
Quidway S9300 Terabit Routing Switch
V100R002C00
Configuration Guide - Security

Issue: 06
Date: 20100108

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any
assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Contents
About This Document.....................................................................................................................1
1 AAA and User Management Configuration.........................................................................1-1
1.1 Introduction to AAA and User Management..................................................................................................1-2
1.2 AAA and User Management Features Supported by the S9300.....................................................................1-2
1.3 Configuring AAA Schemes............................................................................................................................1-4
1.3.1 Establishing the Configuration Task......................................................................................................1-4
1.3.2 Configuring an Authentication Scheme.................................................................................................1-5
1.3.3 Configuring an Authorization Scheme...................................................................................................1-6
1.3.4 Configuring an Accounting Scheme......................................................................................................1-8
1.3.5 (Optional) Configuring a Recording Scheme.........................................................................................1-9
1.3.6 Checking the Configuration.................................................................................................................1-10
1.4 Configuring a RADIUS Server Template.....................................................................................................1-10
1.4.1 Establishing the Configuration Task....................................................................................................1-11
1.4.2 Creating a RADIUS Server Template..................................................................................................1-12
1.4.3 Configuring a RADIUS Authentication Server...................................................................................1-12
1.4.4 Configuring the RADIUS Accounting Server.....................................................................................1-12
1.4.5 Configuring a RADIUS Authorization Server.....................................................................................1-13
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server.......................................................................1-13
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server.......................................1-14
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server...................................................................1-15
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server.................................................1-15
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server.........................................................1-16
1.4.11 Checking the Configuration...............................................................................................................1-17
1.5 Configuring an HWTACACS Server Template............................................................................................1-18
1.5.1 Establishing the Configuration Task....................................................................................................1-18
1.5.2 Creating an HWTACACS Server Template........................................................................................1-19
1.5.3 Configuring an HWTACACS Authentication Server..........................................................................1-19
1.5.4 Configuring the HWTACACS Accounting Server..............................................................................1-20
1.5.5 Configuring an HWTACACS Authorization Server...........................................................................1-20
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets...........................................1-21
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server...........................................................1-21
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server..............................................1-22
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server..........................................................1-23
1.5.10 (Optional) Setting HWTACACS Timers...........................................................................................1-23
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet.................................................1-24
1.5.12 Checking the Configuration...............................................................................................................1-24
1.6 Configuring a Service Scheme......................................................................................................................1-25
1.6.1 Establishing the Configuration Task....................................................................................................1-25
1.6.2 Creating a Service Scheme...................................................................................................................1-26
1.6.3 Setting the Administrator Level...........................................................................................................1-26
1.6.4 Configuring a DHCP Server Group.....................................................................................................1-27
1.6.5 Configuring an Address Pool...............................................................................................................1-27
1.6.6 Configuring Primary and Secondary DNS Servers...............................................................................1-28
1.6.7 Checking the Configuration.................................................................................................................1-28
1.7 Configuring a Domain...................................................................................................................................1-29
1.7.1 Establishing the Configuration Task....................................................................................................1-29
1.7.2 Creating a Domain...............................................................................................................................1-30
1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain.........................1-31
1.7.4 Configuring a RADIUS Server Template for a Domain......................................................................1-32
1.7.5 Configuring an HWTACACS Server Template for a Domain............................................................1-32
1.7.6 (Optional) Configuring a Service Scheme for a Domain.....................................................................1-33
1.7.7 (Optional) Setting the Status of a Domain...........................................................................................1-33
1.7.8 (Optional) Configuring the Domain Name Delimiter..........................................................................1-34
1.7.9 Checking the Configuration.................................................................................................................1-34
1.8 Configuring Local User Management...........................................................................................................1-35
1.8.1 Establishing the Configuration Task....................................................................................................1-35
1.8.2 Creating a Local User...........................................................................................................................1-36
1.8.3 (Optional) Setting the Access Type of the Local User.........................................................................1-37
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access.........................................1-37
1.8.5 (Optional) Setting the Status of a Local User......................................................................................1-38
1.8.6 (Optional) Setting the Level of a Local User.......................................................................................1-38
1.8.7 (Optional) Setting the Access Limit for a Local User..........................................................................1-39
1.8.8 Checking the Configuration.................................................................................................................1-39
1.9 Maintaining AAA and User Management....................................................................................................1-40
1.9.1 Clearing the Statistics...........................................................................................................................1-40
1.9.2 Monitoring the Running Status of AAA..............................................................................................1-40
1.9.3 Debugging............................................................................................................................................1-41
1.10 Configuration Examples..............................................................................................................................1-41
1.10.1 Example for Configuring RADIUS Authentication and Accounting................................................1-41
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization................1-44

2 NAC Configuration....................................................................................................................2-1
2.1 Introduction to NAC........................................................................................................................................2-2
2.1.1 Web Authentication................................................................................................................................2-2
2.1.2 802.1x Authentication............................................................................................................................2-3
2.1.3 MAC Address Authentication................................................................................................................2-3
2.2 NAC Features Supported by the S9300..........................................................................................................2-4
2.3 Configuring Web Authentication....................................................................................................................2-4
2.3.1 Establishing the Configuration Task......................................................................................................2-4
2.3.2 Configuring the Web Authentication Server..........................................................................................2-5
2.3.3 Binding the Web Authentication Server to the Interface.......................................................................2-5
2.3.4 Configuring the Free Rule for Web Authentication...............................................................................2-6
2.3.5 (Optional) Configuring the Web Authentication Policy........................................................................2-6
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets................................................................2-7
2.3.7 (Optional) Setting the Version of the Portal Protocol Packets...............................................................2-7
2.3.8 Checking the Configuration...................................................................................................................2-8
2.4 Configuring 802.1x Authentication.................................................................................................................2-8
2.4.1 Establishing the Configuration Task......................................................................................................2-9
2.4.2 Enabling Global 802.1x Authentication.................................................................................................2-9
2.4.3 Enabling 802.1x Authentication on an Interface..................................................................................2-10
2.4.4 (Optional) Enabling MAC Bypass Authentication..............................................................................2-11
2.4.5 Setting the Authentication Method for the 802.1x User......................................................................2-12
2.4.6 (Optional) Configuring the Interface Access Mode.............................................................................2-13
2.4.7 (Optional) Configuring the Authorization Status of an Interface.........................................................2-14
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users..............................................2-15
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication...........................................................2-16
2.4.10 (Optional) Configuring 802.1x Timers..............................................................................................2-16
2.4.11 (Optional) Configuring the Quiet Timer Function.............................................................................2-17
2.4.12 (Optional) Configuring the 802.1x Re-authentication.......................................................................2-18
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication................................................2-18
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users....................................2-19
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request....................................2-20
2.4.16 Checking the Configuration...............................................................................................................2-20
2.5 Configuring MAC Address Authentication..................................................................................................2-21
2.5.1 Establishing the Configuration Task....................................................................................................2-22
2.5.2 Enabling Global MAC Address Authentication...................................................................................2-22
2.5.3 Enabling MAC Address Authentication on an Interface......................................................................2-23
2.5.4 (Optional) Enabling Direct Authentication..........................................................................................2-24
2.5.5 Configuring the User Name for MAC Address Authentication...........................................................2-25
2.5.6 (Optional) Configuring the Domain for MAC Address Authentication..............................................2-26
2.5.7 (Optional) Setting the Timers of MAC Address Authentication.........................................................2-27
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication......................................2-28
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication......2-28
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address.............................................2-29
2.5.11 Checking the Configuration...............................................................................................................2-30
2.6 Maintaining NAC..........................................................................................................................................2-30
2.6.1 Clearing the Statistics About 802.1x Authentication...........................................................................2-31
2.6.2 Clearing Statistics About MAC Address Authentication.....................................................................2-31
2.6.3 Debugging 802.1x Authentication.......................................................................................................2-31
2.6.4 Debugging MAC Address Authentication...........................................................................................2-32
2.7 Configuration Examples................................................................................................................................2-32
2.7.1 Example for Configuring Web Authentication....................................................................................2-32
2.7.2 Example for Configuring 802.1x Authentication.................................................................................2-35
2.7.3 Example for Configuring MAC Address Authentication....................................................................2-38

3 DHCP Snooping Configuration..............................................................................................3-1
3.1 Introduction to DHCP Snooping.....................................................................................................................3-3
3.2 DHCP Snooping Features Supported by the S9300........................................................................................3-3
3.3 Preventing the Bogus DHCP Server Attack....................................................................................................3-5
3.3.1 Establishing the Configuration Task......................................................................................................3-6
3.3.2 Enabling DHCP Snooping......................................................................................................................3-6
3.3.3 Configuring an Interface as a Trusted Interface.....................................................................................3-8
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers.......................................................................3-8
3.3.5 Checking the Configuration...................................................................................................................3-9
3.4 Preventing the DoS Attack by Changing the CHADDR Field........................................................................3-9
3.4.1 Establishing the Configuration Task....................................................................................................3-10
3.4.2 Enabling DHCP Snooping...................................................................................................................3-10
3.4.3 Checking the CHADDR Field in DHCP Request Messages...............................................................3-12
3.4.4 Checking the Configuration.................................................................................................................3-12
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases.............3-13
3.5.1 Establishing the Configuration Task....................................................................................................3-13
3.5.2 Enabling DHCP Snooping...................................................................................................................3-14
3.5.3 Enabling the Checking of DHCP Request Messages...........................................................................3-15
3.5.4 (Optional) Configuring the Option 82 Function..................................................................................3-16
3.5.5 Checking the Configuration.................................................................................................................3-17
3.6 Setting the Maximum Number of DHCP Snooping Users...........................................................................3-18
3.6.1 Establishing the Configuration Task....................................................................................................3-18
3.6.2 Enabling DHCP Snooping...................................................................................................................3-18
3.6.3 Setting the Maximum Number of DHCP Snooping Users..................................................................3-20
3.6.4 (Optional) Configuring MAC Address Security on an Interface.........................................................3-20
3.6.5 Checking the Configuration.................................................................................................................3-21
3.7 Limiting the Rate of Sending DHCP Messages............................................................................................3-22
3.7.1 Establishing the Configuration Task....................................................................................................3-22
3.7.2 Enabling DHCP Snooping...................................................................................................................3-23
3.7.3 Limiting the Rate of Sending DHCP Messages...................................................................................3-24
3.7.4 Checking the Configuration.................................................................................................................3-25
3.8 Configuring the Packet Discarding Alarm Function.....................................................................................3-25
3.8.1 Establishing the Configuration Task....................................................................................................3-25
3.8.2 Enabling DHCP Snooping...................................................................................................................3-26
3.8.3 Enabling the Checking of DHCP Messages.........................................................................................3-27
3.8.4 Configuring the Packet Discarding Alarm Function............................................................................3-28
3.8.5 Checking the Configuration.................................................................................................................3-29
3.9 Maintaining DHCP Snooping.......................................................................................................................3-30
3.9.1 Clearing DHCP Snooping Statistics.....................................................................................................3-30
3.9.2 Resetting the DHCP Snooping Binding Table.....................................................................................3-30
3.9.3 Backing Up the DHCP Snooping Binding Table.................................................................................3-30
3.10 Configuration Examples..............................................................................................................................3-31
3.10.1 Example for Preventing the Bogus DHCP Server Attack..................................................................3-31
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field.....................................3-34
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases......3-36
3.10.4 Example for Limiting the Rate of Sending DHCP Messages............................................................3-39
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network........................................................3-42
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent.................................................3-46
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network......................................................3-51

4 ARP Security Configuration....................................................................................................4-1
4.1 Introduction to ARP Security..........................................................................................................................4-2
4.2 ARP Security Supported by the S9300...........................................................................................................4-2
4.3 Limiting ARP Entry Learning.........................................................................................................................4-4
4.3.1 Establishing the Configuration Task......................................................................................................4-4
4.3.2 Enabling Strict ARP Entry Learning......................................................................................................4-5
4.3.3 Configuring Interface-based ARP Entry Limitation..............................................................................4-7
4.3.4 Checking the Configuration...................................................................................................................4-7
4.4 Configuring ARP Anti-Attack........................................................................................................................4-8
4.4.1 Establishing the Configuration Task......................................................................................................4-8
4.4.2 Preventing the ARP Address Spoofing Attack......................................................................................4-9
4.4.3 Preventing the ARP Gateway Duplicate Attack.....................................................................................4-9
4.4.4 Preventing the Man-in-the-Middle Attack...........................................................................................4-10
4.4.5 Configuring ARP Proxy on a VPLS Network.....................................................................................4-11
4.4.6 Configuring DHCP to Trigger ARP Learning.....................................................................................4-12
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets..............................................4-13
4.4.8 Enabling Log and Alarm Functions for Potential Attacks...................................................................4-13
4.4.9 Checking the Configuration.................................................................................................................4-14
4.5 Suppressing Transmission Rate of ARP Packets..........................................................................................4-15
4.5.1 Establishing the Configuration Task....................................................................................................4-15
4.5.2 Configuring Source-based ARP Suppression......................................................................................4-16
4.5.3 Configuring Source-based ARP Miss Suppression..............................................................................4-17
4.5.4 Setting the Suppression Time of ARP Miss Messages........................................................................4-17
4.5.5 Suppressing Transmission Rate of ARP Packets.................................................................................4-18
4.5.6 Checking the Configuration.................................................................................................................4-19
4.6 Maintaining ARP Security............................................................................................................................4-19
4.6.1 Displaying the Statistics About ARP Packets......................................................................................4-20
4.6.2 Clearing the Statistics on ARP Packets................................................................................................4-20
4.6.3 Clearing the Statistics on Discarded ARP Packets...............................................................................4-20
4.6.4 Debugging ARP Packets......................................................................................................................4-21
4.7 Configuration Examples................................................................................................................................4-21
4.7.1 Example for Configuring ARP Security Functions..............................................................................4-22
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks..........................4-25

5 Source IP Attack Defense Configuration..............................................................................5-1
5.1 Overview of IP Source Guard.........................................................................................................................5-2
5.2 IP Source Guard Features Supported by the S9300........................................................................................5-3
5.3 Configuring IP Source Guard..........................................................................................................................5-5
5.3.1 Establishing the Configuration Task......................................................................................................5-5
5.3.2 (Optional) Configuring a Static User Binding Entry............................................................................. 5-5
5.3.3 Enabling IP Source Guard......................................................................................................................5-6
5.3.4 Configuring the Check Items of IP Packets...........................................................................................5-6
5.3.5 Checking the Configuration...................................................................................................................5-7
5.4 Configuring IP Source Trail............................................................................................................................5-8
5.4.1 Establishing the Configuration Task......................................................................................................5-8
5.4.2 Configuring IP Source Trail Based on the Destination IP Address.......................................................5-9
5.4.3 Checking the Configuration...................................................................................................................5-9
5.5 Configuring URPF........................................................................................................................................5-10
5.5.1 Establishing the Configuration Task....................................................................................................5-10
5.5.2 Enabling URPF....................................................................................................................................5-10
5.5.3 Setting the URPF Check Mode on an Interface...................................................................................5-11
5.5.4 (Optional) Disabling URPF for the Specified Traffic..........................................................................5-12
5.5.5 Checking the Configuration.................................................................................................................5-12
5.6 Maintaining Source IP Attack Defense.........................................................................................................5-13
5.6.1 Clearing the Statistics on IP Source Trail............................................................................................5-13
5.7 Configuration Examples................................................................................................................................5-13
5.7.1 Example for Configuring IP Source Guard..........................................................................................5-14
5.7.2 Example for Configuring IP Source Trail............................................................................................5-15
5.7.3 Example for Configuring URPF..........................................................................................................5-17

6 Local Attack Defense Configuration......................................................................................6-1


6.1 Overview of Local Attack Defense.................................................................................................................6-2
6.2 Local Attack Defense Features Supported by the S9300................................................................................6-2
6.3 Configuring the Attack Defense Policy.......................................................................................................... 6-3
6.3.1 Establishing the Configuration Task......................................................................................................6-3
6.3.2 Creating an Attack Defense Policy........................................................................................................ 6-4
6.3.3 Configuring the Whitelist.......................................................................................................................6-4
6.3.4 Configuring the Blacklist.......................................................................................................................6-4
6.3.5 Configuring User-Defined Flows...........................................................................................................6-5
6.3.6 Configuring the Rule for Sending Packets to the CPU..........................................................................6-6
6.3.7 Applying the Attack Defense Policy......................................................................................................6-6
6.3.8 Checking the Configuration...................................................................................................................6-7
6.4 Configuring Attack Source Tracing................................................................................................................6-8


6.4.1 Establishing the Configuration Task......................................................................................................6-8
6.4.2 Creating an Attack Defense Policy........................................................................................................6-9
6.4.3 Enabling the Automatic Attack Source Tracing.....................................................................................6-9
6.4.4 Configuring the Threshold of Attack Source Tracing..........................................................................6-10
6.4.5 (Optional) Configuring the Attack Source Alarm Function.................................................................6-10
6.4.6 Applying the Attack Defense Policy....................................................................................................6-11
6.4.7 Checking the Configuration.................................................................................................................6-12
6.5 Maintaining the Attack Defense Policy........................................................................................................6-13
6.5.1 Clearing Statistics About Packets Destined for the CPU.....................................................................6-13
6.5.2 Clearing Statistics About Attack Sources............................................................................................6-13
6.6 Configuration Examples................................................................................................................................6-14
6.6.1 Example for Configuring the Attack Defense Policy...........................................................................6-14

7 PPPoE+ Configuration..............................................................................................................7-1
7.1 PPPoE+ Overview...........................................................................................................................................7-2
7.2 PPPoE+ Features Supported by the S9300.....................................................................................................7-2
7.3 Configuring PPPoE+.......................................................................................................................................7-2
7.3.1 Establishing the Configuration Task......................................................................................................7-2
7.3.2 Enabling PPPoE+ Globally....................................................................................................................7-3
7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets.................................7-3
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets............................................7-4
7.3.5 Configuring the PPPoE Trusted Interface..............................................................................................7-4
7.3.6 Checking the Configuration...................................................................................................................7-5
7.4 Configuration Examples..................................................................................................................................7-5
7.4.1 Example for Configuring PPPoE+.........................................................................................................7-5

8 MFF Configuration....................................................................................................................8-1
8.1 MFF Overview................................................................................................................................................8-2
8.2 MFF Features Supported by the S9300...........................................................................................................8-3
8.3 Configuring MFF............................................................................................................................................8-4
8.3.1 Establishing the Configuration Task......................................................................................................8-4
8.3.2 Enabling Global MFF.............................................................................................................................8-5
8.3.3 Configuring the MFF Network Interface...............................................................................................8-5
8.3.4 Enabling MFF in a VLAN.....................................................................................................................8-6
8.3.5 (Optional) Configuring the Static Gateway Address.............................................................................8-6
8.3.6 (Optional) Enabling Timed Gateway Address Detection.......................................................................8-7
8.3.7 (Optional) Setting the Server Address...................................................................................................8-7
8.3.8 Checking the Configuration...................................................................................................................8-7
8.4 Configuration Examples..................................................................................................................................8-8
8.4.1 Example for Configuring MFF..............................................................................................................8-8

9 Interface Security Configuration............................................................................................9-1


9.1 Interface Security Overview............................................................................................................................9-2
9.2 Interface Security Features Supported by the S9300......................................................................................9-2


9.3 Configuring Interface Security........................................................................................................................9-2
9.3.1 Establishing the Configuration Task......................................................................................................9-3
9.3.2 Enabling the Interface Security Function...............................................................................................9-3
9.3.3 (Optional) Configuring the Protection Action in Interface Security......................................................9-4
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface........................................9-4
9.3.5 Enabling Sticky MAC on an Interface...................................................................................................9-5
9.3.6 Checking the Configuration...................................................................................................................9-5
9.4 Configuration Examples..................................................................................................................................9-6
9.4.1 Example for Configuring Interface Security..........................................................................................9-6

10 Traffic Suppression Configuration....................................................................................10-1


10.1 Introduction to Traffic Suppression............................................................................................................10-2
10.2 Traffic Suppression Features Supported by the S9300...............................................................................10-2
10.3 Configuring Traffic Suppression.................................................................................................................10-2
10.3.1 Establishing the Configuration Task..................................................................................................10-2
10.3.2 Configuring Traffic Suppression on an Interface...............................................................................10-3
10.3.3 Checking the Configuration...............................................................................................................10-4
10.4 Configuration Examples..............................................................................................................................10-4
10.4.1 Example for Configuring Traffic Suppression...................................................................................10-4

11 ACL Configuration................................................................................................................11-1
11.1 Introduction to the ACL..............................................................................................................................11-2
11.2 Classification of ACLs Supported by the S9300........................................................................................11-2
11.3 Configuring an ACL....................................................................................................................................11-3
11.3.1 Establishing the Configuration Task..................................................................................................11-3
11.3.2 Creating an ACL................................................................................................................................11-4
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect.......................................................11-5
11.3.4 (Optional) Configuring the Description of an ACL...........................................................................11-5
11.3.5 Configuring a Basic ACL...................................................................................................................11-6
11.3.6 Configuring an Advanced ACL.........................................................................................................11-6
11.3.7 Configuring a Layer 2 ACL...............................................................................................................11-7
11.3.8 (Optional) Setting the Step of an ACL...............................................................................................11-8
11.3.9 Checking the Configuration...............................................................................................................11-8
11.4 Configuring ACL6......................................................................................................................................11-9
11.4.1 Establishing the Configuration Task..................................................................................................11-9
11.4.2 Creating an ACL6............................................................................................................................11-10
11.4.3 (Optional) Creating the Time Range of the ACL6...........................................................................11-10
11.4.4 Configuring a Basic ACL6...............................................................................................................11-11
11.4.5 Configuring an Advanced ACL6.....................................................................................................11-11
11.4.6 Checking the Configuration.............................................................................................................11-12
11.5 Configuration Examples............................................................................................................................11-13
11.5.1 Example for Configuring a Basic ACL............................................................................................11-13
11.5.2 Example for Configuring an Advanced ACL..................................................................................11-16
11.5.3 Example for Configuring a Layer 2 ACL........................................................................................11-20


11.5.4 Example for Configuring an ACL6..................................................................................................11-22

Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting....................................................1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization....................1-45
Figure 2-1 Typical networking of NAC...............................................................................................................2-2
Figure 2-2 Network diagram for configuring Web authentication.....................................................................2-33
Figure 2-3 Networking diagram for configuring 802.1x authentication............................................................2-36
Figure 2-4 Networking diagram for configuring MAC address authentication.................................................2-38
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network..................3-4
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent...........3-4
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack................................................3-32
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field....................3-34
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases..........3-37
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages..........................................3-40
Figure 3-7 Networking diagram for configuring DHCP snooping....................................................................3-42
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent................................3-47
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network....................................3-51
Figure 4-1 Networking diagram for configuring ARP security functions.........................................................4-22
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks...........................................4-26
Figure 5-1 Diagram of IP/MAC spoofing attack..................................................................................................5-2
Figure 5-2 Diagram of the URPF function...........................................................................................................5-3
Figure 5-3 Networking diagram for configuring IP source guard......................................................................5-14
Figure 5-4 Networking diagram for configuring IP source trail........................................................................5-16
Figure 5-5 Networking diagram for configuring URPF.....................................................................................5-17
Figure 6-1 Networking diagram for Configuring the attack defense policy......................................................6-14
Figure 7-1 Networking diagram for configuring PPPoE+................................................................................... 7-6
Figure 8-1 Networking diagram for configuring MFF.........................................................................................8-9
Figure 9-1 Networking diagram for configuring interface security.....................................................................9-6
Figure 10-1 Networking diagram for configuring traffic suppression...............................................................10-5
Figure 11-1 Networking diagram for disabling URPF for the specified traffic...............................................11-13
Figure 11-2 Networking diagram for configuring IPv4 ACLs.........................................................................11-16
Figure 11-3 Networking diagram for configuring layer 2 ACLs.....................................................................11-20
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets.......................................11-23

Tables
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes.................................3-5
Table 3-2 Relation between the type of attacks and the type of discarded packets............................................3-25

About This Document


Purpose
This document describes the security features of the S9300, including AAA and user management,
Network Access Control (NAC), DHCP snooping, ARP security, IP source guard, IP source
trail, Unicast Reverse Path Forwarding (URPF), local attack defense, PPPoE+, MAC-forced
forwarding (MFF), interface security, traffic suppression, and ACL. For each feature it covers the
function introduction, configuration methods, maintenance, and configuration examples.
This document guides you through the principles and configuration of the security features.

Related Versions
The following table lists the product versions related to this document.
Product Name    Version
S9300           V100R002C00

Intended Audience
This document is intended for:
- Data configuration engineer
- Commissioning engineer
- Network monitoring engineer
- System maintenance engineer

Organization
This document is organized as follows.

Chapter                                   Description

1 AAA and User Management Configuration   Describes basic concepts of AAA and user management, and provides configuration methods and configuration examples.

2 NAC Configuration                       Describes basic concepts of Network Access Control (NAC), and provides configuration methods and configuration examples.

3 DHCP Snooping Configuration             Describes basic concepts of DHCP snooping, and provides configuration methods and configuration examples.

4 ARP Security Configuration              Describes basic concepts of ARP security, and provides configuration methods and configuration examples.

5 Source IP Attack Defense Configuration  Describes basic concepts of source IP attack defense, and provides configuration methods and configuration examples.

6 Local Attack Defense Configuration      Describes basic concepts of local attack defense, and provides configuration methods and configuration examples.

7 PPPoE+ Configuration                    Describes basic concepts of PPPoE+, and provides configuration methods and configuration examples.

8 MFF Configuration                       Describes basic concepts of MAC-Forced Forwarding (MFF), and provides configuration methods and configuration examples.

9 Interface Security Configuration        Describes basic concepts of interface security, and provides configuration methods and configuration examples.

10 Traffic Suppression Configuration      Describes basic concepts of traffic suppression, and provides configuration methods and configuration examples.

11 ACL Configuration                      Describes basic concepts of ACL, and provides configuration methods and configuration examples.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol      Description

DANGER      Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING     Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION     Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP         Indicates a tip that may help you solve a problem or save time.

NOTE        Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.
Convention        Description

Times New Roman   Normal paragraphs are in Times New Roman.

Boldface          Names of files, directories, folders, and users are in boldface. For example, log in as user root.

Italic            Book titles are in italics.

Courier New       Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention         Description

Boldface           The keywords of a command line are in boldface.

Italic             Command arguments are in italics.

[ ]                Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>             The parameter before the & sign can be repeated 1 to n times.

#                  A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention   Description

Boldface     Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

>            Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
Format         Description

Key            Press the key. For example, press Enter and press Tab.

Key 1+Key 2    Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2   Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action         Description

Click          Select and release the primary mouse button without moving the pointer.

Double-click   Press the primary mouse button twice continuously and quickly without moving the pointer.

Drag           Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 06 (2010-01-08)

Based on issue 05 (2009-11-10), the document is updated as follows:
The following information is modified:
- The background information of configuring the whitelist is modified: 6.3.3 Configuring the Whitelist
- The background information of configuring the blacklist is modified: 6.3.4 Configuring the Blacklist
- The background information of configuring user-defined flows is modified: 6.3.5 Configuring User-Defined Flows
- The enabling of strict ARP entry learning is modified: 4.3.2 Enabling Strict ARP Entry Learning
- The example for configuring interface security is modified: 9.4.1 Example for Configuring Interface Security

Updates in Issue 05 (2009-11-10)

Based on issue 04 (2009-09-30), the document is updated as follows:
The following information is modified:
- ACL Configuration: 11.2 Classification of ACLs Supported by the S9300

Updates in Issue 04 (2009-09-30)

Based on issue 03 (2009-09-20), the document is updated as follows:
The following information is modified:
- ARP Security Configuration: The configuration commands



Updates in Issue 03 (2009-09-20)

Based on issue 02 (2009-08-15), the document is updated as follows:
The following information is modified:
- DHCP Snooping Configuration: The configuration commands

Updates in Issue 02 (2009-08-15)

Based on issue 01 (2009-07-29), the document is updated as follows:
The following information is added:
- 7 PPPoE+ Configuration
- 3.6 Setting the Maximum Number of DHCP Snooping Users and 3.10.7 Example for Configuring DHCP Snooping on a VPLS Network in "DHCP Snooping Configuration"
- 6.3.3 Configuring the Whitelist in "Local Attack Defense Configuration"

The following information is modified:
- DHCP Snooping Configuration: The configuration commands
- Local Attack Defense Configuration: The configuration commands and configuration example

Updates in Issue 01 (2009-07-29)


Initial commercial release.

1 AAA and User Management Configuration

About This Chapter


This chapter describes the principle and configuration of Authentication, Authorization, and
Accounting (AAA), local user management, Remote Authentication Dial in User Service
(RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and
domain.
1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.
1.2 AAA and User Management Features Supported by the S9300
This section describes the AAA and user management features supported by the S9300.
1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and
a recording scheme on the S9300.
1.4 Configuring a RADIUS Server Template
This section describes how to configure a RADIUS server template on the S9300.
1.5 Configuring an HWTACACS Server Template
This section describes how to configure an HWTACACS server template on the S9300.
1.6 Configuring a Service Scheme
This section describes how to configure a service scheme in the S9300 to store authorization
information about users.
1.7 Configuring a Domain
This section describes how to configure a domain on the S9300.
1.8 Configuring Local User Management
This section describes how to configure local user management on the S9300.
1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.
1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.


1.1 Introduction to AAA and User Management


This section describes the knowledge of AAA and user management.

AAA
AAA provides the following types of services:
- Authentication: determines the user who can access the network.
- Authorization: authorizes the user to use certain services.
- Accounting: records network resource usage of the user.

AAA adopts the client/server model, which features good extensibility and facilitates
concentrated management over user information.

Domain-based User Management


User authentication, authorization, and accounting are performed in the domain view. Users can
be managed based on the domain. You can configure authorization, create authentication and
accounting schemes, and create RADIUS or HWTACACS templates in the domain.

Local User Management


To perform local user management, you need to set up the local user database, maintain user
information, and manage users on the local S9300.

1.2 AAA and User Management Features Supported by the S9300
This section describes the AAA and user management features supported by the S9300.

AAA
The S9300 provides authentication schemes in the following modes:
- Non-authentication: completely trusts users and does not check their validity. This mode
is seldom used.
- Local authentication: configures user information including the user name, password, and
attributes of the local user on the S9300. In local authentication mode, the processing speed
is fast, but the capacity of information storage is restricted by the hardware.
- Remote authentication: configures user information including the user name, password,
and attributes of the local user on an authentication server. The S9300 functions as the client
to communicate with the authentication server. Thus, the user is remotely authenticated
through the RADIUS or HWTACACS protocol.

The S9300 provides authorization schemes in the following modes:
- Non-authorization: completely trusts users and directly authorizes them.
- Local authorization: authorizes users according to the configured attributes of local user
accounts on the S9300.
- Remote authorization: authorizes users remotely through HWTACACS. The S9300
functions as the client to communicate with the authorization server.
- If-authenticated authorization: authorizes users after the users pass authentication in local
or remote authentication mode.

The S9300 provides the following accounting modes:
- None: Users are not charged.
- RADIUS accounting: The S9300 sends the accounting packets to the RADIUS server. Then
the RADIUS server performs accounting.
- HWTACACS accounting: The S9300 sends the accounting packets to the HWTACACS
server. Then the HWTACACS server performs accounting.

In the RADIUS and HWTACACS accounting modes, the S9300 generates accounting packets
when a user goes online or goes offline, and then sends them to the RADIUS or HWTACACS
server. The server then performs accounting based on the information in the packets, such as
login time, logout time and traffic volume.
The S9300 supports interim accounting. It means that the S9300 generates accounting packets
periodically and sends the accounting packets to the accounting server when a user is online. In
this way, the duration of abnormal accounting can be minimized when the communication
between the S9300 and the accounting server is interrupted.

Local User Management


To perform local user management, you need to set up the local user database, maintain user
information, and manage users on the local S9300.
In local authentication or local authorization mode, you need to perform the task of 1.8
Configuring Local User Management.

Domain-based User Management


The S9300 manages users based on the domain. You can configure authentication and
authorization schemes in a domain. Then, the specified schemes are adopted to perform
authentication and authorization for users that belong to the domain.
All the users of the S9300 belong to a domain. The domain that a user belongs to depends on
the character string that follows the domain name delimiter. The domain name delimiter can be
@, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If the user
name contains no domain name delimiter, the user belongs to the domain default.
By default, there are two domains named default and default_admin on the S9300, which cannot
be deleted but can be modified. If the domain of an access user cannot be obtained, the default
domain is used.
- Domain default is used for common access users. By default, local authentication is
performed for the users in domain default.
- Domain default_admin is used for administrators. By default, local authentication is
performed for the users in domain default_admin.

The S9300 supports up to 128 domains, including the two default domains.
The priority of authorization configured in a domain is lower than the priority configured on an
AAA server. That is, the authorization attribute sent by the AAA server is used preferentially.

The authorization attribute in the domain takes effect only when the AAA server does not have
or provide this authorization. In this manner, you can add services flexibly based on the domain
management, regardless of the attributes provided by the AAA server.

RADIUS and HWTACACS Server Templates


When RADIUS or HWTACACS is specified in an authentication or an authorization scheme
for communication between the client and the server, you must configure a RADIUS or an
HWTACACS server template.
- In a RADIUS server template, you can set the attributes such as the IP addresses, port
number, and key of the authentication server and accounting server.
- In an HWTACACS template, you can set the attributes such as the IP addresses, port
number, and key of the authentication server, accounting server, and authorization server.
NOTE

Authentication and authorization are used together in RADIUS; therefore, you cannot use RADIUS alone
to perform authorization.

1.3 Configuring AAA Schemes


This section describes how to configure an authentication scheme, an authorization scheme, and
a recording scheme on the S9300.
1.3.1 Establishing the Configuration Task
1.3.2 Configuring an Authentication Scheme
1.3.3 Configuring an Authorization Scheme
1.3.4 Configuring an Accounting Scheme
1.3.5 (Optional) Configuring a Recording Scheme
1.3.6 Checking the Configuration

1.3.1 Establishing the Configuration Task


Applicable Environment
An AAA scheme of the S9300 consists of the authentication scheme, authorization scheme,
accounting scheme, and recording scheme. The S9300 chooses the authentication, authorization,
accounting, and recording modes (local processing, remote processing, or no processing) and
relevant parameters for users according to the AAA scheme.
After an AAA scheme is configured, you can apply this AAA scheme (excluding the recording
scheme) to a domain. The S9300 then uses the scheme to perform authentication, authorization,
and accounting for users in the domain. You can configure different recording schemes for
different transactions in the AAA view.

Pre-configuration Tasks
None

Data Preparation
To configure AAA schemes, you need the following data.
No. Data
1. Name of the authentication scheme and authentication mode
2. Name of the authorization scheme, authorization mode, (optional) user level in
command-line-based authorization mode on the HWTACACS server, and (optional)
timeout interval for command-line-based authorization
3. Name of the accounting scheme and accounting mode
4. (Optional) Name of the recording scheme, name of the HWTACACS server template
associated with the recording scheme, and recording policy used to record events

1.3.2 Configuring an Authentication Scheme


Context
NOTE

By default, the local authentication mode is used. If users are not authenticated, you must create an
authentication scheme or modify the default authentication scheme by setting the authentication mode to
none. Then, you apply this authentication scheme to the domain that users belong to.
You need to set the authentication modes for a user logging in to the S9300 and upgrading user levels
separately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.



By default, there is an authentication scheme named default on the S9300. This scheme can be
modified but cannot be deleted.
Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]

Or
authentication-mode none

The authentication mode is set.

none indicates the non-authentication mode. By default, the local authentication mode is used.
If multiple authentication modes are used in an authentication scheme, the non-authentication
mode must be used as the last authentication mode.
If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS
or an HWTACACS server template and apply the template in the view of the domain that the
user belongs to.
NOTE

If multiple authentication modes are used in an authentication scheme, the authentication modes take effect
according to their configuration sequence. The S9300 adopts the next authentication mode only when the
current authentication mode is invalid. The S9300, however, does not adopt any other authentication mode
when users fail authentication in the current authentication mode.

Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]

Or,
authentication-super none

The authentication mode for upgrading user levels is set.


The none parameter indicates that the non-authentication mode is used. That is, user levels are
changed by users. By default, the local authentication mode is used for upgrading user levels.
When the local authentication mode is used for upgrading user levels, you need to run the super
password command in the system view to set the password for upgrading user levels. For details
on the super password command, see the Quidway S9300 Terabit Routing Switch Command
Reference - Basic Configurations.
----End

1.3.3 Configuring an Authorization Scheme


Context
NOTE

You can configure command-line-based authorization only when HWTACACS is adopted.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed.


By default, an authorization scheme named default exists on the S9300. This scheme can be
modified but cannot be deleted.
Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }* [ none ]

Or
authorization-mode none

The authorization mode is set.

By default, the local authorization mode is used.
If multiple authorization modes are used in an authorization scheme, the non-authorization mode
must be used as the last authorization mode.
When using the HWTACACS authorization mode, you must create an HWTACACS server
template and apply the template to the domain that the user belongs to.
NOTE

If multiple authorization modes are used in an authorization scheme, the authorization modes take effect
according to their configuration sequence. The S9300 adopts the next authorization mode only when the
current authorization mode is invalid. The S9300, however, does not adopt any other authorization mode
when users are not authorized in the current authorization mode.

Step 5 (Optional) Run:


authorization-cmd privilege-level hwtacacs [ local ]

The command-line-based authorization function is configured for users at a level.


By default, the command-line-based authorization function is not configured for users at levels
0 to 15.
If command-line authorization is enabled, you must create an HWTACACS server template and
apply the template in the view of the domain that the user belongs to.
Step 6 (Optional) Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

A policy is configured for command-line-based authorization failure.


By default, a policy is used to keep the user online when command-line-based authorization
fails.
The policy for command-line-based authorization failure is used only when the HWTACACS
server fails or the local user is not configured. The policy for command-line-based authorization
failure cannot be triggered in the following situations:
- The server works normally but the input command line fails to pass authorization on the
HWTACACS server.
- When the HWTACACS server fails, the command-line-based authorization mode changes
to the local authorization mode. Authorization fails because the level of the input command
is higher than the level set on the local end.

----End
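The fallback rule stated for multi-mode schemes in 1.3.2 Step 4 and 1.3.3 Step 4 (the next mode is tried only when the current mode is invalid, never after a definite reject, and none may only be last), modelled as a small evaluator. This is an added Python illustration, not S9300 code; the sample modes, the local user table, and the treatment of a user with no local entry as "mode cannot decide" are assumptions of the example.

```python
from __future__ import annotations

from enum import Enum
from typing import Callable, Sequence


class Result(Enum):
    ACCEPT = "accept"            # the user passes this mode
    REJECT = "reject"            # the user definitely fails this mode
    UNAVAILABLE = "unavailable"  # the mode itself is invalid (e.g. server unreachable)


# A mode is a callable (user, password) -> Result; 'none' is the open mode.
Mode = Callable[[str, str], Result]


def validate_mode_order(names: Sequence[str]) -> None:
    """Mirror the CLI rule: the non-authentication/authorization mode 'none'
    may appear only as the last mode of a scheme."""
    if "none" in list(names)[:-1]:
        raise ValueError("'none' must be the last mode in the scheme")


def evaluate_scheme(modes: Sequence[tuple[str, Mode]], user: str,
                    password: str) -> tuple[Result, str]:
    """Walk the configured modes in order and return (result, deciding mode).

    Only an UNAVAILABLE outcome moves on to the next mode.  ACCEPT or REJECT
    is final, so a user rejected by the server is never retried locally.
    """
    validate_mode_order([name for name, _ in modes])
    for name, check in modes:
        outcome = check(user, password)
        if outcome is Result.UNAVAILABLE:
            continue
        return outcome, name
    # Every mode was unavailable and no 'none' fallback is configured.
    return Result.REJECT, "no-mode-available"


# ---- constructed sample modes (stand-ins for the real checks) -------------
def radius_unreachable(user: str, password: str) -> Result:
    """Constructed: the RADIUS server does not answer within its timeout."""
    return Result.UNAVAILABLE


def radius_rejects(user: str, password: str) -> Result:
    """Constructed: the server answers and rejects the credentials."""
    return Result.REJECT


LOCAL_USERS = {"admin@default_admin": "s3cret"}  # constructed local user table


def local_database(user: str, password: str) -> Result:
    """Constructed local mode.  Assumption of this example: a user with no
    local entry makes the mode undecidable, so the next mode is tried."""
    if user not in LOCAL_USERS:
        return Result.UNAVAILABLE
    return Result.ACCEPT if LOCAL_USERS[user] == password else Result.REJECT


def none_mode(user: str, password: str) -> Result:
    """The 'none' mode: every user passes."""
    return Result.ACCEPT


if __name__ == "__main__":
    scheme = [("radius", radius_unreachable), ("local", local_database)]
    print(evaluate_scheme(scheme, "admin@default_admin", "s3cret"))  # local accepts
    print(evaluate_scheme(scheme, "admin@default_admin", "wrong"))   # local rejects
    print(evaluate_scheme(scheme, "stranger@default", "x"))          # nothing can decide
    # With 'none' appended, the same unknown user is let in while RADIUS is down.
    print(evaluate_scheme(scheme + [("none", none_mode)], "stranger@default", "x"))
    # A definite RADIUS reject is final even though 'local' follows it.
    print(evaluate_scheme([("radius", radius_rejects), ("local", local_database)],
                          "admin@default_admin", "s3cret"))
```

The last two calls are the point of the exercise: a trailing none turns a server outage into open access, while a reachable server that rejects the user is never overridden by the local database.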

1.3.4 Configuring an Accounting Scheme


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed.


By default, the S9300 provides an accounting scheme named default. This scheme can be
modified but cannot be deleted.
Step 4 Run:
accounting-mode { hwtacacs | radius | none }

The accounting mode is set.


By default, the accounting mode is none.
If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or
HWTACACS server template and apply the template to the corresponding user domain.
Step 5 (Optional) Run:
accounting realtime interval

Interim accounting is enabled and the accounting interval is set.


By default, interim accounting is enabled and the accounting interval is 5 minutes.
The accounting interval depends on network situations. A short interval increases the traffic on
the network and burdens the device that receives interim accounting packets. A long interval
increases the accounting errors when the communication between the accounting server and the
S9300 fails.
Step 6 (Optional) Run:
accounting start-fail { online | offline }

The policy for remote accounting-start failure is set.


If accounting start fails when a user logs in, the S9300 processes the user according to the policy
for accounting start failure.
By default, the S9300 forbids a user to get online when accounting start fails.

Step 7 (Optional) Run:


accounting interim-fail [ max-times times ] { online | offline }

The policy for remote interim accounting failure is set.


If the accounting fails after a user goes online, the S9300 processes the user according to the
policy for interim accounting failure.
By default, the number of interim accounting failures is set to 3 and the policy keeps the user
online.
----End

1.3.5 (Optional) Configuring a Recording Scheme


Context
To monitor the device and locate faults, you can configure a recording scheme to record the
following:
- Commands that are run on the S9300
- Information about connections
- System events
NOTE

You can configure the recording function only when HWTACACS is adopted.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed.


By default, no recording scheme exists on the S9300.
Step 4 Run:
recording-mode hwtacacs template-name

An HWTACACS server template that is associated with the recording scheme is configured.
By default, a recording scheme is not associated with an HWTACACS server template.
Step 5 Run:
quit

Return to the AAA view.



Step 6 Run:
cmd recording-scheme recording-scheme-name

The commands that are used on the S9300 are recorded.


By default, the commands that are used on the S9300 are not recorded.
Step 7 Run:
outbound recording-scheme recording-scheme-name

The information about connections is recorded.


By default, information about connections is not recorded.
Step 8 Run:
system recording-scheme recording-scheme-name

System events are recorded.


By default, system events are not recorded.
----End

1.3.6 Checking the Configuration


Prerequisite
The configurations of AAA schemes are complete.

Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display authentication-scheme [ authentication-scheme-name ] command to
check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check
the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the
configuration of the recording scheme.
- Run the display access-user command to check the summary of all online users.

----End

1.4 Configuring a RADIUS Server Template


This section describes how to configure a RADIUS server template on the S9300.
1.4.1 Establishing the Configuration Task
1.4.2 Creating a RADIUS Server Template
1.4.3 Configuring a RADIUS Authentication Server
1.4.4 Configuring the RADIUS Accounting Server
1.4.5 Configuring a RADIUS Authorization Server

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server


1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
1.4.11 Checking the Configuration

1.4.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as
required. You need to configure a RADIUS server template if RADIUS is used in the
authentication scheme.
NOTE

There are default parameters of a RADIUS server template, and the default parameters can be changed
according to the networking. You can modify the RADIUS configuration only when the RADIUS server
template is not in use.

Pre-configuration Tasks
None

Data Preparation
To configure a RADIUS server template, you need the following data.
No. Data
1. IP address of the RADIUS authentication server
2. IP address of the RADIUS accounting server
3. (Optional) Shared key of the RADIUS server
4. (Optional) User name format supported by the RADIUS server
5. (Optional) Traffic unit of the RADIUS server
6. (Optional) Timeout interval for a RADIUS server to send response packets and number
of times for retransmitting request packets on a RADIUS server
7. (Optional) Format of the NAS port attribute of the RADIUS server


1.4.2 Creating a RADIUS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

A RADIUS server template is created and the RADIUS server template view is displayed.
----End

1.4.3 Configuring a RADIUS Authentication Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured.


By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
Step 4 (Optional) Run:
radius-server authentication ip-address port [ source loopback interface-number ]
secondary

The secondary RADIUS authentication server is configured.


By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port
number is 0.
----End

1.4.4 Configuring the RADIUS Accounting Server


Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured.


By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
Step 4 (Optional) Run:
radius-server accounting ip-address port [ source loopback interface-number ]
secondary

The secondary RADIUS accounting server is configured.


By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port
number is 0.
----End

1.4.5 Configuring a RADIUS Authorization Server


Context
The RADIUS authorization server is mainly used to dynamically authorize users during service
selection.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server authorization ip-address { server-group group-name | shared-key
{ cipher | simple } key-string } * [ ack-reserved-interval interval ]

The RADIUS authorization server is configured.


By default, no RADIUS authorization server is configured in the S9300.
----End

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server


Context
When exchanging authentication packets, the S9300 and the RADIUS server encrypt important
information such as the password by using the Message Digest 5 (MD5) algorithm to ensure the
security of information transmitted over a network. To guarantee the validity of the authenticator
and the authenticated, the keys on the S9300 and the RADIUS server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server shared-key { cipher | simple } key-string

The shared key is set for a RADIUS server.


By default, the shared key of a RADIUS server is huawei.
----End
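Why the shared key set above must match on both ends: an added Python illustration of the two places RADIUS (RFC 2865) uses it, hiding the User-Password with MD5 and authenticating the server's reply. This is not S9300 or RADIUS server code; the fixed Request Authenticator, the empty attribute list, and the reuse of the page's keys huawei (the default) and hello (the key of template test in 1.4.11) as sample values are constructed.

```python
import hashlib
import hmac
import struct

# Page values reused as constructed sample data.
SERVER_SECRET = b"huawei"      # default shared key on the S9300
MISMATCHED_SECRET = b"hello"   # key configured on template 'test' in 1.4.11

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: null-pad to 16-octet blocks and XOR each block
    with MD5(secret + previous ciphertext block); the first 'previous block'
    is the 16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the trailing null padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 octets")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        clear += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(clear).rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (NAS) side: recompute the Response Authenticator with the local
    key and compare in constant time.  A key mismatch fails here, so the
    reply is silently discarded and the NAS only ever sees a timeout."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed, fixed Request Authenticator; a real NAS uses 16 random octets.
    request_auth = bytes(range(16))
    hidden = hide_password(b"s3cret", SERVER_SECRET, request_auth)
    print(reveal_password(hidden, SERVER_SECRET, request_auth))      # b's3cret'
    print(reveal_password(hidden, MISMATCHED_SECRET, request_auth))  # unusable bytes
    reply = build_response(ACCESS_ACCEPT, 7, b"", request_auth, SERVER_SECRET)
    print(verify_response(reply, request_auth, SERVER_SECRET))       # True
    print(verify_response(reply, request_auth, MISMATCHED_SECRET))   # False
```

When a template's key differs from the server's, the symptom on the S9300 is therefore a RADIUS timeout and retransmission (1.4.9), not an explicit reject.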

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server

Context
NOTE

A user name is in the user name@domain name format and the characters after @ refer to the domain name.
In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the
following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server user-name domain-included

The user name format supported by a RADIUS server is set.


By default, a user name supported by a RADIUS server contains the domain name. That is, the
S9300 sends the user name, domain name, and domain name delimiter to the RADIUS server
for authentication.

When the RADIUS server does not accept the user name that contains the domain name, you
can run the undo radius-server user-name domain-included command to delete the domain
name before sending it to the RADIUS server.
----End
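Domain resolution as described in 1.2 (delimiter, default domain, the 128-domain limit, the two undeletable built-in domains) together with the domain-included option from 1.4.7, as an added Python illustration rather than S9300 code. It assumes the first delimiter character in the name is the domain delimiter, uses the delimiter set listed in the NOTE above, and adds a collision check that is the example's own, not a device feature.

```python
from __future__ import annotations

from collections import defaultdict

# Delimiter set from 1.4.7: '@' plus \ / : < > | ' %
DOMAIN_DELIMITERS = set("@\\/:<>|'%")
DEFAULT_DOMAIN = "default"
BUILT_IN_DOMAINS = ("default", "default_admin")
MAX_DOMAINS = 128  # limit stated in 1.2, including the two built-in domains


def split_user_name(name: str) -> tuple[str, str, str]:
    """Return (user, delimiter, domain).

    Assumption of this example: the first delimiter character found splits
    the name.  A name without a delimiter belongs to the default domain and
    the returned delimiter is ''.
    """
    for i, ch in enumerate(name):
        if ch in DOMAIN_DELIMITERS:
            return name[:i], ch, name[i + 1:]
    return name, "", DEFAULT_DOMAIN


class DomainTable:
    """Configured domains; the built-in ones cannot be removed (1.2)."""

    def __init__(self) -> None:
        self._domains: set[str] = set(BUILT_IN_DOMAINS)

    def add(self, domain: str) -> None:
        if domain not in self._domains and len(self._domains) >= MAX_DOMAINS:
            raise ValueError(f"at most {MAX_DOMAINS} domains are supported")
        self._domains.add(domain)

    def remove(self, domain: str) -> None:
        if domain in BUILT_IN_DOMAINS:
            raise ValueError(f"domain {domain} cannot be deleted")
        self._domains.discard(domain)

    def resolve(self, name: str) -> str:
        """Domain used for AAA: the named one if it is configured, otherwise
        the default domain (the page's rule for an unobtainable domain)."""
        _, _, domain = split_user_name(name)
        return domain if domain in self._domains else DEFAULT_DOMAIN


def radius_user_name(name: str, domain_included: bool = True) -> str:
    """User-Name attribute sent to the RADIUS server (1.4.7): the whole
    string by default; only the part before the delimiter once
    'undo radius-server user-name domain-included' is configured."""
    user, _, _ = split_user_name(name)
    return name if domain_included else user


def radius_name_collisions(names, domain_included: bool) -> dict[str, list[str]]:
    """Accounts that become indistinguishable on the RADIUS server once the
    domain is stripped.  Example-only check, worth running before disabling
    domain-included on a template that several domains share."""
    seen: dict[str, list[str]] = defaultdict(list)
    for n in names:
        seen[radius_user_name(n, domain_included)].append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    table = DomainTable()
    table.add("huawei")
    print(table.resolve("user@huawei"))    # huawei
    print(table.resolve("user|huawei"))    # huawei (alternative delimiter)
    print(table.resolve("user"))           # default (no delimiter)
    print(table.resolve("user@unknown"))   # default (domain not configured)
    print(radius_user_name("user@huawei", domain_included=False))  # user
    print(radius_name_collisions(["alice@huawei", "alice@default", "bob@huawei"], False))
```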

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for a RADIUS server.


By default, the traffic is expressed in bytes on the S9300.
----End

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.


Step 3 Run:
radius-server timeout seconds

The timeout interval for a RADIUS server to send response packets is set.
By default, the timeout interval for a RADIUS server to send response packets is five seconds.
To check whether a RADIUS server is available, the S9300 periodically sends request packets
to the RADIUS server. If no response is received from the RADIUS server within the timeout
interval, the S9300 retransmits the request packets.
Step 4 Run:
radius-server retransmit retry-times

The number of times for retransmitting request packets on a RADIUS server is set.
By default, the number of times for retransmitting request packets on a RADIUS server is 3.
After retransmitting request packets to a RADIUS server for the set number of times, the
S9300 considers that the RADIUS server is unavailable.
----End

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server


Context
The NAS port format and the NAS port ID format are developed by Huawei, which are used to
maintain connectivity and service cooperation among devices of Huawei. The NAS port format
and NAS port ID format have new and old forms respectively. The ID format of the physical
port that access users belong to depends on the format of the NAS port attribute.
For Ethernet access users:
- NAS port
  - New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8
bits) + VLAN ID (12 bits).
  - Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).
- NAS port ID
  - New format of NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where
slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  - Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) +
card number (3 bytes) + VLAN ID (9 characters).

For ADSL access users:
- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) +
VPI (8 bits) + VCI (16 bits).
- NAS port ID
  - New format of NAS port ID: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, in which
slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and
VCI from 0 to 65535.
  - Old format of NAS port ID: slot number (2 characters) + subslot number (2 bytes) +
card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed
with 0s if they contain fewer bytes than specified.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
radius-server template template-name


The RADIUS server template view is displayed.


Step 3 Run:
radius-server nas-port-format { new | old }

The format of NAS port used by the RADIUS server is specified.


By default, the new format of NAS port is used.
Step 4 Run:
radius-server nas-port-id-format { new | old }

The format of the NAS port ID used by the RADIUS server is specified.
By default, the new format of the NAS port ID is used.
----End
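The new and old Ethernet NAS port layouts from the Context above, packed into and unpacked from the 32-bit NAS-Port attribute. This is an added Python illustration, not S9300 code; it covers the NAS port integer only (not the NAS port ID string), and the slot, subslot, port and VLAN sample values are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EthernetPort:
    slot: int
    subslot: int
    port: int
    vlan: int


def _fits(name: str, value: int, bits: int) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def encode_nas_port(p: EthernetPort, fmt: str = "new") -> int:
    """Pack the physical port into the 32-bit NAS-Port attribute.

    new (S9300 default): slot(8) | subslot(4) | port(8) | VLAN ID(12)
    old:                 slot(12)            | port(8) | VLAN ID(12)
    """
    if not 1 <= p.vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    _fits("port", p.port, 8)
    if fmt == "new":
        _fits("slot", p.slot, 8)
        _fits("subslot", p.subslot, 4)
        return (p.slot << 24) | (p.subslot << 20) | (p.port << 12) | p.vlan
    if fmt == "old":
        if p.subslot:
            raise ValueError("the old format has no subslot field")
        _fits("slot", p.slot, 12)
        return (p.slot << 20) | (p.port << 12) | p.vlan
    raise ValueError(f"unknown NAS-Port format {fmt!r}")


def decode_nas_port(value: int, fmt: str = "new") -> EthernetPort:
    """Unpack a NAS-Port value according to the format the server expects."""
    _fits("NAS-Port", value, 32)
    vlan = value & 0xFFF
    port = (value >> 12) & 0xFF
    if fmt == "new":
        return EthernetPort((value >> 24) & 0xFF, (value >> 20) & 0xF, port, vlan)
    if fmt == "old":
        return EthernetPort((value >> 20) & 0xFFF, 0, port, vlan)
    raise ValueError(f"unknown NAS-Port format {fmt!r}")


if __name__ == "__main__":
    # Constructed sample port: slot 3, subslot 1, port 17, VLAN 100.
    p = EthernetPort(slot=3, subslot=1, port=17, vlan=100)
    new_value = encode_nas_port(p, "new")
    print(hex(new_value), decode_nas_port(new_value, "new"))   # 0x3111064, slot 3
    # The same 32 bits read by a server configured for the old format: the
    # subslot bits are absorbed into the 12-bit slot field, so the session
    # is attributed to slot 49 instead of slot 3 / subslot 1.
    print(decode_nas_port(new_value, "old"))
```

The second print is why the radius-server nas-port-format setting has to agree with what the RADIUS server parses: a mismatch does not fail loudly, it silently misattributes the user's physical location.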

1.4.11 Checking the Configuration


Prerequisite
The configurations of the RADIUS server template are complete.

Procedure
- Run the display radius-server configuration [ template template-name ] command to
check the configuration of the RADIUS server template.

----End

Example
After completing the configurations of the RADIUS server template, you can run the display
radius-server configuration command to check the configuration of all templates.
<Quidway> display radius-server configuration
------------------------------------------------------------------
Server-template-name            : radius
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server       : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 3
Domain-included                 : YES
------------------------------------------------------------------
Server-template-name            : test
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : hello
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server       : 10.1.1.2; 1812; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 5
Domain-included                 : YES
------------------------------------------------------------------
Total of radius template :2

1.5 Configuring an HWTACACS Server Template


This section describes how to configure an HWTACACS server template on the S9300.
1.5.1 Establishing the Configuration Task
1.5.2 Creating an HWTACACS Server Template
1.5.3 Configuring an HWTACACS Authentication Server
1.5.4 Configuring the HWTACACS Accounting Server
1.5.5 Configuring an HWTACACS Authorization Server
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server
1.5.10 (Optional) Setting HWTACACS Timers
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet
1.5.12 Checking the Configuration

1.5.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as
required. You need to configure an HWTACACS server template if HWTACACS is used in an
authentication or an authorization scheme.
NOTE

The S9300 does not check whether the HWTACACS template is in use when you modify attributes of the
HWTACACS server except for deleting the configuration of the server.

Pre-configuration Tasks
None

Data Preparation
To configure an HWTACACS server template, you need the following data.
No.  Data
1    Name of the HWTACACS server template
2    IP addresses of HWTACACS authentication, authorization, and accounting servers
3    (Optional) Source IP address of the HWTACACS server
4    (Optional) Shared key of the HWTACACS server
5    (Optional) User name format supported by the HWTACACS server
6    (Optional) Traffic unit of the HWTACACS server
7    (Optional) Timeout interval for the HWTACACS server to send response packets and time when the primary HWTACACS server is restored to the active state

1.5.2 Creating an HWTACACS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is
displayed.
----End

1.5.3 Configuring an HWTACACS Authentication Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server authentication ip-address [ port ]

The IP address of the primary HWTACACS authentication server is configured.


By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and the
port number is 0.
Step 4 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] secondary

The IP address of the secondary HWTACACS authentication server is configured.


By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and
the port number is 0.
----End

1.5.4 Configuring the HWTACACS Accounting Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server accounting ip-address [ port ]

The primary HWTACACS accounting server is configured.


By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and the port
number is 0.
Step 4 Run:
hwtacacs-server accounting ip-address [ port ] secondary

The secondary HWTACACS accounting server is configured.


By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and the
port number is 0.
----End

1.5.5 Configuring an HWTACACS Authorization Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server authorization ip-address [ port ]

The IP address of the primary HWTACACS authorization server is configured.


By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the
port number is 0.
Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] secondary

The IP address of the secondary HWTACACS authorization server is configured.


By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and the
port number is 0.
----End

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of HWTACACS packets is configured.


By default, the source IP address of an HWTACACS packet is 0.0.0.0. In this case, the S9300
uses the IP address of the outgoing interface as the source IP address of the HWTACACS packet.
After you specify the source IP address of HWTACACS packets, the specified address is used
for the communication between the S9300 and the HWTACACS server. In this case, the
HWTACACS server uses the specified IP address to communicate with the S9300.
----End

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server


Context
Setting the shared key ensures the security of communication between the S9300 and an
HWTACACS server. To ensure the validity of the authenticator and the authenticated, the shared
keys set on the S9300 and the HWTACACS server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server shared-key { cipher | simple } key-string

The shared key is set for the HWTACACS server.


By default, no shared key is set for the HWTACACS server.
----End

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server

Context
NOTE

A user name is in the user name@domain name format and the character string after "@" refers to the
domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be
any of the following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server user-name domain-included

The user name format is set for an HWTACACS server.


By default, a user name supported by an HWTACACS server contains the domain name. That
is, the S9300 sends the user name, domain name, and domain name delimiter to the RADIUS
server for authentication.
If an HWTACACS server does not accept the user name that contains the domain name, you
can use the undo hwtacacs-server user-name domain-included command to delete the domain
name before sending it to the HWTACACS server.
----End

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for an HWTACACS server.


By default, the traffic is expressed in bytes on the S9300.
----End

1.5.10 (Optional) Setting HWTACACS Timers


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.


Step 3 Run:
hwtacacs-server timer response-timeout

The timeout interval for an HWTACACS server to send response packets is set.
By default, the timeout interval for an HWTACACS server to send response packets is five
seconds.
If the S9300 receives no response from an HWTACACS server during the timeout interval, it
considers the HWTACACS server as unavailable. In this case, the S9300 performs
authentication or authorization in other modes.
Step 4 Run:
hwtacacs-server timer quiet value

The time taken to restore an HWTACACS server to the active state is set.
By default, the time taken by the primary HWTACACS server to restore to the active state is
five minutes.
----End
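The two timers above behave as a small failover state machine, and the following Python models it as an added example (not Huawei code): a server that gives no reply within the response timeout is marked unavailable, and it returns to the active state once the quiet interval has elapsed. The defaults (5 seconds and 5 minutes) are the guide's; the order primary, then secondary, then no usable server (the point at which the S9300 would fall back to other modes), the secondary recovering under the same quiet timer, 0.0.0.0 port 0 meaning "not configured", and the sample addresses are assumptions of this model.

```python
"""Server selection under the HWTACACS response-timeout and quiet timers.

Added example, not Huawei code.  From the guide: a server that gives no reply
within the response timeout (default 5 s) is treated as unavailable, and the
primary is restored to the active state after the quiet interval (default
5 minutes).  Assumed here: the order primary, then secondary, then none (the
point at which the S9300 would fall back to other modes); the secondary
recovering under the same quiet timer; 0.0.0.0 port 0 meaning "not set"; and
the sample addresses.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_RESPONSE_TIMEOUT = 5.0      # seconds
DEFAULT_QUIET_INTERVAL = 5 * 60.0   # seconds (five minutes)


@dataclass
class Server:
    address: str
    port: int
    down_since: Optional[float] = None   # None while the server is active

    def is_configured(self) -> bool:
        return self.address != "0.0.0.0" and self.port != 0


@dataclass
class HwtacacsTemplate:
    name: str
    primary: Server
    secondary: Server = field(default_factory=lambda: Server("0.0.0.0", 0))
    response_timeout: float = DEFAULT_RESPONSE_TIMEOUT
    quiet_interval: float = DEFAULT_QUIET_INTERVAL

    def _is_active(self, server: Server, now: float) -> bool:
        if not server.is_configured():
            return False
        if server.down_since is None:
            return True
        if now - server.down_since >= self.quiet_interval:
            server.down_since = None     # quiet timer expired: back to active
            return True
        return False

    def current_server(self, now: float) -> Optional[Server]:
        """Server the switch would send to now; None means no HWTACACS server is usable."""
        for server in (self.primary, self.secondary):
            if self._is_active(server, now):
                return server
        return None

    def record_attempt(self, server: Server, sent_at: float, reply_at: Optional[float]) -> bool:
        """Record one request; True if the reply arrived within the response timeout."""
        if reply_at is not None and reply_at - sent_at <= self.response_timeout:
            return True
        server.down_since = sent_at + self.response_timeout   # unavailable from expiry on
        return False


def failover_timeline() -> List[str]:
    """Constructed scenario: primary stops answering at t=0, the secondary takes
    over, and the primary is used again once the quiet interval has elapsed."""
    tpl = HwtacacsTemplate("hhh", Server("100.1.1.2", 26), Server("100.1.1.3", 26))
    seen = [tpl.current_server(0.0).address]          # primary while healthy
    tpl.record_attempt(tpl.primary, 0.0, None)        # no reply within 5 s
    seen.append(tpl.current_server(10.0).address)     # secondary takes over
    seen.append(tpl.current_server(304.0).address)    # 299 s down: still quiet
    seen.append(tpl.current_server(305.0).address)    # 300 s: primary restored
    return seen


def fallback_needed_when_only_server_fails() -> bool:
    """With no secondary configured, a silent primary leaves no HWTACACS server."""
    tpl = HwtacacsTemplate("t", Server("100.1.1.2", 26))
    tpl.record_attempt(tpl.primary, 0.0, None)
    return tpl.current_server(10.0) is None
```

The second scenario is the case a reviewer should look for: with only a primary server configured, a single missed response leaves authentication and authorization to whatever other mode the scheme lists for the whole quiet interval, which is why the secondary server steps in 1.5.3 to 1.5.5 matter even though they are marked optional.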

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet

Context
If the HWTACACS accounting mode is used, the S9300 sends an Accounting-Stop packet to
the HWTACACS server after a user goes offline. If the connectivity of the network is not
desirable, you can enable the function of retransmitting the Accounting-Stop packet to prevent
the loss of accounting information.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

The function of retransmitting the Accounting-Stop packet is configured.


You can enable the function of retransmitting the Accounting-Stop packet and set the
retransmission count, or disable the function. By default, the retransmission function is enabled
and the retransmission count is 10.
----End

1.5.12 Checking the Configuration


Prerequisite
The configurations of the HWTACACS server template are complete.

Procedure
- Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.

----End

Example
After completing the configurations of the HWTACACS server template, you can run the
display hwtacacs-server template [ template-name ] command to view the configuration of
the template.
<Quidway> display hwtacacs-server template hhh
--------------------------------------------------------------------
HWTACACS-server template name   : hhh
Primary-authentication-server   : 100.1.1.2:26
Primary-authorization-server    : 100.1.1.3:26
Primary-accounting-server       : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 0.0.0.0:0
Secondary-accounting-server     : 0.0.0.0:0
Current-authentication-server   : 100.1.1.2:26
Current-authorization-server    : 100.1.1.3:26
Current-accounting-server       : 0.0.0.0:0
Source-IP-address               : 0.0.0.0
Shared-key                      : lsj
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 20
Domain-included                 : Yes
Traffic-unit                    : B
--------------------------------------------------------------------
Total 1,1 printed
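Both display commands, in 1.4.11 and in 1.5.12, print one "field : value" line per attribute, which makes them easy to audit offline. The following Python is an added example rather than a Huawei tool: it parses such output into one dictionary per template and flags templates that have no shared key, an unconfigured primary server, or no secondary server. The sample text is constructed to follow the layout of the guide's two examples, the field names are those the guide shows, and the checks are this example's own policy.

```python
"""Parse 'display radius-server configuration' / 'display hwtacacs-server template'
output into one dict per template and flag weak settings.

Added example, not Huawei code.  Field names follow the guide's output; the
sample text is constructed in that layout; the checks are this example's policy.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the guide's RADIUS example (two templates).
SAMPLE_RADIUS = """\
------------------------------------------------------------------
Server-template-name            : radius
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server       : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
------------------------------------------------------------------
Server-template-name            : test
Shared-secret-key               : hello
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server       : 10.1.1.2; 1813; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
------------------------------------------------------------------
Total of radius template :2
"""

# Constructed sample in the layout of the guide's HWTACACS example.
SAMPLE_HWTACACS = """\
--------------------------------------------------------------------
HWTACACS-server template name   : hhh
Primary-authentication-server   : 100.1.1.2:26
Primary-authorization-server    : 100.1.1.3:26
Primary-accounting-server       : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server  : 0.0.0.0:0
Secondary-accounting-server     : 0.0.0.0:0
Shared-key                      : lsj
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 20
--------------------------------------------------------------------
Total 1,1 printed
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")    # "name : value"
NAME_KEYS = ("Server-template-name", "HWTACACS-server template name")


def parse_templates(text: str) -> List[Dict[str, str]]:
    """One dict per template; a template-name field starts a new record."""
    templates: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or m.group(1).startswith("Total"):
            continue                       # separators, totals, blank lines
        key, value = m.group(1), m.group(2)
        if key in NAME_KEYS:
            current = {"name": value}
            templates.append(current)
        elif current:
            current[key] = value
    return templates


def server_address(value: str) -> Tuple[str, int]:
    """'ip; port; LoopBack:...' (RADIUS) or 'ip:port' (HWTACACS) -> (ip, port)."""
    if ";" in value:
        ip, port = [part.strip() for part in value.split(";")[:2]]
    else:
        ip, port = value.rsplit(":", 1)
    return ip, int(port)


def is_unset(value: str) -> bool:
    """0.0.0.0 with port 0 is the guide's default for a server that was never set."""
    return server_address(value) == ("0.0.0.0", 0)


def audit(template: Dict[str, str]) -> List[str]:
    """Findings for one template; an empty list means nothing to report."""
    findings = []
    if not template.get("Shared-secret-key", template.get("Shared-key", "")):
        findings.append("no shared key set")
    for role in ("authentication", "authorization", "accounting"):
        primary = template.get(f"Primary-{role}-server")
        if primary is None:
            continue                       # RADIUS output has no authorization server
        secondary = template.get(f"Secondary-{role}-server")
        if is_unset(primary):
            findings.append(f"primary {role} server not configured")
        elif secondary is None or is_unset(secondary):
            findings.append(f"no secondary {role} server (no failover)")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Map template name -> findings for a whole display output."""
    return {t["name"]: audit(t) for t in parse_templates(text)}
```

One thing the guide's own output makes visible is that both commands print the shared key in clear text (huawei and lsj in the examples), so saved output of these commands deserves the same handling as the running configuration.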

1.6 Configuring a Service Scheme


This section describes how to configure a service scheme in the S9300 to store authorization
information about users.
1.6.1 Establishing the Configuration Task
1.6.2 Creating a Service Scheme
1.6.3 Setting the Administrator Level
1.6.4 Configuring a DHCP Server Group
1.6.5 Configuring an Address Pool
1.6.6 Configure Primary and Secondary DNS Servers
1.6.7 Checking the Configuration

1.6.1 Establishing the Configuration Task


Applicable Environment
Access users must acquire authorization information before getting online. Authorization
information about users can be managed through the service scheme.

Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:
- Creating a DHCP server group
- Creating an address pool

Data Preparation
To configure a service scheme, you need the following data.
No.  Data
1    Service scheme
2    Administrator level
3    User priority
4    Name of the DHCP server group
5    Name and position of the address pool
6    IP address of the primary and secondary DNS servers

1.6.2 Creating a Service Scheme


Context
The service scheme is the aggregation of authorization information about users. After a service
scheme is created, you can set attributes of users in the service scheme view.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

A service scheme is created.


service-scheme-name is a string of 1 to 32 characters, excluding /, :, *, ?, <, >, and @.
By default, no service scheme is configured in the S9300.
----End

1.6.3 Setting the Administrator Level


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.


Step 4 Run:
adminuser-priority level

The administrator is enabled to log in to the S9300 and the administrator level is set.
The value of level ranges from 0 to 15. If this command is not run, the administrator level is
displayed as 16, which is invalid.
----End

1.6.4 Configuring a DHCP Server Group


Prerequisite
A DHCP server group is configured. For the procedure for configuring the DHCP server group,
see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.


Step 4 Run:
dhcp-server group group-name

A DHCP server group is configured.


----End

1.6.5 Configuring an Address Pool


Prerequisite
An IP address pool is configured. For the procedure for configuring the DHCP server group, see
the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.


Step 4 Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured or the position of a configured address pool is moved.


----End

1.6.6 Configure Primary and Secondary DNS Servers


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.


Step 4 Run:
dns ip-address

The IP address of the primary DNS server is configured.


Step 5 Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.


----End

1.6.7 Checking the Configuration


Procedure
Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service
scheme.
----End

Example
Run the display service-scheme command to view all the information about the service scheme.
<Quidway> display service-scheme
------------------------------------------------------------------
service-scheme-name                 scheme-index
------------------------------------------------------------------
svcscheme1                          0
svcscheme2                          1
------------------------------------------------------------------
Total of service scheme: 2

Run the display service-scheme name svcscheme1 command to view the configuration of
service scheme svcscheme1.
<Quidway> display service-scheme name svcscheme1
service-scheme-name           : svcscheme1
service-scheme-primary-dns    :
service-scheme-secondry-dns   :
service-scheme-uppriority     : 0
service-scheme-downpriority   : 0
service-scheme-adminlevel     : 16
service-scheme-dhcpgroup      :
service-scheme-flowstatup     : false
service-scheme-flowstatdown   : false
Idle-data-attribute(time,rate): <0,60>

1.7 Configuring a Domain


This section describes how to configure a domain on the S9300.
1.7.1 Establishing the Configuration Task
1.7.2 Creating a Domain
1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain
1.7.4 Configuring a RADIUS Server Template for a Domain
1.7.5 Configuring an HWTACACS Server Template for a Domain
1.7.6 (Optional) Configuring a Service Scheme for a Domain
1.7.7 (Optional) Setting the Status of a Domain
1.7.8 (Optional) Configuring the Domain Name Delimiter
1.7.9 Checking the Configuration

1.7.1 Establishing the Configuration Task


Applicable Environment
To perform authentication and authorization for a user logging in to the S9300, you need to
configure a domain.
NOTE

The modification of a domain takes effect next time a user logs in.

Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
- Configuring authentication and authorization schemes
- Configuring a RADIUS server template if RADIUS is used in an authentication scheme
- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
- Configuring local user management in local authentication or authorization mode

Data Preparation
To configure a domain, you need the following data.
No.  Data
1    Name of the domain
2    Names of authentication and authorization schemes of the domain
3    (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain
4    (Optional) Status of the domain

1.7.2 Creating a Domain


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.


The S9300 has two default domains: default and default_admin. Domain default is used for
common access users, and domain default_admin is used for administrators.
The S9300 supports up to 128 domains, including the two default domains.
----End

Postrequisite
After creating a domain, you can run the domain domain-name [ admin ] command in the system
view to configure the domain as the global default domain. The access users whose domain
names cannot be obtained are added to this domain.
If you do not run the domain domain-name [ admin ] command, the S9300 adds the common
users and administrators whose domain names cannot be obtained to domains default and
default_admin respectively.

1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is configured for the domain.


By default, the authentication scheme named default is used for a domain.
Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is configured for the domain.


By default, no authorization scheme is bound to a domain.
Step 6 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is configured for the domain.


By default, the accounting scheme named default is used for a domain.
----End
1.7.4 Configuring a RADIUS Server Template for a Domain


Context
If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS
server template to the domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
radius-server template-name

A RADIUS server template is configured for the domain.


By default, no RADIUS server template is configured for a domain.
----End

1.7.5 Configuring an HWTACACS Server Template for a Domain


Context
If the remote HWTACACS authentication or authorization mode is used in a domain, you need
to apply an HWTACACS server template to the domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
hwtacacs-server template-name

An HWTACACS server template is configured for the domain.


By default, no HWTACACS server template is configured for a domain.
----End

1.7.6 (Optional) Configuring a Service Scheme for a Domain


Context
Configuring a service scheme for a domain is to bind a service scheme to a domain. Users in the
domain obtain service information, such as the IP address and DNS server, from the service
scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
service-scheme service-scheme-name

A service scheme is bound to the domain.


By default, no service scheme is bound to the domain.
Before binding a service scheme to a domain, you must create the service scheme.
----End

1.7.7 (Optional) Setting the Status of a Domain


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain domain-name

The domain view is displayed.


Step 4 Run:
state { active | block }

The status of the domain is set.


When a domain is in blocking state, users that belong to this domain cannot log in. By default,
the domain is in active state after being created.
----End

1.7.8 (Optional) Configuring the Domain Name Delimiter


Context
A user account on the S9300 consists of a user name and a domain name. The user name and
domain name are separated by the domain name delimiter. For example, if the defined domain
name delimiter is @, the user account of user1 in domain dom1 is user1@dom1.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
domain-name-delimiter delimiter

The domain name delimiter is configured.


delimiter can be set to any one of \, /, :, <, >, |, @, ', and %.
By default, the domain name delimiter is @.
----End

1.7.9 Checking the Configuration


Prerequisite
The configurations of the domain are complete.
Procedure
- Run the display domain [ name domain-name ] command to check the configuration of the domain.

----End

Example
After the configuration, you can run the display domain command to view the summary of all
domains.
<Quidway> display domain
------------------------------------------------------------------------
DomainName                        index
------------------------------------------------------------------------
default                           0
default_admin                     1
huawei                            2
------------------------------------------------------------------------
Total: 3

Run the display domain [ name domain-name ] command, and you can view the configuration
of a specified domain.
<Quidway> display domain name huawei
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : scheme0
Accounting-scheme-name       : default
Authorization-scheme-name    :
Service-scheme-name          :
RADIUS-server-group          :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template     : -

1.8 Configuring Local User Management


This section describes how to configure local user management on the S9300.
1.8.1 Establishing the Configuration Task
1.8.2 Creating a Local User
1.8.3 (Optional) Setting the Access Type of the Local User
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
1.8.5 (Optional) Setting the Status of a Local User
1.8.6 (Optional) Setting the Level of a Local User
1.8.7 (Optional) Setting the Access Limit for a Local User
1.8.8 Checking the Configuration

1.8.1 Establishing the Configuration Task


Applicable Environment
You can create a local user on the S9300, configure attributes of the local user, and perform
authentication and authorization for users logging in to the S9300 according to information about
the local user.

Pre-configuration Tasks
None

Data Preparation
To configure local user management, you need the following data.
No.  Data
1    User name and password
2    Access type of the local user
3    Name of the FTP directory that the local user can access
4    Status of the local user
5    Level of the local user
6    Maximum number of local access users

1.8.2 Creating a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name password { simple | cipher } password

A local user is created.


If the user name contains a domain name delimiter, such as @, |, or %, the character string
before the delimiter refers to the user name and the character string after it refers to the
domain name. If the user name does not contain a domain name delimiter, the entire character
string represents the user name and the domain name is default.
----End
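Sections 1.5.8, 1.7.2 (Postrequisite), 1.7.8 and 1.8.2 all rest on the same two rules: how an account string is split at the domain name delimiter, and which domain a login without a delimiter is placed in. The following Python is an added example (not Huawei code) that implements both. The delimiter characters, the default delimiter @, the two built-in domains default and default_admin, the 128-domain limit, the global default set with domain domain-name [ admin ], the effect of the domain-included setting on the name sent to a server, and the refusal of logins to a blocked domain are taken from the guide; the DomainTable, the is_admin flag that tells administrators from common users, and the refusal of logins to a domain that does not exist are assumptions of this example.

```python
"""Account splitting and domain resolution as described for the S9300.

Added example, not Huawei code.  From the guide: the allowed delimiter
characters, the default delimiter '@', the two built-in domains default and
default_admin, the 128-domain limit, 'domain domain-name [ admin ]' as global
default, and a blocked domain refusing logins.  The DomainTable, the is_admin
flag and the refusal of logins to an unknown domain are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DELIMITERS = frozenset("\\/:<>|@'%")   # \ / : < > | @ ' %
MAX_DOMAINS = 128                       # including default and default_admin


def is_valid_delimiter(ch: str) -> bool:
    return len(ch) == 1 and ch in DELIMITERS


def split_account(account: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """(user name, domain name or None): text before the first delimiter is the
    user name, text after it is the domain name."""
    if not is_valid_delimiter(delimiter):
        raise ValueError(f"{delimiter!r} is not an allowed domain name delimiter")
    user, sep, domain = account.partition(delimiter)
    return user, (domain if sep else None)


def name_sent_to_server(account: str, domain_included: bool, delimiter: str = "@") -> str:
    """'user-name domain-included' (the default) forwards the whole account;
    its undo form strips delimiter and domain before the request is sent."""
    return account if domain_included else split_account(account, delimiter)[0]


@dataclass
class Domain:
    name: str
    state: str = "active"   # 'active' (default after creation) or 'block'


@dataclass
class DomainTable:
    domains: Dict[str, Domain] = field(default_factory=lambda: {
        "default": Domain("default"), "default_admin": Domain("default_admin")})
    global_default: Optional[str] = None        # set by 'domain domain-name'
    global_default_admin: Optional[str] = None  # set by 'domain domain-name admin'

    def create(self, name: str) -> Domain:
        if name not in self.domains and len(self.domains) >= MAX_DOMAINS:
            raise RuntimeError(f"at most {MAX_DOMAINS} domains are supported")
        return self.domains.setdefault(name, Domain(name))

    def resolve(self, account: str, is_admin: bool, delimiter: str = "@") -> Domain:
        """Domain a login is placed in; raises when it is unknown or blocked."""
        _, domain_name = split_account(account, delimiter)
        if domain_name is None:   # no delimiter: global default, else built-in default
            fallback = self.global_default_admin if is_admin else self.global_default
            domain_name = fallback or ("default_admin" if is_admin else "default")
        domain = self.domains.get(domain_name)
        if domain is None:
            raise LookupError(f"domain {domain_name!r} does not exist")
        if domain.state == "block":
            raise PermissionError(f"domain {domain_name!r} is blocked; login refused")
        return domain


def demo_resolution() -> List[str]:
    """Constructed walk-through: the domain chosen for each of four logins."""
    table = DomainTable()
    table.create("huawei")                  # the domain shown in the guide's example
    table.create("guest").state = "block"   # constructed blocked domain
    table.global_default = "huawei"         # as if 'domain huawei' had been run
    seen = [table.resolve("user1@huawei", is_admin=False).name,
            table.resolve("user2", is_admin=False).name,        # falls to global default
            table.resolve("admin1", is_admin=True).name]        # admin: default_admin
    try:
        table.resolve("user3@guest", is_admin=False)
        seen.append("allowed")
    except PermissionError:
        seen.append("refused")
    return seen
```

The split is done at the first delimiter only, matching the guide's description of the text before and after it; a delimiter that is not in the allowed set is rejected rather than silently treated as part of the user name.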
1.8.3 (Optional) Setting the Access Type of the Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name service-type { 8021x | bind | ftp | ssh | telnet | web }*

The access type of the local user is set.


By default, a local user can use all access types.
A user can successfully log in only when its access type matches the specified access type.
----End

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access

Context
NOTE

If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can
access; otherwise, the FTP user cannot log in.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name ftp-directory directory

The FTP directory that a local user can access is configured.


By default, the FTP directory that a local user can access is null.
----End
1.8.5 (Optional) Setting the Status of a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name state { active | block }

The status of a local user is set.


By default, a local user is in active state.
The S9300 processes a local user in active or blocking state as follows:
- If the local user is in active state, the S9300 receives the authentication request of this user for further processing.
- If the local user is in blocking state, the S9300 rejects the authentication request of this user.
----End

1.8.6 (Optional) Setting the Level of a Local User


Context
After the level of a local user is set, the login user can run the command only when the level is
equal to or higher than the command level.
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name level level

The level of a local user is set.


By default, the level of a local user is determined by the management module. For example,
there is a user level in the user interface view. If a user level is not set, the user level is 0.
NOTE

You can run the user-interface command in the system view to enter the user interface view. For details
on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit
Routing Switch Command Reference.

----End

1.8.7 (Optional) Setting the Access Limit for a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
aaa

The AAA view is displayed.


Step 3 Run:
local-user user-name access-limit max-number

The maximum number of online local users is set.


By default, the number of access users with the same user name is not restricted on the S9300.
----End

1.8.8 Checking the Configuration


Prerequisite
The configurations of the local user are complete.

Procedure
- Run the display local-user [ username user-name ] command to check the attributes of
  the local user.

----End

Example
After completing the configuration of local user management, you can run the display local-user command to view brief information about the attributes of local users.
<Quidway> display local-user
----------------------------------------------------------------------------
No.  User-Name  State  AuthMask  AdminLevel
----------------------------------------------------------------------------
0    lsj        A      A         -
----------------------------------------------------------------------------
Total 1 user(s)

Run the display local-user [ username user-name ] command, and you can view detailed
information about a specified user.
<Quidway> display local-user username lsj
The contents of local user :
Password       : hello
State          : Active
Auth-Type-Mask : A
Admin-level    :
Idle-Cut       : No
FTP-directory  :
Access-Limit   : No
Accessed-Num   : 0

1.9 Maintaining AAA and User Management


This section describes how to maintain AAA and user management.
1.9.1 Clearing the Statistics
1.9.2 Monitoring the Running Status of AAA
1.9.3 Debugging

1.9.1 Clearing the Statistics


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the
command.
Run the following command in the user view to clear the statistics.

Procedure
- Run the reset hwtacacs-server statistics { all | accounting | authentication |
  authorization } command to clear the statistics on the HWTACACS server.

----End

1.9.2 Monitoring the Running Status of AAA


Procedure
Step 1 Run the display aaa configuration command to view AAA running information.
----End
Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter : @
Domain                : total: 128 used: 5
Authentication-scheme : total: 128 used: 1
Accounting-scheme     : total: 128 used: 3
Authorization-scheme  : total: 128 used: 1
Service-scheme        : total: 128 used: 0

1.9.3 Debugging
Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a running fault occurs on the RADIUS or HWTACACS server, run the debugging
commands in the user view to locate the fault.

Procedure
- Run the debugging radius packet command to debug RADIUS packets.
- Run the debugging hwtacacs { all | error | event | message | receive-packet |
  send-packet } command to debug HWTACACS.

----End

1.10 Configuration Examples


This section provides several configuration examples of AAA and user management.
1.10.1 Example for Configuring RADIUS Authentication and Accounting
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

1.10.1 Example for Configuring RADIUS Authentication and Accounting
Networking Requirements
As shown in Figure 1-1, users access the network through S9300-A and are located in the domain
huawei. S9300-B acts as the network access server of the destination network. The access
request of the user needs to pass through the networks of S9300-A and S9300-B to reach the
authentication server. The user can access the destination network through S9300-B after
passing the remote authentication. The remote authentication mode on S9300-B is as follows:
- The RADIUS server performs authentication and accounting for access users.
- The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting
  server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and
  accounting server. The default authentication port and accounting port are 1812 and 1813
  respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting (labels: Domain huawei, S9300-A, S9300-B, Network, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24, Destination Network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template, the authentication and accounting schemes to the
   domain.

Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that a user belongs to
- Name of the RADIUS server template
- Name of the authentication scheme, authentication mode, name of the accounting scheme,
  and accounting mode
- IP addresses, authentication and accounting port numbers of the primary and secondary
  RADIUS servers
- Key and retransmission times of the RADIUS server

NOTE

The following configurations are performed on S9300-B.

Procedure
Step 1 Configure a RADIUS server template.
# Configure the RADIUS template named shiva.
<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and
accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting
servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the key and retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit

Step 2 Configure the authentication and accounting schemes.


# Configure authentication scheme 1, with the authentication mode being RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.
[Quidway-aaa] accounting-scheme 1
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit

Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and
RADIUS template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Step 4 Verify the configuration.


After running the display radius-server configuration template command on S9300-B, you
can view that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66; 1812; LoopBack:NULL
Primary-accounting-server       : 129.7.66.66; 1813; LoopBack:NULL
Secondary-authentication-server : 129.7.66.67; 1812; LoopBack:NULL
Secondary-accounting-server     : 129.7.66.67; 1813; LoopBack:NULL
Retransmission                  : 2
Domain-included                 : YES
-------------------------------------------------------------------

----End

Configuration Files
#
sysname Quidway
#
radius-server template shiva
radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
radius-server authentication 129.7.66.66 1812
radius-server authentication 129.7.66.67 1812 secondary
radius-server accounting 129.7.66.66 1813
radius-server accounting 129.7.66.67 1813 secondary
radius-server retransmit 2
#
aaa
authentication-scheme default
authentication-scheme 1
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme 1
accounting-mode radius
domain default
domain default_admin
domain huawei
authentication-scheme 1
accounting-scheme 1
radius-server shiva
#
return

1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization
Networking Requirements
As shown in Figure 1-2:
- Access users are first authenticated locally. If local authentication fails, the HWTACACS
  server is adopted to authenticate access users.
- HWTACACS authentication is required before the level of access users is promoted. If the
  HWTACACS server does not respond, local authentication is performed.
- HWTACACS authorization is performed for access users.
- All access users need to be charged.
- Interim accounting is performed every 3 minutes.

The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary
HWTACACS server is 129.7.66.67/24. The port number of the server for authentication,
accounting, and authorization is 49.

Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (labels: Domain huawei, S9300-A, S9300-B, Network, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24, Destination Network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication, authorization, and accounting
   schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that the user belongs to
- Name of the HWTACACS server template
- Name of the authentication scheme, authentication mode, name of the authorization
  scheme, authorization mode, name of the accounting scheme, and accounting mode
- IP addresses, authentication port numbers, authorization port numbers, and accounting port
  numbers of the primary and secondary HWTACACS servers
- Key of the HWTACACS server

NOTE

The following configurations are performed on S9300-B.

Procedure
Step 1 Configure an HWTACACS server template.
# Configure an HWTACACS server template named ht.
<Quidway> system-view
[Quidway] hwtacacs-server template ht

# Configure the IP address and port number of the primary HWTACACS server for
authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP address and port number of the secondary HWTACACS server for
authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the key of the HWTACACS server.
[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 2 Configure the authentication, authorization, and accounting schemes.


# Create an authentication scheme l-h and set the authentication mode to local-HWTACACS,
that is, the system performs local authentication first and then HWTACACS authentication.
HWTACACS authentication supersedes local authentication when the level of a user is
promoted.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode local hwtacacs
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit

# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of interim accounting to 3 minutes.


[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit

Step 3 Create the domain huawei and apply the authentication scheme l-h, the HWTACACS
authorization scheme, the HWTACACS accounting scheme, and the HWTACACS template ht
to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Step 4 Verify the configuration.


Run the display hwtacacs-server template command on S9300-B, and you can see that the
configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template index  : 0
HWTACACS-server template name   : ht
Primary-authentication-server   : 129.7.66.66:49
Primary-authorization-server    : 129.7.66.66:49
Primary-accounting-server       : 129.7.66.66:49
Secondary-authentication-server : 129.7.66.67:49
Secondary-authorization-server  : 129.7.66.67:49
Secondary-accounting-server     : 129.7.66.67:49
Current-authentication-server   : 129.7.66.66:49
Current-authorization-server    : 129.7.66.66:49
Current-accounting-server       : 129.7.66.66:49
Source-IP-address               : 0.0.0.0
Shared-key                      : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Quiet-interval(min)             : 5
Response-timeout-Interval(sec)  : 5
Domain-included                 : Yes
Traffic-unit                    : B
---------------------------------------------------------------------------

Run the display domain command on S9300-B, and you can see that the configuration of the
domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : l-h
Accounting-scheme-name       : hwtacacs
Authorization-scheme-name    : hwtacacs
Service-scheme-name          :
RADIUS-server-group          :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template     : ht

----End

Configuration Files
#
sysname Quidway
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-super hwtacacs super
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs

accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
domain default
domain default_admin
domain huawei
authentication-scheme l-h
accounting-scheme hwtacacs
authorization-scheme hwtacacs
hwtacacs-server ht
#
return
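Both configuration files in this section (1.10.1 and 1.10.2) share the template / scheme / domain layout shown above. As an added check, not Huawei code, the following Python script parses a file in that layout and reports a domain that references a scheme or template that does not exist, a scheme whose mode needs a server template the domain does not apply, a template without a secondary server, or a shared key stored with simple instead of cipher. It embeds the RADIUS file from 1.10.1 and a constructed weakened copy; the one-space indentation and the simple keyword for radius-server shared-key are assumptions about the file format.

```python
"""Added example (not Huawei code): audit an S9300-style AAA configuration file.
The parser keys on command words, not indentation, so it also reads the flattened
form in which the guide's "Configuration Files" sections print."""

# Configuration file of example 1.10.1 (one-space VRP indentation restored, assumed).
RADIUS_CFG = """\
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
"""
# Constructed variant with three defects: plain-text key, no secondary authentication
# server, and a domain that references an accounting scheme that is never defined.
WEAK_CFG = (RADIUS_CFG
            .replace("shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!", "shared-key simple hello")
            .replace(" radius-server authentication 129.7.66.67 1812 secondary\n", "")
            .replace("  accounting-scheme 1\n", "  accounting-scheme 2\n"))


def parse_config(text):
    """Return (templates, schemes, domains) found in the configuration text."""
    templates, schemes, domains = {}, {}, {}
    ctx = None  # ("template", name) | ("aaa",) | ("scheme", kind, name) | ("domain", name)
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("#", "return", "sysname"):
            ctx = None  # a '#' line closes the current block
            continue
        head, proto = parts[0], parts[0].removesuffix("-server")
        if proto in ("radius", "hwtacacs") and len(parts) > 2 and parts[1] == "template":
            templates[parts[2]] = {"proto": proto, "key": None, "servers": {}}
            ctx = ("template", parts[2])
        elif head == "aaa":
            ctx = ("aaa",)
        elif ctx and ctx[0] == "template" and len(parts) > 2:
            tpl = templates[ctx[1]]
            if parts[1] == "shared-key":
                tpl["key"] = parts[2]  # "cipher" or "simple"
            elif parts[1] in ("authentication", "authorization", "accounting"):
                tpl["servers"].setdefault(parts[1], []).append((parts[2], parts[-1] == "secondary"))
        elif ctx and len(parts) > 1:
            if head == "domain":
                domains[parts[1]] = {}
                ctx = ("domain", parts[1])
            elif ctx[0] == "domain":  # lines inside a domain are references to schemes/templates
                domains[ctx[1]][head.split("-")[0]] = parts[1]
            elif head.endswith("-scheme"):
                kind = head[: -len("-scheme")]
                schemes[(kind, parts[1])] = "local"  # mode used when no *-mode line follows
                ctx = ("scheme", kind, parts[1])
            elif head.endswith("-mode") and ctx[0] == "scheme":
                schemes[(ctx[1], ctx[2])] = " ".join(parts[1:])
    return templates, schemes, domains


def audit(text):
    """Return a list of findings; an empty list means the file passed every check."""
    templates, schemes, domains = parse_config(text)
    findings = []
    for name, tpl in templates.items():
        if tpl["key"] != "cipher":
            findings.append(f"template {name}: shared key missing or stored in plain text")
        for role, servers in tpl["servers"].items():
            if not any(secondary for _, secondary in servers):
                findings.append(f"template {name}: no secondary {role} server")
    for dname, refs in domains.items():
        for kind in ("authentication", "authorization", "accounting"):
            sname = refs.get(kind)
            if sname is None:
                continue
            mode = schemes.get((kind, sname))
            if mode is None:
                findings.append(f"domain {dname}: {kind}-scheme {sname} does not exist")
            else:
                for proto in sorted(set(mode.split()) & {"radius", "hwtacacs"}):
                    if refs.get(proto) not in templates:
                        findings.append(f"domain {dname}: {kind}-scheme {sname} needs a {proto} template")
    return findings
```

Calling audit(RADIUS_CFG) returns an empty list, while audit(WEAK_CFG) lists the three constructed defects in the order template checks, then domain checks.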


2 NAC Configuration

About This Chapter


This chapter describes the working principle and configuration of network access control (NAC).
2.1 Introduction to NAC
This section describes the working principle of NAC.
2.2 NAC Features Supported by the S9300
This section describes the NAC features supported by the S9300.
2.3 Configuring Web Authentication
This section describes how to configure the Web authentication function.
2.4 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.
2.5 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.
2.6 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.
2.7 Configuration Examples
This section provides several configuration examples of NAC.

2.1 Introduction to NAC


This section describes the working principle of NAC.
Traditional network security technologies focus on the threat brought by external computers,
rather than the threat brought by internal computers. In addition, the current network devices
cannot prevent the attacks initiated by the internal devices on the network. Network Access
Control (NAC) is an architecture of secure access, with the end-to-end security concept. NAC
considers the internal network security from the perspective of user terminals, rather than
network devices.
Figure 2-1 Typical networking of NAC (labels: User, NAD (S9300), ACS, AAA server, Directory server, Remediation server, PVS & Audit server)

As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes
the following parts:
- User: Access users who need to be authenticated. If 802.1x is adopted for user
  authentication, users need to install client software.
- NAD: Network access devices, including routers and switches (hereinafter referred to as
  the S9300), which are used to authenticate and authorize users. The NAD needs to work
  with the AAA server to prevent unauthorized terminals from accessing the network,
  minimize the threat brought by insecure terminals, prevent unauthorized access requests
  from authorized terminals, and thus protect core resources.
- ACS: Access control server that is used to check terminal security and health, manage
  policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent
  malicious damages from terminals.

2.1.1 Web Authentication


2.1.2 802.1x Authentication
2.1.3 MAC Address Authentication

2.1.1 Web Authentication


Web authentication is also called Portal authentication. When opening a browser for the first
time and entering a URL, users are forcibly re-directed to the authentication page of the Web
server. Users can access network resources only after passing the authentication. Users that do
not pass the authentication can only access the specified site server. When a user enters its user
name and password on the Web page, the Portal protocol is used to authenticate the user. This
process is Web authentication.
The Portal protocol enables Web servers to communicate with other devices. The portal protocol
is based on client/server model and uses the User Datagram Protocol (UDP) as the transmission
protocol. In Web authentication, the Web authentication server and the S9300 communicate
with each other through the portal protocol. In this case, the S9300 functions as the client. When
obtaining the user name and password entered by the user on the authentication page, the Web
authentication server transfers them to the S9300 through the portal protocol.

2.1.2 802.1x Authentication


The IEEE 802.1x standard (hereinafter referred to as 802.1x), is an interface-based network
access control protocol. Interface-based network access control is used to authenticate and
control access devices on an interface of a LAN access control device. User devices connected
to the interface can access the sources on the LAN only after they pass the authentication.
802.1x focuses on the status of the access interface only. When an authorized user accesses the
network by sending the user name and password, the interface is open. When an unauthorized
user or no user accesses the network, the interface is closed. The authentication result is reflected
by the status of the interface. The IP address negotiation and allocation that are considered in
common authentication technologies are not involved. Therefore, 802.1x authentication is the
simplest implementation scheme among the authentication technologies.
802.1x supports the authentication mode based on the access interface and the MAC address.
- Authentication mode based on the access interface: Other users can access network
  resources without authentication when the first user under the interface is successfully
  authenticated. But other users are disconnected when the first user goes offline.
- Authentication mode based on the MAC address: Every access user under this interface needs
  to be authenticated.

802.1x supports the following authentication modes:
- EAP termination mode: The network access device terminates EAP packets, obtains the
  user name and password from the packets, encrypts the password, and sends the user name
  and password to the AAA server for authentication.
- EAP transparent transmission authentication: Also called EAP relay authentication. The
  network access device directly encapsulates authentication information about 802.1x users
  and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS
  server. Therefore, the EAP packets do not need to be converted to the RADIUS packets
  before they are sent to the RADIUS server.

2.1.3 MAC Address Authentication


MAC address authentication is an authentication method that controls the network access
authority of a user based on the interface and MAC address. No client software needs to be
installed. The user name and password are the MAC address of the user device. After detecting
the MAC address of a user for the first time, the device starts authenticating the user.
In the MAC bypass authentication, the device first triggers the 802.1x authentication to
authenticate the user. If the 802.1x authentication is not performed for a long time, the device
sends the MAC address of the user, which is considered to be the user name and password of
the user, to the AAA server for authentication.

2.2 NAC Features Supported by the S9300


This section describes the NAC features supported by the S9300.
Functioning as the network access device (NAD), the S9300 supports the following NAC
features:
- 802.1x authentication based on the port
- 802.1x authentication based on the MAC address
- EAPOL termination authentication
- EAPOL transparent transmission authentication
- MAC address authentication
- MAC bypass authentication
- Web authentication

2.3 Configuring Web Authentication


This section describes how to configure the Web authentication function.
2.3.1 Establishing the Configuration Task
2.3.2 Configuring the Web Authentication Server
2.3.3 Binding the Web Authentication Server to the Interface
2.3.4 Configuring the Free Rule for Web Authentication
2.3.5 (Optional) Configuring the Web Authentication Policy
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
2.3.7 (Optional) Setting the Version of the Portal Protocol Packets
2.3.8 Checking the Configuration

2.3.1 Establishing the Configuration Task


Applicable Environment
The Web authentication can be configured for users who cannot install client software. Such
users can enter the user names and passwords in the Internet Web Browser for authentication.

Pre-configuration Tasks
Web authentication is only an implementation scheme to authenticate the user identity. To
complete the user identity authentication, you need to select the RADIUS or local authentication
method. Before configuring Web authentication, complete the following tasks:
- Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes,
  that is, RADIUS or local authentication schemes, for the user
- Configuring the user name and password on the RADIUS server if RADIUS authentication
  is used
- Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
To configure Web authentication, you need the following data.

No.  Data
1    Name, IP address, and URL of the Web server
2    Version number and interface number of the Portal protocol
3    Authentication-free rule ID

2.3.2 Configuring the Web Authentication Server


Context
To perform Web authentication for users, you must configure the Web authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server server-name ip-address [ port port-number [ all ] ] [ shared-key
{ cipher | simple } key-string ] [ url url-string ]

The Web authentication server is configured.


Up to 16 Web authentication servers can be configured.
----End

2.3.3 Binding the Web Authentication Server to the Interface


Context
After the Web authentication server is bound to the VLANIF interface, the Web authentication
can be performed for all the access users under the VLANIF interface.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Currently, the S9300 can perform Web authentication for users only through VLANIF interfaces.
Step 3 Run:
web-auth-server server-name

The Web authentication server is bound to the VLANIF interface.


You must configure a Web authentication server in the system view first and then bind the server
to the interface according to the server name in the interface view.
----End

2.3.4 Configuring the Free Rule for Web Authentication


Context
You need to configure the free rule in the following situations:
- After opening the HTTP browser, the user is forcibly re-directed to the authentication page
  of the Web authentication server. The free rule is mandatory if the Web authentication is
  adopted.
- Some special users need to access certain resources when they fail to pass the
  authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length
| ip-mask } | any } } | source { any | { interface interface-type interface-number
| ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*

The free rule is configured.


When the free rule is configured for Web authentication users, user packets matching the rule
can be forwarded before the Web authentication. Therefore, users without the Web
authentication possess certain access authority.
----End
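As an added illustration, not Huawei code, the following Python script parses free-rule commands written in the syntax of Step 2 and decides which packets from hosts that have not yet passed Web authentication would be forwarded by such rules. The rule set, VLAN numbers, and all addresses except the Web authentication server address taken from the display output in 2.3.8 are constructed.

```python
"""Added example (not Huawei code): evaluate 'portal free-rule' commands against packets.
The rule syntax follows Step 2 above; rules and packets are constructed for illustration."""
import ipaddress


def _parse_ip(toks, i):
    """Parse 'ip any' or 'ip <address> mask <length|mask>' at toks[i]; return (network, next index)."""
    if toks[i + 1] == "any":
        return None, i + 2
    return ipaddress.ip_network(f"{toks[i + 1]}/{toks[i + 3]}", strict=False), i + 4


def parse_free_rule(cmd):
    """Turn one 'portal free-rule ...' line into a rule dict; a missing constraint means 'any'."""
    toks = cmd.split()
    if toks[:2] != ["portal", "free-rule"]:
        raise ValueError("not a portal free-rule command")
    rule = {"id": int(toks[2]), "dst": None, "src": {}}
    i = 3
    while i < len(toks):
        if toks[i] == "destination":
            if toks[i + 1] == "any":
                rule["dst"], i = None, i + 2
            else:
                rule["dst"], i = _parse_ip(toks, i + 1)
        elif toks[i] == "source":
            i += 1
            if toks[i] == "any":
                i += 1
                continue
            while i < len(toks) and toks[i] in ("interface", "ip", "vlan"):
                if toks[i] == "interface":
                    rule["src"]["interface"], i = f"{toks[i + 1]} {toks[i + 2]}", i + 3
                elif toks[i] == "vlan":
                    rule["src"]["vlan"], i = int(toks[i + 1]), i + 2
                else:
                    net, i = _parse_ip(toks, i)
                    if net is not None:
                        rule["src"]["ip"] = net
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return rule


def matches(rule, pkt):
    """True if the packet (src_ip, dst_ip, vlan, interface) satisfies every constraint of the rule."""
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst_ip"]) not in rule["dst"]:
        return False
    src = rule["src"]
    if "ip" in src and ipaddress.ip_address(pkt["src_ip"]) not in src["ip"]:
        return False
    if "vlan" in src and pkt.get("vlan") != src["vlan"]:
        return False
    return "interface" not in src or pkt.get("interface") == src["interface"]


def forwarded_before_auth(rules, pkt):
    """Return the id of the first free rule the packet matches, or None if it must wait for Web auth."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["id"]
    return None


# Constructed rule set: rule 1 reaches the Web authentication server (address from the
# display output in 2.3.8), rule 2 allows a DNS server for VLAN 10, rule 3 is deliberately too broad.
RULES = [parse_free_rule(c) for c in (
    "portal free-rule 1 destination ip 100.1.1.114 mask 32 source any",
    "portal free-rule 2 destination ip 10.0.0.53 mask 255.255.255.255 source vlan 10",
    "portal free-rule 3 destination any source ip 10.0.10.0 mask 24",
)]


def demo():
    """Classify constructed packets from unauthenticated hosts; returns the matching rule id per packet."""
    pkts = [
        {"src_ip": "10.0.20.5", "dst_ip": "100.1.1.114", "vlan": 20},  # the portal page itself
        {"src_ip": "10.0.20.5", "dst_ip": "10.0.0.53", "vlan": 20},    # DNS, but from VLAN 20
        {"src_ip": "10.0.10.7", "dst_ip": "10.0.0.53", "vlan": 10},    # DNS from VLAN 10
        {"src_ip": "10.0.10.7", "dst_ip": "203.0.113.9", "vlan": 10},  # arbitrary external host
    ]
    return [forwarded_before_auth(RULES, p) for p in pkts]
```

The last packet is the point of the paragraph above: rule 3, with destination any, lets every host in 10.0.10.0/24 reach arbitrary destinations without authenticating, so free rules should be limited to the authentication server and the services it depends on.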

2.3.5 (Optional) Configuring the Web Authentication Policy


Context
When the RADIUS server is adopted to authenticate users, do as follows if the user authentication
information returned by the RADIUS server needs to be sent to the Web authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server reply-message

The device is configured to send the reply message for user authentication to the Web
authentication server.
By default, the S9300 sends the reply message for user authentication to the Web authentication
server.
----End

2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
Context
Do as follows to configure the port number for the S9300 to receive portal packets when the
S9300 communicates with the Web server. The port number must be consistent with the
destination port number contained in the packets sent by the Web authentication server and is
globally unique.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server listening-port port-number

The port number on which the S9300 listens to Portal packets is configured.
By default, the port number that listens to portal packets is 2000.
----End

2.3.7 (Optional) Setting the Version of the Portal Protocol Packets


Context
When the S9300 communicates with the Web authentication server by using the Portal protocol,
version numbers of the portal protocols used by the S9300 and the Web authentication server
must be the same.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
web-auth-server version v2 [ v1 ]

The version of the portal protocol is set.


By default, two versions coexist. If version 1 is not selected, only version 2 is in use.
----End

2.3.8 Checking the Configuration


Prerequisite
The configurations of Web authentication are complete.

Procedure
- Run the display web-auth-server configuration command to view the configuration of a
  Web authentication server.

----End

Example
# View the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name  : servera
IP-address            : 100.1.1.114
Shared-key            :
Port / PortFlag       : 10 / NO
URL                   :
------------------------------------------------------------------------
1 Web authentication server(s) in total

2.4 Configuring 802.1x Authentication


This section describes how to configure the 802.1x authentication function.
2.4.1 Establishing the Configuration Task
2.4.2 Enabling Global 802.1x Authentication
2.4.3 Enabling 802.1x Authentication on an Interface
2.4.4 (Optional) Enabling MAC Bypass Authentication
2.4.5 Setting the Authentication Method for the 802.1x User
2.4.6 (Optional) Configuring the Interface Access Mode
2.4.7 (Optional) Configuring the Authorization Status of an Interface
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication
2.4.10 (Optional) Configuring 802.1x Timers
2.4.11 (Optional) Configuring the Quiet Timer Function
2.4.12 (Optional) Configuring the 802.1x Re-authentication
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request
2.4.16 Checking the Configuration

2.4.1 Establishing the Configuration Task


Applicable Environment
You can configure 802.1x to implement port-based network access control, that is, to
authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
802.1x authentication is only the scheme that carries the user identity to the authenticator; the identity itself is verified by RADIUS or local authentication. Before configuring 802.1x authentication, complete the following tasks:
• Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
• Configuring the user name and password on the RADIUS server if RADIUS authentication is used
• Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
None.

2.4.2 Enabling Global 802.1x Authentication


Context
Before the configuration of 802.1x authentication, 802.1x needs to be globally enabled first.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x

802.1x authentication is globally enabled.

Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled globally. By default, 802.1x authentication is disabled.
----End

2.4.3 Enabling 802.1x Authentication on an Interface


Context

CAUTION
If 802.1x is enabled on the interface, MAC address authentication or direct authentication cannot
be enabled on the interface. If MAC address authentication or direct authentication is enabled
on the interface, 802.1x cannot be enabled on the interface.
You can enable 802.1x on an interface in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     802.1x authentication is enabled on the interfaces.
     You can enable 802.1x on interfaces in batches by specifying the interface list in the dot1x command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x
     802.1x authentication is enabled on the interface.

You can run the undo dot1x command only when no online user exists on the interface.
----End

2.4.4 (Optional) Enabling MAC Bypass Authentication


Context
The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, MAC bypass authentication can be adopted.
If 802.1x authentication of such a terminal fails, the access device sends the MAC address of the terminal, as both the user name and the password, to the RADIUS server for authentication. This process is MAC address bypass authentication.
You can configure MAC address bypass authentication in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC bypass authentication is enabled on the interfaces.
     You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x mac-bypass enable
     MAC address bypass authentication is enabled on the interface.

The dot1x mac-bypass enable command overrides the 802.1x authentication setting of the interface:
• If 802.1x authentication is disabled on the interface, it is enabled together with MAC address bypass authentication.
• If 802.1x authentication is already enabled, the authentication mode of the interface changes from 802.1x authentication to MAC address bypass authentication.

To disable MAC address bypass authentication, run the undo dot1x command. Note that this also disables 802.1x authentication on the interface.
----End

2.4.5 Setting the Authentication Method for the 802.1x User


Context
The authentication method for the 802.1x user can be set according to the actual networking
environment and security requirement.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x authentication-method { chap | eap | pap }

The authentication method is set for the 802.1x user.


By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.
• The Password Authentication Protocol (PAP) uses a two-way handshake and sends the password in plain text.
• The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake. Only the user name and an MD5 digest of the server's challenge combined with the password are transmitted, never the password itself; therefore, compared with PAP, CHAP is more secure and protects user privacy better.
• In Extensible Authentication Protocol (EAP) authentication, the S9300 relays the EAP packets of an 802.1x user to the RADIUS server unchanged instead of terminating EAP and converting the credentials into RADIUS PAP or CHAP attributes. To use PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable EAP authentication.

PAP authentication and CHAP authentication are termination authentication methods (the S9300 terminates the EAP exchange with the client), and EAP authentication is a relay authentication method (the RADIUS server terminates it).

CAUTION
If local authentication is adopted, you cannot use EAP authentication for 802.1x users, because EAP relay requires a RADIUS server to terminate the EAP exchange.
----End
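The practical difference between the three methods is what crosses the network between the client, the S9300 and the authentication server. The following Python script is an added example and is not code from the Huawei guide: it builds the credentials that a PAP, CHAP (RFC 1994) and EAP-MD5 (RFC 3748) exchange would carry for a constructed user name, password and challenge, and shows that the CHAP and EAP-MD5 response is the same MD5 digest, which only a server holding the password can verify. The user name, password and challenge values are constructed for the example.

```python
"""Added example, not from the Huawei guide: what PAP, CHAP and EAP-MD5 put on
the wire for an 802.1x user.  PAP carries the password; CHAP (RFC 1994) and
EAP-MD5 (RFC 3748, section 5.4) carry only MD5(Identifier || password ||
challenge), so the password never leaves the client and a captured response
is useless against a fresh challenge.  All credentials below are constructed."""
import hashlib
import hmac
import os


def pap_credentials(username: str, password: str) -> bytes:
    """PAP (termination method): user name and password are sent as-is."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one byte")
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def chap_credentials(username: str, password: str, identifier: int,
                     challenge: bytes) -> bytes:
    """CHAP (termination method): only name, challenge and digest are sent."""
    return (username.encode() + b"\x00" + challenge
            + chap_response(identifier, password, challenge))


def verify_chap(identifier: int, password: str, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the digest from the stored password and compare
    in constant time."""
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP Response/MD5-Challenge as relayed unchanged by the S9300 in EAP
    (relay) mode: Code=2, Identifier, Length, Type=4, Value-Size, Value."""
    value = chap_response(identifier, password, challenge)
    body = bytes([4, len(value)]) + value
    return bytes([2, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def password_exposed(wire_bytes: bytes, password: str) -> bool:
    """True when the plaintext password can be read straight out of the packet."""
    return password.encode() in wire_bytes


if __name__ == "__main__":
    challenge = os.urandom(16)  # the authenticator picks the challenge
    for name, pkt in (("PAP", pap_credentials("alice", "s3cret")),
                      ("CHAP", chap_credentials("alice", "s3cret", 7, challenge)),
                      ("EAP-MD5", eap_md5_response(7, "s3cret", challenge))):
        print(f"{name:8} password visible on the wire: {password_exposed(pkt, 's3cret')}")
```

The digest protects the password only as well as MD5 and the password's strength allow: a captured challenge and response can be attacked offline by guessing passwords, which is why the RADIUS shared secret and the link between the S9300 and the server still need protection even with CHAP.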

2.4.6 (Optional) Configuring the Interface Access Mode


Context
The 802.1x protocol can work in the following modes:
• Interface (port) mode: After the MAC address of one device connected to an interface passes authentication, every other device connected to the same interface (for example, through a hub or an unmanaged switch) can access the network without authentication.
• MAC mode: Each device connected to the interface must pass authentication with its own MAC address before it can access the network.

You can configure the access mode of an interface in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The access mode of the interfaces is configured.
     You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-method { mac | port }
     The access mode of the interface is configured.

By default, the access mode of an interface is MAC mode.

CAUTION
If the dot1x port-method { mac | port } command is run to change the access control mode of an interface when an online 802.1x user exists, the online user is disconnected forcibly.
----End

2.4.7 (Optional) Configuring the Authorization Status of an Interface
Context
Do as follows to authorize users and control their access scope after users pass authentication.
You can configure the authorization status of an interface in the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The authorization status of the interfaces is set.
     You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force }
     The authorization status of the interface is configured.

By default, the authorization status of an interface is auto.
• auto: The interface is initially in the unauthorized state and sends and receives only EAPoL packets, so users cannot access network resources. After a user passes authentication, the interface enters the authorized state and allows the user to access network resources.
• authorized-force: The interface is always in the authorized state and allows users to access network resources without authentication. This disables 802.1x enforcement on the interface, so use it only where access control is deliberately not required.
• unauthorized-force: The interface is always in the unauthorized state and does not allow users to access network resources.
----End

2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
Context
When the number of access users on interfaces reaches the maximum value, the S9300 does not
trigger authentication for subsequent access users. These subsequent access users thus cannot
access the network.
You can set the maximum number of access users on interfaces in the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of concurrent access users is set on the interfaces.
     You can configure the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x max-user user-number
     The maximum number of concurrent access users is set on the interface.

By default, each interface allows up to 8192 concurrent access users.
This command takes effect only on interfaces where users are authenticated based on MAC addresses. If users are authenticated based on the interface (port mode), the maximum number of access users is automatically set to 1: only one user needs to be authenticated on the interface, and other users can access the network after the first user passes authentication.

CAUTION
If the number of users already online on the interface is greater than the maximum number that you set, all of them are disconnected from the interface.
The maximum number of NAC access users supported by the S9300 depends on the model: 8192 multiplied by the number of LPU slots.
----End

2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication


Context
After DHCP packets are enabled to trigger authentication, the S9300 starts 802.1x authentication of an access user when the user sends DHCP packets to request an IP address. The user is therefore authenticated without dialing up with the client software, which speeds up network deployment.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x dhcp-trigger enable

Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user
authentication.
By default, DHCP packets do not trigger authentication.
After you run the dot1x dhcp-trigger enable command, users cannot obtain IP addresses
through DHCP if they do not pass the authentication.
----End

2.4.10 (Optional) Configuring 802.1x Timers


Context
When enabled, 802.1x starts several timers to keep the exchanges between supplicants, the authenticator, and the authentication server orderly.
You can change the values of some of these timers with the following command; others cannot be adjusted. Changing them may be necessary in specific cases or in a poor network environment. Normally, retain the default settings.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

The timers of 802.1x authentication are set.
• client-timeout: Authentication timeout timer of the client. The default is 30s.
• handshake-period: Interval at which the S9300 sends handshake packets to the 802.1x client. The default is 15s.
• quiet-period: Length of the quiet period. The default is 60s.
• reauthenticate-period: Re-authentication interval. The default is 3600s.
• server-timeout: Timeout timer of the authentication server. The default is 30s.
• tx-period: Interval for sending authentication requests. The default is 30s.

The dot1x timer command only sets the values of the timers; the corresponding functions (for example, the quiet timer, re-authentication, and the handshake) must be enabled with their own commands or left at their default settings.
----End

2.4.11 (Optional) Configuring the Quiet Timer Function


Context
If a user fails the 802.1x authentication after the quiet timer function is enabled, the S9300
considers the user quiet for a period and does not process the authentication requests from the
user in this period. In this manner, the impact caused by frequent authentication is prevented.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x quiet-period

The quiet timer function is enabled.

By default, the quiet timer function is disabled.
During the quiet period, the S9300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer quiet-period command to set the length of the quiet period. For details, see 2.4.10 (Optional) Configuring 802.1x Timers.
----End

2.4.12 (Optional) Configuring the 802.1x Re-authentication


Context
When 802.1x re-authentication is enabled on an interface, the S9300 re-authenticates its online users at the re-authentication interval. If re-authentication has not completed when the session times out, the S9300 disconnects the session and initiates re-authentication again.
You can configure 802.1x re-authentication in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     Re-authentication is enabled on the interfaces.
     You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x reauthenticate enable
     Re-authentication is enabled on the interface.

By default, 802.1x re-authentication is disabled on an interface.
You can run the dot1x timer reauthenticate-period command to set the re-authentication interval. For details, see 2.4.10 (Optional) Configuring 802.1x Timers.
----End

2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication

Context
When the guest VLAN is enabled, the S9300 sends authentication request packets on all interfaces on which 802.1x is enabled. If no response is received on an interface after the authentication request has been retransmitted the maximum number of times, the S9300 adds the interface to the guest VLAN. Users on the interface can then access resources in the guest VLAN without 802.1x authentication, but must still authenticate to access resources outside it. In this way, certain resources are available to users before they authenticate.
NOTE

The configured guest VLAN cannot be the default VLAN of the interface.

You can configure the guest VLAN in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The guest VLAN is configured on the interfaces.
     You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     dot1x guest-vlan vlan-id
     The guest VLAN is configured on the interface.

By default, no guest VLAN is configured on an interface.
----End

2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users

Context
The S9300 can send handshake packets to a Huawei client to detect whether the user is still online.
If the client does not support the handshake function, the S9300 receives no handshake response within the handshake interval and would disconnect the user. In this case, disable the handshake function to prevent the S9300 from disconnecting users by mistake.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x handshake

The handshake with 802.1x users is enabled.


By default, the S9300 is enabled to send handshake packets to online users.
You can run the dot1x timer handshake-period command to set the handshake interval. For details, see 2.4.10 (Optional) Configuring 802.1x Timers.
----End

2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request

Context
If the S9300 receives no response after sending an authentication request to a user, it retransmits the request. When no response has been received after the request has been sent the maximum number of times, the S9300 stops retransmitting the authentication request to that user.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dot1x retry max-retry-value

The retransmission count of the authentication request is set.


By default, the S9300 retransmits an authentication request to an access user twice.
----End

2.4.16 Checking the Configuration


Prerequisite
The configurations of 802.1x authentication are complete.

Procedure
• Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.

----End

Example
# View the information about 802.1x authentication on GE 1/0/0.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
 GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 8192
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 1     Failure: 11
 EAPOL Packets: TX : 24     RX : 4
 Sent     EAPOL Request/Identity Packets  : 11
          EAPOL Request/Challenge Packets : 1
          Multicast Trigger Packets       : 0
          DHCP Trigger Packets            : 0
          EAPOL Success Packets           : 1
          EAPOL Failure Packets           : 11
 Received EAPOL Start Packets            : 2
          EAPOL LogOff Packets            : 0
          EAPOL Response/Identity Packets : 1
          EAPOL Response/Challenge Packets: 1

 Index  MAC/VLAN            UserOnlineTime       UserName
 16514  0000-0002-2347/800  2009-06-09 19:10:40  000000022347
 16523  001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
 Controlled User(s) amount to 2 , print number:2.
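Reading this output by eye does not scale across many interfaces. The following Python script is an added example, not part of the Huawei guide or the S9300 software: it parses the text of display dot1x interface and flags settings that weaken port-based access control (a port-control other than auto, port-based access mode, MAC bypass, re-authentication disabled, a guest VLAN, and more failures than successes). The sample text is constructed from the output above; the string values that the S9300 prints for the non-default port-control and port-method settings are not shown on this page, so the audit only checks for the default values Auto and MAC-based, and the finding thresholds are the example's own choices.

```python
"""Added example, not from the Huawei guide: parse `display dot1x interface`
text and flag settings that weaken port-based access control.  SAMPLE is
constructed from the output format in this section; the audit thresholds are
the example's own choices, not S9300 defaults."""
import re

# Constructed from the display output in this section (not captured output).
SAMPLE = """\
GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 8192
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 1     Failure: 11
 EAPOL Packets: TX : 24     RX : 4
"""

_FIELDS = {
    "interface":    r"^(\S+) current state : (\S+)",
    "protocol":     r"802\.1x protocol is (\w+)(?:\[([\w-]+)\])?",
    "port_control": r"Port control type is (\S+)",
    "method":       r"Authentication method is (\S+)",
    "reauth":       r"Reauthentication is (\w+)",
    "max_user":     r"Max online user is (\d+)",
    "online":       r"Current online user is (\d+)",
    "guest_vlan":   r"Guest VLAN is (\w+)",
    "auth":         r"Authentication Success: (\d+)\s+Failure: (\d+)",
}


def parse_dot1x_interface(text: str) -> dict:
    """Return the per-interface 802.1x state as a dict; raise on an unknown
    layout rather than silently reporting a missing field as secure."""
    hits = {key: re.search(pat, text, re.M) for key, pat in _FIELDS.items()}
    missing = [key for key, hit in hits.items() if hit is None]
    if missing:
        raise ValueError("unrecognised output, missing: " + ", ".join(missing))
    return {
        "interface": hits["interface"].group(1),
        "state": hits["interface"].group(2),
        "enabled": hits["protocol"].group(1) == "Enabled",
        "mac_bypass": hits["protocol"].group(2) == "mac-bypass",
        "port_control": hits["port_control"].group(1),
        "method": hits["method"].group(1),
        "reauth": hits["reauth"].group(1) == "enabled",
        "max_user": int(hits["max_user"].group(1)),
        "online": int(hits["online"].group(1)),
        "guest_vlan": hits["guest_vlan"].group(1) != "disabled",
        "success": int(hits["auth"].group(1)),
        "failure": int(hits["auth"].group(2)),
    }


def audit(info: dict) -> list:
    """Findings a reviewer would raise for the interface (empty list = clean)."""
    findings = []
    if not info["enabled"]:
        findings.append("802.1x disabled: the interface admits any device")
    if info["port_control"].lower() != "auto":
        findings.append(f"port-control {info['port_control']}: authentication is "
                        "bypassed (authorized-force) or the port is closed (unauthorized-force)")
    if info["method"].lower() != "mac-based":
        findings.append(f"{info['method']} access mode: one authenticated host opens "
                        "the port for every MAC address behind it")
    if info["mac_bypass"]:
        findings.append("mac-bypass: hosts that do not answer EAP are admitted on "
                        "their MAC address alone, which can be spoofed")
    if not info["reauth"]:
        findings.append("re-authentication disabled: an online session is never re-verified")
    if info["guest_vlan"]:
        findings.append("guest VLAN configured: unauthenticated hosts reach guest resources")
    if info["failure"] > info["success"]:
        findings.append(f"{info['failure']} failures vs {info['success']} successes: "
                        "look for a misconfigured client or a host probing the port")
    return findings


if __name__ == "__main__":
    state = parse_dot1x_interface(SAMPLE)
    print(state["interface"], "online users:", state["online"])
    for finding in audit(state):
        print(" -", finding)
```

Run it against the output collected from each 802.1x interface; an empty findings list means the interface is at the settings this section recommends, and each finding names the command (port-control, port-method, mac-bypass, reauthenticate, guest-vlan) to revisit.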

2.5 Configuring MAC Address Authentication


This section describes how to configure the MAC address authentication function.
2.5.1 Establishing the Configuration Task
2.5.2 Enabling Global MAC Address Authentication
2.5.3 Enabling MAC Address Authentication on an Interface
2.5.4 (Optional) Enabling Direct Authentication
2.5.5 Configuring the User Name for MAC Address Authentication
2.5.6 (Optional) Configuring the Domain for MAC Address Authentication
2.5.7 (Optional) Setting the Timers of MAC Address Authentication
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address
2.5.11 Checking the Configuration

2.5.1 Establishing the Configuration Task


Applicable Environment
MAC address authentication can be configured to authenticate terminals on which client
software cannot be installed, such as faxes and printers.

Pre-configuration Tasks
MAC address authentication is only the scheme that carries the user identity to the authenticator; the identity itself is verified by RADIUS or local authentication. Before configuring MAC address authentication, complete the following tasks:
• Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the MAC address authentication user
• Configuring the user name and password on the RADIUS server if RADIUS authentication is used
• Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
To configure MAC address authentication, you need the following data.
No.  Data
1    Number of the interface on which MAC address authentication is enabled

2.5.2 Enabling Global MAC Address Authentication


Context
Before the configuration of MAC address authentication, enable MAC address authentication
globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-authen

MAC address authentication is enabled globally.

Related configurations of MAC address authentication take effect only after MAC address authentication is enabled globally. By default, MAC address authentication is disabled globally.
----End

2.5.3 Enabling MAC Address Authentication on an Interface


Context

CAUTION
If MAC address authentication is enabled on the interface, 802.1x authentication or direct
authentication cannot be enabled on the interface. If 802.1x or direct authentication is enabled
on the interface, MAC address authentication cannot be enabled on the interface.
You can enable MAC address authentication on an interface in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     MAC address authentication is enabled on the interfaces.
     You can enable MAC address authentication on interfaces in batches by specifying the interface list in the mac-authen command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     mac-authen
     MAC address authentication is enabled on the interface.

Ensure that no online user exists on the interface before disabling MAC address authentication with the undo mac-authen command.
----End

2.5.4 (Optional) Enabling Direct Authentication


Context
After direct authentication is enabled on an interface, users who connect to the network through the interface are admitted without any credential check; the interface behaves as if every user had passed authentication. Use it only where access control on the interface is deliberately not required.

CAUTION
If direct authentication is enabled on an interface, 802.1x authentication and MAC address authentication cannot be enabled on the interface. If 802.1x authentication or MAC address authentication is enabled on the interface, direct authentication cannot be enabled on the interface.
You can enable direct authentication in either of the following ways.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     direct-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     Direct authentication is enabled on the interfaces.
     You can configure direct authentication on interfaces in batches by specifying the interface list in the direct-authen command in the system view.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     direct-authen enable
     Direct authentication is enabled on the interface.

By default, direct authentication is disabled on an interface.
----End

2.5.5 Configuring the User Name for MAC Address Authentication


Context
A user can use a fixed user name or the MAC address as the user name.
The user name for which MAC address authentication is used can be configured globally and
on an interface.
l

The global configuration is valid for all interfaces.

The configuration on an interface is valid only for the specified interface. The user name
configured on an interface takes precedence over the user name configured globally. If the
user name is not configured on an interface, the globally configured user name is used.

Procedure
• Configuring a fixed user name for users that use MAC address authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen username fixed
     The S9300 is configured to use a fixed user name for users that use MAC address authentication.
  3. Run:
     mac-authen username username
     The fixed user name is configured.
  4. Run:
     mac-authen password password
     The password for the fixed user name is set.
• Configuring the MAC address as the user name for users that use MAC address authentication
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen username macaddress
     Users that use MAC address authentication are configured to use their MAC addresses as their user names.
  3. (Optional) Run:
     mac-authen username macaddress [ format { with-hyphen | without-hyphen } ]
     The format of the user name is set.
     A MAC address used as the user name can take two formats: hyphenated (such as 0010-8300-0011) or without hyphens (such as 001083000011). By default, the MAC address without hyphens is used.
     After you run the mac-authen username macaddress command, access users are authenticated with their MAC addresses as both the user name and the password. The MAC address is therefore the only credential; it is visible to any host on the LAN and can be spoofed, so treat MAC address authentication as identification of a terminal rather than as strong authentication.
• Configuring the user name in the interface view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     mac-authen username { fixed user-name [ password password ] | macaddress format { with-hyphen | without-hyphen } }
     The user name (and, for a fixed user name, the password) used for MAC address authentication on the interface is configured.
----End
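With mac-authen username macaddress, the S9300 submits the MAC address to the RADIUS server as both the user name and the password; the same applies to MAC bypass authentication in 2.4.4, which is why the MAC bypass user in the 2.4.16 example appears with the user name 000000022347. The following Python script is an added example and is not code from the Huawei guide: it normalises a MAC address into the with-hyphen and without-hyphen user-name formats, builds the RADIUS Access-Request a NAS would send for such a user with the User-Password hidden as RFC 2865 section 5.2 specifies, and performs the server-side check. The shared secret, the Request Authenticator and the MAC addresses are constructed values, and the attribute set (User-Name, User-Password, Calling-Station-Id) is an assumption about a typical NAS, not the S9300's actual packet layout.

```python
"""Added example, not from the Huawei guide: what a NAS submits to RADIUS for a
MAC-authenticated user.  User-Name and User-Password are both the MAC address,
hidden only by the RFC 2865 section 5.2 shared-secret scheme.  MACs, secret and
Request Authenticator are constructed values; the attribute set is an
assumption about a typical NAS, not the S9300's actual packet layout."""
import hashlib
import os
import re
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31


def mac_username(mac: str, with_hyphen: bool = False) -> str:
    """Normalise any common MAC spelling to the two S9300 user-name formats:
    '0010-8300-0011' (with-hyphen) or '001083000011' (without-hyphen)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if with_hyphen:
        return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    return digits


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with the Request Authenticator standing in for c_0."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = -len(password) % 16
    if not password:
        pad = 16  # the attribute carries at least one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, mask))
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1), Length (1, includes the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier: int, mac: str, secret: bytes,
                         authenticator: bytes, with_hyphen: bool = False) -> bytes:
    """Access-Request for a MAC user: User-Name = User-Password = MAC address."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    name = mac_username(mac, with_hyphen).encode()
    attrs = (_attr(USER_NAME, name)
             + _attr(USER_PASSWORD, hide_password(name, secret, authenticator))
             + _attr(CALLING_STATION_ID, mac_username(mac, True).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: value} attribute map."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": identifier,
            "authenticator": packet[4:20], "attrs": attrs}


def server_check(packet: bytes, secret: bytes, known_macs: set) -> bool:
    """Server side for a MAC user: recover the password and require that both
    user name and password equal a registered MAC address."""
    p = parse_packet(packet)
    name = p["attrs"][USER_NAME]
    password = reveal_password(p["attrs"][USER_PASSWORD], secret, p["authenticator"])
    return name.decode("ascii", "replace") in known_macs and password == name


if __name__ == "__main__":
    secret, authenticator = b"huawei-radius", os.urandom(16)
    pkt = build_access_request(1, "00:00:00:02:23:47", secret, authenticator)
    print(len(pkt), "byte Access-Request; accepted:",
          server_check(pkt, secret, {"000000022347"}))
```

Two things follow from the packet layout. First, the User-Password hiding is an MD5 keystream keyed only by the shared secret and a public Request Authenticator, so anyone holding the secret (or able to guess a weak one offline from a capture) reads every MAC on the wire; the secret, not the MAC, is what protects the exchange between the S9300 and the server. Second, because user name and password are both the MAC address, the server-side check reduces to "is this MAC registered", which is exactly the strength this authentication method provides.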

2.5.6 (Optional) Configuring the Domain for MAC Address Authentication

Context
If the MAC address is used as the user name, or the fixed user name does not carry a domain name, you must configure the authentication domain. If the fixed user name carries a domain name, the domain in the user name is used.
NOTE

Before configuring the authentication domain for users that use MAC address authentication, confirm that the domain exists. Otherwise, the system displays an error message during the configuration.

The domain for MAC address authentication can be configured globally and on an interface.
• The global configuration is valid for all interfaces.
• The configuration on an interface is valid only for that interface. The domain configured on an interface takes precedence over the domain configured globally. If no domain is configured on an interface, the globally configured domain is used.

Procedure
• In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen domain isp-name
     The domain is configured for users that use MAC address authentication.
• In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     mac-authen domain isp-name
     The domain is configured for users that use MAC address authentication on the interface.

The default authentication domain is the domain named default.
----End

2.5.7 (Optional) Setting the Timers of MAC Address Authentication

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | server-timeout server-timeout-value }
The timers for MAC address authentication are set.
- guest-vlan reauthenticate-period: interval at which users in the guest VLAN are
  re-authenticated. The default is 30s.
- offline-detect: offline-detect timer, the interval at which the S9300 checks whether a
  user has gone offline. The default is 300s.
- quiet-period: quiet timer. After a user fails authentication, the S9300 waits for this
  period before processing further authentication requests from that user; during the quiet
  period its requests are ignored. The default is 60s. The quiet period slows down an
  attacker trying MAC addresses one after another, but it also delays recovery of a legitimate
  device whose RADIUS entry was missing or mis-formatted.
- server-timeout: server timeout timer. If the S9300 receives no response from the RADIUS
  server within this period during authentication, the authentication fails. The default is
  30s.
----End
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication

Context
If the guest VLAN function is enabled and MAC address authentication fails, the S9300 adds
the user's access interface to the guest VLAN. Users in the guest VLAN can then reach the
resources in the guest VLAN without MAC address authentication, but must still pass
authentication to reach other resources. In this way, a limited set of resources is available
to users that have not been authenticated. Because the interface, not only the failed device,
is added to the guest VLAN, place in it only resources that may be exposed to unauthenticated
devices.
NOTE
The VLAN to be configured as the guest VLAN must exist in the system and cannot be the
default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The guest VLAN of the interfaces is configured.
     You can configure the guest VLAN of interfaces in batches by specifying an interface
     list in the mac-authen guest-vlan command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     mac-authen guest-vlan vlan-id
     The guest VLAN of the interface is configured.
  By default, no guest VLAN is configured on an interface.
----End

2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication

Context
When the number of access users on an interface reaches the limit, the S9300 does not trigger
authentication for users that connect to the interface later, so those users cannot access
the network.
You can configure the maximum number of access users who adopt MAC address authentication
in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
     The maximum number of access users who adopt MAC address authentication is set on the
     interfaces.
     You can set the maximum number of access users on interfaces in batches by specifying
     an interface list in the mac-authen max-user command in the system view.
- In the interface view:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number
     The interface view is displayed.
  3. Run:
     mac-authen max-user user-number
     The maximum number of access users who adopt MAC address authentication on the
     interface is set.
  By default, the maximum number of access users who adopt MAC address authentication on
  an interface of the S9300 is 8192.
  The maximum number of NAC access users allowed by the S9300 depends on the S9300 model:
  8192 multiplied by the number of LPU slots. Because this capacity is shared by all
  interfaces of an LPU, an interface left at the default can, when flooded with spoofed
  source MAC addresses, consume the capacity of its whole LPU. Set the limit to the number of
  devices actually expected on each interface and watch the Current online user value in
  display mac-authen.
----End

2.5.10 (Optional) Re-Authenticating a User with a Specific MAC Address

Context
If re-authentication of a user with a specific MAC address is enabled, the online user is
re-authenticated periodically. If the user passes the authentication, the user is
re-authorized; otherwise, the user goes offline.
You can run the mac-authen timer command to set the re-authentication interval. For details,
see 2.5.7 (Optional) Setting the Timers of MAC Address Authentication.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mac-authen reauthenticate mac-address mac-address
The specified user that has passed MAC address authentication is re-authenticated.
If the user has not passed MAC address authentication, the user is not authenticated again.
----End

2.5.11 Checking the Configuration

Prerequisite
The configurations of MAC address authentication are complete.

Procedure
- Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
----End

Example
View information about MAC address authentication on GE 1/0/1.
<Quidway> display mac-authen interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
MAC address authentication is Enabled
Max online user is 8192
Current online user is 1
Guest VLAN is disabled
Authentication Success: 1, Failure: 0
Index       MAC/VLAN                UserOnlineTime
16400       00e0-fc33-0011/15       2009-05-18 09:21:55
Controlled User(s) amount to 1
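Operators who poll this command from a script need to turn the output into fields they can alert on. The parser below is an added example (not Huawei code); it reads the display output shown above, reproduced here as constructed input, and flags the conditions described in this chapter: authentication disabled, authentication failures (devices held by the quiet timer), and an interface approaching its max-user limit, after which new devices are no longer authenticated. The alert threshold and wording are assumptions.

```python
"""Parse the output of 'display mac-authen interface ...' and flag conditions
an operator would act on. Added example, not Huawei code. SAMPLE is the page's
own example output reproduced as constructed input; the alert threshold and the
wording of the checks are assumptions."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
GigabitEthernet1/0/1 current state : UP
MAC address authentication is Enabled
Max online user is 8192
Current online user is 1
Guest VLAN is disabled
Authentication Success: 1, Failure: 0
Index       MAC/VLAN                UserOnlineTime
16400       00e0-fc33-0011/15       2009-05-18 09:21:55
Controlled User(s) amount to 1
"""


@dataclass
class OnlineUser:
    index: int
    mac: str
    vlan: int
    online_since: str


@dataclass
class PortStatus:
    interface: str = ""
    link_state: str = ""
    enabled: bool = False
    max_users: int = 0
    online_users: int = 0
    guest_vlan: str = ""
    success: int = 0
    failure: int = 0
    users: list = field(default_factory=list)


_RE = {
    "state": re.compile(r"^(\S+) current state : (\S+)"),
    "enabled": re.compile(r"^MAC address authentication is (\w+)"),
    "max": re.compile(r"^Max online user is (\d+)"),
    "online": re.compile(r"^Current online user is (\d+)"),
    "guest": re.compile(r"^Guest VLAN is (.+)$"),
    "counts": re.compile(r"^Authentication Success: (\d+), Failure: (\d+)"),
    "user": re.compile(
        r"^(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(\d+)\s+"
        r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    ),
}


def parse_mac_authen(text: str) -> PortStatus:
    """Turn one interface's display output into a PortStatus."""
    st = PortStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RE["state"].match(line):
            st.interface, st.link_state = m.group(1), m.group(2)
        elif m := _RE["enabled"].match(line):
            st.enabled = m.group(1).lower() == "enabled"
        elif m := _RE["max"].match(line):
            st.max_users = int(m.group(1))
        elif m := _RE["online"].match(line):
            st.online_users = int(m.group(1))
        elif m := _RE["guest"].match(line):
            st.guest_vlan = m.group(1).strip()
        elif m := _RE["counts"].match(line):
            st.success, st.failure = int(m.group(1)), int(m.group(2))
        elif m := _RE["user"].match(line):
            st.users.append(OnlineUser(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return st


def check_port(st: PortStatus, high_water: float = 0.9) -> list:
    """Short alert strings; an empty list means nothing needs attention."""
    alerts = []
    if not st.enabled:
        alerts.append("MAC address authentication is not enabled on the interface")
    if st.failure:
        alerts.append(f"{st.failure} authentication failure(s): check the RADIUS user entries and "
                      "the user-name format; failed MACs are held by the quiet timer")
    if st.max_users and st.online_users >= high_water * st.max_users:
        alerts.append(f"{st.online_users}/{st.max_users} users online; once the limit is reached "
                      "new devices on the interface are not authenticated")
    return alerts
```

The per-user rows (index, MAC/VLAN, online time) are kept so that a sudden jump in the number of rows from one interface, or a MAC appearing on an interface where it has never been seen, can be compared against an inventory of expected devices.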

2.6 Maintaining NAC

This section describes how to clear statistics about NAC and debug NAC.
2.6.1 Clearing the Statistics About 802.1x Authentication
2.6.2 Clearing Statistics About MAC Address Authentication
2.6.3 Debugging 802.1x Authentication
2.6.4 Debugging MAC Address Authentication

2.6.1 Clearing the Statistics About 802.1x Authentication

Context
CAUTION
Statistics cannot be restored after being cleared. Confirm the action before you run the
following commands.
After you confirm that the statistics are to be reset, do as follows in the user view.

Procedure
- Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.
----End

2.6.2 Clearing Statistics About MAC Address Authentication

Context
CAUTION
Statistics cannot be restored after being cleared. Confirm the action before you run the
following commands.
After you confirm that the statistics are to be reset, do as follows in the user view.

Procedure
- Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.
----End

2.6.3 Debugging 802.1x Authentication

Context
CAUTION
Debugging affects system performance. After debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs during 802.1x authentication, run the following debugging command in
the user view to locate the fault.

Procedure
- Run the debugging dot1x { all | error | event | info | message | packet } command to
  enable debugging of 802.1x authentication.
----End

2.6.4 Debugging MAC Address Authentication

Context
CAUTION
Debugging affects system performance. After debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs during MAC address authentication, run the following debugging
command in the user view to locate the fault.

Procedure
- Run the debugging mac-authen { all | error | event | info | message | packet } command
  to enable debugging of MAC address authentication.
----End

2.7 Configuration Examples

This section provides several configuration examples of NAC.
2.7.1 Example for Configuring Web Authentication
2.7.2 Example for Configuring 802.1x Authentication
2.7.3 Example for Configuring MAC Address Authentication

2.7.1 Example for Configuring Web Authentication


Networking Requirements
As shown in Figure 2-2, the requirements are as follows:
- The user interacts with the Web authentication server through the S9300.
- The authentication is performed by the RADIUS server.
- The user can access only the Web authentication server before authentication.
- After passing the Web authentication, the user can access the external network.

Figure 2-2 Network diagram for configuring Web authentication
[Figure: the user connects to GE 1/0/0 of the S9300 (VLANIF 10, 192.168.1.10). The Web server (192.168.2.20) and the RADIUS server (192.168.2.30) connect to GE 1/0/1 and GE 1/0/2 in VLAN 20 (VLANIF 20, 192.168.2.10). GE 2/0/0 connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the IP address of the Layer 3 interface connected to the user.
2. Configure a RADIUS server template.
3. Configure an AAA authentication scheme.
4. Configure a domain.
5. Configure the Web authentication function.

Data Preparation
To complete the configuration, you need the following data:
- IP address and URL of the Web authentication server
- IP address of the Layer 3 interface connected to the authentication terminal
- IP address and port number of the RADIUS authentication server
- Key of the RADIUS server (hello) and the retransmission count (2)
- Name of the AAA authentication scheme (web1)
- Name of the RADIUS server template (rd1)
- Name of the user domain (isp1)
NOTE
In this example, only the configuration of the S9300 is provided; the configurations of the
Web server and RADIUS server are omitted.

Procedure
Step 1 Set the IP address of the Layer 3 interface connected to the user.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] port default vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.10 24
[Quidway-Vlanif10] quit

Step 2 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
# Set the shared key and retransmission count of the RADIUS server. The key hello is used
# only for this example; the shared key is what protects the RADIUS exchange between the
# S9300 and the server, so use a long random key in production.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 3 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 4 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 5 Configure the Web authentication function.
# Set the IP address and URL of the Web authentication server.
[Quidway] web-auth-server isp1 192.168.2.20 url www.isp1.com
# Bind the Web authentication server to the Layer 3 interface.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] web-auth-server isp1
[Quidway-Vlanif10] quit
# Configure a free rule so that the user can reach the Web authentication server, and be
# redirected to its login page, before authentication.
[Quidway] portal free-rule 20 destination ip 192.168.2.20 mask 24 source any
A free rule with mask 24 lets unauthenticated users reach the whole 192.168.2.0/24 subnet,
including the RADIUS server at 192.168.2.30, which does not meet the requirement that only
the Web authentication server be reachable before authentication. Use a host mask
(255.255.255.255) for the Web server address instead, and check the resulting rule with
display current-configuration.

Step 6 Verify the configuration.

Run the display web-auth-server configuration command on the S9300 to view the
configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name  : isp1
IP-address            : 192.168.2.20
Shared-key            : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Port / PortFlag       : 50100 / NO
URL                   : www.isp1.com
------------------------------------------------------------------------
1 Web authentication server(s) in total
----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
web-auth-server isp1 192.168.2.20 port 50100 url www.isp1.com
portal free-rule 20 destination ip 192.168.2.20 mask 255.255.255.0 source any
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
 web-auth-server isp1
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
#
return

2.7.2 Example for Configuring 802.1x Authentication

Networking Requirements
As shown in Figure 2-3, the requirements are as follows:
- 802.1x authentication is performed for the user connected to GE 1/0/0 to control the user's
  access to the Internet. The default access control mode is adopted, that is, the S9300
  controls access based on the MAC address of the user.
- The authentication is performed by the RADIUS server.
- The maximum number of users on GE 1/0/0 is 100.
- MAC address bypass authentication is performed for the printer connected to GE 1/0/0.

Figure 2-3 Networking diagram for configuring 802.1x authentication
[Figure: the user and the printer connect to GE 1/0/0 of the S9300. The RADIUS server (192.168.2.30) connects to GE 2/0/1 (VLANIF 20, 192.168.2.10). GE 2/0/0 connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication scheme.
3. Configure a domain.
4. Configure the 802.1x authentication function.

Data Preparation
To complete the configuration, you need the following data:
- IP address and port number of the RADIUS authentication server
- Key of the RADIUS server (hello) and the retransmission count (2)
- Name of the AAA authentication scheme (web1)
- Name of the RADIUS server template (rd1)
- Name of the user domain (isp1)

NOTE
In this example, only the configuration of the S9300 is provided; the configuration of the
RADIUS server is omitted.

Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
<Quidway> system-view
[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
# Set the key and retransmission count of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure the 802.1x authentication function.
# Enable 802.1x authentication globally and on GE 1/0/0.
[Quidway] dot1x
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] dot1x
# Set the maximum number of access users on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] dot1x max-user 100
# Configure MAC address bypass authentication, so that the printer, which cannot run an
# 802.1x client and does not answer the EAP requests, is authenticated by its MAC address
# instead. The bypass accepts a spoofable credential on this interface, so the RADIUS entries
# for bypassed devices should grant only the access those devices need.
[Quidway-GigabitEthernet1/0/0] dot1x mac-bypass
[Quidway-GigabitEthernet1/0/0] quit

Step 5 Verify the configuration.
Run the display dot1x interface command on the S9300 to view the configuration and
statistics of 802.1x authentication.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
802.1x protocol is Enabled[mac-bypass]
The port is an authenticator
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Max online user is 100
Current online user is 1
Guest VLAN is disabled
Authentication Success: 4                Failure: 0
EAPOL Packets: TX : 8                    RX : 16
Sent     EAPOL Request/Identity Packets  : 4
         EAPOL Request/Challenge Packets : 4
         Multicast Trigger Packets       : 0
         DHCP Trigger Packets            : 0
         EAPOL Success Packets           : 4
         EAPOL Failure Packets           : 0
Received EAPOL Start Packets            : 4
         EAPOL LogOff Packets            : 3
         EAPOL Response/Identity Packets : 4
         EAPOL Response/Challenge Packets: 4
Controlled User(s) amount to 1, print number:1
----End

Configuration Files
#
 sysname Quidway
#
dot1x
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 dot1x mac-bypass
 dot1x max-user 100
#
return

2.7.3 Example for Configuring MAC Address Authentication

Networking Requirements
As shown in Figure 2-4, the requirements are as follows:
- Authentication is performed for the user connected to GE 1/0/0 to control the user's access
  to the Internet.
- The authentication is performed by the RADIUS server.
- The default user name format is used, that is, the MAC address without hyphens is used as
  the user name in authentication.
- The maximum number of users on GE 1/0/0 is 100.

Figure 2-4 Networking diagram for configuring MAC address authentication
[Figure: the user connects to GE 1/0/0 of the S9300. The RADIUS server (192.168.2.30) connects to GE 2/0/1 (VLANIF 20, 192.168.2.10). GE 2/0/0 connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication scheme.
3. Configure the domain of the users that use MAC address authentication.
4. Configure MAC address authentication.

Data Preparation
To complete the configuration, you need the following data:
- IP address and port number of the RADIUS authentication server
- Key of the RADIUS server (hello) and the retransmission count (2)
- Name of the AAA authentication scheme (web1)
- Name of the RADIUS server template (rd1)
- Name of the user domain (isp1)

NOTE
In this example, only the configuration of the S9300 is provided; the configuration of the
RADIUS server is omitted. The RADIUS server must hold one entry per device, with the device's
MAC address without hyphens (for example 001083000011) as both the user name and the password,
because that is what the S9300 sends by default.

Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
<Quidway> system-view
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
# Set the key and retransmission count of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS
authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the
domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure the MAC address authentication function.

# Enable MAC address authentication globally and on GE 1/0/0.
[Quidway] mac-authen
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] mac-authen
# Set the maximum number of access users on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] mac-authen max-user 100
[Quidway-GigabitEthernet1/0/0] quit
# Specify domain isp1 as the domain of the users that use MAC address authentication.
[Quidway] mac-authen domain isp1

Step 5 Verify the configuration.
Run the display mac-authen interface command on the S9300 to view the configuration of
MAC address authentication.
<Quidway> display mac-authen interface GigabitEthernet 1/0/0
MAC address authentication is Enabled
Max online user is 100
Current online user is 2
Guest VLAN is disabled
Authentication Success: 2, Failure: 1
Controlled User(s) amount to 2 , print number:2
----End

Configuration Files
#
 sysname Quidway
#
mac-authen
mac-authen domain isp1
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 mac-authen
 mac-authen max-user 100
#
return

3 DHCP Snooping Configuration

About This Chapter

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP)
snooping on the S9300 to defend against DHCP attacks.
3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.
3.2 DHCP Snooping Features Supported by the S9300
This section describes the DHCP snooping features supported by the S9300.
3.3 Preventing the Bogus DHCP Server Attack
This section describes how to prevent attackers from attacking DHCP clients through the
S9300 by forging a DHCP server.
3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by modifying
the CHADDR field.
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging
DHCP messages that extend IP address leases.
3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users, so that an
attacker who applies for IP addresses continuously cannot prevent authorized users from
accessing the network.
3.7 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request
messages to attack the S9300.
3.8 Configuring the Packet Discarding Alarm Function
An alarm is generated when the number of discarded packets exceeds the threshold.
3.9 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.
3.10 Configuration Examples
This section provides several configuration examples of DHCP snooping.

3.1 Introduction to DHCP Snooping

This section describes the principle of DHCP snooping.
DHCP snooping intercepts and analyzes the DHCP messages exchanged between DHCP clients
and a DHCP server. From these messages it creates and maintains a DHCP snooping binding
table and uses the table to filter untrusted DHCP messages. Each binding entry records the
client's MAC address, IP address, lease, binding type, VLAN ID, and access interface.
By recording the mapping between the IP address and MAC address of each client, DHCP
snooping ensures that only authorized users can access the network; in this sense it acts
as a firewall between DHCP clients and the DHCP server.
DHCP snooping defends against DHCP Denial of Service (DoS) attacks, bogus DHCP server
attacks, and bogus DHCP messages that extend IP address leases.

3.2 DHCP Snooping Features Supported by the S9300

This section describes the DHCP snooping features supported by the S9300.
The S9300 supports the trusted interface, the DHCP snooping binding table, binding of the IP
address, MAC address, and interface, and Option 82. Together these secure the DHCP service
on the device.
As a Terabit Routing Switch, the S9300 provides both Layer 2 switching and Layer 3 routing
functions. DHCP snooping can be used with both.

Applying DHCP Snooping on the S9300 on a Layer 2 Network
When deployed on a Layer 2 network, the S9300 sits between the DHCP relay and the Layer 2
user network. Figure 3-1 shows this application with DHCP snooping enabled on the S9300.

Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network
[Figure: the DHCP server sits in the L3 network behind a DHCP relay; the S9300's interface toward the DHCP relay is trusted and its interfaces toward the L2 user network are untrusted.]

Applying DHCP Snooping on the S9300 That Functions as the DHCP Relay Agent
The S9300 provides Layer 3 routing functions and can function as the DHCP relay agent on a
network. As shown in Figure 3-2, the S9300 enabled with DHCP snooping functions as the DHCP
relay agent.

Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent
[Figure: the DHCP server sits in the L3 network; the S9300 acts as the DHCP relay, with its interface toward the L3 network trusted and its interfaces toward the L2 user network untrusted.]

NOTE
Whether the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent,
enabling DHCP snooping lets it defend against the attacks listed in Table 3-1.
The difference is that when the S9300 functions as the DHCP relay agent, it supports the
association between ARP and DHCP snooping; when deployed on a Layer 2 network, it does not.

DHCPv6 Snooping
The S9300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries
are also created for users with IPv6 addresses. A DHCPv6 snooping binding entry consists of
the IPv6 address, MAC address, interface number, and VLAN ID of a user.

DHCP Snooping over VPLS
When the S9300 is deployed on a VPLS network and DHCP snooping over VPLS is enabled, DHCP
messages carried over VPLS are sent to the CPU of the main control board for processing. If
the DHCP snooping parameters are then set on the interface, the S9300 can process DHCP
messages on the VPLS network. Because these messages are punted to the main control board,
a DHCP flood on such an interface loads the CPU; apply the rate limit described in 3.7.
NOTE
The master physical interface of the S9300 does not support DHCP snooping over VPLS.

Type of Attacks Defended Against by DHCP Snooping

DHCP snooping provides different operation modes according to the type of attack, as shown
in Table 3-1.
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes
Type of Attack                                               | DHCP Snooping Operation Mode
Bogus DHCP server attack                                     | Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field         | Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases | Checking whether DHCP request messages match entries in the DHCP snooping binding table
DHCP flooding attack                                         | Limiting the rate of sending DHCP messages
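To make the four operation modes in Table 3-1 concrete, the following model replays a legitimate lease and one attempt at each attack through the checks a snooping switch applies. It is an added example, not Huawei code and not the S9300's implementation: the message fields, interface names, limits and the sample exchange are assumptions chosen to exercise each check, and the numbers in the drop reasons refer to sections 3.3 to 3.7 of this chapter.

```python
"""Model of the DHCP snooping checks in Table 3-1, run over constructed traffic.
Added example, not Huawei code and not the S9300's implementation: the message
fields, port names, limits and the sample exchange are all assumptions chosen to
exercise each check (the numbers in the drop reasons refer to sections 3.3-3.7)."""
from dataclasses import dataclass


@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    port: str          # ingress interface on the switch
    vlan: int
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = ""   # address assigned by the server (OFFER/ACK)
    ciaddr: str = ""   # address the client already holds (renew/RELEASE/DECLINE)
    lease: int = 0     # lease time in seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    expires: float


class DhcpSnooping:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports, max_users=None, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.max_users = dict(max_users or {})  # port -> maximum bindings (3.6)
        self.rate_limit = rate_limit            # DHCP messages per second per untrusted port (3.7)
        self.bindings = {}                      # (mac, vlan) -> Binding
        self.pending = {}                       # (chaddr, vlan) -> port the request came in on
        self._rate = {}                         # port -> (window start, count)
        self.log = []

    def _drop(self, msg, reason):
        self.log.append(f"DROP {msg.kind} on {msg.port} from {msg.src_mac}: {reason}")
        return False

    def process(self, msg, now):
        """Return True if the message is forwarded, False if it is dropped."""
        trusted = msg.port in self.trusted
        if not trusted and self.rate_limit:
            start, count = self._rate.get(msg.port, (now, 0))
            if now - start >= 1.0:
                start, count = now, 0
            self._rate[msg.port] = (start, count + 1)
            if count + 1 > self.rate_limit:
                return self._drop(msg, "rate limit exceeded (3.7)")
        if msg.kind in self.SERVER_MSGS:
            if not trusted:
                return self._drop(msg, "server message on untrusted port, bogus DHCP server (3.3)")
            if msg.kind == "ACK":
                port = self.pending.pop((msg.chaddr, msg.vlan), None)
                if port is not None:
                    self.bindings[(msg.chaddr, msg.vlan)] = Binding(
                        msg.chaddr, msg.yiaddr, msg.vlan, port, now + msg.lease)
            return True
        if trusted:
            return True
        if msg.chaddr != msg.src_mac:
            return self._drop(msg, "CHADDR differs from the frame's source MAC (3.4)")
        key = (msg.src_mac, msg.vlan)
        if msg.kind in {"RELEASE", "DECLINE"} or (msg.kind == "REQUEST" and msg.ciaddr):
            b = self.bindings.get(key)
            if b is None or b.port != msg.port or b.ip != msg.ciaddr:
                return self._drop(msg, "no matching binding entry for lease change (3.5)")
            if msg.kind == "REQUEST":
                self.pending[key] = msg.port      # the server's ACK will refresh the lease
            else:
                del self.bindings[key]
            return True
        if msg.kind in {"DISCOVER", "REQUEST"}:
            limit = self.max_users.get(msg.port)
            live = sum(1 for b in self.bindings.values() if b.port == msg.port and b.expires > now)
            if limit is not None and key not in self.bindings and live >= limit:
                return self._drop(msg, f"interface already has {live} bindings (3.6)")
            self.pending[key] = msg.port
        return True


def run_demo():
    """Replay one legitimate lease plus one attempt at each attack in Table 3-1."""
    snoop = DhcpSnooping(trusted_ports={"GE2/0/0"}, max_users={"GE1/0/0": 1}, rate_limit=5)
    t, client, server = 1000.0, "00e0-fc33-0011", "00e0-fc00-0001"
    steps = [
        DhcpMsg("DISCOVER", "GE1/0/0", 10, client, client),                                # legitimate
        DhcpMsg("OFFER", "GE2/0/0", 10, server, client, yiaddr="192.168.1.50"),            # trusted uplink
        DhcpMsg("REQUEST", "GE1/0/0", 10, client, client),
        DhcpMsg("ACK", "GE2/0/0", 10, server, client, yiaddr="192.168.1.50", lease=3600),  # creates binding
        DhcpMsg("OFFER", "GE1/0/1", 10, "00e0-fc33-0099", client, yiaddr="10.0.0.5"),     # bogus server (3.3)
        DhcpMsg("DISCOVER", "GE1/0/1", 10, "00e0-fc33-0099", "00e0-fc33-abcd"),           # CHADDR spoof (3.4)
        DhcpMsg("RELEASE", "GE1/0/1", 10, client, client, ciaddr="192.168.1.50"),         # bogus release (3.5)
        DhcpMsg("REQUEST", "GE1/0/0", 10, client, client, ciaddr="192.168.1.50"),         # real renew
        DhcpMsg("DISCOVER", "GE1/0/0", 10, "00e0-fc33-0022", "00e0-fc33-0022"),           # over max-user (3.6)
    ]
    results = [snoop.process(m, t) for m in steps]
    flood = [snoop.process(DhcpMsg("DISCOVER", "GE1/0/2", 10, f"00e0-fc44-00{i:02d}",
                                   f"00e0-fc44-00{i:02d}"), t) for i in range(6)]        # flood (3.7)
    return results, flood, snoop
```

The binding entry is created only when an ACK arrives on a trusted interface for a request that was seen on an untrusted one, which is why the bogus OFFER on GE1/0/1 never produces a binding and why a RELEASE for the legitimate client's address is rejected when it arrives on any interface other than the one recorded in the entry.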

3.3 Preventing the Bogus DHCP Server Attack

This section describes how to prevent attackers from attacking DHCP clients through the
S9300 by forging a DHCP server.
3.3.1 Establishing the Configuration Task
3.3.2 Enabling DHCP Snooping
3.3.3 Configuring an Interface as a Trusted Interface
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
3.3.5 Checking the Configuration

3.3.1 Establishing the Configuration Task


Applicable Environment
When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect
information, such as an incorrect gateway IP address, an incorrect domain name server (DNS)
address, or an incorrect client IP address. As a result, the DHCP client cannot access the network
or cannot reach the correct destination network.
To prevent a bogus DHCP server attack, you can configure DHCP snooping on the S9300,
configure the network-side interface to be trusted and the user-side interface to be untrusted, and
discard DHCP Reply messages received from untrusted interfaces.
To locate a bogus DHCP server, you can configure detection of bogus DHCP servers on the
S9300. In this case, the S9300 obtains related information about DHCP servers by checking
DHCP Reply messages, and records the information in the log. This facilitates network
maintenance.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following tasks:
- Configuring the DHCP server

Data Preparation
To prevent the bogus DHCP server attack, you need the following data.

No.  Data
1    Type and number of the interface that needs to be set to be trusted

3.3.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.3.3 Configuring an Interface as a Trusted Interface


Context
Generally, the interface connected to the DHCP server is configured as trusted and other
interfaces are configured as untrusted.
After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the network-side interface connected to the DHCP server.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 In the interface view, run:
dhcp snooping trusted [ no-user-binding ]

Or, in the VLAN view, run:
dhcp snooping trusted interface interface-type interface-number [ no-user-binding ]

The interface is configured as a trusted interface.
DHCP Reply messages sent from a trusted interface are forwarded and DHCP Request messages
sent from the trusted interface are discarded; DHCP Discover messages sent from an untrusted
interface are discarded.
If the no-user-binding keyword is not used in the command, a binding entry is created when
the interface receives a DHCP Ack message sent to a user who does not go online through the
local device. If this keyword is used in the command, no binding entry is created in this case.
When running the dhcp snooping trusted command in the VLAN view, the specified interface
must belong to the VLAN. Compared with the dhcp snooping trusted command run in the
interface view, the dhcp snooping trusted command run in the VLAN view is more accurate
because a specified interface in a specified VLAN can be configured as a trusted interface.
----End

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers


Context
After detection of bogus DHCP servers is enabled, the S9300 records IP addresses of the DHCP
servers contained in all DHCP Reply messages. If a DHCP Reply message is sent from an
untrusted interface, the S9300 considers the DHCP server as a bogus server and records it into
the log. The network administrator can then maintain the network according to the log.
NOTE

Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on
the interface. Otherwise, the detection function does not take effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server detect

Detection of bogus DHCP servers is enabled.


By default, detection of bogus DHCP servers is disabled on the S9300.
----End

3.3.5 Checking the Configuration


Prerequisite
The configurations of preventing the bogus DHCP server attack are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP
  snooping.
- Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on the interface.
- Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address
  ipv6-address | mac-address mac-address | interface interface-type interface-number |
  vlan vlan-id [ interface interface-type interface-number ] } command to check the
  DHCP snooping binding table.
- Run the display this command in the system view to check the configuration of detection
  of bogus DHCP servers.
  You can only check whether detection of bogus DHCP servers is enabled through the
  display this command. The detection results are recorded in the log, and you can obtain
  related information by viewing the log.

----End

3.4 Preventing the DoS Attack by Changing the CHADDR Field


This section describes how to prevent attackers from attacking the DHCP server by
modifying the CHADDR field.
3.4.1 Establishing the Configuration Task


3.4.2 Enabling DHCP Snooping
3.4.3 Checking the CHADDR Field in DHCP Request Messages
3.4.4 Checking the Configuration

3.4.1 Establishing the Configuration Task


Applicable Environment
An attacker may change the client hardware address (CHADDR) field carried in DHCP messages,
rather than the source MAC address in the frame header, to apply for IP addresses continuously.
The S9300, however, checks the validity of packets based only on the source MAC address in
the frame header, so the attack packets are still forwarded normally and the MAC address limit
cannot take effect in this case.
To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping
on the S9300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR
field matches the source MAC address in the frame header, the message is forwarded. Otherwise,
the message is discarded.

Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.

No.  Data
1    Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.4.3 Checking the CHADDR Field in DHCP Request Messages


Context
If the CHADDR field in DHCP Request messages matches the source MAC address in the
Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
dhcp snooping check mac-address enable

The interface, or the interface in the VLAN, is configured to check the CHADDR field in DHCP
Request messages.
By default, an interface, or an interface in a VLAN, does not check the CHADDR field in DHCP
Request messages on the S9300.
----End

3.4.4 Checking the Configuration


Prerequisite
The configurations of preventing the DoS attack by changing the CHADDR field are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP
  snooping.
- Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on the interface.

----End

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases


This section describes how to prevent attackers from attacking the DHCP server by forging
DHCP messages for extending IP address leases.
3.5.1 Establishing the Configuration Task
3.5.2 Enabling DHCP Snooping
3.5.3 Enabling the Checking of DHCP Request Messages
3.5.4 (Optional) Configuring the Option 82 Function
3.5.5 Checking the Configuration

3.5.1 Establishing the Configuration Task


Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages
intending to extend the IP address lease. As a result, certain expired IP addresses cannot be
reused.
To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you
can create the DHCP snooping binding table on the S9300 to check DHCP Request messages.
If the source IP address, source MAC address, VLAN, and interface of the DHCP Request
messages match entries in the binding table, the DHCP Request messages are then forwarded.
Otherwise, the DHCP Request messages are discarded.
NOTE

IP addresses are classified into IPv4 addresses and IPv6 addresses. The S9300 checks the source IP
addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.

The S9300 checks DHCP Request messages as follows:
1. Checks whether the destination MAC address is all-f. If the destination MAC address is
   all-f, the S9300 considers that the DHCP Request message is a broadcast message that a
   user sends to go online for the first time and does not check the DHCP Request message
   against the binding table. Otherwise, the S9300 considers that the user sends the DHCP
   Request message to renew the lease of the IP address and checks the DHCP Request message
   against the binding table.
2. Checks whether the CIADDR field in the DHCP Request message matches an entry in the
   binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks
   whether the VLAN ID, IP address, and interface information of the message match the
   binding table. If all these fields match the binding table, the S9300 forwards the message;
   otherwise, the S9300 discards the message.
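The checks described above, as an added example that is not part of the Huawei guide: a Python model of the binding-table check of 3.5.1 together with the CHADDR check of 3.4.1, run over constructed sample DHCP Requests. The field names, MAC and IP addresses, interface names and binding entries are assumptions made for the example.

```python
"""Added example (not Huawei's code): a software model of the DHCP snooping
checks this chapter describes, so the decision logic can be traced on sample
messages.  It folds together the CHADDR check of 3.4 (CHADDR must equal the
frame's source MAC) and the binding-table check of 3.5 (broadcast Requests pass
untouched; unicast renewals are matched against the binding table by CIADDR,
then VLAN ID, IP address, interface and source MAC).  All field names, sample
addresses, interface names and binding entries below are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # the "all-f" destination MAC in the text


@dataclass(frozen=True)
class DhcpRequest:
    """The fields of a DHCP Request that the snooping checks look at."""
    src_mac: str      # source MAC in the Ethernet frame header
    dst_mac: str      # destination MAC in the Ethernet frame header
    chaddr: str       # client hardware address field inside the DHCP payload
    ciaddr: str       # client IP address field (set when renewing a lease)
    vlan_id: int      # VLAN the frame arrived in
    interface: str    # interface the frame arrived on (constructed names)


@dataclass(frozen=True)
class BindingEntry:
    """One DHCP snooping binding entry: IP, MAC, VLAN and interface of a user."""
    ip: str
    mac: str
    vlan_id: int
    interface: str


# Binding table keyed by IP address, which is what the CIADDR lookup needs.
BindingTable = Dict[str, BindingEntry]


def check_chaddr(msg: DhcpRequest) -> bool:
    """3.4: forward only if CHADDR equals the frame's source MAC."""
    return msg.chaddr.lower() == msg.src_mac.lower()


def check_user_bind(msg: DhcpRequest, table: BindingTable) -> Tuple[bool, str]:
    """3.5: binding-table check.  Returns (forward?, reason)."""
    # Step 1: a broadcast Request is a first-time go-online; not checked.
    if msg.dst_mac.lower() == BROADCAST_MAC:
        return True, "broadcast request, binding table not consulted"
    # Step 2: unicast means lease renewal; look the CIADDR up in the table.
    entry = table.get(msg.ciaddr)
    if entry is None:
        return True, "ciaddr not in binding table, forwarded directly"
    # CIADDR matched an entry: VLAN ID, IP, interface (and the source MAC the
    # applicable-environment text lists) must all agree with that entry.
    if (entry.vlan_id == msg.vlan_id and entry.ip == msg.ciaddr
            and entry.interface == msg.interface
            and entry.mac.lower() == msg.src_mac.lower()):
        return True, "matches binding entry"
    return False, "binding entry mismatch, discarded"


def snoop(msg: DhcpRequest, table: BindingTable) -> Tuple[bool, str]:
    """Apply both checks in order: CHADDR first, then the binding table."""
    if not check_chaddr(msg):
        return False, "chaddr differs from frame source mac, discarded"
    return check_user_bind(msg, table)


# Constructed sample binding table for a stand-alone run.
SAMPLE_TABLE: BindingTable = {
    "10.1.1.10": BindingEntry("10.1.1.10", "00:11:22:33:44:55", 100, "GE1/0/1"),
}

if __name__ == "__main__":
    legit = DhcpRequest("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee",
                        "00:11:22:33:44:55", "10.1.1.10", 100, "GE1/0/1")
    # The same IP renewed from another interface and MAC: a bogus renewal.
    spoof = DhcpRequest("66:77:88:99:aa:bb", "00:aa:bb:cc:dd:ee",
                        "66:77:88:99:aa:bb", "10.1.1.10", 100, "GE1/0/2")
    for m in (legit, spoof):
        print(m.interface, snoop(m, SAMPLE_TABLE))
```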


Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address
leases, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases,
you need the following data.

No.  Data
1    Type and number of the interface enabled with detection of bogus DHCP servers
2    Static IP addresses from which packets are forwarded

3.5.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.5.3 Enabling the Checking of DHCP Request Messages


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
dhcp snooping check user-bind enable

The interface, or the interface in the VLAN, is enabled to check DHCP Request messages.
By default, an interface, or an interface in a VLAN, is disabled from checking DHCP Request
messages.
NOTE

The dhcp snooping check user-bind enable command also checks whether DHCP Release messages match
the binding table, thus preventing unauthorized users from releasing the IP addresses of authorized users.

----End

3.5.4 (Optional) Configuring the Option 82 Function


Context
After the Option 82 function is enabled, the S9300 can generate binding entries for users on
different interfaces according to the Option 82 field in DHCP messages.
When the Option 82 function is used on the DHCP relay agent, the generated binding table does
not contain information about the interface if the inserted Option 82 field does not contain
information about the interface. This causes the following situations:
- The DHCP Reply messages of the DHCP server can be listened to by users on other interfaces
  in the VLAN.
- After a user logs in, this valid user can be impersonated if users on other interfaces in the
  VLAN forge its IP address and MAC address.

When DHCP snooping is used at Layer 2, the S9300 can obtain information about the interface
required by the binding table even if the Option 82 function is not configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is the user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
dhcp option82 insert enable

The Option 82 is appended to DHCP messages.


Or, run:
dhcp option82 rebuild enable

The Option 82 is forcibly appended to DHCP messages.


- After the dhcp option82 insert enable command is used, the Option 82 field is appended to
  DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP
  message already contains an Option 82 field, the S9300 checks whether the Option 82 field
  contains the Remote-id. If the Option 82 field contains the Remote-id, the S9300 retains the
  original Option 82 field. If not, the S9300 inserts the Remote-id into the Option 82 field. By
  default, the Remote-id is the MAC address of the S9300.
- After the dhcp option82 rebuild enable command is used, the Option 82 field is appended
  to DHCP messages if the original DHCP messages do not carry the Option 82 field; the original
  Option 82 field is removed and a new one is appended if the original DHCP messages carry
  the Option 82 field.
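The two behaviours described above, as an added example that is not Huawei's code: a byte-level Python model of insert versus rebuild applied to a DHCP option set. The sub-option codes 1 (Circuit-ID) and 2 (Remote-ID) are the RFC 3046 values; the circuit-id text, the switch MAC used as Remote-id and the sample messages are constructed for the example.

```python
"""Added example (not Huawei's code): byte-level model of the two Option 82
behaviours described above, so their difference is visible on sample messages.
`insert` keeps an existing Option 82 and only adds a missing Remote-ID
sub-option; `rebuild` discards any existing Option 82 and appends a fresh one.
Sub-option codes 1 (Circuit-ID) and 2 (Remote-ID) are the RFC 3046 values; the
circuit-id text, switch MAC and message contents below are constructed."""
from typing import Dict

OPT_RELAY_AGENT = 82   # DHCP option code of the Relay Agent Information option
SUB_CIRCUIT_ID = 1     # RFC 3046 sub-option: Circuit-ID
SUB_REMOTE_ID = 2      # RFC 3046 sub-option: Remote-ID

# DHCP options modelled as {option code: raw value bytes}.
DhcpOptions = Dict[int, bytes]


def parse_suboptions(value: bytes) -> Dict[int, bytes]:
    """Split an Option 82 value into its {sub-option code: data} TLVs."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated Option 82 sub-option")
        subs[code] = data
        i += 2 + length
    if i != len(value):
        raise ValueError("trailing bytes in Option 82")
    return subs


def build_suboptions(subs: Dict[int, bytes]) -> bytes:
    """Inverse of parse_suboptions; sub-options are emitted in code order."""
    out = bytearray()
    for code in sorted(subs):
        data = subs[code]
        if len(data) > 255:
            raise ValueError("sub-option too long")
        out += bytes([code, len(data)]) + data
    return bytes(out)


def option82_insert(opts: DhcpOptions, circuit_id: bytes,
                    remote_id: bytes) -> DhcpOptions:
    """Semantics of dhcp option82 insert enable, as the text describes them."""
    new = dict(opts)
    if OPT_RELAY_AGENT not in new:
        # No Option 82 present: append a complete one.
        new[OPT_RELAY_AGENT] = build_suboptions(
            {SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id})
        return new
    subs = parse_suboptions(new[OPT_RELAY_AGENT])
    if SUB_REMOTE_ID in subs:
        return new  # Remote-ID already present: original field retained as is.
    subs[SUB_REMOTE_ID] = remote_id  # only the missing Remote-ID is inserted
    new[OPT_RELAY_AGENT] = build_suboptions(subs)
    return new


def option82_rebuild(opts: DhcpOptions, circuit_id: bytes,
                     remote_id: bytes) -> DhcpOptions:
    """Semantics of dhcp option82 rebuild enable: any existing Option 82 is
    removed and a new one appended."""
    new = dict(opts)
    new[OPT_RELAY_AGENT] = build_suboptions(
        {SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id})
    return new


# Constructed sample values: a circuit-id text and the switch MAC as Remote-ID.
SWITCH_MAC = bytes.fromhex("0011223344aa")
LOCAL_CIRCUIT = b"GE1/0/1:100"
# A message carrying a foreign Option 82 with a Circuit-ID but no Remote-ID.
FOREIGN_OPT82 = build_suboptions({SUB_CIRCUIT_ID: b"upstream-port-7"})

if __name__ == "__main__":
    request = {53: b"\x03", 82: FOREIGN_OPT82}  # constructed option set
    for name, fn in (("insert", option82_insert), ("rebuild", option82_rebuild)):
        result = fn(request, LOCAL_CIRCUIT, SWITCH_MAC)
        print(name, parse_suboptions(result[OPT_RELAY_AGENT]))
```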

Step 4 Run:
quit

Return to the system view.


Step 5 (Optional) Run:
dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is set.


NOTE

If the user-defined format of the Option 82 field is used, it is recommended that you specify the interface
type, interface number, and slot ID in text.

----End

3.5.5 Checking the Configuration


Prerequisite
The configurations of preventing the attacker from sending bogus DHCP messages for extending
IP address leases are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP
  snooping.
- Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on the interface.
- Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address
  ipv6-address | mac-address mac-address | interface interface-type interface-number |
  vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP
  snooping binding table.
- Run the display dhcp option82 interface interface-type interface-number command to
  check the status of the Option 82 field.

----End

3.6 Setting the Maximum Number of DHCP Snooping Users


This section describes how to set the maximum number of DHCP snooping users, so that an
attacker who applies for IP addresses continuously cannot prevent authorized users from
accessing the network.
3.6.1 Establishing the Configuration Task
3.6.2 Enabling DHCP Snooping
3.6.3 Setting the Maximum Number of DHCP Snooping Users
3.6.4 (Optional) Configuring MAC Address Security on an Interface
3.6.5 Checking the Configuration

3.6.1 Establishing the Configuration Task


Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number
of DHCP snooping users.
When the number of DHCP snooping users reaches the maximum value, users cannot
successfully apply for IP addresses.

Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
- Enabling DHCP snooping globally
- Enabling check of the DHCP snooping binding table

Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.

No.  Data
1    Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

3.6.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.6.3 Setting the Maximum Number of DHCP Snooping Users


Context
If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the
network. To address this problem, you can set the maximum number of access users.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set.
By default, a maximum of 4096 users can access an interface of the S9300 or a VLAN.
This command takes effect only when DHCP snooping is enabled globally and on the interface
and is valid only for DHCP users. When the number of DHCP snooping users on an interface
or in a VLAN reaches the maximum value set through the dhcp snooping max-user-number
command, no more users can access the interface.
----End

3.6.4 (Optional) Configuring MAC Address Security on an Interface


Context
When MAC address security of DHCP snooping is enabled, packets are processed as follows
for a non-DHCP user:
- If a static MAC address is not configured, the packets are discarded after reaching the
  interface where the dhcp snooping sticky-mac command is run.
- If a static MAC address is configured, the packets are forwarded normally.

MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC
addresses, and packets of these users can be forwarded normally. MAC addresses of static users
in the static binding table cannot be converted to static MAC addresses. Therefore, you need to
configure static MAC addresses for the static users to have the packets forwarded normally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is a user-side interface.
Step 3 Run:
dhcp snooping sticky-mac

MAC address security of DHCP snooping is enabled on the interface.


By default, MAC address security of DHCP snooping is disabled on the S9300.
The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled
globally.
If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address
of the received IP packet nor forwards or sends the received IP packet. The DHCP messages
received by the interface are sent to the CPU of the main control board, and then a dynamic
binding table is generated. After the dynamic binding table is generated, static MAC addresses
are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static
MAC addresses. The static MAC address entry includes information about the MAC address
and VLAN ID of the user. Subsequently, only the packets whose source MAC address matches
the static MAC address can pass through the interface; otherwise, the packets are discarded.
MAC addresses of static users in the static binding table cannot be converted to static MAC
addresses. You need to configure static MAC addresses for the static users to have the packets
forwarded normally.
----End

3.6.5 Checking the Configuration


Prerequisite
The configurations of setting the maximum number of users are complete.

Procedure
- Run the display dhcp snooping global command to check information about global DHCP
  snooping.
- Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on an interface.

----End

3.7 Limiting the Rate of Sending DHCP Messages


This section describes how to prevent attackers from sending a large number of DHCP Request
messages to attack the S9300.
3.7.1 Establishing the Configuration Task
3.7.2 Enabling DHCP Snooping
3.7.3 Limiting the Rate of Sending DHCP Messages
3.7.4 Checking the Configuration

3.7.1 Establishing the Configuration Task


Applicable Environment
If an attacker sends DHCP Request messages continuously on a network, the DHCP protocol
stack of the S9300 is affected.
To prevent an attacker from sending a large number of DHCP Request messages, you can
configure DHCP snooping on the S9300 to check DHCP Request messages and limit the rate
of sending DHCP Request messages. Only a certain number of DHCP Request messages can
be sent to the protocol stack during a certain period. Excessive DHCP Request messages are
discarded.

Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent

Data Preparation
To limit the rate of sending packets, you need the following data.

No.  Data
1    Rate at which DHCP messages are sent to the protocol stack

3.7.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in a VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.7.3 Limiting the Rate of Sending DHCP Messages


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp snooping check dhcp-rate enable

The S9300 is enabled to check the rate of sending DHCP messages.


By default, the S9300 is disabled from checking the rate of sending DHCP messages.
Step 3 Run:
dhcp snooping check dhcp-rate rate

The rate of sending DHCP messages is set.


By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP packets
exceeding the rate are discarded.
Step 4 Run:
dhcp snooping check dhcp-rate alarm enable

The alarm function is enabled for the DHCP packets discarded because they exceed the
transmission rate.
Step 5 (Optional) Run:
dhcp snooping check dhcp-rate alarm threshold threshold

The alarm threshold of the number of DHCP packets discarded because they exceed the
transmission rate is set.
By default, the alarm threshold of discarded DHCP packets is 100 pps. An alarm is generated
when the number of discarded DHCP packets exceeds the threshold.
----End
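How the rate limit toward the protocol stack and the drop alarm configured in this procedure work together, as an added Python model; this is not S9300 software. It assumes a fixed one-second counting window and that the drops counted toward the next alarm restart after an alarm has been raised; the 300-message flood is constructed input.

```python
"""Model of DHCP rate limiting toward the protocol stack and the rate alarm.

Added example for this guide, not S9300 software. It assumes a fixed
one-second counting window; the S9300's actual measurement interval and
alarm bookkeeping are not described on the page and may differ."""

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DhcpRateLimiter:
    rate_pps: int = 100            # dhcp snooping check dhcp-rate <rate>, default 100 pps
    alarm_enabled: bool = False    # dhcp snooping check dhcp-rate alarm enable
    alarm_threshold: int = 100     # dhcp snooping check dhcp-rate alarm threshold, default 100
    passed_total: int = 0
    dropped_total: int = 0
    dropped_in_range: int = 0      # drops counted toward the next alarm
    alarms: list = field(default_factory=list)
    _window: int = -1
    _in_window: int = 0

    def handle(self, ts: float) -> bool:
        """Return True if the DHCP message arriving at time ts reaches the protocol stack."""
        window = int(ts)
        if window != self._window:          # new one-second window: restart the counter
            self._window, self._in_window = window, 0
        if self._in_window < self.rate_pps:
            self._in_window += 1
            self.passed_total += 1
            return True
        self.dropped_total += 1
        if self.alarm_enabled:
            self.dropped_in_range += 1
            # Assumption: the in-range counter restarts after an alarm has been raised.
            if self.dropped_in_range >= self.alarm_threshold:
                self.alarms.append(ts)
                self.dropped_in_range = 0
        return False


def burst(limiter: DhcpRateLimiter, count: int, start: float) -> dict:
    """Deliver `count` messages evenly spread over the second beginning at `start`."""
    before_drops, before_alarms = limiter.dropped_total, len(limiter.alarms)
    passed = sum(limiter.handle(start + i / count) for i in range(count))
    return {"passed": passed,
            "dropped": limiter.dropped_total - before_drops,
            "alarms": len(limiter.alarms) - before_alarms}


def sample_flood() -> tuple[dict, dict, DhcpRateLimiter]:
    """Constructed flood: 300 Request messages in one second, then 50 normal ones the next."""
    lim = DhcpRateLimiter(rate_pps=90, alarm_enabled=True, alarm_threshold=120)
    flood = burst(lim, 300, 0.0)     # 90 pass, 210 dropped, one alarm at the 120th drop
    calm = burst(lim, 50, 1.0)       # a new window: everything passes
    return flood, calm, lim
```

With the default limiter (100 pps, alarm disabled) the same 300-message burst passes 100 messages and drops 200 without ever raising an alarm, which is why Step 4 (alarm enable) matters for detection and not only for protection.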

3.7.4 Checking the Configuration


Prerequisite
The configurations of limiting the rate of sending DHCP messages are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.

----End

3.8 Configuring the Packet Discarding Alarm Function


An alarm is generated when the number of discarded packets exceeds the threshold.
3.8.1 Establishing the Configuration Task
3.8.2 Enabling DHCP Snooping
3.8.3 Enabling the Checking of DHCP Messages
3.8.4 Configuring the Packet Discarding Alarm Function
3.8.5 Checking the Configuration

3.8.1 Establishing the Configuration Task


Applicable Environment
With DHCP snooping configured, the S9300 discards packets sent from an attacker. Table
3-2 shows the relation between the type of attacks and the type of discarded packets.

Table 3-2 Relation between the type of attacks and the type of discarded packets

Type of Attacks                                     Type of Discarded Packets
--------------------------------------------------  ------------------------------------------------------
Bogus attack                                        DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field             DHCP Request messages whose CHADDR field does not
                                                    match the source MAC address in the frame header
Attack by sending bogus messages to extend IP       DHCP Request messages that do not match entries in
address leases                                      the binding table
Attack by sending a large number of DHCP Request    Messages exceeding the rate limit
messages and ARP packets

After the packet discarding alarm function is enabled, an alarm is generated when the number
of discarded packets on the S9300 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent
• Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the
  user side
• Configuring the checking of DHCP messages
• Configuring the checking of the CHADDR field in DHCP Request messages
• Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

No.   Data
1     Alarm threshold for the number of discarded packets

3.8.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an
interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or
in a VLAN.
Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled globally.


Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in a VLAN.


DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise,
configurations related to DHCP snooping do not take effect on the interfaces. This restriction
does not apply to a network-side interface.
Step 6 (Optional) Run:
quit

Return to the system view.


Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network.


On the VPLS network, after the dhcp snooping over-vpls enable command is run on the
S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command
takes effect only after DHCP snooping is enabled globally and on the interface.
DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP
messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable
command is run in the system view. Other configurations of DHCP snooping over VPLS are
the same as configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.8.3 Enabling the Checking of DHCP Messages


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface is a user-side interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
dhcp snooping check { mac-address | user-bind } enable

The function of checking DHCP messages is enabled.

• After you run the mac-address command, the S9300 checks whether the MAC address in
  the header of a DHCP Request message is the same as the value of the CHADDR field in
  the message. If the MAC address is different from the value of the CHADDR field, the
  DHCP Request message is discarded.
• After you run the user-bind command, the S9300 checks whether the DHCP Request or
  Release message matches the binding table; the unmatched message is discarded.

By default, the S9300 does not check DHCP messages.


----End

3.8.4 Configuring the Packet Discarding Alarm Function


Context
The packet discarding alarm function can be configured globally and on the interface.
• The packet discarding alarm function configured globally takes effect for all interfaces.
• The packet discarding alarm function configured on an interface takes effect for a specified
  interface. If the packet discarding alarm function is not configured on an interface, the
  global configuration is used.
NOTE

If you need to configure the alarm function for the DHCP messages that are discarded because they exceed
the transmission rate, see 3.7.3 Limiting the Rate of Sending DHCP Messages.

Procedure
• Configuring the packet discarding alarm function globally
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dhcp snooping alarm threshold threshold

     The alarm threshold of the number of globally discarded packets is set.
     By default, the global alarm threshold of the number of discarded DHCP messages is
     100 pps.
• Configuring the packet discarding alarm function on an interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
  3. Run:
     dhcp snooping alarm { mac-address | user-bind | untrust-reply } enable

     The packet discarding alarm function is enabled on the interface.
     - mac-address: If the MAC address in the packet header is different from the MAC
       address of the DHCP message, the message is discarded.
     - user-bind: If the DHCP message does not match the binding table, the message
       is discarded. The DHCP message refers to the DHCP Request message except for
       the Discover message.
     - untrust-reply: If an untrusted interface receives a Reply message sent by the
       DHCP server, the message is discarded.
     By default, the packet discarding alarm function is disabled on an interface.
  4. Run:
     dhcp snooping alarm { mac-address | user-bind | untrust-reply } threshold threshold

     The alarm threshold of the number of discarded packets is set on the interface.
     By default, an interface uses the threshold set in the dhcp snooping alarm
     threshold command. If the command is not run in the system view, the interface uses
     the default threshold, 100 pps.
----End
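The three checks from Table 3-2 (untrust-reply, mac-address, user-bind) together with the per-check alarm thresholds and the interface-to-global fallback described in 3.8.3 and 3.8.4, as an added Python model; this is not S9300 software. The frames, the binding entry, the interface names and the thresholds are constructed, the user-bind match on ciaddr, CHADDR, interface and VLAN is a simplification, and the reset of the in-range drop counter after an alarm is an assumption.

```python
"""Model of the DHCP snooping checks and the packet discarding alarm.

Added example for this guide, not S9300 software. Frames, the binding
table and thresholds below are constructed; the S9300's real parsing,
counters and alarm semantics may differ in detail."""

from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# DHCP message types (option 53 values from RFC 2131).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
REPLY_TYPES = {OFFER, ACK, NAK}                        # server -> client
CLIENT_TYPES = {DISCOVER, REQUEST, DECLINE, RELEASE}   # client -> server ("Request messages")


@dataclass(frozen=True)
class DhcpFrame:
    """A DHCP message with the Ethernet/VLAN header it arrived in (constructed)."""
    iface: str
    vlan: int
    src_mac: str              # source MAC address in the frame header
    chaddr: str               # CHADDR field inside the DHCP message
    msg_type: int
    ciaddr: str = "0.0.0.0"   # IP address the client claims (ciaddr field)


@dataclass(frozen=True)
class BindEntry:
    ip: str
    mac: str
    iface: str
    vlan: int


@dataclass
class IfaceConfig:
    trusted: bool = False                          # dhcp snooping trusted
    check_mac: bool = False                        # dhcp snooping check mac-address enable
    check_user_bind: bool = False                  # dhcp snooping check user-bind enable
    alarm: set = field(default_factory=set)        # checks with "dhcp snooping alarm ... enable"
    threshold: dict = field(default_factory=dict)  # per-check "dhcp snooping alarm ... threshold"


class DhcpSnooping:
    def __init__(self, global_threshold: int = 100):
        self.global_threshold = global_threshold   # dhcp snooping alarm threshold (default 100)
        self.ifaces: dict[str, IfaceConfig] = {}
        self.bind_table: set[BindEntry] = set()
        self.drop_total: dict[tuple, int] = {}     # (iface, check) -> all drops
        self.drop_in_range: dict[tuple, int] = {}  # (iface, check) -> drops since last alarm
        self.alarms: list[tuple] = []

    def threshold_for(self, iface: str, check: str) -> int:
        """Interface threshold if set, otherwise the global one (the fallback the guide describes)."""
        return self.ifaces[iface].threshold.get(check, self.global_threshold)

    def _drop(self, frame: DhcpFrame, check: str) -> str:
        key = (frame.iface, check)
        self.drop_total[key] = self.drop_total.get(key, 0) + 1
        if check in self.ifaces[frame.iface].alarm:
            self.drop_in_range[key] = self.drop_in_range.get(key, 0) + 1
            # Assumption: the in-range counter restarts once an alarm has been raised.
            if self.drop_in_range[key] >= self.threshold_for(frame.iface, check):
                self.alarms.append(key)
                self.drop_in_range[key] = 0
        return check

    def inspect(self, f: DhcpFrame) -> Optional[str]:
        """Return None if the frame is forwarded, else the name of the check that discarded it."""
        cfg = self.ifaces[f.iface]
        # Bogus server attack: replies may only enter through trusted (network-side) interfaces.
        if f.msg_type in REPLY_TYPES:
            return None if cfg.trusted else self._drop(f, "untrust-reply")
        if f.msg_type not in CLIENT_TYPES:
            return None
        # CHADDR DoS: the header source MAC must equal CHADDR.
        if cfg.check_mac and f.src_mac != f.chaddr:
            return self._drop(f, "mac-address")
        # Bogus lease extension: Request/Release (not Discover) must match a binding entry.
        if cfg.check_user_bind and f.msg_type != DISCOVER:
            if BindEntry(f.ciaddr, f.chaddr, f.iface, f.vlan) not in self.bind_table:
                return self._drop(f, "user-bind")
        return None


def run_sample() -> tuple[list, DhcpSnooping]:
    """Push a constructed mix of good and bad frames through the model."""
    s = DhcpSnooping(global_threshold=100)
    s.ifaces["GE1/0/0"] = IfaceConfig(trusted=True)
    s.ifaces["GE2/0/0"] = IfaceConfig(
        check_mac=True, check_user_bind=True,
        alarm={"untrust-reply", "mac-address", "user-bind"},
        threshold={"user-bind": 2})   # low threshold so the sample raises one alarm
    s.bind_table.add(BindEntry("10.1.1.3", "0000-005e-008a", "GE2/0/0", 3))
    good = "0000-005e-008a"
    frames = [
        DhcpFrame("GE1/0/0", 3, "00e0-fc00-0001", "00e0-fc00-0001", OFFER),   # server side
        DhcpFrame("GE2/0/0", 3, "0000-005e-00ff", "0000-005e-00ff", OFFER),   # reply on user side
        DhcpFrame("GE2/0/0", 3, good, good, DISCOVER),                         # normal discover
        DhcpFrame("GE2/0/0", 3, good, "0000-005e-1111", REQUEST),              # CHADDR mismatch
        DhcpFrame("GE2/0/0", 3, good, good, REQUEST, ciaddr="10.1.1.3"),       # matches binding
        DhcpFrame("GE2/0/0", 3, good, good, REQUEST, ciaddr="10.1.1.9"),       # wrong IP
        DhcpFrame("GE2/0/0", 3, "0000-005e-00ff", "0000-005e-00ff", RELEASE, ciaddr="10.1.1.3"),
    ]
    return [s.inspect(f) for f in frames], s
```

The drop_total and drop_in_range dictionaries mirror the "drop count total" and "drop count within alarm range" counters that the display dhcp snooping global command prints in the configuration examples of 3.10.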

3.8.5 Checking the Configuration


Prerequisite
The configurations of the packet discarding alarm function are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP
  snooping.
• Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on the interface.

----End

3.9 Maintaining DHCP Snooping


This section describes how to maintain DHCP snooping.
3.9.1 Clearing DHCP Snooping Statistics
3.9.2 Resetting the DHCP Snooping Binding Table
3.9.3 Backing Up the DHCP Snooping Binding Table

3.9.1 Clearing DHCP Snooping Statistics


Context
To clear the statistics on DHCP snooping discarded packets, run the following commands in the
system view.

Procedure
• Run the reset dhcp snooping statistics global command to clear the statistics on globally
  discarded packets.
• Run the reset dhcp snooping statistics interface interface-type interface-number
  command to clear the statistics on discarded packets on the interface.

----End

3.9.2 Resetting the DHCP Snooping Binding Table


Context
To clear entries in the DHCP snooping binding table, run the following command in the user
view or system view.

Procedure
• Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type
  interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the
  DHCP snooping binding table.

----End

3.9.3 Backing Up the DHCP Snooping Binding Table


Context
To back up the DHCP snooping binding table, run the following command in the system view.

Procedure
• Run the dhcp snooping user-bind autosave file-name command to back up the DHCP
  snooping binding table.
  - If the binding table is backed up, the system automatically backs up the binding table
    to a specified path every one hour or after 300 dynamic binding entries are generated.
  - If the binding table is not backed up, the dynamic DHCP snooping binding table is lost
    after the S9300 restarts. As a result, users that obtain IP addresses dynamically from
    the DHCP server cannot communicate normally. Then, the users need to log in again.

----End

3.10 Configuration Examples


This section provides several configuration examples of DHCP snooping.
3.10.1 Example for Preventing the Bogus DHCP Server Attack
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending
IP Address Leases
3.10.4 Example for Limiting the Rate of Sending DHCP Messages
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

3.10.1 Example for Preventing the Bogus DHCP Server Attack


Networking Requirements
As shown in Figure 3-3, the S9300 is deployed between the user network and the Layer 2
network of the ISP. To prevent the bogus DHCP server attack, it is required that DHCP snooping
be configured on the S9300, the user-side interface be configured as untrusted, the network-side
interface be configured as trusted, and the packet discarding alarm function be configured.

Figure 3-3 Networking diagram for preventing the bogus DHCP server attack
(Figure: the DHCP server and DHCP relay sit in the ISP network, L3 and L2 network; GE1/0/0
of the S9300 faces the ISP network and GE2/0/0 faces the user network.)

Configuration Roadmap
The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as a trusted interface.
3. Configure the user-side interface as an untrusted interface. The DHCP Request messages
   including Offer, ACK, and NAK messages received from the untrusted interface are
   discarded.
4. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• GE 1/0/0 being the trusted interface and GE 2/0/0 being the untrusted interface
• Alarm threshold being 120


NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the interface as trusted or untrusted.
# Configure the interface at the DHCP server side as trusted.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit

# Configure the interface at the user side as untrusted.


After DHCP snooping is enabled on GE 2/0/0, the mode of GE 2/0/0 is untrusted by default.
Step 3 Configure the packet discarding alarm function.
# Configure the S9300 to discard the Reply messages received by the untrusted interfaces.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply enable

# Set the alarm threshold.


[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet2/0/0] quit

Step 4 Verify the configuration.


Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping
is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :
GigabitEthernet1/0/0
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 60
<Quidway> display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping trusted
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 60

----End
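The verification in Step 4 above, and the checking procedures of 3.7.4 and 3.8.5, rely on reading the display dhcp snooping output by eye. As an added example that is not S9300 software, the following Python parser turns that output into counters a monitoring job can alert on. The two sample texts are the output shown in Step 4 of this example; the audit rules (the expected trusted interface, any non-zero per-check drop counter) are an assumed policy.

```python
"""Parser and audit for `display dhcp snooping` output.

Added example for this guide, not S9300 software. The two samples are the
output shown in the configuration example above; the audit rules (expected
trusted interfaces, non-zero drop counters) are an assumed monitoring policy."""

from __future__ import annotations
import re

# Output of "display dhcp snooping global" as printed in the example above.
SAMPLE_GLOBAL = """\
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :
GigabitEthernet1/0/0
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 60
"""

# Output of "display dhcp snooping interface gigabitethernet 2/0/0" from the same example.
SAMPLE_IFACE = """\
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 60
"""

LIST_RE = re.compile(r"^Dhcp (snooping enable|snooping trusted|option82 insert|option82 rebuild)"
                     r" is configured at these (vlan|interface) :(.*)$")
COUNT_RE = re.compile(r"^dhcp packet drop count (within alarm range|total) : (\d+)$")
IF_DROP_RE = re.compile(r"^dhcp packet dropped by (\S+) checking = (\d+)$")
IF_THRESH_RE = re.compile(r"^dhcp snooping alarm (\S+) threshold (\d+)$")


def parse_global(text: str) -> dict:
    """Global state: enable flag, the 'configured at these ...' lists, and the drop counters."""
    result = {"enabled": False, "lists": {}, "drop_in_range": 0, "drop_total": 0}
    current = None   # list that continuation lines (names on following lines) belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "dhcp snooping enable":
            result["enabled"] = True
            current = None
        elif (m := LIST_RE.match(line)):
            key = f"{m.group(1)} {m.group(2)}"          # e.g. "snooping trusted interface"
            rest = m.group(3).strip()
            result["lists"][key] = [] if rest in ("", "NULL") else rest.split()
            current = None if rest == "NULL" else key
        elif (m := COUNT_RE.match(line)):
            field = "drop_in_range" if m.group(1) == "within alarm range" else "drop_total"
            result[field] = int(m.group(2))
            current = None
        elif current is not None:
            result["lists"][current].extend(line.split())  # names may be several per line
    return result


def parse_interface(text: str) -> dict:
    """Per-interface state: trust mode, per-check drop counters and alarm thresholds."""
    info = {"trusted": False, "dropped": {}, "thresholds": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "dhcp snooping trusted":
            info["trusted"] = True
        elif (m := IF_DROP_RE.match(line)):
            info["dropped"][m.group(1)] = int(m.group(2))
        elif (m := IF_THRESH_RE.match(line)):
            info["thresholds"][m.group(1)] = int(m.group(2))
    return info


def audit(global_out: str, iface_outs: dict[str, str], expect_trusted: list[str]) -> list[str]:
    """Findings an operator would want to see: snooping off, unexpected trust, dropped packets."""
    g = parse_global(global_out)
    findings = []
    if not g["enabled"]:
        findings.append("dhcp snooping is not enabled globally")
    trusted = set(g["lists"].get("snooping trusted interface", []))
    if trusted != set(expect_trusted):
        findings.append(f"trusted interfaces {sorted(trusted)} differ from expected "
                        f"{sorted(expect_trusted)}")
    for name, out in iface_outs.items():
        for check, n in parse_interface(out)["dropped"].items():
            if n:
                findings.append(f"{name}: {n} packets dropped by {check} checking")
    return findings
```

Because the reset dhcp snooping statistics commands in 3.9.1 clear these counters, a job that polls them should compare successive readings rather than assume the count always grows.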

Configuration Files
#
sysname Quidway
#
dhcp enable

Issue 06 (20100108)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

3-33

Quidway S9300 Terabit Routing Switch


Configuration Guide - Security

3 DHCP Snooping Configuration


dhcp snooping enable
#
interface GigabitEthernet1/0/0
dhcp snooping trusted
#
interface GigabitEthernet2/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
#
return

3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field

Networking Requirements
As shown in Figure 3-4, the S9300 is deployed between the user network and the ISP Layer 2
network. To prevent the DoS attack by changing the CHADDR field, it is required that DHCP
snooping be configured on the S9300. The CHADDR field of DHCP Request messages is
checked. If the CHADDR field of DHCP Request messages matches the source MAC address
in the frame header, the messages are forwarded. Otherwise, the messages are discarded. The
packet discarding alarm function is configured.
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field
(Figure: the DHCP server and DHCP relay sit in the ISP network, L3 and L2 network; GE1/0/0
of the S9300 faces the ISP network and GE2/0/0 faces the user network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side
   interface.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Enable the checking of the CHADDR field of DHCP Request messages on the user-side
interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check mac-address enable

Step 3 Configure the packet discarding alarm function.


# Enable the packet discarding alarm function.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address enable

# Set the alarm threshold.


[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address threshold 120

Step 4 Verify the configuration.


Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping
is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 25
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 25

----End

Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet2/0/0
dhcp snooping enable
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
#
return

3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases

Networking Requirements
As shown in Figure 3-5, the S9300 is deployed between the user network and the ISP Layer 2
network. To prevent the attacker from sending bogus DHCP messages for extending IP address
leases, it is required that DHCP snooping be configured on the S9300 and the DHCP snooping
binding table be created. If the received DHCP Request messages match entries in the binding
table, they are forwarded; otherwise, they are discarded. The packet discarding alarm function
is configured.

Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages
for extending IP address leases
(Figure: the DHCP server and DHCP relay sit in the ISP network, L3 and L2 network; GE1/0/0
of the S9300 faces the ISP network and GE2/0/0 faces the user network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Use the DHCP snooping binding table to check DHCP Request messages.
3. Configure the packet discarding alarm function.
4. Configure the Option 82 function and create a binding table that contains information about
   the interface.

Data Preparation
To complete the configuration, you need the following data:
• ID of the VLAN that each interface belongs to
• Static IP addresses from which packets are forwarded
• Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.


[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the checking of packets.


# Configure the checking of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure static binding entries.


# Configure static binding entries assigned to the user side.
[Quidway] user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a
interface gigabitethernet 2/0/0 vlan 3

Step 4 Configure the packet discarding alarm function.


# Enable the packet discarding alarm function.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind enable

# Set the alarm threshold.


[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind threshold 120

Step 5 Configure the Option 82 function.


# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.


Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping
is enabled globally and on the interface.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :
GigabitEthernet2/0/0
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 45
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 45

Run the display user-bind all command, and you can view all the static binding entries of users.
<Quidway> display user-bind all
bind-table:
ifname          O/I-vlan  mac-address     ip-address       tp  lease  vsi
-------------------------------------------------------------------------------
GE2/0/0         3/ --     0000-005e-008a  10.1.1.3         S   0
-------------------------------------------------------------------------------
Static binditem count:        1
Static binditem total count:  1

Run the display dhcp option82 interface command, and you can find that the function of
inserting the Option 82 field into packets is enabled on the interface.
<Quidway> display dhcp option82 interface gigabitethernet 2/0/0
dhcp option82 insert enable

----End

Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface
gigabitethernet 2/0/0 vlan 3
#
interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
return

3.10.4 Example for Limiting the Rate of Sending DHCP Messages


Networking Requirements
As shown in Figure 3-6, to prevent the attacker from sending a large number of DHCP Request
messages, it is required that DHCP snooping be enabled on the S9300 to control the rate of
sending DHCP Request messages to the protocol stack. At the same time, the packet discarding
alarm function is enabled.

Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages
(Figure: the attacker and a DHCP client on the L2 network connect to S9300 user-side interfaces
GE1/0/1 and GE1/0/2; GE2/0/1 leads through the L2 and L3 network to the DHCP relay and the
DHCP server.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Set the rate of sending DHCP Request messages to the protocol stack.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• Rate of sending DHCP Request messages
• Alarm threshold
NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface. The configuration procedure of GE 1/0/2
is the same as the configuration procedure of GE 1/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] dhcp snooping enable
[Quidway-GigabitEthernet1/0/1] quit

Step 2 Limit the rate for sending DHCP messages.


# Enable the checking of the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable

# Set the rate of sending DHCP Request messages.


[Quidway] dhcp snooping check dhcp-rate 90

Step 3 Configure the packet discarding alarm function.


# Enable the packet discarding alarm function.
[Quidway] dhcp snooping check dhcp-rate alarm enable

# Set the alarm threshold.


[Quidway] dhcp snooping check dhcp-rate alarm threshold 120

Step 4 Verify the configuration.


Run the display dhcp snooping global command on the S9300, and you can view that DHCP
snooping is enabled globally, and packet discarding alarm is enabled.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet1/0/1 GigabitEthernet1/0/2
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0

----End

Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
interface GigabitEthernet1/0/1
dhcp snooping enable
#
interface GigabitEthernet1/0/2
dhcp snooping enable
#
return


3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network


Networking Requirements
As shown in Figure 3-7, DHCP clients are connected to the S9300 through VLAN 10. DHCP
client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured
IP address. It is required that DHCP snooping be configured on user-side interfaces GE 1/0/0
and GE 1/0/1 of the S9300 to prevent the following type of attacks:
l Bogus DHCP server attack
l DoS attack by changing the value of the CHADDR field
l Attack by sending bogus messages to extend IP address leases
l Attack by sending a large number of DHCP Request messages

Figure 3-7 Networking diagram for configuring DHCP snooping
(S9300: GE2/0/0 towards the DHCP relay and DHCP server; GE1/0/0 to DHCP client1; GE1/0/1 to DHCP client2, IP 10.1.1.1/24, MAC 0001-0002-0003)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation
To complete the configuration, you need the following data:
l VLAN that the interfaces belong to: 10
l GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted
l Static IP address from which packets are forwarded: 10.1.1.1/24, with the corresponding MAC address 0001-0002-0003
l Rate of sending DHCP messages to the protocol stack: 90
l Mode of the Option 82 function: insert
l Alarm threshold of the number of discarded packets: 120
l Alarm threshold for checking the rate of sending packets: 80


NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE
1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.


# Configure the interface connecting to the DHCP server as trusted. An interface on which
DHCP snooping is enabled is untrusted by default, so the client-side interfaces GE 1/0/0 and
GE 1/0/1 need no further configuration. DHCP replies received on an untrusted interface are
discarded, which prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure the checking for certain types of packets.

# Enable the checking of DHCP Request messages against the binding table on the interfaces at
the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP
address leases. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and
is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent
attackers from changing the CHADDR field in DHCP Request messages. The configuration of
GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.

# DHCP client2 uses a static IP address, so a static DHCP snooping binding entry must be
configured for it.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10

Step 5 Limit the rate of sending DHCP messages.

# Enable the DHCP rate check and limit the rate of DHCP messages sent to the protocol stack, so
that an attacker flooding DHCP Request messages cannot exhaust the CPU.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.


# Configure the user-side interface to append the Option 82 field to DHCP messages. The
configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned
here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function for each check, and set the alarm threshold of
the number of discarded packets. The configuration of GE 1/0/1 is the same as the configuration
of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit


# Enable the alarm function for checking the rate of sending packets, and set the alarm threshold
for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
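Steps 2, 3 and 7 above configure three per-interface checks: DHCP replies arriving on an untrusted interface are discarded, the CHADDR field must equal the frame's source MAC address, and Request messages are matched against the binding table, each check with its own drop counter and alarm threshold. The following Python model of those checks is an added example written for this page; it is not Huawei code and does not reproduce the S9300 implementation. The DHCP payloads are constructed inline, and the Port and Snooper classes, the alarm semantics (raised when a check's drop counter reaches its threshold) and the restriction of the user-bind check to lease renewals that carry ciaddr are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132); OFFER/ACK/NAK are sent by servers
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP header, 236 bytes


def build_dhcp(msg_type, chaddr, ciaddr=bytes(4), xid=0x3903F326):
    """Build a minimal DHCP payload (constructed test input; no IP/UDP header)."""
    op = 2 if msg_type in SERVER_MSGS else 1
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0, ciaddr,
                         bytes(4), bytes(4), bytes(4), chaddr.ljust(16, b"\0"),
                         bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (message type, CHADDR, ciaddr) from a DHCP payload."""
    f = struct.unpack_from(BOOTP_FMT, payload)
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    ciaddr, chaddr = f[7], f[11][:f[2]]          # f[2] is hlen (6 for Ethernet)
    msg_type, opts, i = None, payload[240:], 0
    while i < len(opts) and opts[i] != 255:      # walk TLV options up to the End option
        if opts[i] == 0:                          # Pad option carries no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return msg_type, chaddr, ciaddr


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # dhcp snooping trusted
    check_mac: bool = False        # dhcp snooping check mac-address enable
    check_user_bind: bool = False  # dhcp snooping check user-bind enable


@dataclass
class Snooper:
    bindings: dict                 # (port name, VLAN, MAC) -> bound IPv4 address (4 bytes)
    threshold: int = 120           # dhcp snooping alarm <check> threshold (assumed semantics)
    drops: dict = field(default_factory=lambda: {
        "untrust-reply": 0, "mac-address": 0, "user-bind": 0})
    alarms: list = field(default_factory=list)

    def _drop(self, reason):
        self.drops[reason] += 1
        if self.drops[reason] == self.threshold:  # alarm once the counter reaches the threshold
            self.alarms.append(reason)
        return False

    def accept(self, port, src_mac, payload):
        """Apply the snooping checks to one frame; True = forward, False = discarded."""
        msg_type, chaddr, ciaddr = parse_dhcp(payload)
        if msg_type in SERVER_MSGS and not port.trusted:  # server reply on an untrusted port
            return self._drop("untrust-reply")
        if port.trusted:                                    # trusted ports are not checked further
            return True
        if port.check_mac and chaddr != src_mac:            # CHADDR must equal the source MAC
            return self._drop("mac-address")
        # Lease renewal: a REQUEST carrying ciaddr must match the binding for port/VLAN/MAC
        # (assumption: the user-bind check is modelled for renewals only)
        if port.check_user_bind and msg_type == REQUEST and ciaddr != bytes(4):
            if self.bindings.get((port.name, port.vlan, src_mac)) != ciaddr:
                return self._drop("user-bind")
        return True


def demo():
    """Replay the attacks the example guards against; threshold lowered to 2 to show an alarm."""
    client2, attacker = bytes.fromhex("000100020003"), bytes.fromhex("0a0b0c0d0e0f")
    ge101 = Port("GE1/0/1", 10, check_mac=True, check_user_bind=True)   # DHCP client2 side
    ge200 = Port("GE2/0/0", 10, trusted=True)                            # DHCP server side
    snoop = Snooper(bindings={("GE1/0/1", 10, client2): bytes([10, 1, 1, 1])}, threshold=2)
    good_ip, bad_ip = bytes([10, 1, 1, 1]), bytes([10, 1, 1, 99])
    results = {
        "bogus_server": snoop.accept(ge101, client2, build_dhcp(OFFER, client2)),
        "real_server": snoop.accept(ge200, bytes.fromhex("00aa00bb00cc"), build_dhcp(OFFER, client2)),
        "spoofed_chaddr": snoop.accept(ge101, client2, build_dhcp(DISCOVER, attacker)),
        "valid_renew": snoop.accept(ge101, client2, build_dhcp(REQUEST, client2, good_ip)),
        "bogus_renew": snoop.accept(ge101, client2, build_dhcp(REQUEST, client2, bad_ip)),
        "bogus_renew_again": snoop.accept(ge101, client2, build_dhcp(REQUEST, client2, bad_ip)),
    }
    return results, dict(snoop.drops), list(snoop.alarms)


if __name__ == "__main__":
    print(demo())
```

The DISCOVER with a foreign CHADDR is the starvation pattern the mac-address check stops; the REQUEST with a wrong ciaddr is the bogus lease renewal the user-bind check stops; the OFFER on GE1/0/1 is the rogue server that the trusted/untrusted split stops.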

Step 8 Verify the configuration.

Run the display dhcp snooping global command on the S9300, and you can view that DHCP
snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet1/0/0 GigabitEthernet1/0/1
Dhcp snooping trusted is configured at these interface :
GigabitEthernet2/0/0
Dhcp option82 insert is configured at these interface :
GigabitEthernet1/0/0 GigabitEthernet1/0/1
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0

Run the display dhcp snooping interface command, and you can view information about DHCP
snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname        O/I-vlan  mac-address     ip-address     tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/1       10/ --    0001-0002-0003  10.1.1.1       S   0
-------------------------------------------------------------------------------
Static binditem count:        1
Static binditem total count:  1

Run the display dhcp option82 interface command, and you can view the configuration of
Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable
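The display commands above expose, per check, the alarm threshold and a drop counter, and globally the number of packets dropped by the rate check. The parser and assessment below are an added example for this page, not S9300 code: they read the output format shown above (the sample text is the output above with the drop counters replaced by constructed non-zero values) and report checks whose drop counter has reached its threshold, untrusted interfaces with a check missing, and rate-check drops at or above the dhcp-rate alarm threshold. Reading "drop count within alarm range" against that threshold is an assumption.

```python
import re

# 'display dhcp snooping interface' output for GE1/0/0 as shown above, with the drop
# counters changed (constructed sample) to show an alarm condition and ordinary drops.
SAMPLE_INTERFACE = """\
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 5
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 130
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
"""

# 'display dhcp snooping global' output as shown above, drop counters constructed.
SAMPLE_GLOBAL = """\
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet1/0/0 GigabitEthernet1/0/1
Dhcp snooping trusted is configured at these interface :
GigabitEthernet2/0/0
dhcp packet drop count within alarm range : 95
dhcp packet drop count total : 4021
"""


def parse_interface(text):
    """Collect enabled checks, alarm thresholds and drop counters per check."""
    info = {"trusted": "dhcp snooping trusted" in text, "checks": set(),
            "threshold": {}, "dropped": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"dhcp snooping check (\S+)( enable)?", line):
            info["checks"].add(m.group(1))
        elif m := re.fullmatch(r"dhcp snooping alarm (\S+) threshold (\d+)", line):
            info["threshold"][m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"dhcp packet dropped by (\S+) checking = (\d+)", line):
            info["dropped"][m.group(1)] = int(m.group(2))
    return info


def parse_global(text):
    """Collect the rate limit, its alarm threshold and the rate-check drop counters."""
    def num(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else None
    return {"rate": num(r"dhcp snooping check dhcp-rate (\d+)"),
            "rate_alarm_threshold": num(r"dhcp-rate alarm threshold (\d+)"),
            "drops_in_alarm_range": num(r"drop count within alarm range : (\d+)"),
            "drops_total": num(r"drop count total : (\d+)")}


def assess(ifname, iface, glob):
    """Return (scope, check, severity, count) tuples worth an operator's attention."""
    findings = []
    for check, count in iface["dropped"].items():
        limit = iface["threshold"].get(check)
        if limit is not None and count >= limit:      # counter reached the alarm threshold
            findings.append((ifname, check, "alarm", count))
        elif count:                                   # drops below threshold still mean attempts
            findings.append((ifname, check, "drops", count))
    for check in ("mac-address", "user-bind"):        # untrusted ports should run both checks
        if not iface["trusted"] and check not in iface["checks"]:
            findings.append((ifname, check, "check-disabled", 0))
    rate_limit, rate_drops = glob["rate_alarm_threshold"], glob["drops_in_alarm_range"] or 0
    if rate_limit is not None and rate_drops >= rate_limit:
        findings.append(("global", "dhcp-rate", "alarm", rate_drops))
    return findings


def demo():
    return assess("GE1/0/0", parse_interface(SAMPLE_INTERFACE), parse_global(SAMPLE_GLOBAL))
```

Feeding the output of these commands (collected over SSH on a schedule) through assess() turns the per-check counters into alerts; a rising mac-address counter on one port is the signature of a starvation attempt from that port.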

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface
gigabitethernet 1/0/1 vlan 10
#
interface GigabitEthernet1/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet1/0/1
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
dhcp snooping trusted
#
return

3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent

Networking Requirements
As shown in Figure 3-8, the S9300 is connected to the DHCP server and the DHCP clients and has
the DHCP relay function enabled. DHCP client1 uses a dynamically allocated IP address and
DHCP client2 uses a statically configured IP address. It is required that DHCP snooping be
configured on the S9300 to prevent the following types of attacks:
l Bogus DHCP server attack
l DoS attack by changing the value of the CHADDR field
l Attack by sending bogus messages for extending IP address leases
l Attack by sending a large number of DHCP Request messages

When users go offline abnormally after obtaining IP addresses, the system detects this
automatically, deletes the entry from the DHCP snooping binding table, and notifies the DHCP
server to release the IP address.

Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent
(S9300 acting as DHCP relay: GE2/0/0 to the DHCP server; GE1/0/0 to DHCP client1 and DHCP client2, IP 10.1.1.1/24, MAC 0001-0002-0003)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation
To complete the configuration, you need the following data:
l GE 1/0/0 belonging to VLAN 10 and GE 2/0/0 belonging to VLAN 20
l Static IP address from which packets are forwarded: 10.1.1.1/24, with the corresponding MAC address 0001-0002-0003
l GE 1/0/0 configured as untrusted and GE 2/0/0 configured as trusted
l Rate of sending DHCP messages to the CPU: 90
l Mode of the Option 82 function: insert
l Alarm threshold of the number of discarded packets: 120
l Alarm threshold for checking the rate of sending packets: 80


NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.
For the configuration of DHCP Relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit
Routing Switch Configuration Guide - IP Service.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side.


[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.


# Configure the interface connecting to the DHCP server as trusted. An interface on which
DHCP snooping is enabled is untrusted by default, so the client-side interface GE 1/0/0 needs
no further configuration. DHCP replies received on an untrusted interface are discarded, which
prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure the checking for certain types of packets.
# Enable the checking of DHCP Request messages on the interface at the DHCP client side to
prevent attackers from sending bogus DHCP messages for extending IP address leases.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interface at the DHCP client side to prevent
attackers from changing the CHADDR field in DHCP Request messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.

# DHCP client2 uses a static IP address, so a static DHCP snooping binding entry must be
configured for it.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10

Step 5 Limit the rate of sending DHCP messages.

# Enable the DHCP rate check and limit the rate of DHCP messages sent to the CPU, so that an
attacker flooding DHCP Request messages cannot exhaust the CPU.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.


# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function for each check, and set the alarm threshold of
the number of discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit


# Enable the alarm function for checking the rate of sending packets and set the alarm threshold
for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Associate ARP with DHCP snooping.

# With this function, the system sends ARP probes to an IP address that has a DHCP snooping
binding entry but no ARP entry before the binding entry ages out. If the user does not answer
within the configured number of probes, the system deletes the entry from the DHCP snooping
binding table and notifies the DHCP server to release the IP address.
[Quidway] arp dhcp-snooping-detect enable

Step 9 Verify the configuration.


Run the display dhcp snooping global command on the S9300, and you can view that DHCP
snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface :
GigabitEthernet1/0/0
Dhcp snooping trusted is configured at these interface :
GigabitEthernet2/0/0
Dhcp option82 insert is configured at these interface :
GigabitEthernet1/0/0
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0


Run the display dhcp snooping interface command, and you can view information about DHCP
snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname        O/I-vlan  mac-address     ip-address     tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0       10/ --    0001-0002-0003  10.1.1.1       S   0
-------------------------------------------------------------------------------
Static binditem count:        1
Static binditem total count:  1

Run the display dhcp option82 interface command, and you can view the configuration of
Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface
gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#

interface GigabitEthernet2/0/0
dhcp snooping trusted
#
arp dhcp-snooping-detect enable
#
return
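The configuration files in this example and in 3.10.5 follow one pattern: the global enable and rate-limit commands, exactly one trusted interface (the one facing the DHCP server or relay) and, on every untrusted user-side interface, the CHADDR and user-bind checks with their alarms. The Python audit below is an added example written for this page, not S9300 or Huawei code. It parses a VRP-style configuration file (the file above, with the wrapped user-bind line joined and interface commands indented by one space, as the switch itself writes them) and reports deviations; a constructed weakened copy shows what it flags. The expected trusted interface is passed in, and the policy encoded in GLOBAL_REQUIRED and USER_PORT_REQUIRED is an assumption taken from this example rather than a Huawei recommendation.

```python
import re

# Configuration file from the example above; BAD_CONFIG is a constructed weakened copy in
# which trust has moved from the server port to the user port, which also lost its user-bind check.
GOOD_CONFIG = """\
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
 dhcp snooping trusted
#
arp dhcp-snooping-detect enable
#
return
"""
BAD_CONFIG = (GOOD_CONFIG
              .replace("interface GigabitEthernet2/0/0\n dhcp snooping trusted\n",
                       "interface GigabitEthernet2/0/0\n")
              .replace(" dhcp snooping check user-bind enable\n", " dhcp snooping trusted\n"))

# Policy assumed for this audit, taken from the example above
GLOBAL_REQUIRED = ("dhcp enable", "dhcp snooping enable",
                   "dhcp snooping check dhcp-rate enable")
USER_PORT_REQUIRED = ("dhcp snooping check mac-address enable",
                      "dhcp snooping check user-bind enable")


def parse_vrp(config):
    """Split a VRP configuration into global commands and per-interface command sets."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # '#' ends a configuration section
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())
        elif current is not None:
            interfaces[current].add(line)
        else:
            global_cmds.add(line)
    return global_cmds, interfaces


def audit(config, server_port):
    """Return human-readable findings; an empty list means the policy holds."""
    global_cmds, interfaces = parse_vrp(config)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED if cmd not in global_cmds]
    if not any(re.fullmatch(r"dhcp snooping check dhcp-rate \d+", c) for c in global_cmds):
        findings.append("global: DHCP rate limit value not set")
    # Exactly the server-facing interface may be trusted; any other trusted port lets a rogue server in
    trusted = sorted(n for n, cmds in interfaces.items() if "dhcp snooping trusted" in cmds)
    if trusted != [server_port]:
        findings.append(f"trusted interfaces {trusted} != expected ['{server_port}']")
    for name, cmds in interfaces.items():
        if "dhcp snooping enable" not in cmds:   # not a snooping user port
            continue
        findings += [f"{name}: missing '{cmd}'" for cmd in USER_PORT_REQUIRED if cmd not in cmds]
        if not any(c.startswith("dhcp snooping alarm ") for c in cmds):
            findings.append(f"{name}: no packet discarding alarm configured")
    return findings


if __name__ == "__main__":
    print(audit(GOOD_CONFIG, "GigabitEthernet2/0/0"))
    print(audit(BAD_CONFIG, "GigabitEthernet2/0/0"))
```

Run it against the saved configuration after every change window; the trusted-interface assertion is the one that matters most, since a user port that is accidentally trusted silently re-enables the bogus DHCP server attack the whole example exists to prevent.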

3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

Networking Requirements
As shown in Figure 3-9, the DHCP clients are connected to the VPLS network through the LAN
switch; PE1 and PE2 are connected through a VPLS public network. DHCP snooping is enabled
on PE1; the interface at the DHCP client side is configured as untrusted and the interface at the
DHCP server side is configured as trusted.
In addition, PE1 can prevent the following attacks:
l Bogus DHCP server attacks
l DoS attacks by changing the value of the CHADDR field
l Attacks by sending bogus messages for extending IP address leases
l Attacks by sending a large number of DHCP Request messages

DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically
configured IP address.

Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network
(PE1: Loopback1 1.1.1.9/32, GE2/0/0 in VLANIF10 100.1.1.1/24 towards PE2, GE1/0/0 towards the LAN switch; PE2: Loopback1 2.2.2.9/32, GE2/0/0 in VLANIF10 100.1.1.2/24 towards PE1, GE3/0/0 towards the DHCP server; LAN switch: GE1/0/0 towards PE1, GE2/0/0 to DHCP client1, GE2/0/1 to DHCP client2, IP 10.1.1.1/24, MAC 0001-0002-0003)

NOTE

Users apply to the DHCP server for IP addresses through the Layer 2 network; therefore, DHCP relay
devices are not required in the preceding networking.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VPLS, which involves the following:
   l Configure the routing protocol on the backbone network to ensure the connectivity of routers.
   l Configure basic MPLS functions and establish an LSP between PEs.
   l Enable MPLS L2VPN on PEs.
   l Create a VSI on the PEs and specify LDP as the signaling protocol, and then bind the VSI to the AC interfaces.
2. Configure DHCP snooping, which involves the following:
   l Enable DHCP snooping in the system view and in the interface view, and enable DHCP snooping over VPLS.
   l Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
   l Set the maximum number of DHCP snooping users to prevent malicious IP address application, which would prevent authorized users from applying for IP addresses.
   l Configure the checking of the CHADDR value to prevent DoS attacks by changing the value of the CHADDR field.
   l Configure the checking of DHCP Request messages against the DHCP snooping binding table to prevent attacks by sending bogus messages for extending IP address leases.
   l Configure Option 82 and create a binding table covering accurate interface information.
   l Configure the alarm function.

Data Preparation
To complete the configuration, you need the following data:
l Static IP address from which packets are forwarded
l Maximum number of users
l Alarm threshold
l VSI name and VSI ID
l IP address of the peer and tunnel policy used for setting up the peer relation
l Interface bound to a VSI



NOTE

The following example only provides the configuration procedure of the S9300. For details on the
configuration of other devices, see the related operation guides.

Procedure
Step 1 Configure the VPLS.
1. Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes. Assign an IP address to each interface on the PEs as shown in Figure 3-9.


# Configure PE1.
<PE1> system-view
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 24
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<PE2> system-view
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 24
[PE2-Vlanif10] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration, run the display ip routing-table command on PE1 and PE2. You
can view that the PEs have learned each other's routes and can ping each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   1           D   100.1.1.2       Vlanif10
       100.1.1.0/24 Direct  0    0           D   100.1.1.1       Vlanif10
       100.1.1.1/32 Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32 Direct  0    0           D   127.0.0.1       InLoopBack0
<PE1> ping 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 100.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms


2. Enable basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit

After the configuration, run the display mpls ldp session command on PE1 or PE2. You
can view that the Status item of the peer between PE1 and PE2 is Operational, which
indicates that the peer relation is established. Run the display mpls ldp lsp command, and
you can view the established LSPs.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
  Peer-ID            Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
  2.2.2.9:0          Operational  DU   Passive  000:00:01   7/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
  LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
 SN   DestAddress/Mask   In/OutLabel   Next-Hop        In/OutInterface
 ------------------------------------------------------------------------------
 1    1.1.1.9/32         3/NULL        127.0.0.1       Vlanif10/InLoop0
 2    2.2.2.9/32         NULL/3        100.1.1.2       -------/Vlanif10
 ------------------------------------------------------------------------------
 TOTAL: 2 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale


3. Enable MPLS L2VPN on PEs.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

4. Create VSIs and specify LDP as the signaling protocol of the VSIs.

# Configure PE1.
[PE1] vsi v123 static
[PE1-vsi-v123] pwsignal ldp
[PE1-vsi-v123-ldp] vsi-id 2
[PE1-vsi-v123-ldp] peer 2.2.2.9
[PE1-vsi-v123-ldp] quit
[PE1-vsi-v123] quit

# Configure PE2.
[PE2] vsi v123 static
[PE2-vsi-v123] pwsignal ldp
[PE2-vsi-v123-ldp] vsi-id 2
[PE2-vsi-v123-ldp] peer 1.1.1.9
[PE2-vsi-v123-ldp] quit
[PE2-vsi-v123] quit

5. Bind the VSI to the interfaces on the PEs.

# Configure PE1.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] l2 binding vsi v123
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] l2 binding vsi v123
[PE2-Vlanif30] quit

After the configuration, run the display vsi name v123 verbose command on PE1, and you
can find that VSI v123 has set up a PW to PE2 and the status of the VSI is Up.
<PE1> display vsi name v123 verbose
 ***VSI Name               : v123
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Mpls Exp               : --
    DomainId               : 255
    Domain Name            :
    VSI State              : up
    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    VC Label               : 27648
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x802000
    Interface Name         : Vlanif20
    State                  : up

  **PW Information:
   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 21504
    Remote VC Label        : 21504
    PW Type                : label
    Tunnel ID              : 0x802000
    FIB Link-ID            : 1

Step 2 Configure DHCP snooping.

1. Enable DHCP snooping.

Enable DHCP snooping globally and on the interfaces.
# Configure PE1.
[PE1] dhcp enable
[PE1] dhcp snooping enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping enable
[PE1-GigabitEthernet2/0/0] quit


Enable DHCP snooping over VPLS.


# Configure PE1.
[PE1] dhcp snooping over-vpls enable

2. Configure the trusted interface.


# Configure PE1.
Configure the interface connecting to the DHCP server as a trusted interface and enable
DHCP snooping on all the interfaces connected to the DHCP client. If the interface at the
client side is not configured with "Trusted", the default interface mode is "Untrusted" after
DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping trusted
[PE1-GigabitEthernet2/0/0] quit

3. Configure the DHCP snooping binding table.


# Configure PE1.

Set the maximum number of DHCP snooping users on interfaces at the DHCP client side.
This prevents malicious IP address requests and ensures that authorized users can still
obtain IP addresses.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
[PE1-GigabitEthernet1/0/0] quit

Configure static binding entries. If users adopt static IP addresses, you need to manually
configure static DHCP snooping entries.
[PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20

4. Configure the checking of specific packets.


# Configure PE1.
# Check DHCP Request messages on the interfaces at the DHCP client side to prevent
attacks by sending bogus DHCP messages to extend IP address leases.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping check user-bind enable

# Check the CHADDR field on the interfaces at the DHCP client side to prevent attacks
by changing the value of the CHADDR field.
[PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[PE1-GigabitEthernet1/0/0] quit

5. Configure Option 82.


# Configure PE1.
# Configure DHCP messages to carry interface information so that the binding table
records more accurate interface information.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp option82 insert enable
[PE1-GigabitEthernet1/0/0] quit

6. Configure the alarm function.


# Configure PE1.
Enable the alarm function of discarding packets and set the alarm threshold for discarding
packets.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[PE1-GigabitEthernet1/0/0] quit

Enable the alarm function of limiting the rate of packets and set the alarm threshold for
limiting the rate of packets.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate alarm enable
[PE1] dhcp snooping check dhcp-rate alarm threshold 80
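The checks configured on PE1 in steps 1 to 6 above, modelled in Python as an added example (not code from this guide or from the S9300): trusted interface and untrust-reply, the CHADDR check, the user-bind check of renewals and releases, max-user-number and the per-check alarm thresholds. The interface names and the static binding follow the example; the packets and the simplified binding rules (an initial request is passed and bound when the ACK arrives on the trusted interface; a renewal, release or decline must match an existing binding; the alarm fires when the drop count reaches the threshold) are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    static: bool = False


@dataclass
class DhcpPacket:
    kind: str                 # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    src_mac: str              # Ethernet source MAC
    chaddr: str               # CHADDR field of the DHCP message
    interface: str            # ingress interface
    vlan: int
    ip: Optional[str] = None  # client IP carried by a renewal, release or ACK


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Simplified model of the checks configured on PE1 (assumption, not S9300 code)."""

    def __init__(self, trusted, max_users: int = 3000, alarm_threshold: int = 120):
        self.trusted = set(trusted)               # dhcp snooping trusted
        self.max_users = max_users                # dhcp snooping max-user-number
        self.threshold = alarm_threshold          # dhcp snooping alarm ... threshold
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> entry
        self.pending: Dict[Tuple[str, int], str] = {}        # (mac, vlan) -> client port
        self.drops = {"untrust-reply": 0, "mac-address": 0, "user-bind": 0}
        self.alarms: List[str] = []

    def add_static(self, ip, mac, interface, vlan):
        """user-bind static ip-address ... mac-address ... interface ... vlan ..."""
        self.bindings[(mac, vlan)] = Binding(ip, mac, interface, vlan, static=True)

    def _drop(self, reason: str) -> bool:
        self.drops[reason] += 1
        if self.drops[reason] == self.threshold:  # alarm once the threshold is reached
            self.alarms.append(reason)
        return False

    def _dynamic_users(self, interface: str) -> int:
        return sum(1 for b in self.bindings.values()
                   if b.interface == interface and not b.static)

    def process(self, p: DhcpPacket) -> bool:
        """Return True if the packet is forwarded, False if it is discarded."""
        key = (p.chaddr, p.vlan)
        if p.kind in SERVER_MSGS:
            # untrust-reply: server messages are accepted only on the trusted interface
            if p.interface not in self.trusted:
                return self._drop("untrust-reply")
            if p.kind == "ACK" and key not in self.bindings:
                client_if = self.pending.pop(key, None)
                if client_if is not None:   # the ACK completes a request seen earlier
                    self.bindings[key] = Binding(p.ip, p.chaddr, client_if, p.vlan)
            return True
        # check mac-address: CHADDR must equal the Ethernet source MAC
        if p.chaddr != p.src_mac:
            return self._drop("mac-address")
        # check user-bind: renewals, releases and declines must match a binding entry
        if p.kind in {"RELEASE", "DECLINE"} or (p.kind == "REQUEST" and p.ip):
            b = self.bindings.get(key)
            if b is None or b.ip != p.ip or b.interface != p.interface:
                return self._drop("user-bind")
            if p.kind == "RELEASE" and not b.static:
                del self.bindings[key]
            return True
        # initial DISCOVER/REQUEST: enforce max-user-number on the client interface
        if self._dynamic_users(p.interface) >= self.max_users:
            return False
        self.pending[key] = p.interface
        return True


def dhcp_example():
    """Constructed traffic against the PE1 settings (thresholds lowered to show an alarm)."""
    sw = DhcpSnooping(trusted={"GE2/0/0"}, max_users=3, alarm_threshold=2)
    sw.add_static("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20)
    mac, server, bogus = "0001-0002-0004", "0001-0002-00aa", "0bad-0bad-0bad"
    results = [
        sw.process(DhcpPacket("DISCOVER", mac, mac, "GE1/0/0", 20)),                     # True
        sw.process(DhcpPacket("ACK", server, mac, "GE2/0/0", 20, ip="10.1.1.2")),        # True, binding created
        sw.process(DhcpPacket("OFFER", bogus, mac, "GE1/0/0", 20, ip="10.1.1.9")),       # bogus server: False
        sw.process(DhcpPacket("REQUEST", mac, "0001-0002-0003", "GE1/0/0", 20, ip="10.1.1.1")),  # CHADDR spoof: False
        sw.process(DhcpPacket("RELEASE", mac, mac, "GE1/0/0", 20, ip="10.1.1.1")),       # releasing another lease: False
        sw.process(DhcpPacket("REQUEST", mac, mac, "GE1/0/0", 20, ip="10.1.1.2")),       # legitimate renewal: True
        sw.process(DhcpPacket("OFFER", bogus, mac, "GE1/0/0", 20, ip="10.1.1.9")),       # second bogus offer: False, alarm
    ]
    return results, sw
```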

Step 3 Verify the configuration.


After the configuration, users can dynamically apply for IP addresses.
Run the display dhcp snooping global command on PE1. You can view that DHCP snooping
is enabled globally and in the interface view. You can also view the statistics on the alarms sent
to the NMS.
<PE1> display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
 GigabitEthernet1/0/0 GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :
 GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface :
 GigabitEthernet1/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command on PE1, and you can view information
about DHCP snooping on the interface.
<PE1> display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0
 dhcp snooping max-user-number 3000
<PE1> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0

Run the display user-bind all command on PE1, and you can view static binding entries of
users.
<PE1> display user-bind all
bind-table:
ifname           O/I-vlan   mac-address      ip-address        tp  lease  vsi
-------------------------------------------------------------------------------
GE1/0/0          20/ --     0001-0002-0003   10.1.1.1          S   0
-------------------------------------------------------------------------------
Static binditem count:         1
Static binditem total count:   1

----End

Configuration Files
- Configuration file of PE1


#
sysname PE1

#
vlan batch 10 20
#
dhcp enable
dhcp snooping enable
dhcp snooping over-vpls enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface GigabitEthernet1/0/0 vlan 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 2
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
l2 binding vsi v123
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping max-user-number 3000
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return

- Configuration file of PE2

#
sysname PE2
#
vlan batch 10 30

#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
interface Vlanif10
ip address 100.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
l2 binding vsi v123
#
interface GigabitEthernet2/0/10
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return

4 ARP Security Configuration

About This Chapter


This chapter describes the principle and configuration of ARP security features.
4.1 Introduction to ARP Security
This section describes the principle of ARP security.
4.2 ARP Security Supported by the S9300
This section describes the ARP security features supported by the S9300.
4.3 Limiting ARP Entry Learning
This section describes how to limit the learning of ARP entries.
4.4 Configuring ARP Anti-Attack
This section describes how to configure the ARP anti-attack function.
4.5 Suppressing Transmission Rate of ARP Packets
This section describes how to suppress the transmission rate of the ARP packets.
4.6 Maintaining ARP Security
This section describes how to maintain ARP security.
4.7 Configuration Examples
This section provides several configuration examples of ARP security.

4.1 Introduction to ARP Security


This section describes the principle of ARP security.

ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request
and Response packets to attack network devices. Attacks are classified into ARP buffer overflow
attacks and ARP Denial of Service (DoS) attacks.
- ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets
  and gratuitous ARP packets, which results in ARP buffer overflow. Therefore, normal ARP
  entries cannot be cached and packet forwarding is interrupted.
- ARP DoS attacks: Attackers send a large number of ARP request and response packets or
  other packets that can trigger the ARP processing. The device is then busy with ARP
  processing during a long period and ignores other services. Normal packet forwarding is
  thus interrupted.

Attackers scan hosts on the local network segment or on other network segments using scanning
tools. Before returning response packets, the S9300 searches for ARP entries. If the MAC address
corresponding to the destination IP address does not exist, the ARP module on the S9300 sends
ARP Miss messages to the upper-layer software and requires the upper-layer software to send
ARP request packets to obtain the destination MAC address. A large number of scanning packets
generate a large number of ARP Miss packets, and system resources are then wasted in
processing them. This affects the processing of other services and is therefore called a
scanning attack.

ARP Security
ARP security is used to filter out untrusted ARP packets and enable timestamp suppression for
certain ARP packets to guarantee the security and robustness of network devices.

4.2 ARP Security Supported by the S9300


This section describes the ARP security features supported by the S9300.
The S9300 supports the following ARP security features.

Limitation on ARP Entry Learning


You can configure the strict ARP entry learning so that the S9300 can learn only the response
messages of the ARP requests sent locally.
You can set the maximum number of ARP entries that can be dynamically learned by an
interface. This prevents malicious use of ARP entries and ensures that the S9300 can learn the
ARP entries of authorized users.

ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP
packets and modify ARP entries on the gateway. As a result, the authorized users are
disconnected from the network.
The S9300 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address
  to be modified through ARP entry learning until this ARP entry ages. Thus the S9300
  prevents the ARP entries of authorized users from being modified without permission.
  The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac
  mode, the MAC addresses cannot be modified, but the VLANs and interfaces can be
  modified; in fixed-all mode, the MAC addresses, VLANs, and interfaces cannot be
  modified.
- Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP
  packet that requests modification of a MAC address. Instead, the S9300 sends a unicast
  packet for acknowledgement to the user matching this MAC address in the original ARP table.

Preventing ARP Gateway Attack


ARP gateway attack means that an attacker sends gratuitous ARP packets with the source IP
address as the bogus gateway address on a local area network (LAN). After receiving these
packets, the host replaces its gateway address with the address of the attacker. As a result, none
of the hosts on a LAN can access the network.
When the S9300 receives ARP packets with the bogus gateway address, there are the following
situations:
- The source IP address in the ARP packets is the same as the IP address of the interface that
  receives the packets.
- The source IP address in the ARP packets is the virtual IP address of the incoming interface
  but the source MAC address of ARP packets is not the virtual MAC address of the Virtual
  Router Redundancy Protocol (VRRP) group when the VRRP group is in virtual MAC
  address mode.

In either of the preceding situations, the S9300 generates ARP anti-attack entries and discards
the packets with the same source MAC address in the Ethernet header for a period (the default
value is three minutes). This prevents ARP packets with the bogus gateway address from being
broadcast on a VLAN.

Suppressing ARP Packet Source


When a large number of packets are sent from a source IP address, the CPU resources of the
device and the bandwidth reserved for sending ARP packets are occupied.
The S9300 can suppress the transmission rate of the ARP packets with a specified source IP
address. If the number of ARP packets with a specified source IP address received by the
S9300 within a specified period exceeds the set threshold, the S9300 does not process the
excessive ARP request packets.

Suppressing ARP Miss Packet Source


When a host attacks the device by sending a large number of IP packets whose destination IP
address cannot be resolved, the S9300 suppresses the ARP Miss packets that have the specified
source IP address. If a large number of such IP packets are sent to the S9300 from one source
IP address, ARP Miss packets are triggered. The S9300 collects statistics on the ARP Miss
packets. If a source IP address triggers ARP Miss packets continuously in a period and the
triggered rate exceeds the set threshold, the S9300 considers that an attack is occurring. In
this case, the S9300 delivers ACL rules to discard the IP packets sent from this address for a
period (the default value is 50 seconds).

Preventing ARP Man-in-the-Middle Attack


A man-in-the-middle on the network may send a packet carrying its own MAC address and the
IP address of the server to the client. The client learns the MAC address and IP address contained
in the packet and considers the man-in-the-middle as the server. Then, the man-in-the-middle
sends a packet carrying its own MAC address and the IP address of the client to the server. The
server can learn the IP address and MAC address of the man-in-the-middle and consider the
man-in-the-middle as the client. In this way, the man-in-the-middle obtains the data exchanged
between the server and the client.
To prevent the man-in-the-middle attacks, you can configure the S9300 to check the ARP packets
according to the binding table. Only the packets that match the content of the binding table can
be forwarded; the other packets are discarded.

Limitation on the Transmission Rate of ARP Packets


The transmission rate of the ARP packets on the S9300 can be limited. This prevents the
excessive ARP packets from being transmitted to the security module and degrading system
performance.

ARP Proxy on a VPLS Network


On the VPLS network, the S9300 can process ARP packets on the PW. If the ARP packets are
ARP request packets and the destination IP address of the packets matches an entry in the DHCP
snooping binding table, the S9300 constructs ARP reply packets before sending them to the
requester of the PW. The attacks caused by PW-side ARP packets broadcast to the AC on a
VPLS network are thus prevented.

4.3 Limiting ARP Entry Learning


This section describes how to limit the learning of ARP entries.
4.3.1 Establishing the Configuration Task
4.3.2 Enabling Strict ARP Entry Learning
4.3.3 Configuring Interface-based ARP Entry Limitation
4.3.4 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
After the strict ARP entry learning is enabled, the S9300 learns only the response messages of
the ARP request messages sent locally.
You can configure the limitation on ARP entry learning based on interfaces to limit the number
of ARP entries dynamically learned by the interfaces.
Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and
  enabling the link-layer protocol

Data Preparation
To configure the limitation on ARP entry learning, you need the following data.

No.   Data
      Type and number of the interface where you need to configure the limitation on ARP entry learning

4.3.2 Enabling Strict ARP Entry Learning


Context
Strict ARP entry learning means that the S9300 learns only the response packets of the locally
sent ARP Request packets.

Procedure
- Configuring strict ARP entry learning globally
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     arp learning strict

     Strict ARP learning is enabled.
     By default, strict ARP learning is disabled on the S9300.
- Configuring strict ARP entry learning on an interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
     The interface is a VLANIF interface.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the interface.
     force-enable: enables strict ARP entry learning on an interface.
     force-disable: disables strict ARP entry learning on an interface.
     trust: indicates that the configuration of strict ARP entry learning on an interface
     is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an interface is the same
     as that configured globally.
- Configuring strict ARP entry learning on a GE or Ethernet subinterface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number [.subnumber ]

     The GE or Ethernet subinterface view is displayed.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the GE or Ethernet subinterface.
     force-enable: enables strict ARP entry learning on a GE or Ethernet subinterface.
     force-disable: disables strict ARP entry learning on a GE or Ethernet subinterface.
     trust: indicates that the configuration of strict ARP entry learning on a GE or
     Ethernet subinterface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on a GE or Ethernet
     subinterface is the same as that configured globally.
- Configuring strict ARP entry learning on an Eth-Trunk subinterface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface eth-trunk trunk-id [.subnumber ]

     The Eth-Trunk subinterface view is displayed.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the Eth-Trunk subinterface.
     force-enable: enables strict ARP entry learning on an Eth-Trunk subinterface.
     force-disable: disables strict ARP entry learning on an Eth-Trunk subinterface.
     trust: indicates that the configuration of strict ARP entry learning on an Eth-Trunk
     subinterface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an Eth-Trunk subinterface
     is the same as that configured globally.
----End
4.3.3 Configuring Interface-based ARP Entry Limitation


Context
If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of
authorized users. To prevent such attacks, you can set the maximum number of ARP entries that
can be dynamically learned by an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be a GE interface, an Ethernet interface, an Eth-Trunk, or a VLANIF interface.
Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ]] maximum maximum

Interface-based ARP entry limitation is configured.


The vlan parameter can only be used on GE interfaces, Ethernet interfaces, or Eth-Trunks.
----End

4.3.4 Checking the Configuration


Prerequisite
The configurations of ARP entry limitation are complete.

Procedure
- Run the display arp learning strict command to view the configuration of strict ARP entry
  learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]
  command to view the maximum number of ARP entries that can be learned by an interface
  or a VLAN.

----End

Example
Run the display arp learning strict command, and you can view the configuration of strict ARP
entry learning.
<Quidway> display arp learning strict
 The global configuration:arp learning strict
 interface                  LearningStrictState
 ------------------------------------------------------------
 Vlanif100                  force-disable
 Vlanif200                  force-enable
 ------------------------------------------------------------
 Total:2
 force-enable:1
 force-disable:1

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ]
command, and you can view the maximum number of ARP entries that can be learned by an
interface or a VLAN.
<Quidway> display arp-limit interface GigabitEthernet 1/0/10
 interface                  LimitNum    VlanID    LearnedNum(Mainboard)
 --------------------------------------------------------------------------
 GigabitEthernet1/0/10      1000        3         0
 GigabitEthernet1/0/10      1000        4         0
 GigabitEthernet1/0/10      1000        5         0
 GigabitEthernet1/0/10      1000        6         0
 GigabitEthernet1/0/10      1000        7         0
 GigabitEthernet1/0/10      1000        8         0
 GigabitEthernet1/0/10      1000        9         0
 GigabitEthernet1/0/10      1000        10        0
 --------------------------------------------------------------------------
 Total:8
<Quidway> display arp-limit vlan 3
 interface                  LimitNum    VlanID    LearnedNum(Mainboard)
 --------------------------------------------------------------------------
 GigabitEthernet1/0/10      1000        3         0
 --------------------------------------------------------------------------
 Total:1

4.4 Configuring ARP Anti-Attack


This section describes how to configure the ARP anti-attack function.
4.4.1 Establishing the Configuration Task
4.4.2 Preventing the ARP Address Spoofing Attack
4.4.3 Preventing the ARP Gateway Duplicate Attack
4.4.4 Preventing the Man-in-the-Middle Attack
4.4.5 Configuring ARP Proxy on a VPLS Network
4.4.6 Configuring DHCP to Trigger ARP Learning
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets
4.4.8 Enabling Log and Alarm Functions for Potential Attacks
4.4.9 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore,
it is required to configure the ARP anti-attack function on the access layer or convergence layer
to ensure network security.
- To prevent attackers from forging the ARP packets of authorized users and modifying the
  ARP entries on the gateway, you can configure the ARP address anti-spoofing function.
- To prevent attackers from forging the gateway address, sending gratuitous ARP packets
  whose source IP addresses are the gateway address on the LAN, and thus making the host
  change the gateway address into the address of the attacker, you can configure the ARP
  gateway anti-collision function.
- To prevent unauthorized users from accessing external networks by sending ARP packets
  to the S9300, you can configure the ARP packet checking function.

Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and
  enabling the link-layer protocol

Data Preparation
To configure ARP anti-attack, you need the following data.

No.   Data
      (Optional) Alarm threshold of the ARP packets discarded because they do not match the binding table.

4.4.2 Preventing the ARP Address Spoofing Attack


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

The ARP anti-spoofing function is enabled.


You can use only one ARP anti-spoofing mode. If an ARP anti-spoofing mode is already used,
the latest configuration overrides the previous configuration.
By default, the ARP anti-spoofing function is disabled on the S9300.
----End
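An added example (my own model, not code from this guide or the S9300) covering 4.3 and this section together: an ARP table that applies arp learning strict (only replies to requests the switch itself sent are learned), arp-limit per interface and VLAN, and the three entry-check modes against an attempt to rewrite an existing entry. The interface names, MAC addresses and packets are constructed; for send-ack I assume that an answer from the current owner to the unicast acknowledgement keeps the entry and that silence lets the change through.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str   # ingress interface


class ArpTable:
    """Simplified S9300 ARP table: strict learning, arp-limit and entry-check (assumption)."""

    def __init__(self, strict: bool = False, entry_check: Optional[str] = None):
        self.strict = strict                  # arp learning strict
        self.entry_check = entry_check        # None, fixed-mac, fixed-all or send-ack
        self.entries: Dict[str, ArpEntry] = {}
        self.limits: Dict[Tuple[str, Optional[int]], int] = {}   # arp-limit [vlan] maximum
        self.outstanding: Set[str] = set()    # IPs this switch itself has requested
        self.pending_ack: Dict[str, ArpEntry] = {}   # send-ack: changes awaiting confirmation

    def set_limit(self, interface: str, maximum: int, vlan: Optional[int] = None) -> None:
        self.limits[(interface, vlan)] = maximum

    def send_request(self, ip: str) -> None:
        self.outstanding.add(ip)

    def age_out(self, ip: str) -> None:
        self.entries.pop(ip, None)   # the fixed modes only hold until the entry ages

    def _learned_on(self, interface: str, vlan: Optional[int]) -> int:
        return sum(1 for e in self.entries.values()
                   if e.interface == interface and vlan in (None, e.vlan))

    def _limit_reached(self, p: ArpPacket) -> bool:
        return any(self._learned_on(i, v) >= m for (i, v), m in self.limits.items()
                   if i == p.interface and v in (None, p.vlan))

    def receive(self, p: ArpPacket) -> str:
        # strict learning: only replies to requests the switch sent are learned
        if self.strict and not (p.op == "reply" and p.sender_ip in self.outstanding):
            return "dropped-strict"
        new = ArpEntry(p.sender_ip, p.sender_mac, p.vlan, p.interface)
        old = self.entries.get(p.sender_ip)
        if old is None:
            if self._limit_reached(p):
                return "dropped-limit"
            self.entries[p.sender_ip] = new
            self.outstanding.discard(p.sender_ip)
            return "learned"
        if old == new:
            return "refreshed"
        if self.entry_check == "fixed-all":          # nothing may change before aging
            return "dropped-fixed"
        if self.entry_check == "fixed-mac" and old.mac != new.mac:   # VLAN/port may move
            return "dropped-fixed"
        if self.entry_check == "send-ack" and old.mac != new.mac:
            self.pending_ack[p.sender_ip] = new      # unicast check to the current owner
            return "ack-sent"
        self.entries[p.sender_ip] = new
        return "updated"

    def ack_result(self, ip: str, current_owner_answered: bool) -> str:
        new = self.pending_ack.pop(ip)
        if current_owner_answered:
            return "kept"
        self.entries[ip] = new
        return "updated"


def arp_example():
    out = {}
    # 4.3: strict learning plus a per-interface, per-VLAN limit of 2 entries
    t = ArpTable(strict=True)
    t.set_limit("GE1/0/10", maximum=2, vlan=3)
    out["unsolicited"] = t.receive(ArpPacket("reply", "10.0.3.1", "0001-0001-0001", 3, "GE1/0/10"))
    for ip, mac in [("10.0.3.1", "0001-0001-0001"), ("10.0.3.2", "0001-0001-0002"),
                    ("10.0.3.3", "0001-0001-0003")]:
        t.send_request(ip)
        out[ip] = t.receive(ArpPacket("reply", ip, mac, 3, "GE1/0/10"))
    # 4.4.2: each entry-check mode against a reply that claims 10.0.3.1 with another MAC
    spoof = ArpPacket("reply", "10.0.3.1", "0bad-0bad-0bad", 3, "GE1/0/10")
    for mode in ("fixed-mac", "fixed-all", "send-ack"):
        m = ArpTable(entry_check=mode)
        m.receive(ArpPacket("reply", "10.0.3.1", "0001-0001-0001", 3, "GE1/0/10"))
        out[mode] = m.receive(spoof)
        if mode == "fixed-mac":   # same MAC on another port is still allowed
            out["fixed-mac-move"] = m.receive(ArpPacket("reply", "10.0.3.1", "0001-0001-0001", 3, "GE1/0/11"))
        if mode == "send-ack":
            out["send-ack-confirmed"] = m.ack_result("10.0.3.1", current_owner_answered=True)
            out["send-ack-mac"] = m.entries["10.0.3.1"].mac
    return out
```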

4.4.3 Preventing the ARP Gateway Duplicate Attack


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack gateway-duplicate enable

The ARP anti-attack function for preventing ARP packets with the bogus gateway address is
enabled.
After this function is enabled, the ARP packets with the bogus gateway address on an interface
of the S9300 are not broadcast to other interfaces. By default, this function is disabled on the
S9300.
----End

4.4.4 Preventing the Man-in-the-Middle Attack


Context
To prevent man-in-the-middle attacks, you can configure the S9300 to check ARP packets. If
the packets received on the interface or the interface in a VLAN match the binding table, the
packets are forwarded; otherwise, the packets are discarded.
In addition, you can configure the alarm function. When the number of discarded packets exceeds
the threshold, an alarm is generated.
NOTE

Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses
a static IP address, you need to configure the binding entry of the user manually. A DHCP snooping binding
entry consists of the IP address, MAC address, interface number, and VLAN ID of a user.
For the configuration of DHCP snooping, see 3.3.2 Enabling DHCP Snooping. For the configuration of
a static binding entry, see 5.3.2 (Optional) Configuring a Static User Binding Entry.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
arp anti-attack check user-bind enable


The IP source guard function is enabled on the interface.


By default, the interfaces or the interfaces in a VLAN are not enabled with the IP source guard
function.
Step 4 In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

Or in the VLAN view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

The check items of ARP packets are configured.


By default, the check items consist of IP address, MAC address, VLAN, and interface. The
packets that do not match the binding table are discarded.
Step 5 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm enable

The alarm function for the discarded ARP packets is enabled.


By default, the alarm function is disabled.
Step 6 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm threshold threshold

The alarm threshold of the number of ARP packets discarded because they do not match the
binding table is set.
By default, the alarm threshold is the same as the threshold set by the arp anti-attack check
user-bind alarm threshold command run in the system view. If the alarm threshold is not set in
the system view, the default threshold on the interface is 100.
----End
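An added example (mine, not the guide's) of the check in Steps 3 to 6: an ARP packet is forwarded only when some binding entry agrees with it on every configured check item, and a counter raises an alarm each time the discarded packets reach the threshold (default 100). The binding for 10.1.1.1 is the static entry from the DHCP snooping example; the second binding, the attacker packets and the view rule I assume (the interface is always implied in the interface view, the VLAN in the VLAN view) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class UserBind:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    interface: str
    vlan: int


class ArpUserBindCheck:
    """arp anti-attack check user-bind on one interface or one VLAN (simplified model)."""

    ALLOWED = {"interface": {"ip-address", "mac-address", "vlan"},
               "vlan": {"ip-address", "mac-address", "interface"}}
    FIELD = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan", "interface": "interface"}

    def __init__(self, bindings: Iterable[UserBind], view: str,
                 check_items: Iterable[str] = (), alarm_threshold: int = 100):
        allowed = self.ALLOWED[view]
        items = set(check_items) or allowed        # default: every item is checked
        if not items <= allowed:
            raise ValueError(f"{sorted(items - allowed)} is not a check item in the {view} view")
        implied = "interface" if view == "interface" else "vlan"   # assumption: always compared
        self.fields = [self.FIELD[i] for i in items | {implied}]
        self.bindings = list(bindings)
        self.threshold = alarm_threshold           # ... alarm threshold threshold
        self.dropped = 0
        self.alarms = 0

    def check(self, p: ArpPacket) -> bool:
        """True = forward, False = discard (counted toward the alarm threshold)."""
        got = {"ip": p.sender_ip, "mac": p.sender_mac, "interface": p.interface, "vlan": p.vlan}
        ok = any(all(getattr(b, f) == got[f] for f in self.fields) for b in self.bindings)
        if not ok:
            self.dropped += 1
            if self.dropped % self.threshold == 0:
                self.alarms += 1
        return ok


def bind_check_example():
    bindings = [UserBind("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20),   # static entry from the example
                UserBind("10.1.1.2", "0001-0002-0004", "GE1/0/0", 20)]   # constructed DHCP binding
    client = ArpPacket("10.1.1.2", "0001-0002-0004", "GE1/0/0", 20)
    mitm = ArpPacket("10.1.1.2", "0bad-0bad-0bad", "GE1/0/0", 20)       # claims the client's IP
    moved = ArpPacket("10.1.1.2", "0001-0002-0004", "GE1/0/5", 20)      # valid pair, wrong port
    strict = ArpUserBindCheck(bindings, "interface", alarm_threshold=2)
    loose = ArpUserBindCheck(bindings, "vlan", check_items={"ip-address", "mac-address"})
    return {
        "client": strict.check(client),              # True
        "mitm": strict.check(mitm),                  # False
        "mitm-again": strict.check(mitm),            # False, second drop reaches threshold 2
        "alarms": strict.alarms,                     # 1
        "moved-default": ArpUserBindCheck(bindings, "vlan").check(moved),   # False: port checked
        "moved-ip-mac-only": loose.check(moved),     # True: port no longer a check item
    }
```

Dropping interface from the check items, as the last result shows, lets a valid IP/MAC pair be claimed from any port in the VLAN, which is why the default keeps all items.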

4.4.5 Configuring ARP Proxy on a VPLS Network


Context
To prevent attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network,
you can configure ARP proxy on the S9300 to process the PW-side ARP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp over-vpls enable

ARP proxy is enabled on the S9300 of a VPLS network.


By default, ARP proxy is disabled on the S9300 of a VPLS network.
On a VPLS network, after the arp over-vpls enable command is run on the S9300, ARP packets
on the PW are sent to the main control board for processing.

- If the ARP packets are ARP request packets and the destination IP address of the packets
  matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets
  before sending them to the requester of the PW. The attacks caused by PW-side ARP packets
  broadcast to the AC on a VPLS network are thus prevented.
- If the ARP packets are not ARP request packets, or the packets are ARP request packets but
  the destination IP address of the packets does not match any entry in the DHCP snooping
  binding table, the ARP packets are forwarded normally.

The arp over-vpls enable command needs to be used with DHCP snooping over VPLS because
the DHCP snooping binding table is used. For the configuration of DHCP snooping over VPLS,
see 3.3.2 Enabling DHCP Snooping.
----End
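The decision rule above (answer PW-side ARP requests from the DHCP snooping binding table, forward everything else) as an added Python model. This is not S9300 software or Huawei code; the binding table, IP addresses and MAC addresses are constructed for the example, and the ArpPacket/handle_pw_arp names are assumptions.

```python
# Added example (not S9300 code): models the forwarding decision the guide describes
# for "arp over-vpls enable". The binding table and packets below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "0000-0000-0000"


# Constructed DHCP snooping binding table (IP -> MAC), as it would be populated
# from DHCP ACK messages seen by DHCP snooping over VPLS.
BINDINGS: Dict[str, str] = {
    "10.1.1.2": "0001-0001-0002",
    "10.1.1.3": "0001-0001-0003",
}


def handle_pw_arp(pkt: ArpPacket, bindings: Dict[str, str] = BINDINGS) -> Tuple[str, ArpPacket]:
    """Decide what the PE does with an ARP packet that arrived from the PW side.

    Returns ("reply", reply_packet) when the PE answers on behalf of the AC-side host
    whose IP is in the binding table, so the request is never flooded to the AC.
    Returns ("forward", pkt) for every other packet (normal forwarding).
    """
    if pkt.opcode == ARP_REQUEST and pkt.target_ip in bindings:
        reply = ArpPacket(
            opcode=ARP_REPLY,
            sender_ip=pkt.target_ip,
            sender_mac=bindings[pkt.target_ip],
            target_ip=pkt.sender_ip,
            target_mac=pkt.sender_mac,
        )
        return "reply", reply
    return "forward", pkt


def process_pw_traffic(packets: List[ArpPacket], bindings: Dict[str, str] = BINDINGS) -> Dict[str, int]:
    """Count how many PW-side packets were answered locally vs. flooded to the AC."""
    counts = {"reply": 0, "forward": 0}
    for pkt in packets:
        action, _ = handle_pw_arp(pkt, bindings)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Constructed PW-side traffic: a burst of requests for a bound host (answered
    # locally), one request for an unknown host and one reply (both forwarded).
    burst = [ArpPacket(ARP_REQUEST, "10.1.1.100", "00aa-00aa-0001", "10.1.1.2")] * 50
    burst.append(ArpPacket(ARP_REQUEST, "10.1.1.100", "00aa-00aa-0001", "10.1.1.99"))
    burst.append(ArpPacket(ARP_REPLY, "10.1.1.100", "00aa-00aa-0001", "10.1.1.2", "0001-0001-0002"))
    print(process_pw_traffic(burst))  # {'reply': 50, 'forward': 2}
```

The point to notice is the dependency the guide states: only hosts whose DHCP ACK has been snooped can be answered locally, so a request for an address that is not in the table is still flooded, which is why DHCP snooping over VPLS must be enabled together with this command.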

4.4.6 Configuring DHCP to Trigger ARP Learning


Context
This task is performed to enable DHCP-triggered ARP learning. When the DHCP server assigns
an IP address to the user, the S9300 obtains the MAC address of the user and generates the ARP
entry corresponding to the IP address after responding to DHCP ACK messages. In this manner,
the S9300 does not need to learn ARP entries of the user hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.


Step 3 Run:
arp learning dhcp-trigger

The S9300 is configured to learn ARP entries according to the DHCP ACK message received
on the VLANIF interface, and to discard ARP request packets for querying the destination host
of the network segment of the interface.
By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages. When
the traffic passes, ARP learning is triggered.
NOTE

To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on
the VLANIF interface.

If the DHCP user and DHCP server are located on the same network segment, you cannot use the arp
learning dhcp-trigger command.

----End
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets


Context
If a large number of gratuitous ARP packets are sent to attack the S9300, the S9300 cannot
process valid ARP packets. You can configure the S9300 to discard the gratuitous ARP packets.
The function of discarding gratuitous ARP packets can be enabled in the system view or the
VLANIF interface view.
- If the function is enabled in the system view, all the interfaces of the S9300 discard the
gratuitous ARP packets.
- If the function is enabled in the VLANIF interface view, the VLANIF interface discards
the gratuitous ARP packets.
- Before enabling an interface to discard gratuitous ARP packets, you do not need to enable
the function globally.

Procedure
- Enabling the function of discarding gratuitous ARP packets globally
1. Run:
system-view

The system view is displayed.

2. Run:
arp anti-attack gratuitous-arp drop

The S9300 is enabled to discard gratuitous ARP packets.
By default, the S9300 does not discard gratuitous ARP packets.
- Enabling the function of discarding gratuitous ARP packets on a VLANIF interface
1. Run:
system-view

The system view is displayed.

2. Run:
interface vlanif interface-number

The VLANIF interface view is displayed.
Generally, this function is enabled on the user-side interface.

3. Run:
arp anti-attack gratuitous-arp drop

The interface is enabled to discard gratuitous ARP packets.
By default, the interfaces of the S9300 do not discard gratuitous ARP packets.
----End

4.4.8 Enabling Log and Alarm Functions for Potential Attacks


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack log-trap-timer time

Log and alarm functions are enabled for potential attacks.


time specifies the interval for writing an ARP log and sending an alarm. By default, the value is
0, indicating that log and alarm functions are disabled.
----End

4.4.9 Checking the Configuration


Prerequisite
The configurations of ARP anti-attack are complete.

Procedure
- Run the display arp anti-attack configuration { entry-check | gateway-duplicate | log-trap-timer | all } command to check the configuration of ARP anti-attack.
- Run the display arp anti-attack gateway-duplicate item command to check information
about bogus gateway address attacks on the network.
- Run the display arp anti-attack check user-bind interface interface-type interface-number
command to check the configuration of the binding table for checking ARP packets.

----End

Example
Run the display arp anti-attack configuration all command, and you can view the
configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)

Run the display arp anti-attack gateway-duplicate item command, and you can view
information about bogus gateway address attack on the network.
<Quidway> display arp anti-attack gateway-duplicate item
interface              IP address    MAC address      VLANID   aging time
-------------------------------------------------------------------------------
GigabitEthernet1/0/1   2.1.1.1       0000-0000-0002   2        153
GigabitEthernet1/0/1   2.1.1.1       0000-0000-0004   2        179
-------------------------------------------------------------------------------
There are 2 records in gateway conflict table

Run the display arp anti-attack check user-bind interface interface-type interface-number
command, and you can view the configuration of the binding table for checking ARP packets.
<Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0


arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
ARP packet drop count = 10

4.5 Suppressing Transmission Rate of ARP Packets


This section describes how to suppress the transmission rate of the ARP packets.
4.5.1 Establishing the Configuration Task
4.5.2 Configuring Source-based ARP Suppression
4.5.3 Configuring Source-based ARP Miss Suppression
4.5.4 Setting the Suppression Time of ARP Miss Messages
4.5.5 Suppressing Transmission Rate of ARP Packets
4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore,
it is required to configure ARP suppression features on the access layer or convergence layer to
ensure network security.
- To prevent excessive ARP packets from increasing the CPU workload and occupying
excessive ARP entries, you can suppress the transmission rate of ARP packets. The rate of
ARP packets sent to the main control board is then limited.
- To prevent a host from sending excessive IP packets whose destination IP addresses cannot
be resolved, you can suppress the source IP address that sends the packets, that is, configure
suppression on the ARP Miss source. These IP packets are then discarded.
- After the IP source guard function is enabled on an interface, all the ARP packets passing
through the interface are forwarded to the security module for checking. If excessive ARP
packets are sent to the security module, its performance is affected. In this case, you can
suppress the transmission rate of the ARP packets; the packets that exceed the configured
rate are discarded.

Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and
enabling the link-layer protocol

Data Preparation
To configure ARP suppression, you need the following data.
No.   Data
1     Maximum transmission rate of the ARP packets sent by a specified source IP address
2     (Optional) Source IP address and maximum transmission rate of the ARP packets sent by
      a specified source IP address
3     Maximum transmission rate of the ARP Miss packets sent by a specified source IP address
4     (Optional) Source IP address and maximum transmission rate of the ARP Miss packets
      sent by a specified source IP address
5     Maximum transmission rate of the ARP packets sent to the security module
6     (Optional) Alarm threshold of the number of ARP packets discarded because they exceed
      the transmission rate

4.5.2 Configuring Source-based ARP Suppression


Context
Some users may have special requirements; you can therefore set a suppression rate for ARP
packets from a specified source IP address that differs from the rate applied to packets from all
other source IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp speed-limit source-ip maximum maximum

The suppression rate of ARP packets is set.


Step 3 (Optional) Run:
arp speed-limit source-ip ip-address maximum maximum

The suppression rate of ARP packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP packets with a
specified source IP address is the value specified by maximum in step 3, and the suppression
rate of ARP packets with other source IP addresses is the value specified by maximum in step
2.
If the suppression rate of ARP packets is set to 0, it indicates that ARP packets are not suppressed.
By default, the suppression rate of ARP packets is 5 pps.
----End
4.5.3 Configuring Source-based ARP Miss Suppression


Context
Some users may have special requirements; you can therefore set a suppression rate for ARP
Miss packets from a specified source IP address that differs from the rate applied to ARP Miss
packets from all other source IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp-miss speed-limit source-ip maximum maximum

The suppression rate of ARP Miss packets is set.


Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum

The suppression rate of ARP Miss packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP Miss packets with
a specified source IP address is the value specified by maximum in step 3, and the suppression
rate of ARP Miss packets with other source IP addresses is the value specified by maximum in
step 2.
If the suppression rate of ARP Miss packets is set to 0, ARP Miss packets are not suppressed.
By default, the suppression rate of ARP Miss packets is 5 pps.
----End

4.5.4 Setting the Suppression Time of ARP Miss Messages


Context
After the VLANIF interface receives IP unicast packets for an unreachable destination, the packets
are sent to the CPU of the main control board because no ARP entry corresponding to the packets
is found in the forwarding table. This triggers the main control board to learn ARP entries: it
sends ARP broadcast request packets and generates fake ARP entries, which it delivers to the
LPU. While the LPU holds a fake ARP entry, it does not send further ARP Miss messages for that
destination. If the main control board does not learn a valid ARP entry, it deletes the fake ARP
entry; ARP Miss messages are then sent again and ARP learning is triggered again.
By default, the fake ARP entry is aged and deleted after five seconds. That is, by default, ARP
Miss messages for the same destination are not sent to the CPU of the main control board within
five seconds. A large number of fake ARP entries on the S9300 indicates that the S9300 is being
attacked with packets to unresolvable destinations. In this case, you can adjust the suppression
time, that is, the interval at which ARP Miss messages for the same destination are sent, to reduce
the number of such messages and the CPU usage of the main control board.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.


Step 3 Run:
arp-miss suppress suppress-time

The suppression time for the S9300 to send ARP Miss messages is set.
By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds.
----End
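The fake-entry holddown described in this section, as an added Python model (not S9300 software or Huawei code). It shows how many ARP Miss messages reach the main control board for one host flooding an unresolvable destination, with the default suppression time of 5 seconds and with a longer one. The class and function names, the 192.0.2.9 destination and the packet rate are constructed for the example.

```python
# Added example (not S9300 code): models the ARP Miss holddown the guide describes.
# Times are integer milliseconds; suppress_time_s plays the role of the value set
# with "arp-miss suppress suppress-time" (default 5 seconds).
from typing import Dict, Set, Tuple


class ArpMissSuppressor:
    def __init__(self, suppress_time_s: int = 5):
        self.suppress_ms = suppress_time_s * 1000
        self.fake_entries: Dict[str, int] = {}   # dst IP -> fake-entry expiry (ms)
        self.resolved: Set[str] = set()          # dst IPs with a valid ARP entry
        self.miss_count = 0                      # ARP Miss messages sent to the main board
        self.suppressed = 0                      # packets absorbed by a live fake entry

    def on_ip_packet(self, dst_ip: str, now_ms: int) -> str:
        """Handle one IP unicast packet arriving on the VLANIF interface."""
        if dst_ip in self.resolved:
            return "forwarded"                   # a real ARP entry exists
        expiry = self.fake_entries.get(dst_ip)
        if expiry is not None and now_ms < expiry:
            self.suppressed += 1                 # LPU holds a fake entry: no ARP Miss
            return "suppressed"
        # No live fake entry: an ARP Miss goes to the main control board, which
        # broadcasts an ARP request and installs a fake entry for suppress_time.
        self.miss_count += 1
        self.fake_entries[dst_ip] = now_ms + self.suppress_ms
        return "arp-miss"

    def on_arp_learned(self, ip: str) -> None:
        """A valid ARP reply arrived: the fake entry is replaced by a real one."""
        self.resolved.add(ip)
        self.fake_entries.pop(ip, None)


def simulate_unreachable_flood(suppress_time_s: int, duration_s: int = 12, pps: int = 100) -> Tuple[int, int]:
    """One host sends pps packets/s to an address that never resolves.

    Returns (ARP Miss messages sent to the CPU, packets absorbed by fake entries).
    """
    s = ArpMissSuppressor(suppress_time_s)
    step_ms = 1000 // pps
    for i in range(duration_s * pps):
        s.on_ip_packet("192.0.2.9", i * step_ms)   # 192.0.2.9: constructed, unreachable
    return s.miss_count, s.suppressed


if __name__ == "__main__":
    print("suppress-time 5 s :", simulate_unreachable_flood(5))    # (3, 1197)
    print("suppress-time 20 s:", simulate_unreachable_flood(20))   # (1, 1199)
```

With the default holddown, a 12-second flood to one unresolvable address costs the CPU three ARP Miss messages (at 0, 5 and 10 seconds); lengthening the suppression time reduces that further, at the price of a slower recovery when the destination does become reachable, since a real entry only replaces the fake one after a valid ARP reply arrives.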

4.5.5 Suppressing Transmission Rate of ARP Packets


Context
Before configuring the global ARP suppression, ensure that the IP source guard function is
enabled on the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp anti-attack rate-limit enable

The transmission rate of ARP packets is limited.


By default, ARP suppression is disabled globally.
Step 3 Run:
arp anti-attack rate-limit limit

The threshold for transmission rate of ARP packets is set.


After the threshold is set, the excessive packets are discarded. By default, the threshold for the
transmission rate of ARP packets is 100 pps.
Step 4 (Optional) Run:
arp anti-attack rate-limit alarm enable

The alarm function for the ARP packets discarded because the transmission rate is exceeded is
enabled.
By default, the alarm function is disabled.
Step 5 (Optional) Run:
arp anti-attack rate-limit alarm threshold threshold

The alarm threshold of the number of ARP packets discarded because the transmission rate is
exceeded is set.
By default, the alarm threshold of discarded ARP packets is 5.
----End
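Sections 4.5.2, 4.5.3 and 4.5.5 all describe the same mechanism with different scopes: a per-second packet budget, a per-source override, a rate of 0 meaning "not suppressed", and a drop counter that feeds an alarm threshold and the log-trap timer of 4.4.8. The added Python model below (not S9300 software or Huawei code) puts those rules together and runs them with the values from the example in 4.7.1. The alarm policy (raise one alarm when the drops since the last alarm reach the threshold, and at most one alarm per timer interval) is an assumption about how the switch combines the threshold and the timer; the 2.2.3.2 and 2.2.9.9 source addresses are constructed.

```python
# Added example (not S9300 code): models source-based ARP / ARP Miss rate
# suppression with per-IP overrides, the "rate 0 means disabled" rule, drop
# counting, an alarm threshold and a log/trap interval. The alarm policy is an
# assumption (one alarm per interval once drops since the last alarm reach the threshold).
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class ArpSpeedLimiter:
    def __init__(self, default_max_pps: int = 5, per_ip_max: Optional[Dict[str, int]] = None,
                 alarm_threshold: int = 5, log_trap_timer_s: int = 0):
        self.default_max_pps = default_max_pps        # the "Others" row in display output
        self.per_ip_max = dict(per_ip_max or {})      # arp speed-limit source-ip <ip> maximum
        self.alarm_threshold = alarm_threshold
        self.log_trap_timer_s = log_trap_timer_s      # 0 = log and alarm disabled
        self._window_counts: Dict[Tuple[str, int], int] = defaultdict(int)
        self.dropped_per_ip: Dict[str, int] = defaultdict(int)
        self.total_dropped = 0
        self.alarms: List[Tuple[float, int]] = []     # (time, total dropped at alarm)
        self._last_alarm_time: Optional[float] = None
        self._dropped_at_last_alarm = 0

    def limit_for(self, src_ip: str) -> int:
        return self.per_ip_max.get(src_ip, self.default_max_pps)

    def offer(self, src_ip: str, now_s: float) -> bool:
        """Return True if the packet is passed to the main control board, False if dropped."""
        limit = self.limit_for(src_ip)
        if limit == 0:
            return True                       # rate 0: suppression disabled for this source
        key = (src_ip, int(now_s))            # one-second window, so the limit is in pps
        if self._window_counts[key] < limit:
            self._window_counts[key] += 1
            return True
        self.dropped_per_ip[src_ip] += 1
        self.total_dropped += 1
        self._maybe_alarm(now_s)
        return False

    def _maybe_alarm(self, now_s: float) -> None:
        if self.log_trap_timer_s == 0:
            return
        if self.total_dropped - self._dropped_at_last_alarm < self.alarm_threshold:
            return
        if self._last_alarm_time is not None and now_s - self._last_alarm_time < self.log_trap_timer_s:
            return
        self.alarms.append((now_s, self.total_dropped))
        self._last_alarm_time = now_s
        self._dropped_at_last_alarm = self.total_dropped


def burst(limiter: ArpSpeedLimiter, src_ip: str, pps: int, start_s: float = 0.0) -> Tuple[int, int]:
    """Send pps packets from src_ip evenly within one second; return (accepted, dropped)."""
    accepted = 0
    for i in range(pps):
        if limiter.offer(src_ip, start_s + i / pps):
            accepted += 1
    return accepted, pps - accepted


def example_from_section_4_7_1() -> Dict[str, Tuple[int, int]]:
    """Values from the 4.7.1 example: 300 pps for all sources, 200 pps for 2.2.4.2,
    log-trap-timer 30 s. The 2.2.9.9 entry with rate 0 is constructed to show the
    'not suppressed' rule."""
    lim = ArpSpeedLimiter(default_max_pps=300, per_ip_max={"2.2.4.2": 200, "2.2.9.9": 0},
                          alarm_threshold=5, log_trap_timer_s=30)
    return {
        "2.2.4.2": burst(lim, "2.2.4.2", 500),          # (200, 300): per-IP override
        "2.2.3.2": burst(lim, "2.2.3.2", 500),          # (300, 200): falls back to "Others"
        "2.2.9.9": burst(lim, "2.2.9.9", 500),          # (500, 0): rate 0, not suppressed
        "alarms": (len(lim.alarms), lim.total_dropped),  # (1, 500): one alarm per 30 s
    }


if __name__ == "__main__":
    for name, value in example_from_section_4_7_1().items():
        print(f"{name:10s} {value}")
```

Two things a reviewer of such a configuration should check follow directly from the model: a per-source rate of 0 silently exempts that source from suppression, and with log-trap-timer at its default of 0 the drop counters still advance but no log or trap is ever emitted, so the dropping is invisible to monitoring.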

4.5.6 Checking the Configuration


Prerequisite
The configurations of the limitation on ARP transmission rate are complete.

Procedure
- Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speed-limit | all } command to view the configuration of ARP source suppression.

----End

Example
Run the display arp anti-attack configuration all command, and you can view the
configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.3          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.2          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
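When many switches have to be audited, the output above is more useful parsed than read. The added Python parser below (not S9300 software or Huawei code) turns the text of display arp anti-attack configuration all into a dictionary and flags the two settings that weaken the defence: a source with suppression disabled (rate 0) and a log-trap-timer of 0. SAMPLE_OUTPUT is the guide's example output re-typed as constructed input; the function names are assumptions.

```python
# Added example (not S9300 code): parses "display arp anti-attack configuration all"
# output into a dictionary for configuration auditing. SAMPLE_OUTPUT is the
# guide's example output, re-typed here as constructed input.
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.3          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.1          200
10.0.0.2          300
10.0.0.8          0
2.1.1.10          1000
Others            500
------------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
"""

# A table row: a dotted-quad IP address or the literal "Others", then the rate.
_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|Others)\s+(\d+)\s*$")


def parse_arp_anti_attack(text: str) -> Dict[str, object]:
    """Parse the display output into global settings plus the two per-source tables."""
    result: Dict[str, object] = {
        "entry_check_mode": None,
        "gateway_duplicate": None,
        "log_trap_timer_s": None,
        "arp_speed_limit": {},
        "arp_miss_speed_limit": {},
    }
    table = None                                   # which rate table we are inside
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ARP anti-attack entry-check mode:\s*(\S+)", line)
        if m:
            result["entry_check_mode"] = m.group(1)
            continue
        m = re.match(r"ARP gateway-duplicate anti-attack function:\s*(\S+)", line)
        if m:
            result["gateway_duplicate"] = m.group(1) == "enabled"
            continue
        m = re.match(r"ARP anti-attack log-trap-timer:\s*(\d+)", line)
        if m:
            result["log_trap_timer_s"] = int(m.group(1))   # "30seconds" -> 30
            continue
        if line.startswith("ARP speed-limit for source-IP"):
            table = "arp_speed_limit"
            continue
        if line.startswith("ARP miss speed-limit for source-IP"):
            table = "arp_miss_speed_limit"
            continue
        m = _ROW.match(line)
        if m and table:
            result[table][m.group(1)] = int(m.group(2))
    return result


def audit(cfg: Dict[str, object]) -> List[str]:
    """Findings a reviewer would raise: suppression disabled for a source (rate 0)
    and log/trap reporting disabled (timer 0)."""
    findings: List[str] = []
    for table in ("arp_speed_limit", "arp_miss_speed_limit"):
        for ip, rate in cfg[table].items():
            if rate == 0:
                findings.append(f"{table}: suppression disabled for {ip}")
    if not cfg["log_trap_timer_s"]:
        findings.append("log-trap-timer is 0: ARP attack logs and alarms are disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_arp_anti_attack(SAMPLE_OUTPUT)):
        print(finding)
```

On the guide's own output the audit reports 10.0.0.8 twice, once per table, since its rate is 0 in both the ARP and the ARP Miss configuration.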

4.6 Maintaining ARP Security


This section describes how to maintain ARP security.
4.6.1 Displaying the Statistics About ARP Packets
4.6.2 Clearing the Statistics on ARP Packets
4.6.3 Clearing the Statistics on Discarded ARP Packets
4.6.4 Debugging ARP Packets

4.6.1 Displaying the Statistics About ARP Packets


Procedure
- Run the display arp packet statistics [ slot slot-id ] command to view the statistics on
ARP packets.

----End

Example
Run the display arp packet statistics command, and you can view the statistics on ARP packets.
<Quidway> display arp packet statistics
ARP Pkt Received:               sum 25959
ARP Learnt Count:               sum 3
ARP Pkt Discard For Limit:      sum 0
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other:      sum 23

4.6.2 Clearing the Statistics on ARP Packets


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the
command.
Run the following command in the user view to clear the statistics.

Procedure
- Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP
packets.

----End

4.6.3 Clearing the Statistics on Discarded ARP Packets


Context

CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the
command.
To clear the statistics on discarded ARP packets, run the following commands in the user view.

Procedure
- Run the reset arp anti-attack statistics check user-bind { global | interface interface-type
interface-number } command to clear the statistics on the packets discarded because they do
not match the binding table.
- Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the
ARP packets discarded because the transmission rate exceeds the limit.

----End

4.6.4 Debugging ARP Packets


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
If a running fault occurs, run the following debugging commands in the user view to locate the
fault.

Procedure
- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ]
command to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ]
command to debug the processing of ARP packets.

----End

4.7 Configuration Examples


This section provides several configuration examples of ARP security.
4.7.1 Example for Configuring ARP Security Functions
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks
4.7.1 Example for Configuring ARP Security Functions


Networking Requirements
As shown in Figure 4-1, the S9300 is connected to a server through GE 1/0/3 and is connected
to four users in VLAN 10 and VLAN 20 through GE 1/0/1 and GE 1/0/2. There are the following
ARP attacks on the network:
- The server may send several packets with an unreachable destination IP address, and the
number of these packets is larger than the number of packets from common users.
- After User 1 is infected by a virus, it sends a large number of ARP packets. Among these
packets, the source IP address of some ARP packets changes within the local network segment,
and the source IP address of other ARP packets is the same as the IP address of the gateway.
- User 3 constructs a large number of ARP packets with a fixed IP address to attack the
network.
- User 4 constructs a large number of ARP packets with an unreachable destination IP address
to attack the network.

It is required that ARP security functions be configured on the S9300 to prevent the preceding
attacks. The suppression rate of ARP Miss packets set on the server should be greater than the
suppression rate of other users.
Figure 4-1 Networking diagram for configuring ARP security functions
[Figure: the S9300 connects to the Server through GE1/0/3, to VLAN10 through GE1/0/1 and to
VLAN20 through GE1/0/2; User1, User2, User3 and User4 are attached to these two VLANs]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation
To complete the configuration, you need the following data:
- Number of limited ARP entries on the interface being 20
- Anti-spoofing mode used to prevent attacks initiated by User 1 being fixed-mac
- IP address of the server being 2.2.2.2/24
- IP address of User 4 that sends a large number of ARP packets being 2.2.4.2/24
- Maximum suppression rate for ARP packets of User 4 being 200 pps and maximum
suppression rate for ARP packets of other users being 300 pps
- Maximum suppression rate for ARP Miss packets of common users being 400 pps and
maximum suppression rate for ARP Miss packets on the server being 1000 pps
- Interval for writing an ARP log and sending an alarm being 30 seconds

Procedure
Step 1 Enable strict ARP learning.
<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure interface-based ARP entry restriction.


# The number of limited ARP entries on each interface is 20. The following lists the configuration
of GE 1/0/1, and the configurations of other interfaces are the same as the configuration of GE
1/0/1.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp-limit vlan 10 maximum 20
[Quidway-GigabitEthernet1/0/1] quit

Step 3 Enable the ARP anti-spoofing function.


# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by
User 1.
[Quidway] arp anti-attack entry-check fixed-mac enable

Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address.
# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway
address to prevent User 1 from sending ARP packets with the bogus gateway address.
[Quidway] arp anti-attack gateway-duplicate enable

Step 5 Configure the rate suppression function for ARP packets.


# Set the suppression rate for ARP packets sent by User 4 (2.2.4.2) to 200 pps. To prevent any
user from sending a large number of ARP packets, set the system-wide suppression rate for ARP
packets to 300 pps.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 200

Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from
sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 400

# Set the suppression rate for ARP Miss packets from the server to 1000 pps. This limits the
server if it sends a large number of IP packets with an unreachable destination IP address, while
allowing the server a higher rate of such packets than common users so that its normal
communication is not disrupted.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000

Step 7 Enable log and alarm functions for potential attacks.


[Quidway] arp anti-attack log-trap-timer 30

Step 8 Verify the configuration.


After the configuration, run the display arp learning strict command, and you can view
information about strict ARP learning.
<Quidway> display arp learning strict
The global configuration:arp learning strict
interface                          LearningStrictState
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Total:0        force-enable:0        force-disable:0

You can use the display arp-limit command to check the maximum number of ARP entries
learned by the interface.
<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface               LimitNum    VlanID    LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet1/0/1    20          10        0
---------------------------------------------------------------------------
Total:1

You can use the display arp anti-attack configuration all command to check the configuration
of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.4.2           200
Others            300
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
2.2.2.2           1000
Others            400
------------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.

You can use the display arp packet statistics command to view the number of discarded ARP
packets and the number of learned ARP entries. In addition, you can also use the display arp
anti-attack gateway-duplicate item command to view information about attacks from the
packets with the forged gateway address on the current network.
<Quidway> display arp packet statistics
ARP Pkt Received:               sum 167
ARP Learnt Count:               sum 8
ARP Pkt Discard For Limit:      sum 5
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other:      sum 3

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 300
arp-miss speed-limit source-ip maximum 400
arp learning strict
arp anti-attack log-trap-timer 30
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
arp speed-limit source-ip 2.2.4.2 maximum 200
#
interface GigabitEthernet 1/0/1
port hybrid pvid vlan 10
port hybrid tagged vlan 10
arp-limit vlan 10 maximum 20
#
interface GigabitEthernet 1/0/2
port hybrid pvid vlan 20
port hybrid tagged vlan 20
arp-limit vlan 20 maximum 20
#
interface GigabitEthernet 1/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
arp-limit vlan 30 maximum 20
#
return

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks


Networking Requirements
As shown in Figure 4-2, two users are connected to the S9300 through GE 1/0/1 and GE 1/0/2
respectively. Assume that the user connected to GE 1/0/2 is an attacker. To prevent
man-in-the-middle attacks, you can configure the IP source guard function. After the IP source
guard function is configured on the S9300, the S9300 checks the IP packets according to the
binding table. Only the IP packets that match the content of the binding table can be forwarded;
the other IP packets are discarded. In addition, you can enable the alarm function for discarded
packets.
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks
[Figure: the Server and the S9300; the Client is connected to GE1/0/1 (IP 10.0.0.1/24,
MAC 1-1-1, VLAN ID 10) and the Attacker to GE1/0/2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2
- Check items: IP address + MAC address
- Alarm threshold of the number of discarded ARP packets: 80
- IP address of the client configured in the static binding table: 10.0.0.1/24; MAC address:
1-1-1; VLAN ID: 10

Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to the client.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to the attacker.


[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure the static binding table.


# Configure Client in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
interface gigabitethernet 1/0/1 vlan 10

Step 3 Configure the alarm function for discarded packets.


# Set the alarm threshold of the ARP packets discarded because they do not match the binding
table.
[Quidway] arp anti-attack check user-bind alarm threshold 80

Step 4 Verify the configuration.


Run the display this command, and you can view the global alarm threshold set for the ARP
packets discarded because they do not match the binding table. The alarm threshold takes effect
on all interfaces.
<Quidway> display this
#
arp anti-attack check user-bind alarm threshold 80

Run the display arp anti-attack check user-bind interface command, and you can view the
configuration of the IP source guard function on the interface.
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 0
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 20

The preceding information indicates that GE 1/0/1 does not discard ARP packets, whereas GE
1/0/2 has discarded ARP packets. It indicates that the anti-attack function takes effect.
----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
arp anti-attack check user-bind alarm threshold 80
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
gigabitethernet 1/0/1 vlan 10
#
interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
#
interface gigabitethernet 1/0/2

arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
#
return
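The check that this example configures, as an added Python model (not S9300 software or Huawei code): ARP packets on interfaces where the user-bind check is enabled are compared against the binding table using the configured check items, mismatches are counted per interface, and an alarm is raised when the count reaches the global threshold of 80. The binding entry and the client's addresses are the example's own; the attacker's MAC address, the class and function names and the alarm wording are constructed.

```python
# Added example (not S9300 code): models "arp anti-attack check user-bind" with
# check-item ip-address mac-address and the global alarm threshold from 4.7.2.
# The binding entry is the example's; the attacker MAC address is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpFrame:
    ingress: str      # interface the ARP packet arrived on
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class UserBindChecker:
    bindings: List[Binding]
    check_items: Set[str] = field(default_factory=lambda: {"ip-address", "mac-address"})
    enabled_interfaces: Set[str] = field(default_factory=set)
    alarm_threshold: int = 100          # the guide's default when no global value is set
    drop_count: Dict[str, int] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def _matches(self, frame: ArpFrame, b: Binding) -> bool:
        """A binding matches when every configured check item agrees with the frame."""
        checks = {
            "ip-address": frame.sender_ip == b.ip,
            "mac-address": frame.sender_mac == b.mac,
            "vlan": frame.vlan == b.vlan,
            "interface": frame.ingress == b.interface,
        }
        return all(checks[item] for item in self.check_items)

    def inspect(self, frame: ArpFrame) -> bool:
        """Return True if the ARP packet is forwarded, False if it is discarded."""
        if frame.ingress not in self.enabled_interfaces:
            return True                        # check not enabled on this interface
        if any(self._matches(frame, b) for b in self.bindings):
            return True
        n = self.drop_count.get(frame.ingress, 0) + 1
        self.drop_count[frame.ingress] = n
        if n == self.alarm_threshold:          # alarm once the threshold is reached
            self.alarms.append(f"{frame.ingress}: {n} ARP packets dropped (binding mismatch)")
        return False


def run_scenario(attacker_packets: int = 20) -> UserBindChecker:
    """Client on GE1/0/1 sends valid ARP; the attacker on GE1/0/2 claims the client's IP."""
    chk = UserBindChecker(
        bindings=[Binding("10.0.0.1", "0001-0001-0001", "GigabitEthernet1/0/1", 10)],
        enabled_interfaces={"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"},
        alarm_threshold=80,
    )
    for _ in range(5):
        chk.inspect(ArpFrame("GigabitEthernet1/0/1", 10, "10.0.0.1", "0001-0001-0001"))
    for _ in range(attacker_packets):          # 00bb-00bb-00bb: constructed attacker MAC
        chk.inspect(ArpFrame("GigabitEthernet1/0/2", 10, "10.0.0.1", "00bb-00bb-00bb"))
    return chk


if __name__ == "__main__":
    chk = run_scenario(20)
    for intf in sorted(chk.enabled_interfaces):
        print(f"{intf}: ARP packet drop count = {chk.drop_count.get(intf, 0)}")
    print("alarms:", chk.alarms)
```

Running it reproduces the verification output of the example: drop count 0 on GE 1/0/1 and 20 on GE 1/0/2, and no alarm until the 80th drop. The model also makes one caveat of the configured check items visible: with ip-address and mac-address only, a binding is not tied to a port, so an ARP packet carrying the client's exact IP and MAC pair would pass on GE 1/0/2 as well; adding interface (or vlan) to the check items closes that gap.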

5 Source IP Attack Defense Configuration

About This Chapter


This chapter describes the principles and configuration of defense against source IP address attacks.
5.1 Overview of IP Source Guard
This section describes the principle of the IP source Guard.
5.2 IP Source Guard Features Supported by the S9300
This section describes how the IP Source Guard feature is supported in the S9300.
5.3 Configuring IP Source Guard
This section describes how to configure IP source guard.
5.4 Configuring IP Source Trail
This section describes how to configure IP source trail.
5.5 Configuring URPF
This section describes how to configure URPF.
5.6 Maintaining Source IP Attack Defense
This section describes how to maintain source IP attack defense.
5.7 Configuration Examples
This section provides configuration examples of IP source guard, IP source trail, and URPF.

5.1 Overview of IP Source Guard


This section describes the principle of the IP source Guard.
Source IP address spoofing is a common network attack: an attacker impersonates a valid user and sends IP packets to a server, or forges the source IP address of other users in its own communication. As a result, valid users cannot obtain normal network services. To counter such attacks, the S9300 provides the following methods:
- IP Source Guard
- IP Source Trail
- URPF (Unicast Reverse Path Forwarding)

IP Source Guard
IP source guard filters IP packets on interfaces so that invalid packets cannot pass through them, which improves the security of the interfaces.
The attacker sends a packet carrying the IP address and MAC address of an authorized user to
the server. The server considers the attacker as an authorized user and learns the IP address and
MAC address. The actual user, however, cannot obtain service from the server. Figure 5-1 shows
the diagram of IP/MAC spoofing attack.
Figure 5-1 Diagram of IP/MAC spoofing attack: DHCP server (IP 1.1.1.1/24, MAC 1-1-1) connected to the S9300; DHCP client (IP 1.1.1.3/24, MAC 3-3-3); attacker (IP 1.1.1.2/24, MAC 2-2-2) sending packets with the client's source IP 1.1.1.3/24 and MAC 3-3-3

To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the
S9300. Then the S9300 matches the IP packets reaching an interface with the entries in the
binding table. If the packets match entries in the binding table, the packets can pass through the
interface; otherwise, the packets are discarded.

IP Source Trail
IP source trail is a DoS defense measure: once traffic to a host is judged to be an attack, the function traces the attack source so that countermeasures can be taken. Attack sources are identified from traffic statistics collected by destination IP address (the victim), source IP address, and inbound interface of the packets.
The main process of the IP Source Trail function is as follows:
1. After confirming that a user is under attack, configure the IP Source Trail function for the IP address of that user.
2. The CPU of the LPU collects statistics about packets whose destination address is the victim IP address. The statistics are sent to the CPU of the main control board regularly or on request of the main control board.
3. The main control board confirms the attack source based on the received statistics. The administrator then configures an ACL with the deny action on the interface directly connected to the suspected attack source.

URPF
Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking packets with bogus source addresses.
As shown in Figure 5-2, S9300-A forges packets with the source address 2.1.1.1 and sends a request to S9300-B. S9300-B sends its response to the real owner of 2.1.1.1, S9300-C. In this way, S9300-A attacks both S9300-B and S9300-C with the forged packets.
Figure 5-2 Diagram of the URPF function: S9300-A (1.1.1.1/24), sending packets with the forged source address 2.1.1.1/24, is connected to S9300-B, which is connected to S9300-C (2.1.1.1/24)

When a packet arrives at a URPF-enabled interface, URPF takes the source address and inbound interface of the packet and looks up the source address in the forwarding table. If an entry is found, URPF compares the outbound interface of that entry with the inbound interface of the packet. If the two differ, the packet is discarded. In this way, URPF protects the network against attacks that rely on forged source addresses.

5.2 IP Source Guard Features Supported by the S9300


This section describes how the IP Source Guard feature is supported in the S9300.

IP Source Guard
The IP Source Guard feature checks IP packets against the binding table, which records the source IP address, source MAC address, and VLAN of each user. The S9300 can check IP packets based on the following combinations:
- IP+MAC
- IP+VLAN
- IP+MAC+VLAN
- ...

NOTE
IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from users.

The S9300 provides two binding mechanisms:
- After DHCP snooping is enabled for DHCP users, the binding table is generated dynamically for those users.
- When users use static IP addresses, you need to configure the binding table by running commands.
NOTE
For the configuration of DHCP snooping, see 3 DHCP Snooping Configuration.

IP Source Trail
NOTE
Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.
- The IP source trail feature of the S9300 is based on destination IP addresses. IP Source Trail is configured according to the IP address of the attacked user. The CPU of the LPU collects statistics about packets whose destination address is that user IP address; the statistics are sent to the CPU of the main control board regularly or made available when the main control board requests them.
- Global querying of IP Source Trail statistics is supported. The global query provides a brief mode and a detailed mode:
  - In brief mode, the source address, source interface, total traffic (number of bytes and packets), and average rate (bps and pps) of the traffic over a period of time are displayed.
  - In detailed mode, the current rate, the maximum rate, and the start and end time of the traffic (the query time is displayed if the traffic has not ended when queried) are displayed in addition to the brief-mode information.
- Querying IP Source Trail statistics per board is supported. When statistics are queried per board, the main control board finds the cached result for the destination IP address and displays the records from the specified board in brief mode.

URPF
URPF functions only on inbound interfaces of the S9300. If URPF is enabled on an interface, the URPF check is performed on packets received by that interface.
The S9300 supports two URPF check modes: strict check and loose check.
- Strict check: The source address of a packet must exist in the FIB table of the S9300, and the packet is forwarded only when the outbound interface of the matching entry is the same as the inbound interface of the packet. Otherwise, the packet is dropped.
- Loose check: The source address of a packet must exist in the FIB table of the S9300, but the packet is forwarded regardless of whether the outbound interface of the matching entry is the same as the inbound interface of the packet.

NOTE
The S9300 can check both the source IPv4 addresses and source IPv6 addresses of packets arriving at the inbound interface.

5.3 Configuring IP Source Guard


This section describes how to configure IP source guard.
5.3.1 Establishing the Configuration Task
5.3.2 (Optional) Configuring a Static User Binding Entry
5.3.3 Enabling IP Source Guard
5.3.4 Configuring the Check Items of IP Packets
5.3.5 Checking the Configuration

5.3.1 Establishing the Configuration Task


Applicable Environment
After the IP source guard function is configured on the S9300, the S9300 checks the IP packets
according to the binding table. Only the IP packets that match the content of the binding table
can be forwarded; the other IP packets are discarded.

Pre-configuration Tasks
Before configuring IP source guard, complete the following task:
- 3.3.2 Enabling DHCP Snooping, if there are DHCP users

Data Preparation
To configure IP source guard, you need the following data.
No.  Data
1    (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2    Type and number of the interface enabled with the IP source guard function
5.3.2 (Optional) Configuring a Static User Binding Entry

Context
For users with statically assigned IP addresses, the S9300 cannot learn their MAC addresses or generate binding entries automatically before forwarding their data, so you must create the binding entries manually.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
user-bind static { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address }* [ interface interface-type interface-number | vlan vlan-id [ cevlan vlan-id ] ]*

A static user binding entry is configured.


----End

5.3.3 Enabling IP Source Guard


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an
Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
ip source check user-bind enable

The IP source guard function is enabled on the interface or in the VLAN.

By default, IP source guard is not enabled on the interfaces of the S9300 or on the interfaces in a VLAN.
----End

5.3.4 Configuring the Check Items of IP Packets

Context
After the function of checking IP packets is enabled, the S9300 checks the received IP packets
against the binding table. The check items include the source IPv4 address, source IPv6 address,
source MAC address, VLAN ID, and interface number.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an
Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.


Step 3 In the interface view, run:
ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address
| vlan }*

Or in the VLAN view, run:


ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address
| interface }*

The check items of IP packets are configured.


When receiving an IP packet, the interface checks the IP packet according to the check items,
including the source IPv4 or IPv6 address, source MAC address, VLAN, or the combination of
these three items. If the IP packet matches the binding table according to the check items, the
packet is forwarded; otherwise, the packet is discarded.
By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID,
and interface number.
NOTE

This command is valid only for dynamic binding entries.

----End

5.3.5 Checking the Configuration


Prerequisite
The configurations of IP source guard are complete.
Procedure
Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } * } command to view information about the binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number
command to view the configuration of the IP source guard function on the interface.
----End

5.4 Configuring IP Source Trail


This section describes how to configure IP source trail.
5.4.1 Establishing the Configuration Task
5.4.2 Configuring IP Source Trail Based on the Destination IP Address
5.4.3 Checking the Configuration

5.4.1 Establishing the Configuration Task


Applicable Environment
When a user host is under attack, you can configure IP source trail on the S9300 connected to
the host to trace the attack source and take defense measures after confirming the attack source.

CAUTION
If the NetStream function is enabled on the S9300, the IP source trail function cannot be
configured. To enable the IP source trail function, you must disable the NetStream function first.
If the IP source trail function is enabled, the NetStream function cannot be enabled.
For the configuration of the NetStream function, see NetStream Configuration in the Quidway
S9300 Terabit Routing Switch Configuration Guide - Network Management.

Pre-configuration Tasks
Before configuring IP source trail, complete the following tasks:
- Setting link layer protocol parameters and IP addresses for the interfaces to ensure that the link layer protocol on the interfaces is Up
- Ensuring that the NetStream function is disabled on the S9300

Data Preparation
To configure IP source trail, you need the following data.
No.  Data
1    Destination IP address of the attacked user host

5.4.2 Configuring IP Source Trail Based on the Destination IP Address

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip source-trail ip-address ip-address

IP source trail based on the destination IP address is configured.


----End

5.4.3 Checking the Configuration


Prerequisite
The configurations of IP source trail are complete.

Procedure
- Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.

----End

Example
Run the display ip source-trail command, and you can view the statistics on IP source trail.
<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
198.19.1.8       GE2/0/1    5.151M     114.681K   5.222M    14.534K
198.19.1.11      GE2/0/1    4.825M     107.420K   5.223M    14.535K
198.19.1.7       GE2/0/1    4.433M     98.708K    5.223M    14.537K
198.19.1.5       GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE2/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE2/0/1    1001.083K  21.762K    5.248M    14.605K
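The brief-mode output above lists every source that sent traffic to the victim, but step 3 of the tracing process (confirm the source, then apply a deny ACL on the interface facing it) still has to be done by hand. The following added Python example, which is not Huawei code, parses a dump in the column layout shown here (SrcAddr, SrcIF, Bytes, Pkts, Bits/s, Pkts/s), ranks sources by packet rate and aggregates the rate per inbound interface. It assumes the columns are whitespace-separated and that the K/M/G suffixes are decimal multipliers; the guide does not state the base. SAMPLE_OUTPUT is constructed from the figures in the 5.7.2 example.

```python
"""Parse brief-mode "display ip source-trail" output and rank attack sources.

Added example, not Huawei code. Assumes the column layout shown in the guide
and decimal K/M/G multipliers (an assumption). SAMPLE_OUTPUT is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Destination Address: 10.0.0.3
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
192.10.1.11      GE1/0/2    4.825M     107.420K   5.223M    14.535K
101.1.1.17       GE2/0/1    4.433M     98.708K    5.223M    14.537K
101.1.1.5        GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE3/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE3/0/1    1001.083K  21.762K    5.248M    14.605K
"""

_MULTIPLIER = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class TrailRecord:
    src_addr: str
    src_if: str
    total_bytes: float
    total_pkts: float
    bps: float
    pps: float


def parse_quantity(text: str) -> float:
    """Convert a value such as '5.151M' or '21.762K' to a plain number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if m is None:
        raise ValueError(f"unrecognised quantity: {text!r}")
    return float(m.group(1)) * _MULTIPLIER[m.group(2)]


def parse_source_trail(output: str) -> Tuple[Optional[str], List[TrailRecord]]:
    """Return (victim address, records) from one display ip source-trail dump."""
    victim: Optional[str] = None
    records: List[TrailRecord] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination Address:"):
            victim = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # Data rows have six columns and start with a source IPv4 address;
        # the header row and the dashed separator do not.
        if len(parts) != 6 or not _IPV4.match(parts[0]):
            continue
        records.append(TrailRecord(parts[0], parts[1],
                                   *(parse_quantity(p) for p in parts[2:])))
    return victim, records


def rank_sources(records: List[TrailRecord], min_pps: float = 10_000.0) -> List[TrailRecord]:
    """Sources at or above min_pps, highest packet rate first."""
    return sorted((r for r in records if r.pps >= min_pps),
                  key=lambda r: r.pps, reverse=True)


def pps_by_interface(records: List[TrailRecord]) -> Dict[str, float]:
    """Aggregate packet rate per inbound interface: where a deny ACL would go."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r.src_if] = totals.get(r.src_if, 0.0) + r.pps
    return totals


def busiest_interface(records: List[TrailRecord]) -> Optional[str]:
    """Inbound interface carrying the most attack packets per second."""
    totals = pps_by_interface(records)
    return max(totals, key=totals.get) if totals else None


if __name__ == "__main__":
    victim, recs = parse_source_trail(SAMPLE_OUTPUT)
    print(f"victim {victim}: {len(recs)} sources")
    for r in rank_sources(recs):
        print(f"  {r.src_addr:15s} via {r.src_if:8s} {r.pps:10.0f} pps")
    print("busiest inbound interface:", busiest_interface(recs))
```

The per-interface total is the figure to look at before writing the ACL: on the constructed sample, GE3/0/1 carries the highest aggregate rate even though no single source behind it is the largest by bytes.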


5.5 Configuring URPF


This section describes how to configure URPF.
5.5.1 Establishing the Configuration Task
5.5.2 Enabling URPF
5.5.3 Setting the URPF Check Mode on an Interface
5.5.4 (Optional) Disabling URPF for the Specified Traffic
5.5.5 Checking the Configuration

5.5.1 Establishing the Configuration Task


Applicable Environment
To prevent source address spoofing attacks on a network, you can configure URPF to check
whether the source IP address of a packet matches the incoming interface. If the source IP address
matches the incoming interface, the source IP address is considered as valid and the packets are
allowed to pass; otherwise, the source IP address is considered as pseudo and the packets are
discarded.

Pre-configuration Tasks
Before configuring URPF, complete the following task:
- Setting link layer protocol parameters and IP addresses for the interfaces to ensure that the link layer protocol on the interfaces is Up

Data Preparation
To configure URPF, you need the following data.
No.  Data
1    Slot number of the LPU where URPF needs to be enabled
2    Type and number of the interface
3    URPF check mode

5.5.2 Enabling URPF


Context
You can perform URPF configurations on an interface only after enabling global URPF on an
LPU.
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
urpf slot slot-number

URPF is enabled on an LPU.


By default, URPF is disabled on an LPU.
----End

5.5.3 Setting the URPF Check Mode on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The URPF check function can be configured on GE interfaces and Eth-Trunks of the S9300.
NOTE

URPF needs to be configured on the physical interface. This is because URPF is implemented on the
physical interface.

Step 3 Run:
urpf { loose | strict } [ allow-default-route ]

The URPF check mode is configured on the interface.


The allow-default-route parameter determines how URPF treats a default route:
- If allow-default-route is not specified and the source address of a packet does not exist in the FIB table, the packet is discarded in both strict and loose mode, even if a default route matches it.
- If allow-default-route is specified and the source address of a packet does not exist in the FIB table:
  - In strict mode, the packet passes the URPF check and is forwarded if the outbound interface of the default route is the same as the inbound interface of the packet; otherwise, the packet is discarded.
  - In loose mode, the packet passes the URPF check and is forwarded regardless of whether the outbound interface of the default route is the same as the inbound interface of the packet.

----End
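The strict and loose modes and the allow-default-route rules above, worked through as an added Python model (not Huawei's code or the switch's implementation). The FIB, prefixes and interface names are constructed for the Figure 5-5 topology (ISP on GE1/0/0, user network on GE2/0/0, default route towards the ISP); the model is IPv4 only. Besides the default-route cases, it shows the two trade-offs a practitioner has to weigh: loose mode lets a user spoof any address that has some route (here an ISP-side address), and strict mode drops legitimate traffic that arrives over an asymmetric path.

```python
"""Model of the URPF decision: strict/loose mode and allow-default-route.

Added example, not Huawei code. FIB, prefixes and interface names are
assumptions constructed for the Figure 5-5 topology; IPv4 only.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outbound interface)

FIB: List[Route] = [
    ("1.1.1.0/24", "GE1/0/0"),   # ISP-side network (assumed)
    ("2.1.1.0/24", "GE2/0/0"),   # user network (assumed)
    ("0.0.0.0/0", "GE1/0/0"),    # default route towards the ISP (assumed)
]


def lookup(fib: List[Route], src_ip: str) -> Optional[Route]:
    """Longest-prefix match of src_ip in the FIB; None if nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Route] = None
    best_len = -1
    for prefix, oif in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, oif), net.prefixlen
    return best


def urpf_check(fib: List[Route], src_ip: str, in_if: str, mode: str,
               allow_default_route: bool = False) -> bool:
    """True if the packet passes URPF and may be forwarded, False if dropped."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown URPF mode {mode!r}")
    route = lookup(fib, src_ip)
    if route is None:
        return False                 # no route to the source at all
    prefix, oif = route
    if ipaddress.ip_network(prefix).prefixlen == 0 and not allow_default_route:
        return False                 # only the default route matched; not accepted
    if mode == "loose":
        return True                  # any route (or an allowed default) suffices
    return oif == in_if              # strict: reverse path must be the inbound interface


def run_scenarios() -> Dict[str, bool]:
    """Constructed packets: genuine user traffic plus spoofed sources on each side."""
    return {
        "user 2.1.1.5 on GE2/0/0, strict":
            urpf_check(FIB, "2.1.1.5", "GE2/0/0", "strict"),
        "spoofed 1.1.1.1 on GE2/0/0, strict":
            urpf_check(FIB, "1.1.1.1", "GE2/0/0", "strict"),
        # loose mode accepts any source that has some route, so a user
        # spoofing an ISP-side address gets through
        "spoofed 1.1.1.1 on GE2/0/0, loose":
            urpf_check(FIB, "1.1.1.1", "GE2/0/0", "loose"),
        "unrouted 9.9.9.9 on GE2/0/0, strict+default":
            urpf_check(FIB, "9.9.9.9", "GE2/0/0", "strict", True),
        "unrouted 9.9.9.9 on GE1/0/0, strict":
            urpf_check(FIB, "9.9.9.9", "GE1/0/0", "strict"),
        "unrouted 9.9.9.9 on GE1/0/0, strict+default":
            urpf_check(FIB, "9.9.9.9", "GE1/0/0", "strict", True),
        # asymmetric path: strict drops legitimate traffic, loose keeps it
        "user 2.1.1.5 arriving on GE1/0/0, strict":
            urpf_check(FIB, "2.1.1.5", "GE1/0/0", "strict"),
        "user 2.1.1.5 arriving on GE1/0/0, loose":
            urpf_check(FIB, "2.1.1.5", "GE1/0/0", "loose"),
    }


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{'forward' if passed else 'drop   '}  {name}")
```

On the user-facing interface the default route never helps an attacker in strict mode, because its outbound interface points at the ISP; on the ISP-facing interface, allow-default-route is what makes strict mode usable at all when the S9300 only has a default route for most of the Internet.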

5.5.4 (Optional) Disabling URPF for the Specified Traffic


Context
After the URPF function is enabled on an interface, the S9300 performs the URPF check on all
traffic passing through the interface. To prevent the packets of a certain type from being
discarded, you can disable the URPF check for these packets. For example, if the S9300 is
configured to trust all the packets from a certain server, the S9300 does not check these packets.
NOTE

Only the S9300 installed with an EA/EC/ED LPU supports this function.

To disable the URPF function, you need to run commands in the traffic behavior view and
associate the traffic behavior and a traffic classifier with a traffic policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.


Step 3 Run:
ip urpf disable

The URPF function is disabled.


By default, the URPF function is enabled in a traffic behavior.
After the URPF function is enabled on an interface, the S9300 performs the URPF check on all traffic passing through the interface. To exempt some traffic, run this command in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally or to a board, an interface, or a VLAN, the S9300 does not perform the URPF check on traffic that matches the traffic classifier rules.
For the configuration procedures of traffic classifier and traffic policy, see Class-based QoS
Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
----End

5.5.5 Checking the Configuration


Prerequisite
The configurations of URPF are complete.

Procedure
- Run the display this command in the interface view to check whether URPF is enabled on the current interface.

----End

Example
Run the display this command to check whether URPF is enabled on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
urpf loose allow-default-route
#
return

5.6 Maintaining Source IP Attack Defense


This section describes how to maintain source IP attack defense.
5.6.1 Clearing the Statistics on IP Source Trail

5.6.1 Clearing the Statistics on IP Source Trail


Context
After the reset command is run to clear the statistics on IP source trail, all statistical entries on IP source trail are empty when queried.

Procedure
- Run the reset ip source-trail command to clear all the statistics on IP source trail.
- Run the reset ip source-trail ip-address ip-address command to clear the statistics on IP source trail for one tracing instance.

----End

5.7 Configuration Examples


This section provides configuration examples of IP source guard, IP source trail, and URPF.
5.7.1 Example for Configuring IP Source Guard
5.7.2 Example for Configuring IP Source Trail
5.7.3 Example for Configuring URPF
5.7.1 Example for Configuring IP Source Guard


Networking Requirements
As shown in Figure 5-3, Host A is connected to the S9300 through GE 1/0/1 and Host B is connected to the S9300 through GE 1/0/2. You need to configure the IP source guard function on the S9300 so that Host B cannot forge the IP address and MAC address of Host A, and the IP packets from Host A can still reach the server.
Figure 5-3 Networking diagram for configuring IP source guard: the S9300 is connected to the server; Host A (IP 10.0.0.1/24, MAC 1-1-1) is connected to GE1/0/1; Host B, the attacker (IP 10.0.0.2/24, MAC 2-2-2), is connected to GE1/0/2 and sends packets with SIP 10.0.0.1/24 and SMAC 2-2-2

Configuration Roadmap
Assume that the user is configured with a static IP address. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure the check items of IP packets.
3. Configure a static binding entry.

Data Preparation
To complete the configuration, you need the following data:
- Interface connected to Host A: GE 1/0/1; interface connected to Host B: GE 1/0/2
- Check items: IP address and MAC address
- IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
- VLAN where Host A resides: VLAN 10


NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.

Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to Host A.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to Host B.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/2] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure a static binding entry.
# Add Host A to the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10

Step 3 Verify the configuration.


Run the display user-bind all command on the S9300 to view information about the binding table.
<Quidway> display user-bind all
bind-table:
ifname        vsi  O/I-vlan  mac-address     ip-address     tp  lease
-------------------------------------------------------------------------------
GE1/0/1       -    10/ --    0001-0001-0001  10.0.0.1       S   0
-------------------------------------------------------------------------------
Static binditem count:                1
Static binditem total count:          1

The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.
----End

Configuration Files
#
sysname Quidway
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
GigabitEthernet 1/0/1 vlan 10
#
interface GigabitEthernet 1/0/1
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
interface GigabitEthernet 1/0/2
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
return
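The check-item semantics of 5.3.4 and the Host A / Host B scenario of this example, modeled as an added Python example that is not Huawei's code or the switch's implementation. The binding table, packet fields and interface names are constructed for the illustration, and the model treats the interface as an ordinary check item because the guide does not state whether an interface-view check also implicitly matches the entry's interface. It shows two consequences the example above leaves implicit: Host B's own traffic is dropped as well, because it has no binding entry, and an attacker cloning both the IP and the MAC address of Host A passes an IP+MAC-only check unless the VLAN or interface is checked too.

```python
"""Model of the IP source guard check against a user binding table.

Added example, not Huawei code. Binding entries, packet fields and interface
names are constructed; treating the interface as a plain check item is an
assumption made for this model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Binding:
    """One binding-table entry (static, or generated by DHCP snooping)."""
    ip: str
    mac: str
    vlan: Optional[int]
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields of a received IP packet that IP source guard can check."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


# Default check items per the guide: IP address, MAC address, VLAN, interface.
ALL_ITEMS: FrozenSet[str] = frozenset({"ip-address", "mac-address", "vlan", "interface"})
IP_MAC: FrozenSet[str] = frozenset({"ip-address", "mac-address"})


def binding_matches(b: Binding, pkt: Packet, items: FrozenSet[str]) -> bool:
    """True when every selected check item of the packet agrees with the entry."""
    checks = {
        "ip-address": b.ip == pkt.src_ip,
        "mac-address": b.mac == pkt.src_mac,
        "vlan": b.vlan is None or b.vlan == pkt.vlan,
        "interface": b.interface == pkt.interface,
    }
    return all(checks[item] for item in items)


def guard_decision(pkt: Packet, table: Iterable[Binding],
                   guarded: FrozenSet[str], items: FrozenSet[str] = ALL_ITEMS) -> str:
    """Return "forward" or "drop" for a packet received on pkt.interface.

    Interfaces without IP source guard enabled forward everything unchecked;
    guarded interfaces forward only packets that match some binding entry.
    """
    if pkt.interface not in guarded:
        return "forward"
    return "forward" if any(binding_matches(b, pkt, items) for b in table) else "drop"


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: Host A bound on GE1/0/1, Host B (attacker) on GE1/0/2."""
    table = [Binding("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")]
    guarded = frozenset({"GE1/0/1", "GE1/0/2"})
    host_a = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")
    host_b_own = Packet("10.0.0.2", "0002-0002-0002", 10, "GE1/0/2")
    host_b_spoof_ip = Packet("10.0.0.1", "0002-0002-0002", 10, "GE1/0/2")
    host_b_spoof_ip_mac = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/2")
    unguarded = Packet("10.0.0.9", "0009-0009-0009", 10, "GE1/0/3")
    return {
        "host_a": guard_decision(host_a, table, guarded, IP_MAC),
        # Host B's own traffic has no binding entry, so it is dropped too.
        "host_b_own": guard_decision(host_b_own, table, guarded, IP_MAC),
        "spoof_ip": guard_decision(host_b_spoof_ip, table, guarded, IP_MAC),
        # With only IP+MAC checked, cloning both fields of Host A passes ...
        "spoof_ip_mac/ip-mac": guard_decision(host_b_spoof_ip_mac, table, guarded, IP_MAC),
        # ... but the default items also tie the entry to its interface.
        "spoof_ip_mac/all": guard_decision(host_b_spoof_ip_mac, table, guarded, ALL_ITEMS),
        "unguarded_port": guard_decision(unguarded, table, guarded, IP_MAC),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

If Host B's legitimate traffic is expected to pass, it needs its own binding entry (static, or learned through DHCP snooping); the guard does not distinguish "unknown host" from "spoofing host".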

5.7.2 Example for Configuring IP Source Trail


Networking Requirements
As shown in Figure 5-4, User A is connected to GE 1/0/1 on the S9300. It is required that IP
source trail be enabled on the S9300 so that the attack source can be traced after User A suffers
from DoS attacks.
Figure 5-4 Networking diagram for configuring IP source trail: User A (10.0.0.3) is connected to GE1/0/1 of the S9300, which is connected to the ISP

Configuration Roadmap
Configure IP source trail in the system view of the S9300.

Data Preparation
To complete the configuration, you need the following data:
- Interface connecting the S9300 and the user host: GE 1/0/1
- IP address of the attacked user host: 10.0.0.3

Procedure
Step 1 Configure IP source trail based on the destination IP address.
<Quidway> system-view
[Quidway] ip source-trail ip-address 10.0.0.3

Step 2 Verify the configuration.


Run the display ip source-trail ip-address ip-address command, and you can view the trace result for 10.0.0.3.
<Quidway> display ip source-trail ip-address 10.0.0.3
Destination Address: 10.0.0.3
SrcAddr          SrcIF      Bytes      Pkts       Bits/s    Pkts/s
----------------------------------------------------------------------
192.10.1.11      GE1/0/2    4.825M     107.420K   5.223M    14.535K
101.1.1.17       GE2/0/1    4.433M     98.708K    5.223M    14.537K
101.1.1.5        GE2/0/1    2.868M     63.861K    5.227M    14.546K
198.19.1.9       GE3/0/1    2.215M     49.339K    5.230M    14.553K
198.19.1.3       GE3/0/1    1001.083K  21.762K    5.248M    14.605K

----End

Configuration Files
#
sysname Quidway
#
ip source-trail ip-address 10.0.0.3
#
return

5.7.3 Example for Configuring URPF


Networking Requirements
As shown in Figure 5-5, the S9300 is connected to the router of the ISP through GE 1/0/0 and
is connected to the user network through GE 2/0/0. To protect the S9300 against the attack based
on the source address at the user side, you need to enable the URPF check function and matching
of the default route on the S9300.
Figure 5-5 Networking diagram for configuring URPF: the user network is connected to GE2/0/0 of the S9300 and the ISP to GE1/0/0

Configuration Roadmap
Enable URPF on user side interface GE 2/0/0 of the S9300.

Data Preparation
To complete the configuration, you need the following data:
- URPF strict check mode


NOTE

As shown in Figure 5-5, the networking of symmetric routes is adopted. URPF strict check is recommended
in the case of symmetric routes.

URPF takes effect only when unicast routing works normally. The following configuration procedure lists only URPF-related configurations; the configuration of IP addresses and unicast routes is omitted.

Procedure
Step 1 Enable URPF on an LPU.
<Quidway> system-view
[Quidway] urpf slot 2

Step 2 Set the URPF check mode on an interface.


[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] urpf strict allow-default-route

Step 3 Verify the configuration.


Run the display this command in the view of GE 2/0/0 to view the URPF configuration.
[Quidway-GigabitEthernet2/0/0] display this
#
interface GigabitEthernet2/0/0
urpf strict allow-default-route
#
return

----End

Configuration Files
#
sysname Quidway
#
urpf slot 2
#
interface GigabitEthernet2/0/0
urpf strict allow-default-route
#
return

6 Local Attack Defense Configuration

About This Chapter


This chapter describes the principle and configuration of local attack defense.
6.1 Overview of Local Attack Defense
This section describes the principle of the local attack defense.
6.2 Local Attack Defense Features Supported by the S9300
This section describes how the local attack defense feature is supported in the S9300.
6.3 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.
6.4 Configuring Attack Source Tracing
After the attack source tracing function is configured, the system can actively defend against
possible attack packets by analyzing whether packets directing at the CPU attack the CPU.
6.5 Maintaining the Attack Defense Policy
This section describes how to clear statistics about the attack sources and the packets sent to the
CPU.
6.6 Configuration Examples
This section provides several configuration examples of attack defense policy.


6.1 Overview of Local Attack Defense


This section describes the principle of the local attack defense.
With the growth of networks, users pose higher requirements for the security of the network and of network devices. A large number of packets, including malicious attack packets, are sent to the Central Processing Unit (CPU) of a device. These packets raise CPU usage, degrade system performance, and affect service provisioning. Malicious packets aimed at the CPU keep it busy processing attack traffic for a long period, so normal services are interrupted and the system may even fail.
To protect the CPU and let it process and respond to normal services, the packets sent to the CPU must be limited: for example, by filtering and classifying the packets sent to the CPU, limiting their number and rate, and setting their priority. Packets that do not conform to the configured rules are discarded directly so that the CPU can process normal services.
The local attack defense feature of the S9300 is designed specifically for packets destined for the CPU. It protects the S9300 from attacks and ensures that existing services keep running normally while an attack is in progress.

6.2 Local Attack Defense Features Supported by the S9300


This section describes how the local attack defense feature is supported in the S9300.
The S9300 implements the local attack defense feature through the following methods:
- Whitelist
A whitelist is a group of valid users or users with high priority. You define the whitelist through ACLs; packets matching the whitelist are sent to the CPU first, which protects existing services and high-priority user services. Valid users that access the system normally and users with high priority can be added to the whitelist.
- Blacklist
A blacklist is a group of invalid users. You define the blacklist through ACL rules; packets matching the blacklist are discarded. Invalid users that are involved in attacks can be added to the blacklist.
- User-defined flows
You can bind ACL rules to user-defined flows. When an unknown attack occurs on the network, you can flexibly specify the characteristics of the attack data flow and rate-limit or discard the packets that match those characteristics.
- CAR
Committed access rate (CAR) sets the rate at which classified packets are sent to the CPU. You can set the committed information rate (CIR, also called the average rate) and the committed burst size (CBS). By setting different CAR rules for different packet types, you reduce the interference between packet types and protect the CPU. CAR can also limit the total rate of packets sent to the CPU: when the total rate exceeds the upper limit, the system discards the excess packets, avoiding CPU overload.
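The following Python model is an added example, not Huawei code and not the S9300's implementation. It shows how a whitelist, a blacklist, user-defined flows and CAR combine for one packet headed to the CPU, with CAR modelled as a token bucket. Assumptions, also marked in the comments: ACLs are reduced to lists of source prefixes; the whitelist is evaluated before the blacklist and bypasses CAR and deny (the page states the bypass but not the order); CIR is in kbit/s, since the page's example treats cir 5000 as 5 Mbit/s, and CBS is in bytes; the 64/10000 default CAR for ARP is a constructed value, not the S9300's actual default.

```python
"""Model of an S9300-style local attack defense policy (added example, not Huawei code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple, Union


@dataclass
class TokenBucket:
    """One CAR instance: the bucket refills at CIR and never holds more than CBS.

    Unit assumptions: CIR in kbit/s (the page treats 'cir 5000' as 5 Mbit/s),
    CBS in bytes.
    """
    cir_kbps: int
    cbs_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)  # the bucket starts full

    def admit(self, now: float, size: int) -> bool:
        refill = (now - self.last_t) * self.cir_kbps * 1000 / 8  # bytes earned since last packet
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_t = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False  # over CIR/CBS: the packet is dropped before reaching the CPU


Action = Union[TokenBucket, str]      # a CAR bucket, or the literal "deny"
Packet = Tuple[float, str, str, int]  # (time, source IP, packet type, size in bytes)


@dataclass
class CpuDefendPolicy:
    """ACLs are reduced to lists of source prefixes in this model."""
    whitelist: List[str]
    blacklist: List[str]
    flows: Dict[int, List[str]]          # user-defined-flow id -> ACL prefixes
    flow_actions: Dict[int, Action]      # flow id -> car bucket or "deny"
    default_car: Dict[str, TokenBucket]  # packet-type -> default CAR (constructed values)

    @staticmethod
    def _match(acl: List[str], src: str) -> bool:
        return any(ip_address(src) in ip_network(p) for p in acl)

    def decide(self, now: float, src: str, ptype: str, size: int) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet destined for the CPU."""
        # Assumption: whitelist is checked before blacklist (the page does not give
        # the order); whitelisted packets bypass CAR and deny, which the page does state.
        if self._match(self.whitelist, src):
            return "pass", "whitelist"
        if self._match(self.blacklist, src):
            return "drop", "blacklist"
        for fid, acl in self.flows.items():
            if self._match(acl, src):
                act = self.flow_actions.get(fid)
                if act == "deny":
                    return "drop", f"deny user-defined-flow {fid}"
                if isinstance(act, TokenBucket):
                    ok = act.admit(now, size)
                    return ("pass" if ok else "drop"), f"car user-defined-flow {fid}"
                break  # flow matched but carries no car/deny rule: use the default CAR
        bucket = self.default_car[ptype]
        return ("pass" if bucket.admit(now, size) else "drop"), f"default car {ptype}"


def run(policy: CpuDefendPolicy, packets: Iterable[Packet]) -> Dict[str, Dict[str, int]]:
    """Tally pass/drop counts per reason, in the spirit of display cpu-defend statistics."""
    stats: Dict[str, Dict[str, int]] = {}
    for now, src, ptype, size in packets:
        verdict, reason = policy.decide(now, src, ptype, size)
        stats.setdefault(reason, {"pass": 0, "drop": 0})[verdict] += 1
    return stats


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed traffic mirroring the chapter's net1/net2/net3 example."""
    policy = CpuDefendPolicy(
        whitelist=["1.1.1.0/24"],
        blacklist=["3.3.3.0/24"],
        flows={1: ["2.2.2.0/24"]},
        flow_actions={1: TokenBucket(cir_kbps=5000, cbs_bytes=940000)},
        default_car={"arp": TokenBucket(cir_kbps=64, cbs_bytes=10000)},
    )
    packets: List[Packet] = []
    packets += [(0.0, "1.1.1.5", "arp", 1500)] * 10    # net1: whitelisted, never limited
    packets += [(0.0, "3.3.3.9", "arp", 64)] * 10      # net3: blacklisted, always dropped
    packets += [(0.0, "2.2.2.7", "arp", 1000)] * 1000  # net2: 1 MB burst against CBS 940000
    packets += [(0.0, "4.4.4.4", "arp", 64)] * 200     # unclassified ARP: default CAR
    packets += [(1.0, "4.4.4.4", "arp", 64)] * 200     # one second later: 8000 bytes refilled
    return run(policy, packets)
```

The demo traffic mirrors the net1/net2/net3 example later in this chapter: the net2 burst that exceeds the CBS of 940000 bytes is trimmed to 940 packets, and the second burst of default-CAR ARP one second later admits only the 8000 bytes that a 64 kbit/s CIR refills. This is the behaviour behind the Drop(Packets) column of display cpu-defend statistics, and it is why the CBS, not only the CIR, decides how much of a short flood reaches the CPU.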

6.3 Configuring the Attack Defense Policy


This section describes how to configure the attack defense policy.
6.3.1 Establishing the Configuration Task
6.3.2 Creating an Attack Defense Policy
6.3.3 Configuring the Whitelist
6.3.4 Configuring the Blacklist
6.3.5 Configuring User-Defined Flows
6.3.6 Configuring the Rule for Sending Packets to the CPU
6.3.7 Applying the Attack Defense Policy
6.3.8 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
When a large number of users access the S9300, the CPU of the S9300 may be attacked by the
packets sent by attackers or the CPU needs to process a large number of packets.

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks.
- Connecting interfaces and setting the physical parameters of each interface so that the physical layer is Up
- (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible plug-in card on the main control board

Data Preparation
To configure an attack defense policy, you need the following data.
1. Number and description of the attack defense policy
2. Numbers and rules of the ACLs used by the whitelist, blacklist and user-defined flows
3. Number of the user-defined flow
4. CIR and CBS of the packets sent to the CPU
5. Number of the LPU to which the attack defense policy is applied

6.3.2 Creating an Attack Defense Policy


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.


Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.


----End

6.3.3 Configuring the Whitelist


Context
You can create a whitelist and add users matching the specific characteristic to the whitelist.
The system allows the packets of whitelist users to pass through and first forwards the packets
of whitelist users. The CAR and deny cannot be configured for the packets of whitelist users.
The S9300 supports the flexible setting of the whitelist through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
whitelist whitelist-id acl acl-number

The user-defined whitelist is created.


The ACL used by the whitelist can be a basic ACL, an advanced ACL, or a layer 2 ACL. For
details on ACL configuration, see 11.3 Configuring an ACL.
By default, no whitelist is configured on the S9300.
----End

6.3.4 Configuring the Blacklist


Context
You can create a blacklist and add users matching the specific characteristic into the blacklist.
The packets sent from the users in the blacklist are discarded by default. The S9300 supports
the flexible setting of the blacklist through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
blacklist blacklist-id acl acl-number

A customized blacklist is created.


The ACL used by the blacklist can be a basic ACL, an advanced ACL, or a layer 2 ACL. For
the configuration procedure, see 11.3 Configuring an ACL.
By default, no blacklist is configured on the S9300.
----End

6.3.5 Configuring User-Defined Flows


Context
The S9300 supports the binding of the user-defined flow to the ACL rule. When unknown attacks
emerge on the network, the S9300 can flexibly identify the characteristics of the attack data
flows and limit the data flows that match the specified characteristic.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
user-defined-flow flow-id acl acl-number

The ACL rule of the user-defined flow is set.


The S9300 has eight user-defined flows. By default, no ACL rule is configured for user-defined
flows.
The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a layer 2
ACL. For the configuration procedure, see 11.3 Configuring an ACL.
----End

6.3.6 Configuring the Rule for Sending Packets to the CPU


Context
NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the
latest setting takes effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 (Optional) Run:
car { packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ]

CAR is configured for packets destined for the CPU and the rate threshold is set.
Step 4 (Optional) Run:
deny { packet-type packet-type | user-defined-flow flow-id }

The action performed for the packets destined for the CPU is set to deny.
By default, the CAR is set on the S9300 for packets destined for the CPU. The default CAR can
be viewed through the display cpu-defend configuration command.
----End

6.3.7 Applying the Attack Defense Policy


Context
The attack defense policy can be applied to the main control board or all the LPUs in the system
view or to the specified LPU in the slot view.
NOTE

When the attack defense policy is applied to LPUs, the cpu-defend-policy command is run in either the system view or the slot view, but not both. If cpu-defend-policy has been run in the system view with global specified, it cannot be run in the slot view; likewise, if cpu-defend-policy has been run in the slot view, cpu-defend-policy with global cannot be run in the system view.

Procedure
- Applying the attack defense policy in the system view


1.

Run:
system-view

The system view is displayed.


2.

Run:
cpu-defend-policy policy-number [ global ]

An attack defense policy is applied.

- If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application.
- If you specify global in the command, the attack defense policy is applied on all the LPUs.

- Applying the attack defense policy in the slot view


1.

Run:
system-view

The system view is displayed.


2.

Run:
slot slot-id

The slot view is displayed.


3.

Run:
cpu-defend-policy policy-number

An attack defense policy is applied.


The attack defense policy applied in the slot view takes effect only to the LPU in this
slot.
----End

6.3.8 Checking the Configuration


Procedure
- Run the display cpu-defend policy command to view information about the attack defense policy.
- Run the display cpu-defend [ packet-type ] statistics [ all | slot slot-id ] command to view statistics about packets destined for the CPU.

----End

Example
Run the display cpu-defend policy 8 command to view the information about attack defense
policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
Related slot : <4>
Configuration :
Car user-defined-flow 1 : CIR(64) CBS(10000)
Car user-defined-flow 2 : CIR(64) CBS(10000)
Car user-defined-flow 3 : CIR(64) CBS(10000)
Car user-defined-flow 4 : CIR(64) CBS(10000)
Car user-defined-flow 5 : CIR(64) CBS(10000)
Car user-defined-flow 6 : CIR(64) CBS(10000)
Car user-defined-flow 7 : CIR(64) CBS(10000)
Car user-defined-flow 8 : CIR(64) CBS(10000)

Run the display cpu-defend tcp statistics slot 4 command to view statistics about TCP packets destined for the CPU.
<Quidway> display cpu-defend tcp statistics slot 4
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type    Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
tcp            0              0              0                0
-------------------------------------------------------------------------------

6.4 Configuring Attack Source Tracing


After the attack source tracing function is configured, the system can actively defend against
possible attack packets by analyzing whether packets directing at the CPU attack the CPU.
6.4.1 Establishing the Configuration Task
6.4.2 Creating an Attack Defense Policy
6.4.3 Enabling the Automatic Attack Source Tracing
6.4.4 Configuring the Threshold of Attack Source Tracing
6.4.5 (Optional) Configuring the Attack Source Alarm Function
6.4.6 Applying the Attack Defense Policy
6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
A large number of attack packets may target the CPUs of devices on the network. Attack source tracing is a means of proactive defense: it analyzes the packets destined for the CPU, identifies the sources whose packet rate exceeds a threshold, and records a log or sends a trap so that the possible attack sources can be dealt with.

Pre-configuration Tasks
Before configuring attack source tracing, complete the following tasks.
- Connecting interfaces and setting the physical parameters of each interface so that the physical layer is Up
- (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible plug-in card on the main control board

Data Preparation
To configure attack source tracing, you need the following data.
1. Number and description of the attack defense policy
2. Rate checking threshold in attack source tracing
3. Rate alarm threshold in attack source tracing
4. Number of the LPU to which the attack defense policy is applied

6.4.2 Creating an Attack Defense Policy


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.


Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.


----End

6.4.3 Enabling the Automatic Attack Source Tracing


Context
Automatic attack source tracing must be enabled before the other tracing parameters, such as the checking threshold and the alarm threshold, can be configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
auto-defend enable

The automatic attack source tracing function is enabled.


----End

6.4.4 Configuring the Threshold of Attack Source Tracing


Context
After the threshold of attack source tracing is configured, a log is recorded when the number of packets sent by a possible attack source in a given period exceeds the threshold. The S9300 supports source tracing of the ARP, DHCP, and IGMP packets sent to the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
auto-defend threshold threshold-value

The threshold of attack source tracing is configured.


By default, the threshold of attack source tracing is set to 128 pps.
----End

6.4.5 (Optional) Configuring the Attack Source Alarm Function


Context
After the attack source alarm function is enabled, a trap is sent to the Network Management
System (NMS) when the number of packets sent by the possible attack source in a given period
exceeds the alarm threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.


Step 3 Run:
auto-defend alarm enable

The attack source alarm function is enabled.


Step 4 Run:
auto-defend alarm threshold threshold-value

The threshold of the attack source alarm function is set.


By default, the threshold of the attack source alarm function is set to 128 pps.
----End
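The steps in 6.4.3 to 6.4.5 enable tracing, set the log threshold and optionally the alarm threshold. The following Python detector is an added example, not Huawei code, that models what those three settings do to a stream of CPU-bound packets and produces rows shaped like the display auto-defend attack-source output in 6.4.7. Assumptions, also marked in the comments: the "given period" is a 1 s window; an attack source is identified by interface, outer/inner VLAN and source MAC, as in that output; only ARP, DHCP and IGMP are traced, as the page states; the traffic, interface names and MAC addresses are constructed.

```python
"""Attack source tracing (auto-defend) modelled in Python; added example, not Huawei code."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

TRACED = ("ARP", "DHCP", "IGMP")  # the packet types the page says are traced


class Pkt(NamedTuple):
    t: float      # arrival time in seconds
    iface: str    # ingress interface
    outer: int    # outer VLAN
    inner: int    # inner VLAN (0 if none)
    mac: str      # source MAC, Huawei xxxx-xxxx-xxxx notation
    ptype: str    # ARP, DHCP, IGMP or anything else


Source = Tuple[str, int, int, str]  # (interface, outer VLAN, inner VLAN, MAC)


class AutoDefend:
    """auto-defend enable / threshold / alarm enable / alarm threshold, as a detector."""

    def __init__(self, threshold_pps: int = 128,
                 alarm_enable: bool = False, alarm_pps: int = 128) -> None:
        self.threshold_pps = threshold_pps  # auto-defend threshold (default 128 pps)
        self.alarm_enable = alarm_enable    # auto-defend alarm enable
        self.alarm_pps = alarm_pps          # auto-defend alarm threshold (default 128 pps)
        self.counts: Dict[Source, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(TRACED, 0))
        self.attackers: Set[Source] = set()
        self.logs: List[Tuple[int, Source, int]] = []   # (window, source, pps) written to the log
        self.traps: List[Tuple[int, Source, int]] = []  # (window, source, pps) sent to the NMS

    def feed(self, pkts: List[Pkt]) -> None:
        # Assumption: the "given period" is a 1 s window keyed on int(t).
        per_window: Dict[Tuple[int, Source], int] = defaultdict(int)
        for p in pkts:
            if p.ptype not in TRACED:
                continue  # other CPU-bound packets are not traced
            src: Source = (p.iface, p.outer, p.inner, p.mac)
            self.counts[src][p.ptype] += 1
            per_window[(int(p.t), src)] += 1
        for (win, src), pps in sorted(per_window.items()):
            if pps > self.threshold_pps:  # exceeding the threshold records a log
                self.attackers.add(src)
                self.logs.append((win, src, pps))
            if self.alarm_enable and pps > self.alarm_pps:  # and, if enabled, a trap
                self.traps.append((win, src, pps))

    def user_table(self) -> List[Tuple]:
        """Rows shaped like the 'Attack Source User Table' of display auto-defend attack-source."""
        rows = []
        for iface, outer, inner, mac in self.attackers:
            c = self.counts[(iface, outer, inner, mac)]
            rows.append((iface, f"{outer}/{inner}", mac, c["ARP"], c["DHCP"], c["IGMP"], sum(c.values())))
        return sorted(rows, key=lambda r: -r[-1])

    def port_table(self) -> List[Tuple[str, str, int]]:
        """Rows shaped like the 'Attack Source Port Table': totals per interface and VLAN."""
        totals: Dict[Tuple[str, str], int] = defaultdict(int)
        for iface, vlan, _mac, _arp, _dhcp, _igmp, total in self.user_table():
            totals[(iface, vlan)] += total
        return sorted(((i, v, n) for (i, v), n in totals.items()), key=lambda r: -r[2])


def demo() -> AutoDefend:
    """Constructed traffic: one ARP flooder and one quiet DHCP/IGMP host on another port."""
    ad = AutoDefend(threshold_pps=128, alarm_enable=True, alarm_pps=200)
    flooder = ("GigabitEthernet3/0/0", 199, 299, "0003-5556-3244")
    quiet = ("GigabitEthernet3/0/1", 100, 0, "0003-5556-0001")
    pkts: List[Pkt] = []
    pkts += [Pkt(i / 300, *flooder, "ARP") for i in range(300)]      # 300 pps in second 0
    pkts += [Pkt(1 + i / 200, *flooder, "ARP") for i in range(200)]  # 200 pps in second 1
    pkts += [Pkt(i / 25, *quiet, "DHCP") for i in range(20)]         # well under 128 pps
    pkts += [Pkt(i / 25, *quiet, "IGMP") for i in range(5)]
    ad.feed(pkts)
    return ad
```

Running demo() flags the flooder twice (300 pps and 200 pps in consecutive seconds, both above the 128 pps threshold) but sends only one trap, because only the first second exceeds the 200 pps alarm threshold; the quiet host never appears in either table. The model only records and alarms, which is what the page describes for the log and trap; the blacklist and CAR of 6.3 are the tools for acting on a MAC that shows up here.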

6.4.6 Applying the Attack Defense Policy


Context
The attack defense policy can be applied to the main control board or all the LPUs in the system
view or to the specified LPU in the slot view.
NOTE

When the attack defense policy is applied to LPUs, the cpu-defend-policy command is run in either the system view or the slot view, but not both. If cpu-defend-policy has been run in the system view with global specified, it cannot be run in the slot view; likewise, if cpu-defend-policy has been run in the slot view, cpu-defend-policy with global cannot be run in the system view.

Procedure
- Applying the attack defense policy in the system view


1.

Run:
system-view

The system view is displayed.


2.

Run:
cpu-defend-policy policy-number [ global ]

An attack defense policy is applied.

- If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application.
- If you specify global in the command, the attack defense policy is applied on all the LPUs.

- Applying the attack defense policy in the slot view


1.

Run:
system-view

The system view is displayed.


2.

Run:
slot slot-id

The slot view is displayed.


3.

Run:
cpu-defend-policy policy-number

An attack defense policy is applied.


The attack defense policy applied in the slot view takes effect only to the LPU in this
slot.
----End

6.4.7 Checking the Configuration


Procedure
- Run the display cpu-defend policy policy-number command to view the attack defense policy.
- Run the display auto-defend attack-source [ slot slot-id ] command to view the list of attack sources configured globally or in a specified slot.

----End

Example
Run the display cpu-defend policy 8 command to view the information about attack defense
policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
Related slot : <4>
Configuration :
Car user-defined-flow 1 : CIR(64) CBS(10000)
Car user-defined-flow 2 : CIR(64) CBS(10000)
Car user-defined-flow 3 : CIR(64) CBS(10000)
Car user-defined-flow 4 : CIR(64) CBS(10000)
Car user-defined-flow 5 : CIR(64) CBS(10000)
Car user-defined-flow 6 : CIR(64) CBS(10000)
Car user-defined-flow 7 : CIR(64) CBS(10000)
Car user-defined-flow 8 : CIR(64) CBS(10000)

Run the display auto-defend attack-source slot 4 command to view the attack sources detected on the LPU in slot 4.
<Quidway> display auto-defend attack-source slot 4
-- Attack Source Port Table (LPU4) --------------------------------------------
InterfaceName            Vlan:Outer/Inner    TOTAL
-------------------------------------------------------------------------------
GigabitEthernet3/0/0     199/299             156464
-------------------------------------------------------------------------------
-- Attack Source User Table (LPU4) --------------------------------------------
InterfaceName            Vlan:Outer/Inner    MacAddress        ARP      DHCP   IGMP   TOTAL
-------------------------------------------------------------------------------
GigabitEthernet3/0/0     199/299             0003-5556-3244    143111   0      0      143111
-------------------------------------------------------------------------------

6.5 Maintaining the Attack Defense Policy


This section describes how to clear statistics about the attack sources and the packets sent to the
CPU.
6.5.1 Clearing Statistics About Packets Destined for the CPU
6.5.2 Clearing Statistics About Attack Sources

6.5.1 Clearing Statistics About Packets Destined for the CPU


Context

CAUTION
Statistics cannot be restored after being cleared. Confirm the action before you run the command.

Procedure
Step 1 Run the reset cpcar [ packet-type ] statistics [ all | slot slot-id ] command to clear statistics
about packets directing at the CPU.
----End

6.5.2 Clearing Statistics About Attack Sources


Context

CAUTION
Statistics about attack sources cannot be restored after being cleared. Confirm the action before you run the command.

Procedure
Step 1 Run the reset auto-defend attack-source [ slot slot-id ] command to clear statistics about attack
sources.
----End

6.6 Configuration Examples


This section provides several configuration examples of attack defense policy.
6.6.1 Example for Configuring the Attack Defense Policy

6.6.1 Example for Configuring the Attack Defense Policy


Networking Requirements
As shown in Figure 6-1, three local user networks net1, net2 and net3 access the Internet through
the S9300. The S9300 is connected to a large number of users, and receives many packets to be
sent to the CPU. In this case, the CPU of the S9300 may be attacked by packets directing at the
CPU. To protect the CPU and enable the S9300 to process services normally, you need to
configure local attack defense.
You need to configure the following attack defense features on the S9300:
- Users on net1 are authorized users; they are added to the whitelist so that their packets are always forwarded.
- Users on net2 are authorized but not fixed users, so a separate rule is defined for sending the packets of net2 users to the CPU, with the CIR limited to 5 Mbit/s.
- Users on net3 often attack the network; they are added to the blacklist so that they cannot access the network.

Figure 6-1 Networking diagram for configuring the attack defense policy
[Figure: Net1 (1.1.1.0/24) on GE1/0/1, Net2 (2.2.2.0/24) on GE1/0/2 and Net3 (3.3.3.0/24) on GE1/0/3 connect to the S9300, which reaches the Internet through GE2/0/1.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACLs and define rules for filtering the packets to be sent to the CPU.
2. Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
3. Configure the rule for sending packets to the CPU.
4. Apply the attack defense policy.

Data Preparation
To complete the configuration, you need the following data:
- Number of the attack defense policy
- IDs of the whitelist, blacklist, and user-defined flows
- ACL numbers and rules
- Slot numbers of the LPUs on which the attack defense policy is applied
NOTE

The following provides only the configuration procedure of the local attack defense feature supported by the S9300. For details on the routing configuration, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.
# Define the ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002
[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit

Step 2 Create an attack defense policy.


# Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
[Quidway] cpu-defend policy 6
[Quidway-cpu-defend-policy-6] whitelist 1 acl 2001
[Quidway-cpu-defend-policy-6] user-defined-flow 1 acl 2002
[Quidway-cpu-defend-policy-6] blacklist 1 acl 2003

Step 3 Configure the rule for sending packets to the CPU.


# Set the CIR for the user-defined flow.
[Quidway-cpu-defend-policy-6] car user-defined-flow 1 cir 5000
[Quidway-cpu-defend-policy-6] quit

Step 4 Apply the attack defense policy.


# Apply the attack defense policy to LPU 1.
[Quidway] slot 1
[Quidway-slot-1] cpu-defend-policy 6
[Quidway-slot-1] quit

# Apply the attack defense policy to LPU 2.


[Quidway] slot 2
[Quidway-slot-2] cpu-defend-policy 6
[Quidway-slot-2] quit

Step 5 Verify the configuration.


# View information about the configured attack defense policy.
<Quidway> display cpu-defend policy 6
Number : 6
Related slot : <1,2>
Configuration :
Whitelist 1 ACL number : 2001
Blacklist 1 ACL number : 2003
User-defined-flow 1 ACL number : 2002
Car user-defined-flow 1 : CIR(5000) CBS(940000)
Car user-defined-flow 2 : CIR(64) CBS(10000)
Car user-defined-flow 3 : CIR(64) CBS(10000)
Car user-defined-flow 4 : CIR(64) CBS(10000)
Car user-defined-flow 5 : CIR(64) CBS(10000)
Car user-defined-flow 6 : CIR(64) CBS(10000)
Car user-defined-flow 7 : CIR(64) CBS(10000)
Car user-defined-flow 8 : CIR(64) CBS(10000)

----End

Configuration Files
#
sysname Quidway
#
acl number 2001
rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
whitelist 1 acl 2001
blacklist 1 acl 2003
user-defined-flow 1 acl 2002
car user-defined-flow 1 cir 5000 cbs 940000
#
slot 1
cpu-defend-policy 6
#
slot 2
cpu-defend-policy 6
#
return

7 PPPoE+ Configuration

About This Chapter


This chapter describes how to configure PPPoE+.
7.1 PPPoE+ Overview
This section describes the principle of PPPoE+.
7.2 PPPoE+ Features Supported by the S9300
This section describes the PPPoE+ features supported by the S9300.
7.3 Configuring PPPoE+
This section describes how to configure PPPoE+.
7.4 Configuration Examples
This section provides several configuration examples of PPPoE+.

7.1 PPPoE+ Overview


This section describes the principle of PPPoE+.
PPPoE provides a sound authentication and security mechanism, but it still has weaknesses, for example, account theft.
In common PPPoE dialup mode, users dialing up through PPPoE from different interfaces of different devices can all access the network as long as their accounts are authenticated successfully on the same RADIUS server. After PPPoE+ is enabled, the user still enters the user name and password for authentication, but the authentication packet also carries information such as the access interface. If the port identified by the RADIUS server differs from the configured one, authentication fails. In this manner, unauthorized users cannot use stolen accounts of authorized users (typically enterprise accounts) to access the Internet.

7.2 PPPoE+ Features Supported by the S9300


This section describes the PPPoE+ features supported by the S9300.
The S9300 can add the device type and interface number to the received PPPoE packets. In this
manner, the PPPoE server can perform policy control flexibly for the client according to the
information in the received PPPoE packets, for example, IP address allocation control and
flexible accounting.

7.3 Configuring PPPoE+


This section describes how to configure PPPoE+.
7.3.1 Establishing the Configuration Task
7.3.2 Enabling PPPoE+ Globally
7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
7.3.5 Configuring the PPPoE Trusted Interface
7.3.6 Checking the Configuration

7.3.1 Establishing the Configuration Task


Applicable Environment
To prevent the access of unauthorized users during PPPoE authentication, you need to configure
PPPoE+ on the S9300. In this case, interface information is added to the PPPoE packets. The
security of the network is thus ensured.

Pre-configuration Tasks
None.

Data Preparation
To configure PPPoE+, you need the following data.
1. Interface number related to PPPoE authentication
2. Format and contents of the fields to be added to PPPoE packets

7.3.2 Enabling PPPoE+ Globally


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pppoe intermediate-agent information enable

PPPoE+ is enabled globally.


After the pppoe intermediate-agent information enable command is run in the system view,
PPPoE+ is enabled on all the interfaces.
By default, PPPoE+ is disabled globally.
----End

7.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets

Context
After PPPoE+ is enabled globally, the user-side interface on the S9300 adds information in
common format to the received PPPoE packets. You can modify the format of the field to be
appended through this task.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pppoe intermediate-agent information format { circuit-id | remote-id } { common |
extend | user-defined text }

The format and contents of fields to be added to PPPoE packets are set.
After the pppoe intermediate-agent information format command is run in the system view,
all the interfaces add fields in specified format to the received PPPoE packets.
----End

7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets

Context
You can configure the action for processing original fields in PPPoE packets in the system view
and in the interface view. The configuration in the system view is valid for all the interfaces. To
adopt a different action on an interface, run the pppoe intermediate-agent information
policy command in the interface view. In this case, the action for processing packets on the
interface depends on the configuration of the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.
- drop: removes the original fields from PPPoE packets.
- keep: retains the contents and format of the original fields in PPPoE packets.
- replace: replaces the original fields in PPPoE packets with fields in the configured format, regardless of whether the packets already carry the fields.

By default, the user-side interface on the S9300 replaces the original fields in the received PPPoE
packets after PPPoE+ is enabled globally.
Step 3 (Optional) Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Then run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for this interface to process original fields in PPPoE packets is configured; it overrides the global setting on this interface only.
----End
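The drop / keep / replace policies of 7.3.4, applied to the vendor-specific tag in which the circuit ID and remote ID of 7.3.3 travel, as an added Python model (example code, not the guide's or the S9300's own implementation). The tag layout follows TR-101 (vendor ID 0x00000DE9, sub-option 0x01 circuit ID, 0x02 remote ID); the circuit-id string is a constructed sample, and how keep treats a packet that carries no original fields is an assumption of this example.

```python
import struct

# PPPoE discovery constants (RFC 2516) and the DSL Forum vendor-specific tag
# layout used for PPPoE+ (TR-101): the tag value is a 4-byte vendor ID followed
# by one-byte-type/one-byte-length sub-options, 0x01 = circuit ID, 0x02 = remote ID.
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
VENDOR_ID_DSL_FORUM = 0x00000DE9
SUBOPT_CIRCUIT_ID = 0x01
SUBOPT_REMOTE_ID = 0x02
PPPOE_CODE_PADI = 0x09


def parse_tags(tag_bytes):
    """Return the PPPoE tag list as [(type, value), ...], rejecting truncated tags."""
    tags, off = [], 0
    while off + 4 <= len(tag_bytes):
        ttype, tlen = struct.unpack_from("!HH", tag_bytes, off)
        off += 4
        if off + tlen > len(tag_bytes):
            raise ValueError("truncated PPPoE tag 0x%04x" % ttype)
        tags.append((ttype, tag_bytes[off:off + tlen]))
        off += tlen
        if ttype == TAG_END_OF_LIST:
            break
    return tags


def encode_tags(tags):
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def build_vendor_tag(circuit_id, remote_id=None):
    """Build the vendor-specific tag carrying the S9300's own circuit ID / remote ID."""
    for value in (circuit_id, remote_id):
        if value is not None and len(value) > 255:
            raise ValueError("sub-option value exceeds the one-byte length field")
    body = struct.pack("!I", VENDOR_ID_DSL_FORUM)
    body += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return (TAG_VENDOR_SPECIFIC, body)


def vendor_suboptions(tag_value):
    """Decode a vendor-specific tag value into (vendor_id, {sub-option type: value})."""
    if len(tag_value) < 4:
        raise ValueError("vendor-specific tag shorter than the vendor ID")
    vendor_id = struct.unpack_from("!I", tag_value, 0)[0]
    subs, off = {}, 4
    while off + 2 <= len(tag_value):
        stype, slen = tag_value[off], tag_value[off + 1]
        off += 2
        if off + slen > len(tag_value):
            raise ValueError("truncated sub-option 0x%02x" % stype)
        subs[stype] = tag_value[off:off + slen]
        off += slen
    return vendor_id, subs


def insert_before_end(tags, tag):
    """Insert a tag ahead of the End-Of-List tag when one terminates the list."""
    if tags and tags[-1][0] == TAG_END_OF_LIST:
        return tags[:-1] + [tag] + tags[-1:]
    return tags + [tag]


def apply_policy(pppoe_payload, policy, circuit_id, remote_id=None):
    """Apply the drop / keep / replace policy to one PPPoE discovery payload.

    pppoe_payload is the frame payload after the Ethernet header: the 6-byte
    PPPoE header (ver/type, code, session ID, length) followed by the tags.
    """
    ver_type, code, session, length = struct.unpack_from("!BBHH", pppoe_payload, 0)
    tags = parse_tags(pppoe_payload[6:6 + length])
    has_original = any(t == TAG_VENDOR_SPECIFIC for t, _ in tags)
    without = [tv for tv in tags if tv[0] != TAG_VENDOR_SPECIFIC]
    ours = build_vendor_tag(circuit_id, remote_id)
    if policy == "drop":
        new_tags = without                      # original fields removed, nothing added
    elif policy == "keep":
        # original fields left untouched; a packet that carries none gets ours
        # (the behaviour for such packets is an assumption of this example)
        new_tags = tags if has_original else insert_before_end(without, ours)
    elif policy == "replace":
        new_tags = insert_before_end(without, ours)   # ours, whether or not any were present
    else:
        raise ValueError("unknown policy %r" % policy)
    body = encode_tags(new_tags)
    return struct.pack("!BBHH", ver_type, code, session, len(body)) + body


def make_padi(tags):
    """Constructed sample: a PADI (ver/type 0x11, code 0x09, session 0) with the given tags."""
    body = encode_tags(tags)
    return struct.pack("!BBHH", 0x11, PPPOE_CODE_PADI, 0x0000, len(body)) + body
```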

7.3.5 Configuring the PPPoE Trusted Interface


Context
To prevent bogus PPPoE servers and the security risk caused by PPPoE packets forwarded to
non-PPPoE service interfaces, you can configure the interface connecting the S9300 and the
PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets
sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only.
In addition, only the PPPoE packets received from the trusted interface are forwarded to the
PPPoE client.
NOTE

The trusted interface only controls protocol packets in the PPPoE discovery stage, and does not control service
packets in the PPPoE session stage.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.


Step 3 Run:
pppoe uplink-port trusted

The interface is configured as the trusted interface.


----End

7.3.6 Checking the Configuration


Procedure
l Run the display pppoe intermediate-agent information format command to check information about the circuit ID and remote ID that are globally set.
l Run the display pppoe intermediate-agent information policy command to check the globally set action for processing original fields in PPPoE packets.

----End

7.4 Configuration Examples


This section provides several configuration examples of PPPoE+.
7.4.1 Example for Configuring PPPoE+

7.4.1 Example for Configuring PPPoE+


Networking Requirements
As shown in Figure 7-1, the S9300 is connected to the upstream device BRAS and the
downstream device PC; the PPPoE server is configured on the BRAS device. PPPoE+ is enabled
on the S9300 to control and monitor dialup users.

Figure 7-1 Networking diagram for configuring PPPoE+
[Figure: the BRAS (PPPoE server) in the IP network connects to GE1/0/0 of the S9300, on which PPPoE+ is enabled; the PPPoE clients connect to GE2/0/1 and GE2/0/2 of the S9300.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally.
   NOTE
   After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.
2. Configure the contents and format of fields to be added to PPPoE packets on the S9300.
3. Configure the action for the S9300 to process PPPoE packets.
4. Configure the interface connecting the S9300 and the PPPoE server as the trusted interface.

Data Preparation
None.

Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

Step 2 Configure the format of information fields.


Configure the S9300 to add the circuit ID in extend format to PPPoE packets, that is, the format
in hexadecimal notation is used.
[Quidway] pppoe intermediate-agent information format circuit-id extend

Step 3 Configure the action for processing original fields in PPPoE packets.
Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the
S9300.
[Quidway] pppoe intermediate-agent information policy replace

Step 4 Configure the trusted interface.


Configure GE 1/0/0 as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] pppoe uplink-port trusted
[Quidway-GigabitEthernet1/0/0] quit

----End

Configuration Files
#
sysname Quidway
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet1/0/0
pppoe uplink-port trusted
#
return


8 MFF Configuration

About This Chapter

This section describes the principle and configuration of the MAC-Forced Forwarding (MFF)
function.
8.1 MFF Overview
This section describes the principle of the MFF function.
8.2 MFF Features Supported by the S9300
This section describes the MFF features supported by the S9300.
8.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
8.4 Configuration Examples
This section provides a configuration example of MFF.

8.1 MFF Overview


This section describes the principle of the MFF function.

Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer
2 isolation and Layer 3 interconnection between clients. When many users need to be isolated
on Layer 2, a large number of VLANs are required. In addition, to enable the clients to
communicate on Layer 3, each VLAN must be assigned an IP network segment and each
VLANIF interface needs an IP address. This wastes IP addresses. In addition, the network is
vulnerable to attacks, and malicious attacks launched by users on the network cannot be prevented.
The MFF function provides a solution to this problem and implements Layer 2 isolation and
Layer 3 interconnection between the clients in a broadcast domain. The MFF intercepts the ARP
requests from users and replies with ARP responses containing the MAC address of the gateway
through the ARP proxy. In this manner, the MFF forces users to send all traffic, including the
traffic on the same subnet, to the gateway so that the gateway can monitor data traffic. This
prevents malicious attacks and improves network security.

MFF Interface Role


Two types of interfaces are involved in the MFF function: network interface and user interface.
l User interface
  A user interface is an interface directly connected to users.
  MFF processes packets on a user interface as follows:
  - Allows protocol packets to pass through.
  - Sends ARP and DHCP packets to the CPU.
  - If the interface has learned the MAC address of the gateway, MFF allows the unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards other packets. If the interface has not learned the MAC address of the gateway, MFF discards all packets.
  - Rejects multicast packets and broadcast packets.
l Network interface
  A network interface is an interface connected to another network device, for example, an access switch, an aggregation switch, or a gateway.
  MFF processes packets on a network interface as follows:
  - Allows multicast and DHCP packets to pass through.
  - Sends ARP packets to the CPU.
  - Rejects broadcast packets.

NOTE
The network interfaces include:
l Uplink interfaces connected to the gateway
l Interfaces connected to other MFF devices when multiple MFF devices are deployed on the network
l Interfaces between the MFF devices on a ring network
The interface role is irrelevant to the position of the interface on a network.

On a VLAN where MFF is enabled, an interface must be a network interface or a user interface.

8.2 MFF Features Supported by the S9300


This section describes the MFF features supported by the S9300.

Static Gateway
The static gateway is applicable to the scenario where the IP addresses are set statically. When
users are assigned IP addresses statically, the users cannot obtain the gateway information
through the DHCP packets. In this case, a static gateway address needs to be configured for each
VLAN. If the static gateway address is not configured, no users except DHCP users can
communicate with each other.

Gateway Address Detection and Maintenance


If the function of timed gateway address detection is enabled, MFF sends detection packets
periodically to check whether the gateway address needs to be updated.
The detection packet is a forged ARP packet whose source IP address and MAC address are the
addresses of the first user in the MFF user list. If the first user entry is deleted, the MFF selects
another user entry to forge the ARP packet. If the gateway does not have any matching user
information after the user entry is deleted, the MFF deletes the probe information.

ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP
proxy reduces the number of broadcast packets at the network side and user side.
The MFF processes ARP packets as follows:
l Responds to the ARP requests of users.
  The MFF responds to the ARP requests of users on behalf of the gateway. Therefore, all the packets of users are forwarded at Layer 3 by the gateway. The ARP request of a user may be for the gateway address or for the IP address of another user.
l Responds to the ARP requests of the gateway.
  The MFF responds to the ARP requests of the gateway on behalf of user hosts. If the ARP entry matching the request of the gateway exists on the MFF, the MFF returns a response with the requested address to the gateway. If the entry does not exist, the MFF forwards the request. In this way, the number of broadcast packets is reduced.
l Monitors the ARP packets on the network and updates the IP address and MAC address of the gateway.

Server Deployment on the Network


The IP address of the server can be the IP address of the DHCP server, the IP address of another
server, or the virtual IP address of the VRRP group.
If a network interface receives an ARP request whose source IP address is the IP address of the
server, the interface responds to the ARP request as a gateway. That is, the packets sent from
users are forwarded to the gateway, and then sent to the server. The packets sent by the server,
however, are not forwarded to the gateway.
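The interface-role rules of 8.1 together with the ARP proxy and server handling of 8.2, as one added Python model (example code, not the S9300's implementation). The addresses are constructed after the display output in 8.3.8; how the MFF user list is populated, the handling of unicast on a network interface, and what happens to a user ARP request before the gateway MAC is known are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def is_multicast(mac):
    """Group bit of the first octet is set; broadcast is treated separately."""
    return mac != BROADCAST_MAC and int(mac.split("-")[0], 16) & 1 == 1


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str                       # "arp", "dhcp", "ip" or "control" (e.g. STP)
    src_ip: Optional[str] = None     # ARP sender IP
    target_ip: Optional[str] = None  # ARP target IP
    op: Optional[str] = None         # ARP "request" or "reply"


@dataclass
class MffVlan:
    gateway_ip: str                       # static gateway (8.3.5) or learned via DHCP
    gateway_mac: Optional[str] = None     # learned from ARP seen on the network side
    servers: set = field(default_factory=set)   # mac-forced-forwarding server ...
    users: dict = field(default_factory=dict)   # MFF user list: user IP -> user MAC


def user_port_action(frame, vlan):
    """Decision for a frame received on a user interface (8.1)."""
    if frame.proto == "control":
        return "forward"                  # protocol packets pass through
    if frame.proto in ("arp", "dhcp"):
        return "cpu"                      # punted to handle_arp / DHCP handling
    if frame.dst_mac == BROADCAST_MAC or is_multicast(frame.dst_mac):
        return "drop"
    if vlan.gateway_mac is None:
        return "drop"                     # gateway MAC not learned yet: drop everything
    return "forward" if frame.dst_mac == vlan.gateway_mac else "drop"


def network_port_action(frame, vlan):
    """Decision for a frame received on a network interface (8.1)."""
    if frame.proto == "arp":
        return "cpu"
    if frame.proto == "dhcp" or is_multicast(frame.dst_mac):
        return "forward"
    if frame.dst_mac == BROADCAST_MAC:
        return "drop"
    return "forward"   # unicast toward a user: assumed to be forwarded normally


def handle_arp(frame, vlan, from_user_port):
    """ARP proxy (8.2) for an ARP packet punted to the CPU.

    Returns ("reply", Frame) when the MFF answers on someone's behalf,
    ("forward", frame) when the packet is passed on, or ("learn", None).
    """
    if not from_user_port and frame.src_ip == vlan.gateway_ip:
        vlan.gateway_mac = frame.src_mac  # monitor network-side ARP, refresh gateway MAC
    if frame.op != "request":
        return ("learn", None)
    if from_user_port:
        vlan.users[frame.src_ip] = frame.src_mac   # user list entry (assumption: learned here)
        if vlan.gateway_mac is None:
            return ("forward", frame)     # assumption: nothing to answer with yet
        # every user request, for the gateway or for another user, gets the gateway MAC
        return ("reply", Frame(vlan.gateway_mac, frame.src_mac, "arp",
                               src_ip=frame.target_ip, target_ip=frame.src_ip, op="reply"))
    # network side: a request from the gateway, or from a configured server, which is
    # answered as if it came from the gateway, is answered for a known user;
    # otherwise the request is forwarded
    if frame.src_ip == vlan.gateway_ip or frame.src_ip in vlan.servers:
        user_mac = vlan.users.get(frame.target_ip)
        if user_mac is not None:
            return ("reply", Frame(user_mac, frame.src_mac, "arp",
                                   src_ip=frame.target_ip, target_ip=frame.src_ip, op="reply"))
    return ("forward", frame)
```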

8.3 Configuring MFF


The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
8.3.1 Establishing the Configuration Task
8.3.2 Enabling Global MFF
8.3.3 Configuring the MFF Network Interface
8.3.4 Enabling MFF in a VLAN
8.3.5 (Optional) Configuring the Static Gateway Address
8.3.6 (Optional) Enabling Timed Gateway Address Detection
8.3.7 (Optional) Setting the Server Address
8.3.8 Checking the Configuration

8.3.1 Establishing the Configuration Task


Applicable Environment
At the access layer of the Metro Ethernet, you can configure the MFF function to implement the
Layer 2 isolation between access users. The traffic between users is forwarded by the gateway
at the Layer 3. In this way, you can filter the user traffic, perform traffic scheduling based on
policies, and charge users.

Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks.
If DHCP users exist, you need to perform the following operations:
l Enabling DHCP snooping
l Configuring the trusted interface of DHCP snooping

Data Preparation
To configure the MFF function, you need the following data.

8-4

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Issue 06 (20100108)

Quidway S9300 Terabit Routing Switch


Configuration Guide - Security

No.

Data

VLAN ID of the MFF device

Type and number of the network interface to be configured

(Optional) IP address of the static gateway to be configured

(Optional) IP address of the server to be configured

8 MFF Configuration

8.3.2 Enabling Global MFF


Context
You can perform other MFF configurations only after enabling the global MFF.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-forced-forwarding enable

The global MFF is enabled.


By default, the global MFF is disabled.
----End

8.3.3 Configuring the MFF Network Interface


Context
The MFF function of a VLAN takes effect after you configure at least one network interface on
the VLAN.
NOTE

This task can be performed before the global MFF is enabled; however, it takes effect only after the global
MFF is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Step 3 Run:
mac-forced-forwarding network-port

The interface is configured as a network interface.


By default, the interface is a user interface.
----End

8.3.4 Enabling MFF in a VLAN


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-forced-forwarding enable

The MFF function is enabled for the VLAN.


By default, the MFF function is disabled in a VLAN.
----End

8.3.5 (Optional) Configuring the Static Gateway Address


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-forced-forwarding static-gateway ip-address

The IP address of the static gateway is set.


----End
8.3.6 (Optional) Enabling Timed Gateway Address Detection


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-forced-forwarding gateway-detect

The timed gateway address detection is enabled.


After the timed gateway address detection is enabled, the S9300 sends ARP packets periodically
to detect the gateway.
By default, the timed gateway address detection is disabled.
----End

8.3.7 (Optional) Setting the Server Address


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
vlan vlan-id

The VLAN view is displayed.


Step 3 Run:
mac-forced-forwarding server ip-address &<1~10>

The IP address of the server deployed on the network is set.


----End

8.3.8 Checking the Configuration


Procedure
l Run the display mac-forced-forwarding network-port command to view the MFF network interface.
l Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and gateway on the VLAN.

----End

Example
Run the display mac-forced-forwarding network-port command, and you can see information
about the network-side interface matching the MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
-------------------------------------------------------------------------------
VLAN ID        Network-ports
-------------------------------------------------------------------------------
VLAN 10        GigabitEthernet2/0/0
               GigabitEthernet2/0/1
               GigabitEthernet2/0/2
               GigabitEthernet2/0/3
VLAN 100       GigabitEthernet1/0/10
               GigabitEthernet1/0/15

Run the display mac-forced-forwarding vlan vlan-id command, and you can see information
about MFF users and gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers:
192.168.1.2
192.168.1.3
-------------------------------------------------------------------
User IP          User MAC             Gateway IP       Gateway MAC
-------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01    192.168.1.254    00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02    192.168.1.254    00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03    192.168.1.252    00-02-00-02-00-03
-------------------------------------------------------------------
[Vlan 100] MFF host total count = 3

8.4 Configuration Examples


This section provides a configuration example of MFF.
8.4.1 Example for Configuring MFF

8.4.1 Example for Configuring MFF


Networking Requirements
As shown in Figure 8-1, all the user hosts obtain IP addresses through the DHCP server and all
the devices are located in VLAN 10. To implement Layer 2 isolation and Layer 3 interconnection
between the hosts, you need to configure the MFF function on S9300-A and S9300-B.


Figure 8-1 Networking diagram for configuring MFF
[Figure: a DHCP server and an AR (10.10.10.1/24) upstream of S9300-B, reached through GE1/0/0 of S9300-B; GE2/0/1 of S9300-B connects to GE2/0/1 of S9300-A; user hosts connect to GE2/0/2 of S9300-B and to GE1/0/1, GE1/0/2 and GE1/0/3 of S9300-A.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable the function of timed gateway address detection.
6. (Optional) Configure the server.

Data Preparation
To complete the configuration, you need the following data:
l VLAN ID of the MFF device
l Type and number of the network interface to be configured
l (Optional) IP address of the server to be configured


Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] dhcp enable
[S9300-A] dhcp snooping enable

# Enable DHCP snooping on the interfaces of the S9300-A. Take the configuration on GE 1/0/1
as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar to the
configuration on GE 1/0/1 and are not mentioned here.
[S9300-A] interface gigabitethernet 1/0/1
[S9300-A-GigabitEthernet1/0/1] dhcp snooping enable
[S9300-A-GigabitEthernet1/0/1] quit

# Set the status of interface GE 2/0/1 on S9300-A to Trusted.


[S9300-A] interface gigabitethernet 2/0/1
[S9300-A-GigabitEthernet2/0/1] dhcp snooping trusted
[S9300-A-GigabitEthernet2/0/1] quit

# Enable global DHCP snooping on S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] dhcp enable
[S9300-B] dhcp snooping enable

# Enable DHCP snooping on the interfaces of the S9300-B. Take the configuration on GE 1/0/0
as an example. The configurations on GE 2/0/1 and GE 2/0/2 are similar to the configuration on
GE 1/0/0 and are not mentioned here.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping enable
[S9300-B-GigabitEthernet1/0/0] quit

# Set the status of interface GE 1/0/0 on S9300-B to Trusted.


[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping trusted
[S9300-B-GigabitEthernet1/0/0] quit

Step 2 Enable global MFF.


# Enable global MFF on S9300-A.
[S9300-A] mac-forced-forwarding enable

# Enable global MFF on S9300-B.


[S9300-B] mac-forced-forwarding enable

Step 3 Configure the MFF network interfaces.


# Configure GE 2/0/1 of S9300-A as the network interface.
[S9300-A] interface gigabitethernet 2/0/1
[S9300-A-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[S9300-A-GigabitEthernet2/0/1] quit

# Configure GE 1/0/0 and GE 2/0/1 of S9300-B as the network interfaces.


[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] mac-forced-forwarding network-port
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface gigabitethernet 2/0/1
[S9300-B-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[S9300-B-GigabitEthernet2/0/1] quit

Step 4 Enable MFF for the VLAN.


# Enable MFF for VLAN 10 on S9300-A.
[S9300-A] vlan 10
[S9300-A-vlan10] mac-forced-forwarding enable

# Enable MFF for VLAN 10 on S9300-B.


[S9300-B] vlan 10
[S9300-B-vlan10] mac-forced-forwarding enable

Step 5 (Optional) Enable the function of timed gateway address detection.


# Enable the function of timed gateway address detection on S9300-A.
[S9300-A-vlan10] mac-forced-forwarding gateway-detect

# Enable the function of timed gateway address detection on S9300-B.


[S9300-B-vlan10] mac-forced-forwarding gateway-detect

Step 6 (Optional) Configure the server.


# Configure the server on S9300-A.
[S9300-A-vlan10] mac-forced-forwarding server 10.10.10.1

# Configure the server on S9300-B.


[S9300-B-vlan10] mac-forced-forwarding server 10.10.10.1

----End

Configuration Files
l Configuration file of S9300-A

#
sysname S9300-A
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
mac-forced-forwarding enable
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/1
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet1/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet1/0/3
port link-type access
port default vlan 10
dhcp snooping enable
#
interface gigabitethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
mac-forced-forwarding network-port
#
return


l Configuration file of S9300-B

#
sysname S9300-B
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
mac-forced-forwarding enable
mac-forced-forwarding gateway-detect
mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
dhcp snooping trusted
mac-forced-forwarding network-port
#
interface gigabitethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping enable
mac-forced-forwarding network-port
#
interface gigabitethernet2/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
return


9 Interface Security Configuration

About This Chapter

This chapter describes the principle and configuration of interface security.
9.1 Interface Security Overview
This section describes the principle of the interface security function.
9.2 Interface Security Features Supported by the S9300
This section describes the interface security features supported by the S9300.
9.3 Configuring Interface Security
This section describes how to configure the interface security function.
9.4 Configuration Examples
This section provides a configuration example of interface security.

9.1 Interface Security Overview


This section describes the principle of the interface security function.
The interface security function is a security protection mechanism that controls the access to the
network.
The interface security function records the MAC address of the host connected to an interface
of the S9300, that is, the network adapter ID of the host. Only the host with the specified MAC
address can communicate with this interface. Hosts with other MAC addresses are prevented
from communicating with the interface. The interface security function prevents certain devices
from accessing the network, thus enhancing network security.

9.2 Interface Security Features Supported by the S9300


This section describes the interface security features supported by the S9300.
The Ethernet and GE interfaces on the S9300 support the interface security function. After
interface security is configured on an Ethernet interface or a GE interface, the S9300 considers
the following types of MAC addresses authorized:
l Static MAC addresses that are manually configured
l Dynamic MAC addresses learned before the number of MAC addresses reaches the upper limit
l Dynamic or static MAC addresses in a DHCP snooping table

The S9300 considers other types of MAC addresses unauthorized. When an interface receives
the packets sent from unauthorized MAC addresses, the interface security function takes effect.
Currently, the S9300 supports the following protection actions in interface security:
l protect: When an interface receives the packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them.
l restrict: When an interface receives the packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them and sends a trap to the Network Management System (NMS).


9.3 Configuring Interface Security


This section describes how to configure the interface security function.
9.3.1 Establishing the Configuration Task
9.3.2 Enabling the Interface Security Function
9.3.3 (Optional) Configuring the Protection Action in Interface Security
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface
9.3.5 Enabling Sticky MAC on an Interface
9.3.6 Checking the Configuration
9.3.1 Establishing the Configuration Task


Applicable Environment
The interface security function records the MAC address of the host connected to an interface
of the S9300, that is, the network adapter ID of the host. Only the host with the specified MAC
address can communicate with this interface. Hosts with other MAC addresses are prevented
from communicating with the interface. The interface security function prevents certain devices
from accessing the network, thus enhancing network security.

Pre-configuration Tasks
None.

Data Preparation
Before configuring interface security, you need the following data.
No.  Data
1    Interface type and number
2    Maximum number of MAC addresses that can be learned by an interface

9.3.2 Enabling the Interface Security Function


Context
You can perform other configurations of interface security, for example, configuring protection
actions, setting the maximum number of MAC addresses that can be learned, and configuring
the sticky MAC address only after the interface security function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security enable

The interface security function is enabled.


By default, the interface security function is disabled on interfaces of the S9300.


----End

9.3.3 (Optional) Configuring the Protection Action in Interface Security
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security protect-action { protect | restrict }

The protection action in interface security is configured.


By default, the protection action is restrict.
----End

9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface
Context
NOTE
l If the sticky MAC function is disabled, this task can limit the maximum number of MAC addresses dynamically learned by an interface.
l If the sticky MAC function is enabled, this task can limit the maximum number of sticky MAC addresses learned by an interface.
For the sticky MAC function, see 9.3.5 Enabling Sticky MAC on an Interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface or a GE interface.


Step 3 Run:
port-security maximum max-number

The maximum number of MAC addresses learned by an interface is set.


After the interface security function is enabled, the maximum number of MAC addresses learned
by an interface is 1 by default.
----End

9.3.5 Enabling Sticky MAC on an Interface


Context
The sticky MAC function converts a dynamic MAC address learned by an interface into a static
MAC address, so that the MAC address appears to be stuck to the interface. When the number of
MAC addresses learned by an interface reaches the maximum, the interface cannot learn new
MAC addresses. The interface converts the dynamic MAC addresses to sticky MAC addresses,
and only the hosts with the sticky MAC addresses are allowed to communicate with the
S9300.
After this function is enabled, the S9300 does not need to learn the MAC addresses again after
restart. In addition, hosts using untrusted MAC addresses are prevented from communicating
with the S9300 through this interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security mac-address sticky

The sticky MAC function is enabled on the interface.


By default, the sticky MAC function is disabled on an interface.
----End
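The authorization rules and protection actions of 9.2 together with the maximum (9.3.4) and sticky MAC (9.3.5) behaviour, as an added Python model of one interface (example code, not the S9300's own logic). The MAC address 0018-2000-0083 comes from the display sticky-mac output in 9.3.6; every other address and the trap text are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One S9300 interface with port-security enable configured (constructed model)."""
    name: str
    maximum: int = 1               # port-security maximum (default 1)
    action: str = "restrict"       # port-security protect-action (default restrict)
    sticky: bool = False           # port-security mac-address sticky
    static_macs: set = field(default_factory=set)         # manually configured entries
    dhcp_snooping_macs: set = field(default_factory=set)  # entries from the DHCP snooping table
    learned: dict = field(default_factory=dict)  # MAC -> "dynamic" or "sticky"
    traps: list = field(default_factory=list)    # traps sent to the NMS (restrict only)
    dropped: int = 0

    def is_authorized(self, mac):
        """Static, DHCP snooping and already-learned MACs are authorized (9.2)."""
        return (mac in self.static_macs or mac in self.dhcp_snooping_macs
                or mac in self.learned)

    def receive(self, src_mac):
        """Return "forward" or "discard" for a frame with the given source MAC."""
        if self.is_authorized(src_mac):
            return "forward"
        if len(self.learned) < self.maximum:
            # below the limit: learn it, as a sticky entry when sticky MAC is enabled;
            # static and DHCP snooping entries do not count toward the limit
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # unauthorized MAC: neither learned nor forwarded; restrict also raises a trap
        self.dropped += 1
        if self.action == "restrict":
            self.traps.append("%s: frame from unauthorized MAC %s discarded" % (self.name, src_mac))
        return "discard"

    def reboot(self):
        """Dynamic entries are lost on restart; sticky entries survive (9.3.5)."""
        self.learned = {m: t for m, t in self.learned.items() if t == "sticky"}

    def sticky_entries(self):
        """Rows in the shape of display sticky-mac: (MAC, port, type)."""
        return [(m, self.name, "sticky mac") for m, t in self.learned.items() if t == "sticky"]
```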

9.3.6 Checking the Configuration


Procedure
l Run the display current-configuration interface interface-type interface-number command to check the current configuration of the interface.
l Run the display sticky-mac command to view the sticky MAC entries.

----End

Example
Run the display sticky-mac command, and you can view the sticky MAC address entries.
<Quidway> display sticky-mac interface GigabitEthernet 2/0/1
MAC Address       VLAN/VSI   Port                   Type
---------------------------------------------------------------------
0018-2000-0083    1          GigabitEthernet2/0/1   sticky mac
Total 1 printed

9.4 Configuration Examples


This section provides a configuration example of interface security.
9.4.1 Example for Configuring Interface Security

9.4.1 Example for Configuring Interface Security


Networking Requirements
As shown in Figure 9-1, a company wants to prevent the computers of non-employees from
accessing the intranet of the company to protect information security. To achieve this goal, the
company needs to enable the sticky MAC function on the interfaces connected to computers of
employees and set the maximum number of MAC addresses learned by the interfaces to be the
same as the number of trusted computers.
Figure 9-1 Networking diagram for configuring interface security
[Figure labels: Internet; S9300 (GE1/0/1); LAN switch; PC1, PC2, PC3; VLAN 10]


Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and set the VLAN attribute of the interface to trunk.
2. Enable the interface security function.
3. Configure the protection action.
4. Set the maximum number of MAC addresses that can be learned by the interfaces.
5. Enable the sticky MAC function on the interfaces.


Data Preparation
To complete the configuration, you need the following data:
- VLAN ID carried in packets that the interface allows to pass through
- Types and numbers of the interfaces connected to the computers
- Protection action
- Maximum number of MAC addresses learned by interfaces

Procedure
Step 1 Create a VLAN and set the VLAN attribute of the interface.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10

Step 2 Configure the interface security function.


# Enable the interface security function.
[Quidway-GigabitEthernet1/0/1] port-security enable

# Configure the protection action.


[Quidway-GigabitEthernet1/0/1] port-security protect-action protect

# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security maximum 4

# Enable the sticky MAC function on the interface.


[Quidway-GigabitEthernet1/0/1] port-security mac-address sticky

To enable the interface security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.
----End

Configuration Files
The following lists the configuration files of the S9300.
#
sysname Quidway
#
interface GigabitEthernet1/0/1
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security maximum 4
#
return
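The behaviour that the configuration file above produces on GigabitEthernet1/0/1 (port-security enable, protect-action protect, maximum 4, mac-address sticky) can be modelled to see why the sticky option matters across a restart. The following is an added example, not S9300 code: it is a simulation of the documented behaviour, the MAC addresses are constructed, and the silent discard performed by the protect action is taken from the statement in Step 3 that a replacement PC cannot access the intranet.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    """One access interface with port-security enable, maximum <n>,
    protect-action protect and (optionally) mac-address sticky."""
    name: str
    maximum: int                      # port-security maximum <n>
    sticky: bool = True               # port-security mac-address sticky
    table: Dict[str, str] = field(default_factory=dict)   # source MAC -> entry type
    dropped: List[str] = field(default_factory=list)      # source MACs discarded by protect

    def ingress(self, src_mac: str) -> bool:
        """Process one frame arriving with source MAC src_mac.
        Returns True if the frame is forwarded, False if it is discarded."""
        if src_mac in self.table:
            return True
        if len(self.table) < self.maximum:
            # New address within the limit: it is learned. With sticky enabled the
            # entry is kept as a sticky MAC entry that survives a restart.
            self.table[src_mac] = "sticky mac" if self.sticky else "dynamic"
            return True
        # Limit reached: protect-action protect silently discards frames from
        # any address that is not already in the table.
        self.dropped.append(src_mac)
        return False

    def restart(self) -> None:
        """Device restart: sticky entries are retained, dynamic entries are lost."""
        self.table = {mac: kind for mac, kind in self.table.items() if kind == "sticky mac"}


# Constructed sample MAC addresses: four trusted PCs and one unknown host.
TRUSTED = ["0018-2000-0001", "0018-2000-0002", "0018-2000-0003", "0018-2000-0004"]
INTRUDER = "0018-2000-00ff"


def run_scenario(sticky: bool) -> dict:
    """Learn the trusted hosts, try an unknown host, restart, try again.
    Returns what was forwarded before and after the restart."""
    port = SecurePort("GigabitEthernet1/0/1", maximum=4, sticky=sticky)
    learned = [port.ingress(mac) for mac in TRUSTED]
    intruder_before = port.ingress(INTRUDER)
    port.restart()
    entries_after_restart = len(port.table)
    # After the restart the unknown host is the first to send a frame.
    intruder_after = port.ingress(INTRUDER)
    trusted_after = port.ingress(TRUSTED[0])
    return {
        "trusted_learned": all(learned),
        "intruder_before_restart": intruder_before,
        "entries_after_restart": entries_after_restart,
        "intruder_after_restart": intruder_after,
        "trusted_after_restart": trusted_after,
    }


if __name__ == "__main__":
    print("sticky:    ", run_scenario(sticky=True))
    print("non-sticky:", run_scenario(sticky=False))
```

With sticky enabled the four entries survive the restart and the unknown host is still discarded; without it the table is empty after the restart and whichever host sends first is learned, which is the gap the sticky MAC function closes.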

10 Traffic Suppression Configuration

About This Chapter


This chapter describes the principle and configuration of traffic suppression.
10.1 Introduction to Traffic Suppression
This section describes the principle of traffic suppression.
10.2 Traffic Suppression Features Supported by the S9300
This section describes the traffic suppression features supported by the S9300.
10.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression on a specified interface.
10.4 Configuration Examples
This section provides several configuration examples of traffic suppression.


10.1 Introduction to Traffic Suppression


This section describes the principle of traffic suppression.
Broadcast packets entering the S9300 are forwarded on all the interfaces in a VLAN, and
multicast packets are forwarded on the interfaces of the multicast group. Unknown unicast
packets entering the S9300 are broadcast to all the interfaces. These three types of packets
consume a great deal of bandwidth, reduce the available bandwidth of the system, and degrade
normal forwarding and processing capabilities.
The traffic suppression function limits the traffic entering an interface and protects the S9300
against these three types of traffic. It also guarantees the available bandwidth and processing
capabilities of the S9300 when the traffic is abnormal.

10.2 Traffic Suppression Features Supported by the S9300


This section describes the traffic suppression features supported by the S9300.
The traffic suppression function can be configured on Ethernet interfaces of the S9300.

10.3 Configuring Traffic Suppression


This section describes how to configure traffic suppression on a specified interface.
10.3.1 Establishing the Configuration Task
10.3.2 Configuring Traffic Suppression on an Interface
10.3.3 Checking the Configuration

10.3.1 Establishing the Configuration Task


Applicable Environment
To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface
and protect the device against traffic attacks, you can configure traffic suppression on the
interface.

Pre-configuration Tasks
None

Data Preparation
To configure traffic suppression, you need the following data:
1. Type and number of the interface where traffic suppression needs to be configured
2. Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3. Mode in which traffic is suppressed (packet rate, bit rate, or rate percentage on a physical interface)
4. Limited rate, including packet rate, committed information rate (CIR), committed burst size (CBS), and bandwidth percentage

10.3.2 Configuring Traffic Suppression on an Interface


Context
Do as follows on the S9300 where traffic suppression needs to be configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Traffic suppression can be configured on Ethernet interfaces or GE interfaces of the S9300.
Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } { percentvalue | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

Traffic suppression is configured.


Traffic suppression for three types of traffic can be configured on an interface of the S9300.
Select one of the following traffic suppression modes for the traffic on an interface:
- To configure traffic suppression based on the packet rate, select the packets parameter.
- To configure traffic suppression based on the bit rate, select the cir and cbs parameters.
- To configure traffic suppression based on the bandwidth percentage, select the percent-value parameter.

NOTE

Suppression based on bandwidth percentage is equivalent to suppression based on packet rate.
Assume the bandwidth of an interface is bandwidth (kbit/s). The percent-value parameter is
converted to the packets keyword as follows: bandwidth x percent x 1000 x 1000/(84 x 8). Here, 84 is
the average packet length in bytes (the 64-byte packet body plus 20 bytes of frame spacing and check
information), and 8 is the number of bits in a byte.

If traffic suppression based on the bit rate is set for one type of traffic on an interface, the bandwidth
percentage set for the other types of traffic is converted to a bit rate by the following formula:
Bit rate = Bandwidth of the interface x Percentage.

A packet-rate (pps) limit for one type of packets cannot be set together with a bit-rate limit for
another type of packets on the same interface. For example, if the bit rate for multicast packets
is set on an interface, you cannot set a pps limit for broadcast packets.

If traffic suppression is already configured for a type of traffic on an interface and is configured
again for the same type of traffic at a different rate, the latest configuration overrides the previous
one.

----End

10.3.3 Checking the Configuration


Prerequisite
The configurations of traffic suppression are complete.

Procedure
l

Run the display flow-suppression interface interface-type interface-number command to


check the configuration of traffic suppression.

----End

Example
Run the display flow-suppression interface interface-type interface-number command, and
you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 1/0/0
storm type         rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast    bps           cir: 1000(kbit/s), cbs: 188000(byte)
multicast          bps           cir: 1000(kbit/s), cbs: 188000(byte)
broadcast          bps           cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------
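To make the bit-rate (cir/cbs) mode concrete, here is an added token-bucket model of what a CIR/CBS limit does to a broadcast storm versus ordinary broadcast load. It is not S9300 code; the page does not describe how the S9300 implements its limiter, and the default CBS relationship used below (188 bytes per kbit/s of CIR) is read off the display outputs in this chapter rather than taken from a documented rule. Time is kept in whole milliseconds and the bucket in bits so the arithmetic is exact; the sample frame streams are constructed.

```python
def default_cbs(cir_kbps: int) -> int:
    """CBS that the display flow-suppression output above shows next to a CIR
    (cir 100 -> cbs 18800, cir 1000 -> cbs 188000), i.e. 188 bytes per kbit/s.
    Assumption read off those two outputs, not a documented rule."""
    return cir_kbps * 188


class TokenBucket:
    """Single-rate token bucket: tokens (bits) accrue at the CIR up to the CBS;
    a frame is forwarded only if the bucket holds at least its size in bits."""

    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.rate_bits_per_ms = cir_kbps       # 1 kbit/s is exactly 1 bit per ms
        self.depth_bits = cbs_bytes * 8
        self.tokens = self.depth_bits          # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms: int, frame_bytes: int) -> bool:
        # Refill for the time elapsed since the last frame, capped at the burst size.
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.depth_bits, self.tokens + elapsed * self.rate_bits_per_ms)
        self.last_ms = now_ms
        need = frame_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False                            # suppressed (dropped)


def simulate(cir_kbps: int, cbs_bytes: int, frame_bytes: int,
             interval_ms: int, count: int) -> tuple:
    """Offer `count` frames of frame_bytes spaced interval_ms apart to an
    interface limited to cir_kbps/cbs_bytes. Returns (forwarded, dropped)."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    forwarded = sum(1 for i in range(count) if bucket.offer(i * interval_ms, frame_bytes))
    return forwarded, count - forwarded


if __name__ == "__main__":
    cir, cbs = 100, default_cbs(100)            # broadcast-suppression cir 100 (cbs 18800)
    # Constructed broadcast storm: 64-byte frames at 1000 pps (512 kbit/s) for one second.
    print("storm  :", simulate(cir, cbs, 64, 1, 1000))
    # Constructed normal broadcast load: 64-byte frames at 20 pps (about 10 kbit/s).
    print("normal :", simulate(cir, cbs, 64, 50, 20))
```

With cir 100 and the 18800-byte burst, one second of a 512 kbit/s storm gets through at roughly the burst plus one second of CIR (about 31 kB, 488 frames) and the rest is dropped, while a 20 pps stream stays under the CIR and is never touched. The CBS decides how large an initial burst is tolerated before suppression starts, which is the knob to lower if a short burst of broadcasts is itself a problem.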

10.4 Configuration Examples


This section provides several configuration examples of traffic suppression.
10.4.1 Example for Configuring Traffic Suppression

10.4.1 Example for Configuring Traffic Suppression



Networking Requirements
As shown in Figure 10-1, the S9300 is connected to the Layer 2 network and Layer 3 router.
To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer
2 network, you can configure traffic suppression on GE 1/0/2.
Figure 10-1 Networking diagram for configuring traffic suppression
[Figure labels: L2 network; GE1/0/3; GE1/0/2; L3 network; S9300]

Configuration Roadmap
Configure traffic suppression in the interface view of GE 1/0/2.

Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/2 where traffic suppression is configured
- Traffic suppression for broadcast and unknown unicast packets based on the bit rate
- Traffic suppression for multicast packets based on the rate percentage
- Maximum rate of broadcast and unknown unicast packets being 100 kbit/s after traffic suppression is configured
- Maximum rate of multicast packets being 80 percent of the interface rate after traffic suppression is configured


Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/2

Step 2 Configure traffic suppression for broadcast packets.


[Quidway-GigabitEthernet1/0/2] broadcast-suppression cir 100

Step 3 Configure traffic suppression for multicast packets.


[Quidway-GigabitEthernet1/0/2] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.


[Quidway-GigabitEthernet1/0/2] unicast-suppression cir 100

Step 5 Verify the configuration.


Run the display flow-suppression interface command, and you can view the configuration of
traffic suppression on GE 1/0/2.
<Quidway> display flow-suppression interface gigabitethernet 1/0/2
storm type         rate mode     set rate value
-------------------------------------------------------------------------------
unknown-unicast    bps           cir: 100(kbit/s), cbs: 18800(byte)
multicast          percent       percent: 80%
broadcast          bps           cir: 100(kbit/s), cbs: 18800(byte)
-------------------------------------------------------------------------------

----End

Configuration Files
#
sysname Quidway
#
interface gigabitethernet 1/0/2
unicast-suppression cir 100 cbs 18800
multicast-suppression percent 80
broadcast-suppression cir 100 cbs 18800
#
return

11 ACL Configuration

About This Chapter


This chapter describes how to configure the Access Control List (ACL).
11.1 Introduction to the ACL
This section describes the basic concepts and parameters of an ACL.
11.2 Classification of ACLs Supported by the S9300
This section describes the classification of ACLs supported by the S9300.
11.3 Configuring an ACL
This section describes how to create an ACL, set the time range, configure the description of an
ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step
of an ACL.
11.4 Configuring ACL6
This section describes how to configure basic ACL6 and advanced ACL6.
11.5 Configuration Examples
This section provides configuration examples of the ACL.


11.1 Introduction to the ACL


This section describes the basic concepts and parameters of an ACL.
To filter packets, a set of rules needs to be configured on the S9300 to determine which data
packets can pass through. These rules are defined in an ACL.
An ACL is an ordered series of rules composed of permit and deny clauses. The clauses are
defined based on the source address, destination address, port number, and other fields of a
packet. The ACL classifies packets according to the rules. After these rules are applied to the
interfaces on the S9300, the S9300 can determine which packets are accepted and which are rejected.

11.2 Classification of ACLs Supported by the S9300


This section describes the classification of ACLs supported by the S9300.
NOTE

In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers
to the access control list that is used to filter IPv6 packets.

Classification of ACLs
The S9300 supports basic ACLs, advanced ACLs, and Ethernet frame header ACLs for IPv4
packets.
- Basic ACLs: classify and define data packets according to their source addresses,
fragmentation flag, and effective time range.
- Advanced ACLs: classify and define data packets at a finer granularity according to the source
address, destination address, source port number, destination port number, protocol type,
precedence, and effective time range.
- Frame header-based ACLs: classify and define data packets according to the source MAC
address, destination MAC address, and protocol type.

The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
- A basic ACL6 can use the source IP address, fragmentation flag, and effective time range
as the elements of rules.
- An advanced ACL6 can use the source IP address and destination IP address of data packets,
the protocol type carried by IP, features of the protocol such as the source port number and
destination port number, ICMPv6 type, and ICMPv6 code as the elements of rules.


Application of ACLs
ACLs defined on the S9300 can be applied in the following scenarios:
- Hardware-based application: The ACL is sent to the hardware. For example, when QoS is
configured, the ACL is imported to classify packets. Note that when the ACL is imported
by QoS, the packets matching an ACL rule in deny mode are discarded. If the action in
the ACL is permit, the packets matching the ACL are processed by the S9300 according
to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see
the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
- Software-based application: The ACL is imported by the upper-layer software. For example,
when the control function is configured for login users, you can use the ACL to control
FTP, Telnet, and SSH users. When the S9300 functions as a TFTP client, you can configure
an ACL to specify the TFTP servers that the S9300 can access through TFTP.
When the ACL is imported by the upper-layer software, the packets matching the ACL are
processed by the S9300 according to the deny or permit action defined in the ACL. For
details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration
Guide - Basic Configurations.
NOTE

When the ACL is sent to the hardware and is imported by QoS to classify packets, the S9300 does not
process packets that match no ACL rule according to the action defined in the traffic behavior.

When the ACL is imported by the upper-layer software and is used to control FTP, Telnet, or SSH
login users, the S9300 discards packets that match no ACL rule.

11.3 Configuring an ACL


This section describes how to create an ACL, set the time range, configure the description of an
ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step
of an ACL.

Context
NOTE

11.3.5 Configuring a Basic ACL, 11.3.6 Configuring an Advanced ACL, and 11.3.7 Configuring a
Layer 2 ACL are optional and can be configured as required.

11.3.1 Establishing the Configuration Task


11.3.2 Creating an ACL
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
11.3.4 (Optional) Configuring the Description of an ACL
11.3.5 Configuring a Basic ACL
11.3.6 Configuring an Advanced ACL
11.3.7 Configuring a Layer 2 ACL
11.3.8 (Optional) Setting the Step of an ACL
11.3.9 Checking the Configuration

11.3.1 Establishing the Configuration Task


Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish
the types of packets and process them accordingly.

Pre-configuration Tasks
None.

Data Preparation
To configure an ACL, you need the following data:
1. Name of the time range when the ACL takes effect, start time, and end time
2. Number of the ACL
3. Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
4. Description of the ACL
5. Step of the ACL


11.3.2 Creating an ACL


Context
An ACL consists of a series of rules defined by multiple permit or deny clauses. You need to
create an ACL before configuring the rules of the ACL.
To create an ACL, you need to:
- Specify the number of the ACL. For example, an ACL numbered from 2000 to 2999 is a basic
ACL, and an ACL numbered from 3000 to 3999 is an advanced ACL.
- Set the match order of the ACL rules. This parameter is optional. By default, the match order is config.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

An ACL is created.

- To create a basic ACL, set acl-number to a value from 2000 to 2999.
- To create an advanced ACL, set acl-number to a value from 3000 to 3999.
- To create a Layer 2 ACL, set acl-number to a value from 4000 to 4999.

----End

11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }

A time range is set.


You can set the same name for multiple time ranges to describe a special period. For example,
three time ranges are set with the same name test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and
Sunday in the year 2009.
----End

Postrequisite
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no
time range is specified for the ACL, the ACL is always effective until it is deleted or the rules
of the ACL are deleted.

11.3.4 (Optional) Configuring the Description of an ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
description text

The description of the ACL is configured.


The description of an ACL is a string of up to 127 characters, describing the usage of the ACL.
By default, no description is configured for an ACL.
----End

11.3.5 Configuring a Basic ACL


Context
Do as follows on the S9300.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A basic ACL is created.


To create a basic ACL, set acl-number to a value from 2000 to 2999.
match-order indicates the match order of ACL rules.
- auto: indicates that the ACL rules are matched according to the depth-first principle.
- config: indicates that the rules are matched in the configuration order.

If match-order is not specified, the match order is config.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created.


----End

11.3.6 Configuring an Advanced ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created.


To create an advanced ACL, set acl-number to a value from 3000 to 3999.
match-order indicates the match order of ACL rules.
- auto: indicates that the ACL rules are matched according to the depth-first principle.
- config: indicates that the rules are matched in the configuration order.

If match-order is not specified, the match order is config.


Step 3 Run the following command as required:
- When protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram
Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port eq port | time-range time-name | tos tos ] *

An ACL rule is created.

- When protocol is specified as ICMP, run:
rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created.

- When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *

An ACL rule is created.


You can configure different advanced ACLs on the S9300 according to the protocol carried by
IP. Different parameter combinations are available for different protocol types.
NOTE

dscp dscp and precedence precedence cannot be specified at the same time.

----End

11.3.7 Configuring a Layer 2 ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A layer 2 ACL is created.


To create a Layer 2 ACL, set acl-number to a value from 4000 to 4999.
match-order indicates the match order of ACL rules.
- auto: indicates that the ACL rules are matched according to the depth-first principle.
- config: indicates that the rules are matched in the configuration order.

If match-order is not specified, the match order is config.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ source-mac source-mac-address source-mac-mask ] [ dest-mac dest-mac-address dest-mac-mask | type protocol-type protocol-type-mask ]

An ACL rule is created.


----End

11.3.8 (Optional) Setting the Step of an ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
step step-value

The step of an ACL is set.


When changing ACL configurations, note the following:
- The undo step command restores the default step of an ACL and re-arranges the numbers of ACL rules.
- By default, the value of step-value is 5.

----End

11.3.9 Checking the Configuration


Prerequisite
The configurations of the ACL are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL.
- Run the display time-range { all | time-name } command to check the time range.

----End

Example
# Run the display acl command, and you can view the ACL number, number of rules, step,
and details of ACL rules.
<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.1 0 (0 times matched)

# Run the display time-range command, and you can view the configuration and status of the
current time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
from 09:09 2008/9/9 to 23:59 2099/12/31
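The rule numbering, wildcard masks and the two match orders described in 11.3.2 through 11.3.8 decide which rule a packet actually hits, and a broad permit entered before a narrow deny is the classic way an ACL ends up not blocking what it was meant to block. The following is an added example, not S9300 code, that models these pieces for IPv4 source/destination matching. Assumptions: config order is taken as ascending rule id (the entry order when ids are auto-assigned), auto-assigned ids are the next multiple of the step above the highest existing id (consistent with the display acl 3000 output above, rule 5 under step 5), and "depth first" is read as "the rule that pins down more address bits is tested first"; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_ADDR, ANY_WILD = "0.0.0.0", "255.255.255.255"   # address/wildcard pair meaning "any"


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(rule_ip) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    src: str = ANY_ADDR
    src_wild: str = ANY_WILD
    dst: str = ANY_ADDR
    dst_wild: str = ANY_WILD

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (wildcard_match(src_ip, self.src, self.src_wild)
                and wildcard_match(dst_ip, self.dst, self.dst_wild))

    def specificity(self) -> int:
        """Number of address bits the rule pins down (0 bits in both wildcards)."""
        return 64 - bin(_ip(self.src_wild)).count("1") - bin(_ip(self.dst_wild)).count("1")


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5) -> None:
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs are 2000-2999, advanced ACLs 3000-3999")
        self.number = number
        self.match_order = match_order    # "config" (default) or "auto"
        self.step = step                  # default step is 5
        self.rules: List[Rule] = []

    def add_rule(self, action: str, src: str = ANY_ADDR, src_wild: str = ANY_WILD,
                 dst: str = ANY_ADDR, dst_wild: str = ANY_WILD,
                 rule_id: Optional[int] = None) -> Rule:
        if rule_id is None:
            # Assumed numbering: next multiple of step above the highest existing id,
            # so the first rule under step 5 becomes rule 5.
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        rule = Rule(rule_id, action, src, src_wild, dst, dst_wild)
        self.rules.append(rule)
        return rule

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "auto":
            # Depth-first (assumed reading): most specific rule first, ties by rule id.
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def evaluate(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches. What
        None means is decided by the application (see 11.2): a QoS import leaves
        the packet untouched, login-user control discards it."""
        for rule in self.ordered_rules():
            if rule.matches(src_ip, dst_ip):
                return rule.action
        return None


def shadowing_demo() -> dict:
    """A broad permit entered before a narrow deny: in config order the deny is
    never reached; in auto order the more specific deny wins."""
    acl = Acl(3000)
    acl.add_rule("permit", src="10.1.1.0", src_wild="0.0.0.255")   # rule 5
    acl.add_rule("deny", src="10.1.1.1", src_wild="0.0.0.0")       # rule 10
    in_config_order = acl.evaluate("10.1.1.1", "192.0.2.10")
    acl.match_order = "auto"
    in_auto_order = acl.evaluate("10.1.1.1", "192.0.2.10")
    return {"rule_ids": [r.rule_id for r in acl.rules],
            "config": in_config_order, "auto": in_auto_order,
            "other_host": acl.evaluate("10.1.1.2", "192.0.2.10"),
            "no_match": acl.evaluate("10.2.0.1", "192.0.2.10")}


if __name__ == "__main__":
    print(shadowing_demo())
```

Checking an ACL with display acl after each change is the cheap way to catch a shadowed rule: the "(0 times matched)" counter on a deny that should be firing is the tell. Under config order the fix is to give the narrow deny a lower rule id (or re-enter the rules), not to rely on auto order.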

11.4 Configuring ACL6


This section describes how to configure basic ACL6 and advanced ACL6.
11.4.1 Establishing the Configuration Task
11.4.2 Creating an ACL6
11.4.3 (Optional) Creating the Time Range of the ACL6
11.4.4 Configuring a Basic ACL6
11.4.5 Configuring an Advanced ACL6
11.4.6 Checking the Configuration

11.4.1 Establishing the Configuration Task


Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring policy-based routing
- Configuring a routing policy

Pre-configuration Tasks
None

Data Preparation
To configure an ACL6, you need the following data:
1. Number of the ACL6
2. (Optional) Name of the time range during which the ACL6 is valid and the start time and end time of the time range
3. Number of the ACL6 and the rule identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS

11.4.2 Creating an ACL6


Context
To create an ACL6, you need to:
- Specify a number to identify the ACL6 type. For example, an ACL6 numbered from 2000 to 2999 is a basic ACL6, and an ACL6 numbered from 3000 to 3999 is an advanced ACL6.
- Set the match order of the ACL6. This parameter is optional. By default, the match order is config.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An ACL6 is created.
- The acl6-number value of a basic ACL6 ranges from 2000 to 2999.
- The acl6-number value of an advanced ACL6 ranges from 3000 to 3999.

----End

11.4.3 (Optional) Creating the Time Range of the ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }

The time range is created.


You can set the same name for multiple time ranges to describe a special period. For example,
three time ranges are set with the same name, test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59
- Time range 2: 8:00-18:00 on Monday to Friday
- Time range 3: 14:00-18:00 on Saturday and Sunday

The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and
Sunday in the year 2009.
----End

Postrequisite
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If
no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the
rules of the ACL6 are deleted.

11.4.4 Configuring a Basic ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An ACL6 is created.
The acl6-number value of a basic ACL6 ranges from 2000 to 2999.
match-order indicates the match order of ACL6 rules.
- auto: indicates that the ACL6 rules are matched according to the depth-first principle.
- config: indicates that the rules are matched in the configuration order.

If match-order is not specified, the match order is config.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

The rule of the ACL6 is configured.


----End

11.4.5 Configuring an Advanced ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An advanced ACL6 is created.


The acl6-number value of an advanced ACL6 ranges from 3000 to 3999.
match-order indicates the match order of ACL6 rules.
- auto: indicates that the ACL6 rules are matched according to the depth-first principle.
- config: indicates that the rules are matched in the configuration order.

If match-order is not specified, the match order is config.


Step 3 Perform the following steps as required to configure rules for the ACL6:
You can configure the advanced ACL6 on the S9300 according to the type of the protocol carried
by IP. The parameters vary according to the protocol type.
- When protocol is TCP or UDP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos ] *

- When protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *

- When protocol is not TCP, UDP, or ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *


----End
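The following Python evaluator is an added example, not code from the Huawei guide or from the S9300 software. It models the ACL6 rule semantics described in 11.4.4 and 11.4.5: a source given as addr/prefix-length, as addr prefix-length, or as any; first match wins; and the difference between match-order config and match-order auto. Two points are assumptions rather than statements of the page: the depth-first (auto) order is modelled as "most specific source prefix first", and a packet that matches no rule is reported as None (unclassified) instead of denied. The rule set is constructed to show why the match order matters: a broad permit configured before a host-specific deny silently wins under config order.

```python
# Added example, not part of the Huawei guide: a small evaluator for the
# basic/advanced ACL6 rule semantics described in 11.4.4 and 11.4.5.
# Assumptions (not stated on the page): "auto" (depth-first) is modelled as
# "longest source prefix first", and a packet that matches no rule is left
# unclassified (None) rather than denied.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Acl6Rule:
    rule_id: int                    # position in configuration order
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv6Network   # "any" is stored as ::/0


def parse_source(text: str) -> ipaddress.IPv6Network:
    """Accept the three source forms the rule syntax allows:
    'addr/prefix-length', 'addr prefix-length' and 'any'."""
    text = text.strip()
    if text == "any":
        return ipaddress.IPv6Network("::/0")
    if "/" not in text:
        addr, plen = text.split()
        text = f"{addr}/{plen}"
    # strict=False masks off host bits, e.g. "3001::2 64" -> 3001::/64
    return ipaddress.IPv6Network(text, strict=False)


def ordered(rules: List[Acl6Rule], match_order: str) -> List[Acl6Rule]:
    """config: rules are tried in configuration order.
    auto: depth-first, modelled here as most specific source prefix first
    (assumption); rules of equal depth keep configuration order."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (-r.source.prefixlen, r.rule_id))
    raise ValueError(f"unknown match-order {match_order!r}")


def evaluate(rules: List[Acl6Rule], src: str, match_order: str = "config") -> Optional[str]:
    """Return the action of the first matching rule (first match wins)."""
    addr = ipaddress.IPv6Address(src)
    for rule in ordered(rules, match_order):
        if addr in rule.source:
            return rule.action
    return None


# Constructed rule set: a broad permit configured before a host-specific deny.
EXAMPLE_RULES = [
    Acl6Rule(0, "permit", parse_source("3001:: 64")),
    Acl6Rule(1, "deny", parse_source("3001::2/128")),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, "->", evaluate(EXAMPLE_RULES, "3001::2", order))
```

With match-order config the host 3001::2 is permitted by rule 0 before rule 1 is ever consulted; with match-order auto the /128 deny is tried first. When a deny for a single host must take effect regardless of the order, configure it before the broader permit or use auto and verify with display acl ipv6.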

11.4.6 Checking the Configuration


Prerequisite
The configurations of the ACL6 are complete.

Procedure
- Run the display acl ipv6 { acl6-number | all } command to view the rules of the ACL6.
- Run the display time-range { all | time-name } command to view information about the time range.

----End
Example
# Run the display acl ipv6 command, and you can see the ACL number, the number of rules,
and content of the rules.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
rule 0 permit time-range time1 (0 times matched) (Inactive)
rule 1 permit (0 times matched)

# Run the display time-range command, and you can see the configuration and status of the
current time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday
Time-range : time1 ( Inactive )
12:00 to 23:00 working-day

11.5 Configuration Examples


This section provides configuration examples of the ACL.
11.5.1 Example for Configuring a Basic ACL
11.5.2 Example for Configuring an Advanced ACL
11.5.3 Example for Configuring a Layer 2 ACL
11.5.4 Example for Configuring an ACL6

11.5.1 Example for Configuring a Basic ACL


Networking Requirements
As shown in Figure 11-1, GE 1/0/1 of the S9300 is connected to the user, and GE 2/0/1 is
connected to the upstream router. To prevent source address spoofing, you need to configure
strict URPF check on GE 1/0/1 and GE 2/0/1. In addition, it is required that the S9300 trusts the
packets from user A whose IP address is 10.0.0.2/24. In this case, you also need to disable URPF
check for the packets sent by user A.
Figure 11-1 Networking diagram for disabling URPF for the specified traffic
[Figure: PC A (IP 10.0.0.2/24) is connected to GE1/0/1 of the S9300; GE2/0/1 of the S9300 is connected toward PC B.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the URPF function.
2. Configure the ACL.
3. Configure the traffic classifier.
4. Configure the traffic behavior.
5. Configure the traffic policy.
6. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with URPF: GE 1/0/1 and GE 2/0/1
- ACL number: 2000
- IP address of user A: 10.0.0.2/24
- Names of traffic classifier, traffic behavior, and traffic policy: tc1, tb1, and tp1
- Interface where the traffic policy is applied: GE 1/0/1

Procedure
Step 1 Configure the URPF function.
# Enable the URPF function on the LPU.
<Quidway> system-view
[Quidway] urpf slot 1
[Quidway] urpf slot 2

# Configure the URPF mode on the interface.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] urpf strict
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] urpf strict
[Quidway-GigabitEthernet2/0/1] quit

Step 2 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

# Configure the traffic classifier and reference the ACL in it.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Define the traffic behavior and disable the URPF function in the traffic behavior view.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] ip urpf disable
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic
policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 1/0/1.


[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.


# Check the configuration of the ACL rules.
<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 10.0.0.0 0.0.0.255 (0 times matched)

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 20
Operator: OR
Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: tc1
  Behavior: tb1
   urpf switch: off

----End

Configuration Files
#
sysname Quidway
#
urpf slot 1
urpf slot 2
#
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 20
if-match acl 2000
#

traffic behavior tb1
ip urpf disable
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
urpf strict
traffic-policy tp1 inbound
#
interface GigabitEthernet2/0/1
urpf strict
#
return
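The following Python snippet is an added example, not code from the Huawei guide, illustrating how the wildcard mask in rule permit source 10.0.0.2 0.0.0.255 (ACL 2000 above) is interpreted. A wildcard bit of 0 means the corresponding address bit must match and a bit of 1 means "don't care", which is why display acl 2000 above shows the rule stored as 10.0.0.0 0.0.0.255. Because behavior tb1 disables URPF for everything classifier tc1 matches, the wildcard decides how many source addresses are exempted from the strict URPF check: with 0.0.0.255 it is every address in 10.0.0.0/24, and a wildcard of 0.0.0.0 would narrow the exemption to the single host 10.0.0.2. The helper names are the example's own.

```python
# Added example, not part of the Huawei guide: how the IPv4 wildcard mask in
# "rule permit source 10.0.0.2 0.0.0.255" (ACL 2000 above) is interpreted.
# A wildcard bit of 0 means "this address bit must match"; a bit of 1 means
# "don't care". display acl 2000 on the page shows the stored form 10.0.0.0.
import ipaddress


def _ints(addr: str, wildcard: str):
    """Address, wildcard and the 'care' mask (complement of the wildcard) as ints."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF          # bits the switch compares
    return a, w, care


def normalize_wildcard(addr: str, wildcard: str) -> str:
    """Return the rule as the switch stores and displays it: don't-care bits
    cleared, e.g. 10.0.0.2 0.0.0.255 -> 10.0.0.0 0.0.0.255."""
    a, _w, care = _ints(addr, wildcard)
    return f"{ipaddress.IPv4Address(a & care)} {wildcard}"


def wildcard_match(packet_src: str, addr: str, wildcard: str) -> bool:
    """True when every 'care' bit of packet_src equals the rule address."""
    a, _w, care = _ints(addr, wildcard)
    p = int(ipaddress.IPv4Address(packet_src))
    return (p & care) == (a & care)


def matched_host_count(wildcard: str) -> int:
    """Number of distinct source addresses a rule with this wildcard matches:
    one per combination of the don't-care bits."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")


if __name__ == "__main__":
    print(normalize_wildcard("10.0.0.2", "0.0.0.255"))
    print(matched_host_count("0.0.0.255"), "source addresses exempted from URPF by 0.0.0.255")
    print(matched_host_count("0.0.0.0"), "source address exempted with a host wildcard")
```

Run it after committing the ACL and compare normalize_wildcard() with the display acl output: if the displayed address differs from what was typed, the wildcard is wider than the single host that was intended.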

11.5.2 Example for Configuring an Advanced ACL


Networking Requirements
As shown in Figure 11-2, the departments of the company are connected through the S9300s.
It is required that the IPv4 ACL be configured correctly. The personnel of the R&D department
and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30,
whereas the personnel of the president's office can access the server at any time.
Figure 11-2 Networking diagram for configuring IPv4 ACLs
[Figure: the S9300 connects the salary query server 10.164.9.9 on GE2/0/1, the president's office 10.164.1.0/24 on GE1/0/1, the marketing department 10.164.2.0/24 on GE1/0/2, and the R&D department 10.164.3.0/24 on GE1/0/3.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to
- Name of the time range
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and the traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLANs and assign IP addresses to the VLANIF interfaces.
Add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively,
and add GE 2/0/1 to VLAN 100. The first IP address of each network segment is used as the
address of the VLANIF interface. GE 1/0/1 is taken as an example; the configurations of the other
interfaces are similar and are not shown here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.


# Configure the time range from 8:00 to 17:30.
<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.


# Configure the ACL for the personnel of the marketing department to access the salary query
server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL for the personnel of the R&D department to access the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.


# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior b_market to reject packets.
[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.


[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.


# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.


# Apply the traffic policy p_market to GE 1/0/2.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] traffic-policy p_market inbound
[Quidway-GigabitEthernet1/0/2] quit

# Apply the traffic policy p_rd to GE 1/0/3.


[Quidway] interface gigabitethernet 1/0/3
[Quidway-GigabitEthernet1/0/3] traffic-policy p_rd inbound
[Quidway-GigabitEthernet1/0/3] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
<Quidway> display acl all
Total nonempty ACL number is 2
Advanced ACL 3002, 1 rule

Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (0 times matched)(Active)
Advanced ACL 3003, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime (0 times matched)(Active)

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3002
Classifier: c_rd
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3003

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: c_market
  Behavior: b_market
   Deny
Policy: p_rd
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: c_rd
  Behavior: b_rd
   Deny

----End

Configuration Files
#
sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market

deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
port link-type access
port default vlan 100
#
return
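The following Python evaluator is an added example, not code from the Huawei guide or the S9300 software. It reproduces two things the page shows but does not compute: the Active/Inactive status that display time-range reports (in 11.4.6, time1 with 12:00 to 23:00 working-day is shown Inactive at 09:33:31 on Thursday 5-21-2009), and the effect of the time-range based deny rules in ACL 3002 and ACL 3003 above, where an inactive rule is skipped so the same packet is denied during working hours and left unclassified outside them. Assumptions of the example, not statements of the page: working-day means Monday to Friday, the range bounds are inclusive, the wildcard masks are contiguous, and an unmatched packet is reported as None. The helper and constant names are the example's own.

```python
# Added example, not part of the Huawei guide: evaluates the time-range based
# deny rules of ACL 3002/3003 above and reproduces the Active/Inactive status
# that "display time-range" reports (11.4.6 shows time1, 12:00 to 23:00
# working-day, as Inactive at 09:33 on a Thursday).
# Assumptions: working-day means Monday to Friday, range bounds are inclusive,
# wildcards are contiguous, and an unmatched packet is not classified (None).
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

WORKING_DAY = {0, 1, 2, 3, 4}          # Monday..Friday in datetime.weekday()


@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: set

    def is_active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


def parse_time_range(line: str) -> TimeRange:
    """Parse the command form used on the page:
    'time-range satime 8:00 to 17:30 working-day'."""
    _cmd, name, start, to, end, period = line.split()
    if to != "to" or period != "working-day":
        raise ValueError(f"unsupported time-range syntax: {line!r}")
    hhmm = lambda s: time(*map(int, s.split(":")))
    return TimeRange(name, hhmm(start), hhmm(end), WORKING_DAY)


def time_range_status(tr: TimeRange, when: str) -> str:
    """'Active' or 'Inactive' for an ISO timestamp, as display time-range shows."""
    return "Active" if tr.is_active(datetime.fromisoformat(when)) else "Inactive"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei wildcard (0 = must match) to a prefix; assumes a contiguous mask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)


@dataclass
class AdvRule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    time_range: Optional[TimeRange] = None


def evaluate(rules: List[AdvRule], src: str, dst: str, when: str) -> Optional[str]:
    """First active, matching rule wins; a rule whose time range is inactive is skipped."""
    now = datetime.fromisoformat(when)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.time_range is not None and not r.time_range.is_active(now):
            continue
        if s in r.src and d in r.dst:
            return r.action
    return None


# The time range and the two rules configured above, expressed with the helpers.
SATIME = parse_time_range("time-range satime 8:00 to 17:30 working-day")
EXAMPLE_RULES = [
    AdvRule("deny", wildcard_to_network("10.164.2.0", "0.0.0.255"),
            wildcard_to_network("10.164.9.9", "0.0.0.0"), SATIME),   # ACL 3002
    AdvRule("deny", wildcard_to_network("10.164.3.0", "0.0.0.255"),
            wildcard_to_network("10.164.9.9", "0.0.0.0"), SATIME),   # ACL 3003
]

if __name__ == "__main__":
    print(time_range_status(SATIME, "2009-05-21 09:33:31"))
    print(evaluate(EXAMPLE_RULES, "10.164.2.5", "10.164.9.9", "2009-05-21 09:33:31"))
    print(evaluate(EXAMPLE_RULES, "10.164.2.5", "10.164.9.9", "2009-05-21 18:00:00"))
```

The evaluator makes the operational dependency visible: the deny is only as reliable as the switch clock, so a wrong system time silently turns the working-hours restriction off. Checking display time-range after a time change, as the 11.4.6 example does, is the cheap way to confirm the rules are in the state you expect.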

11.5.3 Example for Configuring a Layer 2 ACL


Networking Requirements
As shown in Figure 11-3, the S9300 that functions as the gateway is connected to the PC. It is
required that an ACL be configured to prevent the packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.
Figure 11-3 Networking diagram for configuring layer 2 ACLs
[Figure: PC with MAC address 00e0-f201-0101, GE2/0/1 and GE1/0/1 of the S9300, IP network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and the traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-ethernetframe-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-ethernetframe-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.


# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.


# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.


# Apply the traffic policy tp1 to GE 2/0/1.
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet2/0/1] quit

Step 6 Verify the configuration.


# Check the configuration of ACL rules.
<Quidway> display acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 5
rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff (0 times matched)

# Check the configuration of the traffic classifier.


<Quidway> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 15
Operator: OR
Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.


<Quidway> display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: default-class
Behavior: be
-noneClassifier: tc1
Behavior: tb1
Deny

----End

Configuration Files
#
sysname Quidway
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
#
traffic classifier tc1 operator or precedence 15
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return
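The following Python snippet is an added example, not code from the Huawei guide or the S9300 software. It evaluates the Layer 2 rule of ACL 4000 above and makes the mask convention explicit: for source-mac and dest-mac a mask bit of 1 means "compare this bit", the opposite of the IPv4 wildcard, so ffff-ffff-ffff matches exactly one address. The example goes one step beyond the page with a constructed OUI-wide mask (ffff-ff00-0000), which is not on the page. The helper and constant names are the example's own. A source MAC address is set by the sending host, so a Layer 2 deny identifies a host only as firmly as its MAC address does; that is a property of the mechanism to keep in mind when choosing it over an IP-based rule.

```python
# Added example, not part of the Huawei guide: Layer 2 ACL matching as in
# ACL 4000 above. For source-mac/dest-mac the mask works the opposite way to
# an IPv4 wildcard: a mask bit of 1 means "compare this bit", so
# ffff-ffff-ffff matches exactly one address and ffff-ff00-0000 matches a
# whole OUI (the latter is a constructed variation, not on the page).
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Accept the Huawei notation 00e0-f201-0101 as well as colon-separated
    forms; case-insensitive."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mac_match(frame_mac: str, rule_mac: str, rule_mask: str) -> bool:
    """True when the frame MAC equals the rule MAC on every mask bit set to 1."""
    mask = mac_to_int(rule_mask)
    return (mac_to_int(frame_mac) & mask) == (mac_to_int(rule_mac) & mask)


@dataclass
class L2Rule:
    action: str
    src_mac: str
    src_mask: str
    dst_mac: str
    dst_mask: str


def evaluate(rules: List[L2Rule], src_mac: str, dst_mac: str) -> Optional[str]:
    """First matching rule wins; None means no rule matched (frame not classified)."""
    for r in rules:
        if mac_match(src_mac, r.src_mac, r.src_mask) and mac_match(dst_mac, r.dst_mac, r.dst_mask):
            return r.action
    return None


# The rule configured in ACL 4000 above.
EXAMPLE_RULES = [
    L2Rule("deny", "00e0-f201-0101", "ffff-ffff-ffff", "0260-e207-0002", "ffff-ffff-ffff"),
]

# Constructed variation: deny every source in the 00e0-f2 OUI to the same destination.
OUI_RULES = [
    L2Rule("deny", "00e0-f200-0000", "ffff-ff00-0000", "0260-e207-0002", "ffff-ffff-ffff"),
]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_RULES, "00e0-f201-0101", "0260-e207-0002"))   # deny
    print(evaluate(EXAMPLE_RULES, "00e0-f201-0102", "0260-e207-0002"))   # None
    print(evaluate(OUI_RULES, "00e0-f2ab-cdef", "0260-e207-0002"))       # deny
```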

11.5.4 Example for Configuring an ACL6

Networking Requirements
As shown in Figure 11-4, S9300-A and S9300-B are connected through GE interfaces. You
need to configure an ACL6 rule on S9300-A to prevent the IPv6 packets with the source IP
address 3001::2 from entering GE 1/0/0 of S9300-A.
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets
[Figure: GE1/0/0 of S9300-A (3001::1/64) and GE1/0/0 of S9300-B (3001::2/64) are connected in VLAN 10; S9300-B also has Loopback2 with 3002::2/64.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the number of the ACL6.
2. Configure the rules in the ACL6.
3. Define the classification, action, and policy to be performed on the packets.

Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
- Source IPv6 address permitted by the ACL6 rule
- Names of traffic classifier, traffic behavior, and traffic policy
- Interface where the traffic policy is applied

Procedure
Step 1 Enable IPv6 forwarding capability on S9300-A and S9300-B, set the parameters for the
interfaces, and check the connectivity.
# Configure S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] ipv6
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] port link-type trunk
[S9300-A-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-A-GigabitEthernet1/0/0] quit
[S9300-A] interface vlanif 10
[S9300-A-Vlanif10] ipv6 enable
[S9300-A-Vlanif10] ipv6 address 3001::1 64
[S9300-A-Vlanif10] quit

# Configure a static route on S9300-A.


[S9300-A] ipv6 route-static 3002:: 64 3001::2

# Configure S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] ipv6
[S9300-B] interface loopback 2
[S9300-B-LoopBack2] ipv6 enable
[S9300-B-LoopBack2] ipv6 address 3002::2 64
[S9300-B-LoopBack2] quit
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] port link-type trunk
[S9300-B-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface vlanif 10
[S9300-B-Vlanif10] ipv6 enable
[S9300-B-Vlanif10] ipv6 address 3001::2 64
[S9300-B-Vlanif10] quit

# Ping interface VLANIF 10 of S9300-A from VLANIF 10 of S9300-B.


[S9300-B] ping ipv6 -a 3001::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 80 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.


# Ping interface VLANIF 10 of S9300-A from loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 30 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 20 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 20 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/60 ms

The ping succeeds without timeout or abnormal delay.


Step 2 Create an ACL6 rule and apply the rule to the interface to reject the IPv6 packets from 3001::2.
# Configure S9300-A.
[S9300-A] acl ipv6 number 3001
[S9300-A-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[S9300-A-acl6-adv-3001] quit
[S9300-A] traffic classifier class1

[S9300-A-classifier-class1] if-match ipv6 acl 3001


[S9300-A-classifier-class1] quit
[S9300-A] traffic behavior behav1
[S9300-A-behavior-behav1] deny
[S9300-A-behavior-behav1] quit
[S9300-A] traffic policy policy1
[S9300-A-trafficpolicy-policy1] classifier class1 behavior behav1
[S9300-A-trafficpolicy-policy1] quit
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[S9300-A-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.


# Ping interface VLANIF 10 of S9300-A from VLANIF 10 of S9300-B.
[S9300-B] ping ipv6 -a 3001::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 3001::1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms

The ping fails.


# Ping interface VLANIF 10 of S9300-A from loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 80 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 30 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/48/80 ms

The ping succeeds without timeout or abnormal delay.


----End

Configuration Files
- Configuration file of S9300-A
#
sysname S9300-A
#
ipv6
#
acl ipv6 number 3001
rule 0 deny ipv6 source 3001::2/128
#

traffic classifier class1 operator or
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
#
traffic policy policy1
classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy policy1 inbound
#
interface Vlanif10
ipv6 enable
ipv6 address 3001::1/64
#
ipv6 route-static 3002:: 64 3001::2
#
return
- Configuration file of S9300-B
#
sysname S9300-B
#
ipv6
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif 10
ipv6 enable
ipv6 address 3001::2/64
#
interface LoopBack2
ipv6 enable
ipv6 address 3002::2/64
#
return
