
HUAWEI NetEngine5000E Core Router V300R007C00

Configuration Guide - Security


Issue 02
Date 2009-12-10

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2009-12-10)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

HUAWEI NetEngine5000E Core Router Configuration Guide - Security

About This Document


Purpose
This document introduces the AAA and user management, ARP security, URPF, local attack defense, and mirroring functions supported by the NE5000E. It describes the principles, configurations, and applications of these functions, and introduces the security defense policies supported by the NE5000E.

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

Related Versions
The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine5000E Core Router
Version: V300R007C00

Intended Audience
This document is intended for:

- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers


Organization
This document is organized as follows.

1 AAA and User Management Configurations
This chapter introduces the Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management and local user management, together with their configuration steps and typical examples.

2 ARP Security Configuration
This chapter describes the types of ARP security that the NE5000E supports, and the configuration and applications of ARP security, along with typical examples.

3 URPF Configuration
This chapter describes the concepts and configuration steps of URPF.

4 Configuration of Local Attack Defense
This chapter describes the principle, configuration, and application of local attack defense.

5 Mirroring Configuration
This chapter describes mirroring configuration based on ports and on traffic classifiers, along with typical examples.

A Attributes List of RADIUS and HWTACACS
This appendix covers the attributes of RADIUS and HWTACACS.

B Glossary
This appendix collects the glossary terms frequently used in this document.

C Acronyms and Abbreviations
This appendix collects the acronyms and abbreviations frequently used in this document.

Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol graphics are not reproduced here).

- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.


- Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.

Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.

Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.

Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.


Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2009-12-10)
Second commercial release.

Updates in Issue 01 (2009-09-05)
Initial field trial release.


Contents

Contents
About This Document...................................................................................................................iii 1 AAA and User Management Configurations.......................................................................1-1
1.1 Overview to AAA and User Management......................................................................................................1-2 1.1.1 Introduction to AAA and User Management.........................................................................................1-2 1.1.2 AAA and User Management Supported by the NE5000E.....................................................................1-3 1.2 Configuring Local User Management.............................................................................................................1-3 1.2.1 Establishing the Configuration Task......................................................................................................1-4 1.2.2 Creating a Local User Account..............................................................................................................1-4 1.2.3 Configuring the Type of the Service That the Local User Accesses......................................................1-5 1.2.4 Configuring the Local User Authority of Accessing the FTP Directory............................................... 1-5 1.2.5 Configuring Local User Status...............................................................................................................1-6 1.2.6 Configuring the Local User Level..........................................................................................................1-7 1.2.7 Setting the Maximum Number of Access Users with the Same User Name.........................................1-7 1.2.8 Local Users Changing the Passwords.................................................................................................... 
1-8 1.2.9 Cutting Off Online Users Forcibly.........................................................................................................1-8 1.2.10 Checking the Configuration.................................................................................................................1-9 1.3 Configuring AAA Schemes............................................................................................................................ 1-9 1.3.1 Establishing the Configuration Task....................................................................................................1-10 1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions......................................................................1-11 1.3.3 Configuring the Authentication Scheme..............................................................................................1-11 1.3.4 (Optional) Configuring the Authorization Scheme..............................................................................1-12 1.3.5 Configuring the Accounting Scheme...................................................................................................1-13 1.3.6 (Optional) Configuring the Recording Scheme...................................................................................1-15 1.3.7 Allocating IP Addresses to Users.........................................................................................................1-15 1.3.8 Checking the Configuration.................................................................................................................1-17 1.4 Configuring Server Templates......................................................................................................................1-19 1.4.1 Establishing the Configuration Task....................................................................................................1-19 1.4.2 Configuring the RADIUS Server 
Template.........................................................................................1-20 1.4.3 Configuring the HWTACACS Server Template.................................................................................1-23 1.4.4 Checking the Configuration.................................................................................................................1-28 1.5 Configuring Domains....................................................................................................................................1-29 1.5.1 Establishing the Configuration Task....................................................................................................1-30 1.5.2 Creating a Domain...............................................................................................................................1-30 Issue 02 (2009-12-10) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. ix

Contents

HUAWEI NetEngine5000E Core Router Configuration Guide - Security 1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain..................1-31 1.5.4 Configuring the RADIUS Server Template.........................................................................................1-32 1.5.5 Configuring the HWTACACS Server Template.................................................................................1-32 1.5.6 Configuring the Address-related Attributes of the Domain.................................................................1-33 1.5.7 Configuring the Domain State..............................................................................................................1-34 1.5.8 Configuring the Maximum of Access Users Allowed by the Domain................................................1-34 1.5.9 Configuring the Idle-Cut Parameters for a Domain.............................................................................1-35 1.5.10 Checking the Configuration...............................................................................................................1-36

1.6 Maintaining AAA and User Management....................................................................................................1-36 1.6.1 Clearing the Statistics of AAA and User Management........................................................................1-36 1.6.2 Debugging AAA and User Management.............................................................................................1-37 1.7 Configuration Examples................................................................................................................................1-37 1.7.1 Example for Configuring the RADIUS Authentication and Accounting For Local Users..................1-38 1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode .......................................................................................................................................................................1-41 1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network .......................................................................................................................................................................1-45

2 ARP Security Configuration....................................................................................................2-1


2.1 Overview to ARP Security..............................................................................................................................2-2 2.1.1 Introduction to ARP Security.................................................................................................................2-2 2.1.2 ARP Security Supported by the NE5000E.............................................................................................2-2 2.2 Preventing Attacks on ARP Entries................................................................................................................2-3 2.2.1 Establishing the Configuration Task......................................................................................................2-3 2.2.2 Configuring Global Strict ARP Entry Learning.....................................................................................2-4 2.2.3 Configuring Strict ARP Entry Learning on Interfaces...........................................................................2-4 2.2.4 Checking the Destination IP Addresses of ARP Packets.......................................................................2-5 2.2.5 Configuring Speed Limit for ARP Packets............................................................................................2-6 2.2.6 Configuring Interface-based ARP Entry Restriction..............................................................................2-6 2.2.7 Checking the Configuration...................................................................................................................2-7 2.3 Maintaining the ARP Security........................................................................................................................2-8 2.3.1 Displaying Statistics About ARP Packets..............................................................................................2-8 2.3.2 Clearing Statistics About ARP 
Packets..................................................................................................2-8 2.3.3 Debugging ARP Packets........................................................................................................................2-9 2.4 Configuration Examples..................................................................................................................................2-9 2.4.1 Example for Preventing Attacks on ARP Entries..................................................................................2-9

3 URPF Configuration..................................................................................................................3-1
3.1 Overview to URPF..........................................................................................................................................3-2 3.1.1 Introduction to URPF.............................................................................................................................3-2 3.1.2 URPF Supported by the NE5000E.........................................................................................................3-4 3.2 Configuring URPF..........................................................................................................................................3-4 3.2.1 Establishing the Configuration Task......................................................................................................3-4 3.2.2 Configuring LPU-based URPF..............................................................................................................3-5 x Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-12-10)

HUAWEI NetEngine5000E Core Router Configuration Guide - Security

Contents

3.2.3 Configuring URPF on an Interface........................................................................................................ 3-5 3.2.4 Configuring Flow-based URPF..............................................................................................................3-6 3.2.5 Checking the Configuration...................................................................................................................3-7 3.3 Maintaining the URPF.................................................................................................................................... 3-8 3.3.1 Resetting the Statistics of URPF............................................................................................................3-8 3.4 Configuration Example...................................................................................................................................3-8 3.4.1 Example for Configuring URPF............................................................................................................ 3-9

4 Configuration of Local Attack Defense.................................................................................4-1


4.1 Overview to Local Attack Defense.................................................................................................................4-2 4.1.1 Introduction to Local Attack Defense....................................................................................................4-2 4.1.2 Local Attack Defense Supported by the NE5000E................................................................................4-2 4.1.3 Applications of Local Attack Defense................................................................................................... 4-3 4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding....................................4-4 4.2.1 Establishing the Configuration Task......................................................................................................4-5 4.2.2 Creating the Attack Defense Policy.......................................................................................................4-5 4.2.3 Enabling Attack Source Tracing............................................................................................................4-6 4.2.4 Configuring Attack Source Tracing.......................................................................................................4-6 4.2.5 Configuring the Alarm on Rate for Discarding Packets.........................................................................4-7 4.2.6 Applying the Attack Defense Policy......................................................................................................4-8 4.2.7 Checking the Configuration...................................................................................................................4-8 4.3 Configuring Local URPF..............................................................................................................................4-10 4.3.1 Establishing the Configuration 
Task....................................................................................................4-11 4.3.2 Creating the Attack Defense Policy.....................................................................................................4-11 4.3.3 Configuring Local URPF.....................................................................................................................4-11 4.3.4 Applying the Attack Defense Policy....................................................................................................4-12 4.3.5 Checking the Configuration.................................................................................................................4-12 4.4 Configuring TCP/IP Attack Defense.............................................................................................................4-13 4.4.1 Establishing the Configuration Task....................................................................................................4-13 4.4.2 Creating the Attack Defense Policy.....................................................................................................4-13 4.4.3 Enabling Defense Against UDP Packet Attacks..................................................................................4-14 4.4.4 Enabling Defense Against Malformed Packet Attacks........................................................................4-14 4.4.5 Applying the Attack Defense Policy....................................................................................................4-15 4.4.6 Checking the Configuration.................................................................................................................4-15 4.5 Configuring CAR..........................................................................................................................................4-16 4.5.1 Establishing the Configuration 
Task....................................................................................................4-16 4.5.2 Creating the Attack Defense Policy.....................................................................................................4-17 4.5.3 Creating the Whitelist...........................................................................................................................4-17 4.5.4 Creating the Blacklist...........................................................................................................................4-18 4.5.5 Configuring the User-Defined Flow....................................................................................................4-18 4.5.6 Configuring Packet Matching Order....................................................................................................4-19 4.5.7 Configuring CAR.................................................................................................................................4-20 4.5.8 Configuring Packet Sending Priority...................................................................................................4-20 Issue 02 (2009-12-10) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xi

Contents

HUAWEI NetEngine5000E Core Router Configuration Guide - Security 4.5.9 Applying the Attack Defense Policy....................................................................................................4-21 4.5.10 Checking the Configuration...............................................................................................................4-21

4.6 Configuring Application Layer Association.................................................................................................4-23 4.6.1 Establishing the Configuration Task....................................................................................................4-24 4.6.2 Creating the Attack Defense Policy.....................................................................................................4-24 4.6.3 Disabling Application Layer Association............................................................................................4-24 4.6.4 Configuring the Packet Processing Mode............................................................................................4-25 4.6.5 Applying the Attack Defense Policy....................................................................................................4-25 4.6.6 Checking the Configuration.................................................................................................................4-26 4.7 Configuring Management/Control Plane Protection.....................................................................................4-28 4.7.1 Establishing the Configuration Task....................................................................................................4-28 4.7.2 Configuring Global Policy for Management/Control Plane Protection...............................................4-29 4.7.3 Configuring a Slot-based Policy for Management/Control Plane Protection......................................4-29 4.7.4 Configuring Interface-level Policy for Management/Control Plane Protection...................................4-30 4.7.5 Checking the Configuration.................................................................................................................4-31 4.8 Maintainning Local Attack Defense..............................................................................................................4-32 4.8.1 Resetting the Statistics 
of Attack Defense...........................................................................................4-33 4.9 Configuration Example.................................................................................................................................4-33 4.9.1 Example for Local Attack Defense......................................................................................................4-33

5 Mirroring Configuration...........................................................................................................5-1
5.1 Overview to Mirroring....................................................................................................................................5-2 5.1.1 Introduction to Mirroring.......................................................................................................................5-2 5.1.2 Mirroring Features Supported by the NE5000E....................................................................................5-2 5.2 Configuring Local Port Mirroring...................................................................................................................5-2 5.2.1 Establishing the Configuration Task......................................................................................................5-3 5.2.2 Configuring the Observing Port.............................................................................................................5-3 5.2.3 Configuring the Observing Port for the Entire LPU..............................................................................5-4 5.2.4 Configuring Local Port Mirroring..........................................................................................................5-4 5.2.5 Checking the Configuration...................................................................................................................5-5 5.3 Configuring Local Traffic Mirroring..............................................................................................................5-6 5.3.1 Establishing the Configuration Task......................................................................................................5-6 5.3.2 Configuring the Observing Port.............................................................................................................5-7 5.3.3 Configuring the Observing Port for the Entire LPU..............................................................................5-8 5.3.4 Defining the Traffic 
Class......................................................................................................................5-8 5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring...................................................5-9 5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior....................5-9 5.3.7 Applying the Traffic Policy to the Mirrored Port................................................................................5-10 5.3.8 Checking the Configuration.................................................................................................................5-11 5.4 Configuration Examples................................................................................................................................5-12 5.4.1 Example for Local Configuring Port Mirroring...................................................................................5-12 5.4.2 Example for Local Configuring Flow Mirroring.................................................................................5-14

A Attributes List of RADIUS and HWTACACS...................................................................A-1


xii Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. Issue 02 (2009-12-10)

HUAWEI NetEngine5000E Core Router Configuration Guide - Security

Contents

A.1 RADIUS Attribute.........................................................................................................................................A-2 A.1.1 Standard RADIUS Attribute.................................................................................................................A-2 A.1.2 Huawei RADIUS Attribute..................................................................................................................A-5 A.2 HWTACACS Attribute.................................................................................................................................A-9

B Glossary  B-1
C Acronyms and Abbreviations  C-1



Figures
Figure 1-1 Networking diagram of RADIUS authentication and accounting  1-38
Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting  1-42
Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of administrators  1-45
Figure 2-1 Networking diagram of preventing attacks on ARP entries  2-10
Figure 3-1 Schematic diagram of the source address spoofing attack  3-2
Figure 3-2 URPF applied on a single-homed client  3-2
Figure 3-3 Application environment of the URPF multi-homed client  3-3
Figure 3-4 Applicable environment of multi-homed client and multi-ISPs  3-3
Figure 3-5 Networking diagram of configuring URPF  3-9
Figure 4-1 Networking diagram of configuring the local attack defense  4-33
Figure 5-1 Networking diagram of port mirroring  5-12
Figure 5-2 Networking diagram of flow mirroring  5-15



1 AAA and User Management Configurations


About This Chapter


This chapter describes the Authentication, Authorization and Accounting (AAA) security services, including RADIUS, HWTACACS, domain-based user management and local user management, and their configuration steps, along with typical examples.

1.1 Overview to AAA and User Management
This section describes the principle and concepts of AAA and user management.

1.2 Configuring Local User Management
This section describes how to manage local users.

1.3 Configuring AAA Schemes
This section describes how to configure various attributes of AAA.

1.4 Configuring Server Templates
This section describes how to configure a server template.

1.5 Configuring Domains
This section describes how to configure a domain.

1.6 Maintaining AAA and User Management
This section describes how to reset statistics and debug RADIUS or HWTACACS.

1.7 Configuration Examples
This section provides two configuration examples of AAA and user management.


1.1 Overview to AAA and User Management


This section describes the principle and concepts of AAA and user management.

1.1.1 Introduction to AAA and User Management
1.1.2 AAA and User Management Supported by the NE5000E

1.1.1 Introduction to AAA and User Management


Authentication, Authorization and Accounting (AAA) are three types of security services.
- Authentication: determines the users who can access the network.
- Authorization: authorizes the user to use some services.
- Accounting: records the network resource utilization of the user.

AAA adopts the Server/Client model. In this model, the client runs on the administrated resource side and the server stores the user information. This model has good extensibility and is convenient for centralized management of user information.

AAA supports three types of authentication modes: non-authentication, local authentication, and remote authentication. The remote authentication mode supports two protocols: Remote Authentication Dial In User Service (RADIUS) and Huawei Terminal Access Controller Access Control System (HWTACACS).

AAA supports four types of authorization modes: direct authorization, local authorization, HWTACACS authorization, and if-authenticated authorization.

NOTE
- RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed singly.
- The users that have passed HWTACACS authentication can actively modify the passwords saved on the TACACS server.

AAA supports four types of accounting modes: non-accounting, remote accounting. User authentication, authorization, and accounting should all be performed in the domain view.

Domain-based User Management


The NAS can manage users in two ways.
- Managing users based on domains: configurations such as the default authorization, the RADIUS or HWTACACS template, and the authentication and accounting schemes can be performed in a domain.
- Managing users based on user accounts.

In current AAA implementations, users are categorized into different domains. The domain to which a user belongs depends on the character string that follows the "@" of a user name. For example, the user "user@hua" belongs to the domain "hua". If there is no "@" in the user name, the user belongs to the domain "default". Besides the default domain, AAA users can create up to 254 domains.

All the AAA users are configured in the domain view through the application of an authentication scheme, an authorization scheme, and an accounting scheme. The corresponding modes are preconfigured respectively in the AAA view.

By default, AAA adopts local authentication, local authorization, and no accounting. If a domain is created but no scheme is specified for the domain, AAA adopts the default schemes for this domain.

The authorization precedence configured within a domain is lower than that configured on an AAA server. In other words, the authorization attribute of the AAA server is used first. The domain authorization attribute is valid only when the AAA server does not have this authorization or does not support this authorization. In this way, you can add services flexibly when using domains regardless of the attribute limitations of the AAA server.

Local User Management


Local user management refers to setting up a local user database on a local router to maintain user information.

1.1.2 AAA and User Management Supported by the NE5000E


The NE5000E supports all the preceding authentication, authorization, and accounting schemes. In addition, it supports management of users based on domains and management of local users.

The NE5000E allows a user that passes local authentication to change the password. The NE5000E supports two methods of modifying the passwords of users after they pass HWTACACS authentication:
- The TACACS server enables users to modify passwords.
- Users actively modify their passwords through command lines.

HWTACACS supports VPN instance-based forwarding. When the TACACS server of an operator is deployed in a private network and the routers are deployed in the public network, HWTACACS implements the authentication, authorization, and accounting for users through the interaction of VPN instances with the TACACS server.

1.2 Configuring Local User Management


This section describes how to manage local users.

1.2.1 Establishing the Configuration Task
1.2.2 Creating a Local User Account
1.2.3 Configuring the Type of the Service That the Local User Accesses
Through this configuration procedure, service-type-based user management is realized.
1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
If the type of the service that the local user accesses is set to FTP, this configuration procedure is mandatory; otherwise, the FTP user cannot log in.
1.2.5 Configuring Local User Status
1.2.6 Configuring the Local User Level
After the local user level is configured, the login user can run a command only when its level is equal to or higher than the command level.
1.2.7 Setting the Maximum Number of Access Users with the Same User Name
1.2.8 Local Users Changing the Passwords
1.2.9 Cutting Off Online Users Forcibly
If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting off online users based on user names or authentication modes is configured, the connections that match the condition are cut off simultaneously.
1.2.10 Checking the Configuration

1.2.1 Establishing the Configuration Task


Applicable Environment
You can create a single local user database on a Network Access Server (NAS) to manage access users. Generally, the router is used as the NAS.

Pre-configuration Task
Before configuring local user management, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Creating an Access Control List (ACL) and setting ACL rules if you need to apply the ACL to manage local users

Data Preparation
To configure local user management, you need the following data.

No.  Data
1    User name and password
2    Type of the service that the local user accesses
3    Name of the FTP directory that the local user can access
4    Local user status
5    Local user level
6    Limited number of local access users
7    Number of the ACL used to manage the local user

1.2.2 Creating a Local User Account


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name [ password { simple | cipher } password ]
A local user account is created. If the user name contains @, the characters before @ form the user name and the characters after @ form the domain name. If the user name does not contain @, the whole character string is the user name and the domain name is default.
----End
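The domain rules of section 1.1 and the user-name split in Step 3 above, modelled in Python as an added example (not NE5000E code); AAAConfig, Domain, split_user_name and the sample attribute values are assumptions of this example.

```python
"""Model of the domain-based user management rules in sections 1.1 and 1.2.2.

This is an added example, not NE5000E code. It models how the NAS maps a
login name to a domain, which AAA schemes apply to that domain, and how
domain authorization attributes are combined with those returned by an AAA
server. Class, function and attribute names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_USER_DOMAINS = 254  # domains that may be created besides "default" (section 1.1)

# Schemes a domain uses when no scheme is applied to it (section 1.1).
DEFAULT_SCHEMES = {
    "authentication": "local",
    "authorization": "local",
    "accounting": "none",
}


def split_user_name(name: str) -> Tuple[str, str]:
    """Split a login name into (user, domain).

    The string after "@" names the domain; a name without "@" belongs to the
    domain "default". Splitting at the first "@" is an assumption of this
    example; the page does not say how a name with several "@" is handled.
    """
    if "@" not in name:
        return name, "default"
    user, _, domain = name.partition("@")
    if not user or not domain:
        raise ValueError(f"malformed user name: {name!r}")
    return user, domain


@dataclass
class Domain:
    name: str
    # Schemes applied in the domain view, e.g. {"authentication": "scheme0"}.
    schemes: Dict[str, str] = field(default_factory=dict)
    # Authorization attributes configured in the domain (fallback only).
    authorization: Dict[str, str] = field(default_factory=dict)


class AAAConfig:
    """A minimal stand-in for the AAA view of the NAS."""

    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {"default": Domain("default")}

    def create_domain(self, name: str) -> Domain:
        """Create a domain, enforcing the 254-domain limit from section 1.1."""
        if name in self.domains:
            return self.domains[name]
        if len(self.domains) - 1 >= MAX_USER_DOMAINS:
            raise RuntimeError("maximum number of user domains reached")
        self.domains[name] = Domain(name)
        return self.domains[name]

    def schemes_for(self, domain: str) -> Dict[str, str]:
        """Return the effective schemes: the applied ones, else the AAA defaults."""
        applied = self.domains[domain].schemes
        return {kind: applied.get(kind, default)
                for kind, default in DEFAULT_SCHEMES.items()}

    def resolve_login(self, login: str,
                      server_attrs: Optional[Dict[str, str]] = None) -> Dict[str, object]:
        """Map a login name to its domain, schemes and authorization attributes.

        Server attributes take precedence; a domain attribute is used only when
        the server did not return that attribute (section 1.1).
        """
        user, domain = split_user_name(login)
        if domain not in self.domains:
            # Assumption of this example: a login to an unknown domain is rejected.
            raise LookupError(f"domain {domain!r} is not configured")
        attrs = dict(self.domains[domain].authorization)  # domain values first ...
        attrs.update(server_attrs or {})                  # ... overridden by the server
        return {"user": user, "domain": domain,
                "schemes": self.schemes_for(domain), "authorization": attrs}


if __name__ == "__main__":
    cfg = AAAConfig()
    hua = cfg.create_domain("hua")
    hua.schemes["authentication"] = "scheme0"
    # Constructed sample attributes; "level" is overridden by the server below.
    hua.authorization = {"level": "1", "ftp-directory": "flash:/"}
    print(cfg.resolve_login("user@hua", {"level": "3"}))
    print(cfg.resolve_login("admin"))
```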

1.2.3 Configuring the Type of the Service That the Local User Accesses
Through this configuration procedure, service-type-based user management is realized.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { ftp | ppp | ssh | telnet | terminal }*
The type of the service that the local user accesses is configured. By default, all access types are available for local users.
----End

1.2.4 Configuring the Local User Authority of Accessing the FTP Directory
If the type of the service that the local user accesses is set to FTP, this configuration procedure is mandatory; otherwise, the FTP user cannot log in.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory
The local user authority of accessing the FTP directory is configured. By default, the FTP directory is null.
----End

1.2.5 Configuring Local User Status


Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }
The local user status is configured. By default, the local user is in the active state.
----End

Postrequisite
Do as follows to process the local user in the active or block state:
- If the local user is in the active state, the authentication request from this user is allowed for further processing.
- If the local user is in the block state, the authentication request from this user is denied.

1.2.6 Configuring the Local User Level


After the local user level is configured, the login user can run the command only when its level is equal to or higher than the command level.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name level level
The local user level is configured. By default, the level of the local user is determined by the management module.
----End

Postrequisite
The login user has the same 16 levels as the commands. They are Visit, Monitoring, Configure, and Management, marked from 0 to 15. The higher the mark, the higher the priority.

1.2.7 Setting the Maximum Number of Access Users with the Same User Name
Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit access-limit-number
The local user access limit is configured. By default, the number of access users with the same user name is not restricted.
----End

1.2.8 Local Users Changing the Passwords


Context
Do as follows on the router:

Procedure
Step 1 Run:
local-user change-password
The password of the local user is changed. Only a user that passes local authentication can change the password.

NOTE
Run the command in the user view.

----End

1.2.9 Cutting Off Online Users Forcibly


If cutting off online users based on domain names is configured, all online users in the specified domain are forcibly cut off. If cutting of online users based on user names or authentication modes is configured, the connections that match the condition are cut off simultaneously.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Perform the following as required to cut off online users forcibly.
- To cut off online users based on domain names, run the cut access-user domain domain-name command.
- To cut off online users based on user names, run the cut access-user username { local | hwtacacs | radius | none | all } [ user-name ] command.
- To cut off online users based on user IDs, run the cut access-user user-id start-num [ end-num ] command.

----End

1.2.10 Checking the Configuration


Prerequisite
The configurations of the local user management are complete.

Procedure
Step 1 Run the display local-user [ domain domain-name | user-name user-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check attributes of the local user.
----End

Example
Run the display local-user command. If attributes of the local user are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username      State     Type    CAR    Access-limit    Online
----------------------------------------------------------------------------
bbb           Active    T       Dft    No              1
ftp           Active    F       Dft    No              0
----------------------------------------------------------------------------
Total 2,2 printed

1.3 Configuring AAA Schemes


This section describes how to configure various attributes of AAA.

1.3.1 Establishing the Configuration Task
1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions
When the RADIUS/HWTACACS functions are disabled, the packets for Authentication, Authorization, and Accounting (AAA) sent by the user are discarded.
1.3.3 Configuring the Authentication Scheme
The default authentication mode is local authentication. To allow the user to pass without being authenticated, you need to create an authentication scheme, configure the non-authentication mode in the scheme, and apply the authentication scheme to the specified domain.
1.3.4 (Optional) Configuring the Authorization Scheme
1.3.5 Configuring the Accounting Scheme
1.3.6 (Optional) Configuring the Recording Scheme
1.3.7 Allocating IP Addresses to Users
1.3.8 Checking the Configuration

1.3.1 Establishing the Configuration Task


Applicable Environment
To provide access services for legal users and protect sensitive network devices from unauthorized access, configure AAA.
NOTE

AAA is always enabled on the NAS.

Addresses, such as Class A addresses XXX.255.255.255 and XXX.0.0.0, Class B addresses XXX.XXX.255.255 and XXX.XXX.0.0, and Class C addresses XXX.XXX.XXX.255 and XXX.XXX.XXX.0, must not be configured as valid start or end addresses of the address pool. If the address pool contains these addresses, the addresses cannot be allocated.
NOTE

The IP address negotiation needs to be configured on the client and the server respectively.

Pre-configuration Tasks
Before configuring AAA schemes, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
To configure AAA schemes, you need the following data.

No.  Data
1    Name of the authentication scheme and the authentication mode
2    (Optional) Name of the authorization scheme and the authorization mode, level of the HWTACACS user to be authorized through command lines, and timeout time of command-line-based authorization
3    Name of the accounting scheme, the accounting mode, the interval of real-time accounting, the accounting-start failure policy, the real-time accounting failure policy, and the number of real-time accounting failures
4    (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
5    Interface type and interface number of the server and client, address pool ID and IP address range of the address pool, and the IP addresses to be allocated to users when no address pool is used


1.3.2 (Optional) Enabling RADIUS/HWTACACS Functions


When the RADIUS/HWTACACS functions are disabled, the packets for Authentication, Authorization, and Accounting (AAA) sent by the user are discarded.

Context
Do as follows on the router:

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 (Optional) Enable RADIUS/HWTACACS functions as required:
- Run the radius enable command to enable RADIUS functions.
- Run the hwtacacs enable command to enable HWTACACS functions.

The RADIUS/HWTACACS functions are enabled by default.
----End

1.3.3 Configuring the Authentication Scheme


The default authentication mode is local authentication. To allow the user to pass without being authenticated, you need to create an authentication scheme, configure non-authentication mode in the scheme, and apply the authentication scheme to the specified domain.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
authentication-scheme authentication-scheme-name
An authentication scheme is created and the authentication scheme view is displayed.

Step 4 Run:
authentication-mode { hwtacacs | radius | local } * [ none ]
or
authentication-mode none
The authentication mode is configured.
By default, the authentication mode is set to local. If one authentication scheme is configured with several authentication modes, the authentication modes are executed in the order in which they were configured. If the authentication mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
authentication-super { hwtacacs | super } * [ none ]
or
authentication-super none
The authentication scheme for upgrading the user level is configured.
----End

1.3.4 (Optional) Configuring the Authorization Scheme


Context
Do as follows on the router:

NOTE
- You can configure command-line-based authorization for users at a certain level only when HWTACACS is adopted.
- For commands containing indications and values, such as interface ethernet2/2/0, you need to enter the commands in configuration file format. Otherwise, HWTACACS authorization fails.
- Command line authorization of HWTACACS has no relation with the authorization mode.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name
The authorization scheme is created and the authorization scheme view is displayed. By default, an authorization scheme named default exists. This scheme cannot be deleted but can be modified.

Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }* [ none ]
or
authorization-mode none
The authorization mode is configured. By default, the authorization mode is set to local. If the authorization mode is set to HWTACACS, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
authorization-cmd privilege-level hwtacacs [ local ]
Command-line-based authorization is enabled. By default, command-line-based authorization is disabled. If command-line-based authorization is enabled, you must configure the HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 6 Run:
authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] }
The policy used when the HWTACACS server is unavailable or the local user sends no response is set.

Step 7 Run:
quit
Back to the AAA view.

Step 8 Run:
quit
Back to the system view.

Step 9 Run:
hwtacacs-server template template-name
The HWTACACS server template view is displayed.

Step 10 Run:
hwtacacs-server timer response-timeout timeout-value
The timeout time of the authorization response is set.
----End

1.3.5 Configuring the Accounting Scheme


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
accounting-scheme accounting-scheme-name
The accounting scheme is created and the accounting scheme view is displayed. By default, an accounting scheme named default exists. This scheme cannot be deleted but can be modified.

Step 4 Run:
accounting-mode { hwtacacs | radius | none }
The accounting mode is configured. By default, the accounting mode is set to none. If the accounting mode is set to RADIUS or HWTACACS, you must configure the RADIUS or HWTACACS template and apply the template in the view of the domain to which the user belongs.

Step 5 Run:
accounting realtime interval
Real-time accounting is enabled and the accounting interval is set. By default, real-time accounting is enabled and the accounting interval is set to five minutes.
The accounting interval depends on network conditions. If the interval is too short, network traffic increases and the device that receives the real-time accounting packets is burdened. If the interval is too long, accounting may be inaccurate.

Step 6 (Optional) Run:
accounting start-fail { online | offline }
The policy for failing to start accounting at the remote end is configured. By default, users' access to the network is denied when accounting fails to be started. This policy defines what happens to users' access when accounting fails to be started.

Step 7 (Optional) Run:
accounting interim-fail [ max-times times ] { online | offline }
The policy for real-time accounting failure is configured. By default, the user is cut off if real-time accounting fails three times. This policy defines what happens to users' access when real-time accounting fails.
----End
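The ordered authentication modes of section 1.3.3 and the accounting failure policies of this section, modelled in Python as an added example (not NE5000E code); the class and method names, the three-way backend verdict and the consecutive failure counter are assumptions of this example.

```python
"""Added example (not NE5000E code): the ordered authentication modes of
section 1.3.3 and the accounting failure policies of section 1.3.5.
Class and method names, the three-way backend verdict and the consecutive
failure counter are assumptions of this example."""
from typing import Callable, Dict, List, Optional, Tuple

# A backend answers True (accepted), False (rejected) or None (no response).
Backend = Callable[[str, str], Optional[bool]]


class AuthenticationScheme:
    """authentication-mode { hwtacacs | radius | local } * [ none ]"""

    def __init__(self, modes: List[str]) -> None:
        # "none" is the last resort, so this model requires it to be last.
        if "none" in modes and modes[-1] != "none":
            raise ValueError("'none' must be the last authentication mode")
        self.modes = list(modes)

    def authenticate(self, user: str, password: str,
                     backends: Dict[str, Backend]) -> Tuple[bool, str]:
        """Try the modes in configuration order (section 1.3.3).

        Assumption: the next mode is tried only when the current one does not
        respond; an explicit rejection ends the attempt. "none" admits the
        user without authentication.
        """
        for mode in self.modes:
            if mode == "none":
                return True, "none"
            verdict = backends[mode](user, password)
            if verdict is not None:
                return verdict, mode
        return False, "no-response"


class AccountingScheme:
    """Defaults follow section 1.3.5: accounting-mode none, real-time accounting
    every 5 minutes, the user is cut off (offline) if accounting fails to start
    and after 3 real-time accounting failures."""

    def __init__(self, mode: str = "none", realtime_interval_min: int = 5,
                 start_fail: str = "offline", interim_fail: str = "offline",
                 interim_max_times: int = 3) -> None:
        self.mode = mode
        self.realtime_interval_min = realtime_interval_min
        self.start_fail = start_fail        # accounting start-fail { online | offline }
        self.interim_fail = interim_fail    # accounting interim-fail ... { online | offline }
        self.interim_max_times = interim_max_times
        self._failures = 0

    def on_start(self, ok: bool) -> str:
        """Outcome of the accounting-start request: "online" or "offline"."""
        if self.mode == "none" or ok:
            return "online"
        return self.start_fail

    def on_interim(self, ok: bool) -> str:
        """Outcome of one real-time accounting exchange.

        Assumption: failures are counted consecutively and reset on success;
        the policy is applied once max-times failures have accumulated.
        """
        if self.mode == "none" or ok:
            self._failures = 0
            return "online"
        self._failures += 1
        if self._failures >= self.interim_max_times:
            return self.interim_fail
        return "online"


def run_session(auth: AuthenticationScheme, acct: AccountingScheme, user: str,
                password: str, backends: Dict[str, Backend], start_ok: bool,
                interim_results: List[bool]) -> Tuple[str, str]:
    """Drive one user session: authenticate, start accounting, then apply the
    real-time accounting results in turn. Returns (final state, auth mode)."""
    accepted, mode = auth.authenticate(user, password, backends)
    if not accepted:
        return "denied", mode
    state = acct.on_start(start_ok)
    for ok in interim_results:
        if state != "online":
            break
        state = acct.on_interim(ok)
    return state, mode


if __name__ == "__main__":
    # Constructed backends: RADIUS never answers, local checks a sample password.
    backends = {"radius": lambda u, p: None, "local": lambda u, p: p == "secret"}
    scheme = AuthenticationScheme(["radius", "local"])
    print(run_session(scheme, AccountingScheme(mode="radius"), "user@hua",
                      "secret", backends, True, [False, False, False]))
```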


1.3.6 (Optional) Configuring the Recording Scheme


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
recording-scheme recording-scheme-name
The recording scheme is created and the recording scheme view is displayed. By default, no recording scheme exists.

Step 4 Run:
recording-mode hwtacacs template-name
The recording mode is configured. By default, the recording scheme is not associated with the HWTACACS template.

Step 5 Run:
quit
Back to the AAA view.

Step 6 (Optional) Run:
cmd recording-scheme recording-scheme-name
The commands run on the router are recorded.

Step 7 (Optional) Run:
outbound recording-scheme recording-scheme-name
The connections are recorded.

Step 8 Run:
system recording-scheme recording-scheme-name
The system events are recorded.
----End

1.3.7 Allocating IP Addresses to Users


Context
Do as follows on the router:

NOTE
It is not necessary to configure an address pool if there is only one user. Directly allocate a specific IP address to the user. In this case, Steps 2, 3, and 4 can be skipped.
The commands in Steps 6 and 7 should be run on a POS interface that supports PPP.
If both the local and remote interfaces are encapsulated with PPP, and the local interface has no IP address while the remote interface has an IP address, you can configure IP address negotiation on the local interface. The local interface can then obtain the IP address allocated by the peer through PPP negotiation. When configuring IP address negotiation, note the following:
- IP address negotiation can be set only when the interface supports PPP.
- When the PPP status is Down, the IP address generated through negotiation is deleted.
- No IP address needs to be configured on the local interface because the IP address can be obtained through negotiation. If the interface is already configured with an IP address, this IP address will be deleted.
- The IP address obtained by the earlier negotiation is deleted when negotiation is reconfigured on this interface. The interface gets a new IP address through the negotiation. When the negotiated address is deleted, the interface has no address.

Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
aaa
The AAA view is displayed.

Step 3 Run:
ip pool pool-number first-address [ last-address ]
The IP address pool of the local system is configured.

Step 4 Run:
quit
Back to the system view.

Step 5 Run:
interface interface-type interface-number
The interface view is displayed.

Step 6 Run:
remote address { ip-address | pool [ pool-number ] }
IP addresses are allocated to the remote users.

Step 7 Run:
ip address ppp-negotiate
IP address negotiation is configured on the interface.
----End



1.3.8 Checking the Configuration


Prerequisite
The configurations of the AAA schemes are complete.

Procedure
- Run the display aaa configuration [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the brief information on AAA.
- Run the display accounting-scheme [ accounting-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the accounting scheme.
- Run the display authentication-scheme [ authentication-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authentication scheme.
- Run the display authorization-scheme [ authorization-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the authorization scheme.
- Run the display recording-scheme [ recording-scheme-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration of the recording scheme.
- Run the display ip pool { global | domain domain-name } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the usage of the address pool.
- Run the display access-user command to check the information about all online users.

----End

Example
Run the display aaa configuration command. If brief information about AAA is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display aaa configuration --------------------------------------------------------------------------AAA configuration information : --------------------------------------------------------------------------Domain : total: 255 used: 2 Authentication-scheme : total: 16 used: 2 Authorization-scheme : total: 16 used: 2 Accounting-scheme : total: 128 used: 2 Recording-scheme : total: 128 used: 0 AAA-access-user : total: 384 used: 0 Access-user-state : authen: 0 author: 0 accounting: 0 ---------------------------------------------------------------------------

Run the display authentication-scheme command. If information about the authentication scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authentication-scheme scheme0
---------------------------------------------------------------------------
Authentication-scheme-name     : scheme0
Authentication-method          : Local authentication
Authentication-super method    : Super authentication-super
---------------------------------------------------------------------------

Run the display authorization-scheme command. If information about the authorization scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display authorization-scheme scheme0
---------------------------------------------------------------------------
Authorization-scheme-name             : scheme0
Authorization-method                  : Local authorization
Authorization-cmd level 0             : disabled
Authorization-cmd level 1             : disabled
Authorization-cmd level 2             : enabled ( Hwtacacs )
Authorization-cmd level 3             : disabled
Authorization-cmd level 4             : disabled
Authorization-cmd level 5             : disabled
Authorization-cmd level 6             : disabled
Authorization-cmd level 7             : disabled
Authorization-cmd level 8             : disabled
Authorization-cmd level 9             : disabled
Authorization-cmd level 10            : disabled
Authorization-cmd level 11            : disabled
Authorization-cmd level 12            : disabled
Authorization-cmd level 13            : disabled
Authorization-cmd level 14            : disabled
Authorization-cmd level 15            : disabled
Authorization-cmd no-response-policy  : Online
---------------------------------------------------------------------------

In this output, command authorization is enabled only for level 2 commands and is performed by HWTACACS. The no-response-policy of Online means that the user is kept online rather than disconnected when the HWTACACS authorization server does not respond; confirm that this fail-open behavior is what your security policy intends.

Run the display accounting-scheme command. If information about the accounting scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display accounting-scheme scheme0
---------------------------------------------------------------------------
Accounting-scheme-name               : scheme0
Accounting-method                    : RADIUS accounting
Realtime-accounting-switch           : Open
Realtime-accounting-interval(min)    : 5
Start-accounting-fail-policy         : Cut user
Realtime-accounting-fail-policy      : Cut user
Realtime-accounting-failure-retries  : 3
---------------------------------------------------------------------------

Run the display recording-scheme command. If information about the recording scheme is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display recording-scheme scheme0
---------------------------------------------------------------------------
Recording-scheme-name     : scheme0
HWTACACAS-template-name   : template0
---------------------------------------------------------------------------

Run the display ip pool global command. If brief information about all usage of the address pool is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip pool global
---------------------------------------------------------------------------
Pool-number  Pool-start-addr  Pool-end-addr  Pool-length  Used-addr-number
---------------------------------------------------------------------------
2            10.1.1.1         10.1.1.10      10           0
---------------------------------------------------------------------------
Total pool number: 1

Run the display access-user command. If brief information about all online users is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display access-user
-----------------------------------------------------------------------------
Total users                  : 2
Wait authen-ack              : 0
Authentication success       : 2
Accounting ready             : 2
Accounting state             : 0
Wait leaving-flow-query      : 0
Wait accounting-start        : 0
Wait accounting-stop         : 0
Wait authorization-client    : 0
Wait authorization-server    : 0
------------------------------------------------------------------
Domain-name                  Online-user
------------------------------------------------------------------
default                      : 2
------------------------------------------------------------------
The used CID table are : 256 257
-----------------------------------------------------------------------------

1.4 Configuring Server Templates

This section describes how to configure a server template.
1.4.1 Establishing the Configuration Task
1.4.2 Configuring the RADIUS Server Template
1.4.3 Configuring the HWTACACS Server Template
1.4.4 Checking the Configuration

1.4.1 Establishing the Configuration Task


Applicable Environment
When remote authentication is adopted, you need to configure a server template (RADIUS or HWTACACS) as required. The RADIUS server template needs to be configured when RADIUS is adopted. Similarly, the HWTACACS server template needs to be configured when HWTACACS is adopted.
NOTE
Most RADIUS configuration items use default settings; you can also configure them according to the actual networking. The RADIUS configuration can be modified only when the RADIUS server template is not in use by any user. Note the following differences when you configure the HWTACACS server template:
- Except for deleting an HWTACACS server, you can modify most attributes of the HWTACACS server template without checking whether the template is in use.
- By default, no authentication key is configured.

Pre-configuration Tasks
Before configuring the server template, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the link layer protocol on the interfaces is Up

Data Preparation
To configure the server templates, you need the following data.

No. | Data
1 | Name of the RADIUS server template; IP addresses and port numbers of the primary RADIUS authentication and accounting servers, and the source interface number; IP addresses and port numbers of the secondary RADIUS authentication and accounting servers; protocol version used by the RADIUS server; shared key; user name format (with or without domain name) for the RADIUS server; traffic unit on the RADIUS server; response timeout period and retransmission times of the RADIUS server; NAS port format and NAS port ID format for the RADIUS server
2 | Name of the HWTACACS server template; IP addresses, port numbers, and VPN instances to be bound for the primary HWTACACS authentication, authorization, and accounting servers; IP addresses, port numbers, and VPN instances to be bound for the secondary HWTACACS authentication, authorization, and accounting servers; retransmission times of accounting-stop packets; source IP address used for HWTACACS packets; shared key of the HWTACACS server; user name format (with or without domain name) for the HWTACACS server; traffic unit on the HWTACACS server; response timeout period of the HWTACACS server; time taken by the primary HWTACACS server to restore the active state

1.4.2 Configuring the RADIUS Server Template


Context
Do as follows on the router:

Procedure
- Creating the RADIUS server template
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template is created and the RADIUS server template view is displayed.

- Configuring the RADIUS authentication server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server authentication ip-address port [ source loopback interface-number ]
     The primary RADIUS authentication server is configured. By default, no primary RADIUS authentication server is configured.
  4. Run:
     radius-server authentication ip-address port [ source loopback interface-number ] secondary
     The secondary RADIUS authentication server is configured. By default, no secondary RADIUS authentication server is configured.

- Configuring the RADIUS accounting server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server accounting ip-address port [ source loopback interface-number ]
     The primary RADIUS accounting server is configured. By default, no primary RADIUS accounting server is configured.
  4. Run:
     radius-server accounting ip-address port [ source loopback interface-number ] secondary
     The secondary RADIUS accounting server is configured. By default, no secondary RADIUS accounting server is configured.

- Configuring the protocol version of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server type { standard | portal }
     The protocol version of the RADIUS server is configured. By default, the NE5000E adopts standard RADIUS. If portal is specified, the NE5000E adopts RADIUS+1.1.

- Configuring the shared key of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server shared-key key-string
     The shared key of the RADIUS server is configured. By default, the shared key of the RADIUS server is huawei. The shared key hides the User-Password attribute and authenticates the replies from the server, so replace the default with a long random key before the template is used, and configure the same key on the RADIUS server. Anyone who knows a key that was left at its default can read user passwords on the path to the server and forge replies.

- Configuring the user name format of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server user-name domain-included
     The user name format of the RADIUS server is configured. By default, the user name sent to the RADIUS server contains the domain name. If the RADIUS server does not recognize user names that contain a domain name, you can configure the router to remove the domain name before sending the user name to the RADIUS server.
     NOTE
     Commonly, a user name is in the format of "user name@domain name". The character string after @ indicates the domain name.

- Configuring the traffic unit of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server traffic-unit { byte | kbyte | mbyte | gbyte }
     The traffic unit of the RADIUS server is configured. By default, the traffic unit is byte.
     NOTE
     If the router adopts standard RADIUS, this configuration is invalid.

- (Optional) Configuring the retransmission parameters of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server timeout seconds
     The period that the router waits for a response from the RADIUS server is configured. By default, the timeout period is 5 seconds. To check whether the RADIUS server is available, the NE5000E periodically sends request packets to it. If the RADIUS server does not respond within the timeout period, the NE5000E retransmits the request.
  4. Run:
     radius-server retransmit retry-times
     The number of retransmissions to the RADIUS server is configured. By default, a request is retransmitted 3 times. If the NE5000E still receives no response after retransmitting the request the configured number of times, it considers the RADIUS server unavailable.

- (Optional) Configuring the NAS port format of the RADIUS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     radius-server template template-name
     The RADIUS server template view is displayed.
  3. Run:
     radius-server nas-port-format { new | old }
     The NAS port format is configured. By default, the NAS port format is new.
  4. Run:
     radius-server nas-port-id-format { new | old }
     The NAS port ID format of the RADIUS server is configured. By default, the NAS port ID format is new.

----End
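The shared key configured in the procedure above is what makes standard RADIUS (RFC 2865) trustworthy at all: the NAS hides the User-Password attribute under an MD5 keystream derived from the key and the Request Authenticator, and it accepts a reply only if the Response Authenticator, an MD5 over the reply and the key, checks out. The following Python script is an added example written for this page, not NE5000E code and not a Huawei implementation. It models a NAS and a RADIUS server in-process, with constructed data (user alice@isp1, a sample password, a fixed Request Authenticator in the usage), to show what happens when the router is left on the default key huawei while the server uses a different one.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1) / Length (1) / Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    """Yield (type, value) pairs from a RADIUS attribute list."""
    while data:
        attr_type, length = data[0], data[1]
        yield attr_type, data[2:length]
        data = data[length:]


def hide_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password; the server runs this with its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth):
    """NAS side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: accept the reply only if it was produced by a holder of the shared key."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def simulate_exchange(nas_secret, server_secret, password=b"s3cret", request_auth=None):
    """One Access-Request round trip between an in-process NAS and server.

    Returns (server_accepted, nas_verified_reply): whether the server recovered the
    correct password, and whether the NAS accepted the Response Authenticator.
    """
    request_auth = request_auth or os.urandom(16)
    server_users = {b"alice@isp1": password}  # constructed sample user database

    # NAS: send the request using the key configured in the router's template.
    request = build_access_request(0x2A, b"alice@isp1", password, nas_secret, request_auth)

    # Server: parse, recover the password with its own key, and decide.
    identifier = request[1]
    attrs = dict(_parse_attrs(request[20:]))
    recovered = reveal_user_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    accepted = server_users.get(attrs[ATTR_USER_NAME]) == recovered
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply = build_response(code, identifier, request_auth, b"", server_secret)

    # NAS: trust the reply only if its authenticator matches the NAS key.
    return accepted, verify_response(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print("matching keys    :", simulate_exchange(b"StrongSharedKey", b"StrongSharedKey"))
    print("default 'huawei' :", simulate_exchange(b"huawei", b"StrongSharedKey"))
```

The first line prints (True, True); the second prints (False, False): the server recovers garbage instead of the password and answers Access-Reject, and the router cannot even authenticate that reply, so the login fails with nothing on either side pointing at the key. The same property cuts the other way: whoever knows a key that was left at its default can recover passwords from captured Access-Requests and forge Access-Accept replies, which is why the key must be changed before the template is used and why RADIUS traffic belongs on a protected management path.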

1.4.3 Configuring the HWTACACS Server Template


Context
Do as follows on the router:

Procedure
- Creating the HWTACACS server template
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template is created and the HWTACACS server template view is displayed.

- Configuring the HWTACACS authentication server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS authentication server is configured. By default, the IP address of the primary HWTACACS authentication server is 0.0.0.0 and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server authentication ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
     The secondary HWTACACS authentication server is configured. By default, the IP address of the secondary HWTACACS authentication server is 0.0.0.0 and the server is not bound to a VPN instance.

- Configuring the HWTACACS authorization server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS authorization server is configured. By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server authorization ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
     The secondary HWTACACS authorization server is configured. By default, the IP address of the secondary HWTACACS authorization server is 0.0.0.0 and the server is not bound to a VPN instance.

- Configuring the HWTACACS accounting server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ]
     The primary HWTACACS accounting server is configured. By default, the IP address of the primary HWTACACS accounting server is 0.0.0.0 and the server is not bound to a VPN instance.
  4. Run:
     hwtacacs-server accounting ip-address [ port ] [ vpn-instance vpn-instance-name ] secondary
     The secondary HWTACACS accounting server is configured. By default, the IP address of the secondary HWTACACS accounting server is 0.0.0.0 and the server is not bound to a VPN instance.
  5. Run:
     quit
     The system view is displayed.
  6. Run:
     hwtacacs-server accounting-stop-packet resend { disable | enable number }
     Retransmission of accounting-stop packets is configured. By default, the NE5000E retransmits accounting-stop packets, and the number of such packets is 100. Accounting-stop packets tell the accounting server to stop charging a user. If the accounting server does not receive an accounting-stop packet, it continues to charge the user, so the NE5000E retransmits the packet until the server receives it or the retransmission limit is reached.

- (Optional) Configuring the source IP address of the HWTACACS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server source-ip ip-address
     The source IP address of HWTACACS packets is configured. By default, the source IP address is 0.0.0.0, that is, the NE5000E uses the IP address of the outgoing interface as the source IP address of HWTACACS packets. After a source IP address is specified, the HWTACACS template uses this address to communicate with the HWTACACS server. Because the server identifies the router by its source address, use a stable address such as that of a loopback interface, so that a change of outgoing interface does not break authentication.

- (Optional) Configuring the shared key of the HWTACACS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server shared-key key-string
     The shared key of the HWTACACS server is configured. By default, the shared key of the HWTACACS server is null. Setting the shared key secures communication between the NE5000E and the HWTACACS server; without it, the exchange with the server, including the credentials being authenticated, is not protected, so treat the key as mandatory outside a lab.
     NOTE
     To verify the identity of each end, the shared keys configured on the router and on the HWTACACS server must be the same.

- (Optional) Configuring the user name format of the HWTACACS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server user-name domain-included
     The user name format of the HWTACACS server is configured. By default, the user name contains the domain name. If the HWTACACS server rejects user names that contain the domain name, you can configure the router to remove the domain name from the user name before sending it to the HWTACACS server.
     NOTE
     Commonly, a user name is in the format of "user name@domain name". The character string after @ indicates the domain name.

- (Optional) Configuring the traffic unit of the HWTACACS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
     The traffic unit of the HWTACACS server is configured. By default, the traffic unit is byte.

- (Optional) Configuring the timers of the HWTACACS server
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     hwtacacs-server template template-name
     The HWTACACS server template view is displayed.
  3. Run:
     hwtacacs-server timer response-timeout value
     The period that the router waits for a response from the HWTACACS server is configured. By default, the timeout period is 5 seconds. If the device receives no response from the HWTACACS server within this period, it considers the HWTACACS server unavailable and tries to perform authentication, authorization, or accounting through other methods.
  4. Run:
     hwtacacs-server timer quiet value
     The time after which the primary HWTACACS server is restored to the active state is configured. By default, the primary HWTACACS server is restored after 5 minutes.

- Configuring active password modification
  1. Run:
     hwtacacs-user change-password hwtacacs-server template-name
     Active password modification is configured.
     NOTE
     - A user can log in to the device only after passing HWTACACS authentication, and only when the HWTACACS server template has been configured.
     - Users are allowed to actively modify their passwords before the user names and passwords saved on the TACACS server expire.
     - For users whose passwords have expired, the TACACS server returns an authentication-failure message at login, so these users cannot actively modify their passwords.

----End
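The shared-key step above says the key secures communication with the server and that the default is null. Unlike RADIUS, which hides only the password, TACACS+ obfuscates the whole packet body with an MD5 keystream derived from the shared key, the session ID, and the packet version and sequence number (RFC 8907 section 4.5); with no key the body is sent as-is with the unencrypted flag set. HWTACACS is Huawei's variant of TACACS+ and this page does not describe its wire format, so the Python script below is an added example that follows the public RFC 8907 scheme, not NE5000E code; whether HWTACACS matches it byte for byte is an assumption. It builds a constructed PAP authentication START packet for user alice and shows that, with a null key, the user name and password are readable on the wire.

```python
import hashlib
import struct

# TACACS+ header constants (RFC 8907).
VERSION_MINOR_1 = 0xC1            # major version 0xC, minor version 1 (required for PAP)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Authentication START field values (RFC 8907 section 5.1).
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x02, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def _xor(data, pad):
    return bytes(d ^ p for d, p in zip(data, pad))


def authen_start_body(user, port, rem_addr, password):
    """Constructed PAP authentication START body; with PAP the password travels in the data field."""
    fixed = bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(ptype, seq_no, session_id, body, key):
    """Obfuscate the body with the shared key; with no key, send it in clear and flag it."""
    if key:
        pad = pseudo_pad(session_id, key, VERSION_MINOR_1, seq_no, len(body))
        flags, payload = 0, _xor(body, pad)
    else:
        flags, payload = FLAG_UNENCRYPTED, body
    return HEADER.pack(VERSION_MINOR_1, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Recover the body as the receiver would; a wrong key yields garbage rather than an error."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & FLAG_UNENCRYPTED:
        return payload
    return _xor(payload, pseudo_pad(session_id, key, version, seq_no, length))


def exposes_credentials(packet, user, password):
    """True if the user name and password are readable in the bytes on the wire."""
    return user in packet and password in packet


if __name__ == "__main__":
    body = authen_start_body(b"alice", b"vty0", b"192.0.2.10", b"s3cret")
    session = 0x1F2E3D4C  # constructed session ID
    # Template default on the NE5000E: no shared key configured.
    clear = build_packet(TYPE_AUTHEN, 1, session, body, b"")
    keyed = build_packet(TYPE_AUTHEN, 1, session, body, b"Str0ng-Shared-Key")
    print("null key exposes credentials  :", exposes_credentials(clear, b"alice", b"s3cret"))
    print("keyed packet exposes them     :", exposes_credentials(keyed, b"alice", b"s3cret"))
    print("server with right key decodes :", parse_packet(keyed, b"Str0ng-Shared-Key") == body)
    print("server with wrong key decodes :", parse_packet(keyed, b"wrong") == body)
```

With the null key the START packet carries alice and the password in clear; with a key configured on both ends the body is masked and a server holding a different key recovers only garbage. RFC 8907 itself calls this scheme obfuscation rather than encryption, so the key keeps casual observers out but does not replace carrying HWTACACS traffic over a protected management network.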

1.4.4 Checking the Configuration


Prerequisite
The configurations of the server templates are complete.

Procedure
- Run the display radius-server configuration [ template template-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information on the RADIUS authentication/accounting server.
- Run the display hwtacacs-server template [ template-name [ verbose ] ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information on the HWTACACS server template.
- Run the display hwtacacs-server accounting-stop-packet { all | number | ip ip-address } [ | count ] [ | { begin | include | exclude } regular-expression ] command to check information on accounting-stop packets for the HWTACACS server.

----End

Example
Run the display radius-server configuration command. If information about the RADIUS server template is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display radius-server configuration template test
-------------------------------------------------------------------
Server-template-name             : test
Protocol-version                 : standard
Traffic-unit                     : KB
Shared-secret-key                : abcdef
Timeout-interval(in second)      : 6
Primary-authentication-server    : 10.1.1.1:1812:LoopBack-1
Primary-accounting-server        : 10.1.1.2:1813:LoopBack-1
Secondary-authentication-server  : 10.1.1.2:1812:LoopBack-1
Secondary-accounting-server      : 10.1.1.4:1813:LoopBack-1
Retransmission                   : 2
Domain-included                  : YES
-------------------------------------------------------------------

The shared key appears in clear text in this output, so treat saved display output, configuration backups, and terminal logs as sensitive material.

Run the display hwtacacs-server template command. If information about the TACACS server template is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display hwtacacs-server template
-----------------------------------------------------------
HWTACACS-server template name    : 123
Primary-authentication-server    : 0.0.0.0:0:-
Primary-authorization-server     : 0.0.0.0:0:-
Primary-accounting-server        : 0.0.0.0:0:-
Secondary-authentication-server  : 0.0.0.0:0:-
Secondary-authorization-server   : 0.0.0.0:0:-
Secondary-accounting-server      : 0.0.0.0:0:-
Current-authentication-server    : 0.0.0.0:0:-
Current-authorization-server     : 0.0.0.0:0:-
Current-accounting-server        : 0.0.0.0:0:-
Source-IP-address                : 0.0.0.0
Shared-key                       :
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
-------------------------------------------------------------
Are you sure to display more information (y/n)[y]:y
-------------------------------------------------------------
HWTACACS-server template name    : test1
Primary-authentication-server    : 1.1.11.1:49:vpna
Primary-authorization-server     : 0.0.0.0:0:-
Primary-accounting-server        : 1.1.1.1:49:vpna
Secondary-authentication-server  : 0.0.0.0:0:-
Secondary-authorization-server   : 1.1.1.1:12:vpna
Secondary-accounting-server      : 0.0.0.0:0:-
Current-authentication-server    : 1.1.11.1:49:vpna
Current-authorization-server     : 1.1.1.1:12:vpna
Current-accounting-server        : 1.1.1.1:49:vpna
Source-IP-address                : 1.1.1.1
Shared-key                       :
Quiet-interval(min)              : 5
Response-timeout-Interval(sec)   : 5
Domain-included                  : Yes
Traffic-unit                     : B
-------------------------------------------------------------
Total 2,2 printed

Both templates in this output still have an empty Shared-key; a template in that state should not be used for authentication in production.

1.5 Configuring Domains

This section describes how to configure a domain.
1.5.1 Establishing the Configuration Task
1.5.2 Creating a Domain
1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
1.5.4 Configuring the RADIUS Server Template
If the authentication or accounting scheme of the domain is set to remote, you need to configure the RADIUS server template of the domain.
1.5.5 Configuring the HWTACACS Server Template
If the authentication, authorization, or accounting scheme of the domain is set to remote, you need to configure the HWTACACS server template of the domain.
1.5.6 Configuring the Address-related Attributes of the Domain
1.5.7 Configuring the Domain State
1.5.8 Configuring the Maximum of Access Users Allowed by the Domain
If the number of access users in the domain exceeds the threshold, new access users are denied.
1.5.9 Configuring the Idle-Cut Parameters for a Domain
1.5.10 Checking the Configuration

1.5.1 Establishing the Configuration Task


Applicable Environment
You must configure the domain to perform AAA management on access users. The domain can allocate IP addresses to access users, or uniformly deliver the addresses of the Domain Name System (DNS) server and NetBIOS Name Service (NBNS) server to access users.

Pre-configuration Tasks
Before configuring domains, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the link layer protocol on the interfaces is Up
- Configuring authentication, authorization, and accounting schemes
- Configuring the RADIUS or HWTACACS server template if remote authentication, authorization, or accounting is adopted

Data Preparation
To configure a domain, you need the following data.

No. | Data
1 | Domain name
2 | Names of the authentication scheme, authorization scheme, and accounting scheme in the domain
3 | Name of the RADIUS or HWTACACS template of the domain
4 | Address pool number, and start IP address and end IP address of the address pool used by the domain
5 | IP addresses of the primary and secondary DNS servers used by the domain
6 | IP addresses of the primary and secondary NBNS servers used by the domain
7 | Maximum number of users allowed to access through the domain

1.5.2 Creating a Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
A domain is created and the domain view is displayed. By default, a domain named default exists. This domain can be modified but cannot be deleted.
----End

1.5.3 Configuring the Authentication, Authorization and Accounting Schemes of the Domain
Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
authentication-scheme authentication-scheme-name
The authentication scheme of the domain is configured. By default, the domain uses the authentication scheme named default.
Step 5 Run:
authorization-scheme authorization-scheme-name
The authorization scheme of the domain is configured. By default, the domain uses the authorization scheme named default.
Step 6 Run:
accounting-scheme accounting-scheme-name
The accounting scheme of the domain is configured. By default, the domain uses the accounting scheme named default.
----End

1.5.4 Configuring the RADIUS Server Template


If the authentication or accounting scheme of the domain is set to remote, you need to configure the RADIUS server template of the domain.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
radius-server template-name
The RADIUS server template of the domain is configured. By default, no RADIUS server template is bound to the domain.
----End

1.5.5 Configuring the HWTACACS Server Template


If the authentication, authorization, or accounting scheme of the domain is set to remote, you need to configure the HWTACACS server template of the domain.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
hwtacacs-server template-name
The HWTACACS server template of the domain is configured. By default, no HWTACACS server template is bound to the domain.
----End

1.5.6 Configuring the Address-related Attributes of the Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Perform the following as required.
- Run the ip pool pool-number first-address [ last-address ] command to configure the address pool of the domain.
- Run the dhcp server ip-pool pool-name command to configure a DHCP address pool of the domain.
Step 5 Run:
dns primary-ip ip-address
The IP address of the primary DNS server is configured.
Step 6 Run:
dns second-ip ip-address
The IP address of the secondary DNS server is configured.
Step 7 Run:
nbns primary-ip ip-address
The IP address of the primary NBNS server is configured.
Step 8 Run:
nbns second-ip ip-address
The IP address of the secondary NBNS server is configured.
----End

1.5.7 Configuring the Domain State


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
aaa
The AAA view is displayed.
Step 3 Run:
domain domain-name
The domain view is displayed.
Step 4 Run:
state { active | block }
The domain state is configured. By default, a domain is in the active state after being created.
----End

1.5.8 Configuring the Maximum of Access Users Allowed by the Domain


If the number of access users in the domain exceeds the threshold, the new access users are denied.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

The domain view is displayed.

Step 4 Run:
access-limit max-number

The maximum number of access users allowed by the domain is configured. By default, the domain allows 6128 access users.

----End

1.5.9 Configuring the Idle-Cut Parameters for a Domain


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
domain domain-name

A domain is created and the domain view is displayed.

Step 4 Run:
idle-cut idle-time idle-data

The idle-cut parameters for a domain are configured.

----End

Postrequisite
If the traffic of a user is smaller than the configured idle-data value, the user is considered to be in the idle state. If the user stays in the idle state for longer than the idle-time value, the user is cut off forcibly.
NOTE

The modifications of a domain or a server take effect after the user logs in to the domain again.
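The idle-cut rule described above, written out as an added Python example that is not part of this guide: each user is sampled once per interval, a sample below idle-data marks the interval as idle, and the user is cut off once the run of consecutive idle intervals exceeds idle-time. The sampling interval, the unit of the samples, and the treatment of idle-time 0 as "disabled" are assumptions of this example.

```python
def idle_cut_at(samples, idle_time, idle_data):
    """Return the 1-based index of the interval at which the user is cut off, or None.

    samples   traffic volume observed in each successive sampling interval
              (assumption: one sample per unit of idle_time, same volume unit
              as idle_data)
    idle_time number of consecutive idle intervals a user may accumulate; the
              cut happens when this value is exceeded, not when it is reached
    idle_data traffic below this value in an interval marks the interval as idle

    Assumption of this example: idle_time 0 disables the check, matching the
    "0, 60" default shown in the display domain output of this guide.
    """
    if idle_time <= 0:
        return None
    idle_run = 0
    for index, traffic in enumerate(samples, start=1):
        if traffic < idle_data:
            idle_run += 1            # one more interval spent in the idle state
            if idle_run > idle_time:
                return index         # idle duration exceeded idle_time: cut off
        else:
            idle_run = 0             # traffic at or above idle_data ends the idle state
    return None


def idle_cut_events(sessions, idle_time, idle_data):
    """Map user -> cut-off interval for a dict of user -> samples; users kept online are omitted."""
    events = {}
    for user, samples in sessions.items():
        cut = idle_cut_at(samples, idle_time, idle_data)
        if cut is not None:
            events[user] = cut
    return events


# Constructed sample: three users observed over eight intervals, evaluated with
# idle-time 3 and idle-data 60.
SAMPLE_SESSIONS = {
    "alice": [500, 10, 5, 0, 0, 900, 900, 900],   # four idle intervals in a row: cut at interval 5
    "bob":   [10, 10, 10, 200, 10, 10, 10, 200],  # never more than three idle in a row: stays online
    "carol": [0, 0, 0, 0, 0, 0, 0, 0],            # idle from the start: cut at interval 4
}

if __name__ == "__main__":
    print(idle_cut_events(SAMPLE_SESSIONS, idle_time=3, idle_data=60))
```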


1.5.10 Checking the Configuration


Prerequisite
The configurations of the domains are complete.

Procedure
Step 1 Run the display domain [ domain-name ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the configuration information on the domain.

----End

Example
Run the display domain command. If information about the domain is displayed, the configuration succeeds. For example:
<HUAWEI> display domain
--------------------------------------------------------------------------------
Domain name   State    CAR   Access-limit   Online   BODCount   RetUserCount
--------------------------------------------------------------------------------
default       Active   0     6128           0        0          0
huawei        Active   0     6128           0        0          0
--------------------------------------------------------------------------------
Total 2,2 printed

1.6 Maintaining AAA and User Management


This section describes how to reset the statistics and debug RADIUS or HWTACACS.
1.6.1 Clearing the Statistics of AAA and User Management
1.6.2 Debugging AAA and User Management

1.6.1 Clearing the Statistics of AAA and User Management


Context

CAUTION
Statistics cannot be restored after you clear them. So, confirm the action before you use the command.


Procedure
l Run the reset hwtacacs-server statistics { all | accounting | authentication | authorization } command in the user view to clear the statistics about the HWTACACS server.
l Run the reset hwtacacs-server accounting-stop-packet { all | ip ip-address } command in the user view to clear the statistics about the accounting-stop packets of the HWTACACS server.

----End

1.6.2 Debugging AAA and User Management


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable the debugging immediately.

When a fault occurs on the RADIUS or HWTACACS server, run the following debugging commands in the user view to debug and locate the fault. For the procedure of displaying the debugging information, refer to the chapter "Maintenance and Debugging" in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the HUAWEI NetEngine5000E Core Router Command Reference.

Procedure
l Run the debugging radius packet command in the user view to debug the RADIUS packets.
l Run the debugging hwtacacs { all | error | event | message | receive-packet | send-packet } command in the user view to debug the HWTACACS server.

----End

1.7 Configuration Examples


This section provides configuration examples of AAA and user management.
1.7.1 Example for Configuring the RADIUS Authentication and Accounting For Local Users
1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode
1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network

1.7.1 Example for Configuring the RADIUS Authentication and Accounting For Local Users
Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-1, users belong to domain huawei and access the network through Router A. Router B acts as the access server of the destination network. If users need to access the destination network, they must first traverse the network between Router A and Router B and then access the destination network through Router B after they pass remote authentication. In such a case, you can configure the remote authentication mode on Router B as follows:
l Use the RADIUS server to perform authentication and accounting for access users.
l The RADIUS server 129.7.66.66/24 acts as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813 respectively.

Figure 1-1 Networking diagram of RADIUS authentication and accounting
[Figure elements: Domain huawei, RouterA, Network, RouterB, Destination network, RADIUS servers 129.7.66.66/24 and 129.7.66.67/24]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a RADIUS server template, the authentication scheme, and accounting scheme.
2. Apply the configured template and schemes in the domain.

Data Preparation
To complete the configuration task, you need the following data:
l IP address of the primary (secondary) RADIUS authentication server
l IP address of the primary (secondary) RADIUS accounting server

Procedure
Step 1 Configure a RADIUS server template, the authentication scheme and accounting scheme.
# Create a RADIUS server template named shiva.
[RouterA] radius-server template shiva

# Configure the IP addresses and ports of the primary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.66 1812
[RouterA-radius-shiva] radius-server accounting 129.7.66.66 1813

# Configure the IP addresses and ports of the secondary RADIUS authentication and accounting servers.
[RouterA-radius-shiva] radius-server authentication 129.7.66.67 1812 secondary
[RouterA-radius-shiva] radius-server accounting 129.7.66.67 1813 secondary

# Configure the shared key and retransmission times of the RADIUS server.
[RouterA-radius-shiva] radius-server shared-key it-is-my-secret
[RouterA-radius-shiva] radius-server retransmit 2
[RouterA-radius-shiva] quit

# Enter the AAA view.
[RouterA] aaa

# Configure authentication scheme 1 with the authentication mode as RADIUS.
[RouterA-aaa] authentication-scheme 1
[RouterA-aaa-authen-1] authentication-mode radius
[RouterA-aaa-authen-1] quit

# Configure accounting scheme 1 with the accounting mode as RADIUS.
[RouterA-aaa] accounting-scheme 1
[RouterA-aaa-accounting-1] accounting-mode radius
[RouterA-aaa-accounting-1] quit

Step 2 Apply the RADIUS authentication scheme 1, accounting scheme 1 and the RADIUS template shiva to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme 1
[RouterA-aaa-domain-huawei] accounting-scheme 1
[RouterA-aaa-domain-huawei] radius-server shiva


Step 3 Verify the configuration.
Run the display radius-server configuration template command on the router to check the RADIUS server template.
<HUAWEI> display radius-server configuration template shiva
-------------------------------------------------------------------------
Server-template-name             : shiva
Protocol-version                 : standard
Traffic-unit                     : B
Shared-secret-key                : it-is-my-secret
Timeout-interval(in second)      : 5
Primary-authentication-server    : 129.7.66.66:1812:LoopBack-1
Primary-accounting-server        : 129.7.66.66:1813:LoopBack-1
Secondary-authentication-server  : 129.7.66.67:1812:LoopBack-1
Secondary-accounting-server      : 129.7.66.67:1813:LoopBack-1
Retransmission                   : 2
EndPacketSendTime                : 0
Domain-included                  : YES
-------------------------------------------------------------------------

Run the display domain domain-name command on the router to check the configuration information about the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : default
Accounting-scheme-name          : default
Authorization-scheme-name       : default
Web-IP-address                  :
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
Idle-data-attribute (time,flow) : 0, 60
User-access-limit               : 384
Online-number                   : 0
RADIUS-server-template          :
HWTACACS-server-template        :
-------------------------------------------------------------------

----End

Configuration Files
#
radius-server template shiva
 radius-server shared-key it-is-my-secret
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 #
 authorization-scheme default
 #
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 #
 domain default
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
#
return

1.7.2 Example for Configuring the HWTACACS Authentication, Authorization, and Accounting Mode
Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-2:
l Access users are authenticated by the local database first, and then by the HWTACACS server if the local authentication fails. To upgrade the level of an access user, the HWTACACS authentication mode is used first. If this mode gives no response, the local database authentication mode is used.
l Access users are configured with HWTACACS authorization.
l Accounting is necessary for all users. Real-time accounting is enabled for all users at an interval of 3 minutes.
l The HWTACACS server with the IP address 129.7.66.66 acts as the primary server, and its authentication port number, authorization port number, and accounting port number are all 49.
l The HWTACACS server with the IP address 129.7.66.67 functions as the secondary server. Its default authentication port number, authorization port number, and accounting port number are all 49.


Figure 1-2 Networking diagram of local authentication and HWTACACS authentication, authorization, and accounting
[Figure elements: Domain huawei, RouterA, Network, RouterB, Destination network, HWTACACS servers 129.7.66.66/24 and 129.7.66.67/24]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a HWTACACS server template.
2. Configure the authentication, authorization, and accounting schemes.
3. Apply the configured template and schemes in the domain.

Data Preparation
To complete the following configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server

Procedure
Step 1 Configure a HWTACACS server template.
# Create a HWTACACS server template named ht.
[RouterA] hwtacacs-server template ht

# Configure the IP addresses and ports of the primary HWTACACS AAA server.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49


# Configure the IP addresses and ports of the secondary HWTACACS AAA server.
[RouterA-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[RouterA-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary

# Configure the shared key of the HWTACACS server.
[RouterA-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[RouterA-hwtacacs-ht] quit

Step 2 Configure the AAA schemes.
# Enter the AAA view.
[RouterA] aaa

# Configure an authentication scheme l-h with the authentication modes as local and hwtacacs in sequence. To upgrade the user level, configure the authentication modes as hwtacacs and super in sequence.
[RouterA-aaa] authentication-scheme l-h
[RouterA-aaa-authen-l-h] authentication-mode local hwtacacs
[RouterA-aaa-authen-l-h] authentication-super hwtacacs super
[RouterA-aaa-authen-l-h] quit

# Configure an authorization scheme hwtacacs with the authorization mode as hwtacacs.
[RouterA-aaa] authorization-scheme hwtacacs
[RouterA-aaa-author-hwtacacs] authorization-mode hwtacacs
[RouterA-aaa-author-hwtacacs] quit

# Configure an accounting scheme hwtacacs with the accounting mode as hwtacacs.
[RouterA-aaa] accounting-scheme hwtacacs
[RouterA-aaa-accounting-hwtacacs] accounting-mode hwtacacs

# Set the interval of real-time accounting to 3 minutes.
[RouterA-aaa-accounting-hwtacacs] accounting realtime 3
[RouterA-aaa-accounting-hwtacacs] quit

Step 3 Apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and HWTACACS server template ht to the domain huawei.
[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme l-h
[RouterA-aaa-domain-huawei] authorization-scheme hwtacacs
[RouterA-aaa-domain-huawei] accounting-scheme hwtacacs
[RouterA-aaa-domain-huawei] hwtacacs-server ht

Step 4 Verify the configuration.
Run the display hwtacacs-server template command on the router. You can view the HWTACACS server template.
<HUAWEI> display hwtacacs-server template ht
-------------------------------------------------------------------------
HWTACACS-server template name    : ht
Primary-authentication-server    : 129.7.66.66:49
Primary-authorization-server     : 129.7.66.66:49
Primary-accounting-server        : 129.7.66.66:49
Secondary-authentication-server  : 129.7.66.67:49
Secondary-authorization-server   : 129.7.66.67:49
Secondary-accounting-server      : 129.7.66.67:49
Current-authentication-server    : 129.7.66.66:49
Current-authorization-server     : 129.7.66.66:49
Current-accounting-server        : 129.7.66.66:49
Source-IP-address                : 0.0.0.0
Shared-key                       : it-is-my-secret
Quiet-interval (min)             : 5
Response-timeout-Interval (sec)  : 5
Domain-included                  : Yes
Traffic-unit                     : B
-------------------------------------------------------------------------

Run the display domain command on the router. You can view the domain.
<HUAWEI> display domain huawei
------------------------------------------------------------------
Domain-name                     : huawei
Domain-state                    : Active
Authentication-scheme-name      : l-h
Accounting-scheme-name          : hwtacacs
Authorization-scheme-name       : hwtacacs
Primary-DNS-IP-address          :
Second-DNS-IP-address           :
Primary-NBNS-IP-address         :
Second-NBNS-IP-address          :
User-group-name                 :
Idle-data-attribute (time,flow) : 0, 60
InstallBODCount                 : 0
ReportVSMUserCount              : 0
Value_add_service               : NONE
User-access-limit               : 6128
Online-number                   : 0
Web-IP-address                  :
Web-URL                         :
Portal-server-IP                :
Portal-URL                      :
Portal-force-times              : 2
RADIUS-server-template          :
Two-acct-template               :
HWTACACS-server-template        : ht
IP-warning-threshold            :
Max-multilist num               : 4
Multicast-profile               :
-------------------------------------------------------------------

----End

Configuration Files
#
hwtacacs-server template ht
 hwtacacs-server authentication 129.7.66.66 49
 hwtacacs-server authentication 129.7.66.67 49 secondary
 hwtacacs-server authorization 129.7.66.66 49
 hwtacacs-server authorization 129.7.66.67 49 secondary
 hwtacacs-server accounting 129.7.66.66 49
 hwtacacs-server accounting 129.7.66.67 49 secondary
 hwtacacs-server shared-key it-is-my-secret
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
  authentication-super hwtacacs super
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
#
return
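Both configuration files above (1.7.1 and 1.7.2) bind schemes and a server template to a domain; a binding that names a scheme or template that does not exist, or a RADIUS/HWTACACS scheme with no matching server template bound, leaves the domain on its defaults, which is exactly what the 1.7.1 display domain output shows. The following Python audit is an added example, not Huawei's code: it parses a configuration file in the layout shown here and reports such inconsistencies; its policy checks (a shared key present, a secondary server for every role) are this example's own.

```python
"""Offline audit of AAA bindings in a VRP-style configuration file. Added example,
not Huawei's code: it relies only on the layout of this guide's "Configuration Files"
blocks (sections separated by '#', one command per line) and on the command names
used on this page; the audit policy (shared key, backup server) is this example's own."""

# Constructed input: the 1.7.1 configuration file from this guide, extended with
# a domain 'broken' that binds a RADIUS scheme without binding a server template.
SAMPLE_CONFIG = """\
radius-server template shiva
 radius-server shared-key it-is-my-secret
 radius-server authentication 129.7.66.66 1812
 radius-server authentication 129.7.66.67 1812 secondary
 radius-server accounting 129.7.66.66 1813
 radius-server accounting 129.7.66.67 1813 secondary
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme 1
  authentication-mode radius
 #
 accounting-scheme default
 accounting-scheme 1
  accounting-mode radius
 #
 domain default
 domain huawei
  authentication-scheme 1
  accounting-scheme 1
  radius-server shiva
 domain broken
  authentication-scheme 1
#
"""
SCHEME_TYPES = ("authentication", "authorization", "accounting")
REMOTE_MODES = ("radius", "hwtacacs")


def parse_config(text):
    """Return (templates, schemes, domains) extracted from the configuration text."""
    templates = {}                            # name -> {"proto", "key", "servers"}
    schemes = {t: {} for t in SCHEME_TYPES}   # type -> name -> list of modes
    domains = {}                              # name -> {scheme type or proto -> name}
    template = scheme = domain = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words == ["#"]:                    # section boundary closes every context
            template = scheme = domain = None
        elif len(words) == 3 and words[0].endswith("-server") and words[1] == "template":
            template = templates.setdefault(   # "<proto>-server template <name>"
                words[2], {"proto": words[0][:-7], "key": None, "servers": set()})
        elif template is not None:
            # "<proto>-server authentication <ip> <port> [vpn-instance X] [secondary]"
            if len(words) >= 3 and words[1] in SCHEME_TYPES:
                rank = "secondary" if "secondary" in words else "primary"
                template["servers"].add((words[1], rank))
            elif len(words) >= 3 and words[1] == "shared-key":
                template["key"] = words[2]
        elif words[0] == "domain":
            domain, scheme = domains.setdefault(words[1], {}), None
        elif domain is not None:              # inside a domain the lines are bindings
            if words[0].endswith(("-scheme", "-server")):
                domain[words[0][:-7]] = words[1]   # strip "-scheme" / "-server"
        elif words[0].endswith("-scheme"):    # scheme definition under aaa
            scheme = schemes[words[0][:-7]].setdefault(words[1], [])
        elif scheme is not None and words[0].endswith("-mode"):
            scheme[:] = words[1:]             # e.g. "authentication-mode local hwtacacs"
    return templates, schemes, domains


def audit(text):
    """Return sorted findings; an empty list means every domain binding resolves."""
    templates, schemes, domains = parse_config(text)
    findings = []
    for name, dom in domains.items():
        for stype in SCHEME_TYPES:
            # Unbound -> the built-in 'default' scheme, as the display domain output shows.
            sname = dom.get(stype, "default")
            modes = schemes[stype].get(sname, [] if sname == "default" else None)
            if modes is None:
                findings.append(f"domain {name}: {stype}-scheme {sname} is not defined")
                continue
            for proto in (p for p in REMOTE_MODES if p in modes):
                tpl = dom.get(proto)
                if tpl is None:
                    findings.append(f"domain {name}: {stype}-scheme {sname} uses {proto} "
                                    f"but no {proto}-server template is bound")
                elif tpl not in templates:
                    findings.append(f"domain {name}: {proto}-server template {tpl} is not defined")
    for name, tpl in templates.items():
        if not tpl["key"]:
            findings.append(f"template {name}: no shared-key configured")
        for role in {r for r, _ in tpl["servers"]}:   # each role needs a backup server
            if (role, "secondary") not in tpl["servers"]:
                findings.append(f"template {name}: no secondary {role} server")
    return sorted(findings)
```

The same parser accepts the 1.7.2 file unchanged, since hwtacacs-server templates and the multi-mode line authentication-mode local hwtacacs follow the same layout.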

1.7.3 Example of Configuring the HWTACACS Authentication and Authorization in the MPLS VPN Network
Networking Requirements
As shown in Figure 1-3, CE1 and CE2 both belong to VPN-A. The VPN-target attribute used by VPN-A is 111:1. In the public network, the administrator logs in to PE through the Console port or logs in to PE2 through a PC, other routers, or a Telnet client. After the administrator is authorized, the administrator manages PE2, and the system events and records of administrator operations on PE2 are sent to the TACACS server. The TACACS server is deployed in the private network. Thus, PE2 must forward HWTACACS packets based on VPN instances.
l PE2 authenticates administrators through HWTACACS.
l PE2 authorizes administrators through HWTACACS.
l The TACACS server 160.1.1.100/24 is the primary server, with authentication port 49, authorization port 49, and accounting port 49. The TACACS server 160.1.1.101/24 is the secondary server, with authentication port 49, authorization port 49, and accounting port 49 by default.

Figure 1-3 Diagram of configuring HWTACACS authentication and authorization of administrators
[Figure elements: CE1 (AS65410, VPNA), PE1, P, PE2 (Backbone AS100), CE2 (AS65430, VPNA), Main TACACS server, Backup TACACS server, Administrator; interface labels are listed in the table below]

Device                 Interface    IP address
CE1                    GE1/0/1      10.1.1.2/24
PE1                    Loopback1    1.1.1.9/32
                       GE2/0/0      10.1.1.1/24
                       POS1/0/0     100.1.1.1/24
P                      Loopback1    3.3.3.9/32
                       POS1/0/0     100.1.1.2/24
                       POS2/0/0     200.1.1.1/24
PE2                    Loopback1    2.2.2.9/32
                       GE2/0/0      10.2.1.2/24
                       POS1/0/0     200.1.1.2/24
CE2                    GE1/0/0      10.2.1.1/24
                       GE1/0/1      160.1.1.1/24
Main TACACS server     -            160.1.1.100/24
Backup TACACS server   -            160.1.1.101/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS IP VPN for internetworking.
2. Configure a HWTACACS server template.
3. Configure the authentication scheme and authorization scheme.
4. Apply the HWTACACS server template, the authentication scheme, and the authorization scheme.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the primary (secondary) HWTACACS authentication server
l IP address of the primary (secondary) HWTACACS authorization server
l IP address of the primary (secondary) HWTACACS accounting server

Procedure
Step 1 Configure BGP/MPLS IP VPN.
Configure the IGP protocol on the network to enable communication between the PEs and P on the backbone network and to advertise the IP address of the CE.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] ip address 100.1.1.1 24
[PE1-Pos1/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 3.3.3.9 32
[P-LoopBack1] quit
[P] interface pos 1/0/0
[P-Pos1/0/0] ip address 100.1.1.2 24
[P-Pos1/0/0] quit
[P] interface pos 2/0/0
[P-Pos2/0/0] ip address 200.1.1.1 24
[P-Pos2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] ip address 200.1.1.2 24
[PE2-Pos1/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 200.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[CE1-GigabitEthernet1/0/1] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] ip address 160.1.1.1 24
[CE2-GigabitEthernet1/0/1] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 160.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

After the configuration, OSPF neighbor relationships should be set up between PE1, P, and PE2. Run the display ospf peer command, and you can see that the neighbor state is Full. Run the display ip routing-table command, and you can see that the PEs learn the routes to the Loopback1 interfaces of their peers. Take the display of PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.9/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        2.2.2.9/32  OSPF    10   3125        D   100.1.1.2       Pos1/0/0
        3.3.3.9/32  OSPF    10   1563        D   100.1.1.2       Pos1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      100.1.1.0/24  Direct  0    0           D   100.1.1.1       Pos1/0/0
      100.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      100.1.1.2/32  Direct  0    0           D   100.1.1.2       Pos1/0/0
      200.1.1.0/24  OSPF    10   3124        D   100.1.1.2       Pos1/0/0
[PE1] display ospf peer
         OSPF Process 1 with Router ID 1.1.1.9
                 Neighbors
 Area 0.0.0.0 interface 100.1.1.1(Pos1/0/0)'s neighbors
 Router ID: 3.3.3.9          Address: 100.1.1.2        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None   BDR: None   MTU: 1500
   Dead timer due in 38  sec
   Neighbor is up for 00:02:44
   Authentication Sequence: [ 0 ]

Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] mpls
[PE1-Pos1/0/0] mpls ldp
[PE1-Pos1/0/0] quit

# Configure P.
[P] mpls lsr-id 3.3.3.9
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface pos 1/0/0
[P-Pos1/0/0] mpls
[P-Pos1/0/0] mpls ldp
[P-Pos1/0/0] quit
[P] interface pos 2/0/0
[P-Pos2/0/0] mpls
[P-Pos2/0/0] mpls ldp
[P-Pos2/0/0] quit


# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] mpls
[PE2-Pos1/0/0] mpls ldp
[PE2-Pos1/0/0] quit

After the configuration, LDP sessions should be set up between PE1 and P, and between P and PE2. Run the display mpls ldp session command, and you can see that the Status field displays Operational. Run the display mpls ldp lsp command, and you can check whether LDP LSPs are set up. Take the display of PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------
 Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------
 3.3.3.9:0          Operational DU   Passive  000:00:01   7/7
 ------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode         SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
 LDP LSP Information
 -----------------------------------------------------------------
 SN   DestAddress/Mask   In/OutLabel   Next-Hop        In/Out-Interface
 -----------------------------------------------------------------
 1    1.1.1.9/32         3/NULL        127.0.0.1       Pos1/0/0/InLoop0
 2    2.2.2.9/32         NULL/1027     100.1.1.2       -------/Pos1/0/0
 3    3.3.3.9/32         NULL/3        100.1.1.2       -------/Pos1/0/0
 -----------------------------------------------------------------
 TOTAL: 3 Normal LSP(s) Found.
 TOTAL: 0 Liberal LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale

Configure VPN instances on the PEs so that the CEs can access the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit

After the configuration, run the display ip vpn-instance verbose command on the PEs, and you can view the configurations of the VPN instances. Each PE can ping its connected CE.
NOTE

When a PE has multiple interfaces that are bound to the same VPN, you must specify the source IP address, namely the -a source-ip-address parameter, when running the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. Otherwise, the ping may fail.

Take PE1 and CE1 as an example:
[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 1
 VPN-Instance Name and ID : vpna, 1
  Create date : 2008/09/27 15:24:40
  Up time : 0 days, 00 hours, 05 minutes and 19 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy: label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe
  Interfaces : GigabitEthernet1/0/0
[PE1] ping -vpn-instance vpna 10.1.1.2
  PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=56 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=52 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=3 ms
  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/23/56 ms

Set up EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct
NOTE

The configuration of CE2 is similar to that of CE1. Thus, it is omitted.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
NOTE

The configuration of PE2 is similar to that of PE1. Thus, it is omitted.

After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE, and you can see that the BGP peer relationship between the PE and the connected CE is in the Established state. Take the peer relationship between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  10.1.1.2        4 65410       11        9     0 00:06:37 Established       1


Set up the MP-IBGP peer relationship between the PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on a PE, and you can see that the BGP peer relationship between the PEs is in the Established state.
[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.9         4   100        2        6     0 00:00:12 Established       0
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.9         4   100       12       18     0 00:09:38 Established       0
  Peer of vpn instance:
  vpn instance vpna :
  10.1.1.2        4 65410       25       25     0 00:17:57 Established       1

Step 2 Configure an HWTACACS server template on PE2.
# Create the HWTACACS server template ht.
<PE2> system-view
[PE2] hwtacacs-server template ht

# Configure the IP address and port of the primary HWTACACS authentication server and authorization server, and bind them to the VPN instance. (No accounting server is configured in this example.)
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.100 49 vpn-instance vpna

# Configure the IP address and port of the secondary HWTACACS authentication server and authorization server, and bind them to the VPN instance.
[PE2-hwtacacs-ht] hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
[PE2-hwtacacs-ht] hwtacacs-server authorization 160.1.1.101 49 vpn-instance vpna secondary

# Configure the shared key of the HWTACACS server. The key must be identical on the router and the server.
[PE2-hwtacacs-ht] hwtacacs-server shared-key it-is-my-secret
[PE2-hwtacacs-ht] quit
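What the shared key configured above does on the wire, as an added example that is not part of this guide and not Huawei's code: the Python below frames a TACACS+ packet as defined in RFC 8907, the protocol that HWTACACS is based on, and applies the MD5-derived pseudo-pad that the shared key seeds. The user name, port, address and session ID are constructed sample values, and the example assumes that HWTACACS uses the standard TACACS+ framing, which this page does not state.

```python
"""Added example: TACACS+ framing and shared-key body obfuscation (RFC 8907)."""
import hashlib
import struct

# Field values from RFC 8907. That HWTACACS uses this exact framing is an
# assumption of this example; the configuration guide does not say so.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain of RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login at privilege level 1."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(pkt_type, seq_no, session_id, body, key):
    """Frame a body; with an empty key the body goes in clear and the flag says so."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet, key):
    """Parse the header and recover the body with the given key.
    A wrong key yields garbage rather than an error: the pad carries no integrity check."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}


if __name__ == "__main__":
    key = b"it-is-my-secret"                                 # the shared key from Step 2
    body = authen_start_body("admin", "vty0", "10.2.1.1")   # constructed sample values
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x5A5A0001, body, key)
    print("on the wire:", pkt.hex())
    print("right key recovers body:", parse_packet(pkt, key)["body"] == body)
    print("wrong key recovers body:", parse_packet(pkt, b"wrong-key")["body"] == body)
```

The body is only XORed with a pad derived from the session ID, version, sequence number and the shared key; RFC 8907 itself calls this obfuscation rather than encryption, and nothing in the packet authenticates it. That is why the path between router and server has to be protected, which the VPN instance binding in this step provides, and why the key must be kept confidential.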

Step 3 Configure the authentication scheme and the authorization scheme.
# Enter the AAA view.
[PE2] aaa


# Configure the authentication scheme l-h with the authentication mode HWTACACS.
[PE2-aaa] authentication-scheme l-h
[PE2-aaa-authen-l-h] authentication-mode hwtacacs
[PE2-aaa-authen-l-h] quit

# Configure the authorization scheme hwtacacs with the authorization mode HWTACACS.
[PE2-aaa] authorization-scheme hwtacacs
[PE2-aaa-author-hwtacacs] authorization-mode hwtacacs
[PE2-aaa-author-hwtacacs] quit

Step 4 Configure the domain huawei. Apply the authentication scheme l-h, the authorization scheme hwtacacs, and the HWTACACS server template ht to the domain. No accounting scheme is applied, so the domain keeps the default accounting scheme.
[PE2-aaa] domain huawei
[PE2-aaa-domain-huawei] authentication-scheme l-h
[PE2-aaa-domain-huawei] authorization-scheme hwtacacs
[PE2-aaa-domain-huawei] hwtacacs-server ht
[PE2-aaa-domain-huawei] quit
[PE2-aaa] quit

Step 5 Verify the configuration. Run the display hwtacacs-server template command on the router to check that the HWTACACS server template matches the requirements. Note that the shared key is shown in clear text in this output, as it is in the configuration file; restrict who can view either.
<PE2> display hwtacacs-server template ht
-------------------------------------------------------------------------
HWTACACS-server template name         : ht
Primary-authentication-server         : 160.1.1.100:49:vpna
Primary-authorization-server          : 160.1.1.100:49:vpna
Primary-accounting-server             : 0.0.0.0:0:
Secondary-authentication-server       : 160.1.1.101:49:vpna
Secondary-authorization-server        : 160.1.1.101:49:vpna
Secondary-accounting-server           : 0.0.0.0:0:
Current-authentication-server         : 160.1.1.100:49:vpna
Current-authorization-server          : 160.1.1.100:49:vpna
Current-accounting-server             : 0.0.0.0:0:
Source-IP-address                     : 0.0.0.0
Shared-key                            : it-is-my-secret
Quiet-interval(min)                   : 5
Response-timeout-Interval(sec)        : 5
Domain-included                       : Yes
Traffic-unit                          : B
-------------------------------------------------------------------------

Run the display domain command on PE2, where the domain is configured, to check that the domain matches the requirements.
<PE2> display domain huawei
------------------------------------------------------------------
Domain-name                      : huawei
Domain-state                     : Active
Authentication-scheme-name       : l-h
Accounting-scheme-name           : default
Authorization-scheme-name        : hwtacacs
User-CAR                         :
Web-IP-address                   :
Next-hop                         :
Primary-DNS-IP-address           :
Second-DNS-IP-address            :
Primary-NBNS-IP-address          :
Second-NBNS-IP-address           :
Acl-number                       : -
Idle-data-attribute (time,flow)  : 0, 60
User-priority                    :
User-access-limit                : 384
Online-number                    : 0
RADIUS-server-template           :
HWTACACS-server-template         : ht
-------------------------------------------------------------------

----End

Configuration Files
- Configuration file of PE1

#
 sysname PE1
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
 mpls lsr-id 1.1.1.9
mpls
 lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.2 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 1.1.1.9 0.0.0.0
#
return

- Configuration file of P

#
 sysname P
#
 mpls lsr-id 3.3.3.9
mpls
 lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
  network 3.3.3.9 0.0.0.0
#
return

- Configuration file of PE2

#
 sysname PE2
#
ip vpn-instance vpna
 route-distinguisher 200:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
hwtacacs-server template ht
 hwtacacs-server authentication 160.1.1.100 49 vpn-instance vpna
 hwtacacs-server authentication 160.1.1.101 49 vpn-instance vpna secondary
 hwtacacs-server authorization 160.1.1.100 vpn-instance vpna
 hwtacacs-server authorization 160.1.1.101 vpn-instance vpna secondary
 hwtacacs-server shared-key it-is-my-secret
#
 mpls lsr-id 2.2.2.9
mpls
 lsp-trigger all
#
mpls ldp
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 200.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  peer 10.2.1.1 as-number 65430
  import-route direct
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode hwtacacs
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 #
 domain default
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
#
ospf 1
 area 0.0.0.0
  network 200.1.1.0 0.0.0.255
  network 2.2.2.9 0.0.0.0
#
return

- Configuration file of CE1

#
 sysname CE1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
bgp 65410
 peer 10.1.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.1 enable
#
return

- Configuration file of CE2

#
 sysname CE2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 160.1.1.1 255.255.255.0
#
bgp 65430
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.2.1.2 enable
#
ospf 1
 area 0.0.0.0
  network 160.1.1.0 0.0.0.255
#
return

2 ARP Security Configuration

About This Chapter

This chapter describes the types of ARP security that the NE5000E supports, the configuration and applications of ARP security, and typical examples.

2.1 Overview to ARP Security
This section describes the principles and concepts of the ARP security features.

2.2 Preventing Attacks on ARP Entries
This section describes how to prevent attacks on ARP entries.

2.3 Maintaining the ARP Security
This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.

2.4 Configuration Examples
This section provides configuration examples of the ARP security features.


2.1 Overview to ARP Security

This section describes the principles and concepts of the ARP security features.
2.1.1 Introduction to ARP Security
2.1.2 ARP Security Supported by the NE5000E

2.1.1 Introduction to ARP Security

In current carrier networks, Ethernet is commonly used for access. The Address Resolution Protocol (ARP) runs as an open protocol on Ethernet, and its simplicity, openness, and lack of security measures give malicious attackers their opportunity. ARP attacks come in several types and modes: they may target a host or a gateway, they may work through address spoofing or through flooding (violent attacks), and they may originate from viruses or illegitimate software. Flooding attacks exhaust either space or time:

- Space-based attacks exploit the finite ARP buffer of a router. The attacker sends a large number of illegitimate ARP requests and replies to the router; the ARP buffer overflows, legitimate ARP entries can no longer be stored, and normal forwarding is interrupted.
- Time-based attacks exploit the finite processing capacity of a router. The attacker sends a large number of forged ARP requests, replies, or other packets that trigger ARP processing on the router; the router's computing resources are tied up in ARP processing for a long period, other services cannot be handled, and normal forwarding is interrupted.

Address spoofing attacks include:

- Netcut: sends unicast ARP requests to a gateway and updates the gateway's ARP buffer with an incorrect MAC address for a host, so that traffic to the host is misdirected.
- NetRobocop: sends incorrect unicast ARP replies to a host to give the host an incorrect gateway address. Because the replies are unicast, the gateway can hardly detect them.

ARP security, a feature based on ARP, prevents ARP-oriented attacks and ARP-based network scanning attacks through the following measures:
- Filtering out untrusted ARP packets
- Performing timestamp suppression on some ARP packets
- Filtering out illegal ARP packets
- Applying dynamic Committed Access Rate (CAR) to the packets sent to the CPU

2.1.2 ARP Security Supported by the NE5000E

Currently, the NE5000E provides the following functions to defend against ARP attacks.

Interface-based ARP Entry Restriction

Limiting the number of ARP entries that an interface can learn effectively avoids ARP buffer overflow and confines the effect of an attack to the attacked interface. In this manner, the security of ARP entries is ensured. You can limit the number of ARP entries that an interface learns through the following operations:
- Configuring strict ARP entry learning in the system view or the interface view
- Configuring a speed limit for ARP packets
- Setting the maximum number of ARP entries that the interface can learn

The NE5000E supports this on:
- Layer 3 Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces

Timestamp-based Scanning-Proof
The timestamp-based scanning-proof function identifies a scanning attack in time, whether it is an ARP scanning attack or an IP scanning attack, and suppresses the processing of the requests that the scan generates, keeping the CPU out of the attack. The NE5000E supports timestamp suppression of ARP packets based on the destination IP address: ARP packets that exceed the configured threshold within a given period are discarded.

2.2 Preventing Attacks on ARP Entries

This section describes how to prevent attacks on ARP entries.
2.2.1 Establishing the Configuration Task
2.2.2 Configuring Global Strict ARP Entry Learning
2.2.3 Configuring Strict ARP Entry Learning on Interfaces
2.2.4 Checking the Destination IP Addresses of ARP Packets
2.2.5 Configuring Speed Limit for ARP Packets
2.2.6 Configuring Interface-based ARP Entry Restriction
2.2.7 Checking the Configuration

2.2.1 Establishing the Configuration Task


Applicable Environment
In an Ethernet Metropolitan Area Network (MAN), ARP entries are a frequent attack target. ARP security features therefore need to be configured on the access layer or the convergence layer to ensure network security.
NOTE

To prevent attacks on ARP entries, you can configure strict ARP entry learning, a speed limit for ARP packets, and interface-based ARP entry restriction separately or in combination. Strict ARP entry learning is not recommended in general, because its restrictions are so strict that some useful ARP entries cannot be learnt. To achieve a similar effect, deploy ARP bidirectional isolation.

Pre-configuration Task
Before configuring the task of preventing attacks on ARP entries, complete the following task:
- Configuring the link layer parameters and the IP address of the interface so that the link layer status of the interface is Up

Data Preparation
To prevent attacks on ARP entries, you need the following data.

No.  Data
1    Timestamp suppression rate

2.2.2 Configuring Global Strict ARP Entry Learning

Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp learning strict

Global strict ARP entry learning is configured. By default, strict ARP learning is disabled. After the arp learning strict command is run, the router learns ARP entries only from reply packets that answer ARP requests the router itself sent; unsolicited requests and replies do not create entries.
----End

2.2.3 Configuring Strict ARP Entry Learning on Interfaces



Context
Do as follows on the router whose ARP entries are to be prevented from being attacked:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The NE5000E supports strict ARP entry learning on the following interfaces:
- Ethernet interfaces and their sub-interfaces
- Eth-Trunk interfaces and their sub-interfaces

Step 3 Run:
arp learning strict { force-enable | force-disable | trust }

Strict ARP entry learning is configured on the interface.

NOTE

- If force-enable is specified, the interface learns ARP entries only from reply packets that answer ARP requests the router itself sent.
- If force-disable is specified, strict ARP entry learning on the interface is disabled.
- If trust is specified, the interface-level setting is removed and the interface follows the strict ARP entry learning policy configured globally.

Strict ARP entry learning follows the longest-match rule:
- If strict ARP entry learning is configured both on the interface and globally, the interface configuration takes precedence.
- If strict ARP entry learning is not configured on the interface, the global configuration applies.

----End

2.2.4 Checking the Destination IP Addresses of ARP Packets


Context
Do as follows on the router whose ARP entries are to be prevented from being attacked:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The NE5000E supports the check of the destination IP address of ARP packets on the following interfaces:
- Ethernet interfaces and sub-interfaces
- GE interfaces and sub-interfaces
- Eth-Trunk interfaces and sub-interfaces

Step 3 Run:
arp check-destination-ip enable

Checking of the destination IP address of ARP packets is enabled. The arp check-destination-ip enable command protects the CPU. After it is run, the system checks whether the destination IP address of each ARP packet received on the interface is correct. Packets with a correct destination IP address are sent to the CPU; the others are discarded.
----End

2.2.5 Configuring Speed Limit for ARP Packets


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp speed-limit destination-ip maximum maximum slot slot-id

The speed limit for ARP packets is configured. The maximum value is the number of ARP packets per second, counted per destination IP address, that the specified slot accepts; packets in excess of it are discarded. The example in 2.4.1 limits the speed to 50 packets per second.
----End

2.2.6 Configuring Interface-based ARP Entry Restriction


Context
Do as follows on the router that needs to be configured with ARP security features:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed. The following interfaces are supported:
- Layer 3 Ethernet interfaces and sub-interfaces
- Layer 3 GE interfaces and sub-interfaces
- Layer 3 Eth-Trunk interfaces and sub-interfaces

Step 3 Run:
arp-limit maximum maximum

Interface-based ARP entry restriction is configured. If the number of ARP entries already learnt on the interface exceeds the limit being configured, the existing entries are kept, but no new ARP entries are learnt.
----End

2.2.7 Checking the Configuration


Prerequisite
The configurations for preventing attacks on ARP entries are complete.

Procedure
- Run the display arp speed-limit destination-ip [ slot slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the speed limit for ARP packets.
- Run the display arp-limit [ interface interface-type interface-number ] command to check the limit on the number of ARP entries on an interface.

----End

Example
Run the display arp speed-limit destination-ip [ slot slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the timestamp suppression rate configured for ARP packets. For example:
<HUAWEI> display arp speed-limit destination-ip slot 3
Slot  SuppressType  SuppressValue
---------------------------------------------------
3     ARP           500

Run the display arp-limit [ interface interface-type interface-number ] command to check the limit on the number of ARP entries configured on an interface.
<HUAWEI> display arp-limit
Interface             LimitNum  VlanID  LearnedNum(Mainboard)
---------------------------------------------------------------------------
Eth-Trunk0            100       124     0
Eth-Trunk0            100       125     0
GigabitEthernet2/0/1  16384     0       0
GigabitEthernet4/0/1  100       0       0
GigabitEthernet4/0/2  16384     124     0
---------------------------------------------------------------------------

2.3 Maintaining the ARP Security

This section describes how to display and clear statistics about ARP packets and how to debug ARP packets.
2.3.1 Displaying Statistics About ARP Packets
2.3.2 Clearing Statistics About ARP Packets
2.3.3 Debugging ARP Packets

2.3.1 Displaying Statistics About ARP Packets


Procedure
Step 1 Run the display arp packet statistics [ slot slot-id ] command to check statistics about ARP packets.
----End

Example
Run the display arp packet statistics [ slot slot-id ] command to check the statistics about ARP packets. For example:
<HUAWEI> display arp packet statistics
ARP Pkt Received:                      sum 23
ARP-Miss Msg Received:                 sum 0
ARP Learnned Count:                    sum 8
ARP Pkt Discard For Limit:             sum 5
ARP Pkt Discard For SpeedLimit:        sum 0
ARP Pkt Discard For Other:             sum 10
ARP-Miss Msg Discard For SpeedLimit:   sum
ARP-Miss Msg Discard For Other:        sum 0

2.3.2 Clearing Statistics About ARP Packets


Context

CAUTION
Statistics about ARP packets cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
- Run the reset arp packet statistic [ slot slot-id ] command in the user view to clear statistics about ARP packets.

----End

2.3.3 Debugging ARP Packets


Context

CAUTION
Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately. For the procedure of displaying the debugging information, refer to the chapter Maintenance and Debugging in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For explanations of the debugging commands, refer to the NE5000E Core Router Command Reference.

Procedure
- Run the debugging arp packet [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packets.
- Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command in the user view to debug ARP packet processing.

----End

2.4 Configuration Examples

This section provides configuration examples of the ARP security features.
2.4.1 Example for Preventing Attacks on ARP Entries

2.4.1 Example for Preventing Attacks on ARP Entries


Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.
As shown in Figure 2-1, a carrier accesses the core network through two routers. ARP security features need to be configured on both routers to prevent the devices attached to them from attacking ARP entries.

Figure 2-1 Networking diagram of preventing attacks on ARP entries (RouterA and RouterB connected to the core network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP entry learning.
2. Configure a speed limit for ARP packets.
3. Configure interface-based ARP entry restriction.

Data Preparations
To complete the configuration, you need the following data:
- Timestamp suppression rate of ARP packets and the slot numbers
- Limit on the number of ARP entries

Procedure
Step 1 Configure strict ARP entry learning.
<RouterA> system-view
[RouterA] arp learning strict

Step 2 Configure the destination-IP-based speed limit for ARP packets on each slot that connects to the attached devices. The speed is limited to 50 packets per second. Take slot 1 as an example.
[RouterA] arp speed-limit destination-ip maximum 50 slot 1

Step 3 Restrict the number of ARP entries on each interface that connects to the attached devices to 20. Take GE 1/0/0 as an example.
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] arp-limit maximum 20
[RouterA-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration. Use a packet-generation tool to send unsolicited ARP request packets to Router A, and then run the display arp all command on Router A. The senders of those unsolicited requests do not appear as learnt entries, because strict ARP entry learning creates entries only from replies to requests the router itself sent.
<RouterA> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/CEVLAN  PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I     GE0/0/0
100.1.1.180     000d-88f4-d06b  9         D-0   GE0/0/0
100.1.1.24      0013-d326-ab88  9         D-0   GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0   GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0   GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0   GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0   GE0/0/0
32.1.1.1        0088-0010-000a            I     GE3/0/9
24.1.1.1        0088-0010-0009            I     GE3/0/8
10.1.1.1        0088-0010-0003            I     GE3/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3   GE3/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on the routers to view the configured speed limit.
<RouterA> display arp speed-limit destination-ip slot 1
Slot  SuppressType  SuppressValue
---------------------------------------------------
1     ARP           50

Run the display arp packet statistics command on the routers to view the number of discarded ARP packets and learnt ARP entries.
<RouterA> display arp packet statistics
ARP Pkt Received:                      sum 23
ARP-Miss Msg Received:                 sum 0
ARP Learnned Count:                    sum 8
ARP Pkt Discard For Limit:             sum 5
ARP Pkt Discard For SpeedLimit:        sum 0
ARP Pkt Discard For Other:             sum 10
ARP-Miss Msg Discard For SpeedLimit:   sum
ARP-Miss Msg Discard For Other:        sum 0

----End
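How the mechanisms of 2.2.2 to 2.2.6 interact on one router, as an added example that is not part of this guide and not NE5000E software: the Python below models strict learning (global and per interface), the destination-IP check, the per-slot speed limit and the per-interface entry limit, and applies them to constructed packets in a fixed order. The interface names, addresses and MAC addresses are sample values. The one-second measurement window of the speed limit, the order in which the checks run, and the counter under which the real router books a packet that strict learning refuses to learn from are all assumptions; the page does not state them.

```python
"""Added example: a model of the ARP-security mechanisms configured in this chapter."""
from collections import deque
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int        # ARP_REQUEST or ARP_REPLY
    sender_ip: str
    sender_mac: str
    target_ip: str
    interface: str     # receiving interface, for example "GE1/0/0"
    slot: int          # slot of the receiving LPU


class ArpSecurityRouter:
    """Models arp learning strict (global and per interface), arp check-destination-ip enable,
    arp speed-limit destination-ip maximum N slot S, and arp-limit maximum N on one router."""

    def __init__(self, local_ips):
        self.local_ips = dict(local_ips)   # interface -> the router's own address on it
        self.strict_global = False
        self.strict_interface = {}         # interface -> force-enable | force-disable | trust
        self.check_dst_ip = set()          # interfaces with destination-IP checking
        self.speed_limit = {}              # slot -> max ARP packets per second per destination IP
        self.entry_limit = {}              # interface -> max learnt entries
        self.table = {}                    # (interface, ip) -> mac
        self.pending = set()               # (interface, ip) of requests this router sent
        self._window = {}                  # (slot, target_ip) -> arrival times in the last second
        # Counter names follow display arp packet statistics; which counter the real router
        # uses for a packet that strict learning refuses to learn from is an assumption.
        self.stats = dict(received=0, learned=0, discard_limit=0, discard_speedlimit=0,
                          discard_other=0, not_learned_strict=0)

    # Configuration knobs, one per CLI command in section 2.2.
    def arp_learning_strict(self, enable=True):
        self.strict_global = enable

    def interface_arp_learning_strict(self, interface, mode):
        if mode not in ("force-enable", "force-disable", "trust"):
            raise ValueError(mode)
        self.strict_interface[interface] = mode

    def arp_check_destination_ip_enable(self, interface):
        self.check_dst_ip.add(interface)

    def arp_speed_limit(self, slot, maximum):
        self.speed_limit[slot] = maximum

    def arp_limit(self, interface, maximum):
        self.entry_limit[interface] = maximum

    def send_request(self, interface, target_ip):
        """The router itself asks for target_ip; in strict mode only that reply may be learnt."""
        self.pending.add((interface, target_ip))

    def _strict(self, interface):
        mode = self.strict_interface.get(interface, "trust")   # interface setting wins over global
        return self.strict_global if mode == "trust" else mode == "force-enable"

    def _over_speed_limit(self, pkt, now):
        limit = self.speed_limit.get(pkt.slot)
        if limit is None:
            return False
        window = self._window.setdefault((pkt.slot, pkt.target_ip), deque())
        while window and now - window[0] >= 1.0:      # one-second window (assumption)
            window.popleft()
        if len(window) >= limit:
            return True
        window.append(now)
        return False

    def receive(self, pkt, now=0.0):
        """Apply the checks in order and return what happened to the packet."""
        self.stats["received"] += 1
        if pkt.interface in self.check_dst_ip and pkt.target_ip != self.local_ips.get(pkt.interface):
            self.stats["discard_other"] += 1
            return "discard:destination-ip"
        if self._over_speed_limit(pkt, now):
            self.stats["discard_speedlimit"] += 1
            return "discard:speed-limit"
        key = (pkt.interface, pkt.sender_ip)
        if self._strict(pkt.interface) and (pkt.opcode != ARP_REPLY or key not in self.pending):
            self.stats["not_learned_strict"] += 1     # still processed, but no entry is created
            return "not-learned:strict"
        limit = self.entry_limit.get(pkt.interface)
        if limit is not None and key not in self.table:
            if sum(1 for ifc, _ in self.table if ifc == pkt.interface) >= limit:
                self.stats["discard_limit"] += 1      # existing entries stay, no new one is added
                return "discard:arp-limit"
        self.table[key] = pkt.sender_mac
        self.pending.discard(key)
        self.stats["learned"] += 1
        return "learned"


def simulate_scan(router, count, interface, slot, target_ip, start=0.0):
    """Send count unsolicited requests from distinct (constructed) hosts within one second."""
    outcomes = {}
    for i in range(count):
        pkt = ArpPacket(ARP_REQUEST, f"192.0.2.{i}", f"00e0-fc00-{i:04x}", target_ip, interface, slot)
        result = router.receive(pkt, now=start + i / (count * 2))
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


if __name__ == "__main__":
    router = ArpSecurityRouter({"GE1/0/0": "10.1.1.1"})   # the 2.4.1 setup; address is constructed
    router.arp_learning_strict()
    router.arp_speed_limit(1, 50)
    router.arp_limit("GE1/0/0", 20)
    print(simulate_scan(router, 60, "GE1/0/0", 1, "10.1.1.1"), router.stats)
```

Running the 2.4.1 configuration against a 60-host scan shows the division of labour: the speed limit on slot 1 drops the ten packets beyond 50 per second, strict learning refuses to create an entry from any of the other 50, and the arp-limit of 20 only matters once strict learning is off, as in the second router of the test.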

Configuration Files
The configuration file of Router A is as follows:
#
 sysname RouterA
#
arp learning strict
arp speed-limit destination-ip maximum 50 slot 1
#
interface GigabitEthernet1/0/0
 arp-limit maximum 20
#
return

3 URPF Configuration

About This Chapter

This chapter describes how to configure Unicast Reverse Path Forwarding (URPF).

3.1 Overview to URPF
This section describes the basic concepts of Unicast Reverse Path Forwarding (URPF).

3.2 Configuring URPF
This section describes how to configure URPF.

3.3 Maintaining the URPF
This section describes how to clear the statistics on URPF.

3.4 Configuration Example
This section provides a configuration example of URPF.


3.1 Overview to URPF

This section describes the basic concepts of Unicast Reverse Path Forwarding (URPF).
3.1.1 Introduction to URPF
3.1.2 URPF Supported by the NE5000E

3.1.1 Introduction to URPF

URPF aims at preventing source address spoofing attacks across the network. For each incoming packet, URPF takes the source address and the inbound interface, looks the source address up in the forwarding table as if it were a destination address, and checks whether the outbound interface of the matching route is the interface the packet arrived on. If they do not match, the source address is treated as spoofed and the packet is dropped. In this way, URPF keeps the network away from attacks that rely on forged source addresses. Figure 3-1 shows one such attack.

Figure 3-1 Schematic diagram of the source address spoofing attack (RouterA, 1.1.1.1/24, sends a packet with source address 2.1.1.1/24 to RouterB; RouterC actually owns 2.1.1.1/24)

Router A generates a packet with the forged source IP address 2.1.1.1 and sends it to Router B. Router B sends its response to Router C, whose IP address actually is 2.1.1.1. In this way, Router A attacks both Router B and Router C with a single illegal packet. URPF is applied on the upstream inbound interfaces of a router in two application environments: single-homed client and multi-homed client.
- Single-homed client
  Figure 3-2 shows the connection between the client and the aggregation router of the ISP. Enable URPF on GE 1/0/0 of the ISP router to protect the router and the Internet from source address spoofing attacks coming from the client network.

Figure 3-2 URPF applied on a single-homed client (ISP aggregation router with URPF on GE1/0/0 facing the client, source address 169.1.1.1/24; GE2/0/0 and GE3/0/0 lead upstream)


- Multi-homed client
  URPF can be applied when multiple connections exist between the client and the ISP, as shown in Figure 3-3. For URPF to work correctly, a packet from the client to a host on the Internet must take the same link (between the client and the ISP router) as the packet from that host back to the client; that is, routing must be symmetric. Otherwise, URPF discards some legitimate packets because of mismatched interfaces.

Figure 3-3 Application environment of the URPF multi-homed client (labels: packet path, route path, RouterA, RouterB, RouterC, Enterprise, ISP, URPF)

- Multi-homed client and multiple ISPs
  URPF can be applied when a client is connected to multiple ISPs, as shown in Figure 3-4. Here too, route symmetry must be ensured. URPF in this scenario has the following features:
  - If route symmetry cannot be ensured, you can use loose checking: as long as a route to the source address exists, the packet passes.
  - The routers of users may have only a default route to the router of an ISP. Therefore, matching the default route entry must be supported.
  - As the security mechanism at the ingress, URPF performs better than a traditional firewall.

Figure 3-4 Applicable environment of multi-homed client and multiple ISPs (labels: ISP A and ISP B connected to the Internet, RouterA and RouterB with URPF, RouterC, Enterprise)

3.1.2 URPF Supported by the NE5000E


Currently, the NE5000E can carry out the URPF check in loose mode or in strict mode in the interface view or traffic behavior view, and by default, packets that match the default route are allowed to pass the URPF check. In addition, the LPUB and LPUC support the LPU-based URPF check. If URPF is enabled in the interface view, the URPF check is performed on all the traffic over the interface. If URPF is enabled in the traffic behavior view, the URPF check is performed along with the traffic policy on the traffic complying with certain rules.

3.2 Configuring URPF


This section describes the method for configuring Unicast Reverse Path Forwarding (URPF).
3.2.1 Establishing the Configuration Task
3.2.2 Configuring LPU-based URPF
3.2.3 Configuring URPF on an Interface
3.2.4 Configuring Flow-based URPF
3.2.5 Checking the Configuration

3.2.1 Establishing the Configuration Task


Applicable Environment
To prevent source address spoofing attacks across the network, configure URPF to check whether source IP addresses of packets match the inbound interfaces. If the source IP address matches with the inbound interface, the source IP address is considered as legal and the packet is allowed to pass; otherwise, the source IP address is considered as a pseudo one and the packet is discarded.

Preconfigured Tasks
Before configuring URPF, complete the following tasks:
- Configuring the link attributes of the interface
- Configuring an IP address for the interface

Data Preparations
To configure URPF, you need the following data.

No.  Data
1    Number of the interface where URPF is to be enabled


3.2.2 Configuring LPU-based URPF


Context
Do as follows on the router:
NOTE

Only the LPUB and LPUC support LPU-based URPF.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
slot slot-id

The slot view is displayed.
Step 3 Run:
ip urpf loose

The URPF loose check is enabled on the LPU. In loose mode, packets pass the URPF check as long as the forwarding table contains an entry for the source address; the interface that actually receives the packets need not match the interface in the forwarding table.
NOTE

If only LPU-based URPF is configured, all the interfaces on this LPU use the URPF configuration of the LPU to perform the check. If interface-based URPF is also configured, those interfaces use their own URPF configuration to perform the check.

----End

3.2.3 Configuring URPF on an Interface


Context
Do as follows on the router.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.



The interface supporting the URPF check can be an Ethernet interface, Ethernet sub-interface, GigabitEthernet interface, GigabitEthernet sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, IP-Trunk interface, or POS interface.
Step 3 Run:
ip urpf { loose | strict } [ allow-default ]

URPF is enabled on the interface. If loose is selected, the URPF loose check is performed: the packet passes the URPF check when the forwarding table contains an entry for its source address; the interface need not match. If strict is selected, the URPF strict check is performed: the packet passes the URPF check only when the forwarding table contains an entry for its source address and the outbound interface of that entry matches the interface on which the packet was received.
----End
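The loose and strict checks described here, together with the allow-default keyword and the multi-homed route-asymmetry case from 3.1.1, worked through as an added example that is not code from this guide or from the NE5000E: a Python simulation over a constructed forwarding table. The prefixes, interface names and FIB contents are constructed for the example.

```python
"""Simulation of the URPF loose and strict checks over a small forwarding table."""
import ipaddress


class ForwardingTable:
    """Minimal FIB: (prefix, outbound interface) entries with longest-prefix match."""

    def __init__(self, routes):
        # routes: iterable of (prefix string, outbound interface name); a
        # 0.0.0.0/0 entry is the default route
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, address):
        """Return (prefix, outbound interface) of the longest match, or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, iface in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best


def urpf_check(fib, src, in_iface, mode, allow_default=False):
    """Reverse-path check of a packet's source address; returns (passed, reason).

    mode "loose": a forwarding entry for the source must exist.
    mode "strict": in addition, that entry's outbound interface must be the
    interface the packet arrived on.
    allow_default models the allow-default keyword: whether a source that matches
    only the default route counts as having a forwarding entry.
    """
    hit = fib.lookup(src)
    if hit is None:
        return False, "no forwarding entry for source"
    prefix, out_iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "loose":
        return True, "loose: forwarding entry exists"
    if mode == "strict":
        if out_iface == in_iface:
            return True, "strict: inbound interface matches the forwarding entry"
        return False, f"strict: source reached via {out_iface}, packet arrived on {in_iface}"
    raise ValueError(f"unknown URPF mode {mode!r}")


# Constructed FIB of the ISP aggregation router in the single-homed case:
# the client network is reached via GE1/0/0, everything else via the upstream.
ISP_FIB = ForwardingTable([("169.1.1.0/24", "GE1/0/0"), ("0.0.0.0/0", "GE2/0/0")])

# Constructed FIB of an ISP router in the multi-homed case: the enterprise prefix
# is routed over LinkA, but the enterprise may send some traffic over LinkB.
MULTIHOMED_FIB = ForwardingTable([("192.0.2.0/24", "LinkA"), ("0.0.0.0/0", "Upstream")])


def demo_cases():
    """Run the cases discussed in the text; returns {case name: passed}."""
    cases = {
        # legitimate client packet on the client-facing interface
        "client_strict": urpf_check(ISP_FIB, "169.1.1.7", "GE1/0/0", "strict"),
        # the client's address spoofed from the upstream side: strict drops, loose passes
        "spoof_from_upstream_strict": urpf_check(ISP_FIB, "169.1.1.7", "GE2/0/0", "strict"),
        "spoof_from_upstream_loose": urpf_check(ISP_FIB, "169.1.1.7", "GE2/0/0", "loose"),
        # a source covered only by the default route passes only with allow-default
        "default_only_loose": urpf_check(ISP_FIB, "10.0.0.5", "GE1/0/0", "loose"),
        "default_only_allow_default": urpf_check(ISP_FIB, "10.0.0.5", "GE1/0/0", "loose", True),
        # route asymmetry on a multi-homed client: strict discards a normal packet
        "asymmetric_strict": urpf_check(MULTIHOMED_FIB, "192.0.2.9", "LinkB", "strict"),
        "asymmetric_loose": urpf_check(MULTIHOMED_FIB, "192.0.2.9", "LinkB", "loose"),
    }
    return {name: passed for name, (passed, _reason) in cases.items()}


if __name__ == "__main__":
    for name, passed in demo_cases().items():
        print(f"{name:30s} {'pass' if passed else 'drop'}")
```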

3.2.4 Configuring Flow-based URPF


Context
Do as follows on the router:

Procedure
- Defining a traffic class
1. Run:
system-view

The system view is displayed.
2. Run:
traffic classifier classifier-name [ operator { and | or } ]

The traffic class is defined and its view is displayed.
3. Perform the following as required.

Run the if-match acl acl-number command to set the ACL-based rule.
Run the if-match dscp dscp-value command to set the DSCP-based rule.
Run the if-match tcp syn-flag tcpflag-value command to set the TCP-flag-based rule.
Run the if-match source-mac mac-address command to set the rule based on the source MAC address of the packet.
Run the if-match destination-mac mac-address command to set the rule based on the destination MAC address of the packet.
Run the if-match ip-precedence ip-precedence command to set the rule based on the IP precedence of the packet.
Run the if-match any command to set the rule matching all packets.

You can select one or several matching rules in Step 3 as required.
- Configuring a traffic behavior and enabling URPF



1. Run:
system-view

The system view is displayed.
2. Run:
traffic behavior behavior-name

The traffic behavior is defined and its view is displayed.
3. Run:
ip urpf { loose | strict } [ allow-default ]

URPF is enabled.
- Defining a traffic policy and associating the traffic class with the traffic behavior
1. Run:
system-view

The system view is displayed.
2. Run:
traffic policy policy-name

The traffic policy is defined and its view is displayed.
3. Run:
classifier classifier-name behavior behavior-name

The traffic class is associated with the traffic behavior in the traffic policy.
- Applying the traffic policy
1. Run:
system-view

The system view is displayed.
2. Run:
interface interface-type interface-number

The interface view is displayed. The observing port of the LPU where the interface resides must already be configured.
3. Run:
traffic-policy policy-name { inbound | outbound }

The traffic policy is applied on the interface.
----End

3.2.5 Checking the Configuration


Procedure
Step 1 Run:
display ip urpf discard statistics [ slot slot-id ]

The statistics on the packets discarded through the URPF check on an LPU are displayed.
----End

Example
After the configuration is complete, run the display ip urpf discard statistics [ slot slot-id ] command to view statistics on the packets discarded through the URPF check on an LPU. For example, run the display ip urpf discard statistics command to view statistics on the packets discarded by the URPF check on all LPUs of the router.
<HUAWEI> display ip urpf discard statistics
slot    Discard-packets
--------------------------------------------
1       0
2       0
3       300
5       160

3.3 Maintaining the URPF


This section describes how to clear the statistics on URPF.
3.3.1 Resetting the Statistics of URPF

3.3.1 Resetting the Statistics of URPF


Context

CAUTION
Once the statistics of the packets discarded through URPF check are cleared, they cannot be restored. Confirm the action before you use the command.

Procedure
Step 1 Run:
reset ip urpf discard statistics [ slot slot-id ]

The statistics of the packets discarded through the URPF check are cleared.
----End

3.4 Configuration Example


This section provides a configuration example of URPF.
3.4.1 Example for Configuring URPF

3.4.1 Example for Configuring URPF


This section provides a configuration example of URPF.

Networking Requirements

CAUTION
For the NE5000E, an interface is numbered as slot number/card number/interface number. For the NE5000E cluster, an interface is numbered as chassis ID/slot number/card number/interface number, and the slot number is chassis ID/slot ID.

In this example, URPF is enabled on the inbound interface of the ISP. As shown in Figure 3-5, the client Router A connects to Router B (a router in the ISP network). Enable URPF on GE 1/0/0 of Router B: configure the URPF strict check on Router B and let packets whose source IP address matches ACL 2010 pass the check at any time. Also enable URPF on GE 1/0/0 of Router A and configure the URPF strict check there.

Figure 3-5 Networking diagram of configuring URPF
(Figure not reproduced. It shows the network segment 10.1.1.0/24 behind Router A; GE1/0/0 of Router A, 172.19.139.1/30, connects to GE1/0/0 of Router B, 172.19.139.2/30, in the ISP network.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a traffic policy on the router in the ISP network, allowing the traffic from the specified network segment to pass the URPF check.
2. Configure an IP address for the interface on Router A and enable URPF on the interface.

Data Preparations
To configure URPF, you need the following data:
- IP address of each interface
- Network segments that can pass the URPF check

Procedure
Step 1 Configure Router B.
# Configure ACL 2010, allowing the traffic from the network segment 10.1.1.0/24 to pass the URPF check.
<RouterB> system-view
[RouterB] acl number 2010
[RouterB-acl-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-basic-2010] quit

# Configure a traffic class and define an ACL rule.
[RouterB] traffic classifier classifier1
[RouterB-classifier-classifier1] if-match acl 2010
[RouterB-classifier-classifier1] quit

# Define a traffic behavior and enable the URPF function.
[RouterB] traffic behavior behavior1
[RouterB-behavior-behavior1] ip urpf strict
[RouterB-behavior-behavior1] quit

# Define a traffic policy and associate the traffic class with the traffic behavior.
[RouterB] traffic policy policy1
[RouterB-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[RouterB-trafficpolicy-policy1] quit

# Apply the traffic policy to an interface.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip address 172.19.139.2 255.255.255.252
[RouterB-GigabitEthernet1/0/0] traffic-policy policy1 inbound

Step 2 Configure Router A.
# Configure GE 1/0/0.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.19.139.1 255.255.255.252

# Enable URPF on GE 1/0/0 and set the URPF check mode to strict.
[RouterA-GigabitEthernet1/0/0] ip urpf strict

----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.1 255.255.255.252
 ip urpf strict
#
return

- Configuration file of Router B
#
 sysname RouterB
#
acl number 2010
 rule 5 permit source 10.1.1.0 0.0.0.255
#
traffic classifier classifier1 operator or
 if-match acl 2010
#
traffic behavior behavior1
 ip urpf strict
#
traffic policy policy1
 classifier classifier1 behavior behavior1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.19.139.2 255.255.255.252
 traffic-policy policy1 inbound
#
return


4 Configuration of Local Attack Defense


About This Chapter


This chapter describes the configuration and application of local attack defense.
4.1 Overview to Local Attack Defense
This section describes the principle and applications of local attack defense.
4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding
This section describes how to configure attack defense tracing and enable alarming for packet discarding.
4.3 Configuring Local URPF
This section describes how to configure local URPF.
4.4 Configuring TCP/IP Attack Defense
This section describes how to configure TCP/IP attack defense.
4.5 Configuring CAR
This section describes how to configure CAR.
4.6 Configuring Application Layer Association
This section describes how to configure application layer association.
4.7 Configuring Management/Control Plane Protection
This section describes how to configure management/control plane protection.
4.8 Maintaining Local Attack Defense
This section describes how to clear the statistics on attack defense.
4.9 Configuration Example
This section provides a configuration example of local attack defense.


4.1 Overview to Local Attack Defense


This section describes the principle and applications of local attack defense.
4.1.1 Introduction to Local Attack Defense
4.1.2 Local Attack Defense Supported by the NE5000E
4.1.3 Applications of Local Attack Defense

4.1.1 Introduction to Local Attack Defense


With the development and wide application of networks, higher and higher requirements are posed for network security and device security. On the network, a large number of packets of various types, including malicious attack packets, need to be sent to the Central Processing Unit (CPU). The more packets are sent to the CPU, the higher the CPU usage and the lower the CPU performance; in this case, services are interrupted. Malicious packets that aim at attacking the CPU keep the CPU busy processing the attack packets for a long period, so other normal services are interrupted and the system may even fail. To protect the CPU and keep it processing normal services, the packets to be sent to the CPU must be restricted: check the packets before sending them and take actions to ensure that the CPU can process normal services. For example, send only the packets that must be processed by the CPU, limit the rate at which packets are sent to the CPU, and do not send defective packets.

4.1.2 Local Attack Defense Supported by the NE5000E


The NE5000E protects the CPU through the following mechanisms.

Attack Source Tracing


The attack source tracing function is used to record the attack packets when a router is attacked or packet loss occurs on a router, providing a basis for attack location and attack defense. To ensure that the router can record the attack packets in real time, deploy the attack source tracing function before other features are deployed.

Local URPF
The local URPF function is used to check only the packets to be sent to the CPU, thereby preventing the CPU from processing excessive packets and ensuring the ideal system performance of the router.

TCP/IP Attack Defense


The TCP/IP protocol suite is prone to attacks because of its own defects. The TCP/IP attack defense function filters malformed packets and UDP flood packets before they reach the CPU, thereby ensuring that only valid packets are sent to the CPU for processing.

CAR
The Committed Access Rate (CAR) function is used to check the packets to be sent to the CPU based on the Generalized TTL Security Mechanism (GTSM). If the packets pass the GTSM check, the router takes mapped CAR actions by matching them with the whitelist, blacklist, and user-defined flow in order. In this manner, invalid packets can be filtered and the transmission rate of the packets is limited, thereby ensuring the processing of normal services.

Application Layer Association


A router runs a large number of diverse application layer protocols; however, only some of them are required in a given networking scenario. For the protocols that need not be enabled, their packets need not be sent to the CPU; otherwise, CPU resources are wasted and the CPU may even be attacked. The NE5000E determines whether to send protocol packets to the CPU based on the application layer association function. After this function is enabled, only the packets of an enabled application layer protocol are sent to the CPU. The packets of protocols that are not enabled are directly discarded, thereby minimizing security vulnerabilities, reducing flood attacks, and enhancing the security of the router.

Management/Control Plane Protection


With management/control plane protection, the router allows only management interfaces to receive management packets; non-management interfaces directly discard management packets. The NE5000E lets users set rules for sending the packets of different protocols according to the networking scenario, and supports global, slot-based, and interface-based policies for management/control plane protection to achieve the required protection granularity. To ensure that the router can still be managed even when all the user-defined management interfaces have become invalid, the NE5000E supports automatic invalidation of the management interfaces, so that users can re-define management interfaces to manage the router.

Smallest Packet Compensation


The NE5000E can efficiently defend the network against attacks with small packets by using the smallest packet compensation function. After receiving the packets to be sent to the CPU, the system checks the packet length.
- When the length of a packet is shorter than the preset minimum packet length, the system calculates the transmission rate of the packet using the preset minimum length.
- When the length of a packet is longer than the preset minimum packet length, the system calculates the transmission rate of the packet using the actual packet length.

4.1.3 Applications of Local Attack Defense


The NE5000E defines a default attack defense policy. This policy cannot be modified or deleted. When a router starts, the default attack defense policy is automatically applied to the LPU. Configurations in the default policy are the default configurations of each feature. When a user requires a self-defined attack defense policy, the user only needs to create an attack defense policy, modify the configurations of the required features, and then apply this policy to the LPU. For the features that are not configured by the user, the configurations in the default attack defense policy are adopted.

By default, a router processes the packets to be sent to the CPU in the following steps:
1. After receiving packets, the router first performs the URPF check. If the packets pass the URPF check, the router continues to send them to the CPU.
2. The router then checks the packets to be sent to the CPU through TCP/IP attack defense. If the packets pass the TCP/IP attack defense check, the router continues to send them to the CPU.
3. The router performs the GTSM check on the packets to be sent to the CPU. It continues to send only the packets that have passed the GTSM check.
4. For the packets passing the GTSM check, the router classifies them based on ACL rules and matches them with the whitelist, blacklist, and user-defined flows in order. If the packets match the whitelist, the router continues to send the packets; otherwise, the router matches them with the blacklist. If the packets match the blacklist, the router processes them based on the rules defined in the blacklist; if the packets do not match the blacklist, the router matches them with the user-defined flows. If the packets match the user-defined flows, the router processes them based on the rules defined in the user-defined flows. If the packets do not match any rule, the router directly sends them to the CPU.
5. The router processes the received packets based on CAR to limit the transmission rate and bandwidth of the packets to be sent to the CPU.
6. The router checks the received packets based on application layer association. It sends only the packets for the enabled protocols.
7. The non-management interfaces directly discard the management packets.
8. The attack source tracing function records the discarded packets for problem location and analysis. In addition, users can also enable alarming for packet discarding. When the number of discarded packets exceeds the preset alarm threshold, the router generates an alarm and sends a trap message to the Network Management Station (NMS).

In the application of local attack defense, note that:
- Configuring attack defense policies is a prerequisite for configuring the local attack defense function (including mechanisms such as CAR, attack defense tracing, and application layer association). In other words, the local attack defense function can be configured only after an attack defense policy is configured.
- An attack defense policy takes effect only when it is applied to an LPU, and only one attack defense policy can be applied to an LPU.
- Enabling local attack defense on the NE5000E does not degrade data forwarding performance.
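The processing order above, together with the CAR step and smallest packet compensation from 4.1.2, worked through as an added example that is not the NE5000E's implementation: a Python simulation that runs a constructed packet mix through the steps in the documented order and records each discard the way attack source tracing would. The policy values, protocol names, the blacklist rule (discard) and the GTSM TTL threshold are constructed assumptions.

```python
"""Simulation of the order in which local attack defense handles CPU-bound packets."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str                      # source IP address
    proto: str                    # application layer protocol, e.g. "bgp", "telnet"
    length: int                   # frame length in bytes
    ttl: int
    in_iface: str
    malformed: bool = False       # would be caught by TCP/IP attack defense
    source_routable: bool = True  # stands in for the local URPF lookup result


@dataclass
class DefendPolicy:               # constructed stand-in for a cpu-defend policy
    whitelist: set                # sources always forwarded to the CPU
    blacklist: set                # sources discarded (the blacklist rule assumed here)
    gtsm_min_ttl: dict            # proto -> minimum accepted TTL (GTSM)
    flow_rate: dict               # flow name -> CAR budget in bytes per interval
    enabled_protocols: set        # application layer association
    management_protocols: set     # accepted only on management interfaces
    management_interfaces: set
    min_packet_length: int = 64   # smallest packet compensation


class CpuDefend:
    """Runs packets through one CAR measurement interval in the documented order."""
    def __init__(self, policy):
        self.policy = policy
        self.car_used = {}  # flow name -> bytes charged so far in this interval
        self.trace = []     # attack source tracing: (drop reason, packet)

    def _drop(self, reason, pkt):
        self.trace.append((reason, pkt))
        return False

    def _car_length(self, pkt):
        # Smallest packet compensation: a frame shorter than the configured minimum is
        # charged at the minimum, so a flood of tiny packets cannot stay under the limit.
        return max(pkt.length, self.policy.min_packet_length)

    def classify(self, pkt):
        """Step 4: whitelist, then blacklist, then user-defined flows, else default."""
        if pkt.src in self.policy.whitelist:
            return "whitelist"
        if pkt.src in self.policy.blacklist:
            return "blacklist"
        return pkt.proto if pkt.proto in self.policy.flow_rate else "default"

    def accept(self, pkt):
        """Return True if the packet reaches the CPU, False if it is discarded."""
        p = self.policy
        if not pkt.source_routable:                          # 1. local URPF
            return self._drop("urpf", pkt)
        if pkt.malformed:                                    # 2. TCP/IP attack defense
            return self._drop("tcpip-defend", pkt)
        if pkt.ttl < p.gtsm_min_ttl.get(pkt.proto, 0):       # 3. GTSM
            return self._drop("gtsm", pkt)
        flow = self.classify(pkt)                            # 4. ACL classification
        if flow == "blacklist":
            return self._drop("blacklist", pkt)
        budget = p.flow_rate.get(flow)                       # 5. CAR for the matched flow
        if budget is not None:
            used = self.car_used.get(flow, 0) + self._car_length(pkt)
            if used > budget:
                return self._drop("car:" + flow, pkt)
            self.car_used[flow] = used
        if pkt.proto not in p.enabled_protocols:             # 6. application layer association
            return self._drop("application-apperceive", pkt)
        if pkt.proto in p.management_protocols and pkt.in_iface not in p.management_interfaces:
            return self._drop("ma-defend", pkt)              # 7. management-plane protection
        return True


# Constructed policy: BGP peers are directly connected (TTL 255 expected), the
# bgp flow gets 200 bytes per interval, telnet is accepted only on GE1/0/0.
DEMO_POLICY = DefendPolicy(
    whitelist={"10.0.0.1"}, blacklist={"192.0.2.66"}, gtsm_min_ttl={"bgp": 255},
    flow_rate={"bgp": 200, "whitelist": 1000, "default": 500},
    enabled_protocols={"bgp", "telnet", "ntp"},
    management_protocols={"telnet"}, management_interfaces={"GE1/0/0"},
)


def demo():
    """Push a constructed packet mix through one interval; returns (verdicts, drop reasons)."""
    d = CpuDefend(DEMO_POLICY)
    bgp = Packet("10.0.0.2", "bgp", 40, 255, "GE2/0/0")
    v = {"bgp_ok": d.accept(bgp)}
    # 40-byte packets are charged as 64 bytes: the 200-byte bgp budget admits 3, not 5
    v["bgp_tiny_flood"] = [d.accept(bgp) for _ in range(3)]
    v["bgp_bad_ttl"] = d.accept(Packet("10.0.0.2", "bgp", 40, 200, "GE2/0/0"))
    v["blacklisted"] = d.accept(Packet("192.0.2.66", "ntp", 76, 64, "GE2/0/0"))
    v["ospf_not_enabled"] = d.accept(Packet("10.0.0.3", "ospf", 80, 1, "GE2/0/0"))
    v["telnet_wrong_iface"] = d.accept(Packet("10.0.0.4", "telnet", 60, 64, "GE2/0/0"))
    v["telnet_mgmt_iface"] = d.accept(Packet("10.0.0.4", "telnet", 60, 64, "GE1/0/0"))
    v["whitelisted_malformed"] = d.accept(Packet("10.0.0.1", "ntp", 76, 64, "GE2/0/0", malformed=True))
    return v, [reason for reason, _ in d.trace]
```

The malformed packet from the whitelisted source is discarded by TCP/IP attack defense before the whitelist is consulted, which is why step order matters when reading the trace. The three 40-byte BGP packets exhaust a 200-byte budget because each is charged at the 64-byte minimum.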

4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding
This section describes how to configure attack defense tracing and enable alarming for packet discarding.
4.2.1 Establishing the Configuration Task
4.2.2 Creating the Attack Defense Policy
4.2.3 Enabling Attack Source Tracing
4.2.4 Configuring Attack Source Tracing
4.2.5 Configuring the Alarm on Rate for Discarding Packets
4.2.6 Applying the Attack Defense Policy
4.2.7 Checking the Configuration

4.2.1 Establishing the Configuration Task


Applicable Environment
When a router is attacked, you must analyze attack packets and locate the attack source by using attack source tracing. You can also enable the alarming function so that the router can send a trap message in time to the NMS when the number of discarded packets exceeds the alarm threshold.
NOTE

- Using the attack-source-trace enable command, you can enable attack source tracing. Using the undo attack-source-trace enable command, you can disable attack source tracing.
- By default, attack source tracing is enabled and the router records the packets discarded by the various attack defense features based on the configured packet sampling ratio and packet length.

Pre-configuration Tasks
Before configuring attack defense tracing and enabling alarming for packet discarding, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.

Data Preparation
To configure attack defense tracing and enable alarming for packet discarding, you need the following data.

No.  Data
1    Sampling ratio of the packets recorded by attack source tracing
2    Length of the packets recorded by attack source tracing
3    File name for saving information about attack source tracing
4    Alarm threshold and interval for checking the number of discarded packets

4.2.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.
Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.
----End

4.2.3 Enabling Attack Source Tracing


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.
Step 3 Run:
attack-source-trace enable

Attack source tracing is enabled.
Step 4 Run:
attack-source-trace enable { car | tcpip-defend | urpf | ma-defend | application-apperceive } enable

Attack defense tracing is enabled for a particular local attack defense feature. By default, attack source tracing is enabled to record the packets discarded by each local attack defense feature.
----End

4.2.4 Configuring Attack Source Tracing



Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.
Step 3 Run:
attack-source-trace sample-rate sample-rate-value

The sampling ratio of the packets recorded by attack source tracing is set. By default, the sampling ratio is 100.
Step 4 Run:
attack-source-trace packet-length packet-length

The length of the packets recorded by attack source tracing is set. By default, the length of the packets is 150 bytes.
Step 5 Run:
save attack-source-trace slot { slot-id | all } [ file file-name ] format ethereal linktype { cisco_hdlc | ethernet | ppp }

Information about attack source tracing is saved in the memory of an LPU as a file.
----End

4.2.5 Configuring the Alarm on Rate for Discarding Packets


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.
Step 3 Run:
alarm drop-rate { application-apperceive | blacklist | index index | ma-defend | tcpip-defend | total-packet | urpf | user-defined-flow flow-id | whitelist } enable

The alarming function for discarding the packets to be sent to the CPU is enabled.
Step 4 Run:
alarm drop-rate { application-apperceive | blacklist | index index | ma-defend | tcpip-defend | total-packet | urpf | user-defined-flow flow-id | whitelist } { threshold threshold-value | interval interval-value } *

The alarm threshold and check interval for discarding the packets to be sent to the CPU are set.
----End

4.2.6 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
slot slot-id

The slot view is displayed.
Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.
----End

4.2.7 Checking the Configuration


Procedure
- Run the following commands to check verbose information about attack source tracing.

display attack-source-trace slot { slot-id | all } verbose [ { attack-type { application-apperceive | car | tcpip-defend | urpf | ma-defend } } | { destination-mac destination-mac-address destination-mac-wildcard } | { destination destination-address destination-wildcard } | { destination-port dest-port-number } | { protocol-number protocol-number } | { source-mac source-mac-address source-mac-wildcard } | { source source-address source-wildcard } | { source-port source-port-number } | { time-range from start-time start-date [ to end-time end-date ] } | { vlan vlan-id } ] *

display attack-source-trace file file-name verbose [ { destination-mac destination-mac-address destination-mac-wildcard } | { destination destination-address destination-wildcard } | { destination-port dest-port-number } | { protocol-number protocol-number } | { source-mac source-mac-address source-mac-wildcard } | { source source-address source-wildcard } | { source-port source-port-number } | { time-range from start-time start-date [ to end-time end-date ] } | { vlan vlan-id } ] *

- Run the following commands to check brief information about attack source tracing.

display attack-source-trace file file-name brief [ { source source-address source-wildcard } | { destination destination-address destination-wildcard } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } ] *

display attack-source-trace { slot { slot-id | all } | file file-name } brief [ { source source-address source-wildcard } | { destination destination-address destination-wildcard } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { attack-type { application-apperceive | car | tcpip-defend | urpf | ma-defend } } ] *

- Run the display attack-source-trace slot { slot-id | all } original-information command to check original information about attack source tracing on the LPU.

----End

Example
Run the display attack-source-trace slot 1 verbose command. If the LPU in slot 1 has saved detailed information about attack packets, it means that attack source tracing functions normally.
<HUAWEI> display attack-source-trace slot 1 verbose
---------------------------------
Record number : 30 packets
---------------------------------
NO1. packet info
interface name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : urpf
Attacted Pack Time : 2006-12-31 15:30:20
Ethernet II
Dest :FFFF-FFFF-FFFF  Sour :0000-0101-0102  Type :(0x0800)IP
MPLS Label : 888
IP
Vers : 4  Head len : 20 bytes  DS : 0x00  Total len : 86
ID : 0x00  Flags : 0x00  Frag offset : 0
TTL : 64  Protocol : 0x06(TCP)  Head checks : 0x0000
Sour : 1.1.1.1  Dest : 222.2.45.7
TCP
SourPort : 0  DestPort : 21
Sequence Num : 0  Next Seq Num : 46
Head length : 20  Flags : 0x0000  Win size : 0
Checks : 0x2345
Attack Trace Data:
FF FF FF FF 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01
----------------------------------

Run the display attack-source-trace slot 1 brief command, and you can view brief information about attack packets saved on the LPU in slot 1.
<HUAWEI> display attack-source-trace slot 1 brief
---------------------------------
Record number:30 packets
---------------------------------
NO1. packet info
port name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : URPF
Attacted Pack Time : 2006-12-31 15:30:20
Source ip : 1.1.1.1
Destination ip : 222.2.45.7
Source port number : 0
destination port number : 21
protocol number : 0x06(TCP)
Attack Trace Data : FF FF FF FF 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01
----------------------------------

Run the display attack-source-trace slot 3 original-information command to view the original information about the attack packets saved on the router.
<HUAWEI> display attack-source-trace slot 3 original-information
No 1 packet Info:
Interface Name : GigabitEthernet3/0/2
Vlanid : 0
Attack Type : Application apperceive
Attack Pack Time : 2002-10-04 11:13:59
Attack Source Data:
01 00 5e 00 00 09 00 05 00 05 00 05 08 00 45 c0 00 34 08 32 00 ac ac 10 01 02 e0 00 00 09 02 08 02 08 00 20 c0 6b 02 02 00 00 ac 10 01 00 ff ff ff 00 00 00 00 00 00 00 00
00 0e 11 16 00 02 00 00
---------------------------------
No 2 packet Info:
Interface Name : GigabitEthernet3/0/2
Vlanid : 0
Attack Type : Application apperceive
Attack Pack Time : 2002-10-04 10:24:33
Attack Source Data:
01 00 5e 00 00 09 00 05 00 05 00 05 08 00 45 c0 00 34 03 f8 00 e6 ac 10 01 02 e0 00 00 09 02 08 02 08 00 20 c0 6b 02 02 00 00 ac 10 01 00 ff ff ff 00 00 00 00 00 00 00 00
00 0e 11 1a 00 02 00 00
----------------------------------
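The following Python script is an added example and is not part of this guide or of the NE5000E software. It reads the brief attack-source-trace output in the layout shown above (the sample text inside the script is constructed) and counts the traced packets per attack type and per source IP address and ingress port, which is the first step in deciding whether a flow needs a blacklist entry or a CAR limit.

```python
"""Triage of 'display attack-source-trace slot N brief' output.

Added example, not code from the NE5000E guide.  It reads the brief record
layout shown above (records introduced by 'NOn. packet info', one
'field : value' pair per line) and counts records per attack type and per
(attack type, source IP, ingress port), so the operator sees at once which
sources and ports produced the traced packets.  The sample text is constructed.
"""
import re
from collections import Counter

# Constructed sample in the layout of the brief display; all values are made up.
SAMPLE_BRIEF = """\
<HUAWEI> display attack-source-trace slot 1 brief
---------------------------------
Record number:3 packets
---------------------------------
NO1. packet info
port name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : URPF
Attacted Pack Time : 2006-12-31 15:30:20
Source ip : 1.1.1.1
Destination ip : 222.2.45.7
Source port number : 0
destination port number : 21
protocol number : 0x06(TCP)
Attack Trace Data : FF FF FF FF 00 00 00 01
----------------------------------
NO2. packet info
port name : GigabitEthernet 5/0/2
vlanid : 88
attack-type : URPF
Attacted Pack Time : 2006-12-31 15:30:21
Source ip : 1.1.1.1
Destination ip : 222.2.45.7
Source port number : 0
destination port number : 22
protocol number : 0x06(TCP)
Attack Trace Data : FF FF FF FF 00 00 00 01
----------------------------------
NO3. packet info
port name : GigabitEthernet 3/0/2
vlanid : 0
attack-type : TCPIP-DEFEND
Attacted Pack Time : 2006-12-31 15:31:02
Source ip : 10.0.0.9
Destination ip : 222.2.45.7
Source port number : 53
destination port number : 161
protocol number : 0x11(UDP)
Attack Trace Data : 00 00 00 00
----------------------------------
"""

RECORD_START = re.compile(r"^NO(\d+)\.\s+packet info$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)$")


def parse_brief(text):
    """Return one dict per record; keys are the lower-cased field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        start = RECORD_START.match(line)
        if start:
            current = {"no": int(start.group(1))}
            records.append(current)
            continue
        if current is None or line.startswith("-"):
            continue                      # prompt, header or separator line
        field = FIELD.match(line)
        if field:
            current[field.group(1).strip().lower()] = field.group(2).strip()
    return records


def summarise(records):
    """Counts per attack type and per (attack type, source IP, ingress port)."""
    by_type, by_source = Counter(), Counter()
    for rec in records:
        key = (rec.get("attack-type", "?").upper(),
               rec.get("source ip", "?"),
               rec.get("port name", "?"))
        by_type[key[0]] += 1
        by_source[key] += 1
    return by_type, by_source


def top_sources(records, n=5):
    """The n most frequent (attack type, source IP, ingress port) tuples with counts."""
    return summarise(records)[1].most_common(n)
```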

4.3 Configuring Local URPF


This section describes how to configure local URPF.

4.3.1 Establishing the Configuration Task
4.3.2 Creating the Attack Defense Policy
4.3.3 Configuring Local URPF
4.3.4 Applying the Attack Defense Policy
4.3.5 Checking the Configuration


4.3.1 Establishing the Configuration Task


Applicable Environment
When a large number of packets on the network are sent to the CPU, you can apply URPF to check whether their source IP addresses are valid; packets with invalid source IP addresses are discarded. This prevents source IP address spoofing attacks and flood attacks. Local URPF is applied only to the packets to be sent to the CPU, so the CPU processes only normal packets and its performance is not affected.

Pre-configuration Task
Before configuring local URPF, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
None.

4.3.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

----End

4.3.3 Configuring Local URPF


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
ip urpf { loose | strict [ allow-default ] }

Local URPF is configured.

----End
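The following Python model is an added example, not code from this guide or from the NE5000E software. It shows what the check selected by ip urpf { loose | strict [ allow-default ] } decides for a CPU-bound packet, using the standard URPF semantics (an assumption, since the section above does not spell them out): strict mode requires the longest-prefix route to the source address to point back out of the ingress interface, loose mode requires only that some route to the source exists, and allow-default lets a default route count as a match. The routing table and packets are constructed.

```python
"""Model of the check selected by 'ip urpf { loose | strict [ allow-default ] }'.

Added example; it is not code from the NE5000E guide.  It models standard
URPF semantics, which the section above does not spell out (assumption):
strict mode passes a packet only if the longest-prefix route to its source
address points back out of the ingress interface, loose mode passes it if
any route to the source exists, and allow-default lets a default route count
as a match.  The routing table and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # outgoing interface of the route


# Constructed routing table: a default route towards the upstream, two
# customer prefixes (one more specific than the other) and a peering prefix.
TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "GigabitEthernet3/0/0"),
    Route(ipaddress.IPv4Network("10.1.0.0/16"), "GigabitEthernet5/0/2"),
    Route(ipaddress.IPv4Network("10.1.8.0/24"), "GigabitEthernet5/0/3"),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "GigabitEthernet5/0/1"),
]


def lookup(table, address):
    """Longest-prefix match for one address; None when no route covers it."""
    best = None
    for route in table:
        if address in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf_check(table, src, ingress, mode="strict", allow_default=False):
    """Return True when a CPU-bound packet from src arriving on ingress passes URPF."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    if allow_default and mode != "strict":
        # The command syntax above offers allow-default only together with strict.
        raise ValueError("allow-default is only available with strict")
    route = lookup(table, ipaddress.IPv4Address(src))
    if route is None:
        return False                      # no route back to the source
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it
    if mode == "loose":
        return True                       # any route is enough in loose mode
    return route.interface == ingress     # strict: must arrive on the route's interface


def filter_packets(table, packets, mode="strict", allow_default=False):
    """Apply urpf_check to (src, ingress) pairs; returns {(src, ingress): verdict}."""
    return {
        (src, ingress): urpf_check(table, src, ingress, mode, allow_default)
        for src, ingress in packets
    }


if __name__ == "__main__":
    # Constructed CPU-bound packets: a legitimate customer address, a source
    # address taken from the neighbouring customer's prefix, and an unrouted source.
    PACKETS = [
        ("10.1.3.1", "GigabitEthernet5/0/2"),
        ("10.1.8.5", "GigabitEthernet5/0/2"),
        ("203.0.113.7", "GigabitEthernet5/0/2"),
    ]
    for (src, ingress), ok in filter_packets(TABLE, PACKETS).items():
        print(f"strict {src:>12} on {ingress}: {'pass' if ok else 'drop'}")
```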

4.3.4 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.

----End

4.3.5 Checking the Configuration


Procedure
Step 1 Run the display cpu-defend urpf statistics [ slot slot-id ] command to check the statistics of local URPF.

----End

Example
Run the display cpu-defend urpf statistics command, and you can view the statistics of local URPF.
<HUAWEI> display cpu-defend urpf statistics
Slot  Attack-Type  Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     URPF         0              0               0
Slot  Attack-Type  Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
4     URPF         0              0               0
Slot  Attack-Type  Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
6     URPF         0              0               0

4.4 Configuring TCP/IP Attack Defense


This section describes how to configure TCP/IP attack defense.

4.4.1 Establishing the Configuration Task
4.4.2 Creating the Attack Defense Policy
4.4.3 Enabling Defense Against UDP Packet Attacks
4.4.4 Enabling Defense Against Malformed Packet Attacks
4.4.5 Applying the Attack Defense Policy
4.4.6 Checking the Configuration

4.4.1 Establishing the Configuration Task


Applicable Environment
TCP/IP attack defense is mainly applied to service routers at the edge of the network and to other routers that are exposed to TCP/IP packet attacks. It defends a router against attacks that exploit defects of the TCP/IP protocol suite and thus keeps services running normally.

Pre-configuration Task
Before configuring the defense against TCP/IP attacks, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
None.

4.4.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

----End

4.4.3 Enabling Defense Against UDP Packet Attacks


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
udp-packet-defend enable

Defense against UDP packet attacks is enabled. By default, defense against UDP packet attacks is enabled.

----End

4.4.4 Enabling Defense Against Malformed Packet Attacks


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
abnormal-packet-defend enable

Defense against malformed packet attacks is enabled. By default, defense against malformed packet attacks is enabled.

----End

4.4.5 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.

----End

4.4.6 Checking the Configuration


Procedure
Step 1 Run the display cpu-defend tcpip-defend statistics [ slot slot-id ] command to check information about defense against TCP/IP attacks.

----End

Example
Run the display cpu-defend tcpip-defend statistics command, and you can view the statistics on TCP/IP attack defense.
<HUAWEI> display cpu-defend tcpip-defend statistics
Slot  Attack-Type      Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     Tcpip-defend     0              0               0
--------------------------------------------------------------------------------
      Abnormal-packet  0              0               0
      Fragment-packet  0              0               0
      Tcpsyn-packet    0              0               0
      Udp-packet       0              0               0
--------------------------------------------------------------------------------
Slot  Attack-Type      Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
4     Tcpip-defend     0              0               0
--------------------------------------------------------------------------------
      Abnormal-packet  0              0               0
      Fragment-packet  0              0               0
      Tcpsyn-packet    0              0               0
      Udp-packet       0              0               0
--------------------------------------------------------------------------------
Slot  Attack-Type      Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
6     Tcpip-defend     0              0               0
--------------------------------------------------------------------------------
      Abnormal-packet  0              0               0
      Fragment-packet  0              0               0
      Tcpsyn-packet    0              0               0
      Udp-packet       0              0               0
--------------------------------------------------------------------------------

4.5 Configuring CAR


This section describes how to configure CAR.

4.5.1 Establishing the Configuration Task
4.5.2 Creating the Attack Defense Policy
4.5.3 Creating the Whitelist
4.5.4 Creating the Blacklist
4.5.5 Configuring the User-Defined Flow
4.5.6 Configuring Packet Matching Order
4.5.7 Configuring CAR
4.5.8 Configuring Packet Sending Priority
4.5.9 Applying the Attack Defense Policy
4.5.10 Checking the Configuration

4.5.1 Establishing the Configuration Task


Applicable Environment
When a large number of users access the router, many packets need to be sent to the CPU for processing. In such a case, the router is prone to attacks. To protect the router from being attacked, configure the CAR function on the router.


Pre-configuration Tasks
Before configuring the CAR function, complete the following task:
- Connecting the interfaces and configuring the physical parameters of the interfaces to make the physical status of the interfaces Up

Data Preparation
To configure the CAR function, you need the following data:

1. Number and description of the attack defense policy
2. Index of the packet to be sent to the CPU, the number of the user-defined flow, and the minimum packet length for smallest packet compensation
3. CAR and Committed Burst Size (CBS) of the packets to be sent to the CPU
4. Number of the LPU to which the attack defense policy is applied

4.5.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

----End

4.5.3 Creating the Whitelist


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
whitelist acl acl-number

The whitelist is created. The packets generated by Active Link Protection (ALP) and the packets passing the GTSM check are dynamically added to the whitelist. By default, the whitelist function is enabled. To disable the whitelist function, run the whitelist disable command.

----End

4.5.4 Creating the Blacklist


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
blacklist acl acl-number

The blacklist is created. By default, the blacklist function is enabled. To disable the blacklist function, run the blacklist disable command.

----End

4.5.5 Configuring the User-Defined Flow



Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
user-defined-flow flow-id acl acl-number

The user-defined flow rules are set.

----End

4.5.6 Configuring Packet Matching Order


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Perform the following as required.
- Run process-sequence blacklist { user-defined-flow | whitelist } * to set the processing priority of the packets matching the blacklist.
- Run process-sequence user-defined-flow { blacklist | whitelist } * to set the processing priority of the packets matching the user-defined flow rules.
- Run process-sequence whitelist { user-defined-flow | blacklist } * to set the processing priority of the packets matching the whitelist.

By default, the matching order of the packets to be sent to the CPU is: whitelist, blacklist, and user-defined flow.

----End

4.5.7 Configuring CAR


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
car { blacklist | index index | protocol | user-defined-flow flow-id | whitelist } { cir cir-value | cbs cbs-value | min-packet-length min-packet-length-value } *

The CAR action rules are set.

Step 4 Run:
car total-packet { high | low | middle | total-packet-rate }

The total rate of sending the packets to the CPU is set.

----End

4.5.8 Configuring Packet Sending Priority


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
priority { blacklist | index index | protocol | user-defined-flow flow-id | whitelist } { high | middle | low }

The packet sending priority is set.

----End

4.5.9 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.

----End

4.5.10 Checking the Configuration


Procedure
- Run the display cpu-defend policy policy-number [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the rules for filtering the packets to be sent to the CPU.
- Run the display cpu-defend policy car { blacklist | index index | protocol | user-defined-flow flow-id | whitelist } statistics [ slot slot-id ] [ | count ] [ | { begin | include | exclude } regular-expression ] command to check the statistics on attack defense of the LPU.

----End

Example
Run the display cpu-defend policy policy-number [ | count ] [ | { begin | include | exclude } regular-expression ] command. If information about the rules for filtering the packets to be sent to the CPU is displayed, it means that the configuration succeeds. For example, you can run the display cpu-defend policy 8 command to view the filtering rules defined in Policy 8.
<HUAWEI> display cpu-defend policy 8
Number : 8
Description :
Related slot : <3>
Configuration :
Whitelist Configuration :
Whitelist enable : open
Whitelist ACL number : 0
Whitelist : CIR(4000) CBS(40000) Min-packet-length(128)
Whitelist priority : middle
Whitelist alarm enable : close
Whitelist alarm : threshold(1000000) interval(3600)
Blacklist Configuration :
Blacklist enable : open
Blacklist ACL number : 0
Blacklist : CIR(1) CBS(1000) Min-packet-length(128)
Blacklist priority : middle
Blacklist alarm enable : close
Blacklist alarm : threshold(1000000) interval(3600)
ARP Configuration :
Outbound ARP check enable : open
Total packet Configuration :
Total packet car speed : high
Total packet alarm enable : close
Total packet alarm : threshold(1000000) interval(3600)
Process-sequence : whitelist blacklist user-defined-flow
Application apperceive Configuration :
Application apperceive enable : open
Default Action: Min-to-cp
Application apperceive alarm enable : open
Application apperceive alarm : threshold(1000000) interval(3600)
MA-Defend Configuration :
MA-Defend alarm enable : open
MA-Defend alarm : threshold(1000000) interval(3600)
Source Trace Data Configuration :
Source Trace enable : open
Source Trace Type enable : car: open urpf: open tcpip-defend: open ma-defend: open application-apperceive: open
Source Trace Sample : 100
Source Trace Packet Length : 150
URPF Configuration :
URPF model : close
allow default route: close
URPF alarm enable : open
URPF alarm : threshold(1000000) interval(3600)
TCPIP-Defend Configuration :
Abnormal Packet Defend : open
Udp Packet Defend : open
Tcpsyn Flood Defend : open
Tcpsyn : CIR(1500) CBS(15000) Min-packet-length(128)
Tcpsyn priority : middle
fragment-flood Defend : open
Ip fragment : CIR(3000) CBS(30000) Min-packet-length(128)
Ip fragment priority : middle
TCPIP alarm enable : open
TCPIP alarm : threshold(1000000) interval(3600)
User-defined-flow Configuration :
User-defined-flow 1 ACL number : 0
...
User-defined-flow 32 ACL number : 0
User-defined-flow 1 alarm enable : close
...
User-defined-flow 32 alarm enable : close
User-defined-flow 1 alarm : threshold(1000000) interval(3600)
...
User-defined-flow 32 alarm : threshold(1000000) interval(3600)
User-defined-flow 1 : CIR(2000) CBS(20000) Min-packet-length(128)
...
User-defined-flow 32 : CIR(2000) CBS(20000) Min-packet-length(128)
User-defined-flow 1 priority : middle
...
User-defined-flow 32 priority : middle
Car Configuration :
Car index 0 alarm enable : close
...
Car index 233 alarm enable : close
Car index 0 alarm : threshold(1000000) interval(3600)
...
Car index 233 alarm : threshold(1000000) interval(3600)
Car index 0 : CIR(3000) CBS(30000) Min-packet-length(128)
...
Car index 233 : CIR(3000) CBS(30000) Min-packet-length(128)
Car index 0 priority : middle
...
Car index 232 priority : middle
Car index 233 priority : N/A

After the configuration, run the display cpu-defend car { blacklist | index index | protocol | user-defined-flow flow-id | whitelist } statistics [ slot slot-id ] [ | count ] [ | { begin | include | exclude } regular-expression ] command, and you can check the statistics of discarded packets. For example, you can run the display cpu-defend car blacklist statistics slot 3 command to view the statistics of packets discarded on the LPU in slot 3.
<HUAWEI> display cpu-defend car blacklist statistics slot 3
Slot : 3
Application switch : Open
Default Action : Min-to-cp
--------------------------------------------
Blacklist
Protocol switch: N/A
Packet information:
Passed packet(s) : 0
Dropped packet(s) : 0
Configuration information:
Configged CIR : 1 kbps
Actual CIR in NP : 1 kbps
Configged CBS : 1000 bytes
Actual CBS in NP : 1000 bytes
Priority : low
Min-packet-length : NA

4.6 Configuring Application Layer Association


This section describes how to configure application layer association.

4.6.1 Establishing the Configuration Task
4.6.2 Creating the Attack Defense Policy
4.6.3 Disabling Application Layer Association
4.6.4 Configuring the Packet Processing Mode
4.6.5 Applying the Attack Defense Policy
4.6.6 Checking the Configuration

4.6.1 Establishing the Configuration Task


Applicable Environment
To save router resources, you can apply application layer association. Packets of a protocol are then sent to the CPU only if that protocol is enabled; packets of a disabled protocol are discarded.

Pre-configuration Task
Before configuring application layer association, complete the following task:
- Configuring link layer protocol parameters and assigning IP addresses to the interfaces to ensure that the status of the link layer protocol of the interfaces is Up

Data Preparation
None.

4.6.2 Creating the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy is created.

Step 3 (Optional) Run:
description text

The description of the attack defense policy is configured.

----End

4.6.3 Disabling Application Layer Association


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

The attack defense policy view is displayed.

Step 3 Run:
application-apperceive disable

The application layer association function is disabled. By default, application layer association is enabled.

----End

4.6.4 Configuring the Packet Processing Mode


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
cpu-defend policy policy-number

An attack defense policy is created and the attack defense policy view is displayed.

Step 3 Run:
application-apperceive default-action

The default mode of processing the packets to be sent to the CPU is set. By default, application layer association is enabled.

----End

4.6.5 Applying the Attack Defense Policy


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
slot slot-id

The slot view is displayed.

Step 3 Run:
cpu-defend-policy policy-number

The user-defined attack defense policy is applied on the specified LPU. You must apply the attack defense policy on the LPU; otherwise, the policy does not take effect.

----End

4.6.6 Checking the Configuration


Procedure
- Run the display application-apperceive [ slot slot-id ] command to check information about application layer association.
- Run the display cpu-defend application-apperceive statistics [ slot slot-id ] command to check information about the packets discarded by application layer association.

----End

Example
Run the display application-apperceive slot 3 command, and you can view information about application layer association on the LPU in slot 3 after application layer association takes effect.
<HUAWEI> display application-apperceive slot 3
------------------------------
Slot : 3
Application Switch : Open
Default Action : Min-to-cp
------------------------------
ProtocolName        ProtocolState
------------------------------
FTP SERVER          Open
SSH SERVER          Open
SNMP                Open
TELNET SERVER       Open
TFTP                Open
BGP                 Open
LDP                 Open
RSVP                Open
OSPF                Open
RIP                 Open
MSDP                Open
PIM                 Open
IGMP                Open
ISIS                Open
FTP CLIENT          Open
TELNET CLIENT       Open
SSH CLIENT          Open
NTP                 Open
RADIUS              Open
HWTACACS            Open
LSPPING             Open
ICMP                Open
VRRP                Open
BFD                 Open
DHCP                Open
DNS CLIENT          Open
MPLSOAM             Open
RRPP                Open
802.1AG             Open
802.3AH             Open
LACP                Open
------------------------------

Run the display cpu-defend application-apperceive statistics slot 3 command, and you can view information about the packets discarded by application layer association on the LPU in slot 3 after application layer association takes effect.
<HUAWEI> display cpu-defend application-apperceive statistics slot 3
Slot  Attack-Type             Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     Application-Apperceive  1168           1168            0
--------------------------------------------------------------------------------
      FTP SERVER              0              0               0
      SSH SERVER              0              0               0
      SNMP                    0              0               0
      TELNET SERVER           0              0               0
      TFTP                    0              0               0
      BGP                     0              0               0
      LDP                     0              0               0
      RSVP                    0              0               0
      OSPF                    0              0               0
      RIP                     0              0               0
      ISIS                    0              0               0
      ICMP                    0              0               0
      MSDP                    0              0               0
      PIM                     0              0               0
      DHCP                    16             16              0
      LACP                    0              0               0
      NTP                     0              0               0
      RADIUS                  0              0               0
      HWTACACS                0              0               0
      LSPPING                 0              0               0
      IGMP                    0              0               0
      RRPP                    0              0               0
      VRRP                    1152           1152            0
      BFD                     0              0               0
      MPLSOAM                 0              0               0
      802.1AG                 0              0               0
      FTP CLIENT              0              0               0
      TELNET CLIENT           0              0               0
      SSH CLIENT              0              0               0
      DNS CLIENT              0              0               0
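The following Python script is an added example, not code from this guide or from the NE5000E software. It parses the statistics table layout that the urpf, tcpip-defend and application-apperceive displays in this chapter share (a summary row per slot followed by one row per sub-type), lists the sub-types that dropped packets, and checks that each slot's summary row equals the sum of its sub-type rows, as it does in the slot 3 output above. Both sample outputs inside the script are constructed; the second mirrors the slot 3 figures shown above.

```python
"""Parse the 'display cpu-defend ... statistics' tables and flag drops.

Added example, not code from the NE5000E guide.  It reads the table layout
shared by the urpf, tcpip-defend and application-apperceive statistics
displays in this chapter: a header 'Slot Attack-Type Total-Packets
Passed-Packets Dropped-Packets', one summary row per slot (the row carrying
the slot number) and one row per sub-type below it.  Both sample outputs
are constructed; the second mirrors the slot 3 figures shown above.
"""
import re
from collections import namedtuple

Row = namedtuple("Row", "slot attack_type total passed dropped is_summary")

# Optional leading slot number, then a type name (may contain spaces or
# dots, e.g. 'FTP SERVER', '802.1AG'), then exactly three integer columns.
ROW = re.compile(r"^(?:(\d+)\s+)?(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)$")

SAMPLE_TCPIP = """\
<HUAWEI> display cpu-defend tcpip-defend statistics
Slot  Attack-Type      Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     Tcpip-defend     1250           1210            40
--------------------------------------------------------------------------------
      Abnormal-packet  0              0               0
      Fragment-packet  200            200             0
      Tcpsyn-packet    1000           1000            0
      Udp-packet       50             10              40
--------------------------------------------------------------------------------
Slot  Attack-Type      Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
4     Tcpip-defend     0              0               0
--------------------------------------------------------------------------------
      Abnormal-packet  0              0               0
      Fragment-packet  0              0               0
      Tcpsyn-packet    0              0               0
      Udp-packet       0              0               0
--------------------------------------------------------------------------------
"""

SAMPLE_APP = """\
<HUAWEI> display cpu-defend application-apperceive statistics slot 3
Slot  Attack-Type             Total-Packets  Passed-Packets  Dropped-Packets
--------------------------------------------------------------------------------
3     Application-Apperceive  1168           1168            0
--------------------------------------------------------------------------------
      FTP SERVER              0              0               0
      DHCP                    16             16              0
      VRRP                    1152           1152            0
      802.1AG                 0              0               0
--------------------------------------------------------------------------------
"""


def parse_statistics(text):
    """Return Row tuples in display order; sub-type rows inherit the last slot seen."""
    rows, slot = [], None
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if not m:
            continue                      # prompt, header or separator line
        if m.group(1) is not None:
            slot = int(m.group(1))
        if slot is None:
            continue                      # sub-type row before any slot row: ignore
        rows.append(Row(slot, m.group(2), int(m.group(3)), int(m.group(4)),
                        int(m.group(5)), m.group(1) is not None))
    return rows


def dropped(rows):
    """Sub-type rows with a non-zero Dropped-Packets count, the first thing to inspect."""
    return [r for r in rows if not r.is_summary and r.dropped > 0]


def check_totals(rows):
    """Compare each slot's summary row with the sum of its sub-type rows.

    Returns {slot: (summary_triple, summed_triple)} for slots where they differ.
    """
    mismatches = {}
    for slot in sorted({r.slot for r in rows}):
        summary = [r for r in rows if r.slot == slot and r.is_summary]
        subs = [r for r in rows if r.slot == slot and not r.is_summary]
        if not summary or not subs:
            continue
        s = summary[0]
        summed = (sum(r.total for r in subs), sum(r.passed for r in subs),
                  sum(r.dropped for r in subs))
        if summed != (s.total, s.passed, s.dropped):
            mismatches[slot] = ((s.total, s.passed, s.dropped), summed)
    return mismatches


def drop_ratio(rows):
    """Per slot, Dropped-Packets / Total-Packets of the summary row (0.0 when idle)."""
    return {r.slot: (r.dropped / r.total if r.total else 0.0)
            for r in rows if r.is_summary}
```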

4.7 Configuring Management/Control Plane Protection


This section describes how to configure management/control plane protection.

4.7.1 Establishing the Configuration Task
4.7.2 Configuring Global Policy for Management/Control Plane Protection
4.7.3 Configuring a Slot-based Policy for Management/Control Plane Protection
4.7.4 Configuring Interface-level Policy for Management/Control Plane Protection
4.7.5 Checking the Configuration

4.7.1 Establishing the Configuration Task


Applicable Environment
When a router is at risk of being controlled by unauthorized users through non-management interfaces or of being attacked by flood packets, apply management/control plane protection. Only the specified management interfaces then receive management packets; non-management interfaces discard the received packets directly, which saves resources. Management/control plane protection is disabled by default.

Pre-configuration Task
Before configuring management/control plane protection, complete the following task:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

Data Preparation
To configure management/control plane protection, you need the following data:

1. Number of the slot holding the LPU to which slot-based management/control plane protection is applied
2. Type and number of the interface to which management/control plane protection is applied

4.7.2 Configuring Global Policy for Management/Control Plane Protection


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ma-defend global-policy

A global policy for management/control plane protection is created.

Step 3 Run:
protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp } { permit | deny }

The rule for sending packets of a specified protocol is configured.

Step 4 Run:
enable

The global policy for management/control plane protection is enabled.

----End

4.7.3 Configuring a Slot-based Policy for Management/Control Plane Protection


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ma-defend slot-policy slot-policy-id

A slot-based policy for management/control plane protection is created.

Step 3 Run:
protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp } { permit | deny }

The rule for sending packets of a specified protocol is configured.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
slot slot-id

The slot view is displayed.

Step 6 Run:
ma-defend-slot slot-policy-id

A slot-based policy for management/control plane protection is applied to an LPU.

----End

4.7.4 Configuring Interface-level Policy for Management/Control Plane Protection


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ma-defend interface-policy interface-policy-id

An interface-level policy for management/control plane protection is created.

Step 3 Run:
protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp } { permit | deny }

The rule for sending packets of a specified protocol is configured.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
interface interface-type interface-number

The interface view is displayed.

Step 6 Run:
ma-defend-interface interface-policy-id

An interface-level policy for management/control plane protection is applied to the interface.

----End

4.7.5 Checking the Configuration


Procedure
- Run the display ma-defend { all | global-policy | interface-policy interface-policy-id | management-interface | slot-policy slot-policy-id } command to check information about a policy for management/control plane protection.
- Run the display cpu-defend ma-defend statistics [ slot slot-id ] command to check information about the packets discarded by management/control plane protection.

----End

Example
Run the display ma-defend all command, and you can view information about applications of management/control plane protection after management/control plane protection is enabled.
<HUAWEI> display ma-defend all
MA-defend policy type: global-policy
---------------------------------------------------
The global-policy is enabled
--------------------------------------------------
protocol        rule
--------------------------------------------------
NA
---------------------------------------------------
MA-defend policy type: slot-policy 5
---------------------------------------------------
The slot-policy is bound to slot: 6
--------------------------------------------------
protocol        rule
--------------------------------------------------
telnet          deny
---------------------------------------------------
MA-defend policy type: slot-policy 9
---------------------------------------------------
The slot-policy is bound to slot: NA
--------------------------------------------------
protocol        rule
--------------------------------------------------
NA
---------------------------------------------------
MA-defend policy type: interface-policy 7
---------------------------------------------------
The interface-policy is bound to interface: GigabitEthernet3/0/4
--------------------------------------------------
protocol        rule
--------------------------------------------------
snmp            permit
---------------------------------------------------
MA-defend policy type: interface-policy 56
---------------------------------------------------
The interface-policy is bound to interface: NA
--------------------------------------------------
protocol        rule
--------------------------------------------------
bgp             deny
---------------------------------------------------
MA-defend policy current administrative protocols' switches state:
---------------------------------------------------
protocol        state           interface-number
--------------------------------------------------
ftp             Activated       1
ssh             Activated       1
snmp            Activated       1
telnet          Activated       1
tftp            Activated       1
----------------------------------------------------

Run the display cpu-defend ma-defend report command, and you can view information about the packets discarded by management/control plane protection.
<HUAWEI> display cpu-defend ma-defend report
slot : 3
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName        Drop-Packet
------------------------------
slot : 4
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName        Drop-Packet
------------------------------
slot : 6
Related-policy : default
ControlPlane Drop-packet Information :
------------------------------
ProtocolName        Drop-Packet
------------------------------
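As an added example (not code from the Huawei guide), the following Python parses text in the layout of the display ma-defend all output shown above and reports policies that are defined but bound to no slot or interface, plus management protocols that an interface policy permits. The sample output and the audit rules are this example's own assumptions.

```python
"""Parse the output of 'display ma-defend all' and audit the policies.

Added example, not part of the Huawei guide. SAMPLE_OUTPUT is constructed
to follow the layout shown in 4.7.5; the audit rules are this example's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
MA-defend policy type: global-policy
---------------------------------------------------
The global-policy is enabled
-------------------------------------------------
protocol        rule
-------------------------------------------------
NA
---------------------------------------------------
MA-defend policy type: slot-policy 5
---------------------------------------------------
The slot-policy is bound to slot: 6
-------------------------------------------------
protocol        rule
-------------------------------------------------
telnet          deny
---------------------------------------------------
MA-defend policy type: interface-policy 7
---------------------------------------------------
The interface-policy is bound to interface: GigabitEthernet3/0/4
-------------------------------------------------
protocol        rule
-------------------------------------------------
snmp            permit
---------------------------------------------------
MA-defend policy type: interface-policy 56
---------------------------------------------------
The interface-policy is bound to interface: NA
-------------------------------------------------
protocol        rule
-------------------------------------------------
bgp             deny
---------------------------------------------------
MA-defend policy current administrative protocols' switches state:
---------------------------------------------------
ftp             Activated       1
"""

@dataclass
class Policy:
    kind: str                  # global-policy, slot-policy or interface-policy
    ident: str                 # policy id; empty for the global policy
    bound_to: str = "NA"       # slot number, interface name, or NA
    enabled: bool = False      # only meaningful for the global policy
    rules: dict = field(default_factory=dict)   # protocol -> "permit" | "deny"

POLICY_RE = re.compile(r"^MA-defend policy type:\s+(\S+)(?:\s+(\S+))?$")
BOUND_RE = re.compile(r"is bound to (?:slot|interface):\s*(\S+)")
RULE_RE = re.compile(r"^(\S+)\s+(permit|deny)$")

def parse_ma_defend(text):
    """Return the policies in display order; the switch-state table is skipped."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "administrative protocols' switches state" in line:
            break                       # end of the per-policy blocks
        m = POLICY_RE.match(line)
        if m:
            current = Policy(kind=m.group(1), ident=m.group(2) or "")
            policies.append(current)
            continue
        if current is None:
            continue
        m = BOUND_RE.search(line)
        if m:
            current.bound_to = m.group(1)
        elif line == "The global-policy is enabled":
            current.enabled = True
        elif (m := RULE_RE.match(line)):
            current.rules[m.group(1)] = m.group(2)
    return policies

MGMT_PROTOCOLS = {"telnet", "ftp", "tftp", "ssh", "snmp"}

def audit(policies):
    """Return human-readable findings; an empty list means nothing to review."""
    findings = []
    for p in policies:
        label = f"{p.kind} {p.ident}".strip()
        if p.kind == "global-policy" and not p.enabled:
            findings.append(f"{label}: configured but not enabled")
        if p.kind != "global-policy" and p.bound_to == "NA":
            findings.append(f"{label}: not bound to any slot or interface, so it has no effect")
        for proto, action in p.rules.items():
            if action == "permit" and proto in MGMT_PROTOCOLS:
                findings.append(f"{label}: {proto} permitted on {p.bound_to}, confirm this is intended")
    return findings
```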

4.8 Maintaining Local Attack Defense

This section describes how to clear the statistics on attack defense.
4.8.1 Resetting the Statistics of Attack Defense


4.8.1 Resetting the Statistics of Attack Defense


Context

CAUTION
The statistics of the local attack defense cannot be restored after you reset them. Confirm the action before you run the command.

Procedure
Step 1 Run the reset cpu-defend { all | application-apperceive | { car { protocol | blacklist | index index | user-defined-flow flow-id | whitelist } } | ma-defend | tcpip-defend | urpf } statistics [ slot slot-id ] command in the user view to clear the statistics on local attack defense.
----End

4.9 Configuration Example


This section provides a configuration example of local attack defense.
4.9.1 Example for Local Attack Defense

4.9.1 Example for Local Attack Defense


Networking Requirements
As shown in Figure 4-1, Router A constantly receives excessive packets, so the traffic sent to Router A must be rate-limited. Router B constantly receives excessive attack packets, so it must deploy attack defense functions and application layer association to save router resources. Router C must prevent attackers from managing the router by means of management packets. To analyze attack information, enable attack source tracing so that attack information is recorded.
Figure 4-1 Networking diagram of configuring the local attack defense

[Figure 4-1, not reproduced. Labels: RouterA GE1/0/0 1.1.1.1/24; RouterB GE1/0/0 1.1.1.2/24; RouterC GE1/0/0 2.2.2.2/24, GE2/0/0 3.3.3.3/24; Internet]


Configuration Roadmap
The configuration roadmap is as follows:
1. On Router A, define a blacklist and limit the rate of packets sent to the CPU by configuring CAR.
2. On Router B, configure TCP/IP attack defense, local URPF, application layer association, and attack source tracing.
3. On Router C, configure management and application.

Data Preparation
To complete the configuration, you need the following data:
• Number of the attack defense policy
• Index of the packet to be sent to the CPU, the number of the user-defined flow, and the minimum packet length for smallest packet compensation
• The CIR and CBS values of the packet to be sent
• Sampling rate, file name, and length for saving information about attack source tracing
• Number of the slot of the LPU to which slot-based management and application is applied
• Type and number of the interface to which interface-level management and application is applied
• Number of the LPU to which the attack defense policy is applied

Procedure
Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.
Step 2 Configure the sending rule for the blacklist on Router A.
<RouterA> system-view
[RouterA] cpu-defend policy 4
[RouterA-cpu-defend-policy-4] car blacklist cir 1000
[RouterA-cpu-defend-policy-4] priority blacklist low
[RouterA-cpu-defend-policy-4] car total-packet 1000
[RouterA-cpu-defend-policy-4] alarm drop-rate blacklist enable
[RouterA-cpu-defend-policy-4] alarm drop-rate blacklist interval 60 threshold 1000

Step 3 On Router B, configure TCP/IP attack defense, local URPF, and related functions to defend against attack packets.
# Configure attack source tracing.
<RouterB> system-view
[RouterB] cpu-defend policy 4
[RouterB-cpu-defend-policy-4] attack-source-trace enable
[RouterB-cpu-defend-policy-4] attack-source-trace sample-rate 1000
[RouterB-cpu-defend-policy-4] attack-source-trace packet-length 200

# Configure TCP/IP attack defense.
[RouterB-cpu-defend-policy-4] udp-packet-defend enable
[RouterB-cpu-defend-policy-4] abnormal-packet-defend enable

# Configure local URPF.
[RouterB-cpu-defend-policy-4] ip urpf strict

# Configure application layer association.
[RouterB-cpu-defend-policy-4] application-apperceive default-action min-to-cp

Step 4 On Router C, configure management and application.
# Configure global management and application.
<RouterC> system-view
[RouterC] ma-defend global-policy
[RouterC-app-sec-global] protocol bgp permit
[RouterC-app-sec-global] enable
[RouterC-app-sec-global] quit

# Configure slot-based management and application.
[RouterC] ma-defend slot-policy 4
[RouterC-app-sec-slot-4] protocol ftp permit
[RouterC-app-sec-slot-4] quit
[RouterC] slot 2
[RouterC-slot-2] ma-defend-slot 4
[RouterC-slot-2] quit

# Configure interface-level management and application.
[RouterC] ma-defend interface-policy 4
[RouterC-app-sec-interface-4] protocol ospf permit
[RouterC-app-sec-interface-4] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ma-defend-interface 4
[RouterC-GigabitEthernet2/0/0] quit

Step 5 Verify the configuration.
----End

Configuration Files
• Configuration file of the Router A
#
 sysname RouterA
#
cpu-defend policy 4
 car blacklist cir 1000
 priority blacklist low
 alarm drop-rate blacklist enable
 alarm drop-rate blacklist threshold 1000 interval 60
 car total-packet 1000
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return

• Configuration file of the Router B
#
 sysname RouterB
#
cpu-defend policy 4
 ip urpf strict
 attack-source-trace packet-length 200
 attack-source-trace sample-rate 1000
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
#
return


• Configuration file of the Router C
#
 sysname RouterC
#
slot 2
#
ma-defend interface-policy 4
 protocol ospf permit
#
ma-defend slot-policy 4
 protocol ftp permit
#
ma-defend global-policy
 protocol bgp permit
 enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 3.3.3.3 255.255.255.0
#
return


5 Mirroring Configuration

About This Chapter

This chapter describes the basic principle and application of mirroring.
5.1 Overview to Mirroring
This section describes the basic principle and application of mirroring.
5.2 Configuring Local Port Mirroring
This section describes how to configure local port mirroring.
5.3 Configuring Local Traffic Mirroring
This section describes how to configure local traffic mirroring.
5.4 Configuration Examples
This section provides several configuration examples of mirroring.


5.1 Overview to Mirroring


This section describes the basic principle and application of mirroring.
5.1.1 Introduction to Mirroring
5.1.2 Mirroring Features Supported by the NE5000E

5.1.1 Introduction to Mirroring


In mirroring, the packets transmitted on a certain interface (the mirrored port) are copied to a specified interface (the observing port) and then forwarded to a packet analyzer. By analyzing the captured packets on the packet analyzer, users can learn the status of the packets on the mirrored port.
When the packet analyzer is directly connected to the faulty network, you can use local mirroring to send the mirrored data of the faulty network to the packet analyzer. When the packet analyzer cannot be directly connected to the faulty network through a physical link, you can use remote mirroring, which enables the device to send the mirrored data of the faulty network through a specified tunnel to a remote device and then to the packet analyzer.
The mirroring function is used in network fault location and network security analysis.

5.1.2 Mirroring Features Supported by the NE5000E


The NE5000E supports the following mirroring features:
• Upstream port/flow mirroring
• Upstream mirroring with the observing port and mirroring port on the same board or on different boards
• Local mirroring and remote mirroring
NOTE
When applying the remote mirroring function, you can configure only a remote observing port rather than a remote mirroring port on the NE5000E.

To enable the mirroring function on the NE5000E, note the following items:
• It is not recommended that the observing port and mirroring port be configured with other services, because when the same traffic is mirrored, the network load is increased and normal services may be affected.
• One interface cannot be both the mirroring port and the observing port.

5.2 Configuring Local Port Mirroring

This section describes how to configure local port mirroring.
5.2.1 Establishing the Configuration Task
5.2.2 Configuring the Observing Port
5.2.3 Configuring the Observing Port for the Entire LPU
5.2.4 Configuring Local Port Mirroring
5.2.5 Checking the Configuration

5.2.1 Establishing the Configuration Task


Application Environment
When the network device and the router are connected directly, and you need to observe and analyze traffic on the interfaces of the network device, you can configure local port mirroring on the router to mirror traffic from the interface to the specific packet analyzer. In this manner, you can avoid directly analyzing packets on the interfaces.

Pre-configuration Tasks
Before configuring local port mirroring, complete the following task:
• Configuring link layer protocol parameters and assigning IP addresses to the interfaces to ensure that the status of the link layer protocol of the interface is Up

Data Preparation
To configure local port mirroring, you need the following data.
No.  Data
1    Type and number of the observing port
2    Slot number of the LPU on which the mirrored port is configured
3    Type and number of the local mirroring port

5.2.2 Configuring the Observing Port


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.


The interfaces functioning as the observing port can be the GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, and IP-Trunk interface.
Step 3 Run the following commands as required.
• Run the port-observing observe-index observe-index command to configure the local observing port.
• Run the port-observing identifier id [ description regulation ] command to configure the remote observing port.
----End

5.2.3 Configuring the Observing Port for the Entire LPU


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
slot slot-id
The slot view is displayed.
Step 3 Run:
mirror to observe-index observe-index
The observing port for mirroring on the entire LPU is configured.
NOTE
Then, the observing port corresponding to the observing index functions as the observing port of the entire LPU and is called the observing port for entire LPU mirroring. When a port on the LPU is mirrored, the packets are mirrored to the observing port for entire LPU mirroring. The observing port for entire LPU mirroring can be configured on either the local LPU or other LPUs.
----End

5.2.4 Configuring Local Port Mirroring


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interface serves as the local mirroring port. The interfaces functioning as the local mirroring port include the GE interface, GE sub-interface, and POS interface.
Step 3 Run:
port-mirroring inbound
The local mirroring port is configured.
----End

5.2.5 Checking the Configuration


Procedure
• Run the display port-mirroring interface [ interface-type interface-number | slot slot-id ] command to check the configuration of a mirroring port.
• Run the display port-observing interface [ interface-type interface-number | slot slot-id ] command to check the configuration of an observing port.
• Run the display port-observing observe-index observe-index command to check the index of an observing port.
• Run the display port-observing slot [ slot-id ] command to check the observing port applied to an LPU.

----End

Example
After the mirroring port is configured successfully, run the display port-mirroring interface command, and you can view the configuration of all the mirroring ports of the router; run the display port-mirroring interface interface-type interface-number command, and you can view the configuration of a specified mirroring port; run the display port-mirroring interface slot slot-id command, and you can view the configurations of all the mirroring ports of a specified LPU. For example, run the display port-mirroring interface command, and you can view the configuration of all the mirroring ports of the router.
<HUAWEI> display port-mirroring interface
------------------------------------------------------------------------------
Interface    Local/Remote    CAR    Type    In/Out    WithLinkHeader    Instance
------------------------------------------------------------------------------
PO4/2/0      Local                  Port    In        No
PO6/0/0      Local                  Port    In
------------------------------------------------------------------------------

After the observing port is configured successfully, run the display port-observing interface command, and you can view the configurations of all the observing ports of the router; run the display port-observing interface interface-type interface-number command, and you can view the configuration of a specified observing port; run the display port-observing interface slot slot-id command, and you can view the configuration of all the observing ports of a specified LPU.

For example, run the display port-observing interface command, and you can view the configuration of all the observing ports of the router.
<HUAWEI> display port-observing interface
L/R : Local/Remote          ID : Identifier
L-Header: WithLinkHeader    Obs-index: Observe-index
------------------------------------------------------------------------------
Interface    L/R    L-Header    Obs-index    ID    Status    Description
------------------------------------------------------------------------------
GI4/1/0      L                  4                  down
GI3/0/4      R                              10     down
------------------------------------------------------------------------------

Run the display port-observing observe-index command, and you can view the configuration of the indexes of all the observing ports on the router; run the display port-observing observe-index observe-index command, and you can view the configuration of the index of the specified observing port.
<HUAWEI> display port-observing observe-index
observe-index 4
  observe-port   : GigabitEthernet4/1/0
  reference slot : 6

Run the display port-observing slot [ slot-id ] command, and you can view the configuration of the observing port on the LPU and the LPUs that use this observing port.
<HUAWEI> display port-observing slot
slot 4
  observe-port   : GigabitEthernet4/1/0
  reference slot : 6
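As an added example (not code from the Huawei guide), the following Python cross-checks text in the layouts of the three display commands above against the constraints stated in 5.1.2 and 5.2.3: an interface must not be both mirroring and observing port, an observing port that is down delivers nothing, and every LPU carrying a mirroring port needs an observing port bound with mirror to observe-index. The samples are constructed (a PO5/1/0 mirroring port and a GI4/1/0 mirroring row are added so the checks report something), and the column parsing is an assumption to adjust to your software version.

```python
"""Cross-check mirroring and observing ports from 'display' output.

Added example, not part of the Huawei guide. The three samples are constructed
to follow the output layouts shown in 5.2.5; PO5/1/0 and the GI4/1/0 mirroring
row are added on purpose so that the checks below have findings to report.
Column positions are inferred from the sample (assumption).
"""
import re

PORT_MIRRORING = """\
------------------------------------------------------------------------------
Interface    Local/Remote    CAR    Type    In/Out    WithLinkHeader    Instance
------------------------------------------------------------------------------
PO4/2/0      Local                  Port    In        No
PO6/0/0      Local                  Port    In
PO5/1/0      Local                  Port    In
GI4/1/0      Local                  Port    In
------------------------------------------------------------------------------
"""

PORT_OBSERVING = """\
L/R : Local/Remote          ID : Identifier
L-Header: WithLinkHeader    Obs-index: Observe-index
------------------------------------------------------------------------------
Interface    L/R    L-Header    Obs-index    ID    Status    Description
------------------------------------------------------------------------------
GI4/1/0      L                  4                  down
GI3/0/4      R                              10     down
------------------------------------------------------------------------------
"""

OBSERVING_SLOTS = """\
slot 4
  observe-port   : GigabitEthernet4/1/0
  reference slot : 4
  reference slot : 6
"""

SLOT_RE = re.compile(r"^[A-Za-z-]+(\d+)/\d+/\d+")   # slot number from e.g. PO4/2/0

def _data_rows(text):
    """Yield whitespace-split rows, skipping rulers, legends and column headers."""
    for line in text.splitlines():
        toks = line.split()
        if not toks or set(line.strip()) == {"-"}:
            continue
        if toks[0].rstrip(":") in ("Interface", "L/R", "L-Header"):
            continue
        yield toks

def parse_mirroring(text):
    """{interface: direction} for each mirroring port listed."""
    return {t[0]: ("In" if "In" in t else "Out") for t in _data_rows(text)}

def parse_observing(text):
    """{interface: (local_or_remote, status)}; the index/ID column is not needed."""
    return {t[0]: (t[1], t[-1]) for t in _data_rows(text)}

def parse_referenced_slots(text):
    """LPU slots that reference an observing port (bound with 'mirror to observe-index')."""
    return {int(m.group(1)) for m in re.finditer(r"reference slot\s*:\s*(\d+)", text)}

def slot_of(interface):
    """Slot number of an interface name such as PO6/0/0, or None if not recognisable."""
    m = SLOT_RE.match(interface)
    return int(m.group(1)) if m else None

def check_mirroring(mirroring, observing, referenced_slots):
    """Apply the constraints from 5.1.2 and 5.2.3; return a list of findings."""
    findings = []
    for iface in sorted(set(mirroring) & set(observing)):
        findings.append(f"{iface}: used as both mirroring port and observing port")
    for iface, (_, status) in observing.items():
        if status.lower() != "up":
            findings.append(f"{iface}: observing port is {status}, mirrored copies cannot be transmitted")
    for iface in mirroring:
        slot = slot_of(iface)
        if slot is not None and slot not in referenced_slots:
            findings.append(f"{iface}: no observing port bound for LPU slot {slot}")
    return findings
```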

5.3 Configuring Local Traffic Mirroring


This section describes how to configure local traffic mirroring.
5.3.1 Establishing the Configuration Task
5.3.2 Configuring the Observing Port
5.3.3 Configuring the Observing Port for the Entire LPU
5.3.4 Defining the Traffic Class
5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring
5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior
5.3.7 Applying the Traffic Policy to the Mirrored Port
5.3.8 Checking the Configuration

5.3.1 Establishing the Configuration Task


Application Environment
To provide exact control for packet analysis, the system can combine port mirroring and traffic classification to copy the packets that meet the requirements. As a result, the packets are filtered and the efficiency of packet analysis is improved.

Pre-configuration Tasks
Before configuring local traffic mirroring, complete the following task:
• Configuring the static route or enabling an IGP to ensure that the IP routes between routers are reachable

Data Preparation
To configure local traffic mirroring, you need the following data.
No.  Data
1    Type and number of the observing port
2    Slot number of the LPU on which the mirroring port is configured
3    Type and number of the mirroring port
4    Traffic classification rule, such as the ACL number, Differentiated Services Code Point (DSCP) value, 802.1p value, TCP flag value, source or destination MAC address, and IP precedence value
5    Name of the traffic class, name of the traffic behavior, and name of the traffic policy

5.3.2 Configuring the Observing Port


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interfaces functioning as the observing port can be the GE interface, GE sub-interface, Eth-Trunk interface, Eth-Trunk sub-interface, POS interface, and IP-Trunk interface.
Step 3 Run the following commands as required.
• Run the port-observing observe-index observe-index command to configure the local observing port.
• Run the port-observing identifier id [ description regulation ] command to configure the remote observing port.
----End

5.3.3 Configuring the Observing Port for the Entire LPU


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
slot slot-id
The slot view is displayed.
Step 3 Run:
mirror to observe-index observe-index
The observing port for mirroring on the entire LPU is configured.
NOTE
Then, the observing port corresponding to the observing index functions as the observing port of the entire LPU and is called the observing port for entire LPU mirroring. When a port on the LPU is mirrored, the packets are mirrored to the observing port for entire LPU mirroring. The observing port for entire LPU mirroring can be configured on either the local LPU or other LPUs.
----End

5.3.4 Defining the Traffic Class


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic classifier classifier-name [ operator { and | or } ]
The traffic class is defined and its view is displayed.
Step 3 Perform the following as required.
• Run the if-match acl acl-number command to set the ACL-based rule.
• Run the if-match dscp dscp-value command to set the DSCP-based rule.
• Run the if-match tcp syn-flag tcpflag-value command to set the TCP-flag-based rule.
• Run the if-match 8021p 8021p-code command to set the 802.1p-based rule for VLAN packets.
• Run the if-match source-mac mac-address command to set the rule based on the source MAC address of the packet.
• Run the if-match destination-mac mac-address command to set the rule based on the destination MAC address of the packet.
• Run the if-match ip-precedence ip-precedence command to set the rule based on the IP precedence of the packet.
• Run the if-match any command to set the rule matching all packets.
You can select one or several matching rules in Step 3 as required.
----End

5.3.5 Defining the Traffic Behavior and Enabling Local Traffic Mirroring
Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic behavior behavior-name
The traffic behavior is configured and the traffic behavior view is displayed.
Step 3 Run:
port-mirroring enable
Local traffic mirroring is enabled. After local traffic mirroring is enabled, the packets that match the traffic classes are copied to the observing port.
----End

5.3.6 Defining the Traffic Policy and Associating the Traffic Class with the Traffic Behavior
Context
Do as follows on the router to be configured with flow mirroring:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
traffic policy policy-name
The traffic policy is defined and its view is displayed.
Step 3 Run:
classifier classifier-name behavior behavior-name
The traffic class is associated with the traffic behavior in the traffic policy.
----End

5.3.7 Applying the Traffic Policy to the Mirrored Port


Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interface serves as the local mirroring port. The interfaces functioning as the mirroring port include the GE interface, GE sub-interface, POS interface, FR interface, serial interface, and MP-group interface. The LPUB, LPUC, LPUE, LPUF-10, and LPUF-21 support local upstream mirroring in which the observing port is a physical port.
Step 3 Run:
traffic-policy policy-name { inbound | outbound } [ link-layer | all-layer ]
The traffic policy is applied to the interface.
----End

5.3.8 Checking the Configuration


Procedure
• Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to check the configuration of a traffic behavior.
• Run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to check the configuration of a traffic class.
• Run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command to check the configurations of the specified traffic class in the specified policy, all the traffic classes in all the policies, and the behaviors related to the traffic classes.
• Run the display port-observing interface [ interface-type interface-number ] [ slot slot-id ] command to check the configuration of port mirroring of the entire LPU.

----End

Example
After the traffic behavior is configured successfully, run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command, and you can view information about the configured traffic behavior. For example, run the display traffic behavior user-defined command, and you can view information about the user-defined traffic behavior.
<HUAWEI> display traffic behavior user-defined
User Defined Behavior Information:
  Behavior: huawei
    Mirror:
      port-mirroring enable
      port-mirroring car cir 2000

After the traffic class is configured successfully, run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command, and you can view information about the configured traffic class. For example, run the display traffic classifier user-defined command, and you can view information about the user-defined traffic class.
<HUAWEI> display traffic classifier user-defined
User Defined Classifier Information:
  Classifier: huawei
    Operator: OR
    Rule(s) : if-match tcp syn-flag 2

If the traffic policy is configured successfully, run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command, and you can view the configurations of the specified traffic class in the specified policy, all the traffic classes in all the policies, and the behaviors related to traffic classes. For example, run the display traffic policy user-defined command, and you can view the configuration of the user-defined traffic policy.
<HUAWEI> display traffic policy user-defined
User Defined Traffic Policy Information:
  Policy: huawei
    Unshare-mode
    Classifier: default-class
      Behavior: be
        -none-
    Classifier: huawei
      Behavior: huawei
        Mirror:
          port-mirroring enable
          port-mirroring car cir 2000


After port mirroring is enabled, run the display port-observing [ slot slot-id ] command, and you can view the configurations of the observing port. For example, run the display port-observing slot 4 command, and you can view the configuration of the observing port of the LPU in slot 4.
<HUAWEI> display port-observing slot 4
slot 4
  observe-port   : GigabitEthernet4/1/0
  reference slot : 4
  reference slot : 6
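The following Python is an added example, not code from the Huawei guide: it models the objects of 5.3.4 to 5.3.7 (a traffic classifier with its and/or operator and if-match rules, a traffic behavior with port-mirroring enable, and a traffic policy binding class to behavior) so the matching logic can be exercised on constructed packets, using the huawei classifier shown in the display output above and the "source address 2.2.2.2" requirement of 5.4.2. Assumptions: TCP flag values are the usual bitmask (SYN = 2), a tcp syn-flag rule matches when all configured bits are set, an ACL is modelled as a list of permitted source prefixes, and classifiers are evaluated in binding order with default-class last; the command reference is authoritative for the real semantics.

```python
"""Model of how a traffic policy selects packets for local traffic mirroring.

Added example, not part of the Huawei guide. TCP flag bits, the bitmask match
for tcp syn-flag, the ACL model and the evaluation order are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


@dataclass
class Packet:
    src: str                 # source IPv4 address
    dscp: int = 0
    tcp_flags: int = 0       # bitmask built from TCP_FLAGS
    src_mac: str = ""


@dataclass
class Classifier:
    name: str
    operator: str = "or"     # "and": every rule must match; "or": any rule
    rules: list = field(default_factory=list)   # (rule-type, value) pairs

    def matches(self, pkt, acls):
        results = [self._rule(kind, val, pkt, acls) for kind, val in self.rules]
        if not results:
            return False
        return all(results) if self.operator == "and" else any(results)

    @staticmethod
    def _rule(kind, val, pkt, acls):
        if kind == "any":                       # if-match any
            return True
        if kind == "acl":                       # if-match acl acl-number
            return any(ipaddress.ip_address(pkt.src) in n for n in acls[val])
        if kind == "dscp":                      # if-match dscp dscp-value
            return pkt.dscp == val
        if kind == "tcp syn-flag":              # if-match tcp syn-flag tcpflag-value
            return pkt.tcp_flags & val == val   # assumption: all configured bits set
        if kind == "source-mac":                # if-match source-mac mac-address
            return pkt.src_mac.lower() == val.lower()
        raise ValueError(f"unsupported rule type: {kind}")


@dataclass
class Behavior:
    name: str
    port_mirroring: bool = False   # True after 'port-mirroring enable'


@dataclass
class Policy:
    name: str
    bindings: list = field(default_factory=list)   # (Classifier, Behavior) in order

    def mirrors(self, pkt, acls):
        """True when the first matching class is bound to a mirroring behavior."""
        for clf, beh in self.bindings:
            if clf.matches(pkt, acls):
                return beh.port_mirroring
        return False


# Constructed ACL table: ACL 2000 permits only source 2.2.2.2 (requirement of 5.4.2).
ACLS = {2000: [ipaddress.ip_network("2.2.2.2/32")]}


def page_policy():
    """The 'huawei' policy of 5.3.8: SYN packets are mirrored, everything else is not."""
    syn_class = Classifier("huawei", "or", [("tcp syn-flag", TCP_FLAGS["SYN"])])
    default = Classifier("default-class", "or", [("any", None)])
    return Policy("huawei", [(syn_class, Behavior("huawei", True)), (default, Behavior("be"))])


def flow_policy():
    """5.4.2 requirement: copy only packets whose source address is 2.2.2.2."""
    src_class = Classifier("from-host", "and", [("acl", 2000)])
    return Policy("flow-mirror", [(src_class, Behavior("mirror", True))])
```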

5.4 Configuration Examples


This section provides several configuration examples of mirroring.
5.4.1 Example for Configuring Local Port Mirroring
5.4.2 Example for Configuring Local Flow Mirroring

5.4.1 Example for Configuring Local Port Mirroring


Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 5-1, to monitor the packets received on GE 3/0/0 from Router A to Router B, configure GE 1/0/0 of Router B as the observing port and enable port mirroring on GE 3/0/0. Then all the packets received on GE 3/0/0 are copied to GE 1/0/0. All the mirrored packets are then sent to the packet analysis equipment Host D.
Figure 5-1 Networking diagram of port mirroring

[Figure 5-1, not reproduced. Labels: RouterA GE1/0/0 7.1.1.1/24; RouterB GE3/0/0 7.1.1.2/24, GE3/0/1 8.1.1.2/24, GE1/0/0 9.1.1.1/24; RouterC GE1/0/0 8.1.1.1/24; HostD]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GE 1/0/0 of Router B as the observing port.
2. Configure GE 3/0/0 of Router B as the mirroring port and enable port mirroring.

Data Preparation
To complete the configuration, you need the following data:
• IP addresses of the interfaces
• Interface type and number of the observing port and the mirroring port

Procedure
Step 1 Assign IP addresses to the interfaces, and ensure that the IP addresses are reachable. The detailed configurations are not mentioned.
Step 2 Configure GE 1/0/0 as the observing port.
<RouterB> system-view
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] port-observing observe-index 1
[RouterB-GigabitEthernet1/0/0] quit

Step 3 Configure the observing port to observe all the mirroring ports on the LPU.
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 1
[RouterB-slot-3] quit

Step 4 Enable upstream mirroring on GE 3/0/0.


[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] port-mirroring inbound
[RouterB-GigabitEthernet3/0/0] quit

After the preceding configuration, all the packets received on GE 3/0/0 and the packets sent to the CPU are mirrored to GE 1/0/0.
Step 5 Verify the configuration.
You can verify traffic mirroring through the ping command or in other ways. For example, send 10 ping packets from Router A to GE 3/0/0 of Router B; all the packets should be received on Host D. You can view the statistics about the packets on GE 1/0/0.
<RouterB> display interface gigabitethernet1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Description: GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc7d-a497
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and Receive Enable
Statistics last cleared:never
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 107628 bytes, 1016 packets
Output: 107628 bytes, 1016 packets
Input:
  Unicast: 0, Multicast: 0
  Broadcast: 0, JumboOctets: 0
  CRC: 0, Symbol: 0
  Overrun: 0 , InRangeLength: 0
  LongPacket: 0 , Jabber: 0, Alignment: 0
  Fragment: 0, Undersized Frame: 0
  RxPause: 0
Output:
  Unicast: 10, Multicast: 0
  Broadcast: 0, Jumbo: 0
  Lost: 0, Overflow: 0, Underrun: 0
  TxPause: 0

----End

Configuration Files

Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 7.1.1.1 255.255.255.0
#
return

Configuration file of Router B

#
 sysname RouterB
#
slot 3
#
interface GigabitEthernet3/0/0
 ip address 7.1.1.2 255.255.255.0
 port-mirroring inbound
 port-mirroring inbound cpu-packet
#
interface GigabitEthernet3/0/1
 ip address 8.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.1 255.255.255.0
 port-observing observe-index 1
#
slot 3
 mirror to observe-index 1
#
return

Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 8.1.1.1 255.255.255.0
#
return

5.4.2 Example for Configuring Local Flow Mirroring
Networking Requirements

CAUTION
For the NE5000E, an interface is numbered as slot number/card number/interface number. For the NE5000E cluster, an interface is numbered as chassis ID/slot number/card number/interface number, and the slot number is written as chassis ID/slot ID.

As shown in Figure 5-2, to monitor the packets that GE 3/0/0 of Router B receives from Router A, configure GE 3/0/2 of Router B as the observing port and then enable flow mirroring on GE 3/0/0. To reduce the load on Host D, configure a traffic policy on GE 3/0/0 of Router B so that only the packets with the source address 2.2.2.2 are copied to GE 3/0/2.

Figure 5-2 Networking diagram of flow mirroring

[Figure: Router A connects to net1 via GE 2/0/0 (1.1.1.0/24) and to net2 via GE 3/0/0 (2.2.2.2/24); Router A GE 1/0/0 (7.1.1.1/24) connects to Router B GE 3/0/0 (7.1.1.2/24); Router B GE 3/0/1 (8.1.1.2/24) connects to Router C GE 1/0/0 (8.1.1.1/24); Router B GE 3/0/2 (9.1.1.1/24) connects to Host D.]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure GE 3/0/2 of Router B as the observing port.
2. Configure a traffic policy on GE 3/0/0 of Router B that combines traffic classification with port mirroring.

Data Preparation

To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Interface type and number of the observing port and the mirroring port
- ACL number and names of the traffic class, traffic behavior, and traffic policy

Procedure

Step 1 Assign IP addresses to the interfaces and ensure that they are reachable. The detailed configurations are omitted.

Step 2 Configure GE 3/0/2 as the observing port. The observing port carries copies of the monitored traffic, so it should connect only to the capture host (Host D).

<RouterB> system-view
[RouterB] interface gigabitethernet3/0/2
[RouterB-GigabitEthernet3/0/2] port-observing observe-index 3
[RouterB-GigabitEthernet3/0/2] quit

Step 3 Configure the observing port to observe all the mirroring ports on the LPU. The index given here must be the one assigned with port-observing observe-index in Step 2 (3), otherwise the mirrored copies have no destination.

[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 3
[RouterB-slot-3] quit

Step 4 Define the traffic policy on GE 3/0/0.

# Set an ACL rule. The wildcard 0.0.0.0 makes the rule match the single host 2.2.2.2.

[RouterB] acl 2001
[RouterB-acl-basic-2001] rule permit source 2.2.2.2 0.0.0.0
[RouterB-acl-basic-2001] quit

# Configure traffic classification and set an ACL-based matching rule.

[RouterB] traffic classifier a
[RouterB-classifier-a] if-match acl 2001
[RouterB-classifier-a] quit
[RouterB] quit

# After the preceding configuration, you can run the display command to view the configuration of the traffic class.

<RouterB> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: a
Operator: OR
Rule(s) : if-match acl 2001

# Set a traffic behavior and enable flow mirroring.

<RouterB> system-view
[RouterB] traffic behavior e
[RouterB-behavior-e] port-mirroring enable
[RouterB-behavior-e] quit

# Define a traffic policy and associate the traffic class with the traffic behavior.

[RouterB] traffic policy 1
[RouterB-trafficpolicy-1] classifier a behavior e
[RouterB-trafficpolicy-1] quit

# Apply the traffic policy to the interface in the inbound direction, so only packets received on GE 3/0/0 are classified and mirrored.

[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] traffic-policy 1 inbound
[RouterB-GigabitEthernet3/0/0] quit

Step 5 Verify the configuration.

You can check traffic mirroring with the ping command or in other ways. For example, send 10 ping packets with the source address 2.2.2.2/32 and another 10 with the source address 1.1.1.1/32 from Router A to GE 3/0/0. Host D should receive only the packets with the source address 2.2.2.2/32; if it also receives the 1.1.1.1/32 packets, the traffic policy is not being applied to the interface.

----End

Configuration Files

Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 7.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
return

Configuration file of Router B

#
 sysname RouterB
#
slot 3
#
acl number 2001
 rule 5 permit source 2.2.2.2 0
#
traffic classifier a operator or
 if-match acl 2001
#
traffic behavior e
 port-mirroring enable
#
traffic policy 1
 classifier a behavior e
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 7.1.1.2 255.255.255.0
 traffic-policy 1 inbound
#
interface GigabitEthernet3/0/1
 undo shutdown
 ip address 8.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/2
 undo shutdown
 port-observing observe-index 3
#
slot 3
 mirror to observe-index 3
#
return

Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 8.1.1.1 255.255.255.0
#
return
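The script below is an added example written for this chapter; it is not part of the guide or of Huawei's software. Given a configuration file in the form shown for Router B in 5.4.1 (interface-wide port-mirroring inbound) and 5.4.2 (ACL-driven flow mirroring through traffic classifier, traffic behavior and traffic policy), it follows the mirroring chain to answer which source addresses received on which interface are copied to the observing port, and it checks that every slot's mirror to observe-index names an index that some interface actually carries under port-observing observe-index, the mismatch that leaves the mirror silently copying to nowhere. The configuration strings are constructed from the two examples on this page with the '#' block separators omitted, and MISMATCHED_CONFIG is the flow-mirroring configuration with the slot deliberately pointing at an index no port observes.

```python
"""Audit what an observing port will receive, from a VRP-style configuration.
Added example for this chapter, not Huawei tooling: it understands only the command
forms used in the two mirroring examples above. The configuration strings are
constructed from those examples, with the '#' block separators omitted."""
import ipaddress
from types import SimpleNamespace

FLOW_MIRROR_CONFIG = """\
acl number 2001
 rule 5 permit source 2.2.2.2 0
traffic classifier a operator or
 if-match acl 2001
traffic behavior e
 port-mirroring enable
traffic policy 1
 classifier a behavior e
interface GigabitEthernet3/0/0
 traffic-policy 1 inbound
interface GigabitEthernet3/0/2
 port-observing observe-index 3
slot 3
 mirror to observe-index 3
"""
PORT_MIRROR_CONFIG = """\
interface GigabitEthernet3/0/0
 port-mirroring inbound
 port-mirroring inbound cpu-packet
interface GigabitEthernet1/0/0
 port-observing observe-index 1
slot 3
 mirror to observe-index 1
"""
MISMATCHED_CONFIG = FLOW_MIRROR_CONFIG.replace("mirror to observe-index 3", "mirror to observe-index 1")

def _ip(text):  # addresses and wildcards; the configuration file abbreviates 0.0.0.0 as 0
    return int(ipaddress.IPv4Address(int(text) if text.isdigit() else text))

def parse_config(text):
    m = SimpleNamespace(acls={}, classifiers={}, mirror_behaviors=set(), policies={},
                        iface_policy={}, iface_all=set(), observing={}, slot_mirror={})
    ctx = None  # (view, name) of the configuration view the current line belongs to
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("#", "return"):
            ctx = None
        elif w[0] == "acl":  # "acl number 2001" in the file, "acl 2001" at the CLI
            ctx = ("acl", int(w[-1]))
        elif w[0] == "traffic":  # traffic {classifier|behavior|policy} NAME
            ctx = (w[1], w[2])
        elif w[0] in ("interface", "slot"):
            ctx = (w[0], w[1])
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and w[0] == "rule" and "source" in w:
            i = w.index("source")  # rule [id] {permit|deny} source {addr wildcard|any}
            src = (0, 0xFFFFFFFF) if w[i + 1] == "any" else (_ip(w[i + 1]), _ip(w[i + 2]))
            m.acls.setdefault(ctx[1], []).append((w[i - 1],) + src)
        elif ctx[0] == "classifier" and w[:2] == ["if-match", "acl"]:
            m.classifiers.setdefault(ctx[1], []).append(int(w[2]))
        elif ctx[0] == "behavior" and w[:2] == ["port-mirroring", "enable"]:
            m.mirror_behaviors.add(ctx[1])
        elif ctx[0] == "policy" and w[0] == "classifier" and w[2] == "behavior":
            m.policies.setdefault(ctx[1], []).append((w[1], w[3]))
        elif ctx[0] == "interface" and w[0] == "traffic-policy" and w[2] == "inbound":
            m.iface_policy[ctx[1]] = w[1]
        elif ctx[0] == "interface" and w[:2] == ["port-mirroring", "inbound"]:
            m.iface_all.add(ctx[1])
        elif ctx[0] == "interface" and w[:2] == ["port-observing", "observe-index"]:
            m.observing[ctx[1]] = int(w[2])
        elif ctx[0] == "slot" and w[:3] == ["mirror", "to", "observe-index"]:
            m.slot_mirror[ctx[1]] = int(w[3])
    return m

def acl_permits(m, acl_no, src_ip):
    """First-match evaluation; a packet no rule matches does not match the classifier."""
    ip = _ip(src_ip)
    for action, addr, wild in m.acls.get(acl_no, []):
        if (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False

def would_mirror(m, interface, src_ip):
    """True if a packet from src_ip received on interface is copied to the observing port."""
    if interface in m.iface_all:
        return True
    for clf, beh in m.policies.get(m.iface_policy.get(interface), []):
        if beh in m.mirror_behaviors and any(acl_permits(m, a, src_ip) for a in m.classifiers.get(clf, [])):
            return True
    return False

def audit_observe_index(m):
    """Slots whose mirror target no port observes, and observing ports no slot mirrors to."""
    findings = []
    for slot, idx in m.slot_mirror.items():
        if idx not in m.observing.values():
            findings.append(f"slot {slot}: mirror to observe-index {idx} matches no port-observing interface")
    for iface, idx in m.observing.items():
        if idx not in m.slot_mirror.values():
            findings.append(f"{iface}: observe-index {idx} is not the target of any slot's mirror command")
    return findings
```

For the flow-mirroring configuration, would_mirror reports True for source 2.2.2.2 on GE 3/0/0 and False for 1.1.1.1, which is exactly the ping test in Step 5; for MISMATCHED_CONFIG, audit_observe_index returns two findings, one for slot 3 and one for GE 3/0/2. The wildcard handling follows the Huawei convention that set bits are "don't care", so the same checker can be run against a production configuration before a mirror session is trusted for an investigation.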

A Attributes List of RADIUS and HWTACACS

This appendix lists the RADIUS and HWTACACS attributes supported by the NE5000E.

A.1 RADIUS Attributes: the standard RADIUS attributes and the Huawei vendor-specific RADIUS attributes.
A.2 HWTACACS Attributes: the HWTACACS attributes.


A.1 RADIUS Attributes

This section lists the RADIUS attributes.

A.1.1 Standard RADIUS Attributes
A.1.2 Huawei RADIUS Attributes

A.1.1 Standard RADIUS Attributes

Each entry gives the attribute number, the attribute name, and the meaning on the NE5000E.

1 User-Name: Name of the user under authentication.
2 User-Password: Password of the user under authentication; effective only for PAP authentication. RFC 2865 hides this attribute only with the MD5-based scheme keyed by the shared secret and the Request Authenticator, so the path between the router and the RADIUS server should itself be protected.
3 CHAP-Password: CHAP response of the user under authentication; effective only for CHAP authentication.
4 NAS-IP-Address: IP address of the router. If the RADIUS server group is bound to an interface, the address of that interface is used; otherwise, the address of the interface that sends the packet is used.
5 NAS-Port: User access port, encoded as "4-bit slot number + 2-bit card number + 5-bit port number + 21-bit VLAN ID".
6 Service-Type: User service type. Access users have the value 2; operation users have the value 6.
7 Framed-Protocol: Fixed at 1, which refers to PPP.
8 Framed-IP-Address: IP address that the RADIUS server assigns to the user. 0xFFFFFFFE indicates that the address is assigned by the router, not by the RADIUS server.
9 Framed-IP-Netmask: IP address mask that the RADIUS server assigns to the user.
11 Filter-Id: User group.
14 Login-IP-Host: IP address of the host the user connects to.
15 Login-Service: Type of login service: Telnet, Rlogin, TCP Clear, PortMaster (proprietary), or LAT.
18 Reply-Message: Message telling the user whether authentication succeeded.
19 Callback-Number: Information from the server that can be displayed to the user, such as a mobile phone number.
24 State: If an Access-Challenge packet sent from the RADIUS server to the router contains this attribute, the subsequent Access-Request packets of the router must carry the same value.
25 Class: If an Access-Accept packet sent from the RADIUS server to the router contains this attribute, the subsequent Accounting-Request packets of the router must carry the same value. With a standard RADIUS server, the router can use Class to signify CAR.
27 Session-Timeout: Remaining time available to the user, in seconds; in EAP challenge packets it acts as the re-authentication interval.
28 Idle-Timeout: Idle time after which the user is disconnected, in seconds.
29 Termination-Action: Action when the service ends, such as re-authentication or forced logout.
30 Called-Station-Id: Lets the NAS send the called number.
31 Calling-Station-Id: Lets the NAS send the calling number.
32 NAS-Identifier: Host name of the router.
40 Acct-Status-Type: Type of accounting packet. 1 indicates an accounting start packet, 2 an accounting stop packet, and 3 a real-time (interim) accounting packet.
41 Acct-Delay-Time: Time, in seconds, that the router has spent trying to send this accounting packet.
42 Acct-Input-Octets: Uplink octet count, in bytes, kilobytes, megabytes, or gigabytes; the unit is selected by command configuration.
43 Acct-Output-Octets: Downlink octet count, in bytes, kilobytes, megabytes, or gigabytes; the unit is selected by command configuration.
44 Acct-Session-Id: Accounting session identifier. The start, real-time, and stop accounting packets of one session must carry the same session ID.
45 Acct-Authentic: Authentication mode. 1 refers to RADIUS authentication and 2 to local authentication.
46 Acct-Session-Time: Online time of the user, in seconds.
47 Acct-Input-Packets: Number of input packets.
48 Acct-Output-Packets: Number of output packets.
49 Acct-Terminate-Cause: Cause of the user connection being terminated:
   - User-Request (1): the user logged out.
   - Lost Carrier (2): a handshake failed, for example ARP detection or the PPP handshake.
   - Lost Service (3): the service can no longer be provided.
   - Idle Timeout (4): the idle timeout expired.
   - Session Timeout (5): the time limit or traffic limit was reached.
   - Admin Reset (6): the administrator ordered the connection to be broken.
   - Admin Reboot (7): the administrator reset the router.
   - Port Error (8): the port is in error.
   - NAS Error (9): an internal error occurred in the router.
   - NAS Request (10): the router broke the connection because resources changed.
   - NAS Reboot (11): the router reset automatically.
   - Port Unneeded (12): the port went Down.
   - Port Suspended (14): the port was suspended.
   - Service Unavailable (15): the service is unavailable.
   - User Error (17): user authentication failed or timed out.
   - Host Request (18): a decline packet was received from the server.
50 Acct-Multi-Session-Id: Identifier shared by several sessions, used to relate them in the log.
52 Acct-Input-Gigawords: Number of times the input octet counter has wrapped around 2^32 (4G) in the configured unit of bytes, kilobytes, megabytes, or gigabytes.
53 Acct-Output-Gigawords: Number of times the output octet counter has wrapped around 2^32 (4G) in the configured unit of bytes, kilobytes, megabytes, or gigabytes.
55 Event-Timestamp: Absolute time in seconds since 00:00:00 on January 1, 1970.
60 CHAP-Challenge: Challenge of CHAP authentication; used only for CHAP authentication.
61 NAS-Port-Type: Port type of the NAS, which can be set in the BAS interface view.
64 Tunnel-Type: Tunnel protocol. Fixed at 3, which signifies an L2TP tunnel.
65 Tunnel-Medium-Type: Medium over which the tunnel runs. Fixed at 1, which signifies IPv4.
67 Tunnel-Server-Endpoint: IP address of the tunnel at the server side.
69 Tunnel-Password: Password for tunnel authentication. The first two bytes are the salt; the following 16 bytes are the encrypted password.
81 Tunnel-Private-Group-ID: Group ID of the tunnel.
82 Tunnel-Assignment-ID: ID of the tunnel.
83 Tunnel-Preference: Tunnel preference.
85 Acct-Interim-Interval: Interval for real-time accounting, in seconds.
87 NAS-Port-Id: Port identifier of the user access, in the format "slot=XX; subslot=XX; port=XXX; VLANID=XXXX;" or "slot=XX; subslot=XX; port=XXX; VPI=XXX; VCI=XXXX".
88 Framed-Pool: Name of the address pool and address segment number, effective for the IP address that the local address pool of the router assigns to PPP. Its format is "address pool name # address segment number".
90 Tunnel-Client-Auth-ID: Local user name passed during tunnel authentication.
91 Tunnel-Server-Auth-ID: Server-side user name passed during tunnel authentication.

A.1.2 Huawei RADIUS Attributes

Huawei attributes are carried as sub-attributes of the Vendor-Specific attribute (26); each entry gives the sub-attribute number, the name, and the meaning. Several attributes apply only to a Portal-type (RADIUS+1.1) RADIUS server, as noted.

26-1 Input-Peak-Rate: Peak uplink rate, in bit/s.
26-2 Input-Average-Rate: Average uplink rate, in bit/s.
26-3 Input-Basic-Rate: Basic uplink rate, in bit/s.
26-4 Output-Peak-Rate: Peak downlink rate, in bit/s.
26-5 Output-Average-Rate: Average downlink rate, in bit/s.
26-6 Output-Basic-Rate: Basic downlink rate, in bit/s.
26-7 In-Kb-Before-T-Switch: Traffic received before the charge rate (tariff) switch, in kilobytes. If no tariff switch occurs in the real-time accounting period, this is the user traffic received by the router during the entire period; if a tariff switch occurs, it is the traffic received from the start of the period up to the switch. Portal-type (RADIUS+1.1) servers only.
26-8 Out-Kb-Before-T-Switch: Traffic sent before the tariff switch, in kilobytes. If no tariff switch occurs in the real-time accounting period, this is the user traffic sent by the router during the entire period; if a tariff switch occurs, it is the traffic sent from the start of the period up to the switch. Portal-type (RADIUS+1.1) servers only.
26-9 In-Pkt-Before-T-Switch: Number of packets received before the tariff switch. If no tariff switch occurs in the real-time accounting period, this is the number of packets received by the router during the entire period; if a tariff switch occurs, it is the number received from the start of the period up to the switch. Portal-type (RADIUS+1.1) servers only.
26-10 Out-Pkt-Before-T-Switch: Number of packets sent before the tariff switch. If no tariff switch occurs in the real-time accounting period, this is the number of packets sent by the router during the entire period; if a tariff switch occurs, it is the number sent from the start of the period up to the switch. Portal-type (RADIUS+1.1) servers only.
26-11 In-Kb-After-T-Switch: Traffic received after the tariff switch, in kilobytes. If no tariff switch occurs in the real-time accounting period, this is the user traffic received by the router during the entire period; if a tariff switch occurs, it is the traffic received from the switch to the end of the period. Portal-type (RADIUS+1.1) servers only.
26-12 Out-Kb-After-T-Switch: Traffic sent after the tariff switch, in kilobytes. If no tariff switch occurs in the real-time accounting period, this is the user traffic sent by the router during the entire period; if a tariff switch occurs, it is the traffic sent from the switch to the end of the period. Portal-type (RADIUS+1.1) servers only.
26-13 In-Pkt-After-T-Switch: Number of packets received after the tariff switch. If no tariff switch occurs in the real-time accounting period, this is the number of packets received by the router during the entire period; if a tariff switch occurs, it is the number received from the switch to the end of the period. Portal-type (RADIUS+1.1) servers only.
26-14 Out-Pkt-After-T-Switch: Number of packets sent after the tariff switch. If no tariff switch occurs in the real-time accounting period, this is the number of packets sent by the router during the entire period; if a tariff switch occurs, it is the number sent from the switch to the end of the period. Portal-type (RADIUS+1.1) servers only.
26-15 Remnant-Volume: Remaining available traffic, in kilobytes.
26-16 Tariff-Switch-Interval: Time between the latest tariff switch and the current time, in seconds. Portal-type (RADIUS+1.1) servers only.
26-20 Command: Operation carried by a session control packet. 1 indicates a session trigger request, 2 a session interruption request, 3 a policy setting, and 4 a result. Portal-type (RADIUS+1.1) servers only.
26-22 Priority: Priority of the user service; valid values range from 1 to 9.
26-24 Control-Identifier: Identifier of retransmitted packets. Retransmissions within one session must carry the same value, and the server returns the client's value unchanged. In start, real-time, and stop accounting packets this value is insignificant. Portal-type (RADIUS+1.1) servers only.
26-25 Result-Code: Valid only when the Command attribute (26-20) is 3 or 4. 0 indicates success; any other value indicates failure. Portal-type (RADIUS+1.1) servers only.
26-26 Connect-ID: Index of the user connection. Portal-type (RADIUS+1.1) servers only.
26-27 Portal-URL: URL of the forced portal for PPP users. Portal-type (RADIUS+1.1) servers only.
26-28 Ftp-directory: Initial directory of FTP users.
26-29 Exec-Privilege: Priority (privilege level) of operation users such as Telnet users; values range from 0 to 3.
26-30 Radius-Mp-VT-Number: Virtual template number used by MP users.
26-31 VPN-instance: VPN instance name of VPN users.
26-32 VT-number: Virtual template number of VPN users.
26-59 Startup-stamp: Startup timestamp of the device, as absolute seconds since 00:00:00 on January 1, 1970.
26-60 Ip-Host-Address: IP address and MAC address of the user, carried in authentication and accounting packets in the format "A.B.C.D HH:HH:HH:HH:HH:HH"; the IP address and the MAC address are separated by a space.
26-135 Primary-DNS: Primary DNS server address delivered by the RADIUS server after the user passes authentication.
26-136 Secondary-DNS: Secondary DNS server address delivered by the RADIUS server after the user passes authentication.
26-254 Version: Software version of the device.
26-255 Product-ID: Product name.
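The following script is an added example for this appendix, not code from the guide or from Huawei. It encodes and decodes a RADIUS Access-Request carrying several of the attributes listed in A.1.1 and A.1.2: User-Name (1), User-Password (2) hidden with the RFC 2865 shared-secret scheme, NAS-IP-Address (4), NAS-Port (5) in the "4-bit slot + 2-bit card + 5-bit port + 21-bit VLAN" layout the table describes, Service-Type (6), and one Huawei Vendor-Specific (26) sub-attribute. The vendor ID 2011 is Huawei's IANA enterprise number, which the tables do not state; the shared secret, addresses, user name and the text encoding of the sub-attribute value are assumptions made for the example.

```python
"""Encode and decode RADIUS attributes from the tables above.
Added example for this appendix, not Huawei code. It builds an Access-Request with
User-Name (1), User-Password (2), NAS-IP-Address (4), NAS-Port (5) in the
slot/card/port/VLAN layout described for attribute 5, Service-Type (6) and one
Huawei Vendor-Specific (26) sub-attribute, then parses it back. Vendor ID 2011 is
Huawei's IANA enterprise number (not stated in the tables); the secret, addresses
and the text encoding of the sub-attribute value are assumptions for the example."""
import hashlib
import struct

ACCESS_REQUEST = 1
HUAWEI_VENDOR_ID = 2011

def pack_nas_port(slot, card, port, vlan):
    """NAS-Port (5): 4-bit slot, 2-bit card, 5-bit port, 21-bit VLAN, most significant first."""
    if not (0 <= slot < 16 and 0 <= card < 4 and 0 <= port < 32 and 0 <= vlan < 1 << 21):
        raise ValueError("NAS-Port field out of range")
    return (slot << 28) | (card << 26) | (port << 21) | vlan

def unpack_nas_port(value):
    return (value >> 28) & 0xF, (value >> 26) & 0x3, (value >> 21) & 0x1F, value & 0x1FFFFF

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    ciphertext block), the first with MD5(secret + Request Authenticator). This hides the
    password only from an observer who lacks the shared secret, so the router-to-server
    path still needs network-level protection."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes, so a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def huawei_vsa(sub_type, value):
    """Vendor-Specific (26): Vendor-Id, then one vendor type/length/value such as 26-29 Exec-Privilege."""
    return attr(26, struct.pack("!IBB", HUAWEI_VENDOR_ID, sub_type, len(value) + 2) + value)

def build_access_request(ident, secret, authenticator, user, password, nas_ip, nas_port,
                         service_type, vsas=()):
    body = attr(1, user) + attr(2, hide_password(password, secret, authenticator))
    body += attr(4, bytes(int(octet) for octet in nas_ip.split(".")))
    body += attr(5, struct.pack("!I", nas_port)) + attr(6, struct.pack("!I", service_type))
    for sub_type, value in vsas:
        body += huawei_vsa(sub_type, value)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, ident, authenticator, attrs); attrs is a list of (type, value) with a
    Vendor-Specific value expanded to (vendor_id, sub_type, value). Lengths are validated
    before use so a truncated or oversized packet raises instead of being misread."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    authenticator, pos, attrs = data[4:20], 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == 26:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("bad vendor attribute length")
            vendor_id, sub_type = struct.unpack("!IB", value[:5])
            attrs.append((26, (vendor_id, sub_type, value[6:])))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, authenticator, attrs

def example_request():
    """Constructed sample: Router B (7.1.1.2) authenticating 'alice' on slot 3, VLAN 100,
    as an operation user (Service-Type 6) with Exec-Privilege (26-29) level 3."""
    return build_access_request(7, b"constructed-secret", bytes(range(16)), b"alice", b"s3cret!",
                                "7.1.1.2", pack_nas_port(3, 0, 0, 100), 6, [(29, b"3")])
```

The parser rejects attributes whose Length field runs past the packet and vendor sub-attributes whose inner length disagrees with the outer one, the two malformations a RADIUS implementation must refuse before reading a value. Note that NAS-Port for slot 3, card 0, port 0, VLAN 100 packs to 0x30000064, and that the hidden User-Password differs from the padded plaintext but is recovered exactly by reveal_password with the same secret and Request Authenticator.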

A.2 HWTACACS Attributes

This section lists the HWTACACS attributes; each entry gives the attribute name and its meaning.

Acl: ACL of the connection; usable only when service=shell and cmd=NULL.
Idletime: Idle timeout of a connection, in minutes; 0 means no timeout.
Autocmd: Command that runs automatically; usable only when service=shell and cmd=NULL.
Priv-lvl: Assigned privilege level, from 0 to 3.
Ftpdir: Initial directory of FTP users.
Callback-line: Information from the server that can be displayed to the user, such as a mobile phone number.
Nocallback-verify: No verification is needed after callback.
Nohangup: The connection is not broken after the automatically run command completes; usable only when service=shell and cmd=NULL.
Addr: Network address.
Addr-pool: Address pool from which the NAS must assign addresses.
Dns-servers: DNS server.
Tunnel-type: Type of the tunnel.
Ip-addresses: IP addresses of the LNS; up to five addresses, separated by ',' or ';'.
Tunnel-id: Tunnel ID.
L2tp-hello-interval: Interval between L2TP hello messages.
L2tp-hidden-avp: Hidden Attribute Value Pair (AVP) of L2TP.
L2tp-nosession-timeout: Time after which an L2TP tunnel with no session is torn down.
L2tp-tos-reflect: TOS value of L2TP.
L2tp-tunnel-authen: Whether L2TP tunnel authentication is performed.
Gw-password: Gateway password.
L2tp-udp-checksum: Checksum of L2TP UDP packets.
Source-ip: Source IP address.
L2tp-group-num: L2TP group number.
Upaverage: Average uplink rate, in bit/s.
Uppeak: Peak uplink rate, in bit/s.
Dnaverage: Average downlink rate, in bit/s.
Dnpeak: Peak downlink rate, in bit/s.
Task_id: Task ID.
Timezone: Time zone.
Service: Primary service for authorization or accounting, such as "slip", "ppp", "arap", "shell", "ttydaemon", "connection", "system", or "firewall".
Protocol: Protocol, a subset of a service, such as "lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet", "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp", or "unknown".
Mlp_links_max: Maximum number of links bound in an MP bundle.
Mlp_links_current: Current number of MP links.
Disc_cause: Cause of logout.
Disc_cause_ext: Extended cause of logout.
Elapsed_time: Online time of the user.
Nas_rx_speed: Output speed of the NAS.
Nas_tx_speed: Input speed of the NAS.

B Glossary

This appendix collates terms frequently used in this document.

AAA: Authentication, Authorization and Accounting
NAS: Network Access Server
RADIUS: Remote Authentication Dial In User Service

C Acronyms and Abbreviations

This appendix collates acronyms and abbreviations frequently used in this document.

AAA: Authentication, Authorization and Accounting
ACK: Acknowledgement
ACL: Access Control List
ARP: Address Resolution Protocol
BGP: Border Gateway Protocol
BW: Bandwidth
CAMS: Comprehensive Access Management Server
CAR: Committed Access Rate
CBS: Committed Burst Size
CID: Channel Identifier
CIR: Committed Information Rate
CPU: Central Processing Unit
CRC: Cyclic Redundancy Check
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
DoS: Denial of Service
FE: Fast Ethernet
GE: Gigabit Ethernet
HWTACACS: HuaWei Terminal Access Controller Access Control System
ICMP: Internet Control Message Protocol
ID: Identification
IP: Internet Protocol
ISP: Internet Service Provider
LPU: Line Processing Unit
MAC: Medium Access Control
NAK: Negative Acknowledgement
NAS: Network Access Server
NBNS: NetBIOS Name Service
NetBIOS: Network Basic Input/Output System
POS: Packet Over SDH/SONET
PPP: Point-to-Point Protocol
RADIUS: Remote Authentication Dial In User Service
RFC: Request for Comments
SNMP: Simple Network Management Protocol
SR: Service Router
SSH: Secure Shell
TACACS: Terminal Access Controller Access Control System
TCP: Transmission Control Protocol
TTL: Time to Live
UDP: User Datagram Protocol
URPF: Unicast Reverse Path Forwarding
VLAN: Virtual Local Area Network
VPDN: Virtual Private Dial Network
VPN: Virtual Private Network
VTY: Virtual Type Terminal