Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 02 (2009-12-10)
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.
Related Versions
The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine5000E Core Router
Version: V300R007C00
Intended Audience
This document is intended for:
- Commissioning engineer
- Data configuration engineer
- Network monitoring engineer
- System maintenance engineer
Organization
This document is organized as follows.

Chapter 1 AAA and User Management Configurations: introduces the Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management and local user management, their configuration steps, and typical examples.
Chapter 2: describes the types of security that the NE5000E supports, and the configuration and applications of ARP security, along with typical examples.
Chapter 3 URPF Configuration: describes the concepts and configuration steps of URPF.
Chapter 4 Configuration of Local Attack Defense: describes the principle, configuration, and application of local attack defense.
Chapter 5 Mirroring Configuration: describes port-based and traffic-classifier-based mirroring configuration, along with typical examples.
Appendix A Attributes List of RADIUS and HWTACACS: covers the attributes of RADIUS and HWTACACS.
Appendix B Glossary: collates the glossary terms frequently used in this document.
Appendix C Acronyms and Abbreviations: collates the acronyms and abbreviations frequently used in this document.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows. The symbol graphics themselves are not reproduced here; their descriptions are:

- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
- (CAUTION, as used in this document) Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- (NOTE, as used in this document) Provides additional information to emphasize or supplement important points of the main text.
General Conventions
The general conventions that may be found in this document are defined as follows.

Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. Exactly one item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }*: Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Boldface: Buttons, menus, parameters, tabs, windows, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.
Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Issue 02 (2009-12-10)
Contents
About This Document  iii
1 AAA and User Management Configurations  1-1
1.1 Overview to AAA and User Management  1-2
1.1.1 Introduction to AAA and User Management  1-2
1.1.2 AAA and User Management Supported by the NE5000E  1-3
1.2 Configuring Local User Management  1-3
1.2.1 Establishing the Configuration Task  1-4
1.2.2 Creating a Local User Account  1-4
1.2.3 Configuring the Type of the Service That the Local User Accesses  1-5
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory  1-5
1.2.5 Configuring Local User Status  1-6
1.2.6 Configuring the Local User Level  1-7
1.2.7 Setting the Maximum Number of Access Users with the Same User Name  1-7
1.2.8 Local Users Changing the Passwords  1-8
1.2.9 Cutting Off Online Users Forcibly  1-8
1.2.10 Checking the Configuration  1-9
1.3 Configuring AAA Schemes  1-9
1.3.1 Establishing the Configuration Task  1-10
1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions  1-11
1.3.3 Configuring the Authentication Scheme  1-11
1.3.4 (Optional) Configuring the Authorization Scheme  1-12
1.3.5 Configuring the Accounting Scheme  1-13
1.3.6 (Optional) Configuring the Recording Scheme  1-15
1.3.7 Allocating IP Addresses to Users  1-15
1.3.8 Checking the Configuration  1-17
1.4 Configuring Server Templates  1-19
1.4.1 Establishing the Configuration Task  1-19
1.4.2 Configuring the RADIUS Server Template  1-20
1.4.3 Configuring the HWTACACS Server Template  1-23
1.4.4 Checking the Configuration  1-28
1.5 Configuring Domains  1-29
1.5.1 Establishing the Configuration Task  1-30
1.5.2 Creating a Domain  1-30
1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain  1-31
1.5.4 Configuring the RADIUS Server Template  1-32
1.5.5 Configuring the HWTACACS Server Template  1-32
1.5.6 Configuring the Address-related Attributes of the Domain  1-33
1.5.7 Configuring the Domain State  1-34
1.5.8 Configuring the Maximum of Access Users Allowed by the Domain  1-34
1.5.9 Configuring the Idle-Cut Parameters for a Domain  1-35
1.5.10 Checking the Configuration  1-36
1.6 Maintaining AAA and User Management  1-36
1.6.1 Clearing the Statistics of AAA and User Management  1-36
1.6.2 Debugging AAA and User Management  1-37
1.7 Configuration Examples  1-37
1.7.1 Example for Configuring the RADIUS Authentication and Accounting For Local Users  1-38
1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode  1-41
1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network  1-45
3 URPF Configuration  3-1
3.1 Overview to URPF  3-2
3.1.1 Introduction to URPF  3-2
3.1.2 URPF Supported by the NE5000E  3-4
3.2 Configuring URPF  3-4
3.2.1 Establishing the Configuration Task  3-4
3.2.2 Configuring LPU-based URPF  3-5
3.2.3 Configuring URPF on an Interface  3-5
3.2.4 Configuring Flow-based URPF  3-6
3.2.5 Checking the Configuration  3-7
3.3 Maintaining the URPF  3-8
3.3.1 Resetting the Statistics of URPF  3-8
3.4 Configuration Example  3-8
3.4.1 Example for Configuring URPF  3-9
4.5.9 Applying the Attack Defense Policy  4-21
4.5.10 Checking the Configuration  4-21
4.6 Configuring Application Layer Association  4-23
4.6.1 Establishing the Configuration Task  4-24
4.6.2 Creating the Attack Defense Policy  4-24
4.6.3 Disabling Application Layer Association  4-24
4.6.4 Configuring the Packet Processing Mode  4-25
4.6.5 Applying the Attack Defense Policy  4-25
4.6.6 Checking the Configuration  4-26
4.7 Configuring Management/Control Plane Protection  4-28
4.7.1 Establishing the Configuration Task  4-28
4.7.2 Configuring Global Policy for Management/Control Plane Protection  4-29
4.7.3 Configuring a Slot-based Policy for Management/Control Plane Protection  4-29
4.7.4 Configuring Interface-level Policy for Management/Control Plane Protection  4-30
4.7.5 Checking the Configuration  4-31
4.8 Maintaining Local Attack Defense  4-32
4.8.1 Resetting the Statistics of Attack Defense  4-33
4.9 Configuration Example  4-33
4.9.1 Example for Local Attack Defense  4-33
5 Mirroring Configuration  5-1
5.1 Overview to Mirroring  5-2
5.1.1 Introduction to Mirroring  5-2
5.1.2 Mirroring Features Supported by the NE5000E  5-2
5.2 Configuring Local Port Mirroring  5-2
5.2.1 Establishing the Configuration Task  5-3
5.2.2 Configuring the Observing Port  5-3
5.2.3 Configuring the Observing Port for the Entire LPU  5-4
5.2.4 Configuring Local Port Mirroring  5-4
5.2.5 Checking the Configuration  5-5
5.3 Configuring Local Traffic Mirroring  5-6
5.3.1 Establishing the Configuration Task  5-6
5.3.2 Configuring the Observing Port  5-7
5.3.3 Configuring the Observing Port for the Entire LPU  5-8
5.3.4 Defining the Traffic Class  5-8
5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring  5-9
5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior  5-9
5.3.7 Applying the Traffic Policy to the Mirrored Port  5-10
5.3.8 Checking the Configuration  5-11
5.4 Configuration Examples  5-12
5.4.1 Example for Configuring Local Port Mirroring  5-12
5.4.2 Example for Configuring Local Flow Mirroring  5-14
A.1 RADIUS Attribute  A-2
A.1.1 Standard RADIUS Attribute  A-2
A.1.2 Huawei RADIUS Attribute  A-5
A.2 HWTACACS Attribute  A-9
Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting  1-38
Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting  1-42
Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of administrators  1-45
Figure 2-1 Networking diagram of preventing attacks on ARP entries  2-10
Figure 3-1 Schematic diagram of the source address spoofing attack  3-2
Figure 3-2 URPF applied on a single-homed client  3-2
Figure 3-3 Application environment of the URPF multi-homed client  3-3
Figure 3-4 Applicable environment of multi-homed client and multi-ISPs  3-3
Figure 3-5 Networking diagram of configuring URPF  3-9
Figure 4-1 Networking diagram of configuring the local attack defense  4-33
Figure 5-1 Networking diagram of port mirroring  5-12
Figure 5-2 Networking diagram of flow mirroring  5-15
- Authentication: determines which users are allowed to access the network.
- Authorization: grants the authenticated user the right to use particular services.
- Accounting: records the network resources used by the user.

AAA adopts the server/client model. The client runs on the side of the administered resource (the Network Access Server, NAS) and the server stores the user information. This model scales well and allows user information to be managed centrally.

AAA supports three authentication modes: non-authentication, local authentication, and remote authentication. Remote authentication supports two protocols: Remote Authentication Dial In User Service (RADIUS) and Huawei Terminal Access Controller Access Control System (HWTACACS).

AAA supports four authorization modes: direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.
NOTE
- RADIUS combines authentication and authorization in a single exchange, so RADIUS authorization cannot be configured on its own, separately from RADIUS authentication.
- Users who have passed HWTACACS authentication can change their own passwords stored on the TACACS server.
AAA supports the following accounting modes: non-accounting and remote accounting (RADIUS or HWTACACS accounting). The authentication, authorization, and accounting schemes are applied to users in the domain view.

Users are managed in two ways:
- Based on domains: configurations such as the default authorization, the RADIUS or HWTACACS server template, and the authentication and accounting schemes are performed in a domain.
- Based on user accounts.

In the current AAA implementation, users are categorized into domains. The domain a user belongs to is determined by the character string that follows the "@" in the user name. For example, the user "user@hua" belongs to the domain "hua". If the user name contains no "@", the user belongs to the domain "default". Besides the default domain, up to 254 domains can be created.
All AAA users are configured in the domain view by applying an authentication scheme, an authorization scheme, and an accounting scheme to the domain; the schemes themselves are defined beforehand in the AAA view. By default, AAA uses local authentication, local authorization, and no accounting. If a domain is created but no scheme is specified for it, the default schemes apply to that domain.

An authorization attribute configured in a domain has lower precedence than the same attribute delivered by the AAA server: the server's attribute is used first, and the domain's attribute takes effect only when the server does not deliver or does not support that attribute. In this way you can add services through the domain configuration without being limited by the attributes the AAA server supports.
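The domain and scheme rules above, as an added model (not code from this guide or from the NE5000E software): the domain is the string after "@" with "default" as the fallback, at most 254 domains besides "default" can be created, a domain with no scheme bound falls back to the AAA-view defaults, and an authorization attribute delivered by the AAA server overrides the same attribute configured in the domain. The attribute names used in the test data ("priority", "idle-cut") are illustrative, and the choice of the first "@" when a login contains several is this model's own assumption, since the guide does not say.

```python
"""Model of domain-based AAA scheme selection and authorization precedence.

Added example; not code from the Huawei guide. Scheme and attribute
names are placeholders chosen for the model.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_USER_DOMAINS = 254          # besides the built-in "default" domain
DEFAULT_DOMAIN = "default"

# AAA-view defaults stated in the guide.
DEFAULT_SCHEMES = {
    "authentication": "local",
    "authorization": "local",
    "accounting": "none",
}


@dataclass
class Domain:
    name: str
    # Scheme names bound in the domain view; None means "not specified".
    authentication: Optional[str] = None
    authorization: Optional[str] = None
    accounting: Optional[str] = None
    # Authorization attributes configured in the domain (lower precedence).
    attributes: dict = field(default_factory=dict)


class AAAConfig:
    def __init__(self):
        self.domains = {DEFAULT_DOMAIN: Domain(DEFAULT_DOMAIN)}

    def create_domain(self, name: str) -> Domain:
        if name in self.domains:
            return self.domains[name]
        if len(self.domains) - 1 >= MAX_USER_DOMAINS:
            raise ValueError("at most %d domains besides default" % MAX_USER_DOMAINS)
        d = Domain(name)
        self.domains[name] = d
        return d

    def resolve(self, login: str):
        """Split 'user@domain' into (user, domain); no '@' means the default
        domain. Assumption: the first '@' separates user from domain."""
        if "@" in login:
            user, domain = login.split("@", 1)
        else:
            user, domain = login, DEFAULT_DOMAIN
        return user, domain

    def schemes_for(self, login: str) -> dict:
        """Schemes that apply to the user's domain, falling back to the
        AAA-view defaults for anything the domain does not specify."""
        _, dname = self.resolve(login)
        d = self.domains.get(dname)
        if d is None:
            raise KeyError("domain %r does not exist" % dname)
        return {k: getattr(d, k) or DEFAULT_SCHEMES[k] for k in DEFAULT_SCHEMES}

    def effective_authorization(self, login: str, server_attrs: dict) -> dict:
        """Server attributes win; a domain attribute is used only when the
        server did not deliver it (absent) or does not support it (None)."""
        _, dname = self.resolve(login)
        merged = dict(self.domains[dname].attributes)
        for k, v in server_attrs.items():
            if v is not None:
                merged[k] = v
        return merged
```

A login such as "user@hua" therefore picks up the authentication scheme bound to "hua" but still uses the default local authorization and no accounting if those were never bound, and a server-delivered attribute replaces the domain's value for that attribute only.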
The TACACS server allows users to change their passwords. Users change their own passwords from the command line.

HWTACACS supports forwarding based on VPN instances. When an operator's TACACS server is deployed in a private network and the routers are deployed in the public network, HWTACACS performs authentication, authorization, and accounting for users by exchanging packets with the TACACS server through the VPN instance.
1.2.7 Setting the Maximum Number of Access Users with the Same User Name
1.2.8 Local Users Changing the Passwords
1.2.9 Cutting Off Online Users Forcibly
If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting off online users based on user names or authentication modes is configured, all connections that match the condition are cut off at the same time.
1.2.10 Checking the Configuration
Pre-configuration Task
Before configuring local user management, complete the following tasks:
- Configuring the link layer protocol parameters and IP addresses of the interfaces, and ensuring that the link layer protocol status of the interfaces is Up
- Creating an Access Control List (ACL) and setting ACL rules, if you need to apply an ACL to manage local users
Data Preparation
To configure local user management, you need the following data.
1. User name and password
2. Type of the service that the local user accesses
3. Name of the FTP directory that the local user can access
4. Local user status
5. Local user level
6. Maximum number of access users with the same user name
7. Number of the ACL used to manage the local user
Procedure
Step 1 Run:
system-view
A local user account is created. If the user name contains "@", the string before "@" is the user name and the string after "@" is the domain name. If the user name does not contain "@", the whole string is the user name and the domain is default. ----End
1.2.3 Configuring the Type of the Service That the Local User Accesses
This procedure manages local users according to the types of service they are allowed to access.
Context
Do as follows on the NAS:
Procedure
Step 1 Run:
system-view
The type of the service that the local user may access is configured. By default, local users may access all service types. ----End
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
If the service type of the local user is set to FTP, this procedure is mandatory; otherwise, the FTP user cannot log in.
Context
Do as follows on the NAS:
Procedure
Step 1 Run:
system-view
The FTP directory that the local user may access is configured. By default, no FTP directory is configured. ----End
Procedure
Step 1 Run:
system-view
The local user status is configured. By default, the local user is in the active state. ----End
Postrequisite
The local user is handled according to its state:
- If the local user is in the active state, the authentication request from this user is accepted for further processing.
- If the local user is in the block state, the authentication request from this user is denied.
Context
Do as follows on the NAS:
Procedure
Step 1 Run:
system-view
The local user level is configured. By default, the level of the local user is determined by the management module. ----End
Postrequisite
Login users have the same 16 levels, numbered 0 to 15, as commands. In ascending order the levels are Visit, Monitoring, Configure, and Management; the higher the level number, the higher the privilege.
1.2.7 Setting the Maximum Number of Access Users with the Same User Name
Context
Do as follows on the NAS:
Procedure
Step 1 Run:
system-view
The maximum number of concurrent access users with the same user name is configured. By default, the number of access users with the same user name is not restricted. ----End
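The admission rules from sections 1.2.2 through 1.2.7, as one added model (not code from this guide or from the router): the requested service must be one the user may access (default: all), an FTP user without an FTP directory cannot log in, a blocked user's authentication request is denied, the user level must be 0 to 15, and the access-limit caps concurrent sessions under the same user name (default: unrestricted). The set of service-type names, the `Session`-free `online` counter, and the plaintext password comparison are simplifications chosen for this model; a real NAS stores passwords in cipher form.

```python
"""Local-user admission check modelling sections 1.2.2 to 1.2.7.

Added example; not code from the Huawei guide. Service-type names are an
assumed set; passwords are compared in the clear for the model only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ALL_SERVICES = frozenset({"telnet", "ssh", "ftp", "ppp"})   # assumed set


@dataclass
class LocalUser:
    name: str
    password: str
    service_types: FrozenSet[str] = ALL_SERVICES   # default: every service
    ftp_directory: Optional[str] = None            # default: none
    state: str = "active"                          # "active" or "block"
    level: int = 0                                 # 0..15
    access_limit: Optional[int] = None             # None: unrestricted

    def __post_init__(self):
        if not 0 <= self.level <= 15:
            raise ValueError("user level must be 0..15")
        if self.state not in ("active", "block"):
            raise ValueError("state must be active or block")
        if self.access_limit is not None and self.access_limit < 1:
            raise ValueError("access-limit must be at least 1")


def check_login(users: Dict[str, LocalUser], name: str, password: str,
                service: str, online: Dict[str, int]) -> str:
    """Return 'ok' or the reason the login is refused.

    `online` maps user name -> number of sessions currently online under
    that name, which is what the access-limit is compared against.
    """
    user = users.get(name)
    if user is None or user.password != password:
        return "authentication failed"
    if user.state == "block":            # 1.2.5: blocked users are denied
        return "user is blocked"
    if service not in user.service_types:   # 1.2.3
        return "service %s not permitted" % service
    if service == "ftp" and not user.ftp_directory:   # 1.2.4
        return "ftp directory not configured"
    if user.access_limit is not None and online.get(name, 0) >= user.access_limit:
        return "access-limit reached"     # 1.2.7
    return "ok"
```

Checks are ordered so that a blocked account is refused before any service-specific rule is evaluated, matching the text's statement that a blocked user's authentication request is simply denied.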
Procedure
Step 1 Run:
local-user change-password
The password of the local user is changed. Only a user who has passed local authentication can change the password in this way.
----End
Context
Do as follows on the NAS:
Procedure
Step 1 Run:
system-view
The AAA view is displayed.
Step 3 Perform one of the following as required to cut off online users forcibly:
- To cut off online users based on domain names, run the cut access-user domain domain-name command.
- To cut off online users based on user names, run the cut access-user username { local | hwtacacs | radius | none | all } [ user-name ] command.
- To cut off online users based on user IDs, run the cut access-user user-id start-num [ end-num ] command.
----End
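The three selection forms of the forced cut-off above, as an added model (not code from this guide or from the router) run over a constructed session table: cut by domain name removes every online user of that domain; cut by authentication mode (local, hwtacacs, radius, none, or all) optionally narrowed to one user name removes every matching connection at once; cut by a user-ID range removes the sessions whose IDs fall within start-num to end-num. The `Session` record, its fields, and the assumption that the optional user-name argument matches the full login string are this example's own.

```python
"""Selecting the online sessions that a forced cut-off affects (1.2.9).

Added example; not code from the Huawei guide. The session table and
Session record are constructed for the model.
"""
from dataclasses import dataclass
from typing import List, Optional

AUTH_MODES = ("local", "hwtacacs", "radius", "none")


@dataclass(frozen=True)
class Session:
    user_id: int
    username: str      # as logged in, e.g. "user1@hua"
    auth_mode: str     # one of AUTH_MODES

    @property
    def domain(self) -> str:
        return self.username.split("@", 1)[1] if "@" in self.username else "default"


def cut_by_domain(sessions: List[Session], domain: str) -> List[Session]:
    """cut access-user domain <domain-name>: every online user of the domain."""
    return [s for s in sessions if s.domain == domain]


def cut_by_username(sessions: List[Session], mode: str,
                    user_name: Optional[str] = None) -> List[Session]:
    """cut access-user username { local | hwtacacs | radius | none | all } [ user-name ].
    Assumption: user-name is matched against the full login string."""
    if mode != "all" and mode not in AUTH_MODES:
        raise ValueError("unknown authentication mode %r" % mode)
    return [s for s in sessions
            if (mode == "all" or s.auth_mode == mode)
            and (user_name is None or s.username == user_name)]


def cut_by_user_id(sessions: List[Session], start: int,
                   end: Optional[int] = None) -> List[Session]:
    """cut access-user user-id <start-num> [ <end-num> ]; a single ID if end is omitted."""
    end = start if end is None else end
    if end < start:
        raise ValueError("end-num must not be less than start-num")
    return [s for s in sessions if start <= s.user_id <= end]


def apply_cut(sessions: List[Session], victims: List[Session]) -> List[Session]:
    """Return the session table with the selected sessions removed."""
    doomed = set(victims)
    return [s for s in sessions if s not in doomed]


# Constructed sample session table.
SESSIONS = [
    Session(1, "bbb", "local"),
    Session(2, "user1@hua", "radius"),
    Session(3, "user2@hua", "hwtacacs"),
    Session(4, "bbb", "local"),
    Session(5, "op@isp", "hwtacacs"),
]
```

Note that cutting by user name with mode all and no user-name argument selects every session; in practice the mode and name should be as narrow as the operational need, since all matching connections drop simultaneously.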
Procedure
Step 1 Run the display local-user [ domain domain-name | user-name user-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the attributes of local users. ----End
Example
Run the display local-user command. If attributes of the local user are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display local-user
---------------------------------------------------------------------------
Username        State    Type   CAR   Access-limit   Online
---------------------------------------------------------------------------
bbb             Active   T      Dft   No             1
ftp             Active   F      Dft   No             0
---------------------------------------------------------------------------
Total 2,2 printed
Network and broadcast addresses, such as the Class A addresses XXX.255.255.255 and XXX.0.0.0, the Class B addresses XXX.XXX.255.255 and XXX.XXX.0.0, and the Class C addresses XXX.XXX.XXX.255 and XXX.XXX.XXX.0, must not be configured as the start or end address of an address pool. If the address pool contains such addresses, they cannot be allocated.
NOTE
The IP address negotiation needs to be configured on the client and the server respectively.
Pre-configuration Tasks
Before configuring AAA schemes, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces, and ensuring that the status of the link layer protocol on the interfaces is Up
Data Preparation
To configure AAA schemes, you need the following data.
No.  Data
1    Name of the authentication scheme and the authentication mode
2    (Optional) Name of the authorization scheme and the authorization mode, level of the HWTACACS user to be authorized through command lines, and timeout time of command-line-based authorization
3    Name of the accounting scheme, the accounting mode, the interval of real-time accounting, the accounting-start failure policy, the real-time accounting failure policy, and the number of real-time accounting failures tolerated
4    (Optional) Name of the recording scheme, name of the HWTACACS server template associated with the recording mode, and events to be recorded
5    Interface type and interface number of the server and client, address pool ID and IP address range of the address pool, and the IP addresses to be allocated to users when no address pool is used
Context
Do as follows on the router:
Procedure
Step 1 Run the system-view command to enter the system view. Step 2 (Optional) Enable RADIUS/HWTACACS functions as required:
- Run the radius enable command to enable RADIUS functions.
- Run the hwtacacs enable command to enable HWTACACS functions.
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
An authentication scheme is created and the authentication scheme view is displayed. Step 4 Run:
authentication-mode { hwtacacs | radius | local } * [ none ]
or
authentication-mode none
By default, the authentication mode is local. If several authentication modes are configured in one scheme, they are tried in the order in which they are configured. Because none performs no authentication, listing it as the last mode means that a user who reaches it is admitted without any credential check. If RADIUS or HWTACACS is specified, you must configure the RADIUS or HWTACACS server template and apply the template in the view of the domain to which the user belongs. Step 5 Run:
authentication-super { hwtacacs | super } * [ none ]
or
authentication-super none
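The ordering rule above is easiest to reason about with a small model. The following is an added example written for this page, not NE5000E code: it walks a mode list such as radius local none in configured order, using a stub RADIUS server whose reachability and timer settings (5 s timeout, 3 retransmissions, the defaults documented later in this chapter) are constructed. It assumes, as a labelled assumption rather than anything the page states, that a later mode is consulted only when the earlier one gives no answer, not when it explicitly rejects the user.

```python
"""Ordered authentication-mode list, as in 'authentication-mode radius local [ none ]'.

Added example; not NE5000E code. Assumptions (not stated on the page): a later
mode is consulted only when the earlier one gives no answer (server unreachable
after the retransmit budget), not when it explicitly rejects the user; 'none'
admits the user without checking any credential."""
from dataclasses import dataclass

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class RadiusServer:
    """Stub RADIUS server: a constructed user table plus a reachability flag."""
    users: dict
    reachable: bool = True
    timeout_s: int = 5      # response timeout default documented on this page
    retransmit: int = 3     # retransmission count default documented on this page

    def query(self, user: str, password: str) -> str:
        if not self.reachable:
            return NO_RESPONSE    # every attempt timed out
        return ACCEPT if self.users.get(user) == password else REJECT


def outage_delay(timeout_s: int, retransmit: int) -> int:
    """Seconds a login blocks before a dead server is declared unavailable:
    the first request and each retransmission each wait a full timeout
    (modelled assumption)."""
    return timeout_s * (1 + retransmit)


def authenticate(modes, radius, local_users, user, password):
    """Walk the configured modes in order; returns (decision, mode that decided)."""
    for mode in modes:
        if mode == "none":
            return ACCEPT, "none"             # no check at all: an open door
        if mode == "radius":
            result = radius.query(user, password)
        elif mode == "local":
            result = ACCEPT if local_users.get(user) == password else REJECT
        else:
            raise ValueError(f"unknown authentication mode {mode!r}")
        if result == NO_RESPONSE:
            continue                          # fall through only on silence
        return result, mode
    return REJECT, NO_RESPONSE                # every mode was silent


if __name__ == "__main__":
    dead = RadiusServer(users={"alice": "pw"}, reachable=False)
    print(outage_delay(dead.timeout_s, dead.retransmit), "s before fallback")
    print(authenticate(["radius", "local"], dead, {"ops": "x"}, "mallory", "?"))
    print(authenticate(["radius", "none"], dead, {}, "mallory", "?"))
```

The point the model makes concrete: with radius none, a RADIUS outage turns the scheme into unauthenticated access after the retransmit budget expires, whereas radius local only falls back to the local user database.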
- You can configure command-line-based authorization for users at a given level only when HWTACACS is adopted.
- For commands that carry parameters and values, such as interface ethernet2/2/0, enter the command in the form used in the configuration file; otherwise HWTACACS command authorization fails.
- HWTACACS command-line authorization is independent of the authorization mode.
Procedure
Step 1 Run:
system-view
The authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists. This scheme cannot be deleted but modified. Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }* [ none ]
Or Run:
The authorization mode is configured. By default, the authorization mode is set to local. If the authorization mode is set to HWTACACS, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs. Step 5 Run:
authorization-cmd privilege-level hwtacacs [ local ]
Command-line-based authorization is enabled. By default, command-line-based authorization is disabled. If command-line-based authorization is enabled, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs. Step 6 Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }
The policy applied when the HWTACACS server is unavailable or does not respond to a command-authorization request is set: online keeps the user logged in, offline logs the user out, optionally only after max-times-value consecutive unanswered requests. Step 7 Run:
quit
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
The accounting scheme is created and the accounting scheme view is displayed. By default, an accounting scheme named default exists. This scheme cannot be deleted but modified. Step 4 Run:
accounting-mode { hwtacacs | radius | none }
The accounting mode is configured. By default, the accounting mode is none. If the accounting mode is RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS server template and apply the template in the view of the domain to which the user belongs. Step 5 Run:
accounting realtime interval
Real-time accounting is enabled and its interval is set. By default, real-time accounting is enabled with an interval of five minutes. Choose the interval according to network conditions: a short interval increases network traffic and the load on the device that receives the real-time accounting packets, while a long interval makes accounting less accurate. Step 6 (Optional) Run:
accounting start-fail { online | offline }
The policy applied when accounting fails to start at the remote end is configured. It defines whether the user is kept online or cut off when accounting cannot be started; by default, the user is denied network access. Step 7 (Optional) Run:
accounting interim-fail [ max-times times ]{ online | offline }
The policy applied when real-time accounting fails is configured. It defines whether the user is kept online or cut off after real-time accounting fails; by default, the user is cut off after three consecutive failures. ----End
Procedure
Step 1 Run:
system-view
The recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists. Step 4 Run:
recording-mode hwtacacs template-name
The recording mode is configured. By default, the recording scheme is not associated with the HWTACACS template. Step 5 Run:
quit
The commands run on the router are recorded. Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name
It is not necessary to configure an address pool if there is only one user: allocate a specific IP address to the user directly, in which case Steps 2, 3 and 4 can be skipped. The commands in Steps 6 and 7 must be run on a POS interface that supports PPP. If both the local and the remote interface are encapsulated with PPP, and the local interface has no IP address while the remote interface has one, you can configure IP address negotiation on the local interface so that it obtains the IP address allocated by the peer through PPP negotiation. When configuring IP address negotiation, note the following:
- IP address negotiation can be set only on an interface that supports PPP.
- When the PPP status goes Down, the IP address obtained through negotiation is deleted.
- No IP address needs to be configured on the local interface, because it is obtained through negotiation; if the interface already has an IP address, that address is deleted.
- When negotiation is reconfigured on the interface, the IP address obtained by the earlier negotiation is deleted and the interface obtains a new one through the new negotiation; once the negotiated address is deleted, the interface has no address.
Procedure
Step 1 Run:
system-view
Procedure
- Run the display aaa configuration [ | count ] [ | { begin | include | exclude } regular-expression ] command to check brief information about AAA.
- Run the display accounting-scheme [ accounting-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the accounting scheme.
- Run the display authentication-scheme [ authentication-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the recording scheme.
- Run the display ip pool { global | domain domain-name } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the usage of the address pool.
- Run the display access-user command to check information about all online users.
----End
Example
Run the display aaa configuration command. If brief information about AAA is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display aaa configuration
--------------------------------------------------------------------------
AAA configuration information :
--------------------------------------------------------------------------
Domain                  : total: 255   used: 2
Authentication-scheme   : total: 16    used: 2
Authorization-scheme    : total: 16    used: 2
Accounting-scheme       : total: 128   used: 2
Recording-scheme        : total: 128   used: 0
AAA-access-user         : total: 384   used: 0
Access-user-state       : authen: 0  author: 0  accounting: 0
--------------------------------------------------------------------------
Run the display authentication-scheme command. If information about the authentication scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authentication-scheme scheme0
--------------------------------------------------------------------------
Authentication-scheme-name      : scheme0
Authentication-method           : Local authentication
Authentication-super method     : Super authentication-super
--------------------------------------------------------------------------
Run the display authorization-scheme command. If information about the authorization scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authorization-scheme scheme0
--------------------------------------------------------------------------
Authorization-scheme-name              : scheme0
Authorization-method                   : Local authorization
Authorization-cmd level 0              : disabled
Authorization-cmd level 1              : disabled
Authorization-cmd level 2              : enabled ( Hwtacacs )
Authorization-cmd level 3              : disabled
Authorization-cmd level 4              : disabled
Authorization-cmd level 5              : disabled
Authorization-cmd level 6              : disabled
Authorization-cmd level 7              : disabled
Authorization-cmd level 8              : disabled
Authorization-cmd level 9              : disabled
Authorization-cmd level 10             : disabled
Authorization-cmd level 11             : disabled
Authorization-cmd level 12             : disabled
Authorization-cmd level 13             : disabled
Authorization-cmd level 14             : disabled
Authorization-cmd level 15             : disabled
Authorization-cmd no-response-policy   : Online
--------------------------------------------------------------------------
Run the display accounting-scheme command. If information about the accounting scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display accounting-scheme scheme0
--------------------------------------------------------------------------
Accounting-scheme-name               : scheme0
Accounting-method                    : RADIUS accounting
Realtime-accounting-switch           : Open
Realtime-accounting-interval(min)    : 5
Start-accounting-fail-policy         : Cut user
Realtime-accounting-fail-policy      : Cut user
Realtime-accounting-failure-retries  : 3
--------------------------------------------------------------------------
Run the display recording-scheme command. If information about the recording scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display recording-scheme scheme0
--------------------------------------------------------------------------
Recording-scheme-name      : scheme0
HWTACACAS-template-name    : template0
--------------------------------------------------------------------------
Run the display ip pool global command. If brief information about all usage of the address pool is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip pool global
---------------------------------------------------------------------------
Pool-number   Pool-start-addr   Pool-end-addr   Pool-length   Used-addr-number
---------------------------------------------------------------------------
2             10.1.1.1          10.1.1.10       10            0
---------------------------------------------------------------------------
Total pool number: 1
Run the display access-user command. If brief information about all online users is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display access-user
----------------------------------------------------------------------------
Total users                 : 2
Wait authen-ack             : 0
Authentication success      : 2
Accounting ready            : 2
Accounting state            : 0
Wait leaving-flow-query     : 0
Wait accounting-start       : 0
Wait accounting-stop        : 0
Wait authorization-client   : 0
Wait authorization-server   : 0
------------------------------------------------------------------
Domain-name                 Online-user
------------------------------------------------------------------
default                     : 2
------------------------------------------------------------------
The used CID table are : 256 257
----------------------------------------------------------------------------
Most RADIUS configuration items can be left at their default settings or adjusted to the actual networking. A RADIUS server template can be modified only while no user is using it. Note the following differences when you configure an HWTACACS server template:
- Except for deleting an HWTACACS server, you can modify most attributes of an HWTACACS server template without checking whether the template is in use.
- By default, no shared key is configured for HWTACACS, so configure one, identical on the router and on the server, before relying on the template.
Pre-configuration Tasks
Before configuring the server template, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces, and ensuring that the status of the link layer protocol on the interfaces is Up
Data Preparation
To configure the RADIUS server, you need the following data.
No.  Data
1    Name of the RADIUS server template; IP addresses and port numbers of the primary RADIUS authentication and accounting servers; source interface number; IP addresses and port numbers of the secondary RADIUS authentication and accounting servers; protocol version used by the RADIUS server; shared key; user name format (with or without domain name) sent to the RADIUS server; traffic unit of the RADIUS server; response timeout period of the RADIUS server and retransmission times; NAS port format and NAS port ID format for the RADIUS server
2    Name of the HWTACACS server template; IP addresses, port numbers and VPN instances to be bound of the primary HWTACACS authentication, authorization and accounting servers; IP addresses, port numbers and VPN instances to be bound of the secondary HWTACACS authentication, authorization and accounting servers; retransmission times of accounting-stop packets; source IP address used towards the HWTACACS server; shared key of the HWTACACS server; user name format (with or without domain name) sent to the HWTACACS server; traffic unit of the HWTACACS server; response timeout period of the HWTACACS server; and the time taken by the primary HWTACACS server to return to the active state
Procedure
- Creating the RADIUS server template
  1. Run:
     system-view
  The RADIUS server template is created and the RADIUS template view is displayed.
- Configuring the RADIUS authentication server
  1. Run:
     system-view
  The primary RADIUS authentication server is configured. By default, no primary RADIUS authentication server is configured.
  4. Run:
     radius-server authentication ip-address port [ source loopback interface-number ] secondary
  The secondary RADIUS authentication server is configured. By default, no secondary RADIUS authentication server is configured.
- Configuring the RADIUS accounting function
  1. Run:
     system-view
  The primary RADIUS accounting server is configured. By default, no primary RADIUS accounting server is configured.
  4. Run:
     radius-server accounting ip-address port [ source loopback interface-number ] secondary
  The secondary RADIUS accounting server is configured. By default, no secondary RADIUS accounting server is configured.
- Configuring the protocol version of the RADIUS server
  1. Run:
     system-view
  The protocol version of the RADIUS server is configured. By default, the NE5000E uses standard RADIUS; if portal is specified, it uses RADIUS+1.1.
- Configuring the shared key of the RADIUS server
  1. Run:
     system-view
  2. Run:
     radius-server template template-name
  The shared key of the RADIUS server is configured. By default, the shared key is huawei. That default is published in this document, so always replace it with a key known only to the router and the RADIUS server; the key must be identical on both.
- Configuring the user name format of the RADIUS server
  1. Run:
     system-view
  The user name format sent to the RADIUS server is configured. By default, the user name contains the domain name. If the RADIUS server does not recognise user names that contain a domain name, you can remove the domain name before the user name is sent to the RADIUS server.
  NOTE
  Commonly, a user name is in the format "user name@domain name"; the character string after @ is the domain name.
  The traffic unit of the RADIUS server is configured. By default, the traffic unit is byte.
  The response timeout period of the RADIUS server is configured. By default, the timeout period is 5 seconds. The NE5000E judges the RADIUS server by the responses to its requests: if the server does not respond within the timeout period, the NE5000E retransmits the request.
  4. Run:
     radius-server retransmit retry-times
  The retransmission times of the RADIUS server is configured. By default, a request is retransmitted 3 times. If the NE5000E still receives no response after retransmitting the request the configured number of times, it considers the RADIUS server unavailable.
- (Optional) Configuring the NAS port of the RADIUS server
  1. Run:
     system-view
  The NAS port format is configured. By default, the NAS port format is new.
  4. Run:
     radius-server nas-port-id-format { new | old }
  The NAS port ID format of the RADIUS server is configured. By default, the NAS port ID format is new.
----End
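What the shared key configured above actually does on the wire is defined by RFC 2865: it hides the User-Password attribute in the Access-Request and signs the Response Authenticator of the reply. The following is an added example written for this page, built from the RFC and the standard library only; it is not NE5000E code and does not describe any Huawei implementation. The constant DEFAULT_SECRET reproduces the template default named above; the sample values in the usage section are the RFC 2865 section 7.1 test vector.

```python
"""RADIUS shared-secret mechanics (RFC 2865): hiding User-Password and
signing the Response Authenticator. Added example, not NE5000E code."""
import hashlib
import hmac
import os
import struct

DEFAULT_SECRET = b"huawei"   # the template default this page documents
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a 16-octet multiple, then XOR each block
    with MD5(secret + previous ciphertext block); block 1 uses the Request
    Authenticator in place of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding the secret plus a capture of
    the Access-Request recovers the password, which is why a published default
    secret gives no protection at all."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")   # drop the NUL padding


def build_access_request(ident, username, password, secret, request_auth=None, extra=b""):
    """Access-Request carrying User-Name, User-Password and any extra attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, request_auth))
             + extra)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """Client-side check that a reply came from a holder of the secret and
    answers this request; a wrong key or a modified attribute fails it."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # RFC 2865 section 7.1 vector: secret xyzzy5461, user nemo, password arctangent.
    ra = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")
    req = build_access_request(0, b"nemo", b"arctangent", b"xyzzy5461", ra)
    hidden = req[30:46]                      # the User-Password value
    print("hidden :", hidden.hex())
    print("with key:", reveal_password(hidden, b"xyzzy5461", ra))
    print("default :", reveal_password(hidden, DEFAULT_SECRET, ra))
```

Two practical observations follow from the code: the hiding is a reversible XOR keyed only by the secret, so a leaked or default secret exposes every password ever captured on the link, and the Response Authenticator is the sole thing binding an Access-Accept to the request and the secret, so the client must check it before trusting the reply.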
Procedure
- Creating the HWTACACS server template
  1. Run:
     system-view
  The HWTACACS server template is created and the corresponding view is displayed.
- Configuring the HWTACACS authentication server
  1. Run:
     system-view
  The primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0, and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
  The secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0, and the server is not bound to a VPN instance.
- Configuring the HWTACACS authorization server
  1. Run:
     system-view
  The primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0, and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
  The secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0, and the server is not bound to a VPN instance.
- Configuring the HWTACACS accounting server
  1. Run:
     system-view
  The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0, and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
  The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0, and the server is not bound to a VPN instance.
  5. Run:
     quit
  Retransmission of accounting-stop packets is configured. By default, the NE5000E retransmits accounting-stop packets, up to 100 times. Accounting-stop packets tell the server to stop charging the user; if the accounting server does not receive them it keeps charging, so the NE5000E retransmits them until the server receives one or the retransmission limit is reached.
- (Optional) Configuring the source IP address of the HWTACACS server
  1. Run:
     system-view
  The source IP address of HWTACACS packets is configured. By default, it is 0.0.0.0, meaning that the NE5000E uses the IP address of the outgoing interface as the source address of HWTACACS packets. After a source IP address is specified, the HWTACACS template uses it to communicate with the HWTACACS server.
- (Optional) Configuring the shared key of the HWTACACS server
  1. Run:
     system-view
  The shared key of the HWTACACS server is configured. By default, the shared key is null, which leaves the exchange with the server unprotected; setting a shared key secures the communication between the NE5000E and the HWTACACS server.
  NOTE
  So that each end can verify the identity of the other, the shared key configured on the router must be identical to the one configured on the HWTACACS server.
- (Optional) Configuring the user name format of the HWTACACS server
  1. Run:
     system-view
  The user name format sent to the HWTACACS server is configured. By default, the user name contains the domain name. If the HWTACACS server rejects user names that contain a domain name, you can configure the device to remove the domain name before sending the user name to the HWTACACS server.
  Commonly, the user name is in the format "user name@domain name"; the character string after @ is the domain name.
  The traffic unit of the HWTACACS server is configured. By default, the traffic unit is byte.
- (Optional) Configuring the timers of the HWTACACS server
  1. Run:
     system-view
  The response timeout period of the HWTACACS server is configured. By default, it is five seconds. If the device receives no response from the HWTACACS server within this period, it considers the server unavailable and tries to perform authentication, authorization or accounting through other methods.
  4. Run:
     hwtacacs-server timer quiet value
  The time after which an unavailable primary HWTACACS server is restored to the active state is configured. By default, the primary HWTACACS server is restored after five minutes.
- Configuring active password modification
  1. Run:
     hwtacacs-user change-password hwtacacs-server template-name
  - A user can log in to the device only after passing HWTACACS authentication, and only when the HWTACACS server template has been configured.
  - Users can actively change their passwords before the user names and passwords stored on the TACACS server expire.
  - For users whose passwords have already expired, the TACACS server returns an authentication-failure message at login, so these users cannot actively change their passwords.
----End
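The shared-key step and the NOTE above say the key must match on both ends; the reason is visible once you see what the key is used for. The following is an added example written for this page that implements the body obfuscation of the public TACACS+ specification (RFC 8907 section 4.5); it is not NE5000E or HWTACACS code, and it assumes, as a labelled assumption, that HWTACACS keeps that construction. The session ID and the packet body are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907 4.5): what the shared key is used for.
Added example; not NE5000E or HWTACACS code. Assumes HWTACACS uses the
public TACACS+ construction (an assumption). Sample values are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear; what a null key gives you
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pad_stream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no);
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1});
    the pads are concatenated and truncated to the body length."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(base + prev).digest()
        out += prev
    return out[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pad stream."""
    pad = pad_stream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """With a key the body is XORed with the pad. With no key the sender sets
    TAC_PLUS_UNENCRYPTED_FLAG and the body (user names, passwords, commands)
    travels in clear."""
    flags = 0
    if key:
        payload = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Returns the body. A key mismatch does not raise: the body simply decodes
    to garbage, which is why both ends must hold the same key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    body = b"\x01\x00\x01\x01\x05\x06\x00\x00" + b"alice" + b"tty10"   # constructed
    keyed = build_packet(body, 0x1A2B3C4D, b"s3cret", 1)
    clear = build_packet(body, 0x1A2B3C4D, b"", 1)
    print("keyed body :", keyed[12:].hex())
    print("clear body :", clear[12:])
    print("wrong key  :", parse_packet(keyed, b"wrong"))
```

Note that the pad depends only on the session ID, key, version and sequence number, none of which is secret except the key, and MD5 here provides no integrity: a captured packet can be flipped bit by bit without detection. The key is therefore the whole protection, and a null key means the NE5000E and the server exchange credentials in cleartext.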
Procedure
- Run the display radius-server configuration [ template template-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about the RADIUS authentication and accounting servers.
- Run the display hwtacacs-server template [ template-name [ verbose ] ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about the HWTACACS server template.
- Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information about accounting-stop packets for the HWTACACS server.
----End
Example
Run the display radius-server configuration command. If information about the RADIUS server template is displayed, the configuration succeeded. Note that the output prints the shared key in cleartext, so treat saved terminal output of this command as sensitive. For example:
<HUAWEI> display radius-server configuration template test
------------------------------------------------------------------
Server-template-name             : test
Protocol-version                 : standard
Traffic-unit                     : KB
Shared-secret-key                : abcdef
Timeout-interval(in second)      : 6
Primary-authentication-server    : 10.1.1.1:1812:LoopBack-1
Primary-accounting-server        : 10.1.1.2:1813:LoopBack-1
Secondary-authentication-server  : 10.1.1.2:1812:LoopBack-1
Secondary-accounting-server      : 10.1.1.4:1813:LoopBack-1
Retransmission                   : 2
Domain-included                  : YES
------------------------------------------------------------------
Run the display hwtacacs-server template command. If information about the TACACS server template is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display hwtacacs-server template
----------------------------------------------------------
HWTACACS-server template name     : 123
Primary-authentication-server     : 0.0.0.0:0:-
Primary-authorization-server      : 0.0.0.0:0:-
Primary-accounting-server         : 0.0.0.0:0:-
Secondary-authentication-server   : 0.0.0.0:0:-
Secondary-authorization-server    : 0.0.0.0:0:-
Secondary-accounting-server       : 0.0.0.0:0:-
Current-authentication-server     : 0.0.0.0:0:-
Current-authorization-server      : 0.0.0.0:0:-
Current-accounting-server         : 0.0.0.0:0:-
Source-IP-address                 : 0.0.0.0
Shared-key                        :
Quiet-interval(min)               : 5
Response-timeout-Interval(sec)    : 5
Domain-included                   : Yes
Traffic-unit                      : B
------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
------------------------------------------------------------
HWTACACS-server template name     : test1
Primary-authentication-server     : 1.1.11.1:49:vpna
Primary-authorization-server      : 0.0.0.0:0:-
Primary-accounting-server         : 1.1.1.1:49:vpna
Secondary-authentication-server   : 0.0.0.0:0:-
Secondary-authorization-server    : 1.1.1.1:12:vpna
Secondary-accounting-server       : 0.0.0.0:0:-
Current-authentication-server     : 1.1.11.1:49:vpna
Current-authorization-server      : 1.1.1.1:12:vpna
Current-accounting-server         : 1.1.1.1:49:vpna
Source-IP-address                 : 1.1.1.1
Shared-key                        :
Quiet-interval(min)               : 5
Response-timeout-Interval(sec)    : 5
Domain-included                   : Yes
Traffic-unit                      : B
------------------------------------------------------------
Total 2,2 printed
Pre-configuration Tasks
Before configuring domains, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces, and ensuring that the status of the link layer protocol on the interfaces is Up
- Configuring authentication, authorization, and accounting schemes
- Configuring the RADIUS or HWTACACS server template if remote authentication, authorization, or accounting is adopted
Data Preparation
To configure a domain, you need the following data.
No.  Data
1    Domain name
2    Names of the authentication scheme, authorization scheme, and accounting scheme in the domain
3    Name of the RADIUS or HWTACACS template of the domain
4    Address pool number, and start IP address and end IP address of the address pool used by the domain
5    IP addresses of the primary and secondary DNS servers used by the domain
6    IP addresses of the primary and secondary NBNS servers used by the domain
7    Maximum number of users allowed to access through the domain
Procedure
Step 1 Run:
system-view
A domain is created and the domain view is displayed. By default, a domain named default exists. This domain cannot be deleted but modified. ----End
1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The authentication scheme of the domain is configured. By default, the domain uses the authentication scheme named default. Step 5 Run:
authorization-scheme authorization-scheme-name
The authorization scheme of the domain is configured. By default, the domain uses the authorization scheme named default. Step 6 Run:
accounting-scheme accounting-scheme-name
The accounting scheme of the domain is configured. By default, the domain uses the accounting scheme named default. ----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The RADIUS server template of the domain is configured. By default, the RADIUS server template of the domain is null. ----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The HWTACACS server template of the domain is configured. By default, the HWTACACS server template of the domain is null. ----End
Procedure
Step 1 Run:
system-view
- Run the ip pool pool-number first-address [ last-address ] command to configure the address pool of the domain.
- Run the dhcp server ip-pool pool-name command to configure a DHCP address pool of the domain.
Step 5 Run:
dns primary-ip ip-address
Procedure
Step 1 Run:
system-view
The domain state is configured. By default, the domain is in the active state after being created. ----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The maximum number of access users allowed by the domain is configured. By default, the domain allows 6128 access users. ----End
Procedure
Step 1 Run:
system-view
Postrequisite
If a user's traffic is lower than the configured idle-data value, the user is considered idle. If the user stays idle for longer than the idle-time value, the user is cut off forcibly.
NOTE
Modifications to a domain or a server take effect only after the user logs in to the domain again.
Procedure
Step 1 Run the display domain [ domain-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the domain. ----End
Example
Run the display domain command. If information about the domain is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display domain
--------------------------------------------------------------------------------
Domain name   State    CAR   Access-limit   Online   BODCount   RetUserCount
--------------------------------------------------------------------------------
default       Active   0     6128           0        0          0
huawei        Active   0     6128           0        0          0
--------------------------------------------------------------------------------
Total 2,2 printed
CAUTION
Statistics cannot be restored after they are cleared, so confirm the action before running the command.
Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command in the user view to clear the statistics about the HWTACACS server.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command in the user view to clear the statistics about the accounting-stop packets of the HWTACACS server.
----End
CAUTION
Debugging affects system performance. After debugging, run the undo debugging all command immediately to disable it.
When a fault occurs on the RADIUS or HWTACACS server, run the following debugging commands in the user view to debug and locate the fault. For the procedure of displaying the debugging information, refer to the chapter "Maintenance and Debugging" in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the HUAWEI NetEngine5000E Core Router Command Reference.
Procedure
l Run the debugging radius packet command in the user view to debug the RADIUS packets.
l Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command in the user view to debug the HWTACACS server.
----End
1.7.1 Example for Configuring the RADIUS Authentication and Accounting For Local Users
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.
As shown in Figure 1-1, users belong to domain huawei and access the network through Router A. Router B acts as the access server of the destination network. To access the destination network, users first traverse the network between Router A and Router B and then, after passing remote authentication, access the destination network through Router B. In such a case, you can configure the remote authentication mode on Router B as follows:
l Use the RADIUS server to perform authentication and accounting for access users.
l The RADIUS server 129.7.66.66/24 acts as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.
Figure 1-1 (diagram residue only): Domain huawei; Destination network; 129.7.66.67/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template, the authentication scheme, and accounting scheme.
2. Apply the configured template and schemes in the domain.
Data Preparation
To complete the configuration task, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server
Procedure
Step 1 Configure a RADIUS server template, the authentication scheme and accounting scheme.
# Create a RADIUS server template named shiva.
[RouterA] radius-server template shiva
# Configure the IP addresses and ports of the primary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.66 1812
[RouterA-radius-shiva] radius-server accounting 129.7.66.66 1813
# Configure the IP address and ports of the secondary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[RouterA-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary
# Configure the shared key and retransmission times of the RADIUS server.
[RouterA-radius-shiva] radius-server shared-key it-is-my-secret
[RouterA-radius-shiva] radius-server retransmit 2
[RouterA-radius-shiva] quit
Step 2 Apply the RADIUS authentication scheme 1, accounting scheme 1 and the RADIUS template shiva to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme 1
[RouterA-aaa-domain-huawei] accounting-scheme 1
[RouterA-aaa-domain-huawei] radius-server shiva
Step 3 Verify the configuration. Run the display radius-server configuration template command on the router to check the RADIUS server template.
<HUAWEI> display radius-server configuration template shiva
-------------------------------------------------------------------------
Server-template-name             : shiva
Protocol-version                 : standard
Traffic-unit                     : B
Shared-secret-key                : it-is-my-secret
Timeout-interval(in second)      : 5
Primary-authentication-server    : 129.7.66.66:1812:LoopBack-1
Primary-accounting-server        : 129.7.66.66:1813:LoopBack-1
Secondary-authentication-server  : 129.7.66.67:1812:LoopBack-1
Secondary-accounting-server      : 129.7.66.67:1813:LoopBack-1
Retransmission                   : 2
EndPacketSendTime                : 0
Domain-included                  : YES
-------------------------------------------------------------------------
Run the display domain domain-name command on the router to check the configuration information about the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : default
Accounting-scheme-name          : default
Authorization-scheme-name       : default
Web-IP-address                  :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
Idle-data-attribute (time,flow) : 0, 60
User-access-limit               : 384
Online-number                   : 0
RADIUS-server-template          :
HWTACACS-server-template        :
-------------------------------------------------------------------
----End
Configuration Files
#
 radius-server template shiva
  radius-server shared-key it-is-my-secret
  radius-server authentication 129.7.66.66 1812
  radius-server authentication 129.7.66.67 1812 secondary
  radius-server accounting 129.7.66.66 1813
  radius-server accounting 129.7.66.67 1813 secondary
  radius-server retransmit 2
#
 aaa
  authentication-scheme default
  authentication-scheme 1
   authentication-mode radius
  #
  authorization-scheme default
  #
  accounting-scheme default
  accounting-scheme 1
   accounting-mode radius
  #
  domain default
1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.
As shown in Figure 1-2,
l Access users are authenticated by the local database first, and then by the HWTACACS server if the local authentication fails.
l To upgrade the level of an access user, the HWTACACS authentication mode is used first. If this mode gives no response, the local database authentication mode is used.
l Access users are configured with the HWTACACS authorization.
l Accounting is necessary for all users. Real-time accounting is enabled for all users at an interval of 3 minutes.
l The HWTACACS server with the IP address 129.7.66.66 acts as the primary server; its authentication, authorization, and accounting port numbers are all 49. The HWTACACS server with the IP address 129.7.66.67 functions as the secondary server; its default authentication, authorization, and accounting port numbers are all 49.
Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting (diagram residue only: Domain huawei; 129.7.66.67/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes in the domain.
Data Preparation
To complete the following configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server
Procedure
Step 1 Configure a HWTACACS server template.
# Create a HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht
# Configure the IP addresses and ports of the primary HWTACACS AAA server.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP addresses and ports of the secondary HWTACACS AAA server.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
# Configure an authentication scheme l-h with the authentication modes as local and hwtacacs in sequence. To upgrade the user level, configure the authentication modes as hwtacacs and super in sequence.
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit
[RouterA-aaa-author-hwtacacs] quit
# Configure an accounting scheme hwtacacs with the accounting mode as hwtacacs.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs
Step 3 Apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht
Step 4 Verify the configuration. Run the display hwtacacs-server template command on the router. You can view the HWTACACS server template.
<HUAWEI> display hwtacacs-server template ht
-------------------------------------------------------------------------
HWTACACS-server template name    : ht
Primary-authentication-server    : 129.7.66.66:49
Primary-authorization-server     : 129.7.66.66:49
Primary-accounting-server        : 129.7.66.66:49
Secondary-authentication-server  : 129.7.66.67:49
Secondary-authorization-server   : 129.7.66.67:49
Secondary-accounting-server      : 129.7.66.67:49
Current-authentication-server    : 129.7.66.66:49
Current-authorization-server     : 129.7.66.66:49
Current-accounting-server        : 129.7.66.66:49
Source-IP-address                : 0.0.0.0
Shared-key                       : it-is-my-secret
Quiet-interval (min)             : 5
Response-timeout-Interval (sec)  : 5
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------------
Run the display domain command on the router. You can view the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : l-h
Accounting-scheme-name          : hwtacacs
Authorization-scheme-name       : hwtacacs
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
User-group-name                 :
Idle-data-attribute (time,flow) : 0, 60
InstallBODCount                 : 0
ReportVSMUserCount              : 0
Value_add_service               : NONE
User-access-limit               : 6128
Online-number                   : 0
Web-IP-address                  :
Web-URL                         :
Portal-server-IP                :
Portal-URL                      :
Portal-force-times              : 2
RADIUS-server-template          :
Two-acct-template               :
HWTACACS-server-template        : ht
IP-warning-threshold            :
Max-multilist num               : 4
Multicast-profile               :
-------------------------------------------------------------------
----End
Configuration Files
#
 hwtacacs-server template ht
  hwtacacs-server authentication 129.7.66.66 49
  hwtacacs-server authentication 129.7.66.67 49 secondary
  hwtacacs-server authorization 129.7.66.66 49
  hwtacacs-server authorization 129.7.66.67 49 secondary
  hwtacacs-server accounting 129.7.66.66 49
  hwtacacs-server accounting 129.7.66.67 49 secondary
  hwtacacs-server shared-key it-is-my-secret
#
 aaa
  authentication-scheme default
  authentication-scheme l-h
   authentication-mode local hwtacacs
   authentication-super hwtacacs super
  #
  authorization-scheme default
  authorization-scheme hwtacacs
   authorization-mode hwtacacs
  #
  accounting-scheme default
  accounting-scheme hwtacacs
   accounting-mode hwtacacs
   accounting realtime 3
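The Configuration Files of 1.7.1 and 1.7.2 show the dependency that makes a domain work: a scheme whose mode is radius or hwtacacs is only usable in a domain that also binds a server template of that protocol, and the template needs a shared key and a primary server for every AAA function the schemes use. The following Python script is an added example, not Huawei code: it parses a saved configuration in the same `#`-delimited layout and reports domains that break that dependency. The configuration text, the domain lab and the finding messages are constructed for this example.

```python
import re

# Constructed sample modelled on the RADIUS and HWTACACS examples above. Domain
# "lab" is deliberately broken: template "ht" has no shared key and no primary
# accounting server, although every scheme bound to "lab" uses hwtacacs.
SAMPLE_CONFIG = """\
#
 radius-server template shiva
  radius-server shared-key it-is-my-secret
  radius-server authentication 129.7.66.66 1812
  radius-server accounting 129.7.66.66 1813
#
 hwtacacs-server template ht
  hwtacacs-server authentication 129.7.66.66 49
  hwtacacs-server authorization 129.7.66.66 49
#
 aaa
  authentication-scheme 1
   authentication-mode radius
  authentication-scheme l-h
   authentication-mode local hwtacacs
  authorization-scheme hwtacacs
   authorization-mode hwtacacs
  accounting-scheme 1
   accounting-mode radius
  accounting-scheme hwtacacs
   accounting-mode hwtacacs
  domain huawei
   authentication-scheme 1
   accounting-scheme 1
   radius-server shiva
  domain lab
   authentication-scheme l-h
   authorization-scheme hwtacacs
   accounting-scheme hwtacacs
   hwtacacs-server ht
#
return
"""

KINDS = ("authentication", "authorization", "accounting")
PROTOS = ("radius", "hwtacacs")


def parse_config(text):
    """Return (templates, schemes, domains) from a `#`-delimited configuration."""
    templates = {p: {} for p in PROTOS}   # proto -> name -> {"key": bool, "servers": set}
    schemes = {k: {} for k in KINDS}       # kind -> name -> list of modes
    domains = {}                           # name -> {kind: scheme name, proto: template}
    tmpl = scheme = domain = None          # current parsing context
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "#":           # a separator line ends every context
            tmpl = scheme = domain = None
            continue
        head = re.match(r"(radius|hwtacacs)-server template (\S+)$", raw.strip())
        kind = w[0][:-7] if w[0].endswith("-scheme") else None
        if head:
            tmpl = templates[head[1]].setdefault(head[2], {"key": False, "servers": set()})
        elif tmpl is not None and "shared-key" in w:
            tmpl["key"] = True
        elif tmpl is not None and w[1] in KINDS and "secondary" not in w:
            tmpl["servers"].add(w[1])      # primary server for this AAA function
        elif w[0] == "domain":
            domain, scheme = domains.setdefault(w[1], {}), None
        elif kind in KINDS and domain is not None:
            domain[kind] = w[1]            # scheme referenced from inside a domain
        elif kind in KINDS:
            scheme = schemes[kind].setdefault(w[1], [])   # [] = no remote mode
        elif w[0].endswith("-mode") and scheme is not None:
            scheme[:] = w[1:]              # e.g. ["local", "hwtacacs"]
        elif domain is not None and w[0] in ("radius-server", "hwtacacs-server"):
            domain[w[0][:-7]] = w[1]       # template bound to the domain
    return templates, schemes, domains


def check_domains(templates, schemes, domains):
    """Report domains whose remote-mode schemes lack a usable server template."""
    findings = []
    for dname, d in domains.items():
        needed = {p: set() for p in PROTOS}    # proto -> AAA functions it must serve
        for kind in KINDS:
            if kind not in d:
                continue
            modes = schemes[kind].get(d[kind])
            if modes is None:
                findings.append(f"domain {dname}: {kind}-scheme {d[kind]} is not defined")
                continue
            for proto in PROTOS:
                if proto in modes:
                    needed[proto].add(kind)
        for proto, funcs in needed.items():
            if not funcs:
                continue
            tmpl = templates[proto].get(d.get(proto))
            if tmpl is None:
                findings.append(f"domain {dname}: schemes use {proto} but no valid template is bound")
                continue
            if not tmpl["key"]:
                findings.append(f"domain {dname}: template {d[proto]} has no shared-key")
            for func in sorted(funcs - tmpl["servers"]):
                findings.append(f"domain {dname}: template {d[proto]} has no primary {func} server")
    return findings
```

Running `check_domains(*parse_config(SAMPLE_CONFIG))` reports nothing for domain huawei and two findings for domain lab.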
1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network
Networking Requirements
As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A, whose VPN-target attribute is 111:1. In the public network, the administrator logs in to PE2 through the console port, or through a PC, other routers, or a Telnet client. After being authorized, the administrator manages PE2, and the system events and the records of the administrator's operations on PE2 are sent to the TACACS server. Because the TACACS server is deployed in the private network, PE2 must forward HWTACACS packets based on the VPN instance.
l PE2 authenticates administrators through HWTACACS.
l PE2 authorizes administrators through HWTACACS.
l The TACACS server 160.1.1.100/24 is the primary server, with authentication port 49, authorization port 49, and accounting port 49. The TACACS server 160.1.1.101/24 is the secondary server, with authentication port 49, authorization port 49, and accounting port 49 by default.
Figure 1-3 (diagram residue only): Backbone AS100; PE2; P; CE1; CE2; Administrator; Loopback1; POS1/0/0; POS2/0/0; GE1/0/0; GE1/0/1; GE2/0/0
Interface table (fragment): Device CE1, Interface GE1/0/1, IP address 10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS IP VPN for internetworking.
2. Configure a HWTACACS server template.
3. Configure the authentication scheme and authorization scheme.
4. Apply the HWTACACS server template, the authentication scheme, and the authorization scheme.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server
Procedure
Step 1 Configure BGP/MPLS IP VPN.
Configure an IGP on the backbone network so that the PEs and P can communicate and the IP address of the CE is advertised.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
100.1.1.1 24
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface pos 1/0/0
[P-Pos1/0/0] ip address 100.1.1.2 24
[P-Pos1/0/0] quit
[P] interface pos 2/0/0
[P-Pos2/0/0] ip address 200.1.1.1 24
[P-Pos2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] ip address 200.1.1.2 24
[PE2-Pos1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
After the configuration, OSPF neighbor relationships should be set up between PE1, P, and PE2. Run the display ospf peer command to verify that the neighbor state is Full. Run the display ip routing-table command to verify that the PEs learn the routes to the Loopback1 interfaces of their peers. Take the display on PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
1.1.1.9/32          Direct  0    0      D     127.0.0.1       InLoopBack0
2.2.2.9/32          OSPF    10   3125   D     100.1.1.2       Pos1/0/0
3.3.3.9/32          OSPF    10   1563   D     100.1.1.2       Pos1/0/0
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
100.1.1.0/24        Direct  0    0      D     100.1.1.1       Pos1/0/0
100.1.1.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
100.1.1.2/32        Direct  0    0      D     100.1.1.2       Pos1/0/0
200.1.1.0/24        OSPF    10   3124   D     100.1.1.2       Pos1/0/0

[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 100.1.1.1(Pos1/0/0)'s neighbors
Router ID: 3.3.3.9        Address: 100.1.1.2       GR State: Normal
State: Full   Mode:Nbr is Master   Priority: 1
DR: None   BDR: None   MTU: 1500
Dead timer due in 38 sec
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]
Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] mpls
[PE1-Pos1/0/0] mpls ldp
[PE1-Pos1/0/0] quit
# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface pos 1/0/0
[P-Pos1/0/0] mpls
[P-Pos1/0/0] mpls ldp
[P-Pos1/0/0] quit
[P] interface pos 2/0/0
[P-Pos2/0/0] mpls
[P-Pos2/0/0] mpls ldp
[P-Pos2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] mpls
[PE2-Pos1/0/0] mpls ldp
[PE2-Pos1/0/0] quit
After the configuration, LDP sessions should be set up between PE1 and P, and between P and PE2. Run the display mpls ldp session command to verify that the Status field displays Operational. Run the display mpls ldp lsp command to check whether the LDP LSPs are set up. Take the display on PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
------------------------------------------------------------------------
Peer-ID        Status        LAM   SsnRole   SsnAge       KA-Sent/Rcv
------------------------------------------------------------------------
3.3.3.9:0      Operational   DU    Passive   000:00:01    7/7
------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode      SsnAge Unit : DDD:HH:MM

[PE1] display mpls ldp lsp
LDP LSP Information
-----------------------------------------------------------------
SN   DestAddress/Mask   In/OutLabel   Next-Hop      In/Out-Interface
-----------------------------------------------------------------
1    1.1.1.9/32         3/NULL        127.0.0.1     Pos1/0/0/InLoop0
2    2.2.2.9/32         NULL/1027     100.1.1.2     -------/Pos1/0/0
3    3.3.3.9/32         NULL/3        100.1.1.2     -------/Pos1/0/0
-----------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
Configure VPN instances on the PEs so that the CEs can access the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
After the configuration, run the display ip vpn-instance verbose command on PEs, and you can view the configurations of VPN instances. Each PE can ping its connected CE.
When a PE has multiple interfaces bound to the same VPN, you must specify the source IP address (the -a source-ip-address parameter) when running the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping may fail.
Set up EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE to verify that the BGP peer relationship between the PE and its connected CE is in the Established state. Take the peer relationship between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1          Peers in established state : 1
Peer        V   AS      MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
10.1.1.2    4   65410   11        9         0      00:06:37   Established   1
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on a PE, and you can view that the BGP peer relationship between PEs is in the Established state.
[PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1          Peers in established state : 1
Peer        V   AS      MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
2.2.2.9     4   100     2         6         0      00:00:12   Established   0

[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2          Peers in established state : 2
Peer        V   AS      MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
2.2.2.9     4   100     12        18        0      00:09:38   Established   0
Peer of vpn instance:
vpn instance vpna :
10.1.1.2    4   65410   25        25        0      00:17:57   Established   1
Step 2 Configure a HWTACACS server template on PE2.
# Configure the HWTACACS server template ht.
<PE2> system-view
[PE2] hwtacacs-server template ht
# Configure the IP address and ports of the primary HWTACACS authentication, authorization, and accounting servers, and bind the VPN instances to these servers.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna
# Configure the IP address and ports of the secondary HWTACACS authentication, authorization, and accounting servers, and bind the VPN instances to these servers.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.101 49 vpn-instance vpna secondary
Step 3 Configure the authentication scheme, the authorization scheme, and the accounting scheme.
# Enter the AAA view.
# Configure the authentication scheme l-h with the authentication mode as HWTACACS.
[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit
# Configure the authorization scheme hwtacacs with the authorization mode as HWTACACS.
[PE2-aaa] authorization-scheme hwtacacs
[PE2-aaa-author-hwtacacs] authorization-mode hwtacacs
[PE2-aaa-author-hwtacacs] quit
Step 4 Configure the huawei domain. Use the l-h authentication scheme, the HWTACACS authorization scheme, the HWTACACS accounting scheme, and the ht HWTACACS template in the domain.
[PE2-aaa] domain huawei
[PE2-aaa-domain-huawei] authentication-scheme l-h
[PE2-aaa-domain-huawei] authorization-scheme hwtacacs
[PE2-aaa-domain-huawei] hwtacacs-server ht
[PE2-aaa-domain-huawei] quit
[PE2-aaa] quit
Step 5 Verify the configuration.
Run the display hwtacacs-server template command on the router to check whether the configuration of the HWTACACS server template matches the requirements.
<PE2> display hwtacacs-server template ht
-------------------------------------------------------------------------
HWTACACS-server template name    : ht
Primary-authentication-server    : 160.1.1.100:49:vpna
Primary-authorization-server     : 160.1.1.100:49:vpna
Primary-accounting-server        : 0.0.0.0:0:
Secondary-authentication-server  : 160.1.1.101:49:vpna
Secondary-authorization-server   : 160.1.1.101:49:vpna
Secondary-accounting-server      : 0.0.0.0:0:
Current-authentication-server    : 160.1.1.100:49:vpna
Current-authorization-server     : 160.1.1.100:49:vpna
Current-accounting-server        : 0.0.0.0:0:
Source-IP-address                : 0.0.0.0
Shared-key                       : it-is-my-secret
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
--------------------------------------------------------------------------
After running the display domain command on the router, you can check whether the configuration of the domain matches the requirements.
<PE2> display domain huawei
------------------------------------------------------------------
Domain-name                  : huawei
Domain-state                 : Active
Authentication-scheme-name   : l-h
Accounting-scheme-name       : default
Authorization-scheme-name    : hwtacacs
User-CAR                     :
Web-IP-address               :
Next-hop                     :
Primary-DNS-IP-address       :
Second-DNS-IP-address        :
Primary-NBNS-IP-address      :
Second-NBNS-IP-address       :
Acl-number                   : -
----End
Configuration Files
l Configuration file of P
#
 sysname P

l Configuration file of PE2 (fragment)
  peer 1.1.1.9 as-number 100
  peer 1.1.1.9 connect-interface LoopBack1
  #
  ipv4-family unicast
   undo synchronization
   peer 1.1.1.9 enable
  #
  ipv4-family vpnv4
   policy vpn-target
   peer 1.1.1.9 enable
  #
  ipv4-family vpn-instance vpna
   peer 10.2.1.1 as-number 65430
   import-route direct
#
 aaa
  authentication-scheme default
  authentication-scheme l-h
   authentication-mode hwtacacs
  #
  authorization-scheme default
  authorization-scheme hwtacacs
   authorization-mode hwtacacs
  #
  accounting-scheme default
  #
  domain default
  domain huawei
   authentication-scheme l-h
   authorization-scheme hwtacacs
   hwtacacs-server ht
#
 ospf 1
  area 0.0.0.0
   network 200.1.1.0 0.0.0.255
   network 2.2.2.9 0.0.0.0
#
return
2
About This Chapter
This chapter describes the types of security that the NE5000E supports, and the configuration and applications of ARP security, along with typical examples.
2.1 Overview to ARP Security
This section describes the principles and concepts of ARP security features.
2.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.
2.3 Maintaining the ARP Security
This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.
2.4 Configuration Examples
This section provides several configuration examples of ARP security features.
Space-based attacks exploit the finite ARP buffer of a router. The attacker sends a large number of illegitimate ARP request and response messages to the router. As a result, the ARP buffer overflows and normal ARP entries cannot be buffered, so normal forwarding is interrupted.
Time-based attacks exploit the finite processing capability of a router. The attacker sends a large number of simulated ARP requests, responses, or other packets that trigger the router to perform ARP processing. As a result, the computing resources of the router are occupied by ARP processing for a long period and other services cannot be processed, so normal forwarding is interrupted.
l Netcut: A Netcut sends unicast ARP requests to a gateway and updates the ARP buffer of the gateway with an incorrect MAC address for a host, thereby attacking that host.
l NetRobocop: A NetRobocop sends incorrect unicast ARP responses to a host to provide an incorrect gateway address to the host. The gateway can hardly detect these unicast ARP responses.
The ARP security, a feature based on ARP, can prevent ARP-oriented attacks and ARP-based network scanning attacks through the following measures:
l Filtering out untrusted ARP packets
l Performing timestamp suppression to some ARP packets
l Filtering out illegal ARP packets
l Performing dynamic Committed Access Rate (CAR) to the packets sent to a CPU

l Configuring strict ARP entry learning in the system view or the interface view
l Configuring speed limit for ARP packets on the interface
l Setting the maximum number of the ARP entries that the interface can learn

l Layer 3 Ethernet interfaces and their sub-interfaces
l Eth-Trunk interfaces and their sub-interfaces
Timestamp-based Scanning-Proof
The timestamp-based scanning-proof function identifies a scanning attack in time and, when one occurs, suppresses the processing of the requests generated by the scanning, regardless of whether it is an ARP scanning attack or an IP scanning attack. In this way, the CPU is protected from the attack. The NE5000E supports timestamp suppression of ARP packets based on the destination IP address: ARP packets are discarded if their number exceeds the configured threshold within a certain period.
To prevent attacks on ARP entries, you can configure strict ARP entry learning, speed limit for ARP packets, and interface-based ARP entry restriction separately or in combination. Configuring strict ARP entry learning is not recommended, because the restriction on ARP packets is so strict that some useful ARP entries cannot be learnt. To implement a similar function, deploy ARP bidirectional isolation.
Pre-configuration Task
Before configuring the task of preventing attacks on ARP entries, complete the following tasks:
l Configuring the link layer parameters and the IP address of the interface so that the link layer status of the interface is Up
Data Preparation
To prevent attacks on ARP entries, you need the following data.
No.   Data
1     Timestamp suppression rate
Procedure
Step 1 Run:
system-view
Global strict ARP entry learning is configured. By default, strict ARP learning is disabled. After the arp learning strict command is run, the router learns only the ARP reply packets that answer ARP request packets it sent itself.
----End
Context
Do as follows on the router whose ARP entries are to be prevented from being attacked:
Procedure
Step 1 Run:
system-view
The interface view is displayed. The NE5000E supports strict ARP entry learning on the following interfaces:
l Ethernet interfaces and their sub-interfaces
l Eth-trunk interfaces and their sub-interfaces
Step 3 Run:
arp learning strict { force-enable | force-disable | trust }
l If the key word force-enable is selected, the router learns on this interface only the ARP reply packets that answer ARP request packets it sent itself.
l If the key word force-disable is selected, strict ARP entry learning on the interface is disabled.
l If the key word trust is specified, the interface-level setting is cleared and the router adopts the strict ARP entry learning policy configured globally.
If strict ARP entry learning is configured both on the interface and globally, the interface configuration takes precedence. If it is not configured on the interface, the global strict ARP entry learning configuration takes effect.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The NE5000E supports the check of the destination IP address of ARP packets on the following interfaces:
- Ethernet interfaces and sub-interfaces
- GE interfaces and sub-interfaces
- Eth-Trunk interfaces and sub-interfaces
Step 3 Run:
arp check-destination-ip enable
The check of the destination IP address of ARP packets is enabled. The arp check-destination-ip enable command protects the CPU: after it is run, the system checks whether the destination IP address of each ARP packet received on the interface is correct. Packets with a correct destination IP address are sent to the CPU; the others are discarded.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
- Layer 3 Ethernet interfaces and sub-interfaces
- Layer 3 GE interfaces and sub-interfaces
- Layer 3 Eth-Trunk interfaces and sub-interfaces
Step 3 Run:
arp-limit maximum maximum
Interface-based ARP entry restriction is configured. If, when the command is run, the number of ARP entries already learnt on the interface exceeds the configured maximum, the existing entries are kept (their number is not reduced to the limit), but no new ARP entries are learnt.
----End
Procedure
- Run the display arp speed-limit destination-ip [ slot slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the limited speed of ARP packets.
- Run the display arp-limit [ interface interface-type interface-number ] command to check the limited number of ARP entries on the interface.
----End
Example
Run the display arp speed-limit destination-ip [ slot slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the timestamp suppression rate configured for ARP packets. For example:
<HUAWEI> display arp speed-limit destination-ip slot 3
Slot   SuppressType   SuppressValue
--------------------------------------------------
3      ARP            500
Run the display arp-limit [ interface interface-type interface-number ] command to check the limited number of ARP entries configured on the interface.
<HUAWEI> display arp-limit
interface      LimitNum   VlanID   LearnedNum(Mainboard)
--------------------------------------------------------------------------
Eth-Trunk0     100        124      0
Eth-Trunk0     100        125      0
Example
Run the display arp packet statistics [ slot slot-id ] command to check the statistics about ARP packets. For example:
<HUAWEI> display arp packet statistics
ARP Pkt Received:                      sum 23
ARP-Miss Msg Received:                 sum 0
ARP Learnned Count:                    sum 8
ARP Pkt Discard For Limit:             sum 5
ARP Pkt Discard For SpeedLimit:        sum 0
ARP Pkt Discard For Other:             sum 10
ARP-Miss Msg Discard For SpeedLimit:   sum
ARP-Miss Msg Discard For Other:        sum 0
CAUTION
Statistics about ARP packets cannot be restored after you clear them. Confirm the action before you use the command.
Procedure
- Run the reset arp packet statistic [ slot slot-id ] command in the user view to clear statistics about ARP packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately. For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the NE5000E Core Router Command Reference.
Procedure
- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packet processing.
----End
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.
As shown in Figure 2-1, a carrier accesses the core network through two routers. ARP security features need to be configured on the two routers to prevent the devices attached to the routers from attacking ARP entries.
Figure 2-1 Networking diagram of preventing attacks on ARP entries
[Figure 2-1: RouterA and RouterB connected to the core network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP entry learning.
2. Configure speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.
Data Preparations
To complete the configuration, you need the following data:
- Timestamp suppression rate of ARP packets and slot numbers
- Limited number of ARP entries
Procedure
Step 1 Configure strict ARP entry learning.
<RouterA> system-view
[RouterA] arp learning strict
Step 2 Configure destination-based speed limit for ARP packets on each slot of the attached device. The speed is limited to 50 packets per second. Take slot 1 as an example.
Step 3 Restrict the number of ARP entries on each interface of the attached device to 20. Take GE 1/0/0 as an example.
[RouterA] interface Gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] arp-limit maximum 20
[RouterA-GigabitEthernet1/0/0] quit
Step 4 Verify the configuration. Use a packet-sending tool to send ARP request packets to Router A and then run the display arp all command on Router A. You can find that the ARP request packets actively sent to Router A are not learnt by Router A.
<RouterA> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE  VLAN/CEVLAN  PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I    GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0  GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0  GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0  GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0  GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0  GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0  GE0/0/0
32.1.1.1        0088-0010-000a            I    GE3/0/9
24.1.1.1        0088-0010-0009            I    GE3/0/8
10.1.1.1        0088-0010-0003            I    GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3  GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0    Interface:4
Run the display arp speed-limit command on routers. You can view the limited speed.
<RouterA> display arp speed-limit destination-ip slot 1
Slot   SuppressType   SuppressValue
--------------------------------------------------
1      ARP            50
Run the display arp packet statistics command on routers. You can view the number of the discarded ARP packets and the learnt ARP entries.
<RouterA> display arp packet statistics
ARP Pkt Received:                      sum 23
ARP-Miss Msg Received:                 sum 0
ARP Learnned Count:                    sum 8
ARP Pkt Discard For Limit:             sum 5
ARP Pkt Discard For SpeedLimit:        sum 0
ARP Pkt Discard For Other:             sum 10
ARP-Miss Msg Discard For SpeedLimit:   sum
ARP-Miss Msg Discard For Other:        sum 0
----End
Configuration Files
The configuration file of Router A is as follows:
#
 sysname RouterA
#
 arp learning strict
 arp speed-limit destination-ip maximum 50 slot 1
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
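As an added model (not Huawei code), the following Python applies the three protections in Router A's configuration file (strict learning, 50 ARP packets per second on slot 1, at most 20 entries on GE 1/0/0) to a constructed ARP burst and accumulates counters named after the fields of display arp packet statistics. The one-second suppression window, the pending-request set and the packet fields are modelling assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str   # IP address the packet would create an ARP entry for
    sender_mac: str
    interface: str   # interface the packet arrived on
    slot: int        # LPU slot of that interface
    ts: float        # arrival time in seconds (constructed)


class ArpSecurity:
    """Models arp learning strict, arp speed-limit destination-ip and arp-limit maximum."""

    def __init__(self, strict, speed_limit, arp_limit):
        self.strict = strict              # arp learning strict (global)
        self.speed_limit = speed_limit    # slot -> ARP packets per second
        self.arp_limit = arp_limit        # interface -> maximum ARP entries
        self.table = {}                   # ip -> (mac, interface)
        self.pending = set()              # IPs the router itself has requested
        self.window = {}                  # slot -> (window start, packets seen)
        self.stats = defaultdict(int)     # counters named after display arp packet statistics

    def send_request(self, ip):
        """The router originates an ARP request; strict learning accepts only its reply."""
        self.pending.add(ip)

    def _over_speed_limit(self, pkt):
        limit = self.speed_limit.get(pkt.slot)
        if limit is None:
            return False
        start, count = self.window.get(pkt.slot, (pkt.ts, 0))
        if pkt.ts - start >= 1.0:         # assumption: a one-second suppression period
            start, count = pkt.ts, 0
        count += 1
        self.window[pkt.slot] = (start, count)
        return count > limit

    def receive(self, pkt):
        self.stats["ARP Pkt Received"] += 1
        if self._over_speed_limit(pkt):
            self.stats["ARP Pkt Discard For SpeedLimit"] += 1
            return "discard-speedlimit"
        if self.strict:
            # Strict learning: only replies to requests the router sent itself are learnt.
            if pkt.op != "reply" or pkt.sender_ip not in self.pending:
                self.stats["ARP Pkt Discard For Other"] += 1
                return "discard-strict"
            self.pending.discard(pkt.sender_ip)
        if pkt.sender_ip not in self.table:
            limit = self.arp_limit.get(pkt.interface)
            learnt_here = sum(1 for _, ifc in self.table.values() if ifc == pkt.interface)
            if limit is not None and learnt_here >= limit:
                self.stats["ARP Pkt Discard For Limit"] += 1
                return "discard-limit"
            self.stats["ARP Learnned Count"] += 1   # spelling follows the device output
        self.table[pkt.sender_ip] = (pkt.sender_mac, pkt.interface)
        return "learned"


def run_demo():
    """Applies Router A's settings (50 pps on slot 1, 20 entries on GE 1/0/0) to constructed traffic."""
    ge = "GigabitEthernet1/0/0"
    r = ArpSecurity(strict=True, speed_limit={1: 50}, arp_limit={ge: 20})
    # Constructed scan: 60 unsolicited ARP requests from distinct hosts within one second.
    for n in range(60):
        r.receive(ArpPacket("request", f"10.1.1.{100 + n}", f"0000-0000-{n:04x}", ge, 1, n * 0.01))
    # Two seconds later the router resolves 25 hosts itself and receives their replies.
    for n in range(25):
        ip = f"10.1.1.{n + 1}"
        r.send_request(ip)
        r.receive(ArpPacket("reply", ip, f"00e0-fc00-{n:04x}", ge, 1, 2.0 + n * 0.01))
    return dict(r.stats), r.table


if __name__ == "__main__":
    stats, table = run_demo()
    for name, value in stats.items():
        print(f"{name}: sum {value}")
    print(f"entries learnt on GE 1/0/0: {len(table)}")
```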
3 URPF Configuration

About This Chapter

This chapter describes how to configure URPF.
3.1 Overview to URPF
This section describes the basic concepts of Unicast Reverse Path Forwarding (URPF).
3.2 Configuring URPF
This section describes the method for configuring URPF.
3.3 Maintaining the URPF
This section describes how to clear the statistics on URPF.
3.4 Configuration Example
This section provides a configuration example of URPF.
[Figure: RouterA (1.1.1.1/24), RouterB, RouterC (2.1.1.1/24)]
Router A generates a packet with the forged source IP address 2.1.1.1 and sends the packet to Router B. Router B sends a response packet to Router C, whose IP address actually is 2.1.1.1. In this way, Router A attacks both Router B and Router C by sending the illegal packet. URPF can be applied on the upstream inbound interfaces of the router, in two application environments: single-homed client and multi-homed client.
- Single-homed client
  Figure 3-2 shows the connection between the client and the aggregation router of the ISP. Enable URPF on GE 1/0/0 of the ISP router to protect the router and the Internet from source address spoofing attacks launched from the client network.
  [Figure 3-2: ISP aggregation router with URPF on GE1/0/0; source address 169.1.1.1/24; GE2/0/0; GE3/0/0; 169.1.1.1/24]
- Multi-homed client
  URPF can be applied when multiple connections are set up between the client and the ISP, as shown in Figure 3-3. For URPF to work correctly, a packet from the client to a host on the Internet must pass through the same link (between the client and the ISP router) as the packet from that host back to the client; that is, route symmetry must be ensured. Otherwise, URPF discards some legitimate packets because of mismatched interfaces.
  Figure 3-3 Application environment of the URPF multi-homed client
  [Figure 3-3: Enterprise RouterA and RouterB connected to ISP RouterC; URPF on the ISP side; packet path and route path shown]
- Multi-homed client and multiple ISPs
  URPF can be applied when a client is connected to multiple ISPs, as shown in Figure 3-4. In such a case, route symmetry must also be ensured. URPF applied in the scenario where a client is connected to multiple ISPs has the following features:
  - If route symmetry cannot be ensured, you can use loose detection: as long as a route to the source address exists, the packet can pass.
  - The routers of users may only have a default route to the router of an ISP. Therefore, matching the default route entry should be supported.
  - As the security system on the ingress, URPF performs better than a traditional firewall.
  [Figure 3-4: Enterprise RouterC connected to ISP RouterA and RouterB; URPF on both ISP routers]
Pre-configuration Tasks
Before configuring URPF, complete the following tasks:
- Configuring the link attributes of the interface
- Configuring an IP address for the interface
Data Preparations
To configure URPF, you need the following data.
No.   Data
1     Number of the interface where URPF is to be enabled
Procedure
Step 1 Run:
system-view
The URPF loose check is enabled on the LPU. In loose mode, a packet passes the URPF check as long as the forwarding table contains an entry for its source address; the interface that actually receives the packet need not match the interface in that entry.
NOTE
If only LPU-based URPF is configured, all the interfaces on this LPU use the URPF configuration of the LPU to perform the check. If interface-based URPF is also configured, those interfaces use their own URPF configuration to perform the check.
----End
Procedure
Step 1 Run:
system-view
The interface supporting the URPF check can be an Ethernet interface, an Ethernet sub-interface, a GigabitEthernet interface, a GigabitEthernet sub-interface, an Eth-Trunk interface, an Eth-Trunk sub-interface, an IP-Trunk interface, or a POS interface.
Step 3 Run:
ip urpf { loose | strict } [ allow-default ]
URPF is enabled on the interface. If loose is selected, the URPF loose check is performed: the packet passes the URPF check as long as the forwarding table contains an entry for its source address, and the inbound interface need not match that entry. If strict is selected, the URPF strict check is performed: the packet passes the URPF check only when the forwarding table contains an entry for its source address and the outbound interface of that entry matches the interface on which the packet was received.
----End
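The following Python is an added illustration (not Huawei code) of the loose and strict checks just described, run against a constructed forwarding table for Router B in the overview topology (Router A behind GE 1/0/0, Router C behind GE 2/0/0, a default route towards the core). The FIB structure, the interface names and the sample source addresses are assumptions; allow-default is modelled as letting a default-route match count as a route to the source.

```python
import ipaddress


class Fib:
    """Minimal forwarding table with longest-prefix match (constructed, not the router's FIB)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), out_if) for prefix, out_if in routes]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, out_if in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best


def urpf_check(fib, src, in_if, mode, allow_default=False):
    """Return (passed, reason) for a packet with source src received on in_if."""
    entry = fib.lookup(src)
    if entry is None:
        return False, "no route to the source address"
    net, out_if = entry
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches and allow-default is not set"
    if mode == "loose":
        return True, f"route to source exists via {out_if}"
    if mode == "strict":
        if out_if == in_if:
            return True, "route to source points back to the inbound interface"
        return False, f"route to source points to {out_if}, packet arrived on {in_if}"
    raise ValueError("mode must be 'loose' or 'strict'")


# Router B (constructed): Router A behind GE 1/0/0, Router C behind GE 2/0/0,
# everything else reachable only through a default route towards the core.
ROUTER_B_FIB = Fib([
    ("1.1.1.0/24", "GigabitEthernet1/0/0"),
    ("2.1.1.0/24", "GigabitEthernet2/0/0"),
    ("0.0.0.0/0", "GigabitEthernet3/0/0"),
])


def run_cases():
    """Spoofed, legitimate and default-route-only sources under each mode; returns {case: passed}."""
    ge1 = "GigabitEthernet1/0/0"
    cases = {
        # Router A forges Router C's address 2.1.1.1 and sends on GE 1/0/0.
        "spoofed 2.1.1.1 strict": urpf_check(ROUTER_B_FIB, "2.1.1.1", ge1, "strict"),
        "spoofed 2.1.1.1 loose": urpf_check(ROUTER_B_FIB, "2.1.1.1", ge1, "loose"),
        # Legitimate traffic from Router A's own network.
        "own 1.1.1.1 strict": urpf_check(ROUTER_B_FIB, "1.1.1.1", ge1, "strict"),
        # Source covered only by the default route (the multi-ISP client case).
        "default-only loose": urpf_check(ROUTER_B_FIB, "9.9.9.9", ge1, "loose"),
        "default-only loose allow-default": urpf_check(ROUTER_B_FIB, "9.9.9.9", ge1, "loose", True),
    }
    return {name: passed for name, (passed, _) in cases.items()}


if __name__ == "__main__":
    for name, passed in run_cases().items():
        print(f"{name:36s} {'pass' if passed else 'discard'}")
```

Note that loose mode still admits the 2.1.1.1 spoof because a route to that prefix exists; only strict mode catches the interface mismatch.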
Procedure
- Defining a traffic class
1. Run:
system-view
The traffic class is defined and its view is displayed.
3. Perform the following as required.
- Run the if-match acl acl-number command to set the ACL-based rule.
- Run the if-match dscp dscp-value command to set the DSCP-based rule.
- Run the if-match tcp syn-flag tcpflag-value command to set the TCP-flag-based rule.
- Run the if-match source-mac mac-address command to set the rule based on the source MAC address of the packet.
- Run the if-match destination-mac mac-address command to set the rule based on the destination MAC address of the packet.
- Run the if-match ip-precedence ip-precedence command to set the rule based on the IP precedence of the packet.
- Run the if-match any command to set the rule matching all packets.
1. Run:
system-view
Enable the URPF.
- Defining a traffic policy and associating the traffic class with the traffic behavior
1. Run:
system-view
The traffic class is associated with the traffic behavior in the traffic policy.
- Applying the traffic policy
1. Run:
system-view
The interface view is displayed. The observing port of the LPU where the interface resides must be already configured.
3. Run:
traffic-policy policy-name { inbound | outbound }
The statistics on the packets discarded through URPF check on an LPU are displayed.
----End
Example
After the configuration is complete, run the display ip urpf discard statistics [ slot slot-id ] command to view statistics on the packets discarded through URPF check on an LPU. For example, run the display ip urpf discard statistics command to view statistics on the packets discarded by URPF check on all LPUs of the router.
<HUAWEI> display ip urpf discard statistics
slot      Discard-packets
------------------------------------------------------------------------------------------------------
1         0
2         0
3         300
5         160
3.3.1 Resetting the Statistics of URPF
Context
CAUTION
Once the statistics of the packets discarded through URPF check are cleared, they cannot be restored. Confirm the action before you use the command.
Procedure
Step 1 Run:
reset ip urpf discard statistics [ slot slot-id ]
The statistics of the packets discarded through URPF check are cleared.
----End
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.
In this example, URPF is enabled on the inbound interface of the ISP. As shown in Figure 3-5, the client Router A connects to Router B (a router in the ISP network). Enable URPF on GE 1/0/0 of Router B, configure the URPF strict check on Router B, and allow packets whose source IP address matches ACL 2010 to pass the check unconditionally. Enable URPF on GE 1/0/0 of Router A and configure the URPF strict check.
Figure 3-5 Networking diagram of configuring URPF
[Figure 3-5: Router A (client, 10.1.1.0/24) connected to Router B (ISP)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a traffic policy on the router in the ISP network, allowing the traffic from the specified network segment to pass the URPF check.
2. Configure an IP address for the interface on Router A and enable URPF on the interface.
Data Preparations
To configure URPF, you need the following data:
- IP address of each interface
- Network segments that can pass the URPF check
Procedure
Step 1 Configure Router B.
# Configure ACL 2010, allowing the traffic from the network segment 10.1.1.0/24 to pass the URPF check.
<RouterB> system-view
[RouterB] acl number 2010
[RouterB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-basic-2010] quit
# Define a traffic policy and associate the traffic class and the traffic behavior.
[RouterB] traffic policy policy1
[RouterB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[RouterB-trafficpolicy-policy1] quit
----End
Configuration Files
Local URPF
The local URPF function checks only the packets to be sent to the CPU, thereby preventing excessive packets from being forwarded to the CPU and ensuring the ideal system performance of the router.
CAR
The Committed Access Rate (CAR) function is used to check the packets to be sent to the CPU based on the Generalized TTL Security Mechanism (GTSM). If the packets pass the GTSM check, the router takes mapped CAR actions by matching them with the whitelist, blacklist, and user-defined flow in order. In this manner, invalid packets can be filtered and the transmission rate of the packets is limited, thereby ensuring the processing of normal services.
When a packet is shorter than the preset minimum packet length, the system calculates its transmission rate as if it had the preset minimum length. When a packet is longer than the preset minimum packet length, the system calculates its transmission rate with the actual packet length.
the LPU. For the features that are not configured by the user, the configurations in the default attack defense policy are adopted.
By default, a router processes the packets to be sent to the CPU in the following steps:
1. After receiving packets, the router first performs the URPF check. If the packets pass the URPF check, the router continues to send them to the CPU.
2. The router then checks the packets to be sent to the CPU through TCP/IP attack defense. If the packets pass the TCP/IP attack defense check, the router continues to send them to the CPU.
3. The router performs the GTSM check on the packets to be sent to the CPU. It continues to send only the packets that have passed the GTSM check.
4. For the packets passing the GTSM check, the router classifies them based on ACL rules and matches them with the whitelist, blacklist, and user-defined flows in order. If the packets match the whitelist, the router continues to send the packets; otherwise, the router matches them with the blacklist. If the packets match the blacklist, the router processes them based on the rules defined in the blacklist; if the packets do not match the blacklist, the router matches them with the user-defined flows. If the packets match the user-defined flows, the router processes them based on the rules defined in the user-defined flows. If the packets do not match any rule, the router directly sends them to the CPU.
5. The router processes the received packets based on CAR to limit the transmission rate and bandwidth of the packets to be sent to the CPU.
6. The router checks the received packets based on application layer association. It sends only the packets for the enabled protocols.
7. The non-management interfaces directly discard the management packets.
8. The attack source tracing function records the discarded packets for problem location and analysis. In addition, users can also enable alarming for packet discarding. When the number of discarded packets exceeds the preset alarm threshold, the router generates an alarm and sends a trap message to the Network Management Station (NMS).
In the application of local attack defense, note that:
- Configuring attack defense policies is a prerequisite for configuring the local attack defense function (including mechanisms such as CAR, attack defense tracing, and application layer association). In other words, the local attack defense function can be configured only after an attack defense policy is configured. An attack defense policy takes effect only when it is applied to an LPU, and only one attack defense policy can be applied to an LPU.
- The enablement of local attack defense on the NE5000E does not degrade data forwarding performance.
4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding
This section describes how to configure attack defense tracing and enable alarming for packet discarding.
4.2.1 Establishing the Configuration Task
4.2.2 Creating the Attack Defense Policy
4.2.3 Enabling Attack Source Tracing
4.2.4 Configuring Attack Source Tracing
4.2.5 Configuring the Alarm on Rate for Discarding Packets
4.2.6 Applying the Attack Defense Policy
4.2.7 Checking the Configuration
- Using the attack-source-trace enable command, you can enable attack source tracing.
- Using the undo attack-source-trace enable command, you can disable attack source tracing. By default, attack source tracing is enabled and the router records the packets discarded by the various attack defense features, based on the configured packet sampling ratio and packet length.
Pre-configuration Tasks
Before configuring attack defense tracing and enabling alarming for packet discarding, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.
Data Preparation
To configure attack defense tracing and enable alarming for packet discarding, you need the following data.
No.   Data
1     Sampling ratio of the packets recorded by attack source tracing
2     Length of the packets recorded by attack source tracing
3     File name for saving information about attack source tracing
4     Alarm threshold and interval for checking the number of discarded packets
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Attack defense tracing is enabled for a certain local attack defense feature. By default, attack source tracing is enabled to record the packets discarded according to each local attack defense feature.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The sampling ratio of the packets recorded by attack source tracing is set. By default, the sampling ratio is 100.
Step 4 Run:
attack-source-trace packet-length packet-length
The length of the packets recorded by attack source tracing is set. By default, the length of the packets is 150 bytes.
Step 5 Run:
save attack-source-trace slot { slot-id | all } [ file file-name ] format ethereal linktype { cisco_hdlc | ethernet | ppp }
Information about attack source tracing is saved as a file in the memory of an LPU.
----End
Procedure
Step 1 Run:
system-view
The alarming function for discarding the packets to be sent to the CPU is enabled.
Step 4 Run:
alarm drop-rate { application-apperceive | blacklist | index index | ma-defend | tcpip-defend | total-packet | urpf | user-defined-flow flow-id | whitelist } { threshold threshold-value | interval interval-value } *
Step 5 The alarm threshold for discarding the packets to be sent to the CPU is set.
----End
Procedure
Step 1 Run:
system-view
The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy fails.
----End
- Run the following commands to check detailed information about attack source tracing.
  display attack-source-trace slot { slot-id | all } verbose [ { attack-type { application-apperceive | car | tcpip-defend | urpf | ma-defend } } | { destination-mac destination-mac-address destination-mac-wildcard } | { destination destination-address destination-wildcard } | { destination-port dest-port-number } | { protocol-number protocol-number } | { source-mac source-mac-address source-mac-wildcard } | { source source-address source-wildcard } | { source-port source-port-number } | { time-range from start-time start-date [ to end-time end-date ] } | { vlan vlan-id } ] *
  display attack-source-trace file file-name verbose [ { destination-mac destination-mac-address destination-mac-wildcard } | { destination destination-address destination-wildcard } | { destination-port dest-port-number } | { protocol-number protocol-number } | { source-mac source-mac-address source-mac-wildcard } | { source source-address source-wildcard } | { source-port source-port-number } | { time-range from start-time start-date [ to end-time end-date ] } | { vlan vlan-id } ] *
- Run the following commands to check brief information about attack source tracing.
  display attack-source-trace file file-name brief [ { source source-address source-wildcard } | { destination destination-address destination-wildcard } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } ] *
  display attack-source-trace { slot { slot-id | all } | file file-name } brief [ { source source-address source-wildcard } | { destination destination-address destination-wildcard } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { attack-type { application-apperceive | car | tcpip-defend | urpf | ma-defend } } ] *
- Run the display attack-source-trace slot { slot-id | all } original-information command to check original information about attack source tracing on the LPU.
----End
Example
Run the display attack-source-trace slot 1 verbose command. If the LPU in slot 1 has saved detailed information about attack packets, it means that attack source tracing functions normally.
<HUAWEI> display attack-source-trace slot 1 verbose
---------------------------------
Record number : 30 packets
---------------------------------
NO1. packet info
interface name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : urpf
Attacted Pack Time : 2006-12-31 15:30:20
Ethernet II
  Dest : FFFF-FFFF-FFFF
  Sour : 0000-0101-0102
  Type : (0x0800)IP
MPLS
  Label : 888
IP
  Vers : 4
  Head len : 20 bytes
  DS : 0x00
  Total len : 86
  ID : 0x00
  Flags : 0x00
  Frag offset : 0
  TTL : 64
  Protocol : 0x06(TCP)
  Head checks : 0x0000
  Sour : 1.1.1.1
  Dest : 222.2.45.7
TCP
  SourPort : 0
  DestPort : 21
  Sequence Num : 0
  Next Seq Num : 46
  Head length : 20
  Flags : 0x0000
  Win size : 0
Run the display attack-source-trace slot 1 brief command, and you can view brief information about attack packets saved on the LPU in slot 1.
<HUAWEI> display attack-source-trace slot 1 brief
---------------------------------
Record number:30 packets
---------------------------------
NO1. packet info
port name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : URPF
Attacted Pack Time : 2006-12-31 15:30:20
Source ip : 1.1.1.1
Destination ip : 222.2.45.7
Source port number : 0
destination port number : 21
protocol number : 0x06(TCP)
Attack Trace Data : FF FF FF FF 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01
----------------------------------
Run the display attack-source-trace slot 3 original-information command, and you can view the original information about attack packets saved on the router.
<HUAWEI> display attack-source-trace slot 3 original-information
No 1 packet Info:
Interface Name : GigabitEthernet3/0/2
Vlanid : 0
Attack Type : Application apperceive
Attack Pack Time : 2002-10-04 11:13:59
Attack Source Data:
01 00 5e 00 00 09 00 05 00 05 00 05 08 00 45 c0 00 34 08 32 00 ac ac 10 01 02 e0 00 00 09 02 08 02 08 00 20 c0 6b 02 02 00 00 ac 10 01 00 ff ff ff 00 00 00 00 00 00 00 00
---------------------------------
No 2 packet Info:
Interface Name : GigabitEthernet3/0/2
Vlanid : 0
Attack Type : Application apperceive
Attack Pack Time : 2002-10-04 10:24:33
Attack Source Data:
01 00 5e 00 00 09 00 05 00 05 00 05 08 00 45 c0 00 34 03 f8 00 e6 ac 10 01 02 e0 00 00 09 02 08 02 08 00 20 c0 6b 02 02 00 00 ac 10 01 00 ff ff ff 00 00 00 00 00 00 00 00
----------------------------------
Pre-configuration Task
Before configuring local URPF, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
Data Preparation
None.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy fails.
----End
Example
Run the display cpu-defend urpf statistics command, and you can view the statistics of local URPF.
<HUAWEI> display cpu-defend urpf statistics
Slot   Attack-Type   Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
3      URPF          0               0                0
Slot   Attack-Type   Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
4      URPF          0               0                0
Slot   Attack-Type   Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
6      URPF          0               0                0
Pre-configuration Task
Before configuring the defense against TCP/IP attacks, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
Data Preparation
None.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Defense against UDP packet attacks is enabled. By default, defense against UDP packet attacks is enabled.
----End
Procedure
Step 1 Run:
system-view
Defense against malformed packet attacks is enabled. By default, defense against malformed packet attacks is enabled.
----End
Procedure
Step 1 Run:
system-view
The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy fails.
----End
Example
Run the display cpu-defend tcpip-defend statistics command, and you can view the statistics on TCP/IP attack defense.
<HUAWEI> display cpu-defend tcpip-defend statistics
Slot   Attack-Type       Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
3      Tcpip-defend      0               0                0
--------------------------------------------------------------------------------
       Abnormal-packet   0               0                0
       Fragment-packet   0               0                0
       Tcpsyn-packet     0               0                0
       Udp-packet        0               0                0
--------------------------------------------------------------------------------
Slot   Attack-Type       Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
4      Tcpip-defend      0               0                0
--------------------------------------------------------------------------------
       Abnormal-packet   0               0                0
       Fragment-packet   0               0                0
       Tcpsyn-packet     0               0                0
       Udp-packet        0               0                0
--------------------------------------------------------------------------------
Slot   Attack-Type       Total-Packets   Passed-Packets   Dropped-Packets
--------------------------------------------------------------------------------
6      Tcpip-defend      0               0                0
--------------------------------------------------------------------------------
       Abnormal-packet   0               0                0
       Fragment-packet   0               0                0
       Tcpsyn-packet     0               0                0
       Udp-packet        0               0                0
--------------------------------------------------------------------------------
Pre-configuration Tasks
Before configuring the CAR function, complete the following task:
- Connecting the interfaces and configuring their physical parameters so that the physical status of the interfaces is Up
Data Preparation
To configure the CAR function, you need the following data.
No.   Data
1     Number and description of the attack defense policy
2     Index of the packet to be sent to the CPU, the number of the user-defined flow, and the minimum packet length for smallest packet compensation
3     CAR and Committed Burst Size (CBS) of the packets to be sent to the CPU
4     Number of the LPU to which the attack defense policy is applied
Procedure
Step 1 Run:
system-view
The system view is displayed.
The whitelist is created. Packets generated by Active Link Protection (ALP) and packets that pass the GTSM check are added to the whitelist dynamically. By default, the whitelist function is enabled; to disable it, run the whitelist disable command.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
The blacklist is created. By default, the blacklist function is enabled; to disable it, run the blacklist disable command.
----End
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number
The attack defense policy view is displayed.
Step 3 Perform the following as required.
- Run the process-sequence blacklist { user-defined-flow | whitelist } * command to set the processing priority of packets matching the blacklist.
- Run the process-sequence user-defined-flow { blacklist | whitelist } * command to set the processing priority of packets matching the user-defined flow rules.
- Run the process-sequence whitelist { user-defined-flow | blacklist } * command to set the processing priority of packets matching the whitelist.
By default, packets to be sent to the CPU are matched in the order whitelist, blacklist, user-defined flow.
----End
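The CAR and process-sequence settings above can be checked against a small model. The following Python is an added example written for this page, not NE5000E code: it models each CAR as a token bucket (CIR in kbit/s, CBS in bytes, as the display cpu-defend policy output reports them) and applies the process-sequence match order, so you can see why a 20-packet burst from a blacklisted host passes only 7 packets under the blacklist CAR shown later in this section (CIR 1, CBS 1000). The token-bucket semantics, the charging of packets shorter than the minimum packet length at that length (smallest-packet compensation), and the whitelist/blacklist/flow membership rules are assumptions; the CIR/CBS values are those displayed for policy 8.

```python
"""Token-bucket model of the CPU-bound CAR and the whitelist/blacklist/
user-defined-flow match order. Added example, not NE5000E code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Sequence, Tuple

Packet = Dict[str, object]            # constructed: {"src": str, "len": int, "proto": str}
Matcher = Callable[[Packet], bool]    # stands in for the ACL bound to a list


@dataclass
class Car:
    """CIR in kbit/s and CBS in bytes, as shown by display cpu-defend policy.
    Assumption: a packet shorter than min_packet_length is charged as
    min_packet_length bytes (smallest-packet compensation)."""
    cir_kbps: int
    cbs_bytes: int
    min_packet_length: int = 128
    tokens: float = field(init=False, default=0.0)
    last_t: float = 0.0
    passed: int = 0
    dropped: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)          # bucket starts full

    def offer(self, t: float, length: int) -> bool:
        """Return True if the packet is sent to the CPU, False if dropped."""
        rate = self.cir_kbps * 1000 / 8              # bytes per second
        self.tokens = min(self.cbs_bytes, self.tokens + (t - self.last_t) * rate)
        self.last_t = t
        charged = max(length, self.min_packet_length)
        if self.tokens >= charged:
            self.tokens -= charged
            self.passed += 1
            return True
        self.dropped += 1
        return False


DEFAULT_SEQUENCE = ("whitelist", "blacklist", "user-defined-flow")


class CpuDefendPolicy:
    """The first list matched in process-sequence order wins; unmatched
    packets go to the per-protocol CAR (the "default" bucket here)."""

    def __init__(self, lists: Dict[str, Matcher], cars: Dict[str, Car],
                 sequence: Sequence[str] = DEFAULT_SEQUENCE) -> None:
        self.lists, self.cars, self.sequence = lists, cars, tuple(sequence)

    def classify(self, pkt: Packet) -> str:
        for name in self.sequence:
            if name in self.lists and self.lists[name](pkt):
                return name
        return "protocol:" + str(pkt["proto"])

    def offer(self, t: float, pkt: Packet) -> Tuple[str, bool]:
        cls = self.classify(pkt)
        car = self.cars.get(cls, self.cars["default"])
        return cls, car.offer(t, int(pkt["len"]))


def build_policy(sequence: Sequence[str] = DEFAULT_SEQUENCE) -> CpuDefendPolicy:
    """CIR/CBS values copied from the display cpu-defend policy 8 output;
    the list membership rules are constructed for this example."""
    def in_net(net: str) -> Matcher:
        network = ipaddress.ip_network(net)
        return lambda p: ipaddress.ip_address(str(p["src"])) in network

    lists = {
        "whitelist": lambda p: p["src"] == "1.1.1.2",          # e.g. a GTSM-checked peer
        "blacklist": lambda p: in_net("10.0.0.0/24")(p) or in_net("1.1.1.0/24")(p),
        "user-defined-flow": lambda p: p["proto"] == "udp",
    }
    cars = {
        "whitelist": Car(4000, 40000),
        "blacklist": Car(1, 1000),
        "user-defined-flow": Car(3000, 30000),
        "default": Car(3000, 30000),
    }
    return CpuDefendPolicy(lists, cars, sequence)


def burst_from_blacklisted_host(n: int = 20) -> Tuple[int, int]:
    """Constructed burst: n 64-byte packets at t=0 from 10.0.0.7.
    Returns (passed, dropped) as counted by the blacklist CAR."""
    policy = build_policy()
    for _ in range(n):
        policy.offer(0.0, {"src": "10.0.0.7", "len": 64, "proto": "tcp"})
    car = policy.cars["blacklist"]
    return car.passed, car.dropped


def classify_with(sequence: Sequence[str], pkt: Packet) -> str:
    return build_policy(sequence).classify(pkt)


if __name__ == "__main__":
    print(burst_from_blacklisted_host())                     # (7, 13)
    peer = {"src": "1.1.1.2", "len": 64, "proto": "tcp"}     # on both lists
    print(classify_with(DEFAULT_SEQUENCE, peer))              # whitelist
    print(classify_with(("blacklist", "whitelist"), peer))   # blacklist
```

The burst result follows from the charging rule: a 1000-byte bucket charged 128 bytes per 64-byte packet admits 7 packets before the 8th is dropped, which is the effect the minimum packet length is there to produce against floods of tiny packets. The peer example shows why process-sequence matters: a source that appears on both the whitelist and the blacklist is rate-limited by whichever list is checked first.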
Procedure
Step 1 Run:
system-view
The system view is displayed.
The total rate at which packets are sent to the CPU is set.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
The user-defined attack defense policy is applied to the specified LPU. You must apply the attack defense policy to an LPU; otherwise, the policy does not take effect.
----End
Example
Run the display cpu-defend policy policy-number [ | count ] [ | { begin | include | exclude } regular-expression ] command. If the rules for filtering the packets to be sent to the CPU are displayed, the configuration succeeded. For example, run the display cpu-defend policy 8 command to view the filtering rules defined in policy 8.
<HUAWEI> display cpu-defend policy 8
Number : 8
Description :
Related slot : <3>
Whitelist Configuration :
  enable : open
  ACL number : 0
  CIR(4000) CBS(40000) Min-packet-length(128)
  priority : middle
  alarm enable : close
  alarm : threshold(1000000) interval(3600)
Blacklist Configuration :
  enable : open
  ACL number : 0
  CIR(1) CBS(1000) Min-packet-length(128)
  priority : middle
  alarm enable : close
  alarm : threshold(1000000) interval(3600)
ARP Configuration :
  Outbound ARP check enable : open
Total packet Configuration :
  Total packet car speed : high
  Total packet alarm enable : close
  Total packet alarm : threshold(1000000) interval(3600)
Process-sequence : whitelist blacklist user-defined-flow
Application apperceive Configuration :
  Application apperceive enable : open
  Default Action: Min-to-cp
  Application apperceive alarm enable : open
  Application apperceive alarm : threshold(1000000) interval(3600)
MA-Defend Configuration :
  MA-Defend alarm enable : open
  MA-Defend alarm : threshold(1000000) interval(3600)
Source Trace Data Configuration :
  Source Trace enable : open
  Source Trace Type enable : car: open urpf: open tcpip-defend: open ma-defend: open application-apperceive: open
  Source Trace Sample : 100
  Source Trace Packet Length : 150
URPF Configuration :
  URPF model : close
  allow default route: close
  URPF alarm enable : open
  URPF alarm : threshold(1000000) interval(3600)
TCPIP-Defend Configuration :
  Abnormal Packet Defend : open
  Udp Packet Defend : open
  Tcpsyn Flood Defend : open
  Tcpsyn : CIR(1500) CBS(15000) Min-packet-length(128)
  Tcpsyn priority : middle
  fragment-flood Defend : open
  Ip fragment : CIR(3000) CBS(30000) Min-packet-length(128)
  Ip fragment priority : middle
  TCPIP alarm enable : open
  TCPIP alarm : threshold(1000000) interval(3600)
User-defined-flow Configuration :
  User-defined-flow 1 ACL number : 0
  ...
  User-defined-flow 32 ACL number : 0
  User-defined-flow 1 alarm enable : close
  ...
Car Configuration :
  Car index 0 alarm enable : close
  ...
  Car index 233 alarm enable : close
  Car index 0 alarm : threshold(1000000)
  ...
  Car index 233 alarm : threshold(1000000)
  Car index 0 : CIR(3000) CBS(30000)
  ...
  Car index 233 : CIR(3000) CBS(30000)
  Car index 0 priority : middle
  ...
  Car index 232 priority : middle
  Car index 233 priority : N/A
After the configuration, run the display cpu-defend car { blacklist | index index | protocol | user-defined-flow flow-id | whitelist } statistics [ slot slot-id ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the statistics of discarded packets. For example, run the display cpu-defend car blacklist statistics slot 3 command to view the statistics of packets discarded on the LPU in slot 3.
<HUAWEI> display cpu-defend car blacklist statistics slot 3
Slot : 3
Application switch : Open
Default Action : Min-to-cp
--------------------------------------------
Blacklist
  Protocol switch: N/A
  Packet information:
    Passed packet(s) : 0
    Dropped packet(s) : 0
  Configuration information:
    Configged CIR : 1 kbps        Actual CIR in NP : 1 kbps
    Configged CBS : 1000 bytes    Actual CBS in NP : 1000 bytes
    Priority : low
    Min-packet-length : NA
Pre-configuration Task
Before configuring application layer association, complete the following task:
- Configuring link layer protocol parameters and assigning IP addresses to the interfaces so that the link layer protocol status of each interface is Up
Data Preparation
None.
Procedure
Step 1 Run:
system-view
The system view is displayed.
The application layer association function is disabled. By default, application layer association is enabled.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number
An attack defense policy is created and the attack defense policy view is displayed.
Step 3 Run:
application-apperceive default-action
The default action for packets to be sent to the CPU is set. By default, application layer association is enabled.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
The user-defined attack defense policy is applied to the specified LPU. You must apply the attack defense policy to an LPU; otherwise, the policy does not take effect.
----End
Example
Run the display application-apperceive slot 3 command to view information about application layer association on the LPU in slot 3 after application layer association takes effect.
<HUAWEI> display application-apperceive slot 3
------------------------------
Slot : 3
Application Switch : Open
Default Action : Min-to-cp
------------------------------
ProtocolName        ProtocolState
------------------------------
FTP SERVER          Open
SSH SERVER          Open
SNMP                Open
TELNET SERVER       Open
TFTP                Open
BGP                 Open
LDP                 Open
RSVP                Open
OSPF                Open
RIP                 Open
MSDP                Open
PIM                 Open
IGMP                Open
ISIS                Open
FTP CLIENT          Open
TELNET CLIENT       Open
SSH CLIENT          Open
------------------------------
Run the display cpu-defend application-apperceive statistics slot 3 command to view information about the packets discarded by application layer association on the LPU in slot 3 after application layer association takes effect.
<HUAWEI> display cpu-defend application-apperceive statistics slot 3
Slot  Attack-Type             Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     Application-Apperceive  1168           1168            0
--------------------------------------------------------------------------------
      FTP SERVER              0              0               0
      SSH SERVER              0              0               0
      SNMP                    0              0               0
      TELNET SERVER           0              0               0
      TFTP                    0              0               0
      BGP                     0              0               0
      LDP                     0              0               0
      RSVP                    0              0               0
      OSPF                    0              0               0
      RIP                     0              0               0
      ISIS                    0              0               0
      ICMP                    0              0               0
      MSDP                    0              0               0
      PIM                     0              0               0
      DHCP                    16             16              0
      LACP                    0              0               0
      NTP                     0              0               0
      RADIUS                  0              0               0
      HWTACACS                0              0               0
      LSPPING                 0              0               0
      IGMP                    0              0               0
      (remaining rows truncated in the source; they account for the other 1152 passed packets in the slot total)
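Both statistics tables above (display cpu-defend tcpip-defend statistics and display cpu-defend application-apperceive statistics) share one layout: a slot summary row followed by one row per attack type or protocol, each with total, passed and dropped counts. They can therefore be polled and parsed with the same code. The following Python is an added example, not NE5000E code: it parses that layout into per-slot counters and reports the detail rows whose drop count and drop ratio exceed a threshold, which is the check an operator wants when the command is run periodically. The sample output is constructed for the example; its Tcpsyn-packet and BGP rows are invented so that one alert fires.

```python
"""Parser and drop-alert check for the display cpu-defend ... statistics tables.
Added example, not NE5000E code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_NUM = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Counter:
    slot: int
    family: str      # "Tcpip-defend" or "Application-Apperceive" (the summary row)
    name: str        # sub-type or protocol; equals family on the summary row
    total: int
    passed: int
    dropped: int

    @property
    def drop_ratio(self) -> float:
        return self.dropped / self.total if self.total else 0.0


def parse_cpu_defend_statistics(text: str) -> List[Counter]:
    """Rows look like '3 Tcpip-defend 0 0 0' (slot summary) or
    'FTP SERVER 0 0 0' (detail row under the current slot)."""
    counters: List[Counter] = []
    slot: Optional[int] = None
    family: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Slot "):
            continue                                   # blank, separator, or header
        tok = line.split()
        if len(tok) < 4 or not all(_NUM.match(t) for t in tok[-3:]):
            continue                                   # not a counter row
        total, passed, dropped = (int(t) for t in tok[-3:])
        if _NUM.match(tok[0]) and len(tok) >= 5:       # new slot section
            slot, family = int(tok[0]), " ".join(tok[1:-3])
            name = family
        elif slot is not None and family is not None:
            name = " ".join(tok[:-3])                  # protocol names may contain spaces
        else:
            continue
        counters.append(Counter(slot, family, name, total, passed, dropped))
    return counters


def drop_alerts(counters: List[Counter], min_dropped: int = 1,
                min_ratio: float = 0.0) -> List[Tuple[int, str, str, int, float]]:
    """Detail rows whose drop count and drop ratio both reach the thresholds.
    The summary row is skipped so one event is not reported twice."""
    return [(c.slot, c.family, c.name, c.dropped, round(c.drop_ratio, 3))
            for c in counters
            if c.name != c.family and c.dropped >= min_dropped
            and c.drop_ratio >= min_ratio]


# Constructed sample in the format of the two display commands above; the
# Tcpsyn-packet and BGP rows are made up so that one alert fires.
SAMPLE = """\
Slot Attack-Type Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3 Tcpip-defend 1300 500 800
--------------------------------------------------------------------------------
Abnormal-packet 0 0 0
Fragment-packet 100 100 0
Tcpsyn-packet 1200 400 800
Udp-packet 0 0 0
--------------------------------------------------------------------------------
Slot Attack-Type Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3 Application-Apperceive 1168 1168 0
--------------------------------------------------------------------------------
FTP SERVER 0 0 0
SSH SERVER 0 0 0
DHCP 16 16 0
BGP 1152 1152 0
--------------------------------------------------------------------------------
"""


def alerts_for_sample() -> List[Tuple[int, str, str, int, float]]:
    return drop_alerts(parse_cpu_defend_statistics(SAMPLE), min_ratio=0.5)


if __name__ == "__main__":
    for slot, family, name, dropped, ratio in alerts_for_sample():
        print(f"slot {slot}: {family}/{name} dropped {dropped} ({ratio:.0%})")
```

A drop ratio threshold is used in addition to an absolute count because the counters are cumulative since the last reset cpu-defend statistics: a handful of drops on a long-running LPU is normal, while a high share of SYN packets dropped since the last poll is the signature the Tcpsyn Flood Defend CAR is meant to surface.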
Pre-configuration Task
Before configuring management/control plane protection, complete the following task:
- Configuring link layer protocol parameters and IP addresses for the interfaces and ensuring that the link layer protocol status on the interfaces is Up
Data Preparation
To configure management/control plane protection, you need the following data:
No.  Data
1    Number of the slot holding the LPU to which slot-based management/control plane protection is applied
2    Type and number of the interface to which interface-based management/control plane protection is applied
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ma-defend global-policy
The global management/control plane protection policy view is displayed.
Step 3 Run:
protocol protocol-name { deny | permit }
The rule for sending packets of a specified protocol is configured.
Step 4 Run:
enable
The global policy is enabled.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ma-defend slot-policy policy-number
The slot-based management/control plane protection policy view is displayed.
Step 3 Run:
protocol protocol-name { deny | permit }
The rule for sending packets of a specified protocol is configured.
Step 4 Run:
quit
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ma-defend interface-policy policy-number
The interface-based management/control plane protection policy view is displayed.
Step 3 Run:
protocol protocol-name { deny | permit }
The rule for sending packets of a specified protocol is configured.
Step 4 Run:
quit
----End
Example
Run the display ma-defend all command to view the management/control plane protection policies after the function is enabled.
<HUAWEI> display ma-defend all
MA-defend policy type: global-policy
----------------------------------------------------
The global-policy is enabled
--------------------------------------------------
protocol    rule
--------------------------------------------------
NA
----------------------------------------------------
MA-defend policy type: slot-policy 5
----------------------------------------------------
The slot-policy is bound to slot: 6
--------------------------------------------------
protocol    rule
--------------------------------------------------
telnet      deny
----------------------------------------------------
MA-defend policy type: slot-policy 9
----------------------------------------------------
The slot-policy is bound to slot: NA
--------------------------------------------------
protocol    rule
--------------------------------------------------
NA
----------------------------------------------------
MA-defend policy type: interface-policy 7
----------------------------------------------------
The interface-policy is bound to interface: GigabitEthernet3/0/4
--------------------------------------------------
protocol    rule
--------------------------------------------------
snmp        permit
----------------------------------------------------
MA-defend policy type: interface-policy 56
----------------------------------------------------
The interface-policy is bound to interface: NA
--------------------------------------------------
protocol    rule
--------------------------------------------------
bgp         deny
----------------------------------------------------
MA-defend policy current administrative protocols' switches state:
----------------------------------------------------
protocol    state        interface-number
--------------------------------------------------
ftp         Activated    1
ssh         Activated    1
snmp        Activated    1
telnet      Activated    1
tftp        Activated    1
----------------------------------------------------
Run the display cpu-defend ma-defend report command to view information about the packets discarded by management/control plane protection.
<HUAWEI> display cpu-defend ma-defend report
slot : 3
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName    Drop-Packet
------------------------------
slot : 4
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName    Drop-Packet
------------------------------
slot : 6
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName    Drop-Packet
------------------------------
CAUTION
Local attack defense statistics cannot be restored after they are reset. Confirm the action before you run the command.
Procedure
Step 1 Run the reset cpu-defend { all | application-apperceive | car { protocol | blacklist | index index | user-defined-flow flow-id | whitelist } | ma-defend | tcpip-defend | urpf } statistics [ slot slot-id ] command in the user view to clear the local attack defense statistics.
----End
Figure: networking diagram of local attack defense. Router A GE1/0/0 1.1.1.1/24, Router B GE1/0/0 1.1.1.2/24, Router C GE1/0/0 2.2.2.2/24 and GE2/0/0 3.3.3.3/24, with a connection to the Internet.
Configuration Roadmap
The configuration roadmap is as follows:
1. On Router A, define a blacklist and limit the rate of packets sent to the CPU by configuring CAR.
2. On Router B, configure TCP/IP attack defense, local URPF, application layer association, and attack source tracing.
3. On Router C, configure management/control plane protection.
Data Preparation
To complete the configuration, you need the following data:
- Number of the attack defense policy
- Index of the packets to be sent to the CPU, number of the user-defined flow, and minimum packet length for smallest-packet compensation
- CIR and CBS values of the packets to be sent to the CPU
- Sampling rate, file name, and packet length for saving attack source tracing information
- Number of the slot holding the LPU to which slot-based management/control plane protection is applied
- Type and number of the interface to which interface-based management/control plane protection is applied
- Number of the LPU to which the attack defense policy is applied
Procedure
Step 1 Configure an IP address for each interface. The details are not shown here.
Step 2 Configure the sending rule for the blacklist on Router A.
<RouterA> system-view
[RouterA] cpu-defend policy 4
[RouterA-cpu-defend-policy-4] car blacklist cir 1000
[RouterA-cpu-defend-policy-4] priority blacklist low
[RouterA-cpu-defend-policy-4] car total-packet 1000
[RouterA-cpu-defend-policy-4] alarm drop-rate blacklist enable
[RouterA-cpu-defend-policy-4] alarm drop-rate blacklist interval 60 threshold 1000
Step 3 On Router B, configure TCP/IP attack defense, local URPF, and the other functions that defend against attack packets.
# Configure attack source tracing.
<RouterB> system-view
[RouterB] cpu-defend policy 4
[RouterB-cpu-defend-policy-4] attack-source-trace enable
[RouterB-cpu-defend-policy-4] attack-source-trace sample-rate 1000
[RouterB-cpu-defend-policy-4] attack-source-trace packet-length 200
Step 4 On Router C, configure management/control plane protection.
# Configure the global policy.
<RouterC> system-view
[RouterC] ma-defend global-policy
[RouterC-app-sec-global] protocol bgp permit
[RouterC-app-sec-global] enable
[RouterC-app-sec-global] quit
Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
cpu-defend policy 4
 car blacklist cir 1000
 priority blacklist low
 alarm drop-rate blacklist enable
 alarm drop-rate blacklist threshold 1000 interval 60
 car total-packet 1000
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
- Configuration file of Router B
#
 sysname RouterB
#
cpu-defend policy 4
 ip urpf strict
 attack-source-trace packet-length 200
 attack-source-trace sample-rate 1000
#
interface GigabitEthernet1/0/0
 undo shutdown
- Configuration file of Router C
#
 sysname RouterC
#
slot 2
#
ma-defend interface-policy 4
 protocol ospf permit
#
ma-defend slot-policy 4
 protocol ftp permit
#
ma-defend global-policy
 protocol bgp permit
 enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 3.3.3.3 255.255.255.0
#
return
5 Mirroring Configuration
About This Chapter
This chapter describes the basic principle and application of mirroring.
5.1 Overview to Mirroring: This section describes the basic principle and application of mirroring.
5.2 Configuring Local Port Mirroring: This section describes how to configure local port mirroring.
5.3 Configuring Local Traffic Mirroring: This section describes how to configure local traffic mirroring.
5.4 Configuration Examples: This section provides several configuration examples of mirroring.
The NE5000E supports the following mirroring modes:
- Upstream port mirroring and upstream flow mirroring
- Upstream mirroring with the observing port and the mirroring port on the same board or on different boards
- Local mirroring and remote mirroring
NOTE
When using remote mirroring, you can configure only a remote observing port, not a remote mirroring port, on the NE5000E.
To enable mirroring on the NE5000E, note the following:
- It is not recommended that the observing port and the mirroring port carry other services. Mirrored traffic adds to the load on these ports, and the other services may be affected.
- One interface cannot be both a mirroring port and an observing port.
Pre-configuration Tasks
Before configuring local port mirroring, complete the following task:
- Configuring link layer protocol parameters and assigning IP addresses to the interfaces so that the link layer protocol status of each interface is Up
Data Preparation
To configure local port mirroring, you need the following data.
No.  Data
1    Type and number of the observing port
2    Slot number of the LPU on which the mirroring port is configured
3    Type and number of the local mirroring port
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interfaces that can function as the observing port are the GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, and IP-Trunk interface.
Step 3 Run the following commands as required.
- Run the port-observing observe-index observe-index command to configure a local observing port.
- Run the port-observing identifier id [ description regulation ] command to configure a remote observing port.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
slot slot-id
The slot view is displayed.
Step 3 Run:
mirror to observe-index observe-index
The observing port corresponding to the observing index then functions as the observing port of the entire LPU (the observing port for entire LPU mirroring). When a port on the LPU is mirrored, its packets are mirrored to this observing port. The observing port for entire LPU mirroring can be on the local LPU or on another LPU.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interface serves as the local mirroring port. The interfaces that can function as the local mirroring port are the GE interface, GE sub-interface, and POS interface.
Step 3 Run:
port-mirroring inbound
Port mirroring is enabled on the interface in the inbound direction.
----End
Example
After the mirroring port is configured, run the display port-mirroring interface command to view the configuration of all mirroring ports on the router, the display port-mirroring interface interface-type interface-number command to view the configuration of a specified mirroring port, or the display port-mirroring interface slot slot-id command to view the configuration of all mirroring ports on a specified LPU. For example, run the display port-mirroring interface command to view the configuration of all mirroring ports on the router.
<HUAWEI> display port-mirroring interface
------------------------------------------------------------------------------
Interface   Local/Remote   CAR   Type   In/Out   WithLinkHeader   Instance
------------------------------------------------------------------------------
PO4/2/0     Local                Port   In       No
PO6/0/0     Local                Port   In
------------------------------------------------------------------------------
After the observing port is configured, run the display port-observing interface command to view the configuration of all observing ports on the router, the display port-observing interface interface-type interface-number command to view the configuration of a specified observing port, or the display port-observing interface slot slot-id command to view the configuration of all observing ports on a specified LPU. For example, run the display port-observing interface command to view the configuration of all observing ports on the router.
<HUAWEI> display port-observing interface
L/R : Local/Remote
ID : Identifier
L-Header: WithLinkHeader
Obs-index: Observe-index
------------------------------------------------------------------------------
Interface   L/R   L-Header   Obs-index   ID   Status   Description
------------------------------------------------------------------------------
GI4/1/0     L                4                down
GI3/0/4     R                            10   down
------------------------------------------------------------------------------
Run the display port-observing observe-index command to view the configuration of the indexes of all observing ports on the router, or the display port-observing observe-index observe-index command to view the configuration of a specified observing index.
<HUAWEI> display port-observing observe-index
observe-index 4
  observe-port : GigabitEthernet4/1/0
  reference slot : 6
Run the display port-observing slot [ slot-id ] command to view the observing port configured on an LPU and the LPUs that use this observing port.
<HUAWEI> display port-observing slot
slot 4
  observe-port : GigabitEthernet4/1/0
  reference slot : 6
Pre-configuration Tasks
Before configuring local traffic mirroring, complete the following task:
- Configuring static routes or enabling an IGP to ensure that the routers have reachable IP routes to each other
Data Preparation
To configure local traffic mirroring, you need the following data.
No.  Data
1    Type and number of the observing port
2    Slot number of the LPU on which the mirroring port is configured
3    Type and number of the mirroring port
4    Traffic classification rule, such as the ACL number, Differentiated Services Code Point (DSCP) value, 802.1p value, TCP flag value, source or destination MAC address, or IP precedence value
5    Names of the traffic class, traffic behavior, and traffic policy
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interfaces that can function as the observing port are the GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, and IP-Trunk interface.
Step 3 Run the following commands as required.
- Run the port-observing observe-index observe-index command to configure a local observing port.
- Run the port-observing identifier id [ description regulation ] command to configure a remote observing port.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
slot slot-id
The slot view is displayed.
Step 3 Run:
mirror to observe-index observe-index
The observing port corresponding to the observing index then functions as the observing port of the entire LPU (the observing port for entire LPU mirroring). When a port on the LPU is mirrored, its packets are mirrored to this observing port. The observing port for entire LPU mirroring can be on the local LPU or on another LPU.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier classifier-name
The traffic class is defined and its view is displayed.
Step 3 Perform the following as required.
- Run the if-match acl acl-number command to set an ACL-based rule.
- Run the if-match dscp dscp-value command to set a DSCP-based rule.
- Run the if-match tcp syn-flag tcpflag-value command to set a TCP-flag-based rule.
- Run the if-match 8021p 8021p-code command to set an 802.1p-based rule for VLAN packets.
- Run the if-match source-mac mac-address command to set a rule based on the source MAC address of the packet.
- Run the if-match destination-mac mac-address command to set a rule based on the destination MAC address of the packet.
- Run the if-match ip-precedence ip-precedence command to set a rule based on the IP precedence of the packet.
- Run the if-match any command to set a rule matching all packets.
You can select one or several matching rules in Step 3 as required.
----End
5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
The traffic behavior is configured and the traffic behavior view is displayed.
Step 3 Run:
port-mirroring enable
Local traffic mirroring is enabled. After it is enabled, packets that match the traffic class are copied to the observing port.
----End
5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior
Context
Do as follows on the router to be configured with flow mirroring:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic policy policy-name
The traffic policy is defined and its view is displayed.
Step 3 Run:
classifier classifier-name behavior behavior-name
The traffic class is associated with the traffic behavior in the traffic policy.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interface serves as the local mirroring port. The interfaces that can function as the mirroring port are the GE interface, GE sub-interface, POS interface, FR interface, serial interface, and MP-group interface. The LPUB, LPUC, LPUE, LPUF-10, and LPUF-21 support local upstream mirroring whose observing port is a physical port.
Step 3 Run:
traffic-policy policy-name { inbound | outbound } [ link-layer | all-layer ]
The traffic policy is applied to the interface.
----End
Example
After the traffic behavior is configured, run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to view the configured traffic behavior. For example, run the display traffic behavior user-defined command to view the user-defined traffic behavior.
<HUAWEI> display traffic behavior user-defined
User Defined Behavior Information:
  Behavior: huawei
    Mirror:
      port-mirroring enable
      port-mirroring car cir 2000
After the traffic class is configured, run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to view the configured traffic class. For example, run the display traffic classifier user-defined command to view the user-defined traffic class.
<HUAWEI> display traffic classifier user-defined
User Defined Classifier Information:
  Classifier: huawei
    Operator: OR
    Rule(s) : if-match tcp syn-flag 2
After the traffic policy is configured, run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command to view a specified traffic class in a specified policy, all traffic classes in all policies, and the behaviors associated with them. For example, run the display traffic policy user-defined command to view the user-defined traffic policy.
<HUAWEI> display traffic policy user-defined
User Defined Traffic Policy Information:
  Policy: huawei
    Unshare-mode
    Classifier: default-class
      Behavior: be
        -none-
    Classifier: huawei
      Behavior: huawei
        Mirror:
          port-mirroring enable
          port-mirroring car cir 2000
After port mirroring is enabled, run the display port-observing [ slot slot-id ] command to view the configuration of the observing port. For example, run the display port-observing slot 4 command to view the observing port of the LPU in slot 4.
<HUAWEI> display port-observing slot 4
slot 4
  observe-port : GigabitEthernet4/1/0
  reference slot : 4
  reference slot : 6
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.
As shown in Figure 5-1, to monitor the packets that Router B receives on GE 3/0/0 from Router A, configure GE 1/0/0 of Router B as the observing port and enable port mirroring on GE 3/0/0. All packets received on GE 3/0/0 are then copied to GE 1/0/0 and sent to the packet analysis equipment, Host D.
Figure 5-1 Networking diagram of port mirroring: Router A GE1/0/0 (7.1.1.1/24) - Router B GE3/0/0 (7.1.1.2/24); Router B GE3/0/1 (8.1.1.2/24) - Router C GE1/0/0 (8.1.1.1/24); Router B GE1/0/0 (9.1.1.1/24) - Host D.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE 1/0/0 of Router B as the observing port.
2. Configure GE 3/0/0 of Router B as the mirroring port and enable port mirroring.
Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Interface type and number of the observing port and the mirroring port
Procedure
Step 1 Assign IP addresses to the interfaces and ensure that they are reachable. The details are not shown here.
Step 2 Configure GE 1/0/0 as the observing port.
<RouterB> system-view
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] port-observing observe-index 1
[RouterB-GigabitEthernet1/0/0] quit
Step 3 Configure the observing port to observe all the mirroring ports on the LPU.
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 1
[RouterB-slot-3] quit
Step 4 Configure GE 3/0/0 as the mirroring port and enable port mirroring.
[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] port-mirroring inbound
[RouterB-GigabitEthernet3/0/0] quit
After the preceding configuration, all packets received on GE 3/0/0, including those sent to the CPU, are mirrored to GE 1/0/0.
Step 5 Verify the configuration. You can check mirroring with the ping command or in other ways. For example, send 10 ping packets from Router A to GE 3/0/0 of Router B; all of them should be received on Host D. View the packet statistics on GE 1/0/0.
<RouterB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description: GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
  Unicast: 0, Multicast: 0
  Broadcast: 0, JumboOctets: 0
  CRC: 0, Symbol: 0
  Overrun: 0, InRangeLength: 0
  LongPacket: 0, Jabber: 0, Alignment: 0
  Fragment: 0, Undersized Frame: 0
  RxPause: 0
Output:
  Unicast: 10, Multicast: 0
  Broadcast: 0, Jumbo: 0
  Lost: 0, Overflow: 0, Underrun: 0
  TxPause: 0
The Output Unicast counter of 10 corresponds to the 10 mirrored ping packets.
----End
Configuration Files
Networking Requirements
CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.
As shown in Figure 5-2, to monitor the packets that Router B receives on GE 3/0/0 from Router A, configure GE 3/0/2 of Router B as the observing port and enable flow mirroring on GE 3/0/0. To reduce the load on Host D, configure a traffic policy on GE 3/0/0 of Router B so that only packets with the source address 2.2.2.2 are copied to GE 3/0/2.
Figure 5-2 Networking diagram of flow mirroring: net1 - Router A GE1/0/0 (7.1.1.1/24) - Router B GE3/0/0 (7.1.1.2/24); Router B GE3/0/1 (8.1.1.2/24) - Router C GE1/0/0 (8.1.1.1/24) - net2; Router B GE3/0/2 (9.1.1.1/24) - Host D.
Configuration Roadmap

The configuration roadmap is as follows:
1. Configure GE 3/0/2 of Router B as the observing port.
2. Configure the traffic policy on GE 3/0/0 of Router B and combine traffic classification with port mirroring.
Data Preparation

To complete the configuration, you need the following data:

- IP addresses of the interfaces
- Interface type and number of the observing port and the mirroring port
- ACL number and names of the traffic class, traffic behavior, and traffic policy
Procedure

Step 1 Assign IP addresses to the interfaces, and ensure that the IP addresses are reachable. The detailed configurations are not mentioned.

Step 2 Configure GE 3/0/2 as the observing port.

<RouterB> system-view
[RouterB] interface gigabitethernet3/0/2
[RouterB-GigabitEthernet3/0/2] port-observing observe-index 3

Step 3 Configure the observing port to observe all the mirroring ports on the LPU.

[RouterB] slot 3
[RouterB-slot-3] mirror to observe-port 3
[RouterB-slot-3] quit

# After the preceding configuration, you can run the display command to view the configuration of the traffic class.

<RouterB> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: a
Operator: OR
Rule(s) : if-match acl 2001

# Define a traffic policy and associate the traffic class with the traffic behavior.

[RouterB] traffic policy 1
[RouterB-trafficpolicy-1] classifier a behavior e
[RouterB-trafficpolicy-1] quit

Step 5 Verify the configuration.

You can view traffic mirroring through the ping command or in other ways. For example, send 10 ping packets with the source address 2.2.2.2/32 and another 10 packets with the source address 1.1.1.1/32 from Router A to GE 3/0/0. Host D should receive only the packets with the source address 2.2.2.2/32 from Router A.

----End
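As an added example (not from the guide), a small script that performs the comparison this verification step describes, offline: it parses two constructed snapshots of the observing port's display interface counters, taken before and after the 10 test pings, and reports whether the expected number of mirrored copies was sent towards the host. The snapshot text and counter layout are assumptions modelled on the display interface output shown earlier in this chapter.

```python
import re

# Constructed "display interface" snapshots of the observing port, modelled on the
# NE5000E output in the verification step: one taken before the 10 test pings are
# sent from Router A, one taken after. Only the counter lines the check needs are kept.
BEFORE = """\
GigabitEthernet1/0/0 current state : UP
Input: 106548 bytes, 1006 packets
Output: 106548 bytes, 1006 packets
Input:
  Unicast: 0, Multicast: 0
Output:
  Unicast: 0, Multicast: 0
"""
AFTER = """\
GigabitEthernet1/0/0 current state : UP
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
  Unicast: 0, Multicast: 0
Output:
  Unicast: 10, Multicast: 0
"""

STATE_RE = re.compile(r"current state : (\w+)")
TOTAL_RE = re.compile(r"^(Input|Output): (\d+) bytes, (\d+) packets", re.M)
UNICAST_RE = re.compile(r"^(Input|Output):\n\s+Unicast: (\d+), Multicast: (\d+)", re.M)


def parse_counters(text):
    """Pull the link state and the per-direction packet counters out of one snapshot."""
    state = STATE_RE.search(text)
    totals = {d: {"bytes": int(b), "packets": int(p)} for d, b, p in TOTAL_RE.findall(text)}
    unicast = {d: int(u) for d, u, _ in UNICAST_RE.findall(text)}
    return {"state": state.group(1) if state else None, "totals": totals, "unicast": unicast}


def verify_mirroring(before, after, expected):
    """Judge from two snapshots of the observing port whether the mirrored copies of the
    `expected` test packets were sent towards the monitoring host. Returns (verdict, detail)."""
    b, a = parse_counters(before), parse_counters(after)
    if a["state"] != "UP":
        return "fail", f"observing port state is {a['state']}, expected UP"
    sent = a["unicast"]["Output"] - b["unicast"]["Output"]
    grown = a["totals"]["Output"]["packets"] - b["totals"]["Output"]["packets"]
    if sent == expected:
        return "ok", f"{sent} mirrored unicast packets sent ({grown} output packets in total)"
    if sent > expected:
        # The port also carried other copies (for example a second mirrored flow), so the
        # test packets cannot be told apart by counters alone.
        return "inconclusive", f"{sent} packets sent, more than the {expected} test packets"
    return "fail", f"only {sent} of {expected} test packets reached the observing port"
```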
Configuration Files

 ip address 8.1.1.1 255.255.255.0
#
return
This appendix covers the attributes of RADIUS and HWTACACS.

A.1 RADIUS Attribute
This appendix covers the attributes of RADIUS.

A.2 HWTACACS Attribute
This appendix covers the attributes of HWTACACS.
(RADIUS attribute table, continued: rows for NAS-Port and for attribute numbers 6, 7, 8, 9, 11, 14, 15, 18 and 19; their descriptions were not extracted.)
No  Name  Description
24  State  If the access challenge packets sent from the RADIUS server to the router contain this value, the subsequent access request packets of the router must contain the same value.
25  Class  If the authentication accepted packets sent from the RADIUS server to the router contain this value, the subsequent accounting request packets of the router must contain the same value. For the standard RADIUS server, the router can use the class to signify CAR.
27  Session-Timeout  Indicates the remaining time available for users, in seconds; in EAP challenge packets it acts as the reauthentication duration for users.
28  -  Indicates the idle breaking time of users, in seconds.
29  -  Indicates the service termination mode, such as reauthentication or forcible user logout.
30  -  Allows the NAS to send the called number.
31  -  Allows the NAS to send the calling number.
32  -  Indicates the hostname of the router.
40  -  Indicates the type of accounting packets: 1 indicates start accounting packets, 2 indicates stop accounting packets, 3 indicates real-time accounting packets.
41  Acct-Delay-Time  Indicates the time span to generate accounting packets, in seconds.
42  Acct-Input-Octets  Indicates the octets for uplink, in Byte, kbyte, Mbyte or Gbyte. Use the command to set which unit is used.
43  Acct-Output-Octets  Indicates the output octets, in Byte, kbyte, Mbyte or Gbyte. Which unit is used depends on the command configuration.
44  Acct-Session-Id  Indicates the session for accounting. The start accounting packet, real-time accounting packets and stop accounting packet of the same session must carry identical session IDs.
45  -  Indicates the authentication model: 1 refers to RADIUS authentication, and 2 refers to local authentication.
46  -  Indicates the online time span of users, in seconds.
47  -  Indicates the number of input packets.
No  Name  Description
48  -  Indicates the number of output packets.
49  -  Causes for user connection interruption:
    - User-Request (1): indicates that the user logs out.
    - Lost Carrier (2): indicates that the handshake fails, including ARP detection failure or PPP handshake failure.
    - Lost Service (3): orders disconnection.
    - Idle Timeout (4): indicates idle timeout.
    - Session Timeout (5): indicates time limit disconnection or traffic limit disconnection.
    - Admin Reset (6): indicates that the administrator orders the connection to be broken.
    - Admin Reboot (7): indicates that the administrator resets the router.
    - Port Error (8): indicates that the port is in error.
    - NAS Error (9): indicates that an internal error occurs in the router.
    - NAS Request (10): indicates that the router breaks the connection because of a resource change.
    - NAS Reboot (11): indicates that the router resets automatically.
    - Port Unneeded (12): indicates that the port is Down.
    - Port Suspended (14): indicates that the port is suspended.
    - Service Unavailable (15): indicates that the service is unavailable.
    - User Error (17): indicates that the user authentication fails or times out.
    - Host Request (18): indicates that decline packets are received from the server.
50  Acct-Multi-Session-ID  Indicates several session IDs, which are used to identify the relevant sessions in the log.
52  Acct-Input-Gigawords  Indicates how many times 4G (2^32) Byte, kbyte, Mbyte or Gbyte of input traffic has been counted (which unit is chosen depends on the command configuration).
53  Acct-Output-Gigawords  Indicates how many times 4G (2^32) Byte, kbyte, Mbyte or Gbyte of output traffic has been counted (which unit is chosen depends on the command configuration).
-   -  Indicates the duration to generate accounting packets, in seconds.
55  Event-Timestamp  Indicates the absolute seconds since zero o'clock, zero minute, zero second, January 1st, 1970.
No  Name  Description
60  -  Indicates the challenge word of CHAP authentication, which is only used for CHAP authentication.
61  -  Indicates the port type of the NAS, which can be set in the BAS interface view.
64  -  Indicates the protocol type of the tunnel. It is fixed as 3, signifying the L2TP tunnel.
65  -  Indicates the type of medium over the tunnel. It is fixed as 1, signifying IPv4.
67  -  Indicates the IP address of the tunnel at the server side.
69  -  Indicates the password of tunnel authentication. The first two bytes are the SALT, while the following 16 bytes are the encrypted password.
81  -  Indicates the group ID of the tunnel.
82  -  Indicates the ID of the tunnel.
83  -  Indicates the tunnel preference.
85  -  Indicates the interval for real-time charging, in seconds.
87  -  Indicates the port ID of user access, whose format is "slot=XX; subslot=XX; port=XXX; VLANID=XXXX;" or "slot=XX; subslot=XX; port=XXX; VPI=XXX; VCI=XXXX".
88  Framed-Pool  Indicates the name of the address pool and the address segment number, which takes effect on the IP address that the local address pool of the router assigns to PPP. Its format is "name of the address pool # address segment number".
90  Tunnel-Client-Auth-ID  Indicates the transitive local user name under tunnel authentication.
91  Tunnel_Server_Auth_id  Indicates the transitive user name at the server side under tunnel authentication.
No  Name  Description
-  -  Indicates the peak rate for downlink, in bit/s.
-  -  Indicates the average rate for downlink, in bit/s.
-  -  Indicates the basic rate for downlink, in bit/s.
-  -  Indicates the received traffic before the charge rate switch, in kbyte. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow received by the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow received by the router from the start of real-time accounting to the charge rate switch. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-8  Out-Kb-Before-T-Switch  Indicates the sent traffic before the charge rate switch, in kbyte. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow sent from the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow sent from the router from the start of real-time accounting to the charge rate switch. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-9  In-Pkt-Before-T-Switch  Indicates the number of received packets before the charge rate switch. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets received by the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets received by the router from the start of real-time accounting to the charge rate switch. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-10  Out-Pkt-Before-T-Switch  Indicates the number of sent packets before the charge rate switch. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets sent from the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets sent from the router from the start of real-time accounting to the charge rate switch. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
No  Name  Description
26-11  In-Kb-After-T-Switch  Indicates the received traffic after the charge rate switch, in kbyte. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow received by the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow received by the router from the charge rate switch to the end of real-time accounting. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-12  Out-Kb-After-T-Switch  Indicates the sent traffic after the charge rate switch, in kbyte. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow sent from the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the user flow sent from the router from the charge rate switch to the end of real-time accounting. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-13  In-Pkt-After-T-Switch  Indicates the number of received packets after the charge rate switch. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets received by the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets received by the router from the charge rate switch to the end of real-time accounting. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-14  Out-Pkt-After-T-Switch  Indicates the number of sent packets after the charge rate switch. If no charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets sent from the router during the entire real-time accounting period. If a charge rate switch occurs in the real-time accounting period, this attribute signifies the number of packets sent from the router from the charge rate switch to the end of real-time accounting. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-15  Remnant-Volume  Indicates the remaining available traffic, in KB.
No  Name  Description
26-16  Tariff-Switch-Interval  Indicates the time interval between the latest charge rate switch and the current time, in seconds. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-20  Command  Used to operate session control packets. Its values are as follows: 1 indicates a session triggering request; 2 indicates a session interruption request; 3 indicates setting a policy; 4 indicates a result. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-22  Priority  Indicates the priority of the user service, whose effective value ranges from 1 to 9.
26-24  Control-Identifier  Indicates the identifier of retransmission packets. For retransmission packets in the same session, this attribute must be identical. For those at the client side, this attribute must remain intact when returned. In the start accounting packet, real-time accounting packet and end accounting packet, this value is insignificant. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-25  Result-Code  Valid only when the 26-20 attribute is set to 3 or 4. A result code of 0 indicates success; a non-zero result code indicates failure. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-26  Connect-ID  Indicates the index of the user connection. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
26-27  Portal-URL  Indicates the URL of the forced Portal of PPP users. This attribute applies only to the RADIUS server with Portal-type (RADIUS+1.1).
-  -  Indicates the initial directory of FTP users.
-  -  Indicates the priority of operation users such as Telnet users, whose value ranges from 0 to 3.
-  -  Indicates the virtual template number used by MP users.
-  -  Indicates the VPN instance name of VPN users.
-  -  Indicates the virtual template number of VPN users.
No  Name  Description
-  -  Indicates the absolute seconds since zero o'clock, zero minute, zero second, January 1st, 1970.
26-59  Startup-stamp  Indicates the startup timestamp of the device, in seconds, that is, the absolute seconds at which the device started up.
26-60  Ip-Host-Address  Indicates the IP address and MAC address of the user carried in authentication packets and accounting packets, in the format "A.B.C.D HH:HH:HH:HH:HH:HH". A space separates the IP address from the MAC address.
26-135  Primary-DNS  Indicates the primary DNS server address delivered by the RADIUS server after the user succeeds in authentication.
26-136  Secondary-DNS  Indicates the secondary DNS server address delivered by the RADIUS server after the user succeeds in authentication.
26-254  Version  Indicates the software version number of the device.
26-255  Product-ID  Indicates the product name.
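As an added example (not from the guide), a small decoder for the accounting attributes listed in the RADIUS table above: it walks a type/length/value attribute list with length checks, combines Acct-Input-Octets (42) with Acct-Input-Gigawords (52) into one count as the Gigawords description requires, maps Acct-Status-Type (40) and Acct-Terminate-Cause (49) to the codes given in the table, and reports Huawei vendor-specific sub-attributes under the guide's 26-N numbering. Huawei's vendor ID (2011) and the 1-byte sub-type/sub-length layout of the sub-attributes are assumptions not stated on the page; the sample attribute list is constructed.

```python
import struct

# Attribute numbers and value codes as listed in the RADIUS attribute table above.
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE, ACCT_INPUT_GIGAWORDS = 46, 49, 52
VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011  # assumption: Huawei's IANA enterprise number, not stated in the guide
ACCT_STATUS = {1: "start", 2: "stop", 3: "interim"}
TERMINATE_CAUSE = {1: "User-Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
                   5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
                   9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 12: "Port Unneeded",
                   14: "Port Suspended", 15: "Service Unavailable", 17: "User Error",
                   18: "Host Request"}
HUAWEI_SUB = {15: "Remnant-Volume", 16: "Tariff-Switch-Interval", 59: "Startup-stamp"}

def avp(attr_type, value):
    """Encode one attribute as type (1 byte), length (1 byte, header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def u32(n):
    return struct.pack("!I", n)

def parse_avps(data):
    """Walk a type/length/value list, rejecting lengths that overrun or underrun the buffer."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, data[i + 2:i + length]
        i += length

def decode_accounting(data):
    """Decode the accounting attributes from the table. Acct-Input-Octets and Acct-Input-Gigawords
    are combined into one count (Gigawords is the number of 2^32 wraps). Huawei sub-attributes
    are keyed by the guide's 26-N numbering; their 1-byte sub-type/sub-length layout is an assumption."""
    out, octets, gigawords = {}, 0, 0
    for attr_type, value in parse_avps(data):
        if attr_type == ACCT_STATUS_TYPE:
            out["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        elif attr_type == ACCT_SESSION_ID:
            out["session_id"] = value.decode("ascii")
        elif attr_type == ACCT_SESSION_TIME:
            out["session_time_s"] = struct.unpack("!I", value)[0]
        elif attr_type == ACCT_INPUT_OCTETS:
            octets = struct.unpack("!I", value)[0]
        elif attr_type == ACCT_INPUT_GIGAWORDS:
            gigawords = struct.unpack("!I", value)[0]
        elif attr_type == ACCT_TERMINATE_CAUSE:
            out["terminate_cause"] = TERMINATE_CAUSE.get(struct.unpack("!I", value)[0], "unknown")
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 4 and value[:4] == u32(HUAWEI_VENDOR_ID):
            for sub, sub_value in parse_avps(value[4:]):
                out[f"26-{sub}"] = (HUAWEI_SUB.get(sub), struct.unpack("!I", sub_value)[0])
    out["input_octets_total"] = (gigawords << 32) + octets
    return out

# Constructed stop-accounting attribute list: the session received 5 x 2^32 + 1234 bytes,
# ended by idle timeout (cause 4), and 26-15 Remnant-Volume reports 512 KB left.
SAMPLE = (avp(ACCT_STATUS_TYPE, u32(2)) + avp(ACCT_SESSION_ID, b"00001234")
          + avp(ACCT_INPUT_OCTETS, u32(1234)) + avp(ACCT_INPUT_GIGAWORDS, u32(5))
          + avp(ACCT_SESSION_TIME, u32(3600)) + avp(ACCT_TERMINATE_CAUSE, u32(4))
          + avp(VENDOR_SPECIFIC, u32(HUAWEI_VENDOR_ID) + avp(15, u32(512))))
```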
Name  Description
Addr  (description not extracted)
Addr-pool  Indicates an address pool, from which the NAS must assign addresses.
Dns-servers  Indicates the DNS server.
Tunnel-type  Indicates the type of the tunnel.
Ip-addresses  Indicates the IP addresses of the LNS; up to five such IP addresses exist. IP addresses are separated by ',' or ';'.
Tunnel-id  Indicates the tunnel ID.
L2tp-hello-interval  Indicates the interval of L2TP hello messages.
L2tp-hidden-avp  Indicates the hidden Attribute Value Pair (AVP) of L2TP.
L2tp-nosession-timeout  Indicates the breaking time when L2TP has no session.
L2tp-tos-reflect  Indicates the TOS value of L2TP.
L2tp-tunnel-authen  Indicates whether L2TP tunnel authentication is performed.
Gw-password  Indicates the password of the gateway.
L2tp-udp-checksum  Indicates the checksum of L2TP UDP packets.
Source-ip  Indicates the source IP address.
L2tp-group-num  Indicates the L2TP group number.
Upaverage  Indicates the average rate for uplink, in bps.
Uppeak  Indicates the peak rate for uplink, in bits.
Dnaverage  Indicates the average rate for downlink, in bps.
Dnpeak  Indicates the peak rate for downlink, in bits.
Task_id  Indicates the ID of the task.
Timezone  Indicates the time zone.
Service  Indicates the primary services consisting of authorized services or accounting services, such as "slip", "ppp", "arap", "shell", "ttydaemon", "connection", "system" and "firewall".
Protocol  Indicates that protocols are a subset of services, such as "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp" and "unknown".
-  Indicates the maximum binding link number of MP.
-  Indicates the current connection number of MP.
-  Indicates the cause for log out.
-  Indicates the extension of the log out cause.
-  Indicates the online time span of the user.
-  Indicates the output speed of the NAS.
-  Indicates the input speed of the NAS.
B Glossary

This appendix collates frequently used glossary terms in this document.

A
AAA

N
NAS  Network Access Server

R
RADIUS  Remote Authentication Dial In User Service
C

This appendix collates frequently used acronyms and abbreviations in this document.

A
AAA  Authentication, Authorization and Accounting
ACK  ACKnowledgement
ACL  Access Control List
ARP  Address Resolution Protocol

B
BGP
BW

C
CAMS  Comprehensive Access Management Server
CAR  Committed Access Rate
CBS  Committed Burst Size
CID  Channel Identifier
CIR  Committed Information Rate
CPU  Central Processing Unit
CRC  Cyclic Redundancy Check

D
DHCP
DNS
DOS

F
FE  Fast Ethernet

G
GE  GigabitEthernet

H
HWTACACS

I
ICMP  Internet Control Message Protocol
ID  IDentification
IP  Internet Protocol
ISP  Internet Service Provider

L
LPU

M
MAC

N
NAK  Negative ACKnowledgement
NAS  Network Access Server
NBNS  NetBIOS Name Service
NetBIOS  Network Basic Input/Output System

P
POS
PPP

R
RADIUS
RFC

S
SNMP
SR
SSH  Secure Shell

T
TACACS  Terminal Access Controller Access Control System
TCP  Transmission Control Protocol
TTL  Time to Live

U
UDP
URPF

V
VLAN  Virtual Local Area Network
VPDN  Virtual Private Dial Network
VPN  Virtual Private Network
VTY  Virtual Type Terminal