Product version: V100R002C00
Issue 06
Date: 2010-01-08
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Website: http://www.huawei.com
Email: support@huawei.com
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Contents
About This Document  1
1 AAA and User Management Configuration  1-1
1.1 Introduction to AAA and User Management  1-2
1.2 AAA and User Management Features Supported by the S9300  1-2
1.3 Configuring AAA Schemes  1-4
1.3.1 Establishing the Configuration Task  1-4
1.3.2 Configuring an Authentication Scheme  1-5
1.3.3 Configuring an Authorization Scheme  1-6
1.3.4 Configuring an Accounting Scheme  1-8
1.3.5 (Optional) Configuring a Recording Scheme  1-9
1.3.6 Checking the Configuration  1-10
1.4 Configuring a RADIUS Server Template  1-10
1.4.1 Establishing the Configuration Task  1-11
1.4.2 Creating a RADIUS Server Template  1-12
1.4.3 Configuring a RADIUS Authentication Server  1-12
1.4.4 Configuring the RADIUS Accounting Server  1-12
1.4.5 Configuring a RADIUS Authorization Server  1-13
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server  1-13
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server  1-14
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server  1-15
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server  1-15
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server  1-16
1.4.11 Checking the Configuration  1-17
1.5 Configuring an HWTACACS Server Template  1-18
1.5.1 Establishing the Configuration Task  1-18
1.5.2 Creating an HWTACACS Server Template  1-19
1.5.3 Configuring an HWTACACS Authentication Server  1-19
1.5.4 Configuring the HWTACACS Accounting Server  1-20
1.5.5 Configuring an HWTACACS Authorization Server  1-20
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets  1-21
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server  1-21
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server  1-22
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server  1-23
7 PPPoE+ Configuration  7-1
7.1 PPPoE+ Overview  7-2
7.2 PPPoE+ Features Supported by the S9300  7-2
7.3 Configuring PPPoE+  7-2
7.3.1 Establishing the Configuration Task  7-2
7.3.2 Enabling PPPoE+ Globally  7-3
7.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets  7-3
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets  7-4
7.3.5 Configuring the PPPoE Trusted Interface  7-4
7.3.6 Checking the Configuration  7-5
7.4 Configuration Examples  7-5
7.4.1 Example for Configuring PPPoE+  7-5
8 MFF Configuration  8-1
8.1 MFF Overview  8-2
8.2 MFF Features Supported by the S9300  8-3
8.3 Configuring MFF  8-4
8.3.1 Establishing the Configuration Task  8-4
8.3.2 Enabling Global MFF  8-5
8.3.3 Configuring the MFF Network Interface  8-5
8.3.4 Enabling MFF in a VLAN  8-6
8.3.5 (Optional) Configuring the Static Gateway Address  8-6
8.3.6 (Optional) Enabling Timed Gateway Address Detection  8-7
8.3.7 (Optional) Setting the Server Address  8-7
8.3.8 Checking the Configuration  8-7
8.4 Configuration Examples  8-8
8.4.1 Example for Configuring MFF  8-8
11 ACL Configuration  11-1
11.1 Introduction to the ACL  11-2
11.2 Classification of ACLs Supported by the S9300  11-2
11.3 Configuring an ACL  11-3
11.3.1 Establishing the Configuration Task  11-3
11.3.2 Creating an ACL  11-4
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect  11-5
11.3.4 (Optional) Configuring the Description of an ACL  11-5
11.3.5 Configuring a Basic ACL  11-6
11.3.6 Configuring an Advanced ACL  11-6
11.3.7 Configuring a Layer 2 ACL  11-7
11.3.8 (Optional) Setting the Step of an ACL  11-8
11.3.9 Checking the Configuration  11-8
11.4 Configuring ACL6  11-9
11.4.1 Establishing the Configuration Task  11-9
11.4.2 Creating an ACL6  11-10
11.4.3 (Optional) Creating the Time Range of the ACL6  11-10
11.4.4 Configuring a Basic ACL6  11-11
11.4.5 Configuring an Advanced ACL6  11-11
11.4.6 Checking the Configuration  11-12
11.5 Configuration Examples  11-13
11.5.1 Example for Configuring a Basic ACL  11-13
11.5.2 Example for Configuring an Advanced ACL  11-16
Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting  1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization  1-45
Figure 2-1 Typical networking of NAC  2-2
Figure 2-2 Networking diagram for configuring Web authentication  2-33
Figure 2-3 Networking diagram for configuring 802.1x authentication  2-36
Figure 2-4 Networking diagram for configuring MAC address authentication  2-38
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network  3-4
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent  3-4
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack  3-32
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field  3-34
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases  3-37
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages  3-40
Figure 3-7 Networking diagram for configuring DHCP snooping  3-42
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent  3-47
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network  3-51
Figure 4-1 Networking diagram for configuring ARP security functions  4-22
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks  4-26
Figure 5-1 Diagram of IP/MAC spoofing attack  5-2
Figure 5-2 Diagram of the URPF function  5-3
Figure 5-3 Networking diagram for configuring IP source guard  5-14
Figure 5-4 Networking diagram for configuring IP source trail  5-16
Figure 5-5 Networking diagram for configuring URPF  5-17
Figure 6-1 Networking diagram for configuring the attack defense policy  6-14
Figure 7-1 Networking diagram for configuring PPPoE+  7-6
Figure 8-1 Networking diagram for configuring MFF  8-9
Figure 9-1 Networking diagram for configuring interface security  9-6
Figure 10-1 Networking diagram for configuring traffic suppression  10-5
Figure 11-1 Networking diagram for disabling URPF for the specified traffic  11-13
Figure 11-2 Networking diagram for configuring IPv4 ACLs  11-16
Figure 11-3 Networking diagram for configuring Layer 2 ACLs  11-20
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets  11-23
Tables
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes  3-5
Table 3-2 Relation between the type of attacks and the type of discarded packets  3-25
Related Versions
The following table lists the product versions related to this document.
Product Name: S9300
Version: V100R002C00
Intended Audience
This document is intended for:
- Commissioning engineer
Organization
This document is organized as follows.
Chapter:
- 2 NAC Configuration
- 7 PPPoE+ Configuration
- 8 MFF Configuration
- 11 ACL Configuration
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
- DANGER: indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
- WARNING: indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
- CAUTION: indicates a potentially hazardous situation which, if not avoided, could cause equipment damage, data loss, performance degradation, or unexpected results.
- TIP: indicates a tip that may help you solve a problem or save time.
- NOTE: provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.
- Boldface: normal text is in Times New Roman; headings and emphasized terms are in boldface.
- Italic: book titles are in italics.
- Courier New: terminal display is in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.
- Boldface: the keywords of a command line are in boldface.
- Italic: command arguments are in italics.
- [ ]: items (keywords or arguments) in brackets are optional.
- { x | y | ... }: one of the items is selected.
- [ x | y | ... ]: one item or no item is selected.
- { x | y | ... }*: a minimum of one item, up to all items, can be selected.
- [ x | y | ... ]*: several items or no item can be selected.
- &<1-n>: the parameter before the & sign can be repeated 1 to n times.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
- Boldface: buttons, menus, parameters, tabs, windows, and dialog titles are in boldface.
- >: multi-level menus are in boldface and separated by the > sign.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
- Key: press the key. For example, press Enter and press Tab.
- Key 1+Key 2: press the keys at the same time.
- Key 1, Key 2: press the keys one after the other.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.
- Click: press and release the primary mouse button without moving the pointer.
- Double-click: press the primary mouse button twice, quickly, without moving the pointer.
- Drag: press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Updated sections:
- The description of enabling strict ARP entry learning is modified: see 4.3.2 Enabling Strict ARP Entry Learning.
- The example for configuring interface security is modified: see 9.4.1 Example for Configuring Interface Security.
- 7 PPPoE+ Configuration
- 3.6 Setting the Maximum Number of DHCP Snooping Users and 3.10.7 Example for Configuring DHCP Snooping on a VPLS Network in "DHCP Snooping Configuration"
AAA
AAA provides the following types of services: authentication, authorization, and accounting.
AAA adopts the client/server model, which is easy to extend and allows user information to be managed centrally.
The S9300 provides the following authentication modes:
- Non-authentication: trusts users completely and does not check their validity. This mode is seldom used.
- Local authentication: the user name, password, and attributes of each user are configured on the S9300 itself. Local authentication is fast, but the number of users that can be stored is limited by the hardware.
- Remote authentication: the user name, password, and attributes of each user are configured on an authentication server. The S9300 acts as the client of that server, and users are authenticated remotely through the RADIUS or HWTACACS protocol.
Authorization modes on the S9300 include:
- Local authorization: users are authorized according to the attributes of their local user accounts configured on the S9300.
- If-authenticated authorization: users are authorized as soon as they pass authentication, whether local or remote.
Accounting modes on the S9300 include:
- RADIUS accounting: the S9300 sends accounting packets to the RADIUS server, which performs the accounting.
- HWTACACS accounting: the S9300 sends accounting packets to the HWTACACS server, which performs the accounting.
In the RADIUS and HWTACACS accounting modes, the S9300 generates accounting packets when a user goes online or offline and sends them to the RADIUS or HWTACACS server. The server then performs accounting based on the information in the packets, such as login time, logout time, and traffic volume.
The S9300 also supports interim accounting: while a user is online, the S9300 periodically generates accounting packets and sends them to the accounting server. If communication between the S9300 and the accounting server is interrupted, the period that goes unaccounted is limited to at most one interim interval.
The domain named default is used for common access users. By default, users in domain default are authenticated locally.
The S9300 supports up to 128 domains, including the two default domains.
Authorization attributes configured in a domain have a lower priority than those delivered by the AAA server: an attribute sent by the server is used first, and the attribute configured in the domain takes effect only when the server does not have or does not deliver that attribute. In this way you can add services flexibly through domain management, regardless of which attributes the AAA server provides.
In a RADIUS server template, you set attributes such as the IP addresses, port numbers, and shared key of the authentication server and the accounting server.
In an HWTACACS server template, you set attributes such as the IP addresses, port numbers, and shared key of the authentication server, accounting server, and authorization server.
NOTE
In RADIUS, authorization is bundled with authentication (the authorization attributes are carried in the server's Access-Accept); therefore RADIUS cannot be used as a standalone authorization mode. Where authorization has to be configured separately from authentication, use HWTACACS or local authorization.
Pre-configuration Tasks
None
Data Preparation
To configure AAA schemes, you need the following data.
NOTE
By default, local authentication is used. To let users access without being authenticated, create an authentication scheme (or modify the default scheme), set its authentication mode to none, and apply the scheme to the domain the users belong to. This disables identity checks for every user in that domain.
The authentication mode for logging in to the S9300 and the authentication mode for upgrading the user level are set separately.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
authentication-scheme scheme-name
An authentication scheme is created and the authentication scheme view is displayed.
By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted.
Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]
Or
authentication-mode none
The authentication mode is set.
NOTE
If multiple authentication modes are configured in one scheme, they are tried in the order in which they are configured. The S9300 moves on to the next mode only when the current mode is unavailable (for example, no RADIUS or HWTACACS server responds). If the current mode is available and rejects the user, no other mode is tried. Consequently, listing none last admits users without any credential check whenever every preceding mode is unavailable, and the order radius local behaves differently from local radius.
Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]
Or
authentication-super none
The authentication mode used when a user upgrades the user level is set.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
NOTE
If multiple authorization modes are configured in an authorization scheme, they take effect in the order in which they are configured. The S9300 moves on to the next authorization mode only when the current mode is unavailable; if the current mode responds and denies authorization, no other mode is tried.
Command-line authorization through HWTACACS fails in the following cases:
- The HWTACACS server works normally, but the entered command fails authorization on the server.
- The HWTACACS server is unavailable, so command-line authorization falls back to local authorization, and the level of the entered command is higher than the level configured for the user on the local end.
----End
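The fallback rule stated in the notes for the authentication scheme and the authorization scheme is easy to get wrong, so here is an added example, written for this page and not Huawei code, that models it: an ordered list of modes is walked, a mode that is unreachable is skipped, and a mode that answers (accept or reject) is final. The backends, user tables and mode names are constructed stand-ins for RADIUS, HWTACACS and the local user database; the same walk applies to authorization modes.

```python
"""Model of how an ordered AAA mode list is evaluated (added example, not Huawei code)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # server unreachable or timed out: not an answer


# A backend takes (user, password) and returns a Result.
Backend = Callable[[str, str], Result]


def local_backend(users: Dict[str, str]) -> Backend:
    """Local user table on the switch: always reachable, always answers."""
    def check(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return check


def remote_backend(users: Dict[str, str], reachable: bool) -> Backend:
    """Constructed stand-in for a RADIUS or HWTACACS server that may be down."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.UNAVAILABLE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return check


def none_backend(user: str, password: str) -> Result:
    """The 'none' mode: no check at all."""
    return Result.ACCEPT


def evaluate(modes: List[Tuple[str, Backend]], user: str, password: str) -> Tuple[str, Result]:
    """Walk the configured modes in order and return (mode that decided, result).
    Only UNAVAILABLE moves on to the next mode; ACCEPT and REJECT are final.
    If every mode is unavailable the user is not admitted."""
    for name, backend in modes:
        result = backend(user, password)
        if result is Result.UNAVAILABLE:
            continue
        return name, result
    return "", Result.UNAVAILABLE


if __name__ == "__main__":
    local = local_backend({"admin": "local-pw"})
    radius_down = remote_backend({"admin": "remote-pw"}, reachable=False)
    print(evaluate([("radius", radius_down), ("local", local)], "admin", "local-pw"))
    print(evaluate([("radius", radius_down), ("none", none_backend)], "anyone", ""))
```

The second call in the usage block is the case to watch for: with the server down, a scheme that ends in none admits any user with any password.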
Items that can be recorded include:
- System events
NOTE
The recording function can be configured only when HWTACACS is used.
Procedure
Step 1 Run:
system-view
The system view is displayed.
An HWTACACS server template is associated with the recording scheme.
By default, a recording scheme is not associated with an HWTACACS server template.
Step 5 Run:
quit
Step 6 Run:
cmd recording-scheme recording-scheme-name
The recording scheme is applied to the recording of commands.
Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display access-user command to check the summary of all online users.
----End
A RADIUS server template has default parameters, which can be changed to suit the network. You can modify a RADIUS server template only when it is not in use.
Pre-configuration Tasks
None
Data Preparation
To configure a RADIUS server template, you need the following data.
A RADIUS server template is created and the RADIUS server template view is displayed.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Setting a shared key protects the information exchanged between the S9300 and the RADIUS server: the key is used to compute and verify the packet authenticators and to hide the user password in transit. For the authenticator and the authenticated party to verify each other, the keys configured on the S9300 and on the RADIUS server must be the same. Note that display radius-server configuration shows the shared key in clear text, so restrict who can view that output.
Procedure
Step 1 Run:
system-view
A user name is in the format user name@domain name, where the characters after @ are the domain name. @ is the domain name delimiter; any of the following symbols can also be used as the delimiter: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The system view is displayed.
If the RADIUS server does not accept user names that contain the domain name, run the undo radius-server user-name domain-included command so that the domain name is removed before the user name is sent to the RADIUS server.
----End
The interval the S9300 waits for a response from the RADIUS server is set.
By default, the response timeout interval is five seconds.
If no response is received from the RADIUS server within the timeout interval, the S9300 retransmits the request.
Step 4 Run:
The number of times a request is retransmitted to the RADIUS server is set.
By default, a request is retransmitted 3 times.
After retransmitting the request the set number of times without receiving a response, the S9300 considers the RADIUS server unavailable.
----End
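The shared key (1.4.6), the timeout and retransmission parameters (1.4.9) and the NAS port format (1.4.10) all show up in a single RADIUS exchange, so here is an added example of that exchange, written for this page and not Huawei code. It builds an Access-Request with the RFC 2865 Request Authenticator, User-Password hiding and NAS-Port attribute, verifies the Response Authenticator on the reply, and retransmits the way the template parameters describe. The server is a constructed in-memory stub, the user names, passwords and keys are made up, and the function names are this example's own. The point worth seeing: a shared-key mismatch does not produce a rejection, it produces replies the NAS cannot verify, which it treats exactly like silence until the server is declared unavailable.

```python
"""RADIUS Access-Request/Accept exchange with shared-key verification and retransmission
(added example using only the Python standard library; not Huawei code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5          # RFC 2865 attribute types


def nas_port_new(slot: int, subslot: int, port: int, vlan: int) -> int:
    """NAS-Port in the 'new' format from the template section:
    slot (8 bits) + subslot (4 bits) + port (8 bits) + VLAN ID (12 bits)."""
    if not (0 <= slot < 256 and 0 <= subslot < 16 and 0 <= port < 256 and 1 <= vlan <= 4094):
        raise ValueError("NAS-Port field out of range")
    return (slot << 24) | (subslot << 20) | (port << 12) | vlan


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain value is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(ident: int, user: str, password: str, nas_port: int, secret: bytes) -> bytes:
    req_auth = os.urandom(16)                          # Request Authenticator: fresh random bytes
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


class StubRadiusServer:
    """Constructed in-memory server holding a user table and its own copy of the shared key."""
    def __init__(self, secret: bytes, users: dict, reachable: bool = True):
        self.secret, self.users, self.reachable = secret, users, reachable

    def handle(self, packet: bytes):
        if not self.reachable:
            return None                                 # request lost: the NAS sees a timeout
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], packet[20:length]
        a = parse_attrs(attrs)
        password = reveal_password(a[USER_PASSWORD], self.secret, req_auth)
        ok = self.users.get(a[USER_NAME].decode()) == password
        rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return struct.pack("!BBH", rcode, ident, 20) + response_authenticator(rcode, ident, b"", req_auth, self.secret)


def verify_response(resp: bytes, request: bytes, secret: bytes):
    """Return the response code, or None when the ID or Response Authenticator does not match.
    A key mismatch (or a forged reply) therefore looks to the NAS exactly like no reply."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, resp[20:length], request[4:20], secret)
    return code if hmac.compare_digest(resp[4:20], expected) else None


def authenticate(server: StubRadiusServer, secret: bytes, user: str, password: str,
                 nas_port: int, retransmit: int = 3):
    """NAS side: one request plus up to `retransmit` resends (the S9300 default is 3), after
    which the server is treated as unavailable. Returns (outcome, number of resends used)."""
    for attempt in range(1 + retransmit):
        req = build_access_request(attempt & 0xFF, user, password, nas_port, secret)
        resp = server.handle(req)
        code = verify_response(resp, req, secret) if resp else None
        if code == ACCESS_ACCEPT:
            return "accept", attempt
        if code == ACCESS_REJECT:
            return "reject", attempt
    return "unavailable", retransmit
```

With the page's default timeout of 5 seconds and 3 retransmissions, the "unavailable" path above corresponds to a 20-second wait per server before the authentication scheme moves on to its next mode.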
For Ethernet interfaces:
NAS port
- New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
- Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).
NAS port ID
- New format: slot=xx;subslot=xx;port=xxx;VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
- Old format: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VLAN ID (9 characters).
For ATM interfaces:
NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
NAS port ID
- New format: slot=xx;subslot=x;VPI=xxx;VCI=xxxxx, where slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
- Old format: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VPI (8 characters) + VCI (16 characters). A field shorter than its specified width is left-padded with 0s.
Procedure
Step 1 Run:
system-view
The system view is displayed.
The format of the NAS port ID used by the RADIUS server is specified.
By default, the new format of the NAS port ID is used.
----End
Procedure
- Run the display radius-server configuration command to check the configuration of all RADIUS server templates.
----End
Example
After completing the configuration of the RADIUS server template, run the display radius-server configuration command to check the configuration of all templates.
<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name            : radius
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server       : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 3
Domain-included                 : YES
-------------------------------------------------------------------
Server-template-name            : test
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : hello
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server       : 10.1.1.2; 1812; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 5
Domain-included                 : YES
-------------------------------------------------------------------
Total of radius template :2
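The display output above is the natural place to audit a template, and an auditor wants more than eyeballing: the key shown for the unconfigured template, servers left at 0.0.0.0, a missing secondary server, and timeout times retransmissions determine how long a login hangs before fallback. The following added example, written for this page and not Huawei code, parses that output into one record per template and applies such checks. The sample text is the page's own output for templates radius and test; the minimum key length and the list of keys treated as defaults are this example's assumptions.

```python
"""Parse 'display radius-server configuration' output and flag questionable settings
(added example, not Huawei code)."""
import re
from typing import Dict, List, Tuple

# The page's own display output, embedded here as constructed sample input.
SAMPLE = """\
<Quidway> display radius-server configuration
-------------------------------------------------------------------
Server-template-name            : radius
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server       : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 3
Domain-included                 : YES
-------------------------------------------------------------------
Server-template-name            : test
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : hello
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server       : 10.1.1.2; 1812; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 5
Domain-included                 : YES
-------------------------------------------------------------------
Total of radius template :2
"""

_KV = re.compile(r"^\s*([A-Za-z()\- ]+?)\s*:\s*(.*?)\s*$")

MIN_KEY_LEN = 16             # this example's policy, not a product default
DEFAULT_KEYS = {"huawei"}    # the key shown for the unconfigured 'radius' template above


def parse_templates(text: str) -> List[Dict[str, str]]:
    """Return one dict of field -> value per Server-template-name block."""
    templates: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m or line.lstrip().startswith("Total"):
            continue                       # separators, the command echo, the trailer
        key, value = m.group(1), m.group(2)
        if key == "Server-template-name":
            cur = {}
            templates.append(cur)
        if cur is not None:
            cur[key] = value
    return templates


def parse_server(field: str) -> Tuple[str, int]:
    """'10.1.1.2; 1812; LoopBack:NULL' -> ('10.1.1.2', 1812)."""
    parts = [p.strip() for p in field.split(";")]
    return parts[0], int(parts[1])


def audit(t: Dict[str, str]) -> List[str]:
    """Findings for one template; an empty list means nothing was flagged."""
    name = t.get("Server-template-name", "?")
    findings = []
    key = t.get("Shared-secret-key", "")
    if key.lower() in DEFAULT_KEYS:
        findings.append(f"{name}: shared key is the default value; replace it")
    elif len(key) < MIN_KEY_LEN:
        findings.append(f"{name}: shared key is shorter than {MIN_KEY_LEN} characters; use a long random key")
    pri_ip, pri_port = parse_server(t.get("Primary-authentication-server", "0.0.0.0; 0"))
    if pri_ip == "0.0.0.0":
        findings.append(f"{name}: no primary authentication server configured")
    sec_ip, _ = parse_server(t.get("Secondary-authentication-server", "0.0.0.0; 0"))
    if pri_ip != "0.0.0.0" and sec_ip == "0.0.0.0":
        findings.append(f"{name}: no secondary authentication server; one outage exhausts the RADIUS mode")
    acc_ip, acc_port = parse_server(t.get("Primary-accounting-server", "0.0.0.0; 0"))
    if acc_ip != "0.0.0.0" and acc_port == pri_port:
        findings.append(f"{name}: accounting server uses port {acc_port}, the authentication port; "
                        f"the standard accounting port is 1813, verify the server side")
    timeout = int(t.get("Timeout-interval(in second)", "5"))
    retrans = int(t.get("Retransmission", "3"))
    worst = timeout * (1 + retrans)        # original request plus every retransmission
    if worst > 30:
        findings.append(f"{name}: a dead server delays login by up to {worst} s before fallback")
    return findings


if __name__ == "__main__":
    for template in parse_templates(SAMPLE):
        for finding in audit(template):
            print(finding)
```

Run it against a pasted capture of the command output; the 30-second threshold for the worst-case delay is an arbitrary choice for the example.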
NOTE
The S9300 does not check whether an HWTACACS server template is in use when you modify the attributes of its servers; only deleting a server's configuration is subject to that check.
Pre-configuration Tasks
None
Data Preparation
To configure an HWTACACS server template, you need the following data.
An HWTACACS server template is created and the HWTACACS server template view is displayed.
----End
Context
Setting a shared key secures the communication between the S9300 and an HWTACACS server. For the authenticator and the authenticated party to verify each other, the shared keys configured on the S9300 and on the HWTACACS server must be identical.
Procedure
Step 1 Run:
system-view
A user name is in the format user name@domain name, where the character string after "@" is the domain name. @ is the domain name delimiter; any of the following symbols can also be used as the delimiter: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The system view is displayed.
If an HWTACACS server does not accept user names that contain the domain name, run the undo hwtacacs-server user-name domain-included command so that the domain name is removed before the user name is sent to the HWTACACS server.
----End
The timeout interval for an HWTACACS server to send response packets is set.
By default, the timeout interval for an HWTACACS server to send response packets is five
seconds.
If the S9300 receives no response from an HWTACACS server within the timeout interval, it
considers the HWTACACS server unavailable and falls back to the other configured
authentication or authorization modes.
Step 4 Run:
hwtacacs-server timer quiet value
The time taken to restore an HWTACACS server to the active state is set.
By default, the time taken by the primary HWTACACS server to restore to the active state is
five minutes.
----End
Procedure
Step 1 Run:
system-view
Procedure
----End
Example
After completing the configurations of the HWTACACS server template, you can run the
display hwtacacs-server template [ template-name ] command to view the configuration of
the template.
Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:
Data Preparation
To configure a service scheme, you need the following data.
No.
Data
Service scheme
Administrator level
User priority
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
The administrator is enabled to log in to the S9300 and the administrator level is set.
The value of level ranges from 0 to 15. If this command is not run, the administrator level is
displayed as 16, which is invalid.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service
scheme.
----End
Example
Run the display service-scheme command to view all the information about the service scheme.
<Quidway> display service-scheme
------------------------------------------------------------------
service-scheme-name                 scheme-index
------------------------------------------------------------------
svcscheme1                          0
svcscheme2                          1
------------------------------------------------------------------
Total of service scheme: 2
Run the display service-scheme name svcscheme1 command to view the configuration of
service scheme svcscheme1.
<Quidway> display service-scheme name svcscheme1
service-scheme-name           : svcscheme1
service-scheme-primary-dns    :
service-scheme-secondry-dns   :
service-scheme-uppriority     : 0
service-scheme-downpriority   : 0
service-scheme-adminlevel     : 16
service-scheme-dhcpgroup      :
service-scheme-flowstatup     : false
service-scheme-flowstatdown   : false
Idle-data-attribute(time,rate): <0,60>
Applicable Environment
To perform authentication and authorization for a user logging in to the S9300, you need to
configure a domain.
NOTE
The modification of a domain takes effect next time a user logs in.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
Data Preparation
To configure a domain, you need the following data.
No.
Data
The S9300 has two default domains: default and default_admin. Domain default is used for
common access users, and domain default_admin is used for administrators.
The S9300 supports up to 128 domains, including the two default domains.
----End
Postrequisite
After creating a domain, you can run the domain domain-name [ admin ] command in the system
view to configure the domain as the global default domain. The access users whose domain
names cannot be obtained are added to this domain.
If you do not run the domain domain-name [ admin ] command, the S9300 adds the common
users and administrators whose domain names cannot be obtained to domains default and
default_admin respectively.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Procedure
Step 1 Run:
system-view
Procedure
Run the display domain [ name domain-name ] command to check the configuration of
the domain.
----End
Example
After the configuration, you can run the display domain command to view the summary of all
domains.
<Quidway> display domain
------------------------------------------------------------------------
DomainName                      index
------------------------------------------------------------------------
default                         0
default_admin                   1
huawei                          2
------------------------------------------------------------------------
Total: 3
Run the display domain [ name domain-name ] command, and you can view the configuration
of a specified domain.
<Quidway> display domain name huawei
Domain-name                   : huawei
Domain-state                  : Active
Authentication-scheme-name    : scheme0
Accounting-scheme-name        : default
Authorization-scheme-name     :
Service-scheme-name           :
RADIUS-server-group           :
Accounting-copy-RADIUS-group  :
Hwtacacs-server-template      : -
Applicable Environment
You can create a local user on the S9300, configure attributes of the local user, and perform
authentication and authorization for users logging in to the S9300 according to information about
the local user.
Pre-configuration Tasks
None
Data Preparation
To configure local user management, you need the following data.
No.
Data
If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can
access; otherwise, the FTP user cannot log in.
Procedure
Step 1 Run:
system-view
If the local user is in active state, the S9300 receives the authentication request of this user
for further processing.
If the local user is in blocking state, the S9300 rejects the authentication request of this user.
----End
Procedure
Step 1 Run:
system-view
By default, the level of a local user is determined by the management module. For example,
there is a user level in the user interface view. If a user level is not set, the user level is 0.
NOTE
You can run the user-interface command in the system view to enter the user interface view. For details
on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit
Routing Switch Command Reference.
----End
Procedure
Run the display local-user [ username user-name ] command to check the attributes of
the local user.
----End
Example
After completing the configuration of local user management, you can run the display local-user
command to view brief information about the attributes of local users.
<Quidway> display local-user
---------------------------------------------------------------------------
No.   User-Name   State   AuthMask   AdminLevel
---------------------------------------------------------------------------
0     lsj         A       A          -
---------------------------------------------------------------------------
Total 1 user(s)
Run the display local-user [ username user-name ] command, and you can view detailed
information about a specified user.
<Quidway> display local-user username lsj
The contents of local user :
Password        : hello
State           : Active
Auth-Type-Mask  : A
Admin-level     :
Idle-Cut        : No
FTP-directory   :
Access-Limit    : No
Accessed-Num    : 0
CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the
command.
Run the following command in the user view to clear the statistics.
Procedure
----End
Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter  : @
Domain                 : total: 128   used: 5
Authentication-scheme  : total: 128   used: 1
Accounting-scheme      : total: 128   used: 3
Authorization-scheme   : total: 128   used: 1
Service-scheme         : total: 128   used: 0
1.9.3 Debugging
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a running fault occurs on the RADIUS or HWTACACS server, run the debugging
commands in the user view to locate the fault.
Procedure
Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.
----End
The RADIUS server performs authentication and accounting for access users.
The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting
server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and
accounting server. The default authentication port and accounting port are 1812 and 1813
respectively.
Figure: networking diagram showing S9300-A and S9300-B, the RADIUS servers 129.7.66.66/24 and 129.7.66.67/24, and the destination network.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Apply the RADIUS server template, the authentication scheme, and the accounting scheme to the domain.
Data Preparation
To complete the configuration, you need the following data:
Name of the authentication scheme, authentication mode, name of the accounting scheme,
and accounting mode
IP addresses, authentication and accounting port numbers of the primary and secondary
RADIUS servers
NOTE
Procedure
Step 1 Configure a RADIUS server template.
# Configure the RADIUS template named shiva.
<Quidway> system-view
[Quidway] radius-server template shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication and
accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813
# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting
servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Set the key and retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit
# Configure accounting scheme 1, with the accounting mode set to RADIUS.
[Quidway-aaa] accounting-scheme 1
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit
Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and
RADIUS template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva
shiva
standard
B
3MQ*TZ,O3KCQ=^Q`MAF4<1!!
5
Primary-authentication-server : 129.7.66.66; 1812; LoopBack:NULL
Primary-accounting-server : 129.7.66.66; 1813; LoopBack:NULL
Secondary-authentication-server : 129.7.66.67; 1812; LoopBack:NULL
Secondary-accounting-server : 129.7.66.67; 1813; LoopBack:NULL
Retransmission : 2
Domain-included : YES
-------------------------------------------------------------------
----End
Configuration Files
#
sysname Quidway
#
radius-server template shiva
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary
radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
#
aaa
authentication-scheme default
authentication-scheme 1
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme 1
accounting-mode radius
domain default
domain default_admin
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server shiva
#
return
Access users are first authenticated locally. If local authentication fails, the HWTACACS
server is used to authenticate them.
HWTACACS authentication is required before the level of an access user is raised. If the
HWTACACS server does not respond, local authentication is performed instead.
The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary
HWTACACS server is 129.7.66.67/24. The port number of the server for authentication,
accounting, and authorization is 49.
Figure: networking diagram showing S9300-A and S9300-B, the HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24, and the destination network.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
IP addresses, authentication port numbers, authorization port numbers, and accounting port
numbers of the primary and secondary HWTACACS servers
Procedure
Step 1 Configure an HWTACACS server template.
# Configure an HWTACACS server template named ht.
<Quidway> system-view
[Quidway] hwtacacs-server template ht
# Configure the IP address and port number of the primary HWTACACS server for
authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP address and port number of the secondary HWTACACS server for
authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit
# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
Step 3 Create a domain huawei and apply the authentication scheme l-h, the HWTACACS
authentication scheme, the HWTACACS accounting scheme, and the HWTACACS template
ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit
Run the display domain command on S9300-B, and you can see that the configuration of the
domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                   : huawei
Domain-state                  : Active
Authentication-scheme-name    : l-h
Accounting-scheme-name        : hwtacacs
Authorization-scheme-name     : hwtacacs
Service-scheme-name           :
RADIUS-server-group           :
Accounting-copy-RADIUS-group  :
Hwtacacs-server-template      : ht
----End
Configuration Files
#
sysname Quidway
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
domain default
domain default_admin
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
#
return
2 NAC Configuration
Figure 2-1: NAC networking, showing the user, the NAD (S9300), the ACS, and the remediation, AAA, directory, and PVS & audit servers.
As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes
the following parts:
User: Access users who need to be authenticated. If 802.1x is adopted for user
authentication, users need to install client software.
NAD: Network access devices, including routers and switches (hereinafter referred to as
the S9300), which authenticate and authorize users. The NAD works with the AAA server
to prevent unauthorized terminals from accessing the network, minimize the threat posed
by insecure terminals, prevent unauthorized access requests from authorized terminals,
and thus protect core resources.
ACS: Access control server that checks terminal security and health, manages policies
and user behaviors, audits rule violations, strengthens behavior auditing, and prevents
malicious damage from terminals.
server. Users can access network resources only after passing the authentication. Users that do
not pass the authentication can only access the specified site server. When a user enters its user
name and password on the Web page, the Portal protocol is used to authenticate the user. This
process is Web authentication.
The portal protocol enables Web servers to communicate with other devices. It is based on the
client/server model and uses the User Datagram Protocol (UDP) as its transport protocol. In Web
authentication, the Web authentication server and the S9300 communicate with each other through
the portal protocol, with the S9300 acting as the client. When the Web authentication server obtains
the user name and password entered by the user on the authentication page, it transfers them to the
S9300 through the portal protocol.
Authentication mode based on the access interface: Other users can access network
resources without authentication when the first user under the interface is successfully
authenticated. But other users are disconnected when the first user goes offline.
Authentication mode based on the MAC address: Every access user under the interface needs
to be authenticated.
EAP termination mode: The network access device terminates EAP packets, obtains the
user name and password from the packets, encrypts the password, and sends the user name
and password to the AAA server for authentication.
EAP transparent transmission authentication: Also called EAP relay authentication. The
network access device directly encapsulates authentication information about 802.1x users
and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS
server. Therefore, the EAP packets do not need to be converted to the RADIUS packets
before they are sent to the RADIUS server.
sends the MAC address of the user, which is considered to be the user name and password of
the user, to the AAA server for authentication.
Web authentication
Pre-configuration Tasks
Web authentication is only an implementation scheme to authenticate the user identity. To
complete the user identity authentication, you need to select the RADIUS or local authentication
method. Before configuring Web authentication, complete the following tasks:
Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes,
that is, RADIUS or local authentication schemes, for the user
Configuring the user name and password on the RADIUS server if RADIUS authentication
is used
Adding the user name and password manually on the S9300 if local authentication is used
Data Preparation
To configure Web authentication, you need the following data.
No.
Data
Authentication-free rule ID
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
After opening the HTTP browser, the user is forcibly re-directed to the authentication page
of the Web authentication server. The free rule is mandatory if the Web authentication is
adopted.
Some special users need to access certain resources when they fail to pass the
authentication.
Procedure
Step 1 Run:
system-view
Context
When the RADIUS server is adopted to authenticate users, do as follows if the user authentication
information returned by the RADIUS server needs to be sent to the Web authentication server.
Procedure
Step 1 Run:
system-view
The device is configured to send the reply message for user authentication to the Web
authentication server.
By default, the S9300 sends the reply message for user authentication to the Web authentication
server.
----End
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
Context
Do as follows to configure the port number for the S9300 to receive portal packets when the
S9300 communicates with the Web server. The port number must be consistent with the
destination port number contained in the packets sent by the Web authentication server and is
globally unique.
Procedure
Step 1 Run:
system-view
The number of the port that listens for portal packets is configured.
By default, the port number that listens to portal packets is 2000.
----End
Procedure
Step 1 Run:
system-view
Procedure
----End
Example
# View the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
Web-auth-server Name  : servera
IP-address            : 100.1.1.114
Shared-key            :
Port / PortFlag       : 10 / NO
URL                   :
-----------------------------------------------------------------------
1 Web authentication server(s) in total
Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To
complete the user identity authentication, you need to select the RADIUS or local authentication
method. Before configuring 802.1x authentication, complete the following tasks:
Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local
authentication schemes, for the 1x user
Configuring the user name and password on the RADIUS server if RADIUS authentication
is used
Adding the user name and password manually on the S9300 if local authentication is used
Data Preparation
None.
Procedure
Step 1 Run:
system-view
CAUTION
If 802.1x is enabled on the interface, MAC address authentication or direct authentication cannot
be enabled on the interface. If MAC address authentication or direct authentication is enabled
on the interface, 802.1x cannot be enabled on the interface.
You can enable 802.1x on an interface in the following ways.
Procedure
Run:
system-view
Run:
dot1x interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x
Procedure
Run:
system-view
Run:
dot1x mac-bypass interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x mac-bypass enable
If 802.1x authentication has been enabled, the authentication mode is changed from
802.1x authentication to MAC address bypass authentication on the interface after you
run the dot1x mac-bypass enable command.
To disable MAC address bypass authentication, run the undo dot1x command. Note that
802.1x functions are disabled.
----End
Procedure
Step 1 Run:
system-view
The Password Authentication Protocol (PAP) uses the two-way handshake mechanism and
sends the password in plain text.
The Challenge Handshake Authentication Protocol (CHAP) uses the three-way handshake
mechanism. It transmits only the user name but not the password on the network; therefore,
compared with PAP authentication, CHAP authentication is more secure and reliable and
protects user privacy better.
PAP authentication and CHAP authentication are two kinds of termination authentication
methods and EAP authentication is a kind of relay authentication method.
CAUTION
If local authentication is adopted, you cannot use the EAP authentication for 802.1x users.
----End
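The PAP and CHAP termination exchanges described above, modelled as an added example that is not part of the Huawei guide: each function records the messages exchanged between the client and the authenticator so that the difference in what reaches the wire can be checked. The CHAP response value follows RFC 1994 (MD5 over identifier, secret and challenge); USER_DB and the function names are this example's own constructions.

```python
"""Added example, not part of the Huawei guide: a minimal model of the PAP and
CHAP exchanges of 802.1x termination mode, recording what each one puts on the
wire between the client and the authenticator."""
import hashlib
import hmac
import os

# Constructed credential store standing in for the local user database or the
# AAA server. CHAP obliges the verifier to hold the clear-text secret.
USER_DB = {"alice": "S3cret!"}


def pap_exchange(username, password):
    """PAP two-way handshake: the request itself carries the password."""
    request = {"code": "Authenticate-Request", "peer_id": username,
               "password": password}
    ok = USER_DB.get(username) == password
    reply = {"code": "Authenticate-Ack" if ok else "Authenticate-Nak"}
    return ok, [request, reply]


def chap_hash(identifier, secret, challenge):
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(username, password, challenge=None, identifier=1):
    """CHAP three-way handshake: Challenge -> Response(name, hash) -> Success/Failure.
    Only the name, the challenge and the hash travel on the wire. Note that a
    captured challenge/response pair can still be tested offline against
    password guesses, so CHAP is safer than PAP, not a replacement for strong
    passwords or a protected link."""
    if challenge is None:
        challenge = os.urandom(16)          # authenticator picks a fresh challenge
    msg1 = {"code": "Challenge", "id": identifier, "value": challenge}
    response = chap_hash(identifier, password, challenge)   # computed by the client
    msg2 = {"code": "Response", "id": identifier, "value": response,
            "name": username}
    stored = USER_DB.get(username)
    ok = stored is not None and hmac.compare_digest(
        chap_hash(identifier, stored, challenge), response)
    msg3 = {"code": "Success" if ok else "Failure", "id": identifier}
    return ok, [msg1, msg2, msg3]


def password_on_wire(messages, password):
    """True if the clear-text password appears in any captured message field."""
    needle = password.encode()
    for msg in messages:
        for value in msg.values():
            blob = value if isinstance(value, bytes) else str(value).encode()
            if needle in blob:
                return True
    return False


if __name__ == "__main__":
    ok, wire = pap_exchange("alice", "S3cret!")
    print("PAP ok:", ok, "password visible on wire:", password_on_wire(wire, "S3cret!"))
    ok, wire = chap_exchange("alice", "S3cret!")
    print("CHAP ok:", ok, "password visible on wire:", password_on_wire(wire, "S3cret!"))
```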
MAC mode: The MAC address of each device connected to the interface must pass
authentication to access the network.
You can configure the access mode of an interface in the following ways.
Procedure
Run:
system-view
Run:
dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x port-method { mac | port }
CAUTION
If the dot1x port-method { mac | port } command is run to change the access control
mode of an interface when an online 802.1x user exists, the online user is disconnected
forcibly.
----End
Procedure
Run:
system-view
Run:
dot1x port-control { auto | authorized-force | unauthorized-force }
interface { interface-type interface-number1 [ to interface-number2 ] }
&<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x port-control { auto | authorized-force | unauthorized-force }
auto: An interface is initially in unauthorized state and sends and receives only EAPoL
packets. Therefore, users cannot access network resources. If a user passes the
authentication, the interface is in authorized state and allows users to access network
resources.
----End
Procedure
Run:
system-view
Run:
dot1x max-user user-number interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x max-user user-number
CAUTION
If the number of users already existing on the interface is greater than the maximum number
that you set, all the users are disconnected from the interface.
The maximum number of NAC access users allowed by the S9300 depends on the S9300 model.
The specification is 8192 multiplied by the number of LPU slots.
----End
Procedure
Step 1 Run:
system-view
Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user
authentication.
By default, DHCP packets do not trigger authentication.
After you run the dot1x dhcp-trigger enable command, users cannot obtain IP addresses
through DHCP if they do not pass the authentication.
----End
Procedure
Step 1 Run:
system-view
client-timeout: Authentication timeout timer of the client. By default, the timeout timer is
30s.
handshake-period: Interval of handshake packets from the S9300 to the 802.1X client. By
default, the handshake interval is 15s.
quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.
server-timeout: Timeout timer of the authentication server. By default, the timeout timer of
the authentication server is 30s.
tx-period: Interval for sending authentication requests. By default, the interval for sending
the authentication request packets is 30s.
The dot1x timer command only sets the values of the timers, and you need to enable the
corresponding timers by running commands or adopting the default settings.
----End
Procedure
Step 1 Run:
system-view
During the quiet period, the S9300 discards the 802.1x authentication request packets from the
user. You can run the dot1x timer command to set the quiet period. For details, see .
----End
Procedure
Run:
system-view
Run:
dot1x reauthenticate interface { interface-type interface-number1 [ to
interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x reauthenticate enable
Context
When the guest VLAN is enabled, the S9300 sends authentication request packets to all the
interfaces on which 802.1x is enabled. If an interface returns no response by the time the
maximum number of re-authentication attempts is reached, the S9300 adds this interface to the
guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without
802.1x authentication, but authentication is still required when such users access external
resources. In this way certain resources are made available to users without authentication.
NOTE
The configured guest VLAN cannot be the default VLAN of the interface.
Procedure
Run:
system-view
Run:
dot1x guest-vlan vlan-id interface { interface-type interface-number1
[ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
dot1x guest-vlan vlan-id
If the client does not support the handshake function, the S9300 will not receive handshake
response packets within the handshake interval. In this case, you need to disable the user
handshake function to prevent the S9300 from disconnecting users by mistake.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.
----End
Example
View the information about 802.1x authentication on GE 1/0/0.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Max online user is 8192
Current online user is 2
Guest VLAN is disabled
Authentication Success: 1    Failure: 11
EAPOL Packets: TX : 24    RX : 4
Sent     EAPOL Request/Identity Packets  : 11
         EAPOL Request/Challenge Packets : 1
         Multicast Trigger Packets       : 0
         DHCP Trigger Packets            : 0
         EAPOL Success Packets           : 1
         EAPOL Failure Packets           : 11
Received EAPOL Start Packets            : 2
         EAPOL LogOff Packets            : 0
         EAPOL Response/Identity Packets : 1
         EAPOL Response/Challenge Packets: 1

Index   MAC/VLAN              UserOnlineTime        UserName
16514   0000-0002-2347/800    2009-06-09 19:10:40   000000022347
16523   001e-90aa-e855/800    2009-06-09 19:14:43   abc@huawei
Controlled User(s) amount to 2 , print number:2.
Pre-configuration Tasks
MAC address authentication is only an implementation scheme to authenticate the user identity.
To complete the user identity authentication, you need to select the RADIUS or local
authentication method. Before configuring MAC address authentication, complete the following
tasks:
Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local
authentication schemes, for the 802.1x user.
Configuring the user name and password on the RADIUS server if RADIUS authentication
is used.
Adding the user name and password manually on the S9300 if local authentication is used.
Data Preparation
To configure MAC address authentication, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Running this command is equivalent to enabling global MAC address authentication. Related
configurations of MAC address authentication take effect only after MAC address authentication
is enabled.
By default, MAC address authentication is disabled globally.
----End
CAUTION
If MAC address authentication is enabled on the interface, 802.1x authentication or direct
authentication cannot be enabled on the interface. If 802.1x or direct authentication is enabled
on the interface, MAC address authentication cannot be enabled on the interface.
You can enable MAC address authentication on an interface in the following ways.
Procedure
Run:
system-view
Run:
mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
mac-authen
You must ensure that no online user exists before disabling MAC address authentication
by the undo mac-authen command.
----End
CAUTION
If direct authentication is enabled on an interface, 802.1x authentication and MAC address
authentication cannot be enabled on the interface. If 802.1x authentication or MAC address
authentication is enabled on the interface, direct authentication cannot be enabled on the
interface.
You can enable direct authentication in the following ways.
Procedure
Step 1 In the system view:
1.
Run:
system-view
Run:
direct-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
Run:
system-view
Run:
interface { ethernet | gigabitethernet } interface-number
Run:
direct-authen enable
The configuration on an interface is valid only for the specified interface. The user name
configured on an interface takes precedence over the user name configured globally. If the
user name is not configured on an interface, the globally configured user name is used.
Configuring a fixed user name for a user that uses MAC address authentication
Procedure
• In the system view:
  1. Run:
     system-view
  2. Run:
     mac-authen username fixed
     The S9300 is configured to use a fixed user name for a user that uses MAC address
     authentication.
  3. Run:
     mac-authen username username
     Run:
     mac-authen password password
Configuring a MAC address as a user name for a user that uses MAC address authentication
• In the system view:
  1. Run:
     system-view
  2. Run:
     mac-authen username macaddress
     Users that use MAC address authentication are configured to use their MAC addresses
     as their user names.
  3. (Optional) Run:
     mac-authen username macaddress [ format { with-hyphen | without-hyphen } ]
• In the interface view:
  Run:
  system-view
  Run:
  interface { ethernet | gigabitethernet } interface-number
  Run:
  mac-authen username { fixed user-name [ password password ] | macaddress format { with-hyphen | without-hyphen } }
  The format of the user name used for MAC address authentication on the interface is
  configured.
----End
Before configuring the authentication domain for the user who uses MAC address authentication, you need
to confirm that a domain is available. Otherwise, the system displays an error message during the
configuration.
The domain for which MAC address authentication is used can be configured globally and on
an interface.
•
The configuration on an interface is valid only for the specified interface. The domain
configured on an interface takes precedence over the domain configured globally. If the
domain is not configured on an interface, the globally configured domain is used.
Procedure
• In the system view:
  1. Run:
     system-view
  2. Run:
     mac-authen domain isp-name
     A domain name is configured for users who use MAC address authentication.
• In the interface view:
  Run:
  system-view
  Run:
  interface { ethernet | gigabitethernet } interface-number
  Run:
  mac-authen domain isp-name
  A domain name is configured for users who use MAC address authentication on the interface.
  The default authentication domain is the domain named default.
----End
• offline-detect: offline-detect timer, which sets the interval at which the S9300 checks whether
  a user has gone offline. By default, the offline-detect timer is 300s.
• quiet-period: quiet timer. After a user fails authentication, the S9300 waits for this period
  before processing further authentication requests from that user; during the quiet period,
  authentication requests from the user are not processed. By default, the quiet timer is 60s.
  The quiet timer bounds the load that a repeatedly failing MAC address can place on the
  RADIUS server.
• server-timeout: server timeout timer. During authentication, if the connection between the
  S9300 and the RADIUS server times out, the authentication fails. By default, the server
  timeout timer is 30s.
----End
The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN
of the interface.
Procedure
• In the system view:
  Run:
  system-view
  Run:
  mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
• In the interface view:
  Run:
  system-view
  Run:
  interface { ethernet | gigabitethernet } interface-number
  Run:
  mac-authen guest-vlan vlan-id
Context
When the number of access users on an interface reaches the limit, the S9300 does not trigger
authentication for users that connect to the interface later; therefore, these users cannot
access the network.
You can configure the maximum number of access users who adopt MAC address authentication
in the following ways.
Procedure
• In the system view:
  Run:
  system-view
  Run:
  mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
  The maximum number of access users who adopt MAC address authentication is set
  on the interfaces.
  You can configure the maximum number of access users of interfaces in batches by
  specifying the interface list in the mac-authen max-user command in the system
  view.
• In the interface view:
  Run:
  system-view
  Run:
  interface { ethernet | gigabitethernet } interface-number
  Run:
  mac-authen max-user user-number
  The maximum number of access users who adopt MAC address authentication on the
  interface is set.
By default, the maximum number of access users who adopt MAC address authentication
on an interface of the S9300 is 8192.
The maximum number of NAC access users allowed by the S9300 depends on the S9300 model:
the specification is 8192 multiplied by the number of LPU slots.
Set the limit close to the number of hosts actually expected on an access port: with the
per-interface default, a single port can consume an entire LPU slot's share of the NAC user quota.
----End
Context
If re-authentication of a user with the specified MAC address is enabled, the online user is
re-authenticated periodically. If the user passes re-authentication, the user is re-authorized;
otherwise, the user goes offline.
You can run the mac-authen timer command to set the re-authentication interval. For details,
see 2.5.7 (Optional) Setting the Timers of MAC Address Authentication.
Procedure
Step 1 Run:
system-view
Procedure
• Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
----End
Example
View information about MAC address authentication on GE 1/0/1.
<Quidway> display mac-authen interface gigabitethernet 1/0/1
 GigabitEthernet1/0/1 current state : UP
 MAC address authentication is Enabled
 Max online user is 8192
 Current online user is 1
 Guest VLAN is disabled
 Authentication Success: 1, Failure: 0
 Index   MAC/VLAN             UserOnlineTime
 16400   00e0-fc33-0011/15    2009-05-18 09:21:55
 Controlled User(s) amount to 1
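The following Python script is an added example, not part of the Huawei document. It parses the display mac-authen interface output above into a structure that a monitoring job can assert on, renders a MAC address in the with-hyphen and without-hyphen user-name formats selected by the mac-authen username macaddress format command, and flags an interface whose max-user limit exceeds a local policy. The sample output is the one shown above, embedded inline; the user-name renderings (xxxx-xxxx-xxxx with hyphens, the twelve hex digits run together without), the policy limit and the failure-ratio rule are assumptions of the example, not statements of the page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the `display mac-authen interface gigabitethernet 1/0/1`
# output shown above, embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
GigabitEthernet1/0/1 current state : UP
MAC address authentication is Enabled
Max online user is 8192
Current online user is 1
Guest VLAN is disabled
Authentication Success: 1, Failure: 0
Index   MAC/VLAN             UserOnlineTime
16400   00e0-fc33-0011/15    2009-05-18 09:21:55
Controlled User(s) amount to 1
"""


@dataclass(frozen=True)
class OnlineUser:
    index: int
    mac: str          # as printed by the switch: xxxx-xxxx-xxxx
    vlan: int
    online_since: str


@dataclass
class MacAuthenStatus:
    interface: str = ""
    state: str = ""
    enabled: bool = False
    max_users: int = 0
    current_users: int = 0
    guest_vlan: str = ""
    success: int = 0
    failure: int = 0
    users: List[OnlineUser] = field(default_factory=list)


# One line per online user: "<index> <mac>/<vlan> <yyyy-mm-dd hh:mm:ss>"
USER_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_mac_authen(text: str) -> MacAuthenStatus:
    """Parse `display mac-authen interface ...` output into a MacAuthenStatus."""
    status = MacAuthenStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^(\S+) current state : (\S+)$", line):
            status.interface, status.state = m.group(1), m.group(2)
        elif m := re.match(r"^MAC address authentication is (\w+)$", line):
            status.enabled = m.group(1).lower() == "enabled"
        elif m := re.match(r"^Max online user is (\d+)$", line):
            status.max_users = int(m.group(1))
        elif m := re.match(r"^Current online user is (\d+)$", line):
            status.current_users = int(m.group(1))
        elif m := re.match(r"^Guest VLAN is (.+)$", line):
            status.guest_vlan = m.group(1)
        elif m := re.match(r"^Authentication Success: (\d+), Failure: (\d+)$", line):
            status.success, status.failure = int(m.group(1)), int(m.group(2))
        elif m := USER_RE.match(line):
            status.users.append(
                OnlineUser(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return status


def mac_username(mac: str, with_hyphen: bool) -> str:
    """User name the switch would send for `mac-authen username macaddress`.

    Assumed rendering (not stated on the page): with-hyphen gives xxxx-xxxx-xxxx,
    without-hyphen gives the twelve hex digits run together, lower-case either way.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if with_hyphen:
        return "-".join(digits[i:i + 4] for i in (0, 4, 8))
    return digits


def audit(status: MacAuthenStatus, max_users_policy: int) -> List[str]:
    """Flag settings a reviewer would not want on a user-facing interface.

    The policy limit and the failure-ratio rule are assumptions for this example.
    """
    findings = []
    if not status.enabled:
        findings.append(f"{status.interface}: MAC address authentication is not enabled")
    if status.max_users > max_users_policy:
        findings.append(f"{status.interface}: max-user {status.max_users} exceeds policy "
                        f"{max_users_policy}")
    if status.failure > status.success:
        findings.append(f"{status.interface}: more failures than successes, check the RADIUS log")
    return findings


if __name__ == "__main__":
    st = parse_mac_authen(SAMPLE_OUTPUT)
    for u in st.users:
        print(u.mac, "->", mac_username(u.mac, with_hyphen=False))
    print(audit(st, max_users_policy=100))
```

Run it over the saved output of display mac-authen from each access interface. Because a MAC address is the only credential this method has, the online-user list is also where to look for addresses that should never appear on a user port.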
CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run
the following commands.
After you confirm to reset the statistics, do as follows in user view.
Procedure
• Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.
----End
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a fault occurs during 802.1x authentication, run the following debugging commands in
the user view to locate the fault.
Procedure
• Run the debugging dot1x { all | error | event | info | message | packet } command to
  enable debugging of 802.1x authentication packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a fault occurs during MAC address authentication, run the following debugging
commands in the user view to locate the fault.
Procedure
• Run the debugging mac-authen { all | error | event | info | message | packet } command
  to enable debugging of MAC address authentication packets.
----End
Networking Requirements
As shown in Figure 2-2, the requirements are as follows:
• The user interacts with the Web authentication server through the S9300.
• The user can access only the Web authentication server before authentication.
• After passing the Web authentication, the user can access the external network.
[Figure 2-2 networking diagram; labels recovered from the figure: User, GE1/0/0, VLANIF 10 192.168.1.10, S9300, GE 1/0/1, GE 1/0/2, VLAN 20, VLANIF 20 192.168.2.10, RADIUS server 192.168.2.30, GE 2/0/0, Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4. Configure a domain.
5.
Data Preparation
To complete the configuration, you need the following data:
• Key of the RADIUS server (hello) and the retransmission count (2)
NOTE
In this example, only the configuration of the S9300 is provided, and the configurations of the Web server
and RADIUS server are omitted.
Procedure
Step 1 Set the IP address of the Layer 3 interface connected to the user.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] port default vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.10 24
[Quidway-Vlanif10] quit
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
Step 3 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 4 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
# Configure a free rule so that the user can reach the Web authentication server and be
redirected to the Web authentication page when the user starts the Web browser.
[Quidway] portal free-rule 20 destination ip 192.168.2.20 mask 24 source any
Run the display web-auth-server configuration command on the S9300 to view the
configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled
  -----------------------------------------------------------------------
  Web-auth-server Name  : isp1
  IP-address            : 192.168.2.20
  Shared-key            : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
  Port / PortFlag       : 50100 / NO
  URL                   : www.isp1.com
  -----------------------------------------------------------------------
  1 Web authentication server(s) in total
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
web-auth-server isp1 192.168.2.20 port 50100 url www.isp1.com
portal free-rule 20 destination ip 192.168.2.20 mask 255.255.255.0 source any
#
radius-server template rd1
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme web1
authentication-mode radius
domain isp1
authentication-scheme web1
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
 web-auth-server isp1
#
interface GigabitEthernet1/0/0
port link-type access
port default vlan 10
#
return
802.1x authentication is performed for the user connected to GE 1/0/0 to control the user's
access to the Internet. The default access control mode is adopted, that is, the S9300 controls
access of the user based on the MAC address of the user.
MAC address bypass authentication is performed for the printer connected to GE 1/0/0.
[Networking diagram; labels recovered from the figure: User, Printer, GE 1/0/0, S9300, GE 2/0/1, VLANIF 20 192.168.2.10, GE 2/0/0, Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Configure a domain.
4.
Data Preparation
To complete the configuration, you need the following data:
• Key of the RADIUS server (hello) and the retransmission count (2)
In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server
is omitted.
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
----End
Configuration Files
#
sysname Quidway
#
dot1x
#
radius-server template rd1
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme web1
authentication-mode radius
domain isp1
authentication-scheme web1
radius-server rd1
#
interface GigabitEthernet1/0/0
dot1x mac-bypass
dot1x max-user 100
#
return
• Authentication is performed for the user connected to GE 1/0/0 to control the user's access
  to the Internet.
• The default user name format is used, that is, the MAC address without hyphens is
  used as the user name in authentication.
[Networking diagram; labels recovered from the figure: User, GE 1/0/0, S9300, GE 2/0/1, VLANIF 20 192.168.2.10, GE 2/0/0, Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Configure the domain of the users that use MAC address authentication.
4.
Data Preparation
To complete the configuration, you need the following data:
• Key of the RADIUS server (hello) and the retransmission count (2)
In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server
is omitted.
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
# Specify domain isp1 as the domain of the users that use MAC address authentication.
[Quidway] mac-authen domain isp1
----End
Configuration Files
#
sysname Quidway
#
mac-authen
 mac-authen domain isp1
#
radius-server template rd1
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 192.168.2.30 1812
radius-server retransmit 2
#
aaa
authentication-scheme web1
authentication-mode radius
domain isp1
authentication-scheme web1
radius-server rd1
#
interface GigabitEthernet1/0/0
mac-authen
mac-authen max-user 100
#
return
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2
network
[Figure 3-1; labels recovered from the figure: L3 network, Trusted, DHCP relay, Untrusted, S9300, DHCP server, L2 network, User network]
Applying DHCP Snooping on the S9300 That Functions as the DHCP Relay Agent
The S9300 provides Layer 3 routing functions and can function as the DHCP relay agent on a
network. As shown in Figure 3-2, the S9300 that is enabled with DHCP snooping functions as
the DHCP relay agent.
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as
the DHCP relay agent
[Figure 3-2; labels recovered from the figure: L3 network, Trusted, Untrusted, L2 network, S9300, DHCP relay, DHCP server, User network]
NOTE
DHCP snooping can be enabled both when the S9300 is deployed on a Layer 2 network and when it
functions as the DHCP relay agent; in either case the S9300 can defend against the attacks shown in
Table 3-1.
The difference is that when the S9300 functions as the DHCP relay agent, it supports the association
function between ARP and DHCP snooping, whereas the S9300 does not support this association function
when it is deployed on a Layer 2 network.
DHCPv6 Snooping
The S9300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries
are also created for users that use IPv6 addresses. A DHCPv6 snooping binding entry consists
of the IPv6 address, MAC address, interface number, and VLAN ID of a user.
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following tasks:
•
Data Preparation
To prevent the bogus DHCP server attack, you need the following data.
Procedure
Step 1 Run:
system-view
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
Or, in the VLAN view, run: dhcp snooping trusted interface interface-type interface-number [ no-user-binding ]
The interface is configured as a trusted interface.
DHCP Reply messages received on a trusted interface are forwarded; DHCP Reply messages
received on an untrusted interface are discarded, so a bogus DHCP server on the user side
cannot answer clients.
If the no-user-binding keyword is not used in the command, a binding entry is created when
the interface receives a DHCP Ack message sent to a user who does not go online through the
local device. If this keyword is used in the command, no binding entry is created in this case.
When running the dhcp snooping trusted command in the VLAN view, the specified interface
must belong to the VLAN. Compared with the dhcp snooping trusted command run in the
interface view, the dhcp snooping trusted command run in the VLAN view is more precise
because a specified interface in a specified VLAN can be configured as a trusted interface.
----End
untrusted interface, the S9300 considers the DHCP server as a bogus server and records it into
the log. The network administrator can then maintain the network according to the log.
NOTE
Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on
the interface. Otherwise, the detection function does not take effect.
Procedure
Step 1 Run:
system-view
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address
  ipv6-address | mac-address mac-address | interface interface-type interface-number |
  vlan vlan-id [ interface interface-type interface-number ] } command to check the
  DHCP snooping binding table.
• Run the display this command in the system view to check the configuration of detection
  of bogus DHCP servers.
  The display this command shows only whether detection of bogus DHCP servers is enabled.
  Detected bogus servers are recorded in the log; view the log to obtain the details.
----End
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
•
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.
Procedure
Step 1 Run:
system-view
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
The interface, or the interface in a VLAN, is configured to check the CHADDR field in DHCP
Request messages.
By default, an interface, or the interface in a VLAN, does not check the CHADDR field in DHCP
Request messages on the S9300.
----End
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
----End
IP addresses are classified into IPv4 addresses and IPv6 addresses. The S9300 checks the source IP
addresses of DHCP Request messages, including both IPv4 and IPv6 addresses.
1. Checks whether the destination MAC address is all-f. If it is, the S9300 treats the DHCP
   Request message as the broadcast that a user sends when going online for the first time
   and does not check the message against the binding table. Otherwise, the S9300 treats the
   message as a request to renew the lease of the IP address and checks it against the
   binding table.
2. Checks whether the CIADDR field in the DHCP Request message matches an entry in the
   binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks
   whether the VLAN ID, IP address, and interface information of the message match the
   binding entry. If all these fields match, the S9300 forwards the message; otherwise, the
   S9300 discards the message.
Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address
leases, complete the following tasks:
•
Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases,
you need the following data.
Procedure
Step 1 Run:
system-view
Or, run:
vlan vlan-id
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
The interface, or the interface in a VLAN, is enabled to check DHCP Request messages.
By default, an interface, or the interface in a VLAN, does not check DHCP Request messages.
NOTE
The dhcp snooping check user-bind enable command also checks whether DHCP Release messages match
the binding table, which prevents unauthorized users from releasing the IP addresses of authorized users.
----End
• Users on other interfaces in the VLAN can listen to the DHCP Reply messages that the DHCP
  server sends.
• After a valid user logs in, users on other interfaces in the VLAN can impersonate that user by
  forging its IP address and MAC address.
When DHCP snooping is used at Layer 2, the S9300 can obtain the interface information
required by the binding table even if the Option 82 function is not configured.
Procedure
Step 1 Run:
system-view
After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP
messages that do not carry it. If a DHCP message already carries an Option 82 field, the S9300 checks
whether that field contains a Remote-id: if it does, the S9300 retains the original Option 82 field
unchanged; if not, the S9300 inserts the Remote-id into the existing Option 82 field. By default,
the Remote-id is the MAC address of the S9300.
After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP
messages that do not carry it, and an existing Option 82 field is removed and replaced with a new
one. Because insert mode keeps whatever Option 82 a client already supplied, prefer rebuild mode on
user-side interfaces where clients are not trusted to set their own Option 82.
Step 4 Run:
quit
If the user-defined format of the Option 82 field is used, it is recommended that you specify the interface
type, interface number, and slot ID in text.
----End
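As an added example that is not part of the Huawei document, the following Python code encodes and decodes the Option 82 sub-options and applies the insert and rebuild behaviour described above to a message's option set. The Circuit-id text and the switch MAC address used as the Remote-id are constructed values; the sub-option codes (1 for Circuit-id, 2 for Remote-id) are the standard Relay Agent Information option codes.

```python
from typing import Dict

OPTION_RELAY_AGENT = 82   # DHCP option code of the Relay Agent Information option
SUB_CIRCUIT_ID = 1        # sub-option 1
SUB_REMOTE_ID = 2         # sub-option 2


def encode_suboptions(subs: Dict[int, bytes]) -> bytes:
    """Serialise Option 82 sub-options as code/length/value triples."""
    out = bytearray()
    for code, value in sorted(subs.items()):
        if not 0 <= code <= 255 or len(value) > 255:
            raise ValueError("sub-option code or value out of range")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def decode_suboptions(blob: bytes) -> Dict[int, bytes]:
    """Parse Option 82 sub-options, rejecting truncated input instead of guessing."""
    subs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def apply_option82(options: Dict[int, bytes], mode: str,
                   circuit_id: bytes, remote_id: bytes) -> Dict[int, bytes]:
    """Return the DHCP options (code -> raw value) after the switch processed Option 82.

    mode "insert" mirrors `dhcp option82 insert enable`: add Option 82 when absent,
    add only the Remote-id when Option 82 exists without one, and keep it untouched
    when it already carries a Remote-id. mode "rebuild" mirrors
    `dhcp option82 rebuild enable`: always replace Option 82 with the switch's own.
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError(f"unknown mode {mode!r}")
    result = dict(options)
    own = encode_suboptions({SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id})
    existing = options.get(OPTION_RELAY_AGENT)
    if mode == "rebuild" or existing is None:
        result[OPTION_RELAY_AGENT] = own
        return result
    subs = decode_suboptions(existing)
    if SUB_REMOTE_ID in subs:
        return result              # insert mode retains the client's Option 82 as-is
    subs[SUB_REMOTE_ID] = remote_id
    result[OPTION_RELAY_AGENT] = encode_suboptions(subs)
    return result


# Constructed values (assumptions for the example): the switch's MAC address as the
# default Remote-id, and a text Circuit-id naming the ingress interface and VLAN.
SWITCH_MAC = bytes.fromhex("00e0fc000001")
CIRCUIT_ID = b"GigabitEthernet2/0/0:10"

if __name__ == "__main__":
    # A client that pre-loads a forged Remote-id keeps it under insert mode ...
    forged = {53: b"\x03",
              OPTION_RELAY_AGENT: encode_suboptions({SUB_REMOTE_ID: b"attacker"})}
    print(decode_suboptions(apply_option82(forged, "insert", CIRCUIT_ID, SWITCH_MAC)[82]))
    # ... and loses it under rebuild mode.
    print(decode_suboptions(apply_option82(forged, "rebuild", CIRCUIT_ID, SWITCH_MAC)[82]))
```

The forged case is the point: under insert mode a client that supplies its own Option 82 with a Remote-id keeps it, so the DHCP server and the binding table see attacker-chosen location data; rebuild mode strips it.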
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address
  ipv6-address | mac-address mac-address | interface interface-type interface-number |
  vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP
  snooping binding table.
----End
Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
•
Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.
Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.
Procedure
Step 1 Run:
system-view
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.
By default, a maximum of 4096 users can access an interface of the S9300 or a VLAN.
This command takes effect only when DHCP snooping is enabled globally and on the interface
and is valid only for DHCP users. When the number of DHCP snooping users on an interface
or in a VLAN reaches the maximum value set through the dhcp snooping max-user-number
command, no more users can access the interface.
----End
Context
When MAC address security of DHCP snooping is enabled, packets are processed as follows
for a non-DHCP user:
• If a static MAC address is configured for the user, the packets are forwarded normally.
• If a static MAC address is not configured, the packets are discarded after reaching the
  interface where the dhcp snooping sticky-mac command is run.
MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC
addresses, and packets of these users can be forwarded normally. MAC addresses of static users
in the static binding table cannot be converted to static MAC addresses. Therefore, you need to
configure static MAC addresses for the static users to have their packets forwarded normally.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of setting the maximum number of users are complete.
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
----End
Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
•
Data Preparation
To limit the rate of sending packets, you need the following data.
Procedure
Step 1 Run:
system-view
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
The alarm function is enabled for the DHCP packets discarded because they exceed the
transmission rate.
Step 5 (Optional) Run:
dhcp snooping check dhcp-rate alarm threshold threshold
The alarm threshold of the number of DHCP packets discarded because they exceed the
transmission rate is set.
By default, the alarm threshold of discarded DHCP packets is 100 pps. An alarm is generated
when the number of discarded DHCP packets exceeds the threshold.
----End
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
----End
After the packet discarding alarm function is enabled, an alarm is generated when the number
of discarded packets on the S9300 reaches the alarm threshold.
Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
• Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the
  user side
Data Preparation
To configure the packet discarding alarm function, you need the following data.
Procedure
Step 1 Run:
system-view
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
After you run the mac-address command, the S9300 checks whether the source MAC address in
the frame header of a DHCP Request message is the same as the value of the CHADDR field in
the message. If the MAC address differs from the value of the CHADDR field, the
DHCP Request message is discarded.
After you run the user-bind command, the S9300 checks whether the DHCP Request or
Release message matches the binding table; an unmatched message is discarded.
The packet discarding alarm function configured globally takes effect for all interfaces.
The packet discarding alarm function configured on an interface takes effect for that
interface only. If the packet discarding alarm function is not configured on an interface, the
global configuration is used.
NOTE
If you need to configure the alarm function for the DHCP messages that are discarded because they exceed
the transmission rate, see 3.7.3 Limiting the Rate of Sending DHCP Messages.
Procedure
• In the system view:
  Run:
  system-view
  Run:
  dhcp snooping alarm threshold threshold
• In the interface view:
  Run:
  system-view
  Run:
  interface interface-type interface-number
  Run:
  dhcp snooping alarm { mac-address | user-bind | untrust-reply } enable
  mac-address: an alarm is raised for DHCP messages discarded because the source MAC
  address in the frame header differs from the CHADDR field of the DHCP message.
  user-bind: an alarm is raised for DHCP messages discarded because they do not match the
  binding table. The DHCP messages concerned are DHCP Request messages other than the
  Discover message, and Release messages.
  untrust-reply: an alarm is raised for DHCP Reply messages discarded because they arrived
  on an untrusted interface.
  Run:
  dhcp snooping alarm { mac-address | user-bind | untrust-reply } threshold threshold
  The alarm threshold of the number of discarded packets is set on the interface.
  By default, an interface uses the threshold set in the dhcp snooping alarm
  threshold command. If the command is not run in the system view, the interface uses
  the default threshold, 100 pps.
----End
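The following Python model is an added example, not code from the Huawei document. It ties together the drop decisions this chapter describes: replies accepted only on a trusted interface, the CHADDR-versus-source-MAC check, the binding-table check applied to unicast Request and to Release messages (a first-time broadcast Request and an unknown CIADDR are forwarded, as stated above), and the per-reason discard counters that raise an alarm when they reach the threshold. Binding entries, messages, interface names and MAC addresses are constructed; the strict_mac option, which also compares CHADDR with the MAC recorded in the binding, goes beyond what the page describes and is labelled as such in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "ffff-ffff-ffff"            # destination MAC "all-f"
REPLY_KINDS = {"OFFER", "ACK", "NAK"}       # server-to-client messages
BIND_CHECKED = {"REQUEST", "RELEASE"}       # client messages matched against the binding table


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: IP, MAC, VLAN and interface of a user."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpMessage:
    kind: str        # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    src_mac: str     # Ethernet header source address
    dst_mac: str     # Ethernet header destination address
    chaddr: str      # client hardware address field in the DHCP payload
    ciaddr: str      # client IP address field ("0.0.0.0" when not set)
    vlan: int        # VLAN the frame arrived in
    interface: str   # interface the frame arrived on


@dataclass
class SnoopingPort:
    name: str
    trusted: bool = False             # dhcp snooping trusted
    check_mac_address: bool = False   # dhcp snooping check mac-address enable
    check_user_bind: bool = False     # dhcp snooping check user-bind enable
    alarm_threshold: int = 100        # dhcp snooping alarm ... threshold (default 100)
    dropped: Dict[str, int] = field(
        default_factory=lambda: {"untrust-reply": 0, "mac-address": 0, "user-bind": 0})

    def drop(self, reason: str) -> Tuple[str, Optional[str]]:
        self.dropped[reason] += 1
        return ("discard", reason)

    def alarms(self) -> List[str]:
        """Drop reasons whose counter has reached the alarm threshold."""
        return sorted(r for r, n in self.dropped.items() if n >= self.alarm_threshold)


class DhcpSnooping:
    def __init__(self, bindings: List[Binding], strict_mac: bool = False):
        self.bindings = {b.ip: b for b in bindings}
        # Extension not described on the page: also require CHADDR to equal the MAC
        # recorded in the binding, which catches a forger behind the victim's own port.
        self.strict_mac = strict_mac

    def decide(self, port: SnoopingPort, msg: DhcpMessage) -> Tuple[str, Optional[str]]:
        # 1. Replies are accepted only from the trusted (server-side) interface.
        if msg.kind in REPLY_KINDS:
            return ("forward", None) if port.trusted else port.drop("untrust-reply")
        # 2. CHADDR must equal the frame's source MAC (defeats the CHADDR-flood DoS).
        if port.check_mac_address and msg.src_mac != msg.chaddr:
            return port.drop("mac-address")
        # 3. Renewals and releases must match the binding table.
        if port.check_user_bind and msg.kind in BIND_CHECKED:
            if msg.kind == "REQUEST" and msg.dst_mac == BROADCAST_MAC:
                return ("forward", None)   # first-time broadcast: no binding exists yet
            entry = self.bindings.get(msg.ciaddr)
            if entry is None:
                return ("forward", None)   # unknown CIADDR is forwarded (page behaviour)
            if (entry.vlan, entry.interface) != (msg.vlan, msg.interface):
                return port.drop("user-bind")
            if self.strict_mac and entry.mac != msg.chaddr:
                return port.drop("user-bind")
        return ("forward", None)


if __name__ == "__main__":
    victim = Binding("192.168.1.100", "00e0-fc33-0011", 10, "GE2/0/0")   # constructed
    port = SnoopingPort("GE2/0/0", check_mac_address=True, check_user_bind=True)
    # A second host behind the same port releases the victim's lease with its own MAC.
    forged_release = DhcpMessage("RELEASE", "0000-0000-0002", "0011-2233-4455",
                                 "0000-0000-0002", "192.168.1.100", 10, "GE2/0/0")
    print("page behaviour:", DhcpSnooping([victim]).decide(port, forged_release))
    print("with strict_mac:", DhcpSnooping([victim], strict_mac=True).decide(port, forged_release))
```

The forged release in the main block is the caveat: with only VLAN, IP and interface compared, a second host behind the same access port (a hub or an unmanaged switch) can release the victim's lease, and check mac-address does not help because the forger sets CHADDR to its own address. That is what strict_mac adds, and why one host per access port is the assumption behind this feature.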
Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
----End
Procedure
• Run the reset dhcp snooping statistics global command to clear the statistics on globally
  discarded packets.
----End
Procedure
• Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the
  DHCP snooping binding table.
----End
Procedure
• Run the dhcp snooping user-bind autosave file-name command to back up the DHCP
  snooping binding table.
  If the binding table is backed up, the system automatically backs up the binding table
  to the specified path every hour or after 300 dynamic binding entries are generated.
  If the binding table is not backed up, the dynamic DHCP snooping binding table is lost
  after the S9300 restarts. As a result, users that obtained IP addresses dynamically from
  the DHCP server cannot communicate normally and need to log in again.
----End
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack
[Figure 3-3; labels recovered from the figure: ISP network, L3 network, DHCP relay, DHCP server, GE1/0/0, S9300, GE2/0/0, L2 network, User network]
Configuration Roadmap
The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
1.
2.
3. Configure the user-side interface as an untrusted interface. DHCP Reply messages
   (Offer, ACK, and NAK messages) received from the untrusted interface are discarded.
4.
Data Preparation
To complete the configuration, you need the following data:
• GE 1/0/0 being the trusted interface and GE 2/0/0 being the untrusted interface
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
ISP network
L3 network
L2 network
DHCP relay
GE1/0/0
DHCP server
S9300
GE2/0/0
User network
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
3.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
Step 2 Enable the checking of the CHADDR field of DHCP Request messages on the user-side
interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check mac-address enable
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet2/0/0
dhcp snooping enable
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
#
return
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases (figure: the DHCP server on the ISP/L3 network reaches the S9300 through a DHCP relay on GE1/0/0; the user network on the L2 side connects to GE2/0/0)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Use the operation mode of the DHCP snooping binding table to check DHCP Request messages.
3.
4. Configure the Option 82 function and create a binding table that contains information about the interface.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
Run the display user-bind all command, and you can view all the static binding entries of users.
<Quidway> display user-bind all
bind-table:
ifname             O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE2/0/0            3/ --     0000-005e-008a  10.1.1.3         S   0
-------------------------------------------------------------------------------
Static binditem count:          1
Static binditem total count:    1
Run the display dhcp option82 interface command, and you can find that the function of
inserting the Option 82 field into packets is enabled on the interface.
<Quidway> display dhcp option82 interface gigabitethernet 2/0/0
dhcp option82 insert enable
----End
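The binding table printed by display user-bind all is what an operator audits after a restart or after restoring an autosave file. The following parser is an added example, not Huawei's code: it reads that output into structured entries and compares them with the static bindings the operator expects to see. The sample output is constructed to match the layout shown above; its third row, a dynamic entry carrying a VSI name, is constructed to exercise the optional columns.

```python
"""Parser and audit helper for the S9300 "display user-bind all" table.

Added example, not Huawei's code.  SAMPLE is constructed to match the layout
of the output shown in this chapter (one extra dynamic row with a VSI name).
"""
import re

SAMPLE = """\
<Quidway> display user-bind all
bind-table:
ifname             O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE2/0/0            3/ --     0000-005e-008a  10.1.1.3         S   0
GE1/0/1            10/ --    0001-0002-0003  10.1.1.1         S   0
GE1/0/0            20/ --    00aa-00bb-00cc  10.1.1.50        D   86400  v123
-------------------------------------------------------------------------------
Static binditem count:          2
Static binditem total count:    2
"""

# One binding row: interface, outer/inner VLAN, MAC, IP, type (S/D), lease, optional VSI.
ROW = re.compile(
    r"^(?P<ifname>\S+)\s+"
    r"(?P<ovlan>\d+|--)/\s*(?P<ivlan>\d+|--)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<tp>[SD])\s+(?P<lease>\d+)"
    r"(?:\s+(?P<vsi>\S+))?\s*$")
COUNT = re.compile(r"^Static binditem count:\s*(\d+)\s*$")


def parse_user_bind(text):
    """Return (entries, static_count) parsed from the display output."""
    entries, static_count = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            entries.append({
                "ifname": d["ifname"],
                "outer_vlan": None if d["ovlan"] == "--" else int(d["ovlan"]),
                "inner_vlan": None if d["ivlan"] == "--" else int(d["ivlan"]),
                "mac": d["mac"],
                "ip": d["ip"],
                "static": d["tp"] == "S",   # S = static entry, D = dynamic entry
                "lease": int(d["lease"]),
                "vsi": d["vsi"],            # set only with DHCP snooping over VPLS
            })
            continue
        c = COUNT.match(line)
        if c:
            static_count = int(c.group(1))
    return entries, static_count


def audit(text, expected_static):
    """Compare the printed table with the static bindings an operator expects.

    expected_static: iterable of (ip, mac, ifname, outer_vlan) tuples.
    Returns the expected static bindings that are missing, whether the printed
    static count agrees with the static rows actually listed, and the IPs of
    dynamic entries (the ones lost on restart without an autosave file).
    """
    entries, static_count = parse_user_bind(text)
    present = {(e["ip"], e["mac"], e["ifname"], e["outer_vlan"])
               for e in entries if e["static"]}
    return {
        "missing": sorted(set(expected_static) - present),
        "count_consistent": static_count == len(present),
        "dynamic": [e["ip"] for e in entries if not e["static"]],
    }
```

Running audit(SAMPLE, expected) with the two static users from this chapter reports nothing missing; adding a binding the switch does not list shows up under "missing", which is the check to run before trusting the table after a reload.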
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface
gigabitethernet 2/0/0 vlan 3
#
interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
return
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages (figure: an attacker and a DHCP client on the L2 network connect to the S9300 on GE1/0/1 and GE1/0/2; GE2/0/1 leads through the L3 network and a DHCP relay to the DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Set the rate of sending DHCP Request messages to the protocol stack.
3.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interface. The configuration procedure of GE 1/0/2
is the same as the configuration procedure of GE 1/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] dhcp snooping enable
[Quidway-GigabitEthernet1/0/1] quit
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
interface GigabitEthernet1/0/1
dhcp snooping enable
#
interface GigabitEthernet1/0/2
dhcp snooping enable
#
return
(Networking diagram: the DHCP server connects to the S9300 on GE2/0/0; DHCP client1 connects on GE1/0/0 and DHCP client2 on GE1/0/1; DHCP client2 uses IP 10.1.1.1/24 and MAC 0001-0002-0003.)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.
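The roadmap above, like the single-feature examples before it, describes four independent checks and an alarm counter per check. The model below is an added example, not Huawei's code: it reproduces in Python how a DHCP message is treated by the untrust-reply, mac-address (CHADDR), user-bind and dhcp-rate checks, and when the discard counters raise an alarm. The interface names and the static binding for 10.1.1.1 follow this example; the message samples, the server MAC 0000-5e00-0001 and the attacker MACs are constructed, and the thresholds in demo() are lowered from 120/90/80 so that an alarm fires on a handful of messages.

```python
"""Model of the DHCP snooping checks configured in this chapter.

Added example, not Huawei's code: the untrust-reply, mac-address and
user-bind checks per interface, the global dhcp-rate check, and the
per-check alarm thresholds, run over constructed DHCP messages.
"""
from dataclasses import dataclass, field

REPLY_TYPES = {"OFFER", "ACK", "NAK"}      # message types only a DHCP server sends


@dataclass(frozen=True)
class Binding:                              # one DHCP snooping binding entry
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass
class DhcpMsg:
    msg_type: str            # DISCOVER, REQUEST, OFFER, ACK, NAK, ...
    src_mac: str             # Ethernet source address of the frame
    chaddr: str              # client hardware address field in the DHCP payload
    interface: str           # ingress interface on the switch
    vlan: int
    ciaddr: str = "0.0.0.0"  # address a client claims when renewing a lease
    second: int = 0          # arrival time in whole seconds, for the rate check


@dataclass
class Snooper:
    trusted: set                     # interfaces configured "dhcp snooping trusted"
    bindings: dict                   # ip -> Binding (the binding table)
    check_mac: set                   # interfaces with "check mac-address enable"
    check_user_bind: set             # interfaces with "check user-bind enable"
    alarm_threshold: int = 120       # discards per interface and check that alarm
    rate_limit: int = 90             # Requests per second passed to the protocol stack
    rate_alarm_threshold: int = 80   # rate-check discards that alarm
    dropped: dict = field(default_factory=dict)     # (scope, check) -> discards
    alarms: list = field(default_factory=list)      # (scope, check) alarms raised
    per_second: dict = field(default_factory=dict)  # second -> Requests accepted

    def _drop(self, scope, check, threshold):
        key = (scope, check)
        self.dropped[key] = self.dropped.get(key, 0) + 1
        if self.dropped[key] == threshold:     # alarm once the threshold is reached
            self.alarms.append(key)
        return (False, check)

    def process(self, msg):
        """Return (accepted, reason) for one DHCP message."""
        if msg.interface in self.trusted:
            return (True, "trusted")           # the real server's replies arrive here
        # untrust-reply: Offer/ACK/NAK on a user-side port come from a bogus server.
        if msg.msg_type in REPLY_TYPES:
            return self._drop(msg.interface, "untrust-reply", self.alarm_threshold)
        # mac-address: CHADDR must equal the frame's source MAC.
        if msg.interface in self.check_mac and msg.chaddr != msg.src_mac:
            return self._drop(msg.interface, "mac-address", self.alarm_threshold)
        # user-bind: a Request that claims an address must match its binding entry.
        if (msg.interface in self.check_user_bind and msg.msg_type == "REQUEST"
                and msg.ciaddr != "0.0.0.0"):
            b = self.bindings.get(msg.ciaddr)
            if b is None or (b.mac, b.interface, b.vlan) != (msg.chaddr, msg.interface, msg.vlan):
                return self._drop(msg.interface, "user-bind", self.alarm_threshold)
        # dhcp-rate: cap the Requests handed to the protocol stack per second.
        if msg.msg_type in ("DISCOVER", "REQUEST"):
            n = self.per_second.get(msg.second, 0) + 1
            if n > self.rate_limit:
                return self._drop("global", "dhcp-rate", self.rate_alarm_threshold)
            self.per_second[msg.second] = n
        return (True, "ok")


def demo():
    """Run constructed messages through a switch configured like the example above."""
    s = Snooper(trusted={"GE2/0/0"},
                bindings={"10.1.1.1": Binding("10.1.1.1", "0001-0002-0003", "GE1/0/1", 10)},
                check_mac={"GE1/0/0", "GE1/0/1"}, check_user_bind={"GE1/0/0", "GE1/0/1"},
                alarm_threshold=2, rate_limit=3, rate_alarm_threshold=1)  # lowered for the demo
    results = [
        # a bogus DHCP server answering on a user-side port
        s.process(DhcpMsg("OFFER", "00aa-00bb-00cc", "00aa-00bb-00cc", "GE1/0/0", 10)),
        # CHADDR forged: the payload names client2's MAC, the frame came from another NIC
        s.process(DhcpMsg("DISCOVER", "00aa-00bb-00cc", "0001-0002-0003", "GE1/0/0", 10)),
        # lease renewal for 10.1.1.1 from the wrong port
        s.process(DhcpMsg("REQUEST", "0001-0002-0003", "0001-0002-0003", "GE1/0/0", 10,
                          ciaddr="10.1.1.1")),
        # legitimate renewal matching the static binding on GE1/0/1 in VLAN 10
        s.process(DhcpMsg("REQUEST", "0001-0002-0003", "0001-0002-0003", "GE1/0/1", 10,
                          ciaddr="10.1.1.1")),
        # the real server's ACK arriving on the trusted uplink
        s.process(DhcpMsg("ACK", "0000-5e00-0001", "0001-0002-0003", "GE2/0/0", 10)),
    ]
    # four Discovers within one second against a limit of three: the fourth is dropped
    burst = [s.process(DhcpMsg("DISCOVER", "00aa-00bb-00dd", "00aa-00bb-00dd", "GE1/0/1", 10,
                               second=5)) for _ in range(4)]
    return results, burst, s.alarms
```

The order of the checks is a design choice of this model: replies are rejected before any payload field is inspected, and the rate limit is applied last so that a burst of forged messages is charged to the check that catches it rather than to the protocol stack budget.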
Data Preparation
To complete the configuration, you need the following data:
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE
1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent
attackers from changing the CHADDR field in DHCP Request messages. The configuration of
GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending packets, and set the alarm threshold
for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
Run the display dhcp snooping interface command, and you can view information about DHCP
snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted
Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname             O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/1            10/ --    0001-0002-0003  10.1.1.1         S   0
-------------------------------------------------------------------------------
Static binditem count:          1
Static binditem total count:    1
Run the display dhcp option82 interface command, and you can view the configuration of
Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
When users log out abnormally after requesting IP addresses, the system detects this failure automatically, deletes the binding from the DHCP binding table, and notifies the DHCP server to release the IP addresses.
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent (figure: the DHCP server connects on GE2/0/0 to the S9300 acting as DHCP relay; DHCP client1 and DHCP client2 connect on GE1/0/0; DHCP client2 uses IP 10.1.1.1/24 and MAC 0001-0002-0003)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.
Data Preparation
To complete the configuration, you need the following data:
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration. For the configuration of DHCP Relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
Step 3 Enable the checking for certain types of packets and configure the DHCP snooping binding table.
# Enable the checking of DHCP Request messages on the interface at the DHCP client side to
prevent attackers from sending bogus DHCP messages for extending IP address leases.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interface at the DHCP client side to prevent
attackers from changing the CHADDR field in DHCP Request messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending packets and set the alarm threshold
for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
Run the display dhcp snooping interface command, and you can view information about DHCP
snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted
Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname             O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0            10/ --    0001-0002-0003  10.1.1.1         S   0
-------------------------------------------------------------------------------
Static binditem count:          1
Static binditem total count:    1
Run the display dhcp option82 interface command, and you can view the configuration of
Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface
gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
dhcp snooping trusted
#
arp dhcp-snooping-detect enable
#
return
DHCP client 1 uses the dynamically allocated IP address and DHCP client 2 uses the statically
configured IP address.
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network (figure: PE1 with Loopback1 1.1.1.9/32 and VLANIF10 100.1.1.1/24 on GE2/0/0, and PE2 with Loopback1 2.2.2.9/32 and VLANIF10 100.1.1.2/24 on GE2/0/0, connected over the backbone; a DHCP server and a LAN switch hang off the PEs' GE1/0/0 and GE3/0/0 access interfaces; DHCP client1 and DHCP client2 connect to the LAN switch on GE2/0/0 and GE2/0/1; DHCP client2 uses IP 10.1.1.1/24 and MAC 0001-0002-0003)
NOTE
Users apply to the DHCP server for IP addresses through the Layer 2 network; therefore, DHCP relay
devices are not required in the preceding networking.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on the backbone network to ensure the connectivity of routers.
2. Create a VSI on the PEs and specify LDP as the signaling protocol, and then bind the VSI to the AC interfaces.
3. Enable DHCP snooping in the system view and in the interface view, and enable DHCP snooping over VPLS.
4. Set the maximum number of DHCP snooping users to prevent malicious IP address application, which keeps authorized users from applying for IP addresses.
5. Configure the checking of the CHADDR value to prevent DoS attacks by changing the value of the CHADDR field.
6. Configure the checking of DHCP Request messages against the DHCP snooping binding table to prevent attacks by sending bogus messages for extending IP address leases.
7. Configure Option 82 and create a binding table covering accurate interface information.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
- IP address of the peer and tunnel policy used for setting up the peer relation
NOTE
The following example only provides the configuration procedure of the S9300. For details on the configuration of other devices, see the related operation guides.
Procedure
Step 1 Configure the VPLS.
1. Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes.
Assign an IP address to each interface on PEs as shown in Figure 3-9.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 24
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<PE2> system-view
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 24
[PE2-Vlanif10] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, run the display ip routing-table command on PE1 and PE2. You
can view that PEs can learn routes and ping each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost     Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0          D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   1          D   100.1.1.2       Vlanif10
       100.1.1.0/24 Direct  0    0          D   100.1.1.1       Vlanif10
       100.1.1.1/32 Direct  0    0          D   127.0.0.1       InLoopBack0
        127.0.0.0/8 Direct  0    0          D   127.0.0.1       InLoopBack0
       127.0.0.1/32 Direct  0    0          D   127.0.0.1       InLoopBack0
<PE1> ping 100.1.1.2
  PING 100.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=2 ms
    Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
2. Enable basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2. You
can view that the Status item of the peer between PE1 and PE2 is Operational, which
indicates that the peer relation is established. Run the display mpls lsp command, and you
can view the establishment of the LSP.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID            Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  000:00:01   7/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
 SN   DestAddress/Mask   In/OutLabel   Next-Hop       In/OutInterface
 ------------------------------------------------------------------------------
 1    1.1.1.9/32         3/NULL        127.0.0.1      Vlanif10/InLoop0
 2    2.2.2.9/32         NULL/3        100.1.1.2      -------/Vlanif10
3.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
4.
# Configure PE2.
[PE2] vsi v123 static
[PE2-vsi-v123] pwsignal ldp
[PE2-vsi-v123-ldp] vsi-id 2
[PE2-vsi-v123-ldp] peer 1.1.1.9
[PE2-vsi-v123-ldp] quit
[PE2-vsi-v123] quit
5.
# Configure PE1.
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] l2 binding vsi v123
[PE1-Vlanif30] quit
After the configuration, run the display vsi name v123 verbose command on PE1, and you can find that VSI v123 sets up a PW to PE2, and the status of the VSI is Up.
<PE1> display vsi name v123 verbose
 ***VSI Name               : v123
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
                           : unqualify
                           : vlan
                           : 1500
                           : uniform
                           : -255
                           : 2
                           : 2.2.2.9
                           : 27648
                           : dynamic
                           : up
                           : 0x802000
                           : up
                           : Vlanif20
                           : up
  **PW Information:
   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 21504
    Remote VC Label        : 21504
    PW Type                : label
    Tunnel ID              : 0x802000
    FIB Link-ID            : 1
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping enable
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping enable
2.
3. Set the maximum number of DHCP snooping users on interfaces at the DHCP client side. In this manner, malicious IP address application can be prevented and authorized users can successfully apply for IP addresses.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
[PE1-GigabitEthernet1/0/0] quit
Configure static binding entries. If users adopt static IP addresses, you need to manually configure static DHCP snooping entries.
[PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20
4.
# Check the CHADDR field on the interfaces at the DHCP client side to prevent attacks
by changing the value of the CHADDR field.
[PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[PE1-GigabitEthernet1/0/0] quit
5.
6.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[PE1-GigabitEthernet1/0/0] quit
Enable the alarm function of limiting the rate of packets and set the alarm threshold for
limiting the rate of packets.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate alarm enable
[PE1] dhcp snooping check dhcp-rate alarm threshold 80
Run the display dhcp snooping global command on PE1. You can view that DHCP snooping
is enabled globally and in the interface view. You can also view the statistics on the alarms sent
to the NMS.
<PE1> display dhcp snooping global
Run the display dhcp snooping interface command on PE1, and you can view information
about DHCP snooping on the interface.
<PE1> display dhcp snooping interface gigabitethernet 1/0/0
<PE1> display dhcp snooping interface gigabitethernet 2/0/0
Run the display user-bind all command on PE1, and you can view static binding entries of users.
<PE1> display user-bind all
bind-table:
ifname             O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0            20/ --    0001-0002-0003  10.1.1.1         S   0
-------------------------------------------------------------------------------
Static binditem count:          1
Static binditem total count:    1
----End
Configuration Files
- Configuration file of PE1
#
vlan batch 10 20
#
dhcp enable
dhcp snooping enable
dhcp snooping over-vpls enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface GigabitEthernet1/0/0 vlan 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 2
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
l2 binding vsi v123
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 3000
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return
ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices. Attacks are classified into ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.
- ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets and gratuitous ARP packets, which results in ARP buffer overflow. Therefore, normal ARP entries cannot be cached and packet forwarding is interrupted.
- ARP DoS attacks: Attackers send a large number of ARP request and response packets or other packets that can trigger ARP processing. The device is then busy with ARP processing for a long period and ignores other services. Normal packet forwarding is thus interrupted.
Attackers scan hosts on the local network segment or on other network segments with scanning tools. Before returning response packets, the S9300 searches for ARP entries. If the MAC address corresponding to the destination IP address does not exist, the ARP module on the S9300 sends ARP Miss messages to the upper-layer software and requires it to send ARP request packets to obtain the destination MAC address. A large number of scanning packets generate a large number of ARP Miss packets, and system resources are then wasted in processing ARP Miss packets. This affects the processing of other services and is hence called a scanning attack.
ARP Security
ARP security is used to filter out untrusted ARP packets and enable timestamp suppression for
certain ARP packets to guarantee the security and robustness of network devices.
ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP
packets and modify ARP entries on the gateway. As a result, the authorized users are
disconnected from the network.
The S9300 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address to be modified through ARP entry learning until this ARP entry ages. Thus the S9300 prevents the ARP entries of authorized users from being modified without permission.
  The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, the MAC addresses cannot be modified, but the VLANs and interfaces can be modified; in fixed-all mode, the MAC addresses, VLANs, and interfaces cannot be modified.
- Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP packet requesting the modification of a MAC address. Instead, the S9300 sends a unicast packet for acknowledgement to the user matching this MAC address in the original ARP table.

- The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.
- The source IP address in the ARP packets is the virtual IP address of the incoming interface but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group when the VRRP group is in virtual MAC address mode.
In either of the preceding situations, the S9300 generates ARP anti-attack entries and discards the packets with the same source MAC address in the Ethernet header for a period (the default value is three minutes). This prevents ARP packets with the bogus gateway address from being broadcast on a VLAN.
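The fixed-mac and fixed-all modes and the gateway anti-collision rule above are decision rules over an ARP entry and an incoming packet, so they can be modelled directly. The following is an added example, not Huawei's code: one Gateway object stands for one gateway interface of the S9300 and applies the chapter's rules to constructed ARP packets. The aging time, the refresh of an entry on an accepted update, and the assumption that the sender MAC inside the ARP payload equals the frame's source MAC are assumptions of this model; the three-minute anti-attack hold is the default stated above.

```python
"""ARP anti-spoofing model: fixed-mac / fixed-all entry protection and
gateway anti-collision.  Added example, not Huawei's code.

Assumptions: a 1200 s aging time, entries refreshed on accepted updates,
and the ARP sender MAC equal to the Ethernet source MAC.
"""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str
    learned_at: float


@dataclass
class ArpPacket:
    src_ip: str
    src_mac: str          # sender MAC in the ARP payload (= frame source MAC here)
    vlan: int
    interface: str


@dataclass
class Gateway:
    ip: str                              # IP address of the receiving interface
    mode: str = "none"                   # "none", "fixed-mac" or "fixed-all"
    vrrp_vip: str = None                 # VRRP virtual IP when the group uses a virtual MAC
    vrrp_vmac: str = None                # the group's virtual MAC
    age: float = 1200.0                  # ARP aging time in seconds (model assumption)
    hold: float = 180.0                  # anti-attack entry lifetime: three minutes by default
    table: dict = field(default_factory=dict)         # ip -> ArpEntry
    anti_attack: dict = field(default_factory=dict)   # source MAC -> expiry time

    def receive(self, pkt, now):
        """Process one ARP packet and report what the gateway did with it."""
        expiry = self.anti_attack.get(pkt.src_mac)
        if expiry is not None and now < expiry:
            return "discarded"           # anti-attack entry still active for this MAC
        # Gateway anti-collision: nobody else may claim the gateway's own address.
        bogus_gateway = pkt.src_ip == self.ip or (
            self.vrrp_vip is not None and pkt.src_ip == self.vrrp_vip
            and pkt.src_mac != self.vrrp_vmac)
        if bogus_gateway:
            self.anti_attack[pkt.src_mac] = now + self.hold
            return "anti-attack-entry"
        return self._learn(pkt, now)

    def _learn(self, pkt, now):
        cur = self.table.get(pkt.src_ip)
        if cur is None or now - cur.learned_at >= self.age:
            self.table[pkt.src_ip] = ArpEntry(pkt.src_mac, pkt.vlan, pkt.interface, now)
            return "learned"
        if self.mode == "fixed-mac" and pkt.src_mac != cur.mac:
            return "rejected"            # MAC is frozen until the entry ages
        if self.mode == "fixed-all" and \
                (pkt.src_mac, pkt.vlan, pkt.interface) != (cur.mac, cur.vlan, cur.interface):
            return "rejected"            # MAC, VLAN and interface are all frozen
        self.table[pkt.src_ip] = ArpEntry(pkt.src_mac, pkt.vlan, pkt.interface, now)
        return "updated"


def demo():
    """Constructed packets against a fixed-mac gateway, then a fixed-all one."""
    gw = Gateway(ip="10.1.1.254", mode="fixed-mac",
                 vrrp_vip="10.1.1.253", vrrp_vmac="0000-5e00-0101")
    host = ArpPacket("10.1.1.10", "0001-0002-0003", 10, "GE1/0/0")
    spoof = ArpPacket("10.1.1.10", "00aa-00bb-00cc", 10, "GE1/0/1")     # same IP, other MAC
    moved = ArpPacket("10.1.1.10", "0001-0002-0003", 20, "GE1/0/1")     # same MAC, other port
    bogus = ArpPacket("10.1.1.254", "00aa-00bb-00cc", 10, "GE1/0/1")    # claims the gateway IP
    vrrp_ok = ArpPacket("10.1.1.253", "0000-5e00-0101", 10, "GE2/0/0")  # the real VRRP master
    vrrp_bad = ArpPacket("10.1.1.253", "00dd-00ee-00ff", 10, "GE1/0/1")
    fixed_mac = [
        gw.receive(host, 0.0),        # learned
        gw.receive(spoof, 1.0),       # rejected: MAC change refused
        gw.receive(moved, 2.0),       # updated: VLAN/interface may change in fixed-mac mode
        gw.receive(bogus, 3.0),       # anti-attack-entry
        gw.receive(spoof, 4.0),       # discarded: same source MAC as the bogus packet
        gw.receive(vrrp_ok, 5.0),     # learned: virtual IP with the virtual MAC is legitimate
        gw.receive(vrrp_bad, 6.0),    # anti-attack-entry
        gw.receive(spoof, 200.0),     # rejected again once the 180 s hold has expired
    ]
    strict = Gateway(ip="10.1.1.254", mode="fixed-all")
    fixed_all = [strict.receive(host, 0.0), strict.receive(moved, 1.0)]  # learned, rejected
    return fixed_mac, fixed_all
```

The anti-attack check runs before learning so that a MAC already flagged as impersonating the gateway cannot slip a normal-looking entry update through during the hold period.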
and the triggered rate exceeds the set threshold, the S9300 considers that an attack occurs. In
this case, the S9300 delivers ACL rules to discard the IP packets sent from this address in a
period (the default value is 50 seconds).
Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol
Data Preparation
To configure the limitation on ARP entry learning, you need the following data.
No.  Data
Procedure
- Run:
  system-view
  Run:
  arp learning strict
- Run:
  system-view
  Run:
  interface interface-type interface-number
  Run:
  arp learning strict { force-enable | force-disable | trust }
  trust: indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally.
  By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.
- Run:
  system-view
  Run:
  interface interface-type interface-number [.subnumber ]
  Run:
  arp learning strict { force-enable | force-disable | trust }
  The strict ARP entry learning function is enabled on the GE or Ethernet subinterface.
- Run:
  system-view
  Run:
  interface eth-trunk trunk-id [.subnumber ]
  Run:
  arp learning strict { force-enable | force-disable | trust }
  The strict ARP entry learning function is enabled on the Eth-trunk subinterface.
  trust: indicates that the configuration of strict ARP entry learning on an Eth-trunk subinterface is the same as that configured globally.
Procedure
Step 1 Run:
system-view
Procedure
- Run the display arp learning strict command to view the configuration of strict ARP entry learning.
----End
Example
Run the display arp learning strict command, and you can view the configuration of strict ARP entry learning.
<Quidway> display arp learning strict
The global configuration:arp learning strict
interface                 LearningStrictState
------------------------------------------------------------
Vlanif100                 force-disable
Vlanif200                 force-enable
------------------------------------------------------------
Total:2
force-enable:1    force-disable:1
- To prevent attackers from forging the ARP packets of authorized users and modifying the ARP entries on the gateway, you can configure the ARP address anti-spoofing function.
- To prevent attackers from forging the gateway address, sending gratuitous ARP packets whose source IP addresses are the gateway address on the LAN, and thus making the hosts change the gateway address into the address of the attacker, you can configure the ARP gateway anti-collision function.
- To prevent unauthorized users from accessing external networks by sending ARP packets to the S9300, you can configure the ARP packet checking function.
Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol
Data Preparation
To configure ARP anti-attack, you need the following data.
No.  Data
Procedure
Step 1 Run:
system-view
The ARP anti-attack function for preventing ARP packets with the bogus gateway address is
enabled.
After this function is enabled, the ARP packets with the bogus gateway address on an interface
of the S9300 are not broadcast to other interfaces. By default, this function is disabled on the
S9300.
----End
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses
a static IP address, you need to configure the binding entry of the user manually. A DHCP snooping binding
entry consists of the IP address, MAC address, interface number, and VLAN ID of a user.
For the configuration of DHCP snooping, see 3.3.2 Enabling DHCP Snooping. For the configuration of
a static binding entry, see 5.3.2 (Optional) Configuring a Static User Binding Entry.
Procedure
Step 1 Run:
system-view
The alarm threshold of the number of ARP packets discarded because they do not match the
binding table is set.
By default, the alarm threshold is the same as the threshold set by the arp anti-attack check
user-bind alarm threshold command run in the system view. If the alarm threshold is not set in the
system view, the default threshold on the interface is 100.
----End
Procedure
Step 1 Run:
system-view
If the ARP packets are ARP request packets and the destination IP address of the packets
matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets
and sends them to the requester on the PW. The attacks caused by PW-side ARP packets
broadcast to the AC on a VPLS network are thus prevented.
If the ARP packets are not ARP request packets, or the packets are ARP request packets but
the destination IP address of the packets does not match any entry in the DHCP snooping binding
table, the ARP packets are forwarded normally.
The arp over-vpls enable command needs to be used with DHCP snooping over VPLS because
the DHCP snooping binding table is used. For the configuration of DHCP snooping over VPLS,
see 3.3.2 Enabling DHCP Snooping.
----End
Procedure
Step 1 Run:
system-view
The S9300 is configured to learn ARP entries according to the DHCP ACK message received
on the VLANIF interface, and to discard ARP request packets for querying the destination host
of the network segment of the interface.
By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages. When
the traffic passes, ARP learning is triggered.
NOTE
To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on
the VLANIF interface.
If the DHCP user and DHCP server are located on the same network segment, you cannot use the arp
learning dhcp-trigger command.
----End
If the function is enabled in the system view, all the interfaces of the S9300 discard the
gratuitous ARP packets.
If the function is enabled in the VLANIF interface view, the VLANIF interface discards
the gratuitous ARP packets.
Before enabling an interface to discard gratuitous ARP packets, you do not need to enable
the function globally.
Procedure
• To enable the function globally:
  1. Run: system-view
  2. Run: arp anti-attack gratuitous-arp drop
• To enable the function on a VLANIF interface:
  1. Run: system-view
  2. Run: interface vlanif interface-number
  3. Run: arp anti-attack gratuitous-arp drop
Procedure
Step 1 Run:
system-view
Procedure
• Run the display arp anti-attack configuration { entry-check | gateway-duplicate | log-trap-timer | all } command to check the configuration of ARP anti-attack.
• Run the display arp anti-attack gateway-duplicate item command to check information
  about bogus gateway address attacks on the network.
• Run the display arp anti-attack check user-bind interface interface-type interface-number command to check the configuration of the binding table for checking ARP packets.
----End
Example
Run the display arp anti-attack configuration all command, and you can view the
configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
Run the display arp anti-attack gateway-duplicate item command, and you can view
information about bogus gateway address attack on the network.
<Quidway> display arp anti-attack gateway-duplicate item
interface             IP address     MAC address      VLANID  aging time
------------------------------------------------------------------------------
GigabitEthernet1/0/1  2.1.1.1        0000-0000-0002   2       153
GigabitEthernet1/0/1  2.1.1.1        0000-0000-0004   2       179
------------------------------------------------------------------------------
There are 2 records in gateway conflict table
Run the display arp anti-attack check user-bind interface interface-type interface-number
command, and you can view the configuration of the binding table for checking ARP packets.
To prevent excessive ARP packets from increasing the CPU workload and occupying
excessive ARP entries, you can suppress the transmission rate of ARP packets. Then the
transmission rate of the ARP packets transmitted to the main control board is limited.
To prevent a host from sending excessive IP packets whose destination IP addresses cannot
be resolved, you can suppress the source IP address that sends the packets, that is, configure
the suppression on ARP Miss source. Then these IP packets are discarded.
After the IP source guard function is enabled on an interface, all the ARP packets passing
through the interface are forwarded to the security module for check. If excessive ARP
packets are sent to the security module, the security module will be impacted. In this case,
you can suppress the transmission rate of the ARP packets; the packets that exceed the
transmission rate are discarded.
Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
• Setting the parameters of the link layer protocol and the IP address of the interface and
  enabling the link-layer protocol
Data Preparation
To configure ARP suppression, you need the following data.
No.    Data
Procedure
Step 1 Run:
system-view
The suppression rate of ARP packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP packets with a
specified source IP address is the value specified by maximum in step 3, and the suppression
rate of ARP packets with other source IP addresses is the value specified by maximum in step
2.
If the suppression rate of ARP packets is set to 0, it indicates that ARP packets are not suppressed.
By default, the suppression rate of ARP packets is 5 pps.
----End
Procedure
Step 1 Run:
system-view
The suppression rate of ARP Miss packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP Miss packets with
a specified source IP address is the value specified by maximum in step 3, and the suppression
rate of ARP Miss packets with other source IP addresses is the value specified by maximum in
step 2.
If the suppression rate of ARP packets is set to 0, it indicates that ARP Miss packets are not
suppressed. By default, the suppression rate of ARP Miss packets is 5 pps.
----End
Procedure
Step 1 Run:
system-view
The suppression time for the S9300 to send ARP Miss messages is set.
By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds.
----End
Procedure
Step 1 Run:
system-view
The alarm function for the ARP packets discarded because the transmission rate is exceeded is
enabled.
By default, the alarm function is disabled.
The alarm threshold of the number of ARP packets discarded because the transmission rate is
exceeded is set.
By default, the alarm threshold of discarded ARP packets is 5.
----End
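The three procedures above (per-source-IP suppression of ARP packets, per-source-IP suppression of ARP Miss packets, and the alarm for ARP packets discarded because the rate was exceeded) share one mechanism: a default rate for all other sources, per-address overrides, a rate of 0 meaning no suppression, and a discard counter compared against an alarm threshold. The Python below is an added example written for this page, not code from the Huawei document or the S9300. It assumes a one-second counting window as the rate definition, assumes the alarm is raised when the discards in a window reach the threshold, and reuses the addresses of the configuration example later in this chapter (2.2.4.2 for User 4, 2.2.2.2 for the server) as constructed sample input.

```python
"""Per-source-IP ARP / ARP Miss rate suppression with a discard alarm (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DEFAULT_RATE_PPS = 5  # the default suppression rate stated in the document


class SourceRateLimiter:
    """One instance models 'arp speed-limit source-ip', another 'arp-miss speed-limit source-ip'."""

    def __init__(self, default_max: int = DEFAULT_RATE_PPS,
                 alarm_enabled: bool = False, alarm_threshold: int = 5):
        self.default_max = default_max                # rate for "Others"
        self.per_ip: Dict[str, int] = {}              # source IP -> max pps (0 = not suppressed)
        self.alarm_enabled = alarm_enabled
        self.alarm_threshold = alarm_threshold        # default 5 as stated in the document
        self.discarded = 0                            # total packets discarded
        self.alarms: List[Tuple[int, str]] = []       # (second, source IP) of raised alarms
        self._window: Dict[Tuple[str, int], int] = defaultdict(int)        # (ip, second) -> accepted
        self._window_drops: Dict[Tuple[str, int], int] = defaultdict(int)  # (ip, second) -> dropped

    def set_limit(self, ip: Optional[str], maximum: int) -> None:
        """ip=None sets the rate for all other source IP addresses."""
        if ip is None:
            self.default_max = maximum
        else:
            self.per_ip[ip] = maximum

    def limit_for(self, ip: str) -> int:
        return self.per_ip.get(ip, self.default_max)

    def accept(self, ip: str, now: float) -> bool:
        """True if a packet from ip at time now is passed to the CPU, False if it is discarded.

        The rate is enforced as a packet count per one-second window (assumed simplification).
        """
        limit = self.limit_for(ip)
        if limit == 0:
            return True  # suppression disabled for this source
        key = (ip, int(now))
        if self._window[key] < limit:
            self._window[key] += 1
            return True
        self.discarded += 1
        self._window_drops[key] += 1
        # Assumed alarm rule: raise once per window when discards reach the threshold.
        if self.alarm_enabled and self._window_drops[key] == self.alarm_threshold:
            self.alarms.append((int(now), ip))
        return False

    def configuration(self) -> List[Tuple[str, int]]:
        """Rows in the shape of the 'display arp anti-attack configuration' output."""
        rows = sorted(self.per_ip.items())
        rows.append(("Others", self.default_max))
        return rows


def build_example_limiters() -> Tuple[SourceRateLimiter, SourceRateLimiter]:
    """Limiters configured like the chapter's configuration example (constructed values)."""
    arp = SourceRateLimiter(alarm_enabled=True, alarm_threshold=5)
    arp.set_limit(None, 300)          # arp speed-limit source-ip maximum 300
    arp.set_limit("2.2.4.2", 200)     # arp speed-limit source-ip 2.2.4.2 maximum 200
    arp_miss = SourceRateLimiter()
    arp_miss.set_limit(None, 400)     # arp-miss speed-limit source-ip maximum 400
    arp_miss.set_limit("2.2.2.2", 1000)  # arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
    return arp, arp_miss


def replay(limiter: SourceRateLimiter, ip: str, count: int, now: float) -> Tuple[int, int]:
    """Offer count packets from ip within one second; return (passed, dropped)."""
    passed = sum(1 for _ in range(count) if limiter.accept(ip, now))
    return passed, count - passed
```

The "Others" row and the per-address rows returned by configuration() correspond to the two blocks of the display output shown in the Example that follows.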
Procedure
• Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit | all } command to view the configuration of ARP source suppression.
----End
Example
Run the display arp anti-attack configuration all command, and you can view the
configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1            200
10.0.0.3            300
10.0.0.8            0
2.1.1.10            1000
Others              500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1            200
10.0.0.2            300
10.0.0.8            0
2.1.1.10            1000
Others              500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
Run the display arp packet statistics [ slot slot-id ] command to view the statistics on
ARP packets.
----End
Example
Run the display arp packet statistics command, and you can view the statistics on ARP packets.
<Quidway> display arp packet statistics
ARP Pkt Received:               sum 25959
ARP Learnt Count:               sum 3
ARP Pkt Discard For Limit:      sum 0
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other:      sum 23
CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the
command.
Run the following command in the user view to clear the statistics.
Procedure
l
Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP
packets.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the
command.
To clear the statistics on discarded ARP packets, run the following commands in the user view.
Procedure
• Run the reset arp anti-attack statistics check user-bind { global | interface interface-type interface-number } command to clear the statistics on the packets discarded because
  they do not match the binding table.
• Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the
  ARP packets discarded because the transmission rate exceeds the limit.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
If a running fault occurs, run the following debugging commands in the user view to locate the
fault.
Procedure
• Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ]
  command to debug ARP packets.
• Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets.
----End
The server may send several packets with an unreachable destination IP address, and the
number of these packets is larger than the number of packets from common users.
After virus attacks occur on User 1, a large number of ARP packets are sent. Among these
packets, the source IP address of certain ARP packets changes on the local network segment
and the source IP address of certain ARP packets is the same as the IP address of the
gateway.
User 3 constructs a large number of ARP packets with a fixed IP address to attack the
network.
User 4 constructs a large number of ARP packets with an unreachable destination IP address
to attack the network.
It is required that ARP security functions be configured on the S9300 to prevent the preceding
attacks. The suppression rate of ARP Miss packets set on the server should be greater than the
suppression rate of other users.
Figure 4-1 Networking diagram for configuring ARP security functions
[Diagram; labels: S9300, GE1/0/3, Server, GE1/0/1, VLAN10, User1, GE1/0/2, VLAN20, User2, User3, User4]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
   address.
5.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
• Anti-spoofing mode used to prevent attacks initiated by User 1: fixed-mac
• IP address of User 4, which sends a large number of ARP packets: 2.2.4.2/24
• Maximum suppression rate for ARP packets of User 4: 200 pps; maximum suppression rate
  for ARP packets of other users: 300 pps
• Maximum suppression rate for ARP Miss packets of common users: 400 pps; maximum
  suppression rate for ARP Miss packets on the server: 1000 pps
• Interval for writing an ARP log and sending an alarm: 30 seconds
Procedure
Step 1 Enable strict ARP learning.
<Quidway> system-view
[Quidway] arp learning strict
Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address.
# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address to prevent User 1 from sending ARP packets with the bogus gateway address.
[Quidway] arp anti-attack gateway-duplicate enable
# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent all users from
incorrectly sending a large number of ARP packets, set the system-wide suppression rate for ARP
packets to 300 pps.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 200
Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from
sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 400
# Set the suppression rate for ARP Miss packets on the server to 1000 pps to prevent the server
from sending a large number of IP packets with an unreachable destination IP address, and to
prevent network communication from being affected when the rate at which the server sends IP
packets with an unreachable destination IP address does not meet the requirement.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
You can use the display arp-limit command to check the maximum number of ARP entries
learned by the interface.
<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface             LimitNum  VlanID  LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet1/0/1  20        10      0
---------------------------------------------------------------------------
Total:1
You can use the display arp anti-attack configuration all command to check the configuration
of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address          suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.4.2             200
Others              300
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.
You can use the display arp packet statistics command to view the number of discarded ARP
packets and the number of learned ARP entries. In addition, you can also use the display arp
anti-attack gateway-duplicate item command to view information about attacks from the
packets with the forged gateway address on the current network.
<Quidway> display arp packet statistics
ARP Pkt Received:               sum 167
ARP Learnt Count:               sum 8
ARP Pkt Discard For Limit:      sum 5
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other:      sum 3
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 300
arp-miss speed-limit source-ip maximum 400
arp learning strict
arp anti-attack log-trap-timer 30
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
arp speed-limit source-ip 2.2.4.2 maximum 200
#
interface GigabitEthernet 1/0/1
port hybrid pvid vlan 10
port hybrid tagged vlan 10
arp-limit vlan 10 maximum 20
#
interface GigabitEthernet 1/0/2
port hybrid pvid vlan 20
port hybrid tagged vlan 20
arp-limit vlan 20 maximum 20
#
interface GigabitEthernet 1/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
arp-limit vlan 30 maximum 20
#
return
the-middle attacks, you can configure the IP source guard function. After the IP source guard
function is configured on the S9300, the S9300 checks the IP packets according to the binding
table. Only the IP packets that match the content of the binding table can be forwarded; the other
IP packets are discarded. In addition, you can enable the alarm function for discarded packets.
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks
[Diagram; labels: Attacker, GE1/0/2, S9300, GE1/0/1, Server, Client (IP:10.0.0.1/24, MAC:1-1-1, VLAN ID:10)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
• IP address of the client configured in the static binding table: 10.0.0.1/24; MAC address:
  1-1-1; VLAN ID: 10
Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to the client.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit
Run the display arp anti-attack check user-bind interface command, and you can view the
configuration of the IP source guard function on the interface.
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 0
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 20
The preceding information indicates that GE 1/0/1 does not discard ARP packets, whereas GE
1/0/2 has discarded ARP packets. It indicates that the anti-attack function takes effect.
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
arp anti-attack check user-bind alarm threshold 80
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
gigabitethernet 1/0/1 vlan 10
#
interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
#
interface gigabitethernet 1/0/2
IP Source Guard
IP Source Trail
IP Source Guard
IP source guard is a measure to filter the IP packets on interfaces. Thus the invalid packets cannot
pass through the interfaces and the security of the interfaces is improved.
The attacker sends a packet carrying the IP address and MAC address of an authorized user to
the server. The server considers the attacker as an authorized user and learns the IP address and
MAC address. The actual user, however, cannot obtain service from the server. Figure 5-1 shows
the diagram of IP/MAC spoofing attack.
Figure 5-1 Diagram of IP/MAC spoofing attack
[Diagram; labels: DHCP server (IP:1.1.1.1/24, MAC:1-1-1), S9300, DHCP client (IP:1.1.1.3/24, MAC:3-3-3), host (IP:1.1.1.2/24, MAC:2-2-2), Attacker (IP:1.1.1.3/24, MAC:3-3-3)]
To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the
S9300. Then the S9300 matches the IP packets reaching an interface with the entries in the
binding table. If the packets match entries in the binding table, the packets can pass through the
interface; otherwise, the packets are discarded.
IP Source Trail
The IP source trail function is a policy for defending against DoS attacks: it traces the source
of the attack and takes corresponding measures once traffic is judged to be an attack. In the tracing of
the attack sources, the attack sources are judged according to traffic statistics that are collected
based on the destination IP address (victim), source IP address, and inbound interface of packets.
The main process of the IP Source Trail function is as follows:
1.
After confirming that a user is attacked, configure the IP Source Trail function based on
the IP address of the user.
2.
The CPU of the LPU collects statistics about packets with the destination address being the
victim IP address. Such information is regularly sent to the CPU of the main control board
or available upon the request of the main control board.
3.
The main control board confirms the attack source based on the received statistics. The
administrator configures an ACL on the interface directly connected to the possible attack
source and sets the ACL action to deny.
URPF
Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking
packets from bogus source addresses.
As shown in Figure 5-2, S9300-A forges packets with the source address 2.1.1.1 and
sends a request to S9300-B. S9300-B sends a packet to the real source address 2.1.1.1 to respond
to the request. In this way, S9300-A attacks S9300-B and S9300-C by sending the illegal packet.
Figure 5-2 Diagram of the URPF function
[Diagram; labels: S9300-A (1.1.1.1/24, source address 2.1.1.1/24), S9300-B, S9300-C (2.1.1.1/24)]
When a packet is sent to a URPF-enabled interface, URPF obtains the source address and
inbound interface of the packet. URPF searches for the entry corresponding to the source address
in the forwarding table. If the entry is found, URPF checks whether the outbound interface is the
same as the inbound interface of the packet. If the actual inbound interface is different from the
outbound interface found in the forwarding table, the packet is discarded. In this way, URPF can
protect the network against malicious attacks initiated by modifying the source address.
IP Source Guard
The IP Source Guard feature is used to check the IP packets according to the binding table,
including source IP addresses, source MAC addresses, and VLAN. In addition, the S9300 can
check IP packets based on:
• IP+MAC
• IP+VLAN
• IP+MAC+VLAN
• ...
NOTE
IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is
enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from
users.
After the DHCP snooping function is enabled for DHCP users, the binding table is
dynamically generated for the DHCP users.
When users use static IP addresses, you need to configure the binding table by running
commands.
IP Source Trail
NOTE
Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.
• The IP source trail feature of the S9300 is based on the destination IP addresses.
• The IP Source Trail feature is configured according to the IP address of the attacked user.
• The CPU of the LPU collects statistics about packets with the user IP address as the
  destination address. Such information is regularly sent to the CPU of the main control board
  or available when required by the main control board.
  - In brief mode, information about the source address, source interface, total traffic (the
    number of bytes and packets), and the average rate (bps and pps) of the traffic in a period
    of time is exported.
  - In detailed mode, information about the current rate of the traffic, the maximum rate,
    and the start time and end time of the traffic (the query time is displayed if the traffic
    has not ended when it is queried) is exported in addition to the information exported
    in brief mode.
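The brief and detailed statistics described above can be reproduced with a small per-flow aggregator keyed on source address and inbound interface for one traced destination. The Python below is an added example written for this page, not code from the Huawei document or the S9300. Rates are derived from one-second byte and packet counts, and the idle timeout used to decide whether a flow has ended (so that the end time rather than the query time is reported) is an assumption; the packets fed in are constructed sample input.

```python
"""IP source trail: per-source traffic statistics for one attacked destination (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_if: str   # inbound interface
    length: int  # bytes


@dataclass
class FlowStats:
    start: float          # time of the first packet
    end: float            # time of the last packet seen so far
    bytes: int = 0
    pkts: int = 0
    max_bps: int = 0      # highest bits/s observed in any one-second bucket
    _sec: int = -1        # current one-second bucket
    _sec_bytes: int = 0
    _sec_pkts: int = 0


class SourceTrail:
    """Models 'ip source-trail ip-address <victim>': statistics per (source address, inbound interface)."""

    def __init__(self, victim_ip: str, idle_timeout: float = 10.0):
        self.victim = victim_ip
        self.idle_timeout = idle_timeout  # assumed: a flow has ended after this much silence
        self.flows: Dict[Tuple[str, str], FlowStats] = {}

    def observe(self, pkt: Packet, now: float) -> bool:
        """Account for a packet; returns False (ignored) unless it is addressed to the victim."""
        if pkt.dst_ip != self.victim:
            return False
        key = (pkt.src_ip, pkt.in_if)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = FlowStats(start=now, end=now)
        f.bytes += pkt.length
        f.pkts += 1
        f.end = now
        sec = int(now)
        if sec != f._sec:  # new one-second bucket
            f._sec, f._sec_bytes, f._sec_pkts = sec, 0, 0
        f._sec_bytes += pkt.length
        f._sec_pkts += 1
        f.max_bps = max(f.max_bps, f._sec_bytes * 8)
        return True

    def _end_time(self, f: FlowStats, now: float) -> float:
        # Ongoing traffic reports the query time as its end time, as the text describes.
        return f.end if now - f.end >= self.idle_timeout else now

    def _rows(self, now: float, detailed: bool) -> List[dict]:
        rows = []
        for (src, in_if), f in sorted(self.flows.items(), key=lambda kv: -kv[1].bytes):
            end = self._end_time(f, now)
            period = max(end - f.start, 1.0)  # average over at least one second
            row = {"SrcAddr": src, "SrcIF": in_if, "Bytes": f.bytes, "Pkts": f.pkts,
                   "Bits/s": round(f.bytes * 8 / period), "Pkts/s": round(f.pkts / period)}
            if detailed:
                row.update({"CurBits/s": f._sec_bytes * 8 if int(now) == f._sec else 0,
                            "MaxBits/s": f.max_bps, "Start": f.start, "End": end})
            rows.append(row)
        return rows

    def brief(self, now: float) -> List[dict]:
        return self._rows(now, detailed=False)

    def detailed(self, now: float) -> List[dict]:
        return self._rows(now, detailed=True)
```

Rows are ordered by total bytes, so the heaviest sources, the ones an administrator would consider first for an ACL deny on their inbound interface, come first.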
URPF
URPF only functions at the inbound interface of the S9300. If URPF is enabled on an interface,
the URPF check is conducted on packets received by the interface.
The S9300 supports two kinds of URPF check modes: strict check and loose check.
• Strict check: The source addresses of packets must exist in the FIB table of the S9300.
  Packets can be forwarded only when the outbound interface is the same as the inbound
  interface of the packets. Otherwise, packets are dropped.
• Loose check: Regardless of whether the source addresses of packets exist in the FIB table of
  the S9300, or whether the corresponding outbound interfaces match the inbound interfaces
  of the packets, packets are forwarded.
NOTE
The S9300 supports the checking of the source IPv4 addresses and source IPv6 addresses of the packets
passing the inbound interface.
Pre-configuration Tasks
Before configuring IP source guard, complete the following tasks:
l
Data Preparation
To configure IP source guard, you need the following data.
No.    Data
Context
Before forwarding the data of users whose IP addresses are assigned statically, the S9300 cannot
automatically learn the MAC addresses of these users or generate binding table entries for them.
You need to create the binding table entries manually.
Procedure
Step 1 Run:
system-view
Context
After the function of checking IP packets is enabled, the S9300 checks the received IP packets
against the binding table. The check items include the source IPv4 address, source IPv6 address,
source MAC address, VLAN ID, and interface number.
Procedure
Step 1 Run:
system-view
----End
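The check described in the Context above (received IP packets compared against binding entries holding IP address, MAC address, VLAN ID and interface, with the check items chosen per interface) is modelled below. This is an added Python example written for this page, not code from the Huawei document or the S9300. It assumes that only entries bound to the receiving interface are candidates, that static and DHCP-snooping entries have the same shape, and reuses the 100-packet default alarm threshold stated earlier for ARP checking; the hosts and addresses are constructed sample input based on the figures in this chapter.

```python
"""IP source guard: check IP packets against a binding table (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


def normalize_ip(ip: str) -> str:
    """Canonical text form; accepts IPv4 and IPv6 and rejects malformed input."""
    return str(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class BindingEntry:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    src_mac: str
    interface: str  # inbound interface
    vlan: int


class BindingTable:
    """Static entries ('user-bind static ...') and DHCP snooping entries share one shape (assumption)."""

    def __init__(self) -> None:
        self._entries: List[BindingEntry] = []

    def add(self, ip: str, mac: str, interface: str, vlan: int) -> BindingEntry:
        entry = BindingEntry(normalize_ip(ip), mac.lower(), interface, vlan)
        if entry not in self._entries:
            self._entries.append(entry)
        return entry

    def entries_on(self, interface: str) -> List[BindingEntry]:
        return [e for e in self._entries if e.interface == interface]


class IpSourceGuard:
    """Per-interface check, like 'ip source check user-bind enable' with its check-items."""

    VALID_ITEMS = ("ip-address", "mac-address", "vlan")

    def __init__(self, table: BindingTable, interface: str,
                 check_items: Iterable[str] = ("ip-address", "mac-address", "vlan"),
                 alarm_threshold: int = 100) -> None:
        items = tuple(check_items)
        unknown = [i for i in items if i not in self.VALID_ITEMS]
        if unknown:
            raise ValueError(f"unknown check item(s): {unknown}")
        self.table = table
        self.interface = interface
        self.check_items = frozenset(items)
        self.alarm_threshold = alarm_threshold  # assumed default of 100 discarded packets
        self.drop_count = 0                     # like 'packet drop count' in the display output
        self.alarm_raised = False

    def _matches(self, entry: BindingEntry, pkt: IpPacket) -> bool:
        """Only the selected check items must agree with the binding entry."""
        if "ip-address" in self.check_items and entry.ip != normalize_ip(pkt.src_ip):
            return False
        if "mac-address" in self.check_items and entry.mac != pkt.src_mac.lower():
            return False
        if "vlan" in self.check_items and entry.vlan != pkt.vlan:
            return False
        return True

    def check(self, pkt: IpPacket) -> bool:
        """True if the packet may be forwarded, False if it is discarded."""
        if pkt.interface != self.interface:
            raise ValueError("packet did not arrive on the guarded interface")
        # Assumption: only entries bound to this interface are candidates.
        if any(self._matches(e, pkt) for e in self.table.entries_on(self.interface)):
            return True
        self.drop_count += 1
        if self.drop_count >= self.alarm_threshold:
            self.alarm_raised = True
        return False
```

An attacker on a different interface who copies a legitimate host's IP address is rejected even with a matching MAC, because the binding carries the interface; adding "vlan" to the check items additionally rejects packets that arrive in the wrong VLAN.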
Procedure
Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } * } command
to view information about the binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number
command to view the configuration of the IP source guard function on the interface.
----End
CAUTION
If the NetStream function is enabled on the S9300, the IP source trail function cannot be
configured. To enable the IP source trail function, you must disable the NetStream function first.
If the IP source trail function is enabled, the NetStream function cannot be enabled.
For the configuration of the NetStream function, see NetStream Configuration in the Quidway
S9300 Terabit Routing Switch Configuration Guide - Network Management.
Pre-configuration Tasks
Before configuring IP source trail, complete the following task:
l
Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure
that the link layer protocol is in Up state on the interfaces
Data Preparation
To configure IP source trail, you need the following data.
No.    Data
Procedure
• Run the display ip source-trail [ ip-address ip-address ] command to check the statistics
  on IP source trail.
----End
Example
Run the display ip source-trail command, and you can view the statistics on IP source trail.
<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr       SrcIF     Bytes      Pkts      Bits/s   Pkts/s
----------------------------------------------------------------------
198.19.1.8    GE2/0/1   5.151M     114.681K  5.222M   14.534K
198.19.1.11   GE2/0/1   4.825M     107.420K  5.223M   14.535K
198.19.1.7    GE2/0/1   4.433M     98.708K   5.223M   14.537K
198.19.1.5    GE2/0/1   2.868M     63.861K   5.227M   14.546K
198.19.1.9    GE2/0/1   2.215M     49.339K   5.230M   14.553K
198.19.1.3    GE2/0/1   1001.083K  21.762K   5.248M   14.605K
Pre-configuration Tasks
Before configuring URPF, complete the following task:
• Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure
  that the link layer protocol is in Up state on the interfaces
Data Preparation
To configure URPF, you need the following data.
No.    Data
Procedure
Step 1 Run:
system-view
URPF needs to be configured on the physical interface. This is because URPF is implemented on the
physical interface.
Step 3 Run:
urpf { loose | strict } [ allow-default-route ]
When the allow-default-route parameter is not specified and the source address of a packet
does not exist in the FIB table, the packet is discarded in both URPF strict and loose check
mode, even if a default route matches it.
When the allow-default-route parameter is specified and the source address of a packet does
not exist in the FIB table:
• In URPF strict check mode, the packet passes the URPF check and is forwarded if the outgoing
  interface of the default route is the same as the incoming interface of the packet; it is
  discarded if the outgoing interface of the default route differs from the incoming interface.
• In URPF loose check mode, the packet passes the URPF check and is forwarded regardless of
  whether the outgoing interface of the default route is the same as the incoming interface.
----End
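The decision rules of Step 3 above (strict versus loose check, and how allow-default-route changes the outcome when only a default route covers the source address) are implemented below against a small FIB. This is an added Python example written for this page, not the S9300's forwarding code. It assumes the FIB is a list of (prefix, outgoing interface) pairs resolved by longest-prefix match, treats a prefix length of 0 as the default route, and the routes and addresses are constructed sample input.

```python
"""URPF strict/loose check against a FIB, with allow-default-route (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

Fib = List[Tuple[str, str]]  # (prefix in CIDR notation, outgoing interface)

# Constructed sample FIB: a default route plus a few specific routes, IPv4 and IPv6.
SAMPLE_FIB: Fib = [
    ("0.0.0.0/0", "GE1/0/0"),
    ("1.1.1.0/24", "GE1/0/0"),
    ("2.1.1.0/24", "GE2/0/0"),
    ("2001:db8::/32", "GE2/0/0"),
]


def fib_lookup(fib: Fib, src_ip: str) -> Optional[Tuple[int, str]]:
    """Longest-prefix match for src_ip: (prefix length, outgoing interface), or None if no route."""
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, out_if)
    return best


def urpf_check(fib: Fib, src_ip: str, in_if: str, mode: str,
               allow_default_route: bool = False) -> bool:
    """True if the packet passes the URPF check on in_if, False if it is discarded.

    mode is "strict" or "loose", mirroring 'urpf { loose | strict } [ allow-default-route ]'.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown URPF mode: {mode}")
    match = fib_lookup(fib, src_ip)
    if match is None:
        return False  # no route at all for the source: discarded in both modes
    prefixlen, out_if = match
    if prefixlen == 0 and not allow_default_route:
        # Only a default route covers the source address; without allow-default-route
        # the source is treated as absent from the FIB and the packet is discarded.
        return False
    if mode == "loose":
        return True  # loose: reachability of the source is enough
    return out_if == in_if  # strict: the route must point back out of the receiving interface
```

The interesting rows are the spoofed case (a source whose route points out of a different interface passes loose but fails strict) and the default-route case, where only allow-default-route lets the packet through, and strict mode then still requires the default route's interface to be the receiving one.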
Only the S9300 installed with an EA/EC/ED LPU supports this function.
To disable the URPF function, you need to run commands in the traffic behavior view and
associate the traffic behavior and a traffic classifier with a traffic policy.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of URPF are complete.
Procedure
• Run the display this command in the interface view to check whether URPF is enabled on
  the current interface.
----End
Example
Run the display this command to check whether URPF is enabled on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
urpf loose allow-default-route
#
return
Procedure
• Run the reset ip source-trail command to clear all the statistics on IP source trail.
• Run the reset ip source-trail ip-address ip-address command to clear the statistics on IP
  source trail based on a tracing instance.
----End
[Networking diagram; labels: S9300, GE1/0/1, GE1/0/2; Host A (IP:10.0.0.1/24, MAC:1-1-1); Host B (Attacker) (IP:10.0.0.2/24, MAC:2-2-2); packets from Host B carry SIP:10.0.0.1/24, SMAC:2-2-2]
Configuration Roadmap
Assume that the user is configured with an IP address statically. The configuration roadmap is
as follows:
1.
Enable the IP source guard function on the interfaces connected to Host A and Host B.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
This configuration example provides only the commands related to the IP Source Guard configuration.
Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to Host A.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit
The preceding information indicates that Host A exists in the static binding table, whereas Host
B does not exist.
----End
Configuration Files
#
sysname Quidway
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
GigabitEthernet 1/0/1 vlan 10
#
interface GigabitEthernet 1/0/1
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
interface GigabitEthernet 1/0/2
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
return
Networking Requirements
As shown in Figure 5-4, User A is connected to GE 1/0/1 on the S9300. It is required that IP
source trail be enabled on the S9300 so that the attack source can be traced after User A suffers
from DoS attacks.
Figure 5-4 Networking diagram for configuring IP source trail
[Diagram; labels: UserA (10.0.0.3), GE1/0/1, S9300, ISP]
Configuration Roadmap
Configure IP source trail in the system view of the S9300.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure IP source trail based on the destination IP address.
<Quidway> system-view
[Quidway] ip source-trail ip-address 10.0.0.3
----End
Configuration Files
#
sysname Quidway
#
Figure 5-5 Networking diagram for configuring URPF
[Diagram; labels: User network, GE2/0/0, S9300, GE1/0/0, ISP]
Configuration Roadmap
Enable URPF on user side interface GE 2/0/0 of the S9300.
Data Preparation
To complete the configuration, you need the following data:
As shown in Figure 5-5, the network uses symmetric routes. URPF strict check is recommended
in the case of symmetric routes.
URPF takes effect only when unicast routing is working normally. The following configuration
procedure lists only URPF-related configurations; the configurations of IP addresses and
unicast routes are not mentioned.
Procedure
Step 1 Enable URPF on an LPU.
<Quidway> system-view
[Quidway] urpf slot 2
----End
Configuration Files
#
sysname Quidway
#
urpf slot 2
#
interface GigabitEthernet2/0/0
urpf strict allow-default-route
#
return
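The following is an added example, not code from this guide: a Python model of the URPF strict check enabled on GE2/0/0 above. The routing table is constructed for illustration, and the handling of allow-default-route is an assumption of the model (a source matched only by the default route passes when the keyword is set and the default route's outbound interface is the ingress interface).

```python
# Added example (not code from the Huawei guide): a model of the strict URPF
# check with the allow-default-route keyword, as configured on GE2/0/0 above.
import ipaddress

# Constructed unicast routing table for the symmetric-route topology of
# Figure 5-5: (destination prefix, outbound interface).
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet1/0/0"),        # default route towards the ISP
    ("192.168.10.0/24", "GigabitEthernet2/0/0"),   # user network behind GE2/0/0
    ("10.1.0.0/16", "GigabitEthernet2/0/0"),
]


def route_lookup(ip, routes=ROUTES):
    """Longest-prefix match for ip; returns (network, outbound interface) or None."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_permits(src_ip, ingress, allow_default_route=False, routes=ROUTES):
    """Strict URPF check on the ingress interface.

    The route back to the packet's source address must leave through the
    interface the packet arrived on. Modelled allow-default-route behaviour
    (assumption): a source matched only by the default route is accepted when
    the keyword is set and the default route's outbound interface is the
    ingress interface; without the keyword such sources are always dropped.
    """
    match = route_lookup(src_ip, routes)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0:
        return allow_default_route and iface == ingress
    return iface == ingress


def urpf_filter(packets, ingress, allow_default_route=False, routes=ROUTES):
    """Apply the check to (src_ip, dst_ip) pairs; return (passed, dropped)."""
    passed = [p for p in packets
              if urpf_strict_permits(p[0], ingress, allow_default_route, routes)]
    dropped = [p for p in packets if p not in passed]
    return passed, dropped


if __name__ == "__main__":
    # Constructed packets arriving on the user-side interface GE2/0/0.
    sample = [("192.168.10.5", "8.8.8.8"), ("203.0.113.7", "8.8.8.8")]
    print(urpf_filter(sample, "GigabitEthernet2/0/0", allow_default_route=True))
```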
Whitelist
A whitelist refers to a group of valid users or users with high priorities. You can set the
whitelist by defining ACLs. Then packets matching the whitelist are sent first. In addition,
existing services and user services with high priority are protected. Valid users that
normally access the system and the users with the high priority can be added to the whitelist.
Blacklist
A blacklist refers to a group of invalid users. You can define the blacklist through ACL
rules. Then, the packets matching the blacklist are discarded. The invalid users that are
involved in attacks can be added to the blacklist.
User-defined flows
Users can define ACL rules for the user-defined flows. When unknown attacks occur on
the network, you can flexibly specify the characteristics of the attack data flows and limit
the data flows that match the specified characteristic.
CAR
CAR sets the rate at which classified packets are sent to the CPU. You can set the
committed information rate (CIR, also called the average rate) and the committed burst size
(CBS). By setting different CAR rules for different types of packets, you reduce the
interference between packet types and protect the CPU. CAR can also set the total rate of
packets sent to the CPU. When the total rate exceeds the upper limit, the system discards
the excess packets, avoiding CPU overload.
Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks.
Connecting interfaces and setting the physical parameters of each interface to make the
physical layer in Up state
(Optional) If the attack defense policy needs to be applied to the main control board, install
a flexible plug-in card to the main control board
Data Preparation
To configure an attack defense policy, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Context
You can create a blacklist and add users matching the specific characteristic into the blacklist.
The packets sent from the users in the blacklist are discarded by default. The S9300 supports
the flexible setting of the blacklist through ACLs.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a layer 2
ACL. For the configuration procedure, see 11.3 Configuring an ACL.
----End
The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the
latest setting takes effect.
Procedure
Step 1 Run:
system-view
CAR is configured for packets destined for the CPU and the rate threshold is set.
Step 4 (Optional) Run:
deny { packet-type packet-type | user-defined-flow flow-id }
The action performed for the packets destined for the CPU is set to deny.
By default, the CAR is set on the S9300 for packets destined for the CPU. The default CAR can
be viewed through the display cpu-defend configuration command.
----End
When the attack defense policy is applied on the LPU, the cpu-defend-policy command can be run in either
the system view or the slot view, but not in both. That is, if the cpu-defend-policy command is run in the
system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly,
if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global
specified cannot be run in the system view.
Procedure
Run:
system-view
Run:
cpu-defend-policy policy-number [ global ]
If you do not specify global in the command, the attack defense policy is applied
on the main control board. A flexible plug-in card needs to be installed on the main
control board to support the application.
If you specify global in the command, the attack defense policy is applied on all
the LPUs.
Run:
system-view
Run:
slot slot-id
Run:
cpu-defend-policy policy-number
Run the display cpu-defend policy command to view the information about the attack
defense policy.
Run the display cpu-defend [ packet-type ] statistics [ all | slot slot-id ] command to view
statistics about packets directing at the CPU.
----End
Example
Run the display cpu-defend policy 8 command to view the information about attack defense
policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
1 : CIR(64) CBS(10000)
2 : CIR(64) CBS(10000)
3 : CIR(64) CBS(10000)
4 : CIR(64) CBS(10000)
5 : CIR(64) CBS(10000)
6 : CIR(64) CBS(10000)
7 : CIR(64) CBS(10000)
8 : CIR(64) CBS(10000)
Run the display cpu-defend tcp statistics slot 4 command to view statistics about TCP packets directing
at the CPU.
<Quidway> display cpu-defend tcp statistics slot 4
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type   Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
tcp           0             0             0               0
-------------------------------------------------------------------------------
Pre-configuration Tasks
Before configuring attack source tracing, complete the following task.
Connecting interfaces and setting the physical parameters of each interface to make the
physical layer in Up state
(Optional) If the attack defense policy needs to be applied to the main control board, install
a flexible service unit to the main control board.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Data Preparation
To configure attack source tracing, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
When the attack defense policy is applied on the LPU, the cpu-defend-policy command can be run in either
the system view or the slot view, but not in both. That is, if the cpu-defend-policy command is run in the
system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly,
if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global
specified cannot be run in the system view.
Procedure
Run:
system-view
Run:
cpu-defend-policy policy-number [ global ]
If you do not specify global in the command, the attack defense policy is applied
on the main control board. A flexible plug-in card needs to be installed on the main
control board to support the application.
If you specify global in the command, the attack defense policy is applied on all
the LPUs.
Run:
system-view
Run:
Run:
cpu-defend-policy policy-number
Run the display cpu-defend policy policy-number command to view the attack defense
policy.
Run the display auto-defend attack-source [ slot slot-id ] command to view the list of
attack sources configured globally or in a specified slot.
----End
Example
Run the display cpu-defend policy 8 command to view the information about attack defense
policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
Related slot : <4>
Configuration :
Car user-defined-flow 1 : CIR(64) CBS(10000)
Car user-defined-flow 2 : CIR(64) CBS(10000)
Car user-defined-flow 3 : CIR(64) CBS(10000)
Car user-defined-flow 4 : CIR(64) CBS(10000)
Car user-defined-flow 5 : CIR(64) CBS(10000)
Car user-defined-flow 6 : CIR(64) CBS(10000)
Car user-defined-flow 7 : CIR(64) CBS(10000)
Car user-defined-flow 8 : CIR(64) CBS(10000)
Run the display auto-defend attack-source slot 4 command to view the attack source of the
LPU in slot 4.
<Quidway> display auto-defend attack-source slot 4
-- Attack Source Port Table (LPU4) ---------------------------------------------
InterfaceName          Vlan:Outer/Inner   TOTAL
--------------------------------------------------------------------------------
GigabitEthernet3/0/0   199/299            156464
--------------------------------------------------------------------------------
-- Attack Source User Table (LPU4) ---------------------------------------------
InterfaceName          Vlan:Outer/Inner   MacAddress       ARP      DHCP   IGMP   TOTAL
--------------------------------------------------------------------------------
GigabitEthernet3/0/0   199/299            0003-5556-3244   143111   0      0      143111
--------------------------------------------------------------------------------
CAUTION
Statistics about ARP packets cannot be restored after being cleared. So, confirm the action before you
use the command.
Procedure
Step 1 Run the reset cpcar [ packet-type ] statistics [ all | slot slot-id ] command to clear statistics
about packets directing at the CPU.
----End
CAUTION
Statistics about ARP packets cannot be restored after being cleared. So, confirm the action before
you use the command.
Procedure
Step 1 Run the reset auto-defend attack-source [ slot slot-id ] command to clear statistics about attack
sources.
----End
Users on net1 are authorized users; therefore, they are added to the whitelist so that their
packets are always forwarded.
Users on net2 are authorized but not fixed users, so you need to separately define the
rule for sending the packets of net2 users to the CPU and limit the CIR to 5 Mbit/s.
Users on net3 often attack the network; therefore, they are added to the blacklist. In this
manner, they cannot access the network.
Figure 6-1 Networking diagram for configuring the attack defense policy (diagram labels: GE1/0/1, GE2/0/1, Net1: 1.1.1.0/24, Internet, GE1/0/2, S9300, Net2: 2.2.2.0/24, GE1/0/3, Net3: 3.3.3.0/24)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure the ACL and define rules for filtering the packets to be sent to the CPU.
2.
Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Slot number of the LPU on which the attack defense policy is applied
NOTE
The following provides only the configuration procedure of the local attack defense feature supported by
the S9300. For details on the routing configuration, see the Quidway S9300 Terabit Routing Switch
Configuration Guide - IP Routing.
Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.
# Define the ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002
[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit
[Quidway] slot 2
[Quidway-slot-2] cpu-defend-policy 6
[Quidway-slot-2] quit
----End
Configuration Files
#
sysname Quidway
#
acl number 2001
rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
whitelist 1 acl 2001
blacklist 1 acl 2003
user-defined-flow 1 acl 2002
car user-defined-flow 1 cir 5000 cbs 940000
#
slot 1
cpu-defend-policy 6
#
slot 2
cpu-defend-policy 6
#
return
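The following is an added example, not code from this guide. It is a Python model of attack defense policy 6 configured above, and it also illustrates the CAR description earlier in this chapter and the basic ACL matching (source address plus wildcard mask) described in the ACL chapter. The matching order of whitelist, blacklist and user-defined flows, the token-bucket details and the helper names are assumptions of the model.

```python
# Added example (not code from the Huawei guide): a model of attack defense
# policy 6 above. Packets destined for the CPU are classified by basic ACL into
# the whitelist, blacklist or user-defined flow 1, and the user-defined flow is
# rate-limited by a CAR token bucket with the configured CIR (kbit/s) and CBS (bytes).
import ipaddress


def acl_basic_match(src_ip, rule_ip, wildcard):
    """Basic ACL rule 'permit source rule_ip wildcard': wildcard bits set to 1
    are ignored, so 1.1.1.0 0.0.0.255 matches the whole 1.1.1.0/24 network."""
    s = int(ipaddress.IPv4Address(src_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (r & care)


# Constructed rule table mirroring acl 2001, 2002 and 2003 in the configuration file.
ACLS = {
    2001: ("1.1.1.0", "0.0.0.255"),   # net1: whitelist
    2002: ("2.2.2.0", "0.0.0.255"),   # net2: user-defined flow 1
    2003: ("3.3.3.0", "0.0.0.255"),   # net3: blacklist
}


class Car:
    """Token bucket with CIR in kbit/s and CBS in bytes, as in 'car ... cir cbs'."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0   # token refill, bytes per second
        self.cbs = float(cbs_bytes)
        self.tokens = float(cbs_bytes)      # bucket starts full
        self.last = 0.0

    def conform(self, size, now):
        """Consume 'size' bytes at time 'now' (seconds); False means discard."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class CpuDefendPolicy:
    """cpu-defend policy 6: whitelist 1 acl 2001, blacklist 1 acl 2003,
    user-defined-flow 1 acl 2002, car user-defined-flow 1 cir 5000 cbs 940000.
    Assumption of this model: lists are checked in the order whitelist,
    blacklist, user-defined flows (the three networks here do not overlap)."""

    def __init__(self):
        self.whitelist = [2001]
        self.blacklist = [2003]
        self.flows = {1: 2002}
        self.cars = {1: Car(5000, 940000)}

    def _hits(self, acl_num, src_ip):
        return acl_basic_match(src_ip, *ACLS[acl_num])

    def action(self, src_ip, size, now):
        if any(self._hits(a, src_ip) for a in self.whitelist):
            return "whitelist-pass"       # valid users: sent to the CPU first
        if any(self._hits(a, src_ip) for a in self.blacklist):
            return "blacklist-drop"       # attackers: discarded
        for flow_id, acl_num in self.flows.items():
            if self._hits(acl_num, src_ip):
                ok = self.cars[flow_id].conform(size, now)
                return "car-pass" if ok else "car-drop"
        return "default-car"              # falls under the default CPCAR of its packet type


def burst(policy, src_ip, size, count, now):
    """Send 'count' packets of 'size' bytes at the same instant; return action counts."""
    counts = {}
    for _ in range(count):
        a = policy.action(src_ip, size, now)
        counts[a] = counts.get(a, 0) + 1
    return counts


if __name__ == "__main__":
    policy = CpuDefendPolicy()
    print(policy.action("1.1.1.10", 1500, 0.0), policy.action("3.3.3.3", 64, 0.0))
    # 940000-byte CBS admits 940 back-to-back 1000-byte packets from net2, then drops
    print(burst(policy, "2.2.2.9", 1000, 1000, 0.0))
```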
7 PPPoE+ Configuration
Pre-configuration Tasks
None.
Data Preparation
To configure PPPoE+, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
The format and contents of fields to be added to PPPoE packets are set.
After the pppoe intermediate-agent information format command is run in the system view,
all the interfaces add fields in specified format to the received PPPoE packets.
----End
Procedure
Step 1 Run:
system-view
The action for all the interfaces to process original fields in PPPoE packets is configured.
keep: reserves the contents and format of original fields in PPPoE packets.
replace: replaces the original fields in PPPoE packets according to the set field format
regardless of whether the packets carry the fields.
By default, the user-side interface on the S9300 replaces the original fields in the received PPPoE
packets after PPPoE+ is enabled globally.
Step 3 (Optional) Run:
interface interface-type interface-number
The action for all the interfaces to process original fields in PPPoE packets is configured.
----End
sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only.
In addition, only the PPPoE packets received from the trusted interface are forwarded to the
PPPoE client.
NOTE
The trusted interface only controls protocol packets in PPPoE discovery period, and does not control service
packets in PPPoE session period.
Procedure
Step 1 Run:
system-view
Run the display pppoe intermediate-agent information policy command to check the
globally set action for processing original fields in PPPoE packets.
----End
(Networking diagram labels: IP network, BRAS / PPPoE server, GE1/0/0, PPPoE+, S9300, GE2/0/1, GE2/0/2, PPPoE client, PPPoE client)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure the contents and format of fields to be added to PPPoE packets on the S9300.
3.
4.
Configure the interface connecting the S9300 and the PPPoE server as the trusted interface.
Data Preparation
None.
Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable
Step 3 Configure the action for processing original fields in PPPoE packets.
Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the
S9300.
[Quidway] pppoe intermediate-agent information policy replace
----End
Configuration Files
#
sysname Quidway
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet1/0/0
pppoe uplink-port trusted
#
return
8 MFF Configuration
Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer
2 isolation and Layer 3 interconnection between clients. When many users need to be isolated
on Layer 2, a large number of VLANs are required. In addition, to enable the clients to
communicate on Layer 3, each VLAN must be assigned an IP network segment and each
VLANIF interface needs an IP address. This wastes IP addresses. In addition, the network is
vulnerable to attack, and malicious attacks from users on the network cannot be prevented.
The MFF function provides a solution to this problem and implements Layer 2 isolation and
Layer 3 interconnection between the clients in a broadcast domain. The MFF intercepts the ARP
requests from users and replies with ARP responses containing the MAC address of the gateway
through the ARP proxy. In this manner, the MFF forces users to send all traffic, including the
traffic on the same subnet, to the gateway so that the gateway can monitor data traffic. This
prevents malicious attacks and improves network security.
User interface
A user interface is an interface directly connected to users.
MFF processes packets on a user interface as follows:
If the interface has learned the MAC address of the gateway, MFF allows the unicast
packets whose destination MAC address is the MAC address of the gateway to pass
through and discards other packets. If the interface has not learned the MAC address of
the gateway, MFF discards all packets.
Network interface
A network interface is an interface connected to another network device, for example, an
access switch, an aggregate switch, or a gateway.
MFF processes packets on a network interface as follows:
NOTE
Interfaces connected to other MFF devices when multiple MFF devices are deployed on the
network
On a VLAN where MFF is enabled, an interface must be a network interface or a user interface.
Static Gateway
The static gateway is applicable to the scenario where the IP addresses are set statically. When
users are assigned IP addresses statically, the users cannot obtain the gateway information
through the DHCP packets. In this case, a static gateway address needs to be configured for each
VLAN. If the static gateway address is not configured, all the users cannot communicate with
each other except for the DHCP users.
ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP
proxy reduces the number of broadcast packets at the network side and user side.
The MFF processes ARP packets as follows:
Monitors the ARP packets on the network and updates the IP address and MAC address of
the gateway.
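The following is an added example, not code from this guide: a Python model of how an MFF-enabled VLAN treats frames on a user interface (as described under "User interface" above) and answers user ARP requests through the ARP proxy. It assumes the gateway IP address is already known from the static gateway or DHCP snooping and that the gateway MAC is learned from ARP packets seen on a network interface; the frame fields and helper names are simplifications of the model.

```python
# Added example (not code from the Huawei guide): a model of MFF processing on
# a user interface and of the ARP proxy. The gateway IP comes from the static
# gateway or DHCP snooping (passed in); the gateway MAC is learned from ARP
# packets observed on a network interface. Frame fields are simplified.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str                        # "unicast", "broadcast" or "arp-request"
    sender_ip: Optional[str] = None  # ARP sender protocol address
    target_ip: Optional[str] = None  # ARP target protocol address


class MffVlan:
    def __init__(self, vlan_id, gateway_ip):
        self.vlan_id = vlan_id
        self.gateway_ip = gateway_ip
        self.gateway_mac = None   # unknown until seen on a network interface
        self.users = {}           # user IP -> user MAC

    def network_port_arp(self, sender_ip, sender_mac):
        """ARP packet observed on a network interface: refresh the gateway entry."""
        if sender_ip == self.gateway_ip:
            self.gateway_mac = sender_mac

    def user_port_frame(self, frame):
        """Action taken for a frame received on a user interface."""
        if self.gateway_mac is None:
            return "drop"                 # gateway MAC not learned: discard everything
        if frame.kind == "arp-request":
            self.users[frame.sender_ip] = frame.src_mac
            # ARP proxy: the request is intercepted and answered with the
            # gateway MAC, even for a target on the same subnet, so all user
            # traffic is forced through the gateway.
            return "proxy-reply:" + self.gateway_mac
        if frame.kind == "unicast" and frame.dst_mac == self.gateway_mac:
            return "forward"
        return "drop"                     # anything not addressed to the gateway

    def user_table(self):
        """Rows like 'display mac-forced-forwarding vlan': user IP/MAC, gateway IP/MAC."""
        return [(ip, mac, self.gateway_ip, self.gateway_mac)
                for ip, mac in sorted(self.users.items())]


if __name__ == "__main__":
    # Constructed VLAN 100 with gateway 192.168.1.254, as in the display output above.
    vlan = MffVlan(100, "192.168.1.254")
    vlan.network_port_arp("192.168.1.254", "00-02-00-02-00-01")
    req = Frame("00-01-00-01-00-01", "ff-ff-ff-ff-ff-ff", "arp-request",
                "192.168.1.10", "192.168.1.11")
    print(vlan.user_port_frame(req))
    print(vlan.user_table())
```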
Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks.
If DHCP users exist, you need to perform the following operations:
Data Preparation
To configure the MFF function, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
This task can be performed before the global MFF is enabled; however, it takes effect only after the global
MFF is enabled.
Procedure
Step 1 Run:
system-view
Run the display mac-forced-forwarding vlan vlan-id command to view information about
MFF users and gateway on the VLAN.
----End
Example
Run the display mac-forced-forwarding network-port command, and you can see information
about the network-side interface matching the MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
-------------------------------------------------------------------------------
VLAN ID        Network-ports
-------------------------------------------------------------------------------
VLAN 10        GigabitEthernet2/0/0
               GigabitEthernet2/0/1
               GigabitEthernet2/0/2
               GigabitEthernet2/0/3
VLAN 100       GigabitEthernet1/0/10
               GigabitEthernet1/0/15
Run the display mac-forced-forwarding vlan vlan-id command, and you can see information
about MFF users and gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers:
192.168.1.2
192.168.1.3
-------------------------------------------------------------------
User IP          User MAC            Gateway IP        Gateway MAC
-------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01   192.168.1.254     00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02   192.168.1.254     00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03   192.168.1.252     00-02-00-02-00-03
-------------------------------------------------------------------
[Vlan 100] MFF host total count = 3
(Networking diagram labels: GE1/0/0, 10.10.10.1/24, GE2/0/2, S9300-B, GE2/0/1, GE2/0/1, S9300-A, GE1/0/1, GE1/0/3, GE1/0/2)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
6.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] dhcp enable
[S9300-A] dhcp snooping enable
# Enable DHCP snooping on the interfaces of the S9300-A. Take the configuration on GE 1/0/1
as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar to the
configuration on GE 1/0/1 and are not mentioned here.
[S9300-A] interface gigabitethernet 1/0/1
[S9300-A-GigabitEthernet1/0/1] dhcp snooping enable
[S9300-A-GigabitEthernet1/0/1] quit
# Enable global DHCP snooping on S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] dhcp enable
[S9300-B] dhcp snooping enable
# Enable DHCP snooping on the interfaces of the S9300-B. Take the configuration on GE 1/0/0
as an example. The configurations on GE 2/0/1 and GE 2/0/2 are similar to the configuration on
GE 1/0/0 and are not mentioned here.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping enable
[S9300-B-GigabitEthernet1/0/0] quit
----End
Configuration Files
#
sysname S9300-A
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
mac-forced-forwarding enable
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/1
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet1/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet1/0/3
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
mac-forced-forwarding network-port
#
return
#
sysname S9300-B
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
mac-forced-forwarding enable
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
mac-forced-forwarding network-port
#
interface gigabitethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
mac-forced-forwarding network-port
#
interface gigabitethernet2/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
return
Dynamic MAC addresses learned before the number of MAC addresses reaches the upper
limit
The S9300 considers other types of MAC addresses unauthorized. When an interface receives
the packets sent from unauthorized MAC addresses, the interface security function takes effect.
Currently, the S9300 supports the following protection actions in interface security:
protect: When an interface receives the packets sent from unauthorized MAC addresses, it
does not learn the source MAC addresses of the packets or forward the packets. Instead,
the interface directly discards them.
restrict: When an interface receives the packets sent from unauthorized MAC addresses, it
does not learn the source MAC addresses of the packets or forward the packets. Instead,
the interface directly discards them and sends a trap to the Network Management System
(NMS).
Pre-configuration Tasks
None.
Data Preparation
Before configuring interface security, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
If the sticky MAC function is disabled, this task can limit the maximum number of MAC addresses
dynamically learned by an interface.
If the sticky MAC function is enabled, this task can limit the maximum number of sticky MAC
addresses learned by an interface.
For the sticky MAC function, see 9.3.5 Enabling Sticky MAC on an Interface.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Run the display sticky-mac command to view the sticky MAC entries.
----End
Example
Run the display sticky-mac command, and you can view the sticky MAC address entries.
<Quidway> display sticky-mac interface GigabitEthernet 2/0/1
MAC Address        VLAN/VSI   Port                    Type
----------------------------------------------------------------------
0018-2000-0083     1          GigabitEthernet2/0/1    sticky mac
Total 1 printed
(Networking diagram labels: Internet, S9300, GE1/0/1, LAN switch, PC 1, PC 2, PC 3, VLAN 10)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN and set the VLAN attribute of the interface to trunk.
2.
3.
4.
Set the maximum number of MAC addresses that can be learned by the interfaces.
5.
Data Preparation
To complete the configuration, you need the following data:
Protection action
Procedure
Step 1 Create a VLAN and set the VLAN attribute of the interface.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security maximum 4
To enable the interface security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.
----End
Configuration Files
The following lists the configuration files of the S9300.
#
sysname Quidway
#
interface GigabitEthernet1/0/1
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security maximum 4
#
return
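The following is an added example, not code from this guide: a Python model of the interface security configured on GE1/0/1 above (port-security enable, sticky MAC, maximum 4, protect action) together with the alternative restrict action described earlier in this chapter. The MAC addresses, the trap format and the helper names are constructed for the model.

```python
# Added example (not code from the Huawei guide): a model of interface security
# with sticky MAC learning, a maximum number of MAC addresses and the protect
# or restrict action for frames from unauthorized MAC addresses.
class PortSecurity:
    def __init__(self, interface, maximum=4, protect_action="protect"):
        if protect_action not in ("protect", "restrict"):
            raise ValueError("protect_action must be 'protect' or 'restrict'")
        self.interface = interface
        self.maximum = maximum
        self.protect_action = protect_action
        self.sticky_macs = []     # learned sticky MAC entries (mac, vlan), in order
        self.traps = []           # trap messages sent to the NMS (restrict only)

    def receive(self, src_mac, vlan):
        """Return the action for a frame with the given source MAC on this interface."""
        if (src_mac, vlan) in self.sticky_macs:
            return "forward"                          # secure MAC already learned
        if len(self.sticky_macs) < self.maximum:
            self.sticky_macs.append((src_mac, vlan))  # learned as a sticky MAC
            return "forward"
        # Unauthorized MAC: not learned, not forwarded, discarded directly ...
        if self.protect_action == "restrict":
            # ... and, with restrict, a trap is also sent to the NMS (constructed format)
            self.traps.append(
                f"{self.interface}: unauthorized MAC {src_mac} in VLAN {vlan}")
            return "drop+trap"
        return "drop"

    def sticky_mac_table(self):
        """Rows in the shape of 'display sticky-mac': MAC, VLAN, port, type."""
        return [(mac, vlan, self.interface, "sticky mac")
                for mac, vlan in self.sticky_macs]


if __name__ == "__main__":
    # Constructed MAC addresses for PCs behind the LAN switch in VLAN 10.
    port = PortSecurity("GigabitEthernet1/0/1", maximum=4, protect_action="protect")
    for mac in ("0018-2000-0081", "0018-2000-0082", "0018-2000-0083", "0018-2000-0084"):
        print(mac, port.receive(mac, 10))
    # A PC swapped in after the limit is reached is refused (verification step above).
    print("0018-2000-0099", port.receive("0018-2000-0099", 10))
    for row in port.sticky_mac_table():
        print(*row)
```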
Pre-configuration Tasks
None
Data Preparation
To configure traffic suppression, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
To configure traffic suppression based on the packet rate, you must select the packets
parameter.
To configure traffic suppression based on the bit rate, you must select the cir and cbs
parameters.
To configure traffic suppression based on the bandwidth percentage, you must select the
percent-value parameter.
Suppression based on bandwidth percentage is equivalent to suppression based on packet rate.
Assume the bandwidth of an interface is bandwidth (kbit/s). The percent-value parameter is then
equivalent to the packets keyword value given by (bandwidth x percent x 1000 x 1000/(84 x 8)). Here, 84
is the average packet length in bytes (the 64-byte packet body plus 20 bytes of frame spacing and
check information), and 8 is the number of bits in a byte.
If traffic suppression based on the bit rate is set for one type of traffic on an interface, the bandwidth
percentage set for the other types of traffic is converted to a bit rate through the following formula:
Bit rate = Bandwidth of the interface x Percentage.
The traffic limit in pps for one type of packets cannot be set together with a traffic limit based on bit
rate for other types of packets on the same interface. For example, if the bit rate for multicast packets
is set on an interface, you cannot set the traffic limit in pps for broadcast packets.
If traffic suppression is already configured for a type of traffic on an interface and is configured again
for the same type of traffic at a different rate, the latest configuration overrides the previous
configuration.
----End
Procedure
----End
Example
Run the display flow-suppression interface interface-type interface-number command, and
you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 1/0/0
storm type          rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast     bps           cir: 1000(kbit/s), cbs: 188000(byte)
multicast           bps           cir: 1000(kbit/s), cbs: 188000(byte)
broadcast           bps           cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------
Networking Requirements
As shown in Figure 10-1, the S9300 is connected to the Layer 2 network and Layer 3 router.
To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer
2 network, you can configure traffic suppression on GE 1/0/2.
Figure 10-1 Networking diagram for configuring traffic suppression (diagram labels: L2 network, GE1/0/3, GE1/0/2, L3 network, S9300)
Configuration Roadmap
Configure traffic suppression in the interface view of GE 1/0/2.
Data Preparation
To complete the configuration, you need the following data:
Traffic suppression for broadcast and unknown unicast packets based on the bit rate
Maximum rate of broadcast and unknown unicast packets being 100 kbit/s after traffic
suppression is configured
Maximum rate of multicast packets being 80 percent of the interface rate after traffic
suppression is configured
Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/2
-------------------------------------------------------------------------------
unknown-unicast     bps           cir: 100(kbit/s), cbs: 18800(byte)
multicast           percent       percent: 80%
broadcast           bps           cir: 100(kbit/s), cbs: 18800(byte)
-------------------------------------------------------------------------------
----End
Configuration Files
#
sysname Quidway
#
interface gigabitethernet 1/0/2
unicast-suppression cir 100 cbs 18800
multicast-suppression percent 80
broadcast-suppression cir 100 cbs 18800
#
return
11 ACL Configuration
In this manual, the ACL refers to the access control list used to filter IPv4 packets, and the ACL6 refers
to the access control list used to filter IPv6 packets.
Classification of ACLs
The S9300 supports basic ACLs, advanced ACLs, and Ethernet frame header ACLs for IPv4
packets.
Basic ACLs: classify and define data packets according to their source addresses,
fragmentation flag, and effective time range.
Advanced ACLs: classify and define data packets in finer detail according to the source
address, destination address, source port number, destination port number, protocol type,
precedence, and effective time range.
Frame header-based ACLs: classify and define data packets according to the source MAC
address, destination MAC address, and protocol type.
The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
A basic ACL6 can use the source IP address, fragmentation flag, and effective time range
as the elements of rules.
An advanced ACL6 can use the source IP address and destination IP address of data packets,
protocol type supported by IP, features of the protocol such as the source port number and
destination port number, ICMPv6 protocol, and ICMPv6 Code as the elements of rules.
Application of ACLs
ACLs defined on the S9300 can be applied in the following scenarios:
Hardware-based application: The ACL is sent to the hardware. For example, when QoS is
configured, the ACL is imported to classify packets. Note that when the ACL is imported
by QoS, the packets matching the ACL rule in deny mode are discarded. If the action in
the ACL is set to be in permit mode, the packets matching the ACL are processed by the
S9300 according to the action defined by the traffic behavior in QoS. For details on the
traffic behavior, see the Quidway S9300 Terabit Routing Switch Configuration Guide QoS.
Software-based application: When the ACL is imported by the upper-layer software, for
example, the ACL is imported when the control function is configured for login users, you
can use the ACL to control FTP, Telnet and SSH users. When the S9300 functions as a
TFTP client, you can configure an ACL to specify the TFTP servers that the S9300 can
access through TFTP.
When the ACL is imported by the upper-layer software, the packets matching the ACL are
processed by the S9300 according to the action deny or permit defined in the ACL. For
details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration
Guide - Basic Configurations.
NOTE
When the ACL is sent to the hardware and is imported by QoS to classify packets, the S9300 does not
process packets according to the action defined in the traffic behavior, if the packets does not match
the ACL rule.
When the ACL is imported by the upper-layer software and is used to control FTP , Telnet or SSH
login users, the S9300 discards the packets, if the packets does not match the ACL rule.
Context
NOTE
11.3.5 Configuring a Basic ACL, 11.3.6 Configuring an Advanced ACL, and 11.3.7 Configuring a
Layer 2 ACL are optional and can be configured as required.
Pre-configuration Tasks
None.
Data Preparation
To configure an ACL, you need the following data.
No.  Data
1    Name of the time range when the ACL takes effect, and its start time and end time
2    Number of the ACL rule and the rule that identifies the type of packets, including
     protocol, source address, source port, destination address, destination port, the type
     and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of
     Service (ToS) value
Specify the number of the ACL. For example, an ACL numbered from 2000 to 2999 is a basic
ACL, and an ACL numbered from 3000 to 3999 is an advanced ACL.
Set the match order of the ACL rules. This parameter is optional. By default, the match order is config.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An ACL is created.
To create a basic ACL, set acl-number to a value from 2000 to 2999.
To create an advanced ACL, set acl-number to a value from 3000 to 3999.
To create a layer 2 ACL, set acl-number to a value from 4000 to 4999.
----End
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }
A time range is created. Run the command once for each periodic or absolute segment; all
segments configured with the same time-name belong to one time range.
For example, the time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on
Saturday and Sunday in the year 2009.
----End
Postrequisite
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no
time range is specified for the ACL, the ACL is always effective until it is deleted or the rules
of the ACL are deleted.
The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.
By default, no description is configured for an ACL.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
config: indicates that the rules are matched in the configuration order.
When protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram
Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port eq port | time-range time-name | tos tos ] *
When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
dscp dscp and precedence precedence cannot be specified at the same time.
----End
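The following Python model is an added illustration, not code from the Huawei guide or the switch. It models the rule evaluation described in the Application of ACLs note and in the rule syntax above: wildcard-mask matching (a 1 bit in the wildcard means "do not care"), rule-id numbering with the default step of 5, first-match evaluation in config order, inactive time ranges, and the different fate of an unmatched packet under a QoS traffic policy (left alone) versus login user control (discarded). The ACL numbers and packet dictionaries are constructed from the page's examples; the auto ordering is approximated by counting wildcard bits, which is an assumption rather than the switch's exact algorithm.

```python
"""Added model of S9300 ACL rule evaluation (illustrative, not device code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STEP = 5  # default step: rule ids are assigned 5, 10, 15, ...


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches any IPv4 protocol
    source: str = "any"             # "address wildcard" or "any"
    destination: str = "any"
    dport: Optional[int] = None     # destination-port eq port
    time_range_active: bool = True  # outcome of the rule's time-range check


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    return (_ip(addr) & ~_ip(wild)) == (_ip(base) & ~_ip(wild))


def normalize(spec: str) -> str:
    """How the switch stores a rule: bits covered by the wildcard are zeroed,
    so 'source 10.0.0.2 0.0.0.255' is saved as 'source 10.0.0.0 0.0.0.255'."""
    if spec == "any":
        return spec
    base, wild = spec.split()
    return f"{ipaddress.IPv4Address(_ip(base) & ~_ip(wild) & 0xFFFFFFFF)} {wild}"


def _wild_bits(spec: str) -> int:
    return 32 if spec == "any" else bin(_ip(spec.split()[1])).count("1")


@dataclass
class Acl:
    number: int
    rules: list
    match_order: str = "config"

    @classmethod
    def build(cls, number: int, specs: list, match_order: str = "config") -> "Acl":
        """Number the rules the way the switch does with the default step."""
        return cls(number, [Rule(STEP * (i + 1), **s) for i, s in enumerate(specs)], match_order)

    def ordered(self) -> list:
        if self.match_order == "config":
            return list(self.rules)
        # auto = depth first: narrower address ranges are tried first. Ranking by
        # wildcard bit count is an approximation assumed here, not the device algorithm.
        return sorted(self.rules, key=lambda r: (_wild_bits(r.source) + _wild_bits(r.destination), r.rule_id))

    def match(self, pkt: dict) -> Optional[Rule]:
        """First active rule whose fields all match wins; None if nothing matches."""
        for r in self.ordered():
            if (r.time_range_active
                    and r.protocol in ("ip", pkt["proto"])
                    and wildcard_match(pkt["src"], r.source)
                    and wildcard_match(pkt["dst"], r.destination)
                    and (r.dport is None or pkt.get("dport") == r.dport)):
                return r
        return None


def qos_outcome(acl: Acl, pkt: dict, behavior: str = "remark") -> str:
    """Hardware application (traffic policy): a deny match discards the packet, a permit
    match hands it to the traffic behavior, an unmatched packet is not touched by it."""
    r = acl.match(pkt)
    if r is None:
        return "unmatched: not processed by the traffic behavior"
    return "discard" if r.action == "deny" else f"behavior:{behavior}"


def login_outcome(acl: Acl, pkt: dict) -> str:
    """Software application (FTP/Telnet/SSH user control): permit and deny act as
    written, and an unmatched packet is discarded (implicit deny)."""
    r = acl.match(pkt)
    if r is None:
        return "discard (implicit deny)"
    return "permit" if r.action == "permit" else "discard"


# Constructed ACLs modelled on the page's examples (acl 2000 and acl 3003).
ACL2000 = Acl.build(2000, [dict(action="permit", source="10.0.0.2 0.0.0.255")])
ACL3003 = Acl.build(3003, [dict(action="deny", source="10.164.3.0 0.0.0.255",
                                destination="10.164.9.9 0.0.0.0")])

if __name__ == "__main__":
    pkt = {"src": "10.164.3.7", "dst": "10.164.9.9", "proto": "tcp", "dport": 80}
    print(normalize("10.0.0.2 0.0.0.255"), qos_outcome(ACL3003, pkt), login_outcome(ACL2000, pkt))
```

The point to carry away is the last two functions: the same ACL, with the same rules, fails open in a traffic policy and fails closed in login user control, so a login-control ACL needs an explicit permit for every legitimate management source, while a filtering traffic policy needs its own catch-all deny rule if unmatched traffic must be blocked.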
auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
config: indicates that the rules are matched in the configuration order.
The undo step command restores the default step of an ACL and renumbers the ACL rules.
----End
Procedure
- Run the display acl { acl-number | all } command to check the configured ACL.
- Run the display time-range { all | time-name } command to check the time range.
----End
Example
# Run the display acl command to view the ACL number, the number of rules, the step, and the
details of the ACL rules.
# Run the display time-range command to view the configuration and status of the current
time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
from 09:09 2008/9/9 to 23:59 2099/12/31
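The following Python model is an added illustration, not code from the Huawei guide or the switch. It evaluates a time range the way the Postrequisite in 11.3.3 and the display time-range output above describe it: time1 has a periodic segment (10:00 to 12:00 daily) and an absolute segment, and is reported Inactive at 14:19:16 because the periodic segment is not in effect even though the absolute one is. The combination rule (periodic segments ORed, absolute segments ORed, the two groups ANDed) is assumed here; it matches the documented VRP behaviour, but confirm it with display time-range on your own device. The "test" range from 11.3.3 is expressed as three constructed segments, and the working-day and off-day keywords for it are assumptions.

```python
"""Added model of S9300 time-range evaluation (illustrative, not device code)."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Day keywords as display time-range prints them; weekday() gives Mon=0 ... Sun=6.
DAY_SETS = {
    "daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6},
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4}, "sat": {5}, "sun": {6},
}


def _hhmm(s: str) -> time:
    h, m = s.split(":")
    return time(int(h), int(m))


def _stamp(hhmm: str, ymd: str) -> datetime:
    """Parse 'HH:MM' plus 'YYYY/M/D' as printed in an absolute segment."""
    y, mo, d = (int(x) for x in ymd.split("/"))
    t = _hhmm(hhmm)
    return datetime(y, mo, d, t.hour, t.minute)


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)  # (start, end, weekdays)
    absolute: list = field(default_factory=list)  # (from, to)

    def add(self, segment: str) -> "TimeRange":
        """Add one segment written the way display time-range shows it."""
        p = segment.split()
        if p[0] == "from":
            # 'from HH:MM YYYY/M/D [to HH:MM YYYY/M/D]'; an open end is shown as 2099/12/31
            end = _stamp(p[4], p[5]) if len(p) > 3 else datetime(2099, 12, 31, 23, 59)
            self.absolute.append((_stamp(p[1], p[2]), end))
        else:
            # 'HH:MM to HH:MM day [day ...]'
            days = set().union(*(DAY_SETS[d.lower()] for d in p[3:]))
            self.periodic.append((_hhmm(p[0]), _hhmm(p[2]), days))
        return self

    def active(self, now: datetime) -> bool:
        """Assumed combination rule: periodic segments are ORed, absolute segments are
        ORed, and the two groups are ANDed; a group with no segments imposes no constraint."""
        per_ok = not self.periodic or any(
            now.weekday() in days and start <= now.time() <= end
            for start, end, days in self.periodic)
        abs_ok = not self.absolute or any(lo <= now <= hi for lo, hi in self.absolute)
        return per_ok and abs_ok


def status(tr: TimeRange, when: str) -> str:
    """Return the ( Active ) / ( Inactive ) marker for a timestamp 'YYYY-MM-DD HH:MM[:SS]'."""
    return "Active" if tr.active(datetime.fromisoformat(when)) else "Inactive"


# time1 exactly as shown in the display time-range output above.
TIME1 = (TimeRange("time1")
         .add("10:00 to 12:00 daily")
         .add("from 09:09 2008/9/9 to 23:59 2099/12/31"))

# The 'test' range from 11.3.3 as three constructed segments (keywords assumed).
TEST = (TimeRange("test")
        .add("8:00 to 18:00 working-day")
        .add("14:00 to 18:00 off-day")
        .add("from 00:00 2009/1/1 to 23:59 2009/12/31"))

if __name__ == "__main__":
    # The switch printed ( Inactive ) at 14:19:16 on 2008-12-04: outside 10:00-12:00.
    print(status(TIME1, "2008-12-04 14:19:16"))
```

Because an ACL rule bound to an inactive time range never matches, a deny rule that is meant to protect a server outside business hours needs its time range to cover exactly those hours; the example makes that check reproducible before the rule is deployed.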
Pre-configuration Tasks
None
Data Preparation
To configure an ACL6, you need the following data.
No.  Data
1    (Optional) Name of the time range during which the ACL6 is valid, and the start time
     and end time of the time range
2    Number of the ACL6 and the rule identifying the packet type, including protocol type,
     source address and source port, destination address and destination port, ICMPv6 type
     and code, precedence, and ToS
Specify a number to identify the ACL6 type. For example, an ACL6 numbered from 2000 to 2999
is a basic ACL6, and an ACL6 numbered from 3000 to 3999 is an advanced ACL6.
Set the match order of the ACL6. This parameter is optional. By default, the match order
is config.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
An ACL6 is created.
The acl6-number value of a basic ACL6 ranges from 2000 to 2999, and that of an advanced
ACL6 ranges from 3000 to 3999.
match-order indicates the match order of ACL6 rules.
auto: indicates that the ACL6 rules are matched on the basis of the depth-first principle.
config: indicates that the rules are matched in the configuration order.
----End
Setting the time range when an ACL6 takes effect follows the same procedure as for an ACL
(see 11.3.3). For example, the time range test includes 8:00-18:00 on Monday to Friday and
14:00-18:00 on Saturday and Sunday in the year 2009.
----End
Postrequisite
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If
no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the
rules of the ACL6 are deleted.
Procedure
- Run the display acl ipv6 { acl6-number | all } command to view the rules of the ACL6.
- Run the display time-range { all | time-name } command to view information about the
  time range.
----End
Example
# Run the display acl ipv6 command to view the ACL6 number, the number of rules, and the
content of the rules. A rule whose time range is not currently in effect is shown as Inactive.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
rule 0 permit time-range time1 (0 times matched) (Inactive)
rule 1 permit (0 times matched)
# Run the display time-range command to view the configuration and status of the current
time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday
Time-range : time1 ( Inactive )
12:00 to 23:00 working-day
[Networking diagram: S9300 with interfaces GE1/0/1 and GE2/0/1; PC B is attached to the S9300]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- Names of the traffic classifier, traffic behavior, and traffic policy: tc1, tb1, and tp1
Procedure
Step 1 Configure the URPF function.
# Enable the URPF function on the LPU.
<Quidway> system-view
[Quidway] urpf slot 1
[Quidway] urpf slot 2
# Enable the strict URPF check on the interfaces.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] urpf strict
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] urpf strict
[Quidway-GigabitEthernet2/0/1] quit
Step 2 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules. The wildcard 0.0.0.255 covers the whole 10.0.0.0/24 segment; the switch
stores the address with the wildcard-covered bits zeroed, so the configuration file below shows
10.0.0.0 0.0.0.255.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit
# Define the traffic classifier tc1 and reference ACL 2000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit
# Define the traffic behavior and disable the URPF check in the traffic behavior view.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] ip urpf disable
[Quidway-behavior-tb1] quit
Step 3 Configure the traffic policy and apply it to the interface in the inbound direction.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet1/0/1] quit
----End
Configuration Files
#
sysname Quidway
#
urpf slot 1
urpf slot 2
#
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 20
if-match acl 2000
#
traffic behavior tb1
ip urpf disable
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
urpf strict
traffic-policy tp1 inbound
#
interface GigabitEthernet2/0/1
urpf strict
#
return
[Networking diagram: S9300 with GE1/0/1 connecting the President's office 10.164.1.0/24, GE1/0/2 the Marketing department 10.164.2.0/24, GE1/0/3 the R&D department 10.164.3.0/24, and GE2/0/1 the server segment]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- Name of the traffic policy, and the traffic classifier and traffic behavior associated with
  the traffic policy
Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces.
Add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively, and
add GE 2/0/1 to VLAN 100. The first IP address of each network segment is used as the
address of the VLANIF interface. GE 1/0/1 is taken as an example; the other interfaces are
configured in the same way and are not repeated here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit
# Configure the time range satime (08:00 to 17:30 on working days) referenced by the ACL rules.
[Quidway] time-range satime 08:00 to 17:30 working-day
# Configure the ACL that denies the marketing department access to the salary query server
during satime.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit
# Configure the ACL that denies the R&D department access to the salary query server during
satime.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit
# Configure the traffic behavior b_rd with the action deny.
[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit
# Apply the traffic policy p_rd to GE 1/0/3, the interface of the R&D department, in the
inbound direction.
[Quidway] interface gigabitethernet 1/0/3
[Quidway-GigabitEthernet1/0/3] traffic-policy p_rd inbound
[Quidway-GigabitEthernet1/0/3] quit
The classifier c_market, behavior b_market, and policy p_market for the marketing department
(referencing ACL 3002 and applied inbound on GE 1/0/2) are configured in the same way and are
not repeated here.
# Verify the configuration. The display acl command shows both rules, and they are marked
Active while the time range satime is in effect.
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)
Advanced ACL 3003, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)
# The traffic policy p_rd binds the following classifiers to behaviors:
Classifier       Behavior
default-class    be
c_rd             b_rd
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
port link-type access
port default vlan 100
#
return
[Networking diagram: host with MAC address 00e0-f201-0101 connected to GE2/0/1 of the S9300; GE1/0/1 connects to the IP network]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- Name of the traffic policy, and the traffic classifier and traffic behavior associated with
  the traffic policy
Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL, which denies frames from 00e0-f201-0101 to 0260-e207-0002.
[Quidway] acl 4000
[Quidway-acl-ethernetframe-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-ethernetframe-4000] quit
Step 2 Configure the traffic classifier, traffic behavior, and traffic policy, and apply the
policy to GE 2/0/1 in the inbound direction.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet2/0/1] quit
----End
Configuration Files
#
sysname Quidway
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
#
traffic classifier tc1 operator or precedence 15
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return
Networking Requirements
As shown in Figure 11-4, S9300-A and S9300-B are connected through GE interfaces. You
need to configure an ACL6 rule on S9300-A to prevent the IPv6 packets with the source IP
address 3001::2 from entering GE 1/0/0 of S9300-A.
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets
[Diagram: S9300-A GE1/0/0 (VLAN 10, 3001::1/64) connected to S9300-B GE1/0/0 (VLAN 10, 3001::2/64); S9300-B also has Loopback2 3002::2/64]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
Procedure
Step 1 Enable IPv6 forwarding capability on S9300-A and S9300-B, set the parameters for the
interfaces, and check the connectivity.
# Configure S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] ipv6
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] port link-type trunk
[S9300-A-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-A-GigabitEthernet1/0/0] quit
[S9300-A] interface vlanif 10
[S9300-A-Vlanif10] ipv6 enable
[S9300-A-Vlanif10] ipv6 address 3001::1 64
[S9300-A-Vlanif10] quit
# Configure S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] ipv6
[S9300-B] interface loopback 2
[S9300-B-LoopBack2] ipv6 enable
[S9300-B-LoopBack2] ipv6 address 3002::2 64
[S9300-B-LoopBack2] quit
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] port link-type trunk
[S9300-B-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface vlanif 10
[S9300-B-Vlanif10] ipv6 enable
[S9300-B-Vlanif10] ipv6 address 3001::2 64
[S9300-B-Vlanif10] quit
Step 2 Configure an ACL6 and a traffic policy on S9300-A to filter IPv6 packets whose source
address is 3001::2.
# Configure the advanced ACL6 3001 with a rule that matches the source IPv6 address 3001::2.
[S9300-A] acl ipv6 3001
[S9300-A-acl6-adv-3001] rule deny ipv6 source 3001::2 128
[S9300-A-acl6-adv-3001] quit
# Configure the traffic classifier class1, the traffic behavior behav1, and the traffic policy
policy1.
[S9300-A] traffic classifier class1
[S9300-A-classifier-class1] if-match ipv6 acl 3001
[S9300-A-classifier-class1] quit
[S9300-A] traffic behavior behav1
[S9300-A-behavior-behav1] deny
[S9300-A-behavior-behav1] quit
[S9300-A] traffic policy policy1
[S9300-A-trafficpolicy-policy1] classifier class1 behavior behav1
[S9300-A-trafficpolicy-policy1] quit
# Apply the traffic policy to GE 1/0/0 in the inbound direction.
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[S9300-A-GigabitEthernet1/0/0] quit
----End
Configuration Files
- Configuration file of S9300-A
#
sysname S9300-A
#
ipv6
#
acl ipv6 number 3001
rule 5 deny ipv6 source 3001::2 128
#
traffic classifier class1 operator or
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
#
traffic policy policy1
classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy policy1 inbound
#
interface Vlanif10
ipv6 enable
ipv6 address 3001::1/64
#
ipv6 route-static 3002:: 64 3001::2
#
return