Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
...
Quidway S9300 Terabit Routing Switch Configuration Guide - Security

Contents

About This Document ........ 1
1 AAA and User Management Configuration ........ 1-1
1.1 Introduction to AAA and User Management ........ 1-2
1.2 AAA and User Management Features Supported by the S9300 ........ 1-2
1.3 Configuring Local User Management ........ 1-3
1.3.1 Establishing the Configuration Task ........ 1-4
...
1.6.3 Configuring an HWTACACS Authentication Server ........ 1-23
1.6.4 Configuring an HWTACACS Authorization Server ........ 1-23
1.6.5 (Optional) Configuring the Source IP Address of the HWTACACS Server ........ 1-24
1.6.6 (Optional) Setting the Shared Key of an HWTACACS Server ........ 1-24
1.6.7 (Optional) Setting the User Name Format for an HWTACACS Server ........ 1-25
...
2.5.6 Checking the Configuration ........ 2-14
2.6 Limiting the Rate of Sending DHCP Messages ........ 2-16
2.6.1 Establishing the Configuration Task ........ 2-16
2.6.2 Enabling DHCP Snooping ........ 2-16
2.6.3 Limiting the Rate of Sending DHCP Messages ........ 2-17
2.6.4 Checking the Configuration ........ 2-18
2.7 Configuring the Packet Discarding Alarm Function ........ 2-18
...
4.3.3 Configuring Interface-based ARP Entry Limitation ........ 4-6
4.3.4 Checking the Configuration ........ 4-6
4.4 Configuring ARP Anti-Attack ........ 4-7
4.4.1 Establishing the Configuration Task ........ 4-7
4.4.2 Preventing the ARP Address Spoofing Attack ........ 4-8
4.4.3 Preventing the ARP Gateway Duplicate Attack ........ 4-9
4.4.4 Preventing the Man-in-the-Middle Attack ........ 4-9
...
6.4 Maintaining IP Source Trail ........ 6-4
6.4.1 Displaying the Statistics on IP Source Trail ........ 6-4
6.4.2 Clearing the Statistics on IP Source Trail ........ 6-4
6.5 Configuration Examples ........ 6-5
6.5.1 Example for Configuring IP Source Trail ........ 6-5
7 URPF Configuration ........ 7-1
...
Figures

Figure 1-1 Networking diagram for using RADIUS to authenticate users ........ 1-33
Figure 1-2 Networking diagram for using HWTACACS to authenticate and authorize users ........ 1-37
Figure 2-1 Networking diagram for applying DHCP snooping on the S9300 on a Layer 2 network ........ 2-3
Figure 2-2 Networking diagram for applying DHCP snooping on the S9300 that functions as the DHCP relay agent ........ 2-3
...
About This Document

Purpose

This document describes the security features of the S9300, including AAA and user management, DHCP snooping, IP source guard, ARP security, traffic suppression, IP source trail, URPF and ACL, covering function introduction, configuration methods, maintenance and configuration examples.
Chapter                            Description
2 DHCP Snooping Configuration      Describes basic concepts of DHCP snooping, and provides configuration methods and configuration examples.
3 IP Source Guard Configuration    Describes basic concepts of IP source guard, and provides configuration methods and configuration examples.
General Conventions

The general conventions that may be found in this document are defined as follows.

Convention         Description
Times New Roman    Normal paragraphs are in Times New Roman.
Convention    Description
>             Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.
1 AAA and User Management Configuration

This chapter describes the principle and configuration of Authentication, Authorization, and Accounting (AAA), local user management, Remote Authentication Dial In User Service (RADIUS), HUAWEI Terminal Access Controller Access Control System (HWTACACS), and domains.

1.1 Introduction to AAA and User Management
This section describes the knowledge of AAA and user management.
1.1 Introduction to AAA and User Management

This section describes the knowledge of AAA and user management.

AAA provides the following types of services:
Authentication: determines which users are allowed to access the network.
All users of the S9300 belong to a domain. The domain that a user belongs to depends on the character string that follows the "@" in the user name. For example, the user "user@huawei" belongs to the domain "huawei". If there is no "@" in the user name, the user belongs to the domain "default".
1.3.1 Establishing the Configuration Task
1.3.2 Creating a Local User
1.3.3 (Optional) Setting the Access Type of the Local User
1.3.4 (Optional) Configuring the FTP Directory That a Local User Can Access
1.3.5 (Optional) Setting the Status of a Local User
...
Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password
A local user is created.
Context

NOTE
If the access type of a local user is set to FTP, you must configure the FTP directory that the local user can access; ...
If a user level is not set, the user level is 0. NOTE You can run the user-interface command in the system view to enter the user interface view. For details on the user-interface command, see "Basic Configuration Commands" in the Quidway S9300 Terabit Routing Switch Command Reference. ----End 1.3.7 (Optional) Enabling the Idle-cut Function for a Local User...
The idle-cut function is enabled for a local user. By default, the idle-cut function is disabled for a local user.

NOTE
By default, the idle-cut duration set in a domain does not take effect for a local user. After you enable the idle-cut function for a local user, the user can obtain the idle-cut duration.
<Quidway> display local-user
----------------------------------------------------------------------
Username          State     Type    Access-limit    Online
----------------------------------------------------------------------
crystal           Active    F
                  Active    T
----------------------------------------------------------------------
Total 2,2 printed

Run the display local-user [ username user-name ] command to view detailed information about a specified user.
Pre-configuration Tasks
None

Data Preparation
To configure AAA schemes, you need the following data.

Data
Name of the authentication scheme and authentication mode
Name of the authorization scheme, ...
By default, there is an authentication scheme named default on the S9300. This scheme can be modified but cannot be deleted.

Step 4 Run:
authentication-mode { hwtacacs | radius | local }
...
The system view is displayed.

Step 2 Run:
The AAA view is displayed.

Step 3 Run:
authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is displayed.
When the HWTACACS server fails, the command-line-based authorization mode changes to the local authorization mode. Authorization then fails if the level of the entered command is higher than the level set on the local end.
Step 7 Run:
outbound recording-scheme recording-scheme-name
The information about connections is recorded. By default, information about connections is not recorded.

Step 8 Run:
system recording-scheme recording-scheme-name
System events are recorded.
Authentication-method          : Local authentication
Authentication-super method    : Super authentication-super
--------------------------------------------------------------------

You can run the display authorization-scheme [ authorization-scheme-name ] command to view the configuration of the authorization scheme.
1.5.2 Creating a RADIUS Server Template
1.5.3 Configuring a RADIUS Authentication Server
1.5.4 (Optional) Configuring the Protocol Version of the RADIUS Server
1.5.5 (Optional) Setting a Shared Key for a RADIUS Server
1.5.6 (Optional) Setting the User Name Format Supported by a RADIUS Server
...
Data
(Optional) Timeout interval for a RADIUS server to send response packets and number of times for retransmitting request packets on a RADIUS server

1.5.2 Creating a RADIUS Server Template
...
By default, the IP address of the secondary RADIUS authentication server is 0.0.0.0 and the port number is 0.

----End

1.5.4 (Optional) Configuring the Protocol Version of the RADIUS ...
By default, the shared key of a RADIUS server is huawei.

----End

1.5.6 (Optional) Setting the User Name Format Supported by a RADIUS Server

Context

NOTE
A user name is in the user name@domain name format and the characters after @ refer to the domain name.
The traffic unit is set for a RADIUS server. By default, the traffic is expressed in bytes on the S9300.

----End

1.5.8 (Optional) Setting Retransmission Parameters on a RADIUS ...
Example

After completing the configuration of the RADIUS server template, you can run the display radius-server configuration command to check the configuration of all templates.
Applicable Environment

In remote authentication or authorization mode, you need to configure a server template as required. You need to configure an HWTACACS server template if HWTACACS is used in an authentication or authorization scheme.
Step 2 Run:
hwtacacs-server template template-name
An HWTACACS server template is created and the HWTACACS server template view is displayed.

----End

1.6.3 Configuring an HWTACACS Authentication Server
...
By default, the IP address of the primary HWTACACS authorization server is 0.0.0.0 and the port number is 0.

Step 4 (Optional) Run:
hwtacacs-server authorization ip-address [ port ] secondary
The IP address of the secondary HWTACACS authorization server is configured.
The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name
The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server shared-key key-string
The shared key is set for the HWTACACS server.
Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
hwtacacs-server template template-name
The HWTACACS server template view is displayed.

Step 3 Run:
hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }
The traffic unit is set for an HWTACACS server.
Prerequisite
The configurations of the HWTACACS server template are complete.

Procedure
Run the display hwtacacs-server template [ template-name ] command to check the configuration of the HWTACACS server template.
Applicable Environment

To perform authentication and authorization for a user logging in to the S9300, you need to configure a domain.

NOTE
A modification of a domain takes effect the next time a user logs in.
By default, a domain named default exists on the S9300. This domain can be modified but cannot be deleted.

----End

1.7.3 Configuring Authentication and Authorization Schemes for a ...
Step 2 Run:
The AAA view is displayed.

Step 3 Run:
domain domain-name
The domain view is displayed.

Step 4 Run:
radius-server template-name
A RADIUS server template is configured for the domain.
Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
The AAA view is displayed.

Step 3 Run:
domain domain-name
The domain view is displayed.
When a running fault occurs on the RADIUS or HWTACACS server, run the debugging commands in the user view to locate the fault.

Procedure
Run the debugging radius packet command to debug RADIUS packets.
Apply the RADIUS server template and authentication scheme to the domain.

Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that the user belongs to: huawei
- IP address and port number of the primary RADIUS authentication server: 10.1.1.1/24 and 1812
- IP address and port number of the secondary RADIUS authentication server: 10.1.1.2/24 and 1812
...
[Quidway] aaa
[Quidway-aaa] domain huawei
# Configure an authentication scheme for the domain.
[Quidway-aaa-domain-huawei] authentication-scheme scheme1
# Configure a RADIUS server template for the domain.
Data Preparation
To complete the configuration, you need the following data:
- Name of the domain that the user belongs to: huawei
- IP address of the primary HWTACACS server: 10.1.1.1/24, authentication port number 49, and authorization port number 49
- IP address of the secondary HWTACACS server: 10.1.1.2/24, authentication port ...
[Quidway-aaa] authentication-scheme scheme1
# Set an authentication mode for the authentication scheme.
[Quidway-aaa-authen-scheme1] authentication-mode local hwtacacs
[Quidway-aaa-authen-scheme1] quit

Step 2 Configure an authorization scheme.
# Create an authorization scheme named scheme1.
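The following is an added example and not Huawei's code or the S9300's implementation. It models how the AAA pieces of this chapter combine: the domain taken from the user name (the string after "@", or "default"), an authentication scheme whose modes are tried in the configured order (as in "authentication-mode local hwtacacs" above), and command-line authorization that changes to the local mode when the HWTACACS server fails, where a command is authorized only if its level does not exceed the user's local level. Two points are assumptions of the example rather than documented behaviour: a later mode is tried only when the earlier one cannot decide (server unreachable, or user unknown to the local database), not when it rejects the user; and the user names, passwords, levels and server replies are constructed.

```python
"""Added example, not Huawei's code: AAA mode ordering and the local fallback
of command-line authorization, with constructed users and server replies."""
from typing import Callable, Dict, List, Optional, Tuple

# (password, user level) per local user; values constructed for the example
LocalUsers = Dict[str, Tuple[str, int]]
# server reply: True accept, False reject, None = server failure / no response
ServerReply = Optional[bool]


def split_domain(user_name: str) -> Tuple[str, str]:
    """'user@huawei' -> ('user', 'huawei'); a name without '@' is in domain 'default'.
    Assumption: the first '@' separates the user part from the domain part."""
    if "@" in user_name:
        user, domain = user_name.split("@", 1)
        return user, domain
    return user_name, "default"


class AuthenticationScheme:
    def __init__(self, name: str, modes: List[str],
                 servers: Dict[str, Callable[[str, str], ServerReply]],
                 local_users: LocalUsers) -> None:
        self.name = name
        self.modes = modes          # order as given in authentication-mode
        self.servers = servers      # "radius"/"hwtacacs" -> constructed server function
        self.local_users = local_users

    def authenticate(self, user: str, password: str) -> Tuple[bool, str]:
        """Returns (accepted, mode that decided) or (False, 'none') if no mode could decide."""
        for mode in self.modes:
            if mode == "local":
                record = self.local_users.get(user)
                if record is None:
                    continue               # assumption: unknown locally -> next mode
                return record[0] == password, "local"
            reply = self.servers[mode](user, password)
            if reply is None:
                continue                   # server failure -> next mode
            return reply, mode
        return False, "none"


def authorize_command(user: str, command_level: int,
                      hwtacacs: Callable[[str, int], ServerReply],
                      local_users: LocalUsers) -> Tuple[bool, str]:
    """Command-line authorization: HWTACACS decides when reachable; on server
    failure the mode changes to local, where the command is allowed only if its
    level does not exceed the user's local level (the failure case in the text)."""
    reply = hwtacacs(user, command_level)
    if reply is not None:
        return reply, "hwtacacs"
    record = local_users.get(user)
    if record is None:
        return False, "local"
    return command_level <= record[1], "local"


def build_sample(server_up: bool):
    """Constructed scenario: local user 'crystal' at level 1, an HWTACACS server
    that grants her commands up to level 3, and a flag to simulate server failure."""
    local_users: LocalUsers = {"crystal": ("constructed-password", 1)}

    def hwtacacs_auth(user: str, password: str) -> ServerReply:
        if not server_up:
            return None
        return user == "crystal" and password == "constructed-password"

    def hwtacacs_authz(user: str, level: int) -> ServerReply:
        if not server_up:
            return None
        return user == "crystal" and level <= 3

    scheme = AuthenticationScheme("scheme1", ["local", "hwtacacs"],
                                  {"hwtacacs": hwtacacs_auth}, local_users)
    return scheme, hwtacacs_authz, local_users


if __name__ == "__main__":
    scheme, authz, users = build_sample(server_up=False)
    print(split_domain("user@huawei"))
    print(scheme.authenticate("crystal", "constructed-password"))
    # level-3 command: granted by HWTACACS when up, refused locally (level 1) when down
    print(authorize_command("crystal", 3, authz, users))
```

Running the block with server_up=False shows the effect the text warns about: a command that the HWTACACS server would have authorized is refused once authorization falls back to the local user level.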
2 DHCP Snooping Configuration

About This Chapter

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on the S9300 to defend against DHCP attacks.

2.1 Introduction to DHCP Snooping
This section describes the principle of DHCP snooping.
2.1 Introduction to DHCP Snooping

This section describes the principle of DHCP snooping.

DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP server. In this manner, DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table.
NOTE
DHCP snooping is enabled when the S9300 is deployed on a Layer 2 network or functions as the DHCP relay agent. The S9300 can then defend against the attacks shown in Table 2-1.
To prevent a bogus DHCP server attack, you can configure DHCP snooping on the S9300, configure the network-side interface to be trusted and the user-side interface to be untrusted, and discard DHCP Reply messages received from untrusted interfaces.
DHCP snooping is enabled on the interface. DHCP snooping must be enabled on all the network-side interfaces and user-side interfaces of the S9300. Otherwise, configurations related to DHCP snooping do not take effect on the interfaces.
Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
dhcp server detect
Detection of bogus DHCP servers is enabled. By default, detection of bogus DHCP servers is disabled on the S9300.
[Quidway] display this
sysname Quidway
dhcp snooping enable
dhcp server detect

2.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by modifying the CHADDR field.
2.4.2 Enabling DHCP Snooping

Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on an interface.
The interface is the user-side interface.

Step 3 Run:
dhcp snooping check mac-address enable
The interface is configured to check the CHADDR field in DHCP Request messages.
2.5.4 Enabling the Checking of DHCP Request Messages
2.5.5 (Optional) Configuring the Option 82 Function
2.5.6 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages intending to extend the IP address lease.
2.5.2 Enabling DHCP Snooping

Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on an interface.
ip-address and vlan are mandatory. mac-address and interface are optional; you do not need to set these two parameters if they are not required.

----End

2.5.4 Enabling the Checking of DHCP Request Messages
...
Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The interface view is displayed. The interface is the user-side interface.
Procedure
Run the display dhcp snooping global command to check information about global DHCP snooping.
Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
<Quidway> display dhcp option82 interface gigabitethernet 1/0/0
dhcp option82 insert enable

2.6 Limiting the Rate of Sending DHCP Messages
This section describes how to prevent attackers from sending a large number of DHCP Request messages to attack the S9300.
Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on an interface.

Procedure
...
Applicable Environment
With DHCP snooping configured, the S9300 discards packets sent from an attacker. The table shows the relationship between the type of attack and the type of discarded packets.
Context
You need to enable DHCP snooping globally before enabling DHCP snooping on an interface. By default, DHCP snooping is disabled globally and on an interface.

Procedure
...
... the message. If the MAC address is different from the value of the CHADDR field, the DHCP Request message is discarded. After you run the user-bind command, the S9300 checks whether the DHCP Request or Release message matches the binding table; ...
- mac-address: If the MAC address in the packet header is different from the MAC address of the DHCP message, the message is discarded.
- user-bind: If the DHCP message does not match the binding table, the message ...
Procedure
Run the dhcp snooping user-bind autosave file-name command to back up the DHCP snooping binding table.
- If the binding table is backed up, the system automatically backs up the binding table ...
Networking Requirements
As shown in Figure 2-3, the S9300 is deployed between the user network and the Layer 2 network of the ISP. To prevent the bogus DHCP server attack, it is required that DHCP snooping be configured on the S9300, the user-side interface be configured as untrusted, the network-side interface be configured as trusted, and the packet discarding alarm function be configured.
Procedure

Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface. You can perform other DHCP snooping configurations only after DHCP snooping is enabled on the interfaces at the DHCP server side and user side.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and on the interface.
2. Enable the checking of the CHADDR field of DHCP Request messages on the user-side interface.
Figure 2-5 Networking diagram for preventing the attacker from sending bogus DHCP messages for extending IP address leases
[Figure: ISP network, L3 network, DHCP relay, L2 network, GE1/0/0 ...]
<Quidway> system-view
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface. You can perform other DHCP snooping configurations only after DHCP snooping is enabled on the interfaces at the DHCP server side and user side.
ifname     p/cvlan     tp   lease          mac-address       ip-address         vpn-instance
-------------------------------------------------------------------------------
GE2/0/0    0001/0000   S                   0000-005e-008a    010.001.001.003
GE2/0/0    0333/0000   D    090320-1109    0016-21f1-56b6    070.070.116.062
-------------------------------------------------------------------------------
total count : 2

Run the display dhcp option82 interface command, and you can find that the function of inserting the Option 82 field into packets is enabled on the interface.
... IP address. It is required that DHCP snooping be configured on user-side interfaces GE 1/0/0 and GE 1/0/1 of the S9300 to prevent the following types of attacks:
...
- VLAN that the interface belongs to: 10
- GE 1/0/0 and GE 1/0/1 configured as untrusted and GE 2/0/0 configured as trusted
- Static IP address from which packets are forwarded: 10.1.1.1/24 and corresponding ...
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit

Step 4 Configure the DHCP snooping binding table.
# If you use a static IP address, configuring DHCP snooping static entries is required.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
[Quidway-GigabitEthernet2/0/0] dhcp snooping enable
[Quidway-GigabitEthernet2/0/0] quit

Step 2 Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as trusted and enable DHCP snooping on the interfaces connecting to the DHCP clients.
# Enable the alarm function for checking the rate of sending packets and set the alarm threshold.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80

Step 8 Associate ARP with DHCP snooping.
3 IP Source Guard Configuration

About This Chapter

This chapter describes the principle and configuration of IP source guard.

3.1 Introduction to IP Source Guard
This section describes the principle of IP source guard.
3.1 Introduction to IP Source Guard

This section describes the principle of IP source guard.

IP source guard is a measure to filter the IP packets on interfaces, so that invalid packets cannot pass through the interfaces and the security of the interfaces is improved.
After the DHCP snooping function is enabled for DHCP users, the binding table is dynamically generated for the DHCP users. When users are configured with IP addresses statically, you need to configure the binding table by running commands.
Context
For an IP address statically assigned to a user, the S9300 cannot automatically learn the MAC address of the user or generate the binding table. You need to create the binding table manually.
Context
After the function of checking IP packets is enabled, the S9300 checks the received IP packets against the binding table. The check items include the source IP address, source MAC address, VLAN ID, and interface number.
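The following is an added example and not Huawei's code or the S9300's implementation. It models the binding table and the two checks this guide describes: the CHADDR check and user-bind check applied to DHCP Request messages on an untrusted interface (chapter 2, with the discard types "mac-address" and "user-bind" and a discard counter with an alarm threshold), and the IP source guard check of IP packets against the binding table on the source IP address, source MAC address, VLAN ID and interface (this section). Assumptions of the example: a static entry whose optional mac-address or interface was not set is not compared on that item; a DHCP Request without a client IP address (initial request) skips the user-bind check; the entry fields, check-item names and all sample addresses are constructed.

```python
"""Added example, not Huawei's code: DHCP snooping binding table with the
CHADDR / user-bind checks on DHCP Requests and the IP source guard check."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: Optional[str]        # optional in a static user-bind entry
    interface: Optional[str]  # optional in a static user-bind entry
    kind: str                 # "S" static, "D" learned by DHCP snooping


class BindingTable:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add_static(self, ip: str, vlan: int, mac: Optional[str] = None,
                   interface: Optional[str] = None) -> None:
        """user-bind static: ip-address and vlan are mandatory, the rest optional."""
        self.entries.append(Binding(ip, vlan, mac, interface, "S"))

    def learn(self, ip: str, vlan: int, mac: str, interface: str) -> None:
        """Dynamic entry created from a snooped DHCP exchange."""
        self.entries.append(Binding(ip, vlan, mac, interface, "D"))

    def matches(self, ip: str, mac: str, vlan: int, interface: str,
                check_items: Iterable[str] = ALL_ITEMS) -> bool:
        """True if some entry agrees with the packet on every enabled check item.
        Assumption: an item left unset in a static entry is not compared."""
        items = set(check_items)
        for e in self.entries:
            if "ip-address" in items and e.ip != ip:
                continue
            if "vlan" in items and e.vlan != vlan:
                continue
            if "mac-address" in items and e.mac is not None and e.mac != mac:
                continue
            if "interface" in items and e.interface is not None and e.interface != interface:
                continue
            return True
        return False


class DiscardCounter:
    """Counts discarded packets per discard type; record() returns True once a
    type's count reaches the alarm threshold (packet discarding alarm function)."""
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.counts: Dict[str, int] = {}

    def record(self, reason: str) -> bool:
        self.counts[reason] = self.counts.get(reason, 0) + 1
        return self.counts[reason] >= self.threshold


def filter_dhcp_request(table: BindingTable, src_mac: str, chaddr: str,
                        client_ip: Optional[str], vlan: int, interface: str,
                        counter: Optional[DiscardCounter] = None) -> Tuple[bool, str]:
    """Checks on an untrusted (user-side) interface:
    1. CHADDR check: the frame's source MAC must equal the CHADDR field.
    2. user-bind check: a Request carrying a client IP (lease renewal) must
       match the binding table. client_ip is None for an initial Request."""
    reason = "forward"
    if src_mac.lower() != chaddr.lower():
        reason = "mac-address"
    elif client_ip is not None and not table.matches(client_ip, src_mac, vlan, interface):
        reason = "user-bind"
    if reason != "forward":
        if counter is not None:
            counter.record(reason)
        return False, reason
    return True, reason


def filter_ip_packet(table: BindingTable, src_ip: str, src_mac: str, vlan: int,
                     interface: str, check_items: Iterable[str] = ALL_ITEMS) -> Tuple[bool, str]:
    """IP source guard: forward only packets matching a binding on the enabled items."""
    if table.matches(src_ip, src_mac, vlan, interface, check_items):
        return True, "forward"
    return False, "ip-source-guard"


def build_sample_table() -> BindingTable:
    """Constructed sample: Host A bound statically, one DHCP client learned dynamically."""
    t = BindingTable()
    t.add_static("10.0.0.1", 10, "0001-0001-0001", "GigabitEthernet1/0/0")
    t.learn("10.0.0.2", 10, "0002-0002-0002", "GigabitEthernet1/0/1")
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print(filter_ip_packet(t, "10.0.0.1", "0001-0001-0001", 10, "GigabitEthernet1/0/0"))
    print(filter_ip_packet(t, "10.0.0.1", "0002-0002-0002", 10, "GigabitEthernet1/0/0"))
    print(filter_dhcp_request(t, "0001-0001-0001", "bbbb-bbbb-bbbb", None, 10, "GigabitEthernet1/0/0"))
```

The check_items parameter of filter_ip_packet shows why the choice of check items matters: with only ip-address and vlan enabled, a packet whose source MAC differs from the bound one still passes, so a host on the same VLAN can borrow a bound address; enabling mac-address and interface closes that gap.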
Example
After the configuration, run the display user-bind user-type static command to view the static binding table.
<Quidway> display user-bind user-type static
...
Configuration Roadmap
Assume that the user is configured with an IP address statically. The configuration roadmap is as follows:
1. Enable the IP source guard function on the interfaces connected to Host A and Host B.
The preceding information indicates that Host A exists in the static binding table, whereas Host B does not.

----End

Configuration Files
sysname Quidway
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface ...
4 ARP Security Configuration

About This Chapter

This chapter describes the principle and configuration of ARP security features.

4.1 Introduction to ARP Security
This section describes the principle of ARP security.
4.1 Introduction to ARP Security

This section describes the principle of ARP security.

ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices.
The S9300 can prevent ARP spoofing by using the following methods:
- Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address of that entry to be modified through ARP entry learning until the entry ages.
Quidway S9300 Terabit Routing Switch 4 ARP Security Configuration Configuration Guide - Security and the triggered rate exceeds the set threshold, the S9300 considers that an attack occurs. In this case, the S9300 delivers ACL rules to discard the IP packets sent from this address in a period (the default value is 50 seconds).
Quidway S9300 Terabit Routing Switch Configuration Guide - Security 4 ARP Security Configuration Data Preparation To configure the limitation on ARP entry learning, you need the following data. Data Type and number of the interface where you need to configure the limitation on ARP entry learning 4.3.2 Enabling Strict ARP Entry Learning...
Quidway S9300 Terabit Routing Switch 4 ARP Security Configuration Configuration Guide - Security By default, the configuration of strict ARP entry learning on an interface is the same as that configured globally. ----End 4.3.3 Configuring Interface-based ARP Entry Limitation Context If attackers occupy a large number of ARP entries, the S9300 cannot learn the ARP entries of authorized users.
Quidway S9300 Terabit Routing Switch Configuration Guide - Security 4 ARP Security Configuration Example Run the display arp learning strict command, and you can view the configuration of strict ARP entry learning. <Quidway> display arp learning strict The global configuration:arp learning strict...
Quidway S9300 Terabit Routing Switch 4 ARP Security Configuration Configuration Guide - Security Applicable Environment On an Ethernet Metropolitan Area Network (MAN), ARP entries are easily attacked; therefore, it is required to configure the ARP anti-attack function on the access layer or convergence layer to ensure network security.
By default, the IP source guard function is disabled on interfaces. Step 4 Run: arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } The items against which ARP packets are checked are configured.
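The binding-table check described for IP source guard (all four items compared) and for arp anti-attack check user-bind (only the configured check-items compared), as an added Python illustration that is not S9300 code. The Host A entry (10.0.0.1, 0001-0001-0001) is the one shown in the configuration file on this page; its VLAN and interface, the rule that the receiving interface is always compared for ARP packets, and every packet below are constructed assumptions.

```python
"""Binding-table check behind IP source guard and ARP anti-attack check user-bind.

Added illustration (not S9300 code). Host A's IP and MAC come from the page;
VLAN, interface and all packets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple

# Check items named on the page for IP packets: source IP, source MAC, VLAN ID, interface.
ALL_ITEMS = ("ip-address", "mac-address", "vlan", "interface")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    kind: str        # "ip" or "arp"
    src_ip: str
    src_mac: str
    vlan: int
    interface: str   # interface the packet arrived on


# Constructed static binding table: Host A is bound, Host B (10.0.0.2) is not.
BINDING_TABLE = (
    Binding(ip="10.0.0.1", mac="0001-0001-0001", vlan=10, interface="GE1/0/1"),
)


def _matches(pkt: Packet, b: Binding, items: Sequence[str]) -> bool:
    """True when every selected item of the packet equals the binding entry."""
    fields = {
        "ip-address": (pkt.src_ip, b.ip),
        "mac-address": (pkt.src_mac.lower(), b.mac.lower()),
        "vlan": (pkt.vlan, b.vlan),
        "interface": (pkt.interface, b.interface),
    }
    return all(fields[item][0] == fields[item][1] for item in items)


def permitted(pkt: Packet, table=BINDING_TABLE,
              arp_check_items=("ip-address", "mac-address", "vlan")) -> bool:
    """Decide whether a packet passes the binding-table check.

    IP packets (IP source guard): all four items must match one entry.
    ARP packets (arp anti-attack check user-bind): only the configured
    check-items are compared; comparing the receiving interface as well is
    an assumption about how the candidate entry is selected.
    """
    if pkt.kind == "ip":
        items = ALL_ITEMS
    else:
        items = ("interface",) + tuple(arp_check_items)
    return any(_matches(pkt, b, items) for b in table)


def filter_batch(pkts: Iterable[Packet], **kw) -> Tuple[int, int]:
    """Return (forwarded, discarded) counts for a batch of packets."""
    ok = bad = 0
    for p in pkts:
        if permitted(p, **kw):
            ok += 1
        else:
            bad += 1
    return ok, bad
```

A packet carrying Host A's IP address but another MAC address, or any packet from the unbound Host B, is discarded; an ARP packet from Host A in the wrong VLAN passes only while vlan is left out of the check-items, which is why the check-item choice matters.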
The system view is displayed. Run: arp anti-attack gratuitous-arp drop The S9300 is enabled to discard gratuitous ARP packets. By default, the S9300 does not discard gratuitous ARP packets.
By default, the S9300 does not learn ARP entries when receiving DHCP ACK messages; ARP learning is triggered only when traffic passes. NOTE To use the arp learning dhcp-trigger command, ensure that the DHCP relay function is enabled on the VLANIF interface.
ARP gateway-duplicate anti-attack function: enabled ARP anti-attack log-trap-timer: 30seconds (The log and trap timer of speed-limit, default is 0 and means disabled.) Run the display arp anti-attack gateway-duplicate item command to view information about bogus gateway address attacks on the network.
packets are sent to the security module, the security module is affected. In this case, you can suppress the transmission rate of ARP packets; packets that exceed the transmission rate are discarded.
The suppression rate of ARP packets is set. Step 3 (Optional) Run: arp speed-limit source-ip ip-address maximum maximum The suppression rate of ARP packets with the specified source IP address is set.
Context When a VLANIF interface receives IP unicast packets whose destination cannot be resolved, the packets are sent to the CPU of the main control board because no corresponding ARP entries are found in the forwarding table.
By default, ARP suppression is disabled globally. Step 3 Run: arp anti-attack rate-limit limit The threshold for the transmission rate of ARP packets is set. After the threshold is set, excess packets are discarded. By default, the threshold for the transmission rate of ARP packets is 100 pps.
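The rate-limiting behaviour described in the steps above, as an added Python illustration rather than S9300 code: a global ARP threshold (100 pps by default), per-source-IP suppression with arp speed-limit source-ip, and the temporary ACL rule that discards a source's packets for a period (50 seconds by default) once it has exceeded its threshold. Treating a per-source overrun as the trigger for that block is a modelling assumption; the one-second sliding window, the addresses and the timestamps are constructed.

```python
"""ARP packet rate limiting with a global threshold and per-source-IP limits.

Added illustration (not S9300 code). Defaults of 100 pps and 50 seconds are
the page's; the trigger for the block and all traffic below are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class ArpRateLimiter:
    def __init__(self, global_pps: int = 100,
                 per_source_pps: Optional[Dict[str, int]] = None,
                 block_seconds: float = 50.0):
        self.global_pps = global_pps
        self.per_source_pps = per_source_pps or {}            # src ip -> pps limit
        self.block_seconds = block_seconds                    # 0 disables the block
        self._global: Deque[float] = deque()                  # arrival times in the last second
        self._per_src: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}             # src ip -> when the discard rule expires
        self.dropped = 0

    @staticmethod
    def _trim(window: Deque[float], now: float) -> None:
        """Drop timestamps older than one second so len(window) is the current pps."""
        while window and now - window[0] >= 1.0:
            window.popleft()

    def accept(self, now: float, src_ip: str) -> bool:
        """Return True if the ARP packet is passed on, False if it is discarded."""
        if self.blocked_until.get(src_ip, 0.0) > now:
            self.dropped += 1
            return False
        self._trim(self._global, now)
        src_window = self._per_src[src_ip]
        self._trim(src_window, now)
        limit = self.per_source_pps.get(src_ip)
        if limit is not None and len(src_window) >= limit:
            # Source exceeded its own threshold: install a temporary discard rule (assumption).
            if self.block_seconds > 0:
                self.blocked_until[src_ip] = now + self.block_seconds
            self.dropped += 1
            return False
        if len(self._global) >= self.global_pps:
            self.dropped += 1
            return False
        self._global.append(now)
        src_window.append(now)
        return True


def simulate() -> Dict[str, int]:
    """Replay a constructed burst: 10.0.0.9 floods (limited to 10 pps), 10.0.0.1 sends 95 packets."""
    rl = ArpRateLimiter(global_pps=100, per_source_pps={"10.0.0.9": 10})
    flood_ok = sum(rl.accept(0.0 + i * 0.001, "10.0.0.9") for i in range(120))
    normal_ok = sum(rl.accept(0.5 + i * 0.001, "10.0.0.1") for i in range(95))
    return {
        "flood_accepted": flood_ok,            # 10: the per-source limit
        "normal_accepted": normal_ok,          # 90: the global window already holds 10
        "still_blocked_at_30s": int(not rl.accept(30.0, "10.0.0.9")),
        "unblocked_at_60s": int(rl.accept(60.0, "10.0.0.9")),
        "dropped_total": rl.dropped,
    }
```

The replay shows the side effect worth watching for: the flooding source consumes part of the global budget before it is blocked, so a legitimate source sending 95 pps loses a few packets in the same second. Per-source limits protect the shared threshold; the global limit alone does not distinguish attacker from victim.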
Run the following command in the user view to clear the statistics. Procedure Run the reset arp packet statistics [ slot slot-id ] command to clear the statistics on ARP packets.
Run the debugging arp process [ slot slot-id | interface interface-type interface-number ] command to debug the processing of ARP packets. ----End 4.7 Configuration Examples This section provides several configuration examples of ARP security.
Configuration Roadmap The configuration roadmap is as follows: Enable strict ARP learning. Enable interface-based ARP entry restriction. Enable the ARP anti-spoofing function. Enable the ARP anti-attack function for preventing ARP packets with a bogus gateway address.
# Enable the ARP anti-attack function for preventing ARP packets with a bogus gateway address, so that User 1 cannot send ARP packets carrying a bogus gateway address.
ARP speed-limit for source-IP configuration: IP-address suppress-rate(pps)(rate=0 means function disabled) ------------------------------------------------------------------------ 2.2.4.2 Others ------------------------------------------------------------------------ 1 specified IP addresses are configured, spec is 1024 items. ARP miss speed-limit for source-IP configuration:...
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks Networking Requirements As shown in Figure 4-2, two users are connected to the S9300 through GE 1/0/1 and GE 1/0/2 respectively.
Procedure Step 1 Configure the IP source guard function. # Enable the IP source guard function on GE 1/0/1, which is connected to the client. [Quidway] interface gigabitethernet 1/0/1...
5 Traffic Suppression Configuration About This Chapter This chapter describes the principle and configuration of traffic suppression. 5.1 Introduction to Traffic Suppression This section describes the principle of traffic suppression.
5.1 Introduction to Traffic Suppression This section describes the principle of traffic suppression. Broadcast packets entering the S9300 are forwarded on all interfaces in the VLAN, and multicast packets are likewise forwarded on all interfaces of the multicast group.
Data Type and number of the interface on which traffic suppression needs to be configured Type of traffic (broadcast, multicast, or unknown unicast traffic) that needs to be...
NOTE Suppression based on a bandwidth percentage is equivalent to suppression based on a packet rate. Assume that the bandwidth of an interface is bandwidth (kbit/s). The percent-value parameter corresponds to the packets keyword.
Networking Requirements As shown in Figure 5-1, the S9300 is connected to a Layer 2 network and a Layer 3 router. To limit the number of broadcast, multicast, or unknown unicast packets forwarded to the Layer 2 network, you can configure traffic suppression on GE 1/0/2.
6 IP Source Trail Configuration About This Chapter This chapter describes the principle of IP source trail and provides configuration methods and examples.
6.1 Introduction to IP Source Trail This section describes the principle of IP source trail. IP source trail is a mechanism for defending against Denial of Service (DoS) attacks. It is mainly used to trace the source of an attack so that defense measures can be taken once the source is confirmed.
6.3 Configuring IP Source Trail This section describes how to configure IP source trail. 6.3.1 Establishing the Configuration Task 6.3.2 Configuring IP Source Trail Based on the Destination IP Address 6.3.3 Checking the Configuration...
6.3.3 Checking the Configuration Prerequisite The configuration of IP source trail is complete. Procedure Run the display ip source-trail [ ip-address ip-address ] command to check the statistics on IP source trail.
Context After the reset command is run to clear the IP source trail statistics, all IP source trail statistical entries are empty when queried.
Procedure Step 1 Configure IP source trail based on the destination IP address. <Quidway> system-view [Quidway] ip source-trail ip-address 10.0.0.3 Step 2 Verify the configuration. Run the display ip source-trail ip-address ip-address command to view the trace result for 10.0.0.3.
7 URPF Configuration About This Chapter This chapter describes the principle of Unicast Reverse Path Forwarding (URPF) and provides configuration methods and examples. 7.1 Introduction to URPF This section describes the principle of URPF.
7.1 Introduction to URPF This section describes the principle of URPF. URPF is mainly used to prevent network attacks based on source address spoofing. As shown in Figure 7-1, S9300-A sends a packet to S9300-B using the spoofed source IP address 2.1.1.1.
Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: urpf slot slot-number URPF is enabled on an LPU. By default, URPF is disabled on an LPU.
VLAN, the S9300 does not perform the URPF check on traffic that matches the traffic classifier rules. For the configuration procedures for traffic classifiers and traffic policies, see Class-based QoS Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS. ----End 7.3.5 Checking the Configuration Issue 01 (2009-07-28) Huawei Proprietary and Confidential...
Prerequisite The configuration of URPF is complete. Procedure Run the display this command in the interface view to check whether URPF is enabled on the current interface. ----End Example Run the display this command to check whether URPF is enabled on GE 1/0/0.
Data Preparation To complete the configuration, you need the following data: URPF strict check mode NOTE As shown in Figure 7-2, the network uses symmetric routes. URPF strict check is recommended for symmetric routes.
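The URPF principle from 7.1 and the strict check configured here, as an added Python illustration that is not S9300 code. It replays the Figure 7-1 scenario: a packet with the spoofed source 2.1.1.1 arrives at S9300-B on the link from S9300-A while S9300-B's route to 2.1.1.0/24 points out another interface. Strict mode is what the page configures; loose mode (RFC 3704) is the standard alternative and is not taken from the page, and the option to let a default route satisfy the check is likewise an assumption. The routing table, interface names and the exemption for user A's prefix 10.0.0.0/24 (modelling the traffic-classifier rule that skips the URPF check) are constructed.

```python
"""URPF check (strict and loose) against a routing table, with an ACL-style exemption.

Added illustration (not S9300 code). Only strict mode and the spoofed source
2.1.1.1 come from the page; routes, interfaces and the exemption are assumptions.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class RoutingTable:
    def __init__(self, routes: Iterable[Tuple[str, str]]):
        # (prefix, outgoing interface); the longest matching prefix wins on lookup
        self.routes: List[Tuple[IPNet, str]] = [
            (ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr: str) -> Optional[Tuple[IPNet, str]]:
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best


def urpf_check(rt: RoutingTable, src_ip: str, in_iface: str, mode: str = "strict",
               allow_default_route: bool = False,
               exempt: Iterable[str] = ()) -> bool:
    """Return True if the packet passes URPF and may be forwarded."""
    src = ipaddress.ip_address(src_ip)
    # Traffic matching the exemption (the page's classifier rule for user A) skips the check.
    if any(src in ipaddress.ip_network(p) for p in exempt):
        return True
    hit = rt.lookup(src_ip)
    if hit is None:
        return False                     # no route back to the claimed source
    net, out_iface = hit
    if net == DEFAULT_ROUTE and not allow_default_route:
        return False                     # a default route alone proves nothing about the source
    if mode == "loose":
        return True                      # loose: any route to the source suffices
    return out_iface == in_iface         # strict: the return route must leave via the arrival interface


# Constructed routing table of S9300-B: 2.1.1.0/24 is reached via GE2/0/1,
# not via the GE1/0/1 link from S9300-A.
S9300_B = RoutingTable([
    ("1.1.1.0/24", "GE1/0/1"),
    ("2.1.1.0/24", "GE2/0/1"),
    ("0.0.0.0/0", "GE3/0/1"),
])
```

The strict check rejects the spoofed packet because the return route for 2.1.1.1 does not point back out GE1/0/1; the loose check would pass it, which is why the page recommends strict mode only where routes are symmetric. A default route would let loose mode accept any source, so the check ignores it unless explicitly allowed.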
8 ACL Configuration About This Chapter This chapter describes how to configure the Access Control List (ACL). 8.1 Introduction to the ACL This section describes the basic concepts and parameters of an ACL.
When the ACL is referenced by upper-layer software, the S9300 processes packets matching the ACL according to the deny or permit action defined in the ACL. For details on login user control, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configurations.
NOTE When the ACL is delivered to the hardware and referenced by QoS to classify packets, packets that do not match any ACL rule are not processed according to the action defined in the traffic behavior.
Data Name of the time range during which the ACL takes effect, with its start time and end time Number of the ACL Number of the ACL rule and the rule that identifies the type of packets, including...
Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] } A time range is set.
Context Do as follows on the S9300. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number [ match-order { auto | config } ] A basic ACL is created.
8.3.8 (Optional) Setting the Step of an ACL Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: acl [ number ] acl-number The ACL view is displayed.
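How a basic ACL's match-order and step decide which rule a packet hits, as an added Python illustration that is not S9300 code. Rule IDs are assigned automatically as multiples of the step (a default step of 5 is an assumption); match-order config evaluates rules in ascending ID order, while match-order auto evaluates the most specific source (fewest wildcard bits) first, which is the depth-first principle, with ties broken by rule ID as a further assumption. A packet that matches no rule yields None, which is the case the NOTE in 8.1 describes: a traffic behavior leaves such packets untouched. The subnet addresses are taken from this chapter's Figure 8-2; the rules themselves are constructed.

```python
"""Basic ACL rule evaluation with rule IDs, step and match order.

Added illustration (not S9300 code). Default step of 5 and auto-order
tie-breaking are assumptions; subnets come from the page's Figure 8-2.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: int            # source network address as an integer
    wildcard: int          # wildcard mask: 1 bits are "don't care"

    @property
    def fixed_bits(self) -> int:
        """Number of address bits the rule actually compares (32 for a single host)."""
        return 32 - bin(self.wildcard).count("1")

    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.source & care)


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        assert 2000 <= number <= 2999, "basic ACL numbers are 2000-2999"
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def rule(self, action: str, source: str = "any", rule_id: Optional[int] = None) -> int:
        """Add a rule such as 'rule deny source 10.164.3.0 0.0.0.255'; returns its ID."""
        if rule_id is None:
            # next multiple of the step above the highest existing ID (assumed allocation)
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        if source == "any":
            src, wild = 0, 0xFFFFFFFF
        else:
            addr, wildcard = source.split()
            src = int(ipaddress.ip_address(addr))
            wild = int(ipaddress.ip_address(wildcard))
        self.rules.append(Rule(rule_id, action, src, wild))
        return rule_id

    def ordered(self) -> List[Rule]:
        """Rules in evaluation order: by ID (config) or most specific first (auto)."""
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.fixed_bits, r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def lookup(self, src_ip: str) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches."""
        ip = int(ipaddress.ip_address(src_ip))
        for r in self.ordered():
            if r.matches(ip):
                return r.action
        return None


def build_example(match_order: str) -> BasicAcl:
    """Constructed ACL 2001: deny the R&D subnet except one host, permit everyone else."""
    acl = BasicAcl(2001, match_order=match_order)
    acl.rule("deny", "10.164.3.0 0.0.0.255")      # rule 5
    acl.rule("permit", "10.164.3.100 0.0.0.0")    # rule 10: single host
    acl.rule("permit")                             # rule 15: source any
    return acl
```

The same three rules give opposite answers for host 10.164.3.100: under config order the /24 deny at rule 5 wins, under auto order the single-host permit at rule 10 is evaluated first. When an ACL is meant to carve exceptions out of a broader rule, either choose auto or give the exception the lower rule ID.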
Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configuration. An ACL can also be applied to the traffic classification function. For the application of an ACL in traffic classification, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
Context When the S9300 detects attacks from certain IP addresses or MAC addresses, it uses a blacklist to block them. NOTE The blacklist has the highest priority among ACLs. Before configuring a blacklist, confirm the characteristics of the attack packets.
After a whitelist is configured, packets matching the rules defined in the whitelist are processed first when they reach the S9300, and they are not affected by the blacklist.
Context CAUTION Statistics cannot be restored after being cleared, so confirm the action before you run the command. Procedure Run the reset blacklist command in the user view or system view to clear the statistics about a blacklist.
strict URPF check on GE 1/0/1 and GE 2/0/1. In addition, the S9300 must trust packets from user A, whose IP address is 10.0.0.2/24; therefore, the URPF check also needs to be disabled for packets sent by user A.
# Configure the URPF mode on the interfaces. [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] urpf strict [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet 2/0/1 [Quidway-GigabitEthernet2/0/1] urpf strict [Quidway-GigabitEthernet2/0/1] quit Step 2 Configure the traffic classifier based on the ACL rules.
Figure 8-2 Networking diagram for configuring IPv4 ACLs (diagram not reproduced; it shows the salary query server 10.164.9.9, the marketing department 10.164.2.0/24, the president's office 10.164.1.0/24 and the R&D department 10.164.3.0/24 connected to the S9300 through GE1/0/1, GE1/0/2, GE1/0/3 and GE2/0/1) Configuration Roadmap The configuration roadmap is as follows: Assign IP addresses to interfaces.
Procedure Step 1 Assign IP addresses to interfaces. # Add interfaces to the VLANs and assign IP addresses to the VLANIF interfaces. Add GE 1/0/1, GE 2/0/1, and GE 3/0/1 to VLAN 10, VLAN 20, and VLAN 30 respectively, and add GE 2/0/1 to VLAN 100.
[Quidway] traffic behavior b_rd [Quidway-behavior-b_rd] deny [Quidway-behavior-b_rd] quit Step 6 Configure traffic policies. # Configure the traffic policy p_market and associate the traffic classifier c_market and the traffic behavior b_market with it.
port default vlan 20 traffic-policy p_rd inbound interface GigabitEthernet1/0/3 port link-type access port default vlan 30 traffic-policy p_rd inbound interface GigabitEthernet2/0/1 port link-type access port default vlan 100 return 8.6.3 Example for Configuring a Frame Header-based ACL...
Name of the traffic policy, and the traffic classifier and traffic behavior associated with it Interface to which the traffic policy is applied Procedure Step 1 Configure an ACL.
Configuration Roadmap The configuration roadmap is as follows: Configure the ACL and its rules. Configure the blacklist. Configure the whitelist. Data Preparation To complete the configuration, you need the following data:...