcc | ils | netbios | rtsp }
The ASPF function is configured.
All these application protocols involve two-way interaction, so no direction needs to be
configured: the ME60 checks the packets in both directions.
By default, ASPF is not configured in the interzone.
----End
2.5.3 Checking the Configuration
Run the following command to check the previous configuration.
Action Command
Check the ASPF configuration of the firewall interzone: display firewall interzone [ zone-name1 zone-name2 ]

2.6 Configuring the Blacklist
This section describes how to configure the blacklist to filter out data packets from attackers.
2.6.1 Establishing the Configuration Task
2.6.2 Enabling the Blacklist
2.6.3 (Optional) Adding a Blacklist Entry
2.6.4 (Optional) Configuring the Packet Filtering Type of the Blacklist
2.6.1 Establishing the Configuration Task
Applicable Environment
The blacklist can filter out the packets sent from a specified IP address. An IP address can be
added to the blacklist manually or automatically.
When the attack defense module of the firewall detects an attack through the packet behavior,
the firewall adds the source IP address of the packet to the blacklist. Thus, all the packets from
this IP address are filtered out.
NOTE
The IP address that is added to the blacklist must belong to a zone (it may be a zone with low security).
The firewall can then detect the attack from this IP address.
Pre-configuration Task
Before configuring the blacklist, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring the interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Configuring attack defense if the auto blacklisting function is enabled (See chapter 5 "Attack Defense Configuration.")
Data Preparation
To configure the blacklist, you need the following data.
No. Data
1 IP address to be added to blacklist (the VPN instance can be included)
2 (Optional) Aging time of blacklist entry
3 (Optional) Packet filtering type of blacklist

2.6.2 Enabling the Blacklist
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall blacklist enable
The blacklist is enabled.
By default, the blacklist is disabled.
----End
2.6.3 (Optional) Adding a Blacklist Entry
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall blacklist item ip-address [ timeout minutes ] [ vpn-instance vpn-instance-name ]
A blacklist entry is added.
By running this command, you can add entries to the blacklist manually. You can specify the
IP address, aging time, and VPN instance when adding the entry. The aging time refers to the
period during which the IP address is effective after it is added to the blacklist. When the IP
address expires, it is released from the blacklist. If the aging time is not specified, the IP address
remains in the blacklist.
NOTE
The blacklist entries without an aging time are written to the configuration file. The blacklist entries with
an aging time are not written to the configuration file, but you can view them by using the display firewall
blacklist item [ ip-address ] [ vpn-instance vpn-instance-name ] command.
An IP address can be added to the blacklist regardless of whether the blacklist is enabled. That is, you can
add entries even while the blacklist is disabled, but such entries are not effective.
----End
2.6.4 (Optional) Configuring the Packet Filtering Type of the
Blacklist
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall blacklist filter-type { icmp | others | tcp | udp }
The packet filtering type of the blacklist is configured.
The packet filtering type specifies which types of packets matching the blacklist are filtered out:
ICMP, TCP, UDP, or other packets.
By default, all types of packets matching the blacklist are filtered out.
----End
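The blacklist behaviour described in 2.6.2 to 2.6.4 (enable, manual entries with and without an aging time, VPN instance, filter type, and which entries reach the configuration file), as an added Python model that is not part of this guide or of the ME60 software. It assumes that repeated filter-type commands accumulate and that the aging time counts from the moment the entry is added; class and function names are the example's own.

```python
"""Model of the ME60 firewall blacklist semantics from section 2.6 (added
illustration, not Huawei code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Keywords of 'firewall blacklist filter-type { icmp | others | tcp | udp }'.
PACKET_TYPES = {"icmp", "tcp", "udp", "others"}


def packet_type(protocol: str) -> str:
    """Map an IP protocol name to a filter-type keyword; anything that is not
    ICMP, TCP or UDP falls into 'others'."""
    p = protocol.lower()
    return p if p in ("icmp", "tcp", "udp") else "others"


@dataclass(frozen=True)
class BlacklistEntry:
    ip: str
    vpn_instance: Optional[str] = None
    expires_at: Optional[datetime] = None  # None: the entry never ages out

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Blacklist:
    enabled: bool = False                                  # 'firewall blacklist enable'
    filter_types: Set[str] = field(default_factory=set)   # empty set: all types (default)
    entries: Dict[Tuple[str, Optional[str]], BlacklistEntry] = field(default_factory=dict)

    def enable(self) -> None:
        self.enabled = True

    def set_filter_type(self, kind: str) -> None:
        """'firewall blacklist filter-type kind'. Assumption of this model:
        repeating the command with another keyword accumulates types."""
        if kind not in PACKET_TYPES:
            raise ValueError(f"unknown filter type {kind!r}")
        self.filter_types.add(kind)

    def add_item(self, ip: str, now: datetime, timeout_minutes: Optional[int] = None,
                 vpn_instance: Optional[str] = None) -> None:
        """'firewall blacklist item ip-address [ timeout minutes ] [ vpn-instance name ]'.
        Allowed while the blacklist is disabled; the entry is then not effective."""
        expires = now + timedelta(minutes=timeout_minutes) if timeout_minutes is not None else None
        self.entries[(ip, vpn_instance)] = BlacklistEntry(ip, vpn_instance, expires)

    def purge_expired(self, now: datetime) -> None:
        """Aging: an expired IP address is released from the blacklist."""
        self.entries = {k: e for k, e in self.entries.items() if e.active(now)}

    def should_drop(self, src_ip: str, protocol: str, now: datetime,
                    vpn_instance: Optional[str] = None) -> bool:
        """Decide whether a packet from src_ip is filtered out by the blacklist."""
        if not self.enabled:
            return False  # entries may exist but are not effective
        entry = self.entries.get((src_ip, vpn_instance))
        if entry is None or not entry.active(now):
            return False
        # No filter type configured means every packet type is filtered.
        return not self.filter_types or packet_type(protocol) in self.filter_types

    def display_items(self, now: datetime) -> List[str]:
        """Like 'display firewall blacklist item': shows timed and permanent entries."""
        return sorted(e.ip for e in self.entries.values() if e.active(now))

    def config_lines(self) -> List[str]:
        """Lines the configuration file would carry: only entries without an aging time."""
        lines = ["firewall blacklist enable"] if self.enabled else []
        lines += [f"firewall blacklist filter-type {t}" for t in sorted(self.filter_types)]
        for e in self.entries.values():
            if e.expires_at is None:
                vpn = f" vpn-instance {e.vpn_instance}" if e.vpn_instance else ""
                lines.append(f"firewall blacklist item {e.ip}{vpn}")
        return lines
```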
2.7 Configuring Port Mapping
This section describes how to configure the port mapping function so that the firewall can identify
the packets of the application-layer protocols that use non-well-known port numbers.
2.7.1 Establishing the Configuration Task
2.7.2 Configuring Port Mapping
2.7.1 Establishing the Configuration Task
Applicable Environment
Through port mapping, the firewall can identify packets of application-layer protocols that use
non-well-known port numbers. Application-layer-aware features such as ASPF rely on this
identification. Port mapping is applicable to application protocols such as FTP, H.323, HTTP,
RTSP, and SMTP.
Port mapping is implemented based on the ACL and takes effect only when the packet matches an
ACL rule. Port mapping employs the basic ACL (numbered from 2000 to 2999): the ME60 matches
the destination IP address of the packet against the IP address configured in the basic ACL rule.
NOTE
Port mapping is applied only to the data delivered in the interzone. Therefore, when configuring port
mapping, you must configure the zones and interzone.
Pre-configuration Task
Before configuring port mapping, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring the interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure port mapping, you need the following data.
No. Data
1 Type of application layer protocol
2 User-defined port to be mapped
3 Number of the basic ACL

2.7.2 Configuring Port Mapping
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
port-mapping protocol-name port port acl acl-number
Port mapping is configured.
You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings,
however, must be distinguished by the ACL. That is, packets matching different ACL rules use
different mapping entries.
NOTE
Port mapping is used to identify the protocol type of the packets destined for an IP address (such as the IP
address of a WWW server). Therefore, when configuring the basic ACL rules, you need to match the
destination IP addresses of the packets with the source IP addresses defined in ACL rules.
----End
2.8 Configuring P2P Traffic Control
This section describes how to limit bandwidth of P2P sessions.
2.8.1 Establishing the Configuration Task
2.8.2 Enabling P2P Traffic Control
2.8.3 Configuring the CAR Table
2.8.4 Configuring P2P Traffic Control in an Interzone
2.8.5 Configuring P2P Traffic Control Globally
2.8.6 Checking the Configuration
2.8.1 Establishing the Configuration Task
Applicable Environment
The P2P traffic control function can be deployed to limit the bandwidth assigned to the P2P
applications like BT. P2P traffic control can be deployed globally or in an interzone.
The global P2P traffic control is applicable to all the P2P sessions. You can configure the limit
of P2P sessions on the equipment.
ACLs are used to control bandwidth of P2P applications between zones. The equipment controls
bandwidth of the P2P sessions matching the ACL rules. Basic ACLs (numbered from 2000 to
2999) or advanced ACLs (numbered from 3000 to 3999) are used for P2P traffic control.
Pre-configuration Task
Before configuring P2P traffic control, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring the interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
- Configuring the time range during which P2P traffic control takes effect (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure P2P traffic control, you need the following data.
No. Data
1 Names of the two zones where P2P traffic control is configured
2 Number of the ACL used for P2P traffic control
3 Direction in which P2P traffic control is applied
4 CAR class, CAR value, and time range
5 (Optional) Maximum number of P2P sessions

2.8.2 Enabling P2P Traffic Control
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall p2p-car enable
P2P traffic control is enabled.
Before configuring the P2P traffic control function, you must enable this function. After you
run this command, P2P traffic control is enabled globally and in the interzone.
By default, P2P traffic control is disabled.
----End
2.8.3 Configuring the CAR Table
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall car-class class-id cir cir [ time-range range-name ]
The CAR table is configured.
Before configuring the P2P traffic control function, you must configure a CAR table. The CAR
table needs to be referenced when P2P traffic control is implemented in an interzone or the entire
system.
Up to 1024 classes can be configured in a CAR table. Each class is configured with a default
CAR and the CARs for five time ranges. The default CAR is used if the current time is not in
any configured time range.
By default, the CAR table contains no CAR classes.
----End
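An added model of the CAR table rules in this section (example code, not Huawei's): at most 1024 classes, each with a default CIR and CIRs for up to five time ranges, and the default CIR whenever the current time is outside every configured range. Time-range definitions belong to the IP Services guide and are assumed here to be daily windows; when several ranges cover the same time, the first one configured is assumed to win, and the CIR unit is whatever the device uses.

```python
"""Model of the P2P traffic-control CAR table from section 2.8.3 (added
illustration, not ME60 code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

MAX_CLASSES = 1024            # "Up to 1024 classes can be configured in a CAR table"
MAX_TIME_RANGES_PER_CLASS = 5  # "the CARs for five time ranges"

# Assumed time-range model: name -> (start, end) within a day. A window whose
# end is earlier than its start wraps past midnight (e.g. 22:00 to 06:00).
TimeRange = Tuple[time, time]


def in_time_range(now: datetime, window: TimeRange) -> bool:
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class CarClass:
    class_id: int
    default_cir: Optional[int] = None                   # 'firewall car-class id cir X'
    ranged: List[Tuple[str, int]] = field(default_factory=list)  # (range name, CIR)


class CarTable:
    def __init__(self) -> None:
        self.classes: Dict[int, CarClass] = {}  # the table is empty by default

    def configure(self, class_id: int, cir: int, time_range: Optional[str] = None) -> None:
        """'firewall car-class class-id cir cir [ time-range range-name ]'.
        Without time-range the command sets the class's default CIR; with it,
        the CIR for one of the class's time ranges."""
        cls = self.classes.get(class_id)
        if cls is None:
            if len(self.classes) >= MAX_CLASSES:
                raise ValueError("CAR table full: at most 1024 classes")
            cls = CarClass(class_id)
            self.classes[class_id] = cls
        if time_range is None:
            cls.default_cir = cir
            return
        names = [n for n, _ in cls.ranged]
        if time_range in names:  # reconfiguring an existing range replaces its CIR
            cls.ranged[names.index(time_range)] = (time_range, cir)
        elif len(cls.ranged) >= MAX_TIME_RANGES_PER_CLASS:
            raise ValueError("a class holds CIRs for at most five time ranges")
        else:
            cls.ranged.append((time_range, cir))

    def effective_cir(self, class_id: int, now: datetime,
                      ranges: Dict[str, TimeRange]) -> int:
        """CIR the class enforces at 'now'. Assumption: the first configured
        range that covers 'now' wins; otherwise the default CIR applies."""
        cls = self.classes[class_id]
        for name, cir in cls.ranged:
            if name in ranges and in_time_range(now, ranges[name]):
                return cir
        if cls.default_cir is None:
            raise ValueError(f"class {class_id} has no default CIR configured")
        return cls.default_cir
```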
2.8.4 Configuring P2P Traffic Control in an Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 3 Run:
p2p-car acl-number class class-id { inbound | outbound }
P2P traffic control is configured.
Within an interzone, the P2P traffic control can be configured for inbound and outbound traffic
respectively.
By default, the P2P bandwidth control is not configured in an interzone.
NOTE
The time range configured in ACL is also applicable to P2P traffic control.
----End
2.8.5 Configuring P2P Traffic Control Globally
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall p2p-car class class-id
P2P traffic control is configured globally.
Step 3 (Optional) Run:
firewall p2p-car session-limit session-number
The maximum number of P2P sessions is set.
The global P2P traffic control takes effect on all the P2P sessions. The global P2P bandwidth
control allows you to set the CAR classes and limit on the total number of P2P sessions.
By default, global P2P bandwidth control is not configured.
----End
2.8.6 Checking the Configuration
Run the following commands to check the previous configuration.
Action Command
Check the CAR table configured for P2P traffic control: display firewall car-class
Check the configuration of global P2P bandwidth control: display firewall p2p-car

2.9 Configuring Firewall Logs
This section describes how to configure firewall logs.
2.9.1 Establishing the Configuration Task
2.9.2 Enabling the Firewall Log
2.9.3 Configuring a Session Log
2.9.4 (Optional) Configuring Output Interval of Logs
2.9.5 Checking the Configuration
2.9.1 Establishing the Configuration Task
Applicable Environment
The firewall logs record the behaviors and states of the firewall. These logs help you find
security holes, analyze attempts to violate the security policies, and detect network attacks.
Pre-configuration Task
Before configuring the firewall log, complete the following tasks:
- Installing the VSU
- (Optional) Configuring the VSU to Work as the SSU
- Configuring zones and adding interfaces or user domains to the zones (See "Configuring a Zone.")
- Configuring the interzone and enabling the firewall in the interzone (See "Configuring a Zone.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure the firewall log, you need the following data.
No. Data
1 Type of the firewall log
2 IP address and port number of the log host, and the IP address and port number that the ME60 uses to communicate with the log host (for session log)
3 Conditions under which the session information is logged, including the ACL number and the direction (for session log)
4 (Optional) Interval for exporting the defense log or statistics log

2.9.2 Enabling the Firewall Log
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall log { all | blacklist | defend | session | statistics } enable
The firewall log is enabled.
If you use the all keyword in the command, all the firewall logs are enabled. You can also
enable the log types one at a time.
By default, no firewall log is enabled.
----End
2.9.3 Configuring a Session Log
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall session log-type binary host host-ip-address host-port source src-ip-address src-port
The log host is configured for session logs.
Step 3 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 4 Run:
session-log acl-number { inbound | outbound }
Conditions for generating the session logs are configured.
The session log is exported to a log host in real time. Therefore, you need to configure the log
host first. To configure the log host, specify the IP address and port number of the log host and
the IP address and port number that the ME60 uses to communicate with the log host.
An ACL referenced in the interzone view decides which sessions are logged. The inbound and
outbound directions are configured separately.
By default, the log host is not configured, and the interzone is not configured with the conditions
for generating the session log.
----End
2.9.4 (Optional) Configuring Output Interval of Logs
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall { defend | statistics } log-time time
The output interval of the defense log or statistics log is set.
The output interval, in seconds, is the interval at which the logs are exported.
The session log is exported to the log host in real time, and the blacklist log is exported to the
information center in real time. Therefore, you do not need to set the output interval for the two
types of logs. The output interval needs to be set only for the defense log and statistics log.
By default, the output interval for either of the two logs is 30 seconds.
----End
2.9.5 Checking the Configuration
Run the following command to check the previous configuration.
Action Command
Check the output interval for the defense log or statistics log: display firewall log-time [ defend | statistics ]

2.10 Configuration Examples
This section provides several configuration examples of the firewall.
2.10.1 Example for Configuring ACL-based Packet Filtering
2.10.2 Example for Configuring ASPF and Port Mapping
2.10.3 Example for Configuring the Blacklist
2.10.1 Example for Configuring ACL-based Packet Filtering
Networking Requirements
As shown in Figure 2-1, GE1/0/0 of the ME60 is connected to an internal network with a high
security priority; GE2/0/0 of the ME60 is connected to an external network with a low security
priority. The firewall needs to filter the packets between internal and external networks. The
requirements are as follows:
- A host (202.39.2.3) in the external network is allowed to access the server in the internal network.
- Other hosts are not allowed to access the server in the internal network.
Figure 2-1 Networking of ACL-based packet filtering
[Figure: the ME60 connects GE1/0/0 (129.38.1.1/24) to the internal network, which holds the FTP server 129.38.1.2, the Telnet server 129.38.1.3, and the WWW server 129.38.1.4; GE2/0/0 (202.38.160.1/16) connects to the WAN, where the PC 202.39.2.3 is located.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-1
- Network security priorities, 100 for the internal network and 1 for the external network
- Number of the ACLs that filter the outbound and inbound packets, ACL 3101 for the outbound packets and ACL 3102 for the inbound packets
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit
4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
5. Configure ACLs.
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit
6. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound
[Quidway-interzone-zone1-zone2] quit
Configuration Files
#
sysname Quidway
#
acl number 3102
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 3102 inbound
#
return
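The advanced ACL 3102 from the configuration file above, evaluated first-match with the ME60 wildcard-mask notation, as an added Python example that is not part of this guide or the device software. It assumes that a packet matching no rule is not permitted; ACL_SUBNET is a constructed variant (not from the guide) showing a 0.0.0.255 wildcard that covers the whole server subnet, and all function names are the example's own.

```python
"""First-match evaluation of an ME60 advanced ACL as used by
'packet-filter acl-number inbound' in section 2.4 (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]  # (address, wildcard) as written in a rule


def _addr_int(text: str) -> int:
    """Accept dotted quads and the abbreviated all-zero wildcard the
    configuration file shows ('0' instead of '0.0.0.0')."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: Optional[AddrSpec]) -> bool:
    """Wildcard bit 0 means 'compare this bit', 1 means 'ignore it'."""
    if spec is None:  # no source/destination given: matches any address
        return True
    care = ~_addr_int(spec[1]) & 0xFFFFFFFF
    return _addr_int(addr) & care == _addr_int(spec[0]) & care


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "permit" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "ip" (any protocol)
    source: Optional[AddrSpec] = None
    destination: Optional[AddrSpec] = None

    def matches(self, protocol: str, src: str, dst: str) -> bool:
        return ((self.protocol == "ip" or self.protocol == protocol)
                and wildcard_match(src, self.source)
                and wildcard_match(dst, self.destination))


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny proto [source A W] [destination B W]' in the
    form the configuration file shows."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an advanced ACL rule: {line!r}")
    src = dst = None
    i = 4
    while i < len(t):
        if t[i] == "source":
            src = (t[i + 1], t[i + 2])
        elif t[i] == "destination":
            dst = (t[i + 1], t[i + 2])
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
        i += 3
    return Rule(int(t[1]), t[2], t[3], src, dst)


def parse_acl(text: str) -> List[Rule]:
    """Rules are evaluated in ascending rule-number order."""
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return sorted(rules, key=lambda r: r.number)


def packet_filter(rules: List[Rule], protocol: str, src: str, dst: str):
    """Return (action, rule number) of the first matching rule. Assumption of
    this model: a packet that matches no rule is not permitted."""
    for r in rules:
        if r.matches(protocol, src, dst):
            return r.action, r.number
    return "deny", None


# ACL 3102 exactly as it appears in the configuration file above.
ACL_3102 = parse_acl("""
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
""")

# Constructed variant (not from the guide): one rule for the whole server subnet.
ACL_SUBNET = parse_acl("""
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.0 0.0.0.255
rule 10 deny ip
""")
```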
2.10.2 Example for Configuring ASPF and Port Mapping
Networking Requirements
As shown in Figure 2-2, GE1/0/0 of the ME60 is connected to an internal network with a high
security priority; GE2/0/0 of the ME60 is connected to an external network with a low security
priority. The firewall needs to filter the packets between internal and external networks and
perform ASPF check. The requirements are as follows:
- A host (202.39.2.3) in the external network is allowed to access the server in the internal network.
- Other hosts are not allowed to access the server in the internal network.
- The firewall checks the FTP state of the connections and filters the unqualified packets.
- The packets sent from the external host to the FTP server through port 2121 are considered as FTP packets.
Figure 2-2 Networking of ASPF and port mapping
[Figure: the ME60 connects GE1/0/0 (129.38.1.1/24) to the internal network, which holds the FTP server 129.38.1.2, the Telnet server 129.38.1.3, and the WWW server 129.38.1.4; GE2/0/0 (202.38.160.1/16) connects to the WAN, where the PC 202.39.2.3 is located.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Add the interfaces to the zones.
4. Configure ACLs.
5. Configure ACL-based packet filtering in the interzone view.
6. Configure ASPF in the interzone.
7. Map port 2121 to the FTP protocol.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-2
- Network security priorities, 100 for the internal network and 1 for the external network
- Number of the ACL that filters the inbound data: 3102
- Number of the ACL required in port mapping: 2102
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 129.38.1.1 255.255.255.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 202.38.160.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit
4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
5. Configure ACLs.
[Quidway] acl 2102
[Quidway-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[Quidway-acl-basic-2102] quit
[Quidway] acl 3102
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[Quidway-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[Quidway-acl-adv-3102] rule deny ip
[Quidway-acl-adv-3102] quit
6. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 3102 inbound
7. Configure ASPF.
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit
8. Configure port mapping.
[Quidway] port-mapping ftp port 2121 acl 2102
Configuration Files
#
sysname Quidway
#
acl number 2102
rule 5 permit source 129.38.1.2 0
#
acl number 3102
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 129.38.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 202.38.160.1 255.255.0.0
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 3102 inbound
detect ftp
#
port-mapping ftp port 2121 acl 2102
#
return
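How the port mapping and basic ACL 2102 above let ASPF treat port 2121 on the FTP server 129.38.1.2 as FTP, while the same port on another server stays unrecognised, as an added Python model that is not ME60 code; it also covers the rule in 2.7.2 that one port can map to several protocols when the ACLs differ. ACL 2103 and the HTTP mapping are constructed for that purpose (not in the guide), and the well-known port table is assumed from the standard IANA assignments.

```python
"""Model of ME60 port mapping (section 2.7): a mapping applies only when the
packet's destination address matches the source field of a permit rule in the
referenced basic ACL (added illustration, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default ports of the protocols port mapping supports; assumed IANA values,
# the guide itself does not list them.
WELL_KNOWN_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}

BasicRule = Tuple[str, str, str]  # (action, source address or "any", wildcard)


def _addr_int(text: str) -> int:
    """'0' is the abbreviated all-zero wildcard shown in configuration files."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return _addr_int(addr) & care == _addr_int(base) & care


def basic_acl_permits(rules: List[BasicRule], addr: str) -> bool:
    """First-match evaluation of a basic ACL (2000 to 2999). Port mapping
    checks the packet's DESTINATION address against the rule's SOURCE field,
    as the note in 2.7.2 explains."""
    for action, base, wildcard in rules:
        if base == "any" or wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


@dataclass(frozen=True)
class PortMapping:
    protocol: str
    port: int
    acl: int  # 'port-mapping protocol-name port port acl acl-number'


def identify_protocol(mappings: List[PortMapping], acls: Dict[int, List[BasicRule]],
                      dst_ip: str, dst_port: int) -> Optional[str]:
    """Protocol ASPF should treat the packet as, or None if it is unrecognised.
    A matching mapping entry wins; otherwise the well-known port decides."""
    for m in mappings:
        if m.port == dst_port and basic_acl_permits(acls[m.acl], dst_ip):
            return m.protocol
    return WELL_KNOWN_PORTS.get(dst_port)


# From the example above: ACL 2102 and 'port-mapping ftp port 2121 acl 2102'.
ACLS = {2102: [("permit", "129.38.1.2", "0")]}
MAPPINGS = [PortMapping("ftp", 2121, 2102)]

# Constructed extension (not in the guide): port 2121 is HTTP on the WWW server
# 129.38.1.4, distinguished from the FTP mapping by a second basic ACL 2103.
ACLS_EXT = {**ACLS, 2103: [("permit", "129.38.1.4", "0")]}
MAPPINGS_EXT = MAPPINGS + [PortMapping("http", 2121, 2103)]
```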
2.10.3 Example for Configuring the Blacklist
Networking Requirements
As shown in Figure 2-3, GE1/0/0 of the ME60 is connected to an enterprise network with a high
security priority; GE2/0/0 of the ME60 is connected to the Internet with a low security priority.
The firewall needs to apply attack defense and the blacklist to packets from the Internet to the
enterprise network. If the firewall finds that an IP address attacks the enterprise network through
IP address sweeping, it blacklists the IP address. The maximum session rate is 5000 pps,
and the blacklist timeout is 30 minutes.
In addition, if the firewall detects that IP address 202.39.1.2 attacks the enterprise network more
than once, you can add the IP address to the blacklist manually. IP addresses added manually
remain in the blacklist permanently.
Figure 2-3 Networking of blacklist configuration
[Figure: the ME60 connects GE1/0/0 (1.1.0.1/16) to the enterprise network, which holds the server 1.1.0.2; GE2/0/0 (2.2.0.1/16) connects to the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses of the interfaces.
2. Configure zones and the interzone.
3. Configure ACLs.
4. Configure packet filtering.
5. Add the interfaces to the zones.
6. Configure the parameters for preventing the attack of IP address sweeping.
7. Add blacklist entries manually.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 2-3
- Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit
4. Configure ACLs.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source any
[Quidway-acl-basic-2000] quit
5. Configure packet filtering.
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
6. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
7. Configure the parameters for preventing the attack of IP address sweeping.
[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000
8. Configure the blacklist.
[Quidway] firewall blacklist enable
[Quidway] firewall blacklist item 202.39.1.2
Configuration Files
#
sysname Quidway
#
acl number 2000
rule 5 permit source any
#
firewall blacklist enable
firewall blacklist item 202.39.1.2
#
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 2000 inbound
#
return
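The following Python model is an added illustration of the blacklist behaviour this example configures; it is not ME60 code and not part of this guide. It shows the two kinds of entries side by side: entries created by the ip-sweep defence that age out after blacklist-timeout, and entries added with firewall blacklist item that never age out. Two assumptions are made because this section does not define them: max-rate is treated as the number of distinct destination addresses one source may probe within a one-second window, and blacklist-timeout 30 is replayed as 30 minutes (1800 seconds). All packets and addresses in the replay are constructed.

```python
# Added model of the blacklist behaviour in this example (not ME60 code).
# Automatic entries (from the ip-sweep defence) expire after the timeout;
# manual entries ("firewall blacklist item") are permanent.
# Assumption: max-rate = distinct destinations per source per second.
class Blacklist:
    def __init__(self, timeout):
        self.timeout = timeout   # lifetime of automatic entries (seconds, assumed unit)
        self.manual = set()      # permanent entries
        self.auto = {}           # ip -> expiry time

    def add_manual(self, ip):
        self.manual.add(ip)

    def add_auto(self, ip, now):
        if ip not in self.manual:            # a manual entry already covers it
            self.auto[ip] = now + self.timeout

    def is_blocked(self, ip, now):
        if ip in self.manual:
            return True
        expiry = self.auto.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                    # aged out: remove the entry and allow
            del self.auto[ip]
            return False
        return True


class SweepDetector:
    """Counts distinct destinations per source within each one-second window."""

    def __init__(self, max_rate, blacklist):
        self.max_rate = max_rate
        self.blacklist = blacklist
        self.window = {}   # src -> [second, set of destinations seen]

    def observe(self, src, dst, now):
        """Return 'drop' or 'pass' for one packet seen at time now."""
        if self.blacklist.is_blocked(src, now):
            return "drop"
        second = int(now)
        entry = self.window.get(src)
        if entry is None or entry[0] != second:
            entry = [second, set()]          # start a new one-second window
            self.window[src] = entry
        entry[1].add(dst)
        if len(entry[1]) > self.max_rate:
            self.blacklist.add_auto(src, now)    # timed, automatic entry
            return "drop"
        return "pass"


def replay_packets(packets, max_rate, timeout, manual=()):
    """Run constructed (time, src, dst) packets through the defence and
    return the verdict for each packet in order."""
    bl = Blacklist(timeout)
    for ip in manual:
        bl.add_manual(ip)
    det = SweepDetector(max_rate, bl)
    return [det.observe(src, dst, t) for t, src, dst in packets]


if __name__ == "__main__":
    # Constructed traffic: one source probing four hosts within a second.
    sample = [(100.0, "198.51.100.7", f"1.1.0.{i}") for i in range(1, 5)]
    sample.append((100.9, "198.51.100.7", "1.1.0.2"))
    print(replay_packets(sample, max_rate=3, timeout=1800, manual=["202.39.1.2"]))
```

The replay shows the practical difference between the two entry types: the automatic entry stops blocking once the timeout has elapsed, while the manually added 202.39.1.2 stays blocked regardless of time.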
3 NAT Configuration
About This Chapter
This chapter describes the concept, fundamentals, configuration, and maintenance of NAT.
3.1 Introduction
This section describes the concept and fundamentals of NAT.
3.2 Configuring NAT
This section describes how to configure the NAT function.
3.3 Configuration Examples
This section provides a configuration example of NAT.
3.1 Introduction
This section describes the concept and fundamentals of NAT.
3.1.1 NAT Overview
3.1.2 NAT Types
3.1.3 Advantages and Disadvantages of NAT
3.1.4 Many-to-Many NAT and Address Pool
3.1.5 Internal Server
3.1.6 References
3.1.1 NAT Overview
Network address translation (NAT) enables hosts in a private network to access the public
network.
Private Address and Public Address
A private network address, referred to as a private address, is the IP address of an internal network
or a host. A public network address, referred to as a public address, is a unique IP address on
the Internet. As specified by the Internet Assigned Numbers Authority (IANA), the following IP
addresses are reserved as private addresses:
- Class A: 10.0.0.0-10.255.255.255
- Class B: 172.16.0.0-172.31.255.255
- Class C: 192.168.0.0-192.168.255.255
After planning the scale of the intranet, an enterprise chooses an appropriate address segment
for the intranet. The private address segments of different enterprises can overlap each other.
Errors may occur during communication if an intranet does not use one of the defined private
address segments.
Rationale of NAT
As shown in Figure 3-1, the network address must be translated when a host on the internal
network obtains access to the Internet or interworks with the hosts on a public network.
Figure 3-1 Schematic diagram of NAT
(Figure: on the internal network, PCs 10.1.1.10 ... 10.1.1.48 (a WWW client) connect to GE1/0/0 of the router; POS2/0/0 of the router carries the public address 203.196.3.23 toward the external network, where the WWW server 202.18.245.251 is reached through the Internet.)
The internal network uses network segment 10.0.0.0 and its public IP address is 203.196.3.23.
The internal host 10.1.1.48 accesses the external server 202.18.245.251 through WWW.
The host sends a data packet. It uses port 6084 as the source port and port 80 as the destination
port. After the address is translated, the source address/port of the packet is changed to
203.196.3.23:32814, and the destination address/port is not changed. A table of address-port
mapping is configured on the router.
After the WWW server responds, the router translates the destination IP address/port in the
returned data packet to 10.1.1.48:6084. In this manner, the internal host obtains access to the
external server.
3.1.2 NAT Types
NAT is classified into two types: static NAT and port address translation (PAT).
Static NAT
Static NAT maps a private address to a public address. That is, the number of private addresses
is equal to the number of public addresses. Static NAT cannot save public addresses, but can
hide internal networks.
When an internal network sends a packet to an external network, static NAT translates the source
IP address of the packet into a public address. When the external network returns a response,
static NAT translates the destination IP address of the response packet into the private address.
PAT
PAT, which is also called network address port translation (NAPT), maps a public address to
multiple private addresses. Therefore, the public addresses are saved. PAT translates the source
IP addresses of the packets from hosts that reside on the private network into a public address.
The translated port numbers of these packets are different, and thus the private networks can
share a public address.
A table of private address-port mapping is configured for PAT. When the PAT server receives
a packet to be transmitted to the external network, it replaces the source port with the one
matching the private address of the packet by using this table. That is, packets from a private
network share the same public address but have different ports. When the external networks
return response packets to the internal networks, the destination IP addresses are translated to
private addresses according to the port numbers. Figure 3-2 shows the sketch map of PAT.
Figure 3-2 Schematic diagram of PAT
(Figure: hosts 192.168.1.2 and 192.168.1.3 reach the Internet through a PAT router whose public address is 202.169.10.1. The datagrams before and after translation are:)

Datagram   Before PAT (Src IP:Port)   After PAT (Src IP:Port)
1          192.168.1.3:23             202.169.10.1:10023
2          192.168.1.3:80             202.169.10.1:10080
3          192.168.1.2:23             202.169.10.1:11023
4          192.168.1.2:80             202.169.10.1:11080
3.1.3 Advantages and Disadvantages of NAT
The advantages of NAT are as follows:
- Hosts on the internal networks can access external resources, and public addresses are
saved.
- The privacy of internal hosts is protected.
The disadvantages of NAT are as follows:
- The addresses of data packets need to be translated, so the parts of the packet headers that
carry IP addresses cannot be encrypted.
- The IP addresses of hosts are hidden, so the source IP addresses cannot be traced. This
hinders network debugging.
3.1.4 Many-to-Many NAT and Address Pool
As shown in Figure 3-1, when an internal host accesses the external network, the source IP
address is translated to a public address, which can be selected from the address pool of the
ME60.
When all the hosts on the internal network access the external network at the same time, they
share an external address. If too many hosts attempt to access the external network, it is difficult
to perform NAT. To solve this problem, a private network needs multiple public addresses. In
this case, a public address pool is required for the many-to-many NAT.
A public address pool is a set of valid public addresses. You can configure the public address
pool based on the number of public IP addresses and internal hosts. When an internal host
accesses an external network, the ME60 selects an IP address from the public address pool as
the source address of the packets.
3.1.5 Internal Server
NAT can shield the internal hosts. In actual situations, external networks may need to access the
internal hosts. For example, the users on the external networks need to access a WWW server
or an FTP server on the internal network.
You can add internal servers flexibly through NAT. For example, use 202.110.10.10 as the public
address of the Web server, 202.110.10.11 as the public address of the FTP server, and addresses
like 202.110.10.12:8080 as the public address of the Web server. You can also provide multiple
identical servers (such as Web servers) for external users.
By configuring internal servers, you can map the public addresses and ports to the internal
servers. The external hosts can then access internal servers.
The NAT function of the ME60 supports multiple instances of internal servers, so external networks
can access hosts in an MPLS VPN. For example, host 10.110.1.1 in VPN1 provides the WWW
service, and the public address of the host is 202.110.10.20. External users can access the WWW
service provided by MPLS VPN1 by using 202.110.10.20.
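The following Python model is an added illustration of the behaviours described in 3.1.1 through 3.1.5 (outbound PAT from a public address pool, one-to-one translation as selected by no-pat, ACL-gated translation, and the internal-server mapping); it is not ME60 code and not part of this guide. It reuses the addresses of Figure 3-1 and of the example in 3.3.1, plus documentation ranges for the constructed external hosts. Two details are assumptions because the guide does not describe them: the public port allocator is a simple counter (started at 32814 here so that the Figure 3-1 walkthrough reproduces 203.196.3.23:32814), and the www and ftp keywords of the nat server command are taken as ports 80 and 21.

```python
# Added model of the NAT behaviours in section 3.1 (not ME60 code):
# outbound PAT from a public address pool, one-to-one (no-pat) translation,
# ACL-gated translation and the inbound internal-server mapping of 3.1.5.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, pool, acl_permit, no_pat=False, port_base=32768):
        self.pool = list(pool)                          # public address pool (nat address-group)
        self.acl = [ip_network(n) for n in acl_permit]  # private sources the ACL permits
        self.no_pat = no_pat                            # True: static one-to-one NAT
        self.next_port = port_base                      # PAT port counter (assumed allocator)
        self.out_map = {}    # (priv_ip, priv_port, proto) -> (pub_ip, pub_port)
        self.in_map = {}     # (pub_ip, pub_port, proto)  -> (priv_ip, priv_port)
        self.static = {}     # priv_ip -> pub_ip, used only with no_pat
        self.servers = {}    # (global_ip, global_port, proto) -> (host_ip, host_port)

    def add_server(self, proto, global_ip, global_port, host_ip, host_port):
        """Equivalent of nat server protocol ... global ... inside ... (internal server)."""
        self.servers[(global_ip, global_port, proto)] = (host_ip, host_port)

    def _permitted(self, ip):
        return any(ip_address(ip) in net for net in self.acl)

    def outbound(self, pkt):
        """Private -> public. Returns the translated packet, or None when the ACL
        does not permit the source (packet discarded) or the pool is exhausted."""
        if not self._permitted(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.out_map:
            if self.no_pat:
                if pkt.src_ip not in self.static:
                    if len(self.static) >= len(self.pool):
                        return None                      # no free public address
                    self.static[pkt.src_ip] = self.pool[len(self.static)]
                mapping = (self.static[pkt.src_ip], pkt.src_port)   # port is kept
            else:
                mapping = (self.pool[0], self.next_port)            # shared address, new port
                self.next_port += 1
            self.out_map[key] = mapping
            self.in_map[(mapping[0], mapping[1], pkt.proto)] = (pkt.src_ip, pkt.src_port)
        pub_ip, pub_port = self.out_map[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Public -> private. A reply to an existing session or a request to a
        configured internal server is translated; anything else has no mapping
        and is returned as None (dropped), which is how NAT shields internal hosts."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        target = self.in_map.get(key) or self.servers.get(key)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def figure_3_1_walkthrough():
    """Host 10.1.1.48:6084 -> WWW server 202.18.245.251:80 through public address
    203.196.3.23 (values from Figure 3-1; port_base chosen to reproduce 32814)."""
    gw = NatGateway(pool=["203.196.3.23"], acl_permit=["10.0.0.0/8"], port_base=32814)
    request = gw.outbound(Packet("10.1.1.48", 6084, "202.18.245.251", 80))
    reply = gw.inbound(Packet("202.18.245.251", 80, request.src_ip, request.src_port))
    return request, reply


def figure_3_3_gateway():
    """Gateway for the example in 3.3.1: ACL 2101 permits only 10.110.10.0/24,
    PAT from pool 202.169.10.2-202.169.10.6, WWW and FTP internal servers."""
    gw = NatGateway(pool=[f"202.169.10.{i}" for i in range(2, 7)], acl_permit=["10.110.10.0/24"])
    gw.add_server("tcp", "202.169.10.3", 80, "192.168.20.2", 8080)
    gw.add_server("tcp", "202.169.10.2", 21, "192.168.20.3", 21)
    return gw


if __name__ == "__main__":
    req, rep = figure_3_1_walkthrough()
    print("outbound:", req)
    print("reply   :", rep)
```

The inbound path is the part worth studying: an unsolicited packet to a public address and port that is neither an active session nor a configured internal server has no mapping and is dropped, which is the concrete meaning of "NAT can shield the internal hosts" above, and the only exposed private hosts are those you deliberately publish with nat server.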
3.1.6 References
For more information about NAT, refer to the following document:
RFC 1631: The IP Network Address Translator (NAT)
3.2 Configuring NAT
This section describes how to configure the NAT function.
3.2.1 Establishing the Configuration Task
3.2.2 (Optional) Configuring the VSU to Work as the SSU
3.2.3 (Optional) Configuring the Default Master SSU
3.2.4 Configuring the Public Address Pool
3.2.5 Configuring NAT in an Interzone
3.2.6 (Optional) Configuring the Internal NAT Server
3.2.7 Checking the Configuration
3.2.1 Establishing the Configuration Task
Applicable Environment
NAT needs to be configured at the juncture between the private network and the public network.
The addresses can be translated through NAT.
NAT is configured based on the interzone. NAT is applied to the data from the high-security
zone to the low-security zone. The ACL type, namely, basic ACL or advanced ACL, also needs
to be specified. NAT is implemented only on the packets that match ACL rules.
Pre-configuration Task
Before configuring NAT, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2
"Firewall Configuration.")
- Configuring the interzone and enabling the firewall in the interzone (See chapter 2 "Firewall
Configuration.")
- Creating basic ACL or advanced ACL rules (Refer to the Quidway ME60 Multiservice
Control Gateway Configuration Guide - IP Services.)
Data Preparation
To configure NAT, you need the following data.
No.  Data
1    Number of the public address pool, start IP address, and end IP address
2    Number of the basic ACL or advanced ACL
3    (Optional) Information about the internal server, including the protocol type, external
     address, external port number, internal address (the VPN instance may be included),
     and internal port number

3.2.2 (Optional) Configuring the VSU to Work as the SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode ssu slot slot-id
The operation mode of the VSU is set to SSU.
NOTE
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system
configuration file. You can run the display device or display lpu-work-mode command to view the
operation mode of the VSU. If the operation mode is already configured properly, you need not
configure it again.
----End
3.2.3 (Optional) Configuring the Default Master SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssu master default slot-id slot-id
The default master SSU is configured.
The ME60 can be equipped with multiple SSUs. One is the master board, and the others are
slave boards.
If the default master SSU is not specified, the ME60 selects the SSU registered first as the master.
By default, the master SSU is not specified.
----End
3.2.4 Configuring the Public Address Pool
Context
CAUTION
The IP addresses in the configured public address pool cannot be the same as the existing
addresses, including the IP addresses of device interface and the IP addresses in the user address
pool.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
nat address-group group-index start-address end-address
The public address pool is configured.
A public address pool is a set of public addresses. When NAT is performed on the internal data
packets, the ME60 selects an IP address from the address pool as the source address.
Public address pools are identified by numbers. Up to 128 address pools can be
configured. You can specify one or more public addresses in a public address pool. When start-
address is the same as end-address, the address pool contains only one public address.
By default, no public address pool is configured on the ME60.
----End
3.2.5 Configuring NAT in an Interzone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall interzone zone-name1 zone-name2
The interzone view is displayed.
Step 3 Run:
nat outbound acl-number address-group group-index [ no-pat ]
NAT is configured.
When configuring NAT in an interzone, you need to specify the ACL and the public address
pool. The address of a packet is translated only when the packet matches the specified ACL and
the behavior defined by the ACL is permit. If the behavior is deny, the packets are discarded.
If the no-pat keyword is specified in the command, it indicates that the static NAT is used. That
is, the one-to-one translation is performed on private and public addresses. By default, PAT is
used, because it can save public addresses.
By default, NAT is not configured in the interzone.
----End
3.2.6 (Optional) Configuring the Internal NAT Server
Context
CAUTION
- When configuring the internal NAT server, ensure that global-address and host-address do
not conflict with the interface addresses and the IP addresses in the user address pool.
- Zones must be configured at the user side and internal server side. In the interzone, enable
the firewall by running the firewall enable command.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
nat server protocol { tcp | udp } global global-address { global-protocol | begin-port } inside host-address { host-protocol | begin-port } [ vpn-instance vpn-instance-name ]
or
nat server [ protocol { protocol-number | icmp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ]
The internal NAT server is configured.
After the internal server is configured, external networks can access the servers on the internal
network. When an external host sends an access request to the public address (global-address)
of the internal NAT server, the NAT server translates the destination address of the request into
a private address (host-address). The request is then forwarded to the server on the internal
network.
The internal NAT server is valid for all zones. If multiple private networks share an internal
server address, you need to configure VPN instances to distinguish them.
By default, no internal NAT server is configured on the ME60.
----End
3.2.7 Checking the Configuration
Run the following command to check the previous configuration.
Action                            Command
Check the configuration of NAT.   display nat { address-group [ group-index ] | all | outbound | server }

3.3 Configuration Examples
This section provides a configuration example of NAT.
3.3.1 Example for Configuring NAT
3.3.1 Example for Configuring NAT
Networking Requirements
As shown in Figure 3-3, a company is divided into two zones. The staff zone has a high security
priority, and is allocated a private address segment 10.110.0.0/16. The server zone has a medium
security priority, and is allocated a private address segment 192.168.20.0/24. This zone can be
accessed by staff and external users.
- In the staff zone, the users in 10.110.10.0/24 are allowed to access the Internet, but others
cannot. The public addresses range from 202.169.10.2 to 202.169.10.6. PAT is used to save
public addresses.
- Two internal servers can be accessed by external users. The internal IP address of the WWW
server is 192.168.20.2:8080 and its public address is 202.169.10.3. The internal IP address
of the FTP server is 192.168.20.3 and its public address is 202.169.10.2.
Figure 3-3 Networking of NAT
(Figure: the ME60 connects to the Internet through GE3/0/0 202.169.10.1/16, to the staff zone through GE1/0/0 10.110.0.1/16, and to the server zone through GE2/0/0 192.168.20.1/24, where the WWW server 192.168.20.2 and the FTP server 192.168.20.3 reside.)

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses of the interfaces.
- Configure zones and the interzone.
- Add the interfaces to the zones.
- Configure ACLs.
- Configure the public address pool.
- Configure ACL-based packet filtering in the interzone view.
- Configure NAT in the interzone.
- Configure the internal NAT server.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the VSU: 3
- IP addresses of interfaces and servers, as shown in Figure 3-3
- Security priorities of the three zones: 100 for the staff zone, 60 for the server zone, and 20
for the zone representing external networks
- Number of the ACL used for filtering outbound packets and NAT: 2101
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Assign an IP address to each interface.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 10.110.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 192.168.20.1 255.255.255.0
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] ip address 202.169.10.1 255.255.0.0
[Quidway-GigabitEthernet3/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 60
[Quidway-zone-zone2] quit
[Quidway] firewall zone zone3
[Quidway-zone-zone3] priority 20
[Quidway-zone-zone3] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] detect ftp
[Quidway-interzone-zone1-zone2] quit
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] firewall enable
[Quidway-interzone-zone1-zone3] detect ftp
[Quidway-interzone-zone1-zone3] quit
[Quidway] firewall interzone zone2 zone3
[Quidway-interzone-zone2-zone3] firewall enable
[Quidway-interzone-zone2-zone3] detect ftp
[Quidway-interzone-zone2-zone3] quit
4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] zone zone3
[Quidway-GigabitEthernet3/0/0] shutdown
[Quidway-GigabitEthernet3/0/0] undo shutdown
[Quidway-GigabitEthernet3/0/0] quit
5. Configure an ACL.
[Quidway] acl 2101
[Quidway-acl-basic-2101] rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-basic-2101] rule deny source 10.110.0.0 0.0.255.255
[Quidway-acl-basic-2101] quit
6. Configure the public address pool.
[Quidway] nat address-group 1 202.169.10.2 202.169.10.6
7. Configure NAT and ACL packet filtering.
[Quidway] firewall interzone zone1 zone3
[Quidway-interzone-zone1-zone3] packet-filter 2101 outbound
[Quidway-interzone-zone1-zone3] nat outbound 2101 address-group 1
[Quidway-interzone-zone1-zone3] quit
8. Configure internal servers.
[Quidway] nat server protocol tcp global 202.169.10.3 www inside 192.168.20.2 8080
[Quidway] nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp
Configuration Files
#
sysname Quidway
#
acl number 2101
rule 5 permit source 10.110.10.0 0.0.0.255
rule 10 deny source 10.110.0.0 0.0.255.255
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 10.110.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet3/0/0
zone zone3
undo shutdown
ip address 202.169.10.1 255.255.0.0
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 60
#
firewall zone zone3
priority 20
#
nat address-group 1 202.169.10.2 202.169.10.6
nat server protocol tcp global 202.169.10.3 8080 inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.2 ftp inside 192.168.20.3 ftp
#
port-mapping http port 8080 acl 2101
#
firewall interzone zone1 zone2
firewall enable
detect ftp
#
firewall interzone zone1 zone3
firewall enable
packet-filter 2101 outbound
nat outbound 2101 address-group 1
detect ftp
#
firewall interzone zone2 zone3
firewall enable
detect ftp
#
return
4 Traffic Statistics and Monitoring Configuration
About This Chapter
This chapter describes the fundamentals, configuration, and maintenance of traffic statistics and
monitoring.
4.1 Introduction
This section describes the concept and rationale of traffic statistics and monitoring.
4.2 Configuring Traffic Statistics and Monitoring
This section describes how to configure traffic statistics and monitoring in the entire system.
4.3 Configuring Zone-based Traffic Statistics and Monitoring
This section describes how to configure zone-based traffic statistics and monitoring.
4.4 Configuring IP Address-based Traffic Statistics and Monitoring
This section describes how to configure traffic statistics and monitoring based on IP addresses.
4.5 Configuration Examples
This section provides several configuration examples of traffic statistics and monitoring.
4.1 Introduction
This section describes the concept and rationale of traffic statistics and monitoring.
A firewall not only monitors data traffic, but also detects the setup of sessions between internal
and external networks, generates statistics, and analyzes the data. The logs can be analyzed by
using special software after the event, and the firewall also has certain analysis functions that
enable it to analyze data in real time.
By checking whether the number of TCP/UDP sessions initiated from external networks to the
internal network exceeds the threshold, the firewall decides whether to restrict new sessions
from external networks to the internal network or to an IP address in the internal network. If the
firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the
aging of sessions so that new sessions can still be set up. In this way, DoS attacks can be
prevented when the system is overloaded.
Figure 4-1 shows an application of the firewall. The IP address-based statistics function is
enabled for the packets from external networks to the internal network. If the number of TCP
sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the
ME60 prevents external networks from initiating new sessions until the number of sessions falls
below the threshold.
Figure 4-1 Limiting the number of sessions initiated by external servers
(Figure: TCP connections from the Internet reach the Web server 129.9.0.1 on the internal Ethernet network through the ME60.)

On the ME60, traffic statistics and monitoring can be configured in the system view.
4.2 Configuring Traffic Statistics and Monitoring
This section describes how to configure traffic statistics and monitoring in the entire system.
4.2.1 Establishing the Configuration Task
4.2.2 (Optional) Configuring the VSU to Work as the SSU
4.2.3 (Optional) Configuring the Default Master SSU
4.2.4 Enabling Traffic Statistics and Monitoring
4.2.5 Setting the Session Threshold
4.2.6 Checking the Configuration
4.2.1 Establishing the Configuration Task
Applicable Environment
System-level traffic statistics and monitoring applies to all the data flows in interzones that are
enabled with the firewall feature. That is, the ME60 collects statistics of the ICMP, TCP, TCP
proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold,
the ME60 restricts the sessions until the number is less than the threshold.
Pre-configuration Task
Before configuring system-level traffic statistics and monitoring, complete the following tasks:
- Installing the VSU
- Configuring zones and adding interfaces or user domains to the zones (See chapter 2
"Firewall Configuration.")
- Configuring the interzone and enabling the firewall in the interzone (See chapter 2 "Firewall
Configuration.")
Data Preparation
To configure system-level traffic statistics and monitoring, you need the following data.
No.  Data
1    Type of sessions to be counted, namely TCP, UDP, ICMP, or TCP proxy
2    Session threshold

4.2.2 (Optional) Configuring the VSU to Work as the SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode ssu slot slot-id
The operation mode of the VSU is set to SSU.
NOTE
- The configured operation mode takes effect after the VSU is restarted.
- The command for configuring the operation mode of the VSU is not recorded in the system configuration
file. You can run the display device or display lpu-work-mode command to view the operation mode of
the VSU. If the operation mode is already configured properly, you need not configure it again.
----End
4.2.3 (Optional) Configuring the Default Master SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssu master default slot-id slot-id
The default master SSU is configured.
The ME60 can be equipped with multiple SSUs. One is the master board, and the others are slave
boards.
If the default master SSU is not specified, the ME60 selects the SSU registered first as the master.
By default, the master SSU is not specified.
----End
4.2.4 Enabling Traffic Statistics and Monitoring
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall statistics system enable
System-level traffic statistics and monitoring is enabled.
By default, the traffic statistics and monitoring function is enabled on the ME60.
----End
4.2.5 Setting the Session Threshold
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall statistics system session { icmp | tcp | tcp-proxy | udp } session-limit
The session threshold is set.
For the system-level traffic statistics function, you can set the threshold for each type of session.
For example, if you set the threshold for TCP sessions to 500000, then when the number of TCP
sessions in all interzones exceeds 500000, the ME60 denies new TCP sessions in all the
interzones and reports an alarm to the information center. When the number of sessions falls
below 75% of the threshold, the ME60 generates a recovery log and sends it to the information center.
By default, the threshold for ICMP sessions is 20480, the thresholds for TCP and UDP sessions
are both 500000, and the threshold for TCP-Proxy sessions is 250000.
----End
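The following Python model is an added illustration of the threshold behaviour described in this step; it is not ME60 code and not part of this guide. It keeps one counter per session type with the default thresholds stated above, denies new sessions once admitting one would exceed the threshold, records the alarm, and clears the restriction only when the count drops below 75% of the threshold (the recovery point given above). The replayed session events are constructed, and the thresholds in the replay are reduced so the hysteresis is visible.

```python
# Added model of the system-level session threshold of 4.2.5 (not ME60 code):
# per-type thresholds, new sessions denied at the threshold, an alarm when
# that happens, and a recovery log once the count falls below 75%.
class SessionLimiter:
    # Default thresholds stated in 4.2.5.
    DEFAULTS = {"icmp": 20480, "tcp": 500000, "udp": 500000, "tcp-proxy": 250000}

    def __init__(self, limits=None, recovery_ratio=0.75):
        # limits overrides the defaults, like "firewall statistics system session ..."
        self.limits = {**self.DEFAULTS, **(limits or {})}
        self.recovery_ratio = recovery_ratio
        self.counts = dict.fromkeys(self.limits, 0)
        self.restricted = dict.fromkeys(self.limits, False)
        self.log = []   # messages that would be sent to the information center

    def open_session(self, kind):
        """Return True if a new session of this type is admitted."""
        if self.restricted[kind]:
            return False                         # still restricted: hysteresis
        if self.counts[kind] + 1 > self.limits[kind]:
            self.restricted[kind] = True
            self.log.append(f"ALARM: {kind} sessions exceed threshold {self.limits[kind]}")
            return False
        self.counts[kind] += 1
        return True

    def close_session(self, kind):
        """A session aged out or was torn down; lift the restriction below 75%."""
        self.counts[kind] = max(0, self.counts[kind] - 1)
        floor = self.recovery_ratio * self.limits[kind]
        if self.restricted[kind] and self.counts[kind] < floor:
            self.restricted[kind] = False
            self.log.append(f"RECOVERY: {kind} sessions below {floor:.0f}")


def replay_sessions(events, limits=None):
    """Feed constructed ("open"/"close", type) events through a limiter and
    return (admitted, denied, log)."""
    limiter = SessionLimiter(limits)
    admitted = denied = 0
    for action, kind in events:
        if action == "open":
            if limiter.open_session(kind):
                admitted += 1
            else:
                denied += 1
        else:
            limiter.close_session(kind)
    return admitted, denied, limiter.log


if __name__ == "__main__":
    # Constructed event stream with a TCP threshold of 4 so the behaviour is visible.
    events = [("open", "tcp")] * 5 + [("close", "tcp"), ("open", "tcp"),
                                       ("close", "tcp"), ("open", "tcp")]
    print(replay_sessions(events, limits={"tcp": 4}))
```

Note the point of the 75% recovery level: after one session closes the count is 3, which is not below 75% of 4, so the next new session is still denied; only after the second close does the limiter recover. Without that gap, a system hovering at the threshold would flap between alarm and recovery on every session.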
4.2.6 Checking the Configuration
Run the following command to check the previous configuration.
Action                                    Command
Check the traffic statistics of the system.   display firewall statistics system { discard | normal }

4.3 Configuring Zone-based Traffic Statistics and Monitoring
This section describes how to configure zone-based traffic statistics and monitoring.
4.3.1 Establishing the Configuration Task
4.3.2 Enabling Traffic Statistics and Monitoring in a Zone
4.3.3 Setting the Session Threshold
4.3.4 Checking the Configuration
4.3.1 Establishing the Configuration Task
Applicable Environment
Zone-based traffic statistics and monitoring applies to the data flows between zones. That
is, the ME60 counts the total TCP and UDP sessions between the local zone and other zones.
When the number of sessions exceeds the threshold, the ME60 refuses new sessions until the
number falls below the threshold.
Zone-based traffic statistics and monitoring can be configured in the inbound (inzone) or
outbound (outzone) direction. The inbound direction counts and monitors the sessions destined
for the local zone, that is, sessions entering the zone from other zones; the outbound direction
counts and monitors the sessions initiated by the local zone. (In the examples in section 4.5,
inzone is enabled on the enterprise zone to monitor sessions arriving from the Internet.)
Pre-configuration Task
Before configuring zone-based traffic statistics and monitoring, complete the following tasks:
l Installing the VSU
l (Optional) Configuring the VSU to Work as the SSU
l Configuring zones and adding interfaces or user domains to the zones (See chapter 2
"Firewall Configuration.")
l Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall
Configuration.")
Data Preparation
To configure zone-based traffic statistics and monitoring, you need the following data.
No. Data
1 Type of sessions to be monitored, namely, TCP or UDP
2 Direction of traffic statistics and monitoring
3 Session threshold
4.3.2 Enabling Traffic Statistics and Monitoring in a Zone
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
The zone view is displayed.
Step 3 Run:
statistics zone enable { inzone | outzone }
Traffic statistics and monitoring is enabled in the zone.
By default, traffic statistics and monitoring function is disabled in the zones.
----End
4.3.3 Setting the Session Threshold
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
The zone view is displayed.
Step 3 Run:
statistics zone session { inzone | outzone } { tcp | udp } session-limit
The session threshold is set in the zone.
You can configure the thresholds for TCP and UDP sessions separately for the inbound and
outbound directions. For example, if you set the threshold for inbound TCP sessions to
500000, then when the number of TCP sessions destined for this zone exceeds 500000, the
ME60 refuses new TCP sessions to this zone.
By default, the thresholds for inbound and outbound TCP and UDP sessions are all 500000.
----End
4.3.4 Checking the Configuration
Run the following command to check the previous configuration.
Action: Check the traffic statistics of the zone.
Command: display firewall statistics zone zone-name { inzone | outzone }
4.4 Configuring IP Address-based Traffic Statistics and
Monitoring
This section describes how to configure traffic statistics and monitoring based on IP addresses.
4.4.1 Establishing the Configuration Task
4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring
4.4.3 Setting the Session Threshold
4.4.1 Establishing the Configuration Task
Applicable Environment
IP address-based traffic statistics and monitoring counts and monitors the TCP and UDP
sessions set up on each IP address in a zone. When the number of sessions set up on an IP
address exceeds the threshold, the ME60 refuses new sessions for that address until the number
falls below the threshold.
IP address-based traffic statistics and monitoring can be configured in the inbound (inzone) or
outbound (outzone) direction. The inbound direction counts and monitors the sessions destined
for the IP address; the outbound direction counts and monitors the sessions initiated by the IP
address. (In the example in section 4.5.3, inzone limits the sessions to each address in the
enterprise zone.)
Pre-configuration Task
Before configuring IP address-based traffic statistics and monitoring, complete the following
tasks:
l Installing the VSU
l (Optional) Configuring the VSU to Work as the SSU
l Configuring zones and adding interfaces or user domains to the zones (See chapter 2
"Firewall Configuration.")
l Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall
Configuration.")
Data Preparation
To configure IP address-based traffic statistics and monitoring, you need the following data.
No. Data
1 Type of sessions to be monitored, namely, TCP or UDP
2 Direction of traffic statistics and monitoring
3 Session threshold
4.4.2 Enabling IP Address-based Traffic Statistics and Monitoring
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
The zone view is displayed.
Step 3 Run:
statistics ip enable { inzone | outzone }
IP address-based traffic statistics and monitoring is enabled in the zone.
By default, traffic statistics and monitoring function is disabled in the zones.
----End
4.4.3 Setting the Session Threshold
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall zone zone-name
The zone view is displayed.
Step 3 Run:
statistics ip session { inzone | outzone } { tcp | udp } session-limit
The session threshold is set for IP address-based traffic statistics and monitoring.
You can configure the thresholds for TCP and UDP sessions separately for the inbound and
outbound directions. For example, if you set the threshold for inbound TCP sessions to
10000, then when the number of TCP sessions destined for one IP address exceeds 10000, the
ME60 refuses new TCP sessions to that IP address.
By default, the thresholds for inbound and outbound TCP and UDP sessions are all 10240.
----End
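The following Python model, added here as an illustration and not part of the original guide or of the ME60 software, puts the three threshold levels of sections 4.2.5, 4.3.3 and 4.4.3 together so the admission logic can be traced: system-wide per-protocol thresholds with the 75% recovery rule, zone thresholds per direction, and per-address thresholds. It assumes that a new session is refused once the counter has reached the threshold, that inzone counts sessions whose destination lies in the zone and outzone the sessions the zone initiates (as in the examples in section 4.5), and that a level is checked only where statistics are enabled. The class, method and zone names are made up for the example.

```python
from collections import Counter

# Defaults quoted in sections 4.2.5, 4.3.3 and 4.4.3 of the guide.
SYSTEM_DEFAULTS = {"icmp": 20480, "tcp": 500000, "udp": 500000, "tcp-proxy": 250000}
ZONE_DEFAULT = 500000
IP_DEFAULT = 10240
RECOVERY_RATIO = 0.75  # recovery log once usage drops below 75% of the threshold


class SessionMonitor:
    """Model of the three-level session admission described in the guide.

    Assumptions (not stated verbatim on the page): a new session is refused when
    the counter has already reached the threshold, inzone counts sessions whose
    destination is in the zone, outzone counts sessions the zone initiates, and
    the zone and per-IP levels are checked only where statistics are enabled.
    """

    def __init__(self, system_limits=None):
        self.system_limits = {**SYSTEM_DEFAULTS, **(system_limits or {})}
        self.system_count = Counter()   # proto -> sessions across all interzones
        self.system_alarm = set()       # protos for which an alarm has been raised
        self.zone_enabled = set()       # (zone, direction)
        self.zone_limits = {}           # (zone, direction, proto) -> limit
        self.zone_count = Counter()
        self.ip_enabled = set()         # (zone, direction)
        self.ip_limits = {}             # (zone, direction, proto) -> per-address limit
        self.ip_count = Counter()       # (zone, direction, proto, ip) -> sessions
        self.log = []                   # messages sent to the information center

    # --- configuration, one method per CLI command in the zone view ---
    def statistics_zone_enable(self, zone, direction):
        self.zone_enabled.add((zone, direction))

    def statistics_zone_session(self, zone, direction, proto, limit):
        self.zone_limits[(zone, direction, proto)] = limit

    def statistics_ip_enable(self, zone, direction):
        self.ip_enabled.add((zone, direction))

    def statistics_ip_session(self, zone, direction, proto, limit):
        self.ip_limits[(zone, direction, proto)] = limit

    # --- the statistics points a session touches ---
    @staticmethod
    def _points(src_zone, src_ip, dst_zone, dst_ip):
        return [(dst_zone, "inzone", dst_ip),    # session entering dst_zone
                (src_zone, "outzone", src_ip)]   # session leaving src_zone

    def open_session(self, proto, src_zone, src_ip, dst_zone, dst_ip):
        """Return True if the session is admitted, False if it is refused."""
        limit = self.system_limits[proto]
        if self.system_count[proto] >= limit:          # system-level threshold
            if proto not in self.system_alarm:
                self.system_alarm.add(proto)
                self.log.append(f"ALARM system {proto} sessions reached {limit}")
            return False
        points = self._points(src_zone, src_ip, dst_zone, dst_ip)
        for zone, direction, ip in points:
            if (zone, direction) in self.zone_enabled:   # zone-level threshold
                zlimit = self.zone_limits.get((zone, direction, proto), ZONE_DEFAULT)
                if self.zone_count[(zone, direction, proto)] >= zlimit:
                    return False
            if (zone, direction) in self.ip_enabled:     # per-address threshold
                ilimit = self.ip_limits.get((zone, direction, proto), IP_DEFAULT)
                if self.ip_count[(zone, direction, proto, ip)] >= ilimit:
                    return False
        self.system_count[proto] += 1                    # admitted: count everywhere
        for zone, direction, ip in points:
            self.zone_count[(zone, direction, proto)] += 1
            self.ip_count[(zone, direction, proto, ip)] += 1
        return True

    def close_session(self, proto, src_zone, src_ip, dst_zone, dst_ip):
        self.system_count[proto] -= 1
        for zone, direction, ip in self._points(src_zone, src_ip, dst_zone, dst_ip):
            self.zone_count[(zone, direction, proto)] -= 1
            self.ip_count[(zone, direction, proto, ip)] -= 1
        limit = self.system_limits[proto]
        if proto in self.system_alarm and self.system_count[proto] < RECOVERY_RATIO * limit:
            self.system_alarm.discard(proto)
            self.log.append(f"RECOVERY system {proto} sessions below 75% of {limit}")


def demo():
    """Layout of example 4.5.3 with tiny limits so every refusal is visible."""
    m = SessionMonitor({"tcp": 3})
    m.statistics_zone_enable("zone1", "inzone")
    m.statistics_zone_session("zone1", "inzone", "tcp", 2)
    m.statistics_ip_enable("zone1", "inzone")
    m.statistics_ip_session("zone1", "inzone", "tcp", 1)
    results = [
        m.open_session("tcp", "zone2", "198.51.100.5", "zone1", "10.0.0.1"),  # admitted
        m.open_session("tcp", "zone2", "198.51.100.6", "zone1", "10.0.0.1"),  # per-IP limit
        m.open_session("tcp", "zone2", "198.51.100.7", "zone1", "10.0.0.2"),  # admitted
        m.open_session("tcp", "zone2", "198.51.100.8", "zone1", "10.0.0.3"),  # zone limit
        m.open_session("tcp", "zone3", "10.1.0.1", "zone4", "10.2.0.1"),      # 3rd system-wide
        m.open_session("tcp", "zone3", "10.1.0.2", "zone4", "10.2.0.2"),      # system limit, alarm
    ]
    m.close_session("tcp", "zone3", "10.1.0.1", "zone4", "10.2.0.1")          # 2 < 75% of 3: recovery
    return results, m.log


if __name__ == "__main__":
    print(demo())
```

Run it to see the admission sequence [True, False, True, False, True, False] followed by one ALARM and one RECOVERY message; the per-address limit refuses the second session to 10.0.0.1 before the zone limit is reached, matching the order in which the guide presents the three checks.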
4.5 Configuration Examples
This section provides several configuration examples of traffic statistics and monitoring.
4.5.1 Example for Configuring System-Level Traffic Statistics and Monitoring
4.5.2 Example for Configuring Zone-based Traffic Statistics and Monitoring
4.5.3 Example for Configuring IP Address-based Traffic Statistics and Monitoring
4.5.1 Example for Configuring System-Level Traffic Statistics and
Monitoring
Networking Requirements
GE2/0/1 of the ME60 is connected to the Internet; GE1/0/1 of the ME60 is connected to the FTP
server and the Web server of an enterprise Intranet. The TCP and UDP sessions from the Internet
to the enterprise Intranet are monitored. The session threshold is 40000.
Figure 4-2 Networking of system-level traffic statistics and monitoring (figure not reproduced):
the Internet connects to GE2/0/1 of the ME60, and the Web server and FTP server of the enterprise
intranet connect to GE1/0/1; the interface addresses are 10.10.10.1/24 and 20.10.10.1/24.
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of the interfaces.
l Enable system-level traffic statistics and monitoring.
l Set the session threshold.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 4-2
l Session threshold
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip address 20.10.10.1 255.255.255.0
[Quidway-GigabitEthernet1/0/1] undo shutdown
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] ip address 10.10.10.1 255.255.255.0
[Quidway-GigabitEthernet2/0/1] undo shutdown
[Quidway-GigabitEthernet2/0/1] quit
3. Enable system-level traffic statistics and monitoring.
[Quidway] firewall statistics system enable
4. Set the session threshold.
[Quidway] firewall statistics system session tcp 40000
[Quidway] firewall statistics system session udp 40000
Configuration Files
#
sysname Quidway
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 20.10.10.1 255.255.255.0
#
interface GigabitEthernet2/0/1
undo shutdown
ip address 10.10.10.1 255.255.255.0
#
firewall statistics system enable
firewall statistics system session tcp 40000
firewall statistics system session udp 40000
#
4.5.2 Example for Configuring Zone-based Traffic Statistics and
Monitoring
Networking Requirements
GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0
of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessions
from the Internet to enterprise networks are monitored. The session threshold is 50000.
Figure 4-3 Networking of zone-based traffic statistics and monitoring (figure not reproduced):
Enterprise network -- GE1/0/0 (1.1.0.1/16) ME60 GE2/0/0 (2.2.0.1/16) -- Internet.
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of the interfaces.
l Configure zones and the interzone.
l Add the interfaces to the zones.
l Configure zone-based traffic statistics and monitoring.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 4-3
l Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit
4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
5. Configure zone-based traffic statistics and monitoring.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] statistics zone enable inzone
[Quidway-zone-zone1] statistics zone session inzone tcp 50000
[Quidway-zone-zone1] statistics zone session inzone udp 50000
[Quidway-zone-zone1] quit
Configuration Files
#
sysname Quidway
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
priority 100
statistics zone enable inzone
statistics zone session inzone tcp 50000
statistics zone session inzone udp 50000
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
#
return
4.5.3 Example for Configuring IP Address-based Traffic Statistics
and Monitoring
Networking Requirements
GE1/0/0 of the ME60 is connected to an enterprise network with a high security priority; GE2/0/0
of the ME60 is connected to the Internet with a low security priority. The TCP and UDP sessions
from the Internet to enterprise networks are monitored. The session threshold is 50000. In
addition, the TCP or UDP sessions to each IP address in the enterprise networks cannot exceed
1000.
Figure 4-4 Networking of IP address-based traffic statistics and monitoring (figure not reproduced):
Enterprise network -- GE1/0/0 (1.1.0.1/16) ME60 (firewall) GE2/0/0 (2.2.0.1/16) -- Internet.
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of the interfaces.
l Configure zones and the interzone.
l Add the interfaces to the zones.
l Configure zone-based traffic statistics and monitoring.
l Configure IP address-based traffic statistics and monitoring.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 4-4
l Network security priorities, 100 for the internal network and 1 for the external network
Configuration Procedure
1. (Optional) Configure the VSU to function as the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of the interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] quit
4. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
5. Configure zone-based traffic statistics and monitoring.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] statistics zone enable inzone
[Quidway-zone-zone1] statistics zone session inzone tcp 50000
[Quidway-zone-zone1] statistics zone session inzone udp 50000
[Quidway-zone-zone1] quit
6. Configure IP address-based traffic statistics and monitoring.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] statistics ip enable inzone
[Quidway-zone-zone1] statistics ip session inzone tcp 1000
[Quidway-zone-zone1] statistics ip session inzone udp 1000
Configuration Files
#
sysname Quidway
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
firewall zone zone1
priority 100
statistics zone enable inzone
statistics zone session inzone tcp 50000
statistics zone session inzone udp 50000
statistics ip session inzone tcp 1000
statistics ip session inzone udp 1000
statistics ip enable inzone
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
#
return
5 Attack Defense Configuration
About This Chapter
This chapter describes the fundamentals, configuration, and maintenance of attack defense.
5.1 Introduction
This section describes the concept and fundamentals of attack defense.
5.2 Configuring Attack Defense
This section describes how to configure the attack defense function.
5.3 Configuration Examples
This section provides several configuration example of attack defense.
5.1 Introduction
This section describes the concept and fundamentals of attack defense.
A network attack interrupts services and can seriously affect the servers or hosts on the
network, for example to obtain sensitive data illegally. Some attacks damage network
equipment directly, which can also lead to service interruption.
With the attack defense feature, the ME60 firewall detects various network attacks and protects
the intranet against them, so that the intranet and the system keep running properly.
5.1.1 Type of Network Attacks
5.1.2 Typical Attacks
5.1.1 Type of Network Attacks
Network attacks are divided into three types: DoS attack, scanning and snooping attack, and
defective packet attack.
DoS Attack
A denial of service (DoS) attack floods a system with a large number of packets so that it can
no longer accept requests from authorized users, or so that the host hangs. Typical DoS attacks
are SYN Flood and Fraggle. Unlike other attacks, a DoS attack does not look for a way into the
intranet; it simply prevents authorized users from reaching resources or routers.
Scanning and Snooping Attack
A scanning and snooping attack first identifies the systems present on a network through ping
sweeps (ICMP or TCP based) and then selects potential targets. Through TCP scanning the attacker
learns the operating system and the listening services. Scanning and snooping thus tell the
attacker the service types and potential security holes, which facilitates further intrusion.
Defective Packet Attack
A defective packet attack sends malformed IP packets to a system, which exits abnormally
when processing them. Typical defective packet attacks are Ping of Death and Teardrop.
5.1.2 Typical Attacks
Land Attack
A Land attack sets both the source and destination addresses of a TCP SYN packet to the IP
address of the target. The target then sends the SYN-ACK to its own address and answers it
with an ACK, which creates a null session that persists until it times out. The effect varies
by target: many UNIX hosts stop responding, while Windows NT hosts slow down.
Smurf Attack
A simple Smurf attack targets a network: the attacker sends an ICMP Echo Request to the
broadcast address of the network, every host on the network replies, and the network is
congested. The traffic generated is one or two orders of magnitude higher than that of a ping
with large packets.
An advanced Smurf attack targets a host: the attacker sets the source address of the ICMP Echo
Request to the IP address of the target host, so every reply is sent to that host, which then
stops responding. The attack works only when the volume of attack packets is large enough; in
theory, the more hosts on the amplifying network, the more effective the attack. The Fraggle
attack is the UDP form of the Smurf attack.
WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet, that is, a TCP segment with the URG
flag set, to NetBIOS port 139 of a target host running Windows. The NetBIOS handling of the OOB
data fails and the host stops responding. A fragmented IGMP packet can also damage the target
host, because IGMP packets are normally not fragmented and some hosts crash when they receive
one.
SYN Flood Attack
Because of resource limits, a TCP/IP stack can hold only a limited number of TCP connections.
The attacker forges SYN packets whose source addresses are spoofed or nonexistent and sends
them to the server to initiate connections. The server answers each with a SYN-ACK, but the
ACK that would complete the handshake never arrives, so a half-open connection (semi-connection)
is left behind. If the attacker sends a large number of forged SYN packets, the half-open
connections exhaust the server's resources and legitimate users cannot connect until the
half-open connections time out. Even where the number of connections is not limited, a SYN
Flood can still exhaust system resources such as memory.
ICMP and UDP Flood Attack
In an ICMP Flood or UDP Flood attack, the attacker sends a large number of ICMP packets (such
as ping requests) or UDP packets to the target host in a short time, each of which demands a
response. The host is overloaded and cannot serve legitimate requests.
IP Address Sweeping and Port Scanning Attack
In IP address sweeping and port scanning, the attacker probes the IP addresses and ports of
target hosts with scanning tools. From the responses, the attacker determines which hosts exist
on the target network and which ports on them provide services.
Ping of Death Attack
The total length field of an IP packet is 16 bits wide, so the maximum length of an IP packet
is 65535 bytes. If the data carried by an ICMP packet is longer than 65507 bytes, then:
ICMP data + IP header (20) + ICMP header (8) > 65535
Such a packet can only be delivered as fragments, and some routers or systems stop responding
or reboot when reassembling it because of inappropriate processing. Ping of Death is an attack
on the system with oversized ICMP packets.
ICMP-Redirect and ICMP-Unreachable Attack
A network device tells a host in the same subnet to change a route by sending it an ICMP
redirect packet. A malicious attacker can send forged redirect packets to hosts in other
subnets; if the hosts accept them and change their routes, IP forwarding is disrupted.
Another attack of this kind sends ICMP unreachable packets. After receiving an ICMP
unreachable packet for a network (code 0) or a host (code 1), some systems treat all subsequent
packets to that destination as undeliverable and tear down their connections to it.
Teardrop Attack
The More Fragments (MF) bit, the Fragment Offset field, and the Length field of an IP packet
indicate which part of the original datagram a fragment carries. Some TCP/IP implementations
crash when they receive forged fragments whose offsets overlap. The Teardrop attack exploits
systems that do not validate the fragment information.
Fraggle Attack
Port 7 (Echo) and port 19 (Chargen) answer every UDP packet they receive: port 7 echoes the
received data back to the sender, and port 19 replies with a generated character string. As in
the Smurf attack, these two UDP services can be made to generate a large volume of useless
response packets that consume network bandwidth.
The attacker sends a UDP packet to the target network whose source address is the IP address
of the host to be attacked, whose destination address is the broadcast address or network
address of that subnet, and whose destination port is 7 or 19. Every system on the subnet with
the service enabled then replies to the target host, and the resulting traffic saturates the
network or the host stops responding. Systems without the service generate ICMP
port-unreachable messages, which also consume bandwidth. If the source port is set to Chargen
(19) and the destination port to Echo (7), the two services answer each other continuously and
the damage is more severe.
IP-Fragment Attack
Several fields of the IP header describe fragmentation: Fragment Offset, Length, Don't
Fragment (DF), and More Fragments (MF).
If these fields contradict each other and the receiver does not handle the contradiction
properly, the equipment may stop running. The fields conflict in the following cases:
l DF is set, and either MF is also set or Fragment Offset is not 0.
l DF is 0, but the sum of Fragment Offset and Length is larger than 65535.
Fragment packets also increase the buffering and reassembly load on the destination equipment,
so fragments whose destination address is the equipment itself should be discarded directly.
Tracert Attack
A Tracert attack uses the ICMP time-exceeded packets returned when the TTL of a probe reaches
0, and the ICMP port-unreachable packet returned by the final hop, to map the path to a
destination. In this way the attacker learns the network topology.
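To make the header conditions described in this section concrete, here is a Python checker, added as an example and not part of the guide or of the ME60 software, that parses constructed IPv4 packets and flags the Land, Smurf, WinNuke, Ping of Death, Fraggle and IP-Fragment conditions, plus a separate Teardrop check for overlapping fragments of one datagram. The packets, the RFC 5737 documentation addresses and the broadcast address are constructed for the example; the checks apply only the single-packet rules stated above, so a real inspection engine would add reassembly state and rate context.

```python
import struct
from ipaddress import IPv4Address

IP_DF, IP_MF, IP_OFFSET_MASK = 0x4000, 0x2000, 0x1FFF
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_URG = 0x02, 0x20


def build_ipv4(src, dst, proto, payload=b"", flags=0, offset=0, ident=1):
    """Construct an IPv4 packet for testing (offset in 8-byte units, checksum left zero)."""
    frag = (flags & (IP_DF | IP_MF)) | (offset & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp_hdr(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp_hdr(sport, dport, length=8):
    return struct.pack("!HHHH", sport, dport, length, 0)


def icmp_hdr(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


def parse_ipv4(pkt):
    """Decode the IPv4 header fields the attack checks look at."""
    ver_ihl, _, total_len, ident, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ident": ident, "total_len": total_len,
            "df": bool(frag & IP_DF), "mf": bool(frag & IP_MF),
            "offset": (frag & IP_OFFSET_MASK) * 8, "payload": pkt[ihl:total_len]}


def classify(pkt, broadcast):
    """Return the sorted list of single-packet attack signatures the packet matches."""
    p = parse_ipv4(pkt)
    pl, hits = p["payload"], set()
    # IP-Fragment: flag/offset combinations that never occur in valid traffic
    if p["df"] and (p["mf"] or p["offset"] != 0):
        hits.add("ip-fragment")
    if not p["df"] and p["offset"] + p["total_len"] > 65535:
        hits.add("ip-fragment")
        if p["proto"] == PROTO_ICMP:          # oversized ICMP datagram: Ping of Death
            hits.add("ping-of-death")
    if p["offset"] == 0:                      # transport header is only in fragment 0
        if p["proto"] == PROTO_TCP and len(pl) >= 14:
            dport, flags = struct.unpack("!H", pl[2:4])[0], pl[13]
            if flags & TCP_SYN and p["src"] == p["dst"]:
                hits.add("land")
            if dport == 139 and flags & TCP_URG:   # OOB data to the NetBIOS port
                hits.add("winnuke")
        elif p["proto"] == PROTO_UDP and len(pl) >= 4:
            dport = struct.unpack("!H", pl[2:4])[0]
            if dport in (7, 19) and p["dst"] == broadcast:
                hits.add("fraggle")
        elif p["proto"] == PROTO_ICMP and pl and pl[0] == 8 and p["dst"] == broadcast:
            hits.add("smurf")                 # echo request to the broadcast address
    return sorted(hits)


def find_overlapping_fragments(pkts):
    """Teardrop check: report datagrams whose fragments overlap in byte range."""
    ranges, bad = {}, []
    for pkt in pkts:
        p = parse_ipv4(pkt)
        key = (p["src"], p["dst"], p["ident"], p["proto"])
        start, end = p["offset"], p["offset"] + len(p["payload"])
        if any(start < e and s < end for s, e in ranges.get(key, [])):
            bad.append(key)
        ranges.setdefault(key, []).append((start, end))
    return bad


# Constructed sample traffic; 192.0.2.255 plays the role of the subnet broadcast address
VICTIM, OTHER, BCAST = "192.0.2.10", "192.0.2.20", "192.0.2.255"
SAMPLES = {
    "benign": build_ipv4(OTHER, VICTIM, PROTO_TCP, tcp_hdr(40000, 80, TCP_SYN)),
    "land": build_ipv4(VICTIM, VICTIM, PROTO_TCP, tcp_hdr(80, 80, TCP_SYN)),
    "winnuke": build_ipv4(OTHER, VICTIM, PROTO_TCP, tcp_hdr(40000, 139, TCP_URG | 0x18)),
    "fraggle": build_ipv4(VICTIM, BCAST, PROTO_UDP, udp_hdr(40000, 7)),
    "smurf": build_ipv4(VICTIM, BCAST, PROTO_ICMP, icmp_hdr(8)),
    "df-and-mf": build_ipv4(OTHER, VICTIM, PROTO_TCP, tcp_hdr(40000, 80, TCP_SYN),
                            flags=IP_DF | IP_MF),
    # last fragment placed at offset 8191*8 = 65528: the reassembled size exceeds 65535
    "ping-of-death": build_ipv4(OTHER, VICTIM, PROTO_ICMP, b"\x00" * 8, offset=8191),
}
# second fragment starts at byte 16, inside the 24 bytes carried by the first fragment
TEARDROP = [build_ipv4(OTHER, VICTIM, PROTO_UDP, udp_hdr(1, 1, 40) + b"A" * 16, flags=IP_MF, ident=7),
            build_ipv4(OTHER, VICTIM, PROTO_UDP, b"B" * 16, offset=2, ident=7)]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt, BCAST)}")
    print("teardrop       ->", find_overlapping_fragments(TEARDROP))
```

The Ping of Death and IP-Fragment rules are deliberately evaluated on one fragment at a time, as a router can do before reassembly; the Teardrop check needs the history of earlier fragments of the same datagram, which is why it is a separate function.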
5.2 Configuring Attack Defense
This section describes how to configure the attack defense function.
5.2.1 Establishing the Configuration Task
5.2.2 (Optional) Configuring the VSU to Work as the SSU
5.2.3 (Optional) Configuring the Default Master SSU
5.2.4 Enabling Attack Defense
5.2.5 Configuring Flood Attack Defense
5.2.6 (Optional) Configuring Scanning Attack Defense
5.2.7 (Optional) Configuring Large ICMP Packet Attack Defense
5.2.8 Checking the Configuration
5.2.1 Establishing the Configuration Task
Applicable Environment
On the ME60, you can enable the attack defense for an area to be protected. The area to be
protected may be user domains, interfaces, or specified IP addresses.
Pre-configuration Task
Before configuring attack defense, complete the following tasks:
l Installing the VSU
l Configuring zones and adding interfaces or user domains to the zones (See chapter 2
"Firewall Configuration.")
l Configuring interzone and enabling firewall in the interzone (See chapter 2 "Firewall
Configuration.")
l Configuring zone-based or IP address-based traffic statistics and monitoring for Flood
attack and scanning attack defense, because detecting Flood and scanning attacks needs
the session statistics (See chapter 4 "Traffic Statistics and Monitoring.")
Data Preparation
To configure attack defense, you need the following data.
No. Data
1 Attack type, a specified type or all types
2 Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and the maximum session rate
3 Enabling mode of TCP proxy to prevent SYN Flood attacks: always enabled, always disabled, or auto (that is, enabled when the session rate exceeds the threshold)
4 Timeout of the blacklist and maximum rate to prevent scanning attacks (IP address sweeping and port scanning)
5 Maximum packet length to prevent large ICMP packet attacks
5.2.2 (Optional) Configuring the VSU to Work as the SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode ssu slot slot-id
The operation mode of the VSU is set to SSU.
NOTE
l The configured operation mode takes effect after the VSU is restarted.
l The command for configuring the operation mode of the VSU is not recorded in the system
configuration file. You can run the display device or display lpu-work-mode command to view the
operation mode of the VSU. If the operation mode is configured properly, you need not configure the
operation mode again.
----End
5.2.3 (Optional) Configuring the Default Master SSU
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ssu master default slot-id slot-id
The default master SSU is configured.
The ME60 can be equipped with multiple SSUs. One is the master board, and the others are slave
boards.
If the default master SSU is not specified, the ME60 selects the SSU that registered first as the master.
By default, no master SSU is specified.
----End
5.2.4 Enabling Attack Defense
Context
NOTE
Steps 2-19 are optional and can be performed in any sequence. Select the steps for the types of attack
to be defended against; step 2 enables all of them at once.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend all enable
All types of attack defense are enabled.
Step 3 Run:
firewall defend fraggle enable
The Fraggle attack defense is enabled.
Step 4 Run:
firewall defend icmp-flood enable
The ICMP Flood attack defense is enabled.
Step 5 Run:
firewall defend icmp-redirect enable
The ICMP redirect attack defense is enabled.
Step 6 Run:
firewall defend icmp-unreachable enable
The ICMP unreachable attack defense is enabled.
Step 7 Run:
firewall defend ip-fragment enable
The IP-Fragment attack defense is enabled.
Step 8 Run:
firewall defend ip-sweep enable
The IP address sweeping attack defense is enabled.
Step 9 Run:
firewall defend land enable
The Land attack defense is enabled.
Step 10 Run:
firewall defend large-icmp enable
The large ICMP packet attack defense is enabled.
Step 11 Run:
firewall defend ping-of-death enable
The Ping of Death attack defense is enabled.
Step 12 Run:
firewall defend port-scan enable
The port scanning attack defense is enabled.
Step 13 Run:
firewall defend smurf enable
The Smurf attack defense is enabled.
Step 14 Run:
firewall defend syn-flood enable
The SYN Flood attack defense is enabled.
Step 15 Run:
firewall defend tcp-flag enable
The TCP flag attack defense is enabled.
Step 16 Run:
firewall defend teardrop enable
The Teardrop attack defense is enabled.
Step 17 Run:
firewall defend tracert enable
The Tracert attack defense is enabled.
Step 18 Run:
firewall defend udp-flood enable
The UDP Flood attack defense is enabled.
Step 19 Run:
firewall defend winnuke enable
The WinNuke attack defense is enabled.
By default, attack defense is not enabled on the ME60.
----End
5.2.5 Configuring Flood Attack Defense
Context
Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend
different types of attacks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend icmp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-
instance-name ] } [ max-rate rate-number ]
Parameters of ICMP Flood attack defense are configured.
Step 3 Run:
firewall defend syn-flood { zone zone-name | ip ip-address [ vpn-instance vpn-
instance-name ] } [ max-rate rate-number ] [ tcp-proxy { auto | on | off } ]
Parameters of SYN Flood attack defense are configured.
Step 4 Run:
firewall defend udp-flood { zone zone-name | ip ip-address [ vpn-instance vpn-
instance-name ] } [ max-rate rate-number ]
Parameters of UDP Flood attack defense are configured.
To prevent Flood attacks, you must specify the zones or IP addresses to be protected; otherwise, the configured parameters have no effect. You can specify the maximum session rate. When the session rate to a protected destination exceeds this value, the ME60 treats the traffic as an attack and takes defense measures.
NOTE
The maximum session rate applies to Flood attacks initiated from multiple source addresses to the same destination address. For a Flood attack carried within a single data flow (packets with the same 5-tuple), the rate limit is not configurable; the fixed value is 20 pps. That is, when the rate of SYN or ICMP packets in one flow reaches 20 pps, the ME60 treats it as a Flood attack and discards the packets. In this case, the rate-number parameter does not apply.
For Flood attack defense, the priority of the IP is higher than the priority of the zone. If Flood
attack defense is configured for both a specified IP address and the zone where the IP address
resides, then the attack defense based on IP address takes effect. If you cancel the attack defense
based on IP address, the attack defense based on zone takes effect.
By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled
in the SYN Flood attack defense.
NOTE
In Flood attack defense, you can specify up to 4096 IP addresses to be protected.
----End
5.2.6 (Optional) Configuring Scanning Attack Defense
Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps
to defend different types of attacks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend ip-sweep { max-rate rate-number | blacklist-timeout interval }
Parameters of IP address sweeping attack defense are configured.
Step 3 Run:
firewall defend port-scan { max-rate rate-number | blacklist-timeout interval }
Parameters of port scanning attack defense are configured.
For scanning attack defenses, the following two parameters need to be configured:
l Maximum session rate: When the IP address-based or port-based session rate exceeds this
value, the ME60 considers it as an attack, and then adds the IP address or port to the blacklist
and denies new sessions.
l Blacklist timeout: When the duration of IP address or port in the blacklist exceeds this value,
the ME60 releases the IP address or port from the blacklist and allows new sessions.
By default, the maximum session rate in IP address sweeping and port scanning attack defense
is 4000 pps, and the blacklist timeout is 20 minutes.
----End
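The rate and blacklist semantics of sections 5.2.5 and 5.2.6 (an IP-specific limit taking precedence over the zone limit, parameters having no effect without a protected zone or IP, a scanning source being blacklisted until the timeout expires) are easier to reason about in code. The following Python model is an added example written for this page; it is not ME60 software. The class names, the one-second measurement window, the zone-membership lookup and the sample addresses are assumptions; the thresholds are the page's own defaults.

```python
"""Added example, not ME60 code: a model of the Flood and scanning defenses
described in sections 5.2.5 and 5.2.6. The class names, the 1-second
measurement window and the sample addresses are assumptions; the default
thresholds (1000 pps, 4000 pps, 20 minutes) are the page's defaults."""
from collections import defaultdict, deque


class FloodDefense:
    """Per-destination packet-rate check. A limit set for a specific IP
    address takes precedence over the limit of the zone containing it;
    removing the IP-specific entry makes the zone limit apply again."""

    def __init__(self, default_max_rate=1000):
        self.default_max_rate = default_max_rate
        self.zone_limits = {}                # zone name -> max pps
        self.ip_limits = {}                  # protected IP -> max pps
        self.ip_to_zone = {}                 # IP -> zone name (assumed lookup)
        self.window = defaultdict(deque)     # dst IP -> arrival times, last 1 s

    def add_to_zone(self, ip, zone):
        self.ip_to_zone[ip] = zone

    def protect_zone(self, zone, max_rate=None):
        self.zone_limits[zone] = max_rate or self.default_max_rate

    def protect_ip(self, ip, max_rate=None):
        self.ip_limits[ip] = max_rate or self.default_max_rate

    def unprotect_ip(self, ip):
        self.ip_limits.pop(ip, None)

    def limit_for(self, dst):
        """Effective limit for a destination, or None if it is not protected
        (parameters configured without a zone/IP have no effect)."""
        if dst in self.ip_limits:
            return self.ip_limits[dst]
        return self.zone_limits.get(self.ip_to_zone.get(dst))

    def packet(self, dst, now):
        """True if the packet is forwarded, False if dropped as flood."""
        limit = self.limit_for(dst)
        if limit is None:
            return True
        arrivals = self.window[dst]
        while arrivals and now - arrivals[0] >= 1.0:
            arrivals.popleft()
        if len(arrivals) >= limit:
            return False
        arrivals.append(now)
        return True


class ScanDefense:
    """Source-based sweep/scan check: a source that opens sessions to more
    than max_rate distinct targets (IP addresses for ip-sweep, ports for
    port-scan) per second is blacklisted for blacklist_timeout minutes."""

    def __init__(self, max_rate=4000, blacklist_timeout=20):
        self.max_rate = max_rate
        self.timeout = blacklist_timeout * 60          # seconds
        self.blacklist = {}                            # src -> time listed
        self.window = defaultdict(deque)               # src -> (time, target)

    def is_blacklisted(self, src, now):
        listed = self.blacklist.get(src)
        if listed is None:
            return False
        if now - listed >= self.timeout:
            del self.blacklist[src]                    # timeout: release
            return False
        return True

    def new_session(self, src, target, now):
        """True if the session is allowed, False if denied."""
        if self.is_blacklisted(src, now):
            return False
        seen = self.window[src]
        while seen and now - seen[0][0] >= 1.0:
            seen.popleft()
        seen.append((now, target))
        if len({t for _, t in seen}) > self.max_rate:
            self.blacklist[src] = now
            return False
        return True


if __name__ == "__main__":
    flood = FloodDefense()
    flood.add_to_zone("1.1.0.2", "zone1")
    flood.protect_zone("zone1", 1000)
    flood.protect_ip("1.1.0.2", 2000)
    print("limit for 1.1.0.2:", flood.limit_for("1.1.0.2"))   # IP entry wins
    flood.unprotect_ip("1.1.0.2")
    print("limit after undo:", flood.limit_for("1.1.0.2"))    # zone applies
```

The model counts every packet toward a destination, which is what the page describes for the multi-source case; it does not model the separate fixed 20 pps per-flow limit.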
5.2.7 (Optional) Configuring Large ICMP Packet Attack Defense
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend large-icmp max-length length
Parameters of large ICMP packet attack defense are configured.
For large ICMP packet attack defense, only one parameter needs to be configured, namely, the
maximum packet length. When the length of an ICMP packet exceeds this value, the ME60
considers it as an attack and discards the packet.
By default, the maximum length of ICMP packet is 4000 bytes.
----End
5.2.8 Checking the Configuration
Run the following commands to check the previous configuration.
l Check the enabled attack defenses:
display firewall defend flag
l Check the configuration of Flood attack defenses:
display firewall defend { icmp-flood | syn-flood | udp-flood } [ zone [ zone-name ] | ip [ ip-address ] [ vpn-instance vpn-instance-name ] ]
l Check the configurations of other types of attack defense:
display firewall defend attack-type
5.3 Configuration Examples
This section provides several configuration examples of attack defense.
5.3.1 Example for Configuring Land Attack Defense
5.3.2 Example for Configuring SYN Flood Attack Defense
5.3.3 Example for Configuring IP Address Sweeping Attack Defense
5.3.1 Example for Configuring Land Attack Defense
Networking Requirements
As shown in Figure 5-1, GE1/0/0 of the ME60 is connected to an intranet with a high priority.
GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure
Land attack defense for the traffic from the Internet to the intranet.
Figure 5-1 Networking of Land attack defense
[Figure: the enterprise network (with a server) is attached to GE1/0/0 of the ME60 (1.1.0.1/16); GE2/0/0 (2.2.0.1/16) is attached to the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of interfaces.
l Configure zones and the interzone.
l Add the interfaces to the zones.
l Configure Land attack defense.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 5-1
l Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
4. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
[Quidway-interzone-zone1-zone2] quit
5. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
6. Configure Land attack defense.
[Quidway] firewall defend land enable
Configuration Files
#
sysname Quidway
#
firewall defend land enable
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
acl number 2000
rule 5 permit
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 2000 inbound
packet-filter 2000 outbound
#
return
5.3.2 Example for Configuring SYN Flood Attack Defense
Networking Requirements
As shown in Figure 5-2, GE1/0/0 of the ME60 is connected to an intranet with a high priority.
GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure
SYN Flood attack defense for the traffic from the Internet to the intranet.
Figure 5-2 Networking of SYN Flood attack defense
[Figure: the enterprise network, containing the server 1.1.0.2, is attached to GE1/0/0 of the ME60 (1.1.0.1/16); GE2/0/0 (2.2.0.1/16) is attached to the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of interfaces.
l Configure zones and the interzone.
l Add the interfaces to the zones.
l Configure SYN Flood attack defense.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 5-2
l Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
4. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
[Quidway-interzone-zone1-zone2] quit
5. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
6. Configure SYN Flood attack defense. For the entire intranet, the maximum SYN session
rate is 1000 pps and TCP proxy is automatically enabled. For server 1.1.0.2, the maximum
SYN session rate is 2000 pps and TCP proxy is enabled manually.
[Quidway] firewall defend syn-flood enable
[Quidway] firewall defend syn-flood zone zone1 max-rate 1000 tcp-proxy auto
[Quidway] firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
Configuration Files
#
sysname Quidway
#
firewall defend syn-flood enable
firewall defend syn-flood zone zone1
firewall defend syn-flood ip 1.1.0.2 max-rate 2000 tcp-proxy on
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
acl number 2000
rule 5 permit
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 2000 inbound
packet-filter 2000 outbound
#
return
5.3.3 Example for Configuring IP Address Sweeping Attack
Defense
Networking Requirements
As shown in Figure 5-3, GE1/0/0 of the ME60 is connected to an intranet with a high priority.
GE2/0/0 of the ME60 is connected to the Internet with a low priority. You need to configure IP
address sweeping attack defense for the traffic from the Internet to the intranet. The maximum
session rate is 5000 pps, and the blacklist timeout is 30 minutes.
Figure 5-3 Networking of IP address sweeping attack defense
[Figure: the enterprise network (with a server) is attached to GE1/0/0 of the ME60 (1.1.0.1/16); GE2/0/0 (2.2.0.1/16) is attached to the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses of interfaces.
l Configure zones and the interzone.
l Add the interfaces to the zones.
l Configure IP address sweeping attack defense.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l IP addresses of interfaces, as shown in Figure 5-3
l Network security priorities, 100 for the internal network, and 1 for the external network
Configuration Procedures
1. (Optional) Configure the VSU to the SSU.
<Quidway> system-view
[Quidway] set lpu-work-mode ssu slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure IP addresses of interfaces.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] ip address 1.1.0.1 255.255.0.0
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] ip address 2.2.0.1 255.255.0.0
[Quidway-GigabitEthernet2/0/0] quit
3. Configure an ACL.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit
[Quidway-acl-basic-2000] quit
4. Configure zones and the interzone.
[Quidway] firewall zone zone1
[Quidway-zone-zone1] priority 100
[Quidway-zone-zone1] quit
[Quidway] firewall zone zone2
[Quidway-zone-zone2] priority 1
[Quidway-zone-zone2] quit
[Quidway] firewall interzone zone1 zone2
[Quidway-interzone-zone1-zone2] firewall enable
[Quidway-interzone-zone1-zone2] packet-filter 2000 inbound
[Quidway-interzone-zone1-zone2] packet-filter 2000 outbound
[Quidway-interzone-zone1-zone2] quit
5. Add the interfaces to the zones.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] zone zone1
[Quidway-GigabitEthernet1/0/0] shutdown
[Quidway-GigabitEthernet1/0/0] undo shutdown
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] zone zone2
[Quidway-GigabitEthernet2/0/0] shutdown
[Quidway-GigabitEthernet2/0/0] undo shutdown
[Quidway-GigabitEthernet2/0/0] quit
6. Configure IP address sweeping attack defense.
[Quidway] firewall defend ip-sweep enable
[Quidway] firewall defend ip-sweep blacklist-timeout 30
[Quidway] firewall defend ip-sweep max-rate 5000
Configuration Files
#
sysname Quidway
#
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-timeout 30
#
interface GigabitEthernet1/0/0
zone zone1
undo shutdown
ip address 1.1.0.1 255.255.0.0
#
interface GigabitEthernet2/0/0
zone zone2
undo shutdown
ip address 2.2.0.1 255.255.0.0
#
acl number 2000
rule 5 permit
#
firewall zone zone1
priority 100
#
firewall zone zone2
priority 1
#
firewall interzone zone1 zone2
firewall enable
packet-filter 2000 inbound
packet-filter 2000 outbound
#
return
6 IPSec Configuration
About This Chapter
This chapter describes the rationale, implementation, and configuration of IPSec.
6.1 Introduction
This section describes the concept and rationale of IPSec.
6.2 Defining Data Flows to Be Protected
This section describes how to define the data flows to be protected.
6.3 Configuring an IPSec Proposal
This section describes how to configure an IPSec proposal.
6.4 Configuring an IPSec Policy
This section describes how to configure an IPSec policy.
6.5 Configuring IPSec Policies by Using the IPSec Policy Template
This section describes how to use the IPSec policy template to configure IPSec policies.
6.6 Applying an IPSec Policy or an IPSec Policy Group to an Interface
This section describes how to apply an IPSec policy or an IPSec policy group to an interface.
6.7 Maintaining IPSec
This section provides the commands for clearing IPSec statistics and debugging IPSec.
6.8 Configuration Examples
This section provides a configuration example of IPSec.
6.1 Introduction
This section describes the concept and rationale of IPSec.
6.1.1 Overview of IPSec
6.1.2 Terms Related to IPSec
6.1.3 IPSec Features Supported by the ME60
6.1.1 Overview of IPSec
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). It provides high-quality, interoperable, cryptography-based
security for IP packets. The two communicating parties can encrypt data and authenticate the
data source at the IP layer to ensure confidentiality, data integrity, data source authentication,
and anti-replay protection for packets in transit.
NOTE
l Confidentiality: user data is encrypted and transmitted as ciphertext.
l Data integrity: the receiver verifies the received data to detect whether the packet was modified in transit.
l Data source authentication: the receiver verifies that the data was sent by the claimed sender.
l Anti-replay: the receiver rejects old or duplicate packets, so an attacker gains nothing by capturing
packets and sending them again.
IPSec implements these features using the Authentication Header (AH) and Encapsulating Security
Payload (ESP) security protocols. The Internet Key Exchange (IKE) protocol provides automatic key
negotiation and Security Association (SA) setup and maintenance, which simplifies the use and
management of IPSec.
l AH provides data source authentication, data integrity authentication, and anti-replay
protection. AH does not encrypt the packet.
l ESP provides encryption in addition to the functions provided by AH. The data integrity
authentication of ESP does not cover the IP header. ESP can authenticate and encrypt packets
at the same time, or only authenticate or only encrypt them.
NOTE
AH and ESP can be used either independently or in combination. Both AH and ESP support two
encapsulation modes: transport mode and tunnel mode. For details about the two modes, see
"Encapsulation Modes of IPSec".
l IKE negotiates the keys used by IPSec. The peers run a key exchange and derive from it the
keys required by the algorithms chosen for AH and ESP.
NOTE
IKE negotiation is not mandatory. The IPSec policy and algorithms can also be configured manually. For
a comparison of the two negotiation modes, see "Negotiation Modes".
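The anti-replay service listed above is implemented by the receiver with a sliding window over the AH/ESP sequence number. The following Python code is an added example written for this page, not ME60 software; it implements the window scheme described in RFC 4303, section 3.4.3. The window size of 64 and the sample sequence-number stream are assumptions.

```python
"""Added example, not ME60 code: the sliding anti-replay window that an
AH/ESP receiver keeps per inbound SA (the scheme in RFC 4303, section 3.4.3).
The window size of 64 and the sample sequence numbers are assumptions."""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if the packet is fresh; False if it is
        a replay or too old. Call this only after the packet's ICV verified,
        so that forged packets cannot advance the window."""
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:                    # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                      # already received: replay
        self.bitmap |= 1 << diff              # late but fresh: accept
        return True


def filter_sequence(seqs, size=64):
    """Apply one window to a captured sequence-number stream; returns the
    accept/reject decision for each packet in order."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order, reordered, replayed, then a big jump
    # followed by a packet that fell out of the window.
    stream = [1, 3, 2, 2, 3, 100, 36, 37]
    for s, ok in zip(stream, filter_sequence(stream)):
        print(f"seq {s:>3}: {'accept' if ok else 'drop'}")
```

Reordered packets inside the window are accepted once; a second copy of any accepted packet, or a packet older than the window, is dropped. This is why the sequence number is part of every AH/ESP header and why an SA must be replaced before its sequence counter wraps.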
6.1.2 Terms Related to IPSec
Security Association
IPSec provides secure communication between IPSec peers (two communication ends).
A security association (SA) is the set of conventions agreed by the communicating parties: the
protocol used (AH, ESP, or both), the encapsulation mode of the protocol (transport mode or tunnel
mode), the encryption algorithm (DES or 3DES), the shared key for the specified data flows, and the
lifetime of that key. The SA is the basis of IPSec.
An SA is unidirectional. If two hosts communicate through ESP, each host needs two SAs: one
protects outbound packets, and the other protects inbound packets.
If both AH and ESP are applied to protect the data flow between the peers, separate SAs are needed
for AH and ESP. Each host then requires four SAs.
An SA is uniquely identified by three parameters: the security parameter index (SPI), the destination
IP address, and the security protocol identifier (AH or ESP). The SPI is a 32-bit number that
identifies the SA; it is carried in the AH/ESP header of every protected packet.
An SA has a lifetime, measured in either of the following ways:
l Time-based lifetime: the SA is renewed after a specified interval.
l Traffic-based lifetime: the SA is renewed after a specified amount of data (in bytes) has been transmitted.
The SA becomes invalid when either lifetime expires. Before that happens, IKE negotiates a new SA,
so a new SA is ready before the old one becomes invalid.
The SA also specifies the encapsulation mode of the protocol.
Encapsulation Modes of IPSec
IPSec has two encapsulation modes:
l Transport mode: the AH/ESP header is inserted after the IP header and before the transport-layer
header (or before any other IPSec header). Figure 6-1 shows the packet format in transport mode.
l Tunnel mode: the AH/ESP header is inserted before the original IP header, and a new IP header is
added in front of it. Figure 6-2 shows the packet format in tunnel mode.
Figure 6-1 Packet format in transport mode
Protocol   Packet layout
AH         IP Header | AH | TCP Header | data
ESP        IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
Figure 6-2 Packet format in tunnel mode
Protocol   Packet layout
AH         new IP Header | AH | raw IP Header | TCP Header | data
ESP        new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Use either of the modes according to actual situations.
l The tunnel mode is safer than the transport mode. The tunnel mode can authenticate and
encrypt original IP data packets completely. In addition, it can hide the client IP address
by using the IP address of the IPSec peer.
l The tunnel mode occupies more bandwidth than the transport mode because it has an extra
IP header.
The transport mode is suitable for communication between two hosts or between a host and a
security gateway. In the transport mode, the two devices encrypting or decrypting packets must
be the original packet sender and final receiver respectively.
Most of the data flows between two security gateways (or routers) are usually not their own
communication traffic. Therefore, the tunnel mode is used between security gateways. Packets
encrypted by one security gateway can be decrypted only by another corresponding security
gateway. That is, a new IP header must be added to a packet, and the IP packet is sent to the
security gateway that can decrypt it.
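The header order of Figures 6-1 and 6-2 and the extra bandwidth of tunnel mode can be made concrete by building the field layout and computing the ESP trailer. The following Python code is an added example written for this page, not ME60 software. The header sizes are the standard IPv4 sizes for DES/3DES-CBC with a 96-bit HMAC ICV (RFC 4302 and RFC 4303); the sample segment length is an assumption.

```python
"""Added example, not ME60 code: builds the header order of Figures 6-1 and
6-2 as a field list and works out the ESP trailer padding, so the extra
bandwidth of tunnel mode can be measured. Header sizes are the standard
ones for IPv4 with DES/3DES-CBC and an HMAC-96 ICV; the sample segment
length is an assumption."""

IP_HEADER = 20      # IPv4 header without options
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_AUTH = 12       # 96-bit ICV of HMAC-MD5-96 / HMAC-SHA1-96
AH_HEADER = 24      # 12-byte fixed part + 96-bit ICV
DES_BLOCK = 8       # DES and 3DES cipher block size in bytes


def esp_padding(payload_len, block_size=DES_BLOCK):
    """Padding bytes so that payload + padding + pad-length (1) + next-header
    (1) is a multiple of the cipher block size (RFC 4303, section 2.4)."""
    return (-(payload_len + 2)) % block_size


def ipsec_layout(mode, protocol, segment_len, block_size=DES_BLOCK):
    """Ordered (field, bytes) list for a packet carrying a transport-layer
    segment of segment_len bytes (TCP header + data).
    mode: 'transport' or 'tunnel'; protocol: 'ah', 'esp' or 'ah-esp'."""
    if mode == "transport":
        outer = [("IP header", IP_HEADER)]
        inner = [("TCP header + data", segment_len)]
    elif mode == "tunnel":
        outer = [("new IP header", IP_HEADER)]
        inner = [("raw IP header", IP_HEADER), ("TCP header + data", segment_len)]
    else:
        raise ValueError(mode)
    if protocol not in ("ah", "esp", "ah-esp"):
        raise ValueError(protocol)

    headers, trailer = [], []
    if protocol in ("ah", "ah-esp"):
        headers.append(("AH", AH_HEADER))          # its ICV covers the IP header too
    if protocol in ("esp", "ah-esp"):
        encrypted = sum(n for _, n in inner)       # everything after the ESP header
        headers.append(("ESP header", ESP_HEADER))
        trailer = [("ESP tail", esp_padding(encrypted, block_size) + 2),
                   ("ESP auth data", ESP_AUTH)]    # ICV does not cover the IP header
    return outer + headers + inner + trailer


def packet_len(layout):
    return sum(n for _, n in layout)


def tunnel_overhead(protocol, segment_len):
    """Extra bytes on the wire for tunnel mode versus transport mode."""
    return (packet_len(ipsec_layout("tunnel", protocol, segment_len))
            - packet_len(ipsec_layout("transport", protocol, segment_len)))


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for proto in ("ah", "esp", "ah-esp"):
            layout = ipsec_layout(mode, proto, 100)
            print(f"{mode:9} {proto:6} {packet_len(layout):4} bytes: "
                  + " | ".join(f for f, _ in layout))
```

For a 100-byte segment, tunnel-mode ESP costs 24 bytes more than transport-mode ESP: the 20-byte outer header plus 4 extra padding bytes, because the raw IP header now sits inside the encrypted payload and changes its alignment.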
Authentication Algorithms and Encryption Algorithms
l Authentication algorithms
AH and ESP verify the integrity of an IP packet to determine whether it was modified in transit.
The verification is based on a hash function: an algorithm that accepts input of any length and
always produces output of a fixed length. The output is called a message digest. To check integrity,
each IPSec peer computes the digest over the packet, keyed with the authentication key of the SA;
if the digests at both ends are the same, the packet is intact and was not modified. IPSec on the
ME60 supports two authentication algorithms:
l Message Digest 5 (MD5): accepts a message of any length and generates a 128-bit digest.
l Secure Hash Algorithm (SHA-1): accepts a message shorter than 2^64 bits and generates a
160-bit digest.
The SHA-1 digest is longer than that of MD5, so SHA-1 is stronger than MD5. Neither MD5 nor
SHA-1 is considered collision resistant today; IPSec uses them only in keyed (HMAC) form, but
where a peer offers only these two, SHA-1 is the one to choose.
l Encryption algorithms
ESP encrypts the IP packet to prevent its contents from being disclosed in transit. Encryption uses
a symmetric-key cipher: the same key encrypts and decrypts the data. IPSec on the ME60 supports two
encryption algorithms:
l DES: encrypts 64-bit plaintext blocks with a 56-bit key.
l 3DES: encrypts plaintext with three 56-bit DES keys (a 168-bit key).
3DES is much stronger than DES, but its encryption speed is slower. A 56-bit DES key can be
recovered by exhaustive search with modest resources, so do not use DES where 3DES is available.
Negotiation Modes
There are two negotiation modes for establishing an SA: manual mode (manual) and IKE auto-
negotiation mode (isakmp).
The manual mode is a bit complex because all information about SA has to be configured
manually, and it does not support some advanced features of IPSec, such as key update timer.
The manual mode implements IPSec independent of IKE.
The IKE auto-negotiation mode is much easier because the SA can be established and maintained
through IKE auto-negotiation as long as security policies of IKE negotiation are configured.
The manual mode is feasible in the case where few peer devices are deployed or in a small-sized
static environment. For a medium or large-sized dynamic networking environment, IKE auto-
negotiation mode is recommended.
IPSec allows systems, network subscribers, or administrators to control the granularity of
security services between peers. For instance, IPSec policies of a group prescribe that data flows
from a subnet should be protected using AH and ESP and be encrypted using 3DES. In addition,
the policies prescribe that data flows from another site should be protected using ESP only and
be encrypted using DES only. IPSec can provide security protection in various levels for different
data flows based on SA.
6.1.3 IPSec Features Supported by the ME60
The ME60 implements the previously mentioned functions of IPSec.
Through IPSec, the peers can perform various security protections (authentication, encryption
or both) on data flows that are differentiated based on the ACL.
To implement the IPSec function, you need to configure the IPSec policy and QoS traffic policy
on the ME60. Apply the QoS traffic policy configured with the IPSec behavior to the entire
equipment or the incoming interface, and then apply the IPSec policy or IPSec policy group to
the outgoing interface. After the configuration, user packets can be encrypted.
For the packets sent by a user, the ME60 checks whether the packets need to be encrypted through
IPSec according to the QoS traffic policy. If the packets need to be encrypted, the ME60
determines whether to encrypt the packets and how to encrypt the packets according to the IPSec
policy configured on the outgoing interface of the packets.
The configuration roadmap of IPSec is as follows:
1. Define data flows to be protected and use ACL rules to differentiate them.
2. Define a security proposal and specify the security protocol, authentication algorithm,
encryption algorithm, and encapsulation mode.
3. Define a security policy or a security policy group and specify the association relationship
between data flow and IPSec proposal, SA negotiation mode, peer IP address, the required
key, and the SA duration.
4. Apply the IPSec policy on the interface of the ME60.
For the configuration roadmap of the QoS traffic policy, see chapter 2 "Class-based QoS
Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide
- QoS.
6.2 Defining Data Flows to Be Protected
This section describes how to define the data flows to be protected.
6.2.1 Establishing the Configuration Task
6.2.2 Defining Data Flows to Be Protected
6.2.1 Establishing the Configuration Task
Applicable Environment
Packets that need protection are defined by a pre-defined advanced ACL.
Packets are matched against the rules in the ACL. Only packets that match permit rules in the ACL
are protected by IPSec. Packets that match deny rules are sent out directly without protection.
NOTE
Although their format and configuration method are the same, an IPSec ACL differs from a firewall
ACL in function. A common ACL determines whether data is permitted or denied on an interface.
For more information, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide -
IP Services.
Some data flows need only authentication; others, with higher security requirements, need both
authentication and encryption. One IPSec policy provides only one protection method, so you
should define separate ACLs and IPSec policies for data flows with different requirements.
The ACL defined on the local router and the ACL on the remote router should mirror each other:
data encrypted at one end is then authenticated and decrypted at the peer end. If a packet belonging
to a flow that the ACLs define as protected arrives without IPSec protection, the local router regards
it as an attack packet and discards it.
For example, at the local end:
[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255
At the remote end:
[Quidway] acl number 3101
[Quidway-acl-adv-3101] rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
NOTE
l IPSec protects only the data flows that match permit rules in the ACL. Define the ACL precisely,
and use the any keyword with caution.
l It is recommended that you configure a mirror relationship between the local ACL and the remote ACL.
l Using the display acl command, you can view all ACLs, including ACLs used for traffic filtering
and ACLs used for encryption.
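A mismatch between the two ACLs shows up only as silently dropped traffic at one end, so it is worth checking the mirror relationship before the policies are applied. The following Python code is an added example written for this page, not ME60 software: it parses advanced ACL rules in the form shown above and reports every local permit rule that has no exact mirror (source and destination swapped, same protocol) among the remote permit rules. The rule strings are constructed for the example, and the parser handles only the protocol, source and destination fields used here.

```python
"""Added example, not ME60 code: parses advanced ACL rules in the form shown
on this page and checks that the local and remote ACLs mirror each other
(each local permit rule has a remote permit rule with source and destination
swapped). The rule strings are constructed; the parser understands only the
protocol, source and destination fields used in the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip', 'tcp', 'udp', ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Huawei wildcard mask: 0 bits are significant. '0.0.0.0' means one
    host; ipaddress would read an all-zero mask as a /0, so handle it here.
    strict=False tolerates host bits set in addr, as the CLI does."""
    if wildcard == "0.0.0.0":
        return ipaddress.IPv4Network(f"{addr}/32")
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)  # hostmask form


def parse_rule(line):
    tokens = line.split()
    if tokens[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 1
    if tokens[i].isdigit():          # optional rule-id
        i += 1
    action, protocol = tokens[i], tokens[i + 1]
    i += 2
    fields = {"source": ipaddress.IPv4Network("0.0.0.0/0"),
              "destination": ipaddress.IPv4Network("0.0.0.0/0")}
    while i < len(tokens):
        key = tokens[i]
        if key not in fields:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
        if tokens[i + 1] == "any":
            i += 2
        else:
            fields[key] = wildcard_to_network(tokens[i + 1], tokens[i + 2])
            i += 3
    return Rule(action, protocol, fields["source"], fields["destination"])


def unmirrored(local_rules, remote_rules):
    """Local permit rules that have no exact mirror among the remote permit
    rules; an empty list means the two ACLs correspond."""
    remote = {(r.protocol, r.src, r.dst)
              for r in map(parse_rule, remote_rules) if r.action == "permit"}
    missing = []
    for r in map(parse_rule, local_rules):
        if r.action == "permit" and (r.protocol, r.dst, r.src) not in remote:
            missing.append(r)
    return missing


if __name__ == "__main__":
    local = ["rule 1 permit ip source 173.1.1.0 0.0.0.255 destination 173.2.2.0 0.0.0.255"]
    remote = ["rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255"]
    print("mirror OK" if not unmirrored(local, remote) else "ACLs do not mirror")
```

The check demands an exact mirror; a remote rule that merely covers the local flow (for example a /16 against a local /24) is reported, because the two ends would then disagree about which packets must arrive protected.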
Pre-configuration Task
None.
Data Preparation
To define data flows to be protected, you need the following data.
1. ACL number
2. (Optional) Configuration sequence of ACL rules
3. (Optional) Numbers of the ACL rules
4. Protocol type
5. (Optional) Source and destination IP addresses and wildcard masks
6. (Optional) Source and destination port numbers and the operator for comparing the port
numbers of the source and destination addresses
7. (Optional) ICMP packet type and message code
8. (Optional) Packet precedence
9. (Optional) Service type
10. (Optional) Name of a time range
11. (Optional) Whether to log the packets that match the rule
12. (Optional) Whether the rule takes effect only on fragmented packets other than the first fragment
6.2.2 Defining Data Flows to Be Protected
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An advanced ACL is created.
Step 3 Run the following commands to configure ACL rules:
l rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag-value | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
l rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | source-port operator port | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
l rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
l rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | dscp dscp | fragment-type fragment-type | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]*
For the configuration of the advanced ACL, refer to the Quidway ME60 Multiservice Control
Gateway Configuration Guide - IP Services.
----End
6.3 Configuring an IPSec Proposal
This section describes how to configure an IPSec proposal.
6.3.1 Establishing the Configuration Task
6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal View
6.3.3 Configuring the IPSec Protocol
6.3.4 Configuring the Authentication Algorithm
6.3.5 Configuring the Encryption Algorithm
6.3.6 Configuring the Encapsulation Mode
6.3.7 Checking the Configuration
6.3.1 Establishing the Configuration Task
Applicable Environment
An IPSec proposal must be configured as part of the IPSec configuration.
Pre-configuration Task
Before configuring an IPSec proposal, complete the following task:
l Defining Data Flows to Be Protected
Data Preparation
To configure an IPSec proposal, you need the following data.
No. Data
1 Name of the IPSec proposal (a character string of 1 to 15 characters )
2 Security protocol adopted: AH, ESP or AH-ESP
3 Authentication algorithm adopted: MD5 or SHA-1
4 Encryption algorithm adopted: DES or 3DES
5 Encapsulation mode adopted: transport mode or tunnel mode

6.3.2 Creating an IPSec Proposal and Entering the IPSec Proposal
View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
An IPSec proposal is created and the IPSec proposal view is displayed.
NOTE
You can configure up to 50 IPSec proposals.
----End
6.3.3 Configuring the IPSec Protocol
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
The IPSec proposal view is displayed.
Step 3 Run:
transform { ah | ah-esp | esp }
The IPSec proposal is configured.
NOTE
The default security protocol is ESP, that is, the ESP protocol defined in RFC 2406.
----End
6.3.4 Configuring the Authentication Algorithm
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
The IPSec proposal view is displayed.
Step 3 Run:
ah authentication-algorithm { md5 | sha1 }
The authentication algorithm adopted by AH is configured.
Or run:
undo ah authentication-algorithm
The default authentication algorithm is adopted for the AH protocol.
Step 4 Run:
esp authentication-algorithm { md5 | sha1 }
The authentication algorithm adopted by ESP is configured.
Or run:
undo esp authentication-algorithm
The default authentication algorithm is adopted for the ESP protocol.
NOTE
l By default, both ESP and AH adopt the MD5 authentication algorithm.
l You can configure the authentication algorithm only after selecting a corresponding IPSec protocol by
running the transform command. For example, if ESP is selected, you can only configure the
authentication algorithm required for ESP.
----End
6.3.5 Configuring the Encryption Algorithm
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
The IPSec proposal view is displayed.
Step 3 Run:
esp encryption-algorithm { 3des | des }
The encryption algorithm adopted by ESP is configured.
Or run:
undo esp encryption-algorithm
The default encryption algorithm is adopted for the ESP protocol.
NOTE
By default, both ESP and AH adopt the MD5 encryption algorithm.
----End
6.3.6 Configuring the Encapsulation Mode
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
The IPSec proposal view is displayed.
Step 3 Run:
encapsulation-mode { transport | tunnel }
The encapsulation mode is configured.
NOTE
l By default, the tunnel mode is adopted.
l In transport mode, a data flow is protected only when its two endpoints are the same as the two endpoints of the security tunnel.
----End
6.3.7 Checking the Configuration
Run the following command to check the previous configuration.
Action Command
Check information about the IPSec proposal. display ipsec proposal [ name proposal-name ]

6.4 Configuring an IPSec Policy
This section describes how to configure an IPSec policy.
NOTE
This section describes configuration of the IPSec policy in the manual negotiation mode and the IKE
negotiation mode. The configuration is needed in both manual mode and IKE mode unless otherwise
specified.
6.4.1 Establishing the Configuration Task
6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
6.4.3 Configuring the ACL Used in the IPSec Policy
6.4.4 Applying the IPSec Proposal to the IPSec Policy
6.4.5 Configuring the SA Duration
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel (for Manual Mode)
6.4.7 Configuring the SPI for an SA (for Manual Mode)
6.4.8 Configuring Key for an SA (for Manual Mode)
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE Negotiation Mode)
6.4.10 Configuring the PFS Feature Used in the IKE Negotiation
6.4.11 Configuring the Global SA Duration
6.4.12 Checking the Configuration
6.4.1 Establishing the Configuration Task
Applicable Environment
An IPSec policy must be configured as part of the IPSec configuration.
Pre-configuration Task
Before configuring an IPSec policy, complete the following tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l Creating an IKE peer if IKE negotiation mode is adopted (see chapter 7 "IKE Configuration")
Data Preparation
To configure an IPSec policy, you need the following data.
No. Data
1 Name and sequence number of the IPSec policy
2 Negotiation mode: manual mode or IKE mode
3 SA duration or global SA duration, time-based or traffic-based
4 For manual mode: local and remote IP addresses of the tunnel (used only for policies applied to interfaces), SPI of the SA and its direction (inbound or outbound), IPSec protocol adopted, authentication key used by the SA, and encryption key (if ESP is adopted)
5 For IKE negotiation mode: IKE peer name and the DH group used by Perfect Forward Secrecy (PFS)

6.4.2 Creating an IPSec Policy and Entering the IPSec Policy View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
An IPSec policy is created and the IPSec policy view is displayed.
NOTE
l Up to 100 IPSec policies can be created in the system.
l By default, no IPSec policy is configured.
----End
6.4.3 Configuring the ACL Used in the IPSec Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
security acl acl-number
The ACL used in the IPSec policy is configured.
NOTE
An IPSec policy can use only one ACL. If the security acl command is run several times for an IPSec policy, the ACL configured last takes effect.
----End
6.4.4 Applying the IPSec Proposal to the IPSec Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
proposal proposal-name &<1-6>
The IPSec proposal is adopted by the IPSec policy.
NOTE
l When you set up an SA manually, an IPSec policy can apply only one IPSec proposal. You should
remove the old IPSec proposal before setting up a new one. In addition, the IPSec proposals applied
on the two ends of a tunnel should be configured with the same security protocol, algorithm and packet
encapsulation mode.
l When you set up an SA by IKE negotiation (isakmp), an IPSec policy can apply up to six IPSec
proposals. IKE negotiation searches for completely matched IPSec proposals on the two ends of the
tunnel. If no completely matched IPSec proposal is found, the SA cannot be set up and the packets that
need protection are discarded.
----End
6.4.5 Configuring the SA Duration
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
sa duration { traffic-based kilobytes | time-based seconds }
The SA duration is configured.
NOTE
l The default time-based duration of an SA is 3600 seconds; the default traffic-based duration of an SA is 1843200 kilobytes. If no duration is set for an SA, the global duration is adopted. For details about the global SA duration, see "6.4.11 Configuring the Global SA Duration".
l When IKE negotiates a new SA for IPSec, the shorter of the locally set duration and the duration proposed by the peer is used.
l Modifying the duration does not affect existing SAs. The modified duration is used when new SAs are set up through IKE negotiation.
l The SA duration takes effect only in IKE negotiation mode, not in manual mode.
----End
6.4.6 Configuring the Local and Remote IP Addresses of the Tunnel
(for Manual Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
tunnel local ip-address
The local IP address of the tunnel is configured.
Step 4 Run:
tunnel remote ip-address
The remote IP address of the tunnel is configured.
NOTE
l This configuration specifies the IPSec peers.
l You must configure the local address to set up the SA when implementing a manually created IPSec
policy. In addition, the security tunnel can be set up only when the local address and the remote address
are configured correctly.
----End
6.4.7 Configuring the SPI for an SA (for Manual Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
sa spi { inbound | outbound } { ah | esp } spi-number
The SPI of the SA is configured.
NOTE
l When setting up an SA, you must set the inbound and outbound parameters for the SA.
l The SA parameters set on the two ends of a tunnel must match each other: the inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.
----End
6.4.8 Configuring Key for an SA (for Manual Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
The authentication key (in the format of hexadecimal numerals) of the protocol is configured.
Step 4 Run:
sa string-key { inbound | outbound } { ah | esp } string-key
The authentication key (in the format of a character string) of the protocol is configured.
If you enter a string, the sa string-key command generates an authentication key for the AH
protocol. For the ESP protocol, this command generates an authentication key and an encrypted
key.
Step 5 Run:
sa encryption-hex { inbound | outbound } esp hex-key
The encryption key (in the format of hexadecimal numerals) used in ESP is configured.
NOTE
l The SA parameters set on the two ends of a tunnel must match each other: the inbound key of the local end must be the same as the outbound key of the remote end, and the outbound key of the local end must be the same as the inbound key of the remote end.
l If both a character-string key and a hexadecimal key are configured, the one configured last is adopted.
l The key must be entered in the same format on both ends of the security tunnel. If it is entered as a character string on one end and in hexadecimal on the other end, the security tunnel cannot be established.
----End
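The matching requirements stated in 6.2.1 (mirrored ACLs), 6.4.4 (identical proposals), 6.4.7 (swapped SPIs) and 6.4.8 (swapped keys entered in the same format) can be checked offline before a manual tunnel is brought up. The following Python checker is an added example, not code from the guide or from Huawei; it understands only the small VRP-style command subset shown, and both configuration samples are constructed.

```python
import re

# Constructed sample configurations for the two tunnel ends (not from the guide):
# ACLs mirror and SPIs are swapped correctly, but ME60 B entered its outbound keys
# in hex while ME60 A entered the matching inbound key as a string.
LOCAL_CFG = """
acl number 3101
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal prop1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des
ipsec policy map1 10 manual
 sa spi inbound esp 12345
 sa spi outbound esp 54321
 sa string-key inbound esp inkey
 sa string-key outbound esp outkey
"""
REMOTE_CFG = """
acl number 3101
 rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal prop1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm des
ipsec policy map1 10 manual
 sa spi inbound esp 54321
 sa spi outbound esp 12345
 sa string-key inbound esp outkey
 sa authentication-hex outbound esp 696e6b6579
 sa encryption-hex outbound esp 696e6b6579
"""

RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)$"
)
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_config(text):
    """Collect ACL rules, proposal settings, SPIs and keys from a simplified
    VRP-style configuration (only the commands shown above are understood)."""
    cfg = {"rules": [], "proposal": [], "spi": {}, "key": {}}
    section = None
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        if line.startswith(("acl number", "ipsec proposal", "ipsec policy")):
            section = parts[1]  # "number", "proposal" or "policy"
        elif section == "number":
            m = RULE_RE.match(line)
            if m:
                cfg["rules"].append(m.groups())
        elif section == "proposal":
            cfg["proposal"].append(line)
        elif section == "policy" and parts[0] == "sa":
            cmd, direction, proto, value = parts[1], parts[2], parts[3], parts[4]
            if cmd == "spi":
                cfg["spi"][direction] = (proto, value)
            elif cmd == "string-key":
                # A string key yields the AH auth key, or both keys for ESP (6.4.8).
                for kind in ("auth", "enc") if proto == "esp" else ("auth",):
                    cfg["key"][(direction, kind)] = ("string", value)
            elif cmd in ("authentication-hex", "encryption-hex"):
                kind = "auth" if cmd.startswith("auth") else "enc"
                cfg["key"][(direction, kind)] = ("hex", value)
    return cfg


def check_peers(local, remote):
    """Return the mismatches that would stop the manual SA from coming up;
    an empty list means the two ends are mirror images of each other."""
    findings = []
    # 1. Every permit rule needs a mirror rule (source/destination swapped).
    for action, proto, src, swc, dst, dwc in local["rules"]:
        if action == "permit" and (action, proto, dst, dwc, src, swc) not in remote["rules"]:
            findings.append(f"no mirror rule on remote for {src} -> {dst}")
    # 2. Security protocol, algorithms and encapsulation mode must be identical.
    if sorted(local["proposal"]) != sorted(remote["proposal"]):
        findings.append("IPSec proposal settings differ")
    # 3. Local inbound SPI must equal remote outbound SPI, and vice versa.
    for direction, other in OPPOSITE.items():
        if local["spi"].get(direction) != remote["spi"].get(other):
            findings.append(f"local {direction} SPI != remote {other} SPI")
    # 4. Keys must match the opposite direction and use the same input format.
    for (direction, kind), (fmt, value) in local["key"].items():
        peer = remote["key"].get((OPPOSITE[direction], kind))
        if peer is None:
            findings.append(f"remote lacks {OPPOSITE[direction]} {kind} key")
        elif peer[0] != fmt:
            findings.append(f"{kind} key format differs ({fmt} vs {peer[0]})")
        elif peer[1] != value:
            findings.append(f"{kind} key value differs for local {direction}")
    return findings
```

Running check_peers on the two samples reports only the two key-format mismatches; correcting ME60 B's outbound key to a string key yields an empty list.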
6.4.9 Configuring the IKE Peer for the IPSec Policy (for IKE
Negotiation Mode)
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
ike-peer peer-name
The IKE peer adopted in the IPSec policy is configured.
NOTE
This chapter describes only how to apply an IKE peer to an IPSec policy. In practice, you must also configure IKE parameters in the IKE peer view, such as the IKE negotiation mode, ID type, NAT traversal, shared key, peer address, and peer name. For more information, refer to chapter 7 "IKE Configuration."
----End
6.4.10 Configuring the PFS Feature Used in the IKE Negotiation
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]
The IPSec policy view is displayed.
Step 3 Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
PFS is a security feature: if one key is compromised, the security of the other keys is not affected, because the keys are not derived from one another. For details, see chapter 7 "IKE Configuration."
NOTE
l PFS exchange is performed when IPSec uses this IPSec policy to initiate a negotiation. If the local end
uses PFS, the peer must adopt PFS during negotiation. The DH groups specified on the local end and
the peer must be the same; otherwise, the negotiation fails.
l The 1024-bit Diffie-Hellman group (dh-group2) provides higher security than the 768-bit Diffie-Hellman group (dh-group1), but dh-group2 takes longer to compute.
l By default, the PFS feature is disabled.
----End
6.4.11 Configuring the Global SA Duration
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec sa global-duration { traffic-based kilobytes | time-based seconds }
The global SA duration is configured.
NOTE
l Changing the global duration does not influence the existing IPSec policies that have their own duration
or the established SAs. The changed duration is used when a new SA is set up by IKE negotiation.
l The default time-based global duration is 3600 seconds; the default traffic-based global duration is
1843200 kilobytes.
----End
6.4.12 Checking the Configuration
Run the following commands to check the previous configuration.
Action Command
Check information about the IPSec policy. display ipsec policy [ brief | name policy-name [ seq-number ] ]
Check the IPSec statistics. display ipsec statistics
Check information about the SA. display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.5 Configuring IPSec Policies by Using the IPSec Policy
Template
This section describes how to use the IPSec policy template to configure IPSec policies.
NOTE
This configuration is optional. If the IPSec policy template is not used, you can skip this section.
6.5.1 Establishing the Configuration Task
6.5.2 Creating an IPSec Policy Template and Entering the IPSec Policy Template View
6.5.3 Configuring the ACL Used in the IPSec Policy Template
6.5.4 Applying the IPSec Proposal to the IPSec Policy Template
6.5.5 Configuring the SA Duration
6.5.6 Configuring the IKE Peer for the IPSec Policy Template
6.5.7 Configuring the PFS Feature Used in the IKE Negotiation
6.5.8 Configuring the Global SA Duration
6.5.9 Applying the IPSec Policy Template
6.5.10 Checking the Configuration
6.5.1 Establishing the Configuration Task
Applicable Environment
Some network parameters cannot be known in advance. For example, the IP address assigned to a dial-up mobile user is not fixed. In such cases, the endpoint addresses of the IPSec tunnel and the data flow to be protected cannot be determined beforehand.
In this case, you can configure an IPSec policy template on the receiver side. The policy template specifies only certain parameters; for the unspecified parameters, the values set on the initiator side are adopted.
NOTE
l The configured parameters must be consistent on both ends during negotiation.
l To enable the template to accept negotiation requests from various peers in pre-shared key mode, you can specify a peer address range. You can also leave the peer address unspecified in the ike-peer configuration, thus allowing access by different dial-up users.
l The IPSec policy is required on the user side. The ACL rules referenced by the IPSec policy must specify the source address range so that the server can send the encrypted response data back correctly.
Pre-configuration Task
Before configuring IPSec policies by using the IPSec policy template, complete the following
tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l Creating the IKE peer
Data Preparation
To configure IPSec policies by using the IPSec policy template, you need the following data.
No. Data
1 Name and sequence number of the IPSec policy template
2 SA duration or global duration of an SA, time-based or traffic-based
3 Name of the IKE peer and DH groups used by PFS

6.5.2 Creating an IPSec Policy Template and Entering the IPSec
Policy Template View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
An IPSec policy template is created or modified and the IPSec policy template view is displayed.
----End
6.5.3 Configuring the ACL Used in the IPSec Policy Template
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
The IPSec policy template view is displayed.
Step 3 Run:
security acl acl-number
The ACL used in the IPSec policy template is configured.
----End
6.5.4 Applying the IPSec Proposal to the IPSec Policy Template
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
The IPSec policy template view is displayed.
Step 3 Run:
proposal proposal-name1 [ proposal-name2... proposal-name6 ]
The IPSec proposal is adopted by the IPSec policy template.
----End
6.5.5 Configuring the SA Duration
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
The IPSec policy template view is displayed.
Step 3 Run:
sa duration { traffic-based kilobytes | time-based seconds }
The SA duration is configured.
----End
6.5.6 Configuring the IKE Peer for the IPSec Policy Template
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
The IPSec policy template view is displayed.
Step 3 Run:
ike-peer peer-name
The IKE peer adopted in the IPSec policy template is configured.
----End
6.5.7 Configuring the PFS Feature Used in the IKE Negotiation
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template template-name seq-number
The IPSec policy template view is displayed.
Step 3 Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
----End
6.5.8 Configuring the Global SA Duration
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec sa global-duration { traffic-based kilobytes | time-based seconds }
The global SA duration is configured.
----End
6.5.9 Applying the IPSec Policy Template
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number isakmp template template-name
The IPSec policy template is adopted.
NOTE
The policy created through an IPSec policy template cannot initiate negotiation of an SA, but it can respond
to a negotiation.
----End
6.5.10 Checking the Configuration
Run the following commands to check the previous configuration.
Action Command
Check information about the IPSec policy template. display ipsec policy-template [ brief | name policy-name [ seq-number ] ]
Check the IPSec statistics. display ipsec statistics
Check information about the SA. display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

6.6 Applying an IPSec Policy or an IPSec Policy Group to an
Interface
This section describes how to apply an IPSec policy or an IPSec policy group to an interface.
6.6.1 Establishing the Configuration Task
6.6.2 Configuring the IPSec Behavior in the Traffic Policy
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an Interface
6.6.1 Establishing the Configuration Task
Applicable Environment
To protect different data flows, apply the QoS traffic policy configured with the IPSec behavior to the whole equipment or to the incoming interface of the packets, and then apply the IPSec policy or IPSec policy group to the outgoing interface.
If the SA is established manually, the SA is created immediately after the IPSec policy is applied. If the SA is established through automatic negotiation, the IKE peers negotiate the SA only when a flow that matches the IPSec policy passes through the outgoing interface.
Pre-configuration Task
Before applying an IPSec policy or an IPSec policy group to an interface, complete the following
tasks:
l 6.2 Defining Data Flows to Be Protected
l 6.3 Configuring an IPSec Proposal
l 6.4 Configuring an IPSec Policy
Data Preparation
To apply an IPSec policy or an IPSec policy group to an interface, you need the following data.
No. Data
1 Name of the QoS behavior
2 Type and number of the interface
3 Name of the IPSec policy

6.6.2 Configuring the IPSec Behavior in the Traffic Policy
Context
To configure the ME60 to encrypt packets through IPSec, you need to configure a traffic policy,
configure the traffic behavior in the traffic policy, and then apply the traffic policy.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
The behavior view is displayed.
Step 3 Run:
ipsec
The traffic behavior is set to IPSec.
NOTE
Here, only the configuration of the traffic behavior is described. To configure the ME60 to encrypt user
packets through IPSec, you need to configure a complete traffic policy and apply the traffic policy to the
entire system or an interface. For the configuration and application of the traffic policy, see chapter 2 "Class-
based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration Guide -
QoS.
----End
6.6.3 Applying an IPSec Policy or an IPSec Policy Group to an
Interface
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipsec policy policy-name
The IPSec policy or the IPSec policy group is applied to the interface.
Only one IPSec policy group can be applied to an interface, but an IPSec policy group can be applied to multiple interfaces. A manually configured IPSec policy can be applied to only one interface.
After an IPSec policy group is applied to an interface, the ME60 matches the packets sent out of the interface against the IPSec policies in descending order of sequence number. If a packet matches the ACL referenced by an IPSec policy, the ME60 processes the packet according to that policy. If a packet matches none of the ACLs referenced by the IPSec policies, the ME60 forwards it directly, without IPSec encryption.
NOTE
l When you change certain parameters of IPSec and IKE, such as the parameters of an IKE proposal,
IKE peer and IPSec proposal, you must re-apply the IPSec policy to the corresponding interface to
make the changes take effect.
l If the IPSec policies are configured manually, IPSec configuration is completed after the preceding
procedures. If the IPSec policies are configured in IKE negotiation mode, additional IKE configurations
are needed. For details, see chapter 7 "IKE Configuration".
----End
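To see how the lookup order described above decides which policy protects a flow, and which flows leave the interface in cleartext because no ACL covers them, here is an added Python simulation of a policy group with overlapping ACLs; it is not code from the guide or from Huawei, the policies, rules and flows are constructed, and treating a deny match as "not this policy, try the next" is an assumption of the example.

```python
import ipaddress

# Constructed sample policy group (not from the guide). Each entry is
# (sequence number, ACL rules); each rule is
# (action, source, source-wildcard, destination, destination-wildcard).
# Policy 20's ACL covers all of 10.1.0.0/16, so it overlaps policy 10's ACL.
POLICY_GROUP = [
    (10, [("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]),
    (20, [("deny", "10.1.5.0", "0.0.0.255", "10.1.0.0", "0.0.255.255"),
          ("permit", "10.1.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255")]),
]
# Flows the operator intends to protect (constructed).
PLANNED_FLOWS = [
    ("10.1.1.5", "10.1.2.7"),     # covered by both ACLs
    ("10.1.3.1", "10.1.4.1"),     # covered only by policy 20
    ("10.1.5.9", "10.1.2.7"),     # denied by policy 20, not covered by policy 10
    ("192.168.1.1", "10.1.2.1"),  # covered by nothing
]


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are not compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_decides(rules, src, dst):
    """First matching rule wins: 'permit', 'deny', or None if no rule matched."""
    for action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return None


def select_policy(group, src, dst):
    """Return the sequence number of the IPSec policy that protects src -> dst,
    or None when the packet leaves the interface unencrypted. Policies are
    tried in descending sequence-number order, as the guide describes; only a
    permit match protects the flow (a deny match is treated here as "not this
    policy", which is an assumption of this example)."""
    for seq, rules in sorted(group, key=lambda policy: policy[0], reverse=True):
        if acl_decides(rules, src, dst) == "permit":
            return seq
    return None


def unprotected_flows(group, flows):
    """Defender's check: the planned flows that no policy in the group would
    encrypt, i.e. that would cross the interface in cleartext."""
    return [(src, dst) for src, dst in flows if select_policy(group, src, dst) is None]


if __name__ == "__main__":
    for src, dst in PLANNED_FLOWS:
        print(f"{src} -> {dst}: policy {select_policy(POLICY_GROUP, src, dst)}")
    print("unprotected:", unprotected_flows(POLICY_GROUP, PLANNED_FLOWS))
```

Note that the broader ACL of policy 20 shadows policy 10 for the 10.1.1.x to 10.1.2.x flow, and that the two flows in the unprotected list would be forwarded in plaintext without any error.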
6.7 Maintaining IPSec
This section provides the commands for clearing the IPSec statistics and debugging IPSec.
6.7.1 Clearing IPSec Packet Statistics
6.7.2 Debugging IPSec
6.7.1 Clearing IPSec Packet Statistics
CAUTION
IPSec statistics cannot be restored after you clear them. So, confirm the action before you use
the command.
To clear the IPSec statistics, run the following commands in the user view.
Action Command
Clear IPSec packet statistics. reset ipsec statistics
Clear the SA. reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address protocol spi ]

6.7.2 Debugging IPSec
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs during the application of IPSec, run the following debugging command in
the user view to locate the fault. For the procedure for displaying the debugging information,
refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System
Management.
Action Command
Enable IPSec debugging. debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] | misc }

6.8 Configuration Examples
This section provides a configuration example of IPSec.
6.8.1 Example for Establishing an SA Manually
6.8.1 Example for Establishing an SA Manually
Networking Requirements
As shown in Figure 6-3, a security tunnel is configured between ME60 A and ME60 B. The data flows transmitted between subnet 10.1.1.x, represented by PC A, and subnet 10.1.2.x, represented by PC B, are protected. The security protocol is ESP, the encryption algorithm is DES, and the authentication algorithm is SHA-1.
Figure 6-3 Networking of IPSec configuration
[Figure: PC A (10.1.1.2/24) -- ME60 A (LAN side 10.1.1.1/24; Pos1/0/1 202.38.163.1/24) -- Internet -- ME60 B (Pos2/0/1 202.38.162.1/24; LAN side 10.1.2.1/24) -- PC B (10.1.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ACL rules to define the data flows to be protected. Configure an IPSec proposal.
2. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
3. Apply the IPSec policy to the interface.
4. Configure the QoS traffic policy to encrypt user packets.
Data Preparation
To complete the configuration, you need the following data:
l Data flows to be protected (defined in the ACL)
l Security protocol, encryption algorithm, authentication algorithm, and encapsulation mode
l IP addresses of the local end and peer end of the tunnel
l Interface where IPSec is enabled
Configuration Procedure
1. Configure ACLs on ME60 A and ME60 B and define the data flows to be protected.
# Configure an ACL on ME60 A.
<ME60A> system-view
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination
10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit
# Configure an ACL on ME60 B.
<ME60B> system-view
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination
10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit
2. On ME60 A and ME60 B, configure static routes to the peer respectively.
# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
# Configure a static route from ME60 B to ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
Run the ping command on PC A to ping PC B. The ping succeeds.
3. Create IPSec proposals on ME60 A and ME60 B.
# Create an IPSec proposal on ME60 A.
[ME60A] ipsec proposal tran1
[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60A-ipsec-proposal-tran1] transform esp
[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60A-ipsec-proposal-tran1] quit
# Create an IPSec proposal on ME60 B.
[ME60B] ipsec proposal tran1
[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60B-ipsec-proposal-tran1] transform esp
[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60B-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on ME60 A and ME60 B to display the
configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
4. Create IPSec policies on ME60 A and ME60 B.
# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 manual
[ME60A-ipsec-policy-manual-map1-10] security acl 3101
[ME60A-ipsec-policy-manual-map1-10] proposal tran1
[ME60A-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[ME60A-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[ME60A-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[ME60A-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[ME60A-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[ME60A-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[ME60A-ipsec-policy-manual-map1-10] quit
# Create an IPSec policy on ME60 B.
[ME60B] ipsec policy use1 10 manual
[ME60B-ipsec-policy-manual-use1-10] security acl 3101
[ME60B-ipsec-policy-manual-use1-10] proposal tran1
[ME60B-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[ME60B-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[ME60B-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[ME60B-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[ME60B-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[ME60B-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[ME60B-ipsec-policy-manual-use1-10] quit
Run the display ipsec policy command on ME60 A and ME60 B to display the
configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
security data flow : 3101
tunnel local address: 202.38.163.1
tunnel remote address: 202.38.162.1
proposal name:tran1
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
5. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.
# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit
# Apply the IPSec policy to the interface of ME60 B.
[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit
Run the display ipsec sa command on ME60 A and ME60 B to display the configuration.
Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
6. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user
packets.
NOTE
For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the
Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
# Configure the QoS policy on ME60 A.
[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit
# Configure the QoS policy on ME60 B.
[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit
# Apply the QoS policy to ME60 A globally.
[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound
# Apply the QoS policy to ME60 B globally.
[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound
7. Verify the configuration.
After the configuration is complete, PC A can still ping PC B, and the data transmitted
between them is encrypted.
Configuration Files
The following are configuration files of the ME60s.
l Configuration file of ME60 A
#
sysname ME60A
#
acl number 3101
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
security acl 3101
proposal tran1
tunnel local 202.38.163.1
tunnel remote 202.38.162.1
sa spi inbound esp 54321
sa string-key inbound esp gfedcba
sa spi outbound esp 12345
sa string-key outbound esp abcdefg
#
traffic classifier ipsec-using operator or
if-match acl 3101
#
traffic behavior ipsec-using
ipsec
#
traffic policy ipsec-using
classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
undo shutdown
ip address 202.38.163.1 255.255.255.0
ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return
l Configuration file of ME60 B
#
sysname ME60B
#
acl number 3101
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
security acl 3101
proposal tran1
tunnel local 202.38.162.1
tunnel remote 202.38.163.1
sa spi inbound esp 12345
sa string-key inbound esp abcdefg
sa spi outbound esp 54321
sa string-key outbound esp gfedcba
#
traffic classifier ipsec-using operator or
if-match acl 3101
#
traffic behavior ipsec-using
ipsec
#
traffic policy ipsec-using
classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
undo shutdown
ip address 202.38.162.1 255.255.255.0
ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
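Manually keyed SAs fail silently when the two sides do not mirror each other (SPI, key, tunnel addresses, interface binding, ACL flows). As an added example that is not part of the Huawei guide, the following Python script parses the two configuration files above (embedded as constructed sample text, trimmed to the blocks it reads) and reports every mismatch; the function names and the checks are the example's own.

```python
import re
# Constructed sample input: the two configuration files above, trimmed to the blocks read here.
ME60A_CFG = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec policy map1 10 manual
 security acl 3101
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
interface Pos1/0/1
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
#
"""
ME60B_CFG = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec policy use1 10 manual
 security acl 3101
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
interface Pos2/0/1
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
#
"""

def parse_cfg(text: str) -> dict:
    """Extract the ACL flow, the manual IPSec policy and the interface bindings."""
    cfg = {"acl": {}, "policy": {}, "interfaces": {}}
    block = None  # (kind, name) of the configuration block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' closes the current block
            block = None
        elif m := re.match(r"acl number (\d+)$", line):
            block, cfg["acl"][m[1]] = ("acl", m[1]), {}
        elif m := re.match(r"ipsec policy (\S+) \d+ manual$", line):
            block, cfg["policy"] = ("policy", m[1]), {"name": m[1]}
        elif m := re.match(r"interface (\S+)$", line):
            block, cfg["interfaces"][m[1]] = ("if", m[1]), {}
        elif block is None:
            continue
        elif block[0] == "acl" and (m := re.match(
                r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+$", line)):
            cfg["acl"][block[1]] = {"src": m[1], "dst": m[2]}
        elif block[0] == "policy":
            p = cfg["policy"]
            if m := re.match(r"security acl (\d+)$", line):
                p["acl"] = m[1]
            elif m := re.match(r"tunnel (local|remote) (\S+)$", line):
                p[m[1]] = m[2]
            elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
                p["spi_" + m[1]] = int(m[2])
            elif m := re.match(r"sa string-key (inbound|outbound) esp (\S+)$", line):
                p["key_" + m[1]] = m[2]
        elif block[0] == "if":
            if m := re.match(r"ip address (\S+) \S+$", line):
                cfg["interfaces"][block[1]]["addr"] = m[1]
            elif m := re.match(r"ipsec policy (\S+)$", line):
                cfg["interfaces"][block[1]]["policy"] = m[1]
    return cfg

def check_pair(a: dict, b: dict) -> list:
    """Mismatches between two manually keyed peers; an empty list means consistent."""
    pa, pb, problems = a["policy"], b["policy"], []
    # Each side's outbound SPI and key must be the other side's inbound SPI and key.
    for way, x, y in (("A->B", pa, pb), ("B->A", pb, pa)):
        if x.get("spi_outbound") != y.get("spi_inbound"):
            problems.append(f"{way}: outbound SPI {x.get('spi_outbound')} != "
                            f"peer inbound SPI {y.get('spi_inbound')}")
        if x.get("key_outbound") != y.get("key_inbound"):
            problems.append(f"{way}: outbound string-key != peer inbound string-key")
    # Tunnel endpoints must be swapped between the two peers.
    if pa.get("local") != pb.get("remote") or pa.get("remote") != pb.get("local"):
        problems.append("tunnel local/remote addresses are not mirrored")
    # The policy must be applied on the interface that owns the tunnel local address.
    for tag, cfg, p in (("A", a, pa), ("B", b, pb)):
        bound = [i for i in cfg["interfaces"].values() if i.get("policy") == p.get("name")]
        if not bound or bound[0].get("addr") != p.get("local"):
            problems.append(f"{tag}: policy {p.get('name')} not on the interface holding {p.get('local')}")
    # Protected flows must be mirrored: A's source subnet is B's destination subnet.
    fa, fb = a["acl"].get(pa.get("acl"), {}), b["acl"].get(pb.get("acl"), {})
    if fa.get("src") != fb.get("dst") or fa.get("dst") != fb.get("src"):
        problems.append("ACL flows are not mirrored between the peers")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_cfg(ME60A_CFG), parse_cfg(ME60B_CFG)) or "consistent")
```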
7 IKE Configuration
About This Chapter
This chapter describes the fundamentals, implementation, and configuration of IKE.
7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.2 Setting the Local ID Used in IKE Negotiation
This section describes how to set the local ID used in IKE negotiation.
7.3 Configuring an IKE Security Proposal
This section describes how to configure an IKE security proposal.
7.4 Configuring Attributes of the IKE Peer
This section describes how to configure the attributes of the IKE peer.
7.5 Tuning the IKE Configuration
This section describes how to fine-tune the configuration of IKE.
7.6 Maintaining IKE
This section provides the commands for displaying and clearing the IKE information and
debugging IKE.
7.7 Configuration Examples
This section provides a configuration example of IKE.
7.1 Introduction
This section describes the concept and fundamentals of IKE.
7.1.1 Overview of IKE
7.1.2 NAT Traversal in IPSec
7.1.3 IKE Features of the ME60
7.1.1 Overview of IKE
IKE Protocol
An IPSec security association (SA) can be set up manually. As the number of nodes on the network
increases, however, manual configuration becomes difficult and network security is hard to ensure. In such
cases, you can use the Internet Key Exchange (IKE) protocol to automatically set up an SA and
perform key exchange.
IKE is based on the framework defined by the Internet Security Association and Key
Management Protocol (ISAKMP). It simplifies the use and management of IPSec by
automatically negotiating the key exchange and setting up SA for IPSec.
IKE has a self-protection mechanism to safely distribute keys, authenticate IDs, and establish
IPSec SAs even on insecure networks.
Security Mechanism of IKE
l Diffie-Hellman (DH) exchange and shared key distribution
The DH algorithm is a public-key algorithm. The two communicating parties calculate the
shared key from the data they exchange, without ever transmitting the shared key itself. Encryption
requires that both parties hold the same shared key. The merit of IKE is that it never
transmits the shared key directly over an insecure network but derives it from a series of
exchanged values. Even if a third party (a hacker, for example) captures all the
exchanged data used to calculate the shared key, the third party cannot figure out the real
shared key.
l PFS
With Perfect Forward Secrecy (PFS), the compromise of one key has no impact on the security of
other keys, because the keys are not derived from one another. The PFS feature is
implemented by performing an additional key exchange during IKE phase 2 negotiation. PFS is ensured
by the DH algorithm.
l Identity authentication
Identity authentication is the process of authenticating both parties in communication. In
the pre-shared key authentication method, an authenticator is used to generate a shared key.
Different authenticators cannot generate the same shared key between the
two parties. The authenticator is, therefore, the key to identity authentication for both
parties.
l Identity protection
Once the shared key is generated, the identity data is sent in encrypted mode, thus protecting
the identity data.
IKE Exchange Phases
IKE undergoes the following two phases to negotiate the IPSec shared key and set up the
SA:
1. The communicating parties establish a channel that provides identity authentication and
security protection. An ISAKMP security association (ISAKMP SA or IKE SA) is
established through the exchange in this phase.
2. The IKE SA established in phase 1 protects the IPSec negotiation, that is, the negotiation of
a specific SA for IPSec and the establishment of an IPSec SA. The IPSec SA is used for secure
transmission of the final IP data.
The process of setting up an SA is as follows.
Figure 7-1 Process of setting up an SA
[Figure: Router A and Router B. Step 1: matched data streams are forwarded over the interface applying IPSec. Step 2: trigger the SA in phase 1 of IKE negotiation. Step 3: negotiate the IPSec SA in phase 2 of IKE negotiation under the protection of the phase 1 SA. Step 4: communicate under the protection of the phase 2 SA.]

If IPSec is enabled on an interface, packets sent from this interface are matched against the IPSec
policies.
1. If a packet matches an IPSec policy, the corresponding SA is searched for. If the SA has not
been set up, IKE is triggered to negotiate the phase 1 SA, that is, the IKE SA.
2. Under the protection of the IKE SA, IKE continues to negotiate the phase 2 SA, that is, the IPSec
SA.
3. The IPSec SA is used to protect the data in communication.
IKE Negotiation Modes
As defined in RFC 2409 (The Internet Key Exchange), in phase 1 of IKE, the two negotiation
modes that can be adopted are the main mode and the aggressive mode.
l In the main mode, the key exchange information is separated from the identity and
authentication information so that the identity information is protected: the generated DH shared
key encrypts the exchanged identity information. This, however, takes three extra messages to
complete the process.
l In the aggressive mode, the payloads associated with the SA, key exchange, and authentication
can be carried in a single message, which reduces the number of message round trips
but cannot provide identity protection.
Despite the limitations of the aggressive mode, it meets the demands in a specific networking
environment. For example, in remote access, the responder (the server) cannot predict the
address of the initiator (the terminal user); or the address of the initiator is always changing, and
both parties wish to create an IKE SA through the pre-shared key authentication. In this case,
the aggressive mode without identity protection is the only available exchange method. In
addition, if the initiator has learned about the responder's policy or has a comprehensive
understanding of it, the aggressive mode can create the IKE SA faster.
7.1.2 NAT Traversal in IPSec
NAT Traversal
One of the main applications of IPSec is to create VPNs. In actual networking, if the initiator
resides on a private network and intends to create an IPSec tunnel directly with the remote
responder, both IPSec and NAT are required. The main problems are that IKE has to discover,
during negotiation, whether a NAT gateway exists between the two endpoints and where it is, and
that IKE must enable ESP packets to traverse the NAT gateway normally.
In the first step, the two ends between which the IPSec tunnel is created negotiate the
NAT traversal capability. This is done in the first two messages of IKE negotiation by identifying
a set of data carried in the vendor ID payload. The definition of the payload data varies according
to the adopted draft version.
NAT gateway discovery is implemented through the NAT-D payload. The payload is used
to discover the NAT gateway between the IKE peers and to determine on which side of the peers
the NAT device resides. The peer on the NAT side acts as the initiator and needs to send NAT keepalive
packets periodically so that the NAT gateway keeps the security tunnel in the active state.
NAT Traversal in IPSec
NAT traversal in IPSec adds a standard UDP header between the IP and ESP headers of the
original packet (the AH mode is not involved). When an ESP packet traverses the NAT gateway,
NAT translates the address and port number in the outer IP header of the packet and in the
added UDP header. When the translated packet reaches the remote end of the IPSec tunnel, it is
processed in the same way as a common IPSec packet. A UDP header, however, also needs
to be added between the IP and ESP headers when the response packet is sent.
7.1.3 IKE Features of the ME60
The ME60 supports the main mode and the aggressive mode of IKE and implements them based
on RFC 2408 and RFC 2409; therefore, the ME60 can interwork with the equipment of other major
vendors.
To implement NAT traversal of IPSec on the ME60, use the aggressive mode
in the first phase of the IKE negotiation and set the peer ID type to the peer name. In addition,
adopt ESP and encapsulate packets in tunnel mode when configuring the IPSec
proposal.
On the ME60, do as follows to implement IKE:
1. Set the local ID used in the IKE negotiation.
2. Set attributes for the IKE peer, including the IKE negotiation mode, pre-shared key value,
peer address or peer ID, and NAT traversal, to ensure the correctness of the IKE negotiation.
3. Create an IKE proposal to determine the algorithm strength used during the IKE exchange, that
is, the strength of the security protection (including the identity authentication method, encryption
algorithm, authentication algorithm, and DH group). The stronger the algorithm, the harder it is to decrypt the protected
data; however, more calculation resources are
consumed. The longer the shared key, the higher the algorithm strength.
4. Apart from these basic procedures, IKE also has a keepalive mechanism to determine
whether the peer can still communicate normally. You can, therefore, also configure the interval
and timeout of the keepalive packets. When NAT traversal of IPSec is configured, you
can also configure the interval for sending NAT update packets.
NOTE
After the preceding configuration is complete, you need to reference the IKE peer in the IPSec policy view
to complete the IPSec configuration through auto-negotiation. For more information on IPSec adopting
the IKE peer, see chapter 6 "IPSec Configuration."
7.2 Setting the Local ID Used in IKE Negotiation
This section describes how to set the local ID used in IKE negotiation.
7.2.1 Establishing the Configuration Task
7.2.2 Setting the Local ID Used in IKE Negotiation
7.2.1 Establishing the Configuration Task
Applicable Environment
The local router ID needs to be configured in the IKE negotiation when aggressive mode is
adopted. It is not necessary when the main mode is adopted.
Pre-configuration Task
None.
Data Preparation
To configure the local ID used in IKE negotiation, you need the following data.
No. Data
1 ID of the local router

7.2.2 Setting the Local ID Used in IKE Negotiation
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike local-name router-name
The local ID used in the IKE negotiation is specified.
----End
7.3 Configuring an IKE Security Proposal
This section describes how to configure an IKE security proposal.
7.3.1 Establishing the Configuration Task
7.3.2 Creating the IKE Security Proposal and Entering the IKE Security Proposal View
7.3.3 Specifying an Encryption Algorithm
7.3.4 Specifying an Authentication Method
7.3.5 Configuring the Authentication Algorithm
7.3.6 Specifying a DH Group
7.3.7 Configuring the Duration of ISAKMP SA
7.3.8 Checking the Configuration
7.3.1 Establishing the Configuration Task
Applicable Environment
An IKE security proposal needs to be configured in the IKE negotiation. The IKE security
proposal is used to establish a security channel. Users can create multiple IKE security proposals
based on priority, but the two parties in negotiation must have at least one matched IKE security
proposal to ensure successful negotiation.
Pre-configuration Task
None.
Data Preparation
To configure an IKE security proposal, you need the following data.
No. Data
1 Priority of the IKE security proposal
2 Encryption algorithm, DES or 3DES
3 Authentication algorithm, MD5 or SHA
4 DH group ID, selected from group 1 (768 bits) or group 2 (1024 bits)
5 Duration of ISAKMP SA (ranging from 60 seconds to 604800 seconds)

7.3.2 Creating the IKE Security Proposal and Entering the IKE
Security Proposal View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
An IKE security proposal is created and the IKE security proposal view is displayed.
l Multiple IKE proposals can be created for each party of the IKE negotiation. During the
negotiation, the proposal of the highest priority owned by both parties is matched first. The
matching rule is that both parties in negotiation must have the same encryption algorithm,
authentication algorithm, authentication method, and DH group ID.
l The system provides a built-in IKE proposal named default. The default IKE proposal has the lowest
priority. By default, the authentication algorithm is SHA1; the authentication is based on the
pre-shared key; the encryption algorithm is DES-CBC; the DH group ID is MODP_768; the
duration of the SA is 86400 seconds.
----End
7.3.3 Specifying an Encryption Algorithm
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
The IKE security proposal view is displayed.
Step 3 Run:
encryption-algorithm { des-cbc | 3des-cbc }
The encryption algorithm is specified.
Currently, the available algorithms are DES and 3DES in CBC mode.
By default, the IKE proposal adopts the DES encryption algorithm in CBC mode.
----End
7.3.4 Specifying an Authentication Method
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
The IKE security proposal view is displayed.
Step 3 Run:
authentication-method pre-share
The authentication method is specified.
The ME60 can use only the pre-shared key authentication. By default, the IKE proposal uses
the pre-shared key authentication.
----End
7.3.5 Configuring the Authentication Algorithm
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
The IKE security proposal view is displayed.
Step 3 Run:
authentication-algorithm { md5 | sha }
The authentication algorithm is specified.
By default, the SHA-1 authentication algorithm is adopted.
----End
7.3.6 Specifying a DH Group
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
The IKE security proposal view is displayed.
Step 3 Run:
dh { group1 | group2 }
The DH group is specified.
By default, the 768-bit DH group (group1) is used.
----End
7.3.7 Configuring the Duration of ISAKMP SA
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal priority-level
The IKE security proposal view is displayed.
Step 3 Run:
sa duration seconds
The duration of the ISAKMP SA is configured.
l If the duration expires, the ISAKMP SA is updated automatically. The duration can be set to
a value ranging from 60 to 604800, in seconds. DH calculation is performed during IKE
negotiation and takes a relatively long time. To avoid affecting secure
communication when the ISAKMP SA is updated, set the duration to a value larger than
10 minutes.
l A new SA is negotiated before the old one expires. The old SA is still in use before the new
SA is set up. The new SA takes effect as soon as it is established and the old one is
automatically deleted after its duration expires.
l By default, the duration of ISAKMP SA is 86400 seconds (a day).
----End
7.3.8 Checking the Configuration
Run the following command to check the previous configuration.
Action                                  Command
Check the parameters of IKE proposals.  display ike proposal

7.4 Configuring Attributes of the IKE Peer
This section describes how to configure the attributes of the IKE peer.
7.4.1 Establishing the Configuration Task
7.4.2 Creating an IKE Peer and Entering the IKE Peer View
7.4.3 Configuring the IKE Negotiation Mode
7.4.4 Configuring the IKE Security Proposal
7.4.5 Configuring the Local ID Type
7.4.6 Configuring NAT Traversal in IPSec
7.4.7 Configuring the Identity Authenticator
7.4.8 Configuring the Peer IP Address or Address Segment
7.4.9 Configuring the Peer Name
7.4.10 Checking the Configuration
7.4.1 Establishing the Configuration Task
Applicable Environment
The attributes of the IKE peer need to be configured before the IKE negotiation.
Pre-configuration Task
Before configuring the attributes of the IKE peer, complete the following tasks:
l Configuring the IKE Security Proposal
l Configuring the local ID used in the IKE negotiation when aggressive mode is adopted
Data Preparation
To configure the attribute of the IKE peer, you need the following data.
No. Data
1 Name of the IKE peer
2 IKE negotiation mode
3 Number of the IKE proposal, ranging from 1 to 100
4 Type of the local ID: IP address or name of the local router
5 Whether NAT traversal is required for IPSec
6 Authenticator (a string of 1-127 characters)
7 IP address of the peer, in dotted decimal notation
8 Name of the peer (a string of 1 to 15 characters)

7.4.2 Creating an IKE Peer and Entering the IKE Peer View
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
An IKE peer is created and the IKE peer view is displayed.
----End
7.4.3 Configuring the IKE Negotiation Mode
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
exchange-mode { main | aggressive }
The IKE negotiation mode is specified.
By default, the main mode is used in the IKE negotiation.
----End
7.4.4 Configuring the IKE Security Proposal
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
ike-proposal proposal-number
The IKE proposal is configured.
In the aggressive mode, by default, the first configured IKE proposal is used in the negotiation;
in the main mode, all the IKE proposals are used in the negotiation.
----End
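The proposal-matching rule of 7.3.2 (same encryption algorithm, authentication algorithm, authentication method and DH group; highest priority first; the built-in default proposal last) and the main/aggressive difference of 7.4.4 (all proposals versus only the first configured one) decide which algorithms an IKE SA ends up with. As an added example that is not part of the Huawei guide, the following Python model plays both rules through for two constructed peers; the class and function names, the numeric sentinel priority given to the default proposal, and the reading of "first configured" as the first element of the configured list are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    """One 'ike proposal <priority-level>' entry; a smaller number means a higher priority."""
    priority: int
    encryption: str                 # des-cbc | 3des-cbc
    auth_algorithm: str             # md5 | sha
    dh_group: str                   # group1 (768-bit) | group2 (1024-bit)
    auth_method: str = "pre-share"  # the only authentication method the ME60 supports
    sa_duration: int = 86400        # ISAKMP SA duration; not part of the matching rule


# The built-in proposal named "default": lowest priority, SHA1, pre-shared key, DES-CBC,
# MODP_768 (group1), 86400 s. The huge numeric priority is an assumed sentinel.
DEFAULT_PROPOSAL = IkeProposal(10**9, "des-cbc", "sha", "group1")


def proposals_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Matching rule: same encryption, authentication algorithm, method and DH group."""
    return (a.encryption, a.auth_algorithm, a.auth_method, a.dh_group) == \
           (b.encryption, b.auth_algorithm, b.auth_method, b.dh_group)


def offered_proposals(configured: List[IkeProposal], exchange_mode: str) -> List[IkeProposal]:
    """Proposals the initiator puts forward, in the order they are tried.

    Main mode offers every configured proposal, highest priority first; aggressive mode
    offers only the first configured one (assumed here to be configured[0]). The built-in
    default proposal is always present as the last candidate on both sides.
    """
    if exchange_mode == "main":
        chosen = sorted(configured, key=lambda p: p.priority)
    elif exchange_mode == "aggressive":
        chosen = configured[:1]
    else:
        raise ValueError(f"unknown IKE exchange mode: {exchange_mode}")
    return chosen + [DEFAULT_PROPOSAL]


def negotiate(initiator: List[IkeProposal], responder: List[IkeProposal],
              exchange_mode: str) -> Optional[Tuple[IkeProposal, IkeProposal]]:
    """Return (initiator proposal, responder proposal) for the first match, else None."""
    responder_order = sorted(responder, key=lambda p: p.priority) + [DEFAULT_PROPOSAL]
    for mine in offered_proposals(initiator, exchange_mode):
        for theirs in responder_order:
            if proposals_match(mine, theirs):
                return mine, theirs
    return None


def fell_back_to_default(result: Optional[Tuple[IkeProposal, IkeProposal]]) -> bool:
    """True when nothing the administrator configured matched and the negotiation
    completed on the built-in default (DES-CBC with the 768-bit DH group)."""
    return result is not None and result[0] is DEFAULT_PROPOSAL


# Constructed sample configurations for two peers.
PEER_A = [IkeProposal(10, "3des-cbc", "sha", "group2"),
          IkeProposal(20, "des-cbc", "md5", "group1")]
PEER_B_FULL = [IkeProposal(5, "des-cbc", "md5", "group1"),
               IkeProposal(30, "3des-cbc", "sha", "group2")]
PEER_B_WEAK = [IkeProposal(5, "des-cbc", "md5", "group1")]  # no 3DES/group2 entry

if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        for label, peer_b in (("full", PEER_B_FULL), ("weak", PEER_B_WEAK)):
            result = negotiate(PEER_A, peer_b, mode)
            mine, theirs = result
            print(f"{mode:10} responder={label:4} -> {mine.encryption}/{mine.auth_algorithm}/"
                  f"{mine.dh_group} (initiator #{mine.priority}, responder #{theirs.priority})"
                  f"{'  [default fallback]' if fell_back_to_default(result) else ''}")
```

The aggressive-mode run against the weak responder shows the consequence of the lowest-priority default: when the single offered proposal does not match, the negotiation still completes on DES-CBC with the 768-bit group, so a peer that expects 3DES should make sure its first proposal is the one the remote end accepts.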
7.4.5 Configuring the Local ID Type
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
local-id-type { ip | name }
The type of the local ID is configured.
The IP address or name of the local router can be used as ID in the IKE negotiation. By default,
the IP address is used as the local ID.
In the aggressive mode, the name is used as the local ID. In the main mode, the local ID does not
need to be configured, but the name cannot be used as the local ID.
----End
7.4.6 Configuring NAT Traversal in IPSec
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
nat traversal
The NAT traversal is enabled for IPSec.
By default, NAT traversal is disabled.
----End
7.4.7 Configuring the Identity Authenticator
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
pre-shared-key key
The identity authenticator is configured.
If pre-shared key authentication is selected, the pre-shared key needs to be configured for
each peer. The same pre-shared key must be configured on both peers that set up the security
connection.
----End
7.4.8 Configuring the Peer IP Address or Address Segment
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
remote-address low-ip-address [ high-ip-address ]
The IP address or the address segment of the peer is configured.
NOTE
When the address segment is configured, only the IPSec policy template can adopt this IKE peer.
----End
7.4.9 Configuring the Peer Name
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name
The IKE peer view is displayed.
Step 3 Run:
remote-name name
The name of the peer is configured.
----End
7.4.10 Checking the Configuration
Run the following command to check the previous configuration.
Action                                      Command
Check the configuration of the IKE peer.    display ike peer [ name peer-name ]
7.5 Tuning the IKE Configuration
This section describes how to fine-tune the configuration of IKE.
7.5.1 Establishing the Configuration Task
7.5.2 Setting the Interval of Keepalive Packets
7.5.3 Setting the Timeout Time of Keepalive Packets
7.5.4 Setting the Interval of NAT Update Packets
7.5.1 Establishing the Configuration Task
Applicable Environment
IKE maintains the ISAKMP SA by sending keepalive packets at a fixed interval. If you set the keepalive
timeout on one end, you must set the keepalive interval on the other end. If an end does not receive a
keepalive packet within the timeout time, it marks the ISAKMP SA as timed out; if the ISAKMP SA is already
marked timed out, it is deleted together with the IPSec SAs negotiated under it. The timeout time must
therefore be longer than the peer's keepalive interval.
You also need to set the interval at which an ISAKMP SA sends NAT keepalive (update) packets. The peer
behind the NAT device, acting as the initiator, sends NAT keepalive packets periodically so that the NAT
mapping, and thus the security tunnel, stays active.
CAUTION
- The interval of keepalive packets and the timeout time of the keepalive packets must be set on the ME60
  simultaneously.
- The interval and timeout must match on the two ends. That is, if you set the timeout time of the keepalive
  packets on one ME60, you must set the interval of keepalive packets on the peer ME60.
- The interval of keepalive packets on one end must be shorter than the timeout time set on the peer.
Pre-configuration Task
Before tuning the IKE configuration, complete the following tasks:
- Setting the Local ID Used in IKE Negotiation
- Configuring the IKE Security Proposal
- Configuring Attributes of the IKE Peer
Data Preparation
To tune the IKE configuration, you need the following data.
No.   Data
1     Interval of keepalive packets
2     Timeout time of keepalive packets
3     Interval of NAT update packets
7.5.2 Setting the Interval of Keepalive Packets
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike sa keepalive-timer interval seconds
The interval for sending keepalive packets from the ISAKMP SA is set.
By default, this function is unavailable.
----End
7.5.3 Setting the Timeout Time of Keepalive Packets
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike sa keepalive-timer timeout seconds
The timeout time of the keepalive packet is configured.
- On a network, packet loss rarely occurs more than three times consecutively, so the timeout time can be set
  to three times the interval of keepalive packets on the peer.
- By default, this function is unavailable.
----End
7.5.4 Setting the Interval of NAT Update Packets
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike sa nat-keepalive-timer interval seconds
The interval for sending NAT update packets from the ISAKMP SA is set.
By default, the ISAKMP SA sends NAT update packets every 20 seconds when NAT traversal
is enabled.
----End
7.6 Maintaining IKE
This section provides the commands for displaying and clearing the IKE information and
debugging IKE.
7.6.1 Displaying the IKE Configuration
7.6.2 Clearing the Security Tunnel
7.6.3 Debugging IKE
7.6.1 Displaying the IKE Configuration
To check the configuration of IKE, run the following command in any view.
Action                                                         Command
Display information about the established security channel.   display ike sa
7.6.2 Clearing the Security Tunnel
CAUTION
Clearing the security channel allows data transmission without protection. Confirm the action
before you run the command.
To clear the established security tunnel, run the following command in the user view.
Action                                     Command
Clear the established security channel.    reset ike sa [ connection-id ]
To delete a specific security channel, specify the connection-id of the SA. Run the display ike sa
command to view the connection-id of the current SAs. The information about one security channel (that is,
one peer) consists of the SAs of phase 1 and phase 2.
After the local SA is deleted, if the phase 1 ISAKMP SA still exists, the local end sends a deletion
message to the peer under the protection of the ISAKMP SA so that the peer can clear its SA database.
If connection-id is not specified, all phase 1 SAs are deleted.
NOTE
A security channel is different from a security association (SA). A security channel is a bidirectional channel
whose two ends can interoperate with each other; an SA is a unidirectional connection.
7.6.3 Debugging IKE
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs during the application of IKE, run the following debugging command in
the user view to locate the fault. For the procedure for displaying the debugging information,
refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - System
Management.
Action                      Command
Enable debugging of IKE.    debugging ike { all | error | exchange | message | misc | transport }
7.7 Configuration Examples
This section provides a configuration example of IKE.
7.7.1 Example for Establishing an SA Through IKE Negotiation
7.7.1 Example for Establishing an SA Through IKE Negotiation
Networking Requirements
As shown in Figure 7-2, a security tunnel is configured between ME60 A and ME60 B. The data flows
transmitted between subnet 10.1.1.x, represented by PC A, and subnet 10.1.2.x, represented by PC B, are
protected. The security protocol is ESP; the encryption algorithm is DES; the authentication algorithm is
SHA-1.
Figure 7-2 Networking of IKE configuration
(Figure not reproduced. Topology: PC A 10.1.1.2/24 -- 10.1.1.1/24 ME60 A Pos1/0/1 202.38.163.1/24 --
Internet -- Pos2/0/1 202.38.162.1/24 ME60 B 10.1.2.1/24 -- PC B 10.1.2.2/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local host ID, IKE proposal, and IKE peer.
2. Configure ACL rules to specify the data flow to be protected.
3. Configure static routes to the peer subnet.
4. Configure an IPSec proposal.
5. Configure an IPSec policy and apply the ACL and the IPSec proposal to the IPSec policy.
6. Apply the IPSec policy to the interface.
7. Configure the QoS traffic policy so that the matching user packets are encrypted.
Data Preparation
To complete the configuration, you need the following data:
- ID of the local device
- Encryption algorithm and authentication algorithm used in IKE negotiation
- IP address and name of the peer device
- Interface where IPSec is enabled
Configuration Procedure
1. Configure the local host ID, IKE proposal, and IKE peer on ME60 A and ME60 B.
# Configure the local ID used by ME60 A in IKE negotiation.
<ME60A> system-view
[ME60A] ike local-name huawei01
# Configure the IKE proposal of ME60 A.
[ME60A] ike proposal 1
[ME60A-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60A-ike-proposal-1] dh group1
[ME60A-ike-proposal-1] sa duration 43200
[ME60A-ike-proposal-1] quit
# Configure the IKE peer of ME60 A.
[ME60A] ike peer ME60B
[ME60A-ike-peer-ME60B] exchange-mode aggressive
[ME60A-ike-peer-ME60B] ike-proposal 1
[ME60A-ike-peer-ME60B] local-id-type name
[ME60A-ike-peer-ME60B] pre-shared-key huawei
[ME60A-ike-peer-ME60B] remote-name huawei02
[ME60A-ike-peer-ME60B] remote-address 202.38.162.1
[ME60A-ike-peer-ME60B] quit
NOTE
In the aggressive mode, you need to configure remote-address on the negotiation initiator.
# Configure the local ID used by ME60 B in IKE negotiation.
<ME60B> system-view
[ME60B] ike local-name huawei02
# Configure the IKE proposal of ME60 B.
[ME60B] ike proposal 1
[ME60B-ike-proposal-1] encryption-algorithm 3des-cbc
[ME60B-ike-proposal-1] dh group1
[ME60B-ike-proposal-1] sa duration 43200
[ME60B-ike-proposal-1] quit
# Configure the IKE peer of ME60 B.
[ME60B] ike peer ME60A
[ME60B-ike-peer-ME60A] exchange-mode aggressive
[ME60B-ike-peer-ME60A] ike-proposal 1
[ME60B-ike-peer-ME60A] local-id-type name
[ME60B-ike-peer-ME60A] pre-shared-key huawei
[ME60B-ike-peer-ME60A] remote-name huawei01
[ME60B-ike-peer-ME60A] remote-address 202.38.163.1
[ME60B-ike-peer-ME60A] quit
Run the display ike peer command on ME60 A and ME60 B to display the configuration.
Take ME60 A for example.
[ME60A] display ike peer
---------------------------
IKE Peer: ME60b
exchange mode: aggressive on phase 1
pre-shared-key: huawei
proposal: 1
local id type: name
peer ip address: 202.38.162.1
peer name: huawei02
nat traversal: disable
---------------------------
2. Configure ACLs on ME60 A and ME60 B and define the data flows to be protected.
# Configure an ACL on ME60 A.
[ME60A] acl number 3101
[ME60A-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination
10.1.2.0 0.0.0.255
[ME60A-acl-adv-3101] quit
# Configure an ACL on ME60 B.
[ME60B] acl number 3101
[ME60B-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination
10.1.1.0 0.0.0.255
[ME60B-acl-adv-3101] quit
3. On ME60 A and ME60 B, configure static routes to the peer respectively.
# Configure a static route from ME60 A to ME60 B.
[ME60A] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
# Configure a static route from ME60 B to ME60 A.
[ME60B] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
4. Create IPSec proposals on ME60 A and ME60 B.
# Create an IPSec proposal on ME60 A.
[ME60A] ipsec proposal tran1
[ME60A-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60A-ipsec-proposal-tran1] transform esp
[ME60A-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60A-ipsec-proposal-tran1] quit
# Create an IPSec proposal on ME60 B.
[ME60B] ipsec proposal tran1
[ME60B-ipsec-proposal-tran1] encapsulation-mode tunnel
[ME60B-ipsec-proposal-tran1] transform esp
[ME60B-ipsec-proposal-tran1] esp encryption-algorithm des
[ME60B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[ME60B-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on ME60 A and ME60 B to display the
configuration. Take ME60 A for example.
[ME60A] display ipsec proposal
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
5. Create IPSec policies on ME60 A and ME60 B.
# Create an IPSec policy on ME60 A.
[ME60A] ipsec policy map1 10 isakmp
[ME60A-ipsec-policy-isakmp-map1-10] ike-peer ME60B
[ME60A-ipsec-policy-isakmp-map1-10] proposal tran1
[ME60A-ipsec-policy-isakmp-map1-10] security acl 3101
[ME60A-ipsec-policy-isakmp-map1-10] quit
# Create an IPSec policy on ME60 B.
[ME60B] ipsec policy use1 10 isakmp
[ME60B-ipsec-policy-isakmp-use1-10] ike-peer ME60A
[ME60B-ipsec-policy-isakmp-use1-10] proposal tran1
[ME60B-ipsec-policy-isakmp-use1-10] security acl 3101
[ME60B-ipsec-policy-isakmp-use1-10] quit
Run the display ipsec policy command on ME60 A and ME60 B to display the
configuration. Take ME60 A for example.
[ME60A] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3101
ike-peer name: ME60B
perfect forward secrecy: None
proposal name: tran1
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
6. Apply the IPSec policies to the interfaces of ME60 A and ME60 B.
# Apply the IPSec policy to the interface of ME60 A.
[ME60A] interface pos1/0/1
[ME60A-Pos1/0/1] ip address 202.38.163.1 255.255.255.0
[ME60A-Pos1/0/1] ipsec policy map1
[ME60A-Pos1/0/1] undo shutdown
[ME60A-Pos1/0/1] quit
# Apply the IPSec policy to the interface of ME60 B.
[ME60B] interface pos2/0/1
[ME60B-Pos2/0/1] ip address 202.38.162.1 255.255.255.0
[ME60B-Pos2/0/1] ipsec policy use1
[ME60B-Pos2/0/1] undo shutdown
[ME60B-Pos2/0/1] quit
Run the display ipsec sa command on ME60 A and ME60 B to display the configuration.
Take ME60 A for example.
[ME60A] display ipsec sa
===============================
Interface: pos1/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
7. Configure the QoS traffic policy on ME60 A and ME60 B so that the ME60s encrypt user
packets.
NOTE
For the configuration of the QoS policy, see chapter 2 "Class-based QoS Configuration" of the
Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
# Configure the QoS policy on ME60 A.
[ME60A] traffic classifier ipsec-using
[ME60A-classifier-ipsec-using] if-match acl 3101
[ME60A-classifier-ipsec-using] quit
[ME60A] traffic behavior ipsec-using
[ME60A-behavior-ipsec-using] ipsec
[ME60A-behavior-ipsec-using] quit
[ME60A] traffic policy ipsec-using
[ME60A-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60A-trafficpolicy-ipsec-using] quit
# Configure the QoS policy on ME60 B.
[ME60B] traffic classifier ipsec-using
[ME60B-classifier-ipsec-using] if-match acl 3101
[ME60B-classifier-ipsec-using] quit
[ME60B] traffic behavior ipsec-using
[ME60B-behavior-ipsec-using] ipsec
[ME60B-behavior-ipsec-using] quit
[ME60B] traffic policy ipsec-using
[ME60B-trafficpolicy-ipsec-using] classifier ipsec-using behavior ipsec-using
[ME60B-trafficpolicy-ipsec-using] quit
# Apply the QoS policy to ME60 A globally.
[ME60A] traffic-policy ipsec-using inbound
[ME60A] traffic-policy ipsec-using outbound
# Apply the QoS policy to ME60 B globally.
[ME60B] traffic-policy ipsec-using inbound
[ME60B] traffic-policy ipsec-using outbound
8. Verify the configuration.
After the configuration is complete, PC A can still ping PC B, and the data transmitted between them is
encrypted.
Run the display ike sa command on ME60 A. The display is as follows:
[ME60A] display ike sa
connection-id peer vpn flag phase doi
--------------------------------------------------------------
14 202.38.162.1 0 RD|ST 1 IPSEC
16 202.38.162.1 0 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
Configuration Files
The following are the configuration files of the ME60s.
- Configuration file of ME60 A
#
sysname ME60A
#
ike local-name huawei01
#
acl number 3101
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
encryption-algorithm 3des-cbc
sa duration 43200
#
ike peer ME60B
exchange-mode aggressive
pre-shared-key huawei
ike-proposal 1
local-id-type name
remote-name huawei02
remote-address 202.38.162.1
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer ME60B
proposal tran1
#
traffic classifier ipsec-using operator or
if-match acl 3101
#
traffic behavior ipsec-using
ipsec
#
traffic policy ipsec-using
classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos1/0/1
undo shutdown
ip address 202.38.163.1 255.255.255.0
ipsec policy map1
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return
- Configuration file of ME60 B
#
sysname ME60B
#
ike local-name huawei02
#
acl number 3101
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
encryption-algorithm 3des-cbc
sa duration 43200
#
ike peer ME60A
exchange-mode aggressive
pre-shared-key huawei
ike-proposal 1
local-id-type name
remote-name huawei01
remote-address 202.38.163.1
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer ME60A
proposal tran1
#
traffic classifier ipsec-using operator or
if-match acl 3101
#
traffic behavior ipsec-using
ipsec
#
traffic policy ipsec-using
classifier ipsec-using behavior ipsec-using
traffic-policy ipsec-using inbound
traffic-policy ipsec-using outbound
#
interface Pos2/0/1
undo shutdown
ip address 202.38.162.1 255.255.255.0
ipsec policy use1
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return
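The guide states several rules that only hold across the two ends of the tunnel: the same pre-shared key on both peers (7.4.7), each end's remote-name equal to the other end's ike local-name (7.4.5, 7.4.9), remote-address equal to an interface address of the peer (7.4.8), security ACLs that mirror each other, and a keepalive interval shorter than the peer's keepalive timeout (7.5.1). The following Python program is an added example, not part of this guide and not ME60 code: it parses configuration text in the format of the configuration files above and reports every violation of those rules. The sample configurations are trimmed copies of the ME60 A and ME60 B files above; the keepalive timer values (20 s and 60 s) and the deliberately broken second variant are constructed for the example.

```python
"""Cross-check the two ends of an ME60 IKE/IPSec configuration.

Added example, not Huawei's code. It parses text in the format of the
"Configuration Files" above and verifies the cross-end rules the guide
states in prose: same pre-shared key (7.4.7), remote-name equal to the peer's
ike local-name (7.4.5, 7.4.9), remote-address equal to a peer interface
address (7.4.8), mirror-image security ACLs, and a keepalive interval shorter
than the peer's keepalive timeout (7.5.1).
"""
import re
from typing import Dict, List, Optional


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level command line to its indented sub-command lines."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            current = None                      # block separator
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.rstrip()
            blocks.setdefault(current, [])
    return blocks


def summarize(text: str) -> dict:
    """Extract the fields that must agree between the two ends."""
    s = {"local_name": None, "peer": {}, "addresses": set(),
         "acl_rules": set(), "ka_interval": None, "ka_timeout": None}
    for key, body in parse_config(text).items():
        words = key.split()
        if key.startswith("ike local-name "):
            s["local_name"] = words[2]
        elif key.startswith("ike peer "):
            for cmd in body:                    # e.g. "remote-name huawei02"
                c = cmd.split(maxsplit=1)
                s["peer"][c[0]] = c[1] if len(c) > 1 else ""
        elif key.startswith("interface "):
            for cmd in body:
                m = re.match(r"ip address (\S+) \S+", cmd)
                if m:
                    s["addresses"].add(m.group(1))
        elif key.startswith("acl number "):
            for cmd in body:
                m = re.search(r"source (\S+ \S+) destination (\S+ \S+)", cmd)
                if m:
                    s["acl_rules"].add((m.group(1), m.group(2)))
        elif key.startswith("ike sa keepalive-timer interval "):
            s["ka_interval"] = int(words[-1])
        elif key.startswith("ike sa keepalive-timer timeout "):
            s["ka_timeout"] = int(words[-1])
    return s


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the list of mismatches; an empty list means the two ends agree."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    problems: List[str] = []
    if a["peer"].get("pre-shared-key") != b["peer"].get("pre-shared-key"):
        problems.append("pre-shared-key differs between the two ends")
    for x, y, tag in ((a, b, "A"), (b, a, "B")):
        if (x["peer"].get("local-id-type") == "name"
                and x["peer"].get("remote-name") != y["local_name"]):
            problems.append(f"{tag}: remote-name is not the peer's ike local-name")
        ra = x["peer"].get("remote-address", "").split()
        if ra and ra[0] not in y["addresses"]:
            problems.append(f"{tag}: remote-address {ra[0]} is not a peer address")
        if y["ka_timeout"] is not None and (
                x["ka_interval"] is None or x["ka_interval"] >= y["ka_timeout"]):
            problems.append(f"{tag}: keepalive interval must be set and be shorter "
                            f"than the peer's timeout of {y['ka_timeout']} s")
    if a["acl_rules"] != {(dst, src) for src, dst in b["acl_rules"]}:
        problems.append("security ACLs are not mirror images of each other")
    return problems


def sample_config(local, remote, peer, remote_addr, iface, local_addr, src, dst):
    """Constructed config in the guide's format, trimmed to the checked lines."""
    return f"""ike local-name {local}
ike sa keepalive-timer interval 20
ike sa keepalive-timer timeout 60
acl number 3101
 rule 5 permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
ike peer {peer}
 pre-shared-key huawei
 local-id-type name
 remote-name {remote}
 remote-address {remote_addr}
interface {iface}
 ip address {local_addr} 255.255.255.0
"""


CFG_A = sample_config("huawei01", "huawei02", "ME60B", "202.38.162.1",
                      "Pos1/0/1", "202.38.163.1", "10.1.1.0", "10.1.2.0")
CFG_B = sample_config("huawei02", "huawei01", "ME60A", "202.38.163.1",
                      "Pos2/0/1", "202.38.162.1", "10.1.2.0", "10.1.1.0")
# Deliberately broken B: key typo, and no keepalive interval although A has a timeout.
CFG_B_BAD = CFG_B.replace("pre-shared-key huawei", "pre-shared-key hwuaei") \
                 .replace("ike sa keepalive-timer interval 20\n", "")
```

check_pair(CFG_A, CFG_B) returns an empty list for the two files above; check_pair(CFG_A, CFG_B_BAD) reports the key mismatch and the missing keepalive interval on B, the two faults that otherwise surface only as a failed negotiation or a tunnel torn down after A's timeout. The parser keys on the command text itself, so it works on the output of display current-configuration as well as on saved files.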
8 URPF Configuration
About This Chapter
This chapter describes the fundamentals, implementation, and configuration of URPF.
8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).
8.2 Configuring URPF
This section describes how to configure the URPF function.
8.3 Configuration Examples
This section provides a configuration example of URPF.
8.1 Introduction
This section describes the fundamentals of Unicast Reverse Path Forwarding (URPF).
8.1.1 Overview of URPF
8.1.2 URPF Features of the ME60
8.1.1 Overview of URPF
URPF is used to defend against attacks that rely on source IP address spoofing.
Generally, when a router receives a packet, it looks up the route according to the destination address of
the packet. If a matching route is found, the router forwards the packet; otherwise, it discards the packet.
Unlike the general forwarding process, URPF takes the source address and the incoming interface of the
packet. Using the source address as if it were a destination, URPF checks whether the outgoing interface of
the matching entry in the forwarding table is the incoming interface of the packet. If not, the source
address is regarded as spoofed and the packet is discarded. In this way, URPF protects the network against
malicious attacks launched by forging the source address. The source address spoofing attack is modeled as
follows.
Figure 8-1 Schematic diagram of the source address spoofing attack
(Figure not reproduced. Router A, whose real source address is 1.1.1.1/24, sends packets with the spoofed
source address 2.1.1.1 to Router B; 2.1.1.1/24 belongs to Router C.)
A host connected to Router A (customer network) generates a packet with a pseudo source IP
address 2.1.1.1 and sends the packet to Router B. Router B sends a response packet to Router C
whose IP address is 2.1.1.1. In this way, Router A attacks Router B and Router C by sending
such packets.
URPF can be applied on the upstream incoming interfaces of the router in two application
environments: single-homed client and multi-homed client.
- Single-homed client
  Figure 8-2 shows the connection between the client and the convergence router of the ISP. URPF is enabled
  on GE 1/0/0 of the ISP router to protect the router and the Internet against source address spoofing
  attacks from the client network.
Figure 8-2 URPF applied on a single-homed client
(Figure not reproduced. The client network, source address 169.1.1.1/24, is attached to GE1/0/0 of the ISP
aggregation router, where URPF is enabled; GE2/0/0 and GE3/0/0 face the ISP.)
- Multi-homed client
  URPF can be applied where multiple connections are set up between the client and the ISP, as shown in
  Figure 8-3. For URPF to work, a packet from the client to a host on the Internet must take the same link
  (between the client and the ISP router) as the packet from that host back to the client. That is, route
  symmetry must be ensured; otherwise, URPF discards legitimate packets because of mismatched interfaces.
Figure 8-3 URPF applied on a multi-homed client
(Figure not reproduced. Enterprise Router A has two links to the ISP, Router B and Router C, with URPF
enabled on the ISP-side interfaces; the figure contrasts the route path back to the enterprise with the
packet path from it.)
- Multi-homed client with multiple ISPs
URPF can be applied in the networking where a client is connected to multiple ISPs, as shown
in Figure 8-4. In this case, route symmetry must be ensured.
Figure 8-4 URPF applied on a multi-homed client with multiple ISPs
(Figure not reproduced. Enterprise Router A connects to ISP A (Router B) and ISP B (Router C), each with URPF
enabled, and both ISPs reach the Internet.)
8.1.2 URPF Features of the ME60
The ME60 performs URPF check for all the IP packets on an interface in any of the following
modes:
- Loose check
For the IP packets arriving at the interface, the ME60 checks whether the forwarding table
contains the entry with the source address of the IP packets. If the entry exists, the IP packets
pass the URPF check.
- Strict check
For the IP packets arriving at the interface, the ME60 checks whether the forwarding table
contains the entry with the source address of the IP packets. If the entry does not exist, the
IP packets cannot pass the URPF check. If the entry exists, the ME60 checks whether the
outgoing interface specified in this entry is the incoming interface of the IP packets. If the
outgoing interface specified in the entry is the incoming interface of the IP packets, the IP
packets pass the URPF check.
The ME60 can also perform URPF check for the packets that meet certain conditions. This
function is implemented through the class-based QoS. The procedure for configuring the
ME60 to perform URPF check for the packets meeting certain conditions is as follows:
1. Create a traffic classifier on the ME60. Configure the traffic classifier to identify the packets
that meet certain conditions.
2. Create a traffic behavior on the ME60 and configure the traffic behavior to perform the URPF check.
For details, see "8.2.3 (Optional) Configuring URPF Check for Certain Type of
Packets."
3. Create a traffic policy on the ME60. Configure the ME60 to perform URPF check for a
certain type of packets.
4. Apply the traffic policy to an interface or a service policy. The traffic policy can also be
applied to the entire equipment. In this case, the ME60 performs URPF check for all packets
that meet the conditions.
For details, see chapter 2 "Class-based QoS Configuration" of the Quidway ME60
Multiservice Control Gateway Configuration Guide - QoS.
8.2 Configuring URPF
This section describes how to configure the URPF function.
8.2.1 Establishing the Configuration Task
8.2.2 Enabling URPF on an Interface
8.2.3 (Optional) Configuring URPF Check for Certain Type of Packets
8.2.1 Establishing the Configuration Task
Applicable Environment
To prevent source address spoofing attacks on the network, configure URPF to check whether
source IP addresses of packets match the incoming interfaces. If the source IP address of a packet
matches the incoming interface, the source IP address is considered as legal and the packet is
allowed to pass; otherwise, the source IP address is considered as a pseudo one and the packet
is discarded.
Pre-configuration Task
Before configuring the URPF function, complete the following tasks:
- Configuring the link-layer parameters of the interface
- Configuring an IP address for the interface
Data Preparation
To configure the URPF function, you need the following data.
No.   Data
1     Number of the interface where URPF is to be enabled
2     (Optional) Name of the traffic behavior
8.2.2 Enabling URPF on an Interface
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ip urpf { loose | strict }
URPF is enabled on the interface.
If the loose keyword is selected, the ME60 performs the loose URPF check: a packet passes the check if the
forwarding table contains an entry matching its source address, regardless of whether the outgoing interface
of that entry is the incoming interface of the packet.
If the strict keyword is selected, the ME60 performs the strict URPF check: a packet passes the check only if
the forwarding table contains an entry matching its source address and the outgoing interface of that entry
is the incoming interface of the packet. Use the strict check only where routing between the ME60 and the
source network is symmetric (see 8.1.1); otherwise legitimate packets are discarded.
----End
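The following Python program is an added example, not part of this guide and not ME60 code. It models the loose and strict checks selected by ip urpf { loose | strict } (8.1.2, 8.2.2) as a longest-prefix-match lookup on the source address over a small forwarding table, and runs it over sample packets that cover the cases discussed in 8.1.1: a legitimate single-homed client, the spoofed source of Figure 8-1, and a multi-homed client whose return route points at a different link. It also shows the caveat that a default route would let the loose check pass any source at all. The forwarding table, interface names and packets are constructed for the example, and skipping the default route in the reverse lookup is the example's own choice, not a documented ME60 behaviour.

```python
"""Loose and strict URPF over a constructed forwarding table.

Added example, not part of the Huawei guide and not ME60 code. It models the
two check modes of 'ip urpf { loose | strict }' (8.1.2, 8.2.2) with a
longest-prefix-match FIB and shows two practitioner caveats: a default route
would make the loose check pass any source unless default routes are skipped
(skipping them is this example's choice, not documented ME60 behaviour), and
asymmetric routing makes the strict check drop legitimate packets from a
multi-homed client (8.1.1).
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed FIB of the ISP router: (prefix, outgoing interface).
FIB: List[Tuple[str, str]] = [
    ("10.1.1.0/24", "GE1/0/0"),      # single-homed client behind GE1/0/0
    ("172.16.0.0/16", "GE2/0/0"),    # multi-homed client, primary link
    ("172.16.5.0/24", "GE3/0/0"),    # more specific route via the second link
    ("0.0.0.0/0", "GE3/0/0"),        # default route towards the core
]


def reverse_lookup(fib: List[Tuple[str, str]], src: str,
                   allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match on the *source* address: the interface the router
    would use to reach src, or None if there is no usable route."""
    addr = ip_address(src)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in fib:
        net = ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # a default route says nothing about where src lives
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def urpf_pass(fib, src: str, in_iface: str, mode: str,
              allow_default: bool = False) -> bool:
    """True if a packet with source src arriving on in_iface passes URPF."""
    out_iface = reverse_lookup(fib, src, allow_default)
    if out_iface is None:
        return False                  # no route back to the source: spoofed
    if mode == "loose":
        return True                   # loose: any route to the source suffices
    if mode == "strict":
        return out_iface == in_iface  # strict: must be the incoming interface
    raise ValueError(f"unknown mode {mode!r}")


def filter_packets(fib, packets, mode: str, allow_default: bool = False):
    """Apply the check to (src, in_iface) pairs; returns [(src, iface, passed)]."""
    return [(src, iface, urpf_pass(fib, src, iface, mode, allow_default))
            for src, iface in packets]


# Constructed sample traffic arriving at the ISP router.
PACKETS = [
    ("10.1.1.5", "GE1/0/0"),    # legitimate single-homed client
    ("2.1.1.1", "GE1/0/0"),     # spoofed source, as in Figure 8-1
    ("10.1.1.5", "GE2/0/0"),    # client prefix arriving on the wrong link
    ("172.16.5.9", "GE2/0/0"),  # multi-homed client, asymmetric return path
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for src, iface, ok in filter_packets(FIB, PACKETS, mode):
            print(f"{mode:6} {src:12} on {iface}: {'pass' if ok else 'drop'}")
    # Caveat: counting the default route makes loose mode accept the spoofed source.
    print("loose+default 2.1.1.1:",
          urpf_pass(FIB, "2.1.1.1", "GE1/0/0", "loose", allow_default=True))
```

In loose mode only the spoofed 2.1.1.1 is dropped; in strict mode the packets arriving on the wrong link are dropped too, including the legitimate 172.16.5.9, which is exactly the multi-homed failure the guide warns about. With allow_default=True the loose check accepts 2.1.1.1, so on a router that carries a default route the loose check provides no protection unless the implementation excludes that route.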
8.2.3 (Optional) Configuring URPF Check for Certain Type of
Packets
Context
To configure the ME60 to perform URPF check for packets of a certain type, you need to
configure a traffic policy, configure the traffic behavior in the traffic policy, and then apply the
traffic policy.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
The behavior view is displayed.
Step 3 Run:
ip urpf { strict | loose }
The traffic behavior is configured to perform the URPF check.
NOTE
For the complete procedure (traffic classifier, traffic behavior, traffic policy, and its application), see
"8.1.2 URPF Features of the ME60." For the configuration and application of the traffic policy, refer to
chapter 2 "Class-based QoS Configuration" of the Quidway ME60 Multiservice Control Gateway Configuration
Guide - QoS.
----End
8.3 Configuration Examples
This section provides a configuration example of URPF.
8.3.1 Example for Configuring URPF
8.3.1 Example for Configuring URPF
Networking Requirements
You need to enable URPF on the ISP router, namely, ME60 B. As shown in Figure 8-5, ME60
A and ME60 B are directly connected. Enable URPF on interface GE1/0/0 of ME60 B. Loose
URPF check is required for the IP packets arriving at this interface. Enable URPF on interface
GE1/0/0 of ME60 A. Strict URPF check is required for the IP packets arriving at this interface.
Figure 8-5 Networking of URPF configuration
(Figure not reproduced. ME60 A GE1/0/0 172.19.139.1/30 -- GE1/0/0 172.19.139.2/30 ME60 B (ISP).)
Configuration Roadmap
The configuration roadmap is as follows:
- Configure strict URPF check for the IP packets arriving at GE1/0/0 of ME60 A.
- Configure loose URPF check for the IP packets arriving at GE1/0/0 of ME60 B.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of the interfaces
Configuration Procedure
1. Configure ME60 A.
# Configure the IP address of GE 1/0/0.
<ME60A> system-view
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252
[ME60A-GigabitEthernet1/0/0] undo shutdown
# Enable strict URPF on GE1/0/0.
[ME60A-GigabitEthernet1/0/0] ip urpf strict
2. Configure ME60 B.
# Configure the IP address of GE 1/0/0.
<ME60B> system-view
[ME60B] interface gigabitethernet 1/0/0
[ME60B-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[ME60B-GigabitEthernet1/0/0] undo shutdown
# Enable loose URPF on GE1/0/0.
[ME60B-GigabitEthernet1/0/0] ip urpf loose
Configuration Files
The following are configuration files of the ME60s.
- Configuration file of ME60 A
#
sysname ME60A
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.19.139.1 255.255.255.252
ip urpf strict
#
return
- Configuration file of ME60 B
#
sysname ME60B
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.19.139.2 255.255.255.252
ip urpf loose
#
return
9 SBC Configuration
About This Chapter
This chapter describes how to configure and maintain the functions of a Session Border Controller (SBC),
and provides several configuration examples.
9.1 Introduction
This section describes the concept and fundamentals of SBC.
9.2 Configuring Basic SBC Information
This section describes how to configure the basic information of the SBC.
9.3 Configuring an SBC Backup Group
This section describes how to configure backup groups. See Example for Configuring the IMS
Networking.
9.4 Configuring IMS Architecture-based SBC Functions
This section describes how to configure IMS architecture-based SBC functions on the ME60.
9.5 Configuring the NGN Architecture-based Signaling and Media Address Mapping
This section describes how to configure the NGN architecture-based signaling and media address
mapping on the ME60.
9.6 Configuring the IADMS Proxy
This section describes how to configure the IAD Management System (IADMS) proxy.
9.7 Configuring Signaling Attack Defense
This section describes how to configure signaling attack defense.
9.8 Configuring the CAC Function
This section describes how to configure the CAC function.
9.9 Configuring the Session-based CAR
This section describes how to configure the session-based CAR.
9.10 Configuring Signaling NAT
This section describes how to configure signaling NAT. See Example for Configuring the IMS
Networking.
9.11 Configuring SBC Lawful Interception
This section describes how to configure the lawful interception feature of the SBC.
9.12 Configuring SBC Attack Defense
This section describes how to configure the attack defense feature of the SBC.
9.13 Maintaining the SBC
This section provides the commands for debugging the SBC and clearing information about the
SBC.
9.14 Configuration Examples
This section provides several examples for configuring the security features.
9.1 Introduction
This section describes the concept and fundamentals of SBC.
9.1.1 Background of an SBC
9.1.2 SBC Functions Supported by the ME60
9.1.3 References
9.1.1 Background of an SBC
Currently, SBC functions can be implemented based on the following architectures:
• IMS architecture
• NGN architecture
Overview of the IMS
With the rapid popularization of broadband services, multimedia communications over IP
networks are in growing demand. To meet this demand, the 3rd Generation Partnership
Project (3GPP) put forward the IP Multimedia Subsystem (IMS), built on the packet domain,
after the R4 specification was defined.
The IMS is standardized by the 3GPP at the stage of R5. It is a subsystem used for multimedia
communications in packet domains.
The IMS uses the Session Initiation Protocol (SIP) to control sessions. Because SIP is simple,
flexible, easy to extend, and convenient for negotiating multimedia sessions, the adaptability
of the IMS is expected to improve further.
In the IMS, not only session control, service provision, service triggering, mobility, and
accounting and addressing modes are considered, but also Quality of Service (QoS), security,
Network Address Translation (NAT) traversal, interworking between the Public Switched
Telephony Network (PSTN) and Public Land Mobile Network (PLMN), and fixed-mobile
convergence are taken into account. Therefore, the IMS is a complete solution to multimedia
communications over IP networks, which is operable, manageable, and value-added.
Overview of the NGN
The rapid growth of IP technologies has led to the convergence of the telecom network, the
data communications network, and the cable TV network. That is, the public IP network tends
to carry services such as voice, video, and data uniformly. The Next Generation Network
(NGN) based on softswitch technologies plays a crucial role in this scenario by meeting the
requirements for network convergence.
The NGN is a concept in a broad sense. In general, the NGN implies the network architecture
of an open and integrated network that provides various services such as voice, video, and data
services. Table 9-1 shows the main characteristics of the NGN.
Table 9-1 Characteristics of the NGN

Characteristic: Packet-based transfer mode and unified protocols
Description: Function modules of a traditional switch turn into separate network components. Components interoperate with each other through standard open interfaces. This characteristic makes the existing telecom network open.

Characteristic: Services independent of networks
Description: Services are separated from the call control, and the call control is separated from the bearer network. In this manner, a relatively independent service system is implemented. This characteristic allows independent development of services and the network. Users can change their services flexibly, and the network scalability is enhanced.

Characteristic: Diversified access modes
Description: The PSTN, Global System for Mobile Communications (GSM), and Integrated Services Digital Network (ISDN) interoperate with each other through gateways. The NGN allows the access of terminals and IP intelligent terminals such as telephones, mobile phones, SIP terminals, Media Gateway Control Protocol (MGCP) terminals, and H.323 terminals.
9.1.2 SBC Functions Supported by the ME60
This section describes the SBC functions supported by the ME60.
NOTE
On the ME60, SBC functions are controlled by the license. To use the SBC functions, you need to buy the
SBC license and activate the license. For details about the license for the SBC, refer to the Quidway
ME60 Multiservice Control Gateway Configuration Guide - System Management.
Signaling Proxy and Media Proxy
An SBC is deployed at the edge or the convergence layer of an IP network. The SBC is an
aggregation point of signaling and media streams in a session and supports signaling proxy and
media proxy. The SBC also provides proxy services for multiple softswitches.
SBC Multi-instance Group
The ME60 supports SBC multi-instance groups. An SBC instance group is equivalent to an
independent SBC device that processes signaling and media packets.
Hosted NAT Traversal
If a NAT device is connected to the ME60, the ME60 SBC processes and forwards the media
packets that are sent from the User Equipment (UE) and translated by the NAT device. Thus,
UEs behind the NAT device can communicate with each other.
Hot Backup
On the ME60, the sessions delivered through the Ia interface can be backed up in real time
between SBC boards. An SBC board works normally and supports hot backup only after it is
added to a backup group. The boards in the backup group work in 1:1 backup mode to back up
the established signaling sessions and media sessions in real time.
NOTE
The ME60 supports a maximum of 15 backup groups.
Idle Cut of Media Streams
The ME60 SBC provides the idle cut function for media streams to prevent media
resources from being occupied when no traffic is generated. The ME60 terminates a media
stream if the stream is interrupted for a specified period in one or both directions.
Output of MG Logs
The ME60 generates logs that record information about MG connections. An MG log records
the terminated traffic, change of the MG connection (Up or Down), and added or deleted media
sessions.
Lawful Interception
Lawful interception is a law enforcement behavior carried out to monitor the communications
services on the public communications network, according to the related law and the norm for
the public communications network.
Attack Defense
By providing the attack defense function, the ME60 checks the signaling packets sent to the Call
Session Control Function (CSCF) and the Ia packets sent to the loopback interface of the
ME60 to prevent flood attacks and single packet attacks.
9.1.3 References
For more information about the SBC, refer to the following documents:
• H.248: Gateway control protocol
• H.323: Packet-Based Multimedia Communications Systems
• Q.765.5: Application transport mechanism - Bearer independent call control (BICC)
• RFC 1157: Simple Network Management Protocol (SNMP)
• RFC 1305: Network Time Protocol (Version 3) Specification, Implementation
• RFC 3261: SIP: Session Initiation Protocol
• RFC 3435: Media Gateway Control Protocol (MGCP) Version 1.0
• RFC 3530: RTP: A Transport Protocol for Real-Time Applications
• RFC 3605: Real Time Control Protocol (RTCP) attribute in Session Description Protocol (SDP)
9.2 Configuring Basic SBC Information
This section describes how to configure the basic information of the SBC.
9.2.1 Establishing the Configuration Task
9.2.2 Configuring the Operation Mode of the VSU to SBC
9.2.3 Configuring the Application Mode
9.2.4 Checking the Configuration
9.2.1 Establishing the Configuration Task
Applicable Environment
To solve the problems of NAT traversal, session QoS guarantee, and network security, you must
install the Versatile Service Unit (VSU) on the ME60. Then, you need to configure the operation
mode of the VSU to SBC and configure the basic SBC information.
NOTE
• Before configuring the SBC function, you must install the VSU. The ME60 can process the SBC service
after the operation mode of the VSU is set to SBC. For the functions that the VSU provides after it is
set to SBC, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
• You can use the set lpu-work-mode { dpi | sbc | nsu | ssu | tsu } slot slot-id command to set the
operation mode of the VSU. Working in different modes, the VSU provides different functions.
• In this chapter, the VSU working in SBC mode is called the SBC board.
Pre-configuration Tasks
Before configuring the basic SBC information, complete the following task:
• Installing the VSU
Data Preparation
To configure the basic SBC information, you need the following data.
No.  Data
1    Slot number of the SBC board
2    Application mode of the SBC, namely, single-domain mode or multi-domain mode
9.2.2 Configuring the Operation Mode of the VSU to SBC
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode sbc slot slot-id
The operation mode of the VSU is configured to SBC.
NOTE
• After configuring the operation mode of the VSU, restart the board to validate the configuration.
• The command used to configure the operation mode of the VSU is not recorded in the configuration
files. To view the operation mode of the VSU, run the display device or display lpu-work-mode
command. If the operation mode is correct, you do not need to configure it again.
----End
9.2.3 Configuring the Application Mode
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc appmode { single-domain | multi-domain }
The application mode of the SBC is configured.
Select the application mode based on the networking. If the SBC is connected to a NAT device
at the user side, select the multi-domain mode. If the SBC is not connected to a NAT device,
both the single-domain mode and multi-domain mode can be selected.
By default, the SBC operates in multi-domain mode.
----End
9.2.4 Checking the Configuration
Run the following command to check the previous configuration.
Action                                  Command
Check the operation mode of the LPU.    display lpu-work-mode
Run the display lpu-work-mode command in the system view to view the operation mode of
the VSU.
[Quidway] display lpu-work-mode
Show lpu-mode of all boards:
LPU 3: Online
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Slot# Online Curr_Type Status Next_Type Primary
3 Present SBC Normal NA NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LPU 5: Online
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Slot# Online Curr_Type Status Next_Type Primary
5 Present BSU Normal NA NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LPU 7: Online
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Slot# Online Curr_Type Status Next_Type Primary
7 Present SBC Normal NA NA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9.3 Configuring an SBC Backup Group
This section describes how to configure backup groups. See Example for Configuring the IMS
Networking.
9.3.1 Establishing the Configuration Task
9.3.2 Configuring a Backup Group
9.3.3 Checking the Configuration
9.3.1 Establishing the Configuration Task
Applicable Environment
To enable the normal operation of the SBC, you must configure the backup groups.
To implement hot backup of signaling sessions and media sessions, you can configure a master
SBC board and a backup SBC board in a backup group.
Pre-configuration Tasks
Before configuring an SBC backup group, complete the following task:
• Configuring Basic SBC Information
Data Preparation
To configure an SBC backup group, you need the following data.
No.  Data
1    Slot numbers of the master and backup SBC boards in the backup group
9.3.2 Configuring a Backup Group
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
sbc backup-group group-id
A backup group is created and the backup group view is displayed.
Step 4 Run:
add slot slot-id master
An SBC board is added to the backup group and is configured as the master SBC board.
Step 5 (Optional) Run:
add slot slot-id slave
An SBC board is added to the backup group and is configured as the backup SBC board.
The SBC functions only after the backup group is configured. On the ME60, the backup group
can contain only one master SBC board and one slave SBC board.
If the specified SBC board is not in the slot, you can also add the slot number to the backup
group. The specified slot number cannot be the same as the slot number of the board in another
backup group.
----End
9.3.3 Checking the Configuration
Run the following command in any view to check the previous configuration.
Action                                              Command
Check information about a backup group.             display sbc backup-group [ group-id ]
Check information about an SBC instance group.      display sbc instance
Display information about backup group 0.
<Quidway> display sbc backup-group 0
------------------------------------
Backupgroup 0 information
------------------------------------
Instance : default
Slot : 3
CfgFlag : master
CurFlag : active
Slot : 5
CfgFlag : slave
CurFlag : standby
9.4 Configuring IMS Architecture-based SBC Functions
This section describes how to configure IMS architecture-based SBC functions on the ME60.
9.4.1 Establishing the Configuration Task
9.4.2 Configuring a Media Address Mapping Group
9.4.3 Configuring the Ia Interface
9.4.4 (Optional) Configuring the MG Timer and Idle Cut Attributes
9.4.5 (Optional) Configuring the Validity Check of Media Streams
9.4.6 (Optional) Configuring the Maximum Number of Sessions Supported by a Mapping Group
9.4.7 (Optional) Setting the Total Bandwidth Supported by an SBC Board
9.4.8 (Optional) Enabling the QoS Report Function
9.4.9 Enabling the Media Address Mapping Group
9.4.10 Checking the Configuration
9.4.1 Establishing the Configuration Task
Applicable Environment
In the IMS Border Gateway Function (BGF) networking, the media address mapping is
configured when an SBC needs to forward RTP or RTCP multimedia streams.
The ME60 functions as an MG and the Service-based Policy Decision Function (SPDF)
functions as a Media Gateway Controller (MGC). The MG and MGC exchange protocol
messages through the Ia interface. To prevent non-Session Description Protocol (SDP)
negotiation packets from passing through the ME60, the ME60 checks the specified validity of
media streams and filters out media streams that do not meet the requirements.
When the SPDF delivers a session request to the Ia interface, the ME60 limits the number of
sessions per mapping group; when the number of sessions in a mapping group reaches the
limit, no new session can be established. In addition, the SBC board of the ME60 compares the
remaining bandwidth with the bandwidth information carried in the session to determine
whether the session can be established. If no bandwidth information is carried in the session,
the default bandwidth is assigned.
If information such as the delay, jitter, and the packet drop ratio of RTP media streams needs to
be obtained, you can configure the QoS report function.
Pre-configuration Tasks
Before configuring IMS architecture-based SBC functions, complete the following tasks:
• Configuring basic information about the SBC
• Configuring the IP address of the loopback interface used by a media address mapping group
NOTE
For loopback interface configurations, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - Interfaces and Links.
Data Preparation
To configure IMS architecture-based SBC functions, you need the following data.
No.  Data
1    Slot number of the active SBC board that is bound to a media address
2    Loopback interface used by a media address mapping group
3    Bearer protocol used by an MG connection
4    Loopback interface and port number of an MG connection on the Ia interface of the ME60
5    Address and port number of the SPDF
6    Message identifier of an MG connection
7    Internal domain name and external domain name of an MG connection and the index of the bound media address mapping group
8    Time intervals at which the MG reregisters on the MGC
9    Aging time of an MG connection and an MG session
10   Threshold of the length of media streams that are allowed to pass through
11   Maximum number of sessions supported by a mapping group
12   Total bandwidth supported by an SBC board
9.4.2 Configuring a Media Address Mapping Group
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
sbc mapgroup bgf mapgroup-index
A media address mapping group is created and its view is displayed.
Step 4 (Optional) Run:
description mapgroup-description
The description of the media address mapping group is configured.
Step 5 Run:
media-clientaddr [ vpn-instance vpn-instance-name ] { loopback interface-number }
[ loopback interface-number ]
A client media address is configured and is bound to the master SBC board.
You can configure up to four client media addresses in the system. The loopback interface bound
to a client media address cannot be used for other purposes. A loopback interface cannot be
bound to a client media address and a server media address at the same time. If a client media
address is bound to a VPN instance, the mapping loopback interface must be bound to the same
VPN instance.
Step 6 Run:
media-serveraddr [ vpn-instance vpn-instance-name ] { loopback interface-number }
[ loopback interface-number ]
A server media address is configured and is bound to the master SBC board.
You can configure up to four server media addresses in the system. The loopback interface bound
to a server media address cannot be used for other purposes. A loopback interface cannot be
bound to a client media address and a server media address at the same time. If a server media
address is bound to a VPN instance, the mapping loopback interface must be bound to the same
VPN instance.
A VPN user may use different mapping groups in a session. In this case, the client media
addresses and server media addresses in the mapping groups used by the user must be bound to
the same master SBC board.
By default, no media address mapping group is configured on the ME60.
----End
9.4.3 Configuring the Ia Interface
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc sctp enable
SCTP is enabled.
The User Datagram Protocol (UDP) or the SCTP protocol can be used as the bearer protocol of
the H.248 protocol running on MG connections. If the SCTP protocol is used as the bearer
protocol, you must enable SCTP first. If the UDP protocol is used as the bearer protocol, the
SCTP protocol does not need to be enabled.
By default, the SCTP protocol is disabled.
Step 3 Run:
sbc traffic-statistic enable
The SBC traffic statistics function is enabled.
The ME60 counts the packets and bytes sent and received over sessions established through
the Ia interface only after the MG function is enabled.
By default, the SBC traffic statistics function is disabled.
Step 4 Run:
sbc mg enable
The MG function of an SBC instance group is enabled.
Ia interface connections can be established only after the MG function is enabled.
By default, the MG function of an SBC instance group is disabled.
Step 5 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 6 Run:
sbc mg connect-index
The MG connection view is displayed.
Step 7 Run:
mg ip loopback interface-number port port-number
The address and port number of an MG are configured.
NOTE
An MG borrows the IP address of a loopback interface. Therefore, before the mg ip loopback interface-
number port port-number command is run, the IP address of the corresponding loopback interface must
be configured.
Step 8 Run:
mgc ip mgc-ip port port-number
The IP address and port number of an MGC are configured.
Step 9 (Optional) Run:
description mg-description
The description of an MG connection is configured.
Step 10 Run:
mg mid message-identifier
The message identifier of an MG connection is configured.
An MGC identifies an MG connection through the message identifier.
Step 11 Run:
domain inner domain-name mapgroup mapgroup-index
The name of the internal domain and the index number of the corresponding media address
mapping group are configured.
Step 12 Run:
domain outer domain-name mapgroup mapgroup-index
The name of the external domain and the index number of the corresponding media address
mapping group are configured.
NOTE
Names of the internal domain and the external domain must be the same as the domain names configured
on the SPDF.
Step 13 Run:
protocol { udp | sctp | tcp }
The type of the protocol used in MG connections is configured.
The default protocol type is UDP. The SCTP protocol is recommended.
Step 14 Run:
enable
The MG connection is enabled.
All the steps except the optional step that configures the description must be performed;
otherwise, the MG connection cannot be enabled. When enabling an MG connection, the ME60
checks whether the configuration of the MG connection is complete. If the configuration is
incomplete, the MG connection fails to be enabled.
After an MG connection is enabled, other configurations except for the description of the MG
connection cannot be modified.
When configuring the mapping between the internal domain and the media address mapping
group or between the external domain and the media address mapping group, ensure that the
media address mapping groups corresponding to the internal domain and the external domain
are bound to the same SBC board. Otherwise, sessions may not be correctly established. For
example, if the internal domain is bound to media address mapping group A and the user-side
media address of media address mapping group A is bound to the active SBC board of slot 7,
the server-side media address of media address mapping group B that is bound to the external
domain must also be bound to the active SBC board of slot 7.
When receiving a media packet of the SPDF, the ME60 assigns the user-side media address and
port number of the corresponding media address mapping group to the packet, if the domain
name contained in the packet is the internal domain; the ME60 assigns the server-side media
address and port number of the corresponding media address mapping group to the packet, if
the domain name contained in the packet is the external domain.
----End
9.4.4 (Optional) Configuring the MG Timer and Idle Cut Attributes
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc timer mg connect interval
The interval is set at which the MG re-registers to the MGC after the MG connection is
disconnected. The default interval is 5000 milliseconds.
Step 3 Run:
sbc timer mg aging-time aging-time
The aging time of the MG connection is set. The default aging time of the MG connection is
120 seconds.
After the MG connection is set up, the MG and MGC exchange keepalive packets. If the MG
does not receive the keepalive packets from the MGC within the aging time, the MG considers
that the MG connection is disconnected. After the MG connection is disconnected, the existing
call sessions are kept within the aging time of MG sessions, whereas new call sessions cannot
be set up.
Step 4 Run:
sbc timer mg callsessiontime session-time
The aging time of MG sessions is set. The default aging time of MG sessions is 60 minutes.
NOTE
• The aging time of MG sessions ensures that sessions are terminated if they are exceptional. When the
aging time of an MG session expires, the ME60 deletes the MG session and ends the call. The aging
timer is used in exceptional conditions. Therefore, the timer may have a deviation.
• During a session, the ME60 updates the aging time of the MG session after receiving the audit command
of this session from the SPDF. Therefore, the call is not forcibly ended when the aging time expires.
Step 5 Run:
sbc timer media-detect { rtp | rtcp } idle-time-length
The idle cut duration of RTP streams or RTCP streams in media streams is set.
By default, the idle cut duration of RTP streams is 30 seconds and the idle cut duration of RTCP
streams is 300 seconds.
Step 6 Run:
sbc timer media-aging media-aging-time
The aging time of idle RTP streams or RTCP streams in media streams is set.
By default, the aging time of idle RTP streams or RTCP streams is 300 seconds.
Step 7 Run:
sbc media-detect [ one-way ] enable
The function of cutting off media streams is enabled.
After the idle cut function is enabled, the ME60 notifies the CSCF when a media stream is
interrupted in both directions for a period that is specified by idle-time-length. The CSCF
determines whether to cut off the media stream session. If the CSCF does not respond within a
period that is specified by media-aging-time, the ME60 automatically cuts off the media stream
session. If the one-way keyword is used in the command, the ME60 notifies the CSCF when a
media stream is interrupted in any direction for a period that is specified by idle-time-length.
By default, the function of cutting off media streams is not enabled.
Step 8 Run:
sbc syslog module mg enable
The ME60 displays MG logs.
By default, the ME60 does not display MG logs.
----End
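The interaction between idle-time-length, media-aging-time and the one-way keyword described in Step 5 through Step 7 is easiest to see as a small state machine. The following Python class is an added example, not Huawei code: it tracks the last packet seen in each direction of one media stream, raises the notification to the CSCF when the idle condition holds, and cuts the stream if no answer arrives within the aging time. Timer values in the demonstration are the defaults stated above (30 s and 300 s); the assumption that a "keep" answer from the CSCF restarts the idle timers is mine and is marked in the code.

```python
class MediaIdleMonitor:
    """Idle-cut state for one media stream (RTP or RTCP); all times in seconds.

    States: active -> notified (CSCF told the stream is idle) -> cut.
    """

    def __init__(self, idle_time, aging_time, one_way=False, now=0.0):
        self.idle_time = idle_time        # sbc timer media-detect value
        self.aging_time = aging_time      # sbc timer media-aging value
        self.one_way = one_way            # sbc media-detect one-way enable
        self.last_rx = {"forward": now, "reverse": now}
        self.notified_at = None
        self.state = "active"

    def packet_seen(self, direction, now):
        """Record traffic in one direction; a cut stream stays cut."""
        if direction not in self.last_rx:
            raise ValueError("direction must be 'forward' or 'reverse'")
        if self.state != "cut":
            self.last_rx[direction] = now
        return self.state

    def tick(self, now):
        """Evaluate the timers at time now and return the resulting state."""
        if self.state == "cut":
            return self.state
        idle = [now - last >= self.idle_time for last in self.last_rx.values()]
        # one-way: any idle direction triggers; default: both must be idle
        triggered = any(idle) if self.one_way else all(idle)
        if self.state == "active" and triggered:
            self.state, self.notified_at = "notified", now   # notify the CSCF
        elif self.state == "notified" and now - self.notified_at >= self.aging_time:
            self.state = "cut"                               # CSCF never answered
        return self.state

    def cscf_decision(self, keep, now):
        """The CSCF answers the idle notification.

        Assumption (not stated on the page): a 'keep' answer restarts the idle
        timers from the time of the answer so the same idle period is not
        reported again immediately.
        """
        if self.state != "notified":
            return self.state
        if keep:
            self.state, self.notified_at = "active", None
            self.last_rx = {d: now for d in self.last_rx}
        else:
            self.state = "cut"
        return self.state


if __name__ == "__main__":
    # Constructed timeline: both directions go quiet, the CSCF never answers.
    mon = MediaIdleMonitor(idle_time=30, aging_time=300)
    mon.packet_seen("forward", 10)
    mon.packet_seen("reverse", 12)
    for t in (40, 42, 341, 342):
        print("t=%d state=%s" % (t, mon.tick(t)))
```

With the defaults the forward direction alone being idle at t=40 changes nothing, both directions idle at t=42 raises the notification, and the stream is cut at t=342 when the 300 s aging time has elapsed without a CSCF answer; constructing the monitor with one_way=True moves the notification to t=40.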
9.4.5 (Optional) Configuring the Validity Check of Media Streams
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc media detect { validity | ssrc } enable
The function of checking the validity of media streams is enabled.
Step 3 Run:
sbc media detect packet-length packet-length
The threshold of the packet length of media streams is set.
Do as follows to check the validity of media streams:
• Check whether the protocol type of media streams is RTP, RTCP, or Facsimile UDP Transport Layer (UDPTL).
• Check whether the version of RTP packets is v2.
• Check whether the coding type of RTP packets is correct.
• Check whether the RTP packet length is within the set range.
----End
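The four checks listed above, written out against real packet bytes, as an added Python example that is not Huawei code. It parses the RTP fixed header (RFC 3550), separates RTP from RTCP by the packet-type byte, verifies the version field, compares the payload type against a negotiated set standing in for the coding types agreed in SDP, and enforces a length threshold. UDPTL is left out of the classification, and the sample packets, the accepted payload types {0, 8} and the 1500-byte threshold are constructed for the demonstration.

```python
import struct

# RTCP packet types from RFC 3550 (SR, RR, SDES, BYE, APP). The second header
# byte of an RTCP packet carries one of these, which is how RTP and RTCP are
# told apart when they share a port.
RTCP_PACKET_TYPES = frozenset(range(200, 205))
RTP_FIXED_HEADER_LEN = 12


def build_rtp(payload_type, seq, timestamp, ssrc, payload, version=2):
    """Build a minimal RTP packet (no CSRC list, no extension) as test input."""
    byte0 = (version & 0x3) << 6          # V=version, P=0, X=0, CC=0
    byte1 = payload_type & 0x7F           # M=0, PT=payload_type
    return struct.pack("!BBHII", byte0, byte1, seq, timestamp, ssrc) + payload


def classify(udp_payload):
    """First check: return 'rtp', 'rtcp', or None for anything else."""
    if len(udp_payload) < 4 or (udp_payload[0] >> 6) != 2:
        return None
    return "rtcp" if udp_payload[1] in RTCP_PACKET_TYPES else "rtp"


def check_rtp(udp_payload, negotiated_pts, max_len):
    """Remaining checks on an RTP packet; returns (passed, reason).

    negotiated_pts: payload types accepted from the SDP negotiation
    max_len: the packet-length threshold (sbc media detect packet-length)
    """
    if len(udp_payload) > max_len:
        return False, "packet length exceeds threshold"
    if len(udp_payload) < RTP_FIXED_HEADER_LEN:
        return False, "shorter than the RTP fixed header"
    if (udp_payload[0] >> 6) != 2:
        return False, "RTP version is not 2"
    payload_type = udp_payload[1] & 0x7F
    if payload_type not in negotiated_pts:
        return False, "payload type %d was not negotiated" % payload_type
    return True, "ok"


def filter_media(packets, negotiated_pts, max_len):
    """Return {name: reason} for every packet that fails; RTCP passes once classified."""
    dropped = {}
    for name, pkt in packets.items():
        kind = classify(pkt)
        if kind is None:
            dropped[name] = "not RTP or RTCP"
        elif kind == "rtp":
            ok, reason = check_rtp(pkt, negotiated_pts, max_len)
            if not ok:
                dropped[name] = reason
    return dropped


# Constructed sample packets (SSRC and sequence numbers are arbitrary).
SAMPLE_PACKETS = {
    "good_pcmu": build_rtp(0, 1, 160, 0x11223344, b"\x00" * 160),
    "unnegotiated_pt": build_rtp(18, 2, 320, 0x11223344, b"\x00" * 20),
    "bad_version": build_rtp(0, 3, 480, 0x11223344, b"\x00" * 160, version=1),
    "oversized": build_rtp(0, 4, 640, 0x11223344, b"\x00" * 1600),
    "rtcp_rr": struct.pack("!BBHI", 0x80, 201, 1, 0x11223344),
}

if __name__ == "__main__":
    for name, reason in filter_media(SAMPLE_PACKETS, {0, 8}, 1500).items():
        print("%-16s dropped: %s" % (name, reason))
```

Only the PCMU packet and the RTCP receiver report survive; the other three are dropped with the reason that matches the corresponding check in the list above.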
9.4.6 (Optional) Configuring the Maximum Number of Sessions
Supported by a Mapping Group
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The instance group view is displayed.
Step 3 Run:
sbc mapgroup bgf mapgroup-number
The mapping group view is displayed.
Step 4 Run:
session-limit count
The maximum number of sessions supported by the mapping group is configured.
----End
9.4.7 (Optional) Setting the Total Bandwidth Supported by an SBC
Board
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc bandwidth-limit bandwidth-value
The total bandwidth supported by an SBC board is set.
----End
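The per-mapping-group session limit of 9.4.6 and the per-board bandwidth limit of 9.4.7 work together as the admission check described in 9.4.1: a session request is refused when its mapping group is full or when the board's remaining bandwidth cannot cover the bandwidth carried in the session, and a session without bandwidth information gets a default. The following Python model is an added example, not Huawei code. The default of 64 kbit/s, the board capacity, the mapping-group indexes and the session identifiers are constructed; the page states that a default applies but not its value.

```python
from dataclasses import dataclass, field

# Assumed default per-session bandwidth (kbit/s) for sessions that carry no
# bandwidth information; the page does not state the real value.
DEFAULT_SESSION_KBPS = 64


@dataclass
class MapGroup:
    index: int
    session_limit: int                           # session-limit count
    sessions: set = field(default_factory=set)


@dataclass
class SbcBoard:
    slot: int
    bandwidth_limit_kbps: int                    # sbc bandwidth-limit value
    used_kbps: int = 0
    mapgroups: dict = field(default_factory=dict)
    allocations: dict = field(default_factory=dict)   # session_id -> (mapgroup, kbps)

    def add_mapgroup(self, index, session_limit):
        self.mapgroups[index] = MapGroup(index, session_limit)

    def admit(self, session_id, mapgroup_index, requested_kbps=None):
        """Decide whether a session request delivered over Ia can be established."""
        if session_id in self.allocations:
            return False, "duplicate session"
        group = self.mapgroups.get(mapgroup_index)
        if group is None:
            return False, "unknown mapping group"
        if len(group.sessions) >= group.session_limit:
            return False, "session limit of mapping group reached"
        kbps = DEFAULT_SESSION_KBPS if requested_kbps is None else requested_kbps
        if self.used_kbps + kbps > self.bandwidth_limit_kbps:
            return False, "insufficient bandwidth on the SBC board"
        group.sessions.add(session_id)
        self.used_kbps += kbps
        self.allocations[session_id] = (mapgroup_index, kbps)
        return True, "admitted"

    def release(self, session_id):
        """Tear a session down and return the bandwidth still in use."""
        mapgroup_index, kbps = self.allocations.pop(session_id)
        self.mapgroups[mapgroup_index].sessions.discard(session_id)
        self.used_kbps -= kbps
        return self.used_kbps


if __name__ == "__main__":
    # Constructed scenario: a 200 kbit/s board, group 2501 limited to 2 sessions.
    board = SbcBoard(slot=3, bandwidth_limit_kbps=200)
    board.add_mapgroup(2501, session_limit=2)
    board.add_mapgroup(2502, session_limit=5)
    for sid, group, bw in (("s1", 2501, None), ("s2", 2501, 100),
                           ("s3", 2501, 10), ("s4", 2502, 50)):
        print(sid, board.admit(sid, group, bw), "used=%d" % board.used_kbps)
    print("release s1 -> used=%d" % board.release("s1"))
    print("s4", board.admit("s4", 2502, 50))
```

In the scenario s1 takes the 64 kbit/s default, s2 its requested 100 kbit/s, s3 is refused by the group limit even though bandwidth remains, and s4 is refused by the bandwidth limit until s1 is released, which is the order in which the two checks are applied.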
9.4.8 (Optional) Enabling the QoS Report Function
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc qos-report enable
The QoS report function is enabled.
----End
9.4.9 Enabling the Media Address Mapping Group
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
sbc mapgroup bgf mapgroup-index
A media address mapping group is created and its view is displayed.
Step 4 Run:
enable
The media address mapping group is enabled.
A media address mapping group can be enabled only after its client media addresses and server
media addresses are configured.
NOTE
If sessions exist on the SBC board, new sessions may not be established when you change the media
addresses in the mapping group or run the undo enable command to disable the mapping group.
----End
9.4.10 Checking the Configuration
Run the following commands to check the previous configuration.
Action                                                                  Command
Check the configuration of a media address mapping group.               display sbc mapgroup bgf [ mapgroup-index ]
Check all the configuration related to an MG.                           display sbc mg configuration
Check the configuration and status of a specified MG connection.        display sbc mg connect-index
Check statistics about an MG connection of a specified slot.            display sbc mg statistic [ connect-index ] slot slot-id
Check information about the validity of SBC media streams.              display sbc media detect configuration
Check related information about the session limit in a mapping group.   display sbc session-limit [ mapgroup mapgroup-id ]
Check related information about the bandwidth limit.                    display sbc bandwidth-limit [ instance instance-name ]
Check whether the QoS report function is enabled.                       display sbc qos-report enable
# Display the configuration of the media address mapping group with the index as 2501.
<Quidway> display sbc mapgroup bgf 2501
sbc mapgroup bgf 2501
description huawei
media-clientaddr vpn-instance vpn-a ip:9.9.9.17 slot:11 ip:9.9.9.19 slot:11
media-serveraddr vpn-instance vpn-b ip:9.9.9.18 slot:11 ip:9.9.9.20 slot:11
enable
# Display the configuration and status of the MG connection with the index as 0.
<Quidway> display sbc mg 0
sbc mg 0
description huanwei
mg ip 111.1.1.1 port 2944
mgc ip 192.166.1.111 port 2944
mg mid spdf1.com
domain inner inner1.bgf.com mapgroup 2501
domain outer outer1.bgf.com mapgroup 2501
protocol sctp
enable
state :
connect status : registered
sctp link state : linked
# Display statistics about packets of MG 0 on the active SBC board in slot 6.
<Quidway> display sbc mg statistic 0 slot 6
---------------------------------------------------
Statistic Information of MG 0
---------------------------------------------------
Received request transactions : 63
Received response transactions : 386
Sent request transactions : 231
Sent response transactions : 45
Received ADD commands : 42
Received MOD commands : 12
Received SUB commands : 6
Received AuditValue commands : 0
Sent ServiceChange commands : 8
Sent Notify commands : 200
Succeed to receive ADD commands : 27
Succeed to receive MOD commands : 12
Succeed to receive SUB commands : 6
Succeed to receive AuditValue commands : 0
Succeed to send ServiceChange commands : 4
Succeed to send Notify commands : 189
Fail to receive ADD commands : 15
Fail to receive MOD commands : 0
Fail to receive SUB commands : 0
Fail to receive AuditValue commands : 0
Fail to send ServiceChange commands : 0
Fail to send Notify commands : 0
Fail to receive messages : 0
Fail to send messages : 0
Successful calls : 4
Failing calls : 15
# Display checking information about the validity of SBC media streams.
<Quidway> display sbc media detect configuration
sbc media detect validity enable
sbc media detect ssrc enable
sbc media detect packet-length 1000
# Display related information about the session limit in a mapping group.
<Quidway> display sbc session-limit mapgroup 2501
------------------------------------------------------------
Mapgroup: 2501:
Configured session limit: 20000
Used session count: 400
Remain session count: 19600
------------------------------------------------------------
# Display related information about the bandwidth limit.
<Quidway> display sbc bandwidth-limit instance default
------------------------------------------------------------
Instance: default:
Configured bandwidth limit: 1000 kbyte(s)
Used bandwidth: 576 kbyte(s)
Remain bandwidth: 424 kbyte(s)
Bandwidth usage: 57%
------------------------------------------------------------
# Display whether the QoS report function is enabled.
<Quidway> display sbc qos-report enable
sbc qos-report is enable
9.5 Configuring the NGN Architecture-based Signaling and Media Address Mapping
This section describes how to configure the NGN architecture-based signaling and media address
mapping on the ME60.
9.5.1 Establishing the Configuration Task
9.5.2 Configuring a Mapping Group for Signaling and Media Addresses
9.5.3 Enabling a Mapping Group for Signaling and Media Addresses
9.5.4 (Optional) Enabling Dual-homing
9.5.5 Checking the Configuration
9.5.1 Establishing the Configuration Task
Applicable Environment
When an SBC needs to forward call requests from a voice or video terminal to the public network
call control center, you need to configure the signaling proxy. When an SBC needs to forward
the Real Time Protocol (RTP) or Real Time Control Protocol (RTCP) multimedia streams, you
need to configure the media proxy.
The device needs to be configured to support the dual-homing function of the softswitch to
prevent any communications fault in the case of softswitch failures.
Pre-configuration Tasks
Before configuring the NGN architecture-based media address mapping, complete the following
tasks:
l Configuring basic information about the SBC
l Configuring the IP addresses of loopback interfaces used by a mapping group for signaling
and media addresses
NOTE
For the loopback interface configurations, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - Interfaces and Links.
Data Preparation
To configure the signaling proxy and media proxy, you need the following data.
No. Data
1. Slot number of the active SBC board that is bound to a signaling address and a media address
2. Loopback interfaces used by a mapping group for signaling and media addresses
3. Interval for detecting the softswitch status

9.5.2 Configuring a Mapping Group for Signaling and Media Addresses
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
sbc mapgroup proxy mapgroup-index
A mapping group for signaling and media addresses is created and the mapping group view is
displayed.
Step 4 Run:
softxaddr [ vpn-instance vpn-instance-name ] softx-address &<1-4>
The IP address of the signaling mapping on the Softswitch is configured.
Step 5 (Optional) Run:
description mapgroup-description
The description of the mapping group is configured.
Step 6 Run:
clientaddr { loopback interface-number } &<1-4>
A signaling address at the user side is configured and the signaling address is bound to the active
SBC board.
Up to four signaling addresses at the user side can be configured in the system. The loopback
interface that is bound to a signaling address at the user side cannot be used in other
configurations. The same loopback interface cannot be bound to a signaling address at the user
side and a signaling address at the server side at the same time.
Step 7 Run:
serveraddr [ vpn-instance vpn-instance-name ] { loopback interface-number } &<1-4>
A signaling address at the server side is configured and the signaling address is bound to the
active SBC board.
Up to four signaling addresses at the server side can be configured in the system. The loopback
interface that is bound to a signaling address at the server side cannot be used in other
configurations and the same loopback interface cannot be bound to a signaling address at the
user side and a signaling address at the server side at the same time.
Step 8 Run:
media-clientaddr [ vpn-instance vpn-instance-name ] { loopback interface-number } &<1-4>
A media address at the user side is configured and the media address is bound to the active SBC
board.
Up to four media addresses at the user side can be configured in the system. The loopback
interface that is bound to a media address at the user side cannot be used in other configurations.
The same loopback interface cannot be bound to a media address at the user side and a media
address at the server side at the same time.
Step 9 Run:
media-serveraddr [ vpn-instance vpn-instance-name ] { loopback interface-number } &<1-4>
A media address at the server side is configured and the media address is bound to the active
SBC board.
Up to four media addresses at the server side can be configured in the system. The loopback
interface that is bound to a media address at the server side cannot be used in other configurations
and the same loopback interface cannot be bound to a media address at the user side and a media
address at the server side at the same time.
VPN users may use different mapping groups during sessions. In this case, ensure that media
addresses at the user side and media addresses at the server side of different mapping groups
that are used by VPN users are bound to the same active SBC board.
By default, no media address mapping group is configured on the ME60.
----End
9.5.3 Enabling a Mapping Group for Signaling and Media Addresses
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
sbc mapgroup proxy mapgroup-index
A mapping group for signaling and media addresses is created and the mapping group view is
displayed.
Step 4 Run:
enable
The mapping group for signaling and media addresses is enabled.
A mapping group for signaling and media addresses can be enabled only after signaling and
media addresses at the user side and the server side are configured.
NOTE
When sessions exist on SBC boards, new sessions may fail to be established, if signaling and media
addresses of a mapping group are changed or the undo enable command is run to disable the mapping
group.
----End
9.5.4 (Optional) Enabling Dual-homing
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc dual-homing sip-detect enable
The dual-homing SIP detection function is enabled.
Step 3 Run:
sbc timer dual-homing sip-detect interval
The interval for detecting the softswitch status is configured.
Step 4 Run:
sbc sip register-reduce enable
Refreshing SIP registration is enabled and the configuration of the interval for detecting the
softswitch status takes effect.
----End
9.5.5 Checking the Configuration
Action: Check the configuration of a media address mapping group.
Command: display sbc mapgroup proxy [ mapgroup-index ]

# Display the configuration of a media address mapping group with the index as 1.
<Quidway> display sbc mapgroup proxy 1
sbc mapgroup proxy 1
description huawei
clientaddr ip:9.9.9.17 slot:11 ip:9.9.9.19 slot:11
serveraddr ip:9.9.9.18 slot:11 ip:9.9.9.20 slot:11
media-clientaddr ip:9.9.9.17 slot:11 ip:9.9.9.19 slot:11
media-serveraddr ip:9.9.9.18 slot:11 ip:9.9.9.20 slot:11
enable
9.6 Configuring the IADMS Proxy
This section describes how to configure the IAD Management System (IADMS) proxy.
9.6.1 Establishing the Configuration Task
9.6.2 Enabling the IADMS Proxy
9.6.3 Loading the IADMS MIB
9.6.4 Configuring the Port Numbers
9.6.5 (Optional) Configuring the IADMS Timer and Other Optional Functions
9.6.6 Checking the Configuration
9.6.1 Establishing the Configuration Task
Applicable Environment
The IADMS is always overloaded because it directly manages a great number of IADs. To reduce
the load of the IADMS or enable packets exchanged between IADs and the IADMS to traverse
the NAT device, you can configure the IADMS proxy.
Pre-configuration Task
Before configuring the IADMS proxy, complete the following tasks:
l Installing the VSU
l Configuring Basic Information About the SBC
Data Preparation
To configure the IADMS proxy, you need the following data.
No. Data
1. (Optional) MIB version
2. ClientAddress, ServerAddress, and IADMSAddress
3. Well-known port numbers at the user side, the range of the dynamic ports at the server side, and a well-known port of the IADMS
4. (Optional) Value of the IADMS timer

9.6.2 Enabling the IADMS Proxy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc iadms enable
The IADMS proxy is enabled.
By default, the IADMS proxy is enabled.
----End
9.6.3 Loading the IADMS MIB
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc iadms mib register { v150 | v152 | v160 | v210 | amend | all }
The IADMS MIB is loaded.
The SBC communicates with the IADMS through SNMP. So, you need to load the IADMS
MIB. The IADMS MIB has several versions, and you can load the proper version as required.
By default, the MIB is not loaded.
----End
9.6.4 Configuring the Port Numbers
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Configure the SNMP well-known port numbers for the user side (IAD) and the IADMS.
l Run the sbc wellknownport clientaddr client-address snmp client-port command to
configure the well-known port number for the IAD (user side).
l Run the sbc wellknownport iadmsaddr iadms-address snmp iadms-port command to
configure the well-known port number for the IADMS.
Step 3 Run:
sbc portrange { signal | media } begin begin-port end end-port
The range of the dynamic port numbers at the server side is set.
The IADMS proxy implementation involves three types of port numbers: well-known port
numbers at the user side, dynamic port numbers at the IADMS side, and well-known port
numbers provided by the IADMS.
By default, the well-known SNMP port number at the user side and well-known port number of
the IADMS are both 162. For the signaling proxy, the port number at the server side ranges from
10001 to 29999. For the media proxy, the port number at the server side ranges from 30000 to
49999.
----End
9.6.5 (Optional) Configuring the IADMS Timer and Other Optional Functions
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc timer iadms period
The IADMS timer is configured.
Step 3 Run:
sbc iadms register refresh enable
The address refresh function is enabled for IADMS users.
Step 4 Run:
sbc iadms easy-check enable
The fuzzy match is enabled for IADMS-related packets.
After the address refresh function is enabled for IADMS users and the IP address of the client (NAT or IAD) connected to the SBC changes, the SBC can detect the registration packet or heartbeat packet sent by the terminal and update the IP address of the user accordingly.
The registration packet and heartbeat packet vary among IADs. The fuzzy match function matches the OID of the registration packet from the IAD with the OID of the heartbeat packet. If the two OIDs match, the registration packet can pass the SBC.
By default, the IADMS timer is set to 20 minutes, and the address refresh function and the fuzzy
match are disabled.
----End
9.6.6 Checking the Configuration
Run the following commands to check the previous configuration.
Action: Check the brief information about the SBC.
Command: display sbc brief
Action: Check the registration information of all IADs.
Command: display sbc reginfo snmp
Action: Check information about the user group.
Command: display sbc user-group group-number
Action: Check the configuration of the IADMS proxy.
Command: display sbc iadms configuration
Action: Check the well-known port numbers.
Command: display sbc wellknownport { sip | mgcp | h248 | h323 | upath | snmp | { clientaddr | iadmsaddr | softxaddr } ip-address }

9.7 Configuring Signaling Attack Defense
This section describes how to configure signaling attack defense.
9.7.1 Establishing the Configuration Task
9.7.2 Enabling Signaling Attack Defense
9.7.3 Configuring the Defense Mode
9.7.4 (Optional) Configuring the Threshold and Security Factor for Access Rate
9.7.5 (Optional) Configuring Other Optional Parameters
9.7.6 Checking the Configuration
9.7.1 Establishing the Configuration Task
Applicable Environment
To protect the SBC against malicious signaling attacks, configure the signaling attack defense
on the SBC.
Pre-configuration Task
Before configuring signaling attack defense, complete the following tasks:
l Installing the VSU
l Configuring Basic Information About the SBC
l Configuring the signaling proxy and media proxy
Data Preparation
To configure signaling attack defense, you need the following data.
No. Data
1. Defense mode, manual or automatic
2. (Optional) Threshold and security factor for the access rate
3. (Optional) Queue length and total number of the queues
4. (Optional) Aging time of the statistics table

9.7.2 Enabling Signaling Attack Defense
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend signaling-flood enable
The signaling attack defense is enabled.
By default, the signaling attack defense is enabled. This function cannot be disabled when a
signaling attack occurs.
----End
9.7.3 Configuring the Defense Mode
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend signaling-flood { automatic-mode | manual-mode }
The defense mode is configured.
The SBC operates in manual mode or automatic mode to provide defense against the signaling attack. In automatic mode, the SBC detects the access rate. When the SBC detects a signaling attack, it handles packets according to strict rules and then forwards them. If the access rate is normal, the SBC forwards packets as usual. In manual mode, regardless of the detection result, the SBC always handles packets according to strict rules and then forwards them.
By default, the SBC operates in automatic mode to provide defense if the signaling attack defense is enabled.
----End
9.7.4 (Optional) Configuring the Threshold and Security Factor for Access Rate
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend signaling-flood { sip | mgcp | h323 | signaling } [ per-user ] connection-rate { threshold threshold | percent percent }
The threshold and security factor of the user access rate are configured.
The SBC judges whether a signaling attack occurs by the access rate. You can configure a
threshold for a single user or for all the users.
The security factor is a percentage by which the SBC judges whether the signaling attack is
suppressed. The SBC stops the attack defense when it finds that the access rate is lower than the
threshold multiplied by the security factor.
NOTE
The configuration is applicable only to the SBC operating in the automatic mode.
Table 9-2 shows the default threshold for each signaling protocol. The signaling keyword in the command indicates the threshold of all the signaling protocols. The security factor for each signaling protocol is 80%.
Table 9-2 Default thresholds of the access rate for signaling protocols
Signaling Protocol | Threshold for All Users (pps) | Threshold for a Single User (pps)
SIP | 640 | 32
MGCP | 640 | 32
H.323 | 640 | 32
All signaling protocols | 1280 | 64

----End
9.7.5 (Optional) Configuring Other Optional Parameters
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend signaling-flood queue { length queue-length | number queue-number } *
The length of each queue and the total number of queues are configured.
Step 3 Run:
sbc timer defend signaling-flood statistic-table time
The aging time of the statistics table is configured.
Step 4 Run:
sbc defend signaling-flood action log
The attack information will be recorded in the log.
By default, the values of the preceding parameters are as follows:
l The queue length is 1024; that is, a queue contains a maximum of 1024 packets.
l The total number of queues is 8.
l The lifetime of the statistics table is 120 seconds.
l The attacker is recorded in the suspicious user list.
----End
9.7.6 Checking the Configuration
Run the following commands to check the previous configuration. For the explanation of the
information, refer to the Quidway ME60 Multiservice Control Gateway Command Reference.
Action: Check the brief information about the SBC.
Command: display sbc brief
Action: Check information about the user group.
Command: display sbc user-group group-number
Action: Check the configuration of signaling attack defense.
Command: display sbc defend signaling-flood current-configuration
Action: Check the record of suspicious users for signaling attack defense in the specified range.
Command: display sbc defend signaling-flood gray-list [ record begin begin-entry end end-entry | user-id user-id | ip ip-address port port-number ]
Action: Check the information about the queue for signaling attack defense.
Command: display sbc defend signaling-flood queue
Action: Check the statistics of signaling attack defense.
Command: display sbc defend signaling-flood statistics

9.8 Configuring the CAC Function
This section describes how to configure the CAC function.
9.8.1 Establishing the Configuration Task
9.8.2 Enabling the CAC Function
9.8.3 (Optional) Configuring the CAC Parameters for a Single User
9.8.4 (Optional) Configuring the CAC Parameters for All Users
9.8.5 (Optional) Configuring Other Optional Parameters
9.8.6 Checking the Configuration
9.8.1 Establishing the Configuration Task
Applicable Environment
To ensure the security of the SBC and the softswitch and to ensure service provisioning for specified users, you can configure the CAC function to limit the number of registered users, the number of concurrent sessions, the registration rate, and the session rate.
Pre-configuration Task
Before configuring the CAC function, complete the following tasks:
l Installing the VSU
l Configuring Basic Information About the SBC
l Configuring the signaling proxy and media proxy
Data Preparation
To configure the CAC function, you need the following data.
No. Data
1. (Optional) Maximum number of times a user can register in a unit of time and the security factor
2. (Optional) Maximum number of calls that a user can initiate in a unit of time and the security factor
3. (Optional) Maximum number of users that can register in a unit of time and the security factor
4. (Optional) Maximum number of sessions that can be initiated in a unit of time and the security factor
5. (Optional) CAC action, namely permit, deny, or log
6. (Optional) Aging time of the statistics table

9.8.2 Enabling the CAC Function
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc cac enable
The CAC function is enabled.
By default, the CAC function is disabled.
----End
9.8.3 (Optional) Configuring the CAC Parameters for a Single User
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc cac { sip | mgcp | h323 | signaling } per-user register-rate { threshold threshold | percent percent } *
The maximum number of times a user can register in a unit of time and the security factor are configured.
Step 3 Run:
sbc cac { sip | mgcp | h323 | signaling } per-user concurrent-call-rate { threshold threshold | percent percent } *
The maximum number of calls that a user can initiate in a unit of time and the security factor are configured.
The SBC rejects a user if the number of times the user registers or the number of calls that the user initiates in a second is greater than the threshold. The SBC allows the user to register or initiate calls again when the number of times the user registers or the number of calls that the user initiates in a second falls below the threshold multiplied by the security factor.
Table 9-3 shows the default thresholds of registration rate and call rate for a single user when
various signaling protocols are used. The signaling keyword in the preceding command indicates
the threshold of all the signaling protocols. The security factor for each signaling protocol is
80%.
Table 9-3 Default thresholds of registration rate and call rate for a user
Signaling Protocol | Threshold of Registration Rate (pps) | Threshold of Call Rate (pps)
SIP | 32 | 32
MGCP | 32 | 32
H.323 | 32 | 32
All signaling protocols | 64 | 64

----End
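The threshold and security-factor rule in 9.7.4 (signaling-flood defense in automatic mode) and 9.8.3 (per-user CAC) is the same hysteresis: protection starts once the rate exceeds the threshold and is lifted only when the rate falls below threshold multiplied by the security factor. The following is an added Python model of that rule, not Huawei code; the defaults come from Table 9-2 and Table 9-3, and the per-second rate samples are constructed test data.

```python
"""Hysteresis rate guard for the ME60 SBC threshold / security-factor rule.

Added example (not Huawei code). Models 9.7.4 (signaling-flood defense,
automatic mode) and 9.8.3 (per-user CAC): the strict handling or rejection
starts when the observed rate exceeds the threshold and stops only once the
rate falls below threshold * security factor. Defaults are taken from
Table 9-2 and Table 9-3; the security factor is 80% for every protocol.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Table 9-2 defaults for signaling-flood defense: (all users, single user) in pps.
FLOOD_DEFAULTS = {
    "sip": (640, 32),
    "mgcp": (640, 32),
    "h323": (640, 32),
    "signaling": (1280, 64),   # the 'signaling' keyword covers all protocols
}

# Table 9-3 defaults for per-user CAC: (register-rate, call-rate) in pps.
CAC_PER_USER_DEFAULTS = {
    "sip": (32, 32),
    "mgcp": (32, 32),
    "h323": (32, 32),
    "signaling": (64, 64),
}

DEFAULT_PERCENT = 80  # security factor, in percent


@dataclass
class RateGuard:
    """Two-level detector: active == True while strict handling / rejection is in force."""
    threshold: int
    percent: int = DEFAULT_PERCENT
    active: bool = False
    history: List[bool] = field(default_factory=list)

    @property
    def release_level(self) -> float:
        # Protection is lifted only below threshold * security factor.
        return self.threshold * self.percent / 100.0

    def observe(self, rate: float) -> bool:
        """Feed one per-second rate sample and return the resulting state."""
        if not self.active and rate > self.threshold:
            self.active = True            # over-rate condition detected
        elif self.active and rate < self.release_level:
            self.active = False           # rate is back under the safe level
        self.history.append(self.active)
        return self.active


def flood_defense_states(protocol: str, per_user: bool, rates: List[float],
                         threshold: Optional[int] = None,
                         percent: int = DEFAULT_PERCENT) -> List[bool]:
    """9.7.4, automatic mode: True = packets handled under the strict rules,
    False = normal forwarding. threshold=None uses the Table 9-2 default."""
    total, single = FLOOD_DEFAULTS[protocol]
    level = threshold if threshold is not None else (single if per_user else total)
    guard = RateGuard(level, percent)
    return [guard.observe(r) for r in rates]


def cac_per_user_decisions(protocol: str, kind: str, rates: List[float],
                           threshold: Optional[int] = None,
                           percent: int = DEFAULT_PERCENT) -> List[str]:
    """9.8.3: 'deny' while a user's register or call rate is over the threshold,
    'permit' again once it falls below threshold * security factor."""
    register_rate, call_rate = CAC_PER_USER_DEFAULTS[protocol]
    default = register_rate if kind == "register" else call_rate
    level = threshold if threshold is not None else default
    guard = RateGuard(level, percent)
    return ["deny" if guard.observe(r) else "permit" for r in rates]


if __name__ == "__main__":
    # Constructed samples: a SIP burst seen across all users, then one user.
    sip_all = [600, 700, 600, 520, 500, 300]
    print(flood_defense_states("sip", per_user=False, rates=sip_all))
    # -> [False, True, True, True, False, False]: 700 > 640 triggers, 500 < 512 releases
    one_user = [10, 40, 30, 26, 25, 5]
    print(cac_per_user_decisions("sip", "register", one_user))
    # -> ['permit', 'deny', 'deny', 'deny', 'permit', 'permit']
```

Note that a rate exactly equal to the threshold does not trigger, and a rate exactly equal to threshold multiplied by the factor does not release, which is what "exceeds" and "falls below" in the text imply.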
9.8.4 (Optional) Configuring the CAC Parameters for All Users
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc cac { sip | mgcp | h323 | signaling } register-total { threshold threshold | percent percent } *
The threshold of registered users and the security factor are set.
NOTE
When the number of registered users exceeds the threshold multiplied by the security factor, the system displays the alarm information in the debugging information but does not limit the user registration.
Step 3 Run:
sbc cac { sip | mgcp | h323 | signaling } concurrent-call-total { threshold threshold | percent percent } *
The threshold of concurrent calls and the security factor are set.
If the CAC behavior is permit, the SBC allows users to register when the number of registered users exceeds the threshold. If the CAC behavior is not permit, the SBC rejects user registration until the number of registered users becomes less than the threshold.
Table 9-4 shows the default thresholds of registration rate and call rate for all the users when
various signaling protocols are used. The signaling keyword in the preceding command indicates
the threshold of all the signaling protocols. The security factor for each signaling protocol is
80%.
Table 9-4 Default thresholds for registration rate and call rate for all users
Signaling Protocol | Threshold of Registration Rate (pps) | Threshold of Call Rate (pps)
SIP | 80000 | 32000
MGCP | 80000 | 32000
H.323 | 16000 | 8000
All signaling protocols | 80000 | 32000

----End
9.8.5 (Optional) Configuring Other Optional Parameters
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc cac action { permit | deny } [ log ]
The CAC action is configured.
Step 3 Run:
sbc timer cac statistic-table time
The aging time of the statistics table is configured.
By default, the CAC function denies access of a user when the registration rate or call rate of the user exceeds the threshold. The user is recorded in the list of suspicious users but is not recorded in the log, because the ME60 does not support this function.
By default, the aging time of the statistics table is 120 seconds.
----End
9.8.6 Checking the Configuration
Run the following commands to check the previous configuration.
Action: Check the brief information about the SBC.
Command: display sbc brief
Action: Check information about the user group.
Command: display sbc user-group group-number
Action: Check the configuration of the CAC function.
Command: display sbc cac current-configuration
Action: Check the record of suspicious users for CAC in the specified range.
Command: display sbc cac gray-list [ record begin begin-entry end end-entry | user-id user-id | ip ip-address port port-number ]
Action: Check the CAC statistics.
Command: display sbc cac statistics

9.9 Configuring the Session-based CAR
This section describes how to configure the session-based CAR.
9.9.1 Establishing the Configuration Task
9.9.2 Enabling the Session-based CAR
9.9.3 Configuring the CAR Level
9.9.4 Configuring the CAR Rule
9.9.5 Checking the Configuration
9.9.1 Establishing the Configuration Task
Applicable Environment
To limit the bandwidth allocated to a media stream, configure the session-based CAR.
Pre-configuration Task
Before configuring the session-based CAR, complete the following tasks:
l Installing the VSU
l Configuring Basic Information About the SBC
l Configuring the signaling proxy and media proxy
Data Preparation
To configure the session-based CAR, you need the following data.
No. Data
1. CAR level and the corresponding bandwidth
2. User name or the domain name

9.9.2 Enabling the Session-based CAR
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc sessioncar enable
The session-based CAR is enabled.
By default, the session-based CAR is not enabled.
----End
9.9.3 Configuring the CAR Level
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc sessioncar degree degree-id bandwidth bandwidth
The CAR level is configured.
On the SBC, you can define up to 16 CAR levels that represent 16 bandwidth values.
By default, the session-based CAR is not enabled.
----End
9.9.4 Configuring the CAR Rule
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc sessioncar rule rule-id username degree degree-id
The CAR rule is configured.
If the registered user is the calling party, the SBC matches the called party based on the CAR
rules before matching the calling party. In the case of an MGCP/H.248 user, the domain name
is used as username. If the registered user is the called party, the SBC matches only the called
party based on the CAR rules.
The rule ID indicates the priority of the rule. The SBC always uses the rule with a smaller ID.
When the SBC determines that a user matches a rule, it stops matching the subsequent rules with
that user.
By default, no CAR rule is configured.
----End
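The matching order the three tasks above describe (rule ID as priority, called party matched before the calling party, only the called party when the registered user is called) can be modelled to check a CAR configuration offline. This is an added Python example, not Huawei code; bandwidth units and the user names are assumptions of the example.

```python
"""Model of the session-based CAR lookup described in 9.9.2 to 9.9.4.

Added example, not Huawei code: it reproduces the matching order the guide
describes (rule ID as priority, called party matched before the calling party)
so the effect of a CAR configuration can be checked offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CarRule:
    rule_id: int    # smaller ID = higher priority
    username: str   # user name, or the domain name for MGCP/H.248 users
    degree_id: int  # CAR level configured with "sbc sessioncar degree"


class SessionCar:
    MAX_DEGREES = 16  # the SBC supports up to 16 CAR levels

    def __init__(self) -> None:
        self.enabled = False                # "sbc sessioncar enable"
        self.degrees: Dict[int, int] = {}   # degree-id -> bandwidth (unit as configured)
        self.rules: Dict[int, CarRule] = {}

    def set_degree(self, degree_id: int, bandwidth: int) -> None:
        """sbc sessioncar degree degree-id bandwidth bandwidth"""
        if degree_id not in self.degrees and len(self.degrees) >= self.MAX_DEGREES:
            raise ValueError("at most 16 CAR levels can be defined")
        self.degrees[degree_id] = bandwidth

    def add_rule(self, rule_id: int, username: str, degree_id: int) -> None:
        """sbc sessioncar rule rule-id username degree degree-id"""
        if degree_id not in self.degrees:
            raise ValueError(f"CAR level {degree_id} is not defined")
        self.rules[rule_id] = CarRule(rule_id, username, degree_id)

    def match(self, name: str) -> Optional[CarRule]:
        """First rule matching the name in ascending rule-id order; later rules are skipped."""
        for rule_id in sorted(self.rules):
            if self.rules[rule_id].username == name:
                return self.rules[rule_id]
        return None

    def bandwidth_for_call(self, registered: str, calling: str, called: str) -> Optional[int]:
        """Bandwidth limit for the media stream of one call, or None if no rule applies.

        'registered' is the party that registered on this SBC (the user name, or
        the domain name for MGCP/H.248, that the rules are written against).
        """
        if not self.enabled:
            return None
        if registered == calling:
            order = [called, calling]   # called party is matched first, then the caller
        else:
            order = [called]            # registered called party: only the called party
        for name in order:
            rule = self.match(name)
            if rule is not None:
                return self.degrees[rule.degree_id]
        return None

    def to_config(self) -> List[str]:
        """Render the model as the CLI lines from 9.9.2 to 9.9.4."""
        lines = ["sbc sessioncar enable"] if self.enabled else []
        lines += [f"sbc sessioncar degree {d} bandwidth {bw}"
                  for d, bw in sorted(self.degrees.items())]
        lines += [f"sbc sessioncar rule {r.rule_id} {r.username} degree {r.degree_id}"
                  for _, r in sorted(self.rules.items())]
        return lines
```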
9.9.5 Checking the Configuration
Run the following commands to check the previous configuration.
Action Command
Check the brief information about the SBC.
    display sbc brief
Check information about the user group.
    display sbc user-group group-number
Check the level of the session-based CAR or the rules.
    display sbc sessioncar { degree all | degreeid degree-id | rule all | ruleid rule-id | username username }

9.10 Configuring Signaling NAT
This section describes how to configure signaling NAT. See Example for Configuring the IMS
Networking.
9.10.1 Establishing the Configuration Task
9.10.2 Configuring a NAT Address
9.10.3 Configuring IMS Signaling NAT
9.10.4 Configuring the Traffic Policy for Signaling NAT
9.10.5 Applying the Traffic Policy
9.10.6 (Optional) Configuring the Aging Time of the NAT Session Table
9.10.7 Checking the Configuration
9.10.1 Establishing the Configuration Task
Applicable Environment
When the UE is located in a private network, you can configure the NAT function on the
ME60 to translate the private address of the UE to a public address. Thus, the ME60 can exchange
signaling packets with the P-CSCF.
Pre-configuration Tasks
Before configuring signaling NAT, complete the following tasks:
l Configuring Basic SBC Information
l Configuring an SBC Backup Group
NOTE
If the UE and CSCF are located in different VPNs, or one of them is in the public network and the other
is in a VPN, you need to enable mutual access between VPNs on the ME60. For details about mutual access
between VPNs, refer to the Quidway ME60 Multiservice Control Gateway Configuration Guide - VPN.
Data Preparation
To configure signaling NAT, you need the following data.
No. Data
1 Addresses in the NAT address pool
2 Traffic policy for signaling NAT
3 Aging time of the NAT session table

9.10.2 Configuring a NAT Address
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
nat address-group group-index start-address end-address [ vpn-instance vpn-instance-name ]
A NAT address pool is created. By default, no NAT address pools are configured.
Here, vpn-instance vpn-instance-name specifies the VPN instance that the NAT address pool
belongs to.
Step 3 Configure the IP address of the outgoing interface that connects the ME60 to the CSCF.
1. Run:
interface interface-type interface-number
The interface view is displayed.
2. Run:
ip address ip-address { mask | mask-length }
The IP address of the interface is configured.
The IP address of this interface must be in the network segment of the NAT address pool.
You must set a proper mask for the IP address so that all the addresses in the address pool
are included in the network segment.
NOTE
l After the IP address of the outgoing interface connected to the CSCF is configured, the route of this
network segment is advertised through the routing protocol. The advertised network segment contains
all the addresses in the NAT address pool, so the route of the NAT address pool can be advertised.
l For the configuration of the routing protocol, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - IP Routing.
----End
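The mask requirement in Step 3 (every address in the NAT address pool must lie in the outgoing interface's network segment) is easy to get wrong; the following added Python helpers, which are not Huawei code, verify it and emit the corresponding commands. The interface name and the sample addresses (taken from the display output later in this section) are assumptions.

```python
"""Check that the outgoing interface's segment covers the NAT address pool (9.10.2).

Added example, not Huawei code. The guide requires the interface address and
mask to be chosen so the advertised segment contains every pool address;
these helpers verify that and suggest the longest mask that still works.
"""
import ipaddress
from typing import List, Optional, Tuple


def pool_range(start: str, end: str) -> Tuple[int, int]:
    """The pool as integer bounds, as given to 'nat address-group'."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError("end-address precedes start-address")
    return s, e


def interface_segment(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Segment of 'ip address ip-address { mask | mask-length }' (dotted mask or prefix length)."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def pool_is_covered(start: str, end: str, if_ip: str, if_mask: str) -> bool:
    """True when every pool address lies inside the interface's network segment."""
    s, e = pool_range(start, end)
    net = interface_segment(if_ip, if_mask)
    return int(net.network_address) <= s and e <= int(net.broadcast_address)


def longest_covering_prefix(start: str, end: str, if_ip: str) -> int:
    """Longest prefix length whose segment holds both the interface IP and the whole pool."""
    s, e = pool_range(start, end)
    lo = min(s, int(ipaddress.IPv4Address(if_ip)))
    hi = max(e, int(ipaddress.IPv4Address(if_ip)))
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi <= int(net.broadcast_address):
            return prefix
    return 0


def signaling_nat_config(group_index: int, start: str, end: str,
                         if_name: str, if_ip: str, if_mask: str,
                         vpn: Optional[str] = None) -> List[str]:
    """CLI lines for Step 2 and Step 3 of 9.10.2; refuses a mask that does not cover the pool."""
    if not pool_is_covered(start, end, if_ip, if_mask):
        raise ValueError(
            f"{if_ip}/{if_mask} does not cover {start}-{end}; "
            f"use a prefix length of at most /{longest_covering_prefix(start, end, if_ip)}")
    vpn_part = f" vpn-instance {vpn}" if vpn else ""
    return [
        f"nat address-group {group_index} {start} {end}{vpn_part}",
        f"interface {if_name}",
        f" ip address {if_ip} {if_mask}",
    ]
```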
9.10.3 Configuring IMS Signaling NAT
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc instance-name
The SBC instance group view is displayed.
Step 3 Run:
signaling nat [ src-vpn vpn-instance-name ] address-group group-index
The NAT address pool used for IMS signaling is configured.
If the UE belongs to a VPN, you need to specify src-vpn vpn-instance-name. After the VPN is
specified, the addresses of the IMS signaling packets from the specified VPN are translated to
the addresses in the NAT address pool.
----End
9.10.4 Configuring the Traffic Policy for Signaling NAT
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier traffic-classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed.
Step 3 Define the rule for matching data packets as follows:
l To match the 802.1p field in a packet, run:
if-match 8021p 8021p-code
l To match the source MAC address of a packet, run:
if-match source-mac mac-address
l To match the destination MAC address of a packet, run:
if-match destination-mac mac-address
l To match packets with an ACL, run:
if-match acl acl-number
l To match the DSCP field of a packet, run:
if-match dscp dscp-value
l To match the IP precedence of a packet, run:
if-match ip-precedence ip-precedence-value
l To match the TCP SYN flag of a packet, run:
if-match tcp syn-flag flag-value
l To specify that all IPv4 packets are matching, run:
if-match any
NOTE
The ACL-based matching rule is recommended. You can specify that a packet whose destination
address is the address of the CSCF matches the ACL.
Step 4 Run:
quit
The system exits from the traffic classifier view.
Step 5 Run:
traffic behavior behavior-name
A behavior is created and the behavior view is displayed.
Step 6 Run:
sbc-nat slot-id
The NAT function is enabled for the IMS signaling packets.
NOTE
After sbc-nat is configured in a traffic behavior, you cannot configure redirect in the same
behavior view.
Step 7 Run:
quit
The system exits from the behavior view.
Step 8 Run:
traffic policy traffic-policy-name
The traffic policy view is displayed.
Step 9 Run:
classifier traffic-classifier-name behavior behavior-name
The traffic classifier is associated with the behavior in the traffic policy.
In this step, the value of behavior-name must be the same as the value of behavior-name specified
in Step 5. That is, the behavior must be enabled with the NAT function.
For the configuration of a traffic policy, refer to the Quidway ME60 Multiservice Control
Gateway Configuration Guide - QoS.
----End
9.10.5 Applying the Traffic Policy
Procedure
l Applying the Traffic Policy Globally
1. Run:
system-view
The system view is displayed.
2. Run:
traffic-policy traffic-policy-name inbound
The traffic policy is applied to the inbound direction.
l Applying the Traffic Policies to an Interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
This interface must be the incoming interface connected to the UE.
3. Run:
traffic-policy traffic-policy-name { inbound | outbound } [ link-layer ]
The traffic policy is applied to the interface.
----End
9.10.6 (Optional) Configuring the Aging Time of the NAT Session Table
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc nat session aging-time aging-time
The aging time of the NAT session table is configured.
By default, the aging time of the NAT session table is 20 seconds.
----End
9.10.7 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action Command
Check information about the NAT address pool.
    display nat { address-group [ group-index ] | all | outbound | server }
Check the mapping between the NAT address pool and a VPN instance.
    display sbc nat relation [ instance instance-name | address-group group-index | src-vpn vpn-instance-name ]
Check the aging time of the NAT session table.
    display sbc nat session aging-time
Check the statistics of the signaling NAT session.
    display sbc nat session statistic slot-id
Check information about the NAT session.
    display sbc nat session slot-id

# Display information about NAT address pool 0.
<Quidway> display nat address-group 0
NAT address-group information:
Group Index : 0
StartAddr : 2.2.2.36 EndAddr : 2.2.2.66
Vpn-instance :
Used Status : Used by SBC Ref-Count : 2
Total 1 address-groups
NAT outbound information:
Total 0 nat outbounds
# Display the mapping between the NAT address pool and the VPN instance in an SBC instance
group.
<Quidway> display sbc nat relation instance default
SBC natpool-vpn relation items:
SBC-INSTANCE POOL-ID SRC-VPN
------------------------------------------------------------------------
default 1 vpn-1
default 0
default 1
default 0 vpn-1
# Display information about the signaling NAT session on the SBC board in slot 5.
<Quidway> display sbc nat session 5
SBC signaling nat session:
------------------------------------------------------------------------------
Protocol: icmp
IP&PORT : 192.166.1.18:2048[8.0.0.4:10240]-->100.99.0.1:512
Src-vpn :
Des-vpn :
9.11 Configuring SBC Lawful Interception
This section describes how to configure the lawful interception feature of the SBC.
9.11.1 Establishing the Configuration Task
9.11.2 Configuring Lawful Interception
9.11.3 Checking the Configuration
9.11.1 Establishing the Configuration Task
Applicable Environment
According to the SBC lawful interception configured on the ME60, the SPDF delivers
information about the interception object to the ME60 through the Ia interface on the IMS
network. Thus the specified traffic flows can be intercepted.
Pre-configuration Tasks
Before configuring SBC lawful interception, complete the following tasks:
l Configuring the X3 interface
l Configuring the IP address and port of the LIG
l (Optional) Setting the heartbeat parameters of lawful interception
Data Preparation
To configure SBC lawful interception, you need the following data.
No. Data
1 Loopback interface of the X3 interface
2 IP address and listening port of the LIG
3 (Optional) Heartbeat interval and maximum number of heartbeat retransmission
events of the X3 interface

9.11.2 Configuring Lawful Interception
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc lawful-interception x3-interface Loopback interface-number port port-number
The loopback interface and port number of the X3 interface are configured.
Step 3 Run:
sbc lawful-interception lig ip ip-address port port-number
The IP address and port number of the LIG are configured.
Step 4 (Optional) Run:
sbc lawful-interception heartbeat heartbeat-value times times-value
The heartbeat interval and maximum number of transmission events are set. By default, the value
of heartbeat-value is 60 and the value of times-value is 3.
Step 5 Run:
sbc lawful-interception enable
Lawful interception is enabled.
----End
9.11.3 Checking the Configuration
Run the following command in any view to check the previous configuration.
Action Command
Display the information about lawful interception.
    display sbc lawful-interception

# Display the information about lawful interception.
<Quidway> display sbc lawful-interception
Lawful Interception:
Lawful Interception function : Enabled
Lawful Interception X3 interface : LoopBack5
Lawful Interception X3 port : 3666
Lawful Interception X3 LIG address : 7.19.1.250
Lawful Interception X3 LIG port : 2888
Lawful Interception X3 heartbeat : 60 seconds
Lawful Interception X3 heartbeat times : 1
Lawful Interception X3 state : linked
9.12 Configuring SBC Attack Defense
This section describes how to configure the attack defense feature of the SBC.
9.12.1 Establishing the Configuration Task
9.12.2 Configuring Flood Attack Defense
9.12.3 Configuring Single Packet Attack Defense
9.12.4 Checking the Configuration
9.12.1 Establishing the Configuration Task
Applicable Environment
On the IMS network, the CSCF equipment is vulnerable to attacks. You can configure the
ME60 to protect the specified IP addresses against attacks, thus protecting both the CSCF
equipment and the ME60.
Pre-configuration Tasks
Before configuring attack defense, complete the following tasks:
l Configuring Basic SBC Information
l Installing the SBC board
Data Preparation
To configure attack defense, you need the following data.
No. Data
1 IP address that is protected against flood attack
2 Threshold of flood attack defense

9.12.2 Configuring Flood Attack Defense
Context
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend ip-flood enable
The flood attack defense is enabled. By default, the flood attack defense is disabled.
Step 3 Run:
sbc defend ip-flood ip ip-address max-rate rate-number [ vpn-instance vpn-instance-name ]
The flood attack defense is configured for the specified IP address.
NOTE
The rate-number parameter refers to the sum of the rates of the first packet and later packets.
----End
9.12.3 Configuring Single Packet Attack Defense
Context
NOTE
Steps 2 to 7 are optional and can be performed in any sequence. You can select these steps to defend
against different types of attacks.
Do as follows on the ME60:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sbc defend ip-packet fraggle enable
The Fraggle attack defense is enabled.
Step 3 Run:
sbc defend ip-packet ip-fragment enable
The IP-Fragment attack defense is enabled.
Step 4 Run:
sbc defend ip-packet land enable
The Land attack defense is enabled.
Step 5 Run:
sbc defend ip-packet smurf enable
The Smurf attack defense is enabled.
Step 6 Run:
sbc defend ip-packet tcp-flag enable
The TCP flag attack defense is enabled.
Step 7 Run:
sbc defend ip-packet winnuke enable
The WinNuke attack defense is enabled.
----End
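The conditions behind the single packet switches of 9.12.3 and the per-address rate limit of 9.12.2, written as detection logic over constructed packet records. This is an added Python model, not Huawei code; the packet fields, the exact fragment checks and the one-second counting window are assumptions of the example, not the ME60's implementation.

```python
"""Detection logic for the flood and single packet attacks listed in 9.12.

Added example, not Huawei code: a small Python classifier applied to
constructed packet records, so the condition behind each "sbc defend" switch
can be seen and tested offline. The packet model and the exact fragment
checks are assumptions of this example, not the ME60's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Switch names as shown by "display sbc defend ip-packet flag"; all on here.
DEFAULT_FLAGS: Dict[str, bool] = {
    "land": True, "smurf": True, "fraggle": True,
    "winnuke": True, "tcp-flag": True, "ip-fragment": True,
}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)  # e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None  # 8 = echo request
    dst_is_broadcast: bool = False   # destination is a (directed) broadcast
    frag_offset: int = 0             # fragment offset in 8-byte units
    length: int = 40                 # IP payload length in bytes


def _illegal_tcp_flags(f: Set[str]) -> bool:
    # Combinations that never occur in a legitimate TCP exchange.
    null_scan = not f
    syn_fin = {"SYN", "FIN"} <= f
    xmas = {"FIN", "PSH", "URG"} <= f and "ACK" not in f
    return null_scan or syn_fin or xmas


def _bad_fragment(pkt: Packet) -> bool:
    # Reassembled datagram larger than the 65535-byte IP maximum, or a later
    # fragment whose offset falls inside a 20-byte transport header (assumed).
    end = pkt.frag_offset * 8 + pkt.length
    return end > 65535 or 0 < pkt.frag_offset * 8 < 20


def classify(pkt: Packet, flags: Optional[Dict[str, bool]] = None) -> List[str]:
    """Names of the enabled single-packet defenses that the packet trips."""
    f = DEFAULT_FLAGS if flags is None else flags
    hits: List[str] = []
    if f.get("land") and pkt.src == pkt.dst:
        hits.append("land")          # source address equals destination address
    if f.get("smurf") and pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst_is_broadcast:
        hits.append("smurf")         # echo request sent to a broadcast address
    if f.get("fraggle") and pkt.proto == "udp" and pkt.dst_is_broadcast and pkt.dport in (7, 19):
        hits.append("fraggle")       # UDP echo/chargen sent to a broadcast address
    if f.get("winnuke") and pkt.proto == "tcp" and pkt.dport == 139 and "URG" in pkt.tcp_flags:
        hits.append("winnuke")       # urgent data to the NetBIOS session port
    if f.get("tcp-flag") and pkt.proto == "tcp" and _illegal_tcp_flags(pkt.tcp_flags):
        hits.append("tcp-flag")
    if f.get("ip-fragment") and _bad_fragment(pkt):
        hits.append("ip-fragment")
    return hits


class FloodDefense:
    """Per-address packet-rate limit, as in 'sbc defend ip-flood ip ip-address max-rate rate'."""

    def __init__(self) -> None:
        self.enabled = False   # "sbc defend ip-flood enable"
        # (protected IP, vpn-instance or None) -> max-rate; the rate counts every
        # packet to the address, first packet and later packets alike.
        self.max_rate: Dict[Tuple[str, Optional[str]], int] = {}
        self._counts: Dict[Tuple[str, Optional[str], int], int] = defaultdict(int)

    def protect(self, ip: str, max_rate: int, vpn: Optional[str] = None) -> None:
        self.max_rate[(ip, vpn)] = max_rate

    def observe(self, dst: str, second: int, vpn: Optional[str] = None) -> bool:
        """Count one packet to dst in the given one-second slot; True once max-rate is exceeded."""
        key = (dst, vpn)
        if not self.enabled or key not in self.max_rate:
            return False
        self._counts[(dst, vpn, second)] += 1
        return self._counts[(dst, vpn, second)] > self.max_rate[key]
```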
9.12.4 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action Command
Display the information about flood attack defense.
    display sbc defend ip-flood current-configuration
Display the information about single packet attack defense.
    display sbc defend ip-packet flag

# Display the information about flood attack defense.
<Quidway> display sbc defend ip-flood current-configuration
defend-flag : disable
-------------------------------------------------------------------------------
sbc defend ip-flood ip 2.2.2.2 max-rate 22
sbc defend ip-flood ip 30.30.30.3 max-rate 1000
sbc defend ip-flood ip 30.30.30.3 vpn-instance zq max-rate 2000
# Display the information about single packet attack defense.
<Quidway> display sbc defend ip-packet flag
land : disable
smurf : enable
fraggle : enable
winnuke : enable
tcp-flag : enable
ip-fragment : enable
ip-flood : disable
9.13 Maintaining the SBC
This section provides the commands for debugging the SBC and clearing information about the
SBC.
9.13.1 Debugging an SBC
9.13.2 Clearing SBC Operation Information
9.13.1 Debugging an SBC
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs on an SBC, run the following debugging commands in the user view to
locate the fault. For the procedure for displaying debugging information, refer to the chapter
"System Maintenance" in the Quidway ME60 Multiservice Control Gateway Configuration
Guide - System Management.
Action Command
Enable debugging of address management.
    debugging sbc am { all | register | call | address | user-group | roam-limit | backup } { all | error | information | warning }
Enable debugging of H.248.
    debugging sbc h248 { all | call | register } { all | error | information | warning }
Enable debugging of H.323.
    debugging sbc h323 { all | h245 | q931 | ras } { all | error | information | warning }
Enable debugging of MGCP.
    debugging sbc mgcp { all | call | packet | register } { all | error | information | warning }
Enable debugging of SIP.
    debugging sbc sip { all | call | packet | register | stack } { all | error | information | warning }
Enable debugging of U-Path.
    debugging sbc upath { all | call | packet | register } { all | error | information | warning }
Enable debugging of the Integrated Access Device Management System (IADMS) proxy.
    debugging sbc iadms { all | decode | ftp | packet | register } { all | error | information | warning }
Enable debugging of signaling attack defense.
    debugging sbc defend signaling-flood { automatic-mode | manual-mode | gray-list | statistic-table | all } { all | error | information | warning }
Enable debugging of Connection Admission Control (CAC).
    debugging sbc cac { sip | mgcp | h323 | signaling | all | gray-list | statistic-table } { all | error | information | warning }
Enable debugging of the session-based Committed Access Rate (CAR).
    debugging sbc sessioncar { all | error | trace }
Enable debugging of NAT.
    debugging nat { all | error | event }
Enable debugging of the Administration Module (AM).
    debugging sbc am { addr | all | backup | call | classify | intercom | register | roamlimit | session-limit | usergroup } { all | error | information | warning } [ slot-id ]
Enable debugging of the Stream Control Transmission Protocol (SCTP) stack.
    debugging sbc sctp stack { information | warning | error }
Enable debugging of upper layer applications of SCTP.
    debugging sbc sctp up-layer { information | warning | error | all }

9.13.2 Clearing SBC Operation Information
To clear SBC operation information, run the following commands in the system view.
Action Command
Clear the records on the suspicious user list used for CAC.
    delete sbc cac gray-list { record begin begin-entry end end-entry | user-id user-id | ip ip-address port port-number | all }
Clear the records on the suspicious user list used for signaling attack defense.
    delete sbc defend signaling-flood gray-list { record begin begin-entry end end-entry | user-id user-id | ip ip-address port port-number | all }
Clear the queue of signaling attack defense.
    clear sbc defend signaling-flood queue
Clear information about a registered user.
    delete sbc reg-user { { sip | mgcp | h248 | h323 | upath | snmp } { user-name | all } | index user-index | all }
Clear statistics about Media Gateway (MG) connections.
    reset sbc mg statistic [ connect-index ] slot slot-id

9.14 Configuration Examples
This section provides several examples for configuring the security features.
NOTE
In the configuration examples, all protocol port numbers are the default values of the equipment. The
procedures for configuring them are provided, and you can set the port numbers as required in actual
applications.
9.14.1 Example for Configuring the SIP Signaling Proxy and Media Proxy
9.14.2 Example for Configuring the U-Path Signaling Proxy and Media Proxy
9.14.3 Example for Controlling User Registration
9.14.4 Example for Configuring the IADMS Proxy
9.14.5 Example for Configuring IMS Architecture-based SBC Functions
9.14.1 Example for Configuring the SIP Signaling Proxy and Media Proxy
Networking Requirements
As shown in Figure 9-1, IAD1 and IAD2 reside on a private network, and they are connected
to the SBC, namely ME60 A, through the NAT device. IAD3 and IAD4 reside on the public
network, and they are connected to the SBC, namely ME60 B. For the deployment of the NGN
services, the SBCs are required to act as the signaling proxy and media proxy for all the IADs.
Figure 9-1 also shows the IP subnetting and address assignment.
Figure 9-1 Networking for configuring the SIP signaling proxy and media proxy
[Figure not reproduced: it shows the SoftX3000 (100.100.20.10/16) in the core network, SBC(ME60A) and SBC(ME60B) connected through routers, IAD1 and IAD2 on the internal network behind the NAT router, and IAD3 and IAD4 behind a LAN switch, together with the IP addresses used in the procedure below.]

Configuration Roadmap
The configuration roadmap is as follows:
l Configure the IP address, the link layer protocol, and the routing protocol on the interface
to achieve the IP-interworking.
l Configure the operation mode of the SBC.
l Enable the signaling proxy for SIP.
l Configure the signaling address mapping and the media address mapping.
l Configure the port numbers for SIP.
Data Preparation
To complete the configuration, you need the following data:
l Well-known port of SIP at the user side and on the softswitch, namely 5060
l Well-known port of MGCP at the user side and on the softswitch, namely 2727
l Range of the dynamic ports for signaling and media streams on the server side, 10001 to
49999
Configuration Procedure
1. Configure ME60 A.
NOTE
This section does not describe the configuration of the IP address, the link layer protocol, and the
routing protocol on the physical interface.
# Configure the VSU to function as the SBC.
<ME60A> system-view
[ME60A] set lpu-work-mode sbc slot 3
[ME60A] quit
<ME60A> reset slot 3
# Configure the IP address for the loopback interface.
<ME60A> system-view
[ME60A] interface LoopBack 0
[ME60A-LoopBack0] ip address 100.10.230.2 255.255.255.255
[ME60A-LoopBack0] quit
[ME60A] interface LoopBack 1
[ME60A-LoopBack1] ip address 100.10.240.1 255.255.255.255
[ME60A-LoopBack1] quit
# Configure the operation mode of the SBC.
[ME60A] sbc appmode multi-domain
# Enable the signaling proxy for SIP users.
[ME60A] sbc sip enable
# Configure the signaling address mapping and the media address mapping.
[ME60A] sbc kouki
[ME60A-sbc-kouki] sbc mapgroup proxy 5
[ME60A-sbc-kouki-proxy-5] softxaddr 100.100.20.10
[ME60A-sbc-kouki-proxy-5] clientaddr LoopBack 0
[ME60A-sbc-kouki-proxy-5] serveraddr LoopBack 1
[ME60A-sbc-kouki-proxy-5] media-clientaddr LoopBack 0
[ME60A-sbc-kouki-proxy-5] media-serveraddr LoopBack 1
[ME60A-sbc-kouki-proxy-5] enable
[ME60A-sbc-kouki-proxy-5] quit
[ME60A-sbc-kouki] quit
# Configure the port numbers for SIP.
[ME60A] sbc wellknownport clientaddr 100.10.230.2 sip 5060
[ME60A] sbc wellknownport softxaddr 100.100.20.10 sip 5060
[ME60A] sbc wellknownport clientaddr 100.10.230.2 mgcp 2727
[ME60A] sbc wellknownport softxaddr 100.100.20.10 mgcp 2727
2. Configure ME60 B.
# (Optional) Configure the VSU to function as the SBC.
<ME60B> system-view
[ME60B] set lpu-work-mode sbc slot 3
[ME60B] quit
<ME60B> reset slot 3
# Configure the IP address for the loopback interface.
<ME60B> system-view
[ME60B] interface LoopBack 0
[ME60B-LoopBack0] ip address 100.20.30.50 255.255.255.255
[ME60B-LoopBack0] quit
[ME60B] interface LoopBack 1
[ME60B-LoopBack1] ip address 100.30.60.36 255.255.255.255
[ME60B-LoopBack1] quit
# Configure the operation mode of the SBC.
[ME60B] sbc appmode single-domain
# Enable the signaling proxy for SIP.
[ME60B] sbc sip enable
# Configure the signaling address mapping and the media address mapping.
[ME60B] sbc kouki
[ME60B-sbc-kouki] sbc mapgroup proxy 5
[ME60B-sbc-kouki-proxy-5] softxaddr 100.100.20.10
[ME60B-sbc-kouki-proxy-5] clientaddr LoopBack 0
[ME60B-sbc-kouki-proxy-5] serveraddr LoopBack 1
[ME60B-sbc-kouki-proxy-5] media-clientaddr LoopBack 0
[ME60B-sbc-kouki-proxy-5] media-serveraddr LoopBack 1
[ME60B-sbc-kouki-proxy-5] enable
[ME60B-sbc-kouki-proxy-5] quit
[ME60B-sbc-kouki] quit
# Configure the port numbers for SIP.
[ME60B] sbc wellknownport clientaddr 100.20.30.50 sip 5060
[ME60B] sbc wellknownport softxaddr 100.30.60.36 sip 5060
3. Configure the IADs (take IAD1 for example).
NOTE
In this step, only the parameters of the IADs are listed. The parameters may vary according to the
type of the IAD. In practice, refer to the user manual of the IAD.
Assume that IAD1 registers on ME60 A through MGCP. The registration-related packets
need to go through the NAT device. The domain of IAD1 is sbca.net. Connect IAD1 to a
personal computer through the serial interface, and then start the personal computer.
Press Ctrl+C to display the configuration interface, and then modify the configuration as
follows.
Parameter Value
Notify Entity 100.10.230.2:2727
Residential GW sbca.net
IP address 10.10.70.70
Subnet mask 255.255.0.0
Default gateway 10.10.30.30

Configuration Files
The following are configuration files of the ME60s.
l Configuration file of ME60 A
#
sysname ME60A
#
interface LoopBack0
ip address 100.10.230.2 255.255.255.255
#
interface LoopBack1
ip address 100.10.240.1 255.255.255.255
#
sbc appmode multi-domain
#
sbc keepalive-packet empty
#
sbc kouki
sbc backup-group 0
add slot 6 master
sbc mapgroup proxy 5
softxaddr 100.100.20.10
clientaddr LoopBack0
serveraddr LoopBack1
media-clientaddr LoopBack0
media-serveraddr LoopBack1
enable
#
return
l Configuration file of ME60 B
#
sysname ME60B
#
interface LoopBack0
ip address 100.20.30.50 255.255.255.255
#
interface LoopBack1
ip address 100.30.60.36 255.255.255.255
#
sbc appmode single-domain
#
sbc keepalive-packet empty
#
sbc kouki
sbc backup-group 0
add slot 6 master
sbc mapgroup proxy 5
softxaddr 100.100.20.10
clientaddr LoopBack0
serveraddr LoopBack1
media-clientaddr LoopBack0
media-serveraddr LoopBack1
enable
#
return
9.14.2 Example for Configuring the U-Path Signaling Proxy and Media Proxy
Networking Requirements
As shown in Figure 9-2, U-Path users reside on a private network and get access to the public
network through the NAT device and the SBC. The softswitch, namely the SoftX3000, resides
on the public network and is connected to the SBC through the router. Figure 9-2 also shows
the IP address assignment.
Figure 9-2 Networking for configuring the U-Path signaling proxy and media proxy
[Figure not reproduced: it shows the U-Path IAD on the internal network (addresses in 172.168.50.0/24), the NAT/firewall, the SBC with addresses 1.1.1.2/32 and 100.100.30.233/32, the router, and the SoftX3000 (100.100.30.10/16) in the core network.]

Configuration Roadmap
The configuration roadmap is as follows:
l Configure the IP address, the link layer protocol, and the routing protocol on the interface
to achieve the IP-interworking.
l Configure the operation mode of the SBC.
l Enable the signaling proxy for U-Path.
l Configure the signaling address mapping and the media address mapping.
l Configure the port numbers for U-Path.
l Configure the timer and other optional parameters.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l Well-known port of U-Path at the user side and on the softswitch, namely 2728
l Range of the dynamic ports for signaling and media streams on the server side, 10001 to
49999
Configuration Procedure
NOTE
This section does not describe the configuration of the IP address, the link layer protocol, and the routing
protocol on the physical interface.
1. Configure the VSU to function as the SBC.
<Quidway> system-view
[Quidway] set lpu-work-mode sbc slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure the IP address for the loopback interface.
<Quidway> system-view
[Quidway] interface LoopBack 0
[Quidway-LoopBack0] ip address 1.1.1.2 255.255.255.255
[Quidway-LoopBack0] quit
[Quidway] interface LoopBack 1
[Quidway-LoopBack1] ip address 100.100.30.233 255.255.255.255
[Quidway-LoopBack1] quit
3. Configure the operation mode of the SBC.
[Quidway] sbc appmode multi-domain
4. Enable the signaling proxy for U-Path users.
[Quidway] sbc upath enable
5. Configure the signaling address mapping and the media address mapping.
[Quidway] sbc kouki
[Quidway-sbc-kouki] sbc mapgroup proxy 5
[Quidway-sbc-kouki-proxy-5] softxaddr 100.100.30.10
[Quidway-sbc-kouki-proxy-5] clientaddr LoopBack 0
[Quidway-sbc-kouki-proxy-5] serveraddr LoopBack 1
[Quidway-sbc-kouki-proxy-5] media-clientaddr LoopBack 0
[Quidway-sbc-kouki-proxy-5] media-serveraddr LoopBack 1
[Quidway-sbc-kouki-proxy-5] enable
[Quidway-sbc-kouki-proxy-5] quit
[Quidway-sbc-kouki] quit
6. Configure the port numbers for U-Path.
[Quidway] sbc wellknownport clientaddr 1.1.1.2 upath 2728
[Quidway] sbc wellknownport softxaddr 100.100.30.10 upath 2728
7. Configure the timer and other optional parameters.
[Quidway] sbc timer upath session timeout 24
[Quidway] sbc timer upath heartbeat timeout 30
Configuration Files
#
sysname Quidway
#
sbc timer upath session timeout 24
sbc timer upath heartbeat timeout 30
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
#
interface LoopBack1
ip address 100.100.30.233 255.255.255.255
#
sbc appmode multi-domain
#
sbc keepalive-packet empty
#
sbc kouki
sbc backup-group 0
add slot 3 master
sbc mapgroup proxy 5
softxaddr 100.100.30.10
clientaddr LoopBack0
serveraddr LoopBack1
media-clientaddr LoopBack0
media-serveraddr LoopBack1
enable
#
return
9.14.3 Example for Controlling User Registration
Networking Requirements
When functioning as the media proxy and signaling proxy, the SBC (namely the ME60) restricts
registration of the SIP, MGCP, and H.323 users that use the numbers beginning with 6665. Only
the users whose IP addresses are in the range of 191.176.1.0-191.176.1.15 can be registered on
the SBC.
Figure 9-3 Networking of user registration control
[Figure: Core Network with SoftX3000 (100.100.20.10/16), Router, SBC (ME60) with addresses 100.30.60.37/16 and 100.30.60.36/32, LAN switch (191.176.1.100/32), IAD1 and IAD2 (numbers 6665071 and 6665081, addresses 191.176.1.1 and 191.176.1.20)]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure the IP address, the link layer protocol, and the routing protocol on the interface
to achieve the IP-interworking.
l Configure the operation mode of the SBC.
l Enable the signaling proxy.
l Configure the signaling address mapping and the media address mapping.
l Configure the port numbers of the protocols.
l Configure the user group and rules for registration restriction.
l Configure an ACL.
l Control the user registration permission.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l User group numbers: 10 and 20
l ACL numbers: 2010 and 2020
l Default policy (deny) for user registration.
Configuration Procedure
NOTE
This section does not describe the configuration of the IP address, the link layer protocol, and the routing
protocol on the physical interface. The examples discussed previously show you how to enable the signaling
proxy, and configure the address mapping and port numbers.
1. Configure the VSU to function as the SBC.
<Quidway> system-view
[Quidway] set lpu-work-mode sbc slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure the user group and rules for registration restriction.
<Quidway> system-view
[Quidway] sbc usergroup number 10
[Quidway-usergroup-10] userrule 10 permit 6665*
[Quidway-usergroup-10] quit
[Quidway] sbc usergroup number 20
[Quidway-usergroup-20] userrule 10 permit *
[Quidway-usergroup-20] quit
3. Configure an ACL.
[Quidway] acl 2010
[Quidway-acl-basic-2010] rule 10 permit source 191.176.1.0 0.0.0.15
[Quidway-acl-basic-2010] rule 20 deny
[Quidway-acl-basic-2010] quit
[Quidway] acl 2020
[Quidway-acl-basic-2020] rule 10 permit
[Quidway-acl-basic-2020] quit
4. Control the user registration permission.
[Quidway] sbc roamlimit enable
[Quidway] sbc roamlimit usergroup 10 acl 2010
[Quidway] sbc roamlimit usergroup 20 acl 2020
[Quidway] sbc roamlimit default deny
Configuration Files
#
sysname Quidway
#
acl number 2010
rule 10 permit source 191.176.1.0 0.0.0.15
rule 20 deny
#
acl number 2020
rule 10 permit
#
sbc usergroup number 10
userrule 10 permit 6665*
sbc usergroup number 20
userrule 10 permit *
#
sbc roamlimit enable
sbc roamlimit usergroup 10 acl 2010
sbc roamlimit usergroup 20 acl 2020
sbc roamlimit default deny
#
return
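The registration admission decision that this configuration expresses, as an added Python simulation written for this guide rather than ME60 code. The rule semantics it uses are assumptions, not taken from the product implementation: rules are evaluated in ascending rule number and the first match wins, bits set to 1 in a wildcard mask are ignored, a user rule ending in * is a prefix match, and the roamlimit default applies when no user group or no ACL rule matches.

```python
"""Simulation of the SBC user registration control policy of this example
(sbc usergroup / userrule, acl, sbc roamlimit).
Added illustration, not ME60 code. Assumed semantics: rules are evaluated in
ascending rule number and the first match wins; in a wildcard mask the bits
set to 1 are ignored; a user rule ending in '*' is a prefix match; the
roamlimit default applies when no user group or no ACL rule matches."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass
class AclRule:
    number: int
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # e.g. "191.176.1.0"; None matches any source
    wildcard: str = "0.0.0.0"      # wildcard mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        if self.source is None:
            return True
        care = ~_ip_int(self.wildcard) & 0xFFFFFFFF
        return (_ip_int(ip) & care) == (_ip_int(self.source) & care)


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def evaluate(self, ip: str) -> Optional[bool]:
        """True = permit, False = deny, None = no rule matched."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(ip):
                return rule.action == "permit"
        return None


@dataclass
class UserRule:
    number: int
    action: str        # "permit" or "deny"
    pattern: str       # "6665*" (prefix) or "*" (any number)

    def matches(self, user_number: str) -> bool:
        if self.pattern.endswith("*"):
            return user_number.startswith(self.pattern[:-1])
        return user_number == self.pattern


@dataclass
class UserGroup:
    number: int
    rules: List[UserRule]

    def contains(self, user_number: str) -> bool:
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(user_number):
                return rule.action == "permit"
        return False


@dataclass
class RoamLimit:
    enabled: bool
    bindings: List[Tuple[UserGroup, Acl]]   # sbc roamlimit usergroup N acl M, in order
    default_permit: bool = False            # sbc roamlimit default deny

    def registration_allowed(self, user_number: str, source_ip: str) -> bool:
        if not self.enabled:
            return True
        for group, acl in self.bindings:
            if group.contains(user_number):
                verdict = acl.evaluate(source_ip)
                return self.default_permit if verdict is None else verdict
        return self.default_permit


def build_example_policy() -> RoamLimit:
    """The configuration of this example, expressed with the classes above."""
    acl_2010 = Acl(2010, [AclRule(10, "permit", "191.176.1.0", "0.0.0.15"),
                          AclRule(20, "deny")])
    acl_2020 = Acl(2020, [AclRule(10, "permit")])
    group_10 = UserGroup(10, [UserRule(10, "permit", "6665*")])
    group_20 = UserGroup(20, [UserRule(10, "permit", "*")])
    return RoamLimit(True, [(group_10, acl_2010), (group_20, acl_2020)],
                     default_permit=False)


if __name__ == "__main__":
    policy = build_example_policy()
    # Constructed registration attempts: the two IAD numbers and addresses
    # shown in the figure, plus a number outside the 6665 range.
    for number, ip in [("6665071", "191.176.1.1"), ("6665081", "191.176.1.20"),
                       ("8585051", "10.10.70.70")]:
        print(number, ip, "permit" if policy.registration_allowed(number, ip) else "deny")
```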
9.14.4 Example for Configuring the IADMS Proxy
Networking Requirements
As shown in Figure 9-4, IAD1 and IAD2 reside on a private network and are connected to the
SBC, namely ME60 A, through the NAT device. The SBC functions not only as a signaling and
media proxy but also as an IADMS proxy through which the IADMS manages the IADs. Figure
9-4 also shows the IP subnetting and address assignment.
Figure 9-4 Networking for configuring the IADMS proxy
[Figure: Core Network with SoftX3000 (100.100.20.10/16) and IADMS (100.100.20.15/16); Router; SBC with addresses 100.10.240.1/32 and 100.10.230.2/32 facing 100.10.240.2/16 and 100.10.230.1/16; NAT device (10.10.30.30/16) in front of the Internal Network with IAD1 (10.10.70.70/16) and IAD2 (10.10.60.60/16), numbers 8585051 and 8585061]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure the IP address, the link layer protocol, and the routing protocol on the interface
to achieve the IP-interworking.
l Configure the signaling proxy and media proxy so that the SBC can function as the proxy
for calls and media streams.
l Enable the IADMS proxy and load the MIBs for the IADMS proxy.
l Configure the address mapping for the IADMS proxy so that the SBC can function as the
IADMS proxy.
l Configure the IADs.
Data Preparation
To complete the configuration, you need the following data:
l Slot number of the VSU: 3
l Well-known SNMP port at the user side and well-known port of the IADMS: 162
l Range of the dynamic ports for signaling and media streams on the server side: 10001 to 49999
l All the SNMP versions and all the MIBs that need be loaded for the IADMS proxy
Configuration Procedure
NOTE
This section does not describe the configuration of the IP address, the link layer protocol, and the routing
protocol on the physical interface.
1. Configure the VSU to function as the SBC.
<Quidway> system-view
[Quidway] set lpu-work-mode sbc slot 3
[Quidway] quit
<Quidway> reset slot 3
2. Configure the signaling proxy and media proxy.
# Configure the IP address for the loopback interface.
<Quidway> system-view
[Quidway] interface LoopBack 0
[Quidway-LoopBack0] ip address 100.10.230.2 255.255.255.255
[Quidway-LoopBack0] quit
[Quidway] interface LoopBack 1
[Quidway-LoopBack1] ip address 100.10.240.1 255.255.255.255
[Quidway-LoopBack1] quit
# Configure the operation mode of the SBC.
[Quidway] sbc appmode multi-domain
# Enable the signaling proxy.
[Quidway] sbc sip enable
# Configure the signaling address mapping and the media address mapping.
[Quidway] sbc kouki
[Quidway-sbc-kouki] sbc mapgroup proxy 5
[Quidway-sbc-kouki-proxy-5] softxaddr 100.100.20.10
[Quidway-sbc-kouki-proxy-5] clientaddr LoopBack 0
[Quidway-sbc-kouki-proxy-5] serveraddr LoopBack 1
[Quidway-sbc-kouki-proxy-5] media-clientaddr LoopBack 0
[Quidway-sbc-kouki-proxy-5] media-serveraddr LoopBack 1
[Quidway-sbc-kouki-proxy-5] enable
[Quidway-sbc-kouki-proxy-5] quit
[Quidway-sbc-kouki] quit
# Configure the port numbers.
[Quidway] sbc wellknownport clientaddr 100.10.230.2 sip 5060
[Quidway] sbc wellknownport softxaddr 100.100.20.10 sip 5060
3. Enable the IADMS proxy.
[Quidway] sbc iadms enable
4. Load the MIBs for the IADMS proxy.
[Quidway] sbc iadms mib register all
5. Configure the SNMP port numbers.
[Quidway] sbc wellknownport clientaddr 100.10.230.2 snmp 162
[Quidway] sbc wellknownport iadmsaddr 100.100.20.15 snmp 162
6. Configure the IADs.
NOTE
In this step, only the parameters of the IADs are listed. The parameters may vary according to the
type of the IAD. In practice, refer to the user manual of the IAD.
Connect the IAD1 with a personal computer through the serial interface, and then start the
personal computer. Press Ctrl+C to display the configuration interface, and then modify
the configuration as follows.
Parameter          Value
Notify Entity      100.10.230.2:5060
Residential GW     sbca.net
IP address         10.10.70.70
Subnet mask        255.255.0.0
Default gateway    10.10.30.30
Server Address     100.10.230.2
Server Port        162
Configuration Files
#
sysname Quidway
#
sbc iadms mib register amend
sbc iadms mib register v150
sbc iadms mib register v152
sbc iadms mib register v160
sbc iadms mib register v210
#
interface LoopBack0
ip address 100.10.230.2 255.255.255.255
#
interface LoopBack1
ip address 100.10.240.1 255.255.255.255
#
sbc appmode multi-domain
#
sbc timer nat-refresh 0
#
#
sbc kouki
sbc backup-group 0
add slot 3 master
sbc mapgroup proxy 5
softxaddr 100.100.20.10
clientaddr LoopBack0
serveraddr LoopBack1
media-clientaddr LoopBack0
media-serveraddr LoopBack1
enable
#
return
9.14.5 Example for Configuring IMS Architecture-based SBC
Functions
Networking Requirements
As shown in Figure 9-5, UE-1 and UE-2 belong to different private networks. UE-1 and UE-2
access the network through ME60A, and UE-3 accesses the network through ME60B. UE-1,
UE-2, and UE-3 need to communicate through voice or video.
NOTE
The UE represents the access user network. UE-1 resides in private network 10.164.0.0/16; UE-2 resides
in private network 10.165.0.0/16.
ME60A adopts 10.10.10.1/32 and 10.12.12.1/32 as the media addresses at the user side, and
adopts 10.11.11.1/32 and 10.13.13.1/32 as the media addresses at the server side. ME60A
functions as an MG and communicates with SPDF-1 by using the IP addresses 192.168.1.1/32
and 192.168.1.2/32. The IP address of SPDF-1 is 192.168.1.3/32. The IP address of P-CSCF-1
is 192.168.1.4/32.
Figure 9-5 Example for configuring IMS architecture-based SBC functions
[Figure: UE-1 and UE-2 attached to ME60A and UE-3 attached to ME60B, each ME60 connected through GE1/0/0 to the IMS network, which contains P-CSCF-1, SPDF-1, P-CSCF-2 and SPDF-2]
Configuration Roadmap
The configuration roadmap is as follows:
l Configure the IP addresses of related interfaces, the link layer protocol, and the routing
protocol to implement the IP connectivity.
l Configure users to access the network through the ME60.
l Set the operating mode of the Voice-band Signal Unit (VSU) to SBC.
l Configure backup groups.
l Configure media address mapping groups.
l Configure the Ia interface so that ME60A can communicate with SPDF-1.
l Configure signaling NAT to perform NAT on private addresses of users.
l Configure information about the Proxy-Call Session Control Function (P-CSCF).
l Configure the maximum number of sessions that are supported by a mapping group in an
SBC instance group.
l Configure the total bandwidth that is supported by an SBC instance group.
Data Preparation
See the networking requirements.
Configuration Procedure
1. Configure the IP addresses of related interfaces and the unicast routing protocol.
Configure the IP addresses of related interfaces and the unicast routing protocol to
implement network interworking. For details, refer to the Quidway ME60 Multiservice
Control Gateway Configuration Guide - IP Services and the Quidway ME60 Multiservice
Control Gateway Configuration Guide - IP Routing.
2. Configure the access service.
Configure users to access the network through the ME60. For details, refer to the Quidway
ME60 Multiservice Control Gateway Configuration Guide - BRAS Services.
3. Set the operating mode of the VSU to SBC.
<Quidway> system-view
[Quidway] sysname ME60A
[ME60A] set lpu-work-mode sbc slot 5
[ME60A] set lpu-work-mode sbc slot 6
[ME60A] set lpu-work-mode sbc slot 7
[ME60A] set lpu-work-mode sbc slot 8
[ME60A] quit
<ME60A> reset slot 5
<ME60A> reset slot 6
<ME60A> reset slot 7
<ME60A> reset slot 8
4. Configure backup groups.
<ME60A> system-view
[ME60A] sbc instance1
[ME60A-sbc-instance1] sbc backup-group 0
[ME60A-sbc-instance1-backupgroup-0] add slot 5 master
[ME60A-sbc-instance1-backupgroup-0] add slot 7 slave
[ME60A-sbc-instance1-backupgroup-0] quit
[ME60A-sbc-instance1] quit
[ME60A] sbc instance2
[ME60A-sbc-instance2] sbc backup-group 1
[ME60A-sbc-instance2-backupgroup-1] add slot 6 master
[ME60A-sbc-instance2-backupgroup-1] add slot 8 slave
[ME60A-sbc-instance2-backupgroup-1] quit
[ME60A-sbc-instance2] quit
5. Configure media address mapping groups.
# Configure loopback interfaces in media address mapping groups.
[ME60A] interface loopback 1
[ME60A-LoopBack1] ip address 10.10.10.1 32
[ME60A-LoopBack1] quit
[ME60A] interface loopback 2
[ME60A-LoopBack2] ip address 10.11.11.1 32
[ME60A-LoopBack2] quit
[ME60A] interface loopback 3
[ME60A-LoopBack3] ip address 10.12.12.1 32
[ME60A-LoopBack3] quit
[ME60A] interface loopback 4
[ME60A-LoopBack4] ip address 10.13.13.1 32
[ME60A-LoopBack4] quit
# Configure media address mapping groups.
[ME60A] sbc instance1
[ME60A-sbc-instance1] sbc mapgroup bgf 2501
[ME60A-sbc-instance1-bgf-2501] media-clientaddr loopback 1 loopback 5
[ME60A-sbc-instance1-bgf-2501] media-serveraddr loopback 2 loopback 5
[ME60A-sbc-instance1-bgf-2501] enable
[ME60A-sbc-instance1-bgf-2501] quit
[ME60A-sbc-instance1] quit
[ME60A] sbc instance2
[ME60A-sbc-instance2] sbc mapgroup bgf 2502
[ME60A-sbc-instance2-bgf-2502] media-clientaddr loopback 3 loopback 6
[ME60A-sbc-instance2-bgf-2502] media-serveraddr loopback 4 loopback 6
[ME60A-sbc-instance2-bgf-2502] enable
[ME60A-sbc-instance2-bgf-2502] quit
[ME60A-sbc-instance2] quit
6. Configure the Ia interface.
# Configure loopback interfaces that are used for MG connections.
[ME60A] interface loopback 5
[ME60A-LoopBack5] ip address 192.168.1.1 32
[ME60A-LoopBack5] quit
[ME60A] interface loopback 6
[ME60A-LoopBack6] ip address 192.168.1.2 32
[ME60A-LoopBack6] quit
# Enable the SCTP protocol and the MG function.
[ME60A] sbc sctp enable
[ME60A] sbc mg enable
# Configure MG connections.
[ME60A] sbc instance1
[ME60A-sbc-instance1] sbc mg 0
[ME60A-sbc-instance1-mg-0] mg ip loopback 5 port 2944
[ME60A-sbc-instance1-mg-0] mgc ip 192.168.1.3 port 2944
[ME60A-sbc-instance1-mg-0] mg mid spdf1.com
[ME60A-sbc-instance1-mg-0] domain inner inner1.bgf.com mapgroup 2501
[ME60A-sbc-instance1-mg-0] domain outer outer1.bgf.com mapgroup 2501
[ME60A-sbc-instance1-mg-0] protocol sctp
[ME60A-sbc-instance1-mg-0] enable
[ME60A-sbc-instance1-mg-0] quit
[ME60A-sbc-instance1] quit
[ME60A] sbc instance2
[ME60A-sbc-instance2] sbc mg 1
[ME60A-sbc-instance2-mg-1] mg ip loopback 6 port 2945
[ME60A-sbc-instance2-mg-1] mgc ip 192.168.1.3 port 2945
[ME60A-sbc-instance2-mg-1] mg mid spdf2.com
[ME60A-sbc-instance2-mg-1] domain inner inner2.bgf.com mapgroup 2502
[ME60A-sbc-instance2-mg-1] domain outer outer2.bgf.com mapgroup 2502
[ME60A-sbc-instance2-mg-1] protocol sctp
[ME60A-sbc-instance2-mg-1] enable
[ME60A-sbc-instance2-mg-1] quit
[ME60A-sbc-instance2] quit
7. Configure signaling NAT.
# Configure the IP address of the interface that connects the ME60 to the CSCF.
[ME60A] interface gigabitethernet 1/0/0
[ME60A-GigabitEthernet1/0/0] ip address 2.2.2.1 24
[ME60A-GigabitEthernet1/0/0] quit
# Configure NAT address pools.
[ME60A] nat address-group 0 2.2.2.2 2.2.2.128
[ME60A] nat address-group 1 2.2.2.129 2.2.2.254
# Configure the ME60 SBCs to perform NAT on the packets sent to the CSCF.
[ME60A] acl 3000
[ME60A-acl-adv-3000] rule permit ip source 10.164.0.0 0.0.255.255 destination 192.168.1.4 0.0.0.255
[ME60A-acl-adv-3000] quit
[ME60A] acl 3001
[ME60A-acl-adv-3001] rule permit ip source 10.165.0.0 0.0.255.255 destination 192.168.1.4 0.0.0.255
[ME60A-acl-adv-3001] quit
[ME60A] traffic classifier signal-nat1
[ME60A-classifier-signal-nat1] if-match acl 3000
[ME60A-classifier-signal-nat1] quit
[ME60A] traffic classifier signal-nat2
[ME60A-classifier-signal-nat2] if-match acl 3001
[ME60A-classifier-signal-nat2] quit
[ME60A] traffic behavior signal-nat1
[ME60A-behavior-signal-nat1] sbc-nat 5
[ME60A-behavior-signal-nat1] quit
[ME60A] traffic behavior signal-nat2
[ME60A-behavior-signal-nat2] sbc-nat 6
[ME60A-behavior-signal-nat2] quit
[ME60A] traffic policy signal-nat
[ME60A-trafficpolicy-signal-nat] classifier signal-nat1 behavior signal-nat1
[ME60A-trafficpolicy-signal-nat] classifier signal-nat2 behavior signal-nat2
[ME60A-trafficpolicy-signal-nat] quit
[ME60A] traffic-policy signal-nat inbound
# Configure the ME60 SBCs to perform NAT on IMS signaling packets.
[ME60A] sbc instance1
[ME60A-sbc-instance1] signaling nat address-group 0
[ME60A-sbc-instance1] quit
[ME60A] sbc instance2
[ME60A-sbc-instance2] signaling nat address-group 1
[ME60A-sbc-instance2] quit
8. Configure information about the P-CSCF.
NOTE
This step lists only part of the P-CSCF configurations. For details about the P-CSCF configurations,
refer to the documents of the P-CSCF.
The following P-CSCF configurations enable the signaling and media packets of different
network segments to be processed on different SBCs:
l Set the MG Message Identification (MID) of network segment 10.164.0.0/16 to
spdf1.com.
l Set the MG MID of network segment 10.165.0.0/16 to spdf2.com.
9. Configure the maximum number of sessions that are supported by a mapping group in an
SBC instance group.
[ME60A] sbc instance1
[ME60A-sbc-instance1] sbc mapgroup bgf 2501
[ME60A-sbc-instance1-bgf-2501] session-limit 1000
[ME60A-sbc-instance1-bgf-2501] quit
[ME60A-sbc-instance1] quit
10. Configure the total bandwidth that is supported by an SBC instance group.
[ME60A] sbc instance1
[ME60A-sbc-instance1] sbc bandwidth-limit 800
[ME60A-sbc-instance1] quit
Configuration Files
#
sysname ME60A
#
sbc mg enable
#
sbc sctp enable
#
acl number 3000
rule permit ip source 10.164.0.0 0.0.255.255 destination 192.168.1.4 0.0.0.255
#
acl number 3001
rule permit ip source 10.165.0.0 0.0.255.255 destination 192.168.1.4 0.0.0.255
#
traffic classifier signal-nat1 operator or
if-match acl 3000
traffic classifier signal-nat2 operator or
if-match acl 3001
#
traffic behavior signal-nat1
sbc-nat 5
traffic behavior signal-nat2
sbc-nat 6
#
traffic policy signal-nat
classifier signal-nat1 behavior signal-nat1
classifier signal-nat2 behavior signal-nat2
traffic-policy signal-nat inbound
#
interface GigabitEthernet1/0/0
ip address 2.2.2.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.10.1 255.255.255.255
#
interface LoopBack2
ip address 10.11.11.1 255.255.255.255
#
interface LoopBack3
ip address 10.12.12.1 255.255.255.255
#
interface LoopBack4
ip address 10.13.13.1 255.255.255.255
#
interface LoopBack5
ip address 192.168.1.1 255.255.255.255
#
interface LoopBack6
ip address 192.168.1.2 255.255.255.255
#
nat address-group 0 2.2.2.2 2.2.2.128
nat address-group 1 2.2.2.129 2.2.2.254
#
sbc instance1
sbc backup-group 0
add slot 5 master
add slot 7 slave
sbc mapgroup bgf 2501
media-clientaddr loopback 1 5
media-serveraddr loopback 2 5
session-limit 1000
enable
sbc bandwidth-limit 800
sbc mg 0
mgc ip 192.168.1.3 port 2944
mg ip LoopBack5 port 2944
mg mid spdf1.com
domain inner inner1.bgf.com mapgroup 2501
domain outer outer1.bgf.com mapgroup 2501
protocol sctp
enable
signaling nat address-group 0
#
sbc instance2
sbc backup-group 1
add slot 6 master
add slot 8 slave
sbc mapgroup bgf 2502
media-clientaddr loopback 3 6
media-serveraddr loopback 4 6
enable
sbc mg 1
mgc ip 192.168.1.3 port 2945
mg ip LoopBack6 port 2945
mg mid spdf2.com
domain inner inner2.bgf.com mapgroup 2502
domain outer outer2.bgf.com mapgroup 2502
protocol sctp
enable
signaling nat address-group 1
#
return
10 DPI Configuration
About This Chapter
This chapter describes the fundamentals of DPI and how to configure network-side DPI and
user-side DPI.
10.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the
ME60.
10.2 Configuring Basic DPI Functions
This section describes how to configure basic DPI functions.
10.3 Configuring Network-side DPI
This section describes how to configure and apply the DPI policy at the network side.
10.4 Configuring User-side DPI
This section describes how to configure and apply the DPI policy at the user side.
10.5 Configuration Examples
This section provides a configuration example of DPI.
10.1 Introduction
This section describes the concept and rationale of DPI and the DPI features supported by the
ME60.
10.1.1 Overview of DPI
10.1.2 DPI Functions Supported by the ME60
10.1.1 Overview of DPI
Background of DPI
With the extensive use of broadband networks, more bandwidth-related applications are being
developed and are maturing. This encourages users to use bandwidth-intensive services such as P2P,
online games, and VoIP. These services attract many users; however, they also cause problems.
For example, many P2P applications occupy network resources maliciously, and thus network
congestion occurs. Carriers therefore need to control illegal network applications.
Rationale of DPI
The deep packet inspection (DPI) technology can identify network applications so that the carrier
can control and manage the network.
As shown in Figure 10-1, common packet analysis involves only the source address, destination
address, source port, and destination port. Apart from the preceding factors, DPI analyzes the
application-layer information to identify various services and applications.
Figure 10-1 Comparison between DPI and the common packet analysis
[Figure: two packet layouts with the fields Source IP, Operation, Destination IP, Source port, Destination port and Payload; common packet analysis examines only the header fields, whereas DPI also examines the Payload]
DPI Functions
DPI provides the following three functions:
l Service identification
DPI identifies the data flow of a legal service by the quintuple. Take the video on demand (VoD)
service for example: the source address of the service flow belongs to a network segment
configured on the VoD server, and the source port number is fixed.
Unauthorized users usually hide information about illegal service flows by using various
techniques. For example, a P2P flow may use port 80 of HTTP. Therefore, the service type
cannot be identified accurately according to the quintuple alone, that is, the addresses and
ports.
To identify an illegal service flow, DPI analyzes the contents of an IP packet to find the
characteristic field or behavior of the service.
l Service control
DPI controls the identified service flow based on a combination that may consist of the user
name, time, bandwidth, and history traffic volume. DPI handles the service flow in the following
ways:
l Forwards packets as usual.
l Blocks the service flow.
l Limits bandwidth of the service flow.
l Re-marks the priorities of packets.
For convenient service operation, all control policies are configured on the policy server. After
a user logs in, the policies are delivered dynamically.
l Service statistics
The statistics of service traffic distribution and usage of a service help to discover the user or
the service that affects the normal operation of the network. According to the statistics, the
following information can be obtained:
l Percentage of traffic from attackers
l Number of online users playing an online game
l Services consuming bandwidth
l Illegal VoIP users
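The contrast between quintuple-only analysis and payload inspection described under service identification, together with a service statistics pass, as an added Python illustration that is not ME60 or DPI-box code. The Packet structure, the port table and the sample packets are constructed here; the signatures are the public HTTP, SIP and BitTorrent handshake formats.

```python
"""Quintuple-only classification versus payload inspection (DPI), with the
'P2P flow on port 80' case from this section and a service statistics pass.
Added illustration, not ME60 or DPI-box code: the Packet structure, the
port table and the sample packets are constructed here; the signatures are
the public HTTP, SIP and BitTorrent handshake formats."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


# Common packet analysis: a (protocol, well-known port) table is all it can use.
PORT_TABLE: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("udp", 5060): "sip",
}


def classify_by_quintuple(pkt: Packet) -> str:
    """Look only at protocol and ports; a P2P flow on port 80 is reported as HTTP."""
    for port in (pkt.dst_port, pkt.src_port):
        service = PORT_TABLE.get((pkt.protocol, port))
        if service:
            return service
    return "unknown"


def _is_http(payload: bytes) -> bool:
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/"))


def _is_sip(payload: bytes) -> bool:
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.endswith(b" SIP/2.0") or first_line.startswith(b"SIP/2.0 ")


def _is_bittorrent(payload: bytes) -> bool:
    # BitTorrent peer handshake: length byte 19 followed by "BitTorrent protocol".
    return payload.startswith(b"\x13BitTorrent protocol")


# Application-layer signatures, checked in order; the first match wins.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("bittorrent", _is_bittorrent),
    ("sip", _is_sip),
    ("http", _is_http),
]


def classify_dpi(pkt: Packet) -> str:
    """Inspect the payload first; fall back to the quintuple when nothing matches."""
    for service, matcher in SIGNATURES:
        if matcher(pkt.payload):
            return service
    return classify_by_quintuple(pkt)


def service_share(packets: List[Packet],
                  classifier: Callable[[Packet], str]) -> Dict[str, float]:
    """Service statistics: percentage of payload bytes attributed to each service."""
    totals: Dict[str, int] = {}
    for pkt in packets:
        service = classifier(pkt)
        totals[service] = totals.get(service, 0) + len(pkt.payload)
    grand_total = sum(totals.values()) or 1
    return {s: round(100.0 * b / grand_total, 1) for s, b in totals.items()}


# Constructed sample traffic: a web request, a BitTorrent handshake sent to
# port 80 so that it looks like web traffic, and a SIP REGISTER.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.1.1.5", "203.0.113.10", "tcp", 40001, 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.1.1.6", "198.51.100.7", "tcp", 40002, 80,
           b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"0" * 12),
    Packet("10.1.1.7", "192.0.2.20", "udp", 5060, 5060,
           b"REGISTER sip:registrar.example SIP/2.0\r\nVia: SIP/2.0/UDP 10.1.1.7\r\n\r\n"),
]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"dst port {pkt.dst_port:5d}  quintuple={classify_by_quintuple(pkt):10s}"
              f"  dpi={classify_dpi(pkt)}")
    print("share by quintuple:", service_share(SAMPLE_PACKETS, classify_by_quintuple))
    print("share by DPI:      ", service_share(SAMPLE_PACKETS, classify_dpi))
```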
DPI Implementation
Figure 10-2 Networking of DPI application
[Figure: User (access network), BRAS, DPI Box, Internet, AAA, Policy Server and Report Server]
NOTE
The user in the figure represents the access network.
10.1.2 DPI Functions Supported by the ME60
When the operation mode of the Versatile Service Unit (VSU) is set to DPI, the DPI engine
identifies P2P applications and enforces service policies for the applications. The ME60 can be
equipped with an external DPI box. The DPI box identifies the service type of a packet and the
ME60 controls the service policy. The DPI box can identify various services including the P2P
and VoIP services.
NOTE
The DPI function of the ME60 can be applied in the following cases:
l To control bandwidth of the users connected to the ME60, configure user-side DPI.
l To control bandwidth on the network side, configure network-side DPI.
10.2 Configuring Basic DPI Functions
This section describes how to configure basic DPI functions.
10.2.1 Establishing the Configuration Task
10.2.2 (Optional) Configuring the VSU to Work as the DPI Board
10.2.3 (Optional) Configuring the MAC Address of the DPI Board
10.2.4 Configuring the Packet Inspection Mode
10.2.5 (Optional) Configuring the PTS
10.2.6 Checking the Configuration
10.2.1 Establishing the Configuration Task
Applicable Environment
To use DPI to detect packets, you must configure the basic DPI functions.
If only some of the P2P applications need to be inspected, DPI can be performed by the DPI box
on the DPI board of the ME60. In this case, you must set the packet inspection mode to Data
Service Unit (DSU). That is, packets are inspected by the DSU, namely, the built-in DPI box.
If many types of applications need to be inspected, the ME60 can be connected to an external
DPI box. The external DPI box for the ME60 is called the Policy Traffic Switch (PTS). In this
case, you must configure the MAC address of the DPI board and information about the
connection between the PTS and the ME60.
NOTE
l The ME60 implements the DPI function after the VSU is configured as the DPI board. Therefore, you
need to install the VSU before configuring the DPI function. For the functions of the VSU in DPI
mode, refer to the Quidway ME60 Multiservice Control Gateway Product Description.
l You can run the set lpu-work-mode { dpi | sbc | ssu | tsu } slot slot-id command to implement different
service functions.
l In this manual, the VSU operating in DPI mode is called the DPI board.
Pre-configuration Task
Before configuring basic DPI functions, complete the following tasks:
l Installing the VSU
l (Optional) Connecting the PTS to the ME60 and configuring the PTS
NOTE
The ME60 and the PTS must be directly connected or connected through a layer-2 device and they
cannot be connected through a layer-3 network. It is recommended that you connect the ME60 to the
PTS directly.
l Configuring the ME60 so that it can communicate with other routers
Data Preparation
To configure the basic DPI functions, you need the following data.
No.   Data
1     MAC address of the DPI board
2     IP address of the PTS management interface, namely, the interface connected to the PTS
3     Number of the port for listening to the PTS keepalive packets
10.2.2 (Optional) Configuring the VSU to Work as the DPI Board
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
set lpu-work-mode dpi slot slot-id
The operation mode of the VSU is set to DPI.
NOTE
l The configured operation mode takes effect after the VSU is restarted.
l The command for configuring the operation mode of the VSU is not recorded in the system
configuration file. You can run the display device or display lpu-work-mode command to view the
operation mode of the VSU. If the operation mode is configured properly, you need not configure the
operation mode again.
----End
10.2.3 (Optional) Configuring the MAC Address of the DPI Board
Context
NOTE
You need to configure the MAC address of the DPI board only when the ME60 is connected to a PTS.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi dsu-mac
The view for configuring the DSU is displayed.
Step 3 Run:
dsu-slot slot-id mac mac-address
The MAC address of the DPI board is configured.
----End
10.2.4 Configuring the Packet Inspection Mode
Context
CAUTION
If the PTS does not exist or it is disconnected from the ME60, run the undo dpi-check pts
enable command to stop the packet inspection by the PTS. This ensures normal operation of the
DPI function.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi-check { dsu | pts }* enable
The packet detection mode is configured.
By default, the packet inspection mode is PTS. That is, packets are inspected by the PTS. The
prerequisite is that the ME60 is connected to the PTS. The PTS can detect various types of
packets, including P2P and VoIP packets.
If the ME60 is not connected to a PTS, you can set the packet inspection mode to DSU. In this
case, packets of certain P2P applications are inspected by the built-in DPI box on the DPI board.
----End
10.2.5 (Optional) Configuring the PTS
Context
NOTE
The parameters of the PTS need to be configured only when the ME60 is connected to a PTS.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi pts
The PTS configuration view is displayed.
Step 3 Run:
pts-id pts-id ip-address ip-address port-number subscriber-side interface-type interface-number [ internet-side interface-type interface-number ]
The parameters for the connection between the ME60 and the PTS are set.
Step 4 Run:
keep-alive period-value times-value
The interval at which the PTS sends keepalive packets is set.
By default, the PTS sends keepalive packets at an interval of 10 seconds. If the ME60 fails to
receive the keepalive packets three consecutive times, it considers that the PTS is disconnected.
----End
10.2.6 Checking the Configuration
Run the following command in any view to check the previous configuration.
Action                                       Command
Check the packet detection mode.             display dpi global-policy
Check the MAC address of the DPI board.      display dpi dsu-mac
Check the information about the PTS.         display dpi pts
Run the display dpi global-policy command, and you can view the global configuration of DPI,
including the packet inspection mode.
<Quidway> display dpi global-policy
---------------------------------------------------------------------------
DPI global configration
---------------------------------------------------------------------------
Global policy group status : active
Global policy group type : user first
Inspecting packets device : PTS
---------------------------------------------------------------------------
DPI global policy list
---------------------------------------------------------------------------
No. Policy Name Application type Protocal type
0 huawei p2p --
---------------------------------------------------------------------------
Total 1, 1 printed
10.3 Configuring Network-side DPI
This section describes how to configure and apply the DPI policy at the network side.
CAUTION
To implement network-side DPI, you must configure the global DPI policy group and traffic
policy. Classify traffic according to a certain rule and associate each traffic class with a DPI
behavior, and thus a DPI traffic policy is configured. Then, apply the DPI traffic policy to inspect
network-side packets.
The DPI traffic policy can be applied to the entire system or an interface:
- When the policy is applied to the entire system, the ME60 inspects traffic of a certain service
on all the network-side interfaces.
NOTE
If you enable the DPI traffic policy globally by using the global command, the ME60 performs DPI
on all network-side and user-side interfaces.
- When the policy is applied to an interface, the ME60 inspects traffic of a certain service
only on this interface.
10.3.1 Establishing the Configuration Task
10.3.2 Creating a DPI Policy
10.3.3 Configuring the DPI Policy
10.3.4 Configuring a Global DPI Policy Group
10.3.5 Configuring a DPI Traffic Policy
10.3.6 Applying the Traffic Policy to the Network Side
10.3.7 Checking the Configuration
10.3.1 Establishing the Configuration Task
Applicable Environment
Large amount of service flows may cause network congestion. To avoid this, you need to
configure the DPI function to identify various services and limit their traffic volumes.
Pre-configuration Task
Before configuring the network-side DPI, complete the following tasks:
- 10.2 Configuring Basic DPI Functions
- Determining whether to apply the global DPI policy
Data Preparation
To configure the network-side DPI, you need the following data.
No. Data
1 DPI policy name
2 Services to be inspected through DPI
3 (Optional) Number of the network-side interface

10.3.2 Creating a DPI Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi policy dpi-policy-name
A DPI policy is created and the DPI policy view is displayed.
----End
10.3.3 Configuring the DPI Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi policy dpi-policy-name
The DPI policy view is displayed.
Step 3 Run:
service-type service-type [ sub-service-type ]
The service type is configured.
Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control CAR parameters of the service, run car cir cir-value [
pir pir-value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to mark the DSCP value, run remark dscp dscp-value { inbound |
outbound }.
- To configure the ME60 to randomly discard packets, run random-drop random-drop-
value. This command is recommended for the VoIP service.
- To configure the ME60 to forward all the packets of the specified service with the speed
lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.
You can configure one or more preceding behaviors. The permit and deny behaviors cannot be
configured simultaneously. By default, the behavior in the DPI policy is permit.
----End
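The car behavior in Step 4 is a token-bucket rate limiter: cir and pir set the committed and peak rates, cbs and pbs set the burst sizes, and the configuration file in 10.5.1 shows the resulting colour actions (green pass yellow pass red discard). The following Python model is an added example, not ME60 software or code from this guide. It assumes that cir and pir are in kbit/s (as the example car cir 102400 for 100 Mbit/s suggests), that cbs and pbs are in bytes, and that the marker behaves as a standard two-rate three-colour marker (RFC 2698); the ME60's exact algorithm and its default burst sizes are not stated on this page, and the packet burst in demo() is constructed.

```python
"""Token-bucket model of the DPI 'car' behaviour (added example, not ME60 code).

Assumptions not stated on the page: cir/pir are in kbit/s (the example
'car cir 102400' for 100 Mbit/s suggests this), cbs/pbs are in bytes, and the
marker is a standard two-rate three-colour marker (RFC 2698, colour-blind).
"""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"

# Colour actions as the configuration file in 10.5.1 shows them:
# 'green pass yellow pass red discard'.
DEFAULT_ACTIONS = {GREEN: "pass", YELLOW: "pass", RED: "discard"}


class TwoRateThreeColorMarker:
    """Committed bucket (cir/cbs) and peak bucket (pir/pbs), both starting full."""

    def __init__(self, cir_kbps, pir_kbps=None, cbs_bytes=None, pbs_bytes=None):
        if pir_kbps is None:
            pir_kbps = cir_kbps                # no pir: peak rate equals committed rate
        if cbs_bytes is None:
            # One second of CIR in bytes (1 kbit/s = 125 B/s). This matches the
            # 'cbs 14080000' that the configuration file shows for 'cir 112640'.
            cbs_bytes = cir_kbps * 125
        if pbs_bytes is None:
            # Assumed default (not from the page): same as cbs for a single rate,
            # twice cbs when a separate peak rate is configured.
            pbs_bytes = cbs_bytes if pir_kbps == cir_kbps else 2 * cbs_bytes
        if pir_kbps < cir_kbps or pbs_bytes < cbs_bytes:
            raise ValueError("pir must be >= cir and pbs must be >= cbs")
        self.cir_bps = cir_kbps * 125.0        # bytes per second
        self.pir_bps = pir_kbps * 125.0
        self.cbs, self.pbs = cbs_bytes, pbs_bytes
        self.tc = float(cbs_bytes)             # tokens in the committed bucket
        self.tp = float(pbs_bytes)             # tokens in the peak bucket
        self.last = 0.0

    def mark(self, now, length):
        """Colour one packet of `length` bytes arriving at `now` seconds."""
        elapsed = max(0.0, now - self.last)    # refill both buckets for the idle time
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir_bps)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir_bps)
        if self.tp < length:                   # over the peak rate: red
            return RED
        if self.tc < length:                   # over the committed rate only: yellow
            self.tp -= length
            return YELLOW
        self.tc -= length                      # within the committed rate: green
        self.tp -= length
        return GREEN


def apply_car(marker, packets, actions=DEFAULT_ACTIONS):
    """Run (arrival_time_s, length_bytes) packets through the marker.

    Returns the per-colour counts and the number of packets forwarded."""
    counts = Counter()
    forwarded = 0
    for now, length in packets:
        colour = marker.mark(now, length)
        counts[colour] += 1
        if actions[colour] == "pass":
            forwarded += 1
    return dict(counts), forwarded


def demo():
    """Constructed burst: 8 kbit/s CIR (1000 B/s, cbs 1500 B) and 16 kbit/s PIR
    (2000 B/s, pbs 3000 B); five 1000-byte packets at t=0, three more at t=1 s."""
    marker = TwoRateThreeColorMarker(cir_kbps=8, pir_kbps=16, cbs_bytes=1500, pbs_bytes=3000)
    burst = [(0.0, 1000)] * 5 + [(1.0, 1000)] * 3
    return apply_car(marker, burst)


if __name__ == "__main__":
    print(demo())   # ({'green': 2, 'yellow': 3, 'red': 3}, 5)
```

demo() sends a burst that first empties the committed bucket and then the peak bucket, so all three colours appear; with the default action set only the red packets are discarded, which is how a car behaviour limits a service to its configured rate without dropping every packet that exceeds the CIR.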
10.3.4 Configuring a Global DPI Policy Group
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi global-policy
The global DPI policy group view is displayed.
Step 3 Run:
dpi-policy dpi-policy-name
The DPI policy is configured as a global policy.
Step 4 (Optional) Run:
global
The DPI policy is applied to the entire system.
NOTE
After you run this command, the ME60 may match the service data with the global DPI policy, instead of
the user-side DPI policy. For details, see "10.3.6 Applying the Traffic Policy to the Network Side."
Step 5 Run:
active
The global DPI policy is activated.
The global DPI policy group is used to inspect packets on a network-side interface. You can
also configure DPI on a user-side interface by using the global command. A common DPI policy
group is used to inspect packets on a user-side interface but cannot be applied to a network-side
interface.
NOTE
For the configuration of a common policy, see "10.4.3 Configuring a Common DPI Policy Group."
By default, the DPI policy is not applied to the entire system, and the global DPI policy is active.
----End
10.3.5 Configuring a DPI Traffic Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier traffic-classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed.
Step 3 Define the rule for matching data packets as follows:
- To match the 802.1p field in a packet, run the if-match 8021p 8021p-code command.
- To match the source MAC address of a packet, run the if-match source-mac mac-address
command.
- To match the destination MAC address of a packet, run the if-match destination-mac mac-
address command.
- To match packets with an ACL, run the if-match acl acl-number command.
- To match the DSCP field of a packet, run the if-match dscp dscp-value command.
- To match the IP precedence of a packet, run the if-match ip-precedence ip-precedence-
value command.
- To match the TCP SYN flag of a packet, run the if-match tcp syn-flag flag-value command.
- To match all IPv4 packets, run the if-match any command.
Step 4 Run:
quit
The system exits from the traffic classifier view.
Step 5 Run:
traffic behavior behavior-name
A behavior is created and the behavior view is displayed.
Step 6 Run:
dpi
DPI is enabled.
NOTE
After the traffic behavior is configured to DPI, you cannot configure the behavior to redirect in this
behavior view.
Step 7 Run:
quit
The system exits from the behavior view.
Step 8 Run:
traffic policy traffic-policy-name
The traffic policy view is displayed.
Step 9 Run:
classifier traffic-classifier-name behavior behavior-name
The traffic classifier is associated with the behavior.
Configure the traffic classifier according to the network requirement so that DPI can be
performed for the specified flow. The behavior name specified in this command must be the
same as behavior-name you specify in step 5.
NOTE
For the configuration of a traffic policy, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - QoS.
----End
10.3.6 Applying the Traffic Policy to the Network Side
Procedure
- Applying the traffic policy globally
1. Run:
system-view
The system view is displayed.
2. Run:
traffic-policy traffic-policy-name inbound
The traffic policy is applied to the inbound direction.
NOTE
A DPI traffic policy cannot be applied to the outbound direction.
If you apply the traffic policy globally and run the global command in the global DPI
policy view at the same time, the DPI policy takes effect on all network-side and user-
side interfaces. The common DPI policies configured on the user-side interfaces
become invalid. If you do not run the global command, the global DPI takes effect
only on all the network-side interfaces.
- Applying the traffic policy to an interface
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
traffic-policy traffic-policy-name { inbound | outbound } [ link-layer ]
The traffic policy is applied to the interface.
----End
10.3.7 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action                                            Command
Check information about the global DPI policy.    display dpi global-policy [ verbose ]
Check information about the DPI policy.           display dpi policy [ dpi-policy-name ]

10.4 Configuring User-side DPI
This section describes how to configure and apply the DPI policy at the user side.
NOTE
The user-side DPI policy functions on each user individually. For example, you run the car cir command
to set bandwidth for a user to 1 Mbit/s. The ME60 then checks bandwidth of each user. If bandwidth of a
user exceeds 1 Mbit/s, the ME60 limits traffic volume of this user.
10.4.1 Establishing the Configuration Task
10.4.2 Creating and Configuring a DPI Policy
10.4.3 Configuring a Common DPI Policy Group
10.4.4 Applying the User-side DPI Policy to the Domain
10.4.5 (Optional) Enabling DPI on a BAS Interface
10.4.6 (Optional) Configuring the Restriction Policy
10.4.7 Checking the Configuration
10.4.1 Establishing the Configuration Task
Applicable Environment
Some applications may maliciously occupy network resources, which causes network
congestion. To avoid network congestion, you need to configure the DPI function to identify
these applications and limit their traffic.
Use one of the following methods to configure the user-side DPI policy:
- To inspect the users that go online through a BAS interface, configure a restriction policy
on the ME60 and enable DPI on the BAS interface.
- To inspect the users that go online from a domain, configure a common DPI policy group
and bind the policy group to the domain.
- Configure the policy server to deliver the DPI policy for users.
The DPI policy delivered by the policy server has the highest priority, and the DPI policy
configured on a BAS interface has the lowest priority.
If the DPI policy is delivered by the policy server, the ME60 dynamically matches the user
packets with the DPI policy after a user goes online. If the user packets do not match the delivered
policy, the ME60 matches the packets with the DPI policy bound to the domain. If no DPI policy
is bound to the domain, or the user packets do not match the service type specified by the DPI
policy, the ME60 performs DPI according to the restriction DPI policy configured on the BAS
interface.
NOTE
For the method of configuring the policy server to deliver the DPI policy, refer to the Quidway ME60
Multiservice Control Gateway Configuration Guide - BRAS Services.
Pre-configuration Task
Before configuring the user-side DPI, complete the following tasks:
- 10.2 Configuring Basic DPI Functions
- Enabling users to connect to the Internet through the ME60
- Enabling the value-added service
NOTE
The DPI service is a value-added service. Therefore, you must enable value-added services before
configuring DPI. For the method of enabling value-added services, refer to the Quidway ME60 Multiservice
Control Gateway Configuration Guide - BRAS Services.
Data Preparation
To configure the user-side DPI, you need the following data.
No. Data
1 DPI policy name
2 Name of the common DPI policy group
3 Domain where the DPI policy is to be configured
4 (Optional) BAS interface where the DPI policy is to be configured

10.4.2 Creating and Configuring a DPI Policy
See "10.3.2 Creating a DPI Policy" and "10.3.3 Configuring the DPI Policy".
10.4.3 Configuring a Common DPI Policy Group
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi policy-group policy-group-name
A common DPI policy group is created and the common DPI policy group view is displayed.
Step 3 Run:
dpi-policy dpi-policy-name
A common DPI policy is bound to the policy group.
----End
10.4.4 Applying the User-side DPI Policy to the Domain
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
dpi-policy-group policy-group-name
A common DPI policy group is applied to the domain.
The common DPI policy group must be an existing one.
When the common DPI policy is applied to the domain, the ME60 can identify whether a domain
user uses the DPI service. The ME60 can then limit the traffic of this user.
----End
10.4.5 (Optional) Enabling DPI on a BAS Interface
Context
CAUTION
After DPI is enabled on a BAS interface, if no DPI policy is bound to the domain, or the user
packets do not match the service type specified by the DPI policy, the ME60 performs DPI
according to the restriction DPI policy configured on the BAS interface. Therefore, you must
configure a restriction DPI policy when enabling DPI on a BAS interface; otherwise, DPI does
not take effect on the BAS interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
bas
The BAS interface view is displayed.
Step 4 Run:
access-type layer2-subscriber [ bas-interface-name name | default-domain { pre-
authentication domain-name | authentication [ force | replace ] domain-name } * |
accounting-copy radius-server radius-name ] *
The access type of the interface is set to layer-2 subscriber.
Or run:
access-type layer2-leased-line user-name username password [ bas-interface-name
name | default-domain authentication domain-name | accounting-copy radius-server
radius-name | nas-port-type type ] *
The access type of the interface is set to layer-2 leased line.
Or run:
access-type layer3-leased-line user-name username password [ bas-interface-name
name | default-domain authentication domain-name | accounting-copy radius-server
radius-name | nas-port-type type ] *
The access type of the interface is set to layer-3 leased line.
Step 5 Run:
dpi-enable
DPI is enabled.
Step 6 Run:
authentication-method { { ppp | dot1x | { web | fast } } * | bind }
The authentication method of the user is set.
After DPI is enabled on the BAS interface, the ME60 performs the following:
- If a common DPI policy group is bound to the domain, the ME60 matches packets of the
users going online from the domain with the common DPI policy. If the user packets do not
match any service type specified by the common DPI policy, the ME60 matches the user
packets with the restriction DPI policy.
- If no common DPI policy group is bound to the domain, the ME60 matches the user packets
with the restriction DPI policy directly.
----End
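The three user-side policy sources and their precedence (policy delivered by the policy server, then the common DPI policy group bound to the domain, then the restriction policy on the DPI-enabled BAS interface) decide which behaviour a user's packets finally receive. The following Python resolver is an added example written from the description in 10.4.1 and the CAUTION above; it is not ME60 code. The policy contents, the domains isp1 and isp2, the interfaces ge2 and ge4, the user names and the voip service type in demo() are constructed, and the rule that the first policy in a group which defines the service type wins is an assumption, since the page does not state the ordering within a group.

```python
"""Which DPI policy applies to a user's traffic on the user side (added example,
not ME60 code). Order, from the guide: policy delivered by the policy server,
then the common DPI policy group bound to the user's domain, then the restriction
policy on the DPI-enabled BAS interface. All names and policies are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BasInterface:
    dpi_enabled: bool = False                    # 'dpi-enable' under 'bas'
    restriction_policy: Optional[dict] = None    # 'dpi restricted-policy' contents


@dataclass
class Domain:
    policy_group: list = field(default_factory=list)   # common DPI policies, in order


@dataclass
class User:
    domain: Domain
    bas: BasInterface
    delivered_policy: Optional[dict] = None      # pushed by the policy server


def resolve_dpi_behavior(user, service_type):
    """Return (source, behaviour) for `service_type`, or None if no DPI applies."""
    # 1. Highest priority: the policy delivered by the policy server.
    if user.delivered_policy and service_type in user.delivered_policy:
        return ("policy-server", user.delivered_policy[service_type])
    # 2. The common DPI policy group bound to the domain. Assumption: the first
    #    policy in the group that defines the service type wins.
    for policy in user.domain.policy_group:
        if service_type in policy:
            return ("domain", policy[service_type])
    # 3. The restriction policy on the BAS interface; per the CAUTION in 10.4.5
    #    DPI does not take effect there without one.
    bas = user.bas
    if bas.dpi_enabled and bas.restriction_policy and service_type in bas.restriction_policy:
        return ("bas-restriction", bas.restriction_policy[service_type])
    return None


def demo():
    dpi2 = {"p2p": "car cir 10240 downstream"}   # the user-side policy from 10.5.1
    isp1 = Domain(policy_group=[dpi2])
    isp2 = Domain()                              # no policy group bound
    ge2 = BasInterface(dpi_enabled=True,
                       restriction_policy={"voip": "car cir 2048 downstream"})
    ge4 = BasInterface(dpi_enabled=True)         # dpi-enable without a restriction policy
    alice = User(domain=isp1, bas=ge2, delivered_policy={"p2p": "deny"})
    bob = User(domain=isp1, bas=ge2)
    carol = User(domain=isp2, bas=ge2)
    dave = User(domain=isp2, bas=ge4)
    return {
        "alice-p2p": resolve_dpi_behavior(alice, "p2p"),     # server-delivered wins
        "alice-voip": resolve_dpi_behavior(alice, "voip"),   # falls through to the BAS policy
        "bob-p2p": resolve_dpi_behavior(bob, "p2p"),         # domain policy group
        "carol-p2p": resolve_dpi_behavior(carol, "p2p"),     # nothing matches
        "carol-voip": resolve_dpi_behavior(carol, "voip"),
        "dave-voip": resolve_dpi_behavior(dave, "voip"),     # no restriction policy: no DPI
    }
```

The dave case is the failure mode the CAUTION warns about: dpi-enable on the BAS interface with no restriction policy leaves a user outside any bound policy group with no DPI behaviour at all, so the check worth adding to a configuration review is that every DPI-enabled BAS interface has a restriction policy.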
10.4.6 (Optional) Configuring the Restriction Policy
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dpi restricted-policy
The restriction policy view is displayed.
Step 3 Run:
service-type service-type
The service type is configured.
Step 4 Configure the behavior for the service as follows:
- To configure the ME60 to control the CAR parameters, run car cir cir-value [ pir pir-
value ] [ cbs cbs-value pbs pbs-value ] { upstream | downstream }.
- To configure the ME60 to forward all the packets of the specified service with the speed
lower than the CIR, run permit.
- To configure the ME60 to discard all packets of the specified service, run deny.
You can configure one or more preceding behaviors. The permit and deny behaviors cannot be
configured simultaneously. By default, the behavior in the DPI policy is permit.
The restriction policy is applied to a BAS interface. The ME60 controls traffic of each user on
the DPI-enabled BAS interface according to the restriction policy.
By default, no restricted policy is configured.
----End
10.4.7 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action                                                Command
Check information about the DPI policy.               display dpi policy [ dpi-policy-name ]
Check information about the restriction DPI policy.   display dpi restricted-policy
Check information about the common DPI policy group.  display dpi policy-group [ policy-group-name ]

10.5 Configuration Examples
This section provides a configuration example of DPI.
10.5.1 Example for configuring the DPI Function
10.5.1 Example for configuring the DPI Function
Networking Requirement
As shown in Figure 10-3, the ME60 functions as the broadband access device. The GE1/0/0
interface is connected to the Internet. The GE2/0/0 interface provides the broadband access
service for users. The user in the figure represents the access network. The ME60 is connected
to the PTS through GE3/0/0. The PTS performs DPI for service packets. When the P2P traffic
on GE1/0/0 exceeds 100 Mbit/s, the ME60 limits the traffic. When the P2P traffic of a user in
domain isp1 on GE2/0/0 exceeds 10 Mbit/s, the ME60 limits the traffic.
Figure 10-3 Networking for DPI configuration (figure not reproduced: the ME60 connects to the
Internet through GE1/0/0, to the user side through GE2/0/0, and to the PTS through GE3/0/0)

Configuration Roadmap
The configuration roadmap is as follows:
- Configure the basic DPI information.
- Configure the PTS.
- Configure the network-side DPI.
- Configure the user-side DPI.
Data Preparation
To complete the configuration, you need the following data:
- Slot number and MAC address of the DPI board
- IP address of the PTS, port number used to monitor the keepalive packets, interface
connected to the ME60, interval of keepalive packets, and number of keepalive timeout
events on the PTS
Configuration Procedure
NOTE
This configuration example describes only the commands used to configure DPI.
1. Configure the basic DPI information.
# (Optional) Configure the VSU to function as the DPI board.
<Quidway> system-view
[Quidway] set lpu-work-mode dpi slot 3
[Quidway] quit
<Quidway> reset slot 3
# Configure the MAC address of the DPI board.
<Quidway> system-view
[Quidway] dpi dsu-mac
[Quidway-dpi-dsu-mac] dsu-slot 3 mac 00e0-abcd-abcd
[Quidway-dpi-dsu-mac] quit
# Configure information about the PTS on the DPI board.
[Quidway] dpi pts
[Quidway-dpi-pts] pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side
gigabitethernet 3/0/0
[Quidway-dpi-pts] keep-alive 5 3
2. Configure the PTS.
After the PTS is connected to the ME60, you can log in to the configuration window from
a personal computer to set the following parameters.
Parameter          Value
system_id          1234
Servername         100.1.1.1
peer_etherAddress  00e0-abcd-abcd
port_etherAddress  MAC address of the PTS interface connected to the ME60
port_ipAddress     IP address of the PTS interface connected to the ME60
port_udpPort       4000

NOTE
The preceding parameters may vary on different PTSs. Set the parameters according to the actual
situation.
You need to set other parameters of the PTS, such as the user name and password of the
login user, and service type. For the configuration procedure, refer to documents about the
LIG. The ME60 works with PTSs of other vendors to provide the DPI function for various
services. Huawei does not provide the PTS.
3. Configure the network-side DPI.
# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic
volume on GE1/0/0 exceeds 100 Mbit/s.
[Quidway] dpi policy dpi1
[Quidway-dpi-policy-dpi1] service-type p2p
[Quidway-dpi-policy-dpi1] car cir 102400 upstream
[Quidway-dpi-policy-dpi1] quit
# Configure the global DPI policy group.
[Quidway] dpi global-policy
[Quidway-dpi-global-policy] dpi-policy dpi1
[Quidway-dpi-global-policy] active
[Quidway-dpi-global-policy] quit
# Configure an ACL.
[Quidway] acl 3000
[Quidway-acl-adv-3000] rule permit ip
[Quidway-acl-adv-3000] quit
# Configure the traffic classifier and define the ACL-based traffic classification rules.
[Quidway] traffic classifier a
[Quidway-classifier-a] if-match acl 3000
[Quidway-classifier-a] quit
# Configure the behavior to DPI.
[Quidway] traffic behavior e
[Quidway-behavior-e] car cir 112640
[Quidway-behavior-e] dpi
[Quidway-behavior-e] quit
# Define a traffic policy and associate the traffic classifier with the behavior.
[Quidway] traffic policy 1
[Quidway-trafficpolicy-1] classifier a behavior e
[Quidway-trafficpolicy-1] quit
# Apply the traffic policy to GE1/0/0.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-gigabitethernet1/0/0] traffic-policy 1 inbound
[Quidway-gigabitethernet1/0/0] undo shutdown
[Quidway-gigabitethernet1/0/0] quit
4. Configure the user-side DPI.
# Enable value-added services.
[Quidway] value-added-service enable
# Configure a DPI policy. Specify that the ME60 limits the P2P traffic when the P2P traffic
volume of a user exceeds 10 Mbit/s.
[Quidway] dpi policy dpi2
[Quidway-dpi-policy-dpi2] service-type p2p
[Quidway-dpi-policy-dpi2] car cir 10240 downstream
[Quidway-dpi-policy-dpi2] quit
# Configure a common DPI policy group.
[Quidway] dpi policy-group dpi_user
[Quidway-dpi-policy-group-text] dpi-policy dpi2
[Quidway-dpi-policy-group-text] quit
# Users go online from domain isp1. Bind the DPI policy to domain isp1 to control the P2P
traffic of the users in this domain.
[Quidway] aaa
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] dpi-policy-group dpi_user
# Configure the authentication method on the interface to binding authentication.
[Quidway] interface gigabitethernet2/0/0
[Quidway-gigabitethernet2/0/0] undo shutdown
[Quidway-gigabitethernet2/0/0] bas
[Quidway-gigabitethernet2/0/0-bas] access-type layer2-subscriber
[Quidway-gigabitethernet2/0/0-bas] authentication-method bind
Configuration Files
#
sysname Quidway
#
value-added-service enable
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
acl number 3000
rule 5 permit ip
#
traffic classifier a operator or
if-match acl 3000
#
traffic behavior e
dpi
car cir 112640 cbs 14080000 pbs 35256320 green pass yellow pass red discard
#
traffic policy 1
classifier a behavior e
#
interface Virtual-Template1
#
interface gigabitethernet1/0/0
undo shutdown
traffic-policy 1 inbound
#
interface gigabitethernet2/0/0
undo shutdown
pppoe-server bind Virtual-Template 1
bas
access-type layer2-subscriber
authentication-method bind
#
ip pool pool1 local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
#
dpi policy dpi1
service-type p2p
car cir 102400 upstream
#
dpi policy dpi2
service-type p2p
car cir 10240 downstream
#
dpi policy-group dpi_user
dpi-policy dpi2
#
dpi pts
keep-alive 5 3
pts-id 1234 ip-address 100.1.1.1 4000 subscriber-side gigabitethernet 3/0/0
#
dpi global-policy
dpi-policy dpi1
#
dpi dsu-mac
dsu-slot 1 mac 00e0-abcd-abcd
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
dpi-policy-group dpi_user
#
return
11 Lawful Interception Configuration
About This Chapter
This chapter describes the concept, process, and configuration of lawful interception.
11.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception
function supported by the ME60.
11.2 Configuring Lawful Interception
This section describes how to configure lawful interception.
11.3 Configuration Examples
This section provides a configuration example of lawful interception.
11.1 Introduction
This section describes the concept and principle of lawful interception and the lawful interception
function supported by the ME60.
11.1.1 Concept of Lawful Interception
11.1.2 Principle of Lawful Interception
11.1.3 Role of the ME60 in Lawful Interception
11.1.1 Concept of Lawful Interception
Lawful interception is a law enforcement behavior carried out to monitor the communication
services on the public communications network according to the related law and the norm for
the public communications network. Lawful interception must be authorized by the authorization
department of the law enforcement agency.
Lawful interception requires the support of communication service providers (telecom carriers)
and the permission granted by the law enforcement agency. Therefore, lawful interception is
implemented jointly by the service providers and the law enforcement agency.
11.1.2 Principle of Lawful Interception
Intercepted Information
In lawful interception, the following information is intercepted:
- CC: the content of the communication, for example, email and VoIP packets
- IRI: the information related to the communication, including the address, time, and network
location
The content of communication (CC) and intercepted related information (IRI) can be provided
by the network devices of the carrier. The IRI is generally provided by the AAA server. The CC
is provided by the edge router, for example, the ME60.
Scenario for Lawful Interception
Figure 11-1 shows the scenario for lawful interception.
NOTE
In this scenario, the IRI is provided by the AAA server and the CC is provided by the ME60.
Figure 11-1 Scenario for lawful interception (figure not reproduced: the interception center
connects to the interception management center; the interception management center reaches the
LIG management system over HI1 and the LIG over HI2 and HI3; the LIG management system
controls the LIG over L1; inside the carrier network the LIG connects to the AAA server over X1
and X2 and to the ME60 over X1 and X3)

Lawful interception involves the following roles:
- Interception center: is the device through which the law enforcement agencies intercept the
activities of online users. The interception center initiates the interception and receives the
interception result. The functions of the interception center are as follows:
  - Defining the intercepted target
  - Initiating or terminating the interception
  - Receiving and recording the interception results
  - Analyzing the interception result
- Interception management center: is the agent of the interception center. The interception
management center receives interception requests from the interception center and
interprets the requests into identifiers of the location and service in the network. Then it
delivers the interception configuration to the devices of the carrier on the network.
- LIG: functions as the agent between the interception management center and the carrier
device. The functions of the Lawful Interception Gateway (LIG) are as follows:
  - Receiving the interception request from the interception management center through
  the L1 and HI1 interfaces
  - Delivering the configuration of interception to network devices and obtaining
  intercepted contents through the X interfaces
  - Sending the intercepted contents to the interception management center through the HI2
  and HI3 interfaces
- LIG management system: receives the interception requests from the interception
management center and delivers them to LIGs. An LIG management system can manage
multiple LIGs.
NOTE
The LIG management system delivers the configuration to the LIG through the L1 interface. The
LIG is located on the network of the carrier, and the LIG management system is managed by the
interception management center.
- The carrier deploys the lawful interception function on the network devices on the carrier
network. The devices that support lawful interception receive the configuration from the
interception management center, and then send the intercepted traffic to the interception
management center.
Interfaces for Lawful Interception
Lawful interception involves seven interfaces, as shown in Figure 11-1. Table 11-1 provides
the description of these interfaces.
Table 11-1 Description of interfaces for lawful interception
Interface  Description
L1         Connects the LIG management system to the LIG. The L1 interface delivers
           the interception control command from the interception management
           center to the LIG.
           NOTE
           If multiple LIGs are distributed on the carrier network, the interception control
           command can be delivered through multiple L1 interfaces so that the LIGs are
           controlled uniformly.
HI1        Connects the interception management center to the LIG management
           system. The interception management center delivers management
           commands to the LIG and receives responses through the HI1 interface.
HI2        Connects the interception management center to the LIG. The LIG sends
           the IRI to the interception management center through the HI2 interface.
HI3        Connects the interception management center to the LIG. The LIG sends
           the CC to the interception management center through the HI3 interface.
X1         Connects the LIG to the signaling interface of the network device of the
           carrier. Through the X1 interface, the LIG delivers the interception
           configuration, including the intercepted user and the interception task, to
           the network devices of the carrier.
X2         Connects the LIG to the data interface of the network device of the carrier.
           The network device of the carrier sends the IRI to the LIG through the X2
           interface. This interface must guarantee reliability and privacy of the data.
X3         Connects the LIG to the data interface of the network device of the carrier.
           The network device of the carrier sends the CC and heartbeat information
           to the LIG through the X3 interface.
           NOTE
           The network device and the LIG send heartbeat messages to each other to check the
           connection between them. If the network device does not receive the heartbeat
           response message within a certain period, the network device deletes information
           about all intercepted targets delivered by the LIG. After the heartbeat connection
           recovers, the LIG delivers information about the interception object again.

NOTE
The ME60 provides the X1 and X3 interfaces. The implementation on the two interfaces is as follows:
- The ME60 supports the X1 interface through the Simple Network Management Protocol version 3 (SNMPv3). To create the X1 interface, you must configure the SNMP information on the ME60.
- The ME60 provides the command lines for configuring the X3 interface to set up the connection with the LIG.
Process of Lawful Interception
Figure 11-2 shows the process of lawful interception.
Figure 11-2 Process of lawful interception
[Figure: interception center, interception management center, LIG, AAA/DHCP server, access server, ME60, user, and Internet. Step labels: 1. Sends lawful interception authorization; 2. Delivers interception configuration; 3. Sets intercepted target; 4. Intercepts user login information; 5. Reports target user information / reports intercepted traffic; 6. Interception rules are set on the LIG; 7. The user accesses the Internet; 8. Copies user traffic and sends the traffic to the LIG.]
The process of lawful interception is as follows:
1. The law enforcement agency sends the lawful interception authorization to the interception
management center through the electrical interface of the interception center or sends
written authorization.
2. The interception management center finds the location of the target user according to the
interception request, and then sends the location information to the LIG.
3. The LIG sends the required information to the AAA server according to the interception
request. The interception device (such as the IP Probe or Sniffer) of the AAA server sets
the interception object according to the received information.
4. The interception device of the AAA server intercepts the AAA traffic according to the
interception object. When a target user goes online, the AAA server generates the IRI of
the user and sends the IRI to the LIG.
5. The LIG processes the IRI, and then sends the IRI to the interception center.
6. The LIG sends the information about the interception object and the interception task to
the ME60 to initiate an interception request.
7. The user connects to the Internet through the ME60. The ME60 sends the accounting
information to the AAA server.
8. The ME60 duplicates the upstream traffic of the user, generates the CC, and then sends the
CC to the LIG.
9. The LIG sends the CC to the interception center.
NOTE
When the user logs out, the interception device of the AAA server notifies the LIG. The LIG then
requests the ME60 to delete information about the interception object delivered by the LIG. The
ME60 stops intercepting the traffic.
11.1.3 Role of the ME60 in Lawful Interception
The ME60 functions as the network device of the carrier during lawful interception. It sends
interception information through the X3 interface to the LIG, and at the same time, it receives
the information about the interception objects sent by the LIG through the X1 interface.
The LIG sends the information about the interception objects through the X1 interface. The
ME60 generates the interception rule according to the information about the interception object.
The ME60 copies the data matching the interception rule and encapsulates the data in UDP
packets as the CC, and then sends the CC to the LIG through the X3 interface. When the
information about the target user changes, the ME60 updates the interception rule. When the
LIG stops intercepting the user activities, the ME60 deletes the related interception rule.
NOTE
The interception rules generated by the ME60 are not recorded in the configuration file. When the ME60
is restarted, the LIG must send the information about the interception object to the ME60 again so that the
interception rule can be generated again.
The ME60 intercepts user activities based on the IP address but it does not differentiate services.
During lawful interception, performance of the ME60 may be affected if the intercepted traffic
is too high. Therefore, do not set too many interception objects. The ME60 can intercept up to 4
kbit/s one-way traffic or 2 kbit/s two-way traffic.
NOTE
When the ME60 is configured to intercept one-way flows based on the IP address, it intercepts only the
flows with specified source address and destination address. For two-way flows, if the source address of
the intercepted flow is set on the LIG, the ME60 intercepts the flows from this address and the flows to
this address.
An ME60 can be connected to up to 10 LIGs, but the LIGs cannot deliver the same interception
object to the ME60. If multiple LIGs deliver the same interception target, the ME60 sends the
interception information to the first matching LIG.
The availability of the lawful interception function on the ME60 is controlled by the license. To
use this function, you must buy the license for lawful interception and activate the license. For
more information about the license, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - System Management.
11.2 Configuring Lawful Interception
This section describes how to configure lawful interception.
11.2.1 Establishing the Configuration Task
11.2.2 Configuring the IP Address of the X3 Interface
11.2.3 Configuring the Type and Port Number of the X3 Interface
11.2.4 Enabling Lawful Interception
11.2.5 Checking the Configuration
11.2.1 Establishing the Configuration Task
Applicable Environment
On the IP network, lawful interception must be configured to guarantee network security and
monitor activities of online users.
Pre-configuration Task
Before configuring lawful interception, complete the following tasks:
- Connecting the ME60 to the LIG through the X1 interface
- Buying and activating the license for lawful interception
NOTE
The configuration of the X1 interface is delivered to the ME60 through SNMPv3, so you must
configure the SNMP agent on the ME60. For the configuration of the SNMP agent, refer to the
Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Data Preparation
To configure lawful interception, you need the following data.
No. Data
1 Port number used on the X3 interface
2 IP address of the X3 interface

11.2.2 Configuring the IP Address of the X3 Interface
Context
Do as follows on the router where lawful interception is deployed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { gigabitethernet | pos | loopback | eth-trunk | ip-trunk } interface-number
The interface view is displayed.
NOTE
Since the loopback interface is always Up, it is recommended that you use a loopback interface to improve
the configuration reliability.
Step 3 Run:
ip address ip-address { mask | mask-length }
The IP address of the X3 interface is configured.
----End
11.2.3 Configuring the Type and Port Number of the X3 Interface
Context
Do as follows on the router where lawful interception is deployed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
lawful-interception x3-interface interface-type interface-number port port-number
The type of the X3 interface for lawful interception and the port number used on the X3 interface
are configured.
NOTE
- An ME60 can be connected to a maximum of 10 LIGs. All the LIGs are connected to the same X3
interface based on the IP address of the X3 interface.
- Use a non-well-known port number larger than 2000 for the X3 interface so that the port does not
conflict with ports used by other programs.
Before configuring the type and port number of the X3 interface, you must configure the IP
address of the X3 interface.
By default, no X3 interface is configured on the ME60.
----End
11.2.4 Enabling Lawful Interception
Context
Do as follows on the router where lawful interception is deployed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
lawful-interception enable
Lawful interception is enabled.
When enabling lawful interception, note the following:
- Before enabling lawful interception, you must configure the X3 interface for lawful
interception.
- After lawful interception is enabled, the IP address of the X3 interface cannot be deleted or
changed. To change the IP address of the X3 interface, run the undo lawful-interception
enable command to disable lawful interception.
- After you run the undo lawful-interception enable command, the ME60 deletes the
information delivered by the LIG, including:
  - IP address of the LIG
  - Information about the intercepted user
By default, lawful interception is disabled.
----End
11.2.5 Checking the Configuration
Run the following command in the system view to check the previous configuration.
Action                                            Command
Check the configuration of lawful interception.   display lawful-interception
The display information of the preceding command is as follows:
[Quidway] display lawful-interception
Lawful Interception:
Lawful Interception function is : Enabled
Lawful Interception X3 interface is Ethernet2/1/5
Lawful Interception X3 port is 3000
11.3 Configuration Examples
This section provides a configuration example of lawful interception.
11.3.1 Example for Configuring Lawful Interception
11.3.1 Example for Configuring Lawful Interception
NOTE
Only the configuration of lawful interception is provided in this example.
Networking Requirements
As shown in Figure 11-3, the ME60 functions as the network device of the carrier. Loopback0
is the X3 interface connected to the LIG. Based on this network, the ME60 performs lawful
interception through the X3 interface. The PPPoE user connects to the ME60 through GE8/0/1.
RADIUS authentication and RADIUS accounting are adopted for the user. The RADIUS server
provides the IRI for the LIG.
The LIG delivers information required for lawful interception to the ME60 through the SNMP
protocol. The ME60 sends the interception information to the LIG through the X3 interface.
Figure 11-3 Networking of lawful interception
[Figure: Internet, LAN switch, ME60, LIG, RADIUS server, and user. Labels: Loopback0 100.100.100.1/24, 100.100.1.100/24, GE8/0/1.]
NOTE
In this example, the RADIUS server performs authentication and accounting for the user. You also need
to install interception software, such as IP Probe or Sniffer, so that the RADIUS server can provide
the IRI for the LIG.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the SNMP agent and the LIG to ensure normal communication between the
ME60 and the LIG.
- Configure the IP address of the X3 interface.
- Configure the address and port number of the X3 interface.
- Enable lawful interception.
- Configure user access.
Data Preparation
To complete the configuration, you need the following data:
- User name and password of the SNMP user and the authentication protocol
- IP address and port number of the X3 interface
Configuration Procedure
1. Configure the SNMP agent.
NOTE
In this example, only the basic configuration of SNMP is described. For details, refer to the Quidway
ME60 Multiservice Control Gateway Configuration Guide - System Management.
<Quidway> system-view
[Quidway] snmp-agent
[Quidway] snmp-agent sys-info version all
[Quidway] snmp-agent community read public
[Quidway] snmp-agent community write private
[Quidway] snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
[Quidway] snmp-agent mib-view included snmpv3 iso
[Quidway] snmp-agent usm-user v3 usera huawei authentication-mode md5 123456789
NOTE
After configuring the SNMP agent, you must configure the LIG so that the ME60 can communicate
with the LIG. You need to configure the SNMP information, addresses of the X2 and X3 interfaces,
port numbers used on the X2 and X3 interfaces, and information about the intercepted flows. For the
configuration procedure, refer to documents about the LIG. The ME60 works with the LIGs of other
vendors to implement lawful interception. Huawei does not provide the LIG.
2. Configure IP addresses of the interfaces.
[Quidway] interface loopback0
[Quidway-LoopBack0] ip address 100.100.100.1 24
[Quidway-LoopBack0] quit
3. Configure the address and port number of the X3 interface.
[Quidway] lawful-interception x3-interface loopback0 port 3000
4. Enable lawful interception.
[Quidway] lawful-interception enable
5. Configure access of the PPPoE user.
For the configuration procedure, refer to the Quidway ME60 Multiservice Control Gateway
Configuration Guide - BRAS services.
Configuration Files
#
sysname Quidway
#
lawful-interception x3-interface loopback0 port 3000
lawful-interception enable
#
radius-server group rd1
radius-server authentication 192.168.7.249 1645 weight 0
radius-server accounting 192.168.7.249 1646 weight 0
radius-server shared-key itellin
radius-server type plus11
radius-server traffic-unit kbyte
#
interface Virtual-Template1
#
interface GigabitEthernet8/0/1
pppoe-server bind Virtual-Template 1
bas
access-type layer2-subscriber
#
interface LoopBack0
ip address 100.100.100.1 255.255.255.0
#
ip pool pool1 local
gateway 172.82.0.1 255.255.255.0
section 0 172.82.0.2 172.82.0.200
dns-server 192.168.7.252
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
domain default1
domain default_admin
domain isp1
authentication-scheme auth1
accounting-scheme acct1
radius-server group rd1
ip-pool pool1
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent group v3 huawei authentication read-view snmpv3 write-view snmpv3
snmp-agent mib-view included snmpv3 iso
snmp-agent usm-user v3 usera huawei authentication-mode md5 F;MZ0<T2Z.R:_-XWOWW!L1!!
#
return
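The rules this chapter states for the X3 interface and for enabling lawful interception can be checked mechanically against a configuration file. The following audit script is an added example, not Huawei's code; it assumes the configuration-file layout shown above (one `interface` section per interface, `#` as section separator, the `lawful-interception x3-interface ... port ...` syntax) and uses a constructed sample configuration with a placeholder in place of the SNMPv3 key.

```python
import re

# Constructed sample (not a capture from a device); it follows the layout of
# the "Configuration Files" section above, with the SNMPv3 key replaced by a
# placeholder.
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
 lawful-interception x3-interface loopback0 port 3000
 lawful-interception enable
#
interface GigabitEthernet8/0/1
 pppoe-server bind Virtual-Template 1
#
interface LoopBack0
 ip address 100.100.100.1 255.255.255.0
#
 snmp-agent
 snmp-agent usm-user v3 usera huawei authentication-mode md5 <KEY-PLACEHOLDER>
#
return
"""

# The chapter recommends a non-well-known port larger than 2000.
MIN_X3_PORT = 2000


def parse_interfaces(config):
    """Map each interface name (lower-cased) to whether it has an IP address."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1).lower()
            interfaces.setdefault(current, False)
        elif line == "#":
            current = None            # '#' closes a configuration section
        elif current and re.match(r"ip address\s+\S+\s+\S+$", line):
            interfaces[current] = True
    return interfaces


def audit_lawful_interception(config):
    """Return the list of rule violations found in a configuration excerpt.

    Rules checked are the ones stated in this chapter: the X3 interface must
    carry an IP address, the port should be above 2000, a loopback interface
    is recommended, 'lawful-interception enable' needs an X3 interface, and
    the X1 interface needs the SNMP agent with an SNMPv3 user that
    authenticates."""
    lines = [raw.strip() for raw in config.splitlines()]
    interfaces = parse_interfaces(config)
    findings = []

    x3 = None
    for line in lines:
        match = re.match(r"lawful-interception x3-interface (\S+) port (\d+)$", line)
        if match:
            x3 = (match.group(1).lower(), int(match.group(2)))
    enabled = "lawful-interception enable" in lines

    if x3 is None:
        if enabled:
            findings.append("lawful-interception enable without an X3 interface")
    else:
        name, port = x3
        if name not in interfaces:
            findings.append("X3 interface %s is not defined" % name)
        elif not interfaces[name]:
            findings.append("X3 interface %s has no IP address" % name)
        if not name.startswith("loopback"):
            findings.append("X3 interface %s is not a loopback (recommended)" % name)
        if port <= MIN_X3_PORT:
            findings.append("X3 port %d is not above %d" % (port, MIN_X3_PORT))

    if "snmp-agent" not in lines:
        findings.append("snmp-agent is not enabled; the X1 interface needs SNMPv3")
    if not any(re.match(r"snmp-agent usm-user v3 \S+ \S+ authentication-mode ", ln)
               for ln in lines):
        findings.append("no SNMPv3 user with authentication for the X1 interface")
    return findings


if __name__ == "__main__":
    for finding in audit_lawful_interception(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```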
12 User Log Configuration
About This Chapter
This chapter describes the concept and configuration of user logs.
12.1 Introduction
This section describes the concept and classification of user logs.
12.2 Configuring the User Log
This section describes how to configure the user log.
12.3 Debugging the User Log
This section provides the command for enabling debugging of the user log.
12.4 Configuration Examples
This section provides a configuration example of user log.
12.1 Introduction
This section describes the concept and classification of user logs.
Most countries have specific requirements for information security. An ISP must have the
capability of recording activities of users, such as login, logout, and access to network resources.
The ME60 provides user logs to record information about user login and logout so that carriers
and security agents can manage and monitor users.
The user log on the ME60 contains the user name, operation type (login and logout), login and
logout time, VLAN/PVC, access interface, IP address, and MAC address of the user.
12.2 Configuring the User Log
This section describes how to configure the user log.
12.2.1 Establishing the Configuration Task
12.2.2 Configuring the User Log Host
12.2.3 Configuring the Version of User Log Packets
12.2.4 Enabling the User Log Function
12.2.5 Applying the User Log
12.2.6 Checking the Configuration
12.2.1 Establishing the Configuration Task
Applicable Environment
When you need to record the information about user login and logout, you need to configure the
user log.
Pre-configuration Task
None.
Data Preparation
To configure the user log, you need the following data.
No. Data
1 IP address and port number of the log host
2 Version of the user log packet

12.2.2 Configuring the User Log Host
Context
NOTE
The user log host receives the user log packets sent by the ME60 and analyzes the packets. Before enabling
the user log function, you must configure the user log host.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip userlog [ access ] export host ip-address udp-port
The user log host is configured.
----End
12.2.3 Configuring the Version of User Log Packets
Context
NOTE
The version configured on the ME60 must be the same as the version configured on the user log host. By
default, the version of user log packets is not configured in the system. Therefore, before enabling the user
log function, you must configure the version of user log packets.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip userlog [ access ] export version version
The version of the user log packets is configured.
The format of the user log packets has two versions: version 1 and version 2. The two versions
are different in the format of the VLAN/PVC field in the packets, as shown in Table 12-1.
Table 12-1 Difference between the two versions of the user log packets
Version 1
  VLAN: a common VLAN number of two bytes
  PVC: a PVC number of two bytes
Version 2
  VLAN: a stack VLAN number of two bytes (0 bytes if there is no stack VLAN number) and a common VLAN number of two bytes
  PVC: a VPI number of two bytes and a VCI number of two bytes

----End
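The two layouts of the VLAN/PVC field in Table 12-1, and what a log host configured for the wrong version reads, as an added example that is not part of the original guide. Only this field is described in the chapter, so the example covers it alone; it assumes the two-byte numbers are sent in network byte order and that the decoder is handed exactly the field's bytes.

```python
import struct


def encode_vlan_field(version, vlan, stack_vlan=None):
    """VLAN form of the field (Ethernet access) in the Table 12-1 layout."""
    if version == 1:
        return struct.pack("!H", vlan)            # common VLAN, 2 bytes
    if version == 2:
        # stack VLAN (2 bytes, or nothing when absent) + common VLAN (2 bytes)
        stack = b"" if stack_vlan is None else struct.pack("!H", stack_vlan)
        return stack + struct.pack("!H", vlan)
    raise ValueError("unknown user log version: %r" % version)


def encode_pvc_field(version, pvc=None, vpi=None, vci=None):
    """PVC form of the field (ATM access) in the Table 12-1 layout."""
    if version == 1:
        return struct.pack("!H", pvc)             # PVC number, 2 bytes
    if version == 2:
        return struct.pack("!HH", vpi, vci)       # VPI and VCI, 2 bytes each
    raise ValueError("unknown user log version: %r" % version)


def decode_vlan_field(version, field):
    """Parse the VLAN form; returns (values, bytes left unread)."""
    if version == 1:
        (vlan,) = struct.unpack("!H", field[:2])
        return {"vlan": vlan}, field[2:]
    if version == 2:
        if len(field) >= 4:                       # stack VLAN present
            stack, vlan = struct.unpack("!HH", field[:4])
            return {"stack_vlan": stack, "vlan": vlan}, field[4:]
        (vlan,) = struct.unpack("!H", field[:2])  # "0 bytes" stack VLAN
        return {"stack_vlan": None, "vlan": vlan}, field[2:]
    raise ValueError("unknown user log version: %r" % version)


def decode_pvc_field(version, field):
    """Parse the PVC form; returns (values, bytes left unread)."""
    if version == 1:
        (pvc,) = struct.unpack("!H", field[:2])
        return {"pvc": pvc}, field[2:]
    if version == 2:
        vpi, vci = struct.unpack("!HH", field[:4])
        return {"vpi": vpi, "vci": vci}, field[4:]
    raise ValueError("unknown user log version: %r" % version)


def version_mismatch_demo():
    """Show why the version on the ME60 must match the one on the log host."""
    # ME60 configured for version 2: stack VLAN 100, common VLAN 200 (4 bytes).
    v2_field = encode_vlan_field(2, vlan=200, stack_vlan=100)
    # A version-1 host reads only the first 2 bytes: it reports VLAN 100 (really
    # the stack VLAN) and the 2 leftover bytes shift every field that follows.
    host_v1, unread = decode_vlan_field(1, v2_field)
    # ME60 configured for version 1: PVC 33 (2 bytes).  A version-2 host expects
    # VPI + VCI (4 bytes) and runs out of data.
    v1_pvc = encode_pvc_field(1, pvc=33)
    try:
        decode_pvc_field(2, v1_pvc)
        truncated = False
    except struct.error:
        truncated = True
    return {"v1_host_reads_vlan": host_v1["vlan"],
            "unread_bytes": len(unread),
            "v2_host_truncated": truncated}
```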
12.2.4 Enabling the User Log Function
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip userlog
The user log function is enabled.
----End
12.2.5 Applying the User Log
Context
Do as follows on the ME60.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A behavior is created and the behavior view is displayed.
Step 3 Run:
userlog
The user log behavior is defined.
After the version of user log packets and the log host are configured and the log function is
enabled, the system records the information about login and logout activities of each user in the
log.
For the configurations of the traffic classifier, traffic behavior, and traffic policy, refer to the
Quidway ME60 Multiservice Control Gateway Configuration Guide - QoS.
----End
12.2.6 Checking the Configuration
Run the following commands in any view to check the previous configuration.
Action                                     Command
Check the configuration of the user log.   display ip userlog [ access ] config
Display the statistics of the user log.    display ip userlog [ access ] statistic
12.3 Debugging the User Log
This section provides the command for enabling debugging of the user log.
CAUTION
Debugging affects system performance. After debugging, run the undo debugging all
command immediately to disable it.
When a fault occurs in the user log function, run the following debugging command in the user
view to locate the fault. For the procedure for displaying the debugging information, refer to the
Quidway ME60 Multiservice Control Gateway Configuration Guide - System Management.
Action                                  Command
Enable the debugging of the user log.   debugging ip userlog { access | all | error | packet }
12.4 Configuration Examples
This section provides a configuration example of user log.
12.4.1 Example for Configuring the User Log
12.4.1 Example for Configuring the User Log
Networking Requirements
As shown in Figure 12-1, users on the local network connect to the Internet through GE1/0/0.1
of the ME60. The information about login and logout of users on the local network 1.1.1.0/24
needs to be recorded. The IP address of the log host is 10.10.10.1; the port number is 1200; the
version number of user log packets is 1.
Figure 12-1 Networking for configuring the user log
[Figure: users on 1.1.1.0 connect to the ME60 through GE1/0/0.1; the Userlog Host is 10.10.10.1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure user access.
2. Configure the user log.
3. Define an ACL.
4. Configure the traffic classifier that is based on the ACL rules.
5. Configure the traffic behavior of recording the user log.
6. Configure a traffic policy and associate the traffic behavior with the traffic classifier.
7. Apply the traffic policy to the interface.
Data Preparation
None.
Configuration Procedure
# Configure the user log function.
<Quidway> system-view
[Quidway] ip userlog access export version 1
[Quidway] ip userlog access export host 10.10.10.1 1200
[Quidway] ip userlog
# Create a user group.
[Quidway] user-group access
# Configure user access.
The configuration procedure is not described here. For the configuration procedure and
configuration file, refer to the Quidway ME60 Multiservice Control Gateway Configuration
Guide - BRAS Services.
NOTE
When configuring user access, run the user-group group-name command to set the user group name to
access.
# Define an ACL rule to identify the Internet access service with the source IP address.
[Quidway] acl number 6000
[Quidway-acl-ucl-6000] rule permit ip source user-group access
[Quidway-acl-ucl-6000] quit
# Configure the traffic classifier that is based on the ACL rule.
[Quidway] traffic classifier class1
[Quidway-classifier-class1] if-match acl 6000
[Quidway-classifier-class1] quit
# Configure the traffic behavior of recording the user log.
[Quidway] traffic behavior behav1
[Quidway-behavior-behav1] userlog
[Quidway-behavior-behav1] quit
# Configure the policy, in which the traffic classifier is associated with the behavior.
[Quidway] traffic policy policy1
[Quidway-trafficpolicy-policy1] classifier class1 behavior behav1
[Quidway-trafficpolicy-policy1] quit
# Apply the traffic policy to the interface.
[Quidway] interface gigabitethernet 1/0/0.1
[Quidway-GigabitEthernet1/0/0.1] traffic-policy policy1 inbound
Configuration Files
#
sysname Quidway
#
user-group access
#
acl number 6000
rule 5 permit ip source user-group access
#
traffic classifier class1 operator or
if-match acl 6000
#
traffic behavior behav1
userlog
#
traffic policy policy1
classifier class1 behavior behav1
#
#
interface GigabitEthernet1/0/0.1
traffic-policy policy1 inbound
#
ip userlog access export version 1
ip userlog access export host 10.10.10.1 1200
ip userlog access
#
return
A Glossary
This appendix lists the glossary of terms in this manual.
A
attack defense A function of detecting various network attacks and protecting the
intranet against malicious attacks.
authenticate To verify the legality of a user before the user visits the Internet or
accesses the Internet service.

C
CC Contents of communication that the lawful interception device intercepts,
such as the email contents and VoIP voice packets.

D
data juggle A security threat in which an attacker selectively changes, deletes, delays, or
rearranges system data or a message stream and inserts false messages,
thus destroying the consistency of the data.
denial of service A security threat in which the server denies the request of a legal user who
wants to access the information or resources.
DPI Deep packet inspection, a function of sensing the data application and
providing policies for network control and management through analysis
of the packet application layer.

E
encrypt To transform a readable message into an unreadable text. Unauthorized
users cannot obtain the content of the message even though they obtain
the encrypted signal.

F
firewall A system or a group of systems that monitors the channel between the
trusted internal network and the untrusted external networks to prevent the
risks of external networks from affecting the internal network.

I
illegal use A security threat in which an unauthorized user uses the network resource.
inbound Pertaining to transmission in which data flows from a zone with lower priority
to a zone with higher priority.
information theft A security threat in which an attacker obtains important data or information
by wiretapping the network, instead of directly attacking the target
system.
IPSec The general name for a set of network security protocols, including security
protocols and encryption protocols, which provide the communicating parties
with access control, connectionless integrity, data origin
authentication, anti-replay protection, encryption, and classification and encryption of
data streams.
IRI User information that the lawful interception device intercepts, such as
the location and login time of a user.

L
lawful interception A law enforcement behavior carried out to monitor the communication
services on the public communications network, according to the related
law and the norm for the public communications network.
LIG A device used for transfer and adaptation on the interception command
issuing interface and event report interface. An LIG serves as a core of
the entire interception system and is responsible for settings of
interception services and actual interception.

N
NAT A mechanism for transforming private addresses into globally routable
addresses, which enables private networks to access public networks.
network security service The measure taken against security threats on a network.

O
outbound Pertaining to transmission in which data flows from a zone with higher priority
to a zone with lower priority.

P
packet filtering firewall A firewall that filters packets by using the ACL. See also firewall.
proxy firewall A firewall working at the application layer. It checks the requests of users,
connects to the server and forwards the request if the authentication
succeeds, and then forwards the response of the server to the user.

S
security zone A combination of multiple interfaces or user domains with the same
security attributes.
stateful firewall A firewall that monitors TCP/UDP sessions by using state tables and
forwards the packets associated with the allowed sessions. It also
analyzes the application layer state of the packets in the TCP/UDP
sessions and filters out the packets that do not match.
B Acronyms and Abbreviations
This appendix lists the acronyms and abbreviations mentioned in this manual.
Numeric
3DES Triple DES

A
AAA Authentication, Authorization and Accounting
ACL Access Control List
AH Authentication Header
ALG Application Layer Gateway
API Application Program Interface
ASPF Application Specific Packet Filter
ATM Asynchronous Transfer Mode
AUCX Audit Connection
AUEP Audit End Point

B
BICC Bearer Independent Call Control Protocol

C
CAC Call Admission Control
CAR Committed Access Rate
CCB Call Control Block

D
DES Data Encryption Standard
DF Don't Fragment
DH Diffie-Hellman
DoS Denial of Service
DPI Deep Packet Inspection

E
ESP Encapsulating Security Payload

F
FTP File Transfer Protocol

G
GRE Generic Routing Encapsulation
GSM Global System for Mobile communications

H
HTTP Hypertext Transfer Protocol
HWCC Huawei Conference Control Protocol

I
IAD Integrated Access Device
IADMS IAD Management System
IANA Internet Assigned Numbers Authority
ICMP Internet Control Message Protocol
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IKE Internet Key Exchange
ILS Internet Location Service
IP Internet Protocol
IPSec IP Security
ISAKMP Internet Security Association and Key Management Protocol
ISDN Integrated Services Digital Network
ITU International Telecommunications Union

J
JAIN Java APIs for Integrated Networks

L
L2TP Layer 2 Tunneling Protocol
LI Lawful Interception
LIG Lawful Interception Gateway

M
MAC Media Access Control
MD5 Message Digest 5
MF More Fragment
MGCP Media Gateway Control Protocol
MIB Management Information Base
MPLS Multi-Protocol Label Switching

N
NAPT Network Address Port Translation
NAT Network Address Translation
NetBIOS Network Basic Input/Output System
NGN Next Generation Network
NMS Network Management System
NTP Network Time Protocol

O
OID Object ID
OOB Out-of-Band

P
P2P Point to Point
PAT Port Address Translation
PC Personal Computer
PDU Protocol Data Unit
PFS Perfect Forward Secrecy
POS Packet Over SDH
PPTP Point-to-Point Tunneling Protocol
PSTN Public Switched Telephony Network

Q
QoS Quality of Service

R
RADIUS Remote Authentication Dial in User Service
RAS Registration, Admission and Status
RFC Request for Comments
RSA Rivest-Shamir-Adleman cryptographic algorithms
RTSP Real Time Streaming Protocol
RTCP Real-time Transport Control Protocol
RTP Real-time Transport Protocol

S
SA Security Association
SBC Session Border Controller
SDP Session Description Protocol
SHA Secure Hash Algorithm
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SPI Security Parameter Index
SSH Secure Shell
SSL Secure Sockets Layer
SSU Security Service Unit

T
TCP Transmission Control Protocol
TTL Time to Live

U
UDP User Datagram Protocol

V
VoIP Voice over IP
VPN Virtual Private Network

W
WWW World Wide Web
