Huawei Quidway S9300 Configuration Manual

Terabit routing switch

Quidway S9300 Terabit Routing Switch
V100R002C00
Configuration Guide - Security
Issue 06
Date 2010–01–08
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Summary of Contents for Huawei Quidway S9300

  • Page 1 Quidway S9300 Terabit Routing Switch V100R002C00 Configuration Guide - Security Issue Date 2010–01–08 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
  • Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
  • Page 3: Table of Contents

    About This Document ... 1
    1 AAA and User Management Configuration ... 1-1
    1.1 Introduction to AAA and User Management ... 1-2
    1.2 AAA and User Management Features Supported by the S9300 ... 1-2
    1.3 Configuring AAA Schemes ... 1-4
    1.3.1 Establishing the Configuration Task ... 1-4...
  • Page 4
    1.5.10 (Optional) Setting HWTACACS Timers ... 1-23
    1.5.11 (Optional) Configuring Retransmission of Accounting-Stop Packet ... 1-24
    1.5.12 Checking the Configuration ... 1-24
    1.6 Configuring a Service Scheme ... 1-25
    1.6.1 Establishing the Configuration Task ... 1-25
    1.6.2 Creating a Service Scheme ... 1-26
    1.6.3 Setting the Administrator Level ... 1-26...
  • Page 5
    2.2 NAC Features Supported by the S9300 ... 2-4
    2.3 Configuring Web Authentication ... 2-4
    2.3.1 Establishing the Configuration Task ... 2-4
    2.3.2 Configuring the Web Authentication Server ... 2-5
    2.3.3 Binding the Web Authentication Server to the Interface ... 2-5
    2.3.4 Configuring the Free Rule for Web Authentication ... 2-6...
  • Page 6
    2.6.3 Debugging 802.1x Authentication ... 2-31
    2.6.4 Debugging MAC Address Authentication ... 2-32
    2.7 Configuration Examples ... 2-32
    2.7.1 Example for Configuring Web Authentication ... 2-32
    2.7.2 Example for Configuring 802.1x Authentication ... 2-35
    2.7.3 Example for Configuring MAC Address Authentication ... 2-38
    3 DHCP Snooping Configuration ... 3-1...
  • Page 7
    3.8.5 Checking the Configuration ... 3-29
    3.9 Maintaining DHCP Snooping ... 3-30
    3.9.1 Clearing DHCP Snooping Statistics ... 3-30
    3.9.2 Resetting the DHCP Snooping Binding Table ... 3-30
    3.9.3 Backing Up the DHCP Snooping Binding Table ... 3-30
    3.10 Configuration Examples ... 3-31
    3.10.1 Example for Preventing the Bogus DHCP Server Attack ... 3-31...
  • Page 8
    4.6.3 Clearing the Statistics on Discarded ARP Packets ... 4-20
    4.6.4 Debugging ARP Packets ... 4-21
    4.7 Configuration Examples ... 4-21
    4.7.1 Example for Configuring ARP Security Functions ... 4-22
    4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks ... 4-25
    5 Source IP Attack Defense Configuration ... 5-1...
  • Page 9
    6.4 Configuring Attack Source Tracing ... 6-8
    6.4.1 Establishing the Configuration Task ... 6-8
    6.4.2 Creating an Attack Defense Policy ... 6-9
    6.4.3 Enabling the Automatic Attack Source Tracing ... 6-9
    6.4.4 Configuring the Threshold of Attack Source Tracing ... 6-10
    6.4.5 (Optional) Configuring the Attack Source Alarm Function ... 6-10...
  • Page 10
    9.2 Interface Security Features Supported by the S9300 ... 9-2
    9.3 Configuring Interface Security ... 9-2
    9.3.1 Establishing the Configuration Task ... 9-3
    9.3.2 Enabling the Interface Security Function ... 9-3
    9.3.3 (Optional) Configuring the Protection Action in Interface Security ... 9-4
    9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface ... 9-4...
  • Page 11
    11.5.3 Example for Configuring a Layer 2 ACL ... 11-20
    11.5.4 Example for Configuring an ACL6 ... 11-22
  • Page 13: Figures

    Figure 1-1 Networking diagram of RADIUS authentication and accounting ... 1-42
    Figure 1-2 Networking diagram of HWTACACS authentication, accounting, and authorization ... 1-45
    Figure 2-1 Typical networking of NAC ... 2-2
    Figure 2-2 Network diagram for configuring Web authentication ... 2-33
    Figure 2-3 Networking diagram for configuring 802.1x authentication ... 2-36...
  • Page 15: Tables

    Table 3-1 Matching table between type of attacks and DHCP snooping operation modes ... 3-5
    Table 3-2 Relation between the type of attacks and the type of discarded packets ... 3-25
  • Page 17: About This Document

    Purpose: This document describes security features of the S9300 including AAA and user management, Network Access Control (NAC), DHCP snooping, ARP security, IP source guard, IP source...
  • Page 18: Symbol Conventions

    Chapter | Description
    1 AAA and User Management Configuration | Describes basic concepts of AAA and user management, and provides configuration methods and configuration examples.
    2 NAC Configuration | Describes basic concepts of Network Access Control (NAC), and provides configuration methods and configuration examples.
  • Page 19: General Conventions

    Symbol | Description
    DANGER | Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
    (symbol not captured) | Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
  • Page 20
    Convention [ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
  • Page 21
    Action | Description
    Click | Select and release the primary mouse button without moving the pointer.
    Double-click | Press the primary mouse button twice continuously and quickly without moving the pointer.
  • Page 22
    Updates in Issue 03 (2009-09-20): Based on Issue 02 (2009-08-15), the document is updated as follows. The following information is modified: DHCP Snooping Configuration: The configuration commands
    Updates in Issue 02 (2009-08-15)
  • Page 23: AAA and User Management Configuration

    This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial in User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domain. 1.1 Introduction to AAA and User Management This section describes the knowledge of AAA and user management.
  • Page 24: Introduction to AAA and User Management

    1.1 Introduction to AAA and User Management
    This section describes the knowledge of AAA and user management. AAA provides the following types of services: Authentication: determines the user who can access the network.
  • Page 25: Local User Management

    The domain name delimiter can be @, |, or %. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain default.
  • Page 26: Configuring AAA Schemes

    The authorization attribute in the domain takes effect only when the AAA server does not have or provide this authorization. In this manner, you can add services flexibly based on the domain management, regardless of the attributes provided by the AAA server.
  • Page 27: Configuring an Authentication Scheme

    Data Preparation: To configure AAA schemes, you need the following data.
    Data: Name of the authentication scheme and authentication mode; Name of the authorization scheme,...
  • Page 28: Configuring an Authorization Scheme

    When the local authentication mode is used for upgrading user levels, you need to run the super password command in the system view to set the password for upgrading user levels. For details on the super password command, see the Quidway S9300 Terabit Routing Switch Command Reference - Basic Configurations.
  • Page 29
    The system view is displayed.
    Step 2 Run: The AAA view is displayed.
    Step 3 Run: authorization-scheme authorization-scheme-name
    An authorization scheme is created and the authorization scheme view is displayed.
  • Page 30: Configuring an Accounting Scheme

    When the HWTACACS server fails, the command-line-based authorization mode changes to the local authorization mode. Authorization fails because the level of the input command is higher than the level set on the local end.
  • Page 31: (Optional) Configuring a Recording Scheme

    Step 7 (Optional) Run: accounting interim-fail [ max-times times ] { online | offline }
    The policy for remote interim accounting-start failure is set. If the accounting fails after a user goes online, the S9300 processes the user according to the policy for interim accounting failure.
  • Page 32: Checking the Configuration

    Step 6 Run: cmd recording-scheme recording-scheme-name
    The commands that are used on the S9300 are recorded. By default, the commands that are used on the S9300 are not recorded.
  • Page 33: Establishing the Configuration Task

    1.4.6 (Optional) Setting a Shared Key for a RADIUS Server
    1.4.7 (Optional) Setting the User Name Format Supported by a RADIUS Server
    1.4.8 (Optional) Setting the Traffic Unit for a RADIUS Server
    1.4.9 (Optional) Setting Retransmission Parameters on a RADIUS Server...
  • Page 34: Creating a RADIUS Server Template

    1.4.2 Creating a RADIUS Server Template
    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: radius-server template template-name
    A RADIUS server template is created and the RADIUS server template view is displayed.
  • Page 35: Configuring a RADIUS Authorization Server

    The system view is displayed.
    Step 2 Run: radius-server template template-name
    The RADIUS server template view is displayed.
    Step 3 Run: radius-server accounting ip-address port [ source loopback interface-number ]
    The primary RADIUS accounting server is configured.
  • Page 36: (Optional) Setting the User Name Format Supported by a RADIUS Server

    Step 3 Run: radius-server shared-key { cipher | simple } key-string
    The shared key is set for a RADIUS server. By default, the shared key of a RADIUS server is huawei.
    ----End
    1.4.7 (Optional) Setting the User Name Format Supported by a...
  • Page 37: (Optional) Setting the Traffic Unit for a RADIUS Server

    When the RADIUS server does not accept the user name that contains the domain name, you can run the undo radius-server user-name domain-included command to delete the domain name before sending it to the RADIUS server.
  • Page 38: (Optional) Setting the NAS Port Format of a RADIUS Server

    1.4.10 (Optional) Setting the NAS Port Format of a RADIUS Server Context The NAS port format and the NAS port ID format are developed by Huawei, which are used to maintain connectivity and service cooperation among devices of Huawei. The NAS port format and NAS port ID format have new and old forms respectively.
  • Page 39: Checking the Configuration

    The RADIUS server template view is displayed.
    Step 3 Run: radius-server nas-port-format { new | old }
    The format of NAS port used by the RADIUS server is specified.
  • Page 40: Configuring an HWTACACS Server Template

    Secondary-authentication-server 0.0.0.0; LoopBack:NULL
    Secondary-accounting-server 0.0.0.0; LoopBack:NULL
    Retransmission
    Domain-included
    -------------------------------------------------------------------
    Total of radius template :2
    1.5 Configuring an HWTACACS Server Template
    This section describes how to configure an HWTACACS server template on the S9300.
  • Page 41: Creating an HWTACACS Server Template

    Data: Name of the HWTACACS server template; IP addresses of HWTACACS authentication, authorization, and accounting servers; (Optional) Source IP address of the HWTACACS server; (Optional) Shared key of the HWTACACS...
  • Page 42: Configuring the HWTACACS Accounting Server

    The HWTACACS server template view is displayed.
    Step 3 Run: hwtacacs-server authentication ip-address [ port ]
    The IP address of the primary HWTACACS authentication server is configured.
  • Page 43: (Optional) Configuring the Source IP Address of HWTACACS Packets

    system-view
    The system view is displayed.
    Step 2 Run: hwtacacs-server template template-name
    The HWTACACS server template view is displayed.
    Step 3 Run: hwtacacs-server authorization ip-address [ port ]
    The IP address of the primary HWTACACS authorization server is configured.
  • Page 44: (Optional) Setting the User Name Format for an HWTACACS Server

    Context: Setting the shared key ensures the security of communication between the S9300 and an HWTACACS server. To ensure the validity of the authenticator and the authenticated, the shared keys set on the S9300 and the HWTACACS server must be the same.
  • Page 45: (Optional) Setting the Traffic Unit for an HWTACACS Server

    If an HWTACACS server does not accept the user name that contains the domain name, you can use the undo hwtacacs-server user-name domain-included command to delete the domain name before sending it to the HWTACACS server.
  • Page 46: (Optional) Configuring Retransmission of Accounting-Stop Packet

    The time taken to restore an HWTACACS server to the active state is set. By default, the time taken by the primary HWTACACS server to restore to the active state is five minutes.
  • Page 47: Configuring a Service Scheme

    <Quidway> display hwtacacs-server template hhh
    ---------------------------------------------------------------------
    HWTACACS-server template name : hhh
    Primary-authentication-server : 100.1.1.2:26
    Primary-authorization-server : 100.1.1.3:26
    Primary-accounting-server : 0.0.0.0:0
    Secondary-authentication-server : 0.0.0.0:0
    Secondary-authorization-server : 0.0.0.0:0
    Secondary-accounting-server : 0.0.0.0:0...
  • Page 48: Creating a Service Scheme

    Data: Service scheme; Administrator level; User priority; Name of the DHCP server group; Name and position of the address pool; IP address of the primary and secondary DNS servers
    1.6.2 Creating a Service Scheme...
  • Page 49: Configuring a DHCP Server Group

    ----End
    1.6.4 Configuring a DHCP Server Group
    Prerequisite: A DHCP server group is configured. For the procedure for configuring the DHCP server group, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Services.
    Procedure
    Step 1 Run: system-view
    The system view is displayed.
  • Page 50: Configure Primary and Secondary DNS Servers

    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: The AAA view is displayed.
    Step 3 Run: service-scheme service-scheme-name
    The service scheme view is displayed.
  • Page 51: Configuring a Domain

    Procedure
    Step 1 Run the display service-scheme [ name name ] command to view the configuration of a service scheme.
    ----End
    Example: Run the display service-scheme command to view all the information about the service scheme.
  • Page 52: Creating a Domain

    Applicable Environment: To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain.
    NOTE: The modification of a domain takes effect next time a user logs in.
  • Page 53: Configuring Authentication, Authorization, and Accounting Schemes for a Domain

    The S9300 has two default domains: default and default_admin. Domain default is used for common access users, and domain default_admin is used for administrators. The S9300 supports up to 128 domains, including the two default domains.
  • Page 54: Configuring a RADIUS Server Template for a Domain

    1.7.4 Configuring a RADIUS Server Template for a Domain
    Context: If a remote RADIUS authentication scheme is used in a domain, you must apply a RADIUS server template to the domain.
  • Page 55: (Optional) Configuring a Service Scheme for a Domain

    The domain view is displayed.
    Step 4 Run: hwtacacs-server template-name
    An HWTACACS server template is configured for the domain. By default, no HWTACACS server template is configured for a domain.
  • Page 56: (Optional) Configuring the Domain Name Delimiter

    Step 2 Run: The AAA view is displayed.
    Step 3 Run: domain domain-name
    The domain view is displayed.
    Step 4 Run: state { active | block }
    The status of the domain is set.
  • Page 57: Configuring Local User Management

    Procedure: Run the display domain [ name domain-name ] command to check the configuration of the domain.
    ----End
    Example: After the configuration, you can run the display domain command to view the summary of all domains.
  • Page 58: Creating a Local User

    Applicable Environment: You can create a local user on the S9300, configure attributes of the local user, and perform authentication and authorization for users logging in to the S9300 according to information about the local user.
  • Page 59: (Optional) Setting the Access Type of the Local User

    1.8.3 (Optional) Setting the Access Type of the Local User
    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: The AAA view is displayed.
  • Page 60: (Optional) Setting the Status of a Local User

    1.8.5 (Optional) Setting the Status of a Local User
    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: The AAA view is displayed.
  • Page 61: (Optional) Setting the Access Limit for a Local User

    If a user level is not set, the user level is 0. NOTE You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference. ----End 1.8.7 (Optional) Setting the Access Limit for a Local User...
  • Page 62: Maintaining AAA and User Management

    ----------------------------------------------------------------------------
    Total 1 user(s)
    Run the display local-user [ username user-name ] command, and you can view detailed information about a specified user.
    <Quidway> display local-user username lsj...
  • Page 63: Debugging

    1-1, users access the network through S9300-A and are located in the domain huawei. S9300-B acts as the network access server of the destination network. The access request of the user needs to pass the network of S9300-A and S9300-B to reach the authentication server.
  • Page 64: Figure 1-1 Networking Diagram of RADIUS Authentication and Accounting

    The RADIUS server performs authentication and accounting for access users. The RADIUS server 129.7.66.66/24 functions as the primary authentication and accounting server. The RADIUS server 129.7.66.67/24 functions as the secondary authentication and accounting server.
  • Page 65
    # Configure the accounting scheme1, with the accounting mode being RADIUS.
    [Quidway-aaa] accounting-scheme 1
    [Quidway-aaa-accounting-1] accounting-mode radius
    [Quidway-aaa-accounting-1] quit
    Step 3 Configure the domain huawei and apply authentication scheme1, accounting scheme1, and RADIUS template shiva to the domain.
    [Quidway-aaa] domain huawei
    [Quidway-aaa-domain-huawei] authentication-scheme 1...
  • Page 66: Example for Configuring HWTACACS Authentication, Accounting, and Authorization

    Primary-authentication-server 129.7.66.66; 1812; LoopBack:NULL
    Primary-accounting-server 129.7.66.66; 1813; LoopBack:NULL
    Secondary-authentication-server 129.7.66.67; 1812; LoopBack:NULL
    Secondary-accounting-server 129.7.66.67; 1813; LoopBack:NULL
    Retransmission
    Domain-included
    -------------------------------------------------------------------
    ----End
    Configuration Files
    sysname Quidway
    radius-server template shiva
    radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
  • Page 67: Figure 1-2 Networking Diagram of HWTACACS Authentication, Accounting, and Authorization

    The primary HWTACACS server is 129.7.66.66/24, and the IP address of the secondary HWTACACS server is 129.7.66.67/24. The port number of the server for authentication, accounting, and authorization is 49.
  • Page 68
    # Set the interval of interim accounting to 3 minutes.
    [Quidway-aaa-accounting-hwtacacs] accounting realtime 3
    [Quidway-aaa-accounting-hwtacacs] quit
    Step 3 Create a domain Huawei and apply the authentication scheme 1-h, the HWTACACS authentication scheme, the HWTACACS accounting scheme, and the HWTACACS template of ht to the domain.
  • Page 69
    [Quidway-aaa-domain-huawei] quit
    [Quidway-aaa] quit
    Step 4 Verify the configuration. Run the display hwtacacs-server template command on S9300-B, and you can see that the configuration of the HWTACACS server template meets the requirements.
  • Page 70
    accounting-scheme default
    accounting-scheme hwtacacs
    accounting-mode hwtacacs
    accounting realtime 3
    domain default
    domain default_admin
    domain huawei
    authentication-scheme l-h
    accounting-scheme hwtacacs
    authorization-scheme hwtacacs
    hwtacacs-server ht
    return
  • Page 71: NAC Configuration

    About This Chapter: This chapter describes the working principle and configuration of network access control (NAC).
    2.1 Introduction to NAC: This section describes the working principle of NAC.
  • Page 72: Introduction to NAC

    2.1 Introduction to NAC
    This section describes the working principle of NAC. Traditional network security technologies focus on the threat brought by external computers, rather than the threat brought by internal computers. In addition, the current network devices cannot prevent the attacks initiated by the internal devices on the network.
  • Page 73: Authentication

    server. Users can access network resources only after passing the authentication. Users that do not pass the authentication can only access the specified site server. When a user enters its user name and password on the Web page, the Portal protocol is used to authenticate the user.
  • Page 74: NAC Features Supported by the S9300

    sends the MAC address of the user, which is considered to be the user name and password of the user, to the AAA server for authentication.
    2.2 NAC Features Supported by the S9300
    This section describes the NAC features supported by the S9300.
  • Page 75: Configuring the Web Authentication Server

    Configuring the Internet Service Provider (ISP) authentication domain and AAA schemes, that is, RADIUS or local authentication schemes, for the user; Configuring the user name and password on the RADIUS server if RADIUS authentication...
  • Page 76: Configuring the Free Rule for Web Authentication

    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: interface interface-type interface-number
    The interface view is displayed. Currently, the S9300 can perform Web authentication for users only through VLANIF interfaces.
  • Page 77: (Optional) Setting the Port That Listens to the Portal Packets

    Context: When the RADIUS server is adopted to authenticate users, do as follows if the user authentication information returned by the RADIUS server needs to be sent to the Web authentication server.
  • Page 78: Checking the Configuration

    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: web-auth-server version v2 [ v1 ]
    The version of the portal protocol is set. By default, two versions coexist. If version 1 is not selected, only version 2 is in use.
  • Page 79: Establishing the Configuration Task

    2.4.6 (Optional) Configuring the Interface Access Mode
    2.4.7 (Optional) Configuring the Authorization Status of an Interface
    2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
    2.4.9 (Optional) Enabling DHCP Packets to Trigger Authentication
    2.4.10 (Optional) Configuring 802.1x Timers...
  • Page 80: Enabling 802.1x Authentication on an Interface

    The system view is displayed.
    Step 2 Run: dot1x
    802.1x authentication is globally enabled. Running this command is equivalent to enabling 802.1x authentication globally. Related configurations of 802.1x authentication take effect only after 802.1x authentication is enabled.
  • Page 81: (Optional) Enabling MAC Bypass Authentication

    802.1x authentication is enabled on the interface. You can run the undo dot1x command only when no online user exists.
    ----End
    2.4.4 (Optional) Enabling MAC Bypass Authentication
    Context: The 802.1x client software cannot be installed or used on some special terminals, such as printers.
  • Page 82: Setting the Authentication Method for the 802.1x User

    If 802.1x authentication has been enabled, the authentication mode is changed from 802.1x authentication to MAC address bypass authentication on the interface after you run the dot1x mac-bypass enable command.
  • Page 83: (Optional) Configuring The Interface Access Mode

    2.4.6 (Optional) Configuring the Interface Access Mode
    Context
    The 802.1x protocol can work in the following modes:
    Interface mode: If the MAC address of a device connected to an interface passes authentication, all the MAC addresses of other devices connected to the interface can access the network without authentication.
  • Page 84: (Optional) Configuring The Authorization Status Of An Interface

    2.4.7 (Optional) Configuring the Authorization Status of an Interface
    Context
    Do as follows to authorize users and control their access scope after they pass authentication. You can configure the authorization status of an interface in the following ways.
  • Page 85: (Optional) Setting The Maximum Number Of Concurrent Access Users

    2.4.8 (Optional) Setting the Maximum Number of Concurrent Access Users
    Context
    When the number of access users on an interface reaches the maximum value, the S9300 does not trigger authentication for subsequent access users, so these users cannot access the network.
  • Page 86: (Optional) Enabling DHCP Packets To Trigger Authentication

    CAUTION
    If the number of users already online on the interface is greater than the maximum number that you set, all the users are disconnected from the interface.
  • Page 87: (Optional) Configuring The Quiet Timer Function

    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value }
    The timers of 802.1x authentication are set.
  • Page 88: (Optional) Configuring The 802.1X Re-Authentication

    During the quiet period, the S9300 discards the 802.1x authentication request packets from the user. You can run the dot1x timer command to set the quiet period. For details, see .
  • Page 89: (Optional) Enabling The S9300 To Send Handshake Packets To Online Users

    ----End
    2.4.14 (Optional) Enabling the S9300 to Send Handshake Packets to Online Users
    Context
    The S9300 can send handshake packets to a Huawei client to detect whether the user is online.
  • Page 90: (Optional) Setting The Retransmission Count Of The Authentication Request

    If the client does not support the handshake function, the S9300 does not receive handshake response packets within the handshake interval. In this case, disable the user handshake function to prevent the S9300 from disconnecting users by mistake.
  • Page 91: Configuring MAC Address Authentication

    Procedure
    Run the display dot1x [ sessions | statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ] command to view the configuration of 802.1x authentication.
  • Page 92: Establishing The Configuration Task

    2.5.10 (Optional) Re-Authenticating a User with the Specific MAC Address
    2.5.11 Checking the Configuration
    2.5.1 Establishing the Configuration Task
    Applicable Environment
    MAC address authentication can be configured to authenticate terminals on which client software cannot be installed, such as fax machines and printers.
  • Page 93: Enabling MAC Address Authentication On An Interface

    Running this command is equivalent to enabling MAC address authentication globally. Related configurations of MAC address authentication take effect only after MAC address authentication is enabled. By default, MAC address authentication is disabled globally.
  • Page 94: (Optional) Enabling Direct Authentication

    You must ensure that no online user exists before disabling MAC address authentication with the undo mac-authen command.
    ----End
    2.5.4 (Optional) Enabling Direct Authentication
    Context
    After direct authentication is enabled, users who connect to the network through this interface pass the authentication directly.
  • Page 95: Configuring The User Name For MAC Address Authentication

    By default, direct authentication is disabled on an interface.
    ----End
    2.5.5 Configuring the User Name for MAC Address Authentication
    Context
    A user can use a fixed user name or the MAC address as the user name.
  • Page 96: (Optional) Configuring The Domain For MAC Address Authentication

    as 001083000011). By default, a MAC address without hyphens is used as the user name for a user that uses MAC address authentication. After you run the mac-authen username macaddress command, access users are authenticated by using their MAC addresses as both the user names and the passwords.
  • Page 97: (Optional) Setting The Timers Of MAC Address Authentication

    Run: mac-authen domain isp-name
    A domain name is configured for a user who uses MAC address authentication.
    In the interface view:
    Run: system-view
    The system view is displayed.
  • Page 98: (Optional) Configuring The Guest VLAN For MAC Address Authentication

    2.5.8 (Optional) Configuring the Guest VLAN for MAC Address Authentication
    Context
    If MAC address authentication fails after the guest VLAN function is enabled, the S9300 adds the access interface of the user to the guest VLAN. Users in the guest VLAN can then access resources in the guest VLAN without MAC address authentication.
  • Page 99: (Optional) Re-Authenticating A User With The Specific MAC Address

    Context
    When the number of access users on an interface reaches the limit, the S9300 does not trigger authentication for users that connect to the interface later; therefore, these users cannot access the network.
  • Page 100: Checking The Configuration

    Context
    If re-authentication of a user with the specific MAC address is enabled, the online user is re-authenticated periodically. If a user passes the authentication, the user needs to be re-authorized;...
  • Page 101: Clearing The Statistics About 802.1X Authentication

    2.6.1 Clearing the Statistics About 802.1x Authentication
    2.6.2 Clearing Statistics About MAC Address Authentication
    2.6.3 Debugging 802.1x Authentication
    2.6.4 Debugging MAC Address Authentication
    2.6.1 Clearing the Statistics About 802.1x Authentication...
  • Page 102: Debugging MAC Address Authentication

    Context
    CAUTION
    Debugging affects the performance of the system, so after debugging, run the undo debugging all command to disable it immediately.
    When a fault occurs during 802.1x authentication, run the following debugging commands in the user view to locate the fault.
  • Page 103: Figure 2-2 Network Diagram For Configuring Web Authentication

    Networking Requirements
    As shown in Figure 2-2, the requirements are as follows: The user interacts with the Web authentication server through the S9300. The authentication is performed by the RADIUS server.
  • Page 104 NOTE In this example, only the configuration of the S9300 is provided; the configurations of the Web server and RADIUS server are omitted. Procedure Step 1 Set the IP address of the Layer 3 interface connected to the user.
  • Page 105: Example For Configuring 802.1X Authentication

    Run the display web-auth-server configuration command on the S9300 to view the configuration of the Web authentication server.
    <Quidway> display web-auth-server configuration
    Listening port : 2000...
  • Page 106: Figure 2-3 Networking Diagram For Configuring 802.1X Authentication

    MAC address bypass authentication is performed for the printer connected to GE 1/0/0.
    Figure 2-3 Networking diagram for configuring 802.1x authentication (diagram not reproduced)
  • Page 107 # Set the IP address and port number of the primary RADIUS authentication server. [Quidway-radius-rd1] radius-server authentication 192.168.2.30 1812 # Set the key and retransmission count of the RADIUS server.
  • Page 108: Example For Configuring MAC Address Authentication

    Controlled User(s) amount to 1, print number:1
    ----End
    Configuration Files
    sysname Quidway
    dot1x
    radius-server template rd1
    radius-server shared-key cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
    radius-server authentication 192.168.2.30 1812
    radius-server retransmit 2
    authentication-scheme web1...
  • Page 109 Configuration Roadmap The configuration roadmap is as follows: Configure a RADIUS server template. Configure an AAA authentication template. Configure the domain of the users that use MAC address authentication.
  • Page 110 # Enable MAC address authentication globally and on GE 1/0/0. [Quidway] mac-authen [Quidway] interface gigabitethernet1/0/0 [Quidway-GigabitEthernet1/0/0] mac-authen # Set the maximum number of access users on GE 1/0/0.
  • Page 111: DHCP Snooping Configuration

    3 DHCP Snooping Configuration
    About This Chapter
    This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks.
    3.1 Introduction to DHCP Snooping
    This section describes the principle of DHCP snooping.
  • Page 112 3.10 Configuration Examples This section provides several configuration examples of DHCP snooping.
  • Page 113: Introduction To DHCP Snooping

    3.1 Introduction to DHCP Snooping
    This section describes the principle of DHCP snooping.
    DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this way, DHCP snooping creates and maintains a DHCP snooping binding table and filters untrusted DHCP messages according to the table.
  • Page 114: Figure 3-2 Networking Diagram For Applying DHCP Snooping On The S9300 That Functions As The DHCP Relay Agent

    Figure 3-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network (diagram not reproduced)
  • Page 115: Preventing The Bogus DHCP Server Attack

    NOTE
    When the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping is enabled on it. In this manner, the S9300 can defend against the attacks shown in Table 3-1.
  • Page 116: Establishing The Configuration Task

    3.3.4 (Optional) Enabling Detection of Bogus DHCP Servers
    3.3.5 Checking the Configuration
    3.3.1 Establishing the Configuration Task
    Applicable Environment
    When a bogus DHCP server exists on a network, it replies to DHCP clients with incorrect information, such as an incorrect gateway IP address, an incorrect domain name server (DNS) address, and an incorrect IP address.
  • Page 117 system-view The system view is displayed. Step 2 Run: dhcp enable DHCP is enabled globally. Step 3 Run: dhcp snooping enable DHCP snooping is enabled globally. Step 4 Run: interface interface-type interface-number The interface view is displayed.
  • Page 118: Configuring An Interface As A Trusted Interface

    3.3.3 Configuring an Interface as a Trusted Interface
    Context
    Generally, the interface connected to the DHCP server is configured as trusted and other interfaces are configured as untrusted.
  • Page 119: Checking The Configuration

    untrusted interface, the S9300 considers the DHCP server as a bogus server and records it in the log. The network administrator can then maintain the network according to the log.
  • Page 120: Establishing The Configuration Task

    3.4.1 Establishing the Configuration Task
    3.4.2 Enabling DHCP Snooping
    3.4.3 Checking the CHADDR Field in DHCP Request Messages
    3.4.4 Checking the Configuration
    3.4.1 Establishing the Configuration Task...
  • Page 121 Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: dhcp enable DHCP is enabled globally. Step 3 Run: dhcp snooping enable DHCP snooping is enabled globally.
  • Page 122: Checking The CHADDR Field In DHCP Request Messages

    NOTE
    The master physical interfaces of the S9300 do not support DHCP snooping over VPLS.
    ----End
    3.4.3 Checking the CHADDR Field in DHCP Request Messages
    Context
    If the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header, the message is forwarded.
  • Page 123: Preventing The Attacker From Sending Bogus DHCP Messages For Extending IP Address Leases

    Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
    ----End
    3.5 Preventing the Attacker from Sending Bogus DHCP...
  • Page 124: Enabling DHCP Snooping

    Pre-configuration Tasks
    Before preventing the attacker from sending bogus DHCP messages for extending IP address leases, complete the following tasks:
    Configuring the DHCP server
    Configuring the DHCP relay agent...
  • Page 125: Enabling The Checking Of DHCP Request Messages

    Or, run: vlan vlan-id
    The VLAN view is displayed.
    Step 5 Run: dhcp snooping enable
    DHCP snooping is enabled on the interface or in the VLAN. DHCP snooping must be enabled on all the user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces.
  • Page 126: (Optional) Configuring The Option 82 Function

    vlan vlan-id
    The VLAN view is displayed.
    Step 3 Run: dhcp snooping check user-bind enable
    The interface, or the interface in the VLAN, is enabled to check DHCP Request messages.
  • Page 127: Checking The Configuration

    The Option 82 field is appended to DHCP messages.
    Or, run: dhcp option82 rebuild enable
    The Option 82 field is forcibly appended to DHCP messages.
    After the dhcp option82 insert enable command is used, the Option 82 field is appended to DHCP messages if the original DHCP messages do not carry the Option 82 field;...
  • Page 128: Setting The Maximum Number Of DHCP Snooping Users

    Run the display dhcp option82 interface interface-type interface-number command to check the status of the Option 82 field.
    ----End
    3.6 Setting the Maximum Number of DHCP Snooping Users
    This section describes how to set the maximum number of DHCP snooping users.
  • Page 129 Context You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN. By default, DHCP snooping is disabled globally and on an interface or in a VLAN.
  • Page 130: Setting The Maximum Number Of DHCP Snooping Users

    process DHCP messages on the VPLS network. The dhcp snooping over-vpls enable command takes effect only after DHCP snooping is enabled globally and on the interface. DHCP snooping over VPLS is often deployed on the PE of the VPLS network to control DHCP messages sent from the user side to the VPLS network.
  • Page 131: Checking The Configuration

    Context
    When MAC address security of DHCP snooping is enabled, packets from a non-DHCP user are processed as follows: If a static MAC address is not configured, the packets are discarded when they reach the interface on which the dhcp snooping sticky-mac command is run.
  • Page 132: Limiting The Rate Of Sending DHCP Messages

    Prerequisite
    The configurations for setting the maximum number of users are complete.
    Procedure
    Run the display dhcp snooping global command to check information about global DHCP snooping.
  • Page 133: Enabling DHCP Snooping

    Data
    Rate at which DHCP messages are sent to the protocol stack
    3.7.2 Enabling DHCP Snooping
    Context
    You need to enable DHCP snooping globally before enabling DHCP snooping on an interface or in a VLAN.
  • Page 134: Limiting The Rate Of Sending DHCP Messages

    Return to the system view.
    Step 7 (Optional) Run: dhcp snooping over-vpls enable
    DHCP snooping is enabled on the S9300 of the VPLS network. On the VPLS network, after the dhcp snooping over-vpls enable command is run on the S9300, DHCP over VPLS messages are sent to the CPU of the main control board for processing.
  • Page 135: Checking The Configuration

    By default, the alarm threshold of discarded DHCP packets is 100 pps. An alarm is generated when the number of discarded DHCP packets exceeds the threshold.
    ----End
    3.7.4 Checking the Configuration...
  • Page 136: Enabling DHCP Snooping

    Type of Attacks: Attack by sending a large number of DHCP Request messages and ARP packets
    Type of Discarded Packets: Messages exceeding the rate limit
    After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S9300 reaches the alarm threshold.
  • Page 137: Enabling The Checking Of DHCP Messages

    DHCP is enabled globally.
    Step 3 Run: dhcp snooping enable
    DHCP snooping is enabled globally.
    Step 4 Run: interface interface-type interface-number
    The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface.
  • Page 138: Configuring The Packet Discarding Alarm Function

    Procedure
    Step 1 Run: system-view
    The system view is displayed.
    Step 2 Run: interface interface-type interface-number
    The interface view is displayed. The interface is a user-side interface.
  • Page 139: Checking The Configuration

    The system view is displayed.
    Run: dhcp snooping alarm threshold threshold
    The alarm threshold of the number of globally discarded packets is set. By default, the global alarm threshold of the number of discarded DHCP messages is 100 pps.
  • Page 140: Maintaining DHCP Snooping

    Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
    ----End
    3.9 Maintaining DHCP Snooping
    This section describes how to maintain DHCP snooping.
  • Page 141: Configuration Examples

    Procedure
    Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table. If the binding table is backed up, the system automatically backs up the binding table –...
  • Page 142: Figure 3-3 Networking Diagram For Preventing The Bogus DHCP Server Attack

    Figure 3-3 Networking diagram for preventing the bogus DHCP server attack (diagram not reproduced)
    Configuration Roadmap
    The configuration roadmap is as follows: (Assume that the DHCP server has been configured.)
  • Page 143 # Enable DHCP snooping on the user-side interface. Step 2 Configure the interface as trusted or untrusted. # Configure the interface at the DHCP server side as trusted.
  • Page 144: Example For Preventing The DoS Attack By Changing The CHADDR Field

    dhcp snooping enable
    interface GigabitEthernet1/0/0
    dhcp snooping trusted
    interface GigabitEthernet2/0/0
    dhcp snooping enable
    dhcp snooping alarm untrust-reply enable
    dhcp snooping alarm untrust-reply threshold 120
    return
    3.10.2 Example for Preventing the DoS Attack by Changing the...
  • Page 145 Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface. Configure the packet discarding alarm function. Data Preparation To complete the configuration, you need the following data:...
  • Page 146: Example For Preventing The Attacker From Sending Bogus DHCP Messages For Extending IP Address Leases

    dhcp packet drop count total : 25
    <Quidway> display dhcp snooping interface gigabitethernet 2/0/0
    dhcp snooping enable
    dhcp snooping check mac-address
    dhcp snooping alarm mac-address enable
    dhcp snooping alarm mac-address threshold 120...
  • Page 147: Figure 3-5 Networking Diagram For Preventing The Attacker From Sending Bogus DHCP Messages For Extending IP

    Figure 3-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases (diagram not reproduced)
  • Page 148 <Quidway> system-view [Quidway] dhcp enable [Quidway] dhcp snooping enable # Enable DHCP snooping on the user-side interface. [Quidway] interface gigabitethernet 2/0/0 [Quidway-GigabitEthernet2/0/0] dhcp snooping enable [Quidway-GigabitEthernet2/0/0] quit Step 2 Configure the checking of packets.
  • Page 149: Example For Limiting The Rate Of Sending DHCP Messages

    dhcp option82 insert enable
    dhcp snooping check user-bind
    dhcp snooping alarm check user-bind enable
    dhcp snooping alarm user-bind threshold 120
    dhcp packet dropped by user-bind checking = 45
    Run the display user-bind all command to view all the static binding entries of users.
  • Page 150: Figure 3-6 Networking Diagram For Limiting The Rate For Sending DHCP Messages

    Figure 3-6 Networking diagram for limiting the rate for sending DHCP messages (diagram not reproduced)
  • Page 151 Step 2 Limit the rate for sending DHCP messages. # Enable the checking of the rate of sending DHCP Request messages. [Quidway] dhcp snooping check dhcp-rate enable # Set the rate of sending DHCP Request messages.
  • Page 152: Example For Applying DHCP Snooping On A Layer 2 Network

    3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
    Networking Requirements
    As shown in Figure 3-7, DHCP clients are connected to the S9300 through VLAN 10. DHCP client1 uses a dynamically allocated IP address and DHCP client2 uses a statically configured IP address.
  • Page 153 Configure the Option 82 function and create the binding table that contains information about the interface. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.
  • Page 154 [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable [Quidway-GigabitEthernet1/0/0] quit # Enable the checking of the CHADDR field on the interfaces at the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages.
  • Page 155 dhcp snooping check dhcp-rate alarm enable dhcp snooping check dhcp-rate alarm threshold 80 Dhcp snooping enable is configured at these vlan :NULL Dhcp snooping enable is configured at these interface :...
  • Page 156: Example For Enabling DHCP Snooping On The DHCP Relay Agent

    dhcp snooping check dhcp-rate alarm enable
    dhcp snooping check dhcp-rate 90
    dhcp snooping check dhcp-rate alarm threshold 80
    user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/1 vlan 10...
  • Page 157: Figure 3-8 Networking Diagram For Enabling DHCP Snooping On The DHCP Relay Agent

    Figure 3-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent (diagram not reproduced)
    Configuration Roadmap
    The configuration roadmap is as follows: Enable DHCP snooping globally and in the interface view.
  • Page 158 Alarm threshold for checking the rate of sending packets: 80 NOTE This configuration example provides only the commands related to the DHCP snooping configuration. For the configuration of DHCP relay, see Configuring the DHCP Relay Agent in Quidway S9300 Terabit Routing Switch Configuration Guide - IP Service. Procedure Step 1 Enable DHCP snooping.
  • Page 159 [Quidway] dhcp snooping check dhcp-rate enable [Quidway] dhcp snooping check dhcp-rate 90 Step 6 Configure the Option 82 function. # Configure the user-side interface to append the Option 82 field to DHCP messages.
  • Page 160 Run the display dhcp snooping interface command to view information about DHCP snooping on the interface. [Quidway] display dhcp snooping interface gigabitethernet 1/0/0 dhcp snooping enable...
  • Page 161: Example For Configuring Dhcp Snooping On A Vpls Network

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 3 DHCP Snooping Configuration interface GigabitEthernet2/0/0 dhcp snooping trusted arp dhcp-snooping-detect enable return 3.10.7 Example for Configuring DHCP Snooping on a VPLS Network Networking Requirements As shown in Figure 3-9, the DHCP client is connected to the VPLS network through the LAN switch;...
  • Page 162 Quidway S9300 Terabit Routing Switch 3 DHCP Snooping Configuration Configuration Guide - Security Configuration Roadmap The configuration roadmap is as follows: Configure the VPLS, which involves the following: Configure the routing protocol on the backbone network to ensure the connectivity of routers.
  • Page 163 Quidway S9300 Terabit Routing Switch Configuration Guide - Security 3 DHCP Snooping Configuration # Configure PE1. <PE1> system-view [PE1] interface loopback 1 [PE1-LoopBack1] ip address 1.1.1.9 32 [PE1-LoopBack1] quit [PE1] interface gigabitethernet 2/0/0 [PE1-GigabitEthernet2/0/0] port link-type trunk [PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10...
  • Page 164 Quidway S9300 Terabit Routing Switch 3 DHCP Snooping Configuration Configuration Guide - Security Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms --- 100.1.1.2 ping statistics ---...
  • Page 165 Quidway S9300 Terabit Routing Switch Configuration Guide - Security 3 DHCP Snooping Configuration ------------------------------------------------------------------------------ TOTAL: 2 Normal LSP(s) Found. TOTAL: 0 Liberal LSP(s) Found. A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale Enable MPLS L2VPN on PEs.
  • Page 166 Quidway S9300 Terabit Routing Switch 3 DHCP Snooping Configuration Configuration Guide - Security PW MAC Learn Style : unqualify Encapsulation Type : vlan : 1500 Diffserv Mode : uniform Mpls Exp : -- DomainId : 255 Domain Name VSI State...
  • Page 167 Quidway S9300 Terabit Routing Switch Configuration Guide - Security 3 DHCP Snooping Configuration Set the maximum number of DHCP snooping users on interfaces at the DHCP client side. In this manner, malicious IP address application can be prevented and authorized users can successfully apply for IP addresses.
  • Page 168 Quidway S9300 Terabit Routing Switch 3 DHCP Snooping Configuration Configuration Guide - Security Run the display dhcp snooping global command on PE1. You can view that DHCP snooping is enabled globally and in the interface view. You can also view the statistics on the alarms sent to the NMS.
  • Page 169 Quidway S9300 Terabit Routing Switch Configuration Guide - Security 3 DHCP Snooping Configuration vlan batch 10 20 dhcp enable dhcp snooping enable dhcp snooping over-vpls enable dhcp snooping check dhcp-rate enable dhcp snooping check dhcp-rate alarm enable dhcp snooping check dhcp-rate alarm threshold 80 user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface...
  • Page 170 Quidway S9300 Terabit Routing Switch 3 DHCP Snooping Configuration Configuration Guide - Security mpls lsr-id 2.2.2.9 mpls mpls l2vpn vsi v123 static pwsignal ldp vsi-id 2 peer 1.1.1.9 mpls ldp interface Vlanif10 ip address 100.10.1.2 255.255.255.0 mpls mpls ldp interface Vlanif30...
  • Page 171: ARP Security Configuration

    4 ARP Security Configuration About This Chapter This chapter describes the principle and configuration of ARP security features. 4.1 Introduction to ARP Security This section describes the principle of ARP security.
  • Page 172: Introduction To ARP Security

    4.1 Introduction to ARP Security This section describes the principle of ARP security. ARP Attack On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices.
  • Page 173 The S9300 can prevent ARP spoofing by using the following methods: Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address in that entry to be modified through ARP entry learning until the entry ages.
  • Page 174: Limiting ARP Entry Learning

    and the triggered rate exceeds the set threshold, the S9300 considers that an attack is occurring. In this case, the S9300 delivers ACL rules to discard the IP packets sent from this address for a period (the default value is 50 seconds).
  • Page 175: Enabling Strict ARP Entry Learning

    Pre-configuration Tasks Before configuring the limitation on ARP entry learning, complete the following task: Setting the parameters of the link layer protocol and the IP address of the interface and...
  • Page 176 – force-enable: enables strict ARP entry learning on an interface. – force-disable: disables strict ARP entry learning on an interface. – trust: indicates that the configuration of strict ARP entry learning on an interface...
  • Page 177: Configuring Interface-Based ARP Entry Limitation

    4.3.3 Configuring Interface-based ARP Entry Limitation Context If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of authorized users. To prevent such attacks, you can set the maximum number of ARP entries that can be dynamically learned by an interface.
  • Page 178: Configuring ARP Anti-Attack

    Vlanif100 force-disable Vlanif200 force-enable ------------------------------------------------------------ Total:2 force-enable:1 force-disable:1 Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command, and you can view the maximum number of ARP entries that can be learned by an interface or a VLAN.
  • Page 179: Preventing The ARP Address Spoofing Attack

    To prevent attackers from forging the ARP packets of authorized users and modifying the ARP entries on the gateway, you can configure the ARP address anti-spoofing function.
  • Page 180: Preventing The Man-In-The-Middle Attack

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: arp anti-attack gateway-duplicate enable The ARP anti-attack function for preventing ARP packets with the bogus gateway address is enabled.
  • Page 181: Configuring ARP Proxy On A VPLS Network

    The IP source guard function is enabled on the interface. By default, the IP source guard function is not enabled on interfaces or on the interfaces in a VLAN.
  • Page 182: Configuring DHCP To Trigger ARP Learning

    If the ARP packets are ARP request packets and the destination IP address of the packets matches an entry in the DHCP snooping binding table, the S9300 constructs ARP reply packets before sending them to the requester of the PW.
  • Page 183: (Optional) Configuring The S9300 To Discard Gratuitous ARP Packets

    4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets Context If a large number of gratuitous ARP packets are sent to attack the S9300, the S9300 cannot process valid ARP packets.
  • Page 184: Checking The Configuration

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: arp anti-attack log-trap-timer time Log and alarm functions are enabled for potential attacks. time specifies the interval for writing an ARP log and sending an alarm. By default, the value is 0, indicating that log and alarm functions are disabled.
  • Page 185: Suppressing Transmission Rate Of ARP Packets

    <Quidway> display arp anti-attack check user-bind interface GigabitEthernet 1/0/0 arp anti-attack check user-bind enable arp anti-attack check user-bind alarm enable arp anti-attack check user-bind alarm threshold 50 ARP packet drop count = 10 4.5 Suppressing Transmission Rate of ARP Packets...
  • Page 186: Configuring Source-Based ARP Suppression

    Data Maximum transmission rate of the ARP packets sent by a specified source IP address (Optional) Source IP address and maximum transmission rate of the ARP packets sent by...
  • Page 187: Configuring Source-Based ARP Miss Suppression

    4.5.3 Configuring Source-based ARP Miss Suppression Context A user may have special requirements; therefore, you can set the timestamp suppression rate for ARP Miss packets from a specified source IP address to a value different from the rate applied to ARP Miss packets from other source IP addresses.
  • Page 188: Suppressing Transmission Rate Of ARP Packets

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface vlanif interface-number The VLANIF interface view is displayed. Step 3 Run: arp-miss suppress suppress-time The suppression time for the S9300 to send ARP Miss messages is set.
  • Page 189: Checking The Configuration

    Step 5 (Optional) Run: arp anti-attack rate-limit alarm threshold threshold The alarm threshold for the number of ARP packets discarded because the transmission rate was exceeded is set.
  • Page 190: Displaying The Statistics About ARP Packets

    4.6.1 Displaying the Statistics About ARP Packets 4.6.2 Clearing the Statistics on ARP Packets 4.6.3 Clearing the Statistics on Discarded ARP Packets 4.6.4 Debugging ARP Packets 4.6.1 Displaying the Statistics About ARP Packets...
  • Page 191: Debugging ARP Packets

    Context CAUTION Statistics cannot be restored after being cleared, so confirm the action before you run the command. To clear the statistics on discarded ARP packets, run the following commands in the user view.
  • Page 192: Example For Configuring ARP Security Functions

    4.7.1 Example for Configuring ARP Security Functions Networking Requirements As shown in Figure 4-1, the S9300 is connected to a server through GE 1/0/3 and is connected to four users in VLAN 10 and VLAN 20 through GE 1/0/1 and GE 1/0/2.
  • Page 193 Enable the ARP anti-spoofing function. Enable the ARP anti-attack function for preventing ARP packets with the bogus gateway address. Configure the rate suppression function for ARP packets.
  • Page 194 # Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent all users from sending a large number of ARP packets incorrectly, set the suppression rate for ARP packets of the system to 300 pps.
  • Page 195: Example For Configuring ARP Anti-Attack To Prevent Man-In-The-Middle Attacks

    ARP miss speed-limit for source-IP configuration: IP-address suppress-rate(pps)(rate=0 means function disabled) ------------------------------------------------------------------------ 2.2.2.2 1000 Others ------------------------------------------------------------------------ 1 specified IP addresses are configured, spec is 1024 items. You can use the display arp packet statistics command to view the number of discarded ARP packets and the number of learned ARP entries.
  • Page 196: Figure 4-2 Networking Diagram For Preventing Man-In-The-Middle Attacks

    the-middle attacks, you can configure the IP source guard function. After the IP source guard function is configured on the S9300, the S9300 checks the IP packets against the binding table.
  • Page 197 # Enable the IP source guard function on GE 1/0/2 connected to the attacker. [Quidway] interface gigabitethernet 1/0/2 [Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind enable [Quidway-GigabitEthernet1/0/2] arp anti-attack check user-bind check-item ip-...
  • Page 198 arp anti-attack check user-bind enable arp anti-attack check user-bind check-item ip-address mac-address return
  • Page 199: Source IP Attack Defense Configuration

    5 Source IP Attack Defense Configuration About This Chapter This chapter describes the principle and configuration of defense against source IP address attacks. 5.1 Overview of IP Source Guard This section describes the principle of IP Source Guard.
  • Page 200: Overview Of IP Source Guard

    5.1 Overview of IP Source Guard This section describes the principle of IP Source Guard. Source IP address spoofing is a common attack on the network: for example, the attacker impersonates a valid user and sends IP packets to the server, or forges the source IP addresses of users for communication.
  • Page 201: IP Source Guard Features Supported By The S9300

    the attack sources, the attack sources are judged according to traffic statistics that are collected based on the destination IP address (victim), source IP address, and inbound interface of packets.
  • Page 202 IP+VLAN IP+MAC+VLAN NOTE IP addresses here include IPv4 addresses and IPv6 addresses. That is, after the IP Source Guard feature is enabled, the S9300 checks both the source IPv4 addresses and source IPv6 addresses of IP packets from users.
  • Page 203: Configuring IP Source Guard

    Loose check: Regardless of whether the source addresses of packets exist in the FIB table of the S9300, or whether the corresponding outbound interfaces match the inbound interfaces of the packets, packets are forwarded.
  • Page 204: Enabling IP Source Guard

    Context For users who are assigned IP addresses statically, the S9300 cannot automatically learn the MAC addresses of the users or generate binding table entries for these users before forwarding their data.
  • Page 205: Checking The Configuration

    Context After the function of checking IP packets is enabled, the S9300 checks the received IP packets against the binding table. The check items include the source IPv4 address, source IPv6 address, source MAC address, VLAN ID, and interface number.
  • Page 206: Configuring IP Source Trail

    Procedure Step 1 Run the display user-bind { all | { [ ip-address ip-address | ipv6-address ipv6-address ] | mac-address mac-address | vlan vlan-id | interface interface-type interface-number } } command to view information about the binding table.
  • Page 207: Configuring IP Source Trail Based On The Destination IP Address

    Data Destination IP address of the attacked user host 5.4.2 Configuring IP Source Trail Based on the Destination IP Address Procedure Step 1 Run: system-view The system view is displayed.
  • Page 208: Configuring URPF

    5.5 Configuring URPF This section describes how to configure URPF. 5.5.1 Establishing the Configuration Task 5.5.2 Enabling URPF 5.5.3 Setting the URPF Check Mode on an Interface 5.5.4 (Optional) Disabling URPF for the Specified Traffic...
  • Page 209: Setting The URPF Check Mode On An Interface

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: urpf slot slot-number URPF is enabled on an LPU. By default, URPF is disabled on an LPU.
  • Page 210: (Optional) Disabling URPF For The Specified Traffic

    VLAN, the S9300 does not perform the URPF check on the traffic that matches the traffic classifier rules. For the configuration procedures of traffic classifier and traffic policy, see Class-based QoS Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS. ----End 5.5.5 Checking the Configuration...
  • Page 211: Maintaining Source IP Attack Defense

    Prerequisite The configurations of URPF are complete. Procedure Run the display this command in the interface view to check whether URPF is enabled on the current interface.
  • Page 212: Example For Configuring IP Source Guard

    5.7.1 Example for Configuring IP Source Guard Networking Requirements As shown in Figure 5-3, Host A is connected to the S9300 through GE 1/0/1 and Host B is connected to the S9300 through GE 1/0/2.
  • Page 213: Example For Configuring IP Source Trail

    Procedure Step 1 Enable the IP source guard function. # Enable the IP source guard function on GE 1/0/1 connected to Host A. [Quidway] interface gigabitethernet 1/0/1...
  • Page 214: Figure 5-4 Networking Diagram For Configuring IP Source Trail

    Networking Requirements As shown in Figure 5-4, User A is connected to GE 1/0/1 on the S9300. It is required that IP source trail be enabled on the S9300 so that the attack source can be traced after User A suffers DoS attacks.
  • Page 215: Example For Configuring URPF

    ip source-trail ip-address 10.0.0.3 return 5.7.3 Example for Configuring URPF Networking Requirements As shown in Figure 5-5, the S9300 is connected to the router of the ISP through GE 1/0/0 and is connected to the user network through GE 2/0/0.
  • Page 216 [Quidway-GigabitEthernet2/0/0] display this interface GigabitEthernet2/0/0 urpf strict allow-default-route return ----End Configuration Files sysname Quidway urpf slot 2 interface GigabitEthernet2/0/0 urpf strict allow-default-route return
  • Page 217: Local Attack Defense Configuration

    6 Local Attack Defense Configuration About This Chapter This chapter describes the principle and configuration of local attack defense. 6.1 Overview of Local Attack Defense This section describes the principle of local attack defense.
  • Page 218: Overview Of Local Attack Defense

    6.1 Overview of Local Attack Defense This section describes the principle of local attack defense. With the development and wide application of networks, users pose higher requirements for the security of the network and network devices.
  • Page 219: Configuring The Attack Defense Policy

    6.3 Configuring the Attack Defense Policy This section describes how to configure the attack defense policy. 6.3.1 Establishing the Configuration Task 6.3.2 Creating an Attack Defense Policy 6.3.3 Configuring the Whitelist...
  • Page 220: Creating An Attack Defense Policy

    6.3.2 Creating an Attack Defense Policy Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: cpu-defend policy policy-number An attack defense policy is created.
  • Page 221: Configuring User-Defined Flows

    Context You can create a blacklist and add users matching a specific characteristic to the blacklist. The packets sent from the users in the blacklist are discarded by default. The S9300 supports flexible definition of the blacklist through ACLs.
  • Page 222: Configuring The Rule For Sending Packets To The CPU

    The ACL applied to the user-defined flows can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For the configuration procedure, see 11.3 Configuring an ACL.
  • Page 223 Procedure Applying the attack defense policy in the system view Run: system-view The system view is displayed. Run: cpu-defend-policy policy-number [ global ] An attack defense policy is applied.
  • Page 224: Configuring Attack Source Tracing

    Related slot : <4> Configuration : Car user-defined-flow 1 : CIR(64) CBS(10000) Car user-defined-flow 2 : CIR(64) CBS(10000) Car user-defined-flow 3 : CIR(64) CBS(10000) Car user-defined-flow 4 : CIR(64)
  • Page 225: Creating An Attack Defense Policy

    Data Preparation To configure attack source tracing, you need the following data. Data Number and description of the attack defense policy Rate checking threshold in attack source tracing...
  • Page 226: Configuring The Threshold Of Attack Source Tracing

    The attack defense policy view is displayed. Step 3 Run: auto-defend enable The automatic attack source tracing function is enabled. ----End 6.4.4 Configuring the Threshold of Attack Source Tracing...
  • Page 227: Applying The Attack Defense Policy

    cpu-defend policy policy-number The attack defense policy view is displayed. Step 3 Run: auto-defend alarm enable The attack source alarm function is enabled. Step 4 Run: auto-defend alarm threshold threshold-value The threshold of the attack source alarm function is set.
  • Page 228: Checking The Configuration

    slot slot-id The slot view is displayed. Run: cpu-defend-policy policy-number An attack defense policy is applied. The attack defense policy applied in the slot view takes effect only for the LPU in this slot.
  • Page 229: Maintaining The Attack Defense Policy

    6.5 Maintaining the Attack Defense Policy This section describes how to clear statistics about the attack sources and the packets sent to the CPU. 6.5.1 Clearing Statistics About Packets Destined for the CPU 6.5.2 Clearing Statistics About Attack Sources...
  • Page 230: Configuration Examples

    6.6 Configuration Examples This section provides several configuration examples of the attack defense policy. 6.6.1 Example for Configuring the Attack Defense Policy 6.6.1 Example for Configuring the Attack Defense Policy...
  • Page 231 Configure the rule for sending packets to the CPU. Apply the attack defense policy. Data Preparation To complete the configuration, you need the following data: Number of the attack defense policy...
  • Page 232 [Quidway] slot 2 [Quidway-slot-2] cpu-defend-policy 6 [Quidway-slot-2] quit Step 5 Verify the configuration. # View information about the configured attack defense policy. <Quidway> display cpu-defend policy 6 Number : 6 Related slot : <1,2>...
  • Page 233: PPPoE+ Configuration

    7 PPPoE+ Configuration About This Chapter This chapter describes how to configure PPPoE+. 7.1 PPPoE+ Overview This section describes the principle of PPPoE+. 7.2 PPPoE+ Features Supported by the S9300 This section describes the PPPoE+ features supported by the S9300.
  • Page 234: PPPoE+ Overview

    7.1 PPPoE+ Overview This section describes the principle of PPPoE+. Currently, PPPoE provides a good authentication and security mechanism, but still has certain disadvantages, for example, account theft. In common PPPoE dialup mode, when users dial up through PPPoE from different interfaces of devices, they can access the network as long as their accounts are authenticated successfully on the same RADIUS server.
  • Page 235: Enabling PPPoE+ Globally

    Data Preparation To configure PPPoE+, you need the following data. Data Interface number related to PPPoE authentication Format and contents of the fields to be added to PPPoE packets 7.3.2 Enabling PPPoE+ Globally...
  • Page 236: Configuring The Action For Processing Original Fields In PPPoE Packets

    After the pppoe intermediate-agent information format command is run in the system view, all the interfaces add fields in the specified format to the received PPPoE packets. ----End 7.3.4 Configuring the Action for Processing Original Fields in...
  • Page 237: Checking The Configuration

    sent from the PPPoE client to the PPPoE server are forwarded through the trusted interface only. In addition, only the PPPoE packets received from the trusted interface are forwarded to the PPPoE client.
  • Page 238: Figure 7-1 Networking Diagram For Configuring PPPoE+

    Figure 7-1 Networking diagram for configuring PPPoE+ (BRAS acting as PPPoE server reached through GE1/0/0 of the S9300; PPPoE clients on GE2/0/1 and GE2/0/2) Configuration Roadmap The configuration roadmap is as follows: Enable PPPoE+ globally.
  • Page 239 Step 3 Configure the action for processing original fields in PPPoE packets. Configure all the interfaces to replace original fields in PPPoE packets with the circuit ID of the S9300.
  • Page 241: Mff Configuration

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 8 MFF Configuration MFF Configuration About This Chapter This section describes the principle and configuration of the MAC-Forced Forwarding (MFF) function. 8.1 MFF Overview This section describes the principle of the MFF function.
  • Page 242: Mff Overview

    Quidway S9300 Terabit Routing Switch 8 MFF Configuration Configuration Guide - Security 8.1 MFF Overview This section describes the principle of the MFF function. Background In traditional Ethernet solutions, VLANs are usually configured on switches to implement Layer 2 isolation and Layer 3 interconnection between clients. When many users need to be isolated on Layer 2, a large number of VLANs are required.
  • Page 243: Mff Features Supported By The S9300

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 8 MFF Configuration NOTE The network interfaces include: Uplink interfaces connected to the gateway Interfaces connected to other MFF devices when multiple MFF devices are deployed on the network Interfaces between the MFF devices on a ring network The interface role is irrelevant to the position of the interface on a network.
  • Page 244: Configuring Mff

    Quidway S9300 Terabit Routing Switch 8 MFF Configuration Configuration Guide - Security Server Deployment on the Network The IP address of the server can be the IP address of the DHCP server, the IP address of another server, or the virtual IP address of the VRRP group.
  • Page 245: Enabling Global Mff

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 8 MFF Configuration Data VLAN ID of the MFF device Type and number of the network interface to be configured (Optional) IP address of the static gateway to be configured (Optional) IP address of the server to be configured 8.3.2 Enabling Global MFF...
  • Page 246: Enabling Mff In A Vlan

    Quidway S9300 Terabit Routing Switch 8 MFF Configuration Configuration Guide - Security The interface view is displayed. The interface can be an Ethernet interface, a GE interface, or an Eth-Trunk interface. Step 3 Run: mac-forced-forwarding network-port The interface is configured as a network interface.
  • Page 247: Optional) Enabling Timed Gateway Address Detection

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 8 MFF Configuration 8.3.6 (Optional) Enabling Timed Gateway Address Detection Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: vlan vlan-id The VLAN view is displayed. Step 3 Run: mac-forced-forwarding gateway-detect The timed gateway address detection is enabled.
  • Page 248: Configuration Examples

    Quidway S9300 Terabit Routing Switch 8 MFF Configuration Configuration Guide - Security Run the display mac-forced-forwarding vlan vlan-id command to view information about MFF users and gateway on the VLAN. ----End Example Run the display mac-forced-forwarding network-port command, and you can see information about the network-side interface matching the MFF VLAN.
  • Page 249: Figure 8-1 Networking Diagram For Configuring Mff

    Quidway S9300 Terabit Routing Switch Configuration Guide - Security 8 MFF Configuration Figure 8-1 Networking diagram for configuring MFF DHCP server 10.10.10.1/24 GE1/0/0 GE2/0/2 S9300-B GE2/0/1 GE2/0/1 S9300-A GE1/0/1 GE1/0/3 GE1/0/2 Configuration Roadmap The configuration roadmap is as follows: Configure DHCP snooping.
  • Page 250 Quidway S9300 Terabit Routing Switch 8 MFF Configuration Configuration Guide - Security # Enable DHCP snooping on the interfaces of the S9300-A. Take the configuration on GE 1/0/1 as an example. The configurations on GE 1/0/2, GE 1/0/3, and GE 2/0/1 are similar to the configuration on GE 1/0/1 and are not mentioned here.
  • Page 251 # Enable MFF for VLAN 10 on S9300-B. [S9300-B] vlan 10 [S9300-B-vlan10] mac-forced-forwarding enable Step 5 (Optional) Enable timed gateway address detection. # Enable timed gateway address detection on S9300-A.
  • Page 252 Configuration file of S9300-B: sysname S9300-B vlan batch 10 dhcp enable dhcp snooping enable mac-forced-forwarding enable vlan 10 mac-forced-forwarding enable mac-forced-forwarding gateway-detect mac-forced-forwarding server 10.10.10.1 interface gigabitethernet1/0/0 port link-type trunk...
  • Page 253: Interface Security Configuration

    9 Interface Security Configuration. About This Chapter: This chapter describes the principle and configuration of interface security. 9.1 Interface Security Overview: This section describes the principle of the interface security function.
  • Page 254: Interface Security Overview

    9.1 Interface Security Overview: This section describes the principle of the interface security function. The interface security function is a security protection mechanism that controls access to the network.
  • Page 255: Establishing The Configuration Task

    9.3.1 Establishing the Configuration Task. Applicable Environment: The interface security function records the MAC address of the host connected to an interface of the S9300, that is, the network adapter ID of the host. Only the host with the recorded MAC address can communicate through this interface.
  • Page 256: (Optional) Configuring the Protection Action in Interface Security

    By default, the interface security function is disabled on interfaces of the S9300. ----End 9.3.3 (Optional) Configuring the Protection Action in Interface Security. Procedure: Step 1 Run: system-view The system view is displayed.
  • Page 257: Enabling Sticky MAC on an Interface

    The interface can be an Ethernet interface or a GE interface. Step 3 Run: port-security maximum max-number The maximum number of MAC addresses the interface may learn is set.
  • Page 258: Configuration Examples

    Run the display sticky-mac command to view the sticky MAC entries. ----End Example: Run the display sticky-mac command to view the sticky MAC address entries.
  • Page 259 Configuration Roadmap: The configuration roadmap is as follows: Create a VLAN and set the VLAN attribute of the interface to trunk. Enable the interface security function. Configure the protection action.
  • Page 260 Configuration Files: The following lists the configuration file of the S9300. sysname Quidway interface GigabitEthernet1/0/1 port-security enable port-security protect-action protect port-security mac-address sticky port-security maximum 4 return Huawei Proprietary and Confidential Issue 06 (2010–01–08)
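To make the interface-security behaviour in the configuration file above concrete, the following is an added Python model (not Huawei code and not taken from the guide) of a port with port-security enabled, sticky MAC learning and a maximum of 4 addresses. The protect action, as configured on the page, silently drops frames from any further source MAC once the limit is reached; the restrict and shutdown actions are assumed alternatives modelled here for comparison. The MAC addresses pushed through the port are constructed sample data that imitate a MAC-flooding attempt against the switch's address table.

```python
"""Model of S9300 interface security (port-security): sticky MAC learning
up to `maximum`, then a protection action for every additional source MAC.
Added illustration, not Huawei code."""
from dataclasses import dataclass, field
from typing import Dict, List

# The page's example uses "protect"; restrict and shutdown are assumed alternatives.
PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                                   # port-security maximum max-number
    action: str = PROTECT                              # port-security protect-action ...
    sticky: List[str] = field(default_factory=list)    # learned sticky MAC entries
    up: bool = True
    alarms: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if not self.up:
            return False                               # port shut down: nothing passes
        if src_mac in self.sticky:
            return True                                # known sticky address
        if len(self.sticky) < self.maximum:
            self.sticky.append(src_mac)                # sticky entry persists until removed
            return True
        # Table full: a new source MAC is a violation; apply the protection action.
        if self.action == PROTECT:
            return False                               # drop silently
        if self.action == RESTRICT:
            self.alarms.append(f"{self.name}: violation from {src_mac}")
            return False                               # drop and raise an alarm
        if self.action == SHUTDOWN:
            self.up = False
            self.alarms.append(f"{self.name}: shut down after frame from {src_mac}")
            return False
        raise ValueError(f"unknown protect action {self.action!r}")


def run_flood(port: SecurePort, frames: List[str]) -> Dict[str, object]:
    """Feed a sequence of source MACs (a flooding attempt) through the port."""
    forwarded = sum(1 for mac in frames if port.ingress(mac))
    return {"forwarded": forwarded, "dropped": len(frames) - forwarded,
            "sticky": list(port.sticky), "up": port.up, "alarms": len(port.alarms)}


# Constructed sample: four legitimate hosts, then a flooder with 100 forged MACs.
LEGIT = ["00:11:22:33:44:01", "00:11:22:33:44:02",
         "00:11:22:33:44:03", "00:11:22:33:44:04"]
FLOOD = [f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}" for i in range(100)]

if __name__ == "__main__":
    port = SecurePort("GigabitEthernet1/0/1", maximum=4, action=PROTECT)
    print(run_flood(port, LEGIT + FLOOD + LEGIT))
```

With protect, the four sticky hosts keep working after the flood and the 100 forged addresses are dropped; with shutdown, the first forged frame takes the port down and the legitimate hosts lose connectivity too, which is the trade-off to weigh before choosing that action on an access port.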
  • Page 261: Traffic Suppression Configuration

    10 Traffic Suppression Configuration. About This Chapter: This chapter describes the principle and configuration of traffic suppression. 10.1 Introduction to Traffic Suppression: This section describes the principle of traffic suppression.
  • Page 262: Introduction To Traffic Suppression

    10.1 Introduction to Traffic Suppression: This section describes the principle of traffic suppression. Broadcast packets entering the S9300 are forwarded on all interfaces in the VLAN, and multicast packets are forwarded on all interfaces of the multicast group.
  • Page 263: Configuring Traffic Suppression On An Interface

    Data: Type and number of the interface where traffic suppression needs to be configured; type of traffic (broadcast, multicast, or unknown unicast) that needs to be...
  • Page 264: Checking The Configuration

    NOTE: Suppression based on bandwidth percentage is equivalent to suppression based on packet rate. Assume the bandwidth of the interface is bandwidth (kbit/s). The percent-value parameter is equivalent to the packets keyword.
  • Page 265: Figure 10-1 Networking Diagram For Configuring Traffic Suppression

    Networking Requirements: As shown in Figure 10-1, the S9300 is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded on the Layer 2 network, configure traffic suppression on GE 1/0/2.
  • Page 266 ------------------------------------------------------------------------------- unknown-unicast cir: 100(kbit/s), cbs: 18800(byte) multicast percent percent: 80% broadcast cir: 100(kbit/s), cbs: 18800(byte) ------------------------------------------------------------------------------- ----End Configuration Files: sysname Quidway interface gigabitethernet 1/0/2 unicast-suppression cir 100 cbs 18800...
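The cir/cbs pair in the display output above (cir 100 kbit/s, cbs 18800 bytes) describes a token bucket: the committed rate refills the bucket, the burst size caps how much traffic can pass at once, and frames that find the bucket empty are dropped rather than queued. The following added Python model (not Huawei code; the exact accounting of the S9300 hardware is not on the page and is assumed here) shows the effect of those two parameters on a constructed broadcast storm versus constructed normal ARP chatter on the same interface.

```python
"""Token-bucket model of S9300 cir/cbs traffic suppression
(cir in kbit/s, cbs in bytes). Added illustration, not Huawei code;
the hardware's exact accounting is assumed rather than taken from the guide."""
from fractions import Fraction
from typing import List, Tuple


class Suppressor:
    """Frames consume tokens (bytes); tokens refill at cir; cbs caps the burst."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate = Fraction(cir_kbps, 8)   # bytes per millisecond (kbit/s divided by 8)
        self.cbs = Fraction(cbs_bytes)
        self.tokens = self.cbs              # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms: int, size: int) -> bool:
        """Frame of `size` bytes arriving at t_ms (non-decreasing); True if forwarded."""
        self.tokens = min(self.cbs, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # above cir: suppressed (dropped), not queued


def simulate(cir_kbps: int, cbs_bytes: int,
             frames: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Return (forwarded, dropped) for a list of (arrival_ms, size_bytes)."""
    bucket = Suppressor(cir_kbps, cbs_bytes)
    forwarded = sum(1 for t, n in frames if bucket.offer(t, n))
    return forwarded, len(frames) - forwarded


# Constructed traffic: a one-second broadcast storm (1000 frames of 1000 bytes,
# 8 Mbit/s offered) and ordinary ARP chatter (64-byte frames every 10 ms).
STORM = [(ms, 1000) for ms in range(1000)]
CHATTER = [(10 * i, 64) for i in range(100)]

if __name__ == "__main__":
    print("storm  ", simulate(100, 18800, STORM))    # cir 100 kbit/s, cbs 18800 bytes
    print("chatter", simulate(100, 18800, CHATTER))
```

With the page's values the storm gets an initial burst of 18800 bytes through and then only about 100 kbit/s, so roughly 31 of 1000 frames pass, while the 51 kbit/s of ARP chatter is never touched. When tuning cbs, remember that it is also the largest burst an attacker can push through before the limit takes hold.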
  • Page 267: ACL Configuration

    11 ACL Configuration. About This Chapter: This chapter describes how to configure the Access Control List (ACL). 11.1 Introduction to the ACL: This section describes the basic concepts and parameters of an ACL.
  • Page 268: Introduction to the ACL

    ACL is set to permit mode, the packets matching the ACL are processed by the S9300 according to the action defined by the traffic behavior in QoS. For details on traffic behaviors, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
  • Page 269: Configuring an ACL

    When the ACL is imported by the upper-layer software, the packets matching the ACL are processed by the S9300 according to the action deny or permit defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.
  • Page 270: Creating an ACL

    Pre-configuration Tasks: None. Data Preparation: To configure an ACL, you need the following data. Data: Name of the time range during which the ACL takes effect, its start time, and its end time...
  • Page 271: (Optional) Setting the Time Range When an ACL Takes Effect

    To create a Layer 2 ACL, set acl-number to a value in the range 4000 to 4999. ----End 11.3.3 (Optional) Setting the Time Range When an ACL Takes Effect...
  • Page 272: Configuring a Basic ACL

    The description of an ACL is a string of up to 127 characters describing the purpose of the ACL. By default, no description is configured for an ACL.
  • Page 273: Configuring a Layer 2 ACL

    auto: indicates that the ACL rules are matched on the depth-first principle, that is, the rule with the narrower (more specific) address range is tried first regardless of its rule ID. config: indicates that the rules are matched in the order in which they were configured.
  • Page 274: (Optional) Setting the Step of an ACL

    If match-order is not specified, the match order is config. Step 3 Run: rule [ rule-id ] { deny | permit } [ source-mac source-mac-address source-mac-mask ] [ dest-mac dest-mac-address dest-mac-mask | type protocol-type protocol-type-mask ] An ACL rule is created.
  • Page 275: Configuring ACL6

    <Quidway> display acl 3000 Advanced ACL 3000, 1 rule Acl's step is 5 rule 5 deny ip source 10.1.1.1 0 (0 times matched) # Run the display time-range command to view the configuration and status of the current time range.
  • Page 276: Creating an ACL6

    Data: Number of the ACL6 and the rule identifying the packet type, including protocol type, source address and source interface, destination address and destination interface, ICMPv6 type and code, precedence, and ToS. 11.4.2 Creating an ACL6...
  • Page 277: Configuring a Basic ACL6

    Time range 1: 2009-01-01 00:00 to 2009-12-31 23:59. Time range 2: 8:00-18:00 on Monday to Friday. Time range 3: 14:00-18:00 on Saturday and Sunday. The time range test covers 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2009.
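Two details above decide what an ACL actually blocks: the match order (config versus depth-first auto, from 11.3) and whether a rule's time range is currently active (the time range test just described, shown as "(Active)" in display acl output). The following added Python evaluator (not Huawei code) applies VRP-style wildcard masks, where a 1 bit means "don't care" and the exact-match wildcard is printed as a bare 0, to a constructed rule set modelled on the page's advanced ACL examples and to constructed packet timestamps. The absolute window is combined with the periodic windows as the description of the time range test implies (inside 2009 and inside any of the weekday windows). The depth-first ordering is approximated by counting wildcard bits, which is an assumption; the switch's real tie-breaking rules are not on the page.

```python
"""Evaluator for S9300-style advanced ACL rules: wildcard-mask matching,
config versus auto (depth-first) match order, and time-range activation.
Added illustration of the semantics described in the guide; not Huawei code."""
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # no source/destination given: match everything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 1 bit means 'don't care' (0.0.0.255 covers a /24,
    0.0.0.0 means exact match)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def expand(wc: str) -> str:
    """display acl prints the exact-match wildcard as a bare '0'."""
    return "0.0.0.0" if wc == "0" else wc


class TimeRange:
    """Active inside the absolute window AND inside any of the periodic windows,
    which is how the time range 'test' on the page is described."""

    def __init__(self, absolute: Tuple[datetime, datetime],
                 periodic: List[Tuple[Set[int], time, time]]):
        self.absolute, self.periodic = absolute, periodic

    def active(self, now: datetime) -> bool:
        lo, hi = self.absolute
        if not lo <= now <= hi:
            return False
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)


class Rule:
    """Parses 'rule <id> {permit|deny} ip [source A W] [destination A W] [time-range N]'."""

    def __init__(self, text: str):
        tok = text.split()
        self.id, self.action = int(tok[1]), tok[2]
        self.src, self.dst, self.time_range = ANY, ANY, None
        i = 4                                            # skip "rule <id> <action> ip"
        while i < len(tok):
            if tok[i] == "source":
                self.src = (tok[i + 1], expand(tok[i + 2])); i += 3
            elif tok[i] == "destination":
                self.dst = (tok[i + 1], expand(tok[i + 2])); i += 3
            elif tok[i] == "time-range":
                self.time_range = tok[i + 1]; i += 2
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r}")

    def depth(self) -> int:
        """Wildcard 'don't care' bits over source and destination; fewer bits means
        more specific. Assumed approximation of VRP's depth-first ordering."""
        return sum(bin(int(IPv4Address(w))).count("1") for w in (self.src[1], self.dst[1]))


class Acl:
    def __init__(self, number: int, rules: List[str], match_order: str = "config",
                 time_ranges: Optional[Dict[str, TimeRange]] = None):
        self.number, self.time_ranges = number, time_ranges or {}
        self.rules = [Rule(r) for r in rules]                  # config order: as entered
        if match_order == "auto":
            self.rules.sort(key=lambda r: (r.depth(), r.id))   # most specific rule first
        elif match_order != "config":
            raise ValueError(match_order)
        self.matched = {r.id: 0 for r in self.rules}           # the "(n times matched)" counter

    def evaluate(self, src: str, dst: str, now: datetime) -> Optional[str]:
        """First active matching rule decides; None when no rule matches."""
        for r in self.rules:
            if r.time_range and not self.time_ranges[r.time_range].active(now):
                continue            # rule outside its time range is inactive, not a deny
            if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
                self.matched[r.id] += 1
                return r.action
        return None


# Constructed sample data modelled on the page's examples.
TEST_RANGE = TimeRange(
    absolute=(datetime(2009, 1, 1, 0, 0), datetime(2009, 12, 31, 23, 59)),
    periodic=[({0, 1, 2, 3, 4}, time(8, 0), time(18, 0)),      # Mon-Fri 08:00-18:00
              ({5, 6}, time(14, 0), time(18, 0))])             # Sat-Sun 14:00-18:00
RULES = [
    "rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range test",
    "rule 10 permit ip source 10.164.2.7 0 destination 10.164.9.9 0",
]

if __name__ == "__main__":
    wed_10am = datetime(2009, 6, 3, 10, 0)          # a Wednesday inside the time range
    for order in ("config", "auto"):
        acl = Acl(3002, RULES, order, {"test": TEST_RANGE})
        print(order, acl.evaluate("10.164.2.7", "10.164.9.9", wed_10am))
```

The same rule set gives opposite answers for host 10.164.2.7 during business hours: config order hits the /24 deny first, while auto order tries the host-specific permit first. Outside the time range the deny is skipped entirely, so a packet that matches no other rule falls through to the policy's default rather than being denied, which is worth checking with display acl before relying on a time-limited rule.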
  • Page 278: Checking The Configuration

    Step 2 Run: acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] An advanced ACL6 is created. The acl6-number of an advanced ACL6 ranges from 3000 to 3999.
  • Page 279: Configuration Examples

    Example: # Run the display acl ipv6 command to view the ACL number, the number of rules, and the content of the rules. <Quidway> display acl ipv6 2002...
  • Page 280 Configuration Roadmap: The configuration roadmap is as follows: Configure the URPF function. Configure the ACL. Configure the traffic classifier. Configure the traffic behavior. Configure the traffic policy. Apply the traffic policy to an interface.
  • Page 281 # Define the traffic behavior and disable the URPF function in the traffic behavior view. [Quidway] traffic behavior tb1 [Quidway-behavior-tb1] ip urpf disable [Quidway-behavior-tb1] quit Step 4 Configure the traffic policy.
  • Page 282: Figure 11-2 Networking Diagram for Configuring IPv4 ACLs

    traffic behavior tb1 ip urpf disable traffic policy tp1 classifier tc1 behavior tb1 interface GigabitEthernet1/0/1 urpf strict traffic-policy tp1 inbound interface GigabitEthernet2/0/1 urpf strict return 11.5.2 Example for Configuring an Advanced ACL...
  • Page 283 Configure the traffic behavior. Configure the traffic policy. Apply the traffic policy to an interface. Data Preparation: To complete the configuration, you need the following data: VLAN that the interface belongs to...
  • Page 284 10.164.9.9 0.0.0.0 time-range satime [Quidway-acl-adv-3003] quit Step 4 Configure ACL-based traffic classifiers. # Configure the traffic classifier c_market to classify the packets that match ACL 3002. [Quidway] traffic classifier c_market...
  • Page 285 Acl's step is 5 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (0 times matched)(Active) Advanced ACL 3003, 1 rule Acl's step is 5 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range...
  • Page 286: Figure 11-3 Networking Diagram for Configuring Layer 2 ACLs

    deny traffic behavior b_rd deny traffic policy p_market classifier c_market behavior b_market traffic policy p_rd classifier c_rd behavior b_rd interface Vlanif10 ip address 10.164.1.1 255.255.255.0 interface Vlanif20 ip address 10.164.2.1 255.255.255.0 interface Vlanif30 ip address 10.164.3.1 255.255.255.0...
  • Page 287 Configuration Roadmap: The configuration roadmap is as follows: Configure the ACL. Configure the traffic classifier. Configure the traffic behavior. Configure the traffic policy. Apply the traffic policy to an interface.
  • Page 288 [Quidway] interface gigabitethernet 2/0/1 [Quidway-GigabitEthernet2/0/1] traffic-policy tp1 inbound [Quidway-GigabitEthernet2/0/1] quit Step 6 Verify the configuration. # Check the configuration of ACL rules. <Quidway> display acl 4000 Ethernet frame ACL 4000, 1 rule...
  • Page 289: Figure 11-4 Networking Diagram for Configuring ACL6 and Filtering IPv6 Packets

    Networking Requirements: As shown in Figure 11-4, S9300-A and S9300-B are connected through GE interfaces. Configure an ACL6 rule on S9300-A to prevent IPv6 packets with the source address 3001::2 from entering GE 1/0/0 of S9300-A.
  • Page 290 <Quidway> system-view [Quidway] sysname S9300-B [S9300-B] ipv6 [S9300-B] interface loopback 2 [S9300-B-LoopBack2] ipv6 enable [S9300-B-LoopBack2] ipv6 address 3002::2 64 [S9300-B-LoopBack2] quit [S9300-B] interface gigabitethernet 1/0/0 [S9300-B-GigabitEthernet1/0/0] port link-type trunk...
  • Page 291 [S9300-A-classifier-class1] if-match ipv6 acl 3001 [S9300-A-classifier-class1] quit [S9300-A] traffic behavior behav1 [S9300-A-behavior-behav1] deny [S9300-A-behavior-behav1] quit [S9300-A] traffic policy policy1 [S9300-A-trafficpolicy-policy1] classifier class1 behavior behav1 [S9300-A-trafficpolicy-policy1] quit [S9300-A] interface gigabitethernet 1/0/0...
  • Page 292 traffic classifier class1 operator or if-match ipv6 acl 3001 traffic behavior behav1 deny traffic policy policy1 classifier class1 behavior behav1 interface GigabitEthernet1/0/0 port link-type trunk port trunk allow-pass vlan 10...
