Issue 06 (20100108)
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Website: Email:
Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Contents
About This Document ..... 1
1 AAA and User Management Configuration ..... 1-1
1.1 Introduction to AAA and User Management ..... 1-2
1.2 AAA and User Management Features Supported by the S9300 ..... 1-2
1.3 Configuring AAA Schemes ..... 1-4
1.3.1 Establishing the Configuration Task ..... 1-4
1.3.2 Configuring an Authentication Scheme ..... 1-5
1.3.3 Configuring an Authorization Scheme ..... 1-6
1.3.4 Configuring an Accounting Scheme ..... 1-8
1.3.5 (Optional) Configuring a Recording Scheme ..... 1-9
1.3.6 Checking the Configuration ..... 1-10
1.4 Configuring a RADIUS Server Template ..... 1-10
1.4.1 Establishing the Configuration Task ..... 1-11
1.4.2 Creating a RADIUS Server Template ..... 1-12
1.4.3 Configuring a RADIUS Authentication Server ..... 1-12
1.4.4 Configuring the RADIUS Accounting Server ..... 1-12
1.4.5 Configuring a RADIUS Authorization Server ..... 1-13
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server ..... 1-13
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server ..... 1-14
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server ..... 1-15
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server ..... 1-15
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server ..... 1-16
1.4.11 Checking the Configuration ..... 1-17
1.5 Configuring an HWTACACS Server Template ..... 1-18
1.5.1 Establishing the Configuration Task ..... 1-18
1.5.2 Creating an HWTACACS Server Template ..... 1-19
1.5.3 Configuring an HWTACACS Authentication Server ..... 1-19
1.5.4 Configuring the HWTACACS Accounting Server ..... 1-20
1.5.5 Configuring an HWTACACS Authorization Server ..... 1-20
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets ..... 1-21
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server ..... 1-21
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server ..... 1-22
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server ..... 1-23
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch Configuration Guide - Security
1.5.10 (Optional) Setting HWTACACS Timers ..... 1-23
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet ..... 1-24
1.5.12 Checking the Configuration ..... 1-24
1.6 Configuring a Service Scheme ..... 1-25
1.6.1 Establishing the Configuration Task ..... 1-25
1.6.2 Creating a Service Scheme ..... 1-26
1.6.3 Setting the Administrator Level ..... 1-26
1.6.4 Configuring a DHCP Server Group ..... 1-27
1.6.5 Configuring an Address Pool ..... 1-27
1.6.6 Configure Primary and Secondary DNS Servers ..... 1-28
1.6.7 Checking the Configuration ..... 1-28
1.7 Configuring a Domain ..... 1-29
1.7.1 Establishing the Configuration Task ..... 1-29
1.7.2 Creating a Domain ..... 1-30
1.7.3 Configuring Authentication, Authorization and Accounting Schemes for a Domain ..... 1-31
1.7.4 Configuring a RADIUS Server Template for a Domain ..... 1-32
1.7.5 Configuring an HWTACACS Server Template for a Domain ..... 1-32
1.7.6 (Optional) Configuring a Service Scheme for a Domain ..... 1-33
1.7.7 (Optional) Setting the Status of a Domain ..... 1-33
1.7.8 (Optional) Configuring the Domain Name Delimiter ..... 1-34
1.7.9 Checking the Configuration ..... 1-34
1.8 Configuring Local User Management ..... 1-35
1.8.1 Establishing the Configuration Task ..... 1-35
1.8.2 Creating a Local User ..... 1-36
1.8.3 (Optional) Setting the Access Type of the Local User ..... 1-37
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access ..... 1-37
1.8.5 (Optional) Setting the Status of a Local User ..... 1-38
1.8.6 (Optional) Setting the Level of a Local User ..... 1-38
1.8.7 (Optional) Setting the Access Limit for a Local User ..... 1-39
1.8.8 Checking the Configuration ..... 1-39
1.9 Maintaining AAA and User Management ..... 1-40
1.9.1 Clearing the Statistics ..... 1-40
1.9.2 Monitoring the Running Status of AAA ..... 1-40
1.9.3 Debugging ..... 1-41
1.10 Configuration Examples ..... 1-41
1.10.1 Example for Configuring RADIUS Authentication and Accounting ..... 1-41
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization ..... 1-44
2.2 NAC Features Supported by the S9300 ..... 2-4
2.3 Configuring Web Authentication ..... 2-4
2.3.1 Establishing the Configuration Task ..... 2-4
2.3.2 Configuring the Web Authentication Server ..... 2-5
2.3.3 Binding the Web Authentication Server to the Interface ..... 2-5
2.3.4 Configuring the Free Rule for Web Authentication ..... 2-6
2.3.5 (Optional) Configuring the Web Authentication Policy ..... 2-6
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets ..... 2-7
2.3.7 (Optional) Setting the Version of the Portal Protocol Packets ..... 2-7
2.3.8 Checking the Configuration ..... 2-8
2.4 Configuring 802.1x Authentication ..... 2-8
2.4.1 Establishing the Configuration Task ..... 2-9
2.4.2 Enabling Global 802.1x Authentication ..... 2-9
2.4.3 Enabling 802.1x Authentication on an Interface ..... 2-10
2.4.4 (Optional) Enabling MAC Bypass Authentication ..... 2-11
2.4.5 Setting the Authentication Method for the 802.1x User ..... 2-12
2.4.6 (Optional) Configuring the Interface Access Mode ..... 2-13
2.4.7 (Optional) Configuring the Authorization Status of an Interface ..... 2-14
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users ..... 2-15
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication ..... 2-16
2.4.10 (Optional) Configuring 802.1x Timers ..... 2-16
2.4.11 (Optional) Configuring the Quiet Timer Function ..... 2-17
2.4.12 (Optional) Configuring the 802.1x Re-authentication ..... 2-18
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication ..... 2-18
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users ..... 2-19
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request ..... 2-20
2.4.16 Checking the Configuration ..... 2-20
2.5 Configuring MAC Address Authentication ..... 2-21
2.5.1 Establishing the Configuration Task ..... 2-22
2.5.2 Enabling Global MAC Address Authentication ..... 2-22
2.5.3 Enabling MAC Address Authentication on an Interface ..... 2-23
2.5.4 (Optional) Enabling Direct Authentication ..... 2-24
2.5.5 Configuring the User Name for MAC Address Authentication ..... 2-25
2.5.6 (Optional) Configuring the Domain for MAC Address Authentication ..... 2-26
2.5.7 (Optional) Setting the Timers of MAC Address Authentication ..... 2-27
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication ..... 2-28
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication ..... 2-28
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address ..... 2-29
2.5.11 Checking the Configuration ..... 2-30
2.6 Maintaining NAC ..... 2-30
2.6.1 Clearing the Statistics About 802.1x Authentication ..... 2-31
2.6.2 Clearing Statistics About MAC Address Authentication ..... 2-31
2.6.3 Debugging 802.1x Authentication ..... 2-31
2.6.4 Debugging MAC Address Authentication ..... 2-32
2.7 Configuration Examples ..... 2-32
2.7.1 Example for Configuring Web Authentication ..... 2-32
2.7.2 Example for Configuring 802.1x Authentication ..... 2-35
2.7.3 Example for Configuring MAC Address Authentication ..... 2-38
3.8.5 Checking the Configuration ..... 3-29
3.9 Maintaining DHCP Snooping ..... 3-30
3.9.1 Clearing DHCP Snooping Statistics ..... 3-30
3.9.2 Resetting the DHCP Snooping Binding Table ..... 3-30
3.9.3 Backing Up the DHCP Snooping Binding Table ..... 3-30
3.10 Configuration Examples ..... 3-31
3.10.1 Example for Preventing the Bogus DHCP Server Attack ..... 3-31
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field ..... 3-34
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases ..... 3-36
3.10.4 Example for Limiting the Rate of Sending DHCP Messages ..... 3-39
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network ..... 3-42
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent ..... 3-46
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network ..... 3-51
4.6.3 Clearing the Statistics on Discarded ARP Packets ..... 4-20
4.6.4 Debugging ARP Packets ..... 4-21
4.7 Configuration Examples ..... 4-21
4.7.1 Example for Configuring ARP Security Functions ..... 4-22
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks ..... 4-25
6.4 Configuring Attack Source Tracing ..... 6-8
6.4.1 Establishing the Configuration Task ..... 6-8
6.4.2 Creating an Attack Defense Policy ..... 6-9
6.4.3 Enabling the Automatic Attack Source Tracing ..... 6-9
6.4.4 Configuring the Threshold of Attack Source Tracing ..... 6-10
6.4.5 (Optional) Configuring the Attack Source Alarm Function ..... 6-10
6.4.6 Applying the Attack Defense Policy ..... 6-11
6.4.7 Checking the Configuration ..... 6-12
6.5 Maintaining the Attack Defense Policy ..... 6-13
6.5.1 Clearing Statistics About Packets Destined for the CPU ..... 6-13
6.5.2 Clearing Statistics About Attack Sources ..... 6-13
6.6 Configuration Examples ..... 6-14
6.6.1 Example for Configuring the Attack Defense Policy ..... 6-14
7 PPPoE+ Configuration ..... 7-1
7.1 PPPoE+ Overview ..... 7-2
7.2 PPPoE+ Features Supported by the S9300 ..... 7-2
7.3 Configuring PPPoE+ ..... 7-2
7.3.1 Establishing the Configuration Task ..... 7-2
7.3.2 Enabling PPPoE+ Globally ..... 7-3
7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets ..... 7-3
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets ..... 7-4
7.3.5 Configuring the PPPoE Trusted Interface ..... 7-4
7.3.6 Checking the Configuration ..... 7-5
7.4 Configuration Examples ..... 7-5
7.4.1 Example for Configuring PPPoE+ ..... 7-5
8 MFF Configuration ..... 8-1
8.1 MFF Overview ..... 8-2
8.2 MFF Features Supported by the S9300 ..... 8-3
8.3 Configuring MFF ..... 8-4
8.3.1 Establishing the Configuration Task ..... 8-4
8.3.2 Enabling Global MFF ..... 8-5
8.3.3 Configuring the MFF Network Interface ..... 8-5
8.3.4 Enabling MFF in a VLAN ..... 8-6
8.3.5 (Optional) Configuring the Static Gateway Address ..... 8-6
8.3.6 (Optional) Enabling Timed Gateway Address Detection ..... 8-7
8.3.7 (Optional) Setting the Server Address ..... 8-7
8.3.8 Checking the Configuration ..... 8-7
8.4 Configuration Examples ..... 8-8
8.4.1 Example for Configuring MFF ..... 8-8
9.2 Interface Security Features Supported by the S9300 ..... 9-2
9.3 Configuring Interface Security ..... 9-2
9.3.1 Establishing the Configuration Task ..... 9-3
9.3.2 Enabling the Interface Security Function ..... 9-3
9.3.3 (Optional) Configuring the Protection Action in Interface Security ..... 9-4
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface ..... 9-4
9.3.5 Enabling Sticky MAC on an Interface ..... 9-5
9.3.6 Checking the Configuration ..... 9-5
9.4 Configuration Examples ..... 9-6
9.4.1 Example for Configuring Interface Security ..... 9-6
11 ACL Configuration ..... 11-1
11.1 Introduction to the ACL ..... 11-2
11.2 Classification of ACLs Supported by the S9300 ..... 11-2
11.3 Configuring an ACL ..... 11-3
11.3.1 Establishing the Configuration Task ..... 11-3
11.3.2 Creating an ACL ..... 11-4
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect ..... 11-5
11.3.4 (Optional) Configuring the Description of an ACL ..... 11-5
11.3.5 Configuring a Basic ACL ..... 11-6
11.3.6 Configuring an Advanced ACL ..... 11-6
11.3.7 Configuring a Layer 2 ACL ..... 11-7
11.3.8 (Optional) Setting the Step of an ACL ..... 11-8
11.3.9 Checking the Configuration ..... 11-8
11.4 Configuring ACL6 ..... 11-9
11.4.1 Establishing the Configuration Task ..... 11-9
11.4.2 Creating an ACL6 ..... 11-10
11.4.3 (Optional) Creating the Time Range of the ACL6 ..... 11-10
11.4.4 Configuring a Basic ACL6 ..... 11-11
11.4.5 Configuring an Advanced ACL6 ..... 11-11
11.4.6 Checking the Configuration ..... 11-12
11.5 Configuration Examples ..... 11-13
11.5.1 Example for Configuring a Basic ACL ..... 11-13
11.5.2 Example for Configuring an Advanced ACL ..... 11-16
11.5.3 Example for Configuring a Layer 2 ACL ..... 11-20
11.5.4 Example for Configuring an ACL6 ..... 11-22
Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting (1-42)
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization (1-45)
Figure 2-1 Typical networking of NAC (2-2)
Figure 2-2 Network diagram for configuring Web authentication (2-33)
Figure 2-3 Networking diagram for configuring 802.1x authentication (2-36)
Figure 2-4 Networking diagram for configuring MAC address authentication (2-38)
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network (3-4)
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent (3-4)
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack (3-32)
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field (3-34)
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases (3-37)
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages (3-40)
Figure 3-7 Networking diagram for configuring DHCP snooping (3-42)
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent (3-47)
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network (3-51)
Figure 4-1 Networking diagram for configuring ARP security functions (4-22)
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks (4-26)
Figure 5-1 Diagram of IP/MAC spoofing attack (5-2)
Figure 5-2 Diagram of the URPF function (5-3)
Figure 5-3 Networking diagram for configuring IP source guard (5-14)
Figure 5-4 Networking diagram for configuring IP source trail (5-16)
Figure 5-5 Networking diagram for configuring URPF (5-17)
Figure 6-1 Networking diagram for configuring the attack defense policy (6-14)
Figure 7-1 Networking diagram for configuring PPPoE+ (7-6)
Figure 8-1 Networking diagram for configuring MFF (8-9)
Figure 9-1 Networking diagram for configuring interface security (9-6)
Figure 10-1 Networking diagram for configuring traffic suppression (10-5)
Figure 11-1 Networking diagram for disabling URPF for the specified traffic (11-13)
Figure 11-2 Networking diagram for configuring IPv4 ACLs (11-16)
Figure 11-3 Networking diagram for configuring layer 2 ACLs (11-20)
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets (11-23)
Issue 06 (20100108)
Tables
Table 3-1 Matching table between type of attacks and DHCP snooping operation modes (3-5)
Table 3-2 Relation between the type of attacks and the type of discarded packets (3-25)
Related Versions
The following table lists the product versions related to this document.

Product Name: S9300
Version: V100R002C00
Intended Audience
This document is intended for:
- Data configuration engineer
- Commissioning engineer
- Network monitoring engineer
- System maintenance engineer
Organization
This document is organized as follows.
Chapter / Description

1 AAA and User Management Configuration: Describes basic concepts of AAA and user management, and provides configuration methods and configuration examples.
2 NAC Configuration: Describes basic concepts of Network Access Control (NAC), and provides configuration methods and configuration examples.
3 DHCP Snooping Configuration: Describes basic concepts of DHCP snooping, and provides configuration methods and configuration examples.
4 ARP Security Configuration: Describes basic concepts of ARP security, and provides configuration methods and configuration examples.
5 Source IP Attack Defense Configuration: Describes basic concepts of source IP attack defense, and provides configuration methods and configuration examples.
6 Local Attack Defense Configuration: Describes basic concepts of local attack defense, and provides configuration methods and configuration examples.
7 PPPoE+ Configuration: Describes basic concepts of PPPoE+, and provides configuration methods and configuration examples.
8 MFF Configuration: Describes basic concepts of MAC-Forced Forwarding (MFF), and provides configuration methods and configuration examples.
9 Interface Security Configuration: Describes basic concepts of interface security, and provides configuration methods and configuration examples.
10 Traffic Suppression Configuration: Describes basic concepts of traffic suppression, and provides configuration methods and configuration examples.
11 ACL Configuration: Describes basic concepts of ACL, and provides configuration methods and configuration examples.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol / Description

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.

Convention / Description

Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention / Description

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention / Description

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format / Description

Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action / Description

Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
- The background information for configuring the whitelist is modified: 6.3.3 Configuring the Whitelist
- The background information for configuring the blacklist is modified: 6.3.4 Configuring the Blacklist
- The background information for configuring user-defined flows is modified: 6.3.5 Configuring User-Defined Flows
- Enabling strict ARP entry learning is modified: 4.3.2 Enabling Strict ARP Entry Learning
- The example for configuring interface security is modified: 9.4.1 Example for Configuring Interface Security

- 7 PPPoE+ Configuration
- 3.6 Setting the Maximum Number of DHCP Snooping Users and 3.10.7 Example for Configuring DHCP Snooping on a VPLS Network in "DHCP Snooping Configuration"
- 6.3.3 Configuring the Whitelist in "Local Attack Defense Configuration"

- DHCP Snooping Configuration: the configuration commands
- Local Attack Defense Configuration: the configuration commands and configuration example
AAA
AAA provides the following types of services:
- Authentication: determines which users can access the network.
- Authorization: authorizes the user to use certain services.
- Accounting: records the network resource usage of the user.
AAA adopts the client/server model, which features good extensibility and facilitates concentrated management over user information.
AAA
The S9300 provides authentication schemes in the following modes:
- Non-authentication: completely trusts users and does not check their validity. This mode is seldom used.
- Local authentication: user information, including the user name, password, and attributes of the local user, is configured on the S9300. Local authentication is fast, but the amount of user information that can be stored is limited by the hardware.
- Remote authentication: user information, including the user name, password, and attributes, is configured on an authentication server. The S9300 functions as the client that communicates with the authentication server, so the user is authenticated remotely through the RADIUS or HWTACACS protocol.
The S9300 provides authorization schemes in the following modes:

- Local authorization: authorizes users according to the attributes configured for the local user accounts on the S9300.
- Remote authorization: authorizes users remotely through HWTACACS. The S9300 functions as the client that communicates with the authorization server.
- If-authenticated authorization: authorizes users once they have passed authentication in local or remote authentication mode.

The S9300 provides accounting schemes in the following modes:

- None: no accounting is performed and users are not charged.
- RADIUS accounting: the S9300 sends accounting packets to the RADIUS server, which performs the accounting.
- HWTACACS accounting: the S9300 sends accounting packets to the HWTACACS server, which performs the accounting.
In the RADIUS and HWTACACS accounting modes, the S9300 generates an accounting packet when a user goes online or offline and sends it to the RADIUS or HWTACACS server. The server performs accounting based on the information in the packets, such as login time, logout time, and traffic volume. The S9300 also supports interim accounting: while a user is online, it periodically generates accounting packets and sends them to the accounting server. If communication between the S9300 and the accounting server is interrupted, the usage that goes unrecorded is then limited to roughly one accounting interval.
Domain default is used for common access users; by default, local authentication is performed for users in this domain. Domain default_admin is used for administrators; by default, local authentication is also performed for users in this domain.
The S9300 supports up to 128 domains, including the two default domains. The priority of authorization configured in a domain is lower than the priority configured on an AAA server. That is, the authorization attribute sent by the AAA server is used preferentially.
The authorization attribute in the domain takes effect only when the AAA server does not have or provide this authorization. In this manner, you can add services flexibly based on the domain management, regardless of the attributes provided by the AAA server.
In a RADIUS server template, you can set the attributes such as the IP addresses, port number, and key of the authentication server and accounting server. In an HWTACACS template, you can set the attributes such as the IP addresses, port number, and key of the authentication server, accounting server, and authorization server.
NOTE
In RADIUS, authentication and authorization are not separated: the authorization attributes are returned together with the authentication result. Therefore, RADIUS cannot be used on its own as an authorization mode on the S9300; the authorization modes are HWTACACS, if-authenticated, and local.
Pre-configuration Tasks
None
1-4 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
Data Preparation
To configure AAA schemes, you need the following data.

No. / Data

1 Name of the authentication scheme and authentication mode
2 Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization
3 Name of the accounting scheme and accounting mode
4 (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events
By default, the local authentication mode is used. If users are not to be authenticated, create an authentication scheme, or modify the default authentication scheme, setting the authentication mode to none, and then apply that authentication scheme to the domain that the users belong to. The authentication mode for users logging in to the S9300 and the authentication mode for upgrading user levels are set separately.
Procedure
Step 1 Run:
system-view
By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted. Step 4 Run:
authentication-mode { hwtacacs | radius | local }*[ none ]
Or
authentication-mode none
The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used. If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be the last one. Because none accepts every user, a trailing none means that a user is admitted without any check whenever all preceding modes are unavailable (for example, every RADIUS or HWTACACS server is unreachable); configure it only where that outcome is acceptable. If the authentication mode is RADIUS or HWTACACS, you must configure a RADIUS or HWTACACS server template and apply the template in the view of the domain that the user belongs to.
NOTE
If multiple authentication modes are used in an authentication scheme, they take effect in their configuration sequence. The S9300 tries the next authentication mode only when the current mode is invalid, for example because the server does not respond or no server template is applied to the domain. If the user fails authentication in the current mode, the S9300 does not try any other mode.
Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]
Or,
authentication-super none
The authentication mode for upgrading user levels is set. none indicates the non-authentication mode: users can raise their own level without being checked. By default, the local authentication mode is used for upgrading user levels. In local mode, run the super password command in the system view to set the password for upgrading user levels. For details on the super password command, see the Quidway S9300 Terabit Routing Switch Command Reference - Basic Configurations. ----End
Procedure
Step 1 Run:
system-view
An authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists on the S9300. This scheme can be modified but cannot be deleted. Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }*[ none ] or authorization-mode none
The authorization mode is set. By default, the local authorization mode is used. If multiple authorization modes are used in an authorization scheme, the non-authorization mode must be used as the last authorization mode. When using the HWTACACS authorization mode, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.
NOTE
If multiple authorization modes are used in an authorization scheme, they take effect in their configuration sequence. The S9300 tries the next authorization mode only when the current mode is invalid, for example because the HWTACACS server does not respond or no server template is applied to the domain. If the user is refused authorization in the current mode, the S9300 does not try any other mode.
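The fallback rule stated in the two NOTEs above (for authentication modes in the authentication scheme and for authorization modes here) is easy to misread, so the following Python simulation spells it out. It is an added example, not Huawei code: the mode list is walked in order, a mode is skipped only when it is invalid (no template bound or the server unreachable), a reject is final, and none is accepted only as the last mode. The local user database, the RADIUS behaviours and the credentials are constructed for the demonstration; the assumption that a mode without a bound template counts as invalid is taken from the guide's requirement that a template be applied to the domain.

```python
"""Simulation of the S9300's ordered authentication/authorization mode list
(added example, not Huawei code).

Model taken from the configuration guide:
  * modes are tried in configured order;
  * the next mode is tried only when the current one is INVALID
    (no server template bound to the domain, or the server does not answer);
  * a REJECT from a mode that could be evaluated is final;
  * `none` accepts unconditionally, so it may only appear last.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    INVALID = "invalid"   # the mode could not be evaluated


Backend = Callable[[str, str], Result]

VALID_MODES = ("radius", "hwtacacs", "local", "if-authenticated", "none")


def validate_mode_list(modes: List[str]) -> None:
    """Reject mode lists the guide forbids: unknown modes, repeats, or
    `none` anywhere but last."""
    if not modes:
        raise ValueError("at least one mode is required")
    for m in modes:
        if m not in VALID_MODES:
            raise ValueError(f"unknown mode {m!r}")
    if len(set(modes)) != len(modes):
        raise ValueError("a mode may appear only once")
    if "none" in modes and modes.index("none") != len(modes) - 1:
        raise ValueError("'none' must be the last mode")


def evaluate(modes: List[str], user: str, password: str,
             backends: Dict[str, Backend]) -> Tuple[Result, Optional[str]]:
    """Walk the mode list; return the decision and the mode that made it."""
    validate_mode_list(modes)
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, "none"
        backend = backends.get(mode)
        if backend is None:           # no template bound: mode is invalid
            continue
        result = backend(user, password)
        if result is Result.INVALID:  # server unreachable: try next mode
            continue
        return result, mode           # ACCEPT or REJECT is final
    return Result.REJECT, None        # everything invalid, no trailing none


# --- constructed backends for the demonstration ---------------------------
LOCAL_USERS = {"admin": "Huawei@123"}   # constructed local account


def local_backend(user: str, password: str) -> Result:
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT


def radius_backend_up(user: str, password: str) -> Result:
    """A reachable RADIUS server that only knows user 'alice'."""
    return Result.ACCEPT if (user, password) == ("alice", "s3cret") else Result.REJECT


def radius_backend_down(user: str, password: str) -> Result:
    """A RADIUS server that never answers (timed out after all retransmissions)."""
    return Result.INVALID


def demo() -> Dict[str, Tuple[Result, Optional[str]]]:
    up = {"radius": radius_backend_up, "local": local_backend}
    down = {"radius": radius_backend_down, "local": local_backend}
    return {
        # RADIUS reachable and rejects 'admin': local is NOT consulted
        "reject_is_final": evaluate(["radius", "local"], "admin", "Huawei@123", up),
        # RADIUS unreachable: falls back to local, which accepts
        "fallback_on_invalid": evaluate(["radius", "local"], "admin", "Huawei@123", down),
        # trailing none admits anyone once the server is unreachable
        "trailing_none": evaluate(["radius", "none"], "mallory", "x", down),
    }


if __name__ == "__main__":
    for name, (result, mode) in demo().items():
        print(f"{name}: {result.value} via {mode}")
```

The first two cases show why "radius local" is not a general fallback: a local account only helps when the RADIUS server cannot be reached, never when it says no. The third case is the trailing-none situation the procedure warns about.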
The command-line-based authorization function is configured for users at a level. By default, the command-line-based authorization function is not configured for users at levels 0 to 15. If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to. Step 6 (Optional) Run:
authorization-cmd no-response-policy { online | offline [ max-times max-timesvalue ] }
A policy is configured for command-line-based authorization failure. By default, the user is kept online when command-line-based authorization fails. This policy applies only when the HWTACACS server fails or the local user is not configured. It is not triggered in the following situations:

- The server works normally but the input command line fails authorization on the HWTACACS server.
- The HWTACACS server fails, command-line-based authorization changes to local authorization, and authorization fails because the level of the input command is higher than the level configured locally.
----End
An accounting scheme is created and the accounting scheme view is displayed. By default, the S9300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted. Step 4 Run:
accounting-mode { hwtacacs | radius | none }
The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template to the corresponding user domain. Step 5 (Optional) Run:
accounting realtime interval
Interim accounting is enabled and the accounting interval is set. By default, interim accounting is enabled and the interval is 5 minutes. Choose the interval according to the network: a short interval increases traffic on the network and the load on the device that receives the interim accounting packets, whereas a long interval increases the accounting error when communication between the accounting server and the S9300 fails. Step 6 (Optional) Run:
accounting start-fail { online | offline }
The policy for remote accounting-start failure is set. If accounting start fails when a user logs in, the S9300 handles the user according to this policy. By default, the S9300 does not allow the user to go online when accounting start fails.
The policy for remote interim accounting-start failure is set. If the accounting fails after a user goes online, the S9300 processes the user according to the policy for interim accounting failure. By default, the number of interim accounting failures is set to 3 and the policy keeps the user online. ----End
A recording scheme records the following information through the HWTACACS server:

- Commands that are run on the S9300
- Information about connections
- System events
NOTE
You can configure the recording function only when HWTACACS is adopted.
Procedure
Step 1 Run:
system-view
A recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists on the S9300. Step 4 Run:
recording-mode hwtacacs template-name
An HWTACACS server template that is associated with the recording scheme is configured. By default, a recording scheme is not associated with an HWTACACS server template. Step 5 Run:
quit
Step 6 Run:
cmd recording-scheme recording-scheme-name
The commands that are used on the S9300 are recorded. By default, the commands that are used on the S9300 are not recorded. Step 7 Run:
outbound recording-scheme recording-scheme-name
The information about connections is recorded. By default, information about connections is not recorded. Step 8 Run:
system recording-scheme recording-scheme-name
System events are recorded. By default, system events are not recorded. ----End
Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
- Run the display access-user command to check the summary of all online users.
----End
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
1.4.11 Checking the Configuration
There are default parameters of a RADIUS server template, and the default parameters can be changed according to the networking. You can modify the RADIUS configuration only when the RADIUS server template is not in use.
Pre-configuration Tasks
None
Data Preparation
To configure a RADIUS server template, you need the following data.

No. / Data

1 IP address of the RADIUS authentication server
2 IP address of the RADIUS accounting server
3 (Optional) Shared key of the RADIUS server
4 (Optional) User name format supported by the RADIUS server
5 (Optional) Traffic unit of the RADIUS server
6 (Optional) Timeout interval for waiting for a RADIUS server response and number of times a request packet is retransmitted to the RADIUS server
7 (Optional) Format of the NAS port attribute of the RADIUS server
A RADIUS server template is created and the RADIUS server template view is displayed. ----End
The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0. Step 4 (Optional) Run:
radius-server authentication ip-address port [ source loopback interface-number ] secondary
The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0. ----End
The primary RADIUS accounting server is configured. By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0. Step 4 (Optional) Run:
radius-server accounting ip-address port [ source loopback interface-number ] secondary
The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0. ----End
Procedure
Step 1 Run:
system-view
The RADIUS authorization server is configured. By default, no RADIUS authorization server is configured in the S9300. ----End
Setting the shared key ensures the security of information transmitted over the network. To guarantee the validity of the authenticator and the authenticated, the keys on the S9300 and the RADIUS server must be the same.
Procedure
Step 1 Run:
system-view
The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei. Because this default is documented and therefore widely known, set a site-specific key on both the S9300 and the RADIUS server before the template is put into use. ----End
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
Context
NOTE
A user name is in the user name@domain name format and the characters after @ refer to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The user name format supported by a RADIUS server is set. By default, the user name sent to the RADIUS server contains the domain name: the S9300 sends the user name, the domain name delimiter, and the domain name to the RADIUS server for authentication.

If the RADIUS server does not accept user names that contain the domain name, run the undo radius-server user-name domain-included command so that the S9300 removes the domain name before sending the user name to the RADIUS server. ----End
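The two settings just described, the shared key in 1.4.6 and the user name format here, both change what goes on the wire between the S9300 and the RADIUS server. The following Python example is an added illustration, not Huawei code: it implements the parts of RFC 2865 that the shared key protects (User-Password obfuscation in the Access-Request and the Response Authenticator that the NAS verifies on the reply) and the user@domain splitting that domain-included controls. The user name alice@corp, the password, the default domain name default and the secrets huawei and wrong are constructed for the demonstration; the assumption that the first delimiter found separates user and domain is marked in the code.

```python
"""RADIUS shared-secret and User-Name handling (added example, not Huawei code).
Implements RFC 2865 User-Password obfuscation and the Response Authenticator
check, plus user@domain splitting as controlled by 'domain-included'."""
import hashlib
import os
import struct

# domain-name delimiters listed in the guide ('@' is the default)
DOMAIN_DELIMITERS = "@\\/:<>|'%"


def split_user_domain(name, default_domain="default"):
    """Split 'user<delim>domain'. Assumption: the first delimiter found
    separates user and domain; a name without one belongs to the default domain."""
    for i, ch in enumerate(name):
        if ch in DOMAIN_DELIMITERS:
            return name[:i], name[i + 1:], ch
    return name, default_domain, None


def radius_user_name(name, domain_included):
    """User-Name attribute value: full string when domain-included is set
    (the default), bare user name after 'undo radius-server user-name domain-included'."""
    return name if domain_included else split_user_domain(name)[0]


def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)


def encrypt_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev, padded = b"", request_auth, _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(t, value):
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet):
    out, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        out[t] = packet[i + 2:i + length]
        i += length
    return out


def build_access_request(ident, user_name, password, secret, request_auth):
    attrs = attr(1, user_name.encode()) + attr(2, encrypt_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(2, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs


def nas_verifies(reply, request_auth, secret):
    """What the S9300 does with a reply: recompute the Response Authenticator
    with its own key and compare it with the one received."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return expected == reply[4:20]


def demo(nas_secret=b"huawei", server_secret=b"huawei"):
    """One exchange with constructed credentials. Returns (password as the
    server decrypted it, whether the NAS accepted the server's reply)."""
    request_auth = os.urandom(16)
    req = build_access_request(7, radius_user_name("alice@corp", True), "s3cret", nas_secret, request_auth)
    seen = decrypt_password(parse_attrs(req)[2], server_secret, request_auth)
    reply = build_access_accept(7, request_auth, server_secret)
    return seen, nas_verifies(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print(demo())                        # matching keys: (b's3cret', True)
    print(demo(server_secret=b"wrong"))  # mismatched keys: garbage, False
```

With mismatched keys the server recovers a garbage password and the S9300 discards the reply because the Response Authenticator does not verify, which is the behaviour behind the guide's statement that the keys must be the same on both sides. Note that the obfuscation is MD5-keystream based, not authenticated encryption; the shared key is the only protection and should be long and random.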
The traffic unit is set for a RADIUS server. By default, the traffic is expressed in bytes on the S9300. ----End
The timeout interval for waiting for a response from a RADIUS server is set. By default, it is five seconds. The S9300 judges whether a RADIUS server is available by its responses to request packets: if no response is received within the timeout interval, the S9300 retransmits the request packet. Step 4 Run:

The number of times that a request packet is retransmitted to a RADIUS server is set. By default, it is 3. After retransmitting a request packet the set number of times without receiving a response, the S9300 considers the RADIUS server unavailable. ----End
NAS port

- New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
- Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).

NAS port ID

- New format of NAS port ID: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
- Old format of NAS port ID: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VLAN ID (9 characters).

For ports identified by VPI/VCI:

- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
- New format of NAS port ID: slot=xx; subslot=x; VPI=xxx; VCI=xxxxx, in which slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
- Old format of NAS port ID: slot number (2 characters) + subslot number (2 characters) + card number (3 characters) + VPI (8 characters) + VCI (16 characters).

Fields are prefixed with 0s if they contain fewer characters than specified.
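The bit layouts above matter because a RADIUS server that expects one format and receives the other will silently attribute the session to the wrong slot. The following Python encoder/decoder is an added example, not Huawei code: it packs and unpacks the new and old NAS-Port layouts for VLAN-based ports into the 32-bit RADIUS integer and builds the new-style NAS-Port-Id string. The attribute label vlanid= and the ";" separator in the string are assumptions; the field widths are the ones quoted above. The slot/port/VLAN values are constructed for the demonstration.

```python
"""NAS-Port (RADIUS attribute 5) layouts from the S9300 guide
(added example, not Huawei code)."""

# new: slot(8) | subslot(4) | port(8) | VLAN(12)  = 32 bits
NEW_LAYOUT = (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12))
# old: slot(12) | port(8) | VLAN(12)              = 32 bits
OLD_LAYOUT = (("slot", 12), ("port", 8), ("vlan", 12))


def _pack(layout, fields):
    value = 0
    for name, width in layout:
        f = fields[name]
        if not 0 <= f < (1 << width):
            raise ValueError(f"{name}={f} does not fit in {width} bits")
        value = (value << width) | f
    return value


def _unpack(layout, value):
    if not 0 <= value < (1 << 32):
        raise ValueError("NAS-Port is a 32-bit integer")
    out = {}
    for name, width in reversed(layout):     # peel fields from the low end
        out[name] = value & ((1 << width) - 1)
        value >>= width
    return out


def encode_nas_port(fmt, slot, port, vlan, subslot=0):
    """Value the S9300 would send for a VLAN on a physical port."""
    if fmt == "new":
        return _pack(NEW_LAYOUT, {"slot": slot, "subslot": subslot, "port": port, "vlan": vlan})
    if fmt == "old":
        return _pack(OLD_LAYOUT, {"slot": slot, "port": port, "vlan": vlan})
    raise ValueError(f"unknown format {fmt!r}")


def decode_nas_port(fmt, value):
    """How a RADIUS server configured for `fmt` reads the attribute."""
    return _unpack(NEW_LAYOUT if fmt == "new" else OLD_LAYOUT, value)


def nas_port_id_new(slot, subslot, port, vlan):
    """New-style NAS-Port-Id string; 'vlanid' label and ';' separator assumed."""
    return f"slot={slot:02d};subslot={subslot:02d};port={port:03d};vlanid={vlan:04d}"


def demo():
    # constructed values: slot 3, subslot 0, port 5, VLAN 100
    wire = encode_nas_port("new", slot=3, port=5, vlan=100)
    return {
        "wire": wire,
        "server_expects_new": decode_nas_port("new", wire),
        "server_expects_old": decode_nas_port("old", wire),   # mismatched server
        "nas_port_id": nas_port_id_new(3, 0, 5, 100),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The mismatch case is the point: the same 32-bit value 50352228 decodes as slot 3 / port 5 / VLAN 100 under the new layout but as slot 48 / port 5 / VLAN 100 under the old one, so the radius-server nas-port-format setting must match what the server is configured to parse.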
Procedure
Step 1 Run:
system-view
The format of NAS port used by the RADIUS server is specified. By default, the new format of NAS port is used. Step 4 Run:
radius-server nas-port-id-format { new | old }
The format of the NAS port ID used by the RADIUS server is specified. By default, the new format of the NAS port ID is used. ----End
Procedure
- Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.
----End
Example
After completing the configurations of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
<Quidway> display radius-server configuration
------------------------------------------------------------------
Server-template-name            : radius
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : huawei
Timeout-interval(in second)     : 5
Primary-authentication-server   : 0.0.0.0; 0; LoopBack:NULL
Primary-accounting-server       : 0.0.0.0; 0; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 3
Domain-included                 : YES
------------------------------------------------------------------
------------------------------------------------------------------
Server-template-name            : test
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : hello
Timeout-interval(in second)     : 5
Primary-authentication-server   : 10.1.1.2; 1812; LoopBack:NULL
Primary-accounting-server       : 10.1.1.2; 1812; LoopBack:NULL
Secondary-authentication-server : 0.0.0.0; 0; LoopBack:NULL
Secondary-accounting-server     : 0.0.0.0; 0; LoopBack:NULL
Retransmission                  : 5
Domain-included                 : YES
------------------------------------------------------------------
Total of radius template :2

The shared key appears in clear text in this output, so restrict the display radius-server configuration command, and the saved configuration file, to administrators who are entitled to see it.
The S9300 does not check whether an HWTACACS server template is in use when you modify the attributes of the HWTACACS servers in it; the only exception is deleting a server's configuration, which is checked.
Pre-configuration Tasks
None
Data Preparation
To configure an HWTACACS server template, you need the following data.
No. / Data

1 Name of the HWTACACS server template
2 IP addresses of the HWTACACS authentication, authorization, and accounting servers
3 (Optional) Source IP address used for HWTACACS packets
4 (Optional) Shared key of the HWTACACS server
5 (Optional) User name format supported by the HWTACACS server
6 (Optional) Traffic unit of the HWTACACS server
7 (Optional) Timeout interval for waiting for an HWTACACS server response and time after which the primary HWTACACS server is restored to the active state
An HWTACACS server template is created and the HWTACACS server template view is displayed. ----End
The IP address of the primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and the port number is 0. Step 4 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] secondary
The IP address of the secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and the port number is 0. ----End
The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and the port number is 0. Step 4 Run:
hwtacacs-server accounting ip-address [ port ] secondary
The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and the port number is 0. ----End
The IP address of the primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the port number is 0. Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] secondary
The IP address of the secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and the port number is 0. ----End
The source IP address of HWTACACS packets is configured. By default, the source IP address of an HWTACACS packet is 0.0.0.0. In this case, the S9300 uses the IP address of the outgoing interface as the source IP address of the HWTACACS packet. After you specify the source IP address of HWTACACS packets, the specified address is used for the communication between the S9300 and the HWTACACS server. In this case, the HWTACACS server uses the specified IP address to communicate with the S9300. ----End
Context
Setting the shared key ensures the security of communication between the S9300 and an HWTACACS server. To ensure the validity of the authenticator and the authenticated, the shared keys set on the S9300 and the HWTACACS server must be the same.
Procedure
Step 1 Run:
system-view
The shared key is set for the HWTACACS server. By default, no shared key is set for the HWTACACS server; without one, the bodies of the packets exchanged with the server are not protected, so set a key on both the S9300 and the HWTACACS server before applying the template. ----End
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
Context
NOTE
A user name is in the user name@domain name format and the character string after "@" refers to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %
Procedure
Step 1 Run:
system-view
The user name format is set for an HWTACACS server. By default, the user name sent to an HWTACACS server contains the domain name. That is, the S9300 sends the user name, the domain name delimiter, and the domain name to the HWTACACS server for authentication.
If an HWTACACS server does not accept user names that contain a domain name, run the undo hwtacacs-server user-name domain-included command so that the S9300 strips the domain name before sending the user name to the HWTACACS server. ----End
The traffic unit is set for an HWTACACS server. By default, the traffic is expressed in bytes on the S9300. ----End
The response timeout of an HWTACACS server is set, that is, how long the S9300 waits for a reply to a request. By default, the response timeout is 5 seconds. If the S9300 receives no response from an HWTACACS server within the timeout interval, it considers the server unavailable and performs authentication or authorization in another way, for example through the secondary server or the next authentication mode configured in the scheme. Step 4 Run:
hwtacacs-server timer quiet value
The quiet interval is set, that is, the time after which an HWTACACS server that was marked unavailable is restored to the active state and tried again. By default, the quiet interval of the primary HWTACACS server is 5 minutes. ----End
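The following Python model is an added example, not code from the Huawei manual or from the S9300. It shows how the two timers in this section interact with the primary/secondary server pair: a server that does not answer within the response timeout is quieted for the quiet interval, the next configured server is tried, and when every configured server is quiet the request falls through to the next mode in the scheme. The addresses, the transport callback and the time values are constructed; the "unavailable" and "restored to active" behaviour follows the description in this section, the exact way the S9300 orders servers is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Server = Tuple[str, int]                 # (IP address, port)
UNSET: Server = ("0.0.0.0", 0)           # the manual's default for a server that was never configured


@dataclass
class HwtacacsTemplate:
    """Primary/secondary selection driven by the response timeout and the quiet timer."""
    primary: Server
    secondary: Server = UNSET
    response_timeout: float = 5.0        # manual default: 5 seconds
    quiet_interval: float = 5 * 60.0     # manual default: 5 minutes
    quiet_until: Dict[Server, float] = field(default_factory=dict)

    def usable(self, server: Server, now: float) -> bool:
        """A server is usable if it is configured and its quiet timer has expired."""
        return server != UNSET and self.quiet_until.get(server, 0.0) <= now

    def current(self, now: float) -> Optional[Server]:
        """What 'Current-authentication-server' shows: the first usable server in order."""
        for server in (self.primary, self.secondary):
            if self.usable(server, now):
                return server
        return None

    def request(self, now: float, transport: Callable[[Server], Optional[bytes]]):
        """Send through the first usable server.  A server that returns no reply
        within response_timeout is quieted and the next one is tried.  Returns
        (reply, server that answered, servers marked down); reply None means the
        switch must fall back to the next authentication mode (for example local)."""
        marked_down: List[Server] = []
        for server in (self.primary, self.secondary):
            if not self.usable(server, now):
                continue
            reply = transport(server)
            if reply is not None:
                return reply, server, marked_down
            now += self.response_timeout                 # the wait itself consumes time
            self.quiet_until[server] = now + self.quiet_interval
            marked_down.append(server)
        return None, None, marked_down


def failover_timeline() -> List[Optional[Server]]:
    """Primary dead, secondary alive: which server is 'current' at t=0, t=100 s, t=305 s."""
    tpl = HwtacacsTemplate(primary=("129.7.66.66", 49), secondary=("129.7.66.67", 49))

    def dead_primary(server: Server) -> Optional[bytes]:   # constructed transport
        return None if server == tpl.primary else b"REPLY"

    _reply, used, _down = tpl.request(now=0.0, transport=dead_primary)
    # primary times out after 5 s and is quiet until 305 s; secondary answered
    return [used, tpl.current(now=100.0), tpl.current(now=305.0)]


if __name__ == "__main__":
    print(failover_timeline())
```

The practical point: with only a primary server configured (the default 0.0.0.0:0 for the secondary), one missed reply leaves authentication with no server for the whole quiet interval, which is why the secondary server steps above are not really optional on a production switch.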
Procedure
Step 1 Run:
system-view
The function of retransmitting the Accounting-Stop packet is configured. You can enable the function of retransmitting the Accounting-Stop packet and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 10. ----End
Procedure
l Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.
----End
Example
After completing the configurations of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template.
1-24 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
<Quidway> display hwtacacs-server template hhh
--------------------------------------------------------------------
HWTACACS-server template name    : hhh
Primary-authentication-server    : 100.1.1.2:26
Primary-authorization-server     : 100.1.1.3:26
Primary-accounting-server        : 0.0.0.0:0
Secondary-authentication-server  : 0.0.0.0:0
Secondary-authorization-server   : 0.0.0.0:0
Secondary-accounting-server      : 0.0.0.0:0
Current-authentication-server    : 100.1.1.2:26
Current-authorization-server     : 100.1.1.3:26
Current-accounting-server        : 0.0.0.0:0
Source-IP-address                : 0.0.0.0
Shared-key                       : lsj
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 20
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------
Total 1,1 printed
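The following Python is an added example, not code from the Huawei manual or from the S9300. It parses the display output above (embedded as a constructed copy) and raises the findings a reviewer would want from it: no accounting server, no secondary servers, a source address that follows the egress interface, a short shared key that the command prints in clear, and the domain-included setting that the server side must match. The same parser works on the template ht output in the HWTACACS configuration example later in this chapter. The finding codes and the 16-character key threshold are choices of this example, not values from the manual.

```python
from typing import Dict, List, Tuple

UNSET = "0.0.0.0:0"   # the manual's default for an unconfigured server

# Constructed copy of the 'display hwtacacs-server template hhh' output above.
SAMPLE_OUTPUT = """\
<Quidway> display hwtacacs-server template hhh
--------------------------------------------------------------------
HWTACACS-server template name    : hhh
Primary-authentication-server    : 100.1.1.2:26
Primary-authorization-server     : 100.1.1.3:26
Primary-accounting-server        : 0.0.0.0:0
Secondary-authentication-server  : 0.0.0.0:0
Secondary-authorization-server   : 0.0.0.0:0
Secondary-accounting-server      : 0.0.0.0:0
Current-authentication-server    : 100.1.1.2:26
Current-authorization-server     : 100.1.1.3:26
Current-accounting-server        : 0.0.0.0:0
Source-IP-address                : 0.0.0.0
Shared-key                       : lsj
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 20
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------
Total 1,1 printed
"""


def parse_template(output: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines into a dict.  Split on the first ' : ' only,
    because server values themselves contain a colon (ip:port)."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if " : " not in line:            # prompt, separators and the trailer carry no field
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_template(fields: Dict[str, str], min_key_len: int = 16) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one HWTACACS server template."""
    findings: List[Tuple[str, str]] = []
    for role in ("authentication", "authorization", "accounting"):
        primary = fields.get(f"Primary-{role}-server", UNSET)
        secondary = fields.get(f"Secondary-{role}-server", UNSET)
        if primary == UNSET:
            findings.append((f"no-{role}-server", f"no primary {role} server configured"))
        elif secondary == UNSET:
            findings.append((f"no-secondary-{role}", f"single {role} server {primary}: no failover"))
    if fields.get("Source-IP-address") == "0.0.0.0":
        findings.append(("source-ip-unset",
                         "source address follows the egress interface; set the HWTACACS source "
                         "IP address so the server's client entry stays valid"))
    key = fields.get("Shared-key", "")
    if key == "":
        findings.append(("no-shared-key", "no shared key configured"))
    elif len(key) < min_key_len:
        findings.append(("weak-shared-key",
                         f"shared key is {len(key)} characters and is displayed in clear; use a long random key"))
    if fields.get("Domain-included") == "Yes":
        findings.append(("domain-included",
                         "server-side accounts must be in user@domain form "
                         "(or run undo hwtacacs-server user-name domain-included)"))
    return findings


def audit_output(output: str) -> List[str]:
    """Finding codes for a raw display output."""
    return [code for code, _ in audit_template(parse_template(output))]


if __name__ == "__main__":
    for code, message in audit_template(parse_template(SAMPLE_OUTPUT)):
        print(f"{code:28s} {message}")
```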
Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:
Data Preparation
To configure a service scheme, you need the following data.
No.  Data
1    Service scheme
2    Administrator level
3    User priority
4    Name of the DHCP server group
5    Name and position of the address pool
6    IP address of the primary and secondary DNS servers
Procedure
Step 1 Run:
system-view
A service scheme is created. service-scheme-name is a string of 1 to 32 characters, excluding /, :, *, ?, <, >, and @. By default, no service scheme is configured in the S9300. ----End
Step 2 Run:
aaa
The administrator is enabled to log in to the S9300 and the administrator level is set. The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid. ----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
An IP address pool is configured or the position of a configured address pool is moved. ----End
Procedure
Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme. ----End
Example
Run the display service-scheme command to view all the information about the service scheme.
<Quidway> display service-scheme
------------------------------------------------------------------
service-scheme-name              scheme-index
------------------------------------------------------------------
svcscheme1                       0
svcscheme2                       1
------------------------------------------------------------------
Total of service scheme: 2
Run the display service-scheme name svcscheme1 command to view the configuration of service scheme svcscheme1.
<Quidway> display service-scheme name svcscheme1
service-scheme-name           : svcscheme1
service-scheme-primary-dns    :
service-scheme-secondry-dns   :
service-scheme-uppriority     : 0
service-scheme-downpriority   : 0
service-scheme-adminlevel     : 16
service-scheme-dhcpgroup      :
service-scheme-flowstatup     : false
service-scheme-flowstatdown   : false
Idle-data-attribute(time,rate): <0,60>
Applicable Environment
To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain.
NOTE
The modification of a domain takes effect next time a user logs in.
Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
l Configuring authentication and authorization schemes
l Configuring a RADIUS server template if RADIUS is used in an authentication scheme
l Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
l Configuring local user management in local authentication or authorization mode
Data Preparation
To configure a domain, you need the following data.
No.  Data
1    Name of the domain
2    Names of authentication and authorization schemes of the domain
3    (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain
4    (Optional) Status of the domain
The S9300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators. The S9300 supports up to 128 domains, including the two default domains. ----End
Postrequisite
After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. The access users whose domain names cannot be obtained are added to this domain. If you do not run the domain domain-name [ admin ] command, the S9300 adds the common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively.
An authentication scheme is configured for the domain. By default, the authentication scheme named default is used for a domain. Step 5 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is configured for the domain. By default, no authorization scheme is bound to a domain. Step 6 Run:
accounting-scheme accounting-scheme-name
An accounting scheme is configured for the domain. By default, the accounting scheme named default is used for a domain. ----End
Procedure
Step 1 Run:
system-view
A RADIUS server template is configured for the domain. By default, no RADIUS server template is configured for a domain. ----End
Procedure
Step 1 Run:
system-view
An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain. ----End
Procedure
Step 1 Run:
system-view
A service scheme is bound to the domain. By default, no service scheme is bound to the domain. Before binding a service scheme to a domain, you must create the service scheme. ----End
Step 2 Run:
aaa
The status of the domain is set. When a domain is in blocking state, users that belong to this domain cannot log in. By default, the domain is in active state after being created. ----End
Procedure
Step 1 Run:
system-view
The domain name delimiter is configured. delimiter can be set to anyone of \, /, :, <, >, |, @, ', and %. By default, the domain name delimiter is @. ----End
Procedure
l Run the display domain [ name domain-name ] command to check the configuration of the domain.
----End
Example
After the configuration, you can run the display domain command to view the summary of all domains.
<Quidway> display domain
------------------------------------------------------------------------
DomainName                      index
------------------------------------------------------------------------
default                         0
default_admin                   1
huawei                          2
------------------------------------------------------------------------
Total: 3
Run the display domain [ name domain-name ] command, and you can view the configuration of a specified domain.
<Quidway> display domain name huawei
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : scheme0
Accounting-scheme-name       : default
Authorization-scheme-name    :
Service-scheme-name          :
RADIUS-server-group          :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template     : -
Applicable Environment
You can create a local user on the S9300, configure attributes of the local user, and perform authentication and authorization for users logging in to the S9300 according to information about the local user.
Pre-configuration Tasks
None
Data Preparation
To configure local user management, you need the following data.
No.  Data
1    User name and password
2    Access type of the local user
3    Name of the FTP directory that the local user can access
4    Status of the local user
5    Level of the local user
6    Maximum number of local access users
A local user is created. If the user name contains the domain name delimiter, such as @, |, and %, the character string before @ refers to the user name and the character string after @ refers to the domain name. If the user name does not contain domain name delimiter, the entire character string represents the user name and the domain name is default. ----End
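The following Python is an added example, not code from the Huawei manual or from the S9300. It implements the user name rules stated in this chapter in one place: the configurable domain name delimiter (the set \ / : < > | @ ' % from the HWTACACS user name format and domain delimiter sections), the split of a local user name into user and domain, the fallback to the global default domain or to default / default_admin when no domain can be obtained, and the domain-included switch that decides whether the domain is forwarded to the HWTACACS server. Splitting at the first delimiter and treating an empty domain as absent are assumptions of the example.

```python
from typing import Optional, Tuple

DELIMITERS = set("\\/:<>|@'%")          # delimiters the manual allows
DEFAULT_DOMAIN = "default"              # common access users with no domain
DEFAULT_ADMIN_DOMAIN = "default_admin"  # administrators with no domain


def split_user_name(raw: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """'user<delim>domain' -> (user, domain); domain is None when no delimiter is present.
    Assumption: the first occurrence of the delimiter is the split point."""
    if len(delimiter) != 1 or delimiter not in DELIMITERS:
        raise ValueError(f"unsupported domain name delimiter {delimiter!r}")
    user, sep, domain = raw.partition(delimiter)
    return user, (domain if sep else None)


def resolve_domain(raw: str, is_admin: bool, delimiter: str = "@",
                   global_default: Optional[str] = None) -> str:
    """Domain the login is attributed to.  Without a delimiter the user lands in the
    global default domain (domain <name> [admin]) if one was set, otherwise in
    default or default_admin depending on whether this is an administrator login.
    Assumption: an empty domain after the delimiter counts as no domain."""
    _, domain = split_user_name(raw, delimiter)
    if domain:
        return domain
    if global_default is not None:
        return global_default
    return DEFAULT_ADMIN_DOMAIN if is_admin else DEFAULT_DOMAIN


def name_sent_to_hwtacacs(raw: str, delimiter: str = "@", domain_included: bool = True) -> str:
    """Name forwarded to the HWTACACS server.  domain_included=True is the default;
    undo hwtacacs-server user-name domain-included strips the domain."""
    user, domain = split_user_name(raw, delimiter)
    return raw if domain_included or domain is None else user


if __name__ == "__main__":
    for name in ("lsj@huawei", "lsj", "ops%corp"):
        delim = "%" if "%" in name else "@"
        print(name, "->", split_user_name(name, delim), resolve_domain(name, is_admin=True, delimiter=delim),
              name_sent_to_hwtacacs(name, delim, domain_included=False))
```

One consequence worth checking on the server side: with domain-included left at its default, an account created on the HWTACACS server as lsj will not match a login that the switch forwards as lsj@huawei, and changing the delimiter on the switch changes which part of the typed name the server sees.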
The access type of the local user is set. By default, a local user can use all access types. A user can successfully log in only when its access type matches the specified access type. ----End
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
Context
NOTE
If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can access; otherwise, the FTP user cannot log in.
Procedure
Step 1 Run:
system-view
The FTP directory that a local user can access is configured. By default, the FTP directory that a local user can access is null. ----End
The status of a local user is set. By default, a local user is in active state. The S9300 processes a local user in active or blocking state as follows:
l If the local user is in active state, the S9300 accepts the authentication request of this user for further processing.
l If the local user is in blocking state, the S9300 rejects the authentication request of this user.
----End
Procedure
Step 1 Run:
system-view
By default, the level of a local user is determined by the management module. For example, there is a user level in the user interface view. If a user level is not set, the user level is 0.
NOTE
You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference.
----End
The maximum number of online local users is set. By default, the number of access users with the same user name is not restricted on the S9300. ----End
Procedure
l Run the display local-user [ username user-name ] command to check the attributes of the local user.
----End
Example
After completing the configuration of local user management, you can run the display localuser command to view brief information about attributes of the local user.
<Quidway> display local-user
---------------------------------------------------------------------------
No.  User-Name   State   AuthMask   AdminLevel
---------------------------------------------------------------------------
0    lsj         A       A          -
---------------------------------------------------------------------------
Total 1 user(s)
Run the display local-user [ username user-name ] command to view detailed information about a specified user. Note that this output shows the user's password (hello) in clear text, so the output of this command, and any captured terminal session that contains it, must be treated as sensitive.
<Quidway> display local-user username lsj
The contents of local user :
  Password       : hello
  State          : Active
  Auth-Type-Mask : A
  Admin-level    :
  Idle-Cut       : No
  FTP-directory  :
  Access-Limit   : No
  Accessed-Num   : 0
CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command. Run the following command in the user view to clear the statistics.
Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.
----End
Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter : @
Domain                : total: 128  used: 5
Authentication-scheme : total: 128  used: 1
Accounting-scheme     : total: 128  used: 3
Authorization-scheme  : total: 128  used: 1
Service-scheme        : total: 128  used: 0
1.9.3 Debugging
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.
Procedure
l Run the debugging radius packet command to debug RADIUS packets.
l Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.
----End
The RADIUS server performs authentication and accounting for access users. The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.
[Figure: S9300-A and S9300-B connected through the network to the RADIUS servers 129.7.66.66/24 and 129.7.66.67/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template and the authentication and accounting schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
l Name of the domain that a user belongs to
l Name of the RADIUS server template
l Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
l IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
l Key and retransmission count of the RADIUS server
Procedure
Step 1 Configure a RADIUS server template. # Configure the RADIUS template named shiva.
<Quidway> system-view [Quidway] radius-server template shiva
# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812 [Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813
# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary [Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Set the key and retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello [Quidway-radius-shiva] radius-server retransmit 2 [Quidway-radius-shiva] quit
Step 2 Configure the authentication and accounting schemes. # Configure authentication scheme1, with the authentication mode being RADIUS.
[Quidway] aaa [Quidway-aaa] authentication-scheme 1 [Quidway-aaa-authen-1] authentication-mode radius [Quidway-aaa-authen-1] quit
# Configure the accounting scheme1, with the accounting mode being RADIUS.
[Quidway-aaa] accounting-scheme 1 [Quidway-aaa-accounting-1] accounting-mode radius [Quidway-aaa-accounting-1] quit
Step 3 Configure the domain huawei and apply authentication scheme1, accounting scheme1, and RADIUS template shiva to the domain.
[Quidway-aaa] domain huawei [Quidway-aaa-domain-huawei] authentication-scheme 1 [Quidway-aaa-domain-huawei] accounting-scheme 1 [Quidway-aaa-domain-huawei] radius-server shiva
Step 4 Verify the configuration. After running the display radius-server configuration template command on S9300-B, you can view that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
------------------------------------------------------------------
Server-template-name        : shiva
Protocol-version            : standard
Traffic-unit                : B
Shared-secret-key           : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second) : 5
----End
Configuration Files
#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return
Access users are first authenticated locally. If local authentication fails, the HWTACACS server is used to authenticate them. HWTACACS authentication is required before the level of an access user is promoted; if the HWTACACS server does not respond, local (super password) authentication is performed instead. HWTACACS authorization is performed for access users. All access users are charged, and interim accounting is performed every 3 minutes.
l The primary HWTACACS server is 129.7.66.66/24 and the secondary HWTACACS server is 129.7.66.67/24.
l The port number used by the servers for authentication, authorization, and accounting is 49.
[Figure: S9300-A and S9300-B connected through the network to the HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template and the authentication, authorization, and accounting schemes to the domain.
Data Preparation
To complete the configuration, you need the following data:
l Name of the domain that the user belongs to
l Name of the HWTACACS server template
l Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
l IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
l Key of the HWTACACS server
Procedure
Step 1 Configure an HWTACACS server template. # Configure an HWTACACS server template named ht.
<Quidway> system-view [Quidway] hwtacacs-server template ht
# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49 [Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49 [Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary [Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary [Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
Step 2 Configure the authentication, authorization, and accounting schemes. # Create an authentication scheme l-h and set the authentication mode to local-HWTACACS, that is, the system performs local authentication first and then HWTACACS authentication. For user level promotion, HWTACACS authentication is used first and the super password is used only if the HWTACACS server does not respond.
[Quidway] aaa [Quidway-aaa] authentication-scheme l-h [Quidway-aaa-authen-l-h] authentication-mode local hwtacacs [Quidway-aaa-authen-l-h] authentication-super hwtacacs super [Quidway-aaa-authen-l-h] quit
# Create an authorization scheme hwtacacs, and set the authorization mode to HWTACACS.
[Quidway-aaa] authorization-scheme hwtacacs [Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs [Quidway-aaa-author-hwtacacs] quit
# Create an accounting scheme hwtacacs, and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs [Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs
Step 3 Create the domain huawei and apply the authentication scheme l-h, the authorization scheme hwtacacs, the accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
Step 4 Verify the configuration. Run the display hwtacacs-server template command on S9300-B, and you can see that the configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
--------------------------------------------------------------------------
HWTACACS-server template index   : 0
HWTACACS-server template name    : ht
Primary-authentication-server    : 129.7.66.66:49
Primary-authorization-server     : 129.7.66.66:49
Primary-accounting-server        : 129.7.66.66:49
Secondary-authentication-server  : 129.7.66.67:49
Secondary-authorization-server   : 129.7.66.67:49
Secondary-accounting-server      : 129.7.66.67:49
Current-authentication-server    : 129.7.66.66:49
Current-authorization-server     : 129.7.66.66:49
Current-accounting-server        : 129.7.66.66:49
Source-IP-address                : 0.0.0.0
Shared-key                       : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------------
Run the display domain command on S9300-B, and you can see that the configuration of the domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : l-h
Accounting-scheme-name       : hwtacacs
Authorization-scheme-name    : hwtacacs
Service-scheme-name          :
RADIUS-server-group          :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template     : ht
----End
Configuration Files
#
 sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
2 NAC Configuration

About This Chapter
This chapter describes the working principle and configuration of network access control (NAC).
2.1 Introduction to NAC
This section describes the working principle of NAC.
2.2 NAC Features Supported by the S9300
This section describes the NAC features supported by the S9300.
2.3 Configuring Web Authentication
This section describes how to configure the Web authentication function.
2.4 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.
2.5 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.
2.6 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.
2.7 Configuration Examples
This section provides several configuration examples of NAC.
As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts:
l User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software.
l NAD: Network access devices, including routers and switches (hereinafter referred to as the S9300), which authenticate and authorize users. The NAD works with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources.
l ACS: Access control server, which checks terminal security and health, manages policies and user behaviors, audits rule violations, and prevents malicious damage from terminals.
2.1.1 Web Authentication
2.1.2 802.1x Authentication
2.1.3 MAC Address Authentication
server. Users can access network resources only after passing the authentication. Users that do not pass the authentication can only access the specified site server. When a user enters its user name and password on the Web page, the Portal protocol is used to authenticate the user. This process is Web authentication. The Portal protocol enables Web servers to communicate with other devices. It is based on the client/server model and uses the User Datagram Protocol (UDP) as the transport protocol. In Web authentication, the Web authentication server and the S9300 communicate with each other through the Portal protocol, with the S9300 acting as the client. When the Web authentication server obtains the user name and password entered by the user on the authentication page, it transfers them to the S9300 through the Portal protocol.
Authentication mode based on the access interface: Once the first user under the interface is successfully authenticated, other users on the interface can access network resources without authentication; when that first user goes offline, all other users are disconnected as well. Authentication mode based on the MAC address: Each access user under the interface must be authenticated separately.
EAP termination mode: The network access device terminates the EAP exchange, obtains the user name and password from the EAP packets, protects the password with the RADIUS shared key, and sends the user name and password to the AAA server as ordinary RADIUS authentication attributes. EAP transparent transmission mode (also called EAP relay mode): The network access device encapsulates the 802.1x user's authentication information and EAP packets unchanged in the attribute field of RADIUS packets and sends them to the RADIUS server. The EAP packets therefore do not need to be converted into standard RADIUS authentication attributes, but the RADIUS server must support EAP.
sends the MAC address of the user, which is considered to be the user name and password of the user, to the AAA server for authentication.
l 802.1x authentication based on the port
l 802.1x authentication based on the MAC address
l EAPOL termination authentication
l EAPOL transparent transmission authentication
l MAC address authentication
l MAC bypass authentication
l Web authentication
Pre-configuration Tasks
Web authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring Web authentication, complete the following tasks:
l Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the user
l Configuring the user name and password on the RADIUS server if RADIUS authentication is used
l Adding the user name and password manually on the S9300 if local authentication is used
Data Preparation
To configure Web authentication, you need the following data.
No.  Data
1    Name, IP address, and URL of the Web server
2    Version number and interface number of the Portal protocol
3    Authentication-free rule ID
Procedure
Step 1 Run:
system-view
The Web authentication server is configured. Up to 16 Web authentication servers can be configured. ----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. Currently, the S9300 can perform Web authentication for users only through VLANIF interfaces. Step 3 Run:
web-auth-server server-name
The Web authentication server is bound to the VLANIF interface. You must configure a Web authentication server in the system view first and then bind the server to the interface according to the server name in the interface view. ----End
After opening the HTTP browser, the user is forcibly re-directed to the authentication page of the Web authentication server. The free rule is mandatory if the Web authentication is adopted. Some special users need to access certain resources when they fail to pass the authentication.
Procedure
Step 1 Run:
system-view
The free rule is configured. When the free rule is configured for Web authentication users, user packets matching the rule can be forwarded before the Web authentication. Therefore, users without the Web authentication possess certain access authority. ----End
Context
When the RADIUS server is adopted to authenticate users, do as follows if the user authentication information returned by the RADIUS server needs to be sent to the Web authentication server.
Procedure
Step 1 Run:
system-view
The device is configured to send the reply message for user authentication to the Web authentication server. By default, the S9300 sends the reply message for user authentication to the Web authentication server. ----End
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
Context
Do as follows to configure the port number for the S9300 to receive portal packets when the S9300 communicates with the Web server. The port number must be consistent with the destination port number contained in the packets sent by the Web authentication server and is globally unique.
Procedure
Step 1 Run:
system-view
The port number on which the S9300 listens for Portal packets is configured. By default, the S9300 listens for Portal packets on port 2000. ----End
Procedure
Step 1 Run:
system-view
The version of the portal protocol is set. By default, two versions coexist. If version 1 is not selected, only version 2 is in use. ----End
Procedure
l Run the display web-auth-server configuration command to view the configuration of a Web authentication server.
----End
Example
# View the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
Web-auth-server Name : servera
IP-address           : 100.1.1.114
Shared-key           :
Port / PortFlag      : 10 / NO
URL                  :
-----------------------------------------------------------------------
1 Web authentication server(s) in total
2 NAC Configuration
2.4.6 (Optional) Configuring the Interface Access Mode
2.4.7 (Optional) Configuring the Authorization Status of an Interface
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication
2.4.10 (Optional) Configuring 802.1x Timers
2.4.11 (Optional) Configuring the Quiet Timer Function
2.4.12 (Optional) Configuring the 802.1x Re-authentication
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request
2.4.16 Checking the Configuration
Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:
l Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
l Configuring the user name and password on the RADIUS server if RADIUS authentication is used
l Adding the user name and password manually on the S9300 if local authentication is used
Data Preparation
None.
Procedure
Step 1 Run:
system-view
802.1x authentication is enabled globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication has been enabled globally. By default, 802.1x authentication is disabled. ----End
CAUTION
If 802.1x is enabled on the interface, MAC address authentication or direct authentication cannot be enabled on the interface. If MAC address authentication or direct authentication is enabled on the interface, 802.1x cannot be enabled on the interface. You can enable 802.1x on an interface in the following ways.
Procedure
l In the system view: 1. Run:
system-view
802.1x authentication is enabled on the interfaces. You can enable the 802.1x function on interfaces in batches by specifying the interface list in the dot1x command in the system view. l In the interface view: 1. Run:
system-view
802.1x authentication is enabled on the interface. You can run the undo dot1x command only when no online user exists. ----End
Procedure
l In the system view: 1. Run:
system-view
MAC bypass authentication is enabled on interfaces. You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view. l In the interface view: 1. Run:
system-view
MAC address bypass authentication is enabled on the interface. After you run the dot1x mac-bypass enable command, the commands of enabling 802.1x authentication on the interface are overwritten. The details are as follows:
If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass enable command.
If 802.1x authentication has been enabled, the authentication mode is changed from 802.1x authentication to MAC address bypass authentication on the interface after you run the dot1x mac-bypass enable command.
To disable MAC address bypass authentication, run the undo dot1x command. Note that 802.1x functions are disabled. ----End
Procedure
Step 1 Run:
system-view
The authentication method is set for the 802.1x user. By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.
l The Password Authentication Protocol (PAP) uses a two-way handshake and sends the password in plain text.
l The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake. Only the user name and a digest bound to the server's challenge are transmitted on the network, never the password itself; therefore, compared with PAP, CHAP authentication is more secure and better protects user privacy.
l In Extensible Authentication Protocol (EAP) authentication, the S9300 relays the EAP packets of an 802.1x user to the RADIUS server without terminating the EAP exchange itself. To use PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable EAP authentication.
PAP and CHAP are termination authentication methods: the S9300 terminates the EAP exchange with the client and authenticates the user towards the RADIUS server on its own. EAP authentication is a relay authentication method.
CAUTION
If local authentication is adopted, you cannot use the EAP authentication for 802.1x users. ----End
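To make the difference between the two termination methods concrete, the following Python script (an added example, not code from this manual or from Huawei) encodes one credential the way a NAS places it into a RADIUS Access-Request under PAP (the User-Password attribute, RFC 2865 section 5.2) and under CHAP (the CHAP-Password attribute, section 5.3), and checks the Response Authenticator on the server's reply. The shared key hello is the one used by the configuration examples later in this chapter; the Request Authenticator, the CHAP challenge, the password s3cret and the attribute layout of the packets are constructed for illustration.

```python
"""RADIUS credential hiding for PAP/CHAP termination and reply verification (RFC 2865).
Added example; not from the manual. Key, authenticator and challenge values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

SHARED_KEY = b"hello"              # key used by this chapter's configuration examples
REQUEST_AUTH = bytes(range(16))    # stand-in for the 16 random bytes a NAS picks per request


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length incl. header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLVs into {type: value}, refusing a length that would run past the buffer."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def pap_user_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. This hides, it does not encrypt."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_user_password_reveal(secret, req_auth, hidden):
    """Inverse of the above: whoever captured the request and knows (or guesses offline)
    the shared key recovers the clear-text password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")       # drops the padding (and any trailing NULs of the password)


def chap_password(chap_id, password, challenge):
    """RFC 2865 5.3: CHAP-Password = Ident || MD5(Ident || password || challenge).
    Only this challenge-bound digest crosses the network."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def radius_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request_pap(secret, ident, req_auth, username, password):
    return radius_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, username),
        (USER_PASSWORD, pap_user_password(secret, req_auth, password))])


def access_request_chap(ident, req_auth, username, password, chap_id, challenge):
    return radius_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, username),
        (CHAP_PASSWORD, chap_password(chap_id, password, challenge)),
        (CHAP_CHALLENGE, challenge)])


def response_authenticator(secret, code, ident, req_auth, attrs_bytes):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def server_reply(secret, code, ident, req_auth, attrs=()):
    """The Access-Accept/Reject a RADIUS server returns for a given request."""
    body = encode_attrs(attrs)
    auth = response_authenticator(secret, code, ident, req_auth, body)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_reply(secret, req_auth, reply):
    """NAS-side check before honouring a reply; without it a spoofed Access-Accept opens the port."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, req_auth, reply[20:])
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    # MAC-bypass user: the MAC address without hyphens is both user name and password (2.5.5)
    pap = access_request_pap(SHARED_KEY, 1, REQUEST_AUTH, b"000000022347", b"000000022347")
    hidden = decode_attrs(pap[20:])[USER_PASSWORD]
    print("PAP hidden   :", hidden.hex())
    print("recovered    :", pap_user_password_reveal(SHARED_KEY, REQUEST_AUTH, hidden))
    chap = access_request_chap(2, REQUEST_AUTH, b"abc@huawei", b"s3cret", 7, bytes(16))
    print("CHAP-Password:", decode_attrs(chap[20:])[CHAP_PASSWORD].hex())
    accept = server_reply(SHARED_KEY, ACCESS_ACCEPT, 1, REQUEST_AUTH)
    forged = server_reply(b"guess", ACCESS_ACCEPT, 1, REQUEST_AUTH)
    print("genuine accept verifies:", verify_reply(SHARED_KEY, REQUEST_AUTH, accept))
    print("forged accept verifies :", verify_reply(SHARED_KEY, REQUEST_AUTH, forged))
```

The PAP path shows why the manual calls PAP the weaker method: User-Password hiding is reversible by anyone who captures the Access-Request and holds the shared key, and a key like hello is guessed offline in no time, so the RADIUS key is the only thing standing between a capture and the clear-text password. The CHAP path sends only a digest bound to the challenge. verify_reply shows the check a NAS must perform before accepting an Access-Accept, since the reply is otherwise just a UDP datagram from whoever claims the server's address.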
Interface mode: If the MAC address of a device connected to an interface passes authentication, all the MAC addresses of other devices connected to the interface can access the network without authentication. MAC mode: The MAC address of each device connected to the interface must pass authentication to access the network.
You can configure the access mode of an interface in the following ways.
Procedure
l In the system view: 1. Run:
system-view
The access mode of interfaces is configured. You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view. l In the interface view: 1. Run:
system-view
The access mode of the interface is configured. By default, the access mode of an interface is MAC mode.
CAUTION
If the dot1x port-method { mac | port } command is run to change the access control mode of an interface when an online 802.1x user exists, the online user is disconnected forcibly. ----End
Procedure
l In the system view: 1. Run:
system-view
The authorization status of interfaces is set. You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view. l In the interface view: 1. Run:
system-view
The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
l auto: The interface is initially in the unauthorized state and sends and receives only EAPOL packets, so users cannot access network resources. After a user passes authentication, the interface enters the authorized state and allows users to access network resources.
l authorized-force: The interface is always in the authorized state and allows users to access network resources without authentication.
l unauthorized-force: The interface is always in the unauthorized state and does not allow users to access network resources.
----End
Procedure
l In the system view: 1. Run:
system-view
The maximum number of concurrent access users is set on the interfaces. You can configure the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view. l In the interface view: 1. Run:
system-view
The maximum number of concurrent access users is set on the interface. By default, each interface allows up to 8192 concurrent access users. This command takes effect only on interfaces where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1: only one user is authenticated on the interface, and all other users can access the network once that first user passes authentication.
CAUTION
If the number of users already present on the interface is greater than the maximum number that you set, all users on the interface are disconnected. The maximum number of NAC access users allowed by the S9300 depends on the S9300 model: the specification is 8192 multiplied by the number of LPU slots. ----End
Procedure
Step 1 Run:
system-view
Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication. By default, DHCP packets do not trigger authentication. After you run the dot1x dhcp-trigger enable command, users cannot obtain IP addresses through DHCP if they do not pass the authentication. ----End
Procedure
Step 1 Run:
system-view
l client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.
l handshake-period: Interval of handshake packets from the S9300 to the 802.1x client. By default, the handshake interval is 15s.
l quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.
l reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.
l server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.
l tx-period: Interval for sending authentication requests. By default, the interval for sending authentication request packets is 30s.
The dot1x timer command only sets the values of the timers; the corresponding functions (the quiet timer, re-authentication, and the handshake) must still be enabled with their own commands or left at their default settings. ----End
Procedure
Step 1 Run:
system-view
The quiet timer function is enabled. By default, the quiet timer function is disabled.
During the quiet period, the S9300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see 2.4.10 (Optional) Configuring 802.1x Timers. ----End
Procedure
l In the system view: 1. Run:
system-view
Re-authentication is enabled on interfaces. You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view. l In the interface view: 1. Run:
system-view
Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface. You can run the dot1x timer command to set the re-authentication interval. For details, see 2.4.10 (Optional) Configuring 802.1x Timers. ----End
Context
When the guest VLAN is enabled, the S9300 sends authentication request packets to all the interfaces on which 802.1x is enabled. If an interface returns no response after the authentication request has been retransmitted the maximum number of times, the S9300 adds the interface to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without 802.1x authentication; authentication is still required when they access external resources. Certain resources are thus available to users who have not been authenticated, so the guest VLAN should contain only resources that unauthenticated hosts are intended to reach.
NOTE
The configured guest VLAN cannot be the default VLAN of the interface.
Procedure
l In the system view: 1. Run:
system-view
The guest VLAN is configured on interfaces. You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view. l In the interface view: 1. Run:
system-view
The guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface. ----End
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
Context
The S9300 can send handshake packets to a Huawei client to detect whether the user is online.
If the client does not support the handshake function, the S9300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S9300 from disconnecting users by mistake.
Procedure
Step 1 Run:
system-view
The handshake with 802.1x users is enabled. By default, the S9300 is enabled to send handshake packets to online users. You can run the dot1x timer command to set the handshake interval. For details, see 2.4.10 (Optional) Configuring 802.1x Timers. ----End
Procedure
Step 1 Run:
system-view
The retransmission count of the authentication request is set. By default, the S9300 retransmits an authentication request to an access user twice. ----End
Procedure
l Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.
----End
Example
View the information about 802.1x authentication on GE 1/0/0.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
  GigabitEthernet1/0/0 current state : UP
  802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is disabled
  Max online user is 8192
  Current online user is 2
  Guest VLAN is disabled
  Authentication Success: 1  Failure: 11
  EAPOL Packets: TX : 24  RX : 4
  Sent EAPOL Request/Identity Packets  : 11
  EAPOL Request/Challenge Packets      : 1
  Multicast Trigger Packets            : 0
  DHCP Trigger Packets                 : 0
  EAPOL Success Packets                : 1
  EAPOL Failure Packets                : 11
  Received EAPOL Start Packets         : 2
  EAPOL LogOff Packets                 : 0
  EAPOL Response/Identity Packets      : 1
  EAPOL Response/Challenge Packets     : 1

  Index  MAC/VLAN            UserOnlineTime       UserName
  16514  0000-0002-2347/800  2009-06-09 19:10:40  000000022347
  16523  001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
  Controlled User(s) amount to 2, print number:2.
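The counters in that output are tallies of EAPOL frames by type and by direction. The following Python parser is an added example (not code from this manual or from Huawei) that decodes IEEE 802.1X EAPOL frames and the EAP packets they carry, validates every length field, and groups a constructed exchange into the same categories the display uses. The authenticator MAC address 00e0-fc00-0001 is an assumption; the supplicant address 001e-90aa-e855 and the user name abc@huawei are taken from the display output above. The Multicast Trigger and DHCP Trigger counters are not EAPOL frames and are not covered.

```python
"""Parse IEEE 802.1X EAPOL frames and tally them the way display dot1x groups them.
Added example; the frames below are constructed, not captured from an S9300."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key",
               4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}


class EapolError(ValueError):
    """A frame that is not well-formed EAPOL: counted, never interpreted."""


def parse_eapol(frame):
    """Decode one Ethernet frame carrying EAPOL. Every length field is checked against the
    buffer, so a truncated or padded frame can never be read past its end."""
    if len(frame) < 18:
        raise EapolError("shorter than Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise EapolError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise EapolError("unknown EAPOL packet type %d" % ptype)
    body = frame[18:18 + body_len]
    if len(body) != body_len:                        # header claims more than was delivered
        raise EapolError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version, "type": EAPOL_TYPES[ptype]}
    if ptype != 0:                                   # Start/Logoff/Key carry no EAP packet
        return info
    if body_len < 4:
        raise EapolError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or eap_len < 4 or eap_len > body_len:
        raise EapolError("bad EAP code or length")
    info.update(code=EAP_CODES[code], id=ident)
    if code in (1, 2):                               # Request/Response carry a Type byte
        if eap_len < 5:
            raise EapolError("EAP Request/Response without Type")
        info["eap_type"] = EAP_TYPES.get(body[4], "type-%d" % body[4])
        info["data"] = body[5:eap_len]
    return info


def counter_name(p):
    """Map a parsed frame onto the counter names used by display dot1x."""
    if p["type"] == "EAPOL-Start":
        return "EAPOL Start"
    if p["type"] == "EAPOL-Logoff":
        return "EAPOL LogOff"
    if p["type"] != "EAP-Packet":
        return p["type"]
    if p["code"] in ("Success", "Failure"):
        return "EAPOL " + p["code"]
    kind = "Identity" if p["eap_type"] == "Identity" else "Challenge"
    return "EAPOL %s/%s" % (p["code"], kind)


def tally(frames, authenticator_mac):
    """Split frames into sent (from the authenticator) and received, as the display does,
    and collect the clear-text identities that supplicants offered."""
    auth = authenticator_mac.hex(":")
    result = {"sent": Counter(), "received": Counter(), "identities": [], "malformed": 0}
    for frame in frames:
        try:
            p = parse_eapol(frame)
        except EapolError:
            result["malformed"] += 1
            continue
        side = "sent" if p["src"] == auth else "received"
        result[side][counter_name(p)] += 1
        if side == "received" and p.get("code") == "Response" and p.get("eap_type") == "Identity":
            result["identities"].append(p["data"].decode("utf-8", "replace"))
    return result


# --- constructed sample exchange (not a capture) ---------------------------------------
def eap_packet(code, ident, eap_type=None, data=b""):
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def eapol_frame(dst, src, ptype, eap=b"", pad_to=0):
    frame = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(eap)) + eap
    return frame + b"\x00" * max(0, pad_to - len(frame))   # Ethernet minimum-size padding


AUTH_MAC = bytes.fromhex("00e0fc000001")     # assumed authenticator (S9300 port) address
SUPP_MAC = bytes.fromhex("001e90aae855")     # supplicant address from the display output
CHALLENGE = bytes([16]) + bytes(16)          # MD5-Challenge: value-size byte + 16-byte value

SAMPLE_FRAMES = [
    eapol_frame(PAE_GROUP_ADDR, SUPP_MAC, 1, pad_to=60),                                   # EAPOL-Start
    eapol_frame(SUPP_MAC, AUTH_MAC, 0, eap_packet(1, 1, 1)),                                # Request/Identity
    eapol_frame(PAE_GROUP_ADDR, SUPP_MAC, 0, eap_packet(2, 1, 1, b"abc@huawei")),           # Response/Identity
    eapol_frame(SUPP_MAC, AUTH_MAC, 0, eap_packet(1, 2, 4, CHALLENGE + b"Quidway")),        # Request/MD5-Challenge
    eapol_frame(PAE_GROUP_ADDR, SUPP_MAC, 0, eap_packet(2, 2, 4, CHALLENGE + b"abc@huawei")),  # Response/MD5-Challenge
    eapol_frame(SUPP_MAC, AUTH_MAC, 0, eap_packet(3, 2)),                                   # Success
    eapol_frame(PAE_GROUP_ADDR, SUPP_MAC, 2, pad_to=60),                                   # EAPOL-Logoff
    PAE_GROUP_ADDR + SUPP_MAC + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 0, 200) + b"\x01\x01\x00\x05\x01",  # length lies
]

if __name__ == "__main__":
    stats = tally(SAMPLE_FRAMES, AUTH_MAC)
    for side in ("sent", "received"):
        for name, count in sorted(stats[side].items()):
            print("%-8s %-26s : %d" % (side, name, count))
    print("identities:", stats["identities"], " malformed:", stats["malformed"])
```

Two things worth noticing in the tally: the EAP Response/Identity carries the user name in clear text on the wire (the parser collects it), and EAPOL-Start and EAPOL-Logoff are unauthenticated frames, so a Logoff from any host on the segment that forges the supplicant's source MAC address is indistinguishable from a genuine one and takes the user offline; the LogOff counter in the display is the only trace it leaves.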
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address
2.5.11 Checking the Configuration
Pre-configuration Tasks
MAC address authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:
l Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the MAC address authentication user.
l Configuring the user name and password on the RADIUS server if RADIUS authentication is used.
l Adding the user name and password manually on the S9300 if local authentication is used.
Data Preparation
To configure MAC address authentication, you need the following data:
1. Number of the interface on which MAC address authentication is enabled
Procedure
Step 1 Run:
system-view
MAC address authentication is enabled globally. Related configurations of MAC address authentication take effect only after MAC address authentication has been enabled globally. By default, MAC address authentication is disabled globally. ----End
CAUTION
If MAC address authentication is enabled on an interface, 802.1x authentication or direct authentication cannot be enabled on that interface; if 802.1x or direct authentication is enabled on the interface, MAC address authentication cannot be enabled on it. You can enable MAC address authentication on an interface in the following ways.
Procedure
l In the system view: 1. Run:
system-view
MAC address authentication is enabled on the interfaces. You can enable MAC address authentication on interfaces in batches by specifying the interface list in the mac-authen command in the system view. l In the interface view: 1. Run:
system-view
You must ensure that no online user exists before disabling MAC address authentication by the undo mac-authen command. ----End
CAUTION
If direct authentication is enabled on an interface, 802.1x authentication and MAC address authentication cannot be enabled on the interface. If 802.1x authentication or MAC address authentication is enabled on the interface, direct authentication cannot be enabled on the interface. You can enable direct authentication in the following ways.
Procedure
l In the system view: 1. Run:
system-view
Direct authentication is enabled on interfaces. You can configure direct authentication on interfaces in batches by specifying the interface list in the direct-authen command in the system view. l In the interface view: 1. Run:
system-view
The global configuration is valid for all interfaces. The configuration on an interface is valid only for the specified interface. The user name configured on an interface takes precedence over the user name configured globally. If the user name is not configured on an interface, the globally configured user name is used.
Procedure
l Configuring a fixed user name for a user that uses MAC address authentication 1. Run:
system-view
The S9300 is configured to use a fixed user name for a user that uses MAC address authentication. 3. Run:
mac-authen username username
The password is set.
l Configuring a MAC address as a user name for a user that uses MAC address authentication 1. Run:
system-view
Users that use MAC address authentication are configured to use their MAC addresses as their user names. 3. (Optional) Run:
mac-authen username macaddress [ format { with-hyphen | without-hyphen } ]
The format of the user name is set. There are two formats for a MAC address used as the user name, that is, the hyphenated MAC address (such as 0010-8300-0011) and the MAC address without hyphens (such
as 001083000011). By default, the MAC address without hyphens is used as the user name for a user that uses MAC address authentication. After you run the mac-authen username macaddress command, access users are authenticated using their MAC addresses as both user name and password; the credential is therefore the MAC address itself, which every host on the segment can observe.
l Configuring the format of the user name in the interface view 1. Run:
system-view
The format of the user name for which MAC address authentication is used is configured. ----End
Before configuring the authentication domain for the user who uses MAC address authentication, you need to confirm that a domain is available. Otherwise, the system displays an error message during the configuration.
The domain for which MAC address authentication is used can be configured globally and on an interface.
l The global configuration is valid for all interfaces. The configuration on an interface is valid only for the specified interface.
l The domain configured on an interface takes precedence over the domain configured globally. If no domain is configured on an interface, the globally configured domain is used.
Procedure
l In the system view: 1. Run:
system-view
2. Run:
mac-authen domain isp-name
A domain name is configured for a user who uses MAC address authentication. l In the interface view: 1. Run:
system-view
A domain name is configured for a user who uses MAC address authentication. The default authentication domain is domain default. ----End
l guest-vlan reauthenticate-period: Interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 30s.
l offline-detect: Offline-detect timer, the interval at which the S9300 checks whether a user has gone offline. By default, the offline-detect timer is 300s.
l quiet-period: Quiet timer. After a user fails authentication, the S9300 waits for this period before processing further authentication requests from that user; during the quiet period, authentication requests from the user are not processed. By default, the quiet timer is 60s.
l server-timeout: Server timeout timer. If the connection between the S9300 and the RADIUS server times out during user authentication, the authentication fails. By default, the server timeout is 30s.
----End
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
Context
If the MAC authentication fails after the guest VLAN function is enabled, the S9300 adds the access interface of the user to the guest VLAN. Then users in the guest VLAN can access resources in the guest VLAN without MAC address authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available for users without authentication.
NOTE
The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.
Procedure
l In the system view: 1. Run:
system-view
The guest VLAN of interfaces is configured. You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view. l In the interface view: 1. Run:
system-view
The guest VLAN of the interface is configured. By default, no guest VLAN is configured on an interface. ----End
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
Context
When the number of access users on an interface reaches the limit, the S9300 does not trigger the authentication for the users connecting to the interface later; therefore, these users cannot access the network. You can configure the maximum number of access users who adopt MAC address authentication in the following ways.
Procedure
l In the system view: 1. Run:
system-view
The maximum number of access users who adopt MAC address authentication is set on interfaces. You can configure the maximum number of access users of interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view. l In the interface view: 1. Run:
system-view
The maximum number of access users who adopt MAC address authentication is set on the interface. By default, an interface of the S9300 allows up to 8192 such users. The maximum number of NAC access users allowed by the S9300 depends on the S9300 model: the specification is 8192 multiplied by the number of LPU slots. ----End
Context
If re-authentication of a user with the specific MAC address is enabled, the online user is reauthenticated periodically. If a user passes the authentication, the user needs to be re-authorized; otherwise, the user goes offline. You can run the mac-authen timer command to set the interval of re-authentication. For details, see 2.5.7 (Optional) Setting the Timers of MAC Address Authentication.
Procedure
Step 1 Run:
system-view
The specified online user who passed MAC address authentication is re-authenticated. The command has no effect on a user who has not passed MAC address authentication. ----End
Procedure
l Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.
----End
Example
View information about MAC address authentication on GE 1/0/1.
<Quidway> display mac-authen interface gigabitethernet 1/0/1
  GigabitEthernet1/0/1 current state : UP
  MAC address authentication is Enabled
  Max online user is 8192
  Current online user is 1
  Guest VLAN is disabled
  Authentication Success: 1, Failure: 0

  Index  MAC/VLAN           UserOnlineTime
  16400  00e0-fc33-0011/15  2009-05-18 09:21:55
  Controlled User(s) amount to 1
2.6.1 Clearing the Statistics About 802.1x Authentication
2.6.2 Clearing Statistics About MAC Address Authentication
2.6.3 Debugging 802.1x Authentication
2.6.4 Debugging MAC Address Authentication
CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following commands. After you confirm to reset the statistics, do as follows in user view.
Procedure
l Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interfacenumber2 ] } ] command to clear the statistics about 802.1x authentication.
----End
CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following commands. After you confirm to reset the statistics, do as follows in user view.
Procedure
l Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.
----End
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a fault occurs during 802.1x authentication, run the following debugging commands in the user view to locate the fault.
Procedure
l Run the debugging dot1x { all | error | event | info | message | packet } command to enable debugging of 802.1x authentication packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. When a fault occurs during MAC address authentication, run the following debugging commands in the user view to locate the fault.
Procedure
l Run the debugging mac-authen { all | error | event | info | message | packet } command to enable debugging of MAC address authentication packets.
----End
Networking Requirements
As shown in Figure 2-2, the requirements are as follows:
l The user interacts with the Web authentication server through the S9300.
l The authentication is performed by the RADIUS server.
l The user can access only the Web authentication server before authentication.
l After passing the Web authentication, the user can access the external network.
Figure 2-2 Networking diagram: User -- GE 1/0/1 -- S9300 -- GE 1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the IP address of the Layer 3 interface connected to the user.
2. Configure a RADIUS server template.
3. Configure an AAA authentication scheme.
4. Configure a domain.
5. Configure the Web authentication function.
Data Preparation
To complete the configuration, you need the following data:
l IP address and URL of the Web authentication server
l IP address of the Layer 3 interface connected to the authentication terminal
l IP address and port number of the RADIUS authentication server
l Key of the RADIUS server (hello) and the retransmission count (2)
l Name of the AAA authentication scheme (web1)
l Name of the RADIUS server template (rd1)
l Name of the user domain (isp1)
NOTE
In this example, only the configuration of the S9300 is provided, and the configurations of the Web server and RADIUS server are omitted.
Procedure
Step 1 Set the IP address of the Layer 3 interface connected to the user.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] port default vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.10 24
[Quidway-Vlanif10] quit
Step 2 Configure a RADIUS server template. # Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] quit
Step 3 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 4 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
Step 5 Configure the Web authentication function. # Set the IP address and URL of the Web authentication server
[Quidway] web-auth-server isp1 192.168.2.20 url www.isp1.com
# Configure a free rule to redirect the user to the Web authentication page when the user starts the Web browser.
[Quidway] portal free-rule 20 destination ip 192.168.2.20 mask 24 source any
Run the display web-auth-server configuration command on the S9300, and you can view the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
  Listening port         : 2000
  Portal                 : version 1, version 2
  Include reply message  : enabled
  -----------------------------------------------------------------------
  Web-auth-server Name   : isp1
  IP-address             : 192.168.2.20
  Shared-key             : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
  Port / PortFlag        : 50100 / NO
  URL                    : www.isp1.com
  -----------------------------------------------------------------------
  1 Web authentication server(s) in total
----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
web-auth-server isp1 192.168.2.20 port 50100 url www.isp1.com
portal free-rule 20 destination ip 192.168.2.20 mask 255.255.255.0 source any
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
 web-auth-server web
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
#
return
Networking Requirements
l 802.1x authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet.
l The default access control mode is adopted, that is, the S9300 controls access of the user based on the MAC address of the user.
l The authentication is performed by the RADIUS server.
l The maximum number of users on GE 1/0/0 is 100.
l MAC address bypass authentication is performed for the printer connected to GE 1/0/0.
Figure: User and Printer -- GE 1/0/0 -- S9300 -- GE 2/0/1
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication scheme.
3. Configure a domain.
4. Configure the 802.1x authentication function.
Data Preparation
To complete the configuration, you need the following data:
l IP address and port number of the RADIUS authentication server
l Key of the RADIUS server (hello) and the retransmission count (2)
l Name of the AAA authentication scheme (web1)
l Name of the RADIUS server template (rd1)
l Name of the user domain (isp1)
NOTE
In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server is omitted.
Procedure
Step 1 Configure a RADIUS server template. # Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
[Quidway-radius-rd1] quit
Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit
Step 4 Configure the 802.1x authentication function. # Enable 802.1x authentication globally and on GE 1/0/0.
[Quidway] dot1x
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] dot1x
Step 5 Verify the configuration.
Run the display dot1x interface command on the S9300 to view the configuration and statistics of 802.1x authentication.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
 GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 The port is an authenticator
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 100
 Current online user is 1
 Guest VLAN is disabled
 Authentication Success: 4 Failure: 0
 EAPOL Packets: TX : 8 RX : 16
 Sent EAPOL Request/Identity Packets : 4
 EAPOL Request/Challenge Packets : 4
 Multicast Trigger Packets : 0
 DHCP Trigger Packets : 0
 EAPOL Success Packets : 4
 EAPOL Failure Packets : 0
 Received EAPOL Start Packets : 4
 EAPOL LogOff Packets : 3
 EAPOL Response/Identity Packets : 4
 EAPOL Response/Challenge Packets: 4
 print number:1
----End
Configuration Files
#
 sysname Quidway
#
 dot1x
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 dot1x mac-bypass
 dot1x max-user 100
#
return
MAC address authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet. The authentication is performed by the RADIUS server. The default authentication method is used, that is, the MAC address without hyphens is used as the user name in authentication. The maximum number of users on GE 1/0/0 is 100.
(Figure: networking diagram. The User connects to GE 1/0/0 of the S9300; GE 2/0/1 is the other S9300 interface shown.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication scheme.
3. Configure the domain of the users that use MAC address authentication.
4. Configure MAC address authentication.
Data Preparation
To complete the configuration, you need the following data:
- IP address and port number of the RADIUS authentication server
- Key of the RADIUS server (hello) and the retransmission count (2)
- Name of the AAA authentication scheme (web1)
- Name of the RADIUS server template (rd1)
- Name of the user domain (isp1)
NOTE
In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server is omitted.
Procedure
Step 1 Configure a RADIUS server template. # Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1
# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812
Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit
Step 3 Create a domain isp1 and bind the authentication scheme and the RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
Step 4 Configure MAC address authentication.
# Enable MAC address authentication globally and on GE 1/0/0 and limit the interface to 100 users; these are the mac-authen lines in the system and interface views and the mac-authen max-user 100 line in the configuration file at the end of this example.
# Specify domain isp1 as the domain of the users that use MAC address authentication.
[Quidway] mac-authen domain isp1
Step 5 Verify the configuration.
Run the display mac-authen interface command on the S9300 to view the configuration of MAC address authentication.
<Quidway> display mac-authen interface GigabitEthernet 1/0/0
 MAC address authentication is Enabled
 Max online user is 100
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 2, Failure: 1
 Controlled User(s) amount to 2 , print number:2
----End
Configuration Files
#
 sysname Quidway
#
 mac-authen
 mac-authen domain isp1
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 mac-authen
 mac-authen max-user 100
#
return
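The following Python script is an added example, not part of the S9300 documentation or its CLI. It shows what the RADIUS exchange behind MAC address authentication (and the MAC address bypass of the previous example) carries on the wire: the switch sends an Access-Request whose User-Name is the MAC address without separators, and whose User-Password is hidden with the RFC 2865 MD5/XOR scheme under the shared key (hello, from Data Preparation). The NAS-IP-Address 192.168.2.1 and the use of the MAC address as the password are assumptions made for the illustration; the S9300 example above does not state them.

```python
import hashlib
import os
import socket
import struct

# The RADIUS shared key "hello" is the one listed in Data Preparation. The
# NAS-IP-Address and the use of the user name as the password are assumptions
# for this illustration; the S9300 example above does not state them.
SHARED_KEY = b"hello"
NAS_IP = "192.168.2.1"

ACCESS_REQUE ST = None  # placeholder removed below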
2-40
Issue 06 (20100108)
3
About This Chapter
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks. 3.1 Introduction to DHCP Snooping This section describes the principle of DHCP snooping. 3.2 DHCP Snooping Features Supported by the S9300 This section describes the DHCP snooping features supported by the S9300. 3.3 Preventing the Bogus DHCP Server Attack This section describes how to prevent the attackers from attacking the DHCP server through the S9300 by forging the DHCP server. 3.4 Preventing the DoS Attack by Changing the CHADDR Field This section describes how to prevent the attackers from attacking the DHCP server by modifying the CHADDR. 3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases This section describes how to prevent the attackers from attacking the DHCP server by forging the DHCP messages for extending IP address leases. 3.6 Setting the Maximum Number of DHCP Snooping Users This section describes how to set the maximum number of DHCP snooping users. This is because authorized users cannot access the network when an attacker applies for IP addresses continuously. 3.7 Limiting the Rate of Sending DHCP Messages This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300. 3.8 Configuring the Packet Discarding Alarm Function An alarm is generated when the number of discarded packets exceeds the threshold. 3.9 Maintaining DHCP Snooping This section describes how to maintain DHCP snooping.
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-1
3.10 Configuration Examples This section provides several configuration examples of DHCP snooping.
3-2
Issue 06 (20100108)
Issue 06 (20100108)
3-3
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network
L2 network
DHCP server
User network
Applying DHCP Snooping on the S9300 That Functions as the DHCP Relay Agent
The S9300 provides Layer 3 routing functions, and can function as the DHCP relay agent on a network. As shown in Figure 3-2, the S9300 that is enabled with DHCP snooping function as the DHCP relay agent. Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent
L2 network
DHCP server
User network
3-4
Issue 06 (20100108)
When the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping is enabled. In this manner, the S9300 can defend against attacks shown in Table 3-1. The difference is that: when the S9300 functions as the DHCP relay agent, it supports the association function between ARP and DHCP snooping. The S9300, however, does not support the association function when it is deployed on a Layer 2 network.
DHCPv6 Snooping
The S9300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for the users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.
The master physical interface of the S9300 do not support DHCP snooping over VPLS.
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers 3.3.5 Checking the Configuration
Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following tasks:
l
Data Preparation
To prevent the bogus DHCP server attack, you need the following data. No. 1 Data Type and number of the interface that needs to be set to be trusted
Procedure
Step 1 Run:
3-6 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-7
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is the network-side interface connected to the DHCP server. Or, run:
vlan vlan-id
Or, in the VLAN view, run: dhcp snooping trusted interface interface-type interfacenumber [ no-user-binding ] The interface is configured as a trusted interface. DHCP Reply messages sent from a trusted interface are forwarded and DHCP Request messages sent from the trusted interface are discarded; DHCP Discover messages sent from an untrusted interface are discarded. If the no-user-binding keyword is not used in the command, a binding entry is created when the interface receives a DHCP Ack message sent to a user who does not go online through the local device. If this keyword is used in the command, no binding entry is created in this case. When running the dhcp snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with the dhcp snooping trusted command run in the interface view, the dhcp snooping trusted command run in the VLAN view is more accurate because a specified interface in a specified VLAN can be configured as a trusted interface. ----End
untrusted interface, the S9300 considers the DHCP server as a bogus server and records it into the log. The network administrator can then maintain the network according to the log.
NOTE
Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.
Procedure
Step 1 Run:
system-view
Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S9300. ----End
Procedure
l l l Run the display dhcp snooping global command to check information about global DHCP snooping. Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface. Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the information about DHCP Snooping bind-table. Run the display this command in the system view to check the configuration of detection of bogus DHCP servers. You can only check whether detection of bogus DHCP servers is enabled through the display this command. The detection information is recorded in the log, and you can obtain related information by viewing the log. ----End
3.4.1 Establishing the Configuration Task 3.4.2 Enabling DHCP Snooping 3.4.3 Checking the CHADDR Field in DHCP Request Messages 3.4.4 Checking the Configuration
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
l l
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data. No. 1 Data Type and number of the interface enabled with the check function
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-11
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is the user-side interface. Or, run:
vlan vlan-id
The interface or the interface in a VLANis configured to check the CHADDR field in DHCP Request messages. By default, an interface or the interface in a VLANdoes not check the CHADDR field in DHCP Request messages on the S9300. ----End
Procedure
l Run the display dhcp snooping global command to check information about global DHCP snooping.
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
3-12
Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
----End
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent the attackers from attacking the DHCP server by forging the DHCP messages for extending IP address leases. 3.5.1 Establishing the Configuration Task 3.5.2 Enabling DHCP Snooping 3.5.3 Enabling the Checking of DHCP Request Messages 3.5.4 (Optional) Configuring the Option 82 Function 3.5.5 Checking the Configuration
IP addresses are classified in to IPv4 addresses and IPv6 addresses. The S9300 checks the source IP addresses of DHCP Request messages, including IPv4 addresses and IPv6 addresses.
The S9300 checks DHCP Request messages as follows: 1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S9300 considers that the DHCP Request message is a broadcast message that a user sends to goes online for the first time and does not check the DHCP Request message against the binding table. Otherwise, the S9300 considers that the user sends the DHCP Request message is renew lease of the IP address and checks the DHCP Request message against the binding table. Checks whether the CIADDR field in the DHCP Request message matches an entry in the binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table. If all these fields match the binding table, the S9300 forwards the message; otherwise, the S9300 discards the message.
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-13
2.
Issue 06 (20100108)
Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:
l l
Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data. No. 1 2 Data Type and number of the interface enabled with detection of bogus DHCP servers Static IP addresses from which packets are forwarded
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
3-14 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
The interface view is displayed. The interface is the user-side interface. Or, run:
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-15
The interface or the interface in a VLANis enabled to check DHCP Request messages. By default, an interface or the interface in a VLANis disabled from checking DHCP Request messages.
NOTE
The dhcp snooping check user-bind enable command can also check whether the Release packet match the binding table, thus preventing unauthorized users from releasing the IP addresses of authorized users.
----End
The DHCP Reply messages of the DHCP server are listened to by users on other interfaces in a VLAN. After a user logs in, this valid user is forged if users on other interfaces in a VLAN forge the IP address and MAC address.
When DHCP snooping is used at Layer 2, the S9300 can obtain information about the interface required by the binding table even if the Option 82 function is not configured.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is the user-side interface. Or, run:
vlan vlan-id
3-16
Issue 06 (20100108)
After the dhcp option82 insert enable command is used, the Option 82 is appended to DHCP messages if original DHCP messages do not carry the Option 82 field; If the DHCP message contains an Option 82 field previously, the S9300 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the S9300 retains the original Option 82 field. If not, the S9300 inserts the Remote-id to the Option 82 field. By default, the Remote-id is the MAC address of the S9300. After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if original DHCP messages do not carry the Option 82 field; the original Option 82 field is removed and a new one is appended if the original DHCP messages carry the Option 82 field.
Step 4 Run:
quit
If the user-defined format of the Option 82 field is used, it is recommended that you specify the interface type, interface number, and slot ID in text.
----End
Procedure
l l l Run the display dhcp snooping global command to check information about global DHCP snooping. Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface. Run the display dhcp snooping user-bind{ all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP snooping binding table.
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-17
Issue 06 (20100108)
Run the display dhcp option82 interface interface-type interface-number command to check the status of the Option 82 field.
----End
Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
l l
Enabling DHCP snooping globally Enabling check of the DHCP snooping binding table
Data Preparation
To set the maximum number of DHCP snooping users, you need the following data. No. 1 Data Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users
Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interfaceor in a VLAN. By default, DHCP snooping is disabled globally and on an interfaceor in a VLAN. Before enabling DHCP snooping, enable DHCP globally.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-19
process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set. By default, a maximum of 4096 users can access an interface of the S9300 or a VLAN This command takes effect only when DHCP snooping is enabled globally and on the interface and is valid only for DHCP users. When the number of DHCP snooping users on an interface or in a VLAN reaches the maximum value set through the dhcp snooping max-user-number command, no more users can access the interface. ----End
Context
When MAC address security of DHCP snooping is enabled, packets are processed as follows for a non-DHCP user:
l
If a static MAC address is not configured, the packets are discarded after reaching the interface where the dhcp snooping sticky-mac command is run. If a static MAC address is configured, the packets are forwarded normally.
MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded normally. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have the packets forwarded normally.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is a user-side interface. Step 3 Run:
dhcp snooping sticky-mac
MAC address security of DHCP snooping is enabled on the interface. By default, MAC address security of DHCP snooping is disabled on the S9300. The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally. If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of the received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes information about the MAC address and VLAN ID of the user. Subsequently, only the packets whose source MAC address matches the static MAC address can pass through the interface; otherwise, the packets are discarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users to have the packets forwarded normally. ----End
Prerequisite
The configurations of setting the maximum number of users are complete.
Procedure
l l Run the display dhcp snooping global command to check information about global DHCP snooping. Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.
----End
Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
l l
Data Preparation
To limit the rate of sending packets, you need the following data.
3-22
Issue 06 (20100108)
No. 1
Data Rate at which DHCP messages are sent to the protocol stack
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
Issue 06 (20100108)
3-23
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
The S9300 is enabled to check the rate of sending DHCP messages. By default, the S9300 is disabled from checking the rate of sending DHCP messages. Step 3 Run:
dhcp snooping check dhcp-rate rate
The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. The DHCP packets exceeding the rate are discarded. Step 4 Run:
dhcp snooping check dhcp-rate alarm enable
The alarm function is enabled for the DHCP packets discarded because they exceed the transmission rate. Step 5 (Optional) Run:
dhcp snooping check dhcp-rate alarm threshold threshold
The alarm threshold of the number of DHCP packets discarded because they exceed the transmission rate is set.
3-24 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)
By default, the alarm threshold of discarded DHCP packets is 100 pps. An alarm is generated when the number of discarded DHCP packets exceeds the threshold. ----End
Procedure
l Run the display dhcp snooping global command to check information about global DHCP snooping.
----End
Type of Attacks Attack by sending a large number of DHCP Request messages and ARP packets
After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S9300 reaches the alarm threshold.
Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
l l l
Configuring the DHCP server Configuring the DHCP relay agent Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the user side Configuring the checking of DHCP messages Configuring the checking of the CHADDR field in DHCP Request messages Configuring the checking of the rate of sending DHCP messages
l l l
Data Preparation
To configure the packet discarding alarm function, you need the following data. No. 1 Data Alarm threshold for the number of discarded packets
Procedure
Step 1 Run:
system-view
3-26
Issue 06 (20100108)
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
DHCP snooping is enabled on the interfaceor in a VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface. Step 6 (Optional) Run:
quit
DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface is a user-side interface. Or, run:
vlan vlan-id
After you run the mac-address command, the S9300 checks whether the MAC address in the header of a DHCP Request message is the same as the value of the CHADDR field in the message. If the MAC address is different from of the value of the CHADDR field, the DHCP Request message is discarded. After you run the user-bind command, the S9300 checks whether the DHCP Request or Release message matches the binding table; the unmatched message is discarded.
The packet discarding alarm function configured globally takes effect for all interfaces. The packet discarding alarm function configured on an interface takes effect for a specified interface. If the packet discarding alarm function is not configured on an interface, the global configuration is used.
NOTE
If you need to configure the alarm function for the DHCP messages that are discarded because they exceed the transmission rate, see 3.7.3 Limiting the Rate of Sending DHCP Messages.
Procedure
- Configuring the packet discarding alarm function globally
1. Run:
system-view
Issue 06 (20100108)
The alarm threshold of the number of globally discarded packets is set. By default, the global alarm threshold of the number of discarded DHCP messages is 100 pps.
- Configuring the packet discarding alarm function on an interface
1. Run:
system-view
mac-address: If the source MAC address in the frame header is different from the CHADDR field of the DHCP message, the message is discarded.
user-bind: If the DHCP message does not match the binding table, the message is discarded. Here, the DHCP message refers to any DHCP Request message except the Discover message.
untrust-reply: If an untrusted interface receives a Reply message sent by a DHCP server, the message is discarded.
The alarm threshold of the number of discarded packets is set on the interface. By default, an interface uses the threshold set in the dhcp snooping alarm threshold command. If that command is not run in the system view, the interface uses the default threshold, 100 pps.
----End
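To make the three drop checks and the alarm threshold concrete, the following Python model is added here as an illustration; it is not Huawei S9300 code and not part of the guide. The class and function names (Snooper, DhcpPacket, Interface, demo), the interface names and the replayed traffic are constructed assumptions; the alarm is modelled as firing once when a check's drop count reaches the threshold, which is a simplification of the pps-based threshold described above.

```python
"""Model of the DHCP snooping drop checks described above (added example).

This is constructed illustration code, not Huawei S9300 code: class names,
interface names and the sample traffic are all assumptions. It implements the
trusted/untrusted port rule, the mac-address (CHADDR vs source MAC) check, the
user-bind (binding table) check and a per-check packet discarding alarm that
fires when the drop count reaches the configured threshold.
"""
from dataclasses import dataclass, field

# DHCP message types, option 53 values from RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
# Only a DHCP server sends these; seeing one on an untrusted port means a bogus server.
SERVER_REPLIES = {OFFER, ACK, NAK}
# Client messages checked against the binding table (the guide excludes Discover).
BOUND_CLIENT_MSGS = {REQUEST, DECLINE, RELEASE, INFORM}


@dataclass(frozen=True)
class DhcpPacket:
    ingress: str        # interface the frame arrived on
    vlan: int
    src_mac: str        # Ethernet source address in the frame header
    chaddr: str         # client hardware address inside the DHCP payload
    msg_type: int
    client_ip: str = "0.0.0.0"   # ciaddr / requested address carried by the client


@dataclass
class Interface:
    trusted: bool = False
    check_mac_address: bool = False
    check_user_bind: bool = False
    alarm_threshold: int = 100  # guide default for the discarded-packet alarm
    drops: dict = field(default_factory=lambda: {
        "mac-address": 0, "user-bind": 0, "untrust-reply": 0})


@dataclass
class Snooper:
    interfaces: dict
    bindings: set = field(default_factory=set)   # entries of (mac, ip, vlan, interface)
    alarms: list = field(default_factory=list)

    def add_static_binding(self, ip, mac, iface, vlan):
        # mirrors 'user-bind static ip-address ... mac-address ... interface ... vlan ...'
        self.bindings.add((mac.lower(), ip, vlan, iface))

    def _drop(self, name, reason):
        iface = self.interfaces[name]
        iface.drops[reason] += 1
        if iface.drops[reason] == iface.alarm_threshold:
            self.alarms.append((name, reason, iface.alarm_threshold))
        return ("drop", reason)

    def process(self, pkt):
        """Return ('forward', why) or ('drop', check-name) for one DHCP packet."""
        iface = self.interfaces[pkt.ingress]
        if iface.trusted:
            return ("forward", "trusted")
        # untrust-reply: server replies never arrive legitimately on a user-side port
        if pkt.msg_type in SERVER_REPLIES:
            return self._drop(pkt.ingress, "untrust-reply")
        # mac-address: CHADDR must equal the frame's source MAC
        if iface.check_mac_address and pkt.chaddr.lower() != pkt.src_mac.lower():
            return self._drop(pkt.ingress, "mac-address")
        # user-bind: Request/Release etc. must match a binding entry
        if iface.check_user_bind and pkt.msg_type in BOUND_CLIENT_MSGS:
            key = (pkt.chaddr.lower(), pkt.client_ip, pkt.vlan, pkt.ingress)
            if key not in self.bindings:
                return self._drop(pkt.ingress, "user-bind")
        return ("forward", "ok")


def demo():
    """Replay constructed traffic; returns (verdicts, snooper) for inspection."""
    s = Snooper(interfaces={
        "GE1/0/0": Interface(trusted=True),                       # DHCP server side
        "GE2/0/0": Interface(check_mac_address=True,              # user side
                             check_user_bind=True, alarm_threshold=2),
    })
    s.add_static_binding("10.1.1.3", "0000-005e-008a", "GE2/0/0", 3)
    traffic = [
        # bound client renewing its lease
        DhcpPacket("GE2/0/0", 3, "0000-005e-008a", "0000-005e-008a", REQUEST, "10.1.1.3"),
        # Offer arriving from the user side: bogus server
        DhcpPacket("GE2/0/0", 3, "00e0-fc12-3456", "0000-005e-008a", OFFER),
        # forged CHADDR, frame source differs
        DhcpPacket("GE2/0/0", 3, "0000-005e-008a", "0000-005e-0099", DISCOVER),
        # Release for another user's address: no matching binding
        DhcpPacket("GE2/0/0", 3, "0000-005e-00aa", "0000-005e-00aa", RELEASE, "10.1.1.3"),
        # second forged CHADDR: reaches the (deliberately low) alarm threshold
        DhcpPacket("GE2/0/0", 3, "0000-005e-008a", "0000-005e-0077", DISCOVER),
        # genuine ACK on the trusted server-side port
        DhcpPacket("GE1/0/0", 3, "0000-005e-0001", "0000-005e-008a", ACK),
    ]
    return [s.process(p) for p in traffic], s


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The order of the checks in process() follows the order in which the guide lists them: the trusted-port decision comes first, then the Reply check, then the CHADDR comparison, and only then the binding table lookup, so a packet is attributed to the first check it fails and counted once.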
Procedure
- Run the display dhcp snooping global command to check information about global DHCP snooping.
- Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
----End
Procedure
- Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.
- Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.
----End
Procedure
- Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.
----End
Procedure
- Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table.
If backup is configured, the system automatically saves the binding table to the specified path every hour or after 300 dynamic binding entries are generated. If the binding table is not backed up, the dynamic DHCP snooping binding table is lost after the S9300 restarts. As a result, users that obtained IP addresses dynamically from the DHCP server cannot communicate normally and need to log in again.
----End
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack (figure: DHCP relay, DHCP server, user network)
Configuration Roadmap
The configuration roadmap is as follows (assume that the DHCP server has been configured):
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as a trusted interface.
3. Configure the user-side interface as an untrusted interface. DHCP Reply messages (Offer, ACK, and NAK messages) received from the untrusted interface are discarded.
4. Configure the packet discarding alarm function.
Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/0 being the trusted interface and GE 2/0/0 being the untrusted interface
- Alarm threshold being 120
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interface.
Step 2 Configure the interface as trusted or untrusted.
# Configure the interface at the DHCP server side as trusted.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit
# Configure the interface at the user side as untrusted. After DHCP snooping is enabled on GE 2/0/0, the mode of GE 2/0/0 is untrusted by default.
Step 3 Configure the packet discarding alarm function.
# Configure the S9300 to raise an alarm for Reply messages discarded on the untrusted interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply enable
Step 4 Verify the configuration. Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface : GigabitEthernet1/0/0
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 60
<Quidway> display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping trusted
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 60
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
Networking Requirements
As shown in Figure 3-4, the S9300 is deployed between the user network and the ISP Layer 2 network. To prevent the DoS attack by changing the CHADDR field, it is required that DHCP snooping be configured on the S9300. The CHADDR field of DHCP Request messages is checked. If the CHADDR field of a DHCP Request message matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded. The packet discarding alarm function is configured.
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field (figure: DHCP relay, DHCP server, user network)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
3. Configure the packet discarding alarm function.
Data Preparation
To complete the configuration, you need the following data:
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
Step 2 Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check mac-address enable
Step 3 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address enable
Step 4 Verify the configuration. Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 25
----End
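The verification step above is normally the point where an operator starts watching the drop counters. The following Python snippet is added here as an illustration, not Huawei code and not part of the guide: it parses the plain-text layout of the display dhcp snooping global and display dhcp snooping interface output shown in this chapter and reports which checks have reached their alarm threshold. The two output samples are constructed (the untrust-reply threshold is deliberately lowered to 20 so that one check is over its threshold), and the function names are assumptions.

```python
"""Parse 'display dhcp snooping' output and compare drop counters with alarm
thresholds. Added, constructed example; not Huawei code."""
import re

# Constructed sample of 'display dhcp snooping global' output, in the guide's layout.
GLOBAL_OUTPUT = """\
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 60
"""

# Constructed 'display dhcp snooping interface' output; the untrust-reply
# threshold is set to 20 here so that one check is over its threshold.
INTERFACE_OUTPUT = """\
dhcp snooping enable
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 25
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 20
dhcp packet dropped by untrust-reply checking = 60
"""

THRESHOLD_RE = re.compile(r"^dhcp snooping alarm (\S+) threshold (\d+)$", re.M)
DROPPED_RE = re.compile(r"^dhcp packet dropped by (\S+) checking = (\d+)$", re.M)
IFACE_LIST_RE = re.compile(
    r"^Dhcp snooping (enable|trusted) is configured at these interface :\s*(.*)$", re.M)
TOTAL_RE = re.compile(r"^dhcp packet drop count total : (\d+)$", re.M)


def parse_interface(text, default_threshold=100):
    """Map each check name to (dropped, threshold); 100 is the guide's default."""
    thresholds = {m.group(1): int(m.group(2)) for m in THRESHOLD_RE.finditer(text)}
    return {m.group(1): (int(m.group(2)), thresholds.get(m.group(1), default_threshold))
            for m in DROPPED_RE.finditer(text)}


def checks_over_threshold(text, default_threshold=100):
    """Names of checks whose drop counter has reached the alarm threshold."""
    return sorted(c for c, (n, t) in parse_interface(text, default_threshold).items()
                  if n >= t)


def parse_global(text):
    """Extract the snooping-enabled and trusted interface lists and the total drop count."""
    result = {"enabled_interfaces": [], "trusted_interfaces": [], "drop_total": 0}
    for m in IFACE_LIST_RE.finditer(text):
        names = [] if m.group(2).strip() == "NULL" else m.group(2).split()
        result["enabled_interfaces" if m.group(1) == "enable" else "trusted_interfaces"] = names
    m = TOTAL_RE.search(text)
    if m:
        result["drop_total"] = int(m.group(1))
    return result


def findings(global_text, interface_text):
    """Human-readable findings a monitoring job would raise after the verify step."""
    g = parse_global(global_text)
    out = [f"{c} drops reached alarm threshold" for c in checks_over_threshold(interface_text)]
    if g["enabled_interfaces"] and not g["trusted_interfaces"]:
        out.append("no trusted interface configured: confirm the DHCP server is reached "
                   "through an interface without DHCP snooping, or its replies are dropped")
    return out


if __name__ == "__main__":
    for line in findings(GLOBAL_OUTPUT, INTERFACE_OUTPUT):
        print(line)
```

The second finding is only a prompt to verify: as the guide states, the user-side restriction does not apply to a network-side interface, so a trusted interface is not required when the server is reached through an interface that has no DHCP snooping enabled.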
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet2/0/0
dhcp snooping enable
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
#
return
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
Networking Requirements
As shown in Figure 3-5, the S9300 is deployed between the user network and the ISP Layer 2 network. To prevent the attacker from sending bogus DHCP messages for extending IP address leases, it is required that DHCP snooping be configured on the S9300 and the DHCP snooping binding table be created. If the received DHCP Request messages match entries in the binding table, they are forwarded; otherwise, they are discarded. The packet discarding alarm function is configured.
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases (figure: DHCP relay, DHCP server, user network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Use the operation mode of the DHCP snooping binding table to check DHCP Request messages.
3. Configure the packet discarding alarm function.
4. Configure the Option 82 function and create a binding table that contains information about the interface.
Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN that each interface belongs to
- Static IP addresses from which packets are forwarded
- Alarm threshold
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
Step 2 Configure the checking of packets.
# Configure the checking of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet2/0/0] quit
Step 3 Configure static binding entries.
# Configure static binding entries assigned to the user side.
[Quidway] user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3
Step 4 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind enable
Step 5 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet2/0/0] quit
Step 6 Verify the configuration. Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and on the interface.
<Quidway> display dhcp snooping global
dhcp snooping enable
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet2/0/0
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface : GigabitEthernet2/0/0
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 45
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping enable
Run the display user-bind all command, and you can view all the static binding entries of users.
<Quidway> display user-bind all
bind-table:
ifname    O/I-vlan   mac-address       ip-address    tp   lease   vsi
-------------------------------------------------------------------------
GE2/0/0   3/ --      0000-005e-008a    10.1.1.3      S    0
-------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1
Run the display dhcp option82 interface command, and you can find that the function of inserting the Option 82 field into packets is enabled on the interface.
<Quidway> display dhcp option82 interface gigabitethernet 2/0/0
dhcp option82 insert enable
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
#
user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3
#
interface gigabitethernet 2/0/0
dhcp snooping enable
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
return
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages (figure: attacker and DHCP client on the L2 network connected to S9300 interfaces GE1/0/1 and GE1/0/2; GE2/0/1 toward the L3 network, DHCP relay and DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Set the rate of sending DHCP Request messages to the protocol stack.
3. Configure the packet discarding alarm function.
Data Preparation
To complete the configuration, you need the following data:
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interface. The configuration procedure of GE 1/0/2 is the same as the configuration procedure of GE 1/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] dhcp snooping enable
[Quidway-GigabitEthernet1/0/1] quit
Step 2 Limit the rate for sending DHCP messages.
# Enable the checking of the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
Step 3 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function.
[Quidway] dhcp snooping check dhcp-rate alarm enable
Step 4 Verify the configuration. Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally, and packet discarding alarm is enabled.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/1 GigabitEthernet1/0/2
Dhcp snooping trusted is configured at these interface :NULL
Dhcp option82 insert is configured at these interface :NULL
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0
----End
Configuration Files
#
sysname Quidway
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate
dhcp snooping check dhcp-rate
dhcp snooping check dhcp-rate
dhcp snooping check dhcp-rate
#
interface GigabitEthernet1/0/1
dhcp snooping enable
#
interface GigabitEthernet1/0/2
dhcp snooping enable
#
return
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages to extend IP address leases
- Attack by sending a large number of DHCP Request messages
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.
Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to being 10
- GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
- Rate of sending DHCP messages to the protocol stack being 90
- Mode of the Option 82 function being insert
- Alarm threshold of the number of discarded packets being 120
- Alarm threshold for checking the rate of sending packets being 80
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE 1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit
Step 2 Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on all the interfaces connecting to the DHCP client. If the interface on the client side is not configured as trusted, the default mode of the interface is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit
Step 3 Configure the checking for certain types of packets.
# Enable the checking of DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
Step 4 Configure the DHCP snooping binding table.
# If a static IP address is used, DHCP snooping static entries must be configured.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10
Step 5 Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages to prevent attackers from sending a large number of DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90
Step 6 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit
Step 7 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function, and set the alarm threshold of the number of discarded packets. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending packets, and set the alarm threshold for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
Step 8 Verify the configuration. Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/0 GigabitEthernet1/0/1
Dhcp snooping trusted is configured at these interface : GigabitEthernet2/0/0
Dhcp option82 insert is configured at these interface : GigabitEthernet1/0/0 GigabitEthernet1/0/1
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0
Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted
Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname    O/I-vlan   mac-address       ip-address    tp   lease   vsi
-------------------------------------------------------------------------
GE1/0/1   10/ --     0001-0002-0003    10.1.1.1      S    0
-------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1
Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10
#
interface GigabitEthernet1/0/0
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet1/0/1
dhcp snooping enable
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
dhcp snooping trusted
#
return
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
Networking Requirements
As shown in Figure 3-8, the S9300 is connected to the DHCP server and DHCP client; the DHCP relay function is enabled; DHCP client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured IP address. It is required that DHCP snooping be configured on the S9300 to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages for extending IP address leases
- Attack by sending a large number of DHCP Request messages
When users log out abnormally after obtaining IP addresses, the system detects this automatically, deletes the corresponding entries from the DHCP binding table, and notifies the DHCP server to release the IP addresses.
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent (figure: GE2/0/0 toward the DHCP server; DHCP client1)
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.
Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/0 belonging to VLAN 10 and GE 2/0/0 belonging to VLAN 20
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
- GE 1/0/0 configured as untrusted and GE 2/0/0 configured as trusted
- Rate of sending DHCP messages to the CPU being 90
- Mode of the Option 82 function being insert
- Alarm threshold of the number of discarded packets being 120
- Alarm threshold for checking the rate of sending packets being 80
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration. For the configuration of DHCP Relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service.
Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
Step 2 Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on the interfaces connecting to the DHCP client. If the interface on the client side is not configured as trusted, the default mode of the interface is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit
Step 3 Enable the checking for certain types of packets and configure the DHCP snooping binding table.
# Enable the checking of DHCP Request messages on the interface at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interface at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
Step 4 Configure the DHCP snooping binding table.
# If a static IP address is used, DHCP snooping static entries must be configured.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10
Step 5 Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages to prevent attackers from sending a large number of DHCP Request messages.
Step 6 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit
Step 7 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function, and set the alarm threshold of the number of discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending packets and set the alarm threshold for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
Step 8 Associate ARP with DHCP snooping.
# The system sends ARP packets to probe an IP address whose DHCP snooping entry is about to expire within the aging time and that has no ARP entry. If no user responds within the specified number of detection attempts, the system deletes the binding from the DHCP binding table and notifies the DHCP server to release the IP address.
[Quidway] arp dhcp-snooping-detect enable
Step 9 Verify the configuration. Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
Dhcp snooping enable is configured at these vlan :NULL
Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/0
Dhcp snooping trusted is configured at these interface : GigabitEthernet2/0/0
Dhcp option82 insert is configured at these interface : GigabitEthernet1/0/0
Dhcp option82 rebuild is configured at these interface :NULL
dhcp packet drop count within alarm range : 0
dhcp packet drop count total : 0
Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
dhcp snooping enable
dhcp option82 insert enable
dhcp snooping check user-bind
dhcp snooping alarm check user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp packet dropped by user-bind checking = 0
dhcp snooping check mac-address
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp packet dropped by mac-address checking = 0
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
dhcp snooping trusted
Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname     O/I-vlan   mac-address      ip-address    tp   lease   vsi
------------------------------------------------------------------------------
GE1/0/0    10/ --     0001-0002-0003   10.1.1.1      S    0
------------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1
Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
 dhcp option82 insert enable
----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
Attacks to be prevented:
- Bogus DHCP server attacks
- DoS attacks by changing the value of the CHADDR field
- Attacks by sending bogus messages for extending IP address leases
- Attacks by sending a large number of DHCP Request messages
DHCP client 1 uses the dynamically allocated IP address and DHCP client 2 uses the statically configured IP address.
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network [figure not reproduced; labels in the figure: PE1 (Loopback1 1.1.1.9/32, GE2/0/0 VLANIF10 100.1.1.1/24, GE1/0/0, GE3/0/0), PE2 (Loopback1 2.2.2.9/32, GE2/0/0 VLANIF10 100.1.1.2/24, GE2/0/1), LAN Switch, DHCP server, DHCP client1]
NOTE
Users apply to the DHCP server for IP addresses through the Layer 2 network; therefore, DHCP relay devices are not required in the preceding networking.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VPLS, which involves the following:
   - Configure the routing protocol on the backbone network to ensure the connectivity of routers.
   - Configure basic MPLS functions and establish an LSP between PEs.
   - Enable MPLS L2VPN on PEs.
   - Create a VSI on the PEs and specify LDP as the signaling protocol, and then bind the VSI to the AC interfaces.
2. Configure DHCP snooping, which involves the following:
   - Enable DHCP snooping in the system view and in the interface view, and enable DHCP snooping over VPLS.
   - Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
   - Set the maximum number of DHCP snooping users to prevent malicious IP address application, which would otherwise prevent authorized users from applying for IP addresses.
   - Configure the checking of the CHADDR value to prevent DoS attacks by changing the value of the CHADDR field.
   - Configure the checking of DHCP Request messages against the DHCP snooping binding table to prevent attacks by sending bogus messages for extending IP address leases.
   - Configure Option 82 so that the binding table covers accurate interface information.
   - Configure the alarm function.
Data Preparation
To complete the configuration, you need the following data:
- Static IP address from which packets are forwarded
- Maximum number of users
- Alarm threshold
- VSI name and VSI ID
- IP address of the peer and tunnel policy used for setting up the peer relation
- Interface bound to a VSI
NOTE
The following example only provides the configuration procedure of the S9300. For details on the configuration of other devices, see the related operation guides.
Procedure
Step 1 Configure the VPLS.
1. Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes. Assign an IP address to each interface on the PEs as shown in Figure 3-9.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 24
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<PE2> system-view
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 24
[PE2-Vlanif10] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, run the display ip routing-table command on PE1 and PE2. You can view that PEs can learn routes and ping each other. Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   1           D   100.1.1.2       Vlanif10
      100.1.1.0/24  Direct  0    0           D   100.1.1.1       Vlanif10
      100.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
<PE1> ping 100.1.1.2
  PING 100.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=2 ms
    Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 100.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms
2. Enable basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2. You can view that the Status item of the peer between PE1 and PE2 is Operational, which indicates that the peer relation is established. Run the display mpls lsp command, and you can view the establishment of the LSP. Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID        Status       LAM  SsnRole  SsnAge       KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0      Operational  DU   Passive  000:00:01    7/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
 SN  DestAddress/Mask   In/OutLabel   Next-Hop     In/OutInterface
 ------------------------------------------------------------------------------
 1   1.1.1.9/32         3/NULL        127.0.0.1    Vlanif10/InLoop0
 2   2.2.2.9/32         NULL/3        100.1.1.2    -------/Vlanif10
 ------------------------------------------------------------------------------
 TOTAL: 2 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
3. Enable MPLS L2VPN on PEs.
# Configure PE2.
[PE2] mpls l2vpn
[PE2] quit
4. Create VSIs and specify LDP as the signaling protocol of the VSIs.
# Configure PE1.
[PE1] vsi v123 static
[PE1-vsi-v123] pwsignal ldp
[PE1-vsi-v123-ldp] vsi-id 2
[PE1-vsi-v123-ldp] peer 2.2.2.9
[PE1-vsi-v123-ldp] quit
[PE1-vsi-v123] quit
# Configure PE2.
[PE2] vsi v123 static
[PE2-vsi-v123] pwsignal ldp
[PE2-vsi-v123-ldp] vsi-id 2
[PE2-vsi-v123-ldp] peer 1.1.1.9
[PE2-vsi-v123-ldp] quit
[PE2-vsi-v123] quit
5. Bind the VSI to the AC interface.
# Configure PE1.
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] l2 binding vsi v123
[PE1-Vlanif30] quit
After the configuration, run the display vsi name v123 verbose command on PE1, and you can find that VSI v123 has set up a PW to PE2 and that the status of the VSI is Up.
<PE1> display vsi name v123 verbose
 ***VSI Name               : v123
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
                           : Vlanif20
                           : up
Step 2 Configure DHCP snooping.
1. Enable DHCP snooping. Enable DHCP snooping globally and on the interfaces.
# Configure PE1.
[PE1] dhcp enable
[PE1] dhcp snooping enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping enable
[PE1-GigabitEthernet2/0/0] quit
2. Configure the trusted interface.
# Configure PE1. Configure the interface connecting to the DHCP server as a trusted interface and enable DHCP snooping on all interfaces connected to DHCP clients. An interface on which DHCP snooping is enabled is untrusted by default unless it is explicitly configured as trusted. This prevents bogus DHCP server attacks.
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping trusted
[PE1-GigabitEthernet2/0/0] quit
3. Set the maximum number of DHCP snooping users on interfaces at the DHCP client side. In this manner, malicious IP address application is prevented and authorized users can still apply for IP addresses.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
[PE1-GigabitEthernet1/0/0] quit
Configure static binding entries. If users adopt static IP addresses, you need to manually configure static DHCP snooping entries.
[PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20
4. Configure the checking of specific packets.
# Configure PE1.
# Check DHCP Request messages on the interfaces at the DHCP client side to prevent attacks by sending bogus DHCP messages to extend IP address leases.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
# Check the CHADDR field on the interfaces at the DHCP client side to prevent attacks by changing the value of the CHADDR field.
[PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[PE1-GigabitEthernet1/0/0] quit
5. Configure Option 82.
# Configure PE1.
# Configure DHCP messages to carry interface information so that the binding table covers more accurate interface information.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp option82 insert enable
[PE1-GigabitEthernet1/0/0] quit
6. Configure the alarm function.
# Configure PE1. Enable the alarm function for discarded packets and set the alarm threshold for discarded packets.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[PE1-GigabitEthernet1/0/0] quit
Enable the alarm function of limiting the rate of packets and set the alarm threshold for limiting the rate of packets.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate alarm enable
[PE1] dhcp snooping check dhcp-rate alarm threshold 80
Step 3 Verify the configuration.
After the configuration, users can dynamically apply for IP addresses.
Run the display dhcp snooping global command on PE1. You can view that DHCP snooping is enabled globally and in the interface view. You can also view the statistics on the alarms sent to the NMS.
<PE1> display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface : GigabitEthernet1/0/0 GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface : GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface : GigabitEthernet1/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0
Run the display dhcp snooping interface command on PE1, and you can view information about DHCP snooping on the interface.
<PE1> display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0
 dhcp snooping max-user-number 3000
<PE1> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping trusted
 dhcp packet dropped by untrust-reply checking = 0
Run the display user-bind all command on PE1, and you can view static binding entries of users.
<PE1> display user-bind all
bind-table:
ifname     O/I-vlan   mac-address      ip-address    tp   lease   vsi
------------------------------------------------------------------------------
GE1/0/0    20/ --     0001-0002-0003   10.1.1.1      S    0
------------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1
----End
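The following Python model is added here for illustration; it is not part of the S9300 documentation or software. It shows what the checks configured in Step 2 do to a sequence of DHCP messages: replies arriving on an untrusted port are dropped (untrust-reply), the CHADDR field is compared with the Ethernet source MAC (check mac-address), renewals and releases that name a client IP are matched against the binding table (check user-bind), a DISCOVER beyond max-user-number is dropped, and each check raises one alarm when its drop count reaches the alarm threshold. The binding table is built from a server ACK seen on the trusted port plus the static entry of this example. The port names, the MAC addresses other than 0001-0002-0003, the 2-user limit and the threshold of 2 are constructed sample values, and the message fields are a simplification of the real DHCP header.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass
class PortPolicy:
    trusted: bool = False                   # dhcp snooping trusted
    check_mac_address: bool = False         # dhcp snooping check mac-address enable
    check_user_bind: bool = False           # dhcp snooping check user-bind enable
    max_user_number: Optional[int] = None   # dhcp snooping max-user-number N
    alarm_threshold: int = 100              # dhcp snooping alarm ... threshold N (100 assumed here)


class SnoopingSwitch:
    """Binding table keyed by client IP: ip -> (mac, ingress port, vlan)."""

    def __init__(self, policy: Dict[str, PortPolicy]):
        self.policy = policy
        self.bindings: Dict[str, Tuple[str, str, int]] = {}
        self.pending: Dict[str, Tuple[str, int]] = {}  # chaddr -> (port, vlan) awaiting an ACK
        self.drops: Counter = Counter()                 # (port, reason) -> dropped packets
        self.alarms: List[Tuple[str, str]] = []

    def add_static_binding(self, ip: str, mac: str, port: str, vlan: int) -> None:
        # user-bind static ip-address ... mac-address ... interface ... vlan ...
        self.bindings[ip] = (mac, port, vlan)

    def users_on(self, port: str) -> int:
        return sum(1 for _, p, _ in self.bindings.values() if p == port)

    def _drop(self, port: str, reason: str) -> str:
        self.drops[(port, reason)] += 1
        # One alarm per (interface, check) when the drop count reaches the threshold.
        if self.drops[(port, reason)] == self.policy[port].alarm_threshold:
            self.alarms.append((port, reason))
        return "drop:" + reason

    def handle(self, msg: dict) -> str:
        port, pol = msg["port"], self.policy[msg["port"]]
        if pol.trusted:
            # A server ACK for a client first seen on an untrusted port creates a dynamic entry.
            if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
                cport, cvlan = self.pending.pop(msg["chaddr"])
                self.bindings[msg["ip"]] = (msg["chaddr"], cport, cvlan)
            return "forward"
        if msg["type"] in SERVER_MSGS:                 # bogus DHCP server on a client port
            return self._drop(port, "untrust-reply")
        if pol.check_mac_address and msg["chaddr"] != msg["src_mac"]:
            return self._drop(port, "mac-address")     # CHADDR does not match Ethernet source
        if pol.check_user_bind and msg["ip"] is not None:
            # REQUEST (renewal) or RELEASE that names a client IP must match the binding table.
            if self.bindings.get(msg["ip"]) != (msg["chaddr"], port, msg["vlan"]):
                return self._drop(port, "user-bind")
        if msg["type"] == "DISCOVER":
            if pol.max_user_number is not None and self.users_on(port) >= pol.max_user_number:
                return self._drop(port, "max-user-number")
            self.pending[msg["chaddr"]] = (port, msg["vlan"])
        return "forward"


def msg(port, mtype, src_mac, chaddr, vlan=20, ip=None):
    return {"port": port, "type": mtype, "src_mac": src_mac, "chaddr": chaddr, "vlan": vlan, "ip": ip}


def run_example():
    """Constructed traffic on the topology of this example: GE1/0/0 faces clients, GE2/0/0 the server."""
    sw = SnoopingSwitch({
        "GE1/0/0": PortPolicy(check_mac_address=True, check_user_bind=True,
                              max_user_number=2, alarm_threshold=2),
        "GE2/0/0": PortPolicy(trusted=True),
    })
    sw.add_static_binding("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20)  # the page's static entry
    good, forger, newcomer = "00e0-fc00-00aa", "00e0-fc00-00bb", "00e0-fc00-00cc"  # constructed MACs
    traffic = [
        msg("GE1/0/0", "DISCOVER", good, good),                          # legitimate client starts
        msg("GE1/0/0", "OFFER", forger, forger),                         # rogue server on client port
        msg("GE2/0/0", "ACK", "00e0-fc00-0ee0", good, ip="10.1.1.2"),    # real server assigns 10.1.1.2
        msg("GE1/0/0", "REQUEST", forger, good, ip="10.1.1.2"),          # CHADDR forged to client's MAC
        msg("GE1/0/0", "REQUEST", forger, forger, ip="10.1.1.2"),        # renew someone else's lease
        msg("GE1/0/0", "REQUEST", good, good, ip="10.1.1.2"),            # genuine renewal
        msg("GE1/0/0", "RELEASE", newcomer, newcomer, ip="10.1.1.1"),    # release the static user's IP
        msg("GE1/0/0", "DISCOVER", newcomer, newcomer),                  # third user on a 2-user port
        msg("GE1/0/0", "OFFER", forger, forger),                         # second rogue offer -> alarm
    ]
    verdicts = [sw.handle(m) for m in traffic]
    return verdicts, sw.bindings, sw.alarms
```

The order of the checks mirrors the counters shown by display dhcp snooping interface: a packet is attributed to the first check that rejects it, so a forged CHADDR is counted under mac-address even though it would also have failed the user-bind check.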
Configuration Files
#
vlan batch 10 20
#
dhcp enable
dhcp snooping enable
dhcp snooping over-vpls enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface GigabitEthernet1/0/0 vlan 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 2
  peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 l2 binding vsi v123
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping max-user-number 3000
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return
4
About This Chapter
This chapter describes the principle and configuration of ARP security features.
4.1 Introduction to ARP Security
This section describes the principle of ARP security.
4.2 ARP Security Supported by the S9300
This section describes the ARP security features supported by the S9300.
4.3 Limiting ARP Entry Learning
This section describes how to limit the learning of ARP entries.
4.4 Configuring ARP Anti-Attack
This section describes how to configure the ARP anti-attack function.
4.5 Suppressing Transmission Rate of ARP Packets
This section describes how to suppress the transmission rate of ARP packets.
4.6 Maintaining ARP Security
This section describes how to maintain ARP security.
4.7 Configuration Examples
This section provides several configuration examples of ARP security.
ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices. Attacks are classified into ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.
- ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets and gratuitous ARP packets, which results in ARP buffer overflow. Normal ARP entries then cannot be cached and packet forwarding is interrupted.
- ARP DoS attacks: Attackers send a large number of ARP request and response packets, or other packets that trigger ARP processing. The device is then busy with ARP processing for a long period and ignores other services, so normal packet forwarding is interrupted.
Attackers scan hosts on the local network segment or on other network segments with scanning tools. Before returning a response packet, the S9300 searches for the ARP entry. If no MAC address corresponding to the destination IP address exists, the ARP module on the S9300 sends an ARP Miss message to the upper-layer software and requires it to send ARP request packets to obtain the destination MAC address. A large number of scanning packets generate a large number of ARP Miss messages, and system resources are wasted processing them. This affects the processing of other services, and the behaviour is therefore called a scanning attack.
ARP Security
ARP security is used to filter out untrusted ARP packets and enable timestamp suppression for certain ARP packets to guarantee the security and robustness of network devices.
ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network.
The S9300 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address to be modified through ARP entry learning until this ARP entry ages. Thus the S9300 prevents the ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, the MAC address cannot be modified, but the VLAN and interface can be; in fixed-all mode, the MAC address, VLAN, and interface cannot be modified.
- Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP packet requesting the modification of a MAC address. Instead, the S9300 sends a unicast packet for acknowledgement to the user matching this MAC address in the original ARP table.
The S9300 treats an ARP packet as carrying a bogus gateway address in either of the following situations:
- The source IP address in the ARP packet is the same as the IP address of the interface that receives the packet.
- The source IP address in the ARP packet is the virtual IP address of the incoming interface, but the source MAC address of the ARP packet is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address mode.
In either situation, the S9300 generates an ARP anti-attack entry and discards packets with the same source MAC address in the Ethernet header for a period (the default value is three minutes). This prevents ARP packets with the bogus gateway address from being broadcast on a VLAN.
and the triggered rate exceeds the set threshold, the S9300 considers that an attack occurs. In this case, the S9300 delivers ACL rules to discard the IP packets sent from this address in a period (the default value is 50 seconds).
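As an added illustration that is not Huawei code, the following Python model implements the fixed-mac, fixed-all and send-ack entry-check modes and the gateway anti-collision entry described above. The 1200-second ARP aging time and all addresses are constructed sample values; the 180-second hold time is the three-minute default stated in the text. In send-ack mode the model applies the change only if the current owner does not answer the unicast probe, which is an assumption about behaviour the text does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ARP_AGING = 1200          # seconds before a learned entry ages out (constructed sample value)
GW_CONFLICT_HOLD = 180    # "the default value is three minutes" for the anti-attack entry


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    iface: str
    learned_at: float


class ArpSecurity:
    def __init__(self, entry_check: Optional[str] = None):
        self.mode = entry_check                      # None, "fixed-mac", "fixed-all" or "send-ack"
        self.table: Dict[str, ArpEntry] = {}
        self.pending: Dict[str, ArpEntry] = {}       # send-ack: proposed change awaiting the probe
        self.gw_conflicts: Dict[str, float] = {}     # offending source MAC -> entry expiry time

    def learn(self, ip: str, mac: str, vlan: int, iface: str, now: float) -> str:
        cur = self.table.get(ip)
        if cur is None or now - cur.learned_at >= ARP_AGING:
            self.table[ip] = ArpEntry(mac, vlan, iface, now)   # new or aged entry: learn freely
            return "learned"
        if (cur.mac, cur.vlan, cur.iface) == (mac, vlan, iface):
            cur.learned_at = now
            return "refreshed"
        if self.mode == "fixed-all":
            return "rejected"                 # MAC, VLAN and interface are all pinned until aging
        if self.mode == "fixed-mac" and mac != cur.mac:
            return "rejected"                 # MAC pinned; VLAN/interface moves are still allowed
        if self.mode == "send-ack" and mac != cur.mac:
            self.pending[ip] = ArpEntry(mac, vlan, iface, now)
            return "probe:" + cur.mac         # unicast ARP to the current owner before changing
        self.table[ip] = ArpEntry(mac, vlan, iface, now)
        return "updated"

    def probe_result(self, ip: str, owner_replied: bool) -> str:
        # Assumption: the change is applied only if the current owner stays silent.
        proposed = self.pending.pop(ip)
        if owner_replied:
            return "kept"
        self.table[ip] = proposed
        return "updated"

    def check_gateway(self, iface_ip: str, sender_ip: str, src_mac: str, now: float,
                      vrrp: Optional[Tuple[str, str]] = None) -> str:
        """Gateway anti-collision on one interface; vrrp = (virtual IP, virtual MAC) if any."""
        expiry = self.gw_conflicts.get(src_mac)
        if expiry is not None and now < expiry:
            return "drop:conflict-active"     # everything from this MAC is dropped for 3 minutes
        bogus_gateway = sender_ip == iface_ip or (
            vrrp is not None and sender_ip == vrrp[0] and src_mac != vrrp[1])
        if bogus_gateway:
            self.gw_conflicts[src_mac] = now + GW_CONFLICT_HOLD
            return "drop:gateway-collision"
        return "forward"


def run_example():
    """Constructed sample events (addresses are examples, not from the page)."""
    out = {}
    for mode in ("fixed-mac", "fixed-all"):
        a = ArpSecurity(mode)
        out[mode] = [
            a.learn("10.1.1.1", "00e0-fc00-000a", 10, "GE1/0/1", 0),
            a.learn("10.1.1.1", "00e0-fc00-000b", 10, "GE1/0/1", 5),      # spoofer claims the IP
            a.learn("10.1.1.1", "00e0-fc00-000a", 10, "GE1/0/2", 6),      # same MAC, moved port
            a.learn("10.1.1.1", "00e0-fc00-000b", 10, "GE1/0/2", 1300),   # entry has aged out
        ]
    s = ArpSecurity("send-ack")
    out["send-ack"] = [s.learn("10.1.1.1", "00e0-fc00-000a", 10, "GE1/0/1", 0),
                       s.learn("10.1.1.1", "00e0-fc00-000b", 10, "GE1/0/1", 5),
                       s.probe_result("10.1.1.1", owner_replied=True),    # owner answers: keep
                       s.learn("10.1.1.1", "00e0-fc00-000b", 10, "GE1/0/1", 20),
                       s.probe_result("10.1.1.1", owner_replied=False),   # owner silent: update
                       s.table["10.1.1.1"].mac]
    g = ArpSecurity()
    vip = ("10.1.1.253", "0000-5e00-0101")        # VRRP virtual IP / virtual MAC (constructed)
    out["gateway"] = [
        g.check_gateway("10.1.1.254", "10.1.1.5", "00e0-fc00-0011", 0, vip),      # ordinary host
        g.check_gateway("10.1.1.254", "10.1.1.254", "00e0-fc00-0011", 1, vip),    # claims gateway IP
        g.check_gateway("10.1.1.254", "10.1.1.7", "00e0-fc00-0011", 10, vip),     # still held
        g.check_gateway("10.1.1.254", "10.1.1.7", "00e0-fc00-0011", 200, vip),    # 3 min elapsed
        g.check_gateway("10.1.1.254", "10.1.1.253", "00e0-fc00-0022", 201, vip),  # VIP, wrong MAC
        g.check_gateway("10.1.1.254", "10.1.1.253", "0000-5e00-0101", 202, vip),  # VRRP master
    ]
    return out
```

The fixed-mac run shows the trade-off the text describes: a host that genuinely moves ports is re-learned at once, while a change of MAC for an existing IP is refused until the entry ages; fixed-all refuses both.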
Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol
Data Preparation
To configure the limitation on ARP entry learning, you need the following data.
No.   Data
1     Type and number of the interface where you need to configure the limitation on ARP entry learning
Procedure
- Configuring strict ARP entry learning globally
1. Run:
system-view
Strict ARP learning is enabled. By default, strict ARP learning is disabled on the S9300.
- Configuring strict ARP entry learning on an interface
1. Run:
system-view
force-enable: enables strict ARP entry learning on an interface.
force-disable: disables strict ARP entry learning on an interface.
trust: indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally.
By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.
- Configuring strict ARP entry learning on a GE or Ethernet subinterface
1. Run:
system-view
The strict ARP entry learning function is enabled on the GE or Ethernet subinterface.
force-enable: enables strict ARP entry learning on a GE or Ethernet subinterface.
force-disable: disables strict ARP entry learning on a GE or Ethernet subinterface.
trust: indicates that the configuration of strict ARP entry learning on a GE or Ethernet subinterface is the same as that configured globally.
By default, the configuration of strict ARP entry learning on a GE or Ethernet subinterface is the same as that configured globally.
- Configuring strict ARP entry learning on an Eth-Trunk subinterface
1. Run:
system-view
The strict ARP entry learning function is enabled on the Eth-Trunk subinterface.
force-enable: enables strict ARP entry learning on an Eth-Trunk subinterface.
force-disable: disables strict ARP entry learning on an Eth-Trunk subinterface.
trust: indicates that the configuration of strict ARP entry learning on an Eth-Trunk subinterface is the same as that configured globally.
By default, the configuration of strict ARP entry learning on an Eth-Trunk subinterface is the same as that configured globally.
----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be a GE interface, an Ethernet interface, an Eth-Trunk, or a VLANIF interface.
Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ]] maximum maximum
Interface-based ARP entry limitation is configured. The vlan parameter can be used only on GE interfaces, Ethernet interfaces, or Eth-Trunks.
----End
Procedure
- Run the display arp learning strict command to view the configuration of strict ARP entry learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned by an interface or a VLAN.
----End
Example
Run the display arp learning strict command, and you can view the configuration of strict ARP entry learning.
<Quidway> display arp learning strict
The global configuration:arp learning strict
interface                        LearningStrictState
------------------------------------------------------------
Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can view the maximum number of ARP entries that can be learned by an interface or a VLAN.
<Quidway> display arp-limit interface GigabitEthernet 1/0/10
interface               LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
GigabitEthernet1/0/10   1000       3        0
GigabitEthernet1/0/10   1000       4        0
GigabitEthernet1/0/10   1000       5        0
GigabitEthernet1/0/10   1000       6        0
GigabitEthernet1/0/10   1000       7        0
GigabitEthernet1/0/10   1000       8        0
GigabitEthernet1/0/10   1000       9        0
GigabitEthernet1/0/10   1000       10       0
--------------------------------------------------------------------------
Total:8
<Quidway> display arp-limit vlan 3
interface               LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
GigabitEthernet1/0/10   1000       3        0
--------------------------------------------------------------------------
Total:1
To prevent attackers from forging the ARP packets of authorized users and modifying the ARP entries on the gateway, you can configure the ARP address anti-spoofing function. To prevent attackers from forging the gateway address, sending gratuitous ARP packets whose source IP addresses are the gateway address on the LAN, and thus making the host change the gateway address into the address of the attacker, you can configure the ARP gateway anti-collision function. To prevent unauthorized users from accessing external networks by sending ARP packets to the S9300, you can configure the ARP packet checking function.
Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol
Data Preparation
To configure ARP anti-attack, you need the following data.
No.   Data
1     (Optional) Alarm threshold of the ARP packets discarded because they do not match the binding table
The ARP anti-spoofing function is enabled. You can use only one ARP anti-spoofing mode. If an ARP anti-spoofing mode is already used, the latest configuration overrides the previous configuration. By default, the ARP anti-spoofing function is disabled on the S9300. ----End
Procedure
Step 1 Run:
system-view
The ARP anti-attack function for preventing ARP packets with the bogus gateway address is enabled. After this function is enabled, the ARP packets with the bogus gateway address on an interface of the S9300 are not broadcast to other interfaces. By default, this function is disabled on the S9300. ----End
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, you need to configure the binding entry of the user manually. A DHCP snooping binding entry consists of the IP address, MAC address, interface number, and VLAN ID of a user. For the configuration of DHCP snooping, see 3.3.2 Enabling DHCP Snooping. For the configuration of a static binding entry, see 5.3.2 (Optional) Configuring a Static User Binding Entry.
Procedure
Step 1 Run:
system-view
The IP source guard function is enabled on the interface. By default, the IP source guard function is not enabled on interfaces or on the interfaces in a VLAN.
Step 4 In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }*
The check items of ARP packets are configured. By default, the check items are the IP address, MAC address, VLAN, and interface. Packets that do not match the binding table are discarded.
Step 5 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm enable
The alarm function for discarded ARP packets is enabled. By default, the alarm function is disabled.
Step 6 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm threshold threshold
The alarm threshold for the number of ARP packets discarded because they do not match the binding table is set. By default, the alarm threshold is the same as the threshold set by the arp anti-attack check user-bind alarm threshold command run in the system view. If no alarm threshold is set in the system view, the default threshold on the interface is 100.
----End
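To make the check items and the threshold fallback concrete, here is an added Python model (not Huawei code) of Steps 3 to 6: each enabled interface matches ARP packets against the binding table using only its configured check items (the interface is always compared), drops packets that match no entry, and raises an alarm when the drop count reaches the interface threshold, else the system-view threshold, else 100. The bindings other than the 10.1.1.1 static entry, the interface names and the thresholds 2 and 60 are constructed sample values.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

Binding = Tuple[str, str, int, str]   # (ip, mac, vlan, interface): one DHCP snooping or static entry
DEFAULT_THRESHOLD = 100               # interface default when no system-view threshold is set


class ArpUserBindCheck:
    def __init__(self, bindings: Iterable[Binding], system_threshold: Optional[int] = None):
        self.bindings = list(bindings)
        self.system_threshold = system_threshold   # threshold set in the system view, if any
        self.items: Dict[str, Set[str]] = {}       # interface -> configured check items
        self.alarm_on: Set[str] = set()
        self.threshold: Dict[str, int] = {}        # interface-view thresholds
        self.drops: Counter = Counter()
        self.alarms: List[str] = []

    def enable(self, iface: str, check_items: Optional[Set[str]] = None,
               alarm: bool = False, threshold: Optional[int] = None) -> None:
        # Steps 3 to 6 on one interface. Default items: IP address, MAC address, VLAN.
        self.items[iface] = set(check_items) if check_items else {"ip-address", "mac-address", "vlan"}
        if alarm:
            self.alarm_on.add(iface)
        if threshold is not None:
            self.threshold[iface] = threshold

    def threshold_for(self, iface: str) -> int:
        if iface in self.threshold:
            return self.threshold[iface]
        return self.system_threshold if self.system_threshold is not None else DEFAULT_THRESHOLD

    def check(self, iface: str, sender_ip: str, sender_mac: str, vlan: int) -> str:
        if iface not in self.items:
            return "forward"                       # IP source guard not enabled on this interface
        items = self.items[iface]
        for b_ip, b_mac, b_vlan, b_iface in self.bindings:
            if b_iface != iface:                   # the interface is always part of the match
                continue
            if "ip-address" in items and b_ip != sender_ip:
                continue
            if "mac-address" in items and b_mac != sender_mac:
                continue
            if "vlan" in items and b_vlan != vlan:
                continue
            return "forward"                       # matched an entry on all configured items
        self.drops[iface] += 1
        if iface in self.alarm_on and self.drops[iface] == self.threshold_for(iface):
            self.alarms.append(iface)
        return "drop"


def run_example():
    """Constructed bindings and ARP senders; the 10.1.1.1 entry is the page's static binding."""
    chk = ArpUserBindCheck(
        [("10.1.1.1", "0001-0002-0003", 20, "GE1/0/0"),
         ("10.1.1.2", "00e0-fc00-00aa", 20, "GE1/0/0"),
         ("10.1.1.3", "00e0-fc00-00cc", 30, "GE1/0/1")],
        system_threshold=60)
    chk.enable("GE1/0/0", alarm=True, threshold=2)                 # full check, explicit threshold
    chk.enable("GE1/0/1", check_items={"ip-address"}, alarm=True)  # weaker: IP only, inherits 60
    verdicts = [
        chk.check("GE1/0/0", "10.1.1.1", "0001-0002-0003", 20),   # matches the static entry
        chk.check("GE1/0/0", "10.1.1.1", "0001-0002-0003", 30),   # wrong VLAN
        chk.check("GE1/0/0", "10.1.1.9", "00e0-fc00-00aa", 20),   # bound MAC claiming another IP
        chk.check("GE1/0/1", "10.1.1.2", "00e0-fc00-00aa", 20),   # right user, wrong interface
        chk.check("GE1/0/1", "10.1.1.3", "dead-beef-0001", 30),   # IP-only check ignores the MAC
        chk.check("GE2/0/0", "10.9.9.9", "dead-beef-0002", 99),   # no IP source guard here
    ]
    return verdicts, chk.alarms, chk.threshold_for("GE1/0/1")
```

The fifth packet shows why narrowing the check items weakens the protection: with only ip-address configured, a different MAC presenting a bound IP passes, which is exactly the spoofing case the full check rejects.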
Procedure
Step 1 Run:
system-view
ARP proxy is enabled on the S9300 of a VPLS network. By default, ARP proxy is disabled on the S9300 of a VPLS network. On a VPLS network, after the arp over-vpls enable command is run on the S9300, ARP packets on the PW are sent to the main control board for processing.
If the ARP packets are ARP request packets and the destination IP address of a packet matches an entry in the DHCP snooping binding table, the S9300 constructs an ARP reply packet and sends it to the requester on the PW. Attacks caused by PW-side ARP packets being broadcast to the AC on a VPLS network are thus prevented. If the ARP packets are not ARP request packets, or they are ARP request packets but the destination IP address does not match any entry in the DHCP snooping binding table, the ARP packets are forwarded normally.
The arp over-vpls enable command needs to be used with DHCP snooping over VPLS because the DHCP snooping binding table is used. For the configuration of DHCP snooping over VPLS, see 3.3.2 Enabling DHCP Snooping. ----End
Procedure
Step 1 Run:
system-view
The S9300 is configured to learn ARP entries according to the DHCP ACK message received on the VLANIF interface, and to discard ARP request packets for querying the destination host of the network segment of the interface. By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages. When the traffic passes, ARP learning is triggered.
NOTE
- To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on the VLANIF interface.
- If the DHCP user and DHCP server are located on the same network segment, you cannot use the arp learning dhcp-trigger command.
----End
If the function is enabled in the system view, all the interfaces of the S9300 discard the gratuitous ARP packets. If the function is enabled in the VLANIF interface view, the VLANIF interface discards the gratuitous ARP packets. Before enabling an interface to discard gratuitous ARP packets, you do not need to enable the function globally.
Procedure
- Enabling the function of discarding gratuitous ARP packets globally
1. Run:
system-view
The S9300 is enabled to discard gratuitous ARP packets. By default, the S9300 does not discard gratuitous ARP packets.
- Enabling the function of discarding gratuitous ARP packets on a VLANIF interface
1. Run:
system-view
The VLANIF interface view is displayed. Generally, this function is enabled on the user-side interface.
3. Run:
arp anti-attack gratuitous-arp drop
The interface is enabled to discard gratuitous ARP packets. By default, the interfaces of the S9300 do not discard gratuitous ARP packets. ----End
Procedure
Step 1 Run:
system-view
Log and alarm functions are enabled for potential attacks. time specifies the interval for writing an ARP log and sending an alarm. By default, the value is 0, indicating that log and alarm functions are disabled. ----End
Procedure
l Run the display arp anti-attack configuration { entry-check | gateway-duplicate | log-trap-timer | all } command to check the configuration of ARP anti-attack.
l Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks on the network.
l Run the display arp anti-attack check user-bind interface interface-type interface-number command to check the configuration of the binding table used for checking ARP packets.
----End
Example
Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)
Run the display arp anti-attack gateway-duplicate item command, and you can view information about bogus gateway address attack on the network.
<Quidway> display arp anti-attack gateway-duplicate item
interface             IP address  MAC address     VLANID  aging time
------------------------------------------------------------------------------
GigabitEthernet1/0/1  2.1.1.1     0000-0000-0002  2       153
GigabitEthernet1/0/1  2.1.1.1     0000-0000-0004  2       179
------------------------------------------------------------------------------
There are 2 records in gateway conflict table
Run the display arp anti-attack check user-bind interface interface-type interface-number command, and you can view the configuration of the binding table for checking ARP packets.
<Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
ARP packet drop count = 10
To prevent excessive ARP packets from increasing the CPU workload and occupying excessive ARP entries, you can suppress the transmission rate of ARP packets. Then the transmission rate of the ARP packets transmitted to the main control board is limited. To prevent a host from sending excessive IP packets whose destination IP addresses cannot be resolved, you can suppress the source IP address that sends the packets, that is, configure the suppression on ARP Miss source. Then these IP packets are discarded. After the IP source guard function is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for check. If excessive ARP packets are sent to the security module, the security module will be impacted. In this case, you can suppress the transmission rate of the ARP packets; the packets that exceed the transmission rate are discarded.
Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
l Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol
Data Preparation
To configure ARP suppression, you need the following data.
No.  Data
1    Maximum transmission rate of the ARP packets sent by a specified source IP address
     (Optional) Source IP address and maximum transmission rate of the ARP packets sent by a specified source IP address
2    Maximum transmission rate of the ARP Miss packets sent by a specified source IP address
     (Optional) Source IP address and maximum transmission rate of the ARP Miss packets sent by a specified source IP address
3    Maximum transmission rate of the ARP packets sent to the security module
     (Optional) Alarm threshold of the number of ARP packets discarded because they exceed the transmission rate
Procedure
Step 1 Run:
system-view
The suppression rate of ARP packets with a specified source IP address is set. After the preceding configurations are complete, the suppression rate of ARP packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP packets with other source IP addresses is the value specified by maximum in step 2. If the suppression rate of ARP packets is set to 0, it indicates that ARP packets are not suppressed. By default, the suppression rate of ARP packets is 5 pps. ----End
Procedure
Step 1 Run:
system-view
The suppression rate of ARP Miss packets is set.
Step 3 (Optional) Run:
arp-miss speed-limit source-ip ip-address maximum maximum
The suppression rate of ARP Miss packets with a specified source IP address is set. After the preceding configurations are complete, the suppression rate of ARP Miss packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP Miss packets with other source IP addresses is the value specified by maximum in step 2. If the suppression rate of ARP Miss packets is set to 0, ARP Miss packets are not suppressed. By default, the suppression rate of ARP Miss packets is 5 pps. ----End
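The per-source suppression semantics shared by the ARP and ARP Miss speed-limit procedures above (a source with its own maximum uses that value, every other source uses the global maximum, and 0 disables suppression) as an added Python model; it is not S9300 code. It assumes a fixed one-second window is an adequate stand-in for the switch's pps limiter; the class and function names are mine.

```python
from collections import defaultdict
from ipaddress import ip_address


class SourceRateLimiter:
    """Per-source packets-per-second ceiling, counted in fixed one-second windows."""

    def __init__(self, default_pps, per_source=None):
        # default_pps plays the role of the "Others" row; per_source maps an
        # address string to its own maximum (0 = suppression disabled for it).
        self.default_pps = default_pps
        self.per_source = {ip_address(ip): pps for ip, pps in (per_source or {}).items()}
        self._admitted = defaultdict(int)   # (source, window) -> packets admitted
        self._dropped = defaultdict(int)    # source -> packets dropped

    def limit_for(self, src):
        """Effective maximum for a source: its own entry if configured, else the global one."""
        return self.per_source.get(ip_address(src), self.default_pps)

    def admit(self, src, timestamp):
        """Return True if the packet is forwarded, False if it is discarded."""
        limit = self.limit_for(src)
        if limit == 0:
            return True                      # rate=0 means the function is disabled
        src = ip_address(src)
        key = (src, int(timestamp))          # a new window starts every whole second
        if self._admitted[key] < limit:
            self._admitted[key] += 1
            return True
        self._dropped[src] += 1
        return False

    def dropped_for(self, src):
        """Packets discarded for a source so far (the input an alarm threshold would use)."""
        return self._dropped[ip_address(src)]

    def configuration_rows(self):
        """Rows shaped like the 'speed-limit for source-IP configuration' display."""
        rows = [(str(ip), pps) for ip, pps in
                sorted(self.per_source.items(), key=lambda kv: str(kv[0]))]
        rows.append(("Others", self.default_pps))
        return rows


def run_burst(limiter, src, count, timestamp):
    """Offer `count` packets from `src` within one window; return (admitted, dropped)."""
    admitted = sum(1 for _ in range(count) if limiter.admit(src, timestamp))
    return admitted, count - admitted


if __name__ == "__main__":
    # Rates from the configuration example in this chapter (User 4 at 200 pps,
    # everyone else at 300 pps); the 0-rate entry is constructed to show "disabled".
    lim = SourceRateLimiter(300, {"2.2.4.2": 200, "10.0.0.8": 0})
    for src in ("2.2.4.2", "2.2.1.1", "10.0.0.8"):
        print(src, run_burst(lim, src, 500, 0))
```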
Procedure
Step 1 Run:
system-view
The suppression time for the S9300 to send ARP Miss messages is set. By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds. ----End
Procedure
Step 1 Run:
system-view
The transmission rate of ARP packets is limited. By default, ARP suppression is disabled globally.
Step 3 Run:
arp anti-attack rate-limit limit
The threshold for the transmission rate of ARP packets is set. After the threshold is set, the excessive packets are discarded. By default, the threshold for the transmission rate of ARP packets is 100 pps.
Step 4 (Optional) Run:
arp anti-attack rate-limit alarm enable
The alarm function for the ARP packets discarded because the transmission rate is exceeded is enabled. By default, the alarm function is disabled.
The alarm threshold of the number of ARP packets discarded because the transmission rate is exceeded is set. By default, the alarm threshold of discarded ARP packets is 5. ----End
Procedure
l Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speedlimit | all } command to view the configuration of ARP source suppression.
----End
Example
Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address   suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1     200
10.0.0.3     300
10.0.0.8     0
2.1.1.10     1000
Others       500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address   suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1     200
10.0.0.2     300
10.0.0.8     0
2.1.1.10     1000
Others       500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
4.6.1 Displaying the Statistics About ARP Packets
4.6.2 Clearing the Statistics on ARP Packets
4.6.3 Clearing the Statistics on Discarded ARP Packets
4.6.4 Debugging ARP Packets
----End
Example
Run the display arp packet statistics command, and you can view the statistics on ARP packets.
<Quidway> display arp packet statistics
ARP Pkt Received: sum 25959
ARP Learnt Count: sum 3
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other: sum 23
CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command. Run the following command in the user view to clear the statistics.
Procedure
l Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP packets.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the command. To clear the statistics on discarded ARP packets, run the following commands in the user view.
Procedure
l Run the reset arp anti-attack statistics check user-bind { global | interface interface-type interface-number } command to clear the statistics on the packets discarded because they do not match the binding table.
l Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately. If a running fault occurs, run the following debugging commands in the user view to locate the fault.
Procedure
l Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command to debug ARP packets.
l Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets.
----End
The server may send several packets with an unreachable destination IP address, and the number of these packets is larger than the number of packets from common users. After virus attacks occur on User 1, a large number of ARP packets are sent. Among these packets, the source IP address of certain ARP packets changes on the local network segment and the source IP address of certain ARP packets is the same as the IP address of the gateway. User 3 constructs a large number of ARP packets with a fixed IP address to attack the network. User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.
It is required that ARP security functions be configured on the S9300 to prevent the preceding attacks. The suppression rate of ARP Miss packets set on the server should be greater than the suppression rate of other users.
Figure 4-1 Networking diagram for configuring ARP security functions
[Figure 4-1 residue: S9300 with interfaces GE1/0/1, GE1/0/2 and GE1/0/3; Server; VLAN10 and VLAN20; User1, User2, User3 and User4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Configure interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.
Data Preparation
To complete the configuration, you need the following data:
l Number of limited ARP entries on the interface being 20
l Anti-spoofing mode used to prevent attacks that are initiated by User 1 being fixed-mac
l IP address of the server being 2.2.2.2/24
l IP address of User 4 that sends a large number of ARP packets being 2.2.4.2/24
l Maximum suppression rate for ARP packets of User 4 being 200 pps and maximum suppression rate for ARP packets of other users being 300 pps
l Maximum suppression rate for ARP Miss packets of common users being 400 pps and maximum suppression rate for ARP Miss packets on the server being 1000 pps
l Interval for writing an ARP log and sending an alarm being 30 seconds
Procedure
Step 1 Enable strict ARP learning.
<Quidway> system-view
[Quidway] arp learning strict
Step 2 Configure interface-based ARP entry restriction.
# The number of limited ARP entries on each interface is 20. The following lists the configuration of GE 1/0/1; the configurations of the other interfaces are the same as the configuration of GE 1/0/1.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp-limit vlan 10 maximum 20
[Quidway-GigabitEthernet1/0/1] quit
Step 3 Enable the ARP anti-spoofing function.
# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by User 1.
[Quidway] arp anti-attack entry-check fixed-mac enable
Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address to prevent User 1 from sending ARP packets with the bogus gateway address.
[Quidway] arp anti-attack gateway-duplicate enable
Step 5 Configure the rate suppression function for ARP packets.
# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the suppression rate for ARP packets of the system to 300 pps.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 200
Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 400
# Set the suppression rate for ARP Miss packets on the server to 1000 pps to prevent the server from sending a large number of IP packets with an unreachable destination IP address, and to prevent communication on the network when the rate for the server to send IP packets with an unreachable destination IP address is not as required.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
Step 8 Verify the configuration.
After the configuration, run the display arp learning strict command, and you can view information about strict ARP learning.
<Quidway> display arp learning strict
The global configuration:arp learning strict
interface             LearningStrictState
----------------------------------------------------------------------------------------------------------------------
Total:0    force-enable:0    force-disable:0
You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface.
<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface             LimitNum  VlanID  LearnedNum(Mainboard)
--------------------------------------------------------------------------
GigabitEthernet1/0/1  20        10      0
--------------------------------------------------------------------------
Total:1
You can use the display arp anti-attack configuration all command to check the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address   suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.4.2      200
Others       300
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address   suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.2.2      1000
Others       400
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.
You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries. In addition, you can also use the display arp anti-attack gateway-duplicate item command to view information about attacks from the packets with the forged gateway address on the current network.
<Quidway> display arp packet statistics
ARP Pkt Received: sum 167
ARP Learnt Count: sum 8
ARP Pkt Discard For Limit: sum 5
ARP Pkt Discard For SpeedLimit: sum
ARP Pkt Discard For Other: sum 3
----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 300
arp-miss speed-limit source-ip maximum 400
arp learning strict
arp anti-attack log-trap-timer 30
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
arp speed-limit source-ip 2.2.4.2 maximum 200
#
interface GigabitEthernet 1/0/1
 port hybrid pvid vlan 10
 port hybrid tagged vlan 10
 arp-limit vlan 10 maximum 20
#
interface GigabitEthernet 1/0/2
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
 arp-limit vlan 20 maximum 20
#
interface GigabitEthernet 1/0/3
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
 arp-limit vlan 30 maximum 20
#
return
the-middle attacks, you can configure the IP source guard function. After the IP source guard function is configured on the S9300, the S9300 checks the IP packets against the binding table. Only the IP packets that match an entry in the binding table are forwarded; all other IP packets are discarded. In addition, you can enable the alarm function for discarded packets.
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks
[Figure 4-2 residue: Client; S9300]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.
Data Preparation
To complete the configuration, you need the following data:
l Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2
l Check items: IP address + MAC address
l Alarm threshold of the number of discarded ARP packets: 80
l IP address of the client configured in the static binding table: 10.0.0.1/2; MAC address: 1-1-1; VLAN ID: 10
Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to the client.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit
Step 2 Configure the check items of the static binding table.
# Configure Client in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10
Step 3 Configure the alarm function for discarded packets.
# Set the alarm threshold of the ARP packets discarded because they do not match the binding table.
[Quidway] arp anti-attack check user-bind alarm threshold 80
Step 4 Verify the configuration.
Run the display this command, and you can view the global alarm threshold set for the ARP packets discarded because they do not match the binding table. The alarm threshold takes effect on all interfaces.
<Quidway> display this
#
arp anti-attack check user-bind alarm threshold 80
Run the display arp anti-attack check user-bind interface command, and you can view the configuration of the IP source guard function on the interface.
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 0
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 20
The preceding information indicates that GE 1/0/1 does not discard ARP packets, whereas GE 1/0/2 has discarded ARP packets. It indicates that the anti-attack function takes effect. ----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
arp anti-attack check user-bind alarm threshold 80
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10
#
interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
interface gigabitethernet 1/0/2
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
return
IP Source Guard
IP source guard is a measure to filter the IP packets on interfaces. Thus the invalid packets cannot pass through the interfaces and the security of the interfaces is improved. The attacker sends a packet carrying the IP address and MAC address of an authorized user to the server. The server considers the attacker as an authorized user and learns the IP address and MAC address. The actual user, however, cannot obtain service from the server. Figure 5-1 shows the diagram of IP/MAC spoofing attack. Figure 5-1 Diagram of IP/MAC spoofing attack
[Figure 5-1 residue: DHCP server IP:1.1.1.1/24 MAC:1-1-1; host IP:1.1.1.3/24 MAC:3-3-3; S9300]
To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S9300. Then the S9300 matches the IP packets reaching an interface with the entries in the binding table. If the packets match entries in the binding table, the packets can pass through the interface; otherwise, the packets are discarded.
IP Source Trail
The IP source trail function is a policy for defending against DoS attacks: it traces the source of suspected attack traffic and takes corresponding measures once the traffic is judged to be an attack. In the tracing of the attack sources, the attack sources are judged according to traffic statistics that are collected based on the destination IP address (victim), source IP address, and inbound interface of packets. The main process of the IP Source Trail function is as follows:
1. After confirming that a user is attacked, configure the IP Source Trail function based on the IP address of the user.
2. The CPU of the LPU collects statistics about packets with the destination address being the victim IP address. Such information is regularly sent to the CPU of the main control board or is available upon the request of the main control board.
3. The main control board confirms the attack source based on the received statistics. The administrator configures an ACL on the interface directly connected to the possible attack source and sets the ACL action to deny.
URPF
Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking packets from bogus source addresses. As shown in Figure 5-2, S9300-A forges packets with the source address 2.1.1.1 and sends a request to S9300-B. S9300-B sends a packet to the real source address 2.1.1.1 to respond to the request. In this way, S9300-A attacks both S9300-B and S9300-C by sending the illegal packet.
Figure 5-2 Diagram of the URPF function
[Figure 5-2 residue: S9300-A (1.1.1.1/24, forged source address 2.1.1.1/24), S9300-B, S9300-C (2.1.1.1/24)]
When a packet is sent to a URPF-enabled interface, URPF obtains the source address and inbound interface of the packet. URPF searches for the entry corresponding to the source address in the forwarding table. If the entry is found, URPF checks whether the outbound interface of the entry is the same as the inbound interface of the packet. If the actual inbound interface is different from the outbound interface found in the forwarding table, the packet is discarded. In this way, URPF can protect the network against malicious attacks initiated by modifying the source address.
IP Source Guard
The IP Source Guard feature is used to check the IP packets according to the binding table, including source IP addresses, source MAC addresses, and VLAN. In addition, the S9300 can check IP packets based on:
l IP+MAC
IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from users.
After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users. When users use static IP addresses, you need to configure the binding table by running commands.
NOTE
IP Source Trail
NOTE
Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.
l The IP source trail feature of the S9300 is based on the destination IP addresses. The IP Source Trail feature is configured according to the IP address of the attacked user. The CPU of the LPU collects statistics about packets with the user IP address as the destination address. Such information is regularly sent to the CPU of the main control board or available when required by the main control board.
Querying statistics about the IP Source Trail is supported globally. The global query of the statistics provides the brief mode and detailed mode:
l In brief mode, information about the source address, source interface, total traffic (the number of bytes and packets), and the average rate (bps and pps) of the traffic in a period of time is exported.
l In detailed mode, information about the current rate of the traffic, the maximum rate, and the start time and end time of the traffic (the query time is displayed if the traffic has not ended when it is queried) is exported in addition to the information exported in brief mode.
Querying statistics about the IP Source Trail based on board is supported. When the statistics are queried based on board, the main control board finds the cached statistics result according to the destination IP address and displays records from the specified board in brief mode.
URPF
URPF only functions at the inbound interface of the S9300. If URPF is enabled on an interface, the URPF check is conducted to packets received by the interface. The S9300 supports two kinds of URPF check modes: strict check and loose check.
l Strict check: The source addresses of packets must exist in the FIB table of the S9300. Packets can be forwarded only when the outbound interface of the matching FIB entry is the same as the inbound interface of the packets. Otherwise, packets are dropped.
l Loose check: The source addresses of packets must exist in the FIB table of the S9300, but packets are forwarded regardless of whether the corresponding outbound interfaces match the inbound interfaces of the packets.
NOTE
The S9300 supports the checking of the source IPv4 addresses and source IPv6 addresses of the packets passing the inbound interface.
Pre-configuration Tasks
Before configuring IP source guard, complete the following tasks:
l
Data Preparation
To configure IP source guard, you need the following data.
No.  Data
1    (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2    Type and number of the interface enabled with the IP source guard function
Context
Before forwarding the data of the users who assigned IP addresses statically, the S9300 cannot automatically learn the MAC addresses of the users or generate binding table entries for these users. You need to create the binding table manually.
Procedure
Step 1 Run:
system-view
The interface view is displayed. This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
The IP source guard function is enabled on the interface or in a VLAN. By default, the interfaces of an S9300, and the interfaces in a VLAN of an S9300, are not enabled with the IP source guard function. ----End
Context
After the function of checking IP packets is enabled, the S9300 checks the received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.
Procedure
Step 1 Run:
system-view
The interface view is displayed. This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Or, run:
vlan vlan-id
The check items of IP packets are configured. When receiving an IP packet, the interface checks the IP packet according to the check items, including the source IPv4 or IPv6 address, source MAC address, VLAN, or the combination of these three items. If the IP packet matches the binding table according to the check items, the packet is forwarded; otherwise, the packet is discarded. By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.
NOTE
----End
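The check-item semantics described in the procedure above, as an added Python model that is not S9300 code: a packet is forwarded only when every selected check item matches some binding table entry, and the per-interface drop counter feeds the alarm threshold. The class and function names are mine; the static binding is the one from the configuration example in this chapter and the IPv6 entry is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")


def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits, accepting 0001-0001-0001 or 00:01:... forms."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def normalize_interface(name):
    """'gigabitethernet 1/0/1' and 'GigabitEthernet1/0/1' name the same port."""
    return name.replace(" ", "").lower()


@dataclass(frozen=True)
class Binding:
    """One binding table entry (configured statically or learned by DHCP snooping)."""
    ip: str
    mac: str
    vlan: int
    interface: str

    def fields(self):
        return {"ip-address": ip_address(self.ip), "mac-address": normalize_mac(self.mac),
                "vlan": self.vlan, "interface": normalize_interface(self.interface)}


@dataclass(frozen=True)
class Packet:
    """The parts of an inbound IP packet that IP source guard inspects."""
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str

    def fields(self):
        return {"ip-address": ip_address(self.src_ip), "mac-address": normalize_mac(self.src_mac),
                "vlan": self.vlan, "interface": normalize_interface(self.in_interface)}


def matches(packet, binding, check_items):
    """True when every selected check item is identical in packet and binding."""
    p, b = packet.fields(), binding.fields()
    return all(p[item] == b[item] for item in check_items)


@dataclass
class GuardPort:
    """IP source guard state of one interface: check items, drop counter, alarm threshold."""
    check_items: tuple = ALL_ITEMS          # the documented default: all items
    alarm_threshold: int = 80               # value used in the configuration example
    drop_count: int = 0

    def check(self, packet, bindings):
        """Return (forwarded, alarm) for one packet checked against the binding table."""
        unknown = set(self.check_items) - set(ALL_ITEMS)
        if unknown:
            raise ValueError(f"unknown check items: {sorted(unknown)}")
        if any(matches(packet, b, self.check_items) for b in bindings):
            return True, False
        self.drop_count += 1
        return False, self.drop_count >= self.alarm_threshold


def example_bindings():
    """The static entry from the configuration example plus a constructed IPv6 entry."""
    return [
        Binding("10.0.0.1", "0001-0001-0001", 10, "gigabitethernet 1/0/1"),
        Binding("2001:db8::10", "00e0-fc12-3456", 10, "gigabitethernet 1/0/1"),  # constructed
    ]


if __name__ == "__main__":
    port, binds = GuardPort(), example_bindings()
    print(port.check(Packet("10.0.0.1", "00:01:00:01:00:01", 10, "GigabitEthernet1/0/1"), binds))
    print(port.check(Packet("10.0.0.1", "0000-0000-0002", 10, "GigabitEthernet1/0/1"), binds))
```

Narrowing the check items to ip-address alone lets a packet with the bound IP but a different MAC through, which is why the example configures ip-address plus mac-address.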
Procedure
Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } * } command to view information about the binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface.
----End
CAUTION
If the NetStream function is enabled on the S9300, the IP source trail function cannot be configured. To enable the IP source trail function, you must disable the NetStream function first. If the IP source trail function is enabled, the NetStream function cannot be enabled. For the configuration of the NetStream function, see NetStream Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Network Management.
Pre-configuration Tasks
Before configuring IP source trail, complete the following tasks:
l Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces
l Ensuring that the NetStream function is disabled on the S9300
Data Preparation
To configure IP source trail, you need the following data.
No. 1
Procedure
l Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.
----End
Example
Run the display ip source-trail command, and you can view the statistics on IP source trail.
<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr      SrcIF    Bytes      Pkts      Bits/s   Pkts/s
---------------------------------------------------------------------
198.19.1.8   GE2/0/1  5.151M     114.681K  5.222M   14.534K
198.19.1.11  GE2/0/1  4.825M     107.420K  5.223M   14.535K
198.19.1.7   GE2/0/1  4.433M     98.708K   5.223M   14.537K
198.19.1.5   GE2/0/1  2.868M     63.861K   5.227M   14.546K
198.19.1.9   GE2/0/1  2.215M     49.339K   5.230M   14.553K
198.19.1.3   GE2/0/1  1001.083K  21.762K   5.248M   14.605K
Pre-configuration Tasks
Before configuring URPF, complete the following task:
l
Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces
Data Preparation
To configure URPF, you need the following data.
No.  Data
1    Slot number of the LPU where URPF needs to be enabled
2    Type and number of the interface
3    URPF check mode
Procedure
Step 1 Run:
system-view
The interface view is displayed. The URPF check function can be configured on GE interfaces and Eth-Trunks of the S9300.
NOTE
URPF needs to be configured on the physical interface. This is because URPF is implemented on the physical interface.
Step 3 Run:
urpf { loose | strict } [ allow-default-route ]
The URPF check mode is configured on the interface. URPF determines how a default route is treated according to whether allow-default-route is specified.
l When the allow-default-route parameter is not specified and the source address of a packet does not exist in the FIB table, the packet is discarded in both URPF strict and loose check mode, even if a corresponding default route is found.
l When the allow-default-route parameter is specified and the source address of a packet does not exist in the FIB table:
  - Packets pass the URPF check and are forwarded in URPF strict check mode if the outgoing interface of the default route is the same as the incoming interface of the packets. Packets are discarded if the outgoing interface of the default route is different from the incoming interface of the packets.
  - Packets pass the URPF check and are forwarded in URPF loose check mode regardless of whether the outgoing interface of the default route is the same as the incoming interface of the packets.
----End
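The decision rules above are easy to misread, so the following is an added example (not code from the Huawei guide) that models the URPF check as a function of the FIB lookup, the check mode and allow-default-route. The FIB entries, interface names and source addresses are constructed for illustration; the function names are my own.

```python
# Added example, not from the Huawei guide: a model of the URPF decision
# described in the text (strict/loose mode, with and without
# allow-default-route). The FIB entries, interface names and source
# addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str   # destination prefix; "0.0.0.0/0" is the default route
    out_if: str   # outgoing interface of the route


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match of addr in the FIB; None if nothing matches."""
    best = None
    for route in fib:
        net = ip_network(route.prefix)
        if ip_address(addr) in net:
            if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                best = route
    return best


def urpf_check(fib: List[Route], src_ip: str, in_if: str, mode: str,
               allow_default_route: bool = False) -> bool:
    """Return True if a packet from src_ip arriving on in_if passes the URPF check.

    mode is "strict" or "loose". The source address is looked up in the FIB as if
    it were a destination: a specific route counts as "the source exists in the
    FIB"; a hit on the default route only counts when allow-default-route is set.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = lookup(fib, src_ip)
    if route is None:
        return False                                   # no route at all: discard
    if ip_network(route.prefix).prefixlen == 0 and not allow_default_route:
        return False                                   # default route hit, not allowed
    if mode == "strict":
        return route.out_if == in_if                   # outgoing must equal incoming
    return True                                        # loose: any matching route will do


# Constructed FIB: two specific routes and a default route towards the ISP.
SAMPLE_FIB = [
    Route("198.19.1.0/24", "GE2/0/1"),
    Route("10.0.0.0/24", "GE1/0/1"),
    Route("0.0.0.0/0", "GE1/0/0"),
]


def demo() -> dict:
    """Exercise each row of the decision described in the text on SAMPLE_FIB."""
    return {
        "strict, route via incoming interface": urpf_check(SAMPLE_FIB, "198.19.1.8", "GE2/0/1", "strict"),
        "strict, route via another interface": urpf_check(SAMPLE_FIB, "198.19.1.8", "GE3/0/1", "strict"),
        "loose, route via another interface": urpf_check(SAMPLE_FIB, "198.19.1.8", "GE3/0/1", "loose"),
        "strict, default route, not allowed": urpf_check(SAMPLE_FIB, "172.16.5.5", "GE1/0/0", "strict"),
        "strict, default route allowed, same interface": urpf_check(SAMPLE_FIB, "172.16.5.5", "GE1/0/0", "strict", True),
        "strict, default route allowed, other interface": urpf_check(SAMPLE_FIB, "172.16.5.5", "GE2/0/1", "strict", True),
        "loose, default route allowed, other interface": urpf_check(SAMPLE_FIB, "172.16.5.5", "GE2/0/1", "loose", True),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'pass' if passed else 'discard'}")
```

The model makes the practical consequence visible: on a user-side interface with symmetric routing, strict mode rejects spoofed sources that the FIB reaches through another interface, while loose mode only rejects sources that have no route at all (or only the default route, unless allow-default-route is set).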
Only the S9300 installed with an EA/EC/ED LPU supports this function.
To disable the URPF function, you need to run commands in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
Step 3 Run:
ip urpf disable
The URPF function is disabled in the traffic behavior. By default, the URPF function is enabled in a traffic behavior.
After the URPF function is enabled on an interface, the S9300 performs the URPF check on all traffic passing through the interface. If you need to disable the URPF check for specific traffic, run the command in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally or applied to a board, an interface, or a VLAN, the S9300 does not perform the URPF check on the traffic that matches the traffic classifier rules. For the configuration procedures of traffic classifiers and traffic policies, see Class-based QoS Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
----End
Prerequisite
The configurations of URPF are complete.
Procedure
- Run the display this command in the interface view to check whether URPF is enabled on the current interface.
----End
Example
Run the display this command to check whether URPF is enabled on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
 urpf loose allow-default-route
#
return
Procedure
- Run the reset ip source-trail command to clear all the statistics on IP source trail.
- Run the reset ip source-trail ip-address ip-address command to clear the statistics on IP source trail based on a tracing instance.
----End
[Networking diagram: Host A (IP 10.0.0.1/24, MAC 1-1-1) is connected to GE1/0/1 of the S9300 and Host B, the attacker (IP 10.0.0.2/24, MAC 2-2-2), to GE1/0/2; Host B sends packets with SIP 10.0.0.1/24 and SMAC 2-2-2]
Configuration Roadmap
Assume that the user is configured with an IP address statically. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure the check items of IP packets.
3. Configure a static binding table.
Data Preparation
To complete the configuration, you need the following data:
- Interface connected to Host A: GE 1/0/1; interface connected to Host B: GE 1/0/2
- Check items: IP address and MAC address
- IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
- VLAN where Host A resides: VLAN 10
NOTE
This configuration example provides only the commands related to the IP Source Guard configuration.
Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to Host A.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit
Step 2 Configure the static binding table.
# Configure Host A in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10
Step 3 Verify the configuration.
Run the display user-bind all command on the S9300 to view information about the binding table.
<Quidway> display user-bind all
bind-table:
ifname     vsi   O/I-vlan   mac-address       ip-address    tp   lease
------------------------------------------------------------------------------
GE1/0/1    -     10/ --     0001-0001-0001    10.0.0.1      S    0
------------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1
The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.
----End
Configuration Files
#
 sysname Quidway
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet 1/0/1 vlan 10
#
interface GigabitEthernet 1/0/1
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
interface GigabitEthernet 1/0/2
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
return
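To show what the binding table and the check items actually decide on a per-packet basis, here is an added example (not code from the Huawei guide) that models the IP source guard check of the example above. Host A's binding is taken from the configuration; the packets, including Host B's spoofed packet, are constructed, and only the ip-address and mac-address check items are modelled.

```python
# Added example, not from the Huawei guide: a model of the IP source guard check
# with the check items ip-address and mac-address against a static binding
# table, using the hosts of the configuration example above. Packets are
# constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    in_if: str
    vlan: int


# Static binding table from the example: only Host A is bound, on GE1/0/1, VLAN 10.
STATIC_BINDINGS = [Binding("10.0.0.1", "0001-0001-0001", "GE1/0/1", 10)]


def ip_source_check(packet: Packet, bindings: Iterable[Binding],
                    check_items: Sequence[str] = ("ip-address", "mac-address")) -> bool:
    """Return True if the packet is forwarded.

    The packet must match a binding entry on its incoming interface in every
    configured check item. An interface with IP source guard enabled and no
    matching entry (GE1/0/2 in the example) drops the packet.
    """
    for b in bindings:
        if b.interface != packet.in_if:
            continue
        if "ip-address" in check_items and b.ip != packet.src_ip:
            continue
        if "mac-address" in check_items and b.mac != packet.src_mac:
            continue
        return True
    return False


# Constructed packets: Host A, and Host B (the attacker) using Host A's IP address
# from its own port and, hypothetically, from Host A's port.
HOST_A = Packet("10.0.0.1", "0001-0001-0001", "GE1/0/1", 10)
HOST_B_SPOOF = Packet("10.0.0.1", "0002-0002-0002", "GE1/0/2", 10)
HOST_B_ON_GE1 = Packet("10.0.0.1", "0002-0002-0002", "GE1/0/1", 10)


def demo() -> dict:
    return {
        "host A": ip_source_check(HOST_A, STATIC_BINDINGS),
        "host B spoofing on GE1/0/2": ip_source_check(HOST_B_SPOOF, STATIC_BINDINGS),
        "host B spoofing on GE1/0/1": ip_source_check(HOST_B_ON_GE1, STATIC_BINDINGS),
        "host B spoofing on GE1/0/1, ip-address check only":
            ip_source_check(HOST_B_ON_GE1, STATIC_BINDINGS, ("ip-address",)),
    }


if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(f"{case}: {'forwarded' if forwarded else 'dropped'}")
```

The last case in demo() is why the example configures both check items: with ip-address alone, a packet that borrows Host A's address on Host A's own interface would still match the binding entry.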
Networking Requirements
As shown in Figure 5-4, User A is connected to GE 1/0/1 on the S9300. It is required that IP source trail be enabled on the S9300 so that the attack source can be traced after User A suffers from DoS attacks.
Figure 5-4 Networking diagram for configuring IP source trail
[Figure 5-4: the S9300 connects to the ISP network and, through GE1/0/1, to User A (10.0.0.3)]
Configuration Roadmap
Configure IP source trail in the system view of the S9300.
Data Preparation
To complete the configuration, you need the following data:
- Interface connecting the S9300 and the user host: GE 1/0/1
- IP address of the attacked user host: 10.0.0.3
Procedure
Step 1 Configure IP source trail based on the destination IP address.
<Quidway> system-view
[Quidway] ip source-trail ip-address 10.0.0.3
Step 2 Verify the configuration. Run the display ip source-trail ip-address ip-address command, and you can view the trace result of 10.0.0.3.
<Quidway> display ip source-trail ip-address 10.0.0.3
Destination Address: 10.0.0.3
SrcAddr          SrcIF      Bytes        Pkts        Bits/s     Pkts/s
----------------------------------------------------------------------
192.10.1.11      GE1/0/2    4.825M       107.420K    5.223M     14.535K
101.1.1.17       GE2/0/1    4.433M       98.708K     5.223M     14.537K
101.1.1.5        GE2/0/1    2.868M       63.861K     5.227M     14.546K
198.19.1.9       GE3/0/1    2.215M       49.339K     5.230M     14.553K
198.19.1.3       GE3/0/1    1001.083K    21.762K     5.248M     14.605K
----End
Configuration Files
#
 sysname Quidway
#
[Figure 5-5, networking diagram for configuring URPF: the labels GE1/0/0 and ISP are all that survives of the diagram]
Configuration Roadmap
Enable URPF on the user-side interface GE 2/0/0 of the S9300.
Data Preparation
To complete the configuration, you need the following data:
- As shown in Figure 5-5, the networking of symmetric routes is adopted. URPF strict check is recommended in the case of symmetric routes.
The URPF takes effect when the unicast route functions normally. The following configuration procedure lists only URPF-related configurations, and the configurations of IP addresses and unicast route are not mentioned.
Procedure
Step 1 Enable URPF on an LPU.
<Quidway> system-view
[Quidway] urpf slot 2
Step 3 Verify the configuration.
Run the display this command in the view of GE 2/0/0 to view the URPF configuration.
----End
Configuration Files
#
 sysname Quidway
#
urpf slot 2
#
interface GigabitEthernet2/0/0
 urpf strict allow-default-route
#
return
Whitelist A whitelist refers to a group of valid users or users with high priorities. You can set the whitelist by defining ACLs. Then packets matching the whitelist are sent first. In addition, existing services and user services with high priority are protected. Valid users that normally access the system and the users with the high priority can be added to the whitelist.
Blacklist A blacklist refers to a group of invalid users. You can define the blacklist through ACL rules. Then, the packets matching the blacklist are discarded. The invalid users that are involved in attacks can be added to the blacklist.
User-defined flows Users can define ACL rules for the user-defined flows. When unknown attacks occur on the network, you can flexibly specify the characteristics of the attack data flows and limit the data flows that match the specified characteristic.
CAR CAR is used to set the rate at which classified packets are sent to the CPU. You can set the committed information rate (CIR, also called the average rate) and the committed burst size (CBS). By setting different CAR rules for different types of packets, you reduce the interference between them and protect the CPU. CAR can also be used to set the total rate of packets sent to the CPU. When the total rate exceeds the upper limit, the system discards the excess packets, avoiding CPU overload.
Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks.
- Connecting interfaces and setting the physical parameters of each interface to make the physical layer in Up state
- (Optional) If the attack defense policy needs to be applied to the main control board, install a flexible plug-in card to the main control board
Data Preparation
To configure an attack defense policy, you need the following data.
No.  Data
1    Number and description of the attack defense policy
2    Number and rules of the ACL for blacklisted users
3    Number of the user-defined flow
4    CIR and CBS of the packets sent to the CPU
5    Number of the LPU to which the attack defense policy is applied
Procedure
Step 1 Run:
system-view
The user-defined whitelist is created. The ACL used by the whitelist can be a basic ACL, an advanced ACL, or a layer 2 ACL. For details on ACL configuration, see 11.3 Configuring an ACL. By default, no whitelist is configured on the S9300.
----End
Context
You can create a blacklist and add users matching the specific characteristic into the blacklist. The packets sent from the users in the blacklist are discarded by default. The S9300 supports the flexible setting of the blacklist through ACLs.
Procedure
Step 1 Run:
system-view
A customized blacklist is created. The ACL used by the blacklist can be a basic ACL, an advanced ACL, or a layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL. By default, no blacklist is configured on the S9300.
----End
Procedure
Step 1 Run:
system-view
The ACL rule of the user-defined flow is set. The S9300 has eight user-defined flows. By default, no ACL rule is configured for user-defined flows. The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.
----End
The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the latest setting takes effect.
Procedure
Step 1 Run:
system-view
CAR is configured for packets destined for the CPU and the rate threshold is set.
Step 4 (Optional) Run:
deny { packet-type packet-type | user-defined-flow flow-id }
The action performed for the packets destined for the CPU is set to deny. By default, CAR is set on the S9300 for packets destined for the CPU. The default CAR can be viewed through the display cpu-defend configuration command.
----End
When the attack defense policy is applied on the LPU, the cpu-defend-policy command is run in either the system view or the slot view, but not both. That is, if the cpu-defend-policy command is run in the system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global specified cannot be run in the system view.
Procedure
- Applying the attack defense policy in the system view
1. Run:
system-view
If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application. If you specify global in the command, the attack defense policy is applied on all the LPUs.
An attack defense policy is applied. The attack defense policy applied in the slot view takes effect only on the LPU in this slot.
----End
Example
Run the display cpu-defend policy 8 command to view the information about attack defense policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
Run the display cpu-defend tcp statistics slot 4 command to view statistics about TCP packets destined for the CPU.
<Quidway> display cpu-defend tcp statistics slot 4
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type    Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
tcp            0              0              0                0
-------------------------------------------------------------------------------
Pre-configuration Tasks
Before configuring attack source tracing, complete the following task.
- Connecting interfaces and setting the physical parameters of each interface to make the physical layer in Up state
- (Optional) If the attack defense policy needs to be applied to the main control board, install a flexible service unit to the main control board.
Data Preparation
To configure attack source tracing, you need the following data.
No.  Data
1    Number and description of the attack defense policy
2    Rate checking threshold in attack source tracing
3    Rate alarm threshold in attack source tracing
4    Number of the LPU to which the attack defense policy is applied
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The threshold of attack source tracing is configured. By default, the threshold of attack source tracing is set to 128 pps.
----End
Procedure
Step 1 Run:
system-view
The threshold of the attack source alarm function is set. By default, the threshold of the attack source alarm function is set to 128 pps.
----End
When the attack defense policy is applied on the LPU, the cpu-defend-policy command is run in either the system view or the slot view, but not both. That is, if the cpu-defend-policy command is run in the system view with global specified, the cpu-defend-policy command cannot be run in the slot view. Similarly, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with global specified cannot be run in the system view.
Procedure
- Applying the attack defense policy in the system view
1. Run:
system-view
If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application. If you specify global in the command, the attack defense policy is applied on all the LPUs.
Run:
An attack defense policy is applied. The attack defense policy applied in the slot view takes effect only on the LPU in this slot.
----End
Example
Run the display cpu-defend policy 8 command to view the information about attack defense policy 8.
<Quidway> display cpu-defend policy 8
Number : 8
Description : arp defend attack
Related slot : <4>
Configuration :
Car user-defined-flow 1 : CIR(64)
Car user-defined-flow 2 : CIR(64)
Car user-defined-flow 3 : CIR(64)
Car user-defined-flow 4 : CIR(64)
Car user-defined-flow 5 : CIR(64)
Car user-defined-flow 6 : CIR(64)
Car user-defined-flow 7 : CIR(64)
Car user-defined-flow 8 : CIR(64)
Run the display auto-defend attack-source slot 4 command to view the attack source of the LPU in slot 4.
<Quidway> display auto-defend attack-source slot 4
-- Attack Source Port Table (LPU4) --
-------------------------------------------
InterfaceName          Vlan:Outer/Inner    TOTAL
-------------------------------------------
GigabitEthernet3/0/0   199/299             156464
-------------------------------------------
-- Attack Source User Table (LPU4) --
------------------------------------------------------------------------------
InterfaceName          Vlan:Outer/Inner    MacAddress        ARP       DHCP    IGMP    TOTAL
------------------------------------------------------------------------------
GigabitEthernet3/0/0   199/299             0003-5556-3244    143111    0       0       143111
------------------------------------------------------------------------------
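The attack source user table above is the output of counting protocol packets per source and comparing the rate with the tracing threshold (128 pps by default, as stated earlier). The following is an added example (not code from the Huawei guide) that reproduces that detection logic offline over a constructed one-second capture; the event format and function names are my own, and the interface, VLAN and MAC values simply reuse those shown in the output.

```python
# Added example, not from the Huawei guide: detection logic in the spirit of
# attack source tracing. ARP, DHCP and IGMP packets are counted per
# (interface, VLAN, source MAC) and sources above the 128 pps threshold named
# in the text are reported. The packet events are constructed.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

TRACED = ("ARP", "DHCP", "IGMP")          # packet types counted in the attack source table
DEFAULT_THRESHOLD_PPS = 128               # default tracing/alarm threshold from the text

# (time in seconds, interface, "outer/inner" VLAN, source MAC, packet type)
Event = Tuple[float, str, str, str, str]


def attack_sources(events: List[Event], window_s: float = 1.0,
                   threshold_pps: int = DEFAULT_THRESHOLD_PPS) -> List[dict]:
    """Return the sources whose traced-packet rate over the window exceeds
    threshold_pps, highest first, shaped like the 'Attack Source User Table'."""
    counts: Dict[Tuple[str, str, str], Counter] = defaultdict(Counter)
    for t, iface, vlan, mac, ptype in events:
        if ptype in TRACED and 0 <= t < window_s:
            counts[(iface, vlan, mac)][ptype] += 1
    rows = []
    for (iface, vlan, mac), c in counts.items():
        total = sum(c.values())
        if total / window_s > threshold_pps:
            rows.append({"InterfaceName": iface, "Vlan": vlan, "MacAddress": mac,
                         "ARP": c["ARP"], "DHCP": c["DHCP"], "IGMP": c["IGMP"],
                         "TOTAL": total})
    return sorted(rows, key=lambda r: r["TOTAL"], reverse=True)


def sample_events() -> List[Event]:
    """Constructed one-second capture on GigabitEthernet3/0/0, VLAN 199/299:
    200 ARP packets from one MAC, 10 ARP plus 5 DHCP packets from another, and
    one TCP packet that tracing ignores."""
    ev: List[Event] = []
    ev += [(i / 200, "GigabitEthernet3/0/0", "199/299", "0003-5556-3244", "ARP") for i in range(200)]
    ev += [(i / 10, "GigabitEthernet3/0/0", "199/299", "0003-5556-0001", "ARP") for i in range(10)]
    ev += [(i / 5, "GigabitEthernet3/0/0", "199/299", "0003-5556-0001", "DHCP") for i in range(5)]
    ev.append((0.5, "GigabitEthernet3/0/0", "199/299", "0003-5556-0001", "TCP"))
    return ev


if __name__ == "__main__":
    for row in attack_sources(sample_events()):
        print(row)
```

With the default threshold only the 200 pps source is reported; lowering the threshold to 10 pps also reports the second host (15 pps across ARP and DHCP), which is the trade-off the tracing and alarm thresholds let you tune.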
CAUTION
Statistics about ARP packets cannot be restored after being cleared. Confirm the action before you run the command.
Procedure
Step 1 Run the reset cpcar [ packet-type ] statistics [ all | slot slot-id ] command to clear statistics about packets destined for the CPU.
----End
CAUTION
Statistics about ARP packets cannot be restored after being cleared. Confirm the action before you run the command.
Procedure
Step 1 Run the reset auto-defend attack-source [ slot slot-id ] command to clear statistics about attack sources.
----End
Users on net1 are authorized users; therefore, they are added to the whitelist so that their packets are always forwarded. The users on net2 are authorized but not fixed, so you need to separately define the rule for sending the packets of net2 users to the CPU and limit the CIR to 5 Mbit/s. Users on net3 often attack the network; therefore, they are added to the blacklist so that they cannot access the network.
Figure 6-1 Networking diagram for configuring the attack defense policy
[Figure 6-1: the S9300 connects to the Internet through GE2/0/1; the only network label recovered is Net3: 3.3.3.0/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL and define rules for filtering the packets to be sent to the CPU.
2. Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
3. Configure the rule for sending packets to the CPU.
4. Apply the attack defense policy.
Data Preparation
To complete the configuration, you need the following data:
- Number of the attack defense policy
- IDs of the whitelist, blacklist, and user-defined flows
- ACL rule and number
- Slot number of the LPU on which the attack defense policy is applied
NOTE
The following provides only the configuration procedure of the local attack defense feature supported by the S9300. For details on the routing configuration, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.
Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.
# Define the ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002
[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit
Step 2 Create an attack defense policy.
# Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
[Quidway] cpu-defend policy 6
[Quidway-cpu-defend-policy-6] whitelist 1 acl 2001
[Quidway-cpu-defend-policy-6] user-defined-flow 1 acl 2002
[Quidway-cpu-defend-policy-6] blacklist 1 acl 2003
Step 3 Configure the rule for sending packets to the CPU.
# Set the CIR for the user-defined flow.
[Quidway-cpu-defend-policy-6] car user-defined-flow 1 cir 5000
[Quidway-cpu-defend-policy-6] quit
Step 4 Apply the attack defense policy.
# Apply the attack defense policy to LPU 1.
[Quidway] slot 1
[Quidway-slot-1] cpu-defend-policy 6
[Quidway-slot-1] quit
Step 5 Verify the configuration.
# View information about the configured attack defense policy.
<Quidway> display cpu-defend policy 6
Number : 6
Related slot : <1,2>
Configuration :
Whitelist 1 ACL number : 2001
Blacklist 1 ACL number : 2003
User-defined-flow 1 ACL number : 2002
Car user-defined-flow 1 : CIR(5000) CBS(940000)
Car user-defined-flow 2 : CIR(64) CBS(10000)
Car user-defined-flow 3 : CIR(64) CBS(10000)
Car user-defined-flow 4 : CIR(64) CBS(10000)
Car user-defined-flow 5 : CIR(64) CBS(10000)
Car user-defined-flow 6 : CIR(64) CBS(10000)
Car user-defined-flow 7 : CIR(64) CBS(10000)
Car user-defined-flow 8 : CIR(64) CBS(10000)
----End
Configuration Files
#
 sysname Quidway
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
 rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
 whitelist 1 acl 2001
 blacklist 1 acl 2003
 user-defined-flow 1 acl 2002
 car user-defined-flow 1 cir 5000 cbs 940000
#
slot 1
 cpu-defend-policy 6
#
slot 2
 cpu-defend-policy 6
#
return
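The whitelist, blacklist, user-defined flow and CAR descriptions earlier in this chapter, and the policy 6 example just configured, come together in the following added example (not code from the Huawei guide). It models the order in which a CPU-bound packet is classified and how CAR with CIR and CBS admits or discards it, and also the rule that the latest of car or deny takes effect. ACLs are reduced to source prefixes, CAR is a token bucket with CIR in kbit/s and CBS in bytes, the default CAR for a user-defined flow (CIR 64, CBS 10000) is taken from the display output above, and all other names and values are my own constructions.

```python
# Added example, not from the Huawei guide: a model of how an attack defense
# policy treats packets destined for the CPU, built from policy 6 of the
# configuration example above. ACLs are reduced to source-prefix matches; CAR
# is a token bucket with CIR in kbit/s and CBS in bytes; the default CAR for a
# user-defined flow (CIR 64, CBS 10000) is taken from the display output above.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Union


class TokenBucketCar:
    """CAR for one class of CPU-bound packets."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.bytes_per_s = cir_kbps * 1000 / 8   # CIR converted to bytes per second
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)           # bucket starts full
        self.last = 0.0

    def admit(self, size: int, now: float) -> bool:
        """Refill for the elapsed time, then admit the packet if tokens suffice."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def acl_match(prefixes: List[str], src_ip: str) -> bool:
    return any(ip_address(src_ip) in ip_network(p) for p in prefixes)


class CpuDefendPolicy:
    def __init__(self, number: int):
        self.number = number
        self.whitelist: Dict[int, List[str]] = {}
        self.blacklist: Dict[int, List[str]] = {}
        self.flows: Dict[int, List[str]] = {}
        # Per flow either a TokenBucketCar or the string "deny"; as the text
        # says, whichever of car or deny was set last takes effect.
        self.actions: Dict[int, Union[TokenBucketCar, str]] = {}

    def whitelist_acl(self, wid: int, prefixes: List[str]) -> None:
        self.whitelist[wid] = prefixes

    def blacklist_acl(self, bid: int, prefixes: List[str]) -> None:
        self.blacklist[bid] = prefixes

    def user_defined_flow(self, fid: int, prefixes: List[str]) -> None:
        self.flows[fid] = prefixes
        self.actions.setdefault(fid, TokenBucketCar(64, 10000))   # default CAR

    def car_user_defined_flow(self, fid: int, cir: int, cbs: int) -> None:
        self.actions[fid] = TokenBucketCar(cir, cbs)

    def deny_user_defined_flow(self, fid: int) -> None:
        self.actions[fid] = "deny"

    def process(self, src_ip: str, size: int, now: float) -> str:
        """Return "pass" or "drop" for a packet headed to the CPU."""
        if any(acl_match(p, src_ip) for p in self.whitelist.values()):
            return "pass"                                     # whitelist: sent first
        if any(acl_match(p, src_ip) for p in self.blacklist.values()):
            return "drop"                                     # blacklist: discarded
        for fid, prefixes in self.flows.items():
            if acl_match(prefixes, src_ip):
                action = self.actions[fid]
                if action == "deny":
                    return "drop"
                return "pass" if action.admit(size, now) else "drop"
        return "pass"   # would fall to the default per-packet-type CPCAR, not modelled


def build_example_policy() -> CpuDefendPolicy:
    """Policy 6 from the configuration example: net1 whitelisted, net2 a
    user-defined flow limited to 5 Mbit/s, net3 blacklisted."""
    policy = CpuDefendPolicy(6)
    policy.whitelist_acl(1, ["1.1.1.0/24"])          # acl 2001
    policy.user_defined_flow(1, ["2.2.2.0/24"])      # acl 2002
    policy.blacklist_acl(1, ["3.3.3.0/24"])          # acl 2003
    policy.car_user_defined_flow(1, cir=5000, cbs=940000)
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    for src in ("1.1.1.5", "2.2.2.7", "3.3.3.9"):
        print(src, p.process(src, 1000, 0.0))
```

Running the net2 flow through the bucket shows what the CBS of 940000 bytes means in practice: a burst of 940 packets of 1000 bytes passes at once, the next one is dropped, and one second later the bucket has refilled by CIR (5 Mbit/s = 625000 bytes), so another 625 such packets pass.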
7 PPPoE+ Configuration
About This Chapter
This chapter describes how to configure PPPoE+.
7.1 PPPoE+ Overview
This section describes the principle of PPPoE+.
7.2 PPPoE+ Features Supported by the S9300
This section describes the PPPoE+ features supported by the S9300.
7.3 Configuring PPPoE+
This section describes how to configure PPPoE+.
7.4 Configuration Examples
This section provides several configuration examples of PPPoE+.
Pre-configuration Tasks
None.
Data Preparation
To configure PPPoE+, you need the following data.
No.  Data
1    Interface number related to PPPoE authentication
2    Format and contents of the fields to be added to PPPoE packets
PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces. By default, PPPoE+ is disabled globally.
----End
7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
Context
After PPPoE+ is enabled globally, the user-side interface on the S9300 adds information in common format to the received PPPoE packets. You can modify the format of the field to be appended through this task.
Procedure
Step 1 Run:
system-view
The format and contents of fields to be added to PPPoE packets are set.
After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in the specified format to the received PPPoE packets.
----End
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
Context
You can configure the action for processing original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view is valid for all the interfaces. To adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.
Procedure
Step 1 Run:
system-view
The action for all the interfaces to process original fields in PPPoE packets is configured.
- drop: removes the original fields from PPPoE packets.
- keep: retains the contents and format of the original fields in PPPoE packets.
- replace: replaces the original fields in PPPoE packets according to the set field format regardless of whether the packets carry the fields.
By default, the user-side interface on the S9300 replaces the original fields in the received PPPoE packets after PPPoE+ is enabled globally.
Step 3 (Optional) Run:
interface interface-type interface-number
The action for all the interfaces to process original fields in PPPoE packets is configured.
----End
sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.
NOTE
The trusted interface only controls protocol packets in PPPoE discovery period, and does not control service packets in PPPoE session period.
Procedure
Step 1 Run:
system-view
----End
[Networking diagram for configuring PPPoE+: the S9300 sits between the IP network and two PPPoE clients]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally.
2. Configure the contents and format of fields to be added to PPPoE packets on the S9300.
3. Configure the action for the S9300 to process PPPoE packets.
4. Configure the interface connecting the S9300 and the PPPoE server as the trusted interface.
Data Preparation
None.
Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable
Step 2 Configure the format of information fields.
Configure the S9300 to add the circuit ID in extend format to PPPoE packets, that is, the format in hexadecimal notation is used.
[Quidway] pppoe intermediate-agent information format circuit-id extend
Step 3 Configure the action for processing original fields in PPPoE packets.
Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the S9300.
[Quidway] pppoe intermediate-agent information policy replace
Step 4 Configure the trusted interface.
Configure GE 1/0/0 as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] pppoe uplink-port trusted
[Quidway-GigabitEthernet1/0/0] quit
----End
Configuration Files
#
 sysname Quidway
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet1/0/0
 pppoe uplink-port trusted
#
return
8 MFF Configuration
About This Chapter
This section describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.
8.1 MFF Overview
This section describes the principle of the MFF function.
8.2 MFF Features Supported by the S9300
This section describes the MFF features supported by the S9300.
8.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
8.4 Configuration Examples
This section provides a configuration example of MFF.
Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required. In addition, to enable the clients to communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address. This wastes IP addresses. Moreover, the network is vulnerable to attack, and malicious attacks from users on the network cannot be prevented.
The MFF function provides a solution to this problem and implements Layer 2 isolation and Layer 3 interconnection between the clients in a broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, replies with ARP responses containing the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including traffic to hosts on the same subnet, to the gateway so that the gateway can monitor data traffic. This prevents malicious attacks and improves network security.
User interface A user interface is an interface directly connected to users. MFF processes packets on a user interface as follows:
- Allows protocol packets to pass through.
- Sends ARP and DHCP packets to the CPU.
- If the interface has learned the MAC address of the gateway, MFF allows the unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards other packets. If the interface has not learned the MAC address of the gateway, MFF discards all packets.
- Rejects multicast packets and broadcast packets.
Network interface A network interface is an interface connected to another network device, for example, an access switch, an aggregation switch, or a gateway. MFF processes packets on a network interface as follows:
- Allows multicast and DHCP packets to pass through.
- Sends ARP packets to the CPU.
- Rejects broadcast packets.
- Uplink interfaces connected to the gateway
- Interfaces connected to other MFF devices when multiple MFF devices are deployed on the network
- Interfaces between the MFF devices on a ring network
Note the following:
- The interface role is irrelevant to the position of the interface on a network.
- On a VLAN where MFF is enabled, an interface must be either a network interface or a user interface.
Static Gateway
The static gateway is applicable to the scenario where the IP addresses are set statically. When users are assigned IP addresses statically, the users cannot obtain the gateway information through the DHCP packets. In this case, a static gateway address needs to be configured for each VLAN. If the static gateway address is not configured, all the users cannot communicate with each other except for the DHCP users.
ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy reduces the number of broadcast packets at the network side and user side. The MFF processes ARP packets as follows:
- Responds to the ARP requests of users. MFF substitutes for the gateway to respond to the ARP requests of users. Therefore, all the packets of users are forwarded at Layer 3 by the gateway. The ARP request of a user may be for the gateway address or for the IP address of another user.
- Responds to the ARP requests of the gateway. MFF substitutes for user hosts to respond to the ARP requests of the gateway. If the ARP entry matching the request of the gateway exists on the MFF device, it returns a response with the requested address to the gateway. If the entry does not exist, the MFF device forwards the request. In this way, the number of broadcast packets is reduced.
- Monitors the ARP packets on the network and updates the IP address and MAC address of the gateway.
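The interface rules and the ARP proxy behaviour above fit in a small model, given here as an added example (not code from the Huawei guide). One object represents an MFF-enabled VLAN with a single gateway; the gateway and user addresses reuse the display output shown later in this chapter (192.168.1.254 with 00-02-00-02-00-01 as the gateway, 192.168.1.10 with 00-01-00-01-00-01 as a user), and the class, method names and port roles are my own.

```python
# Added example, not from the Huawei guide: a model of the MFF ARP proxy on a
# VLAN and of the packet rules on a user interface, as described in the text.
# Addresses reuse the display output shown later in this chapter; the class
# and method names are constructed for illustration.
from typing import Dict, Optional, Tuple


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit of the first octet set)."""
    return int(mac.split("-")[0], 16) & 1 == 1


class MffVlan:
    def __init__(self, vlan_id: int, gateway_ip: str):
        self.vlan_id = vlan_id
        self.gateway_ip = gateway_ip            # static gateway, or learned via DHCP snooping
        self.gateway_mac: Optional[str] = None  # learned from ARP seen on network interfaces
        self.users: Dict[str, str] = {}         # user IP -> user MAC

    def learn_user(self, ip: str, mac: str) -> None:
        self.users[ip] = mac

    def observe_network_arp(self, sender_ip: str, sender_mac: str) -> None:
        """ARP seen on a network interface keeps the gateway's MAC address current."""
        if sender_ip == self.gateway_ip:
            self.gateway_mac = sender_mac

    def arp_request(self, port_role: str, sender_ip: str,
                    target_ip: str) -> Tuple[str, Optional[str]]:
        """Proxy decision: ("reply", mac), ("forward", None) or ("drop", None)."""
        if port_role == "user":
            # Every user request, whether for the gateway or for another user,
            # is answered with the gateway MAC so all traffic goes via the gateway.
            if self.gateway_mac is None:
                return ("drop", None)
            return ("reply", self.gateway_mac)
        if port_role == "network" and sender_ip == self.gateway_ip:
            # The gateway asks for a user: answer from the table, else forward.
            mac = self.users.get(target_ip)
            return ("reply", mac) if mac else ("forward", None)
        return ("forward", None)

    def user_port_action(self, dst_mac: str, kind: str = "data") -> str:
        """Packet rule on a user interface: "cpu", "forward" or "drop"."""
        if kind in ("arp", "dhcp"):
            return "cpu"                       # ARP and DHCP are sent to the CPU
        if is_group_address(dst_mac):
            return "drop"                      # multicast and broadcast are rejected
        if self.gateway_mac is None:
            return "drop"                      # gateway MAC not learned: discard all
        return "forward" if dst_mac == self.gateway_mac else "drop"


def build_example_vlan() -> MffVlan:
    """VLAN 100 with the gateway and the first user from the display output."""
    vlan = MffVlan(100, gateway_ip="192.168.1.254")
    vlan.observe_network_arp("192.168.1.254", "00-02-00-02-00-01")
    vlan.learn_user("192.168.1.10", "00-01-00-01-00-01")
    return vlan


if __name__ == "__main__":
    v = build_example_vlan()
    print(v.arp_request("user", "192.168.1.10", "192.168.1.11"))
    print(v.arp_request("network", "192.168.1.254", "192.168.1.10"))
    print(v.user_port_action("00-01-00-01-00-02"))
```

Two details of the model follow directly from the interface roles: the gateway MAC is only ever updated from ARP seen on network interfaces, and a user interface forwards nothing at all until that MAC has been learned, which is why a static gateway must be configured when users do not obtain addresses through DHCP.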
Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks. If DHCP users exist, you need to perform the following operations:
Data Preparation
To configure the MFF function, you need the following data.
No.  Data
1    VLAN ID of the MFF device
2    Type and number of the network interface to be configured
3    (Optional) IP address of the static gateway to be configured
4    (Optional) IP address of the server to be configured
Procedure
Step 1 Run:
system-view
The global MFF is enabled. By default, the global MFF is disabled.
----End
This task can be performed before the global MFF is enabled; however, it takes effect only after the global MFF is enabled.
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Step 3 Run:
mac-forced-forwarding network-port
The interface is configured as a network interface. By default, the interface is a user interface.
----End
The MFF function is enabled for the VLAN. By default, the MFF function is disabled in a VLAN.
----End
The timed gateway address detection is enabled. After the timed gateway address detection is enabled, the S9300 sends ARP packets periodically to detect the gateway. By default, the timed gateway address detection is disabled.
----End
- Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and the gateway on the VLAN.
----End
Example
Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interface matching the MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
-------------------------------------------------------------------------------
VLAN ID     Network-ports
-------------------------------------------------------------------------------
VLAN 10     GigabitEthernet2/0/0 GigabitEthernet2/0/1 GigabitEthernet2/0/2 GigabitEthernet2/0/3
VLAN 100    GigabitEthernet1/0/10 GigabitEthernet1/0/15
Run the display mac-forced-forwarding vlan vlan-id command, and you can see information about MFF users and gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2 192.168.1.3
-------------------------------------------------------------------
User IP          User MAC            Gateway IP       Gateway MAC
-------------------------------------------------------------------
192.168.1.10     00-01-00-01-00-01   192.168.1.254    00-02-00-02-00-01
192.168.1.11     00-01-00-01-00-02   192.168.1.254    00-02-00-02-00-01
192.168.1.12     00-01-00-01-00-03   192.168.1.252    00-02-00-02-00-03
-------------------------------------------------------------------
[Vlan 100] MFF host total count = 3
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable the function of timed gateway address detection.
6. (Optional) Configure the server.
Data Preparation
To complete the configuration, you need the following data:
l VLAN ID of the MFF device
l Type and number of the network interface to be configured
l (Optional) IP address of the server to be configured
Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] dhcp enable
[S9300-A] dhcp snooping enable
# Enable DHCP snooping on the interfaces of the S9300-A. Take the configuration on GE 1/0/1 as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar to the configuration on GE 1/0/1 and are not mentioned here.
[S9300-A] interface gigabitethernet 1/0/1
[S9300-A-GigabitEthernet1/0/1] dhcp snooping enable
[S9300-A-GigabitEthernet1/0/1] quit
# Enable DHCP snooping on the interfaces of the S9300-B. Take the configuration on GE 1/0/0 as an example. The configurations on GE 2/0/1 and GE 2/0/2 are similar to the configuration on GE 1/0/0 and are not mentioned here.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping enable
[S9300-B-GigabitEthernet1/0/0] quit
Step 3 Configure the MFF network interfaces.
# Configure GE 2/0/1 of S9300-A as the network interface.
[S9300-A] interface gigabitethernet 2/0/1
[S9300-A-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[S9300-A-GigabitEthernet2/0/1] quit
Step 4 Enable MFF for the VLAN.
# Enable MFF for VLAN 10 on S9300-A.
[S9300-A] vlan 10
[S9300-A-vlan10] mac-forced-forwarding enable
Step 5 (Optional) Enable the function of timed gateway address detection.
# Enable the function of timed gateway address detection on S9300-A.
[S9300-A-vlan10] mac-forced-forwarding gateway-detect
----End
Configuration Files
l Configuration file of S9300-A
#
 sysname S9300-A
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
return
l Configuration file of S9300-B
#
 sysname S9300-B
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
return
l Static MAC addresses that are manually configured
l Dynamic MAC addresses learned before the number of MAC addresses reaches the upper limit
l Dynamic or static MAC addresses in a DHCP snooping table
The S9300 considers other types of MAC addresses unauthorized. When an interface receives the packets sent from unauthorized MAC addresses, the interface security function takes effect. Currently, the S9300 supports the following protection actions in interface security:
l protect: When an interface receives the packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them.
l restrict: When an interface receives the packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them and sends a trap to the Network Management System (NMS).
Pre-configuration Tasks
None.
Data Preparation
Before configuring interface security, you need the following data.
No. Data
1 Interface type and number
2 Maximum number of MAC addresses that can be learned by an interface
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security enable
By default, the interface security function is disabled on interfaces of the S9300.
----End
The interface view is displayed. The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security protect-action { protect | restrict }
The protection action in interface security is configured. By default, the protection action is restrict.
----End
l If the sticky MAC function is disabled, this task can limit the maximum number of MAC addresses dynamically learned by an interface.
l If the sticky MAC function is enabled, this task can limit the maximum number of sticky MAC addresses learned by an interface.
l For the sticky MAC function, see 9.3.5 Enabling Sticky MAC on an Interface.
Procedure
Step 1 Run:
system-view
The maximum number of MAC addresses learned by an interface is set. After the interface security function is enabled, the maximum number of MAC addresses learned by an interface is 1 by default.
----End
Procedure
Step 1 Run:
system-view
The interface view is displayed. The interface can be an Ethernet interface or a GE interface.
Step 3 Run:
port-security mac-address sticky
The sticky MAC function is enabled on the interface. By default, the sticky MAC function is disabled on an interface.
----End
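The following Python model is added here as an illustration of how the pieces described in this chapter interact on one interface: the set of authorized MAC addresses, the protect and restrict actions for frames from unauthorized addresses, the learned-address limit, and sticky learning. It is not part of the S9300 documentation or software; the class and method names are assumptions made for this example, and the MAC addresses and the scenario are constructed (the scenario follows the configuration example in this chapter, where a PC behind a sticky port is replaced by another PC).

```python
"""Behavioural model of S9300 interface security as this chapter describes it.
Added illustration, not Huawei code; names and sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    name: str
    maximum: int = 1              # default after port-security enable (per the page)
    action: str = "restrict"      # default protection action (per the page)
    sticky: bool = False          # port-security mac-address sticky
    static_macs: set = field(default_factory=set)    # manually configured entries (lowercase)
    snooping_macs: set = field(default_factory=set)  # entries from the DHCP snooping table
    learned: list = field(default_factory=list)      # dynamic, or sticky, entries
    traps: list = field(default_factory=list)        # what restrict would send to the NMS

    def authorized(self, mac: str) -> bool:
        """Static, DHCP-snooping and already-learned addresses are authorized."""
        return mac in self.static_macs or mac in self.snooping_macs or mac in self.learned

    def receive(self, mac: str) -> str:
        """Decide what happens to a frame whose source MAC is `mac`:
        'forward', 'learn+forward' or 'drop'."""
        mac = mac.lower()
        if self.authorized(mac):
            return "forward"
        if len(self.learned) < self.maximum:
            # below the limit: the address becomes an authorized dynamic entry
            # (with sticky enabled it would also be kept in the configuration)
            self.learned.append(mac)
            return "learn+forward"
        # unauthorized source: neither action learns or forwards; restrict also traps
        if self.action == "restrict":
            self.traps.append(f"{self.name}: frame from unauthorized MAC {mac} discarded")
        return "drop"


def replaced_pc_scenario() -> dict:
    """Constructed scenario after the configuration example: GE1/0/1 with
    'port-security maximum 4', protect action and sticky MAC; four PCs connect,
    then a fifth, unknown PC takes one of their places."""
    port = PortSecurity("GigabitEthernet1/0/1", maximum=4, action="protect", sticky=True)
    for mac in ("0018-2000-0081", "0018-2000-0082", "0018-2000-0083", "0018-2000-0084"):
        port.receive(mac)
    newcomer = port.receive("0018-2000-00ff")
    return {"learned": len(port.learned), "newcomer": newcomer, "traps": len(port.traps)}


if __name__ == "__main__":
    print(replaced_pc_scenario())
```

With the default action (restrict) the same drop would additionally produce a trap entry, which is the signal an NMS can alert on; protect discards silently, so the replaced PC simply loses connectivity without any notification.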
Run the display sticky-mac command to view the sticky MAC entries.
----End
Example
Run the display sticky-mac command, and you can view the sticky MAC address entries.
<Quidway> display sticky-mac interface GigabitEthernet 2/0/1
MAC Address      VLAN/VSI   Port                   Type
---------------------------------------------------------------------
0018-2000-0083   1          GigabitEthernet2/0/1   sticky mac
Total 1 printed
[Figure: networking diagram for configuring interface security. Labels: Internet, S9300, GE1/0/1, LAN switch, PC 1, PC 2, PC 3, VLAN 10]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and set the VLAN attribute of the interface to trunk.
2. Enable the interface security function.
3. Configure the protection action.
4. Set the maximum number of MAC addresses that can be learned by the interfaces.
5. Enable the sticky MAC function on the interfaces.
Data Preparation
To complete the configuration, you need the following data:
l VLAN ID carried in packets that the interface allows to pass through
l Types and numbers of the interfaces connected to the computers
l Protection action
l Maximum number of MAC addresses learned by interfaces
Procedure
Step 1 Create a VLAN and set the VLAN attribute of the interface.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
Step 2 Configure the interface security function.
# Enable the interface security function.
[Quidway-GigabitEthernet1/0/1] port-security enable
# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security maximum 4
To enable the interface security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.
----End
Configuration Files
The following lists the configuration files of the S9300.
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 port-security enable
 port-security protect-action protect
 port-security mac-address sticky
 port-security maximum 4
#
return
Pre-configuration Tasks
None
Data Preparation
To configure traffic suppression, you need the following data.
No. Data
1 Type and number of the interface where traffic suppression needs to be configured
2 Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be suppressed
3 Mode in which traffic is suppressed (packet rate, bit rate, or rate percentage on a physical interface)
4 Limited rate, including packet rate, committed information rate (CIR), committed burst size (CBS), and bandwidth percentage
Procedure
Step 1 Run:
system-view
The interface view is displayed. Traffic suppression can be configured on Ethernet interfaces or GE interfaces of the S9300.
Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } { percent percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }
Traffic suppression is configured. Traffic suppression for three types of traffic can be configured on an interface of the S9300. Select one of the following traffic suppression modes for the traffic on an interface:
l To configure traffic suppression based on the packet rate, you must select the packets parameter.
l To configure traffic suppression based on the bit rate, you must select the cir and cbs parameters.
l To configure traffic suppression based on the bandwidth percentage, you must select the percent-value parameter.
The suppression based on bandwidth percentage is equivalent to the suppression based on packet rate. Assume the bandwidth on an interface is bandwidth (kbit/s). The percent-value parameter then corresponds to the packets keyword as follows: (bandwidth x percent x 1000 x 1000/(84 x 8)). Here, 84 indicates the average packet length (including the 64-byte packet body and 20-byte frame spacing and check information), and 8 indicates the number of bits in a byte.
If traffic suppression based on the bit rate is set for a type of traffic on an interface, the bandwidth percentage set for other types of traffic is converted to the bit rate through the following formula: Bit rate = Bandwidth of the interface x Percentage.
The traffic limit (pps) for a type of packets cannot be set together with the traffic limit based on bit rate for other types of packets on the same interface. For example, if the bit rate for multicast packets is set on an interface, you cannot set the traffic limit (pps) for broadcast packets.
If traffic suppression is configured for a type of traffic on an interface, the latest configuration overrides the previous one when traffic suppression for the same type of traffic is configured again at a different rate.
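To make the conversion and compatibility rules in this note concrete, here is a small Python check. It is an added example, not part of the S9300 documentation or software, and it applies the formulas above under one reading that is an assumption: the interface bandwidth is given in kbit/s, the percentage as a value from 0 to 100, and the 84-byte average frame length is taken in bits (84 x 8). The function names and the sample settings are also assumptions; the sample mirrors the configuration example later in this chapter.

```python
"""Traffic-suppression conversions and a compatibility check, modelled on the
rules in this section. Added illustration, not Huawei code; the reading of the
formula (kbit/s bandwidth, percent as 0-100) and all names are assumptions."""

FRAME_BITS = 84 * 8   # 64-byte frame + 20 bytes of spacing/check, in bits (per the page)
TRAFFIC_TYPES = ("broadcast", "multicast", "unknown-unicast")


def percent_to_pps(bandwidth_kbps: int, percent: float) -> int:
    """Packet rate that a bandwidth percentage corresponds to, assuming
    minimum-size frames: bandwidth (bit/s) x percentage / (84 x 8)."""
    return int(bandwidth_kbps * 1000 * (percent / 100) / FRAME_BITS)


def percent_to_kbps(bandwidth_kbps: int, percent: float) -> int:
    """Bit rate = bandwidth of the interface x percentage (the page's formula)."""
    return int(bandwidth_kbps * percent / 100)


def check_interface(settings: dict) -> list:
    """settings: traffic type -> (mode, value) with mode 'packets', 'cir' or
    'percent'. Returns problems: an unknown traffic type, or the mix of a pps
    limit and a bit-rate limit that the page says cannot be set together."""
    problems = []
    for kind in settings:
        if kind not in TRAFFIC_TYPES:
            problems.append(f"unknown traffic type: {kind}")
    modes = {mode for mode, _ in settings.values()}
    if "packets" in modes and "cir" in modes:
        problems.append("a pps limit and a bit-rate limit cannot coexist on one interface")
    return problems


def effective_limits(bandwidth_kbps: int, settings: dict) -> dict:
    """Express every limit in the unit the interface actually enforces: once any
    type uses cir, percentages become bit rates; otherwise they become pps."""
    modes = {mode for mode, _ in settings.values()}
    limits = {}
    for kind, (mode, value) in settings.items():
        if mode == "cir":
            limits[kind] = ("kbit/s", value)
        elif mode == "packets":
            limits[kind] = ("pps", value)
        elif "cir" in modes:
            limits[kind] = ("kbit/s", percent_to_kbps(bandwidth_kbps, value))
        else:
            limits[kind] = ("pps", percent_to_pps(bandwidth_kbps, value))
    return limits


# Constructed input mirroring the configuration example in this chapter: a GE
# interface (1 Gbit/s = 1 000 000 kbit/s) with cir 100 for unknown unicast and
# broadcast and percent 80 for multicast.
EXAMPLE = {"unknown-unicast": ("cir", 100), "multicast": ("percent", 80), "broadcast": ("cir", 100)}

if __name__ == "__main__":
    print(check_interface(EXAMPLE))
    print(effective_limits(1_000_000, EXAMPLE))
```

On a 1 Gbit/s interface, 100 percent corresponds to about 1.49 million minimum-size frames per second under this reading, and the 80 percent multicast limit in the example is enforced as 800 000 kbit/s because the other two types already use a bit rate.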
----End
Procedure
l Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.
----End
Example
Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 1/0/0
storm type         rate mode   set rate value
------------------------------------------------------------------------------
unknown-unicast    bps         cir: 1000(kbit/s), cbs: 188000(byte)
multicast          bps         cir: 1000(kbit/s), cbs: 188000(byte)
broadcast          bps         cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------
Networking Requirements
As shown in Figure 10-1, the S9300 is connected to the Layer 2 network and Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, you can configure traffic suppression on GE 1/0/2.
Figure 10-1 Networking diagram for configuring traffic suppression
[Figure: labels L2 network, GE1/0/2, S9300, GE1/0/3, L3 network]
Configuration Roadmap
Configure traffic suppression in the interface view of GE 1/0/2.
Data Preparation
To complete the configuration, you need the following data:
l GE 1/0/2 where traffic suppression is configured
l Traffic suppression for broadcast and unknown unicast packets based on the bit rate
l Traffic suppression for multicast packets based on the rate percentage
l Maximum rate of broadcast and unknown unicast packets being 100 kbit/s after traffic suppression is configured
l Maximum rate of multicast packets being 80 percent of the interface rate after traffic suppression is configured
Procedure
Step 1 Enter the interface view.
<Quidway> system-view [Quidway] interface gigabitethernet 1/0/2
Step 5 Verify the configuration.
Run the display flow-suppression interface command, and you can view the configuration of traffic suppression on GE 1/0/2.
<Quidway> display flow-suppression interface gigabitethernet 1/0/2
storm type         rate mode   set rate value
------------------------------------------------------------------------------
unknown-unicast    bps         cir: 100(kbit/s), cbs: 18800(byte)
multicast          percent     percent: 80%
broadcast          bps         cir: 100(kbit/s), cbs: 18800(byte)
-------------------------------------------------------------------------------
----End
Configuration Files
#
 sysname Quidway
#
interface gigabitethernet 1/0/2
 unicast-suppression cir 100 cbs 18800
 multicast-suppression percent 80
 broadcast-suppression cir 100 cbs 18800
#
return
11 ACL Configuration
About This Chapter
This chapter describes how to configure the Access Control List (ACL).
11.1 Introduction to the ACL
This section describes the basic concepts and parameters of an ACL.
11.2 Classification of ACLs Supported by the S9300
This section describes the classification of ACLs supported by the S9300.
11.3 Configuring an ACL
This section describes how to create an ACL, set the time range, configure the description of an ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step of an ACL.
11.4 Configuring ACL6
This section describes how to configure basic ACL6 and advanced ACL6.
11.5 Configuration Examples
This section provides configuration examples of the ACL.
In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers to the access control list that is used to filter IPv6 packets.
Classification of ACLs
The S9300 supports basic ACLs, advanced ACLs, and Ethernet frame header ACLs for IPv4 packets.
l Basic ACLs: classify and define data packets according to their source addresses, fragmentation flag, and effective time range.
l Advanced ACLs: classify and define data packets in a more refined way, according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.
l Frame header-based ACLs: classify and define data packets according to the source MAC address, destination MAC address, and protocol type.
The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
l A basic ACL6 can use the source IP address, fragmentation flag, and effective time range as the elements of rules.
l An advanced ACL6 can use the source IP address and destination IP address of data packets, the protocol type supported by IP, features of the protocol such as the source port number and destination port number, the ICMPv6 protocol, and the ICMPv6 Code as the elements of rules.
Application of ACLs
ACLs defined on the S9300 can be applied in the following scenarios:
l Hardware-based application: The ACL is sent to the hardware. For example, when QoS is configured, the ACL is imported to classify packets. Note that when the ACL is imported by QoS, the packets matching the ACL rule in deny mode are discarded. If the action in the ACL is set to be in permit mode, the packets matching the ACL are processed by the S9300 according to the action defined by the traffic behavior in QoS. For details on the traffic behavior, see the Quidway S9300 Terabit Routing Switch Configuration Guide QoS.
l Software-based application: When the ACL is imported by the upper-layer software, for example, the ACL is imported when the control function is configured for login users, you can use the ACL to control FTP, Telnet and SSH users. When the S9300 functions as a TFTP client, you can configure an ACL to specify the TFTP servers that the S9300 can access through TFTP. When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S9300 according to the action deny or permit defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.
NOTE
When the ACL is sent to the hardware and is imported by QoS to classify packets, the S9300 does not process packets according to the action defined in the traffic behavior if the packets do not match the ACL rule. When the ACL is imported by the upper-layer software and is used to control FTP, Telnet or SSH login users, the S9300 discards the packets if the packets do not match the ACL rule.
Context
NOTE
11.3.5 Configuring a Basic ACL, 11.3.6 Configuring an Advanced ACL, and 11.3.7 Configuring a Layer 2 ACL are optional and can be configured as required.
11.3.1 Establishing the Configuration Task
11.3.2 Creating an ACL
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
11.3.4 (Optional) Configuring the Description of an ACL
11.3.5 Configuring a Basic ACL
11.3.6 Configuring an Advanced ACL
11.3.7 Configuring a Layer 2 ACL
11.3.8 (Optional) Setting the Step of an ACL
11.3.9 Checking the Configuration
Pre-configuration Tasks
None.
Data Preparation
To configure an ACL, you need the following data.
No. Data
1 Name of the time range when the ACL takes effect, start time, and end time
2 Number of the ACL
3 Number of the ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, the type and code of Internet Control Message Protocol (ICMP), IP precedence, and Type of Service (ToS) value
4 Description of the ACL
5 Step of the ACL
Specify the number of the ACL. For example, the ACL with the number ranging from 2000 to 2999 is a basic ACL, and the ACL with the number ranging from 3000 to 3999 is an advanced ACL. Set the match order of the ACL rules. This parameter is optional. By default, the match-order is config.
Procedure
Step 1 Run:
system-view
An ACL is created.
l To create a basic ACL, you can set the value of acl-number ranging from 2000 to 2999.
l To create an advanced ACL, you can set the value of acl-number ranging from 3000 to 3999.
l To create a layer 2 ACL, you can set the value of acl-number ranging from 4000 to 4999.
----End
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
Procedure
Step 1 Run:
system-view
A time range is set. You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name test:
l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, a definite time range
l Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
l Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End
Postrequisite
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.
The description of an ACL is a string of up to 127 characters, describing the usage of the ACL. By default, no description is configured for an ACL.
----End
Procedure
Step 1 Run:
system-view
A basic ACL is created. To create a basic ACL, you can set the value of acl-number ranging from 2000 to 2999. match-order indicates the match order of ACL rules.
l auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
l config: indicates that the rules are matched on the basis of the configuration order.
An advanced ACL is created. To create an advanced ACL, the value of acl-number ranges from 3000 to 3999. match-order indicates the match order of ACL rules.
l auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
l config: indicates that the rules are matched on the basis of the configuration order.
If match-order is not used, the match order is config.
Step 3 Run the following command as required:
l When protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port eq port | time-range time-name | tos tos ] *
l When protocol is specified as another protocol rather than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
An ACL rule is created. You can configure different advanced ACLs on the S9300 according to the protocol carried by IP. Different parameter combinations are available for different protocol types.
NOTE
dscp dscp and precedence precedence cannot be specified at the same time.
----End
A layer 2 ACL is created. To create a layer 2 ACL, the value of acl-number ranges from 4000 to 4999. match-order indicates the match order of ACL rules.
l auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
l config: indicates that the rules are matched on the basis of the configuration order.
The step of an ACL is set. When changing ACL configurations, note the following:
l The undo step command sets the default step of an ACL and re-arranges the numbers of ACL rules. By default, the value of step-value is 5.
----End
Procedure
l Run the display acl { acl-number | all } command to check the configured ACL.
l Run the display time-range { all | time-name } command to check the time range.
----End
Example
# Run the display acl command, and you can view the ACL number, the number of rules, the step, and the details of the ACL rules.
# Run the display time-range command, and you can view the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31
l Configuring the packet filtering policy
l Configuring policy-based routing
l Configuring a routing policy
Pre-configuration Tasks
None
Data Preparation
To configure an ACL6, you need the following data.
No. Data
1 Number of the ACL6
2 (Optional) Name of the time range during which the ACL6 is valid and the start time and end time of the time range
3 Number of the ACL6 and the rule of identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS
Specify a number to identify the ACL6 type. For example, the ACL6 with the number ranging from 2000 to 2999 is a basic ACL6 and the ACL6 with the number ranging from 3000 to 3999 is an advanced ACL6. Set the match order of the ACL6. This parameter is optional. By default, the match order is config.
Procedure
Step 1 Run:
system-view
An ACL6 is created.
l The acl6-number value of a basic ACL6 ranges from 2000 to 2999.
l The acl6-number value of an advanced ACL6 ranges from 3000 to 3999.
----End
The time range is created. You can set the same name for multiple time ranges to describe a special period. For example, three time ranges are set with the same name, that is, test.
l Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59
l Time range 2: 8:00-18:00 on Monday to Friday
l Time range 3: 14:00-18:00 on Saturday and Sunday
The time range test includes 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
----End
Postrequisite
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.
An ACL6 is created. The acl6-number value of a basic ACL6 ranges from 2000 to 2999. match-order indicates the match order of ACL6 rules.
l auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
l config: indicates that the rules are matched on the basis of the configuration order.
Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
An advanced ACL6 is created. The acl6-number value of an advanced ACL6 ranges from 3000 to 3999. match-order indicates the match order of ACL6 rules.
l auto: indicates that the ACL rules are matched on the basis of the depth-first principle.
l config: indicates that the rules are matched on the basis of the configuration order.
If match-order is not used, the match order is config.
Step 3 Perform the following steps as required to configure rules for the ACL6:
You can configure the advanced ACL6 on the S9300 according to the type of the protocol carried by IP. The parameters vary according to the protocol type.
l When protocol is TCP or UDP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos ] *
l When protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *
l When protocol is not TCP, UDP, or ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *
----End
Procedure
l Run the display acl ipv6 { acl6-number | all } command to view the rules of the ACL6.
l Run the display time-range { all | time-name } command to view information about the time range.
----End
Example
# Run the display acl ipv6 command, and you can see the ACL number, the number of rules, and content of the rules.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1 (0 times matched) (Inactive)
 rule 1 permit (0 times matched)
# Run the display time-range command, and you can see the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday

Time-range : time1 ( Inactive )
 12:00 to 23:00 working-day
[Figure: networking diagram for the URPF and ACL example. Labels: GE1/0/1, GE2/0/1, S9300, PC B]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the URPF function.
2. Configure the ACL.
3. Configure the traffic classifier.
4. Configure the traffic behavior.
5. Configure the traffic policy.
6. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
l Interfaces enabled with URPF: GE 1/0/1 and GE 2/0/1
l ACL number: 2000
l IP address of user A: 10.0.0.2/24
l Names of traffic classifier, traffic behavior, and traffic policy: tc1, tb1, and tp1
l Interface where the traffic policy is applied: GE 1/0/1
Procedure
Step 1 Configure the URPF function.
# Enable the URPF function on the LPU.
<Quidway> system-view
[Quidway] urpf slot 1
[Quidway] urpf slot 2
Step 2 Configure the traffic classifier that is based on the ACL rules.
# Define the ACL rules.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit
# Define the traffic behavior and disable the URPF function in the traffic behavior view.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] ip urpf disable
[Quidway-behavior-tb1] quit
Step 4 Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 5 Verify the configuration.
# Check the configuration of the ACL rules.
<Quidway> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.0.0.0 0.0.0.255 (0 times matched)
----End
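The ACL behaviour described in 11.3 (wildcard masks, rule numbers assigned by step, the config and auto match orders, time ranges) is visible in the verification output above: the rule entered as source 10.0.0.2 0.0.0.255 is stored and displayed as 10.0.0.0 0.0.0.255, and, with no rule-id given, it receives number 5 because the step is 5. The following Python model is an added illustration of that behaviour, not the S9300's code. The class and method names, the weekday encoding used for a periodic time range, and the layout of the display lines are assumptions of the example; the addresses and time range in the test scenario are taken from this chapter's examples.

```python
"""Model of S9300 ACL rule handling as described in this chapter: wildcard
matching, rule ids assigned by step, config vs auto match order, time ranges.
Added illustration, not Huawei code; all names are assumptions."""
from datetime import datetime
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


class TimeRange:
    """One named time range: periodic entries (set of weekdays, Mon=0, plus an
    HH:MM window) and absolute entries (start, end). Entries of one kind are
    ORed and the two kinds are ANDed, as in the page's 'test' example."""
    def __init__(self, name: str):
        self.name = name
        self.periodic = []   # (weekdays, "HH:MM", "HH:MM")
        self.absolute = []   # (datetime, datetime)

    def active(self, now: datetime) -> bool:
        hhmm = now.strftime("%H:%M")
        abs_ok = not self.absolute or any(a <= now <= b for a, b in self.absolute)
        per_ok = not self.periodic or any(
            now.weekday() in days and start <= hhmm <= end for days, start, end in self.periodic)
        return abs_ok and per_ok


class Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.kind = ("basic" if 2000 <= number <= 2999 else
                     "advanced" if 3000 <= number <= 3999 else "layer2")
        self.rules = []

    @staticmethod
    def _norm(spec):
        """'addr wildcard' -> (addr with the wildcard bits cleared, wildcard).
        This is why 'source 10.0.0.2 0.0.0.255' is displayed as 10.0.0.0."""
        if spec in (None, "any"):
            return 0, 0xFFFFFFFF
        addr, wild = spec.split()
        w = ip_int(wild)
        return (ip_int(addr) & ~w) & 0xFFFFFFFF, w

    def rule(self, action, source=None, destination=None, protocol="ip",
             time_range=None, rule_id=None) -> int:
        """Add a rule; without rule-id the next multiple of step is used."""
        if rule_id is None:
            rule_id = (max((r["id"] for r in self.rules), default=0) // self.step + 1) * self.step
        self.rules.append({"id": rule_id, "action": action, "src": self._norm(source),
                           "dst": self._norm(destination), "proto": protocol,
                           "time_range": time_range})
        self.rules.sort(key=lambda r: r["id"])
        return rule_id

    def ordered_rules(self):
        if self.match_order == "auto":
            # depth first: the rule with the narrower wildcard is tried first
            return sorted(self.rules, key=lambda r: (r["src"][1], r["dst"][1], r["id"]))
        return self.rules   # config: ascending rule id

    def evaluate(self, src_ip, dst_ip, protocol="ip", now=None, time_ranges=None):
        """('permit'|'deny', rule_id) of the first matching active rule, else
        (None, None); what happens then depends on who imported the ACL."""
        for r in self.ordered_rules():
            if r["time_range"]:
                tr = (time_ranges or {}).get(r["time_range"])
                if tr is None or not tr.active(now):   # undefined or inactive range
                    continue
            if r["proto"] not in ("ip", protocol):
                continue
            if (ip_int(src_ip) & ~r["src"][1]) != r["src"][0]:
                continue
            if (ip_int(dst_ip) & ~r["dst"][1]) != r["dst"][0]:
                continue
            return r["action"], r["id"]
        return None, None

    def display(self) -> list:
        """Lines in the style of 'display acl' (layout approximated)."""
        lines = [f"{self.kind.capitalize()} ACL {self.number}, {len(self.rules)} rule(s)",
                 f"Acl's step is {self.step}"]
        for r in self.rules:
            src = f"{ipaddress.IPv4Address(r['src'][0])} {ipaddress.IPv4Address(r['src'][1])}"
            lines.append(f" rule {r['id']} {r['action']} source {src}")
        return lines


if __name__ == "__main__":
    acl = Acl(2000)
    acl.rule("permit", source="10.0.0.2 0.0.0.255")   # from the URPF example above
    print("\n".join(acl.display()))
```

The match-order difference matters for security review: under config order a broad permit placed before a narrow deny wins for every address the narrow rule was meant to block, while auto order tries the narrower rule first; the model lets you evaluate a sample packet under both orders before committing a rule set.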
Configuration Files
#
 sysname Quidway
#
urpf slot 1
urpf slot 2
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 20
 if-match acl 2000
#
traffic behavior tb1
 ip urpf disable
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
 urpf strict
 traffic-policy tp1 inbound
#
interface GigabitEthernet2/0/1
 urpf strict
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to
- Name of the time range
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to
Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLAN and assign IP addresses to the VLANIF interfaces. Add GE 1/0/1, GE 2/0/1, and GE 3/0/1 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add GE 2/0/1 to VLAN 100. The first IP address of the network segment is taken as the address of the VLANIF interface. Take GE 1/0/1 as an example. The configurations of the other interfaces are similar to that of GE 1/0/1 and are not shown here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit
Step 2 Configure the time range.
# Configure the time range from 8:00 to 17:30 on working days.
<Quidway> system-view
[Quidway] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.
# Configure the ACL for the personnel of the marketing department to access the salary query server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit
# Configure the ACL for the personnel of the R&D department to access the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit
Step 5 Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit
Step 6 Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.
# Apply the traffic policy p_market to GE 1/0/2.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] traffic-policy p_market inbound
[Quidway-GigabitEthernet1/0/2] quit
Acl's step is 5
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)
Advanced ACL 3003, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)
----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10 20 30 40 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
 if-match acl 3002
traffic classifier c_rd operator or precedence 10
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_rd inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
 port link-type access
 port default vlan 100
#
return
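To make the wildcard-mask and time-range semantics of the rules above concrete, here is an added Python model (not Huawei code and not from this manual): it zeroes the "don't care" bits the way `display acl` prints them (the URPF example enters 10.0.0.2 0.0.0.255 and the switch shows 10.0.0.0 0.0.0.255) and skips a deny rule while its time range is inactive. That an inactive rule is skipped as if absent, and the packet samples, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional

def normalize(addr: str, wildcard: str) -> str:
    """Zero the 'don't care' bits; this is the form `display acl` prints."""
    a, w = int(IPv4Address(addr)), int(IPv4Address(wildcard))
    return str(IPv4Address(a & ~w & 0xFFFFFFFF))

def wildcard_match(pkt: str, rule_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'ignore this bit of the address'."""
    p, r, w = (int(IPv4Address(x)) for x in (pkt, rule_addr, wildcard))
    return (p & ~w) == (r & ~w)

@dataclass
class TimeRange:
    start: time
    end: time
    working_day: bool = True  # Monday to Friday, as in `time-range satime ... working-day`
    def active(self, now: datetime) -> bool:
        if self.working_day and now.weekday() > 4:
            return False
        return self.start <= now.time() <= self.end

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"  # with wildcard 255.255.255.255: any destination
    dst_wc: str = "255.255.255.255"
    time_range: Optional[TimeRange] = None
    def matches(self, src: str, dst: str, now: datetime) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False  # assumption: an inactive rule is skipped as if absent
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

def classify(acl: List[Rule], src: str, dst: str, when: str) -> str:
    """First matching rule decides; "none" means the packet is not classified."""
    now = datetime.fromisoformat(when)
    for rule in acl:
        if rule.matches(src, dst, now):
            return rule.action
    return "none"

# Constructed from the manual's ACL 3002: marketing subnet to the salary server during satime.
SATIME = TimeRange(time(8, 0), time(17, 30))
ACL_3002 = [Rule("deny", "10.164.2.0", "0.0.0.255", "10.164.9.9", "0.0.0.0", SATIME)]
```

A packet from 10.164.2.50 to 10.164.9.9 is classified "deny" at noon on a working day but "none" on a Saturday or after 17:30, so the time-range rule only blocks the server during office hours, which is what the Active flag in `display acl` reflects.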
[Figure: networking diagram for the Layer 2 ACL example; labels: GE2/0/1, GE1/0/1, IP network, source MAC 00e0-f201-0101]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to
Procedure
Step 1 Configure an ACL.
# Configure the required Layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-ethernetframe-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-ethernetframe-4000] quit
Step 2 Configure the traffic classifier that is based on the ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit
Step 3 Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit
Step 4 Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.
# Apply the traffic policy tp1 to GE 2/0/1.
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet2/0/1] quit
----End
Configuration Files
#
 sysname Quidway
#
acl number 4000
 rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
#
traffic classifier tc1 operator or precedence 15
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 inbound
#
return
Networking Requirements
As shown in Figure 11-4, S9300-A and S9300-B are connected through GE interfaces. You need to configure an ACL6 rule on S9300-A to prevent the IPv6 packets with the source IP address 3001::2 from entering GE 1/0/0 of S9300-A.
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets
[Figure: S9300-A GE1/0/0 3001::1/64, VLAN 10, S9300-B GE1/0/0 3001::2/64, Loopback2 3002::2/64]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the number of the ACL6.
2. Configure the rules in the ACL6.
3. Define the classification, action, and policy to be performed on the packets.
Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
- Source IPv6 address matched by the ACL6 rule
- Names of traffic classifier, traffic behavior, and traffic policy
- Interface where the traffic policy is applied
Procedure
Step 1 Enable IPv6 forwarding capability on S9300-A and S9300-B, set the parameters for the interfaces, and check the connectivity.
# Configure S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] ipv6
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] port link-type trunk
[S9300-A-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-A-GigabitEthernet1/0/0] quit
[S9300-A] interface vlanif 10
[S9300-A-Vlanif10] ipv6 enable
[S9300-A-Vlanif10] ipv6 address 3001::1 64
[S9300-A-Vlanif10] quit
# Configure S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] ipv6
[S9300-B] interface loopback 2
[S9300-B-LoopBack2] ipv6 enable
[S9300-B-LoopBack2] ipv6 address 3002::2 64
[S9300-B-LoopBack2] quit
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] port link-type trunk
[S9300-B-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface vlanif 10
[S9300-B-Vlanif10] ipv6 enable
[S9300-B-Vlanif10] ipv6 address 3001::2 64
[S9300-B-Vlanif10] quit
The ping succeeds without timeout or abnormal delay.
# Ping interface VLANIF 10 of S9300-A from loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 30 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 20 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 50 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 20 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms
The ping succeeds without timeout or abnormal delay.
Step 2 Create an ACL6 rule and apply the rule to the interface to reject the IPv6 packets from 3001::2.
# Configure S9300-A.
[S9300-A] acl ipv6 number 3001
[S9300-A-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[S9300-A-acl6-adv-3001] quit
[S9300-A] traffic classifier class1
[S9300-A-classifier-class1] if-match ipv6 acl 3001
[S9300-A-classifier-class1] quit
[S9300-A] traffic behavior behav1
[S9300-A-behavior-behav1] deny
[S9300-A-behavior-behav1] quit
[S9300-A] traffic policy policy1
[S9300-A-trafficpolicy-policy1] classifier class1 behavior behav1
[S9300-A-trafficpolicy-policy1] quit
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[S9300-A-GigabitEthernet1/0/0] quit
Step 3 Verify the configuration.
# Ping interface VLANIF 10 of S9300-A from VLANIF 10 of S9300-B.
[S9300-B] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms
The ping fails, because the source address 3001::2 matches the deny rule in ACL6 3001.
# Ping interface VLANIF 10 of S9300-A from loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 40 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 30 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/48/80 ms
The ping succeeds, because the source address 3002::2 does not match the ACL6 rule.
Configuration Files
traffic classifier class1 operator or
 if-match ipv6 acl 3001
#
traffic behavior behav1
 deny
#
traffic policy policy1
 classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-policy policy1 inbound
#
interface Vlanif10
 ipv6 enable
 ipv6 address 3001::1/64
#
ipv6 route-static 3002:: 64 3001::2
#
return