
Quidway S9300 Terabit Routing Switch V100R002C00

Configuration Guide - Security

Issue: 06
Date: 2010-01-08

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are the property of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.


Contents
About This Document

1 AAA and User Management Configuration
  1.1 Introduction to AAA and User Management
  1.2 AAA and User Management Features Supported by the S9300
  1.3 Configuring AAA Schemes
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring an Authentication Scheme
    1.3.3 Configuring an Authorization Scheme
    1.3.4 Configuring an Accounting Scheme
    1.3.5 (Optional) Configuring a Recording Scheme
    1.3.6 Checking the Configuration
  1.4 Configuring a RADIUS Server Template
    1.4.1 Establishing the Configuration Task
    1.4.2 Creating a RADIUS Server Template
    1.4.3 Configuring a RADIUS Authentication Server
    1.4.4 Configuring the RADIUS Accounting Server
    1.4.5 Configuring a RADIUS Authorization Server
    1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
    1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
    1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
    1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
    1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
    1.4.11 Checking the Configuration
  1.5 Configuring an HWTACACS Server Template
    1.5.1 Establishing the Configuration Task
    1.5.2 Creating an HWTACACS Server Template
    1.5.3 Configuring an HWTACACS Authentication Server
    1.5.4 Configuring the HWTACACS Accounting Server
    1.5.5 Configuring an HWTACACS Authorization Server
    1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets
    1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server
    1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
    1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server
    1.5.10 (Optional) Setting HWTACACS Timers
    1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packets
    1.5.12 Checking the Configuration
  1.6 Configuring a Service Scheme
    1.6.1 Establishing the Configuration Task
    1.6.2 Creating a Service Scheme
    1.6.3 Setting the Administrator Level
    1.6.4 Configuring a DHCP Server Group
    1.6.5 Configuring an Address Pool
    1.6.6 Configuring Primary and Secondary DNS Servers
    1.6.7 Checking the Configuration
  1.7 Configuring a Domain
    1.7.1 Establishing the Configuration Task
    1.7.2 Creating a Domain
    1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain
    1.7.4 Configuring a RADIUS Server Template for a Domain
    1.7.5 Configuring an HWTACACS Server Template for a Domain
    1.7.6 (Optional) Configuring a Service Scheme for a Domain
    1.7.7 (Optional) Setting the Status of a Domain
    1.7.8 (Optional) Configuring the Domain Name Delimiter
    1.7.9 Checking the Configuration
  1.8 Configuring Local User Management
    1.8.1 Establishing the Configuration Task
    1.8.2 Creating a Local User
    1.8.3 (Optional) Setting the Access Type of a Local User
    1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
    1.8.5 (Optional) Setting the Status of a Local User
    1.8.6 (Optional) Setting the Level of a Local User
    1.8.7 (Optional) Setting the Access Limit for a Local User
    1.8.8 Checking the Configuration
  1.9 Maintaining AAA and User Management
    1.9.1 Clearing the Statistics
    1.9.2 Monitoring the Running Status of AAA
    1.9.3 Debugging
  1.10 Configuration Examples
    1.10.1 Example for Configuring RADIUS Authentication and Accounting
    1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

2 NAC Configuration
  2.1 Introduction to NAC
    2.1.1 Web Authentication
    2.1.2 802.1x Authentication
    2.1.3 MAC Address Authentication
  2.2 NAC Features Supported by the S9300
  2.3 Configuring Web Authentication
    2.3.1 Establishing the Configuration Task
    2.3.2 Configuring the Web Authentication Server
    2.3.3 Binding the Web Authentication Server to the Interface
    2.3.4 Configuring the Free Rule for Web Authentication
    2.3.5 (Optional) Configuring the Web Authentication Policy
    2.3.6 (Optional) Setting the Port That Listens for Portal Packets
    2.3.7 (Optional) Setting the Version of the Portal Protocol Packets
    2.3.8 Checking the Configuration
  2.4 Configuring 802.1x Authentication
    2.4.1 Establishing the Configuration Task
    2.4.2 Enabling Global 802.1x Authentication
    2.4.3 Enabling 802.1x Authentication on an Interface
    2.4.4 (Optional) Enabling MAC Bypass Authentication
    2.4.5 Setting the Authentication Method for the 802.1x User
    2.4.6 (Optional) Configuring the Interface Access Mode
    2.4.7 (Optional) Configuring the Authorization Status of an Interface
    2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
    2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication
    2.4.10 (Optional) Configuring 802.1x Timers
    2.4.11 (Optional) Configuring the Quiet Timer Function
    2.4.12 (Optional) Configuring 802.1x Re-authentication
    2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
    2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
    2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request
    2.4.16 Checking the Configuration
  2.5 Configuring MAC Address Authentication
    2.5.1 Establishing the Configuration Task
    2.5.2 Enabling Global MAC Address Authentication
    2.5.3 Enabling MAC Address Authentication on an Interface
    2.5.4 (Optional) Enabling Direct Authentication
    2.5.5 Configuring the User Name for MAC Address Authentication
    2.5.6 (Optional) Configuring the Domain for MAC Address Authentication
    2.5.7 (Optional) Setting the Timers of MAC Address Authentication
    2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
    2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
    2.5.10 (Optional) Re-Authenticating a User with a Specific MAC Address
    2.5.11 Checking the Configuration
  2.6 Maintaining NAC
    2.6.1 Clearing the Statistics About 802.1x Authentication
    2.6.2 Clearing the Statistics About MAC Address Authentication
    2.6.3 Debugging 802.1x Authentication
    2.6.4 Debugging MAC Address Authentication
  2.7 Configuration Examples
    2.7.1 Example for Configuring Web Authentication
    2.7.2 Example for Configuring 802.1x Authentication
    2.7.3 Example for Configuring MAC Address Authentication

3 DHCP Snooping Configuration
  3.1 Introduction to DHCP Snooping
  3.2 DHCP Snooping Features Supported by the S9300
  3.3 Preventing the Bogus DHCP Server Attack
    3.3.1 Establishing the Configuration Task
    3.3.2 Enabling DHCP Snooping
    3.3.3 Configuring an Interface as a Trusted Interface
    3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
    3.3.5 Checking the Configuration
  3.4 Preventing DoS Attacks That Change the CHADDR Field
    3.4.1 Establishing the Configuration Task
    3.4.2 Enabling DHCP Snooping
    3.4.3 Checking the CHADDR Field in DHCP Request Messages
    3.4.4 Checking the Configuration
  3.5 Preventing an Attacker from Sending Bogus DHCP Messages to Extend IP Address Leases
    3.5.1 Establishing the Configuration Task
    3.5.2 Enabling DHCP Snooping
    3.5.3 Enabling the Checking of DHCP Request Messages
    3.5.4 (Optional) Configuring the Option 82 Function
    3.5.5 Checking the Configuration
  3.6 Setting the Maximum Number of DHCP Snooping Users
    3.6.1 Establishing the Configuration Task
    3.6.2 Enabling DHCP Snooping
    3.6.3 Setting the Maximum Number of DHCP Snooping Users
    3.6.4 (Optional) Configuring MAC Address Security on an Interface
    3.6.5 Checking the Configuration
  3.7 Limiting the Rate of Sending DHCP Messages
    3.7.1 Establishing the Configuration Task
    3.7.2 Enabling DHCP Snooping
    3.7.3 Limiting the Rate of Sending DHCP Messages
    3.7.4 Checking the Configuration
  3.8 Configuring the Packet Discarding Alarm Function
    3.8.1 Establishing the Configuration Task
    3.8.2 Enabling DHCP Snooping
    3.8.3 Enabling the Checking of DHCP Messages
    3.8.4 Configuring the Packet Discarding Alarm Function
    3.8.5 Checking the Configuration
  3.9 Maintaining DHCP Snooping
    3.9.1 Clearing DHCP Snooping Statistics
    3.9.2 Resetting the DHCP Snooping Binding Table
    3.9.3 Backing Up the DHCP Snooping Binding Table
  3.10 Configuration Examples
    3.10.1 Example for Preventing the Bogus DHCP Server Attack
    3.10.2 Example for Preventing DoS Attacks That Change the CHADDR Field
    3.10.3 Example for Preventing an Attacker from Sending Bogus DHCP Messages to Extend IP Address Leases
    3.10.4 Example for Limiting the Rate of Sending DHCP Messages
    3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
    3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
    3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

4 ARP Security Configuration
  4.1 Introduction to ARP Security
  4.2 ARP Security Supported by the S9300
  4.3 Limiting ARP Entry Learning
    4.3.1 Establishing the Configuration Task
    4.3.2 Enabling Strict ARP Entry Learning
    4.3.3 Configuring Interface-based ARP Entry Limitation
    4.3.4 Checking the Configuration
  4.4 Configuring ARP Anti-Attack
    4.4.1 Establishing the Configuration Task
    4.4.2 Preventing the ARP Address Spoofing Attack
    4.4.3 Preventing the ARP Gateway Duplicate Attack
    4.4.4 Preventing the Man-in-the-Middle Attack
    4.4.5 Configuring ARP Proxy on a VPLS Network
    4.4.6 Configuring DHCP to Trigger ARP Learning
    4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets
    4.4.8 Enabling Log and Alarm Functions for Potential Attacks
    4.4.9 Checking the Configuration
  4.5 Suppressing the Transmission Rate of ARP Packets
    4.5.1 Establishing the Configuration Task
    4.5.2 Configuring Source-based ARP Suppression
    4.5.3 Configuring Source-based ARP Miss Suppression
    4.5.4 Setting the Suppression Time of ARP Miss Messages
    4.5.5 Suppressing the Transmission Rate of ARP Packets
    4.5.6 Checking the Configuration
  4.6 Maintaining ARP Security
    4.6.1 Displaying the Statistics About ARP Packets
    4.6.2 Clearing the Statistics on ARP Packets
    4.6.3 Clearing the Statistics on Discarded ARP Packets
    4.6.4 Debugging ARP Packets
  4.7 Configuration Examples
    4.7.1 Example for Configuring ARP Security Functions
    4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks

5 Source IP Attack Defense Configuration
  5.1 Overview of IP Source Guard
  5.2 IP Source Guard Features Supported by the S9300
  5.3 Configuring IP Source Guard
    5.3.1 Establishing the Configuration Task
    5.3.2 (Optional) Configuring a Static User Binding Entry
    5.3.3 Enabling IP Source Guard
    5.3.4 Configuring the Check Items of IP Packets
    5.3.5 Checking the Configuration
  5.4 Configuring IP Source Trail
    5.4.1 Establishing the Configuration Task
    5.4.2 Configuring IP Source Trail Based on the Destination IP Address
    5.4.3 Checking the Configuration
  5.5 Configuring URPF
    5.5.1 Establishing the Configuration Task
    5.5.2 Enabling URPF
    5.5.3 Setting the URPF Check Mode on an Interface
    5.5.4 (Optional) Disabling URPF for the Specified Traffic
    5.5.5 Checking the Configuration
  5.6 Maintaining Source IP Attack Defense
    5.6.1 Clearing the Statistics on IP Source Trail
  5.7 Configuration Examples
    5.7.1 Example for Configuring IP Source Guard
    5.7.2 Example for Configuring IP Source Trail
    5.7.3 Example for Configuring URPF

6 Local Attack Defense Configuration......................................................................................6-1


6.1 Overview of Local Attack Defense.................................................................................................................6-2 6.2 Local Attack Defense Features Supported by the S9300................................................................................6-2 6.3 Configuring the Attack Defense Policy.......................................................................................................... 6-3 6.3.1 Establishing the Configuration Task......................................................................................................6-3 6.3.2 Creating an Attack Defense Policy........................................................................................................ 6-4 6.3.3 Configuring the Whitelist.......................................................................................................................6-4 6.3.4 Configuring the Blacklist.......................................................................................................................6-4 6.3.5 Configuring User-Defined Flows...........................................................................................................6-5 6.3.6 Configuring the Rule for Sending Packets to the CPU..........................................................................6-6 6.3.7 Applying the Attack Defense Policy......................................................................................................6-6 6.3.8 Checking the Configuration...................................................................................................................6-7 vi Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

Contents

6.4 Configuring Attack Source Tracing................................................................................................................6-8 6.4.1 Establishing the Configuration Task......................................................................................................6-8 6.4.2 Creating an Attack Defense Policy........................................................................................................6-9 6.4.3 Enabling the Automatic Attack Source Tracing.....................................................................................6-9 6.4.4 Configuring the Threshold of Attack Source Tracing..........................................................................6-10 6.4.5 (Optional) Configuring the Attack Source Alarm Function.................................................................6-10 6.4.6 Applying the Attack Defense Policy....................................................................................................6-11 6.4.7 Checking the Configuration.................................................................................................................6-12 6.5 Maintaining the Attack Defense Policy........................................................................................................6-13 6.5.1 Clearing Statistics About Packets Destined for the CPU.....................................................................6-13 6.5.2 Clearing Statistics About Attack Sources............................................................................................6-13 6.6 Configuration Examples................................................................................................................................6-14 6.6.1 Example for Configuring the Attack Defense Policy...........................................................................6-14

7 PPPoE+ Configuration..............................................................................................................7-1
7.1 PPPoE+ Overview...........................................................................................................................................7-2 7.2 PPPoE+ Features Supported by the S9300.....................................................................................................7-2 7.3 Configuring PPPoE+.......................................................................................................................................7-2 7.3.1 Establishing the Configuration Task......................................................................................................7-2 7.3.2 Enabling PPPoE+ Globally....................................................................................................................7-3 7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets.................................7-3 7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets............................................7-4 7.3.5 Configuring the PPPoE Trusted Interface..............................................................................................7-4 7.3.6 Checking the Configuration...................................................................................................................7-5 7.4 Configuration Examples..................................................................................................................................7-5 7.4.1 Example for Configuring PPPoE+.........................................................................................................7-5

8 MFF Configuration....................................................................................................................8-1
8.1 MFF Overview................................................................................................................................................8-2 8.2 MFF Features Supported by the S9300...........................................................................................................8-3 8.3 Configuring MFF............................................................................................................................................8-4 8.3.1 Establishing the Configuration Task......................................................................................................8-4 8.3.2 Enabling Global MFF.............................................................................................................................8-5 8.3.3 Configuring the MFF Network Interface...............................................................................................8-5 8.3.4 Enabling MFF in a VLAN.....................................................................................................................8-6 8.3.5 (Optional) Configuring the Static Gateway Address.............................................................................8-6 8.3.6 (Optional) Enabling Timed Gateway Address Detection.......................................................................8-7 8.3.7 (Optional) Setting the Server Address...................................................................................................8-7 8.3.8 Checking the Configuration...................................................................................................................8-7 8.4 Configuration Examples..................................................................................................................................8-8 8.4.1 Example for Configuring MFF..............................................................................................................8-8

9 Interface Security Configuration............................................................................................9-1


9.1 Interface Security Overview............................................................................................................................9-2 Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vii

Contents

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

9.2 Interface Security Features Supported by the S9300......................................................................................9-2 9.3 Configuring Interface Security........................................................................................................................9-2 9.3.1 Establishing the Configuration Task......................................................................................................9-3 9.3.2 Enabling the Interface Security Function...............................................................................................9-3 9.3.3 (Optional) Configuring the Protection Action in Interface Security......................................................9-4 9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface........................................9-4 9.3.5 Enabling Sticky MAC on an Interface...................................................................................................9-5 9.3.6 Checking the Configuration...................................................................................................................9-5 9.4 Configuration Examples..................................................................................................................................9-6 9.4.1 Example for Configuring Interface Security..........................................................................................9-6

10 Traffic Suppression Configuration....................................................................................10-1


10.1 Introduction to Traffic Suppression............................................................................................................10-2 10.2 Traffic Suppression Features Supported by the S9300...............................................................................10-2 10.3 Configuring Traffic Suppression.................................................................................................................10-2 10.3.1 Establishing the Configuration Task..................................................................................................10-2 10.3.2 Configuring Traffic Suppression on an Interface...............................................................................10-3 10.3.3 Checking the Configuration...............................................................................................................10-4 10.4 Configuration Examples..............................................................................................................................10-4 10.4.1 Example for Configuring Traffic Suppression...................................................................................10-4

11 ACL Configuration................................................................................................................11-1
11.1 Introduction to the ACL..............................................................................................................................11-2 11.2 Classification of ACLs Supported by the S9300........................................................................................11-2 11.3 Configuring an ACL....................................................................................................................................11-3 11.3.1 Establishing the Configuration Task..................................................................................................11-3 11.3.2 Creating an ACL................................................................................................................................11-4 11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect.......................................................11-5 11.3.4 (Optional) Configuring the Description of an ACL...........................................................................11-5 11.3.5 Configuring a Basic ACL...................................................................................................................11-6 11.3.6 Configuring an Advanced ACL.........................................................................................................11-6 11.3.7 Configuring a Layer 2 ACL...............................................................................................................11-7 11.3.8 (Optional) Setting the Step of an ACL...............................................................................................11-8 11.3.9 Checking the Configuration...............................................................................................................11-8 11.4 Configuring ACL6......................................................................................................................................11-9 11.4.1 Establishing the Configuration 
Task..................................................................................................11-9 11.4.2 Creating an ACL6............................................................................................................................11-10 11.4.3 (Optional) Creating the Time Range of the ACL6...........................................................................11-10 11.4.4 Configuring a Basic ACL6...............................................................................................................11-11 11.4.5 Configuring an Advanced ACL6.....................................................................................................11-11 11.4.6 Checking the Configuration.............................................................................................................11-12 11.5 Configuration Examples............................................................................................................................11-13 11.5.1 Example for Configuring a Basic ACL............................................................................................11-13 11.5.2 Example for Configuring an Advanced ACL..................................................................................11-16 viii Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

Contents

11.5.3 Example for Configuring a Layer 2 ACL........................................................................................11-20 11.5.4 Example for Configuring an ACL6..................................................................................................11-22


Figures

Figure 1-1 Networking diagram of RADIUS authentication and accounting .... 1-42
Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization .... 1-45
Figure 2-1 Typical networking of NAC .... 2-2
Figure 2-2 Network diagram for configuring Web authentication .... 2-33
Figure 2-3 Networking diagram for configuring 802.1x authentication .... 2-36
Figure 2-4 Networking diagram for configuring MAC address authentication .... 2-38
Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network .... 3-4
Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent .... 3-4
Figure 3-3 Networking diagram for preventing the bogus DHCP server attack .... 3-32
Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field .... 3-34
Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases .... 3-37
Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages .... 3-40
Figure 3-7 Networking diagram for configuring DHCP snooping .... 3-42
Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent .... 3-47
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network .... 3-51
Figure 4-1 Networking diagram for configuring ARP security functions .... 4-22
Figure 4-2 Networking diagram for preventing man-in-the-middle attacks .... 4-26
Figure 5-1 Diagram of IP/MAC spoofing attack .... 5-2
Figure 5-2 Diagram of the URPF function .... 5-3
Figure 5-3 Networking diagram for configuring IP source guard .... 5-14
Figure 5-4 Networking diagram for configuring IP source trail .... 5-16
Figure 5-5 Networking diagram for configuring URPF .... 5-17
Figure 6-1 Networking diagram for configuring the attack defense policy .... 6-14
Figure 7-1 Networking diagram for configuring PPPoE+ .... 7-6
Figure 8-1 Networking diagram for configuring MFF .... 8-9
Figure 9-1 Networking diagram for configuring interface security .... 9-6
Figure 10-1 Networking diagram for configuring traffic suppression .... 10-5
Figure 11-1 Networking diagram for disabling URPF for the specified traffic .... 11-13
Figure 11-2 Networking diagram for configuring IPv4 ACLs .... 11-16
Figure 11-3 Networking diagram for configuring layer 2 ACLs .... 11-20
Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets .... 11-23


Tables

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes .... 3-5
Table 3-2 Relation between the type of attacks and the type of discarded packets .... 3-25


About This Document


Purpose
This document describes the security features of the S9300, namely AAA and user management, Network Access Control (NAC), DHCP snooping, ARP security, IP source guard, IP source trail, Unicast Reverse Path Forwarding (URPF), local attack defense, PPPoE+, MAC-forced forwarding (MFF), interface security, traffic suppression, and ACL. For each feature it covers the function introduction, configuration methods, maintenance, and configuration examples, and so guides you through both the principle and the configuration of the security features.

Related Versions
The following table lists the product versions related to this document.

Product Name    Version
S9300           V100R002C00

Intended Audience
This document is intended for:

- Data configuration engineer
- Commissioning engineer
- Network monitoring engineer
- System maintenance engineer

Organization
This document is organized as follows.


Chapter    Description

1 AAA and User Management Configuration    Describes basic concepts of AAA and user management, and provides configuration methods and configuration examples.
2 NAC Configuration    Describes basic concepts of Network Access Control (NAC), and provides configuration methods and configuration examples.
3 DHCP Snooping Configuration    Describes basic concepts of DHCP snooping, and provides configuration methods and configuration examples.
4 ARP Security Configuration    Describes basic concepts of ARP security, and provides configuration methods and configuration examples.
5 Source IP Attack Defense Configuration    Describes basic concepts of source IP attack defense, and provides configuration methods and configuration examples.
6 Local Attack Defense Configuration    Describes basic concepts of local attack defense, and provides configuration methods and configuration examples.
7 PPPoE+ Configuration    Describes basic concepts of PPPoE+, and provides configuration methods and configuration examples.
8 MFF Configuration    Describes basic concepts of MAC-Forced Forwarding (MFF), and provides configuration methods and configuration examples.
9 Interface Security Configuration    Describes basic concepts of interface security, and provides configuration methods and configuration examples.
10 Traffic Suppression Configuration    Describes basic concepts of traffic suppression, and provides configuration methods and configuration examples.
11 ACL Configuration    Describes basic concepts of ACL, and provides configuration methods and configuration examples.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.


Symbol    Description

DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP    Indicates a tip that may help you solve a problem or save time.
NOTE    Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Convention    Description

Times New Roman    Normal paragraphs are in Times New Roman.
Boldface    Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic    Book titles are in italics.
Courier New    Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention    Description

Boldface    The keywords of a command line are in boldface.
Italic    Command arguments are in italics.
[ ]    Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>    The parameter before the & sign can be repeated 1 to n times.
#    A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention    Description

Boldface    Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>    Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Format    Description

Key    Press the key. For example, press Enter and press Tab.
Key 1+Key 2    Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2    Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Action    Description

Click    Select and release the primary mouse button without moving the pointer.
Double-click    Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag    Press and hold the primary mouse button and move the pointer to a certain position.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 06 (2010-01-08)

Based on issue 05 (2009-11-10), the document is updated as follows.

The following information is modified:

- The background information of configuring the whitelist is modified: 6.3.3 Configuring the Whitelist
- The background information of configuring the blacklist is modified: 6.3.4 Configuring the Blacklist
- The background information of configuring user-defined flows is modified: 6.3.5 Configuring User-Defined Flows
- The enabling of strict ARP entry learning is modified: 4.3.2 Enabling Strict ARP Entry Learning
- The example for configuring interface security is modified: 9.4.1 Example for Configuring Interface Security

Updates in Issue 05 (2009-11-10)

Based on issue 04 (2009-09-30), the document is updated as follows.

The following information is modified:

- ACL Configuration: 11.2 Classification of ACLs Supported by the S9300

Updates in Issue 04 (2009-09-30)

Based on issue 03 (2009-09-20), the document is updated as follows.

The following information is modified:

- ARP Security Configuration: The configuration commands

Updates in Issue 03 (2009-09-20)

Based on issue 02 (2009-08-15), the document is updated as follows.

The following information is modified:

- DHCP Snooping Configuration: The configuration commands

Updates in Issue 02 (2009-08-15)

Based on issue 01 (2009-07-29), the document is updated as follows.

The following information is added:

- 7 PPPoE+ Configuration
- 3.6 Setting the Maximum Number of DHCP Snooping Users and 3.10.7 Example for Configuring DHCP Snooping on a VPLS Network in "DHCP Snooping Configuration"
- 6.3.3 Configuring the Whitelist in "Local Attack Defense Configuration"

The following information is modified:

- DHCP Snooping Configuration: The configuration commands
- Local Attack Defense Configuration: The configuration commands and configuration example

Updates in Issue 01 (2009-07-29)

Initial commercial release.


1 AAA and User Management Configuration

About This Chapter


This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial in User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain.

1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.

1.2 AAA and User Management Features Supported by the S9300
This section describes the AAA and user management features supported by the S9300.

1.3 Configuring AAA Schemes
This section describes how to configure an authentication scheme, an authorization scheme, and a recording scheme on the S9300.

1.4 Configuring a RADIUS Server Template
This section describes how to configure a RADIUS server template on the S9300.

1.5 Configuring an HWTACACS Server Template
This section describes how to configure an HWTACACS server template on the S9300.

1.6 Configuring a Service Scheme
This section describes how to configure a service scheme in the S9300 to store authorization information about users.

1.7 Configuring a Domain
This section describes how to configure a domain on the S9300.

1.8 Configuring Local User Management
This section describes how to configure local user management on the S9300.

1.9 Maintaining AAA and User Management
This section describes how to maintain AAA and user management.

1.10 Configuration Examples
This section provides several configuration examples of AAA and user management.


1.1 Introduction to AAA and User Management


This section describes the basic concepts of AAA and user management.

AAA
AAA provides the following types of services:
- Authentication: determines which users are allowed to access the network.
- Authorization: grants an authenticated user the right to use certain services.
- Accounting: records the network resources used by each user.

AAA adopts the client/server model, which scales well and allows user information to be managed centrally.

Domain-based User Management


Authentication, authorization, and accounting are configured per domain, so users can be managed on a domain basis. In the domain view you can configure authorization attributes and apply the authentication, authorization, and accounting schemes and the RADIUS or HWTACACS server templates that the users of the domain will use.

Local User Management


To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S9300.

1.2 AAA and User Management Features Supported by the S9300


This section describes the AAA and user management features supported by the S9300.

AAA
The S9300 provides authentication schemes in the following modes:
- Non-authentication: trusts users completely and does not check their validity. This mode is seldom used.
- Local authentication: user information, including the user name, password, and user attributes, is configured on the S9300 itself. Local authentication is fast, but the number of users that can be stored is limited by the hardware.
- Remote authentication: user information, including the user name, password, and user attributes, is configured on an authentication server. The S9300 acts as the client and communicates with the server through RADIUS or HWTACACS, so the user is authenticated remotely.

The S9300 provides authorization schemes in the following modes:
- Non-authorization: trusts users completely and authorizes them directly.
- Local authorization: authorizes users according to the attributes of the local user accounts configured on the S9300.
- Remote authorization: authorizes users remotely through HWTACACS. The S9300 acts as the client and communicates with the authorization server.
- If-authenticated authorization: authorizes users once they have passed local or remote authentication.

The S9300 provides the following accounting modes:
- None: users are not charged.
- RADIUS accounting: the S9300 sends accounting packets to the RADIUS server, which performs the accounting.
- HWTACACS accounting: the S9300 sends accounting packets to the HWTACACS server, which performs the accounting.

In RADIUS and HWTACACS accounting modes, the S9300 generates accounting packets when a user goes online or offline and sends them to the RADIUS or HWTACACS server. The server performs accounting based on the information in the packets, such as login time, logout time, and traffic volume. The S9300 also supports interim accounting: while a user is online, it periodically generates accounting packets and sends them to the accounting server. This limits the period for which accounting is inaccurate if communication between the S9300 and the accounting server is interrupted.

Local User Management


To perform local user management, you need to set up the local user database, maintain user information, and manage users on the local S9300. In local authentication or local authorization mode, you need to perform the task of 1.8 Configuring Local User Management.

Domain-based User Management


The S9300 manages users based on domains. You can configure authentication and authorization schemes in a domain; the specified schemes are then used to authenticate and authorize the users that belong to that domain. Every user of the S9300 belongs to a domain. The domain of a user is the character string that follows the domain name delimiter in the user name. The domain name delimiter can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If the user name contains no delimiter, the user belongs to the domain default. By default, the S9300 has two domains, default and default_admin, which cannot be deleted but can be modified. If the domain of an access user cannot be determined, the domain default is used.
- Domain default is used for common access users. By default, local authentication is performed for users in domain default.
- Domain default_admin is used for administrators. By default, local authentication is performed for users in domain default_admin.

The S9300 supports up to 128 domains, including the two default domains. Authorization attributes configured in a domain have lower priority than those delivered by the AAA server: an authorization attribute sent by the AAA server is used preferentially, and the attribute configured in the domain takes effect only when the AAA server does not have or does not deliver that attribute. In this way, you can add services flexibly through domain management, regardless of the attributes provided by the AAA server.

RADIUS and HWTACACS Server Templates

When RADIUS or HWTACACS is specified in an authentication or authorization scheme, you must configure a RADIUS or HWTACACS server template for the communication between the client and the server.
- In a RADIUS server template, you can set attributes such as the IP addresses, port numbers, and shared key of the authentication server and the accounting server.
- In an HWTACACS server template, you can set attributes such as the IP addresses, port numbers, and shared key of the authentication server, accounting server, and authorization server.

NOTE
In RADIUS, authorization is bound to authentication (the authorization attributes are delivered together with the authentication result); therefore, RADIUS cannot be used on its own to perform authorization.

1.3 Configuring AAA Schemes

This section describes how to configure an authentication scheme, an authorization scheme, an accounting scheme, and a recording scheme on the S9300.
1.3.1 Establishing the Configuration Task
1.3.2 Configuring an Authentication Scheme
1.3.3 Configuring an Authorization Scheme
1.3.4 Configuring an Accounting Scheme
1.3.5 (Optional) Configuring a Recording Scheme
1.3.6 Checking the Configuration

1.3.1 Establishing the Configuration Task


Applicable Environment
An AAA scheme of the S9300 consists of the authentication scheme, authorization scheme, accounting scheme, and recording scheme. The S9300 chooses the authentication, authorization, accounting, and recording modes (local processing, remote processing, or no processing) and relevant parameters for users according to the AAA scheme. After an AAA scheme is configured, you can apply this AAA scheme (excluding the recording scheme) to a domain. The S9300 then uses the scheme to perform authentication, authorization, and accounting for users in the domain. You can configure different recording schemes for different transactions in the AAA view.

Pre-configuration Tasks
None
1-4 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

1 AAA and User Management Configuration

Data Preparation
To configure AAA schemes, you need the following data.

No.  Data
1    Name of the authentication scheme and authentication mode
2    Name of the authorization scheme, authorization mode, (optional) user level in command-line-based authorization mode on the HWTACACS server, and (optional) timeout interval for command-line-based authorization
3    Name of the accounting scheme and accounting mode
4    (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording scheme, and recording policy used to record events

1.3.2 Configuring an Authentication Scheme


Context
NOTE

By default, the local authentication mode is used. If you want users not to be authenticated at all, you must create an authentication scheme, or modify the default authentication scheme, with the authentication mode set to none, and then apply that scheme to the domain that the users belong to. The authentication mode for logging in to the S9300 and the authentication mode for upgrading user levels are set separately.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is created and the authentication scheme view is displayed.
By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authentication-mode { hwtacacs | radius | local }* [ none ]

Or
authentication-mode none

The authentication mode is set. none indicates the non-authentication mode. By default, the local authentication mode is used. If multiple authentication modes are used in an authentication scheme, the non-authentication mode must be the last one. If the authentication mode is set to RADIUS or HWTACACS, you must configure a RADIUS or HWTACACS server template and apply the template in the view of the domain that the user belongs to.

NOTE
If multiple authentication modes are used in an authentication scheme, they take effect in the order in which they are configured. The S9300 tries the next authentication mode only when the current mode is invalid (for example, the server does not respond). If the user is rejected by the current mode, the S9300 does not try any other mode. Because none accepts every user, placing none after a remote mode means that users are admitted without any credential check whenever the remote server is unreachable; configure it only where that behaviour is intended.

Step 5 Run:
authentication-super { hwtacacs | super }* [ none ]

Or
authentication-super none

The authentication mode for upgrading user levels is set. The none parameter indicates the non-authentication mode, that is, users can change their own user level without being authenticated. By default, the local authentication mode is used for upgrading user levels. In this case, you need to run the super password command in the system view to set the password for upgrading user levels. For details on the super password command, see the Quidway S9300 Terabit Routing Switch Command Reference - Basic Configurations.

----End
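The evaluation rule in the NOTE above (modes are tried in configured order, the next mode is consulted only when the current one is invalid, a rejection is final, and none may only be last) is easy to misread, so the following simulation is added here as an example. It is not Huawei code and does not run on the S9300; the Outcome values, the backends mapping and the sample lambdas are constructed for the demonstration, and which conditions count as "invalid" (an unreachable server, a missing local account) is an assumption.

```python
"""Simulation of how a multi-mode VRP-style authentication scheme is evaluated.

Added example, not Huawei code. Models the rule stated in the configuration guide:
modes are tried in configured order, the next mode is consulted only when the current
one is invalid (assumed here: server unreachable or no matching local account), a
REJECT ends the evaluation, and 'none' may only appear last.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

VALID_MODES = {"hwtacacs", "radius", "local", "none"}


class Outcome(Enum):
    ACCEPT = "accept"    # credential verified
    REJECT = "reject"    # credential checked and refused (final)
    INVALID = "invalid"  # mode could not be applied (server down, no local user)


def validate_scheme(modes: List[str]) -> List[str]:
    """Mirror the constraints of 'authentication-mode { hwtacacs | radius | local }* [ none ]'."""
    if not modes:
        raise ValueError("at least one authentication mode is required")
    unknown = set(modes) - VALID_MODES
    if unknown:
        raise ValueError(f"unknown authentication mode(s): {sorted(unknown)}")
    if len(set(modes)) != len(modes):
        raise ValueError("an authentication mode may appear only once")
    if "none" in modes[:-1]:
        raise ValueError("'none' must be the last authentication mode")
    return modes


def authenticate(modes: List[str],
                 backends: Dict[str, Callable[[], Outcome]]) -> Tuple[Outcome, Optional[str]]:
    """Return (final outcome, mode that decided it).

    backends maps each remote/local mode to a callable standing in for the server or
    the local user database; 'none' needs no backend because it accepts everybody.
    """
    validate_scheme(modes)
    for mode in modes:
        if mode == "none":
            return Outcome.ACCEPT, mode   # fail-open: no credential was checked at all
        outcome = backends[mode]()
        if outcome is Outcome.INVALID:
            continue                      # mode unusable: fall through to the next one
        return outcome, mode              # ACCEPT or REJECT ends the evaluation
    return Outcome.REJECT, None           # every configured mode was unusable


def fails_open_on_outage(modes: List[str]) -> bool:
    """True when an outage of the remote server would admit users without any check."""
    validate_scheme(modes)
    return modes[-1] == "none" and any(m in ("radius", "hwtacacs") for m in modes)


if __name__ == "__main__":
    radius_down = {"radius": lambda: Outcome.INVALID, "local": lambda: Outcome.ACCEPT}
    print(authenticate(["radius", "local"], radius_down))     # (ACCEPT, 'local')
    radius_rejects = {"radius": lambda: Outcome.REJECT, "local": lambda: Outcome.ACCEPT}
    print(authenticate(["radius", "local"], radius_rejects))  # (REJECT, 'radius'); local is not consulted
    print(fails_open_on_outage(["radius", "none"]))           # True
```

The second call is the point to remember: with authentication-mode radius local, a user that the RADIUS server rejects is not given a second chance against the local database; local is reached only when RADIUS cannot answer.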

1.3.3 Configuring an Authorization Scheme


Context
NOTE

You can configure command-line-based authorization only when HWTACACS is adopted.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists on the S9300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }* [ none ]

Or
authorization-mode none

The authorization mode is set. By default, the local authorization mode is used. If multiple authorization modes are used in an authorization scheme, the non-authorization mode must be the last one. When the HWTACACS authorization mode is used, you must create an HWTACACS server template and apply the template to the domain that the user belongs to.

NOTE
If multiple authorization modes are used in an authorization scheme, they take effect in the order in which they are configured. The S9300 tries the next authorization mode only when the current mode is invalid. If the user is refused authorization by the current mode, the S9300 does not try any other mode.

Step 5 (Optional) Run:
authorization-cmd privilege-level hwtacacs [ local ]

Command-line-based authorization is configured for users at the specified level. By default, command-line-based authorization is not configured for users at levels 0 to 15. If command-line authorization is enabled, you must create an HWTACACS server template and apply the template in the view of the domain that the user belongs to.

Step 6 (Optional) Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }

The policy applied when command-line-based authorization fails is configured. By default, the user is kept online when command-line-based authorization fails. This policy is used only when the HWTACACS server fails or no local user is configured. It is not triggered in the following situations:
- The server works normally but the entered command fails authorization on the HWTACACS server.
- The HWTACACS server fails, command-line-based authorization falls back to local authorization, and authorization fails because the level of the entered command is higher than the level configured locally.

----End

----End

1.3.4 Configuring an Accounting Scheme


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is created and the accounting scheme view is displayed. By default, the S9300 provides an accounting scheme named default. This scheme can be modified but cannot be deleted.

Step 4 Run:
accounting-mode { hwtacacs | radius | none }

The accounting mode is set. By default, the accounting mode is none. If the accounting mode is set to RADIUS or HWTACACS, you must configure a RADIUS or HWTACACS server template and apply the template to the corresponding user domain.

Step 5 (Optional) Run:
accounting realtime interval

Interim accounting is enabled and the accounting interval is set. By default, interim accounting is enabled and the interval is 5 minutes. Choose the interval according to the network: a short interval increases network traffic and the load on the device that receives the interim accounting packets; a long interval increases the accounting error when communication between the accounting server and the S9300 fails.

Step 6 (Optional) Run:
accounting start-fail { online | offline }

The policy for remote accounting-start failure is set. If accounting cannot be started when a user logs in, the S9300 handles the user according to this policy. By default, the S9300 does not allow the user to go online when accounting start fails.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }

The policy for remote interim accounting failure is set. If interim accounting fails after a user has gone online, the S9300 handles the user according to this policy once the number of failures reaches times. By default, times is 3 and the user is kept online.

----End
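The two failure policies in Steps 6 and 7 have opposite defaults (a failed Accounting-Start denies the login, while failed interim updates leave the user online), and the max-times counter changes when the interim policy fires. The following simulation is added as an example to make that interaction visible; it is not Huawei code. The policy and session classes are constructed for the demonstration, and it assumes that failures are counted consecutively and that a successful interim update clears the counter.

```python
"""Simulation of the 'accounting start-fail' and 'accounting interim-fail' policies.

Added example, not Huawei code. Defaults follow the configuration guide:
start-fail offline (user not admitted when Accounting-Start fails) and
interim-fail max-times 3 online (user stays online after interim failures).
Assumptions: failures are counted consecutively and a successful update resets the count.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AccountingPolicy:
    start_fail: str = "offline"    # default in the guide
    interim_fail: str = "online"   # default in the guide
    max_times: int = 3             # default in the guide

    def __post_init__(self) -> None:
        for value in (self.start_fail, self.interim_fail):
            if value not in ("online", "offline"):
                raise ValueError("policy must be 'online' or 'offline'")
        if self.max_times < 1:
            raise ValueError("max-times must be at least 1")


@dataclass
class AccountingSession:
    policy: AccountingPolicy = field(default_factory=AccountingPolicy)
    online: bool = False
    failures: int = 0

    def start(self, server_acknowledged: bool) -> bool:
        """Accounting-Start at login. Returns whether the user is admitted."""
        self.online = server_acknowledged or self.policy.start_fail == "online"
        self.failures = 0
        return self.online

    def interim(self, server_acknowledged: bool) -> bool:
        """One interim accounting update. Returns whether the user is still online."""
        if not self.online:
            return False
        if server_acknowledged:
            self.failures = 0          # assumption: a success clears the run of failures
            return True
        self.failures += 1
        if self.failures >= self.policy.max_times and self.policy.interim_fail == "offline":
            self.online = False        # cut the user off once max-times is reached
        return self.online


def simulate(policy: AccountingPolicy, start_ok: bool, interim_results: List[bool]) -> List[bool]:
    """Online state after Accounting-Start and after each interim update, in order."""
    session = AccountingSession(policy)
    states = [session.start(start_ok)]
    for ok in interim_results:
        states.append(session.interim(ok))
    return states


if __name__ == "__main__":
    print(simulate(AccountingPolicy(), False, []))                         # [False]: default denies login
    print(simulate(AccountingPolicy(), True, [False, False, False, False]))  # all True: default keeps user online
    print(simulate(AccountingPolicy(interim_fail="offline"), True, [False, False, False]))  # [..., False]
```

With the defaults, an accounting server outage that begins after login never removes anyone, whereas the same outage at login time blocks every new session; decide explicitly which behaviour the accounting data is worth.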

1.3.5 (Optional) Configuring a Recording Scheme


Context
To monitor the device and locate faults, you can configure a recording scheme to record the following:
- Commands that are run on the S9300
- Information about connections
- System events

NOTE
The recording function is available only when HWTACACS is used.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
recording-scheme recording-scheme-name

A recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists on the S9300.

Step 4 Run:
recording-mode hwtacacs template-name

The HWTACACS server template associated with the recording scheme is specified. By default, a recording scheme is not associated with any HWTACACS server template.

Step 5 Run:
quit

The AAA view is displayed again.

Step 6 Run:
cmd recording-scheme recording-scheme-name

Commands run on the S9300 are recorded through the specified scheme. By default, commands are not recorded.

Step 7 Run:
outbound recording-scheme recording-scheme-name

Information about connections is recorded. By default, information about connections is not recorded.

Step 8 Run:
system recording-scheme recording-scheme-name

System events are recorded. By default, system events are not recorded.

----End

1.3.6 Checking the Configuration


Prerequisite
The configurations of AAA schemes are complete.

Procedure
- Run the display aaa configuration command to check the summary of AAA.
- Run the display authentication-scheme [ authentication-scheme-name ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] command to check the configuration of the recording scheme.
- Run the display access-user command to check the summary of all online users.

----End

1.4 Configuring a RADIUS Server Template


This section describes how to configure a RADIUS server template on the S9300.
1.4.1 Establishing the Configuration Task
1.4.2 Creating a RADIUS Server Template
1.4.3 Configuring a RADIUS Authentication Server
1.4.4 Configuring the RADIUS Accounting Server
1.4.5 Configuring a RADIUS Authorization Server
1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server
1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server
1.4.11 Checking the Configuration

1.4.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as required. You need to configure a RADIUS server template if RADIUS is used in the authentication scheme.
NOTE

A RADIUS server template has default parameters, which can be changed to suit the network. You can modify the RADIUS configuration only while the RADIUS server template is not in use.

Pre-configuration Tasks
None

Data Preparation
To configure a RADIUS server template, you need the following data.

No.  Data
1    IP address of the RADIUS authentication server
2    IP address of the RADIUS accounting server
3    (Optional) Shared key of the RADIUS server
4    (Optional) User name format supported by the RADIUS server
5    (Optional) Traffic unit of the RADIUS server
6    (Optional) Timeout interval for a RADIUS server to respond and number of times a request packet is retransmitted to a RADIUS server
7    (Optional) Format of the NAS port attribute of the RADIUS server


1.4.2 Creating a RADIUS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

A RADIUS server template is created and the RADIUS server template view is displayed.

----End

1.4.3 Configuring a RADIUS Authentication Server

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server authentication ip-address port [ source loopback interface-number ]

The primary RADIUS authentication server is configured. By default, the IP address of the primary RADIUS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
radius-server authentication ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS authentication server is configured. By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

----End

1.4.4 Configuring the RADIUS Accounting Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server accounting ip-address port [ source loopback interface-number ]

The primary RADIUS accounting server is configured. By default, the IP address of the primary RADIUS accounting server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
radius-server accounting ip-address port [ source loopback interface-number ] secondary

The secondary RADIUS accounting server is configured. By default, the IP address of the secondary RADIUS accounting server is 0.0.0.0 and the port number is 0.

----End

1.4.5 Configuring a RADIUS Authorization Server


Context
The RADIUS authorization server is mainly used to dynamically authorize users during service selection.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server authorization ip-address { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

The RADIUS authorization server is configured. By default, no RADIUS authorization server is configured on the S9300.

----End

1.4.6 (Optional) Setting a Shared Key for a RADIUS Server


Context
When the S9300 and the RADIUS server exchange authentication packets, sensitive fields such as the user password are not sent in clear text: the S9300 hides the password by XORing it with a keystream that the Message Digest 5 (MD5) algorithm derives from the shared key and the Request Authenticator of the packet (the method defined in RFC 2865), and the server's responses carry an MD5 authenticator computed over the packet and the shared key. For the two sides to verify each other and for the server to recover the password, the shared key configured on the S9300 and on the RADIUS server must be identical. This mechanism is only as strong as the shared key: anyone who knows or guesses the key and can capture the packets can recover the password, and MD5 gives no protection against a guessed key. Replace the default key with a long random value on every template.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server shared-key { cipher | simple } key-string

The shared key is set for the RADIUS server template. By default, the shared key is huawei.

----End
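The following code is added as an example of what the shared key protects and why the default value huawei must be changed; it is not Huawei code and does not run on the S9300. It implements the User-Password hiding of RFC 2865 section 5.2 with Python's standard hashlib, which is the mechanism described in the Context above, and adds the offline check that someone holding a captured Access-Request can run against a list of guessed keys. The sample password, candidate keys and the 16-byte Request Authenticator are constructed here.

```python
"""RFC 2865 User-Password hiding between a RADIUS client such as the S9300 and the server.

Added example, not Huawei code. The password is XORed block by block with
MD5(shared_key + previous block), the first "previous block" being the 16-byte
Request Authenticator, so both sides need the same key and a known key undoes the hiding.
Sample key, password and authenticator are constructed for the demonstration.
"""
import hashlib
import string
from typing import Iterable, List, Optional

BLOCK = 16


def _blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): returns the hidden User-Password attribute value."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad to a multiple of 16
    hidden = bytearray()
    prev = authenticator
    for chunk in _blocks(padded):
        keystream = hashlib.md5(secret + prev).digest()       # b(i) = MD5(S + c(i-1))
        cipher_block = bytes(p ^ k for p, k in zip(chunk, keystream))
        hidden += cipher_block
        prev = cipher_block                                   # next block keys on this ciphertext
    return bytes(hidden)


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared key and authenticator."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for cipher_block in _blocks(hidden):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    return bytes(plain).rstrip(b"\x00")                       # strip the NUL padding


def key_yields_plausible_password(hidden: bytes, authenticator: bytes, candidate: bytes) -> bool:
    """Offline test of a guessed key against a captured Access-Request: a wrong key
    yields pseudo-random bytes, the right one yields printable text."""
    recovered = recover_user_password(hidden, candidate, authenticator)
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return bool(recovered) and all(b in printable for b in recovered)


def guess_shared_key(hidden: bytes, authenticator: bytes,
                     candidates: Iterable[bytes]) -> Optional[bytes]:
    """First candidate key under which the recovered password looks plausible."""
    for candidate in candidates:
        if key_yields_plausible_password(hidden, authenticator, candidate):
            return candidate
    return None


if __name__ == "__main__":
    authenticator = bytes(range(16))               # constructed; a real client uses random bytes
    hidden = hide_user_password(b"s3cret!", b"huawei", authenticator)
    print(hidden.hex())
    print(recover_user_password(hidden, b"huawei", authenticator))          # b's3cret!'
    print(guess_shared_key(hidden, authenticator, [b"hello", b"huawei"]))   # b'huawei'
```

Nothing in the exchange slows down the guessing loop: one MD5 per candidate key is all it costs, so a short or default shared key is recovered immediately from a single captured Access-Request.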

1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
Context
NOTE

A user name is in the user name@domain name format and the characters after @ refer to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server user-name domain-included

The user name format supported by the RADIUS server is set. By default, the user name sent to the RADIUS server contains the domain name, that is, the S9300 sends the user name, the domain name delimiter, and the domain name to the RADIUS server for authentication.
If the RADIUS server does not accept user names that contain a domain name, run the undo radius-server user-name domain-included command so that the S9300 removes the delimiter and domain name before sending the user name to the RADIUS server.

----End
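Two passages in this chapter describe how a user name is taken apart: the domain rules in 1.2 (the text after the delimiter is the domain, a name without a delimiter falls into domain default, unknown domains fall back to default) and the user-name format sent to the RADIUS server under radius-server user-name domain-included above. The following code is added as an example covering both; it is not Huawei code. The delimiter set is the union of the delimiters listed in 1.2 and in the NOTE of this section, and it assumes that the name is split at the first delimiter found; the sample names and configured domains are constructed.

```python
"""User-name parsing rules from the S9300 AAA chapter, as a stand-alone model.

Added example, not Huawei code. Delimiters are those the guide lists (@ | % \\ / : < > ').
Assumptions: the split happens at the first delimiter in the name; a name without a
delimiter or with an unknown domain maps to domain 'default'; sample data is constructed.
"""
from typing import Optional, Set, Tuple

DOMAIN_DELIMITERS = "@|%\\/:<>'"
DEFAULT_DOMAIN = "default"
BUILTIN_DOMAINS = {"default", "default_admin"}   # always present, cannot be deleted
MAX_DOMAINS = 128                                # including the two built-in domains


def split_user_name(full_name: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (user, domain, delimiter); domain and delimiter are None when absent."""
    for index, char in enumerate(full_name):
        if char in DOMAIN_DELIMITERS:
            return full_name[:index], full_name[index + 1:], char
    return full_name, None, None


def resolve_domain(full_name: str, configured_domains: Set[str]) -> str:
    """Domain whose AAA schemes apply to this user ('default' if none can be determined)."""
    _, domain, _ = split_user_name(full_name)
    if domain and domain in (configured_domains | BUILTIN_DOMAINS):
        return domain
    return DEFAULT_DOMAIN


def radius_user_name(full_name: str, domain_included: bool = True) -> str:
    """User-Name attribute sent to the RADIUS server.

    domain_included=True is the default; False models
    'undo radius-server user-name domain-included', which strips delimiter and domain.
    """
    user, domain, _ = split_user_name(full_name)
    if domain_included or domain is None:
        return full_name
    return user


def domain_count_allowed(configured_domains: Set[str]) -> bool:
    """True while the total number of domains stays within the S9300 limit of 128."""
    return len(configured_domains | BUILTIN_DOMAINS) <= MAX_DOMAINS


if __name__ == "__main__":
    domains = {"huawei"}
    for name in ("user@huawei", "user|huawei", "admin", "user@nosuch"):
        print(name, "->", resolve_domain(name, domains),
              "sent as", radius_user_name(name, domain_included=False))
```

Note the consequence of the fallback rule: a typo in the domain part does not produce an error, it silently routes the user to domain default and whatever schemes are bound there, so keep the default domain's authentication scheme strict.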

1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit for the RADIUS server is set. By default, traffic is expressed in bytes on the S9300.

----End

1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server timeout seconds

The time that the S9300 waits for a response from the RADIUS server is set. By default, it is 5 seconds. When the S9300 sends a request packet to the RADIUS server and receives no response within the timeout interval, it retransmits the request.

Step 4 Run:
radius-server retransmit retry-times

The number of times a request packet is retransmitted to the RADIUS server is set. By default, it is 3. After retransmitting a request the configured number of times without receiving a response, the S9300 considers the RADIUS server unavailable.

----End

1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server


Context
The NAS port format and the NAS port ID format are defined by Huawei and are used to maintain connectivity and service cooperation among Huawei devices. Each format has a new and an old form. How the physical port of an access user is identified depends on the format chosen for the NAS port attribute.

For Ethernet access users:
- NAS port
  New NAS port format: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits).
  Old NAS port format: slot number (12 bits) + port number (8 bits) + VLAN ID (12 bits).
- NAS port ID
  New format: slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx, where slot ranges from 0 to 15, subslot from 0 to 15, port from 0 to 255, and VLAN ID from 1 to 4094.
  Old format: slot number (2 characters) + subslot number (2 characters) + port number (3 characters) + VLAN ID (9 characters).

For ADSL access users:
- NAS port format: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).
- NAS port ID
  New format: slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx, where slot ranges from 0 to 15, subslot from 0 to 9, port from 0 to 9, VPI from 0 to 255, and VCI from 0 to 65535.
  Old format: slot number (2 characters) + subslot number (2 characters) + port number (3 characters) + VPI (8 characters) + VCI (16 characters).

A field that is shorter than its specified width is prefixed with 0s.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
radius-server template template-name

The RADIUS server template view is displayed.

Step 3 Run:
radius-server nas-port-format { new | old }

The NAS port format used for the RADIUS server is specified. By default, the new NAS port format is used.

Step 4 Run:
radius-server nas-port-id-format { new | old }

The NAS port ID format used for the RADIUS server is specified. By default, the new NAS port ID format is used.

----End
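The bit layouts in the Context of this section are easiest to check by building the attribute values, so the following encoder and decoder are added as an example; they are not Huawei code and do not run on the S9300. Assumptions: fields are packed most-significant first in the order the guide lists them (each layout totals 32 bits), the exact spelling of the NAS port ID keys and separators follows the "slot=xx; subslot=xx; ..." pattern without spaces, and the "card number" field of the old NAS port ID text is treated as the port number. The sample slot, port and VLAN values are constructed.

```python
"""Builds RADIUS NAS-Port (32-bit integer) and NAS-Port-Id (string) values in the
new and old Huawei formats described in the S9300 guide, for Ethernet and ADSL users.

Added example, not Huawei code. Assumed: MSB-first packing in the listed order,
key spelling/separators of NAS-Port-Id, and 'card number' meaning the port number.
"""
from typing import Dict, List, Sequence, Tuple

Layout = Sequence[Tuple[str, int]]    # (field name, width in bits)

NAS_PORT_LAYOUTS: Dict[Tuple[str, str], Layout] = {
    ("ethernet", "new"): (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)),
    ("ethernet", "old"): (("slot", 12), ("port", 8), ("vlan", 12)),
    ("adsl", "new"): (("slot", 4), ("subslot", 2), ("port", 2), ("vpi", 8), ("vci", 16)),
}


def pack_fields(fields: List[Tuple[str, int, int]]) -> int:
    """Pack (name, value, width) fields MSB-first into one 32-bit integer."""
    if sum(width for _, _, width in fields) != 32:
        raise ValueError("layout must total 32 bits")
    packed = 0
    for name, value, width in fields:
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        packed = (packed << width) | value
    return packed


def unpack_fields(packed: int, layout: Layout) -> Dict[str, int]:
    """Inverse of pack_fields for a layout of (name, width) pairs."""
    if not 0 <= packed < (1 << 32):
        raise ValueError("NAS-Port must be a 32-bit integer")
    result, shift = {}, 32
    for name, width in layout:
        shift -= width
        result[name] = (packed >> shift) & ((1 << width) - 1)
    return result


def nas_port(access: str, fmt: str, **values: int) -> int:
    """NAS-Port attribute for access type 'ethernet' or 'adsl' in format 'new' or 'old'."""
    layout = NAS_PORT_LAYOUTS[(access, fmt)]
    if access == "ethernet" and not 1 <= values["vlan"] <= 4094:
        raise ValueError("VLAN ID must be 1..4094")   # documented range, narrower than 12 bits
    return pack_fields([(name, values[name], width) for name, width in layout])


def nas_port_id_ethernet(slot: int, subslot: int, port: int, vlan: int, fmt: str = "new") -> str:
    if not (0 <= slot <= 15 and 0 <= subslot <= 15 and 0 <= port <= 255 and 1 <= vlan <= 4094):
        raise ValueError("field outside the documented range")
    if fmt == "new":
        return f"slot={slot:02d};subslot={subslot:02d};port={port:03d};vlanid={vlan:04d}"
    return f"{slot:02d}{subslot:02d}{port:03d}{vlan:09d}"   # old: fixed width, zero-prefixed


def nas_port_id_adsl(slot: int, subslot: int, port: int, vpi: int, vci: int, fmt: str = "new") -> str:
    if not (0 <= slot <= 15 and 0 <= subslot <= 9 and 0 <= port <= 9
            and 0 <= vpi <= 255 and 0 <= vci <= 65535):
        raise ValueError("field outside the documented range")
    if fmt == "new":
        return f"slot={slot:02d};subslot={subslot};port={port};vpi={vpi:03d};vci={vci:05d}"
    return f"{slot:02d}{subslot:02d}{port:03d}{vpi:08d}{vci:016d}"


if __name__ == "__main__":
    value = nas_port("ethernet", "new", slot=2, subslot=0, port=5, vlan=100)
    print(value, hex(value))                                           # 33575012 0x2005064
    print(unpack_fields(value, NAS_PORT_LAYOUTS[("ethernet", "new")]))
    print(nas_port_id_ethernet(2, 0, 5, 100), nas_port_id_ethernet(2, 0, 5, 100, fmt="old"))
```

Note that the same physical port produces different NAS-Port integers in the new and old formats, so a RADIUS policy that matches on NAS-Port must be written for whichever format the template selects.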

1.4.11 Checking the Configuration


Prerequisite
The configurations of the RADIUS server template are complete.

Procedure
- Run the display radius-server configuration [ template template-name ] command to check the configuration of the RADIUS server template.

----End

Example
After completing the configuration of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.

<Quidway> display radius-server configuration
  -------------------------------------------------------------------
  Server-template-name             :  radius
  Protocol-version                 :  standard
  Traffic-unit                     :  B
  Shared-secret-key                :  huawei
  Timeout-interval(in second)      :  5
  Primary-authentication-server    :  0.0.0.0; 0; LoopBack:NULL
  Primary-accounting-server        :  0.0.0.0; 0; LoopBack:NULL
  Secondary-authentication-server  :  0.0.0.0; 0; LoopBack:NULL
  Secondary-accounting-server      :  0.0.0.0; 0; LoopBack:NULL
  Retransmission                   :  3
  Domain-included                  :  YES
  -------------------------------------------------------------------
  -------------------------------------------------------------------
  Server-template-name             :  test
  Protocol-version                 :  standard
  Traffic-unit                     :  B
  Shared-secret-key                :  hello
  Timeout-interval(in second)      :  5
  Primary-authentication-server    :  10.1.1.2; 1812; LoopBack:NULL
  Primary-accounting-server        :  10.1.1.2; 1812; LoopBack:NULL
  Secondary-authentication-server  :  0.0.0.0; 0; LoopBack:NULL
  Secondary-accounting-server      :  0.0.0.0; 0; LoopBack:NULL
  Retransmission                   :  5
  Domain-included                  :  YES
  -------------------------------------------------------------------
  Total of radius template :2

1.5 Configuring an HWTACACS Server Template


This section describes how to configure an HWTACACS server template on the S9300.
1.5.1 Establishing the Configuration Task
1.5.2 Creating an HWTACACS Server Template
1.5.3 Configuring an HWTACACS Authentication Server
1.5.4 Configuring the HWTACACS Accounting Server
1.5.5 Configuring an HWTACACS Authorization Server
1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets
1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server
1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server
1.5.10 (Optional) Setting HWTACACS Timers
1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packets
1.5.12 Checking the Configuration

1.5.1 Establishing the Configuration Task


Applicable Environment
In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme.
NOTE

When you modify the attributes of an HWTACACS server template, the S9300 does not check whether the template is in use. The only exception is deleting the configuration of a server, which is checked.

Pre-configuration Tasks
None

Data Preparation
To configure an HWTACACS server template, you need the following data.
No. Data
1 Name of the HWTACACS server template
2 IP addresses of the HWTACACS authentication, authorization, and accounting servers
3 (Optional) Source IP address of the HWTACACS server
4 (Optional) Shared key of the HWTACACS server
5 (Optional) User name format supported by the HWTACACS server
6 (Optional) Traffic unit of the HWTACACS server
7 (Optional) Timeout interval for the HWTACACS server to send response packets and time when the primary HWTACACS server is restored to the active state

1.5.2 Creating an HWTACACS Server Template


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

An HWTACACS server template is created and the HWTACACS server template view is displayed.
----End

1.5.3 Configuring an HWTACACS Authentication Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server authentication ip-address [ port ]

The IP address of the primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
hwtacacs-server authentication ip-address [ port ] secondary

The IP address of the secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and the port number is 0.
----End

1.5.4 Configuring the HWTACACS Accounting Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server accounting ip-address [ port ]

The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and the port number is 0.

Step 4 Run:
hwtacacs-server accounting ip-address [ port ] secondary

The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and the port number is 0.
----End

1.5.5 Configuring an HWTACACS Authorization Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server authorization ip-address [ port ]

The IP address of the primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] secondary

The IP address of the secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and the port number is 0.
----End

1.5.6 (Optional) Configuring the Source IP Address of HWTACACS Packets


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server source-ip ip-address

The source IP address of HWTACACS packets is configured. By default, the source IP address of HWTACACS packets is 0.0.0.0, which means that the S9300 uses the IP address of the outgoing interface as the source address. After you specify a source IP address, the S9300 uses that address for all communication with the HWTACACS server, and the HWTACACS server communicates with the S9300 at that address.
----End

1.5.7 (Optional) Setting the Shared Key of an HWTACACS Server



Context
Setting the shared key ensures the security of communication between the S9300 and an HWTACACS server. To ensure the validity of the authenticator and the authenticated, the shared keys set on the S9300 and the HWTACACS server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server shared-key { cipher | simple } key-string

The shared key is set for the HWTACACS server. By default, no shared key is set for the HWTACACS server.
----End

1.5.8 (Optional) Setting the User Name Format for an HWTACACS Server
Context
NOTE

A user name is in the user name@domain name format and the character string after "@" refers to the domain name. In the user name, @ is the domain name delimiter. The domain name delimiter can also be any of the following symbols: \ / : < > | ' %

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server user-name domain-included

The user name format is set for an HWTACACS server. By default, a user name supported by an HWTACACS server contains the domain name. That is, the S9300 sends the user name, domain name delimiter, and domain name to the HWTACACS server for authentication.
If an HWTACACS server does not accept user names that contain the domain name, you can run the undo hwtacacs-server user-name domain-included command so that the S9300 removes the domain name before sending the user name to the HWTACACS server.
----End

1.5.9 (Optional) Setting the Traffic Unit for an HWTACACS Server


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

The traffic unit is set for an HWTACACS server. By default, the traffic is expressed in bytes on the S9300.
----End

1.5.10 (Optional) Setting HWTACACS Timers


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name

The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server timer response-timeout

The timeout interval for an HWTACACS server to send response packets is set. By default, the timeout interval is five seconds. If the S9300 receives no response from an HWTACACS server within the timeout interval, it considers the HWTACACS server unavailable and performs authentication or authorization in the other modes configured in the scheme.

Step 4 Run:
hwtacacs-server timer quiet value

The quiet interval, after which an HWTACACS server is restored to the active state, is set. By default, the primary HWTACACS server is restored to the active state after five minutes.
----End

1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet


Context
If the HWTACACS accounting mode is used, the S9300 sends an Accounting-Stop packet to the HWTACACS server after a user goes offline. If the connectivity of the network is not desirable, you can enable the function of retransmitting the Accounting-Stop packet to prevent the loss of accounting information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hwtacacs-server accounting-stop-packet resend { disable | enable number }

The function of retransmitting the Accounting-Stop packet is configured. You can enable the function and set the retransmission count, or disable the function. By default, the retransmission function is enabled and the retransmission count is 10.
----End

1.5.12 Checking the Configuration


Prerequisite
The configurations of the HWTACACS server template are complete.

Procedure
- Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.

----End

Example
After completing the configurations of the HWTACACS server template, you can run the display hwtacacs-server template [ template-name ] command to view the configuration of the template.

<Quidway> display hwtacacs-server template hhh
---------------------------------------------------------------------
HWTACACS-server template name : hhh
Primary-authentication-server : 100.1.1.2:26
Primary-authorization-server : 100.1.1.3:26
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 100.1.1.2:26
Current-authorization-server : 100.1.1.3:26
Current-accounting-server : 0.0.0.0:0
Source-IP-address : 0.0.0.0
Shared-key : lsj
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 20
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------
Total 1,1 printed
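The following Python script is an added example, not code from the Huawei guide: it parses the display output above and flags template settings a reviewer would check against the defaults stated in 1.5.3 to 1.5.7 (an unset shared key, server slots still at 0.0.0.0:0, an unpinned source address). The sample text is constructed from the display above, not captured from a device, and the function names are assumptions.

```python
"""Parse 'display hwtacacs-server template' output and flag settings worth review.

Added example, not part of the Huawei guide. The sample below is constructed
from the output shown in the guide, not captured from a live S9300.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
<Quidway> display hwtacacs-server template hhh
---------------------------------------------------------------------
HWTACACS-server template name : hhh
Primary-authentication-server : 100.1.1.2:26
Primary-authorization-server : 100.1.1.3:26
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 100.1.1.2:26
Current-authorization-server : 100.1.1.3:26
Current-accounting-server : 0.0.0.0:0
Source-IP-address : 0.0.0.0
Shared-key : lsj
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 20
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------
Total 1,1 printed
"""

# The guide's defaults: every server slot starts as 0.0.0.0 port 0, the
# source address as 0.0.0.0, and no shared key is set.
UNSET_SERVER = "0.0.0.0:0"
UNSET_SOURCE = "0.0.0.0"

# "Field-name : value"; the field name never contains a colon, so the first
# colon separates name from value even when the value is "ip:port".
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()\-]*?)\s*:\s*(.*?)\s*$")


def parse_template(text: str) -> Dict[str, str]:
    """Return the field/value pairs of one template block as a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_template(fields: Dict[str, str]) -> List[str]:
    """Return findings for a parsed template; an empty list means nothing to raise."""
    findings: List[str] = []
    # 1.5.7: the shared key is what protects S9300-to-server traffic.
    if not fields.get("Shared-key"):
        findings.append("no shared key set: traffic to the server is unprotected")
    for role in ("authentication", "authorization", "accounting"):
        primary = fields.get(f"Primary-{role}-server", UNSET_SERVER)
        secondary = fields.get(f"Secondary-{role}-server", UNSET_SERVER)
        if primary == UNSET_SERVER:
            findings.append(f"no primary {role} server configured")
        elif secondary == UNSET_SERVER:
            findings.append(f"no secondary {role} server: nothing to fall back to "
                            "when the primary does not answer within the timeout")
    # 1.5.6: with 0.0.0.0 the outgoing-interface address is used, so the
    # address the server sees depends on routing rather than on the template.
    if fields.get("Source-IP-address", UNSET_SOURCE) == UNSET_SOURCE:
        findings.append("source IP address not set: the outgoing-interface address is used")
    return findings


def audit_output(text: str) -> List[str]:
    """Parse the display output and audit it in one step."""
    return audit_template(parse_template(text))


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_OUTPUT):
        print(finding)
```

For the template above the script reports four findings: no secondary authentication server, no secondary authorization server, no primary accounting server, and an unset source address.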

1.6 Configuring a Service Scheme


This section describes how to configure a service scheme in the S9300 to store authorization information about users.
1.6.1 Establishing the Configuration Task
1.6.2 Creating a Service Scheme
1.6.3 Setting the Administrator Level
1.6.4 Configuring a DHCP Server Group
1.6.5 Configuring an Address Pool
1.6.6 Configure Primary and Secondary DNS Servers
1.6.7 Checking the Configuration

1.6.1 Establishing the Configuration Task


Applicable Environment
Access users must acquire authorization information before getting online. Authorization information about users can be managed through the service scheme.

Pre-configuration Tasks
Before configuring a service scheme, complete the following tasks:
- Creating a DHCP server group
- Creating an address pool

Data Preparation
To configure a service scheme, you need the following data.
No. Data
1 Service scheme
2 Administrator level
3 User priority
4 Name of the DHCP server group
5 Name and position of the address pool
6 IP address of the primary and secondary DNS servers

1.6.2 Creating a Service Scheme


Context
The service scheme is the aggregation of authorization information about users. After a service scheme is created, you can set attributes of users in the service scheme view.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

A service scheme is created. service-scheme-name is a string of 1 to 32 characters, excluding /, :, *, ?, <, >, and @. By default, no service scheme is configured in the S9300.
----End

1.6.3 Setting the Administrator Level


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
adminuser-priority level

The administrator is enabled to log in to the S9300 and the administrator level is set. The value of level ranges from 0 to 15. If this command is not run, the administrator level is displayed as 16, which is invalid.
----End

1.6.4 Configuring a DHCP Server Group


Prerequisite
A DHCP server group is configured. For the procedure for configuring the DHCP server group, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dhcp-server group group-name

A DHCP server group is configured.
----End

1.6.5 Configuring an Address Pool


Prerequisite
An IP address pool is configured. For the procedure for configuring an IP address pool, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
ip-pool pool-name [ move-to new-position ]

An IP address pool is configured, or the position of a configured address pool is moved.
----End

1.6.6 Configure Primary and Secondary DNS Servers


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
service-scheme service-scheme-name

The service scheme view is displayed.

Step 4 Run:
dns ip-address

The IP address of the primary DNS server is configured.

Step 5 Run:
dns ip-address secondary

The IP address of the secondary DNS server is configured.
----End

1.6.7 Checking the Configuration


Procedure
Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme.
----End

Example
Run the display service-scheme command to view all the information about the service scheme.

<Quidway> display service-scheme
-------------------------------------------------------------------
service-scheme-name scheme-index
-------------------------------------------------------------------
svcscheme1 0
svcscheme2 1
-------------------------------------------------------------------
Total of service scheme: 2

Run the display service-scheme name svcscheme1 command to view the configuration of service scheme svcscheme1.

<Quidway> display service-scheme name svcscheme1
service-scheme-name : svcscheme1
service-scheme-primary-dns :
service-scheme-secondry-dns :
service-scheme-uppriority : 0
service-scheme-downpriority : 0
service-scheme-adminlevel : 16
service-scheme-dhcpgroup :
service-scheme-flowstatup : false
service-scheme-flowstatdown : false
Idle-data-attribute(time,rate): <0,60>

1.7 Configuring a Domain


This section describes how to configure a domain on the S9300.
1.7.1 Establishing the Configuration Task
1.7.2 Creating a Domain
1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain
1.7.4 Configuring a RADIUS Server Template for a Domain
1.7.5 Configuring an HWTACACS Server Template for a Domain
1.7.6 (Optional) Configuring a Service Scheme for a Domain
1.7.7 (Optional) Setting the Status of a Domain
1.7.8 (Optional) Configuring the Domain Name Delimiter
1.7.9 Checking the Configuration

1.7.1 Establishing the Configuration Task



Applicable Environment
To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain.
NOTE

The modification of a domain takes effect next time a user logs in.

Pre-configuration Tasks
Before configuring a domain, complete the following tasks:
- Configuring authentication and authorization schemes
- Configuring a RADIUS server template if RADIUS is used in an authentication scheme
- Configuring an HWTACACS server template if HWTACACS is used in an authentication or an authorization scheme
- Configuring local user management in local authentication or authorization mode

Data Preparation
To configure a domain, you need the following data.

No. Data
1 Name of the domain
2 Names of authentication and authorization schemes of the domain
3 (Optional) Name of the RADIUS server template or the HWTACACS server template of the domain
4 (Optional) Status of the domain

1.7.2 Creating a Domain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.
The S9300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators. The S9300 supports up to 128 domains, including the two default domains.
----End

Postrequisite
After creating a domain, you can run the domain domain-name [ admin ] command in the system view to configure the domain as the global default domain. The access users whose domain names cannot be obtained are added to this domain. If you do not run the domain domain-name [ admin ] command, the S9300 adds the common users and administrators whose domain names cannot be obtained to domains default and default_admin respectively.

1.7.3 Configuring Authentication, Authorization, and Accounting Schemes for a Domain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
authentication-scheme authentication-scheme-name

An authentication scheme is configured for the domain. By default, the authentication scheme named default is used for a domain.

Step 5 Run:
authorization-scheme authorization-scheme-name

An authorization scheme is configured for the domain. By default, no authorization scheme is bound to a domain.

Step 6 Run:
accounting-scheme accounting-scheme-name

An accounting scheme is configured for the domain. By default, the accounting scheme named default is used for a domain.
----End

1.7.4 Configuring a RADIUS Server Template for a Domain


Context
If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
radius-server template-name

A RADIUS server template is configured for the domain. By default, no RADIUS server template is configured for a domain.
----End

1.7.5 Configuring an HWTACACS Server Template for a Domain


Context
If the remote HWTACACS authentication or authorization mode is used in a domain, you need to apply an HWTACACS server template to the domain.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
hwtacacs-server template-name

An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
----End

1.7.6 (Optional) Configuring a Service Scheme for a Domain


Context
Configuring a service scheme for a domain is to bind a service scheme to a domain. Users in the domain obtain service information, such as the IP address and DNS server, from the service scheme.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
service-scheme service-scheme-name

A service scheme is bound to the domain. By default, no service scheme is bound to the domain. Before binding a service scheme to a domain, you must create the service scheme.
----End

1.7.7 (Optional) Setting the Status of a Domain


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
state { active | block }

The status of the domain is set. When a domain is in blocking state, users that belong to this domain cannot log in. By default, a domain is in active state after being created.
----End

1.7.8 (Optional) Configuring the Domain Name Delimiter


Context
A user account on the S9300 consists of a user name and a domain name. The user name and domain name are separated by the domain name delimiter. For example, if the defined domain name delimiter is @, the user account of user1 in domain dom1 is user1@dom1.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain-name-delimiter delimiter

The domain name delimiter is configured. delimiter can be set to any one of \, /, :, <, >, |, @, ', and %. By default, the domain name delimiter is @.
----End

1.7.9 Checking the Configuration


Prerequisite
The configurations of the domain are complete.

Procedure
- Run the display domain [ name domain-name ] command to check the configuration of the domain.

----End

Example
After the configuration, you can run the display domain command to view the summary of all domains.

<Quidway> display domain
------------------------------------------------------------------------
DomainName index
------------------------------------------------------------------------
default 0
default_admin 1
huawei 2
------------------------------------------------------------------------
Total: 3

Run the display domain [ name domain-name ] command to view the configuration of a specified domain.

<Quidway> display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : scheme0
Accounting-scheme-name : default
Authorization-scheme-name :
Service-scheme-name :
RADIUS-server-group :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template : -

1.8 Configuring Local User Management


This section describes how to configure local user management on the S9300.
1.8.1 Establishing the Configuration Task
1.8.2 Creating a Local User
1.8.3 (Optional) Setting the Access Type of the Local User
1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
1.8.5 (Optional) Setting the Status of a Local User
1.8.6 (Optional) Setting the Level of a Local User
1.8.7 (Optional) Setting the Access Limit for a Local User
1.8.8 Checking the Configuration

1.8.1 Establishing the Configuration Task



Applicable Environment
You can create a local user on the S9300, configure attributes of the local user, and perform authentication and authorization for users logging in to the S9300 according to information about the local user.

Pre-configuration Tasks
None

Data Preparation
To configure local user management, you need the following data.

No. Data
1 User name and password
2 Access type of the local user
3 Name of the FTP directory that the local user can access
4 Status of the local user
5 Level of the local user
6 Maximum number of local access users

1.8.2 Creating a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

A local user is created. If the user name contains a domain name delimiter, such as @, |, or %, the character string before the delimiter is the user name and the character string after it is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name and the domain name is default.
----End
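The following Python model is an added example rather than code from the Huawei guide: it applies the account rules of 1.5.8, 1.7.2 and 1.7.8 together with the local-user rule above (the string before the configured delimiter is the user name, the rest is the domain; a missing domain falls back to the global default domain or to default / default_admin; undo hwtacacs-server user-name domain-included strips the domain before the name goes to the server). The function names, and the handling of an account typed without a domain while domain-included is on, are assumptions.

```python
"""Account name handling for the S9300 AAA rules described in this guide.

Added example, not Huawei's code. Function names are mine; the rules are the
guide's: 1.5.8 (domain-included), 1.7.2 (default domains), 1.7.8 (delimiters)
and 1.8.2 (local-user account format).
"""
from typing import Optional, Tuple

# Delimiters the domain-name-delimiter command accepts (1.7.8); @ is the default.
DOMAIN_DELIMITERS = frozenset("\\/:<>|@'%")
DEFAULT_DOMAIN = "default"              # common access users (1.7.2)
DEFAULT_ADMIN_DOMAIN = "default_admin"  # administrators (1.7.2)


def split_account(account: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Split an account into (user name, domain).

    The string before the first delimiter is the user name and the string
    after it is the domain; with no delimiter the whole string is the user
    name and the domain is None (1.8.2).
    """
    if delimiter not in DOMAIN_DELIMITERS:
        raise ValueError(f"{delimiter!r} is not a valid domain name delimiter")
    if delimiter not in account:
        return account, None
    user, _, domain = account.partition(delimiter)
    return user, domain


def resolve_domain(account: str, delimiter: str = "@", admin: bool = False,
                   global_default: Optional[str] = None) -> Tuple[str, str]:
    """Return (user name, domain the user is placed in).

    A domain given in the account wins. Otherwise the user goes to the global
    default domain if one was set with 'domain domain-name [ admin ]', else to
    default (common users) or default_admin (administrators) (1.7.2).
    An account that ends in the delimiter (empty domain) is treated as having
    no domain; that detail is an assumption.
    """
    user, domain = split_account(account, delimiter)
    if domain:
        return user, domain
    if global_default is not None:
        return user, global_default
    return user, DEFAULT_ADMIN_DOMAIN if admin else DEFAULT_DOMAIN


def name_sent_to_hwtacacs(account: str, delimiter: str = "@",
                          domain_included: bool = True) -> str:
    """Name the S9300 sends to the HWTACACS server (1.5.8).

    By default the user name, delimiter and domain name are all sent. After
    'undo hwtacacs-server user-name domain-included' only the user name is
    sent. An account typed without a domain is assumed to be sent as typed.
    """
    user, domain = split_account(account, delimiter)
    if domain_included or domain is None:
        return account
    return user


if __name__ == "__main__":
    # Constructed accounts, as typed by users; not taken from a device.
    for acct, delim in (("user1@dom1", "@"), ("user1", "@"), ("ops/huawei", "/")):
        print(acct, "->", resolve_domain(acct, delim),
              "sent:", name_sent_to_hwtacacs(acct, delim, domain_included=False))
```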

1.8.3 (Optional) Setting the Access Type of the Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { 8021x | bind | ftp | ssh | telnet | web }*

The access type of the local user is set. By default, a local user can use all access types. A user can log in successfully only when its access type matches the specified access type.
----End

1.8.4 (Optional) Configuring the FTP Directory That a Local User Can Access
Context
NOTE

If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can access; otherwise, the FTP user cannot log in.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The FTP directory that a local user can access is configured. By default, the FTP directory that a local user can access is null.
----End

1.8.5 (Optional) Setting the Status of a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The status of a local user is set. By default, a local user is in active state. The S9300 processes a local user in active or blocking state as follows:
- If the local user is in active state, the S9300 receives the authentication request of this user for further processing.
- If the local user is in blocking state, the S9300 rejects the authentication request of this user.

----End

1.8.6 (Optional) Setting the Level of a Local User


Context
After the level of a local user is set, the login user can run the command only when the level is equal to or higher than the command level. Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name level level

The level of a local user is set.
By default, the level of a local user is determined by the management module. For example, there is a user level in the user interface view. If a user level is not set, the user level is 0.
NOTE

You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference.

----End

1.8.7 (Optional) Setting the Access Limit for a Local User


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit max-number

The maximum number of online local users is set. By default, the number of access users with the same user name is not restricted on the S9300.
----End

1.8.8 Checking the Configuration


Prerequisite
The configurations of the local user are complete.

Procedure
- Run the display local-user [ username user-name ] command to check the attributes of the local user.

----End

Example
After completing the configuration of local user management, you can run the display local-user command to view brief information about the attributes of the local user.

<Quidway> display local-user
----------------------------------------------------------------------------
No. User-Name State AuthMask AdminLevel
----------------------------------------------------------------------------
0 lsj A A -
----------------------------------------------------------------------------
Total 1 user(s)

Run the display local-user [ username user-name ] command to view detailed information about a specified user.

<Quidway> display local-user username lsj
The contents of local user :
Password : hello
State : Active
Auth-Type-Mask : A
Admin-level :
Idle-Cut : No
FTP-directory :
Access-Limit :No
Accessed-Num :0

1.9 Maintaining AAA and User Management


This section describes how to maintain AAA and user management.
1.9.1 Clearing the Statistics
1.9.2 Monitoring the Running Status of AAA
1.9.3 Debugging

1.9.1 Clearing the Statistics


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Run the following command in the user view to clear the statistics.

Procedure
• Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command to clear the statistics on the HWTACACS server.

----End

1.9.2 Monitoring the Running Status of AAA


Procedure
Step 1 Run the display aaa configuration command to view AAA running information.
----End

Example
Run the display aaa configuration command to view AAA running information.
<Quidway> display aaa configuration
Domain Name Delimiter : @
Domain                : total: 128  used: 5
Authentication-scheme : total: 128  used: 1
Accounting-scheme     : total: 128  used: 3
Authorization-scheme  : total: 128  used: 1
Service-scheme        : total: 128  used: 0

1.9.3 Debugging
Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.

Procedure
• Run the debugging radius packet command to debug RADIUS packets.
• Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command to debug HWTACACS.

----End

1.10 Configuration Examples


This section provides several configuration examples of AAA and user management.
1.10.1 Example for Configuring RADIUS Authentication and Accounting
1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization

1.10.1 Example for Configuring RADIUS Authentication and Accounting


Networking Requirements
As shown in Figure 1-1, users access the network through S9300-A and are located in the domain huawei. S9300-B acts as the network access server of the destination network. The access request of a user needs to pass through the networks of S9300-A and S9300-B to reach the authentication server. The user can access the destination network through S9300-B after passing the remote authentication. The remote authentication mode on S9300-B is as follows:
• The RADIUS server performs authentication and accounting for access users.
• The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting
[Figure: users in domain huawei connect to S9300-A, which reaches S9300-B across the network; S9300-B connects to the RADIUS servers 129.7.66.66/24 and 129.7.66.67/24 and to the destination network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure the authentication and accounting schemes.
3. Apply the RADIUS server template and the authentication and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
• Name of the domain that a user belongs to
• Name of the RADIUS server template
• Name of the authentication scheme, authentication mode, name of the accounting scheme, and accounting mode
• IP addresses, authentication and accounting port numbers of the primary and secondary RADIUS servers
• Key and retransmission times of the RADIUS server

NOTE
The following configurations are performed on S9300-B.

Procedure
Step 1 Configure a RADIUS server template.
# Configure the RADIUS server template named shiva.
<Quidway> system-view
[Quidway] radius-server template shiva

# Configure the IP addresses and port numbers of the primary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.66 1812
[Quidway-radius-shiva] radius-server accounting 129.7.66.66 1813

# Set the IP addresses and port numbers of the secondary RADIUS authentication and accounting servers.
[Quidway-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[Quidway-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Set the shared key and the retransmission count for the RADIUS server.
[Quidway-radius-shiva] radius-server shared-key cipher hello
[Quidway-radius-shiva] radius-server retransmit 2
[Quidway-radius-shiva] quit

Step 2 Configure the authentication and accounting schemes.
# Configure authentication scheme 1, with the authentication mode being RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme 1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

# Configure accounting scheme 1, with the accounting mode being RADIUS.
[Quidway-aaa] accounting-scheme 1
[Quidway-aaa-accounting-1] accounting-mode radius
[Quidway-aaa-accounting-1] quit

Step 3 Configure the domain huawei and apply authentication scheme 1, accounting scheme 1, and the RADIUS server template shiva to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme 1
[Quidway-aaa-domain-huawei] accounting-scheme 1
[Quidway-aaa-domain-huawei] radius-server shiva

Step 4 Verify the configuration.
Run the display radius-server configuration template command on S9300-B. The output shows that the configuration of the RADIUS server template meets the requirements.
<Quidway> display radius-server configuration template shiva
-------------------------------------------------------------------
Server-template-name            : shiva
Protocol-version                : standard
Traffic-unit                    : B
Shared-secret-key               : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Timeout-interval(in second)     : 5
Primary-authentication-server   : 129.7.66.66; 1812; LoopBack:NULL
Primary-accounting-server       : 129.7.66.66; 1813; LoopBack:NULL
Secondary-authentication-server : 129.7.66.67; 1812; LoopBack:NULL
Secondary-accounting-server     : 129.7.66.67; 1813; LoopBack:NULL
Retransmission                  : 2
Domain-included                 : YES
-------------------------------------------------------------------
----End

Configuration Files
#
 sysname Quidway
#
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 domain default
 domain default_admin
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return
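The shared key and the 1812/1813 ports configured in the template above are the only things that bind S9300-B to its RADIUS servers, so it helps to see what the key does on the wire. The following added example (not code from the Huawei guide or from the S9300) builds the Access-Request and Accounting-Request packets that RFC 2865 and RFC 2866 define, hides the User-Password with the shared key, and verifies a server's reply the way a NAS does; a reply produced with a key that differs from the template's fails the check, which is the usual symptom of a key mismatch between the switch and the server. Names, the user, the NAS address and the fixed authenticator used in the test are constructed; there is no network I/O.

```python
"""RADIUS request/response framing with the shared key (RFC 2865/2866).

Added example, not code from the Huawei guide. It shows what the shared key
configured in a radius-server template does: it hides User-Password in the
Access-Request, signs Accounting-Request packets, and lets the client check
every reply. All values are constructed; nothing is sent on the network.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

# Packet codes and attribute types from RFC 2865/2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 2, 4, 40
AUTH_PORT, ACCT_PORT = 1812, 1813  # the defaults used in the guide's example


def encode_attr(attr_type, value):
    """One TLV attribute: Type(1) Length(1, header included) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, 2 + len(value))) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, size, 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """The server-side inverse of hide_password (same chain; XOR is its own inverse)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # passwords with trailing NUL bytes are not representable


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request: Code ID Length RequestAuthenticator(16 random bytes) Attributes."""
    request_auth = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_accounting_request(identifier, username, secret, status_type):
    """Accounting-Request: Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+secret)."""
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_request(packet, secret):
    """Server-side check of an Accounting-Request authenticator."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=b""):
    """What a server sends back: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request, secret):
    """Client-side check: a reply signed with a different key, or for another ID, is rejected."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:  # must answer the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The retransmit count set in the template applies to these same UDP datagrams: an unanswered Access-Request is repeated that many times before the switch moves to the secondary server. Note that MD5-based hiding and signing is what the standard RADIUS protocol the template uses provides; it protects the password only against casual observation, which is why the RADIUS servers should sit on a management network rather than the user-facing one.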

1.10.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization


Networking Requirements
As shown in Figure 1-2:
• Access users are first authenticated locally. If local authentication fails, the HWTACACS server is used to authenticate access users.
• HWTACACS authentication is required before the level of access users is promoted. If the HWTACACS server does not respond, local authentication is performed.
• HWTACACS authorization is performed for access users.
• All access users need to be charged. Interim accounting is performed every 3 minutes.
• The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary HWTACACS server is 129.7.66.67/24. The port number of the server for authentication, accounting, and authorization is 49.

Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization
[Figure: users in domain huawei connect to S9300-A, which reaches S9300-B across the network; S9300-B connects to the HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24 and to the destination network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template and the authentication, authorization, and accounting schemes to the domain.

Data Preparation
To complete the configuration, you need the following data:
• Name of the domain that the user belongs to
• Name of the HWTACACS server template
• Name of the authentication scheme, authentication mode, name of the authorization scheme, authorization mode, name of the accounting scheme, and accounting mode
• IP addresses, authentication port numbers, authorization port numbers, and accounting port numbers of the primary and secondary HWTACACS servers
• Key of the HWTACACS server

NOTE
The following configurations are performed on S9300-B.

Procedure
Step 1 Configure an HWTACACS server template.
# Configure an HWTACACS server template named ht.
<Quidway> system-view
[Quidway] hwtacacs-server template ht

# Configure the IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49

# Configure the IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting.
[Quidway-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[Quidway-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[Quidway-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[Quidway-hwtacacs-ht] quit

Step 2 Configure the authentication, authorization, and accounting schemes.
# Create the authentication scheme l-h and set the authentication mode to local-HWTACACS, that is, the system performs local authentication first and then HWTACACS authentication. HWTACACS authentication supersedes local authentication when the level of a user is promoted.
[Quidway] aaa
[Quidway-aaa] authentication-scheme l-h
[Quidway-aaa-authen-l-h] authentication-mode local hwtacacs
[Quidway-aaa-authen-l-h] authentication-super hwtacacs super
[Quidway-aaa-authen-l-h] quit

# Create the authorization scheme hwtacacs and set the authorization mode to HWTACACS.
[Quidway-aaa] authorization-scheme hwtacacs
[Quidway-aaa-author-hwtacacs] authorization-mode hwtacacs
[Quidway-aaa-author-hwtacacs] quit

# Create the accounting scheme hwtacacs and set the accounting mode to HWTACACS.
[Quidway-aaa] accounting-scheme hwtacacs
[Quidway-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of interim accounting to 3 minutes.
[Quidway-aaa-accounting-hwtacacs] accounting realtime 3
[Quidway-aaa-accounting-hwtacacs] quit

Step 3 Create the domain huawei and apply the authentication scheme l-h, the authorization scheme hwtacacs, the accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[Quidway-aaa] domain huawei
[Quidway-aaa-domain-huawei] authentication-scheme l-h
[Quidway-aaa-domain-huawei] authorization-scheme hwtacacs
[Quidway-aaa-domain-huawei] accounting-scheme hwtacacs
[Quidway-aaa-domain-huawei] hwtacacs-server ht
[Quidway-aaa-domain-huawei] quit
[Quidway-aaa] quit

Step 4 Verify the configuration.
Run the display hwtacacs-server template command on S9300-B. The output shows that the configuration of the HWTACACS server template meets the requirements.
<Quidway> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template index   : 0
HWTACACS-server template name    : ht
Primary-authentication-server    : 129.7.66.66:49
Primary-authorization-server     : 129.7.66.66:49
Primary-accounting-server        : 129.7.66.66:49
Secondary-authentication-server  : 129.7.66.67:49
Secondary-authorization-server   : 129.7.66.67:49
Secondary-accounting-server      : 129.7.66.67:49
Current-authentication-server    : 129.7.66.66:49
Current-authorization-server     : 129.7.66.66:49
Current-accounting-server        : 129.7.66.66:49
Source-IP-address                : 0.0.0.0
Shared-key                       : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
---------------------------------------------------------------------------

Run the display domain command on S9300-B. The output shows that the configuration of the domain meets the requirements.
<Quidway> display domain name huawei
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : l-h
Accounting-scheme-name       : hwtacacs
Authorization-scheme-name    : hwtacacs
Service-scheme-name          :
RADIUS-server-group          :
Accounting-copy-RADIUS-group :
Hwtacacs-server-template     : ht

----End

Configuration Files
#
 sysname Quidway
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain default
 domain default_admin
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
return
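Both configuration examples (1.10.1 for RADIUS, 1.10.2 for HWTACACS) end with a saved configuration whose correctness depends on cross-references: the domain must name schemes that exist, a scheme whose mode is radius or hwtacacs is useless unless the domain also applies a template of that kind, and each template should carry a shared key and a secondary server for every service. The following added example (not code from the Huawei guide) parses the saved configuration by its indentation and reports any of those gaps. The two embedded configuration texts are trimmed copies of the ones printed above (default schemes and domains omitted); the check rules are mine.

```python
"""Audit S9300 AAA configuration for the bindings the two examples require.

Added example, not from the Huawei guide. The two configuration files below are
trimmed copies of the ones printed under 'Configuration Files' (default schemes
and domains omitted); the parser is mine and relies only on the indentation the
saved configuration uses.
"""
RADIUS_CONFIG = """\
radius-server template shiva
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
aaa
 authentication-scheme 1
  authentication-mode radius
 accounting-scheme 1
  accounting-mode radius
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
"""
HWTACACS_CONFIG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66
 hwtacacs-server authentication 129.7.66.67 secondary
 hwtacacs-server authorization 129.7.66.66
 hwtacacs-server authorization 129.7.66.67 secondary
 hwtacacs-server accounting 129.7.66.66
 hwtacacs-server accounting 129.7.66.67 secondary
 hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
aaa
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
"""


def parse_config(text):
    """Split the saved config into server templates, AAA schemes and domains (lists of word lists)."""
    cfg = {"radius": {}, "hwtacacs": {}, "domains": {},
           "schemes": {"authentication": {}, "authorization": {}, "accounting": {}}}
    section = block = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words == ["#"]:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # top-level view: a server template, the aaa view, or something else
            block = None
            if words[:2] in (["radius-server", "template"], ["hwtacacs-server", "template"]):
                section = (words[0].split("-")[0], words[2])
                cfg[section[0]][section[1]] = []
            else:
                section = ("aaa", None) if words == ["aaa"] else None
        elif section and section[0] != "aaa":
            cfg[section[0]][section[1]].append(words)
        elif section and indent == 1:  # a scheme or domain header inside the aaa view
            cat = words[0].rsplit("-scheme", 1)[0]
            if words[0].endswith("-scheme") and cat in cfg["schemes"]:
                block = cfg["schemes"][cat].setdefault(words[1], [])
            elif words[0] == "domain":
                block = cfg["domains"].setdefault(words[1], [])
            else:
                block = None
        elif block is not None:
            block.append(words)
    return cfg


def audit_template(cfg, kind, name):
    """A template needs a shared key and a primary plus a secondary server per service."""
    lines = cfg[kind].get(name)
    if lines is None:
        return [f"{kind}-server template {name} not configured"]
    services = ["authentication", "accounting"] + (["authorization"] if kind == "hwtacacs" else [])
    findings = [] if any(w[1:2] == ["shared-key"] for w in lines) else ["no shared-key"]
    for svc in services:
        entries = [w for w in lines if w[1:2] == [svc]]
        if not entries:
            findings.append(f"no {svc} server")
        elif not any(w[-1] == "secondary" for w in entries):
            findings.append(f"no secondary {svc} server")
    return findings


def audit_domain(cfg, domain):
    """The domain must bind existing schemes and the template those schemes' modes require."""
    lines = cfg["domains"].get(domain)
    if lines is None:
        return [f"domain {domain} not configured"]
    bound = {w[0]: w[1] for w in lines if len(w) > 1}
    findings, modes = [], set()
    for cat in cfg["schemes"]:
        name = bound.get(f"{cat}-scheme")
        if name is None:
            if cat != "authorization":  # authorization is optional; the RADIUS example binds none
                findings.append(f"no {cat}-scheme applied")
        elif name not in cfg["schemes"][cat]:
            findings.append(f"{cat}-scheme {name} does not exist")
        else:
            modes.update(x for w in cfg["schemes"][cat][name] if w[0] == f"{cat}-mode" for x in w[1:])
    for kind in ("radius", "hwtacacs"):
        tpl = bound.get(f"{kind}-server")
        if kind in modes and tpl is None:
            findings.append(f"a scheme uses {kind} but no {kind}-server template is applied")
        elif kind in modes:
            findings += [f"{kind} template {tpl}: {f}" for f in audit_template(cfg, kind, tpl)]
    return findings


def audit_config(text, domain):
    """Parse and audit one saved configuration for one domain; an empty list means it passes."""
    return audit_domain(parse_config(text), domain)
```

Run it against the output of display current-configuration saved to a file; it reports nothing for the two examples above, and names the missing piece when, for instance, the radius-server shiva line is dropped from the domain or the secondary accounting server is left out of the template.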


2 NAC Configuration

About This Chapter

This chapter describes the working principle and configuration of network access control (NAC).
2.1 Introduction to NAC
This section describes the working principle of NAC.
2.2 NAC Features Supported by the S9300
This section describes the NAC features supported by the S9300.
2.3 Configuring Web Authentication
This section describes how to configure the Web authentication function.
2.4 Configuring 802.1x Authentication
This section describes how to configure the 802.1x authentication function.
2.5 Configuring MAC Address Authentication
This section describes how to configure the MAC address authentication function.
2.6 Maintaining NAC
This section describes how to clear statistics about NAC and debug NAC.
2.7 Configuration Examples
This section provides several configuration examples of NAC.

2.1 Introduction to NAC

This section describes the working principle of NAC.
Traditional network security technologies focus on the threat brought by external computers rather than the threat brought by internal computers. In addition, current network devices cannot prevent attacks initiated by internal devices on the network. Network Access Control (NAC) is an architecture of secure access built on the end-to-end security concept. NAC considers internal network security from the perspective of user terminals rather than network devices.

Figure 2-1 Typical networking of NAC
[Figure: a user connects to the NAD (S9300), which works with the ACS; on the ACS side are the remediation server, AAA server, directory server, and PVS & audit server.]

As shown in Figure 2-1, NAC, as a controlling scheme for network security access, includes the following parts:
• User: Access users who need to be authenticated. If 802.1x is adopted for user authentication, users need to install client software.
• NAD: Network access devices, including routers and switches (hereinafter referred to as the S9300), which are used to authenticate and authorize users. The NAD needs to work with the AAA server to prevent unauthorized terminals from accessing the network, minimize the threat brought by insecure terminals, prevent unauthorized access requests from authorized terminals, and thus protect core resources.
• ACS: Access control server that is used to check terminal security and health, manage policies and user behaviors, audit rule violations, strengthen behavior audit, and prevent malicious damage from terminals.

2.1.1 Web Authentication
2.1.2 802.1x Authentication
2.1.3 MAC Address Authentication

2.1.1 Web Authentication


Web authentication is also called Portal authentication. When opening a browser for the first time and entering a URL, users are forcibly redirected to the authentication page of the Web server. Users can access network resources only after passing the authentication. Users that do not pass the authentication can only access the specified site server. When a user enters a user name and password on the Web page, the Portal protocol is used to authenticate the user. This process is Web authentication.
The Portal protocol enables Web servers to communicate with other devices. The Portal protocol is based on the client/server model and uses the User Datagram Protocol (UDP) as the transmission protocol. In Web authentication, the Web authentication server and the S9300 communicate with each other through the Portal protocol. In this case, the S9300 functions as the client. After obtaining the user name and password entered by the user on the authentication page, the Web authentication server transfers them to the S9300 through the Portal protocol.

2.1.2 802.1x Authentication


The IEEE 802.1x standard (hereinafter referred to as 802.1x) is an interface-based network access control protocol. Interface-based network access control is used to authenticate and control access devices on an interface of a LAN access control device. User devices connected to the interface can access the resources on the LAN only after they pass the authentication.
802.1x focuses on the status of the access interface only. When an authorized user accesses the network by sending the user name and password, the interface is open. When an unauthorized user or no user accesses the network, the interface is closed. The authentication result is reflected by the status of the interface. The IP address negotiation and allocation that are considered in common authentication technologies are not involved. Therefore, 802.1x authentication is the simplest implementation scheme among the authentication technologies.
802.1x supports the authentication mode based on the access interface and the authentication mode based on the MAC address.
• Authentication mode based on the access interface: Other users can access network resources without authentication after the first user under the interface is successfully authenticated, but the other users are disconnected when the first user goes offline.
• Authentication mode based on the MAC address: Each access user under the interface needs to be authenticated.

802.1x supports the following authentication modes:
• EAP termination mode: The network access device terminates EAP packets, obtains the user name and password from the packets, encrypts the password, and sends the user name and password to the AAA server for authentication.
• EAP transparent transmission authentication: Also called EAP relay authentication. The network access device directly encapsulates authentication information about 802.1x users and EAP packets into the attribute field of RADIUS packets and sends them to the RADIUS server. Therefore, the EAP packets do not need to be converted to RADIUS packets before they are sent to the RADIUS server.
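The two modes differ in how much of the EAP exchange the S9300 (the NAD) has to understand. The following added example (not code from the Huawei guide or from the S9300 software) decodes an EAPOL frame from the supplicant and shows both choices: in termination mode the NAD parses the EAP-Response/Identity itself and hands the identity to AAA; in relay mode it leaves the EAP packet untouched and splits it into RADIUS EAP-Message attributes (type 79, RFC 3579) for the RADIUS server to process. The frames and the user name are constructed; the action names returned by nad_action are mine, not device terminology.

```python
"""EAPOL/EAP decoding as a NAD sees it, in termination and relay mode.

Added example, not from the Huawei guide. Frame layouts follow IEEE 802.1X
(EAPOL) and RFC 3748 (EAP); EAP-Message is RADIUS attribute 79 (RFC 3579).
All frames are constructed; the action names are this example's own.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # destination of supplicant EAPOL frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79


def build_eapol(src_mac, eapol_type, body=b"", version=1):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, eapol_type, len(body)) + body


def build_eap_response_identity(identifier, identity):
    """EAP: Code=2 (Response), Identifier, Length, Type=1 (Identity), identity bytes."""
    return struct.pack("!BBHB", 2, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def parse_eap(pkt):
    """Decode the EAP header and, for Identity responses, the user name."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type byte
        eap["type"], eap["data"] = pkt[4], pkt[5:length]
    if eap["type"] == EAP_TYPE_IDENTITY:
        eap["identity"] = eap["data"].decode("utf-8", "replace")
    return eap


def parse_eapol(frame):
    """Decode an EAPOL frame; the EAP body is decoded only for type 0 (EAP-Packet)."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    ethertype, version, etype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("truncated EAPOL body")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "version": version,
            "type": EAPOL_TYPES.get(etype, etype), "body": body, "eap": None}
    if etype == 0:
        info["eap"] = parse_eap(body)
    return info


def relay_eap_to_radius_attrs(eap_packet):
    """EAP relay: carry the untouched EAP packet in EAP-Message attributes of at most 253 bytes each."""
    chunks = (eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253))
    return b"".join(bytes((RADIUS_ATTR_EAP_MESSAGE, 2 + len(c))) + c for c in chunks)


def nad_action(frame, mode="termination"):
    """What the NAD does with a supplicant frame in termination mode versus relay mode."""
    info = parse_eapol(frame)
    if info["type"] == "EAPOL-Start":
        return ("send-eap-request-identity", None)
    if info["type"] == "EAPOL-Logoff":
        return ("unauthorize-port", None)
    if info["type"] != "EAP-Packet":
        return ("ignore", None)
    if mode == "relay":  # the NAD never interprets the EAP content
        return ("forward-eap-message-to-radius", relay_eap_to_radius_attrs(info["body"]))
    eap = info["eap"]  # termination: the NAD extracts the identity and drives AAA itself
    if eap["type"] == EAP_TYPE_IDENTITY:
        return ("authenticate-identity-via-aaa", eap["identity"])
    return ("continue-eap-exchange", eap)
```

The practical consequence for the choice of mode is visible in nad_action: in relay mode the RADIUS server must implement the EAP method the supplicant uses, while in termination mode the S9300 must, and only the termination path ever handles the password on the switch.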

2.1.3 MAC Address Authentication


MAC address authentication is an authentication method that controls the network access authority of a user based on the interface and MAC address. No client software needs to be installed. The user name and password are the MAC address of the user device. After detecting the MAC address of a user for the first time, the device starts authenticating the user.
In MAC bypass authentication, the device first triggers 802.1x authentication to authenticate the user. If 802.1x authentication is not performed for a long time, the device sends the MAC address of the user, which is considered to be the user name and password of the user, to the AAA server for authentication.

2.2 NAC Features Supported by the S9300


This section describes the NAC features supported by the S9300.
Functioning as the network access device (NAD), the S9300 supports the following NAC features:
• 802.1x authentication based on the port
• 802.1x authentication based on the MAC address
• EAPOL termination authentication
• EAPOL transparent transmission authentication
• MAC address authentication
• MAC bypass authentication
• Web authentication

2.3 Configuring Web Authentication


This section describes how to configure the Web authentication function.
2.3.1 Establishing the Configuration Task
2.3.2 Configuring the Web Authentication Server
2.3.3 Binding the Web Authentication Server to the Interface
2.3.4 Configuring the Free Rule for Web Authentication
2.3.5 (Optional) Configuring the Web Authentication Policy
2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
2.3.7 (Optional) Setting the Version of the Portal Protocol Packets
2.3.8 Checking the Configuration

2.3.1 Establishing the Configuration Task


Applicable Environment
The Web authentication can be configured for users who cannot install client software. Such users can enter the user names and passwords in the Internet Web Browser for authentication.

Pre-configuration Tasks
Web authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring Web authentication, complete the following tasks:
• Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the user
• Configuring the user name and password on the RADIUS server if RADIUS authentication is used
• Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
To configure Web authentication, you need the following data.
No.  Data
1    Name, IP address, and URL of the Web server
2    Version number and listening port number of the Portal protocol
3    Authentication-free rule ID

2.3.2 Configuring the Web Authentication Server


Context
To perform Web authentication for users, you must configure the Web authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server server-name ip-address [ port port-number [ all ] ] [ shared-key { cipher | simple } key-string ] [ url url-string ]

The Web authentication server is configured. Up to 16 Web authentication servers can be configured.
----End

2.3.3 Binding the Web Authentication Server to the Interface


Context
After the Web authentication server is bound to the VLANIF interface, Web authentication can be performed for all the access users under the VLANIF interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. Currently, the S9300 can perform Web authentication for users only through VLANIF interfaces.

Step 3 Run:
web-auth-server server-name

The Web authentication server is bound to the VLANIF interface. You must configure a Web authentication server in the system view first and then bind the server to the interface by its server name in the interface view.
----End

2.3.4 Configuring the Free Rule for Web Authentication


Context
You need to configure the free rule in the following situations:
• After opening the HTTP browser, the user is forcibly redirected to the authentication page of the Web authentication server. The free rule is mandatory if Web authentication is adopted.
• Some special users need to access certain resources when they fail to pass the authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*

The free rule is configured. When a free rule is configured for Web authentication users, user packets matching the rule can be forwarded before Web authentication. Therefore, users that have not passed Web authentication possess certain access authority.
----End
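Because a free rule grants access before authentication, it pays to be precise about what each rule lets through and to confirm that the mandatory rule (the one that lets an unauthenticated browser reach the Web authentication server at all) is present. The following added example (not code from the Huawei guide) models the portal free-rule keywords above (destination ip/mask or any; source ip/mask, vlan, interface or any), evaluates a set of rules against constructed packets from a user who has not yet authenticated, and checks that the Web authentication server is reachable under a source-any rule. The treatment of non-matching packets (HTTP redirected to the portal, everything else dropped) is a simplified model of the behaviour the section describes, not a statement of the S9300's exact forwarding logic; the rule set and the packets are constructed, and the server address 100.1.1.114 is the one shown in the display web-auth-server output later in this section.

```python
"""Model of portal free-rule matching for users who have not passed Web authentication.

Added example, not from the Huawei guide. It mirrors the keywords of the
'portal free-rule' command and evaluates constructed packets against a
constructed rule set; the redirect/drop outcome is a simplified model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FreeRule:
    rule_id: int
    dest: Optional[ipaddress.IPv4Network] = None      # None means "destination any"
    src: Optional[ipaddress.IPv4Network] = None       # None means "source ip any"
    src_vlan: Optional[int] = None                    # "source vlan vlan-id"
    src_interface: Optional[str] = None               # "source interface ..."


def rule_from_cli(rule_id, destination="any", source_ip="any", source_vlan=None, source_interface=None):
    """Build a rule from the command's keyword values ('any' or 'address/mask-length')."""
    dest = None if destination == "any" else ipaddress.IPv4Network(destination, strict=False)
    src = None if source_ip == "any" else ipaddress.IPv4Network(source_ip, strict=False)
    return FreeRule(rule_id, dest, src, source_vlan, source_interface)


def rule_matches(rule, pkt):
    """All specified source conditions and the destination condition must hold."""
    if rule.dest is not None and ipaddress.IPv4Address(pkt["dst_ip"]) not in rule.dest:
        return False
    if rule.src is not None and ipaddress.IPv4Address(pkt["src_ip"]) not in rule.src:
        return False
    if rule.src_vlan is not None and pkt.get("vlan") != rule.src_vlan:
        return False
    if rule.src_interface is not None and pkt.get("interface") != rule.src_interface:
        return False
    return True


def decide_unauthenticated(rules, pkt):
    """Forward on the first matching rule; otherwise redirect HTTP to the portal, drop the rest."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return ("forward", rule.rule_id)
    if pkt.get("proto") == "tcp" and pkt.get("dst_port") == 80:
        return ("redirect-to-portal", None)
    return ("drop", None)


def portal_reachable(rules, web_auth_server_ip):
    """The mandatory rule: a source-any rule whose destination covers the Web authentication server."""
    probe = {"src_ip": "0.0.0.0", "dst_ip": web_auth_server_ip}
    return any(r.src is None and r.src_vlan is None and r.src_interface is None and rule_matches(r, probe)
               for r in rules)


# Constructed rule set: rule 1 is the mandatory one, rule 2 opens an internal
# block (10/8) to VLAN 10 only, as the second situation in the text describes.
WEB_AUTH_SERVER = "100.1.1.114"
SAMPLE_RULES = [
    rule_from_cli(1, destination="100.1.1.114/32"),
    rule_from_cli(2, destination="10.0.0.0/8", source_vlan=10),
]

if __name__ == "__main__":
    pkt = {"src_ip": "192.168.1.5", "dst_ip": "10.1.1.1", "vlan": 20, "proto": "tcp", "dst_port": 80}
    print(decide_unauthenticated(SAMPLE_RULES, pkt), portal_reachable(SAMPLE_RULES, WEB_AUTH_SERVER))
```

When reviewing a live rule set, look in particular for destination any with source any, which removes the authentication requirement entirely for the matched traffic.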

2.3.5 (Optional) Configuring the Web Authentication Policy



Context
When the RADIUS server is adopted to authenticate users, do as follows if the user authentication information returned by the RADIUS server needs to be sent to the Web authentication server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server reply-message

The device is configured to send the reply message for user authentication to the Web authentication server. By default, the S9300 sends the reply message for user authentication to the Web authentication server.
----End

2.3.6 (Optional) Setting the Port that Listens to the Portal Packets
Context
Do as follows to configure the port number for the S9300 to receive portal packets when the S9300 communicates with the Web server. The port number must be consistent with the destination port number contained in the packets sent by the Web authentication server and is globally unique.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server listening-port port-number

The port number that listens to Portal packets is configured. By default, the port number that listens to Portal packets is 2000.
----End

2.3.7 (Optional) Setting the Version of the Portal Protocol Packets


Context
When the S9300 communicates with the Web authentication server by using the Portal protocol, the version numbers of the Portal protocol used by the S9300 and by the Web authentication server must be the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
web-auth-server version v2 [ v1 ]

The version of the Portal protocol is set. By default, the two versions coexist. If version 1 is not selected, only version 2 is in use.
----End

2.3.8 Checking the Configuration


Context
The configurations of Web authentication are complete.

Procedure
• Run the display web-auth-server configuration command to view the configuration of a Web authentication server.

----End

Example
# View the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
Listening port        : 2000
Portal                : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name  : servera
IP-address            : 100.1.1.114
Shared-key            :
Port / PortFlag       : 10 / NO
URL                   :
------------------------------------------------------------------------
1 Web authentication server(s) in total

2.4 Configuring 802.1x Authentication


This section describes how to configure the 802.1x authentication function.
2.4.1 Establishing the Configuration Task
2.4.2 Enabling Global 802.1x Authentication
2.4.3 Enabling 802.1x Authentication on an Interface
2.4.4 (Optional) Enabling MAC Bypass Authentication
2.4.5 Setting the Authentication Method for the 802.1x User
2.4.6 (Optional) Configuring the Interface Access Mode
2.4.7 (Optional) Configuring the Authorization Status of an Interface
2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication
2.4.10 (Optional) Configuring 802.1x Timers
2.4.11 (Optional) Configuring the Quiet Timer Function
2.4.12 (Optional) Configuring the 802.1x Re-authentication
2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication
2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request
2.4.16 Checking the Configuration

2.4.1 Establishing the Configuration Task


Applicable Environment
You can configure 802.1x to implement port-based network access control, that is, to authenticate and control access devices on an interface of a LAN access control device.

Pre-configuration Tasks
802.1x authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1x authentication, complete the following tasks:
• Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user
• Configuring the user name and password on the RADIUS server if RADIUS authentication is used
• Adding the user name and password manually on the S9300 if local authentication is used

Data Preparation
None.

2.4.2 Enabling Global 802.1x Authentication


Context
Before the configuration of 802.1x authentication, 802.1x needs to be globally enabled first.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dot1x

802.1x authentication is globally enabled. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled globally. By default, 802.1x authentication is disabled.
----End

2.4.3 Enabling 802.1x Authentication on an Interface


Context

CAUTION
If 802.1x is enabled on the interface, MAC address authentication or direct authentication cannot be enabled on the interface. If MAC address authentication or direct authentication is enabled on the interface, 802.1x cannot be enabled on the interface.

You can enable 802.1x on an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     802.1x authentication is enabled on the interfaces. You can enable the 802.1x function on interfaces in batches by specifying the interface list in the dot1x command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x

     802.1x authentication is enabled on the interface. You can run the undo dot1x command only when no online user exists.
----End

2.4.4 (Optional) Enabling MAC Bypass Authentication


Context
The 802.1x client software cannot be installed or used on some special terminals, such as printers. In this case, MAC bypass authentication can be adopted. If 802.1x authentication of the terminal fails, the access device sends the MAC address of the terminal as the user name and password to the RADIUS server for authentication. This process is MAC address bypass authentication. You can configure MAC address bypass authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     MAC bypass authentication is enabled on the interfaces. You can configure MAC address bypass authentication on interfaces in batches by specifying the interface list in the dot1x mac-bypass command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x mac-bypass enable

     MAC address bypass authentication is enabled on the interface. After you run the dot1x mac-bypass enable command, the commands that enable 802.1x authentication on the interface are overwritten. The details are as follows:
     - If 802.1x authentication is disabled on the interface, 802.1x authentication is enabled after you run the dot1x mac-bypass enable command.
     - If 802.1x authentication has been enabled, the authentication mode on the interface is changed from 802.1x authentication to MAC address bypass authentication after you run the dot1x mac-bypass enable command.

     To disable MAC address bypass authentication, run the undo dot1x command. Note that this also disables the 802.1x functions on the interface.
----End

2.4.5 Setting the Authentication Method for the 802.1x User


Context
The authentication method for the 802.1x user can be set according to the actual networking environment and security requirements.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x authentication-method { chap | eap | pap }

  The authentication method is set for the 802.1x user. By default, CHAP authentication is used for an 802.1x user. If you run the dot1x authentication-method command repeatedly, the latest configuration takes effect.
  - The Password Authentication Protocol (PAP) uses a two-way handshake and sends the password in plain text.
  - The Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake. It transmits only the user name, not the password, on the network; therefore, compared with PAP authentication, CHAP authentication is more secure and reliable and protects user privacy better.
  - In Extensible Authentication Protocol (EAP) authentication, the S9300 sends the authentication information of an 802.1x user to the RADIUS server through EAP packets without converting the EAP packets into RADIUS packets. To use PEAP, EAP-TLS, EAP-TTLS, or EAP-MD5 authentication, you only need to enable EAP authentication.

  PAP authentication and CHAP authentication are termination authentication methods; EAP authentication is a relay authentication method.

CAUTION
If local authentication is adopted, you cannot use EAP authentication for 802.1x users.
----End
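The difference between the two termination methods above, as an added example that is not part of the guide: a simulated PAP and CHAP exchange, with the CHAP response computed as RFC 1994 specifies (MD5 over identifier, secret and challenge). The user name, password and challenge are constructed sample values; the message layouts are simplified.

```python
"""Added example (not from the Huawei guide): what crosses the wire in a PAP
versus a CHAP exchange. Credentials and challenge bytes are constructed."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

Message = Tuple[str, bytes]  # (message name, bytes as they appear on the wire)


def pap_exchange(username: str, password: str, stored_password: str) -> List[Message]:
    """PAP (two-way handshake): the Authenticate-Request carries the password
    itself, so the authenticator compares it directly with its stored copy."""
    request = username.encode() + b"\x00" + password.encode()
    sent_password = request.split(b"\x00", 1)[1]
    ok = hmac.compare_digest(sent_password, stored_password.encode())
    return [("PAP Authenticate-Request", request),
            ("PAP Authenticate-Ack" if ok else "PAP Authenticate-Nak", b"")]


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(username: str, password: str, stored_password: str,
                  challenge: Optional[bytes] = None, identifier: int = 1) -> List[Message]:
    """CHAP (three-way handshake): only the user name and a hash of the password
    cross the wire; the authenticator recomputes the hash from its stored copy."""
    if challenge is None:
        challenge = os.urandom(16)  # the authenticator picks a fresh challenge each time
    response = chap_response(identifier, password, challenge)         # supplicant side
    expected = chap_response(identifier, stored_password, challenge)  # authenticator side
    ok = hmac.compare_digest(response, expected)
    return [("CHAP Challenge", bytes([identifier]) + challenge),
            ("CHAP Response", bytes([identifier]) + response + username.encode()),
            ("CHAP Success" if ok else "CHAP Failure", b"")]


def password_on_wire(messages: List[Message], password: str) -> bool:
    """What a passive observer learns: does the password appear verbatim in any message?"""
    return any(password.encode() in payload for _, payload in messages)


if __name__ == "__main__":
    # Constructed sample credentials; the user name mirrors the guide's display output.
    for name, msgs in (("PAP", pap_exchange("abc@huawei", "s3cret", "s3cret")),
                       ("CHAP", chap_exchange("abc@huawei", "s3cret", "s3cret"))):
        print(name, [m for m, _ in msgs], "password visible:", password_on_wire(msgs, "s3cret"))
```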
2-12 Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 06 (20100108)

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

2 NAC Configuration

2.4.6 (Optional) Configuring the Interface Access Mode


Context
The 802.1x protocol can work in the following modes:
- Interface mode: If the MAC address of a device connected to an interface passes authentication, all the MAC addresses of other devices connected to the interface can access the network without authentication.
- MAC mode: The MAC address of each device connected to the interface must pass authentication to access the network.

You can configure the access mode of an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     The access mode of the interfaces is configured. You can configure the access mode of interfaces in batches by specifying the interface list in the dot1x port-method command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x port-method { mac | port }

     The access mode of the interface is configured. By default, the access mode of an interface is MAC mode.

CAUTION
If the dot1x port-method { mac | port } command is run to change the access control mode of an interface while an online 802.1x user exists, the online user is disconnected forcibly.
----End

2 NAC Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

2.4.7 (Optional) Configuring the Authorization Status of an Interface


Context
Do as follows to authorize users and control their access scope after they pass authentication. You can configure the authorization status of an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     The authorization status of the interfaces is set. You can configure the authorization status of interfaces in batches by specifying the interface list in the dot1x port-control command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x port-control { auto | authorized-force | unauthorized-force }

     The authorization status of the interface is configured. By default, the authorization status of an interface is auto.
     - auto: The interface is initially in the unauthorized state and sends and receives only EAPoL packets, so users cannot access network resources. After a user passes authentication, the interface enters the authorized state and allows users to access network resources.
     - authorized-force: The interface is always in the authorized state and allows users to access network resources without authentication.
     - unauthorized-force: The interface is always in the unauthorized state and does not allow users to access network resources.

----End

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

2 NAC Configuration

2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users


Context
When the number of access users on an interface reaches the maximum value, the S9300 does not trigger authentication for subsequent access users, so these users cannot access the network. You can set the maximum number of access users on interfaces in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     The maximum number of concurrent access users is set on the interfaces. You can configure the maximum number of concurrent access users on interfaces in batches by specifying the interface list in the dot1x max-user command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x max-user user-number

     The maximum number of concurrent access users is set on the interface. By default, each interface allows up to 8192 concurrent access users. This command takes effect only on interfaces where users are authenticated based on MAC addresses. If users are authenticated based on the interface, the maximum number of access users is automatically set to 1: only one user needs to be authenticated on the interface, and other users can access the network after the first user passes authentication.

CAUTION
If the number of users already present on the interface is greater than the maximum number that you set, all the users are disconnected from the interface. The maximum number of NAC access users allowed by the S9300 depends on the S9300 model: the specification is 8192 multiplied by the number of LPU slots.
----End

2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication


Context
After DHCP packets are enabled to trigger authentication, 802.1x allows the S9300 to trigger user identity authentication when the access user runs DHCP to apply for an IP address. In this case, an 802.1x user is authenticated without dialing up through the client software. This speeds up network deployment.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x dhcp-trigger enable

  Dynamic Host Configuration Protocol (DHCP) packets are enabled to trigger user authentication. By default, DHCP packets do not trigger authentication. After you run the dot1x dhcp-trigger enable command, users cannot obtain IP addresses through DHCP if they do not pass authentication.
----End

2.4.10 (Optional) Configuring 802.1x Timers


Context
When enabled, 802.1x starts several timers to ensure reasonable and ordered exchanges between supplicants, the authenticator, and the authentication server. To adjust the exchange process, you can run commands to change the values of some timers; other timers cannot be adjusted. Adjusting the timers may be necessary in special cases or in a poor network environment. Normally, it is recommended that you retain the default settings of the timers.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }

  The timers of 802.1x authentication are set.
  - client-timeout: Authentication timeout timer of the client. By default, the timeout timer is 30s.
  - handshake-period: Interval of handshake packets from the S9300 to the 802.1x client. By default, the handshake interval is 15s.
  - quiet-period: Period of the quiet timer. By default, the quiet timer is 60s.
  - reauthenticate-period: Re-authentication interval. By default, the re-authentication interval is 3600s.
  - server-timeout: Timeout timer of the authentication server. By default, the timeout timer of the authentication server is 30s.
  - tx-period: Interval for sending authentication requests. By default, the interval for sending authentication request packets is 30s.

  The dot1x timer command only sets the values of the timers; you still need to enable the corresponding timers by running their commands or by keeping the default settings.
----End

2.4.11 (Optional) Configuring the Quiet Timer Function


Context
When the quiet timer function is enabled and a user fails 802.1x authentication, the S9300 keeps the user quiet for a period and does not process authentication requests from the user in this period. This limits the impact of frequent authentication attempts.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x quiet-period

  The quiet timer function is enabled. By default, the quiet timer function is disabled.

  During the quiet period, the S9300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see .
----End

2.4.12 (Optional) Configuring the 802.1x Re-authentication


Context
If the 802.1x authentication of a session has not completed when the session times out, the S9300 disconnects the session and initiates re-authentication. You can configure 802.1x re-authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     Re-authentication is enabled on the interfaces. You can configure 802.1x re-authentication on interfaces in batches by specifying the interface list in the dot1x reauthenticate command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x reauthenticate enable

     Re-authentication is enabled on the interface. By default, 802.1x re-authentication is disabled on an interface. You can run the dot1x timer command to set the re-authentication timer. For details, see .
----End

2.4.13 (Optional) Configuring the Guest VLAN for 802.1x Authentication



Context
When the guest VLAN is enabled, the S9300 sends authentication request packets to all the interfaces on which 802.1x is enabled. If an interface does not return a response when the maximum number of times for re-authentication is reached, the S9300 adds this interface to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without 802.1x authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available to users without authentication.

NOTE
The configured guest VLAN cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     dot1x guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     The guest VLAN is configured on the interfaces. You can configure the guest VLAN on interfaces in batches by specifying the interface list in the dot1x guest-vlan command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     dot1x guest-vlan vlan-id

     The guest VLAN is configured on the interface. By default, no guest VLAN is configured on an interface.
----End

2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
Context
The S9300 can send handshake packets to a Huawei client to detect whether the user is online. If the client does not support the handshake function, the S9300 will not receive handshake response packets within the handshake interval. In this case, you need to disable the user handshake function to prevent the S9300 from disconnecting users by mistake.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x handshake

  The handshake with 802.1x users is enabled. By default, the S9300 is enabled to send handshake packets to online users. You can run the dot1x timer command to set the handshake interval. For details, see .
----End

2.4.15 (Optional) Setting the Retransmission Count of the Authentication Request


Context
If the S9300 does not receive a response after sending an authentication request to a user, it retransmits the authentication request to the user. When no response has been received after the authentication request has been sent the maximum number of times, the S9300 stops retransmitting the authentication request to the user.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  dot1x retry max-retry-value

  The retransmission count of the authentication request is set. By default, the S9300 retransmits an authentication request to an access user twice.
----End

2.4.16 Checking the Configuration


Prerequisite
The configurations of 802.1x authentication are complete.

Procedure
- Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.

----End

Example
View the information about 802.1x authentication on GE 1/0/0.

<Quidway> display dot1x interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 8192
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 1        Failure: 11
 EAPOL Packets: TX : 24           RX : 4
 Sent EAPOL Request/Identity Packets : 11
 EAPOL Request/Challenge Packets : 1
 Multicast Trigger Packets : 0
 DHCP Trigger Packets : 0
 EAPOL Success Packets : 1
 EAPOL Failure Packets : 11
 Received EAPOL Start Packets : 2
 EAPOL LogOff Packets : 0
 EAPOL Response/Identity Packets : 1
 EAPOL Response/Challenge Packets: 1

 Index MAC/VLAN            UserOnlineTime       UserName
 16514 0000-0002-2347/800  2009-06-09 19:10:40  000000022347
 16523 001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
 Controlled User(s) amount to 2 , print number:2.
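Reading this output by hand across many interfaces is error-prone, so here is an added example (not part of the guide and not a Huawei tool) that parses the display dot1x output above into a structure and runs a few review checks over it: the states and counters it reads are the ones shown on this page, and the thresholds in the checks are assumptions.

```python
"""Added example, not from the Huawei guide: parse `display dot1x interface ...`
output (layout as in 2.4.16) and run review checks over the parsed state.
SAMPLE_OUTPUT is the guide's example; the check policy is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """\
GigabitEthernet1/0/0 current state : UP
 802.1x protocol is Enabled[mac-bypass]
 Port control type is Auto
 Authentication method is MAC-based
 Reauthentication is disabled
 Max online user is 8192
 Current online user is 2
 Guest VLAN is disabled
 Authentication Success: 1        Failure: 11
 EAPOL Packets: TX : 24           RX : 4
 Sent EAPOL Request/Identity Packets : 11
 EAPOL Request/Challenge Packets : 1
 Multicast Trigger Packets : 0
 DHCP Trigger Packets : 0
 EAPOL Success Packets : 1
 EAPOL Failure Packets : 11
 Received EAPOL Start Packets : 2
 EAPOL LogOff Packets : 0
 EAPOL Response/Identity Packets : 1
 EAPOL Response/Challenge Packets: 1

 Index MAC/VLAN            UserOnlineTime       UserName
 16514 0000-0002-2347/800  2009-06-09 19:10:40  000000022347
 16523 001e-90aa-e855/800  2009-06-09 19:14:43  abc@huawei
 Controlled User(s) amount to 2 , print number:2.
"""

LINK_RE = re.compile(r"^(\S+) current state : (\S+)$")
STATE_RE = re.compile(r"^(.+?) is (.+)$")                       # "Port control type is Auto"
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z/ ]*?)\s*:\s*(\d+)")  # "Failure: 11", "TX : 24"
USER_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(?P<vlan>\d+)"
    r"\s+(?P<online>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<user>\S+)$")
# Counters that make up the TX total in this output (used as a consistency check).
SENT_COUNTERS = ["Sent EAPOL Request/Identity Packets", "EAPOL Request/Challenge Packets",
                 "Multicast Trigger Packets", "DHCP Trigger Packets",
                 "EAPOL Success Packets", "EAPOL Failure Packets"]


@dataclass
class Dot1xInterface:
    name: str = ""
    link_state: str = ""
    state: Dict[str, str] = field(default_factory=dict)     # "Reauthentication" -> "disabled"
    counters: Dict[str, int] = field(default_factory=dict)  # "TX" -> 24
    users: List[Dict[str, str]] = field(default_factory=list)


def parse_display_dot1x(text: str) -> Dot1xInterface:
    """Split the output into the status block and the online-user table."""
    iface = Dot1xInterface()
    in_user_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Index "):
            in_user_table = True  # everything after the header line is the user table
        elif in_user_table:
            m = USER_RE.match(line)
            if m:
                iface.users.append(m.groupdict())
        elif (m := LINK_RE.match(line)):
            iface.name, iface.link_state = m.groups()
        elif (pairs := COUNTER_RE.findall(line)):  # a line may carry two counters
            for key, value in pairs:
                iface.counters[key.strip()] = int(value)
        elif (m := STATE_RE.match(line)):
            iface.state[m.group(1)] = m.group(2)
    return iface


def audit(iface: Dot1xInterface) -> List[str]:
    """Findings a reviewer would raise for this interface (policy is an assumption)."""
    s, c = iface.state, iface.counters
    findings = []
    if s.get("Port control type") != "Auto":
        findings.append("port-control is %r, not auto: no per-user decision" % s.get("Port control type"))
    if s.get("Reauthentication") == "disabled":
        findings.append("re-authentication disabled: a session stays up until logoff or handshake failure")
    if "mac-bypass" in s.get("802.1x protocol", ""):
        findings.append("MAC bypass enabled: clients failing 802.1x are retried with the MAC as credentials")
    if c.get("TX") != sum(c.get(k, 0) for k in SENT_COUNTERS):
        findings.append("TX counter does not equal the sum of the sent-packet counters")
    if c.get("Failure", 0) > 10 * max(c.get("Authentication Success", 0), 1):
        findings.append("authentication failures (%d) far exceed successes (%d)"
                        % (c["Failure"], c.get("Authentication Success", 0)))
    if int(s.get("Current online user", 0)) >= int(s.get("Max online user", 1)):
        findings.append("interface at its max-user limit: further users are not authenticated")
    return findings


if __name__ == "__main__":
    parsed = parse_display_dot1x(SAMPLE_OUTPUT)
    print(parsed.name, parsed.link_state, parsed.counters, parsed.users, sep="\n")
    print("\n".join(audit(parsed)))
```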

2.5 Configuring MAC Address Authentication


This section describes how to configure the MAC address authentication function.
2.5.1 Establishing the Configuration Task
2.5.2 Enabling Global MAC Address Authentication
2.5.3 Enabling MAC Address Authentication on an Interface
2.5.4 (Optional) Enabling Direct Authentication
2.5.5 Configuring the User Name for MAC Address Authentication
2.5.6 (Optional) Configuring the Domain for MAC Address Authentication
2.5.7 (Optional) Setting the Timers of MAC Address Authentication
2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address
2.5.11 Checking the Configuration

2.5.1 Establishing the Configuration Task


Applicable Environment
MAC address authentication can be configured to authenticate terminals on which client software cannot be installed, such as faxes and printers.

Pre-configuration Tasks
MAC address authentication is only an implementation scheme to authenticate the user identity. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring MAC address authentication, complete the following tasks:
- Configuring the ISP authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the 802.1x user.
- Configuring the user name and password on the RADIUS server if RADIUS authentication is used.
- Adding the user name and password manually on the S9300 if local authentication is used.

Data Preparation
To configure MAC address authentication, you need the following data.

No. | Data
1   | Number of the interface on which MAC address authentication is enabled

2.5.2 Enabling Global MAC Address Authentication


Context
Before the configuration of MAC address authentication, enable MAC address authentication globally.

Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  mac-authen

  MAC address authentication is enabled globally. Related configurations of MAC address authentication take effect only after MAC address authentication is enabled globally. By default, MAC address authentication is disabled globally.
----End

2.5.3 Enabling MAC Address Authentication on an Interface


Context

CAUTION
If MAC address authentication is enabled on the interface, 802.1x authentication or direct authentication cannot be enabled on the interface. If 802.1x or direct authentication is enabled on the interface, MAC address authentication cannot be enabled on the interface.

You can enable MAC address authentication on an interface in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     MAC address authentication is enabled on the interfaces. You can enable MAC address authentication on interfaces in batches by specifying the interface list in the mac-authen command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     mac-authen

     MAC address authentication is enabled on the interface. You must ensure that no online user exists before disabling MAC address authentication with the undo mac-authen command.
----End

2.5.4 (Optional) Enabling Direct Authentication


Context
After direct authentication is enabled, users who connect to the network through the interface pass authentication directly.

CAUTION
If direct authentication is enabled on an interface, 802.1x authentication and MAC address authentication cannot be enabled on the interface. If 802.1x authentication or MAC address authentication is enabled on the interface, direct authentication cannot be enabled on the interface.

You can enable direct authentication in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     direct-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     Direct authentication is enabled on the interfaces. You can configure direct authentication on interfaces in batches by specifying the interface list in the direct-authen command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     direct-authen enable

     Direct authentication is enabled on the interface. By default, direct authentication is disabled on an interface.
----End

2.5.5 Configuring the User Name for MAC Address Authentication


Context
A user can use a fixed user name or the MAC address as the user name. The user name used for MAC address authentication can be configured globally and on an interface.
- The global configuration is valid for all interfaces.
- The configuration on an interface is valid only for the specified interface. The user name configured on an interface takes precedence over the user name configured globally. If no user name is configured on an interface, the globally configured user name is used.

Procedure
- Configuring a fixed user name for a user that uses MAC address authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     mac-authen username fixed

     The S9300 is configured to use a fixed user name for a user that uses MAC address authentication.
  3. Run:
     mac-authen username username

     A fixed user name is configured for the user.
  4. Run:
     mac-authen password password

     The password is set.
- Configuring a MAC address as the user name for a user that uses MAC address authentication
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     mac-authen username macaddress

     Users that use MAC address authentication are configured to use their MAC addresses as their user names.
  3. (Optional) Run:
     mac-authen username macaddress [ format { with-hyphen | without-hyphen } ]

     The format of the user name is set. There are two formats for a MAC address used as the user name: the hyphenated MAC address (such as 0010-8300-0011) and the MAC address without hyphens (such as 001083000011). By default, a MAC address without hyphens is used as the user name for a user that uses MAC address authentication. After you run the mac-authen username macaddress command, the access users are authenticated by using their MAC addresses as both the user names and the passwords.
- Configuring the format of the user name in the interface view
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     mac-authen username { fixed user-name [ password password ] | macaddress format { with-hyphen | without-hyphen } }

     The format of the user name used for MAC address authentication is configured.
----End
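To see exactly which user name and password the switch will present for a MAC-authenticated device under each format, here is an added example (not from the guide and not Huawei code) that normalizes MAC addresses written in the common notations, renders the with-hyphen and without-hyphen user names described above, and tells from an observed (MAC, user name) pair whether the user name is MAC-derived. The input notations it accepts and the two observed users (taken from the display dot1x output in 2.4.16) are constructed sample data.

```python
"""Added example, not from the Huawei guide: credentials the S9300 uses for a
MAC-authenticated user (user name and password both equal the MAC address)
in the with-hyphen and without-hyphen formats of 2.5.5."""
import re
from typing import List, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
FORMATS = ("without-hyphen", "with-hyphen")  # the two values of the format keyword


def is_valid_mac(mac: str) -> bool:
    """True for aa:bb:cc:dd:ee:ff, AABB.CCDD.EEFF, aa-bb-cc-dd-ee-ff,
    aabb-ccdd-eeff or a bare 12-digit hex string."""
    return bool(_HEX12.match(re.sub(r"[-:.]", "", mac.strip()).lower()))


def normalize_mac(mac: str) -> str:
    """Reduce any accepted notation to 12 lower-case hex digits."""
    if not is_valid_mac(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return re.sub(r"[-:.]", "", mac.strip()).lower()


def mac_username(mac: str, fmt: str = "without-hyphen") -> str:
    """Render the MAC as the user name the `format` keyword selects.
    The default matches the switch default (no hyphens)."""
    digits = normalize_mac(mac)
    if fmt == "without-hyphen":
        return digits
    if fmt == "with-hyphen":
        return "-".join(digits[i:i + 4] for i in (0, 4, 8))  # 0010-8300-0011 style
    raise ValueError("unknown format %r" % fmt)


def mac_credentials(mac: str, fmt: str = "without-hyphen") -> Tuple[str, str]:
    """User name and password are both the MAC address (2.5.5); this is what
    the RADIUS server or the local user database must hold for the device."""
    name = mac_username(mac, fmt)
    return name, name


def detect_format(mac: str, username: str) -> Optional[str]:
    """Which MAC-derived format a user name is in, or None when it is not
    derived from the MAC (a fixed user name or an 802.1x user such as abc@huawei)."""
    for fmt in FORMATS:
        if username.lower() == mac_username(mac, fmt):
            return fmt
    return None


def classify_users(users: List[Tuple[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Tag each observed (mac, username) pair with its user-name origin."""
    return [(mac, detect_format(mac, name)) for mac, name in users]


# Constructed sample: the two online users from the display dot1x output in 2.4.16.
OBSERVED_USERS = [("0000-0002-2347", "000000022347"), ("001e-90aa-e855", "abc@huawei")]

if __name__ == "__main__":
    for notation in ("00:10:83:00:00:11", "0010.8300.0011", "00-10-83-00-00-11"):
        print(notation, "->", mac_credentials(notation, "with-hyphen"))
    print(classify_users(OBSERVED_USERS))
```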

2.5.6 (Optional) Configuring the Domain for MAC Address Authentication


Context
If the MAC address is used as the user name, or a fixed user name is used that does not contain a domain name, you must configure the authentication domain. If a fixed user name contains the authentication domain, that domain is used for the user.

NOTE
Before configuring the authentication domain for users who use MAC address authentication, confirm that the domain exists. Otherwise, the system displays an error message during the configuration.

The domain used for MAC address authentication can be configured globally and on an interface.
- The global configuration is valid for all interfaces.
- The configuration on an interface is valid only for the specified interface. The domain configured on an interface takes precedence over the domain configured globally. If no domain is configured on an interface, the globally configured domain is used.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     mac-authen domain isp-name

     A domain name is configured for users who use MAC address authentication.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     mac-authen domain isp-name

     A domain name is configured for users who use MAC address authentication. The default authentication domain is the domain named default.
----End

2.5.7 (Optional) Setting the Timers of MAC Address Authentication


Procedure
Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | server-timeout server-timeout-value }

  The timers for MAC address authentication are set.
  - guest-vlan reauthenticate-period: Interval for re-authenticating users in a guest VLAN. By default, the re-authentication interval is 30s.
  - offline-detect: Offline-detect timer, the interval at which the S9300 checks whether a user has gone offline. By default, the offline-detect timer is 300s.
  - quiet-period: Quiet timer. After a user's authentication fails, the S9300 waits for this period before processing further authentication requests from the user; during the quiet period, authentication requests from the user are not processed. By default, the quiet timer is 60s.
  - server-timeout: Server timeout timer. If the connection between the S9300 and the RADIUS server times out during user authentication, the authentication fails. By default, the server timeout timer is 30s.

----End

2 NAC Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
Context
When the guest VLAN function is enabled and MAC address authentication fails, the S9300 adds the access interface of the user to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without MAC address authentication. Authentication, however, is required when such users access external resources. Thus certain resources are available to users without authentication.

NOTE
The VLAN to be configured as the guest VLAN must exist in the system and cannot be the default VLAN of the interface.

You can configure the guest VLAN in the following ways.

Procedure
- In the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     mac-authen guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

     The guest VLAN of the interfaces is configured. You can configure the guest VLAN of interfaces in batches by specifying the interface list in the mac-authen guest-vlan command in the system view.
- In the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface { ethernet | gigabitethernet } interface-number

     The interface view is displayed.
  3. Run:
     mac-authen guest-vlan vlan-id

     The guest VLAN of the interface is configured. By default, no guest VLAN is configured on an interface.
----End

2.5.9 (Optional) Setting the Maximum Number of Access Users Who Adopt MAC Address Authentication
Context
When the number of access users on an interface reaches the limit, the S9300 does not trigger authentication for users that connect to the interface later; therefore, these users cannot access the network. You can configure the maximum number of access users who adopt MAC address authentication in the following ways.

Procedure
• In the system view:
1. Run:
system-view

The system view is displayed.

2. Run:
mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

The maximum number of access users who adopt MAC address authentication is set on the interfaces. You can configure the maximum number of access users of interfaces in batches by specifying the interface list in the mac-authen max-user command in the system view.

• In the interface view:
1. Run:
system-view

The system view is displayed.

2. Run:
interface { ethernet | gigabitethernet } interface-number

The interface view is displayed.

3. Run:
mac-authen max-user user-number

The maximum number of access users who adopt MAC address authentication on the interface is set. By default, the maximum number of access users who adopt MAC address authentication on an interface of the S9300 is 8192. The maximum number of NAC access users allowed by the S9300 depends on the S9300 model: the specification is 8192 multiplied by the number of LPU slots.

----End

2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address


Context
If re-authentication of a user with a specific MAC address is enabled, the online user is re-authenticated periodically. If the user passes the authentication, the user is re-authorized; otherwise, the user goes offline. You can run the mac-authen timer command to set the re-authentication interval. For details, see 2.5.7 (Optional) Setting the Timers of MAC Address Authentication.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-authen reauthenticate mac-address mac-address

The specified user that has passed MAC address authentication is re-authenticated. If the user has not passed MAC address authentication, the user is not authenticated again.

----End

2.5.11 Checking the Configuration

Prerequisite
The configurations of MAC address authentication are complete.

Procedure
• Run the display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of MAC address authentication.

----End

Example
View information about MAC address authentication on GE 1/0/1.
<Quidway> display mac-authen interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
MAC address authentication is Enabled
Max online user is 8192
Current online user is 1
Guest VLAN is disabled
Authentication Success: 1, Failure: 0
Index    MAC/VLAN               UserOnlineTime
16400    00e0-fc33-0011/15      2009-05-18 09:21:55
Controlled User(s) amount to 1
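The output above is what a monitoring script would collect from the S9300. The following is an added example, not part of this guide or of Huawei's software: it parses the display mac-authen interface output into a dictionary, derives each online user's default RADIUS user name (the MAC address without hyphens, as used in 2.7.3) and raises a finding when the interface has reached the max-user limit described in 2.5.9. The key names and the findings are this example's own assumptions.

```python
"""Parse the 'display mac-authen interface' output shown in 2.5.11.

Added example, not Huawei code. It turns the command output into a dict,
derives the default RADIUS user name of each online user (the MAC address
without hyphens, see 2.7.3) and flags an interface that has reached its
mac-authen max-user limit (2.5.9). Key names and findings are assumptions.
"""
import re
from typing import Any, Dict, List

# The output printed in the guide's 2.5.11 example, re-typed line by line.
SAMPLE_OUTPUT = """\
<Quidway> display mac-authen interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
MAC address authentication is Enabled
Max online user is 8192
Current online user is 1
Guest VLAN is disabled
Authentication Success: 1, Failure: 0
Index    MAC/VLAN               UserOnlineTime
16400    00e0-fc33-0011/15      2009-05-18 09:21:55
Controlled User(s) amount to 1
"""

STATE_RE = re.compile(r"^(\S+) current state : (\S+)$")
COUNTS_RE = re.compile(r"^Authentication Success: (\d+), Failure: (\d+)$")
USER_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
SIMPLE_FIELDS = {  # line prefix -> key in the result dict
    "Max online user is ": "max_users",
    "Current online user is ": "current_users",
    "Controlled User(s) amount to ": "controlled_users",
}


def default_username(mac: str) -> str:
    """Default user name sent to RADIUS: the MAC address without hyphens."""
    return mac.replace("-", "").lower()


def parse_mac_authen(output: str) -> Dict[str, Any]:
    """Convert one interface block of 'display mac-authen' into a dict."""
    info: Dict[str, Any] = {"users": []}
    for raw in output.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            info["interface"], info["state"] = m.group(1), m.group(2)
            continue
        if line.startswith("MAC address authentication is "):
            info["enabled"] = line.endswith("Enabled")
            continue
        if line.startswith("Guest VLAN is "):
            info["guest_vlan"] = line[len("Guest VLAN is "):]
            continue
        m = COUNTS_RE.match(line)
        if m:
            info["success"], info["failure"] = int(m.group(1)), int(m.group(2))
            continue
        for prefix, key in SIMPLE_FIELDS.items():
            if line.startswith(prefix):
                # "2 , print number:2" style suffixes are ignored by split()
                info[key] = int(line[len(prefix):].split()[0])
                break
        else:
            m = USER_RE.match(line)
            if m:
                info["users"].append({
                    "index": int(m.group(1)),
                    "mac": m.group(2),
                    "vlan": int(m.group(3)),
                    "online_since": m.group(4),
                    "username": default_username(m.group(2)),
                })
    return info


def check_interface(info: Dict[str, Any]) -> List[str]:
    """Findings an operator would act on; an empty list means nothing to report."""
    findings: List[str] = []
    if not info.get("enabled"):
        findings.append("MAC address authentication is disabled")
    if info.get("state") != "UP":
        findings.append("interface is not UP")
    # 2.5.9: once the limit is reached, later users are never authenticated
    if "max_users" in info and info.get("current_users", 0) >= info["max_users"]:
        findings.append("max-user limit reached: new users cannot authenticate")
    if info.get("failure", 0) > 0:
        findings.append(f"{info['failure']} failed authentication(s) recorded")
    if len(info["users"]) != info.get("controlled_users", len(info["users"])):
        findings.append("user table and controlled-user count disagree")
    return findings


if __name__ == "__main__":
    parsed = parse_mac_authen(SAMPLE_OUTPUT)
    print(parsed)
    print(check_interface(parsed) or ["no findings"])
```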

2.6 Maintaining NAC


This section describes how to clear statistics about NAC and debug NAC.
2.6.1 Clearing the Statistics About 802.1x Authentication
2.6.2 Clearing Statistics About MAC Address Authentication
2.6.3 Debugging 802.1x Authentication
2.6.4 Debugging MAC Address Authentication

2.6.1 Clearing the Statistics About 802.1x Authentication


Context

CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After you confirm that the statistics need to be reset, run the following command in the user view.

Procedure
• Run the reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about 802.1x authentication.

----End

2.6.2 Clearing Statistics About MAC Address Authentication


Context

CAUTION
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the following command.

After you confirm that the statistics need to be reset, run the following command in the user view.

Procedure
• Run the reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to clear the statistics about MAC address authentication.

----End

2.6.3 Debugging 802.1x Authentication


Context

CAUTION
Debugging affects system performance. Therefore, after debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during 802.1x authentication, run the following debugging command in the user view to locate the fault.

Procedure
• Run the debugging dot1x { all | error | event | info | message | packet } command to enable debugging of 802.1x authentication packets.

----End

2.6.4 Debugging MAC Address Authentication


Context

CAUTION
Debugging affects system performance. Therefore, after debugging, run the undo debugging all command to disable it immediately.

When a fault occurs during MAC address authentication, run the following debugging command in the user view to locate the fault.

Procedure
• Run the debugging mac-authen { all | error | event | info | message | packet } command to enable debugging of MAC address authentication packets.

----End

2.7 Configuration Examples


This section provides several configuration examples of NAC.
2.7.1 Example for Configuring Web Authentication
2.7.2 Example for Configuring 802.1x Authentication
2.7.3 Example for Configuring MAC Address Authentication

2.7.1 Example for Configuring Web Authentication


Networking Requirements
As shown in Figure 2-2, the requirements are as follows:
• The user interacts with the Web authentication server through the S9300.
• The authentication is performed by the RADIUS server.
• The user can access only the Web authentication server before authentication.
• After passing the Web authentication, the user can access the external network.

Figure 2-2 Network diagram for configuring Web authentication
[Figure not reproduced. Labels in the diagram: Web server 192.168.2.20, RADIUS server 192.168.2.30, GE 1/0/1, GE 1/0/2, VLAN 20, GE 1/0/0, VLANIF 10 192.168.1.10, VLANIF 20 192.168.2.10, GE 2/0/0, Internet, User, S9300]

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the IP address of the Layer 3 interface connected to the user.
2. Configure a RADIUS server template.
3. Configure an AAA authentication template.
4. Configure a domain.
5. Configure the Web authentication function.

Data Preparation
To complete the configuration, you need the following data:
• IP address and URL of the Web authentication server
• IP address of the Layer 3 interface connected to the authentication terminal
• IP address and port number of the RADIUS authentication server
• Key of the RADIUS server (hello) and the retransmission count (2)
• Name of the AAA authentication scheme (web1)
• Name of the RADIUS server template (rd1)
• Name of the user domain (isp1)
NOTE

In this example, only the configuration of the S9300 is provided, and the configurations of the Web server and RADIUS server are omitted.

Procedure
Step 1 Set the IP address of the Layer 3 interface connected to the user.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] port default vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 192.168.1.10 24
[Quidway-Vlanif10] quit

Step 2 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 3 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 4 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 5 Configure the Web authentication function.
# Set the IP address and URL of the Web authentication server.
[Quidway] web-auth-server isp1 192.168.2.20 url www.isp1.com

# Bind the Web authentication server to the Layer 3 interface.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] web-auth-server isp1
[Quidway-Vlanif10] quit

# Configure a free rule so that the user is redirected to the Web authentication page when the user starts the Web browser.
[Quidway] portal free-rule 20 destination ip 192.168.2.20 mask 24 source any

Step 6 Verify the configuration.


Run the display web-auth-server configuration command on the S9300 to view the configuration of the Web authentication server.
<Quidway> display web-auth-server configuration
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled
  ------------------------------------------------------------------------
  Web-auth-server Name  : isp1
    IP-address          : 192.168.1.10
    Shared-key          : 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
    Port / PortFlag     : 50100 / NO
    URL                 : www.isp1.com
  ------------------------------------------------------------------------
  1 Web authentication server(s) in total

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
web-auth-server isp1 192.168.2.20 port 50100 url www.isp1.com
portal free-rule 20 destination ip 192.168.2.20 mask 255.255.255.0 source any
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
 web-auth-server isp1
#
interface GigabitEthernet1/0/0
 port link-type access
 port default vlan 10
#
return

2.7.2 Example for Configuring 802.1x Authentication


Networking Requirements
As shown in Figure 2-3, the requirements are as follows:
• 802.1x authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet. The default access control mode is adopted, that is, the S9300 controls access of the user based on the MAC address of the user.
• The authentication is performed by the RADIUS server.
• The maximum number of users on GE 1/0/0 is 100.
• MAC address bypass authentication is performed for the printer connected to GE 1/0/0.

Figure 2-3 Networking diagram for configuring 802.1x authentication
[Figure not reproduced. Labels in the diagram: RADIUS server 192.168.2.30, User, Printer, GE 1/0/0, GE 2/0/1, VLANIF 20 192.168.2.10, GE 2/0/0, Internet, S9300]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication template.
3. Configure a domain.
4. Configure the 802.1x authentication function.

Data Preparation
To complete the configuration, you need the following data:
• IP address and port number of the RADIUS authentication server
• Key of the RADIUS server (hello) and the retransmission count (2)
• Name of the AAA authentication scheme (web1)
• Name of the RADIUS server template (rd1)
• Name of the user domain (isp1)
NOTE

In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server is omitted.

Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure the 802.1x authentication function.
# Enable 802.1x authentication globally and on GE 1/0/0.
[Quidway] dot1x
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] dot1x

# Set the maximum number of access users on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] dot1x max-user 100

# Configure MAC address bypass authentication.
[Quidway-GigabitEthernet1/0/0] dot1x mac-bypass

Step 5 Verify the configuration.
Run the display dot1x interface command on the S9300 to view the configuration and statistics of 802.1x authentication.
<Quidway> display dot1x interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
802.1x protocol is Enabled[mac-bypass]
The port is an authenticator
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Max online user is 100
Current online user is 1
Guest VLAN is disabled
Authentication Success: 4    Failure: 0
EAPOL Packets: TX : 8    RX : 16
Sent     EAPOL Request/Identity Packets   : 4
         EAPOL Request/Challenge Packets  : 4
         Multicast Trigger Packets        : 0
         DHCP Trigger Packets             : 0
         EAPOL Success Packets            : 4
         EAPOL Failure Packets            : 0
Received EAPOL Start Packets              : 4
         EAPOL LogOff Packets             : 3
         EAPOL Response/Identity Packets  : 4
         EAPOL Response/Challenge Packets : 4
Controlled User(s) amount to 1, print number:1

----End

Configuration Files
#
 sysname Quidway
#
dot1x
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 dot1x mac-bypass
 dot1x max-user 100
#
return

2.7.3 Example for Configuring MAC Address Authentication


Networking Requirements
As shown in Figure 2-4, the requirements are as follows:
• Authentication is performed for the user connected to GE 1/0/0 to control the user's access to the Internet.
• The authentication is performed by the RADIUS server.
• The default authentication method is used, that is, the MAC address without hyphens is used as the user name in authentication.
• The maximum number of users on GE 1/0/0 is 100.

Figure 2-4 Networking diagram for configuring MAC address authentication
[Figure not reproduced. Labels in the diagram: RADIUS server 192.168.2.30, User, GE 1/0/0, GE 2/0/1, VLANIF 20 192.168.2.10, GE 2/0/0, Internet, S9300]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template.
2. Configure an AAA authentication template.
3. Configure the domain of the users that use MAC address authentication.
4. Configure MAC address authentication.

Data Preparation
To complete the configuration, you need the following data:
• IP address and port number of the RADIUS authentication server
• Key of the RADIUS server (hello) and the retransmission count (2)
• Name of the AAA authentication scheme (web1)
• Name of the RADIUS server template (rd1)
• Name of the user domain (isp1)
NOTE

In this example, only the configuration of the S9300 is provided, and the configuration of RADIUS server is omitted.

Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS server template rd1.
[Quidway] radius-server template rd1

# Set the IP address and port number of the primary RADIUS authentication server.
[Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812

# Set the key and retransmission count of the RADIUS server.
[Quidway-radius-rd1] radius-server shared-key cipher hello
[Quidway-radius-rd1] radius-server retransmit 2
[Quidway-radius-rd1] quit

Step 2 Create an authentication scheme web1 and set the authentication method to RADIUS authentication.
[Quidway] aaa
[Quidway-aaa] authentication-scheme web1
[Quidway-aaa-authen-1] authentication-mode radius
[Quidway-aaa-authen-1] quit

Step 3 Create a domain isp1 and bind the authentication scheme and RADIUS server template to the domain.
[Quidway-aaa] domain isp1
[Quidway-aaa-domain-isp1] authentication-scheme web1
[Quidway-aaa-domain-isp1] radius-server rd1
[Quidway-aaa-domain-isp1] quit
[Quidway-aaa] quit

Step 4 Configure the MAC address authentication function.


# Enable MAC address authentication globally and on GE 1/0/0.
[Quidway] mac-authen
[Quidway] interface gigabitethernet1/0/0
[Quidway-GigabitEthernet1/0/0] mac-authen

# Set the maximum number of access users on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] mac-authen max-user 100
[Quidway-GigabitEthernet1/0/0] quit

# Specify domain isp1 as the domain of the users that use MAC address authentication.
[Quidway] mac-authen domain isp1

Step 5 Verify the configuration.
Run the display mac-authen interface command on the S9300 to view the configuration of MAC address authentication.
<Quidway> display mac-authen interface GigabitEthernet 1/0/0
MAC address authentication is Enabled
Max online user is 100
Current online user is 2
Guest VLAN is disabled
Authentication Success: 2, Failure: 1
Controlled User(s) amount to 2 , print number:2

----End

Configuration Files
#
 sysname Quidway
#
mac-authen
mac-authen domain isp1
#
radius-server template rd1
 radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 radius-server authentication 192.168.2.30 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme web1
  authentication-mode radius
 domain isp1
  authentication-scheme web1
  radius-server rd1
#
interface GigabitEthernet1/0/0
 mac-authen
 mac-authen max-user 100
#
return

3 DHCP Snooping Configuration

About This Chapter
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks.
3.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.
3.2 DHCP Snooping Features Supported by the S9300
This section describes the DHCP snooping features supported by the S9300.
3.3 Preventing the Bogus DHCP Server Attack
This section describes how to prevent attackers from attacking the DHCP server through the S9300 by forging the DHCP server.
3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.
3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users. This is necessary because authorized users cannot access the network when an attacker applies for IP addresses continuously.
3.7 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.
3.8 Configuring the Packet Discarding Alarm Function
An alarm is generated when the number of discarded packets exceeds the threshold.
3.9 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.
3.10 Configuration Examples
This section provides several configuration examples of DHCP snooping.

3.1 Introduction to DHCP Snooping

This section describes the principle of DHCP snooping.
DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this manner, DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.
DHCP snooping ensures that authorized users can access the network by recording the mapping between IP addresses and MAC addresses of clients. In this manner, DHCP snooping acts as a firewall between DHCP clients and a DHCP server. DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP messages for extending IP address leases.

3.2 DHCP Snooping Features Supported by the S9300

This section describes the DHCP snooping features supported by the S9300.
The S9300 supports security features such as the trusted interface, the DHCP snooping binding table, binding of the IP address, MAC address, and interface, and Option 82. In this manner, the security of a device enabled with DHCP is ensured.
As a terabit routing switch, the S9300 supports both Layer 2 switching functions and Layer 3 routing functions, and DHCP snooping can be used in both Layer 2 switching and Layer 3 routing applications.

Applying DHCP Snooping on the S9300 on a Layer 2 Network

When deployed on a Layer 2 network, the S9300 is located between the DHCP relay and the Layer 2 user network. Figure 3-1 shows the DHCP snooping application on an S9300 where DHCP snooping is enabled.

Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network
[Figure not reproduced. Labels in the diagram: L3 network, DHCP server, DHCP relay, Trusted, Untrusted, S9300, L2 network, User network]

Applying DHCP Snooping on the S9300 That Functions as the DHCP Relay Agent
The S9300 provides Layer 3 routing functions and can function as the DHCP relay agent on a network. As shown in Figure 3-2, the S9300 that is enabled with DHCP snooping functions as the DHCP relay agent.

Figure 3-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent
[Figure not reproduced. Labels in the diagram: L3 network, DHCP server, Trusted, Untrusted, S9300 (DHCP relay), L2 network, User network]

NOTE


When the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping is enabled. In this manner, the S9300 can defend against attacks shown in Table 3-1. The difference is that: when the S9300 functions as the DHCP relay agent, it supports the association function between ARP and DHCP snooping. The S9300, however, does not support the association function when it is deployed on a Layer 2 network.

DHCPv6 Snooping
The S9300 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for the users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.

DHCP Snooping over VPLS

When the S9300 is deployed on a VPLS network and DHCP snooping over VPLS is enabled, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set the related DHCP snooping parameters on the interface, the S9300 can process DHCP messages on the VPLS network.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

Type of Attacks Defended Against by DHCP Snooping

DHCP snooping provides different operation modes according to the type of attack, as shown in Table 3-1.

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes
Type of Attacks                                              | DHCP Snooping Operation Mode
Bogus DHCP server attack                                     | Setting an interface to trusted or untrusted
DoS attack by changing the value of the CHADDR field         | Checking the CHADDR field in DHCP messages
Attack by sending bogus messages to extend IP address leases | Checking whether DHCP request messages match entries in the DHCP snooping binding table
DHCP flooding attack                                         | Limiting the rate of sending DHCP messages

3.3 Preventing the Bogus DHCP Server Attack

This section describes how to prevent attackers from attacking the DHCP server through the S9300 by forging the DHCP server.
3.3.1 Establishing the Configuration Task
3.3.2 Enabling DHCP Snooping
3.3.3 Configuring an Interface as a Trusted Interface
3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
3.3.5 Checking the Configuration

3.3.1 Establishing the Configuration Task

Applicable Environment
When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect information, such as an incorrect gateway IP address, an incorrect domain name server (DNS) address, or an incorrect client IP address. As a result, the DHCP client cannot access the network or cannot reach the correct destination network.
To prevent a bogus DHCP server attack, configure DHCP snooping on the S9300, configure the network-side interface as trusted and the user-side interfaces as untrusted, and discard DHCP Reply messages received from untrusted interfaces.
To locate a bogus DHCP server, configure detection of bogus DHCP servers on the S9300. The S9300 then obtains information about DHCP servers by checking DHCP Reply messages and records the information in the log, which facilitates network maintenance.

Pre-configuration Tasks
Before preventing the bogus DHCP server attack, complete the following task:
• Configuring the DHCP server

Data Preparation
To prevent the bogus DHCP server attack, you need the following data.
No. | Data
1   | Type and number of the interface that needs to be set to be trusted

3.3.2 Enabling DHCP Snooping

Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally, on interfaces, and in VLANs. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on those interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

Return to the system view.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set the related DHCP snooping parameters on the interface, the S9300 can process DHCP messages on the VPLS network.
The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is usually deployed on the PE of the VPLS network to control DHCP messages sent from the user side into the VPLS network. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as those of DHCP snooping.
NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.3.3 Configuring an Interface as a Trusted Interface


Context
Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted. After DHCP snooping is enabled on an interface, the interface is an untrusted interface by default.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is the network-side interface connected to the DHCP server.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 In the interface view, run:
dhcp snooping trusted [ no-user-binding ]

Or, in the VLAN view, run:
dhcp snooping trusted interface interface-type interface-number [ no-user-binding ]

The interface is configured as a trusted interface. DHCP Reply messages sent from a trusted interface are forwarded and DHCP Request messages sent from the trusted interface are discarded; DHCP Discover messages sent from an untrusted interface are discarded. If the no-user-binding keyword is not used in the command, a binding entry is created when the interface receives a DHCP Ack message sent to a user who does not go online through the local device. If this keyword is used in the command, no binding entry is created in this case. When running the dhcp snooping trusted command in the VLAN view, the specified interface must belong to the VLAN. Compared with the dhcp snooping trusted command run in the interface view, the dhcp snooping trusted command run in the VLAN view is more precise, because a specified interface in a specified VLAN can be configured as a trusted interface.

----End

3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers


Context
After detection of bogus DHCP servers is enabled, the S9300 records IP addresses of the DHCP servers contained in all DHCP Reply messages. If a DHCP Reply message is sent from an untrusted interface, the S9300 considers the DHCP server as a bogus server and records it into the log. The network administrator can then maintain the network according to the log.

NOTE
Before enabling detection of bogus DHCP servers, ensure that DHCP snooping is enabled globally and on the interface. Otherwise, the detection function does not take effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server detect

Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S9300.

----End
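The Reply handling of 3.3.3 and the bogus-server log of 3.3.4, modelled in Python as an added example (not Huawei's code): trust can be granted per interface or per interface-in-VLAN, and interface names and server addresses are constructed.

```python
# Added example (not Huawei's code): DHCP Reply handling on trusted and
# untrusted interfaces, and the bogus-server log that 'dhcp server detect'
# produces. Interface names and server addresses are constructed.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class DhcpReply:
    interface: str     # interface the Reply arrived on
    vlan: int          # VLAN the Reply arrived in
    server_ip: str     # address of the DHCP server that sent the Reply


@dataclass
class SnoopingState:
    # Trust granted in the interface view ('dhcp snooping trusted') applies to
    # every VLAN on that interface; trust granted in the VLAN view applies to
    # one (interface, VLAN) pair only.
    trusted_interfaces: Set[str] = field(default_factory=set)
    trusted_in_vlan: Set[Tuple[str, int]] = field(default_factory=set)
    detect_enabled: bool = False          # 'dhcp server detect'
    known_servers: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def is_trusted(self, interface: str, vlan: int) -> bool:
        return (interface in self.trusted_interfaces
                or (interface, vlan) in self.trusted_in_vlan)

    def handle_reply(self, reply: DhcpReply) -> str:
        """Forward a Reply from a trusted interface; discard one from an untrusted
        interface and, with detection on, log its server as bogus."""
        if self.detect_enabled:
            self.known_servers.add(reply.server_ip)   # servers seen in all Replies
        if self.is_trusted(reply.interface, reply.vlan):
            return "forward"
        if self.detect_enabled:
            self.log.append(f"bogus DHCP server {reply.server_ip} on untrusted "
                            f"interface {reply.interface} in VLAN {reply.vlan}")
        return "discard"
```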

3.3.5 Checking the Configuration


Prerequisite
The configurations of preventing the bogus DHCP server attack are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.
• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP snooping binding table.
• Run the display this command in the system view to check the configuration of detection of bogus DHCP servers. You can only check whether detection of bogus DHCP servers is enabled through the display this command. The detection information is recorded in the log, and you can obtain related information by viewing the log.

----End

3.4 Preventing the DoS Attack by Changing the CHADDR Field


This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.

3.4.1 Establishing the Configuration Task
3.4.2 Enabling DHCP Snooping
3.4.3 Checking the CHADDR Field in DHCP Request Messages
3.4.4 Checking the Configuration

3.4.1 Establishing the Configuration Task


Applicable Environment
The attacker may change the client hardware address (CHADDR) carried in DHCP messages instead of the source MAC address in the frame header to apply for IP addresses continuously. The S9300, however, only checks the validity of packets based on the source MAC address in the frame header. The attack packets can still be forwarded normally. The MAC address limit cannot take effect in this manner. To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S9300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.

Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.

No.   Data
1     Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

Return to the system view.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.4.3 Checking the CHADDR Field in DHCP Request Messages


Context
If the CHADDR field in DHCP Request messages matches the source MAC address in the Ethernet frame header, the messages are forwarded. Otherwise, the messages are discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is the user-side interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check mac-address enable

The interface, or the interface in the VLAN, is configured to check the CHADDR field in DHCP Request messages. By default, an interface or an interface in a VLAN does not check the CHADDR field in DHCP Request messages on the S9300.

----End
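The CHADDR check described above, as an added example in Python (not Huawei's code): it pulls the source MAC and the CHADDR field out of a raw Ethernet/IPv4/UDP/BOOTP frame and decides whether the request is forwarded or discarded. The sample frames, their MAC addresses and the 802.1Q-tag handling are constructed assumptions, not anything the S9300 documents.

```python
# Added example (not Huawei's code): the CHADDR-versus-source-MAC check that
# 'dhcp snooping check mac-address enable' applies to DHCP Request messages.
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
IPPROTO_UDP = 17
BOOTP_REQUEST = 1          # BOOTP 'op' value for client-to-server messages
DHCP_SERVER_PORT = 67


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_request(frame: bytes):
    """Return (source MAC, CHADDR, VLAN ID or None) for a DHCP Request frame,
    or None when the frame is not DHCP client-to-server traffic."""
    src_mac = frame[6:12]
    eth_type = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if eth_type == ETH_P_8021Q:                      # 802.1Q tag (assumed layout)
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        eth_type = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if eth_type != ETH_P_IP or frame[off + 9] != IPPROTO_UDP:
        return None
    udp = off + (frame[off] & 0x0F) * 4               # skip the IPv4 header (IHL)
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp + 8                                   # fixed 8-byte UDP header
    op, hlen = frame[bootp], frame[bootp + 2]
    if op != BOOTP_REQUEST or hlen > 16:
        return None
    chaddr = frame[bootp + 28:bootp + 28 + hlen]      # CHADDR starts at BOOTP offset 28
    return _mac(src_mac), _mac(chaddr), vlan


def chaddr_check(frame: bytes) -> str:
    """'forward' when CHADDR equals the frame's source MAC, 'discard' otherwise.
    Frames that are not DHCP requests are outside the check and are forwarded."""
    parsed = parse_dhcp_request(frame)
    if parsed is None:
        return "forward"
    src_mac, chaddr, _vlan = parsed
    return "forward" if src_mac == chaddr else "discard"


def build_request(src_mac: bytes, chaddr: bytes, vlan=None) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q] / IPv4 / UDP / BOOTP DHCPREQUEST.
    IP and UDP checksums are left zero; the check never looks at them."""
    bootp = (bytes([BOOTP_REQUEST, 1, 6, 0])        # op, htype=Ethernet, hlen=6, hops
             + b"\x12\x34\x56\x78"                   # xid
             + b"\x00" * 20                          # secs, flags, ciaddr, yiaddr, siaddr, giaddr
             + chaddr.ljust(16, b"\x00")             # CHADDR (16 bytes)
             + b"\x00" * 192                         # sname + file
             + b"\x63\x82\x53\x63"                   # DHCP magic cookie
             + b"\x35\x01\x03\xff")                  # option 53 = DHCPREQUEST, end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip
```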

3.4.4 Checking the Configuration


Prerequisite
The configurations of preventing the DoS attack by changing the CHADDR field are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.
• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages for extending IP address leases.

3.5.1 Establishing the Configuration Task
3.5.2 Enabling DHCP Snooping
3.5.3 Enabling the Checking of DHCP Request Messages
3.5.4 (Optional) Configuring the Option 82 Function
3.5.5 Checking the Configuration

3.5.1 Establishing the Configuration Task


Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease. As a result, certain expired IP addresses cannot be reused. To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you can create the DHCP snooping binding table on the S9300 to check DHCP Request messages. If the source IP address, source MAC address, VLAN, and interface of the DHCP Request messages match entries in the binding table, the DHCP Request messages are then forwarded. Otherwise, the DHCP Request messages are discarded.
NOTE
IP addresses are classified into IPv4 addresses and IPv6 addresses. The S9300 checks the source IP addresses of DHCP Request messages, including IPv4 addresses and IPv6 addresses.

The S9300 checks DHCP Request messages as follows:
1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S9300 considers that the DHCP Request message is a broadcast message sent by a user who goes online for the first time, and does not check the DHCP Request message against the binding table. Otherwise, the S9300 considers that the user sends the DHCP Request message to renew the lease of the IP address, and checks the DHCP Request message against the binding table.
2. Checks whether the CIADDR field in the DHCP Request message matches an entry in the binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table. If all these fields match the binding table, the S9300 forwards the message; otherwise, the S9300 discards the message.
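The two-step check above, together with the source MAC match named in the Applicable Environment, as an added example in Python (not Huawei's code). The binding entries, interface names and addresses are constructed; the S9300 checks IPv6 bindings the same way, and the table here simply stores addresses as strings.

```python
# Added example (not Huawei's code): the two-step binding-table check the text
# describes for DHCP Request messages, plus the source MAC match from the
# section introduction. Interface names and addresses below are constructed.
from dataclasses import dataclass
from typing import Dict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # the "all-f" destination MAC


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (IPv4 or IPv6 address as a string)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpRequest:
    dst_mac: str      # destination MAC of the Ethernet frame
    src_mac: str      # source MAC of the Ethernet frame
    ciaddr: str       # CIADDR field: the address the client wants to keep
    vlan: int         # VLAN the message arrived in
    interface: str    # interface the message arrived on


def check_request(req: DhcpRequest, table: Dict[str, Binding]) -> str:
    """Return 'forward' or 'discard' in the order the S9300 applies the checks.
    The table is keyed by the bound IP address. The same match is applied to
    a DHCP Release, which is never broadcast and so always reaches step 2."""
    # Step 1: an all-f destination MAC means a first-time broadcast; no table check.
    if req.dst_mac.lower() == BROADCAST_MAC:
        return "forward"
    # Step 2: a CIADDR that matches no entry is forwarded directly ...
    entry = table.get(req.ciaddr)
    if entry is None:
        return "forward"
    # ... otherwise VLAN ID, interface and source MAC must all match the entry.
    if (entry.vlan == req.vlan and entry.interface == req.interface
            and entry.mac.lower() == req.src_mac.lower()):
        return "forward"
    return "discard"
```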

Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases, you need the following data.

No.   Data
1     Type and number of the interface enabled with detection of bogus DHCP servers
2     Static IP addresses from which packets are forwarded

3.5.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

Return to the system view.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.5.3 Enabling the Checking of DHCP Request Messages


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is the user-side interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check user-bind enable

The interface, or the interface in the VLAN, is enabled to check DHCP Request messages. By default, an interface or an interface in a VLAN is disabled from checking DHCP Request messages.

NOTE
The dhcp snooping check user-bind enable command also checks whether DHCP Release messages match the binding table, thus preventing unauthorized users from releasing the IP addresses of authorized users.

----End

3.5.4 (Optional) Configuring the Option 82 Function


Context
After the Option 82 function is enabled, the S9300 can generate binding entries for users on different interfaces according to the Option 82 field in DHCP messages. When the Option 82 function is used on the DHCP relay agent, the generated binding table does not contain information about the interface if the set Option 82 field does not contain information about the interface. The following situations are caused:
• The DHCP Reply messages of the DHCP server are listened to by users on other interfaces in the VLAN.
• After a user logs in, this valid user can be impersonated if users on other interfaces in the VLAN forge the IP address and MAC address.

When DHCP snooping is used at Layer 2, the S9300 can obtain information about the interface required by the binding table even if the Option 82 function is not configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is the user-side interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp option82 insert enable

The Option 82 field is appended to DHCP messages.

Or, run:
dhcp option82 rebuild enable

The Option 82 field is forcibly appended to DHCP messages.

• After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field. If a DHCP message already contains an Option 82 field, the S9300 checks whether the Option 82 field contains the Remote-id. If the Option 82 field contains the Remote-id, the S9300 retains the original Option 82 field. If not, the S9300 inserts the Remote-id into the Option 82 field. By default, the Remote-id is the MAC address of the S9300.
• After the dhcp option82 rebuild enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field; if the original DHCP messages carry the Option 82 field, the original Option 82 field is removed and a new one is appended.

Step 4 Run:
quit

Return to the system view.

Step 5 (Optional) Run:
dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is set.

NOTE
If the user-defined format of the Option 82 field is used, it is recommended that you specify the interface type, interface number, and slot ID in text.

----End
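The insert and rebuild behaviour described in Step 3, applied to the options part of a DHCP message as an added example in Python (not Huawei's code). It works on the bytes after the magic cookie only; sub-option codes 1 (Circuit ID) and 2 (Remote ID) are those of RFC 3046, and the circuit-id and remote-id values are constructed rather than the S9300's default format.

```python
# Added example (not Huawei's code): how the insert and rebuild modes described
# above treat the options part of a DHCP message (the bytes after the magic
# cookie). Sub-option codes 1 (Circuit ID) and 2 (Remote ID) follow RFC 3046;
# the circuit-id and remote-id values used with it are constructed.
from typing import Dict, List, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
TLV = List[Tuple[int, bytes]]


def parse_tlv(data: bytes, top_level: bool) -> TLV:
    """Walk a DHCP TLV list. At the top level PAD (0) is skipped and END (255)
    stops the walk; inside Option 82 neither special code exists."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_tlv(items: TLV, top_level: bool) -> bytes:
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + bytes([OPT_END]) if top_level else body


def new_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    return encode_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], False)


def apply_option82(options: bytes, mode: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """mode 'insert' models dhcp option82 insert enable, 'rebuild' models
    dhcp option82 rebuild enable. Returns the rewritten options bytes."""
    if mode not in ("insert", "rebuild"):
        raise ValueError(f"unknown mode {mode!r}")
    opts = parse_tlv(options, True)
    others = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    existing = [v for c, v in opts if c == OPT_RELAY_AGENT]
    # No Option 82 in the message: both modes append a fresh one.
    # Rebuild with an existing field: the original is removed and a new one appended.
    if not existing or mode == "rebuild":
        return encode_tlv(others + [(OPT_RELAY_AGENT, new_option82(circuit_id, remote_id))], True)
    # Insert with an existing field: keep it, adding the Remote-id only when missing.
    subs = parse_tlv(existing[0], False)
    if any(code == SUB_REMOTE_ID for code, _ in subs):
        return options
    subs.append((SUB_REMOTE_ID, remote_id))
    return encode_tlv(others + [(OPT_RELAY_AGENT, encode_tlv(subs, False))], True)


def option82_suboptions(options: bytes) -> Dict[int, bytes]:
    """Inspection helper: the Option 82 sub-options of a message as a dict."""
    for code, value in parse_tlv(options, True):
        if code == OPT_RELAY_AGENT:
            return dict(parse_tlv(value, False))
    return {}
```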

3.5.5 Checking the Configuration


Prerequisite
The configurations of preventing the attacker from sending bogus DHCP messages for extending IP address leases are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.
• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
• Run the display dhcp snooping user-bind { all | ip-address ip-address | ipv6-address ipv6-address | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] } command to check the DHCP snooping binding table.
• Run the display dhcp option82 interface interface-type interface-number command to check the status of the Option 82 field.

----End

3.6 Setting the Maximum Number of DHCP Snooping Users


This section describes how to set the maximum number of DHCP snooping users, so that an attacker who applies for IP addresses continuously cannot prevent authorized users from accessing the network.

3.6.1 Establishing the Configuration Task
3.6.2 Enabling DHCP Snooping
3.6.3 Setting the Maximum Number of DHCP Snooping Users
3.6.4 (Optional) Configuring MAC Address Security on an Interface
3.6.5 Checking the Configuration

3.6.1 Establishing the Configuration Task


Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number of DHCP snooping users. When the number of DHCP snooping users reaches the maximum value, users cannot successfully apply for IP addresses.

Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
• Enabling DHCP snooping globally
• Enabling check of the DHCP snooping binding table

Data Preparation
To set the maximum number of DHCP snooping users, you need the following data.

No.   Data
1     Type and number of the interface, VLAN ID, and maximum number of DHCP snooping users

3.6.2 Enabling DHCP Snooping



Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

Return to the system view.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.6.3 Setting the Maximum Number of DHCP Snooping Users


Context
If an unauthorized user applies for IP addresses maliciously, authorized users cannot access the network. To address this problem, you can set the maximum number of access users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping users allowed on an interface or in a VLAN is set. By default, a maximum of 4096 users can access an interface of the S9300 or a VLAN. This command takes effect only when DHCP snooping is enabled globally and on the interface, and is valid only for DHCP users. When the number of DHCP snooping users on an interface or in a VLAN reaches the maximum value set through the dhcp snooping max-user-number command, no more users can access the interface.

----End

3.6.4 (Optional) Configuring MAC Address Security on an Interface



Context
When MAC address security of DHCP snooping is enabled, packets are processed as follows for a non-DHCP user:
• If a static MAC address is not configured, the packets are discarded after reaching the interface where the dhcp snooping sticky-mac command is run.
• If a static MAC address is configured, the packets are forwarded normally.

MAC addresses of DHCP users in the dynamic binding table can be converted to static MAC addresses, and packets of these users can be forwarded normally. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. Therefore, you need to configure static MAC addresses for the static users to have the packets forwarded normally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is a user-side interface.

Step 3 Run:
dhcp snooping sticky-mac

MAC address security of DHCP snooping is enabled on the interface. By default, MAC address security of DHCP snooping is disabled on the S9300. The dhcp snooping sticky-mac command takes effect only after DHCP snooping is enabled globally. If the dhcp snooping sticky-mac command is run, the interface neither learns the MAC address of the received IP packet nor forwards or sends the received IP packet. The DHCP messages received by the interface are sent to the CPU of the main control board, and then a dynamic binding table is generated. After the dynamic binding table is generated, static MAC addresses are sent to the corresponding interface. That is, dynamic MAC addresses are converted to static MAC addresses. The static MAC address entry includes information about the MAC address and VLAN ID of the user. Subsequently, only the packets whose source MAC address matches the static MAC address can pass through the interface; otherwise, the packets are discarded. MAC addresses of static users in the static binding table cannot be converted to static MAC addresses. You need to configure static MAC addresses for the static users to have the packets forwarded normally.

----End

3.6.5 Checking the Configuration



Prerequisite
The configurations of setting the maximum number of users are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.
• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on an interface.

----End

3.7 Limiting the Rate of Sending DHCP Messages


This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.

3.7.1 Establishing the Configuration Task
3.7.2 Enabling DHCP Snooping
3.7.3 Limiting the Rate of Sending DHCP Messages
3.7.4 Checking the Configuration

3.7.1 Establishing the Configuration Task


Applicable Environment
If an attacker sends DHCP Request messages continuously on a network, the DHCP protocol stack of the S9300 is affected. To prevent an attacker from sending a large number of DHCP Request messages, you can configure DHCP snooping on the S9300 to check DHCP Request messages and limit the rate of sending DHCP Request messages. Only a certain number of DHCP Request messages can be sent to the protocol stack during a certain period. Excessive DHCP Request messages are discarded.

Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To limit the rate of sending packets, you need the following data.

No.   Data
1     Rate at which DHCP messages are sent to the protocol stack

3.7.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

Return to the system view.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. In this case, if you set related parameters of DHCP snooping on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as configurations of DHCP snooping.

NOTE
The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.7.3 Limiting the Rate of Sending DHCP Messages


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp snooping check dhcp-rate enable

The S9300 is enabled to check the rate of sending DHCP messages. By default, the S9300 is disabled from checking the rate of sending DHCP messages.

Step 3 Run:
dhcp snooping check dhcp-rate rate

The rate of sending DHCP messages is set. By default, the maximum rate of sending DHCP messages is 100 pps. DHCP packets exceeding the rate are discarded.

Step 4 Run:
dhcp snooping check dhcp-rate alarm enable

The alarm function is enabled for DHCP packets discarded because they exceed the transmission rate.

Step 5 (Optional) Run:
dhcp snooping check dhcp-rate alarm threshold threshold

The alarm threshold of the number of DHCP packets discarded because they exceed the transmission rate is set. By default, the alarm threshold of discarded DHCP packets is 100 pps. An alarm is generated when the number of discarded DHCP packets exceeds the threshold.

----End
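The rate limit and drop-count alarm of Steps 2 to 5, modelled in Python as an added example (not Huawei's code). The one-second measuring window, the cumulative drop counter and the once-only alarm are modelling assumptions; the page only gives the defaults of 100 pps and a threshold of 100.

```python
# Added example (not Huawei's code): a per-second cap on DHCP messages sent to
# the protocol stack and the drop-count alarm of the dhcp-rate commands above.
# The one-second window and the once-only alarm are modelling assumptions.
import math
from typing import List


class DhcpRateLimiter:
    """Admit at most `rate` DHCP messages per one-second window (100 pps by
    default, as on the page) and discard the rest; when alarms are enabled,
    raise one alarm as soon as the number of discarded packets exceeds
    `alarm_threshold` (default 100)."""

    def __init__(self, rate: int = 100, alarm_threshold: int = 100,
                 alarm_enabled: bool = True) -> None:
        self.rate = rate
        self.alarm_threshold = alarm_threshold
        self.alarm_enabled = alarm_enabled
        self._window = None        # start second of the current window
        self._admitted = 0         # messages passed to the stack in this window
        self.dropped = 0           # total messages discarded for exceeding the rate
        self.alarms: List[str] = []

    def offer(self, t: float) -> str:
        """Offer one DHCP message arriving at time t (seconds); 'pass' or 'drop'."""
        window = math.floor(t)
        if window != self._window:            # a new one-second window begins
            self._window, self._admitted = window, 0
        if self._admitted < self.rate:
            self._admitted += 1
            return "pass"
        self.dropped += 1
        if self.alarm_enabled and self.dropped == self.alarm_threshold + 1:
            self.alarms.append(
                f"t={t:.3f}s: discarded DHCP packets ({self.dropped}) exceed "
                f"alarm threshold {self.alarm_threshold}")
        return "drop"


def replay(limiter: DhcpRateLimiter, arrivals: List[float]) -> List[str]:
    """Feed a constructed arrival trace through the limiter, returning the verdicts."""
    return [limiter.offer(t) for t in arrivals]
```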

3.7.4 Checking the Configuration


Prerequisite
The configurations of limiting the rate of sending DHCP messages are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.

----End

3.8 Configuring the Packet Discarding Alarm Function


An alarm is generated when the number of discarded packets exceeds the threshold.

3.8.1 Establishing the Configuration Task
3.8.2 Enabling DHCP Snooping
3.8.3 Enabling the Checking of DHCP Messages
3.8.4 Configuring the Packet Discarding Alarm Function
3.8.5 Checking the Configuration

3.8.1 Establishing the Configuration Task


Applicable Environment
With DHCP snooping configured, the S9300 discards packets sent from an attacker. Table 3-2 shows the relation between the type of attack and the type of discarded packets.

Table 3-2 Relation between the type of attacks and the type of discarded packets

Type of Attacks | Type of Discarded Packets
Bogus DHCP server attack | DHCP Reply messages received from untrusted interfaces
DoS attack by changing the CHADDR field | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header
Attack by sending bogus messages to extend IP address leases | DHCP Request messages that do not match entries in the binding table
Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S9300 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent
• Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the user side
• Configuring the checking of DHCP messages
• Configuring the checking of the CHADDR field in DHCP Request messages
• Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

No. | Data
1 | Alarm threshold for the number of discarded packets

3.8.2 Enabling DHCP Snooping


Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally, on interfaces, and in VLANs. Before enabling DHCP snooping, enable DHCP globally.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable


DHCP is enabled globally.

Step 3 Run:
dhcp snooping enable

DHCP snooping is enabled globally.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 5 Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300; otherwise, configurations related to DHCP snooping do not take effect on those interfaces. This restriction does not apply to a network-side interface.

Step 6 (Optional) Run:
quit

The system view is displayed again.

Step 7 (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing. If you then set the related DHCP snooping parameters on the interface, the S9300 can process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent to the VPLS network from the user side. The dhcp snooping over-vpls enable command is run in the system view. Other configurations of DHCP snooping over VPLS are the same as the configurations of DHCP snooping.
NOTE

The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.

----End

3.8.3 Enabling the Checking of DHCP Messages



Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface is a user-side interface.

Or, run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
dhcp snooping check { mac-address | user-bind } enable

The function of checking DHCP messages is enabled.
• With the mac-address keyword, the S9300 checks whether the source MAC address in the frame header of a DHCP Request message is the same as the value of the CHADDR field in the message. If the two differ, the DHCP Request message is discarded.
• With the user-bind keyword, the S9300 checks whether a DHCP Request or Release message matches the binding table; a message that does not match is discarded.

By default, the S9300 does not check DHCP messages.

----End

3.8.4 Configuring the Packet Discarding Alarm Function


Context
The packet discarding alarm function can be configured globally and on an interface.
• The packet discarding alarm function configured globally takes effect for all interfaces.
• The packet discarding alarm function configured on an interface takes effect only for that interface. If the packet discarding alarm function is not configured on an interface, the global configuration is used.
NOTE

If you need to configure the alarm function for the DHCP messages that are discarded because they exceed the transmission rate, see 3.7.3 Limiting the Rate of Sending DHCP Messages.

Procedure
• Configuring the packet discarding alarm function globally
1. Run:
system-view

The system view is displayed.

2. Run:
dhcp snooping alarm threshold threshold

The global alarm threshold for the number of discarded packets is set. By default, the global alarm threshold for the number of discarded DHCP messages is 100 pps.

• Configuring the packet discarding alarm function on an interface
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dhcp snooping alarm { mac-address | user-bind | untrust-reply } enable

The packet discarding alarm function is enabled on the interface.
• mac-address: If the source MAC address in the frame header is different from the MAC address in the CHADDR field of the DHCP message, the message is discarded.
• user-bind: If the DHCP message does not match the binding table, the message is discarded. Here the DHCP message refers to a DHCP Request message other than a Discover message.
• untrust-reply: If an untrusted interface receives a Reply message sent by the DHCP server, the message is discarded.

By default, the packet discarding alarm function is disabled on an interface.

4. Run:
dhcp snooping alarm { mac-address | user-bind | untrust-reply } threshold threshold

The alarm threshold for the number of discarded packets is set on the interface. By default, an interface uses the threshold set by the dhcp snooping alarm threshold command. If that command has not been run in the system view, the interface uses the default threshold, 100 pps.

----End
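The checks of 3.8.3 (mac-address, user-bind, untrust-reply), the rate limit of 3.7.3 and the global-versus-interface alarm threshold rule of 3.8.4, modelled as an added Python example. This is not Huawei code and not the S9300 implementation; the class and function names, the message fields, the (IP, MAC, interface, VLAN) binding key, the alarm firing once when the per-interface drop count reaches the threshold, and the switch-wide one-second window standing in for the pps limit are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

REPLY_KINDS = {"offer", "ack", "nak"}  # server-to-client (Reply) messages


@dataclass
class DhcpMessage:  # only the fields the checks look at (constructed test data, not a parser)
    kind: str                 # discover | request | release | offer | ack | nak
    src_mac: str              # source MAC in the Ethernet frame header
    chaddr: str               # CHADDR field of the DHCP message
    vlan: int
    ip: Optional[str] = None  # client IP carried by Request/Release; Discover has none


@dataclass
class Interface:
    name: str
    snooping: bool = True          # dhcp snooping enable (interface view)
    trusted: bool = False          # dhcp snooping trusted; untrusted by default
    check_mac: bool = False        # dhcp snooping check mac-address enable
    check_user_bind: bool = False  # dhcp snooping check user-bind enable
    alarms: set = field(default_factory=set)        # dhcp snooping alarm <type> enable
    thresholds: dict = field(default_factory=dict)  # dhcp snooping alarm <type> threshold


class DhcpSnooping:
    def __init__(self, global_threshold=100, rate_limit=None):
        self.global_threshold = global_threshold  # dhcp snooping alarm threshold (default 100)
        self.rate_limit = rate_limit              # dhcp snooping check dhcp-rate <pps>; None = off
        self.interfaces = {}                      # name -> Interface
        self.bindings = set()                     # binding table: (ip, mac, ifname, vlan)
        self.drops = defaultdict(lambda: defaultdict(int))  # drops[ifname][check]
        self.alarms = []                          # (ifname, check, count) when threshold reached
        self._window = (None, 0)                  # (second, messages seen in that second)

    def add_static_binding(self, ip, mac, ifname, vlan):
        self.bindings.add((ip, mac.lower(), ifname, vlan))  # user-bind static ... (3.10.3)

    def _drop(self, iface, check):
        self.drops[iface.name][check] += 1
        n = self.drops[iface.name][check]
        # interface threshold wins; otherwise the global one (3.8.4); alarm fires once
        if check in iface.alarms and n == iface.thresholds.get(check, self.global_threshold):
            self.alarms.append((iface.name, check, n))
        return "drop:" + check

    def process(self, ifname, msg, now=0.0):
        iface = self.interfaces[ifname]
        if not iface.snooping:
            return "forward"                      # no checks on a non-snooping interface
        sec = int(now)                            # per-second window standing in for pps
        self._window = (sec, self._window[1] + 1 if self._window[0] == sec else 1)
        if self.rate_limit is not None and self._window[1] > self.rate_limit:
            self.drops["global"]["dhcp-rate"] += 1   # rate check is global (3.7.3)
            return "drop:dhcp-rate"
        if msg.kind in REPLY_KINDS:               # Reply accepted only from a trusted port
            return "forward" if iface.trusted else self._drop(iface, "untrust-reply")
        if iface.check_mac and msg.chaddr.lower() != msg.src_mac.lower():
            return self._drop(iface, "mac-address")          # CHADDR vs. frame source MAC
        if iface.check_user_bind and msg.kind != "discover":  # Discover is exempt
            if (msg.ip, msg.chaddr.lower(), ifname, msg.vlan) not in self.bindings:
                return self._drop(iface, "user-bind")
        return "forward"


def build_example(rate_limit=None):
    # Topology of the 3.10.x examples: GE1/0/0 toward the server (trusted), GE2/0/0 user side.
    s = DhcpSnooping(rate_limit=rate_limit)
    s.interfaces["GE1/0/0"] = Interface("GE1/0/0", trusted=True)
    s.interfaces["GE2/0/0"] = Interface(
        "GE2/0/0", check_mac=True, check_user_bind=True,
        alarms={"mac-address", "user-bind", "untrust-reply"},
        thresholds={"untrust-reply": 2})          # small interface threshold for the demo
    s.add_static_binding("10.1.1.3", "0000-005e-008a", "GE2/0/0", 3)
    return s


def run_scenarios():
    s = build_example()
    offer = DhcpMessage("offer", "0000-005e-0001", "0000-005e-008a", 3, "10.1.1.3")
    bound = DhcpMessage("request", "0000-005e-008a", "0000-005e-008a", 3, "10.1.1.3")
    r = {
        "reply_trusted": s.process("GE1/0/0", offer),
        "reply_untrusted": s.process("GE2/0/0", offer),
        "chaddr_mismatch": s.process("GE2/0/0", DhcpMessage("request", "0000-005e-008a", "0000-005e-00ff", 3, "10.1.1.3")),
        "discover_unbound": s.process("GE2/0/0", DhcpMessage("discover", "0000-005e-0099", "0000-005e-0099", 3)),
        "request_bound": s.process("GE2/0/0", bound),
        "request_unbound": s.process("GE2/0/0", DhcpMessage("request", "0000-005e-0099", "0000-005e-0099", 3, "10.1.1.99")),
        "second_reply_untrusted": s.process("GE2/0/0", offer),   # reaches threshold 2 -> alarm
    }
    r["alarms"] = list(s.alarms)
    r["drops"] = {k: dict(v) for k, v in s.drops.items()}
    # dhcp snooping check dhcp-rate 2: the third message inside one second is dropped
    fast = build_example(rate_limit=2)
    r["rate"] = [fast.process("GE2/0/0", bound, now=5.0) for _ in range(3)]
    return r
```

The scenario set mirrors Table 3-2: a Reply on the trusted port passes, the same Reply on the user port is dropped, a CHADDR/source-MAC mismatch is dropped, a Discover is exempt from the binding check, and the alarm is recorded only when the interface-specific threshold is reached.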

3.8.5 Checking the Configuration


Prerequisite
The configurations of the packet discarding alarm function are complete.

Procedure
• Run the display dhcp snooping global command to check information about global DHCP snooping.

• Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.

----End

3.9 Maintaining DHCP Snooping


This section describes how to maintain DHCP snooping.

3.9.1 Clearing DHCP Snooping Statistics
3.9.2 Resetting the DHCP Snooping Binding Table
3.9.3 Backing Up the DHCP Snooping Binding Table

3.9.1 Clearing DHCP Snooping Statistics


Context
To clear the statistics on DHCP snooping discarded packets, run the following commands in the system view.

Procedure
• Run the reset dhcp snooping statistics global command to clear the statistics on globally discarded packets.
• Run the reset dhcp snooping statistics interface interface-type interface-number command to clear the statistics on discarded packets on the interface.

----End

3.9.2 Resetting the DHCP Snooping Binding Table


Context
To clear entries in the DHCP snooping binding table, run the following command in the user view or system view.

Procedure
• Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ]* | ip-address ip-address | ipv6-address ipv6-address ] command to reset the DHCP snooping binding table.

----End

3.9.3 Backing Up the DHCP Snooping Binding Table


Context
To back up the DHCP snooping binding table, run the following command in the system view.

Procedure
• Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table.

If backup is configured, the system automatically saves the binding table to the specified path every hour or after 300 dynamic binding entries have been generated. If backup is not configured, the dynamic DHCP snooping binding table is lost after the S9300 restarts. As a result, users that obtained IP addresses dynamically from the DHCP server cannot communicate normally until they log in again.

----End

3.10 Configuration Examples


This section provides several configuration examples of DHCP snooping.

3.10.1 Example for Preventing the Bogus DHCP Server Attack
3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
3.10.4 Example for Limiting the Rate of Sending DHCP Messages
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network

3.10.1 Example for Preventing the Bogus DHCP Server Attack


Networking Requirements
As shown in Figure 3-3, the S9300 is deployed between the user network and the Layer 2 network of the ISP. To prevent the bogus DHCP server attack, it is required that DHCP snooping be configured on the S9300, the user-side interface be configured as untrusted, the network-side interface be configured as trusted, and the packet discarding alarm function be configured.


Figure 3-3 Networking diagram for preventing the bogus DHCP server attack
[Figure: User network - GE2/0/0 - S9300 - GE1/0/0 - ISP L2 network - DHCP relay - L3 network - DHCP server]

Configuration Roadmap
The configuration roadmap is as follows (assume that the DHCP server has been configured):
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as a trusted interface.
3. Configure the user-side interface as an untrusted interface. DHCP Reply messages (Offer, ACK, and NAK) received from the untrusted interface are discarded.
4. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• GE 1/0/0 being the trusted interface and GE 2/0/0 being the untrusted interface
• Alarm threshold being 120

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable


# Enable DHCP snooping on the user-side interface.

Step 2 Configure the interface as trusted or untrusted.

# Configure the interface at the DHCP server side as trusted.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit

# Configure the interface at the user side as untrusted. After DHCP snooping is enabled on GE 2/0/0, the mode of GE 2/0/0 is untrusted by default.

Step 3 Configure the packet discarding alarm function.

# Configure the alarm for Reply messages that the S9300 discards on the untrusted interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply enable

# Set the alarm threshold.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet2/0/0] quit

Step 4 Verify the configuration.

Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
   GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :
   GigabitEthernet1/0/0
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 60
<Quidway> display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping trusted
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 60

----End

Configuration Files
#
 sysname Quidway
#
 dhcp enable


 dhcp snooping enable
#
interface GigabitEthernet1/0/0
 dhcp snooping trusted
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
#
return

3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
Networking Requirements
As shown in Figure 3-4, the S9300 is deployed between the user network and the ISP Layer 2 network. To prevent the DoS attack by changing the CHADDR field, it is required that DHCP snooping be configured on the S9300 and the CHADDR field of DHCP Request messages be checked: if the CHADDR field of a DHCP Request message matches the source MAC address in the frame header, the message is forwarded; otherwise, it is discarded. The packet discarding alarm function is also configured.

Figure 3-4 Networking diagram for preventing the DoS attack by changing the CHADDR field
[Figure: User network - GE2/0/0 - S9300 - GE1/0/0 - ISP L2 network - DHCP relay - L3 network - DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check mac-address enable

Step 3 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address enable

# Set the alarm threshold.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm mac-address threshold 120

Step 4 Verify the configuration.

Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and in the interface view.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
   GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 25
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 25

----End

Configuration Files
#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
#
return

3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
Networking Requirements
As shown in Figure 3-5, the S9300 is deployed between the user network and the ISP Layer 2 network. To prevent the attacker from sending bogus DHCP messages for extending IP address leases, it is required that DHCP snooping be configured on the S9300 and the DHCP snooping binding table be created. If the received DHCP Request messages match entries in the binding table, they are forwarded; otherwise, they are discarded. The packet discarding alarm function is configured.

Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases
[Figure: User network - GE2/0/0 - S9300 - GE1/0/0 - ISP L2 network - DHCP relay - L3 network - DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Use the operation mode of the DHCP snooping binding table to check DHCP Request messages.
3. Configure the packet discarding alarm function.
4. Configure the Option 82 function and create a binding table that contains information about the interface.

Data Preparation
To complete the configuration, you need the following data:
• ID of the VLAN that each interface belongs to
• Static IP addresses from which packets are forwarded
• Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the checking of packets.

# Configure the checking of DHCP Request messages on the user-side interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure static binding entries.

# Configure the static binding entries for the user side.
[Quidway] user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3

Step 4 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind enable

# Set the alarm threshold.
[Quidway-GigabitEthernet2/0/0] dhcp snooping alarm user-bind threshold 120

Step 5 Configure the Option 82 function.

# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.

Run the display dhcp snooping command on the S9300, and you can view that DHCP snooping is enabled globally and on the interface.
<Quidway> display dhcp snooping global
 dhcp snooping enable
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
   GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface :
   GigabitEthernet2/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 45
<Quidway> display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 45

Run the display user-bind all command, and you can view all the static binding entries of users.
<Quidway> display user-bind all
 bind-table:
 ifname      O/I-vlan   mac-address      ip-address     tp  lease  vsi
 ---------------------------------------------------------------------
 GE2/0/0     3/ --      0000-005e-008a   10.1.1.3       S   0
 ---------------------------------------------------------------------
 Static binditem count: 1
 Static binditem total count: 1

Run the display dhcp option82 interface command, and you can find that the function of inserting the Option 82 field into packets is enabled on the interface.
<Quidway> display dhcp option82 interface gigabitethernet 2/0/0
 dhcp option82 insert enable

----End

Configuration Files
#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
#
user-bind static ip-address 10.1.1.3 mac-address 0000-005e-008a interface gigabitethernet 2/0/0 vlan 3
#
interface gigabitethernet 2/0/0
 dhcp snooping enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
return

3.10.4 Example for Limiting the Rate of Sending DHCP Messages


Networking Requirements
As shown in Figure 3-6, to prevent the attacker from sending a large number of DHCP Request messages, it is required that DHCP snooping be enabled on the S9300 to control the rate of sending DHCP Request messages to the protocol stack. At the same time, the packet discarding alarm function is enabled.

Figure 3-6 Networking diagram for limiting the rate of sending DHCP messages
[Figure: Attacker (L2 network) - GE1/0/1 - S9300; DHCP client (L2 network) - GE1/0/2 - S9300; S9300 - GE2/0/1 - L2 network - DHCP relay - L3 network - DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Set the rate of sending DHCP Request messages to the protocol stack.
3. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
• Rate of sending DHCP Request messages
• Alarm threshold

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the user-side interface. The configuration procedure of GE 1/0/2 is the same as the configuration procedure of GE 1/0/1, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] dhcp snooping enable
[Quidway-GigabitEthernet1/0/1] quit


Step 2 Limit the rate of sending DHCP messages.

# Enable the checking of the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable

# Set the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate 90

Step 3 Configure the packet discarding alarm function.

# Enable the packet discarding alarm function.
[Quidway] dhcp snooping check dhcp-rate alarm enable

# Set the alarm threshold.
[Quidway] dhcp snooping check dhcp-rate alarm threshold 120

Step 4 Verify the configuration.

Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally and the packet discarding alarm is enabled.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
   GigabitEthernet1/0/1   GigabitEthernet1/0/2
 Dhcp snooping trusted is configured at these interface :NULL
 Dhcp option82 insert is configured at these interface :NULL
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

----End

Configuration Files
#
 sysname Quidway
#
 dhcp enable
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm threshold 80
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
#
interface GigabitEthernet1/0/2
 dhcp snooping enable
#
return


3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network


Networking Requirements
As shown in Figure 3-7, DHCP clients are connected to the S9300 through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address. It is required that DHCP snooping be configured on user-side interfaces GE 1/0/0 and GE 1/0/1 of the S9300 to prevent the following types of attacks:
• Bogus DHCP server attack
• DoS attack by changing the value of the CHADDR field
• Attack by sending bogus messages to extend IP address leases
• Attack by sending a large number of DHCP Request messages

Figure 3-7 Networking diagram for configuring DHCP snooping
[Figure: DHCP client1 - GE1/0/0 - S9300; DHCP client2 (IP: 10.1.1.1/24, MAC: 0001-0002-0003) - GE1/0/1 - S9300; S9300 - GE2/0/0 - DHCP relay - DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation
To complete the configuration, you need the following data:
• VLAN that the interface belongs to being 10
• GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted
• Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
• Rate of sending DHCP messages to the protocol stack being 90
• Mode of the Option 82 function being insert
• Alarm threshold of the number of discarded packets being 120
• Alarm threshold for checking the rate of sending packets being 80

NOTE

This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.

# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE 1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.

# Configure the interface connecting to the DHCP server as trusted, and enable DHCP snooping on all the interfaces connecting to DHCP clients. If an interface on the client side is not configured as trusted, its default mode is untrusted once DHCP snooping is enabled on it. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Configure the checking for certain types of packets.

# Enable the checking of DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
Issue 06 (20100108) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 3-43

3 DHCP Snooping Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - Security

[Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable [Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.
# If you use the static IP address, configuring DHCP snooping static entries is required.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10

Step 5 Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages to prevent attackers from sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function, and set the alarm threshold of the number of discarded packets. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit

# Enable the alarm function for checking the rate of sending packets, and set the alarm threshold for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Verify the configuration.
Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
 GigabitEthernet1/0/0 GigabitEthernet1/0/1
 Dhcp snooping trusted is configured at these interface :
 GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface :
 GigabitEthernet1/0/0 GigabitEthernet1/0/1
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname          O/I-vlan  mac-address     ip-address       tp  lease  vsi
------------------------------------------------------------------------------
GE1/0/1         10/ --    0001-0002-0003  10.1.1.1         S   0
------------------------------------------------------------------------------
Static binditem count: 1    Static binditem total count: 1

Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
 dhcp option82 insert enable

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
 dhcp snooping trusted
#
return

3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
Networking Requirements
As shown in Figure 3-8, the S9300 is connected to the DHCP server and DHCP client; the DHCP relay function is enabled; DHCP client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured IP address. It is required that DHCP snooping be configured on the S9300 to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages for extending IP address leases
- Attack by sending a large number of DHCP Request messages

When users log out abnormally after requesting for IP addresses, the system detects this failure automatically, and then deletes the binding in the DHCP binding table, and notifies the DHCP server to release IP addresses.


Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent
[Figure: the S9300 acting as DHCP relay connects to the DHCP server through GE2/0/0 and to DHCP client1 and DHCP client2 (IP:10.1.1.1/24, MAC:0001-0002-0003) through GE1/0/0]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/0 belonging to VLAN 10 and GE 2/0/0 belonging to VLAN 20
- Static IP address from which packets are forwarded being 10.1.1.1/24 and corresponding MAC address being 0001-0002-0003
- GE 1/0/0 configured as untrusted and GE 2/0/0 configured as trusted
- Rate of sending DHCP messages to the CPU being 90
- Mode of the Option 82 function being insert
- Alarm threshold of the number of discarded packets being 120
- Alarm threshold for checking the rate of sending packets being 80
NOTE
This configuration example provides only the commands related to the DHCP snooping configuration. For the configuration of DHCP Relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable

# Enable DHCP snooping on the interface at the user side.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Step 2 Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on the interfaces connecting to the DHCP client. If the interface on the client side is not configured as trusted, the default mode of the interface is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit

Step 3 Enable the checking for certain types of packets and configure the DHCP snooping binding table.
# Enable the checking of DHCP Request messages on the interface at the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit

# Enable the checking of the CHADDR field on the interface at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.
# If you use the static IP address, configuring DHCP snooping static entries is required.
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10

Step 5 Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages to prevent attackers from sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Step 6 Configure the Option 82 function.
# Configure the user-side interface to append the Option 82 field to DHCP messages.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Step 7 Configure the packet discarding alarm function.
# Enable the packet discarding alarm function, and set the alarm threshold of the number of discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit

# Enable the alarm function for checking the rate of sending packets and set the alarm threshold for checking the rate of sending packets.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Associate ARP with DHCP snooping.
# The system sends the ARP packet to probe the IP address that expires within the aging time in the DHCP snooping entry and does not exist in the ARP entry. If no user is detected within the specified number of detection times, the system deletes the binding relation in the DHCP binding table and notifies the DHCP server to release the IP address.
[Quidway] arp dhcp-snooping-detect enable

Step 9 Verify the configuration.
Run the display dhcp snooping global command on the S9300, and you can view that DHCP snooping is enabled globally. You can also view the statistics on alarms.
[Quidway] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
 GigabitEthernet1/0/0
 Dhcp snooping trusted is configured at these interface :
 GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface :
 GigabitEthernet1/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0


Run the display dhcp snooping interface command, and you can view information about DHCP snooping on the interface.
[Quidway] display dhcp snooping interface gigabitethernet 1/0/0
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind
 dhcp snooping alarm check user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp packet dropped by user-bind checking = 0
 dhcp snooping check mac-address
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp packet dropped by mac-address checking = 0
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp packet dropped by untrust-reply checking = 0
[Quidway] display dhcp snooping interface gigabitethernet 2/0/0
 dhcp snooping trusted

Run the display user-bind all command, and you can view the static binding entries of users.
[Quidway] display user-bind all
bind-table:
ifname          O/I-vlan  mac-address     ip-address       tp  lease  vsi
------------------------------------------------------------------------------
GE1/0/0         10/ --    0001-0002-0003  10.1.1.1         S   0
------------------------------------------------------------------------------
Static binditem count: 1    Static binditem total count: 1

Run the display dhcp option82 interface command, and you can view the configuration of Option 82 on the interface.
[Quidway] display dhcp option82 interface gigabitethernet 1/0/0
 dhcp option82 insert enable

----End
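The ARP probing that Step 8 enables (arp dhcp-snooping-detect enable), as an added software model that is not S9300 code: entries close to lease expiry without an ARP entry are probed, and after the allowed number of unanswered probes the binding is removed and the server is asked to release the address. The aging window and probe count are assumed parameters, since the page gives no values for them.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    lease_end: int            # time (seconds) at which the DHCP lease expires
    unanswered_probes: int = 0


class ArpDhcpSnoopingDetect:
    """Model of the ARP detection associated with DHCP snooping (constructed example).

    aging_window: how close (seconds) to expiry an entry must be before it is probed.
    max_probes:   the number of detection times allowed before the entry is dropped.
    Both are assumptions of this example, not values from the configuration guide.
    """

    def __init__(self, aging_window, max_probes):
        self.aging_window = aging_window
        self.max_probes = max_probes
        self.bindings = {}       # ip -> Binding (the DHCP snooping binding table)
        self.arp_table = {}      # ip -> mac, learned from ARP replies
        self.probes_sent = []    # (time, ip, port) for every probe the model sends
        self.released = []       # (ip, mac) the DHCP server was told to release

    def learn(self, ip, mac, port, lease_end):
        """Record a lease the switch saw the server grant (a dynamic binding)."""
        self.bindings[ip] = Binding(ip, mac, port, lease_end)

    def arp_reply(self, ip, mac):
        """The host answered a probe (or sent any ARP), so it is still present."""
        self.arp_table[ip] = mac
        if ip in self.bindings:
            self.bindings[ip].unanswered_probes = 0

    def arp_age_out(self, ip):
        """The host's ARP entry timed out; it must be probed again near expiry."""
        self.arp_table.pop(ip, None)

    def tick(self, now):
        """One detection round at time `now`; returns the addresses released."""
        released_now = []
        for b in list(self.bindings.values()):
            if b.lease_end - now > self.aging_window:
                continue         # not close to expiry: nothing to check yet
            if b.ip in self.arp_table:
                continue         # ARP entry exists: the user is known to be present
            self.probes_sent.append((now, b.ip, b.port))
            b.unanswered_probes += 1
            if b.unanswered_probes >= self.max_probes:
                # No user detected within the allowed number of detections: drop the
                # binding and notify the DHCP server to release the address.
                del self.bindings[b.ip]
                self.released.append((b.ip, b.mac))
                released_now.append(b.ip)
        return released_now
```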

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 80
#
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 10
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
 dhcp snooping trusted
#
arp dhcp-snooping-detect enable
#
return

3 DHCP Snooping Configuration

3.10.7 Example for Configuring DHCP Snooping on a VPLS Network


Networking Requirements
As shown in Figure 3-9, the DHCP client is connected to the VPLS network through the LAN switch; PE1 and PE2 are connected through a VPLS public network. DHCP snooping is enabled on PE1; the interface at the DHCP client side is configured as untrusted and the interface at the DHCP server side is configured as trusted. In addition, PE1 can prevent the following attacks:
- Bogus DHCP server attacks
- DoS attacks by changing the value of the CHADDR field
- Attacks by sending bogus messages for extending IP address leases
- Attacks by sending a large number of DHCP Request messages
DHCP client 1 uses the dynamically allocated IP address and DHCP client 2 uses the statically configured IP address.
Figure 3-9 Networking diagram for configuring DHCP snooping on a VPLS network
[Figure: DHCP client1 and DHCP client2 (IP:10.1.1.1/24, MAC:0001-0002-0003) connect to the LAN switch (GE2/0/0, GE2/0/1), which uplinks to PE1 GE1/0/0; PE1 (Loopback1 1.1.1.9/32, GE2/0/0 VLANIF10 100.1.1.1/24) connects across the VPLS public network to PE2 (Loopback1 2.2.2.9/32, GE2/0/0 VLANIF10 100.1.1.2/24); the DHCP server is attached to PE2 GE3/0/0]

NOTE

Users apply to the DHCP server for IP addresses through the Layer 2 network; therefore, DHCP relay devices are not required in the preceding networking.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VPLS, which involves the following:
   - Configure the routing protocol on the backbone network to ensure the connectivity of routers.
   - Configure basic MPLS functions and establish an LSP between PEs.
   - Enable MPLS L2VPN on PEs.
   - Create a VSI on the PEs and specify LDP as the signaling protocol, and then bind the VSI to the AC interfaces.
2. Configure DHCP snooping, which involves the following:
   - Enable DHCP snooping in the system view and in the interface view, and enable DHCP snooping over VPLS.
   - Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
   - Set the maximum number of DHCP snooping users to prevent malicious IP address application. Malicious IP address application prevents authorized users from applying for IP addresses.
   - Configure the checking of the CHADDR value to prevent DoS attacks by changing the value of the CHADDR field.
   - Configure the checking of DHCP Request messages against the DHCP snooping binding table to prevent attacks by sending bogus messages for extending IP address leases.
   - Configure Option 82 and create a binding table covering accurate interface information.
   - Configure the alarm function.

Data Preparation
To complete the configuration, you need the following data:
- Static IP address from which packets are forwarded
- Maximum number of users
- Alarm threshold
- VSI name and VSI ID
- IP address of the peer and tunnel policy used for setting up the peer relation
- Interface bound to a VSI
NOTE

The following example only provides the configuration procedure of the S9300. For details on the configuration of other devices, see the related operation guides.

Procedure
Step 1 Configure the VPLS.
1. Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted to advertise routes. Assign an IP address to each interface on PEs as shown in Figure 3-9.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 24
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<PE2> system-view
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 24
[PE2-Vlanif10] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration, run the display ip routing-table command on PE1 and PE2. You can view that PEs can learn routes and ping each other. Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   1           D   100.1.1.2       Vlanif10
       100.1.1.0/24  Direct  0    0           D   100.1.1.1       Vlanif10
       100.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
<PE1> ping 100.1.1.2
  PING 100.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=2 ms
    Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 100.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

2. Enable basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit

After the configuration, run the display mpls ldp session command on PE1 or PE2. You can view that the Status item of the peer between PE1 and PE2 is Operational, which indicates that the peer relation is established. Run the display mpls lsp command, and you can view the establishment of the LSP. Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID            Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  000:00:01   7/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
 SN   DestAddress/Mask   In/OutLabel   Next-Hop        In/OutInterface
 ------------------------------------------------------------------------------
 1    1.1.1.9/32         3/NULL        127.0.0.1       Vlanif10/InLoop0
 2    2.2.2.9/32         NULL/3        100.1.1.2       -------/Vlanif10
 ------------------------------------------------------------------------------
 TOTAL: 2 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale

3. Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
[PE1] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2] quit

4. Create VSIs and specify LDP as the signaling protocol of VSIs.
# Configure PE1.
[PE1] vsi v123 static
[PE1-vsi-v123] pwsignal ldp
[PE1-vsi-v123-ldp] vsi-id 2
[PE1-vsi-v123-ldp] peer 2.2.2.9
[PE1-vsi-v123-ldp] quit
[PE1-vsi-v123] quit

# Configure PE2.
[PE2] vsi v123 static
[PE2-vsi-v123] pwsignal ldp
[PE2-vsi-v123-ldp] vsi-id 2
[PE2-vsi-v123-ldp] peer 1.1.1.9
[PE2-vsi-v123-ldp] quit
[PE2-vsi-v123] quit

5. Bind the VSI to the interfaces on the PEs.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] l2 binding vsi v123
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] l2 binding vsi v123
[PE2-Vlanif30] quit

After the configuration, run the display vsi name v123 verbose command on PE1, and you can find that VSI v123 sets up a PW to PE2, and the status of the VSI is Up.
<PE1> display vsi name v123 verbose

 ***VSI Name               : v123
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Mpls Exp               : -
    DomainId               : 255
    Domain Name            :
    VSI State              : up

    VSI ID                 : 2
   *Peer Router ID         : 2.2.2.9
    VC Label               : 27648
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x802000

    Interface Name         : Vlanif20
    State                  : up

  **PW Information:

   *Peer Ip Address        : 2.2.2.9
    PW State               : up
    Local VC Label         : 21504
    Remote VC Label        : 21504
    PW Type                : label
    Tunnel ID              : 0x802000
    FIB Link-ID            : 1

Step 2 Configure DHCP snooping.
1. Enable DHCP snooping.
Enable DHCP snooping globally and on the interface.
# Configure PE1.
[PE1] dhcp enable
[PE1] dhcp snooping enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping enable
[PE1-GigabitEthernet2/0/0] quit

Enable DHCP snooping over VPLS.
# Configure PE1.
[PE1] dhcp snooping over-vpls enable

2. Configure the trusted interface.
# Configure PE1.
Configure the interface connecting to the DHCP server as a trusted interface and enable DHCP snooping on all the interfaces connected to the DHCP client. If the interface at the client side is not configured with "Trusted", the default interface mode is "Untrusted" after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks.
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] dhcp snooping trusted
[PE1-GigabitEthernet2/0/0] quit

3. Configure the DHCP snooping binding table.
# Configure PE1.
Set the maximum number of DHCP snooping users on interfaces at the DHCP client side. In this manner, malicious IP address application can be prevented and authorized users can successfully apply for IP addresses.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
[PE1-GigabitEthernet1/0/0] quit

Configure static binding entries. If users adopt static IP addresses, you need to manually configure static DHCP snooping entries.
[PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20

4. Configure the checking of specific packets.
# Configure PE1.
# Check DHCP Request messages on the interfaces at the DHCP client side to prevent attacks by sending bogus DHCP messages to extend IP address leases.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping check user-bind enable

# Check the CHADDR field on the interfaces at the DHCP client side to prevent attacks by changing the value of the CHADDR field.
[PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[PE1-GigabitEthernet1/0/0] quit

5. Configure Option 82.
# Configure PE1.
# Configure DHCP messages to carry interface information; therefore, the binding table covers more accurate interface information.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp option82 insert enable
[PE1-GigabitEthernet1/0/0] quit

6. Configure the alarm function.
# Configure PE1.
Enable the alarm function of discarding packets and set the alarm threshold for discarding packets.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[PE1-GigabitEthernet1/0/0] quit

Enable the alarm function of limiting the rate of packets and set the alarm threshold for limiting the rate of packets.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate alarm enable
[PE1] dhcp snooping check dhcp-rate alarm threshold 80

Step 3 Verify the configuration. After the configuration, users can dynamically apply for IP addresses.
Run the display dhcp snooping global command on PE1. You can view that DHCP snooping is enabled globally and in the interface view. You can also view the statistics on the alarms sent to the NMS.
<PE1> display dhcp snooping global
 dhcp snooping enable
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate alarm threshold 80
 Dhcp snooping enable is configured at these vlan :NULL
 Dhcp snooping enable is configured at these interface :
 GigabitEthernet1/0/0 GigabitEthernet2/0/0
 Dhcp snooping trusted is configured at these interface :
 GigabitEthernet2/0/0
 Dhcp option82 insert is configured at these interface :
 GigabitEthernet1/0/0
 Dhcp option82 rebuild is configured at these interface :NULL
 dhcp packet drop count within alarm range : 0
 dhcp packet drop count total : 0

Run the display dhcp snooping interface command on PE1, and you can view information about DHCP snooping on the interface.
<PE1> dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp dhcp <PE1> dhcp dhcp dhcp display dhcp snooping interface gigabitethernet 1/0/0 snooping enable option82 insert enable snooping check user-bind snooping alarm check user-bind enable snooping alarm user-bind threshold 120 packet dropped by user-bind checking = 0 snooping check mac-address snooping alarm mac-address enable snooping alarm mac-address threshold 120 packet dropped by mac-address checking = 0 snooping alarm untrust-reply enable snooping alarm untrust-reply threshold 120 packet dropped by untrust-reply checking = 0 snooping max-user-number 3000 display dhcp snooping interface gigabitethernet 2/0/0 snooping enable snooping trusted packet dropped by untrust-reply checking = 0

Run the display user-bind all command on PE1, and you can view static binding entries of users.
<PE1> display user-bind all bind-table: ifname O/I-vlan mac-address ip-address tp lease vsi ------------------------------------------------------------------------------GE1/0/0 20/ -- 0001-0002-0003 10.1.1.1 S 0 -------------------------------------------------------------------------------Static binditem count: 1 Static binditem total count: 1

----End

Configuration Files
- Configuration file of PE1
#
 sysname PE1
#
vlan batch 10 20
#
dhcp enable
dhcp snooping enable
dhcp snooping over-vpls enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate alarm threshold 80
user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface GigabitEthernet1/0/0 vlan 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 2
  peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif20
 l2 binding vsi v123
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 dhcp snooping enable
 dhcp option82 insert enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable
 dhcp snooping alarm user-bind threshold 120
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 120
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping max-user-number 3000
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return

- Configuration file of PE2
#
 sysname PE2
#
vlan batch 10 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi v123 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
#
mpls ldp
#
interface Vlanif10
 ip address 100.10.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif30
 l2 binding vsi v123
#
interface GigabitEthernet2/0/10
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return

4 ARP Security Configuration

About This Chapter

This chapter describes the principle and configuration of ARP security features.

4.1 Introduction to ARP Security
This section describes the principle of ARP security.

4.2 ARP Security Supported by the S9300
This section describes the ARP security features supported by the S9300.

4.3 Limiting ARP Entry Learning
This section describes how to limit the learning of ARP entries.

4.4 Configuring ARP Anti-Attack
This section describes how to configure the ARP anti-attack function.

4.5 Suppressing Transmission Rate of ARP Packets
This section describes how to suppress the transmission rate of the ARP packets.

4.6 Maintaining ARP Security
This section describes how to maintain ARP security.

4.7 Configuration Examples
This section provides several configuration examples of ARP security.


4.1 Introduction to ARP Security


This section describes the principle of ARP security.

ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices. Such attacks are classified into ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.
- ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets and gratuitous ARP packets, which results in ARP buffer overflow. Normal ARP entries then cannot be cached and packet forwarding is interrupted.
- ARP DoS attacks: Attackers send a large number of ARP request and response packets or other packets that can trigger ARP processing. The device is then busy with ARP processing for a long period and ignores other services. Normal packet forwarding is thus interrupted.

Attackers scan hosts on the local network segment or on other network segments with scanning tools. Before returning response packets, the S9300 searches for ARP entries. If the MAC address corresponding to the destination IP address does not exist, the ARP module on the S9300 sends ARP Miss messages to the upper-layer software and requires it to send ARP request packets to obtain the destination MAC address. A large number of scanning packets generate a large number of ARP Miss packets, and system resources are wasted on processing them. This affects the processing of other services; such an attack is called a scanning attack.

ARP Security
ARP security is used to filter out untrusted ARP packets and enable timestamp suppression for certain ARP packets to guarantee the security and robustness of network devices.

4.2 ARP Security Supported by the S9300


This section describes the ARP security features supported by the S9300. The S9300 supports the following ARP security features.

Limitation on ARP Entry Learning


You can configure the strict ARP entry learning so that the S9300 can learn only the response messages of the ARP requests sent locally. You can set the maximum number of ARP entries that can be dynamically learned by an interface. This prevents malicious use of ARP entries and ensures that the S9300 can learn the ARP entries of authorized users.

ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network.

The S9300 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the S9300 does not allow the modification of the MAC address through ARP entry learning until this ARP entry ages. Thus the S9300 prevents the ARP entries of authorized users from being modified without permission. The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, the MAC addresses cannot be modified, but the VLANs and interfaces can be modified; in fixed-all mode, the MAC addresses, VLANs, and interfaces cannot be modified.
- Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP packet requesting modification of a MAC address. Instead, the S9300 sends a unicast packet for acknowledgement to the user matching this MAC address in the original ARP table.

Preventing ARP Gateway Attack


ARP gateway attack means that an attacker sends gratuitous ARP packets whose source IP address is the bogus gateway address on a local area network (LAN). After receiving these packets, a host replaces its gateway address with the address of the attacker. As a result, none of the hosts on the LAN can access the network. When the S9300 receives ARP packets with the bogus gateway address, one of the following situations applies:
- The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.
- The source IP address in the ARP packets is the virtual IP address of the incoming interface, but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address mode.

In either situation, the S9300 generates an ARP anti-attack entry and, for a period (three minutes by default), discards packets whose source MAC address in the Ethernet header matches the entry. This prevents ARP packets with the bogus gateway address from being broadcast on a VLAN.

Suppressing ARP Packet Source


When a large number of packets are sent from a source IP address, the CPU resources of the device and the bandwidth reserved for sending ARP packets are occupied. The S9300 can suppress the transmission rate of the ARP packets with a specified source IP address. If the number of ARP packets with a specified source IP address received by the S9300 within a specified period exceeds the set threshold, the S9300 does not process the excessive ARP request packets.

Suppressing ARP Miss Packet Source


When a host attacks the device by sending a large number of IP packets whose destination IP address cannot be resolved, the S9300 suppresses the ARP Miss packets that have the specified source IP address. If a large number of IP packets whose destination IP address cannot be resolved are sent to the S9300 from one source IP address, ARP Miss packets are triggered. The S9300 collects statistics on the ARP Miss packets. If a source IP address triggers ARP Miss packets continuously in a period and the triggering rate exceeds the set threshold, the S9300 considers that an attack is occurring. In this case, the S9300 delivers ACL rules to discard the IP packets sent from this address for a period (the default value is 50 seconds).
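The two suppression mechanisms just described, modelled in Python as an added example that is not S9300 code and not part of this guide: a per-source sliding-window counter that stops processing excess ARP packets from one source IP, and an ARP Miss counter that installs a 50-second block for a source once its rate exceeds the threshold. The window length and thresholds are this example's own parameters; only the 50 s default comes from the guide.

```python
"""Source-based suppression of ARP packets and of ARP Miss messages.

Added illustration, not S9300 code: it models the two mechanisms the guide
describes on constructed traffic.  The counting window and thresholds are
parameters of this example; the 50-second ACL block is the guide's default.
"""
from collections import defaultdict, deque
from typing import Deque, Dict


class SourceSuppressor:
    """Per-source-IP event counter over a sliding window of `period` seconds."""

    def __init__(self, period: float, threshold: int):
        self.period = period
        self.threshold = threshold
        self.events: Dict[str, Deque[float]] = defaultdict(deque)

    def rate_exceeded(self, src_ip: str, now: float) -> bool:
        """Record one event for src_ip and report whether the window now holds
        more events than the threshold allows."""
        q = self.events[src_ip]
        q.append(now)
        while q and q[0] <= now - self.period:
            q.popleft()
        return len(q) > self.threshold


class ArpSuppression(SourceSuppressor):
    """ARP packets above the per-source threshold are simply not processed."""

    def accept(self, src_ip: str, now: float) -> bool:
        return not self.rate_exceeded(src_ip, now)


class ArpMissSuppression(SourceSuppressor):
    """When ARP Miss messages triggered by one source exceed the threshold,
    an ACL rule drops that source's IP packets for `block_time` seconds."""

    def __init__(self, period: float, threshold: int, block_time: float = 50.0):
        super().__init__(period, threshold)
        self.block_time = block_time
        self.blocked_until: Dict[str, float] = {}   # the delivered "ACL rules"

    def on_ip_packet(self, src_ip: str, dst_resolvable: bool, now: float) -> str:
        """Classify one IP packet: forwarded, counted as an ARP Miss, or dropped."""
        until = self.blocked_until.get(src_ip)
        if until is not None and now < until:
            return "drop: ACL"
        if dst_resolvable:
            return "forward"
        # Unresolvable destination: an ARP Miss message is triggered and counted.
        if self.rate_exceeded(src_ip, now):
            self.blocked_until[src_ip] = now + self.block_time
            return "drop: ACL delivered"
        return "arp-miss"
```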

Preventing ARP Man-in-the-Middle Attack


A man-in-the-middle on the network may send a packet carrying its own MAC address and the IP address of the server to the client. The client learns the MAC address and IP address contained in the packet and considers the man-in-the-middle as the server. Then, the man-in-the-middle sends a packet carrying its own MAC address and the IP address of the client to the server. The server can learn the IP address and MAC address of the man-in-the-middle and consider the man-in-the-middle as the client. In this way, the man-in-the-middle obtains the data exchanged between the server and the client. To prevent the man-in-the-middle attacks, you can configure the S9300 to check the ARP packets according to the binding table. Only the packets that match the content of the binding table can be forwarded; the other packets are discarded.

Limitation on the Transmission Rate of ARP Packets


The transmission rate of the ARP packets on the S9300 can be limited. This prevents the excessive ARP packets from being transmitted to the security module and degrading system performance.

ARP Proxy on a VPLS Network


On the VPLS network, the S9300 can process ARP packets on the PW. If the ARP packets are ARP request packets and the destination IP address of the packets matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets before sending them to the requester of the PW. The attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network are thus prevented.

4.3 Limiting ARP Entry Learning


This section describes how to limit the learning of ARP entries.

4.3.1 Establishing the Configuration Task
4.3.2 Enabling Strict ARP Entry Learning
4.3.3 Configuring Interface-based ARP Entry Limitation
4.3.4 Checking the Configuration

4.3.1 Establishing the Configuration Task


Applicable Environment
After the strict ARP entry learning is enabled, the S9300 learns only the response messages of the ARP request messages sent locally. You can configure the limitation on ARP entry learning based on interfaces to limit the number of ARP entries dynamically learned by the interfaces.

Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation
To configure the limitation on ARP entry learning, you need the following data.

No.   Data
1     Type and number of the interface where you need to configure the limitation on ARP entry learning

4.3.2 Enabling Strict ARP Entry Learning


Context
Strict ARP entry learning means that the S9300 learns only the response packets of the locally sent ARP Request packets.

Procedure
- Configuring strict ARP entry learning globally
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     arp learning strict

     Strict ARP learning is enabled. By default, strict ARP learning is disabled on the S9300.

- Configuring strict ARP entry learning on an interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed. The interface is a VLANIF interface.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the interface.
     force-enable: enables strict ARP entry learning on an interface.
     force-disable: disables strict ARP entry learning on an interface.
     trust: indicates that the configuration of strict ARP entry learning on an interface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally.

- Configuring strict ARP entry learning on a GE or Ethernet subinterface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number [.subnumber ]

     The GE or Ethernet subinterface view is displayed.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the GE or Ethernet subinterface.
     force-enable: enables strict ARP entry learning on a GE or Ethernet subinterface.
     force-disable: disables strict ARP entry learning on a GE or Ethernet subinterface.
     trust: indicates that the configuration of strict ARP entry learning on a GE or Ethernet subinterface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on a GE or Ethernet subinterface is the same as that configured globally.

- Configuring strict ARP entry learning on an Eth-trunk subinterface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface eth-trunk trunk-id [.subnumber ]

     The Eth-trunk subinterface view is displayed.
  3. Run:
     arp learning strict { force-enable | force-disable | trust }

     The strict ARP entry learning function is enabled on the Eth-trunk subinterface.
     force-enable: enables strict ARP entry learning on an Eth-trunk subinterface.
     force-disable: disables strict ARP entry learning on an Eth-trunk subinterface.
     trust: indicates that the configuration of strict ARP entry learning on an Eth-trunk subinterface is the same as that configured globally.
     By default, the configuration of strict ARP entry learning on an Eth-trunk subinterface is the same as that configured globally.
----End

4.3.3 Configuring Interface-based ARP Entry Limitation


Context
If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of authorized users. To prevent such attacks, you can set the maximum number of ARP entries that can be dynamically learned by an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be a GE interface, an Ethernet interface, an Eth-Trunk, or a VLANIF interface.
Step 3 Run:
arp-limit [ vlan vlan-id [ to vlan-id2 ] ] maximum maximum

Interface-based ARP entry limitation is configured. The vlan parameter can be used only on GE interfaces, Ethernet interfaces, or Eth-Trunks.
----End
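Strict ARP entry learning (4.3.2) and interface-based ARP entry limitation (4.3.3), modelled together in Python as an added example that is not S9300 code: a reply is learned only if the switch itself sent the matching request, and a new entry must fit under both the VLAN and the interface limit. The class names, interface names and addresses are constructed for this example.

```python
"""Strict ARP learning plus interface-based ARP entry limitation.

Added illustration, not S9300 code: it models the checks behind
`arp learning strict` (learn only replies to locally sent requests) and
`arp-limit ... maximum` (cap dynamic entries per interface and VLAN) so
their effect can be traced on constructed ARP replies.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ArpReply:
    """Constructed ARP reply as received on an interface (sender side only)."""
    interface: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class ArpLearner:
    # Mirrors `arp learning strict` in the system view (disabled by default).
    global_strict: bool = False
    # Per-interface mode: force-enable | force-disable | trust (the default).
    interface_mode: Dict[str, str] = field(default_factory=dict)
    # (interface, vlan) -> maximum dynamic entries; vlan None limits the whole
    # interface, as `arp-limit maximum` without the vlan keyword does.
    limits: Dict[Tuple[str, Optional[int]], int] = field(default_factory=dict)
    # Requests the switch itself sent and has not yet seen answered.
    pending: Set[Tuple[str, str]] = field(default_factory=set)
    # Dynamic ARP entries: ip -> (mac, interface, vlan).
    entries: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)

    def strict_on(self, interface: str) -> bool:
        """force-enable/force-disable override the global setting; trust follows it."""
        mode = self.interface_mode.get(interface, "trust")
        if mode == "force-enable":
            return True
        if mode == "force-disable":
            return False
        return self.global_strict

    def send_request(self, interface: str, target_ip: str) -> None:
        """Record a locally originated ARP request so that its reply may be learned."""
        self.pending.add((interface, target_ip))

    def learned_count(self, interface: str, vlan: Optional[int] = None) -> int:
        """LearnedNum for an interface, optionally restricted to one VLAN."""
        return sum(1 for _mac, ifc, vl in self.entries.values()
                   if ifc == interface and (vlan is None or vl == vlan))

    def learn(self, reply: ArpReply) -> str:
        """Run strict learning first, then the entry limit; return the verdict."""
        key = (reply.interface, reply.sender_ip)
        if self.strict_on(reply.interface) and key not in self.pending:
            return "dropped: unsolicited reply (strict learning)"
        if reply.sender_ip not in self.entries:
            # A new entry must fit under the VLAN limit and the interface limit;
            # refreshing an existing entry never consumes extra table space.
            for scope in ((reply.interface, reply.vlan), (reply.interface, None)):
                limit = self.limits.get(scope)
                if limit is not None and self.learned_count(*scope) >= limit:
                    return f"dropped: arp-limit {limit} reached on {scope}"
        self.entries[reply.sender_ip] = (reply.sender_mac, reply.interface, reply.vlan)
        self.pending.discard(key)
        return "learned"


if __name__ == "__main__":
    # Constructed scenario: strict learning on globally, Vlanif100 opted out,
    # and at most two dynamic entries in VLAN 3 on GigabitEthernet1/0/10.
    arp = ArpLearner(global_strict=True)
    arp.interface_mode["Vlanif100"] = "force-disable"
    arp.limits[("GigabitEthernet1/0/10", 3)] = 2
    print(arp.learn(ArpReply("Vlanif200", 200, "10.0.0.5", "0000-0000-0005")))
    arp.send_request("Vlanif200", "10.0.0.5")
    print(arp.learn(ArpReply("Vlanif200", 200, "10.0.0.5", "0000-0000-0005")))
```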

4.3.4 Checking the Configuration


Prerequisite
The configurations of ARP entry limitation are complete.

Procedure
- Run the display arp learning strict command to view the configuration of strict ARP entry learning.
- Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the maximum number of ARP entries that can be learned by an interface or a VLAN.

----End

Example
Run the display arp learning strict command, and you can view the configuration of strict ARP entry learning.
<Quidway> display arp learning strict
 The global configuration:arp learning strict
 interface                LearningStrictState
------------------------------------------------------------
 Vlanif100                force-disable
 Vlanif200                force-enable
------------------------------------------------------------
 Total:2       force-enable:1       force-disable:1

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can view the maximum number of ARP entries that can be learned by an interface or a VLAN.
<Quidway> display arp-limit interface GigabitEthernet 1/0/10
 interface                LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
 GigabitEthernet1/0/10    1000       3        0
 GigabitEthernet1/0/10    1000       4        0
 GigabitEthernet1/0/10    1000       5        0
 GigabitEthernet1/0/10    1000       6        0
 GigabitEthernet1/0/10    1000       7        0
 GigabitEthernet1/0/10    1000       8        0
 GigabitEthernet1/0/10    1000       9        0
 GigabitEthernet1/0/10    1000       10       0
--------------------------------------------------------------------------
 Total:8
<Quidway> display arp-limit vlan 3
 interface                LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
 GigabitEthernet1/0/10    1000       3        0
--------------------------------------------------------------------------
 Total:1

4.4 Configuring ARP Anti-Attack


This section describes how to configure the ARP anti-attack function.

4.4.1 Establishing the Configuration Task
4.4.2 Preventing the ARP Address Spoofing Attack
4.4.3 Preventing the ARP Gateway Duplicate Attack
4.4.4 Preventing the Man-in-the-Middle Attack
4.4.5 Configuring ARP Proxy on a VPLS Network
4.4.6 Configuring DHCP to Trigger ARP Learning
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets
4.4.8 Enabling Log and Alarm Functions for Potential Attacks
4.4.9 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore, it is required to configure the ARP anti-attack function on the access layer or convergence layer to ensure network security.
- To prevent attackers from forging the ARP packets of authorized users and modifying the ARP entries on the gateway, you can configure the ARP address anti-spoofing function.
- To prevent attackers from forging the gateway address, sending gratuitous ARP packets whose source IP addresses are the gateway address on the LAN, and thus making the hosts change their gateway address to the address of the attacker, you can configure the ARP gateway anti-collision function.
- To prevent unauthorized users from accessing external networks by sending ARP packets to the S9300, you can configure the ARP packet checking function.

Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation
To configure ARP anti-attack, you need the following data.

No.   Data
1     (Optional) Alarm threshold of the ARP packets discarded because they do not match the binding table.

4.4.2 Preventing the ARP Address Spoofing Attack


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

The ARP anti-spoofing function is enabled. You can use only one ARP anti-spoofing mode. If an ARP anti-spoofing mode is already used, the latest configuration overrides the previous configuration. By default, the ARP anti-spoofing function is disabled on the S9300.
----End
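The three entry-check modes (described in 4.2 and selected by the command above), modelled in Python as an added example that is not S9300 code. The send-ack outcome, accepting the change only when the original owner does not answer the unicast probe, is this example's assumption; the guide states only that the probe is sent.

```python
"""ARP anti-spoofing entry-check modes: fixed-mac, fixed-all and send-ack.

Added illustration, not S9300 code: it models how an existing ARP entry is
protected under each `arp anti-attack entry-check` mode.  The send-ack
outcome (the change is accepted only if the original owner does not answer
the probe) is this example's assumption; the guide only says a unicast
acknowledgement packet is sent to the original owner.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str


# Probe callback: (ip, mac) -> True if the original owner still answers.
Prober = Callable[[str, str], bool]


class EntryCheckTable:
    MODES = ("fixed-mac", "fixed-all", "send-ack")

    def __init__(self, mode: Optional[str] = None, prober: Optional[Prober] = None):
        self.mode = None            # None: anti-spoofing disabled (the default)
        self.set_mode(mode)
        self.prober = prober
        self.table: Dict[str, ArpEntry] = {}

    def set_mode(self, mode: Optional[str]) -> None:
        """Only one mode is active at a time; a new one overrides the previous."""
        if mode is not None and mode not in self.MODES:
            raise ValueError(f"unknown entry-check mode {mode!r}")
        self.mode = mode

    def age_out(self, ip: str) -> None:
        """An aged entry protects nothing; the next packet learns it afresh."""
        self.table.pop(ip, None)

    def update(self, ip: str, mac: str, vlan: int, interface: str) -> str:
        """Apply an ARP packet claiming ip/mac/vlan/interface; return the verdict."""
        new = ArpEntry(mac, vlan, interface)
        old = self.table.get(ip)
        if old is None or self.mode is None:
            self.table[ip] = new
            return "learned" if old is None else "updated"
        if old == new:
            return "refreshed"
        if self.mode == "fixed-all":
            # MAC address, VLAN and interface are all frozen until the entry ages.
            return "rejected: fixed-all"
        if old.mac != mac:
            if self.mode == "fixed-mac":
                # fixed-mac freezes only the MAC; VLAN/interface may still change.
                return "rejected: fixed-mac"
            # send-ack: ask the current owner before believing the new MAC.
            if self.prober is not None and self.prober(ip, old.mac):
                return "rejected: send-ack (original owner answered)"
        # Same MAC under fixed-mac, or send-ack with no answer: accept the change.
        self.table[ip] = new
        return "updated"
```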

4.4.3 Preventing the ARP Gateway Duplicate Attack



Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp anti-attack gateway-duplicate enable

The ARP anti-attack function for preventing ARP packets with the bogus gateway address is enabled. After this function is enabled, the ARP packets with the bogus gateway address received on an interface of the S9300 are not broadcast to other interfaces. By default, this function is disabled on the S9300.
----End
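The conflict table behind the gateway-duplicate check, with the two trigger conditions and the three-minute aging described in 4.2, modelled in Python as an added example that is not S9300 code. The interface addresses, the VRRP virtual IP/MAC pair and all packets are constructed for this example.

```python
"""ARP gateway-duplicate anti-attack: conflict table keyed by source MAC.

Added illustration, not S9300 code: a packet whose sender IP equals the
receiving interface's own IP, or equals the VRRP virtual IP without carrying
the virtual MAC, creates an anti-attack entry, and every further packet from
that Ethernet source MAC is dropped until the entry ages (180 s by default).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_AGING = 180  # seconds: the guide's default of three minutes


@dataclass
class ArpPacket:
    interface: str
    vlan: int
    sender_ip: str
    src_mac: str      # source MAC address in the Ethernet header


class GatewayDuplicateGuard:
    def __init__(self, interface_ip: Dict[str, str],
                 vrrp: Optional[Dict[str, Tuple[str, str]]] = None,
                 aging: int = DEFAULT_AGING):
        self.interface_ip = interface_ip    # interface -> its own IP address
        self.vrrp = vrrp or {}              # interface -> (virtual IP, virtual MAC)
        self.aging = aging
        # (interface, src_mac) -> (claimed sender IP, VLAN, expiry time)
        self.conflicts: Dict[Tuple[str, str], Tuple[str, int, float]] = {}

    def _bogus_gateway(self, pkt: ArpPacket) -> bool:
        if pkt.sender_ip == self.interface_ip.get(pkt.interface):
            return True
        virt = self.vrrp.get(pkt.interface)
        return virt is not None and pkt.sender_ip == virt[0] and pkt.src_mac != virt[1]

    def _expire(self, now: float) -> None:
        for key in [k for k, v in self.conflicts.items() if v[2] <= now]:
            del self.conflicts[key]

    def inspect(self, pkt: ArpPacket, now: float) -> str:
        """Return 'forward' or the reason the packet is discarded."""
        self._expire(now)
        key = (pkt.interface, pkt.src_mac)
        if key in self.conflicts:
            # Everything from this source MAC is dropped while the entry lives.
            return "drop: matches gateway conflict entry"
        if self._bogus_gateway(pkt):
            self.conflicts[key] = (pkt.sender_ip, pkt.vlan, now + self.aging)
            return "drop: bogus gateway address, conflict entry created"
        return "forward"

    def display(self, now: float) -> List[Tuple[str, str, str, int, int]]:
        """Rows in the order of `display arp anti-attack gateway-duplicate item`:
        (interface, IP address, MAC address, VLANID, aging time left)."""
        self._expire(now)
        return [(ifc, ip, mac, vlan, int(exp - now))
                for (ifc, mac), (ip, vlan, exp) in self.conflicts.items()]
```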

4.4.4 Preventing the Man-in-the-Middle Attack


Context
To prevent man-in-the-middle attacks, you can configure the S9300 to check ARP packets. If the packets received on the interface or the interface in a VLAN match the binding table, the packets are forwarded; otherwise, the packets are discarded. In addition, you can configure the alarm function. When the number of discarded packets exceeds the threshold, an alarm is generated.
NOTE

Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses a static IP address, you need to configure the binding entry of the user manually. A DHCP snooping binding entry consists of the IP address, MAC address, interface number, and VLAN ID of a user. For the configuration of DHCP snooping, see 3.3.2 Enabling DHCP Snooping. For the configuration of a static binding entry, see 5.3.2 (Optional) Configuring a Static User Binding Entry.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Or, run:
vlan vlan-id

The VLAN view is displayed.
Step 3 Run:
arp anti-attack check user-bind enable

The IP source guard function is enabled on the interface. By default, the interfaces or the interfaces in a VLAN are not enabled with the IP source guard function.
Step 4 In the interface view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

Or in the VLAN view, run:
arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

The check items of ARP packets are configured. By default, the check items consist of IP address, MAC address, VLAN, and interface. The packets that do not match the binding table are discarded.
Step 5 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm enable

The alarm function for the discarded ARP packets is enabled. By default, the alarm function is disabled.
Step 6 (Optional) In the interface view, run:
arp anti-attack check user-bind alarm threshold threshold

The alarm threshold for the number of ARP packets discarded because they do not match the binding table is set. By default, the alarm threshold is the same as the threshold set by arp anti-attack check user-bind alarm threshold run in the system view. If the alarm threshold is not set in the system view, the default threshold on the interface is 100.
----End

4.4.5 Configuring ARP Proxy on a VPLS Network


Context
To prevent attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network, you can configure ARP proxy on the S9300 to process the PW-side ARP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp over-vpls enable

ARP proxy is enabled on the S9300 of a VPLS network. By default, ARP proxy is disabled on the S9300 of a VPLS network. On a VPLS network, after the arp over-vpls enable command is run on the S9300, ARP packets on the PW are sent to the main control board for processing.
- If the ARP packets are ARP request packets and the destination IP address of the packets matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets before sending them to the requester of the PW. The attacks caused by PW-side ARP packets broadcast to the AC on a VPLS network are thus prevented.
- If the ARP packets are not ARP request packets, or the packets are ARP request packets but the destination IP address of the packets does not match an entry in the DHCP snooping binding table, the ARP packets are forwarded normally.

The arp over-vpls enable command needs to be used with DHCP snooping over VPLS because the DHCP snooping binding table is used. For the configuration of DHCP snooping over VPLS, see 3.3.2 Enabling DHCP Snooping.
----End
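The binding-table check with its check items and alarm threshold (4.4.4) together with the PW-side ARP proxy decision just described (4.4.5), modelled on one constructed binding table in Python as an added example that is not S9300 code. The binding entry reuses the addresses of the DHCP snooping example in chapter 3; the counter reset after an alarm is this example's assumption.

```python
"""ARP packet check against the user-bind (DHCP snooping) binding table, and
ARP proxy for PW-side requests on a VPLS network.

Added illustration, not S9300 code: it models `arp anti-attack check
user-bind` with configurable check items and an alarm threshold, and the
`arp over-vpls` proxy decision, on one constructed binding table.  The alarm
counter restarting after an alarm is this example's assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")


@dataclass(frozen=True)
class Binding:
    """One user-bind entry: IP address, MAC address, interface and VLAN of a user."""
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass
class ArpPacket:
    interface: str
    vlan: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    is_request: bool
    from_pw: bool = False   # True when received from a pseudo wire (VPLS)


@dataclass
class UserBindCheck:
    bindings: List[Binding]
    check_items: Tuple[str, ...] = ALL_ITEMS   # default: all four items checked
    alarm_enable: bool = False
    alarm_threshold: int = 100                  # interface default from the guide
    drop_count: int = 0

    def _matches(self, pkt: ArpPacket, b: Binding) -> bool:
        tests = {
            "ip-address": pkt.sender_ip == b.ip,
            "mac-address": pkt.sender_mac == b.mac,
            "vlan": pkt.vlan == b.vlan,
            "interface": pkt.interface == b.interface,
        }
        return all(tests[item] for item in self.check_items)

    def check(self, pkt: ArpPacket) -> Tuple[str, bool]:
        """Return (verdict, alarm_raised) for one ARP packet."""
        if any(self._matches(pkt, b) for b in self.bindings):
            return "forward", False
        self.drop_count += 1
        if self.alarm_enable and self.drop_count >= self.alarm_threshold:
            self.drop_count = 0     # assumption: the counter restarts after an alarm
            return "drop", True
        return "drop", False

    def proxy_pw_request(self, pkt: ArpPacket) -> Optional[Tuple[str, str]]:
        """ARP proxy on a VPLS network: answer a PW-side request for a bound IP
        from the binding table instead of flooding it to the AC side.
        Returns (target_ip, target_mac) for the constructed reply, or None when
        the packet is to be forwarded normally."""
        if not (pkt.from_pw and pkt.is_request):
            return None
        for b in self.bindings:
            if b.ip == pkt.target_ip:
                return (b.ip, b.mac)
        return None
```

Running `UserBindCheck` with `check_items=("ip-address",)` shows why the default of all four items matters: a packet with the bound IP but a foreign MAC then passes.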

4.4.6 Configuring DHCP to Trigger ARP Learning


Context
This task is performed to enable DHCP-triggered ARP learning. When the DHCP server assigns an IP address to the user, the S9300 obtains the MAC address of the user and generates the ARP entry corresponding to the IP address after responding to DHCP ACK messages. In this manner, the S9300 does not need to learn ARP entries of the user hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface vlanif interface-number

The VLANIF interface view is displayed.
Step 3 Run:
arp learning dhcp-trigger

The S9300 is configured to learn ARP entries according to the DHCP ACK message received on the VLANIF interface, and to discard ARP request packets for querying the destination host of the network segment of the interface. By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages; ARP learning is triggered when traffic passes.
NOTE
- To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on the VLANIF interface.
- If the DHCP user and DHCP server are located on the same network segment, you cannot use the arp learning dhcp-trigger command.

----End


4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets


Context
If a large number of gratuitous ARP packets are sent to attack the S9300, the S9300 cannot process valid ARP packets. You can configure the S9300 to discard the gratuitous ARP packets. The function of discarding gratuitous ARP packets can be enabled in the system view or the VLANIF interface view.
- If the function is enabled in the system view, all the interfaces of the S9300 discard the gratuitous ARP packets.
- If the function is enabled in the VLANIF interface view, the VLANIF interface discards the gratuitous ARP packets. Before enabling an interface to discard gratuitous ARP packets, you do not need to enable the function globally.

Procedure
- Enabling the function of discarding gratuitous ARP packets globally
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     arp anti-attack gratuitous-arp drop

     The S9300 is enabled to discard gratuitous ARP packets. By default, the S9300 does not discard gratuitous ARP packets.

- Enabling the function of discarding gratuitous ARP packets on a VLANIF interface
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface vlanif interface-number

     The VLANIF interface view is displayed. Generally, this function is enabled on the user-side interface.
  3. Run:
     arp anti-attack gratuitous-arp drop

     The interface is enabled to discard gratuitous ARP packets. By default, the interfaces of the S9300 do not discard gratuitous ARP packets.
----End

4.4.8 Enabling Log and Alarm Functions for Potential Attacks



Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
arp anti-attack log-trap-timer time

Log and alarm functions are enabled for potential attacks. time specifies the interval for writing an ARP log and sending an alarm. By default, the value is 0, indicating that the log and alarm functions are disabled.
----End

4.4.9 Checking the Configuration


Prerequisite
The configurations of ARP anti-attack are complete.

Procedure
- Run the display arp anti-attack configuration { entry-check | gateway-duplicate | log-trap-timer | all } command to check the configuration of ARP anti-attack.
- Run the display arp anti-attack gateway-duplicate item command to check information about bogus gateway address attacks on the network.
- Run the display arp anti-attack check user-bind interface interface-type interface-number command to check the configuration of the binding table for checking ARP packets.

----End

Example
Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)

Run the display arp anti-attack gateway-duplicate item command, and you can view information about bogus gateway address attack on the network.
<Quidway> display arp anti-attack gateway-duplicate item
interface               IP address      MAC address      VLANID   aging time
------------------------------------------------------------------------------
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0002   2        153
GigabitEthernet1/0/1    2.1.1.1         0000-0000-0004   2        179
------------------------------------------------------------------------------
There are 2 records in gateway conflict table

Run the display arp anti-attack check user-bind interface interface-type interface-number command, and you can view the configuration of the binding table for checking ARP packets.
<Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
ARP packet drop count = 10

4.5 Suppressing Transmission Rate of ARP Packets


This section describes how to suppress the transmission rate of the ARP packets.
4.5.1 Establishing the Configuration Task
4.5.2 Configuring Source-based ARP Suppression
4.5.3 Configuring Source-based ARP Miss Suppression
4.5.4 Setting the Suppression Time of ARP Miss Messages
4.5.5 Suppressing Transmission Rate of ARP Packets
4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore, it is required to configure ARP suppression features on the access layer or convergence layer to ensure network security.
- To prevent excessive ARP packets from increasing the CPU workload and occupying excessive ARP entries, you can suppress the transmission rate of ARP packets. Then the transmission rate of the ARP packets transmitted to the main control board is limited.
- To prevent a host from sending excessive IP packets whose destination IP addresses cannot be resolved, you can suppress the source IP address that sends the packets, that is, configure the suppression on the ARP Miss source. Then these IP packets are discarded.
- After the IP source guard function is enabled on an interface, all the ARP packets passing through the interface are forwarded to the security module for check. If excessive ARP packets are sent to the security module, the security module will be impacted. In this case, you can suppress the transmission rate of the ARP packets; the packets that exceed the transmission rate are discarded.

Pre-configuration Tasks
Before configuring ARP suppression, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

Data Preparation
To configure ARP suppression, you need the following data.

No.  Data
1    Maximum transmission rate of the ARP packets sent by a specified source IP address
     (Optional) Source IP address and maximum transmission rate of the ARP packets sent by a specified source IP address
2    Maximum transmission rate of the ARP Miss packets sent by a specified source IP address
     (Optional) Source IP address and maximum transmission rate of the ARP Miss packets sent by a specified source IP address
3    Maximum transmission rate of the ARP packets sent to the security module
     (Optional) Alarm threshold of the number of ARP packets discarded because they exceed the transmission rate

4.5.2 Configuring Source-based ARP Suppression


Context
A user may have special requirements; therefore, you can set the suppression rate for ARP packets with a specified source IP address different from packets with other source IP addresses.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  arp speed-limit source-ip maximum maximum
  The suppression rate of ARP packets is set.
Step 3 (Optional) Run:
  arp speed-limit source-ip ip-address maximum maximum
  The suppression rate of ARP packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP packets with other source IP addresses is the value specified by maximum in step 2. If the suppression rate of ARP packets is set to 0, it indicates that ARP packets are not suppressed. By default, the suppression rate of ARP packets is 5 pps.
----End

4.5.3 Configuring Source-based ARP Miss Suppression


Context
A user may have special requirements; therefore, you can set the suppression rate for ARP Miss packets with a specified source IP address different from that for ARP Miss packets with other source IP addresses.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  arp-miss speed-limit source-ip maximum maximum
  The suppression rate of ARP Miss packets is set.
Step 3 (Optional) Run:
  arp-miss speed-limit source-ip ip-address maximum maximum
  The suppression rate of ARP Miss packets with a specified source IP address is set.
After the preceding configurations are complete, the suppression rate of ARP Miss packets with a specified source IP address is the value specified by maximum in step 3, and the suppression rate of ARP Miss packets with other source IP addresses is the value specified by maximum in step 2. If the suppression rate of ARP Miss packets is set to 0, it indicates that ARP Miss packets are not suppressed. By default, the suppression rate of ARP Miss packets is 5 pps.
----End
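The two source-based procedures above (4.5.2 for ARP packets and 4.5.3 for ARP Miss packets) share one rate model: a global maximum that applies to every source IP without its own entry, optional per-IP overrides, and a rate of 0 meaning no suppression for that source. The following Python model is an added illustration, not code from Huawei or the S9300: it counts packets per source IP in one-second windows and drops the excess. The limiter class, the burst simulation, the one-second-window counting and the source 2.2.3.2 are assumptions (the guide does not describe how the switch measures pps); the limits used by the demo are those of the configuration example in 4.7.1 (300 pps globally, 200 pps for 2.2.4.2) plus a source with rate 0 as in the display output in 4.5.6.

```python
from collections import defaultdict

# Constructed model of source-based ARP / ARP Miss suppression (example code,
# not the S9300's implementation). One instance stands for the
# "arp speed-limit source-ip ..." policy, another for "arp-miss speed-limit
# source-ip ...": the global maximum applies to every source without its own
# entry ("Others"), a per-IP entry overrides it, and a rate of 0 means the
# source is not suppressed at all.
DEFAULT_MAX_PPS = 5  # the guide's default for both ARP and ARP Miss suppression


class SourceIpRateLimiter:
    """Counts packets per source IP in one-second windows and drops the excess."""

    def __init__(self, default_max=DEFAULT_MAX_PPS):
        self.default_max = default_max   # ... source-ip maximum <maximum>
        self.per_source = {}             # ... source-ip <ip-address> maximum <maximum>
        self.accepted = defaultdict(int)
        self.dropped = defaultdict(int)
        self._window = None              # integer second currently being counted
        self._count = defaultdict(int)   # packets seen per source in that second

    def set_default(self, max_pps):
        self.default_max = max_pps

    def set_source(self, ip, max_pps):
        self.per_source[ip] = max_pps

    def limit_for(self, ip):
        """Effective limit for a source: its own entry if configured, else the global one."""
        return self.per_source.get(ip, self.default_max)

    def accept(self, src_ip, now):
        """Return True if a packet from src_ip arriving at time `now` (seconds) is passed on."""
        window = int(now)
        if window != self._window:          # a new one-second window: reset the counters
            self._window = window
            self._count.clear()
        self._count[src_ip] += 1
        limit = self.limit_for(src_ip)
        if limit == 0 or self._count[src_ip] <= limit:
            self.accepted[src_ip] += 1
            return True
        self.dropped[src_ip] += 1
        return False


def simulate_bursts(limiter, bursts):
    """Feed each (src_ip, packet_count) burst within one second; return per-IP (accepted, dropped)."""
    for src_ip, count in bursts:
        for _ in range(count):
            limiter.accept(src_ip, now=0.5)   # every packet lands in second 0
    return {ip: (limiter.accepted[ip], limiter.dropped[ip]) for ip, _ in bursts}


def demo_arp_limits():
    """Limits of the guide's 4.7.1 example: 300 pps globally, 200 pps for User 4 (2.2.4.2)."""
    arp = SourceIpRateLimiter()
    arp.set_default(300)            # arp speed-limit source-ip maximum 300
    arp.set_source("2.2.4.2", 200)  # arp speed-limit source-ip 2.2.4.2 maximum 200
    arp.set_source("10.0.0.8", 0)   # rate 0: this source is not suppressed
    # Constructed traffic: a 400-packet burst from User 4, 350 from another user, 1000 from 10.0.0.8.
    bursts = [("2.2.4.2", 400), ("2.2.3.2", 350), ("10.0.0.8", 1000)]
    return simulate_bursts(arp, bursts)


if __name__ == "__main__":
    for ip, (ok, drop) in demo_arp_limits().items():
        print(f"{ip:10} accepted={ok:5} dropped={drop:5}")
```

The same class models ARP Miss suppression: instantiate a second limiter for the arp-miss speed-limit values and feed it the sources of packets whose destination could not be resolved rather than the sources of ARP packets.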

4.5.4 Setting the Suppression Time of ARP Miss Messages


Context
After the VLANIF interface receives IP unicast packets whose destination cannot be reached, the packets are sent to the CPU of the main control board because the ARP entries corresponding to the packets are not found in the forwarding table. The main control board is then triggered to learn ARP entries. When the main control board learns ARP entries, it sends ARP broadcast request packets and generates fake ARP entries, which it sends to the LPU. After receiving a fake ARP entry, the LPU does not send ARP Miss messages for that destination. If the main control board does not learn valid ARP entries, it deletes the fake ARP entries; ARP Miss messages are then sent again and ARP learning is triggered again. By default, a fake ARP entry ages out and is deleted after five seconds, that is, no ARP Miss messages for that destination are sent to the CPU of the main control board within five seconds. When a large number of fake ARP entries are generated on the S9300, the S9300 is being attacked by packets to unknown destinations. In this case, you can adjust the suppression time, that is, the interval at which ARP Miss messages for the same destination are sent, to reduce the number of unknown unicast packets sent to the main control board and its CPU usage.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  interface vlanif interface-number
  The VLANIF interface view is displayed.
Step 3 Run:
  arp-miss suppress suppress-time
  The suppression time for the S9300 to send ARP Miss messages is set. By default, the suppression time for the S9300 to send ARP Miss messages is 5 seconds.
----End
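The effect of the suppression time is easiest to see on a steady stream of packets to one unresolvable destination: only the first packet raises an ARP Miss, and the fake entry silences further ARP Miss messages until it ages out. The following Python model is an added illustration, not code from Huawei or the S9300; the class, the constructed packet stream and the destination 3.3.3.3 are assumptions. The default of 5 seconds is the guide's.

```python
# Constructed model of the ARP Miss suppression time (example code, not the
# S9300's implementation). A packet whose destination has no ARP entry raises
# an ARP Miss, which triggers ARP learning and installs a "fake" entry; while
# that fake entry lives (arp-miss suppress <suppress-time>, default 5 s) further
# packets to the same destination raise no ARP Miss. If learning succeeds the
# real entry replaces the fake one; if not, the fake entry ages out and the next
# packet raises an ARP Miss again.
DEFAULT_SUPPRESS_TIME = 5  # seconds, the guide's default


class ArpMissSuppressor:
    def __init__(self, suppress_time=DEFAULT_SUPPRESS_TIME):
        self.suppress_time = suppress_time
        self.resolved = {}       # destination IP -> MAC, real ARP entries
        self.fake_until = {}     # destination IP -> time at which the fake entry ages out
        self.arp_miss_count = 0  # ARP Miss messages sent to the main control board

    def learn(self, ip, mac):
        """ARP learning succeeded: install the real entry and discard the fake one."""
        self.resolved[ip] = mac
        self.fake_until.pop(ip, None)

    def handle(self, dst_ip, now):
        """Classify a unicast packet to dst_ip arriving at time `now` (seconds)."""
        if dst_ip in self.resolved:
            return "forwarded"
        until = self.fake_until.get(dst_ip)
        if until is not None and now < until:
            return "suppressed"          # fake entry present: no ARP Miss message
        self.arp_miss_count += 1         # ARP Miss sent, learning triggered
        self.fake_until[dst_ip] = now + self.suppress_time
        return "arp-miss"


def arp_miss_messages(suppress_time, seconds=12, pps=10, dst_ip="3.3.3.3"):
    """ARP Miss messages caused by a constructed steady stream to one unresolvable address."""
    s = ArpMissSuppressor(suppress_time)
    for i in range(seconds * pps):
        s.handle(dst_ip, now=i / pps)
    return s.arp_miss_count


if __name__ == "__main__":
    for t in (1, 5, 12):
        print(f"suppress-time {t:2}s: {arp_miss_messages(t)} ARP Miss messages for 120 packets")
```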

4.5.5 Suppressing Transmission Rate of ARP Packets


Context
Before configuring the global ARP suppression, ensure that the IP source guard function is enabled on the interface.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  arp anti-attack rate-limit enable
  The transmission rate of ARP packets is limited. By default, ARP suppression is disabled globally.
Step 3 Run:
  arp anti-attack rate-limit limit
  The threshold for the transmission rate of ARP packets is set. After the threshold is set, the excessive packets are discarded. By default, the threshold for the transmission rate of ARP packets is 100 pps.
Step 4 (Optional) Run:
  arp anti-attack rate-limit alarm enable
  The alarm function for the ARP packets discarded because the transmission rate is exceeded is enabled. By default, the alarm function is disabled.
Step 5 (Optional) Run:
  arp anti-attack rate-limit alarm threshold threshold
  The alarm threshold of the number of ARP packets discarded because the transmission rate is exceeded is set. By default, the alarm threshold of discarded ARP packets is 5.
----End

4.5.6 Checking the Configuration


Prerequisite
The configurations of the limitation on ARP transmission rate are complete.

Procedure
- Run the display arp anti-attack configuration { arp-speed-limit | arpmiss-speedlimit | all } command to view the configuration of ARP source suppression.

----End

Example
Run the display arp anti-attack configuration all command, and you can view the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1          200
10.0.0.3          300
10.0.0.8          0
2.1.1.10          1000
Others            500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
10.0.0.1          200
10.0.0.2          300
10.0.0.8          0
2.1.1.10          1000
Others            500
-----------------------------------------------------------------------
4 specified IP addresses are configured, spec is 1024 items.

4.6 Maintaining ARP Security


This section describes how to maintain ARP security.
4.6.1 Displaying the Statistics About ARP Packets
4.6.2 Clearing the Statistics on ARP Packets
4.6.3 Clearing the Statistics on Discarded ARP Packets
4.6.4 Debugging ARP Packets

4.6.1 Displaying the Statistics About ARP Packets


Procedure
- Run the display arp packet statistics [ slot slot-id ] command to view the statistics on ARP packets.

----End

Example
Run the display arp packet statistics command, and you can view the statistics on ARP packets.
<Quidway> display arp packet statistics
ARP Pkt Received:                 sum 25959
ARP Learnt Count:                 sum 3
ARP Pkt Discard For Limit:        sum 0
ARP Pkt Discard For SpeedLimit:   sum
ARP Pkt Discard For Other:        sum 23

4.6.2 Clearing the Statistics on ARP Packets


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Run the following command in the user view to clear the statistics.

Procedure
- Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP packets.

----End

4.6.3 Clearing the Statistics on Discarded ARP Packets


Context

CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the command.

To clear the statistics on discarded ARP packets, run the following commands in the user view.

Procedure
- Run the reset arp anti-attack statistics check user-bind { global | interface interface-type interface-number } command to clear the statistics on the packets discarded because they do not match the binding table.
- Run the reset arp anti-attack statistics rate-limit command to clear the statistics on the ARP packets discarded because the transmission rate exceeds the limit.

----End

4.6.4 Debugging ARP Packets


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

If a running fault occurs, run the following debugging commands in the user view to locate the fault.

Procedure
- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets.

----End

4.7 Configuration Examples


This section provides several configuration examples of ARP security.
4.7.1 Example for Configuring ARP Security Functions
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks
4.7.1 Example for Configuring ARP Security Functions


Networking Requirements
As shown in Figure 4-1, the S9300 is connected to a server through GE 1/0/3 and is connected to four users in VLAN 10 and VLAN 20 through GE 1/0/1 and GE 1/0/2. There are the following ARP attacks on the network:
- The server may send several packets with an unreachable destination IP address, and the number of these packets is larger than the number of packets from common users.
- After virus attacks occur on User 1, a large number of ARP packets are sent. Among these packets, the source IP address of certain ARP packets changes on the local network segment and the source IP address of certain ARP packets is the same as the IP address of the gateway.
- User 3 constructs a large number of ARP packets with a fixed IP address to attack the network.
- User 4 constructs a large number of ARP packets with an unreachable destination IP address to attack the network.

It is required that ARP security functions be configured on the S9300 to prevent the preceding attacks. The suppression rate of ARP Miss packets set on the server should be greater than the suppression rate of other users.

Figure 4-1 Networking diagram for configuring ARP security functions (S9300; GE1/0/3 to the Server; GE1/0/1 and GE1/0/2 to VLAN10 and VLAN20; User1, User2, User3, User4)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation
To complete the configuration, you need the following data:
- Number of limited ARP entries on the interface being 20
- Anti-spoofing mode used to prevent attacks initiated by User 1 being fixed-mac
- IP address of the server being 2.2.2.2/24
- IP address of User 4, which sends a large number of ARP packets, being 2.2.4.2/24
- Maximum suppression rate for ARP packets of User 4 being 200 pps and maximum suppression rate for ARP packets of other users being 300 pps
- Maximum suppression rate for ARP Miss packets of common users being 400 pps and maximum suppression rate for ARP Miss packets on the server being 1000 pps
- Interval for writing an ARP log and sending an alarm being 30 seconds

Procedure
Step 1 Enable strict ARP learning.
<Quidway> system-view
[Quidway] arp learning strict

Step 2 Configure interface-based ARP entry restriction.
# The number of limited ARP entries on each interface is 20. The following lists the configuration of GE 1/0/1; the configurations of the other interfaces are the same as the configuration of GE 1/0/1.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp-limit vlan 10 maximum 20
[Quidway-GigabitEthernet1/0/1] quit

Step 3 Enable the ARP anti-spoofing function.
# Set the ARP anti-spoofing mode to fixed-mac to prevent ARP spoofing attacks initiated by User 1.
[Quidway] arp anti-attack entry-check fixed-mac enable

Step 4 Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address.
# Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address to prevent User 1 from sending ARP packets with the bogus gateway address.
[Quidway] arp anti-attack gateway-duplicate enable

Step 5 Configure the rate suppression function for ARP packets.



# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the suppression rate for ARP packets of the system to 300 pps.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.4.2 maximum 200

Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 400

# Set the suppression rate for ARP Miss packets on the server to 1000 pps. This prevents the server from sending a large number of IP packets with an unreachable destination IP address, while still allowing the server a higher rate than other users so that its normal communication is not blocked.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000

Step 7 Enable log and alarm functions for potential attacks.
[Quidway] arp anti-attack log-trap-timer 30

Step 8 Verify the configuration.
After the configuration, run the display arp learning strict command, and you can view information about strict ARP learning.
<Quidway> display arp learning strict
 The global configuration:arp learning strict
 interface                        LearningStrictState
 -----------------------------------------------------------------------
 -----------------------------------------------------------------------
 Total:0      force-enable:0      force-disable:0

You can use the display arp-limit command to check the maximum number of ARP entries learned by the interface.
<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface               LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
GigabitEthernet1/0/1    20         10       0
--------------------------------------------------------------------------
Total:1

You can use the display arp anti-attack configuration all command to check the configuration of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.4.2           200
Others            300
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.
ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-----------------------------------------------------------------------
2.2.2.2           1000
Others            400
-----------------------------------------------------------------------
1 specified IP addresses are configured, spec is 1024 items.

You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries. In addition, you can use the display arp anti-attack gateway-duplicate item command to view information about attacks from the packets with the forged gateway address on the current network.
<Quidway> display arp packet statistics
ARP Pkt Received:                 sum 167
ARP Learnt Count:                 sum 8
ARP Pkt Discard For Limit:        sum 5
ARP Pkt Discard For SpeedLimit:   sum
ARP Pkt Discard For Other:        sum 3

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10 20 30
#
arp speed-limit source-ip maximum 300
arp-miss speed-limit source-ip maximum 400
arp learning strict
arp anti-attack log-trap-timer 30
#
arp anti-attack entry-check fixed-mac enable
arp anti-attack gateway-duplicate enable
arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
arp speed-limit source-ip 2.2.4.2 maximum 200
#
interface GigabitEthernet 1/0/1
 port hybrid pvid vlan 10
 port hybrid tagged vlan 10
 arp-limit vlan 10 maximum 20
#
interface GigabitEthernet 1/0/2
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
 arp-limit vlan 20 maximum 20
#
interface GigabitEthernet 1/0/3
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
 arp-limit vlan 30 maximum 20
#
return

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks


Networking Requirements
As shown in Figure 4-2, two users are connected to the S9300 through GE 1/0/1 and GE 1/0/2 respectively. Assume that the user connected to GE 1/0/2 is an attacker. To prevent man-in-the-middle attacks, you can configure the IP source guard function. After the IP source guard function is configured on the S9300, the S9300 checks the IP packets according to the binding table. Only the IP packets that match the content of the binding table can be forwarded; the other IP packets are discarded. In addition, you can enable the alarm function for discarded packets.

Figure 4-2 Networking diagram for preventing man-in-the-middle attacks (S9300; Attacker on GE1/0/2; Client on GE1/0/1; Server; IP:10.0.0.1/24, MAC:1-1-1, VLAN ID:10)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2
- Check items: IP address + MAC address
- Alarm threshold of the number of discarded ARP packets: 80
- IP address of the client configured in the static binding table: 10.0.0.1/24; MAC address: 1-1-1; VLAN ID: 10

Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to the client.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to the attacker.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure the check items of the static binding table.
# Configure the client in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10

Step 3 Configure the alarm function for discarded packets.
# Set the alarm threshold of the ARP packets discarded because they do not match the binding table.
[Quidway] arp anti-attack check user-bind alarm threshold 80

Step 4 Verify the configuration.
Run the display this command, and you can view the global alarm threshold set for the ARP packets discarded because they do not match the binding table. The alarm threshold takes effect on all interfaces.
<Quidway> display this
#
arp anti-attack check user-bind alarm threshold 80

Run the display arp anti-attack check user-bind interface command, and you can view the configuration of the IP source guard function on the interface.
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 0
<Quidway> display arp anti-attack check user-bind interface gigabitethernet 1/0/2
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
ARP packet drop count = 20

The preceding information indicates that GE 1/0/1 does not discard ARP packets, whereas GE 1/0/2 has discarded ARP packets. This shows that the anti-attack function takes effect.
----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
arp anti-attack check user-bind alarm threshold 80
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10
#
interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
interface gigabitethernet 1/0/2
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address
#
return

5 Source IP Attack Defense Configuration

About This Chapter
This chapter describes the principles and configuration of source IP attack defense.
5.1 Overview of IP Source Guard
This section describes the principle of IP Source Guard.
5.2 IP Source Guard Features Supported by the S9300
This section describes how the IP Source Guard feature is supported in the S9300.
5.3 Configuring IP Source Guard
This section describes how to configure IP source guard.
5.4 Configuring IP Source Trail
This section describes how to configure IP source trail.
5.5 Configuring URPF
This section describes how to configure URPF.
5.6 Maintaining Source IP Attack Defense
This section describes how to maintain source IP attack defense.
5.7 Configuration Examples
This section provides a configuration example of IP source guard.


5.1 Overview of IP Source Guard


This section describes the principle of IP Source Guard.
Source IP address spoofing is a common attack on the network: for example, the attacker impersonates a valid user and sends IP packets to the server, or forges the source IP address of users for communication. As a result, valid users cannot obtain normal network services. To tackle such attacks, the S9300 provides the following methods:
- IP Source Guard
- IP Source Trail
- URPF (Unicast Reverse Path Forwarding)

IP Source Guard
IP source guard is a measure to filter the IP packets on interfaces, so that invalid packets cannot pass through the interfaces and the security of the interfaces is improved. The attacker sends a packet carrying the IP address and MAC address of an authorized user to the server. The server considers the attacker as an authorized user and learns the IP address and MAC address. The actual user, however, cannot obtain service from the server. Figure 5-1 shows the diagram of the IP/MAC spoofing attack.

Figure 5-1 Diagram of IP/MAC spoofing attack (DHCP server IP:1.1.1.1/24 MAC:1-1-1; S9300; Attacker IP:1.1.1.2/24 MAC:2-2-2; DHCP client IP:1.1.1.3/24 MAC:3-3-3; spoofed identity IP:1.1.1.3/24 MAC:3-3-3)

To prevent the IP/MAC spoofing attack, you can configure the IP source guard function on the S9300. Then the S9300 matches the IP packets reaching an interface with the entries in the binding table. If the packets match entries in the binding table, the packets can pass through the interface; otherwise, the packets are discarded.

IP Source Trail
The IP source trail function is a policy for defending against DoS attacks: it traces the source of the attack and takes corresponding measures after judging the traffic to be an attack. In the tracing of the attack sources, the attack sources are judged according to traffic statistics that are collected based on the destination IP address (victim), source IP address, and inbound interface of packets. The main process of the IP Source Trail function is as follows:
1. After confirming that a user is attacked, configure the IP Source Trail function based on the IP address of the user.
2. The CPU of the LPU collects statistics about packets with the destination address being the victim IP address. Such information is regularly sent to the CPU of the main control board or is available upon the request of the main control board. The main control board confirms the attack source based on the received statistics.
3. The administrator configures an ACL on the interface directly connected to the possible attack source and sets the ACL action to deny.

URPF
Unicast Reverse Path Forwarding (URPF) is mainly used to prevent network attacks by blocking packets from bogus source addresses. As shown in Figure 5-2, S9300-A forges packets with the source address 2.1.1.1 and sends a request to S9300-B. S9300-B sends a packet to the real source address 2.1.1.1 to respond to the request. In this way, S9300-A attacks both S9300-B and S9300-C by sending the illegal packet.

Figure 5-2 Diagram of the URPF function (S9300-A 1.1.1.1/24 with forged source address 2.1.1.1/24; S9300-B; S9300-C 2.1.1.1/24)

When a packet is sent to a URPF-enabled interface, URPF obtains the source address and inbound interface of the packet. URPF searches for the entry corresponding to the source address in the forwarding table. If the entry is found, URPF checks whether the outbound interface of that entry is the same as the inbound interface of the packet. If the actual inbound interface is different from the outbound interface found in the forwarding table, the packet is discarded. In this way, URPF can protect the network against vicious attacks initiated by modifying the source address.

5.2 IP Source Guard Features Supported by the S9300


This section describes how the IP Source Guard feature is supported in the S9300.

IP Source Guard
The IP Source Guard feature checks IP packets against the binding table, which contains source IP addresses, source MAC addresses, and VLANs. In addition, the S9300 can check IP packets based on:
l IP+MAC
l IP+VLAN
l IP+MAC+VLAN
l ...


NOTE

IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from users.

The S9300 provides two binding mechanisms:
l After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users.
l When users use static IP addresses, you need to configure the binding table by running commands.
NOTE

For the configurations of DHCP snooping, see 3 DHCP Snooping Configuration.

IP Source Trail
NOTE

Currently, only IPv4 addresses can be traced when the IP Source Trail feature is enabled on the S9300.
l The IP source trail feature of the S9300 is based on destination IP addresses. The IP Source Trail feature is configured according to the IP address of the attacked user. The CPU of the LPU collects statistics about packets with the user IP address as the destination address. Such information is regularly sent to the CPU of the main control board or is available when required by the main control board.
l Querying statistics about the IP Source Trail is supported globally. The global query of the statistics provides a brief mode and a detailed mode:
  l In brief mode, the source address, source interface, total traffic (the number of bytes and packets), and the average rate (bps and pps) of the traffic in a period of time are exported.
  l In detailed mode, the current rate of the traffic, the maximum rate, and the start time and end time of the traffic (the query time is displayed if the traffic has not ended when it is queried) are exported in addition to the information exported in brief mode.
l Querying statistics about the IP Source Trail based on board is supported. When the statistics are queried based on board, the main control board finds the cached statistics result according to the destination IP address and displays the records from the specified board in brief mode.

URPF
URPF only functions at the inbound interface of the S9300. If URPF is enabled on an interface, the URPF check is performed on packets received by the interface. The S9300 supports two URPF check modes: strict check and loose check.
l Strict check: The source addresses of packets must exist in the FIB table of the S9300. Packets can be forwarded only when the outbound interface of the matching FIB entry is the same as the inbound interface of the packets. Otherwise, packets are dropped.
l Loose check: Regardless of whether the source addresses of packets exist in the FIB table of the S9300, or whether the corresponding outbound interfaces match the inbound interfaces of the packets, packets are forwarded.
NOTE

The S9300 supports the checking of the source IPv4 addresses and source IPv6 addresses of the packets passing the inbound interface.

5.3 Configuring IP Source Guard


This section describes how to configure IP source guard.
5.3.1 Establishing the Configuration Task
5.3.2 (Optional) Configuring a Static User Binding Entry
5.3.3 Enabling IP Source Guard
5.3.4 Configuring the Check Items of IP Packets
5.3.5 Checking the Configuration

5.3.1 Establishing the Configuration Task


Applicable Environment
After the IP source guard function is configured on the S9300, the S9300 checks the IP packets according to the binding table. Only the IP packets that match the content of the binding table can be forwarded; the other IP packets are discarded.

Pre-configuration Tasks
Before configuring IP source guard, complete the following tasks:
l 3.3.2 Enabling DHCP Snooping if there are DHCP users

Data Preparation
To configure IP source guard, you need the following data.
No.  Data
1    (Optional) User information in a static binding entry, including the IPv4 or IPv6 address, MAC address, VLAN ID, and interface number of the user
2    Type and number of the interface enabled with the IP source guard function

5.3.2 (Optional) Configuring a Static User Binding Entry


Context
For users who are assigned IP addresses statically, the S9300 cannot automatically learn the MAC addresses of the users or generate binding table entries for them before forwarding their data. You need to create the binding table entries manually.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-bind static { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address }* [ interface interface-type interface-number | vlan vlan-id [ ce-vlan vlan-id ] ]*
A static user binding entry is configured.
----End

5.3.3 Enabling IP Source Guard


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id
The VLAN view is displayed.
Step 3 Run:
ip source check user-bind enable
The IP source guard function is enabled on the interface or in the VLAN. By default, the IP source guard function is not enabled on the interfaces of an S9300 or on the interfaces in a VLAN.
----End

5.3.4 Configuring the Check Items of IP Packets



Context
After the function of checking IP packets is enabled, the S9300 checks the received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. This is a user-side interface. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
Or, run:
vlan vlan-id
The VLAN view is displayed.
Step 3 In the interface view, run:
ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address | vlan }*
Or, in the VLAN view, run:
ip source check user-bind check-item { [ ip-address | ipv6-address ] | mac-address | interface }*
The check items of IP packets are configured. When receiving an IP packet, the interface checks the IP packet according to the check items: the source IPv4 or IPv6 address, source MAC address, VLAN, or a combination of these items. If the IP packet matches the binding table according to the check items, the packet is forwarded; otherwise, the packet is discarded. By default, the check items consist of the IPv4 address, IPv6 address, MAC address, VLAN ID, and interface number.
NOTE
This command is valid only for dynamic binding entries.

----End
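As an added illustration (example code written for this edit, not part of the guide and not Huawei's implementation), the following Python model shows how the check items decide whether a packet matches a binding entry. The binding table is constructed from the Host A values used in the configuration example in 5.7.1 plus one IPv6 entry; the class and function names are hypothetical. It also shows the caveat behind the default check items: with only ip-address and mac-address configured, a packet that forges both the IP address and the MAC address of Host A on another interface is accepted, while keeping interface (or vlan) among the check items rejects it.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Hypothetical model of the binding table and the check-item logic (example code,
# not the S9300's implementation). Sample entries are constructed from the
# Host A values used in the configuration example in 5.7.1.

@dataclass(frozen=True)
class Binding:
    ip: str                          # IPv4 or IPv6 address of the user
    mac: str                         # MAC in the "0001-0001-0001" notation
    vlan: Optional[int] = None       # None: no VLAN recorded in the entry
    interface: Optional[str] = None  # None: no interface recorded in the entry

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str

# Default check items as the guide lists them: IPv4, IPv6, MAC, VLAN ID, interface.
DEFAULT_ITEMS = frozenset({"ip-address", "ipv6-address", "mac-address", "vlan", "interface"})

# Constructed binding table: Host A (static) plus one IPv6 user.
TABLE = [
    Binding("10.0.0.1", "0001-0001-0001", vlan=10, interface="GE1/0/1"),
    Binding("2001:db8::1", "0003-0003-0003", vlan=10, interface="GE1/0/3"),
]

def _ip_item_ok(binding_ip, pkt_ip, items):
    """Compare addresses only if the packet's address family is a check item."""
    p = ip_address(pkt_ip)
    item = "ip-address" if p.version == 4 else "ipv6-address"
    if item not in items:
        return True
    # ip_address() canonicalises text, so "2001:DB8::1" equals "2001:db8::1";
    # an IPv4 binding never equals an IPv6 packet address.
    return ip_address(binding_ip) == p

def source_guard_check(pkt, table=TABLE, items=DEFAULT_ITEMS):
    """True if some binding entry matches the packet on every configured check item."""
    for b in table:
        if not _ip_item_ok(b.ip, pkt.src_ip, items):
            continue
        if "mac-address" in items and b.mac.lower() != pkt.src_mac.lower():
            continue
        if "vlan" in items and b.vlan is not None and b.vlan != pkt.vlan:
            continue
        if "interface" in items and b.interface is not None and b.interface != pkt.interface:
            continue
        return True          # every configured item matched this entry: forward
    return False             # no entry matched: discard

if __name__ == "__main__":
    host_a = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")
    host_b = Packet("10.0.0.1", "0002-0002-0002", 10, "GE1/0/2")   # forges Host A's IP only
    forged = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/2")   # forges IP and MAC
    weak = frozenset({"ip-address", "mac-address"})
    print(source_guard_check(host_a, items=weak), source_guard_check(host_b, items=weak))
    print(source_guard_check(forged, items=weak), source_guard_check(forged))
```

The last line of the demonstration prints True for the weak item set and False for the default item set: the interface recorded in the static entry is what ties Host A's addresses to GE 1/0/1.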

5.3.5 Checking the Configuration


Prerequisite
The configurations of IP source guard are complete.

Procedure
Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } * } command to view information about the binding table.
Step 2 Run the display ip source check user-bind interface interface-type interface-number command to view the configuration of the IP source guard function on the interface.
----End

5.4 Configuring IP Source Trail


This section describes how to configure IP source trail.
5.4.1 Establishing the Configuration Task
5.4.2 Configuring IP Source Trail Based on the Destination IP Address
5.4.3 Checking the Configuration

5.4.1 Establishing the Configuration Task


Applicable Environment
When a user host is under attack, you can configure IP source trail on the S9300 connected to the host to trace the attack source and take defense measures after confirming the attack source.

CAUTION
If the NetStream function is enabled on the S9300, the IP source trail function cannot be configured. To enable the IP source trail function, you must disable the NetStream function first. If the IP source trail function is enabled, the NetStream function cannot be enabled. For the configuration of the NetStream function, see NetStream Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Network Management.

Pre-configuration Tasks
Before configuring IP source trail, complete the following tasks:
l Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces
l Ensuring that the NetStream function is disabled on the S9300

Data Preparation
To configure IP source trail, you need the following data.
No.  Data
1    Destination IP address of the attacked user host

5.4.2 Configuring IP Source Trail Based on the Destination IP Address


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip source-trail ip-address ip-address
IP source trail based on the destination IP address is configured.
----End

5.4.3 Checking the Configuration


Prerequisite
The configurations of IP source trail are complete.

Procedure
l Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.

----End

Example
Run the display ip source-trail command, and you can view the statistics on IP source trail.
<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr          SrcIF       Bytes       Pkts        Bits/s      Pkts/s
----------------------------------------------------------------------
198.19.1.8       GE2/0/1     5.151M      114.681K    5.222M      14.534K
198.19.1.11      GE2/0/1     4.825M      107.420K    5.223M      14.535K
198.19.1.7       GE2/0/1     4.433M      98.708K     5.223M      14.537K
198.19.1.5       GE2/0/1     2.868M      63.861K     5.227M      14.546K
198.19.1.9       GE2/0/1     2.215M      49.339K     5.230M      14.553K
198.19.1.3       GE2/0/1     1001.083K   21.762K     5.248M      14.605K
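To turn the output above into something an operator can act on, here is an added Python parser (example code written for this edit, not from the guide or Huawei). It reads the brief-mode table, ranks the sources by bytes, and totals bytes per inbound interface, which is the interface on which the deny ACL described in 5.1 would be applied. The sample text is constructed from three rows of the output above. One assumption is labelled in the code: the K/M suffixes are taken as 1024-based, because the row showing 1001.083K would otherwise have been printed as 1.001M.

```python
import re

# Constructed sample in the shape of the display ip source-trail output above
# (three of its rows; not real device output).
SAMPLE = """\
<Quidway> display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr          SrcIF       Bytes       Pkts        Bits/s      Pkts/s
----------------------------------------------------------------------
198.19.1.8       GE2/0/1     5.151M      114.681K    5.222M      14.534K
198.19.1.11      GE2/0/1     4.825M      107.420K    5.223M      14.535K
198.19.1.3       GE2/0/1     1001.083K   21.762K     5.248M      14.605K
"""

# Assumption: 1024-based units. The "1001.083K" row above would have been shown
# as "1.001M" with 1000-based units, so the display appears to use 1024.
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_quantity(text):
    """Convert "5.151M" / "21.762K" / "512" to a float number of base units."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised quantity: {text!r}")
    return float(m.group(1)) * UNIT[m.group(2)]

def parse_source_trail(output):
    """Return (destination, rows); each row is a dict with numeric fields."""
    dest, rows = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination Address:"):
            dest = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # Data rows have six columns and begin with an IPv4 address; the prompt,
        # the column header and the rule line are skipped.
        if len(parts) != 6 or not re.fullmatch(r"\d+(\.\d+){3}", parts[0]):
            continue
        rows.append({
            "src": parts[0], "ifname": parts[1],
            "bytes": parse_quantity(parts[2]), "pkts": parse_quantity(parts[3]),
            "bps": parse_quantity(parts[4]), "pps": parse_quantity(parts[5]),
        })
    return dest, rows

def top_sources(rows, n=3):
    """Source addresses ranked by total bytes, largest first."""
    return [r["src"] for r in sorted(rows, key=lambda r: r["bytes"], reverse=True)[:n]]

def bytes_per_interface(rows):
    """Aggregate bytes by inbound interface: where a deny ACL would be applied."""
    totals = {}
    for r in rows:
        totals[r["ifname"]] = totals.get(r["ifname"], 0.0) + r["bytes"]
    return totals

if __name__ == "__main__":
    dest, rows = parse_source_trail(SAMPLE)
    print(dest, top_sources(rows), bytes_per_interface(rows))
```

Because the brief mode only reports an average rate over the collection period, a source that started late can show a small byte count but a high Bits/s value; ranking by bytes and by bps separately before acting avoids overlooking it.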

5.5 Configuring URPF


This section describes how to configure URPF.
5.5.1 Establishing the Configuration Task
5.5.2 Enabling URPF
5.5.3 Setting the URPF Check Mode on an Interface
5.5.4 (Optional) Disabling URPF for the Specified Traffic
5.5.5 Checking the Configuration

5.5.1 Establishing the Configuration Task


Applicable Environment
To prevent source address spoofing attacks on a network, you can configure URPF to check whether the source IP address of a packet matches the incoming interface. If the source IP address matches the incoming interface, the source IP address is considered valid and the packets are allowed to pass; otherwise, the source IP address is considered forged and the packets are discarded.

Pre-configuration Tasks
Before configuring URPF, complete the following task:
l Setting parameters of the link layer protocol and IP addresses for the interfaces to ensure that the link layer protocol is in Up state on the interfaces

Data Preparation
To configure URPF, you need the following data.
No.  Data
1    Slot number of the LPU where URPF needs to be enabled
2    Type and number of the interface
3    URPF check mode

5.5.2 Enabling URPF


Context
You can perform URPF configurations on an interface only after enabling global URPF on an LPU.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
urpf slot slot-number
URPF is enabled on an LPU. By default, URPF is disabled on an LPU.
----End

5.5.3 Setting the URPF Check Mode on an Interface


Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The URPF check function can be configured on GE interfaces and Eth-Trunks of the S9300.
NOTE
URPF needs to be configured on the physical interface, because URPF is implemented on the physical interface.

Step 3 Run:
urpf { loose | strict } [ allow-default-route ]
The URPF check mode is configured on the interface. URPF determines how a default route is treated according to whether allow-default-route is specified.
l When the allow-default-route parameter is not specified and the source address of a packet does not exist in the FIB table, the packet is discarded in both URPF strict and loose check mode, even if a matching default route is found.
l When the allow-default-route parameter is specified and the source address of a packet does not exist in the FIB table:
  l In URPF strict check mode, the packet passes the URPF check and is forwarded if the outgoing interface of the default route is the same as the incoming interface of the packet; otherwise, the packet is discarded.
  l In URPF loose check mode, the packet passes the URPF check and is forwarded regardless of whether the outgoing interface of the default route is the same as the incoming interface of the packet.
----End
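The following added Python model (example code written for this edit, not from the guide or Huawei; the FIB, prefixes and interface names are constructed) implements the strict and loose checks together with the allow-default-route rules above, using a longest-prefix-match lookup. One assumption is labelled in the code: a source that matches only the default route is treated as absent from the FIB, so without allow-default-route it is dropped in both modes, as Step 3 describes; with allow-default-route, strict mode additionally requires the default route's outgoing interface to equal the incoming interface.

```python
from ipaddress import ip_address, ip_network

# Hypothetical model of the URPF check (example code, not the S9300's implementation).
# The FIB below is constructed: the user network sits behind GE2/0/0, the ISP behind
# GE1/0/0, and 0.0.0.0/0 is the default route towards the ISP.
FIB = [
    ("10.1.0.0/16", "GE2/0/0"),
    ("192.0.2.0/24", "GE1/0/0"),
    ("0.0.0.0/0", "GE1/0/0"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns (network, outbound interface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, oif in fib:
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best

def urpf_check(src_ip, in_if, mode, allow_default_route=False, fib=FIB):
    """True if the packet passes the check; mode is "strict" or "loose".

    Assumption: a source that matches only the default route counts as "not in
    the FIB" for the allow-default-route rules and is dropped in both modes
    unless allow-default-route is configured.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown URPF mode: {mode!r}")
    hit = lookup(fib, src_ip)
    if hit is None:
        return False                       # no route at all for the source
    net, oif = hit
    if net.prefixlen == 0 and not allow_default_route:
        return False                       # matched only the default route
    if mode == "loose":
        return True                        # any route (or permitted default) suffices
    return oif == in_if                    # strict: outbound must equal inbound

if __name__ == "__main__":
    # A packet arriving on the user-side interface but claiming an ISP-side
    # address is rejected in strict mode even with allow-default-route, because
    # the default route points back out of GE1/0/0.
    print(urpf_check("203.0.113.9", "GE2/0/0", "strict", allow_default_route=True))  # False
    print(urpf_check("10.1.2.3", "GE2/0/0", "strict"))                                  # True
```

The model also makes the trade-off of loose mode visible: with allow-default-route, loose mode accepts every source for which any route exists, so on an interface that carries a default route it filters nothing; strict mode on a symmetric link, as recommended in 5.7.3, is what actually blocks the spoofed packet.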

5.5.4 (Optional) Disabling URPF for the Specified Traffic


Context
After the URPF function is enabled on an interface, the S9300 performs the URPF check on all traffic passing through the interface. To prevent the packets of a certain type from being discarded, you can disable the URPF check for these packets. For example, if the S9300 is configured to trust all the packets from a certain server, the S9300 does not check these packets.
NOTE

Only the S9300 installed with an EA/EC/ED LPU supports this function.

To disable the URPF function, you need to run commands in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy.

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
Step 3 Run:
ip urpf disable
The URPF function is disabled for the traffic behavior. By default, the URPF function is enabled in a traffic behavior. After the URPF function is enabled on an interface, the S9300 performs the URPF check on all traffic passing through the interface. If you need to disable the URPF check for some of that traffic, run this command in the traffic behavior view and associate the traffic behavior and a traffic classifier with a traffic policy. When the traffic policy is applied globally, or applied to a board, an interface, or a VLAN, the S9300 does not perform the URPF check on the traffic that matches the traffic classifier rules. For the configuration procedures of traffic classifiers and traffic policies, see Class-based QoS Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
----End

5.5.5 Checking the Configuration



Prerequisite
The configurations of URPF are complete.

Procedure
l Run the display this command in the interface view to check whether URPF is enabled on the current interface.

----End

Example
Run the display this command to check whether URPF is enabled on GE 1/0/0.
[Quidway-GigabitEthernet1/0/0] display this
#
interface GigabitEthernet1/0/0
 urpf loose allow-default-route
#
return

5.6 Maintaining Source IP Attack Defense


This section describes how to maintain source IP attack defense.
5.6.1 Clearing the Statistics on IP Source Trail

5.6.1 Clearing the Statistics on IP Source Trail


Context
All the statistical entries on IP source trail are null upon query after the reset command is run to clear the statistics on IP source trail.

Procedure
l Run the reset ip source-trail command to clear all the statistics on IP source trail.
l Run the reset ip source-trail ip-address ip-address command to clear the statistics on IP source trail based on a tracing instance.

----End

5.7 Configuration Examples


This section provides configuration examples of IP source guard, IP source trail, and URPF.
5.7.1 Example for Configuring IP Source Guard
5.7.2 Example for Configuring IP Source Trail
5.7.3 Example for Configuring URPF

5.7.1 Example for Configuring IP Source Guard


Networking Requirements
As shown in Figure 5-3, Host A is connected to the S9300 through GE 1/0/1 and Host B is connected to the S9300 through GE 1/0/2. You need to configure the IP source guard function on the S9300 so that Host B cannot forge the IP address and MAC address of Host A, and the IP packets from Host A can be sent to the server.
Figure 5-3 Networking diagram for configuring IP source guard
[Figure: Server - S9300 (GE1/0/1 to Host A, GE1/0/2 to Host B); Host A: IP 10.0.0.1/24, MAC 1-1-1; Host B (attacker): IP 10.0.0.2/24, MAC 2-2-2, sending packets with SIP 10.0.0.1/24 and SMAC 2-2-2]

Configuration Roadmap
Assume that the user is configured with a static IP address. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
2. Configure the check items of IP packets.
3. Configure a static binding table.

Data Preparation
To complete the configuration, you need the following data:
l Interface connected to Host A: GE 1/0/1; interface connected to Host B: GE 1/0/2
l Check items: IP address and MAC address
l IP address of Host A: 10.0.0.1/24; MAC address of Host A: 1-1-1
l VLAN where Host A resides: VLAN 10
NOTE

This configuration example provides only the commands related to the IP Source Guard configuration.


Procedure
Step 1 Enable the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to Host A.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/1] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit

# Enable the IP source guard function on GE 1/0/2 connected to Host B.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] ip source check user-bind enable
[Quidway-GigabitEthernet1/0/2] ip source check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/2] quit

Step 2 Configure the static binding table.
# Configure Host A in the static binding table.
[Quidway] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/0/1 vlan 10

Step 3 Verify the configuration.
Run the display user-bind all command on the S9300 to view information about the binding table.
<Quidway> display user-bind all
bind-table:
ifname        vsi    O/I-vlan    mac-address       ip-address    tp   lease
-------------------------------------------------------------------------------
GE1/0/1       -      10/--       0001-0001-0001    10.0.0.1      S    0
-------------------------------------------------------------------------------
Static binditem count: 1
Static binditem total count: 1

The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.
----End

Configuration Files
#
 sysname Quidway
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet 1/0/1 vlan 10
#
interface GigabitEthernet 1/0/1
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
interface GigabitEthernet 1/0/2
 ip source check user-bind enable
 ip source check user-bind check-item ip-address mac-address
#
return

5.7.2 Example for Configuring IP Source Trail



Networking Requirements
As shown in Figure 5-4, User A is connected to GE 1/0/1 on the S9300. It is required that IP source trail be enabled on the S9300 so that the attack source can be traced after User A suffers a DoS attack.
Figure 5-4 Networking diagram for configuring IP source trail
[Figure: ISP - S9300 - GE1/0/1 - User A (10.0.0.3)]

Configuration Roadmap
Configure IP source trail in the system view of the S9300.

Data Preparation
To complete the configuration, you need the following data:
l Interface connecting the S9300 and the user host: GE 1/0/1
l IP address of the attacked user host: 10.0.0.3

Procedure
Step 1 Configure IP source trail based on the destination IP address.
<Quidway> system-view
[Quidway] ip source-trail ip-address 10.0.0.3

Step 2 Verify the configuration.
Run the display ip source-trail ip-address ip-address command, and you can view the trace result for 10.0.0.3.
<Quidway> display ip source-trail ip-address 10.0.0.3
Destination Address: 10.0.0.3
SrcAddr          SrcIF       Bytes       Pkts        Bits/s      Pkts/s
----------------------------------------------------------------------
192.10.1.11      GE1/0/2     4.825M      107.420K    5.223M      14.535K
101.1.1.17       GE2/0/1     4.433M      98.708K     5.223M      14.537K
101.1.1.5        GE2/0/1     2.868M      63.861K     5.227M      14.546K
198.19.1.9       GE3/0/1     2.215M      49.339K     5.230M      14.553K
198.19.1.3       GE3/0/1     1001.083K   21.762K     5.248M      14.605K

----End

Configuration Files
#
 sysname Quidway
#
ip source-trail ip-address 10.0.0.3
#
return

5.7.3 Example for Configuring URPF


Networking Requirements
As shown in Figure 5-5, the S9300 is connected to the router of the ISP through GE 1/0/0 and to the user network through GE 2/0/0. To protect the S9300 against source address attacks from the user side, you need to enable the URPF check function and default route matching on the S9300.
Figure 5-5 Networking diagram for configuring URPF
[Figure: User network - GE2/0/0 - S9300 - GE1/0/0 - ISP]

Configuration Roadmap
Enable URPF on user side interface GE 2/0/0 of the S9300.

Data Preparation
To complete the configuration, you need the following data:
l URPF strict check mode


NOTE

As shown in Figure 5-5, the networking of symmetric routes is adopted. URPF strict check is recommended in the case of symmetric routes.

The URPF takes effect when the unicast route functions normally. The following configuration procedure lists only URPF-related configurations, and the configurations of IP addresses and unicast route are not mentioned.

Procedure
Step 1 Enable URPF on an LPU.
<Quidway> system-view
[Quidway] urpf slot 2

Step 2 Set the URPF check mode on an interface.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] urpf strict allow-default-route

Step 3 Verify the configuration.
Run the display this command in the view of GE 2/0/0 to view the URPF configuration.
[Quidway-GigabitEthernet2/0/0] display this
#
interface GigabitEthernet2/0/0
 urpf strict allow-default-route
#
return

----End

Configuration Files
#
 sysname Quidway
#
urpf slot 2
#
interface GigabitEthernet2/0/0
 urpf strict allow-default-route
#
return


6 Local Attack Defense Configuration

About This Chapter
This chapter describes the principle and configuration of local attack defense.
6.1 Overview of Local Attack Defense
This section describes the principle of the local attack defense.
6.2 Local Attack Defense Features Supported by the S9300
This section describes how the local attack defense feature is supported in the S9300.
6.3 Configuring the Attack Defense Policy
This section describes how to configure the attack defense policy.
6.4 Configuring Attack Source Tracing
After the attack source tracing function is configured, the system can actively defend against possible attack packets by analyzing whether packets directed at the CPU attack the CPU.
6.5 Maintaining the Attack Defense Policy
This section describes how to clear statistics about the attack sources and the packets sent to the CPU.
6.6 Configuration Examples
This section provides several configuration examples of the attack defense policy.


6.1 Overview of Local Attack Defense


This section describes the principle of the local attack defense.
With the development and wide application of networks, users pose higher requirements for the security of the network and network devices. On the network, a large number of packets, including malicious attack packets, are sent to the Central Processing Unit (CPU). These packets cause high CPU usage, degrade system performance, and affect service provisioning. Malicious packets that aim at attacking the CPU keep the CPU busy processing the attack packets for a long period; as a result, other normal services are interrupted and the system may even fail.
To protect the CPU and enable it to process and respond to normal services, the packets sent to the CPU need to be limited: for example, by filtering and classifying packets to be sent to the CPU, limiting the number and rate of such packets, and setting the priority of such packets. Packets that do not conform to the configured rules are discarded directly to ensure that the CPU can process normal services.
The local attack defense feature of the S9300 is specially designed for packets directed at the CPU. It is mainly used to protect the S9300 from attacks and ensure that the existing services continue to run normally during attacks.

6.2 Local Attack Defense Features Supported by the S9300


This section describes how the local attack defense feature is supported in the S9300. The S9300 implements the local attack defense feature through the following methods:
l Whitelist: A whitelist refers to a group of valid users or users with high priorities. You can set the whitelist by defining ACLs. Packets matching the whitelist are then sent first, so existing services and user services with high priority are protected. Valid users that normally access the system and users with high priority can be added to the whitelist.
l Blacklist: A blacklist refers to a group of invalid users. You can define the blacklist through ACL rules. Packets matching the blacklist are then discarded. Invalid users that are involved in attacks can be added to the blacklist.
l User-defined flows: Users can define ACL rules for user-defined flows. When unknown attacks occur on the network, you can flexibly specify the characteristics of the attack data flows and limit the data flows that match the specified characteristics.
l CAR: CAR is used to set the rate at which classified packets are sent to the CPU. You can set the committed information rate (CIR, also called the average rate) and the committed burst size (CBS). By setting different CAR rules for different packets, you can reduce the interference between different packets and protect the CPU. CAR can also be used to set the total rate of packets sent to the CPU. When the total rate exceeds the upper limit, the system discards the packets, avoiding CPU overload.
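As an added example (written for this edit; not code from the guide or Huawei), the following Python model shows how the four mechanisms above fit together for one packet headed to the CPU: whitelist first, then blacklist, then a user-defined flow with its own CAR, then the total CAR towards the CPU. ACLs are reduced to prefix lists and CAR to a token bucket with a CIR and a CBS; the class names, addresses, rates and packet sequence are constructed, and rates are in bytes per second rather than the kbit/s a real CIR is configured in.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model of the whitelist, blacklist, user-defined flows and CAR
# (example code, not the S9300's implementation). ACLs are reduced to prefix
# lists, rates are bytes per second and the CBS is in bytes, so the arithmetic
# stays visible; a real CIR is configured in kbit/s.

@dataclass
class TokenBucket:
    cir: float                                   # committed information rate, bytes/s
    cbs: float                                   # committed burst size, bytes
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.cbs                   # the bucket starts full

    def conform(self, size, now):
        """Refill for the elapsed time, then debit the packet if it fits."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                             # over the CAR: discard

def _in_any(src, prefixes):
    a = ip_address(src)
    return any(a in ip_network(p) for p in prefixes)

@dataclass
class CpuDefendPolicy:
    whitelist: list            # constructed prefix lists standing in for ACLs
    blacklist: list
    user_flows: dict           # flow id -> (prefix list, TokenBucket)
    total_car: TokenBucket     # overall rate limit towards the CPU

    def admit(self, src, size, now):
        """Return (admitted, reason) for one packet destined for the CPU."""
        if _in_any(src, self.whitelist):
            return True, "whitelist"             # sent first; no CAR or deny applies
        if _in_any(src, self.blacklist):
            return False, "blacklist"            # discarded outright
        for flow_id, (prefixes, bucket) in self.user_flows.items():
            if _in_any(src, prefixes):
                if not bucket.conform(size, now):
                    return False, f"car-exceeded:{flow_id}"
                break                            # first matching flow wins
        if not self.total_car.conform(size, now):
            return False, "total-car-exceeded"
        return True, "forwarded-to-cpu"

def demo():
    """Constructed sequence of packets; returns the reason for each verdict."""
    policy = CpuDefendPolicy(
        whitelist=["10.0.0.0/24"],
        blacklist=["192.0.2.0/24"],
        user_flows={1: (["203.0.113.0/24"], TokenBucket(cir=1000, cbs=1500))},
        total_car=TokenBucket(cir=10000, cbs=100000),
    )
    events = [                                   # (source, size in bytes, time in s)
        ("10.0.0.5", 5000, 0.0),                 # whitelisted: a large burst still passes
        ("192.0.2.7", 64, 0.0),                  # blacklisted
        ("203.0.113.5", 1000, 0.0),              # flow 1: 1500 tokens -> 500
        ("203.0.113.5", 1000, 0.0),              # flow 1: only 500 tokens left
        ("203.0.113.5", 1000, 1.0),              # flow 1: refilled to 1500 after 1 s
        ("198.51.100.9", 64, 1.0),               # no flow: only the total CAR applies
    ]
    return [policy.admit(*e)[1] for e in events]

if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: a whitelisted source never reaches a CAR, which is why the whitelist should be limited to traffic that must not be dropped under load (the guide's "valid users ... with high priority"), and the per-flow bucket lets an unknown attack be rate-limited without touching the budget of the other packets sent to the CPU.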


6.3 Configuring the Attack Defense Policy


This section describes how to configure the attack defense policy.
6.3.1 Establishing the Configuration Task
6.3.2 Creating an Attack Defense Policy
6.3.3 Configuring the Whitelist
6.3.4 Configuring the Blacklist
6.3.5 Configuring User-Defined Flows
6.3.6 Configuring the Rule for Sending Packets to the CPU
6.3.7 Applying the Attack Defense Policy
6.3.8 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
When a large number of users access the S9300, the CPU of the S9300 may be attacked by the packets sent by attackers or the CPU needs to process a large number of packets.

Pre-configuration Tasks
Before configuring an attack defense policy, complete the following tasks.
l Connecting interfaces and setting the physical parameters of each interface to make the physical layer in Up state
l (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible plug-in card on the main control board

Data Preparation
To configure an attack defense policy, you need the following data.
No.  Data
1    Number and description of the attack defense policy
2    Number and rules of the ACL for blacklisted users
3    Number of the user-defined flow
4    CIR and CBS of the packets sent to the CPU
5    Number of the LPU to which the attack defense policy is applied


6.3.2 Creating an Attack Defense Policy


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.

----End

6.3.3 Configuring the Whitelist


Context
You can create a whitelist and add users that match a specified characteristic to it. The system always lets the packets of whitelist users through and forwards them first. CAR and deny cannot be configured for the packets of whitelist users. The S9300 lets you define the whitelist flexibly through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
whitelist whitelist-id acl acl-number

The user-defined whitelist is created. The ACL used by the whitelist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For details on ACL configuration, see 11.3 Configuring an ACL.

By default, no whitelist is configured on the S9300.

----End

6.3.4 Configuring the Blacklist



Context
You can create a blacklist and add users that match a specified characteristic to it. Packets sent by users in the blacklist are discarded by default. The S9300 lets you define the blacklist flexibly through ACLs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
blacklist blacklist-id acl acl-number

A customized blacklist is created. The ACL used by the blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.

By default, no blacklist is configured on the S9300.

----End

6.3.5 Configuring User-Defined Flows


Context
The S9300 supports binding a user-defined flow to an ACL rule. When an unknown attack appears on the network, the S9300 can identify the characteristics of the attack flows and rate-limit the flows that match the specified characteristic.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
user-defined-flow flow-id acl acl-number

The ACL rule of the user-defined flow is set. The S9300 has eight user-defined flows. By default, no ACL rule is configured for user-defined flows.

The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.

----End

6.3.6 Configuring the Rule for Sending Packets to the CPU


Context
NOTE

The rule applied to the same packet sent to the CPU can be car or deny. If both car and deny are set, the latest setting takes effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 (Optional) Run:
car { packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ] *

CAR is configured for packets destined for the CPU and the rate threshold is set.

Step 4 (Optional) Run:
deny { packet-type packet-type | user-defined-flow flow-id }

The action performed for the packets destined for the CPU is set to deny.

By default, CAR is set on the S9300 for packets destined for the CPU. The default CAR can be viewed through the display cpu-defend configuration command.

----End

6.3.7 Applying the Attack Defense Policy


Context
The attack defense policy can be applied to the main control board or all the LPUs in the system view or to the specified LPU in the slot view.
NOTE

When the attack defense policy is applied on the LPU, the cpu-defend-policy command is run in either the system view or the slot view. That is, if the cpu-defend-policy command is run in the system view and global is specified, the cpu-defend-policy command cannot be run in the slot view. In a similar manner, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with specified global cannot be run in the system view.


Procedure
• Applying the attack defense policy in the system view

1. Run:
system-view

The system view is displayed.

2. Run:
cpu-defend-policy policy-number [ global ]

An attack defense policy is applied.

If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application. If you specify global in the command, the attack defense policy is applied on all the LPUs.

• Applying the attack defense policy in the slot view

1. Run:
system-view

The system view is displayed.

2. Run:
slot slot-id

The slot view is displayed.

3. Run:
cpu-defend-policy policy-number

An attack defense policy is applied. The attack defense policy applied in the slot view takes effect only on the LPU in this slot.

----End

6.3.8 Checking the Configuration


Procedure
• Run the display cpu-defend policy command to view the information about the attack defense policy.
• Run the display cpu-defend [ packet-type ] statistics [ all | slot slot-id ] command to view statistics about packets directed at the CPU.

----End

Example
Run the display cpu-defend policy 8 command to view the information about attack defense policy 8.
<Quidway> display cpu-defend policy 8
 Number        : 8
 Description   : arp defend attack
 Related slot  : <4>
 Configuration :
 Car user-defined-flow 1 : CIR(64)  CBS(10000)
 Car user-defined-flow 2 : CIR(64)  CBS(10000)
 Car user-defined-flow 3 : CIR(64)  CBS(10000)
 Car user-defined-flow 4 : CIR(64)  CBS(10000)
 Car user-defined-flow 5 : CIR(64)  CBS(10000)
 Car user-defined-flow 6 : CIR(64)  CBS(10000)
 Car user-defined-flow 7 : CIR(64)  CBS(10000)
 Car user-defined-flow 8 : CIR(64)  CBS(10000)

Run the display cpu-defend tcp statistics slot 4 command to view statistics about TCP packets directed at the CPU.
<Quidway> display cpu-defend tcp statistics slot 4
CPCAR on slot 4
-------------------------------------------------------------------------------
Packet Type        Pass(Bytes)     Drop(Bytes)   Pass(Packets)   Drop(Packets)
tcp                          0               0               0               0
-------------------------------------------------------------------------------

6.4 Configuring Attack Source Tracing


After the attack source tracing function is configured, the system can actively defend against possible attack packets by analyzing whether packets directed at the CPU are attacking the CPU.

6.4.1 Establishing the Configuration Task
6.4.2 Creating an Attack Defense Policy
6.4.3 Enabling the Automatic Attack Source Tracing
6.4.4 Configuring the Threshold of Attack Source Tracing
6.4.5 (Optional) Configuring the Attack Source Alarm Function
6.4.6 Applying the Attack Defense Policy
6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
A large number of attack packets may attack the CPUs of devices on the network. Attack source tracing, as a means of proactive attack defense, actively defends against possible attack packets by analyzing whether the packets directed at the CPU may attack the CPU.

Pre-configuration Tasks
Before configuring attack source tracing, complete the following tasks.

• Connecting interfaces and setting the physical parameters of each interface to make the physical layer Up
• (Optional) If the attack defense policy needs to be applied to the main control board, installing a flexible service unit on the main control board

Data Preparation
To configure attack source tracing, you need the following data.

No.  Data
1    Number and description of the attack defense policy
2    Rate checking threshold in attack source tracing
3    Rate alarm threshold in attack source tracing
4    Number of the LPU to which the attack defense policy is applied

6.4.2 Creating an Attack Defense Policy


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is set.

----End

6.4.3 Enabling the Automatic Attack Source Tracing


Context
The other attack source tracing settings, such as the checking threshold and the alarm threshold, can be configured after the automatic attack source tracing function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend enable

The automatic attack source tracing function is enabled.

----End

6.4.4 Configuring the Threshold of Attack Source Tracing


Context
After the threshold of attack source tracing is configured, a log is recorded when the number of packets sent by a possible attack source in a given period exceeds the threshold. The S9300 supports source tracing of the ARP, DHCP, and IGMP packets sent to the CPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend threshold threshold-value

The threshold of attack source tracing is configured. By default, the threshold of attack source tracing is 128 pps.

----End

6.4.5 (Optional) Configuring the Attack Source Alarm Function


Context
After the attack source alarm function is enabled, a trap is sent to the Network Management System (NMS) when the number of packets sent by the possible attack source in a given period exceeds the alarm threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
auto-defend alarm enable

The attack source alarm function is enabled.

Step 4 Run:
auto-defend alarm threshold threshold-value

The threshold of the attack source alarm function is set. By default, the threshold of the attack source alarm function is 128 pps.

----End
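The tracing and alarm thresholds of 6.4.3 to 6.4.5, modelled as a per-source rate check over the ARP, DHCP and IGMP packets sent to the CPU. This is an added example, not S9300 code: it counts packets per source (interface, outer/inner VLAN, MAC) per one-second interval, which is an assumed measurement period; the 128 pps defaults and the sample source are taken from the guide.

```python
"""Attack source tracing as a per-source rate check. Constructed model of the
behaviour described in 6.4.3 to 6.4.5, not S9300 code: ARP, DHCP and IGMP
packets sent to the CPU are counted per source (interface, outer/inner VLAN,
MAC) per one-second interval; a source above the tracing threshold produces a
log line, and above the alarm threshold a trap, when each function is enabled.
The 128 pps defaults are the guide's; the one-second interval is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

TRACED_TYPES = ("ARP", "DHCP", "IGMP")   # packet types the guide says are traced
DEFAULT_THRESHOLD_PPS = 128
DEFAULT_ALARM_THRESHOLD_PPS = 128


@dataclass(frozen=True)
class Source:
    interface: str
    outer_vlan: int
    inner_vlan: int
    mac: str

    def __str__(self) -> str:
        return f"{self.interface} {self.outer_vlan}/{self.inner_vlan} {self.mac}"


@dataclass
class AutoDefend:
    """auto-defend enable / threshold / alarm enable / alarm threshold."""
    enabled: bool = False
    threshold_pps: int = DEFAULT_THRESHOLD_PPS
    alarm_enabled: bool = False
    alarm_threshold_pps: int = DEFAULT_ALARM_THRESHOLD_PPS


def trace(cfg: AutoDefend, packets):
    """packets: iterable of (time_s, Source, packet_type).
    Returns (totals per source and type, log lines, trap lines)."""
    totals = defaultdict(lambda: defaultdict(int))   # like display auto-defend attack-source
    per_second = defaultdict(lambda: defaultdict(int))
    logs, traps = [], []
    if not cfg.enabled:            # nothing is traced until auto-defend enable
        return totals, logs, traps
    for t, src, ptype in packets:
        if ptype not in TRACED_TYPES:
            continue
        totals[src][ptype] += 1
        totals[src]["TOTAL"] += 1
        per_second[int(t)][src] += 1
    for sec in sorted(per_second):
        for src, n in per_second[sec].items():
            if n > cfg.threshold_pps:
                logs.append(f"t={sec}s {src}: {n} pps > threshold {cfg.threshold_pps}")
            if cfg.alarm_enabled and n > cfg.alarm_threshold_pps:
                traps.append(f"t={sec}s {src}: {n} pps > alarm threshold {cfg.alarm_threshold_pps}")
    return totals, logs, traps


def sample_traffic():
    """Constructed: an ARP flood from one host at 300 pps for 2 s (the
    interface/VLAN/MAC are those in the guide's display output) plus a quiet
    host sending 5 DHCP packets per second."""
    flooder = Source("GigabitEthernet3/0/0", 199, 299, "0003-5556-3244")
    quiet = Source("GigabitEthernet3/0/1", 199, 300, "0003-5556-0001")
    pkts = [(i / 300, flooder, "ARP") for i in range(600)]
    pkts += [(i / 5, quiet, "DHCP") for i in range(10)]
    pkts += [(0.5, quiet, "TCP")]      # not a traced type, ignored
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    cfg = AutoDefend(enabled=True, alarm_enabled=True, alarm_threshold_pps=200)
    totals, logs, traps = trace(cfg, sample_traffic())
    for src, counts in totals.items():
        print(src, dict(counts))
    print("\n".join(logs + traps))
```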

6.4.6 Applying the Attack Defense Policy


Context
The attack defense policy can be applied to the main control board or all the LPUs in the system view or to the specified LPU in the slot view.
NOTE

When the attack defense policy is applied on the LPU, the cpu-defend-policy command is run in either the system view or the slot view. That is, if the cpu-defend-policy command is run in the system view and global is specified, the cpu-defend-policy command cannot be run in the slot view. In a similar manner, if the cpu-defend-policy command is run in the slot view, the cpu-defend-policy command with specified global cannot be run in the system view.

Procedure
• Applying the attack defense policy in the system view

1. Run:
system-view

The system view is displayed.

2. Run:
cpu-defend-policy policy-number [ global ]

An attack defense policy is applied.

If you do not specify global in the command, the attack defense policy is applied on the main control board. A flexible plug-in card needs to be installed on the main control board to support the application. If you specify global in the command, the attack defense policy is applied on all the LPUs.

• Applying the attack defense policy in the slot view

1. Run:
system-view

The system view is displayed.

2. Run:
slot slot-id

The slot view is displayed.

3. Run:
cpu-defend-policy policy-number

An attack defense policy is applied. The attack defense policy applied in the slot view takes effect only on the LPU in this slot.

----End

6.4.7 Checking the Configuration


Procedure
• Run the display cpu-defend policy policy-number command to view the attack defense policy.
• Run the display auto-defend attack-source [ slot slot-id ] command to view the list of attack sources configured globally or in a specified slot.

----End

Example
Run the display cpu-defend policy 8 command to view the information about attack defense policy 8.
<Quidway> display cpu-defend policy 8
 Number        : 8
 Description   : arp defend attack
 Related slot  : <4>
 Configuration :
 Car user-defined-flow 1 : CIR(64)  CBS(10000)
 Car user-defined-flow 2 : CIR(64)  CBS(10000)
 Car user-defined-flow 3 : CIR(64)  CBS(10000)
 Car user-defined-flow 4 : CIR(64)  CBS(10000)
 Car user-defined-flow 5 : CIR(64)  CBS(10000)
 Car user-defined-flow 6 : CIR(64)  CBS(10000)
 Car user-defined-flow 7 : CIR(64)  CBS(10000)
 Car user-defined-flow 8 : CIR(64)  CBS(10000)

Run the display auto-defend attack-source slot 4 command to view the attack sources of the LPU in slot 4.
<Quidway> display auto-defend attack-source slot 4
 -- Attack Source Port Table (LPU4) ---------------------
 InterfaceName            Vlan:Outer/Inner   TOTAL
 --------------------------------------------------------
 GigabitEthernet3/0/0     199/299            156464
 --------------------------------------------------------
 -- Attack Source User Table (LPU4) -------------------------------------------
 InterfaceName            Vlan:Outer/Inner   MacAddress       ARP     DHCP  IGMP  TOTAL
 ------------------------------------------------------------------------------
 GigabitEthernet3/0/0     199/299            0003-5556-3244   143111  0     0     143111
 ------------------------------------------------------------------------------


6.5 Maintaining the Attack Defense Policy


This section describes how to clear statistics about the attack sources and the packets sent to the CPU.

6.5.1 Clearing Statistics About Packets Destined for the CPU
6.5.2 Clearing Statistics About Attack Sources

6.5.1 Clearing Statistics About Packets Destined for the CPU


Context

CAUTION
Statistics about ARP packets cannot be restored after being cleared. Confirm the action before you use the command.

Procedure
Step 1 Run the reset cpcar [ packet-type ] statistics [ all | slot slot-id ] command to clear statistics about packets directed at the CPU.

----End

6.5.2 Clearing Statistics About Attack Sources


Context

CAUTION
Statistics about ARP packets cannot be restored after being cleared. Confirm the action before you use the command.

Procedure
Step 1 Run the reset auto-defend attack-source [ slot slot-id ] command to clear statistics about attack sources.

----End

6.6 Configuration Examples


This section provides a configuration example of the attack defense policy.

6.6.1 Example for Configuring the Attack Defense Policy

6.6.1 Example for Configuring the Attack Defense Policy


Networking Requirements
As shown in Figure 6-1, three local user networks, net1, net2 and net3, access the Internet through the S9300. The S9300 is connected to a large number of users and receives many packets that must be sent to the CPU. In this case, the CPU of the S9300 may be attacked by packets directed at it. To protect the CPU and keep the S9300 processing services normally, you need to configure local attack defense. You need to configure the following attack defense features on the S9300:

• Users on net1 are authorized users; therefore, they are added to the whitelist so that their packets are always forwarded.
• Users on net2 are authorized but not fixed; therefore, you define a separate rule for sending the packets of net2 users to the CPU and limit the CIR to 5 Mbit/s.
• Users on net3 often attack the network; therefore, they are added to the blacklist so that they cannot access the network.

Figure 6-1 Networking diagram for configuring the attack defense policy

[Figure: Net1 1.1.1.0/24 connects to GE1/0/1, Net2 2.2.2.0/24 to GE1/0/2 and Net3 3.3.3.0/24 to GE1/0/3 of the S9300; GE2/0/1 connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the ACL and define rules for filtering the packets to be sent to the CPU.
2. Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
3. Configure the rule for sending packets to the CPU.
4. Apply the attack defense policy.

Data Preparation
To complete the configuration, you need the following data:

• Number of the attack defense policy
• IDs of the whitelist, blacklist, and user-defined flows
• ACL rule and number
• Slot number of the LPU on which the attack defense policy is applied
NOTE

The following provides only the configuration procedure of the local attack defense feature supported by the S9300. For details on the routing configuration, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

Procedure
Step 1 Configure the rule for filtering packets to be sent to the CPU.

# Define the ACL rules.
<Quidway> system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[Quidway-acl-basic-2001] quit
[Quidway] acl number 2002
[Quidway-acl-basic-2002] rule permit source 2.2.2.0 0.0.0.255
[Quidway-acl-basic-2002] quit
[Quidway] acl number 2003
[Quidway-acl-basic-2003] rule permit source 3.3.3.0 0.0.0.255
[Quidway-acl-basic-2003] quit

Step 2 Create an attack defense policy.

# Create an attack defense policy and configure the whitelist, blacklist and user-defined flow.
[Quidway] cpu-defend policy 6
[Quidway-cpu-defend-policy-6] whitelist 1 acl 2001
[Quidway-cpu-defend-policy-6] user-defined-flow 1 acl 2002
[Quidway-cpu-defend-policy-6] blacklist 1 acl 2003

Step 3 Configure the rule for sending packets to the CPU.

# Set the CIR for the user-defined flow.
[Quidway-cpu-defend-policy-6] car user-defined-flow 1 cir 5000
[Quidway-cpu-defend-policy-6] quit

Step 4 Apply the attack defense policy.

# Apply the attack defense policy to LPU 1.
[Quidway] slot 1
[Quidway-slot-1] cpu-defend-policy 6
[Quidway-slot-1] quit

# Apply the attack defense policy to LPU 2.
[Quidway] slot 2
[Quidway-slot-2] cpu-defend-policy 6
[Quidway-slot-2] quit

Step 5 Verify the configuration.

# View information about the configured attack defense policy.
<Quidway> display cpu-defend policy 6
 Number        : 6
 Related slot  : <1,2>
 Configuration :
 Whitelist 1 ACL number : 2001
 Blacklist 1 ACL number : 2003
 User-defined-flow 1 ACL number : 2002
 Car user-defined-flow 1 : CIR(5000)  CBS(940000)
 Car user-defined-flow 2 : CIR(64)    CBS(10000)
 Car user-defined-flow 3 : CIR(64)    CBS(10000)
 Car user-defined-flow 4 : CIR(64)    CBS(10000)
 Car user-defined-flow 5 : CIR(64)    CBS(10000)
 Car user-defined-flow 6 : CIR(64)    CBS(10000)
 Car user-defined-flow 7 : CIR(64)    CBS(10000)
 Car user-defined-flow 8 : CIR(64)    CBS(10000)

----End

Configuration Files
#
 sysname Quidway
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 2.2.2.0 0.0.0.255
#
acl number 2003
 rule 5 permit source 3.3.3.0 0.0.0.255
#
cpu-defend policy 6
 whitelist 1 acl 2001
 blacklist 1 acl 2003
 user-defined-flow 1 acl 2002
 car user-defined-flow 1 cir 5000 cbs 940000
#
slot 1
 cpu-defend-policy 6
#
slot 2
 cpu-defend-policy 6
#
return
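The policy configured in this example, evaluated for sample source addresses to show which rule a CPU-bound packet falls under (whitelist, blacklist, user-defined flow with its CAR, or the default CPCAR). This is an added example, not S9300 code; the ACL wildcard matching follows the basic-ACL syntax used above, and the check order (whitelist, then blacklist, then user-defined flows) is an assumption, since the guide does not state how overlapping ACLs are resolved.

```python
"""Evaluate the attack defense policy from the example above (policy 6 with
ACLs 2001 to 2003) for sample source addresses. Constructed model, not S9300
code: it shows which rule a packet destined for the CPU falls under, whitelist
-> pass, blacklist -> deny, user-defined flow -> CAR with that flow's CIR/CBS,
and otherwise the default CPCAR of the packet type."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_CAR = (64, 10000)   # CIR(64) CBS(10000), the defaults in the guide's output


@dataclass(frozen=True)
class AclRule:
    action: str      # "permit" or "deny"
    source: str      # e.g. "1.1.1.0"
    wildcard: str    # wildcard mask, e.g. "0.0.0.255": 1 bits are "don't care"

    def matches(self, src_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(src_ip))
        net = int(ipaddress.IPv4Address(self.source))
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (ip & care) == (net & care)


def acl_permits(rules, src_ip: str) -> bool:
    """First matching rule decides. A source that no rule matches is treated
    as not belonging to the list or flow that uses this ACL."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule.action == "permit"
    return False


@dataclass
class CpuDefendPolicy:
    number: int
    whitelists: dict = field(default_factory=dict)   # whitelist-id -> ACL number
    blacklists: dict = field(default_factory=dict)   # blacklist-id -> ACL number
    flows: dict = field(default_factory=dict)        # flow-id -> ACL number
    car: dict = field(default_factory=dict)          # flow-id -> (cir, cbs)


def evaluate(policy: CpuDefendPolicy, acls: dict, src_ip: str):
    """Return (action, reason) for a CPU-bound packet from src_ip.
    Assumption (the guide does not state an order for overlapping ACLs):
    whitelist is checked first, then blacklist, then user-defined flows by id."""
    for wl_id, acl_no in policy.whitelists.items():
        if acl_permits(acls[acl_no], src_ip):
            return "pass", f"whitelist {wl_id}"
    for bl_id, acl_no in policy.blacklists.items():
        if acl_permits(acls[acl_no], src_ip):
            return "deny", f"blacklist {bl_id}"
    for flow_id in sorted(policy.flows):
        if acl_permits(acls[policy.flows[flow_id]], src_ip):
            cir, cbs = policy.car.get(flow_id, DEFAULT_CAR)
            return "car", f"user-defined-flow {flow_id} cir {cir} cbs {cbs}"
    return "car", "default CPCAR of the packet type"


# The configuration of the example above, transcribed as data.
ACLS = {
    2001: [AclRule("permit", "1.1.1.0", "0.0.0.255")],   # net1, whitelist
    2002: [AclRule("permit", "2.2.2.0", "0.0.0.255")],   # net2, user-defined flow
    2003: [AclRule("permit", "3.3.3.0", "0.0.0.255")],   # net3, blacklist
}
POLICY_6 = CpuDefendPolicy(
    number=6,
    whitelists={1: 2001},
    blacklists={1: 2003},
    flows={1: 2002},
    car={1: (5000, 940000)},   # car user-defined-flow 1 cir 5000 cbs 940000
)

if __name__ == "__main__":
    for ip in ("1.1.1.7", "2.2.2.200", "3.3.3.9", "10.0.0.1"):
        print(ip, *evaluate(POLICY_6, ACLS, ip))
```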


7 PPPoE+ Configuration

About This Chapter

This chapter describes how to configure PPPoE+.

7.1 PPPoE+ Overview
This section describes the principle of PPPoE+.

7.2 PPPoE+ Features Supported by the S9300
This section describes the PPPoE+ features supported by the S9300.

7.3 Configuring PPPoE+
This section describes how to configure PPPoE+.

7.4 Configuration Examples
This section provides a configuration example of PPPoE+.


7.1 PPPoE+ Overview


This section describes the principle of PPPoE+.

PPPoE provides a good authentication and security mechanism, but it still has certain weaknesses, for example account theft. In common PPPoE dialup mode, when users dial up through PPPoE from different interfaces of different devices, they can access the network as long as their accounts are authenticated successfully on the same RADIUS server. After PPPoE+ is enabled, the user still enters a user name and password for authentication, but the authentication packet also carries information such as the interface. If the port identified by the RADIUS server differs from the configured one, the authentication fails. In this manner, unauthorized users cannot use the accounts of authorized users (mainly companies) to access the Internet.

7.2 PPPoE+ Features Supported by the S9300


This section describes the PPPoE+ features supported by the S9300. The S9300 can add the device type and interface number to the received PPPoE packets. In this manner, the PPPoE server can perform policy control flexibly for the client according to the information in the received PPPoE packets, for example, IP address allocation control and flexible accounting.

7.3 Configuring PPPoE+


This section describes how to configure PPPoE+.

7.3.1 Establishing the Configuration Task
7.3.2 Enabling PPPoE+ Globally
7.3.3 Configuring the Format and Contents of Fields to Be Added to PPPoE Packets
7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
7.3.5 Configuring the PPPoE Trusted Interface
7.3.6 Checking the Configuration

7.3.1 Establishing the Configuration Task


Applicable Environment
To prevent the access of unauthorized users during PPPoE authentication, you need to configure PPPoE+ on the S9300. In this case, interface information is added to the PPPoE packets. The security of the network is thus ensured.

Pre-configuration Tasks
None.

Data Preparation
To configure PPPoE+, you need the following data.

No.  Data
1    Interface number related to PPPoE authentication
2    Format and contents of the fields to be added to PPPoE packets

7.3.2 Enabling PPPoE+ Globally


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information enable

PPPoE+ is enabled globally. After the pppoe intermediate-agent information enable command is run in the system view, PPPoE+ is enabled on all the interfaces.

By default, PPPoE+ is disabled globally.

----End

7.3.3 Configuring the Format and Contents of Fields to Be Added To PPPoE Packets
Context
After PPPoE+ is enabled globally, the user-side interface on the S9300 adds information in common format to the received PPPoE packets. You can modify the format of the field to be appended through this task.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information format { circuit-id | remote-id } { common | extend | user-defined text }

The format and contents of fields to be added to PPPoE packets are set.

After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in the specified format to the received PPPoE packets.

----End

7.3.4 Configuring the Action for Processing Original Fields in PPPoE Packets
Context
You can configure the action for processing original fields in PPPoE packets in the system view and in the interface view. The configuration in the system view is valid for all the interfaces. To adopt a different action on an interface, run the pppoe intermediate-agent information policy command in the interface view. In this case, the action for processing packets on the interface depends on the configuration of the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for all the interfaces to process original fields in PPPoE packets is configured.

• drop: removes the original fields from PPPoE packets.
• keep: retains the contents and format of the original fields in PPPoE packets.
• replace: replaces the original fields in PPPoE packets according to the set field format, regardless of whether the packets carry the fields.

By default, the user-side interface on the S9300 replaces the original fields in the received PPPoE packets after PPPoE+ is enabled globally.

Step 3 (Optional) Run:
interface interface-type interface-number

The Ethernet interface view is displayed. Then run:
pppoe intermediate-agent information policy { drop | keep | replace }

The action for this interface to process original fields in PPPoE packets is configured.

----End
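The drop / keep / replace actions above, applied to a client discovery packet (PADI/PADR). This is an added example, not S9300 code, and it makes two assumptions: that the added information is carried in a PPPoE Vendor-Specific tag (0x0105, ADSL Forum vendor id 0x00000DE9, sub-tag 0x01 for the circuit ID) as in the DSL Forum TR-101 intermediate agent convention, which the guide does not confirm for the S9300, and that the common and extend circuit-ID layouts are as written here (the guide only says extend is hexadecimal).

```python
"""PPPoE+ tag handling on a client discovery packet (PADI/PADR). Constructed
example, not S9300 code. Assumptions: the added information travels in a PPPoE
Vendor-Specific tag (0x0105) with the ADSL Forum vendor id 0x00000DE9 and
sub-tag 0x01 circuit-id, as the TR-101 intermediate agent convention defines;
the guide does not give the S9300's encoding, and the circuit-id layouts below
are made up (the guide only says extend means hexadecimal)."""
import struct

TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_VENDOR_ID = 0x00000DE9
SUB_CIRCUIT_ID = 0x01
PADI, PADR = 0x09, 0x19


def parse_tags(payload: bytes):
    """Split a PPPoE discovery tag list into (type, value) pairs."""
    tags, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, payload[off:off + tlen]))
        off += tlen
    return tags


def build_discovery(code: int, tags, session: int = 0) -> bytes:
    """PPPoE header (ver/type 0x11, code, session id, length) plus tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def circuit_id(slot: int, subslot: int, port: int, vlan: int, fmt: str) -> bytes:
    """Constructed layouts: common = text, extend = packed hexadecimal fields."""
    if fmt == "common":
        return f"{slot}/{subslot}/{port}:{vlan}".encode()
    if fmt == "extend":
        return struct.pack("!BBBH", slot, subslot, port, vlan)
    raise ValueError(fmt)


def vendor_tag(cid: bytes) -> bytes:
    """Vendor-Specific tag value: vendor id, then circuit-id sub-tag (type, len, value)."""
    return struct.pack("!I", ADSL_FORUM_VENDOR_ID) + bytes([SUB_CIRCUIT_ID, len(cid)]) + cid


def apply_policy(frame: bytes, policy: str, cid: bytes) -> bytes:
    """pppoe intermediate-agent information policy { drop | keep | replace }:
    drop removes an original vendor-specific tag, keep leaves the packet as
    received, replace carries the switch's own circuit-id whether or not the
    client sent one. Packets other than PADI/PADR are left untouched."""
    ver_type, code, session, length = struct.unpack_from("!BBHH", frame, 0)
    if code not in (PADI, PADR):
        return frame
    tags = parse_tags(frame[6:6 + length])
    others = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
    if policy == "drop":
        new = others
    elif policy == "keep":
        new = tags
    elif policy == "replace":
        new = others + [(TAG_VENDOR_SPECIFIC, vendor_tag(cid))]
    else:
        raise ValueError(policy)
    return build_discovery(code, new, session)


def extract_circuit_id(frame: bytes):
    """Return the circuit-id the PPPoE server would see, or None if absent."""
    _, _, _, length = struct.unpack_from("!BBHH", frame, 0)
    for t, v in parse_tags(frame[6:6 + length]):
        if t == TAG_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", ADSL_FORUM_VENDOR_ID):
            sub = v[4:]
            while len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if stype == SUB_CIRCUIT_ID:
                    return sub[2:2 + slen]
                sub = sub[2 + slen:]
    return None


# Constructed client packets: a clean PADI and one where the client forged a
# circuit-id claiming a different port (the account-theft case PPPoE+ targets).
CLEAN_PADI = build_discovery(PADI, [(TAG_SERVICE_NAME, b"")])
FORGED_PADI = build_discovery(PADI, [(TAG_SERVICE_NAME, b""),
                                     (TAG_VENDOR_SPECIFIC, vendor_tag(b"9/9/9:1"))])
SWITCH_CID = circuit_id(2, 0, 2, 100, "extend")   # GE2/0/2, VLAN 100, constructed

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_PADI), ("forged", FORGED_PADI)):
        for pol in ("drop", "keep", "replace"):
            print(name, pol, extract_circuit_id(apply_policy(pkt, pol, SWITCH_CID)))
```

With the default policy (replace) the forged circuit ID never reaches the server; with keep it does, which is why the guide's example leaves replace in place.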

7.3.5 Configuring the PPPoE Trusted Interface


Context
To guard against bogus PPPoE servers and the security risk of PPPoE packets being forwarded to non-PPPoE service interfaces, you can configure the interface connecting the S9300 to the PPPoE server as the trusted interface. After the trusted interface is configured, PPPoE packets sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.

NOTE

The trusted interface only controls protocol packets in the PPPoE discovery stage; it does not control service packets in the PPPoE session stage.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run:
pppoe uplink-port trusted

The interface is configured as the trusted interface.

----End

7.3.6 Checking the Configuration


Procedure
• Run the display pppoe intermediate-agent information format command to check the circuit ID and remote ID formats that are set globally.
• Run the display pppoe intermediate-agent information policy command to check the globally set action for processing original fields in PPPoE packets.

----End

7.4 Configuration Examples


This section provides a configuration example of PPPoE+.

7.4.1 Example for Configuring PPPoE+

7.4.1 Example for Configuring PPPoE+


Networking Requirements
As shown in Figure 7-1, the S9300 is connected to the upstream device BRAS and the downstream device PC; the PPPoE server is configured on the BRAS device. PPPoE+ is enabled on the S9300 to control and monitor dialup users.

Figure 7-1 Networking diagram for configuring PPPoE+

[Figure: the BRAS (PPPoE server) in the IP network connects to GE1/0/0 of the S9300, on which PPPoE+ runs; two PPPoE clients connect to GE2/0/1 and GE2/0/2.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable PPPoE+ globally.

NOTE

After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.

2. Configure the contents and format of fields to be added to PPPoE packets on the S9300.
3. Configure the action for the S9300 to process PPPoE packets.
4. Configure the interface connecting the S9300 and the PPPoE server as the trusted interface.

Data Preparation
None.

Procedure
Step 1 Enable PPPoE+.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable

Step 2 Configure the format of the information fields. Configure the S9300 to add the circuit ID to PPPoE packets in extend format, that is, in hexadecimal notation.
[Quidway] pppoe intermediate-agent information format circuit-id extend

Step 3 Configure the action for processing original fields in PPPoE packets. Configure all the interfaces to replace the original fields in PPPoE packets with the circuit ID of the S9300.
[Quidway] pppoe intermediate-agent information policy replace

Step 4 Configure the trusted interface. Configure GE 1/0/0 as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] pppoe uplink-port trusted
[Quidway-GigabitEthernet1/0/0] quit

----End

Configuration Files
#
 sysname Quidway
#
 pppoe intermediate-agent information enable
 pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet1/0/0
 pppoe uplink-port trusted
#
return


8 MFF Configuration

About This Chapter

This chapter describes the principle and configuration of the MAC-Forced Forwarding (MFF) function.

8.1 MFF Overview
This section describes the principle of the MFF function.

8.2 MFF Features Supported by the S9300
This section describes the MFF features supported by the S9300.

8.3 Configuring MFF
The MFF function isolates users at Layer 2 and forwards traffic through the gateway.

8.4 Configuration Examples
This section provides a configuration example of MFF.


8.1 MFF Overview


This section describes the principle of the MFF function.

Background
In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated at Layer 2, a large number of VLANs are required. In addition, to enable the clients to communicate at Layer 3, each VLAN must be assigned an IP network segment and each VLANIF interface needs an IP address, which wastes IP addresses. Moreover, such a network is vulnerable to attack, and malicious attacks from users on the network cannot be prevented.

The MFF function solves this problem by implementing Layer 2 isolation and Layer 3 interconnection between the clients in a broadcast domain. MFF intercepts the ARP requests from users and, acting as an ARP proxy, replies with ARP responses containing the MAC address of the gateway. In this manner, MFF forces users to send all traffic, including traffic destined for the same subnet, to the gateway so that the gateway can monitor the data traffic. This prevents malicious attacks and improves network security.

MFF Interface Role


Two types of interfaces are involved in the MFF function: network interface and user interface.
- User interface
  A user interface is an interface directly connected to users. MFF processes packets on a user interface as follows:
  - Allows protocol packets to pass through.
  - Sends ARP and DHCP packets to the CPU.
  - If the interface has learned the MAC address of the gateway, MFF allows the unicast packets whose destination MAC address is the MAC address of the gateway to pass through and discards other packets.
  - If the interface has not learned the MAC address of the gateway, MFF discards all packets.
  - Rejects multicast packets and broadcast packets.
- Network interface
  A network interface is an interface connected to another network device, for example, an access switch, an aggregation switch, or a gateway. MFF processes packets on a network interface as follows:
  - Allows multicast and DHCP packets to pass through.
  - Sends ARP packets to the CPU.
  - Rejects broadcast packets.

NOTE
- The network interfaces include:
  - Uplink interfaces connected to the gateway
  - Interfaces connected to other MFF devices when multiple MFF devices are deployed on the network
  - Interfaces between the MFF devices on a ring network
- The interface role is irrelevant to the position of the interface on a network.
- On a VLAN where MFF is enabled, an interface must be either a network interface or a user interface.

8.2 MFF Features Supported by the S9300


This section describes the MFF features supported by the S9300.

Static Gateway
The static gateway is applicable to the scenario where IP addresses are assigned statically. When users are assigned IP addresses statically, they cannot obtain the gateway information from DHCP packets. In this case, a static gateway address needs to be configured for each VLAN. If the static gateway address is not configured, none of the users except the DHCP users can communicate with each other.

Gateway Address Detection and Maintenance


If the function of timed gateway address detection is enabled, MFF sends detection packets periodically to check whether the gateway address needs to be updated. The detection packet is a forged ARP packet whose source IP address and MAC address are the addresses of the first user in the MFF user list. If the first user entry is deleted, the MFF selects another user entry to forge the ARP packet. If the gateway does not have any matching user information after the user entry is deleted, the MFF deletes the probe information.

ARP Proxy
The Layer 3 communication between users is implemented through the ARP proxy. The ARP proxy reduces the number of broadcast packets at the network side and user side. The MFF processes ARP packets as follows:
- Responds to the ARP requests of users. The MFF substitutes for the gateway to respond to the ARP requests of users. Therefore, all the packets of users are forwarded at Layer 3 by the gateway. The ARP packet of a user may be the request for the gateway address or the request for the IP addresses of other users.
- Responds to the ARP requests of the gateway. The MFF substitutes for user hosts to respond to the ARP requests of the gateway. If the ARP entry mapping the request of the gateway exists on the MFF, the MFF returns a response with the requested address to the gateway. If the entry does not exist, the MFF forwards the request. In this way, the number of broadcast packets is reduced.
- Monitors the ARP packets on the network and updates the IP address and MAC address of the gateway.
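The following Python model of one MFF VLAN is an added example, not Huawei code or part of this guide. It applies the user-interface and network-interface rules from "MFF Interface Role" together with the three ARP proxy behaviours above; the Packet and MffVlan classes, port names and addresses are constructed for illustration, and the forwarding of ordinary unicast on a network interface is an assumption the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Packet:
    kind: str                 # arp-request | dhcp | unicast | multicast | broadcast | protocol
    src_ip: str = ""
    src_mac: str = ""
    dst_mac: str = ""
    target_ip: str = ""       # ARP request only: the IP address being resolved


@dataclass
class MffVlan:
    """One MFF-enabled VLAN: interface roles, gateway binding and user table (constructed model)."""
    gateway_ip: str
    gateway_mac: Optional[str] = None                        # learned by snooping gateway ARP
    users: Dict[str, str] = field(default_factory=dict)      # user IP -> user MAC (DHCP snooping binding)
    network_ports: Set[str] = field(default_factory=set)

    def role(self, port: str) -> str:
        # Every interface in an MFF VLAN is either a network interface or a user interface.
        return "network" if port in self.network_ports else "user"

    def handle(self, port: str, pkt: Packet) -> dict:
        """Apply the per-role rules and return the action taken for pkt received on port."""
        if pkt.kind == "arp-request":            # ARP is sent to the CPU on both roles
            return self._arp_proxy(port, pkt)
        if self.role(port) == "network":
            if pkt.kind == "broadcast":
                return {"action": "drop", "reason": "broadcast rejected on network interface"}
            # Multicast and DHCP pass through; ordinary unicast is assumed to pass as well.
            return {"action": "forward"}
        # User interface rules
        if pkt.kind == "protocol":
            return {"action": "forward"}
        if pkt.kind == "dhcp":
            return {"action": "cpu"}              # punted so the user binding can be learned
        if pkt.kind in ("multicast", "broadcast"):
            return {"action": "drop", "reason": f"{pkt.kind} rejected on user interface"}
        if self.gateway_mac is None:
            return {"action": "drop", "reason": "gateway MAC not learned yet"}
        if pkt.dst_mac == self.gateway_mac:
            return {"action": "forward"}          # only traffic addressed to the gateway passes
        return {"action": "drop", "reason": "unicast not addressed to the gateway MAC"}

    def _arp_proxy(self, port: str, pkt: Packet) -> dict:
        if self.role(port) == "user":
            # Whatever the user asked for (the gateway or another host), answer with the
            # gateway MAC so that even same-subnet traffic is forced through the gateway.
            if self.gateway_mac is None:
                return {"action": "drop", "reason": "gateway MAC not learned yet"}
            return {"action": "reply", "ip": pkt.target_ip, "mac": self.gateway_mac}
        # Network interface: monitor gateway ARP to keep the gateway binding current.
        if pkt.src_ip == self.gateway_ip:
            self.gateway_mac = pkt.src_mac
        user_mac = self.users.get(pkt.target_ip)
        if user_mac is not None:
            # Answer on the user's behalf instead of flooding the request to user interfaces.
            return {"action": "reply", "ip": pkt.target_ip, "mac": user_mac}
        return {"action": "forward"}              # unknown target: pass the request on


def demo_vlan() -> MffVlan:
    """Constructed scenario: VLAN 100, GE1/0/10 is the uplink, two DHCP users are bound."""
    vlan = MffVlan(gateway_ip="192.168.1.254", network_ports={"GE1/0/10"})
    vlan.users.update({"192.168.1.10": "00-01-00-01-00-01",
                       "192.168.1.11": "00-01-00-01-00-02"})
    return vlan
```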

Server Deployment on the Network


The IP address of the server can be the IP address of the DHCP server, the IP address of another server, or the virtual IP address of the VRRP group. If a network interface receives an ARP request whose source IP address is the IP address of the server, the interface responds to the ARP request as a gateway. That is, the packets sent from users are forwarded to the gateway, and then sent to the server. The packets sent by the server, however, are not forwarded to the gateway.

8.3 Configuring MFF


The MFF function isolates users at Layer 2 and forwards traffic through the gateway.
8.3.1 Establishing the Configuration Task
8.3.2 Enabling Global MFF
8.3.3 Configuring the MFF Network Interface
8.3.4 Enabling MFF in a VLAN
8.3.5 (Optional) Configuring the Static Gateway Address
8.3.6 (Optional) Enabling Timed Gateway Address Detection
8.3.7 (Optional) Setting the Server Address
8.3.8 Checking the Configuration

8.3.1 Establishing the Configuration Task


Applicable Environment
At the access layer of a Metro Ethernet, you can configure the MFF function to implement Layer 2 isolation between access users. The traffic between users is forwarded by the gateway at Layer 3. In this way, you can filter the user traffic, perform policy-based traffic scheduling, and charge users.

Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks. If DHCP users exist, you need to perform the following operations:
- Enabling DHCP snooping
- Configuring the trusted interface of DHCP snooping

Data Preparation
To configure the MFF function, you need the following data.

No. | Data
1 | VLAN ID of the MFF device
2 | Type and number of the network interface to be configured
3 | (Optional) IP address of the static gateway to be configured
4 | (Optional) IP address of the server to be configured

8.3.2 Enabling Global MFF


Context
You can perform other MFF configurations only after enabling the global MFF.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-forced-forwarding enable

The global MFF is enabled. By default, the global MFF is disabled.

----End

8.3.3 Configuring the MFF Network Interface


Context
The MFF function of a VLAN takes effect after you configure at least one network interface on the VLAN.
NOTE

This task can be performed before the global MFF is enabled; however, it takes effect only after the global MFF is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.

Step 3 Run:
mac-forced-forwarding network-port

The interface is configured as a network interface. By default, the interface is a user interface.

----End

8.3.4 Enabling MFF in a VLAN


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
mac-forced-forwarding enable

The MFF function is enabled for the VLAN. By default, the MFF function is disabled in a VLAN.

----End

8.3.5 (Optional) Configuring the Static Gateway Address


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
mac-forced-forwarding static-gateway ip-address

The IP address of the static gateway is set.

----End

8.3.6 (Optional) Enabling Timed Gateway Address Detection


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
mac-forced-forwarding gateway-detect

Timed gateway address detection is enabled. After it is enabled, the S9300 sends ARP packets periodically to detect the gateway. By default, timed gateway address detection is disabled.

----End

8.3.7 (Optional) Setting the Server Address


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
vlan vlan-id

The VLAN view is displayed.

Step 3 Run:
mac-forced-forwarding server ip-address &<1~10>

The IP address of the server deployed on the network is set.

----End

8.3.8 Checking the Configuration


Procedure
- Run the display mac-forced-forwarding network-port command to view the MFF network interfaces.
- Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and the gateway on the VLAN.

----End

Example
Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interfaces matching each MFF VLAN.
<Quidway> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID        Network-ports
--------------------------------------------------------------------------------
VLAN 10        GigabitEthernet2/0/0  GigabitEthernet2/0/1  GigabitEthernet2/0/2  GigabitEthernet2/0/3
VLAN 100       GigabitEthernet1/0/10 GigabitEthernet1/0/15

Run the display mac-forced-forwarding vlan vlan-id command, and you can see information about MFF users and the gateway on the VLAN.
<Quidway> display mac-forced-forwarding vlan 100
Servers: 192.168.1.2 192.168.1.3
--------------------------------------------------------------------
User IP         User MAC            Gateway IP      Gateway MAC
--------------------------------------------------------------------
192.168.1.10    00-01-00-01-00-01   192.168.1.254   00-02-00-02-00-01
192.168.1.11    00-01-00-01-00-02   192.168.1.254   00-02-00-02-00-01
192.168.1.12    00-01-00-01-00-03   192.168.1.252   00-02-00-02-00-03
--------------------------------------------------------------------
[Vlan 100] MFF host total count = 3

8.4 Configuration Examples


This section provides a configuration example of MFF.
8.4.1 Example for Configuring MFF

8.4.1 Example for Configuring MFF


Networking Requirements
As shown in Figure 8-1, all the user hosts obtain IP addresses through the DHCP server and all the devices are located in VLAN 10. To implement Layer 2 isolation and Layer 3 interconnection between the hosts, you need to configure the MFF function on S9300-A and S9300-B.

Figure 8-1 Networking diagram for configuring MFF
[Figure: DHCP server (AR, 10.10.10.1/24); S9300-B with interfaces GE1/0/0, GE2/0/1 and GE2/0/2; S9300-A with interfaces GE2/0/1, GE1/0/1, GE1/0/2 and GE1/0/3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable global MFF.
3. Configure the MFF network interfaces.
4. Enable MFF for the VLAN.
5. (Optional) Enable the function of timed gateway address detection.
6. (Optional) Configure the server.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID of the MFF device
- Type and number of the network interface to be configured
- (Optional) IP address of the server to be configured

Procedure
Step 1 Configure DHCP snooping.
# Enable global DHCP snooping on S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] dhcp enable
[S9300-A] dhcp snooping enable


# Enable DHCP snooping on the interfaces of the S9300-A. Take the configuration on GE 1/0/1 as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar to the configuration on GE 1/0/1 and are not mentioned here.
[S9300-A] interface gigabitethernet 1/0/1
[S9300-A-GigabitEthernet1/0/1] dhcp snooping enable
[S9300-A-GigabitEthernet1/0/1] quit

# Set the status of interface GE 2/0/1 on S9300-A to Trusted.
[S9300-A] interface gigabitethernet 2/0/1
[S9300-A-GigabitEthernet2/0/1] dhcp snooping trusted
[S9300-A-GigabitEthernet2/0/1] quit

# Enable global DHCP snooping on S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] dhcp enable
[S9300-B] dhcp snooping enable

# Enable DHCP snooping on the interfaces of the S9300-B. Take the configuration on GE 1/0/0 as an example. The configurations on GE 2/0/1 and GE 2/0/2 are similar to the configuration on GE 1/0/0 and are not mentioned here.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping enable
[S9300-B-GigabitEthernet1/0/0] quit

# Set the status of interface GE 1/0/0 on S9300-B to Trusted.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] dhcp snooping trusted
[S9300-B-GigabitEthernet1/0/0] quit

Step 2 Enable global MFF.
# Enable global MFF on S9300-A.
[S9300-A] mac-forced-forwarding enable

# Enable global MFF on S9300-B.
[S9300-B] mac-forced-forwarding enable

Step 3 Configure the MFF network interfaces.
# Configure GE 2/0/1 of S9300-A as the network interface.
[S9300-A] interface gigabitethernet 2/0/1
[S9300-A-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[S9300-A-GigabitEthernet2/0/1] quit

# Configure GE 1/0/0 and GE 2/0/1 of S9300-B as the network interfaces.
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] mac-forced-forwarding network-port
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface gigabitethernet 2/0/1
[S9300-B-GigabitEthernet2/0/1] mac-forced-forwarding network-port
[S9300-B-GigabitEthernet2/0/1] quit

Step 4 Enable MFF for the VLAN.
# Enable MFF for VLAN 10 on S9300-A.
[S9300-A] vlan 10
[S9300-A-vlan10] mac-forced-forwarding enable


# Enable MFF for VLAN 10 on S9300-B.
[S9300-B] vlan 10
[S9300-B-vlan10] mac-forced-forwarding enable

Step 5 (Optional) Enable the function of timed gateway address detection.
# Enable the function of timed gateway address detection on S9300-A.
[S9300-A-vlan10] mac-forced-forwarding gateway-detect

# Enable the function of timed gateway address detection on S9300-B.
[S9300-B-vlan10] mac-forced-forwarding gateway-detect

Step 6 (Optional) Configure the server.
# Configure the server on S9300-A.
[S9300-A-vlan10] mac-forced-forwarding server 10.10.10.1

# Configure the server on S9300-B.
[S9300-B-vlan10] mac-forced-forwarding server 10.10.10.1

----End

Configuration Files
- Configuration file of S9300-A
#
 sysname S9300-A
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/1
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet1/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
return

- Configuration file of S9300-B
#
 sysname S9300-B
#
vlan batch 10
#
dhcp enable
dhcp snooping enable
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding gateway-detect
 mac-forced-forwarding server 10.10.10.1
#
interface gigabitethernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 dhcp snooping trusted
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping enable
 mac-forced-forwarding network-port
#
interface gigabitethernet2/0/2
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
return

9 Interface Security Configuration

About This Chapter

This chapter describes the principle and configuration of interface security.

9.1 Interface Security Overview
This section describes the principle of the interface security function.
9.2 Interface Security Features Supported by the S9300
This section describes the interface security features supported by the S9300.
9.3 Configuring Interface Security
This section describes how to configure the interface security function.
9.4 Configuration Examples
This section provides a configuration example of interface security.


9.1 Interface Security Overview


This section describes the principle of the interface security function.

The interface security function is a security protection mechanism that controls access to the network. It records the MAC address of the host connected to an interface of the S9300, that is, the network adapter ID of the host. Only the host with the specified MAC address can communicate through this interface; hosts with other MAC addresses are prevented from communicating with the interface. The interface security function thus prevents certain devices from accessing the network, enhancing network security.

9.2 Interface Security Features Supported by the S9300


This section describes the interface security features supported by the S9300.

The Ethernet and GE interfaces on the S9300 support the interface security function. After interface security is configured on an Ethernet interface or a GE interface, the S9300 considers the following types of MAC addresses authorized:
- Static MAC addresses that are manually configured
- Dynamic MAC addresses learned before the number of MAC addresses reaches the upper limit
- Dynamic or static MAC addresses in a DHCP snooping table

The S9300 considers other types of MAC addresses unauthorized. When an interface receives packets sent from unauthorized MAC addresses, the interface security function takes effect. Currently, the S9300 supports the following protection actions in interface security:
- protect: When an interface receives packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them.
- restrict: When an interface receives packets sent from unauthorized MAC addresses, it does not learn the source MAC addresses of the packets or forward the packets. Instead, the interface directly discards them and sends a trap to the Network Management System (NMS).

9.3 Configuring Interface Security


This section describes how to configure the interface security function.
9.3.1 Establishing the Configuration Task
9.3.2 Enabling the Interface Security Function
9.3.3 (Optional) Configuring the Protection Action in Interface Security
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface
9.3.5 Enabling Sticky MAC on an Interface
9.3.6 Checking the Configuration

9.3.1 Establishing the Configuration Task


Applicable Environment
The interface security function records the MAC address of the host connected to an interface of the S9300, that is, the network adapter ID of the host. Only the host with the specified MAC address can communicate through this interface; hosts with other MAC addresses are prevented from communicating with the interface. The interface security function thus prevents certain devices from accessing the network, enhancing network security.

Pre-configuration Tasks
None.

Data Preparation
Before configuring interface security, you need the following data.

No. | Data
1 | Interface type and number
2 | Maximum number of MAC addresses that can be learned by an interface

9.3.2 Enabling the Interface Security Function


Context
You can perform other configurations of interface security, for example, configuring protection actions, setting the maximum number of MAC addresses that can be learned, and configuring the sticky MAC address only after the interface security function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface or a GE interface.

Step 3 Run:
port-security enable

The interface security function is enabled. By default, the interface security function is disabled on interfaces of the S9300.

----End

9.3.3 (Optional) Configuring the Protection Action in Interface Security


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface or a GE interface.

Step 3 Run:
port-security protect-action { protect | restrict }

The protection action in interface security is configured. By default, the protection action is restrict.

----End

9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface


Context
NOTE
- If the sticky MAC function is disabled, this task limits the maximum number of MAC addresses dynamically learned by an interface.
- If the sticky MAC function is enabled, this task limits the maximum number of sticky MAC addresses learned by an interface.
- For the sticky MAC function, see 9.3.5 Enabling Sticky MAC on an Interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface or a GE interface.

Step 3 Run:
port-security maximum max-number

The maximum number of MAC addresses learned by an interface is set. After the interface security function is enabled, the maximum number of MAC addresses learned by an interface is 1 by default.

----End

9.3.5 Enabling Sticky MAC on an Interface


Context
The sticky MAC function converts a dynamic MAC address learned by an interface into a static MAC address. It seems that the MAC address is stuck to the interface. When the number of MAC addresses learned by an interface reaches the maximum, the interface cannot learn new MAC addresses. The interface converts the dynamic MAC addresses to sticky MAC addresses, and only the hosts with the sticky MAC addresses are allowed to communicate with the S9300. After this function is enabled, the S9300 does not need to learn the MAC addresses again after restart. In addition, hosts using untrusted MAC addresses are prevented from communicating with the S9300 through this interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The interface can be an Ethernet interface or a GE interface.

Step 3 Run:
port-security mac-address sticky

The sticky MAC function is enabled on the interface. By default, the sticky MAC function is disabled on an interface.

----End
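The following Python model of interface security is an added example, not Huawei code or part of this guide. It applies the authorized-address categories from 9.2, the protect and restrict actions from 9.3.3, the maximum from 9.3.4 and sticky persistence across a restart from 9.3.5; the SecuredPort class, the MAC values and the rendering of the equivalent CLI lines are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecuredPort:
    """Interface-security state for one Ethernet/GE interface (constructed model)."""
    name: str
    enabled: bool = False
    protect_action: str = "restrict"   # default action per 9.3.3
    maximum: int = 1                   # default upper limit per 9.3.4
    sticky: bool = False
    static_macs: Set[str] = field(default_factory=set)          # manually configured
    dhcp_snooping_macs: Set[str] = field(default_factory=set)   # from the DHCP snooping table
    learned_macs: List[str] = field(default_factory=list)       # dynamic, or sticky when enabled
    traps: List[str] = field(default_factory=list)              # traps that would go to the NMS

    def authorized(self, mac: str) -> bool:
        """The three authorized categories listed in 9.2."""
        return (mac in self.static_macs
                or mac in self.dhcp_snooping_macs
                or mac in self.learned_macs)

    def receive(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for a frame whose source MAC is src_mac."""
        if not self.enabled or self.authorized(src_mac):
            return "forward"
        if len(self.learned_macs) < self.maximum:
            # Learned before the limit is reached, so it becomes an authorized address.
            self.learned_macs.append(src_mac)
            return "forward"
        # Unauthorized source: neither learned nor forwarded. restrict also notifies the NMS.
        if self.protect_action == "restrict":
            self.traps.append(f"{self.name}: frame from unauthorized MAC {src_mac} discarded")
        return "drop"

    def restart(self) -> None:
        """Dynamic entries do not survive a restart; sticky entries do."""
        if not self.sticky:
            self.learned_macs.clear()

    def config_lines(self) -> List[str]:
        """Render the interface-security commands that this state corresponds to."""
        lines = [f"interface {self.name}"]
        if self.enabled:
            lines.append(" port-security enable")
            lines.append(f" port-security protect-action {self.protect_action}")
            if self.sticky:
                lines.append(" port-security mac-address sticky")
            lines.append(f" port-security maximum {self.maximum}")
        return lines


def employee_port() -> SecuredPort:
    """Constructed counterpart of GE1/0/1 in the configuration example: protect, sticky, maximum 4."""
    return SecuredPort("GigabitEthernet1/0/1", enabled=True,
                       protect_action="protect", maximum=4, sticky=True)
```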

9.3.6 Checking the Configuration


Procedure
- Run the display current-configuration interface interface-type interface-number command to check the current configuration of the interface.
- Run the display sticky-mac command to view the sticky MAC entries.

----End

Example
Run the display sticky-mac command, and you can view the sticky MAC address entries.
<Quidway> display sticky-mac interface GigabitEthernet 2/0/1
MAC Address     VLAN/VSI   Port                  Type
----------------------------------------------------------------------
0018-2000-0083  1          GigabitEthernet2/0/1  sticky mac
Total 1 printed

9.4 Configuration Examples


This section provides a configuration example of interface security.
9.4.1 Example for Configuring Interface Security

9.4.1 Example for Configuring Interface Security


Networking Requirements
As shown in Figure 9-1, a company wants to prevent the computers of non-employees from accessing the intranet of the company to protect information security. To achieve this goal, the company needs to enable the sticky MAC function on the interfaces connected to computers of employees and set the maximum number of MAC addresses learned by the interfaces to be the same as the number of trusted computers.

Figure 9-1 Networking diagram for configuring interface security
[Figure: Internet; S9300 with interface GE1/0/1; LAN switch; PC 1, PC 2 and PC 3 in VLAN 10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and set the VLAN attribute of the interface to trunk.
2. Enable the interface security function.
3. Configure the protection action.
4. Set the maximum number of MAC addresses that can be learned by the interfaces.
5. Enable the sticky MAC function on the interfaces.

Data Preparation
To complete the configuration, you need the following data:
- VLAN ID carried in packets that the interface allows to pass through
- Types and numbers of the interfaces connected to the computers
- Protection action
- Maximum number of MAC addresses learned by interfaces

Procedure
Step 1 Create a VLAN and set the VLAN attribute of the interface.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10

Step 2 Configure the interface security function.
# Enable the interface security function.
[Quidway-GigabitEthernet1/0/1] port-security enable

# Configure the protection action.
[Quidway-GigabitEthernet1/0/1] port-security protect-action protect

# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security maximum 4

# Enable the sticky MAC function on the interface.
[Quidway-GigabitEthernet1/0/1] port-security mac-address sticky

To enable the interface security function on other interfaces, repeat the preceding steps.

Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.

----End

Configuration Files
The following lists the configuration files of the S9300.
#
 sysname Quidway
#
interface GigabitEthernet1/0/1
 port-security enable
 port-security protect-action protect
 port-security mac-address sticky
 port-security maximum 4
#
return

10 Traffic Suppression Configuration

About This Chapter

This chapter describes the principle and configuration of traffic suppression.

10.1 Introduction to Traffic Suppression
This section describes the principle of traffic suppression.
10.2 Traffic Suppression Features Supported by the S9300
This section describes the traffic suppression features supported by the S9300.
10.3 Configuring Traffic Suppression
This section describes how to configure traffic suppression on a specified interface.
10.4 Configuration Examples
This section provides several configuration examples of traffic suppression.


10.1 Introduction to Traffic Suppression


This section describes the principle of traffic suppression.

Broadcast packets entering the S9300 are forwarded on all the interfaces in a VLAN, and multicast packets are forwarded on the interfaces of the multicast group. When unknown unicast packets enter the S9300, the S9300 broadcasts them to all the interfaces. These three types of packets consume a great deal of bandwidth, reduce the available bandwidth of the system, and degrade its normal forwarding and processing capabilities. The traffic suppression function limits such traffic entering an interface and protects the S9300 against the three types of traffic. It also guarantees the available bandwidth and processing capabilities of the S9300 when the traffic is abnormal.

10.2 Traffic Suppression Features Supported by the S9300


This section describes the traffic suppression features supported by the S9300.

The traffic suppression function can be configured on Ethernet interfaces of the S9300.

10.3 Configuring Traffic Suppression


This section describes how to configure traffic suppression on a specified interface.
10.3.1 Establishing the Configuration Task
10.3.2 Configuring Traffic Suppression on an Interface
10.3.3 Checking the Configuration

10.3.1 Establishing the Configuration Task


Applicable Environment
To limit the rate of incoming broadcast, multicast, and unknown unicast packets on an interface and protect the device against traffic attacks, you can configure traffic suppression on the interface.

Pre-configuration Tasks
None

Data Preparation
To configure traffic suppression, you need the following data.


No.  Data
1    Type and number of the interface where traffic suppression needs to be configured
2    Type of traffic (broadcast, multicast, or unknown unicast) that needs to be suppressed
3    Mode in which traffic is suppressed (packet rate, bit rate, or percentage of the bandwidth of the physical interface)
4    Rate limit: packet rate, committed information rate (CIR) and committed burst size (CBS), or bandwidth percentage

10.3.2 Configuring Traffic Suppression on an Interface


Context
Do as follows on the S9300 where traffic suppression needs to be configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. Traffic suppression can be configured on Ethernet interfaces or GE interfaces of the S9300.

Step 3 Run:
{ broadcast-suppression | multicast-suppression | unicast-suppression } { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

Traffic suppression is configured. Traffic suppression for all three types of traffic can be configured on one interface. Select one of the following suppression modes for each type of traffic:
- To suppress traffic based on the packet rate, specify the packets parameter.
- To suppress traffic based on the bit rate, specify the cir parameter and, optionally, the cbs parameter.
- To suppress traffic based on a percentage of the interface bandwidth, specify the percent-value parameter.
NOTE

Suppression based on bandwidth percentage is implemented as suppression based on packet rate. The percent-value is converted to an equivalent packets value as bandwidth x percent x 1000 x 1000 / (84 x 8), where bandwidth is the bandwidth of the interface in Mbit/s, percent is the configured percentage expressed as a fraction, 84 is the wire length in bytes of a minimum-size Ethernet frame (the 64-byte frame, FCS included, plus 8 bytes of preamble and 12 bytes of interframe gap), and 8 is the number of bits in a byte.

If traffic suppression based on the bit rate is set for one type of traffic on an interface, the bandwidth percentage set for the other types of traffic on that interface is converted to a bit rate as follows: bit rate = bandwidth of the interface x percentage.

A packet-rate (pps) limit for one type of traffic cannot coexist with a bit-rate limit for another type of traffic on the same interface. For example, if a bit rate is set for multicast packets on an interface, you cannot set a pps limit for broadcast packets on that interface.

If traffic suppression is configured again for a type of traffic on an interface, with a different rate or a different mode, the latest configuration overrides the previous one.

----End
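The arithmetic in the NOTE above and the effect of a cir/cbs limit, as an added example in Python (it is not Huawei code and does not reproduce S9300 hardware behaviour): percent_to_pps applies the 84-byte minimum-frame accounting, taking bandwidth in kbit/s and percent from 0 to 100, which is the same computation as the NOTE's formula in its Mbit/s and fractional-percentage units; default_cbs_bytes is inferred from the display outputs on this page (cir 1000 gives cbs 188000, cir 100 gives cbs 18800) and is an assumption, not a documented rule; TokenBucket is a textbook single-rate token bucket used to show why a broadcast storm is only partly suppressed by cir 100 with the default CBS. The function names and the constructed storm are this example's own.

```python
"""Traffic-suppression arithmetic and a cir/cbs policer model (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Tuple

MIN_FRAME_WIRE_BYTES = 84   # 64-byte minimum frame + 8-byte preamble/SFD + 12-byte interframe gap
BITS_PER_BYTE = 8


def percent_to_pps(bandwidth_kbps: int, percent: float) -> int:
    """packets value equivalent to a percent-value; bandwidth in kbit/s, percent 0..100 (assumed units)."""
    bits_per_second = bandwidth_kbps * 1000 * percent / 100
    return int(bits_per_second) // (MIN_FRAME_WIRE_BYTES * BITS_PER_BYTE)


def percent_to_kbps(bandwidth_kbps: int, percent: float) -> int:
    """Bit rate = interface bandwidth x percentage: the conversion applied to a percent-value
    when another traffic type on the same interface is limited by cir."""
    return int(bandwidth_kbps * percent / 100)


def default_cbs_bytes(cir_kbps: int) -> int:
    """CBS used when cbs is omitted. Inferred from the display output on this page
    (cir 1000 -> cbs 188000, cir 100 -> cbs 18800), i.e. 188 bytes per kbit/s; an assumption."""
    return 188 * cir_kbps


@dataclass
class TokenBucket:
    """Single-rate token bucket. Tokens are counted in bits and time in milliseconds, so a CIR of
    cir_kbps refills exactly cir_kbps bits per millisecond and the arithmetic stays in integers."""
    cir_kbps: int
    cbs_bytes: int

    def __post_init__(self) -> None:
        self.capacity = self.cbs_bytes * BITS_PER_BYTE
        self.tokens = self.capacity          # the bucket starts full: a burst of cbs bytes passes untouched
        self.last_ms = 0

    def offer(self, frame_bytes: int, t_ms: int) -> bool:
        """True if a frame arriving at t_ms is forwarded, False if it is suppressed."""
        self.tokens = min(self.capacity, self.tokens + (t_ms - self.last_ms) * self.cir_kbps)
        self.last_ms = t_ms
        need = frame_bytes * BITS_PER_BYTE
        if self.tokens >= need:
            self.tokens -= need
            return True
        return False


def suppress_storm(cir_kbps: int, cbs_bytes: int, frames: int,
                   frame_bytes: int, interval_ms: int) -> Tuple[int, int]:
    """Offer `frames` frames of `frame_bytes` bytes, one every interval_ms; return (forwarded, suppressed)."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    forwarded = 0
    for i in range(frames):
        if bucket.offer(frame_bytes, i * interval_ms):
            forwarded += 1
    return forwarded, frames - forwarded


if __name__ == "__main__":
    # Constructed scenario: GE 1/0/2 from 10.4.1 with broadcast-suppression cir 100 (cbs defaults to
    # 18800) hit by a storm of 1000 broadcast frames of 64 bytes within one second (512 kbit/s).
    cbs = default_cbs_bytes(100)
    print("80 percent of a GE interface =", percent_to_pps(1_000_000, 80), "pps,",
          percent_to_kbps(1_000_000, 80), "kbit/s")
    print("cir 100 default cbs =", cbs, "bytes")
    print("storm: (forwarded, suppressed) =", suppress_storm(100, cbs, 1000, 64, 1))
```

Running the module prints 1190476 pps for 80 percent of a GE interface and shows that 488 of the 1000 storm frames are forwarded: the first 364 on the burst credit of the default CBS alone, the remainder at the committed rate, and 512 are suppressed. A larger cbs lets a longer burst through before the limit bites; a smaller one makes it bite sooner, at the price of also dropping legitimate short bursts of broadcast traffic such as ARP.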

10.3.3 Checking the Configuration


Prerequisite
The configurations of traffic suppression are complete.

Procedure
- Run the display flow-suppression interface interface-type interface-number command to check the configuration of traffic suppression.

----End

Example
Run the display flow-suppression interface interface-type interface-number command, and you can view the configuration of traffic suppression on a specified interface.
<Quidway> display flow-suppression interface gigabitethernet 1/0/0
 storm type       rate mode     set rate value
-------------------------------------------------------------------------------
 unknown-unicast  bps           cir: 1000(kbit/s), cbs: 188000(byte)
 multicast        bps           cir: 1000(kbit/s), cbs: 188000(byte)
 broadcast        bps           cir: 1000(kbit/s), cbs: 188000(byte)
-------------------------------------------------------------------------------

10.4 Configuration Examples


This section provides a configuration example of traffic suppression.

10.4.1 Example for Configuring Traffic Suppression

10.4.1 Example for Configuring Traffic Suppression



Networking Requirements
As shown in Figure 10-1, GE 1/0/2 of the S9300 is connected to a Layer 2 network and GE 1/0/3 to a Layer 3 router. To limit the volume of broadcast, multicast, and unknown unicast packets flooded from the Layer 2 network, configure traffic suppression on GE 1/0/2.

Figure 10-1 Networking diagram for configuring traffic suppression: L2 network - GE1/0/2 - S9300 - GE1/0/3 - L3 network

Configuration Roadmap
Configure traffic suppression in the interface view of GE 1/0/2.

Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/2, where traffic suppression is configured
- Traffic suppression for broadcast and unknown unicast packets based on the bit rate
- Traffic suppression for multicast packets based on the bandwidth percentage
- Maximum rate of broadcast and unknown unicast packets after traffic suppression: 100 kbit/s
- Maximum rate of multicast packets after traffic suppression: 80 percent of the interface bandwidth

Procedure
Step 1 Enter the interface view.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/2

Step 2 Configure traffic suppression for broadcast packets.


[Quidway-GigabitEthernet1/0/2] broadcast-suppression cir 100

Step 3 Configure traffic suppression for multicast packets.


[Quidway-GigabitEthernet1/0/2] multicast-suppression 80

Step 4 Configure traffic suppression for unknown unicast packets.


[Quidway-GigabitEthernet1/0/2] unicast-suppression cir 100

Step 5 Verify the configuration.
Run the display flow-suppression interface command to view the traffic suppression configuration on GE 1/0/2.
<Quidway> display flow-suppression interface gigabitethernet 1/0/2
 storm type       rate mode     set rate value
-------------------------------------------------------------------------------
 unknown-unicast  bps           cir: 100(kbit/s), cbs: 18800(byte)
 multicast        percent       percent: 80%
 broadcast        bps           cir: 100(kbit/s), cbs: 18800(byte)
-------------------------------------------------------------------------------

----End

Configuration Files
#
 sysname Quidway
#
interface gigabitethernet 1/0/2
 unicast-suppression cir 100 cbs 18800
 multicast-suppression percent 80
 broadcast-suppression cir 100 cbs 18800
#
return

11 ACL Configuration

About This Chapter

This chapter describes how to configure the Access Control List (ACL).

11.1 Introduction to the ACL
This section describes the basic concepts and parameters of an ACL.
11.2 Classification of ACLs Supported by the S9300
This section describes the classification of ACLs supported by the S9300.
11.3 Configuring an ACL
This section describes how to create an ACL, set the time range, configure the description of an ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step of an ACL.
11.4 Configuring ACL6
This section describes how to configure basic ACL6 and advanced ACL6.
11.5 Configuration Examples
This section provides configuration examples of the ACL.


11.1 Introduction to the ACL


This section describes the basic concepts and parameters of an ACL.

To filter packets, a set of rules that determines which packets may pass needs to be configured on the S9300. These rules are defined in an ACL. An ACL is an ordered series of rules composed of permit and deny clauses; each clause matches on fields of the packet such as the source address, destination address, and port number. The ACL classifies packets according to these rules. Once the rules are applied to the interfaces of the S9300, the S9300 can determine which packets are accepted and which are rejected.

11.2 Classification of ACLs Supported by the S9300


This section describes the classification of ACLs supported by the S9300.
NOTE

In this manual, the ACL refers to the access control list that is used to filter IPv4 packets, and the ACL6 refers to the access control list that is used to filter IPv6 packets.

Classification of ACLs
The S9300 supports basic ACLs, advanced ACLs, and Ethernet frame header ACLs for IPv4 packets.
- Basic ACLs: classify packets according to their source address, fragmentation flag, and effective time range.
- Advanced ACLs: classify packets in more detail according to the source address, destination address, source port number, destination port number, protocol type, precedence, and effective time range.
- Ethernet frame header ACLs (Layer 2 ACLs): classify packets according to the source MAC address, destination MAC address, and protocol type.

The S9300 supports basic ACL6s and advanced ACL6s for IPv6 packets.
- A basic ACL6 can use the source IPv6 address, fragmentation flag, and effective time range as rule elements.
- An advanced ACL6 can use the source and destination IPv6 addresses, the protocol carried by IPv6, protocol-specific fields such as the source and destination port numbers, and the ICMPv6 type and code as rule elements.

Application of ACLs
ACLs defined on the S9300 can be applied in the following scenarios:
- Hardware-based application: the ACL is delivered to the hardware. For example, when QoS is configured, the ACL is referenced to classify packets. Note that when an ACL is referenced by QoS, packets matching a rule in deny mode are discarded, and packets matching a rule in permit mode are processed according to the action defined by the QoS traffic behavior. For details on traffic behaviors, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
- Software-based application: the ACL is referenced by upper-layer software. For example, an ACL referenced by the login control function restricts which FTP, Telnet, and SSH users can log in, and when the S9300 functions as a TFTP client, an ACL specifies the TFTP servers that the S9300 may access. When an ACL is referenced by upper-layer software, matching packets are processed according to the permit or deny action defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.
NOTE

When an ACL delivered to the hardware is referenced by QoS to classify packets, packets that match no rule of the ACL are not processed according to the action defined in the traffic behavior. When an ACL is referenced by upper-layer software to control FTP, Telnet, or SSH login users, packets that match no rule of the ACL are discarded. The default outcome for unmatched traffic therefore differs between the two applications, and a login-control ACL needs an explicit permit rule for every source that is meant to log in.

11.3 Configuring an ACL


This section describes how to create an ACL, set the time range, configure the description of an ACL, configure basic ACLs, advanced ACLs, and Ethernet frame header ACLs, and set the step of an ACL.

Context
NOTE

11.3.5 Configuring a Basic ACL, 11.3.6 Configuring an Advanced ACL, and 11.3.7 Configuring a Layer 2 ACL are optional and can be configured as required.

11.3.1 Establishing the Configuration Task
11.3.2 Creating an ACL
11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
11.3.4 (Optional) Configuring the Description of an ACL
11.3.5 Configuring a Basic ACL
11.3.6 Configuring an Advanced ACL
11.3.7 Configuring a Layer 2 ACL
11.3.8 (Optional) Setting the Step of an ACL
11.3.9 Checking the Configuration

11.3.1 Establishing the Configuration Task


Applicable Environment
ACLs can be used in multiple services, such as routing policies and packet filtering, to distinguish the types of packets and process them accordingly.

Pre-configuration Tasks
None.

Data Preparation
To configure an ACL, you need the following data.

No.  Data
1    Name of the time range during which the ACL takes effect, with its start time and end time
2    Number of the ACL
3    Number of each ACL rule and the rule that identifies the type of packets, including protocol, source address, source port, destination address, destination port, Internet Control Message Protocol (ICMP) type and code, IP precedence, and Type of Service (ToS) value
4    Description of the ACL
5    Step of the ACL

11.3.2 Creating an ACL


Context
An ACL consists of a series of rules defined by permit or deny clauses. You need to create an ACL before configuring its rules. To create an ACL, you need to:
- Specify the number of the ACL. The number determines the ACL type: 2000 to 2999 is a basic ACL, 3000 to 3999 is an advanced ACL, and 4000 to 4999 is a Layer 2 ACL.
- Set the match order of the ACL rules. This parameter is optional. By default, the match order is config.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number

An ACL is created.
- To create a basic ACL, set acl-number to a value from 2000 to 2999.
- To create an advanced ACL, set acl-number to a value from 3000 to 3999.
- To create a Layer 2 ACL, set acl-number to a value from 4000 to 4999.

----End

11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect
Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is set. You can configure multiple time ranges with the same name to describe a composite period. For example, three time ranges are configured with the same name test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, an absolute time range
- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range

The time range test then covers 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009: the periodic ranges are alternatives, and the absolute range bounds them.

----End

Postrequisite
When a time range is specified for an ACL, the ACL takes effect only in this time range. If no time range is specified for the ACL, the ACL is always effective until it is deleted or the rules of the ACL are deleted.

11.3.4 (Optional) Configuring the Description of an ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
description text

The description of the ACL is configured.



The description of an ACL is a string of up to 127 characters that describes the purpose of the ACL. By default, no description is configured for an ACL.

----End

11.3.5 Configuring a Basic ACL


Context
Do as follows on the S9300.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A basic ACL is created. To create a basic ACL, set acl-number to a value from 2000 to 2999. match-order specifies the order in which ACL rules are matched:
- auto: rules are matched in depth-first order, that is, the rule with the more specific address range (the smaller wildcard) is matched first.
- config: rules are matched in the order in which they were configured.

If match-order is not specified, the match order is config.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created. In source-wildcard, a 1 bit means that the corresponding bit of the source address is ignored: a wildcard of 0 matches only the single host source-address, while 0.0.0.255 matches the whole /24 network containing it.

----End

11.3.6 Configuring an Advanced ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created. To create an advanced ACL, set acl-number to a value from 3000 to 3999. match-order specifies the order in which ACL rules are matched:
- auto: rules are matched in depth-first order, that is, the more specific rule is matched first.
- config: rules are matched in the order in which they were configured.

If match-order is not specified, the match order is config.

Step 3 Run one of the following commands, depending on the protocol:
- When the protocol is the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), run:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port eq port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port eq port | time-range time-name | tos tos ] *

An ACL rule is created.
- When the protocol is ICMP, run:
rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name ] *

An ACL rule is created.
- When the protocol is neither TCP, UDP, nor ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *

An ACL rule is created.

You can configure different advanced ACLs on the S9300 according to the protocol carried by IP; the parameters available differ by protocol type.

NOTE
dscp dscp and precedence precedence cannot be specified in the same rule.

----End

11.3.7 Configuring a Layer 2 ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A Layer 2 ACL is created. To create a Layer 2 ACL, set acl-number to a value from 4000 to 4999. match-order specifies the order in which ACL rules are matched:
- auto: rules are matched in depth-first order, that is, the more specific rule is matched first.
- config: rules are matched in the order in which they were configured.

If match-order is not specified, the match order is config.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ source-mac source-mac-address source-mac-mask ] [ dest-mac dest-mac-address dest-mac-mask | type protocol-type protocol-type-mask ]

An ACL rule is created.

----End

11.3.8 (Optional) Setting the Step of an ACL


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.

Step 3 Run:
step step-value

The step of the ACL is set. The step is the increment between automatically assigned rule IDs: a rule created without rule-id receives the next multiple of the step above the highest existing rule ID, so with the default step of 5 the first rule is numbered 5, the next 10, and so on. The gaps left by the step allow a rule to be inserted between existing rules later by specifying rule-id explicitly. When changing the step, note the following:
- The undo step command restores the default step and renumbers the existing rules accordingly.
- By default, step-value is 5.

----End

----End

11.3.9 Checking the Configuration


Prerequisite
The configurations of the ACL are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL.
- Run the display time-range { all | time-name } command to check the time range.

----End

Example
# Run the display acl command, and you can view the ACL number, number of rules, and step, and details of ACL rules.
<Quidway> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0 (0 times matched)

# Run the display time-range command to view the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 14:19:16 12-4-2008 Tuesday

Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
 from 09:09 2008/9/9 to 23:59 2099/12/31

11.4 Configuring ACL6


This section describes how to configure basic ACL6 and advanced ACL6.

11.4.1 Establishing the Configuration Task
11.4.2 Creating an ACL6
11.4.3 (Optional) Creating the Time Range of the ACL6
11.4.4 Configuring a Basic ACL6
11.4.5 Configuring an Advanced ACL6
11.4.6 Checking the Configuration

11.4.1 Establishing the Configuration Task


Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring a packet filtering policy
- Configuring policy-based routing
- Configuring a routing policy

Pre-configuration Tasks
None

Data Preparation
To configure an ACL6, you need the following data.

No.  Data
1    Number of the ACL6
2    (Optional) Name of the time range during which the ACL6 is valid, with its start time and end time
3    Number of each ACL6 rule and the rule that identifies the packet type, including protocol type, source address and source port, destination address and destination port, ICMPv6 type and code, precedence, and ToS

11.4.2 Creating an ACL6


Context
To create an ACL6, you need to:
- Specify a number, which identifies the ACL6 type: 2000 to 2999 is a basic ACL6 and 3000 to 3999 is an advanced ACL6.
- Set the match order of the ACL6. This parameter is optional. By default, the match order is config.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An ACL6 is created.
- The acl6-number of a basic ACL6 ranges from 2000 to 2999.
- The acl6-number of an advanced ACL6 ranges from 3000 to 3999.

----End

11.4.3 (Optional) Creating the Time Range of the ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

The time range is created. You can configure multiple time ranges with the same name to describe a composite period. For example, three time ranges are configured with the same name test:
- Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59, an absolute time range
- Time range 2: 8:00-18:00 on Monday to Friday, a periodic time range
- Time range 3: 14:00-18:00 on Saturday and Sunday, a periodic time range

The time range test then covers 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009: the periodic ranges are alternatives, and the absolute range bounds them.

----End

Postrequisite
When a time range is specified for the ACL6, the ACL6 takes effect only in this time range. If no time range is specified for the ACL6, the ACL6 is always effective until it is deleted or the rules of the ACL6 are deleted.
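How a named time range built from several entries is evaluated, as an added example in Python that is not Huawei code: it follows the description in 11.3.3 and 11.4.3, treating periodic entries as alternatives and absolute entries as an enclosing window, and exercises the three test entries together with the time1 ranges that display time-range shows in 11.3.9 and 11.4.6. The class and function names are this example's own; daily and working-day appear in those display outputs, while off-day (Saturday and Sunday) is the usual VRP keyword and an assumption here.

```python
"""Evaluation of a VRP-style named time range (added example, not Huawei code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set

# Day keywords: daily and working-day appear in the display output on this page;
# off-day (Saturday and Sunday) is the usual VRP keyword and an assumption here.
DAY_SETS: Dict[str, Set[int]] = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
}
WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday(): Monday == 0


def _hhmm(s: str) -> time:
    return datetime.strptime(s, "%H:%M").time()


def _stamp(s: str) -> datetime:
    """CLI form of an absolute bound: HH:MM YYYY/MM/DD."""
    return datetime.strptime(s, "%H:%M %Y/%m/%d")


@dataclass
class Periodic:
    start: time
    end: time
    days: Set[int]

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass
class Absolute:
    start: datetime
    end: datetime

    def contains(self, at: datetime) -> bool:
        return self.start <= at <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def add_periodic(self, start: str, end: str, days: str) -> None:
        """days: daily, working-day, off-day, or weekday names such as 'mon wed fri'."""
        day_set = DAY_SETS.get(days) or {WEEKDAYS.index(d[:3].lower()) for d in days.split()}
        self.periodic.append(Periodic(_hhmm(start), _hhmm(end), day_set))

    def add_absolute(self, start: str, end: str = "23:59 2099/12/31") -> None:
        """Omitting the end gives the open-ended range that the display output shows."""
        self.absolute.append(Absolute(_stamp(start), _stamp(end)))

    def is_active(self, at: datetime) -> bool:
        """Periodic entries are alternatives (any may match); absolute entries bound them."""
        periodic_ok = not self.periodic or any(p.contains(at) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.contains(at) for a in self.absolute)
        return periodic_ok and absolute_ok

    def active_at(self, iso: str) -> bool:
        """Convenience form taking 'YYYY-MM-DD HH:MM[:SS]'."""
        return self.is_active(datetime.fromisoformat(iso))


def page_ranges() -> Dict[str, TimeRange]:
    """The test range from 11.3.3/11.4.3 and the two time1 ranges displayed in 11.3.9 and 11.4.6."""
    test = TimeRange("test")
    test.add_absolute("00:00 2009/01/01", "23:59 2009/12/31")
    test.add_periodic("08:00", "18:00", "working-day")
    test.add_periodic("14:00", "18:00", "off-day")

    time1_v4 = TimeRange("time1")            # 10:00 to 12:00 daily, from 09:09 2008/9/9
    time1_v4.add_periodic("10:00", "12:00", "daily")
    time1_v4.add_absolute("09:09 2008/9/9")

    time1_v6 = TimeRange("time1")            # 12:00 to 23:00 working-day
    time1_v6.add_periodic("12:00", "23:00", "working-day")
    return {"test": test, "time1_v4": time1_v4, "time1_v6": time1_v6}
```

Both display outputs on this page report time1 as Inactive at the device's current time (14:19 against a 10:00 to 12:00 window, and 09:33 against a 12:00 to 23:00 window), and page_ranges reproduces that. The practical consequence for an ACL is that a rule bound to an inactive time range does not match at all, so traffic falls through to the rules after it; an ACL that relies on a time-bound deny needs a suitable final rule for the hours outside the range.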

11.4.4 Configuring a Basic ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A basic ACL6 is created. The acl6-number of a basic ACL6 ranges from 2000 to 2999. match-order specifies the order in which ACL6 rules are matched:
- auto: rules are matched in depth-first order, that is, the rule with the longer prefix is matched first.
- config: rules are matched in the order in which they were configured.

If match-order is not specified, the match order is config.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

A rule of the ACL6 is configured.

----End

11.4.5 Configuring an Advanced ACL6


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

An advanced ACL6 is created. The acl6-number of an advanced ACL6 ranges from 3000 to 3999. match-order specifies the order in which ACL6 rules are matched:
- auto: rules are matched in depth-first order, that is, the more specific rule is matched first.
- config: rules are matched in the order in which they were configured.

If match-order is not specified, the match order is config.

Step 3 Run one of the following commands, depending on the protocol carried by IPv6. The available parameters differ by protocol type.
- When the protocol is TCP or UDP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos ] *
- When the protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *
- When the protocol is neither TCP, UDP, nor ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos ] *

----End

----End

11.4.6 Checking the Configuration


Prerequisite
The configurations of the ACL6 are complete.

Procedure
- Run the display acl ipv6 { acl6-number | all } command to view the rules of the ACL6.
- Run the display time-range { all | time-name } command to view information about the time range.

----End

Example
# Run the display acl ipv6 command to view the ACL6 number, the number of rules, and the rules.
<Quidway> display acl ipv6 2002
Basic IPv6 ACL 2002, 2 rules
 rule 0 permit time-range time1 (0 times matched) (Inactive)
 rule 1 permit (0 times matched)

A rule marked (Inactive) is not matched while its time range is inactive, so traffic falls through to the rules after it; here it matches rule 1.

# Run the display time-range command to view the configuration and status of the current time range.
<Quidway> display time-range all
Current time is 09:33:31 5-21-2009 Thursday

Time-range : time1 ( Inactive )
 12:00 to 23:00 working-day
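How the rules of a basic ACL and a basic ACL6 are matched, as an added example in Python that is not Huawei code and does not model the hardware. It covers the wildcard semantics of 11.3.5 (a 1 bit in the wildcard means the address bit is ignored, so 10.0.0.2 0.0.0.255 is stored as 10.0.0.0 0.0.0.255, exactly as display acl 2000 shows in 11.5.1), the prefix-length form of 11.4.4, the difference between match-order config and auto from 11.3.2 and 11.4.2, the rule-ID step of 11.3.8, and the no-rule-matched outcome discussed in the NOTE of 11.2. Assumptions: depth-first is modelled as "the rule that fixes more address bits first"; config order is ascending rule ID, which is configuration order for automatically numbered rules; re-entering an existing rule ID replaces that rule; ACL6 rules get the same step of 5 as IPv4 ACLs (the page shows ACL6 rule IDs 0 and 1 without stating the numbering rule); only the source-address and any forms of rule are modelled, without time ranges. The class and function names are this example's own.

```python
"""Matching model for basic ACL / ACL6 rules (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IpAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    addr: int        # normalised source address: bits the rule ignores are cleared
    care: int        # set bit -> that address bit must match; clear bit -> ignored
    version: int     # 4 or 6
    text: str        # the form display acl shows

    def matches(self, ip: IpAddr) -> bool:
        return ip.version == self.version and (int(ip) & self.care) == self.addr

    @property
    def fixed_bits(self) -> int:
        """Specificity of the rule; depth-first ordering tries larger values first."""
        return bin(self.care).count("1")


class BasicAcl:
    """acl [number] 2000-2999 (ipv6=False) or acl ipv6 2000-2999 (ipv6=True)."""

    def __init__(self, number: int, match_order: str = "config", ipv6: bool = False, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers range from 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order is auto or config")
        self.number, self.match_order, self.ipv6, self.step = number, match_order, ipv6, step
        self.rules: List[Rule] = []       # kept in ascending rule-ID order (assumed config order)

    def next_id(self) -> int:
        """Next multiple of the step above the highest rule ID; the first rule gets the step itself."""
        top = max((r.rule_id for r in self.rules), default=0)
        return (top // self.step + 1) * self.step

    def rule(self, action: str, source: str = "any", rule_id: Optional[int] = None) -> Rule:
        """source: 'any', 'A.B.C.D W.X.Y.Z' (IPv4 address and wildcard) or 'addr/len' (IPv6)."""
        rid = self.next_id() if rule_id is None else rule_id
        if source == "any":
            addr, care, shown = 0, 0, ""
        elif self.ipv6:
            net = ipaddress.IPv6Network(source, strict=False)        # strict=False clears host bits
            addr, care = int(net.network_address), int(net.netmask)
            shown = f" source {net.with_prefixlen}"
        else:
            a, w = source.split()
            wild = int(ipaddress.IPv4Address(w)) if "." in w else int(w)   # CLI allows the short form 0
            care = 0xFFFFFFFF ^ wild                                      # wildcard 1 bits are "don't care"
            addr = int(ipaddress.IPv4Address(a)) & care                   # 10.0.0.2 0.0.0.255 -> 10.0.0.0
            shown = f" source {ipaddress.IPv4Address(addr)} {w}"
        new = Rule(rid, action, addr, care, 6 if self.ipv6 else 4, f"rule {rid} {action}{shown}")
        # an existing rule with the same ID is replaced (assumption); order stays by rule ID
        self.rules = sorted([r for r in self.rules if r.rule_id != rid] + [new], key=lambda r: r.rule_id)
        return new

    def ordered(self) -> List[Rule]:
        if self.match_order == "auto":
            # depth first: most specific rule first; sorted() is stable, so ties keep rule-ID order
            return sorted(self.rules, key=lambda r: -r.fixed_bits)
        return list(self.rules)

    def evaluate(self, ip_text: str) -> Tuple[Optional[str], Optional[int]]:
        """First matching rule decides. (None, None) means no rule matched; the service that
        references the ACL then decides (QoS applies no behaviour, login control discards)."""
        ip = ipaddress.ip_address(ip_text)
        for r in self.ordered():
            if r.matches(ip):
                return r.action, r.rule_id
        return None, None
```

The config/auto difference is the security-relevant part: with match-order config, a broad deny entered first shadows a later host-specific permit, whereas with auto the host rule wins regardless of the order of entry. Changing the match order of an existing ACL can therefore change which traffic passes, so the ordered rules should be re-read after such a change. The same model shows why the rule in 11.5.1 exempts the whole 10.0.0.0/24 from URPF rather than user A alone.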

11.5 Configuration Examples


This section provides configuration examples of the ACL.

11.5.1 Example for Configuring a Basic ACL
11.5.2 Example for Configuring an Advanced ACL
11.5.3 Example for Configuring a Layer 2 ACL
11.5.4 Example for Configuring an ACL6

11.5.1 Example for Configuring a Basic ACL


Networking Requirements
As shown in Figure 11-1, GE 1/0/1 of the S9300 is connected to the user PCs and GE 2/0/1 is connected to the upstream router. To prevent source address spoofing, strict URPF check is configured on GE 1/0/1 and GE 2/0/1. In addition, the S9300 must trust the packets from user A, whose IP address is 10.0.0.2/24, so URPF check must be disabled for the packets sent by user A.

Figure 11-1 Networking diagram for disabling URPF for the specified traffic: PC A (IP 10.0.0.2/24) and PC B, S9300 with GE1/0/1 and GE2/0/1


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the URPF function.
2. Configure the ACL.
3. Configure the traffic classifier.
4. Configure the traffic behavior.
5. Configure the traffic policy.
6. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with URPF: GE 1/0/1 and GE 2/0/1
- ACL number: 2000
- IP address of user A: 10.0.0.2/24
- Names of the traffic classifier, traffic behavior, and traffic policy: tc1, tb1, and tp1
- Interface where the traffic policy is applied: GE 1/0/1

Procedure
Step 1 Configure the URPF function.
# Enable the URPF function on the LPUs in slots 1 and 2.
<Quidway> system-view
[Quidway] urpf slot 1
[Quidway] urpf slot 2

# Configure the URPF mode on the interface.


[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] urpf strict
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] urpf strict
[Quidway-GigabitEthernet2/0/1] quit

Step 2 Configure the traffic classifier based on the ACL rules.
# Define the ACL rules.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule permit source 10.0.0.2 0.0.0.255
[Quidway-acl-basic-2000] quit

The wildcard 0.0.0.255 ignores the last octet, so this rule matches every host in 10.0.0.0/24 rather than user A alone, and the device stores it as 10.0.0.0 0.0.0.255 (see Step 5). To exempt only user A from URPF check, use a wildcard of 0, which matches the single address 10.0.0.2.

# Configure the traffic classifier and define the ACL rules.


[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 2000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.



# Define the traffic behavior and disable the URPF function in the traffic behavior view.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] ip urpf disable
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.
# Define the traffic policy and associate the traffic classifier and traffic behavior with it.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

# Apply the traffic policy to GE 1/0/1.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.
# Check the configuration of the ACL rules.
<Quidway> display acl 2000
 Basic ACL 2000, 1 rule
 Acl's step is 5
  rule 5 permit source 10.0.0.0 0.0.0.255 (0 times matched)

# Check the configuration of the traffic classifier.
<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: tc1
   Precedence: 20
   Operator: OR
   Rule(s) : if-match acl 2000

# Check the configuration of the traffic policy.
<Quidway> display traffic policy user-defined tp1
 User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: tc1
    Behavior: tb1
     urpf switch: off

----End

Configuration Files
#
 sysname Quidway
#
 urpf slot 1
 urpf slot 2
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 20
 if-match acl 2000
#
traffic behavior tb1
 ip urpf disable
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet1/0/1
 urpf strict
 traffic-policy tp1 inbound
#
interface GigabitEthernet2/0/1
 urpf strict
#
return
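The following Python model is added here to show what the configuration above achieves; it is not code from the guide or from Huawei. Strict URPF accepts a packet only when the FIB's return path for its source address leaves through the arrival interface, and the tp1 policy (classifier tc1 matching ACL 2000, behavior tb1 with ip urpf disable) exempts sources in 10.0.0.0/24 from that check on GE 1/0/1. The FIB entries, the 192.168.1.0/24 segment, the sample source addresses, and all function names are constructed assumptions; the guide gives no routing table.

```python
import ipaddress

# Constructed FIB for the model: prefix -> outgoing interface (longest prefix wins).
# The guide gives no routing table; these entries are assumptions.
FIB = {
    ipaddress.ip_network("10.0.0.0/24"): "GE2/0/1",     # user A's segment routes back via GE 2/0/1
    ipaddress.ip_network("192.168.1.0/24"): "GE1/0/1",  # a segment that really sits behind GE 1/0/1
    ipaddress.ip_network("0.0.0.0/0"): "GE2/0/1",       # default route
}

# ACL 2000 as configured: rule permit source 10.0.0.2 0.0.0.255.
# The wildcard 0.0.0.255 covers all of 10.0.0.0/24, which is what 'display acl 2000' shows.
ACL_2000 = [("permit", "10.0.0.2", "0.0.0.255")]

# Traffic policy tp1 (tc1 -> tb1 'ip urpf disable') is applied inbound on GE 1/0/1 only.
URPF_EXEMPT = {"GE1/0/1": ACL_2000}


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, r, w = (int(ipaddress.ip_address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def acl_permits(acl, addr):
    """First matching rule decides; a packet matching no rule is not classified."""
    for action, rule_addr, wildcard in acl:
        if wildcard_match(addr, rule_addr, wildcard):
            return action == "permit"
    return False


def fib_lookup(addr):
    """Longest-prefix match. Assumption of this model: the default route counts as a
    valid return path (real platforms often exclude it from the URPF check)."""
    addr = ipaddress.ip_address(addr)
    best = max((p for p in FIB if addr in p), key=lambda p: p.prefixlen, default=None)
    return FIB[best] if best is not None else None


def strict_urpf_accepts(in_iface, src):
    """Strict URPF: accept only if the return path to src leaves via in_iface,
    unless the interface's traffic policy exempts this source from the check."""
    if in_iface in URPF_EXEMPT and acl_permits(URPF_EXEMPT[in_iface], src):
        return True
    return fib_lookup(src) == in_iface


if __name__ == "__main__":
    for iface, src in [("GE1/0/1", "10.0.0.5"), ("GE2/0/1", "10.0.0.5"),
                       ("GE1/0/1", "172.16.0.1"), ("GE1/0/1", "192.168.1.7")]:
        verdict = "forward" if strict_urpf_accepts(iface, src) else "drop"
        print(f"{src:>12} arriving on {iface}: {verdict}")
```

Without the exemption, user A's packets arriving on GE 1/0/1 would be dropped by strict URPF because the FIB points back out GE 2/0/1; a spoofed source such as 172.16.0.1 is still dropped on GE 1/0/1 because no policy covers it.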


11.5.2 Example for Configuring an Advanced ACL


Networking Requirements
As shown in Figure 11-2, the departments of the company are connected through the S9300s. An IPv4 ACL must be configured so that the personnel of the R&D department and marketing department cannot access the salary query server at 10.164.9.9 from 8:00 to 17:30, whereas the personnel of the president's office can access the server at any time.

Figure 11-2 Networking diagram for configuring IPv4 ACLs (S9300 interfaces GE2/0/1, GE1/0/2, GE1/0/1, and GE1/0/3; salary query server 10.164.9.9; president's office 10.164.1.0/24; marketing department 10.164.2.0/24; R&D department 10.164.3.0/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces.
2. Configure the time range.
3. Configure the ACL.
4. Configure the traffic classifier.
5. Configure the traffic behavior.
6. Configure the traffic policy.
7. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to
- Name of the time range
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to the VLANs and assign IP addresses to the VLANIF interfaces. Add GE 1/0/1, GE 2/0/1, and GE 3/0/1 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add GE 2/0/1 to VLAN 100. The first IP address of each network segment is used as the address of the VLANIF interface. GE 1/0/1 is taken as an example; the other interfaces are configured in the same way and are not shown here.
<Quidway> system-view
[Quidway] vlan batch 10 20 30 100
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Quidway-Vlanif10] quit

Step 2 Configure the time range.
# Configure the time range from 8:00 to 17:30 on working days.
[Quidway] time-range satime 8:00 to 17:30 working-day

Step 3 Configure ACLs.
# Configure the ACL that controls access from the marketing department to the salary query server.
[Quidway] acl 3002
[Quidway-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3002] quit

# Configure the ACL that controls access from the R&D department to the salary query server.
[Quidway] acl 3003
[Quidway-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satime
[Quidway-acl-adv-3003] quit


Step 4 Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[Quidway] traffic classifier c_market
[Quidway-classifier-c_market] if-match acl 3002
[Quidway-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Quidway] traffic classifier c_rd
[Quidway-classifier-c_rd] if-match acl 3003
[Quidway-classifier-c_rd] quit

Step 5 Configure traffic behaviors.
# Configure the traffic behavior b_market to reject packets.
[Quidway] traffic behavior b_market
[Quidway-behavior-b_market] deny
[Quidway-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.
[Quidway] traffic behavior b_rd
[Quidway-behavior-b_rd] deny
[Quidway-behavior-b_rd] quit

Step 6 Configure traffic policies.
# Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with the traffic policy.
[Quidway] traffic policy p_market
[Quidway-trafficpolicy-p_market] classifier c_market behavior b_market
[Quidway-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic behavior b_rd with the traffic policy.
[Quidway] traffic policy p_rd
[Quidway-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[Quidway-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policies.
# Apply the traffic policy p_market to GE 1/0/2.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] traffic-policy p_market inbound
[Quidway-GigabitEthernet1/0/2] quit

# Apply the traffic policy p_rd to GE 1/0/3.
[Quidway] interface gigabitethernet 1/0/3
[Quidway-GigabitEthernet1/0/3] traffic-policy p_rd inbound
[Quidway-GigabitEthernet1/0/3] quit

Step 8 Verify the configuration.
# Check the configuration of ACL rules.
<Quidway> display acl all
 Total nonempty ACL number is 2

 Advanced ACL 3002, 1 rule
 Acl's step is 5
  rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)

 Advanced ACL 3003, 1 rule
 Acl's step is 5
  rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active)

# Check the configuration of the traffic classifiers.
<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: c_market
   Precedence: 5
   Operator: OR
   Rule(s) : if-match acl 3002

  Classifier: c_rd
   Precedence: 10
   Operator: OR
   Rule(s) : if-match acl 3003

# Check the configuration of the traffic policies.
<Quidway> display traffic policy user-defined
 User Defined Traffic Policy Information:
  Policy: p_market
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: c_market
    Behavior: b_market
     Deny

  Policy: p_rd
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: c_rd
    Behavior: b_rd
     Deny

----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
acl number 3003
 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
 if-match acl 3002
traffic classifier c_rd operator or precedence 10
 if-match acl 3003
#
traffic behavior b_market
 deny
traffic behavior b_rd
 deny
#
traffic policy p_market
 classifier c_market behavior b_market
traffic policy p_rd
 classifier c_rd behavior b_rd
#
interface Vlanif10
 ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
 ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
 traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 30
 traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
 port link-type access
 port default vlan 100
#
return


11.5.3 Example for Configuring a Layer 2 ACL


Networking Requirements
As shown in Figure 11-3, the S9300 that functions as the gateway is connected to the PC. An ACL must be configured to prevent packets with the source MAC address 00e0-f201-0101 and the destination MAC address 0260-e207-0002 from passing through.

Figure 11-3 Networking diagram for configuring layer 2 ACLs (S9300 interfaces GE2/0/1 and GE1/0/1; IP network; PC with MAC address 00e0-f201-0101)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the ACL.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
5. Apply the traffic policy to an interface.

Data Preparation
To complete the configuration, you need the following data:
- ACL ID and rules
- Name of the traffic classifier and classification rules
- Name of the traffic behavior and actions
- Name of the traffic policy, and traffic classifier and traffic behavior associated with the traffic policy
- Interface that a traffic policy is applied to

Procedure
Step 1 Configure an ACL.
# Configure the required layer 2 ACL.
[Quidway] acl 4000
[Quidway-acl-ethernetframe-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
[Quidway-acl-ethernetframe-4000] quit

Step 2 Configure the traffic classifier that is based on the ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Quidway] traffic classifier tc1
[Quidway-classifier-tc1] if-match acl 4000
[Quidway-classifier-tc1] quit

Step 3 Configure the traffic behavior.
# Configure the traffic behavior tb1 to reject packets.
[Quidway] traffic behavior tb1
[Quidway-behavior-tb1] deny
[Quidway-behavior-tb1] quit

Step 4 Configure the traffic policy.
# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Quidway] traffic policy tp1
[Quidway-trafficpolicy-tp1] classifier tc1 behavior tb1
[Quidway-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.
# Apply the traffic policy tp1 to GE 2/0/1.
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound
[Quidway-GigabitEthernet2/0/1] quit

Step 6 Verify the configuration.
# Check the configuration of ACL rules.
<Quidway> display acl 4000
 Ethernet frame ACL 4000, 1 rule
 Acl's step is 5
  rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff (0 times matched)

# Check the configuration of the traffic classifier.
<Quidway> display traffic classifier user-defined
 User Defined Classifier Information:
  Classifier: tc1
   Precedence: 15
   Operator: OR
   Rule(s) : if-match acl 4000

# Check the configuration of the traffic policy.
<Quidway> display traffic policy user-defined tp1
 User Defined Traffic Policy Information:
  Policy: tp1
   Classifier: default-class
    Behavior: be
     -none-
   Classifier: tc1
    Behavior: tb1
     Deny

----End

Configuration Files
#
 sysname Quidway
#
acl number 4000
 rule 5 deny source-mac 00e0-f201-0101 ffff-ffff-ffff dest-mac 0260-e207-0002 ffff-ffff-ffff
#
traffic classifier tc1 operator or precedence 15
 if-match acl 4000
#
traffic behavior tb1
 deny
#
traffic policy tp1
 classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
 traffic-policy tp1 inbound
#
return

11.5.4 Example for Configuring an ACL6


Networking Requirements
As shown in Figure 11-4, S9300-A and S9300-B are connected through GE interfaces. You need to configure an ACL6 rule on S9300-A to prevent the IPv6 packets with the source IP address 3001::2 from entering GE 1/0/0 of S9300-A.

Figure 11-4 Networking diagram for configuring ACL6 and filtering IPv6 packets (S9300-A GE1/0/0, 3001::1/64, connected over VLAN 10 to S9300-B GE1/0/0, 3001::2/64; S9300-B Loopback2 3002::2/64)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the number of the ACL6.
2. Configure the rules in the ACL6.
3. Define the classification, action, and policy to be performed on the packets.

Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
- Source IPv6 address specified in the ACL6 rule
- Names of the traffic classifier, traffic behavior, and traffic policy
- Interface where the traffic policy is applied

Procedure
Step 1 Enable the IPv6 forwarding capability on S9300-A and S9300-B, set the parameters for the interfaces, and check the connectivity.
# Configure S9300-A.
<Quidway> system-view
[Quidway] sysname S9300-A
[S9300-A] ipv6
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] port link-type trunk
[S9300-A-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-A-GigabitEthernet1/0/0] quit
[S9300-A] interface vlanif 10
[S9300-A-Vlanif10] ipv6 enable
[S9300-A-Vlanif10] ipv6 address 3001::1 64
[S9300-A-Vlanif10] quit

# Configure a static route on S9300-A.
[S9300-A] ipv6 route-static 3002:: 64 3001::2

# Configure S9300-B.
<Quidway> system-view
[Quidway] sysname S9300-B
[S9300-B] ipv6
[S9300-B] interface loopback 2
[S9300-B-LoopBack2] ipv6 enable
[S9300-B-LoopBack2] ipv6 address 3002::2 64
[S9300-B-LoopBack2] quit
[S9300-B] interface gigabitethernet 1/0/0
[S9300-B-GigabitEthernet1/0/0] port link-type trunk
[S9300-B-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[S9300-B-GigabitEthernet1/0/0] quit
[S9300-B] interface vlanif 10
[S9300-B-Vlanif10] ipv6 enable
[S9300-B-Vlanif10] ipv6 address 3001::2 64
[S9300-B-Vlanif10] quit

# Ping VLANIF 10 of S9300-A from VLANIF 10 of S9300-B.
[S9300-B] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.
# Ping VLANIF 10 of S9300-A from Loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 30 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 20 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 50 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 20 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms

The ping succeeds without timeout or abnormal delay.
Step 2 Create an ACL6 rule and apply it to the interface to reject the IPv6 packets from 3001::2.
# Configure S9300-A.
[S9300-A] acl ipv6 number 3001
[S9300-A-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[S9300-A-acl6-adv-3001] quit
[S9300-A] traffic classifier class1
[S9300-A-classifier-class1] if-match ipv6 acl 3001
[S9300-A-classifier-class1] quit
[S9300-A] traffic behavior behav1
[S9300-A-behavior-behav1] deny
[S9300-A-behavior-behav1] quit
[S9300-A] traffic policy policy1
[S9300-A-trafficpolicy-policy1] classifier class1 behavior behav1
[S9300-A-trafficpolicy-policy1] quit
[S9300-A] interface gigabitethernet 1/0/0
[S9300-A-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[S9300-A-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.
# Ping VLANIF 10 of S9300-A from VLANIF 10 of S9300-B.
[S9300-B] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

The ping fails, because the packets sourced from 3001::2 are rejected by ACL6 3001 on GE 1/0/0.
# Ping VLANIF 10 of S9300-A from Loopback2 of S9300-B.
[S9300-B] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 40 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 30 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/48/80 ms

The ping succeeds without timeout or abnormal delay, because packets sourced from 3002::2 match no rule in the ACL6.
----End

Configuration Files
- Configuration file of S9300-A
#
 sysname S9300-A
#
 ipv6
#
acl ipv6 number 3001
 rule 0 deny ipv6 source 3001::2/128
#
traffic classifier class1 operator or
 if-match ipv6 acl 3001
#
traffic behavior behav1
 deny
#
traffic policy policy1
 classifier class1 behavior behav1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-policy policy1 inbound
#
interface Vlanif10
 ipv6 enable
 ipv6 address 3001::1/64
#
ipv6 route-static 3002:: 64 3001::2
#
return

- Configuration file of S9300-B
#
 sysname S9300-B
#
 ipv6
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Vlanif10
 ipv6 enable
 ipv6 address 3001::2/64
#
interface LoopBack2
 ipv6 enable
 ipv6 address 3002::2/64
#
return
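The Python model below is added here (it is not code from the guide or from Huawei) to check, before anything is committed to a switch, that the ACL-based traffic policies of 11.5.2 (time-ranged IPv4 rules) and 11.5.4 (the ACL6 on S9300-A) really encode the stated requirements. It assumes first-match rule evaluation, a time range that is inclusive at both ends, and that a packet matching a rule of the referenced ACL receives the behavior's action; the function names, the host addresses used as samples and the timestamps are constructed.

```python
import ipaddress
from datetime import datetime

WORKING_DAYS = {0, 1, 2, 3, 4}               # Monday..Friday, as 'working-day' means
SATIME = ("08:00", "17:30", WORKING_DAYS)    # time-range satime 08:00 to 17:30 working-day

def v4_wildcard_match(addr, rule_addr, wildcard):
    """Huawei wildcard: 1 bits are 'do not care', so 0.0.0.255 covers a whole /24."""
    return (int(addr) | int(wildcard)) == (int(rule_addr) | int(wildcard))

def addr_matches(spec, addr):
    """spec: None (any), (address, wildcard) for IPv4, or an IPv6 network for ACL6."""
    if spec is None:
        return True
    if isinstance(spec, ipaddress.IPv6Network):
        return addr.version == 6 and addr in spec
    rule_addr, wildcard = (ipaddress.ip_address(x) for x in spec)
    return addr.version == 4 and v4_wildcard_match(addr, rule_addr, wildcard)

def time_range_active(spec, when):
    """A rule with a time range only matches while the range is active (assumed inclusive)."""
    if spec is None:
        return True
    start, end, days = spec
    return when.weekday() in days and start <= when.strftime("%H:%M") <= end

# ACL rules as (action, source, destination, time-range), in the switch's rule order.
ACLS = {
    3002: [("deny", ("10.164.2.0", "0.0.0.255"), ("10.164.9.9", "0.0.0.0"), SATIME)],
    3003: [("deny", ("10.164.3.0", "0.0.0.255"), ("10.164.9.9", "0.0.0.0"), SATIME)],
    3001: [("deny", ipaddress.ip_network("3001::2/128"), None, None)],   # ACL6 on S9300-A
}
# Traffic policy -> (ACL referenced by its classifier, behavior action).
POLICIES = {"p_market": (3002, "deny"), "p_rd": (3003, "deny"), "policy1": (3001, "deny")}
# Interface -> inbound policy, as applied in the two examples.
INBOUND = {"GE1/0/2": "p_market", "GE1/0/3": "p_rd", "GE1/0/0": "policy1"}

def forwarded(iface, src, dst, when, inbound=INBOUND):
    """True if a packet src -> dst entering iface at `when` (ISO string or datetime) is
    forwarded. An interface without a policy, or a packet matching no rule, is forwarded."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface not in inbound:
        return True
    acl, behavior = POLICIES[inbound[iface]]
    for _action, s, d, tr in ACLS[acl]:
        if addr_matches(s, src) and addr_matches(d, dst) and time_range_active(tr, when):
            return behavior != "deny"
    return True

def audit(inbound=INBOUND):
    """Return the 11.5.2 requirements that the given interface -> policy mapping fails."""
    work, after = "2010-01-08T10:00", "2010-01-08T18:00"   # constructed: a Friday
    server = "10.164.9.9"
    checks = [
        ("marketing blocked in working hours", not forwarded("GE1/0/2", "10.164.2.5", server, work, inbound)),
        ("marketing allowed after hours", forwarded("GE1/0/2", "10.164.2.5", server, after, inbound)),
        ("R&D blocked in working hours", not forwarded("GE1/0/3", "10.164.3.9", server, work, inbound)),
        ("president's office always allowed", forwarded("GE1/0/1", "10.164.1.2", server, work, inbound)),
    ]
    return [name for name, ok in checks if not ok]
```

audit() on the mapping from the example returns an empty list; applying p_rd to GE 1/0/2 instead of p_market leaves the marketing department unblocked, which the audit reports, because ACL 3003 only matches sources in 10.164.3.0/24.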
